fix(inspect): harden Docker discovery with batched inspect, fix find command, and add tests

- Fix P0 bug: `find` command passed `2>/dev/null` as literal arg and had
  ungrouped `-type f` that only applied to last `-name` pattern
- Fix P0 perf: batch `docker inspect` to 2 execs instead of N+1
- Fix P1 security: add MaxComposeFileSize guard (10MB) to prevent OOM
- Fix P1 correctness: ParseDockerSize now uses SI/decimal units matching
  Docker's actual format (1 GB = 1e9, not 1024^3)
- Fix P1 style: remove emoji from all log messages in inspect package
- Add deterministic output: sort networks, ports, volumes for stable diffs
- Extract pure parsing functions for testability
- Add 24 tests: unit (70%), integration (20%), e2e (10%)
- Add constants for compose search paths, file names, sensitive keywords

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: CodeMonkeyCybersecurity

.github/workflows/ci.yml

@@ -161,7 +161,7 @@ PY
         run: scripts/ci/preflight.sh
 
       - name: Install golangci-lint
-        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.0.0
+        run: bash scripts/ci/install-golangci-lint.sh
 
       - name: Run lint lane
         env:
@@ -245,6 +245,10 @@ PY
         run: |
           test -f outputs/ci/unit/report.json && cat outputs/ci/unit/report.json || true
 
+      - name: Alert on unit lane report
+        if: always()
+        run: python3 scripts/ci/report-alert.py ci-unit outputs/ci/unit/report.json
+
   ci-deps-unit:
     name: ci-deps-unit
     runs-on: ubuntu-latest
@@ -295,6 +299,10 @@ PY
         run: |
           test -f outputs/ci/deps-unit/report.json && cat outputs/ci/deps-unit/report.json || true
 
+      - name: Alert on dependency-focused unit lane report
+        if: always()
+        run: python3 scripts/ci/report-alert.py ci-deps-unit outputs/ci/deps-unit/report.json
+
   ci-integration:
     name: ci-integration
     runs-on: ubuntu-latest
@@ -344,6 +352,10 @@ PY
         run: |
           test -f outputs/ci/integration/report.json && cat outputs/ci/integration/report.json || true
 
+      - name: Alert on integration lane report
+        if: always()
+        run: python3 scripts/ci/report-alert.py ci-integration outputs/ci/integration/report.json
+
   ci-e2e-smoke:
     name: ci-e2e-smoke
     runs-on: ubuntu-latest
@@ -391,6 +403,10 @@ PY
         run: |
           test -f outputs/ci/e2e-smoke/report.json && cat outputs/ci/e2e-smoke/report.json || true
 
+      - name: Alert on e2e smoke lane report
+        if: always()
+        run: python3 scripts/ci/report-alert.py ci-e2e-smoke outputs/ci/e2e-smoke/report.json
+
   ci-fuzz:
     name: ci-fuzz
     runs-on: ubuntu-latest
@@ -438,6 +454,10 @@ PY
         run: |
           test -f outputs/ci/fuzz/report.json && cat outputs/ci/fuzz/report.json || true
 
+      - name: Alert on fuzz lane report
+        if: always()
+        run: python3 scripts/ci/report-alert.py ci-fuzz outputs/ci/fuzz/report.json
+
   ci-e2e-full:
     name: ci-e2e-full
     if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
@@ -485,3 +505,7 @@ PY
         if: always()
         run: |
           test -f outputs/ci/e2e-full/report.json && cat outputs/ci/e2e-full/report.json || true
+
+      - name: Alert on e2e full lane report
+        if: always()
+        run: python3 scripts/ci/report-alert.py ci-e2e-full outputs/ci/e2e-full/report.json

.pre-commit-config.yaml

@@ -47,10 +47,10 @@ repos:
   # Local hooks for custom checks
   - repo: local
     hooks:
-      # Enforce local/CI parity lane via mage-compatible entrypoint
+      # Enforce local/CI parity lane via npm wrapper
       - id: ci-debug-parity
-        name: CI debug parity gate (magew ci:debug)
-        entry: ./magew ci:debug
+        name: CI debug parity gate (npm run ci:debug)
+        entry: npm run ci:debug --silent
         language: system
         pass_filenames: false
         require_serial: true
@@ -80,13 +80,13 @@ repos:
         pass_filenames: false
         description: Ensures code compiles successfully
 
