token: unlock with PIN, print + verify saved token, fix launcher warning#70
Merged
Merged
Conversation
Wire the existing unlock_token() helper into the token command so the token can be unlocked directly: 'bond token --pin <pin>' unlocks with the given PIN and 'bond token --pin' prompts for it. Previously only 'bond select --pin' could unlock the token this way. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Include the token in update_token's output so 'bond token' and the unlock paths that funnel through it show the value, not just a confirmation that it was saved. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
When 'bond token' finds the token locked but one is already saved locally, probe it against an authenticated endpoint (devices) and report whether it is still valid, obsolete, or could not be checked, instead of just telling the user to figure out whether it is obsolete. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Replace the deprecated scripts=["bond/bond"] with a console_scripts entry point (bond=bond.app:main). The old mechanism made setuptools wrap the launcher in a pkg_resources.require() shim that printed a DeprecationWarning on every invocation. Extract a main() into bond.app and have __main__.py reuse it so 'bond' and 'python -m bond' share one code path. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The CI lint step (flake8 --max-line-length=127) treats any violation as fatal, and upgrade.py:89 was 131 chars. Split the help string across two implicitly-concatenated literals, matching the style of the 'branch' help above it. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The runner image no longer ships Python 3.7/3.8/3.9, so the pinned [3.7, 3.8, 3.9] matrix on actions/setup-python@v1 failed at setup before running any tests. Move to [3.9-3.13], bump checkout@v2->v4, setup-python@v1->v5 (v5 fetches versions from the registry), and the markdown job's checkout@master->v4. Quote the versions so YAML does not read 3.10 as 3.1. Bump python_requires to >=3.9 to match. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release Note
bond tokencan now unlock the token with the Bond PIN, prints the token value when it saves one, and — when the token is locked but one is already saved locally — tells you whether that saved token is still valid, obsolete, or unreachable instead of leaving you to guess. The launcher no longer prints apkg_resourcesdeprecation warning on every run.Why
bond tokenwas for the Bond to already be unlocked (e.g. just after a reboot). Unlocking with the PIN was only possible throughbond select --pin.bond tokenconfirmed it saved a token but never showed the value.bond tokentold the user "If this token is obsolete, you will need to set the new token" — pushing the work of figuring out obsolescence onto them, even though the CLI can just test it.bondlauncher printed aDeprecationWarning: pkg_resources is deprecatedon every invocation.What Changed
Four focused commits:
bond token --pin— wires the existingunlock_token()helper into the command.bond token --pin <pin>unlocks with the PIN;bond token --pinprompts for it.update_token()now includes the token in its output, so every save path (bond token <token>,--pin, and the unlocked-grace-period path) shows the value.check_stored_token()probes the saved token against an authenticated endpoint (devices) and reports valid / obsolete / unreachable. Per the Bond Local API v2 spec, every endpoint except/sys/versionand/tokenrequires theBOND-Token, sodevicesis a reliable probe (2xx = valid, 401 = obsolete).scripts=["bond/bond"]with aconsole_scriptsentry point (bond=bond.app:main), eliminating thepkg_resourcesshim/warning. Extractsmain()intobond.appand has__main__.pyreuse it sobondandpython -m bondshare one code path. Thebond/bondscript is removed.Testing Notes
bond token --pin <pin>against a real Bond — successfully unlocked and saved the token.bond token(locked, with a valid saved token) against a real Bond — correctly reported the saved token as still valid.flake8clean on all changed files; existing test suite passes.Security Analysis
No new auth or transport behavior. The validity probe reuses the existing authenticated HTTP path and the locally-stored token; it sends one read-only
GET /v2/devices.bond tokennow prints the token value to stdout, consistent with the CLI already printing stored tokens elsewhere (Bond Local API tokens are local-network credentials).Agentic Engineering
Model: Claude Opus 4.8 (1M context)
Context: Bond Local API v2 docs (
bondhome/api-v2,token/paths.yaml) were consulted to confirm which endpoints require theBOND-Tokenbefore choosingdevicesas the validity probe.Prompt: Kicked off with:
then redirected with:
Tool:
org-knowledgeMCP for the Bond API v2 endpoint-auth reference.Skill:
superpowers:brainstormingfor the initial design;commitandbond-dev:prfor delivery.