Conversation
Add 17 specialized filters for high-token-waste AWS operations: - CloudWatch Logs (get-log-events, filter-log-events, get-query-results) - CloudFormation describe-stack-events (failures-first) - Lambda list-functions, get-function (strips Environment secrets) - IAM list-roles (extract principals), list-users - DynamoDB scan/query/get-item (recursive type unwrapping) - ECS describe-tasks (stoppedReason + exitCode) - EC2 describe-security-groups (compact rule notation) - S3API list-objects-v2, S3 sync/cp (text summary) - EKS describe-cluster, SQS receive-message - Secrets Manager get-secret-value Architecture: - Extract run_aws_filtered() shared runner with Result<i32> return - Add force_tee_hint() for truncation recovery (no dead ends for LLMs) - Follow six-phase contract (stderr tracking, tee on failure, exit codes) - Migrate existing 8 handlers to shared runner Inspired by #644 for DynamoDB get-item, S3 transfer, Secrets Manager, query-results, and N-type precision.
When RTK runs via Claude Code's PreToolUse hook, grep/rg subprocesses inherit the hook's open stdin pipe. They block waiting for EOF and never terminate, accumulating memory unboundedly (reported: 514GB on 96GB Mac, kernel panic). Fix: set stdin(Stdio::null()) on both rg and grep fallback commands so subprocesses get immediate EOF instead of inheriting the parent pipe. Signed-off-by: Patrick szymkowiak <patrick.szymkowiak@innovtech.eu>
pr_merge() was using run_filtered with a filter_fn that ignored stdout and always returned "ok merged". This made AI agents believe PRs were merged when they weren't. Switch to run_passthrough so the real gh output is shown. gh pr merge is a destructive action — the user must see exactly what happened. Signed-off-by: Patrick szymkowiak <patrick.szymkowiak@innovtech.eu>
Previously, commands not in any deny/ask list were auto-allowed. This bypassed Claude Code's least-privilege default where unlisted commands should prompt the user for confirmation. Permission precedence is now: Deny > Ask > Allow (explicit) > Default (ask). Changes: - permissions.rs: load allow rules from settings.json, add Default variant - rewrite_cmd.rs: treat Default same as Ask (exit 3) - hook_cmd.rs: add permission checks to Copilot VS Code hook (ask/allow/deny), add deny check to Gemini hook (no ask mode available in Gemini CLI) Gemini CLI limitation: only supports allow/deny, no ask mode. Codex: ask is parsed but fails open. These tools document the limitation. Signed-off-by: Patrick szymkowiak <patrick.szymkowiak@innovtech.eu>
feat(aws): expand CLI filters from 8 to 25 subcommands
Signed-off-by: Patrick szymkowiak <patrick.szymkowiak@innovtech.eu>
…733) Command::output() sets stdin to Stdio::piped() by default, creating an empty pipe instead of inheriting the terminal. SSH signing tools (1Password, YubiKey, gpg-agent with pinentry) need TTY access on stdin for passphrase prompts or agent communication. This caused signatures to be silently dropped — commits succeeded but without gpgsig headers. Fix: add .stdin(Stdio::inherit()) to git commit and git push commands so they inherit the parent's stdin (terminal or hook pipe). Output capture via stdout/stderr pipes is preserved. Signed-off-by: Patrick szymkowiak <patrick.szymkowiak@innovtech.eu>
fix(security): default to ask when no permission rule matches (#886)
fix(git): inherit stdin for commit and push to preserve SSH signing (#733)
Also fixes flaky test_rewrite_rtk_disabled_warns_on_stderr: the subprocess part relied on target/debug/rtk being current, but cargo test doesn't rebuild the standalone binary. Added mtime guard -> skips when binary is older than test executable.
…/rtk into fix/batch-priority-issues
fix(grep): close subprocess stdin to prevent memory leak (#897)
|
Jb seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
Signed-off-by: em0t <10153971+em0t@users.noreply.github.com>
Signed-off-by: em0t <10153971+em0t@users.noreply.github.com>
Signed-off-by: em0t <10153971+em0t@users.noreply.github.com>
Telemetry details are already documented in the README privacy section. No need to print them during init. Signed-off-by: Patrick szymkowiak <patrick.szymkowiak@innovtech.eu>
fix(go): preserve failing test location context
fix(git): preserve full diff hunk headers
fix(init): remove opt-out instruction from telemetry message
Signed-off-by: em0t <10153971+em0t@users.noreply.github.com>
fix(gh): pass through gh pr merge instead of canned response (#938)
aeppling
changed the title
Signed-off-by: em0t <10153971+em0t@users.noreply.github.com>
…/rtk into fix/batch-priority-issues
fix(go): avoid false build errors from download logs
Contributor
Author
|
CLA-assistant fail to lookup @jbronssin but he has already signed CLA |
fix(main): kill zombie processes + path for rtk md + missing intergrations
Drop-based ChildGuard doesn't run on signals with panic=abort (release profile). Register a signal handler that stores the child PID in an AtomicU32 and kills it on SIGINT/SIGTERM, then re-raises the signal with default handler for correct exit status propagation. Fixes orphan processes when rtk proxy is killed by Claude Code, process managers, or manual kill — the root cause behind issue #897. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Contributor
Author
|
Need : #1021 , once merged ok for me |
aeppling
added a commit
that referenced
this pull request
Apr 4, 2026
Integrates ~30 develop commits (PR #997): AWS expansion (8→25 cmds), SSH signing for git commit/push, go test context, grep stdin leak fix, default-to-ask permissions, gh pr merge passthrough. Conflict resolution (4 files): - git.rs: kept .output()+stdin(inherit) for commit/push (SSH/GPG signing) - go_cmd.rs: accepted incoming + added pub(crate) visibility - hook_check.rs: merged binary_hook_registered + other_integration_installed - hook_cmd.rs: fixed permissions path, println→writeln for Gemini deny Verified: 1445 tests pass, 0 clippy errors, all manual integration tests pass. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
fix(proxy): kill child process on SIGINT/SIGTERM to prevent orphans
pszymkowiak
requested changes
Apr 6, 2026
Collaborator
pszymkowiak
left a comment
pszymkowiak
left a comment
There was a problem hiding this comment.
Tested on multipass VM (Ubuntu 24.04, aarch64): 106/110 passed, avg 85% savings. Same 2 pre-existing failures as PR #934 (clippy warnings + diff exit code test bug).
Must fix before merge:
- Version regression — develop is 0.34.1, master is 0.34.3. Bump to 0.35.0.
- CHANGELOG — duplicate
[Unreleased]sections (lines 8 and 48). Merge into one. - 2 new clippy warnings — signal handler cast in
main.rs:2009-2010. Fix:handle_signal as *const () as libc::sighandler_t
All 15 ecosystems pass. No interaction bugs between combined PRs.
Keep develop's [Unreleased] section on top, followed by master's released versions (0.34.3, 0.34.2). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fix(merge): changelog conflicts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Feat :
8 to 20 aws commands supports
Filters quality :
Fixs :
#886
#893
#733
#938
#892
#897
#913
#989