feat: organize CLI help commands into logical groups #317
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Organize the sourcetool CLI help output into three logical command groups to improve discoverability and user experience: - Verification Commands: verifycommit, audit, status - Attestation & Evaluation Commands: checklevel, checklevelprov, checktag, prov - Configuration & Setup Commands: setup, auth, policy, createpolicy This uses Cobra's AddGroup feature to categorize commands by their primary function, making it easier for users to find the command they need. Assisted-by: Claude Code Signed-off-by: Ralph Bean <[email protected]>
Move createpolicy and policy commands from the Configuration & Setup group into their own Policy Commands group for better organization. The help output now shows four distinct command groups: - Verification Commands - Attestation & Evaluation Commands - Policy Commands - Configuration & Setup Commands This makes policy management commands more discoverable and logically separated from general configuration tasks. Assisted-by: Claude Code Signed-off-by: Ralph Bean <[email protected]>
Change audit command short description from "Audits the SLSA properties and controls of a repository" to "Verifies multiple commits in the branch history" to better describe what the command actually does. The word "multiple" is more accurate than "all" since the command can be limited with --depth and --ending-commit flags. Assisted-by: Claude Code Signed-off-by: Ralph Bean <[email protected]>
Rename "Attestation & Evaluation Commands" to "Assessment Commands" and move status from Verification to Assessment group. The new organization better reflects command behavior: Verification Commands (2): - audit: verifies multiple commits by reading existing VSAs - verifycommit: verifies single commit by reading existing VSA Assessment Commands (5): - status: assesses current repository controls - checklevel: assesses controls and creates VSA - checklevelprov: assesses with provenance creation - checktag: assesses tag operations - prov: creates provenance without policy evaluation "Assessment" encompasses both evaluation (status, checklevel) and attestation creation (prov), making it a better umbrella term than "Attestation & Evaluation". Assisted-by: Claude Code Signed-off-by: Ralph Bean <[email protected]>
TomHennen
reviewed
Oct 11, 2025
There was a problem hiding this comment.
Thanks, this generally LGTM. I definitely understand the confusion around the many commands, most of that is my fault. I think @puerco has plans to eventually remove some of the redundant ones.
Does this look good to you Puerco?
puerco
approved these changes
Oct 12, 2025
There was a problem hiding this comment.
I love how much clearer the CLI is now @ralphbean !
Even if we consolidate some of the commands later, the groups describe well the current and planned functions of the tool, so any upcoming features will fit within them. Thanks!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
As a new user, I felt overwhelmed by the variety of subcommands. Lots of check* options mixed in with audit and verify. At a certain level, "check" and "verify" feel like synonyms. The --help didn't help me build a mental model for how the subcommands should be used in a workflow.
In this change, I organized the sourcetool CLI help output into four logical command groups to hopefully improve comprehension and user experience.
Changes
Command Groups
Verification Commands (2 commands)
audit- Verifies multiple commits in the branch historyverifycommit- Verifies the specified commit is validAssessment Commands (5 commands)
status- Check the SLSA Source status of a repo/branchchecklevel- Determines the SLSA Source Level of the repochecklevelprov- Checks the given commit against policy using & creating provenancechecktag- Checks to see if the tag operation should be allowed and issues a VSAprov- Creates provenance for the given commit, but does not check policyPolicy Commands (2 commands)
policy- tools to work with source policiescreatepolicy- Creates a policy in a local copy of source-policiesConfiguration & Setup Commands (2 commands)
auth- Manage user authenticationsetup- configure SLSA source features in a repositoryImplementation Details
AddGroupfeature (supported in v1.10.1+)GroupIDto categorize itRationale
Why move
statusto Assessment?statusreads GitHub API controls, not VSAs (same data sources aschecklevel)checklevel- both evaluate controls to determine SLSA levelstatusis essentially a read-only version ofchecklevelWhy "Assessment" instead of "Evaluation"?
Testing
Before/After
Before:
After:
Generated with assistance from Claude Code