@kweaver-ai/kweaver-sdk 0.6.5 → 0.6.6

package/README.md

@@ -153,8 +153,8 @@ const skillMd = await client.skills.fetchContent("skill-id");
 ## CLI Reference
 
 ```
-kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--playwright] [--insecure|-k]
-# -u/-p: tries HTTP /oauth2/signin first (refresh_token). If studioweb is missing: falls back to Playwright when installed, else prints install hint. --http-signin: HTTP only. --playwright: force browser automation.
+kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--insecure|-k]
+# -u/-p (with or without --http-signin): HTTP POST /oauth2/signin (yields refresh_token). Missing -u/-p are prompted from stdin (password hidden when TTY).
 kweaver auth login <url> --client-id ID --client-secret S --refresh-token T   (headless login)
 kweaver auth export [url|alias] [--json]   (export command to run on a headless host)
 kweaver auth status / whoami [url|alias] [--json]   # whoami: --json; with KWEAVER_BASE_URL+KWEAVER_TOKEN when no ~/.kweaver/ platform

package/README.zh.md

@@ -146,8 +146,8 @@ const skillMd = await client.skills.fetchContent("skill-id");
 ## 命令速查
 
 ```
-kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--playwright] [--insecure|-k]
-# -u/-p：默认先试 HTTP /oauth2/signin（可拿 refresh_token）；无 studioweb 时：已装 Playwright 则回退无头浏览器，否则提示安装 Playwright；--http-signin 仅 HTTP；--playwright 强制浏览器
+kweaver auth login <url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--insecure|-k]
+# -u/-p（无论是否带 --http-signin）：HTTP POST /oauth2/signin（可拿 refresh_token）；缺失的用户名/密码会从 stdin 提示输入（TTY 下密码隐藏）
 kweaver auth login <url> --client-id ID --client-secret S --refresh-token T   (无浏览器登录)
 kweaver auth export [url|alias] [--json]   (导出在无浏览器机器上运行的命令)
 kweaver auth status / whoami [url|alias] [--json]   # whoami 支持 --json；无 ~/.kweaver/ 当前平台时可配 KWEAVER_BASE_URL+KWEAVER_TOKEN

package/dist/auth/oauth.d.ts

@@ -32,6 +32,40 @@ export declare function normalizeBaseUrl(value: string): string;
  */
 /** @internal Exported for CLI env-only identity resolution (`env-snapshot.ts`). */
 export declare function runWithTlsInsecure<T>(tlsInsecure: boolean | undefined, fn: () => Promise<T>): Promise<T>;
+/**
+ * Headless login: read authorization code from stdin (full callback URL or raw code).
+ * Used with `--no-browser` or when automatic browser launch fails.
+ *
+ * `io` is injectable for tests; defaults to `process.stdin` / `process.stderr`.
+ */
+export declare function promptForCode(authUrl: string, state: string, port: number, pasteMode?: "explicit" | "fallback", io?: {
+    input?: NodeJS.ReadableStream;
+    output?: NodeJS.WritableStream;
+}): Promise<string>;
+/**
+ * Prompt the user for a username on stderr (input echoed).
+ *
+ * `io` is injectable for tests; defaults to `process.stdin` / `process.stderr`.
+ */
+export declare function promptForUsername(promptLabel?: string, io?: {
+    input?: NodeJS.ReadableStream;
+    output?: NodeJS.WritableStream;
+}): Promise<string>;
+/**
+ * Prompt the user for a password on stderr without echoing keystrokes (TTY only).
+ *
+ * Falls back to a regular readline prompt when stdin is not a TTY (e.g. piped input
+ * during scripted use); callers needing strict no-echo should detect this case themselves.
+ *
+ * `io` is injectable for tests.
+ */
+export declare function promptForPassword(promptLabel?: string, io?: {
+    input?: NodeJS.ReadableStream & {
+        isTTY?: boolean;
+        setRawMode?: (mode: boolean) => unknown;
+    };
+    output?: NodeJS.WritableStream;
+}): Promise<string>;
 /**
  * OAuth2 Authorization Code login flow.
  * 1. Register client (if not already registered), OR use a provided client ID
@@ -53,24 +87,6 @@ export declare function oauth2Login(baseUrl: string, options?: {
      */
     noBrowser?: boolean;
 }): Promise<TokenConfig>;
-/**
- * Playwright-automated OAuth2 login.
- *
- * Uses the full OAuth2 authorization code flow (same as `oauth2Login`) but
- * automates the browser interaction with Playwright.  This produces a
- * refresh_token so the CLI can auto-refresh without re-login.
- *
- * When `username` and `password` are provided the browser runs headless and
- * fills the login form automatically.  Otherwise it opens a visible browser
- * window for manual login (same UX as the old cookie-based flow).
