feat(cli): login --endpoint — point honeycomb at a self-hosted backend without Activeloop #131

Open: chrisl10 wants to merge 2 commits into legioncodeinc:main from chrisl10:feat/self-hosted-login
chrisl10 (Contributor) commented Jun 26, 2026

What

Adds honeycomb login --endpoint <url> [--token <tok>] [--org <o>] [--workspace <w>]: one supported command to point honeycomb at a self-hosted backend, instead of env-var / hand-edit gymnastics, and without any call to api.deeplake.ai.

It skips the device flow and the GET /me validation and writes ~/.deeplake/credentials.json directly (same 0700 dir / 0600 file / server-stamped savedAt discipline as every other login) with the supplied apiUrl, org (default local), and workspace (default default). When --token is omitted (and no HONEYCOMB_TOKEN), a local stub token is minted via the existing encodeStubToken machinery, so a self-hoster needs no Activeloop token.

Purely additive: with no --endpoint, all existing login behavior is unchanged.

Why

The storage read path already honors a custom endpoint (HONEYCOMB_DEEPLAKE_* env, or a hand-edited apiUrl in the credentials file), but there is no supported way to set it without gymnastics, and login hardcodes apiUrl = api.deeplake.ai and dials Activeloop. This turns the workaround into one command.

Details

  • internalToDisk / saveCredentials now take an optional apiUrl (defaulting to the canonical endpoint, so every existing caller and the device/headless login paths are unchanged).
  • New docs library/knowledge/public/guides/self-hosting.md: run pg_deeplake (quay.io/activeloopai/pg-deeplake:18), point honeycomb via --endpoint https://... (HTTP gateway) or --endpoint postgres://... (direct, with feat(storage): PgDeepLakeTransport — direct self-hosted Postgres (pg_deeplake) backend #130), and the backend contract a self-hoster must honor (workspace = Postgres schema + search_path; raw error text, never JSON-wrapped).

Open question

The auth plane (login device flow, org / workspace switch) still calls api.deeplake.ai outside this direct-write path. This PR's --endpoint branch is what lets a self-hoster avoid it. Whether "local-stub-token login" should be a first-class supported mode vs. an escape hatch is a design call I would defer to you, and am happy to adjust.

Testing

tests/cli/auth.test.ts: flag parsing (--flag value and --flag=value), the minted-token path (org local, workspace default, a token that round-trips verifyTokenClaims), explicit --token with a postgres:// endpoint, 0600 file mode, proof that no api.deeplake.ai call is made (a throwing fake fetch), and that the token is never printed. npm run typecheck, npm run dup, and the auth suite are green.

Context

Validated end to end against a real self-hosted pg_deeplake before submitting. Pairs with #130 (the direct Postgres transport) but is independent.

Summary by CodeRabbit

  • New Features

    • Added self-hosting support for the storage backend using a self-managed Postgres-based option, with CLI login via --endpoint plus optional --org and --workspace.
    • Updated login to support endpoint-based flows without device/headless steps.
  • Documentation

    • Added a self-hosting guide (including backend contract details and verification steps) and updated the README with self-hosting notes and honeycomb login examples.
  • Bug Fixes

    • Credentials are now stored for a custom backend URL, and the login output no longer reveals tokens (including stricter handling of empty --endpoint / empty token).

…ackend

Add one supported command to point honeycomb at a self-hosted storage
backend instead of env-var or hand-edit gymnastics, and without dialing
api.deeplake.ai:

  honeycomb login --endpoint <url> [--token <tok>] [--org <o>] [--workspace <w>]

When --endpoint is present, login skips the device flow and the GET /me
validation entirely and writes the shared ~/.deeplake/credentials.json
(0600) directly with apiUrl set to the supplied endpoint, the org (default
local), and the workspace (default default). The endpoint may be an HTTP
gateway URL or a postgres:// URL for the direct Postgres transport.

If --token is omitted (and HONEYCOMB_TOKEN is unset), a local stub token is
minted via the existing encodeStubToken machinery, bound to the supplied
org and workspace, so a self-hoster needs no Activeloop token. The minted
token round-trips verifyTokenClaims, so the daemon's tenancy-integrity gate
passes for the default org. The token is never printed.

The endpoint is threaded through saveCredentials and internalToDisk as the
on-disk apiUrl instead of the previously hardcoded default; both keep their
prior default so every existing caller and the existing device and headless
login paths are unchanged. The new flags are purely additive.

Docs: add a self-hosting guide (run pg_deeplake via
quay.io/activeloopai/pg-deeplake:18; point honeycomb at it over HTTP or
direct postgres://) that bakes in the backend contract: a workspace maps to
its own Postgres schema with search_path set, and a backend must return raw
error text rather than JSON-wrapping it or schema-heal breaks. The guide and
a short README pointer also record the known limitation that login and org
switch still call api.deeplake.ai unless this direct-write path is used, as
an open question for the maintainer.

Tests cover flag parsing, the minted-token path (org local, workspace
default, verifiable token), an explicit token with a postgres:// endpoint,
the 0600 file mode, and that no api.deeplake.ai call is made and the token is
never printed.
github-actions Bot commented Jun 26, 2026

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

coderabbitai Bot commented Jun 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 163d4dba-bfe5-4012-9987-3afab549ee03

📥 Commits

Reviewing files that changed from the base of the PR and between f8eeadf and 0fbc8f2.

📒 Files selected for processing (3)
  • library/knowledge/public/guides/self-hosting.md
  • src/cli/auth.ts
  • tests/cli/auth.test.ts
🚧 Files skipped from review as they are similar to previous changes (3)
  • library/knowledge/public/guides/self-hosting.md
  • tests/cli/auth.test.ts
  • src/cli/auth.ts

📝 Walkthrough

The PR adds self-hosting documentation for Honeycomb storage, extends honeycomb login with --endpoint plus optional org/workspace/token values, and persists the selected endpoint in saved credentials.

Changes

Self-hosted backend support

| Layer / File(s) | Summary |
| --- | --- |
| Documentation updates (README.md, library/knowledge/public/guides/self-hosting.md) | Adds self-hosting notes, pg_deeplake setup, honeycomb login --endpoint usage, backend contract requirements, and verification commands. |
| Credential apiUrl override (src/daemon/runtime/auth/credentials-store.ts) | saveCredentials now accepts an optional apiUrl and writes that value through to the persisted credentials record. |
| Self-hosted login flow (src/cli/auth.ts) | The auth CLI parses --endpoint/--org/--workspace, branches to loginSelfHosted for endpoint logins, and updates the usage text. |
| Self-hosted login tests (tests/cli/auth.test.ts) | Adds tests for parsing, credential writing, token handling, stdout, file mode, and empty --endpoint rejection. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • legioncodeinc/honeycomb#38 — Shares the auth parsing and shared-credentials flow that this PR extends with endpoint-backed login and apiUrl persistence.

Suggested reviewers

  • thenotoriousllama

Poem

I hopped through tunnels, quick and bright,
to store new creds in self-hosted light.
With --endpoint set, I found my way,
and tucked my token out of sight.
🐰 The burrow keeps its secrets tight.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly matches the main change: adding login --endpoint support for self-hosted backends without Activeloop. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
@chrisl10

recheck

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@library/knowledge/public/guides/self-hosting.md`:
- Around line 48-58: Clarify the transport selection rule in the self-hosting
guide because the current wording is inconsistent about `postgresql://` URLs.
Update the transport explanation near the `honeycomb login --endpoint` example
so it explicitly says both `postgres://` and `postgresql://` use the direct
Postgres transport, and that only endpoints not starting with either prefix use
the HTTP transport.

In `@src/cli/auth.ts`:
- Around line 136-147: The `parseArgs` handling in `src/cli/auth.ts` for
`--endpoint` is treating missing or empty values as if no endpoint was provided,
which later lets the login flow fall back to the hosted path. Update the
argument parsing around the `--endpoint` branch so malformed forms like a bare
flag or `--endpoint=` are rejected with a usage error instead of populating
`flags.endpoint` with an empty value, and make the login decision near the
`auth` flow respect that validation rather than defaulting to hosted login when
`endpoint` is empty.
- Line 286: The success message in the auth flow is printing the raw endpoint
from the login command, which can expose credentials for postgres DSNs. Update
the logging in the auth success path to redact any URL userinfo before
interpolating the endpoint, or remove the endpoint entirely from the message;
use the existing output around the login confirmation in auth.ts to keep the Org
and workspace text while avoiding leaking secrets.
- Around line 267-268: The token selection in auth login is treating empty
values as valid credentials because it uses nullish coalescing, so empty --token
or HONEYCOMB_TOKEN inputs get persisted and reported as success. Update the
token resolution logic in the auth flow around the inv.token /
deps.env.HONEYCOMB_TOKEN fallback to treat empty strings as absent, and fall
back to encodeStubToken(...) when the provided token is blank. Keep the fix
localized to the login path so the credential file is only written with a real
token or the generated stub token.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 38e98393-f8e8-46d7-9b63-f86da33e16d5

📥 Commits

Reviewing files that changed from the base of the PR and between 0cd392b and f8eeadf.

📒 Files selected for processing (5)
  • README.md
  • library/knowledge/public/guides/self-hosting.md
  • src/cli/auth.ts
  • src/daemon/runtime/auth/credentials-store.ts
  • tests/cli/auth.test.ts

Comment thread library/knowledge/public/guides/self-hosting.md Outdated
Comment thread src/cli/auth.ts
Comment thread src/cli/auth.ts Outdated
Comment thread src/cli/auth.ts
out(`error: login failed: ${reason}`);
return { exitCode: 1, wrote: false };
}
out(`Logged in to self-hosted backend ${endpoint}. Org ${org}, workspace ${workspace}.`);

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Redact credentials before echoing the endpoint.

Line 286 prints endpoint verbatim. This command explicitly accepts postgres:// DSNs, so postgres://user:password@host/db would leak the database password into terminal history and CI logs. Please redact URL userinfo or omit the raw endpoint from the success message.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/cli/auth.ts` at line 286, The success message in the auth flow is
printing the raw endpoint from the login command, which can expose credentials
for postgres DSNs. Update the logging in the auth success path to redact any URL
userinfo before interpolating the endpoint, or remove the endpoint entirely from
the message; use the existing output around the login confirmation in auth.ts to
keep the Org and workspace text while avoiding leaking secrets.
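
One way to do the redaction this review comment asks for, as an added example that is not code from this PR or the honeycomb repository; `redactEndpoint` and `SECRET_PARAMS` are hypothetical names. It goes beyond URL userinfo by also masking the `password` and `sslpassword` query keywords that libpq connection URIs accept, and it refuses to echo input it cannot parse.

```typescript
// Added example: hypothetical helper, not taken from src/cli/auth.ts.
// Produces a display-safe form of an endpoint for log and success messages.

// libpq connection-URI query keywords whose values are secrets.
const SECRET_PARAMS = new Set(["password", "sslpassword"]);

function redactEndpoint(endpoint: string): string {
  let u: URL;
  try {
    u = new URL(endpoint);
  } catch {
    // Input that does not parse as a URL (for example a keyword/value DSN)
    // may still carry a secret, so it is never echoed back.
    return "<unparseable endpoint>";
  }

  // Userinfo is masked as a whole: the user name is dropped with the password.
  const hadUserinfo = u.username !== "" || u.password !== "";

  // Mask secret-bearing query parameters; leave the query untouched otherwise.
  const params = new URLSearchParams(u.search);
  let touched = false;
  for (const key of Array.from(params.keys())) {
    if (SECRET_PARAMS.has(key.toLowerCase())) {
      params.set(key, "***");
      touched = true;
    }
  }
  const query = touched ? `?${params.toString()}` : u.search;

  // Rebuilt from parsed components; the fragment is intentionally dropped.
  return `${u.protocol}//${hadUserinfo ? "***@" : ""}${u.host}${u.pathname}${query}`;
}
```

The success message would interpolate the helper's return value in place of the raw endpoint, while the unredacted value is still what gets written to the 0600 credentials file.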

Addresses CodeRabbit review on legioncodeinc#131:
- A value-less --endpoint (bare flag or --endpoint=) now errors instead of
  silently falling back to hosted login (which could dial api.deeplake.ai).
- Empty --token / HONEYCOMB_TOKEN= are treated as absent, so a stub token is
  minted rather than persisting a broken empty bearer.
- Clarify the transport-selection wording for postgresql:// in the guide.
Adds tests for both new guards.