Show env var auth status in cloud auth status#119
Merged
Conversation
Check for CLICKHOUSE_CLOUD_API_KEY and CLICKHOUSE_CLOUD_API_SECRET environment variables and display their status (Active, Incomplete, or Not configured) in the auth status table. Closes #109 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
iskakaushik
approved these changes
Apr 16, 2026
Closes #48. Credentials can come from CLI flags, `.clickhouse/credentials.json`, env vars, or OAuth tokens, and it was hard to tell which one actually won precedence when debugging. `--debug` now prints the resolved source and API URL to stderr, so it works equally well with and without `--json`. `cloud auth status` also gains an `Active` column that marks the winning source, reusing the same resolution logic.
3 tasks
Plumbs all 13 ClickHouse Cloud managed Postgres operations into the CLI under `clickhousectl cloud postgres ...` — CRUD, lifecycle (restart/ promote/switchover), CA certs, runtime config (get/replace/patch with --set key=value overrides), password reset, read replica creation, and PITR restore. Lives in its own src/cloud/postgres.rs module with 33 new unit + parse tests and the full write-classification coverage. Closes #116 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mirrors the ClickHouse service lifecycle test (create, wait-running, list, certs, config get, PATCH tags, password reset, restart, delete) against the Postgres endpoints, wired into the scheduled Cloud Integration workflow. Password step treats a successful 200 as the pass condition: per the OpenAPI spec, PostgresServicePasswordResource.password is only populated when the request omits `password`, so the supplied-password path returns empty by design. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tables now render using only ASCII `|` and `-` instead of the non-standard rounded box-drawing characters, so output is readable in minimal terminals and log aggregators and pasteable into issues/PRs. Closes #126
Closes #133. Uses the is-ai-agent crate to detect when the CLI is invoked under a known agent (Claude Code, Cursor, Gemini CLI, Codex, Goose, Devin, etc.) and appends an agent=<id> query param to outbound requests to ClickHouse-owned hosts (builds.clickhouse.com, packages.clickhouse.com, api.clickhouse.cloud). GitHub and other third-party hosts are not annotated. The cloud library gains a generic Client::with_extra_query_params builder so the CLI can attach the tag to every request.
Three of the four credential branches in CloudClient::new differed only in which (key, secret) pair they pulled and which AuthSource label to attach. Introduce ResolvedAuth + resolve_auth() to walk the precedence ladder once, then build the lib client and tag it with the agent param at a single site. resolve_active_auth_source becomes a thin wrapper that preserves its lenient half-set CLI-flag behavior for cloud auth status.
The helper is only called from cloud auth status, which never has --api-key/--api-secret to pass (the subcommand doesn't accept them). The half-set lenient branch and its test were protecting a contract no production caller exercises. Inlining the only sensible call removes the dead parameters and the dead branch, leaving a one-line wrapper that documents its actual purpose: peek at credential precedence without erroring on the empty case (which auth status needs to render no-creds-configured correctly).
The local AgentId -> kebab-case match arm was duplicating a mapping the crate already maintains for its AGENT= env var parser. is-ai-agent 0.2.1 exposes AgentId::as_str returning the canonical kebab-case id (claude-code, gemini-cli, etc.) — the inverse of the parser. Switch to it. Replaces our 12-arm match plus exhaustive variant test with a single delegation and a contract test against the upstream lookup. New agents added upstream automatically flow through without code changes here.
…arams Rather than thread an agent search param through every clickhouse.com request (with a URL-domain gate, two helpers, and a generic extra-query-params feature on the cloud library), fold the signal into the User-Agent header that every outbound request already carries: clickhousectl/0.1.18 (agent=claude-code). RFC 7231 allows parenthesised comments in User-Agent, and this matches conventional shapes (Mozilla/5.0 etc). Detection still uses is-ai-agent. The change deletes the agent_signal module, the cloud library extra_query_params API + tests, the URL-host parser, and the per-call-site wrappers in version_manager — net -146 lines vs the previous implementation. Every reqwest::Client::builder() in the codebase already calls user_agent::user_agent(), so the new attribution flows through with zero per-call-site wiring.
It's now a one-line implementation detail of an analytics signal — not user-facing functionality, not configurable, not surprising for a future reader to understand from the user_agent.rs source. Doesn't earn a documentation entry.
Pull in upstream security fixes flagged by Dependabot. Both are transitive dependencies; lockfile-only update, no API or behaviour changes. Build and full workspace tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bump clickhousectl to 0.2.0
Tag clickhouse.com requests with detected AI agent
Switch tabled tables to markdown style
Add cloud postgres subcommand tree
Add --debug flag to report winning cloud credential source
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
cloud auth statusthat checks forCLICKHOUSE_CLOUD_API_KEYandCLICKHOUSE_CLOUD_API_SECRETenvironment variables--jsonoutputCloses #109
Test plan
cargo build— cleancargo test -p clickhousectl— 204 tests passcargo clippy— no warnings--jsonoutput includes the env vars row🤖 Generated with Claude Code