skyvern/cli/credentials.py

"""Credential management CLI commands.

Provides `skyvern credentials add/list/get/delete` for managing stored
credentials. Passwords and secrets are collected via getpass (stdin) so they
never appear in shell history or LLM conversation logs.
"""

from __future__ import annotations

import os

import typer
from dotenv import load_dotenv
from rich.table import Table

from skyvern.client import Skyvern
from skyvern.client.types.non_empty_credit_card_credential import NonEmptyCreditCardCredential
from skyvern.client.types.non_empty_password_credential import NonEmptyPasswordCredential
from skyvern.client.types.secret_credential import SecretCredential
from skyvern.config import settings
from skyvern.utils.env_paths import resolve_backend_env_path

from .console import console

credentials_app = typer.Typer(
    help="Manage stored credentials for secure login. Use `credential` commands for MCP-parity list/get/delete."
)


@credentials_app.callback()
def credentials_callback(
    ctx: typer.Context,
    api_key: str | None = typer.Option(
        None,
        "--api-key",
        help="Skyvern API key",
        envvar="SKYVERN_API_KEY",
    ),
) -> None:
    """Store API key in Typer context."""
    ctx.obj = {"api_key": api_key}


def _get_client(api_key: str | None = None) -> Skyvern:
    """Instantiate a Skyvern SDK client using environment variables."""
    load_dotenv(resolve_backend_env_path())
    key = api_key or os.getenv("SKYVERN_API_KEY") or settings.SKYVERN_API_KEY
    return Skyvern(base_url=settings.SKYVERN_BASE_URL, api_key=key)


@credentials_app.command("add")
def add_credential(
    ctx: typer.Context,
    name: str = typer.Option(..., "--name", "-n", help="Human-readable credential name"),
    credential_type: str = typer.Option(
        "password",
        "--type",
        "-t",
        help="Credential type: password, credit_card, or secret",
    ),
    username: str | None = typer.Option(None, "--username", "-u", help="Username (for password type)"),
) -> None:
    """Create a credential with secrets entered securely via stdin."""
    valid_types = ("password", "credit_card", "secret")
    if credential_type not in valid_types:
        console.print(f"[red]Invalid credential type: {credential_type}. Use one of: {', '.join(valid_types)}[/red]")
        raise typer.Exit(code=1)

    client = _get_client(ctx.obj.get("api_key") if ctx.obj else None)

    if credential_type == "password":
        if not username:
            username = typer.prompt("Username")
        password = typer.prompt("Password", hide_input=True)
        if not password:
            console.print("[red]Password cannot be empty.[/red]")
            raise typer.Exit(code=1)
        totp = typer.prompt("TOTP secret (leave blank to skip)", default="", hide_input=True)
        credential = NonEmptyPasswordCredential(
            username=username,
            password=password,
            totp=totp if totp else None,
        )

    elif credential_type == "credit_card":
        card_number = typer.prompt("Card number", hide_input=True)
        if not card_number:
            console.print("[red]Card number cannot be empty.[/red]")
            raise typer.Exit(code=1)
        cvv = typer.prompt("CVV", hide_input=True)
        if not cvv:
            console.print("[red]CVV cannot be empty.[/red]")
            raise typer.Exit(code=1)
        exp_month = typer.prompt("Expiration month (MM)")
        exp_year = typer.prompt("Expiration year (YYYY)")
        brand = typer.prompt("Card brand (e.g. visa, mastercard)")
        holder_name = typer.prompt("Cardholder name")
        credential = NonEmptyCreditCardCredential(
            card_number=card_number,
            card_cvv=cvv,
            card_exp_month=exp_month,
            card_exp_year=exp_year,
            card_brand=brand,
            card_holder_name=holder_name,
        )

    else:
        secret_value = typer.prompt("Secret value", hide_input=True)
        if not secret_value:
            console.print("[red]Secret value cannot be empty.[/red]")
            raise typer.Exit(code=1)
        secret_label = typer.prompt("Secret label (leave blank to skip)", default="")
        credential = SecretCredential(
            secret_value=secret_value,
            secret_label=secret_label if secret_label else None,
        )

    try:
        result = client.create_credential(
            name=name,
            credential_type=credential_type,
            credential=credential,
        )
    except Exception as e:
        console.print(f"[red]Failed to create credential: {e}[/red]")
        raise typer.Exit(code=1)

    console.print(f"[green]Created credential:[/green] {result.credential_id}")


@credentials_app.command("list")
def list_credentials(
    ctx: typer.Context,
    page: int = typer.Option(1, "--page", help="Page number"),
    page_size: int = typer.Option(10, "--page-size", help="Results per page"),
) -> None:
    """List stored credentials (metadata only, never passwords)."""
    client = _get_client(ctx.obj.get("api_key") if ctx.obj else None)

    try:
        credentials = client.get_credentials(page=page, page_size=page_size)
    except Exception as e:
        console.print(f"[red]Failed to list credentials: {e}[/red]")
        raise typer.Exit(code=1)

    if not credentials:
        console.print("No credentials found.")
        return

    table = Table(title="Credentials")
    table.add_column("ID", style="cyan")
    table.add_column("Name", style="green")
    table.add_column("Type")
    table.add_column("Details")

    for cred in credentials:
        details = ""
        c = cred.credential
        if hasattr(c, "username"):
            details = f"username={c.username}"
        elif hasattr(c, "last_four"):
            details = f"****{c.last_four} ({c.brand})"
        elif hasattr(c, "secret_label") and c.secret_label:
            details = f"label={c.secret_label}"
        table.add_row(cred.credential_id, cred.name, str(cred.credential_type), details)

    console.print(table)


@credentials_app.command("get")
def get_credential(
    ctx: typer.Context,
    credential_id: str = typer.Argument(..., help="Credential ID (starts with cred_)"),
) -> None:
    """Show metadata for a single credential."""
    client = _get_client(ctx.obj.get("api_key") if ctx.obj else None)

    try:
        cred = client.get_credential(credential_id)
    except Exception as e:
        console.print(f"[red]Failed to get credential: {e}[/red]")
        raise typer.Exit(code=1)

    table = Table(title=f"Credential: {cred.name}")
    table.add_column("Field", style="cyan")
    table.add_column("Value")

    table.add_row("ID", cred.credential_id)
    table.add_row("Name", cred.name)
    table.add_row("Type", str(cred.credential_type))

    c = cred.credential
    if hasattr(c, "username"):
        table.add_row("Username", c.username)
        if hasattr(c, "totp_type") and c.totp_type:
            table.add_row("TOTP Type", str(c.totp_type))
    elif hasattr(c, "last_four"):
        table.add_row("Card Last Four", c.last_four)
        table.add_row("Card Brand", c.brand)
    elif hasattr(c, "secret_label") and c.secret_label:
        table.add_row("Secret Label", c.secret_label)

    console.print(table)


@credentials_app.command("delete")
def delete_credential(
    ctx: typer.Context,
    credential_id: str = typer.Argument(..., help="Credential ID to delete (starts with cred_)"),
    yes: bool = typer.Option(False, "--yes", "-y", help="Skip confirmation prompt"),
) -> None:
    """Permanently delete a stored credential."""
    if not yes:
        confirm = typer.confirm(f"Delete credential {credential_id}?")
        if not confirm:
            console.print("Aborted.")
            raise typer.Exit()

    client = _get_client(ctx.obj.get("api_key") if ctx.obj else None)

    try:
        client.delete_credential(credential_id)
    except Exception as e:
        console.print(f"[red]Failed to delete credential: {e}[/red]")
        raise typer.Exit(code=1)

    console.print(f"[green]Deleted credential:[/green] {credential_id}")
Remove setup.sh in favor of skyvern CLI (#4737) 2026-02-12 20:43:27 -08:00			`"""Credential management CLI commands.`

			Provides `skyvern credentials add/list/get/delete` for managing stored
			`credentials. Passwords and secrets are collected via getpass (stdin) so they`
			`never appear in shell history or LLM conversation logs.`
			`"""`

			`from __future__ import annotations`

			`import os`

			`import typer`
			`from dotenv import load_dotenv`
			`from rich.table import Table`

			`from skyvern.client import Skyvern`
			`from skyvern.client.types.non_empty_credit_card_credential import NonEmptyCreditCardCredential`
			`from skyvern.client.types.non_empty_password_credential import NonEmptyPasswordCredential`
			`from skyvern.client.types.secret_credential import SecretCredential`
			`from skyvern.config import settings`
			`from skyvern.utils.env_paths import resolve_backend_env_path`

			`from .console import console`

add CLI parity commands for credential, block, and browser (#4793) 2026-02-18 11:45:07 -08:00			`credentials_app = typer.Typer(`
			help="Manage stored credentials for secure login. Use `credential` commands for MCP-parity list/get/delete."
			`)`
Remove setup.sh in favor of skyvern CLI (#4737) 2026-02-12 20:43:27 -08:00

			`@credentials_app.callback()`
			`def credentials_callback(`
			`ctx: typer.Context,`
			`api_key: str \| None = typer.Option(`
			`None,`
			`"--api-key",`
			`help="Skyvern API key",`
			`envvar="SKYVERN_API_KEY",`
			`),`
			`) -> None:`
			`"""Store API key in Typer context."""`
			`ctx.obj = {"api_key": api_key}`


			`def _get_client(api_key: str \| None = None) -> Skyvern:`
			`"""Instantiate a Skyvern SDK client using environment variables."""`
			`load_dotenv(resolve_backend_env_path())`
			`key = api_key or os.getenv("SKYVERN_API_KEY") or settings.SKYVERN_API_KEY`
			`return Skyvern(base_url=settings.SKYVERN_BASE_URL, api_key=key)`


			`@credentials_app.command("add")`
			`def add_credential(`
			`ctx: typer.Context,`
			`name: str = typer.Option(..., "--name", "-n", help="Human-readable credential name"),`
			`credential_type: str = typer.Option(`
			`"password",`
			`"--type",`
			`"-t",`
			`help="Credential type: password, credit_card, or secret",`
			`),`
			`username: str \| None = typer.Option(None, "--username", "-u", help="Username (for password type)"),`
			`) -> None:`
			`"""Create a credential with secrets entered securely via stdin."""`
			`valid_types = ("password", "credit_card", "secret")`
			`if credential_type not in valid_types:`
			`console.print(f"[red]Invalid credential type: {credential_type}. Use one of: {', '.join(valid_types)}[/red]")`
			`raise typer.Exit(code=1)`

			`client = _get_client(ctx.obj.get("api_key") if ctx.obj else None)`

			`if credential_type == "password":`
			`if not username:`
			`username = typer.prompt("Username")`
			`password = typer.prompt("Password", hide_input=True)`
			`if not password:`
			`console.print("[red]Password cannot be empty.[/red]")`
			`raise typer.Exit(code=1)`
			`totp = typer.prompt("TOTP secret (leave blank to skip)", default="", hide_input=True)`
			`credential = NonEmptyPasswordCredential(`
			`username=username,`
			`password=password,`
			`totp=totp if totp else None,`
			`)`

			`elif credential_type == "credit_card":`
			`card_number = typer.prompt("Card number", hide_input=True)`
			`if not card_number:`
			`console.print("[red]Card number cannot be empty.[/red]")`
			`raise typer.Exit(code=1)`
			`cvv = typer.prompt("CVV", hide_input=True)`
			`if not cvv:`
			`console.print("[red]CVV cannot be empty.[/red]")`
			`raise typer.Exit(code=1)`
			`exp_month = typer.prompt("Expiration month (MM)")`
			`exp_year = typer.prompt("Expiration year (YYYY)")`
			`brand = typer.prompt("Card brand (e.g. visa, mastercard)")`
			`holder_name = typer.prompt("Cardholder name")`
			`credential = NonEmptyCreditCardCredential(`
			`card_number=card_number,`
			`card_cvv=cvv,`
			`card_exp_month=exp_month,`
			`card_exp_year=exp_year,`
			`card_brand=brand,`
			`card_holder_name=holder_name,`
			`)`

			`else:`
			`secret_value = typer.prompt("Secret value", hide_input=True)`
			`if not secret_value:`
			`console.print("[red]Secret value cannot be empty.[/red]")`
			`raise typer.Exit(code=1)`
			`secret_label = typer.prompt("Secret label (leave blank to skip)", default="")`
			`credential = SecretCredential(`
			`secret_value=secret_value,`
			`secret_label=secret_label if secret_label else None,`
			`)`

			`try:`
			`result = client.create_credential(`
			`name=name,`
			`credential_type=credential_type,`
			`credential=credential,`
			`)`
			`except Exception as e:`
			`console.print(f"[red]Failed to create credential: {e}[/red]")`
			`raise typer.Exit(code=1)`

			`console.print(f"[green]Created credential:[/green] {result.credential_id}")`


			`@credentials_app.command("list")`
			`def list_credentials(`
			`ctx: typer.Context,`
			`page: int = typer.Option(1, "--page", help="Page number"),`
			`page_size: int = typer.Option(10, "--page-size", help="Results per page"),`
			`) -> None:`
			`"""List stored credentials (metadata only, never passwords)."""`
			`client = _get_client(ctx.obj.get("api_key") if ctx.obj else None)`

			`try:`
			`credentials = client.get_credentials(page=page, page_size=page_size)`
			`except Exception as e:`
			`console.print(f"[red]Failed to list credentials: {e}[/red]")`
			`raise typer.Exit(code=1)`

			`if not credentials:`
			`console.print("No credentials found.")`
			`return`

			`table = Table(title="Credentials")`
			`table.add_column("ID", style="cyan")`
			`table.add_column("Name", style="green")`
			`table.add_column("Type")`
			`table.add_column("Details")`

			`for cred in credentials:`
			`details = ""`
			`c = cred.credential`
			`if hasattr(c, "username"):`
			`details = f"username={c.username}"`
			`elif hasattr(c, "last_four"):`
			`details = f"****{c.last_four} ({c.brand})"`
			`elif hasattr(c, "secret_label") and c.secret_label:`
			`details = f"label={c.secret_label}"`
			`table.add_row(cred.credential_id, cred.name, str(cred.credential_type), details)`

			`console.print(table)`


			`@credentials_app.command("get")`
			`def get_credential(`
			`ctx: typer.Context,`
			`credential_id: str = typer.Argument(..., help="Credential ID (starts with cred_)"),`
			`) -> None:`
			`"""Show metadata for a single credential."""`
			`client = _get_client(ctx.obj.get("api_key") if ctx.obj else None)`

			`try:`
			`cred = client.get_credential(credential_id)`
			`except Exception as e:`
			`console.print(f"[red]Failed to get credential: {e}[/red]")`
			`raise typer.Exit(code=1)`

			`table = Table(title=f"Credential: {cred.name}")`
			`table.add_column("Field", style="cyan")`
			`table.add_column("Value")`

			`table.add_row("ID", cred.credential_id)`
			`table.add_row("Name", cred.name)`
			`table.add_row("Type", str(cred.credential_type))`

			`c = cred.credential`
			`if hasattr(c, "username"):`
			`table.add_row("Username", c.username)`
			`if hasattr(c, "totp_type") and c.totp_type:`
			`table.add_row("TOTP Type", str(c.totp_type))`
			`elif hasattr(c, "last_four"):`
			`table.add_row("Card Last Four", c.last_four)`
			`table.add_row("Card Brand", c.brand)`
			`elif hasattr(c, "secret_label") and c.secret_label:`
			`table.add_row("Secret Label", c.secret_label)`

			`console.print(table)`


			`@credentials_app.command("delete")`
			`def delete_credential(`
			`ctx: typer.Context,`
			`credential_id: str = typer.Argument(..., help="Credential ID to delete (starts with cred_)"),`
			`yes: bool = typer.Option(False, "--yes", "-y", help="Skip confirmation prompt"),`
			`) -> None:`
			`"""Permanently delete a stored credential."""`
			`if not yes:`
			`confirm = typer.confirm(f"Delete credential {credential_id}?")`
			`if not confirm:`
			`console.print("Aborted.")`
			`raise typer.Exit()`

			`client = _get_client(ctx.obj.get("api_key") if ctx.obj else None)`

			`try:`
			`client.delete_credential(credential_id)`
			`except Exception as e:`
			`console.print(f"[red]Failed to delete credential: {e}[/red]")`
			`raise typer.Exit(code=1)`

			`console.print(f"[green]Deleted credential:[/green] {credential_id}")`