Add db save-password command with role support#60
Merged
Conversation
cevian
commented
Oct 15, 2025
| } | ||
|
|
||
| return fmt.Sprintf("password-%s-%s", *service.ProjectId, *service.ServiceId), nil | ||
| return fmt.Sprintf("password-%s-%s-%s", *service.ProjectId, *service.ServiceId, role), nil |
Contributor
Author
There was a problem hiding this comment.
This is the cause of the breaking change
murrayju
reviewed
Oct 15, 2025
cevian
force-pushed
the
add-save-password-env-and-interactive
branch
from
f94d52f to
5364139
Compare
nathanjcochran
approved these changes
Oct 17, 2025
Member
nathanjcochran
left a comment
nathanjcochran
left a comment
There was a problem hiding this comment.
Left a handful of comments/questions, but overall LGTM.
| // Note: We don't fail the service creation if password saving fails | ||
| // The error is handled by displaying the appropriate message below | ||
| result, _ := password.SavePasswordWithResult(service, initialPassword) | ||
| result, _ := password.SavePasswordWithResult(service, initialPassword, "tsdbadmin") |
Member
There was a problem hiding this comment.
Not a big deal, but tsdbadmin is hard-coded in several places now. Might be worth making a constant at some point? Doesn't have to be now, just a thought.
Contributor
Author
There was a problem hiding this comment.
Ill do this in a diff pr
Comment on lines
+357
to
+363
| if role == "" { | ||
| return PasswordStorageResult{ | ||
| Success: false, | ||
| Method: "none", | ||
| Message: "Role is required", | ||
| }, fmt.Errorf("role is required") | ||
| } |
Member
There was a problem hiding this comment.
I think this check is duplicative, as I think all of the storage.Save (called below) methods do the same validation 🤷♂️.
Contributor
Author
There was a problem hiding this comment.
I'd rather keep this for safety as it never makes sense to save without a role
…e-password spec Update the save-password command specification to support: - TIGER_NEW_PASSWORD environment variable (used when --password flag not provided) - Interactive password prompt when --password flag provided with no value - Clear precedence: explicit flag value → interactive prompt → env var 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Implement role-based password storage to support storing passwords for different database roles (tsdbadmin, readonly, custom roles, etc.) independently. This enables users to manage multiple credentials per service for different database users. Key changes: - Add role parameter to PasswordStorage interface (Save, Get, Remove) - Update KeyringStorage to use role in keyring keys - Update PgpassStorage to store role in pgpass entries - Update all callers in cmd, mcp, and password packages - Add comprehensive tests including mixed-case role names - Verify role isolation (different roles store passwords independently) All tests pass. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Add new command to save database passwords with support for different database roles. Passwords can be provided via three methods: 1. --password=value flag (highest precedence) 2. TIGER_NEW_PASSWORD environment variable 3. Interactive prompt (when neither provided) The command stores passwords according to the --password-storage setting (keyring, pgpass, or none) and supports saving passwords for different database roles independently. Features: - Save passwords for any database role (default: tsdbadmin) - Three input methods with clear precedence - Integration with existing password storage system - Comprehensive test coverage for all input methods Example usage: tiger db save-password svc-12345 --password=mypass tiger db save-password svc-12345 --role readonly tiger db save-password svc-12345 # prompts interactively 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
- Add -p short flag for --password option - Use term.ReadPassword instead of bufio.Scanner for secure password input - Add TTY check before interactive prompt to fail gracefully in non-terminal environments - Scope err variable to conditional block for cleaner code - Output status messages to stderr instead of stdout for consistency - Make TTY check and password reading testable via function variables - Update tests to mock terminal behavior without requiring actual TTY - Move TIGER_NEW_PASSWORD documentation from global to save-password section 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
cevian
force-pushed
the
add-save-password-env-and-interactive
branch
from
f9a5bf0 to
221ce14
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
NOTE: THIS INCLUDES A BREAKING CHANGE TO PASSWORD STORAGE
Summary
tiger db save-passwordcommand to save database passwordsChanges
New Features
tiger dbto save passwords to configured storage--password=valueflag (highest precedence)TIGER_NEW_PASSWORDenvironment variableImplementation Details
Examples
Test plan
🤖 Generated with Claude Code