Releases: codecoradev/cora-cli
Release list
Release v0.6.2
What's New in v0.6.2
Fixed — Token Usage Tracking
-
tokens_usedis no longer alwaysNonein review and scan responses.parse_review_responseandparse_scan_responsepreviously discarded theusageobject returned by the LLM API, hardcodingOk((..., None)). Token counts and cost estimates were silently dropped.chat_completionnow returns(content, Option<Usage>)and the parse functions threadusagethrough asTokenUsage. All call sites updated.ReviewResponse.tokens_usedandScanResponse.tokens_usednow report real values when the provider supplies them.
-
cora review --streamnow collects token usage.- The streaming path (
chat_completion_stream) previously only accumulateddelta.contentand ignored theusagefield. It now sendsstream_options: { include_usage: true }and parsesusagefrom the final SSE chunk (top-level or nested inchoices[0].delta.usage). - Token counts are now reported correctly for both streaming and non-streaming review.
- The streaming path (
-
cora scanmulti-batch token accumulation.- When scanning multiple batches,
total_tokenswas overwritten by each batch instead of accumulated. Only the last successful batch's tokens were reported. - Token usage now accumulates across all batches (
input_tokens,output_tokens, andestimated_cost_usdare summed).
- When scanning multiple batches,
Changed — Code Quality
- Extracted magic numbers into named constants.
scan.rs: the hardcoded batch size fallback20and token budget60_000are nowDEFAULT_MAX_FILES_PER_BATCHandDEFAULT_BATCH_TOKEN_BUDGET.
Usagestruct now accepts camelCase aliases.- Some providers (e.g. Azure OpenAI, certain third-party gateways) return
promptTokens/completionTokens/totalTokensinstead of snake_case. Both forms are now accepted via#[serde(alias = ...)].
- Some providers (e.g. Azure OpenAI, certain third-party gateways) return
Tests
- Added 4 regression tests for token usage threading:
parse_review_preserves_usage_when_provided,parse_review_returns_none_usage_when_not_provided,parse_scan_preserves_usage_when_provided,usage_to_token_usage_maps_fields_correctly.
📦 Platforms
| Platform | File |
|---|---|
| Linux (x86_64) | cora-x86_64-unknown-linux-gnu-v0.6.2.tar.gz |
| Linux (ARM64) | cora-aarch64-unknown-linux-gnu-v0.6.2.tar.gz |
| macOS (Apple Silicon) | cora-aarch64-apple-darwin-v0.6.2.tar.gz |
| Windows (x86_64) | cora-x86_64-pc-windows-msvc-v0.6.2.zip |
🚀 Quick Start
# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh
# Or via cargo
cargo install cora
# Init project
cora init
# Review staged changes
CORA_API_KEY=your-key cora review --stagedFull changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md
Release v0.6.1
What's New in v0.6.1
Fixed — Scan
cora scanno longer aborts on non-JSON LLM responses (#316)- Detect non-JSON responses early (provider error pages, rate-limit bodies, empty responses, prose wrappers) and surface the raw response prefix (first 512 bytes) in the error message so users can diagnose the cause.
- Per-batch parse failures are now non-fatal by default: the failing batch is skipped with a
warn-level log and a stderr warning listing the affected files, and the scan continues with the remaining batches. Set--no-continue-on-batch-errorto restore the old abort behavior. - Added
--batch-files <N>flag (default: 20) to control the maximum number of files per LLM batch — lower it to work around provider token limits or rate-limit errors on large scans. - Truncated-JSON and general parse errors now include the raw response prefix for easier debugging without
--verbose.
Fixed — Review
cora reviewno longer exits 2 when severity filtering removes all blocking findings (#312)- Recompute
should_blockagainst the filtered issue list (after--severityfiltering) so the exit code matches the SARIF/pretty output the user sees. - Extracted exit-code logic into
compute_exit_code()helper (pure function) with 8 unit tests covering gate pass/fail, CI mode, and hookblockvs non-blockmodes. - Applies to both the single-chunk and auto-chunked (
--auto-chunk) review paths.
- Recompute
Fixed — Install (macOS)
- macOS installer now strips Gatekeeper quarantine attributes (#313)
- Prebuilt macOS binaries (
aarch64-apple-darwin) are not Apple-notarized. When downloaded directly, macOS attachescom.apple.quarantine/com.apple.provenancexattrs and kills the binary withKilled: 9on first launch. install.shnow runsxattr -drfor both attributes on the installed binary on macOS (best-effort, non-fatal).- Added a prominent
<details>block in the README install section explaining the symptom, the manualxattrworkaround for users who download the binary directly, and thecargo/ Homebrew alternatives.
- Prebuilt macOS binaries (
Changed — Docs
- Install section now warns about multiple distribution channels (#314)
- Recommends a single install method per platform and lists the supported channels (installer script,
cargo, pre-built binaries). - Adds a
which -a cora && cora --versioncheck snippet and guidance for removing stale copies when more than onecorais onPATH(e.g.~/.local/binvs~/.cargo/binvs npm global). - Cross-links the original issue for background.
- Recommends a single install method per platform and lists the supported channels (installer script,
📦 Platforms
| Platform | File |
|---|---|
| Linux (x86_64) | cora-x86_64-unknown-linux-gnu-v0.6.1.tar.gz |
| Linux (ARM64) | cora-aarch64-unknown-linux-gnu-v0.6.1.tar.gz |
| macOS (Apple Silicon) | cora-aarch64-apple-darwin-v0.6.1.tar.gz |
| Windows (x86_64) | cora-x86_64-pc-windows-msvc-v0.6.1.zip |
🚀 Quick Start
# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh
# Or via cargo
cargo install cora
# Init project
cora init
# Review staged changes
CORA_API_KEY=your-key cora review --stagedFull changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md
Release v0.6.0
What's New in v0.6.0
Added — Code Intelligence
-
cora index— persistent SQLite symbol index with FTS5 (#264)- Regex-based definition extraction for 13 languages
- Incremental reindex via SHA-256 file fingerprints
--stats,--prune,--rebuild,--watchflags- Database:
.cora/index.db
-
cora explore— search the symbol index (#265)- FTS5 full-text search with bm25 ranking
- Filter by
--kind,--file,--language - JSON output mode
-
cora callers/cora impact— call graph analysis (#266)- Reverse call graph traversal (who calls this?)
- Forward impact analysis (what breaks if changed?)
- Depth-limited traversal
-
cora affected— test file selection (#267)- Find tests affected by source changes
- Call graph + naming convention strategies
- stdin support for
git diff --name-only | cora affected --stdin
-
Language expansion — 6 → 13 languages (#268)
- Ruby, PHP, Swift, Scala, Lua, Zig
-
cora index --watch— auto-sync file watcher (#269)- Poll-based incremental reindex (2s interval)
- No extra dependencies
Added — MCP Server (14 tools)
-
Phase 1: Code Intelligence (#284) — 5 new MCP tools:
cora.search_symbols,cora.find_callers,cora.find_impact,cora.find_affected_tests,cora.index_status -
Phase 2: Review Pipeline (#285) — 2 new MCP tools:
cora.review_diff,cora.get_debt -
Phase 3: Context Enrichment (#286) — 2 new MCP tools:
cora.get_project_info,cora.get_memory
Added — Cross-Product Bundle
- Cora + Uteke bundle installer (#235)
install-bundle.sh— single command installs both tools- Cross-referencing documentation across all docs
Fixed
- Uteke recall flag —
--format json→--json(uteke v0.0.13+ API) (#259) - Uteke v0.1.0 empty results parser — handle both bare
[]and wrapped{"results":[]}
📦 Platforms
| Platform | File |
|---|---|
| Linux (x86_64) | cora-x86_64-unknown-linux-gnu-v0.6.0.tar.gz |
| Linux (ARM64) | cora-aarch64-unknown-linux-gnu-v0.6.0.tar.gz |
| macOS (Apple Silicon) | cora-aarch64-apple-darwin-v0.6.0.tar.gz |
| Windows (x86_64) | cora-x86_64-pc-windows-msvc-v0.6.0.zip |
🚀 Quick Start
# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh
# Or via cargo
cargo install cora
# Init project
cora init
# Review staged changes
CORA_API_KEY=your-key cora review --stagedFull changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md
Release v0.5.1
What's New in v0.5.1
Added
cora commit— review staged diff + generate commit message + commit (#262)- HITL mode (default): interactive
[Y]es / [E]dit / [N]oprompt - YOLO mode (
--yolo): auto-commit without prompts --force: commit even if quality gate fails--no-review: skip review, only generate commit message--edit: always open$EDITOR- Conventional commit format (feat/fix/refactor/perf/docs/test/chore/style/build/ci)
- Auto-truncates subjects to 72 chars
- Quality gate integration (block on FAIL unless
--force) - Debt snapshot saved after commit
chat_completion_raw()+chat_completion_stream_raw()inengine/llm.rs- 22 unit tests
- HITL mode (default): interactive
Fixed
- Uteke recall flag —
--format json→--json(uteke v0.0.13+ API change) (#259) - Uteke recall JSON parser — handle both bare
[]and wrapped{"results":[]}formats (uteke v0.1.0+) - Extracted
parse_recall_json()with 6 unit tests for format compatibility
📦 Platforms
| Platform | File |
|---|---|
| Linux (x86_64) | cora-x86_64-unknown-linux-gnu-v0.5.1.tar.gz |
| Linux (ARM64) | cora-aarch64-unknown-linux-gnu-v0.5.1.tar.gz |
| macOS (Apple Silicon) | cora-aarch64-apple-darwin-v0.5.1.tar.gz |
| Windows (x86_64) | cora-x86_64-pc-windows-msvc-v0.5.1.zip |
🚀 Quick Start
# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh
# Or via cargo
cargo install cora
# Init project
cora init
# Review staged changes
CORA_API_KEY=your-key cora review --stagedFull changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md
Release v0.5.0
What's New in v0.5.0
Added
- Quality Gate — configurable threshold-based PASS/FAIL for CI enforcement (#205)
- Global thresholds:
max_critical,max_major,max_minor,max_security - Per-category overrides:
block,warn,ignoreactions - Terminal-formatted gate output with status table
- Exit code 2 on gate failure
- 12 unit tests covering all gate scenarios
- Global thresholds:
- Static Security Scanner — 11 regex patterns for common vulnerabilities (#234)
- Weak crypto (MD5/SHA1 for passwords), hardcoded secrets, SQL injection, eval(), command injection
- Hardcoded roles, debug mode, CORS wildcard, SSL verify disabled
- Auto-skips test files; only scans added lines
- Findings injected into LLM prompt as additional context
- Language-Specific Analyzers — tailored review guidance for 6 languages (#233)
- Dart/Flutter: widget lifecycle, state management, null safety
- Svelte/TypeScript: reactivity, stores, SSR, type safety
- Go: error handling, concurrency, goroutine leaks
- Rust: ownership, lifetimes, unsafe, idioms
- Python: type hints, async, security patterns
- MCP Server — expose rules and config to AI coding agents (#207)
- JSON-RPC 2.0 over stdio transport
- 5 tools:
list_rules,check_snippet,get_quality_gate,get_config,list_profiles cora mcpsubcommand- Brace-depth stdin parsing (handles pretty-printed JSON)
- 17 unit tests
- Auto-chunking — large diffs split into reviewable chunks automatically (#188)
--no-auto-chunkflag to disablesrc/engine/chunker.rsmodule (~310 lines)
- Tech debt metrics — cumulative review history and trend tracking (#206)
DebtSnapshotper-review JSON snapshots with quality score (0-10)cora debtsubcommand — terminal table,--json,--trendASCII graph,--since,--branchfilters- Auto-save after every review (best-effort, never fails review)
debt:config section in.cora.yaml(history_dir, retention_days)- 32 unit tests
- Uteke memory integration — recall project patterns and learn from reviews (#232)
--memoryflag — recall context from Uteke before review--learnflag — recall + save findings after reviewMemoryBackendwith auto-detect, graceful degradation when Uteke not installed- 11 unit tests
- Multi-platform CI docs — Gitea/Forgejo, GitLab CI, Bitbucket Pipelines workflow examples (#225)
- GitHub Marketplace action — published as
codecoradev/cora-review-action@v1 - Improved review prompt — better consistency, lower false-negative rate, explicit error handling focus area
- Comprehensive docs/examples.md — GitHub Actions section with setup guide, inputs reference, and provider table
Changed
- CI action moved to GitHub Marketplace — workflow uses marketplace action instead of
.github/actions/cora-review/ - README links — all documentation links now point to
codecora.devinstead of relative file paths - CI workflows — removed stale SvelteKit
website/jobs, replaced with VitePressdocs/build merge_into()returnsResult— fail-fast on invalid profile config instead of silently continuing- Language context reuses parsed diff —
build_language_context_from_chunks()eliminates redundantparse_diff()call - 13 stale issues closed — migration epics, website tasks, v0.4 leftovers
- 15 stale branches deleted — cleanup after merge
Fixed
- Profiles bugs — path resolution with project root, fail-fast on invalid config, dedup merge by
id(#238) - Code Scanning alert #79 — eliminated redundant
parse_diff()call in language context injection - Download hardening — 5x retry with exponential backoff, gzip validation, checksum verification for cora-cli binary download in CI (#221)
- curl hardening —
--fail --show-error+set -eguard prevents silent HTML downloads - Checksum enforcement — hard fail on missing/invalid checksums (was warning-only)
- Exact checksum match —
awkexact filename lookup replacesgrepsubstring match
Removed
- SvelteKit
website/— 6,286 lines removed, replaced by VitePressdocs/ Website LintCI job — removed from required status checks- Internal composite action —
.github/actions/cora-review/deleted, replaced by marketplace action cora-review-simple— unused duplicate action deleted
📦 Platforms
| Platform | File |
|---|---|
| Linux (x86_64) | cora-x86_64-unknown-linux-gnu-v0.5.0.tar.gz |
| Linux (ARM64) | cora-aarch64-unknown-linux-gnu-v0.5.0.tar.gz |
| macOS (Apple Silicon) | cora-aarch64-apple-darwin-v0.5.0.tar.gz |
| Windows (x86_64) | cora-x86_64-pc-windows-msvc-v0.5.0.zip |
🚀 Quick Start
# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh
# Or via cargo
cargo install cora
# Init project
cora init
# Review staged changes
CORA_API_KEY=your-key cora review --stagedFull changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md
Release v0.4.6
What's New in v0.4.6
Changed
- README redesigned — 568 → 148 lines, professional layout with star badge, docs index table, links to docs/ for details (#162)
- All docs updated for v0.4.5+ — changelog, getting-started, usage, roadmap, examples, installation
Added
- Deterministic secrets pre-scan — 12 built-in patterns (AWS, GitHub, OpenAI, Anthropic, Groq, xAI, Slack, Stripe, Google, JWT, Private Key) run before AI review (#204)
- Masked output:
AKIA****CDEF(first 4 + last 4 chars shown) - Auto-skip test/spec/fixture/mock/example files
- Secrets findings injected into LLM context for consistent summary
- Fallback path blocks on critical findings even when LLM fails
- Masked output:
- Diff parser hardening — hunk line count validation, broader binary detection (GIT binary patch, singular form), graceful truncated diff handling (#195 Phase 1)
.agent.mdrelease checklist — pre-release checklist to prevent docs drift between versions
Fixed
cora config show --global/--projectdocumented in cli-reference.md (was missing)cora auth loginpath corrected fromconfig.tomltoauth.tomlin cli-reference.md- CI example in docs now includes CORA_BASE_URL and CORA_MODEL secrets
📦 Platforms
| Platform | File |
|---|---|
| Linux (x86_64) | cora-x86_64-unknown-linux-gnu-v0.4.6.tar.gz |
| Linux (ARM64) | cora-aarch64-unknown-linux-gnu-v0.4.6.tar.gz |
| macOS (Apple Silicon) | cora-aarch64-apple-darwin-v0.4.6.tar.gz |
| Windows (x86_64) | cora-x86_64-pc-windows-msvc-v0.4.6.zip |
🚀 Quick Start
# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh
# Or via cargo
cargo install cora
# Init project
cora init
# Review staged changes
CORA_API_KEY=your-key cora review --stagedFull changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md
Release v0.4.5
What's New in v0.4.5
Changed
- Config architecture redesign — clear separation of concerns between config files (#209)
~/.cora/auth.tomlnow stores only the API key (secret)~/.cora/config.yamlstores provider, model, base_url, and other settings (global).cora.yaml(project) overrides global config per-projectCORA_API_KEYenv var reserved for CI use only
- Provider info auto-migration — if
auth.tomlstill contains provider/model/base_url, automatically moved toconfig.yamlon first run - Deterministic rules —
rules/added to default exclude paths, preventing rules from matching their own source definitions (#185)
Fixed
cora config show— now displays the effective resolved config with source annotations like[from: env CORA_PROVIDER]instead of raw file values (#189)cora config show --global— new flag to show only~/.cora/config.yamlcontentscora config show --project— new flag to show only.cora.yamlcontents (mutually exclusive with--global)cora reviewsends to wrong provider — provider info fromauth.toml/config.yamlwas ignored at runtime, always defaulting to OpenAI. Now correctly reads from merged config (#209)save_provider_infodata loss — parse failure onconfig.yamlno longer silently replaces the entire file with defaults (now returns error)cora auth logininteractive flow — now auto-detects provider env vars (e.g. pick ZAI → detectsZAI_API_KEY), suggests model and base URL defaults from presets (enter to accept) (#203)cora auth login --provider zai— now auto-detectsZAI_API_KEYfrom environment, no need for--api-keyflag (#184)- Env var override visibility —
cora config shownow annotates which values come from env vars vs config files (#182) - Truncated JSON repair tests — 12 new tests confirming
repair_truncated_json()works correctly for all edge cases (#186)
Added
