@sellable/install 0.1.163 → 0.1.165

package/bin/sellable-install.mjs

@@ -31,7 +31,7 @@ function getInstallVersion() {
   }
 }
 
-const CODEX_PLUGIN_VERSION = "0.1.33";
+const CODEX_PLUGIN_VERSION = "0.1.34";
 const CODEX_PLUGIN_COMPAT_VERSIONS = [
   "0.1.8",
   "0.1.9",
@@ -55,6 +55,10 @@ const CODEX_PLUGIN_COMPAT_VERSIONS = [
   "0.1.27",
   "0.1.28",
   "0.1.29",
+  "0.1.30",
+  "0.1.31",
+  "0.1.32",
+  "0.1.33",
 ];
 const INSTALL_PACKAGE_SPEC =
   process.env.SELLABLE_INSTALL_PACKAGE_SPEC || "@sellable/install@latest";
@@ -522,7 +526,7 @@ function codexPluginMcp(opts) {
       mcpServers: {
         sellable: {
           type: "http",
-          url: opts.hostedUrl,
+          url: withHostedWatchModeDriver(opts.hostedUrl, "codex"),
         },
       },
     };
@@ -802,20 +806,21 @@ that we are checking people from these posts to confirm the right people are
 actually engaging and the source is viable.
 
 Only the first brief approval handoff should include live campaign access after
-the readable inline content. Show a short \`Watch link:\` line once, immediately
-after shell creation and before brief approval. Later approval gates should
-describe what the already-open campaign app is showing and rely on
-currentStep/watchNarration; do not print the URL again unless the user asks or a
-recovery path must replace a missing/broken link. In normal customer runs, do
-not show local draft filenames or filesystem paths unless the user asks for
-debug artifacts. The link is for deeper inspection; never use it as a substitute
-for showing the content in chat.
+the readable inline content. Show the exact \`create_campaign.watchHandoff.markdown\`
+block once, immediately after shell creation and before brief approval. Later
+approval gates should describe what the already-open campaign app is showing and
+rely on currentStep/watchNarration; do not print the URL again unless the user
+asks or a recovery path must replace a missing/broken link. In normal customer
+runs, do not show \`Open artifact:\` lines, raw filesystem paths, or local draft
+filenames. Local artifacts are debug/UAT-only unless the user asks for them. The
+link is for deeper inspection; never use it as a substitute for showing the
+content in chat.
 
 Never mention MCP namespaces, prompt chunking, plugin cache paths, missing
 linked skill versions, runbooks, or local skill files in normal customer-facing
 copy.
 
-## Codex Watch Link Handoff
+## Live Watch Link Handoff
 
 When a campaign tool returns \`watchUrl\`, treat it as a user-opened app link, not
 as permission to drive the browser. A valid first handoff link must be the exact
@@ -828,25 +833,32 @@ derive, shorten, reconstruct, or print a bare \`/campaign-builder/{campaignId}\`
 URL.
 
 Never call browser-opening tools, shell \`open\`, Computer Use, or in-app browser
-automation just because a watch link exists. Print the first watch link exactly
-once, directly before the brief approval question, in this shape:
+automation just because a watch link exists. If \`create_campaign\` returns
+\`watchHandoff.markdown\`, print that exact value once, directly before the brief
+approval question. It will use the URL mode to say Codex or Claude Code:
 
 \`\`\`text
-Campaign shell is ready. We'll keep building the campaign in this chat.
-You can watch it being built in real time in the app here:
+╔══════════════════════════════════════════════════════════════╗
+║    OPEN THIS LINK TO WATCH CODEX BUILD THE CAMPAIGN LIVE    ║
+╚══════════════════════════════════════════════════════════════╝
 
-Watch link: {watchUrl}
+[Open live campaign builder]({watchUrl})
 
-Send changes here. I’ll ask for your approval whenever I need your expertise or
-taste before moving forward.
+Keep this chat open. I'll ask approval questions here before making decisions
+that need your judgment.
 \`\`\`
 
+The Markdown link is intentional: rendered chat clients turn it into a large
+click target, and plain terminals still expose the tokenized URL inside the
+Markdown target. Do not replace it with a shell command or a browser-opening
+instruction.
+
 The watch link should auto-login through the token in the URL. If the user says
 the link lands on auth, 404, permission, blank, or a visible error state, recover
 a fresh watch link once with \`create_campaign({ campaignId })\` or \`get_campaign\`
 and print that link. Do not claim the browser was opened, inspected, or
 synchronized.
-Do not print another \`Watch link:\` line during source/provider selection or
+Do not print another watch-link handoff during source/provider selection or
 normal approval turns unless the user explicitly asks for the link or you are
 recovering a missing/broken URL.
 
