Add homebrew formula

[elie222]

Add a Homebrew formula and CI release workflow to build and publish Bun-based Inbox Zero CLI binaries for macOS (arm64/x64) and Linux x64 with version 2.21.15

Introduce a dispatchable GitHub Actions release workflow that builds, tars, checksums, and publishes Bun-compiled CLI binaries and add a Homebrew formula with platform URLs and tests. Update the CLI to run under bun, set version 2.21.15, add a setup subcommand with defaulting, and improve project root detection. Add a dedicated CLI package.json and tsconfig, and update the top-level setup script to invoke the CLI.

📍Where to Start

Start with the CLI entry point in main.ts, then review the release workflow in cli-release.yml and the formula in inbox-zero.rb.

---

📊 Macroscope summarized 44b5e87. 2 files reviewed, 10 issues evaluated, 5 issues filtered, 1 comment posted

🗂️ Filtered Issues

packages/cli/src/main.ts — 0 comments posted, 7 evaluated, 5 filtered

• line 50: Mutates the global process.argv array in place (process.argv.push("setup")) to inject a default command when no args are provided. This persistent mutation is not restored on any exit path and can leak into subsequent invocations within the same process (e.g., tests or embedded usage), causing unexpected behavior for other code that reads process.argv or for later calls to main(). Use a local copy when parsing (e.g., pass an augmented args array to program.parseAsync(...)) rather than mutating the global state. [ Low confidence ]
• line 542: No error handling around .env file writing can cause an uncaught exception and leave the spinner running without a graceful terminal state. writeFileSync(ENV_FILE, envContent) may throw (e.g., permission denied, disk full), but the code does not catch and stop the spinner or provide a fallback log/exit. Add try/catch around file write, ensure spinner.stop(...) executes on all paths, and report the error before exiting. [ Out of scope ]
• line 596: The guard in addSection (if (!hasAnyNonComment && vars.every((v) => env[v.name] === undefined)) return;) skips entire sections when all variables are marked comment: true and none exist in env. This contradicts the stated helper contract comment "comment: true = always show as comment", because such sections would not be shown at all instead of being rendered as commented lines. If a caller ever provides a section comprised solely of comment-only vars, the section would be silently omitted, violating the documented behavior. [ Out of scope ]
• line 735: Converting the caught error to a string via String(error) before logging (p.log.error(String(error))) loses diagnostic information (e.g., stack trace, error name, nested causes). This degrades error reporting and can hinder troubleshooting. Prefer logging the error object directly or including error.stack/error.message when available. [ Out of scope ]
• line 735: Potential ReferenceError if p (and p.log) is not initialized before use in p.log.error(String(error)). At runtime, a missing or undefined p would cause the catch handler itself to throw, preventing the intended error logging and exit path. Ensure p is defined and initialized or guard its usage. [ Out of scope ]

Summary by CodeRabbit

Release Notes

• New Features

  • Inbox Zero CLI now installable via Homebrew on macOS and Linux.
  • Setup command guides users through configuration of OAuth providers, database, and environment settings.

• Documentation

  • Added CLI documentation including installation methods, usage examples, and development setup instructions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Updated (UTC)
inbox-zero	Ready	Preview	Nov 30, 2025 1:53pm

[coderabbitai]

Walkthrough

Establishes a new CLI package for Inbox Zero with source code, TypeScript configuration, and package metadata. Introduces a GitHub Actions workflow for automated multi-platform builds and releases, adds a Homebrew formula for package distribution, updates the root setup command to invoke the CLI, and provides CLI documentation and installation guidance.

