reportify-cli 0.1.44__tar.gz → 0.1.45__tar.gz

{reportify_cli-0.1.44 → reportify_cli-0.1.45}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: reportify-cli
-Version: 0.1.44
+Version: 0.1.45
 Summary: CLI wrapper for Reportify SDK - Access Reportify API through command line
 Project-URL: Homepage, https://reportify.ai
 Project-URL: Documentation, https://docs.reportify.ai
@@ -23,7 +23,7 @@ Classifier: Topic :: Software Development :: Libraries :: Python Modules
 Requires-Python: >=3.10
 Requires-Dist: pandas>=2.0.0
 Requires-Dist: python-dotenv>=1.2.1
-Requires-Dist: reportify-sdk>=0.3.46
+Requires-Dist: reportify-sdk>=0.3.49
 Requires-Dist: tabulate>=0.9.0
 Requires-Dist: typer>=0.21.1
 Description-Content-Type: text/markdown

{reportify_cli-0.1.44 → reportify_cli-0.1.45}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "reportify-cli"
-version = "0.1.44"
+version = "0.1.45"
 description = "CLI wrapper for Reportify SDK - Access Reportify API through command line"
 readme = "README.md"
 requires-python = ">=3.10"
@@ -30,7 +30,7 @@ classifiers = [
     "Topic :: Software Development :: Libraries :: Python Modules",
 ]
 dependencies = [
-    "reportify-sdk>=0.3.46",
+    "reportify-sdk>=0.3.49",
     "typer>=0.21.1",
     "pandas>=2.0.0",
     "python-dotenv>=1.2.1",

reportify_cli-0.1.45/src/auth_config.py

@@ -0,0 +1,150 @@
+"""Reportify CLI 凭证文件读写。
+
+存储位置：``~/.reportify/config`` (INI 格式)，权限 0600。
+
+```ini
+[default]
+api_key = 12345abcdef...
+user_id = 12345
+nickname = Foo
+email = foo@bar.com
+subscription_tier = plus
+```
+
+仅 first-party CLI 内部使用；Skill 不要直接读这个文件，应通过 ``reportify-cli`` 间接使用。
+"""
+
+from __future__ import annotations
+
+import configparser
+import os
+import stat
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Optional
+
+DEFAULT_PROFILE = "default"
+CONFIG_DIR = Path.home() / ".reportify"
+CONFIG_PATH = CONFIG_DIR / "config"
+
+
+@dataclass
+class AuthCredential:
+    """单个 profile 下保存的凭证。"""
+
+    api_key: str
+    user_id: Optional[str] = None
+    nickname: Optional[str] = None
+    email: Optional[str] = None
+    subscription_tier: Optional[str] = None
+
+    def to_dict(self) -> dict[str, str]:
+        d = {"api_key": self.api_key}
+        if self.user_id:
+            d["user_id"] = str(self.user_id)
+        if self.nickname:
+            d["nickname"] = self.nickname
+        if self.email:
+            d["email"] = self.email
+        if self.subscription_tier:
+            d["subscription_tier"] = self.subscription_tier
+        return d
+
+
+def _config_path() -> Path:
+    """允许通过 REPORTIFY_CONFIG_PATH 环境变量覆盖（测试用）。"""
+    override = os.environ.get("REPORTIFY_CONFIG_PATH")
+    return Path(override) if override else CONFIG_PATH
+
+
+def _load_parser() -> configparser.ConfigParser:
+    parser = configparser.ConfigParser()
+    path = _config_path()
+    if path.exists():
+        parser.read(path, encoding="utf-8")
+    return parser
+
+
+def load_credential(profile: str = DEFAULT_PROFILE) -> Optional[AuthCredential]:
+    """读取指定 profile 的凭证；不存在或缺 api_key 时返回 None。"""
+    parser = _load_parser()
+    if not parser.has_section(profile):
+        return None
+    section = parser[profile]
+    api_key = section.get("api_key")
+    if not api_key:
+        return None
+    return AuthCredential(
+        api_key=api_key,
+        user_id=section.get("user_id"),
+        nickname=section.get("nickname"),
+        email=section.get("email"),
+        subscription_tier=section.get("subscription_tier"),
+    )
+
+
+def save_credential(
+    credential: AuthCredential, profile: str = DEFAULT_PROFILE
+) -> Path:
+    """写入指定 profile 的凭证；文件权限强制 0600（owner-only read/write）。"""
+    path = _config_path()
+    path.parent.mkdir(parents=True, exist_ok=True)
+
+    parser = _load_parser()
+    parser[profile] = credential.to_dict()
+
+    # 先以受限权限创建文件，再写入内容，避免凭证被其他用户读到
+    fd = os.open(
+        path,
+        os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
+        stat.S_IRUSR | stat.S_IWUSR,   # 0600
+    )
+    try:
+        with os.fdopen(fd, "w", encoding="utf-8") as f:
+            parser.write(f)
+    finally:
+        # 防御性：如果文件已存在权限可能不对，强制修正
+        try:
+            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
+        except OSError:
+            pass
+
+    # 同样确保目录权限不要过宽（0700）
+    try:
+        os.chmod(path.parent, stat.S_IRWXU)
+    except OSError:
+        pass
+    return path
+
+
+def delete_credential(profile: str = DEFAULT_PROFILE) -> bool:
+    """删除指定 profile 的凭证。
+
+    Returns:
+        True 如果删了；False 如果原本就不存在。
+    """
+    parser = _load_parser()
+    if not parser.has_section(profile):
+        return False
+    parser.remove_section(profile)
+
+    path = _config_path()
+    if not parser.sections():
+        # 没有任何 profile 剩下了 → 直接删整个文件
+        try:
+            path.unlink()
+        except FileNotFoundError:
+            pass
+        return True
+
+    with open(path, "w", encoding="utf-8") as f:
+        parser.write(f)
+    try:
+        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
+    except OSError:
+        pass
+    return True
+
+
+def list_profiles() -> list[str]:
+    return _load_parser().sections()

