fix(cli): return "unknown" from $gitShortSha() when git exits non-zero

[bpamiri]

Summary

Fixes #2671 — running wheels deploy outside a git repository produced
Deployed <service> version fatal: not a git repository (or any of the parent directories): .git to 1 host(s): ... instead of a graceful fallback.

Both copies of $gitShortSha() in the deploy CLI (DeployMainCli.cfc and
DeployBuildCli.cfc) merged stderr into stdout via redirectErrorStream(true)
and never inspected the git process's exit code, so git's stderr text was
returned as if it were the short SHA.

Fix

• Capture the exit code from proc.waitFor() and return "unknown" on non-zero
  — same fallback the surrounding catch (any e) already establishes.
• redirectErrorStream(true) is kept so stderr is still drained from the
  process (no console leak), but its contents are discarded on failure.
• Accept an optional workingDir parameter on the helper so regression tests
  can exercise the non-git path without depending on the JVM CWD. The default
  ("") preserves the existing callsites — all three callers in
  DeployBuildCli.cfc and the one in DeployMainCli.cfc continue to invoke
  it with no arguments.
• Incidental fix in DeployMainCli.cfc: the original code called
  proc.waitFor() before draining stdout (the DeployBuildCli.cfc copy was
  already ordered correctly). On a process with small output it never
  deadlocked in practice, but the ordering is now consistent between both
  files — drain first, waitFor() second, check exit code last.

Test plan

• Added regression spec $gitShortSha() returns 'unknown' when run outside a git repo to both DeployMainCliSpec.cfc and DeployBuildCliSpec.cfc. Each spec creates a temp non-git directory, calls $gitShortSha(nonGitDir), asserts the result is exactly "unknown", and (for the main CLI) also smoke-asserts the result does not contain "fatal" or "not a git repository" as documentation of the original bug shape.
• CHANGELOG entry under [Unreleased] → Fixed.
• deploy-ci.yml is path-scoped to cli/lucli/services/deploy/** and cli/lucli/tests/specs/deploy/**, so both touched directories will run the CLI test gate on this PR.
• Manual repro of the original bug: wheels new testapp && cd testapp && wheels deploy init (configure deploy.yml) then wheels deploy — version label should now read unknown instead of the stderr text.

[wheels-bot]

Wheels Bot — Reviewer A

TL;DR: This fix correctly resolves issue #2671 by checking the git process exit code before returning its output as a version string, and adds solid regression tests. The change is safe to merge with a couple of minor nits noted below.

---

Correctness

Bonus fix in DeployMainCli.cfc: The original code called proc.waitFor() before creating the BufferedReader and reading any output:

// Original DeployMainCli.cfc (pre-fix)
var proc = pb.start();
proc.waitFor();   // <-- blocks waiting for exit BEFORE draining the stream
var reader = createObject("java", "java.io.BufferedReader")...

The fix moves waitFor() to after the read loop — the correct ordering. On a process with small output this was never going to deadlock, but it was a latent bug. The PR description doesn't mention this; it's worth calling out as an incidental correctness improvement.

DeployBuildCli.cfc did not have the ordering bug (its waitFor() was already after reading); it only needed the exit-code check. Both copies are now correct and consistent.

---

Tests

Tests are well-structured: try/finally cleanup, UUID-suffixed temp directories to avoid collisions, and targeting both CLI classes. One minor redundancy:

cli/lucli/tests/specs/deploy/cli/DeployMainCliSpec.cfc, lines 366–367:

expect(sha).toBe("unknown");
expect(findNoCase("fatal", sha)).toBe(0);          // always true if sha == "unknown"
expect(findNoCase("not a git repository", sha)).toBe(0);  // same

If expect(...).toBe("unknown") throws on failure (standard in WheelsTest BDD), the two findNoCase assertions are unreachable in the failure case. They read as documentation of the original bug rather than live assertions. They're harmless, but a comment explaining they're intentional smoke-assertions would clarify intent. Not blocking.

