Skip to content

Add validate and plan workflows with ordered config parsing#1

Merged
oleksandr-balyshyn merged 16 commits into
mainfrom
clean-code-review-loop
Jul 7, 2026
Merged

Add validate and plan workflows with ordered config parsing#1
oleksandr-balyshyn merged 16 commits into
mainfrom
clean-code-review-loop

Conversation

@oleksandr-balyshyn

@oleksandr-balyshyn oleksandr-balyshyn commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Summary by CodeRabbit

  • New Features
    • Added validate and plan commands, including plan --output json for structured previews.
    • Preserved directive/action order across YAML, JSON, JSON5, and TOML configs.
    • Improved release/version embedding and GitHub prerelease/stable tagging behavior.
  • Bug Fixes
    • Made directive execution and planning more deterministic (e.g., link, create, clean, shell) with clearer errors and stricter validation.
  • Documentation
    • Updated guides, troubleshooting, and examples; removed HOCON/config-extension support and refreshed CLI walkthroughs.
  • Chores
    • Strengthened CI (lint, race, vet, vuln scanning) and added tooling targets (lint/fix, race, vulncheck).

Clean now removes broken links based on their resolved target, directory creation reports chmod failures, and relink avoids removing links when Readlink fails.
Adds focused tests for platform shell selection, fallback behavior, exit-code propagation, and canceled-context handling at the shell execution boundary.
BREAKING CHANGE: --plugin, --plugin-dir, --disable-built-in-plugins, and the plugins directive are no longer accepted as compatibility features. The Go port now exposes only built-in directives.
Adds read-only validation and plan generation for supported directives, preserves config directive source order across YAML, JSON, JSON5, and TOML, and refactors link resolution around an explicit resolved-link model.
Updates README and guides for validate/plan usage, JSON plan output, and the supported YAML, JSON, JSON5, and TOML format set.
Drops the HOCON runtime dependency and example, records the supported-format decision, and keeps HOCON as an explicitly unsupported format in tests.
Builds now pass the resolved release version into dotbot-go so packaged binaries report the tag-derived version.
Add package documentation and godoc comments across the public Go surface. Refactor CLI help, app orchestration, JSON5 ordered parsing, link application, and shell directive option handling while preserving behavior. Add characterization tests for config normalization, link mutations, globbing, expansion, CLI help, and shell option precedence.
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@oleksandr-balyshyn, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 13 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 72a8ce43-8fd0-47a5-a168-f153e7f619c5

📥 Commits

Reviewing files that changed from the base of the PR and between 4ddbde2 and db961d2.

📒 Files selected for processing (45)
  • .agents/skills/codebase-design/DEEPENING.md
  • .agents/skills/codebase-design/DESIGN-IT-TWICE.md
  • .agents/skills/codebase-design/SKILL.md
  • .agents/skills/decision-mapping/SKILL.md
  • .agents/skills/design-an-interface/SKILL.md
  • .agents/skills/diagnosing-bugs/SKILL.md
  • .agents/skills/diagnosing-bugs/scripts/hitl-loop.template.sh
  • .agents/skills/domain-modeling/ADR-FORMAT.md
  • .agents/skills/domain-modeling/CONTEXT-FORMAT.md
  • .agents/skills/domain-modeling/SKILL.md
  • .agents/skills/git-guardrails-claude-code/SKILL.md
  • .agents/skills/git-guardrails-claude-code/scripts/block-dangerous-git.sh
  • .agents/skills/grill-me/SKILL.md
  • .agents/skills/grill-with-docs/SKILL.md
  • .agents/skills/grilling/SKILL.md
  • .agents/skills/handoff/SKILL.md
  • .agents/skills/implement/SKILL.md
  • .agents/skills/improve-codebase-architecture/HTML-REPORT.md
  • .agents/skills/improve-codebase-architecture/SKILL.md
  • .agents/skills/prototype/LOGIC.md
  • .agents/skills/prototype/SKILL.md
  • .agents/skills/prototype/UI.md
  • .agents/skills/request-refactor-plan/SKILL.md
  • .agents/skills/review/SKILL.md
  • .agents/skills/scaffold-exercises/SKILL.md
  • .agents/skills/setup-matt-pocock-skills/SKILL.md
  • .agents/skills/setup-matt-pocock-skills/domain.md
  • .agents/skills/setup-matt-pocock-skills/issue-tracker-github.md
  • .agents/skills/setup-matt-pocock-skills/issue-tracker-gitlab.md
  • .agents/skills/setup-matt-pocock-skills/issue-tracker-local.md
  • .agents/skills/setup-matt-pocock-skills/triage-labels.md
  • .agents/skills/setup-pre-commit/SKILL.md
  • .agents/skills/to-issues/SKILL.md
  • .agents/skills/to-prd/SKILL.md
  • .agents/skills/writing-beats/SKILL.md
  • .agents/skills/writing-fragments/SKILL.md
  • .agents/skills/writing-great-skills/GLOSSARY.md
  • .agents/skills/writing-great-skills/SKILL.md
  • .agents/skills/writing-shape/SKILL.md
  • .github/workflows/ci-release.yml
  • internal/app/app_test.go
  • internal/cli/cli_test.go
  • internal/core/core_test.go
  • internal/core/create.go
  • skills-lock.json
📝 Walkthrough

