@leeguoo/wrangler-accounts 1.3.0 → 1.4.0

package/bin/wrangler-accounts.js

@@ -695,6 +695,64 @@ function main() {
     if (!isValidName(name)) die(`Invalid profile name: ${name}`);
     ensureDir(profilesDir);
 
+    // Guard 1: refuse to run in a non-interactive context (CI, sub-agent,
+    // pipe). 'wrangler login' opens a browser and requires the user to
+    // click an authorize button. In a non-TTY context this hangs forever
+    // and any attempt is almost certainly an AI/script applying 'login'
+    // as if it were idempotent — it isn't.
+    if (!process.stdin.isTTY && !opts.force) {
+      die(
+        [
+          `'login' requires an interactive terminal — wrangler will open a browser`,
+          `and wait for authorization. Stdin is not a TTY here.`,
+          ``,
+          `If you are an AI agent or script trying to verify a profile is`,
+          `working, do NOT use 'login'. Use one of these instead:`,
+          ``,
+          `  wrangler-accounts whoami --profile ${name}    # static check (meta.json)`,
+          `  wrangler-accounts list --deep                 # live check (network call)`,
+          ``,
+          `If you really need to re-authenticate this profile non-interactively,`,
+          `pass --force to bypass this guard (the OAuth flow will still need a`,
+          `browser to complete).`,
+        ].join("\n"),
+        1,
+      );
+    }
+
+    // Guard 2: refuse to overwrite an existing profile that's already
+    // healthy unless --force is passed. 'login' is destructive — it
+    // OVERWRITES the saved profile by design. If the profile is already
+    // valid, the caller almost certainly meant to verify, not re-create.
+    const existingCfg = path.join(profilesDir, name, "config.toml");
+    if (fs.existsSync(existingCfg) && !opts.force) {
+      const session = readSessionState(existingCfg);
+      const looksHealthy = session.effective === "valid" || session.effective === "refreshable";
+      if (looksHealthy) {
+        die(
+          [
+            `Profile '${name}' already exists and looks healthy:`,
+            `  status:           ${session.effective}`,
+            `  expirationTime:   ${session.expirationTime || "(none)"}`,
+            `  hasRefreshToken:  ${session.hasRefreshToken}`,
+            ``,
+            `'login' is DESTRUCTIVE — it opens a browser and overwrites the saved`,
+            `profile. If you only wanted to verify the profile works, run instead:`,
+            ``,
+            `  wrangler-accounts whoami --profile ${name}     # fast, no network`,
+            `  wrangler-accounts list --deep                  # authoritative, hits Cloudflare API`,
+            ``,
+            `If you really intend to re-authenticate (e.g. you revoked the token`,
+            `in the Cloudflare dashboard, or want to switch which OAuth account`,
+            `this profile is bound to), pass --force:`,
+            ``,
+            `  wrangler-accounts login ${name} --force`,
+          ].join("\n"),
+          1,
+        );
+      }
+    }
+
     // Create a shadow HOME without pre-linking .wrangler/config/default.toml.
     // wrangler login will write a fresh file into shadow/.wrangler/config/
     // which we then move into the profile directory.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@leeguoo/wrangler-accounts",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Cloudflare Wrangler multi-account manager — save, switch, and run wrangler against multiple Cloudflare Workers accounts with AWS-style --profile and per-invocation shadow HOME isolation.",
   "license": "MIT",
   "bin": {

package/skills/wrangler-accounts/SKILL.md

@@ -160,6 +160,34 @@ wrangler-accounts list                 # confirm the profile is saved
 
 The login flow runs inside an isolated shadow `HOME`, so the user's real `~/.wrangler/config/default.toml` is never touched.
 
+> ⚠️ **`login` is destructive.** It opens a browser, requires the user to click "Authorize" interactively, and **OVERWRITES** the named profile. As of 1.4.0, `wrangler-accounts login <name>` refuses to run if (a) stdin is not a TTY, or (b) the profile already exists and looks healthy — both unless you pass `--force`. **Never run `login` to "verify" or "refresh" a profile** — see the antipattern below.
+
+### ❌ Antipattern: running `login` to verify a profile works
+
+This is wrong:
+```bash
+wrangler-accounts login Xdreamstar2025   # ❌ DON'T do this just to check
+```
+
+Reasons:
+1. `login` is **destructive** — it overwrites the saved profile with a brand new OAuth flow.
+2. `login` requires a **browser and an interactive terminal** — it cannot complete in a Bash sub-shell, CI runner, or sub-agent context. The command will hang waiting for the user.
+3. The Cloudflare access token in a healthy profile auto-refreshes via `refresh_token` — there is **nothing to "log in to"** when the profile already works.
+
+Use one of these instead:
+
+```bash
+wrangler-accounts whoami --profile Xdreamstar2025   # fast, reads meta.json, no network
+wrangler-accounts list --deep                       # authoritative, runs wrangler whoami per profile
+wrangler-accounts list                              # quick STATUS overview (valid / valid* / EXPIRED / unknown)
+```
+
+Only fall back to `wrangler-accounts login <name>` when:
+- The profile **does not exist yet** (creating a new account profile from scratch)
+- The profile shows `EXPIRED` (truly expired, no refresh_token left) — see STATUS table above
+- `list --deep` returns `✗` with "Not logged in" / "refresh token may be revoked" (server-side revocation)
+- The user **explicitly says** "re-authenticate this profile" / "log me in again"
+
 ### User wants: check which account a profile is tied to, without running wrangler
 
 ```bash