reportify_cli-0.1.45/src/commands/auth.py

@@ -0,0 +1,240 @@
+"""Reportify CLI authentication commands.
+
+实现 OAuth 2.0 Device Authorization Grant (RFC 8628) 客户端：
+
+    reportify-cli auth login       # 跑 device flow, 拿 api_key, 写本地配置
+    reportify-cli auth logout      # 删除本地配置
+    reportify-cli auth status      # 显示当前登录状态
+
+后端契约：
+    POST {base}/v1/cli-oauth/device/code   (form: client_id, scope?)
+    POST {base}/v1/cli-oauth/device/token  (form: grant_type, device_code, client_id)
+    POST {base}/v1/api-keys/ensure         (json: {client_id, source}, Bearer access_token)
+"""
+
+from __future__ import annotations
+
+import sys
+import time
+import webbrowser
+from typing import Annotated, Optional
+
+import httpx
+import typer
+
+from src.auth_config import (
+    AuthCredential,
+    delete_credential,
+    load_credential,
+    save_credential,
+)
+from src.settings import get_api_base_url
+
+app = typer.Typer(help="Authentication", rich_markup_mode="rich")
+
+CLIENT_ID = "reportify-cli"
+SCOPE = "profile api_key"
+GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
+
+# 端点路径（统一 /v1 前缀，与 SDK 同源）
+ENDPOINT_DEVICE_CODE = "/v1/cli-oauth/device/code"
+ENDPOINT_DEVICE_TOKEN = "/v1/cli-oauth/device/token"
+ENDPOINT_API_KEY_ENSURE = "/v1/api-keys/ensure"
+
+
+# ------------------------------------------------------------------ #
+# Helpers
+# ------------------------------------------------------------------ #
+
+
+def _err(msg: str, exit_code: int = 1) -> None:
+    typer.echo(f"Error: {msg}", err=True)
+    raise typer.Exit(exit_code)
+
+
+def _oauth_error(response: httpx.Response) -> tuple[str, str]:
+    """Extract RFC 8628 OAuth error from a 4xx response.
+
+    Server returns ``{"detail": {"error": ..., "error_description": ...}}``.
+    """
+    try:
+        body = response.json()
+    except Exception:
+        return ("unknown_error", response.text or "")
+
+    # FastAPI HTTPException 的 detail 嵌在 'detail' 里
+    detail = body.get("detail", body)
+    if isinstance(detail, dict):
+        return (
+            detail.get("error", "unknown_error"),
+            detail.get("error_description", ""),
+        )
+    return ("unknown_error", str(detail))
+
+
+def _request_device_code(client: httpx.Client) -> dict:
+    resp = client.post(
+        ENDPOINT_DEVICE_CODE,
+        data={"client_id": CLIENT_ID, "scope": SCOPE},
+    )
+    if resp.status_code != 200:
+        err, desc = _oauth_error(resp)
+        _err(f"failed to start device flow ({err}): {desc}")
+    return resp.json()
+
+
+def _poll_token(client: httpx.Client, device_code: str, interval: int, expires_in: int) -> dict:
+    """轮询 /device/token，直到拿到 access_token 或超时 / 用户拒绝。"""
+    deadline = time.monotonic() + expires_in
+    current_interval = max(interval, 1)
+    typer.echo("Waiting for authorization", nl=False)
+    while True:
+        if time.monotonic() >= deadline:
+            typer.echo("")
+            _err("device code expired before authorization; please try `auth login` again")
+
+        time.sleep(current_interval)
+        typer.echo(".", nl=False)
+
+        resp = client.post(
+            ENDPOINT_DEVICE_TOKEN,
+            data={
+                "grant_type": GRANT_TYPE,
+                "device_code": device_code,
+                "client_id": CLIENT_ID,
+            },
+        )
+
+        if resp.status_code == 200:
+            typer.echo(" ✓")
+            return resp.json()
+
+        err, desc = _oauth_error(resp)
+        if err == "authorization_pending":
+            continue
+        if err == "slow_down":
+            current_interval += 5
+            continue
+        if err == "access_denied":
+            typer.echo("")
+            _err("authorization was denied in the browser")
+        if err == "expired_token":
+            typer.echo("")
+            _err("device code expired before authorization; please try `auth login` again")
+
+        # Any other error → fail loud
+        typer.echo("")
+        _err(f"failed to obtain access token ({err}): {desc}")
+
+
+def _ensure_api_key(client: httpx.Client, access_token: str) -> dict:
+    resp = client.post(
+        ENDPOINT_API_KEY_ENSURE,
+        headers={"Authorization": f"Bearer {access_token}"},
+        json={"client_id": CLIENT_ID, "source": "cli"},
+    )
+    if resp.status_code != 200:
+        try:
+            detail = resp.json().get("detail", resp.text)
+        except Exception:
+            detail = resp.text
+        _err(f"failed to obtain api key (HTTP {resp.status_code}): {detail}")
+    return resp.json()
+
+
+# ------------------------------------------------------------------ #
+# Commands
+# ------------------------------------------------------------------ #
+
+
+@app.command(name="login")
+def login(
+    no_browser: Annotated[
+        bool,
+        typer.Option(
+            "--no-browser",
+            help="Do not attempt to open the browser automatically.",
+        ),
+    ] = False,
+) -> None:
+    """Authenticate to Reportify via the device authorization flow.
+
+    Opens the browser to a verification page. After you approve the request,
+    the CLI fetches a long-lived API key and stores it in ``~/.reportify/config``.
+    """
+    base_url = get_api_base_url().rstrip("/")
+    with httpx.Client(base_url=base_url, timeout=30.0) as client:
+        device_resp = _request_device_code(client)
+
+        verification_uri_complete = device_resp.get("verification_uri_complete")
+        verification_uri = device_resp.get("verification_uri")
+        user_code = device_resp.get("user_code")
+        device_code = device_resp["device_code"]
+        interval = int(device_resp.get("interval", 5))
+        expires_in = int(device_resp.get("expires_in", 600))
+
+        typer.echo("")
+        typer.echo("Open the following URL in your browser to authorize Reportify CLI:")
+        typer.echo(f"  {verification_uri_complete or verification_uri}")
+        typer.echo(f"Verification code: {user_code}")
+        typer.echo("")
+
+        if not no_browser and verification_uri_complete:
+            try:
+                webbrowser.open(verification_uri_complete)
+            except Exception:
+                # 浏览器打开失败不影响主流程，用户可以自己复制链接
+                pass
+
+        token_resp = _poll_token(client, device_code, interval, expires_in)
+        access_token = token_resp["access_token"]
+        user = token_resp.get("user") or {}
+
+        key_resp = _ensure_api_key(client, access_token)
+
+    credential = AuthCredential(
+        api_key=key_resp["key"],
+        user_id=str(user.get("user_id") or ""),
+        nickname=user.get("nickname") or None,
+        email=user.get("email") or None,
+        subscription_tier=user.get("subscription_tier") or None,
+    )
+    path = save_credential(credential)
+
+    typer.echo("")
+    who = credential.nickname or credential.email or credential.user_id or "unknown"
+    tier = credential.subscription_tier or "free"
+    typer.echo(f"Logged in as {who} (plan: {tier})")
+    typer.echo(f"Credential saved to {path}")
+
+
+@app.command(name="logout")
+def logout() -> None:
+    """Remove the locally stored Reportify credential.
+
+    Does **not** revoke the API key on the server side. If you want the key
+    invalidated, also delete it from your Reportify settings page.
+    """
+    removed = delete_credential()
+    if removed:
+        typer.echo("Local credential removed.")
+    else:
+        typer.echo("No local credential to remove.")
+
+
+@app.command(name="status")
+def status() -> None:
+    """Show the current authentication status.
+
+    Exit code is 0 if logged in, 1 otherwise (useful for Skill scripts to gate
+    on ``reportify-cli auth status`` before invoking business commands).
+    """
+    cred = load_credential()
+    if not cred:
+        typer.echo("Not logged in. Run `reportify-cli auth login`.")
+        raise typer.Exit(1)
+
+    who = cred.nickname or cred.email or cred.user_id or "unknown"
+    tier = cred.subscription_tier or "unknown"
+    typer.echo(f"Logged in as {who} (plan: {tier})")
+    typer.echo(f"API base: {get_api_base_url()}")

