feat: first-class environments, per-env OAuth, consistent User-Agent, token timeout#27
Merged
Conversation
…, env design+plan Snapshot of in-progress work before the engine-environments plan reshapes it: - PkceAuthProvider per-env OAuth (with_environment/OAuthEnvironment) — to be replaced by the Environments resolver per the plan - consistent outbound User-Agent (auto-wired from CliConfig; token traffic too) - default 30s token-endpoint timeout + shared reqwest client - design spec (docs/specs) and implementation plan (docs/plans) Co-Authored-By: Claude Opus 4.8 <[email protected]>
Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
…r, and active-env persistence Tasks 3-6: resolve() with env-var override layer, environments.toml path helper, file-based resolution layer with path override seam, and active-env read/write via ConfigFile. Also fix broken intra-doc link forward-referencing with_environments. Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
…h docs, panic-safe test Co-Authored-By: Claude Opus 4.8 <[email protected]>
Co-Authored-By: Claude Opus 4.8 <[email protected]>
Co-Authored-By: Claude Opus 4.8 <[email protected]>
Co-Authored-By: Claude Opus 4.8 <[email protected]>
Co-Authored-By: Claude Opus 4.8 <[email protected]>
Mount env list/get/set/info automatically when CliConfig::with_environments is used. Mirrors the ensure_config_command pattern exactly. Integration tests cover list/get/info; set persistence is already unit-tested in environments.rs (Task 6). Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
Replace the unreleased per-env OAuthEnvironment/with_environment builder with a shared Environments resolver. with_environments(Arc<Environments>) wires the provider; effective_* prefers the resolved OAuthConfig field when non-empty, then the legacy <PROVIDER>_OAUTH_* env var, then base config. Empty resolved fields fall through so a partial env inherits base endpoints. Co-Authored-By: Claude Opus 4.8 <[email protected]>
…t panic
apply_env_flag eagerly called matches.get_one::<String>("env"), but the --env
arg is only registered when environments are configured. clap panics on
get_one for an undefined arg, so every CLI that doesn't use environments
panicked on every run (caught by the full argv0_dispatch + foundation suites,
which per-task --lib verification had skipped). Guard on middleware.environments
first — the same condition that registers the flag.
Co-Authored-By: Claude Opus 4.8 <[email protected]>
…nv set tier, resolve trace - src/cli.rs apply_env_flag: use .as_ref() instead of .clone() on middleware.environments to avoid an unnecessary Arc refcount bump; Environments::resolve takes &self so the borrow suffices. - src/cli.rs --env flag: improve help text from "Target environment" to "Override the active environment (see: env list)". - src/env_commands.rs set: add .with_tier(Tier::Mutate).mutates(true) so --dry-run short-circuits the config-file write before it persists. - src/auth/pkce.rs resolved_oauth: replace .ok() with a match arm that logs the discarded error via tracing::debug! (env name + error, no token/secret); fallback behavior is unchanged. Co-Authored-By: Claude Opus 4.8 <[email protected]>
Adds docs/environments.md covering the three resolution layers and their precedence, the environments.toml schema (OAuth keys + extra bag), the env-var override convention and the -/_ prefix-collision caveat, sticky active env + --env override + the built-in env list/get/set/info commands, and the PkceAuthProvider::with_environments single-source pattern with a full runnable example (no_run). Updates docs/concepts.md Environments section to a one-line pointer to the new reference doc. Co-Authored-By: Claude Opus 4.8 <[email protected]>
… CliConfig and provider CliConfig::with_environments auto-stamped app_id onto a hidden copy of the Environments, but a PkceAuthProvider is wired with a separate Arc<Environments> that never received app_id. With an empty app_id, config_file_path returns None, so the provider's environments.toml file layer always resolved empty: a file-defined environment (or a file override of a compiled env's client_id) was visible to env info but invisible to the actual OAuth login. Make the shared instance explicit: with_environments now takes Arc<Environments> and stores it as-is (no hidden stamp), and Cli::new reuses that same Arc for middleware. The consumer sets app_id on the Environments and shares one Arc between the provider and CliConfig. Co-Authored-By: Claude Opus 4.8 <[email protected]>
… code The CI Rust/Docs step runs `cargo doc` without features as well as with `pkce-auth`. Two intra-doc links to `PkceAuthProvider::with_environments` (in CliConfig and Environments docs) failed the no-feature build because the `pkce` module is feature-gated (`no item named pkce in module auth`), and `-D warnings` promotes broken-intra-doc-links to an error. Use plain code spans referencing the `pkce-auth` feature instead. Co-Authored-By: Claude Opus 4.8 <[email protected]>
There was a problem hiding this comment.
Pull request overview
Adds a first-class “environments” system to cli-engine, wires per-environment OAuth configuration into PkceAuthProvider, and standardizes outbound HTTP User-Agent behavior across both command transports and OAuth/token traffic.
Changes:
- Introduces
Environments/Environment/EnvironmentDef/OAuthConfigwith layered resolution (compiled +environments.toml+ env-var overrides) and active-env persistence. - Auto-mounts a built-in
envcommand group and a global--envflag when environments are configured; exposesCommandContext::environment(). - Publishes a config-derived process-wide User-Agent and applies it to OAuth token requests and client-credentials token requests; adds default token endpoint timeout + pooled
reqwest::Clientfor PKCE token traffic.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/foundation.rs | Serializes UA-mutation tests and adds coverage for env command group + UA headers on token requests. |
| src/transport/injector.rs | Adds User-Agent header to client-credentials token request. |
| src/transport/client.rs | Documents/exports default UA getter (crate-only) and adds a unit-test lock for UA mutations. |
| src/middleware.rs | Threads optional Environments through middleware snapshots for handler access. |
| src/lib.rs | Registers new environments modules and re-exports environment types. |
| src/environments.rs | Implements environment definitions, layered resolution, config-file support, and active-env helpers. |
| src/env_commands.rs | Adds built-in env list/get/set/info command group. |
| src/command.rs | Adds CommandContext::environment() accessor to resolve the active environment. |
| src/cli.rs | Adds CliConfig::with_environments, global --env, env group mounting, and User-Agent publishing. |
| src/auth/pkce.rs | Adds per-env OAuth via shared Environments, shared token client, UA + timeout on token traffic. |
| docs/specs/2026-06-17-engine-environments-design.md | Design doc for first-class environments and OAuth wiring. |
| docs/plans/2026-06-17-engine-environments-plan.md | Implementation plan for the environments feature set. |
| docs/environments.md | User-facing reference for environments, selection, overrides, and PKCE wiring. |
| docs/concepts.md | Updates “Environments” concept section to point to the full reference. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…fine) Copilot review: the design spec and environments.md implied env-var-only environments are resolvable/selectable, but resolve() treats an env as known only if defined by a compiled default or environments.toml — env vars only override fields of a defined env. Corrected the wording in both docs. Co-Authored-By: Claude Opus 4.8 <[email protected]>
Copilot review round 2: - tests/foundation.rs: the two execute_from tests reset the process-wide User-Agent at the end; a panicking assert would skip it and leak the derived UA into later tests. Replace the manual reset with a RestoreDefaultUserAgent RAII guard (drops while the UA lock is still held). - src/environments.rs: document that Environments::resolve performs blocking filesystem I/O when the config-file layer is enabled, so it isn't called per-request from async handlers. Co-Authored-By: Claude Opus 4.8 <[email protected]>
…environment() Copilot review round 3: - Environments::list() swallows ANY file read/parse error, not just parse errors — corrected the doc comment. - CommandContext::environment() can block on filesystem I/O via resolve(); added a # Blocking note advising call-once-per-invocation. Co-Authored-By: Claude Opus 4.8 <[email protected]>
Copilot review round 9: the implementation plan referenced internal superpowers:* tool names that aren't actionable for repo readers. It was one-off process scaffolding; remove it. The design spec (tool-agnostic) and the durable user docs (docs/environments.md, docs/concepts.md) remain. Co-Authored-By: Claude Opus 4.8 <[email protected]>
…gn spec Copilot review round 10: - env set: give the `name` positional a value_name and help text, matching the config/auth built-in groups for consistent --help output. - Remove the design spec: as a pre-implementation doc it had drifted from the shipped API (active_environment vs environment.active, &Environment vs owned, with_oauth vs with_client_id/...). The durable, accurate docs (docs/environments.md, docs/concepts.md) remain the source of truth. Co-Authored-By: Claude Opus 4.8 <[email protected]>
…tests Copilot review round 11 flagged one more UA-mutating test lacking the panic-safe guard. Rather than fix piecemeal, audited every test holding USER_AGENT_TEST_LOCK and applied the RestoreDefaultUserAgent RAII guard (and an explicit cli/dev pin where asserting the default) to all of them, so a panicking assertion can never leak a mutated default UA into later tests in this binary. Co-Authored-By: Claude Opus 4.8 <[email protected]>
Copilot review round 12: with no compiled or file-defined environments, the unknown-env error rendered a dangling "known: ". Render "(none defined)" instead (+ test). Co-Authored-By: Claude Opus 4.8 <[email protected]>
get_credential_for resolved effective_scopes(env) up front on every credential lookup, triggering an environments.toml read even when a cached token already covers the required scopes. plan_step_up's coverage decision needs only granted/required, so drop defaults from it (StepUp::Reauthenticate no longer carries the union) and resolve per-env defaults only on the two paths that actually re-authenticate. Hot path (cached token covers required) now does no environment file I/O. Co-Authored-By: Claude Opus 4.8 <[email protected]>
Copilot review round 14: the doc said it only affected subsequently-created HttpClients, but the default UA now also applies to the PKCE provider's token/refresh requests and the client-credentials injector. Updated the doc. Co-Authored-By: Claude Opus 4.8 <[email protected]>
axburgess-godaddy
approved these changes
Jun 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes the gdx/gddy OAuth feature gaps and adds a first-class environment system to
cli-engine. Three cumulative pieces (all in this PR):PkceAuthProvidercan now servedev/test/ote/prod(and custom envs) with different client ids and endpoints, sourced from a shared environment resolver. This is the gdx feature gap: previously the provider had a single client id/endpoints and ignored theenv.CliConfig(name/version, overridable viaCliConfig::with_user_agent) and applied to every outbound request — commandHttpClients and the engine's own OAuth token traffic (PkceAuthProvidertoken/refresh +ClientCredentialsInjector), so APIs that require a UA stop 403ing.reqwest::Clientfor token traffic (with_token_timeoutto override).First-class environments
CliConfig::with_environments(Arc<Environments>): layered resolution — compiled defaults <environments.toml<<ENV>_*env-var overrides (later wins). Records carry typed OAuth config (client_id/auth_url/token_url/scopes) plus a free-formextrastring bag for app-specific fields (e.g.api_url).environment.active), a global--envoverride, and a built-inenv list/get/set/infocommand group (auto-mounted likeauth/config).CommandContext::environment()exposes the resolved active env to handlers.PkceAuthProvider::with_environmentsreads per-env OAuth from the same resolver. Empty resolved fields fall back to the provider's base config /<PROVIDER>_OAUTH_*.This lets consumers like
gddyandgdxdelete hand-rolled env flags, persistence, subcommands, and per-env OAuth wiring. (gddymigration is a one-time re-login due to credential storage key changes; documented.)Docs
docs/environments.md— full reference;docs/concepts.mdupdated.Test Plan
cargo fmt --all --checkcargo clippy --all-targets --features pkce-auth -- -D warningsand without the featurecargo test --features pkce-auth --all-targets— 453 passed, 0 failedcargo test --all-targets(no feature) — 406 passed, 0 failedcargo test --doc --features pkce-auth;cargo rustdoc --lib -- -W missing-docs(zero)--envresolution, and that an env-wired provider resolves a file-definedclient_id.🤖 Generated with Claude Code