@andreasnlarsen/whoop-cli 0.1.2 → 0.1.4

package/README.md

@@ -32,38 +32,45 @@ There is **no managed/shared auth service** in this repo right now.
 - Do **not** embed or publish client secrets/tokens in source code, examples, or public logs.
 - If WHOOP requests naming/branding/compliance changes, maintainers should address them promptly and cooperatively.
 
+## Trust & Safety (quick)
+
+- Package: `@andreasnlarsen/whoop-cli`
+- Releases are published via GitHub Actions trusted publishing (OIDC) with npm provenance.
+- This integration is unofficial and not affiliated with Whoop, Inc.
+- Never paste OAuth client secrets/tokens into chat. Run login locally:
+  - `whoop auth login --client-id ... --client-secret ... --redirect-uri ...`
+- Verify install quickly:
+  - `npx -y @andreasnlarsen/whoop-cli --help`
+  - `whoop auth status --json`
+  - `whoop day-brief --json`
+
 ---
 
 ## One-line options (no clone)
 
 If you want agents/users to run it immediately without cloning:
 
-### Current (works now via GitHub source)
+### Recommended (npm registry)
 
 Run once (ephemeral):
 
 ```bash
-npm exec --yes --package=github:andreasnlarsen/whoop-cli -- whoop summary --json --pretty
+npx -y @andreasnlarsen/whoop-cli summary --json --pretty
 ```
 
 Install globally:
 
 ```bash
-npm install -g github:andreasnlarsen/whoop-cli
+npm install -g @andreasnlarsen/whoop-cli
 ```
 
-### After npm publish (recommended)
+### Fallback (GitHub source)
 
-Run once (ephemeral):
+If npm registry is unavailable for any reason:
 
 ```bash
-npx -y @andreasnlarsen/whoop-cli summary --json --pretty
-```
-
-Install globally:
-
-```bash
-npm install -g @andreasnlarsen/whoop-cli
+npm exec --yes --package=github:andreasnlarsen/whoop-cli -- whoop summary --json --pretty
+npm install -g github:andreasnlarsen/whoop-cli
 ```
 
 Then use:
@@ -177,6 +184,14 @@ Copy the **full redirected URL** from the browser address bar and paste it into
 
 (If localhost page fails to load, that is usually fine—just copy the URL.)
 
+If browser auto-open does not work on your machine, run login with:
+
+```bash
+whoop auth login --no-open
+```
+
+Then open the printed URL manually in your browser.
+
 ---
 
 ## For non-technical users
@@ -304,17 +319,33 @@ One-time setup on npmjs.com (**required**):
 3. Optional hardening (recommended): package Settings → Publishing access →
    - "Require two-factor authentication and disallow tokens"
 
-Release flow:
+Release flow (branch-protected safe):
 
 ```bash
-# bump version first (example)
-npm version patch
-
-git push origin main --follow-tags
-# OR manually tag: git tag v0.1.1 && git push origin v0.1.1
+# 1) prepare release commit on a branch
+git switch main
+git pull --ff-only
+
+git switch -c release/vX.Y.Z
+npm version X.Y.Z --no-git-tag-version
+npm install --package-lock-only
+npm run typecheck && npm test && npm run build
+
+git add package.json package-lock.json
+git commit -m "chore(release): vX.Y.Z"
+git push -u origin release/vX.Y.Z
+
+# 2) open PR: release/vX.Y.Z -> main, then merge
+
+# 3) tag from merged main commit
+git switch main
+git fetch origin
+git reset --hard origin/main
+git tag vX.Y.Z
+git push origin vX.Y.Z
 ```
 
-The GitHub workflow will publish automatically on `v*` tags via OIDC.
+The GitHub workflow publishes automatically on `v*` tags via OIDC trusted publishing.
 
 ### Bootstrap note (first publish)
 

package/dist/auth/oauth.js

@@ -59,15 +59,17 @@ export const exchangeAuthCode = async (config, code) => {
         redirect_uri: config.redirectUri,
     });
 };
-export const refreshAuthToken = async (config, refreshToken, scope) => {
+export const refreshAuthToken = async (config, refreshToken) => {
     if (!refreshToken)
         throw usageError('Refresh token is required');
+    // WHOOP docs (OAuth refresh flow) require scope=offline in refresh requests.
+    // Using token-issued scope strings here can produce malformed refresh requests.
     return exchange(config, {
         grant_type: 'refresh_token',
         refresh_token: refreshToken,
         client_id: config.clientId,
         client_secret: config.clientSecret,
-        ...(scope ? { scope } : {}),
+        scope: 'offline',
     });
 };
 export const parseAuthInput = (input) => {

package/dist/auth/token-service.js

@@ -41,7 +41,7 @@ export const refreshProfileToken = async (profileName) => withRefreshLock(profil
     if (!refreshToken) {
         throw authError('No refresh token available. Re-run whoop auth login with offline scope.');
     }
-    const refreshed = await refreshAuthToken(toOAuthConfig(profile), refreshToken, profile.tokens?.scope);
+    const refreshed = await refreshAuthToken(toOAuthConfig(profile), refreshToken);
     profile.tokens = tokenFromOAuth(refreshed, refreshToken);
     await saveProfile(profileName, profile);
     return profile;

package/dist/commands/auth.js

@@ -70,7 +70,7 @@ export const registerAuthCommands = (program) => {
             }, profile.scopes, state);
             let openAttempted = false;
             if (opts.open !== false) {
-                openAttempted = tryOpenBrowser(authUrl);
+                openAttempted = await tryOpenBrowser(authUrl);
             }
             let code = opts.code;
             if (!code) {

package/dist/util/open-browser.js

@@ -1,19 +1,50 @@
 import { spawn } from 'node:child_process';
-export const tryOpenBrowser = (url) => {
-    const cmds = [
+const getOpenCommands = (url) => {
+    if (process.platform === 'darwin') {
+        return [
+            ['open', [url]],
+            ['xdg-open', [url]],
+            ['cmd', ['/c', 'start', '', url]],
+        ];
+    }
+    if (process.platform === 'win32') {
+        return [
+            ['cmd', ['/c', 'start', '', url]],
+            ['xdg-open', [url]],
+            ['open', [url]],
+        ];
+    }
+    return [
         ['xdg-open', [url]],
         ['open', [url]],
         ['cmd', ['/c', 'start', '', url]],
     ];
+};
+const tryCommand = (cmd, args) => new Promise((resolve) => {
+    try {
+        const child = spawn(cmd, args, { stdio: 'ignore', detached: true });
+        let settled = false;
+        const finish = (ok) => {
+            if (settled)
+                return;
+            settled = true;
+            resolve(ok);
+        };
+        child.once('error', () => finish(false));
+        child.once('spawn', () => finish(true));
+        child.unref();
+        setTimeout(() => finish(true), 200);
+    }
+    catch {
+        resolve(false);
+    }
+});
+export const tryOpenBrowser = async (url) => {
+    const cmds = getOpenCommands(url);
     for (const [cmd, args] of cmds) {
-        try {
-            const child = spawn(cmd, args, { stdio: 'ignore', detached: true });
-            child.unref();
+        if (await tryCommand(cmd, args)) {
             return true;
         }
-        catch {
-            // try next
-        }
     }
     return false;
 };

package/openclaw-skill/SKILL.md

@@ -1,17 +1,58 @@
 ---
 name: whoop-cli
-description: Use whoop-cli to fetch WHOOP data, generate day briefs/health flags, and export trend data for automation workflows.
+description: Companion skill for @andreasnlarsen/whoop-cli: agent-friendly WHOOP access via stable CLI JSON (day briefs, health flags, trends, exports) without raw API plumbing.
+metadata:
+  openclaw:
+    requires:
+      bins:
+        - whoop
+      env:
+        - WHOOP_CLIENT_ID
+        - WHOOP_CLIENT_SECRET
+        - WHOOP_REDIRECT_URI
+    primaryEnv: WHOOP_CLIENT_SECRET
+    homepage: https://github.com/andreasnlarsen/whoop-cli
+    install:
+      - kind: node
+        package: "@andreasnlarsen/whoop-cli@0.1.3"
+        bins:
+          - whoop
+        label: Install whoop-cli from npm
 ---
 
 # whoop-cli
 
 Use the installed `whoop` command.
 
+## Security + credential handling (required)
+
+- Never ask users to paste client secrets/tokens into chat.
+- For first-time auth, the user should run login **locally on their own shell**.
+- Prefer read-only operational commands in agent flows (`summary`, `day-brief`, `health`, `trend`, `sync pull`).
+- Do not run `whoop auth login` unless the user explicitly asks for login help.
+- Tokens are stored locally at `~/.whoop-cli/profiles/<profile>.json` by the CLI.
+
+## Install / bootstrap
+
+If `whoop` is missing:
+
+```bash
+npm install -g @andreasnlarsen/whoop-cli@0.1.3
+```
+
+Optional OpenClaw skill install from package bundle:
+
+```bash
+whoop openclaw install-skill --force
+```
+
 ## Core checks
 
 1. `whoop auth status --json`
-2. If unauthenticated: `whoop auth login --client-id ... --client-secret ... --redirect-uri ...`
-3. Validate: `whoop day-brief --json --pretty`
+2. If unauthenticated, ask the user to run local login:
+   - `whoop auth login --client-id ... --client-secret ... --redirect-uri ...`
+3. Validate:
+   - `whoop day-brief --json --pretty`
 
 ## Useful commands
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@andreasnlarsen/whoop-cli",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Open-source WHOOP CLI for humans and agents",
   "type": "module",
   "license": "MIT",