Skip to content

feat(cli): read commands, CI automation surface, and branded terminal UI#46

Merged
general-maximus-decimus merged 14 commits into
alphafrom
r/release.29.06.2026.stallion-cli-commands
Jul 6, 2026
Merged

feat(cli): read commands, CI automation surface, and branded terminal UI#46
general-maximus-decimus merged 14 commits into
alphafrom
r/release.29.06.2026.stallion-cli-commands

Conversation

@general-maximus-decimus

@general-maximus-decimus general-maximus-decimus commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

New commands

  • list-projects, list-buckets, list-bundles, list-releases, release-info, list-patches: read the full org → project → bucket → bundle → release → patch hierarchy from the terminal
  • use / context: save a default org+project and inspect or clear it
  • whoami: profile, organizations, and the active context at a glance

CI automation

  • --ci-token on all read commands: fully non-interactive, project-scoped auth for pipelines (no stored login needed); region is derived from the token itself
  • --json on every read and on publish-bundle: stdout carries exactly one parseable JSON document (spinners/diagnostics go to stderr), failures emit {"error": ...} with a non-zero exit — $(... | jq) is safe by construction
  • publish-bundle waits until the uploaded bundle is queryable before returning, so a follow-up release-bundle cannot race into "bundle not found"

Filtering & output

  • --limit on list commands (default 15, max 30), --name filter for buckets, --bucket/--bucket-id + --platform filters for bundles
  • list-bundles shows the full sha256 hash (wraps on narrow terminals) and the release note; release-info renders rollout, status, and adoption metrics
  • branded terminal UI: logo banner, spinners with progress meters, bordered boards, consistent status lines

Summary

This pull request introduces a significant set of new features, focusing on read commands, CI automation, and a branded terminal UI. The changes are well-structured, improve user experience, and enhance the CLI's capabilities for both interactive and automated use. Key improvements include robust context management, a dedicated UI module for consistent output, and critical security advice for key generation. The --ci-token implementation for read commands is a good security practice for automation.


Generated by StallionDevX

@stalliondevx stalliondevx Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 StallionDevX AI Review

Quality Score: ░░░░░░░░░░ 0/100

Verdict: comment

Summary

⚠️ Automated review could not be completed. The AI analysis encountered an error. Please review this PR manually.

@stalliondevx stalliondevx Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 StallionDevX AI Review

Quality Score: ░░░░░░░░░░ 0/100

Verdict: comment

Summary

⚠️ Automated review could not be completed. The AI analysis encountered an error. Please review this PR manually.

@stalliondevx stalliondevx Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 StallionDevX AI Review

Quality Score: ██████████ 95/100

Verdict: approve

Summary

This pull request introduces a significant set of new commands for listing resources (organizations, projects, buckets, bundles, releases) and managing CLI context. It also includes a major overhaul of the command-line interface's branding and user experience, moving to a new UI module and @inquirer/prompts. The architectural changes, particularly the user-client.ts module, centralize logic for resolving context and making authenticated API calls, which is a good improvement for maintainability. Overall, the changes are well-structured and enhance the CLI's functionality and usability.

⚠️ Warning (2)

  • 🧹 Untyped API Response Datasrc/api/user-client.ts:129
    The API responses for ENDPOINTS.PROJECT.LIST and ENDPOINTS.BUCKET.LIST are typed as any[]. This reduces type safety and makes the code harder to maintain and refactor, as the structure of p and b objects is inferred at runtime.
  • 🧹 Hardcoded Default Region 'ap'src/api/user-client.ts:13
    The default region 'ap' is hardcoded as a fallback when parsing the CI token region or retrieving it from the context. While 'ap' might be the primary region, hardcoding it could lead to issues if the CLI is used in environments where 'ap' is not the default or if a token/context genuinely lacks region information and a different default is expected.

Comment thread src/api/user-client.ts
Comment thread src/api/user-client.ts

@stalliondevx stalliondevx Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 StallionDevX AI Review

Quality Score: ██████████ 95/100

Verdict: approve

Summary

This pull request introduces a significant refactor of the CLI's user interface, replacing inquirer with @inquirer/prompts and centralizing all UI logic into a new src/ui module. This greatly improves consistency, branding, and maintainability. Several new commands (list-projects, list-buckets, list-bundles, list-releases, release-info, use, context, whoami) are added, expanding the CLI's functionality. A new user-client.ts centralizes API client creation and context resolution, enhancing code organization. The generate-secret-key command was removed and its functionality merged into generate-key-pair, which now uses the new UI for clearer output and security warnings. Overall, this is a well-structured and impactful update.

⚠️ Warning (4)

  • 🧹 Specific pnpm version in packageManagerpackage.json:16
    The packageManager field specifies a very precise version of pnpm (pnpm@10.11.0). While this ensures strict dependency management, it might require a package.json update for minor pnpm version bumps, which could be cumbersome.
  • 🧹 Error message could be more actionablesrc/api/user-client.ts:164
    The error message 'No projects found in this organization.' is clear, but could be more helpful by suggesting next steps to the user, such as how to create a project.
  • 🧹 Error message could be more actionablesrc/api/user-client.ts:185
    Similar to project resolution, the error message 'No buckets found in this project.' could be more helpful by suggesting next steps to the user.
  • 🎨 Date format for user displaysrc/commands/generate-key-pair.command.ts:45
    Using toISOString() provides a precise, machine-readable date. For user-facing output, a more human-friendly local date/time format might improve readability.

@stalliondevx stalliondevx Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 StallionDevX AI Review

Quality Score: ░░░░░░░░░░ 0/100

Verdict: comment

Summary

⚠️ Automated review could not be completed. The AI analysis encountered an error. Please review this PR manually.

@stalliondevx stalliondevx Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 StallionDevX AI Review

Quality Score: ███████░░░ 65/100

Verdict: request changes

🔐 Security vulnerabilities detected — review required before merging

Summary

This pull request introduces a significant number of new CLI commands and a new, branded terminal UI, which greatly enhances the user experience and functionality. The refactoring of prompt libraries and error reporting to use the new UI module is a positive step for maintainability and consistency. However, there are critical security and usability concerns related to regular expression handling and interactive prompts in non-interactive environments that need to be addressed before merging.

🚨 Critical (2)

  • 🔐 Regular Expression Denial of Service (ReDoS) Vulnerabilitysrc/ui/format.ts:10
    The filterAndLimit function constructs a regular expression directly from user input (--filter option) without proper escaping or validation. A malicious or complex regex pattern can consume excessive CPU resources, leading to a denial of service.
  • 🐛 Commands can hang in non-interactive environmentssrc/api/user-client.ts:95
    Functions like resolveOrgContext, resolveProjectId, resolveBucketId, and resolvePlatform use interactive prompts (promptSelect) to gather missing information. If these commands are executed in a non-interactive environment (e.g., CI/CD pipeline) without all required options provided via flags, the process will hang indefinitely, waiting for user input.

⚠️ Warning (1)

  • 🧹 Inconsistent error handling in key generationsrc/commands/generate-key-pair.command.ts:60
    The execute method catches errors during key generation but only logs them to the console. It does not re-throw the error or ensure the process exits with a non-zero status code, which means the command might appear to succeed to a calling script even if it failed.

Comment thread src/ui/format.ts
Comment thread src/api/user-client.ts
Comment thread src/commands/generate-key-pair.command.ts

@stalliondevx stalliondevx Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 StallionDevX AI Review

Quality Score: █████████░ 85/100

Verdict: request changes

Summary

This pull request introduces a significant overhaul of the CLI's user interface, migrating to a structured ui module with @inquirer/prompts for interactive input and consistent formatting. It adds a comprehensive suite of new commands for listing resources (list-projects, list-buckets, list-bundles, list-releases, list-patches), context management (context, use), and user information (whoami). The generate-secret-key command has been removed, and generate-key-pair was refactored to use the new UI. Support for --ci-token has been extended to many read-only commands. Overall, these changes greatly enhance the CLI's functionality, user experience, and maintainability.

⚠️ Warning (5)

  • 🐛 Ambiguous CI token region fallbacksrc/api/user-client.ts:16
    If the CI token does not contain valid region information, the API client defaults to 'ap'. This could lead to API requests being sent to the wrong regional endpoint, resulting in errors or increased latency.
  • 🧹 Brittle CI token support checksrc/command-line/command.registry.ts:40
    The supportsCIToken array uses hardcoded string names of command classes. This is brittle and prone to errors if command class names change, requiring manual updates in this array.
  • 🧹 Lack of type safety for API responsessrc/api/user-client.ts:138
    Several functions (e.g., resolveProjectId, resolveBucketId, and the new list-* commands) use any for API response data structures. This reduces type safety and makes the code harder to understand and maintain.
  • Inefficient client-side filtering for list commandssrc/commands/list-buckets.command.ts:67
    The filter option for list commands (e.g., list-buckets, list-bundles) is applied client-side after fetching all results. For large datasets, this can be inefficient and consume unnecessary network bandwidth and memory.
  • 🧹 Generic error message in verifyLoginsrc/command-line/base.command.ts:106
    The verifyLogin function catches any error during authentication and throws a generic 'Failed to authenticate. Invalid token.' This hides the underlying cause of failure, making debugging difficult if the issue is not an invalid token (e.g., network error, API downtime).

@stalliondevx stalliondevx Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 StallionDevX AI Review

Quality Score: █████████░ 85/100

Verdict: request changes

Summary

This pull request introduces a significant refactor of the CLI's user interface and command structure, adding many new commands for listing resources and managing context. The new ui module greatly improves consistency and user experience. The user-client.ts centralizes authentication and context resolution logic, which is a positive architectural change. Key generation output is also improved. Overall, a strong improvement in maintainability and user experience.

⚠️ Warning (7)

  • 🐛 Unsafe default region in resolveOrgContextsrc/api/user-client.ts:98
    If an organization's region cannot be determined, it defaults to 'ap'. This might lead to API calls to the wrong region if the organization is exclusively hosted in a different region and 'ap' is not a valid endpoint for it, potentially causing unexpected errors or failures.
  • 🐛 Invalid 'limit' option handlingsrc/commands/list-buckets.command.ts:40
    The options.limit parameter is directly converted to a number using Number(). If a non-numeric value is provided (e.g., --limit=abc), Number() returns NaN. Sending NaN to the API might cause unexpected server-side behavior or errors.
  • 🐛 Invalid 'limit' option handlingsrc/commands/list-bundles.command.ts:44
    The options.limit parameter is directly converted to a number using Number(). If a non-numeric value is provided (e.g., --limit=abc), Number() returns NaN. Sending NaN to the API might cause unexpected server-side behavior or errors.
  • 🐛 Invalid 'limit' option handlingsrc/commands/list-patches.command.ts:40
    The options.limit parameter is directly converted to a number using Number(). If a non-numeric value is provided (e.g., --limit=abc), Number() returns NaN. Sending NaN to the API might cause unexpected server-side behavior or errors.
  • 🐛 Invalid 'limit' option handlingsrc/commands/list-projects.command.ts:37
    The options.limit parameter is directly converted to a number using Number(). If a non-numeric value is provided (e.g., --limit=abc), Number() returns NaN. Sending NaN to the API might cause unexpected server-side behavior or errors.
  • 🐛 Invalid 'limit' option handlingsrc/commands/list-releases.command.ts:44
    The options.limit parameter is directly converted to a number using Number(). If a non-numeric value is provided (e.g., --limit=abc), Number() returns NaN. Sending NaN to the API might cause unexpected server-side behavior or errors.
  • 🧹 Redundant String() conversion for IDssrc/api/user-client.ts:75
    IDs like o.orgId, p.id, p._id, and b.id are explicitly converted to String(). While harmless, if these values are consistently strings from the API, these conversions are redundant. If they can be numbers, the conversion is appropriate.

Comment thread src/api/user-client.ts
Comment thread src/commands/list-buckets.command.ts
Comment thread src/commands/list-bundles.command.ts
Comment thread src/commands/list-patches.command.ts
Comment thread src/commands/list-projects.command.ts
Comment thread src/commands/list-releases.command.ts
Comment thread src/api/user-client.ts

@stalliondevx stalliondevx Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 StallionDevX AI Review

Quality Score: ████████░░ 80/100

Verdict: request changes

Summary

This pull request introduces a significant overhaul of the CLI's user interface, adopting a branded terminal UI and providing CI-friendly JSON output options. It centralizes context management for organizations, projects, and buckets, and expands the range of available commands for listing resources and managing releases. The refactor to use a dedicated UI module (src/ui) is a major improvement for user experience and consistency. However, there are notable areas for improvement regarding type safety and robust region handling.

⚠️ Warning (5)

  • 🐛 Inconsistent Default Regionsrc/api/user-client.ts:14
    The region is repeatedly defaulted to 'ap' when it cannot be parsed from the CI token or found in the organization data. This might not be a safe universal default and could lead to incorrect API calls for users outside the 'ap' region if the token or context is missing region information.
  • 🧹 Lack of Specific API Response Typessrc/api/user-client.ts:109
    The API client responses frequently use any[] or any for data properties (e.g., client.post<{ data: any[] }>(...)). This reduces type safety, makes it harder to understand the expected data structure, and increases the risk of runtime errors. This issue is present across multiple new list commands and the whoami command.
  • 🧹 Hardcoded Key Modulus Lengthsrc/commands/generate-key-pair.command.ts:34
    The modulusLength for RSA key generation is hardcoded to 2048. While 2048 bits is generally considered secure for RSA, it might be beneficial to make this configurable or ensure it aligns with future security standards without requiring code changes.
  • 🐛 Generic Error Message on Authentication Failuresrc/command-line/base.command.ts:106
    The verifyLogin method catches any error during API verification and re-throws a generic 'Failed to authenticate. Invalid token.' message. This might hide more specific issues (e.g., network errors, server issues) that could be more helpful for debugging.
  • 🧹 Magic String for Platform Optionssrc/api/user-client.ts:170
    The resolvePlatform function uses hardcoded strings 'android' and 'ios' for platform selection. While these are common, using an enum or a constant for these values would improve maintainability and prevent typos.

Comment thread src/api/user-client.ts
Comment thread src/api/user-client.ts
Comment thread src/commands/generate-key-pair.command.ts
Comment thread src/command-line/base.command.ts
Comment thread src/api/user-client.ts

@stalliondevx stalliondevx Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 StallionDevX AI Review

Quality Score: █████████░ 90/100

Verdict: request changes

Summary

This pull request introduces a significant refactoring of the CLI's user interface and adds several new commands for listing resources and managing context. The shift to a dedicated ui module greatly enhances consistency and user experience. The new user-client.ts centralizes API client creation and context resolution, improving maintainability. Overall, the changes are positive, improving both the user experience and the internal architecture.

⚠️ Warning (2)

  • 🐛 Ambiguous region fallback for explicit orgIdsrc/api/user-client.ts:105
    When an orgId is explicitly provided via a flag, if it's not found in the list of organizations returned by fetchOrgs, the region defaults to 'ap'. This might mask an issue where the user provided an invalid orgId or one they don't have access to, leading to a potentially confusing error later when API calls fail due to an incorrect region or non-existent org. It's better to fail early and clearly.
  • 🧹 Hardcoded list for CI token validation bypasssrc/command-line/command.registry.ts:40
    The shouldSkipValidationForCIToken function uses a hardcoded array of command names to determine which commands can bypass interactive user validation when a CI token is provided. As more CI-friendly commands are added, this list will grow and become harder to maintain, increasing the risk of errors or omissions.

@stalliondevx stalliondevx Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 StallionDevX AI Review

Quality Score: ██████████ 98/100

Verdict: approve

Summary

This pull request introduces a significant refactor of the CLI's user interface and adds a suite of new commands for managing organizations, projects, buckets, bundles, and releases. The UI refactor to a new ui module provides a more consistent and branded user experience. Context management for user login and selected organizations/projects has been improved, enhancing usability for multi-org/multi-project environments. The changes are well-structured and improve the overall maintainability and user experience of the CLI.

@general-maximus-decimus general-maximus-decimus changed the title chore: initial commit for new commands feat(cli): read commands, CI automation surface, and branded terminal UI Jul 5, 2026

@stalliondevx stalliondevx Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 StallionDevX AI Review

Quality Score: ██████████ 98/100

Verdict: approve

Summary

This pull request introduces a significant set of new features, focusing on read commands, CI automation, and a branded terminal UI. The changes are well-structured, improve user experience, and enhance the CLI's capabilities for both interactive and automated use. Key improvements include robust context management, a dedicated UI module for consistent output, and critical security advice for key generation. The --ci-token implementation for read commands is a good security practice for automation.

@stalliondevx stalliondevx Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 StallionDevX AI Review

Quality Score: █████████░ 90/100

Verdict: request changes

🔐 Security vulnerabilities detected — review required before merging

Summary

This pull request introduces a significant set of new features, focusing on read commands, CI automation, and a branded terminal UI. The changes are well-structured, improve user experience, and enhance the CLI's capabilities for both interactive and automated use. Key improvements include robust context management, a dedicated UI module for consistent output, and critical security advice for key generation. The --ci-token implementation for read commands is a good security practice for automation. A few minor bugs related to input validation and redundant API calls were identified, along with a suggestion for improved error logging.

⚠️ Warning (4)

  • 🐛 Invalid ID not validated in context resolutionsrc/api/user-client.ts:98
    When an orgId, projectId, or bucketId is provided via a flag, the resolve* functions return it directly without validating if it actually exists in the fetched list of available entities. This can lead to cryptic 'not found' errors later in the command execution if the provided ID is invalid, instead of a clear error message at the resolution step.
  • Redundant API client creation in whoamisrc/commands/whoami.command.ts:24
    The whoami command calls getUserToken() and then createUserApiClient(). createUserApiClient() internally calls getUserToken() again, leading to redundant token retrieval and API client initialization.
  • 🧹 Silent error handling for profile cachingsrc/command-line/base.command.ts:105
    The verifyLogin method silently catches and ignores any errors that occur while attempting to cache the user profile (fullName, email). While the intent is to not fail authentication for a caching issue, silently ignoring errors can hide potential problems with context storage or API response parsing.
  • 🔐 Backend validation of filtered inputs is criticalsrc/commands/list-buckets.command.ts:59
    Several new list commands pass user-supplied filter values (e.g., name, bucketId, platform, bundleVersion) directly to the backend API. It is critical that the corresponding backend endpoints implement robust input validation and sanitization for all filter parameters to prevent potential injection vulnerabilities.

Comment thread src/api/user-client.ts
Comment thread src/commands/whoami.command.ts
Comment thread src/command-line/base.command.ts
Comment thread src/commands/list-buckets.command.ts
@general-maximus-decimus general-maximus-decimus changed the base branch from main to alpha July 6, 2026 14:29
@general-maximus-decimus general-maximus-decimus merged commit 59ac814 into alpha Jul 6, 2026
4 checks passed
@stallion-release-bot

Copy link
Copy Markdown

🎉 This PR is included in version 2.6.0-alpha.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant