fix(auth): honor config-defaulted --aspect-* flags, user-over-repo default, and migrate legacy credentials#1316
Conversation
… repo, and migrate legacy credentials Three fixes to the auth feature surfaced in review: - `_want` (deployment_flags.axl) gated capability injection on `is_explicit`, which is CLI-only, so a `config.axl` default like `aspect_remote_cache = True` was ignored in favor of the `--aspect-remote` umbrella. Honor a resolved-True granular flag regardless of source; a CLI `--aspect-remote-*=false` still opts out via `is_explicit`. (A config default of False still can't opt out of the umbrella — it's indistinguishable from the built-in default without config- explicit tracking; documented on `_want`.) - Default reconciliation across config layers only cleared the built-in seed's default, so a user `config.json` marking a different deployment default left both the repo and user entries default and `select_deployment` picked the earlier repo one. Replace `reconcile_seed_default` with `overlay_deployments`, which clears prior defaults whenever an overlaid layer introduces one, so a higher-precedence (user) layer's default wins. - The keyring backend never read the legacy `~/.aspect/credentials.json`, so users who logged in on a pre-keyring release appeared logged out after upgrade. When the keyring is empty, migrate the legacy file in (best-effort write- through to the keyring; the file's credentials are returned regardless). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 60453ca2cb
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| if map.is_empty() { | ||
| return migrate_legacy_file(); |
There was a problem hiding this comment.
Prevent stale file credentials from being re-imported
When an upgrading user still has the legacy ~/.aspect/credentials.json, this empty-keyring branch migrates it but leaves the file in place. Later logout/logout --all writes only the active keyring backend via save_all_credentials, so once the keyring entry is deleted or empty, the next credential load takes this branch again and re-imports the stale file, making logged-out credentials reappear. Remove/rename the legacy file after a successful keyring write, or otherwise record that migration has completed.
Useful? React with 👍 / 👎.
✨ Aspect Workflows Tasks📅 Tue Jul 7 00:52:13 UTC 2026 ❌ 3 failed tasks
|
Three fixes to the
aspect authfeature (#1312), each flagged in automated review on #1315 (out of scope there — the code lives in the merged auth work, not the BES change).1. Config-defaulted
--aspect-*flags were ignored._wantgated onctx.args.is_explicit(name), which only tracks CLI-supplied args — so a repoconfig.axldefault such asaspect_remote_cache = Truefell through to the--aspect-remoteumbrella instead of being honored (breaking the documented "config can default them on" path). Now a granular flag resolved toTrueis honored whatever its source, and — as before — a CLI--aspect-remote-*=falseopts that capability out of the umbrella. (A config default ofFalsestill cannot opt out of the umbrella: it's indistinguishable from the built-in default without config-explicit tracking. Documented on_want.)2. A user default couldn't override a repo default. Reconciling defaults across the seed → repo
config.json→ userconfig.jsonlayers only cleared the built-in seed's default. When a repo marked deployment A default and the user's config marked B, both stayeddefault = trueandselect_deploymentpicked the earlier (repo) A — soaspect auth use <B>/configure --defaultcouldn't take effect.reconcile_seed_defaultis replaced byoverlay_deployments, which clears prior defaults whenever an overlaid layer introduces one, so the higher-precedence (user) layer wins.3. Upgrading users appeared logged out. With a reachable keyring, the resolver read only the keyring and never the legacy
~/.aspect/credentials.jsonwritten by pre-keyring releases. It now migrates the legacy file in when the keyring is empty (best-effort write-through; the file's credentials are returned regardless of the write).Changes are visible to end-users: yes
Suggested release notes
aspect build/testnow honorconfig.axldefaults for the granular--aspect-remote-cache/--aspect-bes-backend/--aspect-remote-execflags.~/.aspect/config.jsondefault deployment now correctly overrides a repo-declared default.Test plan
deployment_flags_test.axl— a config-defaulted granular flag (value True, notis_explicit) is honored (test-deployment-flags).overlay_deployments_lets_a_layer_default_win(auth.rs) — a later layer's default wins, a no-default layer leaves the existing one, and the seed stays the fallback when nothing is default.legacy_file_is_read_for_migration(credential_store.rs) — the keyring-empty fallback reads the legacy file.test-deployment-flags,test-auth,test-aspect-endpoint-auth, and thecredential_storeunit tests.🤖 Generated with Claude Code