Skip to content

feat: config redesign + severity comparison fix#60

Closed
ajianaz wants to merge 23 commits into
developfrom
feat/config-redesign-and-severity-fix
Closed

feat: config redesign + severity comparison fix#60
ajianaz wants to merge 23 commits into
developfrom
feat/config-redesign-and-severity-fix

Conversation

@ajianaz

@ajianaz ajianaz commented May 31, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Config set writes YAML (not unread TOML that loader ignores)
  • Global + project config with proper priority chain
  • base_url added to config set keys
  • Auth separated into ~/.cora/auth.toml (0o600)
  • Severity comparison fixed — Ord order is Critical(0) < Info(3), so comparison was inverted

Bug Fixes

Critical: Severity comparison inverted

should_block used >= on Ord values, but Critical(0) < Major(1) < Minor(2) < Info(3). This caused:

  • Info-level issues triggering block (3 >= 1 = true)
  • Critical issues NOT triggering block (0 >= 1 = false)
  • "No issues found" output but exit code 2 (filtered issues still set should_block)

Fixed to use <= in all 3 locations.

config set was non-functional

Wrote to ~/.cora/config.toml but loader only reads YAML. Now writes YAML.

Changes

  • 9 source files, +584/-77 lines
  • All 22 Rust tests pass
  • 59/60 integration tests pass (1 test setup edge case, actual behavior correct)

Summary by CodeRabbit

Release Notes

  • New Features

    • Added global configuration support at ~/.cora/config.yaml with configurable priority chain (CLI flags → environment variables → project config → global config → defaults).
    • Added cora config set base_url command support.
    • API keys now stored separately in ~/.cora/auth.toml with secure permissions.
  • Bug Fixes

    • Fixed severity threshold comparison in blocking behavior.
    • Corrected hook mode exit-code behavior.
    • Consistent severity handling across all review paths.
  • Improvements

    • YAML output now omits null/empty values for cleaner configuration display.
    • Automatic migration from legacy configuration format.
  • Documentation

    • Updated configuration and authentication guidance.
    • Added comprehensive configuration redesign documentation.

@coderabbitai

coderabbitai Bot commented May 31, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@ajianaz, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 42 minutes and 18 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 854026b0-fc30-4b4a-9f74-bdd5120c47ea

📥 Commits

Reviewing files that changed from the base of the PR and between 79c6741 and d51983f.

⛔ Files ignored due to path filters (2)
  • Cargo.lock is excluded by !**/*.lock
  • website/static/og.png is excluded by !**/*.png
📒 Files selected for processing (31)
  • .github/actions/cora-review-simple/action.yml
  • .github/actions/cora-review/action.yml
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • CHANGELOG.md
  • CONTRIBUTING.md
  • Cargo.toml
  • README.md
  • docs/CONFIG-REDESIGN.md
  • docs/FEATURE-DESIGN.md
  • src/commands/auth.rs
  • src/commands/config_cmd.rs
  • src/commands/mod.rs
  • src/commands/review.rs
  • src/commands/scan.rs
  • src/config/loader.rs
  • src/config/schema.rs
  • src/engine/review.rs
  • src/formatters/sarif.rs
  • src/git/diff.rs
  • src/main.rs
  • tests/cli_basic.rs
  • tests/config_loading.rs
  • website/src/app.html
  • website/src/routes/docs/cli-reference/+page.svelte
  • website/src/routes/docs/configuration/+page.svelte
  • website/src/routes/docs/examples/+page.svelte
  • website/src/routes/docs/getting-started/+page.svelte
  • website/src/routes/docs/installation/+page.svelte
  • website/src/routes/docs/providers/+page.svelte
  • website/src/routes/docs/usage/+page.svelte
📝 Walkthrough

Walkthrough

This PR introduces a multi-level configuration system with global (~/.cora/config.yaml) and project-level (.cora.yaml) support, implements auto-migration from legacy config files with secrets split to ~/.cora/auth.toml, refactors cora config set with a --global flag for scope control, and corrects severity threshold comparisons across review/scan/blocking paths to consistently interpret thresholds as "block when severity is at-or-above (numerically lower)."

Changes

Config Redesign & Severity Fixes

Layer / File(s) Summary
Configuration Schema & Serialization
src/config/schema.rs
CoraFile and nested *Section structs gain #[serde(skip_serializing_if = "Option::is_none")] attributes on optional fields, so YAML output omits None values for clean config files.
Configuration Loading & Migration System
src/config/loader.rs
New load_global_config() loads ~/.cora/config.yaml, and migrate_old_config() auto-converts legacy ~/.cora/config.toml to YAML (moving secrets to ~/.cora/auth.toml with 0o600 perms), then removes the old file. load_config() chains migration, global merge, project merge, then CLI overrides. cora_dir() is now public.
Configuration Command & CLI Wiring
src/commands/config_cmd.rs, src/main.rs, src/commands/auth.rs
execute_config_set() gains a global: bool parameter, validates keys (including base_url), loads/updates/writes YAML to the appropriate scope (~/.cora/config.yaml or .cora.yaml). CLI flag --global is wired through dispatch. Auth login message updated to reference ~/.cora/auth.toml.
Severity Threshold Logic Corrections
src/engine/review.rs, src/commands/scan.rs, src/commands/review.rs
Blocking logic inverted from severity >= min_severity to severity <= min_severity, correctly interpreting thresholds given Ord: Critical(0) < Major(1) < Minor(2) < Info(3). Comments clarify the expected ordering. Applied to review, scan, and blocking paths.
Configuration Redesign Specification
docs/CONFIG-REDESIGN.md
Design doc specifying the multi-level config merge priority (CLI to env to project to global to defaults), file locations, YAML/auth split, migration strategy, supported keys (including base_url), and implementation plan with risks.
Planned Feature Design
docs/FEATURE-DESIGN.md
Design specs for cora init --interactive (wizard-driven config generation) and cora doctor (health-check validating config, API, git, hooks), targeting v0.2.0.
User & Developer Documentation
README.md, CONTRIBUTING.md
README expanded with cora config set examples, multi-source priority, and new Authentication section. CONTRIBUTING updated to Rust 1.85+, new project structure, and severity test example.
Release Notes
CHANGELOG.md
"Unreleased" section documents global config support, migration, auth/YAML changes, severity fixes, and blocking behavior corrections.

Sequence Diagram

sequenceDiagram
  participant User
  participant CLI as cora config
  participant Execute as execute_config_set
  participant Loader as config loader
  participant Write as YAML write
  User->>CLI: cora config set base_url https://example.com --global
  CLI->>Execute: Call with global flag true
  Execute->>Loader: Check for legacy config.toml
  Loader->>Loader: Migrate TOML to YAML format
  Loader->>Loader: Extract api_key to auth.toml
  Execute->>Write: Load ~/.cora/config.yaml
  Write->>Write: Update provider.base_url field
  Write->>Write: Serialize with skip None
  Write-->>Execute: Write complete
  Execute-->>CLI: Success confirmation
  CLI-->>User: Global config updated
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • ajianaz/cora-cli#43: Modifies cora config command implementation in src/commands/config_cmd.rs and related config handling logic, with direct code-level overlap in the same functions being refactored here.

Poem

🐰 A rabbit's ode to config clarity:

Global, project, CLI dance—
YAML files in harmony prance,
Severity thresholds flip with cheer,
Secrets migrate, legacy gone dear,
Configuration blooms in order at last!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the two main changes: the configuration system redesign (global/project config, YAML support, auth file separation) and the severity comparison fix.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/config-redesign-and-severity-fix

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

Copy link
Copy Markdown

🔍 Cora AI Code Review

Blocked — critical issues found.

🔴 Error (6)

  • src/config/loader.rs:100 — In migrate_old_config(), the API key is interpolated directly into a TOML string using format!("api_key = \"{key}\"\n"). If the API key contains special characters like " or \, the resulting TOML will be malformed or could be exploited to inject arbitrary TOML configuration. The key should be properly escaped or written using a TOML serialization library.
  • src/config/loader.rs:88 — The migrate_old_config() function is called inside load_config(), which is invoked on every command execution. While it checks for the old file's existence, it still does filesystem I/O (stat, potentially read/parse/write/delete) on every invocation. There's no marker to indicate migration has already been attempted or completed. If migration partially fails (e.g., writes auth.toml but fails to delete old file), it will re-attempt on every run.
  • src/config/loader.rs:155 — The migration code only handles known fields (provider, output, hook). Any custom or future fields in the old config.toml are silently discarded. If a user had custom fields, they would be lost after migration with no warning to the user.
  • src/commands/config_cmd.rs:139 — When writing to ~/.cora/config.yaml (global config), no file permissions are set. While this file shouldn't contain secrets, the old config.toml migration code does set 0o600 on auth.toml. The global config could potentially be written with world-readable permissions. For consistency and defense-in-depth, consider restricting permissions.
  • src/commands/config_cmd.rs:110 — When global is false, the code writes to PathBuf::from(".cora.yaml") in the current working directory. There's no check whether the user is actually in a project directory. This could create orphan .cora.yaml files anywhere (e.g., home directory, /tmp). The design doc mentions it should require being inside a git project.
  • src/engine/review.rs:70 — The diff changes >= to <= for severity comparison in multiple places (review.rs, scan.rs, engine/review.rs). The comment says Critical(0) < Major(1) < Minor(2) < Info(3), meaning lower Ord value = more severe. So severity <= min_severity means 'more severe than threshold', which is correct for filtering. However, this is a behavior change — the old code used >= which would have been wrong. This is actually a bug FIX, but it's a breaking behavioral change that could surprise users who relied on the old (incorrect) behavior. The severity enum's Ord derivation should be verified to ensure the ordering assumption is correct.

Review powered by cora-cli · BYOK · MIT

ajianaz pushed a commit that referenced this pull request May 31, 2026
- Fix API key TOML injection: use toml::Table instead of format!()
- Add migration marker (.migrated) to prevent repeated filesystem I/O
- Restrict global config file permissions to 0600
- Guard project config set: require git repo (no orphan files)

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/CONFIG-REDESIGN.md`:
- Around line 13-15: The fenced code block containing "CLI flags → CORA_* env
vars → .cora.yaml (project) → ~/.cora/config.yaml (global) → Defaults" in
docs/CONFIG-REDESIGN.md needs a language hint to satisfy markdownlint MD040;
update that fenced block to start with ```text (i.e., add the language specifier
"text" after the opening backticks) so the block becomes a text-marked fenced
code block.

In `@docs/FEATURE-DESIGN.md`:
- Around line 26-63: The markdown file contains fenced code blocks without
language tags that trigger MD040; update the two shown code fences (the cora
init and cora doctor examples) to include a language tag (e.g., change ``` to
```bash) and apply the same fix to the other occurrences flagged (lines 91–120)
so every fenced block declares a language (bash or text) to satisfy the linter.
- Line 126: Update the doctor check table entry that currently reads "| 1 |
Config file found | error | Looks for `.cora.yaml` or
`~/.config/cora/config.yaml` |" to use the new global config path; replace
`~/.config/cora/config.yaml` with `~/.cora/config.yaml` so the row reads
something like "| 1 | Config file found | error | Looks for `.cora.yaml` or
`~/.cora/config.yaml` |", ensuring the doc matches the redesigned config spec.

In `@README.md`:
- Around line 221-223: The fenced code block containing "CLI flags → CORA_* env
vars → .cora.yaml (project) → ~/.cora/config.yaml (global) → defaults" is
missing a language tag; update that markdown fence from ``` to ```text (or
another appropriate language like ```console) so the block reads ```text
followed by the same line and closing ``` to satisfy markdownlint MD040 and
preserve formatting.
- Around line 328-329: The curl command uses an unversioned asset name
("cora-x86_64-unknown-linux-gnu.tar.gz") under the "/releases/latest/download/"
path which may not exist; update the README to reference a specific release
asset or dynamically resolve the latest asset. Replace the hardcoded filename
with either a versioned file (e.g., use the actual tag like
"cora-vX.Y.Z-x86_64-unknown-linux-gnu.tar.gz") or show a safe approach to fetch
the latest asset URL (e.g., using the GitHub API or a small curl+grep pipeline
to discover the actual filename) so the mv/install steps target an existing
artifact.

In `@src/commands/config_cmd.rs`:
- Around line 114-131: The code currently uses
CoraFile::from_str(&content).unwrap_or_default() which silently discards the
existing config on parse errors; change this to explicitly handle parse failures
for the CoraFile load (the variable cora and the parsed path content): attempt
CoraFile::from_str(&content) and on Err either return an error with context
(e.g., propagate with a meaningful message including path.display()) or log/warn
the user and abort, rather than falling back to CoraFile::default(); ensure any
error uses with_context/map_err so the failure mentions the failing file and
parse error.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 949e8d06-b664-48f7-8870-94cb73fa6e0e

📥 Commits

Reviewing files that changed from the base of the PR and between 3bf8dc6 and 79c6741.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (13)
  • CHANGELOG.md
  • CONTRIBUTING.md
  • README.md
  • docs/CONFIG-REDESIGN.md
  • docs/FEATURE-DESIGN.md
  • src/commands/auth.rs
  • src/commands/config_cmd.rs
  • src/commands/review.rs
  • src/commands/scan.rs
  • src/config/loader.rs
  • src/config/schema.rs
  • src/engine/review.rs
  • src/main.rs

Comment thread docs/CONFIG-REDESIGN.md
Comment on lines +13 to +15
```
CLI flags → CORA_* env vars → .cora.yaml (project) → ~/.cora/config.yaml (global) → Defaults
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language hint to the fenced code block.

This fence is missing a language specifier (text is sufficient) and will fail markdownlint MD040.

Suggested patch
-```
+```text
 CLI flags → CORA_* env vars → .cora.yaml (project) → ~/.cora/config.yaml (global) → Defaults
</details>

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

```suggestion

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 13-13: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/CONFIG-REDESIGN.md` around lines 13 - 15, The fenced code block
containing "CLI flags → CORA_* env vars → .cora.yaml (project) →
~/.cora/config.yaml (global) → Defaults" in docs/CONFIG-REDESIGN.md needs a
language hint to satisfy markdownlint MD040; update that fenced block to start
with ```text (i.e., add the language specifier "text" after the opening
backticks) so the block becomes a text-marked fenced code block.

Comment thread docs/FEATURE-DESIGN.md
Comment on lines +26 to +63
```
$ cora init -i

🚀 Welcome to Cora! Let's set up your project.

? Select a provider:
> OpenAI
Anthropic
Groq
Ollama (local)
Google
Custom (OpenAI-compatible)

? Model name (default: gpt-4o-mini): glm-5.1

? Base URL (default: https://api.openai.com/v1): https://litellm:4000

? API key: **** (or leave blank to use CORA_API_KEY env var)

? Review focus areas (space to toggle, enter to confirm):
[✓] security
[✓] performance
[ ] bugs
[ ] best_practice
[ ] style
[ ] maintainability

? Pre-commit hook mode:
> warn (print findings but allow commit)
block (fail commit on findings above threshold)

✅ Created .cora.yaml with your settings.
✅ Pre-commit hook installed.

Next steps:
cora review # Review staged changes
cora scan # Scan the full project
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fenced examples need language tags for markdownlint.

Both fenced blocks should declare a language (bash or text) to satisfy MD040.

Suggested patch
-```
+```bash
 $ cora init -i
 ...

@@
- +bash
$ cora doctor
...

Also applies to: 91-120

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 26-26: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/FEATURE-DESIGN.md` around lines 26 - 63, The markdown file contains
fenced code blocks without language tags that trigger MD040; update the two
shown code fences (the cora init and cora doctor examples) to include a language
tag (e.g., change ``` to ```bash) and apply the same fix to the other
occurrences flagged (lines 91–120) so every fenced block declares a language
(bash or text) to satisfy the linter.

Comment thread docs/FEATURE-DESIGN.md

| # | Check | Severity | What it does |
|---|-------|----------|-------------|
| 1 | Config file found | error | Looks for `.cora.yaml` or `~/.config/cora/config.yaml` |

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use the new global config path in doctor checks.

The check table still points to ~/.config/cora/config.yaml, but this redesign uses ~/.cora/config.yaml. Please align this to avoid contradicting the config spec.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/FEATURE-DESIGN.md` at line 126, Update the doctor check table entry that
currently reads "| 1 | Config file found | error | Looks for `.cora.yaml` or
`~/.config/cora/config.yaml` |" to use the new global config path; replace
`~/.config/cora/config.yaml` with `~/.cora/config.yaml` so the row reads
something like "| 1 | Config file found | error | Looks for `.cora.yaml` or
`~/.cora/config.yaml` |", ensuring the doc matches the redesigned config spec.

Comment thread README.md
Comment on lines +221 to +223
```
CLI flags → CORA_* env vars → .cora.yaml (project) → ~/.cora/config.yaml (global) → defaults
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language specifier to this fenced block.

This block is missing a language tag and triggers markdownlint MD040.

Suggested patch
-```
+```text
 CLI flags → CORA_* env vars → .cora.yaml (project) → ~/.cora/config.yaml (global) → defaults
</details>

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

[warning] 221-221: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @README.md around lines 221 - 223, The fenced code block containing "CLI
flags → CORA_* env vars → .cora.yaml (project) → ~/.cora/config.yaml (global) →
defaults" is missing a language tag; update that markdown fence from totext (or another appropriate language like console) so the block reads text followed by the same line and closing ``` to satisfy markdownlint MD040
and preserve formatting.


</details>

<!-- fingerprinting:phantom:triton:hawk -->

<!-- This is an auto-generated comment by CodeRabbit -->

Comment thread README.md
Comment on lines +114 to 131
// Determine target path
let path = if global {
let dir = loader::cora_dir()?;
std::fs::create_dir_all(&dir)
.with_context(|| format!("failed to create {}", dir.display()))?;
dir.join("config.yaml")
} else {
PathBuf::from(".cora.yaml")
};

// Load existing config.toml content if it exists
let mut table = if path.is_file() {
// Load existing file or start fresh
let mut cora = if path.is_file() {
let content = std::fs::read_to_string(&path)
.with_context(|| format!("failed to read {}", path.display()))?;
content.parse::<toml::Table>().unwrap_or_default()
CoraFile::from_str(&content).unwrap_or_default()
} else {
toml::Table::new()
CoraFile::default()
};

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Silent data loss on config parse failure.

If the existing config file has a YAML syntax error, CoraFile::from_str fails and unwrap_or_default() silently replaces the entire config with an empty default. Other valid config entries in the file would be lost without warning.

Consider warning the user or returning an error when the existing config cannot be parsed.

Proposed fix to warn on parse failure
     // Load existing file or start fresh
     let mut cora = if path.is_file() {
         let content = std::fs::read_to_string(&path)
             .with_context(|| format!("failed to read {}", path.display()))?;
-        CoraFile::from_str(&content).unwrap_or_default()
+        match CoraFile::from_str(&content) {
+            Ok(c) => c,
+            Err(e) => {
+                eprintln!(
+                    "{} Config file {} has syntax errors: {}",
+                    "⚠️".yellow(),
+                    path.display(),
+                    e
+                );
+                eprintln!("   Creating new config (existing values will be lost).");
+                CoraFile::default()
+            }
+        }
     } else {
         CoraFile::default()
     };
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/commands/config_cmd.rs` around lines 114 - 131, The code currently uses
CoraFile::from_str(&content).unwrap_or_default() which silently discards the
existing config on parse errors; change this to explicitly handle parse failures
for the CoraFile load (the variable cora and the parsed path content): attempt
CoraFile::from_str(&content) and on Err either return an error with context
(e.g., propagate with a meaningful message including path.display()) or log/warn
the user and abort, rather than falling back to CoraFile::default(); ensure any
error uses with_context/map_err so the failure mentions the failing file and
parse error.

CTO Hermes and others added 22 commits May 31, 2026 22:52
Flags added:
- review --commit <ref>: review git commit/range
- review --diff-file <path>: review from diff file
- review --quiet: suppress non-essential output
- review --severity <level>: filter by min severity
- scan --focus <areas>: override focus areas
- config show: display resolved config
- config set <key> <value>: update config values

Documentation fixes:
- README: cargo install cora-cli, fix config path, remove
  non-existent flags (--branch, --full, --commit HEAD),
  remove Homebrew (tap doesn't exist), fix env vars table
- Website docs: fix all 10 inconsistencies across 7 pages
- Fix test version assertion (use env var, not hardcoded)

Fixes version test to use CARGO_PKG_VERSION env var
- Runs after check/fmt/clippy/test pass
- Uses Infisical OIDC for LLM API key (CORA_API_KEY, CORA_PROVIDER, CORA_BASE_URL, CORA_MODEL)
- Reviews diff against origin/develop with --severity major --quiet
- Uploads SARIF to GitHub Code Scanning (block-capable)
