feat: add GoReleaser, install script, and distribution channels (#122)

* feat: add GoReleaser, install script, and distribution channels

Replace manual cross-compilation and release workflow with GoReleaser
for consistent artifact naming, checksums, and automatic publishing to
Homebrew tap and Scoop bucket. Add a curl|sh install script for easy
Linux/macOS installation. Rewrite README installation section with
platform-specific one-liners and fix badge links.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: remove Homebrew tap, Scoop bucket, and extra token config

Keep everything self-contained in this repo — no separate tap/bucket
repos or additional token secrets needed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: restore original release trigger and versioning flow

Keep push-to-main trigger and PR-label-based semver calculation via
release-version action. GoReleaser runs after the version is calculated
and the tag is created.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add output formatting, MCP tools, tests, and security fixes (#123)

* feat: add output formatting, enhanced MCP tools, unit tests, and security fixes

- Add output formatting package (json/yaml/table) with --output flag support
- Update code generator to use output.Print() for all 326 generated commands
- Add composite MCP tools: get_security_posture_summary, get_findings_for_repo
- Add triage tools for SCA, secrets, and DAST findings
- Add --repo flag to MCP serve with git remote auto-detection
- Add unit tests for auth, MCP server helpers, output formatters, API client
- Fix: config file permissions changed from 0644 to 0600
- Fix: add HTTP status code check in device token polling
- Fix: show manual URL message when browser can't be opened
- Fix: remove token value from debug log output

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: replace device flow with localhost callback auth (#124)

* feat: replace device code polling with localhost callback auth

Rewrite login flow: CLI starts a localhost HTTP server, opens browser
to Cognito, receives callback with session ID, fetches tokens from
backend. No more code confirmation or polling delay.

- Replace DeviceFlowLogin() with Login() using localhost callback
- Use http.NewRequestWithContext for proper context propagation
- Add tracer spans to all auth functions
- Simplify get_token.go to delegate to auth.GetValidToken()

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: harden login with CSRF check, duplicate guard, and ctx cancellation

- Verify received session_id matches expected one (CSRF protection)
- Use sync.Once to guard against duplicate callback invocations
- Add ctx.Done() case to select for proper Ctrl+C cancellation
- Improve success HTML with checkmark SVG
- Create session before starting server to have expected session ID

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix duplicate callback handling: serve success page on repeated requests

Previously, a second callback to the CLI localhost server after sync.Once
would return an empty response. Now it returns the success HTML page.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add signal handling for graceful Ctrl+C during login

Wrap login context with signal.NotifyContext so Ctrl+C triggers the
ctx.Done() select case, printing "authentication cancelled" cleanly
instead of an abrupt process termination.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix go.mod: run go mod tidy to sync dependencies

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Migrate CLI from go-arg to cobra and clean up struct tags

- Replace go-arg-based main.go with cobra command structure
- Remove go-arg struct tags from DAST and auth models
- Add HTTP client timeout to NullifyClient
- Add generate-api Makefile target

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix Makefile build target for cobra package structure

Change ./cmd/cli/... to ./cmd/cli since the cobra cmd subpackage
is not a separate binary target.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix lint errors: errcheck and gofmt issues

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address security review findings

- Fail install if no checksum tool available instead of silently bypassing
- Create config dir with 0700 permissions, config file with 0600
- Sanitize host value before JSON interpolation
- URL-encode refresh token in query parameter

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: tim-thacker-nullify

.github/workflows/release.yml

@@ -1,12 +1,6 @@
 name: Release
 on:
   workflow_dispatch:
-    inputs:
-      releaseType:
-        description: Create a draft release
-        required: true
-        type: boolean
-        default: false
   push:
     branches:
       - main
@@ -32,45 +26,28 @@ jobs:
       - run: |
           echo "**Version:** ${{ steps.get-version.outputs.version }}" >> $GITHUB_STEP_SUMMARY
           echo "**Short SHA:** $(git rev-parse --short HEAD)" >> $GITHUB_STEP_SUMMARY
-  build:
-    if: ${{ needs.get-version.outputs.version != 'undefined' || (github.event_name == 'workflow_dispatch' && needs.get-version.outputs.version != 'undefined') }}
-    name: Build
-    needs: [ get-version ]
+  goreleaser:
+    if: ${{ needs.get-version.outputs.version != 'undefined' }}
+    name: GoReleaser
+    needs: [get-version]
     runs-on: blacksmith-4vcpu-ubuntu-2404
     steps:
       - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
-      - name: Set Release Variables
-        run: echo "VERSION=${{ needs.get-version.outputs.version }}" >> $GITHUB_ENV
-      - name: Build CLI
-        run: make package
-      - name: Upload Binaries
-        uses: actions/upload-artifact@v6
-        with:
-          name: binaries
-          retention-days: 2
-          path: bin/*
-  release:
-    if: ${{ needs.get-version.outputs.version != 'undefined' || (github.event_name == 'workflow_dispatch' && needs.get-version.outputs.version != 'undefined') }}
-    name: Release
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    needs: [ get-version, build ]
-    steps:
-      - name: Download Binaries
-        uses: actions/download-artifact@v7
-        with:
-          path: ${{ github.workspace }}
-      - name: Generate Release
-        uses: softprops/action-gh-release@v2
+      - name: Create and push tag
         env:
           VERSION: ${{ needs.get-version.outputs.version }}
+        run: |
+          git tag "v${VERSION}"
+          git push origin "v${VERSION}"
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
         with:
-          draft: false
-          generate_release_notes: true
-          append_body: true
-          tag_name: v${{ env.VERSION }}
-          token: ${{ github.token }}
-          files: |
-            ${{ github.workspace }}/binaries/*
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ github.token }}

