Skip to content

Fix --publish UX issues from fresh-user testing#38

Merged
thebenignhacker merged 1 commit intomainfrom
fix/publish-ux-issues
Mar 12, 2026
Merged

Fix --publish UX issues from fresh-user testing#38
thebenignhacker merged 1 commit intomainfrom
fix/publish-ux-issues

Conversation

@thebenignhacker
Copy link
Copy Markdown
Contributor

@thebenignhacker thebenignhacker commented Mar 12, 2026

Summary

  • attack --local --publish now prints skip message instead of silently doing nothing
  • --no-registry now correctly suppresses --publish
  • Missing signing keys now show guidance to run opena2a claim
  • JSON mode includes publish field in output object

Test plan

  • 838/838 tests pass
  • Build clean

@thebenignhacker thebenignhacker merged commit 284f0b3 into main Mar 12, 2026
1 check passed
@thebenignhacker thebenignhacker deleted the fix/publish-ux-issues branch March 12, 2026 05:51
github-actions[bot]
github-actions bot approved these changes Mar 12, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

Security Review: PR #38 - Fix --publish UX issues from fresh-user testing

VERIFICATION PROCESS

I systematically verified each change against the full source files:

  1. Lines 1893-1927 (secure command JSON mode publish): Verified exception handling wraps the entire publish flow with catch block at lines 1912-1916
  2. Lines 2103-2107 (secure command text mode --no-registry check): Verified proper flag check
  3. Lines 2843-2850 (attack command --no-registry check): Verified proper flag check and local scan detection
  4. Lines 4231-4257 (scan-soul command JSON mode publish): Verified exception handling wraps publish flow with catch block at lines 4250-4254
  5. Lines 282-284 (publish.ts): Verified console.log has no user-controlled input

VERDICT: APPROVE

SUMMARY

This PR adds user-facing improvements to the --publish flag across three CLI commands (secure, attack, scan-soul). All changes are display/UX enhancements with no new security vulnerabilities introduced. Exception handling around publish operations is adequate, user messaging is safe (no injection vectors), and the --no-registry flag correctly suppresses publish operations when set.

FINDINGS

None. All potential issues were verified as adequately mitigated:

  • Command injection: No child_process calls or shell command construction in the diff
  • Console injection: The console.log at line 283 of publish.ts contains only a static string with no user-controlled interpolation
  • Unhandled rejections: All async publish calls are wrapped in try/catch blocks (lines 1896-1916, 4233-4254, 2108-2140, 2852-2876)
  • Type safety: All error handling checks instanceof Error before accessing .message property

The UX messages added for missing signing keys (line 283) and --no-registry suppression (lines 2105, 2845, 2849) improve user guidance without introducing security risks.

Reviewed 2 files changed (5759 bytes)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@thebenignhacker