[codex] Fix credential precedence and env token save#490
Conversation
|
@claude review |
|
Claude finished @axisrow's task in 2m 51s —— View job Review: Credential precedence & env token save
Overall this is a clean, well-tested change. The refactor of 1.
|
There was a problem hiding this comment.
Pull request overview
Adjusts Direct CLI credential resolution so project-local base env / cwd .env credentials take precedence over a global active OAuth profile unless --profile is explicitly selected, and enhances direct auth status/login to better reflect and persist the effective credentials.
Changes:
- Reworked
get_credentials()precedence: explicit--profilestays isolated; otherwise baseYANDEX_DIRECT_TOKEN/.envwins over active profile. - Updated
direct auth statusto report the effective credential source and added an optional interactive flow to save token/login to cwd.env. - Refreshed docs, translations, and tests to match the new credential contract.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
direct_cli/auth.py |
Implements new credential precedence and adds .env credential writer. |
direct_cli/commands/auth.py |
Updates auth status semantics/output and adds save-to-.env prompt after login flows. |
direct_cli/cli.py |
Aligns early login handling with the new “explicit profile isolates base login” behavior and updates help epilog text. |
direct_cli/translations/auth.json |
Adds/updates strings for new auth status wording and .env save prompt. |
direct_cli/translations/common.json |
Updates help text to refer to “selected credentials” (not only OAuth profile). |
README.md |
Documents the new credential precedence and the .env save prompt behavior (EN/RU sections). |
CLAUDE.md |
Updates the documented credential precedence contract for CLI and tests. |
tests/test_auth_oauth.py |
Adds regression tests for cwd .env precedence vs active profile and for .env save prompt behavior. |
tests/test_cli.py |
Hardens CLI tests by clearing env and mocking dotenv loading to avoid leakage across tests. |
tests/test_env_loading.py |
Adds test ensuring saving credentials creates a private-permission cwd .env. |
tests/test_integration.py |
Updates integration-test expectations around auth status reporting effective sources. |
| dotenv_path.write_text("".join(updated_lines), encoding="utf-8") | ||
| if not existed: | ||
| os.chmod(dotenv_path, 0o600) | ||
| return dotenv_path |
| if not selected: | ||
| print_info(t("No active profile.")) | ||
| return |
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ab8385c204
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if login: | ||
| replacements["YANDEX_DIRECT_LOGIN"] = _format_dotenv_value(login) |
There was a problem hiding this comment.
Clear stale env login when saving a login-less token
When the user saves a new token but resolve_account_login() returns None (for example due to a temporary network/API failure, or an imported token without --login), this branch omits YANDEX_DIRECT_LOGIN from replacements, so an existing .env keeps its old login while the token is overwritten. Subsequent commands will pair the new token with the stale client login from .env, which can target the wrong Direct client or fail unexpectedly; the save path should remove or reset the old login when no current login is known.
Useful? React with 👍 / 👎.
| dotenv_path.write_text("".join(updated_lines), encoding="utf-8") | ||
| if not existed: | ||
| os.chmod(dotenv_path, 0o600) |
There was a problem hiding this comment.
Tighten permissions on existing dotenv files
If the user accepts the new “Save token to .env?” prompt in a directory where .env already exists with common default permissions such as 0644, this writes the OAuth token into that world-readable file but skips chmod because existed is true. Since this path is newly storing a secret, it should set private permissions after writing regardless of whether the file was pre-existing.
Useful? React with 👍 / 👎.
|
@codex review |
|
@codex review |
|
Codex Review: Didn't find any major issues. Hooray! ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Summary
.env/ baseYANDEX_DIRECT_TOKENcredentials win over the active OAuth profile when--profileis not explicitly passed.--profileisolated from base.envlogin fallback.direct auth statusto report the effective credential source, including env/.env, active profile, 1Password, and Bitwarden fallbacks..env.Root Cause
The previous credential resolver selected the active OAuth profile before base env/cwd
.env, so project-local credentials could be ignored when a global active profile existed.auth statusalso reported the active profile instead of the effective credentials.Validation
python3 -m pytest tests/test_auth_oauth.py tests/test_env_loading.py tests/test_auth_op.py tests/test_auth_bw.py tests/test_cli.py -qpython3 -m pytest -m "not integration and not integration_write and not integration_live_write and not v4_live_read" -qrg/git grepaudit for old precedence-contract wordingpython3 -m json.tool direct_cli/translations/auth.jsonanddirect_cli/translations/common.jsonpython3 -m black --check direct_cli/cli.py direct_cli/commands/auth.py tests/test_auth_op.py tests/test_auth_bw.py tests/test_env_loading.py tests/test_auth_oauth.pygit diff --checkFixes #489