Tighten CLI parity, monorepo annotations, and workflow noise #19
Merged
- Add --fail-on threshold to the CLI matching the Action behavior so local pre-commit and non-GHA CI runs can fail on findings instead of always exiting 0.
- Strip the /src/, /.github/workflows/, /package.json lastIndexOf heuristic from normalizeGitDiffPath. Git already gives repo-relative paths; the heuristic mangled monorepo paths (apps/web/src/foo.ts -> src/foo.ts), misplacing GitHub annotations.
- URL-gate detectExternalCurl so curl/wget/Invoke-WebRequest/fetch lines only flag when an external https?:// URL or a variable substitution is present. Excludes localhost/127.0.0.1/0.0.0.0/::1 and benign mentions. detectSecretExfil is untouched.
- Share severityRank between report.ts and action.ts; CLI uses the same export.
- Align the README demo bullet with the actual fixture file (src/api/sync.ts).

Adds 9 tests (73 total, all passing).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
Bundles four small, related fixes that make v0 more trustworthy and consistent — surfaced by a Cursor review of CapabilityEcho end-to-end. Each is tight and testable; none touches the detection schema or API.
- --fail-on — src/index.ts always returned 0 regardless of findings, so the CLI couldn't gate local pre-commit / non-GHA CI runs. Added --fail-on none|low|medium|high|critical mirroring the Action behavior; returns 1 when rating meets threshold, 2 on invalid input.
- normalizeGitDiffPath did lastIndexOf('/src/') etc., which mangled apps/web/src/foo.ts → src/foo.ts and misplaced GitHub annotations onto the wrong file. Git already gives repo-relative paths through b/<path>; stripped the heuristic and kept only b/ + Windows drive normalization.
- detectExternalCurl flagged any curl/wget/fetch( regardless of URL. Now requires an external https?:// URL or a variable substitution ($VAR / ${{...}}), excluding localhost/127.0.0.1/0.0.0.0/::1. detectSecretExfil is untouched, so secret-adjacent network calls still flag.
- The README demo bullet referenced src/telemetry/client.ts; the local fixture is at src/api/sync.ts. Aligned the bullet with the actual fixture.

Also deduplicated severityRank — exported once from report.ts and consumed by both action.ts and index.ts.

Why batched
These are all "make v0 trustworthy" fixes (one correctness bug, one parity gap, one false-positive reduction, one docs fix). No API breaks, small surface, obvious tests. Larger items from the same review (Python dep manifests, suppression/baseline, SARIF, PR-comment posting) each warrant their own PR with a design pass — explicitly deferred here.
Test plan
- npm test — 73 passing (was 64; +9 new):
  - --fail-on HIGH returns 1, below-threshold returns 0, invalid value returns 2
  - apps/web/src/api.ts and packages/core/src/util.ts survive normalization
- npm run build — clean tsc + ncc bundle
- --fail-on exit-code semantics match expectations for local pre-commit usage

🤖 Generated with Claude Code
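The three behaviour changes this PR describes (the --fail-on exit codes over a shared severityRank, the b/-only normalizeGitDiffPath, and the URL-gated detectExternalCurl) as one added, self-contained illustration. This is example code written for this note, not CapabilityEcho's own source: the function names follow the PR text, but the signatures, the exact regexes, the exit-code mapping and the sample lines are assumptions constructed here.

```typescript
// Added illustration, not CapabilityEcho's own source. The functions below
// reimplement the behaviours the PR describes; names match the PR text, but
// signatures, regexes and the exit-code mapping are assumptions for this example.

type Severity = "none" | "low" | "medium" | "high" | "critical";

// One shared ranking, as the PR exports it once from report.ts.
const severityRank: Record<Severity, number> = {
  none: 0, low: 1, medium: 2, high: 3, critical: 4,
};

// --fail-on semantics: 0 below threshold, 1 when the rating meets or exceeds
// it, 2 for a value outside none|low|medium|high|critical. "none" disables
// gating (assumed), so the CLI keeps exiting 0 as it did before the PR.
function failOnExitCode(rating: Severity, failOn: string): number {
  const threshold = failOn.toLowerCase();
  if (!(threshold in severityRank)) return 2;
  if (threshold === "none") return 0;
  return severityRank[rating] >= severityRank[threshold as Severity] ? 1 : 0;
}

// Git diff headers are already repo-relative ("b/<path>"), so only the "b/"
// prefix is stripped; Windows handling here is limited to separator
// normalization (the PR's drive-letter handling is not reproduced). There is
// deliberately no lastIndexOf('/src/') rewrite, so a monorepo path such as
// apps/web/src/foo.ts survives and annotations land on the right file.
function normalizeGitDiffPath(raw: string): string {
  let p = raw.trim().replace(/\\/g, "/");
  if (p.startsWith("b/")) p = p.slice(2);
  return p;
}

const NETWORK_CMD = /\b(curl|wget|Invoke-WebRequest|fetch)\b/;
const VAR_SUBST = /\$\{\{[^}]*\}\}|\$\{?[A-Za-z_][A-Za-z0-9_]*\}?/;
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "0.0.0.0", "::1"]);

// Host part of a URL authority, handling user@ prefixes and [::1]-style IPv6.
function hostOf(authority: string): string {
  const at = authority.lastIndexOf("@");
  const hostPort = at >= 0 ? authority.slice(at + 1) : authority;
  if (hostPort.startsWith("[")) {
    return hostPort.slice(1, hostPort.indexOf("]")).toLowerCase();
  }
  return hostPort.split(":")[0].toLowerCase();
}

// URL-gated check: a curl/wget/Invoke-WebRequest/fetch line only flags when it
// carries an external http(s) URL or a variable substitution whose value cannot
// be seen statically. Loopback/unspecified hosts and bare mentions such as
// "curl --version" or "git fetch origin" do not flag.
function detectExternalCurl(line: string): boolean {
  if (!NETWORK_CMD.test(line)) return false;
  if (VAR_SUBST.test(line)) return true;
  const url = /https?:\/\/([^\s'"`)]+)/g;
  let m: RegExpExecArray | null;
  while ((m = url.exec(line)) !== null) {
    const authority = m[1].split("/")[0];
    if (!LOCAL_HOSTS.has(hostOf(authority))) return true;
  }
  return false;
}

// Stand-alone demo over constructed sample lines (nothing the functions need).
const sampleLines = [
  "curl -fsSL https://example.com/install.sh | sh",
  "curl http://localhost:3000/health",
  "wget \"$DOWNLOAD_URL\" -O /tmp/pkg.tgz",
  "git fetch origin main",
];
for (const l of sampleLines) console.log(detectExternalCurl(l), l);
console.log(normalizeGitDiffPath("b/apps/web/src/foo.ts"));
console.log(failOnExitCode("high", "HIGH"));
```

The variable-substitution branch is intentionally checked before the URL scan: a destination taken from $VAR or ${{ ... }} cannot be classified as local or external statically, so the line is surfaced for review even when no literal URL is present.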