@gethmy/mcp 2.9.4 → 2.9.6

package/src/tui/setup.ts

@@ -22,6 +22,7 @@ import {
   setActiveProject,
   setActiveWorkspace,
 } from "../config.js";
+import { loginWithBrowser, type OAuthTokens } from "../oauth-login.js";
 import { onboardNewUser } from "../onboard.js";
 import { buildSkillFile, HARMONY_WORKFLOW_PROMPT } from "../skills.js";
 import { type AgentId, detectAgents } from "./agents.js";
@@ -708,7 +709,10 @@ export async function runSetup(options: SetupOptions = {}): Promise<void> {
   }
 
   // Step 1: API Key (or create account)
-  let apiKey = options.apiKey || existingConfig.apiKey;
+  // Prefer an existing OAuth access token, then a legacy key. A `hmy_at_` OAuth
+  // token also starts with `hmy_`, so the reuse check below accepts both.
+  let apiKey =
+    options.apiKey || existingConfig.oauthAccessToken || existingConfig.apiKey;
   let userEmail: string | undefined =
     options.userEmail || existingConfig.userEmail || undefined;
   let selectedWorkspaceIdFromSignup: string | undefined;
@@ -716,28 +720,53 @@ export async function runSetup(options: SetupOptions = {}): Promise<void> {
   let selectedWorkspaceNameFromSignup: string | undefined;
   let selectedProjectNameFromSignup: string | undefined;
   let createdNewAccount = false;
+  // Set when the browser OAuth flow ran — persisted to config in Step 4.
+  let oauthTokens: OAuthTokens | undefined;
+
+  if (options.apiKey) {
+    // --- Deprecated: key passed via --api-key argv (card #364) ---
+    // A long-lived, unscoped account key in argv leaks via shell history,
+    // scrollback, and the process list. Kept as a CI/scripting escape hatch,
+    // but the browser OAuth flow is the supported onboarding path and the
+    // SetupWizard no longer emits this.
+    p.log.warn(
+      colors.warning(
+        "--api-key is deprecated and insecure: the key is exposed in your shell\n" +
+          "history, terminal scrollback, and the process list. Prefer the browser\n" +
+          "sign-in (run `npx @gethmy/mcp setup` with no --api-key). Use --api-key\n" +
+          "only for unattended CI where you accept that risk.",
+      ),
+    );
+  }
 
   if (needsApiKey || !apiKey || !apiKey.startsWith("hmy_")) {
-    // Determine path: create account or enter API key
+    // Determine path: browser OAuth (default), create account, or paste key.
     let useNewAccount = options.newAccount === true;
+    let useBrowserAuth = false;
 
     if (!useNewAccount && options.apiKey) {
       // API key passed via flag — skip the choice prompt
       useNewAccount = false;
     } else if (!useNewAccount && !options.apiKey) {
       const getStarted = await p.select({
-        message: "How would you like to get started?",
+        message: "How would you like to connect?",
         options: [
+          {
+            value: "browser",
+            label: "Sign in with your browser",
+            hint: "recommended — secure, no key handling",
+          },
           {
             value: "create",
             label: "Create a free account",
-            hint: "recommended for new users",
           },
           {
             value: "apikey",
-            label: "I already have an API key",
+            label: "Paste an API key",
+            hint: "advanced / CI",
           },
         ],
+        initialValue: "browser",
       });
 
       if (p.isCancel(getStarted)) {
@@ -746,9 +775,47 @@ export async function runSetup(options: SetupOptions = {}): Promise<void> {
       }
 
       useNewAccount = getStarted === "create";
+      useBrowserAuth = getStarted === "browser";
     }
 
