npm - @sellable/install - Versions diffs - 0.1.216 → 0.1.217 - Mend

@sellable/install 0.1.216 → 0.1.217

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +9 -7
package/bin/sellable-install.mjs +96 -21
package/package.json +1 -1
package/skill-templates/create-campaign.md +5 -1

package/README.md CHANGED Viewed

@@ -35,8 +35,9 @@ Campaign creation, foundation memory, content capture/ideation, and post
 drafting run inside Claude Code or Codex, where the Sellable MCP tools and
 approval flows are available.
-Install is auth-free by default. If you do not pass a token, the agent handles
-Sellable sign-in on the first campaign run with a magic-link handoff.
+Install is auth-free by default. The normal path is first-run login: launch a
+Sellable workflow in Claude Code or Codex and the agent handles Sellable
+sign-in with a browser magic-link handoff.
 The installer uses package stdio MCP by default:
@@ -64,14 +65,15 @@ verification in one path:
 curl -fsSL "https://app.sellable.dev/api/v2/cli/install" | sh
 ```
-For CI/scripted installs, get a Sellable API token from:
+For scripted fallback after browser login, paste the command shown by Sellable:
-```text
-https://app.sellable.dev/settings
+```bash
+sellable auth set <token> --workspace-id <workspace_id>
 ```
-Then pass it with `--token` / `SELLABLE_TOKEN` plus `--workspace-id` /
-`SELLABLE_WORKSPACE_ID`.
+For CI/env-only installs, operators can still pass `--token` / `SELLABLE_TOKEN`
+plus `--workspace-id` / `SELLABLE_WORKSPACE_ID`. Do not use env vars as the
+primary human setup path.
 Auth is stored once at:

