fix: batch fixes for issues #1924, #1925, #1927, #1928, #1930, #1931, #1933, #1934, #1935 [skip ci] (#378)

Fixes:
- #1924: Add auth requirement note to --generate help
- #1925: Clarify --bearer-token-env-var expects env var name, not value
- #1927: Add commit hash and build date to --version output
- #1928: Show clickable http:// URL in serve output
- #1930: Display Content-Length header in scrape -v output
- #1931: Accept CORTEX_API_KEY env var as auth token alias
- #1933: Use correct install.sh URL (software.cortex.foundation)
- #1934: Check env vars in login status command
- #1935: Prevent directory traversal in github install --path

Also fixes pre-existing issue:
- Add missing trust_proxy field to RateLimitConfig

Note: #1932 skipped - FABRIC_HOME not found in codebase

Co-authored-by: Bounty Bot <bounty-bot@factory.ai>

Author: echobt

cortex-app-server/src/config.rs

@@ -263,6 +263,10 @@ pub struct RateLimitConfig {
     /// Rate limit by user.
     #[serde(default)]
     pub by_user: bool,
+    /// Trust proxy headers (X-Real-IP, X-Forwarded-For) for client IP detection.
+    /// Enable this when running behind a reverse proxy.
+    #[serde(default)]
+    pub trust_proxy: bool,
     /// Exempt paths from rate limiting.
     #[serde(default)]
     pub exempt_paths: Vec<String>,
@@ -288,6 +292,7 @@ impl Default for RateLimitConfig {
             by_ip: true,
             by_api_key: false,
             by_user: false,
+            trust_proxy: false,
             exempt_paths: vec!["/health".to_string()],
             trust_proxy: false,
         }

cortex-cli/Cargo.toml

@@ -89,3 +89,6 @@ libc = { workspace = true }
 # For SIGTERM signal handling on Unix (graceful container shutdown)
 [target.'cfg(unix)'.dependencies]
 signal-hook = "0.3"
+
+[build-dependencies]
+chrono = "0.4"

cortex-cli/build.rs

@@ -0,0 +1,33 @@
+//! Build script for cortex-cli.
+//!
+//! Captures build-time information (git commit, build date) for --version output.
+
+use std::process::Command;
+
+fn main() {
+    // Capture git commit hash
+    let git_hash = Command::new("git")
+        .args(["rev-parse", "--short=7", "HEAD"])
+        .output()
+        .ok()
+        .and_then(|o| {
+            if o.status.success() {
+                String::from_utf8(o.stdout).ok()
+            } else {
+                None
+            }
+        })
+        .map(|s| s.trim().to_string())
+        .unwrap_or_else(|| "unknown".to_string());
+
+    // Capture build date (UTC)
+    let build_date = chrono::Utc::now().format("%Y-%m-%d").to_string();
+
+    // Emit cargo instructions
+    println!("cargo:rustc-env=CORTEX_GIT_HASH={}", git_hash);
+    println!("cargo:rustc-env=CORTEX_BUILD_DATE={}", build_date);
+
+    // Rerun if git HEAD changes
+    println!("cargo:rerun-if-changed=../.git/HEAD");
+    println!("cargo:rerun-if-changed=../.git/refs/heads");
+}

cortex-cli/src/agent_cmd.rs

@@ -124,6 +124,7 @@ pub struct CreateArgs {
 
     /// Generate agent using AI from a natural language description.
     /// Example: --generate "A Rust expert that helps with memory safety and performance"
+    /// Note: This feature requires authentication. Run 'cortex login' first or set CORTEX_AUTH_TOKEN.
     #[arg(short, long, value_name = "DESCRIPTION")]
     pub generate: Option<String>,
 

cortex-cli/src/github_cmd.rs

@@ -169,6 +169,16 @@ async fn run_install(args: InstallArgs) -> Result<()> {
 
     let repo_path = args.path.unwrap_or_else(|| PathBuf::from("."));
 
+    // Security: Reject paths containing directory traversal sequences
+    let path_str = repo_path.to_string_lossy();
+    if path_str.contains("..") {
+        bail!(
+            "Security error: Path contains directory traversal sequence (..): {}\n\
+            Please provide a direct path without '..' components.",
+            repo_path.display()
+        );
+    }
+
     // Validate that the target path exists and is a directory
     if !repo_path.exists() {
         bail!(
@@ -186,7 +196,15 @@ async fn run_install(args: InstallArgs) -> Result<()> {
         );
     }
 
-    let workflows_dir = repo_path.join(".github").join("workflows");
+    // Security: Canonicalize and verify the path is within expected bounds
+    let canonical_path = repo_path.canonicalize().with_context(|| {
+        format!(
+            "Failed to resolve path: {}\nPlease ensure the path is accessible.",
+            repo_path.display()
+        )
+    })?;
+
+    let workflows_dir = canonical_path.join(".github").join("workflows");
     let workflow_file = workflows_dir.join(format!("{}.yml", args.workflow_name));
 
     // Check if workflow already exists

cortex-cli/src/login.rs

@@ -130,6 +130,27 @@ pub async fn run_login_status(config_overrides: CliConfigOverrides) -> ! {
     check_duplicate_config_overrides(&config_overrides);
     let cortex_home = get_cortex_home();
 
+    // Check environment variables first (CORTEX_AUTH_TOKEN and CORTEX_API_KEY)
+    if let Ok(token) = std::env::var("CORTEX_AUTH_TOKEN") {
+        if !token.is_empty() {
+            print_success(&format!(
+                "Authenticated via CORTEX_AUTH_TOKEN environment variable: {}",
+                safe_format_key(&token)
+            ));
+            std::process::exit(0);
+        }
+    }
+
+    if let Ok(token) = std::env::var("CORTEX_API_KEY") {
+        if !token.is_empty() {
+            print_success(&format!(
+                "Authenticated via CORTEX_API_KEY environment variable: {}",
+                safe_format_key(&token)
+            ));
+            std::process::exit(0);
+        }
+    }
+
     // Use load_auth_with_fallback for automatic keyring -> encrypted file -> legacy fallback
     match load_auth_with_fallback(&cortex_home) {
         Ok(Some(auth)) => match auth.mode {

cortex-cli/src/main.rs

@@ -16,6 +16,18 @@ use clap_complete::{Shell, generate};
 use std::io;
 use std::path::PathBuf;
 
+/// Build-time version string with commit hash and build date.
+fn get_long_version() -> &'static str {
+    // Build-time environment variables from build.rs
+    const VERSION: &str = env!("CARGO_PKG_VERSION");
+    const GIT_HASH: &str = option_env!("CORTEX_GIT_HASH").unwrap_or("unknown");
+    const BUILD_DATE: &str = option_env!("CORTEX_BUILD_DATE").unwrap_or("unknown");
+
+    // Use a static to avoid allocations on every call
+    static LONG_VERSION: std::sync::OnceLock<String> = std::sync::OnceLock::new();
+    LONG_VERSION.get_or_init(|| format!("{} ({} {})", VERSION, GIT_HASH, BUILD_DATE))
+}
+
 /// Cortex CLI styled help theme.
 /// Uses a modern color scheme with cyan accents for a beautiful terminal experience.
 fn get_styles() -> Styles {
@@ -167,7 +179,7 @@ pub enum ColorMode {
 /// If no subcommand is specified, starts the interactive TUI.
 #[derive(Parser)]
 #[command(name = "cortex")]
-#[command(author, version)]
+#[command(author, version, long_version = get_long_version())]
 #[command(about = "Cortex - AI Coding Agent", long_about = None)]
 #[command(
     styles = get_styles(),
@@ -2145,7 +2157,7 @@ async fn run_serve(serve_cli: ServeCommand) -> Result<()> {
         ""
     };
     print_info(&format!(
-        "Starting Cortex server on {}:{}{}...",
+        "Server running at http://{}:{}{}",
         serve_cli.host, serve_cli.port, auth_status
     ));
 

cortex-cli/src/mcp_cmd.rs

@@ -407,7 +407,9 @@ pub struct AddMcpStreamableHttpArgs {
     #[arg(long)]
     pub url: String,
 
