@kweaver-ai/kweaver-sdk 0.6.5 → 0.6.7

package/dist/commands/auth.js

@@ -1,18 +1,8 @@
 import { isNoAuth } from "../config/no-auth.js";
-import { autoSelectBusinessDomain, clearPlatformSession, deletePlatform, deleteUser, getActiveUser, getConfigDir, getCurrentPlatform, getPlatformAlias, hasPlatform, listPlatforms, listUserProfiles, loadClientConfig, loadTokenConfig, resolveBusinessDomain, resolvePlatformIdentifier, resolveUserId, saveNoAuthPlatform, setActiveUser, setCurrentPlatform, setPlatformAlias, } from "../config/store.js";
+import { autoSelectBusinessDomain, clearPlatformSession, deletePlatform, deleteUser, getActiveUser, getConfigDir, getCurrentPlatform, getPlatformAlias, hasPlatform, listPlatforms, listUserProfiles, loadClientConfig, loadTokenConfig, loadUserTokenConfig, resolveBusinessDomain, resolvePlatformIdentifier, resolveUserId, saveNoAuthPlatform, setActiveUser, setCurrentPlatform, setPlatformAlias, } from "../config/store.js";
 import { decodeJwtPayload } from "../config/jwt.js";
-import { buildCopyCommand, formatHttpError, isStudiowebShellUnavailableError, normalizeBaseUrl, oauth2Login, oauth2PasswordSigninLogin, playwrightLogin, refreshTokenLogin, } from "../auth/oauth.js";
-/** True when the `playwright` npm package can be imported (browser binaries may still need `npx playwright install`). */
-async function isPlaywrightPackageResolvable() {
-    try {
-        const modName = "playwright";
-        await import(/* webpackIgnore: true */ modName);
-        return true;
-    }
-    catch {
-        return false;
-    }
-}
+import { eacpModifyPassword } from "../auth/eacp-modify-password.js";
+import { buildCopyCommand, formatHttpError, InitialPasswordChangeRequiredError, normalizeBaseUrl, oauth2Login, oauth2PasswordSigninLogin, promptForUsername, promptForPassword, refreshTokenLogin, } from "../auth/oauth.js";
 export async function runAuthCommand(args) {
     const target = args[0];
     const rest = args.slice(1);
@@ -28,6 +18,7 @@ kweaver auth users [url|alias]       List all user profiles (with usernames) for
 kweaver auth switch [url|alias] --user <id|username>  Switch active user for a platform
 kweaver auth logout [url|alias] [--user <id>]  Logout (clear local token)
 kweaver auth delete <url|alias> [--user <id>]  Delete saved credentials
+kweaver auth change-password [<url>] [-u <account>] [-o <old>] [-n <new>]  Change password
 
 Login options:
   --alias <name>         Save platform with a short alias (use with use / status / logout)
@@ -39,24 +30,25 @@ Login options:
                          Requires --client-id and --client-secret.
                          Get these from the callback page after browser login or \`auth export\`.
   --port <n>             Local callback port (default: 9010). Use when 9010 is occupied.
-  --no-browser           Do not open a browser; print the auth URL and prompt for the callback URL or code (stdin).
-                         Use on headless servers or when automatic browser launch fails.
-  -u, --username         Username (with -p: tries HTTP /oauth2/signin first when the Studio web shell is available)
-  -p, --password         Password (with -u: falls back to Playwright headless only when studioweb is unavailable and Playwright is installed)
-  --http-signin          With -u/-p: HTTP POST /oauth2/signin only (no Playwright fallback). Uses the built-in RSA public key.
-  --playwright           With -u/-p: force Playwright (skip HTTP sign-in). Without -u/-p: open Playwright for manual login.
+  --no-browser           Do not open a browser. Without -u/-p: print the auth URL and prompt for the
+                         callback URL or code (stdin). With -u and/or -p: route through HTTP sign-in
+                         (any missing credential is prompted; password is hidden when stdin is a TTY).
+  -u, --username         Username for HTTP /oauth2/signin (POST). If -p is omitted, password is prompted.
+  -p, --password         Password for HTTP /oauth2/signin (POST). If -u is omitted, username is prompted.
+  --http-signin          Force HTTP /oauth2/signin (no browser). Missing -u/-p are prompted from stdin.
+  --new-password <pwd>   After HTTP sign-in error 401001017 (initial password), set the new password non-interactively, then retry login.
