arcade-mcp/libs/arcade-cli/arcade_cli/secret.py
Eric Gustin 113d0d3086
CLI Usage (#593)
TLDR; 

The philosophy of CLI usage is "fire and forget" and "best effort". You
can opt out by setting `ARCADE_USAGE_TRACKING=0`.

We are capturing two events: `CLI execution succeeded` and `CLI
execution failed`. Reporting to PostHog is a short lived (maximum 10
seconds) subprocess that does not block the main CLI execution process.

`~/.arcade/usage.json` persists two values `anon_id` and
`linked_principal_id`. The logged in status of the CLI user determines
which ID is used. Upon `arcade login`, the `anon_id` is aliased with
`linked_principal_id`. Upon `arcade logout` the `linked_principal_id` is
removed and the `anon_id` is rotated.

## CLI Usage Tracking - How It Works

The usage tracking system implements an identity management and event
tracking pipeline. Here's how the pieces work together:

### **Identity State Management (`usage.json`)**

The system maintains a persistent identity file at
`~/.arcade/usage.json` with this structure:
```json
{
  "anon_id": "uuid",
  "linked_principal_id": "uuid" | null
}
```

**Key mechanics:**
- **`anon_id`**: Generated once on first CLI use and persists across
sessions. This UUID tracks all anonymous activity.
- **`linked_principal_id`**: Initially `null`. Once the user logs in and
we successfully alias their identity, this field stores their
`principal_id` to indicate this `anon_id` has been linked.
- **Atomic writes**: All updates use a temp file + atomic rename pattern
to prevent corruption from concurrent CLI processes
- **File locking**: Uses `fcntl` (Unix) to coordinate reads/writes
across multiple simultaneous CLI invocations
- **In-memory cache**: The `UsageIdentity` class caches the loaded data
to avoid repeated file I/O within a single CLI invocation

### **Identity Resolution Flow**

When tracking an event, the system determines the `distinct_id` (who to
attribute the event to) via this waterfall:

1. **Check `linked_principal_id`** in `usage.json`
   - If present → use it (user was previously aliased)
   - This is the fastest path and avoids API calls

2. **Fetch `principal_id` from Arcade Cloud API**
- Makes HTTP request to `/api/v1/auth/validate` with the user's API key
from `~/.arcade/credentials.yaml`
   - If authenticated → returns `principal_id`
   - Has 2s timeout for responsiveness

3. **Fall back to `anon_id`**
   - If not authenticated or API call fails → use anonymous ID
   - Marks event with `is_anon=True` flag

### **The Aliasing Lifecycle**

PostHog aliasing links anonymous activity to authenticated users. Here's
the state machine:

#### **Stage 1: Anonymous User**
```
usage.json: { "anon_id": "abc-123", "linked_principal_id": null }
All events → sent with distinct_id="abc-123" and is_anon=True
```

#### **Stage 2: Login Event**
1. User runs `arcade login`
2. Command completes successfully (auth token saved)
3. `CommandTracker` detects successful login
4. Fetches `principal_id` from API
5. Checks `should_alias()` → returns `True` because
`linked_principal_id` is `null`
6. **Calls `alias()` synchronously** (blocking):
   ```python
   posthog.alias(previous_id="abc-123", distinct_id="zyx-321")
   ```
7. Updates `usage.json`:
   ```json
   { "anon_id": "abc-123", "linked_principal_id": "zyx-321" }
   ```
8. PostHog backend merges all events with `distinct_id="abc-123"` into
the user profile for `"zyx-321"`

#### **Stage 3: Authenticated User**
```
usage.json: { "anon_id": "abc-123", "linked_principal_id": "zyx-321" }
All events → sent with distinct_id="zyx-321" and is_anon=False
```
- Events are directly attributed to the authenticated user
- No more API calls needed (uses cached `linked_principal_id`)

#### **Stage 4: Logout Event**
1. User runs `arcade logout`
2. Logout event is sent with the authenticated `distinct_id`
3. `CommandTracker` detects successful logout
4. **Rotates identity** by calling `reset_to_anonymous()`:
   ```json
   { "anon_id": "xyz-789", "linked_principal_id": null }
   ```
5. New `anon_id` prevents cross-contamination if another user logs in

### **Critical Constraint: Alias Timing**

PostHog requires that `alias()` is called **BEFORE** any events are sent
with the new `distinct_id`. This is why:
- **`alias()` is synchronous (blocking)**: Guarantees it completes
before the login success event is sent
- **Subsequent events use `linked_principal_id`**: Once aliased, all
future events use the authenticated ID
- **Lazy aliasing**: If a user authenticates via another mechanism (not
through `arcade login`), the system detects this on the next command and
performs aliasing before sending that command's event

### **Event Capture Pipeline**

When `CommandTracker.track_command_execution()` is called:

1. **Resolve identity** → determines `distinct_id` and `is_anon` flag
2. **Build event properties**:
   ```python
   {
     "command_name": "toolkit.run",
     "cli_version": "1.2.3",
     "python_version": "3.11.0",
     "os_type": "Darwin",
     "os_release": "23.4.0",
     "duration": 1250.42,  # milliseconds
     "error_message": "..."  # if failed
   }
   ```
3. **Call `UsageService.capture()`**:
   - Serializes event data to JSON
   - Spawns detached subprocess: `python -m arcade_cli.usage`
   - Passes data via `ARCADE_USAGE_EVENT_DATA` env var
   - **Returns immediately** (non-blocking)

4. **Detached subprocess (`__main__.py`)**:
   - Runs independently, survives parent CLI exit
   - Deserializes event data
- If `is_anon=True`, sets `$process_person_profile=False` (tells PostHog
not to create a full profile)
   - Sends event to PostHog with 5s timeout
   - Exits (hard exit after 10s max via timeout thread)

### **Concurrency Handling**

Multiple CLI processes can run simultaneously. The system handles this
via:
- **File locking** on `usage.json` (shared lock for reads, exclusive for
writes)
- **Atomic writes** via temp files ensure incomplete writes never
corrupt the file
- **Idempotent aliasing**: `should_alias()` prevents redundant alias
calls

### **Edge Cases Handled**

1. **Side-channel authentication**: User authenticates outside of
`arcade login` (e.g., manually editing credentials)
   - Detected via "lazy aliasing" check on every command
- Performs alias if `linked_principal_id` doesn't match current
`principal_id`

2. **API failures during identity fetch**: Falls back to anonymous
tracking
   - 2s timeout prevents hanging
   - Silent failure doesn't disrupt CLI

3. **PostHog merge restrictions**: Can't alias returning users who
already have a profile
- System stores `linked_principal_id` to avoid retrying impossible
aliases
   - New users (never logged in before) get full history stitched

4. **Multiple accounts on same machine**: Logout rotates `anon_id`
   - User A's anonymous activity won't leak into User B's profile

### **Privacy & Performance**

- **Opt-out**: `ARCADE_USAGE_TRACKING=0` disables all tracking
- **Non-blocking**: Events never slow down CLI (detached subprocess)
- **Anonymous profiles**: `$process_person_profile=False` for `anon_id`
events minimizes data collection
- **Silent failures**: Network issues or PostHog errors never surface to
users
2025-10-03 10:15:08 -07:00

286 lines
8.9 KiB
Python

import httpx
import typer
from rich.console import Console
from rich.table import Table
from arcade_cli.constants import (
PROD_ENGINE_HOST,
)
from arcade_cli.usage.command_tracker import TrackedTyper, TrackedTyperGroup
from arcade_cli.utils import (
compute_base_url,
validate_and_get_config,
)
console = Console()
app = TrackedTyper(
cls=TrackedTyperGroup,
add_completion=False,
no_args_is_help=True,
pretty_exceptions_enable=False,
pretty_exceptions_show_locals=False,
pretty_exceptions_short=True,
)
state = {
"engine_url": compute_base_url(
host=PROD_ENGINE_HOST, port=None, force_tls=False, force_no_tls=False
)
}
@app.callback()
def main(
host: str = typer.Option(
PROD_ENGINE_HOST,
"--host",
"-h",
help="The Arcade Engine host.",
),
port: int = typer.Option(
None,
"--port",
"-p",
help="The port of the Arcade Engine host.",
),
force_tls: bool = typer.Option(
False,
"--tls",
help="Whether to force TLS for the connection to the Arcade Engine.",
),
force_no_tls: bool = typer.Option(
False,
"--no-tls",
help="Whether to disable TLS for the connection to the Arcade Engine.",
),
) -> None:
"""
Manage tool secrets in Arcade Cloud.
Usage:
arcade secret set KEY1=value1 KEY2="value 2"
arcade secret set --from-env
arcade secret set -from-env --env-file /path/to/.env
arcade secret list
arcade secret unset KEY1 KEY2 KEY3
"""
engine_url = compute_base_url(force_tls, force_no_tls, host, port)
state["engine_url"] = engine_url
@app.command("set", help="Set tool secret(s) using KEY=VALUE pairs or from .env file")
def set_secret(
key_value_pairs: list[str] = typer.Argument(
None,
help="Key-value pairs in the format KEY=VALUE",
),
from_env: bool = typer.Option(
False,
"--from-env",
help="Load all secrets from local .env file",
),
env_file: str = typer.Option(
".env",
"--env-file",
"-f",
help="Path to .env file (default: .env)",
),
) -> None:
"""Set secrets either from .env file or KEY=VALUE pairs."""
if not from_env and not key_value_pairs:
raise typer.BadParameter(
"Either provide KEY=VALUE pairs or use --from-env to load from .env file."
)
if from_env and key_value_pairs:
raise typer.BadParameter("Cannot use both KEY=VALUE pairs and --from-env at the same time.")
config = validate_and_get_config()
if from_env:
secrets = load_env_file(env_file)
else:
secrets = {}
for pair in key_value_pairs:
if (
"=" not in pair
or pair.split("=", 1)[0].strip() == ""
or pair.split("=", 1)[1].strip() == ""
):
raise typer.BadParameter(f"Invalid format '{pair}'. Expected KEY=VALUE")
key, value = pair.split("=", 1)
key = key.strip()
if " " in key:
raise typer.BadParameter(f"Secret key '{key}' cannot contain spaces")
value = value # keep the value as is, including the whitespace
secrets[key] = value
engine_url = state["engine_url"]
for secret_key, secret_value in secrets.items():
try:
_upsert_secret_to_engine(engine_url, config.api.key, secret_key, secret_value)
except Exception as e:
console.print(f"Error setting secret '{secret_key}': {e}", style="bold red")
continue
console.print(
f"Secret '{secret_key}' with value ending in ...{secret_value[-4:]} set successfully"
)
@app.command("list", help="List all tool secrets in Arcade Cloud")
def list_secrets() -> None:
"""List all secrets (keys only, values are masked)."""
config = validate_and_get_config()
engine_url = state["engine_url"]
secrets = _get_secrets_from_engine(engine_url, config.api.key)
print_secret_table(secrets)
@app.command("unset", help="Delete tool secret(s) by key names")
def unset_secret(
keys: list[str] = typer.Argument(
...,
help="Secret keys to delete",
),
) -> None:
"""Delete tool secrets."""
config = validate_and_get_config()
engine_url = state["engine_url"]
secrets = _get_secrets_from_engine(engine_url, config.api.key)
key_to_id = {secret["key"]: secret["id"] for secret in secrets}
for key in set(keys):
secret_id = key_to_id.get(key)
if not secret_id:
console.print(f"Warning: Secret with key '{key}' not found, skipping", style="yellow")
continue
try:
_delete_secret_from_engine(engine_url, config.api.key, secret_id)
console.print(f"Secret '{key}' deleted successfully")
except Exception:
console.print(
f"Failed to delete secret '{key}'. Do you have permission to delete this secret?",
style="bold red",
)
continue
def print_secret_table(secrets: list[dict]) -> None:
"""Print a table of tool secrets (with masked values)."""
table = Table(title="Tool Secrets")
table.add_column("Key", style="cyan")
table.add_column("Type", style="green")
table.add_column("Description", style="green")
table.add_column("Hint", style="green")
table.add_column("Last Accessed", style="green")
table.add_column("Created At", style="green")
for secret in secrets:
table.add_row(
secret["key"],
secret["binding"]["type"],
secret["description"],
"..." + secret["hint"] if secret["hint"] else "-",
secret["last_accessed_at"] if secret["last_accessed_at"] else "Never",
secret["created_at"],
)
console.print(table)
def load_env_file(env_file_path: str) -> dict[str, str]:
"""Load tool secrets from a .env file."""
secrets = {}
with open(env_file_path) as file:
for line in file:
line = line.strip()
if line.startswith("#") or not line:
continue
# Split on first '=' to handle values that contain '='
if "=" not in line:
continue
key, value = line.split("=", 1)
key = key.strip()
# Remove inline comments, but respect quoted values
value = _remove_inline_comment(value)
value = value.strip()
# Skip entries with empty keys or empty values
if not key or not value:
continue
secrets[key] = value
return secrets
def _remove_inline_comment(value: str) -> str:
"""Remove inline comments from env value, respecting quoted strings."""
value = value.strip()
# Check if value starts with a quote
if value.startswith('"') or value.startswith("'"):
quote_char = value[0]
# Find the matching closing quote (not escaped)
i = 1
while i < len(value):
if value[i] == quote_char:
# Found potential closing quote
# Check if there's anything after it
remaining = value[i + 1 :]
comment_idx = remaining.find(" #")
if comment_idx != -1:
# Remove the comment part and strip quotes
quoted_value = value[: i + 1]
return quoted_value[1:-1] # Remove surrounding quotes
else:
# No comment after closing quote, strip quotes
quoted_value = value[: i + 1]
return quoted_value[1:-1] # Remove surrounding quotes
i += 1
# No closing quote, treat as unquoted
comment_idx = value.find(" #")
if comment_idx != -1:
return value[:comment_idx]
return value
else:
# For unquoted values, remove everything after ' #'
comment_idx = value.find(" #")
if comment_idx != -1:
return value[:comment_idx]
return value
def _upsert_secret_to_engine(
engine_url: str, api_key: str, secret_id: str, secret_value: str
) -> None:
response = httpx.put(
f"{engine_url}/v1/admin/secrets/{secret_id}",
headers={"Authorization": f"Bearer {api_key}"},
json={"description": "Secret set via CLI", "value": secret_value},
)
response.raise_for_status()
def _get_secrets_from_engine(engine_url: str, api_key: str) -> list[dict]:
response = httpx.get(
f"{engine_url}/v1/admin/secrets",
headers={"Authorization": f"Bearer {api_key}"},
)
response.raise_for_status()
return response.json()["items"] # type: ignore[no-any-return]
def _delete_secret_from_engine(engine_url: str, api_key: str, secret_id: str) -> None:
response = httpx.delete(
f"{engine_url}/v1/admin/secrets/{secret_id}",
headers={"Authorization": f"Bearer {api_key}"},
)
response.raise_for_status()