@clubnet/seedclub 0.2.28 → 0.2.29

package/README.md

@@ -30,9 +30,10 @@ seedclub
 
 On a fresh install, the normal setup flow is:
 
-1. `/login` to sign in to a model provider such as Anthropic, OpenAI, or Gemini
-2. `/model` to choose the model you want to use
-3. `/connect` to connect your Seed Club account
+1. Run `seedclub`
+2. Seed Club auth opens automatically
+3. `/login` to sign in to a model provider such as Anthropic, OpenAI, or Gemini
+4. `/model` to choose the model you want to use
 
 After that, run `/seedclub` to open the main Seed Club menu.
 
@@ -42,24 +43,19 @@ After that, run `/seedclub` to open the main Seed Club menu.
 curl -fsSL https://raw.githubusercontent.com/seedclub/seedclub-agent/main/install.sh | bash
 ```
 
-### Internal install auth
+### Package access
 
-`@clubnet/seedclub` is currently a private npm package. This auth is only for installing or updating the package from npm. It is separate from `/login` and `/connect` inside the app.
-
-```bash
-npm login
-```
-
-Then `npm install -g @clubnet/seedclub` and `seedclub update` work.
+`@clubnet/seedclub` is a public npm package. Install access is open; runtime access is enforced by Seed Club auth inside the app.
 
 ## Core workflow
 
 The normal interactive flow is:
 
 1. Start the app with `seedclub`
-2. Complete `/login`, `/model`, and `/connect` if this is your first run
-3. Open `/seedclub`
-4. Choose the CRM, meetings, media, recordings, or transcript workflow you need
+2. Complete Seed Club auth when the browser opens
+3. Complete `/login` and `/model` if this is your first run
+4. Open `/seedclub`
+5. Choose the CRM, meetings, media, recordings, or transcript workflow you need
 
 ## Commands
 
@@ -78,15 +74,21 @@ Natural-language transcript retrieval is also supported (no slash command requir
 
 There are two separate auth layers in the product:
 
-1. Model auth: `/login`
-   This signs you into the LLM provider you want the agent to use.
-2. Seed Club auth: `/connect`
+1. Seed Club auth: auto-start on launch or `/connect`
    This connects the CLI to your Seed Club account so Seed Club tools and commands can read and write account data.
+2. Model auth: `/login`
+   This signs you into the LLM provider you want the agent to use.
 3. Personal calendar connect: `/connect-calendar`
    This connects a Google Calendar to your Seed Club account for booking and availability workflows. It is only needed if you want the agent to schedule using your personal calendar.
 
+Seed Club auth is the first gate. Until it succeeds, normal harness usage is blocked and only the setup commands are available.
+
 `/seedclub` is the main entry point for Seed Club actions. If you are not connected yet, it will start the Seed Club connect flow automatically.
 
+CLI auth now prefers an authorization-code exchange:
+- browser callback: `http://127.0.0.1:<port>/callback?code=...&state=...`
+- CLI exchange: `POST ${SEEDCLUB_API_URL}/auth/cli/exchange` with `{ code, state }`
+
 Power-user env overrides:
 
 ```bash

package/assets/extensions/seedclub/auth.ts

@@ -1,7 +1,7 @@
 /**
  * Token storage for Seed Club.
  *
- * Priority: SEEDCLUB_ACCESS_TOKEN / SEEDCLUB_TOKEN env var > stored token file.
+ * Priority: SEEDCLUB_ACCESS_TOKEN env var > stored token file.
  * Use /seedclub to connect.
  */
 
@@ -76,12 +76,7 @@ function tryReadStoredBasesSync(): StoredBases | null {
 }
 
 export function getApiBase(): string {
-	if (
-		process.env.SEEDCLUB_API_URL ||
-		process.env.SEEDCLUB_API ||
-		process.env.SEED_NETWORK_API
-	)
-		return process.env.SEEDCLUB_API_URL || process.env.SEEDCLUB_API || process.env.SEED_NETWORK_API!;
+	if (process.env.SEEDCLUB_API_URL) return process.env.SEEDCLUB_API_URL;
 	if (shouldPreferLocalBases()) return LOCAL_API_BASE;
 	const storedBases = tryReadStoredBasesSync();
 	if (storedBases?.apiBase) return storedBases.apiBase;
@@ -90,12 +85,7 @@ export function getApiBase(): string {
 }
 
 export function getAuthBase(): string {
-	if (
-		process.env.SEEDCLUB_AUTH_URL ||
-		process.env.SEEDCLUB_AUTH ||
-		process.env.SEED_NETWORK_AUTH
-	)
-		return process.env.SEEDCLUB_AUTH_URL || process.env.SEEDCLUB_AUTH || process.env.SEED_NETWORK_AUTH!;
+	if (process.env.SEEDCLUB_AUTH_URL) return process.env.SEEDCLUB_AUTH_URL;
 	if (shouldPreferLocalBases()) return LOCAL_AUTH_BASE;
 	const storedBases = tryReadStoredBasesSync();
 	if (storedBases?.authBase) return storedBases.authBase;
@@ -141,18 +131,14 @@ async function tryReadTokenFile(path: string): Promise<StoredToken | null> {
 		if (
 			stored.apiBase &&
 			!shouldPreferLocalBases() &&
-			!process.env.SEEDCLUB_API_URL &&
-			!process.env.SEEDCLUB_API &&
-			!process.env.SEED_NETWORK_API
+			!process.env.SEEDCLUB_API_URL
 		) {
 			_cachedApiBase = stored.apiBase;
 		}
 		if (
 			stored.authBase &&
 			!shouldPreferLocalBases() &&
-			!process.env.SEEDCLUB_AUTH_URL &&
-			!process.env.SEEDCLUB_AUTH &&
-			!process.env.SEED_NETWORK_AUTH
+			!process.env.SEEDCLUB_AUTH_URL
 		) {
 			_cachedAuthBase = stored.authBase;
 		}
@@ -189,8 +175,7 @@ export async function getStoredBases(): Promise<StoredBases | null> {
 }
 
