@sellable/install 0.1.219 → 0.1.221

package/README.md

@@ -35,8 +35,9 @@ Campaign creation, foundation memory, content capture/ideation, and post
 drafting run inside Claude Code or Codex, where the Sellable MCP tools and
 approval flows are available.
 
-Install is auth-free by default. If you do not pass a token, the agent handles
-Sellable sign-in on the first campaign run with a magic-link handoff.
+Install is auth-free by default. The normal path is first-run login: launch a
+Sellable workflow in Claude Code or Codex and the agent handles Sellable
+sign-in with a browser magic-link handoff.
 
 The installer uses package stdio MCP by default:
 
@@ -64,14 +65,15 @@ verification in one path:
 curl -fsSL "https://app.sellable.dev/api/v2/cli/install" | sh
 ```
 
-For CI/scripted installs, get a Sellable API token from:
+For scripted fallback after browser login, paste the command shown by Sellable:
 
-```text
-https://app.sellable.dev/settings
+```bash
+sellable auth set <token> --workspace-id <workspace_id>
 ```
 
-Then pass it with `--token` / `SELLABLE_TOKEN` plus `--workspace-id` /
-`SELLABLE_WORKSPACE_ID`.
+For CI/env-only installs, operators can still pass `--token` / `SELLABLE_TOKEN`
+plus `--workspace-id` / `SELLABLE_WORKSPACE_ID`. Do not use env vars as the
+primary human setup path.
 
 Auth is stored once at:
 

package/bin/sellable-install.mjs

@@ -13,6 +13,7 @@ import {
 import { homedir } from "node:os";
 import { dirname, join, relative } from "node:path";
 import { stdout as output } from "node:process";
+import { createInterface } from "node:readline/promises";
 import { fileURLToPath } from "node:url";
 import {
   REQUIRED_SELLABLE_MCP_TOOLS,
@@ -22,6 +23,7 @@ import {
 const DEFAULT_API_URL = "https://app.sellable.dev";
 const DEFAULT_SERVER_PACKAGE =
   process.env.SELLABLE_MCP_PACKAGE || "@sellable/mcp@latest";
+const CODEX_INSTALL_URL = "https://chatgpt.com/codex/install";
 
 function getInstallVersion() {
   try {
@@ -175,6 +177,8 @@ Options:
   --hosted-url <url>        Hosted MCP URL for --server hosted.
   --verbose                 Print every file write and shell command.
   --dry-run                 Print actions without writing or running host commands.
+  --install-codex-cli       Install Codex CLI without prompting if it is missing or blocked.
+  --no-install-codex-cli    Do not prompt to install Codex CLI; install Desktop config only when possible.
   --verify-only             Verify installed host config where possible.
   --json                    Print machine-readable verification JSON.
   --artifact <path>         Write verification JSON to a file.
@@ -247,6 +251,7 @@ function parseArgs(argv) {
     json: false,
     artifactPath: process.env.SELLABLE_VERIFY_ARTIFACT || "",
     verbose: false,
+    codexCliInstall: codexCliInstallPreference(),
   };
 
   for (let i = 0; i < argv.length; i += 1) {
@@ -280,6 +285,10 @@ function parseArgs(argv) {
       opts.hostedUrl = next();
     } else if (arg === "--dry-run") {
       opts.dryRun = true;
+    } else if (arg === "--install-codex-cli") {
+      opts.codexCliInstall = "install";
+    } else if (arg === "--no-install-codex-cli") {
+      opts.codexCliInstall = "skip";
     } else if (arg === "--verify-only") {
       opts.verifyOnly = true;
     } else if (arg === "--json") {
@@ -303,6 +312,14 @@ function parseArgs(argv) {
   return opts;
 }
 
+function codexCliInstallPreference() {
+  const raw = process.env.SELLABLE_INSTALL_CODEX_CLI || "";
+  const value = raw.trim().toLowerCase();
+  if (["1", "true", "yes", "y", "install"].includes(value)) return "install";
+  if (["0", "false", "no", "n", "skip"].includes(value)) return "skip";
+  return "ask";
+}
+
 function redact(value) {
   if (!value) return "";
   if (value.length <= 10) return "[redacted]";
@@ -360,6 +377,175 @@ function commandExistsDetails(command, platform = process.platform) {
   };
 }
 
