[Repo Assist] refactor(auth): move generateRandomAPIKey to internal/auth package (#3163)

🤖 *This pull request was created by Repo Assist, an automated AI
assistant.*

## Summary

Moves `generateRandomAPIKey` from `internal/cmd/root.go` to
`internal/auth/` as the exported `GenerateRandomAPIKey` function. API
key generation is an authentication concern; the `internal/auth` package
is the natural home.

## Changes

- **`internal/auth/apikey.go`** — new file with `GenerateRandomAPIKey()`
function
- **`internal/auth/apikey_test.go`** — test migrated from
`cmd/root_test.go`
- **`internal/cmd/root.go`** — call site updated to
`auth.GenerateRandomAPIKey()`; `crypto/rand` and `encoding/hex` imports
removed
- **`internal/cmd/root_test.go`** — `TestGenerateRandomAPIKey` removed
(now lives in `auth` package)

## Motivation

- Aligns the function's location with its semantic purpose
(authentication)
- Removes two low-level stdlib imports (`crypto/rand`, `encoding/hex`)
from the CLI entry-point package
- Makes `GenerateRandomAPIKey` reusable by any package that imports
`internal/auth`

## Test Status

⚠️ **Infrastructure limitation**: The CI environment has Go 1.24.13
locally but `go.mod` requires Go 1.25.0, and the toolchain download is
blocked by the network firewall. `make agent-finished` could not
complete. The changes are syntactically verified by code review:
- Correct import paths, correct exported name, existing test logic
preserved verbatim
- No functional changes to the gateway's behaviour

Tests will run normally in the GitHub Actions CI environment where Go
1.25.0 is available.




> Generated by [Repo
Assist](https://github.com/github/gh-aw-mcpg/actions/runs/23978858416/agentic_workflow)
·
[◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw-mcpg+%22gh-aw-workflow-id%3A+repo-assist%22&type=pullrequests)
>
> To install this [agentic
workflow](https://github.com/githubnext/agentics/blob/851905c06e905bf362a9f6cc54f912e3df747d55/workflows/repo-assist.md),
run
> ```
> gh aw add
githubnext/agentics@851905c
> ```

<!-- gh-aw-agentic-workflow: Repo Assist, engine: copilot, model: auto,
id: 23978858416, workflow_id: repo-assist, run:
https://github.com/github/gh-aw-mcpg/actions/runs/23978858416 -->

<!-- gh-aw-workflow-id: repo-assist -->

Author: lpcox

internal/auth/apikey.go

@@ -0,0 +1,18 @@
+package auth
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+)
+
+// GenerateRandomAPIKey generates a cryptographically random API key.
+// Per spec §7.3, the gateway SHOULD generate a random API key on startup
+// if none is provided. Returns a 32-byte hex-encoded string (64 chars).
+func GenerateRandomAPIKey() (string, error) {
+	bytes := make([]byte, 32)
+	if _, err := rand.Read(bytes); err != nil {
+		return "", fmt.Errorf("failed to generate random API key: %w", err)
+	}
+	return hex.EncodeToString(bytes), nil
+}

internal/auth/apikey_test.go

@@ -0,0 +1,24 @@
+package auth_test
+
+import (
+	"testing"
+
+	"github.com/github/gh-aw-mcpg/internal/auth"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestGenerateRandomAPIKey verifies that GenerateRandomAPIKey produces a
+// non-empty, unique, hex-encoded string per spec §7.3.
+func TestGenerateRandomAPIKey(t *testing.T) {
+	key, err := auth.GenerateRandomAPIKey()
+	require.NoError(t, err, "GenerateRandomAPIKey() should not fail")
+	assert.NotEmpty(t, key, "generated key should not be empty")
+	// 32 bytes encoded as hex = 64 characters
+	assert.Len(t, key, 64, "generated key should be 64 hex characters")
+
+	// Verify keys are unique across calls
+	key2, err := auth.GenerateRandomAPIKey()
+	require.NoError(t, err)
+	assert.NotEqual(t, key, key2, "successive calls should produce unique keys")
+}

internal/cmd/root.go

@@ -3,8 +3,6 @@ package cmd
 import (
 	"bufio"
 	"context"
-	"crypto/rand"
-	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -17,6 +15,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/github/gh-aw-mcpg/internal/auth"
 	"github.com/github/gh-aw-mcpg/internal/config"
 	"github.com/github/gh-aw-mcpg/internal/difc"
 	"github.com/github/gh-aw-mcpg/internal/logger"
@@ -304,7 +303,7 @@ func run(cmd *cobra.Command, args []string) error {
 	// The generated key is set in the config so it propagates to both the HTTP
 	// server authentication and the stdout configuration output (spec §5.4).
 	if cfg.GetAPIKey() == "" {
-		randomKey, err := generateRandomAPIKey()
+		randomKey, err := auth.GenerateRandomAPIKey()
 		if err != nil {
 			return fmt.Errorf("failed to generate random API key: %w", err)
 		}
@@ -650,17 +649,6 @@ func loadEnvFile(path string) error {
 	return scanner.Err()
 }
 
-// generateRandomAPIKey generates a cryptographically random API key.
-// Per spec §7.3, the gateway SHOULD generate a random API key on startup
-// if none is provided. Returns a 32-byte hex-encoded string (64 chars).
-func generateRandomAPIKey() (string, error) {
-	bytes := make([]byte, 32)
-	if _, err := rand.Read(bytes); err != nil {
-		return "", fmt.Errorf("failed to generate random API key: %w", err)
-	}
-	return hex.EncodeToString(bytes), nil
-}
-
 // Execute runs the root command
 func Execute() {
 	if err := rootCmd.Execute(); err != nil {

internal/cmd/root_test.go

@@ -508,18 +508,3 @@ func TestPostRunCleanup(t *testing.T) {
 		assert.NotNil(t, rootCmd.PersistentPostRun, "PersistentPostRun should be set")
 	})
 }
-
-// TestGenerateRandomAPIKey verifies that generateRandomAPIKey produces a
-// non-empty, unique, hex-encoded string per spec §7.3.
-func TestGenerateRandomAPIKey(t *testing.T) {
-	key, err := generateRandomAPIKey()
-	require.NoError(t, err, "generateRandomAPIKey() should not fail")
-	assert.NotEmpty(t, key, "generated key should not be empty")
-	// 32 bytes encoded as hex = 64 characters
-	assert.Len(t, key, 64, "generated key should be 64 hex characters")
-
-	// Verify keys are unique across calls
-	key2, err := generateRandomAPIKey()
-	require.NoError(t, err)
-	assert.NotEqual(t, key, key2, "successive calls should produce unique keys")
-}