feat: interactive approval flow for community extensions

DyanGalih · DyanGalih · commit bae44483f01f · 2026-06-17T09:44:27.000Z
diff --git a/src/specify_cli/__init__.py b/src/specify_cli/__init__.py
@@ -879,7 +879,7 @@ def catalog_add(
     })
 
     config["catalogs"] = catalogs
-    config_path.write_text(yaml.dump(config, default_flow_style=False, sort_keys=False, allow_unicode=True), encoding="utf-8")
+    config_path.write_text(yaml.safe_dump(config, default_flow_style=False, sort_keys=False, allow_unicode=True), encoding="utf-8")
 
     install_label = "install allowed" if install_allowed else "discovery only"
     console.print(f"\n[green]✓[/green] Added catalog '[bold]{name}[/bold]' ({install_label})")
@@ -919,7 +919,7 @@ def catalog_remove(
         raise typer.Exit(1)
 
     config["catalogs"] = catalogs
-    config_path.write_text(yaml.dump(config, default_flow_style=False, sort_keys=False, allow_unicode=True), encoding="utf-8")
+    config_path.write_text(yaml.safe_dump(config, default_flow_style=False, sort_keys=False, allow_unicode=True), encoding="utf-8")
 
     console.print(f"[green]✓[/green] Removed catalog '{name}'")
     if not catalogs:
@@ -987,8 +987,8 @@ def extension_add(
             raise typer.Exit(0)
 
     try:
-        with console.status(f"[cyan]Installing extension: {extension}[/cyan]"):
-            if dev:
+        if dev:
+            with console.status(f"[cyan]Installing extension: {extension}[/cyan]"):
                 # Install from local directory
                 source_path = Path(extension).expanduser().resolve()
                 if not source_path.exists():
@@ -1010,12 +1010,13 @@ def extension_add(
                     force=force
                 )
 
-            elif from_url:
-                # Install from URL (ZIP file)
-                import urllib.error
+        elif from_url:
+            # Install from URL (ZIP file)
+            import urllib.error
 
-                console.print(f"Downloading from {safe_url}...")
+            console.print(f"Downloading from {safe_url}...")
 
+            with console.status(f"[cyan]Installing extension: {extension}[/cyan]"):
                 # Download ZIP to temp location
                 download_dir = project_root / ".specify" / "extensions" / ".cache" / "downloads"
                 download_dir.mkdir(parents=True, exist_ok=True)
@@ -1038,66 +1039,86 @@ def extension_add(
                     if zip_path.exists():
                         zip_path.unlink()
 
-            else:
-                # Try bundled extensions first (shipped with spec-kit)
-                bundled_path = _locate_bundled_extension(extension)
-                if bundled_path is not None:
+        else:
+            # Try bundled extensions first (shipped with spec-kit)
+            bundled_path = _locate_bundled_extension(extension)
+            if bundled_path is not None:
+                with console.status(f"[cyan]Installing extension: {extension}[/cyan]"):
                     manifest = manager.install_from_directory(
                         bundled_path, speckit_version, priority=priority, force=force
                     )
-                else:
-                    # Install from catalog (also resolves display names to IDs)
-                    catalog = ExtensionCatalog(project_root)
+            else:
+                # Install from catalog (also resolves display names to IDs)
+                catalog = ExtensionCatalog(project_root)
 
-                    # Check if extension exists in catalog (supports both ID and display name)
-                    ext_info, catalog_error = _resolve_catalog_extension(extension, catalog, "add")
-                    if catalog_error:
-                        console.print(f"[red]Error:[/red] Could not query extension catalog: {catalog_error}")
-                        raise typer.Exit(1)
-                    if not ext_info:
-                        console.print(f"[red]Error:[/red] Extension '{extension}' not found in catalog")
-                        console.print("\nSearch available extensions:")
-                        console.print("  specify extension search")
-                        raise typer.Exit(1)
+                # Check if extension exists in catalog (supports both ID and display name)
+                ext_info, catalog_error = _resolve_catalog_extension(extension, catalog, "add")
+                if catalog_error:
+                    console.print(f"[red]Error:[/red] Could not query extension catalog: {catalog_error}")
+                    raise typer.Exit(1)
+                if not ext_info:
+                    console.print(f"[red]Error:[/red] Extension '{extension}' not found in catalog")
+                    console.print("\nSearch available extensions:")
+                    console.print("  specify extension search")
+                    raise typer.Exit(1)
 
