Skip to content

cli/auth: unhide entire auth token and add --jurisdiction#1619

Merged
Soph merged 5 commits into
mainfrom
chore/unhide-auth-token
Jul 4, 2026
Merged

cli/auth: unhide entire auth token and add --jurisdiction#1619
Soph merged 5 commits into
mainfrom
chore/unhide-auth-token

Conversation

@georg

@georg georg commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

https://entire.io/gh/entireio/cli/trails/743

What

Two related changes to entire auth token:

  1. Unhide the command so it appears in entire auth --help and entire agent-help, surfacing the supported way to authenticate ad-hoc requests.
  2. Add --jurisdiction <slug> (e.g. us, eu) to mint a jurisdictional identity token for that jurisdiction's entire-api cells, plus a Jurisdiction: line in entire auth status so the slug is discoverable.
# control-plane bearer (default)
curl -H "Authorization: Bearer $(entire auth token)" "https://us.console.entire.io/api/v1/clusters"

# jurisdictional cell token
curl -H "Authorization: Bearer $(entire auth token --jurisdiction us)" "https://aws-us-east-2.api.entire.io/api/v1/me/activity"

Why

entire auth token was a hidden, scripting-only escape hatch that printed the control-plane bearer. Two gaps:

  • It wasn't discoverable — users and agents had no surfaced way to authenticate ad-hoc curl against the core API.
  • The per-jurisdiction data-plane cells (e.g. https://aws-us-east-2.api.entire.io/api/v1) reject the control-plane bearer; they require a jurisdictional identity token (RFC 8693 exchange, scope=openid, aud=<jurisdiction host>, per COR-666). There was no way to obtain that token.

Details

Unhide (05f3feb, 58f798b, ccc62a4)

  • Remove Hidden: true from newAuthTokenCmd; reword the doc comment to drop the "not part of the everyday surface" framing while keeping the "treat the output as a secret" caveat. --insecure-http-auth on the command stays hidden. RunE is otherwise unchanged; agent-help renders live from the Cobra tree so it picks up the visibility change automatically.

--jurisdiction (2b08ff1)

  • New exported auth.JurisdictionToken, built by extracting a shared subject-resolution helper out of NewEntireAPICellClient (whose behavior is unchanged). No new exchange/URL/security logic — it reuses the audited exchangeJurisdictionToken / jurisdictionAudience / jurisdictionCoreURL helpers and returns the raw token instead of a client (skipping the cell-URL round-trip a client would need).
  • ENTIRE_TOKEN is honored as the exchange subject (exclusive, fail-closed), with the environment (prod/staging/loopback) derived from the token's own aud — so CI works with only ENTIRE_TOKEN set, no ENTIRE_API_BASE_URL. Only the --jurisdiction path gains this; NewEntireAPICellClient / entire api --to cell are unchanged.
  • The slug is a bare lowercase jurisdiction (normalized: US/" us " -> us); the one token works against any cell in that jurisdiction.
  • entire auth status now shows the caller's home jurisdiction so the slug is discoverable non-interactively.

Testing

  • Unit tests for JurisdictionToken (stored-context + ENTIRE_TOKEN subject paths, asserting subject_token, scope=openid, and the jurisdiction audience).
  • Command-level tests for --jurisdiction (env-token success + not-logged-in hint) and the new auth status slug line.
  • mise run lint clean; the cmd/entire/cli and cmd/entire/cli/auth packages pass.

Note: mise run test:ci fails locally only in unrelated cmd/entire/cli/strategy git-hook tests, caused by a global ~/.git_template leaking hooks into test repos — those tests are untouched by this change and fail the same way on the base branch.

🤖 Generated with Claude Code

https://claude.ai/code/session_014ByabUEH7Egwn2rMt8o6bB

@georg georg requested a review from a team as a code owner July 2, 2026 23:36
Copilot AI review requested due to automatic review settings July 2, 2026 23:36

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR makes entire auth token discoverable by unhiding the Cobra subcommand so it appears in entire auth --help and is included in entire agent-help’s live-rendered command tree, while keeping the command’s runtime behavior unchanged.

Changes:

  • Unhide entire auth token by removing Hidden: true from the Cobra command definition.
  • Reword the newAuthTokenCmd Go doc comment to emphasize that the output is a live credential and should be treated as a secret.
  • Update developer-facing docs/comments to remove the “hidden” framing.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
cmd/entire/cli/auth.go Unhides the auth token command and updates the surrounding doc comment.
cmd/entire/cli/auth_token_test.go Updates the test doc comment to match the command no longer being hidden.
CLAUDE.md Updates command-surface documentation to reflect auth token is no longer hidden.

Comment thread cmd/entire/cli/auth.go Outdated
georg added a commit that referenced this pull request Jul 2, 2026
The "treat the output as a secret" warning only lived in the Go doc comment, which `--help` never shows. Now that the command is discoverable, put the caveat in Short (so it appears in the `entire auth --help` subcommand list) and add a Long + curl Example that carry it in full. Trim the doc comment to point at them instead of duplicating the prose.

Addresses Copilot review comment on #1619.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01YSh5ZQgN61faDCkUPXU1G3
Entire-Checkpoint: 56c477a9ab1f
@georg georg changed the title cli/auth: unhide entire auth token cli/auth: unhide entire auth token and add --jurisdiction Jul 4, 2026
toothbrush
toothbrush previously approved these changes Jul 4, 2026

@toothbrush toothbrush left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good idea, thanks Georg!

@Soph Soph left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as written in slack, I'd rather want the agent to use:

entire api api/v1/clusters
entire api --to cell "/api/v1/me/activity?timezone=UTC&timeframe=last-3-months"

Instead of juggling the token and using curl, or? Like fine making auth token visible but rather updated the agent-help to point it to entire api. I'll make a PR for that.

