Script Runner version history

[jmthomas]

This implementation utilizes git in a new script-runner-api volume to do the history tracking

Differs from #3382 which uses bucket history

closes #2389

[ryanmelt]

No new volumes. I still need to review, but do whatever under /gems/scripts or something.

[codecov]

Codecov Report

❌ Patch coverage is 84.54545% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.22%. Comparing base (f29c725) to head (9155656).

Files with missing lines	Patch %	Lines
openc3/lib/openc3/models/target_model.rb	84.09%	7 Missing ⚠️
...t-runner-api/app/controllers/scripts_controller.rb	44.44%	5 Missing ⚠️
openc3/lib/openc3/models/plugin_model.rb	90.00%	3 Missing ⚠️
...-cmd-tlm-api/app/controllers/plugins_controller.rb	88.23%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3411      +/-   ##
==========================================
- Coverage   79.25%   79.22%   -0.03%     
==========================================
  Files         689      690       +1     
  Lines       57293    57386      +93     
  Branches      728      728              
==========================================
+ Hits        45406    45464      +58     
- Misses      11809    11844      +35     
  Partials       78       78              

Flag	Coverage Δ
python	80.29% <ø> (+<0.01%)	⬆️
ruby-api	80.85% <80.55%> (-0.48%)	⬇️
ruby-backend	83.10% <86.48%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[jmthomas]

No new volumes. I still need to review, but do whatever under /gems/scripts or something.

That volume is read-only. Making it read / write comes with some trade-offs:

• ✓ One fewer volume to manage/back up/migrate.
• ✗ Any user script run via Script Runner can now write anywhere under /gems — overwrite installed gem files, plant Trojan code in gems/openc3-*/lib/.... Today the :ro flag is the OS-level guarantee against that.
• ✗ Data co-tenancy. Backing up scripts history means backing up the whole gems volume (multi-GB).
• ✗ Permission model: /gems is owned openc3:openc3 (1001), gemfile dirs have specific perms. Script Runner runtime UID is the host UID (501 on your Mac, baked elsewhere). Adding /gems/script-versions with 1777 keeps versions writable but the surrounding gem tree's perms still allow SR-API process writes via its UID — same security concern.

[ryanmelt]

Ok. I guess it is only needed by ScriptRunner. Will talk architecture tomorrow.

[aikido-pr-checks]

15 Open source vulnerabilities detected - medium severity
Aikido detected 15 vulnerabilities across 1 package, it includes 14 medium and 1 low vulnerabilities.

Details

Remediation Aikido suggests bumping the vulnerable packages to a safe version.

_{Reply @AikidoSec ignore: [REASON] to ignore this issue.}
More info

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​monaco-editor@​0.54.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm marked is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: openc3-cosmos-init/plugins/pnpm-lock.yaml → npm/monaco-editor@0.54.0 → npm/marked@14.0.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/marked@14.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm monaco-editor is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: openc3-cosmos-init/plugins/packages/openc3-vue-common/package.json → npm/monaco-editor@0.54.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/monaco-editor@0.54.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
3.6% Duplication on New Code

See analysis details on SonarQube Cloud

[jmthomas]

Ok. I guess it is only needed by ScriptRunner. Will talk architecture tomorrow.

Now also used by cmd-tlm-server so it can handle upgrades