fix(cli): no silent allowOverride downgrade; surface comma hint; harden dry-run

jamesadevine · Copilot · jamesadevine · commit fda942c378e7 · 2026-05-17T22:28:30.000+01:00
Four follow-ups on PR #602: 1. **`apply_variable_set`: silent `allowOverride` downgrade on secret rotation.** Previously, running `secrets set TOKEN <new>` without `--allow-override` would re-emit the variable with `allowOverride: false`, silently downgrading any variable that was previously created (manually or by another tool) with `allowOverride: true`. The legacy `configure` code in src/configure.rs had explicit preservation logic; the consolidated `apply_variable_set` had lost it. Changed the signature from `allow_override: bool` to `allow_override: Option<bool>`: - `Some(true)` / `Some(false)` — force the flag (CLI `--allow-override` passes `Some(true)`). - `None` — **preserve** existing variable's `allowOverride` when overwriting; default to `false` when creating. `run_set` translates the CLI flag: `--allow-override` → `Some(true)`; absence → `None`. The deprecation alias (`run_set_github_token`) stays at `allow_override: false` on the CLI side, which now maps to `None` (preserve) — restoring parity with the pre-consolidation `configure` body. Help text in `src/main.rs` and `docs/cli.md` updated. Five new unit tests pin the matrix: - `Some(true)` / `Some(false)` / `None` × create/overwrite - Specifically asserts `None` preserves `allowOverride: true` (the silent-downgrade regression guard). 2. **`run.rs::print_queue_plan` silent serialize-failure.** `serde_json::to_string_pretty(&body).unwrap_or_default()` would have printed blank output if serialization ever failed. The value is provably JSON-safe, but defensive code should surface regressions instead of silently swallowing them. Switched to `unwrap_or_else(|e| format!("<serialization error: {e}>"))`. 3. **`run.rs::parse_parameters` opaque comma-in-value error.** When a user writes `--parameters urls=https://a,b`, the error was `Invalid --parameters pair 'b': expected key=value (no '=' found).` — technically accurate but doesn't hint at the comma constraint documented above the function. Added a raw-argument-contains-comma detection branch that produces a self-diagnosable hint: `... Hint: values must not contain commas. The raw argument '...' was split on ',' before the '=' split; use a separate --parameters flag per pair.` 4. **`run.rs::dispatch` deliberate partial-queue + `--wait` behaviour.** When `--wait` is set and some builds fail to queue, the code polls the successfully-queued ones rather than bailing early; `queue_failure` is folded into the final exit code. This is intentional and the only sensible UX, but lacked a comment. Added a multi-paragraph block explaining all three cases (partial queue, zero queued, all queued) and why `poll_until_complete` is called with the partial slice. Not addressed (acknowledged follow-ups, tracked elsewhere): - Sequential `get_latest_build` fanout in `list`/`status`. Already documented inline; tracked as a future improvement. `cargo test` (1572 unit + 14 integration crates, all green) and `cargo clippy --all-targets --all-features` pass. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/docs/cli.md b/docs/cli.md
@@ -38,7 +38,7 @@ Global flags (apply to all subcommands): `--verbose, -v` (enable info-level logg
 - `configure` *(deprecated; hidden in --help)* - Alias forwarding to `secrets set GITHUB_TOKEN`. Existing scripts keep working but get a stderr warning. The alias will be removed in the next minor release.
 
 - `secrets set <name> [<value>] [PATH]` - Set a pipeline variable (with `isSecret=true`) on every matched ADO definition. Value resolution: positional `<value>` → `--value-stdin` (one line) → interactive tty prompt with echo off.
-  - `--allow-override` - Mark the variable as `allowOverride=true` (default: false).
+  - `--allow-override` - Force `allowOverride=true` on the set variable. When omitted, `allowOverride` is **preserved** on existing variables (so secret rotation does not silently downgrade an existing `allowOverride=true`) and defaults to `false` for new variables.
   - `--value-stdin` - Read the value from a single line on stdin.
   - `--dry-run` - Print the planned set without calling the ADO API.
   - `--org / --project / --pat` - ADO context overrides (same semantics as the other lifecycle commands).
diff --git a/src/main.rs b/src/main.rs
@@ -47,7 +47,11 @@ enum SecretsCmd {
         project: Option<String>,
         #[arg(long, env = "AZURE_DEVOPS_EXT_PAT")]
         pat: Option<String>,
-        /// Mark the variable as `allowOverride=true` (default: false).
+        /// Force `allowOverride=true` on the set variable. When omitted,
+        /// `allowOverride` is preserved on existing variables (so secret
+        /// rotation does not silently downgrade an existing
+        /// `allowOverride=true`) and defaults to `false` for new
+        /// variables.
         #[arg(long)]
         allow_override: bool,
         /// Read the value from a single line on stdin. Mutually exclusive
diff --git a/src/run.rs b/src/run.rs
@@ -54,12 +54,28 @@ use crate::detect;
 pub fn parse_parameters(values: &[String]) -> Result<serde_json::Map<String, serde_json::Value>> {
     let mut out = serde_json::Map::new();
     for raw in values {
+        // The argument-level comma split makes values containing
+        // commas impossible to express today. Detect the
+        // ambiguous-fragment case (a comma in the raw argument and
+        // a fragment with no `=`) and produce a self-diagnosable
+        // hint instead of the bare "no '=' found" error.
+        let raw_has_comma = raw.contains(',');
         for pair in raw.split(',') {
             let pair = pair.trim();
             if pair.is_empty() {
                 continue;
             }
             let Some((k, v)) = pair.split_once('=') else {
+                if raw_has_comma {
+                    anyhow::bail!(
+                        "Invalid --parameters pair '{}': expected key=value (no '=' found). \
+                         Hint: values must not contain commas. The raw argument '{}' was \
+                         split on ',' before the '=' split; use a separate --parameters flag \
+                         per pair.",
+                        pair,
+                        raw
+                    );
+                }
                 anyhow::bail!(
                     "Invalid --parameters pair '{}': expected key=value (no '=' found).",
                     pair
@@ -215,6 +231,22 @@ pub async fn dispatch(opts: RunOptions<'_>) -> Result<()> {
         return Ok(());
     }
 
+    // Deliberate design choice: when `--wait` is set and some builds
+    // failed to queue, we still poll the successfully-queued ones
+    // rather than bailing early. Three cases:
+    //
+    // - **Partial queue + at-least-one-queued**: `targets` is
+    //   non-empty; the operator wants to know how those builds
+    //   resolve. `queue_failure` is folded into the final exit code
+    //   (non_success below).
+    // - **Zero queued, queue_failure > 0**: `targets` is empty;
+    //   `poll_until_complete` returns immediately with a default
+    //   `PollOutcome`. We still print the wait summary so the
+    //   operator sees a uniform report shape.
+    // - **All queued**: the common path, no special handling needed.
+    //
+    // The early-exit path for `!opts.wait` above already bails on
+    // queue_failure, so no further special-casing is required here.
     let poll_outcome = poll_until_complete(
         &client,
         &ado_ctx,
@@ -253,7 +285,16 @@ fn print_queue_plan(
         body["templateParameters"] = serde_json::Value::Object(parameters.clone());
     }
     println!("[dry-run] ▶ would queue: {} (id={})", m.name, m.id);
-    println!("{}", serde_json::to_string_pretty(&body).unwrap_or_default());
+    // The body is constructed in-line from primitive types and is
+    // provably JSON-serializable, so `to_string_pretty` cannot fail
+    // in practice. Surface any future regression as a visible token
+    // rather than blank output (which would be invisible in the
+    // dry-run feedback path).
+    println!(
+        "{}",
+        serde_json::to_string_pretty(&body)
+            .unwrap_or_else(|e| format!("<serialization error: {e}>"))
+    );
 }
 
 #[derive(Debug, Default, Clone, Copy, PartialEq, Eq)]
diff --git a/src/secrets.rs b/src/secrets.rs
@@ -48,23 +48,43 @@ pub fn validate_variable_name(name: &str) -> Result<()> {
 }
 
 /// Pure: produce a copy of `definition` with the named variable set
-/// to `(value, isSecret=true, allow_override)`. Preserves all other
+/// to `(value, isSecret=true, allowOverride)`. Preserves all other
 /// keys.
+///
+/// `allow_override` semantics:
+///
+/// - `Some(true)` / `Some(false)` — force the flag to the given
+///   value (this is what `--allow-override` does, and what the
+///   create path uses).
+/// - `None` — **preserve** the existing variable's `allowOverride`
+///   when overwriting; default to `false` when creating. This
+///   matters for secret rotation: running `secrets set TOKEN <new>`
+///   without `--allow-override` must not silently downgrade a
+///   variable that was previously created with
+///   `allowOverride=true`.
 pub fn apply_variable_set(
     mut definition: serde_json::Value,
     name: &str,
     value: &str,
-    allow_override: bool,
+    allow_override: Option<bool>,
 ) -> serde_json::Value {
     if definition.get("variables").is_none()
         || !definition["variables"].is_object()
     {
         definition["variables"] = serde_json::json!({});
     }
+    let resolved_override = allow_override.unwrap_or_else(|| {
+        definition
+            .get("variables")
+            .and_then(|vars| vars.get(name))
+            .and_then(|var| var.get("allowOverride"))
+            .and_then(|v| v.as_bool())
+            .unwrap_or(false)
+    });
     definition["variables"][name] = serde_json::json!({
         "value": value,
         "isSecret": true,
-        "allowOverride": allow_override,
+        "allowOverride": resolved_override,
     });
     definition
 }
@@ -197,11 +217,27 @@ pub async fn run_set(opts: SetOptions<'_>) -> Result<()> {
 
     print_matched_summary(&matched);
 
+    // Translate the CLI bool flag into the `Option<bool>` shape that
+    // `apply_variable_set` understands: `--allow-override` forces
+    // `Some(true)`; its absence means `None` (preserve existing, or
+    // default to `false` on creation). This is the fix for the
+    // silent-downgrade bug where rotating a secret would flip an
+    // existing `allowOverride=true` back to `false`.
+    let override_action: Option<bool> = if opts.allow_override {
+        Some(true)
+    } else {
+        None
+    };
+
     if opts.dry_run {
+        let override_summary = match override_action {
+            Some(b) => format!("allowOverride={}", b),
+            None => "preserving existing allowOverride (default false on create)".to_string(),
+        };
         println!(
-            "[dry-run] Would set '{}' (isSecret=true, allowOverride={}) on {} definition(s).",
+            "[dry-run] Would set '{}' (isSecret=true, {}) on {} definition(s).",
             opts.name,
-            opts.allow_override,
+            override_summary,
             matched.len()
         );
         return Ok(());
@@ -217,7 +253,7 @@ pub async fn run_set(opts: SetOptions<'_>) -> Result<()> {
             m.id,
             opts.name,
             &value,
-            opts.allow_override,
+            override_action,
         )
         .await
         {
@@ -247,7 +283,7 @@ async fn apply_set_one(
     id: u64,
     name: &str,
     value: &str,
-    allow_override: bool,
+    allow_override: Option<bool>,
 ) -> Result<()> {
     let definition = get_definition_full(client, ctx, auth, id).await?;
     let updated = apply_variable_set(definition, name, value, allow_override);
@@ -559,7 +595,7 @@ mod tests {
     #[test]
     fn set_creates_variables_object_when_missing() {
         let def = serde_json::json!({ "name": "x" });
-        let out = apply_variable_set(def, "FOO", "bar", false);
+        let out = apply_variable_set(def, "FOO", "bar", Some(false));
         assert_eq!(out["variables"]["FOO"]["value"], "bar");
         assert_eq!(out["variables"]["FOO"]["isSecret"], true);
         assert_eq!(out["variables"]["FOO"]["allowOverride"], false);
@@ -570,7 +606,7 @@ mod tests {
         let def = serde_json::json!({
             "variables": { "OTHER": { "value": "x", "isSecret": true, "allowOverride": false } }
         });
-        let out = apply_variable_set(def, "FOO", "bar", true);
+        let out = apply_variable_set(def, "FOO", "bar", Some(true));
         assert_eq!(out["variables"]["OTHER"]["value"], "x");
         assert_eq!(out["variables"]["FOO"]["value"], "bar");
         assert_eq!(out["variables"]["FOO"]["allowOverride"], true);
@@ -581,11 +617,55 @@ mod tests {
         let def = serde_json::json!({
             "variables": { "FOO": { "value": "old", "isSecret": true, "allowOverride": false } }
         });
-        let out = apply_variable_set(def, "FOO", "new", true);
+        let out = apply_variable_set(def, "FOO", "new", Some(true));
+        assert_eq!(out["variables"]["FOO"]["value"], "new");
+        assert_eq!(out["variables"]["FOO"]["allowOverride"], true);
+    }
+
+    // ----- allow_override = None ("preserve") semantics ---------------
+
+    /// Rotation case: `secrets set TOKEN <new>` without
+    /// `--allow-override` must NOT downgrade a variable that was
+    /// previously created with `allowOverride=true`. This is the
+    /// silent-downgrade bug guard.
+    #[test]
+    fn set_preserves_existing_allow_override_true_when_none() {
+        let def = serde_json::json!({
+            "variables": { "FOO": { "value": "old", "isSecret": true, "allowOverride": true } }
+        });
+        let out = apply_variable_set(def, "FOO", "new", None);
         assert_eq!(out["variables"]["FOO"]["value"], "new");
         assert_eq!(out["variables"]["FOO"]["allowOverride"], true);
     }
 
+    #[test]
+    fn set_preserves_existing_allow_override_false_when_none() {
+        let def = serde_json::json!({
+            "variables": { "FOO": { "value": "old", "isSecret": true, "allowOverride": false } }
+        });
+        let out = apply_variable_set(def, "FOO", "new", None);
+        assert_eq!(out["variables"]["FOO"]["allowOverride"], false);
+    }
+
+    #[test]
+    fn set_defaults_allow_override_false_on_create_when_none() {
+        let def = serde_json::json!({ "name": "x" });
+        let out = apply_variable_set(def, "FOO", "bar", None);
+        assert_eq!(out["variables"]["FOO"]["allowOverride"], false);
+    }
+
+    #[test]
+    fn set_some_false_forces_downgrade_explicit() {
+        // If a caller explicitly passes Some(false), they DO want to
+        // force the flag back to false (e.g. a future `--no-override`
+        // flag). Only None preserves.
+        let def = serde_json::json!({
+            "variables": { "FOO": { "value": "old", "isSecret": true, "allowOverride": true } }
+        });
+        let out = apply_variable_set(def, "FOO", "new", Some(false));
+        assert_eq!(out["variables"]["FOO"]["allowOverride"], false);
+    }
+
     // ============ apply_variable_delete ============
 
     #[test]
