Parent issue. Bring jtk and cfl into conformance with the family-wide cli-common standards (PR open-cli-collective/cli-common#28). Items below are ordered by dependency and breaking-change weight.
1. set-credential surface conformance
Where: tools/jtk/internal/cmd/setcredential/setcredential.go:42, tools/cfl/internal/cmd/setcredential/setcredential.go, shared backing at shared/keyring/setcredential.go.
What: Add --stdin (explicit; today stdin is implicit when no flag is passed), --ref <bundle>, --key <name>, --overwrite, --json (control-plane envelope). --from-env already shipped.
Why: §1.5.2 of cli-common working-with-secrets.md. The load-bearing adds are --overwrite (today silently overwrites — surprising) and --json (for installer-script control-plane parity). --ref / --key are forward-compat reservations; today only atlassian-cli/default / api_token is valid since one token serves both tools.
2. init secret-ingress hardening
Where: tools/jtk/internal/cmd/initcmd/initcmd.go:64 (--token <value>), tools/jtk/internal/cmd/initcmd/initcmd.go:219 (huh form always runs), tools/cfl/internal/cmd/init/init.go:161 (no token-ingress flags).
What:
- Remove jtk init --token <value> (flag-passed plaintext secret). Replace with --token-stdin / --token-from-env.
- Add --token-stdin / --token-from-env to cfl init.
- Make both wizards flag-skippable: if every required value is provided non-interactively, skip the huh form entirely.
Why: §1.5.1 of cli-common working-with-secrets.md prohibits flag-passed plaintext secrets; §4.1 of scriptability.md requires every wizard input to have a scripted alternative. Breaking change: jtk init --token removal needs a deprecation cycle or major-version bump.
3. --non-interactive flag
Where: Root command of both jtk and cfl.
What: Add --non-interactive persistent flag; gate every prompt site (init wizard, future safety confirmations) on --non-interactive=false AND TTY-stdin.
Why: §3.4 + §4.1 of cli-common scriptability.md. nrq is the reference (newrelic-cli/internal/cmd/initcmd/init.go:77,108,156-159,336-339). Companion to #2 — both unlock scripted use of init.
4. Resource-read JSON scope reduction
Where: cfl global -o json flag. (jtk already conforms — only automation export emits JSON.)
What: Remove -o json on cfl resource-read commands.
Why: §2 of cli-common output-and-rendering.md reserves JSON for round-trip payloads + control-plane envelopes. Heaviest breaking change of the four — downstream scripts consuming cfl ... -o json will break.
Suggested order: 1 → 2 → 3 → 4. (1 unblocks the installer-script path; 2 + 3 land together to make init fully scripted; 4 is the breaking-change-heavy one to do last, with a deprecation cycle.)
Related tracking issues in cli-common:
- Family-wide JSON-on-resource-reads policy — item 4 is the atlassian-cli's share
- Family-wide --non-interactive coverage — item 3 is the atlassian-cli's share
Source: cli-common PR #28 (commit e4d59c6), divergence catalogs in docs/command-surface.md §9, docs/output-and-rendering.md §10, docs/scriptability.md §9.
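A sketch of how items 2 and 3 fit together, added here as an illustration and not taken from jtk, cfl or cli-common: the token is read from stdin or an environment variable instead of argv, and the wizard runs only when a required value is missing, --non-interactive is false and stdin is a TTY. The names TokenSource, ResolveToken and ShouldPrompt are hypothetical, and treating --token-from-env as taking a variable name is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// TokenSource mirrors the ingress flags proposed in item 2 (hypothetical type).
type TokenSource struct {
	FromStdin bool   // --token-stdin
	FromEnv   string // --token-from-env <VAR> (assumed to name a variable)
}

// ResolveToken reads the secret from exactly one non-argv source; ok=false with a nil error means none was given.
func ResolveToken(src TokenSource, stdin io.Reader, getenv func(string) string) (tok string, ok bool, err error) {
	if src.FromStdin && src.FromEnv != "" {
		return "", false, errors.New("--token-stdin and --token-from-env are mutually exclusive")
	}
	var raw string
	switch {
	case src.FromStdin:
		b, rerr := io.ReadAll(io.LimitReader(stdin, 64<<10)) // bound the read
		if rerr != nil {
			return "", false, fmt.Errorf("read token from stdin: %w", rerr)
		}
		raw = string(b)
	case src.FromEnv != "":
		raw = getenv(src.FromEnv)
	default:
		return "", false, nil
	}
	tok = strings.TrimRight(raw, "\r\n") // `echo` and here-strings append a newline
	if tok == "" {
		return "", false, errors.New("token source was empty")
	}
	return tok, true, nil
}

// ShouldPrompt is the item 3 gate, with the item 2 rule that a fully supplied wizard is skipped.
func ShouldPrompt(nonInteractive, stdinIsTTY, haveAllRequired bool) bool {
	return !haveAllRequired && !nonInteractive && stdinIsTTY
}

func main() {
	// Constructed input standing in for a piped secret; only its length is printed.
	tok, ok, err := ResolveToken(TokenSource{FromStdin: true}, strings.NewReader("constructed-token\n"), os.Getenv)
	fmt.Println(len(tok), ok, err, ShouldPrompt(false, false, ok))
}
```

When the token arrives on a pipe, stdin is not a TTY, so the gate suppresses the wizard even without --non-interactive; a missing required value then has to surface as an error instead of a prompt.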