fix(tui): skip providers requiring interactive auth #333
FIDO2 and YubiKey providers require physical key interaction (touch, PIN prompt) which would corrupt the TUI display. Add a `requires_interactive_auth()` method to the Provider trait and check it during secret resolution when running in non-interactive mode. Affected providers show an error directing users to `fnox exec` instead.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly improves the stability and user experience of the
Greptile Summary

This PR introduces a

One remaining issue:

Confidence Score: 3/5
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[TUI starts\nset_non_interactive true] --> B[resolve_secrets called]
B --> C{Provider-backed\nor no-provider?}
C -->|Provider-backed| D[resolve_provider_batch]
C -->|No-provider| E[resolve_secret\ntry_get_secret]
D --> F{is_non_interactive\n&& requires_interactive_auth?}
F -->|Yes| G{if_missing policy\nper secret}
G -->|ignore / warn| H[return Ok with None\nother providers unaffected]
G -->|error| I[return Err\nfail fast]
F -->|No| J[try_batch_with_auth_retry]
J --> K[try_get_secrets_batch]
K --> L{Batch succeeds?}
L -->|Yes| M[return results]
L -->|No auth error| N[prompt_and_run_auth\n⚠️ NOT guarded by is_non_interactive]
N -->|is_auth_error? No| O[return Err]
N -->|is_auth_error? Yes\n& is TTY| P[eprintln! + demand::Confirm\n💥 TUI corruption risk]
E --> Q{is_non_interactive\n&& requires_interactive_auth?}
Q -->|Yes| R[return Err\nbypasses if_missing]
Q -->|No| S[get_provider_resolved\nthen get_secret]
```
Code Review
This pull request introduces a mechanism to handle providers that require interactive authentication in non-interactive environments like the TUI. It adds a requires_interactive_auth method to the Provider trait and a global non_interactive flag. The changes are well-structured and address the problem described. I have a couple of suggestions to improve the robustness and maintainability of the implementation.
| NON_INTERACTIVE.store(value, Ordering::Relaxed); | ||
| } | ||
|
|
||
| pub fn is_non_interactive() -> bool { | ||
| NON_INTERACTIVE.load(Ordering::Relaxed) |
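Review bot: `is_non_interactive()` and the function containing the `store` both use `Ordering::Relaxed`, and neither visible function carries a doc comment saying when the flag may be written. Relaxed gives no ordering against other memory operations, so correctness depends on the store running before any resolution work starts on another thread. State that requirement as a `///` comment on both functions, or pair `Release` on the store with `Acquire` on the load so the requirement is enforced rather than assumed.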
While Ordering::Relaxed might be sufficient here since this flag is set once at startup, using Ordering::SeqCst would be safer and make the code easier to reason about in the future if the usage of this flag becomes more complex. SeqCst provides the strongest guarantees (sequential consistency) and prevents potential reordering issues with other memory operations across threads. The performance difference is likely negligible in this context.
| NON_INTERACTIVE.store(value, Ordering::Relaxed); | |
| } | |
| pub fn is_non_interactive() -> bool { | |
| NON_INTERACTIVE.load(Ordering::Relaxed) | |
| NON_INTERACTIVE.store(value, Ordering::SeqCst); | |
| } | |
| pub fn is_non_interactive() -> bool { | |
| NON_INTERACTIVE.load(Ordering::SeqCst) | |
| } |
| return Err(FnoxError::Provider(format!( | ||
| "Provider '{}' requires interactive authentication (e.g. physical key touch) and cannot be used in the TUI. Use 'fnox exec' instead.", | ||
| provider_name | ||
| ))); |
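Review bot: the `return Err(FnoxError::Provider(format!(...)))` here reports the condition as a formatted string in the general `Provider` variant, so a caller cannot tell "skipped because interactive auth is unavailable" apart from any other provider failure without matching on message text. Consider a dedicated error variant carrying `provider_name`; that would let the batch path handle this case like a missing secret and keep the user-facing wording in one place.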
The error message is specific to the TUI, but the check is_non_interactive() is generic. If other non-interactive contexts are added in the future, this error message would be inaccurate. It's better to make the message more generic to reflect the nature of the check.
| return Err(FnoxError::Provider(format!( | |
| "Provider '{}' requires interactive authentication (e.g. physical key touch) and cannot be used in the TUI. Use 'fnox exec' instead.", | |
| provider_name | |
| ))); | |
| return Err(FnoxError::Provider(format!( | |
| "Provider '{}' requires interactive authentication (e.g. physical key touch) and cannot be used in non-interactive mode. Use 'fnox exec' instead.", | |
| provider_name | |
| ))); |
- Use Release/Acquire ordering for NON_INTERACTIVE AtomicBool
- Add non-interactive check to try_get_secret (single-secret path)
- Add non-interactive check in resolve_secret_ref to prevent bypass when provider config resolution triggers interactive providers

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Consistent with the same check in providers/resolver.rs and more future-proof if set_non_interactive is used outside the TUI.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move the non-interactive guard to ProviderConfig (static, based on provider type) so it fires before async resolution, avoiding unnecessary network calls or secret-ref resolution for interactive providers. Also move the batch-path check to resolve_provider_batch so the error is always surfaced regardless of per-secret if_missing policy. Remove the now-unused requires_interactive_auth() from the Provider trait and its fido2/yubikey implementations.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
The non-interactive check in resolve_provider_batch was returning a hard Err that propagated through resolve_level's ? operator, aborting resolution of ALL providers at the same dependency level — not just the interactive one. Now follows the same pattern as ProviderNotConfigured: apply per-secret if_missing policy and return Ok(results). Also moves requires_interactive_auth() from a hardcoded string match to a code-generated method driven by provider TOML definitions, so future interactive providers get compile-time enforcement.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
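The skip-instead-of-abort behaviour described in the commit message above, as an added Rust example that is not fnox's own code. `NON_INTERACTIVE`, `requires_interactive_auth()` and `resolve_provider_batch` reuse names from the PR; `IfMissing`, `SecretReq`, the `kind` field, the `fetch` callback and the string match on provider type are simplified assumptions.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicBool, Ordering};

// Process-wide flag, set once at TUI startup (name and orderings from the PR).
static NON_INTERACTIVE: AtomicBool = AtomicBool::new(false);
pub fn set_non_interactive(v: bool) { NON_INTERACTIVE.store(v, Ordering::Release); }
pub fn is_non_interactive() -> bool { NON_INTERACTIVE.load(Ordering::Acquire) }

// Simplified stand-ins for fnox's types (assumed shapes, not the real ones).
#[derive(Clone, Copy)]
pub enum IfMissing { Ignore, Warn, Error }
pub struct ProviderConfig { pub kind: &'static str }
pub struct SecretReq { pub name: &'static str, pub if_missing: IfMissing }

impl ProviderConfig {
    // Static check on the provider type, so it runs before any I/O or prompt.
    pub fn requires_interactive_auth(&self) -> bool {
        matches!(self.kind, "fido2" | "yubikey")
    }
}

type Batch = HashMap<String, Option<String>>;

// Resolve every secret backed by one provider. An interactive-only provider in
// non-interactive mode is skipped per secret instead of aborting the level.
pub fn resolve_provider_batch(
    name: &str, cfg: &ProviderConfig, secrets: &[SecretReq],
    fetch: &dyn Fn(&str) -> String, // stand-in for the real provider call
) -> Result<Batch, String> {
    let skip = is_non_interactive() && cfg.requires_interactive_auth();
    let mut out = Batch::new();
    for s in secrets {
        let value = match (skip, s.if_missing) {
            (false, _) => Some(fetch(s.name)),
            // A real implementation would log a warning for Warn.
            (true, IfMissing::Ignore) | (true, IfMissing::Warn) => None,
            (true, IfMissing::Error) => return Err(format!(
                "Provider '{}' requires interactive authentication and cannot \
                 be used in non-interactive mode. Use 'fnox exec' instead.", name)),
        };
        out.insert(s.name.to_string(), value);
    }
    Ok(out)
}

fn main() {
    set_non_interactive(true); // what the TUI does on startup
    let key = ProviderConfig { kind: "yubikey" };
    let reqs = [SecretReq { name: "DB_PASSWORD", if_missing: IfMissing::Warn }];
    let fetch = |n: &str| format!("value-of-{}", n);
    println!("{:?}", resolve_provider_batch("hw", &key, &reqs, &fetch));
}
```

Because the guard returns before `fetch` is called, the hardware key is never touched in non-interactive mode, and only a secret whose policy is `Error` turns the skip into a failure.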
### 🚀 Features

- **(cloudflare)** add Cloudflare API token lease backend by [@jdx](https://github.com/jdx) in [#335](#335)
- **(fido2)** bump demand to v2, mask PIN during typing by [@jdx](https://github.com/jdx) in [#334](#334)
- **(init)** add -f as short alias for --force by [@jdx](https://github.com/jdx) in [#329](#329)
- **(lease)** add --all flag, default to creating all leases by [@jdx](https://github.com/jdx) in [#337](#337)
- **(lease)** add GitHub App installation token lease backend by [@jdx](https://github.com/jdx) in [#342](#342)

### 🐛 Bug Fixes

- **(config)** fix directory locations to follow XDG spec by [@jdx](https://github.com/jdx) in [#336](#336)
- **(exec)** use unix exec and exit silently on subprocess failure by [@jdx](https://github.com/jdx) in [#339](#339)
- **(fido2)** remove duplicate touch prompt by [@jdx](https://github.com/jdx) in [#332](#332)
- **(set)** write to lowest-priority existing config file by [@jdx](https://github.com/jdx) in [#331](#331)
- **(tui)** skip providers requiring interactive auth by [@jdx](https://github.com/jdx) in [#333](#333)

### 🛡️ Security

- **(ci)** retry lint step to handle transient pkl fetch failures by [@jdx](https://github.com/jdx) in [#341](#341)
- **(mcp)** add MCP server for secret-gated AI agent access by [@jdx](https://github.com/jdx) in [#343](#343)
- add guide for fnox sync by [@jdx](https://github.com/jdx) in [#328](#328)

### 🔍 Other Changes

- share Rust cache across CI jobs by [@jdx](https://github.com/jdx) in [#340](#340)
Summary
- `requires_interactive_auth()` method to the `Provider` trait (defaults to `false`)
- `true` since they need physical key touch/PIN prompts
- `non_interactive` flag on startup
- `fnox exec` instead
- `demand::Input` prompts

Test plan

- `fnox tui` with a FIDO2/YubiKey provider configured — should show error instead of hanging/corrupting display
- `fnox exec` with the same provider should still work normally

🤖 Generated with Claude Code
Note
Medium Risk
Touches core secret/provider resolution paths and changes runtime behavior in TUI/non-interactive contexts, which could cause new “missing secret/provider” outcomes if the flag is set unexpectedly.
Overview
Prevents `fnox tui` from invoking providers that may prompt for input or write to stderr by introducing a global `NON_INTERACTIVE` flag and setting it on TUI startup.

Extends provider TOML and codegen to carry a `requires_interactive_auth` property (exposed as `ProviderConfig::requires_interactive_auth()`), marks `fido2`/`yubikey` as interactive-only, and updates both provider-config resolution and single/batch secret resolution to error/skip these providers in non-interactive mode while honoring per-secret `if_missing` handling.

Written by Cursor Bugbot for commit 5c790c1.