@kweaver-ai/kweaver-sdk 0.4.10 → 0.4.11

package/dist/auth/oauth.js

@@ -8,82 +8,137 @@ const DEFAULT_SCOPE = "openid offline all";
 export function normalizeBaseUrl(value) {
     return value.replace(/\/+$/, "");
 }
+/**
+ * Temporarily disable TLS certificate verification for Node `fetch` (sets
+ * NODE_TLS_REJECT_UNAUTHORIZED). Used for `--insecure` login and token refresh.
+ */
+async function runWithTlsInsecure(tlsInsecure, fn) {
+    if (!tlsInsecure) {
+        return fn();
+    }
+    const prev = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+    process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+    try {
+        return await fn();
+    }
+    finally {
+        if (prev === undefined) {
+            delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+        }
+        else {
+            process.env.NODE_TLS_REJECT_UNAUTHORIZED = prev;
+        }
+    }
+}
+/** Generate a PKCE code_verifier and code_challenge (S256). */
+async function generatePkce() {
+    const { randomBytes, createHash } = await import("node:crypto");
+    const verifier = randomBytes(48).toString("base64url");
+    const challenge = createHash("sha256").update(verifier).digest("base64url");
+    return { verifier, challenge };
+}
 /**
  * OAuth2 Authorization Code login flow.
- * 1. Register client (if not already registered)
+ * 1. Register client (if not already registered), OR use a provided client ID
  * 2. Open browser to /oauth2/auth
  * 3. Receive authorization code via local HTTP callback
  * 4. Exchange code for access_token + refresh_token
  * 5. Save token.json + client.json to ~/.kweaver/
  */
 export async function oauth2Login(baseUrl, options) {
-    const { createServer } = await import("node:http");
-    const { randomBytes } = await import("node:crypto");
-    const base = normalizeBaseUrl(baseUrl);
-    const port = options?.port ?? DEFAULT_REDIRECT_PORT;
-    const scope = options?.scope ?? DEFAULT_SCOPE;
-    const redirectUri = `http://127.0.0.1:${port}/callback`;
-    // Step 1: Ensure registered client
-    let client = loadClientConfig(base);
-    if (!client?.clientId) {
-        client = await registerOAuth2Client(base, redirectUri, scope);
-        saveClientConfig(base, client);
-    }
-    // Step 2: Generate CSRF state
-    const state = randomBytes(12).toString("hex");
-    // Step 3: Build authorization URL
-    const authParams = new URLSearchParams({
-        redirect_uri: redirectUri,
-        "x-forwarded-prefix": "",
-        client_id: client.clientId,
-        scope,
-        response_type: "code",
-        state,
-        lang: "zh-cn",
-        product: "adp",
-    });
-    const authUrl = `${base}/oauth2/auth?${authParams.toString()}`;
-    // Step 4: Start local callback server, wait for code
-    const code = await new Promise((resolve, reject) => {
-        const timeoutId = setTimeout(() => {
-            server.close();
-            reject(new Error("OAuth2 login timed out (120s). No authorization code received."));
-        }, 120_000);
-        const server = createServer((req, res) => {
-            const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
-            if (url.pathname === "/callback") {
-                const receivedState = url.searchParams.get("state");
-                const receivedCode = url.searchParams.get("code");
-                res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-                res.end("<html><body><h2>Login successful. You can close this tab.</h2></body></html>");
-                clearTimeout(timeoutId);
+    return runWithTlsInsecure(options?.tlsInsecure, async () => {
+        const { createServer } = await import("node:http");
+        const { randomBytes } = await import("node:crypto");
+        const base = normalizeBaseUrl(baseUrl);
+        const port = options?.port ?? DEFAULT_REDIRECT_PORT;
+        const scope = options?.scope ?? DEFAULT_SCOPE;
+        const redirectUri = `http://127.0.0.1:${port}/callback`;
+        // Step 1: Determine client — use provided client ID or fall back to dynamic registration
+        let client = loadClientConfig(base);
+        if (options?.clientId) {
+            // Use the platform's existing client (e.g. the web app client).
+            // Persist it so future logins reuse it without re-registering.
+            client = {
+                baseUrl: base,
+                clientId: options.clientId,
+                clientSecret: options.clientSecret ?? "",
+                redirectUri,
+                logoutRedirectUri: redirectUri.replace("/callback", "/successful-logout"),
+                scope,
+                lang: "zh-cn",
+                product: "adp",
+                xForwardedPrefix: "",
+            };
+            saveClientConfig(base, client);
+        }
+        else if (!client?.clientId) {
+            client = await registerOAuth2Client(base, redirectUri, scope);
+            saveClientConfig(base, client);
+        }
+        // Use PKCE when no client secret is available (public client / platform client).
+        const usePkce = !client.clientSecret;
+        const pkce = usePkce ? await generatePkce() : null;
+        // Step 2: Generate CSRF state
+        const state = randomBytes(12).toString("hex");
+        // Step 3: Build authorization URL
+        const authParams = new URLSearchParams({
+            redirect_uri: redirectUri,
+            "x-forwarded-prefix": "",
+            client_id: client.clientId,
+            scope,
+            response_type: "code",
+            state,
+            lang: "zh-cn",
+            product: "adp",
+        });
+        if (pkce) {
+            authParams.set("code_challenge", pkce.challenge);
+            authParams.set("code_challenge_method", "S256");
+        }
+        const authUrl = `${base}/oauth2/auth?${authParams.toString()}`;
+        // Step 4: Start local callback server, wait for code
+        const code = await new Promise((resolve, reject) => {
+            const timeoutId = setTimeout(() => {
                 server.close();
-                if (receivedState !== state) {
-                    reject(new Error("OAuth2 state mismatch — possible CSRF attack."));
-                }
-                else if (!receivedCode) {
-                    reject(new Error("No authorization code received in callback."));
+                reject(new Error("OAuth2 login timed out (120s). No authorization code received."));
+            }, 120_000);
+            const server = createServer((req, res) => {
+                const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+                if (url.pathname === "/callback") {
+                    const receivedState = url.searchParams.get("state");
+                    const receivedCode = url.searchParams.get("code");
+                    res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+                    res.end("<html><body><h2>Login successful. You can close this tab.</h2></body></html>");
+                    clearTimeout(timeoutId);
+                    server.close();
+                    if (receivedState !== state) {
+                        reject(new Error("OAuth2 state mismatch — possible CSRF attack."));
+                    }
+                    else if (!receivedCode) {
+                        reject(new Error("No authorization code received in callback."));
+                    }
+                    else {
+                        resolve(receivedCode);
+                    }
                 }
                 else {
-                    resolve(receivedCode);
+                    res.writeHead(404);
+                    res.end();
                 }
-            }
-            else {
-                res.writeHead(404);
-                res.end();
-            }
-        });
-        server.listen(port, "127.0.0.1", () => {
-            // Step 5: Open browser (uses spawn with proper Windows quoting)
-            import("../utils/browser.js").then(({ openBrowser }) => {
-                openBrowser(authUrl);
+            });
+            server.listen(port, "127.0.0.1", () => {
+                // Step 5: Open browser (uses spawn with proper Windows quoting)
+                import("../utils/browser.js").then(({ openBrowser }) => {
+                    openBrowser(authUrl);
+                });
+                process.stderr.write(`If the wrong browser opens, copy this URL to your correct browser:\n  ${authUrl}\n`);
             });
         });
+        // Step 6: Exchange code for tokens
+        const token = await exchangeCodeForToken(base, code, client.clientId, client.clientSecret, redirectUri, pkce?.verifier, options?.tlsInsecure);
+        setCurrentPlatform(base);
+        return token;
     });
-    // Step 6: Exchange code for tokens
-    const token = await exchangeCodeForToken(base, code, client.clientId, client.clientSecret, redirectUri);
-    setCurrentPlatform(base);
-    return token;
 }
 async function registerOAuth2Client(baseUrl, redirectUri, scope) {
     const logoutUri = redirectUri.replace("/callback", "/successful-logout");
@@ -123,20 +178,31 @@ async function registerOAuth2Client(baseUrl, redirectUri, scope) {
