fix: harden auth flow and standardize CLI language #6

Merged: malinosqui merged 4 commits into main from fix/auth-reliability-and-i18n on Feb 18, 2026
@malinosqui malinosqui commented Feb 18, 2026

Summary

  • hardens auth mode switching between personal login and team key
  • prioritizes personal login token and adds safe refresh deduplication
  • makes credential/config persistence more resilient (atomic writes + self-heal malformed JSON)
  • standardizes CLI/API surfaced language to English and avoids backend message leakage
  • adds broad auth-focused test coverage for commands, services, API headers, and persistence

Key changes

  • AuthService now:
    • uses personal credentials first
    • deduplicates concurrent refresh calls
    • clears team config on successful login
    • clears both credentials and team config on logout
  • auth team-key now clears stale personal credentials after successful setup
  • API client now normalizes auth-related HTTP errors to deterministic English CLI messages
  • pr suggestions now supports both auth headers (Authorization and X-Team-Key)
  • removed remaining PT-BR comments/strings from runtime code paths

Tests

  • npm test
  • npm run build
  • added new tests:
    • src/commands/tests/auth.login-logout.test.ts
    • src/commands/tests/auth.team-key.test.ts
    • src/services/api/tests/api.real.test.ts
    • src/utils/tests/config.test.ts
    • src/utils/tests/credentials.test.ts

This pull request significantly hardens the CLI's authentication flow and standardizes its language for improved reliability and user experience.

Key changes include:

  • Enhanced Authentication Reliability:

    • Conflict Resolution: When a user logs in with an account, any existing team key configuration is automatically cleared. Conversely, setting a team key now clears any existing user login credentials, ensuring a single, consistent authentication method is active.
    • Comprehensive Logout: The auth logout command now removes both user login credentials and any configured team key, providing a complete local authentication reset.
    • Intelligent Token Handling: The getValidToken logic has been refined to prioritize valid user access tokens. If an access token is expired, it attempts to refresh it; if the refresh fails, it gracefully falls back to a configured team key.
    • Concurrent Refresh Deduplication: Implemented a mechanism to prevent multiple concurrent token refresh requests, improving efficiency and preventing race conditions.
    • Improved Login Prompts: The auth login command now provides more informative prompts when a user is already authenticated, distinguishing between user account and team key sessions and offering clear options for switching.
  • Self-Healing Configuration and Credentials:

    • Atomic File Writes: Implemented atomic write operations for config.json and credentials.json using temporary files and renames. This prevents file corruption if the CLI process crashes during a write operation.
    • Malformed JSON Recovery: Added self-healing logic to automatically detect and isolate corrupted config.json and credentials.json files (by renaming them to .corrupted files). This allows the CLI to recover gracefully from malformed data by treating it as if no configuration or credentials exist, preventing startup failures.
  • Standardized CLI Language and Error Messages:

    • Consistent API Error Handling: Introduced a new mechanism to normalize API error messages, ensuring that authentication, permission, and server-side errors are consistently presented in clear, user-friendly English, regardless of the backend's original message.
    • Updated Command Descriptions: Modified auth logout description and other CLI output messages for clarity and consistency (e.g., "Not logged in" changed to "Not authenticated").
    • Comment Standardization: Translated minor comments in git.service.ts from Portuguese to English.
  • Robust API Interaction:

    • Ensured the RealApi correctly sends either Authorization: Bearer (for user tokens) or X-Team-Key (for team keys) headers based on the authentication token type, improving API request accuracy.
  • Expanded Test Coverage:

    • Added comprehensive unit tests for auth login, auth logout, auth team-key, auth team-status, AuthService, RealApi authentication headers, and the config and credentials utility functions, validating the new behaviors and ensuring stability.
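
The atomic-write and malformed-JSON recovery behaviour described above, as an added sketch that is not the project's own code. The function names and temp-file naming are assumptions; the `.corrupted` suffix follows the description.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Write to a temp file in the same directory, then rename over the target. A crash
// leaves either the old file or the new one, never a half-written credentials.json.
function writeJsonAtomic(file: string, data: unknown): void {
  const tmp = `${file}.${process.pid}.tmp`;
  const fd = fs.openSync(tmp, "w", 0o600); // secrets: owner read/write only
  try {
    fs.writeSync(fd, JSON.stringify(data, null, 2));
    fs.fsyncSync(fd); // data reaches disk before the rename publishes it
  } finally {
    fs.closeSync(fd);
  }
  fs.renameSync(tmp, file);
}

// Parse failures quarantine the file and read as "nothing stored"; I/O errors other
// than a missing file still throw, so a permission problem is not mistaken for logout.
function readJsonSelfHealing<T>(file: string): T | null {
  let raw: string;
  try {
    raw = fs.readFileSync(file, "utf8");
  } catch (err) {
    if ((err as { code?: string }).code === "ENOENT") return null;
    throw err;
  }
  try {
    return JSON.parse(raw) as T;
  } catch {
    fs.renameSync(file, `${file}.corrupted`); // keeps original mode; still holds secrets
    return null;
  }
}

// Constructed scenario in a throwaway directory: round trip, then a truncated file.
function demoSelfHeal(): { roundTrip: string | null; afterCorruption: unknown; quarantined: boolean } {
  const file = path.join(fs.mkdtempSync(path.join(os.tmpdir(), "cli-auth-")), "credentials.json");
  writeJsonAtomic(file, { accessToken: "constructed-token" });
  const roundTrip = readJsonSelfHealing<{ accessToken: string }>(file)?.accessToken ?? null;
  fs.writeFileSync(file, '{"accessToken": "constr'); // simulate an interrupted plain write
  const afterCorruption = readJsonSelfHealing(file);
  return { roundTrip, afterCorruption, quarantined: fs.existsSync(`${file}.corrupted`) };
}
```

The quarantined file can still contain a usable token, so it needs the same permissions and cleanup policy as the live credentials file.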

kody-ai bot commented Feb 18, 2026

kody code-review Kody Rules critical

This pull request introduces the use of the KODUS_VERBOSE environment variable in src/services/api/api.real.ts. Please check with @Wellington01 to determine if this variable needs to be documented and configured in the self-hosted deployment environment. Kody Rule violation: Check for environment variable updates

kody-ai bot commented Feb 18, 2026

kody code-review Kody Rules critical

The pull request description does not contain a reference to a GitHub issue. Please edit the description to include a closing keyword like Closes #123 or Fixes #123 to ensure the issue is automatically closed upon merging. Kody Rule violation: Ensure PR closes referenced issues

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: abc4844508

Comment on lines 44 to 47:

    try {
      await clearCredentials();
    } catch {
      // Best effort cleanup.

[P2] Fail team-key setup when credential cleanup fails

getValidToken() now prefers stored user credentials over team keys, so swallowing errors from clearCredentials() can leave the old login token active while still printing a successful team-key authentication message. If credentials.json cannot be removed (for example due to file locking/permission issues), users think they switched modes but subsequent API calls continue using the stale bearer token.
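
The token priority and refresh deduplication from the PR description, together with the fail-closed team-key setup this review comment asks for, as an added sketch that is not the project's own code. `Store`, `createAuthFlow` and `memoryStore` are hypothetical names; only `getValidToken` and `clearCredentials` come from the page.

```typescript
type Token = { kind: "user" | "team"; value: string };
type Creds = { accessToken: string; refreshToken: string; expiresAt: number };
interface Store { // hypothetical persistence layer, not the project's API
  loadCreds(): Creds | null;
  saveCreds(c: Creds): void;
  clearCredentials(): void; // may throw, e.g. locked file or bad permissions
  loadTeamKey(): string | null;
  saveTeamKey(k: string): void;
}

function createAuthFlow(store: Store, refreshFn: (refreshToken: string) => Promise<Creds>) {
  let inflight: Promise<Creds> | null = null;
  // Concurrent callers share one in-flight refresh instead of each sending a request.
  function refresh(refreshToken: string): Promise<Creds> {
    if (inflight) return inflight;
    const p = refreshFn(refreshToken)
      .then((c) => { store.saveCreds(c); return c; })
      .finally(() => { inflight = null; });
    inflight = p;
    return p;
  }

  // Priority: valid user token, then refreshed user token, then team key.
  async function getValidToken(now: number = Date.now()): Promise<Token | null> {
    const creds = store.loadCreds();
    if (creds && creds.expiresAt > now) return { kind: "user", value: creds.accessToken };
    const fresh = creds ? await refresh(creds.refreshToken).catch(() => null) : null;
    if (fresh) return { kind: "user", value: fresh.accessToken };
    const key = store.loadTeamKey();
    return key ? { kind: "team", value: key } : null;
  }

  // Fail closed: user credentials win in getValidToken, so confirm they are gone first.
  function setTeamKey(key: string): void {
    store.clearCredentials(); // errors propagate instead of being swallowed
    if (store.loadCreds()) throw new Error("user credentials still present");
    store.saveTeamKey(key);
  }
  return { refresh, getValidToken, setTeamKey };
}

// Constructed in-memory Store; clearFails simulates a credentials file that cannot be removed.
const memoryStore = (creds: Creds | null, teamKey: string | null, clearFails = false): Store => ({
  loadCreds: () => creds,
  saveCreds: (c) => { creds = c; },
  clearCredentials: () => { if (clearFails) throw new Error("EPERM"); creds = null; },
  loadTeamKey: () => teamKey,
  saveTeamKey: (k) => { teamKey = k; },
});
```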

kody-ai bot commented Feb 18, 2026

kody code-review Kody Rules critical

This pull request does not seem to reference any issue. Please add a closing keyword like 'Closes #123' or 'Fixes #123' to the PR description to automatically link and close the relevant issue upon merging. Kody Rule violation: Ensure PR closes referenced issues

kody-ai bot commented Feb 18, 2026

kody code-review Kody Rules critical

The pull request description does not contain a reference to a GitHub issue. Please add a closing statement like 'Closes #123' or 'Fixes #123' to automatically link and close the relevant issue upon merging. Kody Rule violation: Ensure PR closes referenced issues

kody-ai bot commented Feb 18, 2026

Kody Review Complete

Great news! 🎉
No issues were found that match your current review configurations.

Keep up the excellent work! 🚀

kody-ai bot commented Feb 18, 2026

kody code-review Kody Rules critical

The pull request description does not contain a reference to a GitHub issue (e.g., #123) or a closing keyword (e.g., 'Closes #123', 'Fixes #123'). Please update the description to link to the relevant issue. Kody Rule violation: Ensure PR closes referenced issues

@malinosqui malinosqui merged commit f7bd1f4 into main Feb 18, 2026
5 checks passed