feat(datasets): warn before public visibility and gate --yes for agents

[EoinFalconer]

Description

Makes the safety implications of public datasets clearly visible in the CLI, and prevents non-interactive callers (agents, CI) from silently flipping a dataset from private to public.

Specifically:

• datasets create interactive prompt (promptForDatasetAclMode): when the user picks "Public", emit an explicit warning that anyone on the internet can read the data and suggest "Private" for sensitive content.
• datasets create --visibility public (determineDatasetAclMode): emit the same style of warning so agents that pass the flag are warned too.
• datasets visibility set <ds> public:
  • Always emit a strong warning describing the exposure (docs + assets, anyone on the internet).
  • In an interactive terminal, prompt for confirmation (default: No).
  • In a non-interactive environment (no TTY), error out with exit 1 unless --yes / -y is provided — so agents/CI cannot accidentally leak data.
  • New --yes flag documented in help and examples.

The public → private path is intentionally unchanged — only the direction that exposes data is gated.

What to review

• packages/@sanity/cli/src/prompts/promptForDatasetAclMode.ts — new public-side warning; existing private-side note preserved.
• packages/@sanity/cli/src/actions/dataset/determineDatasetAclMode.ts — warning for explicit --visibility public.
• packages/@sanity/cli/src/commands/datasets/visibility/set.ts — new --yes flag, warning + confirmation, NonInteractiveError handling.
• packages/@sanity/cli/src/commands/datasets/visibility/__tests__/set.test.ts — new coverage for the four flows (confirm accept, confirm decline, --yes bypass, non-interactive without --yes error).

Please eyeball the warning copy — happy to tighten it if it's too verbose or too mild. Open question: should datasets create also gate with --yes for agents, or is a warning enough since no data exists yet?

Testing

• Unit: 4 new test cases in set.test.ts. Full pnpm test --changed green (134/134).
• Type check + lint clean.
• Live end-to-end against a scratch project + dataset:
  • datasets create --visibility public → warning printed ✅
  • datasets visibility set <ds> public (no TTY, no --yes) → exit 1, no API call ✅
  • datasets visibility set <ds> public --yes → warning + acknowledgement + flip ✅
  • datasets visibility set <ds> private → unchanged ✅

[claude]

Claude finished @EoinFalconer's task in 2m 13s —— View job

---

Code Review

• Gather context and read changed files
• Review changeset
• Review source changes
• Review test coverage
• Post findings

---

Issues

1. Missing tests for promptForDatasetAclMode.ts — coverage down 14.3%

There is no test file for promptForDatasetAclMode.ts, and the new warning branches (lines 28–35) aren't covered by any test. Since the PR explicitly aims for maximum coverage, this is a gap that should be closed.

packages/@sanity/cli/src/prompts/promptForDatasetAclMode.ts  85.7%  (-14.3%)

The two untested paths are:

• mode === 'public' → output.warn(...) (line 29–31)
• mode === 'private' → output.warn(...) (line 32–35)

A test file at src/prompts/__tests__/promptForDatasetAclMode.test.ts is needed. Fix this →%20mode%20%3D%3D%3D%20%27public%27%20with%20output%20provided%20-%20warn%20should%20be%20called%2C%202)%20mode%20%3D%3D%3D%20%27private%27%20with%20output%20provided%20-%20warn%20should%20be%20called%2C%203)%20output%20not%20provided%20-%20no%20warn%20call.%20Follow%20the%20testing%20rules%20in%20CLAUDE.md%20and%20mock%20select%20from%20%40sanity%2Fcli-core%2Fux%20with%20vi.mock.&repo=sanity-io/cli)

---

2. Unreachable throw error re-throw in set.ts line 125

The catch block around confirm re-throws any non-NonInteractiveError:

// set.ts lines 118–126
} catch (error) {
  if (error instanceof NonInteractiveError) {
    this.error('Refusing to change dataset to public ...', {exit: 1})
  }
  throw error  // ← unreachable in practice
}

confirm from @sanity/cli-core/ux only ever resolves with a boolean or throws NonInteractiveError. The re-throw is dead code and accounts for the 2.2% coverage gap in set.ts. Either remove it (and let any unexpected error bubble naturally from the try scope), or add a test for it. Removing is cleaner.

Fix this →

---

3. Changeset

The minor bump is appropriate for a behavior change + new flag. One note on the summary:

"Changing a dataset to public visibility now requires explicit confirmation or --yes in non-interactive environments."

This is accurate but undersells the breaking impact for existing non-interactive callers. Consider: "Non-interactive callers (CI, agents) must now pass --yes to change a dataset to public visibility; omitting it exits with an error."

---

Open question (from PR description)

Should datasets create also gate with --yes for agents?

Agreed that a warning is sufficient for datasets create — no data exists yet and the risk of accidental leakage is much lower. The current approach (warn only) is the right call.

[github-actions]

⏳ Bundle Stats — Calculating bundle sizes for @sanity/cli, @sanity/cli-core, create-sanity...

[github-actions]

Coverage Delta

File	Statements
packages/@sanity/cli/src/actions/dataset/determineDatasetAclMode.ts	100.0% (±0%)
packages/@sanity/cli/src/commands/datasets/visibility/set.ts	97.8% (- 2.2%)
packages/@sanity/cli/src/prompts/promptForDatasetAclMode.ts	85.7% (- 14.3%)

Comparing 3 changed files against main @ bc0f1d3cedd5a19c85da511517ac552a4d21f94c

Overall Coverage

Metric	Coverage
Statements	84.1% (±0%)
Branches	74.0% (±0%)
Functions	84.0% (±0%)
Lines	84.5% (+ 0.0%)