         xForwardedPrefix: "",
     };
 }
-async function exchangeCodeForToken(baseUrl, code, clientId, clientSecret, redirectUri) {
-    const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
+async function exchangeCodeForToken(baseUrl, code, clientId, clientSecret, redirectUri, codeVerifier, tlsInsecure) {
+    const params = {
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: redirectUri,
+    };
+    if (codeVerifier) {
+        params.code_verifier = codeVerifier;
+    }
+    const headers = {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json",
+    };
+    if (clientSecret) {
+        // Confidential client: use HTTP Basic auth
+        headers.Authorization = `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString("base64")}`;
+    }
+    else {
+        // Public client (PKCE): send client_id in body
+        params.client_id = clientId;
+    }
     const response = await fetch(`${baseUrl}/oauth2/token`, {
         method: "POST",
-        headers: {
-            Authorization: `Basic ${credentials}`,
-            "Content-Type": "application/x-www-form-urlencoded",
-            Accept: "application/json",
-        },
-        body: new URLSearchParams({
-            grant_type: "authorization_code",
-            code,
-            redirect_uri: redirectUri,
-        }).toString(),
+        headers,
+        body: new URLSearchParams(params).toString(),
     });
     const text = await response.text();
     if (!response.ok) {
@@ -155,6 +221,7 @@ async function exchangeCodeForToken(baseUrl, code, clientId, clientSecret, redir
         refreshToken: data.refresh_token ?? "",
         idToken: data.id_token ?? "",
         obtainedAt: now.toISOString(),
+        ...(tlsInsecure ? { tlsInsecure: true } : {}),
     };
     saveTokenConfig(token);
     return token;
@@ -171,105 +238,107 @@ async function exchangeCodeForToken(baseUrl, code, clientId, clientSecret, redir
  * window for manual login (same UX as the old cookie-based flow).
  */
 export async function playwrightLogin(baseUrl, options) {
-    const { createServer } = await import("node:http");
-    const { randomBytes } = await import("node:crypto");
-    let chromium;
-    try {
-        const modName = "playwright";
-        const pw = await import(/* webpackIgnore: true */ modName);
-        chromium = pw.chromium;
-    }
-    catch {
-        throw new Error("Playwright is not installed. Run:\n  npm install playwright && npx playwright install chromium");
-    }
-    const base = normalizeBaseUrl(baseUrl);
-    const port = options?.port ?? DEFAULT_REDIRECT_PORT;
-    const scope = options?.scope ?? DEFAULT_SCOPE;
-    const redirectUri = `http://127.0.0.1:${port}/callback`;
-    const hasCredentials = !!(options?.username && options?.password);
-    // Step 1: Ensure registered OAuth2 client
-    let client = loadClientConfig(base);
-    if (!client?.clientId) {
-        client = await registerOAuth2Client(base, redirectUri, scope);
-        saveClientConfig(base, client);
-    }
-    // Step 2: Generate CSRF state
-    const state = randomBytes(12).toString("hex");
-    // Step 3: Build authorization URL
-    const authParams = new URLSearchParams({
-        redirect_uri: redirectUri,
-        "x-forwarded-prefix": "",
-        client_id: client.clientId,
-        scope,
-        response_type: "code",
-        state,
-        lang: "zh-cn",
-        product: "adp",
-    });
-    const authUrl = `${base}/oauth2/auth?${authParams.toString()}`;
-    // Step 4: Start local callback server to capture the authorization code
-    const code = await new Promise((resolve, reject) => {
-        const TIMEOUT_MS = hasCredentials ? 30_000 : 120_000;
-        const timeoutId = setTimeout(() => {
-            server.close();
-            browser?.close();
-            reject(new Error(`OAuth2 login timed out (${TIMEOUT_MS / 1000}s). No authorization code received.`));
-        }, TIMEOUT_MS);
-        const server = createServer((req, res) => {
-            const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
-            if (url.pathname === "/callback") {
-                const receivedState = url.searchParams.get("state");
-                const receivedCode = url.searchParams.get("code");
-                res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-                res.end("<html><body><h2>Login successful. You can close this tab.</h2></body></html>");
-                clearTimeout(timeoutId);
+    return runWithTlsInsecure(options?.tlsInsecure, async () => {
+        const { createServer } = await import("node:http");
+        const { randomBytes } = await import("node:crypto");
+        let chromium;
+        try {
+            const modName = "playwright";
+            const pw = await import(/* webpackIgnore: true */ modName);
+            chromium = pw.chromium;
+        }
+        catch {
+            throw new Error("Playwright is not installed. Run:\n  npm install playwright && npx playwright install chromium");
+        }
+        const base = normalizeBaseUrl(baseUrl);
+        const port = options?.port ?? DEFAULT_REDIRECT_PORT;
+        const scope = options?.scope ?? DEFAULT_SCOPE;
+        const redirectUri = `http://127.0.0.1:${port}/callback`;
+        const hasCredentials = !!(options?.username && options?.password);
+        // Step 1: Ensure registered OAuth2 client
+        let client = loadClientConfig(base);
+        if (!client?.clientId) {
+            client = await registerOAuth2Client(base, redirectUri, scope);
+            saveClientConfig(base, client);
+        }
+        // Step 2: Generate CSRF state
+        const state = randomBytes(12).toString("hex");
+        // Step 3: Build authorization URL
+        const authParams = new URLSearchParams({
+            redirect_uri: redirectUri,
+            "x-forwarded-prefix": "",
+            client_id: client.clientId,
+            scope,
+            response_type: "code",
+            state,
+            lang: "zh-cn",
+            product: "adp",
+        });
+        const authUrl = `${base}/oauth2/auth?${authParams.toString()}`;
+        // Step 4: Start local callback server to capture the authorization code
+        const code = await new Promise((resolve, reject) => {
+            const TIMEOUT_MS = hasCredentials ? 30_000 : 120_000;
+            const timeoutId = setTimeout(() => {
                 server.close();
                 browser?.close();
-                if (receivedState !== state) {
-                    reject(new Error("OAuth2 state mismatch — possible CSRF attack."));
-                }
-                else if (!receivedCode) {
-                    reject(new Error("No authorization code received in callback."));
+                reject(new Error(`OAuth2 login timed out (${TIMEOUT_MS / 1000}s). No authorization code received.`));
+            }, TIMEOUT_MS);
+            const server = createServer((req, res) => {
+                const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+                if (url.pathname === "/callback") {
+                    const receivedState = url.searchParams.get("state");
+                    const receivedCode = url.searchParams.get("code");
+                    res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+                    res.end("<html><body><h2>Login successful. You can close this tab.</h2></body></html>");
+                    clearTimeout(timeoutId);
+                    server.close();
+                    browser?.close();
+                    if (receivedState !== state) {
+                        reject(new Error("OAuth2 state mismatch — possible CSRF attack."));
+                    }
+                    else if (!receivedCode) {
+                        reject(new Error("No authorization code received in callback."));
+                    }
+                    else {
+                        resolve(receivedCode);
+                    }
                 }
                 else {
-                    resolve(receivedCode);
+                    res.writeHead(404);
+                    res.end();
                 }
-            }
-            else {
-                res.writeHead(404);
-                res.end();
-            }
-        });
-        let browser;
-        server.listen(port, "127.0.0.1", async () => {
-            try {
-                browser = await chromium.launch({ headless: hasCredentials });
-                const context = await browser.newContext();
-                const page = await context.newPage();
-                // Navigate to OAuth2 auth URL — redirects to signin page
-                await page.goto(authUrl, { waitUntil: "networkidle", timeout: 30_000 });
-                if (hasCredentials) {
-                    // Auto-fill credentials
-                    await page.waitForSelector('input[name="account"]', { timeout: 10_000 });
-                    await page.fill('input[name="account"]', options.username);
-                    await page.fill('input[name="password"]', options.password);
-                    await page.click("button.ant-btn-primary");
+            });
+            let browser;
+            server.listen(port, "127.0.0.1", async () => {
+                try {
+                    browser = await chromium.launch({ headless: hasCredentials });
+                    const context = await browser.newContext({ ignoreHTTPSErrors: !!options?.tlsInsecure });
+                    const page = await context.newPage();
+                    // Navigate to OAuth2 auth URL — redirects to signin page
+                    await page.goto(authUrl, { waitUntil: "networkidle", timeout: 30_000 });
+                    if (hasCredentials) {
+                        // Auto-fill credentials
+                        await page.waitForSelector('input[name="account"]', { timeout: 10_000 });
+                        await page.fill('input[name="account"]', options.username);
+                        await page.fill('input[name="password"]', options.password);
+                        await page.click("button.ant-btn-primary");
+                    }
+                    // else: visible browser — user logs in manually
+                    // The OAuth2 callback will fire when login completes, resolving the promise above
                 }
-                // else: visible browser — user logs in manually
-                // The OAuth2 callback will fire when login completes, resolving the promise above
-            }
-            catch (err) {
-                clearTimeout(timeoutId);
-                server.close();
-                browser?.close();
-                reject(err);
-            }
+                catch (err) {
+                    clearTimeout(timeoutId);
+                    server.close();
+                    browser?.close();
+                    reject(err);
+                }
+            });
         });
+        // Step 5: Exchange authorization code for tokens (includes refresh_token)
+        const token = await exchangeCodeForToken(base, code, client.clientId, client.clientSecret, redirectUri, undefined, options?.tlsInsecure);
+        setCurrentPlatform(base);
+        return token;
     });
-    // Step 5: Exchange authorization code for tokens (includes refresh_token)
-    const token = await exchangeCodeForToken(base, code, client.clientId, client.clientSecret, redirectUri);
-    setCurrentPlatform(base);
-    return token;
 }
 function tokenNeedsRefresh(token) {
     if (!token.expiresAt) {
@@ -306,7 +375,7 @@ export async function refreshAccessToken(token) {
     });
     let response;
     try {
-        response = await fetch(url, {
+        response = await runWithTlsInsecure(token.tlsInsecure, () => fetch(url, {
             method: "POST",
             headers: {
                 Authorization: `Basic ${credentials}`,
@@ -314,7 +383,7 @@ export async function refreshAccessToken(token) {
                 Accept: "application/json",
             },
             body: body.toString(),
-        });
+        }));
     }
     catch (cause) {
         const hint = cause instanceof Error ? cause.message : String(cause);
@@ -346,6 +415,7 @@ export async function refreshAccessToken(token) {
         refreshToken: data.refresh_token ?? refreshToken,
         idToken: data.id_token ?? token.idToken ?? "",
         obtainedAt: now.toISOString(),
+        ...(token.tlsInsecure ? { tlsInsecure: true } : {}),
     };
     saveTokenConfig(newToken);
     return newToken;
@@ -486,6 +556,10 @@ export function formatHttpError(error) {
         ].join("\n").trim();
     }
     if (error instanceof Error) {
+        const cause = "cause" in error && error.cause instanceof Error ? error.cause.message : "";
+        if (cause && error.message === "fetch failed") {
+            return `${error.message}: ${cause}\nHint: use --insecure (-k) to skip TLS verification for self-signed certificates.`;
+        }
         return error.message;
     }
     return String(error);

package/dist/cli.js

@@ -1,3 +1,4 @@
+import { applyTlsEnvFromSavedTokens } from "./config/tls-env.js";
 import { runAgentCommand } from "./commands/agent.js";
 import { runAuthCommand } from "./commands/auth.js";
 import { runKnCommand } from "./commands/bkn.js";
@@ -14,7 +15,7 @@ Usage:
   kweaver --version | -V
   kweaver --help | -h
 
-  kweaver auth <platform-url> [--alias name] [-u user] [-p pass] [--playwright]
+  kweaver auth <platform-url> [--alias name] [-u user] [-p pass] [--playwright] [--insecure|-k]
   kweaver auth login <platform-url>          (alias for auth <url>)
   kweaver auth status [platform-url|alias]
   kweaver auth list
@@ -97,6 +98,7 @@ Commands:
   help           Show this message`);
 }
 export async function run(argv) {
+    applyTlsEnvFromSavedTokens();
     const [command, ...rest] = argv;
     if (command === "--version" || command === "-V" || command === "version") {
         const { createRequire } = await import("node:module");

package/dist/client.js

@@ -1,3 +1,4 @@
+import { applyTlsEnvFromSavedTokens } from "./config/tls-env.js";
 import { getCurrentPlatform, loadTokenConfig, } from "./config/store.js";
 import { ensureValidToken } from "./auth/oauth.js";
 import { AgentsResource } from "./resources/agents.js";
@@ -111,6 +112,7 @@ export class KWeaverClient {
      * ```
      */
     static async connect(opts = {}) {
+        applyTlsEnvFromSavedTokens();
         // Try with current token first
         let token = await ensureValidToken();
         const client = new KWeaverClient({

package/dist/commands/auth.js

@@ -4,19 +4,24 @@ export async function runAuthCommand(args) {
     const target = args[0];
     const rest = args.slice(1);
     if (!target || target === "--help" || target === "-h") {
-        console.log(`kweaver auth login <url> [--alias <name>] [-u user] [-p pass] [--playwright]
-kweaver auth <url>           Login (shorthand; same options as login)
-kweaver auth status [url|alias]
-kweaver auth list            List saved platforms
-kweaver auth use <url|alias> Switch active platform
-kweaver auth logout [url|alias]   Logout (clear local token)
-kweaver auth delete <url|alias>   Delete saved credentials
+        console.log(`kweaver auth login <url> [options]   Login to a platform (browser OAuth2 by default)
+kweaver auth <url>                   Login (shorthand; same options as login)
+kweaver auth status [url|alias]      Show current auth status
+kweaver auth list                    List saved platforms
+kweaver auth use <url|alias>         Switch active platform
+kweaver auth logout [url|alias]      Logout (clear local token)
+kweaver auth delete <url|alias>      Delete saved credentials
 
-Login options (browser OAuth2 by default; use -u/-p for headless Playwright):
-  --alias <name>   Short name for this platform (use with auth use / status / logout)
-  -u, --username   Username (with -p triggers Playwright login)
-  -p, --password   Password
-  --playwright     Force browser (Playwright) login even without -u/-p`);
+Login options:
+  --alias <name>         Save platform with a short alias (use with use / status / logout)
+  --client-id <id>       Use an existing OAuth2 client ID instead of registering a new one.
+                         Use the platform's web app client ID to get the same permissions
+                         as the browser. Find it in DevTools: /oauth2/auth?client_id=<id>
+  --client-secret <s>    Client secret (omit for public/PKCE clients)
+  -u, --username         Username (with -p triggers Playwright headless login)
+  -p, --password         Password
+  --playwright           Force Playwright browser login even without -u/-p
+  --insecure, -k         Skip TLS certificate verification (self-signed / dev HTTPS only)`);
         return 0;
     }
     if (target === "login") {
@@ -38,21 +43,33 @@ Login options (browser OAuth2 by default; use -u/-p for headless Playwright):
             const username = readOption(args, "--username") ?? readOption(args, "-u");
             const password = readOption(args, "--password") ?? readOption(args, "-p");
             const usePlaywright = args.includes("--playwright");
+            const clientId = readOption(args, "--client-id");
+            const clientSecret = readOption(args, "--client-secret");
+            const tlsInsecure = args.includes("--insecure") || args.includes("-k");
             let token;
             if (username && password) {
                 // Headless Playwright login with credentials
                 console.log("Logging in (headless)...");
-                token = await playwrightLogin(normalizedTarget, { username, password });
+                token = await playwrightLogin(normalizedTarget, { username, password, tlsInsecure });
             }
             else if (usePlaywright) {
                 // Explicit Playwright fallback
                 console.log("Opening browser for login (Playwright)...");
-                token = await playwrightLogin(normalizedTarget);
+                token = await playwrightLogin(normalizedTarget, { tlsInsecure });
             }
             else {
                 // Default: OAuth2 authorization code flow (supports refresh_token)
-                console.log("Opening browser for OAuth2 login...");
-                token = await oauth2Login(normalizedTarget);
+                if (clientId) {
+                    console.log(`Opening browser for OAuth2 login (client: ${clientId})...`);
+                }
+                else {
+                    console.log("Opening browser for OAuth2 login...");
+                }
+                token = await oauth2Login(normalizedTarget, {
+                    clientId: clientId ?? undefined,
+                    clientSecret: clientSecret ?? undefined,
+                    tlsInsecure,
+                });
             }
             if (alias) {
                 setPlatformAlias(normalizedTarget, alias);
@@ -106,6 +123,9 @@ Login options (browser OAuth2 by default; use -u/-p for headless Playwright):
             `Token present: yes`,
         ];
         lines.push(`Refresh token: ${token.refreshToken ? "yes (auto-refresh enabled)" : "no"}`);
+        if (token.tlsInsecure) {
+            lines.push(`TLS: certificate verification disabled (saved; dev only)`);
+        }
         if (token.expiresAt) {
             const expiry = new Date(token.expiresAt);
             const remainingMs = expiry.getTime() - Date.now();