docs(skills): correct databases-run token claims (E2E-verified)#191
Merged
Conversation
…tion) E2E testing against the live API revealed my earlier "fix" was wrong. The token minted by `databases run` decodes to: source: database_token, permissions: [read, write], workspaces: [<ws>], database: <db> and in practice performs reads, create-database, create-index, delete-database, and uploads with zero 403s. The `database_api_token` + "create databases / run queries / upload data only" allow-list in sdk.rs/databases.rs refers to a *different* credential (a database-scoped API key), which I incorrectly conflated into this section. The original wording was accurate; restore it (with a small env-pickup note). Validated E2E: auth/workspaces/connections/databases/tables/indexes/ embedding-providers/results/queries/jobs/usage/context/search/query (+status exit codes 0/1/2) and the full create→load→query→index→search→run lifecycle all behave as the skills document. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Documentation correction verified against the code: database_session.rs:6 documents the minted JWT as carrying "workspace + database read/write scope," matching the corrected permissions:["read","write"] wording, and the codebase treats database_api_token as a distinct credential (databases.rs:1006-1011, auth.rs) — confirming the prior wording conflated two different tokens. The fix makes the docs accurate.
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Corrects the
databases runtoken description inhotdata/SKILL.md. A follow-up to #186, prompted by end-to-end testing against the live API.In #186 I changed this line to claim the minted credential is a
database_api_tokenrestricted to "create databases, run queries, and upload data," with workspace-level operations returning403. E2E testing proved that wrong.What the E2E test found
Decoding the JWT actually minted by
databases run:{ "permissions": ["read", "write"], "source": "database_token", "workspaces": ["work…"], "database": "dbid…", "scope": "permission:read_write workspace:… database:…" }Running a full permission matrix with this token in isolation (empty config dir, token only) produced zero 403s — it can list databases/workspaces/connections/usage/queries/indexes/tables, create databases, create indexes, delete databases, and upload data.
The
database_api_token+ create/query/upload allow-list insdk.rs/databases.rsrefers to a different credential (a database-scoped API key), which I incorrectly conflated into this section. The original wording (source:"database_token",permissions:["read","write"]) was accurate.Fix
Restore the accurate JWT-claims description (verified against the decoded live token) and add a note that the child picks up the token from
HOTDATA_DATABASE_TOKEN.Broader E2E validation (no other doc changes needed)
Ran the real CLI against
api.hotdata.devacross every documented command and the full managed-database lifecycle — all behave as the skills document:auth status,workspaces/connections/databases/tables/indexes/embedding-providers/results/queries/jobs list,usage,context list,queries <id>,results <id>queryexecute (table/json/csv),query statusexit codes0/1/2(3 on truncation is code/unit-test-backed; the live dataset didn't truncate)searchbm25 (auto-infers--type/--columnfrom a single index; returnsscore; scoped via catalog-qualified--table, no-d— matches docs)databases create --table … --expires-at→databases load --file→query→databases tables list→indexes create(sorted + bm25) →search→databases run→ cleanup🤖 Generated with Claude Code