feat: installer-driven init flags + minimal nrq me [INT-444]#97
Merged
Conversation
Lets the central installer drive nrq init non-interactively from installer-config.json (op -> env -> --*-from-env): - nrq init --account-id-from-env <ENV>: env-bridge for the NON-secret account_id (same shape as --api-key-from-env per §1.5.1, but resolves into config.yml, NEVER the keyring — §2.5). Mutually exclusive with --account-id; empty/unset env is a hard error. - nrq init --non-interactive (init-only): every interactive fallback becomes a fail-loud error (cli-deployment-manifest §1.3). The policy is threaded through a new keychain.OpenForInit(overwrite, nonInteractive) -> passphraseFunc(service, nonInteractive) so the file backend never prompts for a passphrase even on a TTY (the keychain opens before runInit's own prompt guards). Other Open* entry points unchanged. - nrq me: minimal identity/access check reusing TestConnection (no new api/ surface). RunE stays hardwired through opts.APIClient() (single credential chokepoint); the success predicate (pure evaluate()) mirrors config test exactly — valid key AND, when an account is configured, account access — so the installer's verify:"me" can't pass on a misconfigured account. The api_key is never rendered (§1.12). Tests: --account-id-from-env e2e (config.yml not keyring), empty-env and mutually-exclusive errors, --non-interactive fail-loud, passphrase non-interactive never-prompts (keychain unit), renderMe across table/json/plain with no key leak, evaluate() predicate table. Docs swept (README init/me, repo guide files: architecture + env table + credentials). Closes #96
Codex PR review: `nrq me` used cobra.NoArgs, which quotes args[0] in its error — `nrq me NRAK-…` would echo a fat-fingered secret to stderr/logs, the same §1.12 class fixed for init/set-credential. Switch to the existing root.NoPositionalArgs static validator + a noleak regression.
Collaborator
Author
|
Blocker
Major
Minor
Nit
The updated diff matches the converged plan: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Lets the central installer (
~/monit/claude-desktop-mcp) drivenrq initnon-interactively frominstaller-config.json(1Password refs →op run→ env →--*-from-env).Closes #96 · INT-444 (child of INT-310). Per maintainer fast-follow directive: single PR, no daemon / no TDD-assessment, Codex architect convergence (plan loop 0/0 over 2 rounds; one PR re-review) then admin-merge.
Changes
nrq init --account-id-from-env <ENV>— env-bridge for the non-secret account_id: sameop→env→--*-from-envshape as--api-key-from-env(§1.5.1), but the resolved value lands inconfig.yml, never the keyring (§2.5). Mutually exclusive with--account-id; empty/unset env is a hard error (mirrors--api-key-from-env).nrq init --non-interactive(init-only) — every interactive fallback becomes fail-loud (cli-deployment-manifest §1.3). Critically, the policy is threaded through a newkeychain.OpenForInit(overwrite, nonInteractive)→passphraseFunc(service, nonInteractive)so the file backend never prompts for a passphrase even on a TTY (the keychain opens before runInit's own prompt guards — caught by Codex as a blocker on the plan). OtherOpen*entry points unchanged.nrq me— minimal identity/access check reusingTestConnection(no newapi/surface).RunEstays hardwired throughopts.APIClient()(single credential chokepoint, no client injection); the pureevaluate()success predicate mirrorsconfig testexactly (valid key AND, when an account is configured, account access) so the installer'sverify: "me"cannot pass on a misconfigured account. The api_key is never rendered (§1.12).Tests
--account-id-from-envinstaller-invocation e2e (config.yml set, keyring holds only api_key); empty-env + mutually-exclusive errors;--non-interactiveno-key/no-ingress fail-loud;passphraseFunc(_, true)never-prompts (keychain unit, the Codex-blocker pin);renderMetable/json/plain with no key leak;evaluate()predicate table. No test makes a live New Relic call (init uses--no-verify;melogic tested via pure helpers).Gate: gofmt · build · vet · 430
-racetests (29 pkgs) ·go mod tidyno-drift · golangci-lint v2.0.2 0 issues · go 1.24.0.