fix(config): persist config set under an env token; fail on ephemeral overrides #1366

Merged
Martin Torp (mtorp) merged 1 commit into v1.x from fix/config-set-warn-when-not-persisted
Jun 17, 2026

@mtorp Martin Torp (mtorp) commented Jun 17, 2026

Contributor

Problem

When a Socket API token was supplied via an environment variable
(SOCKET_CLI_API_TOKEN / SOCKET_SECURITY_API_TOKEN, or the legacy aliases),
the entire config was put into read-only mode. As a result,
socket config set <key> <value> silently failed to persist — yet still printed
a reassuring OK — and a later socket config get showed nothing, so it looked
like the value had been silently lost.

This is a common setup (keeping the token in an env var), and there's no good
reason that having a token in the environment should prevent saving an unrelated
key such as defaultOrg.

Fix

A token from the environment now overrides authentication only:

  • getDefaultApiToken() already resolves the env token directly from the
    environment, so it is no longer mirrored into the persisted config cache and no
    longer flips the config to read-only. Unrelated keys (e.g. defaultOrg) are
    written to disk as expected via socket config set.
  • The env-supplied token itself is still never persisted to disk.
  • socket config get apiToken still reports the env token, which continues to
    take precedence over persisted / --config values.
  • Updated the now-stale bootstrap comment in meow-with-subcommands.mts that
    still claimed the env token was injected into the cache and marked read-only.

When the config is genuinely ephemeral — fully overridden via --config,
SOCKET_CLI_CONFIG, or SOCKET_CLI_NO_API_TOKEN — socket config set now
fails with a clear error instead of pretending it succeeded. For a one-shot
command, an in-memory-only change is a no-op (nothing reads it before the process
exits), so failing is the honest outcome. (Note: under a full override,
config set --json now emits ok:false and exits 1, where it previously
reported ok:true.)

Testing

  • pnpm check:tsc — clean. oxlint — clean on the changed config files (the
    constants.ENV import-style warnings in meow-with-subcommands.mts are
    pre-existing and unchanged by this PR).
  • src/utils/config.test.mts — updated read-only message snapshot; added
    coverage asserting a token-env override is not read-only while --config
    and SOCKET_CLI_NO_API_TOKEN are.
  • src/commands/config/cmd-config-set.test.mts — added: (1) a full --config
    override makes config set fail; (2) with only a token env var,
    config set defaultOrg persists to disk (verified by reading the written
    config file) and the env token is not written.
  • Full config + login + logout suites pass (36 tests).

Bumps the CLI to 1.1.121 with a CHANGELOG entry.

@mtorp Martin Torp (mtorp) force-pushed the fix/config-set-warn-when-not-persisted branch 2 times, most recently from d34ca06 to db94217 Compare June 17, 2026 08:29
@mtorp Martin Torp (mtorp) force-pushed the fix/config-set-warn-when-not-persisted branch from db94217 to 1576fb5 Compare June 17, 2026 11:15
@mtorp Martin Torp (mtorp) changed the title from "fix(config): warn instead of reporting OK when config set can't persist" to "fix(config): persist config set under an env token; fail on ephemeral overrides" Jun 17, 2026
@mtorp Martin Torp (mtorp) force-pushed the fix/config-set-warn-when-not-persisted branch from 1576fb5 to f3d6fb3 Compare June 17, 2026 11:20
…al overrides (1.1.121)

A Socket API token supplied via env (SOCKET_CLI_API_TOKEN / SOCKET_SECURITY_API_TOKEN
and legacy aliases) used to put the entire config into read-only mode, so
`socket config set <key> <value>` silently failed to save while still printing
`OK`, and a later `socket config get` then showed nothing. A token from the
environment now overrides authentication only: unrelated keys such as defaultOrg
are written to disk as expected, while the env token itself is still never
persisted (getDefaultApiToken resolves it straight from the environment, so it is
no longer mirrored into the cached config).

When the config is genuinely ephemeral, because it was fully overridden via
--config, SOCKET_CLI_CONFIG, or SOCKET_CLI_NO_API_TOKEN, `socket config set` now
fails with a clear error instead of pretending it succeeded; the in-memory-only
change is a no-op for a one-shot command.

`config get apiToken` still reports the env-supplied token, which takes
precedence over persisted / --config values. Adds unit and command-level
regression tests and bumps the CLI to 1.1.121.
@mtorp Martin Torp (mtorp) force-pushed the fix/config-set-warn-when-not-persisted branch from f3d6fb3 to 1fd205d Compare June 17, 2026 11:31
@mtorp Martin Torp (mtorp) merged commit 10764c7 into v1.x Jun 17, 2026
12 checks passed
@mtorp Martin Torp (mtorp) deleted the fix/config-set-warn-when-not-persisted branch June 17, 2026 11:37
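
The behaviour stated in the pull request description and commit message above, modelled as an added TypeScript example; it is not the Socket CLI's own code. `ConfigModel`, its in-memory `disk`, the JSON form of `--config` and the error text are assumptions; only the environment variable and flag names come from the page.

```typescript
type Env = Record<string, string | undefined>
type Config = { apiToken?: string; defaultOrg?: string }
type SetResult = { ok: true } | { ok: false; message: string }

// Token variables named in the PR (its legacy aliases are not listed there).
const TOKEN_ENV = ['SOCKET_CLI_API_TOKEN', 'SOCKET_SECURITY_API_TOKEN']

function envToken(env: Env): string | undefined {
  for (const name of TOKEN_ENV) {
    if (env[name]) return env[name]
  }
  return undefined
}

// Hypothetical model: `disk` stands in for the persisted config file and
// `configFlag` for the value of --config (assumed here to be JSON).
class ConfigModel {
  readonly ephemeral: boolean
  private overrideCfg: Config | undefined
  private disk: Config
  private env: Env
  constructor(disk: Config, env: Env, configFlag?: string) {
    const raw = configFlag ?? env['SOCKET_CLI_CONFIG']
    this.disk = disk
    this.env = env
    this.overrideCfg = raw ? (JSON.parse(raw) as Config) : undefined
    // Only a full override makes the config ephemeral; an env token does not.
    this.ephemeral = Boolean(raw) || Boolean(env['SOCKET_CLI_NO_API_TOKEN'])
  }
  get(key: keyof Config): string | undefined {
    // The env token overrides authentication only, resolved on every read.
    if (key === 'apiToken' && envToken(this.env)) return envToken(this.env)
    return (this.overrideCfg ?? this.disk)[key]
  }
  set(key: keyof Config, value: string): SetResult {
    if (this.ephemeral) {
      // Invented wording; the point is ok:false instead of a false "OK".
      return { ok: false, message: `config is overridden for this run; ${key} not saved` }
    }
    this.disk[key] = value // the env token is never copied into `disk`
    return { ok: true }
  }
}

// Constructed sample run: token in the environment, nothing else overridden.
const sampleDisk: Config = {}
const sample = new ConfigModel(sampleDisk, { SOCKET_CLI_API_TOKEN: 'constructed-token' })
console.log(sample.set('defaultOrg', 'example-org'), sampleDisk, sample.get('apiToken'))
```

The effect of SOCKET_CLI_NO_API_TOKEN on token resolution is not modelled; the example only treats it as one of the three sources that make the config ephemeral.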