feat: add self-update command and unify versioning to v9.1.0

[AnkanSaha]

Summary

This PR introduces a self-update mechanism for the BanglaCode CLI and bumps the version from 9.0.1 to 9.1.0. It also adds checksum verification to the installation scripts for improved security.

Changes

• CLI: Added banglacode update command to trigger the update process.
• Updater: New update package in Go that detects the OS and executes the corresponding shell script (install.sh or install.ps1).
• Security: Added SHA-256 checksum verification in both Bash and PowerShell installation scripts.
• Versioning: Updated version strings across package.json, main.go, repl.go, and VERSION file.

Verification

• Run banglacode update on Windows/Linux/macOS.
• Verify that the checksum check fails if the downloaded file is tampered with.
• Verify banglacode --version shows 9.1.0.

[github-actions]

🤖 Review Buddy - General Code Review

👥 Attention: @AnkanSaha @Copilot

Oho, @AnkanSaha! Kya baat hai! 9.0.1 se 9.1.0 pe jump maar di? Version number badhane se code quality nahi badhti bhai. Ye 'self-update' feature dekh ke toh lag raha hai ki tumne bas 'curl | bash' ko Go code mein lapet ke bech diya hai.

Bhai, version strings ko har file mein manually change kar rahe ho? Documentation, Extension, VERSION file, main.go, repl.go... Arre bhai, DRY (Don't Repeat Yourself) ka naam suna hai ya tum bas copy-paste engineering mein PhD kar rahe ho?

Checksum verification add toh kiya hai, chalo thoda dimaag toh lagaya, par shell scripts mein itna hardcoded logic? Aur Go code mein command line parsing ke naam pe ye kya mazaak hai?

Code Quality Score: 3/10 (Sirf isliye kyunki checksum check kiya, warna toh 1 milta).

---

Generated by Review Buddy | Tone: roast | Language: hinglish

[github-actions]

⚡ Review Buddy - Performance Analysis

👥 Attention: @AnkanSaha @Copilot

Bhai, performance ki toh tumne 'Dhoom 3' bana di hai—sirf dikhava, logic zero!

1. Process Spawning Overload:
   Tumhara Updater.go kya kar raha hai? exec.Command chala raha hai system shell (bash/powershell) kholne ke liye. Bhai, ek simple binary update ke liye tum poora ek naya shell environment spawn kar rahe ho? Ye toh wahi baat ho gayi ki macchar marne ke liye tum top (cannon) chala rahe ho.
   Recommendation: Go ke native http aur os packages use karo binary download aur replace karne ke liye. Shell dependencies hatao!

2. Network Blocking (The 'Wait' Game):
   curl aur irm command line se chal rahe hain bina kisi timeout control ke. Agar user ka internet Slow-Motion mein chal raha hai, toh tumhara program hang ho jayega. Go context handles timeouts beautifully, par nahi, hume toh 'shell' ka sahara lena hai.

3. Memory Management in Scripts:
   install.ps1 mein tum $checksumContent = Get-Content $CHECKSUM_FILE kar rahe ho. Agar kal ko checksum file badi ho gayi (mana ki nahi hogi, par engineering mindset toh rakho), toh tum poori file memory mein load kar rahe ho.

4. Linear Search in Arguments:
   CheckUpdateCommand mein loop chala rahe ho? os.Args[1:] pe? Bhai, agar 2 hi arguments expected hain, toh slice indexing use karo na. Loop karke O(n) kyun kar rahe ho jab O(1) possible hai?

5. Inefficient Versioning:
   Har baar version update karne ke liye tumne 5 files change ki hain. CI/CD mein ye bottleneck hai. Ek single source of truth rakho.

6. Shell Pipe Performance:
   curl -fsSL ... | bash is slow because it starts the bash interpreter before the download even finishes in some stream scenarios.

7. Redundant String Operations:
   strings.ToLower(arg) == target in a loop. Bhai, agar target 'update' hai, toh har iteration mein lowering ki kya zaroorat hai? Pehle hi sanitize kar lo.

8. Garbage Collection (Not your concern, right?):
   Jitne tum external processes spawn kar rahe ho, utna system overhead badh raha hai. Cleanup logic is minimal.

9. PowerShell Pipeline Slowness:
   Select-String aur Select-Object PowerShell mein kaafi 'heavy' objects create karte hain. Simple regex use karte toh fast hota.

10. Binary Bloat:
    Har version update pe tum print statements badhate ja rahe ho. Console output bhi performance hit deta hai jab verbose ho.

Summary: Tumhara code performance ke maamle mein 'Race 3' hai. Dekhne mein fast lagta hai, par actually bohot slow aur bloated hai.

---

Generated by Review Buddy | Tone: roast | Language: hinglish

[github-actions]

🔐 Review Buddy - Security Audit

👥 Attention: @AnkanSaha @Copilot

Arre bhai bhai bhai! Security ke naam pe toh tumne darwaze khulle chhod diye hain aur bahar 'Chori Mana Hai' ka board laga diya hai.

1. RCE (Remote Code Execution) via Pipe to Bash:
   Severity: Critical
   Location: src/Update/Updater.go and installation scripts.
   Scenario: Tum curl ... | bash use kar rahe ho. Agar koi tumhare DNS ya GitHub ko hijack kar le, toh wo user ke system pe 'rm -rf /' chala sakta hai.
   Remediation: Never pipe remote scripts to a shell. Download the binary, verify the signature (not just checksum), and then execute.

2. Checksum over Insecure Channel?
   Severity: Medium
   Location: Scripts/install.sh, Scripts/install.ps1
   Scenario: Tum HTTPS use kar rahe ho, but checksum file usi server se aa rahi hai jahan se binary. Agar attacker binary badal sakta hai, toh wo checksums.txt bhi badal dega.
   Remediation: Use GPG signatures or a separate trusted keyserver.

3. Hardcoded URLs:
   Severity: Low
   Location: src/Update/Updater.go
   Scenario: Attacker can potentially use a man-in-the-middle if SSL is bypassed.
   Remediation: Ensure certificate pinning or at least use environment variables for URLs to allow testing/overriding.

4. Shell Injection Risk:
   Severity: Medium
   Location: exec.Command(cmd.shell, cmd.shellArg, cmd.script)
   Scenario: Although current input is hardcoded, if any part of cmd.script ever becomes dynamic based on user input, you're dead.

5. OWASP A05:2021 (Security Misconfiguration):
   Running scripts from the internet directly with higher privileges is a classic misconfiguration. You are encouraging users to do iex on PowerShell, which is essentially 'Invite Evil X'.

---

Generated by Review Buddy | Tone: roast | Language: hinglish

[github-actions]

📊 Review Buddy - Code Quality & Maintainability Analysis

👥 Attention: @AnkanSaha @Copilot

🎯 Overall Benchmark: 40/100 (Poor)

Quality? Bhai, quality toh 'Gunda' movie ki script jaisi hai—legendary for all the wrong reasons.

1. DRY Principle ki Maut:

   • package.json (Documentation) - v9.1.0
   • package.json (Extension) - v9.1.0
   • VERSION - v9.1.0
   • main.go - v9.1.0
   • repl.go - v9.1.0
     Bhai, kya ek file se version read nahi ho sakta? Har jagah manually update karoge toh kisi din bhool jaoge aur user confuse ho jayega.

2. Single Responsibility Principle (SRP) Violation:
   main.go ab update logic bhi handle kar raha hai, help bhi, version bhi. God Object ban raha hai ye.

3. Error Handling (The 'Exit 1' Disaster):
   os.Exit(1) har jagah? Bhai, Go mein errors return kiye jaate hain. Program ko abrupt band karna bad practice hai. Wrapper functions banao!

4. Naming Conventions:
   Package ka naam Update (Capital U)? Go conventions ke hisaab se package names lowercase hone chahiye (update). Updater.go mein function Updater()? Thoda descriptive naam rakho like RunSelfUpdate().

5. Hardcoding Everywhere:
   OS names like "linux", "darwin", "windows" hardcoded hain map mein. Environment variables ya constants use karo.

6. Magic Strings in CLI:
   if len(os.Args) == 2 && update.CheckUpdateCommand(os.Args[1:], "update") - Ye logic thoda fragile hai. Agar user banglacode file.bang update likh de toh kya hoga?

