cli/auth: unhide entire auth token and add --jurisdiction#1619
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR makes entire auth token discoverable by unhiding the Cobra subcommand so it appears in entire auth --help and is included in entire agent-help’s live-rendered command tree, while keeping the command’s runtime behavior unchanged.
Changes:
- Unhide
entire auth tokenby removingHidden: truefrom the Cobra command definition. - Reword the
newAuthTokenCmdGo doc comment to emphasize that the output is a live credential and should be treated as a secret. - Update developer-facing docs/comments to remove the “hidden” framing.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| cmd/entire/cli/auth.go | Unhides the auth token command and updates the surrounding doc comment. |
| cmd/entire/cli/auth_token_test.go | Updates the test doc comment to match the command no longer being hidden. |
| CLAUDE.md | Updates command-surface documentation to reflect auth token is no longer hidden. |
georg
added a commit
that referenced
this pull request
Jul 2, 2026
The "treat the output as a secret" warning only lived in the Go doc comment, which `--help` never shows. Now that the command is discoverable, put the caveat in Short (so it appears in the `entire auth --help` subcommand list) and add a Long + curl Example that carry it in full. Trim the doc comment to point at them instead of duplicating the prose. Addresses Copilot review comment on #1619. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01YSh5ZQgN61faDCkUPXU1G3 Entire-Checkpoint: 56c477a9ab1f
entire auth tokenentire auth token and add --jurisdiction
toothbrush
previously approved these changes
Jul 4, 2026
toothbrush
left a comment
Contributor
There was a problem hiding this comment.
good idea, thanks Georg!
Soph
reviewed
Jul 4, 2026
Soph
left a comment
Collaborator
There was a problem hiding this comment.
as written in slack, I'd rather want the agent to use:
entire api api/v1/clusters
entire api --to cell "/api/v1/me/activity?timezone=UTC&timeframe=last-3-months"
Instead of juggling the token and using curl, or? Like fine making auth token visible but rather updated the agent-help to point it to entire api. I'll make a PR for that.
Soph
reviewed
Jul 4, 2026
Make the control-plane bearer helper discoverable in `entire auth --help` and agent-help instead of a hidden scripting-only escape hatch. It still prints a live credential (documented as a secret in the doc comment), resolves the same bearer the API client uses (ENTIRE_TOKEN verbatim, else the refreshed active-context login JWT), and keeps errors on stderr so command substitution stays clean. Behavior is unchanged; only visibility. The `--insecure-http-auth` flag stays hidden. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01YSh5ZQgN61faDCkUPXU1G3 Entire-Checkpoint: 860e188caf74
The "treat the output as a secret" warning only lived in the Go doc comment, which `--help` never shows. Now that the command is discoverable, put the caveat in Short (so it appears in the `entire auth --help` subcommand list) and add a Long + curl Example that carry it in full. Trim the doc comment to point at them instead of duplicating the prose. Addresses Copilot review comment on #1619. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01YSh5ZQgN61faDCkUPXU1G3 Entire-Checkpoint: 56c477a9ab1f
`entire auth token` printed only the control-plane bearer, which the per-jurisdiction entire-api cells (e.g. https://aws-us-east-2.api.entire.io/api/v1) reject. Add `--jurisdiction <slug>` to mint a jurisdictional identity token (RFC 8693 exchange, scope=openid, aud=<jurisdiction host>) for that jurisdiction's cells, reusing the existing exchange pipeline in cell_data_api.go. It exchanges ENTIRE_TOKEN when set (deriving the environment from the env token's aud so it works with no ENTIRE_API_BASE_URL, else the active stored login. Also surface the caller's home jurisdiction in Logged in to https://us.auth.entire.io User: Georg Friedrich @georg Identity: github/1940 Context: us.auth.entire.io Token: stored in OS keychain Active sessions (32): NAME CREATED LAST USED EXPIRES OIDC login 2026-06-30 2026-06-30 2026-07-03 2026-08-02 OIDC login 2026-06-30 2026-06-30 2026-07-03 2026-08-02 OIDC login 2026-07-01 2026-07-01 2026-07-03 2026-08-02 Console login 2026-07-02 2026-07-02 2026-07-02 2026-07-09 Console login 2026-07-01 2026-07-01 2026-07-01 2026-07-08 OIDC login 2026-06-29 2026-06-29 2026-06-30 2026-07-30 Console login 2026-06-30 2026-06-30 2026-06-30 2026-07-07 OIDC login 2026-06-25 2026-06-25 2026-06-29 2026-07-29 Console login 2026-06-29 2026-06-29 2026-06-29 2026-07-06 OIDC login 2026-06-22 2026-06-22 2026-06-29 2026-07-29 OIDC login 2026-06-18 2026-06-18 2026-06-25 2026-07-25 OIDC login 2026-06-24 2026-06-24 2026-06-24 2026-07-24 OIDC login 2026-06-16 2026-06-16 2026-06-21 2026-07-21 OIDC login 2026-06-19 2026-06-19 2026-06-19 2026-07-19 OIDC login 2026-06-14 2026-06-14 2026-06-18 2026-07-18 OIDC login 2026-06-13 2026-06-13 2026-06-13 2026-07-13 OIDC login 2026-06-11 2026-06-11 2026-06-12 2026-07-12 OIDC login 2026-06-11 2026-06-11 2026-06-11 2026-07-11 OIDC login 2026-06-09 2026-06-09 2026-06-09 2026-07-09 OIDC login 2026-06-08 2026-06-08 2026-06-08 2026-07-08 OIDC login 2026-06-08 2026-06-08 2026-06-08 2026-07-08 OIDC login 2026-06-08 2026-06-08 2026-06-08 2026-07-08 OIDC login 2026-06-07 2026-06-07 2026-06-07 2026-07-07 OIDC login 2026-06-06 2026-06-06 2026-06-06 2026-07-06 OIDC login 2026-06-06 2026-06-06 2026-06-06 2026-07-06 OIDC login 2026-06-06 2026-06-06 2026-06-06 2026-07-06 OIDC login 2026-06-05 2026-06-05 2026-06-05 2026-07-05 OIDC login 2026-06-05 2026-06-05 2026-06-05 2026-07-05 OIDC login 2026-06-05 2026-06-05 2026-06-05 2026-07-05 OIDC login 2026-06-05 2026-06-05 2026-06-05 2026-07-05 OIDC login 2026-06-05 2026-06-05 2026-06-05 2026-07-05 OIDC login 2026-06-04 2026-06-04 2026-06-04 2026-07-04 Run 'entire logout' to end this session, or 'entire logout --everywhere' to end all of them. 2 login contexts saved; run 'entire auth contexts' to list or 'entire auth use <name>' to switch. Update available! 0.7.9-nightly.202607020716.b58b5fe8e -> 0.7.9-nightly.202607030712.7b6b53b52 Release notes: https://github.com/entireio/cli/releases/tag/v0.7.9-nightly.202607030712.7b6b53b52 To update, run: brew upgrade entire@nightly so the slug is discoverable non-interactively. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_014ByabUEH7Egwn2rMt8o6bB EOF ) Entire-Checkpoint: 0cfa773385c4
2b08ff1 to
4161f32
Compare
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01WJrSU43U72744uN8SXBp7A Entire-Checkpoint: b7c4e5869310
Soph
approved these changes
Jul 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
https://entire.io/gh/entireio/cli/trails/743
What
Two related changes to
entire auth token:entire auth --helpandentire agent-help, surfacing the supported way to authenticate ad-hoc requests.--jurisdiction <slug>(e.g.us,eu) to mint a jurisdictional identity token for that jurisdiction's entire-api cells, plus aJurisdiction:line inentire auth statusso the slug is discoverable.Why
entire auth tokenwas a hidden, scripting-only escape hatch that printed the control-plane bearer. Two gaps:curlagainst the core API.https://aws-us-east-2.api.entire.io/api/v1) reject the control-plane bearer; they require a jurisdictional identity token (RFC 8693 exchange,scope=openid,aud=<jurisdiction host>, per COR-666). There was no way to obtain that token.Details
Unhide (
05f3feb,58f798b,ccc62a4)Hidden: truefromnewAuthTokenCmd; reword the doc comment to drop the "not part of the everyday surface" framing while keeping the "treat the output as a secret" caveat.--insecure-http-authon the command stays hidden.RunEis otherwise unchanged;agent-helprenders live from the Cobra tree so it picks up the visibility change automatically.--jurisdiction(2b08ff1)auth.JurisdictionToken, built by extracting a shared subject-resolution helper out ofNewEntireAPICellClient(whose behavior is unchanged). No new exchange/URL/security logic — it reuses the auditedexchangeJurisdictionToken/jurisdictionAudience/jurisdictionCoreURLhelpers and returns the raw token instead of a client (skipping the cell-URL round-trip a client would need).ENTIRE_TOKENis honored as the exchange subject (exclusive, fail-closed), with the environment (prod/staging/loopback) derived from the token's ownaud— so CI works with onlyENTIRE_TOKENset, noENTIRE_API_BASE_URL. Only the--jurisdictionpath gains this;NewEntireAPICellClient/entire api --to cellare unchanged.US/" us "->us); the one token works against any cell in that jurisdiction.entire auth statusnow shows the caller's home jurisdiction so the slug is discoverable non-interactively.Testing
JurisdictionToken(stored-context +ENTIRE_TOKENsubject paths, assertingsubject_token,scope=openid, and the jurisdiction audience).--jurisdiction(env-token success + not-logged-in hint) and the newauth statusslug line.mise run lintclean; thecmd/entire/cliandcmd/entire/cli/authpackages pass.🤖 Generated with Claude Code
https://claude.ai/code/session_014ByabUEH7Egwn2rMt8o6bB