chore: bump CLI to 3.28.1 — stop leaking gen_codex_skills via cargo install #292
Merged
Gate the internal gen_codex_skills build tool behind the non-default `dev-tools` feature so `cargo install straymark-cli` (the path used by `straymark update-cli`) no longer leaks it into users' ~/.cargo/bin/.

Cargo auto-discovered cli/src/bin/gen_codex_skills.rs as a second binary target, so the cargo-install path installed it alongside `straymark`. It is now declared explicitly with required-features = ["dev-tools"]; CI and local regeneration pass --features dev-tools.

The GitHub-release tarballs were never affected (they only ever packaged `straymark`).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Problem

`straymark update-cli` runs `cargo install`, which installs all binary targets of `straymark-cli`. Because the internal build tool `cli/src/bin/gen_codex_skills.rs` is auto-discovered by Cargo as a second binary, it leaked into users' `~/.cargo/bin/` alongside `straymark`:

`gen_codex_skills` is a dev/CI-only tool (regenerates `dist/.codex/skills/` from `dist/.claude/skills/`) and should never ship to adopters. The GitHub-release tarballs were never affected (they only ever packaged `straymark`) — only the cargo-install path leaked it.

Fix

Gate the tool behind a non-default `dev-tools` feature via `required-features`. `cargo install` (default features) now skips it; CI and local regeneration pass `--features dev-tools`.

- `cli/Cargo.toml`: explicit `[[bin]] gen_codex_skills` with `required-features = ["dev-tools"]`; new empty `dev-tools` feature; bump to `3.28.1`.
- `.github/workflows/ci.yml`: `codex-skills-sync` job runs with `--features dev-tools`.
- `CHANGELOG.md` + version tables (README + CLI-REFERENCE EN/es/zh-CN) updated to `cli-3.28.1`.

Verification

- `cargo install --path . --root /tmp/sm-install-test --locked` → installs only `straymark` (no `gen_codex_skills`). ✅
- `cargo run --bin gen_codex_skills --features dev-tools -- --check` → "Codex skills are in sync (12 skills)." ✅
- `cargo run --bin gen_codex_skills` (no feature) → clear error requiring `dev-tools`. ✅
- `cargo test` (full workspace) → all green, 0 failures. ✅

Adopter note

The fix prevents future leaks; it does not remove an already-installed copy. Users who have it can run `rm ~/.cargo/bin/gen_codex_skills`.

🤖 Generated with Claude Code
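The verification step above can also be enforced as a release guard. The following is an added example, not part of this pull request or the project's code: it reads `cargo metadata --format-version 1 --no-deps` style JSON and reports every binary target a default-feature `cargo install` would ship that is not on an allowlist. The embedded metadata is a constructed sample, and the function names and the allowlist are assumptions.

```python
import json

# Constructed sample shaped like `cargo metadata --format-version 1 --no-deps`
# output for the crate after the fix, trimmed to the fields used here.
SAMPLE_METADATA = json.loads("""
{"packages": [{
  "name": "straymark-cli",
  "features": {"dev-tools": []},
  "targets": [
    {"name": "straymark", "kind": ["bin"]},
    {"name": "gen_codex_skills", "kind": ["bin"],
     "required-features": ["dev-tools"]}
  ]}]}
""")

def default_features(features):
    """Transitive closure of `default` over the package's feature table."""
    enabled, stack = set(), ["default"]
    while stack:
        name = stack.pop()
        # Entries that are not feature names (e.g. "dep:x") are dropped here.
        if name in features and name not in enabled:
            enabled.add(name)
            stack.extend(features[name])
    return enabled

def default_installed_bins(package):
    """Binary targets a plain `cargo install` (default features) would build."""
    enabled = default_features(package.get("features", {}))
    return sorted(
        t["name"] for t in package["targets"]
        if "bin" in t["kind"]
        and set(t.get("required-features", [])) <= enabled
    )

def unexpected_bins(metadata, allowed):
    """Map package name -> default-installed binaries not on the allowlist."""
    report = {}
    for pkg in metadata["packages"]:
        extra = [b for b in default_installed_bins(pkg) if b not in allowed]
        if extra:
            report[pkg["name"]] = extra
    return report

if __name__ == "__main__":
    # Empty dict means only allowlisted binaries would be installed.
    print(unexpected_bins(SAMPLE_METADATA, allowed={"straymark"}))
```

In CI, feed it the real `cargo metadata` output and fail the job when the returned mapping is non-empty.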