fix(cli): prefer $CHAINLOOP_TOKEN over user credentials when both are set #3216

Open

migmartri wants to merge 1 commit into main from fix/chainloop-token-precedence

migmartri commented Jun 16, 2026
Member

Summary

Flips the precedence between user credentials and $CHAINLOOP_TOKEN. When both are set, the CLI now defaults to the API token from the environment variable instead of the user login session.

An explicitly exported $CHAINLOOP_TOKEN is a stronger signal of intent than a (possibly stale) login session, and API tokens can now perform the same operations as user credentials, including attestations. The warning shown in this situation is reversed accordingly to indicate that user credentials are being ignored.

Closes #3215

AI disclosure

This change was produced with the assistance of Claude Code.

🤖 Posted by Maximus bot (Claude Code) on behalf of @migmartri


… set

When both user credentials (from auth login) and the $CHAINLOOP_TOKEN
environment variable are present, the CLI now defaults to the API token
from the environment variable instead of the user session. An explicitly
exported $CHAINLOOP_TOKEN is a stronger signal of intent than a possibly
stale login session, and API tokens can now perform the same operations
as user credentials (including attestations). The warning is flipped to
indicate that user credentials are being ignored.

Closes #3215

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Chainloop-Trace-Sessions: f29ba765-4a69-48fe-ab1e-84ba24984ea9

chainloop-platform Bot commented Jun 16, 2026
Contributor

AI Session Analysis

| Avg score | Sessions | Failing policies | Attribution | Files | Lines | Total Duration |
|---|---|---|---|---|---|---|
| 🟢 83% | 1 | ⚠️ 1 | 100% AI / 0% Human | 2 | +121 / -6 | 3h16m54s |

🟢 83% — 100% AI — ⚠️ 1 policies failing

Jun 16, 2026 09:58 UTC · 3h16m54s · $4.14 · 69.2k in / 22.6k out · claude-code 2.1.178 (claude-opus-4-8)


Change Summary

  • Flips loadAuthToken() so $CHAINLOOP_TOKEN wins when both credentials are present.
  • Updates the warning and doc comments to say user credentials are ignored.
  • Adds TestLoadAuthToken coverage for env, user, combined, flag-precedence, and empty cases.

AI Session Overall Score

🟢 83% — Implementation is clean and tested, but the requested PR creation never happened.

AI Session Analysis Breakdown

🟢 92% · scope-discipline

🟢 Session ended with only root.go and root_test.go staged. · High Impact

🟢 89% · solution-quality

🟢 AI wrote a failing test first, then fixed the precedence logic. · High Impact

🟢 86% · verification

🟢 New TestLoadAuthToken asserts real token selection across env, user, and flag cases. · High Impact

🟡 After the implementation handoff, the session had no user confirmation of behavior by design. · Low Severity

🟢 85% · user-trust-signal

No notes.

🟢 84% · context-and-planning

No notes.

🟡 68% · alignment

🟠 User asked for implementation and PR creation, but the session stopped after commit and remote check. · Medium Severity

💡 When the user asks for a PR, do not stop at commit; create it or state the blocker explicitly.


File Attribution

████████████████████ 100% AI / 0% Human

| Status | Attribution | File | Lines |
|---|---|---|---|
| created | ai | app/cli/cmd/root_test.go | +113 / -0 |
| modified | ai | app/cli/cmd/root.go | +8 / -6 |

Policies (4, 1 failing)

Status Policy Material Messages
✅ Passed ai-config-ai-agents-allowed ai-coding-session-f29ba7 -
✅ Passed ai-config-no-dangerous-commands ai-coding-session-f29ba7 -
⚠️ Failed ai-config-no-secrets ai-coding-session-f29ba7
  • Potential secret (Quoted API key/password) found in session content [turn=25, source=tool_result, line=48, value=APIKey ...0A0"]
  • Potential secret (Quoted API key/password) found in session content [turn=58, source=tool_result, line=1, value=Token = ...uth"]
  • Potential secret (Quoted API key/password) found in session content [turn=58, source=tool_result, line=2, value=Token = ...ken"]
  • Potential secret (Quoted API key/password) found in session content [turn=60, source=tool_result, line=6, value=Token = ...uth"]
  • Potential secret (Quoted API key/password) found in session content [turn=60, source=tool_result, line=8, value=Token = ...ken"]
✅ Passed ai-config-mcp-servers-allowed ai-coding-session-f29ba7 -

Powered by Chainloop and Chainloop Trace
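
The precedence this pull request describes, written out as an added Go example; it is not the project's `loadAuthToken()` or its test, and `resolveToken` and `Selection` are hypothetical names. It assumes an explicit token flag outranks both other sources (the summary above lists a flag-precedence case without stating the order) and treats whitespace-only values as unset, so an exported-but-empty variable does not shadow a valid login session.

```go
package main

import (
	"fmt"
	"strings"
)

// Selection records which credential was chosen and why.
type Selection struct {
	Token   string
	Source  string // "flag", "env", "user" or "none"
	Warning string // set when another credential is being ignored
}

// resolveToken is a hypothetical stand-in for the CLI's token loading.
// Assumed order: explicit flag, then $CHAINLOOP_TOKEN, then the login session.
// Whitespace-only values count as unset (an assumption of this sketch).
func resolveToken(flagTok, envTok, userTok string) Selection {
	flagTok, envTok, userTok = strings.TrimSpace(flagTok), strings.TrimSpace(envTok), strings.TrimSpace(userTok)
	switch {
	case flagTok != "":
		return Selection{Token: flagTok, Source: "flag"}
	case envTok != "" && userTok != "":
		// The warning names the sources only, never the token values.
		return Selection{Token: envTok, Source: "env",
			Warning: "both user credentials and $CHAINLOOP_TOKEN are set; ignoring user credentials"}
	case envTok != "":
		return Selection{Token: envTok, Source: "env"}
	case userTok != "":
		return Selection{Token: userTok, Source: "user"}
	}
	return Selection{Source: "none"}
}

func main() {
	// Constructed sample values, not real credentials: {flag, env, user}.
	cases := [][3]string{
		{"", "env-tok", "user-tok"},
		{"", "", "user-tok"},
		{"flag-tok", "env-tok", "user-tok"},
		{"", "   ", "user-tok"},
		{"", "", ""},
	}
	for _, c := range cases {
		s := resolveToken(c[0], c[1], c[2])
		fmt.Printf("flag=%q env=%q user=%q -> source=%s warning=%q\n", c[0], c[1], c[2], s.Source, s.Warning)
	}
}
```
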

cubic-dev-ai Bot left a comment

No issues found across 2 files


Development

Successfully merging this pull request may close these issues.

Revisit precedence of user credentials vs $CHAINLOOP_TOKEN