Skip to content

feat: v0.9.1 — silence CLI AUTH_SECRET warning, add cf --version, trademark policy#627

Merged
frankbria merged 1 commit into
mainfrom
feat/v0.9.1-auth-warning-trademark
Jun 13, 2026
Merged

feat: v0.9.1 — silence CLI AUTH_SECRET warning, add cf --version, trademark policy#627
frankbria merged 1 commit into
mainfrom
feat/v0.9.1-auth-warning-trademark

Conversation

@frankbria

@frankbria frankbria commented Jun 13, 2026

Copy link
Copy Markdown
Owner

Bundles the follow-ups that surfaced after the v0.9.0 publish into a single v0.9.1. Refs #613 (does not close it — PyPI go-live for 0.9.1 is the tag push).

Fixes

The AUTH_SECRET not set warning on every cf command. It was a module-level side effect in codeframe/auth/manager.py that ran at import; Python's last-resort logging handler then printed it to stderr, so it leaked onto the CLI even though the Golden Path never uses auth. Removed the import-time warning. The check that matters is untouched: ui/server.py:_validate_security_config() (called at startup) still warns in self-hosted mode and raises in hosted mode. Covered by a new regression test (fresh-interpreter import is silent; hosted-mode still raises; self-hosted still warns).

Added

  • cf --version / cf -V — resolves the installed version from package metadata via a root Typer callback. This also fixes the verification confusion: with uv tool install, the package is isolated, so a system Python's importlib.metadata.version('codeframe-ai') raises PackageNotFoundError (expected, not a bug). Use cf --version or uv tool list.
  • TRADEMARKS.md — trademark policy. The AGPL covers the code; the CodeFRAME™ name and logo are trademarks of Noatak Enterprises, LLC, dba Bria Strategy Group, reserved separately. Permits nominative use ("works with CodeFRAME"); requires permission to name a fork/product "CodeFRAME". Uses ™ (mark is pending, not yet registered — ® would be improper now). Conservative language, flagged for your attorney's review.

Changed

  • README: ™ on the header and a footer trademark notice; a "Trademark" bullet + cross-link. LICENSING.md: a code-vs-brand callout linking the policy.
  • Version 0.9.0 → 0.9.1; CHANGELOG.md updated.

Verification

  • New tests: tests/auth/test_import_is_quiet.py, tests/cli/test_version_flag.py — pass.
  • Full tests/cli/ + tests/auth/: 494 passed, 9 skipped (serve stubs) — the new root callback doesn't disturb existing commands.
  • uv build0.9.1; cf --versioncodeframe 0.9.1; wheel still complete (24 packages); cf --help shows zero AUTH_SECRET lines.
  • ruff check clean.

After merge (you)

Tag v0.9.1 to publish: git tag -a v0.9.1 -m "CodeFRAME 0.9.1" && git push origin v0.9.1 → the release workflow builds, publishes to PyPI (trusted publishing is already set up), and cuts the GitHub Release. ™ → ® swap is a future change once registration issues.

Summary by CodeRabbit

Release Notes

  • New Features

    • Added --version / -V CLI flag to display installed version
    • Introduced CodeFRAME™ trademark policy documentation
  • Bug Fixes

    • Resolved default AUTH_SECRET warnings appearing in CLI output
  • Documentation

    • Added trademark usage guidelines and licensing clarifications
    • Updated README and licensing documents with trademark attribution

…demark policy

Fixes
- Default-AUTH_SECRET warning fired at import time in auth/manager.py and, via
  logging's last-resort handler, printed on every `cf` command (the Golden Path
  never uses auth). Removed the import-time warning; server startup validation
  (ui/server.py:_validate_security_config) is unchanged — still warns in
  self-hosted mode and raises in hosted mode. Regression test added.

Added
- `cf --version` / `-V` resolves the installed version from package metadata
  (root Typer callback). Note for users: with `uv tool install`, check via
  `cf --version` or `uv tool list` — a system Python won't see the isolated env.
- TRADEMARKS.md: the AGPL covers the code; the CodeFRAME name and logo are
  trademarks of Noatak Enterprises, LLC, dba Bria Strategy Group, reserved
  separately. Forks may use the code but must rename. README/LICENSING.md note
  the code/brand boundary; README header + footer carry the (TM) notice.

Release
- Version 0.9.0 -> 0.9.1; CHANGELOG updated.

Refs #613.
@coderabbitai

coderabbitai Bot commented Jun 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4591fbdf-3cb8-4f23-ba45-138c1fea54a0

📥 Commits

Reviewing files that changed from the base of the PR and between bd4c2ba and 30d026e.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (9)
  • CHANGELOG.md
  • LICENSING.md
  • README.md
  • TRADEMARKS.md
  • codeframe/auth/manager.py
  • codeframe/cli/app.py
  • pyproject.toml
  • tests/auth/test_import_is_quiet.py
  • tests/cli/test_version_flag.py

Walkthrough

Bumps the package to version 0.9.1. Adds a --version/-V CLI flag resolved via importlib.metadata. Removes the import-time AUTH_SECRET default-secret warning from auth/manager.py, deferring it to server startup. Introduces TRADEMARKS.md and updates README.md and LICENSING.md with trademark cross-references.

