feat: add output formatting, MCP tools, tests, and security fixes #123
Merged: tim-thacker-nullify merged 2 commits into feat/distribution-overhaul on Feb 24, 2026
…rity fixes

- Add output formatting package (json/yaml/table) with --output flag support
- Update code generator to use output.Print() for all 326 generated commands
- Add composite MCP tools: get_security_posture_summary, get_findings_for_repo
- Add triage tools for SCA, secrets, and DAST findings
- Add --repo flag to MCP serve with git remote auto-detection
- Add unit tests for auth, MCP server helpers, output formatters, API client
- Fix: config file permissions changed from 0644 to 0600
- Fix: add HTTP status code check in device token polling
- Fix: show manual URL message when browser can't be opened
- Fix: remove token value from debug log output

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: replace device code polling with localhost callback auth

  Rewrite login flow: CLI starts a localhost HTTP server, opens browser to Cognito, receives callback with session ID, fetches tokens from backend. No more code confirmation or polling delay.

  - Replace DeviceFlowLogin() with Login() using localhost callback
  - Use http.NewRequestWithContext for proper context propagation
  - Add tracer spans to all auth functions
  - Simplify get_token.go to delegate to auth.GetValidToken()

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: harden login with CSRF check, duplicate guard, and ctx cancellation

  - Verify received session_id matches expected one (CSRF protection)
  - Use sync.Once to guard against duplicate callback invocations
  - Add ctx.Done() case to select for proper Ctrl+C cancellation
  - Improve success HTML with checkmark SVG
  - Create session before starting server to have expected session ID

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix duplicate callback handling: serve success page on repeated requests

  Previously, a second callback to the CLI localhost server after sync.Once would return an empty response. Now it returns the success HTML page.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add signal handling for graceful Ctrl+C during login

  Wrap login context with signal.NotifyContext so Ctrl+C triggers the ctx.Done() select case, printing "authentication cancelled" cleanly instead of an abrupt process termination.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix go.mod: run go mod tidy to sync dependencies

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Migrate CLI from go-arg to cobra and clean up struct tags

  - Replace go-arg-based main.go with cobra command structure
  - Remove go-arg struct tags from DAST and auth models
  - Add HTTP client timeout to NullifyClient
  - Add generate-api Makefile target

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix Makefile build target for cobra package structure

  Change ./cmd/cli/... to ./cmd/cli since the cobra cmd subpackage is not a separate binary target.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix lint errors: errcheck and gofmt issues

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Commit 9321f5e into feat/distribution-overhaul
1 of 2 checks passed
github-merge-queue Bot pushed a commit that referenced this pull request on Feb 24, 2026
* feat: add GoReleaser, install script, and distribution channels

  Replace manual cross-compilation and release workflow with GoReleaser for consistent artifact naming, checksums, and automatic publishing to Homebrew tap and Scoop bucket. Add a curl|sh install script for easy Linux/macOS installation. Rewrite README installation section with platform-specific one-liners and fix badge links.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: remove Homebrew tap, Scoop bucket, and extra token config

  Keep everything self-contained in this repo — no separate tap/bucket repos or additional token secrets needed.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: restore original release trigger and versioning flow

  Keep push-to-main trigger and PR-label-based semver calculation via release-version action. GoReleaser runs after the version is calculated and the tag is created.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add output formatting, MCP tools, tests, and security fixes (#123)

  * feat: add output formatting, enhanced MCP tools, unit tests, and security fixes

    - Add output formatting package (json/yaml/table) with --output flag support
    - Update code generator to use output.Print() for all 326 generated commands
    - Add composite MCP tools: get_security_posture_summary, get_findings_for_repo
    - Add triage tools for SCA, secrets, and DAST findings
    - Add --repo flag to MCP serve with git remote auto-detection
    - Add unit tests for auth, MCP server helpers, output formatters, API client
    - Fix: config file permissions changed from 0644 to 0600
    - Fix: add HTTP status code check in device token polling
    - Fix: show manual URL message when browser can't be opened
    - Fix: remove token value from debug log output

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

  * feat: replace device flow with localhost callback auth (#124)

    * feat: replace device code polling with localhost callback auth

      Rewrite login flow: CLI starts a localhost HTTP server, opens browser to Cognito, receives callback with session ID, fetches tokens from backend. No more code confirmation or polling delay.

      - Replace DeviceFlowLogin() with Login() using localhost callback
      - Use http.NewRequestWithContext for proper context propagation
      - Add tracer spans to all auth functions
      - Simplify get_token.go to delegate to auth.GetValidToken()

      Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

    * fix: harden login with CSRF check, duplicate guard, and ctx cancellation

      - Verify received session_id matches expected one (CSRF protection)
      - Use sync.Once to guard against duplicate callback invocations
      - Add ctx.Done() case to select for proper Ctrl+C cancellation
      - Improve success HTML with checkmark SVG
      - Create session before starting server to have expected session ID

      Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

    * Fix duplicate callback handling: serve success page on repeated requests

      Previously, a second callback to the CLI localhost server after sync.Once would return an empty response. Now it returns the success HTML page.

      Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

    * Add signal handling for graceful Ctrl+C during login

      Wrap login context with signal.NotifyContext so Ctrl+C triggers the ctx.Done() select case, printing "authentication cancelled" cleanly instead of an abrupt process termination.

      Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

    * Fix go.mod: run go mod tidy to sync dependencies

      Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

    * Migrate CLI from go-arg to cobra and clean up struct tags

      - Replace go-arg-based main.go with cobra command structure
      - Remove go-arg struct tags from DAST and auth models
      - Add HTTP client timeout to NullifyClient
      - Add generate-api Makefile target

      Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

    * Fix Makefile build target for cobra package structure

      Change ./cmd/cli/... to ./cmd/cli since the cobra cmd subpackage is not a separate binary target.

      Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

    * Fix lint errors: errcheck and gofmt issues

      Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

    ---------

    Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

  ---------

  Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address security review findings

  - Fail install if no checksum tool available instead of silently bypassing
  - Create config dir with 0700 permissions, config file with 0600
  - Sanitize host value before JSON interpolation
  - URL-encode refresh token in query parameter

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
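The commit messages above (the merged PR commit and its repeat in the merge-queue commit) describe the hardened localhost callback login: a session ID created before the listener starts, a CSRF check that the callback's session_id matches it, a sync.Once so a duplicate callback cannot deliver twice but still receives the success page, a ctx.Done() select case, and signal.NotifyContext for Ctrl+C. The following is an added example written for this page, not the repository's own code: the type and function names (callbackServer, waitForCallback, login), the /callback path, and the printed URL are assumptions chosen to illustrate those properties, and the example binds to a loopback ephemeral port so it runs offline.

```go
package main

import (
	"context"
	"crypto/subtle"
	"errors"
	"fmt"
	"net"
	"net/http"
	"os"
	"os/signal"
	"sync"
	"time"
)

// successHTML is shown to the browser on every valid callback, including repeats.
const successHTML = `<!doctype html><html><body><p>&#10003; Login complete. You can close this tab.</p></body></html>`

// callbackServer receives the browser redirect for one login attempt.
// The type and field names are assumptions for this example, not the CLI's own.
type callbackServer struct {
	expectedSession string      // session_id created before the listener starts
	once            sync.Once   // delivers the result exactly once
	result          chan string // buffered so the first delivery never blocks
}

func newCallbackServer(expectedSession string) *callbackServer {
	return &callbackServer{expectedSession: expectedSession, result: make(chan string, 1)}
}

// ServeHTTP handles GET /callback?session_id=<id>.
func (s *callbackServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	got := r.URL.Query().Get("session_id")
	// CSRF check: only the session this CLI instance created is accepted, so a
	// stray request to the loopback port cannot complete a different login.
	if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(s.expectedSession)) != 1 {
		http.Error(w, "invalid session", http.StatusBadRequest)
		return
	}
	// The first valid callback hands the session to the waiting goroutine; later
	// valid callbacks (browser retries, prefetch) still get the success page.
	s.once.Do(func() { s.result <- got })
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, successHTML)
}

// waitForCallback returns the confirmed session_id, or an error when the
// context is cancelled (Ctrl+C) or the timeout elapses.
func (s *callbackServer) waitForCallback(ctx context.Context, timeout time.Duration) (string, error) {
	select {
	case sid := <-s.result:
		return sid, nil
	case <-ctx.Done():
		return "", errors.New("authentication cancelled")
	case <-time.After(timeout):
		return "", errors.New("timed out waiting for login callback")
	}
}

// login runs the flow end to end: the session exists before the server starts,
// the server binds to an ephemeral loopback port, and the caller waits.
func login(ctx context.Context, sessionID string, timeout time.Duration) (string, error) {
	srv := newCallbackServer(sessionID)
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback only, never 0.0.0.0
	if err != nil {
		return "", err
	}
	httpSrv := &http.Server{Handler: srv, ReadHeaderTimeout: 5 * time.Second}
	go func() { _ = httpSrv.Serve(ln) }()
	defer func() { _ = httpSrv.Shutdown(context.Background()) }()

	// In the real CLI the browser is sent to the identity provider, which
	// redirects back here; the manual URL is printed in case it cannot be opened.
	fmt.Printf("If the browser did not open, visit: http://%s/callback?session_id=%s\n", ln.Addr(), sessionID)
	return srv.waitForCallback(ctx, timeout)
}

func main() {
	// Ctrl+C cancels ctx, which lands in the ctx.Done() case of waitForCallback.
	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
	defer stop()
	sid, err := login(ctx, "constructed-session-id", 2*time.Minute)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("login confirmed for session", sid)
}
```

The constant-time compare is a small extra over a plain string equality check; the property that matters is that the session ID is generated before the port is opened, so nothing that reaches the port can guess a value that does not exist yet. The buffered result channel is what keeps `once.Do` from blocking if the waiting goroutine has already returned.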
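Two of the listed fixes concern the token file: the config directory is created 0700 and the file 0600 (previously 0644), and the token value no longer appears in debug output. The example below is added for this page and is not the project's code; the config struct, its JSON field names, the file name config.json and the helper names saveConfig, checkPermissions and redactToken are assumptions. It shows the detail that an `os.WriteFile(..., 0600)` call alone misses: the mode argument is ignored for a file that already exists and is masked by the umask, so a file written 0644 by an earlier release stays 0644 unless it is chmod'ed explicitly.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// config is a constructed stand-in for the CLI's token file; the field names
// are assumptions for this example, not the project's own schema.
type config struct {
	Host         string `json:"host"`
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
}

const configFileName = "config.json" // assumed file name

// saveConfig writes the token file so that only the owner can read it:
// directory 0700, file 0600, enforced even when both already existed.
func saveConfig(dir string, cfg config) (string, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", err
	}
	// MkdirAll leaves an existing directory's mode alone; tighten it explicitly.
	if err := os.Chmod(dir, 0o700); err != nil {
		return "", err
	}
	data, err := json.MarshalIndent(cfg, "", "  ")
	if err != nil {
		return "", err
	}
	path := filepath.Join(dir, configFileName)
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return "", err
	}
	// The O_CREATE mode is subject to umask and ignored for an existing file
	// (for example one written earlier as 0644), so set it on the descriptor.
	if err := f.Chmod(0o600); err != nil {
		f.Close()
		return "", err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return "", err
	}
	return path, f.Close()
}

// checkPermissions fails if group or other have any access to the file.
func checkPermissions(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s has mode %04o, expected 0600", path, perm)
	}
	return nil
}

// redactToken is what a debug log line should carry instead of the secret:
// enough to see that a token is present, nothing that can be replayed.
func redactToken(tok string) string {
	if tok == "" {
		return "[empty]"
	}
	return fmt.Sprintf("[redacted, %d chars]", len(tok))
}

func main() {
	home, err := os.UserHomeDir()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	dir := filepath.Join(home, ".nullify-example") // constructed path for the example
	cfg := config{Host: "api.example.com", AccessToken: "constructed-access", RefreshToken: "constructed-refresh"}
	path, err := saveConfig(dir, cfg)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("wrote", path, "access_token:", redactToken(cfg.AccessToken))
	if err := checkPermissions(path); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

checkPermissions is the kind of check worth running at load time as well as after a write: a token file that has drifted to group- or world-readable is a finding in its own right, independent of how it got there.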
Summary

- `internal/output/` package with JSON, YAML, and table formatters. Code generator updated to use `output.Print()` instead of raw `fmt.Println`.
- MCP tools (`get_security_posture_summary`, `get_findings_for_repo`), triage tools for SCA/secrets/DAST, and `--repo` flag with git remote auto-detection.

Test plan

- `go build ./...` compiles cleanly
- `go test ./internal/auth/... ./internal/mcp/... ./internal/output/... ./internal/api/...` passes
- `nullify sast list-findings --output table` renders readable table
- `nullify mcp serve` starts and responds to `tools/list`
- `nullify auth login` device flow completes successfully

🤖 Generated with Claude Code