diff --git a/docs/plans/merge-resolution-plan.md b/docs/plans/merge-resolution-plan.md new file mode 100644 index 00000000..61cf5e7e --- /dev/null +++ b/docs/plans/merge-resolution-plan.md @@ -0,0 +1,192 @@ +# Merge Conflict Resolution Plan: `feature/beta-release` → `main` + +**Plan ID**: MERGE-2026-001 +**Status**: 🔄 PENDING +**Priority**: High +**Created**: 2026-01-25 + +--- + +## Summary + +This plan addresses merge conflicts in the `feature/beta-release` branch that need resolution against `main`. After analyzing all conflicting files, here is the recommended resolution strategy. + +--- + +## File Analysis + +### 1. `.github/workflows/codeql.yml` + +**Conflict Likelihood**: Low-Medium +**Current State**: No visible conflict markers + +**Key Features in Current Version**: +- Go version: `1.25.6` +- Forked PR handling (skips when `fork == true`) +- CodeQL config file: `.github/codeql/codeql-config.yml` +- SARIF analysis with error/warning/note counting + +**Resolution Strategy**: **Accept feature branch changes** +- Feature branch likely has updated Go version and security improvements +- Verify `GO_VERSION` env var matches other workflows after merge + +--- + +### 2. `.github/workflows/docker-build.yml` + +**Conflict Likelihood**: Medium +**Current State**: No visible conflict markers + +**Key Features in Current Version**: +- SBOM generation and attestation +- CVE-2025-68156 verification for Caddy/CrowdSec +- Feature branch detection and artifact handling +- Multi-platform builds (amd64/arm64) +- Trivy vulnerability scanning + +**Resolution Strategy**: **Accept feature branch changes** +- Feature branch contains critical security patches +- Verify image tag logic matches expected patterns +- Confirm `SYFT_VERSION` and `GRYPE_VERSION` are current + +--- + +### 3. `Dockerfile` + +**Conflict Likelihood**: High (likely PR #550 Debian Trixie migration) +**Current State**: Already using `debian:trixie-slim` + +**Key Features in Current Version**: +- Base image: `debian:trixie-slim` (Debian 13 testing) +- Go version: `1.25` (builder stages) +- Caddy version: `2.11.0-beta.2` +- CrowdSec version: `1.7.6` +- gosu version: `1.17` +- Security patches for `expr-lang/expr@v1.17.7` +- Multi-stage build with cross-compilation helpers + +**Resolution Strategy**: **Accept feature branch changes (post-Trixie migration)** +- If main still uses `bookworm-slim`, take feature branch version +- Critical: Preserve all CVE patches (CVE-2025-68156, CVE-2025-58183, etc.) +- Ensure all `renovate:` comments are preserved for automated updates + +--- + +### 4. `backend/go.sum` + +**Conflict Likelihood**: High +**Current State**: 167 packages, no conflict markers + +**Key Versions Detected**: +- `golang.org/x/crypto@v0.47.0` +- `google.golang.org/grpc@v1.75.0` +- `gorm.io/gorm@v1.31.1` +- `github.com/gin-gonic/gin@v1.11.0` + +**Resolution Strategy**: **Regenerate after merge** +- Dependency lock files should never be manually merged +- After resolving other conflicts, run: + ```bash + cd backend && go mod tidy && go mod download + ``` + +--- + +### 5. `frontend/package-lock.json` ⚠️ (Not `backend/`) + +**Conflict Likelihood**: High +**Current State**: 7499 lines, lockfileVersion 3 + +**Resolution Strategy**: **Regenerate after merge** +- Delete the file and regenerate: + ```bash + cd frontend && rm package-lock.json && npm install + ``` + +--- + +### 6. `frontend/package.json` ⚠️ (Not `backend/`) + +**Conflict Likelihood**: Medium +**Current State**: Version `0.3.0`, no conflict markers + +**Key Dependencies**: +- React: `^19.2.3` +- Vite: `^7.3.1` +- Playwright: `^1.57.0` +- TypeScript: `^5.9.3` + +**Resolution Strategy**: **Manual review required** +- Compare `main` and feature branch versions +- Keep higher version numbers when there are conflicts +- Ensure no duplicate entries + +--- + +## Command