Changes

CLI version flag and quiet auth import

Layer / File(s) Summary
CLI --version/-V flag and version bump
codeframe/cli/app.py, pyproject.toml, tests/cli/test_version_flag.py
Adds _get_version (with importlib.metadata fallback) and _version_callback, wired to the root Typer callback as an eager --version/-V option that prints the version and exits; pyproject.toml bumped to 0.9.1; parametrized test asserts clean exit and semver pattern in stdout.
Remove import-time AUTH_SECRET warning
codeframe/auth/manager.py, tests/auth/test_import_is_quiet.py
Strips the warning emitted on module import, leaving a comment that defers the check to _validate_security_config() at server start; regression test runs a subprocess import to assert no AUTH_SECRET text on stderr and pins hosted vs. self-hosted validation behavior.
CHANGELOG 0.9.1 release notes
CHANGELOG.md
Adds the [0.9.1] section documenting the version flag, TRADEMARKS.md addition, auth warning fix, and branding changes; updates [Unreleased] and [0.9.1] compare links.

Trademark policy documentation

Layer / File(s) Summary
TRADEMARKS.md and cross-references
TRADEMARKS.md, README.md, LICENSING.md
New TRADEMARKS.md defines ownership, permitted/restricted uses, correct mark usage, and a contact email; README.md gains ™ in the title, a trademark bullet, and updated footer wording; LICENSING.md adds a paragraph separating AGPL code rights from trademark restrictions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hop hop, what's the version today?
cf --version now shows the way!
The secret stays quiet at import time,
And trademarks are marked with a ™ chime.
TRADEMARKS.md guards the CodeFRAME name,
This rabbit ships 0.9.1 — ready to claim! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 71.43% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely summarizes the three main changes: silencing the CLI AUTH_SECRET warning, adding the cf --version flag, and establishing a trademark policy.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/v0.9.1-auth-warning-trademark

Comment @coderabbitai help to get the list of available commands and usage tips.

@claude

claude Bot commented Jun 13, 2026

Copy link
Copy Markdown

Code Review — v0.9.1 patch

This is a clean, well-scoped patch that addresses the three issues from the v0.9.0 publish. Overall quality is high. A few observations:


Auth warning removal (manager.py) — the fix is correct. Moving the guard from module-level to _validate_security_config() (called only at server startup) is the right model. The explanatory comment in place of the old warning is genuinely helpful for the next reader. Verified that the server-side check still distinguishes self-hosted (warn) from hosted (raise) — nothing was lost.

cf --version (app.py) — textbook Typer idiom: is_eager=True, raise typer.Exit(), and the @app.callback() placement is correct. The inline import in _get_version() is a minor style note (imports inside functions are unconventional), but it is reasonable here to defer the importlib.metadata import until the flag is actually requested. Not worth changing.

Test quality — all three test patterns are solid:

  • test_importing_auth_manager_emits_no_warning uses subprocess.run for true interpreter isolation — the right tool for this.
  • test_server_validation_still_raises_in_hosted_mode monkeypatches manager.SECRET at the module level so the lazy import inside _validate_security_config() picks up the patched value correctly.
  • test_version_flag_prints_version_and_exits accepts 0.0.0+unknown via the semver-ish regex — handles the uninstalled-tree path.

TRADEMARKS.md — correctly uses TM (pending, not yet registered), the nominative-use section is clear, and the LICENSING.md cross-link closes the loop. The attorney-review flag in the PR description is appropriate given the legal nature.


Minor observations (none blocking):

  1. _root docstring is the new app-level help text. cf --help will now display "CodeFRAME: Autonomous coding agent orchestration (v2 CLI)." as the top-level description. If there is already a description set elsewhere on app, they could conflict. Worth a quick cf --help pass to confirm the output looks right.

  2. test_server_validation_warns_but_allows_in_self_hosted_mode — the caplog assertion checks r.message (the unformatted log string), and the warning text in server.py contains "default AUTH_SECRET". The substring matches. Just noting the dependency in case the warning wording changes later.

  3. README trademark repetition — the footer now has the TM notice in two forms: a sentence paragraph and an italic line. The duplication is minor but could be collapsed into one if the README is already long.

  4. CHANGELOG link ordering — looks correct: [Unreleased] points to v0.9.1...HEAD, new [0.9.1] entry compares v0.9.0...v0.9.1. No issues.


Verdict: All core changes are correct, the regression test coverage pins the exact behavior that broke in v0.9.0, and the trademark policy is appropriate for a pending-registration mark. Ready to merge once you have confirmed cf --help output looks right with the new @app.callback() docstring in place.

@frankbria frankbria merged commit 4637786 into main Jun 13, 2026
11 checks passed
@frankbria frankbria deleted the feat/v0.9.1-auth-warning-trademark branch June 13, 2026 23:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant