@creativeintelligence/abbie 0.1.1 → 0.1.3

package/dist/cli/commands/start.d.ts

@@ -5,7 +5,8 @@
  *   1. Check Pi → not found → auto-install
  *   2. Install Abbie Pi extension
  *   3. Open browser for Clerk auth
- *   4. Launch Pi (extension auto-starts bridge)
+ *   4. Connect AI provider (OAuth — uses your subscription)
+ *   5. Launch Pi (extension auto-starts bridge)
  *
  * Subsequent runs:
  *   Launch Pi directly (extension handles bridge)

package/dist/cli/commands/start.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"start.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/start.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAQH,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAmCjD,MAAM,CAAC,OAAO,OAAO,cAAe,SAAQ,WAAW;IACrD,OAAgB,EAAE,SAAM;IACxB,OAAgB,OAAO,SAAkB;IACzC,OAAgB,WAAW,SAQsB;IAEjD,OAAgB,QAAQ,WAItB;IAEF,OAAgB,KAAK;;;;;;;MAUnB;IAGF,OAAgB,MAAM,UAAS;IAEzB,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC;YAsDnB,QAAQ;IAoFtB;;;OAGG;IACH,OAAO,CAAC,mBAAmB;CAmB5B"}
+{"version":3,"file":"start.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/start.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAQH,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAoCjD,MAAM,CAAC,OAAO,OAAO,cAAe,SAAQ,WAAW;IACrD,OAAgB,EAAE,SAAM;IACxB,OAAgB,OAAO,SAAkB;IACzC,OAAgB,WAAW,SAQsB;IAEjD,OAAgB,QAAQ,WAItB;IAEF,OAAgB,KAAK;;;;;;;MAUnB;IAGF,OAAgB,MAAM,UAAS;IAEzB,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC;YAyDnB,QAAQ;IAqFtB;;;OAGG;IACH,OAAO,CAAC,mBAAmB;CAmB5B"}

package/dist/cli/commands/start.js

@@ -5,7 +5,8 @@
  *   1. Check Pi → not found → auto-install
  *   2. Install Abbie Pi extension
  *   3. Open browser for Clerk auth
- *   4. Launch Pi (extension auto-starts bridge)
+ *   4. Connect AI provider (OAuth — uses your subscription)
+ *   5. Launch Pi (extension auto-starts bridge)
  *
  * Subsequent runs:
  *   Launch Pi directly (extension handles bridge)
@@ -17,6 +18,7 @@ import { fileURLToPath } from "node:url";
 import { spawnSync, spawn, execSync } from "node:child_process";
 import { Flags } from "@oclif/core";
 import { BaseCommand } from "../base-command.js";
+import { hasAnyProvider, ensureProviderConnected, getConnectedProviders } from "../../lib/provider-auth.js";
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 const PI_PACKAGE = "@mariozechner/pi-coding-agent";
@@ -86,17 +88,20 @@ After setup, just run \`abbie\` to start working.`;
         const extOk = extensionInstalled();
         // --status: show state and exit
         if (flags.status) {
+            const providers = getConnectedProviders();
             this.log("");
             this.log("  abbie status");
             this.log("");
             this.log(`  pi:        ${pi.installed ? `✓ ${pi.version}` : "✗ not installed"}`);
             this.log(`  extension: ${extOk ? "✓ installed" : "✗ not installed"}`);
             this.log(`  auth:      ${configured ? "✓ configured" : "✗ not configured"}`);
+            this.log(`  providers: ${providers.length > 0 ? `✓ ${providers.join(", ")}` : "✗ none connected"}`);
             this.log("");
-            return { pi: pi.installed, extension: extOk, auth: configured };
+            return { pi: pi.installed, extension: extOk, auth: configured, providers };
         }
         // Setup needed?
-        const needsSetup = flags.setup || !pi.installed || !configured || !extOk;
+        const providerOk = hasAnyProvider();
+        const needsSetup = flags.setup || !pi.installed || !configured || !extOk || !providerOk;
         if (needsSetup) {
             await this.runSetup(pi, configured, extOk);
             // Re-check after setup
@@ -130,7 +135,7 @@ After setup, just run \`abbie\` to start working.`;
         this.log("");
         // Step 1: Install Pi
         if (!pi.installed) {
-            this.log("  [1/3] installing pi...");
+            this.log("  [1/4] installing pi...");
             this.log(`         npm install -g ${PI_PACKAGE}`);
             this.log("");
             try {
@@ -158,12 +163,12 @@ After setup, just run \`abbie\` to start working.`;
             }
         }
         else {
-            this.log(`  [1/3] pi ${pi.version} ✓`);
+            this.log(`  [1/4] pi ${pi.version} ✓`);
         }
         this.log("");
         // Step 2: Install Abbie extension
         if (!extOk) {
-            this.log("  [2/3] installing abbie extension...");
+            this.log("  [2/4] installing abbie extension...");
             // Find the bundled extension
             const extSource = this.findExtensionSource();
             if (extSource) {
@@ -177,12 +182,12 @@ After setup, just run \`abbie\` to start working.`;
             }
         }
         else {
-            this.log("  [2/3] extension ✓");
+            this.log("  [2/4] extension ✓");
         }
         this.log("");
         // Step 3: Authenticate
         if (!configured) {
-            this.log("  [3/3] authenticating...");
+            this.log("  [3/4] authenticating...");
             this.log("         opening browser for login...");
             this.log("");
             // Delegate to the login command
@@ -194,13 +199,13 @@ After setup, just run \`abbie\` to start working.`;
             }
         }
         else {
-            this.log("  [3/3] authenticated ✓");
+            this.log("  [3/4] authenticated ✓");
         }
         this.log("");
-        this.log("  setup complete");
+        // Step 4: Connect AI provider
+        await ensureProviderConnected((msg) => this.log(msg));
         this.log("");
-        this.log("  tip: open Pi and type /login to connect an AI provider");
-        this.log("       (Anthropic, OpenAI, Google, or GitHub Copilot)");
+        this.log("  setup complete ✓");
     }
     /**
      * Find the bundled extension source directory.

package/dist/lib/provider-auth.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Provider OAuth Authentication
+ *
+ * Runs AI provider OAuth flows (Anthropic, OpenAI, Google, GitHub Copilot)
+ * using Pi's OAuth libraries, resolved dynamically from Pi's global install.
+ *
+ * Writes credentials to ~/.pi/agent/auth.json (Pi's auth storage format).
+ * This means Pi starts with providers already configured — no /login needed.
+ */
+export interface ProviderCredential {
+    type: "oauth";
+    refresh: string;
+    access: string;
+    expires: number;
+    [key: string]: unknown;
+}
+type AuthData = Record<string, ProviderCredential>;
+export declare function readAuthJson(): AuthData;
+export declare function getConnectedProviders(): string[];
+export declare function hasAnyProvider(): boolean;
+export interface ProviderInfo {
+    id: string;
+    name: string;
+    description: string;
+}
+export declare const PROVIDERS: ProviderInfo[];
+/**
+ * Run the provider selection + OAuth flow.
+ * Returns the provider ID that was connected, or null if cancelled.
+ */
+export declare function connectProvider(log: (msg: string) => void): Promise<string | null>;
+/**
+ * Check providers and optionally prompt for connection.
+ * Used in the setup wizard.
+ */
+export declare function ensureProviderConnected(log: (msg: string) => void): Promise<boolean>;
+export {};
+//# sourceMappingURL=provider-auth.d.ts.map

package/dist/lib/provider-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-auth.d.ts","sourceRoot":"","sources":["../../src/lib/provider-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAeH,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,KAAK,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;AAEnD,wBAAgB,YAAY,IAAI,QAAQ,CAOvC;AASD,wBAAgB,qBAAqB,IAAI,MAAM,EAAE,CAKhD;AAED,wBAAgB,cAAc,IAAI,OAAO,CAExC;AAMD,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,eAAO,MAAM,SAAS,EAAE,YAAY,EAMnC,CAAC;AAoEF;;;GAGG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GACzB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAiFxB;AAED;;;GAGG;AACH,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GACzB,OAAO,CAAC,OAAO,CAAC,CAkBlB"}

package/dist/lib/provider-auth.js

@@ -0,0 +1,193 @@
+/**
+ * Provider OAuth Authentication
+ *
+ * Runs AI provider OAuth flows (Anthropic, OpenAI, Google, GitHub Copilot)
+ * using Pi's OAuth libraries, resolved dynamically from Pi's global install.
+ *
+ * Writes credentials to ~/.pi/agent/auth.json (Pi's auth storage format).
+ * This means Pi starts with providers already configured — no /login needed.
+ */
+import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { execSync } from "node:child_process";
+import { createInterface } from "node:readline";
+import { exec } from "node:child_process";
+const AUTH_JSON = join(homedir(), ".pi", "agent", "auth.json");
+export function readAuthJson() {
+    try {
+        if (!existsSync(AUTH_JSON))
+            return {};
+        return JSON.parse(readFileSync(AUTH_JSON, "utf8"));
+    }
+    catch {
+        return {};
+    }
+}
+function writeAuthJson(data) {
+    const dir = join(homedir(), ".pi", "agent");
+    mkdirSync(dir, { recursive: true, mode: 0o700 });
+    writeFileSync(AUTH_JSON, JSON.stringify(data, null, 2), "utf8");
+    chmodSync(AUTH_JSON, 0o600);
+}
+export function getConnectedProviders() {
+    const data = readAuthJson();
+    return Object.entries(data)
+        .filter(([, v]) => v?.type === "oauth" && v.access)
+        .map(([k]) => k);
+}
+export function hasAnyProvider() {
+    return getConnectedProviders().length > 0;
+}
+export const PROVIDERS = [
+    { id: "anthropic", name: "Anthropic", description: "Claude Pro/Max subscription" },
+    { id: "openai-codex", name: "OpenAI", description: "ChatGPT Plus/Pro subscription" },
+    { id: "google-gemini-cli", name: "Google Gemini", description: "Google Cloud Code Assist" },
+    { id: "github-copilot", name: "GitHub Copilot", description: "Copilot Individual/Business" },
+    { id: "google-antigravity", name: "Google Antigravity", description: "Gemini 3, Claude, GPT via Google Cloud" },
+];
+async function importPiOAuth() {
+    // Strategy: find @mariozechner/pi-ai from Pi's global install
+    const candidates = [];
+    // 1. Try resolving from pi binary location
+    try {
+        const piPath = execSync("which pi", { encoding: "utf8", timeout: 3000 }).trim();
+        if (piPath) {
+            const { realpathSync } = await import("node:fs");
+            const realPath = realpathSync(piPath);
+            // pi binary -> bin/pi.mjs -> package root -> node_modules/@mariozechner/pi-ai
+            const pkgRoot = join(realPath, "..", "..");
+            candidates.push(join(pkgRoot, "node_modules", "@mariozechner", "pi-ai", "dist", "index.js"));
+        }
+    }
+    catch { /* not found */ }
+    // 2. Try common global paths
+    const nodeVersion = process.version.replace("v", "");
+    candidates.push(join(homedir(), ".nvm", "versions", "node", `v${nodeVersion}`, "lib", "node_modules", "@mariozechner", "pi-coding-agent", "node_modules", "@mariozechner", "pi-ai", "dist", "index.js"), join("/usr", "local", "lib", "node_modules", "@mariozechner", "pi-coding-agent", "node_modules", "@mariozechner", "pi-ai", "dist", "index.js"));
+    for (const candidate of candidates) {
+        if (existsSync(candidate)) {
+            try {
+                return await import(candidate);
+            }
+            catch { /* import failed */ }
+        }
+    }
+    return null;
+}
+// ============================================================================
+// CLI OAuth flow helpers
+// ============================================================================
+function prompt(question) {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    return new Promise((resolve) => {
+        rl.question(question, (answer) => {
+            rl.close();
+            resolve(answer.trim());
+        });
+    });
+}
+function openBrowser(url) {
+    const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+    exec(`${cmd} "${url}"`);
+}
+// ============================================================================
+// Public API
+// ============================================================================
+/**
+ * Run the provider selection + OAuth flow.
+ * Returns the provider ID that was connected, or null if cancelled.
+ */
+export async function connectProvider(log) {
+    const piOAuth = await importPiOAuth();
+    if (!piOAuth) {
+        log("  ⚠ could not find Pi's OAuth module");
+        log("    connect providers in Pi instead: /login");
+        return null;
+    }
+    const connected = getConnectedProviders();
+    // Show provider list
+    log("");
+    log("  connect an AI provider");
+    log("  ─────────────────────");
+    log("");
+    const providers = piOAuth.getOAuthProviders();
+    for (let i = 0; i < providers.length; i++) {
+        const p = providers[i];
+        const isConnected = connected.includes(p.id);
+        const status = isConnected ? " ✓ connected" : "";
+        log(`  ${i + 1}. ${p.name}${status}`);
+    }
+    log(`  ${providers.length + 1}. skip for now`);
+    log("");
+    const choice = await prompt("  select (1-" + (providers.length + 1) + "): ");
+    const idx = parseInt(choice, 10) - 1;
+    if (isNaN(idx) || idx < 0 || idx >= providers.length) {
+        return null; // skip
+    }
+    const provider = providers[idx];
+    log("");
+    log(`  connecting ${provider.name}...`);
+    log("");
+    try {
+        const credentials = await provider.login({
+            onAuth: (info) => {
+                log(`  open this URL to authenticate:`);
+                log(`  ${info.url}`);
+                if (info.instructions) {
+                    log(`  ${info.instructions}`);
+                }
+                log("");
+                openBrowser(info.url);
+            },
+            onPrompt: async (promptInfo) => {
+                const answer = await prompt(`  ${promptInfo.message} `);
+                if (!answer && !promptInfo.allowEmpty) {
+                    throw new Error("Input required");
+                }
+                return answer;
+            },
+            onProgress: (message) => {
+                log(`  ${message}`);
+            },
+            onManualCodeInput: async () => {
+                return await prompt("  paste the code or URL: ");
+            },
+        });
+        // Write to auth.json
+        const data = readAuthJson();
+        data[provider.id] = { type: "oauth", ...credentials };
+        writeAuthJson(data);
+        log(`  ✓ ${provider.name} connected`);
+        return provider.id;
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        if (msg.includes("cancelled")) {
+            log("  cancelled");
+        }
+        else {
+            log(`  ✗ connection failed: ${msg}`);
+        }
+        return null;
+    }
+}
+/**
+ * Check providers and optionally prompt for connection.
+ * Used in the setup wizard.
+ */
+export async function ensureProviderConnected(log) {
+    const connected = getConnectedProviders();
+    if (connected.length > 0) {
+        const names = connected.map((id) => {
+            const info = PROVIDERS.find((p) => p.id === id);
+            return info?.name ?? id;
+        });
+        log(`  [4/4] providers: ${names.join(", ")} ✓`);
+        return true;
+    }
+    log("  [4/4] connect an AI provider");
+    log("         (uses your existing subscription — no API keys needed)");
+    log("");
+    const result = await connectProvider(log);
+    return result !== null;
+}

