@supatest/cli 0.0.41 → 0.0.42

package/dist/index.js

@@ -313,7 +313,7 @@ Use these commands in interactive mode (type them and press Enter):
   - Choose between "Supatest Managed" (default) or "Claude Max"
   - Supatest Managed: Uses models through Supatest infrastructure
   - Claude Max: Uses your Claude subscription directly
-  - Requires Claude Code login for Claude Max
+  - Authentication flow starts automatically when selecting Claude Max
   - Available on macOS, Linux, and Windows
 
 - **/mcp** - Show configured MCP servers
@@ -6054,591 +6054,9 @@ var init_shared_es = __esm({
   }
 });
 
-// src/utils/claude-oauth.ts
-var claude_oauth_exports = {};
-__export(claude_oauth_exports, {
-  ClaudeOAuthService: () => ClaudeOAuthService
-});
-import { spawn } from "child_process";
-import { createHash, randomBytes } from "crypto";
-import http from "http";
-import { platform } from "os";
-var OAUTH_CONFIG, CALLBACK_PORT, CALLBACK_TIMEOUT_MS, ClaudeOAuthService;
-var init_claude_oauth = __esm({
-  "src/utils/claude-oauth.ts"() {
-    "use strict";
-    OAUTH_CONFIG = {
-      clientId: "9d1c250a-e61b-44d9-88ed-5944d1962f5e",
-      // Claude Code's client ID
-      authorizationEndpoint: "https://claude.ai/oauth/authorize",
-      tokenEndpoint: "https://console.anthropic.com/v1/oauth/token",
-      redirectUri: "http://localhost:8421/callback",
-      // Local callback for CLI
-      scopes: ["user:inference", "user:profile", "org:create_api_key"]
-    };
-    CALLBACK_PORT = 8421;
-    CALLBACK_TIMEOUT_MS = 3e5;
-    ClaudeOAuthService = class _ClaudeOAuthService {
-      secretStorage;
-      static TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1e3;
-      // 5 minutes
-      pendingCodeVerifier = null;
-      // Store code verifier for PKCE
-      constructor(secretStorage) {
-        this.secretStorage = secretStorage;
-      }
-      /**
-       * Starts the OAuth authorization flow
-       * Opens the default browser for user authentication
-       * Returns after successful authentication
-       */
-      async authorize() {
-        try {
-          const state = this.generateRandomState();
-          const pkce = this.generatePKCEChallenge();
-          this.pendingCodeVerifier = pkce.codeVerifier;
-          const authUrl = this.buildAuthorizationUrl(state, pkce.codeChallenge);
-          console.log("\nAuthenticating with Claude...\n");
-          console.log(`Opening browser to: ${authUrl}
-`);
-          const tokenPromise = this.startCallbackServer(CALLBACK_PORT, state);
-          try {
-            this.openBrowser(authUrl);
-          } catch (error) {
-            console.warn("Failed to open browser automatically:", error);
-            console.log(`
-Please manually open this URL in your browser:
-${authUrl}
-`);
-          }
-          await tokenPromise;
-          console.log("\n\u2705 Successfully authenticated with Claude!\n");
-          return { success: true };
-        } catch (error) {
-          this.pendingCodeVerifier = null;
-          return {
-            success: false,
-            error: error instanceof Error ? error.message : "Authentication failed"
-          };
-        }
-      }
-      /**
-       * Start local HTTP server to receive OAuth callback
-       */
-      startCallbackServer(port, expectedState) {
-        return new Promise((resolve2, reject) => {
-          const server = http.createServer(async (req, res) => {
-            if (req.method !== "GET" || !req.url?.startsWith("/callback")) {
-              res.writeHead(404);
-              res.end("Not Found");
-              return;
-            }
-            const url = new URL(req.url, `http://localhost:${port}`);
-            const code = url.searchParams.get("code");
-            const returnedState = url.searchParams.get("state");
-            const error = url.searchParams.get("error");
-            if (error) {
-              res.writeHead(200, { "Content-Type": "text/html" });
-              res.end(this.buildErrorPage(error));
-              server.close();
-              reject(new Error(`OAuth error: ${error}`));
-              return;
-            }
-            if (returnedState !== expectedState) {
-              const errorMsg = "Security error: state parameter mismatch";
-              res.writeHead(200, { "Content-Type": "text/html" });
-              res.end(this.buildErrorPage(errorMsg));
-              server.close();
-              reject(new Error(errorMsg));
-              return;
-            }
-            if (!code) {
-              const errorMsg = "No authorization code received";
-              res.writeHead(400, { "Content-Type": "text/html" });
-              res.end(this.buildErrorPage(errorMsg));
-              server.close();
-              reject(new Error(errorMsg));
-              return;
-            }
-            try {
-              await this.submitAuthCode(code, returnedState);
-              res.writeHead(200, { "Content-Type": "text/html" });
-              res.end(this.buildSuccessPage());
-              server.close();
-              resolve2();
-            } catch (err) {
-              const errorMsg = err instanceof Error ? err.message : "Token exchange failed";
-              res.writeHead(200, { "Content-Type": "text/html" });
-              res.end(this.buildErrorPage(errorMsg));
-              server.close();
-              reject(err);
-            }
-          });
-          server.on("error", (error) => {
-            if (error.code === "EADDRINUSE") {
-              reject(new Error("Port already in use. Please try again."));
-            } else {
-              reject(error);
-            }
-          });
-          const timeout = setTimeout(() => {
-            server.close();
-            reject(new Error("Authentication timeout - no response received after 5 minutes"));
-          }, CALLBACK_TIMEOUT_MS);
-          server.on("close", () => {
-            clearTimeout(timeout);
-          });
-          server.listen(port, "127.0.0.1", () => {
-            console.log(`Waiting for authentication callback on http://localhost:${port}/callback`);
-          });
-        });
-      }
-      /**
-       * Submits the authorization code and exchanges it for tokens
-       */
-      async submitAuthCode(code, state) {
-        const tokens = await this.exchangeCodeForTokens(code, state);
-        await this.saveTokens(tokens);
-        return tokens;
-      }
-      /**
-       * Exchanges authorization code for access and refresh tokens
-       */
-      async exchangeCodeForTokens(code, state) {
-        if (!this.pendingCodeVerifier) {
-          throw new Error("No PKCE code verifier found. Please start the auth flow first.");
-        }
-        const body = {
-          grant_type: "authorization_code",
-          code,
-          state,
-          // Non-standard: state in body
-          redirect_uri: OAUTH_CONFIG.redirectUri,
-          client_id: OAUTH_CONFIG.clientId,
-          code_verifier: this.pendingCodeVerifier
-          // PKCE verifier
-        };
-        const response = await fetch(OAUTH_CONFIG.tokenEndpoint, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json"
