Enable and test Gotify and Custom Webhook notifications

.docker/compose/docker-compose.dev.yml

@@ -32,6 +32,8 @@ services:
       #- CPM_SECURITY_RATELIMIT_ENABLED=false
       #- CPM_SECURITY_ACL_ENABLED=false
       - FEATURE_CERBERUS_ENABLED=true
+    # Docker socket group access: copy docker-compose.override.example.yml
+    # to docker-compose.override.yml and set your host's docker GID.
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro # For local container discovery
       - crowdsec_data:/app/data/crowdsec

.docker/compose/docker-compose.local.yml

@@ -27,6 +27,8 @@ services:
       - FEATURE_CERBERUS_ENABLED=true
       # Emergency "break-glass" token for security reset when ACL blocks access
       - CHARON_EMERGENCY_TOKEN=03e4682c1164f0c1cb8e17c99bd1a2d9156b59824dde41af3bb67c513e5c5e92
+    # Docker socket group access: copy docker-compose.override.example.yml
+    # to docker-compose.override.yml and set your host's docker GID.
     extra_hosts:
       - "host.docker.internal:host-gateway"
     cap_add:

.docker/compose/docker-compose.override.example.yml

@@ -0,0 +1,26 @@
+# Docker Compose override — copy to docker-compose.override.yml to activate.
+#
+# Use case: grant the container access to the host Docker socket so that
+# Charon can discover running containers.
+#
+# 1. cp docker-compose.override.example.yml docker-compose.override.yml
+# 2. Uncomment the service that matches your compose file:
+#      - "charon" for docker-compose.local.yml
+#      - "app"    for docker-compose.dev.yml
+# 3. Replace <GID> with the output of:  stat -c '%g' /var/run/docker.sock
+# 4. docker compose up -d
+
+services:
+  # Uncomment for docker-compose.local.yml
+  charon:
+    group_add:
+      - "<GID>"   # e.g. "988" — run: stat -c '%g' /var/run/docker.sock
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+  # Uncomment for docker-compose.dev.yml
+  app:
+    group_add:
+      - "<GID>"   # e.g. "988" — run: stat -c '%g' /var/run/docker.sock
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro

.docker/compose/docker-compose.playwright-ci.yml

@@ -85,6 +85,7 @@ services:
       - playwright_data:/app/data
       - playwright_caddy_data:/data
       - playwright_caddy_config:/config
+      - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
     healthcheck:
       test: ["CMD", "curl", "-sf", "http://localhost:8080/api/v1/health"]
       interval: 5s
@@ -111,6 +112,7 @@ services:
     volumes:
       - playwright_crowdsec_data:/var/lib/crowdsec/data
       - playwright_crowdsec_config:/etc/crowdsec
+      - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
     healthcheck:
       test: ["CMD", "cscli", "version"]
       interval: 10s

.docker/compose/docker-compose.playwright-local.yml

@@ -49,6 +49,8 @@ services:
       # True tmpfs for E2E test data - fresh on every run, in-memory only
       # mode=1777 allows any user to write (container runs as non-root)
       - /app/data:size=100M,mode=1777
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
     healthcheck:
       test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
       interval: 5s

.docker/docker-entrypoint.sh

@@ -27,30 +27,24 @@ get_group_by_gid() {
 }
 
 create_group_with_gid() {
-    local gid="$1"
-    local name="$2"
-
     if command -v addgroup >/dev/null 2>&1; then
-        addgroup -g "$gid" "$name" 2>/dev/null || true
+        addgroup -g "$1" "$2" 2>/dev/null || true
         return
     fi
 
     if command -v groupadd >/dev/null 2>&1; then
-        groupadd -g "$gid" "$name" 2>/dev/null || true
+        groupadd -g "$1" "$2" 2>/dev/null || true
     fi
 }
 
 add_user_to_group() {
-    local user="$1"
-    local group="$2"
-
     if command -v addgroup >/dev/null 2>&1; then
-        addgroup "$user" "$group" 2>/dev/null || true
+        addgroup "$1" "$2" 2>/dev/null || true
         return
     fi
 
     if command -v usermod >/dev/null 2>&1; then
-        usermod -aG "$group" "$user" 2>/dev/null || true
+        usermod -aG "$2" "$1" 2>/dev/null || true
     fi
 }
 
@@ -142,8 +136,15 @@ if [ -S "/var/run/docker.sock" ] && is_root; then
         fi
     fi
 elif [ -S "/var/run/docker.sock" ]; then
-    echo "Note: Docker socket mounted but container is running non-root; skipping docker.sock group setup."
-    echo "      If Docker discovery is needed, run with matching group permissions (e.g., --group-add)"
+    DOCKER_SOCK_GID=$(stat -c '%g' /var/run/docker.sock 2>/dev/null || echo "unknown")
+    echo "Note: Docker socket mounted (GID=$DOCKER_SOCK_GID) but container is running non-root; skipping docker.sock group setup."
+    echo "      If Docker discovery is needed, add 'group_add: [\"$DOCKER_SOCK_GID\"]' to your compose service."
+    if [ "$DOCKER_SOCK_GID" = "0" ]; then
+        if [ "${ALLOW_DOCKER_SOCK_GID_0:-false}" != "true" ]; then
+            echo "⚠️  WARNING: Docker socket GID is 0 (root group). group_add: [\"0\"] grants root-group access."
+            echo "   Set ALLOW_DOCKER_SOCK_GID_0=true to acknowledge this risk."
+        fi
+    fi
 else
     echo "Note: Docker socket not found. Docker container discovery will be unavailable."
 fi
@@ -191,7 +192,7 @@ if command -v cscli >/dev/null; then
         echo "Initializing persistent CrowdSec configuration..."
 
         # Check if .dist has content
-        if [ -d "/etc/crowdsec.dist" ] && [ -n "$(ls -A /etc/crowdsec.dist 2>/dev/null)" ]; then
+        if [ -d "/etc/crowdsec.dist" ] && find /etc/crowdsec.dist -mindepth 1 -maxdepth 1 -print -quit 2>/dev/null | grep -q .; then
             echo "Copying config from /etc/crowdsec.dist..."
             if ! cp -r /etc/crowdsec.dist/* "$CS_CONFIG_DIR/"; then
                 echo "ERROR: Failed to copy config from /etc/crowdsec.dist"
@@ -208,7 +209,7 @@ if command -v cscli >/dev/null; then
                 exit 1
             fi
             echo "✓ Successfully initialized config from .dist directory"
-        elif [ -d "/etc/crowdsec" ] && [ ! -L "/etc/crowdsec" ] && [ -n "$(ls -A /etc/crowdsec 2>/dev/null)" ]; then
+        elif [ -d "/etc/crowdsec" ] && [ ! -L "/etc/crowdsec" ] && find /etc/crowdsec -mindepth 1 -maxdepth 1 -print -quit 2>/dev/null | grep -q .; then
             echo "Copying config from /etc/crowdsec (fallback)..."
             if ! cp -r /etc/crowdsec/* "$CS_CONFIG_DIR/"; then
                 echo "ERROR: Failed to copy config from /etc/crowdsec (fallback)"
@@ -248,7 +249,7 @@ if command -v cscli >/dev/null; then
         echo "Expected: /etc/crowdsec -> /app/data/crowdsec/config"
         echo "This indicates a critical build-time issue. Symlink must be created at build time as root."
         echo "DEBUG: Directory check:"
-        ls -la /etc/ | grep crowdsec || echo "  (no crowdsec entry found)"
+        find /etc -mindepth 1 -maxdepth 1 -name '*crowdsec*' -exec ls -ld {} \; 2>/dev/null || echo "  (no crowdsec entry found)"
         exit 1
     fi
 