+function summarizeSpawnFailure(result) {
+  const errorMessage = result.error?.message || "";
+  const stderr = (result.stderr || "").trim();
+  const stdout = (result.stdout || "").trim();
+  return (
+    errorMessage ||
+    stderr ||
+    stdout ||
+    (Number.isInteger(result.status) ? `exit ${result.status}` : "unknown failure")
+  );
+}
+
+function codexCliStatus(opts = {}) {
+  const details = commandExistsDetails("codex");
+  if (!details.exists) {
+    return {
+      exists: false,
+      usable: false,
+      reason: "Codex CLI not found on PATH",
+      details,
+    };
+  }
+  if (opts.dryRun) {
+    return {
+      exists: true,
+      usable: true,
+      reason: "dry-run",
+      details,
+    };
+  }
+
+  const result = spawnSync("codex", ["mcp", "--help"], {
+    encoding: "utf8",
+    stdio: "pipe",
+    timeout: 10000,
+  });
+  if (result.status === 0) {
+    return {
+      exists: true,
+      usable: true,
+      reason: "Codex CLI responded to `codex mcp --help`",
+      details,
+    };
+  }
+
+  return {
+    exists: true,
+    usable: false,
+    reason: `Codex CLI found but not usable: ${summarizeSpawnFailure(result)}`,
+    details,
+  };
+}
+
+function codexDesktopLikelyInstalled(status = null) {
+  if (process.env.SELLABLE_INSTALL_ASSUME_CODEX_DESKTOP === "1") return true;
+  const home = codexHome();
+  const probes = [
+    status?.details?.stdout || "",
+    process.env.PATH || "",
+  ].join("\n");
+
+  if (/WindowsApps[\\/]+codex\.exe/i.test(probes)) return true;
+  if (existsSync(join(home, "config.toml"))) return true;
+  if (existsSync(join(home, "plugins", ".plugin-appserver"))) return true;
+  if (existsSync(join(home, "plugins", "cache"))) return true;
+  if (process.platform === "darwin" && existsSync("/Applications/Codex.app")) {
+    return true;
+  }
+  return false;
+}
+
+function isNonInteractiveInstall() {
+  return (
+    process.env.CI === "true" ||
+    process.env.SELLABLE_NON_INTERACTIVE === "1" ||
+    process.env.SELLABLE_NON_INTERACTIVE === "true" ||
+    process.env.SELLABLE_NON_INTERACTIVE === "yes"
+  );
+}
+
+async function askYesNo(question, defaultAnswer = false) {
+  if (!process.stdin.isTTY || !output.isTTY || isNonInteractiveInstall()) {
+    return null;
+  }
+  const suffix = defaultAnswer ? " [Y/n] " : " [y/N] ";
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+  try {
+    const answer = (await rl.question(`${question}${suffix}`)).trim().toLowerCase();
+    if (!answer) return defaultAnswer;
+    return ["y", "yes"].includes(answer);
+  } finally {
+    rl.close();
+  }
+}
+
+function codexInstallCommand(platform = process.platform) {
+  const override = process.env.SELLABLE_CODEX_INSTALL_COMMAND;
+  if (override) {
+    return isWindowsPlatform(platform)
+      ? ["cmd.exe", ["/d", "/s", "/c", override]]
+      : ["sh", ["-c", override]];
+  }
+  if (isWindowsPlatform(platform)) {
+    return [
+      "powershell.exe",
+      [
+        "-NoProfile",
+        "-ExecutionPolicy",
+        "Bypass",
+        "-Command",
+        `$env:CODEX_NON_INTERACTIVE='1'; irm ${CODEX_INSTALL_URL}.ps1 | iex`,
+      ],
+    ];
+  }
+  return [
+    "sh",
+    ["-c", `curl -fsSL ${CODEX_INSTALL_URL}.sh | CODEX_NON_INTERACTIVE=1 sh`],
+  ];
+}
+
+function codexManualInstallCommand(platform = process.platform) {
+  return isWindowsPlatform(platform)
+    ? `$env:CODEX_NON_INTERACTIVE=1; irm ${CODEX_INSTALL_URL}.ps1 | iex`
+    : `curl -fsSL ${CODEX_INSTALL_URL}.sh | sh`;
+}
+
+async function maybeInstallCodexCli(status, opts) {
+  if (opts.dryRun) return false;
+  if (opts.codexCliInstall === "skip") {
+    logWarn(`${status.reason}. Skipping Codex CLI install by request.`);
+    return false;
+  }
+
+  let shouldInstall = opts.codexCliInstall === "install";
+  if (!shouldInstall) {
+    const answer = await askYesNo(
+      `${status.reason}. Install the Codex CLI now?`,
+      false
+    );
+    if (answer === null) {
+      logWarn(
+        `${status.reason}. Non-interactive shell; skipping Codex CLI install. Re-run with --install-codex-cli to install it.`
+      );
+      return false;
+    }
+    shouldInstall = answer;
+  }
+
+  if (!shouldInstall) {
+    logWarn(`${status.reason}. Continuing with Codex Desktop plugin setup only.`);
+    return false;
+  }
+
+  const [command, args] = codexInstallCommand();
+  logStep("Installing Codex CLI using the official Codex installer...");
+  try {
+    run(command, args, opts);
+    return true;
+  } catch (err) {
+    logWarn(
+      `Codex CLI install failed: ${err instanceof Error ? err.message : String(err)}`
+    );
+    return false;
+  }
+}
+
 function shellQuote(value) {
   return `'${String(value).replace(/'/g, `'\\''`)}'`;
 }
@@ -419,13 +605,26 @@ async function loadAuthIfPresent(opts) {
   return opts;
 }
 
