Fizzy CLI #2360
Closed
Fizzy CLI #2360
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- OAuth tokens = Access Token that belongs to an OAuth client - One table (oauth_clients) + one column (oauth_client_id) - Stateless authorization codes via MessageEncryptor (60s TTL) - Implicit grants (token exists = grant, revoke = delete tokens) - Dynamic client registration for MCPs - Token lifetime: no expiry, explicit revocation only - Scope mapping: space-delimited OAuth scopes → permission enum - Security: PKCE required, loopback-only DCR, rate limiting - RFC compliance: 6749, 6750, 7636, 7591, 8252, 8414, 9728 Authorization flow with PKCE (S256 only) - Consent screen showing client name and requested scopes - Stateless authorization codes via MessageEncryptor Token endpoint - Authorization code exchange with PKCE verification - Issues Identity::AccessToken linked to OAuth client Revocation endpoint (RFC 7009) - Revoke access tokens by value - Always returns 200 per spec
Discovery endpoints (RFC 8414): - /.well-known/oauth-authorization-server - /.well-known/oauth-protected-resource Dynamic Client Registration (RFC 7591): - POST /oauth/clients for MCP clients - Loopback redirects only (127.0.0.1, localhost, [::1]) - Rate limited to 10 requests/minute
View and revoke OAuth client access at /my/connected_apps. Scoped through identity's OAuth tokens for proper authorization. Links from access tokens index for discoverability.
Agent-first CLI for Fizzy API interaction: - OAuth 2.1 with RFC 8414 discovery, DCR, and PKCE - 7-layer config hierarchy (system/user/repo/local/env/flags) - HTTP client with ETag caching and exponential backoff - JSON/Markdown output with auto-detection - 72 passing bats tests
Three improvements: 1. _wait_for_callback: Avoid SIGPIPE killing nc before HTTP response sent. The `nc | head -1` pipe causes head to close stdin after reading one line, sending SIGPIPE to nc before it finishes writing the response. Now captures nc output to temp file before reading with head. 2. _exchange_code: Only include client_secret for confidential clients. Public clients (registered via DCR) have no secret, and sending an empty client_secret= parameter can cause some OAuth servers to reject the request. 3. _register_client: Request scope in DCR to ensure CLI gets proper permissions.
The symlink was pointing to $INSTALL_DIR/fizzy but the binary is at $INSTALL_DIR/bin/fizzy after extraction.
- Tag API returns .title not .name - fix resolve_tag_id matching - Strip leading # from tag input (users type #bug or bug) - Use api_get_all for boards/users/tags to fetch all pages - Use grep -iF in _suggest_similar to avoid regex errors on special characters like [ ] * Adds contract tests for tag resolution and regex handling.
The API only accepts title/description on POST /cards. Flags like
--column, --tag, and --assign were being silently ignored.
Now chains follow-up API calls after card creation:
- POST /cards/{n}/triage for --column
- POST /cards/{n}/taggings for --tag
- POST /cards/{n}/assignments for --assign
Also strips leading # from tag names in fizzy tag --with.
Multi-origin setups (dev + prod) were sharing a global account_slug, causing mismatches when switching between instances. Now stores account_slug alongside access_token in per-origin credentials file, with fallback to global config for compatibility.
- boards, tags, people, notifications: add --page N pagination - search: add board name resolution via resolve_board_id - Consistent validation (positive integer required) - Breadcrumbs show next page command Adds pagination tests for all query commands.
api_get_all: - Fall back to ?page=N when Link headers absent - Stop on empty response to prevent infinite loops urlencode: - Replace python3 urllib.parse with jq -sRr @uri - Removes undocumented Python dependency
Completions: - Zsh: use \$words[1] in args state (array is shifted) - Remove --page from global flags (it's per-command) cards: - Add postponing_soon to --status filter help + completion
- Global flags (--json, --quiet) must precede command name - Default base URL is local dev, not production - Add pagination note for cards command
Adds --all/-a flag to boards, tags, people, and notifications commands to fetch all pages automatically using api_get_all. When --all is used: - Summary shows "(all)" instead of page number - "Next page" breadcrumb is omitted This matches the Go CLI's full-fetch behavior while maintaining the per-page --page flag for incremental fetching. Smoke test notes: - fizzy boards --all returns all boards (verified with 3 boards) - fizzy tags --all returns all tags - fizzy people --all returns all users - fizzy notifications --all returns all notifications
Adds `fizzy update <number> [options]` to update a card's title or
description. Uses PATCH /cards/{number} endpoint.
Options:
- --title, -t: New card title
- --description, -d: New card description (HTML)
- --description-file: Read description from file
This brings parity with the Go CLI's card update functionality.
Smoke test notes:
- fizzy update 1 --title "New title" updates title
- fizzy update 1 --description "content" updates description
- fizzy update 1 --title "A" --description "B" updates both
- fizzy update 1 --description-file notes.html works
- Error if no options provided (nothing to update)
Changed from standalone commands (fizzy edit-comment, fizzy delete-comment) to subcommands of comment (fizzy comment edit, fizzy comment delete). Usage: fizzy comment "text" --on <num> # Create comment (unchanged) fizzy comment edit <id> --on <num> "new text" # Update comment fizzy comment delete <id> --on <num> # Delete comment API: PATCH/DELETE /cards/:num/comments/:id Smoke test: fizzy comment edit --help; fizzy comment delete --help
fizzy delete <number> [numbers...] Permanently deletes cards. Shows warning in help that action cannot be undone. API: DELETE /cards/:number (returns 204 No Content) Smoke test: fizzy delete --help
fizzy delete-image <number> removes the header image from a card. Uses DELETE /cards/:number/image (returns 204), then fetches the card to show updated state.
Card update: wrap params in {card: {...}} as Rails expects params[:card]
Comment edit: Rails returns 204 No Content on PATCH, so fetch the
updated comment after to get its current state for display.
Steps:
- Add --completed flag to step create
- Add step show/update/delete subcommands
- Fix body wrapper to {step: {...}} as Rails expects
Reactions:
- Add fizzy reactions --card <num> --comment <id> to list reactions
- Add fizzy react delete <id> --card <num> --comment <id>
- Update fizzy react to manage reactions (add + delete)
All commands follow existing subcommand patterns (like comment edit/delete).
Shell completions updated for new subcommands.
Identity & Users: - fizzy identity: show current user and accounts - fizzy user show/update/delete: manage users - User avatar upload via multipart form Card Images: - --image flag on card create and card update - Multipart upload with retry/backoff for 429/5xx - Use --form-string for non-file fields (prevents @-prefix hazard) Auth & Config: - FIZZY_URL convenience var (extracts base URL + account slug) - Allow re-login without logout - Improved token and scope handling Reliability: - api_multipart_request helper with retry logic - Regression test for --form-string usage 387 tests passing, smoke tested against live server.
Member
Author
|
#2358 dupe |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Agent-first Bash CLI for the Fizzy API.
Features
Authentication
FIZZY_TOKENenv var for CI/scriptsFIZZY_URLconvenience var (extracts base + account slug)Core Queries
boards,cards,show,columns,people,tags,notifications,search,comments,reactionsCore Actions
cardcreate/update/delete,card image deleteclose/reopen/triage/untriage/postponecommentcreate/edit/deleteassign/tag/watch/gildstepCRUD,reactCRUDAdmin / Structure
boardcreate/update/deletecolumncreate/update/deleteconfigcommand for layered settingsUploads
--image(multipart, with retry/backoff)Output & Reliability
Test plan
bats test/*.bats)