@ritualai/cli 0.3.0 → 0.3.2

package/README.md

@@ -13,19 +13,33 @@ npm install -g @ritualai/cli
 ## Quick start
 
 ```bash
-ritual login          # browser-based sign-in (OAuth 2.1 + PKCE)
 ritual init           # scaffold skills + register MCP with every detected agent
+                      # (prompts to open browser for sign-in on first run)
 ritual doctor         # sanity-check the environment
 ```
 
-That's it. `init` does three things:
+That's it — one command. On first run, `init` detects you're not signed
+in and prompts:
 
-1. Detects which AI coding agents you have installed (Claude Code,
+```
+  You are not signed in.
+  Press Enter to sign in (opens browser), or Ctrl-C to abort:
+```
+
+Hit Enter, complete the browser OAuth flow, and `init` resumes
+automatically. Subsequent `init` runs skip the prompt (credentials are
+cached and refreshed automatically).
+
+`init` does four things:
+
+1. **Signs you in** if you aren't already (browser OAuth, npm-style
+   "press Enter to open browser" prompt). Skipped if already signed in.
+2. **Detects** which AI coding agents you have installed (Claude Code,
    Cursor, Windsurf, Kiro, Gemini CLI, VS Code / Copilot, Codex).
-2. Mints a long-lived **Personal Access Token** via the Ritual API
+3. **Mints a long-lived Personal Access Token** via the Ritual API
    named `Ritual CLI — <hostname>`, so the agent has a credential
    that doesn't expire every 5 minutes the way OAuth tokens do.
-3. For each detected agent: copies the Ritual skill files into your
+4. **For each detected agent:** copies the Ritual skill files into your
    project (`.claude/skills/`, `.cursor/rules/`, etc.) AND writes
    the MCP server config (`claude mcp add-json` for Claude Code, or
    `mcp.json` merge for the others) with the PAT as the Bearer.
@@ -36,8 +50,8 @@ then try `/ritual build <feature>` from inside the agent.
 ## Commands
 
 ```bash
-ritual init [--agent <id>] [--list]   # scaffold + register
-ritual login                          # browser sign-in
+ritual init [--agent <id>] [--list]   # scaffold + register (signs in if needed)
+ritual login                          # explicit browser sign-in
 ritual logout                         # clear creds
 ritual whoami                         # session info, auto-refresh
 ritual refresh                        # force token refresh

package/dist/commands/init.js

@@ -1,5 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEV_ISSUER = void 0;
 exports.initCommand = initCommand;
 const config_1 = require("../lib/config");
 const api_client_1 = require("../lib/api-client");
@@ -8,6 +9,32 @@ const detector_1 = require("../lib/agents/detector");
 const providers_1 = require("../lib/agents/providers");
 const configure_mcp_1 = require("../lib/agents/configure-mcp");
 const skill_copy_1 = require("../lib/skill-copy");
+const auth_flow_1 = require("../lib/auth-flow");
+const prompt_1 = require("../lib/prompt");
+/**
+ * Issuer URL for the dev shortcut. Exported so `ritual login --dev`
+ * can use the same constant (single source of truth — if we ever flip
+ * the dev domain, one place to update).
+ */
+exports.DEV_ISSUER = 'https://auth.dev.ritualapp.cloud/realms/ritual';
+/**
+ * Resolve the OIDC issuer to use for lazy-auth in this `init` run.
+ *
+ *   1. --dev (highest priority — explicit shortcut for the Ritual team)
+ *   2. --issuer (explicit URL for self-hosted enterprise)
+ *   3. RITUAL_KEYCLOAK_URL env var (covered inside runBrowserLoginAndSave)
+ *   4. Default (prod)
+ *
+ * Step 3+ are handled by `runBrowserLoginAndSave` if we pass undefined
+ * — so we only need to return a string for #1 and #2.
+ */
+function resolveIssuerForInit(opts) {
+    if (opts.dev)
+        return exports.DEV_ISSUER;
+    if (opts.issuer)
+        return opts.issuer;
+    return undefined; // let auth-flow.ts pick from env / default
+}
 async function initCommand(opts = {}) {
     console.log('');
     console.log('  Ritual — scaffolding skills + connecting AI coding agents');
@@ -21,20 +48,62 @@ async function initCommand(opts = {}) {
         console.log('');
         return;
     }
-    // --- 1. Auth check -----------------------------------------------
-    const tokenStatus = await (0, config_1.getValidAccessToken)();
-    if (tokenStatus.kind === 'not-signed-in') {
-        console.error('  ✗ Not signed in. Run `ritual login` first, then `ritual init`.');
-        console.error('');
-        process.exitCode = 1;
-        return;
-    }
-    if (tokenStatus.kind === 're-auth-required') {
-        console.error('  ✗ Your session expired. Run `ritual login` to re-authenticate.');
-        console.error(`    Reason: ${tokenStatus.reason}`);
-        console.error('');
-        process.exitCode = 1;
-        return;
+    // --- 1. Auth check (lazy login — npm-style "press Enter to sign in") ---
+    //
+    // If we're signed in, fast-path: continue.