Changes

Cohort / File(s)	Summary
CLI Package Infrastructure packages/cli/package.json, packages/cli/tsconfig.json	Defines new ESM CLI package with bin entry, build scripts, dependencies (commander, clack/prompts), and TypeScript configuration extending base config with dist output directory.
CLI Source Code packages/cli/src/main.ts	Implements CLI entry point with project-root detection logic (findProjectRoot), interactive setup prompts, environment file generation, and validation checks for inbox-zero project layout.
CLI Documentation packages/cli/README.md	Provides installation instructions (Homebrew, manual, from source), usage examples, development commands, and configuration guidance for OAuth, database, Redis, and LLM providers.
Release Automation .github/workflows/cli-release.yml	Defines GitHub Actions workflow with build matrix for macOS (arm64, x64) and Linux x64, artifact uploads, version extraction, SHA256 checksum computation, and GitHub release creation with installation instructions.
Package Distribution Formula/inbox-zero.rb	Introduces Homebrew formula with platform-specific URL sources, SHA256 checksums, and installation logic mapping binaries to standard bin/inbox-zero across macOS and Linux.
Root Configuration Update package.json	Updates setup script entry point from scripts/setup-env.ts to packages/cli/src/main.ts with "setup" argument.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• packages/cli/src/main.ts: Verify findProjectRoot() logic correctly identifies inbox-zero project structure; review environment file path resolution and error handling
• .github/workflows/cli-release.yml: Validate build matrix configuration, artifact naming consistency with Homebrew formula URLs, and SHA256 checksum generation/output steps
• Formula/inbox-zero.rb: Confirm SHA256 placeholders will be populated correctly by the workflow; verify platform/architecture URL mappings match workflow outputs
• packages/cli/package.json: Ensure bin entry path and build script targets are aligned with tsconfig output configuration

Possibly related PRs

• Add setup cli #1037: Directly related—this PR replaces and relocates the setup logic from scripts/setup-env.ts into packages/cli/src/main.ts and updates the root package.json setup entry point accordingly.

Poem

🐰 A CLI born from setup's dreams,
With workflows, formulas, and release schemes,
Cross-platform binaries, Homebrew's embrace—
Inbox Zero hops to every place! 🚀

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'Add homebrew formula' accurately summarizes a primary component of the changeset, but the PR involves significantly more substantial changes beyond just the Homebrew formula, including a new GitHub Actions CLI release workflow, CLI package setup, TypeScript configuration, and package.json updates.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/homebrew

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[macroscopeapp]

Suggestion: Formula/inbox-zero.rb uses placeholder sha256 values; replace with the real 64‑char hex digests for each platform tarball so Homebrew verification succeeds (e.g., via shasum -a 256).

🚀 Reply to ask Macroscope to explain or update this suggestion.

👍 Helpful? React to give us feedback.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (5)

packages/cli/README.md (1)

3-3: Minor wording nit: hyphenate “open‑source”

Consider changing “an open source AI email assistant” to “an open‑source AI email assistant” for consistency with common style guides. (From LanguageTool hint.)

.github/workflows/cli-release.yml (1)

64-76: Keep version.txt and Homebrew SHA placeholders in sync with releases

This workflow assumes:

• version.txt exists and is updated before running the workflow.
• The computed cli-v${version} tag matches the Homebrew formula’s version/URL.
• SHA outputs here are copied into the formula’s sha256 fields.

If any of these drift (e.g., version.txt not updated, or formula version changed independently), releases or brew install inbox-zero will break. Consider documenting this release flow or adding a brief maintainer note near version.txt/the formula to reduce sync errors.

Also applies to: 126-131

Formula/inbox-zero.rb (1)

6-7: Formula structure is sound; ensure version/SHA consistency before publishing

Class name, URLs, arch‑specific installs, and the version test all look correct and align with the release workflow and CLI program.version("2.21.15"). Before exposing this via the tap, remember to:

• Replace the REPLACE_WITH_..._SHA256 placeholders with the values printed by the workflow.
• Keep version here, the CLI --version string, and version.txt in sync when cutting new releases.

Also applies to: 11-12, 20-21, 31-32, 40-42

packages/cli/src/main.ts (2)

520-533: Update generated .env header to reflect the new CLI name

The env generator still writes # Generated by setup-env CLI, but the tool is now presented as inbox-zero / @inbox-zero/cli. Updating this string will avoid confusion about where the file came from.

-    "# Generated by setup-env CLI",
+    "# Generated by Inbox Zero CLI",

Also applies to: 582-588

---

385-456: Define a shared LLM provider type to prevent map key drift during future additions

The llmProvider select returns a narrow union type inferred from its options array. However, defaultModels, llmLinks, and apiKeyEnvVar are typed as plain Record<string, …>, creating coupling risk: if someone adds a new provider to the select but forgets to update one of these maps, the code will fail at runtime when accessing that map with the new provider key.