- */
-export declare function playwrightLogin(baseUrl: string, options?: {
-    username?: string;
-    password?: string;
-    port?: number;
-    scope?: string;
-    tlsInsecure?: boolean;
-}): Promise<TokenConfig>;
 /**
  * Parse Next.js `__NEXT_DATA__` from the OAuth2 sign-in HTML shell (CSRF + optional challenge/remember for POST /oauth2/signin).
  * Hydra `login_challenge` may appear only in the sign-in URL; use that when `pageProps.challenge` is absent.
@@ -83,10 +99,25 @@ export declare function parseSigninPageHtmlProps(html: string): {
     rsaPublicKeyMaterial?: string;
 };
 /**
- * True when {@link oauth2PasswordSigninLogin} failed because the Studio web sign-in shell
- * (`/interface/studioweb/login`) is missing or unreachable — callers may fall back to Playwright.
+ * Build the JSON body for `POST /oauth2/signin` (matches the browser `oauth2-ui` form).
+ *
+ * `device.client_type` MUST be a value present in the EACP whitelist defined by
+ * `kweaver/deploy/auto_cofig/auto_config.sh`. `console_web` is the canonical CLI value
+ * (also used by `kweaver-admin`); other values such as `unknown` are rejected by strict
+ * deployments with `管理员已禁止此类客户端登录` — surfaced upstream as a `request_forbidden`
+ * `No CSRF value available in the session cookie` error after Hydra discards the rejected
+ * login challenge.
+ *
+ * `vcode` and `dualfactorauthinfo` must be present even when empty; otherwise eachttpserver
+ * returns HTTP 400 (invalid parameter).
  */
-export declare function isStudiowebShellUnavailableError(err: unknown): boolean;
+export declare function buildOauth2SigninPostBody(opts: {
+    csrftoken: string;
+    challenge: string;
+    account: string;
+    passwordCipher: string;
+    remember: boolean;
+}): Record<string, unknown>;
 /**
  * OAuth2 Authorization Code login using HTTP **only**: `GET /oauth2/signin` (Next.js shell) and
  * `POST /oauth2/signin` with an RSA PKCS#1 v1.5–encrypted password (same as the browser `rsa.min` / Studio

package/dist/auth/oauth.js

@@ -463,23 +463,36 @@ function stderrEmphasis(text) {
 /**
  * Headless login: read authorization code from stdin (full callback URL or raw code).
  * Used with `--no-browser` or when automatic browser launch fails.
+ *
+ * `io` is injectable for tests; defaults to `process.stdin` / `process.stderr`.
  */
-async function promptForCode(authUrl, state, port, pasteMode = "explicit") {
+export async function promptForCode(authUrl, state, port, pasteMode = "explicit", io) {
     const { createInterface } = await import("node:readline");
+    const stdin = io?.input ?? process.stdin;
+    const stderr = io?.output ?? process.stderr;
     const intro = pasteMode === "explicit"
         ? "Open this URL on any device (use a private/incognito window if you need the full sign-in form):\n\n"
         : "Could not open a browser automatically. Open this URL on any device:\n\n";
     const pasteInstructions = "After login, the browser may show an error page (this is expected if nothing listens on localhost).\n" +
         "Copy the FULL URL from the address bar and paste it here, or paste only the authorization code.\n" +
         `The URL looks like: http://127.0.0.1:${port}/callback?code=THIS_PART&state=...\n\n`;
-    process.stderr.write("\n" +
+    stderr.write("\n" +
         intro +
         `  ${authUrl}\n\n` +
         stderrEmphasis(pasteInstructions));
-    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    const rl = createInterface({ input: stdin, output: stderr });
+    // The `close` listener exists to surface Ctrl-D / EOF before the user answers.
+    // It MUST be a no-op once the question callback has fired, because `rl.close()`
+    // emits `close` synchronously and would otherwise reject the promise before
+    // `resolve(answer)` runs (race condition that turns valid input into "Login cancelled.").
     const input = await new Promise((resolve, reject) => {
-        rl.on("close", () => reject(new Error("Login cancelled.")));
+        let answered = false;
+        rl.on("close", () => {
+            if (!answered)
+                reject(new Error("Login cancelled."));
+        });
         rl.question("Paste URL or code> ", (answer) => {
+            answered = true;
             rl.close();
             resolve(answer.trim());
         });
@@ -512,6 +525,128 @@ async function promptForCode(authUrl, state, port, pasteMode = "explicit") {
     }
     return input;
 }
+/**
+ * Prompt the user for a username on stderr (input echoed).
+ *
+ * `io` is injectable for tests; defaults to `process.stdin` / `process.stderr`.
