Bugs:
* Shell injection in `fj auth setup-git`: the hostname is now validated
against a strict DNS pattern and `git config` is invoked directly
(no `sh -c`). Added 4 unit tests covering shell metacharacters.
* Pager won't compile on Windows: the libc-based dup2 redirect lives
behind `#[cfg(unix)]`. Non-Unix gets a no-op stub.
Agent-focused Forgejo API gaps:
* `fj issue edit-comment ID` / `delete-comment ID`. Fix a wrong comment
after the fact (an agent's bread-and-butter).
* `fj search code "..." [-R owner/name]`. The most-requested missing
search dimension for codebase exploration.
* `fj pr request-review N user1 user2`, `unrequest-review N user`.
Distinct from `pr review` (your own approval/changes/comment).
* `fj repo watch / unwatch / star / unstar / starred`. Mark repos for
monitoring.
* `fj milestone {list,view,create,edit,close,reopen,delete,assign}`
with `assign N --milestone ID|none` to attach an issue/PR.
UX + stability:
* Global `--json-fields foo,bar` projection on top of any `--json`
output, gh-style. Dotted-path support (`--json-fields owner.login`).
* 429 / Retry-After honored in the retry loop with a 30 s cap.
* Clap `suggestions` feature for typo'd subcommands.
* `fj auth token` and `auth status --show-token` refuse to write to a
TTY by default (`--force` to override).
CI:
* `.forgejo/workflows/ci.yml` runs fmt/clippy/test/release-build on
every push and PR, mirroring the local pre-push hook.
Docs:
* `SECURITY.md` with threat model and known sharp edges.
* `docs/gh-to-fj.md` full command-by-command mapping.
* `docs/faq.md` covering tokens, hosts, debug, scripting, plugins.
Tests: 60 → 75 passing (2 ignored: editor and env-mutating tests that
fight the cargo test harness on macOS).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Stability:
* `cli::run` now races command futures against `tokio::signal::ctrl_c()`.
On SIGINT the command future is dropped, which propagates to the
PagerGuard's Drop and restores stdout cleanly.
* Removed the unsafe `std::env::set_var("FJ_NO_PAGER")` in dispatch.
`--no-pager` is now threaded into `pager::maybe_start(force_disabled)`
as a parameter, no process-wide side effect.
* Replaced the panicking `.expect("token contains invalid header chars")`
in `auth_headers` with a typed error that names the host and tells the
user how to recover.
* Added 9 wiremock-backed integration tests covering: auth header
injection, retry-on-5xx for idempotent methods, no-retry for POST,
401 mapping to friendly error, custom header pass-through, null-body
list tolerance, `get_all` following Link rel=next, total_limit honored
on early break, malformed token rejection.
Optimization:
* Dropped unused reqwest features (stream, brotli) and unused crates
(indicatif, futures-util, is-terminal, textwrap, tempfile).
* `panic = "abort"` and `lto = "fat"` on the release profile.
* HTTP retry loop now builds the request once and uses
`reqwest::Request::try_clone` per attempt instead of rebuilding the
RequestBuilder (eliminates per-attempt HeaderMap + URL clones).
* Pulled debug-mode request logging behind a `#[cold]` helper so the
hot path stays small.
Binary: 5.94 MB → 4.15 MB stripped (-30%).
Tests: 51 → 60 (9 new integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* New `output::pager` module spawns `$FJ_PAGER` / `$PAGER` / `less -FRX`
when stdout is a TTY and dup2's our stdout onto its stdin. The
`PagerGuard` restores the original stdout and waits on the child on
drop so all output flushes before exit.
* Wired into the top-level dispatch: list/view/diff/api/search/status
output is now paged automatically. Short output passes through via
`less -F`. Global `--no-pager` flag and `FJ_NO_PAGER` env opt out.
* libc 0.2 added as a small dep (needed for dup/dup2/close).
* Pre-push hook now drains and closes stdin at the top, then runs every
step with `</dev/null`. Previously a test or build could in principle
inherit git push's stdin (the list of refs being pushed) and block
if it ever tried to read it. Adds CARGO_TERM_PROGRESS_WHEN=never so
the progress bar doesn't muddle non-TTY runs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Multi-host auth (tokens in OS keychain), repo/issue/pr CRUD, and a
gh-style `api` escape hatch with -f/-F/-X/-q. Targets Forgejo 7.x via
the Gitea-compatible /api/v1 surface.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Stephen Way