+function redactTokensForLog(value) {
+  if (Array.isArray(value)) {
+    return value.map((item) => redactTokensForLog(item));
+  }
+  if (value && typeof value === "object") {
+    return Object.fromEntries(
+      Object.entries(value).map(([key, item]) => [
+        key,
+        key.toLowerCase().includes("token") && typeof item === "string"
+          ? redact(item)
+          : redactTokensForLog(item),
+      ])
+    );
+  }
+  return value;
+}
+
 function writeJson(path, data, opts) {
   if (VERBOSE) {
-    const redacted = JSON.stringify(
-      { ...data, token: redact(data.token) },
-      null,
-      2
-    );
+    const redacted = JSON.stringify(redactTokensForLog(data), null, 2);
     logVerbose(`${C.grey}Writing ${path}: ${redacted}${C.reset}`);
   }
   if (opts.dryRun) return;
@@ -442,6 +641,56 @@ function readExisting(path) {
   }
 }
 
+function mergeAuthConfig(raw, auth) {
+  const existing =
+    raw && typeof raw === "object" && !Array.isArray(raw) ? raw : {};
+  const authFields = {
+    token: auth.token,
+    activeWorkspaceId: auth.activeWorkspaceId,
+    apiUrl: auth.apiUrl,
+  };
+
+  if (existing.activeEnv && existing.environments) {
+    const activeEnv = existing.activeEnv;
+    const envConfig = existing.environments[activeEnv];
+    if (
+      !envConfig ||
+      typeof envConfig !== "object" ||
+      Array.isArray(envConfig)
+    ) {
+      throw new Error(
+        `Unknown active environment '${activeEnv}' in ${authPath()}`
+      );
+    }
+    return {
+      ...existing,
+      environments: {
+        ...existing.environments,
+        [activeEnv]: {
+          ...envConfig,
+          ...authFields,
+        },
+      },
+    };
+  }
+
+  return {
+    ...existing,
+    ...authFields,
+  };
+}
+
+function writeAuthSetConfig({ token, workspaceId, apiUrl, dryRun }) {
+  const configPath = authPath();
+  const raw = readExisting(configPath) || {};
+  const config = mergeAuthConfig(raw, {
+    token,
+    activeWorkspaceId: workspaceId || null,
+    apiUrl,
+  });
+  writeJson(configPath, config, { dryRun });
+}
+
 function sellableHostEnvPath() {
   return join(homedir(), ".local", "sellable", "app-sellable-dev", ".env");
 }
@@ -742,6 +991,9 @@ const CREATE_CAMPAIGN_ALLOWED_TOOLS = [
   "mcp__sellable__record_campaign_review_batch",
   "mcp__sellable__queue_campaign_cells",
   "mcp__sellable__wait_for_campaign_processing",
+  "mcp__sellable__resolve_campaign_fill_route",
+  "mcp__sellable__get_campaign_refill_state",
+  "mcp__sellable__fill_campaign_horizon",
   "mcp__sellable__start_campaign_message_preparation",
   "mcp__sellable__get_campaign_message_preparation_status",
   "mcp__sellable__cancel_campaign_message_preparation",
@@ -2455,6 +2707,27 @@ function writeAuth(opts) {
   return { written: true, reused: false };
 }
 
+function resolveWindowsNpmCommand() {
+  const explicit =
+    process.env.SELLABLE_INSTALL_NPM_CMD_COMMAND ||
+    process.env.SELLABLE_INSTALL_NPM_COMMAND;
+  if (explicit) return explicit;
+
+  const nodeBin = process.env.SELLABLE_INSTALL_NODE_BIN || "";
+  for (const name of ["npm.cmd", "npm"]) {
+    const candidate = nodeBin ? join(nodeBin, name) : "";
+    if (candidate && existsSync(candidate)) return candidate;
+  }
+
+  if (isWindowsPlatform()) {
+    const details = commandExistsDetails("npm.cmd");
+    const first = details.stdout.split(/\r?\n/).find((line) => line.trim());
+    if (details.exists && first) return first.trim();
+  }
+
+  return packageManagerCommand("win32");
+}
+
 function installSelfShim(opts) {
   const installDir =
     process.env.SELLABLE_INSTALL_DIR || join(homedir(), ".local", "bin");
@@ -2475,12 +2748,11 @@ exec ${shellQuote(npmCommand)} exec --yes --package ${shellQuote(INSTALL_PACKAGE
     isWindowsPlatform() || process.env.SELLABLE_INSTALL_WRITE_CMD_SHIM === "1";
   if (shouldWriteCmdShim) {
     const cmdPath = `${binPath}.cmd`;
-    const npmCmdCommand =
-      process.env.SELLABLE_INSTALL_NPM_CMD_COMMAND ||
-      process.env.SELLABLE_INSTALL_NPM_COMMAND ||
-      packageManagerCommand("win32");
+    const npmCmdCommand = resolveWindowsNpmCommand();
     const cmdPathPrefix = nodeBin ? `set "PATH=${nodeBin};%PATH%"\r\n` : "";
-    const cmdShim = `@echo off\r\n${cmdPathPrefix}"${npmCmdCommand}" exec --yes --package ${INSTALL_PACKAGE_SPEC} -- sellable %*\r\n`;
+    const cmdShim =
+      `@echo off\r\n${cmdPathPrefix}` +
+      `call "${npmCmdCommand}" exec --yes --package ${INSTALL_PACKAGE_SPEC} -- sellable %*\r\n`;
     writeFile(cmdPath, cmdShim, opts, 0o755);
   }
 }
@@ -2820,32 +3092,70 @@ function patchClaudeAlwaysLoad(opts) {
   }
 }
 
-function installCodex(opts) {
-  if (!opts.dryRun && !commandExists("codex")) {
+function registerCodexCliMcp(opts) {
+  try {
+    if (opts.server !== "hosted") {
+      run("codex", ["mcp", "remove", "sellable"], {
+        ...opts,
+        dryRun: opts.dryRun,
+        allowFail: true,
+      });
+    }
+    run("codex", codexMcpAddArgs(opts), opts);
+    return true;
+  } catch (err) {
+    logWarn(
+      `Codex CLI MCP registration skipped: ${err instanceof Error ? err.message : String(err)}`
+    );
+    return false;
+  }
+}
+
+async function installCodex(opts) {
+  let cliStatus = codexCliStatus(opts);
+  let desktopLikely = codexDesktopLikelyInstalled(cliStatus);
+  let attemptedCliInstall = false;
+
+  if (!opts.dryRun && !cliStatus.usable) {
+    attemptedCliInstall = await maybeInstallCodexCli(cliStatus, opts);
+    if (attemptedCliInstall) {
+      cliStatus = codexCliStatus(opts);
+      desktopLikely = codexDesktopLikelyInstalled(cliStatus) || desktopLikely;
+      if (!cliStatus.usable) {
+        logWarn(
+          `${cliStatus.reason}. Continuing with Codex Desktop plugin setup where possible.`
+        );
+      }
+    }
+  }
+
+  const shouldInstallDesktop =
+    opts.host === "codex" ||
+    cliStatus.usable ||
+    desktopLikely ||
+    attemptedCliInstall;
+  if (!shouldInstallDesktop) {
     const message =
-      "Codex CLI not found. Install/login to Codex, then rerun: sellable --host codex";
+      "Codex CLI not found and Codex Desktop was not detected. Install/login to Codex, then rerun: sellable --host codex";
     if (opts.host === "all") {
       logWarn(`Skipping Codex: ${message}`);
       return { installed: false };
     }
     throw new Error(message);
   }
+
   if (!opts.dryRun) {
     mkdirSync(codexHome(), { recursive: true, mode: 0o700 });
   }
-  if (opts.server === "hosted") {
-    run("codex", codexMcpAddArgs(opts), opts);
-    const info = installCodexDesktopPlugin(opts);
-    return { installed: true, ...info };
+
+  const cliRegistered = cliStatus.usable ? registerCodexCliMcp(opts) : false;
+  if (!cliRegistered && !opts.dryRun) {
+    logWarn(
+      "Codex CLI MCP registration did not run; writing Codex Desktop plugin and config directly."
+    );
   }
-  run("codex", ["mcp", "remove", "sellable"], {
-    ...opts,
-    dryRun: opts.dryRun,
-    allowFail: true,
-  });
-  run("codex", codexMcpAddArgs(opts), opts);
   const info = installCodexDesktopPlugin(opts);
-  return { installed: true, ...info };
+  return { installed: true, cliRegistered, ...info };
 }
 
 function requiredCheck(ok, label) {
@@ -2996,11 +3306,11 @@ async function verify(opts) {
     );
   }
   if (opts.host === "codex" || opts.host === "all") {
-    const hasCodexCli = commandExists("codex");
+    const codexStatus = codexCliStatus(opts);
     checks.push(
       warningCheck(
-        hasCodexCli,
-        hasCodexCli ? "Codex CLI present" : "Codex CLI missing"
+        codexStatus.usable,
+        codexStatus.usable ? "Codex CLI usable" : codexStatus.reason
       )
     );
     const pluginPath = join(
@@ -3358,8 +3668,8 @@ function printNextSteps(installedHosts, authReused) {
     console.log("");
     printInstallAgentBox(
       "Install Codex",
-      "npm install -g @openai/codex",
-      "https://github.com/openai/codex"
+      codexManualInstallCommand(),
+      "https://developers.openai.com/codex/quickstart"
     );
     console.log("");
     console.log("");
@@ -3665,18 +3975,31 @@ async function main() {
       }
       const token = rawArgs[2];
       const authSetFlags = rawArgs.slice(3);
-      const dryRun = authSetFlags.includes("--dry-run");
-      const unknownAuthSetFlag = authSetFlags.find(
-        (arg) => arg !== "--dry-run"
-      );
-      if (unknownAuthSetFlag) {
-        console.error(`Unknown auth set option: ${unknownAuthSetFlag}`);
+      let dryRun = false;
+      let workspaceId = "";
+      for (let i = 0; i < authSetFlags.length; i += 1) {
+        const flag = authSetFlags[i];
+        if (flag === "--dry-run") {
+          dryRun = true;
+          continue;
+        }
+        if (flag === "--workspace-id") {
+          const value = authSetFlags[i + 1];
+          if (!value || value.startsWith("--")) {
+            console.error("Missing value for --workspace-id");
+            process.exit(2);
+          }
+          workspaceId = value;
+          i += 1;
+          continue;
+        }
+        console.error(`Unknown auth set option: ${flag}`);
         process.exit(2);
       }
       if (!token) {
         console.error(
-          "Usage: sellable auth set <token>\n" +
-            "Get the token from the Sellable browser confirm page (after clicking the magic link)."
+          "Usage: sellable auth set <token> [--workspace-id <id>]\n" +
+            "Use this only when the Sellable browser login page shows a manual fallback command."
         );
         process.exit(2);
       }
@@ -3688,23 +4011,22 @@ async function main() {
         );
         process.exit(2);
       }
-      // Bypass writeAuth() — its workspaceId guard early-returns on missing
-      // workspaceId, but on the auth-set path we don't have one yet (next MCP
-      // call hydrates it). Write the same shape directly.
+      // Bypass writeAuth() because auth-set is a first-run browser fallback:
+      // the workspace id is optional for legacy fallback pages, and existing
+      // config metadata must be preserved.
       // Skip installSelfShim() — by definition the user has the shim already
       // (they invoked `sellable auth set` from it).
       const apiUrl = process.env.SELLABLE_API_URL || DEFAULT_API_URL;
-      writeJson(
-        authPath(),
-        { token, activeWorkspaceId: null, apiUrl },
-        { dryRun }
-      );
+      writeAuthSetConfig({ token, workspaceId, apiUrl, dryRun });
       if (dryRun) {
         console.log(`Dry run: token would be saved to ${authPath()}`);
       } else {
         console.log(`✓ Token saved to ${authPath()}`);
       }
       console.log(`  apiUrl: ${apiUrl}`);
+      if (workspaceId) {
+        console.log(`  activeWorkspaceId: ${workspaceId}`);
+      }
       console.log(`  Continue in your agent:`);
       console.log(`    Claude Code: /sellable:create-campaign`);
       console.log(`    Claude Code: /sellable:foundation`);
@@ -3805,7 +4127,7 @@ async function main() {
         }
       }
       if (opts.host === "codex" || opts.host === "all") {
-        const result = installCodex(opts);
+        const result = await installCodex(opts);
         if (result.installed) {
           installedHosts.push("Codex");
         }

package/lib/runtime-verify.mjs

@@ -28,12 +28,16 @@ export const REQUIRED_SELLABLE_MCP_TOOLS = [
   "get_campaign_messages_preview",
   "attach_sequence",
   "attach_recommended_sequence",
+  "resolve_campaign_fill_route",
+  "get_campaign_refill_state",
   "start_campaign_message_preparation",
   "get_campaign_message_preparation_status",
   "cancel_campaign_message_preparation",
   "start_campaign",
 ];
 
+export const FORBIDDEN_SELLABLE_MCP_TOOLS = ["refill_campaign_sends"];
+
 export const CREATE_CAMPAIGN_SMOKE_CALLS = [
   {
     name: "get_auth_status",
@@ -57,6 +61,14 @@ export const CREATE_CAMPAIGN_SMOKE_CALLS = [
       limit: 1200,
     },
   },
+  {
+    name: "get_subskill_prompt",
+    arguments: {
+      subskillName: "refill-sends-workflow",
+      offset: 0,
+      limit: 1200,
+    },
+  },
   {
     name: "get_subskill_asset",
     arguments: {
@@ -308,6 +320,7 @@ function summarizeAttempt(result, attempt) {
     ok: result.ok === true,
     availableToolCount: result.availableTools?.length || 0,
     missingToolCount: result.missingTools?.length || 0,
+    forbiddenToolCount: result.forbiddenTools?.length || 0,
     error: result.error || null,
     createCampaignSmoke: result.createCampaignSmoke
       ? {
@@ -377,6 +390,7 @@ async function verifySellableMcpRuntimeOnce({
 
   let availableTools = [];
   let missingTools = [...requiredTools];
+  let forbiddenTools = [];
   let createCampaignSmoke = null;
   let error = null;
 
@@ -388,7 +402,19 @@ async function verifySellableMcpRuntimeOnce({
     });
     availableTools = toolList.tools.map((tool) => tool.name).sort();
     missingTools = missingRequiredTools(toolList.tools, requiredTools);
-    if (missingTools.length === 0) {
+    forbiddenTools = availableTools.filter((tool) =>
+      FORBIDDEN_SELLABLE_MCP_TOOLS.includes(tool)
+    );
+    if (forbiddenTools.length > 0) {
+      createCampaignSmoke = {
+        ok: false,
+        missingTools: [],
+        calls: [],
+        error: `Forbidden MCP tool(s) exposed: ${forbiddenTools.join(", ")}`,
+        startedAt: new Date().toISOString(),
+        completedAt: new Date().toISOString(),
+      };
+    } else if (missingTools.length === 0) {
       createCampaignSmoke = await verifyCreateCampaignSmoke({
         client,
         availableTools,
@@ -418,13 +444,18 @@ async function verifySellableMcpRuntimeOnce({
   }
 
   return {
-    ok: !error && missingTools.length === 0 && createCampaignSmoke?.ok === true,
+    ok:
+      !error &&
+      missingTools.length === 0 &&
+      forbiddenTools.length === 0 &&
+      createCampaignSmoke?.ok === true,
     skipped: false,
     command,
     args,
     requiredTools,
     availableTools,
     missingTools,
+    forbiddenTools,
     createCampaignSmoke,
     stderrTail: stderrLines,
     error: error ? redact(error) : null,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sellable/install",
-  "version": "0.1.219",
+  "version": "0.1.221",
   "type": "module",
   "description": "One-command installer for Sellable MCP in Claude Code and Codex",
   "bin": {

package/skill-templates/create-campaign.md

@@ -47,6 +47,9 @@ allowed-tools:
   - mcp__sellable__record_campaign_review_batch
   - mcp__sellable__queue_campaign_cells
   - mcp__sellable__wait_for_campaign_processing
+  - mcp__sellable__resolve_campaign_fill_route
+  - mcp__sellable__get_campaign_refill_state
+  - mcp__sellable__fill_campaign_horizon
   - mcp__sellable__start_campaign_message_preparation
   - mcp__sellable__get_campaign_message_preparation_status
   - mcp__sellable__cancel_campaign_message_preparation
@@ -113,27 +116,37 @@ source only when safe relaxation and same-source sampling would still fail or
 would pass bad-fit rows.
 The default path stays the existing first campaign-table execution slice:
 review the normal `reviewBatchLimit:15`, approve reviewed draft rows, then move
-to Settings/sequence/final greenlight. Only call
-`start_campaign_message_preparation` when the user explicitly asks for more
-prepared messages, a send count, or language like "fill up/load sends for these
-senders." Treat those requests as capacity-fill preparation: calculate the
-bounded target from sender capacity when needed, then let the preparation job
-queue pending `Enrich Prospect` cells, wait for ICP/rubric and Generate Message
-cells to cascade, and mark ready or approve only the target cohort. Do not
-count `checkedRows` as enriched rows; it is only the table cursor. Use
-`progress.enrichedRows`, `progress.needsEnrichRows`, `activeCellCount`,
-`preparedMessages`, `approvedRows`, target, estimated row budget remaining, and
-`stopReason` to explain progress. If the user says "prepare/generate X
-messages", set `targetPreparedMessages:X`, omit `maxRowsToCheck`, and keep
-`approvalMode:"mark_ready"`. The backend calibrates on at least 100 actually
-enriched rows, estimates the row budget from observed rubric/pass yield, caps
-`maxRowsToCheck` at 2500, then adapts later batches up to 250 rows while
-recalculating yield. If the user says "approve X messages", use
-`approvalMode:"approve"` but still do not launch. If the user says "schedule X
-sends" or asks to fill sender sends, use `approvalMode:"approve"` to approve
-exactly the bounded X-message cohort during preparation, then continue through
-sender, sequence, and final launch greenlight; the launch path must verify that
-bounded cohort and must not broad approve-all.
+to Settings/sequence/final greenlight. For any plain post-mint fill request
+such as "fill campaigns", "fill up", "refill sends", "max out sends", or
+"load sends", hand off to the skill-led refill workflow:
+
+```text
+get_subskill_prompt({ subskillName: "refill-sends-workflow" })
+resolve_campaign_fill_route
+get_campaign_refill_state
+```
+
+Plain fill is not an alias for `fill_campaign_horizon` or campaign creation.
+`fill_campaign_horizon` is evergreen-only and must not be used for regular
+campaign refill. If route resolution returns `route:"ask_create"`, ask whether
+to create a normal campaign or evergreen campaigns; campaign creation is never
+the default response to plain fill. When more leads are needed, the refill
+workflow must recommend same-campaign source-ladder replenishment; do not
+create warm-post-engager side campaigns, on-demand campaigns, or unrelated
+campaigns.
+
+Treat active fills as capacity-fill preparation: calculate the bounded target
+from sender capacity when needed, then use the refill workflow to decide source
+replenishment, enrichment/prep, approval policy, and scheduler proof. Mutation
+requires exact visible approval and a fresh `get_campaign_refill_state` reread.
+If the user says "prepare/generate X messages", use message-prep primitives with
+`targetPreparedMessages:X` and default `approvalMode:"mark_ready"`. If the user
+says "approve X messages", use `approvalMode:"approve"` only for the bounded
+cohort and still do not launch. If the user says "schedule X sends", approve
+only when explicitly requested, then reread scheduled counts; if
+scheduler-owned cells are not present, report prepared/approved/ready awaiting
+scheduler instead of success. Final launch remains a separate explicit user
+greenlight and must not broad approve-all.
 When approving reviewed draft rows in the campaign table, resolve the actual
 visible `Approved` cells with `select_campaign_cells({ columnRole: "approved",
 rowSelector: { type: "rowIds", rowIds } })` and `update_cell` those returned
@@ -891,7 +904,11 @@ updates.
 
 1. Call `mcp__sellable__get_auth_status({})`.
 2. If auth is not OK with `error.type === "config"` or `error.type === "auth"`,
-   the user has not signed in yet. Run the FTUX magic-link handoff:
+   the user has not signed in yet. Run first-run login through the FTUX
+   magic-link handoff. If a browser page or tool guidance gives the user a
+   manual fallback, it must be
+   `sellable auth set <token> --workspace-id <workspace_id>`. Do not instruct
+   the user to hand-edit JSON auth config.
 
    a. Say to the user verbatim:
 

package/skill-templates/refill-sends.md

@@ -0,0 +1,54 @@
+---
+name: refill-sends
+description: Plan regular campaign and evergreen campaign send refill work through the skill-led refill workflow.
+visibility: public
+allowed-tools:
+  - mcp__sellable__get_subskill_prompt
+  - mcp__sellable__search_subskill_prompts
+  - mcp__sellable__resolve_campaign_fill_route
+  - mcp__sellable__get_campaign_refill_state
+  - mcp__sellable__fill_campaign_horizon
+  - mcp__sellable__get_campaign
+  - mcp__sellable__get_campaign_message_preparation_status
+  - mcp__sellable__start_campaign_message_preparation
+  - mcp__sellable__cancel_campaign_message_preparation
+  - mcp__sellable__import_leads
+  - mcp__sellable__wait_for_lead_list_ready
+  - mcp__sellable__confirm_lead_list
+  - mcp__sellable__search_signals
+  - mcp__sellable__fetch_post_engagers
+  - mcp__sellable__search_sales_nav
+  - mcp__sellable__lookup_sales_nav_filter
+  - mcp__sellable__search_prospeo
+  - mcp__sellable__search_prospeo_companies
+  - mcp__sellable__confirm_prospeo_company_accounts
+  - mcp__sellable__load_csv_linkedin_leads
+  - mcp__sellable__load_csv_domains
+  - mcp__sellable__list_dnc_entries
+  - mcp__sellable__load_csv_dnc_entries
+  - mcp__sellable__get_rows
+  - mcp__sellable__get_rows_minimal
+  - mcp__sellable__get_table_rows
+---
+
+# Refill Sends
+
+Use this public wrapper for plain operator requests such as "fill", "refill sends",
+"max out sends", "load everyone up", or "fill horizon sends".
+
+Load the internal workflow prompt before taking any operational step:
+
+```text
+get_subskill_prompt({ subskillName: "refill-sends-workflow" })
+```
+
+Then follow that workflow exactly. The default path is read-only research:
+resolve the route, read target refill state, report the next safe step, and stop
+before mutation unless the user has explicitly approved the exact workspace,
+campaign/table/source ids, caps/dates, approval mode, expected side effects,
+and stop/rollback condition.
+
+Public concepts are regular campaign and evergreen campaign. Internal direct
+campaign types are unsupported refill targets. `fill_campaign_horizon` is only a
+legacy evergreen-only lower-level primitive after route and refill-state
+evidence proves an evergreen target.