.github/agents/Backend_Dev.agent.md

@@ -2,9 +2,9 @@
 name: 'Backend Dev'
 description: 'Senior Go Engineer focused on high-performance, secure backend implementation.'
 argument-hint: 'The specific backend task from the Plan (e.g., "Implement ProxyHost CRUD endpoints")'
-tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/openIntegratedBrowser, vscode/runCommand, vscode/askQuestions, vscode/vscodeAPI, execute, read, agent, 'github/*', 'github/*', 'io.github.goreleaser/mcp/*',  edit, search, web, 'github/*', 'playwright/*',  todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, ''
+tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/runCommand, vscode/vscodeAPI, execute/getTerminalOutput, execute/awaitTerminal, execute/killTerminal, execute/runTask, execute/createAndRunTask, execute/runTests, execute/runNotebookCell, execute/testFailure, execute/runInTerminal, read/terminalSelection, read/terminalLastCommand, read/getTaskOutput, read/getNotebookSummary, read/problems, read/readFile, read/readNotebookCellOutput, agent/askQuestions, agent/runSubagent, browser/openBrowserPage, edit/createDirectory, edit/createFile, edit/createJupyterNotebook, edit/editFiles, edit/editNotebook, edit/rename, search/changes, search/codebase, search/fileSearch, search/listDirectory, search/searchResults, search/textSearch, search/searchSubagent, search/usages, web/fetch, github/add_comment_to_pending_review, github/add_issue_comment, github/assign_copilot_to_issue, github/create_branch, github/create_or_update_file, github/create_pull_request, github/create_repository, github/delete_file, github/fork_repository, github/get_commit, github/get_file_contents, github/get_label, github/get_latest_release, github/get_me, github/get_release_by_tag, github/get_tag, github/get_team_members, github/get_teams, github/issue_read, github/issue_write, github/list_branches, github/list_commits, github/list_issue_types, github/list_issues, github/list_pull_requests, github/list_releases, github/list_tags, github/merge_pull_request, github/pull_request_read, github/pull_request_review_write, github/push_files, github/request_copilot_review, github/search_code, github/search_issues, github/search_pull_requests, github/search_repositories, github/search_users, github/sub_issue_write, github/update_pull_request, github/update_pull_request_branch, github/add_comment_to_pending_review, github/add_issue_comment, github/add_reply_to_pull_request_comment, github/assign_copilot_to_issue, github/create_branch, github/create_or_update_file, github/create_pull_request, github/create_pull_request_with_copilot, github/create_repository, github/delete_file, github/fork_repository, github/get_commit, github/get_copilot_job_status, github/get_file_contents, github/get_label, github/get_latest_release, github/get_me, github/get_release_by_tag, github/get_tag, github/get_team_members, github/get_teams, github/issue_read, github/issue_write, github/list_branches, github/list_commits, github/list_issue_types, github/list_issues, github/list_pull_requests, github/list_releases, github/list_tags, github/merge_pull_request, github/pull_request_read, github/pull_request_review_write, github/push_files, github/request_copilot_review, github/search_code, github/search_issues, github/search_pull_requests, github/search_repositories, github/search_users, github/sub_issue_write, github/update_pull_request, github/update_pull_request_branch, io.github.goreleaser/mcp/check, playwright/browser_click, playwright/browser_close, playwright/browser_console_messages, playwright/browser_drag, playwright/browser_evaluate, playwright/browser_file_upload, playwright/browser_fill_form, playwright/browser_handle_dialog, playwright/browser_hover, playwright/browser_install, playwright/browser_navigate, playwright/browser_navigate_back, playwright/browser_network_requests, playwright/browser_press_key, playwright/browser_resize, playwright/browser_run_code, playwright/browser_select_option, playwright/browser_snapshot, playwright/browser_tabs, playwright/browser_take_screenshot, playwright/browser_type, playwright/browser_wait_for, github/add_comment_to_pending_review, github/add_issue_comment, github/assign_copilot_to_issue, github/create_branch, github/create_or_update_file, github/create_pull_request, github/create_repository, github/delete_file, github/fork_repository, github/get_commit, github/get_file_contents, github/get_label, github/get_latest_release, github/get_me, github/get_release_by_tag, github/get_tag, github/get_team_members, github/get_teams, github/issue_read, github/issue_write, github/list_branches, github/list_commits, github/list_issue_types, github/list_issues, github/list_pull_requests, github/list_releases, github/list_tags, github/merge_pull_request, github/pull_request_read, github/pull_request_review_write, github/push_files, github/request_copilot_review, github/search_code, github/search_issues, github/search_pull_requests, github/search_repositories, github/search_users, github/sub_issue_write, github/update_pull_request, github/update_pull_request_branch, github/add_reply_to_pull_request_comment, github/create_pull_request_with_copilot, github/get_copilot_job_status, microsoftdocs/mcp/microsoft_code_sample_search, microsoftdocs/mcp/microsoft_docs_fetch, microsoftdocs/mcp/microsoft_docs_search, mcp-refactor-typescript/code_quality, mcp-refactor-typescript/file_operations, mcp-refactor-typescript/refactoring, mcp-refactor-typescript/workspace, todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/pullRequestStatusChecks, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment
+
 
-model: GPT-5.3-Codex (copilot)
 target: vscode
 user-invocable: true
 disable-model-invocation: false

