Skip to content

Releases: codecoradev/cora-cli

Release v0.6.2

Choose a tag to compare

@github-actions github-actions released this 21 Jun 10:25
4f0d027

What's New in v0.6.2

Fixed — Token Usage Tracking

  • tokens_used is no longer always None in review and scan responses.

    • parse_review_response and parse_scan_response previously discarded the usage object returned by the LLM API, hardcoding Ok((..., None)). Token counts and cost estimates were silently dropped.
    • chat_completion now returns (content, Option<Usage>) and the parse functions thread usage through as TokenUsage. All call sites updated.
    • ReviewResponse.tokens_used and ScanResponse.tokens_used now report real values when the provider supplies them.
  • cora review --stream now collects token usage.

    • The streaming path (chat_completion_stream) previously only accumulated delta.content and ignored the usage field. It now sends stream_options: { include_usage: true } and parses usage from the final SSE chunk (top-level or nested in choices[0].delta.usage).
    • Token counts are now reported correctly for both streaming and non-streaming review.
  • cora scan multi-batch token accumulation.

    • When scanning multiple batches, total_tokens was overwritten by each batch instead of accumulated. Only the last successful batch's tokens were reported.
    • Token usage now accumulates across all batches (input_tokens, output_tokens, and estimated_cost_usd are summed).

Changed — Code Quality

  • Extracted magic numbers into named constants.
    • scan.rs: the hardcoded batch size fallback 20 and token budget 60_000 are now DEFAULT_MAX_FILES_PER_BATCH and DEFAULT_BATCH_TOKEN_BUDGET.
  • Usage struct now accepts camelCase aliases.
    • Some providers (e.g. Azure OpenAI, certain third-party gateways) return promptTokens / completionTokens / totalTokens instead of snake_case. Both forms are now accepted via #[serde(alias = ...)].

Tests

  • Added 4 regression tests for token usage threading: parse_review_preserves_usage_when_provided, parse_review_returns_none_usage_when_not_provided, parse_scan_preserves_usage_when_provided, usage_to_token_usage_maps_fields_correctly.

📦 Platforms

Platform File
Linux (x86_64) cora-x86_64-unknown-linux-gnu-v0.6.2.tar.gz
Linux (ARM64) cora-aarch64-unknown-linux-gnu-v0.6.2.tar.gz
macOS (Apple Silicon) cora-aarch64-apple-darwin-v0.6.2.tar.gz
Windows (x86_64) cora-x86_64-pc-windows-msvc-v0.6.2.zip

🚀 Quick Start

# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh

# Or via cargo
cargo install cora

# Init project
cora init

# Review staged changes
CORA_API_KEY=your-key cora review --staged

Full changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md

Release v0.6.1

Choose a tag to compare

@github-actions github-actions released this 17 Jun 07:14
3d0dd65

What's New in v0.6.1

Fixed — Scan

  • cora scan no longer aborts on non-JSON LLM responses (#316)
    • Detect non-JSON responses early (provider error pages, rate-limit bodies, empty responses, prose wrappers) and surface the raw response prefix (first 512 bytes) in the error message so users can diagnose the cause.
    • Per-batch parse failures are now non-fatal by default: the failing batch is skipped with a warn-level log and a stderr warning listing the affected files, and the scan continues with the remaining batches. Set --no-continue-on-batch-error to restore the old abort behavior.
    • Added --batch-files <N> flag (default: 20) to control the maximum number of files per LLM batch — lower it to work around provider token limits or rate-limit errors on large scans.
    • Truncated-JSON and general parse errors now include the raw response prefix for easier debugging without --verbose.

Fixed — Review

  • cora review no longer exits 2 when severity filtering removes all blocking findings (#312)
    • Recompute should_block against the filtered issue list (after --severity filtering) so the exit code matches the SARIF/pretty output the user sees.
    • Extracted exit-code logic into compute_exit_code() helper (pure function) with 8 unit tests covering gate pass/fail, CI mode, and hook block vs non-block modes.
    • Applies to both the single-chunk and auto-chunked (--auto-chunk) review paths.

Fixed — Install (macOS)

  • macOS installer now strips Gatekeeper quarantine attributes (#313)
    • Prebuilt macOS binaries (aarch64-apple-darwin) are not Apple-notarized. When downloaded directly, macOS attaches com.apple.quarantine / com.apple.provenance xattrs and kills the binary with Killed: 9 on first launch.
    • install.sh now runs xattr -dr for both attributes on the installed binary on macOS (best-effort, non-fatal).
    • Added a prominent <details> block in the README install section explaining the symptom, the manual xattr workaround for users who download the binary directly, and the cargo / Homebrew alternatives.

Changed — Docs

  • Install section now warns about multiple distribution channels (#314)
    • Recommends a single install method per platform and lists the supported channels (installer script, cargo, pre-built binaries).
    • Adds a which -a cora && cora --version check snippet and guidance for removing stale copies when more than one cora is on PATH (e.g. ~/.local/bin vs ~/.cargo/bin vs npm global).
    • Cross-links the original issue for background.

📦 Platforms

Platform File
Linux (x86_64) cora-x86_64-unknown-linux-gnu-v0.6.1.tar.gz
Linux (ARM64) cora-aarch64-unknown-linux-gnu-v0.6.1.tar.gz
macOS (Apple Silicon) cora-aarch64-apple-darwin-v0.6.1.tar.gz
Windows (x86_64) cora-x86_64-pc-windows-msvc-v0.6.1.zip

🚀 Quick Start

# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh

# Or via cargo
cargo install cora

# Init project
cora init

# Review staged changes
CORA_API_KEY=your-key cora review --staged

Full changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md

Release v0.6.0

Choose a tag to compare

@ajianaz ajianaz released this 14 Jun 13:17

What's New in v0.6.0

Added — Code Intelligence

  • cora index — persistent SQLite symbol index with FTS5 (#264)

    • Regex-based definition extraction for 13 languages
    • Incremental reindex via SHA-256 file fingerprints
    • --stats, --prune, --rebuild, --watch flags
    • Database: .cora/index.db
  • cora explore — search the symbol index (#265)

    • FTS5 full-text search with bm25 ranking
    • Filter by --kind, --file, --language
    • JSON output mode
  • cora callers / cora impact — call graph analysis (#266)

    • Reverse call graph traversal (who calls this?)
    • Forward impact analysis (what breaks if changed?)
    • Depth-limited traversal
  • cora affected — test file selection (#267)

    • Find tests affected by source changes
    • Call graph + naming convention strategies
    • stdin support for git diff --name-only | cora affected --stdin
  • Language expansion — 6 → 13 languages (#268)

    • Ruby, PHP, Swift, Scala, Lua, Zig
  • cora index --watch — auto-sync file watcher (#269)

    • Poll-based incremental reindex (2s interval)
    • No extra dependencies

Added — MCP Server (14 tools)

  • Phase 1: Code Intelligence (#284) — 5 new MCP tools:
    cora.search_symbols, cora.find_callers, cora.find_impact, cora.find_affected_tests, cora.index_status

  • Phase 2: Review Pipeline (#285) — 2 new MCP tools:
    cora.review_diff, cora.get_debt

  • Phase 3: Context Enrichment (#286) — 2 new MCP tools:
    cora.get_project_info, cora.get_memory

Added — Cross-Product Bundle

  • Cora + Uteke bundle installer (#235)
    • install-bundle.sh — single command installs both tools
    • Cross-referencing documentation across all docs

Fixed

  • Uteke recall flag--format json--json (uteke v0.0.13+ API) (#259)
  • Uteke v0.1.0 empty results parser — handle both bare [] and wrapped {"results":[]}

📦 Platforms

Platform File
Linux (x86_64) cora-x86_64-unknown-linux-gnu-v0.6.0.tar.gz
Linux (ARM64) cora-aarch64-unknown-linux-gnu-v0.6.0.tar.gz
macOS (Apple Silicon) cora-aarch64-apple-darwin-v0.6.0.tar.gz
Windows (x86_64) cora-x86_64-pc-windows-msvc-v0.6.0.zip

🚀 Quick Start

# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh

# Or via cargo
cargo install cora

# Init project
cora init

# Review staged changes
CORA_API_KEY=your-key cora review --staged

Full changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md

Release v0.5.1

Choose a tag to compare

@ajianaz ajianaz released this 13 Jun 23:20
fe4fcb0

What's New in v0.5.1

Added

  • cora commit — review staged diff + generate commit message + commit (#262)
    • HITL mode (default): interactive [Y]es / [E]dit / [N]o prompt
    • YOLO mode (--yolo): auto-commit without prompts
    • --force: commit even if quality gate fails
    • --no-review: skip review, only generate commit message
    • --edit: always open $EDITOR
    • Conventional commit format (feat/fix/refactor/perf/docs/test/chore/style/build/ci)
    • Auto-truncates subjects to 72 chars
    • Quality gate integration (block on FAIL unless --force)
    • Debt snapshot saved after commit
    • chat_completion_raw() + chat_completion_stream_raw() in engine/llm.rs
    • 22 unit tests

Fixed

  • Uteke recall flag--format json--json (uteke v0.0.13+ API change) (#259)
  • Uteke recall JSON parser — handle both bare [] and wrapped {"results":[]} formats (uteke v0.1.0+)
  • Extracted parse_recall_json() with 6 unit tests for format compatibility

📦 Platforms

Platform File
Linux (x86_64) cora-x86_64-unknown-linux-gnu-v0.5.1.tar.gz
Linux (ARM64) cora-aarch64-unknown-linux-gnu-v0.5.1.tar.gz
macOS (Apple Silicon) cora-aarch64-apple-darwin-v0.5.1.tar.gz
Windows (x86_64) cora-x86_64-pc-windows-msvc-v0.5.1.zip

🚀 Quick Start

# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh

# Or via cargo
cargo install cora

# Init project
cora init

# Review staged changes
CORA_API_KEY=your-key cora review --staged

Full changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md

Release v0.5.0

Choose a tag to compare

@github-actions github-actions released this 11 Jun 03:00
53df008

What's New in v0.5.0

Added

  • Quality Gate — configurable threshold-based PASS/FAIL for CI enforcement (#205)
    • Global thresholds: max_critical, max_major, max_minor, max_security
    • Per-category overrides: block, warn, ignore actions
    • Terminal-formatted gate output with status table
    • Exit code 2 on gate failure
    • 12 unit tests covering all gate scenarios
  • Static Security Scanner — 11 regex patterns for common vulnerabilities (#234)
    • Weak crypto (MD5/SHA1 for passwords), hardcoded secrets, SQL injection, eval(), command injection
    • Hardcoded roles, debug mode, CORS wildcard, SSL verify disabled
    • Auto-skips test files; only scans added lines
    • Findings injected into LLM prompt as additional context
  • Language-Specific Analyzers — tailored review guidance for 6 languages (#233)
    • Dart/Flutter: widget lifecycle, state management, null safety
    • Svelte/TypeScript: reactivity, stores, SSR, type safety
    • Go: error handling, concurrency, goroutine leaks
    • Rust: ownership, lifetimes, unsafe, idioms
    • Python: type hints, async, security patterns
  • MCP Server — expose rules and config to AI coding agents (#207)
    • JSON-RPC 2.0 over stdio transport
    • 5 tools: list_rules, check_snippet, get_quality_gate, get_config, list_profiles
    • cora mcp subcommand
    • Brace-depth stdin parsing (handles pretty-printed JSON)
    • 17 unit tests
  • Auto-chunking — large diffs split into reviewable chunks automatically (#188)
    • --no-auto-chunk flag to disable
    • src/engine/chunker.rs module (~310 lines)
  • Tech debt metrics — cumulative review history and trend tracking (#206)
    • DebtSnapshot per-review JSON snapshots with quality score (0-10)
    • cora debt subcommand — terminal table, --json, --trend ASCII graph, --since, --branch filters
    • Auto-save after every review (best-effort, never fails review)
    • debt: config section in .cora.yaml (history_dir, retention_days)
    • 32 unit tests
  • Uteke memory integration — recall project patterns and learn from reviews (#232)
    • --memory flag — recall context from Uteke before review
    • --learn flag — recall + save findings after review
    • MemoryBackend with auto-detect, graceful degradation when Uteke not installed
    • 11 unit tests
  • Multi-platform CI docs — Gitea/Forgejo, GitLab CI, Bitbucket Pipelines workflow examples (#225)
  • GitHub Marketplace action — published as codecoradev/cora-review-action@v1
  • Improved review prompt — better consistency, lower false-negative rate, explicit error handling focus area
  • Comprehensive docs/examples.md — GitHub Actions section with setup guide, inputs reference, and provider table

Changed

  • CI action moved to GitHub Marketplace — workflow uses marketplace action instead of .github/actions/cora-review/
  • README links — all documentation links now point to codecora.dev instead of relative file paths
  • CI workflows — removed stale SvelteKit website/ jobs, replaced with VitePress docs/ build
  • merge_into() returns Result — fail-fast on invalid profile config instead of silently continuing
  • Language context reuses parsed diffbuild_language_context_from_chunks() eliminates redundant parse_diff() call
  • 13 stale issues closed — migration epics, website tasks, v0.4 leftovers
  • 15 stale branches deleted — cleanup after merge

Fixed

  • Profiles bugs — path resolution with project root, fail-fast on invalid config, dedup merge by id (#238)
  • Code Scanning alert #79 — eliminated redundant parse_diff() call in language context injection
  • Download hardening — 5x retry with exponential backoff, gzip validation, checksum verification for cora-cli binary download in CI (#221)
  • curl hardening--fail --show-error + set -e guard prevents silent HTML downloads
  • Checksum enforcement — hard fail on missing/invalid checksums (was warning-only)
  • Exact checksum matchawk exact filename lookup replaces grep substring match

Removed

  • SvelteKit website/ — 6,286 lines removed, replaced by VitePress docs/
  • Website Lint CI job — removed from required status checks
  • Internal composite action.github/actions/cora-review/ deleted, replaced by marketplace action
  • cora-review-simple — unused duplicate action deleted

📦 Platforms

Platform File
Linux (x86_64) cora-x86_64-unknown-linux-gnu-v0.5.0.tar.gz
Linux (ARM64) cora-aarch64-unknown-linux-gnu-v0.5.0.tar.gz
macOS (Apple Silicon) cora-aarch64-apple-darwin-v0.5.0.tar.gz
Windows (x86_64) cora-x86_64-pc-windows-msvc-v0.5.0.zip

🚀 Quick Start

# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh

# Or via cargo
cargo install cora

# Init project
cora init

# Review staged changes
CORA_API_KEY=your-key cora review --staged

Full changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md

Release v0.4.6

Choose a tag to compare

@ajianaz ajianaz released this 07 Jun 16:49
e659bdb

What's New in v0.4.6

Changed

  • README redesigned — 568 → 148 lines, professional layout with star badge, docs index table, links to docs/ for details (#162)
  • All docs updated for v0.4.5+ — changelog, getting-started, usage, roadmap, examples, installation

Added

  • Deterministic secrets pre-scan — 12 built-in patterns (AWS, GitHub, OpenAI, Anthropic, Groq, xAI, Slack, Stripe, Google, JWT, Private Key) run before AI review (#204)
    • Masked output: AKIA****CDEF (first 4 + last 4 chars shown)
    • Auto-skip test/spec/fixture/mock/example files
    • Secrets findings injected into LLM context for consistent summary
    • Fallback path blocks on critical findings even when LLM fails
  • Diff parser hardening — hunk line count validation, broader binary detection (GIT binary patch, singular form), graceful truncated diff handling (#195 Phase 1)
  • .agent.md release checklist — pre-release checklist to prevent docs drift between versions

