feat: add Parseable Cloud API key login

[pratik50]

Summary

Adds Parseable Cloud API key support to pb.

Users can now create a Cloud profile using either:

pb cloud profile add --api-key <key> --name prod --default

or interactive login:

pb login

Then select Parseable Cloud and paste API key.

What Changed

• Added pb cloud profile add

• Enabled Parseable Cloud option in interactive pb login

• Added cloud-aware profile fields:

  • cloud
  • api_key
  • tenant_id
  • ingest_url
  • workspace_id
  • workspace_name
  • orchestrator_url

• Added API key validation through orchestrator:

  • GET /api/v1/apikey/validate
  • Authorization: Bearer <api_key>

• Added cloud request auth headers:

  • x-api-key: <api_key>
  • X-P-Tenant: <tenant_id>

• Kept self-hosted BasicAuth/token profiles backward compatible

• Config file writes with 0600 permissions because API key is stored locally

Summary by CodeRabbit

• New Features

  • Added a new cloud profile setup command for registering Parseable Cloud access from the CLI.
  • Cloud login is now supported in the interactive sign-in flow, with profile details saved automatically.

• Bug Fixes

  • Improved authentication handling across queries, streaming, saved queries, and PromQL requests.
  • Tailing now uses the correct cloud credentials when connecting to cloud deployments.

• Style

  • Updated CLI help text and prompts to better reflect cloud and self-hosted login options.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds Parseable Cloud profile creation and login support, extends profile/config data for cloud credentials, centralizes request auth header handling, and updates tail streaming to use cloud-aware metadata.

Changes

Cloud profile and authentication support

Layer / File(s)	Summary
Cloud profile contracts pkg/config/config.go, pkg/http/http.go	config.Profile gains cloud fields, and HTTPClient.NewRequest/AddAuthHeaders now select cloud API-key, bearer token, or basic auth headers.
Cloud profile add command cmd/cloud.go, main.go, pkg/config/config.go	pb cloud profile add validates API keys, derives workspace-based profile names, saves cloud profiles, writes config files with 0600 permissions, and registers the new top-level command.
Cloud login flow pkg/model/login.go, cmd/login.go	The login wizard routes Parseable Cloud directly to API key entry, finalizes cloud profiles from the entered key, and saves the resulting profile after the wizard completes.
Shared request auth call sites cmd/promql.go, cmd/queryList.go, pkg/datasets/datasets.go, pkg/model/promql.go, pkg/model/query.go, pkg/model/savedQueries.go	Outbound HTTP requests in these paths now call internalHTTP.AddAuthHeaders instead of inlining bearer token or basic auth setup.
Tail gRPC auth metadata cmd/tail.go	Tail streaming now builds outgoing metadata from cloud API keys and tenant IDs when present, otherwise falls back to Basic auth.

Sequence Diagram(s)

sequenceDiagram
  participant CloudProfileAddCmd
  participant validateCloudAPIKey
  participant AddAuthHeaders
  participant Orchestrator API
  participant saveCloudProfile
  participant WriteConfigToFile
  CloudProfileAddCmd->>validateCloudAPIKey: validate API key
  validateCloudAPIKey->>AddAuthHeaders: set cloud auth headers
  AddAuthHeaders-->>validateCloudAPIKey: request headers
  validateCloudAPIKey->>Orchestrator API: GET /api/v1/apikey/validate
  Orchestrator API-->>validateCloudAPIKey: JSON response
  validateCloudAPIKey-->>CloudProfileAddCmd: validation data
  CloudProfileAddCmd->>saveCloudProfile: persist profile
  saveCloudProfile->>WriteConfigToFile: write config
  WriteConfigToFile-->>saveCloudProfile: done

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐇 I hopped through clouds with API keys bright,
and tucked new profiles in the burrow at night.
Tail winds whisper, auth paths gleam,
one little hop, one bigger dream.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 21.74% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly reflects the main change: adding Parseable Cloud API key login support.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

cmd/login.go (1)

60-77: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Duplicated cloud-profile construction.

cloudProfileFromAPIKey builds a config.Profile from the validation result identically to CloudProfileAddCmd.RunE in cmd/cloud.go (lines 96-105). Consider extracting a single helper (e.g. profileFromValidation(apiKey, orchestratorURL, result)) used by both paths so the field mapping stays in sync.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/login.go` around lines 60 - 77, The cloud-profile construction logic is
duplicated between cloudProfileFromAPIKey and CloudProfileAddCmd.RunE, so
extract the shared mapping into a single helper such as profileFromValidation
that accepts the apiKey, orchestratorURL, and validation result and returns the
config.Profile. Update both call sites to use that helper so the field
assignments stay consistent in one place.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/cloud.go`:
- Around line 184-200: saveCloudProfile currently treats every
ReadConfigFromFile error as an empty config and then writes it back, which can
wipe existing profiles, and it also overwrites an existing profile when the
derived or provided name already exists. Update saveCloudProfile to distinguish
a missing config file from other read errors so non-fatal parse/read failures
are surfaced instead of replacing the config, and add an overwrite check before
assigning fileConfig.Profiles[name]. Use the existing stepConfirmReplace pattern
from the interactive login flow to warn or confirm when a profile name collision
would replace an existing entry, then only call WriteConfigToFile after the user
has explicitly accepted the overwrite.
- Around line 33-37: The default Cloud orchestrator URL is currently pointing at
the staging endpoint, so `defaultCloudOrchestratorURL` in `cmd/cloud.go` should
be changed to the production orchestrator unless staging is explicitly intended.
Update the default used by the Cloud validation flow, and make sure the
`envCloudOrchestratorURL` override still works so users can opt into a different
endpoint if needed.

In `@cmd/tail.go`:
- Around line 120-132: The tailAuthMetadata helper is missing bearer-token
handling and currently falls back to Basic auth for token-only profiles. Update
tailAuthMetadata to mirror the same auth precedence used by AddAuthHeaders:
handle profile.Token before the Basic fallback, returning an Authorization
header with Bearer <token> when a token is present, while keeping the existing
cloud x-api-key and tenant behavior unchanged.

In `@pkg/config/config.go`:
- Line 101: The config write path in the file-opening logic does not harden
permissions for already-existing files, so broader modes can persist after
writing sensitive values like api_key. Update the config save flow around
os.OpenFile in the config write function to explicitly set restrictive
permissions on the opened file after it is created/opened, using
file.Chmod(0600) or equivalent, so both new and existing config files end up
with 0600.

---

Nitpick comments:
In `@cmd/login.go`:
- Around line 60-77: The cloud-profile construction logic is duplicated between
cloudProfileFromAPIKey and CloudProfileAddCmd.RunE, so extract the shared
mapping into a single helper such as profileFromValidation that accepts the
apiKey, orchestratorURL, and validation result and returns the config.Profile.
Update both call sites to use that helper so the field assignments stay
consistent in one place.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 19834b75-b4c7-47e5-8e5b-cdc99993cf39

📥 Commits

Reviewing files that changed from the base of the PR and between e9d8b1e and fcb4795.

📒 Files selected for processing (13)

• cmd/cloud.go
• cmd/login.go
• cmd/promql.go
• cmd/queryList.go
• cmd/tail.go
• main.go
• pkg/config/config.go
• pkg/datasets/datasets.go
• pkg/http/http.go
• pkg/model/login/login.go
• pkg/model/promql.go
• pkg/model/query.go
• pkg/model/savedQueries.go