Add context configuration and token-based authentication (client-side) #66

Merged: Furisto merged 6 commits into main from remote-context, Dec 30, 2025

@Furisto Furisto commented Dec 29, 2025

Summary

Add client-side context configuration and token-based authentication support, enabling users to connect to remote Construct daemons with secure token storage.

Context

This implements Phase 1 (Context Configuration System) and Phase 2 (Client Token Resolution) from the multi-environment context and authentication plan. Users need the ability to:

  • Connect to remote Construct daemons (EC2, VMs, shared servers)
  • Securely store authentication tokens in the system keyring
  • Switch between multiple environments (local, dev, staging, prod)

Related: plan.md outlines the full implementation including server-side token management (future phases).

Changes

API Client ()

  • Added struct with type, token, and token-ref fields
  • Added ClientOption with Connect interceptor for Bearer token injection
  • Tokens injected on both unary and streaming RPC requests

Shared Package ()

  • New package wrapping for cross-platform secure storage
    • macOS: Keychain
    • Linux: Secret Service (GNOME Keyring, KWallet)
    • Windows: Credential Manager
  • Extended with:
    • Auth-aware
    • with automatic keyring cleanup
    • Token storage/retrieval wrapper methods

CLI ()

  • Added global flag to override current context
  • Added environment variable support
  • Resolution order: flag > env > config
  • Token resolution from inline config or keyring reference
  • Updated existing callers to pass nil auth

Testing

Integration testing requires the context CLI commands (Phase 3) which will be implemented next.

Notes

  • ⚠️ This is the client-side implementation only. Server-side token generation/validation is Phase 2 of the plan.
  • Follow-up: Implement CLI commands (list, add, remove, use, show, current)
  • Follow-up: Implement setup code exchange for secure onboarding

Furisto and others added 6 commits December 29, 2025 12:36

Extend the context configuration schema to support authentication:
- Add AuthConfig struct with type, token, and token-ref fields
- Support inline tokens and keyring references (keyring://construct/<name>)
- Add validation for auth configuration in EndpointContext.Validate()
- Add helper methods IsConfigured() and KeyringKey() for token resolution

Co-authored-by: construct-agent <noreply@construct.sh>

Introduce shared/keyring package for cross-platform secure credential storage:
- KeyringProvider wraps zalando/go-keyring for macOS Keychain, Linux Secret
  Service, and Windows Credential Manager support
- Custom error types ErrSecretNotFound and ErrSecretTooLarge for typed handling
- Provider interface for dependency injection and testing
- Configurable service name with default construct

This enables CLI to store authentication tokens securely in the system keyring.

Co-authored-by: construct-agent <noreply@construct.sh>

Update ContextManager to support authentication configuration:
- Add keyringProvider field for secure token storage operations
- Add NewContextManagerWithKeyring constructor for dependency injection
- Extend UpsertContext with optional auth parameter
- Add GetContext and ListContexts helper methods
- Add DeleteContext that cleans up keyring tokens automatically
- Add StoreToken, RetrieveToken, DeleteToken wrapper methods

Update existing callers to pass nil for auth parameter (local contexts).

Co-authored-by: construct-agent <noreply@construct.sh>

Implement WithAuthToken ClientOption that adds a Connect interceptor to
inject Authorization: Bearer headers on all requests:
- authInterceptor implements connect.Interceptor interface
- WrapUnary adds auth header to unary RPC requests
- WrapStreamingClient adds auth header to streaming client requests
- WrapStreamingHandler passes through (client-side only)

Co-authored-by: construct-agent <noreply@construct.sh>

Integrate authentication token resolution into API client creation:
- Add --context global flag to override current context for single invocation
- Support CONSTRUCT_CONTEXT environment variable with resolution order:
  flag > env > config
- Add resolveContextName helper for context selection logic
- Add buildClientOptions to configure auth when context has token configured
- Add resolveToken to retrieve tokens from inline config or keyring
- Skip context requirement for context.* commands (upcoming)
- Update error messages to reference new context commands

Co-authored-by: construct-agent <noreply@construct.sh>

@Furisto Furisto marked this pull request as ready for review December 29, 2025 22:57
@Furisto Furisto merged commit 6065526 into main Dec 30, 2025
1 check passed
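
The resolution rules described in this PR (context name from flag > env > config, token from an inline value or a `keyring://construct/<name>` reference) can be sketched as follows. This is an added example, not the project's code: the function names echo the commit messages, but their bodies, the `Provider` and `memKeyring` types, and the rule that `token` and `token-ref` may not both be set are assumptions made here.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthConfig holds the fields named in the PR; this Go shape is assumed.
type AuthConfig struct{ Type, Token, TokenRef string }
// Provider and memKeyring are hypothetical stand-ins for the keyring provider.
type Provider interface{ Get(name string) (string, error) }
type memKeyring map[string]string

func (m memKeyring) Get(name string) (string, error) {
	if v, ok := m[name]; ok {
		return v, nil
	}
	return "", fmt.Errorf("secret %q not found", name)
}

// resolveContextName applies the PR's order: flag > env > config.
func resolveContextName(flag, env, cfg string) string {
	for _, v := range []string{flag, env, cfg} {
		if v != "" {
			return v
		}
	}
	return ""
}

// resolveToken returns "" only when no auth is set; a failed lookup is an error.
func resolveToken(a *AuthConfig, kr Provider) (string, error) {
	const prefix = "keyring://construct/"
	switch {
	case a == nil || (a.Token == "" && a.TokenRef == ""):
		return "", nil
	case a.Token != "" && a.TokenRef != "": // assumed rule: reject ambiguous config
		return "", fmt.Errorf("auth: set token or token-ref, not both")
	case a.Token != "":
		return a.Token, nil
	case !strings.HasPrefix(a.TokenRef, prefix) || a.TokenRef == prefix:
		return "", fmt.Errorf("auth: unsupported token-ref %q", a.TokenRef)
	}
	return kr.Get(strings.TrimPrefix(a.TokenRef, prefix))
}

func main() {
	kr := memKeyring{"prod": "constructed-token"} // constructed sample secret
	fmt.Println(resolveToken(&AuthConfig{TokenRef: "keyring://construct/prod"}, kr))
}
```

Returning an error when the keyring entry is missing keeps a remote context from silently falling back to an unauthenticated request.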