@chainpatrol/cli 0.3.1 → 0.3.3

package/CHANGELOG.md

@@ -1,5 +1,55 @@
 # @chainpatrol/cli
 
+## 0.3.3
+
+### Patch Changes
+
+- 415dbcd: `chainpatrol login`:
+
+  - Auto-detect non-TTY stdout (Claude Code on the web, CI runners, piped
+    invocations) and fall back to a plain-text login flow that prints the
+    device code and verification URL immediately. Previously the
+    interactive Ink-based UI rendered nothing in those environments,
+    making the command appear to hang with no output until the device
+    code expired.
+  - `chainpatrol --json login` now emits the device-code line on **stdout**
+    instead of stderr, matching the `{"status":"success",...}` line. This
+    makes the URL visible without callers needing to remember `2>&1`.
+    Consumers should treat the output as JSON-lines and read the last
+    line for the terminal result.
+
+  Claude Code skill bundled with the CLI:
+
+  - New "Running `login` from an agent (headless / non-TTY)" section
+    documenting the background+tail pattern so agents surface the
+    verification URL to the user immediately instead of blocking on the
+    polling step.
+
+## 0.3.2
+
+### Patch Changes
+
+- 06ff227: `chainpatrol login`:
+
+  - Skip the browser auto-open when running in a headless / cloud context
+    (Claude Code on the web, GitHub Codespaces, Gitpod, Replit, CI, plain
+    SSH sessions, or Linux without a display server). Detection is opt-in
+    overridable with `CHAINPATROL_HEADLESS=1` / `CHAINPATROL_HEADLESS=0`.
+  - Print `verification_uri_complete` as the primary, one-step link when
+    the server returns it, so a copy-paste to another device (e.g. a
+    phone) works without separately typing the user code. The bare
+    `verification_uri` + code is shown as a fallback.
+  - `login --json` output now includes a `headless` boolean so automation
+    can adapt the way it presents the URL.
+
+  Claude Code skill bundled with the CLI:
+
+  - Stop hard-coding `/usr/local/bin/chainpatrol`. The "Running the CLI"
+    section now documents typical local vs cloud install locations
+    (e.g. `/opt/node*/bin/chainpatrol`), includes a command to discover
+    the binary path, and tells the assistant to substitute the resolved
+    full path in all invocations.
+
 ## 0.3.1
 
 ### Patch Changes

package/dist/{breakdown-BECXDJIS.js → breakdown-FFNYSXRQ.js}

@@ -4,9 +4,9 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-DSOM6TZX.js";
-import "./chunk-TFCNKBRC.js";
+} from "./chunk-44FSS3CZ.js";
 import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/metrics/breakdown.ts

package/dist/chunk-EBJMOX3Q.js

@@ -0,0 +1,83 @@
+import {
+  fetchUserEmail,
+  getCredentials,
+  isLoggedIn,
+  pollForToken,
+  requestDeviceCode,
+  storeCredentials
+} from "./chunk-EEG7T6WT.js";
+import {
+  DateTime
+} from "./chunk-TFCNKBRC.js";
+
+// src/lib/login-flow.ts
+async function runLoginFlow(emit) {
+  if (isLoggedIn()) {
+    const creds = getCredentials();
+    emit({ type: "already_logged_in", email: creds.email ?? null });
+    return true;
+  }
+  const deviceCode = await requestDeviceCode();
+  emit({ type: "device_code", code: deviceCode });
+  let interval = deviceCode.interval * 1e3;
+  while (true) {
+    await new Promise((resolve) => setTimeout(resolve, interval));
+    const result = await pollForToken(deviceCode.device_code);
+    switch (result.status) {
+      case "success": {
+        const expiresAt = DateTime.now().toUTC().plus({ seconds: result.expiresIn }).toISO();
+        if (!expiresAt) {
+          emit({ type: "error", message: "Failed to compute credential expiry." });
+          return false;
+        }
+        const email = await fetchUserEmail(result.accessToken);
+        storeCredentials({
+          accessToken: result.accessToken,
+          expiresAt,
+          ...email ? { email } : {}
+        });
+        emit({ type: "success", email: email ?? null });
+        return true;
+      }
+      case "pending":
+        continue;
+      case "slow_down":
+        interval += result.addSeconds * 1e3;
+        continue;
+      case "expired":
+        emit({ type: "expired" });
+        return false;
+      case "denied":
+        emit({ type: "denied" });
+        return false;
+      case "error":
+        emit({ type: "error", message: result.message });
+        return false;
+    }
+  }
+}
+function formatUserCode(code) {
+  return code.length === 8 ? `${code.slice(0, 4)}-${code.slice(4)}` : code;
+}
+
+// src/lib/headless.ts
+function isHeadlessEnv(env = process.env, platform = process.platform) {
+  if (env.CHAINPATROL_HEADLESS === "1") return true;
+  if (env.CHAINPATROL_HEADLESS === "0") return false;
+  if (env.CLAUDE_CODE_REMOTE === "true") return true;
+  if (env.CODESPACES === "true") return true;
+  if (env.GITPOD_WORKSPACE_ID) return true;
+  if (env.REPL_ID) return true;
+  if (env.CI === "true") return true;
+  if (env.SSH_CONNECTION || env.SSH_TTY) return true;
+  if (platform === "linux" && !env.DISPLAY && !env.WAYLAND_DISPLAY && !env.MIR_SOCKET) {
+    return true;
+  }
+  return false;
+}
+
+export {
+  runLoginFlow,
+  formatUserCode,
+  isHeadlessEnv
+};

package/dist/{chunk-T4DYUWUD.js → chunk-R7BPW32M.js}

@@ -97,15 +97,39 @@ platform using the CLI tool.
 
 ## Running the CLI
 
-IMPORTANT: Claude Code's sandbox shell has a minimal PATH (/usr/bin:/bin:/usr/sbin:/sbin)
-that does NOT include /usr/local/bin. Always use the full path to the binary:
+IMPORTANT: Claude Code's sandbox shell often has a minimal PATH
+(\`/usr/bin:/bin:/usr/sbin:/sbin\`) that may not include the directory where
+\`chainpatrol\` is installed, so bare \`chainpatrol\` calls may fail with
+"command not found". Always invoke the CLI by its full path.
+
+The install location depends on the environment:
+
+- **Local installs** typically land at \`/usr/local/bin/chainpatrol\` (when
+  installed globally via \`npm install -g @chainpatrol/cli\`).
+- **Cloud / sandboxed environments** (e.g. Claude Code on the web, Cursor
+  Cloud) often install Node into \`/opt\` and the binary ends up under a
+  Node-version-specific path like \`/opt/node22/bin/chainpatrol\`. Variants
+  such as \`/opt/node20/bin/chainpatrol\` or \`/opt/node21/bin/chainpatrol\`
+  are also possible depending on which Node version is active.
+
+To find the binary, try (in order):
 
 \`\`\`bash
+command -v chainpatrol \\
+  || ls /usr/local/bin/chainpatrol /opt/node*/bin/chainpatrol 2>/dev/null \\
+  | head -n 1
+\`\`\`
+
+Then use that full path for every subsequent command, e.g.:
+
+\`\`\`bash
+/opt/node22/bin/chainpatrol <command> [options]
+# or
 /usr/local/bin/chainpatrol <command> [options]
 \`\`\`
 
-All examples below use the short name for readability, but you MUST use
-\`/usr/local/bin/chainpatrol\` in all Bash commands.
+All examples below use the short name \`chainpatrol\` for readability, but you
+MUST substitute the full resolved path in your Bash commands.
 
 ## Available Commands
 
@@ -126,6 +150,46 @@ JSON mode (for automation):
 chainpatrol --json login
 \`\`\`
 
+#### Running \`login\` from an agent (headless / non-TTY)
+
+The login flow blocks for up to 30 minutes while polling for the user to
+authorize in their browser. If you (the agent) run it as a foreground
+command and wait for it to exit before reading output, you will appear
+stuck \u2014 the verification URL will never be shown because the process is
+still polling.
+
+**Always run \`login\` in the background and stream its output**, then
+surface the verification URL to the user as soon as it appears:
+
+\`\`\`bash
+# 1. Kick off login in the background (do NOT wait for it to exit)
+chainpatrol --json login > /tmp/cp-login.out 2>&1 &
+
+# 2. Wait briefly for the first line, which contains the URL
+for _ in 1 2 3 4 5 6 7 8 9 10; do
+  test -s /tmp/cp-login.out && break
+  sleep 1
+done
+cat /tmp/cp-login.out
+\`\`\`
+
+The first line emitted is JSON describing the device code, e.g.:
+
+\`\`\`json
+{"action":"open_url","user_code":"ABCD-1234","verification_uri":"https://app.chainpatrol.io/auth/verify-device","verification_uri_complete":"https://app.chainpatrol.io/auth/verify-device?user_code=ABCD-1234","expires_in":1800,"headless":true}
+\`\`\`
+
+Show the user the \`verification_uri_complete\` link (or
+\`verification_uri\` + \`user_code\` as a fallback) and explain that the
+CLI will pick up the token automatically once they authorize. Then keep
+the background process running and tail it for the final
+\`{"status":"success",...}\` or \`{"error":...}\` line.
+
+CLI v0.3.3+ also auto-detects non-TTY stdout and prints the URL as plain
+text immediately when you run \`chainpatrol login\` without \`--json\`,
+so the same background+tail pattern works without \`--json\`. Prefer
+\`--json\` so the output is structured and machine-parseable.
+
 ### \`logout\` \u2014 Clear stored credentials
 
 \`\`\`bash

package/dist/{chunk-B3CCMSG2.js → chunk-WBKCXGLV.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-DSOM6TZX.js";
+} from "./chunk-44FSS3CZ.js";
 import {
   DateTime
 } from "./chunk-TFCNKBRC.js";

package/dist/cli.js

@@ -13,7 +13,7 @@ import {
   getCliVersion,
   isSkillInstalled,
   readInstalledSkillVersion
-} from "./chunk-T4DYUWUD.js";
+} from "./chunk-R7BPW32M.js";
 import "./chunk-IUZB3DQW.js";
 import {
   DateTime
@@ -686,12 +686,12 @@ function parseAttachmentUrls() {
 }
 async function handleConfigsList(org) {
   if (jsonMode) {
-    const { listConfigsJson } = await import("./list-json-GANUT7SB.js");
+    const { listConfigsJson } = await import("./list-json-SUZL2GBJ.js");
     await listConfigsJson({ org });
     return;
   }
   const { render } = await import("ink");
-  const { default: ConfigsList } = await import("./list-56BS25X4.js");
+  const { default: ConfigsList } = await import("./list-TMFLCS5U.js");
   const { default: React } = await import("react");
   render(React.createElement(ConfigsList, { org }));
 }
@@ -746,11 +746,14 @@ async function main() {
         );
       }
       if (jsonMode) {
-        const { loginJson } = await import("./login-json-LKB72OFY.js");
+        const { loginJson } = await import("./login-json-XGMXT5VJ.js");
         await loginJson();
+      } else if (!process.stdout.isTTY) {
+        const { loginPlain } = await import("./login-plain-CWKOUZKE.js");
+        await loginPlain();
       } else {
         const { render } = await import("ink");
-        const { default: Login } = await import("./login-G7LPHKDR.js");
+        const { default: Login } = await import("./login-C66GRR3Y.js");
         const { default: React } = await import("react");
         render(React.createElement(Login));
       }
@@ -786,7 +789,7 @@ async function main() {
     case "detections": {
       const org = await resolveOrg();
       if (subcommand === "healthcheck") {
-        const { runDetectionsHealthcheck } = await import("./healthcheck-6RHZBEVE.js");
+        const { runDetectionsHealthcheck } = await import("./healthcheck-SIE5EXN3.js");
         await runDetectionsHealthcheck({
           org,
           source: cli.flags.source,
@@ -801,7 +804,7 @@ async function main() {
         break;
       }
       if (subcommand === "validate") {
-        const { runDetectionsValidate } = await import("./validate-NIBVL7X5.js");
+        const { runDetectionsValidate } = await import("./validate-II6GH6H6.js");
         await runDetectionsValidate({
           org,
           source: cli.flags.source,
@@ -816,7 +819,7 @@ async function main() {
         break;
       }
       if (subcommand === "drift") {
-        const { runDetectionsDrift } = await import("./drift-2JRZK2MC.js");
+        const { runDetectionsDrift } = await import("./drift-PASGDEEX.js");
         await runDetectionsDrift({
           org,
           source: cli.flags.source,
@@ -830,7 +833,7 @@ async function main() {
         break;
       }
       if (subcommand === "run") {
-        const { runDetectionsRun } = await import("./run-JZNZSCDJ.js");
+        const { runDetectionsRun } = await import("./run-MGOASUON.js");
         await runDetectionsRun({
           org,
           configId: cli.flags.configId,
@@ -849,7 +852,7 @@ async function main() {
           break;
         }
         if (action === "run") {
-          const { runDetectionsRun } = await import("./run-JZNZSCDJ.js");
+          const { runDetectionsRun } = await import("./run-MGOASUON.js");
           await runDetectionsRun({
             org,
             configId: cli.flags.configId,
@@ -867,7 +870,7 @@ async function main() {
             throw new Error("detections configs update requires --config-id");
           }
           const configPatch = getConfigPatchFromSetFlags();
-          const { runDetectionsConfigsUpdate } = await import("./configs-update-AHI7T6S4.js");
+          const { runDetectionsConfigsUpdate } = await import("./configs-update-VOWH674W.js");
           await runDetectionsConfigsUpdate({
             org,
             configId: cli.flags.configId,
@@ -894,7 +897,7 @@ async function main() {
     case "metrics": {
       const org = await resolveOrg();
       if (subcommand === "summary") {
-        const { runMetricsSummary } = await import("./summary-PA2CCZVO.js");
+        const { runMetricsSummary } = await import("./summary-QORQFCMW.js");
         await runMetricsSummary({
           org,
           from: cli.flags.from,
@@ -906,7 +909,7 @@ async function main() {
         break;
       }
       if (subcommand === "found") {
-        const { runMetricsFound } = await import("./found-YYYFF4FD.js");
+        const { runMetricsFound } = await import("./found-TIW7T4VX.js");
         await runMetricsFound({
           org,
           from: cli.flags.from,
@@ -923,7 +926,7 @@ async function main() {
         if (!by || !["day", "type", "brand"].includes(by)) {
           throw new Error("metrics breakdown requires --by <day|type|brand>");
         }
-        const { runMetricsBreakdown } = await import("./breakdown-BECXDJIS.js");
+        const { runMetricsBreakdown } = await import("./breakdown-FFNYSXRQ.js");
         await runMetricsBreakdown({
           org,
           by,
@@ -943,7 +946,7 @@ async function main() {
     case "reports": {
       if (subcommand === "list") {
         const org = await resolveOrg();
-        const { runReportsList } = await import("./list-MHEIY7LQ.js");
+        const { runReportsList } = await import("./list-CEWBMKJ3.js");
         await runReportsList({
           org,
           limit: cli.flags.limit,
@@ -959,7 +962,7 @@ async function main() {
       }
       if (subcommand === "create") {
         const org = await tryResolveOrg();
-        const { runReportsCreate } = await import("./create-RS37JAMM.js");
+        const { runReportsCreate } = await import("./create-ASGUBKZ7.js");
         await runReportsCreate({
           org,
           title: cli.flags.title,
@@ -983,7 +986,7 @@ async function main() {
     }
     case "queues": {
       if (subcommand === "snapshot") {
-        const { runQueuesSnapshot } = await import("./snapshot-KGMO44YB.js");
+        const { runQueuesSnapshot } = await import("./snapshot-MQ6DWDFG.js");
         await runQueuesSnapshot({
           org: cli.flags.org,
           all: cli.flags.all,
@@ -1001,7 +1004,7 @@ async function main() {
     }
     case "presets": {
       if (subcommand === "list") {
-        const { runPresetsList } = await import("./list-M2UQCXIO.js");
+        const { runPresetsList } = await import("./list-KTIZ3UHA.js");
         await runPresetsList({ outputFormat: cliContext.outputFormat });
         break;
       }
@@ -1012,7 +1015,7 @@ async function main() {
           );
         }
         const org = await resolveOrg();
-        const { runPresetsRun } = await import("./run-7NTCD7JI.js");
+        const { runPresetsRun } = await import("./run-3TTLZ6HA.js");
         await runPresetsRun({
           presetId: action,
           org,
@@ -1029,12 +1032,12 @@ async function main() {
     case "setup":
     case "install":
     case "i": {
-      const { setupSkill } = await import("./setup-skill-ZUZ5MYLI.js");
+      const { setupSkill } = await import("./setup-skill-KKWETU4A.js");
       setupSkill({ json: jsonMode });
       break;
     }
     case "uninstall": {
-      const { uninstallSkill } = await import("./setup-skill-ZUZ5MYLI.js");
+      const { uninstallSkill } = await import("./setup-skill-KKWETU4A.js");
       uninstallSkill({ json: jsonMode });
       break;
     }

