config

package
v0.22.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 22, 2026 License: MIT Imports: 27 Imported by: 0

Documentation

Overview

Package config implements the "config" CLI command and its subcommands for programmatic read/write access to individual configuration keys. It is intended for CI automation and scripted setup rather than interactive use (for interactive reconfiguration, use "init <subsystem>" instead).

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewCmdConfig 

func NewCmdConfig(props *p.Props, opts ...MaskerOption) *setup.Command

NewCmdConfig returns the top-level "config" command with all subcommands attached. MaskerOptions extend the built-in sensitive key and value patterns, allowing tool authors to register their own credential formats.

func NewCmdEdit added in v0.22.0 

func NewCmdEdit(props *p.Props, opts ...EditOption) *cobra.Command

NewCmdEdit returns the "config edit" subcommand. It opens the writable config file in the user's editor, re-validates the result on save, and persists only if it is valid — aborting (and leaving the original untouched) on a non-zero editor exit, a YAML syntax error, or a schema validation failure.

func NewCmdGet 

func NewCmdGet(props *p.Props, masker *Masker) *cobra.Command

NewCmdGet returns the "config get <key>" subcommand.

func NewCmdList 

func NewCmdList(props *p.Props, masker *Masker) *cobra.Command

NewCmdList returns the "config list" subcommand.

func NewCmdMigrate 

func NewCmdMigrate(props *p.Props) *cobra.Command

NewCmdMigrate returns the `config migrate-credentials` subcommand. The command is wired into NewCmdConfig alongside get / set / list / validate.

func NewCmdPath added in v0.22.0 

func NewCmdPath(props *p.Props) *cobra.Command

NewCmdPath returns the "config path" subcommand. It prints the ordered list of config files that contributed to the live configuration (in merge order) followed by the writable target that set/unset/edit mutate. With --writable it prints only that target, for use in scripts.

func NewCmdSet 

func NewCmdSet(props *p.Props) *cobra.Command

NewCmdSet returns the "config set <key> <value>" subcommand.

func NewCmdUnset added in v0.22.0 

func NewCmdUnset(props *p.Props) *cobra.Command

NewCmdUnset returns the "config unset <key>" subcommand — the inverse of "config set". It removes a single dot-notation key from the user's writable config file, re-validates the result, and persists atomically only if valid.

func NewCmdValidate 

func NewCmdValidate(props *p.Props) *cobra.Command

NewCmdValidate returns the "config validate" subcommand.

func PrintResult 

func PrintResult(w io.Writer, result *MigrateResult, dryRun bool)

PrintResult writes a human-readable summary of result to w. Used by NewCmdMigrate but exported for reuse in tests and custom output paths.

Types

type EditOption added in v0.22.0 

type EditOption func(*editConfig)

EditOption configures NewCmdEdit. Used by tests to inject a fake editor and interactivity check; production uses the defaults.

func WithEditorRunner added in v0.22.0 

func WithEditorRunner(r editorRunner) EditOption

WithEditorRunner overrides the editor-launch seam (default: a real subprocess via exec.CommandContext). Tests inject a deterministic mutator.

func WithInteractiveCheck added in v0.22.0 

func WithInteractiveCheck(fn func() bool) EditOption

WithInteractiveCheck overrides the TTY gate (default: utils.IsInteractive). Tests inject a constant so the round-trip runs without a real terminal.

type Masker 

type Masker struct {
	// contains filtered or unexported fields
}

Masker detects and masks sensitive configuration values using two independent strategies: key-name pattern matching and value content regular expressions. The zero value is not useful; construct with NewMasker.

func NewMasker 

func NewMasker(opts ...MaskerOption) *Masker

NewMasker constructs a Masker with built-in key patterns and value regexes, extended by any provided options. Built-in defaults are never mutated.

func (*Masker) IsSensitive 

func (m *Masker) IsSensitive(key, value string) bool

IsSensitive returns true if any dot-segment of the key matches a sensitive key pattern OR the value matches a sensitive value pattern. Segment-level matching catches credential keys like "github.auth.value" or "bitbucket.username.env" whose leaf is generic ("value", "env") but whose mid-path identifies the credential.

