@nalvietnam/avatar-cli 1.2.0 → 1.2.2

package/dist/index.js

@@ -157,8 +157,17 @@ function spinner(text) {
 var QUOTA_VERIFY_TIMEOUT_MS = 3e4;
 var QUOTA_VERIFY_PROMPT = "ok";
 function checkClaudeCodeSubscriptionAuth() {
-  const result = spawnSync("claude", ["auth", "status"], { stdio: "ignore" });
+  const result = spawnSync("claude", ["auth", "status"], { encoding: "utf8" });
   if (result.error || result.status !== 0) return "not-authenticated";
+  const stdout = (result.stdout || "").trim();
+  if (stdout.startsWith("{")) {
+    try {
+      const parsed = JSON.parse(stdout);
+      return parsed.loggedIn === true ? "authenticated" : "not-authenticated";
+    } catch {
+      return "authenticated";
+    }
+  }
   return "authenticated";
 }
 function triggerClaudeCodeAuthLogin() {
@@ -179,14 +188,37 @@ function classifyQuotaError(combinedOutput) {
   if (text.includes("insufficient_quota") || text.includes("insufficient quota")) {
     return "insufficient_quota";
   }
+  if (text.includes("quota_exceeded") || text.includes("quota exceeded") || text.includes("usage limit") || text.includes("you've used all")) {
+    return "insufficient_quota";
+  }
+  if (text.includes("401") || text.includes("invalid authentication") || text.includes("authentication credentials") || text.includes("failed to authenticate") || text.includes("authentication failed") || text.includes("unauthorized")) {
+    return "auth-expired";
+  }
   if (text.includes("invalid_api_key") || text.includes("invalid api key")) {
     return "invalid_api_key";
   }
-  if (text.includes("rate_limit") || text.includes("rate limit")) {
+  if (text.includes("rate_limit") || text.includes("rate limit") || text.includes("429")) {
     return "rate_limit";
   }
   return "unknown";
 }
+function getQuotaErrorHint(reason) {
+  switch (reason) {
+    case "auth-expired":
+      return "Token Claude Code \u0111\xE3 h\u1EBFt h\u1EA1n/b\u1ECB revoke. Ch\u1EA1y: `claude auth logout && claude auth login`.";
+    case "credit_balance_too_low":
+    case "insufficient_quota":
+      return "H\u1EBFt quota subscription. Upgrade plan ho\u1EB7c d\xF9ng LLMLite (avatar ai setup \u2192 ch\u1ECDn LLMLite).";
+    case "invalid_api_key":
+      return "API key invalid. Re-login: `claude auth login`.";
+    case "rate_limit":
+      return "B\u1ECB rate limit t\u1EA1m th\u1EDDi. Ch\u1EDD v\xE0i ph\xFAt r\u1ED3i ch\u1EA1y `avatar ai setup`.";
+    case "timeout":
+      return "Network ch\u1EADm ho\u1EB7c Anthropic API down. Check m\u1EA1ng r\u1ED3i ch\u1EA1y l\u1EA1i.";
+    default:
+      return "L\u1ED7i ch\u01B0a bi\u1EBFt. Xem stderr \u1EDF tr\xEAn + ch\u1EA1y `claude --print ok` tay \u0111\u1EC3 debug.";
+  }
+}
 function verifyClaudeCodeQuota() {
   const result = spawnSync("claude", ["--print", QUOTA_VERIFY_PROMPT], {
     encoding: "utf8",
@@ -202,6 +234,9 @@ function verifyClaudeCodeQuota() {
   }
   const reason = classifyQuotaError(`${stderr}
 ${stdout}`);
+  if (reason === "unknown" && stderr.trim()) {
+    log.dim(`[debug] claude --print stderr: ${stderr.slice(0, 500)}`);
+  }
   return { ok: false, reason, detail: stderr.slice(0, 500) };
 }
 
@@ -221,12 +256,8 @@ var VERSION_PROBE_TIMEOUT_MS = 5e3;
 var SEMVER_REGEX = /(\d+\.\d+\.\d+)/;
 function probeClaudeBinaryPath() {
   const isWindows = detectHostPlatform() === "win32";
-  const probeCmd = isWindows ? "where" : "command";
-  const probeArgs = isWindows ? ["claude"] : ["-v", "claude"];
-  const result = spawnSync2(probeCmd, probeArgs, {
-    encoding: "utf8",
-    shell: !isWindows
-  });
+  const probeCmd = isWindows ? "where" : "which";
+  const result = spawnSync2(probeCmd, ["claude"], { encoding: "utf8" });
   if (result.error || result.status !== 0) return null;
   const out = (result.stdout || "").trim();
   if (!out) return null;
@@ -562,16 +593,21 @@ async function runAiSetupPhase(args) {
         if (checkClaudeCodeSubscriptionAuth() !== "authenticated") {
           triggerClaudeCodeAuthLogin();
         }
-        const quota = verifyClaudeCodeQuota();
+        let quota = verifyClaudeCodeQuota();
+        if (!quota.ok && quota.reason === "auth-expired") {
+          log.warn("Token Claude Code \u0111\xE3 h\u1EBFt h\u1EA1n. T\u1EF1 \u0111\u1ED9ng re-login...");
+          triggerClaudeCodeAuthLogin();
+          quota = verifyClaudeCodeQuota();
+        }
         if (!quota.ok) {
+          const reason = quota.reason ?? "unknown";
           await appendAuditEntry(
             "ai_setup",
-            `provider=subscription,result=no-quota,reason=${quota.reason ?? "unknown"}`
-          );
-          log.warn(
-            `Subscription verify th\u1EA5t b\u1EA1i (${quota.reason ?? "unknown"}). Suggest LLMLite ho\u1EB7c upgrade plan.`
+            `provider=subscription,result=no-quota,reason=${reason}`
           );
-          return { ok: false, reason: `subscription-${quota.reason ?? "unknown"}`, phase: "quota" };
+          log.warn(`Subscription verify th\u1EA5t b\u1EA1i (${reason}).`);
+          log.dim(`\u2192 ${getQuotaErrorHint(reason)}`);
+          return { ok: false, reason: `subscription-${reason}`, phase: "quota" };
         }
         await writeClaudeSettings(args.workspacePath, {
           provider: "subscription",
@@ -1073,7 +1109,7 @@ async function applyFixes(checks) {
 // src/commands/init.ts
 import { basename, join as join16, relative as relative2, resolve } from "path";
 import { confirm as confirm2, input as input2, select as select4 } from "@inquirer/prompts";
-import boxen2 from "boxen";
+import boxen3 from "boxen";
 
 // src/lib/avatar-ascii-banner.ts
 import chalk2 from "chalk";
@@ -1742,6 +1778,196 @@ function buildScaffoldVariables(args) {
   };
 }
 
+// src/commands/login.ts
+import boxen2 from "boxen";
+import open from "open";
+
+// src/lib/google-oauth-device-flow.ts
+var GOOGLE_CLIENT_ID = "1014766441755-i4jimivh5rd7vt8phuhmepmt45sovtph.apps.googleusercontent.com";
+var GOOGLE_CLIENT_SECRET = "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";
+var HOSTED_DOMAIN = "nal.vn";
+var SCOPES = ["openid", "email", "profile"];
+var DEVICE_CODE_URL = "https://oauth2.googleapis.com/device/code";
+var TOKEN_URL = "https://oauth2.googleapis.com/token";
+var REVOKE_URL = "https://oauth2.googleapis.com/revoke";
+async function requestDeviceCode() {
+  const body = new URLSearchParams({
+    client_id: GOOGLE_CLIENT_ID,
+    scope: SCOPES.join(" ")
+  });
+  const res = await fetch(DEVICE_CODE_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Device code request failed (${res.status}): ${text}`);
+  }
+  return await res.json();
+}
+async function pollForToken(deviceCode) {
+  const body = new URLSearchParams({
+    client_id: GOOGLE_CLIENT_ID,
+    client_secret: GOOGLE_CLIENT_SECRET,
+    device_code: deviceCode,
+    grant_type: "urn:ietf:params:oauth:grant-type:device_code"
+  });
+  const res = await fetch(TOKEN_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  });
+  if (res.ok) {
+    return await res.json();
+  }
+  let errorCode = "";
+  try {
+    const data = await res.json();
+    errorCode = data.error ?? "";
+  } catch {
+    errorCode = "";
+  }
+  if (errorCode === "authorization_pending" || errorCode === "slow_down") {
+    return null;
+  }
+  if (errorCode === "access_denied") {
+    throw new Error("User t\u1EEB ch\u1ED1i quy\u1EC1n truy c\u1EADp");
+  }
+  if (errorCode === "expired_token") {
+    throw new Error("H\u1EBFt h\u1EA1n ch\u1EDD (5 ph\xFAt). Ch\u1EA1y l\u1EA1i 'avatar login'.");
+  }
+  throw new Error(`OAuth token endpoint tr\u1EA3 l\u1ED7i: ${errorCode || res.status}`);
+}
+function decodeIdToken(idToken) {
+  const parts = idToken.split(".");
+  if (parts.length !== 3) {
+    throw new Error("id_token format kh\xF4ng h\u1EE3p l\u1EC7");
+  }
+  const payload = parts[1];
+  if (!payload) throw new Error("id_token thi\u1EBFu payload");
+  const base64 = payload.replace(/-/g, "+").replace(/_/g, "/");
+  const json = Buffer.from(base64, "base64").toString("utf8");
+  return JSON.parse(json);
+}
+function verifyHostedDomain(claims) {
+  if (claims.hd !== HOSTED_DOMAIN) {
+    throw new Error(
+      `Email kh\xF4ng thu\u1ED9c workspace NAL (y\xEAu c\u1EA7u @${HOSTED_DOMAIN}). Nh\u1EADn: ${claims.email}`
+    );
+  }
+  if (!claims.email_verified) {
+    throw new Error("Email ch\u01B0a \u0111\u01B0\u1EE3c Google verify");
+  }
+}
+function buildUserConfig(token, claims) {
+  const expiresAt = new Date(Date.now() + token.expires_in * 1e3).toISOString();
+  return {
+    email: claims.email,
+    name: claims.name ?? claims.email,
+    access_token: token.access_token,
+    refresh_token: token.refresh_token,
+    expires_at: expiresAt,
+    id_token: token.id_token
+  };
+}
+async function revokeToken(token) {
+  const body = new URLSearchParams({ token });
+  await fetch(REVOKE_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  }).catch(() => {
+  });
+}
+function buildVerificationUrl(response) {
+  const url = new URL(response.verification_url);
+  url.searchParams.set("user_code", response.user_code);
+  url.searchParams.set("hd", HOSTED_DOMAIN);
+  return url.toString();
+}
+
+// src/commands/login.ts
+function registerLoginCommand(program2) {
+  program2.command("login").description("\u0110\u0103ng nh\u1EADp Google SSO (workspace @nal.vn)").option("--reset", "X\xF3a credential c\u0169 v\xE0 \u0111\u0103ng nh\u1EADp l\u1EA1i").action(async (opts) => {
+    try {
+      await runLogin(opts);
+    } catch (err) {
+      log.error(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
+}
+async function runLogin(opts) {
+  printAvatarBanner({ tagline: "\u0110\u0103ng nh\u1EADp Google SSO \xB7 workspace @nal.vn" });
+  if (opts.reset) {
+    await clearUserConfig();
+    await appendAuditEntry("login_reset");
+  } else {
+    const existing = await readUserConfig();
+    if (existing && !isTokenExpired(existing)) {
+      log.success(`\u0110\xE3 \u0111\u0103ng nh\u1EADp: ${existing.email}`);
+      return;
+    }
+  }
+  const deviceSpinner = spinner("\u0110ang y\xEAu c\u1EA7u device code t\u1EEB Google...");
+  let deviceCode;
+  try {
+    deviceCode = await requestDeviceCode();
+    deviceSpinner.succeed("Nh\u1EADn device code");
+  } catch (err) {
+    deviceSpinner.fail("Kh\xF4ng k\u1EBFt n\u1ED1i \u0111\u01B0\u1EE3c Google");
+    throw err;
+  }
+  const verificationUrl = buildVerificationUrl(deviceCode);
+  const instructions = [
+    `1. Truy c\u1EADp:    ${chalk.cyan(deviceCode.verification_url)}`,
+    `2. Nh\u1EADp code:   ${chalk.bold.yellow(deviceCode.user_code)}`,
+    "",
+    `Ho\u1EB7c Avatar t\u1EF1 m\u1EDF browser, click ${chalk.green("Allow")}...`
+  ].join("\n");
+  process.stdout.write(`${boxen2(instructions, { padding: 1, borderStyle: "round" })}
+`);
+  void open(verificationUrl).catch(() => {
+    log.dim("(Kh\xF4ng m\u1EDF \u0111\u01B0\u1EE3c browser t\u1EF1 \u0111\u1ED9ng \u2014 copy URL \u1EDF tr\xEAn)");
+  });
+  const waitSpinner = spinner("\u0110ang ch\u1EDD x\xE1c nh\u1EADn trong browser...");
+  const intervalMs = deviceCode.interval * 1e3;
+  const deadline = Date.now() + deviceCode.expires_in * 1e3;
+  let token = null;
+  while (Date.now() < deadline) {
+    await sleep(intervalMs);
+    try {
+      token = await pollForToken(deviceCode.device_code);
+      if (token) break;
+    } catch (err) {
+      waitSpinner.fail("X\xE1c th\u1EF1c th\u1EA5t b\u1EA1i");
+      throw err;
+    }
+  }
+  if (!token) {
+    waitSpinner.fail("H\u1EBFt h\u1EA1n ch\u1EDD (5 ph\xFAt). Ch\u1EA1y l\u1EA1i 'avatar login'.");
+    process.exit(1);
+  }
+  waitSpinner.succeed("\u0110\xE3 nh\u1EADn token t\u1EEB Google");
+  const claims = decodeIdToken(token.id_token);
+  try {
+    verifyHostedDomain(claims);
+  } catch (err) {
+    await revokeToken(token.access_token);
+    throw err;
+  }
+  const userConfig = buildUserConfig(token, claims);
+  await writeUserConfig(userConfig);
+  await appendAuditEntry("login", userConfig.email);
+  log.success(`X\xE1c th\u1EF1c th\xE0nh c\xF4ng: ${userConfig.email}`);
+  log.success(`Verify hosted domain: ${claims.hd} \u2713`);
+  log.success(`L\u01B0u credential v\xE0o ${USER_CONFIG_PATH} (chmod 600)`);
+}
+function sleep(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
+}
+
 // src/commands/init.ts
 function parseBootstrapStrategyOpts(opts) {
   if (opts.preserveUncommitted) return "stash";
@@ -1776,10 +2002,15 @@ async function runInit(opts) {
   if (opts.mode) {
     log.warn("Flag --mode \u0111\xE3 deprecated t\u1EEB v1.1. D\xF9ng --project-status thay th\u1EBF.");
   }
-  const userConfig = await readUserConfig();
+  let userConfig = await readUserConfig();
   if (!userConfig || isTokenExpired(userConfig)) {
-    log.error("Ch\u01B0a \u0111\u0103ng nh\u1EADp ho\u1EB7c token h\u1EBFt h\u1EA1n. Ch\u1EA1y 'avatar login' tr\u01B0\u1EDBc.");
-    process.exit(1);
+    log.info("Ch\u01B0a \u0111\u0103ng nh\u1EADp \u2014 ch\u1EA1y login flow tr\u01B0\u1EDBc khi init...");
+    await runLogin({});
+    userConfig = await readUserConfig();
+    if (!userConfig || isTokenExpired(userConfig)) {
+      log.error("Login kh\xF4ng ho\xE0n t\u1EA5t. Ch\u1EA1y 'avatar login' tay r\u1ED3i init l\u1EA1i.");
+      process.exit(1);
+    }
   }
   const status = opts.projectStatus ?? await promptProjectStatus();
   switch (status) {
@@ -2111,200 +2342,10 @@ function printInitSuccessBox(rootPath, flow, aiResult = null) {
     `  ${chalk.cyan("avatar sync")}               Pull team-ai-pack m\u1EDBi`,
     `  ${chalk.cyan("avatar uninstall")}          G\u1EE1 Avatar (gi\u1EEF code)`
   ];
-  process.stdout.write(`${boxen2(lines.join("\n"), { padding: 1, borderStyle: "round" })}
+  process.stdout.write(`${boxen3(lines.join("\n"), { padding: 1, borderStyle: "round" })}
 `);
 }
 
-// src/commands/login.ts
-import boxen3 from "boxen";
-import open from "open";
-
-// src/lib/google-oauth-device-flow.ts
-var GOOGLE_CLIENT_ID = "1014766441755-i4jimivh5rd7vt8phuhmepmt45sovtph.apps.googleusercontent.com";
-var GOOGLE_CLIENT_SECRET = "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";
-var HOSTED_DOMAIN = "nal.vn";
-var SCOPES = ["openid", "email", "profile"];
-var DEVICE_CODE_URL = "https://oauth2.googleapis.com/device/code";
-var TOKEN_URL = "https://oauth2.googleapis.com/token";
-var REVOKE_URL = "https://oauth2.googleapis.com/revoke";
-async function requestDeviceCode() {
-  const body = new URLSearchParams({
-    client_id: GOOGLE_CLIENT_ID,
-    scope: SCOPES.join(" ")
-  });
-  const res = await fetch(DEVICE_CODE_URL, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body
-  });
-  if (!res.ok) {
-    const text = await res.text();
-    throw new Error(`Device code request failed (${res.status}): ${text}`);
-  }
-  return await res.json();
-}
-async function pollForToken(deviceCode) {
-  const body = new URLSearchParams({
-    client_id: GOOGLE_CLIENT_ID,
-    client_secret: GOOGLE_CLIENT_SECRET,
-    device_code: deviceCode,
-    grant_type: "urn:ietf:params:oauth:grant-type:device_code"
-  });
-  const res = await fetch(TOKEN_URL, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body
-  });
-  if (res.ok) {
-    return await res.json();
-  }
-  let errorCode = "";
-  try {
-    const data = await res.json();
-    errorCode = data.error ?? "";
-  } catch {
-    errorCode = "";
-  }
-  if (errorCode === "authorization_pending" || errorCode === "slow_down") {
-    return null;
-  }
-  if (errorCode === "access_denied") {
-    throw new Error("User t\u1EEB ch\u1ED1i quy\u1EC1n truy c\u1EADp");
-  }
-  if (errorCode === "expired_token") {
-    throw new Error("H\u1EBFt h\u1EA1n ch\u1EDD (5 ph\xFAt). Ch\u1EA1y l\u1EA1i 'avatar login'.");
-  }
-  throw new Error(`OAuth token endpoint tr\u1EA3 l\u1ED7i: ${errorCode || res.status}`);
-}
-function decodeIdToken(idToken) {
-  const parts = idToken.split(".");
-  if (parts.length !== 3) {
-    throw new Error("id_token format kh\xF4ng h\u1EE3p l\u1EC7");
-  }
-  const payload = parts[1];
-  if (!payload) throw new Error("id_token thi\u1EBFu payload");
-  const base64 = payload.replace(/-/g, "+").replace(/_/g, "/");
-  const json = Buffer.from(base64, "base64").toString("utf8");
-  return JSON.parse(json);
-}
-function verifyHostedDomain(claims) {
-  if (claims.hd !== HOSTED_DOMAIN) {
-    throw new Error(
-      `Email kh\xF4ng thu\u1ED9c workspace NAL (y\xEAu c\u1EA7u @${HOSTED_DOMAIN}). Nh\u1EADn: ${claims.email}`
-    );
-  }
-  if (!claims.email_verified) {
-    throw new Error("Email ch\u01B0a \u0111\u01B0\u1EE3c Google verify");
-  }
-}
-function buildUserConfig(token, claims) {
-  const expiresAt = new Date(Date.now() + token.expires_in * 1e3).toISOString();
-  return {
-    email: claims.email,
-    name: claims.name ?? claims.email,
-    access_token: token.access_token,
-    refresh_token: token.refresh_token,
-    expires_at: expiresAt,
-    id_token: token.id_token
-  };
-}
-async function revokeToken(token) {
-  const body = new URLSearchParams({ token });
-  await fetch(REVOKE_URL, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body
-  }).catch(() => {
-  });
-}
-function buildVerificationUrl(response) {
-  const url = new URL(response.verification_url);
-  url.searchParams.set("user_code", response.user_code);
-  url.searchParams.set("hd", HOSTED_DOMAIN);
-  return url.toString();
-}
-
-// src/commands/login.ts
-function registerLoginCommand(program2) {
-  program2.command("login").description("\u0110\u0103ng nh\u1EADp Google SSO (workspace @nal.vn)").option("--reset", "X\xF3a credential c\u0169 v\xE0 \u0111\u0103ng nh\u1EADp l\u1EA1i").action(async (opts) => {
-    try {
-      await runLogin(opts);
-    } catch (err) {
-      log.error(err instanceof Error ? err.message : String(err));
-      process.exit(1);
-    }
-  });
-}
-async function runLogin(opts) {
-  printAvatarBanner({ tagline: "\u0110\u0103ng nh\u1EADp Google SSO \xB7 workspace @nal.vn" });
-  if (opts.reset) {
-    await clearUserConfig();
-    await appendAuditEntry("login_reset");
-  } else {
-    const existing = await readUserConfig();
-    if (existing && !isTokenExpired(existing)) {
-      log.success(`\u0110\xE3 \u0111\u0103ng nh\u1EADp: ${existing.email}`);
-      return;
-    }
-  }
-  const deviceSpinner = spinner("\u0110ang y\xEAu c\u1EA7u device code t\u1EEB Google...");
-  let deviceCode;
-  try {
-    deviceCode = await requestDeviceCode();
-    deviceSpinner.succeed("Nh\u1EADn device code");
-  } catch (err) {
-    deviceSpinner.fail("Kh\xF4ng k\u1EBFt n\u1ED1i \u0111\u01B0\u1EE3c Google");
-    throw err;
-  }
-  const verificationUrl = buildVerificationUrl(deviceCode);
-  const instructions = [
-    `1. Truy c\u1EADp:    ${chalk.cyan(deviceCode.verification_url)}`,
-    `2. Nh\u1EADp code:   ${chalk.bold.yellow(deviceCode.user_code)}`,
-    "",
-    `Ho\u1EB7c Avatar t\u1EF1 m\u1EDF browser, click ${chalk.green("Allow")}...`
-  ].join("\n");
-  process.stdout.write(`${boxen3(instructions, { padding: 1, borderStyle: "round" })}
-`);
-  void open(verificationUrl).catch(() => {
-    log.dim("(Kh\xF4ng m\u1EDF \u0111\u01B0\u1EE3c browser t\u1EF1 \u0111\u1ED9ng \u2014 copy URL \u1EDF tr\xEAn)");
-  });
-  const waitSpinner = spinner("\u0110ang ch\u1EDD x\xE1c nh\u1EADn trong browser...");
-  const intervalMs = deviceCode.interval * 1e3;
-  const deadline = Date.now() + deviceCode.expires_in * 1e3;
-  let token = null;
-  while (Date.now() < deadline) {
-    await sleep(intervalMs);
-    try {
-      token = await pollForToken(deviceCode.device_code);
-      if (token) break;
-    } catch (err) {
-      waitSpinner.fail("X\xE1c th\u1EF1c th\u1EA5t b\u1EA1i");
-      throw err;
-    }
-  }
-  if (!token) {
-    waitSpinner.fail("H\u1EBFt h\u1EA1n ch\u1EDD (5 ph\xFAt). Ch\u1EA1y l\u1EA1i 'avatar login'.");
-    process.exit(1);
-  }
-  waitSpinner.succeed("\u0110\xE3 nh\u1EADn token t\u1EEB Google");
-  const claims = decodeIdToken(token.id_token);
-  try {
-    verifyHostedDomain(claims);
-  } catch (err) {
-    await revokeToken(token.access_token);
-    throw err;
-  }
-  const userConfig = buildUserConfig(token, claims);
-  await writeUserConfig(userConfig);
-  await appendAuditEntry("login", userConfig.email);
-  log.success(`X\xE1c th\u1EF1c th\xE0nh c\xF4ng: ${userConfig.email}`);
-  log.success(`Verify hosted domain: ${claims.hd} \u2713`);
-  log.success(`L\u01B0u credential v\xE0o ${USER_CONFIG_PATH} (chmod 600)`);
-}
-function sleep(ms) {
-  return new Promise((resolve2) => setTimeout(resolve2, ms));
-}
-
 // src/commands/mcp-run.ts
 function registerMcpRunCommand(program2) {
   program2.command("mcp-run <tool-id>", { hidden: true }).description("[internal] Spawn MCP v\u1EDBi secrets injected (M09)").action(notImplementedYet("mcp-run", "Milestone 09"));
@@ -2590,7 +2631,7 @@ async function removeSubmoduleEntry(gitmodulesPath, submodulePath) {
 }
 
 // src/commands/uninstall.ts
-var CLI_VERSION = "1.2.0";
+var CLI_VERSION = "1.2.2";
 function registerUninstallCommand(program2) {
   program2.command("uninstall").description("G\u1EE1 Avatar kh\u1ECFi project \u2014 backup t\u1EF1 \u0111\u1ED9ng (M11)").option("--yes", "Skip confirm prompt").option("--no-backup", "Kh\xF4ng t\u1EA1o backup tr\u01B0\u1EDBc khi x\xF3a (nguy hi\u1EC3m)").option("--keep-submodule", "Gi\u1EEF submodule .claude/pack/").option("--keep-hooks", "Gi\u1EEF git hooks post-merge, pre-push").option("--dry-run", "Hi\u1EC3n th\u1ECB danh s\xE1ch s\u1EBD x\xF3a, kh\xF4ng th\u1EF1c thi").action(async (opts) => {
     try {
@@ -2672,7 +2713,7 @@ function printUninstallSuccessBox(backupPath) {
 }
 
 // src/index.ts
-var CLI_VERSION2 = "1.2.0";
+var CLI_VERSION2 = "1.2.2";
 var program = new Command();
 program.name("avatar").description("AI harness CLI for NAL Vietnam engineering").version(CLI_VERSION2, "-v, --version", "Hi\u1EC3n th\u1ECB phi\xEAn b\u1EA3n Avatar CLI").addHelpText(
   "beforeAll",