Bugs:
* Shell injection in `fj auth setup-git`: the hostname is now validated
against a strict DNS pattern and `git config` is invoked directly
(no `sh -c`). Added 4 unit tests covering shell metacharacters.
* Pager won't compile on Windows: the libc-based dup2 redirect lives
behind `#[cfg(unix)]`. Non-Unix gets a no-op stub.
Agent-focused Forgejo API gaps:
* `fj issue edit-comment ID` / `delete-comment ID`. Fix a wrong comment
after the fact (an agent's bread-and-butter).
* `fj search code "..." [-R owner/name]`. The most-requested missing
search dimension for codebase exploration.
* `fj pr request-review N user1 user2`, `unrequest-review N user`.
Distinct from `pr review` (your own approval/changes/comment).
* `fj repo watch / unwatch / star / unstar / starred`. Mark repos for
monitoring.
* `fj milestone {list,view,create,edit,close,reopen,delete,assign}`
with `assign N --milestone ID|none` to attach an issue/PR.
UX + stability:
* Global `--json-fields foo,bar` projection on top of any `--json`
output, gh-style. Dotted-path support (`--json-fields owner.login`).
* 429 / Retry-After honored in the retry loop with a 30 s cap.
* Clap `suggestions` feature for typo'd subcommands.
* `fj auth token` and `auth status --show-token` refuse to write to a
TTY by default (`--force` to override).
CI:
* `.forgejo/workflows/ci.yml` runs fmt/clippy/test/release-build on
every push and PR, mirroring the local pre-push hook.
Docs:
* `SECURITY.md` with threat model and known sharp edges.
* `docs/gh-to-fj.md` full command-by-command mapping.
* `docs/faq.md` covering tokens, hosts, debug, scripting, plugins.
Tests: 60 → 75 passing (2 ignored: editor and env-mutating tests that
fight the cargo test harness on macOS).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Stability:
* `cli::run` now races command futures against `tokio::signal::ctrl_c()`.
On SIGINT the command future is dropped, which propagates to the
PagerGuard's Drop and restores stdout cleanly.
* Removed the unsafe `std::env::set_var("FJ_NO_PAGER")` in dispatch.
`--no-pager` is now threaded into `pager::maybe_start(force_disabled)`
as a parameter, no process-wide side effect.
* Replaced the panicking `.expect("token contains invalid header chars")`
in `auth_headers` with a typed error that names the host and tells the
user how to recover.
* Added 9 wiremock-backed integration tests covering: auth header
injection, retry-on-5xx for idempotent methods, no-retry for POST,
401 mapping to friendly error, custom header pass-through, null-body
list tolerance, `get_all` following Link rel=next, total_limit honored
on early break, malformed token rejection.
Optimization:
* Dropped unused reqwest features (stream, brotli) and unused crates
(indicatif, futures-util, is-terminal, textwrap, tempfile).
* `panic = "abort"` and `lto = "fat"` on the release profile.
* HTTP retry loop now builds the request once and uses
`reqwest::Request::try_clone` per attempt instead of rebuilding the
RequestBuilder (eliminates per-attempt HeaderMap + URL clones).
* Pulled debug-mode request logging behind a `#[cold]` helper so the
hot path stays small.
Binary: 5.94 MB → 4.15 MB stripped (-30%).
Tests: 51 → 60 (9 new integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* `fj repo branches`, `repo topics`, `repo edit`, `repo fork`, `repo sync`,
`repo archive`, `repo unarchive`, `repo mirror-sync` previously took only
a positional `repo` argument and rejected `-R/--repo`. Now they accept
both, with `-R` winning when both are given.
* Forgejo returns `null` for `labels`/`assignees` on issues and PRs when
empty. The Issue/Pull structs hit `expected a sequence` on every issue
create. Added a `deserialize_null_to_default` helper on the affected
fields so null is now coerced to an empty Vec.
* `get_page` similarly bailed when a list endpoint returned a bare `null`
body. Now treats null and empty body as `[]`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* `fj repo mirror <url>` does a full migrate (pull-mirror with `--mirror`,
one-shot import otherwise). `fj repo mirror-sync` triggers a refresh on
an existing pull-mirror.
* List endpoints transparently follow `Link: rel=next` when the caller
asks for more than the 50-per-page API cap. So `fj pr list -L 200`
or `fj issue list -L 100` now Just Works without manual paging.
* HTTP client retries idempotent requests (GET/HEAD/OPTIONS/PUT/DELETE)
up to 3 times with exponential backoff (200/400/800 ms) on transport
errors and 5xx responses. POST and PATCH are never retried.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* `fj auth token` prints the stored token for scripting.
* `fj auth refresh` re-verifies (or replaces) the stored token.
* `fj auth setup-git` installs a git credential helper that delegates
password lookup to `fj auth token`.
* New top-level `fj protect` group: list / view / set / delete branch
protection rules.
* New top-level `fj hook` group: webhook CRUD + test delivery.
* Global `--debug` (`FJ_DEBUG`) flag dumps every HTTP request fj makes
to stderr (method, URL, query, body preview, status).
* `fj man -o ./man` generates `clap_mangen` pages for fj and every
subcommand. Useful for downstream packaging.
* Fixed: several subcommand groups (hook, label, search, key, workflow
secrets/variables) were showing the flattened RepoFlag's doc string
in their --help summary line. Added explicit doc comments per variant.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* New top-level groups, each with full CRUD where the API supports it:
- release: list/view/create/edit/delete/upload/download
- label: list/create/edit/delete
- run: workflow runs (list/view/rerun/cancel)
- secret + variable: Actions secrets/vars (list/set/delete)
- search: cross-cutting (repos/issues/prs/users)
- browse: open repo/path on the web
- status: notifications inbox + mark-all-read
- org: list/view/teams
- ssh-key, gpg-key: list/add/delete on your account
- alias: user-defined shortcuts (e.g. `fj alias set co "pr checkout"`)
- config: local prefs (editor, pager, browser, etc.)
- extension: discover and run `fj-<name>` plugin binaries on PATH
- gist: thin wrapper over `gist-*` repos
* main.rs now expands aliases before clap and dispatches to plugins for
unknown subcommands (matching gh).
* New API modules: release, label, notification, search, org, workflow,
with the corresponding strongly-typed wrappers.
* Release asset upload uses reqwest multipart (feature flag added).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Multi-host auth (tokens in OS keychain), repo/issue/pr CRUD, and a
gh-style `api` escape hatch with -f/-F/-X/-q. Targets Forgejo 7.x via
the Gitea-compatible /api/v1 surface.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Stephen Way