 export async function getToken(): Promise<string | null> {
-	if (process.env.SEEDCLUB_ACCESS_TOKEN || process.env.SEEDCLUB_TOKEN || process.env.SEED_NETWORK_TOKEN)
-		return (process.env.SEEDCLUB_ACCESS_TOKEN || process.env.SEEDCLUB_TOKEN || process.env.SEED_NETWORK_TOKEN)!;
+	if (process.env.SEEDCLUB_ACCESS_TOKEN) return process.env.SEEDCLUB_ACCESS_TOKEN;
 	const stored = await getStoredToken();
 	return stored?.token ?? null;
 }

package/assets/extensions/seedclub/commands/seedclub.ts

@@ -15,7 +15,7 @@ import {
 import { getCurrentUser, getSessionContext } from "../tools/utility.js";
 
 interface SeedclubDeps {
-	connect: (args: string | undefined, ctx: any) => Promise<void>;
+	connect: (args: string | undefined, ctx: any) => Promise<boolean>;
 	connectCalendar: (ctx: any) => Promise<void>;
 	disconnect: (ctx: any) => Promise<void>;
 }
@@ -109,10 +109,7 @@ export function registerSeedclubCommand(pi: ExtensionAPI, deps: SeedclubDeps) {
 		description: "Seed Club",
 		handler: async (args, ctx) => {
 			const stored = await getStoredToken();
-			const hasEnvToken =
-				!!process.env.SEEDCLUB_ACCESS_TOKEN ||
-				!!process.env.SEEDCLUB_TOKEN ||
-				!!process.env.SEED_NETWORK_TOKEN;
+			const hasEnvToken = !!process.env.SEEDCLUB_ACCESS_TOKEN;
 			const isConnected = !!stored || hasEnvToken;
 
 			if (!isConnected) {

package/assets/extensions/seedclub/gate-state.ts

@@ -0,0 +1,85 @@
+export type SeedclubAuthGateStatus = "auth_required" | "auth_in_progress" | "auth_complete";
+
+export interface SeedclubAuthGateState {
+	status: SeedclubAuthGateStatus;
+	authUrl: string | null;
+	message: string | null;
+	error: string | null;
+}
+
+export const AUTH_GATE_ALLOWED_COMMANDS = new Set([
+	"connect",
+	"seedclub",
+	"seedenv",
+	"commands",
+	"extensions",
+]);
+
+const state: SeedclubAuthGateState = {
+	status: "auth_required",
+	authUrl: null,
+	message: "Seed Club sign-in is required before /login or /model.",
+	error: null,
+};
+
+const listeners = new Set<() => void>();
+
+function emit() {
+	for (const listener of listeners) listener();
+}
+
+function setState(next: Partial<SeedclubAuthGateState>) {
+	Object.assign(state, next);
+	emit();
+}
+
+export function getAuthGateState(): SeedclubAuthGateState {
+	return { ...state };
+}
+
+export function subscribeToAuthGate(listener: () => void): () => void {
+	listeners.add(listener);
+	return () => listeners.delete(listener);
+}
+
+export function markAuthRequired(options?: { authUrl?: string | null; message?: string | null; error?: string | null }) {
+	setState({
+		status: "auth_required",
+		authUrl: options?.authUrl ?? state.authUrl,
+		message: options?.message ?? "Seed Club sign-in is required before /login or /model.",
+		error: options?.error ?? null,
+	});
+}
+
+export function markAuthInProgress(options?: { authUrl?: string | null; message?: string | null; error?: string | null }) {
+	setState({
+		status: "auth_in_progress",
+		authUrl: options?.authUrl ?? state.authUrl,
+		message: options?.message ?? "Opening your browser for Seed Club sign-in.",
+		error: options?.error ?? null,
+	});
+}
+
+export function markAuthComplete(message?: string | null) {
+	setState({
+		status: "auth_complete",
+		authUrl: null,
+		message: message ?? null,
+		error: null,
+	});
+}
+
+export function isAuthGateBlocking(): boolean {
+	return state.status !== "auth_complete";
+}
+
+export function getCommandName(text: string): string | null {
+	const trimmed = text.trim();
+	if (!trimmed.startsWith("/")) return null;
+	const token = trimmed.slice(1).split(/\s+/).find(Boolean);
+	return token ? token.toLowerCase() : null;
+}
+
+export function isAllowedDuringAuthGate(commandName: string | null): boolean {
+	return !!commandName && AUTH_GATE_ALLOWED_COMMANDS.has(commandName);
+}

package/assets/extensions/seedclub/index.ts

@@ -19,8 +19,19 @@ import { registerCrmTools } from "./tools/crm.js";
 import { registerMeetingTools } from "./tools/meetings.js";
 import { registerMediaTools } from "./tools/media.js";
 import registerBrandingGuard from "./branding.js";
+import {
+	getCommandName,
+	isAllowedDuringAuthGate,
+	isAuthGateBlocking,
+	markAuthComplete,
+	markAuthInProgress,
+	markAuthRequired,
+} from "./gate-state.js";
 
 export default function (pi: ExtensionAPI) {
+	const ENV_TOKEN_KEYS = ["SEEDCLUB_ACCESS_TOKEN"] as const;
+	let connectInFlight: Promise<boolean> | null = null;
+
 	const formatSeedLabel = (name?: string, email?: string) => {
 		const label = (name?.trim() || email?.trim() || "connected").replace(/\s+/g, " ");
 		return label;
@@ -65,60 +76,176 @@ export default function (pi: ExtensionAPI) {
 		registerTranscriptIntentInterceptor(pi);
 	}
 
-	// Show connection status on session start
-	pi.on("session_start", async (_event, ctx) => {
-		const stored = await getStoredToken();
+	function getPostAuthInstruction(ctx: any): string | null {
+		const hasProviderAuth = ctx.modelRegistry.getAvailable().length > 0;
+		const hasSelectedModel = !!ctx.model;
+		if (!hasProviderAuth) return "Next: /login, then /model.";
+		if (!hasSelectedModel) return "Next: /model.";
+		return null;
+	}
+
+	function clearSeedStatuses(ctx: any) {
+		ctx.ui.setStatus("seed", undefined);
+		ctx.ui.setStatus("seed-env", undefined);
+		ctx.ui.setStatus("seed-api", undefined);
+		ctx.ui.setStatus("seed-auth", undefined);
+	}
+
+	async function applyConnectedStatus(ctx: any, user: { name?: string | null; email?: string | null }) {
 		const storedBases = await getStoredBases();
 		const effectiveApiBase = getApiBase();
 		const effectiveAuthBase = getAuthBase();
-		if (stored) {
-			const isDev = effectiveApiBase.includes("localhost") || effectiveApiBase.includes("127.0.0.1");
-			const hasSeparateDevAuthBase =
-				effectiveAuthBase !== effectiveApiBase &&
-				(effectiveAuthBase.includes("localhost") || effectiveAuthBase.includes("127.0.0.1"));
-			ctx.ui.setStatus("seed", formatSeedLabel(stored.name, stored.email));
-			if (storedBases?.mode) ctx.ui.setStatus("seed-env", `env: ${storedBases.mode}`);
-			if (isDev) ctx.ui.setStatus("seed-api", `dev: ${effectiveApiBase}`);
-			if (hasSeparateDevAuthBase) ctx.ui.setStatus("seed-auth", `auth: ${effectiveAuthBase}`);
-		} else if (process.env.SEEDCLUB_ACCESS_TOKEN || process.env.SEEDCLUB_TOKEN || process.env.SEED_NETWORK_TOKEN) {
-			ctx.ui.setStatus("seed", "seed: connected (env)");
+		const isDev = effectiveApiBase.includes("localhost") || effectiveApiBase.includes("127.0.0.1");
+		const hasSeparateDevAuthBase =
+			effectiveAuthBase !== effectiveApiBase &&
+			(effectiveAuthBase.includes("localhost") || effectiveAuthBase.includes("127.0.0.1"));
+
+		ctx.ui.setStatus("seed", formatSeedLabel(user.name ?? undefined, user.email ?? undefined));
+		if (storedBases?.mode) ctx.ui.setStatus("seed-env", `env: ${storedBases.mode}`);
+		else ctx.ui.setStatus("seed-env", undefined);
+		if (isDev) ctx.ui.setStatus("seed-api", `dev: ${effectiveApiBase}`);
+		else ctx.ui.setStatus("seed-api", undefined);
+		if (hasSeparateDevAuthBase) ctx.ui.setStatus("seed-auth", `auth: ${effectiveAuthBase}`);
+		else ctx.ui.setStatus("seed-auth", undefined);
+	}
+
+	function getRuntimeEnvToken(): string | null {
+		for (const key of ENV_TOKEN_KEYS) {
+			const value = process.env[key];
+			if (value?.trim()) return value;
 		}
+		return null;
+	}
+
+	function clearRuntimeEnvTokens() {
+		for (const key of ENV_TOKEN_KEYS) delete process.env[key];
+	}
+
+	async function validateCurrentCredential(ctx: any): Promise<{ name?: string | null; email?: string | null } | null> {
+		const envToken = getRuntimeEnvToken();
+		const stored = envToken ? null : await getStoredToken();
+		const token = envToken || stored?.token;
+		if (!token) return null;
+
+		markAuthInProgress({ message: "Checking Seed Club access..." });
+		setCachedToken(token, getApiBase());
+		const user = await getCurrentUser();
+		if ("error" in user) {
+			await clearCredentials();
+			if (envToken) clearRuntimeEnvTokens();
+			clearSeedStatuses(ctx);
+			return null;
+		}
+
+		await applyConnectedStatus(ctx, user);
+		return user;
+	}
+
+	async function ensureSeedclubAuthenticated(ctx: any): Promise<boolean> {
+		const existing = await validateCurrentCredential(ctx);
+		if (existing) {
+			markAuthComplete(getPostAuthInstruction(ctx));
+			return true;
+		}
+		return connect(undefined, ctx, { autoStart: true });
+	}
+
+	pi.on("session_start", (_event, ctx) => {
+		if (getRuntimeEnvToken()) {
+			markAuthInProgress({ message: "Checking Seed Club access..." });
+		}
+		void ensureSeedclubAuthenticated(ctx);
 	});
 
 	// --- Auth handlers ---
 
-	async function connect(args: string | undefined, ctx: any) {
-		const token = args?.trim();
-		if (token) {
-			if (!token) {
-				ctx.ui.notify("Invalid token.", "error");
-				return;
-			}
-			await verifyAndStore(token, ctx);
-			return;
+	async function connect(args: string | undefined, ctx: any, options?: { autoStart?: boolean }) {
+		if (connectInFlight) {
+			ctx.ui.notify("Seed Club sign-in is already in progress.", "info");
+			return connectInFlight;
 		}
 