-                    # If catalog resolved a display name to an ID, check bundled again
-                    resolved_id = ext_info['id']
-                    if resolved_id != extension:
-                        bundled_path = _locate_bundled_extension(resolved_id)
-                        if bundled_path is not None:
+                # If catalog resolved a display name to an ID, check bundled again
+                resolved_id = ext_info['id']
+                if resolved_id != extension:
+                    bundled_path = _locate_bundled_extension(resolved_id)
+                    if bundled_path is not None:
+                        with console.status(f"[cyan]Installing extension: {extension}[/cyan]"):
                             manifest = manager.install_from_directory(
                                 bundled_path, speckit_version, priority=priority, force=force
                             )
 
-                    if bundled_path is None:
-                        # Bundled extensions without a download URL must come from the local package
-                        if ext_info.get("bundled") and not ext_info.get("download_url"):
-                            console.print(
-                                f"[red]Error:[/red] Extension '{ext_info['id']}' is bundled with spec-kit "
-                                f"but could not be found in the installed package."
-                            )
-                            console.print(
-                                "\nThis usually means the spec-kit installation is incomplete or corrupted."
-                            )
-                            console.print("Try reinstalling spec-kit:")
-                            console.print(f"  {REINSTALL_COMMAND}")
-                            raise typer.Exit(1)
-
-                        # Enforce install_allowed policy
-                        if not ext_info.get("_install_allowed", True):
-                            catalog_name = ext_info.get("_catalog_name", "community")
-                            console.print(
-                                f"[red]Error:[/red] '{extension}' is available in the "
-                                f"'{catalog_name}' catalog but installation is not allowed from that catalog."
-                            )
-                            console.print(
-                                f"\nTo enable installation, add '{extension}' to an approved catalog "
-                                f"(install_allowed: true) in .specify/extension-catalogs.yml."
+                if bundled_path is None:
+                    # Bundled extensions without a download URL must come from the local package
+                    if ext_info.get("bundled") and not ext_info.get("download_url"):
+                        console.print(
+                            f"[red]Error:[/red] Extension '{ext_info['id']}' is bundled with spec-kit "
+                            f"but could not be found in the installed package."
+                        )
+                        console.print(
+                            "\nThis usually means the spec-kit installation is incomplete or corrupted."
+                        )
+                        console.print("Try reinstalling spec-kit:")
+                        console.print(f"  {REINSTALL_COMMAND}")
+                        raise typer.Exit(1)
+
+                    # Enforce install_allowed policy
+                    if not ext_info.get("_install_allowed", True):
+                        catalog_name = ext_info.get("_catalog_name", "community")
+                        console.print()
+                        console.print(
+                            Panel(
+                                f"[bold]'{ext_info['name']}' is available in the '{catalog_name}' catalog "
+                                f"but installation is not allowed from that catalog.[/bold]\n\n"
+                                f"Approve installation from '{catalog_name}' for this project?\n"
+                                "This will update .specify/extension-catalogs.yml so future installs "
+                                "from that catalog are allowed.",
+                                title="[bold yellow]Catalog Approval Required[/bold yellow]",
+                                border_style="yellow",
+                                padding=(1, 2),
                             )
-                            raise typer.Exit(1)
+                        )
+                        console.print()
+                        try:
+                            confirm = typer.confirm("Approve catalog and continue?", default=False)
+                        except (typer.Abort, KeyboardInterrupt):
+                            console.print("Cancelled")
+                            raise typer.Exit(0)
+                        if not confirm:
+                            console.print("Cancelled")
+                            raise typer.Exit(0)
+                        approved_catalog = catalog.approve_catalog_install(catalog_name)
+                        console.print(
+                            f"[green]✓[/green] Approved catalog '[bold]{approved_catalog.name}[/bold]' for installation"
+                        )
 
-                        # Download extension ZIP (use resolved ID, not original argument which may be display name)
-                        extension_id = ext_info['id']
+                    # Download extension ZIP (use resolved ID, not original argument which may be display name)
+                    extension_id = ext_info['id']
+                    with console.status(f"[cyan]Installing extension: {ext_info['name']}[/cyan]"):
                         console.print(f"Downloading {ext_info['name']} v{ext_info.get('version', 'unknown')}...")
                         zip_path = catalog.download_extension(extension_id)
 
