chore: enhance fuselage script with link-all and unlink-all options for batch processing

[tassoevan]

Proposed changes (including videos or screenshots)

It adds convenience options for link and unlink all Fuselage packages from a sibling repository.

Issue(s)

Steps to test or reproduce

Further comments

Task: ARCH-2160

Summary by CodeRabbit

• New Features
  • Added link-all and unlink-all actions to efficiently manage symbolic links for all local fuselage packages in a single command.
  • Updated help documentation to detail all available actions and usage patterns.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: af463a7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[tassoevan]

/jira ARCH-2113

[coderabbitai]

Walkthrough

Extended fuselage.sh with link-all and unlink-all actions to batch-symlink all local packages. Help text documents the new options with examples. Runtime validation accepts these actions, discovers packages under ../fuselage/packages, and rewrites them to link/unlink with the full package list.

Batch linking for fuselage packages

Layer / File(s)	Summary
Help text and documentation for new actions fuselage.sh	Help output lists link-all and unlink-all as valid -a/--action options with corrected wording, and adds usage examples showing yarn fuselage -a link-all and yarn fuselage -a unlink-all for batch symlinking all local packages.
Action validation and package discovery fuselage.sh	Action validation now accepts link-all and unlink-all; when selected, script checks that ../fuselage/packages exists, discovers all package directories inside, errors if none are found, and converts the action to link or unlink with a semicolon-separated list of discovered packages.

🎯 2 (Simple) | ⏱️ ~8 minutes

type: feature

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding link-all and unlink-all options to the fuselage script for batch processing, which matches the actual implementation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

fuselage.sh (1)

84-103: ⚡ Quick win

Consider clarifying the error message about repository location.

The error message at line 87 states "Make sure the fuselage repository is available at the project root," but the path ../fuselage/packages indicates a sibling directory (one level up, then into fuselage). The message could be more precise about the expected location.

📝 Suggested clarification

     if [[ ! -d "../fuselage/packages" ]]; then
         echo "Could not find ../fuselage/packages"
-        echo "Make sure the fuselage repository is available at the project root"
+        echo "Make sure the fuselage repository is cloned as a sibling directory"
         exit 1
     fi

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@fuselage.sh` around lines 84 - 103, The error message about repository
location is vague: update the echo text in the fuselage.sh branch that checks
../fuselage/packages (the block that computes packages and sets action to
"link"/"unlink") to state the exact expected path (e.g., "../fuselage/packages"
or "a sibling directory named 'fuselage' one level up") so users know to place
the fuselage repo at ../fuselage relative to the current project; modify the
echo that currently reads "Make sure the fuselage repository is available at the
project root" to a clearer sentence referencing "../fuselage/packages" or
equivalent phrasing.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@fuselage.sh`:
- Line 10: Fix the typo in the help/usage string for the undo|unlink command:
replace "symbolic li nk" with "symbolic link" in the fuselage.sh help text
associated with the undo|unlink description so the displayed help reads "Removes
the symbolic link for the fuselage package".
- Around line 11-12: The help text for link-all and unlink-all mentions
./fuselage/packages but the runtime check uses ../fuselage/packages; make them
consistent by updating the help string to reference ../fuselage/packages (or
change the runtime check to ./fuselage/packages if you intend the repo to be in
the current directory). Locate the help block that documents "link-all" and
"unlink-all" and the path validation that references "../fuselage/packages" and
ensure both use the same path string so users and the code match.

---

Nitpick comments:
In `@fuselage.sh`:
- Around line 84-103: The error message about repository location is vague:
update the echo text in the fuselage.sh branch that checks ../fuselage/packages
(the block that computes packages and sets action to "link"/"unlink") to state
the exact expected path (e.g., "../fuselage/packages" or "a sibling directory
named 'fuselage' one level up") so users know to place the fuselage repo at
../fuselage relative to the current project; modify the echo that currently
reads "Make sure the fuselage repository is available at the project root" to a
clearer sentence referencing "../fuselage/packages" or equivalent phrasing.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d6359771-b175-4504-bef2-0f5dc17d9431

📥 Commits

Reviewing files that changed from the base of the PR and between 7af134c and 65aa322.

📒 Files selected for processing (1)

• fuselage.sh

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: 📦 Build Packages
• GitHub Check: cubic · AI code reviewer
• GitHub Check: CodeQL-Build
• GitHub Check: Hacktron Security Check

🔇 Additional comments (1)

fuselage.sh (1)

40-45: LGTM!

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix typo: "li nk" should be "link".

There's an extra space in "symbolic li nk" that makes the help text look unprofessional.

📝 Proposed fix

-    - undo|unlink : Removes the symbolic li nk for the fuselage package
+    - undo|unlink : Removes the symbolic link for the fuselage package

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- undo|unlink : Removes the symbolic li nk for the fuselage package
	- undo|unlink : Removes the symbolic link for the fuselage package

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@fuselage.sh` at line 10, Fix the typo in the help/usage string for the
undo|unlink command: replace "symbolic li nk" with "symbolic link" in the
fuselage.sh help text associated with the undo|unlink description so the
displayed help reads "Removes the symbolic link for the fuselage package".

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Path in documentation doesn't match implementation.

