Add interactive login

[ramilamparo]

Summary

Adds interactive qasphere auth commands for login, logout, and status — replacing the need to manually manage API keys and environment variables.

Login methods

• Device Authorization Grant (RFC 8628) — default flow. Opens a browser to the QA Sphere verification page, displays a user code, and polls until the user approves. No secrets typed into the terminal.
• API Key (--api-key flag) — prompts for team name and API key directly (hidden input).

Credential storage

Credentials are persisted in priority order:

1. System keyring (@napi-rs/keyring) — preferred, used when the OS keyring daemon is available
2. File fallback (~/.config/qasphere/credentials.json) — restricted permissions (0600), used when keyring is unavailable

Credential resolution

resolveCredentialSource() checks sources in priority order:

1. QAS_TOKEN + QAS_URL environment variables
2. .env file in cwd
3. System keyring
4. ~/.config/qasphere/credentials.json
5. .qaspherecli file (searched up directory tree)

Auth subcommands

Command	Description
qasphere auth login	Device authorization flow (browser-based)
qasphere auth login --api-key	Direct API key entry
qasphere auth status	Shows current auth source and validates the API key
qasphere auth logout	Clears keyring or file credentials; warns if env-based credentials remain

[claude]

Code Review: Add interactive login

• Read review instructions
• Gather full PR diff and context
• Run specialized review subagents (code quality, security, performance, test coverage)
• Aggregate findings and post review with inline comments
• Clean up outdated bot comments and threads

Running specialized review subagents...

View job run

[claude]

Claude finished @ramilamparo's task in 4m 10s —— View job

---

Code Review: Add interactive login

• Read review instructions
• Gather PR diff and context
• Run code review (quality, security, performance, test coverage)
• Aggregate findings and post review with inline comments
• Clean up outdated bot reviews and progress comments

The latest commit (f35cc5e — "Check suspended flag") is a small, focused addition: checkTenant now returns a suspended boolean alongside the tenant URL, and resolveTenantUrl fails fast with a clear error message when a suspended team is detected. The change is well-tested — the new suspended team shows error case in auth-e2e.spec.ts:383 exercises the fail path end-to-end.

Nothing new worth flagging on top of prior reviews. The two remaining items from the previous review — HTTPS enforcement on the resolved tenant origin (oauth.ts:83) and auth status exiting on refresh failure (auth.ts:162) — have been reviewed and waved off by the author as intentional, so I haven't re-raised them.

LGTM. Submitted as an APPROVE review. Minimized 7 outdated bot review summaries and deleted 1 progress tracking comment.

[claude]

Code Review: Add interactive login

The latest commit (f35cc5e — "Check suspended flag") is a small, focused addition: checkTenant now returns a suspended boolean alongside the tenant URL, and resolveTenantUrl fails fast with a clear error message when a suspended team is detected. The change is well-tested — the new suspended team shows error case in auth-e2e.spec.ts:383 exercises the fail path end-to-end.

Nothing new worth flagging on top of prior reviews. The two remaining items from the previous review — HTTPS enforcement on the resolved tenant origin (oauth.ts:83) and auth status exiting on refresh failure (auth.ts:162) — have been reviewed and waved off by the author as intentional, so I won't re-raise them.

LGTM.