Merge pull request #204 from hdresearch/ty/fix-dotenv-credential-shadowing

fix(root): stop loading .env at runtime (silent credential shadow)

Author: AlephNotation

cmd/root.go

@@ -16,7 +16,6 @@ import (
 	runrt "github.com/hdresearch/vers-cli/internal/runtime"
 	"github.com/hdresearch/vers-cli/internal/update"
 	vers "github.com/hdresearch/vers-sdk-go"
-	"github.com/joho/godotenv"
 	"github.com/spf13/cobra"
 )
 
@@ -196,8 +195,15 @@ interaction capabilities, and more.`,
 			return nil
 		}
 
-		// Load .env for the VERS_URL
-		godotenv.Load()
+		// NOTE: previously this called godotenv.Load() to pick up VERS_URL
+		// from a local .env for dev convenience. That had the side effect of
+		// silently shadowing the user's ~/.versrc credentials with a stale
+		// VERS_API_KEY whenever the user happened to be in a directory
+		// containing a .env file — with no warning about which credential
+		// source won. We now only honor the real environment and ~/.versrc.
+		// Devs who want .env-style loading can use direnv or `export $(cat
+		// .env | xargs)`. Tests load their own .env explicitly via
+		// test/testutil/helpers.go.
 
 		// Initialize the client with API key if available
 		apiKey, err := auth.GetAPIKey()

go.mod

@@ -24,7 +24,7 @@ require (
 require (
 	github.com/hdresearch/vers-sdk-go v0.1.0-alpha.32
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.6
 	github.com/tidwall/gjson v1.18.0 // indirect
 	github.com/tidwall/match v1.2.0 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect

go.sum

@@ -7,8 +7,6 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/jsonschema-go v0.2.3 h1:dkP3B96OtZKKFvdrUSaDkL+YDx8Uw9uC4Y+eukpCnmM=
 github.com/google/jsonschema-go v0.2.3/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE=
-github.com/hdresearch/vers-sdk-go v0.1.0-alpha.31 h1:JXEU1lXHzfIpi5Aq5LQjtdSnZDGTqqTZK4TcbAJTfcQ=
-github.com/hdresearch/vers-sdk-go v0.1.0-alpha.31/go.mod h1:aJoQGYzJHXdbj7uhCekUZaxbMu+XhVMOCtVQEdA0NFI=
 github.com/hdresearch/vers-sdk-go v0.1.0-alpha.32 h1:b1+KSJbLQgsC9KEnoQxrbHq/sxtHDM/cB1+XwHMYOBs=
 github.com/hdresearch/vers-sdk-go v0.1.0-alpha.32/go.mod h1:aJoQGYzJHXdbj7uhCekUZaxbMu+XhVMOCtVQEdA0NFI=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=