fix: resolve CWE-665 — make xurl importable as a Go library #1
drQedwards merged 4 commits into main from
… Go library

- Create xurl.go (package xurl) with exported library API
- Move CLI entry point to cmd/xurl/main.go
- Fix WithAppName to always overwrite credentials
- Add AppName() getter for multi-app token resolution
- Use ForApp variants in auth and API client
- Update Makefile and README for new package structure
- Add comprehensive multi-app tests

Co-authored-by: drQedwards <213266729+drQedwards@users.noreply.github.com>

…l/main.go

Co-authored-by: drQedwards <213266729+drQedwards@users.noreply.github.com>
Pull request overview
This PR restructures the repository so it can be imported as a Go library (github.com/xdevplatform/xurl) while keeping the CLI as a separate cmd/xurl entrypoint, and it fixes multi-app authentication behavior so token/credential operations respect the active app context.
Changes:
- Converted module root into `package xurl` and added `NewRootCommand`, `CreateRootCommand`, and `Execute` for library consumers.
- Moved CLI entrypoint to `cmd/xurl/main.go` and updated build/install instructions (`Makefile`, `README`, `.gitignore`).
- Updated auth + API client logic to use app-scoped token store operations; added multi-app tests.
Reviewed changes
Copilot reviewed 8 out of 10 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| xurl.go | Adds importable library API for constructing/executing the root Cobra command. |
| cmd/xurl/main.go | New CLI entrypoint under cmd/xurl. |
| auth/auth.go | Makes credential/token operations app-aware; adds AppName() getter. |
| auth/auth_test.go | Adds multi-app auth tests (credential overwrite, token isolation, etc.). |
| api/client.go | Updates auto-auth cascade to use app-scoped token lookups. |
| api/client_test.go | Adds test ensuring active app’s bearer token is used. |
| api/media.go | Import formatting adjustment (needs gofmt grouping). |
| README.md | Updates install path + documents library usage (one section is currently misleading). |
| Makefile | Builds/installs from ./cmd/xurl. |
| .gitignore | Stops ignoring cmd/xurl by narrowing ignore rule to /xurl. |
README.md
Outdated
| If your consuming project uses a local replace for this repo and requires the short path, `import "xurl"` also works with: | ||
|
|
||
| ```go | ||
| require xurl v0.0.0 | ||
|
|
||
| replace xurl => ../xurl |
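Review bot: the snippet ending at `replace xurl => ../xurl` never says which file these two directives belong in, and it is fenced as `go` although it is go.mod syntax rather than Go source. State that they go in the consuming module's `go.mod`, that `../xurl` assumes the checkout sits in a sibling directory, and that this is a local-development setup, since a `replace` only takes effect in the main module's own `go.mod`.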
The README suggests import "xurl" will work with require xurl v0.0.0 + replace xurl => ../xurl, but this repo’s packages import each other via the full module path (github.com/xdevplatform/xurl/...). Using the short module path will break those internal imports unless they’re rewritten too. Consider removing the import "xurl" guidance or instead documenting replace github.com/xdevplatform/xurl => ../xurl (while keeping import "github.com/xdevplatform/xurl").
| If your consuming project uses a local replace for this repo and requires the short path, `import "xurl"` also works with: | |
| ```go | |
| require xurl v0.0.0 | |
| replace xurl => ../xurl | |
| If your consuming project uses a local checkout of this repo, you can use a `replace` directive in your `go.mod` while still importing by the full module path: | |
| ```go | |
| require github.com/xdevplatform/xurl v0.0.0 | |
| replace github.com/xdevplatform/xurl => ../xurl |
| "time" | ||
|
|
||
| "bufio" | ||
| "mime/multipart" | ||
| "os" | ||
| "path/filepath" | ||
| "github.com/xdevplatform/xurl/auth" | ||
| "github.com/xdevplatform/xurl/config" | ||
| xurlErrors "github.com/xdevplatform/xurl/errors" | ||
| "github.com/xdevplatform/xurl/version" | ||
| "mime/multipart" | ||
| "os" | ||
| "path/filepath" | ||
| ) |
The import block isn’t gofmt-compliant: stdlib imports (bufio, mime/multipart, os, path/filepath, etc.) are interleaved with module imports and not separated into groups. Please run gofmt (or reorder into stdlib / third-party / local groups) to keep consistent formatting and avoid noisy diffs.
@copilot apply changes based on the comments in this thread
… directive

- README.md: Replace incorrect `import "xurl"` guidance with proper `replace github.com/xdevplatform/xurl => ../xurl` directive
- api/client.go: Reorder imports into stdlib / third-party groups
- api/media.go: Reorder imports into stdlib / third-party groups

Co-authored-by: drQedwards <213266729+drQedwards@users.noreply.github.com>
Applied all three review comments in ad5449d:
- `xurl.go` at root as `package xurl` with exported library API (NewRootCommand, CreateRootCommand, Execute)
- `cmd/xurl/main.go` as CLI entry point (package main)
- `main.go` (replaced by xurl.go + cmd/xurl/main.go)
- `Makefile` build/install targets to use `./cmd/xurl`
- `README.md` with correct install path and library usage docs
- `auth/auth.go`: `WithAppName` always overwrites credentials; add `AppName()` getter; use ForApp variants throughout
- `api/client.go`: use `ForApp` variants so active app is respected
- `.gitignore` to use root-anchored `/xurl` pattern (avoids ignoring `cmd/xurl/`)
- `api/client.go` and `api/media.go` (stdlib / third-party separation)
- `replace` directive to use full module path instead of short `xurl` path
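The multi-app fix this PR describes (`WithAppName` always overwrites credentials, token lookups scoped to the active app), as an added sketch that is not code from the xurl repository. Every type and name except `WithAppName` and `AppName` is hypothetical, and the pre-fix behaviour modelled by `WithAppNameStale` is an assumption about what "always overwrite" replaced.

```go
package main

import "fmt"

// Store is a hypothetical per-app store; these are not xurl's real types.
type Store struct {
	ClientIDs map[string]string // OAuth client ID per app name
	Bearer    map[string]string // bearer token per app name
}

// BearerForApp is app-scoped: a miss returns "", never another app's token.
func (s *Store) BearerForApp(app string) string { return s.Bearer[app] }

type Auth struct {
	Store    *Store
	App      string
	ClientID string
}

func NewAuth(s *Store, app string) *Auth { return &Auth{s, app, s.ClientIDs[app]} }
func (a *Auth) AppName() string { return a.App }

// WithAppNameStale models the assumed pre-fix defect: an already-set client ID is kept.
func (a *Auth) WithAppNameStale(app string) *Auth {
	a.App = app
	if a.ClientID == "" {
		a.ClientID = a.Store.ClientIDs[app]
	}
	return a
}

// WithAppName always overwrites, so name and credentials cannot disagree.
func (a *Auth) WithAppName(app string) *Auth {
	a.App, a.ClientID = app, a.Store.ClientIDs[app]
	return a
}

func SampleStore() *Store { // constructed data for two apps
	return &Store{
		ClientIDs: map[string]string{"app-a": "id-a", "app-b": "id-b"},
		Bearer:    map[string]string{"app-a": "bearer-a", "app-b": "bearer-b"},
	}
}

func main() {
	stale := NewAuth(SampleStore(), "app-a").WithAppNameStale("app-b")
	fixed := NewAuth(SampleStore(), "app-a").WithAppName("app-b")
	fmt.Println(stale.App, stale.ClientID, "|", fixed.App, fixed.ClientID)
}
```

A regression test for this class of bug should assert on the pairing of app name and credentials after a switch, not on either field alone.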