oxidecomputer · augustuswm · Apr 28, 2026 · Apr 29, 2026 · Apr 29, 2026 · Apr 30, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -4,6 +4,7 @@ members = [
   "v-api-installer",
   "v-api-param",
   "v-api-permission-derive",
+  "v-cli-sdk",
   "v-model",
   "xtask"
 ]
@@ -12,7 +13,7 @@ resolver = "2"
 [workspace.package]
 publish = true
 edition = "2024"
-version = "0.3.0"
+version = "0.4.0"
 
 [workspace.dependencies]
 anyhow = "1.0"
@@ -34,14 +35,16 @@ hex = "0.4.3"
 http = "1"
 http-body-util = "0.1.3"
 hyper = "1.9.0"
+hyper-util = "0.1"
 jsonwebtoken = { version = "10.2", features = ["aws_lc_rs"] }
 mockall = "0.14.0"
 newtype-uuid = { version = "1.3.2", features = ["schemars08", "serde", "v4"] }
 oauth2 = { version = "5.0.0", default-features = false }
 oauth2-reqwest = "0.1.0-alpha.3"
+owo-colors = "4.2.3"
 partial-struct = { git = "https://github.com/oxidecomputer/partial-struct" }
-percent-encoding = "2.3.2"
 proc-macro2 = "1"
+progenitor-client = "0.14.0"
 quote = "1"
 rand = "0.10.1"
 rand_core = "0.10.1"
@@ -58,6 +61,7 @@ sha2 = "0.11.0"
 slog = "2.8.2"
 steno = { git = "https://github.com/oxidecomputer/steno" }
 syn = "2"
+tabwriter = "1.4.1"
 tap = "1.0.1"
 tempfile = "3"
 thiserror = "2"

diff --git a/v-api-permission-derive/src/lib.rs b/v-api-permission-derive/src/lib.rs
@@ -439,6 +439,7 @@ fn from_system_permission_tokens(
                         VPermission::ManageMagicLinkClientsAll => Self::ManageMagicLinkClientsAll,
 
                         VPermission::CreateAccessToken => Self::CreateAccessToken,
+                        VPermission::RetrieveRemoteAccessToken => Self::RetrieveRemoteAccessToken,
 
                         VPermission::GetSagasAll => Self::GetSagasAll,
                         VPermission::ManageSagasAll => Self::ManageSagasAll,
@@ -722,6 +723,7 @@ fn system_permission_tokens() -> TokenStream {
             ManageMagicLinkClientsAll,
 
             CreateAccessToken,
+            RetrieveRemoteAccessToken,
 
             #[v_api(scope(to = "saga:r", from = "saga:r"))]
             GetSagasAll,

diff --git a/v-api/Cargo.toml b/v-api/Cargo.toml
@@ -29,7 +29,6 @@ oauth2 = { workspace = true }
 oauth2-reqwest = { workspace = true }
 newtype-uuid = { workspace = true }
 partial-struct = { workspace = true }
-percent-encoding = { workspace = true }
 rand = { workspace = true, features = ["std"] }
 reqwest = { workspace = true }
 rsa = { workspace = true, features = ["sha2"] }

diff --git a/v-api/src/config.rs b/v-api/src/config.rs
@@ -8,20 +8,23 @@ use jsonwebtoken::jwk::{
     AlgorithmParameters, CommonParameters, Jwk, KeyAlgorithm, PublicKeyUse, RSAKeyParameters,
     RSAKeyType,
 };
+use newtype_uuid::TypedUuid;
+use partial_struct::partial;
 use rsa::{
     RsaPrivateKey, RsaPublicKey,
     pkcs1v15::{SigningKey, VerifyingKey},
     pkcs8::{DecodePrivateKey, DecodePublicKey},
     traits::PublicKeyParts,
 };
-use secrecy::ExposeSecret;
+use secrecy::{ExposeSecret, SecretString};
 use serde::{
     Deserialize, Deserializer,
     de::{self, Visitor},
 };
 use std::path::PathBuf;
 use thiserror::Error;
-use v_api_param::StringParam;
+use v_api_param::{ParamResolutionError, StringParam};
+use v_model::OAuthClientId;
 
 use crate::{
     authn::{
@@ -151,25 +154,108 @@ pub struct SendGridConfig {
 pub struct OAuthProviders {
     pub github: Option<OAuthConfig>,
     pub google: Option<OAuthConfig>,
+    pub zendesk: Option<OAuthConfig>,
 }
 
-#[derive(Debug, Deserialize)]
+#[partial(ResolvedOAuthConfig)]
+#[derive(Clone, Debug, Deserialize)]
 pub struct OAuthConfig {
-    pub device: OAuthDeviceConfig,
-    pub web: OAuthWebConfig,
+    #[partial(ResolvedOAuthConfig(retype = Option<ResolvedOAuthDeviceConfig>))]
+    pub device: Option<OAuthDeviceConfig>,
+    #[partial(ResolvedOAuthConfig(retype = Option<ResolvedOAuthWebConfig>))]
+    pub web: Option<OAuthWebConfig>,
+    #[partial(ResolvedOAuthConfig(retype = Option<ResolvedOAuthWebProxyConfig>))]
+    pub proxy_web: Option<OAuthWebProxyConfig>,
 }
 
-#[derive(Debug, Deserialize)]
+#[partial(ResolvedOAuthDeviceConfig)]
+#[derive(Clone, Debug, Deserialize)]
 pub struct OAuthDeviceConfig {
-    pub client_id: String,
-    pub client_secret: StringParam,
+    pub client_id: TypedUuid<OAuthClientId>,
+    pub remote_client_id: String,
+    #[partial(ResolvedOAuthDeviceConfig(retype = SecretString))]
+    pub remote_client_secret: StringParam,
 }
 
-#[derive(Debug, Deserialize)]
+#[partial(ResolvedOAuthWebConfig)]
+#[derive(Clone, Debug, Deserialize)]
 pub struct OAuthWebConfig {
-    pub client_id: String,
-    pub client_secret: StringParam,
+    pub remote_client_id: String,
+    #[partial(ResolvedOAuthWebConfig(retype = SecretString))]
+    pub remote_client_secret: StringParam,
+}
+
+#[partial(ResolvedOAuthWebProxyConfig)]
+#[derive(Clone, Debug, Deserialize)]
+pub struct OAuthWebProxyConfig {
+    pub client_id: TypedUuid<OAuthClientId>,
     pub redirect_uri: String,
+    pub proxy_port: u16,
+}
+
+impl OAuthConfig {
+    pub fn resolve(
+        &self,
+        base: Option<PathBuf>,
+    ) -> Result<ResolvedOAuthConfig, ParamResolutionError> {
+        let device = self
+            .device
+            .as_ref()
+            .map(|d| d.resolve(base.clone()))
+            .transpose()?;
+        let web = self
+            .web
+            .as_ref()
+            .map(|w| w.resolve(base.clone()))
+            .transpose()?;
+        let proxy_web = self
+            .proxy_web
+            .as_ref()
+            .map(|p| p.resolve(base))
+            .transpose()?;
+        Ok(ResolvedOAuthConfig {
+            device,
+            web,
+            proxy_web,
+        })
+    }
+}
+impl OAuthDeviceConfig {
+    pub fn resolve(
+        &self,
+        base: Option<PathBuf>,
+    ) -> Result<ResolvedOAuthDeviceConfig, ParamResolutionError> {
+        let remote_client_secret = self.remote_client_secret.resolve(base)?;
+        Ok(ResolvedOAuthDeviceConfig {
+            client_id: self.client_id,
+            remote_client_id: self.remote_client_id.clone(),
+            remote_client_secret,
+        })
+    }
+}
+impl OAuthWebConfig {
+    pub fn resolve(
+        &self,
+        base: Option<PathBuf>,
+    ) -> Result<ResolvedOAuthWebConfig, ParamResolutionError> {
+        let remote_client_secret = self.remote_client_secret.resolve(base)?;
+        Ok(ResolvedOAuthWebConfig {
+            remote_client_id: self.remote_client_id.clone(),
+            remote_client_secret,
+        })
+    }
+}
+impl OAuthWebProxyConfig {
+    pub fn resolve(
+        &self,
+        _base: Option<PathBuf>,
+    ) -> Result<ResolvedOAuthWebProxyConfig, ParamResolutionError> {
+        Ok(ResolvedOAuthWebProxyConfig {
+            client_id: self.client_id,
+            redirect_uri: self.redirect_uri.clone(),
+            proxy_port: self.proxy_port,
+        })
+    }
 }
 
 impl AsymmetricKey {