From f048447ec551ced6606e6ac59089df7741211230 Mon Sep 17 00:00:00 2001
From: gavrielc
Date: Mon, 27 Apr 2026 00:00:59 +0300
Subject: [PATCH] feat(setup): authenticate onecli CLI for remote vault setup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Without `onecli auth login`, setup-time CLI calls (e.g. `secrets list` inside anthropicSecretExists, `secrets create` in runPasteAuth) hit a secured remote vault unauthenticated and fail silently — the auth step sees no existing Anthropic credential and prompts the user to add one even when it's already in the remote vault. Two auth surfaces matter here: the CLI's persistent store via `onecli auth login --api-key`, and ONECLI_API_KEY in .env that the runtime SDK reads at request time. We need both.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 setup/onecli.ts | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/setup/onecli.ts b/setup/onecli.ts
index d6dda38..fbf76a9 100644
--- a/setup/onecli.ts
+++ b/setup/onecli.ts
@@ -288,6 +288,18 @@ export async function run(args: string[]): Promise {
 log.info('Wrote ONECLI_URL to .env', { url: remoteUrl });
 const remoteToken = process.env.NANOCLAW_ONECLI_API_TOKEN?.trim();
 if (remoteToken) {
+ // Two auth surfaces: `onecli auth login` persists the key for CLI
+ // calls during setup itself (e.g. detecting an existing Anthropic
+ // secret via `onecli secrets list`), and ONECLI_API_KEY in .env is
+ // read by the runtime SDK at request time. Both are needed.
+ try {
+ execFileSync('onecli', ['auth', 'login', '--api-key', remoteToken], {
+ stdio: 'ignore',
+ env: childEnv(),
+ });
+ } catch (err) {
+ log.warn('onecli auth login failed', { err });
+ }
 writeEnvVar('ONECLI_API_KEY', remoteToken);
 log.info('Wrote ONECLI_API_KEY to .env');
 }
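Review bot: The `log.warn('onecli auth login failed', { err })` in the added catch block can put the API key into the log, because Node's `execFileSync` builds its failure message from the full argument list (`Command failed: onecli auth login --api-key …`), so `err.message` carries `remoteToken`; how `log` serialises `err` is not visible here, but most structured loggers include the message. Log only non-secret fields instead, e.g. `log.warn('onecli auth login failed', { status: (err as { status?: number }).status, code: (err as { code?: string }).code });`. Passing the key in argv also leaves it readable in the local process list while the child runs, so if the CLI accepts the key over stdin or the environment (not shown on this page), that is the safer channel and would deserve a one-line comment saying why. With `stdio: 'ignore'` the CLI's own diagnostics are discarded, so the warning is the only trace of a failed login and setup continues as before; `run()` begins and ends outside this hunk.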