fix: Address full-repo review findings (28 of 61) (#21)

- Remove parser repoRoot global, thread root parameter (CRITICAL)
- Fix FetchAll data races with teamPartials struct
- Add GetProfiles pagination loop
- Validate Fleet server URL with url.Parse
- Warn on insecure HTTP and world-readable config files
- Reject .. in branch names, enforce HTTPS in doRequest
- Add -- separator to git fetch/diff commands
- Add .. path traversal check in scope.go
- Escape resource names in markdown table cells
- Sanitize HTTPError body (strip newlines)
- Remove repoRoot global, accept .yaml team files
- Error on non-map YAML overlay in merge
- Report query logging changes to empty string
- Deduplicate matchesAnyTeam, normalizeSoftwarePath
- Remove bare block scope in diffSoftware
- Fix stale docs: API endpoints, config paths, merge description

Ref #20

Author: TsekNet

README.md

@@ -70,7 +70,7 @@ fleet-plan --git --base base.yml --env environments/prod.yml --format markdown
 | `-v`, `--verbose` | Show full old/new values for modified fields | `-v` |
 | `--heading` | Custom heading for markdown output | `--heading "Staging diff"` |
 | `--detailed-exitcodes` | Exit 2 when changes detected (0=none, 1=error) | `--detailed-exitcodes` |
-| `--git` | CI mode: auto-detect platform, resolve changed files, infer teams, post MR/PR comment | `--git` |
+| `--git` | CI mode: auto-detect platform, resolve changed files, infer teams, post MR/PR comment (requires `--format markdown`) | `--git` |
 | `--base` | Path to base.yml for multi-env config merge (requires `--env`) | `--base base.yml` |
 | `--env` | Path to environment overlay YAML, merged with `--base` in-memory | `--env environments/prod.yml` |
 
@@ -87,7 +87,11 @@ Use `fleetctl gitops --dry-run` for secret substitution, server-side validation,
 
 ### Auth
 
-Set via flags, environment variables, or a config file (`~/.config/fleet-plan.json`):
+Set via flags, environment variables, or a config file. Config file search order (first found wins):
+
+1. `<repo>/.config/fleet-plan.json`
+2. `~/.config/fleet-plan.json`
+
 
 ```bash
 # Env vars (CI)
@@ -133,6 +137,7 @@ When `--git` is active, fleet-plan:
 | Env var | Used for |
 |---|---|
 | `FLEET_URL` / `FLEET_TOKEN` | Fleet API auth |
+| `FLEET_PLAN_INSECURE` | Set to `1` to allow plain HTTP connections (local dev only) |
 | `FLEET_PLAN_BOT` | GitLab: token for posting MR comments |
 | `GITHUB_TOKEN` | GitHub: token for posting PR comments |
 | `CI_JOB_URL` / `GITHUB_SERVER_URL` + `GITHUB_REPOSITORY` + `GITHUB_RUN_ID` | Link back to the pipeline job in the comment |

cmd/fleet-plan/main.go

@@ -144,8 +144,7 @@ func runDiff(cmd *cobra.Command, _ []string) error {
 
 	fmt.Fprintf(os.Stderr, "Fetching Fleet state from %s...\n", auth.URL)
 
-	fetchGlobal := repo.Global != nil
-	state, err := client.FetchAll(ctx, fetchGlobal)
+	state, err := client.FetchAll(ctx, repo.Global != nil)
 	if err != nil {
 		return err
 	}

docs/API-Endpoints.md

@@ -10,10 +10,12 @@ All read-only. fleet-plan never writes to your Fleet server.
 | `GET` | `/api/v1/fleet/teams/{id}/policies` | Per-team policies |
 | `GET` | `/api/v1/fleet/global/policies` | Global policies (when default.yml parsed) |
 | `GET` | `/api/v1/fleet/queries` | Per-team and global queries |
-| `GET` | `/api/v1/fleet/mdm/profiles` | MDM configuration profiles |
+| `GET` | `/api/v1/fleet/configuration_profiles` | MDM configuration profiles |
 | `GET` | `/api/v1/fleet/software/titles` | Managed software titles (paginated) |
 | `GET` | `/api/v1/fleet/software/fleet_maintained_apps` | Fleet-maintained app catalog (paginated) |
 | `GET` | `/api/v1/fleet/scripts` | Team scripts for line-count diff (paginated) |
+| `GET` | `/api/v1/fleet/scripts/{id}?alt=media` | Script content download |
+| `GET` | `/api/v1/fleet/software/titles/{id}` | Software title detail |
 
 Global endpoints (`/config`, `/global/policies`, `/queries` with teamID=0) are only called when `default.yml` defines global sections.
 

docs/Architecture.md

@@ -66,7 +66,7 @@ Priority order (highest wins):
 
 1. `--url` / `--token` flags
 2. `FLEET_URL` / `FLEET_TOKEN` env vars
-3. Config file: `~/.config/fleet-plan.json` or `<repo>/.config/fleet-plan.json`
+3. Config file: `<repo>/.config/fleet-plan.json` (checked first), then `~/.config/fleet-plan.json` (fallback)
 
 Config file supports multiple contexts:
 
@@ -118,11 +118,7 @@ Whitespace is normalized before comparison to avoid false positives from YAML vs
 
 ## Demo GIF
 
-`assets/vhs-demo.go` renders representative output from testdata for the README demo GIF. See [assets/README.md](https://github.com/TsekNet/fleet-plan/blob/main/assets/README.md) for prerequisites and setup. Regenerate:
-
-```bash
-vhs assets/demo.tape
-```
+`assets/vhs-demo.go` renders representative output from testdata for the README demo GIF. See [assets/README.md](https://github.com/TsekNet/fleet-plan/blob/main/assets/README.md) for prerequisites, setup, and regeneration steps.
 
 ---
 
@@ -148,7 +144,7 @@ When `--git` is active, the `git` package detects the CI platform and drives the
 - Maps are deep-merged: nested keys in the overlay are merged into the base map recursively.
 - Arrays are replaced: an overlay array replaces the base array entirely (no element-level merge).
 
-This mirrors how fleet-gitops environment overlays work, so the diff reflects the final merged config without writing a temporary file.
+This mirrors how fleet-gitops environment overlays work. The merged result is written to a temp file that is cleaned up on exit, so no persistent files are left behind.
 
 ---
 

internal/api/client.go

@@ -31,8 +31,17 @@ type Client struct {
 func NewClient(baseURL, token string) (*Client, error) {
 	baseURL = strings.TrimRight(baseURL, "/")
 
-	if strings.HasPrefix(strings.ToLower(baseURL), "http://") && os.Getenv("FLEET_PLAN_INSECURE") != "1" {
-		return nil, fmt.Errorf("refusing to send API token over plain HTTP (%s)\nUse https:// or set FLEET_PLAN_INSECURE=1 to override", baseURL)
+	parsed, err := url.Parse(baseURL)
+	if err != nil || parsed.Scheme == "" || parsed.Host == "" {
+		return nil, fmt.Errorf("invalid Fleet server URL %q: must include scheme and host", baseURL)
+	}
+
+	insecure := os.Getenv("FLEET_PLAN_INSECURE") == "1"
+	if strings.ToLower(parsed.Scheme) == "http" {
+		if !insecure {
+			return nil, fmt.Errorf("refusing to send API token over plain HTTP (%s)\nUse https:// or set FLEET_PLAN_INSECURE=1 to override", baseURL)
+		}
+		fmt.Fprintf(os.Stderr, "warning: FLEET_PLAN_INSECURE=1, sending API token over plain HTTP\n")
 	}
 
 	return &Client{
@@ -88,7 +97,9 @@ type HTTPError struct {
 }
 
 func (e *HTTPError) Error() string {
-	return fmt.Sprintf("HTTP %d from %s: %s", e.StatusCode, e.URL, e.Body)
+	body := strings.ReplaceAll(e.Body, "\n", " ")
+	body = strings.ReplaceAll(body, "\r", " ")
+	return fmt.Sprintf("HTTP %d from %s: %s", e.StatusCode, e.URL, body)
 }
 
 // isPermissionError returns true if err is an HTTP 403 or 404, which indicates
@@ -291,6 +302,9 @@ type labelsResponse struct {
 
 type profilesResponse struct {
 	Profiles []Profile `json:"profiles"`
+	Meta     struct {
+		HasNextResults bool `json:"has_next_results"`
+	} `json:"meta"`
 }
 
 type scriptsResponse struct {
@@ -525,17 +539,32 @@ func (c *Client) GetLabels(ctx context.Context) ([]Label, error) {
 	return all, nil
 }
 
-// GetProfiles fetches MDM profiles for a team.
+// GetProfiles fetches MDM profiles for a team with pagination.
 func (c *Client) GetProfiles(ctx context.Context, teamID uint) ([]Profile, error) {
-	q := url.Values{"per_page": {"250"}}
-	if teamID > 0 {
-		q.Set("team_id", strconv.FormatUint(uint64(teamID), 10))
-	}
-	var resp profilesResponse
-	if err := c.get(ctx, "/api/v1/fleet/configuration_profiles", q, &resp); err != nil {
-		return nil, fmt.Errorf("fetching profiles (team %d): %w", teamID, err)
+	var all []Profile
+	page := 0
+	for {
+		q := url.Values{
+			"per_page": {"250"},
+			"page":     {strconv.Itoa(page)},
+		}
+		if teamID > 0 {
+			q.Set("team_id", strconv.FormatUint(uint64(teamID), 10))
+		}
+		var resp profilesResponse
+		if err := c.get(ctx, "/api/v1/fleet/configuration_profiles", q, &resp); err != nil {
+			return nil, fmt.Errorf("fetching profiles (team %d): %w", teamID, err)
+		}
+		all = append(all, resp.Profiles...)
+		if !resp.Meta.HasNextResults || len(resp.Profiles) == 0 {
+			break
+		}
+		page++
+		if page > 100 { // safety: max 25k profiles
+			break
+		}
 	}
-	return resp.Profiles, nil
+	return all, nil
 }
 
 // GetScripts fetches scripts for a team with pagination.
@@ -646,34 +675,55 @@ func (c *Client) FetchAll(ctx context.Context, fetchGlobal ...bool) (*FleetState
 	g, gctx := errgroup.WithContext(ctx)
 	g.SetLimit(5)
 
+	// Local variables for global results; assigned to state after g.Wait().
+	var (
+		globalConfig   map[string]any
+		globalPolicies []Policy
+		globalQueries  []Query
+	)
+
 	// Fetch global config/policies/queries in parallel with team resources
 	if wantGlobal {
 		g.Go(func() error {
 			cfg, err := c.GetConfig(gctx)
 			if err != nil {
 				return err
 			}
-			state.Config = cfg
+			globalConfig = cfg
 			return nil
 		})
 		g.Go(func() error {
 			policies, err := c.GetPolicies(gctx, 0)
 			if err != nil {
 				return err
 			}
-			state.GlobalPolicies = policies
+			globalPolicies = policies
 			return nil
 		})
 		g.Go(func() error {
 			queries, err := c.GetQueries(gctx, 0)
 			if err != nil {
 				return err
 			}
-			state.GlobalQueries = queries
+			globalQueries = queries
 			return nil
 		})
 	}
 
+	// teamPartials holds per-goroutine results indexed by team slot.
+	// Each field is written by exactly one goroutine, so there is no data race.
+	type teamPartial struct {
+		policies            []Policy
+		queries             []Query
+		profiles            []Profile
+		profilesUnavailable bool
+		softwareTitles      []SoftwareTitle
+		softwareUnavailable bool
+		scripts             []Script
+		scriptsUnavailable  bool
+	}
+	teamPartials := make([]teamPartial, len(teams))
+
 	teamResults := make([]Team, len(teams))
 	for i, t := range teams {
 		teamResults[i] = t
@@ -685,7 +735,7 @@ func (c *Client) FetchAll(ctx context.Context, fetchGlobal ...bool) (*FleetState
 			if err != nil {
 				return err
 			}
-			teamResults[idx].Policies = policies
+			teamPartials[idx].policies = policies
 			return nil
 		})
 
@@ -694,7 +744,7 @@ func (c *Client) FetchAll(ctx context.Context, fetchGlobal ...bool) (*FleetState
 			if err != nil {
 				return err
 			}
-			teamResults[idx].Queries = queries
+			teamPartials[idx].queries = queries
 			return nil
 		})
 
@@ -704,10 +754,10 @@ func (c *Client) FetchAll(ctx context.Context, fetchGlobal ...bool) (*FleetState
 				if !isPermissionError(err) {
 					return err
 				}
-				teamResults[idx].ProfilesUnavailable = true
+				teamPartials[idx].profilesUnavailable = true
 				profiles = nil
 			}
-			teamResults[idx].Profiles = profiles
+			teamPartials[idx].profiles = profiles
 			return nil
 		})
 
@@ -717,10 +767,10 @@ func (c *Client) FetchAll(ctx context.Context, fetchGlobal ...bool) (*FleetState
 				if !isPermissionError(err) {
 					return err
 				}
-				teamResults[idx].SoftwareUnavailable = true
+				teamPartials[idx].softwareUnavailable = true
 				softwareTitles = nil
 			}
-			teamResults[idx].SoftwareTitles = softwareTitles
+			teamPartials[idx].softwareTitles = softwareTitles
 			return nil
 		})
 
@@ -730,10 +780,10 @@ func (c *Client) FetchAll(ctx context.Context, fetchGlobal ...bool) (*FleetState
 				if !isPermissionError(err) {
 					return err
 				}
-				teamResults[idx].ScriptsUnavailable = true
+				teamPartials[idx].scriptsUnavailable = true
 				scripts = nil
 			}
-			teamResults[idx].Scripts = scripts
+			teamPartials[idx].scripts = scripts
 			return nil
 		})
 	}
@@ -742,6 +792,26 @@ func (c *Client) FetchAll(ctx context.Context, fetchGlobal ...bool) (*FleetState
 		return nil, err
 	}
 
+	// Assign global results after all goroutines have completed.
+	if wantGlobal {
+		state.Config = globalConfig
+		state.GlobalPolicies = globalPolicies
+		state.GlobalQueries = globalQueries
+	}
+
+	// Assign per-team partial results.
+	for i := range teamResults {
+		p := &teamPartials[i]
+		teamResults[i].Policies = p.policies
+		teamResults[i].Queries = p.queries
+		teamResults[i].Profiles = p.profiles
+		teamResults[i].ProfilesUnavailable = p.profilesUnavailable
+		teamResults[i].SoftwareTitles = p.softwareTitles
+		teamResults[i].SoftwareUnavailable = p.softwareUnavailable
+		teamResults[i].Scripts = p.scripts
+		teamResults[i].ScriptsUnavailable = p.scriptsUnavailable
+	}
+
 	// Enrich script contents (second pass, needs script IDs from first pass)
 	for i := range teamResults {
 		if !teamResults[i].ScriptsUnavailable && len(teamResults[i].Scripts) > 0 {

internal/config/config.go

@@ -62,6 +62,11 @@ func loadConfigFile(root string) configFile {
 	if err != nil {
 		return configFile{}
 	}
+	if info, err := os.Stat(path); err == nil {
+		if mode := info.Mode().Perm(); mode&0o077 != 0 {
+			fmt.Fprintf(os.Stderr, "warning: %s is readable by others (mode %04o), consider chmod 600\n", path, mode)
+		}
+	}
 	var cfg configFile
 	if err := json.Unmarshal(data, &cfg); err != nil {
 		return configFile{}