From 00d307b19cfd580231602623a454c2f27f66abd3 Mon Sep 17 00:00:00 2001
From: dimavrem22
Date: Sat, 27 Jun 2026 22:41:52 +0000
Subject: [PATCH] fix: reject unknown api key subtypes
---
 inkbox_codex/setup_wizard.py | 6 +++---
 tests/test_setup_wizard.py | 37 ++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/inkbox_codex/setup_wizard.py b/inkbox_codex/setup_wizard.py
index ea07298..557c13b 100644
--- a/inkbox_codex/setup_wizard.py
+++ b/inkbox_codex/setup_wizard.py
@@ -1359,9 +1359,9 @@ def _api_key_flow(
 if subtype == _enum_value(ADMIN_SCOPED):
 return _pick_admin_scoped(client, api_key, IdentityPhoneNumberCreateOptions, InkboxAPIError)
- print_warning(f" Unrecognized API-key subtype: {subtype!r}.")
- print_info(" Falling back to list_identities().")
- return _pick_admin_scoped(client, api_key, IdentityPhoneNumberCreateOptions, InkboxAPIError)
+ print_error(f" Unsupported API-key subtype: {subtype!r}.")
+ print_info(" Use an admin-scoped or agent-scoped Inkbox API key.")
+ return None, "", False
 def _pick_agent_scoped(client: Any, api_key: str) -> tuple[Any | None, str, bool]:
diff --git a/tests/test_setup_wizard.py b/tests/test_setup_wizard.py
index 4175cab..247f9d1 100644
--- a/tests/test_setup_wizard.py
+++ b/tests/test_setup_wizard.py
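Review bot: In `inkbox_codex/setup_wizard.py`, the new reject branch at the end of `_api_key_flow` carries no comment saying that it fails closed on purpose, so a later edit could reintroduce a permissive fallback for a subtype the client does not know. I would put `# Fail closed: an unrecognized subtype must never be routed through the admin-scoped path.` above the `print_error(...)` line. The function's earlier branches and its callers lie outside the hunk, so it is worth confirming that each caller stops on the `(None, "", False)` result instead of carrying on with the empty string.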
@@ -118,6 +118,43 @@ def fail_import():
 assert "inkbox>=0.4.10" in out
+# ----------------------------------------------------------------------
+# API key scope handling
+# ----------------------------------------------------------------------
+
+
+def test_api_key_flow_rejects_unknown_auth_subtype(monkeypatch, capsys):
+ class FakeWhoamiApiKeyResponse:
+ auth_subtype = "future_scope"
+ organization_id = "org_123"
+
+ class FakeInkbox:
+ def __init__(self, **_kwargs):
+ pass
+
+ def whoami(self):
+ return FakeWhoamiApiKeyResponse()
+
+ def list_identities(self):
+ raise AssertionError("unknown subtypes must not fall back to identity listing")
+
+ monkeypatch.setattr(setup_wizard, "prompt", lambda *_args, **_kwargs: "ApiKey_test")
+
+ result = setup_wizard._api_key_flow(
+ "https://inkbox.ai",
+ FakeInkbox,
+ Exception,
+ FakeWhoamiApiKeyResponse,
+ "admin_scoped",
+ "agent_scoped_claimed",
+ "agent_scoped_unclaimed",
+ object,
+ )
+
+ assert result == (None, "", False)
+ assert "Unsupported API-key subtype" in capsys.readouterr().out
+
+
 # ----------------------------------------------------------------------
 # Project directory
 # ----------------------------------------------------------------------
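Review bot: In `tests/test_setup_wizard.py`, the test passes the builtin `Exception` in what appears to be the `InkboxAPIError` slot of `_api_key_flow`, and `AssertionError` is a subclass of `Exception`, so the guard raised from `FakeInkbox.list_identities` would be swallowed by any `except InkboxAPIError` in the flow (the flow's body is not visible here). A dedicated class keeps the guard effective: `class FakeInkboxAPIError(Exception): pass`, passed in place of `Exception`. A second case with `auth_subtype = None` would also pin the behaviour for a response that carries no subtype at all.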