+ */
+export async function promptForUsername(promptLabel = "Username", io) {
+    const { createInterface } = await import("node:readline");
+    const stdin = io?.input ?? process.stdin;
+    const stderr = io?.output ?? process.stderr;
+    const rl = createInterface({ input: stdin, output: stderr });
+    const value = await new Promise((resolve, reject) => {
+        let answered = false;
+        rl.on("close", () => {
+            if (!answered)
+                reject(new Error("Login cancelled."));
+        });
+        rl.question(`${promptLabel}: `, (answer) => {
+            answered = true;
+            rl.close();
+            resolve(answer.trim());
+        });
+    });
+    if (!value) {
+        throw new Error(`${promptLabel} is required.`);
+    }
+    return value;
+}
+/**
+ * Prompt the user for a password on stderr without echoing keystrokes (TTY only).
+ *
+ * Falls back to a regular readline prompt when stdin is not a TTY (e.g. piped input
+ * during scripted use); callers needing strict no-echo should detect this case themselves.
+ *
+ * `io` is injectable for tests.
+ */
+export async function promptForPassword(promptLabel = "Password", io) {
+    const stdin = io?.input ?? process.stdin;
+    const stderr = io?.output ?? process.stderr;
+    // Non-TTY (piped, redirected, tests): use regular readline — no masking is possible
+    // without raw mode, so we accept echoed input rather than block forever.
+    if (!stdin.isTTY || typeof stdin.setRawMode !== "function") {
+        const { createInterface } = await import("node:readline");
+        const rl = createInterface({ input: stdin, output: stderr });
+        const value = await new Promise((resolve, reject) => {
+            let answered = false;
+            rl.on("close", () => {
+                if (!answered)
+                    reject(new Error("Login cancelled."));
+            });
+            rl.question(`${promptLabel}: `, (answer) => {
+                answered = true;
+                rl.close();
+                resolve(answer);
+            });
+        });
+        if (!value)
+            throw new Error(`${promptLabel} is required.`);
+        return value;
+    }
+    // TTY: read byte-by-byte in raw mode so keystrokes are not echoed.
+    return new Promise((resolve, reject) => {
+        stderr.write(`${promptLabel}: `);
+        let buf = "";
+        const onData = (chunk) => {
+            const s = chunk.toString("utf8");
+            for (const ch of s) {
+                const code = ch.charCodeAt(0);
+                if (ch === "\n" || ch === "\r") {
+                    cleanup();
+                    stderr.write("\n");
+                    if (!buf) {
+                        reject(new Error(`${promptLabel} is required.`));
+                    }
+                    else {
+                        resolve(buf);
+                    }
+                    return;
+                }
+                if (code === 3) {
+                    // Ctrl-C
+                    cleanup();
+                    stderr.write("\n");
+                    reject(new Error("Login cancelled."));
+                    return;
+                }
+                if (code === 4 && buf.length === 0) {
+                    // Ctrl-D on empty buffer -> cancel
+                    cleanup();
+                    stderr.write("\n");
+                    reject(new Error("Login cancelled."));
+                    return;
+                }
+                if (code === 8 || code === 127) {
+                    // Backspace / DEL
+                    buf = buf.slice(0, -1);
+                    continue;
+                }
+                if (code < 32)
+                    continue; // ignore other control chars
+                buf += ch;
+            }
+        };
+        const cleanup = () => {
+            try {
+                stdin.setRawMode(false);
+            }
+            catch { /* noop */ }
+            stdin.removeListener("data", onData);
+            if (typeof stdin.pause === "function") {
+                stdin.pause();
+            }
+        };
+        try {
+            stdin.setRawMode(true);
+        }
+        catch { /* noop */ }
+        if (typeof stdin.resume === "function") {
+            stdin.resume();
+        }
+        stdin.on("data", onData);
+    });
+}
 /**
  * OAuth2 Authorization Code login flow.
  * 1. Register client (if not already registered), OR use a provided client ID
@@ -755,174 +890,6 @@ async function exchangeCodeForToken(baseUrl, code, clientId, clientSecret, redir
     saveTokenConfig(token);
     return token;
 }
-/**
- * Playwright-automated OAuth2 login.
- *
- * Uses the full OAuth2 authorization code flow (same as `oauth2Login`) but
- * automates the browser interaction with Playwright.  This produces a
- * refresh_token so the CLI can auto-refresh without re-login.
- *
- * When `username` and `password` are provided the browser runs headless and
- * fills the login form automatically.  Otherwise it opens a visible browser
- * window for manual login (same UX as the old cookie-based flow).
