feat(auth): add anthropic api key storage and cli auth

src/auth/anthropic.test.ts

@@ -0,0 +1,50 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import { mkdtempSync, statSync } from 'fs';
+import { tmpdir } from 'os';
+import { join } from 'path';
+
+describe('auth/anthropic', () => {
+  const originalHome = process.env.HOME;
+  const originalEnvKey = process.env.ANTHROPIC_API_KEY;
+
+  let homeDir: string;
+
+  beforeEach(() => {
+    homeDir = mkdtempSync(join(tmpdir(), 'flynn-auth-anthropic-'));
+    process.env.HOME = homeDir;
+    delete process.env.ANTHROPIC_API_KEY;
+    vi.resetModules();
+  });
+
+  afterEach(() => {
+    process.env.HOME = originalHome;
+    if (originalEnvKey) {
+      process.env.ANTHROPIC_API_KEY = originalEnvKey;
+    } else {
+      delete process.env.ANTHROPIC_API_KEY;
+    }
+  });
+
+  it('stores, loads, and clears Anthropic API key', async () => {
+    const mod = await import('./anthropic.js');
+
+    expect(mod.loadStoredAnthropicAuth()).toBeNull();
+
+    mod.storeAnthropicAuth('sk-test');
+    expect(mod.loadStoredAnthropicAuth()?.api_key).toBe('sk-test');
+
+    const authFile = join(homeDir, '.config/flynn/auth.json');
+    const mode = statSync(authFile).mode & 0o777;
+    expect(mode).toBe(0o600);
+
+    mod.clearAnthropicAuth();
+    expect(mod.loadStoredAnthropicAuth()).toBeNull();
+  });
+
+  it('getAnthropicApiKey prefers environment variable', async () => {
+    process.env.ANTHROPIC_API_KEY = 'sk-env';
+    const mod = await import('./anthropic.js');
+    expect(mod.getAnthropicApiKey()).toBe('sk-env');
+  });
+});
+

src/auth/anthropic.ts

@@ -0,0 +1,72 @@
+import { readFileSync, writeFileSync, mkdirSync, chmodSync } from 'fs';
+import { resolve } from 'path';
+import { homedir } from 'os';
+
+const AUTH_DIR = resolve(homedir(), '.config/flynn');
+const AUTH_FILE = resolve(AUTH_DIR, 'auth.json');
+
+export interface AnthropicAuthInfo {
+  /** Anthropic API key. */
+  api_key: string;
+  created_at: string;
+}
+
+interface AuthStore {
+  anthropic?: AnthropicAuthInfo;
+  [key: string]: unknown;
+}
+
+function safeJsonParse<T>(raw: string): T | null {
+  try {
+    return JSON.parse(raw) as T;
+  } catch {
+    return null;
+  }
+}
+
+function readAuthStore(): AuthStore {
+  try {
+    const raw = readFileSync(AUTH_FILE, 'utf-8');
+    const parsed = safeJsonParse<AuthStore>(raw);
+    return parsed ?? {};
+  } catch {
+    return {};
+  }
+}
+
+function writeAuthStore(store: AuthStore): void {
+  mkdirSync(AUTH_DIR, { recursive: true });
+  writeFileSync(AUTH_FILE, JSON.stringify(store, null, 2) + '\n', 'utf-8');
+  chmodSync(AUTH_FILE, 0o600);
+}
+
+export function loadStoredAnthropicAuth(): AnthropicAuthInfo | null {
+  const store = readAuthStore();
+  return store.anthropic ?? null;
+}
+
+export function storeAnthropicAuth(apiKey: string): void {
+  const trimmed = apiKey.trim();
+  if (!trimmed) {
+    throw new Error('Anthropic API key is empty');
+  }
+  const store = readAuthStore();
+  store.anthropic = { api_key: trimmed, created_at: new Date().toISOString() };
+  writeAuthStore(store);
+}
+
+export function clearAnthropicAuth(): void {
+  const store = readAuthStore();
+  delete store.anthropic;
+  writeAuthStore(store);
+}
+
+/**
+ * Get an Anthropic API key from any available source.
+ * Priority: ANTHROPIC_API_KEY → stored auth.json.
+ */
+export function getAnthropicApiKey(): string | null {
+  return process.env.ANTHROPIC_API_KEY
+    ?? loadStoredAnthropicAuth()?.api_key
+    ?? null;
+}

src/auth/index.ts

@@ -1,3 +1,11 @@
+export {
+  loadStoredAnthropicAuth,
+  storeAnthropicAuth,
+  clearAnthropicAuth,
+  getAnthropicApiKey,
+  type AnthropicAuthInfo,
+} from './anthropic.js';
+
 export {
   requestDeviceCode,
   pollForToken,