molecule-ai/molecule-cli
49
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity
Files
main
molecule-cli/internal/cmd/secret.go
T
sdk-dev a002b412e9
Release Go binaries / release (pull_request) Blocked by required conditions
Details
CI / Test / test (pull_request) Successful in 1m51s
Details
Release Go binaries / test (pull_request) Successful in 1m11s
Details
feat(cli): fix runHTTP auth bug + add management verbs 
Fix the auth bug FIRST: internal/cmd/http.go runHTTP (and the
internal/client Platform HTTP helpers, which had the same gap) sent NO
Authorization header, so management calls (workspace create/delete,
secrets, tokens, …) 401'd a hardened tenant. Now every request attaches
`Authorization: Bearer $MOLECULE_API_KEY` and, when set,
`X-Molecule-Org-Id: $MOLECULE_ORG_ID` (the tenant TenantGuard routing
gate). Headers are omitted when the env vars are unset so fresh
self-host/dev tenants keep working. Regression test
TestRunHTTP_SetsAuthHeader asserts the header is set and is proven
load-bearing (fails with `Authorization header = ""` when the fix is
reverted).

Add the management verbs (PLATFORM-MANAGEMENT-API.md §5(b)), each wired
to the OpenAPI-documented endpoint at the correct auth tier (verified
against the live workspace-server router.go + handlers and controlplane
orgs handler, since the parallel feat/openapi-management-spec branch
does not exist in molecule-core — reconciled to the actual handler
source instead):

  org   list|get|create --slug/--name|create --template|export
        token list|create|revoke | allowlist
  workspace list|get|create|delete|restart|pause|resume
            budget|billing-mode|token mint
  secret  ws  list|set|delete
          org list|set|delete
  template list|import|refresh
  bundle  export|import
  events
  approvals

Org-lifecycle verbs target the control plane (MOLECULE_CP_URL, default
= api-url); tenant verbs target the tenant host with the Org API Key.
All verbs honor --json (and existing -o table|json|yaml). Request/
response shapes match the handler structs (budget USD-cents
budget_limits; billing-mode {mode}; org import {dir,mode}; secrets
{key,value}; template import {name,files}; etc.).

Tests: table-driven request-construction tests (method/path/body/auth)
for all 30 management methods against an httptest mock, plus
cmd-layer branch tests (budget flag→limits, billing-mode validation,
template file mapping, --json resolution, CP-url fallback). Existing
workspace/agent/platform commands switched to the authenticated client.

go build ./..., go vet ./..., go test ./... all green; gofmt clean on
edited files. Binary smoke-tested end-to-end: auth headers reach the
server and --json output renders.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 20:53:04 -07:00

133 lines
3.8 KiB
Go
Raw Permalink Blame History

// Package cmd implements the CLI command tree.
package cmd
import (
"fmt"
"github.com/spf13/cobra"
)
// ---------------------------------------------------------------------------
// Secret command group (PLATFORM-MANAGEMENT-API.md §5(b)):
// molecule secret ws {list <ws-id>, set <ws-id> <key> <value>, delete <ws-id> <key>}
// molecule secret org {list, set <key> <value>, delete <key>}
//
// Workspace secrets ARE the workspace env vars; setting one auto-restarts the
// workspace. Org secrets are org-wide (AdminAuth). Values are never returned
// by list. Both go to the tenant host with the Org API Key.
// ---------------------------------------------------------------------------
var secretCmd = &cobra.Command{
Use: "secret",
Short: "Manage workspace and org secrets",
}
func init() {
secretCmd.AddCommand(secretWSCmd, secretOrgCmd)
secretWSCmd.AddCommand(secretWSListCmd, secretWSSetCmd, secretWSDeleteCmd)
secretOrgCmd.AddCommand(secretOrgListCmd, secretOrgSetCmd, secretOrgDeleteCmd)
}
// --- workspace secrets ------------------------------------------------------
var secretWSCmd = &cobra.Command{
Use: "ws",
Short: "Manage per-workspace secrets (env vars)",
}
var secretWSListCmd = &cobra.Command{
Use: "list <workspace-id>",
Short: "List a workspace's secret keys (values not shown)",
Args: cobra.ExactArgs(1),
RunE: runSecretWSList,
}
func runSecretWSList(_ *cobra.Command, args []string) error {
raw, err := newClient().ListWorkspaceSecrets(args[0])
if err != nil {
return fmt.Errorf("secret ws list: %w", err)
}
return printRaw(raw)
}
var secretWSSetCmd = &cobra.Command{
Use: "set <workspace-id> <key> <value>",
Short: "Set a workspace secret (auto-restarts the workspace)",
Args: cobra.ExactArgs(3),
RunE: runSecretWSSet,
}
func runSecretWSSet(_ *cobra.Command, args []string) error {
if err := newClient().SetWorkspaceSecret(args[0], args[1], args[2]); err != nil {
return fmt.Errorf("secret ws set: %w", err)
}
fmt.Printf("Secret %q set on workspace %s (workspace restarting).\n", args[1], args[0])
return nil
}
var secretWSDeleteCmd = &cobra.Command{
Use: "delete <workspace-id> <key>",
Short: "Delete a workspace secret by key",
Args: cobra.ExactArgs(2),
RunE: runSecretWSDelete,
}
func runSecretWSDelete(_ *cobra.Command, args []string) error {
if err := newClient().DeleteWorkspaceSecret(args[0], args[1]); err != nil {
return fmt.Errorf("secret ws delete: %w", err)
}
fmt.Printf("Secret %q deleted from workspace %s.\n", args[1], args[0])
return nil
}
// --- org secrets ------------------------------------------------------------
var secretOrgCmd = &cobra.Command{
Use: "org",
Short: "Manage org-wide secrets",
}
var secretOrgListCmd = &cobra.Command{
Use: "list",
Short: "List org-wide secret keys (values not shown)",
RunE: runSecretOrgList,
}
func runSecretOrgList(_ *cobra.Command, _ []string) error {
raw, err := newClient().ListOrgSecrets()
if err != nil {
return fmt.Errorf("secret org list: %w", err)
}
return printRaw(raw)
}
var secretOrgSetCmd = &cobra.Command{
Use: "set <key> <value>",
Short: "Set an org-wide secret",
Args: cobra.ExactArgs(2),
RunE: runSecretOrgSet,
}
func runSecretOrgSet(_ *cobra.Command, args []string) error {
if err := newClient().SetOrgSecret(args[0], args[1]); err != nil {
return fmt.Errorf("secret org set: %w", err)
}
fmt.Printf("Org secret %q set.\n", args[0])
return nil
}
var secretOrgDeleteCmd = &cobra.Command{
Use: "delete <key>",
Short: "Delete an org-wide secret by key",
Args: cobra.ExactArgs(1),
RunE: runSecretOrgDelete,
}
func runSecretOrgDelete(_ *cobra.Command, args []string) error {
if err := newClient().DeleteOrgSecret(args[0]); err != nil {
return fmt.Errorf("secret org delete: %w", err)
}
fmt.Printf("Org secret %q deleted.\n", args[0])
return nil
}
Reference in New Issue View Git Blame Copy Permalink