+    // If we're not (or session is dead), and stdin is a TTY, prompt to
+    // open the browser inline so `init` is a one-command experience.
+    // If stdin is non-TTY (CI / piped), keep the old behavior: clear
+    // error + non-zero exit. Unattended runs MUST NOT hang waiting
+    // for an Enter that's never coming.
+    let tokenStatus = await (0, config_1.getValidAccessToken)();
+    if (tokenStatus.kind !== 'signed-in') {
+        const reason = tokenStatus.kind === 're-auth-required'
+            ? `session expired (${tokenStatus.reason})`
+            : 'you are not signed in';
+        if (!process.stdin.isTTY) {
+            console.error(`  ✗ ${reason}. Run \`ritual login\` first, then \`ritual init\`.`);
+            console.error('');
+            process.exitCode = 1;
+            return;
+        }
+        console.log(`  ${capitalize(reason)}.`);
+        try {
+            await (0, prompt_1.prompt)('  Press Enter to sign in (opens browser), or Ctrl-C to abort: ');
+        }
+        catch {
+            // Ctrl-D / stdin closed mid-prompt — treat as abort.
+            console.log('');
+            console.log('  Sign-in aborted.');
+            process.exitCode = 1;
+            return;
+        }
+        try {
+            await (0, auth_flow_1.runBrowserLoginAndSave)({
+                issuer: resolveIssuerForInit(opts),
+                clientId: opts.clientId,
+            });
+        }
+        catch (err) {
+            console.error('');
+            console.error(`  ✗ Sign-in did not complete: ${err.message}`);
+            console.error('  Run `ritual login` to retry, then re-run `ritual init`.');
+            console.error('');
+            process.exitCode = 1;
+            return;
+        }
+        // Re-read credentials now that login succeeded. We use this to
+        // hand the OAuth access token to mintAgentPat below.
+        tokenStatus = await (0, config_1.getValidAccessToken)();
+        if (tokenStatus.kind !== 'signed-in') {
+            // Should never happen — login just succeeded and saved tokens.
+            console.error('  ✗ Sign-in succeeded but credentials still unreadable. Please re-run.');
+            process.exitCode = 1;
+            return;
+        }
+        console.log('');
+        console.log(`  ✓ Signed in as ${tokenStatus.creds.user?.email ?? tokenStatus.creds.user?.sub ?? 'unknown'}`);
+        console.log('');
     }
     // --- 2. Detect agents (or pick a specific one) -------------------
     let targets;
@@ -133,6 +202,10 @@ async function initCommand(opts = {}) {
     console.log('        In your agent, try:  /ritual build <feature>');
     console.log('');
 }
+/** Tiny helper for the lazy-auth message ("you are not signed in" → "You are..."). */
+function capitalize(s) {
+    return s.length === 0 ? s : s[0].toUpperCase() + s.slice(1);
+}
 /**
  * Mirror of `apiBaseFromIssuer` but for the web app. Used in the
  * "manage tokens at <url>" hint above.

package/dist/commands/init.js.map

@@ -1 +1 @@
-{"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":";;AAuDA,kCAsIC;AA7LD,0CAAoD;AACpD,kDAAgE;AAChE,gDAAgD;AAChD,qDAGgC;AAChC,uDAAsE;AACtE,+DAGqC;AACrC,kDAA2E;AA2CpE,KAAK,UAAU,WAAW,CAAC,OAAoB,EAAE;IACvD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;IAC3E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,mEAAmE;IACnE,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,qBAAS,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO;IACR,CAAC;IAED,oEAAoE;IACpE,MAAM,WAAW,GAAG,MAAM,IAAA,4BAAmB,GAAE,CAAC;IAEhD,IAAI,WAAW,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,kEAAkE,CAAC,CAAC;QAClF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACR,CAAC;IACD,IAAI,WAAW,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QAC7C,OAAO,CAAC,KAAK,CAAC,kEAAkE,CAAC,CAAC;QAClF,OAAO,CAAC,KAAK,CAAC,eAAe,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC;QACnD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACR,CAAC;IAED,oEAAoE;IACpE,IAAI,OAA0B,CAAC;IAE/B,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,QAAQ,GAAG,IAAA,4BAAgB,EAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,sBAAsB,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;YAClD,OAAO,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;YACnE,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAClB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACR,CAAC;QACD,+DAA+D;QAC/D,6DAA6D;QAC7D,qBAAqB;QACrB,OAAO,GAAG;YACT;gBACC,EAAE,EAAE,QAAQ,CAAC,EAAE;gBACf,IAAI,EAAE,QAAQ,CAAC,IAAI;gBACnB,QAAQ,EAAE,IAAI;gBACd,QAAQ;aACR;SACD,CAAC;IACH,CAAC;SAAM,CAAC;QACP,MAAM,GAAG,GAAG,IAAA,uBAAY,GAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,0DAA0D;YAC1D,wDAAwD;YACxD,kDAAkD;YAClD,MAAM,cAAc,GAAG,IAAA,4BAAgB,EAAC,aAAa,CAAE,CAAC;YACxD,OAAO,GAAG;gBACT;oBACC,EAAE,EAAE,cAAc,CAAC,EAAE;oBACrB,IAAI,EAAE,cAAc,CAAC,IAAI;oBACzB,QAAQ,EAAE,KAAK;oBACf,QAAQ,EAAE,cAAc;iBACxB;aACD,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;YAC5D,OAAO,CAAC,GAAG,CAAC,mBAAmB,cAAc,CAAC,IAAI,0CAA0C,CAAC,CAAC;YAC9F,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;aAAM,CAAC;YACP,OAAO,GAAG,QAAQ,CAAC;YACnB,OAAO,CAAC,GAAG,CAAC,cAAc,QAAQ,CAAC,MAAM,cAAc,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACjG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;IACF,CAAC;IAED,oEAAoE;IACpE,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC;IACxC,MAAM,GAAG,GAAG,IAAI,sBAAS,CAAC;QACzB,MAAM;QACN,WAAW,EAAE,WAAW,CAAC,WAAW;KACpC,CAAC,CAAC;IACH,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,MAAM,CAAC,CAAC;IAExC,IAAI,GAA6C,CAAC;IAClD,IAAI,CAAC;QACJ,GAAG,GAAG,MAAM,IAAA,wBAAY,EAAC,EAAE,GAAG,EAAE,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,oCAAqC,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5E,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACR,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACtC,OAAO,CAAC,GAAG,CAAC,yBAAyB,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;IACpF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,oEAAoE;IACpE,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAC7C,MAAM,WAAW,GAAiB,EAAE,CAAC;IACrC,MAAM,mBAAmB,GAAyB,EAAE,CAAC;IAErD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACzB,WAAW,CAAC,IAAI,CAAC,IAAA,kCAAqB,EAAC,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC;QAChE,mBAAmB,CAAC,IAAI,CACvB,IAAA,oCAAoB,EAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,CAAC,cAAc,EAAE,CAAC,CAC5E,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACpC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAE,CAAC;QACvE,MAAM,GAAG,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAE,CAAC;QAC9E,MAAM,YAAY,GACjB,IAAI,CAAC,MAAM,GAAG,CAAC;YACd,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,QAAQ,CAAC,eAAe,GAAG;YAC5D,CAAC,CAAC,mBAAmB,IAAI,CAAC,MAAM,IAAI,SAAS,GAAG,CAAC;QACnD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO;YAC7B,CAAC,CAAC,uBAAuB;YACzB,CAAC,CAAC,wBAAwB,GAAG,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QACtC,OAAO,CAAC,GAAG,CAAC,SAAS,YAAY,EAAE,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,SAAS,UAAU,EAAE,CAAC,CAAC;IACpC,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,yEAAyE,CAAC,CAAC;IACvF,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;IACpE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AACjB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,MAAc;IAC1C,IAAI,CAAC;QACJ,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1B,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;QACpB,IAAI,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC;YAAE,OAAO,6BAA6B,CAAC;QACvE,IAAI,IAAI,KAAK,sBAAsB;YAAE,OAAO,6BAA6B,CAAC;QAC1E,qDAAqD;QACrD,OAAO,WAAW,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,CAAC;IACrD,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,6BAA6B,CAAC;IACtC,CAAC;AACF,CAAC"}
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":";;;AA2FA,kCAmLC;AA9QD,0CAAoD;AACpD,kDAAgE;AAChE,gDAAgD;AAChD,qDAGgC;AAChC,uDAAsE;AACtE,+DAGqC;AACrC,kDAA2E;AAC3E,gDAA0D;AAC1D,0CAAuC;AAqDvC;;;;GAIG;AACU,QAAA,UAAU,GAAG,gDAAgD,CAAC;AAE3E;;;;;;;;;;GAUG;AACH,SAAS,oBAAoB,CAAC,IAAiB;IAC9C,IAAI,IAAI,CAAC,GAAG;QAAE,OAAO,kBAAU,CAAC;IAChC,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC,MAAM,CAAC;IACpC,OAAO,SAAS,CAAC,CAAC,2CAA2C;AAC9D,CAAC;AAEM,KAAK,UAAU,WAAW,CAAC,OAAoB,EAAE;IACvD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;IAC3E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,mEAAmE;IACnE,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,qBAAS,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO;IACR,CAAC;IAED,0EAA0E;IAC1E,EAAE;IACF,2CAA2C;IAC3C,mEAAmE;IACnE,iEAAiE;IACjE,iEAAiE;IACjE,+DAA+D;IAC/D,oCAAoC;IACpC,IAAI,WAAW,GAAG,MAAM,IAAA,4BAAmB,GAAE,CAAC;IAE9C,IAAI,WAAW,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