feat: add --admin and --env flags to base44 exec#435

Open
netanelgilad wants to merge 2 commits intomainfrom
feat/exec-admin-env-flags

Contributor

@netanelgilad netanelgilad commented Mar 21, 2026

Note

Description

This PR adds --admin and --env flags to the base44 exec command. The --admin flag enables admin-level access by sending the X-Bypass-RLS header, bypassing row-level security for users with owner/editor roles. The --env flag allows specifying a data environment (e.g., dev, share, production) via the X-Data-Env header.

Related Issue

None

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Other (please describe):

Changes Made

  • Added --admin flag to base44 exec that passes BASE44_ADMIN=true env var to the Deno subprocess, causing it to send X-Bypass-RLS: true on all SDK requests
  • Added --env <environment> flag to base44 exec that passes BASE44_DATA_ENV to the Deno subprocess, which sets X-Data-Env on all SDK requests
  • Updated RunScriptOptions interface in run-script.ts to accept admin and dataEnv options
  • Updated deno-runtime/exec.ts to read the new env vars and inject them as custom headers when creating the SDK client
  • Added comprehensive integration tests covering all flag combinations and header verification

Testing

  • I have tested these changes locally
  • I have added/updated tests as needed
  • All tests pass (npm test)

Checklist

  • My code follows the project's style guidelines
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (if applicable)
  • My changes generate no new warnings
  • I have updated docs/ (AGENTS.md) if I made architectural changes

Additional Notes

The --admin flag requires the user to have app owner or editor role. Both flags are optional and can be combined. The env var approach cleanly passes these settings from the CLI process through to the Deno subprocess without requiring IPC.


🤖 Generated by Claude | 2026-03-21 14:49 UTC
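
The flag-to-env-var-to-header path described in this PR, as an added TypeScript example that is not the PR's or the project's own code. The function names are hypothetical and the allowlist is assumed from the `--env` help text; inherited values are dropped on the CLI side and the data environment is re-validated before it becomes a header.

```typescript
// Added example; function and type names are hypothetical, not the base44 CLI's.
type Env = Record<string, string | undefined>;

// Values listed in the --env help text; assumed here to be the complete set.
const DATA_ENVS: string[] = ["dev", "share", "production"];

interface ExecFlags {
  admin?: boolean;
  dataEnv?: string;
}

// CLI side: build the environment handed to the Deno subprocess.
function buildSubprocessEnv(flags: ExecFlags, parentEnv: Env): Env {
  const env: Env = { ...parentEnv };
  // Drop inherited values so only an explicit flag can enable them.
  delete env["BASE44_ADMIN"];
  delete env["BASE44_DATA_ENV"];
  if (flags.admin === true) env["BASE44_ADMIN"] = "true";
  if (flags.dataEnv !== undefined) {
    if (DATA_ENVS.indexOf(flags.dataEnv) === -1) {
      throw new Error(`--env must be one of: ${DATA_ENVS.join(", ")}`);
    }
    env["BASE44_DATA_ENV"] = flags.dataEnv;
  }
  return env;
}

// Subprocess side: turn the env vars into the custom SDK headers.
function headersFromEnv(env: Env): Record<string, string> {
  const headers: Record<string, string> = {};
  // Exact match only: "1", "TRUE" or "yes" do not enable the bypass.
  if (env["BASE44_ADMIN"] === "true") headers["X-Bypass-RLS"] = "true";
  const dataEnv = env["BASE44_DATA_ENV"];
  if (dataEnv !== undefined) {
    // Re-validate: the value becomes an HTTP header, so anything outside
    // the allowlist (including values containing CR/LF) is rejected.
    if (DATA_ENVS.indexOf(dataEnv) === -1) {
      throw new Error(`invalid BASE44_DATA_ENV: ${JSON.stringify(dataEnv)}`);
    }
    headers["X-Data-Env"] = dataEnv;
  }
  return headers;
}
```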

Add two new flags to the exec command:
- `--admin` sends X-Bypass-RLS: true header via the SDK client, enabling
  admin access that bypasses Row Level Security rules
- `--env <environment>` sends X-Data-Env header (accepts dev, share, or
  prod) to target a specific data environment

The flags are passed as env vars (BASE44_ADMIN, BASE44_DATA_ENV) to the
Deno subprocess, which reads them and builds custom headers for the SDK
client.

Includes 8 new tests covering header injection, absence without flags,
combined usage, and env var propagation to the Deno subprocess.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Contributor

github-actions bot commented Mar 21, 2026

🚀 Package Preview Available!


Install this PR's preview build with npm:

npm i @base44-preview/cli@0.0.47-pr.435.27294cb

Prefer not to change any import paths? Install using npm alias so your code still imports base44:

npm i "base44@npm:@base44-preview/cli@0.0.47-pr.435.27294cb"

Or add it to your package.json dependencies:

{
  "dependencies": {
    "base44": "npm:@base44-preview/cli@0.0.47-pr.435.27294cb"
  }
}

Preview published to npm registry — try new features instantly!

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Comment on lines +70 to +73
.option(
"--env <environment>",
"Data environment to use (dev, share, or production). Defaults to production.",
)
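
Review bot: The `--env <environment>` option is declared as free-form text, so the three values named in its description (dev, share, production) are not enforced anywhere in this hunk, and the commit message lists the third value as prod rather than production. Since the value is forwarded as BASE44_DATA_ENV and ends up in the X-Data-Env header, suggest restricting it to a fixed allowlist at parse time, failing with a clear error on anything else, and settling on one spelling for the production value in the help text and docs.
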
Collaborator

What is this? Is this a documented feature? For example, what is dev vs shared?

Comment on lines +66 to +69
.option(
"--admin",
"Run with admin privileges (bypass RLS). Requires app owner/editor role.",
)
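
Review bot: The `--admin` description says "Run with admin privileges (bypass RLS)" but does not say that the bypass applies to every SDK request the script makes, which is what the PR description states for X-Bypass-RLS. Suggest saying so in the help string and printing a one-line notice to stderr when the flag is active, so a run with RLS disabled is visible in terminal output and CI logs. Also worth confirming that BASE44_ADMIN is set only when this flag is passed and is cleared otherwise, so a value inherited from the parent shell cannot enable the bypass on its own.
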
Collaborator

maybe we should be specific and call this --skip-rls or something?

Contributor Author

yeah, just thinking how not to "scare" users/agents with such a name to the flag. @claude got a good idea for a flag name?

@claude claude bot Mar 22, 2026

Claude finished @netanelgilad's task in 21s —— View job


Here are a few flag name ideas that convey elevated access without being alarming:

| Name | Pros | Cons |
| --- | --- | --- |
| --privileged | Familiar from Docker/containers, clearly signals elevated access | Still sounds "serious" |
| --full-access | Plain English, self-explanatory | A bit verbose |
| --unrestricted | Describes exactly what it does (no RLS restrictions) | Could imply security risk |
| --as-owner | Communicates who you're acting as, not what you're bypassing | Slightly misleading (editor role also works) |
| --bypass-filters | Softer than "bypass-rls", avoids technical jargon | Vague |

My recommendation: --privileged

It's already familiar to developers from tools like Docker (docker run --privileged), signals that the user is opting into elevated permissions intentionally, and is less alarming than --admin or --skip-rls. It also doesn't expose the internal "RLS" terminology to users who may not know what that means.

Runner-up: --full-access — if you want something even more self-documenting for non-technical users or agents reading the help text.

Contributor Author

@netanelgilad netanelgilad Mar 22, 2026

@kfirstri I don't have any strong opinion here, got something you liked here?

Collaborator

@kfirstri kfirstri left a comment

Added some comments. I'm not clear about what this --env flag is. What are shared data environments? Is this something users are aware of?