-            // Non-standard: JSON instead of form-encoded
-          },
-          body: JSON.stringify(body)
-        });
-        this.pendingCodeVerifier = null;
-        if (!response.ok) {
-          const error = await response.text();
-          throw new Error(`Token exchange failed: ${error}`);
-        }
-        const data = await response.json();
-        return {
-          accessToken: data.access_token,
-          refreshToken: data.refresh_token,
-          expiresAt: Date.now() + data.expires_in * 1e3
-        };
-      }
-      /**
-       * Refreshes the access token using the refresh token
-       */
-      async refreshTokens() {
-        const tokens = await this.getTokens();
-        if (!tokens) {
-          throw new Error("No tokens found to refresh");
-        }
-        const body = {
-          grant_type: "refresh_token",
-          refresh_token: tokens.refreshToken,
-          client_id: OAUTH_CONFIG.clientId
-        };
-        const response = await fetch(OAUTH_CONFIG.tokenEndpoint, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json"
-          },
-          body: JSON.stringify(body)
-        });
-        if (!response.ok) {
-          const error = await response.text();
-          throw new Error(`Token refresh failed: ${error}`);
-        }
-        const data = await response.json();
-        const newTokens = {
-          accessToken: data.access_token,
-          refreshToken: data.refresh_token,
-          expiresAt: Date.now() + data.expires_in * 1e3
-        };
-        await this.saveTokens(newTokens);
-        return newTokens;
-      }
-      /**
-       * Gets the current access token, refreshing if necessary
-       */
-      async getAccessToken() {
-        const tokens = await this.getTokens();
-        if (!tokens) {
-          return null;
-        }
-        if (Date.now() > tokens.expiresAt - _ClaudeOAuthService.TOKEN_REFRESH_BUFFER_MS) {
-          try {
-            const refreshedTokens = await this.refreshTokens();
-            return refreshedTokens.accessToken;
-          } catch (error) {
-            console.warn("Token refresh failed:", error);
-            return null;
-          }
-        }
-        return tokens.accessToken;
-      }
-      /**
-       * Gets the stored tokens
-       */
-      async getTokens() {
-        try {
-          const accessToken = await this.secretStorage.getSecret("claude_oauth_access_token");
-          const refreshToken = await this.secretStorage.getSecret("claude_oauth_refresh_token");
-          const expiresAt = await this.secretStorage.getSecret("claude_oauth_expires_at");
-          if (!accessToken || !refreshToken || !expiresAt) {
-            return null;
-          }
-          return {
-            accessToken,
-            refreshToken,
-            expiresAt: parseInt(expiresAt, 10)
-          };
-        } catch (error) {
-          console.error("Failed to get OAuth tokens:", error);
-          return null;
-        }
-      }
-      /**
-       * Saves OAuth tokens to secure storage
-       */
-      async saveTokens(tokens) {
-        await this.secretStorage.setSecret("claude_oauth_access_token", tokens.accessToken);
-        await this.secretStorage.setSecret("claude_oauth_refresh_token", tokens.refreshToken);
-        await this.secretStorage.setSecret("claude_oauth_expires_at", tokens.expiresAt.toString());
-      }
-      /**
-       * Deletes stored OAuth tokens
-       */
-      async deleteTokens() {
-        await this.secretStorage.deleteSecret("claude_oauth_access_token");
-        await this.secretStorage.deleteSecret("claude_oauth_refresh_token");
-        await this.secretStorage.deleteSecret("claude_oauth_expires_at");
-      }
-      /**
-       * Checks if user is authenticated via OAuth
-       */
-      async isAuthenticated() {
-        const tokens = await this.getTokens();
-        return tokens !== null;
-      }
-      /**
-       * Gets the current OAuth authentication status
-       */
-      async getStatus() {
-        try {
-          const tokens = await this.getTokens();
-          if (!tokens) {
-            return { isAuthenticated: false };
-          }
-          return {
-            isAuthenticated: true,
-            expiresAt: tokens.expiresAt
-          };
-        } catch (error) {
-          return {
-            isAuthenticated: false,
-            error: error instanceof Error ? error.message : "Failed to get OAuth status"
-          };
-        }
-      }
-      /**
-       * Builds the authorization URL with all required parameters
-       */
-      buildAuthorizationUrl(state, codeChallenge) {
-        const params = new URLSearchParams({
-          response_type: "code",
-          client_id: OAUTH_CONFIG.clientId,
-          redirect_uri: OAUTH_CONFIG.redirectUri,
-          scope: OAUTH_CONFIG.scopes.join(" "),
-          state
-        });
-        if (codeChallenge) {
-          params.set("code_challenge", codeChallenge);
-          params.set("code_challenge_method", "S256");
-        }
-        return `${OAUTH_CONFIG.authorizationEndpoint}?${params.toString()}`;
-      }
-      /**
-       * Generates a random state string for CSRF protection
-       */
-      generateRandomState() {
-        return Array.from(crypto.getRandomValues(new Uint8Array(32))).map((b) => b.toString(16).padStart(2, "0")).join("");
-      }
-      /**
-       * Generates PKCE code verifier and challenge
-       * PKCE (Proof Key for Code Exchange) adds security to OAuth for public clients
-       */
-      generatePKCEChallenge() {
-        const codeVerifier = randomBytes(32).toString("base64url");
-        const hash = createHash("sha256").update(codeVerifier).digest("base64url");
-        return {
-          codeVerifier,
-          codeChallenge: hash
-        };
-      }
-      /**
-       * Open a URL in the default browser cross-platform
-       */
-      openBrowser(url) {
-        const os3 = platform();
-        let command;
-        let args;
-        switch (os3) {
-          case "darwin":
-            command = "open";
-            args = [url];
-            break;
-          case "win32":
-            command = "start";
-            args = ["", url];
-            break;
-          default:
-            command = "xdg-open";
-            args = [url];
-            break;
-        }
-        const options = { detached: true, stdio: "ignore", shell: os3 === "win32" };
-        spawn(command, args, options).unref();
-      }
-      /**
-       * Build success HTML page
-       */
-      buildSuccessPage() {
-        return `
-			<!DOCTYPE html>
-			<html lang="en">
-				<head>
-					<meta charset="UTF-8" />
-					<meta name="viewport" content="width=device-width, initial-scale=1.0" />
-					<title>Authentication Successful - Supatest CLI</title>
-					<style>
-						body {
-							font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-							display: flex;
-							align-items: center;
-							justify-content: center;
-							height: 100vh;
-							margin: 0;
-							background: #fefefe;
-						}
-						.container {
-							background: white;
-							padding: 3rem 2rem;
-							border-radius: 12px;
-							box-shadow: 0 1px 3px rgba(0, 0, 0, 0.1);
-							border: 1px solid #e5e7eb;
-							text-align: center;
-							max-width: 400px;
-						}
-						.success-icon {
-							font-size: 48px;
-							margin-bottom: 1rem;
-						}
-						h1 {
-							color: #10b981;
-							margin: 0 0 1rem 0;
-							font-size: 24px;
-						}
-						p {
-							color: #666;
-							margin: 0;
-							line-height: 1.5;
-						}
-					</style>
-				</head>
-				<body>
-					<div class="container">
-						<div class="success-icon">\u2705</div>
-						<h1>Authentication Successful!</h1>
-						<p>You're now authenticated with Claude.</p>
-						<p style="margin-top: 1rem;">You can close this window and return to your terminal.</p>
-					</div>
-				</body>
-			</html>
-		`;
-      }
-      /**
-       * Build error HTML page
-       */
-      buildErrorPage(errorMessage) {
-        const escapedError = errorMessage.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
-        return `
-			<!DOCTYPE html>
-			<html lang="en">
-				<head>
-					<meta charset="UTF-8" />
-					<meta name="viewport" content="width=device-width, initial-scale=1.0" />
-					<title>Authentication Failed - Supatest CLI</title>
-					<style>
-						body {
-							font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-							display: flex;
-							align-items: center;
-							justify-content: center;
-							height: 100vh;
-							margin: 0;
-							background: #fefefe;
-						}
-						.container {
-							background: white;
-							padding: 3rem 2rem;
-							border-radius: 12px;
-							box-shadow: 0 1px 3px rgba(0, 0, 0, 0.1);
-							border: 1px solid #e5e7eb;
-							text-align: center;
-							max-width: 400px;
-						}
-						.error-icon {
-							font-size: 48px;
-							margin-bottom: 1rem;
-						}
-						h1 {
-							color: #dc2626;
-							margin: 0 0 1rem 0;
-							font-size: 24px;
-						}
-						p {
-							color: #666;
-							margin: 0;
-							line-height: 1.5;
-						}
-					</style>
-				</head>
-				<body>
-					<div class="container">
-						<div class="error-icon">\u274C</div>
-						<h1>Authentication Failed</h1>
-						<p>${escapedError}</p>
-						<p style="margin-top: 1rem;">You can close this window and try again.</p>
-					</div>
-				</body>
-			</html>
-		`;
-      }
-    };
-  }
-});
-
-// src/utils/secret-storage.ts
-var secret_storage_exports = {};
-__export(secret_storage_exports, {
-  deleteSecret: () => deleteSecret,
-  getSecret: () => getSecret,
-  getSecretStorage: () => getSecretStorage,
-  listSecrets: () => listSecrets,
-  setSecret: () => setSecret
-});
-import { promises as fs } from "fs";
-import { homedir } from "os";
-import { dirname, join } from "path";
-async function getSecret(key) {
-  return storage.getSecret(key);
-}
-async function setSecret(key, value) {
-  await storage.setSecret(key, value);
-}
-async function deleteSecret(key) {
-  return storage.deleteSecret(key);
-}
-async function listSecrets() {
-  return storage.listSecrets();
-}
-function getSecretStorage() {
-  return storage;
-}
-var SECRET_FILE_NAME, FileSecretStorage, storage;
-var init_secret_storage = __esm({
-  "src/utils/secret-storage.ts"() {
-    "use strict";
-    SECRET_FILE_NAME = "secrets.json";
-    FileSecretStorage = class {
-      secretFilePath;
-      constructor() {
-        const rootDirName = process.env.NODE_ENV === "development" ? ".supatest-dev" : ".supatest";
-        const secretsDir = join(homedir(), rootDirName, "claude-auth");
-        this.secretFilePath = join(secretsDir, SECRET_FILE_NAME);
-      }
-      async ensureDirectoryExists() {
-        const dir = dirname(this.secretFilePath);
-        await fs.mkdir(dir, { recursive: true, mode: 448 });
-      }
-      async loadSecrets() {
-        try {
-          const data = await fs.readFile(this.secretFilePath, "utf-8");
-          const secrets = JSON.parse(data);
-          return new Map(Object.entries(secrets));
-        } catch (error) {
-          const err = error;
-          if (err.code === "ENOENT") {
-            return /* @__PURE__ */ new Map();
-          }
-          try {
-            await fs.unlink(this.secretFilePath);
-          } catch {
-          }
-          return /* @__PURE__ */ new Map();
-        }
-      }
-      async saveSecrets(secrets) {
-        await this.ensureDirectoryExists();
-        const data = Object.fromEntries(secrets);
-        const json = JSON.stringify(data, null, 2);
-        await fs.writeFile(this.secretFilePath, json, { mode: 384 });
-      }
-      async getSecret(key) {
-        const secrets = await this.loadSecrets();
-        return secrets.get(key) ?? null;
-      }
-      async setSecret(key, value) {
-        const secrets = await this.loadSecrets();
-        secrets.set(key, value);
-        await this.saveSecrets(secrets);
-      }
-      async deleteSecret(key) {
-        const secrets = await this.loadSecrets();
-        if (!secrets.has(key)) {
-          return false;
-        }
-        secrets.delete(key);
-        if (secrets.size === 0) {
-          try {
-            await fs.unlink(this.secretFilePath);
-          } catch (error) {
-            const err = error;
-            if (err.code !== "ENOENT") {
-              throw error;
-            }
-          }
-        } else {
-          await this.saveSecrets(secrets);
-        }
-        return true;
-      }
-      async listSecrets() {
-        const secrets = await this.loadSecrets();
-        return Array.from(secrets.keys());
-      }
-    };
-    storage = new FileSecretStorage();
-  }
-});
-
 // src/commands/setup.ts
-import { execSync, spawn as spawn2, spawnSync } from "child_process";
-import fs2 from "fs";
+import { execSync, spawn, spawnSync } from "child_process";
+import fs from "fs";
 import os from "os";
 import path from "path";
 function parseVersion(versionString) {
@@ -6692,7 +6110,7 @@ function getPlaywrightCachePath() {
     // Windows
   ];
   for (const cachePath of cachePaths) {
-    if (fs2.existsSync(cachePath)) {
+    if (fs.existsSync(cachePath)) {
       return cachePath;
     }
   }
@@ -6702,7 +6120,7 @@ function getInstalledChromiumVersion() {
   const cachePath = getPlaywrightCachePath();
   if (!cachePath) return null;
   try {
-    const entries = fs2.readdirSync(cachePath);
+    const entries = fs.readdirSync(cachePath);
     const chromiumVersions = entries.filter((entry) => entry.startsWith("chromium-") && !entry.includes("headless")).map((entry) => entry.replace("chromium-", "")).sort((a, b) => Number(b) - Number(a));
     return chromiumVersions[0] || null;
   } catch {
@@ -6736,7 +6154,7 @@ function checkNodeVersion() {
 }
 async function installChromium() {
   return new Promise((resolve2) => {
-    const child = spawn2("npx", ["playwright", "install", "chromium"], {
+    const child = spawn("npx", ["playwright", "install", "chromium"], {
       stdio: "inherit",
       shell: true
       // Required for Windows where npx is npx.cmd
@@ -6766,14 +6184,14 @@ function createSupatestConfig(cwd) {
   const supatestDir = path.join(cwd, ".supatest");
   const mcpJsonPath = path.join(supatestDir, "mcp.json");
   try {
-    if (!fs2.existsSync(supatestDir)) {
-      fs2.mkdirSync(supatestDir, { recursive: true });
+    if (!fs.existsSync(supatestDir)) {
+      fs.mkdirSync(supatestDir, { recursive: true });
     }
     let config2;
     let fileExisted = false;
-    if (fs2.existsSync(mcpJsonPath)) {
+    if (fs.existsSync(mcpJsonPath)) {
       fileExisted = true;
-      const existingContent = fs2.readFileSync(mcpJsonPath, "utf-8");
+      const existingContent = fs.readFileSync(mcpJsonPath, "utf-8");
       config2 = JSON.parse(existingContent);
     } else {
       config2 = {};
@@ -6784,7 +6202,7 @@ function createSupatestConfig(cwd) {
     if (!config2.mcpServers.playwright) {
       config2.mcpServers.playwright = DEFAULT_MCP_CONFIG.mcpServers.playwright;
     }
-    fs2.writeFileSync(mcpJsonPath, JSON.stringify(config2, null, 2) + "\n", "utf-8");
+    fs.writeFileSync(mcpJsonPath, JSON.stringify(config2, null, 2) + "\n", "utf-8");
     if (fileExisted) {
       return {
         ok: true,
@@ -6911,18 +6329,18 @@ var CLI_VERSION;
 var init_version = __esm({
   "src/version.ts"() {
     "use strict";
-    CLI_VERSION = "0.0.41";
+    CLI_VERSION = "0.0.42";
   }
 });
 
 // src/utils/error-logger.ts
-import * as fs3 from "fs";
+import * as fs2 from "fs";
 import * as os2 from "os";
 import * as path2 from "path";
 function ensureLogDir() {
   try {
-    if (!fs3.existsSync(LOGS_DIR)) {
-      fs3.mkdirSync(LOGS_DIR, { recursive: true });
+    if (!fs2.existsSync(LOGS_DIR)) {
+      fs2.mkdirSync(LOGS_DIR, { recursive: true });
     }
     return true;
   } catch {
@@ -6931,14 +6349,14 @@ function ensureLogDir() {
 }
 function rotateLogIfNeeded() {
   try {
-    if (!fs3.existsSync(ERROR_LOG_FILE)) return;
-    const stats = fs3.statSync(ERROR_LOG_FILE);
+    if (!fs2.existsSync(ERROR_LOG_FILE)) return;
+    const stats = fs2.statSync(ERROR_LOG_FILE);
     if (stats.size > MAX_LOG_SIZE) {
       const oldLogFile = `${ERROR_LOG_FILE}.old`;
-      if (fs3.existsSync(oldLogFile)) {
-        fs3.unlinkSync(oldLogFile);
+      if (fs2.existsSync(oldLogFile)) {
+        fs2.unlinkSync(oldLogFile);
       }
-      fs3.renameSync(ERROR_LOG_FILE, oldLogFile);
+      fs2.renameSync(ERROR_LOG_FILE, oldLogFile);
     }
   } catch {
   }
@@ -6974,7 +6392,7 @@ function logError(error, context) {
   const logLine = `${JSON.stringify(entry)}
 `;
   try {
-    fs3.appendFileSync(ERROR_LOG_FILE, logLine);
+    fs2.appendFileSync(ERROR_LOG_FILE, logLine);
   } catch {
   }
 }
@@ -6991,7 +6409,7 @@ var init_error_logger = __esm({
 });
 
 // src/utils/logger.ts
-import * as fs4 from "fs";
+import * as fs3 from "fs";
 import * as path3 from "path";
 import chalk from "chalk";
 var Logger, logger;
@@ -7025,7 +6443,7 @@ ${"=".repeat(80)}
 ${"=".repeat(80)}
 `;
         try {
-          fs4.appendFileSync(this.logFile, separator);
+          fs3.appendFileSync(this.logFile, separator);
         } catch (error) {
         }
       }
@@ -7039,7 +6457,7 @@ ${"=".repeat(80)}
 ` : `[${timestamp}] [${level}] ${message}
 `;
         try {
-          fs4.appendFileSync(this.logFile, logEntry);
+          fs3.appendFileSync(this.logFile, logEntry);
         } catch (error) {
         }
       }
@@ -7785,7 +7203,7 @@ var init_api_client = __esm({
 
 // src/utils/command-discovery.ts
 import { existsSync as existsSync2, readdirSync, readFileSync, statSync as statSync2 } from "fs";
-import { join as join4, relative } from "path";
+import { join as join3, relative } from "path";
 function parseMarkdownFrontmatter(content) {
   const frontmatterRegex = /^---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;
   const match = content.match(frontmatterRegex);
@@ -7810,7 +7228,7 @@ function discoverMarkdownFiles(dir, baseDir, files = []) {
   }
   const entries = readdirSync(dir);
   for (const entry of entries) {
-    const fullPath = join4(dir, entry);
+    const fullPath = join3(dir, entry);
     const stat = statSync2(fullPath);
     if (stat.isDirectory()) {
       discoverMarkdownFiles(fullPath, baseDir, files);
@@ -7821,7 +7239,7 @@ function discoverMarkdownFiles(dir, baseDir, files = []) {
   return files;
 }
 function discoverCommands(cwd) {
-  const commandsDir = join4(cwd, ".supatest", "commands");
+  const commandsDir = join3(cwd, ".supatest", "commands");
   if (!existsSync2(commandsDir)) {
     return [];
   }
@@ -7844,9 +7262,9 @@ function discoverCommands(cwd) {
   return commands.sort((a, b) => a.name.localeCompare(b.name));
 }
 function expandCommand(cwd, commandName, args) {
-  const commandsDir = join4(cwd, ".supatest", "commands");
+  const commandsDir = join3(cwd, ".supatest", "commands");
   const relativePath = commandName.replace(/\./g, "/") + ".md";
-  const filePath = join4(commandsDir, relativePath);
+  const filePath = join3(commandsDir, relativePath);
   if (!existsSync2(filePath)) {
     return null;
   }
@@ -7869,7 +7287,7 @@ function expandCommand(cwd, commandName, args) {
   }
 }
 function discoverAgents(cwd) {
-  const agentsDir = join4(cwd, ".supatest", "agents");
+  const agentsDir = join3(cwd, ".supatest", "agents");
   if (!existsSync2(agentsDir)) {
     return [];
   }
@@ -7900,8 +7318,8 @@ var init_command_discovery = __esm({
 
 // src/utils/mcp-loader.ts
 import { existsSync as existsSync3, readFileSync as readFileSync2 } from "fs";
-import { homedir as homedir3 } from "os";
-import { join as join5 } from "path";
+import { homedir as homedir2 } from "os";
+import { join as join4 } from "path";
 function expandEnvVar(value) {
   return value.replace(/\$\{([^}]+)\}/g, (_, expr) => {
     const [varName, defaultValue] = expr.split(":-");
@@ -7950,9 +7368,9 @@ function loadMcpServersFromFile(mcpPath) {
   }
 }
 function loadMcpServers(cwd) {
-  const globalMcpPath = join5(homedir3(), ".supatest", "mcp.json");
+  const globalMcpPath = join4(homedir2(), ".supatest", "mcp.json");
   const globalServers = loadMcpServersFromFile(globalMcpPath);
-  const projectMcpPath = join5(cwd, ".supatest", "mcp.json");
+  const projectMcpPath = join4(cwd, ".supatest", "mcp.json");
   const projectServers = loadMcpServersFromFile(projectMcpPath);
   return { ...globalServers, ...projectServers };
 }
@@ -7964,11 +7382,11 @@ var init_mcp_loader = __esm({
 
 // src/utils/project-instructions.ts
 import { existsSync as existsSync4, readFileSync as readFileSync3 } from "fs";
-import { join as join6 } from "path";
+import { join as join5 } from "path";
 function loadProjectInstructions(cwd) {
   const paths = [
-    join6(cwd, "SUPATEST.md"),
-    join6(cwd, ".supatest", "SUPATEST.md")
+    join5(cwd, "SUPATEST.md"),
+    join5(cwd, ".supatest", "SUPATEST.md")
   ];
   for (const path6 of paths) {
     if (existsSync4(path6)) {
@@ -7988,8 +7406,8 @@ var init_project_instructions = __esm({
 
 // src/core/agent.ts
 import { createRequire } from "module";
-import { homedir as homedir4 } from "os";
-import { dirname as dirname2, join as join7 } from "path";
+import { homedir as homedir3 } from "os";
+import { dirname, join as join6 } from "path";
 import { query } from "@anthropic-ai/claude-agent-sdk";
 var CoreAgent;
 var init_agent = __esm({
@@ -8119,7 +7537,7 @@ ${projectInstructions}`,
           this.presenter.onLog(`Auth: Using Claude Max (default Claude Code credentials)`);
           logger.debug("[agent] Claude Max mode: Using default ~/.claude/ config, cleared provider credentials");
         } else {
-          const internalConfigDir = join7(homedir4(), ".supatest", "claude-internal");
+          const internalConfigDir = join6(homedir3(), ".supatest", "claude-internal");
           cleanEnv.CLAUDE_CONFIG_DIR = internalConfigDir;
           cleanEnv.ANTHROPIC_API_KEY = config2.supatestApiKey || "";
           cleanEnv.ANTHROPIC_BASE_URL = process.env.ANTHROPIC_BASE_URL || "";
@@ -8449,7 +7867,7 @@ ${projectInstructions}`,
         let claudeCodePath;
         const require2 = createRequire(import.meta.url);
         const sdkPath = require2.resolve("@anthropic-ai/claude-agent-sdk/sdk.mjs");
-        claudeCodePath = join7(dirname2(sdkPath), "cli.js");
+        claudeCodePath = join6(dirname(sdkPath), "cli.js");
         this.presenter.onLog(`Using SDK CLI: ${claudeCodePath}`);
         if (config.claudeCodeExecutablePath) {
           claudeCodePath = config.claudeCodeExecutablePath;
@@ -10143,642 +9561,1224 @@ function createInkStdio() {
       if (prop === "write") {
         return writeToStdout;
       }
-      const value = Reflect.get(target, prop, receiver);
-      if (typeof value === "function") {
-        return value.bind(target);
+      const value = Reflect.get(target, prop, receiver);
+      if (typeof value === "function") {
+        return value.bind(target);
+      }
+      return value;
+    }
+  });
+  const inkStderr = new Proxy(process.stderr, {
+    get(target, prop, receiver) {
+      if (prop === "write") {
+        return writeToStderr;
+      }
+      const value = Reflect.get(target, prop, receiver);
+      if (typeof value === "function") {
+        return value.bind(target);
+      }
+      return value;
+    }
+  });
+  return { stdout: inkStdout, stderr: inkStderr };
+}
+function clearTerminalViewportAndScrollback() {
+  writeToStdout("\x1B[3J\x1B[H\x1B[2J");
+}
+var originalStdoutWrite, originalStderrWrite;
+var init_stdio = __esm({
+  "src/utils/stdio.ts"() {
+    "use strict";
+    originalStdoutWrite = process.stdout.write.bind(process.stdout);
+    originalStderrWrite = process.stderr.write.bind(process.stderr);
+  }
+});
+
+// src/utils/encryption.ts
+import crypto2 from "crypto";
+import { hostname, userInfo } from "os";
+function deriveEncryptionKey() {
+  const host = hostname();
+  const user = userInfo().username;
+  const salt = `${host}-${user}-supatest-cli`;
+  if (process.env.DEBUG_ENCRYPTION) {
+    console.error(`[encryption] hostname=${host}, username=${user}, salt=${salt}`);
+  }
+  return crypto2.scryptSync("supatest-cli-token", salt, KEY_LENGTH);
+}
+function getEncryptionKey() {
+  if (!cachedKey) {
+    cachedKey = deriveEncryptionKey();
+  }
+  return cachedKey;
+}
+function encrypt(plaintext) {
+  const key = getEncryptionKey();
+  const iv = crypto2.randomBytes(IV_LENGTH);
+  const cipher = crypto2.createCipheriv(ALGORITHM, key, iv);
+  let encrypted = cipher.update(plaintext, "utf8", "hex");
+  encrypted += cipher.final("hex");
+  const authTag = cipher.getAuthTag();
+  return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted}`;
+}
+function decrypt(encryptedData) {
+  const parts = encryptedData.split(":");
+  if (parts.length !== 3) {
+    throw new Error("Invalid encrypted data format");
+  }
+  const [ivHex, authTagHex, encrypted] = parts;
+  const iv = Buffer.from(ivHex, "hex");
+  const authTag = Buffer.from(authTagHex, "hex");
+  const key = getEncryptionKey();
+  const decipher = crypto2.createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(authTag);
+  let decrypted = decipher.update(encrypted, "hex", "utf8");
+  decrypted += decipher.final("utf8");
+  return decrypted;
+}
+var ALGORITHM, KEY_LENGTH, IV_LENGTH, cachedKey;
+var init_encryption = __esm({
+  "src/utils/encryption.ts"() {
+    "use strict";
+    ALGORITHM = "aes-256-gcm";
+    KEY_LENGTH = 32;
+    IV_LENGTH = 16;
+    cachedKey = null;
+  }
+});
+
+// src/utils/token-storage.ts
+import { existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync4, unlinkSync as unlinkSync2, writeFileSync } from "fs";
+import { homedir as homedir5 } from "os";
+import { join as join7 } from "path";
+function getTokenFilePath() {
+  const apiUrl = process.env.SUPATEST_API_URL || PRODUCTION_API_URL;
+  if (apiUrl === PRODUCTION_API_URL) {
+    return join7(CONFIG_DIR, "token.json");
+  }
+  return join7(CONFIG_DIR, "token.local.json");
+}
+function isV2Format(stored) {
+  return "version" in stored && stored.version === 2;
+}
+function ensureConfigDir() {
+  if (!existsSync5(CONFIG_DIR)) {
+    mkdirSync2(CONFIG_DIR, { recursive: true, mode: 448 });
+  }
+}
+function saveToken(token, expiresAt) {
+  ensureConfigDir();
+  const payload = {
+    token,
+    expiresAt,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const stored = {
+    version: STORAGE_VERSION,
+    encryptedData: encrypt(JSON.stringify(payload))
+  };
+  const tokenFile = getTokenFilePath();
+  writeFileSync(tokenFile, JSON.stringify(stored, null, 2), { mode: 384 });
+}
+function loadToken() {
+  const tokenFile = getTokenFilePath();
+  if (!existsSync5(tokenFile)) {
+    return null;
+  }
+  try {
+    const data = readFileSync4(tokenFile, "utf8");
+    const stored = JSON.parse(data);
+    let payload;
+    if (isV2Format(stored)) {
+      payload = JSON.parse(decrypt(stored.encryptedData));
+    } else {
+      payload = stored;
+    }
+    if (payload.expiresAt) {
+      const expiresAt = new Date(payload.expiresAt);
+      if (expiresAt < /* @__PURE__ */ new Date()) {
+        console.warn("CLI token has expired. Please run 'supatest login' again.");
+        return null;
+      }
+    }
+    return payload.token;
+  } catch (error) {
+    const err = error;
+    if (err.message?.includes("Invalid encrypted data format") || err.message?.includes("Unsupported state or unable to authenticate data")) {
+      try {
+        unlinkSync2(tokenFile);
+      } catch {
+      }
+    }
+    return null;
+  }
+}
+function removeToken() {
+  const tokenFile = getTokenFilePath();
+  if (existsSync5(tokenFile)) {
+    unlinkSync2(tokenFile);
+  }
+}
+var CONFIG_DIR, PRODUCTION_API_URL, STORAGE_VERSION, TOKEN_FILE;
+var init_token_storage = __esm({
+  "src/utils/token-storage.ts"() {
+    "use strict";
+    init_encryption();
+    CONFIG_DIR = join7(homedir5(), ".supatest");
+    PRODUCTION_API_URL = "https://code-api.supatest.ai";
+    STORAGE_VERSION = 2;
+    TOKEN_FILE = join7(CONFIG_DIR, "token.json");
+  }
+});
+
+// src/core/message-bridge.ts
+var MessageBridge;
+var init_message_bridge = __esm({
+  "src/core/message-bridge.ts"() {
+    "use strict";
+    MessageBridge = class {
+      queue = [];
+      resolvers = [];
+      closed = false;
+      sessionId;
+      constructor(sessionId) {
+        this.sessionId = sessionId;
+      }
+      /**
+       * Update the session ID (useful when session is created after bridge).
+       */
+      setSessionId(sessionId) {
+        this.sessionId = sessionId;
+      }
+      /**
+       * Push a user message to be injected into the session.
+       * Call this from the UI when user submits a message during agent execution.
+       */
+      push(text) {
+        if (this.closed) {
+          console.warn("[MessageBridge] Cannot push to closed bridge");
+          return;
+        }
+        const message = {
+          type: "user",
+          message: {
+            role: "user",
+            content: [{ type: "text", text }]
+          },
+          parent_tool_use_id: null,
+          session_id: this.sessionId
+        };
+        const resolver = this.resolvers.shift();
+        if (resolver) {
+          resolver({ value: message, done: false });
+        } else {
+          this.queue.push(message);
+        }
       }
-      return value;
-    }
-  });
-  const inkStderr = new Proxy(process.stderr, {
-    get(target, prop, receiver) {
-      if (prop === "write") {
-        return writeToStderr;
+      /**
+       * Check if there are pending messages in the queue.
+       */
+      hasPending() {
+        return this.queue.length > 0;
       }
-      const value = Reflect.get(target, prop, receiver);
-      if (typeof value === "function") {
-        return value.bind(target);
+      /**
+       * Close the bridge. No more messages will be accepted.
+       * Any pending async iterators will receive done: true.
+       */
+      close() {
+        if (this.closed) return;
+        this.closed = true;
+        for (const resolver of this.resolvers) {
+          resolver({ value: void 0, done: true });
+        }
+        this.resolvers = [];
       }
-      return value;
-    }
-  });
-  return { stdout: inkStdout, stderr: inkStderr };
-}
-function clearTerminalViewportAndScrollback() {
-  writeToStdout("\x1B[3J\x1B[H\x1B[2J");
-}
-var originalStdoutWrite, originalStderrWrite;
-var init_stdio = __esm({
-  "src/utils/stdio.ts"() {
-    "use strict";
-    originalStdoutWrite = process.stdout.write.bind(process.stdout);
-    originalStderrWrite = process.stderr.write.bind(process.stderr);
+      /**
+       * Check if the bridge is closed.
+       */
+      isClosed() {
+        return this.closed;
+      }
+      [Symbol.asyncIterator]() {
+        return {
+          next: () => {
+            const queued = this.queue.shift();
+            if (queued) {
+              return Promise.resolve({ value: queued, done: false });
+            }
+            if (this.closed) {
+              return Promise.resolve({
+                value: void 0,
+                done: true
+              });
+            }
+            return new Promise((resolve2) => {
+              this.resolvers.push(resolve2);
+            });
+          }
+        };
+      }
+    };
   }
 });
 
-// src/utils/encryption.ts
-import crypto2 from "crypto";
-import { hostname, userInfo } from "os";
-function deriveEncryptionKey() {
-  const host = hostname();
-  const user = userInfo().username;
-  const salt = `${host}-${user}-supatest-cli`;
-  if (process.env.DEBUG_ENCRYPTION) {
-    console.error(`[encryption] hostname=${host}, username=${user}, salt=${salt}`);
-  }
-  return crypto2.scryptSync("supatest-cli-token", salt, KEY_LENGTH);
-}
-function getEncryptionKey() {
-  if (!cachedKey) {
-    cachedKey = deriveEncryptionKey();
-  }
-  return cachedKey;
+// src/commands/login.ts
+import { spawn as spawn3 } from "child_process";
+import crypto3 from "crypto";
+import http from "http";
+import { platform } from "os";
+function escapeHtml(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
 }
-function encrypt(plaintext) {
-  const key = getEncryptionKey();
-  const iv = crypto2.randomBytes(IV_LENGTH);
-  const cipher = crypto2.createCipheriv(ALGORITHM, key, iv);
-  let encrypted = cipher.update(plaintext, "utf8", "hex");
-  encrypted += cipher.final("hex");
-  const authTag = cipher.getAuthTag();
-  return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted}`;
+function generateState() {
+  return crypto3.randomBytes(STATE_LENGTH).toString("hex");
 }
-function decrypt(encryptedData) {
-  const parts = encryptedData.split(":");
-  if (parts.length !== 3) {
-    throw new Error("Invalid encrypted data format");
+async function exchangeCodeForToken(code, state) {
+  const response = await fetch(`${API_URL}/web/auth/cli-token-exchange`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ code, state })
+  });
+  if (!response.ok) {
+    const error = await response.json();
+    throw new Error(error.error || "Failed to exchange code for token");
   }
-  const [ivHex, authTagHex, encrypted] = parts;
-  const iv = Buffer.from(ivHex, "hex");
-  const authTag = Buffer.from(authTagHex, "hex");
-  const key = getEncryptionKey();
-  const decipher = crypto2.createDecipheriv(ALGORITHM, key, iv);
-  decipher.setAuthTag(authTag);
-  let decrypted = decipher.update(encrypted, "hex", "utf8");
-  decrypted += decipher.final("utf8");
-  return decrypted;
+  const data = await response.json();
+  return { token: data.token, expiresAt: data.expiresAt };
 }
-var ALGORITHM, KEY_LENGTH, IV_LENGTH, cachedKey;
-var init_encryption = __esm({
-  "src/utils/encryption.ts"() {
-    "use strict";
-    ALGORITHM = "aes-256-gcm";
-    KEY_LENGTH = 32;
-    IV_LENGTH = 16;
-    cachedKey = null;
-  }
-});
-
-// src/utils/token-storage.ts
-import { existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync4, unlinkSync as unlinkSync2, writeFileSync } from "fs";
-import { homedir as homedir6 } from "os";
-import { join as join8 } from "path";
-function getTokenFilePath() {
-  const apiUrl = process.env.SUPATEST_API_URL || PRODUCTION_API_URL;
-  if (apiUrl === PRODUCTION_API_URL) {
-    return join8(CONFIG_DIR, "token.json");
+function openBrowser(url) {
+  const os3 = platform();
+  let command;
+  let args;
+  switch (os3) {
+    case "darwin":
+      command = "open";
+      args = [url];
+      break;
+    case "win32":
+      command = "start";
+      args = ["", url];
+      break;
+    default:
+      command = "xdg-open";
+      args = [url];
   }
-  return join8(CONFIG_DIR, "token.local.json");
+  const options = { detached: true, stdio: "ignore", shell: os3 === "win32" };
+  spawn3(command, args, options).unref();
 }
-function isV2Format(stored) {
-  return "version" in stored && stored.version === 2;
+function startCallbackServer(port, expectedState) {
+  return new Promise((resolve2, reject) => {
+    const server = http.createServer(async (req, res) => {
+      if (req.method !== "GET" || !req.url?.startsWith("/callback")) {
+        res.writeHead(404);
+        res.end("Not Found");
+        return;
+      }
+      const url = new URL(req.url, `http://localhost:${port}`);
+      const code = url.searchParams.get("code");
+      const state = url.searchParams.get("state");
+      const error = url.searchParams.get("error");
+      if (error) {
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(buildErrorPage(error));
+        server.close();
+        reject(new Error(error));
+        return;
+      }
+      if (state !== expectedState) {
+        const errorMsg = "Security error: state parameter mismatch";
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(buildErrorPage(errorMsg));
+        server.close();
+        reject(new Error(errorMsg));
+        return;
+      }
+      if (!code) {
+        const errorMsg = "No authorization code received";
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(buildErrorPage(errorMsg));
+        server.close();
+        reject(new Error(errorMsg));
+        return;
+      }
+      try {
+        const result = await exchangeCodeForToken(code, state);
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(buildSuccessPage());
+        server.close();
+        resolve2(result);
+      } catch (err) {
+        const errorMsg = err instanceof Error ? err.message : "Token exchange failed";
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(buildErrorPage(errorMsg));
+        server.close();
+        reject(err);
+      }
+    });
+    server.on("error", (error) => {
+      if (error.code === "EADDRINUSE") {
+        const portError = new Error(
+          "Something went wrong. Please restart the CLI and try again."
+        );
+        portError.code = "EADDRINUSE";
+        reject(portError);
+      } else {
+        reject(error);
+      }
+    });
+    const timeout = setTimeout(() => {
+      server.close();
+      reject(new Error("Login timeout - no response received after 5 minutes"));
+    }, CALLBACK_TIMEOUT_MS);
+    server.on("close", () => {
+      clearTimeout(timeout);
+    });
+    server.listen(port, "127.0.0.1", () => {
+      console.log(`Waiting for authentication callback on http://localhost:${port}/callback`);
+    });
+  });
 }
-function ensureConfigDir() {
-  if (!existsSync5(CONFIG_DIR)) {
-    mkdirSync2(CONFIG_DIR, { recursive: true, mode: 448 });
-  }
+function buildSuccessPage() {
+  return `
+		<!DOCTYPE html>
+		<html lang="en">
+			<head>
+				<meta charset="UTF-8" />
+				<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+				<title>Login Successful - Supatest CLI</title>
+				<style>
+					body {
+						font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+						display: flex;
+						align-items: center;
+						justify-content: center;
+						height: 100vh;
+						margin: 0;
+						background: #fefefe;
+					}
+					.container {
+						background: white;
+						padding: 3rem 2rem;
+						border-radius: 12px;
+						box-shadow: 0 1px 3px rgba(0, 0, 0, 0.1), 0 1px 2px rgba(0, 0, 0, 0.06);
+						border: 1px solid #e5e7eb;
+						text-align: center;
+						max-width: 400px;
+						width: 90%;
+					}
+					.logo {
+						margin: 0 auto 2rem;
+						display: flex;
+						align-items: center;
+						justify-content: center;
+						gap: 8px;
+					}
+					.logo img {
+						width: 24px;
+						height: 24px;
+						border-radius: 6px;
+						object-fit: contain;
+					}
+					.logo-text {
+						font-weight: 600;
+						font-size: 16px;
+						color: inherit;
+					}
+					.success-icon {
+						width: 64px;
+						height: 64px;
+						border-radius: 50%;
+						background: #d1fae5;
+						display: flex;
+						align-items: center;
+						justify-content: center;
+						font-size: 32px;
+						margin: 0 auto 1.5rem;
+					}
+					h1 {
+						color: #10b981;
+						margin: 0 0 1rem 0;
+						font-size: 24px;
+						font-weight: 600;
+					}
+					p {
+						color: #666;
+						margin: 0;
+						line-height: 1.5;
+					}
+					@media (prefers-color-scheme: dark) {
+						body {
+							background: #1a1a1a;
+						}
+						.container {
+							background: #1f1f1f;
+							border-color: #333;
+							box-shadow: 0 1px 3px rgba(0, 0, 0, 0.3), 0 1px 2px rgba(0, 0, 0, 0.2);
+						}
+						.success-icon {
+							background: #064e3b;
+						}
+						h1 {
+							color: #34d399;
+						}
+						p {
+							color: #a3a3a3;
+						}
+						.logo-text {
+							color: #e5e7eb;
+						}
+					}
+				</style>
+			</head>
+			<body>
+				<div class="container">
+					<div class="logo">
+						<img src="${FRONTEND_URL}/logo.png" alt="Supatest Logo" />
+						<span class="logo-text">Supatest</span>
+					</div>
+					<div class="success-icon" role="img" aria-label="Success">\u2705</div>
+					<h1>Login Successful!</h1>
+					<p>You're now authenticated with Supatest CLI.</p>
+					<p style="margin-top: 1rem;">You can close this window and return to your terminal.</p>
+				</div>
+			</body>
+		</html>
+	`;
 }
-function saveToken(token, expiresAt) {
-  ensureConfigDir();
-  const payload = {
-    token,
-    expiresAt,
-    createdAt: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  const stored = {
-    version: STORAGE_VERSION,
-    encryptedData: encrypt(JSON.stringify(payload))
-  };
-  const tokenFile = getTokenFilePath();
-  writeFileSync(tokenFile, JSON.stringify(stored, null, 2), { mode: 384 });
+function buildErrorPage(errorMessage) {
+  return `
+		<!DOCTYPE html>
+		<html lang="en">
+			<head>
+				<meta charset="UTF-8" />
+				<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+				<title>Login Failed - Supatest CLI</title>
+				<style>
+					body {
+						font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+						display: flex;
+						align-items: center;
+						justify-content: center;
+						height: 100vh;
+						margin: 0;
+						background: #fefefe;
+					}
+					.container {
+						background: white;
+						padding: 3rem 2rem;
+						border-radius: 12px;
+						box-shadow: 0 1px 3px rgba(0, 0, 0, 0.1), 0 1px 2px rgba(0, 0, 0, 0.06);
+						border: 1px solid #e5e7eb;
+						text-align: center;
+						max-width: 400px;
+						width: 90%;
+					}
+					.logo {
+						width: 48px;
+						height: 48px;
+						margin: 0 auto 2rem;
+						display: flex;
+						align-items: center;
+						justify-content: center;
+					}
+					.logo img {
+						width: 48px;
+						height: 48px;
+						border-radius: 8px;
+						object-fit: contain;
+					}
+					.error-icon {
+						width: 64px;
+						height: 64px;
+						border-radius: 50%;
+						background: #fee2e2;
+						display: flex;
+						align-items: center;
+						justify-content: center;
+						font-size: 32px;
+						margin: 0 auto 1.5rem;
+					}
+					h1 {
+						color: #dc2626;
+						margin: 0 0 1rem 0;
+						font-size: 24px;
+						font-weight: 600;
+					}
+					p {
+						color: #666;
+						margin: 0;
+						line-height: 1.5;
+					}
+					.brand {
+						margin-top: 2rem;
+						padding-top: 1.5rem;
+						border-top: 1px solid #e5e7eb;
+						color: #9333ff;
+						font-weight: 600;
+						font-size: 14px;
+					}
+					@media (prefers-color-scheme: dark) {
+						body {
+							background: #1a1a1a;
+						}
+						.container {
+							background: #1f1f1f;
+							border-color: #333;
+							box-shadow: 0 1px 3px rgba(0, 0, 0, 0.3), 0 1px 2px rgba(0, 0, 0, 0.2);
+						}
+						.error-icon {
+							background: #7f1d1d;
+						}
+						h1 {
+							color: #f87171;
+						}
+						p {
+							color: #a3a3a3;
+						}
+						.brand {
+							border-top-color: #333;
+							color: #a855f7;
+						}
+					}
+				</style>
+			</head>
+			<body>
+				<div class="container">
+					<div class="logo">
+						<img src="${FRONTEND_URL}/logo.png" alt="Supatest Logo" />
+						<span class="logo-text">Supatest</span>
+					</div>
+					<div class="error-icon" role="img" aria-label="Error">\u274C</div>
+					<h1>Login Failed</h1>
+					<p>${escapeHtml(errorMessage)}</p>
+					<p style="margin-top: 1rem;">You can close this window and try again.</p>
+				</div>