@@ -1286,8 +1307,9 @@ def extension_search(
             else:
                 console.print(f"\n  [yellow]⚠[/yellow]  Not directly installable from '{catalog_name}'.")
                 console.print(
-                    f"  Add to an approved catalog with install_allowed: true, "
-                    f"or install from a ZIP URL: specify extension add {ext['id']} --from <zip-url>"
+                    f"  Run [cyan]specify extension add {ext['id']}[/cyan] to approve "
+                    f"the catalog and install, or use a ZIP URL: "
+                    f"specify extension add {ext['id']} --from <zip-url>"
                 )
             console.print()
 
@@ -1486,8 +1508,13 @@ def _print_extension_info(ext_info: dict, manager):
         console.print("[yellow]Not installed[/yellow]")
         console.print(
             f"\n[yellow]⚠[/yellow]  '{ext_info['id']}' is available in the '{catalog_name}' catalog "
-            f"but not in your approved catalog. Add it to .specify/extension-catalogs.yml "
-            f"with install_allowed: true to enable installation."
+            f"but installation is not currently allowed from that catalog."
+        )
+        console.print(
+            f"\n[cyan]Install:[/cyan] specify extension add {ext_info['id']}"
+        )
+        console.print(
+            "[dim]You will be prompted to approve the catalog before installation proceeds.[/dim]"
         )
 
 
diff --git a/src/specify_cli/__main__.py b/src/specify_cli/__main__.py
@@ -0,0 +1,5 @@
+import sys
+from specify_cli import main
+
+if __name__ == "__main__":
+    sys.exit(main())
diff --git a/src/specify_cli/extensions.py b/src/specify_cli/extensions.py
@@ -1275,7 +1275,7 @@ def check_compatibility(
         # Parse version specifier (e.g., ">=0.1.0,<2.0.0")
         try:
             specifier = SpecifierSet(required)
-            if current not in specifier:
+            if not specifier.contains(current, prereleases=True):
                 raise CompatibilityError(
                     f"Extension requires spec-kit {required}, "
                     f"but {speckit_version} is installed.\n"
@@ -2100,6 +2100,63 @@ def get_active_catalogs(self) -> List[CatalogEntry]:
             ),
         ]
 
+    def _catalog_entry_to_dict(self, entry: CatalogEntry) -> Dict[str, Any]:
+        """Serialize a catalog entry back to YAML config shape."""
+        return {
+            "name": entry.name,
+            "url": entry.url,
+            "priority": entry.priority,
+            "install_allowed": entry.install_allowed,
+            "description": entry.description,
+        }
+
+    def approve_catalog_install(self, catalog_name: str) -> CatalogEntry:
+        """Persist install permission for a catalog while preserving the stack."""
+        active_catalogs = self.get_active_catalogs()
+        updated_catalogs: List[Dict[str, Any]] = []
+        approved_entry: Optional[CatalogEntry] = None
+
+        for entry in active_catalogs:
+            if entry.name == catalog_name:
+                entry = self._entry(
+                    url=entry.url,
+                    name=entry.name,
+                    priority=entry.priority,
+                    install_allowed=True,
+                    description=entry.description,
+                )
+                approved_entry = entry
+            updated_catalogs.append(self._catalog_entry_to_dict(entry))
+
+        if approved_entry is None:
+            raise ValidationError(
+                f"Catalog '{catalog_name}' is not active and cannot be approved"
+            )
+
+        project_root = self.project_root.resolve()
+        config_path = self.project_root / ".specify" / self.CONFIG_FILENAME
+        resolved_parent = config_path.parent.resolve()
+        if not resolved_parent.is_relative_to(project_root):
+            raise ValidationError(
+                "Refusing to write catalog config outside the project root"
+            )
+        if config_path.exists() and config_path.is_symlink():
+            raise ValidationError(
+                f"Refusing to write catalog config via symlink: {config_path}"
+            )
+
+        config_path.parent.mkdir(parents=True, exist_ok=True)
+        config_path.write_text(
+            yaml.safe_dump(
+                {"catalogs": updated_catalogs},
+                default_flow_style=False,
+                sort_keys=False,
+                allow_unicode=True,
+            ),
+            encoding="utf-8",
+        )
+        return approved_entry
+
     def get_catalog_url(self) -> str:
         """Get the primary catalog URL.
 
diff --git a/tests/test_extensions.py b/tests/test_extensions.py
