@askthew/mcp-plugin 0.4.3 → 0.4.5

package/README.md

@@ -45,6 +45,24 @@ Free install is local-first: it generates `~/.askthew/identity.json`, writes MCP
 
 Telemetry is aggregate-only and opt-out. Ask The W does not receive code, file contents, file paths, file names, command text, summaries, or decision content in free mode telemetry. Aggregate summaries are signed by the local install identity and stored under the generated install ID. Opt out with `--no-telemetry`, `ASKTHEW_TELEMETRY=off`, or `askthew-mcp telemetry opt-out`.
 
+## Refresh vs Uninstall
+
+Use `refresh` when you want the latest installed MCP config and instruction blocks without touching local identity or local data:
+
+```bash
+npx -y --prefer-online @askthew/mcp-plugin@latest refresh --host claude_code
+```
+
+`refresh` preserves `~/.askthew/identity.json` and `~/.askthew/store.sqlite`, reuses any existing email claim silently, rewrites the host MCP config, and rewrites the marked Ask The W blocks in `CLAUDE.md` and `AGENTS.md`. This is the recommended QA update path after a plugin publish.
+
+Use `uninstall` when you want to remove the plugin from a host:
+
+```bash
+npx -y @askthew/mcp-plugin@latest uninstall --host claude_code --keep-local-data --keep-auth
+```
+
+Without `--keep-local-data`, uninstall removes `~/.askthew`; without `--keep-auth`, it removes the local install identity. Uninstall does not clear npm's cache.
+
 ## Workspace Install
 
 Create a workspace token in Ask The W at `/decisions/settings/connectors`, then run the installer from your coding agent or terminal. Treat the token like a password; anyone with it can write compact source signals into that workspace.

package/dist/cli.d.ts

@@ -1,10 +1,7 @@
 #!/usr/bin/env node
-import { requestMagicLinkCode as requestMagicLinkCodeDefault, verifyMagicLinkCode as verifyMagicLinkCodeDefault } from "./lib/auth-magic-link.js";
 import { tryRegisterFreeInstall } from "./lib/free-install-registration.js";
 type AuthCommandDeps = {
     log?: (message: string) => void;
-    requestMagicLinkCode?: typeof requestMagicLinkCodeDefault;
-    verifyMagicLinkCode?: typeof verifyMagicLinkCodeDefault;
     registerFreeInstall?: typeof tryRegisterFreeInstall;
 };
 export declare function runAuthCommand(argv: string[], deps?: AuthCommandDeps): Promise<void>;

