stacklok · JAORMX · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025
diff --git a/cmd/thv/app/config_buildauthfile.go b/cmd/thv/app/config_buildauthfile.go
@@ -0,0 +1,301 @@
+package app
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"sort"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"github.com/stacklok/toolhive/pkg/config"
+)
+
+var (
+	unsetBuildAuthFileAll bool
+	showAuthFileContent   bool
+	authFileFromStdin     bool
+)
+
+var setBuildAuthFileCmd = &cobra.Command{
+	Use:   "set-build-auth-file <name> [content]",
+	Short: "Set an auth file for protocol builds",
+	Long: `Set authentication file content that will be injected into the container
+during protocol builds (npx://, uvx://, go://). This is useful for authenticating
+to private package registries.
+
+Supported file types:
+  npmrc  - NPM configuration (~/.npmrc) for npm/npx registries
+  netrc  - Netrc file (~/.netrc) for pip, Go, and other tools
+  yarnrc - Yarn configuration (~/.yarnrc)
+
+The file content is injected into the build stage only and is NOT included
+in the final container image.
+
+Examples:
+  # Set npmrc for private npm registry
+  thv config set-build-auth-file npmrc '//npm.corp.example.com/:_authToken=TOKEN'
+
+  # Set netrc for pip/Go authentication
+  thv config set-build-auth-file netrc 'machine github.com login git password TOKEN'
+
+  # Read content from stdin (avoids exposing secrets in shell history)
+  cat ~/.npmrc | thv config set-build-auth-file npmrc --stdin
+  thv config set-build-auth-file npmrc --stdin < ~/.npmrc
+
+Note: For multi-line content, use quotes, heredoc syntax, or --stdin.`,
+	Args: cobra.RangeArgs(1, 2),
+	RunE: setBuildAuthFileCmdFunc,
+}
+
+var getBuildAuthFileCmd = &cobra.Command{
+	Use:   "get-build-auth-file [name]",
+	Short: "Get build auth file configuration",
+	Long: `Display configured build auth files.
+If a name is provided, shows only that specific file.
+If no name is provided, shows all configured files.
+
+By default, file contents are hidden to prevent credential exposure.
+Use --show-content to display the actual content.
+
+Examples:
+  thv config get-build-auth-file                    # Show all files (content hidden)
+  thv config get-build-auth-file npmrc              # Show specific file (content hidden)
+  thv config get-build-auth-file npmrc --show-content  # Show with content`,
+	Args: cobra.MaximumNArgs(1),
+	RunE: getBuildAuthFileCmdFunc,
+}
+
+var unsetBuildAuthFileCmd = &cobra.Command{
+	Use:   "unset-build-auth-file [name]",
+	Short: "Remove build auth file(s)",
+	Long: `Remove a specific build auth file or all files.
+
+Examples:
+  thv config unset-build-auth-file npmrc  # Remove specific file
+  thv config unset-build-auth-file --all  # Remove all files`,
+	Args: cobra.MaximumNArgs(1),
+	RunE: unsetBuildAuthFileCmdFunc,
+}
+
+func init() {
+	configCmd.AddCommand(setBuildAuthFileCmd)
+	configCmd.AddCommand(getBuildAuthFileCmd)
+	configCmd.AddCommand(unsetBuildAuthFileCmd)
+
+	unsetBuildAuthFileCmd.Flags().BoolVar(
+		&unsetBuildAuthFileAll,
+		"all",
+		false,
+		"Remove all build auth files",
+	)
+
+	getBuildAuthFileCmd.Flags().BoolVar(
+		&showAuthFileContent,
+		"show-content",
+		false,
+		"Show the actual file content (contains credentials)",
+	)
+
+	setBuildAuthFileCmd.Flags().BoolVar(
+		&authFileFromStdin,
+		"stdin",
+		false,
+		"Read file content from stdin instead of command line argument",
+	)
+}
+
+func setBuildAuthFileCmdFunc(_ *cobra.Command, args []string) error {
+	name := args[0]
+
+	// Validate the file name first
+	if err := config.ValidateBuildAuthFileName(name); err != nil {
+		return err
+	}
+
+	var content string
+	if authFileFromStdin {
+		// Read from stdin
+		data, err := readFromStdin()
+		if err != nil {
+			return fmt.Errorf("failed to read from stdin: %w", err)
+		}
+		content = data
+	} else {
+		// Read from command line argument
+		if len(args) < 2 {
+			return fmt.Errorf("content argument required (or use --stdin to read from stdin)")
+		}
+		content = args[1]
+	}
+
+	// Get the secrets manager to store the content securely
+	manager, err := getSecretsManager()
+	if err != nil {
+		return fmt.Errorf("failed to get secrets manager: %w (run 'thv secret setup' first)", err)
+	}
+
+	// Store the content in the secrets provider
+	secretName := config.BuildAuthFileSecretName(name)
+	ctx := context.Background()
+	if err := manager.SetSecret(ctx, secretName, content); err != nil {
+		return fmt.Errorf("failed to store auth file in secrets: %w", err)
+	}
+
+	// Mark the auth file as configured in the config (only a marker, no content)
+	provider := config.NewDefaultProvider()
+	if err := provider.MarkBuildAuthFileConfigured(name); err != nil {
+		// Try to clean up the secret if marking fails
+		_ = manager.DeleteSecret(ctx, secretName)
+		return fmt.Errorf("failed to mark build auth file as configured: %w", err)
+	}
+
+	fmt.Printf("Successfully set build auth file: %s (stored securely in secrets)\n", name)
+	return nil
+}
+
+// readFromStdin reads all content from stdin.
+func readFromStdin() (string, error) {
+	// Check if stdin has data (is not a terminal)
+	stat, err := os.Stdin.Stat()
+	if err != nil {
+		return "", fmt.Errorf("failed to stat stdin: %w", err)
+	}
+
+	// If stdin is a terminal with no piped data, return an error
+	if (stat.Mode() & os.ModeCharDevice) != 0 {
+		return "", fmt.Errorf("no input provided on stdin (pipe content or redirect from a file)")
+	}
+
+	reader := bufio.NewReader(os.Stdin)
+	data, err := io.ReadAll(reader)
+	if err != nil {
+		return "", err
+	}
+
+	// Trim trailing newline that's often added by echo/cat
+	content := strings.TrimSuffix(string(data), "\n")
+	return content, nil
+}
+
+func getBuildAuthFileCmdFunc(_ *cobra.Command, args []string) error {
+	provider := config.NewDefaultProvider()
+	ctx := context.Background()
+
+	if len(args) == 1 {
+		name := args[0]
+		if !provider.IsBuildAuthFileConfigured(name) {
+			fmt.Printf("Build auth file %s is not configured.\n", name)
+			return nil
+		}
+
+		// Get content from secrets if requested
+		if showAuthFileContent {
+			manager, err := getSecretsManager()
+			if err != nil {
+				return fmt.Errorf("failed to get secrets manager: %w", err)
+			}
+			secretName := config.BuildAuthFileSecretName(name)
+			content, err := manager.GetSecret(ctx, secretName)
+			if err != nil {
+				return fmt.Errorf("failed to retrieve auth file content: %w", err)
+			}
+			lines := strings.Count(content, "\n") + 1
+			fmt.Printf("%s: %d line(s) -> %s\n", name, lines, config.SupportedAuthFiles[name])
+			fmt.Printf("Content:\n%s\n", content)
+		} else {
+			fmt.Printf("%s: configured -> %s\n", name, config.SupportedAuthFiles[name])
+		}
+		return nil
+	}
+
+	configuredFiles := provider.GetConfiguredBuildAuthFiles()
+	if len(configuredFiles) == 0 {
+		fmt.Println("No build auth files are configured.")
+		return nil
+	}
+
+	sort.Strings(configuredFiles)
+
+	fmt.Println("Configured build auth files:")
+	for _, name := range configuredFiles {
+		if showAuthFileContent {
+			manager, err := getSecretsManager()
+			if err != nil {
+				fmt.Printf("  %s: configured -> %s (unable to retrieve content: %v)\n",
+					name, config.SupportedAuthFiles[name], err)
+				continue
+			}
+			secretName := config.BuildAuthFileSecretName(name)
+			content, err := manager.GetSecret(ctx, secretName)
+			if err != nil {
+				fmt.Printf("  %s: configured -> %s (unable to retrieve content: %v)\n",
+					name, config.SupportedAuthFiles[name], err)
+				continue
+			}
+			lines := strings.Count(content, "\n") + 1
+			fmt.Printf("  %s: %d line(s) -> %s\n", name, lines, config.SupportedAuthFiles[name])
+			fmt.Printf("  Content:\n%s\n", content)
+		} else {
+			fmt.Printf("  %s: configured -> %s\n", name, config.SupportedAuthFiles[name])
+		}
+	}
+	return nil
+}
+
+func unsetBuildAuthFileCmdFunc(_ *cobra.Command, args []string) error {
+	provider := config.NewDefaultProvider()
+	ctx := context.Background()
+
+	if unsetBuildAuthFileAll {
+		configuredFiles := provider.GetConfiguredBuildAuthFiles()
+		if len(configuredFiles) == 0 {
+			fmt.Println("No build auth files are configured.")
+			return nil
+		}
+
+		// Try to get secrets manager to delete secrets (but don't fail if unavailable)
+		manager, err := getSecretsManager()
+		if err == nil {
+			for _, name := range configuredFiles {
+				secretName := config.BuildAuthFileSecretName(name)
+				// Best effort - don't fail if secret doesn't exist
+				_ = manager.DeleteSecret(ctx, secretName)
+			}
+		}
+
+		if err := provider.UnsetAllBuildAuthFiles(); err != nil {
+			return fmt.Errorf("failed to remove build auth files: %w", err)
+		}
+
+		fmt.Printf("Successfully removed %d build auth file(s).\n", len(configuredFiles))
+		return nil
+	}
+
+	if len(args) == 0 {
+		return fmt.Errorf("please specify a file name or use --all")
+	}
+
+	name := args[0]
+	if !provider.IsBuildAuthFileConfigured(name) {
+		fmt.Printf("Build auth file %s is not configured.\n", name)
+		return nil
+	}
+
+	// Try to delete the secret (but don't fail if secrets manager unavailable)
+	manager, err := getSecretsManager()
+	if err == nil {
+		secretName := config.BuildAuthFileSecretName(name)
+		_ = manager.DeleteSecret(ctx, secretName)
+	}
+
+	if err := provider.UnsetBuildAuthFile(name); err != nil {
+		return fmt.Errorf("failed to remove build auth file: %w", err)
+	}
+
+	fmt.Printf("Successfully removed build auth file: %s\n", name)
+	return nil
+}
diff --git a/docs/cli/thv_config.md b/docs/cli/thv_config.md
diff --git a/docs/cli/thv_config_get-build-auth-file.md b/docs/cli/thv_config_get-build-auth-file.md