@@ -1365,12 +1377,13 @@ approval should show who we are targeting, why they should care, the offer/CTA,
 proof, lead source hypothesis, message angle, risks/assumptions, and what
 happens after approval.
 
-Only the first brief approval handoff should print the campaign watch URL. After
-that, every approval should say what the already-open app is showing, but must
-not include another \`Watch link:\` line unless the user explicitly asks for the
-link again or a recovery path needs to replace a broken/missing URL. Local
-artifacts are optional debug/UAT diagnostics only; do not surface file paths or
-local draft filenames in normal customer runs.
+Only the first brief approval handoff should print the exact
+\`create_campaign.watchHandoff.markdown\` block. After that, every approval should
+say what the already-open app is showing, but must not include another
+watch-link handoff unless the user explicitly asks for the link again or a
+recovery path needs to replace a broken/missing URL. Local artifacts are
+optional debug/UAT diagnostics only; do not surface file paths or local draft
+filenames in normal customer runs.
 
 This applies especially to message approvals. Never ask someone to approve a
 message they cannot see. Show the subject, tokenized template, a filled sample
@@ -1922,12 +1935,20 @@ const WATCH_MODE_DRIVER_ENV = {
   codex: "SELLABLE_WATCH_MODE_DRIVER=codex",
 };
 
-function withWatchModeDriver(command, args, driver) {
-  const envArg = WATCH_MODE_DRIVER_ENV[driver];
-  if (!envArg) {
+function withHostedWatchModeDriver(rawUrl, driver) {
+  if (!WATCH_MODE_DRIVER_ENV[driver]) {
     throw new Error(`Unknown watch mode driver: ${driver}`);
   }
-  return ["env", [envArg, command, ...args]];
+  try {
+    const url = new URL(rawUrl);
+    if (!url.searchParams.has("driver")) {
+      url.searchParams.set("driver", driver);
+    }
+    return url.toString();
+  } catch {
+    const separator = rawUrl.includes("?") ? "&" : "?";
+    return `${rawUrl}${separator}driver=${encodeURIComponent(driver)}`;
+  }
 }
 
 function mcpCommand(opts) {
@@ -1948,37 +1969,28 @@ function mcpCommand(opts) {
   return ["hosted", [opts.hostedUrl]];
 }
 
-function mcpCommandForHost(opts, driver) {
-  const [command, args] = mcpCommand(opts);
-  if (command === "hosted") return [command, args];
-  return withWatchModeDriver(command, args, driver);
-}
-
 function codexMcpAddArgs(opts) {
   const [command, args] = mcpCommand(opts);
   if (command === "hosted") {
-    return ["mcp", "add", "sellable", "--url", args[0]];
-  }
-
-  if (isWindowsPlatform()) {
     return [
       "mcp",
       "add",
       "sellable",
-      "--env",
-      WATCH_MODE_DRIVER_ENV.codex,
-      "--",
-      command,
-      ...args,
+      "--url",
+      withHostedWatchModeDriver(args[0], "codex"),
     ];
   }
 
-  const [wrappedCommand, wrappedArgs] = withWatchModeDriver(
+  return [
+    "mcp",
+    "add",
+    "sellable",
+    "--env",
+    WATCH_MODE_DRIVER_ENV.codex,
+    "--",
     command,
-    args,
-    "codex"
-  );
-  return ["mcp", "add", "sellable", "--", wrappedCommand, ...wrappedArgs];
+    ...args,
+  ];
 }
 