7. No Testing:
   Ek bhi unit test nahi dikh raha is PR mein. CheckUpdateCommand ka test toh likh dete kam se kam!

8. UI/UX Consistency:
   printHelp() aur printVersion() mein ANSI escape codes (colors) hardcoded hain. Ek simple color library use kar lete toh code clean rehta.

9. Code Smell: Feature Envy:
   Updater() function poora system command control kar raha hai. Isko modularize karo—detect OS, build command, execute command.

10. Documentation:
    SYNTAX.md ka link toh diya hai help mein, par update command kaise kaam karta hai wo kahin documented nahi hai binary ke bahar.

Refactoring suggestion: Ek version package banao jahan version define ho aur baaki saari files wahan se import karein (or use build flags -ldflags "-X ...").

---

Generated by Review Buddy | Tone: roast | Language: hinglish

[github-actions]

💡 Review Buddy - Best Practices & Alternative Suggestions

👥 Attention: @AnkanSaha @Copilot

Bhai, ye lo thoda 'Gyaan' (Improvement tips):

1. Versioning - Don't Hardcode

Current:

fmt.Println("║               BanglaCode v9.1.0                        ║")

Better:

// main.go
var Version = "9.1.0" 
fmt.Printf("║               BanglaCode v%s                        ║\n", Version)

Why: Ek hi jagah change karna padega.

2. Argument Parsing

Current:

if len(os.Args) == 2 && update.CheckUpdateCommand(os.Args[1:], "update")

Better:

if len(os.Args) > 1 && os.Args[1] == "update" {
    update.Updater()
    return
}

Why: Clarity! Loop chalane ki zaroorat hi nahi hai agar command fix hai.

3. Error Printing

Current:

fmt.Fprintf(os.Stderr, "\n\033[31mError: Update failed: %v\033[0m\n", err)

Better:
Use a logging utility or a helper function like logError(err). Hardcoding ANSI codes in every Fprintf makes it hard to maintain.

4. PowerShell Cleanup

Current:

Remove-Item $TMP_FILE, $CHECKSUM_FILE -Force -ErrorAction SilentlyContinue

Better:
Use a finally block or ensure cleanup happens even if the script fails midway using an error handler.

---

Generated by Review Buddy | Tone: roast | Language: hinglish

[github-actions]

⚠️ Review Buddy - Final Recommendation

👥 Attention: @AnkanSaha @Copilot

Recommendation: REQUEST CHANGES

Changes chahiye, bhai! Abhi approve nahi kar sakte.

Reasoning:

• Version numbers are hardcoded in 5 different files. This is a maintenance nightmare.
• The self-update logic relies on piping remote scripts to a shell, which is a major security risk.
• Go package naming conventions are violated (capital letter in package name).
• Lack of unit tests for the new update logic.
• The CheckUpdateCommand function is inefficient and uses unnecessary loops.

---

📋 Review Checklist for Reviewers:

• Code changes align with the PR description
• No security vulnerabilities introduced
• Performance considerations addressed
• Code follows project conventions
• Tests are adequate (if applicable)
• Documentation updated (if needed)

🎯 Next Steps:

⚠️ Pehle suggestions address karo, phir approve karna.

Generated by Review Buddy | Tone: roast | Language: hinglish

[Copilot]

Pull request overview

This PR adds an auto-update command to the BanglaCode CLI and increments the version from 9.0.1 to 9.1.0 across all project modules. The implementation uses a controversial curl | bash pattern to execute remote installation scripts, which poses significant security risks as acknowledged in the PR description. Positively, the install scripts themselves (install.sh and install.ps1) have been enhanced with SHA256 checksum verification to validate downloaded binaries, partially mitigating supply chain risks.

Changes:

• Added new Update package with OS-specific update commands that pipe remote scripts to shell interpreters
• Bumped version to 9.1.0 in VERSION file, both package.json files, repl.go, and main.go
• Enhanced install scripts with SHA256 checksum verification for downloaded binaries

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
src/Update/Updater.go	New package implementing auto-update via remote script execution (curl|bash pattern)
main.go	Integrated update command handling, updated version strings to 9.1.0, added help text for update command
src/repl/repl.go	Bumped Version constant to 9.1.0
VERSION	Updated version to 9.1.0
Extension/package.json	Updated version to 9.1.0 for VS Code extension
Documentation/package.json	Updated version to 9.1.0 for documentation site
Scripts/install.sh	Added SHA256 checksum download and verification before binary installation
Scripts/install.ps1	Added SHA256 checksum download and verification before binary installation

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The function comment says "Update checks if the update command was passed" but the function doesn't check for command arguments - it directly executes the update. The comment should describe what the function actually does: executing the update process for the detected OS. Consider renaming this function to "Execute" or "Run" to better reflect its behavior, or update the comment to match the actual implementation.

[Copilot]

This function accepts a generic "target" parameter but it's only ever called with the hardcoded value "update". This adds unnecessary complexity. Consider simplifying the function signature to not take a target parameter, or document why this flexibility is needed if there are plans to support other commands in the future.

[Copilot]

The CheckUpdateCommand function is exported (starts with capital letter) but only used within main.go. Based on Go conventions and examining similar system packages in this codebase (like src/evaluator/builtins/system/), internal helper functions should be unexported unless they need to be part of the public API. Consider making this function unexported by renaming it to "checkUpdateCommand".

[Copilot]

The condition checks both that len(os.Args) == 2 AND that CheckUpdateCommand returns true. The CheckUpdateCommand function already validates the argument value, making the length check partially redundant with how it's being called. More importantly, this means "banglacode -h update" or "banglacode update extra-arg" would not trigger the update command, which may be unexpected behavior. Consider either: 1) Simplifying to just check for the "update" command regardless of other arguments, or 2) Explicitly validating that "update" is the only argument and showing an error for extra arguments.

Suggested change

	if len(os.Args) == 2 && update.CheckUpdateCommand(os.Args[1:], "update") {
	if update.CheckUpdateCommand(os.Args[1:], "update") {
	if len(os.Args) != 2 {
	fmt.Fprintln(os.Stderr, "Error: 'update' command does not accept additional arguments.")
	return
	}

[Copilot]

The new Update package lacks test coverage. Given that this codebase has comprehensive test coverage for other packages (as seen in the test directory), the update functionality should also have tests. Consider adding tests that: 1) Verify CheckUpdateCommand correctly identifies the update argument, 2) Mock the exec.Command to test different OS scenarios without actually executing shell commands, 3) Test error handling for unsupported operating systems. This is particularly important for security-sensitive code that executes external commands.

[Copilot]

The comment says "checkUpdateCommand" (lowercase) but the function is actually named "CheckUpdateCommand" (uppercase/exported). The comment should match the actual function name for consistency and to avoid confusion.

Suggested change

	// checkUpdateCommand checks if the "update" argument is present in the command-line args
	// CheckUpdateCommand checks if the "update" argument is present in the command-line args

[Copilot]

The implementation calls os.Exit(1) directly on error, which prevents proper cleanup and makes the function difficult to test. This pattern is inconsistent with Go best practices for library code. Consider returning an error value instead and letting the caller (main.go) decide when to exit. This would make the update package more testable and reusable.

[Copilot]

The update mechanism downloads and executes remote scripts without any verification that the script contents match what's expected. While the install scripts themselves now verify checksums of binaries (as seen in Scripts/install.sh), the updater executes the install scripts themselves without any integrity check. An attacker who compromises the GitHub repository or performs a man-in-the-middle attack could inject malicious code that would be executed with the user's privileges. Consider one of these alternatives: 1) Download the script, verify its checksum, then execute it locally, 2) Use a native Go implementation that directly downloads and verifies binaries, or 3) At minimum, document this security risk prominently in user-facing documentation.

[Copilot]

The directory is named "Update" (capitalized) which is inconsistent with Go naming conventions. All other packages in the codebase use lowercase directory names (e.g., src/repl/, src/parser/, src/evaluator/builtins/crypto/). The directory should be renamed to "update" to match Go conventions and maintain consistency with the rest of the codebase.

[Copilot]

The version strings are hardcoded in the printVersion function. This creates a maintenance burden and risk of version mismatch. Consider using the Version constant from the repl package (repl.Version) instead of hardcoding the version string twice. This would ensure consistency and make version updates less error-prone.