Walkthrough

This PR removes HOCON support, adds order-preserving parsers for supported config formats, introduces validate/plan flows across config, core, app, and CLI layers, and updates CI, tooling, and documentation for the new command and release behavior.

Changes

Config Format Rework

Layer / File(s) Summary
Ordered task model and registry
internal/config/config.go, internal/config/*_test.go
Adds ordered task/action construction and normalization helpers, updates the registry to supported formats only, and adjusts config tests for directive order and unsupported formats.
Order-preserving parsers
internal/config/yaml_parser.go, internal/config/json_parser.go, internal/config/json5_ordered.go, internal/config/toml_parser.go, go.mod
Adds YAML/JSON/JSON5/TOML parser implementations that preserve key order and reconstruct ordered task lists from parsed data.
Config docs and references
docs/CONFIG_FORMATS.md, docs/decisions/ADR-001-supported-config-formats.md, docs/migration/*.md, examples/install.hocon
Updates supported-format docs, migration notes, troubleshooting text, and removes the HOCON example and references.

Validate/Plan Workflow and Directive Refactor

Layer / File(s) Summary
Plan contracts and dispatcher
internal/core/plan.go, internal/core/dispatcher.go, internal/core/types.go, internal/core/helpers.go, internal/core/doc.go
Adds plan data types, dispatcher validate/plan flow, shared handler contracts, deterministic helper functions, and core package documentation.
Handler Validate/Plan implementations
internal/core/create.go, internal/core/link.go, internal/core/link_apply.go, internal/core/link_glob.go, internal/core/link_paths.go, internal/core/clean.go, internal/core/shell_handler.go
Adds validate/plan support to create, link, clean, and shell handlers, and refactors link resolution, glob handling, and link mutation helpers.
Core behavior tests
internal/core/core_test.go, internal/core/link_glob_test.go, internal/core/link_mutation_test.go
Adds dispatcher, validation, planning, glob, link mutation, and clean behavior tests across core packages.
App validate/plan integration
internal/app/app.go, internal/app/plan_output.go, internal/app/app_test.go, internal/app/doc.go
Updates app options and Run control flow for validate/plan execution, adds plan output rendering, and extends app tests for validation and plan output modes.
CLI validate/plan wiring
internal/cli/cli.go, internal/cli/cli_test.go, internal/cli/doc.go
Updates CLI option mapping, subcommand registration, help rendering, and flag display logic for validate and plan modes.
Estimated code review effort: 4 (Complex) ~75 minutes
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main changes: new validate/plan workflows plus ordered config parsing support.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch clean-code-review-loop

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🧹 Nitpick comments (5)
internal/config/config_test.go (1)

106-291: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider extracting shared order-preservation test scaffolding.

