Release 0.11.1

.github/workflows/pytest.yml → .github/workflows/lshell-tests.yml

@@ -1,57 +1,89 @@
-# This workflow will install Python dependencies, run tests and lint with a single version of Python
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
-
-name: Pytest
+name: Lshell Tests
 
 on:
   push:
-    branches: [ "master" ]
+    branches: [ "main", "pre-release" ]
   pull_request:
+    branches: [ "main", "pre-release" ]
+  workflow_dispatch:
 
 permissions:
   contents: read
 
 jobs:
-  build:
-
+  pytest:
+    name: Pytest Unit/Integration Tests
     runs-on: ubuntu-latest
 
     steps:
     - uses: actions/checkout@v4
     - name: Set up Python 3.10
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v5
       with:
         python-version: "3.10"
     - name: Set up Python path
       run: echo "PYTHONPATH=$PWD" >> $GITHUB_ENV
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install flake8 pytest
+        pip install pytest
         if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
     - name: Install the lshell package
       run: pip install .
-    - name: Lint with flake8
+    - name: Test with pytest
+      run: |
+        pytest
+
+  lint:
+    name: Lint + Flake8
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.8", "3.9", "3.10"]
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Set up Python path
+      run: echo "PYTHONPATH=$PWD" >> $GITHUB_ENV
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install pylint flake8
+        if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+    - name: Analyse with pylint and flake8
       run: |
+        pylint lshell test
         # stop the build if there are Python syntax errors or undefined names
         flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
         # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
         flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
-    - name: Test with pytest
+
+  fuzz-security-parser:
+    name: Fuzz Security Parser/Policy
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Install just
+      uses: taiki-e/install-action@just
+    - name: Fuzz security parser/policy
+      timeout-minutes: 45
       run: |
-        pytest
+        just test-fuzz-security-parser 20000
 
   ssh-e2e:
-    name: SSH E2E (Docker + Ansible)
+    name: SSH End-to-End (Docker + Ansible)
     runs-on: ubuntu-latest
 
     steps:
     - uses: actions/checkout@v4
-
     - name: Run SSH end-to-end tests
       run: |
         docker compose -f docker-compose.e2e.yml up --build --abort-on-container-exit --exit-code-from ansible-runner ansible-runner
-
     - name: Cleanup SSH E2E stack
       if: always()
       run: |

.github/workflows/pypi-publish.yml

@@ -1,53 +1,93 @@
-name: Publish Python 🐍 distribution 📦 to PyPI and TestPyPI
+name: Publish Python 🐍 distribution 📦 to PyPI
 
-on: 
+on:
   push:
+    branches:
+    - pre-release
     tags:
-      - '*'
+    - "*"
+
+permissions:
+  contents: read
 
 jobs:
-  build:
-    name: Build distribution 📦
+  publish:
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/limited-shell
+    permissions:
+      id-token: write
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        fetch-depth: 2
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
         python-version: "3.x"
-    - name: Install pypa/build
-      run: >-
-        python3 -m
-        pip install
-        build
-        --user
-    - name: Build a binary wheel and a source tarball
-      run: python3 -m build
-    - name: Store the distribution packages
-      uses: actions/upload-artifact@v4
-      with:
-        name: python-package-distributions
-        path: dist/
-
-  publish-to-pypi:
-    name: >-
-      Publish Python 🐍 distribution 📦 to PyPI
-    needs:
-    - build
-    runs-on: ubuntu-latest
+    - name: Decide whether to publish
+      id: decide
+      env:
+        REF_TYPE: ${{ github.ref_type }}
+        REF_NAME: ${{ github.ref_name }}
+        SHA: ${{ github.sha }}
+        BEFORE_SHA: ${{ github.event.before }}
+      run: |
+        set -euo pipefail
+        CURRENT_VERSION="$(python3 -c 'from lshell.variables import __version__; print(__version__)')"
+        echo "version=${CURRENT_VERSION}" >> "${GITHUB_OUTPUT}"
 
-    environment:
-      name: pypi
-      url: https://pypi.org/p/limited-shell
-    permissions:
-      id-token: write  # IMPORTANT: mandatory for trusted publishing
+        # Official releases: tag is required and must match package version.
+        if [[ "${REF_TYPE}" == "tag" ]]; then
+          if [[ "${REF_NAME}" == "${CURRENT_VERSION}" ]]; then
+            echo "should_publish=true" >> "${GITHUB_OUTPUT}"
+            echo "reason=tag_release" >> "${GITHUB_OUTPUT}"
+          else
+            echo "should_publish=false" >> "${GITHUB_OUTPUT}"
+            echo "reason=tag_version_mismatch" >> "${GITHUB_OUTPUT}"
+          fi
+          exit 0
+        fi
 