Fixed

  • cora config show --global / --project documented in cli-reference.md (was missing)
  • cora auth login path corrected from config.toml to auth.toml in cli-reference.md
  • CI example in docs now includes CORA_BASE_URL and CORA_MODEL secrets

📦 Platforms

Platform File
Linux (x86_64) cora-x86_64-unknown-linux-gnu-v0.4.6.tar.gz
Linux (ARM64) cora-aarch64-unknown-linux-gnu-v0.4.6.tar.gz
macOS (Apple Silicon) cora-aarch64-apple-darwin-v0.4.6.tar.gz
Windows (x86_64) cora-x86_64-pc-windows-msvc-v0.4.6.zip

🚀 Quick Start

# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh

# Or via cargo
cargo install cora

# Init project
cora init

# Review staged changes
CORA_API_KEY=your-key cora review --staged

Full changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md

Release v0.4.5

Choose a tag to compare

@ajianaz ajianaz released this 07 Jun 14:02
06542e8

What's New in v0.4.5

Changed

  • Config architecture redesign — clear separation of concerns between config files (#209)
    • ~/.cora/auth.toml now stores only the API key (secret)
    • ~/.cora/config.yaml stores provider, model, base_url, and other settings (global)
    • .cora.yaml (project) overrides global config per-project
    • CORA_API_KEY env var reserved for CI use only
  • Provider info auto-migration — if auth.toml still contains provider/model/base_url, automatically moved to config.yaml on first run
  • Deterministic rulesrules/ added to default exclude paths, preventing rules from matching their own source definitions (#185)

Fixed

  • cora config show — now displays the effective resolved config with source annotations like [from: env CORA_PROVIDER] instead of raw file values (#189)
  • cora config show --global — new flag to show only ~/.cora/config.yaml contents
  • cora config show --project — new flag to show only .cora.yaml contents (mutually exclusive with --global)
  • cora review sends to wrong provider — provider info from auth.toml/config.yaml was ignored at runtime, always defaulting to OpenAI. Now correctly reads from merged config (#209)
  • save_provider_info data loss — parse failure on config.yaml no longer silently replaces the entire file with defaults (now returns error)
  • cora auth login interactive flow — now auto-detects provider env vars (e.g. pick ZAI → detects ZAI_API_KEY), suggests model and base URL defaults from presets (enter to accept) (#203)
  • cora auth login --provider zai — now auto-detects ZAI_API_KEY from environment, no need for --api-key flag (#184)
  • Env var override visibilitycora config show now annotates which values come from env vars vs config files (#182)
  • Truncated JSON repair tests — 12 new tests confirming repair_truncated_json() works correctly for all edge cases (#186)

Added

  • --global / --project flags on cora config show for scoped config inspection
  • Clap conflicts_with on --global/--projectcora config show --global --project now rejected at CLI level
  • Interactive model/base URL prompts — during cora auth login, shows preset defaults and allows override with enter-to-accept

📦 Platforms

Platform File
Linux (x86_64) cora-x86_64-unknown-linux-gnu-v0.4.5.tar.gz
Linux (ARM64) cora-aarch64-unknown-linux-gnu-v0.4.5.tar.gz
macOS (Apple Silicon) cora-aarch64-apple-darwin-v0.4.5.tar.gz
Windows (x86_64) cora-x86_64-pc-windows-msvc-v0.4.5.zip

