feat(setup): authenticate onecli CLI for remote vault setup
Without `onecli auth login`, setup-time CLI calls (e.g. `secrets list` inside anthropicSecretExists, `secrets create` in runPasteAuth) hit a secured remote vault unauthenticated and fail silently — the auth step sees no existing Anthropic credential and prompts the user to add one even when it's already in the remote vault. Two auth surfaces matter here: the CLI's persistent store via `onecli auth login --api-key`, and ONECLI_API_KEY in .env that the runtime SDK reads at request time. We need both. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -288,6 +288,18 @@ export async function run(args: string[]): Promise<void> {
|
|||||||
log.info('Wrote ONECLI_URL to .env', { url: remoteUrl });
|
log.info('Wrote ONECLI_URL to .env', { url: remoteUrl });
|
||||||
const remoteToken = process.env.NANOCLAW_ONECLI_API_TOKEN?.trim();
|
const remoteToken = process.env.NANOCLAW_ONECLI_API_TOKEN?.trim();
|
||||||
if (remoteToken) {
|
if (remoteToken) {
|
||||||
|
// Two auth surfaces: `onecli auth login` persists the key for CLI
|
||||||
|
// calls during setup itself (e.g. detecting an existing Anthropic
|
||||||
|
// secret via `onecli secrets list`), and ONECLI_API_KEY in .env is
|
||||||
|
// read by the runtime SDK at request time. Both are needed.
|
||||||
|
try {
|
||||||
|
execFileSync('onecli', ['auth', 'login', '--api-key', remoteToken], {
|
||||||
|
stdio: 'ignore',
|
||||||
|
env: childEnv(),
|
||||||
|
});
|
||||||
|
} catch (err) {
|
||||||
|
log.warn('onecli auth login failed', { err });
|
||||||
|
}
|
||||||
writeEnvVar('ONECLI_API_KEY', remoteToken);
|
writeEnvVar('ONECLI_API_KEY', remoteToken);
|
||||||
log.info('Wrote ONECLI_API_KEY to .env');
|
log.info('Wrote ONECLI_API_KEY to .env');
|
||||||
}
|
}
|
||||||
|
|||||||
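Review bot: The catch block's `log.warn('onecli auth login failed', { err })` can write the API token to the log, because when execFileSync fails Node builds the error message as `Command failed: ` followed by the full command line, which here includes `remoteToken` (spawn errors may also carry the argument list). Log a redacted subset instead, for example `log.warn('onecli auth login failed', { status: (err as { status?: number }).status });`. Separately, passing the key as an argv element after `--api-key` leaves it readable in the local process list while the child runs; if onecli can take the key from stdin or an environment variable (not visible on this page), that would be the safer channel. The enclosing `run()` starts and ends outside the hunk.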