Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR adds a comprehensive VyOS test lab infrastructure with Docker-based deployment scripts, network configuration, and integration documentation for the bbctl CLI. The changes primarily introduce new test infrastructure files and documentation to support multi-tenant networking scenarios.
Key Changes
- Added Docker-based VyOS test lab setup with automated provisioning scripts
- Introduced network configuration files for L3VPN/EVPN, WireGuard, and OSPF
- Added comprehensive documentation for VyOS networking and test lab setup
- Created TypeScript schema definitions and OpenAPI integration files
Reviewed Changes
Copilot reviewed 57 out of 61 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| tests/vyos-lab/setup-lab.sh | Main orchestration script for VyOS lab deployment with router configuration |
| tests/vyos-lab/scripts/*.sh | Individual setup scripts for base infrastructure, containers, L3VPN, and WireGuard |
| tests/vyos-lab/README.md | Documentation for the VyOS test lab environment |
| docs/vyos-*.md | Comprehensive networking architecture and test lab documentation |
| src/main.rs | Added TestVyOS command for connectivity testing |
| schema.ts | TypeScript/Zod schemas for API validation |
| package.json | Added npm scripts and dependencies for TypeScript tooling |
Comments suppressed due to low confidence (6)
src/main.rs:1
- The TestVyOS command destructuring pattern is missing several fields that are defined in the command struct (password, key_path, api_key). This will cause a compilation error. Include all fields in the destructuring pattern or use
..to ignore unused fields.
src/main.rs:1 - [nitpick] The default host IP '5.254.54.3' appears to be a public IP address that may not be appropriate as a default value. Consider using 'localhost' or a more generic local IP address as the default.
tests/vyos-lab/setup-lab.sh:1 - The script references ${SCRIPT_DIR}/scripts/ but SCRIPT_DIR is defined relative to the current script location. The scripts directory should exist at ${SCRIPT_DIR}/scripts/, but the actual scripts are in a sibling 'scripts' directory based on the file structure. This path should be verified or corrected.
tests/vyos-lab/scripts/setup-base.sh:1 - Hardcoded interface name 'eth0' may not exist on all systems. Consider detecting the default route interface dynamically using
ip route show default | awk '{print $5}'or making it configurable.
tests/vyos-lab/scripts/configure-wireguard.sh:1 - The regex pattern for extracting the WireGuard private key expects exactly 43 characters, but WireGuard keys are base64-encoded 32-byte values resulting in 44 characters (including padding). The pattern should be
[A-Za-z0-9+/=]\{44\}to correctly match WireGuard keys.
tests/vyos-lab/scripts/setup-vyos-container.sh:1 - The encrypted password hash is exposed in plain text in the configuration script. While this is a test environment, it's better practice to generate unique passwords per deployment or document that this is the hash for the default 'vyos' password.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
schema.ts
Outdated
| provider: ProviderTypeEnum, | ||
| providerId: z.string(), | ||
| region: z.string(), | ||
| cidr: z.string().regex(/^([0-9]{1,3}\.){3}[0-9]{1,3}\/[0-9]{1,2}$/), |
There was a problem hiding this comment.
The CIDR regex validation only checks the format but doesn't validate that octets are in the valid range (0-255) or that the prefix length is valid (0-32 for IPv4). Consider using a more robust validation or IP validation library to prevent invalid CIDR blocks like '999.999.999.999/99'.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 57 out of 61 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (8)
vyos-lab/setup-network.sh:1
- The hardcoded absolute path
/home/bodnar/vyos-labmakes this script non-portable. Use$(dirname "$0")or a relative path to make the script work for other users and environments.
vyos-lab/mkosi.default:1 - Hardcoded path contains a specific username 'bodnar'. This should use a relative path or environment variable to ensure portability across different user environments.
tests/vyos-lab/setup-lab.sh:1 - The default host IP
5.254.54.3appears to be a public IP address. For a test lab, consider using private IP ranges (e.g., 192.168.x.x or 10.x.x.x) to avoid potential conflicts with real public IPs.
tests/vyos-lab/scripts/setup-base.sh:1 - The script assumes network interface
eth0exists. Modern systems may use different interface naming schemes (e.g., ens33, enp0s3). Consider detecting the default interface dynamically or documenting this assumption.
tests/vyos-lab/scripts/setup-vyos-container.sh:1 - Using a hardcoded password hash in test scripts is a security concern if these scripts are ever used in non-test environments. Add a prominent comment warning that this is for testing only, or better yet, generate unique passwords per deployment.
src/main.rs:1 - The error message refers to implementation details ('tokio runtime') that may confuse users. This appears to be a placeholder that returns an error, but the actual implementation exists later in main(). Consider removing this unreachable code path or updating the comment to clarify the control flow.
src/network.rs:1 - The code accesses
config.portwithunwrap_or(), but theWireguardConfigstruct definesportas a non-optionalu16field. This suggests either the struct definition is incorrect or this code is outdated. The struct should haveport: Option<u16>if this fallback is intended.
src/services/instance.rs:1 - The hardcoded node name 'pve' is a placeholder that could cause issues in production. This should either retrieve the actual node name from the instance metadata or be documented as a limitation that requires configuration.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "typescript": "^5.2.2" | ||
| }, | ||
| "engines": { | ||
| "bun": ">=1.0.0" |
There was a problem hiding this comment.
The package requires Bun >=1.0.0 but doesn't document this requirement prominently in the README or installation instructions. Users following the installation guide might not realize they need Bun installed.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
- Add complete TypeScript/Zod schema definitions for all API models - Implement OpenAPI 3.1 specification generation with Swagger UI - Set up Bun runtime environment with TypeScript support - Add comprehensive API documentation and integration guides - Configure ESLint for TypeScript with strict validation rules - Create example validation scripts and development workflows - Establish schema compatibility between Rust backend and TypeScript API - Add documentation index with complete guide references - Implement automated OpenAPI schema generation from Zod schemas
Restores the full 1,241 lines of critical infrastructure documentation that was accidentally truncated to just the header section. Content includes: - Complete architecture overview with mermaid diagrams - Network addressing schemas - Physical infrastructure setup procedures - Hypervisor layer configuration (NIC, SR-IOV, LACP, OVS) - VyOS VM deployment using mkosi and systemd-vmspawn - WireGuard control plane configuration - Complete bash scripts for infrastructure automation Restored from commit 8467274 which has correct markdown formatting (```bash without spaces) instead of the bad formatting introduced in later commits (``` bash with spaces). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Restores README.md from commit 8467274 which has correct markdown formatting (```bash without spaces) instead of the bad formatting introduced in later commits (``` bash with spaces). All documentation sections are preserved: - Testing with VyOS Lab Environment - Complete Documentation section with all guide links - Examples section for TypeScript validation 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Adds back Rust/Cargo-specific comments and patterns from the initial commit while maintaining the clean, deduplicated structure: - Rust/Cargo section with explanatory comments about Cargo.lock - Rust-specific patterns: debug/, target/, **/*.rs.bk, *.pdb - Maintains comprehensive coverage of Bun, Node.js, TypeScript, IDE, OS-specific files, environment variables, debug, testing, and logs Removes duplicate entries that were present in the main branch. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Restores PLAN.md and docs/vyos-test-lab-setup.md from commit 8467274 which has correct markdown formatting: - Single space after bullets (- item) instead of triple (-) - Single space after numbered lists (1. item) instead of double (1. ) - No extra blank lines after headers All substantive content is preserved, only formatting corrected. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Daniel Bodnar <1790726+danielbodnar@users.noreply.github.com>
… check Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Daniel Bodnar <1790726+danielbodnar@users.noreply.github.com>
danielbodnar
force-pushed
the
chore/bisect
branch
from
592b682 to
f934dfb
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 45 out of 50 changed files in this pull request and generated 21 comments.
Comments suppressed due to low confidence (2)
package.json:58
package.jsonhas an extra closing brace at the end, making the JSON invalid and breaking installs/tooling. Remove the trailing}so the file ends with a single top-level object close.
}
}
docs/api-readme.md:37
- The OpenAPI generation instructions include duplicated headings and a malformed code fence (an opening
bash, then bullet text, then anotherbash). This breaks Markdown rendering and makes the instructions hard to follow. Remove the duplicated prerequisite/install blocks and use a single properly-delimited code fence for commands.
