Update outgoing sound, reorg code

Author: tstromberg

.claude/prompt.txt

@@ -0,0 +1,16 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please follow our security reporting guidelines at:
+https://github.com/codeGROOVE-dev/vulnerability-reports/blob/main/SECURITY.md
+
+This document contains all the specifics for how to submit a security report, including contact information, expected response times, and disclosure policies.
+
+## Security Practices
+
+- GitHub tokens are never logged or stored
+- All inputs are validated
+- File permissions are restricted (0600/0700)
+- Only HTTPS URLs to github.com are allowed
+- No shell interpolation of user data

.github/SECURITY.md

@@ -0,0 +1,13 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5

.github/dependabot.yml

@@ -0,0 +1,40 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [ main ]
+  push:
+    branches: [ main ]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Test
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        go-version: ['1.21']
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go-version }}
+          cache: true
+
+      - name: Install dependencies (Linux)
+        if: matrix.os == 'ubuntu-latest'
+        run: sudo apt-get update && sudo apt-get install -y gcc libgl1-mesa-dev xorg-dev
+
+      - name: Lint
+        run: make lint
+
+      - name: Build
+        run: make build
+
+      - name: Test
+        run: go test -v -race ./...

.github/workflows/ci.yml

@@ -10,7 +10,10 @@ GIT_COMMIT := $(shell git rev-parse --short HEAD 2>/dev/null || echo "unknown")
 BUILD_DATE := $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
 LDFLAGS := -X main.version=$(GIT_VERSION) -X main.commit=$(GIT_COMMIT) -X main.date=$(BUILD_DATE)
 
-.PHONY: build clean deps run app-bundle install install-darwin install-unix install-windows
+.PHONY: all build clean deps run app-bundle install install-darwin install-unix install-windows
+
+# Default target
+all: build
 
 # Install dependencies
 deps:
@@ -24,39 +27,38 @@ ifeq ($(shell uname),Darwin)
 	@echo "Running $(BUNDLE_NAME) from /Applications..."
 	@open "/Applications/$(BUNDLE_NAME).app"
 else
-	go run .
+	go run ./cmd/goose
 endif
 
 # Build for current platform
-build:
+build: out
 ifeq ($(OS),Windows_NT)
-	CGO_ENABLED=1 go build -ldflags "-H=windowsgui $(LDFLAGS)" -o $(APP_NAME).exe .
+	CGO_ENABLED=1 go build -ldflags "-H=windowsgui $(LDFLAGS)" -o out/$(APP_NAME).exe ./cmd/goose
 else
-	CGO_ENABLED=1 go build -ldflags "$(LDFLAGS)" -o $(APP_NAME) .
+	CGO_ENABLED=1 go build -ldflags "$(LDFLAGS)" -o out/$(APP_NAME) ./cmd/goose
 endif
 
 # Build for all platforms
 build-all: build-darwin build-linux build-windows
 
 # Build for macOS
 build-darwin:
-	CGO_ENABLED=1 GOOS=darwin GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o out/$(APP_NAME)-darwin-amd64 .
-	CGO_ENABLED=1 GOOS=darwin GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o out/$(APP_NAME)-darwin-arm64 .
+	CGO_ENABLED=1 GOOS=darwin GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o out/$(APP_NAME)-darwin-amd64 ./cmd/goose
+	CGO_ENABLED=1 GOOS=darwin GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o out/$(APP_NAME)-darwin-arm64 ./cmd/goose
 
 # Build for Linux
 build-linux:
-	CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o out/$(APP_NAME)-linux-amd64 .
-	CGO_ENABLED=1 GOOS=linux GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o out/$(APP_NAME)-linux-arm64 .
+	CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o out/$(APP_NAME)-linux-amd64 ./cmd/goose
+	CGO_ENABLED=1 GOOS=linux GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o out/$(APP_NAME)-linux-arm64 ./cmd/goose
 
 # Build for Windows
 build-windows:
-	CGO_ENABLED=1 GOOS=windows GOARCH=amd64 go build -ldflags "-H=windowsgui $(LDFLAGS)" -o out/$(APP_NAME)-windows-amd64.exe .
+	CGO_ENABLED=1 GOOS=windows GOARCH=amd64 go build -ldflags "-H=windowsgui $(LDFLAGS)" -o out/$(APP_NAME)-windows-amd64.exe ./cmd/goose
 	CGO_ENABLED=1 GOOS=windows GOARCH=arm64 go build -ldflags "-H=windowsgui $(LDFLAGS)" -o out/$(APP_NAME)-windows-arm64.exe .
 
 # Clean build artifacts
 clean:
 	rm -rf out/
-	rm -f $(APP_NAME)
 
 # Create out directory
 out:
@@ -163,7 +165,7 @@ install-darwin: app-bundle
 install-unix: build
 	@echo "Installing on $(shell uname)..."
 	@echo "Installing binary to /usr/local/bin..."
-	@sudo install -m 755 $(APP_NAME) /usr/local/bin/
+	@sudo install -m 755 out/$(APP_NAME) /usr/local/bin/
 	@echo "Installation complete! $(APP_NAME) has been installed to /usr/local/bin"
 
 # Install on Windows
@@ -172,7 +174,7 @@ install-windows: build
 	@echo "Creating program directory..."
 	@if not exist "%LOCALAPPDATA%\Programs\$(APP_NAME)" mkdir "%LOCALAPPDATA%\Programs\$(APP_NAME)"
 	@echo "Copying executable..."
-	@copy /Y "$(APP_NAME).exe" "%LOCALAPPDATA%\Programs\$(APP_NAME)\"
+	@copy /Y "out\$(APP_NAME).exe" "%LOCALAPPDATA%\Programs\$(APP_NAME)\"
 	@echo "Installation complete! $(APP_NAME) has been installed to %LOCALAPPDATA%\Programs\$(APP_NAME)"
 	@echo "You may want to add %LOCALAPPDATA%\Programs\$(APP_NAME) to your PATH environment variable."
 # BEGIN: lint-install .

Makefile

@@ -9,6 +9,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"regexp"
 	"runtime"
 	"strings"
 	"sync"
@@ -20,9 +21,23 @@ import (
 	"golang.org/x/oauth2"
 )
 
+// githubTokenRegex matches valid GitHub token formats.
+var githubTokenRegex = regexp.MustCompile(`^(ghp_[a-zA-Z0-9]{36}|gho_[a-zA-Z0-9]{36}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59})$`)
+
+// validateGitHubToken validates a GitHub token format.
+func validateGitHubToken(token string) error {
+	if token == "" {
+		return errors.New("empty token")
+	}
+	if !githubTokenRegex.MatchString(token) {
+		return errors.New("invalid GitHub token format")
+	}
+	return nil
+}
+
 // initClients initializes GitHub and Turn API clients.
 func (app *App) initClients(ctx context.Context) error {
-	token, err := app.githubToken(ctx)
+	token, err := app.token(ctx)
 	if err != nil {
 		return fmt.Errorf("get github token: %w", err)
 	}
@@ -44,8 +59,18 @@ func (app *App) initClients(ctx context.Context) error {
 	return nil
 }
 
-// githubToken retrieves the GitHub token using gh CLI.
-func (*App) githubToken(ctx context.Context) (string, error) {
+// token retrieves the GitHub token from GITHUB_TOKEN env var or gh CLI.
+func (*App) token(ctx context.Context) (string, error) {
+	// Check GITHUB_TOKEN environment variable first
+	if token := os.Getenv("GITHUB_TOKEN"); token != "" {
+		token = strings.TrimSpace(token)
+		if err := validateGitHubToken(token); err != nil {
+			return "", fmt.Errorf("invalid GITHUB_TOKEN: %w", err)
+		}
+		log.Println("Using GitHub token from GITHUB_TOKEN environment variable")
+		return token, nil
+	}
+
 	// Only check absolute paths for security - never use PATH
 	var trustedPaths []string
 	switch runtime.GOOS {
@@ -179,10 +204,19 @@ func (app *App) executeGitHubQuery(ctx context.Context, query string, opts *gith
 	return result, nil
 }
 
+// prResult holds the result of a Turn API query for a PR.
+type prResult struct {
+	err          error
+	turnData     *turn.CheckResponse
+	url          string
+	isOwner      bool
+	wasFromCache bool
+}
+
 // fetchPRsInternal is the implementation for PR fetching.
 // It returns GitHub data immediately and starts Turn API queries in the background (when waitForTurn=false),
 // or waits for Turn data to complete (when waitForTurn=true).
-func (app *App) fetchPRsInternal(ctx context.Context, waitForTurn bool) (incoming []PR, outgoing []PR, err error) {
+func (app *App) fetchPRsInternal(ctx context.Context, waitForTurn bool) (incoming []PR, outgoing []PR, _ error) {
 	// Use targetUser if specified, otherwise use authenticated user
 	user := app.currentUser.GetLogin()
 	if app.targetUser != "" {
@@ -200,9 +234,9 @@ func (app *App) fetchPRsInternal(ctx context.Context, waitForTurn bool) (incomin
 
