
fix(cve): use base64 -w 0 to prevent newline-broken auth headers #106

Open
angaduom wants to merge 0 commits into ambient-code:main from angaduom:fix/base64-newline-curl-error

Conversation

@angaduom (Contributor)

base64 wraps output at 76 characters by default, which injects newlines into the Authorization header when credentials are long enough. This causes curl error 43 ("bad argument") and HTTP 000 responses.

@coderabbitai (Contributor)

coderabbitai bot commented Apr 10, 2026

Caution

Review failed

Failed to post review comments

Walkthrough

Adds a new interactive /onboard command; reworks Jira access checks to prefer an MCP-based workflow with a curl fallback; tightens cve.fix flow (mandatory step ordering, --automerge, fork/sync robustness, post-fix verification blocking PRs); updates startupPrompt and README guidance.

Changes

Cohort / File(s) Summary
Onboard command
workflows/cve-fixer/.claude/commands/onboard.md
Adds a new interactive onboarding flow: collect Jira component and repos, validate Jira via MCP then curl fallback, auto-discover GitHub branches, update component-repository-mappings.json, create branch/PR with robust fork/sync logic.
CVE find — Jira MCP preference
workflows/cve-fixer/.claude/commands/cve.find.md
Reworks Jira verification to prefer MCP tool calls (mcp__session__refresh_credentials + select:mcp__mcp-atlassian__jira_search) and fall back to curl; adjusts curl auth diagnostics and Basic Auth base64 handling.
CVE fix — workflow and gating
workflows/cve-fixer/.claude/commands/cve.fix.md
Adds mandatory ordered execution, --automerge flag, improved fork/remote sync resilience, expanded open-PR detection strategy, adds mandatory post-fix verification (govulncheck/tool scans) that blocks PR creation and produces a “Fix Failed Report” artifact. Also updates Jira curl base64 auth handling.
Ambient startup prompt
workflows/cve-fixer/.ambient/ambient.json
Updates startupPrompt to advertise /onboard, /cve.find, /cve.fix and to recommend /onboard for first-time/component onboarding.
Docs update
workflows/cve-fixer/README.md
Replaces manual onboarding instructions with the new interactive /onboard workflow and documents the automated PR-based mapping update process.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant OnboardCmd as /onboard
    participant MCP as MCP Tool
    participant Jira
    participant GH as GitHub (gh)
    participant Repo as ambient-code/workflows

    User->>OnboardCmd: start onboarding
    OnboardCmd->>MCP: refresh credentials / jira_search (optional)
    alt MCP available
        MCP->>OnboardCmd: jira component validation result
    else MCP not available
        OnboardCmd->>Jira: curl JQL /rest/api/3/myself (with Basic Auth fallback)
        Jira-->>OnboardCmd: validation result
    end
    OnboardCmd->>User: collect repos, confirm branches
    OnboardCmd->>GH: check push access / fork (gh repo fork || true)
    GH-->>OnboardCmd: fork/remote/sync status
    OnboardCmd->>Repo: create branch, update mappings file
    OnboardCmd->>GH: push branch, create PR (gh pr create)
    GH-->>User: PR created (await merge)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks: 3 passed

Title check: Passed. The title directly addresses the main technical fix in the changeset: preventing base64-induced newline characters from breaking auth headers via base64 -w 0 (or the tr -d '\n' equivalent).

Description check: Passed. The description explains the root cause (base64 wrapping at 76 chars), the problem it creates (broken Authorization headers, curl error 43, HTTP 000), and the intent of the fix, all of which are reflected in the changeset.

Docstring coverage: Passed. No functions found in the changed files to evaluate docstring coverage; skipping the docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@workflows/cve-fixer/.claude/commands/cve.find.md`:
- Line 61: The AUTH generation uses GNU-specific base64 option `-w 0` which
breaks on macOS/BSD; replace that invocation so it works cross-platform by
removing `-w 0` and stripping the trailing newline instead (e.g., change the
line that sets AUTH to use `echo -n "${JIRA_EMAIL}:${JIRA_API_TOKEN}" | base64 |
tr -d '\n'` or use `printf "%s" "${JIRA_EMAIL}:${JIRA_API_TOKEN}" | base64`) so
the Authorization value remains a single-line base64 string.

In `@workflows/cve-fixer/.claude/commands/cve.fix.md`:
- Line 530: The line that sets the AUTH variable using base64 ("AUTH=$(echo -n
\"${JIRA_EMAIL}:${JIRA_API_TOKEN}\" | base64 -w 0)") uses the GNU-only -w flag
which breaks on macOS/BSD; replace the pipeline so it omits the -w option and
strips newlines portably (for example: remove "-w 0" from the base64 call and
pipe the output through tr -d '\n') so the AUTH assignment remains
cross-platform and still yields a single-line base64 token.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4ea0d50d-e678-4617-aea4-418b5dafd31f

📥 Commits

Reviewing files that changed from the base of the PR and between 2239b41 and bd1021e.

📒 Files selected for processing (2)
  • workflows/cve-fixer/.claude/commands/cve.find.md
  • workflows/cve-fixer/.claude/commands/cve.fix.md
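The following shell script is an added example, not code from the ambient-code/workflows project or from any participant in this thread. It demonstrates the failure described in the PR description (GNU base64 wrapping the encoded "email:token" at 76 columns, so the value spliced into the Authorization header spans several lines) and the portable fix CodeRabbit asks for (no GNU-only `-w 0`, no BSD-only `-b 0`; strip line breaks after encoding). The function names, the `header_is_single_line` guard and the demo email and token are assumptions of this example; the credentials are constructed placeholders, not real values.

```shell
#!/bin/sh
# Added example, not code from the ambient-code/workflows project.
# Builds the Basic-auth value for a Jira curl fallback so that it is a
# single line on both GNU coreutils base64 (wraps at 76 columns; -w 0
# disables it) and BSD/macOS base64 (no wrap by default; -b 0 is its
# flag).  Neither flag is accepted by the other implementation, so the
# portable route is to strip line breaks after encoding.

# Constructed demo credentials (placeholders, not real values).  The token
# is long enough that GNU base64 wraps the encoded "email:token" string:
# 146 input bytes become 196 base64 characters, i.e. three wrapped lines.
DEMO_EMAIL='svc-cve-fixer@example.com'
DEMO_TOKEN='ATATT3xFfGF0ATATT3xFfGF0ATATT3xFfGF0ATATT3xFfGF0ATATT3xFfGF0ATATT3xFfGF0ATATT3xFfGF0ATATT3xFfGF0ATATT3xFfGF0ATATT3xFfGF0'
DEMO_CREDS="${DEMO_EMAIL}:${DEMO_TOKEN}"

# Portable encoder: printf instead of "echo -n" (echo's -n is not
# guaranteed by POSIX), plain base64 with no implementation-specific flags,
# then tr -d '\n' removes both the 76-column wraps and the trailing newline.
basic_auth_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# How many lines base64 itself emits for this input: 3 on GNU coreutils
# for the demo credentials, 1 on BSD/macOS.  Anything above 1 means a raw
# "$(... | base64)" would splice newlines into the Authorization header,
# which is exactly what produced curl error 43 / HTTP 000 in the PR.
base64_line_count() {
    printf '%s' "$1" | base64 | wc -l | tr -d ' '
}

# An HTTP header value must contain no CR or LF; count those bytes.
header_is_single_line() {
    [ "$(printf '%s' "$1" | tr -cd '\r\n' | wc -c | tr -d ' ')" -eq 0 ]
}

# Round-trip check: the stripped value must still decode to the original.
decode_auth_value() {
    printf '%s' "$1" | base64 -d
}

# Build the header line and refuse to hand it to curl if it is not a
# single line, so a regression shows up as a clear error, not HTTP 000.
jira_auth_header() {
    value=$(basic_auth_value "$1")
    if ! header_is_single_line "$value"; then
        echo "refusing to send a multi-line Authorization header" >&2
        return 1
    fi
    printf 'Authorization: Basic %s' "$value"
}

# Stand-alone demo output (the header would be passed to curl as
# -H "$(jira_auth_header "$JIRA_EMAIL:$JIRA_API_TOKEN")").
echo "raw base64 lines for demo creds: $(base64_line_count "$DEMO_CREDS")"
echo "$(jira_auth_header "$DEMO_CREDS")"
```

Run it on a GNU system and `base64_line_count` reports 3, on macOS 1; `basic_auth_value` yields the same 196-character single line on both, which is why `base64 | tr -d '\n'` is the form that survives cross-platform review while `-w 0` and `-b 0` each fail on the other platform's base64.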

vmrh21 added a commit to angaduom/workflows that referenced this pull request Apr 10, 2026
Keep both the base64 | tr -d newline fix (from ambient-code#106) and the
diagnostic echo lines (from ambient-code#104) — they are complementary.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@vmrh21 (Contributor)

vmrh21 commented Apr 10, 2026

This PR's change () was already included in PR #104 (commit af906eb) which has been merged into main. Closing as superseded.

@vmrh21 vmrh21 force-pushed the fix/base64-newline-curl-error branch from fde6297 to d2ab1c9 on April 10, 2026 at 19:57
@vmrh21 (Contributor)

vmrh21 commented Apr 10, 2026

This PR's change (base64 | tr -d newline) was already included in PR #104 commit af906eb which merged into main. Closing as superseded.


2 participants