Expand CLI with 15 new commands and refactored architecture #1

Open
macrivello wants to merge 2 commits into main from cli-commands-expansion

@macrivello (Owner)

Summary

  • Add 15 new commands: validate, review, subtasks, tasks, context, next, agent, cleanup, pr-comment, pr-push, pr-ready, pr-review, ticket-comment, ticket-create, ticket-update
  • Refactor merge, pr, start, and ticket commands with expanded functionality
  • Add external model integration (codex/gemini), hierarchy validation, platform mapping, and ticket file utilities
  • Remove old per-command skill files in favor of consolidated skills (PR Consolidate skills into workon-flow and workon-delivery #2)

Test plan

  • npm run build compiles without errors
  • workon --help shows all new commands
  • workon validate <id> --deep --json runs structural + semantic analysis
  • workon context shows workflow state
  • workon tasks --status "ready for eng" lists filtered tasks

🤖 Generated with Claude Code

Add validate, review, subtasks, tasks, context, next, agent, cleanup,
pr-comment, pr-push, pr-ready, pr-review, ticket-comment, ticket-create,
and ticket-update commands. Refactor merge, pr, start, and ticket commands
with expanded functionality. Add external model integration, hierarchy
validation, platform mapping, and ticket file utilities. Remove old
per-command skill files in favor of consolidated skills (next PR).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@macrivello (Owner, Author) left a comment

All findings below have been addressed in 2db783d.

## Critical (must fix before merge)

  1. Command Injection in ui.ts:50-54 — fixed: uses shell-quote parser
  2. Command Injection in pr.ts:81 — fixed: uses spawn() with array args
  3. Race Condition in agent.ts:50-51 — fixed: persists state to ~/.workon/agent-state.json
  4. Missing Input Validation in circleci.ts:74 — fixed: branch name regex validation

## High Priority

  1. Unbounded stdin in stdin.ts:28 — fixed: 10MB max size limit
  2. Unsanitized AI output in validate.ts:228 — fixed: HTML stripping + length truncation
  3. Silent error swallowing in validate.ts:155 — fixed: console.error on failures
  4. Missing branch validation in github.ts:295 — fixed: regex validation before push

-agent:code-reviewer:claude-opus-4-6

- Fix command injection in ui.ts (use shell-quote instead of split)
- Fix command injection in pr.ts (use spawn with array args)
- Fix agent.ts race condition (persist processed IDs to disk)
- Add branch name validation in circleci.ts and github.ts
- Add stdin size limit in stdin.ts (10MB max)
- Sanitize AI output in validate.ts (strip HTML, truncate)
- Add error logging for failed ClickUp comments in validate.ts

Co-Authored-By: agent(claude-opus-4-6) <agent@noreply>
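
Added example (not part of this PR or the workon code base): a minimal Node.js sketch of the two fixes named above for pr.ts and github.ts/circleci.ts, an allow-list check on the branch name followed by `spawn()` with an argument array instead of a shell string. The regex, the function names and the sample inputs are assumptions constructed for illustration; the PR's actual pattern is not shown on this page.

```javascript
// Added illustration: all names below are hypothetical, not from the PR.

// Allow-list for branch names (assumed pattern; the PR's regex is not shown).
// First character must be alphanumeric, so "-x" can never be read as a flag.
const BRANCH_RE = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,199}$/;

function isSafeBranch(name) {
  if (typeof name !== 'string' || !BRANCH_RE.test(name)) return false;
  // Some forms git itself rejects in ref names.
  if (name.includes('..') || name.includes('//')) return false;
  return !(name.endsWith('/') || name.endsWith('.') || name.endsWith('.lock'));
}

// "Before" pattern: one string, later parsed by a shell, so ; | && $() in
// the branch value become shell syntax instead of data.
function buildShellString(branch) {
  return `git push origin ${branch}`;
}

// "After" pattern: validated value placed in an argv array.
function buildPushArgv(branch) {
  if (!isSafeBranch(branch)) {
    throw new Error(`invalid branch name: ${JSON.stringify(branch)}`);
  }
  return ['push', 'origin', branch];
}

// Runs git without a shell; each array element reaches git as one argument.
async function pushBranch(branch) {
  const argv = buildPushArgv(branch); // throws before anything is spawned
  const { spawn } = await import('node:child_process');
  return new Promise((resolve, reject) => {
    const child = spawn('git', argv, { shell: false, stdio: 'inherit' });
    child.on('error', reject);
    child.on('close', resolve);
  });
}

// Constructed sample inputs: one normal name, three hostile ones.
function classify(names) {
  return names.map((n) => ({ name: n, ok: isSafeBranch(n), shell: buildShellString(n) }));
}
const SAMPLES = ['feature/CU-123-add-cli', 'main; echo INJECTED', '--force', 'a..b'];
```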