zhi/HarborForge.Cli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: zhi:feat/knowledge-base
Branches Tags
zhi:main zhi:fix/milestone-nested-routes zhi:fix/worklog-logged-date zhi:feat/kb-leaf-help zhi:fix/security-audit zhi:feat/knowledge-base zhi:fix/assign-schedule-type-dispatch zhi:fix/apikey-auth-header-and-help-introspect zhi:docs/readme-refresh
...
pull from: zhi:fix/milestone-nested-routes
Branches Tags
zhi:main zhi:fix/milestone-nested-routes zhi:fix/worklog-logged-date zhi:feat/kb-leaf-help zhi:fix/security-audit zhi:feat/knowledge-base zhi:fix/assign-schedule-type-dispatch zhi:fix/apikey-auth-header-and-help-introspect zhi:docs/readme-refresh

5 Commits
feat/knowl ... fix/milest

Author SHA1 Message Date
hzhang
fdf1ba1b17 fix(milestone): use nested /projects/{project}/milestones routes + datetime due 
Two contract bugs broke `hf milestone *` against the backend:

- The backend mounts milestones at prefix /projects/{project_id}/milestones
  (nested), but the CLI used flat /milestones, /milestones/<code>, etc. →
  every milestone create/get/update/delete/progress/list 404'd. Switch to
  the nested routes: list/create take --project; get/update/delete/progress
  derive the project from the milestone code (PFIXTU:00001 → PFIXTU) via a
  new milestoneProject() helper. list now requires --project.
- due_date is a REQUIRED datetime on the backend, but --due <yyyy-mm-dd>
  was sent date-only → 422 datetime_parsing. Anchor a bare date to
  start-of-day (toMilestoneDateTime), same as the worklog logged_date fix.

Verified on sim: milestone create/list/get/progress all succeed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-10 12:56:58 +01:00
hzhang
6dcf43ce41 feat(help): add knowledge-base leaf help (per-command usage) 
The knowledge-base command family was registered in the help surface
(group + subcommands) but had NO leaf entries in internal/help/leaf.go, so
`hf knowledge-base add-fact --help` (and every other kb subcommand) printed
no usage. Weak agents then guessed flags (e.g. `add-fact --kb --topic-id
--title` instead of `--topic <id> --fact <text>`).

Add leaf help for all 18 kb subcommands (list/get/tree/topics/create/update/
delete/link/unlink/add-topic/update-topic/delete-topic/add-category/
update-category/delete-category/add-fact/update-fact/delete-fact), with the
authoritative usage strings copied from internal/commands/knowledge_base.go.
Now `hf knowledge-base <sub> --help` renders proper usage.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-10 08:52:40 +01:00
hzhang
729365ca46 Merge fix/security-audit: CLI credential hardening 2026-06-01 09:23:52 +01:00
hzhang
ef8d4dbdad Merge feat/knowledge-base: KnowledgeBase CLI commands 2026-06-01 09:23:52 +01:00
hzhang
4125a4c102 fix(security): keep credentials off argv and plaintext transports 
- M7: ResolveToken accepts the token via the HF_TOKEN env var (so it need
  not appear in argv, where it's visible in ps/shell history); the HTTP
  client refuses to send a token / API key over plaintext http:// to a
  non-loopback host (use https://). Loopback http is still allowed for
  local dev.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-05-31 20:16:36 +01:00
4 changed files with 170 additions and 87 deletions
Expand all files Collapse all files

33
internal/client/client.go
View File

@@ -5,7 +5,9 @@ import (
"encoding/json"
"fmt"
"io"
"net"
"net/http"
neturl "net/url"
"strings"
"time"
)
@@ -70,8 +72,39 @@ func (e *RequestError) Error() string {
return fmt.Sprintf("HTTP %d: %s", e.StatusCode, e.Body)
}
// guardPlaintextCreds refuses to transmit a token / API key over a plaintext
// http:// connection to a non-loopback host (prevents credential interception).
func (c *Client) guardPlaintextCreds() error {
if c.Token == "" && c.APIKey == "" {
return nil
}
u, err := neturl.Parse(c.BaseURL)
if err != nil || u.Scheme != "http" {
return nil // parse errors and https:// are fine
}
if isLoopbackHost(u.Hostname()) {
return nil
}
return fmt.Errorf("refusing to send credentials over plaintext http:// to non-loopback host %q — use an https:// base URL (hf config set-url ...)", u.Hostname())
}
// isLoopbackHost reports whether h is a loopback address or localhost name.
func isLoopbackHost(h string) bool {
h = strings.ToLower(h)
if h == "localhost" || strings.HasSuffix(h, ".localhost") {
return true
}
if ip := net.ParseIP(h); ip != nil {
return ip.IsLoopback()
}
return false
}
// Do executes an HTTP request and returns the response body bytes.
func (c *Client) Do(method, path string, body io.Reader) ([]byte, error) {
if err := c.guardPlaintextCreds(); err != nil {
return nil, err
}
url := c.BaseURL + path
req, err := http.NewRequest(method, url, body)
if err != nil {

16
internal/commands/auth.go
View File

@@ -1,6 +1,9 @@
package commands
import (
"os"
"strings"
"git.hangman-lab.top/zhi/HarborForge.Cli/internal/mode"
"git.hangman-lab.top/zhi/HarborForge.Cli/internal/output"
"git.hangman-lab.top/zhi/HarborForge.Cli/internal/passmgr"
@@ -20,11 +23,16 @@ func ResolveToken(tokenFlag string) string {
}
return tok
}
// manual mode
if tokenFlag == "" {
output.Error("--token <token> required or execute this with pcexec")
}
// manual mode — prefer the explicit flag, else fall back to the HF_TOKEN
// env var so the token need not appear in argv (visible via `ps`/history).
if tokenFlag != "" {
return tokenFlag
}
if env := strings.TrimSpace(os.Getenv("HF_TOKEN")); env != "" {
return env
}
output.Error("--token <token> or HF_TOKEN env required, or execute this with pcexec")
return ""
}
// RejectTokenInPaddedCell checks if --token was passed in padded-cell mode

43
internal/commands/milestone.go
View File

@@ -4,6 +4,7 @@ import (
"bytes"
"encoding/json"
"fmt"
"strings"
"git.hangman-lab.top/zhi/HarborForge.Cli/internal/client"
"git.hangman-lab.top/zhi/HarborForge.Cli/internal/config"
@@ -32,11 +33,30 @@ type milestoneProgressResponse struct {
Progress float64 `json:"progress"`
}
// milestoneProject extracts the project code from a milestone code
// (e.g. "PFIXTU:00001" -> "PFIXTU"); milestones are nested under their
// project in the API (/projects/{project}/milestones/{code}).
func milestoneProject(code string) string {
if i := strings.IndexByte(code, ':'); i >= 0 {
return code[:i]
}
return code
}
// toMilestoneDateTime anchors a bare YYYY-MM-DD due date to a datetime, since
// the backend's due_date field requires a full datetime.
func toMilestoneDateTime(d string) string {
if len(d) == 10 {
return d + "T00:00:00Z"
}
return d
}
// RunMilestoneList implements `hf milestone list --project <project-code>`.
func RunMilestoneList(args []string, tokenFlag string) {
token := ResolveToken(tokenFlag)
query := ""
query, project := "", ""
for i := 0; i < len(args); i++ {
switch args[i] {
case "--project":
@@ -44,7 +64,7 @@ func RunMilestoneList(args []string, tokenFlag string) {
output.Error("--project requires a value")
}
i++
query = appendQuery(query, "project_code", args[i])
project = args[i]
case "--status":
if i+1 >= len(args) {
output.Error("--status requires a value")
@@ -66,8 +86,11 @@ func RunMilestoneList(args []string, tokenFlag string) {
if err != nil {
output.Errorf("config error: %v", err)
}
if project == "" {
output.Error("--project is required (milestones are listed per project)")
}
c := client.New(cfg.BaseURL, token)
path := "/milestones"
path := "/projects/" + project + "/milestones"
if query != "" {
path += "?" + query
}
@@ -110,7 +133,7 @@ func RunMilestoneGet(milestoneCode, tokenFlag string) {
output.Errorf("config error: %v", err)
}
c := client.New(cfg.BaseURL, token)
data, err := c.Get("/milestones/" + milestoneCode)
data, err := c.Get("/projects/" + milestoneProject(milestoneCode) + "/milestones/" + milestoneCode)
if err != nil {
output.Errorf("failed to get milestone: %v", err)
}
@@ -196,7 +219,7 @@ func RunMilestoneCreate(args []string, tokenFlag string) {
payload["description"] = desc
}
if due != "" {
payload["due_date"] = due
payload["due_date"] = toMilestoneDateTime(due)
}
body, err := json.Marshal(payload)
@@ -209,7 +232,7 @@ func RunMilestoneCreate(args []string, tokenFlag string) {
output.Errorf("config error: %v", err)
}
c := client.New(cfg.BaseURL, token)
data, err := c.Post("/milestones", bytes.NewReader(body))
data, err := c.Post("/projects/"+project+"/milestones", bytes.NewReader(body))
if err != nil {
output.Errorf("failed to create milestone: %v", err)
}
@@ -261,7 +284,7 @@ func RunMilestoneUpdate(milestoneCode string, args []string, tokenFlag string) {
output.Error("--due requires a value")
}
i++
payload["due_date"] = args[i]
payload["due_date"] = toMilestoneDateTime(args[i])
default:
output.Errorf("unknown flag: %s", args[i])
}
@@ -281,7 +304,7 @@ func RunMilestoneUpdate(milestoneCode string, args []string, tokenFlag string) {
output.Errorf("config error: %v", err)
}
c := client.New(cfg.BaseURL, token)
_, err = c.Patch("/milestones/"+milestoneCode, bytes.NewReader(body))
_, err = c.Patch("/projects/"+milestoneProject(milestoneCode)+"/milestones/"+milestoneCode, bytes.NewReader(body))
if err != nil {
output.Errorf("failed to update milestone: %v", err)
}
@@ -297,7 +320,7 @@ func RunMilestoneDelete(milestoneCode, tokenFlag string) {
output.Errorf("config error: %v", err)
}
c := client.New(cfg.BaseURL, token)
_, err = c.Delete("/milestones/" + milestoneCode)
_, err = c.Delete("/projects/" + milestoneProject(milestoneCode) + "/milestones/" + milestoneCode)
if err != nil {
output.Errorf("failed to delete milestone: %v", err)
}
@@ -312,7 +335,7 @@ func RunMilestoneProgress(milestoneCode, tokenFlag string) {
output.Errorf("config error: %v", err)
}
c := client.New(cfg.BaseURL, token)
data, err := c.Get("/milestones/" + milestoneCode + "/progress")
data, err := c.Get("/projects/" + milestoneProject(milestoneCode) + "/milestones/" + milestoneCode + "/progress")
if err != nil {
output.Errorf("failed to get milestone progress: %v", err)
}

19
internal/help/leaf.go
View File

@@ -193,6 +193,25 @@ func leafHelpSpec(group, cmd string) (leafHelp, bool) {
"monitor/api-key": {Summary: "Manage monitor API keys", Usage: []string{"hf monitor api-key generate <identifier>", "hf monitor api-key revoke <identifier>"}, Flags: authFlagHelp()},
"monitor/api-key/generate": {Summary: "Generate a monitor API key", Usage: []string{"hf monitor api-key generate <identifier>"}, Flags: authFlagHelp()},
"monitor/api-key/revoke": {Summary: "Revoke a monitor API key", Usage: []string{"hf monitor api-key revoke <identifier>"}, Flags: authFlagHelp()},
"knowledge-base/list": {Summary: "List knowledge bases", Usage: []string{"hf knowledge-base list [--project <project-code>]"}, Flags: authFlagHelp()},
"knowledge-base/get": {Summary: "Show a knowledge base by code", Usage: []string{"hf knowledge-base get <kb-code>"}, Flags: authFlagHelp()},
"knowledge-base/tree": {Summary: "Show the full topic/category/fact tree", Usage: []string{"hf knowledge-base tree <kb-code>"}, Flags: authFlagHelp()},
"knowledge-base/topics": {Summary: "List topics in a knowledge base", Usage: []string{"hf knowledge-base topics <kb-code>"}, Flags: authFlagHelp()},
"knowledge-base/create": {Summary: "Create a knowledge base", Usage: []string{"hf knowledge-base create --title <title> [--desc <description>]"}, Flags: authFlagHelp()},
"knowledge-base/update": {Summary: "Update a knowledge base", Usage: []string{"hf knowledge-base update <kb-code> [--title <title>] [--desc <description>]"}, Flags: authFlagHelp()},
"knowledge-base/delete": {Summary: "Delete a knowledge base", Usage: []string{"hf knowledge-base delete <kb-code>"}, Flags: authFlagHelp()},
"knowledge-base/link": {Summary: "Link a knowledge base to a project", Usage: []string{"hf knowledge-base link <kb-code> --project <project-code>"}, Flags: authFlagHelp()},
"knowledge-base/unlink": {Summary: "Unlink a knowledge base from a project", Usage: []string{"hf knowledge-base unlink <kb-code> --project <project-code>"}, Flags: authFlagHelp()},
"knowledge-base/add-topic": {Summary: "Add a topic to a knowledge base", Usage: []string{"hf knowledge-base add-topic <kb-code> --topic <name> [--desc <description>]"}, Flags: authFlagHelp()},
"knowledge-base/update-topic": {Summary: "Update a topic", Usage: []string{"hf knowledge-base update-topic <topic-id> [--topic <name>] [--desc <description>]"}, Flags: authFlagHelp()},
"knowledge-base/delete-topic": {Summary: "Delete a topic", Usage: []string{"hf knowledge-base delete-topic <topic-id>"}, Flags: authFlagHelp()},
"knowledge-base/add-category": {Summary: "Add a category under a topic", Usage: []string{"hf knowledge-base add-category --topic <topic-id> --name <name> [--parent <category-id>] [--desc <description>]"}, Flags: authFlagHelp()},
"knowledge-base/update-category": {Summary: "Update a category", Usage: []string{"hf knowledge-base update-category <category-id> [--name <name>] [--parent <category-id>] [--desc <description>]"}, Flags: authFlagHelp()},
"knowledge-base/delete-category": {Summary: "Delete a category", Usage: []string{"hf knowledge-base delete-category <category-id>"}, Flags: authFlagHelp()},
"knowledge-base/add-fact": {Summary: "Add a fact under a topic (optionally a category)", Usage: []string{"hf knowledge-base add-fact --topic <topic-id> [--category <category-id>] --fact <text>"}, Flags: authFlagHelp()},
"knowledge-base/update-fact": {Summary: "Update a fact", Usage: []string{"hf knowledge-base update-fact <fact-id> [--fact <text>] [--category <category-id>]"}, Flags: authFlagHelp()},
"knowledge-base/delete-fact": {Summary: "Delete a fact", Usage: []string{"hf knowledge-base delete-fact <fact-id>"}, Flags: authFlagHelp()},
}
if group == "" {