Use native git-go library

Author: tstromberg

.ko.yaml

@@ -40,11 +40,33 @@ The server **cannot** push commands. Ever. That's the point.
 ## Quick Start
 
 ```bash
-# Server
-./out/gitmdm-server -git [email protected]:org/compliance.git -api-key SECRET
+# Server - now with 100% less git CLI dependency!
+# Auto-generates a join key from hardware ID if you're too lazy to set one
+./gitmdm-server -git /path/to/compliance  # Creates repo if it doesn't exist
+# or
+./gitmdm-server -clone /existing/repo      # Uses existing local repo
+
+# The server will display something like:
+# ═══════════════════════════════════════════════════════════════
+# GitMDM Server Started
+# Join Key: 926DD23A5B
+# 
+# To register an agent, run:
+#   ./gitmdm-agent --server http://localhost:8080 --join 926DD23A5B
+# ═══════════════════════════════════════════════════════════════
+
+# Agent - checks in every 20 minutes (because 5 was too clingy)
+./gitmdm-agent --server http://localhost:8080 --join 926DD23A5B
+```
+
+### Environment Variables (for the Docker crowd)
 
-# Agent
-./out/gitmdm-agent -server https://server:8080
+```bash
+# Server accepts these if you're allergic to flags
+export [email protected]:org/compliance.git
+export PORT=8080
+export JOIN_KEY=SUPERSECRET123  # Or let it auto-generate one
+./gitmdm-server
 ```
 
 ## Local Checks
@@ -77,12 +99,16 @@ You'll see output similar to:
 
 SOC 2 compliance evidence in git:
 ```
-devices/laptop-alice/disk_encryption.json  ✓
-devices/laptop-alice/screen_lock.json      ✓
-devices/server-prod/firewall.json          ✓
+devices/
+├── 926DD23A5B/                    # Hardware IDs, not names (privacy!)
+│   ├── info.json                  # Device metadata
+│   ├── disk_encryption.json       ✓
+│   ├── screen_lock.json          ✓ 
+│   └── firewall.json             ✓
+└── README.md                      # Auto-created, unlike this one
 ```
 
-Every check, every change, cryptographically signed and timestamped.
+Every check, every change, in git. No database to corrupt, no API to hack.
 
 ## Supported Platforms
 
@@ -102,27 +128,49 @@ Edit, compile, deploy. No runtime configuration files to tamper with.
 
 ## Security Guarantees
 
-- Server compromise = read-only access to compliance reports
-- No arbitrary code execution, even with root on the server
-- Agent decides what runs based on compiled-in checks
-- Bash restricted mode when shell execution is needed
+- **Server compromise = read-only access to compliance reports** (and they're in git anyway)
+- **No arbitrary code execution** - Not even with root on the server
+- **Agent decides what runs** - Compiled-in checks, not runtime shenanigans
+- **Bash restricted mode** - When we absolutely must shell out
+- **No git CLI required** - Pure Go implementation (go-git), works in containers
+- **Join key required** - Keeps the riffraff out of your compliance data
 
 ## Building
 
 ```bash
 make all
 ```
 
+Compiles to static binaries because dynamic linking is for people who enjoy debugging production at 3 AM.
+
+## Code Philosophy
+
+Written in Go, blessed by Rob Pike's simplicity principles:
+- Functions read like recipes, not puzzle boxes
+- No clever abstractions that require a PhD to understand  
+- Minimal dependencies (yaml, retry, go-git - that's it!)
+- If a function is <7 lines and called once, it's inlined
+- Security through simplicity, not complexity theater
+
 ## FAQ
 
-**Q: Is this SOC 2 compliant?**
+**Q: Is this SOC 2 compliant?**  
 A: It generates the reports auditors need. Without the backdoors.
 
-**Q: What if we need to change checks?**
+**Q: What if we need to change checks?**  
 A: Rebuild and redeploy. Immutability is a feature, not a bug.
 
-**Q: Why git?**
-A: Cryptographic proof, audit trail, existing tooling, no database.
+**Q: Why git?**  
+A: Cryptographic proof, audit trail, existing tooling, no database to "accidentally" DROP.
+
+**Q: Does it need git installed?**  
+A: Nope! Uses go-git. Works in your hipster minimal container.
+
+**Q: What's a join key?**  
+A: A speed bump for script kiddies. Not Fort Knox, but keeps honest people honest.
+
+**Q: Why 20-minute check-ins?**  
+A: Because 5 minutes was needy, and daily was negligent. Goldilocks would approve.
 
 ---
 

README.md

@@ -73,7 +73,11 @@ func analyzeGDMAutoLogin(output string) Result {
 		return Result{Status: statusNA, Description: "Not GDM output"}
 	}
 
-	configFile := getGDMConfigFile(output)
+	// Determine GDM config file location
+	configFile := "/etc/gdm3/custom.conf"
+	if strings.Contains(output, "/etc/gdm/") {
+		configFile = "/etc/gdm/custom.conf"
+	}
 
 	if strings.Contains(output, "automaticloginenable") {
 		if strings.Contains(output, "automaticloginenable=true") ||
@@ -187,13 +191,6 @@ func isErrorOutput(output string) bool {
 	return strings.Contains(output, "does not exist") || strings.Contains(output, "error")
 }
 
-func getGDMConfigFile(output string) string {
-	if strings.Contains(output, "/etc/gdm/") {
-		return "/etc/gdm/custom.conf"
-	}
-	return "/etc/gdm3/custom.conf"
-}
-
 func extractGDMAutoLoginUser(output string) string {
 	if !strings.Contains(output, "automaticlogin=") {
 		return ""

cmd/agent/analyzer/auto_login.go

@@ -97,13 +97,13 @@ func (*Agent) executeCommandWithPipes(ctx context.Context, checkName, command st
 	stdoutBytes := stdoutBuf.Bytes()
 	stdout := string(stdoutBytes)
 	if len(stdoutBytes) > maxOutputSize {
-		stdout = string(stdoutBytes[:maxOutputSize]) + "\n[Output truncated to 10KB]..."
+		stdout = string(stdoutBytes[:maxOutputSize]) + "\n[Output truncated to 90KB]..."
 	}
 
 	stderrBytes := stderrBuf.Bytes()
 	stderr := string(stderrBytes)
 	if len(stderrBytes) > maxOutputSize {
-		stderr = string(stderrBytes[:maxOutputSize]) + "\n[Output truncated to 10KB]..."
+		stderr = string(stderrBytes[:maxOutputSize]) + "\n[Output truncated to 90KB]..."
 	}
 
 	// Determine exit code