cleanlib-cli 0.1.1

Terminal interface to CleanLibrary — query dependency verdicts and scan package manifests for ALLOW / DENY / WARN signals from the terminal or CI pipelines.
//! `cleanlib status` (cycle-7 Cli2). Migrates `cmd_status` from `main.rs`
//! and extends it to surface the bearer source via the Cli6 resolver.

use anyhow::Result;
use cleanlib_client::config;

use crate::auth;

/// Prints the effective CLI configuration and where authentication comes from.
///
/// Output is a fixed set of `key: value` lines on stdout: config file path,
/// endpoint URL, API version, telemetry state and an `auth:` line. The `auth:`
/// line names only the source tier of the credential; the bearer value itself
/// is inspected for emptiness and never written out.
///
/// # Errors
///
/// Returns the error from `config::load_with_env_overrides` if the
/// configuration cannot be loaded. A failing bearer resolver is not an error
/// here; it falls through to the legacy config-file check.
pub fn run() -> Result<()> {
    let config_path = config::default_path();
    let cfg = config::load_with_env_overrides(config_path.as_deref())?;

    if let Some(file) = config_path.as_deref() {
        if file.exists() {
            println!("config:       {}", file.display());
        } else {
            println!(
                "config:       {} (not present; defaults in effect)",
                file.display()
            );
        }
    } else {
        println!("config:       <home dir not discoverable; defaults in effect>");
    }

    // NOTE(review): the endpoint URL is echoed verbatim. If a URL with embedded
    // credentials can ever be configured, it would land in terminal and CI
    // logs here — confirm the config loader rejects or strips userinfo.
    println!("endpoint:     {}", cfg.endpoint.url);
    println!("api_version:  {}", cfg.endpoint.api_version);

    let telemetry_state = if cfg.telemetry.enabled {
        "enabled"
    } else {
        "disabled"
    };
    println!("telemetry:    {}", telemetry_state);

    // Auth line: report the tier the credential came from, never the secret.
    // CLEANLIB-129 / CLEANLIB-27: a stored bearer that is empty or only
    // whitespace cannot authenticate, so it is reported as "not configured"
    // rather than as a false-positive "configured".
    let resolved = auth::resolve_bearer();
    if let Ok((source, bearer)) = resolved {
        // The resolver is expected to drop empties per tier already; the
        // check is repeated so every tier yields the same output shape.
        if !bearer.trim().is_empty() {
            println!("auth:         configured (source={})", source);
        } else {
            println!("auth:         <not configured> (empty bearer rejected; run `cleanlib login --api-key <KEY>`)");
        }
    } else {
        // Back-compat: the resolver does not read the legacy config.toml
        // `api_key`, so it is consulted here once the resolver has failed.
        // The same empty / whitespace-only rejection applies (CLEANLIB-27).
        //
        // NOTE(review): the resolver's error is discarded, so a credential
        // store that failed to open presumably reads the same as "nothing
        // stored" — confirm whether the cause should be surfaced, without
        // echoing any secret material.
        let legacy_key = cfg.auth.api_key.as_deref();
        if let Some(key) = legacy_key {
            if key.trim().is_empty() {
                println!("auth:         <not configured> (config-file api_key is empty; run `cleanlib login --api-key <KEY>`)");
            } else {
                println!("auth:         configured (source=config-file)");
            }
        } else {
            println!("auth:         <not configured>");
        }
    }

    Ok(())
}