Discloses the single anonymous adoption ping sent on startup and points
users to the upstream README section for full opt-out instructions
instead of duplicating the table here.
Send a single fire-and-forget ping at startup to help track adoption
and version spread. No persistent identifiers are collected.
main() is wrapped via runMain() so deferred Wait drains in-flight pings
before os.Exit.
Opt out via any of:
DO_NOT_TRACK=1
OSS_TELEMETRY_DISABLED=1
KPORTAL_DISABLE_TELEMETRY=1
CI on Linux flagged a race in TestStartWorker_HealthCallback_StatusChange:
the test read ui.updates while the healthchecker's per-port goroutine
(spawned by Register at checker.go:164) was still running and could
fire UpdateStatus through notifyStatusChange.
The earlier mutex on MockStatusUpdater protected the writes; the read
side was unprotected, and the goroutine had not finished by the time
the test started ranging over the slice on slower runners.
Fix:
- call healthChecker.Unregister(fwd.ID()) to drain the per-port
goroutine before reading
- hold ui.mu around the slice read for belt-and-suspenders happens-
before, regardless of goroutine timing
Verified locally with go test -race -count=20 on the targeted test
and -count=3 on the full forward package.
main() body is now os.Exit(run(ctx, args, stdin, stdout, stderr))
where ctx comes from signal.NotifyContext and IO is io.Reader/Writer
instead of os.Std*. run() parses flags via a fresh flag.NewFlagSet
(no more package-level flag.* globals) and dispatches to:
runShowVersion(stdout)
runCheckUpdate(stdout, stderr)
runConvert(input, output, stdout, stderr)
runHeadless(ctx, opts)
runVerboseTable(ctx, opts)
runInteractive(ctx, opts)
Helpers extracted: parseFlags, resolveConfigPath, initLoggers,
configureStdlibLog, loadOrCreateConfig, buildRuntimeDeps,
makeHTTPLogSubscriber, shutdownManager. Signal-loop and fsnotify
watcher exit cleanly on ctx.Done() (previously chan-based with
unconditional os.Exit).
Behaviour preserved by smoke checks: -version, -update, generate
without --context, generate with bogus context, -check on
missing/valid config, -headless start+SIGINT shutdown.
Coverage: cmd/kportal 17.4% -> 71.3%. New run_test.go exercises
run() and every run* mode. main() and runInteractive remain at 0%
(TTY-required); not feasible without a tea.Program factory
abstraction, which would add complexity for minimal coverage gain.
The mock recorded calls into unprotected slices while being invoked
concurrently from the test goroutine and from the health-checker
callback registered by Manager.startWorker (and the watchdog hung
callback). go test -race -count=20 reliably tripped the race detector
on TestStartWorker_HealthCallback_StatusChange.
Wrap the slice writes in a sync.Mutex. Read-side code in tests reads
only after manager.Stop() drains the background goroutines (Stop's
wg.Wait establishes a happens-before edge), so direct reads remain
race-free.
internal/ui: 27.9% -> 79.8%. Adds three test files (~3300 lines):
- wizard_handlers_extended_test.go: keyboard branches not previously
covered (ctrl+c, pgup/pgdn, search filter typing, port-checked
failure path, alias text edit, focus toggling, error states),
plus removeForwardsCmd / removeForwardByIDCmd against real Mutator
+ tempdir config (dedup + at-least-one-namespace validation).
- wizard_views_test.go: every renderXxx path with a populated
AddWizardState — context/namespace selectors, resource selection,
port entry, http log list/detail, success, scroll indicators.
- table_test.go: AddForward / UpdateStatus / SetError / Clear /
FilterStrings flows.
Test-only fixups noted by agent:
- getFilteredEntries silently skips StatusCode==0 entries (only
completed responses are visible). Tests now seed StatusCode=200.
- handleForwardSaved leaves step=StepConfirmation on save error
rather than advancing to StepSuccess; assertion corrected.
- removeForwardsCmd needs >=2 forwards in a context for dedup tests
so removing one leaves the context non-empty (validator rejects
empty contexts).
go test -race -count=1 ./... clean across all 14 packages.
cmd/kportal: 0% -> 17.4% (testable surface only — main() is a
274-statement monolith with OS signals, bubbletea TUI, kubeconfig
loading, signal-loop goroutines, and config watcher all in one
function. Hitting 70% requires extracting it into run(args,w) int,
which is a non-trivial refactor — out of scope for a coverage pass.)
Tests cover: promptCreateConfig (yes/no/EOF/empty inputs via os.Pipe
stdin redirection), contains, resolveGenerateConfigPath (all 4 system
dirs + abs/rel branches), runGenerate (missing flag, -h, unknown
flag, invalid context, malformed YAML, no-TTY error path).
internal/version: 45.7% -> 97.8%. Added httptest.NewServer + custom
rewriteTransport to redirect GitHub API calls. Covered NewChecker,
fetchLatestRelease (200/403/404/429/500, malformed JSON, empty
tag_name), CheckForUpdate (newer/same/current-newer/error/cancelled),
parseVersion edge cases (empty, single digit, alpha).
New subcommand that connects to a chosen kube context and walks the
user through three picker steps before writing forwards to the config:
1. Namespace multi-select (no system-namespace exclusion)
2. Service multi-select grouped by namespace, with already-configured
rows greyed out and locked off
3. Starting-port input with a live preview of consecutive local-port
assignments, skipping any port already taken by the existing config
or another row in the batch
Multi-port services emit one forward per port. Non-TCP ports are
skipped with a one-line warning at the end (kportal forward layer is
TCP-only). --dry-run prints the planned forwards without writing.
Subcommand dispatch lives in cmd/kportal/main.go: when os.Args[1] ==
'generate', runGenerate(os.Args[2:]) is invoked before the main
flag.Parse() so the flag.NewFlagSet 'generate' parses its own
'--context', '--config', '--dry-run' flags. Invalid contexts list
the available ones for quick correction.
Tests in internal/ui/generate_test.go cover:
- namespace toggle / toggle-all / filter
- service multi-select with locked already-configured rows and
non-TCP filtering
- port-collision-aware consecutive assignment using a real Mutator
against a tempdir config
- reject + recover for starting-port < 1024
- dry-run does not invoke the mutator
- end-to-end Update() walk through the three steps
- parse-starting-port boundary table
- port-step view rendering
- ServiceCandidate.Key() determinism
README updated with a 'Generate Forwards from a Cluster' section
describing the flow and the three flags.
Previously, editing a forward and keeping its local port unchanged
failed the wizard's port-availability check: the in-config scan
found the forward's own entry and reported '✗ Port N already
assigned to <self.ID>'. Users had to pick a different port,
edit, then change back.
checkPortCmd now accepts an excludeID. The wizard passes
wizard.originalID when isEditing so the forward being edited is
ignored during the in-config conflict scan. The OS-level port
check is unchanged (still catches actual port collisions).
New regression test: TestCheckPortCmd_ExcludeID_AllowsKeepingOwnPort.
Adds an HTTP-log enable toggle to the wizard's confirmation step so
users can flip httpLog on a forward without editing YAML by hand.
Behaviour:
- 'h' on the confirmation step toggles HTTPLog when not focused on
the alias text input. When focus is on alias, 'h' is treated as
text so users can still type aliases like 'host' or 'http-proxy'.
- The confirmation summary shows '[x] enabled' or '[ ] disabled'.
- New forwards: toggle on -> &HTTPLogSpec{Enabled: true}; off -> nil.
- Edit mode: pre-populates the toggle from the existing forward and
preserves any advanced HTTPLog fields the user had configured in
YAML (logFile, includeHeaders, maxBodySize, filterPath) by copying
the original spec on save. Toggling off discards the advanced
fields (consistent with 'absent in YAML = disabled').
State changes:
- ForwardStatus gains *config.HTTPLogSpec so the wizard can see the
full original spec on edit.
- AddWizardState gains httpLog bool + httpLogOriginal *HTTPLogSpec.
Three new tests:
- TestHandleAddWizardKeys_HToggleHTTPLog
- TestHandleAddWizardKeys_HOnAliasFocusIsTextInput
- TestEditPrefill_PreservesHTTPLog
Real kubeconfig context names commonly contain characters the
validator rejected:
- 'admin@home', 'user@cluster.example.com' (kubectl rename, EKS
aws-iam-authenticator)
- 'cluster.example.com', 'gke_proj_zone_cluster.prod' (FQDN, GKE)
- 'arn:aws:eks:us-east-1:123:cluster/foo' (EKS ARN)
kubeconfig itself imposes no character restrictions, so requiring
[a-zA-Z0-9_-] only was kportal-specific over-validation that blocked
legitimate users. Widen the allowed set to add '@', '.', ':', '/'.
Names must still start and end with a letter or digit so YAML
specials and leading whitespace remain rejected.
Tests cover the new positive cases and tighten negative coverage
(starts-with-@, ends-with-/, ends-with-dot).
Previously a second Stop() call would panic from a double-close on
eventBus and re-stop the healthChecker/watchdog whose contexts had
already been cancelled. Wrapping the body in sync.Once makes
sequential and concurrent double-Stop safe.
TestManager_Stop_Idempotent covers both paths.
Releases are signed by the lukaszraczylo/shared-actions reusable
workflow, so the Sigstore certificate subject is the workflow URL
rather than this repo. The previous regex
'https://github.com/lukaszraczylo/kportal/.*' never matched, so any
user with cosign installed would see verification fail and abort
the install.