package/bin/sellable-install.mjs CHANGED Viewed

@@ -419,13 +419,26 @@ async function loadAuthIfPresent(opts) {
   return opts;
 }
+function redactTokensForLog(value) {
+  if (Array.isArray(value)) {
+    return value.map((item) => redactTokensForLog(item));
+  }
+  if (value && typeof value === "object") {
+    return Object.fromEntries(
+      Object.entries(value).map(([key, item]) => [
+        key,
+        key.toLowerCase().includes("token") && typeof item === "string"
+          ? redact(item)
+          : redactTokensForLog(item),
+      ])
+    );
+  }
+  return value;
+}
 function writeJson(path, data, opts) {
   if (VERBOSE) {
-    const redacted = JSON.stringify(
-      { ...data, token: redact(data.token) },
-      null,
-      2
-    );
+    const redacted = JSON.stringify(redactTokensForLog(data), null, 2);
     logVerbose(`${C.grey}Writing ${path}: ${redacted}${C.reset}`);
   }
   if (opts.dryRun) return;
@@ -442,6 +455,56 @@ function readExisting(path) {
   }
 }
+function mergeAuthConfig(raw, auth) {
+  const existing =
+    raw && typeof raw === "object" && !Array.isArray(raw) ? raw : {};
+  const authFields = {
+    token: auth.token,
+    activeWorkspaceId: auth.activeWorkspaceId,
+    apiUrl: auth.apiUrl,
+  };
+  if (existing.activeEnv && existing.environments) {
+    const activeEnv = existing.activeEnv;
+    const envConfig = existing.environments[activeEnv];
+    if (
+      !envConfig ||
+      typeof envConfig !== "object" ||
+      Array.isArray(envConfig)
+    ) {
+      throw new Error(
+        `Unknown active environment '${activeEnv}' in ${authPath()}`
+      );
+    }
+    return {
+      ...existing,
+      environments: {
+        ...existing.environments,
+        [activeEnv]: {
+          ...envConfig,
+          ...authFields,
+        },
+      },
+    };
+  }
+  return {
+    ...existing,
+    ...authFields,
+  };
+}
+function writeAuthSetConfig({ token, workspaceId, apiUrl, dryRun }) {
+  const configPath = authPath();
+  const raw = readExisting(configPath) || {};
+  const config = mergeAuthConfig(raw, {
+    token,
+    activeWorkspaceId: workspaceId || null,
+    apiUrl,
+  });
+  writeJson(configPath, config, { dryRun });
+}
 function sellableHostEnvPath() {
   return join(homedir(), ".local", "sellable", "app-sellable-dev", ".env");
 }
@@ -3665,18 +3728,31 @@ async function main() {
       }
       const token = rawArgs[2];
       const authSetFlags = rawArgs.slice(3);
-      const dryRun = authSetFlags.includes("--dry-run");
-      const unknownAuthSetFlag = authSetFlags.find(
-        (arg) => arg !== "--dry-run"
-      );
-      if (unknownAuthSetFlag) {
-        console.error(`Unknown auth set option: ${unknownAuthSetFlag}`);
+      let dryRun = false;
+      let workspaceId = "";
+      for (let i = 0; i < authSetFlags.length; i += 1) {
+        const flag = authSetFlags[i];
+        if (flag === "--dry-run") {
+          dryRun = true;
+          continue;
+        }
+        if (flag === "--workspace-id") {
+          const value = authSetFlags[i + 1];
+          if (!value || value.startsWith("--")) {
+            console.error("Missing value for --workspace-id");
+            process.exit(2);
+          }
+          workspaceId = value;
+          i += 1;
+          continue;
+        }
+        console.error(`Unknown auth set option: ${flag}`);
         process.exit(2);
       }
       if (!token) {
         console.error(
-          "Usage: sellable auth set <token>\n" +
-            "Get the token from the Sellable browser confirm page (after clicking the magic link)."
+          "Usage: sellable auth set <token> [--workspace-id <id>]\n" +
+            "Use this only when the Sellable browser login page shows a manual fallback command."
         );
         process.exit(2);
       }
@@ -3688,23 +3764,22 @@ async function main() {
         );
         process.exit(2);
       }
-      // Bypass writeAuth() — its workspaceId guard early-returns on missing
-      // workspaceId, but on the auth-set path we don't have one yet (next MCP
-      // call hydrates it). Write the same shape directly.
+      // Bypass writeAuth() because auth-set is a first-run browser fallback:
+      // the workspace id is optional for legacy fallback pages, and existing
+      // config metadata must be preserved.
       // Skip installSelfShim() — by definition the user has the shim already
       // (they invoked `sellable auth set` from it).
       const apiUrl = process.env.SELLABLE_API_URL || DEFAULT_API_URL;
-      writeJson(
-        authPath(),
-        { token, activeWorkspaceId: null, apiUrl },
-        { dryRun }
-      );
+      writeAuthSetConfig({ token, workspaceId, apiUrl, dryRun });
       if (dryRun) {
         console.log(`Dry run: token would be saved to ${authPath()}`);
       } else {
         console.log(`✓ Token saved to ${authPath()}`);
       }
       console.log(`  apiUrl: ${apiUrl}`);
+      if (workspaceId) {
+        console.log(`  activeWorkspaceId: ${workspaceId}`);
+      }
       console.log(`  Continue in your agent:`);
       console.log(`    Claude Code: /sellable:create-campaign`);
       console.log(`    Claude Code: /sellable:foundation`);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sellable/install",
-  "version": "0.1.216",
+  "version": "0.1.217",
   "type": "module",
   "description": "One-command installer for Sellable MCP in Claude Code and Codex",
   "bin": {

package/skill-templates/create-campaign.md CHANGED Viewed

@@ -893,7 +893,11 @@ updates.
 1. Call `mcp__sellable__get_auth_status({})`.
 2. If auth is not OK with `error.type === "config"` or `error.type === "auth"`,
-   the user has not signed in yet. Run the FTUX magic-link handoff:
+   the user has not signed in yet. Run first-run login through the FTUX
+   magic-link handoff. If a browser page or tool guidance gives the user a
+   manual fallback, it must be
+   `sellable auth set <token> --workspace-id <workspace_id>`. Do not instruct
+   the user to hand-edit JSON auth config.
    a. Say to the user verbatim: