feat(client/cli): reusable client configuration

[tkircsi]

Closes #1158

Context CLI Summary

This PR adds a dirctl context command group for inspecting and switching reusable client configuration profiles:

• dirctl context list lists configured contexts and marks the persisted current_context.
• dirctl context current prints the persisted current context, with --quiet and --json variants for prompt/status integrations.
• dirctl context set <name> persists a configured context as the active default.
• dirctl context show [name] displays the effective resolved client configuration with sensitive values redacted.
• dirctl context validate [name] validates one or all configured contexts and reports actionable errors.

Contexts are selected by --context, DIRECTORY_CLIENT_CONTEXT, or the persisted current_context, and are resolved through the shared client config package for CLI and SDK reuse.

Default Config Path

The default client config path is:

$XDG_CONFIG_HOME/dirctl/config.yaml

If XDG_CONFIG_HOME is not set, the path falls back to:

~/.config/dirctl/config.yaml

Config Schema

The config file contains a persisted current context and a map of named contexts:

current_context: <context-name>
contexts:
  <context-name>:
    server_address: <host:port>
    auth_mode: <insecure|none|jwt|x509|token|tls|oidc>
    spiffe_socket_path: <path>
    spiffe_token: <token>
    jwt_audience: <audience>
    tls_skip_verify: <true|false>
    tls_ca_file: <path>
    tls_cert_file: <path>
    tls_key_file: <path>
    oidc_issuer: <issuer-url>
    oidc_client_id: <client-id>
    auth_token: <bearer-token>

Only fields required for the selected auth mode need to be set. Sensitive values such as auth_token and spiffe_token are redacted by dirctl context show.

Example Config

current_context: dev
contexts:
  dev:
    server_address: dev.gateway.example.com:443
    auth_mode: oidc
    oidc_issuer: https://dev.idp.example.com
    oidc_client_id: dirctl

  prod:
    server_address: prod.gateway.example.com:443
    auth_mode: oidc
    oidc_issuer: https://prod.idp.example.com
    oidc_client_id: dirctl

  daemon:
    server_address: localhost:8888
    auth_mode: insecure

[github-actions]

The latest Buf updates on your PR. Results from workflow Buf CI / verify-proto (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	⏩ skipped	⏩ skipped	✅ passed	May 12, 2026, 3:08 PM

[codecov]

Codecov Report

❌ Patch coverage is 65.20076% with 182 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
client/config/config.go	56.5%	106 Missing and 31 partials ⚠️
cli/cmd/context/current.go	71.7%	7 Missing and 6 partials ⚠️
cli/cmd/context/show.go	82.1%	5 Missing and 5 partials ⚠️
cli/cmd/context/validate.go	60.0%	5 Missing and 3 partials ⚠️
cli/cmd/context/list.go	61.5%	3 Missing and 2 partials ⚠️
cli/cmd/context/context.go	72.7%	3 Missing ⚠️
cli/cmd/auth/auth.go	86.7%	1 Missing and 1 partial ⚠️
cli/cmd/context/set.go	66.7%	1 Missing and 1 partial ⚠️
cli/cmd/root.go	89.5%	1 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

[arpad-csepi]

nit: might worth to add a flag for disable redact if the user want to see the sensitive data as well in the dirctl context show