- M7: ResolveToken accepts the token via the HF_TOKEN env var (so it need
not appear in argv, where it's visible in ps/shell history); the HTTP
client refuses to send a token / API key over plaintext http:// to a
non-loopback host (use https://). Loopback http is still allowed for
local dev.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
passmgr.GetToken returns an api-key in padded-cell mode (provisioned by
scripts/provision-hf-accounts.sh via 'hf user reset-apikey'), but every
call site funneled that through client.New which sent it as a
'Authorization: Bearer <hex>'. The HF backend's HTTPBearer middleware
expects JWT shape there and rejects hex strings as 'Could not validate
credentials'. The d2b83ad backend fix added a Bearer-fallback that tries
the value as an api-key, which masked the issue against current prod;
older backends or any future change in that fallback still 401.
Two changes:
- client.New auto-detects shape: 'eyJ'-prefix + two dots == JWT (Bearer),
anything else == api-key (X-API-Key). Empty token sets neither header.
- internal/help/surface.go's loadPermissionState (called by hf --help
introspection) switches to client.NewWithAPIKey explicitly so the
command-discovery path doesn't depend on the heuristic at all. When
that path failed silently (Known:false), agents would see only the
always-permitted commands ('user.*', 'agent.status', 'config',
'health', 'version') and conclude they had no project permission.
Adds internal/client/client_test.go covering both header paths plus
empty-token, isLikelyJWT cases, and NewWithAPIKey precedence.
Verified end-to-end in sim against a rebuilt hf-backend matching prod
(commit d2b83ad): cli with --token <api-key> sends X-Api-Key header,
backend returns 200 on /projects + /auth/me/permissions.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- config: resolve binary dir, load/save .hf-config.json
- mode: detect padded-cell vs manual mode via pass_mgr
- client: HTTP client wrapper with auth header support
- passmgr: pass_mgr integration (get-secret, set, generate)
- output: human-readable + JSON output formatting with tables
- help: help and help-brief renderer for groups/commands
- commands: version, health, config (--url, --acc-mgr-token, show)
- auth: token resolution helper (padded-cell auto / manual explicit)
- main: command dispatcher with --json global flag support
- README: updated with current package layout and status
