Implement multi-progress tracking and enhance security checks (#54)

* Implement multi-progress tracking with progress spinners

- Added `ProgressSpinner` and `MultiProgress` types for managing concurrent progress bars.
- Introduced task status constants: Pending, Running, Success, Failed, and Skipped.
- Implemented methods for starting, completing, failing, and skipping tasks.
- Added functionality to increment progress and track bytes written.
- Created rendering logic for displaying progress bars in the terminal.
- Implemented tests for all new functionality, including status transitions and concurrent access.
- Added helper functions for formatting output and managing terminal display.

* feat: enhance dependency checks and add vulnerability scanning tools

* fix: adjust race detector usage in CI for macOS compatibility

Author: jongio

.github/workflows/ci.yml

@@ -40,9 +40,15 @@ jobs:
       - name: Install golangci-lint
         run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
 
+      - name: Install staticcheck
+        run: go install honnef.co/go/tools/cmd/staticcheck@latest
+
       - name: Install gosec
         run: go install github.com/securego/gosec/v2/cmd/gosec@latest
 
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
       - name: Run preflight checks
         run: mage preflight
 
@@ -106,7 +112,12 @@ jobs:
         shell: bash
         run: |
           mkdir -p ../coverage
-          go test -short -v -race -coverprofile=../coverage/coverage.out ./...
+          # Race detector not supported on macOS without additional setup
+          if [ "${{ matrix.os }}" = "macos-latest" ]; then
+            go test -short -v -coverprofile=../coverage/coverage.out ./...
+          else
+            go test -short -v -race -coverprofile=../coverage/coverage.out ./...
+          fi
 
       - name: Upload coverage to Codecov
         if: github.repository == 'jongio/azd-app'

.github/workflows/release.yml

@@ -45,9 +45,15 @@ jobs:
       - name: Install golangci-lint
         run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
 
+      - name: Install staticcheck
+        run: go install honnef.co/go/tools/cmd/staticcheck@latest
+
       - name: Install gosec
         run: go install github.com/securego/gosec/v2/cmd/gosec@latest
 
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
       - name: Run preflight checks
         run: mage preflight
 
@@ -111,7 +117,12 @@ jobs:
         shell: bash
         run: |
           mkdir -p ../coverage
-          go test -short -v -race -coverprofile=../coverage/coverage.out ./...
+          # Race detector not supported on macOS without additional setup
+          if [ "${{ matrix.os }}" = "macos-latest" ]; then
+            go test -short -v -coverprofile=../coverage/coverage.out ./...
+          else
+            go test -short -v -race -coverprofile=../coverage/coverage.out ./...
+          fi
 
   lint:
     name: Lint

.gitignore

@@ -112,3 +112,4 @@ cli2/jongio.azd.app/internal/cmd/prompt.go
 cli2/jongio.azd.app/internal/cmd/root.go
 cli2/jongio.azd.app/internal/cmd/version.go
 azd-app.sln
+cli/output-coverage

cli/docs/dev/parallel-install-output-spec.md

@@ -0,0 +1,93 @@
+# Parallel Dependency Installation Output Specification
+
+## Overview
+When installing dependencies for multiple projects concurrently, each project should display its own progress indicator and final status on separate, persistent lines.
+
+## Requirements
+
+### During Installation
+1. **Concurrent Display**: Each project displays on its own line with an animated progress indicator
+2. **Non-Overlapping Output**: Multiple projects install concurrently with separate, non-interfering progress displays
+3. **Real-time Activity**: Progress shows live activity (spinning/counting) while npm/pip/dotnet runs
+4. **Activity Feedback**: As the underlying process writes output, the progress bar updates to show work is happening
+
+### After Completion
+1. **Persistent Status Lines**: Each project shows a final status line that remains visible (doesn't disappear)
+2. **Success Format**: `✓ <project-name> (<package-manager>)` displayed in green
+3. **Failure Format**: `✗ <project-name> (<package-manager>)` displayed in red
+4. **Complete Summary**: All final status lines remain visible so user can see the complete summary of what succeeded/failed
+5. **Overall Summary**: After all projects complete, show total count: `✓ Installed N project(s)` or error summary
+
+## Visual Layout
+
+### Expected Output Flow
+```
+Installing Dependencies
+
+web (npm) (15/-, 8 it/s) [1s]    ← animated progress bar
+api (pip) (12/-, 6 it/s) [1s]    ← animated progress bar
+
+[after completion - progress bars cleared and replaced with:]
+
+✓ web (npm)                       ← persistent success line
+✓ api (pip)                       ← persistent success line
+
+✓ Installed 2 project(s)          ← overall summary
+```
+
+### Error Case
+```
+Installing Dependencies
+
+web (npm) (23/-, 9 it/s) [2s]    ← animated progress bar
+api (pip) (8/-, 4 it/s) [1s]     ← animated progress bar
+
+[after completion:]
+
+✓ web (npm)                       ← success
+✗ api (pip)                       ← failure
+
+✗ Failed to install 1 project(s)  ← error summary
+  • api: failed to install requirements: ...
+```
+
+## Implementation Details
+
+### Progress Display
+- **Type**: Indeterminate spinner bar (unknown total)
+- **Updates**: Incremented on each write from npm/pip/dotnet process
+- **Cleanup**: On completion, clear the progress bar line before printing status
+
+### Output Flow
+1. Create progress bar for each project with project name + package manager as description
+2. Route process stdout/stderr to update progress on each write
+3. When installation completes:
+   - Stop the progress bar
+   - Clear the progress bar line (overwrite with spaces + carriage return)
+   - Print final status: `✓ <name>` or `✗ <name>` on a fresh line
+4. After all projects complete, print overall summary
+
+### Concurrency Handling
+- Each project runs concurrently
+- All projects must complete before showing summary
+- Thread-safe handling of concurrent progress updates
+- Progress display library handles concurrent rendering to terminal
+
+### Status Messages
+- **Success**: Green checkmark + project identifier
+- **Failure**: Red X + project identifier + error details in summary
+- **Summary**: Total count of successful/failed installations
+
+## Edge Cases
+
+### No Projects Found
+Show message: "No projects found"
+
+### All Skipped (Already Installed)
+Still show per-project status but indicate they were skipped
+
+### Mixed Success/Failure
+Show all individual statuses, then error summary listing only failures
+
+### JSON Output Mode
+Suppress all progress bars and status lines, output only JSON result at end

cli/magefile.go

@@ -284,6 +284,74 @@ func Vet() error {
 	return nil
 }
 
+// Staticcheck runs staticcheck for advanced static analysis.
+func Staticcheck() error {
+	fmt.Println("Running staticcheck...")
+	if err := sh.RunV("staticcheck", "./..."); err != nil {
+		fmt.Println("⚠️  staticcheck found issues. Ensure staticcheck is installed:")
+		fmt.Println("    go install honnef.co/go/tools/cmd/staticcheck@latest")
+		return err
+	}
+	fmt.Println("✅ staticcheck passed!")
+	return nil
+}
+
+// ModTidy ensures go.mod and go.sum are tidy.
+func ModTidy() error {
+	fmt.Println("Running go mod tidy...")
+	if err := sh.RunV("go", "mod", "tidy"); err != nil {
+		return fmt.Errorf("go mod tidy failed: %w", err)
+	}
+
+	// Check if there are any changes
+	if err := sh.RunV("git", "diff", "--exit-code", "go.mod", "go.sum"); err != nil {
+		return fmt.Errorf("go.mod or go.sum has uncommitted changes after running go mod tidy - please review and commit these changes")
+	}
+
+	fmt.Println("✅ go mod tidy passed!")
+	return nil
+}
+
+// ModVerify verifies dependencies have expected content.
+func ModVerify() error {
+	fmt.Println("Running go mod verify...")
+	if err := sh.RunV("go", "mod", "verify"); err != nil {
+		return fmt.Errorf("go mod verify failed: %w", err)
+	}
+	fmt.Println("✅ go mod verify passed!")
+	return nil
+}
+
+// Vulncheck runs govulncheck to check for known vulnerabilities.
+func Vulncheck() error {
+	fmt.Println("Running govulncheck...")
+	if err := sh.RunV("govulncheck", "./..."); err != nil {
+		fmt.Println("⚠️  govulncheck found vulnerabilities. Ensure govulncheck is installed:")
+		fmt.Println("    go install golang.org/x/vuln/cmd/govulncheck@latest")
+		return err
+	}
+	fmt.Println("✅ No known vulnerabilities found!")
+	return nil
+}
+
+// runVulncheck runs govulncheck if available, otherwise skips.
+func runVulncheck() error {
+	fmt.Println("Checking for known vulnerabilities...")
+	// Check if govulncheck is installed
+	if _, err := exec.LookPath("govulncheck"); err != nil {
+		fmt.Println("⚠️  govulncheck not installed - skipping vulnerability check")
+		fmt.Println("    Install with: go install golang.org/x/vuln/cmd/govulncheck@latest")
+		return nil // Don't fail preflight if not installed
+	}
+
+	if err := sh.RunV("govulncheck", "./..."); err != nil {
+		fmt.Println("⚠️  Known vulnerabilities found!")
+		return err
+	}
+	fmt.Println("✅ No known vulnerabilities found!")
+	return nil
+}
+
 // Clean removes build artifacts and coverage reports.
 func Clean() error {
 	fmt.Println("Cleaning build artifacts...")
@@ -369,12 +437,16 @@ func Preflight() error {
 		fn   func() error
 	}{
 		{"Formatting code", Fmt},
+		{"Verifying go.mod consistency", ModVerify},
+		{"Tidying go.mod and go.sum", ModTidy},
 		{"Building and linting dashboard", DashboardBuild},
 		{"Running dashboard tests", DashboardTest},
 		{"Building Go binary", Build},
 		{"Running go vet", Vet},
+		{"Running staticcheck", Staticcheck},
 		{"Running standard linting", Lint},
 		{"Running quick security scan", runQuickSecurity},
+		{"Checking for known vulnerabilities", runVulncheck},
 		{"Running all tests with coverage", TestCoverage},
 	}
 
@@ -387,7 +459,8 @@ func Preflight() error {
 	}
 
 	fmt.Println("✅ All preflight checks passed!")
-	fmt.Println("💡 Tip: Run 'mage security' for a full security scan (~4 minutes)")
+	fmt.Println("💡 Tips:")
+	fmt.Println("   • Run 'mage security' for a full security scan (~4 minutes)")
 	fmt.Println("🎉 Ready to ship!")
 	return nil
 }

cli/src/cmd/app/commands/core.go

@@ -360,7 +360,8 @@ func (di *DependencyInstaller) installProject(projectType, dir, manager string,
 func executeDeps() error {
 	if !output.IsJSON() {
 		output.Newline()
-		output.Section("🔍", "Installing dependencies")
+		output.Section("📦", "Installing Dependencies")
+		output.Newline()
 	}
 
 	// Determine search root
@@ -372,37 +373,89 @@ func executeDeps() error {
 		return err
 	}
 
-	// Install dependencies
-	installer := NewDependencyInstaller(searchRoot)
-	results, err := installer.InstallAll()
+	// Detect all projects
+	nodeProjects, err := detector.FindNodeProjects(searchRoot)
 	if err != nil {
-		return err
+		if output.IsJSON() {
+			return output.PrintJSON(DepsResult{Error: fmt.Sprintf("failed to detect Node.js projects: %v", err)})
+		}
+		return fmt.Errorf("failed to detect Node.js projects: %w", err)
 	}
+	pythonProjects, err := detector.FindPythonProjects(searchRoot)
+	if err != nil {
+		if output.IsJSON() {
+			return output.PrintJSON(DepsResult{Error: fmt.Sprintf("failed to detect Python projects: %v", err)})
+		}
+		return fmt.Errorf("failed to detect Python projects: %w", err)
+	}
+	dotnetProjects, err := detector.FindDotnetProjects(searchRoot)
+	if err != nil {
+		if output.IsJSON() {
+			return output.PrintJSON(DepsResult{Error: fmt.Sprintf("failed to detect .NET projects: %v", err)})
+		}
+		return fmt.Errorf("failed to detect .NET projects: %w", err)
+	}
+
+	totalProjects := len(nodeProjects) + len(pythonProjects) + len(dotnetProjects)
 
 	// Handle no projects case
-	if len(results) == 0 {
+	if totalProjects == 0 {
 		if output.IsJSON() {
 			return output.PrintJSON(DepsResult{
 				Success:  true,
 				Projects: []InstallResult{},
 				Message:  msgNoProjectsDetected,
 			})
 		}
-		output.Info(msgNoProjectsDetected + " - skipping dependency installation")
+		output.Info(msgNoProjectsDetected)
 		return nil
 	}
 
-	// Output results
-	if output.IsJSON() {
-		allSuccess := checkAllSuccess(results)
-		return output.PrintJSON(DepsResult{
-			Success:  allSuccess,
-			Projects: results,
-		})
+	// Use parallel installer for concurrent installation with progress bars
+	if !output.IsJSON() {
+		parallelInstaller := installer.NewParallelInstaller()
+		parallelInstaller.Verbose = depsVerbose
+
+		// Add all projects to the parallel installer
+		for _, project := range nodeProjects {
+			parallelInstaller.AddNodeProject(project)
+		}
+		for _, project := range pythonProjects {
+			parallelInstaller.AddPythonProject(project)
+		}
+		for _, project := range dotnetProjects {
+			parallelInstaller.AddDotnetProject(project)
+		}
+
+		// Run all installations in parallel
+		if err := parallelInstaller.Run(); err != nil {
+			return err
+		}
+
+		// Check for failures
+		if parallelInstaller.HasFailures() {
+			failedProjects := parallelInstaller.FailedProjects()
+			if len(failedProjects) > 0 {
+				return fmt.Errorf("failed to install %d of %d projects: %v", len(failedProjects), parallelInstaller.TotalProjects(), failedProjects)
+			}
+			return fmt.Errorf("some installations failed")
+		}
+
+		return nil
 	}
 
-	output.Success("Dependencies installed successfully!")
-	return nil
+	// JSON mode: use sequential installer
+	depInstaller := NewDependencyInstaller(searchRoot)
+	results, err := depInstaller.InstallAll()
+	if err != nil {
+		return err
+	}
+
+	allSuccess := checkAllSuccess(results)
+	return output.PrintJSON(DepsResult{
+		Success:  allSuccess,
+		Projects: results,
+	})
 }
 
 // getSearchRoot determines the search root for finding projects.