@braingrid/cli 0.2.24 → 0.2.26

package/dist/cli.js

@@ -1,4 +1,7 @@
 #!/usr/bin/env node
+import {
+  execAsync
+} from "./chunk-6GC3UJCM.js";
 import {
   checkInstalledCliTools,
   detectLinuxPackageManager,
@@ -20,6 +23,81 @@ import chalk6 from "chalk";
 // src/utils/axios-with-auth.ts
 import axios from "axios";
 
+// src/build-config.ts
+var BUILD_ENV = true ? "production" : process.env.NODE_ENV === "test" ? "development" : "production";
+var CLI_VERSION = true ? "0.2.26" : "0.0.0-test";
+var PRODUCTION_CONFIG = {
+  apiUrl: "https://app.braingrid.ai",
+  workosAuthUrl: "https://auth.braingrid.ai",
+  workosClientId: "client_01K6H010C9K69HSDPM9CQM85S7"
+};
+var DEVELOPMENT_CONFIG = {
+  apiUrl: "https://app.dev.braingrid.ai",
+  workosAuthUrl: "https://balanced-celebration-78-staging.authkit.app",
+  workosClientId: "client_01K6H04GF21T4JXNS3JDQM3YNE"
+};
+
+// src/utils/config.ts
+var BRAINGRID_API_TOKEN = process.env.BRAINGRID_API_TOKEN;
+function getConfig() {
+  const baseConfig = BUILD_ENV === "production" ? PRODUCTION_CONFIG : DEVELOPMENT_CONFIG;
+  let apiUrl = baseConfig.apiUrl;
+  if (BUILD_ENV === "development") {
+    if (process.env.NODE_ENV === "local" || process.env.NODE_ENV === "test") {
+      apiUrl = "http://localhost:3377";
+    } else if (process.env.NODE_ENV === "development") {
+      apiUrl = DEVELOPMENT_CONFIG.apiUrl;
+    }
+  }
+  const getWorkOSAuthUrl = () => {
+    if (process.env.WORKOS_AUTH_URL) {
+      return process.env.WORKOS_AUTH_URL;
+    }
+    if (BUILD_ENV === "production") {
+      return PRODUCTION_CONFIG.workosAuthUrl;
+    }
+    const env = process.env.NODE_ENV || "development";
+    if (env === "local" || env === "test" || env === "development" || env === "staging") {
+      return DEVELOPMENT_CONFIG.workosAuthUrl;
+    }
+    return PRODUCTION_CONFIG.workosAuthUrl;
+  };
+  const getOAuthClientId = () => {
+    if (process.env.WORKOS_CLIENT_ID) {
+      return process.env.WORKOS_CLIENT_ID;
+    }
+    if (BUILD_ENV === "production") {
+      return PRODUCTION_CONFIG.workosClientId;
+    }
+    const env = process.env.NODE_ENV || "development";
+    if (env === "local" || env === "test" || env === "development" || env === "staging") {
+      return DEVELOPMENT_CONFIG.workosClientId;
+    }
+    return PRODUCTION_CONFIG.workosClientId;
+  };
+  const getWebAppUrl = () => {
+    if (process.env.BRAINGRID_WEB_URL) {
+      return process.env.BRAINGRID_WEB_URL;
+    }
+    if (BUILD_ENV === "production") {
+      return PRODUCTION_CONFIG.apiUrl;
+    }
+    const env = process.env.NODE_ENV || "development";
+    if (env === "local" || env === "test") {
+      return "http://localhost:3377";
+    }
+    return DEVELOPMENT_CONFIG.apiUrl;
+  };
+  return {
+    apiUrl: process.env.BRAINGRID_API_URL || apiUrl,
+    organizationId: process.env.BRAINGRID_ORG_ID,
+    clientId: process.env.BRAINGRID_CLIENT_ID || "braingrid-cli",
+    oauthClientId: getOAuthClientId(),
+    getWorkOSAuthUrl,
+    getWebAppUrl
+  };
+}
+
 // src/utils/logger.ts
 import fs from "fs";
 import path from "path";
@@ -208,6 +286,10 @@ function createAuthenticatedAxios(auth) {
   });
   instance.interceptors.request.use(
     async (config) => {
+      if (BRAINGRID_API_TOKEN) {
+        config.headers.Authorization = `Bearer ${BRAINGRID_API_TOKEN}`;
+        return config;
+      }
       const session = await auth.getStoredSession();
       if (session) {
         config.headers.Authorization = `Bearer ${session.sealed_session}`;
@@ -248,6 +330,11 @@ function createAuthenticatedAxios(auth) {
       const isRedirectToAuth = isAuthRedirect(error);
       if ((is401 || isRedirectToAuth) && !originalRequest._retry) {
         originalRequest._retry = true;
+        if (BRAINGRID_API_TOKEN) {
+          logger.warn("[AUTH] Sandbox token expired or invalid");
+          const sandboxError = new Error(auth.getSandboxExpiredMessage());
+          return Promise.reject(sandboxError);
+        }
         if (isRedirectToAuth) {
