Conversation
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
- Replace string-matching is_usage_error() with LoginUsageError subclass - Route 'Stored API key' message to stderr so stdout carries only the secret - Note in --password help that inline arg is visible in process listings Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
quiltx catalog api-keycommand to print, mint (--new), and store a catalog API key. Supports browser-based login,--username/--passwordU/P bootstrap, and--insecurefor localhost.quiltx catalog loginnow mints and stores a catalog API key as part of the auth flow so downstream tools can reuse it.Test plan
./poe testquiltx catalog api-keyprints stored keyquiltx catalog api-key --newmints and stores a fresh keyquiltx catalog loginstores an API key on success🤖 Generated with Claude Code
Greptile Summary
This PR adds
quiltx catalog api-key— a new subcommand that prints, mints, and stores a catalog API key — and wires the samemint_api_keyhelper intoquiltx catalog loginand the interactive credential-resolution ladder inauth.py.api_key.pycommand: prints the stored key by default;--newmints a replacement via browser SSO or--username/--passwordbootstrap; supports--insecurefor localhost.login.pyrefactor: login logic extracted intomint_api_key()/MintedApiKeyso bothcatalog loginandcatalog api-keyshare one implementation;SystemExitcalls replaced withLoginError.auth.pycredential ladder step 4: the oldgetpasspaste-prompt is replaced with the full browser/SSOmint_api_keyflow.Confidence Score: 3/5
The new api-key command is functional but its stdout output is inconsistent: printing the stored key emits only the key, while minting a new one mixes an informational status line with the key on the same stream, breaking the common shell pattern of capturing command output into a variable.
The stdout-mixing issue in api_key.py affects a core use case — automating key retrieval — and leaves the two code paths in an inconsistent state that tests only partially catch (the mint tests assert 'key in out' rather than strict equality). The rest of the refactor is clean and well-structured.
quiltx/tools/catalog/api_key.py (stdout mixing) and quiltx/tools/catalog/login.py (is_usage_error string matching).
Security Review
--passwordexposed in process listing (quiltx/tools/catalog/api_key.py,login.py): passing the catalog admin password as a command-line argument makes it readable viaps aux//proc/<pid>/cmdlinefor the duration of the process. The interactivegetpassprompt (used when--passwordis omitted) is the safer path; the help text for--passwordshould warn that inline use is insecure.Important Files Changed
mint_api_key+MintedApiKey; introducesLoginErrorand fragile string-basedis_usage_errorclassifier.getpassprompt to browser/SSO auth flow via deferredlogin_tool.mint_api_key; doc comments updated to match.api-keysubcommand; straightforward addition with no issues.api-keycommand and updates existing login tests to reflect refactored error surface.Sequence Diagram
sequenceDiagram participant User participant api_key_cmd as catalog api-key participant login_cmd as login.mint_api_key participant auth_py as auth.resolve_cli participant Catalog as Catalog API User->>api_key_cmd: quiltx catalog api-key [--new] alt stored key exists and not --new api_key_cmd->>User: print stored key (stdout) else mint new key api_key_cmd->>login_cmd: mint_api_key(catalog_url, dns, ...) alt browser flow (default TTY) login_cmd->>User: open browser, prompt for code User->>login_cmd: paste refresh_token login_cmd->>Catalog: bootstrap_api_key_from_refresh_token else U/P flow (--username given) login_cmd->>Catalog: bootstrap_api_key(username, password) end Catalog-->>login_cmd: "{secret, name, expires_at}" login_cmd->>login_cmd: credentials.store(dns, secret) login_cmd-->>api_key_cmd: MintedApiKey api_key_cmd->>User: print stored message + secret (both stdout) end User->>auth_py: any catalog command (no stored key, TTY) auth_py->>login_cmd: "mint_api_key(catalog_url, dns, no_prompt=False)" login_cmd-->>auth_py: MintedApiKey auth_py-->>User: ResolvedCredentials(secret, auth-flow)Reviews (1): Last reviewed commit: "CHANGELOG: 0.16.0" | Re-trigger Greptile