fix: comprehensive code review fixes across security, correctness, and robustness (#131)

* feat: comprehensive CLI improvements across security, MCP, UX, HTTP, and distribution

Phase 1 (Security): Redact token from debug logs, add HTTP timeouts,
add 10MB response body limits, fix remediate_finding silent error bug.

Phase 2 (MCP): Add unified abstract tools (search/get/triage/ticket/events/fix),
ToolSet flag (default/all/minimal/findings/admin), 5 new prompts, 2 new resources.

Phase 3 (UX): Move generated commands under `nullify api`, add new commands
(scan, fix, open, repos, whoami, version), concurrent API calls via errgroup,
output consistency with --output flag, --quiet/--no-color flags, help examples.

Phase 4 (HTTP): User-Agent header, retry with exponential backoff, fix env var
precedence, refreshing auth transport for MCP sessions, shared apierror package,
distinct exit codes.

Phase 5 (Distribution): Homebrew tap config, `nullify update` command, SARIF
output format, enhanced `nullify version` with build metadata.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address critical and high issues from code review

- Buffer request body in retry transport to prevent empty bodies on retry
- Clone request in RoundTrip to avoid mutating the original (both transports)
- Fix generator template missing api. prefix logic for host
- Strip api. prefix in open.go to navigate to dashboard, not API
- Remove unnecessary mutex in findings.go (goroutines write to distinct indices)
- Use DoPost instead of DoGet for mutation operations in fix.go
- Fix Content-Type check in apierror to use HasPrefix for charset variants
- Sort finding type names for deterministic MCP tool enum ordering
- Parallelize ci report API calls with errgroup
- Use structured exit codes (ExitAuthError) instead of bare os.Exit(1)
- Remove misleading _ = token in mcp.go, validate auth inline

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address code review findings across security, correctness, and robustness

Critical fixes:
- Fix broken refresh token flow: send token as HTTP cookie instead of query param
  to match backend expectation (security-droid reads from cookie)
- Fix GITHUB_ACTION_REPOSITORY → GITHUB_REPOSITORY (non-standard env var)
- Add url.PathEscape for finding IDs in all URL path interpolations (MCP, CLI)
- Replace bare http.Get with http.NewRequestWithContext for proper timeout/context
- URL-encode GitHub token and owner in token exchange request

Security & correctness:
- Fix retry transport to respect context cancellation (select on ctx.Done)
- Fix file handle leak in openapi.go (missing defer Close)
- Fix openapi.go nil,nil return to return descriptive error
- SanitizeNullifyHost now delegates to ParseCustomerDomain, accepting
  'acme', 'acme.nullify.ai', and 'api.acme.nullify.ai' formats
- Strip path/query from host input, validate hostname characters
- Add severity-threshold validation in ci gate command
- Mark pentest --spec-path as required flag

Exit codes & UX:
- Use ExitAuthError(2) for auth failures, ExitNetworkError(3) for API errors,
  ExitFindings(1) for gate failures across all commands
- Fix ci report to use limit=1000 for accurate counts (was limit=1)
- Fix "1 findings" → "1 finding" singular form in status output
- Fix auth token command to print trailing newline
- Add periodic "still waiting" message during login authentication
- Improve auth config error message

Architecture & deduplication:
- Deduplicate buildQueryString in MCP package to use lib.BuildQueryString
- Add ClientOption/WithHTTPClient to generated API client for retry support
- Export NewRetryTransport and wire retry into generated API client
- Remove unused --auth-config global flag
- Parallelize status command scanner queries with errgroup
- Add missing scanner types (pentest, bughunt, cspm) to MCP composite tools
- Use promptResult helper consistently in MCP prompts
- Fix wizard to use absolute paths via os.Getwd()
- Handle output.Print errors with stderr fallback
- Clear stale Token field on refreshing transport client
- Log warning when NULLIFY_HOST env var is invalid

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: run go mod tidy to promote golang.org/x/sync to direct dependency

The status command now directly imports errgroup from golang.org/x/sync.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* style: fix gofmt formatting and remove unnecessary leading newline

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* style: fix gofmt formatting in login.go and spinner.go

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: resolve timeout, host sanitization, and credential key mismatch bugs

- Move time.After(10min) outside for/select loop so it fires correctly
- Sanitize config file host through SanitizeNullifyHost in resolveHost
- Normalize credential keys to bare form (strip api. prefix) at save/lookup
- Fix SanitizeNullifyHost to return bare host form consistently

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* wip

* fix: address PR #131 review comments

- Use cmd.Context() instead of context.Background() in update command
- Accept context.Context param in setupLogger() so cobra commands pass
  their own context instead of always creating a new background context
- Delete unused scan command that only printed help text
- Add credential key migration in LoadCredentials() to normalize old
  "api." prefixed keys to bare form, preventing auth failures after
  host sanitization changes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: handle errcheck lint error and normalize credential key lookups

- Check io.Copy return value in local_scan.go to fix golangci-lint errcheck
- Use auth.CredentialKey() for credential map lookups in all commands
  (chat, mcp, status, whoami, fix, ci, findings) to match the normalized
  key format used when saving credentials

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: tim-thacker-nullify

.goreleaser.yaml

@@ -13,6 +13,9 @@ builds:
       - CGO_ENABLED=0
     ldflags:
       - -X 'github.com/nullify-platform/logger/pkg/logger.Version={{ .Version }}'
+      - -X 'github.com/nullify-platform/cli/internal/api.Version={{ .Version }}'
+      - -X 'github.com/nullify-platform/cli/cmd/cli/cmd.buildCommit={{ .Commit }}'
+      - -X 'github.com/nullify-platform/cli/cmd/cli/cmd.buildDate={{ .Date }}'
     goos:
       - linux
       - darwin
@@ -40,6 +43,16 @@ checksum:
 changelog:
   use: github-native
 
+brews:
+  - name: nullify
+    repository:
+      owner: Nullify-Platform
+      name: homebrew-tap
+    homepage: "https://github.com/Nullify-Platform/cli"
+    description: "Nullify CLI - autonomous AI workforce for product security"
+    install: |
+      bin.install "nullify"
+
 release:
   github:
     owner: Nullify-Platform

cmd/cli/cmd/api.go

@@ -0,0 +1,13 @@
+package cmd
+
+import "github.com/spf13/cobra"
+
+var apiCmd = &cobra.Command{
+	Use:   "api",
+	Short: "Direct API access (advanced)",
+	Long:  "Low-level commands for direct Nullify API access. These map 1:1 to API endpoints and are intended for advanced users and scripting.",
+}
+
+func init() {
+	rootCmd.AddCommand(apiCmd)
+}

cmd/cli/cmd/auth.go

@@ -26,7 +26,7 @@ var loginCmd = &cobra.Command{
 	Short: "Log in to Nullify",
 	Long:  "Authenticate with your Nullify instance. Opens your browser to log in with your identity provider.",
 	Run: func(cmd *cobra.Command, args []string) {
-		ctx := setupLogger()
+		ctx := setupLogger(cmd.Context())
 		defer logger.L(ctx).Sync()
 
 		// Wrap context with signal handling so Ctrl+C triggers graceful cancellation
@@ -68,7 +68,7 @@ var logoutCmd = &cobra.Command{
 	Short: "Log out of Nullify",
 	Long:  "Clear stored credentials for the current or specified host.",
 	Run: func(cmd *cobra.Command, args []string) {
-		ctx := setupLogger()
+		ctx := setupLogger(cmd.Context())
 		defer logger.L(ctx).Sync()
 
 		logoutHost := resolveHostForAuth(ctx)
@@ -107,7 +107,7 @@ var statusCmd = &cobra.Command{
 			return
 		}
 
-		hostCreds, ok := creds[cfg.Host]
+		hostCreds, ok := creds[auth.CredentialKey(cfg.Host)]
 		if !ok {
 			fmt.Println("Status: not authenticated")
 			return
@@ -131,7 +131,7 @@ var tokenCmd = &cobra.Command{
 	Short: "Print access token to stdout",
 	Long:  "Print the current access token. Useful for piping to other tools.",
 	Run: func(cmd *cobra.Command, args []string) {
-		ctx := setupLogger()
+		ctx := setupLogger(cmd.Context())
 		defer logger.L(ctx).Sync()
 
 		hostForToken := resolveHostForAuth(ctx)
@@ -142,7 +142,7 @@ var tokenCmd = &cobra.Command{
 			os.Exit(1)
 		}
 
-		fmt.Print(token)
+		fmt.Println(token)
 	},
 }
 
@@ -168,7 +168,7 @@ var switchCmd = &cobra.Command{
 			fmt.Println("Configured hosts:")
 			for h := range creds {
 				marker := "  "
-				if cfg != nil && cfg.Host == h {
+				if cfg != nil && auth.CredentialKey(cfg.Host) == h {
 					marker = "* "
 				}
 				fmt.Printf("%s%s\n", marker, h)
@@ -206,7 +206,7 @@ var configShowCmd = &cobra.Command{
 	Run: func(cmd *cobra.Command, args []string) {
 		cfg, err := auth.LoadConfig()
 		if err != nil {
-			fmt.Println("{}")
+			fmt.Fprintf(os.Stderr, "No config found. Run 'nullify init' to set up.\n")
 			return
 		}
 
@@ -237,7 +237,10 @@ func resolveHostForAuth(ctx context.Context) string {
 
 	cfg, err := auth.LoadConfig()
 	if err == nil && cfg.Host != "" {
-		return cfg.Host
+		sanitized, sErr := lib.SanitizeNullifyHost(cfg.Host)
+		if sErr == nil {
+			return sanitized
+		}
 	}
 
 	fmt.Fprintln(os.Stderr, "Error: no host configured. Use --host or run 'nullify auth login'")

cmd/cli/cmd/chat.go

@@ -24,15 +24,15 @@ Examples:
   nullify chat "what are my critical findings?"   # Single-shot mode
   nullify chat --chat-id abc123 "follow up"       # Resume conversation`,
 	Run: func(cmd *cobra.Command, args []string) {
-		ctx := setupLogger()
+		ctx := setupLogger(cmd.Context())
 		defer logger.L(ctx).Sync()
 
 		chatHost := resolveHost(ctx)
 
 		token, err := auth.GetValidToken(ctx, chatHost)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "Error: not authenticated. Run 'nullify auth login' first.\n")
-			os.Exit(1)
+			os.Exit(ExitAuthError)
 		}
 
 		creds, err := auth.LoadCredentials()
@@ -41,7 +41,7 @@ Examples:
 			os.Exit(1)
 		}
 
-		hostCreds := creds[chatHost]
+		hostCreds := creds[auth.CredentialKey(chatHost)]
 		queryParams := hostCreds.QueryParameters
 		if queryParams == nil {
 			queryParams = make(map[string]string)