@kiipu/cli 0.0.4 → 0.0.5

package/README.md

@@ -1,17 +1,17 @@
 # Kiipu CLI
 
-`@kiipu/cli` is the publishable Kiipu command line interface for local authentication, doctor checks, and direct post actions.
+Publish to Kiipu from your terminal.
 
-## What It Does
+`@kiipu/cli` is the official command line interface for Kiipu. It is the best place to start if you want to authenticate locally and post directly from the command line.
 
-- authenticate a local machine with a Kiipu API key
-- publish posts directly from the terminal
-- delete, restore, or permanently purge posts by id
-- verify local setup and API reachability with `kiipu doctor`
-- point developers to the separate Claude Code plugin and skills packages
+Use it to:
 
-By default, the CLI talks to the production Kiipu API at `https://api.kiipu.com`.
-For local development, you can explicitly override the base URL with `KIIPU_API_URL`.
+- sign in on the current device
+- publish posts from the command line
+- delete, restore, or permanently remove posts by id
+- verify local authentication and API access with `kiipu doctor`
+
+If you want Claude Code integration on top of the CLI, use `@kiipu/claude-plugin`.
 
 ## Install
 
@@ -21,85 +21,106 @@ npm install -g @kiipu/cli
 
 ## Quick Start
 
-Authenticate once on the current machine:
+1. Sign in:
 
 ```bash
-kiipu auth login --api-key <cpk_...>
+kiipu auth login
 ```
 
-Create a post:
+2. Publish a post:
 
 ```bash
-kiipu post create "Ship the beta today"
+kiipu post create "Hello Kiipu"
 ```
 
-Check local setup:
+3. Confirm local setup:
 
 ```bash
 kiipu doctor
 ```
 
-## Commands
+## Example Workflow
 
 ```bash
-kiipu auth login --api-key <cpk_...>
+kiipu auth login
+kiipu post create "Ship the beta today"
 kiipu auth status
-kiipu auth logout
-
-kiipu post create "Hello Kiipu"
-kiipu post delete --id post_123
-kiipu post restore --id post_123
-kiipu post purge --id post_123
-
-kiipu doctor
-kiipu skills
 ```
 
-## API Base URL
+## Authentication
 
-The CLI uses the production Kiipu API by default:
+By default, `kiipu auth login` opens your browser and connects the current device to your Kiipu account.
 
-```text
-https://api.kiipu.com
+```bash
+kiipu auth login
 ```
 
-To point the CLI at another environment during development, set `KIIPU_API_URL` explicitly:
+Useful authentication commands:
 
 ```bash
-KIIPU_API_URL=http://localhost:3001 kiipu doctor
+kiipu auth login --device-name "MacBook Pro"
+kiipu auth login --no-browser
+kiipu auth login --api-key <cpk_...>
+kiipu auth status
+kiipu auth logout
 ```
 
-The CLI no longer relies on a persisted `apiBaseUrl` in local config, which helps avoid stale non-production endpoints leaking into normal usage.
-
-## Claude Code Packages
-
-The Claude Code integration ships separately:
+## Posting
 
-- plugin package: `@kiipu/claude-plugin`
-- skill assets package: `@kiipu/skills`
-
-In this monorepo, you can test the plugin locally with:
+Create a post:
 
 ```bash
-claude --plugin-dir ./packages/claude-plugin
+kiipu post create "Ship the beta today"
+kiipu post create --content "Ship the beta today"
 ```
 
-## Standalone Repo Sync
-
-Export a clean standalone CLI repository snapshot from the monorepo root:
+Delete, restore, or permanently remove a post by id:
 
 ```bash
-pnpm export:cli:repo
+kiipu post delete --id post_123
+kiipu post restore --id post_123
+kiipu post purge --id post_123
 ```
 
-Push that exported snapshot to a dedicated GitHub repository:
+## Core Commands
 
