feat(auth): add local token config commands#17
Open
robinbraemer wants to merge 7 commits into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Intent
Implement the next Akua CLI MVP slice for auth/config commands from docs/architecture.md in the cli repo only. Add minimal local config/token handling for akua auth login --token , akua auth status, and akua auth logout, with tests. AKUA_API_TOKEN must take precedence for noninteractive auth, stored tokens must use user-only permissions, browser/device login is out of scope, and all output must follow the existing human/agent/json/quiet runtime contract. Do not implement broad OpenAPI command execution or destructive operations; validate with mise run check before reporting done.
What Changed
akua auth login,auth status, andauth logoutlocal token/config commands with human, agent, JSON, and quiet output handling.AKUA_API_TOKEN, user-only local config permissions, redacted auth usage errors, and preservation of non-token config keys.Risk Assessment
✅ Low: The change is limited to the auth/config MVP path, preserves existing CLI output contracts, and the prior token-handling/config-preservation risks have been addressed in the current diff.
Testing
Exercised the new auth/config slice through automated CLI tests, the full Bun test suite, and a product-level transcript; all checks passed, tokens stayed out of CLI output, stored config used 700/600 permissions, and I did not run
mise run checkbecause this testing prompt forbids static-analysis steps whilecheckdepends ongenerate:checkandbuild.Evidence: Auth/config end-to-end CLI transcript
Pipeline
Updates from git push no-mistakes
✅ **intent** - passed
✅ No issues found.
✅ **Rebase** - passed
✅ No issues found.
🔧 **Review** - 2 issues found → auto-fixed (5) ✅
src/commands/auth.ts:44- Config read/write/remove failures now propagate out of auth commands as plain errors, andmainconverts those tousage_errorexit code 2 withakua --help. Permission errors, malformed config JSON, and other local config failures are runtime/config failures, so they should be wrapped into a runtime-styleAkuaCliErrorinstead of being reported as invalid user syntax.src/commands/auth.ts:170-writeFile(..., { mode: 0o600 })only applies the mode when creating a new file. If an existing config file is more permissive,auth loginwrites the new token before the laterchmod, briefly storing the secret under the old permissions. Tighten permissions before writing or write a 0600 temp file and rename it over the target.🔧 Fix: Harden auth config storage errors
2 issues (1 error, 1 warning) still open:
src/commands/auth.ts:101-auth loginechoes unexpected positional arguments in the usage error, so a common typo likeakua auth login sk_akua_secret --jsonwill print the token back to stdout. For auth token parsing, avoid including the rejected argument value in the error message.src/commands/auth.ts:80-auth logoutparses the config before attempting removal, so malformed JSON prevents logout from deleting the stored-token file at all. Since logout's primary job is cleanup, it should still attempt to remove the local config/token when the file exists even if parsing fails.🔧 Fix: Harden auth logout and login errors
1 warning still open:
src/commands/auth.ts:61-auth statusresolves the config path before checkingAKUA_API_TOKEN, so an environment-token-only invocation withHOMEunset or empty exits with a usage error even though the env token should take precedence and no config read is needed. CheckAKUA_API_TOKENbefore requiringHOME, or make the config path optional for env-authenticated status output.🔧 Fix: Honor env auth without HOME
1 error still open:
src/commands/auth.ts:39- Auth positional usage errors still echo rejected values outsidelogin; a pasted token inakua auth sk_akua_secret --jsonis returned in the error payload, and the same pattern applies to extra positional args for status/logout. Keep auth positional diagnostics generic or redact token-like values before rendering errors.🔧 Fix: Redact auth positional usage errors
1 warning still open:
src/commands/auth.ts:45-auth loginwrites a fresh{ token }config andauth logoutremoves the whole config file, so any existing non-token keys under~/.config/akua/config.jsonare lost. Since the architecture reserves this file for broader profile config, confirm whether this MVP intentionally treats it as token-only; otherwise preserve unknown keys and only remove the token.🔧 Fix: Preserve auth config keys
✅ Re-checked - no issues remain.
✅ **Test** - passed
✅ No issues found.
bun test test/cli.test.tsbun testManual CLI flow captured to/var/folders/1y/cjgf53nj31n_dxsspqnjfjvc0000gn/T/no-mistakes-evidence/01KX3JJE3JSY1X7WD5X1MVSJME/auth-config-e2e-transcript.txt:auth status --json,auth login --token ... --json, config permission checks, humanauth status, agentAKUA_API_TOKEN=... auth status, env-awareauth logout --json, post-logoutauth status --json, and quietauth login --quiet✅ **Document** - passed
✅ No issues found.
✅ **Lint** - passed
✅ No issues found.
✅ **Push** - passed
✅ No issues found.