feat: update golangci-lint version and improve lint handling in CI

fix: change skip-dirs to exclude-dirs in golangci configuration
chore: remove deprecated .openboot.yml and .openboot.yml.example files
docs: update CHANGELOG for command removals and changes in v1.0
docs: enhance CLAUDE.md with project structure and guidelines
feat: add context support to LoginInteractive and related functions
test: refactor login tests to use context and improve coverage
fix: improve error handling in GetInstalledPackages
feat: implement context handling in CLI commands for better cancellation
test: enhance snapshot tests to verify health records for failed steps
refactor: streamline API URL validation to prevent prefix-bypass attacks
chore: add quality score JSON file for tracking code quality metrics

Author: fullstackjam

.github/workflows/test.yml

@@ -31,7 +31,7 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:
-          version: latest
+          version: v2.11.4
 
   unit:
     name: unit (L1)

.golangci.yml

@@ -2,7 +2,7 @@ version: "2"
 
 run:
   timeout: 5m
-  skip-dirs:
+  exclude-dirs:
     - vendor
     - testutil
 

.openboot.yml

@@ -21,13 +21,13 @@ Six commands are removed outright. Each prints an error with a migration hint wh
 | `openboot doctor` | **no replacement** — use `brew doctor` and `git config --list` directly |
 | `openboot update` | **no replacement** — use `brew upgrade` directly; OpenBoot self-updates on launch |
 
-Three flat commands move under a `config` namespace:
+Three flat commands are removed with no replacement — manage configs directly at openboot.dev:
 
-| Before | After |
-|--------|-------|
-| `openboot list` | `openboot config list` |
-| `openboot edit` | `openboot config edit` |
-| `openboot delete` | `openboot config delete` |
+| Command | Status |
+|---------|--------|
+| `openboot list` | **no replacement** — use openboot.dev dashboard |
+| `openboot edit` | **no replacement** — use openboot.dev dashboard |
+| `openboot delete` | **no replacement** — use openboot.dev dashboard |
 
 No aliases are kept — silent aliasing would regress behavior invisibly (the old `pull` did uninstalls, the new `install` does not).
 

.openboot.yml.example

@@ -41,7 +41,7 @@ make clean
 cmd/openboot/        # main.go → cli.Execute()
 internal/
   auth/              # OAuth-like login, token in ~/.openboot/auth.json (0600)
-  brew/              # Homebrew ops, parallel workers (4 max), retry, uninstall
+  brew/              # Homebrew ops, sequential install with retry, uninstall
   cli/               # Cobra cmds: install, snapshot, login, logout, version
   config/            # Package catalog + presets + remote fetch (embed fallback in data/)
   diff/              # Pure-logic system-vs-config comparison
@@ -94,7 +94,7 @@ These cannot be inferred from code alone — everything else is enforced by `go
 - **Destructive ops**: check `cfg.DryRun` first. Always.
 - **Paths**: `os.UserHomeDir()` — never hardcode `~` or `/Users/...`.
 - **State**: everything user-local goes under `~/.openboot/` (auth, cache, snapshots, state).
-- **Concurrency**: bounded `sync.WaitGroup` — brew uses max 4 workers. No unbounded goroutines.
+- **Concurrency**: bounded `sync.WaitGroup` — brew install is sequential with retry; `GetInstalledPackages` uses 2 goroutines for formula+cask list. No unbounded goroutines.
 - **Embedded data**: `//go:embed data/*.yaml` loaded in `init()`.
 - **Tests**: table-driven, `testify/require` for fatal, `testify/assert` for non-fatal. L1 uses the `Runner` interface to fake subprocess calls — no real network, no real fork.
 - **Commits**: Conventional (`feat:` / `fix:` / `docs:` / `refactor:` / `test:` / `chore:` / `ci:`), one thing per commit.

CHANGELOG.md

@@ -180,6 +180,7 @@ Removed in v1.0: `pull`, `push`, `diff`, `clean`, `log`, `restore`, `init`, `set
 ```
 -p, --preset NAME      Set preset (minimal, developer, full)
 -u, --user NAME        Use alias or openboot.dev username/slug config
+    --from FILE        Install from a local config or snapshot JSON file
 -s, --silent           Non-interactive mode (requires env vars)
     --dry-run          Preview what would be installed
     --packages-only    Install packages only, skip system config
@@ -188,6 +189,7 @@ Removed in v1.0: `pull`, `push`, `diff`, `clean`, `log`, `restore`, `init`, `set
     --macos MODE       macOS prefs: configure, skip
     --dotfiles MODE    Dotfiles: clone, link, skip
     --post-install MODE  Post-install script: skip
+    --allow-post-install Allow post-install scripts in silent mode
 ```
 
 </details>

CLAUDE.md

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"context"
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
@@ -51,7 +52,7 @@ type cliPollResponse struct {
 	ExpiresAt string `json:"expires_at,omitempty"`
 }
 
-func LoginInteractive(apiBase string) (*StoredAuth, error) {
+func LoginInteractive(ctx context.Context, apiBase string) (*StoredAuth, error) {
 	codeID, code, err := startAuthSession(apiBase)
 	if err != nil {
 		return nil, err
@@ -69,7 +70,7 @@ func LoginInteractive(apiBase string) (*StoredAuth, error) {
 
 	fmt.Fprintf(os.Stderr, "\nWaiting for approval...\n")
 
-	result, err := pollForApproval(apiBase, codeID)
+	result, err := pollForApproval(ctx, apiBase, codeID)
 	if err != nil {
 		return nil, err
 	}
@@ -135,14 +136,16 @@ var (
 	pollInterval = 2 * time.Second
 )
 
-func pollForApproval(apiBase, codeID string) (*cliPollResponse, error) {
+func pollForApproval(ctx context.Context, apiBase, codeID string) (*cliPollResponse, error) {
 	pollURL := fmt.Sprintf("%s/api/auth/cli/poll?code_id=%s", apiBase, url.QueryEscape(codeID))
 	timeout := time.After(pollTimeout)
 	ticker := time.NewTicker(pollInterval)
 	defer ticker.Stop()
 
 	for {
 		select {
+		case <-ctx.Done():
+			return nil, fmt.Errorf("login cancelled")
 		case <-timeout:
 			return nil, fmt.Errorf("authentication timed out after 5 minutes")
 		case <-ticker.C:

README.md

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"io"
@@ -204,7 +205,7 @@ func TestPollForApproval_Approved(t *testing.T) {
 		json.NewEncoder(w).Encode(resp) //nolint:errcheck // test helper
 	}))
 
-	result, err := pollForApproval(fakeBase+"/poll", "code_id_123")
+	result, err := pollForApproval(context.Background(), fakeBase+"/poll", "code_id_123")
 	require.NoError(t, err)
 	assert.NotNil(t, result)
 	assert.Equal(t, "approved", result.Status)
@@ -222,7 +223,7 @@ func TestPollForApproval_Expired(t *testing.T) {
 		json.NewEncoder(w).Encode(resp) //nolint:errcheck // test helper
 	}))
 
-	result, err := pollForApproval(fakeBase+"/poll", "code_id_123")
+	result, err := pollForApproval(context.Background(), fakeBase+"/poll", "code_id_123")
 	assert.Error(t, err)
 	assert.Nil(t, result)
 	assert.Contains(t, err.Error(), "authorization code expired")
@@ -250,7 +251,7 @@ func TestPollForApproval_Pending(t *testing.T) {
 		}
 	}))
 
-	result, err := pollForApproval(fakeBase+"/poll", "code_id_123")
+	result, err := pollForApproval(context.Background(), fakeBase+"/poll", "code_id_123")
 	require.NoError(t, err)
 	assert.NotNil(t, result)
 	assert.Equal(t, "approved", result.Status)
@@ -274,7 +275,7 @@ func TestPollForApproval_TimeoutBehavior(t *testing.T) {
 	}))
 
 	start := time.Now()
-	result, err := pollForApproval(fakeBase+"/poll", "code_id_123")
+	result, err := pollForApproval(context.Background(), fakeBase+"/poll", "code_id_123")
 	elapsed := time.Since(start)
 
 	assert.Error(t, err)
@@ -299,7 +300,7 @@ func TestPollForApproval_InvalidResponse(t *testing.T) {
 		w.Write([]byte("invalid json {")) //nolint:errcheck // test helper
 	}))
 
-	result, err := pollForApproval(fakeBase+"/poll", "code_id_123")
+	result, err := pollForApproval(context.Background(), fakeBase+"/poll", "code_id_123")
 	assert.Error(t, err)
 	assert.Nil(t, result)
 	assert.Contains(t, err.Error(), "timed out")
@@ -406,7 +407,7 @@ func TestLoginInteractive_SuccessRFC3339(t *testing.T) {
 		}
 	}))
 
-	auth, err := LoginInteractive(fakeBase)
+	auth, err := LoginInteractive(context.Background(), fakeBase)
 	require.NoError(t, err)
 	assert.NotNil(t, auth)
 	assert.Equal(t, "obt_token_123", auth.Token)
@@ -442,7 +443,7 @@ func TestLoginInteractive_SuccessSQLiteFormat(t *testing.T) {
 		}
 	}))
 
-	auth, err := LoginInteractive(fakeBase)
+	auth, err := LoginInteractive(context.Background(), fakeBase)
 	require.NoError(t, err)
 	assert.NotNil(t, auth)
 	assert.Equal(t, "obt_token_123", auth.Token)
@@ -458,7 +459,7 @@ func TestLoginInteractive_StartAuthSessionError(t *testing.T) {
 		w.WriteHeader(http.StatusInternalServerError)
 	}))
 
-	auth, err := LoginInteractive(fakeBase)
+	auth, err := LoginInteractive(context.Background(), fakeBase)
 	assert.Error(t, err)
 	assert.Nil(t, auth)
 	assert.Contains(t, err.Error(), "status 500")
@@ -483,7 +484,7 @@ func TestLoginInteractive_PollForApprovalError(t *testing.T) {
 		}
 	}))
 
-	auth, err := LoginInteractive(fakeBase)
+	auth, err := LoginInteractive(context.Background(), fakeBase)
 	assert.Error(t, err)
 	assert.Nil(t, auth)
 	assert.Contains(t, err.Error(), "authorization code expired")
@@ -513,7 +514,7 @@ func TestLoginInteractive_InvalidExpirationFormat(t *testing.T) {
 		}
 	}))
 
-	auth, err := LoginInteractive(fakeBase)
+	auth, err := LoginInteractive(context.Background(), fakeBase)
 	assert.Error(t, err)
 	assert.Nil(t, auth)
 	assert.Contains(t, err.Error(), "parse expiration")
@@ -548,7 +549,7 @@ func TestLoginInteractive_SaveTokenError(t *testing.T) {
 		}
 	}))
 
-	auth, err := LoginInteractive(fakeBase)
+	auth, err := LoginInteractive(context.Background(), fakeBase)
 	assert.Error(t, err)
 	assert.Nil(t, auth)
 	assert.Contains(t, err.Error(), "save auth token")

internal/auth/login.go

@@ -49,10 +49,10 @@ func GetInstalledPackages() (formulae map[string]bool, casks map[string]bool, er
 	wg.Wait()
 
 	if fErr != nil {
-		return nil, nil, fErr
+		return nil, nil, fmt.Errorf("list formulae: %w", fErr)
 	}
 	if cErr != nil {
-		return nil, nil, cErr
+		return nil, nil, fmt.Errorf("list casks: %w", cErr)
 	}
 
 	for _, name := range strings.Split(strings.TrimSpace(string(fOut)), "\n") {