@postplus/cli 0.1.14 → 0.1.16

package/README.md

@@ -33,7 +33,7 @@ Requires Node.js and npm.
 ```bash
 npm install -g @postplus/cli
 postplus auth login
-npx -y skills add PostPlusAI/postplus-skills --full-depth --skill '*' --agent claude-code codex cursor --yes
+npx -y skills add PostPlusAI/postplus-skills --full-depth --skill '*' --agent claude-code codex cursor github-copilot windsurf trae trae-cn --yes
 ```
 
 Useful checks:

package/build/auth-lifecycle.js

@@ -1,53 +1,16 @@
+import { refreshRemoteAuthSession } from './auth-session.js';
 import { clearAuthState, generateAuthStatusReport } from './auth.js';
 import { requireHostedBaseUrl } from './hosted-release.js';
-import { resolveAccessTokenState, resolveRefreshTokenState, setLocalSession, } from './local-state.js';
+import { resolveAccessTokenState, resolveRefreshTokenState, } from './local-state.js';
 export async function refreshRemoteAuth() {
-    const [apiBaseUrl, accessTokenState, refreshTokenState] = await Promise.all([
-        requireHostedBaseUrl(),
-        resolveAccessTokenState(),
-        resolveRefreshTokenState(),
-    ]);
-    if (!refreshTokenState.present || !refreshTokenState.value) {
-        throw new Error('Run `postplus auth login` before refreshing PostPlus auth.');
-    }
-    const response = await fetch(`${apiBaseUrl}/api/postplus-cli/auth/refresh`, {
-        method: 'POST',
-        headers: {
-            accept: 'application/json',
-            ...(accessTokenState.value
-                ? { authorization: `Bearer ${accessTokenState.value}` }
-                : {}),
-            'content-type': 'application/json',
-        },
-        body: JSON.stringify({
-            refreshToken: refreshTokenState.value,
-        }),
-        signal: AbortSignal.timeout(15000),
-    });
-    const payload = (await response.json());
-    if (!response.ok) {
-        throw new Error('error' in payload && typeof payload.error === 'string'
-            ? payload.error
-            : 'Failed to refresh remote PostPlus auth.');
-    }
-    const successPayload = payload;
-    await setLocalSession({
-        accessToken: successPayload.accessToken,
-        accountId: successPayload.accountId,
-        apiBaseUrl,
-        refreshToken: successPayload.refreshToken,
-        sessionExpiresAt: successPayload.sessionExpiresAt,
-        userEmail: successPayload.userEmail,
-        userId: successPayload.userId,
-    });
+    const refreshed = await refreshRemoteAuthSession();
     return {
-        accessTokenExpiresAt: successPayload.sessionExpiresAt,
-        accountId: successPayload.accountId,
-        apiBaseUrl,
+        accountId: refreshed.accountId,
+        apiBaseUrl: refreshed.apiBaseUrl,
         ok: true,
-        subscriptionStatus: successPayload.subscriptionStatus,
-        userEmail: successPayload.userEmail,
-        userId: successPayload.userId,
+        subscriptionStatus: refreshed.subscriptionStatus,
+        userEmail: refreshed.userEmail,
+        userId: refreshed.userId,
     };
 }
 export function formatAuthRefreshReport(report) {
@@ -59,9 +22,6 @@ export function formatAuthRefreshReport(report) {
         `Account: ${report.accountId}`,
         `User: ${report.userEmail ?? report.userId}`,
         `Subscription: ${report.subscriptionStatus ?? 'unknown'}`,
-        `Session expires at: ${typeof report.accessTokenExpiresAt === 'number'
-            ? new Date(report.accessTokenExpiresAt * 1000).toISOString()
-            : 'unknown'}`,
     ].join('\n');
 }
 export async function revokeRemoteAuth() {

package/build/auth-login.js

@@ -1,61 +1,104 @@
-import { randomUUID } from 'node:crypto';
-import { createServer } from 'node:http';
 import { requireHostedBaseUrl } from './hosted-release.js';
 import { setLocalSession } from './local-state.js';
-export const CLI_AUTH_HANDOFF_TIMEOUT_MS = 30 * 60 * 1000;
-export async function loginWithBrowserHandoff() {
+export const CLI_AUTH_LOGIN_TIMEOUT_MS = 30 * 60 * 1000;
+export async function loginWithCloudHandoff() {
     const baseUrl = await requireHostedBaseUrl();
-    const handoff = await createCliAuthHandoffServer({
-        allowedOrigin: new URL(baseUrl).origin,
-    });
-    const loginUrl = buildCliLoginUrl({
-        baseUrl,
-        bridgeUrl: handoff.bridgeUrl,
-        requestId: handoff.requestId,
-    });
+    const started = await startCloudAuthLogin(baseUrl);
     process.stdout.write([
         'PostPlus CLI login',
         '',
         'Open this URL in your browser to continue:',
-        loginUrl,
+        started.verificationUrl,
+        '',
+        `Code: ${started.userCode}`,
         '',
-        'Waiting for browser sign-in (up to 30 minutes)...',
+        'Waiting for browser sign-in...',
         '',
     ].join('\n'));
-    try {
-        const handoffPayload = await handoff.waitForPayload();
-        if ('error' in handoffPayload) {
-            throw new Error(handoffPayload.error);
-        }
-        const validated = await validateCliSession({
-            accessToken: handoffPayload.accessToken,
-            apiBaseUrl: baseUrl,
-        });
-        await setLocalSession({
-            accessToken: handoffPayload.accessToken,
-            accountId: validated.accountId,
-            apiBaseUrl: baseUrl,
-            refreshToken: handoffPayload.refreshToken,
-            sessionExpiresAt: validated.sessionExpiresAt ?? handoffPayload.expiresAt ?? null,
-            userEmail: validated.userEmail,
-            userId: validated.userId,
-        });
-        return {
-            accountId: validated.accountId,
-            apiBaseUrl: baseUrl,
-            ok: true,
-            sessionExpiresAt: validated.sessionExpiresAt ?? handoffPayload.expiresAt ?? null,
-            userEmail: validated.userEmail,
-            userId: validated.userId,
-        };
+    const handoffPayload = await waitForCloudAuthLogin({
+        apiBaseUrl: baseUrl,
+        expiresAt: started.expiresAt,
+        pollIntervalSeconds: started.pollIntervalSeconds,
+        pollSecret: started.pollSecret,
+        requestId: started.requestId,
+    });
+    const validated = await validateCliSession({
+        accessToken: handoffPayload.accessToken,
+        apiBaseUrl: baseUrl,
+    });
+    await setLocalSession({
+        accessToken: handoffPayload.accessToken,
+        accountId: validated.accountId,
+        apiBaseUrl: baseUrl,
+        refreshToken: handoffPayload.refreshToken,
+        sessionExpiresAt: validated.sessionExpiresAt ?? handoffPayload.sessionExpiresAt ?? null,
+        userEmail: validated.userEmail,
+        userId: validated.userId,
+    });
+    return {
+        accountId: validated.accountId,
+        apiBaseUrl: baseUrl,
+        ok: true,
+        userEmail: validated.userEmail,
+        userId: validated.userId,
+    };
+}
+export async function startCloudAuthLogin(apiBaseUrl) {
+    const response = await fetch(`${apiBaseUrl}/api/postplus-cli/auth/login/start`, {
+        method: 'POST',
+        headers: {
+            accept: 'application/json',
+        },
+        signal: AbortSignal.timeout(15000),
+    });
+    const payload = (await response.json());
+    if (!response.ok) {
+        throw new Error(formatRemoteAuthLoginError(payload));
     }
-    finally {
-        await handoff.close();
+    if (!isCliAuthLoginStartSuccessPayload(payload)) {
+        throw new Error('PostPlus CLI sign-in start returned incomplete data.');
+    }
+    return payload;
+}
+async function waitForCloudAuthLogin(input) {
+    const expiresAtMs = Date.parse(input.expiresAt);
+    const deadlineMs = Number.isFinite(expiresAtMs)
+        ? expiresAtMs
+        : Date.now() + CLI_AUTH_LOGIN_TIMEOUT_MS;
+    const pollIntervalMs = Math.max(1000, input.pollIntervalSeconds * 1000);
+    while (Date.now() < deadlineMs) {
+        const payload = await pollCloudAuthLogin(input);
+        if (payload.status === 'completed') {
+            return payload;
+        }
+        await delay(pollIntervalMs);
     }
+    throw new Error('Timed out waiting for the cloud sign-in handoff.');
 }
-function buildCliLoginUrl(input) {
-    const nextPath = `/auth/cli-callback?bridgeUrl=${encodeURIComponent(input.bridgeUrl)}&requestId=${encodeURIComponent(input.requestId)}`;
-    return `${input.baseUrl}/auth/sign-in?next=${encodeURIComponent(nextPath)}`;
+export async function pollCloudAuthLogin(input) {
+    const response = await fetch(`${input.apiBaseUrl}/api/postplus-cli/auth/login/poll`, {
+        method: 'POST',
+        headers: {
+            accept: 'application/json',
+            'content-type': 'application/json',
+        },
+        body: JSON.stringify({
+            pollSecret: input.pollSecret,
+            requestId: input.requestId,
+        }),
+        signal: AbortSignal.timeout(15000),
+    });
+    const payload = (await response.json());
+    if (!response.ok) {
+        throw new Error(formatRemoteAuthLoginError(payload));
+    }
+    if (isCliAuthLoginCompletedPayload(payload)) {
+        return payload;
+    }
+    if (isCliAuthLoginPendingPayload(payload)) {
+        return payload;
+    }
+    throw new Error('PostPlus CLI sign-in poll returned incomplete data.');
 }
 export async function validateCliSession(input) {
     const response = await fetch(`${input.apiBaseUrl}/api/postplus-cli/auth/whoami`, {
@@ -85,125 +128,33 @@ export function formatCliSessionAuthError(payload) {
     }
     return 'Failed to validate the browser session for PostPlus CLI.';
 }
-export async function createCliAuthHandoffServer(input) {
-    const requestId = randomUUID();
-    return new Promise((resolve, reject) => {
-        let settled = false;
-        let cleanupTimer = null;
-        let resolvePayload = null;
-        let rejectPayload = null;
-        const payloadPromise = new Promise((innerResolve, innerReject) => {
-            resolvePayload = innerResolve;
-            rejectPayload = innerReject;
-        });
-        const server = createServer((request, response) => {
-            const origin = request.headers.origin ?? null;
-            const allowOrigin = origin === input.allowedOrigin ? input.allowedOrigin : null;
-            if (request.method === 'OPTIONS') {
-                if (!allowOrigin) {
-                    response.writeHead(403);
-                    response.end();
-                    return;
-                }
-                response.writeHead(204, {
-                    'Access-Control-Allow-Headers': 'Content-Type',
-                    'Access-Control-Allow-Methods': 'POST, OPTIONS',
-                    'Access-Control-Allow-Private-Network': 'true',
-                    'Access-Control-Allow-Origin': allowOrigin,
-                    'Access-Control-Max-Age': '600',
-                    Vary: 'Origin',
-                });
-                response.end();
-                return;
-            }
-            if (request.method !== 'POST' || request.url !== '/handoff') {
-                response.writeHead(404);
-                response.end();
-                return;
-            }
-            if (!allowOrigin) {
-                response.writeHead(403);
-                response.end();
-                return;
-            }
-            const chunks = [];
-            request.on('data', (chunk) => {
-                chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
-            });
-            request.on('end', () => {
-                try {
-                    const payload = JSON.parse(Buffer.concat(chunks).toString('utf8'));
-                    if (payload.requestId !== requestId) {
-                        throw new Error('Mismatched CLI auth handoff request id.');
-                    }
-                    response.writeHead(200, {
-                        'Access-Control-Allow-Origin': allowOrigin,
-                        'Content-Type': 'application/json',
-                        Vary: 'Origin',
-                    });
-                    response.end(JSON.stringify({ ok: true }));
-                    if (!settled) {
-                        settled = true;
-                        resolvePayload?.(payload);
-                    }
-                }
-                catch (error) {
-                    response.writeHead(400, {
-                        'Access-Control-Allow-Origin': allowOrigin,
-                        'Content-Type': 'application/json',
-                        Vary: 'Origin',
-                    });
-                    response.end(JSON.stringify({
-                        error: error instanceof Error
-                            ? error.message
-                            : 'Invalid CLI auth handoff payload.',
-                    }));
-                }
-            });
-        });
-        server.on('error', (error) => {
-            if (!settled) {
-                settled = true;
-                reject(error);
-            }
-            else {
-                rejectPayload?.(error);
-            }
-        });
-        server.listen(0, '127.0.0.1', () => {
-            const address = server.address();
-            if (!address || typeof address === 'string') {
-                const error = new Error('Failed to bind the local CLI auth bridge.');
-                if (!settled) {
-                    settled = true;
-                    reject(error);
-                }
-                return;
-            }
-            cleanupTimer = setTimeout(() => {
-                if (!settled) {
-                    settled = true;
-                    rejectPayload?.(new Error('Timed out waiting for the browser sign-in handoff.'));
-                }
-                server.close();
-            }, CLI_AUTH_HANDOFF_TIMEOUT_MS);
-            resolve({
-                bridgeUrl: `http://127.0.0.1:${address.port}/handoff`,
-                close: async () => new Promise((innerResolve, innerReject) => {
-                    if (cleanupTimer) {
-                        clearTimeout(cleanupTimer);
-                    }
-                    server.close((error) => {
-                        if (error) {
-                            innerReject(error);
-                            return;
-                        }
-                        innerResolve();
-                    });
-                }),
-                requestId,
-                waitForPayload: () => payloadPromise,
-            });
-        });
-    });
+function isCliAuthLoginStartSuccessPayload(payload) {
+    return ('requestId' in payload &&
+        typeof payload.requestId === 'string' &&
+        typeof payload.pollSecret === 'string' &&
+        typeof payload.userCode === 'string' &&
+        typeof payload.verificationUrl === 'string' &&
+        typeof payload.expiresAt === 'string' &&
+        typeof payload.pollIntervalSeconds === 'number');
+}
+function isCliAuthLoginCompletedPayload(payload) {
+    return ('status' in payload &&
+        payload.status === 'completed' &&
+        typeof payload.accessToken === 'string' &&
+        typeof payload.refreshToken === 'string' &&
+        typeof payload.accountId === 'string' &&
+        typeof payload.userId === 'string');
+}
+function isCliAuthLoginPendingPayload(payload) {
+    return 'status' in payload && payload.status === 'pending';
+}
+function formatRemoteAuthLoginError(payload) {
+    return 'error' in payload &&
+        typeof payload.error === 'string' &&
+        payload.error.trim().length > 0
+        ? payload.error
+        : 'PostPlus CLI sign-in failed.';
+}
+function delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
 }

package/build/auth-session.js

@@ -0,0 +1,137 @@
+import { requireHostedBaseUrl } from './hosted-release.js';
+import { readLocalConfig, resolveAccessTokenState, resolveRefreshTokenState, setLocalSession, } from './local-state.js';
+export const AUTH_SESSION_REFRESH_LEEWAY_SECONDS = 60;
+export async function resolveFreshRemoteAuth(options = {}) {
+    const [apiBaseUrl, accessTokenState, refreshTokenState, config] = await Promise.all([
+        requireHostedBaseUrl(),
+        resolveAccessTokenState(),
+        resolveRefreshTokenState(),
+        readLocalConfig(),
+    ]);
+    if (!refreshTokenState.present || !refreshTokenState.value) {
+        if (!accessTokenState.present || !accessTokenState.value) {
+            throw new Error('Run `postplus auth login` before validating PostPlus auth.');
+        }
+        return {
+            accessToken: accessTokenState.value,
+            apiBaseUrl,
+            refreshed: false,
+            source: 'config',
+        };
+    }
+    const existingAccessToken = accessTokenState.value;
+    const decodedTokenExpiresAt = existingAccessToken
+        ? decodeAccessTokenExpiration(existingAccessToken)
+        : null;
+    const tokenExpiresAt = typeof decodedTokenExpiresAt === 'number'
+        ? decodedTokenExpiresAt
+        : typeof config?.sessionExpiresAt === 'number'
+            ? config.sessionExpiresAt
+            : null;
+    const shouldRefresh = options.forceRefresh === true ||
+        !accessTokenState.present ||
+        !accessTokenState.value ||
+        isExpiringSoon(tokenExpiresAt);
+    if (!shouldRefresh) {
+        if (!existingAccessToken) {
+            throw new Error('Run `postplus auth login` before validating PostPlus auth.');
+        }
+        return {
+            accessToken: existingAccessToken,
+            apiBaseUrl,
+            refreshed: false,
+            source: 'config',
+        };
+    }
+    const refreshed = await refreshRemoteAuthSession({
+        accessToken: accessTokenState.value,
+        apiBaseUrl,
+        refreshToken: refreshTokenState.value,
+    });
+    return {
+        accessToken: refreshed.accessToken,
+        apiBaseUrl,
+        refreshed: true,
+        source: 'config',
+    };
+}
+export async function refreshRemoteAuthSession(input) {
+    const [apiBaseUrl, accessTokenState, refreshTokenState] = await Promise.all([
+        input?.apiBaseUrl ?? requireHostedBaseUrl(),
+        input?.accessToken === undefined ? resolveAccessTokenState() : null,
+        input?.refreshToken === undefined ? resolveRefreshTokenState() : null,
+    ]);
+    const accessToken = input?.accessToken === undefined
+        ? accessTokenState?.value
+        : input.accessToken;
+    const refreshToken = input?.refreshToken === undefined
+        ? refreshTokenState?.value
+        : input.refreshToken;
+    if (!refreshToken) {
+        throw new Error('Run `postplus auth login` before refreshing PostPlus auth.');
+    }
+    const response = await fetch(`${apiBaseUrl}/api/postplus-cli/auth/refresh`, {
+        method: 'POST',
+        headers: {
+            accept: 'application/json',
+            ...(accessToken ? { authorization: `Bearer ${accessToken}` } : {}),
+            'content-type': 'application/json',
+        },
+        body: JSON.stringify({
+            refreshToken,
+        }),
+        signal: AbortSignal.timeout(15000),
+    });
+    const payload = (await response.json());
+    if (!response.ok) {
+        throw new Error('error' in payload && typeof payload.error === 'string'
+            ? payload.error
+            : 'Failed to refresh remote PostPlus auth.');
+    }
+    if (!isRemoteAuthRefreshSuccessPayload(payload)) {
+        throw new Error('PostPlus auth refresh returned incomplete session tokens.');
+    }
+    await setLocalSession({
+        accessToken: payload.accessToken,
+        accountId: payload.accountId,
+        apiBaseUrl,
+        refreshToken: payload.refreshToken,
+        sessionExpiresAt: payload.sessionExpiresAt,
+        userEmail: payload.userEmail,
+        userId: payload.userId,
+    });
+    return {
+        ...payload,
+        apiBaseUrl,
+    };
+}
+export function decodeAccessTokenExpiration(accessToken) {
+    try {
+        const [, payload] = accessToken.split('.');
+        if (!payload) {
+            return null;
+        }
+        const decoded = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
+        return typeof decoded.exp === 'number' ? decoded.exp : null;
+    }
+    catch {
+        return null;
+    }
+}
+function isExpiringSoon(expiresAt) {
+    if (typeof expiresAt !== 'number' || !Number.isFinite(expiresAt)) {
+        return false;
+    }
+    const nowSeconds = Math.floor(Date.now() / 1_000);
+    return expiresAt - nowSeconds <= AUTH_SESSION_REFRESH_LEEWAY_SECONDS;
+}
+function isRemoteAuthRefreshSuccessPayload(payload) {
+    return (typeof payload === 'object' &&
+        payload !== null &&
+        typeof payload.accessToken === 'string' &&
+        payload.accessToken.trim().length > 0 &&
+        typeof payload.refreshToken === 'string' &&
+        payload.refreshToken.trim().length > 0 &&
+        typeof payload.accountId === 'string' &&
+        typeof payload.userId === 'string');
+}

package/build/auth-validate.js

@@ -1,21 +1,13 @@
-import { requireHostedBaseUrl } from './hosted-release.js';
-import { resolveAccessTokenState } from './local-state.js';
+import { resolveFreshRemoteAuth } from './auth-session.js';
 export async function validateRemoteAuth() {
-    const [apiBaseUrl, accessTokenState] = await Promise.all([
-        requireHostedBaseUrl(),
-        resolveAccessTokenState(),
-    ]);
-    if (!accessTokenState.present || !accessTokenState.value) {
-        throw new Error('Run `postplus auth login` before validating PostPlus auth.');
+    let auth = await resolveFreshRemoteAuth();
+    let response = await fetchWhoami(auth);
+    if (response.status === 401) {
+        auth = await resolveFreshRemoteAuth({
+            forceRefresh: true,
+        });
+        response = await fetchWhoami(auth);
     }
-    const response = await fetch(`${apiBaseUrl}/api/postplus-cli/auth/whoami`, {
-        method: 'GET',
-        headers: {
-            accept: 'application/json',
-            authorization: `Bearer ${accessTokenState.value}`,
-        },
-        signal: AbortSignal.timeout(15000),
-    });
     const payload = (await response.json());
     if (!response.ok) {
         throw new Error('error' in payload && typeof payload.error === 'string'
@@ -25,12 +17,9 @@ export async function validateRemoteAuth() {
     const successPayload = payload;
     return {
         accountId: successPayload.accountId,
-        apiBaseUrl,
+        apiBaseUrl: auth.apiBaseUrl,
         ok: true,
-        sessionExpiresAt: successPayload.sessionExpiresAt,
-        source: accessTokenState.source === 'missing'
-            ? 'config'
-            : accessTokenState.source,
+        source: auth.source,
         subscriptionStatus: successPayload.subscriptionStatus,
         userEmail: successPayload.userEmail,
         userId: successPayload.userId,
@@ -45,8 +34,15 @@ export function formatAuthValidateReport(report) {
         `Account: ${report.accountId}`,
         `User: ${report.userEmail ?? report.userId}`,
         `Subscription: ${report.subscriptionStatus ?? 'unknown'}`,
-        `Session expires at: ${typeof report.sessionExpiresAt === 'number'
-            ? new Date(report.sessionExpiresAt * 1000).toISOString()
-            : 'unknown'}`,
     ].join('\n');
 }
+function fetchWhoami(input) {
+    return fetch(`${input.apiBaseUrl}/api/postplus-cli/auth/whoami`, {
+        method: 'GET',
+        headers: {
+            accept: 'application/json',
+            authorization: `Bearer ${input.accessToken}`,
+        },
+        signal: AbortSignal.timeout(15000),
+    });
+}

package/build/auth.js

@@ -1,4 +1,4 @@
-import { clearLocalAuthState, getPostPlusConfigPath, hasLocalConfigFile, maskSecret, readLocalConfig, resolveApiBaseUrlState, resolveLocalSessionState, setLocalAccessToken, setLocalApiBaseUrl, setLocalRefreshToken, } from './local-state.js';
+import { clearLocalAuthState, getPostPlusConfigPath, hasLocalConfigFile, maskSecret, readLocalConfig, resolveApiBaseUrlState, resolveLocalSessionState, setLocalApiBaseUrl, } from './local-state.js';
 export async function generateAuthStatusReport() {
     const [sessionState, apiBaseUrlState, configExists, config] = await Promise.all([
         resolveLocalSessionState(),
@@ -32,7 +32,6 @@ export async function generateAuthStatusReport() {
             present: sessionState.refreshToken.present,
             maskedValue: maskSecret(sessionState.refreshToken.value),
         },
-        sessionExpiresAt: sessionState.expiresAt,
     };
 }
 export function formatAuthStatusReport(report) {
@@ -60,20 +59,9 @@ export function formatAuthStatusReport(report) {
         : `[PASS] local config path: ${report.config.path}`);
     lines.push(`  Account: ${report.config.accountId ?? 'not bound'}`);
     lines.push(`  User: ${report.config.userEmail ?? report.config.userId ?? 'not bound'}`);
-    lines.push(`  Session expires at: ${typeof report.sessionExpiresAt === 'number'
-        ? new Date(report.sessionExpiresAt * 1000).toISOString()
-        : 'unknown'}`);
     lines.push('', report.ok ? 'Auth status OK.' : 'Auth status incomplete.');
     return lines.join('\n');
 }
-export async function configureAccessToken(accessToken) {
-    await setLocalAccessToken(accessToken);
-    return generateAuthStatusReport();
-}
-export async function configureRefreshToken(refreshToken) {
-    await setLocalRefreshToken(refreshToken);
-    return generateAuthStatusReport();
-}
 export async function configureApiBaseUrl(apiBaseUrl) {
     await setLocalApiBaseUrl(apiBaseUrl);
     return generateAuthStatusReport();

package/build/doctor.js

@@ -1,5 +1,5 @@
+import { resolveFreshRemoteAuth, } from './auth-session.js';
 import { resolveHostedBaseUrl } from './hosted-release.js';
-import { resolveAccessTokenState } from './local-state.js';
 function createPass(id, label, detail) {
     return {
         id,
@@ -22,25 +22,24 @@ export async function generateDoctorReport() {
     const checks = [
         createPass('hosted_base_url', 'PostPlus Cloud', `Using ${hostedBaseUrl ?? 'https://postplus.io'}`),
     ];
-    const accessToken = await resolveAccessTokenState();
     if (!hostedBaseUrl) {
         checks.push(createFail('remote_auth', 'Remote auth', 'PostPlus Cloud base URL could not be resolved.', 'Configure POSTPLUS_API_BASE_URL or run `postplus auth login`.'));
         return buildDoctorReport(checks);
     }
-    if (!accessToken.present || !accessToken.value) {
-        checks.push(createFail('remote_auth', 'Remote auth', 'No PostPlus CLI session is configured.', 'Run `postplus auth login`.'));
+    const auth = await resolveFreshRemoteAuth().catch((error) => {
+        const message = error instanceof Error
+            ? error.message
+            : 'No PostPlus CLI session is configured.';
+        checks.push(createFail('remote_auth', 'Remote auth', message, 'Run `postplus auth login`.'));
+        return null;
+    });
+    if (!auth) {
         return buildDoctorReport(checks);
     }
-    const authCheck = await checkRemoteAuth({
-        accessToken: accessToken.value,
-        hostedBaseUrl,
-    });
+    const authCheck = await checkRemoteAuth(auth);
     checks.push(authCheck);
     if (authCheck.status === 'pass') {
-        checks.push(await checkHostedCapabilities({
-            accessToken: accessToken.value,
-            hostedBaseUrl,
-        }));
+        checks.push(await checkHostedCapabilities(auth));
     }
     return buildDoctorReport(checks);
 }
@@ -52,13 +51,13 @@ function buildDoctorReport(checks) {
 }
 async function checkRemoteAuth(input) {
     try {
-        const response = await fetch(`${input.hostedBaseUrl}/api/postplus-cli/auth/whoami`, {
-            headers: {
-                accept: 'application/json',
-                authorization: `Bearer ${input.accessToken}`,
-            },
-            signal: AbortSignal.timeout(15000),
-        });
+        let response = await requestWithAuth(input, '/api/postplus-cli/auth/whoami');
+        if (response.status === 401) {
+            const refreshedAuth = await resolveFreshRemoteAuth({
+                forceRefresh: true,
+            });
+            response = await requestWithAuth(refreshedAuth, '/api/postplus-cli/auth/whoami');
+        }
         const payload = (await response.json());
         if (!response.ok) {
             return createFail('remote_auth', 'Remote auth', readErrorMessage(payload, 'PostPlus Cloud rejected the CLI session.'), 'Run `postplus auth login`.');
@@ -82,13 +81,13 @@ async function checkRemoteAuth(input) {
 }
 async function checkHostedCapabilities(input) {
     try {
-        const response = await fetch(`${input.hostedBaseUrl}/api/postplus-cli/hosted/readiness`, {
-            headers: {
-                accept: 'application/json',
-                authorization: `Bearer ${input.accessToken}`,
-            },
-            signal: AbortSignal.timeout(15000),
-        });
+        let response = await requestWithAuth(input, '/api/postplus-cli/hosted/readiness');
+        if (response.status === 401) {
+            const refreshedAuth = await resolveFreshRemoteAuth({
+                forceRefresh: true,
+            });
+            response = await requestWithAuth(refreshedAuth, '/api/postplus-cli/hosted/readiness');
+        }
         const payload = (await response.json());
         if (!response.ok) {
             return createFail('hosted_capabilities', 'Hosted capabilities', readErrorMessage(payload, 'PostPlus Cloud hosted readiness check failed.'));
@@ -132,6 +131,15 @@ function readErrorMessage(payload, fallback) {
         ? payload.error
         : fallback;
 }
+function requestWithAuth(input, path) {
+    return fetch(`${input.apiBaseUrl}${path}`, {
+        headers: {
+            accept: 'application/json',
+            authorization: `Bearer ${input.accessToken}`,
+        },
+        signal: AbortSignal.timeout(15000),
+    });
+}
 export function formatDoctorReport(report) {
     const lines = ['PostPlus CLI doctor', ''];
     for (const check of report.checks) {

package/build/index.js

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 import { formatAuthRefreshReport, refreshRemoteAuth, revokeRemoteAuthAndReport, } from './auth-lifecycle.js';
-import { loginWithBrowserHandoff } from './auth-login.js';
+import { loginWithCloudHandoff } from './auth-login.js';
 import { formatAuthValidateReport, validateRemoteAuth, } from './auth-validate.js';
 import { clearAuthState, formatAuthStatusReport, generateAuthStatusReport, } from './auth.js';
-import { formatDoctorReport, generateDoctorReport, } from './doctor.js';
+import { formatDoctorReport, generateDoctorReport } from './doctor.js';
 import { assertConfigFilePermissions } from './local-state.js';
 import { POSTPLUS_SKILLS_INSTALL_COMMAND, loadPublicSkillCatalog, } from './skill-catalog.js';
 import { runPostPlusSkillUninstall, runPostPlusSkillUpdate, } from './skill-management.js';
@@ -140,16 +140,13 @@ async function runAuthRevoke(json) {
     return 0;
 }
 async function runAuthLogin() {
-    const report = await loginWithBrowserHandoff();
+    const report = await loginWithCloudHandoff();
     process.stdout.write([
         '',
         'PostPlus CLI login complete.',
         `Account: ${report.accountId}`,
         `PostPlus Cloud: ${report.apiBaseUrl}`,
         `User: ${report.userEmail ?? 'unknown'}`,
-        `Session expires at: ${typeof report.sessionExpiresAt === 'number'
-            ? new Date(report.sessionExpiresAt * 1000).toISOString()
-            : 'unknown'}`,
         '',
     ].join('\n'));
     return report.ok ? 0 : 1;

package/build/local-state.js

@@ -1,5 +1,5 @@
 import { constants as fsConstants } from 'node:fs';
-import { access, chmod, mkdir, readFile, stat, writeFile } from 'node:fs/promises';
+import { access, chmod, mkdir, readFile, stat, writeFile, } from 'node:fs/promises';
 import { homedir, platform } from 'node:os';
 import { dirname, join, resolve } from 'node:path';
 export const DEFAULT_POSTPLUS_API_BASE_URL = 'https://postplus.io';
@@ -103,26 +103,6 @@ export async function clearLocalAuthState() {
         return next;
     });
 }
-export async function setLocalAccessToken(accessToken) {
-    const normalizedAccessToken = accessToken.trim();
-    if (normalizedAccessToken.length === 0) {
-        throw new Error('POSTPLUS_ACCESS_TOKEN cannot be empty.');
-    }
-    return updateLocalConfig((current) => ({
-        ...(current ?? {}),
-        accessToken: normalizedAccessToken,
-    }));
-}
-export async function setLocalRefreshToken(refreshToken) {
-    const normalizedRefreshToken = refreshToken.trim();
-    if (normalizedRefreshToken.length === 0) {
-        throw new Error('POSTPLUS_REFRESH_TOKEN cannot be empty.');
-    }
-    return updateLocalConfig((current) => ({
-        ...(current ?? {}),
-        refreshToken: normalizedRefreshToken,
-    }));
-}
 export async function setLocalApiBaseUrl(apiBaseUrl) {
     const normalizedApiBaseUrl = apiBaseUrl.trim();
     if (normalizedApiBaseUrl.length === 0) {
@@ -139,10 +119,10 @@ export async function setLocalSession(input) {
     const refreshToken = input.refreshToken.trim();
     const apiBaseUrl = input.apiBaseUrl.trim().replace(/\/+$/, '');
     if (accessToken.length === 0) {
-        throw new Error('POSTPLUS_ACCESS_TOKEN cannot be empty.');
+        throw new Error('PostPlus CLI access token cannot be empty.');
     }
     if (refreshToken.length === 0) {
-        throw new Error('POSTPLUS_REFRESH_TOKEN cannot be empty.');
+        throw new Error('PostPlus CLI refresh token cannot be empty.');
     }
     if (apiBaseUrl.length === 0) {
         throw new Error('POSTPLUS_API_BASE_URL cannot be empty.');
@@ -168,14 +148,6 @@ export async function hasLocalConfigFile() {
     }
 }
 export async function resolveAccessTokenState() {
-    const envValue = process.env.POSTPLUS_ACCESS_TOKEN?.trim();
-    if (envValue && envValue.length > 0) {
-        return {
-            source: 'env',
-            present: true,
-            value: envValue,
-        };
-    }
     const config = await readLocalConfig();
     const configValue = config?.accessToken?.trim();
     if (configValue && configValue.length > 0) {
@@ -192,14 +164,6 @@ export async function resolveAccessTokenState() {
     };
 }
 export async function resolveRefreshTokenState() {
-    const envValue = process.env.POSTPLUS_REFRESH_TOKEN?.trim();
-    if (envValue && envValue.length > 0) {
-        return {
-            source: 'env',
-            present: true,
-            value: envValue,
-        };
-    }
     const config = await readLocalConfig();
     const configValue = config?.refreshToken?.trim();
     if (configValue && configValue.length > 0) {
@@ -216,16 +180,12 @@ export async function resolveRefreshTokenState() {
     };
 }
 export async function resolveLocalSessionState() {
-    const [accessToken, refreshToken, config] = await Promise.all([
+    const [accessToken, refreshToken] = await Promise.all([
         resolveAccessTokenState(),
         resolveRefreshTokenState(),
-        readLocalConfig(),
     ]);
     return {
         accessToken,
-        expiresAt: typeof config?.sessionExpiresAt === 'number'
-            ? config.sessionExpiresAt
-            : null,
         refreshToken,
     };
 }

package/build/skill-catalog.js

@@ -1,5 +1,15 @@
 export const POSTPLUS_SKILLS_REPO = 'PostPlusAI/postplus-skills';
-export const POSTPLUS_SKILLS_INSTALL_COMMAND = "npx -y skills add PostPlusAI/postplus-skills --full-depth --skill '*' --agent claude-code codex cursor --yes";
+export const POSTPLUS_SKILLS_AGENT_TARGETS = [
+    'claude-code',
+    'codex',
+    'cursor',
+    'github-copilot',
+    'windsurf',
+    'trae',
+    'trae-cn',
+];
+const POSTPLUS_SKILLS_AGENT_ARGS = POSTPLUS_SKILLS_AGENT_TARGETS.join(' ');
+export const POSTPLUS_SKILLS_INSTALL_COMMAND = `npx -y skills add PostPlusAI/postplus-skills --full-depth --skill '*' --agent ${POSTPLUS_SKILLS_AGENT_ARGS} --yes`;
 export const POSTPLUS_SKILLS_LIST_COMMAND = 'npx -y skills add PostPlusAI/postplus-skills --list --full-depth';
 const POSTPLUS_SKILLS_INDEX_URL = 'https://raw.githubusercontent.com/PostPlusAI/postplus-skills/main/skills/INDEX.md';
 export async function loadPublicSkillCatalog() {

package/build/skill-management.js

@@ -1,6 +1,5 @@
-import { POSTPLUS_SKILLS_INSTALL_COMMAND, POSTPLUS_SKILLS_REPO, loadPublicSkillCatalog, } from './skill-catalog.js';
+import { POSTPLUS_SKILLS_AGENT_TARGETS, POSTPLUS_SKILLS_INSTALL_COMMAND, POSTPLUS_SKILLS_REPO, loadPublicSkillCatalog, } from './skill-catalog.js';
 import { runCommand, runInteractiveCommand } from './command-runner.js';
-const SKILLS_AGENTS = ['claude-code', 'codex', 'cursor'];
 const NPX_SKILLS = ['-y', 'skills'];
 export async function runPostPlusSkillUpdate() {
     const catalog = await loadPublicSkillCatalog();
@@ -93,7 +92,7 @@ export function buildPostPlusSkillUninstallArgs(skillNames) {
         'remove',
         ...skillNames,
         '--agent',
-        ...SKILLS_AGENTS,
+        ...POSTPLUS_SKILLS_AGENT_TARGETS,
         '--yes',
     ];
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@postplus/cli",
-  "version": "0.1.14",
+  "version": "0.1.16",
   "packageManager": "pnpm@10.30.3+sha512.c961d1e0a2d8e354ecaa5166b822516668b7f44cb5bd95122d590dd81922f606f5473b6d23ec4a5be05e7fcd18e8488d47d978bbe981872f1145d06e9a740017",
   "type": "module",
   "description": "PostPlus CLI for PostPlus Cloud auth, status, and diagnostics.",
@@ -8,6 +8,7 @@
   "files": [
     "build/auth-lifecycle.js",
     "build/auth-login.js",
+    "build/auth-session.js",
     "build/auth-validate.js",
     "build/auth.js",
     "build/command-runner.js",
@@ -31,7 +32,7 @@
     "node": ">=20.10.0"
   },
   "bin": {
-    "postplus": "./build/index.js"
+    "postplus": "build/index.js"
   },
   "scripts": {
     "build": "node ./scripts/clean-build.mjs && tsc",