- */
-export async function playwrightLogin(baseUrl, options) {
-    return runWithTlsInsecure(options?.tlsInsecure, async () => {
-        const { createServer } = await import("node:http");
-        const { randomBytes } = await import("node:crypto");
-        let chromium;
-        try {
-            const modName = "playwright";
-            const pw = await import(/* webpackIgnore: true */ modName);
-            chromium = pw.chromium;
-        }
-        catch {
-            throw new Error("Playwright is not installed. Run:\n  npm install playwright && npx playwright install chromium");
-        }
-        const base = normalizeBaseUrl(baseUrl);
-        const port = options?.port ?? DEFAULT_REDIRECT_PORT;
-        const scope = options?.scope ?? DEFAULT_SCOPE;
-        const redirectUri = `http://127.0.0.1:${port}/callback`;
-        const hasCredentials = !!(options?.username && options?.password);
-        // Step 1: Ensure registered OAuth2 client (with stale-client auto-recovery)
-        let client;
-        try {
-            client = await resolveOrRegisterClient(base, redirectUri, scope);
-        }
-        catch (e) {
-            if (e instanceof HttpError && e.status === 404) {
-                process.stderr.write("OAuth2 endpoint not found (404). Saving platform in no-auth mode.\n");
-                return saveNoAuthPlatform(base, { tlsInsecure: options?.tlsInsecure });
-            }
-            throw e;
-        }
-        // Step 2: Generate CSRF state
-        const state = randomBytes(12).toString("hex");
-        // Step 3: Build authorization URL
-        const authParams = new URLSearchParams({
-            redirect_uri: redirectUri,
-            "x-forwarded-prefix": "",
-            client_id: client.clientId,
-            scope,
-            response_type: "code",
-            state,
-            lang: "zh-cn",
-            product: "adp",
-        });
-        const authUrl = `${base}/oauth2/auth?${authParams.toString()}`;
-        // Step 4: Start local callback server; exchange code inside handler, then show credentials HTML
-        let browser;
-        const token = await new Promise((resolve, reject) => {
-            const TIMEOUT_MS = hasCredentials ? 30_000 : 120_000;
-            let server;
-            const timeoutId = setTimeout(() => {
-                server?.close();
-                browser?.close();
-                reject(new Error(`OAuth2 login timed out (${TIMEOUT_MS / 1000}s). No authorization code received.`));
-            }, TIMEOUT_MS);
-            server = createServer((req, res) => {
-                void (async () => {
-                    try {
-                        const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
-                        if (url.pathname !== "/callback") {
-                            res.writeHead(404);
-                            res.end();
-                            return;
-                        }
-                        const receivedState = url.searchParams.get("state");
-                        const receivedCode = url.searchParams.get("code");
-                        const callbackError = url.searchParams.get("error");
-                        const callbackErrorDesc = url.searchParams.get("error_description");
-                        if (receivedState !== state) {
-                            res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
-                            res.end(buildCallbackExchangeErrorHtml("OAuth2 state mismatch — possible CSRF attack."));
-                            clearTimeout(timeoutId);
-                            server.close();
-                            browser?.close();
-                            reject(new Error("OAuth2 state mismatch — possible CSRF attack."));
-                            return;
-                        }
-                        if (callbackError) {
-                            const msg = callbackErrorDesc
-                                ? `Authorization failed: ${callbackError} — ${callbackErrorDesc}`
-                                : `Authorization failed: ${callbackError}`;
-                            res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
-                            res.end(buildCallbackExchangeErrorHtml(msg));
-                            clearTimeout(timeoutId);
-                            server.close();
-                            browser?.close();
-                            reject(new Error(msg));
-                            return;
-                        }
-                        if (!receivedCode) {
-                            res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
-                            res.end(buildCallbackExchangeErrorHtml("No authorization code received in callback."));
-                            clearTimeout(timeoutId);
-                            server.close();
-                            browser?.close();
-                            reject(new Error("No authorization code received in callback."));
-                            return;
-                        }
-                        const exchanged = await exchangeCodeForToken(base, receivedCode, client.clientId, client.clientSecret, redirectUri, undefined, options?.tlsInsecure);
-                        const copyCommand = buildCopyCommand(base, client.clientId, client.clientSecret, exchanged.refreshToken, options?.tlsInsecure);
-                        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-                        res.end(buildCallbackHtml(copyCommand));
-                        clearTimeout(timeoutId);
-                        server.close();
-                        browser?.close();
-                        resolve(exchanged);
-                    }
-                    catch (err) {
-                        const message = err instanceof Error ? err.message : String(err);
-                        try {
-                            res.writeHead(500, { "Content-Type": "text/html; charset=utf-8" });
-                            res.end(buildCallbackExchangeErrorHtml(message));
-                        }
-                        catch {
-                            /* response may already be sent */
-                        }
-                        clearTimeout(timeoutId);
-                        server.close();
-                        browser?.close();
-                        reject(err instanceof Error ? err : new Error(message));
-                    }
-                })();
-            });
-            server.listen(port, "127.0.0.1", async () => {
-                try {
-                    browser = await chromium.launch({ headless: hasCredentials });
-                    const context = await browser.newContext({ ignoreHTTPSErrors: !!options?.tlsInsecure });
-                    const page = await context.newPage();
-                    // Navigate to OAuth2 auth URL — redirects to signin page
-                    await page.goto(authUrl, { waitUntil: "networkidle", timeout: 30_000 });
-                    if (hasCredentials) {
-                        // Auto-fill credentials
-                        await page.waitForSelector('input[name="account"]', { timeout: 10_000 });
-                        await page.fill('input[name="account"]', options.username);
-                        await page.fill('input[name="password"]', options.password);
-                        await page.click("button.ant-btn-primary");
-                    }
-                    // else: visible browser — user logs in manually
-                    // The OAuth2 callback will fire when login completes, resolving the promise above
-                }
-                catch (err) {
-                    clearTimeout(timeoutId);
-                    server.close();
-                    browser?.close();
-                    reject(err);
-                }
-            });
-        });
-        if (hasCredentials) {
-            const copyCommand = buildCopyCommand(base, client.clientId, client.clientSecret, token.refreshToken, options?.tlsInsecure);
-            process.stderr.write("\nHeadless login: copy this command and run it on a machine without a browser, or use `kweaver auth export`:\n\n" +
-                copyCommand +
-                "\n\n");
-        }
-        setCurrentPlatform(base);
-        return token;
-    });
-}
 function mergeCookieJarForSignin(existing, response) {
     const setCookies = typeof response.headers.getSetCookie === "function"
         ? response.headers.getSetCookie()
@@ -1041,7 +1008,7 @@ async function followSigninRedirectsUntilCallback(startUrl, initialJar, state, r
                 return consentResult;
             }
             throw new Error(`Unexpected OAuth page (HTTP 200) at ${url.slice(0, 120)}… ` +
-                `If this is a consent or MFA screen, use browser login or Playwright.`);
+                `If this is a consent or MFA screen, use browser login (kweaver auth login <url>).`);
         }
         const text = await resp.text().catch(() => "");
         throw new HttpError(resp.status, resp.statusText, text);
@@ -1094,17 +1061,38 @@ async function tryAcceptConsentAfterSignin(base, pageUrl, html, jar, scope, stat
     }
     return null;
 }
-const STUDIOWEB_SHELL_UNAVAILABLE_SNIPPETS = [
-    "Studioweb signin endpoint not available",
-    "Cannot reach studioweb signin endpoint",
-];
 /**
- * True when {@link oauth2PasswordSigninLogin} failed because the Studio web sign-in shell
- * (`/interface/studioweb/login`) is missing or unreachable — callers may fall back to Playwright.
+ * Build the JSON body for `POST /oauth2/signin` (matches the browser `oauth2-ui` form).
+ *
+ * `device.client_type` MUST be a value present in the EACP whitelist defined by
+ * `kweaver/deploy/auto_cofig/auto_config.sh`. `console_web` is the canonical CLI value
+ * (also used by `kweaver-admin`); other values such as `unknown` are rejected by strict
+ * deployments with `管理员已禁止此类客户端登录` — surfaced upstream as a `request_forbidden`
+ * `No CSRF value available in the session cookie` error after Hydra discards the rejected
+ * login challenge.
+ *
+ * `vcode` and `dualfactorauthinfo` must be present even when empty; otherwise eachttpserver
+ * returns HTTP 400 (invalid parameter).
  */
-export function isStudiowebShellUnavailableError(err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    return STUDIOWEB_SHELL_UNAVAILABLE_SNIPPETS.some((s) => msg.includes(s));
+export function buildOauth2SigninPostBody(opts) {
+    return {
+        _csrf: opts.csrftoken,
+        challenge: opts.challenge,
+        account: opts.account,
+        password: opts.passwordCipher,
+        vcode: { id: "", content: "" },
+        dualfactorauthinfo: {
+            validcode: { vcode: "" },
+            OTP: { OTP: "" },
+        },
+        remember: opts.remember,
+        device: {
+            name: "",
+            description: "",
+            client_type: "console_web",
+            udids: [],
+        },
+    };
 }
 /**
  * OAuth2 Authorization Code login using HTTP **only**: `GET /oauth2/signin` (Next.js shell) and
@@ -1127,27 +1115,10 @@ export async function oauth2PasswordSigninLogin(baseUrl, options) {
             (typeof process.env.KWEAVER_OAUTH_PRODUCT === "string" && process.env.KWEAVER_OAUTH_PRODUCT.trim()
                 ? process.env.KWEAVER_OAUTH_PRODUCT.trim()
                 : "adp");
-        // Pre-flight: verify studioweb signin shell exists (same entry as deploy auto_config.sh get_token).
-        // If the deployment lacks studioweb, abort before OAuth client registration.
-        const studiowebProbeUrl = `${base}/interface/studioweb/login?lang=zh-cn&state=${encodeURIComponent(state)}` +
-            `&x-forwarded-prefix=&integrated=false&product=${encodeURIComponent(oauthProduct)}&_t=${Date.now()}`;
-        let probeResp;
-        try {
-            probeResp = await fetch(studiowebProbeUrl, { method: "GET", redirect: "manual" });
-        }
-        catch (cause) {
-            throw new Error(`Cannot reach studioweb signin endpoint at ${base}/interface/studioweb/login. ` +
-                `The deployment may not include studioweb. Use \`kweaver auth login ${base}\` ` +
-                `(OAuth code flow) instead.\n  Cause: ${cause instanceof Error ? cause.message : String(cause)}`);
-        }
-        const probeOk2xx = probeResp.status >= 200 && probeResp.status < 300;
-        const probeOkRedirect = [301, 302, 303, 307, 308].includes(probeResp.status);
-        await probeResp.text().catch(() => "");
-        if (!probeOk2xx && !probeOkRedirect) {
-            throw new Error(`Studioweb signin endpoint not available at ${base}/interface/studioweb/login ` +
-                `(HTTP ${probeResp.status}). The deployment may not include studioweb. ` +
-                `Use \`kweaver auth login ${base}\` (OAuth code flow) instead.`);
-        }
+        // Note: previously we pre-flighted `/interface/studioweb/login` to detect deployments
+        // missing the Studio web shell. The probe added an extra round-trip and was unreliable
+        // (see kweaver-admin which works fine without it). HTTP sign-in only needs `/oauth2/auth`
+        // and `/oauth2/signin`; if either is missing the request below will surface a precise error.
         let client;
         try {
             client = await resolveOrRegisterClient(base, redirectUri, scope, {
@@ -1231,26 +1202,13 @@ export async function oauth2PasswordSigninLogin(baseUrl, options) {
             : options.signinPasswordBase64Plain === false
                 ? false
                 : process.env.KWEAVER_SIGNIN_PASSWORD_B64_RSA_MIN !== "1";
-        // Body shape matches browser `POST /oauth2/signin` (EACP / oauth2-ui); omitting vcode/dualfactorauthinfo
-        // causes 400 from eachttpserver (invalid parameter).
-        const postBody = {
-            _csrf: csrftoken,
+        const postBody = buildOauth2SigninPostBody({
+            csrftoken,
             challenge: loginChallenge,
             account: options.username,
-            password: "",
-            vcode: { id: "", content: "" },
-            dualfactorauthinfo: {
-                validcode: { vcode: "" },
-                OTP: { OTP: "" },
-            },
+            passwordCipher: "",
             remember,
-            device: {
-                name: "",
-                description: "",
-                client_type: "unknown",
-                udids: [],
-            },
-        };
+        });
         const origin = new URL(base).origin;
         /** Some gateways (e.g. DIP) return HTTP 200 + `{"redirect":"..."}` instead of 3xx Location. */
         let signinRedirectFromJson;

package/dist/cli.js

@@ -23,7 +23,7 @@ Usage:
   kweaver --version | -V
   kweaver --help | -h
 
-  kweaver auth <platform-url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--playwright] [--insecure|-k]
+  kweaver auth <platform-url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--insecure|-k]
   kweaver auth login <platform-url>          (alias for auth <url>)
   kweaver auth login <url> --client-id ID --client-secret S --refresh-token T   (run on host without browser)
   kweaver auth whoami [platform-url|alias] [--json]

package/dist/commands/auth.js

@@ -1,18 +1,7 @@
 import { isNoAuth } from "../config/no-auth.js";
 import { autoSelectBusinessDomain, clearPlatformSession, deletePlatform, deleteUser, getActiveUser, getConfigDir, getCurrentPlatform, getPlatformAlias, hasPlatform, listPlatforms, listUserProfiles, loadClientConfig, loadTokenConfig, resolveBusinessDomain, resolvePlatformIdentifier, resolveUserId, saveNoAuthPlatform, setActiveUser, setCurrentPlatform, setPlatformAlias, } from "../config/store.js";
 import { decodeJwtPayload } from "../config/jwt.js";
-import { buildCopyCommand, formatHttpError, isStudiowebShellUnavailableError, normalizeBaseUrl, oauth2Login, oauth2PasswordSigninLogin, playwrightLogin, refreshTokenLogin, } from "../auth/oauth.js";
-/** True when the `playwright` npm package can be imported (browser binaries may still need `npx playwright install`). */
-async function isPlaywrightPackageResolvable() {
-    try {
-        const modName = "playwright";
-        await import(/* webpackIgnore: true */ modName);
-        return true;
-    }
-    catch {
-        return false;
-    }
-}
+import { buildCopyCommand, formatHttpError, normalizeBaseUrl, oauth2Login, oauth2PasswordSigninLogin, promptForUsername, promptForPassword, refreshTokenLogin, } from "../auth/oauth.js";
 export async function runAuthCommand(args) {
     const target = args[0];
     const rest = args.slice(1);
@@ -39,24 +28,24 @@ Login options:
                          Requires --client-id and --client-secret.
                          Get these from the callback page after browser login or \`auth export\`.
   --port <n>             Local callback port (default: 9010). Use when 9010 is occupied.
-  --no-browser           Do not open a browser; print the auth URL and prompt for the callback URL or code (stdin).
-                         Use on headless servers or when automatic browser launch fails.
-  -u, --username         Username (with -p: tries HTTP /oauth2/signin first when the Studio web shell is available)
-  -p, --password         Password (with -u: falls back to Playwright headless only when studioweb is unavailable and Playwright is installed)
-  --http-signin          With -u/-p: HTTP POST /oauth2/signin only (no Playwright fallback). Uses the built-in RSA public key.
-  --playwright           With -u/-p: force Playwright (skip HTTP sign-in). Without -u/-p: open Playwright for manual login.
+  --no-browser           Do not open a browser. Without -u/-p: print the auth URL and prompt for the
+                         callback URL or code (stdin). With -u and/or -p: route through HTTP sign-in
+                         (any missing credential is prompted; password is hidden when stdin is a TTY).
+  -u, --username         Username for HTTP /oauth2/signin (POST). If -p is omitted, password is prompted.
+  -p, --password         Password for HTTP /oauth2/signin (POST). If -u is omitted, username is prompted.
+  --http-signin          Force HTTP /oauth2/signin (no browser). Missing -u/-p are prompted from stdin.
   --insecure, -k         Skip TLS certificate verification (self-signed / dev HTTPS only)
   --no-auth              Save platform without OAuth (servers with no authentication). Same as detecting OAuth 404 during login.`);
         return 0;
     }
     if (target === "login") {
         if (rest[0] === "--help" || rest[0] === "-h") {
-            console.log(`kweaver auth login <platform-url> [--alias <name>] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--playwright] [--refresh-token T --client-id ID --client-secret S]`);
+            console.log(`kweaver auth login <platform-url> [--alias <name>] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--refresh-token T --client-id ID --client-secret S]`);
             return 0;
         }
         const url = rest[0];
         if (!url || url.startsWith("-")) {
-            console.error("Usage: kweaver auth login <platform-url> [--alias <name>] [-u user] [-p pass] [--playwright]");
+            console.error("Usage: kweaver auth login <platform-url> [--alias <name>] [-u user] [-p pass]");
             return 1;
         }
         return runAuthCommand([url, ...rest.slice(1)]);
@@ -78,9 +67,8 @@ Login options:
         try {
             const normalizedTarget = normalizeBaseUrl(target);
             const alias = readOption(args, "--alias");
-            const username = readOption(args, "--username") ?? readOption(args, "-u");
-            const password = readOption(args, "--password") ?? readOption(args, "-p");
-            const usePlaywright = args.includes("--playwright");
+            let username = readOption(args, "--username") ?? readOption(args, "-u");
+            let password = readOption(args, "--password") ?? readOption(args, "-p");
             const httpSignin = args.includes("--http-signin");
             const oauthProduct = readOption(args, "--oauth-product");
             const signinPublicKeyFile = readOption(args, "--signin-public-key-file");
@@ -101,7 +89,7 @@ Login options:
                 "--http-signin",
                 "--oauth-product",
                 "--signin-public-key-file",
-                "--playwright", "--insecure", "-k", "--no-auth", "--redirect-uri",
+                "--insecure", "-k", "--no-auth", "--redirect-uri",
             ]);
             const KNOWN_VALUE_FLAGS = new Set([
                 "--alias", "--client-id", "--client-secret", "--refresh-token",
@@ -130,30 +118,34 @@ Login options:
             if (noAuth && noBrowser) {
                 console.error("--no-auth does not require a browser; --no-browser is ignored.");
             }
-            if (noAuth && (username || password || usePlaywright || httpSignin)) {
-                console.error("--no-auth cannot be used with Playwright login, HTTP sign-in, or -u/-p.");
+            if (noAuth && (username || password || httpSignin)) {
+                console.error("--no-auth cannot be used with HTTP sign-in or -u/-p.");
                 return 1;
             }
-            if (noBrowser && (username || password || usePlaywright || httpSignin)) {
-                console.error("--no-browser cannot be used with Playwright login, HTTP sign-in, or -u/-p.");
-                return 1;
-            }
-            if (httpSignin && usePlaywright) {
-                console.error("--http-signin cannot be used with --playwright.");
-                return 1;
+            if (noBrowser && httpSignin) {
+                // HTTP sign-in already runs without a browser; --no-browser is a no-op signal here.
+                console.error("--http-signin already runs without a browser; --no-browser is redundant and ignored.");
             }
             if (httpSignin && refreshToken) {
                 console.error("--http-signin cannot be used with --refresh-token.");
                 return 1;
             }
-            if (httpSignin && (!username || !password)) {
-                console.error("--http-signin requires -u/--username and -p/--password.");
-                return 1;
-            }
             if (noBrowser && refreshToken) {
                 console.error("--no-browser cannot be used with --refresh-token.");
                 return 1;
             }
+            // Headless credential login: if the user signalled HTTP sign-in (--http-signin,
+            // or partial -u/-p, or --no-browser combined with -u/-p) but didn't provide both
+            // credentials inline, prompt for the missing one(s) on stderr. Password is read
+            // without echo when stdin is a TTY.
+            const wantsCredentialLogin = !noAuth && !refreshToken &&
+                (httpSignin || (noBrowser && (username || password)) || (!!username !== !!password));
+            if (wantsCredentialLogin) {
+                if (!username)
+                    username = await promptForUsername("Username");
+                if (!password)
+                    password = await promptForPassword("Password");
+            }
             let token;
             if (noAuth) {
                 token = saveNoAuthPlatform(normalizedTarget, { tlsInsecure });
@@ -182,17 +174,9 @@ Login options:
                     signinPublicKeyPemPath: signinPublicKeyFile ?? undefined,
                 });
             }
-            else if (username && password && usePlaywright) {
-                console.log("Logging in (headless, Playwright)...");
-                token = await playwrightLogin(normalizedTarget, {
-                    username,
-                    password,
-                    tlsInsecure,
-                    port: customPort,
-                });
-            }
             else if (username && password) {
-                const signinOpts = {
+                console.log("Logging in (HTTP /oauth2/signin)...");
+                token = await oauth2PasswordSigninLogin(normalizedTarget, {
                     username,
                     password,
                     tlsInsecure,
@@ -201,39 +185,6 @@ Login options:
                     clientSecret: clientSecret ?? undefined,
                     oauthProduct: oauthProduct ?? undefined,
                     signinPublicKeyPemPath: signinPublicKeyFile ?? undefined,
-                };
-                console.log("Logging in (HTTP /oauth2/signin)...");
-                try {
-                    token = await oauth2PasswordSigninLogin(normalizedTarget, signinOpts);
-                }
-                catch (err) {
-                    if (!isStudiowebShellUnavailableError(err)) {
-                        throw err;
-                    }
-                    const playwrightOk = await isPlaywrightPackageResolvable();
-                    if (playwrightOk) {
-                        process.stderr.write("Studio web sign-in shell is not available; falling back to Playwright headless login.\n");
-                        console.log("Logging in (headless, Playwright)...");
-                        token = await playwrightLogin(normalizedTarget, {
-                            username,
-                            password,
-                            tlsInsecure,
-                            port: customPort,
-                        });
-                    }
-                    else {
-                        console.error("Studio web sign-in shell is not available on this platform, and the Playwright package is not installed.");
-                        console.error("Install Playwright for headless browser login: npm install playwright && npx playwright install chromium");
-                        console.error("Alternatively, use OAuth without credentials:");
-                        console.error(`  kweaver auth login ${normalizedTarget} --no-browser`);
-                        throw err;
-                    }
-                }
-            }
-            else if (usePlaywright) {
-                console.log("Opening browser for login (Playwright)...");
-                token = await playwrightLogin(normalizedTarget, {
-                    tlsInsecure, port: customPort,
                 });
             }
             else {
@@ -456,7 +407,7 @@ Login options:
         console.log(`Run \`kweaver auth login ${logoutTarget}\` to sign in again.`);
         return 0;
     }
-    console.error("Usage: kweaver auth login <platform-url> [--alias <name>] [-u user] [-p pass] [--playwright]");
+    console.error("Usage: kweaver auth login <platform-url> [--alias <name>] [-u user] [-p pass]");
     console.error("       kweaver auth whoami [platform-url|alias] [--json]");
     console.error("       kweaver auth export [platform-url|alias] [--json]");
     console.error("       kweaver auth status [platform-url|alias]");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kweaver-ai/kweaver-sdk",
-  "version": "0.6.5",
+  "version": "0.6.6",
   "description": "KWeaver TypeScript SDK — CLI tool and programmatic API for knowledge networks and Decision Agents.",
   "type": "module",
   "main": "./dist/index.js",
@@ -51,21 +51,11 @@
     "@types/node": "^24.6.0",
     "@types/react": "^19.2.14",
     "@types/yargs": "^17.0.35",
-    "playwright": "^1.58.2",
     "tsx": "^4.20.5",
     "typescript": "^5.9.3"
   },
-  "peerDependencies": {
-    "playwright": ">=1.40.0"
-  },
-  "peerDependenciesMeta": {
-    "playwright": {
-      "optional": true
-    }
-  },
   "dependencies": {
     "@kweaver-ai/bkn": "^0.1.0",
-    "@playwright/test": "^1.58.2",
     "chardet": "^2.1.1",
     "columnify": "^1.6.0",
     "csv-parse": "^6.2.1",