Add API key management commands #169

Merged: IlyaasK merged 5 commits into main from codex-api-keys-cli on May 29, 2026

IlyaasK commented May 28, 2026

Summary

Adds first-class programmatic API key management to the Kernel CLI using github.com/kernel/kernel-go-sdk v0.58.0, which exposes the generated client.APIKeys surface.

This PR also normalizes the repeated JSON output plumbing across CLI commands so the new API key commands use the same small helper path as the rest of the CLI instead of adding another copy of the same --output json validation pattern.

What changed

API key CLI commands

Adds a new top-level api-keys command with aliases api-key, apikeys, and apikey.

New subcommands:

  • kernel api-keys create

    • creates an org-wide API key by default
    • accepts --name as required input
    • accepts --days-to-expire for optional expiry, validated to 1..3650
    • accepts --project-id to create a key whose own access is scoped to a project
    • supports -o json / --output json
    • prints the one-time plaintext key in human output because the API only returns it once
  • kernel api-keys list

    • supports --limit and --offset
    • rejects negative pagination values locally before making an API request
    • renders human-readable tables by default and JSON arrays with --output json
  • kernel api-keys get <id>

    • fetches a single API key
    • renders details in human output or the raw SDK response in JSON output
  • kernel api-keys update <id>

    • renames an API key via required --name
    • supports human and JSON output
  • kernel api-keys delete <id>

    • prompts for confirmation by default
    • supports -y / --yes to skip confirmation
    • returns a non-zero not-found error so revocation scripts do not silently pass on typoed or inaccessible key IDs

SDK bump

  • Bumps github.com/kernel/kernel-go-sdk from v0.53.0 to v0.58.0.
  • This is required because the API-key resource surface is generated in v0.58.0.
  • Adds small compatibility casts for ManagedAuthCanReauthReason, which is now a named SDK type.

Output helper normalization

Adds shared helpers for the repeated --output json command behavior:

  • pkg/util.ValidateJSONOutput
  • pkg/util.AddJSONOutputFlag
  • package-local wrappers in cmd and cmd/proxies

Then applies those helpers across existing commands that already had the same JSON-only output contract:

  • apps
  • auth connections
  • browser pools
  • browsers
  • credential providers
  • credentials
  • deploy/history/get flows
  • extensions
  • invocations
  • profiles
  • projects limits
  • proxies
  • ssh setup output validation
  • status

Why: the CLI had many copies of the same validation branch and flag description. Centralizing the behavior makes the new API-key command cheaper to review and keeps future commands from drifting on error text or flag help.

Shared flag/test helpers

  • Moves BoolFlag and Int64Flag into cmd/flag_values.go so generic flag-state types are no longer accidentally owned by cmd/browsers.go.
  • Adds capturePtermOutput in cmd/test_helpers_test.go and reuses it in touched tests for projects, profiles, extensions, and API keys.

Docs

Updates README.md to document:

  • API-key commands and flags
  • JSON output support for API-key create/list/get/update
  • the difference between --project-id on API-key creation and the global --project request-scoping flag

Why

Programmatic API key CRUD now exists in the generated SDKs. The CLI needs the same capability so users can create, inspect, rotate/rename, and delete API keys without going through the dashboard.

The implementation intentionally stays direct instead of introducing a generic CRUD framework:

  • command input structs keep Cobra parsing separate from behavior
  • APIKeysService is a small test seam over the generated SDK surface
  • output formatting is explicit and local to API keys
  • project scoping is derived from the typed SDK ProjectID field rather than reading SDK extra fields

The normalization pieces were included because API-key commands need the same JSON-only output behavior that already existed throughout the CLI. Pulling that behavior into shared helpers avoids adding another local copy and makes the surrounding CLI more consistent.

Verification

  • make test
    • go vet ./...
    • go test ./...
  • make build
  • Autoreview closeout:
    • python3 /Users/ilyaas/.codex/skills/autoreview/scripts/autoreview --mode branch --base origin/main
    • result: autoreview clean: no accepted/actionable findings reported

I also smoke-tested the API-key flow locally against the test API earlier in the branch work:

  • create a short-lived key
  • list keys
  • get the created key
  • rename/update the key
  • delete the key
  • verify delete cleanup

Notes for reviewers

  • --project-id on api-keys create scopes the new key itself.
  • global --project scopes the CLI request being made.
  • The SDK currently does not expose a stable typed IsProjectScoped; scope display is derived from typed ProjectID instead.

Note

Medium Risk
New credential lifecycle commands and SDK bump touch auth-related surfaces; broad --output refactor is mostly mechanical but wide in scope.

Overview
Adds kernel api-keys (create, list, get, update, delete) backed by kernel-go-sdk v0.58.0, including optional expiry, --project-id for project-scoped keys (distinct from global --project), human tables plus --output json, and showing the one-time plaintext key on create.

Centralizes JSON-only --output handling via pkg/util helpers and applies them across many existing commands; moves BoolFlag/Int64Flag to flag_values.go and shares capturePtermOutput in tests. README documents API key commands; auth-connection display casts CanReauthReason for the SDK type change.

Reviewed by Cursor Bugbot for commit 689378a. Bugbot is set up for automated code reviews on this repo.
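
An added Go example (not code from this PR or the Kernel CLI) of the delete behavior the description calls out: if not-found is swallowed, a revocation script given a typoed ID reports success while the intended key stays active. `ErrKeyNotFound`, `fakeStore`, `deleteKey` and `revokeAll` are hypothetical names, and the key IDs are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrKeyNotFound is a hypothetical sentinel; the SDK's real error type is not shown on the page.
var ErrKeyNotFound = errors.New("api key not found")

// fakeStore is a constructed in-memory stand-in for the API (key ID -> active).
type fakeStore map[string]bool

func (s fakeStore) Delete(id string) error {
	if !s[id] {
		return ErrKeyNotFound
	}
	delete(s, id)
	return nil
}

// deleteKey revokes one key. With strict=false it swallows not-found, so a
// typoed ID is indistinguishable from a completed revocation.
func deleteKey(s fakeStore, id string, strict bool) error {
	err := s.Delete(id)
	if errors.Is(err, ErrKeyNotFound) && !strict {
		return nil
	}
	return err
}

// revokeAll deletes each ID and returns the IDs that were not confirmed revoked;
// a script should exit non-zero when this list is non-empty.
func revokeAll(s fakeStore, ids []string, strict bool) []string {
	var failed []string
	for _, id := range ids {
		if deleteKey(s, id, strict) != nil {
			failed = append(failed, id)
		}
	}
	return failed
}

func main() {
	typo := []string{"key_1eaked"} // constructed: the operator meant "key_leaked"
	s := fakeStore{"key_leaked": true}
	fmt.Println("lenient failures:", revokeAll(s, typo, false), "leaked key active:", s["key_leaked"])
	fmt.Println("strict failures: ", revokeAll(s, typo, true), "leaked key active:", s["key_leaked"])
}
```
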

socket-security Bot commented May 28, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Updated: golang/github.com/kernel/kernel-go-sdk@v0.53.0 ⏵ v0.58.0

  • Supply Chain Security: 72 +1
  • Vulnerability: 100
  • Quality: 100
  • Maintenance: 100
  • License: 100

IlyaasK requested a review from hiroTamada May 28, 2026 15:01
IlyaasK marked this pull request as ready for review May 28, 2026 15:07

firetiger-agent commented

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

Any PR that changes the kernel API. Monitor changes to API endpoints (packages/api/cmd/api/) and Temporal workflows (packages/api/lib/temporal) in the kernel repo

Reason: This PR adds CLI commands for API key management and does not modify the kernel API endpoints (packages/api/cmd/api/) or Temporal workflows (packages/api/lib/temporal) specified in the filter.

To monitor this PR anyway, reply with @firetiger monitor this.

IlyaasK force-pushed the codex-api-keys-cli branch from 69c0083 to 6c9deba May 28, 2026 15:11

IlyaasK commented May 28, 2026

Production smoke against https://api.onkernel.com passed with the built PR binary (./bin/kernel).

Auth used an org-wide production API key via KERNEL_API_KEY.

Coverage run:

  • Build: make build
  • Non-mutating checks:
    • auth reports API-key auth
    • status reaches production API
    • org-level api-keys list --limit 5 -o json returns a JSON array
    • project-request-scoped --project xfqjwpikc7udw5u8fsvu1t96 api-keys list --limit 5 -o json returns a JSON array

Org-wide key flow:

  • api-keys create --days-to-expire 1 -o json
  • confirmed returned id, one-time key, masked_key, non-null expires_at, and no project_id
  • api-keys list --limit 50 -o json and confirmed created key was present
  • api-keys get <id> -o json
  • human api-keys get <id> and confirmed Org scope plus masked-key display
  • api-keys update <id> --name <renamed> -o json
  • api-keys create -o json with omitted --days-to-expire and confirmed expires_at is null / human output shows Never
  • deleted both org-wide smoke keys with api-keys delete <id> -y
  • confirmed api-keys get <id> -o json fails after deletion for both

Project-scoped key flow:

  • --project xfqjwpikc7udw5u8fsvu1t96 api-keys create --days-to-expire 1 --project-id xfqjwpikc7udw5u8fsvu1t96 -o json
  • confirmed returned id, one-time key, masked_key, matching project_id, and non-null expires_at
  • project-scoped api-keys list --limit 50 -o json and confirmed created key was present
  • project-scoped api-keys get <id> -o json
  • human project-scoped api-keys get <id> and confirmed Project scope plus masked-key display
  • project-scoped api-keys update <id> --name <renamed> -o json
  • verified global --project alone does not create a project-scoped key unless --project-id is also passed
  • deleted project smoke keys with api-keys delete <id> -y
  • confirmed api-keys get <id> -o json fails after deletion for both

Validation / edge cases:

  • invalid -o yaml/xml for create/list/get/update fails locally with the shared output error
  • invalid --days-to-expire 0 fails locally
  • invalid --days-to-expire 3651 fails locally
  • negative --limit fails locally
  • negative --offset fails locally
  • update without required --name fails
  • deleting a nonexistent API key exits successfully with a not found message

Cleanup:

  • no codex-prod-* smoke keys remain in production after the run
  • local temp JSON response files from the smoke were removed

hiroTamada left a comment

lgtm — clean api-keys CLI surface, SDK bump compat shim is correct, output validator centralization checks out. minor nits (no "Created API key: " success line on create, update prints full details table where peer commands don't, kernel.Int vs kernel.Opt picks the browsers dialect over the credentials dialect) — non-blocking.

IlyaasK commented May 28, 2026

fixed created api key consistency. will add a pr later to normalize cli

Comment thread cmd/projects.go Outdated
cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 689378a.

Comment thread cmd/api_keys.go
IlyaasK merged commit 68c4770 into main May 29, 2026
7 checks passed
IlyaasK deleted the codex-api-keys-cli branch May 29, 2026 13:23