refactor(config): centralize silent credential clear for logout and MCP

leggetter · leggetter · commit 310146ba8095 · 2026-04-01T12:15:04.000+01:00
- Rename ClearMCPProfileCredentials to ClearActiveProfileCredentials; document disk vs memory paths
- Logout uses the same helper as MCP reauth; zeroProfileCredentialFields helper
- RemoveAllProfiles clears in-memory credential fields after wiping the file (parity with logout -a)
- Rename config test to match new API

Made-with: Cursor
diff --git a/pkg/config/clear_active_profile_credentials_test.go b/pkg/config/clear_active_profile_credentials_test.go
@@ -7,13 +7,13 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestClearMCPProfileCredentials_MemoryOnly(t *testing.T) {
+func TestClearActiveProfileCredentials_MemoryOnly(t *testing.T) {
 	c := &Config{}
 	c.Profile.APIKey = "sk_test_123456789012"
 	c.Profile.ProjectId = "proj_1"
 	c.Profile.ProjectMode = "inbound"
 	c.Profile.ProjectType = ProjectTypeGateway
-	require.NoError(t, c.ClearMCPProfileCredentials())
+	require.NoError(t, c.ClearActiveProfileCredentials())
 	assert.Empty(t, c.Profile.APIKey)
 	assert.Empty(t, c.Profile.ProjectId)
 }
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -293,7 +293,13 @@ func (c *Config) RemoveAllProfiles() error {
 	runtimeViper.SetConfigType("toml")
 	runtimeViper.SetConfigFile(c.viper.ConfigFileUsed())
 	c.viper = runtimeViper
-	return c.writeConfig()
+	if err := c.writeConfig(); err != nil {
+		return err
+	}
+	// Match single-profile logout: clear credential fields in memory so a long-lived
+	// process does not keep using stale keys after the file was wiped.
+	zeroProfileCredentialFields(&c.Profile)
+	return nil
 }
 
 func (c *Config) writeConfig() error {
@@ -359,32 +365,41 @@ func (c *Config) SetTelemetryDisabled(disabled bool) error {
 	return c.writeConfig()
 }
 
-// ClearMCPProfileCredentials clears the active profile API key and project fields for an MCP
-// reauth flow. When viper is initialized (normal CLI config), the profile block is removed
-// from disk; otherwise only in-memory fields are cleared (e.g. tests).
-func (c *Config) ClearMCPProfileCredentials() error {
+// ClearActiveProfileCredentials removes stored credentials for the active profile without
+// printing.
+//
+// Two paths:
+//   - Persisted config (viper set): removes the active profile section from the config file
+//     (same as RemoveProfile) and clears api_key / project_* / guest_url on the in-memory
+//     Profile. This is what the real CLI and MCP server use after InitConfig.
+//   - No viper (e.g. some tests): only clears those Profile fields in memory; nothing is
+//     written to disk.
+//
+// MCP reauth uses the persisted path in production. The shared *hookdeck.Client is also
+// cleared separately in the MCP handler so API calls stop using the old key immediately.
+func (c *Config) ClearActiveProfileCredentials() error {
 	if c == nil || c.Profile.APIKey == "" {
 		return nil
 	}
 	if c.viper == nil {
-		c.Profile.APIKey = ""
-		c.Profile.ProjectId = ""
-		c.Profile.ProjectMode = ""
-		c.Profile.ProjectType = ""
-		c.Profile.GuestURL = ""
+		zeroProfileCredentialFields(&c.Profile)
 		return nil
 	}
 	if err := c.Profile.RemoveProfile(); err != nil {
 		return err
 	}
-	c.Profile.APIKey = ""
-	c.Profile.ProjectId = ""
-	c.Profile.ProjectMode = ""
-	c.Profile.ProjectType = ""
-	c.Profile.GuestURL = ""
+	zeroProfileCredentialFields(&c.Profile)
 	return nil
 }
 
+func zeroProfileCredentialFields(p *Profile) {
+	p.APIKey = ""
+	p.ProjectId = ""
+	p.ProjectMode = ""
+	p.ProjectType = ""
+	p.GuestURL = ""
+}
+
 // getConfigPath returns the path for the config file.
 // Precedence:
 // - path (if path is provided, e.g. from --hookdeck-config flag)
diff --git a/pkg/gateway/mcp/tool_login.go b/pkg/gateway/mcp/tool_login.go
@@ -58,7 +58,7 @@ func handleLogin(client *hookdeck.Client, cfg *config.Config) mcpsdk.ToolHandler
 					), nil
 				}
 			}
-			if err := cfg.ClearMCPProfileCredentials(); err != nil {
+			if err := cfg.ClearActiveProfileCredentials(); err != nil {
 				return ErrorResult(fmt.Sprintf("reauth: could not clear stored credentials: %v", err)), nil
 			}
 			client.APIKey = ""
diff --git a/pkg/logout/logout.go b/pkg/logout/logout.go
@@ -18,7 +18,7 @@ func Logout(config *config.Config) error {
 	fmt.Println("Logging out...")
 
 	profileName := config.Profile.Name
-	if err := config.Profile.RemoveProfile(); err != nil {
+	if err := config.ClearActiveProfileCredentials(); err != nil {
 		return err
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ func handleLogin(client hookdeck.Client, cfg config.Config) mcpsdk.ToolHandler`
`58`	`58`	`), nil`
`59`	`59`	`}`
`60`	`60`	`}`
`61`		`- if err := cfg.ClearMCPProfileCredentials(); err != nil {`
	`61`	`+ if err := cfg.ClearActiveProfileCredentials(); err != nil {`
`62`	`62`	`return ErrorResult(fmt.Sprintf("reauth: could not clear stored credentials: %v", err)), nil`
`63`	`63`	`}`
`64`	`64`	`client.APIKey = ""`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ func Logout(config *config.Config) error {`
`18`	`18`	`fmt.Println("Logging out...")`
`19`	`19`
`20`	`20`	`profileName := config.Profile.Name`
`21`		`- if err := config.Profile.RemoveProfile(); err != nil {`
	`21`	`+ if err := config.ClearActiveProfileCredentials(); err != nil {`
`22`	`22`	`return err`
`23`	`23`	`}`
`24`	`24`