From 90950b2e802a1f781ca2921fef236b134374f6af Mon Sep 17 00:00:00 2001
From: Maxime Lamothe-Brassard
Date: Sun, 29 Mar 2026 15:15:03 -0700
Subject: [PATCH] fix: require OID when using --check-perm in auth whoami

Checking a specific permission without an OID is ambiguous and can return misleading results. Fail early with a clear error message telling the user to specify --oid or set LC_OID.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 limacharlie/commands/auth.py | 5 +++++
 tests/unit/test_cli_commands.py | 11 +++++++++++
 2 files changed, 16 insertions(+)

diff --git a/limacharlie/commands/auth.py b/limacharlie/commands/auth.py
index 2a97ada1..405e5544 100644
--- a/limacharlie/commands/auth.py
+++ b/limacharlie/commands/auth.py
@@ -270,6 +270,11 @@ def logout(ctx: click.Context, environment: str | None) -> None:
 @pass_context
 def whoami(ctx: click.Context, show_perms: bool, check_perm: str | None) -> None:
 client = _get_client(ctx)
+ # --check-perm requires a real OID — fail early before the fallback.
+ if check_perm is not None and client.oid is None:
+ raise click.UsageError(
+ "--check-perm requires an OID to be specified (use --oid or set the LC_OID environment variable)"
+ )
 # whoami works without a specific org — fall back to "-" if no OID resolved.
 if client.oid is None:
 client = _get_client(ctx, oid_override="-")
diff --git a/tests/unit/test_cli_commands.py b/tests/unit/test_cli_commands.py
index c97c277f..96adea2b 100644
--- a/tests/unit/test_cli_commands.py
+++ b/tests/unit/test_cli_commands.py
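Review bot: The new guard in `whoami` (limacharlie/commands/auth.py) rejects only `client.oid is None`, so a caller who passes the placeholder explicitly, e.g. `--oid -` (the same value the fallback below supplies as `oid_override="-"`), would presumably still reach the permission check and get the ambiguous answer this commit is meant to prevent. Because scripts may gate actions on the `has_perm` result, a misleading answer here is an authorization-relevant failure rather than a cosmetic one. Consider tightening the condition to `if check_perm is not None and client.oid in (None, "-"):`, after confirming how `_get_client` resolves an empty `LC_OID`. The body of `whoami` continues outside the hunk, so a later branch may already cover this case.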
@@ -266,6 +266,17 @@ def test_whoami_check_perm_in_user_perms(self, mock_org_cls, mock_client_cls):
 parsed = json.loads(result.output)
 assert parsed["has_perm"] is True
 
+ @patch("limacharlie.commands.auth.Client")
+ def test_whoami_check_perm_requires_oid(self, mock_client_cls):
+ mock_client = MagicMock()
+ mock_client.oid = None
+ mock_client_cls.return_value = mock_client
+
+ runner = CliRunner()
+ result = runner.invoke(cli, ["--output", "json", "auth", "whoami", "--check-perm", "ai_agent.operate"])
+ assert result.exit_code != 0
+ assert "--check-perm requires an OID" in result.output
+
 @patch("limacharlie.commands.auth.Client")
 def test_auth_test_success(self, mock_client_cls):
 mock_client = MagicMock()
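Review bot: `assert result.exit_code != 0` in `test_whoami_check_perm_requires_oid` also passes when the command dies from an unhandled exception, so on its own it does not pin the usage-error path. Click exits with status 2 for a `UsageError`, so `assert result.exit_code == 2` would be the tighter check. The test covers only the unresolved-OID case; a sibling case with the mocked client's `oid` set to `"-"` would document whether an explicit placeholder OID is meant to be accepted. The enclosing test class starts outside the hunk.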