@aexol/opencode-wizard 0.1.11 → 0.1.14

package/README.md

@@ -45,7 +45,7 @@ Use `skills.urls` only for public registries that are intentionally cacheable by
 
 ## Catalog discovery and auth bootstrap
 
-On chat/system-context startup, the plugin attempts to load the catalog automatically with the stored plugin session at `plugin/opencode-wizard/.generated/auth-state.json`. If no valid plugin session exists, startup stays passive and reports that interactive fetch will bootstrap browser login when needed; it does not open the browser from system context.
+On chat/system-context startup, the plugin attempts to load the catalog automatically with the stored plugin auth at `~/.config/opencode/opencode-wizard.json` (`auth` field). If no valid plugin session exists, startup stays passive and reports that interactive fetch will bootstrap browser login when needed; it does not open the browser from system context.
 
 Call `opencode_wizard_published_skills_fetch` without `skill` or `skills` to manually bootstrap plugin login if needed and return catalog-only discovery output for the current directory scope.
 

package/dist/server.d.ts

@@ -25,7 +25,7 @@ export type PublishedSkillCatalogPayload = {
         repositoryUrl?: string | null;
         defaultBranch?: string | null;
         status: string;
-    };
+    } | null;
     directoryPath: string;
     skills: PublishedSkillCatalogItem[];
 };
@@ -226,6 +226,11 @@ export declare const resolvePluginStatusSnapshot: ({ worktree, directory, signal
     directory: string;
     signal: AbortSignal;
 }) => Promise<PluginStatusSnapshot>;
+export declare const resolvePluginStatusSnapshotWithAuthBootstrap: ({ worktree, directory, signal, }: {
+    worktree: string;
+    directory: string;
+    signal: AbortSignal;
+}) => Promise<PluginStatusSnapshot>;
 declare const _default: {
     id: string;
     server: OpencodePluginServer;

package/dist/server.js

@@ -1,5 +1,6 @@
 import fs from 'node:fs/promises';
 import http from 'node:http';
+import os from 'node:os';
 import path from 'node:path';
 import crypto from 'node:crypto';
 import { execFile } from 'node:child_process';
@@ -11,7 +12,8 @@ const PACKAGE_ROOT_PATH = path.resolve(path.dirname(MODULE_FILE_PATH), '..');
 export const PLUGIN_ID = 'opencode-wizard';
 const CACHE_TTL_MS = 30_000;
 const ROOT_SKILL_SEED_PATH = '.opencode/skills';
-const AUTH_STATE_PATH = 'plugin/opencode-wizard/.generated/auth-state.json';
+const GLOBAL_CONFIG_PATH = path.join(os.homedir(), '.config', 'opencode', 'opencode-wizard.json');
+const LEGACY_AUTH_STATE_PATH = 'plugin/opencode-wizard/.generated/auth-state.json';
 const PUBLISHED_BACKEND_ORIGIN = 'https://opencode-wizard.aexol.work';
 const OIDC_ISSUER = 'https://login.microsoftonline.com/86f4caf4-0d6f-4682-9a06-ea57f3e4e76c/v2.0';
 const OIDC_CLIENT_ID = 'da963901-2375-442b-9e99-14e59f43eda2';
@@ -43,6 +45,13 @@ const createIdleLoginBootstrapSnapshot = () => ({
   email: null,
   message: null
 });
+const STATUS_PATH_LOGIN_RETRY_COOLDOWN_MS = 60_000;
+const statusPathLoginBootstrap = {
+  promise: null,
+  status: 'idle',
+  message: null,
+  failedAt: null
+};
 const importOpencodePluginModule = new Function('specifier', 'return import(specifier)');
 export const AVAILABLE_PUBLISHED_SKILL_TOOLS = ['opencode_wizard_published_skills_fetch', 'opencode_wizard_status'];
 export const NATIVE_SKILLS_URL_COMPATIBILITY = {
@@ -201,7 +210,7 @@ export const resolveConfig = async worktree => {
     actionsUrl: `${backendOrigin}/api/opencode-plugin/actions`,
     fallbackWorkspaceSlug: resolveFallbackWorkspaceSlug(worktree),
     rootSkillSeedPath: ROOT_SKILL_SEED_PATH,
-    authStatePath: AUTH_STATE_PATH
+    authStatePath: GLOBAL_CONFIG_PATH
   };
 };
 const normalizeAbsolutePath = value => path.resolve(value);
@@ -325,15 +334,45 @@ const isAuthState = value => {
   if (!isRecord(value)) return false;
   return value.pluginId === PLUGIN_ID && typeof value.sessionToken === 'string' && isValidIsoDateString(value.expiresAt) && isValidIsoDateString(value.authenticatedAt) && typeof value.userId === 'string' && typeof value.email === 'string';
 };
-const readAuthState = async authStateFile => {
+const readGlobalConfig = async configFile => {
+  const storedConfig = await readJsonFile(configFile);
+  if (isRecord(storedConfig)) return storedConfig;
+  return {};
+};
+const writeGlobalConfig = async (configFile, config) => {
+  await writeJsonFile(configFile, config);
+};
+const readGlobalAuthState = async configFile => {
+  const storedConfig = await readGlobalConfig(configFile);
+  const storedAuthState = storedConfig.auth;
+  if (storedAuthState === undefined || storedAuthState === null) return null;
+  if (isAuthState(storedAuthState)) return storedAuthState;
+  await writeGlobalConfig(configFile, {
+    ...storedConfig,
+    auth: null
+  });
+  return null;
+};
+const readLegacyAuthState = async authStateFile => {
   const storedAuthState = await readJsonFile(authStateFile);
   if (storedAuthState === null) return null;
   if (isAuthState(storedAuthState)) return storedAuthState;
   await deleteFileIfExists(authStateFile);
   return null;
 };
-const writeAuthState = async (authStateFile, authState) => {
-  await writeJsonFile(authStateFile, authState);
+const writeAuthState = async (configFile, authState) => {
+  const storedConfig = await readGlobalConfig(configFile);
+  await writeGlobalConfig(configFile, {
+    ...storedConfig,
+    auth: authState
+  });
+};
+const clearAuthState = async configFile => {
+  const storedConfig = await readGlobalConfig(configFile);
+  await writeGlobalConfig(configFile, {
+    ...storedConfig,
+    auth: null
+  });
 };
 const toAuthState = session => ({
   pluginId: PLUGIN_ID,
@@ -344,16 +383,24 @@ const toAuthState = session => ({
   email: session.user.email
 });
 const resolveStoredAuthState = async (worktree, config) => {
-  const authStateFile = path.resolve(worktree, config.authStatePath);
-  const authState = await readAuthState(authStateFile);
-  if (!authState) {
+  const authState = await readGlobalAuthState(config.authStatePath);
+  if (authState && Date.parse(authState.expiresAt) > Date.now()) {
+    return authState;
+  }
+  if (authState) {
+    await clearAuthState(config.authStatePath);
     return null;
   }
-  if (Date.parse(authState.expiresAt) > Date.now()) {
-    return authState;
+  const legacyAuthStateFile = path.resolve(worktree, LEGACY_AUTH_STATE_PATH);
+  const legacyAuthState = await readLegacyAuthState(legacyAuthStateFile);
+  if (!legacyAuthState) return null;
+  if (Date.parse(legacyAuthState.expiresAt) <= Date.now()) {
+    await deleteFileIfExists(legacyAuthStateFile);
+    return null;
   }
-  await deleteFileIfExists(authStateFile);
-  return null;
+  await writeAuthState(config.authStatePath, legacyAuthState);
+  await deleteFileIfExists(legacyAuthStateFile);
+  return legacyAuthState;
 };
 export const buildSkillMarkdown = item => {
   const artifactBody = item.publishedArtifact.markdownBody.trim();
@@ -480,6 +527,10 @@ export const toPublishedSkillCatalog = payload => ({
   facets: getPublishedSkillFacets(payload.skills),
   skills: payload.skills.map(toPublishedSkillSummary)
 });
+const getWorkspaceUnavailableMessage = payload => {
+  if (payload.workspace) return null;
+  return 'Workspace-specific skills are unavailable because the workspace was not found; global skills are still loaded.';
+};
 const normalizeSkillIdentifier = value => value.trim().toLowerCase();
 const parseSkillIdentifiers = value => {
   const seen = new Set();
@@ -561,7 +612,7 @@ const buildSystemNote = (result, config, details) => {
