fix/feat(cli): waiter fatal errors, --dry-run standardization, rename + secret masking#23
Merged
Conversation
The waiters treated every describe() error as transient and kept polling, so a 403 Forbidden (a key without permission) hung for the full attempt budget (e.g. 80 polls). Evaluators now return a fatal error for permanent client errors (400/401/403, and 404 for an active waiter) and runWaiter aborts immediately with exit 255. Transient errors (5xx, network) still retry; the deleted waiter still treats 404 as success. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…auto-upgrade-config Add shared cli.DryRunNotice/cli.Confirm helpers and apply a consistent preview -> --dry-run short-circuit -> [y/N] confirmation flow across destructive commands. Add --dry-run where it was missing: vServer server stop/reboot/delete, volume/vpc/subnet/secgroup/secgroup-rule delete, and vks delete-auto-upgrade-config. Existing vks delete-cluster/delete-nodegroup are retrofitted to the shared helpers (confirmation prompt unified to [y/N]). Rename `vks set-auto-upgrade-config` to `vks config-auto-upgrade`, keeping the old name as a deprecated cobra alias for backward compatibility. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
`configure set client_secret <SECRET>` echoed the raw secret to stdout
("Set 'client_secret' to '<SECRET>' ..."), leaking it into terminal
scrollback, CI logs, and redirects — even though `configure list` already
masks it. Mask client_id/client_secret in the confirmation line using the same
MaskCredential helper; non-sensitive values (region/output/project_id) are
still shown in full.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Several CLI-correctness, consistency, and hardening improvements.
1. Waiter aborts on permanent errors (bugfix)
grn vks waittreated every describe error as transient and polled until timeout, so a 403 Forbidden hung for the full attempt budget (~80 polls). Waiters now abort immediately on permanent client errors (400/401/403, and404for an active waiter) with exit 255; transient errors (5xx, network) still retry; the deleted waiter still treats404as success.2.
--dry-runstandardized on destructive commands (enhancement)Shared helpers
cli.DryRunNotice(verb)+cli.Confirm(force, prompt)drive a consistent preview →--dry-runshort-circuit →[y/N]confirm flow. Added--dry-runwhere missing:server stop/reboot/delete,volume/vpc/subnet/secgroup/secgroup-rule deletedelete-auto-upgrade-configvks delete-cluster/delete-nodegroupretrofitted to the shared helpers (prompt unified(yes/no)→[y/N]).3. Rename
set-auto-upgrade-config→config-auto-upgrade(api-change)Old name kept as a deprecated cobra alias; docs updated.
4. Mask secrets in
configure setoutput (bugfix / hardening)configure set client_secret <SECRET>echoed the raw secret to stdout, leaking it into scrollback / CI logs / redirects — even thoughconfigure listalready masks. Nowclient_id/client_secretare masked in the confirmation line (sameMaskCredentialhelper); non-sensitive values still shown.Testing
cli.Confirmforce path,displaySetValuemasking.go vet ./...clean; fullgo test ./...passes; build clean;--help/--dry-run/rename/alias/mask verified via the binary.🤖 Generated with Claude Code