-    if (useNewAccount) {
+    if (useBrowserAuth) {
+      // --- Browser OAuth flow (loopback + PKCE), card #364 ---
+      const spinner = p.spinner();
+      spinner.start("Opening your browser to authorize…");
+      try {
+        oauthTokens = await loginWithBrowser({
+          apiUrl: API_URL,
+          workspaceId: options.workspaceId,
+          onUrl: (url) => {
+            spinner.message(
+              `Authorize in your browser. If it didn't open:\n${colors.dim(url)}`,
+            );
+          },
+        });
+        apiKey = oauthTokens.accessToken;
+        needsApiKey = true;
+        // Persist immediately — the token is already minted, so saving now
+        // survives an abort later in the wizard. Null the legacy key: OAuth is
+        // now the active credential.
+        saveConfig({
+          apiKey: null,
+          oauthAccessToken: oauthTokens.accessToken,
+          oauthRefreshToken: oauthTokens.refreshToken,
+          oauthExpiresAt: oauthTokens.expiresAt,
+          oauthClientId: oauthTokens.clientId,
+          apiUrl: API_URL,
+        });
+        spinner.stop(colors.success("Authorized"));
+      } catch (error) {
+        spinner.stop(colors.error("Browser authorization failed"));
+        const msg = error instanceof Error ? error.message : "Unknown error";
+        p.log.error(msg);
+        p.log.info(
+          "You can retry, or run with --api-key for unattended setup.",
+        );
+        process.exit(1);
+      }
+    } else if (useNewAccount) {
       // --- Create account flow ---
       const fullName =
         options.name ||
@@ -843,6 +910,12 @@ export async function runSetup(options: SetupOptions = {}): Promise<void> {
         }
         process.exit(1);
       }
+    } else if (options.apiKey) {
+      // --- Key provided via --api-key: honor it non-interactively ---
+      // (the onboarding wizard's copied command depends on this path;
+      // validation below still runs against it)
+      apiKey = options.apiKey;
+      needsApiKey = true;
     } else {
       // --- Existing API key flow ---
       const keyInput = await p.text({
@@ -1102,21 +1175,32 @@ export async function runSetup(options: SetupOptions = {}): Promise<void> {
   const allFiles: FileToWrite[] = [];
   const allSymlinks: SymlinkToCreate[] = [];
 
-  // Always save global config if we have an API key change
+  // Always save global config if we have an API key change. This write is
+  // type:"text" (no merge), so it must carry the OAuth fields explicitly or the
+  // browser-auth credential would be clobbered.
   if (needsApiKey || !alreadyConfigured) {
-    allFiles.push({
-      path: getConfigPath(),
-      content: JSON.stringify(
-        {
+    const configToWrite = oauthTokens
+      ? {
+          apiKey: null,
+          apiUrl: API_URL,
+          userEmail: userEmail || null,
+          activeWorkspaceId: null,
+          activeProjectId: null,
+          oauthAccessToken: oauthTokens.accessToken,
+          oauthRefreshToken: oauthTokens.refreshToken,
+          oauthExpiresAt: oauthTokens.expiresAt,
+          oauthClientId: oauthTokens.clientId,
+        }
+      : {
           apiKey,
           apiUrl: API_URL,
           userEmail: userEmail || null,
           activeWorkspaceId: null,
           activeProjectId: null,
-        },
-        null,
-        2,
-      ),
+        };
+    allFiles.push({
+      path: getConfigPath(),
+      content: JSON.stringify(configToWrite, null, 2),
       type: "text", // Use text to avoid merging
     });
   }
@@ -1151,7 +1235,13 @@ export async function runSetup(options: SetupOptions = {}): Promise<void> {
   p.log.step("Summary");
   console.log("");
 
-  console.log(`  ${colors.bold("API Key:")} ${apiKey.slice(0, 8)}...`);
+  if (oauthTokens) {
+    console.log(
+      `  ${colors.bold("Credential:")} Browser sign-in (OAuth, workspace-scoped)`,
+    );
+  } else {
+    console.log(`  ${colors.bold("API Key:")} ${apiKey.slice(0, 8)}...`);
+  }
   if (userEmail) {
     console.log(`  ${colors.bold("Email:")} ${userEmail}`);
   }