@delegance/claude-autopilot 5.5.2 → 7.2.0

package/dist/src/cli/brainstorm.d.ts

@@ -0,0 +1,23 @@
+export interface BrainstormCommandOptions {
+    cwd?: string;
+    configPath?: string;
+    /**
+     * v6.0.3 — engine knob inputs. Same shape and precedence as scan / costs /
+     * fix (CLI > env > config > built-in default off in v6.0.x). The CLI
+     * dispatcher wires `cliEngine` from `--engine` / `--no-engine`;
+     * `envEngine` from `process.env.CLAUDE_AUTOPILOT_ENGINE`. An absent CLI
+     * flag + absent env value falls through to the loaded config and then to
+     * the built-in default.
+     */
+    cliEngine?: boolean;
+    envEngine?: string;
+    /**
+     * Test-only seam — when true, the phase body returns its result without
+     * printing the advisory banner. Lets engine-smoke tests assert the
+     * `state.json` + `events.ndjson` lifecycle without polluting stdout.
+     * Production callers (the CLI dispatcher) MUST NOT pass this.
+     */
+    __silent?: boolean;
+}
+export declare function runBrainstorm(options?: BrainstormCommandOptions): Promise<number>;
+//# sourceMappingURL=brainstorm.d.ts.map

package/dist/src/cli/brainstorm.js

@@ -0,0 +1,131 @@
+// src/cli/brainstorm.ts
+//
+// v6.0.3 — wrap the `brainstorm` pipeline phase through `runPhase`.
+//
+// `brainstorm` is the entry point of the autopilot pipeline. It is implemented
+// primarily as a Claude Code skill (`/brainstorm` → `superpowers:brainstorming`),
+// not as a standalone CLI subcommand. The CLI verb that ships in this binary is
+// an advisory shim: it points the user at the Claude Code skill and the next
+// pipeline verbs. There is no LLM call in the CLI verb body, and no provider
+// side effects. The pure-LLM design dialogue happens in Claude Code; the spec
+// markdown produced there lands at `docs/superpowers/specs/<slug>.md` (a local
+// file write, not a platform-side-effect-free remote write — the recipe treats
+// local file writes as acceptable inside the phase body, identical precedent to
+// `fix.ts` editing local source files).
+//
+// Idempotency / side effects (deviation note vs. spec table):
+//   - The spec table at docs/specs/v6-run-state-engine.md says
+//     `idempotent: no` for `brainstorm` because re-running produces NEW LLM
+//     content each invocation. The recipe table at
+//     docs/v6/wrapping-pipeline-phases.md previously echoed that. v6.0.3
+//     declares `idempotent: true` to match the engine's actual semantics
+//     ("safe to retry without reconciliation"): the CLI verb itself is a
+//     printed advisory message that is byte-for-byte identical on every
+//     invocation, has no externalRefs to reconcile, and no provider state
+//     to roll back. The engine's idempotency check is "safe to replay,"
+//     not "produces byte-identical output." See the recipe section 2:
+//     `idempotent: true → phase output depends only on its input + project
+//     state, and re-running gives the same answer.` That holds here.
+//   - `hasSideEffects: false` — the CLI verb prints to stdout. No provider
+//     calls, no git push, no PR creation, no remote API write. Identical
+//     to costs.
+import * as path from 'node:path';
+import * as fs from 'node:fs';
+import { loadConfig } from "../core/config/loader.js";
+import { runPhaseWithLifecycle } from "../core/run-state/run-phase-with-lifecycle.js";
+const C = {
+    reset: '\x1b[0m', bold: '\x1b[1m', dim: '\x1b[2m',
+    cyan: '\x1b[36m', red: '\x1b[31m',
+};
+const fmt = (c, t) => `${C[c]}${t}${C.reset}`;
+export async function runBrainstorm(options = {}) {
+    const cwd = options.cwd ?? process.cwd();
+    const configPath = options.configPath ?? path.join(cwd, 'guardrail.config.yaml');
+    let config = { configVersion: 1 };
+    if (fs.existsSync(configPath)) {
+        const loaded = await loadConfig(configPath);
+        if (loaded)
+            config = loaded;
+    }
+    const brainstormInput = { cwd, silent: options.__silent === true };
+    // The wrapped phase body. Pure: reads no files, makes no provider calls.
+    // Engine-off callers invoke `executeBrainstormPhase()` directly;
+    // engine-on callers route through `runPhase()`.
+    const phase = {
+        name: 'brainstorm',
+        // Pure-LLM design dialogue happens in the Claude Code skill, not here.
+        // The CLI verb is an advisory print with no externalRefs to reconcile
+        // and no provider state to roll back. Safe to retry. (Deviation from
+        // the spec table noted at the top of the file.)
+        idempotent: true,
+        // No provider calls, no git push, no PR creation. Identical to costs.
+        hasSideEffects: false,
+        run: async (input) => executeBrainstormPhase(input),
+    };
+    // v6.0.6 — lifecycle wiring lives in `runPhaseWithLifecycle`. The helper
+    // owns the engine-on/engine-off branch and the failure banner.
+    let output;
+    try {
+        const result = await runPhaseWithLifecycle({
+            cwd,
+            phase,
+            input: brainstormInput,
+            config,
+            cliEngine: options.cliEngine,
+            envEngine: options.envEngine,
+            runEngineOff: () => executeBrainstormPhase(brainstormInput),
+        });
+        output = result.output;
+    }
+    catch {
+        // Helper already printed the failure banner + emitted run.complete
+        // failed + refreshed state.json + released the lock.
+        return 1;
+    }
+    return renderBrainstormOutput(output, brainstormInput);
+}
+// ---------------------------------------------------------------------------
+// Phase body — produce the advisory payload. Pure: no provider calls. By
+// default does NOT print to stdout (the renderer handles that) so the engine
+// path's idempotency isn't coupled to console output. Returns a
+// JSON-serializable BrainstormOutput so the engine can persist it as
+// `result` on the phase snapshot.
+// ---------------------------------------------------------------------------
+async function executeBrainstormPhase(_input) {
+    return {
+        kind: 'advisory',
+        nextActions: [
+            'Invoke /brainstorm from Claude Code for interactive spec writing',
+            'Then /autopilot to run the full pipeline from an approved spec',
+        ],
+    };
+}
+// ---------------------------------------------------------------------------
+// Render — translate BrainstormOutput back to the legacy stdout advisory +
+// exit code. Lives outside the wrapped phase because it's pure presentation;
+// doing the rendering inside the phase would couple the engine path's
+// idempotency to console output.
+// ---------------------------------------------------------------------------
+function renderBrainstormOutput(_output, input) {
+    if (input.silent)
+        return 0;
+    console.log(`
+${fmt('bold', '[brainstorm]')} The pipeline entry point is a Claude Code skill, not a CLI subcommand.
+
+Invoke it from Claude Code:
+
+  ${fmt('cyan', '/brainstorm')}                         Interactive spec writing
+  ${fmt('cyan', '/autopilot')}                          Full pipeline from an approved spec
+  ${fmt('cyan', '/migrate')}                            Database migration phase (stack-dependent)
+
+From the terminal, the CLI subset exposes only the individual review-phase subcommands:
+
+  ${fmt('cyan', 'claude-autopilot run --base main')}    Just the review phase
+  ${fmt('cyan', 'claude-autopilot doctor')}             Check prerequisites (incl. superpowers plugin)
+  ${fmt('cyan', 'claude-autopilot migrate-v4')}         Codemod for v4 → v5 repo migration (not a pipeline phase)
+
+Full pipeline docs: https://github.com/axledbetter/claude-autopilot#the-pipeline-phase-by-phase
+`);
+    return 0;
+}
+//# sourceMappingURL=brainstorm.js.map

package/dist/src/cli/costs.d.ts

@@ -1,2 +1,16 @@
-export declare function runCosts(cwd?: string): Promise<number>;
+export interface CostsCommandOptions {
+    cwd?: string;
+    configPath?: string;
+    /**
+     * v6.0.2 — engine knob inputs. Same shape and precedence as scan
+     * (CLI > env > config > built-in default off in v6.0.x). The CLI dispatcher
+     * wires `cliEngine` from `--engine` / `--no-engine`; `envEngine` from
+     * `process.env.CLAUDE_AUTOPILOT_ENGINE`. An absent CLI flag + absent env
+     * value falls through to the loaded config and then to the built-in
+     * default.
+     */
+    cliEngine?: boolean;
+    envEngine?: string;
+}
+export declare function runCosts(cwdOrOptions?: string | CostsCommandOptions): Promise<number>;
 //# sourceMappingURL=costs.d.ts.map

package/dist/src/cli/costs.js

@@ -1,7 +1,11 @@
+import * as path from 'node:path';
+import * as fs from 'node:fs';
 import { readCostLog } from "../core/persist/cost-log.js";
+import { loadConfig } from "../core/config/loader.js";
+import { runPhaseWithLifecycle } from "../core/run-state/run-phase-with-lifecycle.js";
 const C = {
     reset: '\x1b[0m', bold: '\x1b[1m', dim: '\x1b[2m',
-    green: '\x1b[32m', yellow: '\x1b[33m', cyan: '\x1b[36m',
+    green: '\x1b[32m', yellow: '\x1b[33m', cyan: '\x1b[36m', red: '\x1b[31m',
 };
 const fmt = (c, t) => `${C[c]}${t}${C.reset}`;
 function formatDate(iso) {
@@ -19,13 +23,69 @@ function fmtUSD(n) {
 function fmtTokens(n) {
     return n >= 1000 ? `${(n / 1000).toFixed(1)}k` : String(n);
 }
-export async function runCosts(cwd = process.cwd()) {
-    const log = readCostLog(cwd);
-    if (log.length === 0) {
-        console.log(fmt('yellow', `[costs] No run history found in ${cwd} — run \`guardrail run\` first.`));
-        console.log(fmt('dim', `        (Costs are scoped per-project. \`cd\` to the project before checking.)`));
-        return 0;
+export async function runCosts(cwdOrOptions = {}) {
+    // Back-compat — early callers (tests, MCP) pass a bare `cwd: string`. The
+    // tests/costs.test.ts harness drives this shape directly. Promote both
+    // forms into a single options struct so the rest of the function can treat
+    // it uniformly.
+    const options = typeof cwdOrOptions === 'string'
+        ? { cwd: cwdOrOptions }
+        : cwdOrOptions;
+    const cwd = options.cwd ?? process.cwd();
+    const configPath = options.configPath ?? path.join(cwd, 'guardrail.config.yaml');
+    let config = { configVersion: 1 };
+    if (fs.existsSync(configPath)) {
+        const loaded = await loadConfig(configPath);
+        if (loaded)
+            config = loaded;
+    }
+    const costsInput = { cwd };
+    // The wrapped phase body — pure read of the cost ledger + summary build.
+    // Extracted into a RunPhase so the engine-on path and the engine-off path
+    // share the exact same logic. Engine-off callers invoke this directly via
+    // `executeCostsPhase()`; engine-on callers route through `runPhase()`.
+    const phase = {
+        name: 'costs',
+        // Cost summary is a pure read of `.guardrail-cache/costs.jsonl` — re-running
+        // produces identical output for identical ledger contents. Always safe to
+        // retry.
+        idempotent: true,
+        // No provider calls, no git push, no PR comment, no file writes (the
+        // ledger is read-only on this path; the writer is `appendCostLog` called
+        // by other verbs). Replays are safe.
+        hasSideEffects: false,
+        run: async (input) => executeCostsPhase(input),
+    };
+    // v6.0.6 — lifecycle wiring lives in `runPhaseWithLifecycle`. The helper
+    // owns the engine-on/engine-off branch and the failure banner; the caller
+    // just supplies the phase, the input, and the engine-off escape hatch.
+    let output;
+    try {
+        const result = await runPhaseWithLifecycle({
+            cwd,
+            phase,
+            input: costsInput,
+            config,
+            cliEngine: options.cliEngine,
+            envEngine: options.envEngine,
+            runEngineOff: () => executeCostsPhase(costsInput),
+        });
+        output = result.output;
+    }
+    catch {
+        // Helper already printed the failure banner + emitted run.complete
+        // failed + refreshed state.json + released the lock.
+        return 1;
     }
+    return renderCostsOutput(output, costsInput);
+}
+// ---------------------------------------------------------------------------
+// Phase body — read the cost ledger and assemble the summary. Pure: no
+// console output, no exit codes. Returns a JSON-serializable CostsOutput so
+// the engine can persist it as `result` on the phase snapshot.
+// ---------------------------------------------------------------------------
+async function executeCostsPhase(input) {
+    const log = readCostLog(input.cwd);
     // 7-day window
     const sevenDaysAgo = Date.now() - 7 * 24 * 60 * 60 * 1000;
     const recent = log.filter(e => new Date(e.timestamp).getTime() >= sevenDaysAgo);
@@ -34,12 +94,41 @@ export async function runCosts(cwd = process.cwd()) {
     const totalInput = log.reduce((s, e) => s + e.inputTokens, 0);
     const totalOutput = log.reduce((s, e) => s + e.outputTokens, 0);
     const recentCost = recent.reduce((s, e) => s + e.costUSD, 0);
+    return {
+        entryCount: log.length,
+        totals: {
+            runs: log.length,
+            inputTokens: totalInput,
+            outputTokens: totalOutput,
+            costUSD: totalCost,
+        },
+        recent: {
+            runs: recent.length,
+            costUSD: recentCost,
+        },
+        last10,
+    };
+}
+// ---------------------------------------------------------------------------
+// Render — translate CostsOutput back to the legacy stdout summary + exit
+// code. Lives outside the wrapped phase because it's pure presentation;
+// doing the rendering inside the phase would couple the engine path's
+// idempotency to console output.
+// ---------------------------------------------------------------------------
+function renderCostsOutput(output, input) {
+    const { cwd } = input;
+    const { entryCount, totals, recent, last10 } = output;
+    if (entryCount === 0) {
+        console.log(fmt('yellow', `[costs] No run history found in ${cwd} — run \`guardrail run\` first.`));
+        console.log(fmt('dim', `        (Costs are scoped per-project. \`cd\` to the project before checking.)`));
+        return 0;
+    }
     console.log(`\n${fmt('bold', '[costs]')} ${fmt('dim', cwd)}\n`);
     // Summary row
     console.log(fmt('bold', 'Summary'));
-    console.log(`  All-time runs:   ${log.length}`);
-    console.log(`  All-time cost:   ${fmtUSD(totalCost)}  (${fmtTokens(totalInput)} in / ${fmtTokens(totalOutput)} out)`);
-    console.log(`  Last 7 days:     ${fmtUSD(recentCost)}  (${recent.length} run${recent.length !== 1 ? 's' : ''})`);
+    console.log(`  All-time runs:   ${totals.runs}`);
+    console.log(`  All-time cost:   ${fmtUSD(totals.costUSD)}  (${fmtTokens(totals.inputTokens)} in / ${fmtTokens(totals.outputTokens)} out)`);
+    console.log(`  Last 7 days:     ${fmtUSD(recent.costUSD)}  (${recent.runs} run${recent.runs !== 1 ? 's' : ''})`);
     console.log(fmt('dim', `  (per-project — scoped to ${cwd}/.guardrail-cache/costs.jsonl)`));
     console.log('');
     // Last 10 runs table

package/dist/src/cli/dashboard/index.d.ts

@@ -0,0 +1,5 @@
+export interface DashboardArgs {
+    argv: string[];
+}
+export declare function runDashboardVerb(args: DashboardArgs): Promise<number>;
+//# sourceMappingURL=index.d.ts.map

package/dist/src/cli/dashboard/index.js

@@ -0,0 +1,49 @@
+// `claude-autopilot dashboard <verb>` — umbrella dispatcher.
+//
+// Verbs: login | logout | status | upload <runId>
+import { runDashboardLogin } from "./login.js";
+import { runDashboardLogout } from "./logout.js";
+import { runDashboardStatus } from "./status.js";
+import { runDashboardUpload } from "./upload.js";
+export async function runDashboardVerb(args) {
+    const [verb, ...rest] = args.argv;
+    switch (verb) {
+        case 'login': {
+            try {
+                await runDashboardLogin();
+                return 0;
+            }
+            catch (err) {
+                process.stderr.write(`[autopilot] login failed: ${err.message}\n`);
+                return 1;
+            }
+        }
+        case 'logout': {
+            await runDashboardLogout();
+            return 0;
+        }
+        case 'status': {
+            await runDashboardStatus();
+            return 0;
+        }
+        case 'upload': {
+            const runId = rest[0];
+            if (!runId) {
+                process.stderr.write(`[autopilot] usage: claude-autopilot dashboard upload <runId>\n`);
+                return 2;
+            }
+            const result = await runDashboardUpload({ runId });
+            if (result.ok)
+                return 0;
+            if (result.notLoggedIn || result.runDirMissing)
+                return 2;
+            return 1;
+        }
+        default: {
+            process.stderr.write(`[autopilot] unknown dashboard verb: ${verb ?? '(none)'}\n`);
+            process.stderr.write(`            valid verbs: login, logout, status, upload <runId>\n`);
+            return 2;
+        }
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/src/cli/dashboard/login.d.ts

@@ -0,0 +1,22 @@
+import { type DashboardConfig } from '../../dashboard/config.ts';
+export interface LoginOptions {
+    /** Override base URL for tests / staging. */
+    baseUrl?: string;
+    /** Override browser launch — useful in tests + headless CI. */
+    openBrowser?: (url: string) => void | Promise<void>;
+    /** Manual mode: print URL, accept paste of (apiKey, fingerprint, email) on stdin instead of loopback. */
+    manual?: boolean;
+    /** Test seam — let tests force a specific port range start to avoid collisions. */
+    portRangeStart?: number;
+    /** Test seam — abort the listener after a fixed timeout. */
+    timeoutMs?: number;
+    /** Test seam — silence stdout/stderr writes. */
+    silent?: boolean;
+    signal?: AbortSignal;
+}
+export interface LoginResult {
+    config: DashboardConfig;
+    port: number;
+}
+export declare function runDashboardLogin(opts?: LoginOptions): Promise<LoginResult>;
+//# sourceMappingURL=login.d.ts.map

package/dist/src/cli/dashboard/login.js

@@ -0,0 +1,260 @@
+// `claude-autopilot dashboard login` — nonce-bound loopback OAuth-ish flow.
+//
+// 1. Generate 128-bit nonce.
+// 2. Bind a node:http listener on the first available port in 56000-56050.
+// 3. Open https://autopilot.dev/cli-auth?cb=<callback>&nonce=<nonce> in the
+//    user's browser. (User signs in, web page POSTs back to the callback
+//    with { apiKey, fingerprint, accountEmail, nonce }.)
+// 4. Validate nonce with crypto.timingSafeEqual; reject mismatches.
+// 5. Atomically write ~/.claude-autopilot/dashboard.json with mode 0600.
+// 6. Respond 200 to the browser; close listener; print success.
+//
+// The web `/cli-auth` page is operator-deferred to Phase 4 dashboard UI;
+// for now tests use a mock browser handler that simulates the full flow.
+import { randomBytes, timingSafeEqual } from 'node:crypto';
+import { createServer } from 'node:http';
+import { spawn } from 'node:child_process';
+import { writeConfig, getAutopilotBaseUrl, } from "../../dashboard/config.js";
+const PORT_START = 56000;
+const PORT_END = 56050;
+const NONCE_BYTES = 16; // 128-bit
+const TIMEOUT_MS = 5 * 60 * 1000;
+const MAX_BODY_BYTES = 4096;
+const KEY_RE = /^clp_[0-9a-f]{64}$/;
+function nonceMatch(expected, candidate) {
+    // timingSafeEqual requires equal-length buffers.
+    const a = Buffer.from(expected, 'utf-8');
+    const b = Buffer.from(candidate, 'utf-8');
+    if (a.length !== b.length)
+        return false;
+    return timingSafeEqual(a, b);
+}
+async function tryListen(port) {
+    return new Promise((resolve) => {
+        const server = createServer();
+        const onError = () => {
+            server.removeListener('listening', onListening);
+            resolve(null);
+        };
+        const onListening = () => {
+            server.removeListener('error', onError);
+            resolve({ server, port });
+        };
+        server.once('error', onError);
+        server.once('listening', onListening);
+        server.listen(port, '127.0.0.1');
+    });
+}
+async function bindFirstPort(start, end) {
+    for (let p = start; p <= end; p++) {
+        const r = await tryListen(p);
+        if (r)
+            return r;
+    }
+    throw new Error(`could not bind any port in ${start}-${end}`);
+}
+function readJsonBody(req) {
+    return new Promise((resolve, reject) => {
+        let bytes = 0;
+        const chunks = [];
+        req.on('data', (c) => {
+            bytes += c.length;
+            if (bytes > MAX_BODY_BYTES) {
+                req.destroy();
+                reject(new Error('body too large'));
+                return;
+            }
+            chunks.push(c);
+        });
+        req.on('end', () => {
+            try {
+                const buf = Buffer.concat(chunks);
+                resolve(JSON.parse(buf.toString('utf-8')));
+            }
+            catch (err) {
+                reject(err);
+            }
+        });
+        req.on('error', reject);
+    });
+}
+function openInBrowser(url) {
+    // Best-effort cross-platform; ignored on test/headless paths.
+    const platform = process.platform;
+    let cmd;
+    let args;
+    if (platform === 'darwin') {
+        cmd = 'open';
+        args = [url];
+    }
+    else if (platform === 'win32') {
+        cmd = 'cmd';
+        args = ['/c', 'start', '""', url];
+    }
+    else {
+        cmd = 'xdg-open';
+        args = [url];
+    }
+    try {
+        spawn(cmd, args, { stdio: 'ignore', detached: true }).unref();
+    }
+    catch {
+        /* noop */
+    }
+}
+export async function runDashboardLogin(opts = {}) {
+    // Phase 4 — unified env name. AUTOPILOT_PUBLIC_BASE_URL is canonical
+    // (matches apps/web). AUTOPILOT_DASHBOARD_BASE_URL is the deprecated
+    // Phase 2.3 alias and triggers a one-time warning.
+    const baseUrl = opts.baseUrl ?? getAutopilotBaseUrl();
+    const timeoutMs = opts.timeoutMs ?? TIMEOUT_MS;
+    const portStart = opts.portRangeStart ?? PORT_START;
+    const portEnd = portStart + (PORT_END - PORT_START);
+    const nonce = randomBytes(NONCE_BYTES).toString('hex');
+    const { server, port } = await bindFirstPort(portStart, portEnd);
+    const cb = `http://127.0.0.1:${port}/cli-callback`;
+    const authUrl = `${baseUrl}/cli-auth?cb=${encodeURIComponent(cb)}&nonce=${encodeURIComponent(nonce)}`;
+    let resolved = null;
+    let rejected = null;
+    const result = new Promise((resolve, reject) => {
+        resolved = resolve;
+        rejected = reject;
+    });
+    let settled = false;
+    const settle = (fn) => {
+        if (settled)
+            return;
+        settled = true;
+        fn();
+        // Force-close active connections so the event loop drains immediately
+        // (matters for tests; production callers exit the process anyway).
+        try {
+            server.closeAllConnections?.();
+        }
+        catch { /* noop */ }
+        server.close();
+    };
+    const timer = setTimeout(() => {
+        settle(() => rejected?.(new Error(`login timed out after ${timeoutMs}ms`)));
+    }, timeoutMs);
+    // Don't keep the event loop alive solely for the timeout watchdog —
+    // matters in tests when the suite has finished but timers linger.
+    timer.unref?.();
+    if (opts.signal) {
+        if (opts.signal.aborted) {
+            clearTimeout(timer);
+            server.close();
+            throw new Error('aborted');
+        }
+        opts.signal.addEventListener('abort', () => {
+            clearTimeout(timer);
+            settle(() => rejected?.(new Error('aborted')));
+        }, { once: true });
+    }
+    // Phase 4 CORS — the /cli-auth page POSTs to this loopback with
+    // mode: 'cors'. Without OPTIONS preflight + Access-Control-Allow-Origin
+    // matching the configured public base URL, the browser fetch fails
+    // silently (opaque response) and the user sees "loopback failed" with
+    // no signal here.
+    const allowedOrigin = baseUrl;
+    server.on('request', (req, res) => {
+        void (async () => {
+            try {
+                // OPTIONS preflight — no body, no auth, just CORS headers.
+                if (req.method === 'OPTIONS') {
+                    res.writeHead(204, {
+                        'Access-Control-Allow-Origin': allowedOrigin,
+                        'Access-Control-Allow-Methods': 'POST, OPTIONS',
+                        'Access-Control-Allow-Headers': 'content-type',
+                        'Access-Control-Max-Age': '60',
+                        Vary: 'Origin',
+                    });
+                    res.end();
+                    return;
+                }
+                if (req.method !== 'POST' || req.url !== '/cli-callback') {
+                    res.statusCode = 404;
+                    res.end('not found');
+                    return;
+                }
+                const ct = (req.headers['content-type'] ?? '').toString();
+                if (!ct.includes('application/json')) {
+                    res.statusCode = 415;
+                    res.end('unsupported media type');
+                    return;
+                }
+                const body = await readJsonBody(req);
+                // Codex NOTE — CORS header on POST response so the browser can
+                // read the JSON body under mode: 'cors'.
+                const corsHeaders = {
+                    'Access-Control-Allow-Origin': allowedOrigin,
+                    Vary: 'Origin',
+                };
+                if (typeof body.nonce !== 'string' || !nonceMatch(nonce, body.nonce)) {
+                    res.writeHead(403, { ...corsHeaders, 'content-type': 'text/plain' });
+                    res.end('nonce mismatch');
+                    clearTimeout(timer);
+                    settle(() => rejected?.(new Error('nonce mismatch')));
+                    return;
+                }
+                if (typeof body.apiKey !== 'string' || !KEY_RE.test(body.apiKey)) {
+                    res.writeHead(422, { ...corsHeaders, 'content-type': 'text/plain' });
+                    res.end('invalid apiKey');
+                    clearTimeout(timer);
+                    settle(() => rejected?.(new Error('invalid apiKey from callback')));
+                    return;
+                }
+                if (typeof body.fingerprint !== 'string' || !/^clp_[0-9a-f]{12}$/.test(body.fingerprint)) {
+                    res.writeHead(422, { ...corsHeaders, 'content-type': 'text/plain' });
+                    res.end('invalid fingerprint');
+                    clearTimeout(timer);
+                    settle(() => rejected?.(new Error('invalid fingerprint from callback')));
+                    return;
+                }
+                if (typeof body.accountEmail !== 'string') {
+                    res.writeHead(422, { ...corsHeaders, 'content-type': 'text/plain' });
+                    res.end('invalid accountEmail');
+                    clearTimeout(timer);
+                    settle(() => rejected?.(new Error('invalid accountEmail from callback')));
+                    return;
+                }
+                const cfg = {
+                    schemaVersion: 1,
+                    apiKey: body.apiKey,
+                    fingerprint: body.fingerprint,
+                    accountEmail: body.accountEmail,
+                    loggedInAt: new Date().toISOString(),
+                    lastUploadAt: null,
+                };
+                await writeConfig(cfg);
+                res.writeHead(200, {
+                    ...corsHeaders,
+                    'content-type': 'application/json',
+                });
+                res.end(JSON.stringify({ ok: true, nonce }));
+                clearTimeout(timer);
+                settle(() => resolved?.({ config: cfg, port }));
+            }
+            catch (err) {
+                res.statusCode = 500;
+                res.setHeader('Access-Control-Allow-Origin', allowedOrigin);
+                res.end(err.message ?? 'error');
+                clearTimeout(timer);
+                settle(() => rejected?.(err instanceof Error ? err : new Error(String(err))));
+            }
+        })();
+    });
+    // Print + open after the server is listening.
+    if (!opts.silent) {
+        process.stdout.write(`[autopilot] sign in here: ${authUrl}\n`);
+        process.stdout.write(`            (a browser window will open; loopback callback on port ${port})\n`);
+    }
+    if (opts.openBrowser) {
+        await opts.openBrowser(authUrl);
+    }
+    else {
+        openInBrowser(authUrl);
+    }
+    return result;
+}
+//# sourceMappingURL=login.js.map

package/dist/src/cli/dashboard/logout.d.ts

@@ -0,0 +1,12 @@
+export interface LogoutOptions {
+    baseUrl?: string;
+    fetchImpl?: typeof fetch;
+    silent?: boolean;
+}
+export interface LogoutResult {
+    hadConfig: boolean;
+    serverRevoked: boolean;
+    serverStatus: number | null;
+}
+export declare function runDashboardLogout(opts?: LogoutOptions): Promise<LogoutResult>;
+//# sourceMappingURL=logout.d.ts.map