--global/--projectflags oncora config showfor scoped config inspection- Clap
conflicts_withon--global/--project—cora config show --global --projectnow rejected at CLI level - Interactive model/base URL prompts — during
cora auth login, shows preset defaults and allows override with enter-to-accept
📦 Platforms
| Platform | File |
|---|---|
| Linux (x86_64) | cora-x86_64-unknown-linux-gnu-v0.4.5.tar.gz |
| Linux (ARM64) | cora-aarch64-unknown-linux-gnu-v0.4.5.tar.gz |
| macOS (Apple Silicon) | cora-aarch64-apple-darwin-v0.4.5.tar.gz |
| Windows (x86_64) | cora-x86_64-pc-windows-msvc-v0.4.5.zip |
🚀 Quick Start
# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh
# Or via cargo
cargo install cora
# Init project
cora init
# Review staged changes
CORA_API_KEY=your-key cora review --stagedFull changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md
Release v0.4.4
What's New in v0.4.4
Fixed
- Spinner auto-hides in non-TTY —
indicatifprogress spinners inllm.rsandscanner.rsnow detect piped/redirected stderr and auto-hide, preventing ANSI pollution in captured output (#181) - Truncated JSON repair — LLM responses cut off by max_tokens are now auto-repaired by closing unclosed strings/brackets before parse, preserving partial findings instead of failing completely (#186)
Added
--output-file <PATH>flag — write formatted review output to a file instead of stdout, guaranteeing capture in CI/batch pipelines (#181)
📦 Platforms
| Platform | File |
|---|---|
| Linux (x86_64) | cora-x86_64-unknown-linux-gnu-v0.4.4.tar.gz |
| Linux (ARM64) | cora-aarch64-unknown-linux-gnu-v0.4.4.tar.gz |
| macOS (Apple Silicon) | cora-aarch64-apple-darwin-v0.4.4.tar.gz |
| Windows (x86_64) | cora-x86_64-pc-windows-msvc-v0.4.4.zip |
🚀 Quick Start
# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh
# Or via cargo
cargo install cora
# Init project
cora init
# Review staged changes
CORA_API_KEY=your-key cora review --stagedFull changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md
Release v0.4.3
What's New in v0.4.3
Fixed
- Provider shortcut now resolves preset defaults — bare
provider: zaiin.cora.yamlauto-fillsbase_urlandmodelfrom the preset table (#183) - Env var override warnings —
CORA_PROVIDER,CORA_MODEL,CORA_BASE_URLnow warn when they override config file settings (#182) config showdisplays effective (resolved) config — shows actual runtime values with[from: env ...]annotations when env vars override config (#189)- Auth file permissions auto-fix —
~/.cora/auth.tomlpermissions auto-corrected to 600 instead of just warning (#187) - Deterministic rules exclude own source files — security rules no longer match against
rules/andtests/directories, eliminating false positives (#185)
Added
- Non-interactive
cora auth login—--provider,--api-key,--model,--base-url,--forceflags for scriptable setup (#184)
📦 Platforms
| Platform | File |
|---|---|
| Linux (x86_64) | cora-x86_64-unknown-linux-gnu-v0.4.3.tar.gz |
| Linux (ARM64) | cora-aarch64-unknown-linux-gnu-v0.4.3.tar.gz |
| macOS (Apple Silicon) | cora-aarch64-apple-darwin-v0.4.3.tar.gz |
| Windows (x86_64) | cora-x86_64-pc-windows-msvc-v0.4.3.zip |
🚀 Quick Start
# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh
# Or via cargo
cargo install cora
# Init project
cora init
# Review staged changes
CORA_API_KEY=your-key cora review --stagedFull changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md
Release v0.4.2
What's New in v0.4.2
Fixed
- Cora Review now works on fork PRs — changed trigger from
pull_requesttopull_request_targetsoGITHUB_TOKENhas write access for PR comments on external contributor PRs. Explicitly checks out PR head SHA for correct diff (#178 context)
Added
- Top-level provider shortcuts in
.cora.yaml—model:,base_url:, and bareprovider:string now accepted at top level without needing nestedprovider:section (#178, closes #176)
📦 Platforms
| Platform | File |
|---|---|
| Linux (x86_64) | cora-x86_64-unknown-linux-gnu-v0.4.2.tar.gz |
| Linux (ARM64) | cora-aarch64-unknown-linux-gnu-v0.4.2.tar.gz |
| macOS (Apple Silicon) | cora-aarch64-apple-darwin-v0.4.2.tar.gz |
| Windows (x86_64) | cora-x86_64-pc-windows-msvc-v0.4.2.zip |
🚀 Quick Start
# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh
# Or via cargo
cargo install cora
# Init project
cora init
# Review staged changes
CORA_API_KEY=your-key cora review --stagedFull changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md