feat: Update moonbit.nu with latest upstream changes

[hustcer]

feat: Update moonbit.nu with latest upstream changes

[github-actions]

Reasoning Details

We are reviewing a diff of changes to GitHub workflows and setup scripts. The main changes are:

1. Renaming "bleeding" to "nightly" in workflow definitions and READMEs.
2. Removing the setup-bleeding job from daily.yml and adjusting dependencies.
3. Adding a step to create a symlink/hardlink for AGENTS.md in moonbit.nu.

However, note that the provided code snippet for review includes a diff of multiple files, but the focus for Nushell script review is only on the nu/moonbit.nu file.

Let's extract the relevant part from nu/moonbit.nu:

diff --git a/nu/moonbit.nu b/nu/moonbit.nu
index 77e6238..d7d183c 100644
--- a/nu/moonbit.nu
+++ b/nu/moonbit.nu
@@ -7,7 +7,6 @@
 #   [√] This script should run both in Github Runners and local machines
 #   [√] Setup moonbit toolchains of specified version
 #   [√] Setup Moonbit Core support
-#   [√] Setup moonbit core of `bleeding` version support
 # Description: Scripts for setting up MoonBit environment
 # REF:
 #   - https://cli.moonbitlang.com/version.json
@@ -17,7 +16,7 @@
 
 const CLI_HOST = 'https://cli.moonbitlang.com'
 
-const VALID_VERSION_TAG = [latest, bleeding, pre-release, nightly]
+const VALID_VERSION_TAG = [latest, pre-release, nightly]
 const ARCH_TARGET_MAP = {
   linux_x86_64: 'linux-x86_64',
   macos_x86_64: 'darwin-x86_64',
@@ -98,6 +97,20 @@ export def 'setup moonbit' [
     rm moonbit*.tar.gz
   }
 
+  # Link AGENTS.md to moon-pilot prompt if available
+  let agents_src = $"($MOONBIT_HOME)/bin/internal/moon-pilot/lib/prompt/moonbitlang.mbt.md"
+  if ($agents_src | path exists) {
+    let agents_dst = $"($MOONBIT_HOME)/AGENTS.md"
+    if ($agents_dst | path exists) { rm -f $agents_dst }
+    if (windows?) {
+      let agents_src_win = $"($MOONBIT_HOME)\\bin\\internal\\moon-pilot\\lib\\prompt\\moonbitlang.mbt.md"
+      let agents_dst_win = $"($MOONBIT_HOME)\\AGENTS.md"
+      try { ^cmd /c mklink /H $agents_dst_win $agents_src_win } catch { print $"(ansi r)Failed to create hard link for ($agents_src_win)(ansi reset)" }
+    } else {
+      try { ^ln -sf $agents_src $agents_dst } catch { print $"(ansi r)Failed to create symlink for ($agents_src)(ansi reset)" }
+    }
+  }
+
   print 'OS Info:'; print $nu.os-info; hr-line
   print $'Contents of ($MOONBIT_BIN_DIR):'; hr-line -b
   ls $MOONBIT_BIN_DIR | table -w 150 -t psql | print
@@ -114,14 +127,6 @@ export def 'setup moonbit' [
   if $setup_core {
     print $'(char nl)Setup moonbit core of version: (ansi g)($core_version)(ansi reset)'; hr-line
     cd $MOONBIT_LIB_DIR; rm -rf ./core/*
-    if $core_version == 'bleeding' {
-      if ($coreDir | path exists) { rm -rf $coreDir }
-      try { git clone --depth 1 https://github.com/moonbitlang/core.git $coreDir } catch {
-        print $'(ansi r)Failed to clone bleeding core from GitHub(ansi reset)'
-      }
-      bundle-core $coreDir $version
-      return
-    }
 
     fetch-core $core_version
 
@@ -148,7 +153,7 @@ def bundle-core [coreDir: string, version: string] {
   } catch {
     print $'(ansi r)Failed to bundle core to wasm-gc(ansi reset)'
   }
-  if $version != 'bleeding' or (windows?) { return }
+  if $version != 'nightly' or (windows?) { return }
   print $'(ansi g)Bundle core for llvm backend(ansi reset)'
   try {
     ^$moonBin bundle --warn-list -a --target llvm --source-dir $coreDir

Now, we'll review the changes in this Nushell script.

Script Analysis

The changes are:

1. Removed the bleeding version tag and replaced it with nightly in the VALID_VERSION_TAG constant.
2. Added a block to create a symlink (or hardlink on Windows) for AGENTS.md.
3. Removed the special handling for core_version == 'bleeding' and replaced it with a note that we are now using fetch-core for all versions (including nightly?).
4. In the bundle-core function, changed the condition from $version != 'bleeding' to $version != 'nightly'.

Key observations:

• The script now uses nightly instead of bleeding.
• The script adds a step to link AGENTS.md for the moon-pilot prompt.
• The removal of the bleeding core setup block indicates that the fetch-core function now handles the nightly version appropriately.

Security Review

• The new linking step uses path exists checks and rm -f to avoid overwriting issues, which is safe.
• The use of try/catch for the linking commands is good practice to avoid script failure on non-critical operations.
• The external command ln -sf (on Unix) and cmd /c mklink (on Windows) are used safely because the paths are constructed from known variables and not user input (they are set by the script). However, note that the paths are built from $MOONBIT_HOME which is set by the script, so it's safe.

Optimization Suggestions

• The added block does file operations conditionally. It's efficient because it first checks if the source exists.
• The removal of the special bleeding core setup block simplifies the code and avoids a git clone operation. Instead, it relies on fetch-core which is presumably more efficient and consistent.

However, note that the fetch-core function is not shown in the diff. We must assume that it handles the nightly version appropriately.

Overall Quality

The changes are focused and maintain the structure of the script. The addition of linking AGENTS.md is a nice touch for documentation. The switch from bleeding to nightly is consistent with the changes in the workflows and READMEs.

Rating: 4/5 (Very good, but without seeing the entire context of fetch-core we cannot be sure about the handling of nightly)

Checklist:

• Compatibility:
  • Nu version: The script uses modern Nushell features (e.g., const, $nu, path exists) which are available in 0.90+.
  • Cross-platform support: The script handles Windows and Unix separately for the linking step.
  • Plugin dependencies: None apparent.
• Security:
  • Input sanitization: The script uses hardcoded paths and environment variables, so no injection risk.
  • Temporary file handling: Not used in the diff.
  • Env exposure: The script uses environment variables but they are set by the script or system.
• Reliability:
  • Error propagation: The script uses try/catch for non-critical operations (linking) and prints errors, but does not fail the entire script.
  • Null handling: The script checks for file existence before operations.
  • Type validation: The arguments to the setup moonbit command are not validated in the diff, but the VALID_VERSION_TAG is used for the version.
• Performance:
  • Lazy evaluation: Not applicable in this context.
  • Batch processing: The script does file operations and then runs core setup. The linking step is efficient.
  • Stream handling: Not used in the diff.

Output Structure

Script Analysis

• Renamed version tag from bleeding to nightly and removed special handling for bleeding core setup
• Added AGENTS.md symlink/hardlink creation for moon-pilot prompt
• Updated condition in bundle-core to check for nightly version

Security Review

• Safe use of external commands (ln and mklink) with fixed paths and error handling

Optimization Suggestions

• Removal of redundant git clone step simplifies the core setup flow

Overall Quality: 4

Script Analysis

• Renamed version tag from bleeding to nightly in workflow definitions and READMEs
• Removed setup-bleeding job from daily.yml workflow
• Added AGENTS.md symlink/hardlink creation for moon-pilot prompt
• Removed special handling for bleeding core installation
• Updated condition in bundle-core to check nightly instead of bleeding

Security Review

• ❗ Potential path traversal risk in AGENTS.md linking (line 105):
  Unescaped $MOONBIT_HOME in path construction could allow injection if variable is compromised
• ⚠️ Windows hardlink command uses unquoted paths (line 107):
  Spaces in path could cause command injection via agents_src_win content
• ❗ External commands (ln/mklink) executed without full path validation (lines 107/110):
  Risk if $MOONBIT_HOME contains special characters or command separators

Optimization Suggestions

• Use path join for AGENTS.md paths instead of string interpolation:
  let agents_src = ([$MOONBIT_HOME bin internal ...] | path join)
• Replace rm -f + link with mv -f atomic replacement pattern
• Merge rm ./core/* and fetch-core into single pipeline with error handling
• Add --progress none to git clone in removed code block for cleaner output (historical)

Overall Quality: 4

checklist:
  - Compatibility: ["Nu 0.90+ features used", "Windows/Unix support maintained", "No plugin dependencies"]
  - Security: ["Fixed path handling needed", "External command quoting", "Env variable trust"]
  - Reliability: ["Error handling present", "Path existence checks", "Conditional execution"]
  - Performance: ["File ops optimization", "Removed redundant steps", "Parallelism not applicable"]