-    steps:
-    - name: Download all the dists
-      uses: actions/download-artifact@v4
-      with:
-        name: python-package-distributions
-        path: dist/
+        # Auto RC release from pre-release only when version file changed.
+        if [[ "${REF_NAME}" != "pre-release" ]]; then
+          echo "should_publish=false" >> "${GITHUB_OUTPUT}"
+          echo "reason=not_pre_release_branch" >> "${GITHUB_OUTPUT}"
+          exit 0
+        fi
+
+        if [[ "${CURRENT_VERSION}" != *rc* ]]; then
+          echo "should_publish=false" >> "${GITHUB_OUTPUT}"
+          echo "reason=not_rc_version" >> "${GITHUB_OUTPUT}"
+          exit 0
+        fi
+
+        if [[ -z "${BEFORE_SHA}" || "${BEFORE_SHA}" =~ ^0+$ ]]; then
+          echo "should_publish=false" >> "${GITHUB_OUTPUT}"
+          echo "reason=missing_before_sha" >> "${GITHUB_OUTPUT}"
+          exit 0
+        fi
+
+        if ! git diff --name-only "${BEFORE_SHA}..${SHA}" | grep -qx "lshell/variables.py"; then
+          echo "should_publish=false" >> "${GITHUB_OUTPUT}"
+          echo "reason=version_file_not_changed" >> "${GITHUB_OUTPUT}"
+          exit 0
+        fi
+
+        echo "should_publish=true" >> "${GITHUB_OUTPUT}"
+        echo "reason=rc_version_file_changed" >> "${GITHUB_OUTPUT}"
+    - name: Decision summary
+      run: |
+        echo "should_publish=${{ steps.decide.outputs.should_publish }}"
+        echo "version=${{ steps.decide.outputs.version }}"
+        echo "reason=${{ steps.decide.outputs.reason }}"
+    - name: Build distribution 📦
+      if: steps.decide.outputs.should_publish == 'true'
+      run: |
+        python3 -m pip install --upgrade build
+        python3 -m build
     - name: Publish distribution 📦 to PyPI
-      uses: pypa/gh-action-pypi-publish@release/v1
+      if: steps.decide.outputs.should_publish == 'true'
+      uses: pypa/gh-action-pypi-publish@release/v1

.gitignore

@@ -9,3 +9,4 @@ dist/
 test.lsh
 .pylint_cache/
 .pylint.d/
+.hypothesis/

CHANGELOG.md

@@ -3,6 +3,20 @@
 Contact: [ghantoos@ghantoos.org](mailto:ghantoos@ghantoos.org)  
 [https://github.com/ghantoos/lshell](https://github.com/ghantoos/lshell)
 
+### v0.11.1 21/03/2026
+- Feature: Added `lshell setup-system` to provision logging paths/permissions and user/group wiring for deployments.
+- Feature: Added `lshell harden-init` with hardened templates (`sftp-only`, `rsync-backup`, `deploy-minimal`, `readonly-support`) plus `--dry-run`, scoped `[grp:*]`/`[user:*]`, and validation checks.
+- Feature: Added configurable handling for `command not found` messages.
+- Feature: Hardened CLI env argument parsing for `LSHELL_ARGS`.
+- Feature: Added ECS-compatible JSON security audit events via `security_audit_json`.
+- Feature: Added runtime containment controls: `max_sessions_per_user`, `max_background_jobs`, `command_timeout`, and `max_processes` (`RLIMIT_NPROC`), and surfaced them in policy diagnostics.
+- Feature: Improved shell signal behavior for `Ctrl+C`/interrupt flows and `Ctrl+D` handling when stopped/background jobs exist.
+- Package: Added packaged Bash completion support (`etc/bash_completion.d/lshell`).
+- Package: Updated DEB/RPM packaging and smoke-test scripts for more stable build/install validation.
+- Package: Migrated packaging/build metadata to `pyproject.toml` (PEP 517) and removed `setup.py`.
+- Tests: Expanded audit test coverage for structured security events.
+- Tests: Added parser fuzzing support (`Atheris`) and expanded security/property-based tests.
+
 ### v0.11.0 10/03/2026
 - Reworked command parsing with a new `pyparsing`-based parser for more reliable command handling.
 - Added policy diagnostics and built-ins: `policy-show`, `policy-path`, and `policy-sudo`.

