Conversation
Add `nylas dashboard` command group for authenticating with the Nylas Dashboard and managing applications via the API gateway. Auth flows: - Email/password registration with email verification - Email/password login with MFA support - SSO device flow (Google, Microsoft, GitHub) - Session refresh and logout - DPoP proof-of-possession (Ed25519) on all requests Application management: - `nylas dashboard apps list` — queries both US and EU gateways - `nylas dashboard apps create` — creates apps in a specified region UX: - Interactive auth method picker (SSO first, recommended) - Direct flags for non-interactive use (--google, --email, --user, etc.) - Spinners on all network operations - User-friendly errors with hints Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- `nylas dashboard apps apikeys create` — creates API keys with interactive delivery options (activate in CLI keyring, copy to clipboard, or print) - `nylas dashboard apps apikeys list` — lists API keys for an application - `nylas dashboard apps use <app-id> --region <region>` — sets active app so --app/--region flags aren't needed on every command - `nylas dashboard status` now shows the active app - Improved GraphQL error messages to surface UAS error details from extensions - Auto-generated unique key names (CLI-<timestamp>) to avoid name conflicts Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove the "print to terminal" option from API key delivery to prevent keys from leaking in terminal scrollback, shell history, or CI logs. Replace with "save to file" which writes to a temp file with 0600 permissions. The three options are now: 1. Activate in CLI keyring (key never leaves the process) 2. Copy to clipboard (key never appears in terminal output) 3. Save to temp file (restrictive permissions, user deletes after) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Email/password registration is disabled for the CLI. Users must use SSO (Google, Microsoft, or GitHub) to register. Login via email/password remains available. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduce a guided onboarding experience for new CLI users. Running
`nylas` with no args now detects first-run state and shows a welcome
message pointing to `nylas init`. The wizard walks through four steps:
1. Account — register or login via SSO, or paste an existing API key
2. Application — auto-create or select from existing apps
3. API Key — generate and activate into the keyring
4. Grants — sync existing email accounts from the Nylas API
Key design decisions:
- Re-entrant: running `nylas init` again skips completed steps
- Non-interactive: `nylas init --api-key <key>` for CI/scripts
- Graceful recovery: each step prints manual commands on failure
- Shared grant sync: extracted from auth/config.go for reuse
New files: internal/cli/setup/ (detect, wizard, grants, helpers, tests)
internal/cli/dashboard/exports.go (exported service wrappers)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
AaronDDM
changed the title
Adds the full Dashboard section covering account management (register, login, SSO), application management (list, create, set active), and API key management (list, create with delivery options). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds a global reset subcommand under `nylas config` that clears all stored data (API credentials, dashboard session, grants, config file) with a confirmation prompt. This ensures `IsFirstRun()` returns true afterward so first-time setup guidance is shown. Individual resets (`nylas auth config --reset`, `nylas dashboard logout`) remain unchanged and scoped to their own domains. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the plain-text welcome message with a visually polished first-run experience using Unicode box-drawing characters, color hierarchy, and a capabilities overview. No new dependencies. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…quests DPoP proofs are bound to the request URL via the htu claim. When the server redirects (e.g., staging → production), Go's http.Client silently follows the redirect but the DPoP proof still contains the original URL, causing "Invalid DPoP htu" errors on the destination server. Fix by disabling automatic redirect following and returning a clear error message when a redirect is received. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. Wizard reports success on failure: steps 2 (application) and 3 (API key) now return errors instead of silently continuing to "Setup complete". 2. SSO flow ignores --org flag: orgPublicID is now threaded through runSSO → pollSSO → SSOPoll and CompleteMFA so multi-org users can target the correct organization. 3. Dashboard logout leaves stale app selection: clearTokens() now also deletes dashboard_app_id and dashboard_app_region to prevent reusing a previous account's app context after re-login. 