package/extensions/abbie/index.ts

@@ -535,6 +535,111 @@ export default function abbieExtension(pi: ExtensionAPI) {
     },
   });
 
+  // ===========================================================================
+  // Provider auth sync: sync auth.json → Convex via bridge on startup
+  // ===========================================================================
+
+  async function getConnectedProviders(): Promise<string[]> {
+    const { existsSync, readFileSync } = await import("node:fs");
+    const { join } = await import("node:path");
+    const { homedir } = await import("node:os");
+    const authPath = join(homedir(), ".pi", "agent", "auth.json");
+    if (!existsSync(authPath)) return [];
+    try {
+      const data = JSON.parse(readFileSync(authPath, "utf8"));
+      return Object.entries(data)
+        .filter(([, v]: [string, any]) => v?.type === "oauth" && v.access)
+        .map(([k]) => k);
+    } catch { return []; }
+  }
+
+  // On session start: check if any providers are connected, try syncing from Convex
+  pi.on("session_start", async (_event, ctx) => {
+    const localProviders = await getConnectedProviders();
+
+    // If no local providers, try to pull credentials from Convex (for fresh installs)
+    if (localProviders.length === 0) {
+      await syncProvidersFromConvex();
+      const afterSync = await getConnectedProviders();
+      if (afterSync.length === 0 && ctx.hasUI) {
+        ctx.ui.notify(
+          "No AI provider connected. Connect one at Settings → Providers in the web app, or use /login here.",
+          "warning",
+        );
+      }
+    }
+  });
+
+  // Sync provider credentials to Convex after first agent interaction
+  pi.on("agent_end", async (_event, _ctx) => {
+    if ((pi as any).__providersSynced) return;
+    (pi as any).__providersSynced = true;
+
+    const providers = await getConnectedProviders();
+    if (providers.length === 0) return;
+
+    // Also sync credentials to Convex for sandbox injection
+    try {
+      const { existsSync, readFileSync } = await import("node:fs");
+      const { join } = await import("node:path");
+      const { homedir } = await import("node:os");
+      const authPath = join(homedir(), ".pi", "agent", "auth.json");
+      const configPath = join(homedir(), ".abbie", "config.json");
+      if (!existsSync(configPath) || !existsSync(authPath)) return;
+      const config = JSON.parse(readFileSync(configPath, "utf8"));
+      const convexUrl = config.convexUrl || process.env.NEXT_PUBLIC_CONVEX_URL;
+      const bridgeSecret = config.bridgeSecret || process.env.ABBIE_BRIDGE_SECRET;
+      if (!convexUrl || !bridgeSecret) return;
+
+      const siteUrl = convexUrl.replace('.convex.cloud', '.convex.site');
+      const authData = JSON.parse(readFileSync(authPath, "utf8"));
+
+      // Sync each provider's credentials
+      for (const providerId of providers) {
+        const cred = authData[providerId];
+        if (!cred?.access || !cred?.refresh) continue;
+
+        await fetch(`${siteUrl}/bridge/providers/complete`, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            "x-bridge-secret": bridgeSecret,
+          },
+          body: JSON.stringify({
+            // Use a synthetic request ID (the endpoint handles upserts)
+            requestId: null,
+            accessToken: cred.access,
+            refreshToken: cred.refresh,
+            expiresAt: cred.expires || Date.now() + 3600_000,
+            provider: providerId,
+          }),
+        }).catch(() => {}); // best-effort
+      }
+    } catch { /* non-fatal */ }
+  });
+
+  /**
+   * Pull provider credentials from Convex and write to local auth.json.
+   * Used on fresh installs where user connected via web but auth.json is empty.
+   */
+  async function syncProvidersFromConvex(): Promise<void> {
+    try {
+      const { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync } = await import("node:fs");
+      const { join } = await import("node:path");
+      const { homedir } = await import("node:os");
+
+      const configPath = join(homedir(), ".abbie", "config.json");
+      if (!existsSync(configPath)) return;
+      const config = JSON.parse(readFileSync(configPath, "utf8"));
+      const convexUrl = config.convexUrl || process.env.NEXT_PUBLIC_CONVEX_URL;
+      const bridgeSecret = config.bridgeSecret || process.env.ABBIE_BRIDGE_SECRET;
+      if (!convexUrl || !bridgeSecret) return;
+
+      // TODO: Add a bridge endpoint that returns stored credentials
+      // For now, the bridge handles credential sync via the poll loop
+    } catch { /* non-fatal */ }
+  }
+
   // ===========================================================================
   // Auto-bridge: start bridge daemon on Pi startup
   // ===========================================================================

package/oclif.manifest.json

@@ -11672,5 +11672,5 @@
       "summary": "Watch workspace windows (tmux panes) and stream updates"
     }
   },
-  "version": "0.1.0"
+  "version": "0.1.3"
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@creativeintelligence/abbie",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "type": "module",
   "license": "MIT",
   "description": "Abbie — agent orchestration CLI",

