feat(root): --non-interactive persistent flag for jtk + cfl (#391) (#394)

* feat(root): add --non-interactive persistent flag for jtk + cfl

Add --non-interactive as a persistent root flag on both tools per
cli-common scriptability.md §3.4/§4.1. Under it:

- Init wizards (jtk init / cfl init) skip the huh form entirely and
  fail loud naming the first missing required field (URL, email or
  cloud-id, token). cfl's error points to `cfl set-credential` since
  cfl init has no --token flag.
- The sibling-impact confirm proceeds (the user opted in by passing
  --non-interactive on the shared store) with an info line to stderr
  for the audit trail. The legacy-cleanup confirm skips both prompt
  and deletion (non-destructive default).
- All 11 destructive-confirm sites (jtk issues/projects/automation/
  fields*3/configcmd, cfl page/space/attachment/configcmd) adopt
  prompt.ConfirmOrFail(force, nonInteractive, stdin); without --force
  they return prompt.ErrConfirmationRequired ("re-run with --force to
  proceed"). The prompt-text emission is also gated on
  !NonInteractive so CI logs stay clean — stderr is empty too.
- The file-backend passphrase callback consults a package-level
  GetNonInteractive() and fails loud asking for
  ATLASSIAN_CLI_KEYRING_PASSPHRASE rather than prompting on a real TTY.

Wiring threads through WireBackendSelection (the single chokepoint
shadowing PersistentPreRunE subcommands already remember to call) so
dashboards/boards/automation/sprints get the gate automatically. A
regression test pins this coupling.

Closes #391

* fix(non-interactive): short-circuit destructive paths before API/keyring inspection

Address Codex PR #394 majors:

- All destructive paths that previously fetched a remote resource or
  opened the keyring before checking the confirmation gate now
  short-circuit early: `if NonInteractive && !force { return
  prompt.ErrConfirmationRequired }`. Affected: cfl page/space/attachment
  delete, jtk automation delete, and both config clear commands. Under
  --non-interactive without --force the user now gets the confirmation
  error verbatim, never an API/auth/not-found or keyring/passphrase
  error winning first.

- The two config-clear commands also gain the early short-circuit so
  the destructive warning block (which prints to stderr unconditionally
  before the `confirm("Proceed?")` call) cannot leak under
  --non-interactive. CI logs see neither warning nor `[y/N]` prompt
  before the fail-loud error.

- passphrase_test.go no longer hangs when run from a real TTY: skips
  the non-TTY-fallback path under term.IsTerminal(os.Stdin) since the
  callback would block in term.ReadPassword. The --non-interactive
  branch still covers fail-loud independently.

- Add destructive-confirm regression coverage at the API-lookup-before
  -confirm boundary (cfl page delete) and the config-clear boundary
  (cfl configcmd clear) — both assert ErrConfirmationRequired surfaces,
  the API isn't hit / the keyring isn't inspected, and stderr stays
  empty. The pattern is identical across jtk/cfl resource delete
  commands and across both config-clear paths.

* test(non-interactive): close TDD-pass coverage gaps

Address the TDD-pass majors by pinning the §3.4 contract at sites
that weren't previously asserted:

- cfl wireBackendSelection NonInteractive threading + default-false
  (mirrors the existing jtk test that pins this single chokepoint).
- cfl attachment delete: API not hit + stderr empty under
  --non-interactive without --force; ErrConfirmationRequired surfaces.
- jtk automation delete: same short-circuit assertion + API-miss check.
- jtk configcmd clear: short-circuit + stderr-empty + token-preserved
  assertions.

The pattern is identical at each call-site; pinning the four most
critical destructive paths (each of which involved a pre-confirm API
or keyring fetch the short-circuit must precede) makes a regression
loud across the family.

* fix+test(non-interactive): close daemon-round-1 coverage + positioning gaps

- cfl space delete: move the --non-interactive short-circuit before
  view.ValidateFormat so a bogus --output value can't win precedence
  over the §3.4 confirmation contract. New delete_test pins both the
  short-circuit AND the format-validation precedence.

