@clubnet/seedclub 0.2.27 → 0.2.29

package/README.md

@@ -30,9 +30,10 @@ seedclub
 
 On a fresh install, the normal setup flow is:
 
-1. `/login` to sign in to a model provider such as Anthropic, OpenAI, or Gemini
-2. `/model` to choose the model you want to use
-3. `/connect` to connect your Seed Club account
+1. Run `seedclub`
+2. Seed Club auth opens automatically
+3. `/login` to sign in to a model provider such as Anthropic, OpenAI, or Gemini
+4. `/model` to choose the model you want to use
 
 After that, run `/seedclub` to open the main Seed Club menu.
 
@@ -42,24 +43,19 @@ After that, run `/seedclub` to open the main Seed Club menu.
 curl -fsSL https://raw.githubusercontent.com/seedclub/seedclub-agent/main/install.sh | bash
 ```
 
-### Internal install auth
+### Package access
 
-`@clubnet/seedclub` is currently a private npm package. This auth is only for installing or updating the package from npm. It is separate from `/login` and `/connect` inside the app.
-
-```bash
-npm login
-```
-
-Then `npm install -g @clubnet/seedclub` and `seedclub update` work.
+`@clubnet/seedclub` is a public npm package. Install access is open; runtime access is enforced by Seed Club auth inside the app.
 
 ## Core workflow
 
 The normal interactive flow is:
 
 1. Start the app with `seedclub`
-2. Complete `/login`, `/model`, and `/connect` if this is your first run
-3. Open `/seedclub`
-4. Choose the CRM, meetings, media, recordings, or transcript workflow you need
+2. Complete Seed Club auth when the browser opens
+3. Complete `/login` and `/model` if this is your first run
+4. Open `/seedclub`
+5. Choose the CRM, meetings, media, recordings, or transcript workflow you need
 
 ## Commands
 
@@ -68,6 +64,7 @@ The normal interactive flow is:
 | `/login` | Sign in to a model provider for the underlying agent |
 | `/model` | Choose which model to use |
 | `/connect` | Connect your Seed Club account |
+| `/connect-calendar` | Connect a personal Google Calendar to your Seed Club account |
 | `/seedclub` | Main menu — connect, inspect access, and jump into CRM/meetings/media/headlines workflows |
 | `/transcripts` | Export transcript VTT files with filters (date, person, time, output dir) |
 
@@ -77,13 +74,21 @@ Natural-language transcript retrieval is also supported (no slash command requir
 
 There are two separate auth layers in the product:
 
-1. Model auth: `/login`
-   This signs you into the LLM provider you want the agent to use.
-2. Seed Club auth: `/connect`
+1. Seed Club auth: auto-start on launch or `/connect`
    This connects the CLI to your Seed Club account so Seed Club tools and commands can read and write account data.
+2. Model auth: `/login`
+   This signs you into the LLM provider you want the agent to use.
+3. Personal calendar connect: `/connect-calendar`
+   This connects a Google Calendar to your Seed Club account for booking and availability workflows. It is only needed if you want the agent to schedule using your personal calendar.
+
+Seed Club auth is the first gate. Until it succeeds, normal harness usage is blocked and only the setup commands are available.
 
 `/seedclub` is the main entry point for Seed Club actions. If you are not connected yet, it will start the Seed Club connect flow automatically.
 
+CLI auth now prefers an authorization-code exchange:
+- browser callback: `http://127.0.0.1:<port>/callback?code=...&state=...`
+- CLI exchange: `POST ${SEEDCLUB_API_URL}/auth/cli/exchange` with `{ code, state }`
+
 Power-user env overrides:
 
 ```bash

package/assets/extensions/seedclub/auth.ts

@@ -1,7 +1,7 @@
 /**
  * Token storage for Seed Club.
  *
- * Priority: SEEDCLUB_ACCESS_TOKEN / SEEDCLUB_TOKEN env var > stored token file.
+ * Priority: SEEDCLUB_ACCESS_TOKEN env var > stored token file.
  * Use /seedclub to connect.
  */
 
@@ -76,12 +76,7 @@ function tryReadStoredBasesSync(): StoredBases | null {
 }
 
 export function getApiBase(): string {
-	if (
-		process.env.SEEDCLUB_API_URL ||
-		process.env.SEEDCLUB_API ||
-		process.env.SEED_NETWORK_API
-	)
-		return process.env.SEEDCLUB_API_URL || process.env.SEEDCLUB_API || process.env.SEED_NETWORK_API!;
+	if (process.env.SEEDCLUB_API_URL) return process.env.SEEDCLUB_API_URL;
 	if (shouldPreferLocalBases()) return LOCAL_API_BASE;
 	const storedBases = tryReadStoredBasesSync();
 	if (storedBases?.apiBase) return storedBases.apiBase;
@@ -90,12 +85,7 @@ export function getApiBase(): string {
 }
 
 export function getAuthBase(): string {
-	if (
-		process.env.SEEDCLUB_AUTH_URL ||
-		process.env.SEEDCLUB_AUTH ||
-		process.env.SEED_NETWORK_AUTH
-	)
-		return process.env.SEEDCLUB_AUTH_URL || process.env.SEEDCLUB_AUTH || process.env.SEED_NETWORK_AUTH!;
+	if (process.env.SEEDCLUB_AUTH_URL) return process.env.SEEDCLUB_AUTH_URL;
 	if (shouldPreferLocalBases()) return LOCAL_AUTH_BASE;
 	const storedBases = tryReadStoredBasesSync();
 	if (storedBases?.authBase) return storedBases.authBase;
@@ -141,18 +131,14 @@ async function tryReadTokenFile(path: string): Promise<StoredToken | null> {
 		if (
 			stored.apiBase &&
 			!shouldPreferLocalBases() &&
-			!process.env.SEEDCLUB_API_URL &&
-			!process.env.SEEDCLUB_API &&
-			!process.env.SEED_NETWORK_API
+			!process.env.SEEDCLUB_API_URL
 		) {
 			_cachedApiBase = stored.apiBase;
 		}
 		if (
 			stored.authBase &&
 			!shouldPreferLocalBases() &&
-			!process.env.SEEDCLUB_AUTH_URL &&
-			!process.env.SEEDCLUB_AUTH &&
-			!process.env.SEED_NETWORK_AUTH
+			!process.env.SEEDCLUB_AUTH_URL
 		) {
 			_cachedAuthBase = stored.authBase;
 		}
@@ -189,8 +175,7 @@ export async function getStoredBases(): Promise<StoredBases | null> {
 }
 
 export async function getToken(): Promise<string | null> {
-	if (process.env.SEEDCLUB_ACCESS_TOKEN || process.env.SEEDCLUB_TOKEN || process.env.SEED_NETWORK_TOKEN)
-		return (process.env.SEEDCLUB_ACCESS_TOKEN || process.env.SEEDCLUB_TOKEN || process.env.SEED_NETWORK_TOKEN)!;
+	if (process.env.SEEDCLUB_ACCESS_TOKEN) return process.env.SEEDCLUB_ACCESS_TOKEN;
 	const stored = await getStoredToken();
 	return stored?.token ?? null;
 }

package/assets/extensions/seedclub/commands/seedclub.ts

@@ -15,7 +15,8 @@ import {
 import { getCurrentUser, getSessionContext } from "../tools/utility.js";
 
 interface SeedclubDeps {
-	connect: (args: string | undefined, ctx: any) => Promise<void>;
+	connect: (args: string | undefined, ctx: any) => Promise<boolean>;
+	connectCalendar: (ctx: any) => Promise<void>;
 	disconnect: (ctx: any) => Promise<void>;
 }
 
@@ -64,6 +65,13 @@ export function registerSeedclubCommand(pi: ExtensionAPI, deps: SeedclubDeps) {
 		},
 	});
 
+	pi.registerCommand("connect-calendar", {
+		description: "Connect a personal Google Calendar to your Seed Club account",
+		handler: async (_args, ctx) => {
+			await deps.connectCalendar(ctx);
+		},
+	});
+
 	pi.registerCommand("clearcontext", {
 		description: "Compact the current conversation to free context while keeping Seed Club state",
 		handler: async (_args, ctx) => {
@@ -101,10 +109,7 @@ export function registerSeedclubCommand(pi: ExtensionAPI, deps: SeedclubDeps) {
 		description: "Seed Club",
 		handler: async (args, ctx) => {
 			const stored = await getStoredToken();
-			const hasEnvToken =
-				!!process.env.SEEDCLUB_ACCESS_TOKEN ||
-				!!process.env.SEEDCLUB_TOKEN ||
-				!!process.env.SEED_NETWORK_TOKEN;
+			const hasEnvToken = !!process.env.SEEDCLUB_ACCESS_TOKEN;
 			const isConnected = !!stored || hasEnvToken;
 
 			if (!isConnected) {
@@ -129,6 +134,7 @@ export function registerSeedclubCommand(pi: ExtensionAPI, deps: SeedclubDeps) {
 				"Show API/Auth environment",
 				"Use local API/Auth",
 				"Use prod API/Auth",
+				"Connect personal calendar",
 				"Open CRM prompt",
 				"Open meetings prompt",
 				"Open transcripts prompt",
@@ -168,6 +174,9 @@ export function registerSeedclubCommand(pi: ExtensionAPI, deps: SeedclubDeps) {
 				case "Use prod API/Auth":
 					await setSeedEnvironment("prod", ctx);
 					break;
+				case "Connect personal calendar":
+					await deps.connectCalendar(ctx);
+					break;
 				case "Open CRM prompt":
 					await new Promise((r) => setTimeout(r, 300));
 					ctx.ui.setEditorText("List CRM records for my workspace.");

package/assets/extensions/seedclub/gate-state.ts

@@ -0,0 +1,85 @@
+export type SeedclubAuthGateStatus = "auth_required" | "auth_in_progress" | "auth_complete";
+
+export interface SeedclubAuthGateState {
+	status: SeedclubAuthGateStatus;
+	authUrl: string | null;
+	message: string | null;
+	error: string | null;
+}
+
+export const AUTH_GATE_ALLOWED_COMMANDS = new Set([
+	"connect",
+	"seedclub",
+	"seedenv",
+	"commands",
+	"extensions",
+]);
+
+const state: SeedclubAuthGateState = {
+	status: "auth_required",
+	authUrl: null,
+	message: "Seed Club sign-in is required before /login or /model.",
+	error: null,
+};
+
+const listeners = new Set<() => void>();
+
+function emit() {
+	for (const listener of listeners) listener();
+}
+
+function setState(next: Partial<SeedclubAuthGateState>) {
+	Object.assign(state, next);
+	emit();
+}
+
+export function getAuthGateState(): SeedclubAuthGateState {
+	return { ...state };
+}
+
+export function subscribeToAuthGate(listener: () => void): () => void {
+	listeners.add(listener);
+	return () => listeners.delete(listener);
+}
+
+export function markAuthRequired(options?: { authUrl?: string | null; message?: string | null; error?: string | null }) {
+	setState({
+		status: "auth_required",
+		authUrl: options?.authUrl ?? state.authUrl,
+		message: options?.message ?? "Seed Club sign-in is required before /login or /model.",
+		error: options?.error ?? null,
+	});
+}
+
+export function markAuthInProgress(options?: { authUrl?: string | null; message?: string | null; error?: string | null }) {
+	setState({
+		status: "auth_in_progress",
+		authUrl: options?.authUrl ?? state.authUrl,
+		message: options?.message ?? "Opening your browser for Seed Club sign-in.",
+		error: options?.error ?? null,
+	});
+}
+
+export function markAuthComplete(message?: string | null) {
+	setState({
+		status: "auth_complete",
+		authUrl: null,
+		message: message ?? null,
+		error: null,
+	});
+}
+
+export function isAuthGateBlocking(): boolean {
+	return state.status !== "auth_complete";
+}
+
+export function getCommandName(text: string): string | null {
+	const trimmed = text.trim();
+	if (!trimmed.startsWith("/")) return null;
+	const token = trimmed.slice(1).split(/\s+/).find(Boolean);
+	return token ? token.toLowerCase() : null;
+}
+
+export function isAllowedDuringAuthGate(commandName: string | null): boolean {
+	return !!commandName && AUTH_GATE_ALLOWED_COMMANDS.has(commandName);
+}