chore(auth): remove sf provar auth set-key command

No AWS route backs this command and keys can only be obtained via
sf provar auth login. set-key was clutter in --help.

Removed: src command, messages file, unit tests, NUT file.
Updated: status.ts, testCaseValidate.ts, README, mcp.md,
mcp-pilot-guide.md all point to sf provar auth login instead.
clear/status NUTs now seed credentials.json directly rather than
depending on set-key as a test fixture.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: mrdailey99

README.md

@@ -60,7 +60,6 @@ When `NODE_ENV=test` the validation step is skipped entirely. This is intended o
 # Commands
 
 - [`sf provar auth login`](#sf-provar-auth-login)
-- [`sf provar auth set-key`](#sf-provar-auth-set-key)
 - [`sf provar auth status`](#sf-provar-auth-status)
 - [`sf provar auth clear`](#sf-provar-auth-clear)
 - [`sf provar mcp start`](#sf-provar-mcp-start)
@@ -121,28 +120,6 @@ EXAMPLES
     $ sf provar auth login --url https://dev.api.example.com
 ```
 
-## `sf provar auth set-key`
-
-Store a Provar Quality Hub API key manually.
-
-```
-USAGE
-  $ sf provar auth set-key --key <value>
-
-FLAGS
-  --key=<value>  (required) API key to store. Must start with pv_k_.
-
-DESCRIPTION
-  Stores a pv_k_ API key in ~/.provar/credentials.json. Use this if you obtained
-  your key from https://success.provartesting.com rather than via browser login.
-  For CI/CD pipelines, set the PROVAR_API_KEY environment variable instead.
-
-EXAMPLES
-  Store an API key:
-
-    $ sf provar auth set-key --key pv_k_your_key_here
-```
-
 ## `sf provar auth status`
 
 Show the current API key configuration and validate it against Quality Hub.

docs/mcp-pilot-guide.md

@@ -346,7 +346,7 @@ The MCP server uses **stdio transport** exclusively. Communication travels over
 
 **Salesforce org credentials** — the Quality Hub and Automation tools invoke `sf` subprocesses. Salesforce org credentials are managed entirely by the Salesforce CLI and stored in its own credential store (`~/.sf/`). The Provar MCP server never reads, parses, or transmits those credentials.
 
-**Provar API key** — the `provar.testcase.validate` tool optionally reads a `pv_k_` API key to enable Quality Hub API validation. The key is stored at `~/.provar/credentials.json` (written by `sf provar auth login` or `sf provar auth set-key`) or read from the `PROVAR_API_KEY` environment variable. The key is sent to the Provar Quality Hub API only when a validation request is made — it is never logged or written anywhere other than `~/.provar/credentials.json`.
+**Provar API key** — the `provar.testcase.validate` tool optionally reads a `pv_k_` API key to enable Quality Hub API validation. The key is stored at `~/.provar/credentials.json` (written by `sf provar auth login`) or read from the `PROVAR_API_KEY` environment variable. The key is sent to the Provar Quality Hub API only when a validation request is made — it is never logged or written anywhere other than `~/.provar/credentials.json`.
 
 ### Path policy enforcement
 

docs/mcp.md

@@ -167,11 +167,6 @@ sf provar auth login
 ```
 Opens a browser to the Provar login page. After you authenticate, the key is stored automatically at `~/.provar/credentials.json`.
 
-**Manual key entry:**
-```sh
-sf provar auth set-key --key pv_k_your_key_here
-```
-
 **Check current status:**
 ```sh
 sf provar auth status

messages/sf.provar.auth.set-key.md

@@ -78,9 +78,7 @@ export default class SfProvarAuthStatus extends SfCommand<void> {
     this.log('No API key configured.');
     this.log('');
     this.log('To enable Quality Hub validation (170 rules):');
-    this.log('  1. Run: sf provar auth login');
-    this.log('     Or get your key from https://success.provartesting.com and run:');
-    this.log('     sf provar auth set-key --key <your-key>');
+    this.log('  Run: sf provar auth login');
     this.log('');
     this.log('For CI/CD: set the PROVAR_API_KEY environment variable.');
     this.log('');

src/commands/provar/auth/set-key.ts

@@ -26,13 +26,12 @@ import { runBestPractices } from './bestPracticesEngine.js';
 
 const ONBOARDING_MESSAGE =
   'Quality Hub validation unavailable — running local validation only (structural rules, no quality scoring).\n' +
-  'To enable Quality Hub (170 rules): visit https://success.provartesting.com, copy your API key, then run:\n' +
-  '  sf provar auth set-key --key <your-key>\n' +
+  'To enable Quality Hub (170 rules): run sf provar auth login\n' +
   'For CI/CD: set the PROVAR_API_KEY environment variable.';
 
 const AUTH_WARNING =
   'Quality Hub API key is invalid or expired. Running local validation only.\n' +
-  'To update your key: sf provar auth set-key --key <your-key>';
+  'Run sf provar auth login to get a new key.';
 
 const RATE_LIMIT_WARNING = 'Quality Hub API rate limit reached. Running local validation only. Try again shortly.';
 
@@ -43,7 +42,7 @@ const UNREACHABLE_WARNING =
 export function registerTestCaseValidate(server: McpServer, config: ServerConfig): void {
   server.tool(
     'provar.testcase.validate',
-    'Validate a Provar XML test case for structural correctness and quality. Checks XML declaration, root element, required attributes (guid UUID v4, testItemId integer), <steps> presence, and applies best-practice rules. When a Provar API key is configured (sf provar auth set-key), calls the Quality Hub API for full 170-rule scoring. Falls back to local validation if no key is set or the API is unavailable. Returns validity_score (schema compliance), quality_score (best practices, 0–100), and validation_source indicating which ruleset was applied.',
+    'Validate a Provar XML test case for structural correctness and quality. Checks XML declaration, root element, required attributes (guid UUID v4, testItemId integer), <steps> presence, and applies best-practice rules. When a Provar API key is configured (via sf provar auth login or PROVAR_API_KEY env var), calls the Quality Hub API for full 170-rule scoring. Falls back to local validation if no key is set or the API is unavailable. Returns validity_score (schema compliance), quality_score (best practices, 0–100), and validation_source indicating which ruleset was applied.',
     {
       content: z.string().optional().describe('XML content to validate directly (alias: xml)'),
       xml: z.string().optional().describe('XML content to validate — API-compatible alias for content'),

src/commands/provar/auth/status.ts

@@ -14,6 +14,15 @@ import { SfProvarCommandResult } from '@provartesting/provardx-plugins-utils';
 
 const CREDS_PATH = path.join(os.homedir(), '.provar', 'credentials.json');
 
+function seedCredentials(): void {
+  fs.mkdirSync(path.dirname(CREDS_PATH), { recursive: true });
+  fs.writeFileSync(
+    CREDS_PATH,
+    JSON.stringify({ api_key: 'pv_k_cleartest123456', prefix: 'pv_k_clearte', set_at: new Date().toISOString(), source: 'manual' }),
+    'utf-8'
+  );
+}
+
 describe('sf provar auth clear NUTs', () => {
   let credentialsBackup: string | null = null;
 
@@ -40,7 +49,7 @@ describe('sf provar auth clear NUTs', () => {
   });
 
   it('removes the credentials file and reports success', () => {
-    execCmd<SfProvarCommandResult>('provar auth set-key --key pv_k_cleartest123456');
+    seedCredentials();
     expect(fs.existsSync(CREDS_PATH)).to.equal(true);
 
     const output = execCmd<SfProvarCommandResult>('provar auth clear').shellOutput;
@@ -50,15 +59,15 @@ describe('sf provar auth clear NUTs', () => {
   });
 
   it('is idempotent — clearing twice does not throw', () => {
-    execCmd<SfProvarCommandResult>('provar auth set-key --key pv_k_cleartest123456');
+    seedCredentials();
     execCmd<SfProvarCommandResult>('provar auth clear');
     const output = execCmd<SfProvarCommandResult>('provar auth clear').shellOutput;
     expect(output.stderr).to.equal('');
     expect(output.stdout).to.include('API key cleared');
   });
 
   it('status shows no key after clear', () => {
-    execCmd<SfProvarCommandResult>('provar auth set-key --key pv_k_cleartest123456');
+    seedCredentials();
     execCmd<SfProvarCommandResult>('provar auth clear');
     const output = execCmd<SfProvarCommandResult>('provar auth status').shellOutput;
     expect(output.stdout).to.include('No API key configured');

src/mcp/tools/testCaseValidate.ts

@@ -55,8 +55,13 @@ describe('sf provar auth status NUTs', () => {
     expect(output.stdout).to.include('local only');
   });
 
-  it('reports key source as credentials file when set via set-key', () => {
-    execCmd<SfProvarCommandResult>('provar auth set-key --key pv_k_statustest12345');
+  it('reports key source as credentials file when credentials file exists', () => {
+    fs.mkdirSync(path.dirname(CREDS_PATH), { recursive: true });
+    fs.writeFileSync(
+      CREDS_PATH,
+      JSON.stringify({ api_key: 'pv_k_statustest12345', prefix: 'pv_k_statust', set_at: new Date().toISOString(), source: 'manual' }),
+      'utf-8'
+    );
     const output = execCmd<SfProvarCommandResult>('provar auth status').shellOutput;
     expect(output.stderr).to.equal('');
     expect(output.stdout).to.include('API key configured');