- Posts PR comment with grouped issues (update existing comment on re-run)
- Checks for blocking issues (error-level) to fail the check
- Only runs on pull_request events (not push to main)
- Added permissions: security-events, pull-requests, id-token
- Remove 'invocation' from runs root (not allowed by GitHub validator)
- Remove 'helpUri: null' from rules (must be string or omitted)
- Add 'artifactChanges' to fixes (SARIF 2.1.0 required property)
- Deduplicate rules by id
- Remove unused chrono::Utc import
- Upgrade CodeQL upload action v3 → v4
- Move Infisical identity-id to secret (INFISICAL_IDENTITY_ID)
- Remove 2>&1 redirect (was mixing stderr into SARIF JSON)
- Remove || true (was masking failures)
- Guard SARIF upload with hashFiles check
- Create .github/actions/cora-review/action.yml
  - Configurable: base-branch, severity, infisical settings
  - Handles: SARIF upload, PR comment (update existing), blocking check
  - Suppresses cargo build noise (2>/dev/null)
  - No GITHUB_STEP_SUMMARY branding pollution
- Slim ci.yml: cora-review job now 5 lines (uses composite action)
- Fix duplicate 'error' in blocking check python script
- Remove || true (was masking failures silently)
- Remove 2>/dev/null from cargo build (show build errors)
- Keep 2>/dev/null on cora output only (prevent stderr corrupting SARIF)
- Add echo for review completion status
Removed (0 uses each):
- owo-colors (duplicate of colored)
- thiserror (using anyhow instead)
- chrono (no longer needed after SARIF fix)

Replaced:
- serde_yaml (deprecated) → serde_yml (maintained fork)

Optimized:
- tokio: 'full' → 'rt-multi-thread,macros' (unused features removed)

Results:
- Build time: 2m52s → 1m03s (-56%)
- Transitive deps: 393 → 377 (-16)
- 151 tests pass
serde_yml itself is deprecated. serde_yaml_ng v0.10 is the
community-maintained fork with stable API.

151 tests pass.
Release binary now packaged as 'cora' (not target triple) inside tar.
Updated release notes template to match new naming.
Synced cora-review action with consumer repos:
- Download from releases (not build from source)
- cora-version default: 'latest'
- SARIF upload: optional (default false)

Co-authored-by: CTO Hermes <cto-hermes@users.noreply.github.com>
Co-authored-by: CTO Hermes <cto-hermes@users.noreply.github.com>
- Add website link (codecora.dev) to README header
- Rewrite CI/CD Integration section with full setup guide
- Add cora-review-simple action (GitHub Secrets, no Infisical)
- Fix cora-review action: add latest version resolve step
- Add troubleshooting section with real-world pitfalls
- Add comparison table: cora-review vs cora-review-simple
Co-authored-by: CTO Hermes <cto-hermes@users.noreply.github.com>
…tructure (#58)

Co-authored-by: CTO Hermes <cto-hermes@users.noreply.github.com>
- config set now writes YAML (not unread TOML)
- support project (.cora.yaml) and global (~/.cora/config.yaml) config
- config set --global flag for global config
- add base_url to config set keys
- auth writes to separate ~/.cora/auth.toml (0o600)
- config show displays resolved config with priority chain
- skip_serializing_if on all Option fields (no more null in YAML)
- fix severity comparison: Ord is Critical(0)<Major(1)<Minor(2)<Info(3),
  so 'at or above min_severity' uses <= not >=
- fix should_block in engine/review.rs and commands/scan.rs
- fix display filter in commands/review.rs (consistent direction)
- add config set --help, --global flag
- design docs: CONFIG-REDESIGN.md, FEATURE-DESIGN.md
…verity fix

- Fix global config path (~/.config/cora → ~/.cora/config.yaml)
- Document --global flag, base_url key, config priority chain
- Add Authentication section with auth.toml details
- Update CI/CD section with composite action example
- Fix CONTRIBUTING: Rust version, project structure, test example
- Add Unreleased changelog entry for all changes
- Fix API key TOML injection: use toml::Table instead of format!()
- Add migration marker (.migrated) to prevent repeated filesystem I/O
- Restrict global config file permissions to 0600
- Guard project config set: require git repo (no orphan files)
@ajianaz
ajianaz force-pushed the feat/config-redesign-and-severity-fix branch from e827bdf to b64d401 Compare May 31, 2026 15:52
@ajianaz ajianaz closed this May 31, 2026
@ajianaz ajianaz reopened this May 31, 2026
@ajianaz ajianaz closed this May 31, 2026
ajianaz pushed a commit that referenced this pull request May 31, 2026
- Fix API key TOML injection: use toml::Table instead of format!()
- Add migration marker (.migrated) to prevent repeated filesystem I/O
- Restrict global config file permissions to 0600
- Guard project config set: require git repo (no orphan files)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant