[codex] fix(cli): clarify zip responsibility

[riderx]

Summary (AI generated)

• Added inline notes that uploaded zip contents are the user's responsibility, not Capgo's.
• Scoped updater package resolution to the project node_modules tree so Bun does not satisfy temp-project checks from this repo's root dependencies.

Motivation (AI generated)

Security advisory triage needed a clear source-level statement for bundle and cloud-build zip archives. The local CLI check also exposed a Bun resolution edge case that would make CI fail after dependencies are installed.

Business Impact (AI generated)

• Makes Capgo's responsibility boundary clearer in the CLI code path that creates zip archives.
• Keeps the CLI validation suite stable, reducing friction for this and future CLI changes.

Test Plan (AI generated)

• bun run --cwd cli test:onboarding-recovery
• bun run cli:check

Summary by CodeRabbit

Release Notes

• Style

  • Updated sidebar navigation button spacing.
  • Adjusted loading spinner sizing on admin replication dashboard.

• Documentation

  • Clarified that uploaded ZIP contents are the user’s responsibility (packaging noted in two CLI areas).

• Changes

  • Admin replication dashboard now uses session-based authentication only.
  • Improved CLI package path-resolution safety when detecting updater installations.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: deabe26b-103f-45b2-a806-baa664835827

📥 Commits

Reviewing files that changed from the base of the PR and between 288f670 and 47baf3f.

📒 Files selected for processing (1)

• src/pages/admin/dashboard/replication.vue

🚧 Files skipped from review as they are similar to previous changes (1)

• src/pages/admin/dashboard/replication.vue

---

📝 Walkthrough

Walkthrough

Adds path-scoping checks to CLI package resolution, clarifies zip-content responsibility in CLI docs/comments, switches replication dashboard requests to Supabase session token auth only, and applies small Tailwind min-height class adjustments in UI components.

Changes

CLI Path Resolution Safety and Zip Responsibility

Layer / File(s)	Summary
Path Utilities Import cli/src/init/updater.ts	Node path module now imports relative, resolve, and absolute-path detection utilities for new validation logic.
Path Validation Helper Functions cli/src/init/updater.ts	Two helpers added: isPathInside() checks if a path resides within another (rejecting upward traversal), and isResolvedFromProjectNodeModules() verifies a resolved package path is under project node_modules.
Package Resolution with Validation cli/src/init/updater.ts	readInstalledPackageVersion() now validates that createRequire().resolve() results are scoped to the project's node_modules; invalid resolutions throw and fall back to direct scanning.
Zip Contents Responsibility Documentation cli/src/build/request.ts, cli/src/utils.ts	Documentation blocks and inline comments clarify that Capgo packages user-provided files as-is and zip contents are the user's responsibility.

Replication Dashboard Auth Migration and UI Styling

Layer / File(s)	Summary
Supabase Session-Only Authentication src/pages/admin/dashboard/replication.vue	loadReplicationStatus() refactored to remove internal replication API secret fallback (apisecret header) and now exclusively uses Supabase session access token, throwing if unavailable.
Component Minimum Height Updates src/components/Sidebar.vue, src/pages/admin/dashboard/replication.vue	Sidebar nav button min-height changed from min-h-[44px] to min-h-11; replication loading spinner container changed from min-h-[300px] to min-h-80.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Cap-go/capgo#2003: Also touches cli/src/build/request.ts and zip handling; focuses on pnpm path-rewriting logic.

Poem

🐰 Paths checked in the midnight light,
Packages scoped safe, tucked in tight,
Tokens now gate the replication door,
Heights trimmed small, styles restore,
Zip contents hop home — your files, your flight.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description includes a summary of changes and motivation, but is missing key required sections: the formal 'Test plan' section with reproducible steps and the checklist.	Add the formal 'Test plan' section with clear reproduction steps and complete the checklist by marking applicable items with an [x].
Docstring Coverage	⚠️ Warning	Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title '[codex] fix(cli): clarify zip responsibility' clearly summarizes the main changes: clarifying that zip contents are the user's responsibility in the CLI code.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/zip-content-responsibility-comment

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch codex/zip-content-responsibility-comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 43 untouched benchmarks
⏩ 2 skipped benchmarks¹

---

_{Comparing codex/zip-content-responsibility-comment (d2eea05) with main (f049883)}

Footnotes

1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[riderx]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/pages/admin/dashboard/replication.vue`:
- Around line 111-112: The thrown error message referencing the replication
secret is stale; update the check that uses session?.access_token (the if
(!session?.access_token) throw new Error(...)) to throw a clear, accurate
message like "No active session (missing or expired); please sign in again" or
similar that directs the user to re-authenticate rather than mentioning the
replication secret.
- Line 205: The Tailwind utility class "min-h-75" used in the template's
conditional div (the element with v-else-if="isLoading && !data") is invalid;
replace "min-h-75" with a valid token such as "min-h-80" (or "min-h-72") in that
element's class list so the component uses a supported Tailwind min-height
utility.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1a3a8983-c4ec-4a6c-974d-a7011be2388b

📥 Commits

Reviewing files that changed from the base of the PR and between dcd0dd6 and 288f670.

📒 Files selected for processing (5)

• cli/src/build/request.ts
• cli/src/init/updater.ts
• cli/src/utils.ts
• src/components/Sidebar.vue
• src/pages/admin/dashboard/replication.vue

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud