feat: replace hardcoded API token with per-user key registration

Bharatram-altimate-ai · claude · Bharatram-altimate-ai · commit 5ed4880466ea · 2026-03-16T11:38:20.000+05:30
- `api.py`: add `POST /auth/register` and `GET /auth/register` endpoints;
  split auth into `_verify_log_token` (static, for `/log-conversation`) and
  `_verify_validate_token` (checks registered `instance`+`api_key` pair from
  `registered_keys.json`, for `/validate*`); remove single `BearerTokenMiddleware`
- `validate.ts`: add `configure` subcommand — prompts for `--api-key` and
  `--instance`, POSTs to `/auth/register`, persists credentials to
  `~/.altimate-code/settings.json`
- `batch_validate.py`: replace hardcoded `API_TOKEN` with `_load_credentials()`
  that reads `altimate_api_key` + `altimate_instance` from `settings.json`;
  adds `x-tenant` header to all requests; exits with a clear error if
  credentials are missing (directs user to run `altimate validate configure`)

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/packages/opencode/src/cli/cmd/validate.ts b/packages/opencode/src/cli/cmd/validate.ts
@@ -5,6 +5,27 @@ import fs from "fs/promises"
 import path from "path"
 import os from "os"
 
+const BASE_URL = "https://apimi.tryaltimate.com"
+
+function getAltimateDotDir(): string {
+  return path.join(os.homedir(), ".altimate-code")
+}
+
+async function readSettings(): Promise<Record<string, unknown>> {
+  const settingsPath = path.join(getAltimateDotDir(), "settings.json")
+  try {
+    return JSON.parse(await fs.readFile(settingsPath, "utf-8"))
+  } catch {
+    return {}
+  }
+}
+
+async function writeSettings(settings: Record<string, unknown>): Promise<void> {
+  const dir = getAltimateDotDir()
+  await fs.mkdir(dir, { recursive: true })
+  await fs.writeFile(path.join(dir, "settings.json"), JSON.stringify(settings, null, 2))
+}
+
 // Injected at build time by build.ts (same pattern as ALTIMATE_CLI_MIGRATIONS).
 // In development these fall back to reading from disk via getAssets().
 declare const ALTIMATE_VALIDATE_SKILL_MD: string
@@ -75,9 +96,79 @@ const StatusSubcommand = cmd({
   },
 })
 
+const ConfigureSubcommand = cmd({
+  command: "configure",
+  describe: "register your Altimate API key to enable /validate",
+  builder: (yargs: Argv) =>
+    yargs
+      .option("api-key", { type: "string", description: "Your Altimate API key" })
+      .option("instance", { type: "string", description: "Your Altimate instance name (e.g. braltimate)" }),
+  handler: async (args) => {
+    prompts.intro("Altimate Validate — Configure")
+
+    const apiKey =
+      (args["api-key"] as string | undefined) ||
+      ((await prompts.text({
+        message: "Enter your Altimate API key:",
+        placeholder: "8a5b279d...",
+        validate: (v) => ((v ?? "").trim().length > 0 ? undefined : "API key is required"),
+      })) as string)
+
+    const instance =
+      (args["instance"] as string | undefined) ||
+      ((await prompts.text({
+        message: "Enter your Altimate instance name:",
+        placeholder: "braltimate",
+        validate: (v) => ((v ?? "").trim().length > 0 ? undefined : "Instance name is required"),
+      })) as string)
+
+    if (prompts.isCancel(apiKey) || prompts.isCancel(instance)) {
+      prompts.cancel("Cancelled.")
+      process.exit(0)
+    }
+
+    const spinner = prompts.spinner()
+    spinner.start("Registering with validation server...")
+
+    try {
+      const res = await fetch(`${BASE_URL}/auth/register`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ api_key: apiKey, instance }),
+      })
+
+      if (!res.ok) {
+        const body = await res.text()
+        spinner.stop("Registration failed.")
+        prompts.log.error(`Server returned ${res.status}: ${body}`)
+        process.exit(1)
+      }
+
+      spinner.stop("Registered with validation server.")
+    } catch (err) {
+      spinner.stop("Could not reach validation server.")
+      prompts.log.warn(`Warning: ${err}. Credentials saved locally anyway.`)
+    }
+
+    // Save credentials to ~/.altimate-code/settings.json
+    const settings = await readSettings()
+    settings.altimate_api_key = apiKey
+    settings.altimate_instance = instance
+    await writeSettings(settings)
+
+    prompts.log.success(`Credentials saved to ${path.join(getAltimateDotDir(), "settings.json")}`)
+    prompts.outro("Configuration complete. You can now run /validate.")
+  },
+})
+
 export const ValidateCommand = cmd({
   command: "validate",
   describe: "manage the Altimate validation framework (/validate skill)",
-  builder: (yargs: Argv) => yargs.command(InstallSubcommand).command(StatusSubcommand).demandCommand(),
+  builder: (yargs: Argv) =>
+    yargs
+      .command(InstallSubcommand)
+      .command(StatusSubcommand)
+      .command(ConfigureSubcommand)
+      .demandCommand(),
   handler: () => {},
 })
diff --git a/packages/opencode/src/skill/validate/batch_validate.py b/packages/opencode/src/skill/validate/batch_validate.py
@@ -60,11 +60,47 @@ def _find_project_root(override=None):
 # Configuration
 # ---------------------------------------------------------------------------
 BASE_URL = "https://apimi.tryaltimate.com"
-API_TOKEN = "tDhUZUPjzXceL91SqFDoelSTsL1TRtIBFGfHAggCAEO8SBUN-EAOIh4fbeOJKd_h"
 
 LOG_DIR = _project_root / "logs"
 LOG_DIR.mkdir(exist_ok=True)
 
+
+def _load_credentials() -> tuple[str, str]:
+    """Read api_key and instance from ~/.altimate-code/settings.json.
+
+    Exits with a clear message if credentials are missing.
+    """
+    settings_path = Path.home() / ".altimate-code" / "settings.json"
+    if not settings_path.exists():
+        print(
+            "ERROR: Altimate credentials not found.\n"
+            "Run: altimate validate configure --api-key <key> --instance <instance>",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+    try:
+        settings = json.loads(settings_path.read_text())
+    except Exception as e:
+        print(f"ERROR: Could not read settings.json: {e}", file=sys.stderr)
+        sys.exit(1)
+
+    api_key = settings.get("altimate_api_key", "").strip()
+    instance = settings.get("altimate_instance", "").strip()
+
+    if not api_key or not instance:
+        print(
+            "ERROR: altimate_api_key or altimate_instance missing from settings.json.\n"
+            "Run: altimate validate configure --api-key <key> --instance <instance>",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+    return api_key, instance
+
+
+_API_KEY, _INSTANCE = _load_credentials()
+
 # ---------------------------------------------------------------------------
 # HTTP session — retry adapter handles stale keep-alive connections mid-batch
 # ---------------------------------------------------------------------------
@@ -76,8 +112,9 @@ def _find_project_root(override=None):
 _SESSION.mount("http://", _adapter)
 
 _HEADERS = {
-    "Authorization": f"Bearer {API_TOKEN}",
+    "Authorization": f"Bearer {_API_KEY}",
     "Content-Type": "application/json",
+    "x-tenant": _INSTANCE,
 }
 
 
