Implement Task 3.6: Add confirmation for existing values

ritwik-g · claude · ritwik-g · commit 64aca0c2f61c · 2025-06-14T00:35:50.000+05:30
Enhanced values set and set-secret commands with overwrite protection: Features: - Check for existing values before setting new ones - Show current value (masked for secrets) when confirming overwrite - Prompt "Value already exists. Overwrite? [y/N]" with safe default - Special handling for secrets showing "env:VAR_NAME" format - Warning when overwriting regular values with secrets - --force flag to bypass confirmation prompts on both commands User Experience: - Prevents accidental overwrites with confirmation prompts - Clear display of current values for informed decisions - Graceful cancellation with proper exit handling - Consistent behavior across set and set-secret commands Safety: - Default "No" on confirmation prompts - Force flag available for automation/scripting - Proper masking of sensitive information - Comprehensive test coverage for all scenarios 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/guide/prompt_plan.md b/guide/prompt_plan.md
@@ -137,6 +137,23 @@ Update `values set-secret` command to:
 ```
 **Status**: Completed - Extensible menu with validation framework
 
+#### Task 3.6: Add Confirmation for Existing Values ✅
+```prompt
+Update both `values set` and `values set-secret` commands to:
+1. Check if the key already exists in the specified environment
+2. If exists:
+   a. Show current value (masked for secrets)
+   b. Prompt: "Value already exists. Overwrite? [y/N]"
+   c. Abort if not confirmed
+3. For `values set-secret`:
+   a. Show both current type and name if available
+   b. Example prompt: 
+        "Key 'database-password' already set as env:PROD_DB_PASSWORD
+         Overwrite? [y/N]"
+4. Add --force flag to bypass confirmation
+```
+**Status**: Completed - Confirmation prompts with --force flag bypass
+
 ### Phase 4: Core Engine
 #### Task 4.1: Validator
 ```prompt
diff --git a/helm_values_manager/commands/values.py b/helm_values_manager/commands/values.py
@@ -33,6 +33,7 @@ def set_command(
     env: str = typer.Option(..., "--env", "-e", help="Environment name"),
     schema_path: str = typer.Option("schema.json", "--schema", help="Path to schema file"),
     values_path: Optional[str] = typer.Option(None, "--values", help="Path to values file"),
+    force: bool = typer.Option(False, "--force", "-f", help="Skip confirmation for existing values"),
 ):
     """Set a value for a specific environment."""
     # Load schema
@@ -62,6 +63,26 @@ def set_command(
     # Load existing values
     values = load_values(env, values_path)
     
+    # Check if key already exists and confirm overwrite
+    if key in values and not force:
+        current_value = values[key]
+        
+        # Display current value
+        if is_secret_reference(current_value):
+            console.print(f"Key '{key}' already set as [red][SECRET - {current_value['name']}][/red]")
+        else:
+            if isinstance(current_value, (dict, list)):
+                display_value = json.dumps(current_value)
+                if len(display_value) > 50:
+                    display_value = display_value[:47] + "..."
+            else:
+                display_value = str(current_value)
+            console.print(f"Key '{key}' already set to: {display_value}")
+        
+        if not Confirm.ask("Value already exists. Overwrite?", default=False):
+            console.print("Cancelled")
+            raise typer.Exit(0)
+    
     # Set the value
     values[key] = parsed_value
     
@@ -77,6 +98,7 @@ def set_secret_command(
     env: str = typer.Option(..., "--env", "-e", help="Environment name"),
     schema_path: str = typer.Option("schema.json", "--schema", help="Path to schema file"),
     values_path: Optional[str] = typer.Option(None, "--values", help="Path to values file"),
+    force: bool = typer.Option(False, "--force", "-f", help="Skip confirmation for existing values"),
 ):
     """Set a secret value for a specific environment."""
     # Load schema
@@ -117,6 +139,28 @@ def set_secret_command(
         # Load existing values
         values = load_values(env, values_path)
         
+        # Check if key already exists and confirm overwrite
+        if key in values and not force:
+            current_value = values[key]
+            
+            # Display current value
+            if is_secret_reference(current_value):
+                console.print(f"Key '{key}' already set as [red]{current_value['type']}:{current_value['name']}[/red]")
+            else:
+                # Show non-secret value (shouldn't happen for set-secret, but handle gracefully)
+                if isinstance(current_value, (dict, list)):
+                    display_value = json.dumps(current_value)
+                    if len(display_value) > 50:
+                        display_value = display_value[:47] + "..."
+                else:
+                    display_value = str(current_value)
+                console.print(f"Key '{key}' currently set to: {display_value}")
+                console.print("[yellow]Warning:[/yellow] This will overwrite a non-secret value with a secret")
+            
+            if not Confirm.ask("Overwrite?", default=False):
+                console.print("Cancelled")
+                raise typer.Exit(0)
+        
         # Set the secret reference
         values[key] = {"type": "env", "name": env_var_name}
     else:
diff --git a/tests/test_values.py b/tests/test_values.py
@@ -398,4 +398,191 @@ def test_validate_secret_reference():
     not_secret = "plain-value"
     is_valid, error = validate_secret_reference(not_secret)
     assert not is_valid
-    assert "Not a valid secret reference" in error
+    assert "Not a valid secret reference" in error
+
+
+def test_values_set_existing_value_confirmation(tmp_path):
+    """Test confirmation when overwriting existing value."""
+    with runner.isolated_filesystem(temp_dir=tmp_path):
+        schema = create_test_schema()
+        with open("schema.json", "w") as f:
+            json.dump(schema.model_dump(), f)
+        
+        # Set initial value
+        result = runner.invoke(app, ["values", "set", "app-name", "initial-app", "--env", "dev"])
+        assert result.exit_code == 0
+        
+        # Try to overwrite without force, but cancel
+        result = runner.invoke(app, ["values", "set", "app-name", "new-app", "--env", "dev"], input="n\n")
+        
+        assert result.exit_code == 0
+        assert "already set to: initial-app" in result.output
+        assert "Value already exists. Overwrite?" in result.output
+        assert "Cancelled" in result.output
+        
+        # Verify value wasn't changed
+        with open("values-dev.json") as f:
+            values = json.load(f)
+        assert values["app-name"] == "initial-app"
+
+
+def test_values_set_existing_value_overwrite(tmp_path):
+    """Test overwriting existing value with confirmation."""
+    with runner.isolated_filesystem(temp_dir=tmp_path):
+        schema = create_test_schema()
+        with open("schema.json", "w") as f:
+            json.dump(schema.model_dump(), f)
+        
+        # Set initial value
+        result = runner.invoke(app, ["values", "set", "app-name", "initial-app", "--env", "dev"])
+        assert result.exit_code == 0
+        
+        # Overwrite with confirmation
+        result = runner.invoke(app, ["values", "set", "app-name", "new-app", "--env", "dev"], input="y\n")
+        
+        assert result.exit_code == 0
+        assert "already set to: initial-app" in result.output
+        assert "Set 'app-name' = new-app" in result.output
+        
+        # Verify value was changed
+        with open("values-dev.json") as f:
+            values = json.load(f)
+        assert values["app-name"] == "new-app"
+
+
+def test_values_set_existing_value_force(tmp_path):
+    """Test overwriting existing value with --force flag."""
+    with runner.isolated_filesystem(temp_dir=tmp_path):
+        schema = create_test_schema()
+        with open("schema.json", "w") as f:
+            json.dump(schema.model_dump(), f)
+        
+        # Set initial value
+        result = runner.invoke(app, ["values", "set", "app-name", "initial-app", "--env", "dev"])
+        assert result.exit_code == 0
+        
+        # Overwrite with force (no confirmation)
+        result = runner.invoke(app, ["values", "set", "app-name", "forced-app", "--env", "dev", "--force"])
+        
+        assert result.exit_code == 0
+        assert "already set" not in result.output  # No confirmation shown
+        assert "Set 'app-name' = forced-app" in result.output
+        
+        # Verify value was changed
+        with open("values-dev.json") as f:
+            values = json.load(f)
+        assert values["app-name"] == "forced-app"
+
+
+def test_values_set_secret_existing_confirmation(tmp_path, monkeypatch):
+    """Test confirmation when overwriting existing secret."""
+    with runner.isolated_filesystem(temp_dir=tmp_path):
+        schema = create_test_schema()
+        with open("schema.json", "w") as f:
+            json.dump(schema.model_dump(), f)
+        
+        # Set environment variables
+        monkeypatch.setenv("OLD_PASSWORD", "old_secret")
+        monkeypatch.setenv("NEW_PASSWORD", "new_secret")
+        
+        # Set initial secret
+        result = runner.invoke(app, ["values", "set-secret", "db-password", "--env", "dev"], input="1\nOLD_PASSWORD\n")
+        assert result.exit_code == 0
+        
+        # Try to overwrite but cancel
+        result = runner.invoke(app, ["values", "set-secret", "db-password", "--env", "dev"], input="1\nNEW_PASSWORD\nn\n")
+        
+        assert result.exit_code == 0
+        assert "already set as env:OLD_PASSWORD" in result.output
+        assert "Overwrite?" in result.output
+        assert "Cancelled" in result.output
+        
+        # Verify secret wasn't changed
+        with open("values-dev.json") as f:
+            values = json.load(f)
+        assert values["db-password"]["name"] == "OLD_PASSWORD"
+
+
+def test_values_set_secret_existing_overwrite(tmp_path, monkeypatch):
+    """Test overwriting existing secret with confirmation."""
+    with runner.isolated_filesystem(temp_dir=tmp_path):
+        schema = create_test_schema()
+        with open("schema.json", "w") as f:
+            json.dump(schema.model_dump(), f)
+        
+        # Set environment variables
+        monkeypatch.setenv("OLD_PASSWORD", "old_secret")
+        monkeypatch.setenv("NEW_PASSWORD", "new_secret")
+        
+        # Set initial secret
+        result = runner.invoke(app, ["values", "set-secret", "db-password", "--env", "dev"], input="1\nOLD_PASSWORD\n")
+        assert result.exit_code == 0
+        
+        # Overwrite with confirmation
+        result = runner.invoke(app, ["values", "set-secret", "db-password", "--env", "dev"], input="1\nNEW_PASSWORD\ny\n")
+        
+        assert result.exit_code == 0
+        assert "already set as env:OLD_PASSWORD" in result.output
+        assert "Set secret 'db-password'" in result.output
+        
+        # Verify secret was changed
+        with open("values-dev.json") as f:
+            values = json.load(f)
+        assert values["db-password"]["name"] == "NEW_PASSWORD"
+
+
+def test_values_set_secret_existing_force(tmp_path, monkeypatch):
+    """Test overwriting existing secret with --force flag."""
+    with runner.isolated_filesystem(temp_dir=tmp_path):
+        schema = create_test_schema()
+        with open("schema.json", "w") as f:
+            json.dump(schema.model_dump(), f)
+        
+        # Set environment variables
+        monkeypatch.setenv("OLD_PASSWORD", "old_secret")
+        monkeypatch.setenv("NEW_PASSWORD", "new_secret")
+        
+        # Set initial secret
+        result = runner.invoke(app, ["values", "set-secret", "db-password", "--env", "dev"], input="1\nOLD_PASSWORD\n")
+        assert result.exit_code == 0
+        
+        # Overwrite with force (no confirmation)
+        result = runner.invoke(app, ["values", "set-secret", "db-password", "--env", "dev", "--force"], input="1\nNEW_PASSWORD\n")
+        
+        assert result.exit_code == 0
+        assert "already set" not in result.output  # No confirmation shown
+        assert "Set secret 'db-password'" in result.output
+        
+        # Verify secret was changed
+        with open("values-dev.json") as f:
+            values = json.load(f)
+        assert values["db-password"]["name"] == "NEW_PASSWORD"
+
+
+def test_values_set_secret_overwrite_regular_value_warning(tmp_path, monkeypatch):
+    """Test warning when overwriting regular value with secret."""
+    with runner.isolated_filesystem(temp_dir=tmp_path):
+        schema = create_test_schema()
+        with open("schema.json", "w") as f:
+            json.dump(schema.model_dump(), f)
+        
+        # Set environment variable
+        monkeypatch.setenv("SECRET_PASSWORD", "secret")
+        
+        # Set initial regular value (even though it should be secret)
+        values = {"db-password": "plain-text-password"}
+        with open("values-dev.json", "w") as f:
+            json.dump(values, f)
+        
+        # Try to overwrite with secret
+        result = runner.invoke(app, ["values", "set-secret", "db-password", "--env", "dev"], input="1\nSECRET_PASSWORD\ny\n")
+        
+        assert result.exit_code == 0
+        assert "currently set to: plain-text-password" in result.output
+        assert "This will overwrite a non-secret value with a secret" in result.output
+        
+        # Verify it was changed to secret
+        with open("values-dev.json") as f:
+            values = json.load(f)
+        assert values["db-password"]["type"] == "env"
+        assert values["db-password"]["name"] == "SECRET_PASSWORD"
