Add interactive login

[ramilamparo]

Summary

Adds interactive qasphere auth commands for login, logout, and status — replacing the need to manually manage API keys and environment variables.

For testing purposes, you can override the QAS_LOGIN_SERVICE_URL.

Login methods

• Device Authorization Grant (RFC 8628) — default flow. Opens a browser to the QA Sphere verification page, displays a user code, and polls until the user approves. No secrets typed into the terminal.

Credential storage

Credentials are persisted in priority order:

1. System keyring (@napi-rs/keyring) — preferred, used when the OS keyring daemon is available
2. File fallback (~/.config/qasphere/credentials.json) — restricted permissions (0600), used when keyring is unavailable

Credential resolution

resolveCredentialSource() checks sources in priority order:

1. QAS_TOKEN + QAS_URL environment variables
2. .env file in cwd
3. System keyring
4. ~/.config/qasphere/credentials.json
5. .qaspherecli file (searched up directory tree)

Auth subcommands

Command	Description
qasphere auth login	Device authorization flow (browser-based)
qasphere auth status	Shows current auth source and validates the API key
qasphere auth logout	Clears keyring or file credentials; warns if env-based credentials remain

[claude]

Code Review: Add interactive login

• Read review instructions
• Gather full PR diff and context
• Run specialized review subagents (code quality, security, performance, test coverage)
• Aggregate findings and post review with inline comments
• Clean up outdated bot comments and threads

Running specialized review subagents...

View job run

[claude]

Claude finished @ramilamparo's task in 8m 37s —— View job

---

Code Review: Add interactive login

• Gather PR context and full diff
• Run specialized review subagents (code quality, security, performance, test coverage)
• Aggregate findings and post review
• Clean up outdated bot comments and threads

The latest push (9837ba6 — "Fixes") addresses three open items from prior reviews: replace('-', '') → replaceAll, sourceLabels now includes keyring/credentials.json, and resolveAuth error output uses console.error.

Ran four specialized subagents against the full PR diff. No new noteworthy findings beyond what prior reviews have already raised. Five open items remain unaddressed but none are blocking:

1. oauth.ts:134 — refreshAccessToken omits client_id
2. browser.ts:15 — Windows cmd /c start shell metacharacter handling
3. keyring.ts:22 — loadKeyringModule() cache opportunity
4. oauth.ts — OAuth responses lack Zod runtime validation
5. auth-e2e.spec.ts — test gaps (default OAuth error branch, polling network error, keyring-backed refresh persistence, clearCredentials failure in logout)

Resolved 3 now-addressed bot threads, minimized 14 outdated bot review summaries, and deleted 1 progress-tracking comment. Submitted as APPROVE.

[hi-rai]

PR looks okay. Few minor nits

[hi-rai]

Should we expose the internal details of how the oauth credentials are stored to the user ? Or simply mention oauth ?

[ramilamparo]

I don't see the harm. Showing "OAuth" could be a bit misleading. Since keyring also uses OAuth.

[claude]

Claude finished @ramilamparo's task in 10m 18s —— View job

---

Code Review: Add interactive login

• Gather PR context and full diff
• Run specialized review subagents (code quality, security, performance, test coverage)
• Aggregate findings, deduplicate against existing comments, and post review
• Clean up outdated bot comments and threads

The latest commit (b103da8 — "Tweaks") addresses hi-rai's review feedback: REFRESH_TOKEN_GRANT_TYPE constant added, status message changed to "Credentials connected via", token expiry only shown when status is valid, more specific revocation instructions, and simplified "Remove them manually." text.

Ran four specialized subagents against the full PR diff. No new noteworthy findings beyond what prior reviews have already raised. Two previously-open test gaps are now addressed (clearCredentials failure path at line 1001, keyring-backed refresh persistence at line 945). Resolved 2 now-addressed bot threads and minimized 13 outdated bot review summaries. Submitted as APPROVE.

[claude]

Claude finished @ramilamparo's task in 10m 25s —— View job

---

Code Review: Add interactive login

• Gather PR context and full diff
• Run specialized review subagents (code quality, security, performance, test coverage)
• Aggregate findings, deduplicate against existing comments, and post review
• Clean up outdated bot comments and threads

The latest commit (ba1fe61 — "Improve command description") updates the auth status describe text to better reflect its behavior, addressing hi-rai's feedback.

Ran four specialized subagents against the full PR diff. Two new findings posted as inline comments:

1. types.ts:9 — tenantUrl schema uses .min(1) instead of .url(), missing URL format validation at the credential boundary
2. resolvers.ts:153 — resolveAuth() error message leads with "Missing required environment variables" when OAuth is now the primary auth path

Minimized 16 outdated bot review summaries. Three open items from prior reviews remain unaddressed but none are blocking. Submitted as APPROVE.

[claude]

Code Review: Add interactive login

• Gather PR context and full diff
• Run specialized review subagents (code quality, security, performance, test coverage)
• Aggregate findings, deduplicate against existing comments, and post review
• Clean up outdated bot comments and threads

Running specialized review subagents...

View job run

[claude]

Claude finished @ramilamparo's task in 14m 7s —— View job

---

Code Review: Add interactive login

• Gather PR context and full diff
• Run specialized review subagents (code quality, security, performance, test coverage)
• Aggregate findings, deduplicate against existing comments, and post review
• Clean up outdated bot comments and threads

The latest commits (5ce6d76 — "Nits", 90bac86 — "Add refresh token expiration") address both findings from the prior review: tenantUrl schema now uses .url() for proper URL validation, and resolveAuth error message now leads with "Not authenticated" and suggests auth login first. Status now shows refresh token expiry in days, and user code is shown as-is without normalization.

Ran four specialized subagents against the full PR diff. One new finding posted as an inline comment: refresh_token_expires_in is used without a fallback default — if the server hasn't been updated to return this field yet, login will crash with a RangeError.

Minimized 17 outdated bot review summaries. Three open items from prior reviews remain unaddressed but none are blocking. Submitted as APPROVE.

[claude]

The latest commits (5ce6d76 — "Nits", 90bac86 — "Add refresh token expiration") address both findings from the prior review:

1. tenantUrl schema now uses z.string().url() for proper URL validation ✓
2. resolveAuth error message now leads with "Not authenticated" and suggests auth login first ✓
3. Status now shows refresh token expiry in days instead of access token expiry in minutes ✓
4. User code shown as-is from server without normalization ✓

One new finding posted inline — refresh_token_expires_in is used without a fallback default, which could crash login if the backend hasn't been updated to return this field yet.

Three open items from prior reviews remain unaddressed but none are blocking:

1. oauth.ts:134 — refreshAccessToken omits client_id (consistency with other OAuth calls)
2. browser.ts:15 — Windows cmd /c start shell metacharacter handling (URLs are server-controlled, low practical risk)
3. keyring.ts:22 — loadKeyringModule() cache opportunity

LGTM.