@botdocs/cli 0.14.0 → 0.14.1

package/dist/commands/login.js

@@ -1,4 +1,5 @@
 import React from 'react';
+import os from 'node:os';
 import { randomBytes } from 'node:crypto';
 import open from 'open';
 import { render } from 'ink';
@@ -36,11 +37,22 @@ async function loginWithToken(token, syncLibrary) {
         process.exit(1);
     }
     const baseUrl = getApiUrl();
+    // Stamp the device identity on the validating call so the token's device
+    // registers (and the free-tier device/session caps bind) the moment it's
+    // saved — not just on the next command. Best-effort: a failure to resolve
+    // the id never blocks login.
+    const { deviceId, machineName } = deviceIdentity();
+    const headers = {
+        Authorization: `Bearer ${token}`,
+        Accept: 'application/json',
+    };
+    if (deviceId)
+        headers['X-Device-Id'] = deviceId;
+    if (machineName)
+        headers['X-Machine-Name'] = machineName;
     let res;
     try {
-        res = await fetch(`${baseUrl}/api/cli/whoami`, {
-            headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' },
-        });
+        res = await fetch(`${baseUrl}/api/cli/whoami`, { headers });
     }
     catch (err) {
         console.error(`Failed to contact ${baseUrl}: ${err instanceof Error ? err.message : String(err)}`);
@@ -70,21 +82,51 @@ async function loginWithToken(token, syncLibrary) {
         process.exit(1);
     }
     const user = (await res.json());
+    // Persist the SAME device id we sent on the whoami header so the device that
+    // just registered server-side matches every subsequent request.
     saveAuth({
         token,
         username: user.username,
         displayName: user.displayName,
         syncLibrary,
+        ...persistedDeviceField(deviceId),
     });
-    // Generate + persist the stable device identity now, so the very next
-    // authenticated request carries an X-Device-Id (no-op when BOTDOCS_DEVICE_ID
-    // is set — that override always wins and isn't persisted).
-    getOrCreateDeviceId();
     printSignedIn(user.username, syncLibrary);
 }
+/** Best-effort stable device identity for this CLI install. Mirrors
+ * `attachDeviceHeaders` in lib/api.ts, but the login flows can't reuse it: they
+ * use raw `fetch` (there's no bearer to attach yet) and they ALSO need the id
+ * for the browser auth URL. Returns nulls if it can't be resolved (e.g. a
+ * read-only home dir) so login never hard-fails on device identity.
+ *
+ * Resolve this ONCE per login and thread the same id into both the request
+ * (header/URL) and `persistedDeviceField` — the server registers the device
+ * under the forwarded id, so the persisted id must match or the next command
+ * would present as a different device. */
+function deviceIdentity() {
+    try {
+        return { deviceId: getOrCreateDeviceId(), machineName: os.hostname() };
+    }
+    catch {
+        return { deviceId: null, machineName: null };
+    }
+}
+/** The `auth.json` fragment carrying the device id to persist. `getOrCreateDeviceId`
+ * only persists when an auth file already exists, but at login time we're
+ * writing that file for the first time — so we fold the id straight into the
+ * `saveAuth` payload. A `BOTDOCS_DEVICE_ID` override always wins at read time
+ * and is intentionally NOT persisted (so auth.json stays portable across CI
+ * runners), so we omit it in that case. */
+function persistedDeviceField(deviceId) {
+    if (process.env.BOTDOCS_DEVICE_ID?.trim())
+        return {};
+    return deviceId ? { deviceId } : {};
+}
 /** Helper: register a new state with the server and return the public auth
- * URL plus the last-6-chars suffix the user can verify in their browser. */
-async function initLoginState(baseUrl) {
+ * URL plus the last-6-chars suffix the user can verify in their browser. The
+ * caller passes the resolved device identity so the SAME id is forwarded in
+ * the URL and persisted to auth.json. */
+async function initLoginState(baseUrl, deviceId, machineName) {
     const state = randomBytes(32).toString('hex');
     const initRes = await fetch(`${baseUrl}/api/cli/auth/init`, {
         method: 'POST',
@@ -118,9 +160,19 @@ async function initLoginState(baseUrl) {
     // state carried in the URL hash fragment (#state=...), which browsers
     // never send to the server and never write to history. That refactor is
     // out of scope for the P3 bucket — tracked as a separate item.
+    //
+    // Forward this install's device identity in the URL. The browser that lands
+    // /cli-auth has no X-Device-Id header of its own, so the page relays these
+    // into the grant POST body — that's what registers the device + binds the
+    // free-tier caps at login time (rather than only on the next CLI command).
+    const params = new URLSearchParams({ state });
+    if (deviceId)
+        params.set('device', deviceId);
+    if (machineName)
+        params.set('machine', machineName);
     return {
         state,
-        authUrl: `${baseUrl}/cli-auth?state=${state}`,
+        authUrl: `${baseUrl}/cli-auth?${params.toString()}`,
         tail: state.slice(-6),
     };
 }
@@ -131,6 +183,9 @@ async function initLoginState(baseUrl) {
  * the component's effect call `useApp().exit()` to unmount. */
 async function loginInkInteractive(syncLibrary) {
     const baseUrl = getApiUrl();
+    // Resolve the device identity ONCE — forwarded to the browser via the auth
+    // URL and persisted (below) under the same id.
+    const { deviceId, machineName } = deviceIdentity();
     let status = 'initializing';
     let authUrl;
     let stateTail;
@@ -164,7 +219,7 @@ async function loginInkInteractive(syncLibrary) {
         // Phase 1: register state with the server.
         let init;
         try {
-            init = await initLoginState(baseUrl);
+            init = await initLoginState(baseUrl, deviceId, machineName);
         }
         catch (err) {
             status = 'error';
@@ -201,8 +256,8 @@ async function loginInkInteractive(syncLibrary) {
             username: granted.username,
             displayName: granted.displayName,
             syncLibrary,
+            ...persistedDeviceField(deviceId),
         });
-        getOrCreateDeviceId();
         resolvedUsername = granted.username;
         status = 'success';
         rerender();
@@ -217,9 +272,12 @@ async function loginInkInteractive(syncLibrary) {
  * polling indicator; the spinner degrades gracefully when stdout isn't a TTY. */
 async function loginPlainInteractive(syncLibrary) {
     const baseUrl = getApiUrl();
+    // Resolve the device identity ONCE — forwarded to the browser via the auth
+    // URL and persisted (below) under the same id.
+    const { deviceId, machineName } = deviceIdentity();
     let init;
     try {
-        init = await initLoginState(baseUrl);
+        init = await initLoginState(baseUrl, deviceId, machineName);
     }
     catch (err) {
         console.error(err instanceof Error ? err.message : String(err));
@@ -250,8 +308,8 @@ async function loginPlainInteractive(syncLibrary) {
         username: granted.username,
         displayName: granted.displayName,
         syncLibrary,
+        ...persistedDeviceField(deviceId),
     });
-    getOrCreateDeviceId();
     printSyncLibraryHint(syncLibrary);
 }
 /** Polls the server with exponential backoff. Returns the granted payload on

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@botdocs/cli",
-  "version": "0.14.0",
+  "version": "0.14.1",
   "description": "CLI for BotDocs — author, publish, install, and sync agent skills across Claude, Claude Code, Cursor, Codex, ChatGPT, Windsurf, Copilot, Gemini, Antigravity, and OpenCode.",
   "keywords": [
     "botdocs",