feat: apply remote admin settings (no-op) (#16106)

2026-04-22 11:04:42 -07:00 · 2026-01-09 17:04:57 -05:00
parent e04a5f0cb0
commit d74bf9ef2f
5 changed files with 281 additions and 125 deletions
@@ -375,6 +375,51 @@ export async function main() {
    }
  }

+  const partialConfig = await loadCliConfig(settings.merged, sessionId, argv, {
+    projectHooks: settings.workspace.settings.hooks,
+  });
+
+  // Refresh auth to fetch remote admin settings from CCPA and before entering
+  // the sandbox because the sandbox will interfere with the Oauth2 web
+  // redirect.
+  if (
+    settings.merged.security?.auth?.selectedType &&
+    !settings.merged.security?.auth?.useExternal
+  ) {
+    try {
+      if (partialConfig.isInteractive()) {
+        const err = validateAuthMethod(
+          settings.merged.security.auth.selectedType,
+        );
+        if (err) {
+          throw new Error(err);
+        }
+
+        await partialConfig.refreshAuth(
+          settings.merged.security.auth.selectedType,
+        );
+      } else {
+        const authType = await validateNonInteractiveAuth(
+          settings.merged.security?.auth?.selectedType,
+          settings.merged.security?.auth?.useExternal,
+          partialConfig,
+          settings,
+        );
+        await partialConfig.refreshAuth(authType);
+      }
+    } catch (err) {
+      debugLogger.error('Error authenticating:', err);
+      await runExitCleanup();
+      process.exit(ExitCodes.FATAL_AUTHENTICATION_ERROR);
+    }
+  }
+
+  const remoteAdminSettings = partialConfig.getRemoteAdminSettings();
+  // Set remote admin settings if returned from CCPA.
+  if (remoteAdminSettings) {
+    settings.setRemoteAdminSettings(remoteAdminSettings);
+  }
+
  // hop into sandbox if we are outside and sandboxing is enabled
  if (!process.env['SANDBOX']) {
    const memoryArgs = settings.merged.advanced?.autoConfigureMemory
@@ -388,45 +433,6 @@ export async function main() {
    // another way to decouple refreshAuth from requiring a config.

    if (sandboxConfig) {
-      const partialConfig = await loadCliConfig(
-        settings.merged,
-        sessionId,
-        argv,
-        { projectHooks: settings.workspace.settings.hooks },
-      );
-
-      if (
-        settings.merged.security?.auth?.selectedType &&
-        !settings.merged.security?.auth?.useExternal
-      ) {
-        try {
-          if (partialConfig.isInteractive()) {
-            // Validate authentication here because the sandbox will interfere with the Oauth2 web redirect.
-            const err = validateAuthMethod(
-              settings.merged.security.auth.selectedType,
-            );
-            if (err) {
-              throw new Error(err);
-            }
-
-            await partialConfig.refreshAuth(
-              settings.merged.security.auth.selectedType,
-            );
-          } else {
-            const authType = await validateNonInteractiveAuth(
-              settings.merged.security?.auth?.selectedType,
-              settings.merged.security?.auth?.useExternal,
-              partialConfig,
-              settings,
-            );
-            await partialConfig.refreshAuth(authType);
-          }
-        } catch (err) {
-          debugLogger.error('Error authenticating:', err);
-          await runExitCleanup();
-          process.exit(ExitCodes.FATAL_AUTHENTICATION_ERROR);
-        }
-      }
      let stdinData = '';
      if (!process.stdin.isTTY) {
        stdinData = await readStdin();