.github/agents/DevOps.agent.md

@@ -2,9 +2,8 @@
 name: 'DevOps'
 description: 'DevOps specialist for CI/CD pipelines, deployment debugging, and GitOps workflows focused on making deployments boring and reliable'
 argument-hint: 'The CI/CD or infrastructure task (e.g., "Debug failing GitHub Action workflow")'
-tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/openIntegratedBrowser, vscode/runCommand, vscode/askQuestions, vscode/vscodeAPI, execute, read, agent, 'github/*', 'github/*', 'io.github.goreleaser/mcp/*',  edit, search, web, 'github/*', 'playwright/*', todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, ''
+tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/runCommand, vscode/vscodeAPI, execute/getTerminalOutput, execute/awaitTerminal, execute/killTerminal, execute/runTask, execute/createAndRunTask, execute/runTests, execute/runNotebookCell, execute/testFailure, execute/runInTerminal, read/terminalSelection, read/terminalLastCommand, read/getTaskOutput, read/getNotebookSummary, read/problems, read/readFile, read/readNotebookCellOutput, agent/askQuestions, agent/runSubagent, browser/openBrowserPage, edit/createDirectory, edit/createFile, edit/createJupyterNotebook, edit/editFiles, edit/editNotebook, edit/rename, search/changes, search/codebase, search/fileSearch, search/listDirectory, search/searchResults, search/textSearch, search/searchSubagent, search/usages, web/fetch, github/add_comment_to_pending_review, github/add_issue_comment, github/assign_copilot_to_issue, github/create_branch, github/create_or_update_file, github/create_pull_request, github/create_repository, github/delete_file, github/fork_repository, github/get_commit, github/get_file_contents, github/get_label, github/get_latest_release, github/get_me, github/get_release_by_tag, github/get_tag, github/get_team_members, github/get_teams, github/issue_read, github/issue_write, github/list_branches, github/list_commits, github/list_issue_types, github/list_issues, github/list_pull_requests, github/list_releases, github/list_tags, github/merge_pull_request, github/pull_request_read, github/pull_request_review_write, github/push_files, github/request_copilot_review, github/search_code, github/search_issues, github/search_pull_requests, github/search_repositories, github/search_users, github/sub_issue_write, github/update_pull_request, github/update_pull_request_branch, github/add_comment_to_pending_review, github/add_issue_comment, github/add_reply_to_pull_request_comment, github/assign_copilot_to_issue, github/create_branch, github/create_or_update_file, github/create_pull_request, github/create_pull_request_with_copilot, github/create_repository, github/delete_file, github/fork_repository, github/get_commit, github/get_copilot_job_status, github/get_file_contents, github/get_label, github/get_latest_release, github/get_me, github/get_release_by_tag, github/get_tag, github/get_team_members, github/get_teams, github/issue_read, github/issue_write, github/list_branches, github/list_commits, github/list_issue_types, github/list_issues, github/list_pull_requests, github/list_releases, github/list_tags, github/merge_pull_request, github/pull_request_read, github/pull_request_review_write, github/push_files, github/request_copilot_review, github/search_code, github/search_issues, github/search_pull_requests, github/search_repositories, github/search_users, github/sub_issue_write, github/update_pull_request, github/update_pull_request_branch, io.github.goreleaser/mcp/check, playwright/browser_click, playwright/browser_close, playwright/browser_console_messages, playwright/browser_drag, playwright/browser_evaluate, playwright/browser_file_upload, playwright/browser_fill_form, playwright/browser_handle_dialog, playwright/browser_hover, playwright/browser_install, playwright/browser_navigate, playwright/browser_navigate_back, playwright/browser_network_requests, playwright/browser_press_key, playwright/browser_resize, playwright/browser_run_code, playwright/browser_select_option, playwright/browser_snapshot, playwright/browser_tabs, playwright/browser_take_screenshot, playwright/browser_type, playwright/browser_wait_for, github/add_comment_to_pending_review, github/add_issue_comment, github/assign_copilot_to_issue, github/create_branch, github/create_or_update_file, github/create_pull_request, github/create_repository, github/delete_file, github/fork_repository, github/get_commit, github/get_file_contents, github/get_label, github/get_latest_release, github/get_me, github/get_release_by_tag, github/get_tag, github/get_team_members, github/get_teams, github/issue_read, github/issue_write, github/list_branches, github/list_commits, github/list_issue_types, github/list_issues, github/list_pull_requests, github/list_releases, github/list_tags, github/merge_pull_request, github/pull_request_read, github/pull_request_review_write, github/push_files, github/request_copilot_review, github/search_code, github/search_issues, github/search_pull_requests, github/search_repositories, github/search_users, github/sub_issue_write, github/update_pull_request, github/update_pull_request_branch, github/add_reply_to_pull_request_comment, github/create_pull_request_with_copilot, github/get_copilot_job_status, microsoftdocs/mcp/microsoft_code_sample_search, microsoftdocs/mcp/microsoft_docs_fetch, microsoftdocs/mcp/microsoft_docs_search, mcp-refactor-typescript/code_quality, mcp-refactor-typescript/file_operations, mcp-refactor-typescript/refactoring, mcp-refactor-typescript/workspace, todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/pullRequestStatusChecks, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment
 
-model: GPT-5.3-Codex (copilot)
 target: vscode
 user-invocable: true
 disable-model-invocation: false