feat(cli): add supports subcommand and xtest env auth fallbacks#167
Conversation
Enable community xtest Stage-1 integration: - supports <feature> exits 0/1/2 for supported/unsupported/unknown - Read CLIENTID/CLIENTSECRET/PLATFORMURL/KASURL/KCFULLURL when flags omit - Keep advertised features conservative (autoconfigure, connectrpc, hexless, kasallowlist)
There was a problem hiding this comment.
Code Review
This pull request introduces environment variable fallbacks for SDK configuration (such as CLIENTID, CLIENTSECRET, PLATFORMURL, KCFULLURL, and KASURL) and adds a new 'supports' CLI subcommand to query supported features. The review feedback suggests improving robustness by using getattr and setattr on the arguments object to prevent potential AttributeErrors, and refactoring cmd_supports to return exit codes instead of calling sys.exit() directly to improve testability.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
- Use getattr/setattr in build_sdk for robust args handling (mocks/tests) - cmd_supports returns int (0/1/2); main() calls sys.exit with the result - Add in-process unit test for cmd_supports return codes
|
Addressed Gemini Code Assist feedback in b93ea22:
|
…ail-fast auth Fixes the three failures observed in community conformance run arkavo-org/opentdf-tests 29210974140: - encrypt: an explicit --kas-endpoint now replaces the platform-derived default KAS instead of extending it, and _validate_kas_infos dedupes same-URL entries — the manifest carried two key access objects for the same KAS (expected one). - OIDC discovery: an --oidc-endpoint that already names a realm is used verbatim; the realm segment was being appended twice (…/auth/realms/opentdf/realms/opentdf/…) and 404'd. - rewrap: token-acquisition failure now raises instead of sending an unauthenticated request that KAS rejects with a misleading "missing authorization header". Also clears ruff findings (B010 setattr, D413, C901 main complexity) introduced by the earlier review-feedback commit so CI lint passes. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Dvm7uKaNssz7ztu3nAmf7u
|
Pushed
Also cleared the ruff findings ( Regression tests: |
|
Local end-to-end verification of
3 passed, 1 skipped (out-of-focus go→go). Inspected the python-encrypted manifest directly: (One local-env note, unrelated to this SDK: the EC-rewrap re-decrypt step needs These are the same three cases that failed in community conformance run 29210974140. The Test Suite / Build Wheel workflows on this PR are waiting on maintainer approval to run. |
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces several fixes and enhancements to align with the community xtest contract. Key changes include adding environment variable fallbacks for authentication and endpoint configuration, implementing a supports CLI subcommand to probe features, and improving OIDC discovery to handle realm paths correctly without doubling them. Additionally, it ensures KAS endpoints are deduplicated and that KAS rewrap fails fast if token acquisition fails. Unit and regression tests are added to cover these scenarios. The reviewer suggested normalizing KAS URLs to lowercase during deduplication to prevent duplicates caused by casing differences.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| seen_urls = set() | ||
| unique_kas_infos = [] | ||
| for kas in kas_infos: | ||
| url_key = (getattr(kas, "url", "") or "").rstrip("/") |
There was a problem hiding this comment.
When deduplicating KAS URLs, comparing them with case sensitivity can lead to duplicate entries if there are minor casing differences in the scheme or hostname (e.g., http:// vs HTTP:// or localhost vs Localhost). Normalizing the URL key to lowercase ensures robust deduplication.
| url_key = (getattr(kas, "url", "") or "").rstrip("/") | |
| url_key = (getattr(kas, "url", "") or "").rstrip("/").lower() |
|
This looks great, thank you for the contribution @arkavo-com ! 🙇 🎉 |
Summary
Adds community xtest integration surface for OpenTDF cross-SDK conformance:
supports <feature>— exit codes0supported /1unsupported /2unknown (matches official go/java/js CLI contract)CLIENTID/CLIENTSECRET/PLATFORMURL/KASURL/KCFULLURLwhen CLI flags are omitted (so shims need not put secrets on argv)autoconfigure,connectrpc,hexless,kasallowlistContext
Used by arkavo-org/opentdf-tests community Stage-1 CI (
python↔go@mainztdf roundtrips). See community-conformance.md.Test plan
tests/test_cli_supports.pypython -m otdf_python supports autoconfigure→ 0;ecwrap→ 1; unknown → 2