   const projectSkills = catalog.skills.filter(skill => skill.contextKind === 'project').slice(0, 5).map(buildSkillCatalogLine);
   const detailLines = details.slice(0, SYSTEM_NOTE_DETAIL_LIMIT).map(buildSkillDetailSnippetLine);
   const detailBlock = detailLines.length > 0 ? ` Loaded body snippets (capped):\n${truncateText(detailLines.join('\n'), SYSTEM_NOTE_DETAIL_CHAR_LIMIT)}` : '';
-  return [`opencode-wizard published skills are available from backend runtime delivery for workspace ${result.fetchResult.payload.workspace.slug}.`, `Current directory: ${result.directoryPath}.`, `Published skills for this scope: ${renderedSkillNames}${renderedCountSuffix}; counts: ${catalog.assignmentCounts.global} global, ${catalog.assignmentCounts.project} project, ${catalog.assignmentCounts.other} other.`, 'Catalog lines use short whenToUse guidance when available; fetch the full skill only when that guidance matches the task.', 'GLOBAL_CONTEXT skills are active context skills and are not project-installable; PROJECT_INSTALLABLE skills can be assigned globally or to project/workspace scopes; assignment rows decide which skills are active here.', globalSkills.length > 0 ? `Global context skills:\n${globalSkills.join('\n')}` : 'Global context skills: none.', projectSkills.length > 0 ? `Project-scoped active skills:\n${projectSkills.join('\n')}` : 'Project-scoped active skills: none.', detailBlock, 'Use opencode_wizard_published_skills_fetch for one or multiple skills.', `Root source seed path remains non-runtime input only: ${config.rootSkillSeedPath}/**.`].filter(line => line.length > 0).join(' ');
+  return [result.fetchResult.payload.workspace ? `opencode-wizard published skills are available from backend runtime delivery for workspace ${result.fetchResult.payload.workspace.slug}.` : 'opencode-wizard published global skills are available from backend runtime delivery; workspace-specific skills are unavailable because the workspace was not found.', `Current directory: ${result.directoryPath}.`, `Published skills for this scope: ${renderedSkillNames}${renderedCountSuffix}; counts: ${catalog.assignmentCounts.global} global, ${catalog.assignmentCounts.project} project, ${catalog.assignmentCounts.other} other.`, 'Catalog lines use short whenToUse guidance when available; fetch the full skill only when that guidance matches the task.', 'GLOBAL_CONTEXT skills are active context skills and are not project-installable; PROJECT_INSTALLABLE skills can be assigned globally or to project/workspace scopes; assignment rows decide which skills are active here.', globalSkills.length > 0 ? `Global context skills:\n${globalSkills.join('\n')}` : 'Global context skills: none.', projectSkills.length > 0 ? `Project-scoped active skills:\n${projectSkills.join('\n')}` : 'Project-scoped active skills: none.', detailBlock, 'Use opencode_wizard_published_skills_fetch for one or multiple skills.', `Root source seed path remains non-runtime input only: ${config.rootSkillSeedPath}/**.`].filter(line => line.length > 0).join(' ');
 };
 const toWorkspaceResolutionOutput = resolution => ({
   requestedDirectory: resolution.requestedDirectory,
@@ -619,7 +670,8 @@ const formatStatusOutput = async (worktree, config, publishedSkillsResult, login
   }
   return JSON.stringify({
     ...base,
-    ...toPublishedSkillCatalog(publishedSkillsResult.fetchResult.payload)
+    ...toPublishedSkillCatalog(publishedSkillsResult.fetchResult.payload),
+    message: getWorkspaceUnavailableMessage(publishedSkillsResult.fetchResult.payload)
   }, null, 2);
 };
 export const toPluginAuthStateSummary = authState => {
@@ -668,10 +720,80 @@ export const resolvePluginStatusSnapshot = async ({
     fetchedAt: fetchResult.fetchedAt,
     source: fetchResult.source,
     availableTools: AVAILABLE_PUBLISHED_SKILL_TOOLS,
-    message: fetchResult.ok ? null : fetchResult.message,
+    message: fetchResult.ok ? getWorkspaceUnavailableMessage(fetchResult.payload) : fetchResult.message,
     catalog: fetchResult.ok ? toPublishedSkillCatalog(fetchResult.payload) : null
   };
 };
+const withStatusMessage = (snapshot, message) => ({
+  ...snapshot,
+  message
+});
+const startStatusPathLoginBootstrap = (worktree, config) => {
+  if (statusPathLoginBootstrap.promise) return;
+  if (statusPathLoginBootstrap.status === 'failed' && statusPathLoginBootstrap.failedAt && Date.now() - statusPathLoginBootstrap.failedAt < STATUS_PATH_LOGIN_RETRY_COOLDOWN_MS) {
+    return;
+  }
+  statusPathLoginBootstrap.status = 'pending';
+  statusPathLoginBootstrap.message = 'Browser login started automatically from the TUI/status path.';
+  statusPathLoginBootstrap.failedAt = null;
+  statusPathLoginBootstrap.promise = (async () => {
+    const loginSignal = AbortSignal.timeout(LOGIN_TIMEOUT_MS);
+    const loginStart = await startLoginFlow(loginSignal);
+    const browserOpenError = await openBrowser(loginStart.browserUrl);
+    if (browserOpenError) {
+      statusPathLoginBootstrap.message = `Automatic browser open failed. Open ${loginStart.browserUrl} manually.`;
+    }
+    try {
+      const callbackPayload = await loginStart.callbackPromise;
+      if (callbackPayload.status === 'error') {
+        throw new Error(callbackPayload.message);
+      }
+      if (callbackPayload.state !== loginStart.expectedState) {
+        throw new Error('OAuth callback state did not match the original login request.');
+      }
+      const pluginSession = await createPluginSession({
+        code: callbackPayload.code,
+        codeVerifier: loginStart.codeVerifier,
+        redirectUri: OIDC_CALLBACK_URL,
+        config,
+        signal: loginSignal
+      });
+      const authState = toAuthState(pluginSession);
+      await writeAuthState(config.authStatePath, authState);
+      statusPathLoginBootstrap.status = 'authenticated';
+      statusPathLoginBootstrap.message = `Browser login completed successfully for ${authState.email}.`;
+      return authState;
+    } finally {
+      await loginStart.closeCallbackServer().catch(() => undefined);
+    }
+  })().catch(error => {
+    statusPathLoginBootstrap.status = 'failed';
+    statusPathLoginBootstrap.failedAt = Date.now();
+    statusPathLoginBootstrap.message = error instanceof Error ? error.message : 'Browser login failed.';
+    throw error;
+  }).finally(() => {
+    statusPathLoginBootstrap.promise = null;
+  });
+  statusPathLoginBootstrap.promise.catch(() => undefined);
+};
+export const resolvePluginStatusSnapshotWithAuthBootstrap = async ({
+  worktree,
+  directory,
+  signal
+}) => {
+  const snapshot = await resolvePluginStatusSnapshot({
+    worktree,
+    directory,
+    signal
+  });
+  if (snapshot.status !== 'missing_auth') return snapshot;
+  const config = await resolveConfig(worktree);
+  startStatusPathLoginBootstrap(worktree, config);
+  if (statusPathLoginBootstrap.message) {
+    return withStatusMessage(snapshot, statusPathLoginBootstrap.message);
+  }
+  return withStatusMessage(snapshot, 'Browser login is pending from the TUI/status path.');
+};
 const toPluginStatusMetadata = snapshot => ({
   backendOrigin: snapshot.backendOrigin,
   graphqlUrl: snapshot.graphqlUrl,
@@ -714,12 +836,204 @@ const fetchOidcDiscoveryDocument = async signal => {
   }
   return await response.json();
 };
+const isCallbackPortInUseError = error => {
+  if (!error || typeof error !== 'object') return false;
+  if (!('code' in error)) return false;
+  return error.code === 'EADDRINUSE';
+};
+const toCallbackServerStartError = error => {
+  if (!isCallbackPortInUseError(error)) {
+    return error instanceof Error ? error : new Error('Failed to start local OAuth callback server.');
+  }
+  return new Error('OAuth login cannot start because localhost:24953 is already in use. Another OpenCode login is likely in progress; finish it or close the other instance, then retry.');
+};
+const escapeHtml = value => {
+  return value.replace(/[&<>'"]/g, character => {
+    const replacements = {
+      '&': '&amp;',
+      '<': '&lt;',
+      '>': '&gt;',
+      "'": '&#39;',
+      '"': '&quot;'
+    };
+    return replacements[character] ?? character;
+  });
+};
 const sendHtmlResponse = (response, statusCode, title, message) => {
+  const escapedTitle = escapeHtml(title);
+  const escapedMessage = escapeHtml(message);
+  const isSuccess = statusCode >= 200 && statusCode < 300;
+  const pageState = isSuccess ? 'success' : statusCode === 404 ? 'not-found' : 'error';
+  const cardTitle = isSuccess ? 'Authorization successful' : statusCode === 404 ? 'Callback not found' : 'Authorization failed';
+  const escapedCardTitle = escapeHtml(cardTitle);
+  const eyebrow = isSuccess ? 'Authorization complete' : statusCode === 404 ? 'Callback route not found' : 'Authorization needs attention';
+  const actionText = isSuccess ? 'This window will close automatically in a moment. You can also close it now and return to OpenCode.' : 'You can close this window and return to OpenCode to try again.';
+  const autoCloseScript = isSuccess ? `<script>
+      window.setTimeout(() => window.close(), 2000);
+    </script>` : '';
+  const stateIcon = isSuccess ? '<path d="M7 12.5l3.1 3.1L17.5 8" stroke="currentColor" stroke-width="2.4" stroke-linecap="round" stroke-linejoin="round"/>' : statusCode === 404 ? '<path d="M10.5 17a6.5 6.5 0 1 0 0-13 6.5 6.5 0 0 0 0 13Z" stroke="currentColor" stroke-width="2.2"/><path d="m15.5 15.5 4 4" stroke="currentColor" stroke-width="2.2" stroke-linecap="round"/>' : '<path d="M12 7v6" stroke="currentColor" stroke-width="2.4" stroke-linecap="round"/><path d="M12 17.2v.1" stroke="currentColor" stroke-width="3.2" stroke-linecap="round"/>';
   response.writeHead(statusCode, {
     'content-type': 'text/html; charset=utf-8',
     'cache-control': 'no-store'
   });
-  response.end(`<!doctype html><html><head><meta charset="utf-8"><title>${title}</title></head><body><h1>${title}</h1><p>${message}</p><p>You can close this window and return to OpenCode.</p></body></html>`);
+  response.end(`<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta name="color-scheme" content="light dark">
+    <title>${escapedTitle}</title>
+    <style>
+      :root {
+        color-scheme: light dark;
+        --page-bg: #f2efe7;
+        --page-ink: #211d18;
+        --muted: #6c6258;
+        --panel: rgba(255, 252, 245, 0.82);
+        --panel-border: rgba(78, 66, 52, 0.16);
+        --success: #167848;
+        --error: #ba3329;
+        --not-found: #986614;
+        --glow: rgba(22, 120, 72, 0.18);
+      }
+
+      @media (prefers-color-scheme: dark) {
+        :root {
+          --page-bg: #12100d;
+          --page-ink: #f7efe2;
+          --muted: #b8aa98;
+          --panel: rgba(30, 26, 22, 0.78);
+          --panel-border: rgba(255, 244, 224, 0.14);
+          --success: #71e0a6;
+          --error: #ff897e;
+          --not-found: #f7c96f;
+          --glow: rgba(113, 224, 166, 0.2);
+        }
+      }
+
+      * {
+        box-sizing: border-box;
+      }
+
+      body {
+        min-height: 100vh;
+        margin: 0;
+        display: grid;
+        place-items: center;
+        padding: 24px;
+        overflow: hidden;
+        background:
+          radial-gradient(circle at 18% 18%, var(--glow), transparent 34rem),
+          radial-gradient(circle at 82% 12%, rgba(209, 142, 72, 0.18), transparent 30rem),
+          linear-gradient(135deg, var(--page-bg), color-mix(in srgb, var(--page-bg) 76%, #000 24%));
+        color: var(--page-ink);
+        font-family: ui-rounded, "SF Pro Rounded", "Segoe UI", system-ui, sans-serif;
+      }
+
+      body::before {
+        content: "";
+        position: fixed;
+        inset: -20%;
+        pointer-events: none;
+        background-image:
+          linear-gradient(rgba(128, 104, 74, 0.08) 1px, transparent 1px),
+          linear-gradient(90deg, rgba(128, 104, 74, 0.08) 1px, transparent 1px);
+        background-size: 42px 42px;
+        mask-image: radial-gradient(circle at center, black, transparent 68%);
+      }
+
+      main {
+        position: relative;
+        width: min(100%, 560px);
+        padding: clamp(28px, 7vw, 56px);
+        border: 1px solid var(--panel-border);
+        border-radius: 32px;
+        background: var(--panel);
+        box-shadow: 0 24px 90px rgba(0, 0, 0, 0.24);
+        text-align: center;
+        backdrop-filter: blur(18px) saturate(1.2);
+      }
+
+      .mark {
+        width: 72px;
+        height: 72px;
+        margin: 0 auto 24px;
+        display: grid;
+        place-items: center;
+        border-radius: 24px;
+        color: var(--state-color);
+        background: color-mix(in srgb, var(--state-color) 16%, transparent);
+        box-shadow: inset 0 0 0 1px color-mix(in srgb, var(--state-color) 28%, transparent);
+      }
+
+      [data-state="success"] { --state-color: var(--success); }
+      [data-state="error"] { --state-color: var(--error); }
+      [data-state="not-found"] { --state-color: var(--not-found); }
+
+      .eyebrow {
+        margin: 0 0 10px;
+        color: var(--state-color);
+        font-size: 0.78rem;
+        font-weight: 800;
+        letter-spacing: 0.14em;
+        text-transform: uppercase;
+      }
+
+      h1 {
+        margin: 0;
+        font-size: clamp(2rem, 7vw, 3.35rem);
+        line-height: 0.95;
+        letter-spacing: -0.06em;
+      }
+
+      .message {
+        margin: 22px auto 0;
+        max-width: 38rem;
+        color: var(--muted);
+        font-size: clamp(1rem, 2.5vw, 1.1rem);
+        line-height: 1.65;
+      }
+
+      .next-step {
+        margin: 26px 0 0;
+        padding: 14px 18px;
+        border-radius: 999px;
+        background: color-mix(in srgb, var(--state-color) 12%, transparent);
+        color: var(--page-ink);
+        font-size: 0.94rem;
+        line-height: 1.5;
+      }
+
+      @media (max-width: 520px) {
+        body {
+          padding: 16px;
+        }
+
+        main {
+          border-radius: 24px;
+        }
+
+        .next-step {
+          border-radius: 18px;
+        }
+      }
+    </style>
+  </head>
+  <body>
+    <main data-state="${pageState}" aria-labelledby="callback-title">
+      <div class="mark" aria-hidden="true">
+        <svg width="34" height="34" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+          ${stateIcon}
+        </svg>
+      </div>
+      <p class="eyebrow">${eyebrow}</p>
+      <h1 id="callback-title">${escapedCardTitle}</h1>
+      <p class="message">${escapedMessage}</p>
+      <p class="next-step">${actionText}</p>
+    </main>
+    ${autoCloseScript}
+  </body>
+</html>`);
 };
 const startLocalCallbackServer = async ({
   expectedState,
@@ -784,9 +1098,6 @@ const startLocalCallbackServer = async ({
       state
     });
   });
-  server.on('error', error => {
-    fail(error instanceof Error ? error : new Error('Failed to start local OAuth callback server.'));
-  });
   const close = async () => {
     await new Promise((resolve, reject) => {
       server.close(error => {
@@ -799,8 +1110,17 @@ const startLocalCallbackServer = async ({
     });
   };
   await new Promise((resolve, reject) => {
-    server.listen(24953, 'localhost', () => resolve());
-    server.once('error', reject);
+    const rejectStart = error => {
+      reject(toCallbackServerStartError(error));
+    };
+    server.once('error', rejectStart);
+    server.listen(24953, 'localhost', () => {
+      server.off('error', rejectStart);
+      server.on('error', error => {
+        fail(error instanceof Error ? error : new Error('Local OAuth callback server failed.'));
+      });
+      resolve();
+    });
   });
   signal.addEventListener('abort', () => {
     fail(signal.reason instanceof Error ? signal.reason : new Error('OAuth login aborted.'));
@@ -864,7 +1184,7 @@ const fetchPublishedSkillsGraphQl = async ({
     };
   }
   if (response.status === 401 || response.status === 403) {
-    await deleteFileIfExists(path.resolve(worktree, config.authStatePath));
+    await clearAuthState(config.authStatePath);
     onAuthStateChanged?.();
     return {
       ok: false,
@@ -910,7 +1230,7 @@ const fetchPublishedSkillsGraphQl = async ({
   if (body.errors?.length) {
     const message = body.errors.map(error => error.message).join('; ');
     if (body.errors.some(error => isUnauthorizedGraphQlMessage(error.message))) {
-      await deleteFileIfExists(path.resolve(worktree, config.authStatePath));
+      await clearAuthState(config.authStatePath);
       onAuthStateChanged?.();
       return {
         ok: false,
@@ -1199,7 +1519,6 @@ const OpencodeWizardSkillsPlugin = async input => {
   const catalogInflight = new Map();
   const detailCache = new Map();
   const detailInflight = new Map();
-  const authStateFile = path.resolve(input.worktree, config.authStatePath);
   const initialAuthState = await resolveStoredAuthState(input.worktree, config);
   const loginBootstrap = {
     promise: null,
@@ -1298,7 +1617,7 @@ const OpencodeWizardSkillsPlugin = async input => {
   };
   const persistAuthState = async session => {
     const authState = toAuthState(session);
-    await writeAuthState(authStateFile, authState);
+    await writeAuthState(config.authStatePath, authState);
     clearPublishedSkillState();
     return authState;
   };
@@ -1319,19 +1638,20 @@ const OpencodeWizardSkillsPlugin = async input => {
     };
     const loginPromise = (async () => {
       const loginSignal = AbortSignal.timeout(LOGIN_TIMEOUT_MS);
-      const loginStart = await startLoginFlow(loginSignal);
-      const browserOpenError = await openBrowser(loginStart.browserUrl);
-      loginBootstrap.snapshot = {
-        status: 'pending',
-        trigger,
-        startedAt,
-        expiresAt: loginStart.expiresAt,
-        browserUrl: loginStart.browserUrl,
-        browserOpenError,
-        email: null,
-        message: browserOpenError ? `Automatic browser open failed. Open ${loginStart.browserUrl} manually.` : `Browser login started for published skill ${trigger}.`
-      };
+      let loginStart = null;
       try {
+        loginStart = await startLoginFlow(loginSignal);
+        const browserOpenError = await openBrowser(loginStart.browserUrl);
+        loginBootstrap.snapshot = {
+          status: 'pending',
+          trigger,
+          startedAt,
+          expiresAt: loginStart.expiresAt,
+          browserUrl: loginStart.browserUrl,
+          browserOpenError,
+          email: null,
+          message: browserOpenError ? `Automatic browser open failed. Open ${loginStart.browserUrl} manually.` : `Browser login started for published skill ${trigger}.`
+        };
         const callbackPayload = await loginStart.callbackPromise;
         if (callbackPayload.status === 'error') {
           throw new Error(callbackPayload.message);
@@ -1390,7 +1710,7 @@ const OpencodeWizardSkillsPlugin = async input => {
         };
         throw error;
       } finally {
-        await loginStart.closeCallbackServer().catch(() => undefined);
+        await loginStart?.closeCallbackServer().catch(() => undefined);
         loginBootstrap.promise = null;
       }
     })();