package/dist/{configs-update-AHI7T6S4.js → configs-update-VOWH674W.js}

@@ -7,9 +7,9 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-DSOM6TZX.js";
-import "./chunk-TFCNKBRC.js";
+} from "./chunk-44FSS3CZ.js";
 import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/detections/configs-update.ts

package/dist/{create-RS37JAMM.js → create-ASGUBKZ7.js}

@@ -8,9 +8,9 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-DSOM6TZX.js";
-import "./chunk-TFCNKBRC.js";
+} from "./chunk-44FSS3CZ.js";
 import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/reports/create.ts

package/dist/{drift-2JRZK2MC.js → drift-PASGDEEX.js}

@@ -8,9 +8,9 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-DSOM6TZX.js";
-import "./chunk-TFCNKBRC.js";
+} from "./chunk-44FSS3CZ.js";
 import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/detections/drift.ts

package/dist/{found-YYYFF4FD.js → found-TIW7T4VX.js}

@@ -4,11 +4,11 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-DSOM6TZX.js";
+} from "./chunk-44FSS3CZ.js";
+import "./chunk-EEG7T6WT.js";
 import {
   DateTime
 } from "./chunk-TFCNKBRC.js";
-import "./chunk-EEG7T6WT.js";
 import "./chunk-U73SABXK.js";
 
 // src/lib/date-range.ts

package/dist/{healthcheck-6RHZBEVE.js → healthcheck-SIE5EXN3.js}

@@ -8,9 +8,9 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-DSOM6TZX.js";
-import "./chunk-TFCNKBRC.js";
+} from "./chunk-44FSS3CZ.js";
 import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/detections/healthcheck.ts

package/dist/{list-MHEIY7LQ.js → list-CEWBMKJ3.js}

@@ -8,9 +8,9 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-DSOM6TZX.js";
-import "./chunk-TFCNKBRC.js";
+} from "./chunk-44FSS3CZ.js";
 import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/reports/list.ts

package/dist/{list-M2UQCXIO.js → list-KTIZ3UHA.js}

@@ -1,14 +1,14 @@
 import {
   PRESETS
-} from "./chunk-B3CCMSG2.js";
+} from "./chunk-WBKCXGLV.js";
 import "./chunk-E2LAMILJ.js";
 import {
   printOutput,
   toCsvRows
 } from "./chunk-VFT3TD3E.js";
-import "./chunk-DSOM6TZX.js";
-import "./chunk-TFCNKBRC.js";
+import "./chunk-44FSS3CZ.js";
 import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/presets/list.ts

package/dist/{list-56BS25X4.js → list-TMFLCS5U.js}

@@ -1,16 +1,16 @@
-import {
-  createApiClient
-} from "./chunk-DSOM6TZX.js";
-import "./chunk-TFCNKBRC.js";
 import {
   ErrorDisplay,
   Spinner
 } from "./chunk-JCMWDZYY.js";
+import {
+  createApiClient
+} from "./chunk-44FSS3CZ.js";
 import {
   AuthCorruptedError,
   AuthExpiredError,
   AuthNotLoggedInError
 } from "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/configs/list.tsx

package/dist/{list-json-GANUT7SB.js → list-json-SUZL2GBJ.js}

@@ -1,8 +1,8 @@
 import {
   createApiClient
-} from "./chunk-DSOM6TZX.js";
-import "./chunk-TFCNKBRC.js";
+} from "./chunk-44FSS3CZ.js";
 import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/configs/list-json.ts

package/dist/{login-G7LPHKDR.js → login-C66GRR3Y.js}

@@ -2,6 +2,10 @@ import {
   ErrorDisplay,
   Spinner
 } from "./chunk-JCMWDZYY.js";
+import {
+  formatUserCode,
+  isHeadlessEnv
+} from "./chunk-EBJMOX3Q.js";
 import {
   fetchUserEmail,
   getCredentials,
@@ -10,6 +14,7 @@ import {
   requestDeviceCode,
   storeCredentials
 } from "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/login.tsx
@@ -43,9 +48,11 @@ function Login() {
     setState({ phase: "requesting-code" });
     requestDeviceCode().then((deviceCode) => {
       setState({ phase: "waiting-for-approval", deviceCode });
-      const uri = deviceCode.verification_uri_complete ?? deviceCode.verification_uri;
-      open(uri).catch(() => {
-      });
+      if (!isHeadlessEnv()) {
+        const uri = deviceCode.verification_uri_complete ?? deviceCode.verification_uri;
+        open(uri).catch(() => {
+        });
+      }
     }).catch((err) => {
       setState({
         phase: "error",
@@ -130,19 +137,34 @@ function Login() {
       ] });
     case "requesting-code":
       return /* @__PURE__ */ jsx(Spinner, { label: "Requesting device code..." });
-    case "waiting-for-approval":
+    case "waiting-for-approval": {
+      const completeUri = state.deviceCode.verification_uri_complete;
       return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", gap: 1, children: [
         /* @__PURE__ */ jsxs(Box, { children: [
-          /* @__PURE__ */ jsx(Text, { children: "Your code is: " }),
-          /* @__PURE__ */ jsx(Text, { bold: true, color: "cyan", children: state.deviceCode.user_code.length === 8 ? `${state.deviceCode.user_code.slice(0, 4)}-${state.deviceCode.user_code.slice(4)}` : state.deviceCode.user_code })
+          /* @__PURE__ */ jsx(Text, { children: "Your code: " }),
+          /* @__PURE__ */ jsx(Text, { bold: true, color: "cyan", children: formatUserCode(state.deviceCode.user_code) })
         ] }),
-        /* @__PURE__ */ jsxs(Text, { children: [
+        completeUri ? /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+          /* @__PURE__ */ jsx(Text, { children: "Open this URL on any device to approve in one step:" }),
+          /* @__PURE__ */ jsxs(Text, { color: "blue", underline: true, children: [
+            "  ",
+            completeUri
+          ] }),
+          /* @__PURE__ */ jsxs(Text, { dimColor: true, children: [
+            "Or visit ",
+            state.deviceCode.verification_uri,
+            " and enter the code above."
+          ] })
+        ] }) : /* @__PURE__ */ jsxs(Text, { children: [
           "Open this URL in your browser:",
           " ",
-          /* @__PURE__ */ jsx(Text, { color: "blue", underline: true, children: state.deviceCode.verification_uri })
+          /* @__PURE__ */ jsx(Text, { color: "blue", underline: true, children: state.deviceCode.verification_uri }),
+          " ",
+          "and enter the code above."
         ] }),
         /* @__PURE__ */ jsx(Spinner, { label: "Waiting for approval..." })
       ] });
+    }
     case "success":
       return /* @__PURE__ */ jsxs(Text, { children: [
         /* @__PURE__ */ jsx(Text, { color: "green", bold: true, children: "\u2713" }),

package/dist/login-json-XGMXT5VJ.js

@@ -0,0 +1,50 @@
+import {
+  isHeadlessEnv,
+  runLoginFlow
+} from "./chunk-EBJMOX3Q.js";
+import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
+import "./chunk-U73SABXK.js";
+
+// src/commands/login-json.ts
+async function loginJson() {
+  const ok = await runLoginFlow((event) => {
+    switch (event.type) {
+      case "already_logged_in":
+        console.log(JSON.stringify({ status: "already_logged_in", email: event.email }));
+        return;
+      case "device_code":
+        console.log(
+          JSON.stringify({
+            action: "open_url",
+            user_code: event.code.user_code,
+            verification_uri: event.code.verification_uri,
+            verification_uri_complete: event.code.verification_uri_complete ?? null,
+            expires_in: event.code.expires_in,
+            headless: isHeadlessEnv()
+          })
+        );
+        return;
+      case "success":
+        console.log(JSON.stringify({ status: "success", email: event.email }));
+        return;
+      case "expired":
+        console.error(
+          JSON.stringify({ error: "Code expired. Run `chainpatrol login` again." })
+        );
+        return;
+      case "denied":
+        console.error(JSON.stringify({ error: "Authorization denied." }));
+        return;
+      case "error":
+        console.error(JSON.stringify({ error: event.message }));
+        return;
+    }
+  });
+  if (!ok) {
+    process.exit(1);
+  }
+}
+export {
+  loginJson
+};

package/dist/login-plain-CWKOUZKE.js

@@ -0,0 +1,60 @@
+import {
+  formatUserCode,
+  isHeadlessEnv,
+  runLoginFlow
+} from "./chunk-EBJMOX3Q.js";
+import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
+import "./chunk-U73SABXK.js";
+
+// src/commands/login-plain.ts
+async function loginPlain() {
+  const ok = await runLoginFlow((event) => {
+    switch (event.type) {
+      case "already_logged_in":
+        console.log(
+          event.email ? `Already logged in as ${event.email}` : "Already logged in"
+        );
+        return;
+      case "device_code": {
+        const completeUri = event.code.verification_uri_complete;
+        const userCode = formatUserCode(event.code.user_code);
+        if (completeUri) {
+          console.log("Open this URL on any device to approve in one step:");
+          console.log(`  ${completeUri}`);
+          console.log(
+            `Or visit ${event.code.verification_uri} and enter the code: ${userCode}`
+          );
+        } else {
+          console.log(`Open this URL in your browser: ${event.code.verification_uri}`);
+          console.log(`Enter the code: ${userCode}`);
+        }
+        if (isHeadlessEnv()) {
+          console.log("(headless environment detected \u2014 browser will not auto-open)");
+        }
+        console.log("Waiting for approval...");
+        return;
+      }
+      case "success":
+        console.log(
+          event.email ? `Logged in successfully as ${event.email}` : "Logged in successfully"
+        );
+        return;
+      case "expired":
+        console.error("Code expired. Run `chainpatrol login` again.");
+        return;
+      case "denied":
+        console.error("Authorization denied.");
+        return;
+      case "error":
+        console.error(event.message);
+        return;
+    }
+  });
+  if (!ok) {
+    process.exit(1);
+  }
+}
+export {
+  loginPlain
+};

package/dist/{run-7NTCD7JI.js → run-3TTLZ6HA.js}

@@ -1,15 +1,15 @@
 import {
   getPresetDefinition,
   runPreset
-} from "./chunk-B3CCMSG2.js";
+} from "./chunk-WBKCXGLV.js";
 import {
   CliExitError,
   ExitCode
 } from "./chunk-E2LAMILJ.js";
 import "./chunk-VFT3TD3E.js";
-import "./chunk-DSOM6TZX.js";
-import "./chunk-TFCNKBRC.js";
+import "./chunk-44FSS3CZ.js";
 import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/presets/run.ts

package/dist/{run-JZNZSCDJ.js → run-MGOASUON.js}

@@ -8,9 +8,9 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-DSOM6TZX.js";
-import "./chunk-TFCNKBRC.js";
+} from "./chunk-44FSS3CZ.js";
 import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/detections/run.ts

package/dist/{setup-skill-ZUZ5MYLI.js → setup-skill-KKWETU4A.js}

@@ -6,7 +6,7 @@ import {
   readInstalledSkillVersion,
   setupSkill,
   uninstallSkill
-} from "./chunk-T4DYUWUD.js";
+} from "./chunk-R7BPW32M.js";
 import "./chunk-IUZB3DQW.js";
 export {
   getBundledSkillContent,

package/dist/{snapshot-KGMO44YB.js → snapshot-MQ6DWDFG.js}

@@ -8,9 +8,9 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-DSOM6TZX.js";
-import "./chunk-TFCNKBRC.js";
+} from "./chunk-44FSS3CZ.js";
 import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/queues/snapshot.ts

package/dist/{summary-PA2CCZVO.js → summary-QORQFCMW.js}

@@ -4,9 +4,9 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-DSOM6TZX.js";
-import "./chunk-TFCNKBRC.js";
+} from "./chunk-44FSS3CZ.js";
 import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/metrics/summary.ts

package/dist/{validate-NIBVL7X5.js → validate-II6GH6H6.js}

@@ -8,9 +8,9 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-DSOM6TZX.js";
-import "./chunk-TFCNKBRC.js";
+} from "./chunk-44FSS3CZ.js";
 import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/detections/validate.ts

package/package.json

@@ -2,7 +2,7 @@
   "name": "@chainpatrol/cli",
   "description": "The official ChainPatrol CLI — terminal interface for threat detection",
   "author": "Umar Ahmed <umar@chainpatrol.io>",
-  "version": "0.3.1",
+  "version": "0.3.3",
   "license": "UNLICENSED",
   "homepage": "https://chainpatrol.com/docs/cli",
   "keywords": [

package/dist/login-json-LKB72OFY.js

@@ -1,71 +0,0 @@
-import {
-  fetchUserEmail,
-  getCredentials,
-  isLoggedIn,
-  pollForToken,
-  requestDeviceCode,
-  storeCredentials
-} from "./chunk-EEG7T6WT.js";
-import "./chunk-U73SABXK.js";
-
-// src/commands/login-json.ts
-async function loginJson() {
-  if (isLoggedIn()) {
-    const creds = getCredentials();
-    console.log(
-      JSON.stringify({ status: "already_logged_in", email: creds.email ?? null })
-    );
-    return;
-  }
-  const deviceCode = await requestDeviceCode();
-  console.error(
-    JSON.stringify({
-      action: "open_url",
-      user_code: deviceCode.user_code,
-      verification_uri: deviceCode.verification_uri,
-      verification_uri_complete: deviceCode.verification_uri_complete ?? null,
-      expires_in: deviceCode.expires_in
-    })
-  );
-  let interval = deviceCode.interval * 1e3;
-  while (true) {
-    await new Promise((r) => setTimeout(r, interval));
-    const result = await pollForToken(deviceCode.device_code);
-    switch (result.status) {
-      case "success": {
-        const expiresAt = new Date(Date.now() + result.expiresIn * 1e3).toISOString();
-        const email = await fetchUserEmail(result.accessToken);
-        const creds = {
-          accessToken: result.accessToken,
-          expiresAt,
-          ...email ? { email } : {}
-        };
-        storeCredentials(creds);
-        console.log(JSON.stringify({ status: "success", email: email ?? null }));
-        return;
-      }
-      case "pending":
-        continue;
-      case "slow_down":
-        interval += result.addSeconds * 1e3;
-        continue;
-      case "expired":
-        console.error(
-          JSON.stringify({ error: "Code expired. Run `chainpatrol login` again." })
-        );
-        process.exit(1);
-        break;
-      case "denied":
-        console.error(JSON.stringify({ error: "Authorization denied." }));
-        process.exit(1);
-        break;
-      case "error":
-        console.error(JSON.stringify({ error: result.message }));
-        process.exit(1);
-        break;
-    }
-  }
-}
-export {
-  loginJson
-};

package/dist/{chunk-DSOM6TZX.js → chunk-44FSS3CZ.js}

@@ -1,9 +1,9 @@
-import {
-  DateTime
-} from "./chunk-TFCNKBRC.js";
 import {
   getValidCredentials
 } from "./chunk-EEG7T6WT.js";
+import {
+  DateTime
+} from "./chunk-TFCNKBRC.js";
 import {
   getConfig
 } from "./chunk-U73SABXK.js";