feat #197: implement Bloomreach webapp authentication (browser login, session management, CLI/MCP/API interfaces) (#198)

- Add auth/ module directory with loginSelectors, apiAuth, webappApiClient, authManager
- Add login page selectors with Bloomreach-specific data-e2e-id strategies and auto-fill
- Add BloomreachApiAuth class for API credential resolution and verification
- Add BloomreachWebappApiClient for session-cookie-based webapp API calls
- Add BloomreachAuthManager unified coordinator with createAuthManager() factory
- Enhance bloomreachAuth.ts with getSessionCookies(), logout(), auto-fill in openLogin()
- Add deleteSession() to bloomreachSessionStore.ts
- Add CLI commands: logout, auth status (unified), auth verify-api
- Add 4 MCP tools: auth.status, auth.login, auth.logout, auth.verify_api
- Update barrel exports and .env.example with BLOOMREACH_URL/EMAIL/PASSWORD
- All quality gates pass: typecheck, lint, 9942 tests, build

Author: sigvardt

.env.example

@@ -16,6 +16,14 @@ BLOOMREACH_API_SECRET=your-api-secret
 # BLOOMREACH_ENVIRONMENT=my-env
 # BLOOMREACH_API_TOKEN=my-token
 
+# Optional: Override the Bloomreach webapp URL (default: https://app.bloomreach.com/)
+# BLOOMREACH_URL=https://app.bloomreach.com/
+
+# Optional: Auto-fill login credentials (used by "bloomreach login" auto-fill)
+# Credentials are only used for auto-fill — manual login is always available.
+# BLOOMREACH_EMAIL=your-email@example.com
+# BLOOMREACH_PASSWORD=your-password
+
 # Optional: Browser authentication settings
 # Directory for Playwright persistent browser profiles (default: ~/.bloomreach-buddy/profiles)
 # BLOOMREACH_PROFILE_DIR=~/.bloomreach-buddy/profiles

packages/cli/src/bin/bloomreach.ts

@@ -53,6 +53,7 @@ import {
   openBrowserUrl,
   BloomreachProfileManager,
   BLOOMREACH_API_SETTINGS_URL,
+  createAuthManager,
 } from '@bloomreach-buddy/core';
 import type {
   ActionExecutor,
@@ -12364,38 +12365,88 @@ program
     },
   );
 
+program
+  .command('logout')
+  .description('Clear stored Bloomreach browser session')
+  .option('--profile <name>', 'Browser profile name', 'default')
+  .option('--json', 'Output as JSON')
+  .action(
+    async (options: { profile: string; json?: boolean }) => {
+      try {
+        const authManager = createAuthManager();
+        const result = await authManager.logout({ profileName: options.profile });
+
+        if (options.json) {
+          console.log(JSON.stringify(result, null, 2));
+        } else if (result.cleared) {
+          console.log(`  Session cleared for profile "${result.profileName}".`);
+        } else {
+          console.log(`  No session found for profile "${result.profileName}".`);
+        }
+      } catch (error) {
+        if (options.json) {
+          console.log(
+            JSON.stringify(
+              {
+                cleared: false,
+                error: error instanceof Error ? error.message : String(error),
+              },
+              null,
+              2,
+            ),
+          );
+        } else {
+          console.error(
+            `Error: ${error instanceof Error ? error.message : String(error)}`,
+          );
+        }
+        process.exit(1);
+      }
+    },
+  );
+
 const auth = program
   .command('auth')
   .description('Manage Bloomreach browser authentication');
 
 auth
   .command('status')
-  .description('Check browser session authentication status')
+  .description('Check all authentication states (API credentials + browser session)')
   .option('--profile <name>', 'Browser profile name', 'default')
   .option('--json', 'Output as JSON')
   .action(
     async (options: { profile: string; json?: boolean }) => {
       try {
-        const profilesDir = resolveProfilesDir();
-        const profileManager = new BloomreachProfileManager({ profilesDir });
-        const authService = new BloomreachAuthService(profileManager, { profilesDir });
-
-        const status = await authService.status({ profileName: options.profile });
+        const authManager = createAuthManager();
+        const status = await authManager.status({ profileName: options.profile });
 
         if (options.json) {
           console.log(JSON.stringify(status, null, 2));
         } else {
           console.log('');
-          console.log(`  Authenticated: ${status.authenticated ? 'yes' : 'no'}`);
-          console.log(`  Profile:       ${status.profileName}`);
-          console.log(`  Reason:        ${status.reason}`);
-          if (status.sessionExpired) {
-            console.log('  Session:       expired');
+          console.log('  Bloomreach Auth Status');
+          console.log('  =====================');
+          console.log('');
+          console.log('  API Credentials (Tier 1):');
+          console.log(`    Configured: ${status.api.configured ? 'yes' : 'no'}`);
+          if (status.api.projectToken) console.log(`    Token:      ${status.api.projectToken}`);
+          if (status.api.apiKeyId) console.log(`    Key ID:     ${status.api.apiKeyId}`);
+          if (status.api.baseUrl) console.log(`    Base URL:   ${status.api.baseUrl}`);
+          console.log('');
+          console.log('  Browser Session (Tier 2/3):');
+          console.log(`    Authenticated: ${status.browser.authenticated ? 'yes' : 'no'}`);
+          console.log(`    Profile:       ${status.browser.profileName}`);
+          console.log(`    Reason:        ${status.browser.reason}`);
+          if (status.browser.sessionExpired) {
+            console.log('    Session:       expired');
           }
-          if (status.cookieSummary && status.cookieSummary.length > 0) {
-            console.log(`  Cookies:       ${status.cookieSummary.length} stored`);
+          if (status.browser.cookieSummary && status.browser.cookieSummary.length > 0) {
+            console.log(`    Cookies:       ${status.browser.cookieSummary.length} stored`);
           }
           console.log('');
+          console.log('  Webapp API (Tier 2):');
+          console.log(`    Ready: ${status.webappApiReady ? 'yes' : 'no'}`);
+          console.log('');
         }
       } catch (error) {
         if (options.json) {
@@ -12486,4 +12537,62 @@ auth
     },
   );
 
+auth
+  .command('verify-api')
+  .description('Verify Bloomreach API credentials against the live API')
+  .option('--json', 'Output as JSON')
+  .action(
+    async (options: { json?: boolean }) => {
+      try {
+        const authManager = createAuthManager();
+        const result = await authManager.verifyApi();
+
+        if (options.json) {
+          console.log(JSON.stringify(result, null, 2));
+        } else {
+          console.log('');
+          console.log('  API Credential Verification');
+          console.log('  --------------------------');
+          console.log(`  Configured: ${result.configured ? 'yes' : 'no'}`);
+          if (!result.configured) {
+            console.log(
+              '  Set BLOOMREACH_PROJECT_TOKEN, BLOOMREACH_API_KEY_ID, and BLOOMREACH_API_SECRET.',
+            );
+            console.log('');
+            process.exit(1);
+          }
+          console.log(`  Verified:   ${result.verified ? 'yes' : 'no'}`);
+          if (result.projectToken) console.log(`  Token:      ${result.projectToken}`);
+          if (result.apiKeyId) console.log(`  Key ID:     ${result.apiKeyId}`);
+          if (result.baseUrl) console.log(`  Base URL:   ${result.baseUrl}`);
+          if (result.serverTime) {
+            console.log(`  Server time: ${new Date(result.serverTime * 1000).toISOString()}`);
+          }
+          if (result.error && !result.verified) {
+            console.log(`  Error:      ${result.error}`);
+          }
+          console.log('');
+          if (!result.verified) process.exit(1);
+        }
+      } catch (error) {
+        if (options.json) {
+          console.log(
+            JSON.stringify(
+              {
+                configured: false,
+                verified: false,
+                error: error instanceof Error ? error.message : String(error),
+              },
+              null,
+              2,
+            ),
+          );
+        } else {
+          console.error(`Error: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        process.exit(1);
+      }
+    },
+  );
+
 program.parse();

packages/core/src/__tests__/auth/apiAuth.test.ts

@@ -0,0 +1,182 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+import { BloomreachBuddyError } from '../../errors.js';
+import { BloomreachApiAuth, maskSecret } from '../../auth/apiAuth.js';
+import type { BloomreachApiConfig } from '../../bloomreachApiClient.js';
+import type { ValidateCredentialsResult } from '../../bloomreachSetup.js';
+
+vi.mock('../../bloomreachApiClient.js', () => ({
+  resolveApiConfig: vi.fn(),
+}));
+
+vi.mock('../../bloomreachSetup.js', () => ({
+  validateCredentials: vi.fn(),
+}));
+
+import { resolveApiConfig } from '../../bloomreachApiClient.js';
+import { validateCredentials } from '../../bloomreachSetup.js';
+
+const CONFIG: BloomreachApiConfig = {
+  projectToken: 'projecttoken-12345',
+  apiKeyId: 'apikeyid-67890',
+  apiSecret: 'secret-00000',
+  baseUrl: 'https://api.exponea.com',
+};
+
+describe('maskSecret', () => {
+  it('masks long values with default visible length', () => {
+    expect(maskSecret('abcdefghijklmnop')).toBe('abcdefgh...');
+  });
+
+  it('returns short values unchanged', () => {
+    expect(maskSecret('short')).toBe('short');
+  });
+
+  it('supports custom visible length', () => {
+    expect(maskSecret('abcdef', 3)).toBe('abc...');
+  });
+});
+
+describe('BloomreachApiAuth', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date('2026-02-01T12:00:00.000Z'));
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+  });
+
+  it('constructor stores resolved config when credentials are present', () => {
+    vi.mocked(resolveApiConfig).mockReturnValue(CONFIG);
+
+    const auth = new BloomreachApiAuth();
+
+    expect(resolveApiConfig).toHaveBeenCalledWith(undefined);
+    expect(auth.isConfigured()).toBe(true);
+    expect(auth.getConfig()).toEqual(CONFIG);
+  });
+
+  it('constructor treats resolver errors as unconfigured state', () => {
+    vi.mocked(resolveApiConfig).mockImplementation(() => {
+      throw new BloomreachBuddyError('CONFIG_MISSING', 'Missing credentials');
+    });
+
+    const auth = new BloomreachApiAuth();
+
+    expect(auth.isConfigured()).toBe(false);
+    expect(() => auth.getConfig()).toThrow(BloomreachBuddyError);
+  });
+
+  it('status returns configured details with masked secrets', () => {
+    vi.mocked(resolveApiConfig).mockReturnValue(CONFIG);
+
+    const auth = new BloomreachApiAuth();
+    const result = auth.status();
+
+    expect(result).toEqual({
+      configured: true,
+      verified: false,
+      projectToken: 'projectt...',
+      apiKeyId: 'apikeyid...',
+      baseUrl: 'https://api.exponea.com',
+      checkedAt: '2026-02-01T12:00:00.000Z',
+    });
+  });
+
+  it('status returns unconfigured details when config is missing', () => {
+    vi.mocked(resolveApiConfig).mockImplementation(() => {
+      throw new BloomreachBuddyError('CONFIG_MISSING', 'Missing credentials');
+    });
+
+    const auth = new BloomreachApiAuth();
+    const result = auth.status();
+
+    expect(result).toEqual({
+      configured: false,
+      verified: false,
+      projectToken: undefined,
+      apiKeyId: undefined,
+      baseUrl: undefined,
+      checkedAt: '2026-02-01T12:00:00.000Z',
+    });
+  });
+
+  it('verify returns mapped success result when credentials are valid', async () => {
+    const validationResult: ValidateCredentialsResult = {
+      valid: true,
+      serverTime: 1_700_000_000,
+    };
+    vi.mocked(resolveApiConfig).mockReturnValue(CONFIG);
+    vi.mocked(validateCredentials).mockResolvedValue(validationResult);
+
+    const auth = new BloomreachApiAuth();
+    const result = await auth.verify();
+
+    expect(validateCredentials).toHaveBeenCalledWith(CONFIG);
+    expect(result).toEqual({
+      configured: true,
+      verified: true,
+      projectToken: 'projectt...',
+      apiKeyId: 'apikeyid...',
+      baseUrl: 'https://api.exponea.com',
+      serverTime: 1_700_000_000,
+      error: undefined,
+      errorCategory: undefined,
+      checkedAt: '2026-02-01T12:00:00.000Z',
+    });
+  });
+
+  it('verify returns mapped failure result when credentials are invalid', async () => {
+    const validationResult: ValidateCredentialsResult = {
+      valid: false,
+      error: 'invalid_credentials',
+      message: 'API key ID or secret is incorrect.',
+    };
+    vi.mocked(resolveApiConfig).mockReturnValue(CONFIG);
+    vi.mocked(validateCredentials).mockResolvedValue(validationResult);
+
+    const auth = new BloomreachApiAuth();
+    const result = await auth.verify();
+
+    expect(result.verified).toBe(false);
+    expect(result.error).toBe('API key ID or secret is incorrect.');
+    expect(result.errorCategory).toBe('invalid_credentials');
+    expect(result.checkedAt).toBe('2026-02-01T12:00:00.000Z');
+  });
+
+  it('verify returns unconfigured status without calling validateCredentials', async () => {
+    vi.mocked(resolveApiConfig).mockImplementation(() => {
+      throw new BloomreachBuddyError('CONFIG_MISSING', 'Missing credentials');
+    });
+
+    const auth = new BloomreachApiAuth();
+    const result = await auth.verify();
+
+    expect(validateCredentials).not.toHaveBeenCalled();
+    expect(result.configured).toBe(false);
+    expect(result.verified).toBe(false);
+  });
+
+  it('getConfig throws CONFIG_MISSING when unconfigured', () => {
+    vi.mocked(resolveApiConfig).mockImplementation(() => {
+      throw new BloomreachBuddyError('CONFIG_MISSING', 'Missing credentials');
+    });
+
+    const auth = new BloomreachApiAuth();
+
+    expect(() => auth.getConfig()).toThrow(
+      expect.objectContaining({ code: 'CONFIG_MISSING' }),
+    );
+  });
+
+  it('isConfigured returns false when constructor failed to resolve config', () => {
+    vi.mocked(resolveApiConfig).mockImplementation(() => {
+      throw new BloomreachBuddyError('CONFIG_MISSING', 'Missing credentials');
+    });
+
+    const auth = new BloomreachApiAuth();
+
+    expect(auth.isConfigured()).toBe(false);
+  });
+});