
feature(eng-5200): support domain in .infisical.json and INFISICAL_DOMAIN env var #256

Merged: PrestigePvP merged 2 commits into main from tre/eng-5200-domain-flag-support on Jun 10, 2026

@PrestigePvP (Contributor)

Description 📣

Adds a domain field to .infisical.json and a new INFISICAL_DOMAIN environment variable so the Infisical instance can be configured per-project, not just via --domain or the env var.

  • Add domain field to .infisical.json, resolved when --domain is not passed
  • Add INFISICAL_DOMAIN env var; keep INFISICAL_API_URL working as a legacy alias
  • Precedence (highest to lowest): --domain flag > INFISICAL_DOMAIN (or legacy INFISICAL_API_URL) env > .infisical.json domain > default
  • Centralize env precedence in util.DomainEnvNames, consumed by GetEnvDomain and GetCmdFlagOrEnvWithDefaultValue (no duplicated ordering across kmip/bootstrap)
  • Move domain resolution to PersistentPreRun so the parsed --domain flag is reliably honored (it isn't parsed yet in init())
  • Warn and ignore a malformed domain (must start with http:// or https://); print an [INFO] line when the domain comes from .infisical.json

Net-new work; takes over the intent of community PR #242 but reworks it (field named domain not apiUrl, since apiUrl never shipped).

Docs at /docs/cli/project-config live in the monorepo and will follow up separately.

Type ✨

  • Bug fix
  • New feature
  • Improvement
  • Breaking change
  • Documentation

Tests 🛠️

Table-driven unit tests for domain parsing and env precedence:

go test ./packages/util/ -run 'TestWorkspaceConfigDomain|TestGetEnvDomain' -v
# ok  github.com/Infisical/infisical-merge/packages/util

Verified end-to-end against the real binary that the API request URL resolves correctly for flag > env > .infisical.json, that a malformed domain warns and is ignored, that --silent suppresses the info line, and that the legacy INFISICAL_API_URL env var still works.


…L_DOMAIN env var

- Add `domain` field to .infisical.json, resolved when --domain is not passed
- Add INFISICAL_DOMAIN env var; keep INFISICAL_API_URL as legacy alias
- Precedence: --domain flag > INFISICAL_DOMAIN/INFISICAL_API_URL env > .infisical.json domain > default
- Centralize env precedence in util.DomainEnvNames, used by GetEnvDomain and GetCmdFlagOrEnvWithDefaultValue
- Move domain resolution to PersistentPreRun so the parsed flag is honored
- Warn and ignore a malformed domain field; print the source when read from .infisical.json
- Table-driven tests for domain parsing and env precedence
@linear

linear Bot commented Jun 9, 2026


ENG-5200

@infisical-review-police


💬 Discussion in Slack: #pr-review-cli-256-feature-eng-5200-support-domain-in-infisical-json-and-infisica

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

@greptile-apps

greptile-apps Bot (Contributor) commented Jun 9, 2026

Greptile Summary

This PR adds a domain field to .infisical.json and a new INFISICAL_DOMAIN environment variable so the Infisical instance URL can be configured per-project, centralising precedence logic in resolveDomain / GetEnvDomain and DomainEnvNames.

  • Domain resolution refactored: resolveDomain in root.go implements flag > env > .infisical.json > default precedence and is called from PersistentPreRun (after flag parsing), replacing the old init()-time env check.
  • INFISICAL_API_URL kept as legacy alias: renamed to LEGACY_INFISICAL_API_URL_ENV_NAME; DomainEnvNames ensures both bootstrap and kmip commands pick up the new name and fall back to the old one.
  • New tests: table-driven unit tests cover domain parsing from file and env-var precedence including blank-env edge cases.

Confidence Score: 3/5

Two issues need attention before merging: the --token guard in login status will reject valid .infisical.json-sourced domains, and reading the API endpoint from a version-controlled file means a compromised or malicious repository can silently redirect CLI traffic — including auth tokens — to an arbitrary HTTPS server.

The file-sourced domain override is the core of this feature, but it creates a credential-exfiltration path for any developer who clones a repository with a manipulated .infisical.json. Because --silent suppresses the only user-visible signal, CI/CD pipelines are especially exposed. Separately, the login status --token guard was not updated to recognise .infisical.json as a valid domain source, so the new code path produces a false error in a common workflow.

packages/cmd/root.go (SSRF path in resolveDomain) and packages/cmd/login_status.go (incomplete guard for the new domain source).

Important Files Changed

| Filename | Overview |
| --- | --- |
| packages/cmd/root.go | Adds resolveDomain to centralize domain precedence (flag > env > .infisical.json > default) and moves resolution to PersistentPreRun; introduces SSRF risk where a file-controlled domain silently redirects CLI traffic including auth tokens. |
| packages/cmd/login_status.go | Switches domain env check to GetEnvDomain() but the guard for --token still fails when the domain is resolved from .infisical.json, causing a false error for a valid use-case. |
| packages/util/helper.go | Adds DomainEnvNames slice and GetEnvDomain() helper that centralises env-var precedence for domain resolution; straightforward and well-tested. |
| packages/util/constants.go | Renames INFISICAL_API_URL_ENV_NAME to INFISICAL_DOMAIN_ENV_NAME and retains LEGACY_INFISICAL_API_URL_ENV_NAME for backward compatibility; clean. |
| packages/util/config_test.go | New table-driven tests cover domain parsing from file and env-var precedence; good coverage of edge cases including blank-env fallthrough. |
| packages/models/cli.go | Adds Domain field (omitempty) to WorkspaceConfigFile; non-breaking schema addition. |
| packages/cmd/bootstrap.go | Switches to GetCmdFlagOrEnvWithDefaultValue with DomainEnvNames; consistent with the rest of the refactor. |
| packages/cmd/kmip.go | Updates env-names slice to DomainEnvNames; simple one-line deduplication change. |
| packages/cmd/login.go | Updates info message text to reference INFISICAL_DOMAIN and renames the prompt label; cosmetic. |
| packages/util/testdata/infisical-with-domain.json | New test fixture for domain-field parsing. |

Reviews (1): Last reviewed commit: "feature(eng-5200): add domain support in..." | Re-trigger Greptile
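
The precedence from the PR description, combined with the review's point that a file-sourced domain must never be applied silently, as an added Go sketch that is not the Infisical CLI's own code. `Resolved`, `resolve`, `validDomain` and the default URL are hypothetical names and placeholders; the validity check here is stricter than the prefix check the PR describes, since it also requires a host.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Resolved is a hypothetical result type: the chosen domain and where it came from.
type Resolved struct {
	Domain string
	Source string // "flag", "env", "file" or "default"
	Warn   string // non-empty: caller must print it, even under --silent
}

const defaultDomain = "https://default.example.invalid" // placeholder, not the real default

// validDomain accepts only absolute http(s) URLs that carry a host.
func validDomain(s string) bool {
	u, err := url.Parse(s)
	return err == nil && (u.Scheme == "http" || u.Scheme == "https") && u.Host != ""
}

// resolve applies flag > INFISICAL_DOMAIN > INFISICAL_API_URL > file > default.
// getenv is injected so the logic can be tested without touching the process env.
func resolve(flag string, getenv func(string) string, fileDomain string) Resolved {
	if strings.TrimSpace(flag) != "" {
		return Resolved{Domain: flag, Source: "flag"}
	}
	for _, name := range []string{"INFISICAL_DOMAIN", "INFISICAL_API_URL"} {
		if v := strings.TrimSpace(getenv(name)); v != "" { // blank env falls through
			return Resolved{Domain: v, Source: "env"}
		}
	}
	if fd := strings.TrimSpace(fileDomain); fd != "" {
		if !validDomain(fd) {
			return Resolved{Domain: defaultDomain, Source: "default",
				Warn: "ignoring malformed domain in .infisical.json"}
		}
		// A committed file chose the endpoint: always surface it to the user.
		return Resolved{Domain: fd, Source: "file",
			Warn: "domain taken from .infisical.json: " + fd}
	}
	return Resolved{Domain: defaultDomain, Source: "default"}
}

func main() {
	env := map[string]string{"INFISICAL_API_URL": "https://legacy.example.test"} // constructed
	r := resolve("", func(k string) string { return env[k] }, "https://repo.example.test")
	fmt.Println(r.Source, r.Domain, r.Warn)
}
```
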

Comment thread packages/cmd/login_status.go
Comment thread packages/cmd/root.go
Comment thread packages/cmd/root.go
@veria-ai

veria-ai Bot commented Jun 9, 2026


PR overview

All previously flagged issues have been addressed. No open security concerns remain on this pull request.

Security review

No open security issues remain on this pull request.

Fixed/addressed: 1 · PR risk: 0/10

- login status --token now accepts a domain from .infisical.json (was a false error)
- Always warn (even under --silent) when the domain comes from .infisical.json, since a committed config could redirect requests and credentials
@PrestigePvP PrestigePvP requested a review from akhilmhdh June 9, 2026 14:33

@maidul98 maidul98 (Contributor) left a comment

We need to update the docs at https://infisical.com/docs

@PrestigePvP PrestigePvP merged commit f62455f into main Jun 10, 2026
29 checks passed