fix: validate API key against Resend API before saving

[Bensonn5151]

The login command accepted any key with the re_ prefix without verifying it against the API. The Resend SDK returns errors in the response object rather than throwing exceptions, so the try/catch block never caught invalid keys.

Check the error field in the response from resend.domains.list() and exit with validation_failed if the API rejects the key.

Fixes #70

---

Summary by cubic

Validate the API key during login by calling the Resend API and reject invalid keys before saving. This prevents saving bad keys and shows a clear validation error from the API.

• Bug Fixes
  • Read { error } from resend.domains.list(); on error, fail the spinner, outputError with code validation_failed, and return to avoid the "valid" message and skip writing credentials.
  • Tests mock overrideable resend responses and add an invalid-key case; assert exit code 1, the validation_failed error, and no credentials file.

^{Written for commit f4a361b. Summary will update on new commits.}

[cubic-dev-ai]

1 issue found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="tests/commands/auth/login.test.ts">

<violation number="1" location="tests/commands/auth/login.test.ts:81">
P2: Invalid-key regression test does not verify that credentials are not persisted, leaving the PR’s core guarantee unprotected.</violation>
</file>

---

Since this is your first cubic review, here's how it works:

• cubic automatically reviews your code and comments on bugs and improvements
• Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
• Add one-off context when rerunning by tagging @cubic-dev-ai with guidance or docs links (including llms.txt)
• Ask questions if you need clarification on any suggestion

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[kevkevinpal]

I was able to test this, and it looks good to me

Before:
I was able to log in and save credentials with any token prefixed with re_

After

pnpm dev login --json

> resend-cli@1.4.1 dev /mnt/shared_drive/DEVDIR/resend-cli
> tsx src/cli.ts login --json

┌  Resend Authentication
│
●  Existing API key found (source: config). Enter a new key to replace it.
│
◇  How would you like to get your API key?
│  Enter API key manually
│
◇  Enter your Resend API key:
│  ▪▪▪▪▪▪
  ✗ API key validation failed
{
  "error": {
    "message": "API key is invalid",
    "code": "validation_failed"
  }
}
 ELIFECYCLE  Command failed with exit code 1.
 ```

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="src/commands/auth/login.ts">

<violation number="1" location="src/commands/auth/login.ts:150">
P2: Validation uses `domains.list()` and now hard-fails on any error, which rejects valid `sending_access` API keys that lack domain-read permissions.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}