.goreleaser.yaml

@@ -0,0 +1,48 @@
+version: 2
+
+project_name: nullify
+
+before:
+  hooks:
+    - go mod tidy
+
+builds:
+  - main: ./cmd/cli
+    binary: nullify
+    env:
+      - CGO_ENABLED=0
+    ldflags:
+      - -X 'github.com/nullify-platform/logger/pkg/logger.Version={{ .Version }}'
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    ignore:
+      - goos: windows
+        goarch: arm64
+
+archives:
+  - format: tar.gz
+    name_template: "nullify_{{ .Os }}_{{ .Arch }}"
+    format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - LICENSE*
+      - README*
+
+checksum:
+  name_template: "checksums.txt"
+
+changelog:
+  use: github-native
+
+release:
+  github:
+    owner: Nullify-Platform
+    name: cli
+  draft: false
+  prerelease: auto

Makefile

@@ -1,4 +1,4 @@
-.PHONY: build clean deploy
+.PHONY: build clean
 
 # set the version as the latest commit sha if it's not already defined
 ifndef VERSION
@@ -16,19 +16,7 @@ GOFLAGS := -ldflags "-X 'github.com/nullify-platform/logger/pkg/logger.Version=$
 all: build
 
 build:
-	$(GOENV) go build $(GOFLAGS) -o bin/cli ./cmd/cli/...
-
-package:
-	# linux
-	$(GOENV) GOOS=linux   GOARCH=amd64 go build $(GOFLAGS) -o bin/nullify_linux_amd64_$(VERSION) ./cmd/cli/...
-	$(GOENV) GOOS=linux   GOARCH=arm64 go build $(GOFLAGS) -o bin/nullify_linux_arm64_$(VERSION) ./cmd/cli/...
-	$(GOENV) GOOS=linux   GOARCH=386   go build $(GOFLAGS) -o bin/nullify_linux_386_$(VERSION)   ./cmd/cli/...
-	# mac
-	$(GOENV) GOOS=darwin  GOARCH=amd64 go build $(GOFLAGS) -o bin/nullify_macos_amd64_$(VERSION) ./cmd/cli/...
-	$(GOENV) GOOS=darwin  GOARCH=arm64 go build $(GOFLAGS) -o bin/nullify_macos_arm64_$(VERSION) ./cmd/cli/...
-	# windows
-	$(GOENV) GOOS=windows GOARCH=amd64 go build $(GOFLAGS) -o bin/nullify_windows_amd64_$(VERSION).exe ./cmd/cli/...
-	$(GOENV) GOOS=windows GOARCH=386   go build $(GOFLAGS) -o bin/nullify_windows_386_$(VERSION).exe   ./cmd/cli/...
+	$(GOENV) go build $(GOFLAGS) -o bin/cli ./cmd/cli
 
 clean:
 	rm -rf ./bin ./vendor Gopkg.lock coverage.*
@@ -46,6 +34,9 @@ lint-docker:
 	docker build --quiet --target hadolint -t hadolint:latest .
 	docker run --rm -v $(shell pwd):/app -w /app hadolint hadolint Dockerfile demo_server/Dockerfile
 
+generate-api:
+	go run ./scripts/generate/main.go --spec ../public-docs/specs/merged-openapi.yml --output internal/api --cmd-output internal/commands
+
 unit:
 	go test -v -skip TestIntegration ./...
 

README.md

@@ -8,8 +8,8 @@
   <a href="https://github.com/Nullify-Platform/cli/releases">
     <img src="https://img.shields.io/github/v/release/Nullify-Platform/cli" alt="GitHub release" />
   </a>
-  <a href="https://github.com/Nullify-Platform/Kuat-Shipyards/actions/workflows/release.yml">
-    <img src="https://github.com/Nullify-Platform/Kuat-Shipyards/actions/workflows/release.yml/badge.svg" alt="Release Status" />
+  <a href="https://github.com/Nullify-Platform/cli/actions/workflows/release.yml">
+    <img src="https://github.com/Nullify-Platform/cli/actions/workflows/release.yml/badge.svg" alt="Release Status" />
   </a>
   <a href="https://docs.nullify.ai/features/api-scanning/cli/">
     <img src="https://img.shields.io/badge/docs-docs.nullify.ai-purple" alt="Documentation" />
@@ -29,9 +29,40 @@
 
 [Nullify](https://nullify.ai) CLI dynamically tests and fuzzes your endpoints for security vulnerabilities.
 
-## Getting Started
- * Download the [latest release](https://github.com/Nullify-Platform/cli/releases) or build from source
- * See our [quickstart guide](https://docs.nullify.ai/features/api-testing) for more info
+## Installation
+
+### macOS / Linux
+
+```sh
+curl -sSfL https://raw.githubusercontent.com/Nullify-Platform/cli/main/install.sh | sh
+```
+
+### Windows
+
+Download the latest `.zip` archive for your platform from the [GitHub Releases](https://github.com/Nullify-Platform/cli/releases) page and add the binary to your `PATH`.
+
+### GitHub Actions
+
+Download the latest release in your workflow:
+
+```yaml
+- name: Install Nullify CLI
+  run: curl -sSfL https://raw.githubusercontent.com/Nullify-Platform/cli/main/install.sh | sh
+```
+
+### Manual Download
+
+Download the latest binary for your platform from the [GitHub Releases](https://github.com/Nullify-Platform/cli/releases) page.
+
+### Verify Installation
+
+```sh
+nullify --version
+```
+
+### Getting Started
+
+See our [quickstart guide](https://docs.nullify.ai/features/api-testing) for more info.
 
 ## Usage