
🩺 Audit fixes: CLI contracts, config safety, CI consolidation, docs & release status#4

Merged
Labault merged 23 commits into main from codex/audit-improvements on Jun 17, 2026

Conversation

@Labault Labault (Owner) commented Jun 17, 2026

Independent senior-level audit of the repository, implemented as atomic commits (gitmoji + conventional commits). Each change ships with tests and/or CI guards; npm test, pre-commit run --all-files and commitlint pass across the whole branch.

P0 — CLI contracts & side effects

  • mac setup --help / mac doctor --help now print usage instead of erroring / silently running diagnostics.
  • mac doctor exits non-zero when a required tool is missing (CI/automation friendly).
  • mac setup writes its log to ~/Library/Logs/mac-dev-setup instead of polluting the current directory.

P1 — Config / uninstall / profiles

  • Git init.defaultBranch now comes solely from the managed include (no intrusive global write).
  • Setup no longer regenerates the versioned zsh completion inside the install tree.
  • uninstall --remove-config covers all 7 managed files (was 3), using the existing identical-only guard.
  • Profiles are validated dynamically (no more hard-coded full|minimal); safe-charset check prevents path traversal.

P2 — CI & commit quality

  • Commit linting uses commitlint over the PR/push range (drops the divergent check-commit.sh that broke Dependabot's ⬆️ prefix and existing 🚀/♻️ history).
  • Three overlapping macOS workflows collapsed into one gate; hardening runs once instead of three times; triggers restricted to PRs and main.
  • Hardening denylist scoped to the profile Brewfiles (no false positives from the global brew list), with the orbctl check folded in.
  • Post-install zsh completion check is now non-fatal.

P3 — Version / docs

  • Tool-doc Brewfile edit instructions point at the editable profiles/full/Brewfile.
  • CI rejects committed local artifacts (.DS_Store, logs/, *.log).
  • @gitmoji/gitmoji-regex declared as a direct dependency.
  • Release status reconciled to a pre-1.0 state (0.5.0): the entire mac CLI was actually unreleased (tags stop at v0.4.1), and the old changelog "1.0.0" entry really described 0.2.0. Changelog rebuilt honestly with the missing 0.2.0/0.4.1 sections; 1.0.0 criteria re-opened as targets.

F2 — Documentation deduplication

  • Removed the repeated generic brew bundle install block and boilerplate per-tool Updates sections from 19 tool docs, pointing to the canonical docs/homebrew/homebrew.md while keeping tool-specific content (−175 lines net).

Labault and others added 23 commits June 17, 2026 18:15
mac setup --help / -h previously failed with "Unknown option" because
the command wrapper did not recognise the help flags, while
scripts/setup.sh --help worked. Add the missing case so the CLI contract
is consistent, and cover it in the smoke tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
mac doctor ignored all arguments, so mac doctor --help actually ran the
full diagnostic (including brew doctor) instead of printing usage. Parse
arguments and expose a read-only --help/-h flag, rejecting unknown
options. Covered by the CLI smoke tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
mac doctor printed "brew missing" or "mac CLI missing" but always ended
with "Doctor done" and exit 0, which is misleading for CI and automation.
Track required-tool failures and return a non-zero status while keeping
brew warnings non-fatal. A stubbed-PATH smoke test covers the failure
path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
scripts/setup.sh created ./logs/setup.log relative to the current
directory, so running "mac setup" from another project polluted that
project with a logs/ folder. Write to a user-level location
($HOME/Library/Logs/mac-dev-setup by default, overridable via
MAC_DEV_SETUP_LOG_DIR) and assert the absence of CWD pollution in tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
git.sh wrote init.defaultBranch directly into the global git config,
outside the managed include.path. The same setting already lives in
configs/git/.gitconfig, so the direct write was both redundant and an
intrusive change to the user's global config. Drop it and let the
include be the single source of truth.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
zsh.sh regenerated configs/zsh/completions/_mac on every "mac setup",
mutating a versioned file inside the installed checkout (which breaks on
read-only or otherwise pinned installs). The completion is already
generated and committed during development and verified up to date in
CI, so setup now installs the committed file as-is.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The README documents seven MacDevSetup-managed files, but
--remove-config only handled the git include, alias.sh and the zsh
completion. Extend remove_config to the managed zsh dotfiles
(.zprofile, .zshrc, .zsh_plugins.txt, .p10k.zsh) using the existing
remove_if_identical guard, so files are removed only when they match the
versioned copy and left untouched (with a warning) otherwise. Covered by
a dry-run smoke test against a temporary HOME.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
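A shell sketch of the identical-only guard this commit extends, added here as an example and not the project's own code. It assumes a constructed throwaway HOME and versioned tree (`HOME_DIR`, `VERSIONED`, `DRY_RUN` are names chosen for the example; `remove_if_identical` and `remove_config` are the names the commit message uses):

```shell
#!/bin/sh
# Constructed sandbox: a throwaway HOME and a fake versioned configs/zsh tree
# (neither the user's real HOME nor the repository's real files).
SANDBOX="$(mktemp -d)"
HOME_DIR="$SANDBOX/home"
VERSIONED="$SANDBOX/configs/zsh"
mkdir -p "$HOME_DIR" "$VERSIONED"
printf 'export EDITOR=vim\n' > "$VERSIONED/.zshrc"
cp "$VERSIONED/.zshrc" "$HOME_DIR/.zshrc"                     # identical: may be removed
printf 'source ~/.zsh/plugins.zsh\n' > "$VERSIONED/.zprofile"
printf 'source ~/.zsh/plugins.zsh\nexport GOPATH=~/go\n' > "$HOME_DIR/.zprofile"  # user-edited: keep
printf 'romkatv/powerlevel10k\n' > "$VERSIONED/.zsh_plugins.txt" # never installed into HOME

DRY_RUN="${DRY_RUN:-0}"

# Remove $1 only when it is byte-identical to the versioned copy $2.
# Returns 0 when removed, would be removed (dry run) or absent; 2 when it
# differs and is therefore left untouched with a warning.
remove_if_identical() {
  target="$1"; reference="$2"
  [ -e "$target" ] || return 0
  if cmp -s "$target" "$reference"; then
    if [ "$DRY_RUN" = 1 ]; then echo "would remove $target"; else rm -f "$target" && echo "removed $target"; fi
    return 0
  fi
  echo "warning: $target differs from $reference; left untouched" >&2
  return 2
}

# Every managed zsh dotfile goes through the same guard; the worst status wins.
remove_config() {
  rc=0
  for f in .zprofile .zshrc .zsh_plugins.txt .p10k.zsh; do
    remove_if_identical "$HOME_DIR/$f" "$VERSIONED/$f" || rc=$?
  done
  return "$rc"
}

remove_config; echo "exit status: $? (2 = at least one file was kept)"
```

A missing reference copy also fails `cmp`, so the guard errs on the side of keeping the user's file.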
profile_list discovers profiles by scanning profiles/, but
profile_name_is_valid hard-coded "full|minimal", so any newly added
profile directory was listed yet rejected by validation. Validate names
against a safe charset (which also prevents path traversal) and let
profile_exists decide availability. Usage strings now use a generic
<profile> placeholder alongside the dynamic profile list.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
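A shell sketch of the validation scheme this commit describes, added as an example and not the project's own code: a `case` charset check rejects anything that could leave the profiles directory, and `profile_exists` decides availability by looking at a constructed temporary `PROFILES_DIR` instead of a hard-coded `full|minimal` (`usage` and `PROFILES_DIR` are names chosen for the example; the other function names are the commit's):

```shell
#!/bin/sh
# Constructed sandbox standing in for the repository's profiles/ tree (not the real one).
PROFILES_DIR="$(mktemp -d)"
for p in full minimal experimental; do
  mkdir -p "$PROFILES_DIR/$p" && : > "$PROFILES_DIR/$p/Brewfile"
done

# Accept only [A-Za-z0-9_-]: no slash, dot, space or empty name, so a profile
# name can never resolve outside PROFILES_DIR (e.g. "../outside", "full/../../x").
profile_name_is_valid() {
  case "$1" in
    "")               return 1 ;;
    *[!A-Za-z0-9_-]*) return 1 ;;
    *)                return 0 ;;
  esac
}

# Availability comes from the filesystem, not from a literal list of names.
profile_exists() {
  profile_name_is_valid "$1" && [ -f "$PROFILES_DIR/$1/Brewfile" ]
}

# Discover profiles by scanning, filtered by the same rule so nothing is listed
# that validation would later reject.
profile_list() {
  for dir in "$PROFILES_DIR"/*/; do
    name="$(basename "$dir")"
    [ -f "$dir/Brewfile" ] && profile_name_is_valid "$name" && echo "$name"
  done
  return 0
}

# Usage string built from the dynamic list instead of a hard-coded choice.
usage() {
  echo "usage: mac setup <profile>   (available: $(profile_list | tr '\n' ' '))"
}

usage
for candidate in full experimental "../outside" "full/../minimal" ""; do
  if profile_exists "$candidate"; then echo "accepted: '$candidate'"
  else echo "rejected: '$candidate'"; fi
done
```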
scripts/check-commit.sh hard-coded only five gitmoji and checked just the
last commit, so it diverged from the commitlint config used by the local
commit-msg hook and the Makefile, and would have rejected valid history
(emoji such as the refactor/bump gitmoji, including Dependabot's prefix).
Replace it with commitlint over the full PR/push range, reusing the same
shared config as the local hook, and drop the redundant script.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Three macOS workflows overlapped: brewfile.yml installed the full profile
and ran hardening twice (once via verify.sh, once directly), hardening.yml
ran hardening a third time, and ci-macos.yml installed the full profile
again. All three also triggered on every branch push.

Collapse them into one macOS workflow that caches Homebrew, installs the
full profile, applies setup once, and runs verify.sh (which already runs
the hardening layer). Trigger only on pull_request and pushes to main to
stop burning macOS minutes on every feature-branch push.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
hardening.sh grepped the machine's global `brew list`, so any developer
machine that legitimately had one of the denied tools (e.g. direnv) would
fail the gate. Scan the declared profile Brewfiles instead — the contract
this repository actually owns — document the rationale, and fold the
orbctl check (previously duplicated in verify.sh) into the single
denylist. Brew doctor/outdated stay informational and only run when brew
is available.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
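A shell sketch of the re-scoped gate, added as an example and not the project's own hardening.sh: only entries the profile Brewfiles actually declare are matched against the denylist, so a tool merely present on a developer's machine (or mentioned in a comment) cannot trip it. The Brewfiles, the `DENYLIST` contents (direnv and orbctl, both named in this PR) and the function names `denied_entries` / `hardening_gate` are constructed for the example:

```shell
#!/bin/sh
# Constructed profile Brewfiles in a temp dir (not the repository's real profiles/).
PROFILES="$(mktemp -d)"
mkdir -p "$PROFILES/full" "$PROFILES/minimal"
cat > "$PROFILES/full/Brewfile" <<'EOF'
tap "homebrew/cask"
brew "git"
brew "jq", link: true
cask "orbstack"
# brew "direnv"    <- commented out: must not count as declared
EOF
cat > "$PROFILES/minimal/Brewfile" <<'EOF'
brew "git"
brew "direnv"
EOF

# Assumed denylist (constructed): direnv, plus the orbctl check folded in as in the PR.
DENYLIST="direnv orbctl"

# Emit "<profile>:<name>" for each denied entry a Brewfile declares.
# Only real brew/cask/mas lines count, never the host's `brew list`.
denied_entries() {
  for bf in "$1"/*/Brewfile; do
    [ -f "$bf" ] || continue
    profile="$(basename "$(dirname "$bf")")"
    sed -nE 's/^[[:space:]]*(brew|cask|mas)[[:space:]]+"([^"]+)".*/\2/p' "$bf" |
      while read -r name; do
        for denied in $DENYLIST; do
          if [ "$name" = "$denied" ]; then echo "$profile:$name"; fi
        done
      done
  done
  return 0
}

# The gate fails (non-zero) only when a profile declares a denied tool.
hardening_gate() {
  hits="$(denied_entries "$1")"
  if [ -n "$hits" ]; then
    printf 'hardening: denied tools declared in profiles:\n%s\n' "$hits" >&2
    return 1
  fi
  echo "hardening: no denied tools declared"
}

hardening_gate "$PROFILES"; echo "exit status: $?"
```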
The post-install check ran `exit 1` if the mac completion was not already
registered in a freshly spawned shell. On customised shells, or before
compinit has picked up ~/.zsh/completions, this made an otherwise
successful "mac setup" report failure. Downgrade it to a warning; the
completion loads in a new shell session.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Tool docs told readers to add/remove entries "in/from the root Brewfile",
but the root Brewfile is only a compatibility symlink; the editable source
is profiles/full/Brewfile (as homebrew.md and the architecture docs
already state). Update the boilerplate across the tool docs to reference
the real source, leaving the legitimate descriptions of the compatibility
symlink untouched.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add a guard that fails the quality job if known local artifacts
(.DS_Store, a logs/ directory, or *.log files) are ever tracked. These
are gitignored today, but the check makes the boundary explicit so a
forced add cannot slip generated state into the repository.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
commitlint.config.cjs requires @gitmoji/gitmoji-regex directly, but it was
only present as a transitive dependency of commitlint-config-gitmoji, so a
dedupe or upstream change could break commit linting. Declare it
explicitly in devDependencies.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The package declared 1.0.0 and the changelog had a dated 1.0.0 section,
but no v1.0.0 tag exists (tags stop at v0.4.1) and the entire modular mac
CLI is in fact unreleased; the old "1.0.0" entry actually described the
0.2.0 work. Move the package to 0.5.0, rebuild the changelog honestly
(Unreleased holds the CLI and audit fixes; fill in the missing 0.2.0 and
0.4.1 sections from history), and uncheck the 1.0.0 version criteria that
are no longer true so they read as targets again.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Every tool page repeated the same generic "brew bundle --file=Brewfile"
install block and a per-tool "Updates" section that only ran
"brew upgrade <tool>", both already documented canonically in
docs/homebrew/homebrew.md. Replace the generic install block with a
pointer to the Homebrew setup doc and drop the boilerplate Updates
sections, while preserving tool-specific content (direct install, verify
commands, and data-safety notes such as OrbStack's runtime checks).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Labault Labault merged commit dad4e84 into main Jun 17, 2026
2 checks passed
@Labault Labault deleted the codex/audit-improvements branch June 17, 2026 17:08
Labault added a commit that referenced this pull request Jun 18, 2026
🩺 Audit fixes: CLI contracts, config safety, CI consolidation, docs & release status
Labault added a commit that referenced this pull request Jun 21, 2026
🩺 Audit fixes: CLI contracts, config safety, CI consolidation, docs & release status
Labault added a commit that referenced this pull request Jun 22, 2026
🩺 Audit fixes: CLI contracts, config safety, CI consolidation, docs & release status