Skip to content

feat: meta-gov-env CLI — org environments, cloud accounts, env types#445

Merged
fhacloid merged 14 commits into
developfrom
fix/env-canonical-api-drift
May 27, 2026
Merged

feat: meta-gov-env CLI — org environments, cloud accounts, env types#445
fhacloid merged 14 commits into
developfrom
fix/env-canonical-api-drift

Conversation

@fhacloid

@fhacloid fhacloid commented May 24, 2026

Copy link
Copy Markdown
Contributor

Summary

Org-scoped environment governance for the meta-gov-env API:

  • cy environment — org CRUD (create, get, list, update, delete), project link/unlink, PATCH semantics (only flags you pass are sent; fetch current state to preserve links/variables)
  • cy cloud-account — org CRUD; inline credential on create and update (--new-credential or --credential); create --update upsert
  • cy environment-type — org CRUD with required --color
  • Upsert everywherecreate --update and update both create-or-update (no 404 on missing env)
  • --color on environments — deprecated; emits warning only, does not error
  • delete --project — removed; use unlink then org-level delete

Migration note: auto-link → explicit link

Previously cy env create --project X created and linked in one step. Environments are now org entities first; project association is a separate relation:

cy env create --env prod --name Production
cy env link --project my-app --env prod

Scripts must add an explicit link after create (or use Terraform/provider which handles both steps).

Env scope: org vs project

Layer API CLI
Org CRUD on /organizations/{org}/environments/{env} cy env create/get/list/update/delete
Project link POST/DELETE /projects/{p}/environments cy env link/unlink, cy env list --project
Project view GET /projects/{p}/environmentsProjectEnvironment (+ components) list with --project

The CLI middleware no longer exposes project-scoped env CRUD (CreateEnv, UpdateEnv, DeleteEnv on project routes). All mutations go through org endpoints; project commands only manage the link.

Backend caveats

  • type still sent as "production" fallback until Lukasz lands optional-type inference (TODO(meta-gov-env) in code)
  • Explicit empty arrays (--cloud-account "") wipe links; omitting the flag preserves current links

Test plan

@fhacloid fhacloid changed the title fix: adapt env middleware to org-scoped API (meta-gov-env) feat: meta-gov-env CLI — org environments, cloud accounts, env types May 25, 2026
@fhacloid fhacloid self-assigned this May 25, 2026

@locycloid locycloid left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code looks good, but I got two questions

  1. I suppose we don't need finops operations for the CLI ?
  2. I see almost no tests - at least unit ones would be nice

@fhacloid

Copy link
Copy Markdown
Contributor Author

@lukasz we'll add finops if customer ask for it. For the test, good point, will ad them.

locycloid
locycloid previously approved these changes May 26, 2026
@fhacloid

Copy link
Copy Markdown
Contributor Author

Status update

PR updated and tested following Lukasz's review.

Changes since initial review

Critical fix — --update upsert now works for environment-type
GetEnvironmentType previously returned a plain fmt.Errorf on miss; the stderrors.As check in the upsert path always failed, so cy environment-type create --update would error instead of creating. Now returns *APIResponseError{StatusCode: 404} so the upsert path works correctly.

Security — debug logger no longer leaks credentials
--verbosity=debug was logging raw request/response bodies before sanitization. Both logRequest and logResponse in debug.go now pass bodies through sanitizeBody() first. Audit also confirms the error path in generic_client.go already sanitized correctly — only the debug path was affected.

Other fixes

  • Pagination capped at 1000 pages (guard against infinite loop on buggy backends)
  • LinkEnvToProject returns nil, nil on idempotent no-op instead of synthetic http.Response
  • All MarkFlagRequired return values now captured (_ =)
  • environments --color replaced custom warnDeprecatedColor with cobra MarkDeprecated
  • cloudaccounts/update mutual-exclusion error returns directly (consistent with create)
  • cloudaccounts/delete logs per-canonical on success so partial failures are visible
  • ptrValue helper removed from both packages, replaced with ptr.Value
  • Test: require.NotNil(resp) guard before .StatusCode deref in NotFound test

locycloid
locycloid previously approved these changes May 26, 2026
fhacloid and others added 14 commits May 27, 2026 13:43
Create and update environments now target the org-level endpoint, with
a separate link call to attach to a project. DeleteOrgEnv added for
cleanup. Color assertions dropped as color moved to EnvironmentType.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sync generated client with org-scoped environments, cloud accounts,
environment types, and related payload shapes from meta-gov-env swagger.

