@@ -205,6 +205,122 @@ func TestAuthConnectionsList_JSONOutput_PrintsRawResponse(t *testing.T) {
205205 assert .Contains (t , out , "\" raf-leaseweb\" " )
206206}
207207
208+ // Regression test for the 1Password auto-lookup UX gap: before this fix,
209+ // `kernel auth connections create --credential-provider foo` sent a
210+ // CredentialReference of { provider } with no auto flag, which the API accepted
211+ // as valid-but-inert — the managed auth session would never fetch credentials
212+ // and would prompt the user for manual input. The dashboard already defaults
213+ // to auto: true for this case (see packages/dashboard/src/components/create-managed-auth-dialog.tsx);
214+ // the CLI now matches that UX.
215+ func TestAuthConnectionsCreate_ProviderWithoutPath_DefaultsAutoTrue (t * testing.T ) {
216+ var captured kernel.AuthConnectionNewParams
217+ fake := & FakeAuthConnectionService {
218+ NewFunc : func (ctx context.Context , body kernel.AuthConnectionNewParams , opts ... option.RequestOption ) (* kernel.ManagedAuth , error ) {
219+ captured = body
220+ return & kernel.ManagedAuth {ID : "conn-new" }, nil
221+ },
222+ }
223+
224+ c := AuthConnectionCmd {svc : fake }
225+ err := c .Create (context .Background (), AuthConnectionCreateInput {
226+ Domain : "google.com" ,
227+ ProfileName : "my-profile" ,
228+ CredentialProvider : "my-1p" ,
229+ Output : "json" ,
230+ })
231+ require .NoError (t , err )
232+
233+ cred := captured .ManagedAuthCreateRequest .Credential
234+ require .True (t , cred .Provider .Valid ())
235+ assert .Equal (t , "my-1p" , cred .Provider .Value )
236+ assert .False (t , cred .Path .Valid (), "path should not be set when only --credential-provider is given" )
237+ require .True (t , cred .Auto .Valid (), "auto should default to true when provider is set without path" )
238+ assert .True (t , cred .Auto .Value )
239+ }
240+
241+ // Explicit --credential-path should keep the credential reference as a pinned
242+ // path lookup (no implicit auto).
243+ func TestAuthConnectionsCreate_ProviderWithPath_DoesNotSetAuto (t * testing.T ) {
244+ var captured kernel.AuthConnectionNewParams
245+ fake := & FakeAuthConnectionService {
246+ NewFunc : func (ctx context.Context , body kernel.AuthConnectionNewParams , opts ... option.RequestOption ) (* kernel.ManagedAuth , error ) {
247+ captured = body
248+ return & kernel.ManagedAuth {ID : "conn-new" }, nil
249+ },
250+ }
251+
252+ c := AuthConnectionCmd {svc : fake }
253+ err := c .Create (context .Background (), AuthConnectionCreateInput {
254+ Domain : "google.com" ,
255+ ProfileName : "my-profile" ,
256+ CredentialProvider : "my-1p" ,
257+ CredentialPath : "Employees/Google Workspace" ,
258+ Output : "json" ,
259+ })
260+ require .NoError (t , err )
261+
262+ cred := captured .ManagedAuthCreateRequest .Credential
263+ require .True (t , cred .Provider .Valid ())
264+ assert .Equal (t , "my-1p" , cred .Provider .Value )
265+ require .True (t , cred .Path .Valid ())
266+ assert .Equal (t , "Employees/Google Workspace" , cred .Path .Value )
267+ assert .False (t , cred .Auto .Valid (), "auto should remain unset when --credential-path is explicit" )
268+ }
269+
270+ // --credential-auto should still be honored (it was a no-op redundant flag
271+ // before the default changed, but callers may pass it for clarity).
272+ func TestAuthConnectionsCreate_ProviderWithExplicitAuto_SetsAuto (t * testing.T ) {
273+ var captured kernel.AuthConnectionNewParams
274+ fake := & FakeAuthConnectionService {
275+ NewFunc : func (ctx context.Context , body kernel.AuthConnectionNewParams , opts ... option.RequestOption ) (* kernel.ManagedAuth , error ) {
276+ captured = body
277+ return & kernel.ManagedAuth {ID : "conn-new" }, nil
278+ },
279+ }
280+
281+ c := AuthConnectionCmd {svc : fake }
282+ err := c .Create (context .Background (), AuthConnectionCreateInput {
283+ Domain : "google.com" ,
284+ ProfileName : "my-profile" ,
285+ CredentialProvider : "my-1p" ,
286+ CredentialAuto : true ,
287+ Output : "json" ,
288+ })
289+ require .NoError (t , err )
290+
291+ cred := captured .ManagedAuthCreateRequest .Credential
292+ require .True (t , cred .Auto .Valid ())
293+ assert .True (t , cred .Auto .Value )
294+ }
295+
296+ // --credential-name references a Kernel-managed credential and should never
297+ // carry a provider/auto/path — the default-auto logic must not kick in here.
298+ func TestAuthConnectionsCreate_CredentialName_UnaffectedByAutoDefault (t * testing.T ) {
299+ var captured kernel.AuthConnectionNewParams
300+ fake := & FakeAuthConnectionService {
301+ NewFunc : func (ctx context.Context , body kernel.AuthConnectionNewParams , opts ... option.RequestOption ) (* kernel.ManagedAuth , error ) {
302+ captured = body
303+ return & kernel.ManagedAuth {ID : "conn-new" }, nil
304+ },
305+ }
306+
307+ c := AuthConnectionCmd {svc : fake }
308+ err := c .Create (context .Background (), AuthConnectionCreateInput {
309+ Domain : "google.com" ,
310+ ProfileName : "my-profile" ,
311+ CredentialName : "my-google-creds" ,
312+ Output : "json" ,
313+ })
314+ require .NoError (t , err )
315+
316+ cred := captured .ManagedAuthCreateRequest .Credential
317+ require .True (t , cred .Name .Valid ())
318+ assert .Equal (t , "my-google-creds" , cred .Name .Value )
319+ assert .False (t , cred .Provider .Valid ())
320+ assert .False (t , cred .Auto .Valid ())
321+ assert .False (t , cred .Path .Valid ())
322+ }
323+
208324func TestAuthConnectionsUpdate_MapsParams (t * testing.T ) {
209325 var captured kernel.AuthConnectionUpdateParams
210326 fake := & FakeAuthConnectionService {
0 commit comments