package/dist/cli.js

@@ -5,9 +5,7 @@ import path from "node:path";
 import { execFileSync } from "node:child_process";
 import { fileURLToPath } from "node:url";
 import { createAskTheWMcpServer } from "./index.js";
-import { clearPendingAuth, pendingAuth, pendingAuthForEmail } from "./lib/auth-pending.js";
-import { verifyMagicLinkCode as verifyMagicLinkCodeDefault, } from "./lib/auth-magic-link.js";
-import { credentialsPath, ensureAskTheWDataDir } from "./lib/paths.js";
+import { ensureAskTheWDataDir, identityPath } from "./lib/paths.js";
 import { loadCliCredentials } from "./lib/free-tier-policy.js";
 import { describeFreeIdentity, tryRegisterFreeInstall } from "./lib/free-install-registration.js";
 import { ensureLocalIdentity, loadLocalIdentity, publicIdentity } from "./lib/local-identity.js";
@@ -24,17 +22,17 @@ function usage() {
         "  askthew-mcp",
         "  askthew-mcp install --host <claude_code|codex|cursor> --token <install-token> --api-url <url> --server-name <name> [--client-id <id>] [--client-label <label>] [--dry-run] [--no-agent-instructions]",
         "  askthew-mcp install --host <claude_code|codex|cursor> --free [--email <email>] [--api-url <url>] [--server-name <name>]",
+        "  askthew-mcp refresh --host <claude_code|codex|cursor> [--free] [--token <install-token>] [--api-url <url>] [--server-name <name>] [--dry-run]",
         "  askthew-mcp uninstall --host <claude_code|codex|cursor> [--server-name <name>] [--dry-run] [--keep-local-data] [--keep-auth] [--keep-agent-instructions]",
         "  askthew-mcp identify --email <email> [--no-telemetry]",
         "  askthew-mcp identity status",
         "  askthew-mcp auth login --email <email> [--no-telemetry]",
-        "  askthew-mcp auth verify --code <code> [--email <email>]",
         "  askthew-mcp auth logout | status",
         "  askthew-mcp telemetry status | opt-out | opt-in | preview",
         "  askthew-mcp local stats | reset --hard",
         "  askthew-mcp install-hook --pre-commit",
         "  askthew-mcp digest --weekly",
-        "  askthew-mcp sync upload [--dry-run]",
+        "  askthew-mcp sync upload [--token <workspace-install-token>] [--dry-run]",
         "  askthew-mcp print-config --host <claude_code|codex|cursor> --token <install-token> --api-url <url> --server-name <name> [--client-id <id>] [--client-label <label>]",
     ].join("\n");
 }
@@ -135,6 +133,16 @@ function parseInstallArgs(argv) {
 function normalizeInstallToken(token) {
     return String(token ?? "").trim().replace(/^['"]/, "").replace(/['"]$/, "");
 }
+function packageVersion() {
+    try {
+        const packagePath = fileURLToPath(new URL("../package.json", import.meta.url));
+        const parsed = JSON.parse(fs.readFileSync(packagePath, "utf8"));
+        return typeof parsed.version === "string" ? parsed.version : "unknown";
+    }
+    catch {
+        return "unknown";
+    }
+}
 function detectLoginEmail() {
     for (const value of [
         process.env.ASKTHEW_EMAIL,
@@ -232,6 +240,10 @@ async function main() {
         }
         return;
     }
+    if (command === "refresh") {
+        await runRefreshCommand(argv);
+        return;
+    }
     if (command === "identify") {
         await runIdentifyCommand(argv);
         return;
@@ -273,7 +285,7 @@ async function main() {
         return;
     }
     if (command === "upgrade") {
-        console.log("Open https://askthew.com/mcp to upgrade, then run `askthew-mcp upgrade --finalize`.");
+        console.log("Open https://askthew.com/plugin to upgrade, then run `askthew-mcp upgrade --finalize`.");
         if (argv.includes("--finalize")) {
             console.log("Finalize will rewrite host config after a paid workspace token is available in the web app.");
         }
@@ -340,7 +352,7 @@ async function runUninstallCommand(argv) {
         fs.rmSync(ensureAskTheWDataDir(), { recursive: true, force: true });
     }
     if (!keepAuth && !dryRun) {
-        const file = credentialsPath();
+        const file = identityPath();
         if (fs.existsSync(file))
             fs.rmSync(file, { force: true });
     }
@@ -356,61 +368,103 @@ async function runUninstallCommand(argv) {
         console.log(config.json);
     }
 }
+async function runRefreshCommand(argv) {
+    const parsed = parseInstallArgs(["--free", ...argv]);
+    const isPaidRefresh = Boolean(parsed.token && !argv.includes("--free"));
+    const options = {
+        ...parsed,
+        free: !isPaidRefresh,
+    };
+    const existingIdentity = loadLocalIdentity();
+    let freeIdentity = existingIdentity;
+    if (options.free && !options.dryRun && !freeIdentity) {
+        freeIdentity = ensureLocalIdentity({
+            emailClaim: options.email,
+            apiUrl: options.apiUrl,
+        });
+    }
+    const uninstall = uninstallHostConfig({
+        hostType: options.hostType,
+        serverName: options.serverName,
+        dryRun: options.dryRun,
+    });
+    const removedInstructions = uninstallBehaviorInstructions({
+        hostType: options.hostType,
+        dryRun: options.dryRun,
+    });
+    const install = installHostConfig(options);
+    const installedInstructions = options.installAgentInstructions
+        ? installBehaviorInstructions({
+            hostType: options.hostType,
+            dryRun: options.dryRun,
+        })
+        : null;
+    if (options.free && freeIdentity && !options.dryRun) {
+        await tryRegisterFreeInstall({
+            identity: freeIdentity,
+            deviceLabel: options.clientLabel ?? `${options.hostType} free refresh`,
+            repo: {
+                repoName: process.env.ASKTHEW_REPO_NAME,
+                repoRoot: process.env.ASKTHEW_REPO_ROOT,
+                hostType: options.hostType,
+            },
+            options: { apiUrl: options.apiUrl },
+        });
+    }
+    console.log(options.dryRun ? "Ask The W plugin refresh dry run complete." : "Ask The W plugin refresh complete.");
+    console.log(`Plugin package version: ${packageVersion()}`);
+    console.log(`Settings path: ${install.settingsPath}`);
+    console.log(`Removed instructions: ${removedInstructions.paths.join(", ") || "none"}`);
+    if (installedInstructions) {
+        console.log(`Installed instructions: ${installedInstructions.paths.join(", ") || installedInstructions.path}`);
+    }
+    if (options.free) {
+        console.log(freeIdentity
+            ? `Local identity preserved: ${freeIdentity.installId}`
+            : "Local identity would be created on a non-dry-run refresh.");
+        console.log("Local data preserved: ~/.askthew/store.sqlite");
+    }
+    else {
+        const heartbeatSent = install.wroteFile
+            ? await sendInstallHeartbeat(options).catch(() => false)
+            : false;
+        console.log(heartbeatSent ? "Paid workspace heartbeat sent." : "Paid workspace heartbeat not sent yet.");
+    }
+    console.log(`Next step: ${install.nextStep}`);
+    if (options.dryRun) {
+        console.log("");
+        console.log(uninstall.json);
+        console.log("");
+        console.log(install.json);
+    }
+}
 function argValue(argv, name) {
     const index = argv.indexOf(name);
     return index >= 0 ? argv[index + 1] : undefined;
 }
 export async function runAuthCommand(argv, deps = {}) {
     const log = deps.log ?? console.log;
-    const verifyCode = deps.verifyMagicLinkCode ?? verifyMagicLinkCodeDefault;
     const registerInstall = deps.registerFreeInstall ?? tryRegisterFreeInstall;
     const [subcommand] = argv;
     if (subcommand === "status") {
         const identity = loadLocalIdentity();
-        const credentials = loadCliCredentials();
         log(identity
             ? `Identified local free install ${identity.installId}${identity.emailClaim ? ` with email claim ${identity.emailClaim}` : ""}. Email claim is unverified until upgrade.`
-            : credentials
-                ? `Logged in as ${credentials.email ?? credentials.userId}. Telemetry: ${credentials.telemetryOptOut ? "off" : "on"}`
-                : pendingAuth()
-                    ? `Not logged in. Pending code for ${pendingAuth()?.email}. Run \`askthew-mcp auth verify --code <6-digit-code>\`.`
-                    : `No local identity yet. Run \`askthew-mcp identify --email <your-email>\`, or install with \`--free --email <your-email>\`.`);
+            : `No local identity yet. Run \`askthew-mcp identify --email <your-email>\`, or install with \`--free --email <your-email>\`.`);
         return;
     }
     if (subcommand === "logout") {
-        const file = credentialsPath();
+        const file = identityPath();
         if (fs.existsSync(file))
             fs.rmSync(file);
-        log("Logged out of Ask The W local free tier.");
+        log("Removed Ask The W local free install identity.");
         return;
     }
-    if (subcommand !== "login" && subcommand !== "verify") {
-        throw new Error("Usage: askthew-mcp auth login --email <email> [--no-telemetry] | askthew-mcp auth verify --code <code> [--email <email>]");
+    if (subcommand !== "login") {
+        throw new Error("Usage: askthew-mcp auth login --email <email> [--no-telemetry] | askthew-mcp auth logout | status");
     }
     ensureAskTheWDataDir();
     const email = argValue(argv, "--email")?.trim();
-    const code = argValue(argv, "--code")?.trim();
-    if (subcommand === "verify" || code) {
-        if (!code)
-            throw new Error("Missing --code.");
-        const pending = email ? pendingAuthForEmail(email) : pendingAuth();
-        if (!pending) {
-            throw new Error(email
-                ? `No pending Ask The W login request for ${email}. Run \`askthew-mcp auth login --email ${email}\` first.`
-                : "No pending Ask The W login request. Run `askthew-mcp auth login --email <email>` first.");
-        }
-        if (subcommand === "login") {
-            log("Using the pending Ask The W login request. Next time, run `askthew-mcp auth verify --code <6-digit-code>`.");
-        }
-        const credentials = await verifyCode({
-            requestId: pending.requestId,
-            code,
-            telemetryOptOut: pending.telemetryOptOut,
-        });
-        clearPendingAuth();
-        log(`Logged in. Account status: ${credentials.accountStatus}. Credentials stored with mode 0600.`);
-        return;
-    }
     if (!email)
         throw new Error("Missing --email.");
     const noTelemetry = argv.includes("--no-telemetry");
@@ -464,15 +518,8 @@ async function runTelemetryCommand(argv) {
         return;
     }
     if (subcommand === "opt-out" || subcommand === "opt-in") {
-        if (credentials.identityKind === "local_install" && credentials.localIdentity) {
-            ensureLocalIdentity({ telemetryOptOut: subcommand === "opt-out" });
-            console.log(`Telemetry: ${subcommand === "opt-out" ? "off" : "on"}`);
-            return;
-        }
-        const next = { ...credentials, telemetryOptOut: subcommand === "opt-out" };
-        fs.writeFileSync(credentialsPath(), `${JSON.stringify(next, null, 2)}\n`, { encoding: "utf8", mode: 0o600 });
-        fs.chmodSync(credentialsPath(), 0o600);
-        console.log(`Telemetry: ${next.telemetryOptOut ? "off" : "on"}`);
+        ensureLocalIdentity({ telemetryOptOut: subcommand === "opt-out" });
+        console.log(`Telemetry: ${subcommand === "opt-out" ? "off" : "on"}`);
         return;
     }
     if (subcommand === "preview") {
@@ -525,7 +572,7 @@ async function runDigestCommand(argv) {
 }
 async function runSyncCommand(argv) {
     if (argv[0] !== "upload")
-        throw new Error("Usage: askthew-mcp sync upload [--dry-run]");
+        throw new Error("Usage: askthew-mcp sync upload [--token <workspace-install-token>] [--dry-run]");
     const credentials = loadCliCredentials();
     if (!credentials)
         throw new Error("No local identity. Run `askthew-mcp identify --email <your-email>` first.");
@@ -534,7 +581,11 @@ async function runSyncCommand(argv) {
         console.log(JSON.stringify(syncDryRun(store), null, 2));
         return;
     }
-    console.log(JSON.stringify(await uploadLocalStore({ store, credentials }), null, 2));
+    const syncToken = argValue(argv, "--token")?.trim() || process.env.ASKTHEW_INSTALL_TOKEN?.trim();
+    if (!syncToken) {
+        throw new Error("Missing workspace install token. Pass `--token <workspace-install-token>` after upgrading.");
+    }
+    console.log(JSON.stringify(await uploadLocalStore({ store, credentials, syncToken }), null, 2));
 }
 const isDirectCliExecution = Boolean(process.argv[1]) && path.resolve(process.argv[1]) === fileURLToPath(import.meta.url);
 if (isDirectCliExecution) {

package/dist/cli.test.js

@@ -6,7 +6,7 @@ import os from "node:os";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 import { runAuthCommand } from "./cli.js";
-import { configPath, credentialsPath, identityPath, writePrivateJson } from "./lib/paths.js";
+import { identityPath } from "./lib/paths.js";
 const cliPath = fileURLToPath(new URL("./cli.js", import.meta.url));
 function makeFixture() {
     const root = fs.mkdtempSync(path.join(os.tmpdir(), "askthew-cli-install-"));
@@ -38,14 +38,6 @@ function runCli(input) {
         },
     });
 }
-function writeCredentials(dataDir) {
-    fs.writeFileSync(path.join(dataDir, "credentials.json"), `${JSON.stringify({
-        email: "founder@example.com",
-        userId: "user_1",
-        cliToken: "cli_token",
-        cliTokenId: "cli_token_1",
-    }, null, 2)}\n`, { encoding: "utf8", mode: 0o600 });
-}
 async function withCliEnv(dataDir, fn) {
     const previous = {
         ASKTHEW_DATA_DIR: process.env.ASKTHEW_DATA_DIR,
@@ -120,10 +112,10 @@ test("free install dry-run stays non-mutating and does not create identity", ()
         fs.rmSync(fixture.root, { recursive: true, force: true });
     }
 });
-test("free install with auth writes host config and agent instructions", () => {
+test("free install ignores stale legacy credentials and writes local identity", () => {
     const fixture = makeFixture();
     try {
-        writeCredentials(fixture.dataDir);
+        fs.writeFileSync(path.join(fixture.dataDir, "credentials.json"), "{\"legacy\":true}\n", "utf8");
         const result = runCli({
             args: ["install", "--host", "claude_code", "--free", "--api-url", "http://127.0.0.1:9"],
             cwd: fixture.project,
@@ -140,21 +132,66 @@ test("free install with auth writes host config and agent instructions", () => {
         assert.equal("ASKTHEW_CLI_TOKEN" in server.env, false);
         assert.equal("ASKTHEW_INSTALL_TOKEN" in server.env, false);
         assert.match(fs.readFileSync(path.join(fixture.project, "CLAUDE.md"), "utf8"), /capture_session_signal/);
+        assert.equal(fs.existsSync(path.join(fixture.dataDir, "identity.json")), true);
+    }
+    finally {
+        fs.rmSync(fixture.root, { recursive: true, force: true });
+    }
+});
+test("refresh rewrites host config and instructions while preserving local identity and data", () => {
+    const fixture = makeFixture();
+    try {
+        const install = runCli({
+            args: ["install", "--host", "claude_code", "--free", "--email", "founder@example.com", "--api-url", "http://127.0.0.1:9"],
+            cwd: fixture.project,
+            home: fixture.home,
+            dataDir: fixture.dataDir,
+        });
+        assert.equal(install.status, 0, install.stderr);
+        const beforeIdentity = JSON.parse(fs.readFileSync(path.join(fixture.dataDir, "identity.json"), "utf8"));
+        fs.writeFileSync(path.join(fixture.dataDir, "store.sqlite"), "keep me", "utf8");
+        const refresh = runCli({
+            args: ["refresh", "--host", "claude_code", "--api-url", "http://127.0.0.1:9"],
+            cwd: fixture.project,
+            home: fixture.home,
+            dataDir: fixture.dataDir,
+        });
+        assert.equal(refresh.status, 0, refresh.stderr);
+        assert.match(refresh.stdout, /plugin refresh complete/);
+        assert.match(refresh.stdout, /Local identity preserved/);
+        assert.match(refresh.stdout, /Plugin package version:/);
+        const afterIdentity = JSON.parse(fs.readFileSync(path.join(fixture.dataDir, "identity.json"), "utf8"));
+        assert.equal(afterIdentity.installId, beforeIdentity.installId);
+        assert.equal(afterIdentity.emailClaim, "founder@example.com");
+        assert.equal(fs.readFileSync(path.join(fixture.dataDir, "store.sqlite"), "utf8"), "keep me");
+        assert.match(fs.readFileSync(path.join(fixture.project, "CLAUDE.md"), "utf8"), /ASKTHEW_PLUGIN_INSTRUCTIONS_START/);
+        assert.match(fs.readFileSync(path.join(fixture.project, "AGENTS.md"), "utf8"), /ASKTHEW_PLUGIN_INSTRUCTIONS_START/);
+    }
+    finally {
+        fs.rmSync(fixture.root, { recursive: true, force: true });
+    }
+});
+test("refresh dry-run does not create a local identity", () => {
+    const fixture = makeFixture();
+    try {
+        const refresh = runCli({
+            args: ["refresh", "--host", "codex", "--dry-run"],
+            cwd: fixture.project,
+            home: fixture.home,
+            dataDir: fixture.dataDir,
+        });
+        assert.equal(refresh.status, 0, refresh.stderr);
+        assert.match(refresh.stdout, /refresh dry run complete/);
+        assert.equal(fs.existsSync(path.join(fixture.dataDir, "identity.json")), false);
+        assert.equal(fs.existsSync(path.join(fixture.home, ".codex", "config.toml")), false);
     }
     finally {
         fs.rmSync(fixture.root, { recursive: true, force: true });
     }
 });
-test("auth status reports a pending verification code", () => {
+test("auth status reports missing local identity without pending-code guidance", () => {
     const fixture = makeFixture();
     try {
-        fs.writeFileSync(path.join(fixture.dataDir, "config.json"), `${JSON.stringify({
-            pendingAuth: {
-                email: "founder@example.com",
-                requestId: "request_1",
-                expiresAt: new Date(Date.now() + 60_000).toISOString(),
-            },
-        }, null, 2)}\n`, { encoding: "utf8", mode: 0o600 });
         const result = runCli({
             args: ["auth", "status"],
             cwd: fixture.project,
@@ -162,31 +199,35 @@ test("auth status reports a pending verification code", () => {
             dataDir: fixture.dataDir,
         });
         assert.equal(result.status, 0, result.stderr);
-        assert.match(result.stdout, /Pending code for founder@example\.com/);
-        assert.match(result.stdout, /askthew-mcp auth verify --code/);
+        assert.match(result.stdout, /No local identity yet/);
+        assert.doesNotMatch(result.stdout, /verify --code|Pending code/);
     }
     finally {
         fs.rmSync(fixture.root, { recursive: true, force: true });
     }
 });
-test("auth code commands require pending state and do not issue a new code", () => {
+test("removed auth code commands do not issue or verify email codes", () => {
     const fixture = makeFixture();
     try {
-        for (const args of [
-            ["auth", "verify", "--code", "123456"],
-            ["auth", "login", "--email", "founder@example.com", "--code", "123456"],
-        ]) {
-            const result = runCli({
-                args,
-                cwd: fixture.project,
-                home: fixture.home,
-                dataDir: fixture.dataDir,
-                extraEnv: { ASKTHEW_API_URL: "http://127.0.0.1:9" },
-            });
-            assert.equal(result.status, 1);
-            assert.match(result.stderr, /No pending Ask The W login request/);
-            assert.doesNotMatch(result.stdout, /Code sent/);
-        }
+        const verify = runCli({
+            args: ["auth", "verify", "--code", "123456"],
+            cwd: fixture.project,
+            home: fixture.home,
+            dataDir: fixture.dataDir,
+            extraEnv: { ASKTHEW_API_URL: "http://127.0.0.1:9" },
+        });
+        assert.equal(verify.status, 1);
+        assert.match(verify.stderr, /Usage: askthew-mcp auth login/);
+        const loginWithCode = runCli({
+            args: ["auth", "login", "--email", "founder@example.com", "--code", "123456"],
+            cwd: fixture.project,
+            home: fixture.home,
+            dataDir: fixture.dataDir,
+            extraEnv: { ASKTHEW_API_URL: "http://127.0.0.1:9" },
+        });
+        assert.equal(loginWithCode.status, 0, loginWithCode.stderr);
+        assert.match(loginWithCode.stdout, /No email code is required/);
+        assert.doesNotMatch(loginWithCode.stdout, /Code sent|Logged in/);
     }
     finally {
         fs.rmSync(fixture.root, { recursive: true, force: true });
@@ -200,14 +241,6 @@ test("auth login now identifies the local free install without requesting an ema
         await withCliEnv(fixture.dataDir, async () => {
             await runAuthCommand(["login", "--email", "ymtest89+test5@gmail.com"], {
                 log: (message) => logs.push(message),
-                requestMagicLinkCode: async () => {
-                    calls.push({ type: "unexpected_request" });
-                    throw new Error("auth login must not request a new code.");
-                },
-                verifyMagicLinkCode: async () => {
-                    calls.push({ type: "unexpected_verify" });
-                    throw new Error("auth login must not verify a code.");
-                },
                 registerFreeInstall: async ({ identity }) => {
                     calls.push({ type: "register", installId: identity.installId, emailClaim: identity.emailClaim });
                     return { ok: true, registeredAt: new Date().toISOString() };
@@ -218,57 +251,10 @@ test("auth login now identifies the local free install without requesting an ema
         assert.equal(calls[0].type, "register");
         assert.equal(calls[0].emailClaim, "ymtest89+test5@gmail.com");
         assert.equal(fs.existsSync(identityPath({ ASKTHEW_DATA_DIR: fixture.dataDir })), true);
-        assert.equal(fs.existsSync(credentialsPath({ ASKTHEW_DATA_DIR: fixture.dataDir })), false);
+        assert.equal(fs.existsSync(path.join(fixture.dataDir, "credentials.json")), false);
         assert.match(logs.join("\n"), /No email code is required/);
     }
     finally {
         fs.rmSync(fixture.root, { recursive: true, force: true });
     }
 });
-test("backwards-compatible auth login --code verifies pending state without requesting a new code", async () => {
-    const fixture = makeFixture();
-    const calls = [];
-    const logs = [];
-    try {
-        await withCliEnv(fixture.dataDir, async () => {
-            writePrivateJson(configPath(), {
-                pendingAuth: {
-                    email: "ymtest89+test5@gmail.com",
-                    requestId: "22222222-2222-4222-8222-222222222222",
-                    expiresAt: new Date(Date.now() + 10 * 60_000).toISOString(),
-                },
-            });
-            await runAuthCommand(["login", "--email", "ymtest89+test5@gmail.com", "--code", "150259"], {
-                log: (message) => logs.push(message),
-                requestMagicLinkCode: async () => {
-                    calls.push({ type: "unexpected_request" });
-                    throw new Error("login --code must not request a new code.");
-                },
-                verifyMagicLinkCode: async (input) => {
-                    calls.push({ type: "verify", requestId: input.requestId, code: input.code });
-                    const credentials = {
-                        email: "ymtest89+test5@gmail.com",
-                        userId: "user_2",
-                        cliToken: "cli_token_2",
-                        cliTokenId: "cli_token_2",
-                        accountStatus: "new_dormant",
-                    };
-                    writePrivateJson(credentialsPath(), credentials);
-                    return credentials;
-                },
-            });
-        });
-        assert.deepEqual(calls, [
-            {
-                type: "verify",
-                requestId: "22222222-2222-4222-8222-222222222222",
-                code: "150259",
-            },
-        ]);
-        assert.match(logs.join("\n"), /Using the pending Ask The W login request/);
-        assert.match(logs.join("\n"), /Logged in/);
-    }
-    finally {
-        fs.rmSync(fixture.root, { recursive: true, force: true });
-    }
-});

package/dist/free-tier-policy.test.js

@@ -4,6 +4,7 @@ import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { resolveMcpMode } from "./lib/free-tier-policy.js";
+import { ensureLocalIdentity } from "./lib/local-identity.js";
 function withTempDataDir(fn) {
     const dataDir = fs.mkdtempSync(path.join(os.tmpdir(), "askthew-mode-"));
     try {
@@ -21,15 +22,15 @@ test("mode resolution prefers paid install tokens", () => {
     assert.equal(mode.mode, "paid");
     assert.equal(mode.reason, "workspace_install_token");
 });
-test("mode resolution detects authenticated free credentials", () => {
-    const mode = resolveMcpMode({
-        ASKTHEW_CLI_TOKEN: "cli_token",
-        ASKTHEW_USER_ID: "user_1",
-        ASKTHEW_CLI_TOKEN_ID: "cli_token_1",
+test("mode resolution detects local free install identity", () => {
+    withTempDataDir((env) => {
+        ensureLocalIdentity({ emailClaim: "founder@example.com", env });
+        const mode = resolveMcpMode(env);
+        assert.equal(mode.mode, "free");
+        assert.equal(mode.reason, "local_install_identity");
+        assert.equal(mode.cliCredentials?.userId, mode.cliCredentials?.installId);
+        assert.equal(mode.cliCredentials?.email, "founder@example.com");
     });
-    assert.equal(mode.mode, "free");
-    assert.equal(mode.reason, "cli_free_tier_credentials");
-    assert.equal(mode.cliCredentials?.userId, "user_1");
 });
 test("mode resolution distinguishes pending free auth from no identity", () => {
     withTempDataDir((env) => {
@@ -39,12 +40,12 @@ test("mode resolution distinguishes pending free auth from no identity", () => {
         });
         const none = resolveMcpMode(env);
         assert.equal(pending.mode, "free_pending_auth");
-        assert.equal(pending.reason, "free_mode_no_credentials");
+        assert.equal(pending.reason, "free_mode_no_identity");
         assert.equal(none.mode, "unauthenticated");
         assert.equal(none.reason, "no_identity");
     });
 });
-test("mode resolution marks malformed free credentials as pending auth", () => {
+test("mode resolution ignores legacy credentials files", () => {
     withTempDataDir((env, dataDir) => {
         fs.writeFileSync(path.join(dataDir, "credentials.json"), "{\"not\":\"credentials\"}\n", "utf8");
         const mode = resolveMcpMode({
@@ -52,6 +53,6 @@ test("mode resolution marks malformed free credentials as pending auth", () => {
             ASKTHEW_FREE_MODE: "1",
         });
         assert.equal(mode.mode, "free_pending_auth");
-        assert.equal(mode.reason, "invalid_cli_credentials");
+        assert.equal(mode.reason, "free_mode_no_identity");
     });
 });

package/dist/index.js

@@ -1278,7 +1278,7 @@ export function createAskTheWMcpServer(options = {}) {
                 extra: {
                     tool: "review_session",
                     limit: 3,
-                    upgradeUrl: "https://askthew.com/mcp?utm_source=mcp-plugin&utm_medium=tool-nudge&utm_campaign=mcp-free&tool=review_session",
+                    upgradeUrl: "https://askthew.com/plugin?utm_source=mcp-plugin&utm_medium=tool-nudge&utm_campaign=mcp-free&tool=review_session",
                     cta: "Upgrade to review more than three sessions in the workspace dashboard.",
                 },
             });

package/dist/index.test.js

@@ -5,7 +5,7 @@ import os from "node:os";
 import path from "node:path";
 import { codingSessionSignalSchema, createAskTheWMcpServer, normalizeInstallTokenInput, redactCodingSessionSignal, redactProvenanceSignal, } from "./index.js";
 import { LocalStore } from "./lib/local-store.js";
-import { credentialsPath, writePrivateJson } from "./lib/paths.js";
+import { ensureLocalIdentity } from "./lib/local-identity.js";
 function toolResultJson(result) {
     return JSON.parse(result.content[0].text);
 }
@@ -19,10 +19,11 @@ async function withFreeEnv(fn) {
         ASKTHEW_FREE_MODE: process.env.ASKTHEW_FREE_MODE,
     };
     const dataDir = fs.mkdtempSync(path.join(os.tmpdir(), "askthew-free-tools-"));
-    process.env.ASKTHEW_CLI_TOKEN = "cli_free_token";
-    process.env.ASKTHEW_USER_ID = "local-user";
-    process.env.ASKTHEW_CLI_TOKEN_ID = "cli-token-id";
     process.env.ASKTHEW_DATA_DIR = dataDir;
+    ensureLocalIdentity({ emailClaim: "founder@example.com" });
+    delete process.env.ASKTHEW_CLI_TOKEN;
+    delete process.env.ASKTHEW_USER_ID;
+    delete process.env.ASKTHEW_CLI_TOKEN_ID;
     delete process.env.ASKTHEW_INSTALL_TOKEN;
     delete process.env.ASKTHEW_FREE_MODE;
     try {
@@ -83,16 +84,11 @@ async function withInstalledFreeEnv(fn) {
     const dataDir = fs.mkdtempSync(path.join(os.tmpdir(), "askthew-installed-free-tools-"));
     process.env.ASKTHEW_FREE_MODE = "1";
     process.env.ASKTHEW_DATA_DIR = dataDir;
+    ensureLocalIdentity({ emailClaim: "ymtest89+test5@gmail.com" });
     delete process.env.ASKTHEW_CLI_TOKEN;
     delete process.env.ASKTHEW_USER_ID;
     delete process.env.ASKTHEW_CLI_TOKEN_ID;
     delete process.env.ASKTHEW_INSTALL_TOKEN;
-    writePrivateJson(credentialsPath(), {
-        email: "ymtest89+test5@gmail.com",
-        userId: "local-user",
-        cliToken: "cli_free_token",
-        cliTokenId: "cli-token-id",
-    });
     try {
         return await fn();
     }
@@ -644,7 +640,8 @@ test("authenticated free mode keeps capture, decisions, and review local without
         assert.equal(capture.ok, true);
         assert.match(decision.id, /^d_/);
         assert.equal(review.ok, true);
-        assert.equal(calls.length, 0);
+        assert.equal(calls.length, 1);
+        assert.match(calls[0].url, /\/api\/cli\/v1\/free-installs\/register$/);
         const store = LocalStore.open();
         try {
             const stats = store.stats();
@@ -686,7 +683,8 @@ test("installed free mode with credential file captures locally even if hosted a
         assert.equal(capture.sessionId, "session-installed-free");
         assert.equal("code" in capture, false);
         assert.equal(JSON.stringify(capture).includes("local_only_free_feature"), false);
-        assert.equal(calls.length, 0);
+        assert.equal(calls.length, 1);
+        assert.match(calls[0].url, /\/api\/cli\/v1\/free-installs\/register$/);
         const store = LocalStore.open();
         try {
             const signals = store.listSignals({ sessionId: "session-installed-free", limit: 10 });
@@ -745,7 +743,7 @@ test("free decisions, recap, coach, and promote return human-readable compact ou
             assert.equal(response.ok, false);
             assert.equal(response.code, "free_tier_paid_feature");
             assert.equal(response.tool, "coach");
-            assert.match(response.upgradeUrl, /askthew\.com\/mcp/);
+            assert.match(response.upgradeUrl, /askthew\.com\/plugin/);
         }
     });
 });
@@ -912,7 +910,7 @@ test("free review_session markdown is capped and json is cursor-paginated with a
         assert.equal(capped.ok, false);
         assert.equal(capped.code, "free_tier_limit");
         assert.equal(capped.limit, 3);
-        assert.match(capped.upgradeUrl, /askthew\.com\/mcp/);
+        assert.match(capped.upgradeUrl, /askthew\.com\/plugin/);
     });
 });
 test("paid tools return canonical paywall envelope before transport in free mode", async () => {
@@ -945,7 +943,7 @@ test("paid tools return canonical paywall envelope before transport in free mode
             assert.equal(response.ok, false, toolName);
             assert.equal(response.code, "free_tier_paid_feature", toolName);
             assert.equal(response.tool, toolName, toolName);
-            assert.match(response.upgradeUrl, /askthew\.com\/mcp/, toolName);
+            assert.match(response.upgradeUrl, /askthew\.com\/plugin/, toolName);
             assert.equal(response.supportEmail, "support@askthew.com", toolName);
         }
     });

package/dist/lib/free-tier-policy.d.ts

@@ -7,8 +7,7 @@ export interface CliCredentials {
     cliTokenId: string;
     apiUrl?: string;
     telemetryOptOut?: boolean;
-    accountStatus?: "new_dormant" | "existing_active";
-    identityKind?: "legacy_token" | "local_install";
+    identityKind: "local_install";
     installId?: string;
     localIdentity?: LocalInstallIdentity;
 }

package/dist/lib/free-tier-policy.js

@@ -1,20 +1,8 @@
-import fs from "node:fs";
-import { credentialsPath, readJsonFile } from "./paths.js";
 import { loadLocalIdentity } from "./local-identity.js";
 function clean(value) {
     return String(value ?? "").trim().replace(/^['"]/, "").replace(/['"]$/, "");
 }
 export function loadCliCredentials(env = process.env) {
-    const explicitToken = clean(env.ASKTHEW_CLI_TOKEN);
-    if (explicitToken) {
-        return {
-            userId: clean(env.ASKTHEW_USER_ID) || "local",
-            cliToken: explicitToken,
-            cliTokenId: clean(env.ASKTHEW_CLI_TOKEN_ID) || "env",
-            apiUrl: clean(env.ASKTHEW_API_URL) || undefined,
-            telemetryOptOut: env.ASKTHEW_TELEMETRY === "off",
-        };
-    }
     const localIdentity = loadLocalIdentity(env);
     if (localIdentity) {
         return {
@@ -29,11 +17,7 @@ export function loadCliCredentials(env = process.env) {
             localIdentity,
         };
     }
-    const creds = readJsonFile(credentialsPath(env));
-    if (!creds?.cliToken || !creds.userId || !creds.cliTokenId) {
-        return null;
-    }
-    return creds;
+    return null;
 }
 export function resolveMcpMode(env = process.env) {
     const installToken = clean(env.ASKTHEW_INSTALL_TOKEN);
@@ -49,13 +33,13 @@ export function resolveMcpMode(env = process.env) {
         return {
             mode: "free",
             cliCredentials: credentials,
-            reason: "cli_free_tier_credentials",
+            reason: "local_install_identity",
         };
     }
     if (clean(env.ASKTHEW_FREE_MODE) === "1" || clean(env.ASKTHEW_FREE_MODE).toLowerCase() === "true") {
         return {
             mode: "free_pending_auth",
-            reason: fs.existsSync(credentialsPath(env)) ? "invalid_cli_credentials" : "free_mode_no_credentials",
+            reason: "free_mode_no_identity",
         };
     }
     return {

package/dist/lib/paths.d.ts

@@ -1,7 +1,6 @@
 export declare function askTheWDataDir(env?: NodeJS.ProcessEnv): string;
 export declare function ensureAskTheWDataDir(env?: NodeJS.ProcessEnv): string;
 export declare function localStorePath(env?: NodeJS.ProcessEnv): string;
-export declare function credentialsPath(env?: NodeJS.ProcessEnv): string;
 export declare function identityPath(env?: NodeJS.ProcessEnv): string;
 export declare function configPath(env?: NodeJS.ProcessEnv): string;
 export declare function jsonFallbackStorePath(env?: NodeJS.ProcessEnv): string;

package/dist/lib/paths.js

@@ -20,9 +20,6 @@ export function ensureAskTheWDataDir(env = process.env) {
 export function localStorePath(env = process.env) {
     return path.join(askTheWDataDir(env), "store.sqlite");
 }
-export function credentialsPath(env = process.env) {
-    return path.join(askTheWDataDir(env), "credentials.json");
-}
 export function identityPath(env = process.env) {
     return path.join(askTheWDataDir(env), "identity.json");
 }

package/dist/lib/telemetry.js

@@ -31,13 +31,11 @@ export function buildTelemetryPayload(input) {
             platform: `${process.platform}-${process.arch}`,
             node: process.version.replace(/^v/, ""),
         },
-        identity: input.credentials.identityKind === "local_install"
-            ? {
-                kind: "local_install",
-                installId: input.credentials.installId,
-                emailClaimed: Boolean(input.credentials.email),
-            }
-            : { kind: "legacy_token" },
+        identity: {
+            kind: "local_install",
+            installId: input.credentials.installId,
+            emailClaimed: Boolean(input.credentials.email),
+        },
     });
 }
 export async function flushTelemetryOutbox(input) {
@@ -46,7 +44,7 @@ export async function flushTelemetryOutbox(input) {
     }
     const fetcher = input.fetchImpl ?? fetch;
     const apiUrl = (input.apiUrl ?? input.credentials.apiUrl ?? process.env.ASKTHEW_API_URL ?? "https://app.askthew.com").replace(/\/$/, "");
-    if (input.credentials.identityKind === "local_install" && input.credentials.localIdentity) {
+    if (input.credentials.localIdentity) {
         await tryRegisterFreeInstall({
             identity: input.credentials.localIdentity,
             deviceLabel: "askthew-mcp",
@@ -56,20 +54,18 @@ export async function flushTelemetryOutbox(input) {
     let sent = 0;
     for (const row of input.store.listTelemetryOutbox({ undeliveredOnly: true, limit: 20 })) {
         const body = JSON.stringify(row.payload);
-        const signed = input.credentials.identityKind === "local_install" && input.credentials.localIdentity
-            ? signLocalIdentityPayload({ identity: input.credentials.localIdentity, body })
-            : null;
+        if (!input.credentials.localIdentity) {
+            input.store.markTelemetryAttempt(row.id, false);
+            continue;
+        }
+        const signed = signLocalIdentityPayload({ identity: input.credentials.localIdentity, body });
         const response = await fetcher(`${apiUrl}/api/cli/v1/telemetry`, {
             method: "POST",
             headers: {
                 "Content-Type": "application/json",
-                ...(signed
-                    ? {
-                        "X-AskTheW-Install-Id": input.credentials.localIdentity.installId,
-                        "X-AskTheW-Timestamp": signed.timestamp,
-                        "X-AskTheW-Signature": signed.signature,
-                    }
-                    : { Authorization: `Bearer ${input.credentials.cliToken}` }),
+                "X-AskTheW-Install-Id": input.credentials.localIdentity.installId,
+                "X-AskTheW-Timestamp": signed.timestamp,
+                "X-AskTheW-Signature": signed.signature,
             },
             body,
         }).catch(() => null);

package/dist/lib/upgrade-nudge.js

@@ -20,7 +20,7 @@ export function paidFeatureNudge(tool) {
         tool,
         message: `${feature.label} ${feature.verb} a paid feature. See ${PRICING_URL}.`,
         pricingUrl: PRICING_URL,
-        upgradeUrl: `https://askthew.com/mcp?utm_source=mcp-plugin&utm_medium=tool-nudge&utm_campaign=mcp-free&tool=${encodeURIComponent(tool)}`,
+        upgradeUrl: `https://askthew.com/plugin?utm_source=mcp-plugin&utm_medium=tool-nudge&utm_campaign=mcp-free&tool=${encodeURIComponent(tool)}`,
         supportEmail: SUPPORT_EMAIL,
         cta: "Run: npx @askthew/mcp-plugin upgrade",
     };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askthew/mcp-plugin",
-  "version": "0.4.3",
+  "version": "0.4.5",
   "private": false,
   "description": "Ask The W plugin connector for local-first coding-agent decisions, signals, and review.",
   "type": "module",

package/dist/auth-pending.test.d.ts

@@ -1 +0,0 @@
-export {};

package/dist/auth-pending.test.js

@@ -1,56 +0,0 @@
-import test from "node:test";
-import assert from "node:assert/strict";
-import fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
-import { clearPendingAuth, pendingAuth, pendingAuthForEmail, savePendingAuth } from "./lib/auth-pending.js";
-import { configPath } from "./lib/paths.js";
-function withTempEnv(fn) {
-    const dataDir = fs.mkdtempSync(path.join(os.tmpdir(), "askthew-auth-pending-"));
-    try {
-        return fn({ ASKTHEW_DATA_DIR: dataDir });
-    }
-    finally {
-        fs.rmSync(dataDir, { recursive: true, force: true });
-    }
-}
-test("pending auth stores and resolves the request id for the matching email", () => {
-    withTempEnv((env) => {
-        savePendingAuth({
-            email: "Founder@Example.com",
-            requestId: "request_1",
-            expiresAt: new Date(Date.now() + 60_000).toISOString(),
-            telemetryOptOut: true,
-        }, env);
-        const pending = pendingAuthForEmail("founder@example.com", env);
-        assert.equal(pending?.requestId, "request_1");
-        assert.equal(pending?.telemetryOptOut, true);
-        assert.equal(pendingAuth(env)?.email, "Founder@Example.com");
-    });
-});
-test("pending auth ignores other emails and clears expired requests", () => {
-    withTempEnv((env) => {
-        savePendingAuth({
-            email: "founder@example.com",
-            requestId: "request_1",
-            expiresAt: new Date(Date.now() - 1_000).toISOString(),
-        }, env);
-        assert.equal(pendingAuthForEmail("other@example.com", env), null);
-        assert.equal(pendingAuthForEmail("founder@example.com", env), null);
-        const config = JSON.parse(fs.readFileSync(configPath(env), "utf8"));
-        assert.equal("pendingAuth" in config, false);
-    });
-});
-test("pending auth clear keeps the config file private and removes only pending auth", () => {
-    withTempEnv((env) => {
-        savePendingAuth({
-            email: "founder@example.com",
-            requestId: "request_1",
-            expiresAt: new Date(Date.now() + 60_000).toISOString(),
-        }, env);
-        clearPendingAuth(env);
-        const config = JSON.parse(fs.readFileSync(configPath(env), "utf8"));
-        assert.equal("pendingAuth" in config, false);
-        assert.equal((fs.statSync(configPath(env)).mode & 0o777), 0o600);
-    });
-});

package/dist/lib/auth-magic-link.d.ts

@@ -1,22 +0,0 @@
-import type { CliCredentials } from "./free-tier-policy.js";
-export interface MagicLinkClientOptions {
-    apiUrl?: string;
-    fetchImpl?: typeof fetch;
-}
-export declare function requestMagicLinkCode(input: {
-    email: string;
-    deviceLabel?: string;
-    apiUrl?: string;
-    fetchImpl?: typeof fetch;
-}): Promise<{
-    requestId: string;
-    expiresAt: string;
-    devCode?: string;
-}>;
-export declare function verifyMagicLinkCode(input: {
-    requestId: string;
-    code: string;
-    apiUrl?: string;
-    fetchImpl?: typeof fetch;
-    telemetryOptOut?: boolean;
-}): Promise<CliCredentials>;

package/dist/lib/auth-magic-link.js

@@ -1,43 +0,0 @@
-import { credentialsPath, writePrivateJson } from "./paths.js";
-function baseUrl(apiUrl) {
-    return (apiUrl?.trim() || process.env.ASKTHEW_API_URL?.trim() || "https://app.askthew.com").replace(/\/$/, "");
-}
-async function requestJson(route, body, options) {
-    const fetcher = options.fetchImpl ?? fetch;
-    const response = await fetcher(`${baseUrl(options.apiUrl)}${route}`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify(body),
-    });
-    const payload = await response.json().catch(() => null);
-    if (!response.ok) {
-        const message = payload && typeof payload === "object" && "error" in payload
-            ? String(payload.error)
-            : "Ask The W auth request failed.";
-        throw new Error(message);
-    }
-    return payload;
-}
-export async function requestMagicLinkCode(input) {
-    return requestJson("/api/cli/v1/magic-link/request", {
-        email: input.email,
-        deviceLabel: input.deviceLabel,
-    }, input);
-}
-export async function verifyMagicLinkCode(input) {
-    const verified = await requestJson("/api/cli/v1/magic-link/verify", {
-        requestId: input.requestId,
-        code: input.code,
-    }, input);
-    const credentials = {
-        email: verified.email,
-        userId: verified.userId,
-        cliToken: verified.cliToken,
-        cliTokenId: verified.cliTokenId,
-        accountStatus: verified.accountStatus,
-        apiUrl: input.apiUrl,
-        telemetryOptOut: input.telemetryOptOut,
-    };
-    writePrivateJson(credentialsPath(), credentials);
-    return credentials;
-}

package/dist/lib/auth-pending.d.ts

@@ -1,23 +0,0 @@
-type CliConfig = {
-    pendingAuth?: {
-        email: string;
-        requestId: string;
-        expiresAt: string;
-        telemetryOptOut?: boolean;
-    };
-};
-export declare function savePendingAuth(input: NonNullable<CliConfig["pendingAuth"]>, env?: NodeJS.ProcessEnv): void;
-export declare function clearPendingAuth(env?: NodeJS.ProcessEnv): void;
-export declare function pendingAuthForEmail(email: string, env?: NodeJS.ProcessEnv): {
-    email: string;
-    requestId: string;
-    expiresAt: string;
-    telemetryOptOut?: boolean;
-} | null;
-export declare function pendingAuth(env?: NodeJS.ProcessEnv): {
-    email: string;
-    requestId: string;
-    expiresAt: string;
-    telemetryOptOut?: boolean;
-} | null;
-export {};

package/dist/lib/auth-pending.js

@@ -1,36 +0,0 @@
-import { configPath, readJsonFile, writePrivateJson } from "./paths.js";
-function loadCliConfig(env = process.env) {
-    return readJsonFile(configPath(env)) ?? {};
-}
-export function savePendingAuth(input, env = process.env) {
-    const config = loadCliConfig(env);
-    writePrivateJson(configPath(env), {
-        ...config,
-        pendingAuth: input,
-    });
-}
-export function clearPendingAuth(env = process.env) {
-    const config = loadCliConfig(env);
-    if (!config.pendingAuth)
-        return;
-    const { pendingAuth: _pendingAuth, ...next } = config;
-    writePrivateJson(configPath(env), next);
-}
-export function pendingAuthForEmail(email, env = process.env) {
-    const pending = pendingAuth(env);
-    if (!pending || pending.email.toLowerCase() !== email.toLowerCase()) {
-        return null;
-    }
-    return pending;
-}
-export function pendingAuth(env = process.env) {
-    const pending = loadCliConfig(env).pendingAuth;
-    if (!pending) {
-        return null;
-    }
-    if (Number.isFinite(Date.parse(pending.expiresAt)) && Date.parse(pending.expiresAt) <= Date.now()) {
-        clearPendingAuth(env);
-        return null;
-    }
-    return pending;
-}