Add re-auth y/N confirmation across auth provider commands

docs/plans/state.json

@@ -81,6 +81,22 @@
       "test_status": "pnpm test:run src/cli/zai-auth.test.ts + pnpm typecheck passing"
     },
 
+    "auth-commands-reauthenticate-confirmation": {
+      "status": "completed",
+      "date": "2026-02-16",
+      "updated": "2026-02-16",
+      "summary": "Extended re-auth confirmation dialog (`Re-authenticate and replace it? (y/N)`) to other auth providers/commands: openai-key, openai-auth, and anthropic-auth (API key + --token). Added tests for cancel and proceed flows across all commands.",
+      "files_modified": [
+        "src/cli/openai-key.ts",
+        "src/cli/openai-auth.ts",
+        "src/cli/anthropic-auth.ts",
+        "src/cli/openai-key.test.ts",
+        "src/cli/openai-auth.test.ts",
+        "src/cli/anthropic-auth.test.ts"
+      ],
+      "test_status": "pnpm test:run src/cli/openai-key.test.ts src/cli/anthropic-auth.test.ts src/cli/openai-auth.test.ts src/cli/zai-auth.test.ts + pnpm typecheck passing"
+    },
+
     "deployment-port-env-override": {
       "status": "completed",
       "date": "2026-02-16",

src/cli/anthropic-auth.test.ts

@@ -0,0 +1,132 @@
+import { Command } from 'commander';
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+const {
+  mockLoadStoredAnthropicAuth,
+  mockLoadStoredAnthropicAuthToken,
+  mockStoreAnthropicAuth,
+  mockStoreAnthropicAuthToken,
+} = vi.hoisted(() => ({
+  mockLoadStoredAnthropicAuth: vi.fn(),
+  mockLoadStoredAnthropicAuthToken: vi.fn(),
+  mockStoreAnthropicAuth: vi.fn(),
+  mockStoreAnthropicAuthToken: vi.fn(),
+}));
+
+const { mockCreateInterface } = vi.hoisted(() => ({
+  mockCreateInterface: vi.fn(),
+}));
+
+vi.mock('../auth/index.js', () => ({
+  loadStoredAnthropicAuth: mockLoadStoredAnthropicAuth,
+  loadStoredAnthropicAuthToken: mockLoadStoredAnthropicAuthToken,
+  storeAnthropicAuth: mockStoreAnthropicAuth,
+  storeAnthropicAuthToken: mockStoreAnthropicAuthToken,
+}));
+
+vi.mock('readline', () => ({
+  default: {
+    createInterface: mockCreateInterface,
+  },
+}));
+
+function mockReadlineAnswers(answers: string[]): void {
+  const queue = [...answers];
+  mockCreateInterface.mockImplementation(() => ({
+    question: (_prompt: string, cb: (answer: string) => void) => cb(queue.shift() ?? ''),
+    close: () => undefined,
+  }));
+}
+
+describe('anthropic-auth command', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockLoadStoredAnthropicAuth.mockReset();
+    mockLoadStoredAnthropicAuthToken.mockReset();
+    mockStoreAnthropicAuth.mockReset();
+    mockStoreAnthropicAuthToken.mockReset();
+    mockCreateInterface.mockReset();
+  });
+
+  it('cancels key re-auth when key exists and user answers no', async () => {
+    mockLoadStoredAnthropicAuth.mockReturnValue({ api_key: 'sk-ant-existing', created_at: '2026-02-16T00:00:00.000Z' });
+    mockReadlineAnswers(['n']);
+
+    const program = new Command();
+    const { registerAnthropicAuthCommand } = await import('./anthropic-auth.js');
+    registerAnthropicAuthCommand(program);
+
+    const consoleLog = vi.spyOn(console, 'log').mockImplementation(() => undefined);
+    const exitSpy = vi.spyOn(process, 'exit').mockImplementation(((code?: number) => {
+      throw new Error(`EXIT:${code ?? 0}`);
+    }) as never);
+
+    await expect(program.parseAsync(['node', 'test', 'anthropic-auth'])).rejects.toThrow('EXIT:0');
+    expect(mockStoreAnthropicAuth).not.toHaveBeenCalled();
+    expect(consoleLog).toHaveBeenCalledWith('Cancelled.');
+
+    exitSpy.mockRestore();
+    consoleLog.mockRestore();
+  });
+
+  it('stores a new key when key exists and user answers yes', async () => {
+    mockLoadStoredAnthropicAuth.mockReturnValue({ api_key: 'sk-ant-existing', created_at: '2026-02-16T00:00:00.000Z' });
+    mockReadlineAnswers(['y', 'sk-ant-new']);
+
+    const program = new Command();
+    const { registerAnthropicAuthCommand } = await import('./anthropic-auth.js');
+    registerAnthropicAuthCommand(program);
+
+    const consoleLog = vi.spyOn(console, 'log').mockImplementation(() => undefined);
+    const consoleError = vi.spyOn(console, 'error').mockImplementation(() => undefined);
+
+    await program.parseAsync(['node', 'test', 'anthropic-auth']);
+
+    expect(mockStoreAnthropicAuth).toHaveBeenCalledWith('sk-ant-new');
+    expect(consoleError).not.toHaveBeenCalled();
+
+    consoleLog.mockRestore();
+    consoleError.mockRestore();
+  });
+
+  it('cancels token re-auth when token exists and user answers no', async () => {
+    mockLoadStoredAnthropicAuthToken.mockReturnValue('tok-existing');
+    mockReadlineAnswers(['n']);
+
+    const program = new Command();
+    const { registerAnthropicAuthCommand } = await import('./anthropic-auth.js');
+    registerAnthropicAuthCommand(program);
+
+    const consoleLog = vi.spyOn(console, 'log').mockImplementation(() => undefined);
+    const exitSpy = vi.spyOn(process, 'exit').mockImplementation(((code?: number) => {
+      throw new Error(`EXIT:${code ?? 0}`);
+    }) as never);
+
+    await expect(program.parseAsync(['node', 'test', 'anthropic-auth', '--token'])).rejects.toThrow('EXIT:0');
+    expect(mockStoreAnthropicAuthToken).not.toHaveBeenCalled();
+    expect(consoleLog).toHaveBeenCalledWith('Cancelled.');
+
+    exitSpy.mockRestore();
+    consoleLog.mockRestore();
+  });
+
+  it('stores a new token when token exists and user answers yes', async () => {
+    mockLoadStoredAnthropicAuthToken.mockReturnValue('tok-existing');
+    mockReadlineAnswers(['y', 'tok-new']);
+
+    const program = new Command();
+    const { registerAnthropicAuthCommand } = await import('./anthropic-auth.js');
+    registerAnthropicAuthCommand(program);
+
+    const consoleLog = vi.spyOn(console, 'log').mockImplementation(() => undefined);
+    const consoleError = vi.spyOn(console, 'error').mockImplementation(() => undefined);
+
+    await program.parseAsync(['node', 'test', 'anthropic-auth', '--token']);
+
+    expect(mockStoreAnthropicAuthToken).toHaveBeenCalledWith('tok-new');
+    expect(consoleError).not.toHaveBeenCalled();
+
+    consoleLog.mockRestore();
+    consoleError.mockRestore();
+  });
+});

src/cli/anthropic-auth.ts

@@ -31,6 +31,14 @@ async function promptHidden(question: string): Promise<string> {
   return answer.trim();
 }
 
+async function promptYesNo(question: string): Promise<boolean> {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout, terminal: true });
+  const answer = await new Promise<string>((resolve) => rl.question(question, resolve));
+  rl.close();
+  const normalized = answer.trim().toLowerCase();
+  return normalized === 'y' || normalized === 'yes';
+}
+
 export function registerAnthropicAuthCommand(program: Command): void {
   program
     .command('anthropic-auth')
@@ -41,15 +49,21 @@ export function registerAnthropicAuthCommand(program: Command): void {
       if (opts.token) {
         if (loadStoredAnthropicAuthToken()) {
           console.log('Anthropic auth token already exists.');
-          console.log('Delete ~/.config/flynn/auth.json anthropic.auth_token entry if you want to re-authenticate.');
-          process.exit(0);
+          const confirmed = await promptYesNo('Re-authenticate and replace it? (y/N): ');
+          if (!confirmed) {
+            console.log('Cancelled.');
+            process.exit(0);
+          }
         }
       } else {
         const existing = loadStoredAnthropicAuth();
         if (existing?.api_key) {
           console.log('Anthropic API key already exists.');
-          console.log('Delete ~/.config/flynn/auth.json anthropic.api_key entry if you want to re-authenticate.');
-          process.exit(0);
+          const confirmed = await promptYesNo('Re-authenticate and replace it? (y/N): ');
+          if (!confirmed) {
+            console.log('Cancelled.');
+            process.exit(0);
+          }
         }
       }
 

src/cli/openai-auth.test.ts

@@ -0,0 +1,81 @@
+import { Command } from 'commander';
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+const { mockLoadStoredOpenAIAuth, mockLoginOpenAI } = vi.hoisted(() => ({
+  mockLoadStoredOpenAIAuth: vi.fn(),
+  mockLoginOpenAI: vi.fn(),
+}));
+
+const { mockCreateInterface } = vi.hoisted(() => ({
+  mockCreateInterface: vi.fn(),
+}));
+
+vi.mock('../auth/index.js', () => ({
+  loadStoredOpenAIAuth: mockLoadStoredOpenAIAuth,
+  loginOpenAI: mockLoginOpenAI,
+}));
+
+vi.mock('readline', () => ({
+  default: {
+    createInterface: mockCreateInterface,
+  },
+}));
+
+function mockReadlineAnswers(answers: string[]): void {
+  const queue = [...answers];
+  mockCreateInterface.mockImplementation(() => ({
+    question: (_prompt: string, cb: (answer: string) => void) => cb(queue.shift() ?? ''),
+    close: () => undefined,
+  }));
+}
+
+describe('openai-auth command', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockLoadStoredOpenAIAuth.mockReset();
+    mockLoginOpenAI.mockReset();
+    mockCreateInterface.mockReset();
+  });
+
+  it('cancels when OAuth token exists and user answers no', async () => {
+    mockLoadStoredOpenAIAuth.mockReturnValue({ access_token: 'at', refresh_token: 'rt', expires_at: Date.now() + 1000, created_at: new Date().toISOString() });
+    mockReadlineAnswers(['n']);
+
+    const program = new Command();
+    const { registerOpenaiAuthCommand } = await import('./openai-auth.js');
+    registerOpenaiAuthCommand(program);
+
+    const consoleLog = vi.spyOn(console, 'log').mockImplementation(() => undefined);
+    const exitSpy = vi.spyOn(process, 'exit').mockImplementation(((code?: number) => {
+      throw new Error(`EXIT:${code ?? 0}`);
+    }) as never);
+
+    await expect(program.parseAsync(['node', 'test', 'openai-auth'])).rejects.toThrow('EXIT:0');
+    expect(mockLoginOpenAI).not.toHaveBeenCalled();
+    expect(consoleLog).toHaveBeenCalledWith('Cancelled.');
+
+    exitSpy.mockRestore();
+    consoleLog.mockRestore();
+  });
+
+  it('starts login flow when user confirms re-authentication', async () => {
+    mockLoadStoredOpenAIAuth.mockReturnValue({ access_token: 'at', refresh_token: 'rt', expires_at: Date.now() + 1000, created_at: new Date().toISOString() });
+    mockReadlineAnswers(['y']);
+    mockLoginOpenAI.mockResolvedValue(undefined);
+
+    const program = new Command();
+    const { registerOpenaiAuthCommand } = await import('./openai-auth.js');
+    registerOpenaiAuthCommand(program);
+
+    const consoleLog = vi.spyOn(console, 'log').mockImplementation(() => undefined);
+    const consoleError = vi.spyOn(console, 'error').mockImplementation(() => undefined);
+
+    await program.parseAsync(['node', 'test', 'openai-auth']);
+
+    expect(mockLoginOpenAI).toHaveBeenCalledOnce();
+    expect(consoleError).not.toHaveBeenCalled();
+
+    consoleLog.mockRestore();
+    consoleError.mockRestore();
+  });
+});

src/cli/openai-auth.ts

@@ -1,6 +1,15 @@
 import type { Command } from 'commander';
+import readline from 'readline';
 import { loadStoredOpenAIAuth, loginOpenAI } from '../auth/index.js';
 
+async function promptYesNo(question: string): Promise<boolean> {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout, terminal: true });
+  const answer = await new Promise<string>((resolve) => rl.question(question, resolve));
+  rl.close();
+  const normalized = answer.trim().toLowerCase();
+  return normalized === 'y' || normalized === 'yes';
+}
+
 export function registerOpenaiAuthCommand(program: Command): void {
   program
     .command('openai-auth')
@@ -9,8 +18,11 @@ export function registerOpenaiAuthCommand(program: Command): void {
       const existing = loadStoredOpenAIAuth();
       if (existing) {
         console.log('OpenAI OAuth token already exists.');
-        console.log('Delete ~/.config/flynn/auth.json openai entry if you want to re-authenticate.');
-        process.exit(0);
+        const confirmed = await promptYesNo('Re-authenticate and replace it? (y/N): ');
+        if (!confirmed) {
+          console.log('Cancelled.');
+          process.exit(0);
+        }
       }
 
       console.log('Starting OpenAI OAuth device flow...');

src/cli/openai-key.test.ts

@@ -0,0 +1,80 @@
+import { Command } from 'commander';
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+const { mockLoadStoredOpenAIApiKey, mockStoreOpenAIApiKey } = vi.hoisted(() => ({
+  mockLoadStoredOpenAIApiKey: vi.fn(),
+  mockStoreOpenAIApiKey: vi.fn(),
+}));
+
+const { mockCreateInterface } = vi.hoisted(() => ({
+  mockCreateInterface: vi.fn(),
+}));
+
+vi.mock('../auth/index.js', () => ({
+  loadStoredOpenAIApiKey: mockLoadStoredOpenAIApiKey,
+  storeOpenAIApiKey: mockStoreOpenAIApiKey,
+}));
+
+vi.mock('readline', () => ({
+  default: {
+    createInterface: mockCreateInterface,
+  },
+}));
+
+function mockReadlineAnswers(answers: string[]): void {
+  const queue = [...answers];
+  mockCreateInterface.mockImplementation(() => ({
+    question: (_prompt: string, cb: (answer: string) => void) => cb(queue.shift() ?? ''),
+    close: () => undefined,
+  }));
+}
+
+describe('openai-key command', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockLoadStoredOpenAIApiKey.mockReset();
+    mockStoreOpenAIApiKey.mockReset();
+    mockCreateInterface.mockReset();
+  });
+
+  it('cancels when key exists and user answers no', async () => {
+    mockLoadStoredOpenAIApiKey.mockReturnValue('sk-existing');
+    mockReadlineAnswers(['n']);
+
+    const program = new Command();
+    const { registerOpenaiKeyCommand } = await import('./openai-key.js');
+    registerOpenaiKeyCommand(program);
+
+    const consoleLog = vi.spyOn(console, 'log').mockImplementation(() => undefined);
+    const exitSpy = vi.spyOn(process, 'exit').mockImplementation(((code?: number) => {
+      throw new Error(`EXIT:${code ?? 0}`);
+    }) as never);
+
+    await expect(program.parseAsync(['node', 'test', 'openai-key'])).rejects.toThrow('EXIT:0');
+    expect(mockStoreOpenAIApiKey).not.toHaveBeenCalled();
+    expect(consoleLog).toHaveBeenCalledWith('Cancelled.');
+
+    exitSpy.mockRestore();
+    consoleLog.mockRestore();
+  });
+
+  it('stores a new key when user confirms re-authentication', async () => {
+    mockLoadStoredOpenAIApiKey.mockReturnValue('sk-existing');
+    mockReadlineAnswers(['y', 'sk-new']);
+
+    const program = new Command();
+    const { registerOpenaiKeyCommand } = await import('./openai-key.js');
+    registerOpenaiKeyCommand(program);
+
+    const consoleLog = vi.spyOn(console, 'log').mockImplementation(() => undefined);
+    const consoleError = vi.spyOn(console, 'error').mockImplementation(() => undefined);
+
+    await program.parseAsync(['node', 'test', 'openai-key']);
+
+    expect(mockStoreOpenAIApiKey).toHaveBeenCalledWith('sk-new');
+    expect(consoleError).not.toHaveBeenCalled();
+
+    consoleLog.mockRestore();
+    consoleError.mockRestore();
+  });
+});

src/cli/openai-key.ts

@@ -26,6 +26,14 @@ async function promptHidden(question: string): Promise<string> {
   return answer.trim();
 }
 
+async function promptYesNo(question: string): Promise<boolean> {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout, terminal: true });
+  const answer = await new Promise<string>((resolve) => rl.question(question, resolve));
+  rl.close();
+  const normalized = answer.trim().toLowerCase();
+  return normalized === 'y' || normalized === 'yes';
+}
+
 export function registerOpenaiKeyCommand(program: Command): void {
   program
     .command('openai-key')
@@ -34,8 +42,11 @@ export function registerOpenaiKeyCommand(program: Command): void {
       const existing = loadStoredOpenAIApiKey();
       if (existing) {
         console.log('OpenAI API key already exists.');
-        console.log('Delete ~/.config/flynn/auth.json openai.api_key entry if you want to re-authenticate.');
-        process.exit(0);
+        const confirmed = await promptYesNo('Re-authenticate and replace it? (y/N): ');
+        if (!confirmed) {
+          console.log('Cancelled.');
+          process.exit(0);
+        }
       }
 
       console.log('OpenAI uses API keys for standard API access.');