Extract command for secrets

Signed-off-by: David Gageot <[email protected]>

Author: dgageot

cmd/docker-mcp/commands/root.go

@@ -14,7 +14,6 @@ import (
 	"github.com/docker/mcp-gateway/cmd/docker-mcp/internal/docker"
 	"github.com/docker/mcp-gateway/cmd/docker-mcp/oauth"
 	"github.com/docker/mcp-gateway/cmd/docker-mcp/secret-management/policy"
-	"github.com/docker/mcp-gateway/cmd/docker-mcp/secret-management/secret"
 	"github.com/docker/mcp-gateway/cmd/docker-mcp/version"
 )
 
@@ -74,7 +73,7 @@ func Root(ctx context.Context, cwd string, dockerCli command.Cli) *cobra.Command
 
 	dockerClient := docker.NewClient(dockerCli)
 
-	cmd.AddCommand(secret.NewSecretsCmd(dockerClient))
+	cmd.AddCommand(secretCommand(dockerClient))
 	cmd.AddCommand(policy.NewPolicyCmd())
 	cmd.AddCommand(oauth.NewOAuthCmd())
 	cmd.AddCommand(client.NewClientCmd(cwd))

cmd/docker-mcp/commands/secret.go

@@ -0,0 +1,132 @@
+package commands
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"github.com/docker/mcp-gateway/cmd/docker-mcp/internal/docker"
+	"github.com/docker/mcp-gateway/cmd/docker-mcp/secret-management/secret"
+)
+
+const setExample = `
+# Using secrets for postgres password with default policy:
+docker mcp secret set POSTGRES_PASSWORD=my-secret-password
+docker run -d -l x-secret:POSTGRES_PASSWORD=/pwd.txt -e POSTGRES_PASSWORD_FILE=/pwd.txt -p 5432 postgres
+
+# Or pass the secret via STDIN:
+echo my-secret-password > pwd.txt
+cat pwd.txt | docker mcp secret set POSTGRES_PASSWORD
+`
+
+func secretCommand(docker docker.Client) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "secret",
+		Short:   "Manage secrets",
+		Example: strings.Trim(setExample, "\n"),
+	}
+	cmd.AddCommand(rmCommand())
+	cmd.AddCommand(listCommand())
+	cmd.AddCommand(setCommand())
+	cmd.AddCommand(exportCommand(docker))
+	return cmd
+}
+
+func rmCommand() *cobra.Command {
+	var opts secret.RmOpts
+	cmd := &cobra.Command{
+		Use:   "rm name1 name2 ...",
+		Short: "Remove secrets from Docker Desktop's secret store",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := validateRmArgs(args, opts); err != nil {
+				return err
+			}
+			return secret.Remove(cmd.Context(), args, opts)
+		},
+	}
+	flags := cmd.Flags()
+	flags.BoolVar(&opts.All, "all", false, "Remove all secrets")
+	return cmd
+}
+
+func validateRmArgs(args []string, opts secret.RmOpts) error {
+	if len(args) == 0 && !opts.All {
+		return errors.New("either provide a secret name or use --all to remove all secrets")
+	}
+	return nil
+}
+
+func listCommand() *cobra.Command {
+	var opts secret.ListOptions
+	cmd := &cobra.Command{
+		Use:   "ls",
+		Short: "List all secret names in Docker Desktop's secret store",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			return secret.List(cmd.Context(), opts)
+		},
+	}
+	flags := cmd.Flags()
+	flags.BoolVar(&opts.JSON, "json", false, "Print as JSON.")
+	return cmd
+}
+
+func setCommand() *cobra.Command {
+	opts := &secret.SetOpts{}
+	cmd := &cobra.Command{
+		Use:     "set key[=value]",
+		Short:   "Set a secret in Docker Desktop's secret store",
+		Example: strings.Trim(setExample, "\n"),
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !secret.IsValidProvider(opts.Provider) {
+				return fmt.Errorf("invalid provider: %s", opts.Provider)
+			}
+			var s secret.Secret
+			if isNotImplicitReadFromStdinSyntax(args, *opts) {
+				va, err := secret.ParseArg(args[0], *opts)
+				if err != nil {
+					return err
+				}
+				s = *va
+			} else {
+				val, err := secret.MappingFromSTDIN(cmd.Context(), args[0])
+				if err != nil {
+					return err
+				}
+				s = *val
+			}
+			return secret.Set(cmd.Context(), s, *opts)
+		},
+	}
+	flags := cmd.Flags()
+	flags.StringVar(&opts.Provider, "provider", "", "Supported: credstore, oauth/<provider>")
+	return cmd
+}
+
+func isNotImplicitReadFromStdinSyntax(args []string, opts secret.SetOpts) bool {
+	return strings.Contains(args[0], "=") || len(args) > 1 || opts.Provider != ""
+}
+
+func exportCommand(docker docker.Client) *cobra.Command {
+	return &cobra.Command{
+		Use:    "export [server1] [server2] ...",
+		Short:  "Export secrets for the specified servers",
+		Hidden: true,
+		Args:   cobra.MinimumNArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			secrets, err := secret.Export(cmd.Context(), docker, args)
+			if err != nil {
+				return err
+			}
+
+			for name, secret := range secrets {
+				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s=%s\n", name, secret)
+			}
+
+			return nil
+		},
+	}
+}

cmd/docker-mcp/secret-management/secret/export.go

@@ -5,33 +5,10 @@ import (
 	"fmt"
 	"sort"
 
-	"github.com/spf13/cobra"
-
 	"github.com/docker/mcp-gateway/cmd/docker-mcp/internal/catalog"
 	"github.com/docker/mcp-gateway/cmd/docker-mcp/internal/docker"
 )
 
-func exportCommand(docker docker.Client) *cobra.Command {
-	return &cobra.Command{
-		Use:    "export [server1] [server2] ...",
-		Short:  "Export secrets for the specified servers",
-		Hidden: true,
-		Args:   cobra.MinimumNArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			secrets, err := Export(cmd.Context(), docker, args)
-			if err != nil {
-				return err
-			}
-
-			for name, secret := range secrets {
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s=%s\n", name, secret)
-			}
-
-			return nil
-		},
-	}
-}
-
 func Export(ctx context.Context, docker docker.Client, serverNames []string) (map[string]string, error) {
 	catalog, err := catalog.Get(ctx)
 	if err != nil {

cmd/docker-mcp/secret-management/secret/list.go

@@ -5,8 +5,6 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/spf13/cobra"
-
 	"github.com/docker/mcp-gateway/cmd/docker-mcp/internal/desktop"
 	"github.com/docker/mcp-gateway/cmd/docker-mcp/secret-management/formatting"
 )
@@ -15,21 +13,6 @@ type ListOptions struct {
 	JSON bool
 }
 
-func listCommand() *cobra.Command {
-	var opts ListOptions
-	cmd := &cobra.Command{
-		Use:   "ls",
-		Short: "List all secret names in Docker Desktop's secret store",
-		Args:  cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, _ []string) error {
-			return List(cmd.Context(), opts)
-		},
-	}
-	flags := cmd.Flags()
-	flags.BoolVar(&opts.JSON, "json", false, "Print as JSON.")
-	return cmd
-}
-
 func List(ctx context.Context, opts ListOptions) error {
 	l, err := desktop.NewSecretsClient().ListJfsSecrets(ctx)
 	if err != nil {

cmd/docker-mcp/secret-management/secret/rm.go

@@ -5,39 +5,13 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/spf13/cobra"
-
 	"github.com/docker/mcp-gateway/cmd/docker-mcp/internal/desktop"
 )
 
 type RmOpts struct {
 	All bool
 }
 
-func rmCommand() *cobra.Command {
-	var opts RmOpts
-	cmd := &cobra.Command{
-		Use:   "rm name1 name2 ...",
-		Short: "Remove secrets from Docker Desktop's secret store",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			if err := validateArgs(args, opts); err != nil {
-				return err
-			}
-			return Remove(cmd.Context(), args, opts)
-		},
-	}
-	flags := cmd.Flags()
-	flags.BoolVar(&opts.All, "all", false, "Remove all secrets")
-	return cmd
-}
-
-func validateArgs(args []string, opts RmOpts) error {
-	if len(args) == 0 && !opts.All {
-		return errors.New("either provide a secret name or use --all to remove all secrets")
-	}
-	return nil
-}
-
 func Remove(ctx context.Context, names []string, opts RmOpts) error {
 	c := desktop.NewSecretsClient()
 	if opts.All && len(names) == 0 {

cmd/docker-mcp/secret-management/secret/root.go

@@ -6,22 +6,10 @@ import (
 	"os"
 	"strings"
 
-	"github.com/spf13/cobra"
-
 	"github.com/docker/mcp-gateway/cmd/docker-mcp/internal/desktop"
 	"github.com/docker/mcp-gateway/cmd/docker-mcp/internal/tui"
 )
 
-const setExample = `
-# Using secrets for postgres password with default policy:
-docker mcp secret set POSTGRES_PASSWORD=my-secret-password
-docker run -d -l x-secret:POSTGRES_PASSWORD=/pwd.txt -e POSTGRES_PASSWORD_FILE=/pwd.txt -p 5432 postgres
-
-# Or pass the secret via STDIN:
-echo my-secret-password > pwd.txt
-cat pwd.txt | docker mcp secret set POSTGRES_PASSWORD
-`
-
 const (
 	Credstore = "credstore"
 )
@@ -30,79 +18,42 @@ type SetOpts struct {
 	Provider string
 }
 
-func setCommand() *cobra.Command {
-	opts := &SetOpts{}
-	cmd := &cobra.Command{
-		Use:     "set key[=value]",
-		Short:   "Set a secret in Docker Desktop's secret store",
-		Example: strings.Trim(setExample, "\n"),
-		Args:    cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			if !isValidProvider(opts.Provider) {
-				return fmt.Errorf("invalid provider: %s", opts.Provider)
-			}
-			var s secret
-			if isNotImplicitReadFromStdinSyntax(args, *opts) {
-				va, err := parseArg(args[0], *opts)
-				if err != nil {
-					return err
-				}
-				s = *va
-			} else {
-				val, err := secretMappingFromSTDIN(cmd.Context(), args[0])
-				if err != nil {
-					return err
-				}
-				s = *val
-			}
-			return Set(cmd.Context(), s, *opts)
-		},
-	}
-	flags := cmd.Flags()
-	flags.StringVar(&opts.Provider, "provider", "", "Supported: credstore, oauth/<provider>")
-	return cmd
-}
-
-func isNotImplicitReadFromStdinSyntax(args []string, opts SetOpts) bool {
-	return strings.Contains(args[0], "=") || len(args) > 1 || opts.Provider != ""
-}
-
-func secretMappingFromSTDIN(ctx context.Context, key string) (*secret, error) {
+func MappingFromSTDIN(ctx context.Context, key string) (*Secret, error) {
 	data, err := tui.ReadAllWithContext(ctx, os.Stdin)
 	if err != nil {
 		return nil, err
 	}
 
-	return &secret{
+	return &Secret{
 		key: key,
 		val: string(data),
 	}, nil
 }
 
-type secret struct {
+type Secret struct {
 	key string
 	val string
 }
 
-func parseArg(arg string, opts SetOpts) (*secret, error) {
+func ParseArg(arg string, opts SetOpts) (*Secret, error) {
 	if !isDirectValueProvider(opts.Provider) && strings.Contains(arg, "=") {
 		return nil, fmt.Errorf("provider cannot be used with key=value pairs: %s", arg)
 	}
 	if !isDirectValueProvider(opts.Provider) {
-		return &secret{key: arg, val: ""}, nil
+		return &Secret{key: arg, val: ""}, nil
 	}
 	parts := strings.Split(arg, "=")
 	if len(parts) != 2 {
 		return nil, fmt.Errorf("no key=value pair: %s", arg)
 	}
-	return &secret{key: parts[0], val: parts[1]}, nil
+	return &Secret{key: parts[0], val: parts[1]}, nil
 }
 
 func isDirectValueProvider(provider string) bool {
 	return provider == "" || provider == Credstore
 }
 
-func Set(ctx context.Context, s secret, opts SetOpts) error {
+func Set(ctx context.Context, s Secret, opts SetOpts) error {
 	if opts.Provider == Credstore {
 		p := NewCredStoreProvider()
 		if err := p.SetSecret(s.key, s.val); err != nil {
@@ -116,7 +67,7 @@ func Set(ctx context.Context, s secret, opts SetOpts) error {
 	})
 }
 
-func isValidProvider(provider string) bool {
+func IsValidProvider(provider string) bool {
 	if provider == "" {
 		return true
 	}