Server-side Go daemon that watches git branches and automatically deploys changes with encrypted snapshots, framework-aware build pipelines, health validation, and instant rollback.
AXChrono is a plugin for AevonX — a macOS server management application. This repository serves as a reference implementation for building AevonX plugins.
- Overview
- Architecture
- Features (25)
- Supported Frameworks (15)
- API Reference (33 Endpoints)
- CLI Reference (22 Commands)
- Configuration (21 Sections)
- Plugin Structure
- Building
- Installation
- How It Works
- Building Your Own AevonX Plugin
- Security
- Testing
- License
┌─────────────────────────────────────────────────────────────────┐
│                        AevonX macOS App                         │
│                                                                 │
│  ┌──────────┐    SSH Tunnel    ┌────────────────────────────┐   │
│  │ Chrono   │ ──────────────── │ AXChrono Daemon (Go)       │   │
│  │ Swift UI │    curl :9444    │  ┌──────────────────────┐  │   │
│  │ Plugin   │                  │  │ Stats API (REST)     │  │   │
│  └──────────┘                  │  │ 33 endpoints         │  │   │
│                                │  └──────────────────────┘  │   │
│                                │  ┌──────────────────────┐  │   │
│                                │  │ GitPulse Watcher     │  │   │
│                                │  │ Polling + Webhooks   │  │   │
│                                │  └──────────────────────┘  │   │
│                                │  ┌──────────────────────┐  │   │
│                                │  │ NeuralPipe Pipeline  │  │   │
│                                │  │ 15 Framework Engines │  │   │
│                                │  └──────────────────────┘  │   │
│                                │  ┌──────────────────────┐  │   │
│                                │  │ ChronoShift Snapshots│  │   │
│                                │  │ AES-256-GCM Encrypted│  │   │
│                                │  └──────────────────────┘  │   │
│                                └────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘
Stats:
- 8,295 lines of Go code
- 63 source files across 16 packages
- 28 unit tests across 5 test suites
- 120 secret detection patterns (VaultScan)
- 33 REST API endpoints
- 22 CLI commands
- 15 framework deployers
- 21 configuration sections
AXChrono runs as a systemd service on the target Linux server. It communicates with the AevonX macOS app through two channels:
| Channel | Protocol | Purpose |
|---|---|---|
| Stats API | HTTP REST on 127.0.0.1:9444 | Real-time data, deploy triggers, configuration |
| CLI | Unix socket /var/run/axchrono.sock | Local administration via axchrono exec |
The AevonX app reaches both channels via SSH tunnel:
AevonX App → SSH → curl http://127.0.0.1:9444/api/v1/...
AevonX App → SSH → axchrono exec status
axchrono (main)
├── Config Manager (hot-reload via SIGHUP)
├── GitPulse Watcher Engine
│ ├── Poller goroutines (one per project, adaptive backoff)
│ └── Webhook HTTP server (GitHub/GitLab/Bitbucket)
├── Pipeline Engine (worker pool, max 2 concurrent)
│ └── Deploy goroutines (snapshot → pull → scan → build → switch → health)
├── Health Monitor (30s tick, HTTP/process/disk/memory probes)
├── SelfHeal Daemon (watches health, triggers auto-rollback)
├── TimeGate Scheduler (deploy windows, blackout periods)
├── Stats API Server (net/http, token auth, CORS)
├── CLI Socket Server (Unix domain socket, JSON protocol)
└── Cluster Heartbeat (optional, 15s tick)
| # | Feature | Package | Description |
|---|---|---|---|
| 1 | GitPulse | watcher/ | Autonomous branch monitoring with adaptive polling and webhook receiver |
| 2 | NeuralPipe | framework/ | Multi-signal framework detection with confidence scoring (15 frameworks) |
| 3 | ZeroFlip | deploy/zeroflip.go | Zero-downtime symlink deployment with instant atomic switch |
| 4 | ChronoShift | snapshot/ | AES-256-GCM encrypted snapshots with incremental delta support |
| 5 | DeployMutex | pipeline/mutex.go | Distributed deploy lock preventing concurrent deploys per project |
| # | Feature | Package | Description |
|---|---|---|---|
| 6 | VaultScan | scanner/secrets.go | 120 regex patterns detecting API keys, tokens, private keys in git diffs |
| 7 | ThreatRadar | scanner/vuln.go | Dependency vulnerability scanning with severity-based blocking |
| 8 | DriftDetector | scanner/drift.go | Filesystem integrity monitoring — detects unauthorized changes |
| 9 | ConfigFortress | deploy/config_protect.go | Protects sensitive files (.env, config) from being overwritten during deploy |
| 10 | PermissionMatrix | deploy/permissions.go | Enforces file ownership and permissions per framework rules |
| # | Feature | Package | Description |
|---|---|---|---|
| 11 | SentinelHealth | health/ | Multi-probe health validation (HTTP, process, TCP, disk, memory) |
| 12 | SelfHeal | health/selfheal.go | Automatic rollback when health checks fail consecutively |
| 13 | GhostDeploy | deploy/ghost.go | Shadow deployment to parallel directory — validate before promoting |
| 14 | CanaryShift | deploy/canary.go | Gradual traffic shifting (5% → 25% → 50% → 100%) with auto-rollback |
| 15 | MigrationSandbox | deploy/migration.go | Run database migrations in isolated sandbox before applying to production |
| # | Feature | Package | Description |
|---|---|---|---|
| 16 | ChronoLog | timeline/ | Immutable append-only timeline of all operations (deploy, rollback, health) |
| 17 | CacheNexus | cache/ | Build artifact caching with TTL and per-project purge |
| 18 | ScriptReactor | hooks/ | Pre/post deploy hooks — run custom scripts at any pipeline stage |
| 19 | TimeGate | scheduler/ | Deploy scheduling with time windows, blackout periods, timezone support |
| 20 | ConstellationSync | cluster/ | Multi-server deployments with rolling, parallel, and canary strategies |
| 21 | DeployHologram | api/handlers.go | Pre-deploy impact analysis (files changed, dependencies, risk level) |
| # | Feature | Package | Description |
|---|---|---|---|
| 22 | Stats API | api/ | 33-endpoint REST API with token auth, CORS, and SSE streaming |
| 23 | CLI | cli/ | 22 commands via Unix socket for local server administration |
| 24 | Hot Reload | config/ | SIGHUP-triggered config reload without daemon restart |
| 25 | Structured Logging | logger/ | JSON logging with 4 channels (main, deploy, security, audit) |
NeuralPipe uses multi-signal confidence scoring to detect frameworks. Each framework has weighted detection signals (file existence, content matching, directory structure) and a minimum confidence threshold.
| Framework | Detection Signals | Build Pipeline |
|---|---|---|
| Laravel | artisan, composer.json (laravel/framework), config/app.php | composer install → migrate → cache:clear → optimize |
| WordPress | wp-config.php, wp-content/, wp-admin/ | wp-cli updates → permissions → cache flush |
| Next.js | next.config.js, package.json (next), pages/ or app/ | npm install → next build → pm2 restart |
| React | package.json (react-scripts/vite), src/App.{jsx,tsx} | npm install → npm run build → sync to webroot |
| Node.js | package.json, server.js or index.js | npm install → pm2 restart |
| Django | manage.py, requirements.txt, settings.py | pip install → migrate → collectstatic → gunicorn reload |
| FastAPI | requirements.txt (fastapi/uvicorn), main.py | pip install → uvicorn restart |
| Go | go.mod, main.go, cmd/*/main.go | go build → systemd restart |
| Docker | Dockerfile, docker-compose.yml | docker compose build → docker compose up -d |
| Rails | Gemfile (rails), config/routes.rb, bin/rails | bundle install → migrate → assets:precompile → puma restart |
| PHP | index.php, composer.json (no laravel) | composer install → opcache reset |
| Static | index.html, no package.json/composer.json | rsync to webroot |
| Rust | Cargo.toml, src/main.rs | cargo build --release → systemd restart |
| .NET | *.csproj, Program.cs, appsettings.json | dotnet publish → systemd restart |
| Java/Spring | pom.xml or build.gradle (spring-boot) | maven/gradle build → systemd restart |
NeuralPipe doesn't blindly run all build steps. It analyzes git diff to determine which steps are needed:
Changed: composer.lock → triggers: composer install
Changed: database/migrations/ → triggers: php artisan migrate
Changed: resources/views/ → triggers: cache:clear only
Changed: nothing in above → triggers: symlink switch only
All endpoints are prefixed with /api/v1 and require the X-AXChrono-Token header.
| Method | Endpoint | Description |
|---|---|---|
| GET | /status | Daemon status, uptime, version, active deploys |
| Method | Endpoint | Description |
|---|---|---|
| GET | /projects | List all tracked projects |
| POST | /projects | Add a new project |
| GET | /projects/{id} | Get project details |
| PUT | /projects/{id} | Update project config |
| DELETE | /projects/{id} | Remove project from tracking |
| Method | Endpoint | Description |
|---|---|---|
| POST | /projects/{id}/deploy | Trigger manual deployment |
| GET | /projects/{id}/deploys | Deploy history (paginated) |
| GET | /deploys/{id} | Deploy details with pipeline steps |
| GET | /deploys/{id}/log | SSE — Real-time deploy log stream |
| POST | /deploys/{id}/cancel | Cancel a running deploy |
| Method | Endpoint | Description |
|---|---|---|
| POST | /projects/{id}/rollback | Rollback to a snapshot |
| GET | /snapshots/{project} | List available snapshots |
| Method | Endpoint | Description |
|---|---|---|
| GET | /health | Health results for all projects |
| GET | /projects/{id}/health | Health probes for a specific project |
| GET | /projects/{id}/drift | Drift detection results |
| POST | /projects/{id}/scan | Trigger on-demand security scan |
| GET | /projects/{id}/hologram | Pre-deploy impact analysis |
| Method | Endpoint | Description |
|---|---|---|
| GET | /cache/status | Cache size and statistics |
| DELETE | /cache | Purge all cached data |
| DELETE | /cache/{project} | Purge cache for a specific project |
| Method | Endpoint | Description |
|---|---|---|
| GET | /approvals/pending | List pending approval requests |
| GET | /approvals/history | Approval history |
| POST | /approvals/{id}/approve | Approve a pending operation |
| POST | /approvals/{id}/deny | Deny a pending operation |
| Method | Endpoint | Description |
|---|---|---|
| GET | /webhooks/status | Webhook receiver status |
| POST | /webhooks/test | Send a test webhook |
| GET | /projects/{id}/webhook | Project webhook config |
| POST | /projects/{id}/webhook/regenerate | Regenerate webhook secret |
| Method | Endpoint | Description |
|---|---|---|
| GET | /projects/{id}/timeline | Deployment timeline (ChronoLog) |
| GET | /cluster/status | Cluster member status |
| POST | /cluster/deploy | Cluster-wide deployment |
| POST | /cluster/rollback | Cluster-wide rollback |
All requests require the X-AXChrono-Token header:
curl -s -H "X-AXChrono-Token: YOUR_TOKEN" http://127.0.0.1:9444/api/v1/status
The CLI communicates with the running daemon via Unix socket.
axchrono exec <command> [args...]
| Command | Description |
|---|---|
| status | Show daemon status and version |
| reload | Reload configuration (same as SIGHUP) |
| projects list | List all tracked projects |
| projects add <path> | Add a project by path |
| projects remove <id> | Remove a project |
| deploy <project_id> | Trigger deployment |
| deploy cancel <deploy_id> | Cancel a running deployment |
| rollback <project_id> <snapshot_id> | Rollback to snapshot |
| scan drift <project_id> | Run drift detection |
| scan secrets <project_id> | Run secret scan |
| scan vuln <project_id> | Run vulnerability scan |
| snapshots list <project_id> | List snapshots |
| snapshots create <project_id> | Create manual snapshot |
| snapshots restore <project_id> <snap_id> | Restore snapshot |
| cache status | Show cache statistics |
| cache purge [project_id] | Purge cache |
| timeline <project_id> | Show deploy timeline |
| health check [project_id] | Run health check |
| approvals list | Show pending approvals |
| approvals approve <id> | Approve an operation |
| approvals deny <id> | Deny an operation |
| approvals history | Show approval history |
| webhook status | Webhook receiver status |
| webhook test | Send test webhook |
| webhook regenerate <project_id> | Regenerate secret |
AXChrono is configured via /etc/aevonx/plugins/axchrono/config.avx (JSON format following the AevonX plugin config schema).
1. GitPulse — Branch Watcher
| Key | Type | Default | Description |
|---|---|---|---|
| gitpulse_mode | string | "poll" | Watch mode: poll, webhook, or both |
| gitpulse_poll_interval | number | 60 | Seconds between polls |
| gitpulse_adaptive_polling | boolean | true | Increase interval when no changes detected |
| gitpulse_max_adaptive_interval | number | 300 | Maximum poll interval in seconds |
2. ChronoShift — Snapshots
| Key | Type | Default | Description |
|---|---|---|---|
| snapshot_enabled | boolean | true | Create snapshot before every deploy |
| snapshot_max_per_project | number | 10 | Rotate after N snapshots |
| snapshot_compression_level | number | 6 | gzip level (1-9) |
| snapshot_base_path | string | "/etc/aevonx/plugins/axchrono/snapshots" | Storage location |
3. ZeroFlip — Zero-Downtime
| Key | Type | Default | Description |
|---|---|---|---|
| zeroflip_enabled | boolean | true | Use symlink-based deployment |
| zeroflip_max_releases | number | 5 | Keep N release directories |
4. Pipeline — Build & Deploy
| Key | Type | Default | Description |
|---|---|---|---|
| pipeline_max_concurrent | number | 2 | Max simultaneous deployments |
| pipeline_timeout | number | 15 | Minutes before deploy times out |
5. VaultScan — Secret Detection
| Key | Type | Default | Description |
|---|---|---|---|
| vaultscan_enabled | boolean | true | Scan diffs for secrets |
| vaultscan_mode | string | "block" | block = stop deploy, warn = log only, off = skip |
| vaultscan_ignore_paths | string | "" | Comma-separated glob patterns to skip |
6. SentinelHealth — Health Validation
| Key | Type | Default | Description |
|---|---|---|---|
| sentinel_enabled | boolean | true | Validate health after deploy |
| sentinel_stabilization_delay | number | 5 | Seconds to wait before checking |
| sentinel_auto_rollback | boolean | true | Auto-rollback on health failure |
7–21. Additional Sections
See dist/config.avx for all 21 sections including: SelfHeal, ThreatRadar, DriftDetector, GhostDeploy, CanaryShift, BranchUniverse, TimeGate, CacheNexus, ConstellationSync, Approval, Webhook, Alerts, Stats API, and Logging.
plugins/AXChrono/
├── cmd/axchrono/
│ └── main.go # Entry point (daemon + CLI mode)
├── internal/
│ ├── api/ # Stats API (REST + SSE)
│ │ ├── server.go # HTTP server with timeouts
│ │ ├── routes.go # 33 route definitions
│ │ ├── handlers.go # Request handlers
│ │ └── middleware.go # Auth, logging, CORS
│ ├── cache/ # CacheNexus
│ │ ├── manager.go # Build cache with TTL
│ │ └── types.go
│ ├── cli/ # CLI system
│ │ ├── commands.go # 22 command registry
│ │ └── exec.go # Socket server + client
│ ├── cluster/ # ConstellationSync
│ │ └── sync.go # Multi-server deploy strategies
│ ├── config/ # Configuration
│ │ ├── config.go # JSON loader + hot-reload
│ │ └── types.go # Config struct (flat fields)
│ ├── deploy/ # Deploy strategies
│ │ ├── zeroflip.go # Symlink zero-downtime
│ │ ├── ghost.go # GhostDeploy shadow deploy
│ │ ├── canary.go # CanaryShift traffic split
│ │ ├── migration.go # MigrationSandbox
│ │ ├── permissions.go # PermissionMatrix
│ │ ├── config_protect.go # ConfigFortress
│ │ └── types.go
│ ├── framework/ # NeuralPipe (15 frameworks)
│ │ ├── detector.go # Multi-signal detection engine
│ │ ├── base.go # Deployer interface + types
│ │ ├── laravel.go ... java.go # Framework-specific deployers
│ │ └── (15 framework files)
│ ├── health/ # SentinelHealth + SelfHeal
│ │ ├── monitor.go # Background health loop
│ │ ├── probes.go # HTTP, process, disk, memory
│ │ ├── selfheal.go # Auto-recovery daemon
│ │ └── types.go
│ ├── hooks/ # ScriptReactor
│ │ ├── reactor.go # Pre/post hook execution
│ │ └── types.go
│ ├── logger/ # Structured logging
│ │ └── logger.go # 4-channel JSON logger
│ ├── pipeline/ # Deploy pipeline
│ │ ├── engine.go # Pipeline executor
│ │ ├── step.go # Step runner with shell exec
│ │ ├── mutex.go # DeployMutex (project lock)
│ │ └── types.go
│ ├── scanner/ # Security scanners
│ │ ├── secrets.go # VaultScan (diff scanner)
│ │ ├── patterns.go # 120 secret patterns
│ │ ├── drift.go # DriftDetector
│ │ ├── vuln.go # ThreatRadar
│ │ └── types.go
│ ├── scheduler/ # TimeGate
│ │ └── timegate.go # Deploy windows + blackouts
│ ├── snapshot/ # ChronoShift
│ │ ├── engine.go # Create/restore/rotate snapshots
│ │ ├── crypto.go # AES-256-GCM encryption
│ │ ├── incremental.go # Delta-based incremental snapshots
│ │ └── types.go
│ ├── timeline/ # ChronoLog
│ │ ├── chronolog.go # Immutable event log
│ │ └── types.go
│ └── watcher/ # GitPulse
│ ├── engine.go # Watcher engine (poll + webhook)
│ ├── polling.go # Git poller with adaptive backoff
│ ├── webhook.go # Webhook HTTP receiver
│ └── types.go
├── tests/ # Test suites
│ ├── framework_test.go # 8 tests — detection + deployers
│ ├── snapshot_test.go # 6 tests — AES encrypt/decrypt
│ ├── scanner_test.go # 7 tests — VaultScan patterns
│ ├── pipeline_test.go # 3 tests — engine + status
│ └── watcher_test.go # 4 tests — events + backoff
├── dist/ # Distribution files
│ ├── config.avx # Default config (21 sections)
│ ├── _manifest.json # Plugin metadata + 69 allowed actions
│ ├── setup.sh # Server installation script
│ ├── uninstall.sh # Clean uninstall script
│ └── hooks/
│ └── example-post-deploy.sh # Example hook with env vars
├── build/ # Build output (gitignored)
├── go.mod
├── Makefile
└── .gitignore
- Go 1.22+
- Make
# Build for current platform
make build
# Build for Linux amd64 (server)
make build-linux
# Build for Linux ARM64 (Hetzner CAX, AWS Graviton)
make build-linux-arm64
# Build both architectures
make build-all
# Create distribution zip (binary + config + scripts)
make zip # → build/axchrono-1.0.0.zip (amd64)
make zip-arm64 # → build/axchrono-1.0.0-arm64.zip
# Run tests
make test
# Lint and format
make vet
make fmt
build/
├── axchrono-linux-amd64 # Linux x86_64 binary
├── axchrono-linux-arm64 # Linux ARM64 binary
├── axchrono-1.0.0.zip # Distribution package (amd64)
└── axchrono-1.0.0-arm64.zip # Distribution package (ARM64)
The AevonX app handles installation automatically through the plugin system. Click Install Plugin in the AXChrono tab.
# Upload and extract
scp build/axchrono-1.0.0.zip root@server:/tmp/
ssh root@server
cd /tmp && unzip axchrono-1.0.0.zip -d axchrono-install
cd axchrono-install
# Run setup
chmod +x setup.sh
./setup.sh
The setup script performs the following steps:
- Creates directories:
  - /etc/aevonx/plugins/axchrono/ (config, snapshots, cache)
  - /var/log/aevonx/plugins/axchrono/ (logs)
  - /etc/aevonx/hooks/axchrono/ (custom hooks)
- Installs binary to /usr/local/bin/axchrono
- Installs config to /etc/aevonx/plugins/axchrono/config.avx (chmod 600)
- Creates systemd service:
  [Unit]
  Description=AXChrono — Autonomous Git Deployment Engine
  After=network.target
  [Service]
  Type=simple
  ExecStart=/usr/local/bin/axchrono --config /etc/aevonx/plugins/axchrono/config.avx
  Restart=on-failure
  RestartSec=5
  LimitNOFILE=65535
  [Install]
  WantedBy=multi-user.target
- Enables and starts the service
# Check service status
systemctl status axchrono
# Check daemon status via CLI
axchrono exec status
# Check API
curl -s -H "X-AXChrono-Token: YOUR_TOKEN" http://127.0.0.1:9444/api/v1/status
When a change is detected on a tracked branch:
1. GitPulse detects new commit (poll or webhook)
   │
2. DeployMutex acquires project lock
   │
3. ChronoShift creates encrypted snapshot (AES-256-GCM)
   │
4. Git pull (fetch + reset to new commit)
   │
5. VaultScan scans diff for secrets (120 patterns)
   │   ├── Secret found + mode=block → ABORT + rollback
   │   └── Clean → continue
   │
6. NeuralPipe detects framework → selects build steps
   │   ├── Laravel: composer install → migrate → optimize
   │   ├── Next.js: npm install → next build → pm2 restart
   │   └── ... (15 frameworks)
   │
7. MigrationSandbox runs database migrations (if needed)
   │
8. ZeroFlip performs atomic symlink switch
   │
9. PermissionMatrix enforces file ownership
   │
10. SentinelHealth validates deployment
    ├── HTTP probe → expected status code
    ├── Process probe → service running
    ├── Disk probe → threshold check
    └── Memory probe → threshold check
           │
    ┌──────┴──────┐
    │             │
 HEALTHY      UNHEALTHY
    │             │
Deploy Live   Auto-Rollback
    │    (restore snapshot)
    │             │
11. ChronoLog records event (immutable timeline)
Snapshots are encrypted with AES-256-GCM. The key is derived deterministically:
key = SHA-256(serverID + ":" + projectPath + ":axchrono-v1")
This means:
- Each server+project combination has a unique key
- No key storage needed — derived from known values
- Snapshots are tied to the specific server and project
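
The derivation above, carried through an AES-256-GCM round trip, as an added example that is not AXChrono's own code (the function names, the nonce-prefixed blob layout and the sample server ID and paths are assumptions). Because every input to the hash is a known value rather than a secret, anyone who learns the server ID and project path can re-derive the key, so this scheme ties a snapshot to its server and project but does not protect it from someone who holds those two strings.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey follows the formula stated in the README:
// key = SHA-256(serverID + ":" + projectPath + ":axchrono-v1")
func deriveKey(serverID, projectPath string) [32]byte {
	return sha256.Sum256([]byte(serverID + ":" + projectPath + ":axchrono-v1"))
}

func newGCM(key [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:]) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSnapshot returns nonce || ciphertext || tag (layout assumed for this example).
func sealSnapshot(key [32]byte, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per snapshot
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openSnapshot fails if the key is wrong or any byte of the blob was modified.
func openSnapshot(key [32]byte, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("snapshot blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample values, not taken from a real deployment.
	key := deriveKey("srv-01", "/var/www/shop")
	blob, err := sealSnapshot(key, []byte("snapshot payload"))
	if err != nil {
		panic(err)
	}
	// Re-deriving from the same two strings yields the same key.
	pt, err := openSnapshot(deriveKey("srv-01", "/var/www/shop"), blob)
	fmt.Printf("same inputs: %q err=%v\n", pt, err)
	// A different project path yields a different key, so the GCM tag check fails.
	_, err = openSnapshot(deriveKey("srv-01", "/var/www/blog"), blob)
	fmt.Println("other project:", err)
}
```
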
GitPulse intelligently adjusts polling frequency:
No changes for 0–10 min → base interval (60s)
No changes for 10–60 min → interval + 30s (up to max/2)
No changes for 1h+ → interval × 2 (up to max)
Change detected → reset to base interval
AXChrono serves as the reference implementation for AevonX plugins. Here's how the plugin system works:
Every AevonX plugin must provide:
| Component | Required | Description |
|---|---|---|
| Binary | Yes | Single Go binary, runs as systemd service |
| config.avx | Yes | JSON config following AevonX config schema |
| _manifest.json | Yes | Plugin metadata, actions, health check |
| setup.sh | Yes | Installation script |
| uninstall.sh | Yes | Clean removal script |
| Stats API | Yes | HTTP REST API on localhost (any port) |
| CLI | Optional | <plugin> exec <command> via Unix socket |
{
"name": "Your Plugin",
"slug": "your-plugin",
"description": "What it does",
"version": "1.0.0",
"icon": "sf.symbol.name",
"binary": "/usr/local/bin/your-plugin exec",
"arg_style": "positional",
"service_name": "your-plugin",
"config_dir": "/etc/aevonx/plugins/your-plugin",
"hooks_dir": "/etc/aevonx/hooks/your-plugin",
"allowed_actions": [
"status",
"your.custom.action"
],
"health_check": {
"command": "your-plugin exec status",
"interval": "30s",
"timeout": "10s"
},
"systemd": {
"after": "network.target",
"restart": "on-failure",
"restart_sec": 5
}
}
{
"plugin_name": "Your Plugin",
"plugin_slug": "your-plugin",
"config_version": "1.0.0",
"config_schema": [
{
"section": "Section Name",
"description": "What this section configures",
"fields": [
{
"key": "field_name",
"label": "Human-Readable Label",
"type": "string|number|boolean|select",
"default": "value",
"description": "What this field does",
"options": ["opt1", "opt2"]
}
]
}
]
}
Follow these rules (from core-go/NOTE.md):
- Max 400 lines per file — split into multiple files if needed
- make([]T, 0) not var x []T — always initialize slices
- context.Context as first parameter everywhere
- sync.Mutex on all shared state
- Shell command sanitization — never pass user input directly to sh -c
- No password/secret logging — redact sensitive data
- Doc comments on all exported functions
- go vet + zero warnings before release
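
The shell-sanitization rule applied to a git fetch step, as an added example that is not code from this repository: the forbidden sh -c form beside an argument-vector form with an allow-list check. The function names, the branch pattern and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// branchPattern is a conservative allow-list (an assumption of this example,
// stricter than git's own ref rules): a name cannot start with '-' and cannot
// contain whitespace or shell metacharacters.
var branchPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]{0,199}$`)

var errBadBranch = errors.New("rejected branch name")

// validateBranch rejects names that could be read as options, path tricks or shell syntax.
func validateBranch(name string) error {
	if !branchPattern.MatchString(name) || strings.Contains(name, "..") ||
		strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".lock") {
		return fmt.Errorf("%w: %q", errBadBranch, name)
	}
	return nil
}

// unsafeFetch is the pattern the rule forbids: the branch name is pasted into
// a string that sh parses, so any metacharacter in it becomes shell syntax.
func unsafeFetch(ctx context.Context, repoDir, branch string) *exec.Cmd {
	return exec.CommandContext(ctx, "sh", "-c", "cd "+repoDir+" && git fetch origin "+branch)
}

// safeFetch validates the name, then passes it as one argv element with no
// shell involved; "--" stops git from treating later arguments as options.
func safeFetch(ctx context.Context, repoDir, branch string) (*exec.Cmd, error) {
	if err := validateBranch(branch); err != nil {
		return nil, err
	}
	cmd := exec.CommandContext(ctx, "git", "fetch", "--", "origin", branch)
	cmd.Dir = repoDir // working directory set directly instead of "cd ... &&"
	return cmd, nil
}

func main() {
	ctx := context.Background()
	// Constructed inputs: one ordinary branch and two that must be refused.
	for _, b := range []string{"release/1.4", "main; id", "--force"} {
		cmd, err := safeFetch(ctx, "/srv/app", b)
		if err != nil {
			fmt.Println("refused:", err)
			continue
		}
		fmt.Println("argv:", cmd.Args)
	}
}
```
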
The AevonX app renders plugin UI through AXPluginGateView:
// In the sidebar, your plugin tab routes to:
AXPluginGateView(slug: "your-plugin", serverId: serverId) {
YourPluginRootView(serverId: serverId)
}
AXPluginGateView automatically handles:
- Loading — Shows skeleton while checking installation
- Not installed — Shows install button (free) or purchase prompt (paid)
- License expired — Shows renewal prompt
- Installed — Renders your plugin's SwiftUI content
Communication pattern:
// All API calls go through SSH → curl to your localhost API
let result = await SSHBridge.shared.executeAsync(
serverId: serverId,
command: "curl -s -H 'X-YourPlugin-Token: \(token)' http://127.0.0.1:PORT/api/v1/..."
)
- Snapshots: AES-256-GCM with SHA-256 derived keys
- API Auth: Token-based (X-AXChrono-Token header)
- Config: File permissions chmod 600 (root only)
120 patterns covering:
- AWS (Access Keys, Secret Keys, Session Tokens)
- GCP (Service Account Keys, API Keys)
- Azure (Storage Keys, Connection Strings)
- GitHub/GitLab/Bitbucket tokens
- Stripe, Twilio, SendGrid, Slack, Discord tokens
- Private keys (RSA, DSA, EC, PGP)
- Database connection strings (MySQL, PostgreSQL, MongoDB, Redis)
- JWT tokens, OAuth secrets
- Generic API keys and passwords in config files
- Stats API listens on 127.0.0.1 only (not exposed to network)
- CLI uses Unix socket with filesystem permissions
- Config file readable by root only
- Webhook signatures verified per provider (HMAC-SHA256)
- Rate limiting on webhook receiver (30 req/min default)
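
HMAC-SHA256 webhook verification as listed above, shown as an added example that is not AXChrono's own receiver. It assumes the GitHub header format (X-Hub-Signature-256: sha256=<hex>); the /webhook path, the 1 MiB body limit, the function names and the test secret are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const sigHeader, sigPrefix = "X-Hub-Signature-256", "sha256="

// sign computes the header value a sender would attach to body.
func sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return sigPrefix + hex.EncodeToString(mac.Sum(nil))
}

// verify recomputes the MAC over the raw body and compares in constant time.
func verify(secret, body []byte, header string) bool {
	if len(secret) == 0 || !strings.HasPrefix(header, sigPrefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, sigPrefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// webhookHandler rejects oversized or unsigned payloads before any parsing.
func webhookHandler(secret []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		if err != nil {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		if !verify(secret, body, r.Header.Get(sigHeader)) {
			http.Error(w, "bad signature", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusAccepted) // a real receiver would queue the deploy here
	})
}

// deliver sends one in-memory request to h and returns the status code.
func deliver(h http.Handler, body, sig string) int {
	req := httptest.NewRequest(http.MethodPost, "/webhook", strings.NewReader(body))
	if sig != "" {
		req.Header.Set(sigHeader, sig)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := []byte("constructed-test-secret") // constructed, not a real secret
	h := webhookHandler(secret)
	body := `{"ref":"refs/heads/main"}` // constructed payload
	fmt.Println("valid:   ", deliver(h, body, sign(secret, []byte(body))))
	fmt.Println("tampered:", deliver(h, body+" ", sign(secret, []byte(body))))
	fmt.Println("unsigned:", deliver(h, body, ""))
}
```
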
# Run all tests
make test
# Run with verbose output
go test -v ./tests/...
# Run specific test suite
go test -v ./tests/ -run TestDetect
go test -v ./tests/ -run TestVaultScan
go test -v ./tests/ -run TestEncrypt
| Suite | Tests | Coverage |
|---|---|---|
| framework_test.go | 8 | Framework detection (Laravel, Next.js, Go, Docker, Unknown) + deployer registry |
| snapshot_test.go | 6 | AES-256-GCM round-trip, nonce uniqueness, wrong key rejection, 1MB data |
| scanner_test.go | 7 | AWS key detection, private key detection, off mode, ignore paths, redaction |
| pipeline_test.go | 3 | Engine creation, active deploy tracking, status constants |
| watcher_test.go | 4 | Change events, poller creation, adaptive backoff logic |
| Total | 28 | |
| Signal | Action |
|---|---|
| SIGHUP | Reload configuration without restart |
| SIGTERM | Graceful shutdown (2s grace period) |
| SIGINT | Graceful shutdown (2s grace period) |
Proprietary — AevonX Plugin. See AevonX License for terms.
Built with Go 1.22 for AevonX