Define a shared type and use it consistently:

const llmProviders = ["anthropic", "openai", "google", "openrouter", "groq", "aigateway"] as const;
type LlmProvider = (typeof llmProviders)[number];

const defaultModels: Record<LlmProvider, { default: string; economy: string }> = {
  anthropic: { /* ... */ },
  // ...
} as const;

const llmLinks: Record<LlmProvider, string> = { /* ... */ };
const apiKeyEnvVar: Record<LlmProvider, string> = { /* ... */ };

This enforces TypeScript coverage—missing a provider in any map will cause a compilation error rather than a runtime crash during setup.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b83058a and 44b5e87.

📒 Files selected for processing (7)

• .github/workflows/cli-release.yml (1 hunks)
• Formula/inbox-zero.rb (1 hunks)
• package.json (1 hunks)
• packages/cli/README.md (1 hunks)
• packages/cli/package.json (1 hunks)
• packages/cli/src/main.ts (20 hunks)
• packages/cli/tsconfig.json (1 hunks)

🧰 Additional context used

📓 Path-based instructions (9)

!(pages/_document).{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

Don't use the next/head module in pages/_document.js on Next.js projects

Files:

• packages/cli/README.md
• .github/workflows/cli-release.yml
• packages/cli/tsconfig.json
• package.json
• packages/cli/src/main.ts
• packages/cli/package.json
• Formula/inbox-zero.rb

**/package.json

📄 CodeRabbit inference engine (.cursor/rules/installing-packages.mdc)

Use pnpm as the package manager

Files:

• package.json
• packages/cli/package.json

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/data-fetching.mdc)

**/*.{ts,tsx}: For API GET requests to server, use the swr package
Use result?.serverError with toastError from @/components/Toast for error handling in async operations

**/*.{ts,tsx}: Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls
Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls
Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

**/*.{ts,tsx}: For early access feature flags, create hooks using the naming convention use[FeatureName]Enabled that return a boolean from useFeatureFlagEnabled("flag-key")
For A/B test variant flags, create hooks using the naming convention use[FeatureName]Variant that define variant types, use useFeatureFlagVariantKey() with type casting, and provide a default "control" fallback
Use kebab-case for PostHog feature flag keys (e.g., inbox-cleaner, pricing-options-2)
Always define types for A/B test variant flags (e.g., type PricingVariant = "control" | "variant-a" | "variant-b") and provide type safety through type casting

**/*.{ts,tsx}: Don't use primitive type aliases or misleading types
Don't use empty type parameters in type aliases and interfaces
Don't use this and super in static contexts
Don't use any or unknown as type constraints
Don't use the TypeScript directive @ts-ignore
Don't use TypeScript enums
Don't export imported variables
Don't add type annotations to variables, parameters, and class properties that are initialized with literal expressions
Don't use TypeScript namespaces
Don't use non-null assertions with the ! postfix operator
Don't use parameter properties in class constructors
Don't use user-defined types
Use as const instead of literal types and type annotations
Use either T[] or Array<T> consistently
Initialize each enum member value explicitly
Use export type for types
Use `impo...

Files:

• packages/cli/src/main.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/prisma-enum-imports.mdc)

Always import Prisma enums from @/generated/prisma/enums instead of @/generated/prisma/client to avoid Next.js bundling errors in client components

Import Prisma using the project's centralized utility: import prisma from '@/utils/prisma'

Files:

• packages/cli/src/main.ts

**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/*.ts: ALL database queries MUST be scoped to the authenticated user/account by including user/account filtering in WHERE clauses to prevent unauthorized data access
Always validate that resources belong to the authenticated user before performing operations, using ownership checks in WHERE clauses or relationships
Always validate all input parameters for type, format, and length before using them in database queries
Use SafeError for error responses to prevent information disclosure. Generic error messages should not reveal internal IDs, logic, or resource ownership details
Only return necessary fields in API responses using Prisma's select option. Never expose sensitive data such as password hashes, private keys, or system flags
Prevent Insecure Direct Object References (IDOR) by validating resource ownership before operations. All findUnique/findFirst calls MUST include ownership filters
Prevent mass assignment vulnerabilities by explicitly whitelisting allowed fields in update operations instead of accepting all user-provided data
Prevent privilege escalation by never allowing users to modify system fields, ownership fields, or admin-only attributes through user input
All findMany queries MUST be scoped to the user's data by including appropriate WHERE filters to prevent returning data from other users
Use Prisma relationships for access control by leveraging nested where clauses (e.g., emailAccount: { id: emailAccountId }) to validate ownership

Files:

• packages/cli/src/main.ts

**/*.{tsx,ts}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

**/*.{tsx,ts}: Use Shadcn UI and Tailwind for components and styling
Use next/image package for images
For API GET requests to server, use the swr package with hooks like useSWR to fetch data
For text inputs, use the Input component with registerProps for form integration and error handling

Files:

• packages/cli/src/main.ts

**/*.{tsx,ts,css}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

Implement responsive design with Tailwind CSS using a mobile-first approach

Files:

• packages/cli/src/main.ts

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

**/*.{js,jsx,ts,tsx}: Don't use accessKey attribute on any HTML element
Don't set aria-hidden="true" on focusable elements
Don't add ARIA roles, states, and properties to elements that don't support them
Don't use distracting elements like <marquee> or <blink>
Only use the scope prop on <th> elements
Don't assign non-interactive ARIA roles to interactive HTML elements
Make sure label elements have text content and are associated with an input
Don't assign interactive ARIA roles to non-interactive HTML elements
Don't assign tabIndex to non-interactive HTML elements
Don't use positive integers for tabIndex property
Don't include "image", "picture", or "photo" in img alt prop
Don't use explicit role property that's the same as the implicit/default role
Make static elements with click handlers use a valid role attribute
Always include a title element for SVG elements
Give all elements requiring alt text meaningful information for screen readers
Make sure anchors have content that's accessible to screen readers
Assign tabIndex to non-interactive HTML elements with aria-activedescendant
Include all required ARIA attributes for elements with ARIA roles
Make sure ARIA properties are valid for the element's supported roles
Always include a type attribute for button elements
Make elements with interactive roles and handlers focusable
Give heading elements content that's accessible to screen readers (not hidden with aria-hidden)
Always include a lang attribute on the html element
Always include a title attribute for iframe elements
Accompany onClick with at least one of: onKeyUp, onKeyDown, or onKeyPress
Accompany onMouseOver/onMouseOut with onFocus/onBlur
Include caption tracks for audio and video elements
Use semantic elements instead of role attributes in JSX
Make sure all anchors are valid and navigable
Ensure all ARIA properties (aria-*) are valid
Use valid, non-abstract ARIA roles for elements with ARIA roles
Use valid AR...

Files:

• packages/cli/src/main.ts

**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

**/*.{js,ts,jsx,tsx}: Use lodash utilities for common operations (arrays, objects, strings)
Import specific lodash functions to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

• packages/cli/src/main.ts

🧠 Learnings (13)

📚 Learning: 2025-11-25T14:42:08.869Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/ultracite.mdc:0-0
Timestamp: 2025-11-25T14:42:08.869Z
Learning: Applies to **/*.{ts,tsx} : Use `export type` for types

Applied to files:

• packages/cli/tsconfig.json

📚 Learning: 2025-11-25T14:42:08.869Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/ultracite.mdc:0-0
Timestamp: 2025-11-25T14:42:08.869Z
Learning: Applies to **/*.{ts,tsx} : Use the namespace keyword instead of the module keyword to declare TypeScript namespaces

Applied to files:

• packages/cli/tsconfig.json

📚 Learning: 2025-11-25T14:42:08.869Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/ultracite.mdc:0-0
Timestamp: 2025-11-25T14:42:08.869Z
Learning: Applies to **/*.{ts,tsx} : Don't use TypeScript namespaces

Applied to files:

• packages/cli/tsconfig.json

📚 Learning: 2025-11-25T14:42:08.869Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/ultracite.mdc:0-0
Timestamp: 2025-11-25T14:42:08.869Z
Learning: Applies to **/*.{ts,tsx} : Use `import type` for types

Applied to files:

• packages/cli/tsconfig.json

📚 Learning: 2025-11-25T14:36:18.416Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-11-25T14:36:18.416Z
Learning: Applies to apps/web/**/*.{ts,tsx} : Centralize shared types in dedicated type files

Applied to files:

• packages/cli/tsconfig.json

📚 Learning: 2025-11-25T14:42:08.869Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/ultracite.mdc:0-0
Timestamp: 2025-11-25T14:42:08.869Z
Learning: Applies to **/*.{ts,tsx} : Don't use user-defined types

