v0.2.0: Discord-friendly markdown, User/Group merge, expanded redaction #12
bakerboy448 merged 11 commits into main from
Walkthrough: This PR introduces v0.2.0 with three major feature areas: a new user/group information extraction and display system, enhanced sensitive data redaction patterns, and multi-format markdown output (GitHub vs. Discord). It also updates CI/CD workflows for automated dependency management and adds clipboard fallback support. All user-facing changes integrate via refactored UI tabs and dual-format markdown copy buttons.

Changes (three areas): User/Group Information & Display; Sensitive Data Redaction Enhancements; Infrastructure & Polish.
Actionable comments posted: 3
⚠️ Outside diff range comments (1)
src/main.ts (1)
485-503: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Preview output diverges from actual GitHub copy output.
At Line 485-Line 503, the preview is built from service + volume tables only, while copy uses `buildCombinedMarkdown` + `formatForGitHub` (which also includes User/Group and headings). This can mislead users comparing preview vs copied output.
Suggested fix:
- const svcMd = generateMarkdownTable(services) - const volMd = generateVolumeComparisonMarkdown(services) - const mdParts: string[] = [] - if (svcMd) mdParts.push(svcMd) - if (volMd) mdParts.push(volMd) - if (mdParts.length > 0) { - const combinedMd = mdParts.join('\n\n') + const combinedMd = formatForGitHub(buildCombinedMarkdown(services)) + if (combinedMd) { const mdLabel = el('label') mdLabel.textContent = 'Markdown preview (GitHub format) — use the buttons above to copy GitHub or Discord variants:' mdLabel.style.marginTop = '0.75rem' volumesContainer.appendChild(mdLabel) const mdPreview = el('textarea', { className: 'code-textarea', rows: String(Math.min(combinedMd.split('\n').length + 1, 18)), readonly: 'true', spellcheck: 'false', }) mdPreview.value = combinedMd volumesContainer.appendChild(mdPreview) }🤖 Prompt for AI Agents
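Review bot: the suggested replacement swaps the `mdParts.length > 0` guard for `if (combinedMd)`, which is only equivalent if `formatForGitHub(buildCombinedMarkdown(services))` returns an empty string when no section has data; if the formatter emits a `###` heading for an empty section, the preview would now render a headings-only textarea where the old code rendered nothing, so confirm that empty-section path (the markdown tests described in the commit messages on this page cover section omission when a source table is empty, which is exactly the behaviour this guard relies on). Second point on the same hunk: once the preview uses the combined pipeline, `generateMarkdownTable` and `generateVolumeComparisonMarkdown` are no longer referenced in this block, so drop their imports from `src/main.ts` if nothing else in the file uses them.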
Verify each finding against the current code and only fix it if needed. In `@src/main.ts` around lines 485 - 503, The preview textarea currently builds markdown from generateMarkdownTable(services) + generateVolumeComparisonMarkdown(services) which differs from the copy pipeline; change the preview to use the same pipeline as the copy buttons by calling buildCombinedMarkdown(services) and then passing that result to formatForGitHub (or the same formatter used by the copy action) and use that formatted string for mdPreview.value and rows; update references around generateMarkdownTable/generateVolumeComparisonMarkdown and ensure mdPreview and volumesContainer get the formatted output so preview and copy are identical.
🤖 Prompt for all review comments with AI agents
Inline comments:
In `@src/patterns.ts`:
- Line 45: The regex literal /\bgh[pousr]_[A-Za-z0-9]{30,}\b/ in src/patterns.ts
only matches classic GH PAT prefixes (ghp_, gho_, etc.) — update that entry (or
add a new one) to also detect fine‑grained tokens that start with the
github_pat_ prefix by including an alternative for "github_pat_" and allowing
the appropriate alphanumeric/URL-safe characters and length used by fine‑grained
tokens; keep the change scoped to the existing patterns array entry so detection
covers both classic and fine‑grained GitHub PAT formats.
In `@src/services.ts`:
- Line 137: The code currently only accepts string service['user'] and drops
numeric YAML scalars; update the user extraction logic (the occurrences using
service['user'] such as the line with user: typeof service['user'] === 'string'
? service['user'].trim() : '') to also accept numbers by converting them to
strings (e.g., if typeof service['user'] === 'number' then
String(service['user']) ) and preserve trimming for strings; also add a unit
test that parses an unquoted numeric YAML entry like user: 1000 to ensure the
numeric value is preserved as "1000".
In `@tests/markdown.test.ts`:
- Around line 197-259: Tests for formatForGitHub/formatForDiscord are missing a
positive-path assertion that the User/Group markdown section appears when
service data includes userGroup; add one test case for each formatter that
constructs a service via makeService with a userGroup field (e.g., makeService({
name: 'app', image: 'nginx', userGroup: '1000:1000' })), calls
buildCombinedMarkdown and then formatForGitHub/formatForDiscord, and asserts the
output contains the expected User/Group section heading and table content (for
GitHub expect "### User/Group" and the pipe-table rows; for Discord expect
"**User/Group**" wrapped appropriately and the raw table lines), ensuring the
section is present rather than omitted.
📒 Files selected for processing (19): .github/dependabot.yml, .github/workflows/ci.yml, .github/workflows/dependabot-automerge.yml, .github/workflows/prerelease.yml, README.md, package.json, src/clipboard.ts, src/config.ts, src/main.ts, src/markdown.ts, src/patterns.ts, src/redact.ts, src/services.ts, src/volume-table.ts, tests/cards.test.ts, tests/markdown.test.ts, tests/patterns.test.ts, tests/services.test.ts, tests/volume-table.test.ts
Pushed 3 follow-up commits addressing CodeRabbit review:
255 tests passing (was 231). Build still 82 KB / 26 KB gzipped. Side admin: GitHub Projects (classic) disabled on the repo (was deprecation-noisy).
navigator.clipboard.writeText fails silently in several real-world
contexts (no transient user-activation, focus on a different document,
permission denied, browsers that expose the API but throw at call time).
The page is HTTPS so the fallback rarely fires, but its absence meant
"Copy" buttons reported success on a no-op or failed outright.
Add a hidden-textarea + document.execCommand('copy') fallback that runs
when the modern API throws or is unavailable, and tighten the secure-
context check.
Discord does not render pipe-table markdown; the | separators show literally and any *_~ chars in volume paths trigger inline formatting. Wrapping each table in a triple-backtick code fence preserves alignment in Discord's monospace renderer and blocks inline-format parsing.

- buildCombinedMarkdown(services) returns the per-section pieces.
- formatForGitHub: existing ### headings + bare tables.
- formatForDiscord: **bold** labels + fenced code blocks per section.

Tests cover empty inputs, fence count, section omission when a source table is empty, and that the Discord formatter does not use ### so it renders consistently across Discord clients.
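The two formatters described in the commit above, as an added example that is not the project's src/markdown.ts (SvcRow, MdSection, pipeTable and the sample rows are assumptions). Beyond what the commit states it handles two edge cases a practitioner runs into: a literal | inside a cell is escaped so it does not split the GitHub table, and a ``` inside a cell is neutralised so it cannot close the Discord fence early and let the rest of the paste be parsed as inline markdown.

```typescript
// Added example, not the project's src/markdown.ts; all names are assumptions.
interface SvcRow { name: string; image: string; user: string }
interface MdSection { title: string; table: string }

// Build a GFM pipe table. Returns '' when there are no rows so the caller can
// omit the whole section. A literal | inside a cell is escaped; otherwise it
// would be read as a column separator.
function pipeTable(headers: string[], rows: string[][]): string {
  if (rows.length === 0) return ''
  const esc = (cell: string) => cell.replace(/\|/g, '\\|')
  const line = (cells: string[]) => `| ${cells.map(esc).join(' | ')} |`
  const separator = `|${headers.map(() => ' --- |').join('')}`
  return [line(headers)].concat([separator], rows.map(line)).join('\n')
}

// Per-section pieces; sections whose source table is empty are dropped here,
// so neither formatter ever emits a heading with nothing under it.
function buildCombinedMarkdown(services: SvcRow[]): MdSection[] {
  const withUser = services.filter((s) => s.user !== '')
  const sections: MdSection[] = [
    { title: 'Services', table: pipeTable(['Service', 'Image'], services.map((s) => [s.name, s.image])) },
    { title: 'User/Group', table: pipeTable(['Service', 'User'], withUser.map((s) => [s.name, s.user])) },
  ]
  return sections.filter((s) => s.table !== '')
}

// GitHub: ### heading followed by the bare table (GFM renders pipe tables).
function formatForGitHub(sections: MdSection[]): string {
  return sections.map((s) => `### ${s.title}\n\n${s.table}`).join('\n\n')
}

// Discord: no ### (older clients show it literally); a **bold** label and a
// fenced block so | and any *_~ in paths are displayed verbatim and aligned.
function formatForDiscord(sections: MdSection[]): string {
  return sections
    .map((s) => {
      // A cell containing ``` would close the fence early. A zero-width space
      // between the backticks keeps the display but is no longer a fence token.
      const body = s.table.replace(/`{3,}/g, (run) => run.split('').join('\u200b'))
      return `**${s.title}**\n\`\`\`\n${body}\n\`\`\``
    })
    .join('\n')
}

// Constructed sample rows (not real services).
const SAMPLE_ROWS: SvcRow[] = [
  { name: 'app', image: 'nginx', user: '1000:1000' },
  { name: 'db', image: 'postgres', user: '' },
]
```

Usage: `formatForGitHub(buildCombinedMarkdown(SAMPLE_ROWS))` and `formatForDiscord(buildCombinedMarkdown(SAMPLE_ROWS))` produce the two variants from one set of sections, so a preview built from the same call cannot drift from what the copy button puts on the clipboard.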
The single biggest support question for *arr-style stacks is "why can't service X read files written by service Y?" That's almost always a UID/GID mismatch hiding in PUID/PGID env, an explicit user: directive, or group_add. Surface them in one place so mismatches are obvious.

- ServiceInfo gains a userGroup field with user, puid, pgid, groupAdd, and umask. Lookups for PUID/PGID/UMASK are case-insensitive so a typo'd `Puid` still surfaces.
- A derived `user` row is added to extras (and the service overview table). Combines the user: directive with PUID/PGID; collapses to a single value when they match, annotates when they conflict.
- New User/Group comparison table (DOM + markdown) renders alongside the volume comparison. Rows that are empty across all services are hidden so the table only shows fields that exist somewhere.
- Discord and GitHub markdown exports include the new section.
- Switch the post-sanitize default tab from YAML to Table. Most users reach for this view first to scan services, ports, user/group, and volume comparison; YAML is the fallback when the structured view isn't enough.
- Replace the single "Copy as Markdown" button with two: "Copy MD (GitHub)" (existing format) and "Copy MD (Discord)" (fenced-code variant). The previous output was unreadable when pasted into Discord support channels.
- Render the User/Group comparison and Volume comparison tables under labelled headings so the Table tab presents them as distinct sections.
- Open* buttons (PrivateBin, logs.notifiarr, Gist) now call window.open synchronously inside the click handler before the clipboard write. Awaiting first drops the user-activation token in Safari and triggers the popup blocker.
Add coverage in three places:

Key patterns:
- *_URL / *_URI / *_DSN / *_CONNECTION_STRING tail suffixes.
- DATABASE/REDIS/MONGO/AMQP/RABBIT/CELERY/POSTGRES/MYSQL/ELASTIC prefixes (catches DATABASE_URL etc. without a password-y substring).
- AWS access/secret keys, Tailscale auth keys, GitHub PATs/tokens, any *webhook* key.
- Strip a trailing _FILE suffix before matching so the Docker-secrets convention (POSTGRES_PASSWORD_FILE, DATABASE_URL_FILE) is covered.

Value patterns (redact regardless of key name):
- Basic-auth credentials embedded in any URL value.
- GitHub PATs (ghp_/gho_/ghu_/ghs_/ghr_).
- AWS access key IDs (AKIA/ASIA/AROA/AIPA/AGPA/AIDA + 16 chars).
- Tailscale auth keys.
- Discord and Slack incoming-webhook URLs.
- JWT-shaped values (three base64url segments separated by dots).

config.ts default sensitivePatterns updated to match. Tests cover the new key/value matchers; fake test fixtures get pragma allowlist comments.
- Add dependabot-automerge.yml: auto-merge minor/patch Dependabot PRs via gh pr merge --auto --squash, gated on CI green. Keeps the human review queue focused on majors. Uses dependabot/fetch-metadata to classify update type.
- Refine .github/dependabot.yml: split npm group into dev-deps-minor vs prod-deps-minor (so dev-only churn auto-merges without dragging runtime deps along), set open-pull-requests-limit, ignore @types/node major bumps so Node versioning stays deliberate.
- ci.yml: add top-level permissions: contents: read so the workflow defaults to least-privilege.
- prerelease.yml: paths-ignore docs / config-only changes so README, pre-commit, dependabot, and similar commits don't spam pre-release tags + GitHub releases. Also suppress a pre-existing SC2001 shellcheck warning on the capture-group sed (shellcheck false positive — parameter expansion can't replicate the regex).
…ction

- Three-tab UI with Table as default; per-tab purpose documented.
- Two copy buttons (GitHub vs Discord) with the rationale for the Discord fenced-code variant.
- User/Group merging behaviour (directive + PUID/PGID + group_add + UMASK) and case-insensitive env lookup.
- Expanded redaction coverage: connection-string keys, embedded URL basic-auth, vendor token formats, and Docker-secrets _FILE suffix.
- Architecture file list updated to include volume-table / volume-utils.
…ub PATs

Issue #10 (TRaSH): Discord/Slack/Telegram identifiers leak who you are and which servers/channels you operate in. Add key patterns for discord_*, slack_*, telegram_*, matrix_*, teams_* prefixes and the common *_id suffixes (guild_id, channel_id, server_id, workspace_id, tenant_id, application_id, bot_id, client_id). Tests confirm the common compose IDs (CONTAINER_ID, IMAGE_ID, USER_ID, PROCESS_ID) are not over-matched.

Also fix a value-side gap: the ghp_/gho_/ghu_/ghs_/ghr_ regex only matched classic GitHub PATs, not fine-grained tokens which use the github_pat_<base62>_… prefix and underscore-bearing payload. Add a dedicated alt pattern.
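An added example, not the project's src/patterns.ts or its tests, of the key-name and value-shape matchers the redaction commit and the chat-ID/fine-grained-PAT commit above describe (and the fine-grained github_pat_ alternative the review asked for). KEY_PATTERNS, VALUE_PATTERNS, redactEnv and the sample environment are assumptions; every token in the sample is a fake fixture. One tightening is mine rather than the page's: the JWT matcher requires the eyJ header prefix (base64url of `{"`) so that three-dotted-segment version strings such as 1.2.3 are not redacted.

```typescript
// Added example, not the project's src/patterns.ts; names are assumptions.
interface EnvEntry { key: string; value: string }
interface ValuePattern { re: RegExp; replacement: string }

// Key-name matchers: when the key matches, the whole value is replaced.
// The key is tested with a trailing _FILE stripped, so the Docker-secrets
// convention (POSTGRES_PASSWORD_FILE, DATABASE_URL_FILE) is covered too.
const KEY_PATTERNS: RegExp[] = [
  /(?:^|_)(?:PASS|PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)$/i,
  /_(?:URL|URI|DSN|CONNECTION_STRING)$/i,
  /^(?:DATABASE|REDIS|MONGO|AMQP|RABBIT|CELERY|POSTGRES|MYSQL|ELASTIC)_/i,
  /^(?:AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|TS_AUTHKEY)$/i,
  /WEBHOOK/i,
  // Chat-platform identifiers: vendor prefixes plus the *_ID suffixes that name
  // a guild/channel/workspace/tenant. CONTAINER_ID, IMAGE_ID, USER_ID and
  // PROCESS_ID deliberately do not match because their stem is not listed.
  /^(?:DISCORD|SLACK|TELEGRAM|MATRIX|TEAMS)_/i,
  /(?:^|_)(?:GUILD|CHANNEL|SERVER|WORKSPACE|TENANT|APPLICATION|BOT|CLIENT)_ID$/i,
]

// Value-shape matchers: applied regardless of key name. Only the matched span
// is replaced, so surrounding context (scheme, host, a "Bearer" prefix) survives.
const VALUE_PATTERNS: ValuePattern[] = [
  // Basic-auth userinfo in any URL: scheme://user:pass@host -> scheme://[REDACTED]@host
  { re: /\b([a-z][a-z0-9+.-]*:\/\/)[^\s/:@]*:[^\s/@]+@/gi, replacement: '$1[REDACTED]@' },
  // Classic GitHub PATs (ghp_/gho_/ghu_/ghs_/ghr_): prefix + alphanumeric payload.
  { re: /\bgh[pousr]_[A-Za-z0-9]{30,}\b/g, replacement: '[REDACTED]' },
  // Fine-grained GitHub PATs: github_pat_ prefix, payload may contain underscores.
  { re: /\bgithub_pat_[A-Za-z0-9_]{30,}\b/g, replacement: '[REDACTED]' },
  // AWS access key IDs: known 4-char prefix + 16 upper-case alphanumerics.
  { re: /\b(?:AKIA|ASIA|AROA|AIPA|AGPA|AIDA)[A-Z0-9]{16}\b/g, replacement: '[REDACTED]' },
  // Tailscale auth keys, assumed shape tskey-<kind>-<id>-<secret>.
  { re: /\btskey-[a-z]+-[A-Za-z0-9]+-[A-Za-z0-9]+\b/g, replacement: '[REDACTED]' },
  // Discord and Slack incoming-webhook URLs.
  { re: /https:\/\/(?:ptb\.|canary\.)?discord(?:app)?\.com\/api\/webhooks\/\d+\/[A-Za-z0-9_-]+/g, replacement: '[REDACTED]' },
  { re: /https:\/\/hooks\.slack\.com\/services\/[A-Za-z0-9/]+/g, replacement: '[REDACTED]' },
  // JWT-shaped values. Requiring the eyJ header prefix keeps "1.2.3"-style
  // strings (also three dotted segments) from being redacted.
  { re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, replacement: '[REDACTED]' },
]

function redactEnv(entries: EnvEntry[]): EnvEntry[] {
  return entries.map(({ key, value }) => {
    const bareKey = key.replace(/_FILE$/i, '')
    if (KEY_PATTERNS.some((re) => re.test(bareKey))) return { key, value: '[REDACTED]' }
    let out = value
    for (const { re, replacement } of VALUE_PATTERNS) out = out.replace(re, replacement)
    return { key, value: out }
  })
}

// Constructed sample environment. Every credential-looking value is a fake
// fixture (pragma: allowlist secret), not a real token.
const SAMPLE_ENV: EnvEntry[] = [
  { key: 'PUID', value: '1000' },
  { key: 'DATABASE_URL', value: 'postgres://app:s3cret@db:5432/app' },
  { key: 'SMTP_PASSWORD_FILE', value: '/run/secrets/smtp_password' },
  { key: 'CONTAINER_ID', value: 'c0ffee' },
  { key: 'GUILD_ID', value: '123456789012345678' },
  { key: 'UPSTREAM', value: 'https://admin:hunter2@proxy.internal:8080/' },
  { key: 'NOTES', value: 'classic ghp_0123456789abcdefghijklmnopqrstuvwxyz and fine-grained github_pat_ABCDEFGHIJKLMNOPQRSTUV_abcdefghijklmnopqrstuvwxyz0123456789' },
  { key: 'AWS_NOTE', value: 'id AKIAABCDEFGHIJKLMNOP' },
  { key: 'CLAIMS', value: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln' },
  { key: 'APP_VERSION', value: '1.2.3' },
]

// Convenience lookup over the redacted sample, for the checks below.
function redactedValue(key: string): string {
  for (const entry of redactEnv(SAMPLE_ENV)) if (entry.key === key) return entry.value
  return ''
}
```

The key-side match wins before any value matching runs, which is why DATABASE_URL loses its whole value while UPSTREAM (no key match) keeps its scheme and host and loses only the userinfo.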
When users paste from a rendered HTML source (forum thread, wiki, GitHub diff preview, or the autocompose web demo), the input arrives with &/</" entities and %20-style percent encoding instead of literal characters. YAML rejects these so the previous error path was misleading — the input was correct but the encoding wasn't.

Add normalizeEncodedInput() called from extractYaml:
- Decode HTML entities (named, decimal, hex) via the textarea trick when at least one entity is present.
- Decode percent-encoding only when there are >= 2 percent-sequences, so a literal "100%" stays literal but "/path/My%20Files" decodes.
- Malformed sequences (%ZZ) are left in place rather than throwing.

8 new tests cover plain-text passthrough, named/numeric/hex entities, percent paths, the literal-% guard, mixed encoding, and malformed input.
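The two-step normalisation described above, as an added example that is not the project's normalizeEncodedInput(): a small entity table stands in for the textarea trick (which needs a DOM, so this version also runs in Node), the percent-sequence count is taken across the whole pasted input, and runs that cannot be decoded (%ZZ, or byte sequences that are not valid UTF-8) are left in place instead of throwing. Function names and the pasted sample are assumptions.

```typescript
// Added example, not the project's normalizeEncodedInput(); names are assumptions.
const NAMED_ENTITIES: Record<string, string> = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0',
}
const ENTITY_RE = /&(#x[0-9a-f]+|#\d+|[a-z]+);/gi

// Build the UTF-16 string for a code point, including the surrogate pair
// needed above U+FFFF (e.g. &#x1F600;).
function codePointToString(cp: number): string {
  if (cp <= 0xffff) return String.fromCharCode(cp)
  const v = cp - 0x10000
  return String.fromCharCode(0xd800 + (v >> 10), 0xdc00 + (v & 0x3ff))
}

// Named, decimal and hex entities. Unknown names and out-of-range code points
// are left exactly as written rather than turned into garbage.
function decodeHtmlEntities(text: string): string {
  return text.replace(ENTITY_RE, (whole: string, body: string) => {
    const lower = body.toLowerCase()
    if (lower.charAt(0) === '#') {
      const cp = lower.charAt(1) === 'x' ? parseInt(lower.slice(2), 16) : parseInt(lower.slice(1), 10)
      return cp > 0x10ffff ? whole : codePointToString(cp)
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, lower) ? NAMED_ENTITIES[lower] : whole
  })
}

const PERCENT_SEQ = /%[0-9a-f]{2}/gi
const PERCENT_RUN = /(?:%[0-9a-f]{2})+/gi

// Decode percent-encoding only when the input as a whole carries at least two
// sequences: a lone "%2" in "100%2" or a single "%20" is more likely literal
// text than an encoded path. Each run is decoded separately so one malformed
// run (invalid UTF-8) stays as-is without blocking the others. "%ZZ" never
// matches the sequence regex and is therefore left alone by construction.
function decodePercentSequences(text: string): string {
  const count = (text.match(PERCENT_SEQ) || []).length
  if (count < 2) return text
  return text.replace(PERCENT_RUN, (run: string) => {
    try {
      return decodeURIComponent(run)
    } catch (_err) {
      return run
    }
  })
}

function normalizeEncodedInput(text: string): string {
  // Entities first: "&amp;" must become "&" before any "%" counting, and an
  // entity can itself spell a "%" (&#37;) that then takes part in the count.
  return decodePercentSequences(decodeHtmlEntities(text))
}

// Constructed sample: a compose snippet copied out of a rendered HTML page.
const PASTED_SAMPLE = [
  'services:',
  '  app:',
  '    image: nginx',
  '    volumes:',
  '      - &quot;/mnt/My%20Media%20Files:/data&quot;',
  '    command: [&quot;sh&quot;, &quot;-c&quot;, &quot;echo 100% &amp;&amp; exit&quot;]',
].join('\n')
```

Note the ordering: if percent decoding ran first, an input such as `%26amp;` would be decoded twice and end up as `&`, which is the classic double-decoding mistake; entities first, then a single percent pass, keeps each layer applied once.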
- services.ts: accept numeric user: scalars. Unquoted YAML user: 1000 parses to a number, not a string, so the previous typeof === 'string' guard silently dropped it. Centralize the coercion in readUserDirective() and use it from both extractUserGroup and deriveUser. Test added.
- main.ts: collapse the markdown-preview pipeline onto the same code path the copy buttons use (buildCombinedMarkdown + formatForGitHub). Previously the preview composed its own bare table sections without the ### headings, so what users saw differed from what they copied. Drops two now-unused imports.
- markdown.test.ts: add positive-path assertions that the User / Group section appears in both formatForGitHub (### heading + pipe table) and formatForDiscord (**bold** label + fenced code) when userGroup data is present. The existing tests only covered Services and Volume Comparison sections.
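An added example, not the project's src/services.ts, of the user/group extraction described in this commit and in the User/Group commit earlier in the thread (type and function names and the sample services are assumptions). readUserDirective() coerces numeric scalars, the PUID/PGID/UMASK lookup is case-insensitive and accepts both the map and the KEY=VAL list form of environment:, and deriveUser() collapses or annotates. identitySummary() goes one step beyond the page: it compares the derived identities across services and flags stacks where containers run as different UID:GID pairs, which is the mismatch the commit message says users keep hitting.

```typescript
// Added example, not the project's src/services.ts; names are assumptions.
type Scalar = string | number | boolean | null | undefined
type EnvBlock = Record<string, Scalar> | string[]
interface ServiceDef { user?: Scalar; environment?: EnvBlock; group_add?: Scalar[] }
interface UserGroupInfo { user: string; puid: string; pgid: string; umask: string; groupAdd: string[] }

// Unquoted YAML `user: 1000` parses to a number, not a string, so both are
// accepted here. Booleans/null (e.g. a stray `user: ~`) yield ''.
function readUserDirective(v: Scalar): string {
  if (typeof v === 'number') return String(v)
  if (typeof v === 'string') return v.trim()
  return ''
}

// Case-insensitive lookup so a typo'd `Puid` still surfaces. Compose allows
// environment: as a map or as a list of KEY=VAL strings; handle both.
function envLookup(env: EnvBlock | undefined, name: string): string {
  const want = name.toUpperCase()
  if (!env) return ''
  if (Array.isArray(env)) {
    for (const item of env) {
      const eq = item.indexOf('=')
      const key = (eq < 0 ? item : item.slice(0, eq)).trim()
      if (key.toUpperCase() === want) return eq < 0 ? '' : item.slice(eq + 1).trim()
    }
    return ''
  }
  for (const key of Object.keys(env)) {
    // Same coercion as the directive: `PUID: 1000` is a number after parsing.
    // Pitfall: an unquoted `UMASK: 002` parses as the integer 2 and shows up
    // here as "2"; UMASK should be quoted in the compose file.
    if (key.toUpperCase() === want) return readUserDirective(env[key])
  }
  return ''
}

function extractUserGroup(service: ServiceDef): UserGroupInfo {
  const groupAdd = (service.group_add || []).map((g) => readUserDirective(g)).filter((g) => g !== '')
  return {
    user: readUserDirective(service.user),
    puid: envLookup(service.environment, 'PUID'),
    pgid: envLookup(service.environment, 'PGID'),
    umask: envLookup(service.environment, 'UMASK'),
    groupAdd,
  }
}

// Combine the user: directive with PUID/PGID: one value when they agree, an
// annotation when they conflict, whichever exists otherwise. A lone PGID with
// no PUID is unusual and is left to the comparison table rather than merged.
function deriveUser(info: UserGroupInfo): string {
  const fromEnv = info.puid && info.pgid ? `${info.puid}:${info.pgid}` : info.puid
  if (!info.user) return fromEnv
  if (!fromEnv) return info.user
  const parts = info.user.split(':')
  const uidMatches = parts[0] === info.puid
  const gidMatches = parts.length < 2 || !info.pgid || parts[1] === info.pgid
  if (uidMatches && gidMatches) return parts.length >= 2 ? info.user : fromEnv
  return `${info.user} (user:) conflicts with ${fromEnv} (PUID/PGID)`
}

// Stack-level check: do all services that declare an identity agree on it?
// Services declaring nothing run as the image default and are not counted.
function identitySummary(services: Record<string, ServiceDef>): { rows: { name: string; user: string }[]; mismatch: boolean } {
  const rows: { name: string; user: string }[] = []
  const seen: Record<string, boolean> = {}
  let mismatch = false
  for (const name of Object.keys(services)) {
    const user = deriveUser(extractUserGroup(services[name]))
    rows.push({ name, user })
    if (user === '') continue
    if (user.indexOf('conflicts with') >= 0) { mismatch = true; continue }
    seen[user] = true
  }
  if (Object.keys(seen).length > 1) mismatch = true
  return { rows, mismatch }
}

// Constructed sample stack exercising the parser edge cases above.
const SAMPLE_SERVICES: Record<string, ServiceDef> = {
  sonarr: { environment: { PUID: 1000, PGID: 1000, UMASK: '002' } },              // numeric env scalars
  radarr: { user: 1000, environment: ['Puid=1000', 'PGID=1000'] },              // numeric user:, list form, typo'd key
  qbittorrent: { user: '1001:1001', environment: { PUID: '1001', PGID: '1001' } },
  plex: { user: '1000:1001', environment: { PUID: '1000', PGID: '1000' }, group_add: [44, 'video'] },
}
```

On this sample, sonarr and radarr both collapse to 1000:1000, qbittorrent is 1001:1001, and plex is annotated because its user: gid disagrees with PGID; identitySummary() therefore reports a mismatch, which is the one-glance answer to "why can't service X read what service Y wrote".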
4cd7347 to da92496
Rebased onto current @coderabbitai full review please — the previous review was on the pre-rebase tip and the three follow-up commits address all three inline comments and the outside-diff main.ts comment.
Stale review against pre-rebase commit daf7b50. All four findings addressed in commits 6d26d0d (fine-grained PAT + chat IDs, also issue #10), 777dc97 (HTML/percent paste decode), and da92496 (numeric user scalar coercion + preview/copy pipeline alignment + missing User/Group test assertions). CodeRabbit status check on the rebased tip da92496 is PASS.
Summary
Eight focused commits — fixes user-reported bugs and adds the most-requested workflow improvements for the *arr / homelab support use-case.
Bugs fixed

- `execCommand('copy')` fallback path so the modern `navigator.clipboard.writeText` failures (focus loss, browsers that expose the API but throw) no longer leave the user staring at a "Copied!" label that didn't actually copy.
- `window.open` synchronously inside the click handler, then await the clipboard write. Previously the await ate the user-activation token in Safari and the popup was blocked.
- `|` shows literally and `_`/`*` chars in volume paths trigger inline formatting. Added a dedicated Copy MD (Discord) button that wraps each table in a fenced code block; the existing GitHub markdown button is preserved as Copy MD (GitHub).

Features

- `user:` directive, `PUID`, `PGID`, `group_add`, `UMASK`. The single biggest *arr support question is "why can't service X read files written by service Y?" — a UID/GID mismatch is now obvious in one glance instead of buried in env dumps.
- `user` extra in the service overview merges the `user:` directive with `PUID`/`PGID` env vars, collapsing to a single value when they match and annotating the directive when they conflict.
- `Puid` still surfaces.

Redaction expansion

Closes the gaps identified in the redaction audit:

- `*_URL`, `*_URI`, `*_DSN`, `DATABASE_*`, `REDIS_*`, `MONGO_*`, `POSTGRES_*`, etc.
- `*webhook*`.
- `_FILE` suffix stripping for the Docker-secrets convention.
- `scheme://user:pass@host`, `ghp_…`/`gho_…` etc., AWS access key IDs (`AKIA…`), Tailscale (`tskey-…-…`), Discord/Slack webhook URLs, JWT-shaped tokens.

CI / Dependabot

- `gh pr merge --auto --squash` for minor + patch updates, gated on CI green.
- `permissions: contents: read` for least-privilege.
- `paths-ignore` skips docs/config-only commits so README edits stop spamming pre-release tags.

Tests

231 tests pass (was 191). New coverage:

- `###` in Discord output for older clients.
- `_FILE` suffix.

Build

Single-file output is 82 KB / 26 KB gzipped — well under the 150 KB CI gate.

Test plan

- `npm test` — 231 tests pass
- `npx tsc --noEmit` — clean
- `npm run build` — 82 KB output