feat: app admin-controlled app profiles

[solimander]

Adds public app profile management via API, replacing local-only name storage.

New Command

eigenx app profile set <app-id|name> - Set name, website, description, X URL, and image (name required)

Deploy Flow

Profile collected after transaction confirms, while instance provisions. Uploaded immediately upon confirmation.

[claude]

Claude finished @solimander's task —— View job

---

Code Review Complete ✅

I've conducted a comprehensive review of the 15 changed files in this PR that adds admin-controlled app profiles functionality.

Todo List

• Read and analyze all 15 changed files
• Check code quality and Go best practices
• Look for potential bugs and security concerns
• Assess performance considerations
• Review error handling and user experience
• Check test coverage
• Provide comprehensive feedback

---

Summary

This PR implements a solid app profile management system with proper validation, user interaction flows, and API integration. The code quality is generally high with good error handling and user experience patterns.

✅ Strengths

Code Quality & Architecture

• Clean separation of concerns: Profile logic is well-organized in dedicated utilities (profile_utils.go, profile command)
• Consistent patterns: Follows existing CLI patterns for interactive prompts and flag handling
• Good abstraction: Shared validation and sanitization functions are reusable
• Proper error handling: Comprehensive error messages with context

Security

• Input validation: All user inputs are validated (URLs, image files, text lengths)
• File safety: Image validation includes size limits, format checking, and path sanitization
• XSS protection: HTML escaping for user-provided text with html.EscapeString()
• Authentication: Proper API permission handling for profile operations

User Experience

• Smart defaults: Automatic name suggestions from image references
• Flexible input: Supports both CLI flags and interactive prompts
• Context detection: Shows appropriate options based on current state
• Good feedback: Clear progress messages and confirmations

⚠️ Areas for Improvement

1. Input Validation Edge Cases

File: pkg/commands/utils/profile_utils.go:109

filePath = strings.Trim(strings.TrimSpace(filePath), "'\"")

Issue: This quote stripping could be fragile with nested quotes or mixed quote types.
Recommendation: Use more robust path parsing or validate the cleaned path.

2. Potential Race Condition

File: pkg/commands/utils/interactive.go:1296-1314

for _, batch := range batches {
    go func(b []ethcommon.Address) {
        infos, _ := userApiClient.GetInfos(cCtx, b, 0)
        resultsCh <- batchResult{batch: b, infos: infos}
    }(batch)
}

Issue: Goroutines created without proper error handling, silent failures with _.
Recommendation: Handle errors properly and consider using sync.WaitGroup or errgroup.

3. Large Function Complexity

File: pkg/commands/utils/interactive.go:242-385
The GetAppIDInteractive function is quite large (143 lines) and handles multiple concerns.
Recommendation: Consider breaking into smaller functions for better maintainability.

4. Hardcoded Constants

File: pkg/commands/utils/profile_utils.go:16-21

const (
    MaxImageSize         = 4 * 1024 * 1024 // 4MB
    MaxAppNameLength     = 100
    MaxDescriptionLength = 1000
)

Recommendation: Consider making these configurable or document why these specific limits were chosen.

5. Missing Context Propagation

File: pkg/commands/utils/interactive.go:1310-1314

go func(b []ethcommon.Address) {
    infos, _ := userApiClient.GetInfos(cCtx, b, 0)  // cCtx captured from closure
    resultsCh <- batchResult{batch: b, infos: infos}
}(batch)

Issue: Context is captured from closure which could lead to issues.
Recommendation: Pass context explicitly to the goroutine.

🧪 Testing Considerations

Observation: No test files were modified or added in this PR.

Recommendations:

• Add unit tests for validation functions in profile_utils.go
• Test image validation with various file types and sizes
• Test URL sanitization and validation logic
• Add integration tests for the profile upload flow
• Test error handling for network failures during profile operations

🚀 Performance Notes

Positive

• Efficient batching: Profile name fetching uses batching (max 10 apps per request) and parallel processing
• Sensible limits: Image size and text length limits prevent resource abuse
• Lazy loading: Profile info only fetched when needed

Minor Concerns

• Parallel API calls: Multiple concurrent API calls could overwhelm servers under load
• Image processing: All image validation happens in memory, could be optimized for very large files

🔧 Minor Issues

1. Magic Numbers

File: pkg/commands/utils/interactive.go:267

tail := prevLogs[max(0, len(prevLogs)-tailSize):]

Consider documenting why 65536 bytes was chosen for the tail size.

2. Error Message Consistency

Some error messages use different formats. Consider standardizing:

• "failed to X: %w" vs "X failed: %w"

3. Unused Import Potential

File: pkg/commands/utils/profile_utils.go:12
The slices package is imported but only used in a few places - confirm all usages are necessary.

✨ Recommendations

1. Add comprehensive tests - This is the most important improvement
2. Improve error handling in concurrent operations
3. Consider breaking up large functions for better maintainability
4. Document the profile validation rules clearly for users
5. Add configuration for size limits and validation rules
6. Consider adding profile validation dry-run mode for debugging

Overall Assessment

This is a well-implemented feature that follows Go best practices and maintains consistency with the existing codebase. The code is production-ready with proper error handling, security considerations, and user experience. The main areas for improvement are around testing coverage and handling concurrent operations more robustly.

Recommended action: ✅ Approve with minor suggestions - The code can be merged as-is, with the testing and error handling improvements implemented in follow-up PRs.

---