security: remove GRN_CLIENT_ID/SECRET env var support (#9)

Author: tvt286

CLAUDE.md

@@ -76,11 +76,14 @@ python -m pytest tests/ -v
 
 2. **CHANGELOG**: Add changelog fragment via `./scripts/new-change`
 
-3. **Spec** (`docs/superpowers/specs/2026-04-10-greenode-cli-design.md`):
-   - Update command list in Section 4
-   - Update file structure in Section 2 if new files added
+3. **README.md**: Update if installation, configuration, or basic commands change
 
-This is not optional. Code without docs is not done.
+4. **CLAUDE.md**: Update if conventions, security rules, or key files change
+
+**After ANY change to business logic, security, configuration, or commands:**
+Review ALL docs above and update what's affected. If unsure whether a doc needs updating, read it and check.
+
+Code without docs is not done.
 
 ## Key files
 

README.md

@@ -59,11 +59,9 @@ Default output format [json]:
 
 Credentials are obtained from the [VNG Cloud IAM Portal](https://hcm-3.console.vngcloud.vn/iam/) under Service Accounts.
 
-You can also configure credentials via environment variables:
+You can also configure the region via environment variable:
 
 ```bash
-export GRN_CLIENT_ID=<your-client-id>
-export GRN_CLIENT_SECRET=<your-client-secret>
 export GRN_DEFAULT_REGION=HCM-3
 ```
 

docs/configuration.md

@@ -84,8 +84,6 @@ grn vks list-clusters
 
 | Variable | Description |
 |----------|-------------|
-| `GRN_CLIENT_ID` | Client ID (overrides config file) |
-| `GRN_CLIENT_SECRET` | Client Secret (overrides config file) |
 | `GRN_DEFAULT_REGION` | Default region |
 | `GRN_PROFILE` | Profile name |
 | `GRN_DEFAULT_OUTPUT` | Output format |

grncli/customizations/configure/list.py

@@ -45,11 +45,6 @@ def _resolve_profile(self, profile):
         return ('profile', '<not set>', 'None', 'None')
 
     def _resolve_credential(self, key):
-        env_map = {'client_id': 'GRN_CLIENT_ID', 'client_secret': 'GRN_CLIENT_SECRET'}
-        env_var = env_map.get(key, '')
-        env_val = os.environ.get(env_var)
-        if env_val:
-            return (key, self._mask_value(env_val), 'env', env_var)
         try:
             creds = self._session.get_credentials()
             value = creds.get(key)

grncli/session.py

@@ -31,8 +31,7 @@ class Session:
     """Manages config, credentials, region, and service endpoints.
 
     Credential resolution order (high → low priority):
-    1. Environment variables: GRN_CLIENT_ID, GRN_CLIENT_SECRET
-    2. Profile in ~/.greenode/credentials
+    1. Profile in ~/.greenode/credentials
     """
 
     def __init__(
@@ -98,11 +97,6 @@ def emit_first_non_none(self, event_name: str, **kwargs) -> Any:
         return self._emitter.emit_first_non_none(event_name, **kwargs)
 
     def get_credentials(self) -> dict[str, str]:
-        env_id = os.environ.get('GRN_CLIENT_ID')
-        env_secret = os.environ.get('GRN_CLIENT_SECRET')
-        if env_id and env_secret:
-            return {'client_id': env_id, 'client_secret': env_secret}
-
         if self._credentials_cache is not None:
             return self._credentials_cache
 

tests/functional/test_cli_integration.py

@@ -24,8 +24,6 @@ def greenode_config(tmp_path):
     config.write_text("[default]\nregion = HCM-3\noutput = json\n")
 
     with patch.dict(os.environ, {}, clear=False):
-        os.environ.pop('GRN_CLIENT_ID', None)
-        os.environ.pop('GRN_CLIENT_SECRET', None)
         os.environ.pop('GRN_DEFAULT_REGION', None)
         os.environ.pop('GRN_PROFILE', None)
 

tests/unit/test_session.py

@@ -49,16 +49,6 @@ def test_load_profile_credentials(self, config_dir):
         assert creds['client_id'] == 'staging-id'
         assert creds['client_secret'] == 'staging-secret'
 
-    def test_env_vars_override_file(self, config_dir):
-        with patch.dict(os.environ, {
-            'GRN_CLIENT_ID': 'env-id',
-            'GRN_CLIENT_SECRET': 'env-secret',
-        }):
-            session = Session(config_dir=str(config_dir))
-            creds = session.get_credentials()
-            assert creds['client_id'] == 'env-id'
-            assert creds['client_secret'] == 'env-secret'
-
     def test_missing_credentials_raises(self, tmp_path):
         session = Session(config_dir=str(tmp_path))
         with pytest.raises(Exception, match="credentials"):