-    /// Optional environment variable to read for a bearer token.
+    /// Name of the environment variable containing a bearer token (not the token itself).
+    /// The CLI will read the token value from this env var at runtime.
+    /// Example: --bearer-token-env-var MY_API_TOKEN (where MY_API_TOKEN env var contains the token)
     #[arg(
         long = "bearer-token-env-var",
         value_name = "ENV_VAR",

cortex-cli/src/scrape_cmd.rs

@@ -354,8 +354,18 @@ impl ScrapeCommand {
             .and_then(|v| v.to_str().ok())
             .unwrap_or("text/html");
 
+        // Capture Content-Length header before consuming response
+        let content_length = response
+            .headers()
+            .get("content-length")
+            .and_then(|v| v.to_str().ok())
+            .and_then(|v| v.parse::<u64>().ok());
+
         if self.verbose {
             eprintln!("Content-Type: {content_type}");
+            if let Some(len) = content_length {
+                eprintln!("Content-Length: {} bytes", len);
+            }
         }
 
         let body = response

cortex-engine/src/auth_token.rs

@@ -5,14 +5,15 @@
 //!
 //! # Supported Authentication Methods
 //!
-//! 1. **API Key**: Set via `cortex login --api-key` or `CORTEX_AUTH_TOKEN` env var
+//! 1. **API Key**: Set via `cortex login --api-key` or environment variables
 //! 2. **OAuth Login**: Set via `cortex login` (device code flow)
 //!
 //! # Priority Order
 //!
 //! 1. Instance token (passed explicitly to client)
 //! 2. `CORTEX_AUTH_TOKEN` environment variable
-//! 3. System keyring (via `cortex_login::get_auth_token()` with auto-refresh)
+//! 3. `CORTEX_API_KEY` environment variable (alias for CORTEX_AUTH_TOKEN)
+//! 4. System keyring (via `cortex_login::get_auth_token()` with auto-refresh)
 
 use crate::error::{CortexError, Result};
 
@@ -21,7 +22,8 @@ use crate::error::{CortexError, Result};
 /// Priority order:
 /// 1. Instance token (if provided and non-empty)
 /// 2. `CORTEX_AUTH_TOKEN` environment variable
-/// 3. System keyring via `cortex_login::get_auth_token()` (handles OAuth token refresh)
+/// 3. `CORTEX_API_KEY` environment variable (alias for GitHub Actions compatibility)
+/// 4. System keyring via `cortex_login::get_auth_token()` (handles OAuth token refresh)
 ///
 /// # Arguments
 /// * `instance_token` - Optional token passed to the client instance
@@ -59,7 +61,15 @@ pub fn get_auth_token(instance_token: Option<&str>) -> Result<String> {
         }
     }
 
-    // Priority 3: Keyring via cortex_login (handles OAuth token refresh automatically)
+    // Priority 3: CORTEX_API_KEY environment variable (alias for GitHub Actions workflow)
+    if let Ok(token) = std::env::var("CORTEX_API_KEY") {
+        if !token.is_empty() {
+            tracing::debug!(source = "env_var", "Using auth token from CORTEX_API_KEY");
+            return Ok(token);
+        }
+    }
+
+    // Priority 4: Keyring via cortex_login (handles OAuth token refresh automatically)
     if let Some(token) = cortex_login::get_auth_token() {
         tracing::debug!(source = "keyring", "Using auth token from keyring");
         return Ok(token);
@@ -89,11 +99,16 @@ pub fn is_authenticated(instance_token: Option<&str>) -> bool {
         return true;
     }
 
-    // Check env var
+    // Check CORTEX_AUTH_TOKEN env var
     if std::env::var("CORTEX_AUTH_TOKEN").map_or(false, |t| !t.is_empty()) {
         return true;
     }
 
+    // Check CORTEX_API_KEY env var (alias)
+    if std::env::var("CORTEX_API_KEY").map_or(false, |t| !t.is_empty()) {
+        return true;
+    }
+
     // Check keyring
     cortex_login::has_valid_auth()
 }