-		const apiBase = getApiBase();
-		const authBase = getAuthBase();
-		const port = await findAvailablePort();
-		const state = randomBytes(16).toString("hex");
-		const authUrl = `${authBase}/auth/cli/authorize?port=${port}&state=${state}`;
+		const run = async () => {
+			const trimmedArgs = args?.trim();
+			const isReset = trimmedArgs?.toLowerCase() === "reset";
+			const token = isReset ? undefined : trimmedArgs;
+			if (token) return verifyAndStore(token, ctx, { notifyOnSuccess: true });
+
+			const apiBase = getApiBase();
+			const authBase = getAuthBase();
+			const port = await findAvailablePort();
+			const state = randomBytes(16).toString("hex");
+			const authorizePath = `/auth/cli/authorize?port=${port}&state=${state}`;
+			const authUrl = isReset
+				? new URL(`/auth/sign-out?redirect=${encodeURIComponent(authorizePath)}`, authBase.endsWith("/") ? authBase : `${authBase}/`).toString()
+				: new URL(authorizePath, authBase.endsWith("/") ? authBase : `${authBase}/`).toString();
+
+			if (isReset) {
+				await clearCredentials();
+				clearRuntimeEnvTokens();
+				clearSeedStatuses(ctx);
+				markAuthRequired({
+					authUrl: null,
+					message: "Seed Club sign-in is required before /login or /model.",
+					error: null,
+				});
+			}
 
-		ctx.ui.notify("Opening browser to sign in...", "info");
+			markAuthInProgress({
+				authUrl,
+				message: isReset
+					? "Resetting your Seed Club sign-in and opening the browser to switch accounts."
+					: options?.autoStart
+						? "Seed Club sign-in is required before /login or /model. Opening your browser now."
+						: "Opening your browser for Seed Club sign-in.",
+				error: null,
+			});
+			ctx.ui.notify(isReset ? "Opening browser to switch Seed Club accounts..." : "Opening browser to sign in...", "info");
+
+			const opened = await openExternalUrl(pi, authUrl, ctx);
+			if (!opened) {
+				markAuthInProgress({
+					authUrl,
+					message: "Open the Seed Club auth link below to continue.",
+					error: "Browser launch failed. Open the auth URL manually.",
+				});
+			}
 
-		openExternalUrl(pi, authUrl, ctx);
+			try {
+				const result = await waitForCallback(port, state, apiBase);
+				return verifyAndStore(result.token, ctx, {
+					emailHint: result.email,
+					notifyOnSuccess: true,
+				});
+			} catch (error) {
+				const message = error instanceof Error ? error.message : "Auth failed";
+				markAuthRequired({
+					authUrl,
+					message: "Seed Club sign-in is still required. Run /connect to retry.",
+					error: message,
+				});
+				ctx.ui.notify(message, "error");
+				return false;
+			}
+		};
 
+		connectInFlight = run();
 		try {
-			const result = await waitForCallback(port, state);
-			await verifyAndStore(result.token, ctx, result.email);
-		} catch (error) {
-			ctx.ui.notify(error instanceof Error ? error.message : "Auth failed", "error");
+			return await connectInFlight;
+		} finally {
+			connectInFlight = null;
 		}
 	}
 
 	async function disconnect(ctx: any) {
 		await clearCredentials();
-		ctx.ui.setStatus("seed", undefined);
+		clearRuntimeEnvTokens();
+		clearSeedStatuses(ctx);
+		markAuthRequired({
+			authUrl: null,
+			message: "Seed Club sign-in is required before /login or /model.",
+			error: null,
+		});
 		ctx.ui.notify("Logged out", "info");
 	}
 
@@ -192,23 +319,61 @@ export default function (pi: ExtensionAPI) {
 		}
 	}
 
-	async function verifyAndStore(token: string, ctx: any, emailHint?: string) {
+	async function verifyAndStore(
+		token: string,
+		ctx: any,
+		options?: { emailHint?: string; notifyOnSuccess?: boolean },
+	): Promise<boolean> {
 		const apiBase = getApiBase();
 		const authBase = getAuthBase();
-		await storeToken(token, emailHint || "pending", apiBase, { authBase });
+		markAuthInProgress({ message: "Verifying Seed Club access...", error: null });
+		await storeToken(token, options?.emailHint || "pending", apiBase, { authBase });
 		setCachedToken(token, apiBase);
 
 		const result = await getCurrentUser();
 		if ("error" in result) {
 			await clearCredentials();
+			clearSeedStatuses(ctx);
+			markAuthRequired({
+				authUrl: null,
+				message: "Seed Club sign-in is still required. Run /connect to retry.",
+				error: `Token verification failed: ${result.error}`,
+			});
 			ctx.ui.notify(`Token verification failed: ${result.error}`, "error");
-			return;
+			return false;
 		}
 
 		await storeToken(token, result.email, apiBase, { authBase, name: result.name });
-		ctx.ui.notify(`Connected as ${result.name || result.email}`, "info");
-		ctx.ui.setStatus("seed", formatSeedLabel(result.name, result.email));
+		await applyConnectedStatus(ctx, result);
+		const nextStep = getPostAuthInstruction(ctx);
+		markAuthComplete(nextStep);
+		if (options?.notifyOnSuccess) {
+			const suffix = nextStep ? ` ${nextStep}` : "";
+			ctx.ui.notify(`Connected as ${result.name || result.email}.${suffix}`.trim(), "info");
+		}
+		return true;
 	}
+
+	pi.on("input", async (event, ctx) => {
+		if (event.source !== "interactive" || !isAuthGateBlocking()) return;
+
+		const text = event.text.trim();
+		if (!text) return { action: "handled" as const };
+
+		const commandName = getCommandName(text);
+		if (commandName && isAllowedDuringAuthGate(commandName)) return;
+
+		if (commandName === "login" || commandName === "model") {
+			ctx.ui.notify("Connect to Seed Club first.", "info");
+			return { action: "handled" as const };
+		}
+
+		ctx.ui.notify(
+			"Connect to Seed Club first. Allowed now: /connect, /seedclub, /seedenv, /commands, /extensions.",
+			"info",
+		);
+		return { action: "handled" as const };
+	});
 }
 
