Address PR review feedback: security, CLI ergonomics, git2 add_submodule, and correctness fixes

[Copilot]

Addresses all suggestions from the review of #12. Fixes a security concern in MCP config, corrects Cargo.toml metadata, improves CLI UX by hiding internal sentinel values, and replaces the always-failing git2 add_submodule stub with a real implementation.

Cargo.toml

• Remove duplicate license/license-file fields — keep only license-file = "LICENSE.md"
• Reduce keywords to 5 (crates.io hard limit)

Security

• Remove ~/.cargo from .roo/mcp.json filesystem MCP allowlist to prevent exposure of registry credentials

src/utilities.rs

• Drop invalid use anyhow::Ok and redundant use std::result::Result; use use anyhow::Result
• Fix name_from_osstring(): null-byte check was unreachable for non-empty strings; now validates null bytes first, then rejects empty/whitespace-only names

CLI — Unspecified sentinel hiding

• Add #[value(skip)] to the Unspecified variant on SerializableIgnore, SerializableFetchRecurse, and SerializableUpdate so it never surfaces in --help or tab completion

CLI — add command option types

• Change --ignore, --fetch, --update in Add from default_value = "unspecified" non-optional fields to Option<...> — users only see semantically meaningful choices:

# Before: "unspecified" visible as a valid CLI value
# After: flag is simply omitted when not provided, None propagated downstream
submod add https://example.com/repo.git --ignore dirty --update rebase

git2 — real add_submodule implementation

Replace the stub that always returned an error (forcing CLI fallback as the primary path) with a proper git2 implementation:

1. repo.submodule(url, path, use_gitlink) — registers in .gitmodules + index
2. sub.clone(update_opts) — clones with optional depth(1) for shallow
3. sub.add_to_index() + sub.add_finalize()
4. Post-clone git config writes for branch, ignore, fetchRecurseSubmodules, and update

CLI fallback (git_ops/mod.rs)

• Last-resort git submodule add invocation now forwards --branch and --depth 1 (shallow) from SubmoduleAddOptions

Docs / samples

• Add submodule name to submod delete and submod disable README examples
• Fix typo "fetchest" → "fetches" in sample_config/submod.toml

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• nonexistent.domain.invalid
  • Triggering command: /home/REDACTED/work/submod/submod/target/debug/submod /home/REDACTED/work/submod/submod/target/debug/submod add REDACTED --name invalid-test --path lib/invalid o o o target/debug/deps/config_tests-cuser.email git chec�� -b main /home/REDACTED/.local/bin/git .o .o .o git (dns block)
  • Triggering command: /home/REDACTED/work/submod/submod/target/debug/submod /home/REDACTED/work/submod/submod/target/debug/submod add REDACTED --name invalid-test --path lib/invalid cal/bin/cargo o o o git comm�� (dns block)
• nonexistent.invalid.domain.test
  • Triggering command: /home/REDACTED/work/submod/submod/target/debug/submod /home/REDACTED/work/submod/submod/target/debug/submod add REDACTED --name timeout-test --path lib/timeout e/git (dns block)
  • Triggering command: /home/REDACTED/work/submod/submod/target/debug/submod /home/REDACTED/work/submod/submod/target/debug/submod add REDACTED --name timeout-test --path lib/timeout nfig/composer/vendor/bin/git k/submod/submod/git k/submod/submod/config rgo/bin/git git conf�� user.name Test User cal/bin/git k/submod/submod/git k/submod/submod/submodule de/node/bin/git git (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

This PR addresses prior review feedback by tightening MCP filesystem allowlists, improving CLI ergonomics around internal sentinel values, fixing name parsing correctness, and implementing a real git2-backed add_submodule (with CLI fallback improvements).

Changes:

• Harden MCP config by removing ~/.cargo from the filesystem allowlist.
• Improve CLI UX by hiding internal Unspecified sentinel variants and making add --ignore/--fetch/--update truly optional (Option<...>).
• Replace the git2 add_submodule stub with a functional implementation and enhance the CLI fallback to forward --branch and shallow depth.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
src/utilities.rs	Fixes name_from_osstring validation ordering and updates anyhow imports.
src/options.rs	Hides internal Unspecified sentinel variants from clap help/completions.
src/commands.rs	Makes add command’s --ignore/--fetch/--update optional (Option<...>).
src/main.rs	Propagates optional ignore/fetch/update values into GitManager::add_submodule.
src/git_ops/mod.rs	Improves CLI fallback git submodule add invocation by forwarding --branch and --depth 1.
src/git_ops/git2_ops.rs	Implements git2-based add_submodule with clone/index/finalize and config writes.
.roo/mcp.json	Removes ~/.cargo from MCP filesystem server args to avoid credential exposure.
Cargo.toml	Removes duplicate license metadata and reduces keywords count.
README.md	Updates example usage to include submodule names for delete/disable.
sample_config/submod.toml	Fixes typo (“fetchest” → “fetches”).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

repo.submodule(&opts.url, opts.path.as_path(), true) ignores opts.name (it only appears in error messages). This makes backend behavior diverge from the CLI fallback (which passes --name) and can lead to the submodule being registered under its path instead of the user-supplied name. If opts.name is intended to be authoritative, adjust the git2 path to ensure .gitmodules/submodule naming matches it (or explicitly document/enforce that name == path for the git2 backend).

[Copilot]

Config writes in add_submodule() use path_str in keys like submodule.<...>.branch/ignore/update/fetchRecurseSubmodules, but the rest of this module reads these settings using the submodule name (e.g. get_submodule_branch() builds submodule.{name}.branch). This mismatch means the settings written here may never be read back (especially when name != path). Use a consistent identifier for both reading and writing (ideally the actual git submodule name returned by git2 after creation).

[Copilot]

This implementation performs side-effecting steps (creating the submodule entry / writing .gitmodules, cloning, staging) before returning an error. Since the higher-level fallback chain will try the CLI path on failure, a mid-way failure here can leave a partially-added submodule that makes the CLI fallback fail or produce a broken repo state. Consider making this operation transactional (best-effort cleanup of .gitmodules/index/workdir on error) or preventing CLI fallback if git2 has already mutated repo state.

[Copilot]

name_from_osstring() can still return an empty name when the input ends with a path separator (e.g. "foo/bar/") because split(MAIN_SEPARATOR).last() becomes "", which bypasses the earlier trim().is_empty() check. Consider trimming trailing separators before splitting, or (more robustly) using Path::new(..).file_name() and validating the extracted component is non-empty/non-whitespace.

Suggested change

	if s.trim().is_empty() {
	return Err(anyhow::anyhow!("Name cannot be empty or whitespace-only"));
	}
	let sep = std::path::MAIN_SEPARATOR.to_string();
	s.trim()
	.split(&sep)
	.last()
	.map(|name| name.to_string())
	.ok_or_else(|| anyhow::anyhow!("Failed to extract name from OsString"))
	let trimmed = s.trim();
	if trimmed.is_empty() {
	return Err(anyhow::anyhow!("Name cannot be empty or whitespace-only"));
	}
	let path = std::path::Path::new(trimmed);
	let component = path
	.file_name()
	.ok_or_else(|| anyhow::anyhow!("Failed to extract name from OsString"))?;
	let component_str = component
	.to_str()
	.ok_or_else(|| anyhow::anyhow!("Failed to convert OsString component to UTF-8"))?;
	let name = component_str.trim();
	if name.is_empty() {
	return Err(anyhow::anyhow!("Name cannot be empty or whitespace-only"));
	}
	Ok(name.to_string())