7) remote add gen3: INI key persistence review
This section documents how git drs remote add gen3 persists credentials into ~/.gen3/gen3_client_config.ini and where current behavior is incorrect.
7.1 Current implementation path
- Command path:
cmd/remote/add/gen3.go (Gen3Cmd -> gen3Init(...)).
- Credentials are persisted via
configure.Save(cred) where configure is github.com/calypr/syfon/client/config manager.
- INI keys used by syfon config manager are:
key_id
api_key
access_token
api_endpoint
7.2 What gets written for each auth mode
A) --cred <json> mode
gen3Init(...) imports a credentials file and sets:
cred.APIKey -> saved as api_key
cred.KeyID -> saved as key_id
cred.AccessToken -> saved as access_token
This is generally correct for durable profile auth and token refresh behavior.
B) --token <token> mode
gen3Init(...) sets only:
AccessToken (saved as access_token)
APIKey is empty
KeyID is empty
Expected intent: profile should behave as token-only (no stale api_key/key_id).
7.3 Confirmed bug: stale INI keys are not cleared
syfon/client/config.Manager.Save(...) only writes keys when non-empty and does not clear existing keys when a field is empty.
Result:
- If a profile previously had
api_key/key_id (from --cred) and is later updated with --token, old api_key/key_id remain in the INI section.
- This can leave the profile in a mixed state (new
access_token, stale api_key/key_id).
Impact:
- Behavior may be confusing and can trigger unintended refresh attempts/validation paths that consider stale
api_key.
- Operators may think they switched to token-only auth, but persisted profile still carries old key material.
7.4 Secondary add remote bug (related)
--url is declared for git drs remote add gen3 (cmd/remote/add/init.go) but is not used in gen3Init(...).
gen3Init(...) always derives api_endpoint from token/profile data.
This is not an INI key-name bug, but it is an add remote correctness bug that affects what endpoint is saved to INI.
7.5 Potential fixes
Fix option 1 (preferred): make Save clear absent keys
In syfon/client/config.Manager.Save(...):
- If
APIKey == "", delete api_key from section.
- If
KeyID == "", delete key_id from section.
- If
AccessToken == "", delete access_token from section.
This makes INI persistence reflect the caller's credential intent and prevents stale key carry-over.
Fix option 2: explicit cleanup in gen3Init(...)
Before configure.Save(cred) in token-mode:
- Load existing profile
- explicitly blank/remove
api_key and key_id
- then save
This localizes fix to git-drs but duplicates config semantics that are better handled in syfon manager.
Fix option 3: wire --url and endpoint precedence
Update gen3Init(...) signature and call site to accept endpoint flag and use precedence:
- explicit
--url (if provided)
- parse from provided auth token/cred
- existing profile fallback
This resolves endpoint persistence drift and matches CLI expectation.
7.6 Suggested regression tests
- Start with profile containing
api_key + key_id + access_token.
- Run
git drs remote add gen3 ... --token ....
- Assert INI section no longer contains stale
api_key/key_id (or contains explicit empty values by chosen policy).
- Assert
api_endpoint honors --url when provided.
7)
remote add gen3: INI key persistence reviewThis section documents how
git drs remote add gen3persists credentials into~/.gen3/gen3_client_config.iniand where current behavior is incorrect.7.1 Current implementation path
cmd/remote/add/gen3.go(Gen3Cmd->gen3Init(...)).configure.Save(cred)whereconfigureisgithub.com/calypr/syfon/client/configmanager.key_idapi_keyaccess_tokenapi_endpoint7.2 What gets written for each auth mode
A)
--cred <json>modegen3Init(...)imports a credentials file and sets:cred.APIKey-> saved asapi_keycred.KeyID-> saved askey_idcred.AccessToken-> saved asaccess_tokenThis is generally correct for durable profile auth and token refresh behavior.
B)
--token <token>modegen3Init(...)sets only:AccessToken(saved asaccess_token)APIKeyis emptyKeyIDis emptyExpected intent: profile should behave as token-only (no stale
api_key/key_id).7.3 Confirmed bug: stale INI keys are not cleared
syfon/client/config.Manager.Save(...)only writes keys when non-empty and does not clear existing keys when a field is empty.Result:
api_key/key_id(from--cred) and is later updated with--token, oldapi_key/key_idremain in the INI section.access_token, staleapi_key/key_id).Impact:
api_key.7.4 Secondary
add remotebug (related)--urlis declared forgit drs remote add gen3(cmd/remote/add/init.go) but is not used ingen3Init(...).gen3Init(...)always derivesapi_endpointfrom token/profile data.This is not an INI key-name bug, but it is an
add remotecorrectness bug that affects what endpoint is saved to INI.7.5 Potential fixes
Fix option 1 (preferred): make Save clear absent keys
In
syfon/client/config.Manager.Save(...):APIKey == "", deleteapi_keyfrom section.KeyID == "", deletekey_idfrom section.AccessToken == "", deleteaccess_tokenfrom section.This makes INI persistence reflect the caller's credential intent and prevents stale key carry-over.
Fix option 2: explicit cleanup in
gen3Init(...)Before
configure.Save(cred)in token-mode:api_keyandkey_idThis localizes fix to git-drs but duplicates config semantics that are better handled in syfon manager.
Fix option 3: wire
--urland endpoint precedenceUpdate
gen3Init(...)signature and call site to accept endpoint flag and use precedence:--url(if provided)This resolves endpoint persistence drift and matches CLI expectation.
7.6 Suggested regression tests
api_key+key_id+access_token.git drs remote add gen3 ... --token ....api_key/key_id(or contains explicit empty values by chosen policy).api_endpointhonors--urlwhen provided.