Three related gaps in the run command and scope management
1. agentkeys run broken for master sessions
cmd_run discovers which credentials to inject from session.scope.services. Master sessions have scope: None (unrestricted), so services_to_try is empty and nothing gets injected.
    // lib.rs:156-160
    let services_to_try = if let Some(scope) = &session.scope {
        scope.services.iter().map(|s| s.0.clone()).collect::<Vec<_>>()
    } else {
        vec![] // BUG: master session gets nothing
    };
Fix: When scope is None, query all stored credentials for the agent and inject all of them.
2. No CLI command to edit agent scope
ScopeChange exists as an AuthRequestType variant and the mock server handles it in approve_auth_request, but there is no CLI command to trigger it. Without scope editing, there's no way to set session.scope.services for the run command to use.
Proposed: agentkeys scope <agent> --add openrouter --add anthropic or similar.
3. Missing --env override flag on run
The spec (1-step-analysis.md:250) describes:
User can override with agentkeys run --env FOO=openrouter -- ./cmd
This allows explicit service-to-env-var mapping when the automatic convention (SERVICE_API_KEY) doesn't match. Not implemented.
Service name convention concern
The automatic naming service.to_uppercase() + "_API_KEY" may not match real-world env var names:
openrouter -> OPENROUTER_API_KEY (correct)
anthropic -> ANTHROPIC_API_KEY (correct)
brave-search -> BRAVE_SEARCH_API_KEY (is it brave-search or brave?)
github -> GITHUB_API_KEY (but GitHub uses GITHUB_TOKEN)
This needs a documented mapping table. The --env flag is the escape hatch for mismatches.
Impact on manual testing
Test 9 (run $WALLET -- printenv OPENROUTER_API_KEY) fails because the master session has no scope. Blocked until either:
--env flag is implemented
Files to change
crates/agentkeys-cli/src/lib.rs (cmd_run) -- fix credential discovery for scopeless sessions
crates/agentkeys-cli/src/main.rs -- add Scope subcommand, add --env flag to Run
wiki/ -- document service name -> env var mapping convention
References
docs/spec/1-step-analysis.md:244-250 -- env var injection design
docs/spec/plans/development-stages.md:294 -- cli::run_injects_env test spec
wiki/key-security.md:226-232 -- run as production path
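
Added example, not code from the agentkeys repository: a sketch of how credential discovery for scopeless sessions (gap 1), the --env override (gap 3) and the SERVICE_API_KEY convention could fit together so that an override renames a variable without widening the session's scope. The function names, the '-' to '_' mapping and the rule that an override replaces the conventional name are assumptions made for this sketch.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Convention from the issue: SERVICE_API_KEY. Mapping '-' to '_' is an assumption.
fn default_env_name(service: &str) -> String {
    format!("{}_API_KEY", service.to_uppercase().replace('-', "_"))
}

// Parse one `--env NAME=service` argument and reject names a shell cannot export.
fn parse_override(arg: &str) -> Result<(String, String), String> {
    let (name, service) = arg.split_once('=').ok_or(format!("expected NAME=service: {arg}"))?;
    let ok = !name.is_empty() && !service.is_empty()
        && !name.starts_with(|c: char| c.is_ascii_digit())
        && name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_');
    if ok { Ok((name.into(), service.into())) } else { Err(format!("bad --env value: {arg}")) }
}

// scope = None models a master session (every stored credential is eligible);
// Some(list) limits injection to the listed services that have a stored credential.
fn plan_injection(
    scope: Option<&[&str]>,
    stored: &BTreeMap<&str, &str>,
    overrides: &[&str],
) -> Result<BTreeMap<String, String>, String> {
    let allowed: BTreeSet<&str> = match scope {
        Some(list) => list.iter().copied().filter(|s| stored.contains_key(*s)).collect(),
        None => stored.keys().copied().collect(),
    };
    let (mut env, mut renamed) = (BTreeMap::new(), BTreeSet::new());
    for arg in overrides {
        let (name, service) = parse_override(arg)?;
        if !allowed.contains(service.as_str()) {
            // An override renames a variable; it never widens the session's scope.
            return Err(format!("service not available to this session: {service}"));
        }
        env.insert(name, stored[service.as_str()].to_string());
        renamed.insert(service);
    }
    for s in allowed.iter().filter(|s| !renamed.contains(**s)) {
        env.insert(default_env_name(s), stored[*s].to_string());
    }
    Ok(env)
}

fn main() {
    // Constructed sample store; the values are placeholders, not real keys.
    let stored = BTreeMap::from([("openrouter", "or-constructed"), ("github", "gh-constructed")]);
    let env = plan_injection(None, &stored, &["GITHUB_TOKEN=github"]).unwrap();
    println!("{:?}", env.keys().collect::<Vec<_>>()); // names only, never the values
}
```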