@aiam/ciba 0.7.9 → 0.8.1

package/ciba.mjs

@@ -368,6 +368,19 @@ async function runAuthFlow(serverUrl, extraAttrs, opts) {
   log('');
   log('  Waiting for authentication...');
 
+  // For daemon mode we don't need to wait for the initial token — the daemon
+  // handles token delivery on demand via `ciba token`. Skip the blocking wait
+  // and go straight to starting the socket server after approval is confirmed.
+  // We detect approval by watching authResults indirectly: the server writes
+  // to the device doc's `meta.user_id` after approve (set in server.tsx).
+  if (opts.daemonMode) {
+    const meta2 = deviceDoc.getMap('meta');
+    await firstInYMap(meta2, (key) => key === 'user_id', TIMEOUT)
+      .catch((e) => { provider.destroy(); throw e; });
+    log('  ✓ Approved');
+    return { provider, deviceDoc, privateKey, plainToken: '', serverUrl, tokenMap: null };
+  }
+
   const resourcesMap = deviceDoc.getMap('resources');
   const tokenMapName = await firstInYMap(resourcesMap, () => true, TIMEOUT)
     .catch((e) => { provider.destroy(); throw e; });
@@ -629,9 +642,9 @@ const loginCmd = defineCommand({
       child.stderr.on('data', (d) => {
         output += d.toString();
         process.stderr.write(d);
-        // Wait for Session ready — socket is up and first token is cached.
-        // The URL + user_code are printed before this so the user can approve.
-        if (output.includes('Session ready')) {
+        // Detach as soon as url: is printed — user has what they need to approve.
+        // The daemon keeps running in background waiting for approval then starts socket.
+        if (output.includes('url:') || output.includes('Session ready')) {
           child.unref();
           process.exit(0);
         }
@@ -643,7 +656,7 @@ const loginCmd = defineCommand({
     // --daemon: internal flag used by --persist fork
     const isDaemon = process.argv.includes('--daemon');
 
-    const { provider, deviceDoc, privateKey, plainToken } = await runAuthFlow(serverUrl, extraAttrs, opts);
+    const { provider, deviceDoc, privateKey, plainToken } = await runAuthFlow(serverUrl, extraAttrs, { ...opts, daemonMode: isDaemon });
 
     if (isDaemon) {
       startDaemon(provider, deviceDoc, privateKey, serverUrl);
@@ -709,6 +722,33 @@ const refreshCmd = defineCommand({
   },
 });
 
+const logoutCmd = defineCommand({
+  meta: { description: 'Clear device keys, session and config (next login generates a new device identity)' },
+  args: {},
+  run() {
+    // Stop daemon if running.
+    const cfg = loadConfig();
+    if (cfg.pid) { try { process.kill(parseInt(cfg.pid)); } catch {} }
+    if (existsSync(SOCKET_PATH)) unlinkSync(SOCKET_PATH);
+    const sessionFile = join(CONFIG_DIR, 'session');
+    if (existsSync(sessionFile)) unlinkSync(sessionFile);
+
+    // Clear ECDH keypair from keychain.
+    if (keychainAvailable()) {
+      try { keychainSet(KEYCHAIN_KEY, ''); } catch {}
+    }
+
+    // Remove keys file.
+    if (existsSync(KEYS_FILE)) unlinkSync(KEYS_FILE);
+
+    // Remove config (url, pid).
+    if (existsSync(CONFIG_FILE)) unlinkSync(CONFIG_FILE);
+
+    process.stderr.write('Logged out. Device keys cleared — next login will generate a new device identity.\n');
+    process.exit(0);
+  },
+});
+
 const stopCmd = defineCommand({
   meta: { description: 'Stop daemon and clear session' },
   args: {},
@@ -757,6 +797,7 @@ const main = defineCommand({
     refresh: refreshCmd,
     stop:    stopCmd,
     status:  statusCmd,
+    logout:  logoutCmd,
   },
 });
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aiam/ciba",
-  "version": "0.7.9",
+  "version": "0.8.1",
   "description": "OAuth 2.0 Device Authorization Grant CLI with cross-device push approval (Yjs sync, ECDH-encrypted token delivery, persistent device id)",
   "type": "module",
   "bin": {