chore: Add displayName

[gonzalezzfelipe]

Summary by CodeRabbit

• New Features

  • Added configurable displayName option across multiple Helm charts for custom display name overrides.

• Security

  • Improved command execution security by escaping user-supplied arguments in Helm install operations.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds displayName Helm value field across multiple extension charts, introduces shell escaping for user-supplied arguments in dashboard Helm install utilities, and updates annotation handling to incorporate custom display names from release configurations.

Changes

Cohort / File(s)	Summary
Helm Chart Values extensions/apex-fusion/values.yaml, extensions/cardano-node/values.yaml, extensions/dolos/values.yaml, extensions/hydra-node/values.yaml, extensions/midnight/values.yaml	Added top-level displayName: "" field to each chart's values file, providing configurable display name metadata.
Shell Command Escaping frontends/dashboard/src/utils/helm-install/dolos.ts, frontends/dashboard/src/utils/helm-install/midnight.ts, frontends/dashboard/src/utils/helm-install/index.ts	Wrapped user-supplied arguments (name, image, namespace, version) with shellEscape() before interpolating into helm install commands to prevent shell injection.
Shell Escape Utility frontends/dashboard/src/utils/process.ts	Added new exported shellEscape(value: string) helper function that wraps strings in single quotes and escapes embedded quotes for shell-safe execution.
Display Name Annotation Handling frontends/dashboard/src/utils/home/calls.ts	Updated getAnnotationsFromRelease to prioritize release.config.displayName override (trimmed if present) over chart metadata annotations when building returned annotation object.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

Possibly related PRs

• feat: ui updates on console #20: Modifies the same dashboard Helm install utilities and process helpers (frontends/dashboard/src/utils/helm-install/* and frontends/dashboard/src/utils/process.ts).
• chore: Add apex extension #15: Updates extensions/apex-fusion/values.yaml with identical displayName field addition to the main PR.
• feat: update supernode console #18: Modifies both the Helm install utilities and home annotation handling functions that this PR addresses.

Poem

🐰 With escapes and display names so bright,
Shell injections flee into the night,
Annotations dance, displayName takes flight,
Each Helm chart glows with metadata's delight!
🎨✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: Add displayName' accurately summarizes the main changes, which add a new displayName configuration field across multiple files and introduce shell escaping utilities.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/add-display-name

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@frontends/dashboard/src/utils/process.ts`:
- Around line 7-10: The helper shellEscape is fine but runCommand currently
accepts raw shell strings allowing command injection; change runCommand to use
argv-style execution (e.g., execFile/spawn with an args array) instead of
interpolating into a shell, update callers that build shell templates
(references: runCommand, shellEscape and the helm-related callsites that
interpolate namespace/releaseName/image/secretName and the home callsite that
interpolates name/namespace) to pass each token as a separate argument rather
than embedding them in a shell string, and remove reliance on manual shellEscape
at those callsites so all command construction uses safe argv parameters.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e941cced-ff10-4ec4-aa47-aaa6ae76ab50

📥 Commits

Reviewing files that changed from the base of the PR and between b230e64 and 95b59b9.

📒 Files selected for processing (10)

• extensions/apex-fusion/values.yaml
• extensions/cardano-node/values.yaml
• extensions/dolos/values.yaml
• extensions/hydra-node/values.yaml
• extensions/midnight/values.yaml
• frontends/dashboard/src/utils/helm-install/dolos.ts
• frontends/dashboard/src/utils/helm-install/index.ts
• frontends/dashboard/src/utils/helm-install/midnight.ts
• frontends/dashboard/src/utils/home/calls.ts
• frontends/dashboard/src/utils/process.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find runCommand template literals with interpolations not wrapped by shellEscape(...)
python - <<'PY'
import pathlib, re
for p in pathlib.Path('.').rglob('*.ts'):
    txt = p.read_text(encoding='utf-8', errors='ignore')
    for m in re.finditer(r'runCommand\(`([\s\S]*?)`\.trim\(\)\)', txt):
        cmd = m.group(1)
        if '${' not in cmd:
            continue
        exprs = re.findall(r'\$\{([^}]*)\}', cmd)
        bad = [e.strip() for e in exprs if not e.strip().startswith('shellEscape(')]
        if bad:
            line = txt.count('\n', 0, m.start()) + 1
            print(f"{p}:{line} -> {bad}")
PY

# Scope where shell-based exec is used
rg -nP --type=ts '\bexec\(' -C2

Repository: txpipe/metis

Length of output: 930

---

🏁 Script executed:

# Check if helm.ts exists and inspect the mentioned lines
fd -t f "helm.ts" 2>/dev/null | head -5

# Check the exact location in midnight.ts
cat -n frontends/dashboard/src/utils/helm-install/midnight.ts 2>/dev/null | sed -n '20,35p'

# Check home/calls.ts at the mentioned line
cat -n frontends/dashboard/src/utils/home/calls.ts 2>/dev/null | sed -n '325,340p'

# Verify the shellEscape function is correctly implemented
cat -n frontends/dashboard/src/utils/process.ts 2>/dev/null | head -20

Repository: txpipe/metis

Length of output: 1989

---

🏁 Script executed:

# Check the full helm.ts file for lines around 126-139
wc -l frontends/dashboard/src/utils/helm.ts

# Show lines 120-145 if they exist
cat -n frontends/dashboard/src/utils/helm.ts 2>/dev/null | sed -n '120,145p'

Repository: txpipe/metis

Length of output: 935

---

Shell escaping is incomplete; multiple callsites have unescaped interpolations that expose command injection.

The shellEscape() helper is correctly implemented, but runCommand() still accepts raw shell strings—making safety dependent on every caller remembering to escape. Current code has unescaped variables at:

• frontends/dashboard/src/utils/helm.ts:126-127 (${namespace} in template)
• frontends/dashboard/src/utils/helm.ts:139 (${releaseName}, ${image}, ${namespace})
• frontends/dashboard/src/utils/helm.ts:30 (${secretName} in helm set)
• frontends/dashboard/src/utils/home/calls.ts:332 (${name}, ${namespace})

Prefer argv-based execution (execFile/spawn) to eliminate interpolation risks entirely—this prevents the class of errors already present in the codebase.

Proposed hardening direction (root-cause fix)

 import { promisify } from 'util';
 import childProcess from 'child_process';

 const exec = promisify(childProcess.exec);
+const execFile = promisify(childProcess.execFile);
 const DEFAULT_TIMEOUT = 30000; // 30 seconds

 export function shellEscape(value: string): string {
   const quote = '\'';
   return quote + value.replace(/'/g, `${quote}\\${quote}${quote}`) + quote;
 }
 
+export async function runCommandArgs(command: string, args: string[]): Promise<string> {
+  const { stdout, stderr } = await execFile(command, args, { timeout: DEFAULT_TIMEOUT });
+  if (stderr && !stderr.toLowerCase().includes('warning')) {
+    throw new Error(stderr);
+  }
+  return stdout;
+}
+
 export async function runCommand(command: string): Promise<string> {
   const { stdout, stderr } = await exec(command, { timeout: DEFAULT_TIMEOUT });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontends/dashboard/src/utils/process.ts` around lines 7 - 10, The helper
shellEscape is fine but runCommand currently accepts raw shell strings allowing
command injection; change runCommand to use argv-style execution (e.g.,
execFile/spawn with an args array) instead of interpolating into a shell, update
callers that build shell templates (references: runCommand, shellEscape and the
helm-related callsites that interpolate namespace/releaseName/image/secretName
and the home callsite that interpolates name/namespace) to pass each token as a
separate argument rather than embedding them in a shell string, and remove
reliance on manual shellEscape at those callsites so all command construction
uses safe argv parameters.