QACtC,MAAM,MAAM,GACX,WAAW,CAAC,IAAI,KAAK,kBAAkB;YACtC,CAAC,CAAC,oBAAoB,WAAW,CAAC,MAAM,GAAG;YAC3C,CAAC,CAAC,uBAAuB,CAAC;QAE5B,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YAC1B,OAAO,CAAC,KAAK,CAAC,OAAO,MAAM,qDAAqD,CAAC,CAAC;YAClF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAClB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACR,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,KAAK,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,CAAC;YACJ,MAAM,IAAA,eAAM,EAAC,gEAAgE,CAAC,CAAC;QAChF,CAAC;QAAC,MAAM,CAAC;YACR,qDAAqD;YACrD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;YAClC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACR,CAAC;QAED,IAAI,CAAC;YACJ,MAAM,IAAA,kCAAsB,EAAC;gBAC5B,MAAM,EAAE,oBAAoB,CAAC,IAAI,CAAC;gBAClC,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACvB,CAAC,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,iCAAkC,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YACzE,OAAO,CAAC,KAAK,CAAC,2DAA2D,CAAC,CAAC;YAC3E,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAClB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACR,CAAC;QAED,+DAA+D;QAC/D,qDAAqD;QACrD,WAAW,GAAG,MAAM,IAAA,4BAAmB,GAAE,CAAC;QAC1C,IAAI,WAAW,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YACtC,+DAA+D;YAC/D,OAAO,CAAC,KAAK,CAAC,wEAAwE,CAAC,CAAC;YACxF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACR,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,oBAAoB,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,IAAI,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,GAAG,IAAI,SAAS,EAAE,CAAC,CAAC;QAC7G,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,oEAAoE;IACpE,IAAI,OAA0B,CAAC;IAE/B,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,QAAQ,GAAG,IAAA,4BAAgB,EAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,sBAAsB,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;YAClD,OAAO,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;YACnE,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAClB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACR,CAAC;QACD,+DAA+D;QAC/D,6DAA6D;QAC7D,qBAAqB;QACrB,OAAO,GAAG;YACT;gBACC,EAAE,EAAE,QAAQ,CAAC,EAAE;gBACf,IAAI,EAAE,QAAQ,CAAC,IAAI;gBACnB,QAAQ,EAAE,IAAI;gBACd,QAAQ;aACR;SACD,CAAC;IACH,CAAC;SAAM,CAAC;QACP,MAAM,GAAG,GAAG,IAAA,uBAAY,GAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,0DAA0D;YAC1D,wDAAwD;YACxD,kDAAkD;YAClD,MAAM,cAAc,GAAG,IAAA,4BAAgB,EAAC,aAAa,CAAE,CAAC;YACxD,OAAO,GAAG;gBACT;oBACC,EAAE,EAAE,cAAc,CAAC,EAAE;oBACrB,IAAI,EAAE,cAAc,CAAC,IAAI;oBACzB,QAAQ,EAAE,KAAK;oBACf,QAAQ,EAAE,cAAc;iBACxB;aACD,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;YAC5D,OAAO,CAAC,GAAG,CAAC,mBAAmB,cAAc,CAAC,IAAI,0CAA0C,CAAC,CAAC;YAC9F,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;aAAM,CAAC;YACP,OAAO,GAAG,QAAQ,CAAC;YACnB,OAAO,CAAC,GAAG,CAAC,cAAc,QAAQ,CAAC,MAAM,cAAc,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACjG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;IACF,CAAC;IAED,oEAAoE;IACpE,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC;IACxC,MAAM,GAAG,GAAG,IAAI,sBAAS,CAAC;QACzB,MAAM;QACN,WAAW,EAAE,WAAW,CAAC,WAAW;KACpC,CAAC,CAAC;IACH,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,MAAM,CAAC,CAAC;IAExC,IAAI,GAA6C,CAAC;IAClD,IAAI,CAAC;QACJ,GAAG,GAAG,MAAM,IAAA,wBAAY,EAAC,EAAE,GAAG,EAAE,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,oCAAqC,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5E,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACR,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACtC,OAAO,CAAC,GAAG,CAAC,yBAAyB,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;IACpF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,oEAAoE;IACpE,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAC7C,MAAM,WAAW,GAAiB,EAAE,CAAC;IACrC,MAAM,mBAAmB,GAAyB,EAAE,CAAC;IAErD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACzB,WAAW,CAAC,IAAI,CAAC,IAAA,kCAAqB,EAAC,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC;QAChE,mBAAmB,CAAC,IAAI,CACvB,IAAA,oCAAoB,EAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,CAAC,cAAc,EAAE,CAAC,CAC5E,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACpC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAE,CAAC;QACvE,MAAM,GAAG,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAE,CAAC;QAC9E,MAAM,YAAY,GACjB,IAAI,CAAC,MAAM,GAAG,CAAC;YACd,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,QAAQ,CAAC,eAAe,GAAG;YAC5D,CAAC,CAAC,mBAAmB,IAAI,CAAC,MAAM,IAAI,SAAS,GAAG,CAAC;QACnD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO;YAC7B,CAAC,CAAC,uBAAuB;YACzB,CAAC,CAAC,wBAAwB,GAAG,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QACtC,OAAO,CAAC,GAAG,CAAC,SAAS,YAAY,EAAE,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,SAAS,UAAU,EAAE,CAAC,CAAC;IACpC,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,yEAAyE,CAAC,CAAC;IACvF,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;IACpE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AACjB,CAAC;AAED,sFAAsF;AACtF,SAAS,UAAU,CAAC,CAAS;IAC5B,OAAO,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,MAAc;IAC1C,IAAI,CAAC;QACJ,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1B,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;QACpB,IAAI,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC;YAAE,OAAO,6BAA6B,CAAC;QACvE,IAAI,IAAI,KAAK,sBAAsB;YAAE,OAAO,6BAA6B,CAAC;QAC1E,qDAAqD;QACrD,OAAO,WAAW,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,CAAC;IACrD,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,6BAA6B,CAAC;IACtC,CAAC;AACF,CAAC"}

package/dist/commands/login.js

@@ -1,15 +1,8 @@
 "use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.loginCommand = loginCommand;
-const open_1 = __importDefault(require("open"));
-const oidc_1 = require("../lib/oidc");
-const config_1 = require("../lib/config");
-const DEFAULT_ISSUER = process.env.RITUAL_KEYCLOAK_URL ?? 'https://auth.ritualapp.cloud/realms/ritual';
-const DEFAULT_CLIENT_ID = process.env.RITUAL_KEYCLOAK_CLIENT_ID ?? 'ritual-cli';
-const DEFAULT_SCOPE = 'openid profile email ritual:read ritual:write';
+const auth_flow_1 = require("../lib/auth-flow");
+const init_1 = require("./init");
 /**
  * `ritual login` — browser-based Auth Code + PKCE flow against
  * Keycloak. On success, stores the access + refresh tokens in
@@ -17,17 +10,23 @@ const DEFAULT_SCOPE = 'openid profile email ritual:read ritual:write';
  *
  * Defaults point at production (`auth.ritualapp.cloud`); override via
  * `--issuer https://auth.dev.ritualapp.cloud/realms/ritual` for dev,
- * or set `RITUAL_KEYCLOAK_URL` env var.
+ * `--dev` as the shortcut, or set `RITUAL_KEYCLOAK_URL` env var.
+ *
+ * The flow itself lives in `lib/auth-flow.ts` so `ritual init` can
+ * invoke the same path when it lazily prompts the user to sign in.
  */
 async function loginCommand(options) {
-    const issuer = options.issuer ?? DEFAULT_ISSUER;
-    const clientId = options.clientId ?? DEFAULT_CLIENT_ID;
     console.log('');
     console.log('  Ritual — sign in');
     console.log('');
-    let tokenSet;
+    // --dev wins over --issuer (consistent with init); both win over env.
+    const issuer = options.dev ? init_1.DEV_ISSUER : options.issuer;
+    let creds;
     try {
-        tokenSet = await (0, oidc_1.performLoginFlow)({ issuer, clientId, scope: DEFAULT_SCOPE }, (url) => (0, open_1.default)(url), (msg) => console.log(`  ${msg}`));
+        creds = await (0, auth_flow_1.runBrowserLoginAndSave)({
+            issuer,
+            clientId: options.clientId,
+        });
     }
     catch (err) {
         console.error('');
@@ -35,23 +34,6 @@ async function loginCommand(options) {
         process.exitCode = 1;
         return;
     }
-    const claims = (0, oidc_1.decodeJwtPayloadUnsafe)(tokenSet.access_token);
-    const creds = {
-        version: 1,
-        issuer,
-        clientId,
-        tokenSet: {
-            access_token: tokenSet.access_token,
-            refresh_token: tokenSet.refresh_token,
-            expires_at: Math.floor(Date.now() / 1000) + tokenSet.expires_in,
-            id_token: tokenSet.id_token,
-            scope: tokenSet.scope,
-        },
-        user: claims
-            ? { sub: claims.sub, email: claims.email ?? claims.preferred_username }
-            : undefined,
-    };
-    (0, config_1.saveCredentials)(creds);
     const display = creds.user?.email ?? creds.user?.sub ?? 'unknown';
     console.log('');
     console.log(`  ✓ Signed in as ${display}`);

package/dist/commands/login.js.map

@@ -1 +1 @@