Co-authored-by: Cursor <cursoragent@cursor.com>
Add org-scoped environment CRUD, idempotent project link/unlink, cloud
account and environment-type APIs, and auto-paginated list helpers.

Co-authored-by: Cursor <cursoragent@cursor.com>
Add IsSet helper plus flags for environment PATCH fields, cloud account
credential options, and environment-type commands.

Co-authored-by: Cursor <cursoragent@cursor.com>
Rewrite environment commands for org CRUD with link/unlink, PATCH semantics,
and deprecated --color/--project delete behavior. Add cloud-account and
environment-type command trees.

Co-authored-by: Cursor <cursoragent@cursor.com>
Update test helpers to create/link org environments and refresh e2e
coverage for link, org-level get/update/delete, and upsert flows.

Co-authored-by: Cursor <cursoragent@cursor.com>
MarkFlagsOneRequired and MarkFlagRequired must run after flags exist;
fixes panic when loading environment, cloud-account, and env-type commands.

Co-authored-by: Cursor <cursoragent@cursor.com>
Avoid duplicate description flags on cloud-account create, silence link/unlink
table rendering on success, and unlink project associations before deleting
org environments in tests.

Co-authored-by: Cursor <cursoragent@cursor.com>
Wire environment update through createOrUpdateEnvironment so missing envs
are created instead of 404. Support --new-credential on cloud-account
update via inline credential creation. Add e2e coverage for update
upsert and explicit empty --cloud-account clearing.

Co-authored-by: Cursor <cursoragent@cursor.com>
…, address review

- Extract BuildCredentialRaw / AddAllRawFlags into the credentials package
  so cy credential and cy cloud-account share one source of truth for the
  per-type switch and the inline-credential flag set.
- Add cyargs.AddUpdateFlag / GetUpdate / UpdateFlag and cyargs.CloudAccountFlag
  constant; make AddCloudProviderFlag and AddColorFlag return the flag name
  for symmetry with the rest of cyargs.
- Split cloud-account list.go into list.go / get.go / delete.go; drop the
  retro-compat --cloud-account flag from get and delete (positional args only).
- Fix shadowed err in cloud-account create (the with_credentials branch was
  silently dropping API errors); explicit error checks throughout.
- Document why GetString/GetBool err returns are intentionally ignored on the
  PATCH-style merge in cloud-account update.
- Make the org-env CRUD middleware test cleanup unlink before delete and use
  a randomized canonical so a panicked run does not pin the next one.
- Pin client/version to v6.10.12-rc (backend tag where meta-gov-env merged).

Co-authored-by: Cursor <cursoragent@cursor.com>
Add middleware CRUD tests (TestCloudAccountCRUD, TestEnvironmentTypeCRUD)
and not-found edge cases, plus CLI command-tree/flag unit tests for both
packages including appendUniqueArg dedup logic and cloudAccountName fallback.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- debug: sanitize request/response bodies before logging (cred leak fix)
- GetEnvironmentType: return *APIResponseError{404} on miss so --update upsert works
- pagination: cap at 1000 pages to prevent infinite loop on buggy backends
- LinkEnvToProject: return nil,nil on idempotent no-op (drop synthetic http.Response)
- MarkFlagRequired: prefix _ = on all discarded return values
- environments --color: replace warnDeprecatedColor with cobra MarkDeprecated
- environmenttypes/create: replace local ptrValue with ptr.Value

Remaining: cloudaccounts/update mutual-exclusion error, cloudaccounts/delete
per-canonical logging, test resp nil-check.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- cloudaccounts/update: return fmt.Errorf directly for mutual-exclusion
  error (consistent with create.go); replace local ptrValue with ptr.Value
- cloudaccounts/delete: log per-canonical on success so partial failures
  are visible; drop redundant {"status":"ok"} response
- test: require.NotNil(resp) before .StatusCode deref in NotFound test

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The backend now infers the environment type from the canonical when no
type is provided. Drop the `defaultEnvType = "production"` hardcode:

- buildNewEnvironment: only sets Type when --type is explicit or
  inherited from an existing environment; omits the field otherwise
- buildUpdateEnvironment: same — preserves existing type from current
  state, respects --type override, omits if neither applies
- envTypeFromCurrent: returns "" instead of "production" fallback

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@fhacloid
fhacloid force-pushed the fix/env-canonical-api-drift branch from 52cb55b to e75e557 Compare May 27, 2026 11:43
@fhacloid
fhacloid merged commit 4123e3e into develop May 27, 2026
@fhacloid
fhacloid deleted the fix/env-canonical-api-drift branch May 27, 2026 11:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants