
Add interactive login#64

Open
ramilamparo wants to merge 17 commits into main from dev/ram/interactive-login


ramilamparo (Collaborator) commented Apr 8, 2026

Summary

Adds interactive qasphere auth commands for login, logout, and status — replacing the need to manually manage API keys and environment variables.

Login methods

  • Device Authorization Grant (RFC 8628) — default flow. Opens a browser to the QA Sphere verification page, displays a user code, and polls until the user approves. No secrets typed into the terminal.

Credential storage

Credentials are persisted in priority order:

  1. System keyring (@napi-rs/keyring) — preferred, used when the OS keyring daemon is available
  2. File fallback (~/.config/qasphere/credentials.json) — restricted permissions (0600), used when keyring is unavailable

Credential resolution

resolveCredentialSource() checks sources in priority order:

  1. QAS_TOKEN + QAS_URL environment variables
  2. .env file in cwd
  3. System keyring
  4. ~/.config/qasphere/credentials.json
  5. .qaspherecli file (searched up directory tree)

Auth subcommands

| Command | Description |
| --- | --- |
| qasphere auth login | Device authorization flow (browser-based) |
| qasphere auth status | Shows current auth source and validates the API key |
| qasphere auth logout | Clears keyring or file credentials; warns if env-based credentials remain |
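
Added example (not code from this PR): the polling phase of the Device Authorization Grant described above, written as a pure decision function over the token-endpoint responses defined in RFC 8628 section 3.5. Function names and sample values are constructed for illustration; field names and error codes are the RFC's.

```javascript
// Added illustration; function names are hypothetical, field names are RFC 8628's.
const DEFAULT_INTERVAL_S = 5; // RFC 8628: applies when the server omits "interval"

function startPolling(deviceAuth, nowS) {
  return {
    intervalS: deviceAuth.interval ?? DEFAULT_INTERVAL_S,
    deadlineS: nowS + deviceAuth.expires_in, // device_code lifetime
  };
}

// Decide what to do after one token-endpoint response.
function nextStep(state, response, nowS) {
  if (typeof response.access_token === 'string') {
    return { action: 'done', accessToken: response.access_token };
  }
  switch (response.error) {
    case 'authorization_pending':
    case 'slow_down': {
      if (nowS >= state.deadlineS) return { action: 'fail', reason: 'expired_token' };
      // slow_down: add 5 s to the interval for this and every later request
      const bump = response.error === 'slow_down' ? 5 : 0;
      return { action: 'wait', state: { ...state, intervalS: state.intervalS + bump } };
    }
    case 'access_denied':
    case 'expired_token':
      return { action: 'fail', reason: response.error };
    default: // unknown or missing error code: stop instead of polling forever
      return { action: 'fail', reason: response.error ?? 'invalid_response' };
  }
}

// Run the decisions over constructed responses with a fake clock (no network, no sleep).
function simulate(deviceAuth, responses) {
  let nowS = 0;
  let state = startPolling(deviceAuth, nowS);
  const waits = [];
  for (const response of responses) {
    waits.push(state.intervalS); // the client waits one interval before each request
    nowS += state.intervalS;
    const step = nextStep(state, response, nowS);
    if (step.action !== 'wait') return { ...step, waits };
    state = step.state;
  }
  return { action: 'fail', reason: 'no_more_responses', waits };
}
```

Keeping the decision logic free of timers and network calls lets each branch, including the default one, be exercised with a list of canned responses.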



claude bot commented Apr 8, 2026

Code Review: Add interactive login

  • Read review instructions
  • Gather full PR diff and context
  • Run specialized review subagents (code quality, security, performance, test coverage)
  • Aggregate findings and post review with inline comments
  • Clean up outdated bot comments and threads

Running specialized review subagents...



ramilamparo requested a review from a team April 9, 2026 13:40
ramilamparo force-pushed the dev/ram/interactive-login branch from 8908deb to 6b05689 April 9, 2026 14:10


claude bot commented Apr 15, 2026

Claude finished @ramilamparo's task in 8m 37s


Code Review: Add interactive login

  • Gather PR context and full diff
  • Run specialized review subagents (code quality, security, performance, test coverage)
  • Aggregate findings and post review
  • Clean up outdated bot comments and threads

The latest push (9837ba6 — "Fixes") addresses three open items from prior reviews: replace('-', '') → replaceAll, sourceLabels now includes keyring/credentials.json, and resolveAuth error output uses console.error.

Ran four specialized subagents against the full PR diff. No new noteworthy findings beyond what prior reviews have already raised. Five open items remain unaddressed but none are blocking:

  1. oauth.ts:134 — refreshAccessToken omits client_id
  2. browser.ts:15 — Windows cmd /c start shell metacharacter handling
  3. keyring.ts:22 — loadKeyringModule() cache opportunity
  4. oauth.ts — OAuth responses lack Zod runtime validation
  5. auth-e2e.spec.ts — test gaps (default OAuth error branch, polling network error, keyring-backed refresh persistence, clearCredentials failure in logout)

Resolved 3 now-addressed bot threads, minimized 14 outdated bot review summaries, and deleted 1 progress-tracking comment. Submitted as APPROVE.


claude bot left a comment


The latest push (9837ba6 — "Fixes") addresses three open items from prior reviews:

  1. replace('-', '') → replaceAll('-', '') in auth.ts:69 — multi-hyphen user codes now normalize correctly
  2. sourceLabels now includes entries for keyring and credentials.json (auth.ts:194-195)
  3. resolveAuth error output in resolvers.ts:152-174 now uses console.error instead of console.log

Ran four specialized subagents against the full PR diff. No new noteworthy findings beyond what prior reviews have already flagged. Five open items from prior reviews remain unaddressed but none are blocking:

  1. oauth.ts:134 — refreshAccessToken omits client_id (consistency with other OAuth calls)
  2. browser.ts:15 — cmd /c start on Windows interprets shell metacharacters (URLs are server-controlled, low practical risk)
  3. keyring.ts:22 — loadKeyringModule() re-attempts dynamic import on every call
  4. oauth.ts — OAuth responses lack Zod runtime validation (inconsistent with API-layer conventions)
  5. auth-e2e.spec.ts — three test coverage gaps (default OAuth error branch, polling network error, keyring-backed refresh persistence, clearCredentials failure in handleLogout)

LGTM.
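
Added example (not part of the PR or of the review above): open items 2 and 4 concern handing a server-supplied URL to an OS opener and trusting OAuth responses without runtime checks. The sketch below validates a device authorization response with hand-written checks standing in for Zod, then builds an opener command as an argument array so no shell parses the URL. All function names, the origin-match rule and the `rundll32` opener choice are assumptions; field names are RFC 8628's.

```javascript
// Added illustration; every function name here is hypothetical.
function requireString(obj, key) {
  if (typeof obj[key] !== 'string' || obj[key] === '') {
    throw new TypeError(`"${key}" must be a non-empty string`);
  }
  return obj[key];
}

function requirePositiveInt(obj, key, fallback) {
  const value = obj[key] === undefined ? fallback : obj[key];
  if (!Number.isInteger(value) || value <= 0) {
    throw new TypeError(`"${key}" must be a positive integer`);
  }
  return value;
}

// Assumption: the verification page lives on the same origin as the configured server.
function checkVerificationUri(value, expectedOrigin) {
  let url;
  try { url = new URL(value); } catch { throw new TypeError('verification_uri is not a URL'); }
  if (url.protocol !== 'https:') throw new TypeError('verification_uri must use https');
  if (url.username || url.password) throw new TypeError('verification_uri carries credentials');
  if (url.origin !== expectedOrigin) throw new TypeError('verification_uri has an unexpected origin');
  return url.href; // normalized form produced by the URL parser
}

function parseDeviceAuthResponse(raw, expectedOrigin) {
  if (raw === null || typeof raw !== 'object') throw new TypeError('response must be an object');
  return {
    deviceCode: requireString(raw, 'device_code'),
    userCode: requireString(raw, 'user_code'),
    verificationUri: checkVerificationUri(requireString(raw, 'verification_uri'), expectedOrigin),
    expiresIn: requirePositiveInt(raw, 'expires_in'),
    interval: requirePositiveInt(raw, 'interval', 5), // optional in RFC 8628, default 5
  };
}

// Returns a file plus argument array intended for child_process.execFile, which
// starts the program directly, so cmd.exe or /bin/sh never interprets the URL.
function browserCommand(platform, href) {
  switch (platform) {
    case 'win32': return { file: 'rundll32', args: ['url.dll,FileProtocolHandler', href] };
    case 'darwin': return { file: 'open', args: [href] };
    default: return { file: 'xdg-open', args: [href] };
  }
}
```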
