fix: canonical hardening (audit findings #1-12) #9
Merged
Correctness & safety
- batch: pass the parsed file through instead of posting nil (was a silent no-op that ignored the input); accept a JSON array of items and reject empty/invalid input
- delete: --no-input now refuses with an error instead of deleting without confirmation — only --force/--yes authorizes skipping the prompt
- api client: set a 60s request timeout; wire signal.NotifyContext for SIGINT/SIGTERM into the root context so requests are cancellable; bound local browser login with a 5m timeout so the callback port is released

Contract
- list/query: emit exit code 3 (empty) on zero results while still writing a valid (empty) array to stdout
- schema: expose `auth login --redirect-uri`

Auth robustness
- GenerateState propagates crypto/rand errors instead of risking a predictable OAuth CSRF state
- token expiry check gains a 30s clock-skew leeway

Docs
- add SECURITY.md (token/secret handling + private disclosure path)
- remove dead demo.gif reference from README
- fix llms.txt (--order-by) and COMMANDS (--select dot paths); document the batch file format

Tests
- cover internal/cmd (delete/create/batch guards), batch passthrough, and output.IsEmpty
Resolves findings #1–#12 from the codebase audit. Findings #13+ (dependabot, CONTRIBUTING, retry/backoff, godocs, dry-run double-header, go.mod patch pin) are intentionally out of scope.
Correctness & safety
- `batch.go` parsed the file then posted `nil`. Now passes the items through under `BatchItemRequest`; accepts a JSON array and rejects empty/invalid input.
- `--no-input` deleted without confirming — it was treated as a `--force` synonym. Now it refuses (exit 2, "refusing to delete without --force in --no-input mode"); only `--force`/`--yes` authorizes skipping the prompt. Matches the documented contract.
- `signal.NotifyContext` (SIGINT/SIGTERM) is wired into the root context so in-flight requests cancel on Ctrl-C; local login is bounded by a 5m timeout (also makes the previously-dead "login timed out" branch reachable and frees port 8844 on abandonment).

Contract
- `list`/`query` on zero results, while stdout still gets a valid (empty) array — agents can finally branch on it.
- `auth login --redirect-uri` now appears in `qbo schema`.

Auth robustness
- `GenerateState` propagates `crypto/rand` errors (no more all-zeros/predictable CSRF state on failure).

Docs
- `demo.gif` `<img>` from the README; fix `llms.txt` (`--order-by`) and `COMMANDS` (`--select` dot paths); document the batch file format.

Tests (#12)
- `internal/cmd` had zero tests (the root cause that let #1/#2 ship). Added: delete unknown-entity / `--no-input` / dry-run-no-network guards, create unknown-entity, batch empty/invalid rejection, batch passthrough (httptest), and `output.IsEmpty`.

All local checks green: build, race tests, vet, golangci-lint.
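The failure mode behind the `GenerateState` fix and the expiry leeway, as an added Go example that is not the project's code. `weakState`, `newState`, `expired` and `failingReader` are hypothetical names, and the example assumes the leeway makes a token count as expired 30s before its nominal expiry.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"time"
)

// failingReader is a constructed stand-in for an entropy source that errors.
type failingReader struct{}

func (failingReader) Read([]byte) (int, error) { return 0, errors.New("entropy unavailable") }

// weakState ignores the read error (the "before" pattern): on failure the
// buffer stays zeroed, so the CSRF state is a constant anyone can guess.
func weakState(r io.Reader) string {
	b := make([]byte, 16)
	_, _ = io.ReadFull(r, b)
	return hex.EncodeToString(b)
}

// newState propagates the error so the caller aborts the login instead.
func newState(r io.Reader) (string, error) {
	b := make([]byte, 16)
	if _, err := io.ReadFull(r, b); err != nil {
		return "", fmt.Errorf("generate oauth state: %w", err)
	}
	return hex.EncodeToString(b), nil
}

// expired reports true once now is within leeway of expiry (assumed
// direction: expire early so a skewed clock never sends a stale token).
func expired(expiry, now time.Time, leeway time.Duration) bool {
	return !now.Before(expiry.Add(-leeway))
}

func main() {
	fmt.Println("weak on failure:", weakState(failingReader{}))
	_, err := newState(failingReader{})
	fmt.Println("hardened on failure:", err)
	s, _ := newState(rand.Reader)
	fmt.Println("hardened ok:", s)
	exp := time.Now().Add(20 * time.Second)
	fmt.Println("expired with 30s leeway:", expired(exp, time.Now(), 30*time.Second))
}
```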