refactor(config): migrate commands to NewCommandSetup and remove lega… (#640)

* refactor(config): migrate commands to NewCommandSetup and remove legacy bind APIs

---------

Co-authored-by: vscode <vscode@vscode.com>

Author: frjcomp

.github/copilot-instructions.md

@@ -216,7 +216,7 @@ func CommandRun(cmd *cobra.Command, args []string) {
 **Migration policy (mandatory):**
 - When modifying an existing command, migrate that touched command to `config.NewCommandSetup`.
 - Do not leave mixed setup styles in the same command implementation.
-- `config.AutoBindFlags` is still an internal building block, but command code should use `NewCommandSetup`.
+- Use `config.NewCommandSetup` for command binding and validation.
 
 **Key naming convention:**
 - Platform settings: `<platform>.<key>` (e.g., `github.url`, `gitlab.token`)
@@ -239,7 +239,7 @@ func CommandRun(cmd *cobra.Command, args []string) {
 
 **DO NOT:**
 - Read flags directly with `cmd.Flags().GetString()` - always use config system
-- Use `config.BindCommandFlags` - it's deprecated
+- Use legacy binder APIs removed from `pkg/config`
 - Skip required key validation for mandatory config values
 
 ### Package Organization

internal/cmd/bitbucket/scan/scan.go

@@ -25,6 +25,18 @@ var options = BitBucketScanOptions{
 }
 var maxArtifactSize string
 
+var flagBindings = map[string]string{
+	"url":                      "bitbucket.url",
+	"token":                    "bitbucket.token",
+	"email":                    "bitbucket.email",
+	"cookie":                   "bitbucket.cookie",
+	"threads":                  "common.threads",
+	"truffle-hog-verification": "common.trufflehog_verification",
+	"max-artifact-size":        "common.max_artifact_size",
+	"confidence":               "common.confidence_filter",
+	"hit-timeout":              "common.hit_timeout",
+}
+
 func NewScanCmd() *cobra.Command {
 	scanCmd := &cobra.Command{
 		Use:   "scan",
@@ -63,19 +75,9 @@ pipeleek bb scan --token ATATTxxxxxx --email auser@example.com --public --maxPip
 }
 
 func Scan(cmd *cobra.Command, args []string) {
-	if err := config.AutoBindFlags(cmd, map[string]string{
-		"url":                      "bitbucket.url",
-		"token":                    "bitbucket.token",
-		"email":                    "bitbucket.email",
-		"cookie":                   "bitbucket.cookie",
-		"threads":                  "common.threads",
-		"truffle-hog-verification": "common.trufflehog_verification",
-		"max-artifact-size":        "common.max_artifact_size",
-		"confidence":               "common.confidence_filter",
-		"hit-timeout":              "common.hit_timeout",
-	}); err != nil {
-		log.Fatal().Err(err).Msg("Failed to bind command flags to configuration keys")
-	}
+	config.NewCommandSetup(cmd).
+		WithFlagBindings(flagBindings).
+		MustBind()
 
 	options.BitBucketURL = config.GetString("bitbucket.url")
 	options.AccessToken = config.GetString("bitbucket.token")

internal/cmd/circle/scan/scan_test.go

@@ -69,8 +69,8 @@ func TestCircleScanFlagBindings(t *testing.T) {
 		t.Fatalf("Failed to set artifacts flag: %v", err)
 	}
 
-	if err := config.AutoBindFlags(cmd, flagBindings); err != nil {
-		t.Fatalf("AutoBindFlags failed: %v", err)
+	if err := config.NewCommandSetup(cmd).WithFlagBindings(flagBindings).Bind(); err != nil {
+		t.Fatalf("Bind failed: %v", err)
 	}
 
 	if got := config.GetString("circle.scan.org"); got != "my-org" {
@@ -95,11 +95,11 @@ func TestCircleScanEnvVarBinding(t *testing.T) {
 
 	cmd := NewScanCmd()
 
