feat(doctor): v0.4 Phase 1 — --fix + --extensive flags #49
Merged
TechAlchemistX merged 1 commit into main from Apr 20, 2026
Adds two operationally load-bearing flags to `secretenv doctor`:

- `--fix`: when a backend reports `NotAuthenticated`, shells out to the canonical remediation CLI (`aws sso login`, `op signin`, `gcloud auth login`, `az login`, `vault login`) with inherited stdio so the user can complete interactive auth (SSO browser, MFA, password). After all remediation attempts the report is re-checked and re-rendered. Spawn errors are surfaced distinctly from child-exit failures. The audit trail lives in a new `Remediation actions` human section + a `fix_actions` JSON array.
- `--extensive`: Level 3 depth probe. For each `Ok` backend, reads every `[registries.*]` source served by that backend instance and runs `Backend::check_extensive(uri)`. Renders alias counts (or read failures) per source under the backend's tree node, and serializes into `backends[*].depth` of `--json` output. Source URIs are deduped across registries.

The two flags compose: `doctor --fix --extensive` first remediates, then probes depth against the post-remediation backend set.

`run_doctor` now takes a `DoctorOpts` struct (vs three positional booleans) so future Phase 2+ knobs grow the struct, not the signature. `Default` impl preserves existing setup-embedded doctor behavior.

Tests:

- 11 new unit tests in `doctor.rs`: `remediation_argv` lookup table, `Remediation actions` render path + spawn-error path, `fix_actions` JSON shape, `depth probe` block + plural form + read-failure path, `depth` JSON array (`depth_status` discriminator + `entry_count` + `error`), and `omits-when-empty` keys for both `fix_actions` and `depth` (preserves the v0.3 default JSON contract).
- 5 new CLI integration tests: `--extensive` happy path (human + JSON), `--fix` no-op behavior, `--fix --extensive` composition, `--help` flag-discovery lock.

Workspace tests: 458/458 (was 442; +16). fmt + clippy + deny + audit clean.

Refs build-plan-v0.4 §Phase 1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: TechAlchemistX <mandeep@techalchemist.io>
Summary
v0.4 Phase 1 lands per build-plan-v0.4: two operationally load-bearing flags on `secretenv doctor`.

- `--fix` — when a backend reports `NotAuthenticated`, shell out to the canonical remediation CLI (`aws sso login`, `op signin`, `gcloud auth login`, `az login`, `vault login`) with inherited stdio so the user can complete interactive auth (SSO browser, MFA, password). Re-runs `check()` after all remediation attempts; surfaces an audit trail (which command, exit success, any spawn-error) in a new `Remediation actions` human section + `fix_actions` JSON array.
- `--extensive` — Level 3 depth probe. For each `Ok` backend, reads every `[registries.*]` source served by that backend instance and runs `Backend::check_extensive(uri)`. Renders alias counts (or read failures with the underlying error) per source under the backend's tree node, and serializes into a `backends[*].depth` JSON array. Source URIs are deduped across registries.

`doctor --fix --extensive` first remediates, then probes depth against the post-remediation backend set.

`run_doctor` now takes a `DoctorOpts` struct (vs three positional booleans) so future Phase 2+ knobs grow the struct, not the signature. `Default` impl preserves existing setup-embedded doctor behavior.

Tests

- `crates/secretenv-cli/src/doctor.rs`: `remediation_argv` lookup table (3 tests), `Remediation actions` render path + spawn-error path, `fix_actions` JSON shape, `depth probe` block + plural form + read-failure path, `depth` JSON array (`depth_status` discriminator + `entry_count` + `error`), and `omits-when-empty` keys for both `fix_actions` and `depth` (preserves the v0.3 default JSON contract for non-`--fix`/`--extensive` consumers).
- `crates/secretenv-cli/tests/cli.rs`: `--extensive` happy path (human + JSON), `--fix` no-op behavior, `--fix --extensive` composition, `--help` flag-discovery lock.
- `-D warnings` + deny + audit clean.

Test plan

- `cargo test --workspace` — 458/458 green
- `cargo fmt --all -- --check` — clean
- `cargo clippy --workspace --all-targets --all-features -- -D warnings` — clean
- `cargo deny check` — advisories ok, bans ok, licenses ok, sources ok
- `cargo audit` — no advisories

Out of scope

Live-backend integration smoke (against `/tmp/secretenv-test/`) is deferred to the v0.4 Phase 7 closing audit per the aggregate-release posture — Phase 1 work is mock-validated end-to-end. The 1Password/AWS/GCP/Azure/Vault remediation argv is locked by `remediation_argv_known_backends` against the canonical static table.

🤖 Generated with Claude Code
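
A Rust sketch of the `--fix` remediation step described above, added here as an illustration and not taken from the PR's code: a static argv table run without a shell, with spawn errors kept distinct from child-exit failures. The backend kind keys, `FixOutcome` and `run_remediation` are assumed names; only the CLI commands and the `remediation_argv` name come from the PR text.

```rust
use std::process::{Command, Stdio};

/// Outcome of one remediation attempt, as it would be recorded in an audit trail.
#[derive(Debug, PartialEq)]
enum FixOutcome {
    Succeeded,
    ChildFailed(Option<i32>), // CLI ran but exited non-zero (None = killed by signal)
    SpawnError(String),       // CLI never started (not on PATH, not executable)
}

/// Static table: backend kind -> fixed argv. The kind strings are assumed keys.
fn remediation_argv(kind: &str) -> Option<&'static [&'static str]> {
    let argv: &'static [&'static str] = match kind {
        "aws" => &["aws", "sso", "login"],
        "1password" => &["op", "signin"],
        "gcp" => &["gcloud", "auth", "login"],
        "azure" => &["az", "login"],
        "vault" => &["vault", "login"],
        _ => return None, // unknown backend: nothing is executed
    };
    Some(argv)
}

/// Execute a fixed argv directly (no shell), inheriting stdio for interactive auth.
fn run_remediation(argv: &[&str]) -> FixOutcome {
    let Some((program, args)) = argv.split_first() else {
        return FixOutcome::SpawnError("empty argv".to_string());
    };
    let status = Command::new(*program)
        .args(args)
        .stdin(Stdio::inherit())
        .stdout(Stdio::inherit())
        .stderr(Stdio::inherit())
        .status();
    match status {
        Ok(s) if s.success() => FixOutcome::Succeeded,
        Ok(s) => FixOutcome::ChildFailed(s.code()),
        Err(e) => FixOutcome::SpawnError(e.to_string()),
    }
}

fn main() {
    // Constructed demo: resolve the argv only, without launching a real login flow.
    for kind in ["aws", "vault", "unknown"] {
        println!("{kind}: {:?}", remediation_argv(kind));
    }
    // A binary that does not exist surfaces as SpawnError, not ChildFailed.
    println!("{:?}", run_remediation(&["secretenv-example-missing-cli"]));
}
```

Because the argv comes only from the static table and is passed to `Command` element by element, no configuration value or backend name is ever interpreted by a shell.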