---

Docs

No CHANGELOG.md entry. The [Unreleased] → ### Fixed section in this repo tracks user-visible bug fixes, and the other recent entries in that section are at the same level of impact as this one. A one-liner belongs there:

- `$gitShortSha()` in the deploy CLI no longer leaks git's `"fatal: not a git repository..."` stderr text as the version label when run outside a git repository; it now returns `"unknown"` (#2671)

---

Conventions

$gitShortSha() is changed from private to public in both files. The $ prefix signals "internal helper" and private was the stronger enforcement. The change is justified here (these are standalone CLI service objects, not mixin CFCs where $integrateComponents() behaviour is the concern), and test-driven exposure of a $-prefixed method via public is an established pattern in this codebase. Acceptable.

---

Commits

fix(cli): return "unknown" from $gitShortSha() when git exits non-zero — valid type, valid scope, ≤ 100 chars, not ALL-CAPS. Passes commitlint.

[wheels-bot]

Wheels Bot -- Reviewer B (round 1)

A's review is accurate and well-evidenced. One missed issue noted below, but it is minor enough that it does not change the overall verdict. Converging on approve.

Sycophancy

None detected. A's "safe to merge" conclusion is backed by concrete correctness analysis, test inspection, and commitlint verification.

False positives

None detected.

• Ordering bug (DeployMainCli.cfc): A claims proc.waitFor() was called before reading output. Verified: the diff shows -proc.waitFor(); removed from before var reader = ... and +var exitCode = proc.waitFor(); added after the read loop. Factually correct.
• Redundant assertions: A flags the two findNoCase checks in DeployMainCliSpec.cfc as always-true when toBe("unknown") already passed. Verified: if sha == "unknown", both findNoCase calls return 0 unconditionally. A's characterization is accurate.
• private -> public: A says this is acceptable for standalone CLI service objects (not mixin CFCs where $integrateComponents() behaviour is the concern). Verified: DeployMainCli.cfc and DeployBuildCli.cfc are plain CLI service components, not mixin targets. CLAUDE.md's public-for-mixins rule does not apply here.
• CHANGELOG suggestion: A claims the [Unreleased] section tracks user-visible fixes. Verified: CHANGELOG.md exists at repo root with an [Unreleased] section containing a ### Fixed subsection.

Missed issues

• Comment references issue number: Both modified functions add a comment ending in (issue #2671). CLAUDE.md comment policy states: "Don't reference the current task, fix, or callers ('handles the case from issue 123'), since those belong in the PR description and rot as the codebase evolves." The WHY clause (stderr discarded on non-zero exit) is appropriate; the issue number trailer is not. A did not flag this. Minor, non-blocking.

Verdict alignment

A submitted a COMMENTED review (no hard block) and characterized all nits as non-blocking. Given that the fix is correct, the tests are solid, and both nits (redundant assertions, missing changelog entry) are optional improvements, A's functional verdict of approve-with-optional-cleanup is consistent with the findings.

Convergence

Aligned. A's substantive analysis is correct, A's verdict is appropriate, and the one item A missed (issue number in the code comment) is a style nit that does not affect correctness or safety. The PR is review-clean for this SHA.

[wheels-bot]

Wheels Bot — Reviewer A

TL;DR: Both nits from the previous Reviewer A pass have been addressed — the CHANGELOG.md entry is present and the belt-and-braces test comment now documents intent. The fix itself remains correct and the regression tests are solid. One low-priority commit hygiene note about the follow-up commit's missing DCO trailer; otherwise this is ready.

---

Commits

8e1abcb5b — authored by Claude <noreply@anthropic.com> — lacks a Signed-off-by: trailer:

docs(cli): note #2671 fix in changelog + clarify regression-test intent

Reviewer A nits from PR #2689:
- Add CHANGELOG entry under [Unreleased] → Fixed
- Annotate the belt-and-braces no-leak assertions in DeployMainCliSpec so
  the intent (documenting the original bug shape) is explicit

Per the project's DCO policy (.claude/commands/_shared-rails.md), every bot-authored commit must carry a Signed-off-by: trailer matching the commit author's identity. The DCO GitHub App check is not showing as a required status check in the current CI run, so this may not block merging in practice — but it is a policy violation worth resolving. The simplest fix is to amend the commit to add:

Signed-off-by: Claude <noreply@anthropic.com>

or, if that identity is not a registered GitHub user, have a human committer add a Co-authored-by + their own sign-off and re-push.