The five TestReadPreserves*TaskDirectiveOrder tests repeat the same write-file/Read/assert-order pattern. A small table-driven helper (filename, content, expected directives) would reduce duplication without losing per-format clarity.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/config/config_test.go` around lines 106 - 291, The
order-preservation tests repeat the same setup/read/assert flow across multiple
formats, so extract the shared scaffolding into a small table-driven helper to
reduce duplication. Keep the format-specific cases in
TestReadPreservesYAMLTaskDirectiveOrder,
TestReadPreservesJSONTaskDirectiveOrder,
TestReadPreservesJSON5TaskDirectiveOrder,
TestReadPreservesJSON5OrderWithDelimitersInStringsAndComments,
TestReadPreservesJSON5QuotedKeysWithDelimiters,
TestReadPreservesTOMLTaskDirectiveOrder, and
TestReadPreservesTOMLArrayTableTaskDirectiveOrder by passing filename, file
contents, and expected directives into the helper.
internal/app/app.go (2)

164-169: 🩺 Stability & Availability | 🔵 Trivial | 💤 Low value

baseDirectory indexes opts.ConfigFiles[0] without its own bounds check.

This is safe today because Run already validates len(opts.ConfigFiles) != 0 before calling baseDirectory (Line 94-97), but the helper itself has no defensive guard, so any future call site that skips that upstream check would panic with an index-out-of-range.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/app/app.go` around lines 164 - 169, baseDirectory currently
dereferences opts.ConfigFiles[0] without checking that ConfigFiles is non-empty,
so make the helper defensive by validating opts.ConfigFiles before indexing it
and handling the empty case safely. Update baseDirectory in app.go to either
return a sensible fallback or surface an error, and keep the existing Run
validation aligned with this helper so future call sites cannot panic when they
bypass the upfront len(opts.ConfigFiles) check.

90-93: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Warning-suppression logic duplicates the "json" format literal from plan_output.go.

Line 103's !(opts.Plan && opts.Output == "json") guard exists purely to keep the "No tasks" warning from corrupting JSON plan output (confirmed by TestRunPlanJSONIsNotPrefixedByEmptyConfigWarning). This duplicates the format switch in plan_output.go's writePlanOutput. If a new structured format (e.g. "yaml") is added there later, this condition must be remembered and updated separately, or the new format's output will get silently corrupted by the warning.

Consider exposing a small helper (e.g. isStructuredOutput(format string) bool) from plan_output.go and reusing it here instead of hardcoding the literal twice.

Also applies to: 103-105

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/app/app.go` around lines 90 - 93, The warning-suppression check in
app.Run currently hardcodes the same output-format logic as plan_output.go,
which risks drifting when new structured formats are added. Move that format
decision into a shared helper in plan_output.go, such as
isStructuredOutput(format string), and reuse it from the Run flow instead of
checking opts.Output against the literal directly. Update the guard around the
“No tasks” warning to call the shared helper so plan output handling stays
consistent with writePlanOutput.
internal/core/create.go (1)

19-62: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Minor duplication between Validate and Plan.

Both methods independently re-derive the list/map shape from data after Plan already calls Validate. Consider extracting a shared parse step (e.g., a private parseCreate(data) (paths []string, opts map[string]any, err error)) reused by Validate/Plan/Handle to avoid re-implementing the same type switch three times across handlers.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/core/create.go` around lines 19 - 62, `CreateHandler.Validate` and
`CreateHandler.Plan` are duplicating the same list/map parsing logic for `data`;
extract the shape check and conversion into a shared helper (for example a
private parse function used by `Validate`, `Plan`, and `Handle`) so the
type-switch and string/map assertions live in one place and `Plan` just consumes
the parsed result.
.github/workflows/ci-release.yml (1)

124-129: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Pin govulncheck to a specific version for reproducible CI.

go run golang.org/x/vuln/cmd/govulncheck@latest is unpinned, so the release pipeline's behavior can change without a corresponding PR when a new govulncheck version is published. The justfile's vulncheck target has the same pattern.

♻️ Proposed fix
-      - name: Run vulnerability scan
-        run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...
+      - name: Run vulnerability scan
+        run: go run golang.org/x/vuln/cmd/govulncheck@v1.1.4 ./...
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci-release.yml around lines 124 - 129, The vulnerability
scan step is using an unpinned govulncheck version, which makes CI behavior
non-reproducible. Update the workflow’s “Run vulnerability scan” command to use
a fixed govulncheck version instead of `@latest`, and apply the same change in the
justfile vulncheck target so both entry points stay consistent.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci-release.yml:
- Around line 105-109: The Run golangci-lint step is pinned to an older
golangci-lint version that cannot parse Go 1.26 syntax while this workflow uses
Go 1.26.4. Update the version in the golangci/golangci-lint-action@v6
configuration to a release that supports Go 1.26, keeping the existing args and
action setup unchanged.
- Around line 84-93: The test and build jobs in the workflow are still checking
out with writable GitHub credentials and using Go caching on untrusted runs.
Update the actions/checkout step in those jobs to set persist-credentials to
false, and adjust the actions/setup-go step for those jobs to avoid writing
cache on PR/untrusted events (or disable cache there entirely). Keep the tag job
unchanged, since it is the only one that needs push access.

In `@docs/USER_GUIDE.md`:
- Around line 71-73: The validation description in USER_GUIDE.md is inaccurate
because validate does not report how many operations would be planned. Update
the wording around validate to say it checks that the config can be read and
directive payloads have supported shapes, while explicitly stating it does not
create directories, links, or run shell commands; use the validate command
description in the guide as the place to adjust this behavior text.

In `@internal/config/toml_parser.go`:
- Around line 131-132: The tomlunstable.String branch in the TOML parser is
returning raw bytes instead of decoding the string value, so escape sequences
and multiline/basic string handling are incorrect. Update the value handling in
the parser to route String nodes through tomlScalarValue rather than converting
node.Data directly in the toml parser logic. Keep the fix localized to the
scalar decoding path used by the TOML node switch.

In `@internal/expand/expand_test.go`:
- Around line 46-68: The Path tests are using Unix-style expected strings even
though NormSlash and ExpandEnv make the output OS-dependent. Update TestPath to
branch on runtime.GOOS or construct the expected values with filepath helpers so
the env-only and undefined-env cases match Windows backslash behavior as well as
other platforms. Use the Path test cases and the Path function as the reference
points when adjusting the assertions.
- Around line 9-33: The User test is only setting HOME, so the bare-tilde case
can still depend on host-specific Windows home resolution. Update TestUser in
expand_test.go to either set the Windows home environment variables used by
os.UserHomeDir (such as USERPROFILE) alongside HOME, or skip the test on
Windows, and keep the existing User/~/filepath expectations unchanged.

---

Nitpick comments:
In @.github/workflows/ci-release.yml:
- Around line 124-129: The vulnerability scan step is using an unpinned
govulncheck version, which makes CI behavior non-reproducible. Update the
workflow’s “Run vulnerability scan” command to use a fixed govulncheck version
instead of `@latest`, and apply the same change in the justfile vulncheck target
so both entry points stay consistent.

In `@internal/app/app.go`:
- Around line 164-169: baseDirectory currently dereferences opts.ConfigFiles[0]
without checking that ConfigFiles is non-empty, so make the helper defensive by
validating opts.ConfigFiles before indexing it and handling the empty case
safely. Update baseDirectory in app.go to either return a sensible fallback or
surface an error, and keep the existing Run validation aligned with this helper
so future call sites cannot panic when they bypass the upfront
len(opts.ConfigFiles) check.
- Around line 90-93: The warning-suppression check in app.Run currently
hardcodes the same output-format logic as plan_output.go, which risks drifting
when new structured formats are added. Move that format decision into a shared
helper in plan_output.go, such as isStructuredOutput(format string), and reuse
it from the Run flow instead of checking opts.Output against the literal
directly. Update the guard around the “No tasks” warning to call the shared
helper so plan output handling stays consistent with writePlanOutput.

In `@internal/config/config_test.go`:
- Around line 106-291: The order-preservation tests repeat the same
setup/read/assert flow across multiple formats, so extract the shared
scaffolding into a small table-driven helper to reduce duplication. Keep the
format-specific cases in TestReadPreservesYAMLTaskDirectiveOrder,
TestReadPreservesJSONTaskDirectiveOrder,
TestReadPreservesJSON5TaskDirectiveOrder,
TestReadPreservesJSON5OrderWithDelimitersInStringsAndComments,
TestReadPreservesJSON5QuotedKeysWithDelimiters,
TestReadPreservesTOMLTaskDirectiveOrder, and
TestReadPreservesTOMLArrayTableTaskDirectiveOrder by passing filename, file
contents, and expected directives into the helper.

In `@internal/core/create.go`:
- Around line 19-62: `CreateHandler.Validate` and `CreateHandler.Plan` are
duplicating the same list/map parsing logic for `data`; extract the shape check
and conversion into a shared helper (for example a private parse function used
by `Validate`, `Plan`, and `Handle`) so the type-switch and string/map
assertions live in one place and `Plan` just consumes the parsed result.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4b5222c4-70bd-489b-ad4d-2623b79f42f7

📥 Commits

Reviewing files that changed from the base of the PR and between 38bdfad and ebc1963.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (59)
  • .github/workflows/ci-release.yml
  • .golangci.yml
  • README.md
  • cmd/dotbot-go/doc.go
  • docs/CONFIG_FORMATS.md
  • docs/TROUBLESHOOTING.md
  • docs/USER_GUIDE.md
  • docs/decisions/ADR-001-supported-config-formats.md
  • docs/migration/ARCHITECTURE.md
  • docs/migration/CLI_ENGINEER.md
  • docs/migration/CORE_MIGRATION.md
  • docs/migration/DEPENDENCY_DECISIONS.md
  • docs/migration/MIGRATION_ANALYSIS.md
  • docs/migration/REVIEW_REPORT.md
  • docs/migration/TEST_ENGINEER.md
  • examples/install.hocon
  • go.mod
  • internal/app/app.go
  • internal/app/app_test.go
  • internal/app/doc.go
  • internal/app/plan_output.go
  • internal/cli/cli.go
  • internal/cli/cli_test.go
  • internal/cli/doc.go
  • internal/config/config.go
  • internal/config/config_test.go
  • internal/config/doc.go
  • internal/config/json5_ordered.go
  • internal/config/json_parser.go
  • internal/config/normalize_test.go
  • internal/config/parsers.go
  • internal/config/toml_parser.go
  • internal/config/yaml_parser.go
  • internal/core/clean.go
  • internal/core/core_test.go
  • internal/core/create.go
  • internal/core/dispatcher.go
  • internal/core/doc.go
  • internal/core/helpers.go
  • internal/core/link.go
  • internal/core/link_apply.go
  • internal/core/link_glob.go
  • internal/core/link_glob_test.go
  • internal/core/link_mutation_test.go
  • internal/core/link_paths.go
  • internal/core/plan.go
  • internal/core/shell_handler.go
  • internal/core/types.go
  • internal/expand/doc.go
  • internal/expand/expand.go
  • internal/expand/expand_test.go
  • internal/fsops/doc.go
  • internal/fsops/fs.go
  • internal/log/doc.go
  • internal/log/log.go
  • internal/shell/doc.go
  • internal/shell/shell.go
  • internal/shell/shell_test.go
  • justfile
💤 Files with no reviewable changes (5)
  • go.mod
  • examples/install.hocon
  • docs/migration/REVIEW_REPORT.md
  • internal/config/parsers.go
  • docs/migration/TEST_ENGINEER.md

Comment thread .github/workflows/ci-release.yml Outdated
Comment thread .github/workflows/ci-release.yml
Comment thread docs/USER_GUIDE.md Outdated
Comment thread internal/config/toml_parser.go Outdated
Comment thread internal/expand/expand_test.go
Comment thread internal/expand/expand_test.go
@oleksandr-balyshyn oleksandr-balyshyn changed the title Clean code review loop Add validate and plan workflows with ordered config parsing Jul 7, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
internal/core/create.go (1)

26-36: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Plan omits resolved mode from Detail.

Plan only sets Directive and Target; the resolved os.FileMode (via createMode) isn't surfaced in Operation.Detail, even though Operation.Detail exists to carry "directive-specific context for display." Users running --plan won't see what mode will be applied to created directories.

♻️ Suggested enhancement
 func (h CreateHandler) Plan(ctx *Context, directive string, data any) ([]Operation, error) {
 	entries, err := createEntries(data)
 	if err != nil {
 		return nil, err
 	}
+	defaults, _ := asMap(ctx.Defaults["create"])
 	operations := make([]Operation, 0, len(entries))
 	for _, entry := range entries {
-		operations = append(operations, Operation{Directive: directive, Target: entry.path})
+		mode := createMode(defaults, entry.options)
+		operations = append(operations, Operation{Directive: directive, Target: entry.path, Detail: fmt.Sprintf("mode=%o", mode)})
 	}
 	return operations, nil
 }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/core/create.go` around lines 26 - 36, The Plan method in
CreateHandler is only populating Directive and Target, so the resolved file mode
is missing from Operation.Detail. Update Plan to carry the createMode-derived
os.FileMode into each Operation.Detail for directory entries, while keeping
createEntries as the source of targets, so --plan shows the actual mode that
will be applied.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/core/create.go`:
- Around line 20-23: Validate currently only calls createEntries, so invalid
mode values can slip through --validate and fail later in Handle. Update
CreateHandler.Validate to also resolve and check the mode for each parsed entry,
including when the default mode is used, or change createMode/parseMode so
invalid modes return an error during validation. Use the existing createEntries,
createMode, parseMode, and CreateHandler.Validate flow to keep the validation
path aligned with runtime handling.

---

Nitpick comments:
In `@internal/core/create.go`:
- Around line 26-36: The Plan method in CreateHandler is only populating
Directive and Target, so the resolved file mode is missing from
Operation.Detail. Update Plan to carry the createMode-derived os.FileMode into
each Operation.Detail for directory entries, while keeping createEntries as the
source of targets, so --plan shows the actual mode that will be applied.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f43e6e17-4a72-4daa-8450-ba6b262d6b74

📥 Commits

Reviewing files that changed from the base of the PR and between ebc1963 and 4181062.

📒 Files selected for processing (17)
  • .github/workflows/ci-release.yml
  • .golangci.yml
  • docs/USER_GUIDE.md
  • internal/app/app.go
  • internal/app/app_test.go
  • internal/app/plan_output.go
  • internal/cli/cli.go
  • internal/cli/cli_test.go
  • internal/config/config_test.go
  • internal/config/json5_ordered.go
  • internal/config/toml_parser.go
  • internal/core/create.go
  • internal/core/link_apply.go
  • internal/expand/expand_test.go
  • internal/log/log.go
  • internal/shell/shell.go
  • justfile
✅ Files skipped from review due to trivial changes (3)
  • .golangci.yml
  • docs/USER_GUIDE.md
  • internal/log/log.go
🚧 Files skipped from review as they are similar to previous changes (13)
  • internal/config/toml_parser.go
  • justfile
  • internal/expand/expand_test.go
  • internal/shell/shell.go
  • internal/cli/cli.go
  • internal/core/link_apply.go
  • internal/app/plan_output.go
  • internal/app/app.go
  • .github/workflows/ci-release.yml
  • internal/app/app_test.go
  • internal/cli/cli_test.go
  • internal/config/config_test.go
  • internal/config/json5_ordered.go

Comment thread internal/core/create.go
@guardrails

guardrails Bot commented Jul 7, 2026

Copy link
Copy Markdown

⚠️ We detected 24 security issues in this pull request:

Hard-Coded Secrets (24)
Severity Details Docs
Medium Title: Hex High Entropy String
"computedHash": "2426dc4accf1a85dedfb560edb3a877ec8828b7375ea08c970df2b6c900a2a22"
📚
Medium Title: Hex High Entropy String
"computedHash": "1f47652b01676edd07dbe79c709dd91cfd0ef79fe4f9033afaa9bb3111e0b173"
📚
Medium Title: Hex High Entropy String
"computedHash": "885b05367fb1cf61a1e27e0d50f14d2502a05c1fa276c6e9ea050ce6a90e7095"
📚
Medium Title: Hex High Entropy String
"computedHash": "1a993ce9b2aaa653ee441c8d7efb7f27de03493c722be6dfb8137bcb8db1bc72"
📚
Medium Title: Hex High Entropy String
"computedHash": "67343881f5def98487d56243155716110afbcbf22ec92421c882d532b941cb17"
📚
Medium Title: Hex High Entropy String
"computedHash": "53a1de29d2b76481202608376fa4a20a8bd7e65b0b8a907a8c9578e629cf313f"
📚
Medium Title: Hex High Entropy String
"computedHash": "f321507f77702a54af1db66549ec1685fc625390d06c57d7949cdcda8eb1b5c7"
📚
Medium Title: Hex High Entropy String
"computedHash": "e7ef25bbee50cda2eb7b3a8ef541db0a0396dad7d369f7d14fb610671dd1864b"
📚
Medium Title: Hex High Entropy String
"computedHash": "ef685a6fa0bbe73b05bbd8dc1ec97258191587f07c6aa7dbc9006675ceb8f90f"
📚
Medium Title: Hex High Entropy String
"computedHash": "5d0f81e38abe6b984e1feaa731927de5291d040982106ac513cf54ec240e00ec"
📚
Medium Title: Hex High Entropy String
"computedHash": "f7b0f3636d20c12d1596336efa6943346f85c97f6419371347ac96c089dca08f"
📚
Medium Title: Hex High Entropy String
"computedHash": "8bf292143ca93b00276a0de0fc5f84f2381f4690c5b0d32e99fa283a072f392f"
📚
Medium Title: Hex High Entropy String
"computedHash": "40ff56e36bb13b5a9a16903efd6c78a02690ba430e10a8d1a65559100b77f475"
📚
Medium Title: Hex High Entropy String
"computedHash": "176cf1d0c4dc4fc4d958c4bc4ed67f222f2656bda2f3f15e3a3e98b2e5edaf2f"
📚
Medium Title: Hex High Entropy String
"computedHash": "8f98a68bf07ef9b80d5302d863efe896fbf7beb488f01904ad65c76fac394e82"
📚
Medium Title: Hex High Entropy String
"computedHash": "486d60a7e984b76850bd22b3b58b98d0063a3b9b3acf319e4d5a37bf1283ea02"
📚
Medium Title: Hex High Entropy String
"computedHash": "400da4521ed701c99e8824ae7b71c7859632ee91481b3715890036cf8aec6857"
📚
Medium Title: Hex High Entropy String
"computedHash": "f9aeedf0a1f560ec465c3939c54434c2d949ac8b958a0493db52216f688a0366"
📚
Medium Title: Hex High Entropy String
"computedHash": "4e2a11d35f018490d42a79234432f779d7131b9920373ef24cfbc68229bfef6c"
📚
Medium Title: Hex High Entropy String
"computedHash": "5a733e19d825f22e83de52e68b8840c9fd2fa7501282277a122c1aa28a922059"
📚
Medium Title: Hex High Entropy String
"computedHash": "ee085ddd96636cd55306a11e75396a5cc3d98b5658bf2460439d511095ad86f9"
📚
Medium Title: Hex High Entropy String
"computedHash": "1c21ac5c7444041a7536527b2016a5f7c5626d9f2279380ea4a418cbee548f6f"
📚
Medium Title: Hex High Entropy String
"computedHash": "581f78b50b3d81b095de86b5c18a4d9fa932fbe414cc82bd26d627d4da518f07"
📚
Medium Title: Hex High Entropy String
"computedHash": "4cae0b2eccd512594a1edc15a0eeffaa2f11e7f2cf21dd4cf9213171c165d324"
📚

More info on how to fix Hard-Coded Secrets in General.


👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

@oleksandr-balyshyn
oleksandr-balyshyn merged commit 21984eb into main Jul 7, 2026
9 of 10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant