From 08d6c82989b711696595b504f559ae768593ebd8 Mon Sep 17 00:00:00 2001
From: Affaan Mustafa <affaan@dcube.ai>
Date: Thu, 30 Apr 2026 07:09:47 -0400
Subject: [PATCH] fix: harden consult argument parsing

---
 scripts/consult.js            | 11 +++++++----
 tests/scripts/consult.test.js | 14 ++++++++++++++
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/scripts/consult.js b/scripts/consult.js
index a560cc3c..15ec6644 100644
--- a/scripts/consult.js
+++ b/scripts/consult.js
@@ -158,15 +158,18 @@ function parseArgs(argv) {
     help: false,
   };
 
+  if (args.includes('--help') || args.includes('-h')) {
+    parsed.help = true;
+    return parsed;
+  }
+
   for (let index = 0; index < args.length; index += 1) {
     const arg = args[index];
 
-    if (arg === '--help' || arg === '-h') {
-      parsed.help = true;
-    } else if (arg === '--json') {
+    if (arg === '--json') {
       parsed.json = true;
     } else if (arg === '--target') {
-      if (!args[index + 1]) {
+      if (!args[index + 1] || args[index + 1].startsWith('-')) {
         throw new Error('Missing value for --target');
       }
       parsed.target = args[index + 1];
diff --git a/tests/scripts/consult.test.js b/tests/scripts/consult.test.js
index 3eea8c3a..1518db22 100644
--- a/tests/scripts/consult.test.js
+++ b/tests/scripts/consult.test.js
@@ -48,6 +48,13 @@ function runTests() {
     assert.match(result.stdout, /node scripts\/consult\.js "security reviews"/);
   })) passed++; else failed++;
 
+  if (test('shows help even when other flags would be invalid', () => {
+    const result = run(['--help', '--target', 'not-a-target']);
+
+    assert.strictEqual(result.status, 0, result.stderr);
+    assert.match(result.stdout, /Consult ECC install components/);
+  })) passed++; else failed++;
+
   if (test('recommends security components and profile for a natural language query', () => {
     const result = run(['security', 'reviews', '--json']);
 
@@ -108,6 +115,13 @@ function runTests() {
     assert.match(result.stderr, /Unknown install target/);
   })) passed++; else failed++;
 
+  if (test('rejects flag-like target values as missing target names', () => {
+    const result = run(['security', '--target', '--json']);
+
+    assert.strictEqual(result.status, 1);
+    assert.match(result.stderr, /Missing value for --target/);
+  })) passed++; else failed++;
+
   console.log(`\nResults: Passed: ${passed}, Failed: ${failed}`);
   process.exit(failed > 0 ? 1 : 0);
 }