feat(cli): keyed credentials — servers:, the token chain, login/logout (RFC-007 PR 2)

The operator config gains servers: (name -> url; never a token). A remote command whose URL prefix-matches an operator server resolves its bearer token through the keyed chain first — OMNIGRAPH_TOKEN_<NAME> env, then the [<name>] section of ~/.omnigraph/credentials (created 0600 via temp+rename, #139 finding 7; group/world-readable files refused loudly) — falling through to the legacy chain unchanged. URL keying makes §D5 rule 3 structural: a token is only ever sent to the server it is keyed to. Longest-prefix matching with a path-boundary check (http://h:8080 never matches http://h:8080-evil). Inserting the keyed hop above the legacy chain is safe by construction — no existing setup can have servers: defined. omnigraph login <name> stores/rotates one section (token from --token or one stdin line — the pipe flow keeps secrets out of shell history); omnigraph logout removes it, idempotently; logging in before declaring the server warns instead of failing (the gh model). Coverage: URL-match/no-substring-trap, credentials round-trip preserving sibling sections, 0600 write + over-permissive refusal, env-name mapping; the legacy resolve test is now hermetic against a real ~/.omnigraph and asserts byte-identical legacy behavior with no servers defined; one spawned-binary e2e walks the whole lifecycle against an authed server: refusal -> wrong-token login (stdin) -> rotate (--token) -> authorized read -> env-beats-file -> non-matching-URL negative -> logout revokes. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-27 02:39:38 +02:00 · 2026-06-11 21:24:51 +03:00 · 2026-06-11 21:24:51 +03:00 · a819ab500e
commit a819ab500e
parent 5db42fb660
10 changed files with 603 additions and 4 deletions
--- a/crates/omnigraph-cli/src/output.rs
+++ b/crates/omnigraph-cli/src/output.rs
@ -828,3 +828,48 @@ pub(crate) struct QueriesListItem {
 pub(crate) struct QueriesListOutput {
    pub(crate) queries: Vec<QueriesListItem>,
 }
+
+pub(crate) fn finish_login(
+    server: &str,
+    credentials_path: &std::path::Path,
+    declared: bool,
+    json: bool,
+) -> Result<()> {
+    if json {
+        print_json(&serde_json::json!({
+            "server": server,
+            "credentials_path": credentials_path.display().to_string(),
+            "declared": declared,
+        }))?;
+    } else {
+        println!(
+            "stored credential for '{server}' in {}",
+            credentials_path.display()
+        );
+    }
+    if !declared {
+        eprintln!(
+            "note: '{server}' is not declared under servers: in the operator config; the token applies once you add `servers:\n  {server}:\n    url: <server url>` to ~/.omnigraph/config.yaml"
+        );
+    }
+    Ok(())
+}
+
+pub(crate) fn finish_logout(
+    server: &str,
+    credentials_path: &std::path::Path,
+    json: bool,
+) -> Result<()> {
+    if json {
+        print_json(&serde_json::json!({
+            "server": server,
+            "credentials_path": credentials_path.display().to_string(),
+        }))?;
+    } else {
+        println!(
+            "removed credential for '{server}' from {}",
+            credentials_path.display()
+        );
+    }
+    Ok(())
+}