fix(vertex): include prefix in auth filename and validate at import

Address two blocking issues from PR review: - Auth file now named vertex-{prefix}-{project}.json so importing the same project with different prefixes no longer overwrites credentials - Prefix containing "/" is rejected at import time instead of being silently ignored at runtime - Add prefix to in-memory metadata map for consistency Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 19:51:18 +00:00 · 2026-03-17 15:06:04 +07:00
parent a337ecf35c
commit 36efcc6e28
3 changed files with 20 additions and 4 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -54,4 +54,4 @@ _bmad-output/*
 .beads/
 .opencode/
 .cli-proxy-api/
-.venv/
+.venv/
--- a/internal/auth/vertex/vertex_credentials.go
+++ b/internal/auth/vertex/vertex_credentials.go
@@ -31,7 +31,8 @@ type VertexCredentialStorage struct {
 	// Type is the provider identifier stored alongside credentials. Always "vertex".
 	Type string `json:"type"`

-	// Prefix optionally namespaces models for this credential (e.g., "teamA/gemini-2.0-flash").
+	// Prefix optionally namespaces models for this credential (e.g., "teamA").
+	// This results in model names like "teamA/gemini-2.0-flash".
 	Prefix string `json:"prefix,omitempty"`
 }

--- a/internal/cmd/vertex_import.go
+++ b/internal/cmd/vertex_import.go
@@ -62,14 +62,28 @@ func DoVertexImport(cfg *config.Config, keyPath string, prefix string) {
 	// Default location if not provided by user. Can be edited in the saved file later.
 	location := "us-central1"

-	fileName := fmt.Sprintf("vertex-%s.json", sanitizeFilePart(projectID))
+	// Normalize and validate prefix: must be a single segment (no "/" allowed).
+	prefix = strings.TrimSpace(prefix)
+	prefix = strings.Trim(prefix, "/")
+	if prefix != "" && strings.Contains(prefix, "/") {
+		log.Errorf("vertex-import: prefix must be a single segment (no '/' allowed): %q", prefix)
+		return
+	}
+
+	// Include prefix in filename so importing the same project with different
+	// prefixes creates separate credential files instead of overwriting.
+	baseName := sanitizeFilePart(projectID)
+	if prefix != "" {
+		baseName = sanitizeFilePart(prefix) + "-" + baseName
+	}
+	fileName := fmt.Sprintf("vertex-%s.json", baseName)
 	// Build auth record
 	storage := &vertex.VertexCredentialStorage{
 		ServiceAccount: sa,
 		ProjectID:      projectID,
 		Email:          email,
 		Location:       location,
-		Prefix:         strings.TrimSpace(prefix),
+		Prefix:         prefix,
 	}
 	metadata := map[string]any{
 		"service_account": sa,
@@ -77,6 +91,7 @@ func DoVertexImport(cfg *config.Config, keyPath string, prefix string) {
 		"email":           email,
 		"location":        location,
 		"type":            "vertex",
+		"prefix":          prefix,
 		"label":           labelForVertex(projectID, email),
 	}
 	record := &coreauth.Auth{