CLI app support: hardened adapter, publish-api, proc.exec#31
Merged
Conversation
Make the cli backend archetype real and end-to-end publishable, so an
existing CLI can be fronted as an app: 'pilotctl appstore call <app> <args>'
translates into a local subprocess invocation.
Scaffolder / generated adapter:
- Fix the cli main: it never compiled (http-only cfg leaked in) — now builds.
- Passthrough method shape: a verbatim {"args":[...]} argv fronts the whole
CLI, so every subcommand is reachable without enumerating it.
- Hardened runner: scrubbed child env (+ backend.env_passthrough allowlist),
bounded output, structured non-zero exit, deterministic flags, missing-param
errors, stdin. No shell (argv exec'd directly).
- Manifest emits the proc.exec grant (scoped to the command) and protection
guarded; bump app-store to the version that knows proc.exec.
publish-api (internal/publish + admin):
- Submission model gains a cli backend (type/command/env_passthrough) and a
per-method cli route (args/params_as_flags/passthrough); Validate, ToConfig,
and the live HelpPreview branch on backend type. Admin case report is
backend-aware.
Tests:
- compile guard (parse-only test missed the unused-var that broke cli builds)
- publish-path e2e: a proc.exec cli app builds + clears the catalogue gate
- runtime e2e: the built adapter execs the fronted CLI over real IPC
(enumerated + passthrough + non-zero exit).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This was referenced Jun 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Makes the CLI backend archetype real and end-to-end publishable, so an existing CLI can be fronted as an app:
pilotctl appstore call <app> <args>translates into a local subprocess invocation.Depends on pilot-protocol/app-store#24 (the
proc.execcapability). This PR pins the app-store dep at that commit; re-pin to the merged SHA once #24 lands.Scaffolder / generated adapter
cfgleaked into the cli path →declared and not used). The parse-only test missed it because unused-var is a type-check error, not a parse error — added ago build ./...compile test.{"args":[...]}argv fronts the whole CLI, so every subcommand is reachable without enumerating it.backend.env_passthroughallow-list), bounded output (4 MiB), structured non-zero exit, deterministic flags, missing-${param}errors, optional stdin. No shell — argv is exec'd directly.proc.execgrant scoped to the command andprotection: guarded.publish-api (
internal/publish+ admin)Submissiongains a cli backend (type/command/env_passthrough) and a per-method cli route (args/params_as_flags/passthrough);Validate,ToConfig, and the liveHelpPreviewbranch on backend type. Admin case report is backend-aware.Tests
proc.execcli app builds + clears the catalogue self-verify gate on all platforms🤖 Generated with Claude Code