From feda177b6a75ecd91266046b6cebe5da995637f5 Mon Sep 17 00:00:00 2001
From: Graham Christensen <graham@grahamc.com>
Date: Tue, 5 Nov 2024 20:51:43 -0500
Subject: [PATCH 1/2] Replace --use-scoped-token with --no-scoped-token

---
 src/cli/cmd/apply/mod.rs | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/cli/cmd/apply/mod.rs b/src/cli/cmd/apply/mod.rs
index 59480f1..ec5b37f 100644
--- a/src/cli/cmd/apply/mod.rs
+++ b/src/cli/cmd/apply/mod.rs
@@ -25,9 +25,10 @@ pub(crate) struct ApplySubcommand {
     #[clap(subcommand)]
     system: System,
 
-    /// Use a scoped token generated by FlakeHub that allows substituting the given output _only_.
-    #[clap(long, default_value_t = true)]
-    use_scoped_token: bool,
+    /// By default, fh apply exchanges its API token for a tightly scoped token generated by FlakeHub that _only_ allows substituting the given output.
+    /// Pass --no-scoped-token to use the system's FlakeHub token, and not perform exchanging for a tightly scoped token.
+    #[clap(long, default_value_t = false)]
+    no_scoped_token: bool,
 
     #[clap(from_global)]
     api_addr: url::Url,
@@ -86,7 +87,7 @@ impl CommandExecute for ApplySubcommand {
         tracing::info!(%output_ref, "Resolving output reference");
 
         let resolved_path =
-            FlakeHubClient::resolve(self.api_addr.as_ref(), &output_ref, self.use_scoped_token)
+            FlakeHubClient::resolve(self.api_addr.as_ref(), &output_ref, !self.no_scoped_token)
                 .await?;
 
         tracing::debug!(
@@ -99,7 +100,7 @@ impl CommandExecute for ApplySubcommand {
 
         match resolved_path.token {
             Some(token) => {
-                if self.use_scoped_token {
+                if !self.no_scoped_token {
                     let mut nix_args = vec![
                         "copy".to_string(),
                         "--option".to_string(),
@@ -168,7 +169,7 @@ impl CommandExecute for ApplySubcommand {
                 }
             }
             None => {
-                if self.use_scoped_token {
+                if !self.no_scoped_token {
                     return Err(color_eyre::eyre::eyre!(
                         "FlakeHub did not return a restricted token!"
                     ));

From 24532f1e99a9d46ef91f4a59212b9e3a5489867c Mon Sep 17 00:00:00 2001
From: Graham Christensen <graham@grahamc.com>
Date: Wed, 6 Nov 2024 16:59:55 -0500
Subject: [PATCH 2/2] Replace the new flag with a value enum

---
 src/cli/cmd/apply/mod.rs | 39 ++++++++++++++++++++++++++++++---------
 1 file changed, 30 insertions(+), 9 deletions(-)

diff --git a/src/cli/cmd/apply/mod.rs b/src/cli/cmd/apply/mod.rs
index ec5b37f..814182b 100644
--- a/src/cli/cmd/apply/mod.rs
+++ b/src/cli/cmd/apply/mod.rs
@@ -19,6 +19,25 @@ use self::{home_manager::HomeManager, nix_darwin::NixDarwin, nixos::NixOs};
 
 use super::{CommandExecute, FlakeHubClient};
 
+#[derive(Copy, Clone, PartialEq, Eq, clap::ValueEnum)]
+enum TokenChoice {
+    Always,
+    Never,
+}
+
+impl std::fmt::Display for TokenChoice {
+    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+        write!(
+            f,
+            "{}",
+            match self {
+                TokenChoice::Always => "always",
+                TokenChoice::Never => "never",
+            }
+        )
+    }
+}
+
 /// Apply the configuration at the specified FlakeHub output reference to the current system
 #[derive(Parser)]
 pub(crate) struct ApplySubcommand {
@@ -26,9 +45,9 @@ pub(crate) struct ApplySubcommand {
     system: System,
 
     /// By default, fh apply exchanges its API token for a tightly scoped token generated by FlakeHub that _only_ allows substituting the given output.
-    /// Pass --no-scoped-token to use the system's FlakeHub token, and not perform exchanging for a tightly scoped token.
-    #[clap(long, default_value_t = false)]
-    no_scoped_token: bool,
+    /// Pass --use-scoped-token=never to use the system's FlakeHub token, and not perform exchanging for a tightly scoped token.
+    #[clap(long, default_value_t = TokenChoice::Always)]
+    use_scoped_token: TokenChoice,
 
     #[clap(from_global)]
     api_addr: url::Url,
@@ -86,10 +105,12 @@ impl CommandExecute for ApplySubcommand {
 
         tracing::info!(%output_ref, "Resolving output reference");
 
-        let resolved_path =
-            FlakeHubClient::resolve(self.api_addr.as_ref(), &output_ref, !self.no_scoped_token)
-                .await?;
-
+        let resolved_path = FlakeHubClient::resolve(
+            self.api_addr.as_ref(),
+            &output_ref,
+            self.use_scoped_token == TokenChoice::Always,
+        )
+        .await?;
         tracing::debug!(
             "Successfully resolved reference {} to path {}",
             &output_ref,
@@ -100,7 +121,7 @@ impl CommandExecute for ApplySubcommand {
 
         match resolved_path.token {
             Some(token) => {
-                if !self.no_scoped_token {
+                if self.use_scoped_token == TokenChoice::Always {
                     let mut nix_args = vec![
                         "copy".to_string(),
                         "--option".to_string(),
@@ -169,7 +190,7 @@ impl CommandExecute for ApplySubcommand {
                 }
             }
             None => {
-                if !self.no_scoped_token {
+                if self.use_scoped_token == TokenChoice::Always {
                     return Err(color_eyre::eyre::eyre!(
                         "FlakeHub did not return a restricted token!"
                     ));