- Bun 1.0 or higher
### Installation
```bash
- Bun 1.0 or higher
### Installation
```bash
cd bitbuilder.io/bbctl
bun install
</details>
---
💡 <a href="/bitbuilder-io/bbctl/new/main?filename=.github/instructions/*.instructions.md" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Add Copilot custom instructions</a> for smarter, more guided reviews. <a href="https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions-for-github-copilot" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Learn how to get started</a>.
| - systemctl restart frr | ||
| - echo "Router 2 setup complete" | ||
| - echo "Router 2 setup complete" |
| ## Security Considerations | ||
|
|
||
|
|
||
| ## Security Considerations | ||
| - Isolation between tenants using VRFs |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Daniel Bodnar <1790726+danielbodnar@users.noreply.github.com>
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub. |
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Daniel Bodnar <1790726+danielbodnar@users.noreply.github.com>
Removed duplicate conclusion paragraph in PLAN.md Signed-off-by: Daniel Bodnar <1790726+danielbodnar@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Daniel Bodnar <1790726+danielbodnar@users.noreply.github.com>
|
|
||
| // Optionally disable TLS certificate verification for lab/dev setups | ||
| if !self.config.verify_ssl { | ||
| builder = builder.danger_accept_invalid_certs(true); |
Check failure
Code scanning / CodeQL
Disabled TLS certificate check High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 5 days ago
In general, to fix this problem, the HTTP client must never disable TLS certificate validation in production code. Instead of toggling danger_accept_invalid_certs(true) at runtime, certificate verification should remain enabled (the default), and any special handling for lab/dev environments should be implemented in a safer way (for example, by using proper test certificates or environment‑specific roots, not by disabling validation).
The best fix here, without changing existing functionality more than necessary, is to remove the call to danger_accept_invalid_certs(true) entirely and rely on the default behavior of reqwest::Client::builder(), which is to validate certificates. If you still want an explicit link between verify_ssl and client behavior, you can set danger_accept_invalid_certs(false) when verify_ssl is true, but that is redundant and not required for correctness. Since we cannot change the rest of the code and want a minimal, safe change, we will simply delete the conditional block that disables TLS verification and leave the rest of init_http_client intact. No new imports, methods, or definitions are needed; the change is localized to init_http_client in src/api/vyos.rs, lines 116–119.
| @@ -110,14 +110,9 @@ | ||
| /// Initialize HTTP client for API operations | ||
| fn init_http_client(&mut self) -> Result<()> { | ||
| if self.http_client.is_none() { | ||
| let mut builder = Client::builder() | ||
| let builder = Client::builder() | ||
| .timeout(Duration::from_secs(self.config.timeout)); | ||
|
|
||
| // Optionally disable TLS certificate verification for lab/dev setups | ||
| if !self.config.verify_ssl { | ||
| builder = builder.danger_accept_invalid_certs(true); | ||
| } | ||
|
|
||
| let client = builder | ||
| .build() | ||
| .context("Failed to build HTTP client")?; |
This pull request introduces several foundational improvements to the BitBuilder Cloud CLI (bbctl) project, focusing on documentation, configuration, code quality, and initial planning. The changes establish a clear project structure, add configuration and linting for both Rust and TypeScript development, and provide comprehensive guides and plans for future development.
Project Planning and Documentation:
PLAN.md.docs/api-readme.md, including instructions for schema validation, type safety, and client generation.docs/configuration-guide.md, covering all aspects of bbctl configuration, provider and credential management, and best practices.README.mdwith instructions for testing against a VyOS lab environment.Development Environment and Tooling:
.eslintrc.jsonfor TypeScript linting with recommended rules and project-specific overrides.bunfig.tomlto configure Bun for dependency management, testing, and building TypeScript code.Cargo.tomlto include theuuidcrate for networking and security features, preparing for future API and RPC additions.Developer Experience and Guidelines:
CLAUDE.mdwith more detailed build, test, and style guidelines, including project structure, code formatting, and naming conventions. [1] [2] [3] [4]These changes lay the groundwork for robust development practices, clear documentation, and a maintainable codebase as bbctl evolves.