From 9ced2addac1cce3e26330f878e15f846407a2573 Mon Sep 17 00:00:00 2001
From: Ilia Shkolyar
Date: Sun, 21 Jun 2026 14:16:44 +0300
Subject: [PATCH] CM-67318: warn when env vars override configured credentials/URLs cycode configure writes credentials to the file but CYCODE_CLIENT_ID/ CYCODE_CLIENT_SECRET (and the URL env vars) take precedence on every subsequent call. Previously the override notice was only appended to the success message when a value actually changed, so a stale env var could silently shadow freshly configured credentials with no indication. Split the override notice into its own helpers and print it as a warning whenever the relevant env vars are set, regardless of whether anything was updated.
Co-Authored-By: Claude Opus 4.8
---
 .../cli/apps/configure/configure_command.py | 18 +++++++++++-
 cycode/cli/apps/configure/messages.py | 20 +++++++++----
 tests/cli/commands/configure/test_messages.py | 28 +++++++++++++++++++
 3 files changed, 59 insertions(+), 7 deletions(-)
 create mode 100644 tests/cli/commands/configure/test_messages.py
diff --git a/cycode/cli/apps/configure/configure_command.py b/cycode/cli/apps/configure/configure_command.py
index 1811271c..3c2f269b 100644
--- a/cycode/cli/apps/configure/configure_command.py
+++ b/cycode/cli/apps/configure/configure_command.py
@@ -1,7 +1,12 @@
 from typing import Optional
 from cycode.cli.apps.configure.consts import CONFIGURATION_MANAGER, CREDENTIALS_MANAGER
-from cycode.cli.apps.configure.messages import get_credentials_update_result_message, get_urls_update_result_message
+from cycode.cli.apps.configure.messages import (
+ get_credentials_environment_variables_override_warning,
+ get_credentials_update_result_message,
+ get_urls_environment_variables_override_warning,
+ get_urls_update_result_message,
+)
 from cycode.cli.apps.configure.prompts import (
 get_api_url_input,
 get_app_url_input,
@@ -73,3 +78,14 @@ def configure_command() -> None:
 console.print(get_urls_update_result_message())
 if credentials_updated or oidc_credentials_updated:
 console.print(get_credentials_update_result_message())
+
+ # Warn about environment variables that override the configured file values, regardless of whether anything was
+ # updated. The env vars take precedence on every subsequent call, so configuring the file alone has no effect while
+ # they are set.
+ urls_override_warning = get_urls_environment_variables_override_warning()
+ if urls_override_warning:
+ console.print(f'[yellow]Warning:[/] {urls_override_warning}')
+
+ credentials_override_warning = get_credentials_environment_variables_override_warning()
+ if credentials_override_warning:
+ console.print(f'[yellow]Warning:[/] {credentials_override_warning}')
diff --git a/cycode/cli/apps/configure/messages.py b/cycode/cli/apps/configure/messages.py
index 36ce807b..f008f09d 100644
--- a/cycode/cli/apps/configure/messages.py
+++ b/cycode/cli/apps/configure/messages.py
@@ -1,3 +1,5 @@
+from typing import Optional
+
 from cycode.cli.apps.configure.consts import (
 CONFIGURATION_MANAGER,
 CREDENTIALS_ARE_SET_IN_ENVIRONMENT_VARIABLES_MESSAGE,
@@ -14,11 +16,14 @@ def _are_credentials_exist_in_environment_variables() -> bool:
 def get_credentials_update_result_message() -> str:
- success_message = CREDENTIALS_UPDATED_SUCCESSFULLY_MESSAGE.format(filename=CREDENTIALS_MANAGER.get_filename())
+ return CREDENTIALS_UPDATED_SUCCESSFULLY_MESSAGE.format(filename=CREDENTIALS_MANAGER.get_filename())
+
+
+def get_credentials_environment_variables_override_warning() -> Optional[str]:
 if _are_credentials_exist_in_environment_variables():
- return f'{success_message}. {CREDENTIALS_ARE_SET_IN_ENVIRONMENT_VARIABLES_MESSAGE}'
+ return CREDENTIALS_ARE_SET_IN_ENVIRONMENT_VARIABLES_MESSAGE
- return success_message
+ return None
 def _are_urls_exist_in_environment_variables() -> bool:
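Review bot: The two override warnings at the end of `configure_command` are printed through the same `console.print` as the success messages, so they presumably share a stream with ordinary output and can be lost when that output is redirected or filtered. A notice that the credentials just written are not the ones the next call will use is better sent to the error stream; if the project has a stderr-bound console object, print both `[yellow]Warning:[/]` lines through it. The function body starts above this hunk, so whether an earlier `return` can skip this block cannot be checked from here, and the comment's "regardless of whether anything was updated" only holds if no such path exists.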
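Review bot: `get_credentials_environment_variables_override_warning` in the `@@ -14,11 +16,14 @@` hunk returns one fixed constant, so the user is not told which variable triggered the warning. The new test shows the check fires when only the client ID variable is set, in which case the effective credentials may be a mix of an environment value and a file value (the resolution code is not visible here). Consider building the message from the names of the variables actually found in the environment, names only and never their values, so a stale variable can be located and unset. The same applies to `get_urls_environment_variables_override_warning` in the `@@ -28,10 +33,13 @@` hunk.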
@@ -28,10 +33,13 @@ def _are_urls_exist_in_environment_variables() -> bool:
 def get_urls_update_result_message() -> str:
- success_message = URLS_UPDATED_SUCCESSFULLY_MESSAGE.format(
+ return URLS_UPDATED_SUCCESSFULLY_MESSAGE.format(
 filename=CONFIGURATION_MANAGER.global_config_file_manager.get_filename()
 )
+
+
+def get_urls_environment_variables_override_warning() -> Optional[str]:
 if _are_urls_exist_in_environment_variables():
- return f'{success_message}. {URLS_ARE_SET_IN_ENVIRONMENT_VARIABLES_MESSAGE}'
+ return URLS_ARE_SET_IN_ENVIRONMENT_VARIABLES_MESSAGE
- return success_message
+ return None
diff --git a/tests/cli/commands/configure/test_messages.py b/tests/cli/commands/configure/test_messages.py
new file mode 100644
index 00000000..9eb0190a
--- /dev/null
+++ b/tests/cli/commands/configure/test_messages.py
@@ -0,0 +1,28 @@
+from typing import TYPE_CHECKING
+
+from cycode.cli.apps.configure import messages
+from cycode.cli.config import CYCODE_CLIENT_ID_ENV_VAR_NAME, CYCODE_CLIENT_SECRET_ENV_VAR_NAME
+
+if TYPE_CHECKING:
+ import pytest
+
+
+def test_credentials_override_warning_absent_when_no_env_vars(monkeypatch: 'pytest.MonkeyPatch') -> None:
+ monkeypatch.delenv(CYCODE_CLIENT_ID_ENV_VAR_NAME, raising=False)
+ monkeypatch.delenv(CYCODE_CLIENT_SECRET_ENV_VAR_NAME, raising=False)
+
+ assert messages.get_credentials_environment_variables_override_warning() is None
+
+
+def test_credentials_override_warning_present_when_only_client_id_set(monkeypatch: 'pytest.MonkeyPatch') -> None:
+ monkeypatch.setenv(CYCODE_CLIENT_ID_ENV_VAR_NAME, 'env-client-id')
+ monkeypatch.delenv(CYCODE_CLIENT_SECRET_ENV_VAR_NAME, raising=False)
+
+ assert messages.get_credentials_environment_variables_override_warning() is not None
+
+
+def test_credentials_success_message_does_not_embed_override_warning(monkeypatch: 'pytest.MonkeyPatch') -> None:
+ monkeypatch.setenv(CYCODE_CLIENT_ID_ENV_VAR_NAME, 'env-client-id')
+ monkeypatch.setenv(CYCODE_CLIENT_SECRET_ENV_VAR_NAME, 'env-client-secret')
+
+ assert 'environment variables' not in messages.get_credentials_update_result_message()
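Review bot: The last test asserts `'environment variables' not in ...`, which depends on the wording of a constant this patch does not show; if `CREDENTIALS_ARE_SET_IN_ENVIRONMENT_VARIABLES_MESSAGE` does not contain that exact lowercase phrase, the assertion passes even when the notice is still embedded. Assert against the constant itself, for example `assert CREDENTIALS_ARE_SET_IN_ENVIRONMENT_VARIABLES_MESSAGE not in messages.get_credentials_update_result_message()`, importing it from `cycode.cli.apps.configure.consts`. The file also has no case for `get_urls_environment_variables_override_warning`, and nothing exercises `configure_command` to show the warning is printed when no value changed, which is the behaviour the commit message describes.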