Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions .editorconfig
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
root = true

[*]
charset = utf-8
end_of_line = lf
insert_final_newline = true
indent_style = space
indent_size = 2
trim_trailing_whitespace = true

[*.py]
indent_size = 4

[Makefile]
indent_style = tab
8 changes: 8 additions & 0 deletions .gitattributes
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
* text=auto eol=lf
*.png binary
*.jpg binary
*.jpeg binary
*.gif binary
*.ico binary
*.pdf binary
assets/vscode-interface/LICENSE whitespace=-trailing-space
5 changes: 5 additions & 0 deletions .github/CODEOWNERS
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
* @sumitake

/assets/vscode-interface/ @sumitake
/.github/workflows/ @sumitake
/SECURITY.md @sumitake
42 changes: 42 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
name: Bug report
description: Report a reproducible defect using sanitized information only.
title: "[Bug]: "
labels: ["bug"]
body:
- type: markdown
attributes:
value: Do not include tokens, tunnel IDs, cluster IDs, account names, hostnames, or private paths.
- type: textarea
id: description
attributes:
label: Description
description: What happened, and what did you expect?
validations:
required: true
- type: input
id: revision
attributes:
label: Commit or version
validations:
required: true
- type: input
id: environment
attributes:
label: Environment
description: Operating system plus Node.js and Python versions.
validations:
required: true
- type: textarea
id: reproduction
attributes:
label: Minimal reproduction
description: Use placeholders for all deployment-specific values.
validations:
required: true
- type: checkboxes
id: sanitation
attributes:
label: Sanitization
options:
- label: I removed credentials and deployment-specific identifiers from this report.
required: true
8 changes: 8 additions & 0 deletions .github/ISSUE_TEMPLATE/config.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
blank_issues_enabled: false
contact_links:
- name: Private security report
url: https://github.com/sumitake/Remote-SSH-Tunnel/security/advisories/new
about: Report vulnerabilities privately.
- name: VS Code Remote Tunnels documentation
url: https://code.visualstudio.com/docs/remote/tunnels#_using-the-code-cli
about: Get support for the standalone CLI and Microsoft tunnel service.
25 changes: 25 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
day: monday
open-pull-requests-limit: 5
labels: ["dependencies", "github-actions"]

- package-ecosystem: npm
directory: /
schedule:
interval: weekly
day: monday
open-pull-requests-limit: 5
labels: ["dependencies", "javascript"]

- package-ecosystem: pip
directory: /
schedule:
interval: weekly
day: monday
open-pull-requests-limit: 5
labels: ["dependencies", "python"]
21 changes: 21 additions & 0 deletions .github/pull_request_template.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# Pull Request

## Summary

- What changed:
- Why:

## Verification

- [ ] Node tests and executable smoke check pass
- [ ] Python tests, Ruff lint, and Ruff format checks pass
- [ ] Dependency audit and repository validator pass
- [ ] No real credentials, tunnel metadata, hostnames, usernames, or private paths are present
- [ ] Microsoft-derived assets remain isolated and attributed
- [ ] User-visible changes are documented in `CHANGELOG.md`

## Security impact

Describe changes to authentication, port exposure, command execution, protocol
parsing, output handling, dependencies, services, or licensing. Write `None` only
when none of those boundaries changed.
104 changes: 104 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
name: CI

on:
pull_request:
push:
branches: [main]
workflow_dispatch:

permissions:
contents: read

concurrency:
group: ci-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
node:
name: Node ${{ matrix.node }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
node: [20, 22, 24]
steps:
- name: Check out repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Set up Node.js
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: ${{ matrix.node }}
cache: npm
- name: Install locked dependencies without lifecycle scripts
run: npm ci --ignore-scripts
- name: Run Node checks
run: npm run check
- name: Lint Markdown
run: npm run lint:markdown
- name: Audit runtime dependencies
run: npm audit --audit-level=moderate
- name: Inspect package contents
run: npm pack --dry-run

python:
name: Python ${{ matrix.python }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python: ["3.11", "3.12", "3.13", "3.14"]
steps:
- name: Check out repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Set up Python
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: ${{ matrix.python }}
cache: pip
- name: Install project and test tools
run: python -m pip install '.[dev]'
- name: Lint
run: ruff check .
- name: Check formatting
run: ruff format --check .
- name: Test
run: python -m pytest
- name: Build wheel
run: python -m pip wheel . --no-deps --wheel-dir /tmp/remote-ssh-tunnel-wheel

dependency-audit:
name: Python Dependency Audit
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Set up Python
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.13"
cache: pip
- name: Install pip-audit
run: python -m pip install pip-audit==2.10.1
- name: Audit locked runtime requirement
run: pip-audit --strict --progress-spinner=off --cache-dir /tmp/pip-audit-cache --requirement requirements.txt

metadata:
name: Repository Metadata
runs-on: ubuntu-latest
steps:
- name: Check out full history
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.13"
- name: Validate repository contracts
run: python scripts/validate_repository.py
- name: Lint GitHub Actions workflows
run: |
go install github.com/rhysd/actionlint/cmd/actionlint@v1.7.12
"$(go env GOPATH)/bin/actionlint"
- name: Check whitespace
run: git diff --check HEAD^
42 changes: 42 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
name: CodeQL

on:
pull_request:
push:
branches: [main]
schedule:
- cron: "23 6 * * 4"
workflow_dispatch:

permissions:
contents: read
security-events: write

concurrency:
group: codeql-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
analyze:
name: Analyze ${{ matrix.label }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- language: javascript-typescript
label: JavaScript/TypeScript
- language: python
label: Python
steps:
- name: Check out repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Initialize CodeQL
uses: github/codeql-action/init@02c5e83432fe5497fd85b873b6c9f16a8578e1d9 # v3
with:
languages: ${{ matrix.language }}
queries: security-extended
- name: Analyze
uses: github/codeql-action/analyze@02c5e83432fe5497fd85b873b6c9f16a8578e1d9 # v3
with:
category: /language:${{ matrix.language }}
31 changes: 31 additions & 0 deletions .github/workflows/secret-scan.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
name: Secret Scan

on:
pull_request:
push:
branches: [main]
schedule:
- cron: "41 5 * * 1"
workflow_dispatch:

permissions:
contents: read
pull-requests: read

concurrency:
group: secret-scan-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
gitleaks:
name: Gitleaks
runs-on: ubuntu-latest
steps:
- name: Check out full history
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
- name: Scan repository history
uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
14 changes: 14 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
.DS_Store
.env
.env.*
!.env.example
.pytest_cache/
.ruff_cache/
.venv/
__pycache__/
*.egg-info/
*.log
build/
coverage/
dist/
node_modules/
9 changes: 9 additions & 0 deletions .markdownlint-cli2.jsonc
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
{
"config": {
"MD013": false,
"MD024": {
"siblings_only": true
},
"MD033": false
}
}
20 changes: 20 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
# Changelog

All notable changes to this project are documented here. The format follows
[Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and versions follow
[Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [0.1.0] - 2026-07-11

### Added

- Loopback-only Microsoft dev-tunnels relay with an explicit port allowlist.
- Bounded MessagePack RPC client with direct argv execution and safe output rendering.
- Host and client deployment workflows, service-manager examples, and recovery guidance.
- Isolated CC-BY-4.0 interface fixtures and third-party attribution.
- Matrix CI, CodeQL, Gitleaks, Dependabot, repository validation, and public contribution files.

[Unreleased]: https://github.com/sumitake/Remote-SSH-Tunnel/compare/v0.1.0...HEAD
[0.1.0]: https://github.com/sumitake/Remote-SSH-Tunnel/releases/tag/v0.1.0
40 changes: 40 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
# Contributing

## Development setup

Use Node.js 20 or newer and Python 3.11 or newer.

```bash
npm ci
python3 -m venv .venv
.venv/bin/python -m pip install '.[dev]'
```

Run the same checks required by CI:

```bash
npm run check
npm audit --audit-level=moderate
.venv/bin/ruff check .
.venv/bin/ruff format --check .
.venv/bin/python -m pytest
.venv/bin/python scripts/validate_repository.py
```

Reinstall `.[dev]` after changing Python source before rerunning the installed
CLI. Editable installs are not used because Python 3.14 ignores the
underscore-prefixed `.pth` filenames currently emitted by common build backends.

## Pull requests

- Open a focused branch and include tests for behavior changes.
- Never commit tokens, real tunnel or cluster IDs, account names, hostnames,
private paths, captured extension binaries, or unredacted operational logs.
- Keep Microsoft-derived interface material under `assets/vscode-interface/`
and update its attribution, source revision, and modification notice.
- Pin every third-party GitHub Action to a full commit SHA.
- Update `CHANGELOG.md` for user-visible changes.

By contributing, you agree that original code is provided under the repository's
MIT license and appropriately identified adapted assets remain under their stated
license.
Loading
Loading