npm - @nalvietnam/avatar-cli - Versions diffs - 1.2.1 → 1.2.3 - Mend

@nalvietnam/avatar-cli 1.2.1 → 1.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.js +447 -234
package/dist/index.js.map +1 -1
package/dist/lib/print-welcome-screen.js +1 -1
package/dist/lib/print-welcome-screen.js.map +1 -1
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -4,7 +4,6 @@
 import { Command } from "commander";
 // src/commands/ai.ts
-import { spawnSync as spawnSync4 } from "child_process";
 import { promises as fs4 } from "fs";
 import { join as join5 } from "path";
 import { confirm } from "@inquirer/prompts";
@@ -654,6 +653,102 @@ async function runAiSetupPhase(args) {
   }
 }
+// src/lib/test-ai-provider-by-detected-mode.ts
+import { spawnSync as spawnSync4 } from "child_process";
+var FETCH_TIMEOUT_MS2 = 1e4;
+var CLAUDE_PRINT_TIMEOUT_MS = 3e4;
+var TEST_CHAT_MAX_TOKENS = 5;
+var TEST_CHAT_PROMPT = "say ok";
+async function testLLMLiteProvider(baseUrl, token, model) {
+  log.info(`Testing LLMLite provider: ${baseUrl} (key: ${maskApiKey(token)})`);
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS2);
+  try {
+    const modelsRes = await fetch(`${baseUrl}/v1/models`, {
+      headers: { Authorization: `Bearer ${token}` },
+      signal: controller.signal
+    });
+    if (modelsRes.status === 401 || modelsRes.status === 403) {
+      throw new Error(`API key invalid (HTTP ${modelsRes.status}). Re-run: avatar ai setup`);
+    }
+    if (!modelsRes.ok) {
+      throw new Error(`Endpoint /v1/models l\u1ED7i (HTTP ${modelsRes.status}).`);
+    }
+    const modelsJson = await modelsRes.json();
+    const models = (modelsJson.data || []).map((m) => typeof m.id === "string" ? m.id : null).filter((id) => id !== null);
+    log.success(`Connectivity OK \xB7 ${models.length} models available`);
+    if (models.length > 0) {
+      const preview = models.slice(0, 5).join(", ");
+      const more = models.length > 5 ? ` ...+${models.length - 5} more` : "";
+      log.dim(`  Models: ${preview}${more}`);
+    }
+    log.info(`Testing chat completion v\u1EDBi model "${model}"...`);
+    const chatRes = await fetch(`${baseUrl}/v1/chat/completions`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        model,
+        messages: [{ role: "user", content: TEST_CHAT_PROMPT }],
+        max_tokens: TEST_CHAT_MAX_TOKENS
+      }),
+      signal: controller.signal
+    });
+    if (!chatRes.ok) {
+      const errBody = (await chatRes.text()).slice(0, 200);
+      throw new Error(`Chat completion fail (HTTP ${chatRes.status}). ${errBody}`);
+    }
+    const chatJson = await chatRes.json();
+    const reply = typeof chatJson.choices?.[0]?.message?.content === "string" ? chatJson.choices[0].message.content : "(empty response)";
+    const tokens = chatJson.usage?.total_tokens ?? "?";
+    log.success(`Response: "${String(reply).trim().slice(0, 100)}"`);
+    log.dim(`  Tokens used: ${tokens}`);
+  } catch (err) {
+    if (err.name === "AbortError") {
+      throw new Error(`Timeout ${FETCH_TIMEOUT_MS2 / 1e3}s. Check m\u1EA1ng / endpoint ${baseUrl}.`);
+    }
+    throw err;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function testSubscriptionProvider() {
+  log.info("Testing Subscription provider qua `claude --print`...");
+  const result = spawnSync4("claude", ["--print", TEST_CHAT_PROMPT], {
+    encoding: "utf8",
+    timeout: CLAUDE_PRINT_TIMEOUT_MS
+  });
+  if (result.signal === "SIGTERM") {
+    throw new Error(`Timeout ${CLAUDE_PRINT_TIMEOUT_MS / 1e3}s. Check m\u1EA1ng / endpoint.`);
+  }
+  if (result.status !== 0) {
+    const stderr = (result.stderr || "").toLowerCase();
+    if (stderr.includes("401") || stderr.includes("invalid authentication") || stderr.includes("unauthorized")) {
+      throw new Error(
+        "Token Claude Code stale (401). Fix: `claude auth logout && claude auth login`."
+      );
+    }
+    throw new Error(
+      `Test fail (exit ${result.status}). Stderr: ${(result.stderr || "").slice(0, 200)}`
+    );
+  }
+  log.success(`Response: "${(result.stdout || "").trim().slice(0, 100)}"`);
+}
+async function testAiProviderByDetectedMode(settings) {
+  const env = settings.env || {};
+  const baseUrl = typeof env.ANTHROPIC_BASE_URL === "string" ? env.ANTHROPIC_BASE_URL : void 0;
+  const token = typeof env.ANTHROPIC_AUTH_TOKEN === "string" ? env.ANTHROPIC_AUTH_TOKEN : void 0;
+  const model = typeof settings.model === "string" ? settings.model : "default";
+  if (baseUrl && token) {
+    await testLLMLiteProvider(baseUrl, token, model);
+    return { ok: true, provider: "llmlite", message: "LLMLite provider working" };
+  }
+  testSubscriptionProvider();
+  return { ok: true, provider: "subscription", message: "Subscription provider working" };
+}
 // src/commands/ai.ts
 async function ensureWorkspaceCwd() {
   const cwd = process.cwd();
@@ -691,24 +786,15 @@ async function runAiStatus() {
   log.info(`Token:    ${token ? maskApiKey(token) : "(kh\xF4ng set \u2014 d\xF9ng subscription auth)"}`);
 }
 async function runAiTest() {
-  await ensureWorkspaceCwd();
-  log.info("Calling provider v\u1EDBi prompt 'say ok'...");
-  const result = spawnSync4("claude", ["--print", "say ok"], {
-    encoding: "utf8",
-    timeout: 3e4
-  });
-  if (result.signal === "SIGTERM") {
-    log.error("Timeout sau 30s. Check m\u1EA1ng / endpoint.");
-    process.exit(1);
-  }
-  if (result.status !== 0) {
-    log.error(`Test th\u1EA5t b\u1EA1i (exit ${result.status}).`);
-    if (result.stderr) process.stderr.write(`${result.stderr}
-`);
+  const workspacePath = await ensureWorkspaceCwd();
+  const settings = await readWorkspaceSettings(workspacePath);
+  try {
+    const result = await testAiProviderByDetectedMode(settings);
+    log.success(`\u2713 ${result.message}`);
+  } catch (err) {
+    log.error(`Test fail: ${err.message}`);
     process.exit(1);
   }
-  log.success(`Response: ${(result.stdout || "").trim().slice(0, 200)}`);
-  log.success("AI provider working");
 }
 async function runAiReset(opts) {
   const workspacePath = await ensureWorkspaceCwd();
@@ -1108,8 +1194,8 @@ async function applyFixes(checks) {
 // src/commands/init.ts
 import { basename, join as join16, relative as relative2, resolve } from "path";
-import { confirm as confirm2, input as input2, select as select4 } from "@inquirer/prompts";
-import boxen2 from "boxen";
+import { confirm as confirm3, input as input2, select as select5 } from "@inquirer/prompts";
+import boxen3 from "boxen";
 // src/lib/avatar-ascii-banner.ts
 import chalk2 from "chalk";
@@ -1385,11 +1471,41 @@ async function ensureGitHubReady(remoteUrl) {
 }
 // src/lib/create-workspace-remote-via-gh.ts
+function canCreateInNamespace(org, ghUser) {
+  if (org.toLowerCase() === ghUser.toLowerCase()) return { ok: true };
+  const r = spawnSync14("gh", ["api", `orgs/${org}/members/${ghUser}`, "--silent"], {
+    stdio: "ignore"
+  });
+  if (r.status === 0) return { ok: true };
+  const orgCheck = spawnSync14("gh", ["api", `orgs/${org}`, "--silent"], { stdio: "ignore" });
+  if (orgCheck.status !== 0) {
+    const userCheck = spawnSync14("gh", ["api", `users/${org}`, "--silent"], { stdio: "ignore" });
+    if (userCheck.status === 0) {
+      return {
+        ok: false,
+        reason: `'${org}' l\xE0 personal account kh\xE1c (kh\xF4ng ph\u1EA3i org). B\u1EA1n (${ghUser}) kh\xF4ng th\u1EC3 t\u1EA1o repo d\u01B0\u1EDBi account c\u1EE7a user kh\xE1c. Pass --repo-org=${ghUser} ho\u1EB7c switch gh: gh auth login`
+      };
+    }
+    return {
+      ok: false,
+      reason: `'${org}' kh\xF4ng t\u1ED3n t\u1EA1i tr\xEAn GitHub. Check ch\xEDnh t\u1EA3 ho\u1EB7c t\u1EA1o org tr\u01B0\u1EDBc.`
+    };
+  }
+  return {
+    ok: false,
+    reason: `'${ghUser}' kh\xF4ng ph\u1EA3i member c\u1EE7a org '${org}'. Li\xEAn h\u1EC7 admin org \u0111\u1EC3 \u0111\u01B0\u1EE3c invite, ho\u1EB7c pass --repo-org=${ghUser} t\u1EA1o d\u01B0\u1EDBi personal account.`
+  };
+}
 async function createWorkspaceRemoteViaGh(input3) {
   validateRepoName(input3.workspaceName);
   validateRepoVisibility(input3.visibility);
   await ensureGitHubReady();
-  const org = input3.org ?? resolveGithubUsernameDefault();
+  const ghUser = resolveGithubUsernameDefault();
+  const org = input3.org ?? ghUser;
+  const namespaceCheck = canCreateInNamespace(org, ghUser);
+  if (!namespaceCheck.ok) {
+    throw new Error(`Kh\xF4ng th\u1EC3 t\u1EA1o repo d\u01B0\u1EDBi '${org}/': ${namespaceCheck.reason}`);
+  }
   const fullName = `${org}/${input3.workspaceName}`;
   log.info(`T\u1EA1o GitHub repo cho workspace: ${fullName} (${input3.visibility})...`);
   const r = spawnSync14(
@@ -1405,9 +1521,12 @@ async function createWorkspaceRemoteViaGh(input3) {
       "origin",
       "--push"
     ],
-    { stdio: "inherit" }
+    { stdio: ["inherit", "inherit", "pipe"], encoding: "utf8" }
   );
   if (r.status !== 0) {
+    const stderr = (r.stderr || "").trim();
+    if (stderr) process.stderr.write(`${stderr}
+`);
     throw new Error(
       `T\u1EA1o workspace remote th\u1EA5t b\u1EA1i (exit ${r.status}). Workspace v\u1EABn d\xF9ng \u0111\u01B0\u1EE3c local. Setup remote sau qua: gh repo create ${fullName} --${input3.visibility} --source=. --remote=origin --push`
     );
@@ -1687,25 +1806,110 @@ async function safeBootstrapGitInFolder(folderPath, opts = {}) {
 // src/lib/team-pack-submodule-manager.ts
 import { join as join14 } from "path";
+// src/lib/check-team-pack-access-with-retry-loop.ts
+import { spawnSync as spawnSync15 } from "child_process";
+import { confirm as confirm2, select as select4 } from "@inquirer/prompts";
+function parseRepoSlugFromGitUrl(url) {
+  const httpsMatch = url.match(/github\.com[/:]([^/]+\/[^/]+?)(?:\.git)?$/);
+  if (httpsMatch) return httpsMatch[1];
+  return null;
+}
+function checkRepoAccess(repoSlug) {
+  const r = spawnSync15("gh", ["api", `repos/${repoSlug}`], { stdio: "ignore" });
+  return r.status === 0;
+}
+function getCurrentGhUser() {
+  const r = spawnSync15("gh", ["api", "user", "--jq", ".login"], {
+    encoding: "utf8",
+    stdio: ["ignore", "pipe", "pipe"]
+  });
+  if (r.status !== 0) return null;
+  return r.stdout.trim() || null;
+}
+async function copyInfoToClipboardWithConsent(info) {
+  const ok = await confirm2({
+    message: "Copy th\xF4ng tin (GitHub username + email) v\xE0o clipboard \u0111\u1EC3 d\xE1n v\xE0o Slack/email?",
+    default: true
+  });
+  if (!ok) return;
+  try {
+    const { default: clipboardy } = await import("clipboardy");
+    await clipboardy.write(info);
+    log.success("\u0110\xE3 copy v\xE0o clipboard");
+  } catch (err) {
+    log.dim(`Copy clipboard fail: ${err.message}`);
+  }
+}
+function buildAccessRequestInfo(ghUser, ssoEmail) {
+  const lines = [
+    "Request access team-ai-pack (NAL)",
+    "",
+    `GitHub username: ${ghUser ?? "(ch\u01B0a gh auth \u2014 ch\u1EA1y: gh auth login)"}`,
+    `NAL email:       ${ssoEmail ?? "(ch\u01B0a avatar login \u2014 ch\u1EA1y: avatar login)"}`,
+    `Date:            ${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}`
+  ];
+  return lines.join("\n");
+}
+async function ensureTeamPackAccessWithRetry(args) {
+  if (checkRepoAccess(args.repoSlug)) return true;
+  const ghUser = getCurrentGhUser();
+  const info = buildAccessRequestInfo(ghUser, args.ssoEmail ?? null);
+  log.warn(`B\u1EA1n ch\u01B0a c\xF3 quy\u1EC1n access v\xE0o b\u1ED9 package ${args.repoSlug}.`);
+  log.info("Li\xEAn h\u1EC7 admin (Luke @nal.vn) \u0111\u1EC3 \u0111\u01B0\u1EE3c add v\xE0o org nalvn.");
+  log.plain("");
+  log.plain(info);
+  log.plain("");
+  await copyInfoToClipboardWithConsent(info);
+  while (true) {
+    const action = await select4({
+      message: "Ti\u1EBFp t\u1EE5c?",
+      choices: [
+        { name: "\u0110\xE3 \u0111\u01B0\u1EE3c add \u2014 ki\u1EC3m tra l\u1EA1i v\xE0 ti\u1EBFp t\u1EE5c", value: "retry" },
+        { name: "T\u1EA1m ng\u01B0ng \u2014 ch\u1EA1y l\u1EA1i 'avatar init' sau", value: "abort" }
+      ]
+    });
+    if (action === "abort") {
+      log.dim("T\u1EA1m ng\u01B0ng. Ch\u1EA1y l\u1EA1i 'avatar init' sau khi \u0111\xE3 accept invite t\u1EEB GitHub.");
+      return false;
+    }
+    log.info("Ki\u1EC3m tra access...");
+    if (checkRepoAccess(args.repoSlug)) {
+      log.success("\u0110\xE3 c\xF3 access \u2014 ti\u1EBFp t\u1EE5c.");
+      return true;
+    }
+    log.warn("V\u1EABn ch\u01B0a c\xF3 access. \u0110\u1EA3m b\u1EA3o b\u1EA1n \u0111\xE3 accept email invite t\u1EEB GitHub (Inbox + Spam).");
+  }
+}
 // src/lib/resolve-team-pack-repo-url.ts
-var LEGACY_FALLBACK = "https://github.com/LukeNALS/team-ai-pack.git";
+var ORG_DEFAULT = "https://github.com/nalvn/team-ai-pack.git";
 function resolveTeamPackRepoUrl() {
   if (process.env.AVATAR_TEAM_PACK_REPO_URL) {
     return process.env.AVATAR_TEAM_PACK_REPO_URL;
   }
-  try {
-    const ghUser = resolveGithubUsernameDefault();
-    if (ghUser) return `https://github.com/${ghUser}/team-ai-pack.git`;
-  } catch {
-  }
-  return LEGACY_FALLBACK;
+  return ORG_DEFAULT;
 }
 // src/lib/team-pack-submodule-manager.ts
 var TEAM_PACK_REPO_URL = resolveTeamPackRepoUrl();
 var TEAM_PACK_RELATIVE_PATH = ".claude/pack";
-async function addTeamPackSubmodule(projectRoot, tag) {
+var TeamPackAccessAbortedError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "TeamPackAccessAbortedError";
+  }
+};
+async function addTeamPackSubmodule(projectRoot, tag, ssoEmail) {
   const url = resolveTeamPackRepoUrl();
+  const repoSlug = parseRepoSlugFromGitUrl(url);
+  if (repoSlug) {
+    const hasAccess = await ensureTeamPackAccessWithRetry({ repoSlug, ssoEmail });
+    if (!hasAccess) {
+      throw new TeamPackAccessAbortedError(
+        "User ch\u1ECDn t\u1EA1m ng\u01B0ng. Ch\u1EA1y l\u1EA1i 'avatar init' sau khi \u0111\u01B0\u1EE3c add v\xE0o org."
+      );
+    }
+  }
   try {
     await addSubmodule(url, TEAM_PACK_RELATIVE_PATH, projectRoot);
   } catch (err) {
@@ -1778,6 +1982,196 @@ function buildScaffoldVariables(args) {
   };
 }
+// src/commands/login.ts
+import boxen2 from "boxen";
+import open from "open";
+// src/lib/google-oauth-device-flow.ts
+var GOOGLE_CLIENT_ID = "1014766441755-i4jimivh5rd7vt8phuhmepmt45sovtph.apps.googleusercontent.com";
+var GOOGLE_CLIENT_SECRET = "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";
+var HOSTED_DOMAIN = "nal.vn";
+var SCOPES = ["openid", "email", "profile"];
+var DEVICE_CODE_URL = "https://oauth2.googleapis.com/device/code";
+var TOKEN_URL = "https://oauth2.googleapis.com/token";
+var REVOKE_URL = "https://oauth2.googleapis.com/revoke";
+async function requestDeviceCode() {
+  const body = new URLSearchParams({
+    client_id: GOOGLE_CLIENT_ID,
+    scope: SCOPES.join(" ")
+  });
+  const res = await fetch(DEVICE_CODE_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Device code request failed (${res.status}): ${text}`);
+  }
+  return await res.json();
+}
+async function pollForToken(deviceCode) {
+  const body = new URLSearchParams({
+    client_id: GOOGLE_CLIENT_ID,
+    client_secret: GOOGLE_CLIENT_SECRET,
+    device_code: deviceCode,
+    grant_type: "urn:ietf:params:oauth:grant-type:device_code"
+  });
+  const res = await fetch(TOKEN_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  });
+  if (res.ok) {
+    return await res.json();
+  }
+  let errorCode = "";
+  try {
+    const data = await res.json();
+    errorCode = data.error ?? "";
+  } catch {
+    errorCode = "";
+  }
+  if (errorCode === "authorization_pending" || errorCode === "slow_down") {
+    return null;
+  }
+  if (errorCode === "access_denied") {
+    throw new Error("User t\u1EEB ch\u1ED1i quy\u1EC1n truy c\u1EADp");
+  }
+  if (errorCode === "expired_token") {
+    throw new Error("H\u1EBFt h\u1EA1n ch\u1EDD (5 ph\xFAt). Ch\u1EA1y l\u1EA1i 'avatar login'.");
+  }
+  throw new Error(`OAuth token endpoint tr\u1EA3 l\u1ED7i: ${errorCode || res.status}`);
+}
+function decodeIdToken(idToken) {
+  const parts = idToken.split(".");
+  if (parts.length !== 3) {
+    throw new Error("id_token format kh\xF4ng h\u1EE3p l\u1EC7");
+  }
+  const payload = parts[1];
+  if (!payload) throw new Error("id_token thi\u1EBFu payload");
+  const base64 = payload.replace(/-/g, "+").replace(/_/g, "/");
+  const json = Buffer.from(base64, "base64").toString("utf8");
+  return JSON.parse(json);
+}
+function verifyHostedDomain(claims) {
+  if (claims.hd !== HOSTED_DOMAIN) {
+    throw new Error(
+      `Email kh\xF4ng thu\u1ED9c workspace NAL (y\xEAu c\u1EA7u @${HOSTED_DOMAIN}). Nh\u1EADn: ${claims.email}`
+    );
+  }
+  if (!claims.email_verified) {
+    throw new Error("Email ch\u01B0a \u0111\u01B0\u1EE3c Google verify");
+  }
+}
+function buildUserConfig(token, claims) {
+  const expiresAt = new Date(Date.now() + token.expires_in * 1e3).toISOString();
+  return {
+    email: claims.email,
+    name: claims.name ?? claims.email,
+    access_token: token.access_token,
+    refresh_token: token.refresh_token,
+    expires_at: expiresAt,
+    id_token: token.id_token
+  };
+}
+async function revokeToken(token) {
+  const body = new URLSearchParams({ token });
+  await fetch(REVOKE_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  }).catch(() => {
+  });
+}
+function buildVerificationUrl(response) {
+  const url = new URL(response.verification_url);
+  url.searchParams.set("user_code", response.user_code);
+  url.searchParams.set("hd", HOSTED_DOMAIN);
+  return url.toString();
+}
+// src/commands/login.ts
+function registerLoginCommand(program2) {
+  program2.command("login").description("\u0110\u0103ng nh\u1EADp Google SSO (workspace @nal.vn)").option("--reset", "X\xF3a credential c\u0169 v\xE0 \u0111\u0103ng nh\u1EADp l\u1EA1i").action(async (opts) => {
+    try {
+      await runLogin(opts);
+    } catch (err) {
+      log.error(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
+}
+async function runLogin(opts) {
+  printAvatarBanner({ tagline: "\u0110\u0103ng nh\u1EADp Google SSO \xB7 workspace @nal.vn" });
+  if (opts.reset) {
+    await clearUserConfig();
+    await appendAuditEntry("login_reset");
+  } else {
+    const existing = await readUserConfig();
+    if (existing && !isTokenExpired(existing)) {
+      log.success(`\u0110\xE3 \u0111\u0103ng nh\u1EADp: ${existing.email}`);
+      return;
+    }
+  }
+  const deviceSpinner = spinner("\u0110ang y\xEAu c\u1EA7u device code t\u1EEB Google...");
+  let deviceCode;
+  try {
+    deviceCode = await requestDeviceCode();
+    deviceSpinner.succeed("Nh\u1EADn device code");
+  } catch (err) {
+    deviceSpinner.fail("Kh\xF4ng k\u1EBFt n\u1ED1i \u0111\u01B0\u1EE3c Google");
+    throw err;
+  }
+  const verificationUrl = buildVerificationUrl(deviceCode);
+  const instructions = [
+    `1. Truy c\u1EADp:    ${chalk.cyan(deviceCode.verification_url)}`,
+    `2. Nh\u1EADp code:   ${chalk.bold.yellow(deviceCode.user_code)}`,
+    "",
+    `Ho\u1EB7c Avatar t\u1EF1 m\u1EDF browser, click ${chalk.green("Allow")}...`
+  ].join("\n");
+  process.stdout.write(`${boxen2(instructions, { padding: 1, borderStyle: "round" })}
+`);
+  void open(verificationUrl).catch(() => {
+    log.dim("(Kh\xF4ng m\u1EDF \u0111\u01B0\u1EE3c browser t\u1EF1 \u0111\u1ED9ng \u2014 copy URL \u1EDF tr\xEAn)");
+  });
+  const waitSpinner = spinner("\u0110ang ch\u1EDD x\xE1c nh\u1EADn trong browser...");
+  const intervalMs = deviceCode.interval * 1e3;
+  const deadline = Date.now() + deviceCode.expires_in * 1e3;
+  let token = null;
+  while (Date.now() < deadline) {
+    await sleep(intervalMs);
+    try {
+      token = await pollForToken(deviceCode.device_code);
+      if (token) break;
+    } catch (err) {
+      waitSpinner.fail("X\xE1c th\u1EF1c th\u1EA5t b\u1EA1i");
+      throw err;
+    }
+  }
+  if (!token) {
+    waitSpinner.fail("H\u1EBFt h\u1EA1n ch\u1EDD (5 ph\xFAt). Ch\u1EA1y l\u1EA1i 'avatar login'.");
+    process.exit(1);
+  }
+  waitSpinner.succeed("\u0110\xE3 nh\u1EADn token t\u1EEB Google");
+  const claims = decodeIdToken(token.id_token);
+  try {
+    verifyHostedDomain(claims);
+  } catch (err) {
+    await revokeToken(token.access_token);
+    throw err;
+  }
+  const userConfig = buildUserConfig(token, claims);
+  await writeUserConfig(userConfig);
+  await appendAuditEntry("login", userConfig.email);
+  log.success(`X\xE1c th\u1EF1c th\xE0nh c\xF4ng: ${userConfig.email}`);
+  log.success(`Verify hosted domain: ${claims.hd} \u2713`);
+  log.success(`L\u01B0u credential v\xE0o ${USER_CONFIG_PATH} (chmod 600)`);
+}
+function sleep(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
+}
 // src/commands/init.ts
 function parseBootstrapStrategyOpts(opts) {
   if (opts.preserveUncommitted) return "stash";
@@ -1802,6 +2196,10 @@ function registerInitCommand(program2) {
         log.dim(err.message);
         process.exit(0);
       }
+      if (err instanceof TeamPackAccessAbortedError) {
+        log.dim(err.message);
+        process.exit(0);
+      }
       log.error(err instanceof Error ? err.message : String(err));
       process.exit(1);
     }
@@ -1812,10 +2210,15 @@ async function runInit(opts) {
   if (opts.mode) {
     log.warn("Flag --mode \u0111\xE3 deprecated t\u1EEB v1.1. D\xF9ng --project-status thay th\u1EBF.");
   }
-  const userConfig = await readUserConfig();
+  let userConfig = await readUserConfig();
   if (!userConfig || isTokenExpired(userConfig)) {
-    log.error("Ch\u01B0a \u0111\u0103ng nh\u1EADp ho\u1EB7c token h\u1EBFt h\u1EA1n. Ch\u1EA1y 'avatar login' tr\u01B0\u1EDBc.");
-    process.exit(1);
+    log.info("Ch\u01B0a \u0111\u0103ng nh\u1EADp \u2014 ch\u1EA1y login flow tr\u01B0\u1EDBc khi init...");
+    await runLogin({});
+    userConfig = await readUserConfig();
+    if (!userConfig || isTokenExpired(userConfig)) {
+      log.error("Login kh\xF4ng ho\xE0n t\u1EA5t. Ch\u1EA1y 'avatar login' tay r\u1ED3i init l\u1EA1i.");
+      process.exit(1);
+    }
   }
   const status = opts.projectStatus ?? await promptProjectStatus();
   switch (status) {
@@ -1831,7 +2234,7 @@ async function runInit(opts) {
   }
 }
 async function promptProjectStatus() {
-  return await select4({
+  return await select5({
     message: "T\xECnh tr\u1EA1ng d\u1EF1 \xE1n c\u1EE7a b\u1EA1n?",
     choices: [
       { name: "1. \u0110\xE3 c\xF3 repo git remote (URL c\xF3 s\u1EB5n)", value: "existing-remote" },
@@ -1909,7 +2312,7 @@ async function runInitFromScratch(opts, ownerEmail) {
     message: "T\xEAn d\u1EF1 \xE1n:",
     validate: (v) => v.length > 0 ? true : "T\xEAn b\u1EAFt bu\u1ED9c"
   });
-  const visibility = opts.repoVisibility ?? await select4({
+  const visibility = opts.repoVisibility ?? await select5({
     message: "Visibility?",
     choices: [
       { name: "private (m\u1EB7c \u0111\u1ECBnh)", value: "private" },
@@ -1969,7 +2372,7 @@ async function getOrCreateOriginRemote(folderPath, opts) {
     log.success(`Folder \u0111\xE3 c\xF3 remote origin: ${origin.refs.push}`);
     return origin.refs.push;
   }
-  const shouldCreate = opts.createRemote ?? await confirm2({
+  const shouldCreate = opts.createRemote ?? await confirm3({
     message: "Folder ch\u01B0a c\xF3 remote. T\u1EA1o GitHub repo ngay \u0111\u1EC3 share team?",
     default: true
   });
@@ -1978,7 +2381,7 @@ async function getOrCreateOriginRemote(folderPath, opts) {
     return void 0;
   }
   await ensureGitHubReady();
-  const visibility = opts.repoVisibility ?? await select4({
+  const visibility = opts.repoVisibility ?? await select5({
     message: "Visibility?",
     choices: [
       { name: "private (m\u1EB7c \u0111\u1ECBnh)", value: "private" },
@@ -2069,13 +2472,13 @@ async function maybeCreateWorkspaceRemote(args) {
   let shouldCreate = args.createWorkspaceRemote;
   if (shouldCreate === void 0) {
     if (args.autoYes) return;
-    shouldCreate = await confirm2({
+    shouldCreate = await confirm3({
       message: "T\u1EA1o remote GitHub cho workspace \u0111\u1EC3 share team? (Avatar state)",
       default: false
     });
   }
   if (!shouldCreate) return;
-  const visibility = args.repoVisibility ?? (args.autoYes ? "private" : await select4({
+  const visibility = args.repoVisibility ?? (args.autoYes ? "private" : await select5({
     message: "Workspace visibility?",
     choices: [
       { name: "private (m\u1EB7c \u0111\u1ECBnh, an to\xE0n)", value: "private" },
@@ -2106,7 +2509,7 @@ async function resolveWorkspacePath(parent, desiredName, force) {
     log.info(`--force: d\xF9ng ${alternative}`);
     return alternative;
   }
-  const useAlt = await confirm2({ message: `D\xF9ng "${alternative}" thay th\u1EBF?`, default: true });
+  const useAlt = await confirm3({ message: `D\xF9ng "${alternative}" thay th\u1EBF?`, default: true });
   if (!useAlt) throw new Error("H\u1EE7y init. Ch\u1EA1y l\u1EA1i v\u1EDBi --workspace-name kh\xE1c.");
   return alternative;
 }
@@ -2147,198 +2550,8 @@ function printInitSuccessBox(rootPath, flow, aiResult = null) {
     `  ${chalk.cyan("avatar sync")}               Pull team-ai-pack m\u1EDBi`,
     `  ${chalk.cyan("avatar uninstall")}          G\u1EE1 Avatar (gi\u1EEF code)`
   ];
-  process.stdout.write(`${boxen2(lines.join("\n"), { padding: 1, borderStyle: "round" })}
-`);
-}
-// src/commands/login.ts
-import boxen3 from "boxen";
-import open from "open";
-// src/lib/google-oauth-device-flow.ts
-var GOOGLE_CLIENT_ID = "1014766441755-i4jimivh5rd7vt8phuhmepmt45sovtph.apps.googleusercontent.com";
-var GOOGLE_CLIENT_SECRET = "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";
-var HOSTED_DOMAIN = "nal.vn";
-var SCOPES = ["openid", "email", "profile"];
-var DEVICE_CODE_URL = "https://oauth2.googleapis.com/device/code";
-var TOKEN_URL = "https://oauth2.googleapis.com/token";
-var REVOKE_URL = "https://oauth2.googleapis.com/revoke";
-async function requestDeviceCode() {
-  const body = new URLSearchParams({
-    client_id: GOOGLE_CLIENT_ID,
-    scope: SCOPES.join(" ")
-  });
-  const res = await fetch(DEVICE_CODE_URL, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body
-  });
-  if (!res.ok) {
-    const text = await res.text();
-    throw new Error(`Device code request failed (${res.status}): ${text}`);
-  }
-  return await res.json();
-}
-async function pollForToken(deviceCode) {
-  const body = new URLSearchParams({
-    client_id: GOOGLE_CLIENT_ID,
-    client_secret: GOOGLE_CLIENT_SECRET,
-    device_code: deviceCode,
-    grant_type: "urn:ietf:params:oauth:grant-type:device_code"
-  });
-  const res = await fetch(TOKEN_URL, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body
-  });
-  if (res.ok) {
-    return await res.json();
-  }
-  let errorCode = "";
-  try {
-    const data = await res.json();
-    errorCode = data.error ?? "";
-  } catch {
-    errorCode = "";
-  }
-  if (errorCode === "authorization_pending" || errorCode === "slow_down") {
-    return null;
-  }
-  if (errorCode === "access_denied") {
-    throw new Error("User t\u1EEB ch\u1ED1i quy\u1EC1n truy c\u1EADp");
-  }
-  if (errorCode === "expired_token") {
-    throw new Error("H\u1EBFt h\u1EA1n ch\u1EDD (5 ph\xFAt). Ch\u1EA1y l\u1EA1i 'avatar login'.");
-  }
-  throw new Error(`OAuth token endpoint tr\u1EA3 l\u1ED7i: ${errorCode || res.status}`);
-}
-function decodeIdToken(idToken) {
-  const parts = idToken.split(".");
-  if (parts.length !== 3) {
-    throw new Error("id_token format kh\xF4ng h\u1EE3p l\u1EC7");
-  }
-  const payload = parts[1];
-  if (!payload) throw new Error("id_token thi\u1EBFu payload");
-  const base64 = payload.replace(/-/g, "+").replace(/_/g, "/");
-  const json = Buffer.from(base64, "base64").toString("utf8");
-  return JSON.parse(json);
-}
-function verifyHostedDomain(claims) {
-  if (claims.hd !== HOSTED_DOMAIN) {
-    throw new Error(
-      `Email kh\xF4ng thu\u1ED9c workspace NAL (y\xEAu c\u1EA7u @${HOSTED_DOMAIN}). Nh\u1EADn: ${claims.email}`
-    );
-  }
-  if (!claims.email_verified) {
-    throw new Error("Email ch\u01B0a \u0111\u01B0\u1EE3c Google verify");
-  }
-}
-function buildUserConfig(token, claims) {
-  const expiresAt = new Date(Date.now() + token.expires_in * 1e3).toISOString();
-  return {
-    email: claims.email,
-    name: claims.name ?? claims.email,
-    access_token: token.access_token,
-    refresh_token: token.refresh_token,
-    expires_at: expiresAt,
-    id_token: token.id_token
-  };
-}
-async function revokeToken(token) {
-  const body = new URLSearchParams({ token });
-  await fetch(REVOKE_URL, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body
-  }).catch(() => {
-  });
-}
-function buildVerificationUrl(response) {
-  const url = new URL(response.verification_url);
-  url.searchParams.set("user_code", response.user_code);
-  url.searchParams.set("hd", HOSTED_DOMAIN);
-  return url.toString();
-}
-// src/commands/login.ts
-function registerLoginCommand(program2) {
-  program2.command("login").description("\u0110\u0103ng nh\u1EADp Google SSO (workspace @nal.vn)").option("--reset", "X\xF3a credential c\u0169 v\xE0 \u0111\u0103ng nh\u1EADp l\u1EA1i").action(async (opts) => {
-    try {
-      await runLogin(opts);
-    } catch (err) {
-      log.error(err instanceof Error ? err.message : String(err));
-      process.exit(1);
-    }
-  });
-}
-async function runLogin(opts) {
-  printAvatarBanner({ tagline: "\u0110\u0103ng nh\u1EADp Google SSO \xB7 workspace @nal.vn" });
-  if (opts.reset) {
-    await clearUserConfig();
-    await appendAuditEntry("login_reset");
-  } else {
-    const existing = await readUserConfig();
-    if (existing && !isTokenExpired(existing)) {
-      log.success(`\u0110\xE3 \u0111\u0103ng nh\u1EADp: ${existing.email}`);
-      return;
-    }
-  }
-  const deviceSpinner = spinner("\u0110ang y\xEAu c\u1EA7u device code t\u1EEB Google...");
-  let deviceCode;
-  try {
-    deviceCode = await requestDeviceCode();
-    deviceSpinner.succeed("Nh\u1EADn device code");
-  } catch (err) {
-    deviceSpinner.fail("Kh\xF4ng k\u1EBFt n\u1ED1i \u0111\u01B0\u1EE3c Google");
-    throw err;
-  }
-  const verificationUrl = buildVerificationUrl(deviceCode);
-  const instructions = [
-    `1. Truy c\u1EADp:    ${chalk.cyan(deviceCode.verification_url)}`,
-    `2. Nh\u1EADp code:   ${chalk.bold.yellow(deviceCode.user_code)}`,
-    "",
-    `Ho\u1EB7c Avatar t\u1EF1 m\u1EDF browser, click ${chalk.green("Allow")}...`
-  ].join("\n");
-  process.stdout.write(`${boxen3(instructions, { padding: 1, borderStyle: "round" })}
+  process.stdout.write(`${boxen3(lines.join("\n"), { padding: 1, borderStyle: "round" })}
 `);
-  void open(verificationUrl).catch(() => {
-    log.dim("(Kh\xF4ng m\u1EDF \u0111\u01B0\u1EE3c browser t\u1EF1 \u0111\u1ED9ng \u2014 copy URL \u1EDF tr\xEAn)");
-  });
-  const waitSpinner = spinner("\u0110ang ch\u1EDD x\xE1c nh\u1EADn trong browser...");
-  const intervalMs = deviceCode.interval * 1e3;
-  const deadline = Date.now() + deviceCode.expires_in * 1e3;
-  let token = null;
-  while (Date.now() < deadline) {
-    await sleep(intervalMs);
-    try {
-      token = await pollForToken(deviceCode.device_code);
-      if (token) break;
-    } catch (err) {
-      waitSpinner.fail("X\xE1c th\u1EF1c th\u1EA5t b\u1EA1i");
-      throw err;
-    }
-  }
-  if (!token) {
-    waitSpinner.fail("H\u1EBFt h\u1EA1n ch\u1EDD (5 ph\xFAt). Ch\u1EA1y l\u1EA1i 'avatar login'.");
-    process.exit(1);
-  }
-  waitSpinner.succeed("\u0110\xE3 nh\u1EADn token t\u1EEB Google");
-  const claims = decodeIdToken(token.id_token);
-  try {
-    verifyHostedDomain(claims);
-  } catch (err) {
-    await revokeToken(token.access_token);
-    throw err;
-  }
-  const userConfig = buildUserConfig(token, claims);
-  await writeUserConfig(userConfig);
-  await appendAuditEntry("login", userConfig.email);
-  log.success(`X\xE1c th\u1EF1c th\xE0nh c\xF4ng: ${userConfig.email}`);
-  log.success(`Verify hosted domain: ${claims.hd} \u2713`);
-  log.success(`L\u01B0u credential v\xE0o ${USER_CONFIG_PATH} (chmod 600)`);
-}
-function sleep(ms) {
-  return new Promise((resolve2) => setTimeout(resolve2, ms));
 }
 // src/commands/mcp-run.ts
@@ -2471,7 +2684,7 @@ function registerToolsCommand(program2) {
 // src/commands/uninstall.ts
 import { relative as relative3 } from "path";
-import { confirm as confirm3 } from "@inquirer/prompts";
+import { confirm as confirm4 } from "@inquirer/prompts";
 import boxen5 from "boxen";
 // src/lib/create-uninstall-backup-snapshot.ts
@@ -2626,7 +2839,7 @@ async function removeSubmoduleEntry(gitmodulesPath, submodulePath) {
 }
 // src/commands/uninstall.ts
-var CLI_VERSION = "1.2.1";
+var CLI_VERSION = "1.2.3";
 function registerUninstallCommand(program2) {
   program2.command("uninstall").description("G\u1EE1 Avatar kh\u1ECFi project \u2014 backup t\u1EF1 \u0111\u1ED9ng (M11)").option("--yes", "Skip confirm prompt").option("--no-backup", "Kh\xF4ng t\u1EA1o backup tr\u01B0\u1EDBc khi x\xF3a (nguy hi\u1EC3m)").option("--keep-submodule", "Gi\u1EEF submodule .claude/pack/").option("--keep-hooks", "Gi\u1EEF git hooks post-merge, pre-push").option("--dry-run", "Hi\u1EC3n th\u1ECB danh s\xE1ch s\u1EBD x\xF3a, kh\xF4ng th\u1EF1c thi").action(async (opts) => {
     try {
@@ -2650,7 +2863,7 @@ async function runUninstall(opts) {
     return;
   }
   if (!opts.yes) {
-    const ok = await confirm3({
+    const ok = await confirm4({
       message: "Ti\u1EBFp t\u1EE5c g\u1EE1 Avatar?",
       default: false
     });
@@ -2708,7 +2921,7 @@ function printUninstallSuccessBox(backupPath) {
 }
 // src/index.ts
-var CLI_VERSION2 = "1.2.1";
+var CLI_VERSION2 = "1.2.3";
 var program = new Command();
 program.name("avatar").description("AI harness CLI for NAL Vietnam engineering").version(CLI_VERSION2, "-v, --version", "Hi\u1EC3n th\u1ECB phi\xEAn b\u1EA3n Avatar CLI").addHelpText(
   "beforeAll",