-{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/commands/login.ts"],"names":[],"mappings":";;;;;AAuBA,oCAkDC;AAzED,gDAAwB;AACxB,sCAAuE;AACvE,0CAAqE;AAOrE,MAAM,cAAc,GACnB,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,4CAA4C,CAAC;AACjF,MAAM,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,IAAI,YAAY,CAAC;AAChF,MAAM,aAAa,GAAG,+CAA+C,CAAC;AAEtE;;;;;;;;GAQG;AACI,KAAK,UAAU,YAAY,CAAC,OAAqB;IACvD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,cAAc,CAAC;IAChD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,iBAAiB,CAAC;IAEvD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,IAAI,QAAQ,CAAC;IACb,IAAI,CAAC;QACJ,QAAQ,GAAG,MAAM,IAAA,uBAAgB,EAChC,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,aAAa,EAAE,EAC1C,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,cAAI,EAAC,GAAG,CAAC,EAClB,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,CAAC,CAChC,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,qBAAsB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACR,CAAC;IAED,MAAM,MAAM,GAAG,IAAA,6BAAsB,EACpC,QAAQ,CAAC,YAAY,CACrB,CAAC;IAEF,MAAM,KAAK,GAAmB;QAC7B,OAAO,EAAE,CAAC;QACV,MAAM;QACN,QAAQ;QACR,QAAQ,EAAE;YACT,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,aAAa,EAAE,QAAQ,CAAC,aAAa;YACrC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,QAAQ,CAAC,UAAU;YAC/D,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,KAAK,EAAE,QAAQ,CAAC,KAAK;SACrB;QACD,IAAI,EAAE,MAAM;YACX,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,kBAAkB,EAAE;YACvE,CAAC,CAAC,SAAS;KACZ,CAAC;IACF,IAAA,wBAAe,EAAC,KAAK,CAAC,CAAC;IAEvB,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,GAAG,IAAI,SAAS,CAAC;IAClE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;IAC3C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;IACzE,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;IACjE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AACjB,CAAC"}
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/commands/login.ts"],"names":[],"mappings":";;AAwBA,oCA4BC;AApDD,gDAA0D;AAC1D,iCAAoC;AAWpC;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,YAAY,CAAC,OAAqB;IACvD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,sEAAsE;IACtE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,iBAAU,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAEzD,IAAI,KAAK,CAAC;IACV,IAAI,CAAC;QACJ,KAAK,GAAG,MAAM,IAAA,kCAAsB,EAAC;YACpC,MAAM;YACN,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC1B,CAAC,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,qBAAsB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACR,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,GAAG,IAAI,SAAS,CAAC;IAClE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;IAC3C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;IACzE,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;IACjE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AACjB,CAAC"}

package/dist/index.js

@@ -13,7 +13,7 @@ program
     .name('ritual')
     .description('Ritual CLI — connect AI coding agents to Ritual Cloud. ' +
     'Scaffold skills, register MCP servers, manage sessions.')
-    .version('0.3.0');
+    .version('0.3.2');
 // `init` is the headline command: scaffold + register against every
 // detected agent. Listed first so `ritual --help` surfaces it.
 program
@@ -21,12 +21,16 @@ program
     .description('Scaffold Ritual skills + register MCP server with every detected AI coding agent')
     .option('--agent <id>', 'Restrict to one agent (e.g. claude-code, cursor, kiro)')
     .option('--list', 'List known agents and exit')
+    .option('--issuer <url>', 'OIDC issuer for the lazy-auth flow (defaults to prod or RITUAL_KEYCLOAK_URL env)')
+    .option('--client-id <id>', 'OIDC client id (defaults to "ritual-cli")')
+    .option('--dev', '[internal] shortcut for --issuer https://auth.dev.ritualapp.cloud/realms/ritual')
     .action(init_1.initCommand);
 program
     .command('login')
     .description('Authenticate with Ritual via your browser')
     .option('--issuer <url>', 'OIDC issuer (defaults to https://auth.ritualapp.cloud/realms/ritual or RITUAL_KEYCLOAK_URL env)')
     .option('--client-id <id>', 'OIDC client id (defaults to "ritual-cli" or RITUAL_KEYCLOAK_CLIENT_ID env)')
+    .option('--dev', '[internal] shortcut for --issuer https://auth.dev.ritualapp.cloud/realms/ritual')
     .action(login_1.loginCommand);
 program
     .command('logout')

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAEA,yCAAoC;AACpC,4CAAgD;AAChD,8CAAkD;AAClD,8CAAkD;AAClD,gDAAoD;AACpD,0CAA8C;AAC9C,8CAAkD;AAElD,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACL,IAAI,CAAC,QAAQ,CAAC;KACd,WAAW,CACX,yDAAyD;IACxD,yDAAyD,CAC1D;KACA,OAAO,CAAC,OAAO,CAAC,CAAC;AAEnB,oEAAoE;AACpE,+DAA+D;AAC/D,OAAO;KACL,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,kFAAkF,CAAC;KAC/F,MAAM,CAAC,cAAc,EAAE,wDAAwD,CAAC;KAChF,MAAM,CAAC,QAAQ,EAAE,4BAA4B,CAAC;KAC9C,MAAM,CAAC,kBAAW,CAAC,CAAC;AAEtB,OAAO;KACL,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,2CAA2C,CAAC;KACxD,MAAM,CACN,gBAAgB,EAChB,iGAAiG,CACjG;KACA,MAAM,CACN,kBAAkB,EAClB,4EAA4E,CAC5E;KACA,MAAM,CAAC,oBAAY,CAAC,CAAC;AAEvB,OAAO;KACL,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,yBAAyB,CAAC;KACtC,MAAM,CAAC,sBAAa,CAAC,CAAC;AAExB,OAAO;KACL,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,6DAA6D,CAAC;KAC1E,MAAM,CAAC,sBAAa,CAAC,CAAC;AAExB,OAAO;KACL,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,sEAAsE,CAAC;KACnF,MAAM,CAAC,wBAAc,CAAC,CAAC;AAEzB,OAAO;KACL,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,2EAA2E,CAAC;KACxF,MAAM,CAAC,sBAAa,CAAC,CAAC;AAExB,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,GAAU,EAAE,EAAE;IACrD,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;IACxC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACjB,CAAC,CAAC,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAEA,yCAAoC;AACpC,4CAAgD;AAChD,8CAAkD;AAClD,8CAAkD;AAClD,gDAAoD;AACpD,0CAA8C;AAC9C,8CAAkD;AAElD,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACL,IAAI,CAAC,QAAQ,CAAC;KACd,WAAW,CACX,yDAAyD;IACxD,yDAAyD,CAC1D;KACA,OAAO,CAAC,OAAO,CAAC,CAAC;AAEnB,oEAAoE;AACpE,+DAA+D;AAC/D,OAAO;KACL,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,kFAAkF,CAAC;KAC/F,MAAM,CAAC,cAAc,EAAE,wDAAwD,CAAC;KAChF,MAAM,CAAC,QAAQ,EAAE,4BAA4B,CAAC;KAC9C,MAAM,CACN,gBAAgB,EAChB,kFAAkF,CAClF;KACA,MAAM,CAAC,kBAAkB,EAAE,2CAA2C,CAAC;KACvE,MAAM,CAAC,OAAO,EAAE,iFAAiF,CAAC;KAClG,MAAM,CAAC,kBAAW,CAAC,CAAC;AAEtB,OAAO;KACL,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,2CAA2C,CAAC;KACxD,MAAM,CACN,gBAAgB,EAChB,iGAAiG,CACjG;KACA,MAAM,CACN,kBAAkB,EAClB,4EAA4E,CAC5E;KACA,MAAM,CAAC,OAAO,EAAE,iFAAiF,CAAC;KAClG,MAAM,CAAC,oBAAY,CAAC,CAAC;AAEvB,OAAO;KACL,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,yBAAyB,CAAC;KACtC,MAAM,CAAC,sBAAa,CAAC,CAAC;AAExB,OAAO;KACL,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,6DAA6D,CAAC;KAC1E,MAAM,CAAC,sBAAa,CAAC,CAAC;AAExB,OAAO;KACL,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,sEAAsE,CAAC;KACnF,MAAM,CAAC,wBAAc,CAAC,CAAC;AAEzB,OAAO;KACL,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,2EAA2E,CAAC;KACxF,MAAM,CAAC,sBAAa,CAAC,CAAC;AAExB,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,GAAU,EAAE,EAAE;IACrD,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;IACxC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACjB,CAAC,CAAC,CAAC"}

package/dist/lib/auth-flow.js

@@ -0,0 +1,62 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_SCOPE = exports.DEFAULT_CLIENT_ID = exports.DEFAULT_ISSUER = void 0;
+exports.runBrowserLoginAndSave = runBrowserLoginAndSave;
+const open_1 = __importDefault(require("open"));
+const oidc_1 = require("./oidc");
+const config_1 = require("./config");
+/**
+ * Shared OAuth defaults + the "run the browser flow and save tokens"
+ * helper. Both `ritual login` and `ritual init`'s lazy-auth path use
+ * this so the auth surface stays in one place.
+ *
+ * If you find yourself wanting a third caller, add it here — don't
+ * inline `performLoginFlow` in another command file; the
+ * decode-JWT → build CliCredentials → save lockstep is easy to miss
+ * a step on.
+ */
+exports.DEFAULT_ISSUER = process.env.RITUAL_KEYCLOAK_URL ?? 'https://auth.ritualapp.cloud/realms/ritual';
+exports.DEFAULT_CLIENT_ID = process.env.RITUAL_KEYCLOAK_CLIENT_ID ?? 'ritual-cli';
+exports.DEFAULT_SCOPE = 'openid profile email ritual:read ritual:write';
+/**
+ * Run the browser-based OAuth Auth-Code + PKCE flow, decode the
+ * resulting JWT to pull out the user identity, and persist the
+ * credentials to `~/.config/ritual/credentials.json`.
+ *
+ * Returns the saved credentials. Callers can use that to immediately
+ * call API endpoints without re-reading from disk.
+ *
+ * Throws on any failure (user dismissed the browser flow, network
+ * error, refused at IdP). The caller decides how to surface that —
+ * `ritual login` prints to stderr and sets exit code; `ritual init`
+ * prints a clearer "sign-in didn't complete" hint and continues to
+ * skip the registration step.
+ */
+async function runBrowserLoginAndSave(opts = {}) {
+    const issuer = opts.issuer ?? exports.DEFAULT_ISSUER;
+    const clientId = opts.clientId ?? exports.DEFAULT_CLIENT_ID;
+    const onMessage = opts.onMessage ?? ((msg) => console.log(`  ${msg}`));
+    const tokenSet = await (0, oidc_1.performLoginFlow)({ issuer, clientId, scope: exports.DEFAULT_SCOPE }, (url) => (0, open_1.default)(url), onMessage);
+    const claims = (0, oidc_1.decodeJwtPayloadUnsafe)(tokenSet.access_token);
+    const creds = {
+        version: 1,
+        issuer,
+        clientId,
+        tokenSet: {
+            access_token: tokenSet.access_token,
+            refresh_token: tokenSet.refresh_token,
+            expires_at: Math.floor(Date.now() / 1000) + tokenSet.expires_in,
+            id_token: tokenSet.id_token,
+            scope: tokenSet.scope,
+        },
+        user: claims
+            ? { sub: claims.sub, email: claims.email ?? claims.preferred_username }
+            : undefined,
+    };
+    (0, config_1.saveCredentials)(creds);
+    return creds;
+}
+//# sourceMappingURL=auth-flow.js.map

package/dist/lib/auth-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-flow.js","sourceRoot":"","sources":["../../src/lib/auth-flow.ts"],"names":[],"mappings":";;;;;;AA8CA,wDAoCC;AAlFD,gDAAwB;AACxB,iCAAkE;AAClE,qCAAgE;AAEhE;;;;;;;;;GASG;AAEU,QAAA,cAAc,GAC1B,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,4CAA4C,CAAC;AACpE,QAAA,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,IAAI,YAAY,CAAC;AAC1E,QAAA,aAAa,GAAG,+CAA+C,CAAC;AAc7E;;;;;;;;;;;;;GAaG;AACI,KAAK,UAAU,sBAAsB,CAC3C,OAA4B,EAAE;IAE9B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,sBAAc,CAAC;IAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,yBAAiB,CAAC;IACpD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,CAAC,CAAC,GAAW,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC,CAAC;IAE/E,MAAM,QAAQ,GAAG,MAAM,IAAA,uBAAgB,EACtC,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,qBAAa,EAAE,EAC1C,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,cAAI,EAAC,GAAG,CAAC,EAClB,SAAS,CACT,CAAC;IAEF,MAAM,MAAM,GAAG,IAAA,6BAAsB,EAIlC,QAAQ,CAAC,YAAY,CAAC,CAAC;IAE1B,MAAM,KAAK,GAAmB;QAC7B,OAAO,EAAE,CAAC;QACV,MAAM;QACN,QAAQ;QACR,QAAQ,EAAE;YACT,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,aAAa,EAAE,QAAQ,CAAC,aAAa;YACrC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,QAAQ,CAAC,UAAU;YAC/D,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,KAAK,EAAE,QAAQ,CAAC,KAAK;SACrB;QACD,IAAI,EAAE,MAAM;YACX,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,kBAAkB,EAAE;YACvE,CAAC,CAAC,SAAS;KACZ,CAAC;IACF,IAAA,wBAAe,EAAC,KAAK,CAAC,CAAC;IACvB,OAAO,KAAK,CAAC;AACd,CAAC"}

package/dist/lib/prompt.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.prompt = prompt;
+const promises_1 = require("node:readline/promises");
+/**
+ * Tiny prompt utility for interactive console input.
+ *
+ * The CLI uses this in two places:
+ *   - `ritual init` (lazy-auth path): "Press Enter to open browser…"
+ *   - any future command that needs to confirm a destructive action
+ *
+ * We deliberately avoid pulling in `inquirer` / `prompts` / etc. — Node's
+ * built-in `readline/promises` covers everything we need with zero dep
+ * surface. Keeps the install footprint small for a CLI that lives
+ * inside dev environments.
+ */
+/**
+ * Print `message` and wait for the user to press Enter. Returns the
+ * line they typed (if any) — usually empty for the "Press Enter" UX,
+ * but supported so callers can prompt for free-form input later.
+ *
+ * Throws on TTY-less stdin (CI / piped input). Caller must gate on
+ * `process.stdin.isTTY` before invoking — see init.ts for the pattern.
+ */
+async function prompt(message) {
+    const rl = (0, promises_1.createInterface)({ input: process.stdin, output: process.stdout });
+    try {
+        const answer = await rl.question(message);
+        return answer;
+    }
+    finally {
+        rl.close();
+    }
+}
+//# sourceMappingURL=prompt.js.map

package/dist/lib/prompt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt.js","sourceRoot":"","sources":["../../src/lib/prompt.ts"],"names":[],"mappings":";;AAuBA,wBAQC;AA/BD,qDAAyD;AAEzD;;;;;;;;;;;GAWG;AAEH;;;;;;;GAOG;AACI,KAAK,UAAU,MAAM,CAAC,OAAe;IAC3C,MAAM,EAAE,GAAG,IAAA,0BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7E,IAAI,CAAC;QACJ,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC1C,OAAO,MAAM,CAAC;IACf,CAAC;YAAS,CAAC;QACV,EAAE,CAAC,KAAK,EAAE,CAAC;IACZ,CAAC;AACF,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ritualai/cli",
-	"version": "0.3.0",
+	"version": "0.3.2",
 	"description": "Ritual CLI — scaffold AI coding agent skills + register MCP servers. Connects Claude Code, Cursor, Windsurf, Kiro, Gemini CLI, VS Code/Copilot, and Codex to Ritual Cloud.",
 	"private": false,
 	"license": "Apache-2.0",