-	if err := config.AutoBindFlags(cmd, map[string]string{
+	if err := config.NewCommandSetup(cmd).WithFlagBindings(map[string]string{
 		"org":       "circle.scan.org",
 		"artifacts": "circle.scan.artifacts",
-	}); err != nil {
-		t.Fatalf("AutoBindFlags failed: %v", err)
+	}).Bind(); err != nil {
+		t.Fatalf("Bind failed: %v", err)
 	}
 
 	if got := config.GetString("circle.scan.org"); got != "env-org" {

internal/cmd/devops/scan/scan.go

@@ -80,14 +80,10 @@ pipeleek ad scan --token <azdo_pat> --username auser --artifacts --organization
 }
 
 func Scan(cmd *cobra.Command, args []string) {
-	// #nosec G101 -- "token" is a configuration key name, not a hardcoded credential
-	if err := config.AutoBindFlags(cmd, flagBindings); err != nil {
-		log.Fatal().Err(err).Msg("Failed to bind command flags to configuration keys")
-	}
-
-	if err := config.RequireConfigKeys("azure_devops.token", "azure_devops.username"); err != nil {
-		log.Fatal().Err(err).Msg("required configuration missing")
-	}
+	config.NewCommandSetup(cmd).
+		WithFlagBindings(flagBindings).
+		RequireKeys("azure_devops.token", "azure_devops.username").
+		MustBind()
 
 	options.DevOpsURL = config.GetString("azure_devops.url")
 	options.AccessToken = config.GetString("azure_devops.token")

internal/cmd/devops/scan/scan_test.go

@@ -37,8 +37,8 @@ func TestDevOpsScanFlagBindings(t *testing.T) {
 		t.Fatalf("Failed to set owned flag: %v", err)
 	}
 
-	if err := config.AutoBindFlags(cmd, flagBindings); err != nil {
-		t.Fatalf("AutoBindFlags failed: %v", err)
+	if err := config.NewCommandSetup(cmd).WithFlagBindings(flagBindings).Bind(); err != nil {
+		t.Fatalf("Bind failed: %v", err)
 	}
 
 	if got := config.GetString("azure_devops.scan.organization"); got != "my-org" {
@@ -66,8 +66,8 @@ func TestDevOpsScanEnvVarBinding(t *testing.T) {
 
 	cmd := NewScanCmd()
 
-	if err := config.AutoBindFlags(cmd, flagBindings); err != nil {
-		t.Fatalf("AutoBindFlags failed: %v", err)
+	if err := config.NewCommandSetup(cmd).WithFlagBindings(flagBindings).Bind(); err != nil {
+		t.Fatalf("Bind failed: %v", err)
 	}
 
 	if got := config.GetString("azure_devops.scan.organization"); got != "env-org" {

internal/cmd/gitea/scan/scan.go

@@ -94,13 +94,10 @@ pipeleek gitea scan --token gitea_token_xxxxx --url https://gitea.example.com --
 }
 
 func Scan(cmd *cobra.Command, args []string) {
-	if err := config.AutoBindFlags(cmd, flagBindings); err != nil {
-		log.Fatal().Err(err).Msg("Failed to bind command flags to configuration keys")
-	}
-
-	if err := config.RequireConfigKeys("gitea.url", "gitea.token"); err != nil {
-		log.Fatal().Err(err).Msg("Missing required configuration")
-	}
+	config.NewCommandSetup(cmd).
+		WithFlagBindings(flagBindings).
+		RequireKeys("gitea.url", "gitea.token").
+		MustBind()
 
 	giteaURL := config.GetString("gitea.url")
 	giteaToken := config.GetString("gitea.token")

internal/cmd/gitea/scan/scan_test.go

@@ -72,8 +72,8 @@ func TestGiteaScanFlagBindings(t *testing.T) {
 		t.Fatalf("Failed to set owned flag: %v", err)
 	}
 
-	if err := config.AutoBindFlags(cmd, flagBindings); err != nil {
-		t.Fatalf("AutoBindFlags failed: %v", err)
+	if err := config.NewCommandSetup(cmd).WithFlagBindings(flagBindings).Bind(); err != nil {
+		t.Fatalf("Bind failed: %v", err)
 	}
 
 	if got := config.GetString("gitea.scan.organization"); got != "my-org" {
@@ -101,8 +101,8 @@ func TestGiteaScanEnvVarBinding(t *testing.T) {
 
 	cmd := NewScanCmd()
 
-	if err := config.AutoBindFlags(cmd, flagBindings); err != nil {
-		t.Fatalf("AutoBindFlags failed: %v", err)
+	if err := config.NewCommandSetup(cmd).WithFlagBindings(flagBindings).Bind(); err != nil {
+		t.Fatalf("Bind failed: %v", err)
 	}
 
 	if got := config.GetString("gitea.scan.organization"); got != "env-org" {

internal/cmd/github/scan/scan.go

@@ -87,13 +87,10 @@ pipeleek gh scan --token github_pat_xxxxxxxxxxx --artifacts --repo owner/repo
 }
 
 func Scan(cmd *cobra.Command, args []string) {
-	if err := config.AutoBindFlags(cmd, flagBindings); err != nil {
-		log.Fatal().Err(err).Msg("Failed to bind command flags to configuration keys")
-	}
-
-	if err := config.RequireConfigKeys("github.token"); err != nil {
-		log.Fatal().Err(err).Msg("Missing required configuration")
-	}
+	config.NewCommandSetup(cmd).
+		WithFlagBindings(flagBindings).
+		RequireKeys("github.token").
+		MustBind()
 
 	options.GitHubURL = config.GetString("github.url")
 	options.AccessToken = config.GetString("github.token")

internal/cmd/github/scan/scan_flag_test.go

@@ -42,8 +42,8 @@ func TestGitHubScanFlagBindings(t *testing.T) {
 		t.Fatalf("Failed to set owned flag: %v", err)
 	}
 
-	if err := config.AutoBindFlags(cmd, flagBindings); err != nil {
-		t.Fatalf("AutoBindFlags failed: %v", err)
+	if err := config.NewCommandSetup(cmd).WithFlagBindings(flagBindings).Bind(); err != nil {
+		t.Fatalf("Bind failed: %v", err)
 	}
 
 	if got := config.GetString("github.scan.org"); got != "my-org" {
@@ -80,8 +80,8 @@ func TestGitHubScanEnvVarBinding(t *testing.T) {
 
 	cmd := NewScanCmd()
 
-	if err := config.AutoBindFlags(cmd, flagBindings); err != nil {
-		t.Fatalf("AutoBindFlags failed: %v", err)
+	if err := config.NewCommandSetup(cmd).WithFlagBindings(flagBindings).Bind(); err != nil {
+		t.Fatalf("Bind failed: %v", err)
 	}
 
 	if got := config.GetString("github.scan.org"); got != "env-org" {

internal/cmd/gitlab/container/artipacked/artipacked.go

@@ -3,7 +3,6 @@ package artipacked
 import (
 	"github.com/CompassSecurity/pipeleek/pkg/config"
 	pkgcontainer "github.com/CompassSecurity/pipeleek/pkg/gitlab/container/artipacked"
-	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	gitlab "gitlab.com/gitlab-org/api/client-go"
 )
@@ -36,17 +35,14 @@ func NewArtipackedCmd() *cobra.Command {
 		Short: "Audit for artipacked misconfiguration (secrets in container images)",
 		Long:  "Scan for dangerous container build patterns that leak secrets like COPY . /path without .dockerignore",
 		Run: func(cmd *cobra.Command, args []string) {
-			if err := config.AutoBindFlags(cmd, flagBindings); err != nil {
-				log.Fatal().Err(err).Msg("Failed to bind command flags to configuration keys")
-			}
+			config.NewCommandSetup(cmd).
+				WithFlagBindings(flagBindings).
+				RequireKeys("gitlab.url", "gitlab.token").
+				MustBind()
 
 			gitlabUrl := config.GetString("gitlab.url")
 			gitlabApiToken := config.GetString("gitlab.token")
 
-			if err := config.RequireConfigKeys("gitlab.url", "gitlab.token"); err != nil {
-				log.Fatal().Err(err).Msg("required configuration missing")
-			}
-
 			owned = config.GetBool("gitlab.container.artipacked.owned")
 			member = config.GetBool("gitlab.container.artipacked.member")
 			repository = config.GetString("gitlab.container.artipacked.repo")