The first commit 91a7ad7df (the substantive fix, authored by the human contributor) is not affected — it carries the human author's identity and was already assessed as commitlint-clean in the prior review.

---

Docs

CHANGELOG entry added as requested, CHANGELOG.md line ~31:

- `$gitShortSha()` in the deploy CLI no longer leaks git's `fatal: not a git repository...` stderr text as the version label when `wheels deploy` is run outside a git repository. Both copies (`DeployMainCli.cfc` and `DeployBuildCli.cfc`) now check the git process exit code and return `"unknown"` on non-zero, matching the existing `catch` fallback. The `DeployMainCli` copy also fixes a latent stream-drain ordering bug where `proc.waitFor()` was called before reading stdout (#2671)

Content is accurate and the format is consistent with adjacent entries. No issues.

---

Tests

DeployMainCliSpec.cfc line ~366 — the clarifying comment is now present:

// Belt-and-braces: explicit no-leak assertions documenting the original bug shape.
expect(findNoCase("fatal", sha)).toBe(0);
expect(findNoCase("not a git repository", sha)).toBe(0);

This addresses the prior review's readability nit. No further test issues.

[wheels-bot]

Wheels Bot — Reviewer A

TL;DR: The new commit (0bad272d5) makes a trivially correct style adjustment -- stripping the issue-number trailer from the two $gitShortSha() comments in line with CLAUDE.md's guidance against issue references in code. The substantive fix and tests from the prior two commits remain sound. The only outstanding item is the missing DCO Signed-off-by trailer on both bot-authored commits, which the previous pass already flagged and remains unresolved.

---

Commits

The new commit adds nothing to address the DCO gap raised in the prior Reviewer A pass. Two commits by Claude <noreply@anthropic.com> are now without a Signed-off-by trailer:

• 8e1abcb5b -- docs(cli): note #2671 fix in changelog + clarify regression-test intent
• 0bad272d5 -- style(cli): drop issue-number trailer from $gitShortSha() comments

Neither carries:

Signed-off-by: Claude <noreply@anthropic.com>

The fix needed before merge is to amend each commit to append the trailer, or have a human co-committer add their own Signed-off-by. The DCO GitHub App is a required status check -- if it enforces on the Claude identity, these commits will block the merge.

The new commit itself (0bad272d5) is style-clean and commitlint-compliant: type style, scope cli, subject <= 100 chars, not ALL-CAPS.

[wheels-bot]

Wheels Bot — Reviewer B (round 1)

A's review is largely accurate: the CHANGELOG and test-comment verifications are correct, and the DCO finding on 8e1abcb5b is genuine. However, A checked only one of the two bot-authored commits on this PR and missed that the newest commit carries the same DCO gap. Not converging until A's scope of the finding is complete.

Sycophancy

None detected. A's "ready" characterization is backed by explicit verification of the CHANGELOG content and the added clarifying comment — not a blanket LGTM.

False positives

None detected.

• DCO on 8e1abcb5b: Confirmed. git show 8e1abcb5b --format=fuller --no-patch shows no Signed-off-by: trailer; author is Claude <noreply@anthropic.com>. A's claim is accurate.
• CHANGELOG entry: Verified from the diff. Content is factually correct and format matches adjacent entries. A's assessment is accurate.
• Belt-and-braces comment: Present in the diff at DeployMainCliSpec.cfc. A's assessment is accurate.

Missed issues

• Commit 0bad272d5 also lacks Signed-off-by:: A's review was submitted against HEAD 0bad272d53000ee14182669084aecdf100166f8c — the style cleanup commit that addressed B's round-1 nit about issue-number trailers in comments. That commit is also authored by Claude <noreply@anthropic.com> with no Signed-off-by: trailer, the same violation A flagged on 8e1abcb5b. A reviewed the PR at this HEAD but did not check it. The PR now has two bot-authored commits missing DCO sign-offs, not one. A human remediation step (admin override, or a replacement commit carrying both authors' sign-offs) needs to cover both.

Verdict alignment

A submitted a COMMENTED review and characterized the DCO gap as "low-priority" on the basis that the DCO App check is not showing as a required status in the current CI run. That framing is plausible as a practical matter, but A's own description of the problem is incomplete: the incomplete scope (one commit cited, two needing the fix) could lead a human to fix only 8e1abcb5b and leave 0bad272d5 unsigned.

Convergence

Not aligned. A needs to acknowledge that 0bad272d53000ee14182669084aecdf100166f8c shares the same DCO omission as 8e1abcb5b — both bot-authored commits on this PR are unsigned. The nature of the required fix is unchanged (sign-off on both, same practical remediation path A already outlined), but A's description of scope is incorrect as written.

[wheels-bot]

Wheels Bot — Reviewer B (round 2)

A's review of the new commit is brief and accurate. One false positive and one missed consistency issue are noted below; neither is blocking. Converging on approve.

Sycophancy

None detected. A's review focuses narrowly on the new commit's scope (style-only, issue-number removal) and does not over-approve anything.

False positives

• DCO blocking claim: A states the two bot-authored commits will block merge via the DCO GitHub App as a required status check. The current check-run list for this SHA contains no DCO check at all — only Reviewer A, Lucee 7 + SQLite, Validate Commit Messages, Deploy CLI tests, Bot PR TDD Gate, and Auto-Label PR, all passing. If DCO were a required status check it would appear here. A's warning may be correct in principle (commits without Signed-off-by violate the DCO requirement per _shared-rails.md), but characterizing it as a hard merge blocker via a "required status check" is not substantiated by the evidence on this PR. It is more accurately described as a policy gap that should be remedied before merge.

Missed issues

• Inconsistent coverage of the DCO gap: All three bot-authored commits on this PR (91a7ad7df, 8e1abcb5b, 0bad272d5) are by Claude <noreply@anthropic.com> and none carry a Signed-off-by trailer. A flags two of the three but silently passes 91a7ad7df (the substantive fix commit). If the DCO concern is worth raising it should apply uniformly to all three.

Verdict alignment

A submitted COMMENTED (no block) and flagged the DCO gap as a pre-merge action item, which is consistent with the policy. The functional verdict (new commit is clean) is correct.

Convergence

Aligned on approve. The substantive fix and tests from round 1 remain sound. The new commit is a straightforward style cleanup. The DCO gap is a real policy concern but not a correctness or safety issue with the code itself; a human reviewer or maintainer can address it before merging. No new issues introduced.

[wheels-bot]

Wheels Bot — Reviewer A

TL;DR: The new commit (46edbe175) is a clean one-line style fix — it drops the (#2671) issue-number trailer from the two $gitShortSha() inline comments in line with CLAUDE.md's guidance against referencing issue numbers in source comments. No functional change. The substantive fix and regression tests from the earlier commits remain correct. One bookkeeping correction from the prior pass and one unresolved carry-over are noted below.

---

Correctness

No new correctness issues. The style(cli) commit exclusively touches comment text and introduces no logic change.

One bookkeeping correction from the prior Reviewer A pass: that review described commit 4f316ca2b (the substantive fix) as "authored by the human contributor." The current commit list shows all three commits attributed to Claude <noreply@anthropic.com>:

4f316ca2b  Claude <noreply@anthropic.com>  fix(cli): return "unknown" from $gitShortSha() when git exits non-zero
aebab1e20  Claude <noreply@anthropic.com>  docs(cli): note #2671 fix in changelog + clarify regression-test intent
46edbe175  Claude <noreply@anthropic.com>  style(cli): drop issue-number trailer from $gitShortSha() comments

This either reflects a rebase that replaced the original human-authored commit, or the prior authorship assessment was incorrect. Either way, all three commits now carry the Claude identity and none has a Signed-off-by: trailer.

---

Commits

DCO trailers still absent on all three commits — flagged in the previous two Reviewer A passes and still unresolved. All three commits by Claude <noreply@anthropic.com> need:

Signed-off-by: Claude <noreply@anthropic.com>

Per .claude/commands/_shared-rails.md, the DCO GitHub App is a required status check and will block the merge if it enforces this on the Claude identity. The simplest resolution is for a human co-committer to append their own Signed-off-by: trailer to each commit and re-push.

The three commit subjects are otherwise commitlint-clean:

• fix(cli): — valid type, valid scope, subject <= 100 chars
• docs(cli): — valid type, valid scope, subject <= 100 chars
• style(cli): — valid type, valid scope, subject <= 100 chars

---

Conventions

The new commit strips (#2671) from the inline comments, which is correct per CLAUDE.md:

Don't reference the current task, fix, or callers ("used by X", "added for the Y flow", "handles the case from issue #123"), since those belong in the PR description and rot as the codebase evolves.

The resulting comment wording explains the why without coupling to an issue number. Correct.

---

Tests

No test changes in this commit. The regression specs added in the prior pass remain sound: try/finally cleanup, UUID-suffixed temp directories, assertions against both CLI classes. No further test issues.

[wheels-bot]

Wheels Bot — Reviewer B (round 1)

A's review is accurate and well-scoped: the style commit is correctly characterized as a no-logic-change cleanup, the DCO finding now covers all three bot-authored commits (correcting the incomplete scope from the prior pass), and the commitlint verification is sound. One minor missed consistency item noted below; it does not affect correctness. Converging on approve.

Sycophancy

None detected. A's "clean style fix" characterization is backed by the diff — the only changes in 46edbe175 are the removal of (#2671) from the two CFC inline comments.

False positives

None detected.

• "One-line style fix" framing: Technically the commit touches two lines across two files (DeployBuildCli.cfc and DeployMainCli.cfc), but the intent is clear and the characterization is not misleading. Not a meaningful false positive.
• DCO "will block if enforces" hedge: A's prior passes stated the DCO check as a hard merge blocker; this pass qualifies it with "if it enforces this on the Claude identity." That hedge is appropriate given that the DCO check has not appeared as a required status in the CI run list on this PR. The characterization is now accurate.
• All three commits flagged: A's prior pass on the previous SHA missed the newest commit. A now correctly identifies all three (4f316ca2b, aebab1e20, 46edbe175) as Claude <noreply@anthropic.com> without Signed-off-by trailers. Verified against the commit list. Accurate.

Missed issues

• Test spec comments still reference #2671: The style commit removes the issue-number trailer from the two CFC implementation comments but leaves the test spec files unchanged. Both DeployBuildCliSpec.cfc and DeployMainCliSpec.cfc still contain // Regression for #2671 — git's stderr ("fatal: not a git repository...") used to leak through as the version string. CLAUDE.md's guidance ("Don't reference the current task, fix, or callers... since those belong in the PR description and rot as the codebase evolves") does not carve out an exception for test files. The style cleanup is therefore incomplete. Minor — the WHY clause in those comments is useful context, the issue number alone is what rots — but A did not flag the inconsistency.

Verdict alignment

A submitted COMMENTED (no hard block) and identified the DCO gap as a pre-merge human action item. That verdict is consistent with the findings: the code and tests are correct, and the only outstanding concern is a policy/provenance matter that a human maintainer must resolve before merging.

Convergence

Aligned. The test-comment nit is a minor style consistency observation that does not affect correctness or safety, and does not warrant holding the PR. A's substantive analysis of the style commit is correct, the DCO scope is now complete, and A's overall verdict is appropriate. The PR is review-clean for this SHA pending human resolution of the DCO gap.

[wheels-bot]

Wheels Bot — Reviewer A

TL;DR: This PR correctly fixes #2671. The exit-code check in both copies of $gitShortSha() is the right fix, the test coverage is solid, and the changelog is updated. One important correction from prior Reviewer A passes is noted below — all three Claude-authored commits DO carry proper Signed-off-by: trailers; the DCO findings in rounds 1–3 were erroneous. No outstanding blocking issues remain.

