fix: update Makefile and README for correct installation paths; add xurl package structure#43
Open
drQedwards wants to merge 3 commits intoxdevplatform:mainfrom
Open
Conversation
Fixes NOVA-Openclaw#2 — the --app flag had no effect on shortcut subcommands because four interconnected bugs prevented credential and token switching. Bug 1 (auth/auth.go): WithAppName() conditionally updated clientID/ clientSecret only when they were empty. Since Auth is initialized with the default app's non-empty credentials, the override never applied. Fixed by making the credential update unconditional. Bug 2 (auth/auth.go): GetOAuth1Header(), GetOAuth2Header(), GetBearerTokenHeader(), RefreshOAuth2Token(), and OAuth2Flow() all called non-ForApp TokenStore methods (resolving to the default app) instead of the ForApp variants that respect a.appName. Fixed by threading a.appName through all token retrieval and save calls. Bug 4 (api/client.go): The auto-selection cascade in getAuthHeader() called TokenStore.GetFirstOAuth2Token() and GetOAuth1Tokens() directly, bypassing Auth entirely. Fixed by using GetFirstOAuth2TokenForApp() and GetOAuth1TokensForApp() with auth.AppName(). Also adds an AppName() accessor to Auth for use by api/client.go. Tests: 18 new test cases covering happy path, edge cases, error conditions, boundary cases, and domain-specific regression tests. All existing tests continue to pass.
…url package structure
|
|
fix: resolve CWE-665 package initialization so xurl is importable as a Go library (supersedes xdevplatform#28) PR Body (paste-ready) This PR replaces xdevplatform#28 and re-submits the fix under @drQedwards so CLA can be signed by the active contributor. Summary The root configuration is already correct (xdevplatform), but importing XURL as a Go dependency still failed due to package initialization/layout issues (CWE-665). This change makes XURL importable as a library while preserving CLI behavior. Problem Consumer code like: import "xurl" (with local replace) import "github.com/xdevplatform/xurl" (module path) could fail because the module root was package main (program-only), not an importable package. Root Cause (CWE-665) Improper initialization of package boundaries: Module root implemented as executable (package main) No importable root package API for library consumers Fix Added importable root package API (package xurl) with: NewRootCommand() CreateRootCommand(...) Execute() Moved CLI entrypoint to main.go Updated build/install targets to use xurl Updated docs for: CLI install path: go install github.com/xdevplatform/xurl/cmd/xurl@latest Library import usage for consumers Validation go test [workspaces](http://_vscodecontentref_/8). passes go build [workspaces](http://_vscodecontentref_/9). passes Consumer smoke test passes with local replace: require xurl v0.0.0 replace xurl => ../xurl import "xurl" Notes pmll-memory-mcp is a Python package (pip) and is not importable in Go as import "pmll" unless a real Go module named pmll exists. This PR focuses on Go module/package initialization and importability. Supersedes Closed PR xdevplatform#28 (CLA/signature unavailable from previous submitter) CLA-ready checklist for @drQedwards Sign CLA at: https://cla-assistant.io/xdevplatform/xurl Confirm GitHub account used for signing is @drqsatoshi / @drQedwards Re-run CLA check (if still pending): https://cla-assistant.io/check/xdevplatform/xurl?pullRequest=<NEW_PR_NUMBER> Ensure PR author is the same account that signed CLA Confirm CI checks are green Request review from @santiagomed If you want, I can also draft a shorter “maintainer-facing” variant of this PR body (less narrative, more changelog-style).
Author
CLA Required — @drQedwardsThe CLA check is the only blocker on this PR. Sign here: https://cla-assistant.io/xdevplatform/xurl?pullRequest=43 After signing, if the status stays pending, trigger a recheck: Context
Work Changes (Copilot + Claude Opus session)Files changed in this PR:
Tooling used during session:
Validation:
cc @santiagomed for review once CLA is signed |
13 tasks
Author
CLA Update — Both committers need to signThe CLA bot reports 0 out of 2 committers have signed:
Both authors must sign for the check to pass:
Alternative: If NOVA-Openclaw is unavailable, @drQedwards can squash the branch into a single commit under their own authorship to reduce the CLA requirement to 1 signer: git rebase -i main
# Mark all commits as 'squash' except the first, set author to drQedwards
git push --force-with-leaseAfter signing/squashing, trigger recheck: https://cla-assistant.io/check/xdevplatform/xurl?pullRequest=43 Task reference: https://github.com/drQedwards/xurl/tasks/60758228-2440-4ffb-9b45-8639dc5f6219 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
PR Title
fix: resolve CWE-665 package initialization so xurl is importable as a Go library (supersedes #28)
PR Body (paste-ready)
This PR replaces #28 and re-submits the fix under @drQedwards so CLA can be signed by the active contributor.
Summary
The root configuration is already correct (xdevplatform), but importing XURL as a Go dependency still failed due to package initialization/layout issues (CWE-665).
This change makes XURL importable as a library while preserving CLI behavior.
Problem
Consumer code like:
import "xurl" (with local replace)
import "github.com/xdevplatform/xurl" (module path)
could fail because the module root was package main (program-only), not an importable package.
Root Cause (CWE-665)
Improper initialization of package boundaries:
Module root implemented as executable (package main)
No importable root package API for library consumers
Fix
Added importable root package API (package xurl) with:
NewRootCommand()
CreateRootCommand(...)
Execute()
Moved CLI entrypoint to main.go
Updated build/install targets to use xurl
Updated docs for:
CLI install path: go install github.com/xdevplatform/xurl/cmd/xurl@latest
Library import usage for consumers
Validation
go test workspaces. passes
go build workspaces. passes
Consumer smoke test passes with local replace:
require xurl v0.0.0
replace xurl => ../xurl
import "xurl"
Notes
pmll-memory-mcp is a Python package (pip) and is not importable in Go as import "pmll" unless a real Go module named pmll exists.
This PR focuses on Go module/package initialization and importability.
Supersedes
Closed PR #28 (CLA/signature unavailable from previous submitter)
CLA-ready checklist for @drQedwards
Sign CLA at: https://cla-assistant.io/xdevplatform/xurl
Confirm GitHub account used for signing is @drqsatoshi / @drQedwards
Re-run CLA check (if still pending): https://cla-assistant.io/check/xdevplatform/xurl?pullRequest=<NEW_PR_NUMBER>
Ensure PR author is the same account that signed CLA
Confirm CI checks are green
Request review from @santiagomed
If you want, I can also draft a shorter “maintainer-facing” variant of this PR body (less narrative, more changelog-style).