Applied to files:

• packages/cli/tsconfig.json

📚 Learning: 2025-11-25T14:42:08.869Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/ultracite.mdc:0-0
Timestamp: 2025-11-25T14:42:08.869Z
Learning: Applies to **/*.{js,jsx,ts,tsx} : Use `with { type: "json" }` for JSON module imports

Applied to files:

• packages/cli/tsconfig.json

📚 Learning: 2025-11-25T14:42:08.869Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/ultracite.mdc:0-0
Timestamp: 2025-11-25T14:42:08.869Z
Learning: Applies to **/*.{ts,tsx} : Use `as const` instead of literal types and type annotations

Applied to files:

• packages/cli/tsconfig.json

📚 Learning: 2025-11-25T14:38:07.606Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm.mdc:0-0
Timestamp: 2025-11-25T14:38:07.606Z
Learning: Applies to apps/web/utils/ai/**/*.ts : Use TypeScript types for all LLM function parameters and return values, and define clear interfaces for complex input/output structures

Applied to files:

• packages/cli/tsconfig.json

📚 Learning: 2025-11-25T14:42:08.869Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/ultracite.mdc:0-0
Timestamp: 2025-11-25T14:42:08.869Z
Learning: Applies to **/*.{ts,tsx} : Don't use the TypeScript directive ts-ignore

Applied to files:

• packages/cli/tsconfig.json

📚 Learning: 2025-11-25T14:42:08.869Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/ultracite.mdc:0-0
Timestamp: 2025-11-25T14:42:08.869Z
Learning: Applies to **/*.{js,jsx,ts,tsx} : Don't hardcode sensitive data like API keys and tokens

Applied to files:

• packages/cli/src/main.ts

📚 Learning: 2025-11-25T14:38:42.022Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/prisma.mdc:0-0
Timestamp: 2025-11-25T14:38:42.022Z
Learning: Applies to **/prisma/schema.prisma : Use PostgreSQL as the database system with Prisma

Applied to files:

• packages/cli/src/main.ts

📚 Learning: 2025-11-25T14:38:07.606Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm.mdc:0-0
Timestamp: 2025-11-25T14:38:07.606Z
Learning: Applies to apps/web/utils/ai/**/*.ts : System prompts must define the LLM's role and task specifications

Applied to files:

• packages/cli/src/main.ts

🧬 Code graph analysis (1)

packages/cli/src/main.ts (1)

apps/web/env.ts (1)

• env (17-246)

🪛 LanguageTool

packages/cli/README.md

[grammar] ~3-~3: Use a hyphen to join words.
Context: ...(https://www.getinboxzero.com) - an open source AI email assistant. ## Installat...

(QB_NEW_EN_HYPHEN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: cubic · AI code reviewer
• GitHub Check: test

🔇 Additional comments (6)

packages/cli/tsconfig.json (1)

1-13: CLI tsconfig looks consistent with build setup

Extends the shared base, uses src → dist, ESNext/bundler resolution and Node types; matches the CLI build scripts and bun usage with no obvious gaps.

.github/workflows/cli-release.yml (1)

11-22: Build matrix and artifact packaging look coherent

OS/target/artifact triplets, bun compile command, tarball creation, and upload paths are all aligned and match the install instructions and Homebrew formula URLs.

Also applies to: 33-51

packages/cli/package.json (1)

6-17: CLI manifest and scripts line up with the build/release workflow

Bin path, bun-based build scripts (JS and native binaries), and build:binary:* targets match src/main.ts, dist layout, and the GitHub Actions workflow. No blocking issues here.

packages/cli/src/main.ts (2)

9-29: Project-root detection and repo validation look robust

findProjectRoot() correctly handles being run from the repo root, apps/web, or packages/cli, and runSetup then validates that an apps/web directory actually exists before proceeding. Combined with the clear error message, this should prevent mis-running the CLI outside a cloned inbox-zero repo.

Also applies to: 57-73

---

38-55: Defaulting to setup when no command is given is a good UX choice

The program configuration plus process.argv.length === 2 check cleanly route bare inbox-zero invocations to the setup command, while still allowing explicit subcommands in the future.

package.json (1)

13-13: Root setup script correctly delegates to the CLI entrypoint

Pointing setup at tsx packages/cli/src/main.ts setup is consistent with the new CLI package and allows running the same flow without a prebuilt binary. No issues here.