 // --- Helpers ---
@@ -228,7 +393,84 @@ function findAvailablePort(): Promise<number> {
 	});
 }
 
-function waitForCallback(port: number, state: string): Promise<{ token: string; email: string }> {
+async function exchangeCliCode(
+	apiBase: string,
+	code: string,
+	state: string,
+): Promise<{ token: string; email: string; name?: string | null }> {
+	const url = new URL("/auth/cli/exchange", apiBase.endsWith("/") ? apiBase : `${apiBase}/`);
+	const response = await fetch(url.toString(), {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/json",
+			Accept: "application/json",
+		},
+		body: JSON.stringify({ code, state }),
+		signal: AbortSignal.timeout(10_000),
+	});
+
+	const text = await response.text();
+	let data: any = {};
+	try {
+		data = text ? JSON.parse(text) : {};
+	} catch {
+		if (!response.ok) {
+			throw new Error(`CLI code exchange failed (${response.status}).`);
+		}
+		throw new Error("CLI code exchange returned invalid JSON.");
+	}
+
+	if (!response.ok) {
+		const message =
+			typeof data?.error === "string" && data.error.trim()
+				? data.error.trim()
+				: `CLI code exchange failed (${response.status}).`;
+		throw new Error(message);
+	}
+
+	if (typeof data?.token !== "string" || !data.token.trim()) {
+		throw new Error("CLI code exchange returned no token.");
+	}
+
+	return {
+		token: data.token,
+		email: typeof data?.email === "string" && data.email.trim() ? data.email : "unknown",
+		name: typeof data?.name === "string" && data.name.trim() ? data.name : null,
+	};
+}
+
+async function verifyCliSessionContext(apiBase: string, token: string): Promise<void> {
+	const url = new URL("/session/context", apiBase.endsWith("/") ? apiBase : `${apiBase}/`);
+	const response = await fetch(url.toString(), {
+		method: "GET",
+		headers: {
+			Authorization: `Bearer ${token}`,
+			Accept: "application/json",
+		},
+		signal: AbortSignal.timeout(10_000),
+	});
+
+	const text = await response.text();
+	let data: any = {};
+	try {
+		data = text ? JSON.parse(text) : {};
+	} catch {
+		if (!response.ok) {
+			throw new Error(`Seed Club access verification failed (${response.status}).`);
+		}
+		throw new Error("Seed Club access verification returned invalid JSON.");
+	}
+
+	if (!response.ok) {
+		const message =
+			typeof data?.error === "string" && data.error.trim()
+				? data.error.trim()
+				: `Seed Club access verification failed (${response.status}).`;
+		throw new Error(message);
+	}
+}
+
+function waitForCallback(port: number, state: string, apiBase: string): Promise<{ token: string; email: string }> {
 	return new Promise((resolve, reject) => {
 		const timeout = setTimeout(() => {
 			server.close();
@@ -244,7 +486,12 @@ function waitForCallback(port: number, state: string): Promise<{ token: string;
 			}
 
 			const done = (status: number, body: string) => {
-				res.writeHead(status, { "Content-Type": "text/html; charset=utf-8" });
+				res.writeHead(status, {
+					"Content-Type": "text/html; charset=utf-8",
+					"Cache-Control": "no-store, max-age=0",
+					Pragma: "no-cache",
+					Expires: "0",
+				});
 				res.end(body);
 				clearTimeout(timeout);
 				server.close();
@@ -271,26 +518,44 @@ function waitForCallback(port: number, state: string): Promise<{ token: string;
 				reject(new Error(error));
 				return;
 			}
-			const token = url.searchParams.get("token");
-			if (!token?.trim()) {
-				done(400, renderCallbackPage({
-					eyebrow: "Seed Club Auth",
-					title: "No token was returned.",
-					message: "Seed Club completed sign-in, but the local callback did not receive a usable token. Try /connect again.",
-					status: "error",
-				}));
-				reject(new Error("Invalid token"));
-				return;
-			}
-
-			const email = url.searchParams.get("email") || "unknown";
-			done(200, renderCallbackPage({
-				eyebrow: "Seed Club Auth",
-				title: "You're connected.",
-				message: `Signed in as ${escapeHtml(email)}. Your CLI session is active and the token has been handed off to the agent.`,
-				status: "success",
-			}));
-			resolve({ token, email });
+			void (async () => {
+				try {
+					const code = url.searchParams.get("code");
+					if (!code?.trim()) {
+						done(400, renderCallbackPage({
+							eyebrow: "Seed Club Auth",
+							title: "No code was returned.",
+							message: "Seed Club completed sign-in, but the local callback did not receive a usable authorization code. Try /connect again.",
+							status: "error",
+							cleanUrlPath: "/callback",
+						}));
+						reject(new Error("Invalid authorization code"));
+						return;
+					}
+
+					const exchange = await exchangeCliCode(apiBase, code, state);
+					await verifyCliSessionContext(apiBase, exchange.token);
+					done(200, renderCallbackPage({
+						eyebrow: "Seed Club Auth",
+						title: "You're connected.",
+						message: `Signed in as ${escapeHtml(exchange.email)}. Seed Club access is verified and your CLI session is ready.`,
+						status: "success",
+						cleanUrlPath: "/callback",
+					}));
+					resolve({ token: exchange.token, email: exchange.email });
+				} catch (exchangeError) {
+					const message =
+						exchangeError instanceof Error ? exchangeError.message : "CLI code exchange failed.";
+					done(400, renderCallbackPage({
+						eyebrow: "Seed Club Auth",
+						title: "CLI token exchange failed.",
+						message,
+						status: "error",
+						cleanUrlPath: "/callback",
+					}));
+					reject(new Error(message));
+				}
+			})();
 		});
 
 		server.listen(port, "127.0.0.1");
@@ -301,13 +566,17 @@ function waitForCallback(port: number, state: string): Promise<{ token: string;
 	});
 }
 
-function openExternalUrl(pi: ExtensionAPI, url: string, ctx: any) {
+async function openExternalUrl(pi: ExtensionAPI, url: string, ctx: any): Promise<boolean> {
 	const openCmd =
 		process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
 
-	pi.exec(openCmd, [url]).catch(() => {
+	try {
+		await pi.exec(openCmd, [url]);
+		return true;
+	} catch {
 		ctx.ui.notify(`Open this link:\n${url}`, "info");
-	});
+		return false;
+	}
 }
 
 function waitForCalendarCallback(
@@ -329,7 +598,12 @@ function waitForCalendarCallback(
 			}
 
 			const done = (status: number, body: string) => {
-				res.writeHead(status, { "Content-Type": "text/html; charset=utf-8" });
+				res.writeHead(status, {
+					"Content-Type": "text/html; charset=utf-8",
+					"Cache-Control": "no-store, max-age=0",
+					Pragma: "no-cache",
+					Expires: "0",
+				});
 				res.end(body);
 				clearTimeout(timeout);
 				server.close();
@@ -368,6 +642,7 @@ function waitForCalendarCallback(
 				title: "Your calendar is connected.",
 				message: `Connected ${escapeHtml(accountLabel || accountUsername || "your Google Calendar")} to your Seed Club account.`,
 				status: "success",
+				cleanUrlPath: "/callback",
 			}));
 			resolve({
 				accountId: url.searchParams.get("accountId"),
@@ -398,6 +673,7 @@ function renderCallbackPage(input: {
 	title: string;
 	message: string;
 	status: "success" | "error";
+	cleanUrlPath?: string;
 }) {
 	const palette =
 		input.status === "success"
@@ -519,6 +795,11 @@ function renderCallbackPage(input: {
 				}
 			}
 		</style>
+		<script>
+			try {
+				${input.cleanUrlPath ? `window.history.replaceState(null, "", ${JSON.stringify(input.cleanUrlPath)});` : ""}
+			} catch {}
+		</script>
 	</head>
 	<body>
 		<main class="shell">
@@ -526,7 +807,7 @@ function renderCallbackPage(input: {
 			<p class="eyebrow">${escapeHtml(input.eyebrow)}</p>
 			<h1>${escapeHtml(input.title)}</h1>
 			<p>${escapeHtml(input.message)}</p>
-			<div class="note">You can close this tab and return to your terminal.</div>
+			<div class="note">You can close this page and return to your terminal.</div>
 		</main>
 	</body>
 </html>`;

package/assets/extensions/seedclub-ui/welcome.ts

@@ -4,11 +4,10 @@
  */
 
 import { execFileSync } from "node:child_process";
-import { existsSync } from "node:fs";
-import { homedir } from "node:os";
-import { basename, join } from "node:path";
+import { basename } from "node:path";
 import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
 import { ApiError, NotConnectedError, api } from "../seedclub/api-client.js";
+import { getAuthGateState, isAuthGateBlocking, subscribeToAuthGate } from "../seedclub/gate-state.js";
 import { uiState } from "./state.js";
 
 const BOLD = "\x1b[1m";
@@ -278,12 +277,6 @@ async function withTimeout<T>(promise: Promise<T>, ms: number, fallback: T): Pro
 	}
 }
 
-function hasSeedConnection(): boolean {
-	if (process.env.SEEDCLUB_ACCESS_TOKEN || process.env.SEEDCLUB_TOKEN || process.env.SEED_NETWORK_TOKEN) return true;
-	const tokenPath = join(homedir(), ".config", "seedclub", "token");
-	return existsSync(tokenPath);
-}
-
 function getTerminalTitle(): string {
 	const cwd = basename(process.cwd());
 	return cwd ? `⦿ - ${cwd}` : "⦿";
@@ -305,19 +298,47 @@ function formatQuote(q: MarketQuote, theme: ThemeLike): string {
 
 function renderSetupLines(setupHints: string[], theme: ThemeLike): string[] {
 	return setupHints.flatMap((hint) => {
+		if (hint === "/connect") {
+			return [`  ${theme.fg("text", "/connect")} ${theme.fg("dim", "sign in to Seed Club")}`];
+		}
 		if (hint === "/login") {
 			return [`  ${theme.fg("text", "/login")} ${theme.fg("dim", "sign in with Anthropic, OpenAI, Gemini, or others")}`];
 		}
 		if (hint === "/model") {
 			return [`  ${theme.fg("text", "/model")} ${theme.fg("dim", "choose your model")}`];
 		}
-		if (hint === "/connect") {
-			return [`  ${theme.fg("text", "/connect")} ${theme.fg("dim", "to seeclub.com")}`];
-		}
 		return [`  ${theme.fg("text", hint)}`];
 	});
 }
 
+function renderAuthGateLines(theme: ThemeLike): string[] {
+	const gate = getAuthGateState();
+	const lines = [
+		"",
+		renderTitle(theme),
+		"",
+		`  ${theme.fg("accent", "Secure access required")}`,
+		`  ${theme.fg("dim", gate.message || "Seed Club sign-in is required before /login or /model.")}`,
+	];
+
+	if (gate.error) {
+		lines.push("");
+		lines.push(`  ${theme.fg("error", gate.error)}`);
+	}
+
+	if (gate.authUrl) {
+		lines.push("");
+		lines.push(`  ${theme.fg("text", "Auth URL")}`);
+		lines.push(`  ${theme.fg("mdLink", gate.authUrl)}`);
+	}
+
+	lines.push("");
+	lines.push(`  ${theme.fg("text", "/connect")} ${theme.fg("dim", "retry sign-in")}`);
+	lines.push(`  ${theme.fg("text", "/commands")} ${theme.fg("dim", "list commands available during setup")}`);
+	lines.push("");
+	return lines;
+}
+
 function renderTodayOn11amLines(today: TodayOn11am | null, theme: ThemeLike): string[] {
 	if (!today || !today.guests.length) return [];
 	const lines = [`  ${theme.fg("text", "Today on 11AM")}`];
@@ -392,6 +413,10 @@ function renderCoinLoaderLines(frame: number, theme: ThemeLike): string[] {
 	return [...lines, "", `${loadingIndent}${theme.fg("dim", loadingLabel)}`];
 }
 
+function shouldShowCommandInList(name: string): boolean {
+	return !name.startsWith("skill:");
+}
+
 export default function (pi: ExtensionAPI, options?: { enableFrame?: boolean }) {
 	let headerLines: string[] = [
 		"",
@@ -400,18 +425,13 @@ export default function (pi: ExtensionAPI, options?: { enableFrame?: boolean })
 		...renderCoinLoaderLines(0, PLAIN_THEME),
 		"",
 	];
+	let unsubscribeAuthGate: (() => void) | undefined;
 
 	pi.on("session_start", async (_event, ctx) => {
 		if (!ctx.hasUI) return;
 		applyTerminalTitle(ctx);
 		uiState.ready = false;
-		const hasAnyAuth = ctx.modelRegistry.getAvailable().length > 0;
-		const hasSelectedModel = !!ctx.model;
-		const connectedToSeed = hasSeedConnection();
-		const setupHints: string[] = [];
-		if (!hasAnyAuth) setupHints.push("/login");
-		if (!hasSelectedModel) setupHints.push("/model");
-		if (!connectedToSeed) setupHints.push("/connect");
+		unsubscribeAuthGate?.();
 
 		let tuiRef: any = null;
 		ctx.ui.setHeader((tui, theme) => {
@@ -436,77 +456,107 @@ export default function (pi: ExtensionAPI, options?: { enableFrame?: boolean })
 			};
 		});
 
-		const setupLines = renderSetupLines(setupHints, ctx.ui.theme);
-		let loaderFrame = 0;
-		const renderLoadingHeader = () => {
-			headerLines = [
-				"",
-				renderTitle(ctx.ui.theme),
-				"",
-				...renderCoinLoaderLines(loaderFrame, ctx.ui.theme),
-				"",
-			];
-		};
-		renderLoadingHeader();
-		const loaderTimer = setInterval(() => {
-			loaderFrame += 1;
+		let loadStarted = false;
+
+		const startReadyHeader = () => {
+			if (loadStarted) return;
+			loadStarted = true;
+			uiState.ready = false;
+
+			const setupHints: string[] = [];
+			const hasAnyAuth = ctx.modelRegistry.getAvailable().length > 0;
+			const hasSelectedModel = !!ctx.model;
+			if (!hasAnyAuth) setupHints.push("/login");
+			if (!hasSelectedModel) setupHints.push("/model");
+			const setupLines = renderSetupLines(setupHints, ctx.ui.theme);
+
+			let loaderFrame = 0;
+			const renderLoadingHeader = () => {
+				headerLines = [
+					"",
+					renderTitle(ctx.ui.theme),
+					"",
+					...renderCoinLoaderLines(loaderFrame, ctx.ui.theme),
+					"",
+				];
+			};
 			renderLoadingHeader();
+			const loaderTimer = setInterval(() => {
+				loaderFrame += 1;
+				renderLoadingHeader();
+				tuiRef?.requestRender();
+			}, 120);
+			loaderTimer.unref?.();
 			tuiRef?.requestRender();
-		}, 120);
-		loaderTimer.unref?.();
-		tuiRef?.requestRender();
-
-		const todayPromise = fetchTodayOn11am();
-		void Promise.all([
-			getData(),
-			withTimeout(todayPromise, TODAY_PREFETCH_TIMEOUT_MS, null),
-		]).then(([{ weather, market }, todayOn11am]) => {
-			clearInterval(loaderTimer);
-			const renderReadyHeader = (today: TodayOn11am | null) => {
-				const theme = ctx.ui.theme;
-				const weatherLine = `  ${weather.icon} ${theme.fg("text", weather.temp)} ${theme.fg("dim", weather.condition)}  ${theme.fg("dim", "·")}  ${theme.fg("dim", weather.location)}`;
-				const marketLine = `  ${market.map((quote) => formatQuote(quote, theme)).join(`  ${theme.fg("dim", "·")}  `)}`;
-				const todayLines = renderTodayOn11amLines(today, theme);
-				uiState.todayOn11am = today;
+
+			const todayPromise = fetchTodayOn11am();
+			void Promise.all([
+				getData(),
+				withTimeout(todayPromise, TODAY_PREFETCH_TIMEOUT_MS, null),
+			]).then(([{ weather, market }, todayOn11am]) => {
+				clearInterval(loaderTimer);
+				const renderReadyHeader = (today: TodayOn11am | null) => {
+					const theme = ctx.ui.theme;
+					const weatherLine = `  ${weather.icon} ${theme.fg("text", weather.temp)} ${theme.fg("dim", weather.condition)}  ${theme.fg("dim", "·")}  ${theme.fg("dim", weather.location)}`;
+					const marketLine = `  ${market.map((quote) => formatQuote(quote, theme)).join(`  ${theme.fg("dim", "·")}  `)}`;
+					const todayLines = renderTodayOn11amLines(today, theme);
+					uiState.todayOn11am = today;
+					headerLines = [
+						"",
+						renderTitle(theme),
+						"",
+						weatherLine,
+						marketLine,
+						"",
+						...todayLines,
+						...(todayLines.length ? [""] : []),
+						...setupLines,
+						"",
+					];
+				};
+
+				renderReadyHeader(todayOn11am);
+				uiState.ready = true;
+				ctx.ui.setEditorText("");
+				tuiRef?.requestRender();
+
+				if (!todayOn11am?.guests.length) {
+					void todayPromise.then((freshToday) => {
+						if (!freshToday?.guests.length) return;
+						renderReadyHeader(freshToday);
+						tuiRef?.requestRender();
+					}).catch(() => {});
+				}
+			}).catch(() => {
+				clearInterval(loaderTimer);
 				headerLines = [
 					"",
-					renderTitle(theme),
-					"",
-					weatherLine,
-					marketLine,
+					renderTitle(ctx.ui.theme),
 					"",
-					...todayLines,
-					...(todayLines.length ? [""] : []),
 					...setupLines,
 					"",
 				];
-			};
-
-			renderReadyHeader(todayOn11am);
-			uiState.ready = true;
-			ctx.ui.setEditorText("");
-			tuiRef?.requestRender();
+				uiState.ready = true;
+				ctx.ui.setEditorText("");
+				tuiRef?.requestRender();
+			});
+		};
 
-			if (!todayOn11am?.guests.length) {
-				void todayPromise.then((freshToday) => {
-					if (!freshToday?.guests.length) return;
-					renderReadyHeader(freshToday);
-					tuiRef?.requestRender();
-				}).catch(() => {});
+		const renderCurrentHeader = () => {
+			if (isAuthGateBlocking()) {
+				loadStarted = false;
+				uiState.todayOn11am = null;
+				headerLines = renderAuthGateLines(ctx.ui.theme);
+				uiState.ready = true;
+				ctx.ui.setEditorText("");
+				tuiRef?.requestRender();
+				return;
 			}
-		}).catch(() => {
-			clearInterval(loaderTimer);
-			headerLines = [
-				"",
-				renderTitle(ctx.ui.theme),
-				"",
-				...setupLines,
-				"",
-			];
-			uiState.ready = true;
-			ctx.ui.setEditorText("");
-			tuiRef?.requestRender();
-		});
+			startReadyHeader();
+		};
+
+		unsubscribeAuthGate = subscribeToAuthGate(renderCurrentHeader);
+		renderCurrentHeader();
 	});
 
 	pi.on("turn_start", (_event, ctx) => {
@@ -546,9 +596,10 @@ ${rows.join("\n")}`,
 	pi.on("input", async (event, ctx) => {
 		if (event.source !== "interactive") return;
 		if (!uiState.ready) return { action: "handled" };
+		if (isAuthGateBlocking()) return;
 		if (event.text.trim().startsWith("/")) return;
 		if (ctx.model) return;
-		ctx.ui.notify("Set up first: /login, then /model, then /connect.", "info");
+		ctx.ui.notify("Set up next: /login, then /model.", "info");
 		return { action: "handled" };
 	});
 
@@ -556,7 +607,7 @@ ${rows.join("\n")}`,
 		description: "List all available commands",
 		handler: async (_args, ctx) => {
 			const theme = ctx.ui.theme;
-			const commands = pi.getCommands();
+			const commands = pi.getCommands().filter((cmd) => shouldShowCommandInList(cmd.name));
 			const lines = commands
 				.sort((a, b) => a.name.localeCompare(b.name))
 				.map((cmd) => `  ${theme.fg("accent", `/${cmd.name}`)}  ${theme.fg("dim", cmd.description || "")}`)

package/bin/cli.js

@@ -15,9 +15,8 @@ const SEEDCLUB_ENV_EXCLUDE = new Set(["SEEDCLUB_PI_MAIN"]);
 
 function printPrivateRegistryHint() {
 	console.error("seedclub: install/update failed.");
-	console.error("If npm reports a private package or permission error, run:");
-	console.error("  npm login");
-	console.error("  seedclub update");
+	console.error("Retry with:");
+	console.error("  npm install -g @clubnet/seedclub@latest");
 }
 
 function findPackageRoot(fromFile, expectedName) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@clubnet/seedclub",
-  "version": "0.2.28",
+  "version": "0.2.29",
   "description": "A branded command-line agent wrapper around pi, with integrated Seed Club commands, tools, and app actions",
   "license": "MIT",
   "repository": {
@@ -8,7 +8,7 @@
     "url": "git+https://github.com/seedclub/seedclub-agent.git"
   },
   "publishConfig": {
-    "access": "restricted"
+    "access": "public"
   },
   "bin": {
     "seedclub": "bin/cli.js"