From 8b448b948132d0a05b6d4bfcf1bfdd18f794c240 Mon Sep 17 00:00:00 2001
From: DhanushSantosh <dhanushsantoshs05@gmail.com>
Date: Fri, 16 Jan 2026 12:54:45 +0530
Subject: [PATCH] fix: address CodeRabbit security and validation issues in
 Fedora docs and backlog plan

Documentation improvements:
- Fix GitHub URL placeholder issues in install-fedora.md - GitHub /latest/download/ endpoint
  doesn't support version substitution, use explicit download URL pattern instead
- Improve security in network troubleshooting section:
  - Change ping target from claude.ai (marketing site) to api.anthropic.com (actual API)
  - Remove unsafe 'echo \$ANTHROPIC_API_KEY' command that exposes secrets in shell history
  - Use safe API key check with conditional output instead

Code improvements:
- apps/server/src/routes/backlog-plan/common.ts: Add Array.isArray() validation
  for stored plan shape before returning it. Ensures changes is actually an array,
  not just truthy, preventing downstream runtime errors.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
---
 apps/server/src/routes/backlog-plan/common.ts |  2 +-
 docs/install-fedora.md                        | 20 ++++++++++++-------
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/apps/server/src/routes/backlog-plan/common.ts b/apps/server/src/routes/backlog-plan/common.ts
index 254e8d40..1fab1e2a 100644
--- a/apps/server/src/routes/backlog-plan/common.ts
+++ b/apps/server/src/routes/backlog-plan/common.ts
@@ -78,7 +78,7 @@ export async function loadBacklogPlan(projectPath: string): Promise<StoredBacklo
     const filePath = getBacklogPlanPath(projectPath);
     const raw = await secureFs.readFile(filePath, 'utf-8');
     const parsed = JSON.parse(raw as string) as StoredBacklogPlan;
-    if (!parsed?.result?.changes) {
+    if (!Array.isArray(parsed?.result?.changes)) {
       return null;
     }
     return parsed;
diff --git a/docs/install-fedora.md b/docs/install-fedora.md
index 5877e8ea..e43a3ccf 100644
--- a/docs/install-fedora.md
+++ b/docs/install-fedora.md
@@ -43,18 +43,20 @@ See main [README.md authentication section](../README.md#authentication) for det
 
 ### Option 2: Install Directly from URL
 
-Install from GitHub releases URL without downloading first:
+Install from GitHub releases URL without downloading first. Visit [releases page](https://github.com/AutoMaker-Org/automaker/releases) to find the latest version.
 
 **Fedora:**
 
 ```bash
-sudo dnf install https://github.com/AutoMaker-Org/automaker/releases/latest/download/Automaker-<version>-x86_64.rpm
+# Replace v0.11.0 with the actual latest version
+sudo dnf install https://github.com/AutoMaker-Org/automaker/releases/download/v0.11.0/Automaker-0.11.0-x86_64.rpm
 ```
 
 **RHEL/CentOS:**
 
 ```bash
-sudo yum install https://github.com/AutoMaker-Org/automaker/releases/latest/download/Automaker-<version>-x86_64.rpm
+# Replace v0.11.0 with the actual latest version
+sudo yum install https://github.com/AutoMaker-Org/automaker/releases/download/v0.11.0/Automaker-0.11.0-x86_64.rpm
 ```
 
 ## Running Automaker
@@ -289,13 +291,13 @@ If Claude API calls fail:
 
 ```bash
 # Test internet connectivity
-ping claude.ai
+ping -c 3 api.anthropic.com
 
 # Test API access
 curl -I https://api.anthropic.com
 
-# Verify API key
-echo $ANTHROPIC_API_KEY
+# Verify API key is set (without exposing the value)
+[ -n "$ANTHROPIC_API_KEY" ] && echo "API key is set" || echo "API key is NOT set"
 ```
 
 ## Uninstallation
@@ -384,7 +386,11 @@ sudo yum update automaker
 
 # Or reinstall latest release
 sudo dnf remove automaker
-sudo dnf install https://github.com/AutoMaker-Org/automaker/releases/latest/download/Automaker-<version>-x86_64.rpm
+
+# Download the latest .rpm from releases page
+# https://github.com/AutoMaker-Org/automaker/releases
+# Then reinstall with:
+# sudo dnf install ./Automaker-<VERSION>-x86_64.rpm
 ```
 
 ## Getting Help