The help text indicates ./fuselage/packages (current directory), but the actual code at line 85 checks ../fuselage/packages (sibling directory). This inconsistency could confuse users trying to understand where to place the fuselage repository.

📝 Proposed fix

-    - link-all    : Creates symbolic links for all packages in ./fuselage/packages
-    - unlink-all  : Removes symbolic links for all packages in ./fuselage/packages
+    - link-all    : Creates symbolic links for all packages in ../fuselage/packages
+    - unlink-all  : Removes symbolic links for all packages in ../fuselage/packages

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- link-all : Creates symbolic links for all packages in ./fuselage/packages
	- unlink-all : Removes symbolic links for all packages in ./fuselage/packages
	- link-all : Creates symbolic links for all packages in ../fuselage/packages
	- unlink-all : Removes symbolic links for all packages in ../fuselage/packages

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@fuselage.sh` around lines 11 - 12, The help text for link-all and unlink-all
mentions ./fuselage/packages but the runtime check uses ../fuselage/packages;
make them consistent by updating the help string to reference
../fuselage/packages (or change the runtime check to ./fuselage/packages if you
intend the repo to be in the current directory). Locate the help block that
documents "link-all" and "unlink-all" and the path validation that references
"../fuselage/packages" and ensure both use the same path string so users and the
code match.

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="fuselage.sh">

<violation number="1" location="fuselage.sh:11">
P2: Path in documentation doesn't match implementation. The help text references `./fuselage/packages` (current directory) but the actual code operates on `../fuselage/packages` (sibling directory). This will confuse users trying to set up their directory structure.</violation>
</file>

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[cubic-dev-ai]

P2: Path in documentation doesn't match implementation. The help text references ./fuselage/packages (current directory) but the actual code operates on ../fuselage/packages (sibling directory). This will confuse users trying to set up their directory structure.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At fuselage.sh, line 11:

<comment>Path in documentation doesn't match implementation. The help text references `./fuselage/packages` (current directory) but the actual code operates on `../fuselage/packages` (sibling directory). This will confuse users trying to set up their directory structure.</comment>

<file context>
@@ -4,10 +4,12 @@ if [[ $1 == "--help" || $1 == "-h" ]]; then
+    Specify the action to be performed by the script.
     - link        : Creates a symbolic link for the fuselage package
     - undo|unlink : Removes the symbolic li nk for the fuselage package
+    - link-all    : Creates symbolic links for all packages in ./fuselage/packages
+    - unlink-all  : Removes symbolic links for all packages in ./fuselage/packages
     - next        : Update dependencies with the @next npm package version
</file context>

Suggested change

	- link-all : Creates symbolic links for all packages in ./fuselage/packages
	- unlink-all : Removes symbolic links for all packages in ./fuselage/packages
	- link-all : Creates symbolic links for all packages in ../fuselage/packages
	- unlink-all : Removes symbolic links for all packages in ../fuselage/packages

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.75%. Comparing base (b92bcc7) to head (af463a7).

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #40701      +/-   ##
===========================================
- Coverage    69.76%   69.75%   -0.01%     
===========================================
  Files         3327     3327              
  Lines       123134   123134              
  Branches     21963    21926      -37     
===========================================
- Hits         85902    85891      -11     
- Misses       33873    33890      +17     
+ Partials      3359     3353       -6     

Flag	Coverage Δ
e2e	59.37% <ø> (-0.02%)	⬇️
e2e-api	46.07% <ø> (-0.05%)	⬇️
unit	70.48% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[hacktron-app]

3 issues found across 3 files

Severity	Count
🟡 Medium	2
🟢 Low	1

Comments Outside Diff (3)

🟢 Low: User Enumeration via 2FA Email Code Request Timing Attack (Timing)

Location: apps/meteor/app/api/server/v1/users.ts:673-1612

The users.2fa.sendEmailCode endpoint allows an attacker to verify the existence of users by observing the response. Although the endpoint returns a success status regardless of whether the user exists, the underlying logic performs a database lookup (Users.findOneByEmailAddress or Users.findOneByUsername). An attacker can potentially use this to enumerate valid usernames or emails by measuring response times or observing other side-channel indicators, as the server performs a database operation for valid identifiers but not for invalid ones. This is a common pattern for user enumeration.

---

🟡 Medium: Insecure Direct Object Reference in Push Token Assignment

Location: apps/meteor/app/push/server/methods.ts:31

The 'raix:push-setuser' Meteor method allows any authenticated user to update the 'userId' field of an arbitrary 'PushToken' document to their own 'userId'. By providing the '_id' of a push token belonging to another user, an attacker can reassign that token to their own account. This could lead to information disclosure if push notifications or associated metadata contain sensitive information intended for the original owner of the token. The method fails to verify if the 'PushToken' document currently belongs to the caller.

---

🟡 Medium: Unauthorized User Addition in Discussion Creation

Location: apps/meteor/app/discussion/server/methods/createDiscussion.ts:89

The createDiscussion method allows users to create discussions in rooms they have access to. However, the createRoom function is called with invitedUsers derived from the replied message owner and the users parameter passed by the caller. While the createDiscussion method checks if the caller has permission to start a discussion, it does not explicitly verify if the current user has permission to add the specified users to the new room, potentially allowing an attacker to force-add users to a private discussion room they shouldn't be in.

View full scan results