{reportify_cli-0.1.44 → reportify_cli-0.1.45}/src/main.py

@@ -3,7 +3,7 @@
 import typer
 from typer.core import TyperGroup
 
-from src.commands import agent, channels, concepts, docs, following, kb, macro, quant, search, stock, timeline, user
+from src.commands import agent, auth, channels, concepts, docs, following, kb, macro, quant, search, stock, timeline, user
 
 
 class AliasGroup(TyperGroup):
@@ -23,6 +23,7 @@ app = typer.Typer(
 )
 
 # Add all command modules as sub-apps
+app.add_typer(auth.app, name="auth", help="Authentication (login / logout / status)")
 app.add_typer(search.app, name="search", help="Document search")
 app.add_typer(docs.app, name="docs", help="Document management")
 app.add_typer(kb.app, name="kb", help="Knowledge base")

reportify_cli-0.1.45/src/settings.py

@@ -0,0 +1,55 @@
+"""Settings and configuration for Reportify API CLI."""
+
+import os
+import sys
+
+# Try to load .env file if python-dotenv is available
+try:
+    from dotenv import load_dotenv
+
+    load_dotenv()
+except ImportError:
+    # python-dotenv not installed, skip loading .env file
+    pass
+
+from src.auth_config import load_credential
+
+# Default API base URL. SDK 默认也是这个；CLI 自己的 auth 命令也走它。
+DEFAULT_API_BASE_URL = "https://api.reportify.cn"
+
+
+def get_api_base_url() -> str:
+    """API 基础 URL。优先级: REPORTIFY_BASE_URL > 默认值。
+
+    与 reportify-sdk 的 Reportify 客户端保持一致，便于 dev / staging 切换。
+    """
+    return os.getenv("REPORTIFY_BASE_URL") or DEFAULT_API_BASE_URL
+
+
+def get_api_key() -> str:
+    """Get API key, in priority order:
+
+    1. ``REPORTIFY_API_KEY`` environment variable
+    2. ``~/.reportify/config`` [default] profile (written by ``reportify-cli auth login``)
+
+    Raises:
+        SystemExit: If neither source has a key.
+    """
+    api_key = os.getenv("REPORTIFY_API_KEY")
+    if api_key:
+        return api_key
+
+    cred = load_credential()
+    if cred and cred.api_key:
+        return cred.api_key
+
+    print("Error: no Reportify API key found.", file=sys.stderr)
+    print(
+        "  - Run `reportify-cli auth login` to authenticate, or",
+        file=sys.stderr,
+    )
+    print(
+        "  - Set the REPORTIFY_API_KEY environment variable manually.",
+        file=sys.stderr,
+    )
+    sys.exit(1)

reportify_cli-0.1.45/tests/test_commands/test_auth_commands.py

@@ -0,0 +1,255 @@
+"""Tests for src.commands.auth — device flow + login/logout/status."""
+
+from __future__ import annotations
+
+from pathlib import Path
+from unittest.mock import MagicMock, patch
+
+import httpx
+import pytest
+from typer.testing import CliRunner
+
+from src.auth_config import AuthCredential, load_credential, save_credential
+from src.commands.auth import app
+
+# mix_stderr=True 让 result.stdout 同时包含 stderr，便于断言错误信息（typer.echo(err=True) 走 stderr）
+try:
+    runner = CliRunner(mix_stderr=True)
+except TypeError:  # click >= 8.2 removed the kwarg
+    runner = CliRunner()
+
+
+def _all_output(result) -> str:
+    """合并 stdout + stderr 用于断言（兼容不同 click 版本）。"""
+    parts = [result.output or ""]
+    stderr = getattr(result, "stderr", None)
+    if stderr:
+        parts.append(stderr)
+    return "\n".join(parts)
+
+
+# ----------------------------- fixtures ----------------------------- #
+
+
+@pytest.fixture
+def tmp_config(monkeypatch, tmp_path: Path):
+    path = tmp_path / "config"
+    monkeypatch.setenv("REPORTIFY_CONFIG_PATH", str(path))
+    return path
+
+
+@pytest.fixture
+def fast_sleep(monkeypatch):
+    """轮询测试加速：把 time.sleep 替换成 no-op。"""
+    monkeypatch.setattr("src.commands.auth.time.sleep", lambda _s: None)
+
+
+def _ok(json_body: dict, status: int = 200) -> httpx.Response:
+    return httpx.Response(status_code=status, json=json_body)
+
+
+def _oauth_err(error: str, desc: str = "", status: int = 400) -> httpx.Response:
+    return httpx.Response(
+        status_code=status,
+        json={"detail": {"error": error, "error_description": desc}},
+    )
+
+
+def _device_code_payload() -> dict:
+    return {
+        "device_code": "fake-device-code",
+        "user_code": "WDJB-MJHT",
+        "verification_uri": "https://reportify.cn/oauth/device",
+        "verification_uri_complete": "https://reportify.cn/oauth/device?user_code=WDJB-MJHT",
+        "expires_in": 600,
+        "interval": 5,
+    }
+
+
+def _token_payload() -> dict:
+    return {
+        "access_token": "fake-access-token",
+        "token_type": "Bearer",
+        "expires_in": 3600,
+        "scope": "profile api_key",
+        "user": {
+            "user_id": "12345",
+            "nickname": "Foo",
+            "email": "foo@bar.com",
+            "subscription_tier": "plus",
+        },
+        "entitlements": ["official_skills"],
+    }
+
+
+def _api_key_payload() -> dict:
+    return {
+        "id": 99,
+        "key": "raw-api-key-12345",
+        "name": "Reportify CLI",
+        "client_id": "reportify-cli",
+        "source": "cli",
+        "created_at": 0,
+    }
+
+
+@pytest.fixture
+def patch_client(monkeypatch):
+    """Patch httpx.Client to return a MagicMock whose .post we drive per test.
+
+    Returns the mock client object so the test can configure side_effect.
+    """
+    mock_client = MagicMock()
+    # httpx.Client used as context manager
+    mock_client.__enter__.return_value = mock_client
+    mock_client.__exit__.return_value = False
+
+    def _ctor(*a, **kw):
+        return mock_client
+
+    monkeypatch.setattr("src.commands.auth.httpx.Client", _ctor)
+    # 阻止真实打开浏览器
+    monkeypatch.setattr("src.commands.auth.webbrowser.open", lambda *_a, **_kw: True)
+    return mock_client
+
+
+# ----------------------------- status / logout ----------------------------- #
+
+
+class TestStatus:
+    def test_not_logged_in_exits_nonzero(self, tmp_config):
+        result = runner.invoke(app, ["status"])
+        assert result.exit_code == 1
+        assert "Not logged in" in result.stdout
+
+    def test_logged_in_exits_zero(self, tmp_config):
+        save_credential(
+            AuthCredential(api_key="x", nickname="Foo", subscription_tier="plus")
+        )
+        result = runner.invoke(app, ["status"])
+        assert result.exit_code == 0
+        assert "Foo" in result.stdout
+        assert "plus" in result.stdout
+
+
+class TestLogout:
+    def test_no_op_when_not_logged_in(self, tmp_config):
+        result = runner.invoke(app, ["logout"])
+        assert result.exit_code == 0
+        assert "No local credential" in result.stdout
+
+    def test_removes_credential(self, tmp_config):
+        save_credential(AuthCredential(api_key="x"))
+        result = runner.invoke(app, ["logout"])
+        assert result.exit_code == 0
+        assert "removed" in result.stdout
+        assert load_credential() is None
+
+
+# ----------------------------- login: happy path ----------------------------- #
+
+
+class TestLoginHappyPath:
+    def test_full_flow_persists_credential(
+        self, tmp_config, fast_sleep, patch_client
+    ):
+        patch_client.post.side_effect = [
+            _ok(_device_code_payload()),       # /device/code
+            _ok(_token_payload()),             # /device/token (approved)
+            _ok(_api_key_payload()),           # /api-keys/ensure
+        ]
+
+        result = runner.invoke(app, ["login", "--no-browser"])
+        assert result.exit_code == 0, result.stdout
+        assert "WDJB-MJHT" in result.stdout
+        assert "Logged in as Foo" in result.stdout
+
+        cred = load_credential()
+        assert cred is not None
+        assert cred.api_key == "raw-api-key-12345"
+        assert cred.user_id == "12345"
+        assert cred.nickname == "Foo"
+        assert cred.email == "foo@bar.com"
+        assert cred.subscription_tier == "plus"
+
+    def test_authorization_pending_then_approved(
+        self, tmp_config, fast_sleep, patch_client
+    ):
+        patch_client.post.side_effect = [
+            _ok(_device_code_payload()),
+            _oauth_err("authorization_pending"),
+            _oauth_err("authorization_pending"),
+            _ok(_token_payload()),
+            _ok(_api_key_payload()),
+        ]
+        result = runner.invoke(app, ["login", "--no-browser"])
+        assert result.exit_code == 0, result.stdout
+        assert load_credential().api_key == "raw-api-key-12345"
+
+    def test_slow_down_increments_interval_but_succeeds(
+        self, tmp_config, fast_sleep, patch_client
+    ):
+        patch_client.post.side_effect = [
+            _ok(_device_code_payload()),
+            _oauth_err("slow_down"),
+            _ok(_token_payload()),
+            _ok(_api_key_payload()),
+        ]
+        result = runner.invoke(app, ["login", "--no-browser"])
+        assert result.exit_code == 0, result.stdout
+
+
+# ----------------------------- login: failure paths ----------------------------- #
+
+
+class TestLoginFailurePaths:
+    def test_access_denied_aborts(self, tmp_config, fast_sleep, patch_client):
+        patch_client.post.side_effect = [
+            _ok(_device_code_payload()),
+            _oauth_err("access_denied"),
+        ]
+        result = runner.invoke(app, ["login", "--no-browser"])
+        assert result.exit_code == 1
+        assert "denied" in _all_output(result)
+        assert load_credential() is None
+
+    def test_expired_token_aborts(self, tmp_config, fast_sleep, patch_client):
+        patch_client.post.side_effect = [
+            _ok(_device_code_payload()),
+            _oauth_err("expired_token"),
+        ]
+        result = runner.invoke(app, ["login", "--no-browser"])
+        assert result.exit_code == 1
+        assert "expired" in _all_output(result)
+
+    def test_device_code_endpoint_failure(self, tmp_config, patch_client):
+        patch_client.post.side_effect = [
+            _oauth_err("invalid_client", "unknown client_id"),
+        ]
+        result = runner.invoke(app, ["login", "--no-browser"])
+        assert result.exit_code == 1
+        assert "invalid_client" in _all_output(result)
+
+    def test_api_key_ensure_failure(
+        self, tmp_config, fast_sleep, patch_client
+    ):
+        patch_client.post.side_effect = [
+            _ok(_device_code_payload()),
+            _ok(_token_payload()),
+            httpx.Response(status_code=500, json={"detail": "server error"}),
+        ]
+        result = runner.invoke(app, ["login", "--no-browser"])
+        assert result.exit_code == 1
+        assert "api key" in _all_output(result).lower()
+        assert load_credential() is None
+
+    def test_unknown_oauth_error_aborts(
+        self, tmp_config, fast_sleep, patch_client
+    ):
+        patch_client.post.side_effect = [
+            _ok(_device_code_payload()),
+            _oauth_err("invalid_grant", "device_code already used"),
+        ]
+        result = runner.invoke(app, ["login", "--no-browser"])
+        assert result.exit_code == 1
+        assert "invalid_grant" in _all_output(result)

reportify_cli-0.1.45/tests/test_commands/test_auth_config.py

@@ -0,0 +1,99 @@
+"""Tests for src.auth_config — credential file read/write."""
+
+import os
+import stat
+from pathlib import Path
+
+import pytest
+
+from src.auth_config import (
+    AuthCredential,
+    delete_credential,
+    list_profiles,
+    load_credential,
+    save_credential,
+)
+
+
+@pytest.fixture
+def tmp_config(monkeypatch, tmp_path: Path):
+    """每个测试用例独立的临时配置文件，避免污染真实 ~/.reportify/config。"""
+    path = tmp_path / "config"
+    monkeypatch.setenv("REPORTIFY_CONFIG_PATH", str(path))
+    return path
+
+
+def test_load_returns_none_when_missing(tmp_config):
+    assert load_credential() is None
+
+
+def test_save_and_load_roundtrip(tmp_config):
+    cred = AuthCredential(
+        api_key="sekret-key",
+        user_id="12345",
+        nickname="Foo",
+        email="foo@bar.com",
+        subscription_tier="plus",
+    )
+    save_credential(cred)
+
+    loaded = load_credential()
+    assert loaded is not None
+    assert loaded.api_key == "sekret-key"
+    assert loaded.user_id == "12345"
+    assert loaded.nickname == "Foo"
+    assert loaded.email == "foo@bar.com"
+    assert loaded.subscription_tier == "plus"
+
+
+def test_save_writes_owner_only_perms(tmp_config):
+    save_credential(AuthCredential(api_key="x"))
+    mode = stat.S_IMODE(os.stat(tmp_config).st_mode)
+    # 0600 - owner read/write only
+    assert mode == 0o600, f"expected 0600 perms, got {oct(mode)}"
+
+
+def test_save_overwrites_existing_profile(tmp_config):
+    save_credential(AuthCredential(api_key="old"))
+    save_credential(AuthCredential(api_key="new", nickname="Updated"))
+    loaded = load_credential()
+    assert loaded.api_key == "new"
+    assert loaded.nickname == "Updated"
+
+
+def test_delete_returns_false_when_missing(tmp_config):
+    assert delete_credential() is False
+
+
+def test_delete_removes_credential(tmp_config):
+    save_credential(AuthCredential(api_key="x"))
+    assert delete_credential() is True
+    assert load_credential() is None
+    # 唯一 profile 被删 → 文件也应不在
+    assert not tmp_config.exists()
+
+
+def test_multi_profile(tmp_config):
+    save_credential(AuthCredential(api_key="key-default"), profile="default")
+    save_credential(AuthCredential(api_key="key-work"), profile="work")
+
+    assert sorted(list_profiles()) == ["default", "work"]
+    assert load_credential("default").api_key == "key-default"
+    assert load_credential("work").api_key == "key-work"
+
+    delete_credential("default")
+    # 还有 work，文件应保留
+    assert tmp_config.exists()
+    assert load_credential("default") is None
+    assert load_credential("work").api_key == "key-work"
+
+
+def test_missing_api_key_treated_as_no_credential(tmp_config):
+    """配置文件 section 存在但缺 api_key 视为 None。"""
+    import configparser
+
+    parser = configparser.ConfigParser()
+    parser["default"] = {"nickname": "Foo"}  # 没有 api_key
+    with open(tmp_config, "w") as f:
+        parser.write(f)
+    assert load_credential() is None

{reportify_cli-0.1.44 → reportify_cli-0.1.45}/uv.lock

@@ -426,7 +426,7 @@ wheels = [
 
 [[package]]
 name = "reportify-cli"
-version = "0.1.16"
+version = "0.1.44"
 source = { editable = "." }
 dependencies = [
     { name = "pandas" },
@@ -445,7 +445,7 @@ dev = [
 requires-dist = [
     { name = "pandas", specifier = ">=2.0.0" },
     { name = "python-dotenv", specifier = ">=1.2.1" },
-    { name = "reportify-sdk", specifier = ">=0.3.15" },
+    { name = "reportify-sdk", specifier = ">=0.3.46" },
     { name = "tabulate", specifier = ">=0.9.0" },
     { name = "typer", specifier = ">=0.21.1" },
 ]
@@ -455,13 +455,16 @@ dev = [{ name = "pytest", specifier = ">=9.0.2" }]
 
 [[package]]
 name = "reportify-sdk"
-version = "0.3.24"
+version = "0.3.49"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "httpx" },
     { name = "pandas" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/62/b1/c66cde3b7651825cb80353af7df4b7821c8f136163f2e5c5568ceb804edd/reportify_sdk-0.3.24.tar.gz", hash = "sha256:d41f42c067b1547300224d93adb028f4c9b7450272c0374a8c9370fb49be199d", size = 23489, upload_time = "2026-03-09T06:29:39.994Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/51/55/05e3dcd47930cef152f1ed3dc399121c848a87ed0121e583ceeb2b6ce98d/reportify_sdk-0.3.49.tar.gz", hash = "sha256:88343639e22514cac687a7d6a509aef19a025dbabbce5e0526271b5b79d2ca00", size = 26716, upload_time = "2026-05-08T06:11:34.513Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/17/0c/927db26ca174c72640e8f224caebcb4cf86d8f72d22656d5671c44824485/reportify_sdk-0.3.49-py3-none-any.whl", hash = "sha256:4e3fa10b25175670a7107fb4c999eeff2c40d430bac4cde8874d7ceab004f889", size = 35217, upload_time = "2026-05-08T06:11:36.181Z" },
+]
 
 [[package]]
 name = "rich"

reportify_cli-0.1.44/src/settings.py

@@ -1,30 +0,0 @@
-"""Settings and configuration for Reportify API CLI."""
-
-import os
-import sys
-
-# Try to load .env file if python-dotenv is available
-try:
-    from dotenv import load_dotenv
-
-    load_dotenv()
-except ImportError:
-    # python-dotenv not installed, skip loading .env file
-    pass
-
-
-def get_api_key() -> str:
-    """Get API key from environment variable.
-
-    Returns:
-        str: API key
-
-    Raises:
-        SystemExit: If API key is not found
-    """
-    api_key = os.getenv("REPORTIFY_API_KEY")
-    if not api_key:
-        print("Error: REPORTIFY_API_KEY environment variable is not set.", file=sys.stderr)
-        print("Please set it with: export REPORTIFY_API_KEY='your-api-key'", file=sys.stderr)
-        sys.exit(1)
-    return api_key