   --insecure, -k         Skip TLS certificate verification (self-signed / dev HTTPS only)
   --no-auth              Save platform without OAuth (servers with no authentication). Same as detecting OAuth 404 during login.`);
         return 0;
     }
     if (target === "login") {
         if (rest[0] === "--help" || rest[0] === "-h") {
-            console.log(`kweaver auth login <platform-url> [--alias <name>] [--no-auth] [--no-browser] [-u user] [-p pass] [--http-signin] [--playwright] [--refresh-token T --client-id ID --client-secret S]`);
+            console.log(`kweaver auth login <platform-url> [--alias <name>] [--no-auth] [--no-browser] [-u user] [-p pass] [--new-password <pwd>] [--http-signin] [--refresh-token T --client-id ID --client-secret S]`);
             return 0;
         }
         const url = rest[0];
         if (!url || url.startsWith("-")) {
-            console.error("Usage: kweaver auth login <platform-url> [--alias <name>] [-u user] [-p pass] [--playwright]");
+            console.error("Usage: kweaver auth login <platform-url> [--alias <name>] [-u user] [-p pass]");
             return 1;
         }
         return runAuthCommand([url, ...rest.slice(1)]);
@@ -73,14 +65,16 @@ Login options:
     if (target === "switch") {
         return runAuthSwitchCommand(rest);
     }
+    if (target === "change-password") {
+        return runAuthChangePasswordCommand(rest);
+    }
     const LOGIN_SUBCOMMANDS = new Set(["status", "list", "use", "delete", "logout", "export", "whoami", "users", "switch"]);
     if (target && !LOGIN_SUBCOMMANDS.has(target)) {
         try {
             const normalizedTarget = normalizeBaseUrl(target);
             const alias = readOption(args, "--alias");
-            const username = readOption(args, "--username") ?? readOption(args, "-u");
-            const password = readOption(args, "--password") ?? readOption(args, "-p");
-            const usePlaywright = args.includes("--playwright");
+            let username = readOption(args, "--username") ?? readOption(args, "-u");
+            let password = readOption(args, "--password") ?? readOption(args, "-p");
             const httpSignin = args.includes("--http-signin");
             const oauthProduct = readOption(args, "--oauth-product");
             const signinPublicKeyFile = readOption(args, "--signin-public-key-file");
@@ -92,6 +86,7 @@ Login options:
             const tlsInsecure = args.includes("--insecure") || args.includes("-k");
             const noAuth = args.includes("--no-auth");
             const noBrowser = args.includes("--no-browser");
+            const newPasswordFlag = readOption(args, "--new-password");
             if (args.includes("--redirect-uri")) {
                 console.error("Warning: --redirect-uri is deprecated and ignored. The redirect URI is always http://127.0.0.1:<port>/callback.");
             }
@@ -99,13 +94,15 @@ Login options:
                 "--alias", "--client-id", "--client-secret", "--refresh-token",
                 "--port", "--no-browser", "--username", "-u", "--password", "-p",
                 "--http-signin",
+                "--new-password",
                 "--oauth-product",
                 "--signin-public-key-file",
-                "--playwright", "--insecure", "-k", "--no-auth", "--redirect-uri",
+                "--insecure", "-k", "--no-auth", "--redirect-uri",
             ]);
             const KNOWN_VALUE_FLAGS = new Set([
                 "--alias", "--client-id", "--client-secret", "--refresh-token",
                 "--port", "--username", "-u", "--password", "-p", "--redirect-uri",
+                "--new-password",
                 "--oauth-product",
                 "--signin-public-key-file",
             ]);
@@ -130,30 +127,38 @@ Login options:
             if (noAuth && noBrowser) {
                 console.error("--no-auth does not require a browser; --no-browser is ignored.");
             }
-            if (noAuth && (username || password || usePlaywright || httpSignin)) {
-                console.error("--no-auth cannot be used with Playwright login, HTTP sign-in, or -u/-p.");
+            if (noAuth && (username || password || httpSignin)) {
+                console.error("--no-auth cannot be used with HTTP sign-in or -u/-p.");
                 return 1;
             }
-            if (noBrowser && (username || password || usePlaywright || httpSignin)) {
-                console.error("--no-browser cannot be used with Playwright login, HTTP sign-in, or -u/-p.");
+            if (newPasswordFlag !== undefined && (!username || !password)) {
+                console.error("--new-password requires -u/--username and -p/--password (HTTP sign-in).");
                 return 1;
             }
-            if (httpSignin && usePlaywright) {
-                console.error("--http-signin cannot be used with --playwright.");
-                return 1;
+            if (noBrowser && httpSignin) {
+                // HTTP sign-in already runs without a browser; --no-browser is a no-op signal here.
+                console.error("--http-signin already runs without a browser; --no-browser is redundant and ignored.");
             }
             if (httpSignin && refreshToken) {
                 console.error("--http-signin cannot be used with --refresh-token.");
                 return 1;
             }
-            if (httpSignin && (!username || !password)) {
-                console.error("--http-signin requires -u/--username and -p/--password.");
-                return 1;
-            }
             if (noBrowser && refreshToken) {
                 console.error("--no-browser cannot be used with --refresh-token.");
                 return 1;
             }
+            // Headless credential login: if the user signalled HTTP sign-in (--http-signin,
+            // or partial -u/-p, or --no-browser combined with -u/-p) but didn't provide both
+            // credentials inline, prompt for the missing one(s) on stderr. Password is read
+            // without echo when stdin is a TTY.
+            const wantsCredentialLogin = !noAuth && !refreshToken &&
+                (httpSignin || (noBrowser && (username || password)) || (!!username !== !!password));
+            if (wantsCredentialLogin) {
+                if (!username)
+                    username = await promptForUsername("Username");
+                if (!password)
+                    password = await promptForPassword("Password");
+            }
             let token;
             if (noAuth) {
                 token = saveNoAuthPlatform(normalizedTarget, { tlsInsecure });
@@ -169,30 +174,9 @@ Login options:
                     clientId, clientSecret, refreshToken, tlsInsecure,
                 });
             }
-            else if (username && password && httpSignin) {
-                console.log("Logging in (HTTP /oauth2/signin)...");
-                token = await oauth2PasswordSigninLogin(normalizedTarget, {
-                    username,
-                    password,
-                    tlsInsecure,
-                    port: customPort,
-                    clientId: clientId ?? undefined,
-                    clientSecret: clientSecret ?? undefined,
-                    oauthProduct: oauthProduct ?? undefined,
-                    signinPublicKeyPemPath: signinPublicKeyFile ?? undefined,
-                });
-            }
-            else if (username && password && usePlaywright) {
-                console.log("Logging in (headless, Playwright)...");
-                token = await playwrightLogin(normalizedTarget, {
-                    username,
-                    password,
-                    tlsInsecure,
-                    port: customPort,
-                });
-            }
             else if (username && password) {
-                const signinOpts = {
+                console.log("Logging in (HTTP /oauth2/signin)...");
+                token = await loginWithInitialPasswordRecovery(normalizedTarget, {
                     username,
                     password,
                     tlsInsecure,
@@ -201,40 +185,7 @@ Login options:
                     clientSecret: clientSecret ?? undefined,
                     oauthProduct: oauthProduct ?? undefined,
                     signinPublicKeyPemPath: signinPublicKeyFile ?? undefined,
-                };
-                console.log("Logging in (HTTP /oauth2/signin)...");
-                try {
-                    token = await oauth2PasswordSigninLogin(normalizedTarget, signinOpts);
-                }
-                catch (err) {
-                    if (!isStudiowebShellUnavailableError(err)) {
-                        throw err;
-                    }
-                    const playwrightOk = await isPlaywrightPackageResolvable();
-                    if (playwrightOk) {
-                        process.stderr.write("Studio web sign-in shell is not available; falling back to Playwright headless login.\n");
-                        console.log("Logging in (headless, Playwright)...");
-                        token = await playwrightLogin(normalizedTarget, {
-                            username,
-                            password,
-                            tlsInsecure,
-                            port: customPort,
-                        });
-                    }
-                    else {
-                        console.error("Studio web sign-in shell is not available on this platform, and the Playwright package is not installed.");
-                        console.error("Install Playwright for headless browser login: npm install playwright && npx playwright install chromium");
-                        console.error("Alternatively, use OAuth without credentials:");
-                        console.error(`  kweaver auth login ${normalizedTarget} --no-browser`);
-                        throw err;
-                    }
-                }
-            }
-            else if (usePlaywright) {
-                console.log("Opening browser for login (Playwright)...");
-                token = await playwrightLogin(normalizedTarget, {
-                    tlsInsecure, port: customPort,
-                });
+                }, { newPasswordFlag, tlsInsecure });
             }
             else {
                 if (noBrowser) {
@@ -456,7 +407,7 @@ Login options:
         console.log(`Run \`kweaver auth login ${logoutTarget}\` to sign in again.`);
         return 0;
     }
-    console.error("Usage: kweaver auth login <platform-url> [--alias <name>] [-u user] [-p pass] [--playwright]");
+    console.error("Usage: kweaver auth login <platform-url> [--alias <name>] [-u user] [-p pass]");
     console.error("       kweaver auth whoami [platform-url|alias] [--json]");
     console.error("       kweaver auth export [platform-url|alias] [--json]");
     console.error("       kweaver auth status [platform-url|alias]");
@@ -684,3 +635,217 @@ function readOption(args, name) {
     }
     return args[index + 1];
 }
+const EACP_NEW_PWD_MIN = 6;
+const EACP_NEW_PWD_MAX = 100;
+function validateNewPasswordLengthForEacp(pwd) {
+    if (pwd.length < EACP_NEW_PWD_MIN || pwd.length > EACP_NEW_PWD_MAX) {
+        throw new Error(`New password must be between ${EACP_NEW_PWD_MIN} and ${EACP_NEW_PWD_MAX} characters.`);
+    }
+}
+function formatEacpModifyFailure(status, json, body) {
+    if (json && typeof json === "object" && json !== null) {
+        const o = json;
+        const msg = typeof o.message === "string" && o.message.trim() !== ""
+            ? o.message
+            : typeof o.cause === "string"
+                ? o.cause
+                : "";
+        if (msg)
+            return `Password change failed (HTTP ${status}): ${msg}`;
+    }
+    return `Password change failed (HTTP ${status}): ${body.slice(0, 500)}`;
+}
+async function promptYesNo(message) {
+    const { createInterface } = await import("node:readline");
+    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    return await new Promise((resolve, reject) => {
+        let answered = false;
+        rl.on("close", () => {
+            if (!answered)
+                reject(new Error("Login cancelled."));
+        });
+        rl.question(`${message} [Y/n] `, (answer) => {
+            answered = true;
+            rl.close();
+            const a = answer.trim().toLowerCase();
+            resolve(a === "" || a === "y" || a === "yes");
+        });
+    });
+}
+async function loginWithInitialPasswordRecovery(normalizedTarget, signinOpts, recovery) {
+    try {
+        return await oauth2PasswordSigninLogin(normalizedTarget, signinOpts);
+    }
+    catch (e) {
+        if (!(e instanceof InitialPasswordChangeRequiredError))
+            throw e;
+        const err = e;
+        const account = signinOpts.username;
+        const oldPwd = signinOpts.password;
+        let newPwd = recovery.newPasswordFlag;
+        if (newPwd !== undefined) {
+            validateNewPasswordLengthForEacp(newPwd);
+        }
+        else if (process.stderr.isTTY) {
+            process.stderr.write(`${err.serverMessage}\n`);
+            const ok = await promptYesNo(`Account "${account}" must change its initial password. Proceed with password change now?`);
+            if (!ok) {
+                throw new Error("Initial password change declined. Run again when ready.");
+            }
+            const np1 = await promptForPassword("New password (6-100 characters)");
+            const np2 = await promptForPassword("Confirm new password");
+            if (np1 !== np2) {
+                throw new Error("New passwords do not match.");
+            }
+            validateNewPasswordLengthForEacp(np1);
+            newPwd = np1;
+        }
+        else {
+            throw new Error("This account must change its initial password (error 401001017). Re-run with --new-password <password> (non-interactive).");
+        }
+        const mod = await eacpModifyPassword(normalizedTarget, {
+            account,
+            oldPassword: oldPwd,
+            newPassword: newPwd,
+            tlsInsecure: recovery.tlsInsecure,
+        });
+        if (!mod.ok) {
+            throw new Error(formatEacpModifyFailure(mod.status, mod.json, mod.body));
+        }
+        return oauth2PasswordSigninLogin(normalizedTarget, {
+            ...signinOpts,
+            password: newPwd,
+        });
+    }
+}
+async function runAuthChangePasswordCommand(args) {
+    if (args[0] === "--help" || args[0] === "-h") {
+        console.log(`kweaver auth change-password [<platform-url>] [options]
+
+Change the EACP account password via POST /api/eacp/v1/auth1/modifypassword.
+No saved OAuth token is required.
+
+Options:
+  -u, --account <name>       Account / login name. On TTY, defaults to the current active user
+                             after a confirmation prompt. Required in non-interactive mode.
+  -o, --old-password <pwd>   Current password (omit on TTY to be prompted)
+  -n, --new-password <pwd>   New password, 6-100 characters (omit on TTY to be prompted)
+  --insecure, -k             Skip TLS certificate verification (defaults to the platform's saved
+                             preference set at login with -k; pass to override per-call)
+
+Platform URL is optional; defaults to the current active platform (kweaver auth use).`);
+        return 0;
+    }
+    const KNOWN_CP_FLAGS = new Set([
+        "-u",
+        "--account",
+        "-o",
+        "--old-password",
+        "-n",
+        "--new-password",
+        "--insecure",
+        "-k",
+        "--help",
+        "-h",
+    ]);
+    const KNOWN_CP_VALUE = new Set([
+        "-u",
+        "--account",
+        "-o",
+        "--old-password",
+        "-n",
+        "--new-password",
+    ]);
+    // First positional (if present and not a flag) is the platform URL or alias.
+    const positional = args[0] && !args[0].startsWith("-") ? args[0] : undefined;
+    const flagArgs = positional ? args.slice(1) : args;
+    for (let i = 0; i < flagArgs.length; i++) {
+        const a = flagArgs[i];
+        if (a.startsWith("-") && !KNOWN_CP_FLAGS.has(a)) {
+            console.error(`Unknown option: ${a}`);
+            console.error("Run 'kweaver auth change-password --help' for usage.");
+            return 1;
+        }
+        if (KNOWN_CP_VALUE.has(a))
+            i++;
+    }
+    const normalizedTarget = resolvePlatformArg(positional ? [positional] : []);
+    if (!normalizedTarget) {
+        console.error("No platform resolved. Pass <platform-url|alias> or run `kweaver auth use <url|alias>` first.");
+        return 1;
+    }
+    let account = readOption(flagArgs, "--account") ?? readOption(flagArgs, "-u");
+    let oldPassword = readOption(flagArgs, "--old-password") ?? readOption(flagArgs, "-o");
+    let newPassword = readOption(flagArgs, "--new-password") ?? readOption(flagArgs, "-n");
+    const explicitTlsInsecure = flagArgs.includes("--insecure") || flagArgs.includes("-k");
+    // Resolve the active user's saved token; we use it both to default the account
+    // and to inherit the platform's saved tlsInsecure preference (set at login with -k).
+    const activeUser = getActiveUser(normalizedTarget);
+    const activeToken = activeUser ? loadUserTokenConfig(normalizedTarget, activeUser) : null;
+    const tlsInsecure = explicitTlsInsecure || activeToken?.tlsInsecure === true;
+    const interactive = process.stdin.isTTY === true && process.stderr.isTTY === true;
+    const accountWasExplicit = !!account?.trim();
+    // Account resolution (with safety guards):
+    // - Explicit -u always wins.
+    // - Non-TTY + no -u: REFUSE. Silently using the active account in CI / pipes
+    //   would let scripts modify the wrong account's password without warning.
+    // - TTY + no -u: default to the active user's displayName, but require an
+    //   interactive yes/no confirmation before proceeding.
+    if (!accountWasExplicit) {
+        const defaultAccount = activeToken?.displayName?.trim();
+        if (!defaultAccount) {
+            console.error("Cannot determine current account on the platform. Pass -u/--account, or log in first (kweaver auth login ...).");
+            return 1;
+        }
+        if (!interactive) {
+            console.error(`Refusing to default account in non-interactive mode. Pass -u/--account explicitly (would have used "${defaultAccount}").`);
+            return 1;
+        }
+        const ok = await promptYesNo(`Change password for account "${defaultAccount}" on ${normalizedTarget}?`);
+        if (!ok) {
+            console.error("Aborted by user.");
+            return 1;
+        }
+        account = defaultAccount;
+    }
+    const trimmedAccount = account.trim();
+    try {
+        if (!interactive) {
+            if (!oldPassword || !newPassword) {
+                console.error("In non-interactive mode, --old-password and --new-password are required.");
+                return 1;
+            }
+        }
+        else {
+            if (!oldPassword) {
+                oldPassword = await promptForPassword("Old password");
+            }
+            if (!newPassword) {
+                const n1 = await promptForPassword("New password (6-100 characters)");
+                const n2 = await promptForPassword("Confirm new password");
+                if (n1 !== n2) {
+                    console.error("New passwords do not match.");
+                    return 1;
+                }
+                newPassword = n1;
+            }
+        }
+        validateNewPasswordLengthForEacp(newPassword);
+        const result = await eacpModifyPassword(normalizedTarget, {
+            account: trimmedAccount,
+            oldPassword: oldPassword,
+            newPassword: newPassword,
+            tlsInsecure,
+        });
+        if (!result.ok) {
+            console.error(`${formatEacpModifyFailure(result.status, result.json, result.body)} (account="${trimmedAccount}")`);
+            return 1;
+        }
+        console.log(`Password changed for ${trimmedAccount} on ${normalizedTarget}`);
+        return 0;
+    }
+    catch (e) {
+        console.error(`${formatHttpError(e)}\n(account="${trimmedAccount}")`);
+        return 1;
+    }
+}

package/dist/index.d.ts

@@ -62,4 +62,5 @@ export type { TokenConfig, ContextLoaderEntry, ContextLoaderConfig, } from "./co
 export type { UserProfile } from "./config/store.js";
 export { NO_AUTH_TOKEN, isNoAuth, saveNoAuthPlatform, autoSelectBusinessDomain, getConfigDir, getCurrentPlatform, getActiveUser, setActiveUser, listUsers, listUserProfiles, resolveUserId, extractUserId, } from "./config/store.js";
 export { decodeJwtPayload, extractUserIdFromJwt } from "./config/jwt.js";
-export { DEFAULT_SIGNIN_RSA_MODULUS_HEX, oauth2PasswordSigninLogin, parseSigninPageHtmlProps, rsaModulusHexToSpkiPem, STUDIOWEB_LOGIN_PUBLIC_KEY_PEM, } from "./auth/oauth.js";
+export { DEFAULT_SIGNIN_RSA_MODULUS_HEX, InitialPasswordChangeRequiredError, oauth2PasswordSigninLogin, parseSigninPageHtmlProps, rsaModulusHexToSpkiPem, STUDIOWEB_LOGIN_PUBLIC_KEY_PEM, } from "./auth/oauth.js";
+export { eacpModifyPassword, encryptModifyPwd } from "./auth/eacp-modify-password.js";

package/dist/index.js

@@ -50,4 +50,5 @@ export { NO_AUTH_TOKEN, isNoAuth, saveNoAuthPlatform, autoSelectBusinessDomain,
 // ── JWT utilities ─────────────────────────────────────────────────────────────
 export { decodeJwtPayload, extractUserIdFromJwt } from "./config/jwt.js";
 // ── OAuth (advanced — CLI uses these internally; optional for custom login tools) ─
-export { DEFAULT_SIGNIN_RSA_MODULUS_HEX, oauth2PasswordSigninLogin, parseSigninPageHtmlProps, rsaModulusHexToSpkiPem, STUDIOWEB_LOGIN_PUBLIC_KEY_PEM, } from "./auth/oauth.js";
+export { DEFAULT_SIGNIN_RSA_MODULUS_HEX, InitialPasswordChangeRequiredError, oauth2PasswordSigninLogin, parseSigninPageHtmlProps, rsaModulusHexToSpkiPem, STUDIOWEB_LOGIN_PUBLIC_KEY_PEM, } from "./auth/oauth.js";
+export { eacpModifyPassword, encryptModifyPwd } from "./auth/eacp-modify-password.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kweaver-ai/kweaver-sdk",
-  "version": "0.6.5",
+  "version": "0.6.7",
   "description": "KWeaver TypeScript SDK — CLI tool and programmatic API for knowledge networks and Decision Agents.",
   "type": "module",
   "main": "./dist/index.js",
@@ -51,21 +51,11 @@
     "@types/node": "^24.6.0",
     "@types/react": "^19.2.14",
     "@types/yargs": "^17.0.35",
-    "playwright": "^1.58.2",
     "tsx": "^4.20.5",
     "typescript": "^5.9.3"
   },
-  "peerDependencies": {
-    "playwright": ">=1.40.0"
-  },
-  "peerDependenciesMeta": {
-    "playwright": {
-      "optional": true
-    }
-  },
   "dependencies": {
     "@kweaver-ai/bkn": "^0.1.0",
-    "@playwright/test": "^1.58.2",
     "chardet": "^2.1.1",
     "columnify": "^1.6.0",
     "csv-parse": "^6.2.1",