fix: apply .toclirc and saved profile auth to API requests

[lucianfialho]

Summary

• Fixed auth resolution to use all configured auth sources (.toclirc token, .toclirc envVar, auth login profiles), not just inline --token/--api-key flags
• Added auth.token field support in .toclirc for direct token configuration
• Replaced local resolveAuth() in index.ts with the proper one from auth/flags.ts that handles the full priority chain

Changes

• src/index.ts — Replaced local resolveAuth() with async resolveAuthFromFlags(), passing .toclirc auth config
• src/auth/flags.ts — Added rcAuthType, rcAuthToken, rcAuthEnvVar fields to AuthFlags; added priority 2 resolution for .toclirc auth
• src/config/rc.ts — Added token field to RcConfig.auth; resolveConfig() now returns authType and authToken
• src/auth/auth.test.ts — 7 new tests for .toclirc auth resolution
• src/config/config.test.ts — 2 new tests for resolveConfig auth token support

Test plan

• All 90 tests pass (82 existing + 8 new)
• Build passes clean
• Manual: create .toclirc with auth.token, verify requests include Bearer header
• Manual: create .toclirc with auth.envVar, set env var, verify auth works
• Manual: run auth login --token <tok>, verify subsequent requests use saved token

Closes #16

---

🤖 Implemented by Claude Code dev-pipeline

[lucianfialho]

@claude

[lucianfialho]

@claude Review this PR

[lucianfialho]

@claude review this pr

[claude]

Claude finished @lucianfialho's task in 1m 35s —— View job

---

PR Review

• Read changed files
• Analyze diff and logic
• Check tests
• Post review feedback

---

The fix correctly addresses the core bug: .toclirc auth config and saved profiles were being ignored. The overall approach is sound — threading rcAuthType, rcAuthToken, and rcAuthEnvVar from resolveConfig() through to resolveAuth() is clean and keeps auth resolution in one place. Tests cover the priority chain well. A few issues worth addressing:

---

Bug: .toclirc auth skipped when --spec is provided

src/index.ts lines 67–77

if (!specPath) {
  const rc = await loadConfig();
  if (rc) {
    const resolved = resolveConfig(rc, envName);
    specPath = resolved.spec;
    configBaseUrl = resolved.baseUrl;
    rcAuthType = resolved.authType;
    // ...
  }
}

.toclirc is only loaded when --spec is absent. If a user has .toclirc with auth config but runs spec2cli --spec ./api.yaml pets list, the auth is silently ignored. This is likely unintentional — the auth block in .toclirc should still apply regardless of how the spec is provided.

Fix this →

---

Design: Double env-var resolution on authToken

resolveConfig() in rc.ts pre-resolves env vars in authToken at config load time (line 57), and then resolveAuth() in flags.ts resolves them again (line 35). This works fine today since the regex is idempotent on already-resolved strings, but if a resolved value happens to contain something like $VAR, it could silently mangle it. The cleaner approach is to resolve env vars in one place — either skip the early resolution in rc.ts for auth tokens and rely on flags.ts, or pass the resolved value as-is and skip re-resolution in flags.ts.

---

Security: Plaintext token in .toclirc

The new auth.token field in .toclirc stores a secret in a project-level config file that may be committed to version control. The documentation / --help output should warn users to use auth.envVar or auth login profiles for sensitive tokens, and .toclirc with auth.token should ideally be added to .gitignore by the init command.

---

Minor: resolveEnvVars in rc.ts uses process.env directly

src/config/rc.ts lines 81–86

function resolveEnvVars(value: string): string {
  return value.replace(..., (_, braced, plain) => {
    const name = braced ?? plain;
    return process.env[name] ?? "";  // ← not injectable
  });
}

Unlike the equivalent function in flags.ts which accepts env: NodeJS.ProcessEnv, this one reads process.env directly. This makes it harder to unit-test in isolation (tests have to stub the real env) and is inconsistent with the overall pattern. Low priority, but worth aligning.

---

Minor: Missing test — rcAuthEnvVar not set in environment

There's a test for when the env var IS set, but not for the fallthrough case when rcAuthEnvVar is configured but the env var is absent. The current code silently falls through to Priority 3 (spec-detected auth). A test documenting this behavior would prevent regressions.

---

Tests — overall good

The 7 new auth tests and 2 config tests are well-structured, use isolated temp dirs, and cover the priority chain clearly. The test at line 107 (".toclirc auth takes priority over saved profile") is especially useful.

Summary: The core fix is correct. The main issue to address before merging is the --spec bypass (bug), and the plaintext token security concern (UX/docs). The rest are improvements.