Kora CLI: Architecture & Competitive Analysis

1. Architecture

1.1. Technology Stack

| Layer | Technology | Rationale |
|---|---|---|
| Language | Go 1.22+ | Single binary, cross-platform, fast compilation, massive ecosystem |
| CLI Framework | Cobra + Viper | Industry standard (kubectl, docker, gh). ? argument discovery built in. Viper for config. |
| Terminal UI | Charm (Lipgloss, Bubbletea, Glamour) | Beautiful tables, styled output, interactive prompts. This is what makes the output impressive. |
| HTTP Client | net/http (stdlib) + Resty | Retry logic, TLS config, no CVE-prone dependencies |
| Credential Storage | go-keyring + age encryption | OS keyring for runtime, age for portable encrypted config |
| Configuration | Viper (YAML/TOML/env) | Unified config from files, env vars, and flags |
| Distribution | GoReleaser + Cosign | Cross-platform builds, signed binaries, Homebrew/AUR/Scoop |

1.2. High-Level Design

kora <vendor> <resource> [action] [flags]

Examples:
  kora ise endpoints --format table
  kora ise endpoint AA:BB:CC:DD:EE:FF --detail
  kora github repos --org myco --format json
  kora vault secrets list --mount kv
  kora stripe customers --limit 10
  kora ?                          # list all vendors
  kora ise ?                      # list ISE resources
  kora ise endpoints ?            # list endpoint actions

Core architecture (from netapi Atomic Design):

cmd/           -> Cobra command definitions (one file per vendor)
internal/
  client/      -> HTTP client with retry, TLS, auth provider injection
  auth/        -> Credential providers (keyring, env, age, interactive)
  output/      -> Formatters (table, json, csv, yaml, xlsx) via Lipgloss
  config/      -> Viper-based config management
  discovery/   -> API schema introspection for ? discovery
pkg/kora/      -> Public interfaces (for library consumers)

1.3. Security Considerations

| Concern | Mitigation |
|---|---|
| Credential storage | OS keyring (macOS Keychain, Linux Secret Service, Windows Credential Manager) + age encryption for portable configs. No --password flag. Credentials via keyring, env var, or interactive prompt only. |
| Data in transit | TLS verification ON by default. Explicit --insecure flag required to skip (with printed warning). Go stdlib crypto/tls (FIPS-capable). |
| Output sanitization | API keys, tokens, passwords masked in all output modes. Redaction filter on stdout/stderr. |
| Supply chain | govulncheck in CI pipeline. Signed releases via Cosign (Sigstore). Go module checksum DB for tamper-proof deps. |
| Binary integrity | Every release signed. Users verify: cosign verify-blob --signature kora.sig kora |
| Secret leakage | No credentials in config files. No credentials in shell history. kora login uses interactive TTY input. |
| Dependency audit | Minimal dependencies. Go stdlib preferred. Every third-party dep reviewed for CVEs before inclusion. |
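
One way the stdout/stderr redaction filter named under output sanitization could work, as an added example that is not Kora's own code: an io.Writer wrapper that masks known credential values even when a value arrives split across two writes. The names RedactingWriter, NewRedactingWriter and Flush, the mask string, and the sample token are assumptions made for illustration.

```go
package main // added illustration; all names are hypothetical, not Kora's API

import (
	"bytes"
	"io"
	"os"
	"sort"
)

type RedactingWriter struct {
	out     io.Writer
	secrets []string // longest first, so a secret containing another is masked whole
	hold    []byte   // tail that may begin a secret split across writes
}

func NewRedactingWriter(out io.Writer, secrets ...string) *RedactingWriter {
	sort.Slice(secrets, func(i, j int) bool { return len(secrets[i]) > len(secrets[j]) })
	return &RedactingWriter{out: out, secrets: secrets}
}

func (w *RedactingWriter) Write(p []byte) (int, error) {
	buf := append(w.hold, p...)
	for i := 0; i < len(w.secrets) && w.secrets[i] != ""; i++ { // empties sort last
		buf = bytes.ReplaceAll(buf, []byte(w.secrets[i]), []byte("********"))
	}
	keep := 0 // longest tail of buf that is a proper prefix of some secret
	for _, s := range w.secrets {
		for k := len(s) - 1; k > keep; k-- {
			if bytes.HasSuffix(buf, []byte(s[:k])) {
				keep = k
			}
		}
	}
	w.hold = append([]byte(nil), buf[len(buf)-keep:]...)
	_, err := w.out.Write(buf[:len(buf)-keep])
	return len(p), err
}

func (w *RedactingWriter) Flush() error {
	_, err := w.out.Write(w.hold)
	w.hold = nil
	return err
}

func main() {
	w := NewRedactingWriter(os.Stdout, "s3cr3t-token") // constructed sample secret
	io.WriteString(w, "Bearer s3cr3")                  // secret split across two writes
	io.WriteString(w, "t-token\n")
	w.Flush() // emit any held tail before exit
}
```

Wrapping both os.Stdout and os.Stderr once at startup lets every output formatter write through the filter; Flush must run before exit so a held tail is not lost.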

2. Competitive Analysis

| Existing Tool | Strengths | Weaknesses | Kora Differentiator |
|---|---|---|---|
| curl/httpie | Universal, scriptable | Generic HTTP: no vendor awareness, no credential management, ugly output | Vendor-aware commands, built-in auth, beautiful tables |
| Postman/Insomnia | GUI, collection sharing | Not CLI, not scriptable, heavy, requires account | Terminal-native, zero dependencies, no account needed |
| Vendor CLIs (aws, az, gcloud, oc) | Deep vendor integration | One CLI per vendor, inconsistent UX, different auth per tool | One CLI for all vendors, consistent UX, unified auth |
| Ansible/Terraform | Infrastructure-as-code, idempotent | Not interactive, YAML overhead, slow feedback loop | Interactive exploration, instant results, no YAML needed |
| jq + scripts | Flexible, composable | One-off, fragile, no auth handling, no discovery | Built-in formatting, auth, discovery; no scripting required |