feat(cli): add default machine user to profiles #1419
Profiles can now store a default machine user name via `profile create/update --machine-user`. Commands that need a machine user (query, workflow start, function test-run, machineuser token) fall back to the active profile's default when neither --machine-user nor TAILOR_PLATFORM_MACHINE_USER_NAME is provided. Pass an empty string to `profile update --machine-user ""` to clear the default.
Assert the resolved machine user name (not just success) in test-run fallback tests, verify option forwarding to loadMachineUserName in workflow start tests, drop a duplicate profile update test, and add machineuser token tests for the new optional NAME argument.
The query execution error mapper still read the raw machineUser option, which is undefined when the name comes from the profile default or environment variable. Pass the resolved resource name so error messages always include the machine user.
Bind TAILOR_PLATFORM_MACHINE_USER_NAME to the positional NAME so the env fallback is declared on the command like the other machine user commands. Also clarify the changeset wording for machineuser token (positional NAME, not --machine-user) and rename a resolution variable in test-run for clarity.
`profile create/update --machine-user-override deny` locks the profile's machine user: an explicit machine user from the command line or TAILOR_PLATFORM_MACHINE_USER_NAME that differs from the stored value fails fast with PROFILE_MACHINE_USER_OVERRIDE_DENIED. The default (`allow`) keeps the stored value as a fallback only.
Validate the deny/machine-user combination only when a machine-user flag is part of the update, so a profile left in an inconsistent state by hand-editing does not block unrelated updates. Key the error message on the flag that was passed and mention the env var in the override-denied suggestion.
🦋 Changeset detected
Latest commit: 418c285
The changes in this PR will be included in the next version bump. This PR includes changesets to release 2 packages
📖 Docs Quality & Consistency Check
✅ Docs are consistent with the implementation and contain no user-facing internal-detail leaks.
Checked areas:
- CLI reference documentation (`cli-reference.md`) - environment variable descriptions updated to include `machineuser token`
- Command documentation (`cli/auth.md`, `cli/function.md`, `cli/query.md`, `cli/workflow.md`, `cli/workspace.md`) - all option tables and descriptions accurately reflect the optional nature of `--machine-user` and the new profile options
- Machine user resolution priority order (CLI flag > env > profile default) - consistently documented and implemented in `loadMachineUserName`
- Error messages across all affected commands - contextually appropriate variations (e.g., `machineuser token` correctly mentions "NAME positional argument" vs `--machine-user` for other commands)
- Profile override deny behavior - implementation matches documented behavior with correct error code `PROFILE_MACHINE_USER_OVERRIDE_DENIED`
- Changeset user-facing descriptions - clear and accurate
- User-facing documentation stays focused on SDK user needs without leaking internal implementation details (no transport, module, or class name references)
Re-run this check by adding the `docs-check` label to the PR.
…machine-user # Conflicts: # packages/sdk/src/cli/commands/profile/list.ts
| */ | ||
| export async function loadMachineUserName( | ||
| opts?: LoadMachineUserNameOptions, | ||
| ): Promise<string | undefined> { |
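Review bot: on the `Promise<string | undefined>` return type of `loadMachineUserName`, the unresolved case is left for every caller to handle, and the name returned here decides which machine user a command runs as. Consider stating in the doc comment above exactly when `undefined` is returned, or returning the source (flag, environment variable, profile) together with the name so callers can report which one was used.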
With `opts?.machineUser || ... || undefined`, passing `--machine-user ""` explicitly to `query` / `workflow start` / `function test-run` / `machineuser token` makes the empty string falsy and silently falls back to the env var / profile default.
The "empty string = clear" semantics of `profile update` don't apply here since that path doesn't go through this function — for the consuming commands an empty machine user name is just invalid input. A typo like `--machine-user "$UNSET_VAR"` would go undetected and run as a different user, so it might be worth rejecting an empty value explicitly:

```ts
if (opts?.machineUser === "") {
  throw new Error("Machine user name cannot be empty.");
}
```

`profile update` doesn't call `loadMachineUserName`, so its clear behavior is unaffected.
Fixed in 418c285. Used a CLIError with code MACHINE_USER_NAME_EMPTY to match the existing PROFILE_MACHINE_USER_OVERRIDE_DENIED path rather than a bare Error.
An empty --machine-user value silently fell back to the env var or profile default. Reject it explicitly so a typo like --machine-user "$UNSET_VAR" surfaces as invalid input instead of running as a different user.
Code Metrics Report (packages/sdk)
|                    | main (f5dacfb) | #1419 (d2b1ea8) | +/-   |
|--------------------|----------------|-----------------|-------|
| Coverage           | 67.9%          | 68.1%           | +0.2% |
| Files              | 415            | 415             | 0     |
| Lines              | 14572          | 14614           | +42   |
| Covered            | 9898           | 9962            | +64   |
| Code to Test Ratio | 1:0.4          | 1:0.4           | +0.0  |
| Code               | 96533          | 97338           | +805  |
| Test               | 42498          | 43147           | +649  |

Code coverage of files in pull request scope (50.0% → 55.6%)
Reported by octocov
Summary
Profiles can now store a default machine user — and optionally lock it — so application-data commands no longer need `--machine-user` on every invocation. Follow-up to the suggestion in #1147 (comment).
Usage
Resolution order for `query`, `workflow start`, `function test-run`, and `machineuser token`: command line (`--machine-user`, or the `NAME` argument for `machineuser token`) > `TAILOR_PLATFORM_MACHINE_USER_NAME` > profile default. `function test-run` keeps its existing final fallback to the first machine user in `tailor.config.ts`. Clear the stored default with `profile update <name> --machine-user ""`.
Locking the machine user
`--machine-user-override deny` turns the default into a fixed value: a differing machine user from the command line or environment fails fast.
Like the readonly flag, this is a local guardrail, not a security boundary: it can be lifted with `profile update <name> --machine-user-override allow`, and paths that bypass profiles (`--workspace-id` with the current user, direct token use) are governed by the bearer token itself.
Notes
`machine_user` / `machine_user_override` profile fields and silently drop them when they rewrite the config file (e.g. on token refresh). Re-set them with `profile update` if older and newer SDK versions share a machine.
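
The resolution order, the `deny` lock and the empty-flag rejection discussed in this PR, sketched as an added TypeScript example. It is not the SDK's `loadMachineUserName`: `resolveMachineUser`, `Profile`, `Resolved`, `ResolutionError` and the choice to treat an empty environment variable as unset are assumptions; the two error codes and the variable name are taken from the PR.

```typescript
// Added illustration, not SDK code. Hypothetical names throughout, except the
// env var name and the two error codes, which appear in the PR discussion.
interface Profile {
  machineUser?: string;
  machineUserOverride?: "allow" | "deny";
}

interface Resolved {
  name: string | undefined;
  source: "flag" | "env" | "profile" | "none";
}

class ResolutionError extends Error {
  code: string;
  constructor(code: string, message: string) {
    super(message);
    this.code = code;
  }
}

function resolveMachineUser(
  flag: string | undefined,
  env: Record<string, string | undefined>,
  profile: Profile,
): Resolved {
  // An explicit empty flag (e.g. --machine-user "$UNSET_VAR") is invalid input,
  // not "unset": falling through would run the command as a different user.
  if (flag === "") {
    throw new ResolutionError("MACHINE_USER_NAME_EMPTY", "Machine user name cannot be empty.");
  }
  // Assumption of this sketch: an empty env var is treated as unset.
  const fromEnv = env["TAILOR_PLATFORM_MACHINE_USER_NAME"] || undefined;
  const explicit = flag ?? fromEnv; // command line wins over environment
  const stored = profile.machineUser || undefined;

  // deny: an explicit value that differs from the stored one fails fast.
  if (profile.machineUserOverride === "deny" && stored !== undefined &&
      explicit !== undefined && explicit !== stored) {
    throw new ResolutionError(
      "PROFILE_MACHINE_USER_OVERRIDE_DENIED",
      `Profile is locked to machine user "${stored}".`,
    );
  }
  if (flag !== undefined) return { name: flag, source: "flag" };
  if (fromEnv !== undefined) return { name: fromEnv, source: "env" };
  if (stored !== undefined) return { name: stored, source: "profile" };
  return { name: undefined, source: "none" };
}
```

Returning the source with the name lets a caller log which input selected the identity, which is the detail that was lost when an empty flag silently fell through.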