-      # Verify E2E tests have build tags
-      - id: verify-e2e-build-tags
-        name: Verify E2E build tags
-        entry: bash -c 'for f in test/e2e/*_test.go; do head -1 "$f" | grep -q "//go:build e2e" || { echo "ERROR: $f missing //go:build e2e tag"; exit 1; }; done'
+      # Verify environment-dependent tests are build-tagged
+      - id: verify-test-build-tags
+        name: Verify test build tags
+        entry: bash scripts/ci/check-test-tags.sh
         language: system
         pass_filenames: false
-        description: Ensures all E2E tests have proper build tags
+        description: Ensures environment-dependent tests keep their explicit build tags
 
       # Check for deprecated benchmark pattern
       - id: check-benchmark-pattern

pkg/ai/ai.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"os"
 	"strings"
 	"time"
@@ -437,6 +438,10 @@ func (ai *AIAssistant) sendRequest(rc *eos_io.RuntimeContext, request AIRequest)
 		url = ai.baseURL + "/messages"
 	}
 
+	if err := validateRequestURL(url); err != nil {
+		return nil, err
+	}
+
 	// Create HTTP request
 	req, err := http.NewRequestWithContext(rc.Ctx, "POST", url, bytes.NewBuffer(requestBody))
 	if err != nil {
@@ -492,6 +497,23 @@ func (ai *AIAssistant) sendRequest(rc *eos_io.RuntimeContext, request AIRequest)
 	return &aiResponse, nil
 }
 
+func validateRequestURL(rawURL string) error {
+	parsedURL, err := url.Parse(rawURL)
+	if err != nil {
+		return fmt.Errorf("invalid AI request URL: %w", err)
+	}
+
+	if parsedURL.Scheme != "http" && parsedURL.Scheme != "https" {
+		return fmt.Errorf("invalid AI request URL scheme %q", parsedURL.Scheme)
+	}
+
+	if parsedURL.Host == "" {
+		return fmt.Errorf("invalid AI request URL host")
+	}
+
+	return nil
+}
+
 // NewConversationContext creates a new conversation context
 func NewConversationContext(systemPrompt string) *ConversationContext {
 	return &ConversationContext{

pkg/ai/ai_security_test.go

@@ -369,7 +369,10 @@ func TestAIErrorHandling(t *testing.T) {
 			model:     "claude-3-sonnet-20240229",
 			maxTokens: 100,
 			client: func() *httpclient.Client {
-				c, _ := httpclient.NewClient(&httpclient.Config{Timeout: 30 * time.Second})
+				cfg := httpclient.TestConfig()
+				cfg.Timeout = 250 * time.Millisecond
+				cfg.RetryConfig.MaxRetries = 0
+				c, _ := httpclient.NewClient(cfg)
 				return c
 			}(),
 		}
@@ -379,10 +382,8 @@ func TestAIErrorHandling(t *testing.T) {
 			Messages:     []AIMessage{},
 		}
 
-		// This should handle the invalid URL gracefully
 		_, err := assistant.Chat(rc, ctx, "test message")
-		if err != nil {
-			t.Logf("Expected error for invalid URL: %v", err)
-		}
+		assert.Error(t, err, "Should return error for invalid URL")
+		assert.Contains(t, err.Error(), "invalid AI request URL")
 	})
 }

pkg/ai/ai_test.go

@@ -334,8 +334,12 @@ func TestHTTPRequestSecurity(t *testing.T) {
 	t.Run("request_timeout_security", func(t *testing.T) {
 		// Create a server that delays response longer than client timeout
 		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			time.Sleep(10 * time.Second) // Delay much longer than client timeout
-			w.WriteHeader(http.StatusOK)
+			select {
+			case <-time.After(10 * time.Second):
+				w.WriteHeader(http.StatusOK)
+			case <-r.Context().Done():
+				return
+			}
 		}))
 		defer server.Close()
 

pkg/ai/comprehensive_test.go

@@ -480,7 +480,10 @@ func TestChatErrorHandling(t *testing.T) {
 			model:     "claude-3-sonnet-20240229",
 			maxTokens: 100,
 			client: func() *httpclient.Client {
-				c, _ := httpclient.NewClient(&httpclient.Config{Timeout: 30 * time.Second})
+				cfg := httpclient.TestConfig()
+				cfg.Timeout = 250 * time.Millisecond
+				cfg.RetryConfig.MaxRetries = 0
+				c, _ := httpclient.NewClient(cfg)
 				return c
 			}(),
 		}
@@ -490,11 +493,9 @@ func TestChatErrorHandling(t *testing.T) {
 			Messages:     []AIMessage{},
 		}
 
