dotflow-io · FernandoCelmer · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
diff --git a/dotflow/cli/commands/__init__.py b/dotflow/cli/commands/__init__.py
@@ -4,6 +4,8 @@
 from dotflow.cli.commands.deploy import DeployCommand
 from dotflow.cli.commands.init import InitCommand
 from dotflow.cli.commands.log import LogCommand
+from dotflow.cli.commands.login import LoginCommand
+from dotflow.cli.commands.logout import LogoutCommand
 from dotflow.cli.commands.schedule import ScheduleCommand
 from dotflow.cli.commands.start import StartCommand
 
@@ -13,6 +15,8 @@
     "DeployCommand",
     "InitCommand",
     "LogCommand",
+    "LoginCommand",
+    "LogoutCommand",
     "ScheduleCommand",
     "StartCommand",
 ]
diff --git a/dotflow/cli/commands/login.py b/dotflow/cli/commands/login.py
@@ -0,0 +1,123 @@
+"""Command login module."""
+
+from __future__ import annotations
+
+import os
+import time
+import webbrowser
+
+from requests import RequestException, post
+from rich import print  # type: ignore
+
+from dotflow.cli.command import Command
+from dotflow.core.config_file import save_cloud_config
+from dotflow.settings import Settings as settings
+
+DEFAULT_BASE_URL = "https://www.host.dotflow.io/api/v1"
+DEVICE_ENDPOINT = "/cli/device"
+TOKEN_ENDPOINT = "/cli/token"
+TIMEOUT = 15
+DEFAULT_INTERVAL = 5
+MAX_POLL_INTERVAL = 60
+
+
+class LoginCommand(Command):
+    def setup(self):
+        token = getattr(self.params, "token", None)
+        base_url = self._resolve_base_url()
+
+        if token:
+            save_cloud_config(token=token, base_url=base_url)
+            print(settings.INFO_ALERT, "Token saved.")
+            return
+
+        handshake = self._start_device(base_url)
+        if handshake is None:
+            return
+
+        print(settings.INFO_ALERT, f"Opening {handshake['verification_uri']}")
+        print(settings.INFO_ALERT, f"Code: {handshake['user_code']}")
+
+        webbrowser.open(handshake["verification_uri"])
+
+        token = self._poll_token(base_url, handshake)
+
+        if not token:
+            return
+
+        save_cloud_config(token=token, base_url=base_url)
+        print(settings.INFO_ALERT, "Authenticated.")
+
+    def _resolve_base_url(self) -> str:
+        """Flag or env var wins over the default."""
+        explicit = getattr(self.params, "base_url", None) or os.environ.get(
+            "SERVER_BASE_URL"
+        )
+        return explicit.rstrip("/") if explicit else DEFAULT_BASE_URL
+
+    def _start_device(self, base_url: str) -> dict | None:
+        try:
+            response = post(
+                f"{base_url}{DEVICE_ENDPOINT}",
+                timeout=TIMEOUT,
+            )
+            response.raise_for_status()
+            return response.json()
+        except RequestException as error:
+            print(
+                settings.ERROR_ALERT,
+                f"Could not reach Dotflow Cloud: {error}",
+            )
+            return None
+
+    def _poll_token(self, base_url: str, handshake: dict) -> str | None:
+        interval = handshake.get("interval") or DEFAULT_INTERVAL
+        deadline = time.monotonic() + (handshake.get("expires_in") or 300)
+
+        while time.monotonic() < deadline:
+            try:
+                response = post(
+                    f"{base_url}{TOKEN_ENDPOINT}",
+                    json={"device_code": handshake["device_code"]},
+                    timeout=TIMEOUT,
+                )
+            except RequestException as error:
+                print(settings.ERROR_ALERT, f"Network error: {error}")
+                return None
+
+            if response.status_code == 200:
+                return response.json().get("api_token")
+
+            detail = self._detail(response)
+
+            if (
+                response.status_code == 400
+                and detail == "authorization_pending"
+            ):
+                time.sleep(interval)
+                continue
+
+            if response.status_code == 400 and detail in (
+                "slow_down",
+                "slow down",
+            ):
+                interval = min(interval + 5, MAX_POLL_INTERVAL)
+                time.sleep(interval)
+                continue
+
+            if response.status_code == 410:
+                print(settings.ERROR_ALERT, "Authorization expired.")
+                return None
+
+            print(settings.ERROR_ALERT, f"{response.status_code}: {detail}")
+            return None
+
+        print(settings.ERROR_ALERT, "Timed out waiting for authorization.")
+        return None
+
+    @staticmethod
+    def _detail(response) -> str:
+        try:
+            return str(response.json().get("detail", response.text))
+        except ValueError:
+            return response.text
diff --git a/dotflow/cli/commands/logout.py b/dotflow/cli/commands/logout.py
@@ -0,0 +1,15 @@
+"""Command logout module."""
+
+from rich import print  # type: ignore
+
+from dotflow.cli.command import Command
+from dotflow.core.config_file import clear_cloud_config
+from dotflow.settings import Settings as settings
+
+
+class LogoutCommand(Command):
+    def setup(self):
+        if clear_cloud_config():
+            print(settings.INFO_ALERT, "Signed out.")
+        else:
+            print(settings.WARNING_ALERT, "No saved credentials.")
diff --git a/dotflow/cli/setup.py b/dotflow/cli/setup.py
@@ -9,6 +9,8 @@
     DeployCommand,
     InitCommand,
     LogCommand,
+    LoginCommand,
+    LogoutCommand,
     ScheduleCommand,
     StartCommand,
 )
@@ -42,12 +44,37 @@ def __init__(self, parser):
 
         self.setup_init()
         self.setup_logs()
+        self.setup_login()
+        self.setup_logout()
         self.setup_start()
         self.setup_schedule()
         self.setup_cloud()
         self.setup_deploy()
         self.command()
 
+    def setup_login(self):
+        cmd = self.subparsers.add_parser(
+            "login", help="Authenticate the CLI via browser"
+        )
+        cmd_group = cmd.add_argument_group("Usage: dotflow login [OPTIONS]")
+        cmd_group.add_argument(
+            "--base-url",
+            default=None,
+            help="Override the Dotflow Cloud API base URL",
+        )
+        cmd_group.add_argument(
+            "--token",
+            default=None,
+            help="Skip the browser flow and save a pre-obtained API token",
+        )
+        cmd.set_defaults(exec=LoginCommand)
+
+    def setup_logout(self):
+        cmd = self.subparsers.add_parser(
+            "logout", help="Remove saved CLI credentials"
+        )
+        cmd.set_defaults(exec=LogoutCommand)
+
     def setup_init(self):
         self.cmd_init = self.subparsers.add_parser(
             "init", help="Scaffold a new dotflow project"

diff --git a/dotflow/core/config_file.py b/dotflow/core/config_file.py
@@ -0,0 +1,95 @@
+"""Persistent CLI config stored at ``~/.dotflow/config.json``."""
+
+from __future__ import annotations
+
+import contextlib
+import json
+import os
+from pathlib import Path
+
+CONFIG_DIR_NAME = ".dotflow"
+CONFIG_FILE_NAME = "config.json"
+CLOUD_SECTION = "cloud"
+
+
+def config_path() -> Path:
+    """Return the absolute path of the CLI config file."""
+    return Path.home() / CONFIG_DIR_NAME / CONFIG_FILE_NAME
+
+
+def load_cloud_config() -> dict[str, str]:
+    """Read the ``cloud`` section from the config file. ``{}`` when absent."""
+    path = config_path()
+
+    if not path.exists():
+        return {}
+
+    try:
+        raw = path.read_text(encoding="utf-8")
+    except OSError:
+        return {}
+
+    try:
+        data = json.loads(raw)
+    except json.JSONDecodeError:
+        return {}
+
+    section = data.get(CLOUD_SECTION) if isinstance(data, dict) else None
+    if not isinstance(section, dict):
+        return {}
+
+    return {
+        key: str(value)
+        for key, value in section.items()
+        if isinstance(value, str)
+    }
+
+
+def save_cloud_config(token: str, base_url: str) -> Path:
+    """Persist ``cloud`` with the given token/base_url. Returns the file path."""
+    path = config_path()
+    path.parent.mkdir(parents=True, exist_ok=True)
+
+    payload = {
+        CLOUD_SECTION: {
+            "base_url": base_url,
+            "token": token,
+        }
+    }
+    content = json.dumps(payload, indent=2) + "\n"
+
+    fd = os.open(
+        str(path),
+        os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
+        0o600,
+    )
+    with contextlib.suppress(OSError):
+        os.fchmod(fd, 0o600)
+    with os.fdopen(fd, "w", encoding="utf-8") as fh:
+        fh.write(content)
+
+    return path
+
+
+def clear_cloud_config() -> bool:
+    """Remove the config file. Returns True when something was deleted."""
+    path = config_path()
+
+    if not path.exists():
+        return False
+
+    try:
+        path.unlink()
+        return True
+    except OSError:
+        return False
+
+
+def resolve(key: str, env_var: str) -> str | None:
+    """Resolve a setting with env > file precedence. ``None`` when absent."""
+    env_value = os.environ.get(env_var)
+
+    if env_value:
+        return env_value
+
+    return load_cloud_config().get(key) or None
diff --git a/dotflow/providers/server_default.py b/dotflow/providers/server_default.py
@@ -1,4 +1,4 @@
-"""ServerDefault — no-op or managed HTTP server provider."""
+"""ServerDefault - managed HTTP server provider."""
 
 from __future__ import annotations
 
@@ -24,24 +24,19 @@ def wrapper(self, *args, **kwargs):
 
 
 class ServerDefault(Server):
-    """Default Server provider with auto-detected managed mode.
-
-    When ``SERVER_BASE_URL`` and ``SERVER_USER_TOKEN`` env vars are set,
-    sends workflow and task events to the remote API. Otherwise, all
-    methods are no-ops.
-    """
+    """Default Server provider with auto-detected managed mode."""
 
     MAX_RESULT_SIZE = 5_000_000
     TIMEOUT = 15.0
 
-    ENDPOINT_WORKFLOWS = "/workflows"
-    ENDPOINT_WORKFLOW = "/workflows/{workflow_id}"
-    ENDPOINT_TASKS = "/workflows/{workflow_id}/tasks"
-    ENDPOINT_TASK = "/workflows/{workflow_id}/tasks/{task_id}"
+    ENDPOINT_WORKFLOWS = "/cli/workflows"
+    ENDPOINT_WORKFLOW = "/cli/workflows/{workflow_id}"
+    ENDPOINT_TASKS = "/cli/workflows/{workflow_id}/tasks"
+    ENDPOINT_TASK = "/cli/workflows/{workflow_id}/tasks/{task_id}"
 
     def __init__(self) -> None:
-        base_url = os.getenv("SERVER_BASE_URL")
-        user_token = os.getenv("SERVER_USER_TOKEN")
+        base_url = os.environ.get("SERVER_BASE_URL") or None
+        user_token = os.environ.get("SERVER_USER_TOKEN") or None
         self._managed = bool(base_url and user_token)
 
         self._base_url = base_url.rstrip("/") if base_url else None
@@ -56,25 +51,23 @@ def _headers(self) -> dict:
 
     def _post(self, url: str, json: dict) -> None:
         try:
-            response = post(
+            post(
                 url,
                 json=json,
                 headers=self._headers,
                 timeout=self.TIMEOUT,
             )
-            logger.info("POST %s [%s]", url, response.status_code)
         except RequestException as error:
             logger.error("POST %s failed: %s", url, error)
 
     def _patch(self, url: str, json: dict) -> None:
         try:
-            response = patch(
+            patch(
                 url,
                 json=json,
                 headers=self._headers,
                 timeout=self.TIMEOUT,
             )
-            logger.info("PATCH %s [%s]", url, response.status_code)
         except RequestException as error:
             logger.error("PATCH %s failed: %s", url, error)