Comment thread CHANGELOG.md Outdated
Comment thread CHANGELOG.md Outdated
georg and others added 4 commits July 4, 2026 18:53
Make the control-plane bearer helper discoverable in `entire auth --help` and agent-help instead of a hidden scripting-only escape hatch. It still prints a live credential (documented as a secret in the doc comment), resolves the same bearer the API client uses (ENTIRE_TOKEN verbatim, else the refreshed active-context login JWT), and keeps errors on stderr so command substitution stays clean. Behavior is unchanged; only visibility. The `--insecure-http-auth` flag stays hidden.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01YSh5ZQgN61faDCkUPXU1G3
Entire-Checkpoint: 860e188caf74
The "treat the output as a secret" warning only lived in the Go doc comment, which `--help` never shows. Now that the command is discoverable, put the caveat in Short (so it appears in the `entire auth --help` subcommand list) and add a Long + curl Example that carry it in full. Trim the doc comment to point at them instead of duplicating the prose.

Addresses Copilot review comment on #1619.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01YSh5ZQgN61faDCkUPXU1G3
Entire-Checkpoint: 56c477a9ab1f
`entire auth token` printed only the control-plane bearer, which the
per-jurisdiction entire-api cells (e.g. https://aws-us-east-2.api.entire.io/api/v1)
reject. Add `--jurisdiction <slug>` to mint a jurisdictional identity token
(RFC 8693 exchange, scope=openid, aud=<jurisdiction host>) for that
jurisdiction's cells, reusing the existing exchange pipeline in
cell_data_api.go. It exchanges ENTIRE_TOKEN when set (deriving the
environment from the env token's aud so it works with no ENTIRE_API_BASE_URL,
else the active stored login.

Also surface the caller's home jurisdiction in Logged in to https://us.auth.entire.io
  User:     Georg Friedrich @georg
  Identity: github/1940
  Context:  us.auth.entire.io
  Token:    stored in OS keychain

Active sessions (32):
NAME                      CREATED     LAST USED   EXPIRES
OIDC login 2026-06-30     2026-06-30  2026-07-03  2026-08-02
OIDC login 2026-06-30     2026-06-30  2026-07-03  2026-08-02
OIDC login 2026-07-01     2026-07-01  2026-07-03  2026-08-02
Console login 2026-07-02  2026-07-02  2026-07-02  2026-07-09
Console login 2026-07-01  2026-07-01  2026-07-01  2026-07-08
OIDC login 2026-06-29     2026-06-29  2026-06-30  2026-07-30
Console login 2026-06-30  2026-06-30  2026-06-30  2026-07-07
OIDC login 2026-06-25     2026-06-25  2026-06-29  2026-07-29
Console login 2026-06-29  2026-06-29  2026-06-29  2026-07-06
OIDC login 2026-06-22     2026-06-22  2026-06-29  2026-07-29
OIDC login 2026-06-18     2026-06-18  2026-06-25  2026-07-25
OIDC login 2026-06-24     2026-06-24  2026-06-24  2026-07-24
OIDC login 2026-06-16     2026-06-16  2026-06-21  2026-07-21
OIDC login 2026-06-19     2026-06-19  2026-06-19  2026-07-19
OIDC login 2026-06-14     2026-06-14  2026-06-18  2026-07-18
OIDC login 2026-06-13     2026-06-13  2026-06-13  2026-07-13
OIDC login 2026-06-11     2026-06-11  2026-06-12  2026-07-12
OIDC login 2026-06-11     2026-06-11  2026-06-11  2026-07-11
OIDC login 2026-06-09     2026-06-09  2026-06-09  2026-07-09
OIDC login 2026-06-08     2026-06-08  2026-06-08  2026-07-08
OIDC login 2026-06-08     2026-06-08  2026-06-08  2026-07-08
OIDC login 2026-06-08     2026-06-08  2026-06-08  2026-07-08
OIDC login 2026-06-07     2026-06-07  2026-06-07  2026-07-07
OIDC login 2026-06-06     2026-06-06  2026-06-06  2026-07-06
OIDC login 2026-06-06     2026-06-06  2026-06-06  2026-07-06
OIDC login 2026-06-06     2026-06-06  2026-06-06  2026-07-06
OIDC login 2026-06-05     2026-06-05  2026-06-05  2026-07-05
OIDC login 2026-06-05     2026-06-05  2026-06-05  2026-07-05
OIDC login 2026-06-05     2026-06-05  2026-06-05  2026-07-05
OIDC login 2026-06-05     2026-06-05  2026-06-05  2026-07-05
OIDC login 2026-06-05     2026-06-05  2026-06-05  2026-07-05
OIDC login 2026-06-04     2026-06-04  2026-06-04  2026-07-04

Run 'entire logout' to end this session, or 'entire logout --everywhere' to end all of them.

2 login contexts saved; run 'entire auth contexts' to list or 'entire auth use <name>' to switch.

Update available! 0.7.9-nightly.202607020716.b58b5fe8e -> 0.7.9-nightly.202607030712.7b6b53b52
Release notes: https://github.com/entireio/cli/releases/tag/v0.7.9-nightly.202607030712.7b6b53b52
To update, run:
  brew upgrade entire@nightly so the
slug is discoverable non-interactively.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014ByabUEH7Egwn2rMt8o6bB
EOF
)

Entire-Checkpoint: 0cfa773385c4
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01WJrSU43U72744uN8SXBp7A
Entire-Checkpoint: b7c4e5869310
@Soph Soph merged commit 1ef4e0c into main Jul 4, 2026
10 checks passed
@Soph Soph deleted the chore/unhide-auth-token branch July 4, 2026 09:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

4 participants