Rename Go client package from mciasgoclient to mcias

- Update package declaration in client.go - Update error message strings to reference new package name - Update test package and imports to use new name - Update README.md documentation and examples with new package name - All tests pass
2026-03-14 19:01:07 -07:00
parent 7e5fc9f111
commit 8f09e0e81a
7 changed files with 126 additions and 33 deletions
--- a/PROGRESS.md
+++ b/PROGRESS.md
@@ -4,6 +4,32 @@ Source of truth for current development state.
 ---
 All phases complete. **v1.0.0 tagged.** All packages pass `go test ./...`; `golangci-lint run ./...` clean.
 ### 2026-03-13 — Make pgcreds discoverable via CLI and UI
 **Problem:** Users had no way to discover which pgcreds were available to them or what their credential IDs were, making it functionally impossible to use the system without manual database inspection.
 **Solution:** Added two complementary discovery paths:
 **REST API:**
 - New `GET /v1/pgcreds` endpoint (requires authentication) returns all accessible credentials (owned + explicitly granted) with their IDs, host, port, database, username, and timestamps
 - Response includes `id` field so users can then fetch full credentials via `GET /v1/accounts/{id}/pgcreds`
 **CLI (`cmd/mciasctl/main.go`):**
 - New `pgcreds list` subcommand calls `GET /v1/pgcreds` and displays accessible credentials with IDs
 - Updated usage documentation to include `pgcreds list`
 **Web UI (`web/templates/pgcreds.html`):**
 - Credential ID now displayed in a `<code>` element at the top of each credential's metadata block
 - Styled with monospace font for easy copying and reference
 **Files modified:**
 - `internal/server/server.go`: Added route `GET /v1/pgcreds` (requires auth, not admin) + handler `handleListAccessiblePGCreds`
 - `cmd/mciasctl/main.go`: Added `pgCredsList` function and switch case
 - `web/templates/pgcreds.html`: Display credential ID in the credentials list
 - Struct field alignment fixed in `pgCredResponse` to pass `go vet`
 All tests pass; `go vet ./...` clean.
 ### 2026-03-12 — Update web UI and model for all compile-time roles
 - `internal/model/model.go`: added `RoleGuest`, `RoleViewer`, `RoleEditor`, and
--- a/clients/go/README.md
+++ b/clients/go/README.md
@@ -15,10 +15,10 @@ go get git.wntrmute.dev/kyle/mcias/clients/go
 ## Quick Start
 ```go
-import mciasgoclient "git.wntrmute.dev/kyle/mcias/clients/go"
+import "git.wntrmute.dev/kyle/mcias/clients/go/mcias"
 // Connect to the MCIAS server.
-client, err := mciasgoclient.New("https://auth.example.com", mciasgoclient.Options{})
+client, err := mcias.New("https://auth.example.com", mcias.Options{})
 if err != nil {
    log.Fatal(err)
 }
@@ -43,7 +43,7 @@ if err := client.Logout(); err != nil {
 ## Custom CA Certificate
 ```go
-client, err := mciasgoclient.New("https://auth.example.com", mciasgoclient.Options{
+client, err := mcias.New("https://auth.example.com", mcias.Options{
    CACertPath: "/etc/mcias/ca.pem",
 })
 ```
@@ -55,17 +55,17 @@ All methods return typed errors:
 ```go
 _, _, err := client.Login("alice", "wrongpass", "")
 switch {
-case errors.Is(err, new(mciasgoclient.MciasAuthError)):
+case errors.Is(err, new(mcias.MciasAuthError)):
    // 401 — wrong credentials or token invalid
-case errors.Is(err, new(mciasgoclient.MciasForbiddenError)):
+case errors.Is(err, new(mcias.MciasForbiddenError)):
    // 403 — insufficient role
-case errors.Is(err, new(mciasgoclient.MciasNotFoundError)):
+case errors.Is(err, new(mcias.MciasNotFoundError)):
    // 404 — resource not found
-case errors.Is(err, new(mciasgoclient.MciasInputError)):
+case errors.Is(err, new(mcias.MciasInputError)):
    // 400 — malformed request
-case errors.Is(err, new(mciasgoclient.MciasConflictError)):
+case errors.Is(err, new(mcias.MciasConflictError)):
    // 409 — conflict (e.g. duplicate username)
-case errors.Is(err, new(mciasgoclient.MciasServerError)):
+case errors.Is(err, new(mcias.MciasServerError)):
    // 5xx — unexpected server error
 }
 ```
--- a/clients/go/client.go
+++ b/clients/go/client.go
@@ -1,8 +1,8 @@
-// Package mciasgoclient provides a thread-safe Go client for the MCIAS REST API.
+// Package mcias provides a thread-safe Go client for the MCIAS REST API.
 //
 // Security: bearer tokens are stored under a sync.RWMutex and are never written
 // to logs or included in error messages anywhere in this package.
-package mciasgoclient
+package mcias
 import (
 	"bytes"
@@ -28,7 +28,7 @@ type MciasError struct {
 }
 func (e *MciasError) Error() string {
-	return fmt.Sprintf("mciasgoclient: HTTP %d: %s", e.StatusCode, e.Message)
+	return fmt.Sprintf("mcias: HTTP %d: %s", e.StatusCode, e.Message)
 }
 // MciasAuthError is returned for 401 Unauthorized responses.
--- a/clients/go/client_test.go
+++ b/clients/go/client_test.go
@@ -1,7 +1,7 @@
-// Package mciasgoclient_test provides tests for the MCIAS Go client.
+// Package mcias_test provides tests for the MCIAS Go client.
 // All tests use inline httptest.NewServer mocks to keep this module
 // self-contained (no cross-module imports).
-package mciasgoclient_test
+package mcias_test
 import (
 	"encoding/json"
@@ -11,16 +11,16 @@ import (
 	"strings"
 	"testing"
-	mciasgoclient "git.wntrmute.dev/kyle/mcias/clients/go"
+	mcias "git.wntrmute.dev/kyle/mcias/clients/go"
 )
 // ---------------------------------------------------------------------------
 // helpers
 // ---------------------------------------------------------------------------
-func newTestClient(t *testing.T, serverURL string) *mciasgoclient.Client {
+func newTestClient(t *testing.T, serverURL string) *mcias.Client {
 	t.Helper()
-	c, err := mciasgoclient.New(serverURL, mciasgoclient.Options{})
+	c, err := mcias.New(serverURL, mcias.Options{})
 	if err != nil {
 		t.Fatalf("New: %v", err)
 	}
@@ -42,7 +42,7 @@ func writeError(w http.ResponseWriter, status int, msg string) {
 // ---------------------------------------------------------------------------
 func TestNew(t *testing.T) {
-	c, err := mciasgoclient.New("https://example.com", mciasgoclient.Options{})
+	c, err := mcias.New("https://example.com", mcias.Options{})
 	if err != nil {
 		t.Fatalf("expected no error, got %v", err)
 	}
@@ -52,7 +52,7 @@ func TestNew(t *testing.T) {
 }
 func TestNewWithPresetToken(t *testing.T) {
-	c, err := mciasgoclient.New("https://example.com", mciasgoclient.Options{Token: "preset-tok"})
+	c, err := mcias.New("https://example.com", mcias.Options{Token: "preset-tok"})
 	if err != nil {
 		t.Fatalf("expected no error, got %v", err)
 	}
@@ -62,7 +62,7 @@ func TestNewWithPresetToken(t *testing.T) {
 }
 func TestNewBadCACert(t *testing.T) {
-	_, err := mciasgoclient.New("https://example.com", mciasgoclient.Options{CACertPath: "/nonexistent/ca.pem"})
+	_, err := mcias.New("https://example.com", mcias.Options{CACertPath: "/nonexistent/ca.pem"})
 	if err == nil {
 		t.Fatal("expected error for missing CA cert file")
 	}
@@ -97,7 +97,7 @@ func TestHealthError(t *testing.T) {
 	if err == nil {
 		t.Fatal("expected error for 503")
 	}
-	var srvErr *mciasgoclient.MciasServerError
+	var srvErr *mcias.MciasServerError
 	if !errors.As(err, &srvErr) {
 		t.Errorf("expected MciasServerError, got %T: %v", err, err)
 	}
@@ -183,7 +183,7 @@ func TestLoginUnauthorized(t *testing.T) {
 	if err == nil {
 		t.Fatal("expected error for 401")
 	}
-	var authErr *mciasgoclient.MciasAuthError
+	var authErr *mcias.MciasAuthError
 	if !errors.As(err, &authErr) {
 		t.Errorf("expected MciasAuthError, got %T: %v", err, err)
 	}
@@ -312,7 +312,7 @@ func TestConfirmTOTPBadCode(t *testing.T) {
 	if err == nil {
 		t.Fatal("expected error for bad TOTP code")
 	}
-	var inputErr *mciasgoclient.MciasInputError
+	var inputErr *mcias.MciasInputError
 	if !errors.As(err, &inputErr) {
 		t.Errorf("expected MciasInputError, got %T: %v", err, err)
 	}
@@ -347,7 +347,7 @@ func TestChangePasswordWrongCurrent(t *testing.T) {
 	if err == nil {
 		t.Fatal("expected error for wrong current password")
 	}
-	var authErr *mciasgoclient.MciasAuthError
+	var authErr *mcias.MciasAuthError
 	if !errors.As(err, &authErr) {
 		t.Errorf("expected MciasAuthError, got %T: %v", err, err)
 	}
@@ -456,7 +456,7 @@ func TestCreateAccountConflict(t *testing.T) {
 	if err == nil {
 		t.Fatal("expected error for 409")
 	}
-	var conflictErr *mciasgoclient.MciasConflictError
+	var conflictErr *mcias.MciasConflictError
 	if !errors.As(err, &conflictErr) {
 		t.Errorf("expected MciasConflictError, got %T: %v", err, err)
 	}
@@ -801,7 +801,7 @@ func TestListAudit(t *testing.T) {
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
-	resp, err := c.ListAudit(mciasgoclient.AuditFilter{})
+	resp, err := c.ListAudit(mcias.AuditFilter{})
 	if err != nil {
 		t.Fatalf("ListAudit: %v", err)
 	}
@@ -827,7 +827,7 @@ func TestListAuditWithFilter(t *testing.T) {
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
-	_, err := c.ListAudit(mciasgoclient.AuditFilter{
+	_, err := c.ListAudit(mcias.AuditFilter{
 		Limit: 10, Offset: 5, EventType: "login_fail", ActorID: "acct-uuid-1",
 	})
 	if err != nil {
@@ -896,10 +896,10 @@ func TestCreatePolicyRule(t *testing.T) {
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
-	rule, err := c.CreatePolicyRule(mciasgoclient.CreatePolicyRuleRequest{
+	rule, err := c.CreatePolicyRule(mcias.CreatePolicyRuleRequest{
 		Description: "Test rule",
 		Priority:    50,
-		Rule:        mciasgoclient.PolicyRuleBody{Effect: "deny"},
+		Rule:        mcias.PolicyRuleBody{Effect: "deny"},
 	})
 	if err != nil {
 		t.Fatalf("CreatePolicyRule: %v", err)
@@ -950,7 +950,7 @@ func TestGetPolicyRuleNotFound(t *testing.T) {
 	if err == nil {
 		t.Fatal("expected error for 404")
 	}
-	var notFoundErr *mciasgoclient.MciasNotFoundError
+	var notFoundErr *mcias.MciasNotFoundError
 	if !errors.As(err, &notFoundErr) {
 		t.Errorf("expected MciasNotFoundError, got %T: %v", err, err)
 	}
@@ -976,7 +976,7 @@ func TestUpdatePolicyRule(t *testing.T) {
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
-	rule, err := c.UpdatePolicyRule(7, mciasgoclient.UpdatePolicyRuleRequest{Enabled: &enabled})
+	rule, err := c.UpdatePolicyRule(7, mcias.UpdatePolicyRuleRequest{Enabled: &enabled})
 	if err != nil {
 		t.Fatalf("UpdatePolicyRule: %v", err)
 	}
@@ -1073,7 +1073,7 @@ func TestIntegration(t *testing.T) {
 	if err == nil {
 		t.Fatal("expected error for wrong credentials")
 	}
-	var authErr *mciasgoclient.MciasAuthError
+	var authErr *mcias.MciasAuthError
 	if !errors.As(err, &authErr) {
 		t.Errorf("expected MciasAuthError, got %T", err)
 	}
--- a/cmd/mciasctl/main.go
+++ b/cmd/mciasctl/main.go
@@ -34,6 +34,7 @@
 //	token issue  -id UUID
 //	token revoke -jti JTI
 //
 //	pgcreds list
 //	pgcreds set -id UUID -host HOST [-port PORT] -db DB -user USER [-password PASS]
 //	pgcreds get -id UUID
 //
@@ -526,9 +527,11 @@ func (c *controller) tokenRevoke(args []string) {
 func (c *controller) runPGCreds(args []string) {
 	if len(args) == 0 {
-		fatalf("pgcreds requires a subcommand: get, set")
+		fatalf("pgcreds requires a subcommand: list, get, set")
 	}
 	switch args[0] {
 	case "list":
 		c.pgCredsList(args[1:])
 	case "get":
 		c.pgCredsGet(args[1:])
 	case "set":
@@ -538,6 +541,15 @@ func (c *controller) runPGCreds(args []string) {
 	}
 }
 func (c *controller) pgCredsList(args []string) {
 	fs := flag.NewFlagSet("pgcreds list", flag.ExitOnError)
 	_ = fs.Parse(args)
 	var result json.RawMessage
 	c.doRequest("GET", "/v1/pgcreds", nil, &result)
 	printJSON(result)
 }
 func (c *controller) pgCredsGet(args []string) {
 	fs := flag.NewFlagSet("pgcreds get", flag.ExitOnError)
 	id := fs.String("id", "", "account UUID (required)")
@@ -943,6 +955,7 @@ Commands:
  token issue   -id UUID
  token revoke  -jti JTI
  pgcreds list
  pgcreds get  -id UUID
  pgcreds set  -id UUID -host HOST [-port PORT] -db DB -user USER [-password PASS]
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -134,6 +134,7 @@ func (s *Server) Handler() http.Handler {
 	mux.Handle("PUT /v1/accounts/{id}/roles", requireAdmin(http.HandlerFunc(s.handleSetRoles)))
 	mux.Handle("POST /v1/accounts/{id}/roles", requireAdmin(http.HandlerFunc(s.handleGrantRole)))
 	mux.Handle("DELETE /v1/accounts/{id}/roles/{role}", requireAdmin(http.HandlerFunc(s.handleRevokeRole)))
 	mux.Handle("GET /v1/pgcreds", requireAuth(http.HandlerFunc(s.handleListAccessiblePGCreds)))
 	mux.Handle("GET /v1/accounts/{id}/pgcreds", requireAdmin(http.HandlerFunc(s.handleGetPGCreds)))
 	mux.Handle("PUT /v1/accounts/{id}/pgcreds", requireAdmin(http.HandlerFunc(s.handleSetPGCreds)))
 	mux.Handle("GET /v1/audit", requireAdmin(http.HandlerFunc(s.handleListAudit)))
@@ -1223,6 +1224,58 @@ func (s *Server) handleSetPGCreds(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusNoContent)
 }
 // handleListAccessiblePGCreds returns all pg_credentials accessible to the
 // authenticated user: those owned + those explicitly granted. The credential ID
 // is included so callers can fetch a specific credential via /v1/accounts/{id}/pgcreds.
 func (s *Server) handleListAccessiblePGCreds(w http.ResponseWriter, r *http.Request) {
 	claims := middleware.ClaimsFromContext(r.Context())
 	if claims == nil {
 		middleware.WriteError(w, http.StatusUnauthorized, "not authenticated", "unauthorized")
 		return
 	}
 	acct, err := s.db.GetAccountByUUID(claims.Subject)
 	if err != nil {
 		middleware.WriteError(w, http.StatusUnauthorized, "account not found", "unauthorized")
 		return
 	}
 	creds, err := s.db.ListAccessiblePGCreds(acct.ID)
 	if err != nil {
 		middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
 		return
 	}
 	// Convert credentials to response format with credential ID.
 	type pgCredResponse struct {
 		CreatedAt          time.Time `json:"created_at"`
 		UpdatedAt          time.Time `json:"updated_at"`
 		ID                 int64     `json:"id"`
 		Port               int       `json:"port"`
 		Host               string    `json:"host"`
 		Database           string    `json:"database"`
 		Username           string    `json:"username"`
 		ServiceAccountID   string    `json:"service_account_id"`
 		ServiceAccountName string    `json:"service_account_name,omitempty"`
 	}
 	response := make([]pgCredResponse, len(creds))
 	for i, cred := range creds {
 		response[i] = pgCredResponse{
 			ID:               cred.ID,
 			ServiceAccountID: cred.ServiceAccountUUID,
 			Host:             cred.PGHost,
 			Port:             cred.PGPort,
 			Database:         cred.PGDatabase,
 			Username:         cred.PGUsername,
 			CreatedAt:        cred.CreatedAt,
 			UpdatedAt:        cred.UpdatedAt,
 		}
 	}
 	writeJSON(w, http.StatusOK, response)
 }
 // ---- Audit endpoints ----
 // handleListAudit returns paginated audit log entries with resolved usernames.
--- a/web/templates/pgcreds.html
+++ b/web/templates/pgcreds.html
@@ -12,6 +12,7 @@
  {{range .Creds}}
  <div style="border:1px solid var(--color-border);border-radius:6px;padding:1rem;margin-bottom:1rem">
    <dl style="display:grid;grid-template-columns:140px 1fr;gap:.35rem .75rem;font-size:.9rem;margin-bottom:.75rem">
      <dt class="text-muted">Credential ID</dt><dd><code style="font-size:.8rem;color:var(--color-fg-muted)">{{.ID}}</code></dd>
      <dt class="text-muted">Service Account</dt><dd>{{.ServiceUsername}}</dd>
      <dt class="text-muted">Host</dt><dd>{{.PGHost}}:{{.PGPort}}</dd>
      <dt class="text-muted">Database</dt><dd>{{.PGDatabase}}</dd>