Pin cert-identity to the exact workflow URL:
^https://github\.com/lukaszraczylo/shared-actions/\.github/workflows/go-release\.yaml@refs/heads/main$
Override via COSIGN_CERT_IDENTITY_REGEXP for forks of the release
pipeline. Same fix applied to README's manual verification example.
Verified end-to-end against release v0.2.90:
cosign verify-blob ... -> Verified OK
P0 #8 — install.sh fetched and installed the binary with no integrity
check whatsoever, despite README claiming cosign verification. A
compromised release or registry MITM resulted in RCE on every
installer.
Now:
- downloads checksums.txt alongside the archive (required; abort on
missing)
- computes local SHA-256 with shasum -a 256 (works on macOS+Linux,
not GNU-only sha256sum)
- aborts on mismatch with a clear error
- if cosign is in PATH AND the sigstore bundle is present (the latter
already published by goreleaser), verifies cert-identity. Skipped
silently when cosign is absent so the install path still works for
users without cosign installed.
- SKIP_COSIGN=1 lets users opt out of cosign verification only
(checksum verification is always enforced).
- DRY_RUN=1 verifies + downloads but does not install, for testing.
Also replaced GNU-only `grep -oP` (silently fails on macOS BSD grep)
with portable awk for parsing kportal --version.
NOTE: the cosign cert-identity regex matches lukaszraczylo/kportal/.*
but actual releases are signed from the shared-actions reusable
workflow. Users with cosign installed will currently see a verification
failure on real releases. Either widen the regex to lukaszraczylo/.*
or change the signing identity scheme — flagging for follow-up.
README install section updated to mention the new verification.
P0 #1 — HTTP traffic logger captured Authorization, Cookie, Set-Cookie,
X-Api-Key, X-Auth-Token, X-Csrf-Token, Proxy-Authorization, X-Access-Token
verbatim into log entries (file 0600 + UI subscribers). Bearer tokens
and session cookies were ending up on disk whenever httpLog.includeHeaders
was enabled.
flattenHeaders now redacts:
- the explicit list above (case-insensitive via http.CanonicalHeaderKey)
- any header name containing 'token', 'secret', 'password', 'apikey'
Header names remain visible; values become [REDACTED].
Redaction is unconditional and on-by-default — no opt-out flag. Users
who want raw headers can use tcpdump.
P0 #6 — Headless mode without -v silently routed both structured and
stdlib logs to io.Discard. A daemon under launchd/systemd had no way to
report errors. Headless now defaults log destination to os.Stderr; -v
controls only the level (debug vs info). TUI-quiet path is preserved.
Tests in internal/httplog/redact_test.go cover all explicit names,
substring patterns, and case variants.
In the remove-wizard's confirming state, pressing Esc was reflexively
calling removeForwardsCmd — i.e. confirming deletion. The on-screen
help text said 'Esc: Cancel'. Reflexive Esc-to-cancel destroyed data.
Esc now sets confirming=false and resets the cursor; deletion
requires Enter on Yes. Non-confirming Esc behavior (exit wizard with
ClearScreen) is unchanged.
Three regression tests added in handlers_test.go.
P0 #2 — currentConfig data race
Manager.currentConfig was written without locking in Start/Reload but
read from the health-checker callback goroutine. All accesses now go
through workersMu (read or write as appropriate).
P0 #3 — Reload kills health checker permanently
Reload's zero-forward branch called m.Stop() which tore down the
health checker, watchdog, and event bus. After that, EnableForward
silently registered callbacks against dead components. Now the branch
stops only the running workers; the supervisory infrastructure stays
alive across config changes.
P0 #4 — rest.Config write-write race
executePortForward was mutating .Dial on the cached *rest.Config
shared by all forwards in the same kube context. Cloning the config
with rest.CopyConfig before mutation isolates per-forward dialers.
P0 #5 — ForwardWorker.Stop() double-close panic
close(w.stopChan) is now wrapped in sync.Once, so concurrent Stop
calls (Manager.Stop racing stopWorkerInternal) are safe.
New tests in internal/forward/concurrency_test.go exercise each fix
under -race: 16 concurrent worker Stops, repeated sequential Stops,
empty-Reload preserves infra pointers, and concurrent currentConfig
read/write.
CI runners have no kubeconfig, so clientcmd's loader returns an empty
config (no error) and CurrentContext == "". The previous assertion
'NotEmpty(context)' on the success branch was incorrect — an empty
current-context is valid for an empty kubeconfig.
Mirrors the looser pattern in TestDiscovery_ListContexts.
- [x] Add golangci-lint v2 configuration with formatters section
- [x] Reorganize linters-settings under linters section
- [x] Replace if-else chains with switch statements for clarity
- [x] Wrap all ignored error returns with `_ = ` pattern
- [x] Add OSC 8 hyperlink helper function for clickable ports
- [x] Add blank line in table styling function
- [x] Remove unnecessary type assertion in test
lukaszraczylo