- jtk automation delete: defense-in-depth — guard the warning-text
  block on `!force && !opts.NonInteractive` to match issues/page/
  attachment so a future refactor that moves the early short-circuit
  can't leak warning text under --non-interactive. Add WithForce
  proceeds test + stdout-empty assertion to the existing short-circuit
  test.

- jtk projects delete: add WithoutForce_FailsLoud + WithForce_Proceeds
  tests (mirrors the issues pattern).

- jtk fields delete×3 (runDelete + runContextsDelete + runOptionsDelete):
  single table-driven test covers all three sites' §3.4 contract.

- jtk configcmd clear: add WithForce_Proceeds test (mirrors cfl).

Author: rianjs

CLAUDE.md

@@ -204,6 +204,21 @@ backend only (never the value). `config clear` removes the single shared
 resolve the same key); `config clear --all` removes the whole bundle
 (including any deprecated per-tool keys) plus the non-secret config file.
 
+**`--non-interactive` persistent root flag (§3.4):** both jtk and cfl
+accept `--non-interactive` on every command. Under it: no interactive
+prompts run (init wizards, destructive-confirm questions, file-backend
+passphrase TTY prompt). Init wizards fail loud naming the first missing
+required field (URL, email/cloud-id, token). Destructive commands
+(`issues/projects/automation/fields/config clear` on jtk;
+`page/space/attachment/config clear` on cfl) require `--force` to
+proceed; without it they return a clear "confirmation required;
+re-run with --force" error. Init's sibling-impact confirm and
+legacy-cleanup confirms default to safe behavior under
+`--non-interactive` (proceed-with-save, leave-legacy-files-in-place).
+The flag is forwarded into the keyring package via `WireBackendSelection`
+so the file-backend passphrase callback fails loud asking for
+`ATLASSIAN_CLI_KEYRING_PASSPHRASE` rather than prompting on a real TTY.
+
 ## Git History
 
 This monorepo was created using `git subtree` to preserve the full commit history of both tools. Use `git log --oneline` to see the complete history from both source repositories.

shared/keyring/non_interactive.go

@@ -0,0 +1,31 @@
+package keyring
+
+import "sync"
+
+// SetNonInteractive wires the root-command --non-interactive policy into
+// the package state consulted by the file-backend passphrase callback.
+//
+// Mirrors the SetBackendSelection pattern at keyring.go:28. Callers
+// (each tool's root PersistentPreRunE) invoke this once before any
+// Open* runs; the mutex guards against surprise concurrent callers
+// (test code rebuilding the command tree, future goroutine-launching
+// subcommands).
+func SetNonInteractive(nonInteractive bool) {
+	nonInteractiveMu.Lock()
+	defer nonInteractiveMu.Unlock()
+	selectedNonInteractive = nonInteractive
+}
+
+// GetNonInteractive returns the current package-level non-interactive
+// state. Consumed by passphraseFunc to fail loud on --non-interactive
+// even when stdin is a real TTY.
+func GetNonInteractive() bool {
+	nonInteractiveMu.RLock()
+	defer nonInteractiveMu.RUnlock()
+	return selectedNonInteractive
+}
+
+var (
+	nonInteractiveMu       sync.RWMutex
+	selectedNonInteractive bool
+)

shared/keyring/passphrase.go

@@ -31,6 +31,15 @@ func passphraseFunc(service string) func() (string, error) {
 		// must supply ATLASSIAN_CLI_KEYRING_PASSPHRASE in that case (the
 		// error message says so). Token delivery and passphrase entry
 		// cannot share stdin.
+		//
+		// Additionally, the --non-interactive root flag (§3.4) forces
+		// fail-loud even on a real TTY: a scripted/CI run must never
+		// block on a prompt, regardless of where it is invoked from.
+		if GetNonInteractive() {
+			return "", fmt.Errorf(
+				"file keyring backend needs a passphrase: set %s (--non-interactive disables the TTY prompt fallback)",
+				passphraseEnvVar(service))
+		}
 		if !term.IsTerminal(int(os.Stdin.Fd())) {
 			return "", fmt.Errorf(
 				"file keyring backend needs a passphrase: set %s, or run interactively",

shared/keyring/passphrase_test.go

@@ -0,0 +1,61 @@
+package keyring
+
+import (
+	"os"
+	"strings"
+	"testing"
+
+	"golang.org/x/term"
+)
+
+// TestPassphraseFunc_NonInteractiveFailsLoud — under --non-interactive
+// the file-backend passphrase callback MUST fail loud asking for the
+// env var, regardless of whether stdin is a real TTY. The error message
+// must NOT include the "or run interactively" hint that the non-TTY
+// path uses, since the user explicitly opted out of interactive mode.
+func TestPassphraseFunc_NonInteractiveFailsLoud(t *testing.T) {
+	SetNonInteractive(true)
+	defer SetNonInteractive(false)
+
+	fn := passphraseFunc("atlassian-cli")
+	got, err := fn()
+	if err == nil {
+		t.Fatalf("expected error, got passphrase %q", got)
+	}
+	if got != "" {
+		t.Fatalf("passphrase must be empty on failure, got %q", got)
+	}
+	if !strings.Contains(err.Error(), "ATLASSIAN_CLI_KEYRING_PASSPHRASE") {
+		t.Fatalf("error must name the env var, got %v", err)
+	}
+	if !strings.Contains(err.Error(), "--non-interactive") {
+		t.Fatalf("error must explain the --non-interactive policy, got %v", err)
+	}
+	if strings.Contains(err.Error(), "or run interactively") {
+		t.Fatalf("under --non-interactive the 'or run interactively' hint is wrong, got %v", err)
+	}
+}
+
+// TestPassphraseFunc_NonInteractiveOff_NonTTYPath — the non-TTY-stdin
+// path (the pre-existing contract) keeps working when --non-interactive
+// is NOT set. Skip when os.Stdin IS a real TTY (running tests in a
+// terminal) because the callback would enter term.ReadPassword and
+// block. The non-interactive-true branch above covers fail-loud; the
+// interactive prompt branch requires a PTY harness we don't have here.
+func TestPassphraseFunc_NonInteractiveOff_NonTTYPath(t *testing.T) {
+	SetNonInteractive(false)
+	if term.IsTerminal(int(os.Stdin.Fd())) {
+		t.Skip("os.Stdin is a real TTY; the prompt path would block — skipping (covered by the --non-interactive=true branch)")
+	}
+	fn := passphraseFunc("atlassian-cli")
+	got, err := fn()
+	if err == nil {
+		t.Fatalf("expected non-TTY-fallback error, got passphrase %q", got)
+	}
+	if got != "" {
+		t.Fatalf("passphrase must be empty on failure, got %q", got)
+	}
+	if !strings.Contains(err.Error(), "or run interactively") {
+		t.Fatalf("non-TTY fallback error must mention 'or run interactively', got %v", err)
+	}
+}

shared/prompt/confirm.go

@@ -3,8 +3,12 @@ package prompt
 
 import (
 	"bufio"
+	"errors"
 	"io"
+	"os"
 	"strings"
+
+	"golang.org/x/term"
 )
 
 // Confirm prompts the user for confirmation and returns true if they answer yes.
@@ -30,3 +34,38 @@ func ConfirmOrForce(force bool, stdin io.Reader) (bool, error) {
 	}
 	return Confirm(stdin)
 }
+
+// ErrConfirmationRequired is the §3.4 sentinel: destructive operations
+// under --non-interactive without --force MUST fail loud rather than
+// block on stdin or silently cancel. The text is the actionable hint.
+var ErrConfirmationRequired = errors.New("--non-interactive: confirmation required; re-run with --force to proceed")
+
+// ConfirmOrFail upgrades ConfirmOrForce with the §3.4 non-interactive
+// gate. Precedence: --force wins (returns true); --non-interactive
+// without --force returns ErrConfirmationRequired; otherwise prompts
+// via Confirm.
+func ConfirmOrFail(force, nonInteractive bool, stdin io.Reader) (bool, error) {
+	if force {
+		return true, nil
+	}
+	if nonInteractive {
+		return false, ErrConfirmationRequired
+	}
+	return Confirm(stdin)
+}
+
+// WantPrompt reports whether interactive prompts should run. Returns
+// false under --non-interactive (regardless of stdin) AND when stdin is
+// not a TTY. Used by init wizards to choose between a huh form (TTY +
+// interactive) and a fail-loud validator (non-interactive or non-TTY).
+func WantPrompt(nonInteractive bool, stdin io.Reader) bool {
+	if nonInteractive {
+		return false
+	}
+	return isTerminal(stdin)
+}
+
+func isTerminal(r io.Reader) bool {
+	f, ok := r.(*os.File)
+	return ok && term.IsTerminal(int(f.Fd()))
+}

shared/prompt/confirm_test.go

@@ -1,6 +1,8 @@
 package prompt
 
 import (
+	"errors"
+	"os"
 	"strings"
 	"testing"
 
@@ -114,3 +116,78 @@ func TestConfirmOrForce(t *testing.T) {
 		})
 	}
 }
+
+func TestConfirmOrFail(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name           string
+		force          bool
+		nonInteractive bool
+		input          string
+		want           bool
+		wantErr        error
+	}{
+		{
+			name:           "force wins over non-interactive",
+			force:          true,
+			nonInteractive: true,
+			want:           true,
+		},
+		{
+			name:           "non-interactive without force surfaces sentinel",
+			nonInteractive: true,
+			wantErr:        ErrConfirmationRequired,
+		},
+		{
+			name:  "interactive y confirms",
+			input: "y\n",
+			want:  true,
+		},
+		{
+			name:  "interactive n cancels",
+			input: "n\n",
+			want:  false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got, err := ConfirmOrFail(tt.force, tt.nonInteractive, strings.NewReader(tt.input))
+			if tt.wantErr != nil {
+				if !errors.Is(err, tt.wantErr) {
+					t.Fatalf("want %v, got %v", tt.wantErr, err)
+				}
+				return
+			}
+			testutil.RequireNoError(t, err)
+			testutil.Equal(t, got, tt.want)
+		})
+	}
+}
+
+func TestWantPrompt(t *testing.T) {
+	t.Parallel()
+
+	// Non-TTY reader (strings.Reader isn't *os.File so isTerminal returns false).
+	nonTTY := strings.NewReader("")
+
+	if WantPrompt(true, nonTTY) {
+		t.Fatal("nonInteractive=true must force WantPrompt=false")
+	}
+	if WantPrompt(false, nonTTY) {
+		t.Fatal("non-TTY stdin must yield WantPrompt=false")
+	}
+
+	// Build a real TTY-like *os.File via os.Pipe(); the read end isn't a
+	// terminal so isTerminal returns false. We can't easily fabricate a
+	// real TTY in a unit test, so assert the false-case from a real *os.File
+	// to cover that branch of the type assertion.
+	r, w, err := os.Pipe()
+	if err != nil {
+		t.Fatalf("os.Pipe: %v", err)
+	}
+	defer func() { _ = r.Close(); _ = w.Close() }()
+	if WantPrompt(false, r) {
+		t.Fatal("pipe read end is not a TTY; WantPrompt must be false")
+	}
+}

tools/cfl/internal/cmd/attachment/delete.go

@@ -1,12 +1,13 @@
 package attachment
 
 import (
-	"bufio"
 	"context"
 	"fmt"
 
 	"github.com/spf13/cobra"
 
+	"github.com/open-cli-collective/atlassian-go/prompt"
+
 	"github.com/open-cli-collective/confluence-cli/internal/cmd/root"
 )
 
@@ -39,6 +40,13 @@ func newDeleteCmd(rootOpts *root.Options) *cobra.Command {
 }
 
 func runDeleteAttachment(ctx context.Context, attachmentID string, opts *deleteOptions) error {
+	// §3.4: short-circuit BEFORE any API call so --non-interactive without
+	// --force returns ErrConfirmationRequired even if the attachment
+	// lookup would have failed first (auth/not-found/network).
+	if opts.NonInteractive && !opts.force {
+		return prompt.ErrConfirmationRequired
+	}
+
 	client, err := opts.APIClient()
 	if err != nil {
 		return err
@@ -51,20 +59,17 @@ func runDeleteAttachment(ctx context.Context, attachmentID string, opts *deleteO
 
 	v := opts.View()
 
-	if !opts.force {
+	if !opts.force && !opts.NonInteractive {
 		_, _ = fmt.Fprintf(opts.Stderr, "About to delete attachment: %s (ID: %s)\n", attachment.Title, attachment.ID)
 		_, _ = fmt.Fprint(opts.Stderr, "Are you sure? [y/N]: ")
-
-		scanner := bufio.NewScanner(opts.Stdin)
-		var confirm string
-		if scanner.Scan() {
-			confirm = scanner.Text()
-		}
-
-		if confirm != "y" && confirm != "Y" {
-			_, _ = fmt.Fprintln(opts.Stderr, "Deletion cancelled.")
-			return nil
-		}
+	}
+	confirmed, err := prompt.ConfirmOrFail(opts.force, opts.NonInteractive, opts.Stdin)
+	if err != nil {
+		return err
+	}
+	if !confirmed {
+		_, _ = fmt.Fprintln(opts.Stderr, "Deletion cancelled.")
+		return nil
 	}
 
 	if err := client.DeleteAttachment(ctx, attachmentID); err != nil {

tools/cfl/internal/cmd/attachment/delete_test.go

@@ -3,11 +3,13 @@ package attachment
 import (
 	"bytes"
 	"context"
+	"errors"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 
+	"github.com/open-cli-collective/atlassian-go/prompt"
 	"github.com/open-cli-collective/atlassian-go/testutil"
 
 	"github.com/open-cli-collective/confluence-cli/api"
@@ -240,3 +242,36 @@ func TestRunDeleteAttachment_DeleteFails(t *testing.T) {
 	testutil.RequireError(t, err)
 	testutil.Contains(t, err.Error(), "deleting attachment")
 }
+
+// TestRunDeleteAttachment_NonInteractive_WithoutForce_ShortCircuits
+// pins the §3.4 early-fail contract: the API must NOT be called when
+// --non-interactive is set without --force.
+func TestRunDeleteAttachment_NonInteractive_WithoutForce_ShortCircuits(t *testing.T) {
+	t.Parallel()
+	var hits int
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		hits++
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	rootOpts := newTestRootOptions()
+	rootOpts.NonInteractive = true
+	client := api.NewClient(server.URL, "test@example.com", "token")
+	rootOpts.SetAPIClient(client)
+
+	opts := &deleteOptions{Options: rootOpts, force: false}
+	err := runDeleteAttachment(context.Background(), "att123", opts)
+	if err == nil {
+		t.Fatal("expected ErrConfirmationRequired")
+	}
+	if !errors.Is(err, prompt.ErrConfirmationRequired) {
+		t.Fatalf("expected prompt.ErrConfirmationRequired, got %v", err)
+	}
+	if hits != 0 {
+		t.Fatalf("API must not be called; got %d hits", hits)
+	}
+	if rootOpts.Stderr.(*bytes.Buffer).Len() != 0 {
+		t.Fatalf("stderr must be empty: %q", rootOpts.Stderr.(*bytes.Buffer).String())
+	}
+}