4. Wizard default grant not persisted to config.yaml: the user's grant selection is now written back to result.DefaultGrantID so updateConfigGrants persists it correctly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Client secret was printed via fmt.Printf on app creation, leaking it to terminal scrollback, CI logs, and screen captures. Apply the same secure delivery pattern used for API keys: clipboard or temp file with 0600 permissions. The secret is never written to stdout. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace all numbered-menu prompts with huh Select widgets that support arrow-key navigation, and replace raw readLine/readPassword calls with huh Input/Password fields. Converted prompts: - Account path selection (wizard) - SSO provider selection (wizard + dashboard) - Application selection (wizard) - Region selection (wizard) - Auth method selection (dashboard login/register) - Organization selection (dashboard) - API key delivery (dashboard) - Client secret delivery (dashboard) - Default grant selection (setup) - Privacy policy confirmation (dashboard) - Email/password/MFA inputs (dashboard login) New shared helpers in common/prompt.go: - Select[T]() — generic arrow-key select menu - ConfirmPrompt() — yes/no with arrow keys - InputPrompt() — text input with placeholder - PasswordPrompt() — masked input All prompts fall back gracefully in non-TTY environments. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The Long description duplicated every subcommand above Cobra's auto-generated Available Commands list. Replace with a 4-line quick start guide and let Cobra handle the command listing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Shows a compact "Nylas - CLI" banner in box-drawing characters when running `nylas` with no args. Only renders on the root command, not on subcommand help. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Create a consistent visual identity across all CLI prompts using a custom huh theme with the Nylas brand color palette: - Primary (Cyan #00BCD4): titles, selectors, cursors, active buttons - Success (Green #4CAF50): selected options, checkmarks - Warning (Amber #FFC107): caution messages - Error (Red #F44336): error indicators - Muted (Gray #6B7280): descriptions, placeholders, navigation hints The theme is applied to all Select, Confirm, Input, and Password prompts via the shared helpers in common/prompt.go. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the formal box-drawing ASCII art with a more casual ANSI shadow block style for the help header. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The ASCII art and welcome screen were using hardcoded fatih/color Cyan instead of the theme's ColorPrimary. Add a lipgloss Brand style derived from ColorPrimary and use it for all branded elements so changing the theme color in one place updates everything. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
nylas initwizard: Guided first-time setup that takes a new user from zero to working CLI in one command — account creation, app setup, API key generation, and grant syncnylas config reset: Full CLI reset (credentials, dashboard session, grants, config) with confirmation promptFirst-Run Welcome Screen
When a new user runs
nylaswith no configuration, they see this:With terminal colors:
◈ N Y L A S C L Iin bold cyan, box borders dim, capability names cyan,❯ nylas initbold cyan, secondary options dim. No new dependencies — uses existingfatih/color+ Unicode box-drawing characters.To test:
nylas config reset --force && nylasnylas init— First-Time User ExperienceThe wizard walks through 4 steps:
Key design decisions:
nylas initagain skips completed stepsnylas init --api-key <key>for CI/scriptsnylas config resetFull CLI reset that clears all stored state:
Requires confirmation by default,
--forceto skip. Individual resets (nylas auth config --reset,nylas dashboard logout) remain scoped to their own domains.Bug Fixes
--org:orgPublicIDis now threaded through the full SSO flow (poll + MFA) so multi-org users can target the correct organizationclearTokens()now also clearsdashboard_app_idanddashboard_app_regionto prevent reusing a previous account's app contextconfig.yaml(was only written to keyring)htumismatch errors when staging URLs redirect to productionNew Files
internal/cli/setup/setup.gonylas initCobra commandinternal/cli/setup/wizard.gointernal/cli/setup/wizard_helpers.gointernal/cli/setup/detect.goIsFirstRun()andGetSetupStatus()internal/cli/setup/grants.goSyncGrants()(extracted from auth/config)internal/cli/setup/setup_test.gointernal/cli/dashboard/exports.gointernal/cli/config/reset.gonylas config resetcommandinternal/cli/config/reset_test.gointernal/app/auth/config_test.goResetConfigscopeTest plan
go build ./...compilesgo vet ./...passesgo test ./internal/cli/setup/...)go test ./internal/cli/config/...)go test ./internal/app/auth/...)make test-unit)golangci-lint run)make security)nylas config reset --force && nylasshows new welcomenylas initinteractive wizard with SSOnylas init --api-key <key>non-interactivenylas initre-run skips completed stepsnylas dashboard login --google --org <org>targets correct orgnylas dashboard logoutclears app selection🤖 Generated with Claude Code