Kong · Copilot · Mar 30, 2026 · Mar 30, 2026 · Mar 30, 2026
@@ -73,6 +73,11 @@ func (p *portalAPIStub) DeletePortal(context.Context, string, bool) (*kkOps.Dele
 	return nil, nil
 }
 
+func (p *portalAPIStub) ClearPortalDefaultAuthStrategyID(context.Context, string) error {
+	p.t.Fatalf("unexpected ClearPortalDefaultAuthStrategyID call")
+	return nil
+}
+
 func TestAdoptPortalAssignsNamespaceLabel(t *testing.T) {
 	helper := new(cmd.MockHelper)
 	helper.EXPECT().GetContext().Return(context.Background())

@@ -224,7 +224,9 @@ func KonnectSDKFactory(cfg config.Hook, logger *slog.Logger) (helpers.SDKAPI, er
 	}
 
 	return &helpers.KonnectSDK{
-		SDK: sdk,
+		SDK:         sdk,
+		BaseURL:     baseURL,
+		BearerToken: token,
 	}, nil
 }
 

@@ -5,9 +5,9 @@ import (
 	"strings"
 	"time"
 
+	"charm.land/bubbles/v2/table"
 	kkComps "github.com/Kong/sdk-konnect-go/models/components"
 	kkOps "github.com/Kong/sdk-konnect-go/models/operations"
-	"charm.land/bubbles/v2/table"
 	"github.com/kong/kongctl/internal/cmd"
 	cmdCommon "github.com/kong/kongctl/internal/cmd/common"
 	"github.com/kong/kongctl/internal/cmd/output/tableview"
@@ -45,15 +45,15 @@ type clusterPolicySummaryRecord struct {
 // clusterPolicyWithConfig is a wrapper that includes the full config from raw API response.
 // The SDK's EventGatewayPolicyConfig struct is empty, so we use map[string]any to capture actual config.
 type clusterPolicyWithConfig struct {
-	Type           string            `json:"type" yaml:"type"`
-	Name           *string           `json:"name,omitempty" yaml:"name,omitempty"`
-	Description    *string           `json:"description,omitempty" yaml:"description,omitempty"`
-	Enabled        *bool             `json:"enabled,omitempty" yaml:"enabled,omitempty"`
-	Labels         map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
-	ID             string            `json:"id" yaml:"id"`
-	Config         map[string]any    `json:"config" yaml:"config"`
-	CreatedAt      time.Time         `json:"created_at" yaml:"created_at"`
-	UpdatedAt      time.Time         `json:"updated_at" yaml:"updated_at"`
+	Type           string            `json:"type"                       yaml:"type"`
+	Name           *string           `json:"name,omitempty"             yaml:"name,omitempty"`
+	Description    *string           `json:"description,omitempty"      yaml:"description,omitempty"`
+	Enabled        *bool             `json:"enabled,omitempty"          yaml:"enabled,omitempty"`
+	Labels         map[string]string `json:"labels,omitempty"           yaml:"labels,omitempty"`
+	ID             string            `json:"id"                         yaml:"id"`
+	Config         map[string]any    `json:"config"                     yaml:"config"`
+	CreatedAt      time.Time         `json:"created_at"                 yaml:"created_at"`
+	UpdatedAt      time.Time         `json:"updated_at"                 yaml:"updated_at"`
 	ParentPolicyID *string           `json:"parent_policy_id,omitempty" yaml:"parent_policy_id,omitempty"`
 }
 
@@ -62,8 +62,10 @@ var (
 
 	clusterPoliciesShort = i18n.T("root.products.konnect.eventgateway.clusterPoliciesShort",
 		"Manage cluster policies for an Event Gateway Virtual Cluster")
-	clusterPoliciesLong = normalizers.LongDesc(i18n.T("root.products.konnect.eventgateway.clusterPoliciesLong",
-		`Use the cluster-policies command to list or retrieve cluster policies for a specific Event Gateway Virtual Cluster.`)) //nolint:lll
+	clusterPoliciesLong = normalizers.LongDesc(i18n.T(
+		"root.products.konnect.eventgateway.clusterPoliciesLong",
+		`Use the cluster-policies command to list or retrieve cluster policies for a specific Event Gateway Virtual Cluster.`,
+	)) //nolint:lll
 	clusterPoliciesExample = normalizers.Examples(
 		i18n.T("root.products.konnect.eventgateway.clusterPoliciesExamples",
 			fmt.Sprintf(`

@@ -16,7 +16,7 @@ import (
 )
 
 const (
-	Verb                    = verbs.Scaffold
+	Verb                     = verbs.Scaffold
 	outputFlagUnsupportedMsg = "flags -o/--" + cmdcommon.OutputFlagName + " are not supported for the scaffold command"
 )
 

@@ -1861,7 +1861,8 @@ func (e *Executor) createResource(ctx context.Context, change *planner.PlannedCh
 			change.References["event_gateway_id"] = gatewayRef
 		}
 		// Resolve event gateway virtual cluster reference if needed
-		if virtualClusterRef, ok := change.References["event_gateway_virtual_cluster_id"]; ok && virtualClusterRef.ID == "" {
+		if virtualClusterRef, ok := change.References["event_gateway_virtual_cluster_id"]; ok &&
+			virtualClusterRef.ID == "" {
 			gatewayID := change.References["event_gateway_id"].ID
 			virtualClusterID, err := e.resolveEventGatewayVirtualClusterRef(ctx, gatewayID, virtualClusterRef)
 			if err != nil {
@@ -2172,7 +2173,8 @@ func (e *Executor) updateResource(ctx context.Context, change *planner.PlannedCh
 			change.References["event_gateway_id"] = gatewayRef
 		}
 		// Resolve event gateway virtual cluster reference if needed
-		if virtualClusterRef, ok := change.References["event_gateway_virtual_cluster_id"]; ok && virtualClusterRef.ID == "" {
+		if virtualClusterRef, ok := change.References["event_gateway_virtual_cluster_id"]; ok &&
+			virtualClusterRef.ID == "" {
 			gatewayID := change.References["event_gateway_id"].ID
 			virtualClusterID, err := e.resolveEventGatewayVirtualClusterRef(ctx, gatewayID, virtualClusterRef)
 			if err != nil {

@@ -152,7 +152,12 @@ func (e *Executor) updatePortal(ctx context.Context, change planner.PlannedChang
 			}
 		case "default_application_auth_strategy_id":
 			if authID, ok := value.(string); ok {
-				updatePortal.DefaultApplicationAuthStrategyID = &authID
+				if authID == planner.ClearDefaultAuthStrategyID {
+					// Sentinel: unset via explicit null PATCH after the SDK update completes.
+					// We skip setting the SDK field here; the clear call is made below.
+				} else {
+					updatePortal.DefaultApplicationAuthStrategyID = &authID
+				}
 			}
 		case "default_api_visibility":
 			if visibility, ok := value.(string); ok {
@@ -203,6 +208,16 @@ func (e *Executor) updatePortal(ctx context.Context, change planner.PlannedChang
 		return "", err
 	}
 
+	// If the plan requested clearing default_application_auth_strategy_id, send
+	// an explicit JSON null via a separate raw PATCH (the SDK's UpdatePortal
+	// struct cannot express explicit null due to omitempty).
+	if authID, ok := change.Fields["default_application_auth_strategy_id"].(string); ok &&
+		authID == planner.ClearDefaultAuthStrategyID {
+		if err := e.client.ClearPortalDefaultAuthStrategyID(ctx, change.ResourceID, change.Namespace); err != nil {
+			return "", fmt.Errorf("clear portal default auth strategy: %w", err)
+		}
+	}
+
 	return resp.ID, nil
 }
 

@@ -82,6 +82,11 @@ func (m *MockPortalAPI) DeletePortal(
 	return args.Get(0).(*kkOps.DeletePortalResponse), args.Error(1)
 }
 
+func (m *MockPortalAPI) ClearPortalDefaultAuthStrategyID(ctx context.Context, portalID string) error {
+	args := m.Called(ctx, portalID)
+	return args.Error(0)
+}
+
 func TestExecutor_createPortal(t *testing.T) {
 	tests := []struct {
 		name         string

@@ -14,6 +14,14 @@ import (
 	"github.com/kong/kongctl/internal/declarative/tags"
 )
 
+// ClearDefaultAuthStrategyID is the sentinel value written into
+// PlannedChange.Fields["default_application_auth_strategy_id"] when the
+// desired configuration omits the field but the current portal still has it
+// set.  The executor recognises this value and sends an explicit JSON null via
+// ClearPortalDefaultAuthStrategyID instead of using the SDK's UpdatePortal
+// (which cannot express explicit null due to omitempty).
+const ClearDefaultAuthStrategyID = "$clear-default-auth-strategy"
+
 // portalPlannerImpl implements planning logic for portal resources
 type portalPlannerImpl struct {
 	*BasePlanner
@@ -469,6 +477,17 @@ func (p *portalPlannerImpl) shouldUpdatePortal(
 				}
 			}
 		}
+	} else {
+		// When the field is absent from the desired configuration but the current
+		// portal has it set, plan an UPDATE to clear it.
+		currentAuthID := p.GetString(current.DefaultApplicationAuthStrategyID)
+		if currentAuthID != "" {
+			updates["default_application_auth_strategy_id"] = ClearDefaultAuthStrategyID
+			changedFields["default_application_auth_strategy_id"] = FieldChange{
+				Old: currentAuthID,
+				New: nil,
+			}
+		}
 	}
 
 	if desired.AuthenticationEnabled != nil {

@@ -76,6 +76,11 @@ func (m *MockPortalAPI) DeletePortal(
 	return args.Get(0).(*kkOps.DeletePortalResponse), args.Error(1)
 }
 
+func (m *MockPortalAPI) ClearPortalDefaultAuthStrategyID(ctx context.Context, portalID string) error {
+	args := m.Called(ctx, portalID)
+	return args.Error(0)
+}
+
 // MockAPIAPI is a mock implementation of APIAPI
 type MockAPIAPI struct {
 	mock.Mock

@@ -20,8 +20,8 @@ func init() {
 // The SDK represents cluster policies as a union type (EventGatewayClusterPolicyModify)
 // with the "acls" variant (EventGatewayACLsPolicy).
 type EventGatewayClusterPolicyResource struct {
-	kkComps.EventGatewayClusterPolicyModify `yaml:",inline" json:",inline"`
-	Ref                                     string `yaml:"ref"                            json:"ref"`
+	kkComps.EventGatewayClusterPolicyModify `       yaml:",inline"                   json:",inline"`
+	Ref                                     string `yaml:"ref"                       json:"ref"`
 	// Parent Event Gateway Virtual Cluster reference (for root-level definitions)
 	VirtualCluster string `yaml:"virtual_cluster,omitempty" json:"virtual_cluster,omitempty"`
 	EventGateway   string `yaml:"event_gateway,omitempty"   json:"event_gateway,omitempty"`

@@ -47,10 +47,10 @@ type ExplainBuildContext struct {
 }
 
 type ExplainRelation struct {
-	ParentAlias   string `json:"parent_alias"   yaml:"parent_alias"`
-	ParentType    string `json:"parent_type"    yaml:"parent_type"`
-	FieldName     string `json:"field_name"     yaml:"field_name"`
-	ChildAlias    string `json:"child_alias"    yaml:"child_alias"`
+	ParentAlias   string `json:"parent_alias"    yaml:"parent_alias"`
+	ParentType    string `json:"parent_type"     yaml:"parent_type"`
+	FieldName     string `json:"field_name"      yaml:"field_name"`
+	ChildAlias    string `json:"child_alias"     yaml:"child_alias"`
 	ParentRootKey string `json:"parent_root_key" yaml:"parent_root_key"`
 }
 
@@ -66,7 +66,7 @@ type ExplainDoc struct {
 	ParentRelations           []ExplainRelation `json:"parent_relations,omitempty"  yaml:"parent_relations,omitempty"`
 	SupportsKongctl           bool              `json:"supports_kongctl"            yaml:"supports_kongctl"`
 	Schema                    *ExplainNode      `json:"-"                           yaml:"-"`
-	nestedFields    map[string]ResourceType
+	nestedFields              map[string]ResourceType
 }
 
 type ExplainSubject struct {
@@ -123,49 +123,49 @@ type ExplainField struct {
 }
 
 type JSONSchema struct {
-	Schema      string                  `json:"$schema,omitempty" yaml:"$schema,omitempty"`
-	ID          string                  `json:"$id,omitempty" yaml:"$id,omitempty"`
-	Title       string                  `json:"title,omitempty" yaml:"title,omitempty"`
-	Description string                  `json:"description,omitempty" yaml:"description,omitempty"`
-	Type        any                     `json:"type,omitempty" yaml:"type,omitempty"`
-	Properties  map[string]*JSONSchema  `json:"properties,omitempty" yaml:"properties,omitempty"`
-	Required    []string                `json:"required,omitempty" yaml:"required,omitempty"`
-	Items       *JSONSchema             `json:"items,omitempty" yaml:"items,omitempty"`
-	Additional  any                     `json:"additionalProperties,omitempty" yaml:"additionalProperties,omitempty"`
-	OneOf       []*JSONSchema           `json:"oneOf,omitempty" yaml:"oneOf,omitempty"`
-	Const       any                     `json:"const,omitempty" yaml:"const,omitempty"`
-	Enum        []any                   `json:"enum,omitempty" yaml:"enum,omitempty"`
-	Default     any                     `json:"default,omitempty" yaml:"default,omitempty"`
-	XResource   any                     `json:"x-kongctl-resource,omitempty" yaml:"x-kongctl-resource,omitempty"`
-	XPath       string                  `json:"x-kongctl-path,omitempty" yaml:"x-kongctl-path,omitempty"`
-	XRootKey    string                  `json:"x-kongctl-root-key,omitempty" yaml:"x-kongctl-root-key,omitempty"`
-	XClass      string                  `json:"x-kongctl-resource-class,omitempty" yaml:"x-kongctl-resource-class,omitempty"` //nolint:lll
-	XRefKind    string                  `json:"x-kongctl-ref-kind,omitempty" yaml:"x-kongctl-ref-kind,omitempty"`
-	XTag        string                  `json:"x-kongctl-preferred-tag,omitempty" yaml:"x-kongctl-preferred-tag,omitempty"`
-	XDefault    string                  `json:"x-kongctl-default-from,omitempty" yaml:"x-kongctl-default-from,omitempty"`
-	XNotes      []string                `json:"x-kongctl-notes,omitempty" yaml:"x-kongctl-notes,omitempty"`
-	XSubject    *ExplainSchemaSubject   `json:"x-kongctl-subject,omitempty" yaml:"x-kongctl-subject,omitempty"`
-	XPlacement  *ExplainSchemaPlacement `json:"x-kongctl-placement,omitempty" yaml:"x-kongctl-placement,omitempty"`
-	XRoot       *bool                   `json:"x-kongctl-supports-root,omitempty" yaml:"x-kongctl-supports-root,omitempty"`
+	Schema      string                  `json:"$schema,omitempty"                               yaml:"$schema,omitempty"`
+	ID          string                  `json:"$id,omitempty"                                   yaml:"$id,omitempty"`
+	Title       string                  `json:"title,omitempty"                                 yaml:"title,omitempty"`
+	Description string                  `json:"description,omitempty"                           yaml:"description,omitempty"`
+	Type        any                     `json:"type,omitempty"                                  yaml:"type,omitempty"`
+	Properties  map[string]*JSONSchema  `json:"properties,omitempty"                            yaml:"properties,omitempty"`
+	Required    []string                `json:"required,omitempty"                              yaml:"required,omitempty"`
+	Items       *JSONSchema             `json:"items,omitempty"                                 yaml:"items,omitempty"`
+	Additional  any                     `json:"additionalProperties,omitempty"                  yaml:"additionalProperties,omitempty"`
+	OneOf       []*JSONSchema           `json:"oneOf,omitempty"                                 yaml:"oneOf,omitempty"`
+	Const       any                     `json:"const,omitempty"                                 yaml:"const,omitempty"`
+	Enum        []any                   `json:"enum,omitempty"                                  yaml:"enum,omitempty"`
+	Default     any                     `json:"default,omitempty"                               yaml:"default,omitempty"`
+	XResource   any                     `json:"x-kongctl-resource,omitempty"                    yaml:"x-kongctl-resource,omitempty"`
+	XPath       string                  `json:"x-kongctl-path,omitempty"                        yaml:"x-kongctl-path,omitempty"`
+	XRootKey    string                  `json:"x-kongctl-root-key,omitempty"                    yaml:"x-kongctl-root-key,omitempty"`
+	XClass      string                  `json:"x-kongctl-resource-class,omitempty"              yaml:"x-kongctl-resource-class,omitempty"` //nolint:lll
+	XRefKind    string                  `json:"x-kongctl-ref-kind,omitempty"                    yaml:"x-kongctl-ref-kind,omitempty"`
+	XTag        string                  `json:"x-kongctl-preferred-tag,omitempty"               yaml:"x-kongctl-preferred-tag,omitempty"`
+	XDefault    string                  `json:"x-kongctl-default-from,omitempty"                yaml:"x-kongctl-default-from,omitempty"`
+	XNotes      []string                `json:"x-kongctl-notes,omitempty"                       yaml:"x-kongctl-notes,omitempty"`
+	XSubject    *ExplainSchemaSubject   `json:"x-kongctl-subject,omitempty"                     yaml:"x-kongctl-subject,omitempty"`
+	XPlacement  *ExplainSchemaPlacement `json:"x-kongctl-placement,omitempty"                   yaml:"x-kongctl-placement,omitempty"`
+	XRoot       *bool                   `json:"x-kongctl-supports-root,omitempty"               yaml:"x-kongctl-supports-root,omitempty"`
 	XNestedDecl *bool                   `json:"x-kongctl-supports-nested-declaration,omitempty" yaml:"x-kongctl-supports-nested-declaration,omitempty"` //nolint:lll
 }
 
 type ExplainSchemaSubject struct {
-	Kind        string `json:"kind" yaml:"kind"`
-	Path        string `json:"path" yaml:"path"`
-	Required    *bool  `json:"required,omitempty" yaml:"required,omitempty"`
+	Kind        string `json:"kind"                  yaml:"kind"`
+	Path        string `json:"path"                  yaml:"path"`
+	Required    *bool  `json:"required,omitempty"    yaml:"required,omitempty"`
 	Recommended *bool  `json:"recommended,omitempty" yaml:"recommended,omitempty"`
 }
 
 type ExplainSchemaPlacement struct {
-	YAMLPath        string   `json:"yaml_path,omitempty" yaml:"yaml_path,omitempty"`
-	RootYAMLPath    string   `json:"root_yaml_path,omitempty" yaml:"root_yaml_path,omitempty"`
-	NestedYAMLPath  string   `json:"nested_yaml_path,omitempty" yaml:"nested_yaml_path,omitempty"`
+	YAMLPath        string   `json:"yaml_path,omitempty"         yaml:"yaml_path,omitempty"`
+	RootYAMLPath    string   `json:"root_yaml_path,omitempty"    yaml:"root_yaml_path,omitempty"`
+	NestedYAMLPath  string   `json:"nested_yaml_path,omitempty"  yaml:"nested_yaml_path,omitempty"`
 	NestedYAMLPaths []string `json:"nested_yaml_paths,omitempty" yaml:"nested_yaml_paths,omitempty"`
 }
 
 type ExplainSchemaResource struct {
-	Name          string `json:"name" yaml:"name"`
+	Name          string `json:"name"           yaml:"name"`
 	ResourceClass string `json:"resource_class" yaml:"resource_class"`
 }
 
@@ -463,7 +463,7 @@ func buildExplainDoc(rt ResourceType) (*ExplainDoc, error) {
 		ParentRelations:           parentRelations,
 		SupportsKongctl:           node.propertyExists("kongctl"),
 		Schema:                    node,
-		nestedFields:    nestedFieldMap(childRelations),
+		nestedFields:              nestedFieldMap(childRelations),
 	}
 
 	explainDocCacheMu.Lock()
-Original file line number
+Diff line change
@@ Expand Up / @@ -16,7 +16,7 @@ import ( @@
     )
     const (
-    	Verb                    = verbs.Scaffold
+    	Verb                     = verbs.Scaffold
     	outputFlagUnsupportedMsg = "flags -o/--" + cmdcommon.OutputFlagName + " are not supported for the scaffold command"
     )
@@ Expand Down @@