🚀 Quick Start

# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh

# Or via cargo
cargo install cora

# Init project
cora init

# Review staged changes
CORA_API_KEY=your-key cora review --staged

Full changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md

Release v0.4.4

Choose a tag to compare

@github-actions github-actions released this 07 Jun 00:46
9274fdf

What's New in v0.4.4

Fixed

  • Spinner auto-hides in non-TTYindicatif progress spinners in llm.rs and scanner.rs now detect piped/redirected stderr and auto-hide, preventing ANSI pollution in captured output (#181)
  • Truncated JSON repair — LLM responses cut off by max_tokens are now auto-repaired by closing unclosed strings/brackets before parse, preserving partial findings instead of failing completely (#186)

Added

  • --output-file <PATH> flag — write formatted review output to a file instead of stdout, guaranteeing capture in CI/batch pipelines (#181)

📦 Platforms

Platform File
Linux (x86_64) cora-x86_64-unknown-linux-gnu-v0.4.4.tar.gz
Linux (ARM64) cora-aarch64-unknown-linux-gnu-v0.4.4.tar.gz
macOS (Apple Silicon) cora-aarch64-apple-darwin-v0.4.4.tar.gz
Windows (x86_64) cora-x86_64-pc-windows-msvc-v0.4.4.zip

🚀 Quick Start

# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh

# Or via cargo
cargo install cora

# Init project
cora init

# Review staged changes
CORA_API_KEY=your-key cora review --staged

Full changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md

Release v0.4.3

Choose a tag to compare

@github-actions github-actions released this 06 Jun 13:22
f507c9b

What's New in v0.4.3

Fixed

  • Provider shortcut now resolves preset defaults — bare provider: zai in .cora.yaml auto-fills base_url and model from the preset table (#183)
  • Env var override warningsCORA_PROVIDER, CORA_MODEL, CORA_BASE_URL now warn when they override config file settings (#182)
  • config show displays effective (resolved) config — shows actual runtime values with [from: env ...] annotations when env vars override config (#189)
  • Auth file permissions auto-fix~/.cora/auth.toml permissions auto-corrected to 600 instead of just warning (#187)
  • Deterministic rules exclude own source files — security rules no longer match against rules/ and tests/ directories, eliminating false positives (#185)

Added

  • Non-interactive cora auth login--provider, --api-key, --model, --base-url, --force flags for scriptable setup (#184)

📦 Platforms

Platform File
Linux (x86_64) cora-x86_64-unknown-linux-gnu-v0.4.3.tar.gz
Linux (ARM64) cora-aarch64-unknown-linux-gnu-v0.4.3.tar.gz
macOS (Apple Silicon) cora-aarch64-apple-darwin-v0.4.3.tar.gz
Windows (x86_64) cora-x86_64-pc-windows-msvc-v0.4.3.zip

🚀 Quick Start

# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh

# Or via cargo
cargo install cora

# Init project
cora init

# Review staged changes
CORA_API_KEY=your-key cora review --staged

Full changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md

Release v0.4.2

Choose a tag to compare

@github-actions github-actions released this 06 Jun 07:08
1c23300

What's New in v0.4.2

Fixed

  • Cora Review now works on fork PRs — changed trigger from pull_request to pull_request_target so GITHUB_TOKEN has write access for PR comments on external contributor PRs. Explicitly checks out PR head SHA for correct diff (#178 context)

Added

  • Top-level provider shortcuts in .cora.yamlmodel:, base_url:, and bare provider: string now accepted at top level without needing nested provider: section (#178, closes #176)

📦 Platforms

Platform File
Linux (x86_64) cora-x86_64-unknown-linux-gnu-v0.4.2.tar.gz
Linux (ARM64) cora-aarch64-unknown-linux-gnu-v0.4.2.tar.gz
macOS (Apple Silicon) cora-aarch64-apple-darwin-v0.4.2.tar.gz
Windows (x86_64) cora-x86_64-pc-windows-msvc-v0.4.2.zip

🚀 Quick Start

# Quick install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh

# Or via cargo
cargo install cora

# Init project
cora init

# Review staged changes
CORA_API_KEY=your-key cora review --staged

Full changelog: https://github.com/codecoradev/cora-cli/blob/main/CHANGELOG.md