Implement interactive first-time setup for ghissues TUI application.

- Add config package for loading/saving TOML configuration
- Add setup package with interactive prompts using charmbracelet/huh
- Add CLI commands (root and config subcommand) using cobra
- Configuration saved to ~/.config/ghissues/config.toml with 0600 permissions
- Support for three auth methods: env, token, and gh
- Repository validation (owner/repo format)
- Non-interactive mode with --repo, --auth-method, and --token flags
- Skip setup prompt if config already exists
- Re-run setup with `ghissues config` command

Acceptance criteria met:
- [x] Interactive prompt asks for GitHub repository (owner/repo format)
- [x] Interactive prompt asks for authentication method preference
- [x] Configuration saved to ~/.config/ghissues/config.toml
- [x] User can skip interactive setup if config file already exists
- [x] User can re-run setup with ghissues config command

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement GitHub token authentication with three fallback methods:
1. GITHUB_TOKEN environment variable (highest priority)
2. Token from config file (when auth.method is "token")
3. GitHub CLI (gh auth token)

Add token validation via GitHub API with helpful error messages for invalid/expired tokens.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add configurable database path with three-level precedence:
1. --db flag (highest precedence)
2. database.path in config file
3. Default .ghissues.db in current directory

- Add DatabaseConfig struct to configuration
- Create internal/db package for path resolution
- Implement parent directory creation for custom paths
- Add writability validation with clear error messages

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add sync command to fetch all open issues and comments from GitHub:
- GitHub GraphQL API client with automatic pagination
- LibSQL database storage for issues, comments, labels, assignees
- Progress bar display showing issues fetched / total
- Graceful cancellation with Ctrl+C
- Sync command: `ghissues sync`

Issue data captured: number, title, body, author, created date, updated date, comment count, labels, and assignees.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement TUI for browsing synced GitHub issues using charmbracelet/bubbletea.

Features:
- Issues displayed in vertical list with configurable columns
- Default columns: number, title, author, date, comments
- Column configuration stored in config file under display.columns
- Selected issue highlighting with cursor indicator
- Vim keys (j/k) and arrow keys for navigation
- Issue count shown in status bar
- Empty state handling when no issues are synced

Technical:
- New internal/tui package with Model implementing tea.Model
- DisplayConfig struct added to config for column settings
- SetDisableTUI() function for testing without TTY requirement
- Uses lipgloss for styling and layout

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add sorting functionality to the issue list view:
- Default sort: most recently updated first (updated date, descending)
- Available sort options: updated date, created date, issue number, comment count
- 's' key cycles through sort fields
- 'S' key (shift+s) reverses sort order (toggles ascending/descending)
- Current sort field and direction shown in status bar with ↑/↓ indicators
- Sort preference automatically saved to config file when changed

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add right panel showing selected issue details with:
- Header with issue number, title, author, status, dates
- Body rendered with glamour (charmbracelet markdown renderer)
- Toggle between raw markdown and rendered with 'm' key
- Labels and assignees displayed if present
- Scrollable detail panel with h/l keys
- Enter key opens dedicated comments view (state tracked)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement drill-down comments view for GitHub issues with:
- Full-screen comments view that replaces main interface when Enter is pressed
- Issue title/number as header
- Comments displayed chronologically with author and date
- Markdown rendering toggle with 'm' key (reuses existing glamour renderer)
- Scrollable comment list with 'h' (up) and 'l' (down) keys
- Esc or 'q' returns to issue list view

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add manual refresh with 'r' or 'R' keybinding in TUI
- Auto-refresh triggered on app launch
- Progress indicator shown in status bar during refresh
- Sync now removes closed/deleted issues from local database
- New issues and comments are fetched and existing ones are updated
- Cursor position maintained after refresh when possible
- Refresh disabled during comments view for better UX

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add comprehensive error handling to the TUI with two display modes:
- Minor errors (network timeouts, rate limits) shown in status bar with red styling and retry hint
- Critical errors (invalid token, database corruption) shown as modal dialog requiring acknowledgment before continuing

Error modal features:
- Centered modal with bordered display
- Title, message, and optional actionable guidance
- Dismissible with Enter, Escape, or 'q'
- Blocks all navigation/refresh while shown
- Ctrl+C still available for emergency exit

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add help overlay and context-sensitive footer for keyboard shortcuts.
- ? key toggles help overlay with all keybindings organized by context
- Help overlay shows Navigation, Sorting, Detail Panel/Scrolling, and Actions
- Help overlay dismissible with ? or Esc
- Footer shows context-sensitive keys: j/k nav, Enter, ?, q in list view
- Footer shows h/l scroll, Esc, ? in comments view
- Ctrl+C always works to quit, even with help overlay open

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add support for multiple built-in color themes in the TUI:
- Six themes: default, dracula, gruvbox, nord, solarized-dark, solarized-light
- Theme selected via config file display.theme setting
- New 'ghissues themes' command to list, preview, and set themes
- Consistent styling using lipgloss throughout the TUI

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add support for configuring and managing multiple repositories:
- Add RepositoryConfig type and Repositories slice to Config struct
- Add default_repository field for selecting which repo to use by default
- Add automatic migration from old single-repo format to multi-repo format
- Add --repo flag to root command to select which repository to view
- Add 'ghissues repos' command to list and manage repositories:
  - List all configured repositories with default indicator
  - --add flag to add new repositories
  - --db-path flag to specify custom database path when adding
  - --set-default flag to set the default repository
- Each repository has its own database file path
- Repository selection priority: --repo flag > default_repository > single repo

Acceptance criteria met:
- [x] Config file supports multiple repository entries
- [x] Each repository has its own database file
- [x] ghissues --repo owner/repo selects which repo to view
- [x] Default repository can be set in config
- [x] ghissues repos lists configured repositories

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Pull request overview
This PR implements a comprehensive Terminal User Interface (TUI) for managing GitHub issues, built using Claude Opus 4.5. The implementation includes a complete feature set with issue browsing, sorting, filtering, comments viewing, themes, and synchronization capabilities.
Changes:
- Complete TUI implementation with Bubble Tea framework supporting navigation, sorting, and multiple views
- Theme system with 6 built-in color schemes (default, dracula, gruvbox, nord, solarized-dark/light)
- Multi-repository support with configuration management
- Comprehensive test coverage across all packages with 978+ test cases
Reviewed changes
Copilot reviewed 33 out of 48 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| go.mod | Defines project dependencies with Go version and required packages |
| tasks/prd.json | Marks all user stories as completed with agent notes and metadata timestamp |
| internal/tui/model_test.go | Comprehensive test suite for TUI model with 1884 lines covering navigation, sorting, comments, errors |
| internal/tui/model.go | Main TUI model implementation with view rendering, state management, and event handling |
| internal/themes/themes_test.go | Tests for theme system validating all color schemes and styles |
| internal/themes/themes.go | Theme definitions with lipgloss styles for 6 color schemes |
| internal/sync/sync_test.go | Tests for synchronization logic including pagination and incremental updates |
| internal/sync/sync.go | Syncer implementation for fetching issues/comments from GitHub API |
| internal/setup/setup_test.go | Tests for interactive and programmatic setup workflows |
| internal/setup/setup.go | Setup command implementation using huh for interactive forms |
| internal/github/client_test.go | Tests for GitHub API client with mocked responses |
| internal/github/client.go | GitHub GraphQL API client for fetching issues and comments |
| internal/db/store_test.go | Database store tests covering CRUD operations |
| internal/db/store.go | SQLite database store implementation using libsql |
| internal/db/path_test.go | Tests for database path resolution and validation |
| internal/db/path.go | Database path resolution with precedence handling |
| internal/config/config_test.go | Configuration tests covering validation and multi-repo support |
| internal/config/config.go | Configuration management with TOML serialization |
| internal/cmd/themes_test.go | Tests for themes CLI command |
| internal/cmd/themes.go | Themes command for listing and setting color schemes |
| internal/cmd/sync_test.go | Tests for sync CLI command |
| internal/cmd/sync.go | Sync command for fetching issues from GitHub |
| internal/cmd/repos.go | Repos command for managing multiple repositories |
| if err != nil { | ||
| return fmt.Errorf("failed to create config file: %w", err) | ||
| } | ||
| defer file.Close() |
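Review bot: `defer file.Close()` on a file that was just created for writing discards the error Close returns, so a failure surfaced only at close time (for example when buffered data is flushed to a full disk) goes unreported and the caller sees a successful save. Suggest dropping the defer and closing explicitly after the last write, checking the result the same way the create error is checked: `if err := file.Close(); err != nil { return fmt.Errorf("failed to close config file: %w", err) }`.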
File handle may be writable as a result of data flow from a call to OpenFile and closing it may result in data loss upon failure, which is not handled explicitly.
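The close-error handling requested above, combined with the 0600 permission the commit messages and the security review describe, as an added example that is not the project's own code; `saveConfig` and `checkConfigPerms` are names chosen here, and the temp-file-plus-rename step is an assumption about how to keep the write atomic.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// saveConfig writes data to path with owner-only permissions (0600) and checks
// the error from Close as well as from Write. It writes a temporary sibling
// first and renames it into place, so a failure never leaves a truncated
// config.toml behind. Added example; the function names are chosen here.
func saveConfig(path string, data []byte) (err error) {
	if err = os.MkdirAll(filepath.Dir(path), 0700); err != nil {
		return fmt.Errorf("failed to create config dir: %w", err)
	}
	tmp := path + ".tmp"
	// O_EXCL refuses to reuse an existing file or symlink at the temp path.
	f, err := os.OpenFile(tmp, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
	if err != nil {
		return fmt.Errorf("failed to create config file: %w", err)
	}
	defer func() {
		if err != nil {
			os.Remove(tmp) // leave nothing behind on any failure path
		}
	}()
	if _, err = f.Write(data); err != nil {
		f.Close()
		return fmt.Errorf("failed to write config file: %w", err)
	}
	// Close is checked explicitly: data the OS buffered can still fail here.
	if err = f.Close(); err != nil {
		return fmt.Errorf("failed to close config file: %w", err)
	}
	return os.Rename(tmp, path)
}

// checkConfigPerms mirrors the review's check: the saved file must be 0600.
func checkConfigPerms(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if info.Mode().Perm() != os.FileMode(0600) {
		return fmt.Errorf("%s has mode %o, want 0600", path, info.Mode().Perm())
	}
	return nil
}
```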
Review from Claude Code using Sonnet 4.5:

# Security Review Report

Project: github-issues-tui

## Executive Summary

A comprehensive security review was conducted on the github-issues-tui codebase, examining:

Overall Security Posture: STRONG ✓

The codebase demonstrates good security practices with no critical vulnerabilities found. All identified issues are low-priority recommendations for best practices.

## ✅ Positive Findings

### 1. No Exposed Secrets or Credentials
Evidence:
### 2. SQL Injection Protection ✓

All database operations in

Examples:

```go
// Line 92-106: SaveIssue uses parameterized query
query := `
	INSERT OR REPLACE INTO issues (number, title, body, author, created_at, updated_at, comment_count, labels, assignees)
	VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
`
_, err = s.db.ExecContext(ctx, query, issue.Number, issue.Title, ...)

// Line 119-156: SaveIssues uses prepared statements
stmt, err := tx.PrepareContext(ctx, `
	INSERT OR REPLACE INTO issues (...)
	VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
`)
```

Verified in:
### 3. Command Injection Protection ✓

Only one command execution found in the codebase:

Location:

```go
cmd := exec.Command("gh", "auth", "token")
```

Security Assessment: SAFE

### 4. Secure File Permissions ✓

Configuration files are saved with appropriate security permissions:

Location:

```go
info.Mode().Perm() == os.FileMode(0600) // Owner read/write only
```

This prevents unauthorized users from reading sensitive configuration data.

### 5. HTTP/API Security ✓

Location:

Secure API practices:
### 6. Authentication Security ✓

Location:

Strong authentication implementation:

Token Validation (lines 95-135):

```go
func ValidateToken(token string) error {
	// Makes API call to GitHub to verify token validity
	// Returns clear error messages without leaking token
}
```
| Category | Status | Notes |
|---|---|---|
| Secrets in Code | ✅ PASS | No hardcoded secrets found |
| Secrets in Git History | ✅ PASS | History clean |
| SQL Injection | ✅ PASS | Parameterized queries used throughout |
| Command Injection | ✅ PASS | Safe command execution |
| Path Traversal | ✅ PASS | No user-controlled file paths |
| XSS/Code Injection | ✅ PASS | Using Glamour for markdown rendering |
| Authentication | ✅ PASS | Secure token handling |
| Authorization | N/A | Uses GitHub's authorization |
| File Permissions | ✅ PASS | Config files use 0600 |
| HTTPS/TLS | ✅ PASS | All API calls use HTTPS |
| Error Handling | | Verbose error messages (low risk) |
| Dependency Security | | Periodic scanning recommended |
| .gitignore | ❌ MISSING | Should be added |
## 🔍 Files Reviewed

### Core Application Files

- `internal/auth/auth.go` - Authentication logic
- `internal/config/config.go` - Configuration management
- `internal/db/store.go` - Database operations
- `internal/github/client.go` - GitHub API client
- `internal/cmd/root.go` - CLI command structure
- `internal/setup/setup.go` - Initial setup flow

### Test Files

- `internal/auth/auth_test.go`
- `internal/config/config_test.go`
- `internal/db/store_test.go`
- All other `*_test.go` files

### Configuration Files

- `go.mod` and `go.sum` - Dependencies
- `.ralph-tui/config.toml` - Ralph TUI configuration
- `README.md` - Documentation

### Git History

- Reviewed all commits for sensitive data
- Searched for patterns: tokens, passwords, API keys
- No secrets found in commit history
## 📝 Methodology

### Tools and Techniques Used

- Static Code Analysis
  - Pattern matching for common secrets (API keys, tokens, passwords)
  - SQL query review for injection vulnerabilities
  - Command execution analysis
  - File permission checks
- Dependency Analysis
  - Review of `go.mod` and `go.sum`
  - Identification of third-party dependencies
  - Version checking
- Git History Analysis
  - Search for accidentally committed secrets
  - Review of file changes in commits
  - Pattern matching across all commits
- Configuration Review
  - Environment variable usage
  - File permission settings
  - Authentication methods

## 🎯 Conclusion
The github-issues-tui codebase demonstrates strong security practices with no critical vulnerabilities identified. The code follows Go security best practices and properly handles:
- Authentication and authorization
- Database operations (SQL injection prevention)
- External command execution
- File permissions
- API security
Recommended Actions (in priority order):
- Add .gitignore file to prevent accidental commits (Medium Priority)
- Consider sanitizing error messages (Low Priority)
- Set up periodic dependency scanning (Low Priority)
- Implement rate limiting for production use (Future Enhancement)
No immediate security fixes required.
## 📞 Contact
For questions about this security review, please open an issue in the repository.
Review Version: 1.0
Next Review Recommended: Before major releases or significant architectural changes
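The three-step token precedence from the authentication commit above, plus a validation call that reports an invalid or expired token without echoing it (the property the review credits in section 6), as an added example that is not the ghissues project's own code. `getenv`, `ghToken` and `baseURL` are injected stand-ins for `os.Getenv`, `gh auth token` and https://api.github.com so the chain runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

var ErrNoToken = errors.New("no GitHub token: set GITHUB_TOKEN, configure auth.token, or run `gh auth login`")
// resolveToken applies the precedence from the auth commit: GITHUB_TOKEN, then the config
// token (only when auth.method is "token"), then the gh CLI. getenv and ghToken are injected.
func resolveToken(getenv func(string) string, method, cfgToken string, ghToken func() (string, error)) (token, source string, err error) {
	if t := strings.TrimSpace(getenv("GITHUB_TOKEN")); t != "" {
		return t, "env", nil
	}
	if t := strings.TrimSpace(cfgToken); method == "token" && t != "" {
		return t, "config", nil
	}
	t, err := ghToken()
	if err != nil {
		return "", "", fmt.Errorf("gh auth token: %w", err)
	}
	if t = strings.TrimSpace(t); t == "" {
		return "", "", ErrNoToken
	}
	return t, "gh", nil
}

// validateToken calls GET {baseURL}/user and maps the response to an error that never
// echoes the token. baseURL is a parameter so a test server can stand in for https://api.github.com.
func validateToken(client *http.Client, baseURL, token string) error {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/user", nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return fmt.Errorf("could not reach GitHub: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusUnauthorized {
		return errors.New("GitHub rejected the token (invalid or expired); generate a new one")
	}
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %d from GitHub", resp.StatusCode)
	}
	return nil
}
```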
This was implemented using the Opus 4.5 model via the standard Anthropic API through Claude Code on their Max plan, with ralph-tui managing the agent and running the ralph loop.
The first shot did a pretty good job. It responded to all keyboard inputs. The overall layout of the TUI was solid, and syncing worked well. The only issue I had to address with a manual prompt was that comments weren't loading when you drilled down into an issue. A single additional prompt fixed that.