config

package
v0.2.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 14, 2026 License: MIT Imports: 21 Imported by: 0

Documentation

Overview

Package config implements the "config" CLI command and its subcommands for programmatic read/write access to individual configuration keys. It is intended for CI automation and scripted setup rather than interactive use (for interactive reconfiguration, use "init <subsystem>" instead).

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewCmdConfig 

func NewCmdConfig(props *p.Props, opts ...MaskerOption) *cobra.Command

NewCmdConfig returns the top-level "config" command with all subcommands attached. MaskerOptions extend the built-in sensitive key and value patterns, allowing tool authors to register their own credential formats.

func NewCmdGet 

func NewCmdGet(props *p.Props, masker *Masker) *cobra.Command

NewCmdGet returns the "config get <key>" subcommand.

func NewCmdList 

func NewCmdList(props *p.Props, masker *Masker) *cobra.Command

NewCmdList returns the "config list" subcommand.

func NewCmdMigrate 

func NewCmdMigrate(props *p.Props) *cobra.Command

NewCmdMigrate returns the `config migrate-credentials` subcommand. The command is wired into NewCmdConfig alongside get / set / list / validate.

func NewCmdSet 

func NewCmdSet(props *p.Props) *cobra.Command

NewCmdSet returns the "config set <key> <value>" subcommand.

func NewCmdValidate 

func NewCmdValidate(props *p.Props) *cobra.Command

NewCmdValidate returns the "config validate" subcommand.

func PrintResult 

func PrintResult(w io.Writer, result *MigrateResult, dryRun bool)

PrintResult writes a human-readable summary of result to w. Used by NewCmdMigrate but exported for reuse in tests and custom output paths.

Types

type Masker 

type Masker struct {
	// contains filtered or unexported fields
}

Masker detects and masks sensitive configuration values using two independent strategies: key-name pattern matching and value content regular expressions. The zero value is not useful; construct with NewMasker.

func NewMasker 

func NewMasker(opts ...MaskerOption) *Masker

NewMasker constructs a Masker with built-in key patterns and value regexes, extended by any provided options. Built-in defaults are never mutated.

func (*Masker) IsSensitive 

func (m *Masker) IsSensitive(key, value string) bool

IsSensitive returns true if any dot-segment of the key matches a sensitive key pattern OR the value matches a sensitive value pattern. Segment-level matching catches credential keys like "github.auth.value" or "bitbucket.username.env" whose leaf is generic ("value", "env") but whose mid-path identifies the credential.

func (*Masker) Mask 

func (m *Masker) Mask(value string) string

Mask returns the value with all but the last 4 characters replaced by asterisks. Returns a fully asterisked string if the value is 4 characters or fewer.

func (*Masker) MaskIfSensitive 

func (m *Masker) MaskIfSensitive(key, value string) string

MaskIfSensitive applies Mask only when IsSensitive returns true for the given key/value pair; otherwise returns the value unchanged.

type MaskerOption 

type MaskerOption func(*Masker)

MaskerOption configures a Masker.

func WithKeyPattern 

func WithKeyPattern(pattern string) MaskerOption

WithKeyPattern registers an additional key-name substring (case-insensitive) that marks a key as sensitive. Extends the built-in list; does not replace it.

func WithValuePattern 

func WithValuePattern(re *regexp.Regexp) MaskerOption

WithValuePattern registers an additional compiled regexp that, when matched against a value, marks it as sensitive regardless of the key name.

type MigrateOptions 

type MigrateOptions struct {
	// DryRun prints the planned changes but does not write the
	// config or call the keychain backend.
	DryRun bool

	// Target selects the destination storage mode. Defaults to
	// [credentials.ModeEnvVar] if unset.
	Target credentials.Mode

	// AssumeYes skips every interactive prompt. Env-var names fall
	// back to the upstream-standard defaults; keychain account names
	// follow the wizard convention. Intended for CI pipelines and
	// scripted migrations.
	AssumeYes bool

	// EnvVarOverrides maps source config key → chosen env var name.
	// Lets non-interactive callers pin a specific env var per
	// credential (e.g. `--env-var anthropic.api.key=MYTOOL_ANTHROPIC`).
	// Overrides both defaults and interactive prompts.
	EnvVarOverrides map[string]string

	// KeychainService overrides the keychain service (the first half
	// of the <service>/<account> reference). Defaults to the tool's
	// name (`props.Tool.Name`), matching the setup wizards.
	KeychainService string

	// SkipVerify disables the post-export verification step in
	// interactive env-var mode. Useful for headless automation
	// where the user sets env vars via /etc/profile or systemd
	// drop-ins rather than an interactive shell.
	SkipVerify bool
}

MigrateOptions configures the migrate-credentials flow. The zero value is a dry-run against credentials.ModeEnvVar with interactive prompting — safe to run without fear of mutation.

type MigrateResult 

type MigrateResult struct {
	// Actions is the set of candidate migrations found in config,
	// with status filled in. Useful for machine-readable output.
	Actions []MigrationAction

	// WroteConfig is true when the config file on disk was rewritten.
	// Always false in DryRun mode.
	WroteConfig bool
}

MigrateResult summarises the outcome of a migrate run.

func Migrate 

func Migrate(ctx context.Context, props *p.Props, opts MigrateOptions) (*MigrateResult, error)

Migrate performs the migration described by opts against [props.Config]. Safe to call multiple times — already-migrated credentials are detected and skipped.

type MigrationAction 

type MigrationAction struct {
	// SourceKey is the config key currently holding the literal
	// credential (e.g. `anthropic.api.key`, `github.auth.value`).
	// For dual credentials this is the "primary" half (username).
	SourceKey string

	// PartnerKey is set for dual-credential pairs where both halves
	// migrate together (only `bitbucket.username` + `bitbucket.app_password`
	// today). Empty for single-value credentials.
	PartnerKey string

	// Target is the mode this credential was migrated to.
	Target credentials.Mode

	// DestKey is the config key written after migration. For
	// env-var targets: `<prefix>.env`. For keychain: `<prefix>.keychain`.
	// For Bitbucket dual-cred keychain target, only one key is
	// written (the shared `bitbucket.keychain`); PartnerKey is still
	// set so the report lists both removed literals.
	DestKey string

	// DestValue is the written value — an env var name (env-var
	// target) or a `<service>/<account>` reference (keychain
	// target). The source credential value is NEVER included here.
	DestValue string

	// Skipped is true when the credential was already migrated or
	// could not be migrated (e.g. keychain target with no backend
	// registered). Reason explains why.
	Skipped bool
	Reason  string
}

MigrationAction describes a single migration the command will perform (dry-run) or has performed.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.