Address security and portability issues in CI scripts

1. Security: Remove eval from bin/ci-run-failed-specs
   - Use bash array instead of string for RSPEC_CMD
   - Execute command directly with "${RSPEC_CMD[@]}" (safer)
   - Eliminates command injection risk from spec paths

2. Security: Document safe eval usage in bin/ci-rerun-failures
   - Add comment explaining eval is safe (commands from predefined JOB_MAP)
   - Fix REPLY variable to use explicit naming

3. Error handling: Add dependency checks
   - bin/ci-rerun-failures: Check for gh and jq
   - bin/ci-run-failed-specs: Check for bundle
   - Provide clear error messages with install instructions

4. Portability: Document cross-platform clipboard alternatives
   - Add Linux alternatives (xclip, wl-clipboard) in CLAUDE.md
   - Maintain pbpaste as primary example for macOS

5. Consistency: Fix REPLY variable handling
   - Explicitly name REPLY in all read commands
   - Use ${REPLY} with quotes for -u compatibility

All scripts now have consistent error handling, better security,
and clearer documentation for cross-platform usage.

Author: justin808

CLAUDE.md

@@ -100,7 +100,9 @@ When RSpec tests fail, run just those specific examples:
 
 ```bash
 # Copy failure output from GitHub Actions, then:
-pbpaste | bin/ci-run-failed-specs
+pbpaste | bin/ci-run-failed-specs        # macOS
+# xclip -o | bin/ci-run-failed-specs     # Linux (requires: apt install xclip)
+# wl-paste | bin/ci-run-failed-specs     # Wayland (requires: apt install wl-clipboard)
 
 # Or pass spec paths directly:
 bin/ci-run-failed-specs './spec/system/integration_spec.rb[1:1:1:1]'

bin/ci-rerun-failures

@@ -71,6 +71,22 @@ done
 echo -e "${BLUE}=== CI Failure Re-runner ===${NC}"
 echo ""
 
+# Check required dependencies
+MISSING_DEPS=()
+command -v gh >/dev/null 2>&1 || MISSING_DEPS+=("gh (GitHub CLI)")
+command -v jq >/dev/null 2>&1 || MISSING_DEPS+=("jq")
+
+if [ ${#MISSING_DEPS[@]} -gt 0 ]; then
+  echo -e "${RED}Error: Missing required dependencies:${NC}"
+  for dep in "${MISSING_DEPS[@]}"; do
+    echo "  - $dep"
+  done
+  echo ""
+  echo "Install with:"
+  echo "  brew install gh jq"
+  exit 1
+fi
+
 # Fetch PR info
 if [ -z "$PR_NUMBER" ]; then
   if ! gh pr view --json number,commits >/dev/null 2>&1; then
@@ -214,9 +230,9 @@ echo "   3. Run: pbpaste | bin/ci-run-failed-specs"
 echo ""
 
 # Confirm before running
-read -p "Run these tests now? [Y/n] " -n 1 -r
+read -p "Run these tests now? [Y/n] " -n 1 -r REPLY
 echo
-if [[ ! $REPLY =~ ^[Yy]$ ]] && [[ ! -z $REPLY ]]; then
+if [[ ! "${REPLY}" =~ ^[Yy]$ ]] && [[ ! -z "${REPLY}" ]]; then
   echo "Cancelled."
   exit 0
 fi
@@ -239,6 +255,8 @@ for cmd in "${!COMMANDS_TO_RUN[@]}"; do
   echo -e "${BLUE}Command: $cmd${NC}"
   echo ""
 
+  # Note: Using eval here is safe because $cmd comes from predefined JOB_MAP,
+  # not from user input. Commands may contain shell operators like && and ||.
   if eval "$cmd"; then
     echo -e "${GREEN}✓ $job_name passed${NC}"
     echo ""

bin/ci-run-failed-specs

@@ -18,6 +18,21 @@ YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 
+# Check required dependencies
+MISSING_DEPS=()
+command -v bundle >/dev/null 2>&1 || MISSING_DEPS+=("bundle (Ruby bundler)")
+
+if [ ${#MISSING_DEPS[@]} -gt 0 ]; then
+  echo -e "${RED}Error: Missing required dependencies:${NC}"
+  for dep in "${MISSING_DEPS[@]}"; do
+    echo "  - $dep"
+  done
+  echo ""
+  echo "Install with:"
+  echo "  gem install bundler"
+  exit 1
+fi
+
 # Show help
 show_help() {
   cat << EOF
@@ -122,30 +137,35 @@ if [[ "${UNIQUE_SPECS[0]}" == *"spec/system"* ]] || [[ "${UNIQUE_SPECS[0]}" == *
   fi
 fi
 
-# Build rspec command
-RSPEC_CMD="bundle exec rspec"
+# Build rspec command as array (safer than eval)
+RSPEC_CMD=("bundle" "exec" "rspec")
 for spec in "${UNIQUE_SPECS[@]}"; do
-  RSPEC_CMD="$RSPEC_CMD '$spec'"
+  RSPEC_CMD+=("$spec")
 done
 
-echo -e "${BLUE}Command:${NC} cd $WORKING_DIR && $RSPEC_CMD"
+# Display command for user
+DISPLAY_CMD="bundle exec rspec"
+for spec in "${UNIQUE_SPECS[@]}"; do
+  DISPLAY_CMD="$DISPLAY_CMD '$spec'"
+done
+echo -e "${BLUE}Command:${NC} cd $WORKING_DIR && $DISPLAY_CMD"
 echo ""
 
 # Confirm (read from /dev/tty to handle piped input)
 if [ -t 0 ]; then
-  read -p "Run these specs now? [Y/n] " -n 1 -r
+  read -p "Run these specs now? [Y/n] " -n 1 -r REPLY
 else
-  read -p "Run these specs now? [Y/n] " -n 1 -r < /dev/tty
+  read -p "Run these specs now? [Y/n] " -n 1 -r REPLY < /dev/tty
 fi
 echo
-if [[ ! $REPLY =~ ^[Yy]$ ]] && [[ ! -z $REPLY ]]; then
+if [[ ! "${REPLY}" =~ ^[Yy]$ ]] && [[ ! -z "${REPLY}" ]]; then
   echo "Cancelled."
   exit 0
 fi
 
-# Run the specs
+# Run the specs directly (no eval - safer)
 cd "$WORKING_DIR"
-eval "$RSPEC_CMD"
+"${RSPEC_CMD[@]}"
 RESULT=$?
 
 echo ""