From d1c3ff829bef22973bb41f8225c691a1c20d5548 Mon Sep 17 00:00:00 2001
From: denver
Date: Fri, 16 Jan 2026 15:53:01 -0600
Subject: [PATCH 1/3] fix(audit-sidecar): add macOS compatibility for workspace builds
The aya crate (eBPF userspace library) uses Linux-specific APIs (netlink, bpf syscalls) that cause compilation failures on macOS. This prevented `cargo build --workspace` from succeeding on macOS.
Changes:
- Move aya dependency to Linux-only target section in Cargo.toml
- Add module-level cfg gate to loader.rs (only compiles on Linux+ebpf)
- Update cfg attributes in main.rs to require both ebpf feature AND Linux
- Add #[allow(unused_variables)] for raw_event_tx on non-Linux platforms
The audit sidecar now runs in "stub mode" on macOS (no eBPF monitoring) while preserving full functionality on Linux.
Co-Authored-By: Claude Opus 4.5
---
 crates/loom-weaver-audit-sidecar/Cargo.toml | 8 +++++---
 crates/loom-weaver-audit-sidecar/src/loader.rs | 7 +++++++
 crates/loom-weaver-audit-sidecar/src/main.rs | 10 ++++++----
 3 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/crates/loom-weaver-audit-sidecar/Cargo.toml b/crates/loom-weaver-audit-sidecar/Cargo.toml
index 57b7952f..2403bb22 100644
--- a/crates/loom-weaver-audit-sidecar/Cargo.toml
+++ b/crates/loom-weaver-audit-sidecar/Cargo.toml
@@ -39,9 +39,6 @@ prometheus = "0.13"
 # Axum for health endpoint
 axum = "0.7"
-# eBPF userspace library
-aya = "0.13"
-
 # Cryptographic hashing
 sha2 = "0.10"
@@ -60,3 +57,8 @@ ebpf = []
 proptest = { workspace = true }
 tempfile = { workspace = true }
 tokio-test = { workspace = true }
+
+# Linux-only dependencies
+[target.'cfg(target_os = "linux")'.dependencies]
+# eBPF userspace library - Linux only (uses netlink, bpf syscalls)
+aya = "0.13"
diff --git a/crates/loom-weaver-audit-sidecar/src/loader.rs b/crates/loom-weaver-audit-sidecar/src/loader.rs
index c77a1a54..548cb422 100644
--- a/crates/loom-weaver-audit-sidecar/src/loader.rs
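Review bot: `aya` remains an unconditional dependency on Linux in the new `[target.'cfg(target_os = "linux")'.dependencies]` section, while the feature named in the second hunk header stays `ebpf = []`, so a Linux build without the feature still resolves and compiles the eBPF userspace library even though, as far as this patch shows, only the feature-gated loader.rs uses it. Tying the dependency to the feature keeps that code out of the dependency graph of stub builds: `aya = { version = "0.13", optional = true }` in the target section and `ebpf = ["dep:aya"]` under `[features]`. The `[features]` table itself lies outside the hunk, so confirm that nothing else in the crate references `aya` without the feature before making it optional.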
+++ b/crates/loom-weaver-audit-sidecar/src/loader.rs
@@ -1,6 +1,13 @@
 // Copyright (c) 2025 Geoffrey Huntley . All rights reserved.
 // SPDX-License-Identifier: Proprietary
+//! eBPF audit loader for Linux systems.
+//!
+//! This module is only compiled on Linux with the `ebpf` feature enabled.
+//! On other platforms, the audit sidecar runs in stub mode without eBPF monitoring.
+
+#![cfg(all(feature = "ebpf", target_os = "linux"))]
+
 // The LoaderError enum is intentionally large due to the aya::programs::ProgramError
 // contained in the Attach variant. Boxing would add unnecessary complexity for
 // error types that are only used at startup/initialization time.
diff --git a/crates/loom-weaver-audit-sidecar/src/main.rs b/crates/loom-weaver-audit-sidecar/src/main.rs
index 8fd0ee79..b25ff957 100644
--- a/crates/loom-weaver-audit-sidecar/src/main.rs
+++ b/crates/loom-weaver-audit-sidecar/src/main.rs
@@ -11,6 +11,7 @@ mod event_processor;
 mod events;
 mod filter;
 mod health;
+#[cfg(all(feature = "ebpf", target_os = "linux"))]
 mod loader;
 mod metrics;
@@ -30,7 +31,7 @@ use crate::config::Config;
 use crate::event_processor::{EventProcessor, EventProcessorConfig};
 use crate::events::WeaverAuditEvent;
 use crate::health::{health_router, HealthState};
-#[cfg(feature = "ebpf")]
+#[cfg(all(feature = "ebpf", target_os = "linux"))]
 use crate::loader::EbpfAuditLoader;
 use crate::metrics::Metrics;
@@ -181,6 +182,7 @@ async fn main() -> Result<()> {
 ));
 // Bounded channel for raw eBPF events to prevent OOM from unbounded task spawning
+ #[allow(unused_variables)]
 let (raw_event_tx, mut raw_event_rx) = mpsc::channel::>(1000);
 // Spawn consumer task to process raw events
@@ -191,7 +193,7 @@ async fn main() -> Result<()> {
 }
 });
- #[cfg(feature = "ebpf")]
+ #[cfg(all(feature = "ebpf", target_os = "linux"))]
 let ebpf_loaded = match EbpfAuditLoader::new() {
 Ok(loader) => {
 let attached = loader.attached_count();
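Review bot: The inner attribute `#![cfg(all(feature = "ebpf", target_os = "linux"))]` added to loader.rs repeats the gate this patch also puts on `mod loader;` in main.rs, and the same predicate is written out again on the `use crate::loader::EbpfAuditLoader;` line, on the loader branch at `@@ -191,7 +193,7 @@`, and negated on the stub branch at `@@ -234,9 +236,9 @@`. The two `let ebpf_loaded` bindings would shadow each other rather than conflict, so if the positive and negated copies ever drift apart the crate could still compile and quietly take the stub path. Either keep the gate in one place per item (the attribute on `mod loader;` is enough to exclude the file) or mark each copy with a comment such as `// Must match the cfg on "mod loader;" in main.rs`.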
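Review bot: The `#[allow(unused_variables)]` added above `let (raw_event_tx, mut raw_event_rx)` at `@@ -181,6 +182,7 @@` is unconditional, so it also silences the lint for both bindings on Linux builds with `ebpf`, where an unused sender or receiver would mean raw events are no longer wired to the consumer task. Scoping it to the stub configuration keeps that warning alive where it matters: `#[cfg_attr(not(all(feature = "ebpf", target_os = "linux")), allow(unused_variables))]`. `main` starts and ends outside this hunk.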
@@ -234,9 +236,9 @@ async fn main() -> Result<()> {
 }
 };
- #[cfg(not(feature = "ebpf"))]
+ #[cfg(not(all(feature = "ebpf", target_os = "linux")))]
 let ebpf_loaded = {
- info!("eBPF feature not enabled, running in stub mode");
+ info!("eBPF not available (feature disabled or not on Linux), running in stub mode");
 health_state.set_ebpf_status(0, 0).await;
 false
 };
From 60b7350e6df8c2828bdd800fdd2ebe4a5eb703fa Mon Sep 17 00:00:00 2001
From: denver
Date: Fri, 16 Jan 2026 16:58:47 -0600
Subject: [PATCH 2/3] fix(web): add /auth proxy for dev server authentication
The frontend was unable to authenticate because the /auth endpoint was not being proxied to the backend server.
Co-Authored-By: Claude Opus 4.5
---
 web/loom-web/vite.config.ts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/web/loom-web/vite.config.ts b/web/loom-web/vite.config.ts
index 698a9786..bb86a0de 100644
--- a/web/loom-web/vite.config.ts
+++ b/web/loom-web/vite.config.ts
@@ -26,6 +26,10 @@ export default defineConfig({
 target: 'http://127.0.0.1:8080',
 changeOrigin: true,
 },
+ '/auth': {
+ target: 'http://127.0.0.1:8080',
+ changeOrigin: true,
+ },
 },
 },
 test: {
From 1ef9638cab97bd6ceaa8136247d76bc9fd72a1b7 Mon Sep 17 00:00:00 2001
From: denver
Date: Fri, 16 Jan 2026 17:07:42 -0600
Subject: [PATCH 3/3] chore: update .gitignore for local dev files
Ignore local development files that shouldn't be committed:
- .env and .env.* (environment config with secrets)
- .claude/ (Claude Code workspace settings)
- .playwright-mcp/ (Playwright screenshots)
- CURRENT_SESSION_CONTEXT.md (session-specific notes)
- main.sh and /docs/ (local convenience scripts/docs)
- package-lock.json (project uses pnpm)
Co-Authored-By: Claude Opus 4.5
---
 .gitignore | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/.gitignore b/.gitignore
index 5acda05b..748c309f 100644
--- a/.gitignore
+++ b/.gitignore
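Review bot: The stub branch at `@@ -234,9 +236,9 @@` announces that no eBPF monitoring is running only at `info!` level, and the new message folds two different situations into one: a non-Linux developer build, and a Linux build compiled without the `ebpf` feature, which is an audit sidecar that captures nothing. For the second case a louder, unambiguous line helps operators catch a mis-built image, for example `warn!("eBPF auditing disabled: built without the ebpf feature or not on Linux; no events will be captured");` (assuming `warn!` is imported alongside `info!`, which this hunk does not show). Whether `health_state.set_ebpf_status(0, 0)` makes the health endpoint report a degraded state is not visible here and is worth confirming, so that a deployment without auditing does not look healthy. `main` continues outside the hunk.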
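Review bot: The new `'/auth'` entry sets `changeOrigin: true`, which rewrites the `Host` header to `127.0.0.1:8080` before the request reaches the backend; if the auth endpoints derive redirect or callback URLs, or cookie `Domain` attributes, from the request host, the login flow will send the browser to the backend port instead of the dev server. That behaviour is not visible in this diff, so a full login round trip through the proxy is worth checking before relying on it. The entry also repeats the `target`/`changeOrigin` pair of the entry above it; a shared constant such as `const backend = { target: 'http://127.0.0.1:8080', changeOrigin: true };` would keep the routes from drifting. The enclosing proxy object starts outside the hunk.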
@@ -48,3 +48,23 @@ Thumbs.db
 # Database files
 loom.db*
+
+# Local environment
+.env
+.env.*
+
+# Claude Code
+.claude/
+
+# Playwright MCP screenshots
+.playwright-mcp/
+
+# Session-specific files
+CURRENT_SESSION_CONTEXT.md
+
+# Local convenience scripts/docs (not part of repo)
+main.sh
+/docs/
+
+# npm lockfile (project uses pnpm)
+package-lock.json
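Review bot: The `.env.*` pattern also matches template files such as `.env.example`; if the repository wants a committed template, add a negation right after it, e.g. `!.env.example`. Ignore rules only affect untracked files, so any `.env` that was committed before this change stays tracked until it is removed with `git rm --cached`, and secrets in it should be treated as exposed and rotated; the diff does not show whether that applies here. `/docs/` and `main.sh` are described as local conveniences, yet the rule hides a root-level docs directory for every contributor; a per-clone entry in `.git/info/exclude` would fit that purpose without changing what the shared repository can track.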