feat(cli): default relayfile login to cloud browser flow

[khaliqgant]

Summary

• relayfile login with no --token (and no RELAYFILE_TOKEN) now runs the cloud browser sign-in flow instead of blocking on an API key: stdin prompt — same flow relayfile setup already uses.
• Legacy API-key path is preserved: pass --token (or set RELAYFILE_TOKEN) for the scriptable, non-interactive flow, or pass --api-key to opt back into the interactive prompt for self-hosted servers.
• Adds --cloud-api-url, --cloud-token, --no-open, --login-timeout flags mirroring setup so the two commands behave consistently.

Why

A user expected relayfile login to "just log me in" via the browser, the way setup does. Today it forces the user to find and paste an API key, which is awkward for cloud users (they don't routinely have one) and surprising given that the cloud OAuth-style flow already exists in the binary — it just wasn't wired into login.

Behavior matrix

Invocation	Behavior
relayfile login	Cloud browser flow → cloud creds saved (new default)
relayfile login --token X --server Y	Validate X against Y/health, save server creds (unchanged)
RELAYFILE_TOKEN=X relayfile login	Same as above, server defaults to RELAYFILE_SERVER (unchanged)
relayfile login --api-key --server Y	Prompt for API key on stdin, validate, save server creds (legacy interactive opt-in)
relayfile login --cloud-token X	Skip browser, save cloud creds with token X (parity with setup --cloud-token)

Test plan

• go test ./cmd/relayfile-cli/ — full suite passes
• New TestLoginWithExplicitTokenPersistsServerCreds — --token still hits /health and writes ~/.relayfile/credentials.json, no cloud creds touched
• New TestLoginDefaultsToCloudBrowserFlow — bare relayfile login (with --cloud-token to bypass the browser in CI) writes cloud creds and prints "Signed in to Relayfile Cloud"
• New TestLoginAPIKeyFlagPromptsForToken — --api-key opt-in still drops into the interactive prompt
• Manual: run relayfile login against staging cloud and confirm the browser opens and cloud creds land at ~/.relayfile/cloud_credentials.json

🤖 Generated with Claude Code

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

The relayfile login command is refactored to default to cloud browser authentication when no --token is provided. Legacy server-credential paths remain available: explicit --token directly, or interactive prompt via --api-key. A new loginWithAPIKey helper encapsulates server health checks and credential persistence, and three unit tests validate each path.

Changes

Login Control Flow Refactoring

Layer / File(s)	Summary
Help Text Updates cmd/relayfile-cli/main.go	Usage documentation updated to describe login as cloud browser flow (with --api-key self-hosted alternative).
Login Control Flow cmd/relayfile-cli/main.go	runLogin refactored into three explicit branches: --token for legacy server auth, --api-key for interactive prompt, default to cloud browser with ensureCloudCredentials.
Server Credential Helper cmd/relayfile-cli/main.go	New loginWithAPIKey helper normalizes server URL, validates health endpoint, and persists server credentials.
Login Path Tests cmd/relayfile-cli/main_test.go	Three tests cover explicit token path (health/server creds), default cloud path (cloud creds), and interactive API-key path (stdin prompt/server creds).
Trajectory Documentation .trajectories/completed/2026-05/traj_4vdcwo2iy630.*, .trajectories/index.json	Completed trajectory entry documents the login refactoring, control-flow decision, flags, tests, and task metadata.

Sequence Diagram

sequenceDiagram
  participant User
  participant CLI as login CLI
  participant Server
  participant Cloud as Cloud API
  
  User->>CLI: login --token abc123
  CLI->>Server: GET /health (Bearer abc123)
  Server-->>CLI: 200 OK
  CLI->>CLI: saveCredentials (server)
  
  User->>CLI: login (no flags)
  CLI->>Cloud: ensureCloudCredentials
  Cloud-->>CLI: cloud sign-in flow
  CLI->>CLI: saveCredentials (cloud)
  
  User->>CLI: login --api-key --server myhost
  CLI->>User: [prompt] API Key:
  User-->>CLI: key123
  CLI->>Server: GET /health (Bearer key123)
  Server-->>CLI: 200 OK
  CLI->>CLI: saveCredentials (server)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Three paths to login now unfold,
Cloud browser dances, bright and bold,
Legacy tokens stand by still,
While API-key respects your will—
A clearer flow, both clean and spry!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 42.86% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat(cli): default relayfile login to cloud browser flow' accurately and concisely summarizes the main change: making the cloud browser flow the default behavior for relayfile login when no token is provided.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, clearly explaining the motivation, behavior changes, testing approach, and impact of defaulting relayfile login to the cloud browser flow.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch login-cloud-fallback

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.