           logger.debug("[AUTH] Received redirect to auth endpoint - token likely expired");
         } else {
@@ -419,82 +506,6 @@ import { createHash, randomBytes } from "crypto";
 import { createServer } from "http";
 import open from "open";
 import axios3, { AxiosError as AxiosError2 } from "axios";
-
-// src/build-config.ts
-var BUILD_ENV = true ? "production" : process.env.NODE_ENV === "test" ? "development" : "production";
-var CLI_VERSION = true ? "0.2.24" : "0.0.0-test";
-var PRODUCTION_CONFIG = {
-  apiUrl: "https://app.braingrid.ai",
-  workosAuthUrl: "https://auth.braingrid.ai",
-  workosClientId: "client_01K6H010C9K69HSDPM9CQM85S7"
-};
-var DEVELOPMENT_CONFIG = {
-  apiUrl: "https://app.dev.braingrid.ai",
-  workosAuthUrl: "https://balanced-celebration-78-staging.authkit.app",
-  workosClientId: "client_01K6H04GF21T4JXNS3JDQM3YNE"
-};
-
-// src/utils/config.ts
-function getConfig() {
-  const baseConfig = BUILD_ENV === "production" ? PRODUCTION_CONFIG : DEVELOPMENT_CONFIG;
-  let apiUrl = baseConfig.apiUrl;
-  if (BUILD_ENV === "development") {
-    if (process.env.NODE_ENV === "local" || process.env.NODE_ENV === "test") {
-      apiUrl = "http://localhost:3377";
-    } else if (process.env.NODE_ENV === "development") {
-      apiUrl = DEVELOPMENT_CONFIG.apiUrl;
-    }
-  }
-  const getWorkOSAuthUrl = () => {
-    if (process.env.WORKOS_AUTH_URL) {
-      return process.env.WORKOS_AUTH_URL;
-    }
-    if (BUILD_ENV === "production") {
-      return PRODUCTION_CONFIG.workosAuthUrl;
-    }
-    const env = process.env.NODE_ENV || "development";
-    if (env === "local" || env === "test" || env === "development" || env === "staging") {
-      return DEVELOPMENT_CONFIG.workosAuthUrl;
-    }
-    return PRODUCTION_CONFIG.workosAuthUrl;
-  };
-  const getOAuthClientId = () => {
-    if (process.env.WORKOS_CLIENT_ID) {
-      return process.env.WORKOS_CLIENT_ID;
-    }
-    if (BUILD_ENV === "production") {
-      return PRODUCTION_CONFIG.workosClientId;
-    }
-    const env = process.env.NODE_ENV || "development";
-    if (env === "local" || env === "test" || env === "development" || env === "staging") {
-      return DEVELOPMENT_CONFIG.workosClientId;
-    }
-    return PRODUCTION_CONFIG.workosClientId;
-  };
-  const getWebAppUrl = () => {
-    if (process.env.BRAINGRID_WEB_URL) {
-      return process.env.BRAINGRID_WEB_URL;
-    }
-    if (BUILD_ENV === "production") {
-      return PRODUCTION_CONFIG.apiUrl;
-    }
-    const env = process.env.NODE_ENV || "development";
-    if (env === "local" || env === "test") {
-      return "http://localhost:3377";
-    }
-    return DEVELOPMENT_CONFIG.apiUrl;
-  };
-  return {
-    apiUrl: process.env.BRAINGRID_API_URL || apiUrl,
-    organizationId: process.env.BRAINGRID_ORG_ID,
-    clientId: process.env.BRAINGRID_CLIENT_ID || "braingrid-cli",
-    oauthClientId: getOAuthClientId(),
-    getWorkOSAuthUrl,
-    getWebAppUrl
-  };
-}
-
-// src/services/oauth2-auth.ts
 var logger2 = getLogger();
 var OAuth2Handler = class {
   /**
@@ -997,6 +1008,7 @@ var KEYCHAIN_SERVICE = "braingrid-cli";
 var KEYCHAIN_ACCOUNT = "session";
 var GITHUB_KEYCHAIN_ACCOUNT = "github-token";
 var BraingridAuth = class {
+  // Cached session from env token
   constructor(baseUrl) {
     this.lastValidationTime = 0;
     this.lastValidationResult = false;
@@ -1008,11 +1020,103 @@ var BraingridAuth = class {
     this.oauthHandler = null;
     // Store refresh token separately
     this.logger = getLogger();
+    this.envTokenSession = null;
     const config = getConfig();
     this.baseUrl = baseUrl || config.apiUrl || "https://app.braingrid.ai";
   }
+  /**
+   * Check if CLI is using BRAINGRID_API_TOKEN environment variable
+   * This is used in sandbox environments where tokens are injected
+   */
+  isUsingEnvToken() {
+    return Boolean(BRAINGRID_API_TOKEN);
+  }
+  /**
+   * Get the env token value (for use in axios interceptor)
+   */
+  getEnvToken() {
+    return BRAINGRID_API_TOKEN;
+  }
+  /**
+   * Fetch user profile from server using the env token
+   * This is used to populate session data when using BRAINGRID_API_TOKEN
+   */
+  async fetchProfileFromServer() {
+    if (!BRAINGRID_API_TOKEN) {
+      return null;
+    }
+    try {
+      this.logger.debug("[AUTH] Fetching profile using BRAINGRID_API_TOKEN");
+      const response = await axiosWithRetry(
+        {
+          url: `${this.baseUrl}/api/v1/profile`,
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${BRAINGRID_API_TOKEN}`
+          },
+          maxRedirects: 0,
+          validateStatus: (status) => status < 500
+        },
+        {
+          maxRetries: 2,
+          initialDelay: 500
+        }
+      );
+      if (response.status !== 200) {
+        this.logger.warn(`[AUTH] Profile fetch failed with status ${response.status}`);
+        return null;
+      }
+      const profileData = response.data;
+      if (profileData.error || !profileData.user || !profileData.organization) {
+        this.logger.warn("[AUTH] Profile response missing user or organization data");
+        return null;
+      }
+      const user = {
+        object: "user",
+        id: profileData.user.id,
+        email: profileData.user.email,
+        emailVerified: true,
+        firstName: profileData.user.firstName || "",
+        lastName: profileData.user.lastName || "",
+        profilePictureUrl: profileData.user.avatar || "",
+        createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        lastSignInAt: (/* @__PURE__ */ new Date()).toISOString(),
+        externalId: null,
+        metadata: {
+          username: profileData.user.username,
+          organizationId: profileData.organization.id,
+          organizationName: profileData.organization.name
+        }
+      };
+      const session = {
+        user,
+        sealed_session: BRAINGRID_API_TOKEN,
+        organization_id: profileData.organization.id,
+        created_at: /* @__PURE__ */ new Date(),
+        updated_at: /* @__PURE__ */ new Date(),
+        login_time: /* @__PURE__ */ new Date()
+      };
+      this.envTokenSession = session;
+      this.logger.debug("[AUTH] Successfully fetched profile from env token");
+      return session;
+    } catch (error) {
+      this.logger.error("[AUTH] Error fetching profile with env token:", { error });
+      return null;
+    }
+  }
   async isAuthenticated(forceValidation = false) {
     try {
+      if (BRAINGRID_API_TOKEN) {
+        this.logger.debug("[AUTH] Using BRAINGRID_API_TOKEN (sandbox mode)");
+        if (isJWTExpired(BRAINGRID_API_TOKEN)) {
+          this.logger.warn("[AUTH] Sandbox session expired");
+          return false;
+        }
+        const session2 = await this.getStoredSession();
+        return session2 !== null;
+      }
       const session = await this.getStoredSession();
       if (!session) {
         this.logger.debug("[AUTH] No stored session found");
@@ -1146,6 +1250,12 @@ var BraingridAuth = class {
     }
   }
   async getStoredSession() {
+    if (BRAINGRID_API_TOKEN) {
+      if (this.envTokenSession) {
+        return this.envTokenSession;
+      }
+      return await this.fetchProfileFromServer();
+    }
     try {
       const sessionData = await credentialStore.getPassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT);
       if (!sessionData) return null;
@@ -1174,12 +1284,23 @@ var BraingridAuth = class {
     this.loginTime = nowMs;
   }
   async clearSession() {
+    if (BRAINGRID_API_TOKEN) {
+      this.logger.debug("[AUTH] Session managed by sandbox environment - clear is no-op");
+      this.envTokenSession = null;
+      return;
+    }
     await credentialStore.deletePassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT);
     await credentialStore.deletePassword(KEYCHAIN_SERVICE, "refresh-token");
     this.refreshTokenValue = void 0;
     this.lastValidationTime = 0;
     this.lastValidationResult = false;
   }
+  /**
+   * Get sandbox-specific error message for expired/invalid tokens
+   */
+  getSandboxExpiredMessage() {
+    return "Sandbox session expired. Your sandbox environment has a 5-hour limit.\nPlease create a new sandbox to continue.";
+  }
   async handleAuthenticationError() {
     this.lastValidationTime = 0;
     this.lastValidationResult = false;
@@ -1837,10 +1958,10 @@ var LocalProjectConfigSchema = z.object({
 // src/utils/git.ts
 import { exec } from "child_process";
 import { promisify } from "util";
-var execAsync = promisify(exec);
+var execAsync2 = promisify(exec);
 async function isGitRepository() {
   try {
-    const { stdout } = await execAsync("git rev-parse --is-inside-work-tree");
+    const { stdout } = await execAsync2("git rev-parse --is-inside-work-tree");
     return stdout.trim() === "true";
   } catch {
     return false;
@@ -1848,7 +1969,7 @@ async function isGitRepository() {
 }
 async function getRemoteUrl() {
   try {
-    const { stdout } = await execAsync("git config --get remote.origin.url");
+    const { stdout } = await execAsync2("git config --get remote.origin.url");
     return stdout.trim() || null;
   } catch {
     return null;
@@ -1874,7 +1995,7 @@ function parseGitHubRepo(url) {
 }
 async function getCurrentBranch() {
   try {
-    const { stdout } = await execAsync("git rev-parse --abbrev-ref HEAD");
+    const { stdout } = await execAsync2("git rev-parse --abbrev-ref HEAD");
     return stdout.trim() || null;
   } catch {
     return null;
@@ -1890,7 +2011,7 @@ function parseRequirementFromBranch(branchName) {
 }
 async function getGitRoot() {
   try {
-    const { stdout } = await execAsync("git rev-parse --show-toplevel");
+    const { stdout } = await execAsync2("git rev-parse --show-toplevel");
     return stdout.trim() || null;
   } catch {
     return null;
@@ -1900,12 +2021,12 @@ async function getGitUser() {
   let name = null;
   let email = null;
   try {
-    const { stdout: nameStdout } = await execAsync("git config --get user.name");
+    const { stdout: nameStdout } = await execAsync2("git config --get user.name");
     name = nameStdout.trim() || null;
   } catch {
   }
   try {
-    const { stdout: emailStdout } = await execAsync("git config --get user.email");
+    const { stdout: emailStdout } = await execAsync2("git config --get user.email");
     email = emailStdout.trim() || null;
   } catch {
   }
@@ -3828,6 +3949,31 @@ var RequirementService = class {
     const response = await this.axios.post(url, data, { headers });
     return response.data;
   }
+  async createGitBranch(projectId, requirementId, data) {
+    const url = `${this.baseUrl}/api/v1/projects/${projectId}/requirements/${requirementId}/create-git-branch`;
+    const headers = this.getHeaders();
+    const response = await this.axios.post(url, data, { headers });
+    return response.data;
+  }
+  async reviewAcceptance(projectId, requirementId, data, onChunk) {
+    const url = `${this.baseUrl}/api/v1/projects/${projectId}/requirements/${requirementId}/review/acceptance`;
+    const headers = this.getHeaders();
+    const response = await this.axios.post(url, data, {
+      headers,
+      responseType: "stream"
+    });
+    return new Promise((resolve, reject) => {
+      response.data.on("data", (chunk) => {
+        onChunk(chunk.toString());
+      });
+      response.data.on("end", () => {
+        resolve();
+      });
+      response.data.on("error", (error) => {
+        reject(error);
+      });
+    });
+  }
 };
 
 // src/handlers/requirement.handlers.ts
@@ -4464,6 +4610,190 @@ async function handleRequirementBuild(opts) {
     };
   }
 }
+function slugify(text) {
+  return text.toLowerCase().replace(/[^a-z0-9\s-]/g, "").replace(/\s+/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "").substring(0, 40);
+}
+async function handleCreateGitBranch(opts) {
+  let stopSpinner = null;
+  try {
+    const { requirementService, auth } = getServices2();
+    const isAuthenticated = await auth.isAuthenticated();
+    if (!isAuthenticated) {
+      return {
+        success: false,
+        message: chalk7.red("\u274C Not authenticated. Please run `braingrid login` first.")
+      };
+    }
+    const format = opts.format || "table";
+    if (!["table", "json", "markdown"].includes(format)) {
+      return {
+        success: false,
+        message: chalk7.red(
+          `\u274C Invalid format: ${format}. Supported formats: table, json, markdown`
+        )
+      };
+    }
+    const requirementResult = await workspaceManager.getRequirement(opts.id);
+    if (!requirementResult.success) {
+      return {
+        success: false,
+        message: requirementResult.error
+      };
+    }
+    const requirementId = requirementResult.requirementId;
+    const workspace = await workspaceManager.getProject(opts.project);
+    if (!workspace.success) {
+      return {
+        success: false,
+        message: workspace.error
+      };
+    }
+    const projectId = workspace.projectId;
+    const normalizedId = normalizeRequirementId(requirementId);
+    let branchName = opts.name;
+    if (!branchName) {
+      const user = await auth.getCurrentUser();
+      if (!user) {
+        return {
+          success: false,
+          message: chalk7.red("\u274C Could not get current user for branch name generation")
+        };
+      }
+      const requirement2 = await requirementService.getProjectRequirement(projectId, normalizedId);
+      const username = slugify(user.email.split("@")[0]);
+      const reqShortId = requirement2.short_id || normalizedId;
+      const sluggedName = slugify(requirement2.name);
+      branchName = `${username}/${reqShortId}-${sluggedName}`;
+    }
+    stopSpinner = showSpinner("Creating GitHub branch...", chalk7.gray);
+    const response = await requirementService.createGitBranch(projectId, normalizedId, {
+      branchName,
+      baseBranch: opts.base
+    });
+    stopSpinner();
+    stopSpinner = null;
+    let output;
+    switch (format) {
+      case "json": {
+        output = JSON.stringify(response, null, 2);
+        break;
+      }
+      case "markdown": {
+        output = `# Branch Created
+
+`;
+        output += `**Branch:** \`${response.branch.name}\`
+`;
+        output += `**SHA:** \`${response.branch.sha.substring(0, 7)}\`
+
+`;
+        output += `## Checkout Command
+
+`;
+        output += `\`\`\`bash
+git fetch origin && git checkout ${response.branch.name}
+\`\`\`
+`;
+        break;
+      }
+      case "table":
+      default: {
+        output = chalk7.green(`\u2705 Created branch: ${response.branch.name}
+
+`);
+        output += `${chalk7.bold("SHA:")} ${response.branch.sha.substring(0, 7)}
+`;
+        output += `
+${chalk7.dim("To checkout:")} git fetch origin && git checkout ${response.branch.name}`;
+        break;
+      }
+    }
+    return {
+      success: true,
+      message: output,
+      data: response
+    };
+  } catch (error) {
+    if (stopSpinner) {
+      stopSpinner();
+    }
+    return {
+      success: false,
+      message: formatError(error, getResourceContext("requirement", opts.id || "unknown"))
+    };
+  }
+}
+async function handleReviewAcceptance(opts) {
+  try {
+    const { requirementService, auth } = getServices2();
+    const isAuthenticated = await auth.isAuthenticated();
+    if (!isAuthenticated) {
+      return {
+        success: false,
+        message: chalk7.red("\u274C Not authenticated. Please run `braingrid login` first.")
+      };
+    }
+    const requirementResult = await workspaceManager.getRequirement(opts.id);
+    if (!requirementResult.success) {
+      return {
+        success: false,
+        message: requirementResult.error
+      };
+    }
+    const requirementId = requirementResult.requirementId;
+    const workspace = await workspaceManager.getProject(opts.project);
+    if (!workspace.success) {
+      return {
+        success: false,
+        message: workspace.error
+      };
+    }
+    const projectId = workspace.projectId;
+    const normalizedId = normalizeRequirementId(requirementId);
+    let prNumber = opts.pr;
+    if (!prNumber) {
+      const { execAsync: execAsync5 } = await import("./command-execution-7JMH2DK4.js");
+      try {
+        const { stdout } = await execAsync5("gh pr view --json number -q .number");
+        const detectedPrNumber = stdout.trim();
+        if (!detectedPrNumber) {
+          throw new Error("No PR number returned from gh CLI");
+        }
+        prNumber = detectedPrNumber;
+      } catch {
+        return {
+          success: false,
+          message: chalk7.red(
+            "\u274C No PR specified and could not detect PR for current branch.\n   Use --pr <number> or ensure you have an open PR for this branch."
+          )
+        };
+      }
+    }
+    console.log(chalk7.bold("\n\u{1F50D} AI Code Review\n"));
+    let fullOutput = "";
+    await requirementService.reviewAcceptance(
+      projectId,
+      normalizedId,
+      { pullRequest: prNumber },
+      (chunk) => {
+        process.stdout.write(chunk);
+        fullOutput += chunk;
+      }
+    );
+    console.log("\n");
+    return {
+      success: true,
+      message: "",
+      // Already printed via streaming
+      data: { review: fullOutput }
+    };
+  } catch (error) {
+    return {
+      success: false,
+      message: formatError(error, getResourceContext("requirement", opts.id || "unknown"))
+    };
+  }
+}
 
 // src/handlers/task.handlers.ts
 import chalk8 from "chalk";
@@ -4512,6 +4842,12 @@ var TaskService = class {
     const headers = this.getHeaders();
     await this.axios.delete(url, { headers });
   }
+  async specifyTask(projectId, requirementId, data) {
+    const url = `${this.baseUrl}/api/v1/projects/${projectId}/requirements/${requirementId}/tasks/specify`;
+    const headers = this.getHeaders();
+    const response = await this.axios.post(url, data, { headers });
+    return response.data;
+  }
 };
 
 // src/handlers/task.handlers.ts
@@ -4977,6 +5313,117 @@ async function handleTaskDelete(id, opts) {
     };
   }
 }
+async function handleTaskSpecify(opts) {
+  let stopSpinner = null;
+  try {
+    const { taskService, auth } = getServices3();
+    const isAuthenticated = await auth.isAuthenticated();
+    if (!isAuthenticated) {
+      return {
+        success: false,
+        message: chalk8.red("\u274C Not authenticated. Please run `braingrid login` first.")
+      };
+    }
+    const format = opts.format || "table";
+    if (!["table", "json", "markdown"].includes(format)) {
+      return {
+        success: false,
+        message: chalk8.red(
+          `\u274C Invalid format: ${format}. Supported formats: table, json, markdown`
+        )
+      };
+    }
+    const workspace = await workspaceManager.getProject(opts.project);
+    if (!workspace.success) {
+      return {
+        success: false,
+        message: workspace.error
+      };
+    }
+    const projectId = workspace.projectId;
+    const requirementResult = await workspaceManager.getRequirement(opts.requirement);
+    if (!requirementResult.success) {
+      return {
+        success: false,
+        message: requirementResult.error
+      };
+    }
+    const requirementId = requirementResult.requirementId;
+    if (opts.prompt.length < 10) {
+      return {
+        success: false,
+        message: chalk8.red("\u274C Prompt must be at least 10 characters long")
+      };
+    }
+    if (opts.prompt.length > 5e3) {
+      return {
+        success: false,
+        message: chalk8.red("\u274C Prompt must be no more than 5000 characters long")
+      };
+    }
+    stopSpinner = showSpinner("Creating task from prompt...", chalk8.gray);
+    const response = await taskService.specifyTask(projectId, requirementId, {
+      prompt: opts.prompt
+    });
+    stopSpinner();
+    stopSpinner = null;
+    const config = getConfig();
+    let output;
+    switch (format) {
+      case "json": {
+        output = JSON.stringify(response, null, 2);
+        break;
+      }
+      case "markdown": {
+        output = formatTaskSpecifyMarkdown(response, config.apiUrl);
+        break;
+      }
+      case "table":
+      default: {
+        output = formatTaskSpecifyTable(response);
+        break;
+      }
+    }
+    return {
+      success: true,
+      message: output,
+      data: response
+    };
+  } catch (error) {
+    if (stopSpinner) {
+      stopSpinner();
+    }
+    return {
+      success: false,
+      message: formatError(error, "specifying task")
+    };
+  }
+}
+function formatTaskSpecifyTable(response) {
+  const task2 = response.task;
+  const lines = [];
+  lines.push(chalk8.green(`\u2705 Created task ${response.requirement_short_id}/TASK-${task2.number}`));
+  lines.push("");
+  lines.push(`${chalk8.bold("Title:")}   ${task2.title}`);
+  lines.push(`${chalk8.bold("Status:")}  ${task2.status}`);
+  return lines.join("\n");
+}
+function formatTaskSpecifyMarkdown(response, _apiUrl) {
+  const task2 = response.task;
+  const lines = [];
+  lines.push(`# Task ${response.requirement_short_id}/TASK-${task2.number}: ${task2.title}`);
+  lines.push("");
+  lines.push(`**Status:** ${task2.status}`);
+  lines.push(`**Requirement:** ${response.requirement_short_id}`);
+  lines.push(`**Project:** ${response.project_short_id}`);
+  lines.push("");
+  if (task2.content) {
+    lines.push("## Content");
+    lines.push("");
+    lines.push(task2.content);
+  }
+  return lines.join("\n");
+}
 
 // src/handlers/auth.handlers.ts
 import chalk9 from "chalk";
@@ -4988,6 +5435,14 @@ function getAuth() {
 async function handleLogin() {
   try {
     const auth = getAuth();
+    if (BRAINGRID_API_TOKEN) {
+      return {
+        success: true,
+        message: chalk9.blue(
+          "\u2139\uFE0F  Using BRAINGRID_API_TOKEN - already authenticated via sandbox environment."
+        )
+      };
+    }
     console.log(chalk9.blue("\u{1F510} Starting OAuth2 authentication flow..."));
     console.log(chalk9.dim("Your browser will open to complete authentication.\n"));
     const gitUser = await getGitUser();
@@ -5021,6 +5476,12 @@ async function handleLogin() {
 async function handleLogout() {
   try {
     const auth = getAuth();
+    if (BRAINGRID_API_TOKEN) {
+      return {
+        success: true,
+        message: chalk9.blue("\u2139\uFE0F  Session managed by sandbox environment - logout not required.")
+      };
+    }
     await auth.clearSession();
     return {
       success: true,
@@ -5038,6 +5499,12 @@ async function handleWhoami() {
     const auth = getAuth();
     const isAuthenticated = await auth.isAuthenticated();
     if (!isAuthenticated) {
+      if (BRAINGRID_API_TOKEN) {
+        return {
+          success: false,
+          message: chalk9.red(auth.getSandboxExpiredMessage())
+        };
+      }
       return {
         success: false,
         message: chalk9.yellow("\u26A0\uFE0F  Not logged in. Run `braingrid login` to authenticate.")
@@ -5060,8 +5527,13 @@ async function handleWhoami() {
 `;
     output += `${chalk9.bold("Org ID:")}       ${session.organization_id}
 `;
-    output += `${chalk9.bold("Session:")}      ${new Date(session.created_at).toLocaleString()}
+    if (BRAINGRID_API_TOKEN) {
+      output += `${chalk9.bold("Auth:")}         ${chalk9.cyan("Sandbox API Token")}
+`;
+    } else {
+      output += `${chalk9.bold("Session:")}      ${new Date(session.created_at).toLocaleString()}
 `;
+    }
     return {
       success: true,
       message: output,
@@ -5332,7 +5804,7 @@ var GitHubService = class {
 import { exec as exec2 } from "child_process";
 import { promisify as promisify2 } from "util";
 import chalk11 from "chalk";
-var execAsync2 = promisify2(exec2);
+var execAsync3 = promisify2(exec2);
 async function isGitInstalled() {
   return isCliInstalled("git");
 }
@@ -5345,7 +5817,7 @@ async function getGitVersion() {
 async function installViaHomebrew() {
   console.log(chalk11.blue("\u{1F4E6} Installing Git via Homebrew..."));
   try {
-    await execAsync2("brew install git", {
+    await execAsync3("brew install git", {
       timeout: 3e5
       // 5 minutes
     });
@@ -5373,7 +5845,7 @@ async function installViaXcodeSelect() {
   console.log(chalk11.blue("\u{1F4E6} Installing Git via Xcode Command Line Tools..."));
   console.log(chalk11.dim('A system dialog will appear - click "Install" to continue.\n'));
   try {
-    await execAsync2("xcode-select --install", {
+    await execAsync3("xcode-select --install", {
       timeout: 6e5
       // 10 minutes (user interaction required)
     });
@@ -5414,7 +5886,7 @@ async function installGitWindows() {
   }
   console.log(chalk11.blue("\u{1F4E6} Installing Git via winget..."));
   try {
-    await execAsync2("winget install --id Git.Git -e --source winget --silent", {
+    await execAsync3("winget install --id Git.Git -e --source winget --silent", {
       timeout: 3e5
       // 5 minutes
     });
@@ -5469,7 +5941,7 @@ async function installGitLinux() {
           message: chalk11.red(`\u274C Unsupported package manager: ${packageManager.name}`)
         };
     }
-    await execAsync2(installCommand, {
+    await execAsync3(installCommand, {
       timeout: 3e5
       // 5 minutes
     });
@@ -5671,28 +6143,6 @@ import { select as select2 } from "@inquirer/prompts";
 import * as path4 from "path";
 import * as fs4 from "fs/promises";
 
-// src/utils/command-execution.ts
-import { exec as exec3, spawn } from "child_process";
-import { promisify as promisify3 } from "util";
-var execAsyncReal = promisify3(exec3);
-async function execAsync3(command, options, isTestMode = false, mockExecHandler) {
-  if (isTestMode && mockExecHandler) {
-    return mockExecHandler(command);
-  }
-  const defaultOptions = {
-    maxBuffer: 1024 * 1024 * 10,
-    // 10MB default
-    timeout: 3e5,
-    // 5 minutes
-    ...options
-  };
-  if (command.includes("claude")) {
-    defaultOptions.maxBuffer = 1024 * 1024 * 50;
-    defaultOptions.timeout = 6e5;
-  }
-  return execAsyncReal(command, defaultOptions);
-}
-
 // src/services/setup-service.ts
 import * as fs3 from "fs/promises";
 import * as path3 from "path";
@@ -5743,7 +6193,7 @@ async function fetchFileFromGitHub(path6) {
   return withRetry(async () => {
     try {
       const command = `gh api repos/${GITHUB_OWNER}/${GITHUB_REPO}/contents/${path6}`;
-      const { stdout } = await execAsync3(command);
+      const { stdout } = await execAsync(command);
       const response = JSON.parse(stdout);
       if (response.type !== "file") {
         throw new Error(`Path ${path6} is not a file`);
@@ -5766,7 +6216,7 @@ async function listGitHubDirectory(path6) {
   return withRetry(async () => {
     try {
       const command = `gh api repos/${GITHUB_OWNER}/${GITHUB_REPO}/contents/${path6}`;
-      const { stdout } = await execAsync3(command);
+      const { stdout } = await execAsync(command);
       const response = JSON.parse(stdout);
       if (!Array.isArray(response)) {
         throw new Error(`Path ${path6} is not a directory`);
@@ -5899,7 +6349,7 @@ async function fileExists(filePath) {
 }
 async function checkPrerequisites() {
   try {
-    await execAsync3("gh --version");
+    await execAsync("gh --version");
   } catch {
     return {
       success: false,
@@ -5907,7 +6357,7 @@ async function checkPrerequisites() {
     };
   }
   try {
-    await execAsync3("gh auth status");
+    await execAsync("gh auth status");
   } catch {
     return {
       success: false,
@@ -6281,10 +6731,10 @@ async function checkAndShowUpdateWarning() {
 import { access as access3 } from "fs/promises";
 
 // src/utils/github-repo.ts
-import { exec as exec4 } from "child_process";
-import { promisify as promisify4 } from "util";
+import { exec as exec3 } from "child_process";
+import { promisify as promisify3 } from "util";
 import path5 from "path";
-var execAsync4 = promisify4(exec4);
+var execAsync4 = promisify3(exec3);
 async function initGitRepo() {
   try {
     await execAsync4("git init");
@@ -7293,6 +7743,30 @@ requirement.command("build [id]").description(
     process.exit(1);
   }
 });
+requirement.command("create-branch [id]").description(
+  "Create a GitHub branch for a requirement (auto-detects ID from git branch if not provided)"
+).option(
+  "-p, --project <id>",
+  "project ID (auto-detects from .braingrid/project.json if not provided)"
+).option("--name <name>", "branch name (auto-generates {username}/REQ-123-slug if not provided)").option("--base <branch>", "base branch to create from (defaults to repository default branch)").option("--format <format>", "output format (table, json, markdown)", "table").action(async (id, opts) => {
+  const result = await handleCreateGitBranch({ ...opts, id });
+  console.log(result.message);
+  if (!result.success) {
+    process.exit(1);
+  }
+});
+requirement.command("review [id]").description("Run AI code review for a requirement PR (auto-detects ID and PR from git branch)").option(
+  "-p, --project <id>",
+  "project ID (auto-detects from .braingrid/project.json if not provided)"
+).option("--pr <number>", "PR number or URL (auto-detects from current branch if not provided)").action(async (id, opts) => {
+  const result = await handleReviewAcceptance({ ...opts, id });
+  if (result.message) {
+    console.log(result.message);
+  }
+  if (!result.success) {
+    process.exit(1);
+  }
+});
 var task = program.command("task").description("Manage tasks");
 task.command("list").description("List tasks for a requirement").option("-r, --requirement <id>", "requirement ID (REQ-456, auto-detects project if initialized)").option("-p, --project <id>", "project ID (PROJ-123, optional if project is initialized)").option("--format <format>", "output format (table, json, xml, markdown)", "markdown").option("--page <page>", "page number for pagination", "1").option("--limit <limit>", "number of tasks per page", "20").action(async (opts) => {
   const result = await handleTaskList(opts);
@@ -7336,6 +7810,16 @@ task.command("delete <id>").description("Delete a task").option("-r, --requireme
     process.exit(1);
   }
 });
+task.command("specify").description("Create a single task from a prompt using AI").option(
+  "-r, --requirement <id>",
+  "requirement ID (REQ-456, auto-detects from git branch if not provided)"
+).option("-p, --project <id>", "project ID (PROJ-123, optional if project is initialized)").requiredOption("--prompt <prompt>", "task description (10-5000 characters)").option("--format <format>", "output format (table, json, markdown)", "table").action(async (opts) => {
+  const result = await handleTaskSpecify(opts);
+  console.log(result.message);
+  if (!result.success) {
+    process.exit(1);
+  }
+});
 program.command("completion [shell]").description("Generate shell completion script (bash, zsh)").option("--setup", "automatically install completion for current shell").option("-s, --shell <shell>", "shell type (bash, zsh)").action(async (shell, opts) => {
   const result = await handleCompletion(shell, opts);
   console.log(result.message);