
feat: switch execute to orchestrator API, add secret command #174

Open
AlephNotation wants to merge 6 commits into main from ty/exec-api

@AlephNotation
Contributor

Summary

Switches vers execute from direct SSH to the orchestrator's exec streaming API, and adds a new vers secret command for managing sensitive environment variables.

Execute via orchestrator API

vers execute now uses POST /api/v1/vm/{id}/exec/stream by default. Commands flow through the vsock agent inside the VM, which means they automatically inherit /etc/environment (secrets and env vars).

vers execute <vm> ls -la /
vers execute <vm> echo $ANTHROPIC_API_KEY
vers execute --ssh <vm> echo "legacy path"   # direct SSH fallback
vers execute -w /app <vm> npm start           # working directory support

Key changes:

  • Streams NDJSON output (stdout/stderr) in real time
  • Propagates remote exit codes to the CLI process
  • --ssh flag preserves legacy SSH behavior
  • SetInterspersed(false) so command flags like -la pass through correctly
  • --workdir / -w for remote working directory

vers secret command

New command for managing sensitive values with security-conscious UX. Uses the same /api/v1/env_vars backend — no API changes needed.

vers secret set ANTHROPIC_API_KEY              # prompts with hidden input
vers secret set DATABASE_URL postgres://...     # inline value
echo "sk-ant-..." | vers secret set API_KEY     # piped stdin
vers secret list                                # masked: sk-a****yz
vers secret list --reveal                       # full values
vers secret delete OLD_TOKEN

Differences from vers env:

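|               | vers env            | vers secret                         |
|---------------|---------------------|-------------------------------------|
| Value input   | Required inline arg | Optional — hidden prompt if omitted |
| List output   | Full values         | Masked unless --reveal              |
| Shell history | Value visible       | Value never in history              |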

Files changed

| File | Change |
|------|--------|
| cmd/execute.go | API by default, --ssh fallback, --workdir, flag passthrough |
| internal/handlers/execute.go | Dual path: API streaming + SSH fallback |
| internal/services/vm/exec.go | New — orchestrator exec stream client |
| internal/presenters/execute_types.go | Added ExitCode to view |
| cmd/secret.go | New — vers secret set/list/delete |
| cmd/secret_test.go | Masking tests |
| cmd/env.go | Cross-reference to vers secret in help |

Context

Part of the virtual secrets work (design doc). Routing exec through the orchestrator API ensures secrets in /etc/environment are visible to all commands, and sets up the foundation for cross-account secret isolation on the backend.

- Execute now uses POST /api/v1/vm/{id}/exec/stream by default
  instead of direct SSH. This routes through the vsock agent,
  which inherits /etc/environment (secrets/env vars). --ssh flag
  preserves legacy SSH behavior.

- Flags pass through correctly to remote commands (SetInterspersed)

- New 'vers secret' command (set/list/delete) with:
  - Masked output by default (--reveal to show)
  - Hidden terminal input when value omitted
  - Piped stdin support

- New exec service (internal/services/vm/exec.go) for orchestrator API

- Cross-reference from 'vers env' help to 'vers secret'
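
An added example, not code from this PR: one way the masked `vers secret list` output and the piped-stdin input described above could behave. The function names, the 12-character threshold and the 64 KiB input cap are assumptions; the head-4/tail-2 shape follows the `sk-a****yz` sample in the description.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
	"unicode/utf8"
)

// Constructed policy: show 4 leading and 2 trailing characters, matching the
// "sk-a****yz" sample in the PR description. minMaskLen is an assumption.
const (
	showHead   = 4
	showTail   = 2
	minMaskLen = 12
)

// maskSecret returns a display-safe form of v. Values shorter than minMaskLen
// are fully masked, because head+tail would expose most or all of them.
// The fixed-width "****" also hides the true length of the value.
func maskSecret(v string) string {
	if utf8.RuneCountInString(v) < minMaskLen {
		return "****"
	}
	r := []rune(v) // slice by rune so multi-byte characters are not split
	return string(r[:showHead]) + "****" + string(r[len(r)-showTail:])
}

// readPipedSecret reads a value from piped stdin and strips the single line
// ending that `echo` appends, so the stored secret is not "key\n".
func readPipedSecret(in io.Reader) (string, error) {
	b, err := io.ReadAll(io.LimitReader(in, 64<<10)) // cap input at 64 KiB
	if err != nil {
		return "", err
	}
	v := strings.TrimSuffix(strings.TrimSuffix(string(b), "\n"), "\r")
	if v == "" {
		return "", errors.New("empty secret value")
	}
	return v, nil
}

func main() {
	// Constructed sample value, not a real key.
	v, err := readPipedSecret(strings.NewReader("sk-ant-constructed-sample-xyz\n"))
	fmt.Println(maskSecret(v), err)
	fmt.Println(maskSecret("hunter2"))
}
```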