Parent: backend#830 (RFC-0001 epic) · RFC: §7.5, §14 R10, Appendix C.8 · Phase 1 — CLI · confirmed bug today
Related: cli#83 (shipped v1 internal/config + login/logout/auth status — this upgrades that schema to v2 and extends those commands), backend#887 (POST /auth/revoke — the server-side half of logout, also Phase 1 per §9/R2)
Why
R10 (confirmed bug): ~/.tracebloc holds a single Env + Token + ActiveClientID (the v1 schema cli#83 shipped). login --env overwrites env+token but strands the previous env's ActiveClientID, so a dev/stg/prod user can silently target the wrong client. The earlier §7.5 fix handled only the cross-account case, not cross-env.
Scope
Upgrade cli#83's internal/config package to a v2, env-scoped ~/.tracebloc/config.json (mode 0600), per Appendix C.8:
```
{
  "version": 2,
  "current_env": "prod",
  "profiles": {
    "dev": { "email", "token", "expires_at", "active_client_id" },
    "stg": { … },
    "prod": { … }
  }
}
```
- One active_client_id per env → fixes the cross-env clobber.
- login --env X switches current_env without clearing the other profiles.
- Migrate v1 → v2 by wrapping the existing single record under profiles[current_env] (no data loss).
- Extend cli#83's logout to clear the current env's local token + active pointer (other envs untouched), and call backend#887 (POST /auth/revoke) when available (server-side revoke; a reference, not a hard blocker for this config work).
- File stays 0600.
Acceptance
- login --dev → login --prod → login --dev again: the dev active client is intact (no clobber).
- A v1 config auto-migrates to v2 on first run, no data loss.
- logout clears the current env's token + active pointer; other envs untouched.
- Config file is 0600.
Notes
This persists expires_at per profile; displaying it is auth status (cli#83 / §7.6) — not cli#4, which shows the ingestor / k8s service-account token's JWT exp in cluster info (a different token, no overlap).
Work Type: Bug · Squad: DevEx · Area: SDK (CLI) · Priority: P1
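The v1 → v2 wrap and the no-clobber login described under Scope and Acceptance, sketched in Go as an added example; it is not the tracebloc CLI's own internal/config code. The v1 JSON key names, the names Load and Login, and all sample values are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Profile and Config follow the v2 schema from Appendix C.8.
type Profile struct {
	Email          string `json:"email"`
	Token          string `json:"token"`
	ExpiresAt      string `json:"expires_at"`
	ActiveClientID string `json:"active_client_id"`
}

type Config struct {
	Version        int                `json:"version"`
	CurrentEnv     string             `json:"current_env"`
	Profiles       map[string]Profile `json:"profiles"`
	Env            string             `json:"env,omitempty"` // v1 flat fields from here on: migration only, JSON keys assumed
	Token          string             `json:"token,omitempty"`
	ActiveClientID string             `json:"active_client_id,omitempty"`
}

// Load parses v1 or v2; a v1 record is wrapped under profiles[current_env].
func Load(raw []byte) (*Config, error) {
	c := &Config{Profiles: map[string]Profile{}}
	if err := json.Unmarshal(raw, c); err != nil {
		return nil, err
	}
	if c.Version < 2 {
		c.Profiles[c.Env] = Profile{Token: c.Token, ActiveClientID: c.ActiveClientID}
		*c = Config{Version: 2, CurrentEnv: c.Env, Profiles: c.Profiles} // drops the flat copy
	}
	return c, nil
}

// Login replaces only env's credentials; its active_client_id and all other profiles stay.
func (c *Config) Login(env, email, token, expiresAt string) {
	p := c.Profiles[env]
	p.Email, p.Token, p.ExpiresAt = email, token, expiresAt
	c.Profiles[env], c.CurrentEnv = p, env
}

func main() {
	c, _ := Load([]byte(`{"env":"dev","token":"t1","active_client_id":"client-dev"}`)) // constructed v1 file
	c.Login("prod", "dev@example.com", "t2", "2030-01-01T00:00:00Z")
	c.Login("dev", "dev@example.com", "t3", "2030-01-01T00:00:00Z")
	fmt.Println(c.CurrentEnv, c.Profiles["dev"].ActiveClientID, len(c.Profiles))
}
```

Logout and the 0600 write are left out of this sketch; after migration the flat v1 fields are zeroed, so they are not written back to the v2 file.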