func (*Masker) Mask 

func (m *Masker) Mask(value string) string

Mask returns the value with all but the last 4 characters replaced by asterisks. Returns a fully asterisked string if the value is 4 characters or fewer.

func (*Masker) MaskIfSensitive 

func (m *Masker) MaskIfSensitive(key, value string) string

MaskIfSensitive applies Mask only when IsSensitive returns true for the given key/value pair; otherwise returns the value unchanged.

type MaskerOption 

type MaskerOption func(*Masker)

MaskerOption configures a Masker.

func WithKeyPattern 

func WithKeyPattern(pattern string) MaskerOption

WithKeyPattern registers an additional key-name substring (case-insensitive) that marks a key as sensitive. Extends the built-in list; does not replace it.

func WithValuePattern 

func WithValuePattern(re *regexp.Regexp) MaskerOption

WithValuePattern registers an additional compiled regexp that, when matched against a value, marks it as sensitive regardless of the key name.

type MigrateOptions 

type MigrateOptions struct {
	// DryRun prints the planned changes but does not write the
	// config or call the keychain backend.
	DryRun bool

	// Target selects the destination storage mode. Defaults to
	// [credentials.ModeEnvVar] if unset.
	Target credentials.Mode

	// AssumeYes skips every interactive prompt. Env-var names fall
	// back to the upstream-standard defaults; keychain account names
	// follow the wizard convention. Intended for CI pipelines and
	// scripted migrations.
	AssumeYes bool

	// EnvVarOverrides maps source config key → chosen env var name.
	// Lets non-interactive callers pin a specific env var per
	// credential (e.g. `--env-var anthropic.api.key=MYTOOL_ANTHROPIC`).
	// Overrides both defaults and interactive prompts.
	EnvVarOverrides map[string]string

	// KeychainService overrides the keychain service (the first half
	// of the <service>/<account> reference). Defaults to the tool's
	// name (`props.Tool.Name`), matching the setup wizards.
	KeychainService string

	// SkipVerify disables the post-export verification step in
	// interactive env-var mode. Useful for headless automation
	// where the user sets env vars via /etc/profile or systemd
	// drop-ins rather than an interactive shell.
	SkipVerify bool
}

MigrateOptions configures the migrate-credentials flow. The zero value is a dry-run against credentials.ModeEnvVar with interactive prompting — safe to run without fear of mutation.

type MigrateResult 

type MigrateResult struct {
	// Actions is the set of candidate migrations found in config,
	// with status filled in. Useful for machine-readable output.
	Actions []MigrationAction

	// WroteConfig is true when the config file on disk was rewritten.
	// Always false in DryRun mode.
	WroteConfig bool
}

MigrateResult summarises the outcome of a migrate run.

func Migrate 

func Migrate(ctx context.Context, props *p.Props, opts MigrateOptions) (*MigrateResult, error)

Migrate performs the migration described by opts against [props.Config]. Safe to call multiple times — already-migrated credentials are detected and skipped.

type MigrationAction 

type MigrationAction struct {
	// SourceKey is the config key currently holding the literal
	// credential (e.g. `anthropic.api.key`, `github.auth.value`).
	// For dual credentials this is the "primary" half (username).
	SourceKey string

	// PartnerKey is set for dual-credential pairs where both halves
	// migrate together (only `bitbucket.username` + `bitbucket.app_password`
	// today). Empty for single-value credentials.
	PartnerKey string

	// Target is the mode this credential was migrated to.
	Target credentials.Mode

	// DestKey is the config key written after migration. For
	// env-var targets: `<prefix>.env`. For keychain: `<prefix>.keychain`.
	// For Bitbucket dual-cred keychain target, only one key is
	// written (the shared `bitbucket.keychain`); PartnerKey is still
	// set so the report lists both removed literals.
	DestKey string

	// DestValue is the written value — an env var name (env-var
	// target) or a `<service>/<account>` reference (keychain
	// target). The source credential value is NEVER included here.
	DestValue string

	// Skipped is true when the credential was already migrated or
	// could not be migrated (e.g. keychain target with no backend
	// registered). Reason explains why.
	Skipped bool
	Reason  string
}

MigrationAction describes a single migration the command will perform (dry-run) or has performed.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.