[cubic-dev-ai]

4 issues found across 7 files

Prompt for AI agents (all 4 issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="Formula/inbox-zero.rb">

<violation number="1" location="Formula/inbox-zero.rb:12">
P1: Replace the placeholder Homebrew checksum with the actual SHA-256 of the darwin-arm64 tarball so the formula can be installed securely.</violation>

<violation number="2" location="Formula/inbox-zero.rb:21">
P1: Provide the real SHA-256 checksum for the darwin-x64 archive instead of the placeholder, otherwise `brew install` will fail during verification.</violation>

<violation number="3" location="Formula/inbox-zero.rb:32">
P1: Fill in the actual SHA-256 for the linux-x64 release tarball so Linux installations pass Homebrew’s checksum validation.</violation>
</file>

<file name="packages/cli/package.json">

<violation number="1" location="packages/cli/package.json:43">
P2: The `license` field points to `../../LICENSE`, which is outside the package and isn’t included in the published tarball (the `files` array limits contents to `dist`). Consumers will not receive any license text. Copy the license into this package or reference an SPDX identifier that matches the included file.</violation>
</file>

_{Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR}

[cubic-dev-ai]

P1: Fill in the actual SHA-256 for the linux-x64 release tarball so Linux installations pass Homebrew’s checksum validation.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At Formula/inbox-zero.rb, line 32:

<comment>Fill in the actual SHA-256 for the linux-x64 release tarball so Linux installations pass Homebrew’s checksum validation.</comment>

<file context>
@@ -0,0 +1,44 @@
+  on_linux do
+    on_intel do
+      url &quot;https://github.com/elie222/inbox-zero/releases/download/cli-v#{version}/inbox-zero-linux-x64.tar.gz&quot;
+      sha256 &quot;REPLACE_WITH_LINUX_X64_SHA256&quot;
+
+      def install
</file context>

[cubic-dev-ai]

P1: Provide the real SHA-256 checksum for the darwin-x64 archive instead of the placeholder, otherwise brew install will fail during verification.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At Formula/inbox-zero.rb, line 21:

<comment>Provide the real SHA-256 checksum for the darwin-x64 archive instead of the placeholder, otherwise `brew install` will fail during verification.</comment>

<file context>
@@ -0,0 +1,44 @@
+
+    on_intel do
+      url &quot;https://github.com/elie222/inbox-zero/releases/download/cli-v#{version}/inbox-zero-darwin-x64.tar.gz&quot;
+      sha256 &quot;REPLACE_WITH_DARWIN_X64_SHA256&quot;
+
+      def install
</file context>

[cubic-dev-ai]

P1: Replace the placeholder Homebrew checksum with the actual SHA-256 of the darwin-arm64 tarball so the formula can be installed securely.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At Formula/inbox-zero.rb, line 12:

<comment>Replace the placeholder Homebrew checksum with the actual SHA-256 of the darwin-arm64 tarball so the formula can be installed securely.</comment>

<file context>
@@ -0,0 +1,44 @@
+  on_macos do
+    on_arm do
+      url &quot;https://github.com/elie222/inbox-zero/releases/download/cli-v#{version}/inbox-zero-darwin-arm64.tar.gz&quot;
+      sha256 &quot;REPLACE_WITH_DARWIN_ARM64_SHA256&quot;
+
+      def install
</file context>

[cubic-dev-ai]

P2: The license field points to ../../LICENSE, which is outside the package and isn’t included in the published tarball (the files array limits contents to dist). Consumers will not receive any license text. Copy the license into this package or reference an SPDX identifier that matches the included file.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At packages/cli/package.json, line 43:

<comment>The `license` field points to `../../LICENSE`, which is outside the package and isn’t included in the published tarball (the `files` array limits contents to `dist`). Consumers will not receive any license text. Copy the license into this package or reference an SPDX identifier that matches the included file.</comment>

<file context>
@@ -0,0 +1,44 @@
+    &quot;cli&quot;,
+    &quot;setup&quot;
+  ],
+  &quot;license&quot;: &quot;SEE LICENSE IN ../../LICENSE&quot;
+}
</file context>