 ```bash
-pnpm sync:cli:repo -- git@github.com:kiipu/cli.git
+kiipu auth login
+kiipu auth status
+kiipu auth logout
+
+kiipu post create "Hello Kiipu"
+kiipu post delete --id post_123
+kiipu post restore --id post_123
+kiipu post purge --id post_123
+
+kiipu doctor
+kiipu --help
 ```
 
-If your SSH remote is the default `kiipu/cli` repository, you can use:
+## Troubleshooting
+
+If browser login does not finish:
+
+- Complete sign-in in the browser tab opened by `kiipu auth login`.
+- If the browser does not open automatically, run `kiipu auth login --no-browser` and open the printed URL yourself.
+
+If a command fails with an authentication error:
+
+- Run `kiipu auth status` to confirm the current device is still signed in.
+- Re-run `kiipu auth login` if you need to refresh local credentials.
+
+If `kiipu doctor` reports a problem:
+
+- Re-run `kiipu auth login`.
+- Confirm you can reach Kiipu from the same machine in your browser.
+
+## Help
+
+See the full command reference in the terminal:
 
 ```bash
-pnpm sync:cli:ssh
+kiipu --help
+kiipu auth --help
+kiipu post --help
 ```

package/dist/commands/auth.js

@@ -1,5 +1,110 @@
-import { KiipuUserApiClient } from '../lib/kiipu-user-client.js';
 import { saveKiipuConfig } from '../config/config.js';
+import { createAuthState, createLoopbackServer, createPkcePair, getDefaultDeviceName, openBrowser, waitForEnterBeforeOpeningBrowser } from '../lib/browser-auth.js';
+import { KiipuUserApiClient } from '../lib/kiipu-user-client.js';
+import { logCliEvent } from '../logger/cli-logger.js';
+async function storeAuthenticatedConfig(config, payload) {
+    config.apiKey = payload.apiKey;
+    config.keyPrefix = payload.keyPrefix ?? undefined;
+    config.authUserId = payload.userId;
+    config.authUsername = payload.username;
+    await saveKiipuConfig(config);
+}
+async function loginWithApiKey(config, apiKey) {
+    const client = new KiipuUserApiClient({
+        apiBaseUrl: config.apiBaseUrl,
+        apiKey,
+    });
+    const response = await client.getApiKeyMe();
+    if (!response.ok) {
+        return {
+            ok: false,
+            message: response.error.message,
+        };
+    }
+    await storeAuthenticatedConfig(config, {
+        apiKey,
+        keyPrefix: response.data.keyPrefix,
+        userId: response.data.userId,
+        username: response.data.username,
+    });
+    return {
+        ok: true,
+        message: `Authenticated as ${response.data.username} (${response.data.displayName}). Key ${response.data.keyPrefix ?? 'unknown'} is now stored locally.`,
+        data: response.data,
+    };
+}
+async function loginWithBrowser(config, input) {
+    const deviceName = input.deviceName?.trim() || getDefaultDeviceName();
+    const state = createAuthState();
+    const { verifier, challenge } = createPkcePair();
+    const server = await createLoopbackServer(state);
+    const client = new KiipuUserApiClient({
+        apiBaseUrl: config.apiBaseUrl,
+    });
+    try {
+        const session = await client.createCliAuthSession({
+            deviceName,
+            redirectUri: server.redirectUri,
+            state,
+            codeChallenge: challenge,
+        });
+        if (!session.ok) {
+            return {
+                ok: false,
+                message: session.error.message,
+            };
+        }
+        console.log(`Kiipu CLI will connect this device as "${deviceName}".`);
+        console.log(`Waiting for browser login at ${session.data.authorizeUrl}`);
+        if (input.noBrowser) {
+            console.log('Open the URL above in your browser to continue.');
+        }
+        else {
+            await waitForEnterBeforeOpeningBrowser();
+            const opened = openBrowser(session.data.authorizeUrl);
+            if (!opened) {
+                console.log('Could not open the browser automatically. Open this URL manually:');
+                console.log(session.data.authorizeUrl);
+            }
+        }
+        const callback = await server.waitForCallback(new Date(session.data.expiresAt).getTime() - Date.now());
+        const exchange = await client.exchangeCliAuthSession({
+            sessionId: session.data.sessionId,
+            authorizationCode: callback.code,
+            codeVerifier: verifier,
+        });
+        if (!exchange.ok) {
+            return {
+                ok: false,
+                message: exchange.error.message,
+            };
+        }
+        await storeAuthenticatedConfig(config, {
+            apiKey: exchange.data.apiKey,
+            keyPrefix: exchange.data.keyPrefix,
+            userId: exchange.data.userId,
+            username: exchange.data.username,
+        });
+        logCliEvent('auth_browser_login_complete', {
+            username: exchange.data.username,
+            deviceName,
+        });
+        return {
+            ok: true,
+            message: `Authenticated as ${exchange.data.username} (${exchange.data.displayName}). This device is now connected to Kiipu and stored locally.`,
+            data: exchange.data,
+        };
+    }
+    catch (error) {
+        return {
+            ok: false,
+            message: error instanceof Error ? error.message : 'Kiipu browser login failed.',
+        };
+    }
+    finally {
+        await server.close().catch(() => undefined);
+    }
+}
 export async function runAuthCommand(config, input) {
     if (input.action === 'logout') {
         delete config.apiKey;
@@ -9,14 +114,14 @@ export async function runAuthCommand(config, input) {
         await saveKiipuConfig(config);
         return {
             ok: true,
-            message: 'Kiipu API key authentication was cleared from the local config.',
+            message: 'Kiipu authentication was cleared from the local config. Connected devices stay revocable from the web settings page.',
         };
     }
     if (input.action === 'status') {
         if (!config.apiKey) {
             return {
                 ok: true,
-                message: 'Kiipu CLI is not authenticated yet. Run `kiipu auth login --api-key <cpk_...>` first.',
+                message: 'Kiipu CLI is not authenticated yet. Run `kiipu auth login` first.',
             };
         }
         const client = new KiipuUserApiClient({
@@ -30,41 +135,23 @@ export async function runAuthCommand(config, input) {
                 message: response.error.message,
             };
         }
-        config.keyPrefix = response.data.keyPrefix ?? config.keyPrefix;
-        config.authUserId = response.data.userId;
-        config.authUsername = response.data.username;
-        await saveKiipuConfig(config);
+        await storeAuthenticatedConfig(config, {
+            apiKey: config.apiKey,
+            keyPrefix: response.data.keyPrefix,
+            userId: response.data.userId,
+            username: response.data.username,
+        });
         return {
             ok: true,
             message: `Authenticated as ${response.data.username} (${response.data.displayName}) with key ${response.data.keyPrefix ?? 'unknown'}.`,
             data: response.data,
         };
     }
-    if (!input.apiKey) {
-        return {
-            ok: false,
-            message: 'Usage: kiipu auth login --api-key <cpk_...>',
-        };
+    if (input.apiKey) {
+        return loginWithApiKey(config, input.apiKey);
     }
-    const client = new KiipuUserApiClient({
-        apiBaseUrl: config.apiBaseUrl,
-        apiKey: input.apiKey,
+    return loginWithBrowser(config, {
+        deviceName: input.deviceName,
+        noBrowser: input.noBrowser,
     });
-    const response = await client.getApiKeyMe();
-    if (!response.ok) {
-        return {
-            ok: false,
-            message: response.error.message,
-        };
-    }
-    config.apiKey = input.apiKey;
-    config.keyPrefix = response.data.keyPrefix ?? undefined;
-    config.authUserId = response.data.userId;
-    config.authUsername = response.data.username;
-    await saveKiipuConfig(config);
-    return {
-        ok: true,
-        message: `Authenticated as ${response.data.username} (${response.data.displayName}). Key ${response.data.keyPrefix ?? 'unknown'} is now stored locally.`,
-        data: response.data,
-    };
 }

package/dist/commands/doctor.js

@@ -1,6 +1,6 @@
 import { KiipuUserApiClient } from '../lib/kiipu-user-client.js';
 import { access } from 'node:fs/promises';
-import { DEFAULT_KIIPU_API_BASE_URL, getConfiguredApiBaseUrl, getDefaultConfigPath } from '../config/config.js';
+import { getConfiguredApiBaseUrl, getDefaultConfigPath } from '../config/config.js';
 import { logCliEvent } from '../logger/cli-logger.js';
 export async function runDoctorCommand(config) {
     logCliEvent('doctor_start');
@@ -8,13 +8,13 @@ export async function runDoctorCommand(config) {
     if (!config) {
         return {
             ok: false,
-            message: `Missing config at ${configPath}. Run \`kiipu auth login --api-key <cpk_...>\` first.`,
+            message: `Missing config at ${configPath}. Run \`kiipu auth login\` first.`,