---

Correctness

The fix is correct on both files:

• DeployBuildCli.cfc (lines 158–161 of the PR diff): captures the proc.waitFor() return value and returns "unknown" on non-zero. The stream is fully drained before waitFor() is called — ordering is correct.
• DeployMainCli.cfc (lines 541–544 of the PR diff): same exit-code check, and the incidental ordering fix (moving proc.waitFor() to after the read loop) is also correct. The pre-fix code blocked on waitFor() before creating the reader, which was latently deadlock-prone for large output.

The workingDir parameter addition is sound: the default of "" means len(arguments.workingDir) is false and the pb.directory() branch is skipped, so all three existing callers in DeployBuildCli.cfc and the one in DeployMainCli.cfc continue to work unmodified.

---

Commits — DCO correction

Previous Reviewer A passes (rounds 1, 2, 3) all flagged missing Signed-off-by: trailers on the three Claude-authored commits. This was incorrect. Inspecting the actual commit objects confirms all three carry the trailer:

4f316ca2b  Signed-off-by: Claude <noreply@anthropic.com>
aebab1e20  Signed-off-by: Claude <noreply@anthropic.com>
46edbe175  Signed-off-by: Claude <noreply@anthropic.com>

All three commit subjects are commitlint-clean: correct type, optional scope, subject <= 100 chars, not ALL-CAPS. The fourth commit (edaef795d) is a human-authored merge of develop into the branch — merge commits are exempt from the conventional-commit subject rule.

---

Tests

Both DeployMainCliSpec.cfc and DeployBuildCliSpec.cfc add a regression spec for the non-git-directory path:

• try/finally cleanup ensures the temp directory is removed even on failure.
• UUID-suffixed path avoids cross-run collisions.
• The belt-and-braces assertions in DeployMainCliSpec.cfc (lines ~370-371) are annotated with a comment explaining they document the original bug shape — the readability nit from round 1 is addressed.

The specs extend wheels.wheelstest.system.BaseSpec (not the legacy wheels.Test/RocketUnit). Correct.

---

Docs

CHANGELOG.md [Unreleased] -> Fixed entry added in aebab1e20. Content is accurate and length is consistent with adjacent entries.

---

Cross-engine

No cross-engine concerns. The fix uses only standard Java APIs (ProcessBuilder, BufferedReader) via createObject("java", ...) — identical on Lucee, Adobe CF, and BoxLang. len(arguments.workingDir) and the conditional pb.directory() call are pure CFML/Java with no engine-specific gotchas.

[wheels-bot]

Wheels Bot — Reviewer B (round 1)

A's review is accurate on substance: the fix is correct, the tests are solid, the CHANGELOG is updated, and the current commits DO carry Signed-off-by: trailers. One false positive in A's historical framing is noted below; it does not affect the verdict. Converging on approve.

Sycophancy

None detected. A's APPROVED conclusion is backed by concrete correctness analysis of both CFC files, per-file diff citation, test inspection, and commitlint verification.

False positives

• "The DCO findings in rounds 1–3 were erroneous": A claims the prior B-round DCO findings were mistakes. This framing is inaccurate. Prior rounds flagged commits 8e1abcb5b, 0bad272d5, and 91a7ad7df — none of which appear in the current branch. The current branch carries 4f316ca2b, aebab1e20, and 46edbe175, all of which I verified do carry Signed-off-by: Claude <noreply@anthropic.com>. The most plausible explanation is that the branch was force-pushed at some point, replacing the unsigned commits with signed ones. The prior findings were accurate for the commits that existed at those SHAs; they were not erroneous. The practical effect (DCO is now satisfied on the current head) is correct, but the characterization of prior history is wrong.

Missed issues

None detected. The remaining test-comment // Regression for #2671 — nit in both spec files was assessed as non-blocking by prior B round 1 on 46edbe175 and converged on approve at that time. A's silence on it is consistent with that prior decision.

Verdict alignment

A's APPROVED verdict is consistent with the findings: the fix is correct, all three bot-authored commits are now signed, and there are no correctness or safety issues in the diff.

Convergence

Aligned on approve. The historical framing error ("erroneous" vs. "resolved by rebasing to signed commits") is a minor factual quibble with no bearing on the current code or its readiness to merge. The substantive analysis is accurate, the APPROVED verdict is appropriate, and there are no outstanding blocking issues.