 function installClaude(opts) {
@@ -1995,13 +2007,20 @@ function installClaude(opts) {
   if (opts.server === "hosted") {
     run(
       "claude",
-      ["mcp", "add", "--transport", "http", "sellable", opts.hostedUrl],
+      [
+        "mcp",
+        "add",
+        "--transport",
+        "http",
+        "sellable",
+        withHostedWatchModeDriver(opts.hostedUrl, "claude"),
+      ],
       opts
     );
     patchClaudeAlwaysLoad(opts);
     return true;
   }
-  const [command, args] = mcpCommandForHost(opts, "claude");
+  const [command, args] = mcpCommand(opts);
   run("claude", ["mcp", "remove", "sellable"], {
     ...opts,
     dryRun: opts.dryRun,
@@ -2038,19 +2057,36 @@ function patchClaudeAlwaysLoad(opts) {
     const raw = readFileSync(claudeJsonPath, "utf8");
     const config = JSON.parse(raw);
     let touched = false;
-    // Top-level mcpServers.sellable (older claude versions)
-    if (config.mcpServers?.sellable) {
-      if (config.mcpServers.sellable.alwaysLoad !== true) {
-        config.mcpServers.sellable.alwaysLoad = true;
+    const patchSellableServer = (server) => {
+      if (!server || typeof server !== "object") return;
+      if (server.alwaysLoad !== true) {
+        server.alwaysLoad = true;
         touched = true;
       }
+      const isHttpServer =
+        typeof server.url === "string" ||
+        server.type === "http" ||
+        server.transport === "http";
+      if (!isHttpServer) {
+        const existingDriver = server.env?.SELLABLE_WATCH_MODE_DRIVER;
+        server.env = {
+          ...(server.env && typeof server.env === "object" ? server.env : {}),
+          SELLABLE_WATCH_MODE_DRIVER: "claude",
+        };
+        if (existingDriver !== "claude") {
+          touched = true;
+        }
+      }
+    };
+    // Top-level mcpServers.sellable (older claude versions)
+    if (config.mcpServers?.sellable) {
+      patchSellableServer(config.mcpServers.sellable);
     }
     // Per-project mcpServers.sellable (current claude default)
     for (const projectPath of Object.keys(config.projects || {})) {
       const projServers = config.projects[projectPath]?.mcpServers;
-      if (projServers?.sellable && projServers.sellable.alwaysLoad !== true) {
-        projServers.sellable.alwaysLoad = true;
-        touched = true;
+      if (projServers?.sellable) {
+        patchSellableServer(projServers.sellable);
       }
     }
     if (touched) {
@@ -2099,6 +2135,11 @@ function installCodex(opts) {
 function verify(opts) {
   const stored = readStoredAuth();
   const checks = [];
+  const hasWatchModeDriverMarker = (content, driver) =>
+    new RegExp(`SELLABLE_WATCH_MODE_DRIVER[\\s\\S]{0,80}${driver}`).test(
+      content
+    ) || new RegExp(`[?&]driver=${driver}(?:\\b|&)`).test(content);
+
   if (stored?.token && stored?.workspaceId) {
     checks.push({ ok: true, label: `Auth config: ${authPath()}` });
   } else {
@@ -2156,6 +2197,20 @@ function verify(opts) {
         ? "Legacy Claude Sellable host artifacts cleaned"
         : "Legacy Claude Sellable host artifacts still present",
     });
+    const claudeJsonPath = join(homedir(), ".claude.json");
+    const claudeConfigContent = existsSync(claudeJsonPath)
+      ? readFileSync(claudeJsonPath, "utf8")
+      : "";
+    const hasClaudeWatchModeDriver = hasWatchModeDriverMarker(
+      claudeConfigContent,
+      "claude"
+    );
+    checks.push({
+      ok: hasClaudeWatchModeDriver,
+      label: hasClaudeWatchModeDriver
+        ? "Claude watch mode driver pinned to claude"
+        : "Claude watch mode driver missing",
+    });
   }
   if (opts.host === "codex" || opts.host === "all") {
     checks.push({
@@ -2216,6 +2271,38 @@ function verify(opts) {
     const configContent = existsSync(configPath)
       ? readFileSync(configPath, "utf8")
       : "";
+    const pluginMcpPath = join(
+      codexHome(),
+      "plugins",
+      "cache",
+      "sellable",
+      "sellable",
+      CODEX_PLUGIN_VERSION,
+      ".mcp.json"
+    );
+    const pluginMcpContent = existsSync(pluginMcpPath)
+      ? readFileSync(pluginMcpPath, "utf8")
+      : "";
+    const hasCodexMcpDriver = hasWatchModeDriverMarker(
+      configContent,
+      "codex"
+    );
+    const hasCodexPluginDriver = hasWatchModeDriverMarker(
+      pluginMcpContent,
+      "codex"
+    );
+    checks.push({
+      ok: hasCodexMcpDriver,
+      label: hasCodexMcpDriver
+        ? "Codex CLI watch mode driver pinned to codex"
+        : "Codex CLI watch mode driver missing",
+    });
+    checks.push({
+      ok: hasCodexPluginDriver,
+      label: hasCodexPluginDriver
+        ? "Codex Desktop plugin watch mode driver pinned to codex"
+        : "Codex Desktop plugin watch mode driver missing",
+    });
     const hasCodexAgentRegistrations = codexCustomAgents().every((agent) =>
       configContent.includes(`[agents.${agent.name}]`)
     );

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sellable/install",
-  "version": "0.1.163",
+  "version": "0.1.165",
   "type": "module",
   "description": "One-command installer for Sellable MCP in Claude Code and Codex",
   "bin": {

package/skill-templates/create-campaign.md

@@ -296,22 +296,22 @@ lines short, use indexed section labels and bullets, and translate internal
 sourcing terms into plain language.
 
 Only the first brief approval handoff should include live campaign access after
-the readable inline content. Show a short `Watch link:` line once, immediately
-after shell creation and before brief approval. Later approval gates should
-describe what the already-open campaign app is showing and rely on
-currentStep/watchNarration; do not print the URL again unless the user asks or a
-recovery path must replace a missing/broken link. In normal customer runs, do
-not show `Open artifact:` lines, raw filesystem paths, or local draft filenames.
-Local artifacts are debug/UAT-only unless the user asks for them. The link is
-for deeper inspection; never use it as a substitute for showing the content in
-chat.
+the readable inline content. Show the exact `create_campaign.watchHandoff.markdown`
+block once, immediately after shell creation and before brief approval. Later
+approval gates should describe what the already-open campaign app is showing and
+rely on currentStep/watchNarration; do not print the URL again unless the user
+asks or a recovery path must replace a missing/broken link. In normal customer
+runs, do not show `Open artifact:` lines, raw filesystem paths, or local draft
+filenames. Local artifacts are debug/UAT-only unless the user asks for them. The
+link is for deeper inspection; never use it as a substitute for showing the
+content in chat.
 
 Never mention MCP namespaces, prompt chunking, plugin cache paths, missing
 linked skill versions, runbooks, npm/package details, repo-local files, VPS or
 browser automation limitations, or local skill files in normal customer-facing
 copy.
 
-## Codex Watch Link Handoff
+## Live Watch Link Handoff
 
 When a campaign tool returns `watchUrl`, treat it as a user-opened app link, not
 as permission to drive the browser. A valid first handoff link must be the exact
@@ -324,19 +324,26 @@ derive, shorten, reconstruct, or print a bare `/campaign-builder/{campaignId}`
 URL.
 
 Never call browser-opening tools, shell `open`, Computer Use, or in-app browser
-automation just because a watch link exists. Print the first watch link exactly
-once, directly before the brief approval question, in this shape:
+automation just because a watch link exists. If `create_campaign` returns
+`watchHandoff.markdown`, print that exact value once, directly before the brief
+approval question. It will use the URL mode to say Codex or Claude Code:
 
 ```text
-Campaign shell is ready. We'll keep building the campaign in this chat.
-You can watch it being built in real time in the app here:
+╔══════════════════════════════════════════════════════════════╗
+║    OPEN THIS LINK TO WATCH CODEX BUILD THE CAMPAIGN LIVE    ║
+╚══════════════════════════════════════════════════════════════╝
 
-Watch link: {watchUrl}
+[Open live campaign builder]({watchUrl})
 
-Send changes here. I’ll ask for your approval whenever I need your expertise or
-taste before moving forward.
+Keep this chat open. I'll ask approval questions here before making decisions
+that need your judgment.
 ```
 
+The Markdown link is intentional: rendered chat clients turn it into a large
+click target, and plain terminals still expose the tokenized URL inside the
+Markdown target. Do not replace it with a shell command or a browser-opening
+instruction.
+
 The watch link should auto-login through the token in the URL. If the user says
 the link lands on auth, 404, permission, blank, or a visible error state, recover
 a fresh watch link once with `create_campaign({ campaignId })` or `get_campaign`
@@ -347,7 +354,7 @@ Never print a placeholder watch link such as "Open campaign" or "link will
 update once the shell is created." If the shell is not created yet, call
 `create_campaign` first. If `create_campaign` does not return `watchUrl`, stop
 and surface the missing watch-link error before lead sourcing.
-Do not print another `Watch link:` line during source/provider selection or
+Do not print another watch-link handoff during source/provider selection or
 normal approval turns unless the user explicitly asks for the link or you are
 recovering a missing/broken URL.