feat(cli): read commands, CI automation surface, and branded terminal UI#46
Conversation
There was a problem hiding this comment.
🤖 StallionDevX AI Review
Quality Score: ██████████ 95/100
Verdict: approve
Summary
This pull request introduces a significant set of new commands for listing resources (organizations, projects, buckets, bundles, releases) and managing CLI context. It also includes a major overhaul of the command-line interface's branding and user experience, moving to a new UI module and @inquirer/prompts. The architectural changes, particularly the user-client.ts module, centralize logic for resolving context and making authenticated API calls, which is a good improvement for maintainability. Overall, the changes are well-structured and enhance the CLI's functionality and usability.
⚠️ Warning (2)
- 🧹 Untyped API Response Data —
src/api/user-client.ts:129
The API responses forENDPOINTS.PROJECT.LISTandENDPOINTS.BUCKET.LISTare typed asany[]. This reduces type safety and makes the code harder to maintain and refactor, as the structure ofpandbobjects is inferred at runtime. - 🧹 Hardcoded Default Region 'ap' —
src/api/user-client.ts:13
The default region 'ap' is hardcoded as a fallback when parsing the CI token region or retrieving it from the context. While 'ap' might be the primary region, hardcoding it could lead to issues if the CLI is used in environments where 'ap' is not the default or if a token/context genuinely lacks region information and a different default is expected.
There was a problem hiding this comment.
🤖 StallionDevX AI Review
Quality Score: ██████████ 95/100
Verdict: approve
Summary
This pull request introduces a significant refactor of the CLI's user interface, replacing inquirer with @inquirer/prompts and centralizing all UI logic into a new src/ui module. This greatly improves consistency, branding, and maintainability. Several new commands (list-projects, list-buckets, list-bundles, list-releases, release-info, use, context, whoami) are added, expanding the CLI's functionality. A new user-client.ts centralizes API client creation and context resolution, enhancing code organization. The generate-secret-key command was removed and its functionality merged into generate-key-pair, which now uses the new UI for clearer output and security warnings. Overall, this is a well-structured and impactful update.
⚠️ Warning (4)
- 🧹 Specific pnpm version in packageManager —
package.json:16
ThepackageManagerfield specifies a very precise version of pnpm (pnpm@10.11.0). While this ensures strict dependency management, it might require apackage.jsonupdate for minor pnpm version bumps, which could be cumbersome. - 🧹 Error message could be more actionable —
src/api/user-client.ts:164
The error message 'No projects found in this organization.' is clear, but could be more helpful by suggesting next steps to the user, such as how to create a project. - 🧹 Error message could be more actionable —
src/api/user-client.ts:185
Similar to project resolution, the error message 'No buckets found in this project.' could be more helpful by suggesting next steps to the user. - 🎨 Date format for user display —
src/commands/generate-key-pair.command.ts:45
UsingtoISOString()provides a precise, machine-readable date. For user-facing output, a more human-friendly local date/time format might improve readability.
…nteractive validation)
There was a problem hiding this comment.
🤖 StallionDevX AI Review
Quality Score: ███████░░░ 65/100
Verdict: request changes
🔐 Security vulnerabilities detected — review required before merging
Summary
This pull request introduces a significant number of new CLI commands and a new, branded terminal UI, which greatly enhances the user experience and functionality. The refactoring of prompt libraries and error reporting to use the new UI module is a positive step for maintainability and consistency. However, there are critical security and usability concerns related to regular expression handling and interactive prompts in non-interactive environments that need to be addressed before merging.
🚨 Critical (2)
- 🔐 Regular Expression Denial of Service (ReDoS) Vulnerability —
src/ui/format.ts:10
ThefilterAndLimitfunction constructs a regular expression directly from user input (--filteroption) without proper escaping or validation. A malicious or complex regex pattern can consume excessive CPU resources, leading to a denial of service. - 🐛 Commands can hang in non-interactive environments —
src/api/user-client.ts:95
Functions likeresolveOrgContext,resolveProjectId,resolveBucketId, andresolvePlatformuse interactive prompts (promptSelect) to gather missing information. If these commands are executed in a non-interactive environment (e.g., CI/CD pipeline) without all required options provided via flags, the process will hang indefinitely, waiting for user input.
⚠️ Warning (1)
- 🧹 Inconsistent error handling in key generation —
src/commands/generate-key-pair.command.ts:60
Theexecutemethod catches errors during key generation but only logs them to the console. It does not re-throw the error or ensure the process exits with a non-zero status code, which means the command might appear to succeed to a calling script even if it failed.
There was a problem hiding this comment.
🤖 StallionDevX AI Review
Quality Score: █████████░ 85/100
Verdict: request changes
Summary
This pull request introduces a significant overhaul of the CLI's user interface, migrating to a structured ui module with @inquirer/prompts for interactive input and consistent formatting. It adds a comprehensive suite of new commands for listing resources (list-projects, list-buckets, list-bundles, list-releases, list-patches), context management (context, use), and user information (whoami). The generate-secret-key command has been removed, and generate-key-pair was refactored to use the new UI. Support for --ci-token has been extended to many read-only commands. Overall, these changes greatly enhance the CLI's functionality, user experience, and maintainability.
⚠️ Warning (5)
- 🐛 Ambiguous CI token region fallback —
src/api/user-client.ts:16
If the CI token does not contain valid region information, the API client defaults to 'ap'. This could lead to API requests being sent to the wrong regional endpoint, resulting in errors or increased latency. - 🧹 Brittle CI token support check —
src/command-line/command.registry.ts:40
ThesupportsCITokenarray uses hardcoded string names of command classes. This is brittle and prone to errors if command class names change, requiring manual updates in this array. - 🧹 Lack of type safety for API responses —
src/api/user-client.ts:138
Several functions (e.g.,resolveProjectId,resolveBucketId, and the newlist-*commands) useanyfor API response data structures. This reduces type safety and makes the code harder to understand and maintain. - ⚡ Inefficient client-side filtering for list commands —
src/commands/list-buckets.command.ts:67
Thefilteroption for list commands (e.g.,list-buckets,list-bundles) is applied client-side after fetching all results. For large datasets, this can be inefficient and consume unnecessary network bandwidth and memory. - 🧹 Generic error message in
verifyLogin—src/command-line/base.command.ts:106
TheverifyLoginfunction catches any error during authentication and throws a generic 'Failed to authenticate. Invalid token.' This hides the underlying cause of failure, making debugging difficult if the issue is not an invalid token (e.g., network error, API downtime).
There was a problem hiding this comment.
🤖 StallionDevX AI Review
Quality Score: █████████░ 85/100
Verdict: request changes
Summary
This pull request introduces a significant refactor of the CLI's user interface and command structure, adding many new commands for listing resources and managing context. The new ui module greatly improves consistency and user experience. The user-client.ts centralizes authentication and context resolution logic, which is a positive architectural change. Key generation output is also improved. Overall, a strong improvement in maintainability and user experience.
⚠️ Warning (7)
- 🐛 Unsafe default region in resolveOrgContext —
src/api/user-client.ts:98
If an organization's region cannot be determined, it defaults to 'ap'. This might lead to API calls to the wrong region if the organization is exclusively hosted in a different region and 'ap' is not a valid endpoint for it, potentially causing unexpected errors or failures. - 🐛 Invalid 'limit' option handling —
src/commands/list-buckets.command.ts:40
Theoptions.limitparameter is directly converted to a number usingNumber(). If a non-numeric value is provided (e.g.,--limit=abc),Number()returnsNaN. SendingNaNto the API might cause unexpected server-side behavior or errors. - 🐛 Invalid 'limit' option handling —
src/commands/list-bundles.command.ts:44
Theoptions.limitparameter is directly converted to a number usingNumber(). If a non-numeric value is provided (e.g.,--limit=abc),Number()returnsNaN. SendingNaNto the API might cause unexpected server-side behavior or errors. - 🐛 Invalid 'limit' option handling —
src/commands/list-patches.command.ts:40
Theoptions.limitparameter is directly converted to a number usingNumber(). If a non-numeric value is provided (e.g.,--limit=abc),Number()returnsNaN. SendingNaNto the API might cause unexpected server-side behavior or errors. - 🐛 Invalid 'limit' option handling —
src/commands/list-projects.command.ts:37
Theoptions.limitparameter is directly converted to a number usingNumber(). If a non-numeric value is provided (e.g.,--limit=abc),Number()returnsNaN. SendingNaNto the API might cause unexpected server-side behavior or errors. - 🐛 Invalid 'limit' option handling —
src/commands/list-releases.command.ts:44
Theoptions.limitparameter is directly converted to a number usingNumber(). If a non-numeric value is provided (e.g.,--limit=abc),Number()returnsNaN. SendingNaNto the API might cause unexpected server-side behavior or errors. - 🧹 Redundant String() conversion for IDs —
src/api/user-client.ts:75
IDs likeo.orgId,p.id,p._id, andb.idare explicitly converted toString(). While harmless, if these values are consistently strings from the API, these conversions are redundant. If they can be numbers, the conversion is appropriate.
There was a problem hiding this comment.
🤖 StallionDevX AI Review
Quality Score: ████████░░ 80/100
Verdict: request changes
Summary
This pull request introduces a significant overhaul of the CLI's user interface, adopting a branded terminal UI and providing CI-friendly JSON output options. It centralizes context management for organizations, projects, and buckets, and expands the range of available commands for listing resources and managing releases. The refactor to use a dedicated UI module (src/ui) is a major improvement for user experience and consistency. However, there are notable areas for improvement regarding type safety and robust region handling.
⚠️ Warning (5)
- 🐛 Inconsistent Default Region —
src/api/user-client.ts:14
The region is repeatedly defaulted to 'ap' when it cannot be parsed from the CI token or found in the organization data. This might not be a safe universal default and could lead to incorrect API calls for users outside the 'ap' region if the token or context is missing region information. - 🧹 Lack of Specific API Response Types —
src/api/user-client.ts:109
The API client responses frequently useany[]oranyfordataproperties (e.g.,client.post<{ data: any[] }>(...)). This reduces type safety, makes it harder to understand the expected data structure, and increases the risk of runtime errors. This issue is present across multiple new list commands and thewhoamicommand. - 🧹 Hardcoded Key Modulus Length —
src/commands/generate-key-pair.command.ts:34
ThemodulusLengthfor RSA key generation is hardcoded to 2048. While 2048 bits is generally considered secure for RSA, it might be beneficial to make this configurable or ensure it aligns with future security standards without requiring code changes. - 🐛 Generic Error Message on Authentication Failure —
src/command-line/base.command.ts:106
TheverifyLoginmethod catches any error during API verification and re-throws a generic 'Failed to authenticate. Invalid token.' message. This might hide more specific issues (e.g., network errors, server issues) that could be more helpful for debugging. - 🧹 Magic String for Platform Options —
src/api/user-client.ts:170
TheresolvePlatformfunction uses hardcoded strings 'android' and 'ios' for platform selection. While these are common, using an enum or a constant for these values would improve maintainability and prevent typos.
There was a problem hiding this comment.
🤖 StallionDevX AI Review
Quality Score: █████████░ 90/100
Verdict: request changes
Summary
This pull request introduces a significant refactoring of the CLI's user interface and adds several new commands for listing resources and managing context. The shift to a dedicated ui module greatly enhances consistency and user experience. The new user-client.ts centralizes API client creation and context resolution, improving maintainability. Overall, the changes are positive, improving both the user experience and the internal architecture.
⚠️ Warning (2)
- 🐛 Ambiguous region fallback for explicit orgId —
src/api/user-client.ts:105
When anorgIdis explicitly provided via a flag, if it's not found in the list of organizations returned byfetchOrgs, the region defaults to 'ap'. This might mask an issue where the user provided an invalidorgIdor one they don't have access to, leading to a potentially confusing error later when API calls fail due to an incorrect region or non-existent org. It's better to fail early and clearly. - 🧹 Hardcoded list for CI token validation bypass —
src/command-line/command.registry.ts:40
TheshouldSkipValidationForCITokenfunction uses a hardcoded array of command names to determine which commands can bypass interactive user validation when a CI token is provided. As more CI-friendly commands are added, this list will grow and become harder to maintain, increasing the risk of errors or omissions.
There was a problem hiding this comment.
🤖 StallionDevX AI Review
Quality Score: ██████████ 98/100
Verdict: approve
Summary
This pull request introduces a significant refactor of the CLI's user interface and adds a suite of new commands for managing organizations, projects, buckets, bundles, and releases. The UI refactor to a new ui module provides a more consistent and branded user experience. Context management for user login and selected organizations/projects has been improved, enhancing usability for multi-org/multi-project environments. The changes are well-structured and improve the overall maintainability and user experience of the CLI.
There was a problem hiding this comment.
🤖 StallionDevX AI Review
Quality Score: ██████████ 98/100
Verdict: approve
Summary
This pull request introduces a significant set of new features, focusing on read commands, CI automation, and a branded terminal UI. The changes are well-structured, improve user experience, and enhance the CLI's capabilities for both interactive and automated use. Key improvements include robust context management, a dedicated UI module for consistent output, and critical security advice for key generation. The --ci-token implementation for read commands is a good security practice for automation.
…release.29.06.2026.stallion-cli-commands
There was a problem hiding this comment.
🤖 StallionDevX AI Review
Quality Score: █████████░ 90/100
Verdict: request changes
🔐 Security vulnerabilities detected — review required before merging
Summary
This pull request introduces a significant set of new features, focusing on read commands, CI automation, and a branded terminal UI. The changes are well-structured, improve user experience, and enhance the CLI's capabilities for both interactive and automated use. Key improvements include robust context management, a dedicated UI module for consistent output, and critical security advice for key generation. The --ci-token implementation for read commands is a good security practice for automation. A few minor bugs related to input validation and redundant API calls were identified, along with a suggestion for improved error logging.
⚠️ Warning (4)
- 🐛 Invalid ID not validated in context resolution —
src/api/user-client.ts:98
When anorgId,projectId, orbucketIdis provided via a flag, theresolve*functions return it directly without validating if it actually exists in the fetched list of available entities. This can lead to cryptic 'not found' errors later in the command execution if the provided ID is invalid, instead of a clear error message at the resolution step. - ⚡ Redundant API client creation in
whoami—src/commands/whoami.command.ts:24
Thewhoamicommand callsgetUserToken()and thencreateUserApiClient().createUserApiClient()internally callsgetUserToken()again, leading to redundant token retrieval and API client initialization. - 🧹 Silent error handling for profile caching —
src/command-line/base.command.ts:105
TheverifyLoginmethod silently catches and ignores any errors that occur while attempting to cache the user profile (fullName,email). While the intent is to not fail authentication for a caching issue, silently ignoring errors can hide potential problems with context storage or API response parsing. - 🔐 Backend validation of filtered inputs is critical —
src/commands/list-buckets.command.ts:59
Several new list commands pass user-supplied filter values (e.g.,name,bucketId,platform,bundleVersion) directly to the backend API. It is critical that the corresponding backend endpoints implement robust input validation and sanitization for all filter parameters to prevent potential injection vulnerabilities.
|
🎉 This PR is included in version 2.6.0-alpha.2 🎉 The release is available on: Your semantic-release bot 📦🚀 |
New commands
list-projects,list-buckets,list-bundles,list-releases,release-info,list-patches: read the full org → project → bucket → bundle → release → patch hierarchy from the terminaluse/context: save a default org+project and inspect or clear itwhoami: profile, organizations, and the active context at a glanceCI automation
--ci-tokenon all read commands: fully non-interactive, project-scoped auth for pipelines (no stored login needed); region is derived from the token itself--jsonon every read and onpublish-bundle: stdout carries exactly one parseable JSON document (spinners/diagnostics go to stderr), failures emit{"error": ...}with a non-zero exit —$(... | jq)is safe by constructionpublish-bundlewaits until the uploaded bundle is queryable before returning, so a follow-uprelease-bundlecannot race into "bundle not found"Filtering & output
--limiton list commands (default 15, max 30),--namefilter for buckets,--bucket/--bucket-id+--platformfilters for bundleslist-bundlesshows the full sha256 hash (wraps on narrow terminals) and the release note;release-inforenders rollout, status, and adoption metricsSummary
This pull request introduces a significant set of new features, focusing on read commands, CI automation, and a branded terminal UI. The changes are well-structured, improve user experience, and enhance the CLI's capabilities for both interactive and automated use. Key improvements include robust context management, a dedicated UI module for consistent output, and critical security advice for key generation. The
--ci-tokenimplementation for read commands is a good security practice for automation.Generated by StallionDevX