fix: have login attempt to use browser and fallback to ticket instead of forcing tickets

[sean-roberts]

Try browser-based auth first in non-interactive environments before falling back to the agent copy/paste flow. Previously, non-interactive sessions (CI, piped input, etc.) skipped the browser entirely and went straight to the ticket/URL output. Now we attempt to open the browser and only fall back to the agent-friendly flow if it fails.

This should help agents that allow a graceful timeout situation to have a good experience

---

For us to review and ship your PR efficiently, please perform the following steps:

• Open a bug/issue before writing your code 🧑‍💻. This ensures we can discuss the changes and get feedback from everyone that should be involved. If you`re fixing a typo or something that`s on fire 🔥 (e.g. incident related), you can skip this step.
• Read the contribution guidelines 📖. This ensures your code follows our style guide and
  passes our tests.
• Update or add tests (if any source code was changed or added) 🧪
• Update or add documentation (if features were changed or added) 📝
• Make sure the status checks below are successful ✅

A picture of a cute animal (not mandatory, but encouraged)

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Bug Fixes
  • Improved login command in non-interactive environments. When automatic browser opening is unavailable, users now receive a ticket ID and clear instructions to complete authentication.

Walkthrough

The pull request modifies the authentication flow across three files. The openBrowser utility now explicitly returns a Promise<boolean> indicating success or failure. The login command removes its non-interactive fallback path that previously called loginRequest(). The BaseCommand.expensivelyAuthenticate() method now captures the openBrowser result and, when browser opening fails in non-interactive mode with a ticket ID, outputs structured JSON containing the ticket ID, authorization URL, and a check command, prints human-readable guidance, and exits immediately.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: switching login behavior to attempt browser-based authentication first before falling back to tickets in non-interactive environments.
Description check	✅ Passed	The description is directly related to the changeset, explaining the motivation for attempting browser-based auth first in non-interactive environments before fallback.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sr/cli-auth-login

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

📊 Benchmark results

Comparing with 8976f0b

• Dependency count: 1,061 (no change)
• Package size: 355 MB (no change)
• Number of ts-expect-error directives: 356 (no change)

[coderabbitai]

🧹 Nitpick comments (1)

src/commands/base-command.ts (1)

523-535: De-duplicate check_command construction to prevent drift.

netlify login --check ${ticketId} is built twice. Extracting once improves maintainability.

♻️ Proposed refactor

     if (!browserOpened && !isInteractive() && ticket.id) {
       const ticketId = ticket.id
+      const checkCommand = `netlify login --check ${ticketId}`
       logJson({
         ticket_id: ticketId,
         url: authLink,
-        check_command: `netlify login --check ${ticketId}`,
+        check_command: checkCommand,
         agent_next_steps:
           'Give the URL to the user so they can authorize. Then poll the check_command for up to ten minutes to see if the user has logged in, or wait for them to tell you and then use check_command after.',
       })
       log(`Ticket ID: ${ticketId}`)
       log(`Authorize URL: ${authLink}`)
       log()
-      log(`After authorizing, run: netlify login --check ${ticketId}`)
+      log(`After authorizing, run: ${checkCommand}`)
       log()
       log('After user opens the authorization URL and approves, the login will be complete.')
       return exit()
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/commands/base-command.ts` around lines 523 - 535, The check command
string is constructed twice causing potential drift; create a single variable
(e.g., checkCommand) after ticketId is set and use that variable in the logJson
payload (check_command) and in the subsequent log calls (the "After authorizing,
run:" line) instead of interpolating `netlify login --check ${ticketId}` inline;
update references around ticketId, logJson, and log to use checkCommand.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/commands/base-command.ts`:
- Around line 523-535: The check command string is constructed twice causing
potential drift; create a single variable (e.g., checkCommand) after ticketId is
set and use that variable in the logJson payload (check_command) and in the
subsequent log calls (the "After authorizing, run:" line) instead of
interpolating `netlify login --check ${ticketId}` inline; update references
around ticketId, logJson, and log to use checkCommand.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b1335338-40d6-4416-8ffd-388df64bb227

📥 Commits

Reviewing files that changed from the base of the PR and between 8976f0b and d3a7ac6.

📒 Files selected for processing (3)

• src/commands/base-command.ts
• src/commands/login/login.ts
• src/utils/open-browser.ts

💤 Files with no reviewable changes (1)

• src/commands/login/login.ts