Describe the bug
wheels upgrade check --to=4.0.0 for currentMajor <= 3 && targetMajor >= 4 in cli/lucli/Module.cfc (around line 3591) only checks:
- Legacy plugins/ directory exists
- extends="wheels.Test" in any file under tests/
- application.wirebox references in any file under app/
It misses 8 of the 11 documented breakers from the canonical 3.x → 4.0 guide:
- CORS default flip (deny-all)
- HSTS default on in production
- CSRF key + JWT alg validation
- allowEnvironmentSwitchViaUrl defaults to false in production
- RateLimiter trustProxy=false and proxyStrategy="last"
- CSRF cookie SameSite=Lax
- wheels snippets → wheels generate snippets CLI rename
- tests/specs/functions/ → tests/specs/functional/ directory rename
- Vite manifest strictness (viteStrictManifest defaults to true)
Why this matters
A 3.x user runs wheels upgrade check, sees only the WireBox bootstrap, the plugin folder, and the test base class flagged, upgrades, and then hits one of the unscanned breakers in production. The tool's silence is interpreted as a green light. The whole point of an "upgrade check" command is to surface what needs attention before you ship.
Suggested fix
Extend the 3.x → 4.x checks block in runUpgradeCheck() to scan for each of the 8 missing breakers. Most can be done with simple greps:
- Grep config/ for allowEnvironmentSwitchViaUrl=true and warn if not explicitly disabled or scoped to staging.
- Grep config/ for set(reloadPassword="") or absence of reloadPassword.
- Check for tests/specs/functions/ directory.
- Grep Makefile, package.json, *.sh, .github/workflows/* for wheels snippets (no generate).
- Grep views for viteScriptTag/viteStyleTag/vitePreloadTag and warn that the strictness default has flipped.
- Grep config/ for set(middleware=[...]) and parse for new wheels.middleware.Cors() without an allowOrigins argument.
- Grep config/ for set(middleware=[...]) with RateLimiter and no explicit trustProxy/proxyStrategy.
A textual scan won't catch every case (middleware built up across files, dynamically-constructed config) but it raises the floor significantly.
Environment
- Wheels CLI: 4.0.0-SNAPSHOT+1779
🤖 Filed by Claude Code while assisting with a 4.0 upgrade testbed
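
The grep-based scan proposed under "Suggested fix", written as an added example in POSIX shell (not code from the Wheels project or its CLI). The function names, finding IDs and sample tree are constructed here, and it assumes views live under app/ and that each middleware constructor call sits on one line.

```shell
#!/bin/sh
# Added example (not Wheels CLI code): line-based textual scan for the
# 3.x -> 4.0 breakers listed above. Prints one "ID: detail" line per finding.

# hit PATTERN PATH...: true if any file under PATH matches the extended regex.
hit() { _p=$1; shift; grep -rEqs -e "$_p" "$@"; }

# lacks PATTERN WANT PATH...: true if some line matching PATTERN does not also
# contain WANT (e.g. a constructor call missing an explicit argument).
lacks() { _p=$1; _w=$2; shift 2; grep -rEhs -e "$_p" "$@" | grep -Eqv -e "$_w"; }

scan_breakers() {
  r=$1; c=$1/config
  hit 'allowEnvironmentSwitchViaUrl[[:space:]]*=[[:space:]]*true' "$c" &&
    echo "ENV_SWITCH: allowEnvironmentSwitchViaUrl=true in config/"
  if hit 'reloadPassword[[:space:]]*=[[:space:]]*""' "$c" || ! hit 'reloadPassword' "$c"; then
    echo "RELOAD_PW: reloadPassword empty or not set in config/"
  fi
  [ -d "$r/tests/specs/functions" ] &&
    echo "TEST_DIR: tests/specs/functions/ must become tests/specs/functional/"
  hit 'wheels[[:space:]]+snippets' "$r/Makefile" "$r/package.json" "$r"/*.sh "$r/.github/workflows" &&
    echo "SNIPPETS: 'wheels snippets' is now 'wheels generate snippets'"
  hit 'vite(Script|Style|Preload)Tag' "$r/app" &&  # assumption: views are under app/
    echo "VITE: Vite tag helpers in use; viteStrictManifest now defaults to true"
  lacks 'wheels\.middleware\.Cors\(' 'allowOrigins' "$c" &&
    echo "CORS: Cors() without allowOrigins; default is now deny-all"
  lacks 'RateLimiter' 'trustProxy|proxyStrategy' "$c" &&
    echo "RATE_LIMIT: RateLimiter without explicit trustProxy/proxyStrategy"
  return 0
}

# Constructed 3.x-style project tree, for demonstration only.
make_sample() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/config" "$d/tests/specs/functions" "$d/app/views" "$d/.github/workflows"
  cat > "$d/config/settings.cfm" <<'EOF'
set(allowEnvironmentSwitchViaUrl=true);
set(middleware=[new wheels.middleware.Cors()]);
EOF
  echo 'run: wheels generate snippets' > "$d/.github/workflows/ci.yml"
  echo "$d"
}

sample=$(make_sample) && scan_breakers "$sample"; rm -rf "$sample"
```

The already-renamed command in the sample workflow is not flagged, while the missing reloadPassword is, matching the "absence of reloadPassword" rule above.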