
feat: migrates go-gemara from v0.0.1 to v0.3.0#472

Merged
hbraswelrh merged 10 commits into complytime:main from hbraswelrh:feat/migrates-gemara-v0.3.0
Apr 14, 2026

Conversation


@hbraswelrh hbraswelrh commented Apr 14, 2026

Summary

  • Combines the work from PR feat: migrates go-gemara from v0.0.1 to v0.2.0 #468 (source code + governance artifact migration to go-gemara v0.2.0) with the dependabot PR chore(deps): bump github.com/gemaraproj/go-gemara from 0.0.1 to 0.3.0 #469 (go-gemara v0.3.0 vendor bump)
  • Bumps github.com/gemaraproj/go-gemara from v0.0.1 to v0.3.0 (Gemara spec v1.0.0 GA)
  • Bumps Go minimum version to 1.25.0 (toolchain go1.25.9) as required by go-gemara v0.3.0
  • Adapts complyctl source to the new go-gemara API: generics-based gemara.Load[T]() with fetcher interface, renamed enum values (NotSet → Undetermined), and updated AcceptedMethod fields (Type → Mode)
  • Migrates governance artifacts (controls, threats, policy, capabilities) to the v1.0.0 GA schema
  • Adds governance/capabilities/complytime-capabilities.yaml with 7 capabilities extracted from the threat catalog
  • Rebased onto main including CRAPLoad baseline fix (chore: regenerate crapload baseline for latest gaze version #471)

Related Issues

Security review

  • All vendored code verified against Go checksum database (go mod verify — all modules verified)
  • No new dependencies introduced beyond the go-gemara version bump
  • EntryMapping.ReferenceId field tag removes omitempty (v0.3.0 change) — strictness improvement that prevents ambiguous empty reference-id values from being silently dropped during serialization
  • Governance artifacts validated against Gemara v1 CUE schema via gemara-mcp server
  • No injection vectors, no unsafe deserialization, no new external network calls

Test plan

  • go build ./... passes
  • go test ./internal/output/ ./internal/policy/ passes
  • go mod verify — all modules verified
  • Governance artifacts validated against Gemara v1 schema (ThreatCatalog, Policy, CapabilityCatalog validated via gemara-mcp)
  • LoadLayerByMediaType coverage raised to 82.4% (CRAPLoad new-function violation resolved)
  • Behavioral e2e tests pass in CI
  • RPM builds pass in CI

🤖 Generated with Claude Code

@hbraswelrh hbraswelrh requested a review from a team as a code owner April 14, 2026 09:07
@hbraswelrh (Member Author)

/packit build

hbraswelrh and others added 8 commits April 14, 2026 14:31
Updates the vendored go-gemara dependency to v0.3.0 and aligns
governance artifact gemara-version fields from 1.0.0-rc.2 to
1.0.0 to match the GA schema release.

Signed-off-by: Hannah Braswell <hbraswel@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@hbraswelrh hbraswelrh force-pushed the feat/migrates-gemara-v0.3.0 branch from e942351 to cf78621 Compare April 14, 2026 12:33
Adds tests covering manifest fetch, JSON parse, and layer matching
to bring LoadLayerByMediaType coverage from guard-clauses-only to
82.4%, resolving the CRAPLoad new-function violation (58.78 → below
threshold).

Signed-off-by: Hannah Braswell <hbraswel@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Contributor

@marcusburghardt marcusburghardt left a comment

AI-assisted review: APPROVE — All CI checks pass. Two LOW non-blocking observations noted inline.

Inline comment threads on:
  • go.mod
  • internal/output/evaluator.go
  • cmd/mock-oci-registry/testdata/ampel-branch-protection-catalog.yaml (outdated)
jpower432 previously approved these changes Apr 14, 2026
Member

@jpower432 jpower432 left a comment

LGTM. Left one nit.

- Adds comment explaining Undetermined as conservative default for
  unknown plugin confidence levels
- Updates ampel-branch-protection-catalog gemara-version to 1.0.0

Signed-off-by: Hannah Braswell <hbraswel@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@hbraswelrh
Member Author

@marcusburghardt @jpower432 Factored in review comments. Thanks.

Contributor

@marcusburghardt marcusburghardt left a comment

LGTM

Member

@jpower432 jpower432 left a comment

LGTM

@hbraswelrh hbraswelrh merged commit 3354328 into complytime:main Apr 14, 2026
27 checks passed

Development

Successfully merging this pull request may close these issues.

feat: update complyctl governance gemara content

3 participants