npm - @promptcellar/pc - Versions diffs - 0.5.4 → 0.5.5 - Mend

@promptcellar/pc 0.5.4 → 0.5.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/hooks/codex-capture.js +9 -9
package/hooks/gemini-capture.js +5 -9
package/hooks/prompt-capture.js +5 -9
package/package.json +2 -1
package/src/commands/login.js +12 -116
package/src/commands/save.js +5 -2
package/src/lib/api.js +28 -47
package/src/lib/context.js +14 -73
package/src/lib/crypto.js +1 -39
package/src/lib/device-transfer.js +1 -43
package/README.md +0 -119
package/docs/plans/2026-01-30-wa-auth-integration-design.md +0 -118
package/docs/plans/2026-01-30-wa-auth-integration-plan.md +0 -776
package/docs/plans/2026-02-03-multi-prompt-capture-design.md +0 -501

package/docs/plans/2026-01-30-wa-auth-integration-plan.md DELETED Viewed

@@ -1,776 +0,0 @@
-# wa-auth Integration Implementation Plan
-> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.
-**Goal:** Migrate pc-cli authentication to wa-auth device flow, add client-side encryption for zero-knowledge prompt capture.
-**Architecture:** Three repos change: wa-auth gets `client_id` on device flow + JWT issuance, prompt-registry gets a JWT-to-API-key exchange endpoint, pc-cli rewrites login and adds encryption. Changes are independent per-repo and can be implemented in sequence: wa-auth first, prompt-registry second, pc-cli third.
-**Tech Stack:** Python/Flask (wa-auth, prompt-registry), Node.js/ESM (pc-cli), AES-256-GCM (encryption), JWT/HS256 (tokens), Node.js built-in `crypto` module.
-**Design doc:** `docs/plans/2026-01-30-wa-auth-integration-design.md`
----
-## Task 1: wa-auth -- Add `client_id` to DeviceAuthRequest model
-**Files:**
-- Modify: `/home/ddnewell/weldedanvil/wa-auth/models.py:45-52`
-**Step 1: Add `client_id` column to DeviceAuthRequest**
-```python
-class DeviceAuthRequest(db.Model):
-    __tablename__ = 'device_auth_requests'
-    id = db.Column(db.String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
-    device_code = db.Column(db.String(64), unique=True, nullable=False)
-    user_code = db.Column(db.String(16), unique=True, nullable=False)
-    user_id = db.Column(db.String(36), db.ForeignKey('users.id'), nullable=True)
-    client_id = db.Column(db.String(64), nullable=True)
-    status = db.Column(db.String(16), default='pending')
-    expires_at = db.Column(db.DateTime, nullable=False)
-```
-**Step 2: Commit**
-```bash
-cd /home/ddnewell/weldedanvil/wa-auth
-git add models.py
-git commit -m "feat: add client_id column to DeviceAuthRequest model"
-```
----
-## Task 2: wa-auth -- Accept `client_id` in `POST /device/code`
-**Files:**
-- Modify: `/home/ddnewell/weldedanvil/wa-auth/app.py:113-128`
-**Step 1: Update device_code route to validate and store client_id**
-```python
-@app.route('/device/code', methods=['POST'])
-def device_code():
-    payload = request.get_json(silent=True) or {}
-    client_id = payload.get('client_id')
-    # Validate client_id if provided
-    if client_id:
-        oidc_clients = app.config.get('OIDC_CLIENTS') or {}
-        if client_id not in oidc_clients:
-            return {'error': 'invalid_client'}, 400
-    code = secrets.token_urlsafe(32)
-    user_code = secrets.token_hex(4)
-    req = DeviceAuthRequest(
-        device_code=code,
-        user_code=user_code,
-        client_id=client_id,
-        expires_at=datetime.utcnow() + timedelta(minutes=10),
-    )
-    db.session.add(req)
-    db.session.commit()
-    return {
-        'device_code': code,
-        'user_code': user_code,
-        'verification_url': 'https://account.weldedanvil.com/device',
-    }
-```
-**Step 2: Commit**
-```bash
-git add app.py
-git commit -m "feat: accept client_id in POST /device/code"
-```
----
-## Task 3: wa-auth -- Return JWT from `POST /device/poll` on approval
-**Files:**
-- Modify: `/home/ddnewell/weldedanvil/wa-auth/app.py:168-192`
-**Context:** wa-auth already has JWT generation in the `/token` endpoint. Check how it's done there and reuse the same pattern. The app config has `JWT_SECRET`, `JWT_ISSUER`, and `ACCESS_TOKEN_TTL_SECONDS`.
-**Step 1: Find existing JWT generation code**
-Read `/home/ddnewell/weldedanvil/wa-auth/app.py` to find the `/token` endpoint and its JWT creation logic. Reuse the same `jwt.encode()` call pattern.
-**Step 2: Update device_poll to return JWT on approval**
-When `status == 'approved'`, generate a JWT with:
-- `sub`: `req.user_id`
-- `aud`: `req.client_id` (from the stored device request)
-- `iss`: `app.config['JWT_ISSUER']`
-- `iat`: current timestamp
-- `exp`: current timestamp + `app.config.get('ACCESS_TOKEN_TTL_SECONDS', 900)`
-Return:
-```json
-{
-  "status": "approved",
-  "user_id": "...",
-  "access_token": "<jwt>"
-}
-```
-If `req.client_id` is `None` (legacy requests without client_id), omit `aud` from JWT and don't return `access_token` -- just return the existing `user_id`-only response for backward compatibility.
-**Step 3: Commit**
-```bash
-git add app.py
-git commit -m "feat: return JWT from device poll on approval"
-```
----
-## Task 4: prompt-registry -- Add `POST /api/v1/auth/device-token` endpoint
-**Files:**
-- Modify: `/home/ddnewell/weldedanvil/prompt-registry/app.py`
-**Context:** This endpoint exchanges a wa-auth JWT for a `pk_*` API key. It uses existing functions: `verify_account_token()` from `auth.py`, `create_or_get_user()` from `auth.py`, `generate_api_key()` and `hash_api_key()` from `app.py`.
-**Step 1: Add the endpoint inside `register_routes(app)`**
-Place it after the existing device_auth_verify route (around line 193). The endpoint:
-1. Reads JWT from `Authorization: Bearer <jwt>` header
-2. Validates with `verify_account_token(jwt_str)` -- checks signature, audience, issuer, expiry
-3. Extracts `sub` (user ID) and `email` from JWT payload
-4. Calls `create_or_get_user(account_sub=sub, email=email)` to resolve user
-5. Reads `device_name` from request JSON body
-6. Deletes any existing `UserApiKey` where `user_id == user.id` and `name == device_name`
-7. Creates new `UserApiKey` with `generate_api_key()`, stores `hash_api_key(key)` and `key_prefix`
-8. Checks if vault exists by fetching from wa-auth `GET /vault` using the JWT (or a server-to-server call)
-9. Returns JSON response
-```python
-@app.route('/api/v1/auth/device-token', methods=['POST'])
-def device_token_exchange():
-    """Exchange a wa-auth JWT for a pk_* API key."""
-    auth_header = request.headers.get('Authorization', '')
-    if not auth_header.startswith('Bearer '):
-        return {'error': 'missing_token'}, 401
-    jwt_str = auth_header[7:]
-    payload, err = verify_account_token(jwt_str)
-    if err:
-        return {'error': err}, 401
-    account_sub = payload.get('sub')
-    email = payload.get('email')
-    if not account_sub:
-        return {'error': 'invalid_token'}, 401
-    user = create_or_get_user(account_sub, email)
-    data = request.get_json(silent=True) or {}
-    device_name = data.get('device_name', 'CLI')
-    # Auto-revoke previous key with same device name
-    existing = UserApiKey.query.filter_by(user_id=user.id, name=device_name).all()
-    for key in existing:
-        db.session.delete(key)
-    # Create new API key
-    raw_key = generate_api_key()
-    new_key = UserApiKey(
-        id=str(uuid.uuid4()),
-        user_id=user.id,
-        name=device_name,
-        key_hash=hash_api_key(raw_key),
-        key_prefix=raw_key[:12],
-    )
-    db.session.add(new_key)
-    db.session.commit()
-    # Check vault availability
-    vault_response = {'available': False}
-    try:
-        account_url = current_app.config['ACCOUNT_BASE_URL'].rstrip('/')
-        vault_resp = requests.get(
-            f"{account_url}/vault",
-            headers={'Authorization': f'Bearer {jwt_str}'},
-            timeout=5,
-        )
-        if vault_resp.status_code == 200:
-            vault_data = vault_resp.json()
-            vault_response = {
-                'available': True,
-                'encrypted_metadata': vault_data.get('encrypted_metadata'),
-            }
-    except Exception:
-        pass
-    return {
-        'api_key': raw_key,
-        'email': user.email,
-        'vault': vault_response,
-    }, 201
-```
-**Important notes:**
-- `uuid` import already exists at top of file
-- `requests` import already exists (used by auth.py, check if app.py needs it too)
-- `verify_account_token` and `create_or_get_user` need to be imported from `auth.py`
-- The vault check calls wa-auth's `/vault` endpoint using the JWT as bearer token. wa-auth's `/vault` currently uses session auth -- this will need wa-auth to also accept JWT bearer auth on `/vault`. See Task 5.
-**Step 2: Commit**
-```bash
-cd /home/ddnewell/weldedanvil/prompt-registry
-git add app.py
-git commit -m "feat: add device-token exchange endpoint"
-```
----
-## Task 5: wa-auth -- Accept JWT bearer auth on `GET /vault`
-**Files:**
-- Modify: `/home/ddnewell/weldedanvil/wa-auth/app.py:232-242`
-**Context:** The vault endpoint currently only accepts session-based auth. prompt-registry needs to fetch vault metadata using the JWT it received. Add bearer token support.
-**Step 1: Update get_vault to accept JWT bearer token**
-```python
-@app.route('/vault')
-def get_vault():
-    user_id = session.get('user_id')
-    # Also accept JWT bearer token
-    if not user_id:
-        auth_header = request.headers.get('Authorization', '')
-        if auth_header.startswith('Bearer '):
-            try:
-                payload = jwt.decode(
-                    auth_header[7:],
-                    app.config['JWT_SECRET'],
-                    algorithms=['HS256'],
-                    options={'require': ['exp', 'sub']},
-                )
-                user_id = payload.get('sub')
-            except Exception:
-                pass
-    if not user_id:
-        return {'error': 'unauthorized'}, 401
-    vault = Vault.query.filter_by(user_id=user_id).first()
-    if not vault:
-        return {'error': 'not_found'}, 404
-    return {'vault_id': vault.id, 'encrypted_metadata': vault.encrypted_metadata}