-		// This should handle the invalid URL gracefully
 		_, err := assistant.Chat(rc, ctx, "test message")
-		if err != nil {
-			t.Logf("Expected error for invalid URL: %v", err)
-		}
+		assert.Error(t, err, "Should return error for invalid URL")
+		assert.Contains(t, err.Error(), "invalid AI request URL")
 	})
 }
 

pkg/authentication/comprehensive_test.go

@@ -567,10 +567,10 @@ func TestAuthenticationFlow(t *testing.T) {
 // TestTokenValidation tests token validation and lifecycle
 func TestTokenValidation(t *testing.T) {
 	t.Parallel()
-	mockProvider := new(MockAuthProvider)
 
 	t.Run("valid token", func(t *testing.T) {
 		t.Parallel()
+		mockProvider := new(MockAuthProvider)
 		ctx := context.Background()
 		token := generateTestToken()
 
@@ -594,6 +594,7 @@ func TestTokenValidation(t *testing.T) {
 
 	t.Run("expired token", func(t *testing.T) {
 		t.Parallel()
+		mockProvider := new(MockAuthProvider)
 		ctx := context.Background()
 		token := generateTestToken()
 
@@ -615,6 +616,7 @@ func TestTokenValidation(t *testing.T) {
 
 	t.Run("invalid token", func(t *testing.T) {
 		t.Parallel()
+		mockProvider := new(MockAuthProvider)
 		ctx := context.Background()
 		token := "invalid-token"
 
@@ -628,6 +630,7 @@ func TestTokenValidation(t *testing.T) {
 
 	t.Run("revoked token", func(t *testing.T) {
 		t.Parallel()
+		mockProvider := new(MockAuthProvider)
 		ctx := context.Background()
 		token := generateTestToken()
 

pkg/authentik/unified_client.go

@@ -29,6 +29,15 @@ type UnifiedClient struct {
 	httpClient *http.Client
 }
 
+var waitForRetry = func(ctx context.Context, delay time.Duration) error {
+	select {
+	case <-time.After(delay):
+		return nil
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+}
+
 // NewUnifiedClient creates a new unified Authentik API client
 // SECURITY: Enforces TLS 1.2+ for all API communication
 // RELIABILITY: Includes retry logic with exponential backoff
@@ -69,18 +78,21 @@ func (c *UnifiedClient) DoRequest(ctx context.Context, method, path string, body
 	var lastErr error
 	maxRetries := 3
 	baseDelay := time.Second
+	nextDelay := time.Duration(0)
 
 	for attempt := 0; attempt <= maxRetries; attempt++ {
 		if attempt > 0 {
 			// P1 FIX: Use Retry-After header if present (from previous attempt)
 			// RATIONALE: API knows best when to retry (rate limit windows, maintenance)
 			// SECURITY: Prevents aggressive retry that could trigger IP ban
 			// Note: retryAfter is set below when we get 429/503 response
-			delay := baseDelay * time.Duration(1<<uint(attempt-1)) // Default: exponential backoff
-			select {
-			case <-time.After(delay):
-			case <-ctx.Done():
-				return nil, ctx.Err()
+			delay := nextDelay
+			if delay <= 0 {
+				delay = baseDelay * time.Duration(1<<uint(attempt-1)) // Default: exponential backoff
+			}
+			nextDelay = 0
+			if err := waitForRetry(ctx, delay); err != nil {
+				return nil, err
 			}
 		}
 
@@ -137,17 +149,12 @@ func (c *UnifiedClient) DoRequest(ctx context.Context, method, path string, body
 			if retryAfter := resp.Header.Get("Retry-After"); retryAfter != "" {
 				// Retry-After can be seconds (integer) or HTTP date
 				if seconds, parseErr := strconv.Atoi(retryAfter); parseErr == nil && seconds > 0 {
-					// Wait for specified seconds before next retry
 					retryDelay := time.Duration(seconds) * time.Second
 					// Cap at 5 minutes to prevent indefinite wait
 					if retryDelay > 5*time.Minute {
 						retryDelay = 5 * time.Minute
 					}
-					select {
-					case <-time.After(retryDelay):
-					case <-ctx.Done():
-						return nil, ctx.Err()
-					}
+					nextDelay = retryDelay
 				}
 				// Note: HTTP date format parsing not implemented - use default backoff
 			}