 	// Run both queries in parallel
 	type queryResult struct {
+		err    error
 		query  string
 		issues []*github.Issue
-		err    error
 	}
 
 	queryResults := make(chan queryResult, 2)
@@ -236,11 +270,13 @@ func (app *App) fetchPRsInternal(ctx context.Context, waitForTurn bool) (incomin
 	// Collect results from both queries
 	var allIssues []*github.Issue
 	seenURLs := make(map[string]bool)
+	var queryErrors []error
 
 	for range 2 {
 		result := <-queryResults
 		if result.err != nil {
 			log.Printf("[GITHUB] Query failed: %s - %v", result.query, result.err)
+			queryErrors = append(queryErrors, result.err)
 			// Continue processing other query results even if one fails
 			continue
 		}
@@ -257,6 +293,11 @@ func (app *App) fetchPRsInternal(ctx context.Context, waitForTurn bool) (incomin
 	}
 	log.Printf("[GITHUB] Both searches completed in %v, found %d unique PRs", time.Since(searchStart), len(allIssues))
 
+	// If both queries failed, return an error
+	if len(queryErrors) == 2 {
+		return nil, nil, fmt.Errorf("all GitHub queries failed: %v", queryErrors)
+	}
+
 	// Limit PRs for performance
 	if len(allIssues) > maxPRsToProcess {
 		log.Printf("Limiting to %d PRs for performance (total: %d)", maxPRsToProcess, len(allIssues))
@@ -359,13 +400,6 @@ func (app *App) updatePRData(url string, needsReview bool, isOwner bool, actionR
 // fetchTurnDataSync fetches Turn API data synchronously and updates PRs directly.
 func (app *App) fetchTurnDataSync(ctx context.Context, issues []*github.Issue, user string, incoming *[]PR, outgoing *[]PR) {
 	turnStart := time.Now()
-	type prResult struct {
-		err          error
-		turnData     *turn.CheckResponse
-		url          string
-		isOwner      bool
-		wasFromCache bool
-	}
 
 	// Create a channel for results
 	results := make(chan prResult, len(issues))
@@ -455,17 +489,7 @@ func (app *App) fetchTurnDataSync(ctx context.Context, issues []*github.Issue, u
 
 // fetchTurnDataAsync fetches Turn API data in the background and updates PRs as results arrive.
 func (app *App) fetchTurnDataAsync(ctx context.Context, issues []*github.Issue, user string) {
-	// Log start of Turn API queries
-	// Start Turn API queries in background
-
 	turnStart := time.Now()
-	type prResult struct {
-		err          error
-		turnData     *turn.CheckResponse
-		url          string
-		isOwner      bool
-		wasFromCache bool
-	}
 
 	// Create a channel for results
 	results := make(chan prResult, len(issues))

cache.go renamed to cmd/goose/cache.go

@@ -378,23 +378,24 @@ func (app *App) updatePRs(ctx context.Context) {
 // buildCurrentMenuState creates a MenuState representing the current menu items.
 func (app *App) buildCurrentMenuState() *MenuState {
 	// Apply the same filtering as the menu display (stale PR filtering)
-	var filteredIncoming, filteredOutgoing []PR
+	staleThreshold := time.Now().Add(-stalePRThreshold)
 
-	now := time.Now()
-	staleThreshold := now.Add(-stalePRThreshold)
-
-	for i := range app.incoming {
-		if !app.hideStaleIncoming || app.incoming[i].UpdatedAt.After(staleThreshold) {
-			filteredIncoming = append(filteredIncoming, app.incoming[i])
+	filterStale := func(prs []PR) []PR {
+		if !app.hideStaleIncoming {
+			return prs
 		}
-	}
-
-	for i := range app.outgoing {
-		if !app.hideStaleIncoming || app.outgoing[i].UpdatedAt.After(staleThreshold) {
-			filteredOutgoing = append(filteredOutgoing, app.outgoing[i])
+		var filtered []PR
+		for i := range prs {
+			if prs[i].UpdatedAt.After(staleThreshold) {
+				filtered = append(filtered, prs[i])
+			}
 		}
+		return filtered
 	}
 
+	filteredIncoming := filterStale(app.incoming)
+	filteredOutgoing := filterStale(app.outgoing)
+
 	// Sort PRs the same way the menu does
 	incomingSorted := sortPRsBlockedFirst(filteredIncoming)
 	outgoingSorted := sortPRsBlockedFirst(filteredOutgoing)