-```
-**Step 2: Commit**
-```bash
-cd /home/ddnewell/weldedanvil/wa-auth
-git add app.py
-git commit -m "feat: accept JWT bearer auth on GET /vault"
-```
----
-## Task 6: pc-cli -- Add new config fields
-**Files:**
-- Modify: `/home/ddnewell/weldedanvil/pc-cli/.worktrees/wa-auth-integration/src/lib/config.js`
-**Step 1: Add accountUrl, vaultMetadata, and vaultAvailable to schema and exports**
-Add three new fields to the `Conf` schema:
-```javascript
-accountUrl: {
-  type: 'string',
-  default: 'https://account.weldedanvil.com'
-},
-vaultMetadata: {
-  type: 'string',
-  default: ''
-},
-vaultAvailable: {
-  type: 'boolean',
-  default: false
-}
-```
-Add getter/setter exports:
-```javascript
-export function getAccountUrl() {
-  return config.get('accountUrl');
-}
-export function setAccountUrl(url) {
-  config.set('accountUrl', url);
-}
-export function getVaultMetadata() {
-  return config.get('vaultMetadata');
-}
-export function setVaultMetadata(metadata) {
-  config.set('vaultMetadata', metadata);
-}
-export function isVaultAvailable() {
-  return config.get('vaultAvailable');
-}
-export function setVaultAvailable(available) {
-  config.set('vaultAvailable', available);
-}
-```
-**Step 2: Update clearApiKey to also clear vault state**
-Rename to `clearCredentials` or update `clearApiKey`:
-```javascript
-export function clearApiKey() {
-  config.delete('apiKey');
-  config.delete('vaultMetadata');
-  config.set('vaultAvailable', false);
-}
-```
-**Step 3: Commit**
-```bash
-cd /home/ddnewell/weldedanvil/pc-cli/.worktrees/wa-auth-integration
-git add src/lib/config.js
-git commit -m "feat: add vault and account config fields"
-```
----
-## Task 7: pc-cli -- Create crypto module
-**Files:**
-- Create: `/home/ddnewell/weldedanvil/pc-cli/.worktrees/wa-auth-integration/src/lib/crypto.js`
-**Context:** Must match the encryption format used by the web client in `prompt-registry/static/js/vault.js`. The web client uses:
-- AES-256-GCM via WebCrypto
-- Random 12-byte IV per encryption
-- Base64url encoding (no padding) for encrypted content and IV
-- The master key is stored as `encrypted_metadata` JSON containing `wrapped_master_key`, `wrap_iv`, `prf_salt`, `hkdf_info`, `version`
-**Important design note:** The vault master key is wrapped with a WebAuthn PRF-derived key. The CLI cannot perform passkey ceremonies. For the CLI to encrypt, it needs the raw master key. This requires a CLI key export mechanism in the web UI (out of scope for this plan -- see Task 10 for the interim approach).
-For now, implement the encryption functions assuming the CLI has a raw AES-256 key (32 bytes, base64url encoded) stored in config as `vaultMetadata`. The key provisioning mechanism (how the CLI gets this key) will be addressed separately.
-**Step 1: Create crypto.js**
-```javascript
-import { createCipheriv, randomBytes } from 'crypto';
-function b64urlEncode(buffer) {
-  return Buffer.from(buffer)
-    .toString('base64')
-    .replace(/\+/g, '-')
-    .replace(/\//g, '_')
-    .replace(/=+$/, '');
-}
-function b64urlDecode(str) {
-  let base64 = str.replace(/-/g, '+').replace(/_/g, '/');
-  while (base64.length % 4) base64 += '=';
-  return Buffer.from(base64, 'base64');
-}
-export function encryptPrompt(plaintext, keyBase64url) {
-  const key = b64urlDecode(keyBase64url);
-  if (key.length !== 32) {
-    throw new Error('Invalid vault key length');
-  }
-  const iv = randomBytes(12);
-  const cipher = createCipheriv('aes-256-gcm', key, iv);
-  const encoded = Buffer.from(plaintext, 'utf8');
-  const encrypted = Buffer.concat([cipher.update(encoded), cipher.final()]);
-  const authTag = cipher.getAuthTag();
-  // AES-GCM ciphertext = encrypted + authTag (WebCrypto format)
-  const ciphertext = Buffer.concat([encrypted, authTag]);
-  return {
-    encrypted_content: b64urlEncode(ciphertext),
-    content_iv: b64urlEncode(iv),
-  };
-}
-export { b64urlEncode, b64urlDecode };
-```
-**Step 2: Commit**
-```bash
-git add src/lib/crypto.js
-git commit -m "feat: add AES-256-GCM encryption module"
-```
----
-## Task 8: pc-cli -- Rewrite login command
-**Files:**
-- Modify: `/home/ddnewell/weldedanvil/pc-cli/.worktrees/wa-auth-integration/src/commands/login.js`
-**Step 1: Rewrite login.js**
-The new flow:
-1. Request device code from wa-auth (`POST /device/code` with `client_id`)
-2. Show verification URL to user
-3. Poll wa-auth (`POST /device/poll`) until approved
-4. Exchange JWT for API key at prompt-registry (`POST /api/v1/auth/device-token`)
-5. Store API key, vault metadata, and URLs
-```javascript
-import ora from 'ora';
-import chalk from 'chalk';
-import {
-  setApiKey, setApiUrl, setAccountUrl,
-  setVaultMetadata, setVaultAvailable,
-  isLoggedIn, getAccountUrl
-} from '../lib/config.js';
-const DEFAULT_API_URL = 'https://prompts.weldedanvil.com';
-const DEFAULT_ACCOUNT_URL = 'https://account.weldedanvil.com';
-const CLIENT_ID = 'prompts-prod';
-async function requestDeviceCode(accountUrl) {
-  const response = await fetch(`${accountUrl}/device/code`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ client_id: CLIENT_ID }),
-  });
-  if (!response.ok) {
-    const data = await response.json().catch(() => ({}));
-    throw new Error(data.error || 'Failed to request device code');
-  }
-  return response.json();
-}
-async function pollForApproval(accountUrl, deviceCode, expiresIn) {
-  const expiresAt = Date.now() + (expiresIn || 600) * 1000;
-  const interval = 5000;
-  while (Date.now() < expiresAt) {
-    await sleep(interval);
-    const response = await fetch(`${accountUrl}/device/poll`, {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ device_code: deviceCode }),
-    });
-    const data = await response.json();
-    if (data.status === 'approved' && data.access_token) {
-      return data;
-    }
-    if (data.status === 'expired') {
-      throw new Error('Authorization request expired. Please try again.');
-    }
-    // status === 'pending' -- keep polling
-  }
-  throw new Error('Authorization request timed out. Please try again.');
-}
-async function exchangeTokenForApiKey(apiUrl, jwt, deviceName) {
-  const response = await fetch(`${apiUrl}/api/v1/auth/device-token`, {
-    method: 'POST',
-    headers: {
-      'Authorization': `Bearer ${jwt}`,
-      'Content-Type': 'application/json',
-    },
-    body: JSON.stringify({ device_name: deviceName }),
-  });
-  if (!response.ok) {
-    const data = await response.json().catch(() => ({}));
-    throw new Error(data.error || 'Failed to exchange token');
-  }
-  return response.json();
-}
-function getDeviceName() {
-  const os = process.platform;
-  const hostname = process.env.HOSTNAME || process.env.COMPUTERNAME || 'CLI';
-  const osNames = { darwin: 'macOS', linux: 'Linux', win32: 'Windows' };
-  return `${osNames[os] || os} - ${hostname}`;
-}
-function sleep(ms) {
-  return new Promise(resolve => setTimeout(resolve, ms));
-}
-export async function login(options) {
-  const apiUrl = options?.url || DEFAULT_API_URL;
-  const accountUrl = options?.accountUrl || DEFAULT_ACCOUNT_URL;
-  if (isLoggedIn()) {
-    console.log(chalk.yellow('Already logged in.'));
-    console.log('Run ' + chalk.cyan('pc logout') + ' first to switch accounts.\n');
-    return;
-  }
-  console.log(chalk.bold('\nPromptCellar CLI Login\n'));
-  const spinner = ora('Connecting...').start();
-  try {
-    // Step 1: Request device code from wa-auth
-    const authData = await requestDeviceCode(accountUrl);
-    spinner.stop();
-    // Step 2: Show login URL
-    const verifyUrl = `${authData.verification_url}?code=${authData.user_code}`;
-    console.log('Open this URL in your browser to log in:\n');
-    console.log(chalk.cyan.bold(`  ${verifyUrl}\n`));
-    console.log(chalk.dim(`Or go to ${authData.verification_url} and enter code: ${authData.user_code}\n`));
-    // Step 3: Poll for approval
-    spinner.start('Waiting for you to authorize in browser...');
-    const approval = await pollForApproval(accountUrl, authData.device_code);
-    spinner.text = 'Setting up credentials...';
-    // Step 4: Exchange JWT for API key
-    const deviceName = getDeviceName();
-    const result = await exchangeTokenForApiKey(apiUrl, approval.access_token, deviceName);
-    // Step 5: Store credentials
-    setApiKey(result.api_key);
-    setApiUrl(apiUrl);
-    setAccountUrl(accountUrl);
-    if (result.vault && result.vault.available) {
-      setVaultMetadata(result.vault.encrypted_metadata);
-      setVaultAvailable(true);
-    } else {
-      setVaultMetadata('');
-      setVaultAvailable(false);
-    }
-    spinner.succeed(chalk.green('Logged in successfully!'));
-    console.log(`\nWelcome, ${chalk.cyan(result.email)}!`);
-    if (!result.vault || !result.vault.available) {
-      console.log(chalk.yellow('\nVault not set up.') + ' Prompt capture requires a vault.');
-      console.log('Set up your vault at: ' + chalk.cyan(`${apiUrl}/dashboard/settings`));
-    }
-    console.log('\nRun ' + chalk.cyan('pc setup') + ' to configure auto-capture for your CLI tools.\n');
-  } catch (error) {
-    spinner.fail(chalk.red('Login failed: ' + error.message));
-    console.log('\nPlease try again or visit ' + chalk.cyan(apiUrl) + ' to sign up.\n');
-  }
-}
-export default login;
-```
-**Step 2: Commit**
-```bash
-git add src/commands/login.js
-git commit -m "feat: rewrite login to use wa-auth device flow"
-```
----
-## Task 9: pc-cli -- Update hooks and save to use encryption
-**Files:**
-- Modify: `/home/ddnewell/weldedanvil/pc-cli/.worktrees/wa-auth-integration/hooks/prompt-capture.js`
-- Modify: `/home/ddnewell/weldedanvil/pc-cli/.worktrees/wa-auth-integration/hooks/codex-capture.js`
-- Modify: `/home/ddnewell/weldedanvil/pc-cli/.worktrees/wa-auth-integration/hooks/gemini-capture.js`
-- Modify: `/home/ddnewell/weldedanvil/pc-cli/.worktrees/wa-auth-integration/src/commands/save.js`
-**Step 1: Update prompt-capture.js**
-Add vault check and encryption. Key changes:
-- Import `isVaultAvailable`, `getVaultMetadata` from config
-- Import `encryptPrompt` from crypto
-- After `isLoggedIn()` check, add `isVaultAvailable()` check -- exit silently if not available
-- Before calling `capturePrompt()`, encrypt the content
-- Send `{ encrypted_content, content_iv }` instead of `{ content }`
-```javascript
-import { isLoggedIn, isVaultAvailable, getVaultMetadata } from '../src/lib/config.js';
-import { encryptPrompt } from '../src/lib/crypto.js';
-// ... (existing code) ...
-// After isLoggedIn check:
-if (!isVaultAvailable()) {
-  process.exit(0);
-}
-// Before capturePrompt call:
-const vaultKey = getVaultMetadata();
-const { encrypted_content, content_iv } = encryptPrompt(initialPrompt.content, vaultKey);
-await capturePrompt({
-  encrypted_content,
-  content_iv,
-  ...context,
-  captured_at: initialPrompt.timestamp
-});
-```
-Apply the same pattern to `codex-capture.js` and `gemini-capture.js`.
-**Step 2: Update save.js**
-Add vault check before save. If vault not available, show actionable error:
-```javascript
-import { isLoggedIn, isVaultAvailable, getVaultMetadata, getApiUrl } from '../lib/config.js';
-import { encryptPrompt } from '../lib/crypto.js';
-// In save():
-if (!isVaultAvailable()) {
-  console.log(chalk.red('Vault not set up.') + ' Prompt capture requires a vault.');
-  console.log('Set up your vault at: ' + chalk.cyan(`${getApiUrl()}/dashboard/settings`));
-  return;
-}
-// Before capturePrompt:
-const vaultKey = getVaultMetadata();
-const { encrypted_content, content_iv } = encryptPrompt(content.trim(), vaultKey);
-const result = await capturePrompt({
-  encrypted_content,
-  content_iv,
-  ...context
-});
-```
-**Step 3: Commit**
-```bash
-git add hooks/prompt-capture.js hooks/codex-capture.js hooks/gemini-capture.js src/commands/save.js
-git commit -m "feat: encrypt prompts before capture"
-```
----
-## Task 10: pc-cli -- Update status command to show vault status
-**Files:**
-- Modify: `/home/ddnewell/weldedanvil/pc-cli/.worktrees/wa-auth-integration/src/commands/status.js`
-**Step 1: Add vault status display**
-```javascript
-import { isLoggedIn, getApiUrl, getCaptureLevel, getSessionId, isVaultAvailable } from '../lib/config.js';
-// After capture level display:
-if (isVaultAvailable()) {
-  console.log(`  Vault: ${chalk.green('configured')}`);
-} else {
-  console.log(`  Vault: ${chalk.yellow('not configured')} - capture disabled`);
-}
-```
-**Step 2: Commit**
-```bash
-git add src/commands/status.js
-git commit -m "feat: show vault status in pc status"
-```
----
-## Task 11: pc-cli -- Update logout to clear vault state
-**Files:**
-- Modify: `/home/ddnewell/weldedanvil/pc-cli/.worktrees/wa-auth-integration/src/commands/logout.js`
-**Step 1: Read logout.js and verify it calls clearApiKey**
-The `clearApiKey` function was updated in Task 6 to also clear vault state. Verify logout.js calls it. If it uses a different clearing mechanism, update accordingly.
-**Step 2: Commit if changes needed**
-```bash
-git add src/commands/logout.js
-git commit -m "fix: ensure logout clears vault state"
-```
----
-## Task 12: Manual integration test
-**No code changes -- verification only.**
-**Step 1: Verify wa-auth changes**
-```bash
-cd /home/ddnewell/weldedanvil/wa-auth
-# Run existing tests if any
-python -m pytest tests/ -v 2>/dev/null || echo "Check tests manually"
-```
-**Step 2: Verify prompt-registry changes**
-```bash
-cd /home/ddnewell/weldedanvil/prompt-registry
-python -m pytest tests/ -v 2>/dev/null || echo "Check tests manually"
-```
-**Step 3: Verify pc-cli syntax**
-```bash
-cd /home/ddnewell/weldedanvil/pc-cli/.worktrees/wa-auth-integration
-node -e "import('./src/lib/crypto.js').then(m => { const r = m.encryptPrompt('test', 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'); console.log('OK:', r); })"
-node -e "import('./src/lib/config.js').then(m => { console.log('Config OK'); })"
-node -e "import('./src/commands/login.js').then(m => { console.log('Login OK'); })"
-```
-**Step 4: Verify end-to-end flow description**
-Confirm the flow works conceptually:
-1. `pc login` → calls wa-auth `/device/code` with `client_id=prompts-prod`
-2. User approves in browser
-3. CLI polls → gets JWT with `aud=prompts-prod`
-4. CLI calls prompt-registry `/api/v1/auth/device-token` with JWT
-5. Gets back `pk_*` key + vault metadata
-6. `pc save -m "test"` → encrypts with vault key → sends encrypted blob
-7. `pc status` → shows vault status
----
-## Notes
-### Vault key provisioning (deferred)
-The vault master key is wrapped with a WebAuthn PRF-derived key. The CLI cannot perform passkey ceremonies. A separate mechanism is needed to export the raw master key to the CLI. Options:
-1. Web UI "Enable CLI Access" button that re-wraps master key with a CLI-specific passphrase
-2. QR code in web UI containing the raw key for one-time transfer
-3. Temporary API endpoint that returns the raw key during an authenticated browser session
-This is intentionally deferred. For initial development, the `vaultMetadata` config field stores the raw key directly (base64url-encoded 32 bytes). The provisioning UX will be designed separately.
-### Cross-repo deployment order
-1. Deploy wa-auth (Tasks 1-3, 5) -- backward compatible, existing device flow still works
-2. Deploy prompt-registry (Task 4) -- new endpoint, no existing behavior changes
-3. Release pc-cli (Tasks 6-11) -- requires both backends deployed first