feat(cli,sdk): credential name resolution + FindByName across all subcommands

user · claude · user · commit a5ef660cf3b2 · 2026-05-18T14:10:46.000-04:00
Add resolveCredentialID helper to credential subcommand (get, update, delete, token) enabling name-based lookups with ID fallback. Add FindByName to SDK credential_extensions.go using TSL search. Fix apply to use FindByName for upsert. Add platform-managed pod ingress rule to runner NetworkPolicy. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.gitignore b/.gitignore
@@ -138,6 +138,7 @@ scripts/feedback-loop/.last-run
 **/minio-credentials-secret.yaml
 **/postgresql-credentials-secret.yaml
 **/unleash-credentials-secret.yaml
+.secrets/
 
 # One-off analysis and experiments
 repomix-analysis/
diff --git a/components/ambient-cli/cmd/acpctl/apply/cmd.go b/components/ambient-cli/cmd/acpctl/apply/cmd.go
@@ -243,7 +243,7 @@ func applyProject(ctx context.Context, client *sdkclient.Client, doc resource) (
 }
 
 func applyCredential(ctx context.Context, client *sdkclient.Client, doc resource) (applyResult, error) {
-	existing, err := client.Credentials().Get(ctx, doc.Name)
+	existing, err := client.Credentials().FindByName(ctx, doc.Name)
 	if err != nil {
 		token := os.ExpandEnv(doc.Token)
 		builder := sdktypes.NewCredentialBuilder().
@@ -271,7 +271,7 @@ func applyCredential(ctx context.Context, client *sdkclient.Client, doc resource
 		if buildErr != nil {
 			return applyResult{}, buildErr
 		}
-		if _, createErr := client.Credentials().Create(ctx, cred); createErr != nil {
+		if _, createErr := client.Credentials().CreateCompat(ctx, cred); createErr != nil {
 			return applyResult{}, createErr
 		}
 		return applyResult{Kind: "Credential", Name: doc.Name, Status: "created"}, nil
diff --git a/components/ambient-cli/cmd/acpctl/credential/cmd.go b/components/ambient-cli/cmd/acpctl/credential/cmd.go
@@ -9,6 +9,7 @@ import (
 	"github.com/ambient-code/platform/components/ambient-cli/pkg/config"
 	"github.com/ambient-code/platform/components/ambient-cli/pkg/connection"
 	"github.com/ambient-code/platform/components/ambient-cli/pkg/output"
+	sdkclient "github.com/ambient-code/platform/components/ambient-sdk/go-sdk/client"
 	sdktypes "github.com/ambient-code/platform/components/ambient-sdk/go-sdk/types"
 	"github.com/spf13/cobra"
 )
@@ -103,7 +104,11 @@ var getCmd = &cobra.Command{
 		ctx, cancel := context.WithTimeout(context.Background(), cfg.GetRequestTimeout())
 		defer cancel()
 
-		credential, err := client.Credentials().Get(ctx, args[0])
+		credID, err := resolveCredentialID(ctx, client, args[0])
+		if err != nil {
+			return err
+		}
+		credential, err := client.Credentials().Get(ctx, credID)
 		if err != nil {
 			return fmt.Errorf("get credential %q: %w", args[0], err)
 		}
@@ -187,7 +192,7 @@ var createCmd = &cobra.Command{
 			return fmt.Errorf("build credential: %w", err)
 		}
 
-		created, err := client.Credentials().Create(ctx, cred)
+		created, err := client.Credentials().CreateCompat(ctx, cred)
 		if err != nil {
 			return fmt.Errorf("create credential: %w", err)
 		}
@@ -259,7 +264,11 @@ var updateCmd = &cobra.Command{
 			patch = patch.Annotations(updateArgs.annotations)
 		}
 
-		updated, err := client.Credentials().Update(ctx, args[0], patch.Build())
+		credID, err := resolveCredentialID(ctx, client, args[0])
+		if err != nil {
+			return err
+		}
+		updated, err := client.Credentials().Update(ctx, credID, patch.Build())
 		if err != nil {
 			return fmt.Errorf("update credential: %w", err)
 		}
@@ -296,7 +305,11 @@ var deleteCmd = &cobra.Command{
 		ctx, cancel := context.WithTimeout(context.Background(), cfg.GetRequestTimeout())
 		defer cancel()
 
-		if err := client.Credentials().Delete(ctx, args[0]); err != nil {
+		credID, err := resolveCredentialID(ctx, client, args[0])
+		if err != nil {
+			return err
+		}
+		if err := client.Credentials().Delete(ctx, credID); err != nil {
 			return fmt.Errorf("delete credential: %w", err)
 		}
 
@@ -329,7 +342,11 @@ var tokenCmd = &cobra.Command{
 		ctx, cancel := context.WithTimeout(context.Background(), cfg.GetRequestTimeout())
 		defer cancel()
 
-		resp, err := client.Credentials().GetToken(ctx, args[0])
+		credID, err := resolveCredentialID(ctx, client, args[0])
+		if err != nil {
+			return err
+		}
+		resp, err := client.Credentials().GetToken(ctx, credID)
 		if err != nil {
 			return fmt.Errorf("get token for credential %q: %w", args[0], err)
 		}
@@ -451,6 +468,18 @@ func init() {
 	bindCmd.Flags().StringVar(&bindArgs.project, "project", "", "Project to bind the credential to (required)")
 }
 
+func resolveCredentialID(ctx context.Context, client *sdkclient.Client, nameOrID string) (string, error) {
+	cred, err := client.Credentials().Get(ctx, nameOrID)
+	if err == nil {
+		return cred.ID, nil
+	}
+	cred, err = client.Credentials().FindByName(ctx, nameOrID)
+	if err != nil {
+		return "", fmt.Errorf("credential %q not found by ID or name", nameOrID)
+	}
+	return cred.ID, nil
+}
+
 func printCredentialTable(printer *output.Printer, credentials []sdktypes.Credential) error {
 	columns := []output.Column{
 		{Name: "ID", Width: 27},
diff --git a/components/ambient-cli/cmd/acpctl/delete/cmd.go b/components/ambient-cli/cmd/acpctl/delete/cmd.go
@@ -132,7 +132,11 @@ func run(cmd *cobra.Command, cmdArgs []string) error {
 		return nil
 
 	case "credential", "credentials", "cred", "creds":
-		if err := client.Credentials().Delete(ctx, name); err != nil {
+		deleteID := name
+		if cred, findErr := client.Credentials().FindByName(ctx, name); findErr == nil {
+			deleteID = cred.ID
+		}
+		if err := client.Credentials().Delete(ctx, deleteID); err != nil {
 			return fmt.Errorf("delete credential %q: %w", name, err)
 		}
 		fmt.Fprintf(cmd.OutOrStdout(), "credential/%s deleted\n", name)
diff --git a/components/ambient-cli/cmd/acpctl/describe/cmd.go b/components/ambient-cli/cmd/acpctl/describe/cmd.go
@@ -102,7 +102,10 @@ func run(cmd *cobra.Command, cmdArgs []string) error {
 	case "credential", "credentials", "cred", "creds":
 		cred, err := client.Credentials().Get(ctx, name)
 		if err != nil {
-			return fmt.Errorf("describe credential %q: %w", name, err)
+			cred, err = client.Credentials().FindByName(ctx, name)
+			if err != nil {
+				return fmt.Errorf("describe credential %q: %w", name, err)
+			}
 		}
 		return printer.PrintJSON(cred)
 
diff --git a/components/ambient-cli/cmd/acpctl/get/cmd.go b/components/ambient-cli/cmd/acpctl/get/cmd.go
@@ -472,7 +472,10 @@ func getCredentials(ctx context.Context, client *sdkclient.Client, printer *outp
 	if name != "" {
 		cred, err := client.Credentials().Get(ctx, name)
 		if err != nil {
-			return fmt.Errorf("get credential %q: %w", name, err)
+			cred, err = client.Credentials().FindByName(ctx, name)
+			if err != nil {
+				return fmt.Errorf("get credential %q: %w", name, err)
+			}
 		}
 		if printer.Format() == output.FormatJSON {
 			return printer.PrintJSON(cred)
diff --git a/components/ambient-sdk/go-sdk/client/credential_extensions.go b/components/ambient-sdk/go-sdk/client/credential_extensions.go
@@ -2,6 +2,8 @@ package client
 
 import (
 	"context"
+	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/url"
 
@@ -15,3 +17,40 @@ func (a *CredentialAPI) GetToken(ctx context.Context, id string) (*types.Credent
 	}
 	return &result, nil
 }
+
+func (a *CredentialAPI) FindByName(ctx context.Context, name string) (*types.Credential, error) {
+	opts := types.NewListOptions().Size(100).Build()
+	opts.Search = fmt.Sprintf("name = '%s'", name)
+	list, err := a.List(ctx, opts)
+	if err != nil {
+		return nil, err
+	}
+	for _, c := range list.Items {
+		if c.Name == name {
+			return &c, nil
+		}
+	}
+	return nil, fmt.Errorf("credential with name %q not found", name)
+}
+
+// CreateCompat creates a credential with project_id for backward compatibility
+// with server images that predate migration 202505120001 (drop project_id column).
+// Remove once all environments run the updated server.
+func (a *CredentialAPI) CreateCompat(ctx context.Context, resource *types.Credential) (*types.Credential, error) {
+	payload := struct {
+		*types.Credential
+		ProjectID string `json:"project_id,omitempty"`
+	}{
+		Credential: resource,
+		ProjectID:  a.client.project,
+	}
+	body, err := json.Marshal(payload)
+	if err != nil {
+		return nil, fmt.Errorf("marshal credential: %w", err)
+	}
+	var result types.Credential
+	if err := a.client.do(ctx, http.MethodPost, "/credentials", body, http.StatusCreated, &result); err != nil {
+		return nil, err
+	}
+	return &result, nil
+}
diff --git a/components/manifests/base/runner-networkpolicy.yaml b/components/manifests/base/runner-networkpolicy.yaml
@@ -18,3 +18,8 @@ spec:
           podSelector:
             matchLabels:
               app: ambient-code-runner
+    - from:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              ambient-code.io/managed: "true"

Original file line number	Diff line number	Diff line change
`@@ -243,7 +243,7 @@ func applyProject(ctx context.Context, client *sdkclient.Client, doc resource) (`
`243`	`243`	`}`
`244`	`244`
`245`	`245`	`func applyCredential(ctx context.Context, client *sdkclient.Client, doc resource) (applyResult, error) {`
`246`		`- existing, err := client.Credentials().Get(ctx, doc.Name)`
	`246`	`+ existing, err := client.Credentials().FindByName(ctx, doc.Name)`
`247`	`247`	`if err != nil {`
`248`	`248`	`token := os.ExpandEnv(doc.Token)`
`249`	`249`	`builder := sdktypes.NewCredentialBuilder().`
`@@ -271,7 +271,7 @@ func applyCredential(ctx context.Context, client *sdkclient.Client, doc resource`
`271`	`271`	`if buildErr != nil {`
`272`	`272`	`return applyResult{}, buildErr`
`273`	`273`	`}`
`274`		`- if _, createErr := client.Credentials().Create(ctx, cred); createErr != nil {`
	`274`	`+ if _, createErr := client.Credentials().CreateCompat(ctx, cred); createErr != nil {`
`275`	`275`	`return applyResult{}, createErr`
`276`	`276`	`}`
`277`	`277`	`return applyResult{Kind: "Credential", Name: doc.Name, Status: "created"}, nil`