Default --credential-auto to true when --credential-provider is set alone#152
Merged
masnwilliams merged 3 commits intomainfrom Apr 29, 2026
Merged
Conversation
…lone
auth connections create accepted --credential-provider without
--credential-path or --credential-auto and dutifully sent a
CredentialReference of { provider } with no auto flag. The server
accepted that as valid but never fetched credentials, so managed
auth sessions dead-ended in awaiting_input and the user was prompted
to enter credentials manually.
Match the dashboard's UX (create-managed-auth-dialog.tsx): picking a
provider without a specific item always means "look up by domain".
An explicit --credential-path still pins the reference, and passing
--credential-auto is now redundant but still honored.
Covered by four new cases in auth_connections_test.go.
Made-with: Cursor
|
Firetiger deploy monitoring skipped This PR didn't match the auto-monitor filter configured on your GitHub connection:
Reason: PR modifies CLI command behavior in the auth package, not API endpoints (packages/api/cmd/api/) or Temporal workflows (packages/api/lib/temporal) as specified in the filter. To monitor this PR anyway, reply with |
hiroTamada
approved these changes
Apr 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
kernel auth connections create --domain foo.com --credential-provider my-1pcurrently builds aCredentialReferenceof{ provider: "my-1p" }with nopathand noautoflag. The API accepts that as a valid-but-inert reference, so the managed auth session never fetches credentials and dead-ends inawaiting_input(user gets prompted for manual input).auto: truein that branch to match the dashboard's UX (create-managed-auth-dialog.tsx), where picking a provider without a specific item always means "look up by domain".--credential-pathstill pins the reference (no implicit auto). Explicit--credential-autois now redundant but still honored.Companion API/workflow fix: https://github.com/kernel/kernel/pull/1794 — without that PR, even a correctly-sent
auto: trueis ignored by the CUA managed auth path.Test plan
go build ./...go test ./cmd/ -count=1(full suite passes; 4 new focused cases)--credential-provideralone →auto: truedefaulted--credential-provider+--credential-path→ no implicit auto--credential-provider+--credential-auto→ auto honored--credential-name→ unaffected by auto defaultkernel auth connections create --domain google.com --profile-name pn --credential-provider my-1pand confirm the resulting connection resolves credentials without prompting.Made with Cursor
Note
Low Risk
Small CLI request-mapping change with targeted tests; primary risk is a behavior change for users who previously relied on provider-only meaning “no lookup,” which is unlikely/intended to be inert anyway.
Overview
Fixes
kernel auth connections createso that providing--credential-providerwithout--credential-pathimplicitly setscredential.auto=true, avoiding a valid-but-inert credential reference that would stall managed auth sessions.Updates the
--credential-autoflag help text to document the new default, and adds focused regression tests covering provider-only, provider+path, explicit--credential-auto, and--credential-namebranches.Reviewed by Cursor Bugbot for commit 39c0423. Bugbot is set up for automated code reviews on this repo. Configure here.