fix: CLI v2 review feedback — input validation, escaping, type safety, and docs alignment (#66)

* Initial plan

* fix: apply review feedback — validation, escaping, type correctness, and docs alignment

Co-authored-by: sroussey <127349+sroussey@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: sroussey <127349+sroussey@users.noreply.github.com>

Author: Copilot

SPEC.md

@@ -139,10 +139,10 @@ All commands accept the following flags:
 | Flag            | Short | Description                                       |
 | --------------- | ----- | ------------------------------------------------- |
 | `--json`        |       | Output structured JSON to stdout                  |
-| `--verbose`     | `-v`  | Enable detailed log output                        |
+| `--verbose`     |       | Enable detailed log output                        |
 | `--dry-run`     |       | Show what would be done without making changes    |
 | `--no-color`    |       | Disable colored output                            |
-| `--concurrency` | `-c`  | Max parallel operations (default varies by command)|
+| `--concurrency` |       | Max parallel operations (default varies by command)|
 
 ---
 
@@ -200,14 +200,14 @@ Subcommands for running individual bootstrap phases.
 
 Download and extract bulk SEC data archives.
 
-| Option   | Description                                                  |
+| Argument | Description                                                  |
 | -------- | ------------------------------------------------------------ |
-| `--type` | One of: `submissions`, `companyfacts`, `ciks`, `all` (default: `all`) |
+| `<type>` | One of: `submissions`, `facts`, `ciks`, `all` (default: `all`) |
 
 **Behavior:**
 
 - `submissions` — Downloads `submissions.zip`, extracts to `SEC_RAW_DATA_FOLDER/submissions/`
-- `companyfacts` — Downloads `companyfacts.zip`, extracts to `SEC_RAW_DATA_FOLDER/companyfacts/`
+- `facts` — Downloads `companyfacts.zip`, extracts to `SEC_RAW_DATA_FOLDER/facts/`
 - `ciks` — Downloads `cik-lookup-data.txt` to `SEC_RAW_DATA_FOLDER/ciks/`
 - `all` — Downloads all three
 - Validates extracted paths to prevent directory traversal
@@ -355,53 +355,59 @@ Process a single accession document.
 
 Read-only commands for querying the database. All query commands support `--format` (`table`, `csv`, `json`; default: `table`) and `--limit`/`--offset` for pagination.
 
-#### `sec query entities [cik]`
+#### `sec query entities [search]`
 
 List or look up entities.
 
-| Argument | Required | Description                       |
-| -------- | -------- | --------------------------------- |
-| `cik`    | No       | Specific CIK to look up          |
+| Argument | Required | Description                              |
+| -------- | -------- | ---------------------------------------- |
+| `search` | No       | Free-text search term to filter entities |
 
-| Option             | Description                   |
-| ------------------ | ----------------------------- |
-| `--name <pattern>` | Filter by name (LIKE pattern) |
-| `--sic <code>`     | Filter by SIC code            |
+| Option             | Description                      |
+| ------------------ | -------------------------------- |
+| `--cik <cik>`      | Filter by exact CIK              |
+| `--sic <code>`     | Filter by SIC code               |
 | `--state <code>`   | Filter by state of incorporation |
-| `--limit <n>`      | Max rows (default: 25)        |
-| `--offset <n>`     | Skip rows (default: 0)        |
-| `--format <fmt>`   | Output format: table, csv, json |
+| `--sort <field>`   | Sort by field name               |
+| `--limit <n>`      | Max rows (default: 25)           |
+| `--offset <n>`     | Skip rows (default: 0)           |
+| `--format <fmt>`   | Output format: table, csv, json  |
 
-#### `sec query filings [cik]`
+#### `sec query filings [search]`
 
 List or look up filings.
 
-| Argument | Required | Description              |
-| -------- | -------- | ------------------------ |
-| `cik`    | No       | Filter by entity CIK    |
+| Argument | Required | Description                               |
+| -------- | -------- | ----------------------------------------- |
+| `search` | No       | Free-text search term to filter filings   |
 
 | Option             | Description                       |
 | ------------------ | --------------------------------- |
+| `--cik <cik>`      | Filter by entity CIK              |
 | `--form <type>`    | Filter by form type               |
-| `--from <date>`    | Filing date start (YYYY-MM-DD)    |
-| `--to <date>`      | Filing date end (YYYY-MM-DD)      |
+| `--after <date>`   | Filing date start (YYYY-MM-DD)    |
+| `--before <date>`  | Filing date end (YYYY-MM-DD)      |
 | `--limit <n>`      | Max rows (default: 25)            |
 | `--offset <n>`     | Skip rows (default: 0)            |
 | `--format <fmt>`   | Output format: table, csv, json   |
 
-#### `sec query offerings [cik]`
+#### `sec query offerings [search]`
 
 List Form D investment offerings.
 
-| Argument | Required | Description           |
-| -------- | -------- | --------------------- |
-| `cik`    | No       | Filter by issuer CIK  |
-
-| Option                  | Description                   |
-| ----------------------- | ----------------------------- |
-| `--industry <group>`    | Filter by industry group      |
-| `--limit <n>`           | Max rows (default: 25)        |
-| `--offset <n>`          | Skip rows (default: 0)        |
+| Argument | Required | Description                                |
+| -------- | -------- | ------------------------------------------ |
+| `search` | No       | Free-text search term to filter offerings  |
+
+| Option                  | Description                    |
+| ----------------------- | ------------------------------ |
+| `--cik <cik>`           | Filter by issuer CIK           |
+| `--industry <group>`    | Filter by industry group       |
+| `--exemption <type>`    | Filter by exemption type       |
+| `--after <date>`        | Filter after date              |
+| `--before <date>`       | Filter before date             |
+| `--limit <n>`           | Max rows (default: 25)         |
+| `--offset <n>`          | Skip rows (default: 0)         |
 | `--format <fmt>`        | Output format: table, csv, json |
 
 #### `sec query crowdfunding [cik]`
@@ -466,11 +472,11 @@ Show row counts for all tables and processing progress.
 
 #### `sec db reset`
 
-Drop all tables and re-create them. Prompts for confirmation unless `--force` is passed.
+Drop all tables and re-create them. Prompts for confirmation unless `--confirm` is passed.
 
-| Option    | Description                    |
-| --------- | ------------------------------ |
-| `--force` | Skip confirmation prompt       |
+| Option      | Description                    |
+| ----------- | ------------------------------ |
+| `--confirm` | Skip confirmation prompt       |
 
 ---
 

docs/plans/2026-03-05-cli-v2-design.md

@@ -32,9 +32,7 @@ Interactive wizard:
 5. Create directories
 6. Run `db setup`
 
-Detects existing `.env.local` and offers to reconfigure or skip. PostgreSQL path prompts for connection string or individual parameters. Validates database connectivity before writing config.
-
-When `--json` is passed: outputs config as JSON, no interactivity (for scripting). Non-zero exit if any step fails.
+Detects existing `.env.local` and warns before overwriting. PostgreSQL path prompts for connection string or individual parameters. Non-zero exit if any step fails.
 
 ### 1.2 Pipeline Commands
 

src/cli/GlobalOptions.ts

@@ -28,7 +28,7 @@ export function parseGlobalOptions(cmd: Command): GlobalOptions {
   };
 }
 
-function parseIntOption(value: string): number {
+export function parseIntOption(value: string): number {
   const parsed = parseInt(value, 10);
   if (isNaN(parsed)) {
     throw new Error(`"${value}" is not a valid number`);

src/cli/groups/init.test.ts

@@ -57,4 +57,28 @@ describe("buildEnvConfig", () => {
     expect(result).toContain('SEC_PG_DATABASE="sec_data"');
     expect(result).not.toContain("SEC_PG_URL");
   });
+
+  it("escapes double quotes in values", () => {
+    const config: InitConfig = {
+      dbType: "sqlite",
+      dbFolder: '/path/with/"quotes"',
+      dbName: 'name"with"quotes',
+      rawDataFolder: "/simple/path",
+    };
+    const result = buildEnvConfig(config);
+    expect(result).toContain('SEC_DB_FOLDER="/path/with/\\"quotes\\""');
+    expect(result).toContain('SEC_DB_NAME="name\\"with\\"quotes"');
+  });
+
+  it("escapes newlines in values", () => {
+    const config: InitConfig = {
+      dbType: "postgres",
+      dbFolder: "/path",
+      dbName: "edgar",
+      rawDataFolder: "/raw",
+      pgPassword: "pass\nword",
+    };
+    const result = buildEnvConfig(config);
+    expect(result).toContain('SEC_PG_PASSWORD="pass\\nword"');
+  });
 });

src/cli/groups/init.ts

@@ -19,23 +19,27 @@ export interface InitConfig {
   readonly pgDatabase?: string;
 }
 
+function escapeEnvValue(value: string): string {
+  return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\n/g, "\\n");
+}
+
 export function buildEnvConfig(config: InitConfig): string {
   const lines: string[] = [
-    `SEC_DB_TYPE="${config.dbType}"`,
-    `SEC_DB_FOLDER="${config.dbFolder}"`,
-    `SEC_DB_NAME="${config.dbName}"`,
-    `SEC_RAW_DATA_FOLDER="${config.rawDataFolder}"`,
+    `SEC_DB_TYPE="${escapeEnvValue(config.dbType)}"`,
+    `SEC_DB_FOLDER="${escapeEnvValue(config.dbFolder)}"`,
+    `SEC_DB_NAME="${escapeEnvValue(config.dbName)}"`,
+    `SEC_RAW_DATA_FOLDER="${escapeEnvValue(config.rawDataFolder)}"`,
   ];
 
   if (config.dbType === "postgres") {
     if (config.pgUrl) {
-      lines.push(`SEC_PG_URL="${config.pgUrl}"`);
+      lines.push(`SEC_PG_URL="${escapeEnvValue(config.pgUrl)}"`);
     } else {
-      if (config.pgHost) lines.push(`SEC_PG_HOST="${config.pgHost}"`);
-      if (config.pgPort) lines.push(`SEC_PG_PORT="${config.pgPort}"`);
-      if (config.pgUser) lines.push(`SEC_PG_USER="${config.pgUser}"`);
-      if (config.pgPassword) lines.push(`SEC_PG_PASSWORD="${config.pgPassword}"`);
-      if (config.pgDatabase) lines.push(`SEC_PG_DATABASE="${config.pgDatabase}"`);
+      if (config.pgHost) lines.push(`SEC_PG_HOST="${escapeEnvValue(config.pgHost)}"`);
+      if (config.pgPort) lines.push(`SEC_PG_PORT="${escapeEnvValue(config.pgPort)}"`);
+      if (config.pgUser) lines.push(`SEC_PG_USER="${escapeEnvValue(config.pgUser)}"`);
+      if (config.pgPassword) lines.push(`SEC_PG_PASSWORD="${escapeEnvValue(config.pgPassword)}"`);
+      if (config.pgDatabase) lines.push(`SEC_PG_DATABASE="${escapeEnvValue(config.pgDatabase)}"`);
     }
   }
 
@@ -117,8 +121,6 @@ export function addInitCommand(parent: Command): void {
             ...pgFields,
           };
 
-          rl.close();
-
           const envContent = buildEnvConfig(config);
           writeFileSync(envPath, envContent, "utf-8");
           console.log(`Wrote ${envPath}`);