fix: minor bugs in CLI

[SiebeBaree]

Summary by CodeRabbit

• New Features

  • Configure now returns an outcome that reports status (configured/kept) and the effective scope.

• Bug Fixes

  • Improved Git detection for --git with clear error when no repo is found.
  • Prevented path-scoped setups from shadowing Git-scoped setups and improved symlink-aware project resolution.

• Refactor

  • Consolidated browser auth page rendering.
  • Removed legacy secret-cache migration paths.

• Tests

  • Added/updated integration tests covering config, configure flow, and secret-cache behavior.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 00a5a794-d9f6-4795-a6b2-7afd4ad990e3

📥 Commits

Reviewing files that changed from the base of the PR and between 24f3827 and 015245d.

📒 Files selected for processing (5)

• src/api/client.ts
• src/cmd/configure.ts
• src/lib/config.ts
• tests/integration/configure-command.test.ts
• tests/integration/configure-flow.test.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• src/lib/config.ts

---

Walkthrough

This PR implements git-scoped configuration alongside path-scoped setups, refactors auth callback HTML into shared renderAuthPage/logoSvg, and removes legacy secret-cache migration. The CLI now validates --git against repository presence. The config module threads repo info into setup-key resolution, removes shadowing path setups when switching to git scope, and uses symlink-canonical repo roots in lookup. EnkryptifyClient.configure returns a { status, scope, config } outcome and tests were updated to reflect these behaviors.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Enkryptify/cli#38: Introduced the secret caching implementation now refined by removal of legacy migration paths.
• Enkryptify/cli#46: Prior auth callback HTML changes; this PR centralizes rendering into shared helpers and adds auto-close behavior.
• Feature/v0.4.0 #73: Related prior work on git/path configuration scoping and threading scope through configure flows.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 9.09% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The PR title 'fix: minor bugs in CLI' is vague and generic. It does not clearly convey the specific changes made across multiple files (auth UI refactoring, configure scope handling, legacy cache removal, git repo detection, etc.). The word 'minor bugs' lacks specificity and does not meaningfully describe the actual scope of the changes.	Use a more descriptive title that highlights the primary change. For example: 'refactor: consolidate auth UI rendering and improve git scope configuration' or 'refactor: improve configure scope handling and remove legacy cache migration'.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/v0.4.1

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

src/api/auth.ts (1)

250-257: ⚡ Quick win

Escape text fields inside renderAuthPage to make XSS safety default.

Right now only authErrorResponse escapes input before passing subtitle. Escaping should happen in renderAuthPage for documentTitle, title, subtitle, and hint so future call sites can’t accidentally inject HTML.

Suggested patch

 private renderAuthPage(params: {
     state: "success" | "error";
     documentTitle: string;
     title: string;
     subtitle: string;
     hint: string;
     autoClose?: boolean;
 }): string {
     const { state, documentTitle, title, subtitle, hint, autoClose } = params;
+    const safeDocumentTitle = this.escapeHtml(documentTitle);
+    const safeTitle = this.escapeHtml(title);
+    const safeSubtitle = this.escapeHtml(subtitle);
+    const safeHint = this.escapeHtml(hint);

@@
-<title>${documentTitle}</title>
+<title>${safeDocumentTitle}</title>
@@
-        <h1>${title}</h1>
-        <p class="desc">${subtitle}</p>
+        <h1>${safeTitle}</h1>
+        <p class="desc">${safeSubtitle}</p>
@@
-    <p class="hint">${hint}</p>
+    <p class="hint">${safeHint}</p>

Also applies to: 272-273, 306-307, 309-309

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/api/auth.ts` around lines 250 - 257, renderAuthPage currently
interpolates documentTitle, title, subtitle, and hint without escaping, risking
XSS; update renderAuthPage to HTML-escape those four fields (documentTitle,
title, subtitle, hint) at the start of the method (e.g., via a shared escapeHtml
helper or existing escape utility) and use the escaped values for all template
interpolation (also ensure autoClose rendering unaffected). Apply the same
escape usage for call sites referenced around the renderAuthPage usages (the
places noted near lines ~272-273, ~306-307, ~309) so every path into
renderAuthPage or its templates uses escaped strings.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/api/client.ts`:
- Around line 109-119: The code in the git-branch of configure flow swallows
real read errors by using .catch(() => null) on config.getConfigure and
returning a plain ProjectConfig when the user declines replacement, which the
caller interprets as "use git"; change the behavior so that
config.getConfigure(options, { scope: "path" }) only catches a specific
NotFound/NoConfig error (rethrow other errors), and stop returning a raw
ProjectConfig to signal intent—introduce and return an explicit result shape
(e.g., { status: "kept" | "replaced" | "canceled", effectiveScope?: "path" |
"git", config?: ProjectConfig }) from the function handling the confirm() branch
(the block that calls confirm("A path-only setup already exists...")), returning
{ status: "kept", effectiveScope: "path", config: pathSetup } when replace is
false so the downstream persister can honor the user's choice.

In `@src/lib/config.ts`:
- Around line 241-244: The removal logic only compares resolved pathKey to
setupKey, missing symlink aliases; change it to canonicalize both sides using
fs.realpath (or fs.realpathSync) so you compare and delete by real paths:
compute realPathKey = realpath(projectPath) and realSetupKey =
realpath(setupKey) (falling back to path.resolve if realpath fails), then remove
config.setups entries matching either the resolved or real canonical keys
(pathKey, realPathKey, setupKey, realSetupKey) so stale setups saved under
symlinked aliases (e.g., /var vs /private/var) are also deleted; apply the same
canonicalization approach where create/get/find path keys are produced
(functions referencing pathKey, setupKey, config.setups).

---

Nitpick comments:
In `@src/api/auth.ts`:
- Around line 250-257: renderAuthPage currently interpolates documentTitle,
title, subtitle, and hint without escaping, risking XSS; update renderAuthPage
to HTML-escape those four fields (documentTitle, title, subtitle, hint) at the
start of the method (e.g., via a shared escapeHtml helper or existing escape
utility) and use the escaped values for all template interpolation (also ensure
autoClose rendering unaffected). Apply the same escape usage for call sites
referenced around the renderAuthPage usages (the places noted near lines
~272-273, ~306-307, ~309) so every path into renderAuthPage or its templates
uses escaped strings.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 86b79113-1e19-41c0-aad8-10de765f4e37

📥 Commits

Reviewing files that changed from the base of the PR and between 1fd467f and 24f3827.

📒 Files selected for processing (10)

• src/api/auth.ts
• src/api/client.ts
• src/cmd/configure.ts
• src/lib/config.ts
• src/lib/secretCache.ts
• src/lib/secureStore.ts
• tests/integration/config.test.ts
• tests/integration/configure-command.test.ts
• tests/integration/secret-cache.test.ts
• tests/integration/secure-store.test.ts

💤 Files with no reviewable changes (1)

• src/lib/secureStore.ts