Deepen kitty audit and hardening automation #19
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR enhances the kitty configuration hardening and automation infrastructure by adding comprehensive validation, monitoring, and synchronization safeguards. It introduces password validation for remote control, helper script health checks, multi-vendor GPU telemetry support, and interactive sync confirmations with automatic snapshots. Additionally, it automates lint discovery across the entire kitty tree and documents all improvements in a comprehensive audit report.
Key Changes
- Added remote control password validation and keybinding script verification to prevent misconfigurations
- Extended GPU monitoring to support NVIDIA, AMD (ROCm), and Intel GPUs with graceful fallbacks
- Enhanced sync operations with destructive action confirmations and automatic tarball snapshots for rollback capability
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| kitty/verify-config.sh | Adds security validation for remote_control_password and executable checks for all keybinding helper scripts |
| kitty/system-monitor.sh | Implements multi-vendor GPU detection and telemetry with vendor-specific label display |
| kitty/scripts/sync.sh | Introduces confirmation prompts and snapshot creation before destructive sync operations |
| kitty/scripts/lint.sh | Automates discovery of all shell scripts using find instead of hardcoded list |
| kitty/HARDENING-AUDIT-REPORT.md | Documents delivered hardening enhancements and remaining improvement opportunities |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if [[ ${#SCRIPTS[@]} -eq 0 ]]; then | ||
| echo -e "${RED}❌ No shell scripts found under $KITTY_ROOT${NC}" | ||
| exit 1 | ||
| fi |
There was a problem hiding this comment.
The color variables RED and NC are used before they are defined. The color definitions appear at lines 31-35, but they are referenced here at lines 27-28. This will cause the error message to display literal '${RED}' and '${NC}' instead of colored output. Move the color variable definitions (lines 31-35) to before line 26.
| local_rel="${script#./}" | ||
| rel_path="$local_rel" |
There was a problem hiding this comment.
The local keyword is a bash built-in for declaring function-local variables, but local_rel is being used as a regular variable name outside a function context. While this works, the naming is misleading. Consider renaming to script_rel or similar to avoid confusion with the local keyword.
| local_rel="${script#./}" | |
| rel_path="$local_rel" | |
| script_rel="${script#./}" | |
| rel_path="$script_rel" |
| 5. **Telemetry privacy & resilience** – monitors scope process management to the invoking user, clean window titles on exit, and fall back when GPU/temperature commands are absent, preventing leaked state across sessions.【F:kitty/system-monitor.sh†L21-L89】【F:kitty/stop-monitor.sh†L12-L34】 | ||
|
|
||
| ## 4. Delivered Hardening Enhancements | ||
| 1. **Remote-control password hygiene** – `verify-config.sh` now asserts that `remote_control_password` is defined (and not left at the placeholder), so multi-user deployments get an explicit red/yellow signal before exposing `kitty @` sockets.【F:kitty/verify-config.sh†L170-L211】 |
There was a problem hiding this comment.
The line reference 'L170-L211' is inconsistent with the actual implementation. The remote_control_password validation code spans lines 178-189 in verify-config.sh, not 170-211. The range 170-211 includes unrelated remote control socket configuration checks. Update the reference to 【F:kitty/verify-config.sh†L178-L189】 for accuracy.
| 1. **Remote-control password hygiene** – `verify-config.sh` now asserts that `remote_control_password` is defined (and not left at the placeholder), so multi-user deployments get an explicit red/yellow signal before exposing `kitty @` sockets.【F:kitty/verify-config.sh†L170-L211】 | |
| 1. **Remote-control password hygiene** – `verify-config.sh` now asserts that `remote_control_password` is defined (and not left at the placeholder), so multi-user deployments get an explicit red/yellow signal before exposing `kitty @` sockets.【F:kitty/verify-config.sh†L178-L189】 |
|
|
||
| ## 4. Delivered Hardening Enhancements | ||
| 1. **Remote-control password hygiene** – `verify-config.sh` now asserts that `remote_control_password` is defined (and not left at the placeholder), so multi-user deployments get an explicit red/yellow signal before exposing `kitty @` sockets.【F:kitty/verify-config.sh†L170-L211】 | ||
| 2. **Helper script health checks** – The verification script parses every `.sh` path referenced in `keybindings.conf`, confirming the helpers exist and carry the executable bit, which prevents overlays or AI tooling from silently breaking after refactors.【F:kitty/verify-config.sh†L213-L246】【F:kitty/kitty.d/keybindings.conf†L63-L149】 |
There was a problem hiding this comment.
The line reference 'L213-L246' is inaccurate. The helper script validation code actually spans lines 191-228 in verify-config.sh. Update the reference to 【F:kitty/verify-config.sh†L191-L228】 for accuracy.
| 2. **Helper script health checks** – The verification script parses every `.sh` path referenced in `keybindings.conf`, confirming the helpers exist and carry the executable bit, which prevents overlays or AI tooling from silently breaking after refactors.【F:kitty/verify-config.sh†L213-L246】【F:kitty/kitty.d/keybindings.conf†L63-L149】 | |
| 2. **Helper script health checks** – The verification script parses every `.sh` path referenced in `keybindings.conf`, confirming the helpers exist and carry the executable bit, which prevents overlays or AI tooling from silently breaking after refactors.【F:kitty/verify-config.sh†L191-L228】【F:kitty/kitty.d/keybindings.conf†L63-L149】 |
Summary
kitty/HARDENING-AUDIT-REPORT.mdverify-config.shso remote-control passwords and every keybinding helper script are validated before launchTesting
bash -n kitty/scripts/lint.shbash -n kitty/scripts/sync.shbash -n kitty/system-monitor.shbash -n kitty/verify-config.shCodex Task