refactor(wizard): rename --admin-token → --setup-token

Any token with policy-write + auth/token admin works; root is a convenient
default but a scoped service account is fine too. The previous naming
misrepresented the permission floor as root-only.

- flag: --admin-token → --setup-token
- wizard field: adminToken → setupToken
- prompt label: "OpenBao admin / root token" → "OpenBao setup token (needs
  policy write + auth/token admin perms; root is fine)"
- file doc + one comment reworded
- tests updated for the new label
- regression test (token-absent-from-stdout) kept unchanged

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Michal
2026-04-20 17:27:09 +01:00
parent ba4129a1e4
commit 1c5301289c
3 changed files with 21 additions and 19 deletions

@@ -83,7 +83,7 @@ describe('runSecretBackendOpenbaoWizard', () => {
'Token role name': 'app-mcpd-role',
},
password: {
'OpenBao admin / root token': 'root.admin.token',
'OpenBao setup token (needs policy write + auth/token admin perms; root is fine)': 'root.admin.token',
},
confirm: {
"Promote 'bao' to default backend?": true,
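Review bot: the full prompt label is hard-coded as the key of the `password` map here, and the same long literal is repeated in the two rejection tests further down, so any future wording tweak to the label means editing every test again. Export the label from the wizard module as a constant and key the scripted prompt on that. Separately, the fixture value on the same line is still 'root.admin.token', which carries the root-only framing this rename is meant to drop; a neutral value such as 'setup.token.value' would match the new naming.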
@@ -99,7 +99,7 @@ describe('runSecretBackendOpenbaoWizard', () => {
const firstCallInit = fetchFn.mock.calls[0]![1] as RequestInit;
expect((firstCallInit.headers as Record<string, string>)['X-Vault-Token']).toBe('root.admin.token');
// Secret was created with the minted token value (hvs.AAA), not the admin token
// Secret was created with the minted token value (hvs.AAA), not the setup token
expect(created.secret).toMatchObject({ name: 'bao-creds', data: { token: 'hvs.AAA' } });
// SecretBackend created with rotation config
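Review bot: the `toMatchObject` assertion under the reworded comment is a subset match, so it proves `data.token` is 'hvs.AAA' but would still pass if the setup token were stored in another field of the same secret. Since the comment claims the secret holds the minted token and not the setup token, add a direct negative check, for example `expect(JSON.stringify(created.secret)).not.toContain('root.admin.token')`.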
@@ -119,19 +119,19 @@ describe('runSecretBackendOpenbaoWizard', () => {
expect(fullLog).toContain("You have 2 secret(s) on 'default'");
expect(fullLog).toContain('mcpctl --direct migrate secrets --from default --to bao');
// Admin token never appears in the log (critical)
// Setup token never appears in the log (critical)
expect(fullLog).not.toContain('root.admin.token');
});
it('rejects when admin token is empty', async () => {
it('rejects when setup token is empty', async () => {
const prompt = scriptedPrompt({
input: { 'OpenBao URL': 'http://x' },
password: { 'OpenBao admin / root token': '' },
password: { 'OpenBao setup token (needs policy write + auth/token admin perms; root is fine)': '' },
});
await expect(runSecretBackendOpenbaoWizard(
{ name: 'bao' },
{ client: mockClient({}), log: () => {}, prompt, fetch: vi.fn() as unknown as typeof fetch },
)).rejects.toThrow(/admin token is required/);
)).rejects.toThrow(/setup token is required/);
});
it('rejects when vault is sealed', async () => {
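Review bot: the "never appears in the log (critical)" check only inspects `fullLog`, which is whatever the wizard sent through the injected `log` dependency, so a direct `console.log` or `process.stdout.write` of the token inside the wizard would not be caught. If the guarantee is about stdout, spy on those as well in this test and assert the token is absent from their calls. The check is also an exact substring match on the success path only; asserting the same on the message of a thrown error in one rejection test would cover the path where request details are most likely to be echoed.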
@@ -140,7 +140,7 @@ describe('runSecretBackendOpenbaoWizard', () => {
]);
const prompt = scriptedPrompt({
input: { 'OpenBao URL': 'http://x' },
password: { 'OpenBao admin / root token': 't' },
password: { 'OpenBao setup token (needs policy write + auth/token admin perms; root is fine)': 't' },
});
await expect(runSecretBackendOpenbaoWizard(
{ name: 'bao' },
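Review bot: the sealed-vault test uses 't' as the setup token on the changed `password` line, which is too short to support any meaningful "token not leaked" assertion, because a single letter will appear in almost any error text. Use a distinctive sentinel value here and assert that the rejection message does not contain it, so the sealed-vault error path gets the same leak coverage as the success path.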