Introduces a new internal/proxy package that provides a localhost HTTP
reverse proxy enforcing read-only access to the Kubernetes API server.
- Allows GET, HEAD, OPTIONS requests (kubectl get/describe/logs/top/watch)
- Blocks POST, PUT, DELETE, PATCH with metav1.Status 405 responses
- Blocks Connection: Upgrade requests (kubectl exec/cp/port-forward)
- Uses client-go transport for TLS/auth to the real API server
- Rewrites kubeconfig: server URL to proxy, strips auth, sets insecure-skip-tls-verify
- Appends [RO] suffix to context name in rewritten kubeconfig
- DEBUG=1 enables request/response logging
- Comprehensive test coverage for all proxy behavior
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Spawns an isolated sub-shell with a minimal kubeconfig containing only the specified context.
This allows the user to launch a shell where they can only interact with a single cluster without having to worry about a command or an LLM agent interacting with other contexts.
Inside the isolated shell, most context switching/editing operations on kubectx are blocked. Nested shells not allowed.
Fixes#12.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix(release): customize goreleaser config file, by adding json schema and fixing configuration version
* fix(go): rename invalid comment format
* fix(ci): made release workflow work again
replace goreleaser --rm-dist flag by --clean
increment go version for release pipeline
fetch previous tags use by goreleaser
give release workflow content write permissions to publish release
