streamline auth configure/reset UX

- single prompt gate: gh-auth mode choice replaces separate Proceed? confirm
- banner shows bot identity before prompting
- auth reset runs without confirmation
- --gh-auth flag makes auth configure fully non-interactive
- remove --yes flag (no longer needed)

Author: rmorse

README.md

@@ -67,30 +67,49 @@ Select **Repository permissions** based on what you need:
 
 ## Quick Start
 
-```bash
-# 1. Setup — enter App ID, Installation ID, key path
-#    (optionally configures git + gh auth at the end)
-ghapp setup
+### Interactive
 
-# 2. Use git/gh normally — auth is transparent
+```bash
+ghapp setup                    # prompts for App ID, Installation ID, key path
 git clone https://github.com/org/repo.git
 gh pr list
 ```
 
 > If you skipped auth configuration during setup, run `ghapp auth configure` separately.
 
+### Non-interactive (scripted / CI / LLM)
+
+```bash
+ghapp config set --app-id 123 --installation-id 456 --private-key-path /path/to/key.pem
+ghapp auth configure --gh-auth shell-function
+```
+
 ## Commands
 
 | Command | Description |
 |---------|-------------|
 | `ghapp setup [--import-key]` | Interactive setup — App ID, Installation ID, PEM key |
+| `ghapp config set [flags]` | Set config values non-interactively (see below) |
+| `ghapp config get [key]` | Print config values (all or single key) |
+| `ghapp config path` | Print config file location |
 | `ghapp token [--no-cache]` | Print an installation token (cached; `--no-cache` forces fresh) |
 | `ghapp auth configure [--gh-auth MODE]` | Configure git credential helper, gh CLI, and git identity |
 | `ghapp auth status` | Show current auth configuration and diagnostics |
 | `ghapp auth reset [--remove-key]` | Remove all auth config and restore previous git identity |
 | `ghapp update` | Self-update to the latest release |
 | `ghapp version` | Print version info |
 
+### `ghapp config set` flags
+
+| Flag | Description |
+|------|-------------|
+| `--app-id` | GitHub App ID |
+| `--installation-id` | GitHub App installation ID |
+| `--private-key-path` | Path to private key PEM file |
+| `--import-key` | Import private key into OS keyring from PEM file (mutually exclusive with `--private-key-path`) |
+
+Only flags that are explicitly provided are written — omitted fields are preserved from the existing config.
+
 ### `--gh-auth` modes
 
 During `auth configure`, you're prompted to choose how `gh` CLI gets authenticated. You can also pass it non-interactively:

internal/cmd/auth.go

@@ -68,96 +68,100 @@ func runAuthConfigure(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	fmt.Fprintln(out, "This will:")
+	// Resolve bot identity early so we can show it in the banner
+	identityLine := "app bot identity"
+	slug, botUserID, identityErr := resolveAppIdentity()
+	if identityErr == nil {
+		botName := fmt.Sprintf("%s[bot]", slug)
+		botEmail := fmt.Sprintf("%d+%s[bot]@users.noreply.github.com", botUserID, slug)
+		identityLine = fmt.Sprintf("%s <%s>", botName, botEmail)
+	}
+
+	// Banner
+	fmt.Fprintln(out, "Auth will automatically configure:")
 	fmt.Fprintf(out, "  1. Set git credential helper: %s\n", helperCmd)
 	fmt.Fprintln(out, "  2. Write github.com entry to gh hosts.yml")
 	fmt.Fprintln(out, "  3. Rewrite git@github.com SSH URLs to HTTPS (insteadOf)")
+	fmt.Fprintf(out, "  4. Set git identity to %s\n", identityLine)
 	fmt.Fprintln(out)
 
-	if !confirm(cmd, "Proceed?") {
-		fmt.Fprintln(out, "Aborted.")
-		return nil
+	// Resolve gh-auth mode — this is the single gate for interactive use
+	mode := ghAuthFlag
+	if mode == "" {
+		if !isInteractive(cmd) {
+			mode = "none"
+		} else {
+			fmt.Fprintln(out, "How would you like to authenticate gh CLI commands?")
+			fmt.Fprintln(out, "  1. Shell function (recommended) — auto-refreshes token per invocation")
+			fmt.Fprintln(out, "  2. PATH binary — wrapper binary that injects token")
+			fmt.Fprintln(out, "  3. None — keep hosts.yml only (token expires in ~1hr)")
+			fmt.Fprintln(out)
+
+			choice := promptChoice(cmd, "Choice [1/2/3]:", "")
+			switch choice {
+			case "1":
+				mode = "shell-function"
+			case "2":
+				mode = "path-shim"
+			case "3":
+				mode = "none"
+			default:
+				fmt.Fprintln(out, "Skipped. Run 'ghapp auth configure' to set up later.")
+				return nil
+			}
+		}
 	}
 
-	// Configure git credential helper
+	// --- Execute all steps ---
+
+	// 1. Git credential helper
 	gitHelper := fmt.Sprintf("!%s credential-helper", helperCmd)
 	gitCmd := exec.Command("git", "config", "--global", "credential.https://github.com.helper", gitHelper)
 	if output, err := gitCmd.CombinedOutput(); err != nil {
 		return fmt.Errorf("git config: %s: %w", strings.TrimSpace(string(output)), err)
 	}
 	fmt.Fprintln(out, "Git credential helper configured.")
 
-	// Configure gh CLI (hosts.yml as baseline)
+	// 2. gh CLI (hosts.yml as baseline)
 	if err := configureGhHosts(); err != nil {
 		fmt.Fprintf(out, "Warning: could not configure gh CLI: %v\n", err)
 		fmt.Fprintln(out, "Use: export GH_TOKEN=$(ghapp token)")
 	} else {
 		fmt.Fprintln(out, "gh CLI configured.")
 	}
 
-	// Configure git identity as the app bot
-	if err := configureGitIdentity(cmd); err != nil {
-		fmt.Fprintf(out, "Warning: could not configure git identity: %v\n", err)
+	// 3. Git identity
+	if identityErr != nil {
+		fmt.Fprintf(out, "Warning: could not configure git identity: %v\n", identityErr)
+	} else {
+		if err := configureGitIdentity(cmd, slug, botUserID); err != nil {
+			fmt.Fprintf(out, "Warning: could not configure git identity: %v\n", err)
+		}
 	}
 
-	// Rewrite git@github.com SSH URLs to HTTPS
+	// 4. SSH-to-HTTPS URL rewrite
 	configureInsteadOf(cmd)
 
-	// gh CLI dynamic auth setup
-	if err := configureGhAuth(cmd, helperCmd); err != nil {
-		fmt.Fprintf(out, "Warning: gh dynamic auth: %v\n", err)
-	}
-
-	return nil
-}
-
-// configureGhAuth handles the interactive gh auth mode selection.
-func configureGhAuth(cmd *cobra.Command, ghappBin string) error {
-	out := cmd.OutOrStdout()
-
-	mode := ghAuthFlag
-	if mode == "" {
-		// Check if interactive
-		if !isInteractive(cmd) {
-			fmt.Fprintln(out)
-			fmt.Fprintln(out, "Note: gh hosts.yml token expires in ~1hr.")
-			fmt.Fprintln(out, "For long sessions, use: export GH_TOKEN=$(ghapp token)")
-			return nil
-		}
-
-		fmt.Fprintln(out)
-		fmt.Fprintln(out, "How would you like to authenticate gh CLI commands?")
-		fmt.Fprintln(out, "  1. Shell function (recommended) — auto-refreshes token per invocation")
-		fmt.Fprintln(out, "  2. PATH binary — wrapper binary that injects token")
-		fmt.Fprintln(out, "  3. None — keep hosts.yml only (token expires in ~1hr)")
-		fmt.Fprintln(out)
-
-		choice := promptChoice(cmd, "Choice [1/2/3]", "1")
-		switch choice {
-		case "1":
-			mode = "shell-function"
-		case "2":
-			mode = "path-shim"
-		default:
-			mode = "none"
-		}
-	}
-
+	// 5. gh CLI dynamic auth
 	switch mode {
 	case "shell-function":
-		return configureShellFunction(cmd, ghappBin)
+		if err := configureShellFunction(cmd, helperCmd); err != nil {
+			fmt.Fprintf(out, "Warning: gh dynamic auth: %v\n", err)
+		}
 	case "path-shim":
-		return configurePathShim(cmd, ghappBin)
+		if err := configurePathShim(cmd, helperCmd); err != nil {
+			fmt.Fprintf(out, "Warning: gh dynamic auth: %v\n", err)
+		}
 	case "none":
 		fmt.Fprintln(out)
 		fmt.Fprintln(out, "Note: gh hosts.yml token expires in ~1hr.")
 		fmt.Fprintln(out, "For long sessions, use: export GH_TOKEN=$(ghapp token)")
-		return nil
-	default:
-		return fmt.Errorf("unknown --gh-auth mode: %s", mode)
 	}
+
+	return nil
 }
 
+
 func configureShellFunction(cmd *cobra.Command, ghappBin string) error {
 	out := cmd.OutOrStdout()
 
@@ -427,11 +431,6 @@ func runAuthStatus(cmd *cobra.Command, args []string) error {
 func runAuthReset(cmd *cobra.Command, args []string) error {
 	out := cmd.OutOrStdout()
 
-	if !confirm(cmd, "Remove git credential helper and gh auth config?") {
-		fmt.Fprintln(out, "Aborted.")
-		return nil
-	}
-
 	// Remove git credential helper
 	gitCmd := exec.Command("git", "config", "--global", "--unset", "credential.https://github.com.helper")
 	if output, err := gitCmd.CombinedOutput(); err != nil {
@@ -562,31 +561,18 @@ func confirm(cmd *cobra.Command, prompt string) bool {
 
 // git identity management
 
-func configureGitIdentity(cmd *cobra.Command) error {
+func configureGitIdentity(cmd *cobra.Command, slug string, botUserID int64) error {
 	out := cmd.OutOrStdout()
 
-	// Fetch app slug + bot user ID (or use cached values)
-	slug, botUserID, err := resolveAppIdentity()
-	if err != nil {
-		return err
-	}
-
 	botName := fmt.Sprintf("%s[bot]", slug)
 	botEmail := fmt.Sprintf("%d+%s[bot]@users.noreply.github.com", botUserID, slug)
 
-	// Check existing git identity
+	// Backup existing identity if present
 	existingName := gitConfigGet("user.name")
 	existingEmail := gitConfigGet("user.email")
-
 	if existingName != "" || existingEmail != "" {
-		fmt.Fprintf(out, "\nGit identity already set as %q <%s>.\n", existingName, existingEmail)
-		if !confirm(cmd, "Switch to app bot identity?") {
-			return nil
-		}
-		// Backup previous identity
 		cfg.PrevGitUserName = existingName
 		cfg.PrevGitUserEmail = existingEmail
-		fmt.Fprintln(out, "Previous identity saved — will be restored on 'ghapp auth reset'.")
 	}
 
 	// Set bot identity

internal/cmd/cmd_test.go

@@ -468,15 +468,17 @@ func gitCfg(t *testing.T, key string) string {
 func TestAuthConfigure_E2E(t *testing.T) {
 	_, buf := setupE2E(t)
 
-	// "y" = proceed, "y" = switch to bot identity
-	rootCmd.SetIn(strings.NewReader("y\ny\n"))
+	// --gh-auth flag = non-interactive, no prompts needed
 	rootCmd.SetArgs([]string{"auth", "configure", "--gh-auth", "none"})
 	require.NoError(t, rootCmd.Execute())
 
 	output := buf.String()
 	assert.Contains(t, output, "Git credential helper configured")
 	assert.Contains(t, output, "Git identity set to testbot[bot]")
 
+	// Verify banner shows bot identity
+	assert.Contains(t, output, "Set git identity to testbot[bot]")
+
 	// Verify git config was written to isolated gitconfig
 	assert.Contains(t, gitCfg(t, "credential.https://github.com.helper"), "credential-helper")
 	assert.Equal(t, "testbot[bot]", gitCfg(t, "user.name"))
@@ -501,16 +503,14 @@ func TestAuthReset_E2E(t *testing.T) {
 	_, buf := setupE2E(t)
 
 	// First: configure
-	rootCmd.SetIn(strings.NewReader("y\ny\n"))
 	rootCmd.SetArgs([]string{"auth", "configure", "--gh-auth", "none"})
 	require.NoError(t, rootCmd.Execute())
 
 	// Sanity: credential helper is set
 	assert.NotEmpty(t, gitCfg(t, "credential.https://github.com.helper"))
 
-	// Now: reset
+	// Now: reset (no confirm needed)
 	buf.Reset()
-	rootCmd.SetIn(strings.NewReader("y\n"))
 	rootCmd.SetArgs([]string{"auth", "reset"})
 	require.NoError(t, rootCmd.Execute())
 
@@ -526,7 +526,6 @@ func TestAuthStatus_E2E(t *testing.T) {
 	_, buf := setupE2E(t)
 
 	// Configure first
-	rootCmd.SetIn(strings.NewReader("y\ny\n"))
 	rootCmd.SetArgs([]string{"auth", "configure", "--gh-auth", "none"})
 	require.NoError(t, rootCmd.Execute())
 
@@ -548,8 +547,7 @@ func TestAuthConfigure_ShellFunction_E2E(t *testing.T) {
 	// Override shell detection so the test doesn't depend on parent process
 	shellinit.ShellOverride = shellinit.ShellByName("bash")
 
-	// "y" = proceed, "y" = switch to bot identity
-	rootCmd.SetIn(strings.NewReader("y\ny\n"))
+	// --gh-auth flag = non-interactive, no prompts needed
 	rootCmd.SetArgs([]string{"auth", "configure", "--gh-auth", "shell-function"})
 	require.NoError(t, rootCmd.Execute())
 

internal/cmd/config_test.go

@@ -187,3 +187,15 @@ func TestConfigPath(t *testing.T) {
 
 	assert.Equal(t, cfgFile+"\n", buf.String())
 }
+
+func TestAuthConfigure_NonInteractive(t *testing.T) {
+	_, buf := setupE2E(t)
+
+	// --gh-auth flag makes it fully non-interactive
+	rootCmd.SetArgs([]string{"auth", "configure", "--gh-auth", "none"})
+	require.NoError(t, rootCmd.Execute())
+
+	output := buf.String()
+	assert.Contains(t, output, "Git credential helper configured")
+	assert.Contains(t, output, "gh CLI configured")
+}