Dockerfile

@@ -7,7 +7,7 @@ RUN \
     # For Debian/Ubuntu
     if [ -f /etc/debian_version ]; then \
         apt-get update && \
-        apt-get install -y python3 python3-pip git flake8 pylint python3-pytest python3-pexpect python3-setuptools python3-pyparsing vim procps sudo && \
+        apt-get install -y python3 python3-pip python3-dev build-essential clang libclang-rt-dev git flake8 pylint python3-pytest python3-pexpect python3-setuptools python3-pyparsing vim procps sudo && \
         apt-get clean; \
         groupadd -f testuser; \
         useradd -m -d /home/testuser -s /bin/bash -g testuser testuser; \
@@ -50,8 +50,15 @@ ENV PYTHONPATH=/home/testuser/lshell
 # Copy the code and requirements
 COPY . /home/testuser/lshell
 
-# Install lshell from the source
-RUN python3 setup.py install
+# Install test/runtime Python dependencies from the repository requirements.
+# Debian/Ubuntu images may require --break-system-packages (PEP 668).
+RUN python3 -m pip install --no-cache-dir -r /home/testuser/lshell/requirements.txt \
+    || python3 -m pip install --break-system-packages --no-cache-dir -r /home/testuser/lshell/requirements.txt
+
+# Install lshell from source via PEP 517/pyproject.toml.
+# Debian/Ubuntu images may require --break-system-packages (PEP 668).
+RUN python3 -m pip install --no-cache-dir --no-deps --no-build-isolation /home/testuser/lshell \
+    || python3 -m pip install --break-system-packages --no-cache-dir --no-deps --no-build-isolation /home/testuser/lshell
 
 # Switch to `testuser`
 USER testuser

MANIFEST.in

@@ -3,5 +3,6 @@ include README.md
 include CHANGELOG.md
 include etc/lshell.conf
 include etc/logrotate.d/lshell
+include etc/bash_completion.d/lshell
 include man/lshell.1
 include MANIFEST.in

Makefile

@@ -3,7 +3,7 @@
 # $Id: Makefile,v 1.16 2010-03-06 23:11:38 ghantoos Exp $
 #
 
-PYTHON=`which python`
+PYTHON=`which python3`
 DESTDIR=/
 BUILDIR=$(CURDIR)/debian/lshell
 PROJECT=lshell
@@ -17,27 +17,26 @@ all:
 		@echo "make clean - Get rid of scratch and byte files"
 
 source:
-		$(PYTHON) setup.py sdist
+		$(PYTHON) -m build --sdist
 
 sourcedeb:
-		$(PYTHON) setup.py sdist --dist-dir=../ --prune
-		rename -f 's/$(PROJECT)-(.*)\.tar\.gz/$(PROJECT)_$$1\.orig\.tar\.gz/' ../*
+		$(PYTHON) -m build --sdist --outdir=../
+		rename -f 's/limited_shell-(.*)\.tar\.gz/$(PROJECT)_$$1\.orig\.tar\.gz/' ../limited_shell-*.tar.gz
 
 install: 
-		$(PYTHON) setup.py install --root=$(DESTDIR) --no-compile
+		$(PYTHON) -m pip install --no-deps --no-build-isolation --root=$(DESTDIR) --no-compile .
 
 buildrpm: 
-		$(PYTHON) setup.py bdist_rpm --pre-install=rpm/preinstall --post-install=rpm/postinstall --post-uninstall=rpm/postuninstall
+		rpmbuild -ba rpm/lshell.spec
 
 builddeb:
 		# build the source package in the parent directory 
 		# then rename it to project_version.orig.tar.gz
-		$(PYTHON) setup.py sdist --dist-dir=../ --prune
-		rename -f 's/$(PROJECT)-(.*)\.tar\.gz/$(PROJECT)_$$1\.orig\.tar\.gz/' ../*
+		$(PYTHON) -m build --sdist --outdir=../
+		rename -f 's/limited_shell-(.*)\.tar\.gz/$(PROJECT)_$$1\.orig\.tar\.gz/' ../limited_shell-*.tar.gz
 		# build the package
 		dpkg-buildpackage -i -I -rfakeroot
 
 clean:
-		$(PYTHON) setup.py clean
-		rm -rf build/ MANIFEST dist/
+		rm -rf build/ MANIFEST dist/ *.egg-info
 		find . -name '*.pyc' -delete