package/src/cli/commands/start.ts

@@ -5,7 +5,8 @@
  *   1. Check Pi → not found → auto-install
  *   2. Install Abbie Pi extension
  *   3. Open browser for Clerk auth
- *   4. Launch Pi (extension auto-starts bridge)
+ *   4. Connect AI provider (OAuth — uses your subscription)
+ *   5. Launch Pi (extension auto-starts bridge)
  *
  * Subsequent runs:
  *   Launch Pi directly (extension handles bridge)
@@ -18,6 +19,7 @@ import { fileURLToPath } from "node:url";
 import { spawnSync, spawn, execSync } from "node:child_process";
 import { Flags } from "@oclif/core";
 import { BaseCommand } from "../base-command.js";
+import { hasAnyProvider, ensureProviderConnected, getConnectedProviders } from "../../lib/provider-auth.js";
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
@@ -96,18 +98,21 @@ After setup, just run \`abbie\` to start working.`;
 
     // --status: show state and exit
     if (flags.status) {
+      const providers = getConnectedProviders();
       this.log("");
       this.log("  abbie status");
       this.log("");
       this.log(`  pi:        ${pi.installed ? `✓ ${pi.version}` : "✗ not installed"}`);
       this.log(`  extension: ${extOk ? "✓ installed" : "✗ not installed"}`);
       this.log(`  auth:      ${configured ? "✓ configured" : "✗ not configured"}`);
+      this.log(`  providers: ${providers.length > 0 ? `✓ ${providers.join(", ")}` : "✗ none connected"}`);
       this.log("");
-      return { pi: pi.installed, extension: extOk, auth: configured };
+      return { pi: pi.installed, extension: extOk, auth: configured, providers };
     }
 
     // Setup needed?
-    const needsSetup = flags.setup || !pi.installed || !configured || !extOk;
+    const providerOk = hasAnyProvider();
+    const needsSetup = flags.setup || !pi.installed || !configured || !extOk || !providerOk;
 
     if (needsSetup) {
       await this.runSetup(pi, configured, extOk);
@@ -152,7 +157,7 @@ After setup, just run \`abbie\` to start working.`;
 
     // Step 1: Install Pi
     if (!pi.installed) {
-      this.log("  [1/3] installing pi...");
+      this.log("  [1/4] installing pi...");
       this.log(`         npm install -g ${PI_PACKAGE}`);
       this.log("");
 
@@ -178,13 +183,13 @@ After setup, just run \`abbie\` to start working.`;
         this.error("Pi is required to continue.");
       }
     } else {
-      this.log(`  [1/3] pi ${pi.version} ✓`);
+      this.log(`  [1/4] pi ${pi.version} ✓`);
     }
     this.log("");
 
     // Step 2: Install Abbie extension
     if (!extOk) {
-      this.log("  [2/3] installing abbie extension...");
+      this.log("  [2/4] installing abbie extension...");
 
       // Find the bundled extension
       const extSource = this.findExtensionSource();
@@ -197,13 +202,13 @@ After setup, just run \`abbie\` to start working.`;
         this.logWarn("this is non-fatal; you can install it manually later");
       }
     } else {
-      this.log("  [2/3] extension ✓");
+      this.log("  [2/4] extension ✓");
     }
     this.log("");
 
     // Step 3: Authenticate
     if (!configured) {
-      this.log("  [3/3] authenticating...");
+      this.log("  [3/4] authenticating...");
       this.log("         opening browser for login...");
       this.log("");
 
@@ -214,14 +219,15 @@ After setup, just run \`abbie\` to start working.`;
         this.logWarn("login failed or was cancelled — you can run `abbie login` later");
       }
     } else {
-      this.log("  [3/3] authenticated ✓");
+      this.log("  [3/4] authenticated ✓");
     }
-
     this.log("");
-    this.log("  setup complete");
+
+    // Step 4: Connect AI provider
+    await ensureProviderConnected((msg) => this.log(msg));
+
     this.log("");
-    this.log("  tip: open Pi and type /login to connect an AI provider");
-    this.log("       (Anthropic, OpenAI, Google, or GitHub Copilot)");
+    this.log("  setup complete ✓");
   }
 
   /**

package/src/lib/provider-auth.ts

@@ -0,0 +1,258 @@
+/**
+ * Provider OAuth Authentication
+ *
+ * Runs AI provider OAuth flows (Anthropic, OpenAI, Google, GitHub Copilot)
+ * using Pi's OAuth libraries, resolved dynamically from Pi's global install.
+ *
+ * Writes credentials to ~/.pi/agent/auth.json (Pi's auth storage format).
+ * This means Pi starts with providers already configured — no /login needed.
+ */
+
+import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { execSync } from "node:child_process";
+import { createInterface } from "node:readline";
+import { exec } from "node:child_process";
+
+const AUTH_JSON = join(homedir(), ".pi", "agent", "auth.json");
+
+// ============================================================================
+// Auth.json helpers
+// ============================================================================
+
+export interface ProviderCredential {
+  type: "oauth";
+  refresh: string;
+  access: string;
+  expires: number;
+  [key: string]: unknown;
+}
+
+type AuthData = Record<string, ProviderCredential>;
+
+export function readAuthJson(): AuthData {
+  try {
+    if (!existsSync(AUTH_JSON)) return {};
+    return JSON.parse(readFileSync(AUTH_JSON, "utf8")) as AuthData;
+  } catch {
+    return {};
+  }
+}
+
+function writeAuthJson(data: AuthData): void {
+  const dir = join(homedir(), ".pi", "agent");
+  mkdirSync(dir, { recursive: true, mode: 0o700 });
+  writeFileSync(AUTH_JSON, JSON.stringify(data, null, 2), "utf8");
+  chmodSync(AUTH_JSON, 0o600);
+}
+
+export function getConnectedProviders(): string[] {
+  const data = readAuthJson();
+  return Object.entries(data)
+    .filter(([, v]) => v?.type === "oauth" && v.access)
+    .map(([k]) => k);
+}
+
+export function hasAnyProvider(): boolean {
+  return getConnectedProviders().length > 0;
+}
+
+// ============================================================================
+// Provider info
+// ============================================================================
+
+export interface ProviderInfo {
+  id: string;
+  name: string;
+  description: string;
+}
+
+export const PROVIDERS: ProviderInfo[] = [
+  { id: "anthropic", name: "Anthropic", description: "Claude Pro/Max subscription" },
+  { id: "openai-codex", name: "OpenAI", description: "ChatGPT Plus/Pro subscription" },
+  { id: "google-gemini-cli", name: "Google Gemini", description: "Google Cloud Code Assist" },
+  { id: "github-copilot", name: "GitHub Copilot", description: "Copilot Individual/Business" },
+  { id: "google-antigravity", name: "Google Antigravity", description: "Gemini 3, Claude, GPT via Google Cloud" },
+];
+
+// ============================================================================
+// Dynamic import of Pi's OAuth module
+// ============================================================================
+
+interface OAuthModule {
+  getOAuthProvider: (id: string) => any;
+  getOAuthProviders: () => any[];
+}
+
+async function importPiOAuth(): Promise<OAuthModule | null> {
+  // Strategy: find @mariozechner/pi-ai from Pi's global install
+  const candidates: string[] = [];
+
+  // 1. Try resolving from pi binary location
+  try {
+    const piPath = execSync("which pi", { encoding: "utf8", timeout: 3000 }).trim();
+    if (piPath) {
+      const { realpathSync } = await import("node:fs");
+      const realPath = realpathSync(piPath);
+      // pi binary -> bin/pi.mjs -> package root -> node_modules/@mariozechner/pi-ai
+      const pkgRoot = join(realPath, "..", "..");
+      candidates.push(join(pkgRoot, "node_modules", "@mariozechner", "pi-ai", "dist", "index.js"));
+    }
+  } catch { /* not found */ }
+
+  // 2. Try common global paths
+  const nodeVersion = process.version.replace("v", "");
+  candidates.push(
+    join(homedir(), ".nvm", "versions", "node", `v${nodeVersion}`, "lib", "node_modules", "@mariozechner", "pi-coding-agent", "node_modules", "@mariozechner", "pi-ai", "dist", "index.js"),
+    join("/usr", "local", "lib", "node_modules", "@mariozechner", "pi-coding-agent", "node_modules", "@mariozechner", "pi-ai", "dist", "index.js"),
+  );
+
+  for (const candidate of candidates) {
+    if (existsSync(candidate)) {
+      try {
+        return await import(candidate) as OAuthModule;
+      } catch { /* import failed */ }
+    }
+  }
+
+  return null;
+}
+
+// ============================================================================
+// CLI OAuth flow helpers
+// ============================================================================
+
+function prompt(question: string): Promise<string> {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+
+function openBrowser(url: string): void {
+  const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+  exec(`${cmd} "${url}"`);
+}
+
+// ============================================================================
+// Public API
+// ============================================================================
+
+/**
+ * Run the provider selection + OAuth flow.
+ * Returns the provider ID that was connected, or null if cancelled.
+ */
+export async function connectProvider(
+  log: (msg: string) => void,
+): Promise<string | null> {
+  const piOAuth = await importPiOAuth();
+
+  if (!piOAuth) {
+    log("  ⚠ could not find Pi's OAuth module");
+    log("    connect providers in Pi instead: /login");
+    return null;
+  }
+
+  const connected = getConnectedProviders();
+
+  // Show provider list
+  log("");
+  log("  connect an AI provider");
+  log("  ─────────────────────");
+  log("");
+
+  const providers = piOAuth.getOAuthProviders();
+  for (let i = 0; i < providers.length; i++) {
+    const p = providers[i];
+    const isConnected = connected.includes(p.id);
+    const status = isConnected ? " ✓ connected" : "";
+    log(`  ${i + 1}. ${p.name}${status}`);
+  }
+  log(`  ${providers.length + 1}. skip for now`);
+  log("");
+
+  const choice = await prompt("  select (1-" + (providers.length + 1) + "): ");
+  const idx = parseInt(choice, 10) - 1;
+
+  if (isNaN(idx) || idx < 0 || idx >= providers.length) {
+    return null; // skip
+  }
+
+  const provider = providers[idx];
+  log("");
+  log(`  connecting ${provider.name}...`);
+  log("");
+
+  try {
+    const credentials = await provider.login({
+      onAuth: (info: { url: string; instructions?: string }) => {
+        log(`  open this URL to authenticate:`);
+        log(`  ${info.url}`);
+        if (info.instructions) {
+          log(`  ${info.instructions}`);
+        }
+        log("");
+        openBrowser(info.url);
+      },
+      onPrompt: async (promptInfo: { message: string; placeholder?: string; allowEmpty?: boolean }) => {
+        const answer = await prompt(`  ${promptInfo.message} `);
+        if (!answer && !promptInfo.allowEmpty) {
+          throw new Error("Input required");
+        }
+        return answer;
+      },
+      onProgress: (message: string) => {
+        log(`  ${message}`);
+      },
+      onManualCodeInput: async () => {
+        return await prompt("  paste the code or URL: ");
+      },
+    });
+
+    // Write to auth.json
+    const data = readAuthJson();
+    data[provider.id] = { type: "oauth", ...credentials };
+    writeAuthJson(data);
+
+    log(`  ✓ ${provider.name} connected`);
+    return provider.id;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg.includes("cancelled")) {
+      log("  cancelled");
+    } else {
+      log(`  ✗ connection failed: ${msg}`);
+    }
+    return null;
+  }
+}
+
+/**
+ * Check providers and optionally prompt for connection.
+ * Used in the setup wizard.
+ */
+export async function ensureProviderConnected(
+  log: (msg: string) => void,
+): Promise<boolean> {
+  const connected = getConnectedProviders();
+
+  if (connected.length > 0) {
+    const names = connected.map((id) => {
+      const info = PROVIDERS.find((p) => p.id === id);
+      return info?.name ?? id;
+    });
+    log(`  [4/4] providers: ${names.join(", ")} ✓`);
+    return true;
+  }
+
+  log("  [4/4] connect an AI provider");
+  log("         (uses your existing subscription — no API keys needed)");
+  log("");
+
+  const result = await connectProvider(log);
+  return result !== null;
+}