feat: --api-key CLI override + CI oneshot workflow (#100)

* Initial plan

* feat: --api-key CLI override encapsulated in config.ts for all start modes

Agent-Logs-Url: https://github.com/huberp/agentloop/sessions/587451dc-93d3-494c-8bc3-23367dd6b13c

Co-authored-by: huberp <4027454+huberp@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: huberp <4027454+huberp@users.noreply.github.com>

Author: Copilot

.env.test

@@ -0,0 +1,130 @@
+# Test environment defaults for agentloop.
+#
+# MISTRAL_API_KEY is intentionally absent — supply it via the --api-key CLI
+# flag so that secrets are never committed to the repository:
+#
+#   npm run oneshot -- agent --api-key "$MISTRAL_API_KEY" -u "Your prompt here"
+#
+# In CI the GitHub Actions workflow injects the key through that flag using the
+# MISTRAL_API_KEY repository secret.
+#
+# To run locally:
+#   cp .env.test .env
+#   npm run oneshot -- agent --api-key "sk-..." -u "Your prompt here"
+
+# Agent loop — keep iterations low for fast, cheap tests
+MAX_ITERATIONS=5
+MAX_TOKENS_BUDGET=0
+MAX_CONTEXT_TOKENS=28000
+
+# LLM retry settings
+LLM_RETRY_MAX=2
+LLM_RETRY_BASE_DELAY_MS=500
+
+# Per-tool execution timeout
+TOOL_TIMEOUT_MS=30000
+
+# LLM provider — use a fast, affordable model for tests
+LLM_PROVIDER=mistral
+LLM_MODEL=mistral-small-latest
+LLM_TEMPERATURE=0.0
+
+# System prompt override (none by default)
+SYSTEM_PROMPT_PATH=
+
+# Skip all confirmation prompts in non-interactive test runs
+AUTO_APPROVE_ALL=true
+TOOL_ALLOWLIST=
+TOOL_BLOCKLIST=
+
+# Shell command execution
+SHELL_COMMAND_BLOCKLIST=
+
+# Code execution
+EXECUTION_TIMEOUT_MS=60000
+EXECUTION_ENVIRONMENT=local
+
+# Sandboxing (keep off for tests)
+SANDBOX_MODE=none
+SANDBOX_DOCKER_IMAGE=node:20-alpine
+
+# Workspace
+WORKSPACE_ROOT=
+
+# Instruction files
+INSTRUCTIONS_ROOT=
+
+# Prompt templates / history (disabled in tests)
+PROMPT_TEMPLATES_DIR=
+PROMPT_HISTORY_FILE=
+PROMPT_CONTEXT_REFRESH_MS=5000
+
+# MCP (disabled in tests)
+MCP_SERVERS=
+
+# Security hardening
+MAX_FILE_SIZE_BYTES=10485760
+MAX_SHELL_OUTPUT_BYTES=1048576
+MAX_CONCURRENT_TOOLS=10
+NETWORK_ALLOWED_DOMAINS=
+
+# Streaming — off for deterministic test output
+STREAMING_ENABLED=false
+
+# Tracing — off for tests
+TRACING_ENABLED=false
+TRACE_OUTPUT_DIR=./traces
+TRACING_COST_PER_INPUT_TOKEN_USD=0
+TRACING_COST_PER_OUTPUT_TOKEN_USD=0
+
+# Logging — minimal output during tests
+LOG_LEVEL=warn
+LOG_ENABLED=true
+LOG_DESTINATION=stdout
+LOG_NAME=agentloop
+LOG_TIMESTAMP=false
+
+# Web search — disabled by default to avoid network calls in tests
+WEB_SEARCH_PROVIDER=none
+TAVILY_API_KEY=
+TAVILY_MAX_RESULTS=5
+LANGSEARCH_API_KEY=
+LANGSEARCH_MAX_RESULTS=5
+DUCKDUCKGO_MAX_RESULTS=5
+DUCKDUCKGO_MIN_DELAY_MS=1000
+DUCKDUCKGO_RETRY_MAX=2
+DUCKDUCKGO_RETRY_BASE_DELAY_MS=400
+DUCKDUCKGO_RATE_LIMIT_PENALTY_MS=1000
+DUCKDUCKGO_CACHE_TTL_MS=300000
+DUCKDUCKGO_CACHE_MAX_ENTRIES=128
+DUCKDUCKGO_SERVE_STALE_ON_ERROR=true
+
+# Web fetch tool
+WEB_DOMAIN_BLOCKLIST=
+WEB_DOMAIN_ALLOWLIST=
+WEB_ALLOW_HTTP=false
+WEB_MAX_RESPONSE_BYTES=5242880
+WEB_MAX_CONTENT_CHARS=20000
+WEB_USER_AGENT=AgentLoop/1.0
+WEB_FETCH_TIMEOUT_MS=15000
+
+# Runtime context injection — off for reproducible test output
+RUNTIME_CONTEXT_ENABLED=false
+
+# Interactive UI mode
+UI_MODE=cli
+
+# Skills / agent profiles (use built-ins only)
+SKILLS_DIR=
+AGENT_PROFILES_DIR=
+
+# LLM response recording (off for tests)
+RECORD_LLM_RESPONSES=false
+LLM_FIXTURE_DIR=tests/fixtures/llm-responses
+
+# Orchestrator engine
+ORCHESTRATOR=default
+
+# Coordinator (off for tests)
+COORDINATOR_ENABLED=false
+COORDINATOR_PLAN_THRESHOLD=1

.github/workflows/cli-test.yml

@@ -0,0 +1,36 @@
+name: CLI Test
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  cli-oneshot:
+    name: CLI Oneshot Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Set up test environment
+        run: cp .env.test .env
+
+      - name: Run oneshot agent (oneshot mode)
+        run: |
+          npm run oneshot -- agent \
+            --api-key "$MISTRAL_API_KEY" \
+            --json \
+            -u "Reply with exactly one word: hello"
+        env:
+          MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}

README.md

@@ -176,6 +176,28 @@ npm run oneshot -- list providers
 | `skills` | All active skills with name, source, description |
 | `providers` | Configured LLM and search providers with their active status |
 
+### Global option: `--api-key`
+
+Every subcommand accepts a global `--api-key` flag that overrides the `MISTRAL_API_KEY` value from `.env`.
+This makes it easy to supply the key from CI secrets or per-invocation without modifying your environment file:
+
+```bash
+# Provide the API key directly on the command line
+npm run oneshot -- agent --api-key "sk-my-key" -u "Summarise the README"
+
+# Useful in CI pipelines:
+npm run oneshot -- agent --api-key "$MISTRAL_API_KEY" -u "Run a quick sanity check"
+```
+
+The override is handled entirely inside the `config` module (`applyApiKeyOverride`) so no other part of the codebase needs to know where the key came from.
+
+For CI use, copy `.env.test` (which intentionally omits `MISTRAL_API_KEY`) to `.env` and inject the key via `--api-key`:
+
+```bash
+cp .env.test .env
+npm run oneshot -- agent --api-key "$MISTRAL_API_KEY" -u "Your prompt"
+```
+
 ## Deployment
 
 ### Docker

src/__tests__/start-oneshot.test.ts

@@ -590,3 +590,182 @@ describe("start-oneshot: getActiveExecutor", () => {
     }
   });
 });
+
+// ---------------------------------------------------------------------------
+// Tests: applyApiKeyOverride() in config module
+// ---------------------------------------------------------------------------
+
+describe("config: applyApiKeyOverride", () => {
+  it("applyApiKeyOverride is exported from config", async () => {
+    const config = await import("../config");
+    expect(typeof config.applyApiKeyOverride).toBe("function");
+  });
+
+  it("updates appConfig.mistralApiKey", async () => {
+    const config = await import("../config");
+    const original = config.appConfig.mistralApiKey;
+    try {
+      config.applyApiKeyOverride("sk-override-test");
+      expect(config.appConfig.mistralApiKey).toBe("sk-override-test");
+    } finally {
+      config.applyApiKeyOverride(original);
+    }
+  });
+
+  it("updates process.env.MISTRAL_API_KEY", async () => {
+    const config = await import("../config");
+    const original = process.env.MISTRAL_API_KEY;
+    try {
+      config.applyApiKeyOverride("sk-env-test");
+      expect(process.env.MISTRAL_API_KEY).toBe("sk-env-test");
+    } finally {
+      process.env.MISTRAL_API_KEY = original;
+      config.applyApiKeyOverride(original ?? "");
+    }
+  });
+
+  it("keeps appConfig.mistralApiKey and process.env in sync after override", async () => {
+    const config = await import("../config");
+    const original = config.appConfig.mistralApiKey;
+    try {
+      config.applyApiKeyOverride("sk-sync-test");
+      expect(config.appConfig.mistralApiKey).toBe(process.env.MISTRAL_API_KEY);
+    } finally {
+      config.applyApiKeyOverride(original);
+    }
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Tests: early argv scan in config.ts (applyCliApiKeyOverride)
+//
+// The IIFE in config.ts reads process.argv at module-load time to apply
+// --api-key before appConfig is built.  These tests verify the logic by
+// directly replicating the scan behaviour so the module-singleton limitation
+// does not interfere.
+// ---------------------------------------------------------------------------
+
+describe("config: early --api-key argv scan logic", () => {
+  // Replicates the IIFE logic: returns the value, or undefined if absent,
+  // or throws if --api-key is present but has no valid value (consistent with
+  // the exit(1) in the real IIFE and with stripApiKeyArg).
+  function simulateArgvScan(argv: string[]): string | undefined {
+    const idx = argv.indexOf("--api-key");
+    if (idx === -1) return undefined;
+    const value = argv[idx + 1];
+    if (!value || value.startsWith("-")) {
+      throw new Error("Error: --api-key requires a value");
+    }
+    return value;
+  }
+
+  it("extracts the api key when --api-key is present with a value", () => {
+    const result = simulateArgvScan(["node", "script.js", "--api-key", "sk-early"]);
+    expect(result).toBe("sk-early");
+  });
+
+  it("returns undefined when --api-key is absent", () => {
+    const result = simulateArgvScan(["node", "script.js", "-u", "hello"]);
+    expect(result).toBeUndefined();
+  });
+
+  it("errors when --api-key has no value (consistent with stripApiKeyArg)", () => {
+    expect(() => simulateArgvScan(["node", "script.js", "--api-key"])).toThrow(
+      "--api-key requires a value"
+    );
+  });
+
+  it("errors when --api-key value starts with a dash (consistent with stripApiKeyArg)", () => {
+    expect(() =>
+      simulateArgvScan(["node", "script.js", "--api-key", "--other-flag"])
+    ).toThrow("--api-key requires a value");
+  });
+
+  it("works when --api-key appears after the subcommand (oneshot pattern)", () => {
+    const result = simulateArgvScan(["node", "script.js", "agent", "--api-key", "sk-sub", "-u", "hi"]);
+    expect(result).toBe("sk-sub");
+  });
+
+  it("covers all start modes — cli, tui, oneshot, and direct index", () => {
+    // All start modes use the same config module, so the argv scan fires once
+    // before appConfig is built, regardless of which entry point is used.
+    const cliResult = simulateArgvScan(["node", "start-cli.ts", "--api-key", "sk-cli"]);
+    const tuiResult = simulateArgvScan(["node", "start-tui.ts", "--api-key", "sk-tui"]);
+    const oneshotResult = simulateArgvScan(["node", "start-oneshot.ts", "agent", "--api-key", "sk-oneshot", "-u", "hi"]);
+    expect(cliResult).toBe("sk-cli");
+    expect(tuiResult).toBe("sk-tui");
+    expect(oneshotResult).toBe("sk-oneshot");
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Tests: stripApiKeyArg() in config module
+// ---------------------------------------------------------------------------
+
+describe("config: stripApiKeyArg", () => {
+  it("stripApiKeyArg is exported from config", async () => {
+    const config = await import("../config");
+    expect(typeof config.stripApiKeyArg).toBe("function");
+  });
+
+  it("removes --api-key and its value from the array", async () => {
+    const { stripApiKeyArg } = await import("../config");
+    const result = stripApiKeyArg(["--api-key", "sk-my-key", "-u", "Hello"]);
+    expect(result).toEqual(["-u", "Hello"]);
+    expect(result.includes("--api-key")).toBe(false);
+  });
+
+  it("returns the array unchanged when --api-key is absent", async () => {
+    const { stripApiKeyArg } = await import("../config");
+    const result = stripApiKeyArg(["-u", "Hello"]);
+    expect(result).toEqual(["-u", "Hello"]);
+  });
+
+  it("strips --api-key placed after other flags", async () => {
+    const { stripApiKeyArg } = await import("../config");
+    const result = stripApiKeyArg(["-u", "Hello", "--api-key", "sk-after"]);
+    expect(result).toEqual(["-u", "Hello"]);
+  });
+
+  it("does not mutate the original array", async () => {
+    const { stripApiKeyArg } = await import("../config");
+    const original = ["-u", "Hello", "--api-key", "sk-key"];
+    const result = stripApiKeyArg(original);
+    expect(original).toEqual(["-u", "Hello", "--api-key", "sk-key"]);
+    expect(result).toEqual(["-u", "Hello"]);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Tests: --api-key global option pre-processing in start-oneshot main()
+// (delegates to config.stripApiKeyArg — verified via the config tests above)
+// ---------------------------------------------------------------------------
+
+describe("start-oneshot: --api-key is stripped before subcommand dispatch", () => {
+  it("stripApiKeyArg produces clean args consumable by parseArgs strict mode", async () => {
+    const { stripApiKeyArg } = await import("../config");
+    // Simulate: agent --api-key sk-key -u "Hello"
+    const cleaned = stripApiKeyArg(["--api-key", "sk-key", "-u", "Hello"]);
+    // parseArgs with strict:true must not throw on the cleaned array
+    expect(() =>
+      parseArgs({
+        args: cleaned,
+        options: {
+          system: { type: "string", short: "s" },
+          user: { type: "string", short: "u" },
+          profile: { type: "string", short: "p" },
+          stream: { type: "boolean" },
+          json: { type: "boolean" },
+        },
+        strict: true,
+        allowPositionals: false,
+      })
+    ).not.toThrow();
+    const { values } = parseArgs({
+      args: cleaned,
+      options: { user: { type: "string", short: "u" } },
+      strict: false,
+    });
+    expect(values.user).toBe("Hello");
+  });
+});