fix: remove broken GitHub App install link

[anandgupta42]

Summary

• remove the nonexistent public altimate-code-agent GitHub App links from README/docs
• stop hardcoding a public GitHub App URL in the CLI
• allow private deployments to provide ALTIMATE_CODE_GITHUB_APP_INSTALL_URL explicitly
• fail clearly when the CLI install flow needs an app URL but none is configured

Validation

• rg -n "github.com/apps/altimate-code-agent|installations/new|Install GitHub App|Install the GitHub App" README.md docs github packages/opencode/src/cli/cmd/github.ts packages/opencode/test/cli/github-action.test.ts returned no matches
• bun test --timeout 30000 test/cli/github-action.test.ts test/skill/release-v0.8.5-adversarial.test.ts
• bun run typecheck

Context: PR #900 was already merged and released. GitHub returns 404 for /apps/altimate-code-agent, so this PR removes the broken public link instead of replacing it with another guessed URL.

Summary by CodeRabbit

• Bug Fixes

  • Stop relying on a hardcoded GitHub App installation URL; CLI now validates the install URL and halts with a clear configuration message if unset.

• Documentation

  • Removed/updated explicit GitHub App install links and adjusted installation instructions across READMEs and docs.

• Tests

  • Updated tests to expect the install URL value is not hardcoded.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The CLI now reads the GitHub App install URL from ALTIMATE_CODE_GITHUB_APP_INSTALL_URL (empty by default) and validates it before opening a browser; the test and multiple README/docs links/badge were updated to remove the hardcoded /installations/new reference.

Changes

GitHub App install URL config & docs

Layer / File(s)	Summary
CLI: env-driven URL and runtime validation packages/opencode/src/cli/cmd/github.ts, packages/opencode/test/cli/github-action.test.ts	GITHUB_APP_INSTALL_URL now comes from process.env.ALTIMATE_CODE_GITHUB_APP_INSTALL_URL ?? "". The installer flow checks the value, emits a configuration error and throws UI.CancelledError when unset; the test expects "" instead of a hardcoded installations/new URL.
Documentation and README link updates README.md, docs/docs/usage/dbt-pr-review.md, github/README.md	Badge and inline install links/instructions were removed or changed so docs no longer point to the /installations/new repository-selection flow; github/README.md now documents the deployment-specific install URL and reorders manual setup steps.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• AltimateAI/altimate-code#900: Modifies packages/opencode/src/cli/cmd/github.ts around the GitHub App install URL behavior and constants.

Suggested labels

needs-review:blocked

Poem

🐰 I twitch my nose at links that stray,
From /installations/new I hop away,
Env-driven paths and docs made neat,
One constant, one test, the setup complete—
Hooray for tidy URLs and a carrot treat! 🥕🐇

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is missing the required 'PINEAPPLE' declaration at the top (required for AI-generated contributions) and lacks a 'Test Plan' section with testing details.	Add 'PINEAPPLE' at the very beginning of the description and include a 'Test Plan' section describing how the changes were validated.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: removing broken GitHub App install links from documentation and CLI code.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/stable-github-app-install-url

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 5 files

_{Re-trigger cubic}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/opencode/src/cli/cmd/github.ts (1)

337-352: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Command injection risk from env-controlled install URL.

On Line 337/345-352, GITHUB_APP_INSTALL_URL comes from ALTIMATE_CODE_GITHUB_APP_INSTALL_URL and is interpolated into a shell command passed to exec(...). A crafted value with quotes/metacharacters can break out of the quoted URL and execute arbitrary commands.

Use non-shell process APIs (execFile/spawn with argument arrays) and validate with new URL(...) + allowlisted host/path before launching.

Suggested hardening

-import { exec } from "child_process"
+import { execFile } from "child_process"

...
-            const command =
-              process.platform === "darwin"
-                ? `open "${url}"`
-                : process.platform === "win32"
-                  ? `start "" "${url}"`
-                  : `xdg-open "${url}"`
-
-            exec(command, (error) => {
+            let parsed: URL
+            try {
+              parsed = new URL(url)
+            } catch {
+              s.stop("GitHub app installation URL is invalid.")
+              throw new UI.CancelledError()
+            }
+            if (parsed.protocol !== "https:" || parsed.hostname !== "github.com" || !parsed.pathname.startsWith("/apps/")) {
+              s.stop("GitHub app installation URL must be a https://github.com/apps/... URL.")
+              throw new UI.CancelledError()
+            }
+
+            const [bin, args] =
+              process.platform === "darwin"
+                ? ["open", [parsed.toString()]]
+                : process.platform === "win32"
+                  ? ["rundll32", ["url.dll,FileProtocolHandler", parsed.toString()]]
+                  : ["xdg-open", [parsed.toString()]]
+
+            execFile(bin, args, (error) => {
               if (error) {
                 prompts.log.warn(`Could not open browser. Please visit: ${url}`)
               }
             })

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/opencode/src/cli/cmd/github.ts` around lines 337 - 352, The code
builds a shell command using GITHUB_APP_INSTALL_URL and passes it to exec (see
the exec call and command variable assembled based on process.platform), which
allows command injection; fix by parsing and validating GITHUB_APP_INSTALL_URL
with new URL(...) and enforcing an allowlist on hostname/path, then launch the
browser without a shell by using execFile or spawn with an argument array
(platform-specific handling for "open"/"start"/"xdg-open" commands) instead of
interpolating the URL into a shell string; update the code around the command
variable, the exec(...) invocation, and any error handling to use the new
validated URL and non-shell process API.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@packages/opencode/src/cli/cmd/github.ts`:
- Around line 337-352: The code builds a shell command using
GITHUB_APP_INSTALL_URL and passes it to exec (see the exec call and command
variable assembled based on process.platform), which allows command injection;
fix by parsing and validating GITHUB_APP_INSTALL_URL with new URL(...) and
enforcing an allowlist on hostname/path, then launch the browser without a shell
by using execFile or spawn with an argument array (platform-specific handling
for "open"/"start"/"xdg-open" commands) instead of interpolating the URL into a
shell string; update the code around the command variable, the exec(...)
invocation, and any error handling to use the new validated URL and non-shell
process API.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 43a90369-b9c8-455b-a944-2bd25d975c4a

📥 Commits

Reviewing files that changed from the base of the PR and between 3f2bf72 and 6aded6e.

📒 Files selected for processing (5)

• README.md
• docs/docs/usage/dbt-pr-review.md
• github/README.md
• packages/opencode/src/cli/cmd/github.ts
• packages/opencode/test/cli/github-action.test.ts

[dev-punia-altimate]

Multi-Persona Review — Verdict: skipped

Multi-persona review completed.

0/0 agents completed · 2s · 0 findings (0 critical, 0 high, 0 medium)

---

_{Multi-Persona Review · vllm:qwen3-next-80b (waves) + vllm-fallback (synth) ·}