0ec3db81e6
CR2 review findings on PR #13 (branch feat/management-cli-verbs):

1. [HIGH] PathEscape user-controlled path segments. platform.go built paths via fmt.Sprintf on raw caller IDs (GetWorkspace/DeleteWorkspace/RestartWorkspace/ListWorkspaceAgents/GetAgent/GetPeers/GetDelegations) and the agent-send / workspace-delegate runHTTP call sites concatenated raw IDs. An ID with '/', '?' or '#' could alter the endpoint or leak into the query. Wrapped every caller-supplied segment in url.PathEscape (management.go already did this). DeleteWorkspace's ?confirm=true is now injection-safe. Severity note: this runs under the user's own management creds, so it is primarily robustness/correctness rather than a privilege-escalation hole.

2. [MED] Config not bound to globals. viper read the config file but the flag-backed apiURL/outputFormat globals were never populated from it, so `molecule config set api_url` did not affect newClient()/cpURL(). Added applyConfigDefaults(): config file is adopted only when no env override and the global is still at its built-in default, so precedence stays flag > env > config file > default.

3. [MED] MintWorkspaceToken sent a nil body → JSON `null`. Now sends an empty object (struct{}{}) → `{}`, matching sibling tooling and avoiding rejection by a handler that decodes into a struct/map.

4. [MED] cpURL defaulted to apiURL (tenant host), so an unset MOLECULE_CP_URL would send the privileged CP-admin bearer to a tenant host. cpURL() no longer falls back to apiURL; cpAdminClient() now requires an explicit MOLECULE_CP_URL and fails fast otherwise. Updated org.go help text.

5. [LOW] config set now os.MkdirAll's the config dir before WriteConfig/SafeWriteConfig, which otherwise fail on a fresh machine where ~/.config doesn't exist yet.

Tests: added path-segment escaping coverage (platform + delete), MintWorkspaceToken body={}, applyConfigDefaults precedence, config-set mkdir, and CP-admin credential targeting; retargeted TestCPURLFallback → TestCPURLNoTenantFallback. go build/vet/test all green; gofmt clean on edited files.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
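
Added example, not part of the commit or the project's code: finding 1 shown with Go's net/url, comparing a raw fmt.Sprintf path with one whose ID is wrapped in url.PathEscape. The route string, the host tenant.example.test and the sample IDs are constructed placeholders, since the real platform.go paths are not shown on this page.

```go
package main

import (
	"fmt"
	"net/url"
)

// Hypothetical route; the real platform.go paths are not shown on this page.
const deleteRoute = "/workspaces/%s?confirm=true"

// rawPath is the "before" pattern: the caller-supplied ID is formatted in as-is.
func rawPath(id string) string { return fmt.Sprintf(deleteRoute, id) }

// safePath is the "after" pattern: the ID is confined to one path segment.
func safePath(id string) string { return fmt.Sprintf(deleteRoute, url.PathEscape(id)) }

// parts parses the request target with net/url and returns what ends up in
// the path, the query string and the fragment.
func parts(target string) (path, query, fragment string) {
	u, err := url.Parse("https://tenant.example.test" + target)
	if err != nil {
		return "", "", ""
	}
	return u.EscapedPath(), u.RawQuery, u.Fragment
}

func main() {
	// Constructed IDs covering the three characters the finding names.
	for _, id := range []string{"ws-1", "ws-1/agents", "ws-1?x=1", "ws-1#x"} {
		rp, rq, rf := parts(rawPath(id))
		sp, sq, sf := parts(safePath(id))
		fmt.Printf("id=%q\n  raw : path=%s query=%q frag=%q\n  safe: path=%s query=%q frag=%q\n",
			id, rp, rq, rf, sp, sq, sf)
	}
}
```

With the raw form, '#' moves ?confirm=true into the fragment, which is never sent to the server, and '?' cuts the path short; with the escaped form the query is confirm=true for every ID.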