feat(cli): Remove scaffold dependency, add JWT identity and per-repo auth #8
thecodedrift wants to merge 8 commits into main
Define the plan to remove CLI dependency on backend-managed scaffold files (taskless.json, sgconfig.yml, update-engine). CLI becomes self-sufficient via JWT-based identity, git remote inference, and ephemeral ast-grep config generation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Remove the update-engine subcommand, its API action, schema, help file, skill, and tskl command. Strip MIN_SCAFFOLD_VERSION and scaffold version checks from capabilities, check command, and project-config. The backend is decommissioning these endpoints as part of TSKL-212.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…JWT decoding
Add new action modules for the CLI to operate without the backend-managed scaffold:
- gitignore.ts: manages .taskless/.gitignore for local-only files
- sgconfig.ts: generates ephemeral ast-grep config at check time
- git-remote.ts: infers repositoryUrl from git remote origin
- jwt.ts: decodes orgId from JWT via jose (no signature verification)
Rewrite check command to skip taskless.json validation entirely, generate sgconfig.yml on the fly, and handle missing .taskless/ gracefully. Add jose as a dependency for JWT claim extraction.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…ommands
- token.ts: getToken/saveToken/removeToken now support per-repo .taskless/.env.local.json alongside global XDG auth, with git tracking warning
- identity.ts: resolveIdentity() combines JWT orgId decoding with git remote inference, replacing readProjectConfig/validateRulesConfig
- rules.ts: create and improve commands use resolveIdentity() instead of reading taskless.json for orgId and repositoryUrl
- rule-api.ts: remove taskless.json references from error messages
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Delete project-config.ts (no longer needed — identity comes from JWT and git remote). Update help text for check, rules create, and rules improve to remove taskless.json and scaffold references. Update create-rule and improve-rule skills to suggest re-authentication instead of update-engine for org identity errors.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
This PR makes the Taskless CLI scaffold-independent by removing the backend-managed scaffold/update flow and switching identity/auth resolution to JWT claims + git remote inference, while adding CLI-managed local-only files under .taskless/.
Changes:
- Removed the update-engine subcommand (and associated schemas/help/actions) and scaffold version gating (taskless.json/MIN_SCAFFOLD_VERSION).
- Added identity resolution via JWT decoding (orgId) and git remote inference (repositoryUrl), and updated rules commands to use it.
- Added per-repo token storage (.taskless/.env.local.json), CLI-managed .taskless/.gitignore, and ephemeral .taskless/sgconfig.yml generation for check.
Reviewed changes
Copilot reviewed 34 out of 35 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| skills/taskless-update-engine/SKILL.md | Removes deprecated skill documentation for update-engine. |
| skills/taskless-improve-rule/SKILL.md | Updates error handling guidance to re-auth for missing org info. |
| skills/taskless-create-rule/SKILL.md | Updates error handling guidance to re-auth for missing org info. |
| pnpm-lock.yaml | Adds jose dependency lock entries. |
| packages/cli/package.json | Adds jose dependency for JWT decoding. |
| packages/cli/test/capabilities.test.ts | Removes tests for scaffold version gating that no longer exists. |
| packages/cli/src/index.ts | Unregisters update-engine subcommand. |
| packages/cli/src/help/update-engine.txt | Removes help for deleted command. |
| packages/cli/src/help/check.txt | Updates prerequisites messaging (rules-only). |
| packages/cli/src/help/rules-create.txt | Updates prerequisites to require GitHub origin remote. |
| packages/cli/src/help/rules-improve.txt | Updates prerequisites to require GitHub origin remote. |
| packages/cli/src/capabilities.ts | Removes scaffold version gating helpers, keeps spec version validation. |
| packages/cli/src/actions/token.ts | Adds per-repo token read/write/remove + git-tracked warning. |
| packages/cli/src/actions/gitignore.ts | Adds .taskless/.gitignore management for local-only files. |
| packages/cli/src/actions/sgconfig.ts | Generates ephemeral .taskless/sgconfig.yml for ast-grep scans. |
| packages/cli/src/actions/git-remote.ts | Infers GitHub repo URL from git remote get-url origin. |
| packages/cli/src/actions/jwt.ts | Decodes orgId claim from JWT using jose. |
| packages/cli/src/actions/identity.ts | Centralizes identity resolution (token + orgId + repositoryUrl). |
| packages/cli/src/commands/check.ts | Removes scaffold checks; generates sgconfig and runs scan if rules exist. |
| packages/cli/src/commands/rules.ts | Uses resolveIdentity() instead of taskless.json project config. |
| packages/cli/src/actions/rule-api.ts | Adjusts error messages to remove taskless.json references. |
| packages/cli/src/actions/project-config.ts | Removes obsolete taskless.json project config reader/validator. |
| packages/cli/src/actions/update-api.ts | Removes obsolete update-engine backend API client. |
| packages/cli/src/commands/update-engine.ts | Removes obsolete update-engine command implementation. |
| packages/cli/src/schemas/update-engine.ts | Removes obsolete update-engine JSON schema definitions. |
| commands/tskl/update-engine.md | Removes obsolete command doc for update-engine. |
| openspec/changes/remove-scaffold-dependency/** | Adds OpenSpec proposal/design/specs/tasks for the scaffold removal change. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
…mentation
- check.test.ts: Replace taskless.json validation tests with scaffold-free behavior tests (no .taskless/, empty rules, no taskless.json required)
- cli.test.ts: Assert update-engine is NOT in help output
- schema.test.ts: Remove update-engine --schema tests
- specs/cli/spec.md: Fix requirement text to match implementation (stale token prompts re-login, no taskless.json fallback)
- tasks.md: Clarify 8.3 wording — orgId still sent in body during transition
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
Copilot reviewed 37 out of 38 changed files in this pull request and generated 4 comments.
- auth.ts: login/logout now accept -d flag and pass cwd to getToken/saveToken/removeToken, enabling per-repo token storage
- jwt.test.ts: Unit tests for decodeOrgId (valid JWT, missing claim, non-numeric, invalid token)
- git-remote.test.ts: Unit tests for URL canonicalization (SSH, HTTPS, .git suffix, non-GitHub rejection)
- specs/cli/spec.md: Fix migration text to match implementation (no taskless.json fallback, stale tokens require re-login)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
Copilot reviewed 40 out of 41 changed files in this pull request and generated 2 comments.
…production code
- sgconfig.test.ts: 5 tests covering generateSgConfig (correct content, gitignore creation, idempotency) and ensureTasklessGitignore (creation, append-without-duplicate)
- git-remote.ts: Export canonicalizeGitHubUrl for direct testing
- git-remote.test.ts: Import production function instead of duplicating regex patterns
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove the CLI's dependency on backend-managed scaffold files (taskless.json, sgconfig.yml) and the update-engine command. The CLI becomes self-sufficient by resolving identity from JWT claims and git remotes, generating ast-grep config ephemerally, and storing auth tokens per-repository.

This is the CLI-side counterpart to taskless/taskless#36, which removes the backend's scaffold generation and onboarding PR system. Both changes are backward-compatible and can ship independently — old CLIs continue to work with the new backend (body orgId fallback), and this new CLI works with both old and new backends.

What changes:
- update-engine command removed (backend endpoints being decommissioned)
- taskless.json no longer read or required by any command
- check generates ephemeral sgconfig.yml at runtime instead of reading it
- jose JWT decoding (orgId claim) + git remote inference (repositoryUrl), replacing readProjectConfig()
- .taskless/.env.local.json (gitignored) alongside existing global XDG storage
- .taskless/.gitignore for local-only files
- orgId claim) prompt re-login instead of fallback
- jose added as dependency for JWT claim extraction

What's preserved:
- .taskless/rules/*.yml) — unchanged
- POST /cli/api/rule) — unchanged, orgId still sent in body for now (deprecated but accepted by backend)
- TASKLESS_TOKEN env var, ~/.config/taskless/auth.json) — still works, per-repo is additive

Full OpenSpec change artifacts (proposal, design, 6 delta specs, tasks) are included at openspec/changes/remove-scaffold-dependency/.

Refs TSKL-212
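
The identity resolution described in this PR (reading orgId from an unverified JWT payload and canonicalizing the origin remote), sketched as an added example that is not the project's jwt.ts, git-remote.ts or identity.ts and does not use jose. It shows why the decoded orgId can only be a local hint: a token with a meaningless signature decodes just as well, so the backend has to verify the token itself. The function names, error text, the integer orgId and the `https://github.com/owner/repo` canonical form are assumptions.

```typescript
// Added illustration: not the project's jwt.ts, git-remote.ts or identity.ts.
// Function names, error text and the canonical URL form are assumptions.
type Identity = { orgId: number; repositoryUrl: string };

// Constructed sample token; the signature segment is deliberately meaningless.
function sampleToken(claims: object): string {
  const seg = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${seg({ alg: "HS256", typ: "JWT" })}.${seg(claims)}.not-a-real-signature`;
}

// Reads orgId from the payload WITHOUT verifying the signature. The value is a
// local hint only; the backend must verify the token before trusting any claim.
function decodeOrgIdUnverified(token: string): number | undefined {
  const parts = token.split(".");
  if (parts.length !== 3) return undefined; // not a compact JWS
  try {
    const payload: unknown = JSON.parse(Buffer.from(parts[1] ?? "", "base64url").toString("utf8"));
    if (typeof payload !== "object" || payload === null) return undefined;
    const orgId = (payload as Record<string, unknown>)["orgId"];
    // No coercion: a string "42" or a float is treated as a missing claim.
    return typeof orgId === "number" && Number.isSafeInteger(orgId) ? orgId : undefined;
  } catch {
    return undefined; // payload segment was not valid JSON
  }
}

// Accepts scp-style SSH and HTTPS GitHub remotes; both patterns are anchored so
// look-alike hosts (github.com.example.net) and embedded credentials are rejected.
function canonicalGitHubUrl(remote: string): string | undefined {
  const r = remote.trim();
  const m =
    /^git@github\.com:([\w.-]+)\/([\w.-]+?)(?:\.git)?\/?$/.exec(r) ??
    /^https:\/\/github\.com\/([\w.-]+)\/([\w.-]+?)(?:\.git)?\/?$/.exec(r);
  return m ? `https://github.com/${m[1]}/${m[2]}` : undefined;
}

// Combines both sources; a token without a usable orgId means "log in again".
function resolveIdentityFrom(token: string, remote: string): Identity {
  const orgId = decodeOrgIdUnverified(token);
  if (orgId === undefined) throw new Error("No usable orgId claim in token; log in again.");
  const repositoryUrl = canonicalGitHubUrl(remote);
  if (repositoryUrl === undefined) throw new Error("origin is not a recognizable GitHub remote.");
  return { orgId, repositoryUrl };
}
```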