         };
     }
     const checks = [];
     let ok = true;
     const apiBaseUrlConfig = getConfiguredApiBaseUrl();
-    checks.push(config.apiKey ? `OK API key: ${config.keyPrefix ?? 'configured'}` : 'Missing API key. Run `kiipu auth login --api-key <cpk_...>`.');
+    checks.push(config.apiKey ? `OK API key: ${config.keyPrefix ?? 'configured'}` : 'Missing API key. Run `kiipu auth login`.');
     if (!(config.apiKey || process.env.KIIPU_API_KEY)) {
         ok = false;
     }
@@ -22,10 +22,6 @@ export async function runDoctorCommand(config) {
     checks.push(apiBaseUrlConfig.source === 'env'
         ? `WARN API base URL override: ${config.apiBaseUrl}`
         : `OK API base URL: ${config.apiBaseUrl}`);
-    if (apiBaseUrlConfig.source === 'default' && config.apiBaseUrl !== DEFAULT_KIIPU_API_BASE_URL) {
-        ok = false;
-        checks.push(`Config mismatch: expected ${DEFAULT_KIIPU_API_BASE_URL} but loaded ${config.apiBaseUrl}. Re-run auth to refresh local config.`);
-    }
     let apiStatus = `API unreachable at ${config.apiBaseUrl}`;
     try {
         const response = await fetch(`${config.apiBaseUrl}/health`);

package/dist/commands/help.js

@@ -59,17 +59,25 @@ export function getHelpResult(command) {
                 'Kiipu CLI',
                 '',
                 'Usage:',
+                '  kiipu auth login',
+                '  kiipu auth login --device-name "<name>"',
+                '  kiipu auth login --no-browser',
                 '  kiipu auth login --api-key <cpk_...>',
                 '  kiipu auth status',
                 '  kiipu auth logout',
                 '',
                 'Description:',
-                '  Manage local Kiipu API key authentication.',
+                '  Manage local Kiipu authentication. Browser login is the default flow.',
                 '',
                 'Options:',
-                '  --api-key <cpk_...>   API key created on /connect. Required for login.',
+                '  --device-name "<name>" Name shown under Connected Devices for browser login.',
+                '  --no-browser          Print the browser login URL instead of opening it automatically.',
+                '  --api-key <cpk_...>   Manually store an existing API key for compatibility or CI.',
                 '',
                 'Examples:',
+                '  kiipu auth login',
+                '  kiipu auth login --device-name "MacBook Pro"',
+                '  kiipu auth login --no-browser',
                 '  kiipu auth login --api-key cpk_abc123...',
                 '  kiipu auth status',
                 '  kiipu auth logout',
@@ -112,7 +120,7 @@ export function getHelpResult(command) {
             'Core examples:',
             '  kiipu post create "Hello Kiipu"',
             '  kiipu post delete --id 123',
-            '  kiipu auth login --api-key <cpk_...>',
+            '  kiipu auth login',
             '  kiipu doctor',
             '  claude --plugin-dir ./packages/claude-plugin',
             '  KIIPU_API_URL=http://localhost:3001 kiipu doctor',

package/dist/config/config.js

@@ -25,6 +25,16 @@ export function getConfiguredApiBaseUrl() {
         source: 'default',
     };
 }
+function getFileConfiguredApiBaseUrl(raw) {
+    const value = typeof raw.apiBaseUrl === 'string' ? raw.apiBaseUrl.trim() : '';
+    if (!value) {
+        return null;
+    }
+    return {
+        value,
+        source: 'file',
+    };
+}
 export function createDefaultConfig() {
     return {
         apiBaseUrl: getConfiguredApiBaseUrl().value,
@@ -37,6 +47,11 @@ export async function loadKiipuConfig(configPath = getDefaultConfigPath()) {
     const content = await readFile(configPath, 'utf8');
     const raw = JSON.parse(content);
     const nextConfig = createDefaultConfig();
+    const envConfiguredApiBaseUrl = process.env.KIIPU_API_URL?.trim();
+    const fileConfiguredApiBaseUrl = getFileConfiguredApiBaseUrl(raw);
+    if (!envConfiguredApiBaseUrl && fileConfiguredApiBaseUrl) {
+        nextConfig.apiBaseUrl = fileConfiguredApiBaseUrl.value;
+    }
     if (typeof raw.apiKey === 'string') {
         nextConfig.apiKey = raw.apiKey;
     }

package/dist/index.js

@@ -26,7 +26,7 @@ async function main() {
     const wantsHelp = hasFlag(normalizedArgs, '--help') || hasFlag(normalizedArgs, '-h');
     const wantsVersion = hasFlag(normalizedArgs, '--version') || hasFlag(normalizedArgs, '-v');
     const positionalArgs = normalizedArgs.filter((arg, index, all) => {
-        if (arg === '--json' || arg === '--help' || arg === '-h' || arg === '--version' || arg === '-v')
+        if (arg === '--json' || arg === '--help' || arg === '-h' || arg === '--version' || arg === '-v' || arg === '--no-browser')
             return false;
         const prev = all[index - 1];
         return (prev !== '--scheduled-at' &&
@@ -36,6 +36,7 @@ async function main() {
             prev !== '--content' &&
             prev !== '--id' &&
             prev !== '--api-key' &&
+            prev !== '--device-name' &&
             prev !== '--config-path' &&
             prev !== '--wrapper-path' &&
             prev !== '--conversation-id' &&
@@ -88,6 +89,8 @@ async function main() {
         result = await runAuthCommand(config, {
             action,
             apiKey: readFlag(normalizedArgs, '--api-key'),
+            deviceName: readFlag(normalizedArgs, '--device-name'),
+            noBrowser: hasFlag(normalizedArgs, '--no-browser'),
         });
         return printResult(result, asJson);
     }

package/dist/lib/browser-auth.js

@@ -0,0 +1,319 @@
+import { createHash, randomBytes } from 'node:crypto';
+import { createServer } from 'node:http';
+import os from 'node:os';
+import { spawn } from 'node:child_process';
+import readline from 'node:readline/promises';
+import { logCliEvent } from '../logger/cli-logger.js';
+function toBase64Url(buffer) {
+    return buffer.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
+}
+function createRandomToken(size = 32) {
+    return toBase64Url(randomBytes(size));
+}
+export function createPkcePair() {
+    const verifier = createRandomToken(48);
+    const challenge = toBase64Url(createHash('sha256').update(verifier).digest());
+    return {
+        verifier,
+        challenge,
+    };
+}
+export function createAuthState() {
+    return createRandomToken(24);
+}
+export function getDefaultDeviceName() {
+    return os.hostname();
+}
+export async function createLoopbackServer(expectedState) {
+    return new Promise((resolve, reject) => {
+        let timeout = null;
+        let callbackResolver = null;
+        let callbackRejecter = null;
+        let pendingValue = null;
+        let pendingError = null;
+        function renderPage(input) {
+            const tone = input.tone ?? 'success';
+            const accent = tone === 'success' ? '#d56c47' : '#c2410c';
+            const accentSoft = tone === 'success' ? 'rgba(213, 108, 71, 0.16)' : 'rgba(194, 65, 12, 0.14)';
+            const badgeText = tone === 'success' ? 'CLI Connected' : 'Connection Error';
+            return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>${input.title}</title>
+    <style>
+      :root {
+        color-scheme: light;
+        --bg: #f7f1ec;
+        --card: rgba(255, 255, 255, 0.88);
+        --text: #201714;
+        --muted: rgba(32, 23, 20, 0.64);
+        --border: rgba(32, 23, 20, 0.08);
+        --accent: ${accent};
+        --accent-soft: ${accentSoft};
+      }
+
+      * {
+        box-sizing: border-box;
+      }
+
+      body {
+        margin: 0;
+        min-height: 100vh;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        padding: 24px;
+        font-family: ui-sans-serif, -apple-system, BlinkMacSystemFont, "SF Pro Text", "Segoe UI", sans-serif;
+        background:
+          radial-gradient(circle at top left, rgba(213, 108, 71, 0.18), transparent 30%),
+          linear-gradient(135deg, #fcf8f5 0%, #f5ece5 100%);
+        color: var(--text);
+      }
+
+      .shell {
+        width: min(100%, 560px);
+        border: 1px solid var(--border);
+        border-radius: 28px;
+        background: var(--card);
+        backdrop-filter: blur(14px);
+        box-shadow:
+          0 20px 60px rgba(61, 33, 20, 0.10),
+          inset 0 1px 0 rgba(255, 255, 255, 0.55);
+        overflow: hidden;
+      }
+
+      .hero {
+        padding: 28px 28px 18px;
+        background:
+          radial-gradient(circle at top left, var(--accent-soft), transparent 42%),
+          linear-gradient(180deg, rgba(255,255,255,0.75), rgba(255,255,255,0.4));
+      }
+
+      .badge {
+        display: inline-flex;
+        align-items: center;
+        gap: 8px;
+        padding: 8px 12px;
+        border-radius: 999px;
+        background: var(--accent-soft);
+        color: var(--accent);
+        font-size: 12px;
+        font-weight: 700;
+        letter-spacing: 0.08em;
+        text-transform: uppercase;
+      }
+
+      .dot {
+        width: 8px;
+        height: 8px;
+        border-radius: 999px;
+        background: currentColor;
+        box-shadow: 0 0 0 6px rgba(255, 255, 255, 0.55);
+      }
+
+      .content {
+        padding: 8px 28px 28px;
+      }
+
+      h1 {
+        margin: 18px 0 10px;
+        font-size: clamp(28px, 5vw, 38px);
+        line-height: 1.04;
+        letter-spacing: -0.04em;
+      }
+
+      p {
+        margin: 0;
+        color: var(--muted);
+        font-size: 15px;
+        line-height: 1.7;
+      }
+
+      .panel {
+        margin-top: 22px;
+        display: grid;
+        gap: 12px;
+        border: 1px solid var(--border);
+        border-radius: 22px;
+        background: rgba(255, 255, 255, 0.72);
+        padding: 16px 18px;
+      }
+
+      .panel strong {
+        display: block;
+        font-size: 14px;
+        color: var(--text);
+        margin-bottom: 4px;
+      }
+
+      .footer {
+        margin-top: 16px;
+        font-size: 13px;
+        color: rgba(32, 23, 20, 0.48);
+      }
+    </style>
+  </head>
+  <body>
+    <main class="shell">
+      <section class="hero">
+        <div class="badge"><span class="dot"></span>${badgeText}</div>
+        <h1>${input.title}</h1>
+      </section>
+      <section class="content">
+        <p>${input.body}</p>
+        <div class="panel">
+          <div>
+            <strong>What happens next</strong>
+            Return to your terminal and Kiipu will finish connecting this device automatically.
+          </div>
+        </div>
+        <p class="footer">This tab is only used to complete the local Kiipu CLI sign-in flow.</p>
+      </section>
+    </main>
+  </body>
+</html>`;
+        }
+        function respond(response, status, body) {
+            response.writeHead(status, {
+                'Content-Type': 'text/html; charset=utf-8',
+            });
+            response.end(body);
+        }
+        function done(error, value) {
+            if (timeout) {
+                clearTimeout(timeout);
+                timeout = null;
+            }
+            if (error) {
+                if (callbackRejecter) {
+                    callbackRejecter(error);
+                }
+                else {
+                    pendingError = error;
+                }
+            }
+            else if (value) {
+                if (callbackResolver) {
+                    callbackResolver(value);
+                }
+                else {
+                    pendingValue = value;
+                }
+            }
+        }
+        const server = createServer((request, response) => {
+            const url = new URL(request.url ?? '/', 'http://127.0.0.1');
+            if (url.pathname !== '/callback') {
+                respond(response, 404, '<h1>Not found</h1>');
+                return;
+            }
+            const code = url.searchParams.get('code')?.trim() ?? '';
+            const state = url.searchParams.get('state')?.trim() ?? '';
+            if (!code || !state) {
+                respond(response, 400, renderPage({
+                    title: 'Missing login parameters',
+                    body: 'Kiipu could not complete this local sign-in because the callback was missing required details. Close this tab and run `kiipu auth login` again.',
+                    tone: 'error',
+                }));
+                return;
+            }
+            if (state !== expectedState) {
+                respond(response, 400, renderPage({
+                    title: 'This login link is no longer valid',
+                    body: 'The browser callback did not match the active Kiipu CLI session. Start a fresh `kiipu auth login` command and try again.',
+                    tone: 'error',
+                }));
+                done(new Error('CLI login callback state did not match the expected request.'));
+                return;
+            }
+            respond(response, 200, renderPage({
+                title: 'Kiipu CLI connected',
+                body: 'This browser step is complete. You can close this tab and return to your terminal.',
+                tone: 'success',
+            }));
+            done(undefined, { code, state });
+        });
+        server.once('error', reject);
+        server.listen(0, '127.0.0.1', () => {
+            const address = server.address();
+            if (!address || typeof address === 'string') {
+                reject(new Error('Failed to determine the local CLI callback port.'));
+                return;
+            }
+            resolve({
+                redirectUri: `http://127.0.0.1:${address.port}/callback`,
+                waitForCallback(timeoutMs) {
+                    return new Promise((innerResolve, innerReject) => {
+                        if (pendingError) {
+                            const error = pendingError;
+                            pendingError = null;
+                            innerReject(error);
+                            return;
+                        }
+                        if (pendingValue) {
+                            const value = pendingValue;
+                            pendingValue = null;
+                            innerResolve(value);
+                            return;
+                        }
+                        callbackResolver = innerResolve;
+                        callbackRejecter = innerReject;
+                        timeout = setTimeout(() => {
+                            innerReject(new Error('Timed out waiting for browser login to complete.'));
+                        }, timeoutMs);
+                    });
+                },
+                close() {
+                    return new Promise((innerResolve, innerReject) => {
+                        server.close((error) => {
+                            if (error) {
+                                innerReject(error);
+                                return;
+                            }
+                            innerResolve();
+                        });
+                    });
+                },
+            });
+        });
+    });
+}
+export async function waitForEnterBeforeOpeningBrowser() {
+    if (!process.stdin.isTTY || !process.stdout.isTTY) {
+        return;
+    }
+    const rl = readline.createInterface({
+        input: process.stdin,
+        output: process.stdout,
+    });
+    try {
+        await rl.question('Press Enter to open the browser and continue login...');
+    }
+    finally {
+        rl.close();
+    }
+}
+export function openBrowser(url) {
+    const platform = process.platform;
+    const command = platform === 'darwin'
+        ? { file: 'open', args: [url] }
+        : platform === 'win32'
+            ? { file: 'cmd', args: ['/c', 'start', '', url] }
+            : { file: 'xdg-open', args: [url] };
+    try {
+        const child = spawn(command.file, command.args, {
+            detached: true,
+            stdio: 'ignore',
+        });
+        child.unref();
+        logCliEvent('auth_browser_opened', {
+            platform,
+        });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/lib/kiipu-user-client.js

@@ -19,7 +19,7 @@ export class KiipuUserApiClient {
                 ...init,
                 headers: {
                     'Content-Type': 'application/json',
-                    Authorization: `Bearer ${this.config.apiKey}`,
+                    ...(this.config.apiKey ? { Authorization: `Bearer ${this.config.apiKey}` } : {}),
                     ...(init?.headers ?? {}),
                 },
             });
@@ -47,4 +47,16 @@ export class KiipuUserApiClient {
     getApiKeyMe() {
         return this.request('/auth/api-key/me');
     }
+    createCliAuthSession(input) {
+        return this.request('/auth/cli/sessions', {
+            method: 'POST',
+            body: JSON.stringify(input),
+        });
+    }
+    exchangeCliAuthSession(input) {
+        return this.request('/auth/cli/exchange', {
+            method: 'POST',
+            body: JSON.stringify(input),
+        });
+    }
 }

package/dist/lib/post-actions.js

@@ -9,7 +9,7 @@ function getPostApiClient(config) {
         return {
             error: {
                 ok: false,
-                message: 'Kiipu API key is missing. Run `kiipu auth login --api-key <cpk_...>` first.',
+                message: 'Kiipu API key is missing. Run `kiipu auth login` first.',
             },
         };
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kiipu/cli",
-  "version": "0.0.4",
+  "version": "0.0.5",
   "description": "Kiipu CLI for local authentication, doctor checks, and direct post actions.",
   "license": "MIT",
   "type": "module",
@@ -40,7 +40,7 @@
     "release:major": "npm version major --no-git-tag-version",
     "pack:local": "node scripts/pack-local.mjs",
     "verify:package": "node scripts/verify-package.mjs",
-    "publish:dry-run": "npm publish --dry-run"
+    "publish:dry-run": "node ../../infra/scripts/prepare-cli-release.mjs && npm publish ../../.release/cli-package --dry-run"
   },
   "dependencies": {},
   "devDependencies": {