Sequence for Resolution + +```bash +# 1. Ensure you're on the feature branch +git checkout feature/beta-release + +# 2. Fetch latest main +git fetch origin main + +# 3. Start the merge (this will show conflicts) +git merge origin/main + +# 4. For workflow files (if conflicts exist): +# Accept feature branch changes, then verify +git checkout --theirs .github/workflows/codeql.yml +git checkout --theirs .github/workflows/docker-build.yml +git add .github/workflows/ + +# 5. For Dockerfile (if conflicts exist): +# Accept feature branch (Trixie migration) +git checkout --theirs Dockerfile +git add Dockerfile + +# 6. For Go dependencies: +git checkout --theirs backend/go.sum +cd backend && go mod tidy +cd .. +git add backend/go.sum backend/go.mod + +# 7. For frontend dependencies: +cd frontend +rm -f package-lock.json +# Manually resolve package.json if needed +npm install +cd .. +git add frontend/package.json frontend/package-lock.json + +# 8. Complete the merge +git commit -m "Merge main into feature/beta-release - resolve conflicts" + +# 9. Validate +make lint +make test +``` + +--- + +## Post-Merge Validation Checklist + +- [ ] `go mod tidy` completes without errors +- [ ] `npm install` (frontend) completes without errors +- [ ] Docker build succeeds: `docker build -t charon:test .` +- [ ] CI workflows pass on push +- [ ] Go version consistent across all workflows (`1.25.6`) +- [ ] Debian Trixie base image in Dockerfile + +--- + +## Notes + +1. **File Path Correction**: The conflicting package files are in `frontend/`, not `backend/`. The Go backend uses `go.mod`/`go.sum`, not npm. + +2. **Conflict markers not visible**: The files read don't show `<<<<<<<` markers, suggesting either: + - The merge hasn't been attempted yet + - Conflicts would appear after running `git merge` + +3. **PR #550 Reference**: The Dockerfile already shows Trixie migration is complete in the current branch. diff --git a/frontend/package-lock.json b/frontend/package-lock.json index 1e8996c7..4527daf9 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -576,9 +576,9 @@ } }, "node_modules/@emnapi/core": { - "version": "1.7.1", - "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.7.1.tgz", - "integrity": "sha512-o1uhUASyo921r2XtHYOHy7gdkGLge8ghBEQHMWmyJFoXlpU58kIrhhN3w26lpQb6dspetweapMn2CSNwQ8I4wg==", + "version": "1.8.1", + "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.8.1.tgz", + "integrity": "sha512-AvT9QFpxK0Zd8J0jopedNm+w/2fIzvtPKPjqyw9jwvBaReTTqPBk9Hixaz7KbjimP+QNz605/XnjFcDAL2pqBg==", "dev": true, "license": "MIT", "optional": true, @@ -588,9 +588,9 @@ } }, "node_modules/@emnapi/runtime": { - "version": "1.7.1", - "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.7.1.tgz", - "integrity": "sha512-PVtJr5CmLwYAU9PZDMITZoR5iAOShYREoR45EyyLrbntV50mdePTgUn4AmOw90Ifcj+x2kRjdzr1HP3RrNiHGA==", + "version": "1.8.1", + "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.8.1.tgz", + "integrity": "sha512-mehfKSMWjjNol8659Z8KxEMrdSJDDot5SXMq00dM8BN4o+CLNXQ0xH2V7EchNHV4RmbZLmmPdEaXZc5H2FXmDg==", "dev": true, "license": "MIT", "optional": true, @@ -1388,9 +1388,9 @@ } }, "node_modules/@napi-rs/wasm-runtime": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.0.tgz", - "integrity": "sha512-Fq6DJW+Bb5jaWE69/qOE0D1TUN9+6uWhCeZpdnSBk14pjLcCWR7Q8n49PTSPHazM37JqrsdpEthXy2xn6jWWiA==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.1.tgz", + "integrity": "sha512-p64ah1M1ld8xjWv3qbvFwHiFVWrq1yFvV4f7w+mzaqiR4IlSgkqhcRdHwsGgomwzBH51sRY4NEowLxnaBjcW/A==", "dev": true, "license": "MIT", "optional": true, @@ -1398,6 +1398,10 @@ "@emnapi/core": "^1.7.1", "@emnapi/runtime": "^1.7.1", "@tybys/wasm-util": "^0.10.1" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/Brooooooklyn" } }, "node_modules/@nodelib/fs.scandir": { @@ -3046,66 +3050,6 @@ "node": ">=14.0.0" } }, - "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@emnapi/core": { - "version": "1.7.1", - "dev": true, - "inBundle": true, - "license": "MIT", - "optional": true, - "dependencies": { - "@emnapi/wasi-threads": "1.1.0", - "tslib": "^2.4.0" - } - }, - "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@emnapi/runtime": { - "version": "1.7.1", - "dev": true, - "inBundle": true, - "license": "MIT", - "optional": true, - "dependencies": { - "tslib": "^2.4.0" - } - }, - "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@emnapi/wasi-threads": { - "version": "1.1.0", - "dev": true, - "inBundle": true, - "license": "MIT", - "optional": true, - "dependencies": { - "tslib": "^2.4.0" - } - }, - "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@napi-rs/wasm-runtime": { - "version": "1.1.0", - "dev": true, - "inBundle": true, - "license": "MIT", - "optional": true, - "dependencies": { - "@emnapi/core": "^1.7.1", - "@emnapi/runtime": "^1.7.1", - "@tybys/wasm-util": "^0.10.1" - } - }, - "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@tybys/wasm-util": { - "version": "0.10.1", - "dev": true, - "inBundle": true, - "license": "MIT", - "optional": true, - "dependencies": { - "tslib": "^2.4.0" - } - }, - "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/tslib": { - "version": "2.8.1", - "dev": true, - "inBundle": true, - "license": "0BSD", - "optional": true - }, "node_modules/@tailwindcss/oxide-win32-arm64-msvc": { "version": "4.1.18", "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.1.18.tgz", @@ -4986,11 +4930,12 @@ } }, "node_modules/fsevents": { - "version": "2.3.3", - "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz", - "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==", + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz", + "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==", "dev": true, "hasInstallScript": true, + "license": "MIT", "optional": true, "os": [ "darwin" @@ -5628,6 +5573,7 @@ "arm64" ], "dev": true, + "license": "MPL-2.0", "optional": true, "os": [ "android" @@ -5648,6 +5594,7 @@ "arm64" ], "dev": true, + "license": "MPL-2.0", "optional": true, "os": [ "darwin" @@ -5668,6 +5615,7 @@ "x64" ], "dev": true, + "license": "MPL-2.0", "optional": true, "os": [ "darwin" @@ -5688,6 +5636,7 @@ "x64" ], "dev": true, + "license": "MPL-2.0", "optional": true, "os": [ "freebsd" @@ -5708,6 +5657,7 @@ "arm" ], "dev": true, + "license": "MPL-2.0", "optional": true, "os": [ "linux" @@ -5728,6 +5678,7 @@ "arm64" ], "dev": true, + "license": "MPL-2.0", "optional": true, "os": [ "linux" @@ -5748,6 +5699,7 @@ "arm64" ], "dev": true, + "license": "MPL-2.0", "optional": true, "os": [ "linux" @@ -5808,6 +5760,7 @@ "arm64" ], "dev": true, + "license": "MPL-2.0", "optional": true, "os": [ "win32" @@ -5828,6 +5781,7 @@ "x64" ], "dev": true, + "license": "MPL-2.0", "optional": true, "os": [ "win32" @@ -6263,21 +6217,6 @@ "node": ">=18" } }, - "node_modules/playwright/node_modules/fsevents": { - "version": "2.3.2", - "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz", - "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==", - "dev": true, - "hasInstallScript": true, - "license": "MIT", - "optional": true, - "os": [ - "darwin" - ], - "engines": { - "node": "^8.16.0 || ^10.6.0 || >=11.0.0" - } - }, "node_modules/postcss": { "version": "8.5.6", "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz", @@ -7237,6 +7176,21 @@ } } }, + "node_modules/vite/node_modules/fsevents": { + "version": "2.3.3", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz", + "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==", + "dev": true, + "hasInstallScript": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": "^8.16.0 || ^10.6.0 || >=11.0.0" + } + }, "node_modules/vitest": { "version": "4.0.17", "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.0.17.tgz",