+			</body>
+		</html>
+	`;
 }
-function loadToken() {
-  const tokenFile = getTokenFilePath();
-  if (!existsSync5(tokenFile)) {
-    return null;
+async function loginCommand() {
+  console.log("\nAuthenticating with Supatest...\n");
+  const state = generateState();
+  const loginPromise = startCallbackServer(CLI_LOGIN_PORT, state);
+  const loginUrl = `${FRONTEND_URL}/cli-login?port=${CLI_LOGIN_PORT}&state=${state}`;
+  console.log(`Opening browser to: ${loginUrl}`);
+  console.log("\nIf your browser doesn't open automatically, please visit the URL above.\n");
+  try {
+    openBrowser(loginUrl);
+  } catch (error) {
+    console.warn("Failed to open browser automatically:", error);
+    console.log(`
+Please manually open this URL in your browser:
+${loginUrl}
+`);
   }
   try {
-    const data = readFileSync4(tokenFile, "utf8");
-    const stored = JSON.parse(data);
-    let payload;
-    if (isV2Format(stored)) {
-      payload = JSON.parse(decrypt(stored.encryptedData));
-    } else {
-      payload = stored;
-    }
-    if (payload.expiresAt) {
-      const expiresAt = new Date(payload.expiresAt);
-      if (expiresAt < /* @__PURE__ */ new Date()) {
-        console.warn("CLI token has expired. Please run 'supatest login' again.");
-        return null;
-      }
-    }
-    return payload.token;
+    const result = await loginPromise;
+    console.log("\n\u2705 Login successful!\n");
+    return result;
   } catch (error) {
     const err = error;
-    if (err.message?.includes("Invalid encrypted data format") || err.message?.includes("Unsupported state or unable to authenticate data")) {
-      try {
-        unlinkSync2(tokenFile);
-      } catch {
-      }
+    if (err.code === "EADDRINUSE") {
+      console.error("\n\u274C Login failed: Something went wrong.");
+      console.error("   Please restart the CLI and try again.\n");
+    } else {
+      console.error("\n\u274C Login failed:", error.message, "\n");
     }
-    return null;
-  }
-}
-function removeToken() {
-  const tokenFile = getTokenFilePath();
-  if (existsSync5(tokenFile)) {
-    unlinkSync2(tokenFile);
+    throw error;
   }
 }
-var CONFIG_DIR, PRODUCTION_API_URL, STORAGE_VERSION, TOKEN_FILE;
-var init_token_storage = __esm({
-  "src/utils/token-storage.ts"() {
+var CLI_LOGIN_PORT, FRONTEND_URL, API_URL, CALLBACK_TIMEOUT_MS, STATE_LENGTH;
+var init_login = __esm({
+  "src/commands/login.ts"() {
     "use strict";
-    init_encryption();
-    CONFIG_DIR = join8(homedir6(), ".supatest");
-    PRODUCTION_API_URL = "https://code-api.supatest.ai";
-    STORAGE_VERSION = 2;
-    TOKEN_FILE = join8(CONFIG_DIR, "token.json");
+    CLI_LOGIN_PORT = 8420;
+    FRONTEND_URL = process.env.SUPATEST_FRONTEND_URL || "https://code.supatest.ai";
+    API_URL = process.env.SUPATEST_API_URL || "https://code-api.supatest.ai";
+    CALLBACK_TIMEOUT_MS = 3e5;
+    STATE_LENGTH = 32;
   }
 });
 
-// src/core/message-bridge.ts
-var MessageBridge;
-var init_message_bridge = __esm({
-  "src/core/message-bridge.ts"() {
+// src/utils/claude-oauth.ts
+var claude_oauth_exports = {};
+__export(claude_oauth_exports, {
+  ClaudeOAuthService: () => ClaudeOAuthService
+});
+import { spawn as spawn4 } from "child_process";
+import { createHash, randomBytes } from "crypto";
+import http2 from "http";
+import { platform as platform2 } from "os";
+var OAUTH_CONFIG, CALLBACK_PORT, CALLBACK_TIMEOUT_MS2, ClaudeOAuthService;
+var init_claude_oauth = __esm({
+  "src/utils/claude-oauth.ts"() {
     "use strict";
-    MessageBridge = class {
-      queue = [];
-      resolvers = [];
-      closed = false;
-      sessionId;
-      constructor(sessionId) {
-        this.sessionId = sessionId;
+    OAUTH_CONFIG = {
+      clientId: "9d1c250a-e61b-44d9-88ed-5944d1962f5e",
+      // Claude Code's client ID
+      authorizationEndpoint: "https://claude.ai/oauth/authorize",
+      tokenEndpoint: "https://console.anthropic.com/v1/oauth/token",
+      redirectUri: "http://localhost:8421/callback",
+      // Local callback for CLI
+      scopes: ["user:inference", "user:profile", "org:create_api_key"]
+    };
+    CALLBACK_PORT = 8421;
+    CALLBACK_TIMEOUT_MS2 = 3e5;
+    ClaudeOAuthService = class _ClaudeOAuthService {
+      secretStorage;
+      static TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1e3;
+      // 5 minutes
+      pendingCodeVerifier = null;
+      // Store code verifier for PKCE
+      constructor(secretStorage) {
+        this.secretStorage = secretStorage;
+      }
+      /**
+       * Starts the OAuth authorization flow
+       * Opens the default browser for user authentication
+       * Returns after successful authentication
+       */
+      async authorize() {
+        try {
+          const state = this.generateRandomState();
+          const pkce = this.generatePKCEChallenge();
+          this.pendingCodeVerifier = pkce.codeVerifier;
+          const authUrl = this.buildAuthorizationUrl(state, pkce.codeChallenge);
+          console.log("\nAuthenticating with Claude...\n");
+          console.log(`Opening browser to: ${authUrl}
+`);
+          const tokenPromise = this.startCallbackServer(CALLBACK_PORT, state);
+          try {
+            this.openBrowser(authUrl);
+          } catch (error) {
+            console.warn("Failed to open browser automatically:", error);
+            console.log(`
+Please manually open this URL in your browser:
+${authUrl}
+`);
+          }
+          await tokenPromise;
+          console.log("\n\u2705 Successfully authenticated with Claude!\n");
+          return { success: true };
+        } catch (error) {
+          this.pendingCodeVerifier = null;
+          return {
+            success: false,
+            error: error instanceof Error ? error.message : "Authentication failed"
+          };
+        }
+      }
+      /**
+       * Start local HTTP server to receive OAuth callback
+       */
+      startCallbackServer(port, expectedState) {
+        return new Promise((resolve2, reject) => {
+          const server = http2.createServer(async (req, res) => {
+            if (req.method !== "GET" || !req.url?.startsWith("/callback")) {
+              res.writeHead(404);
+              res.end("Not Found");
+              return;
+            }
+            const url = new URL(req.url, `http://localhost:${port}`);
+            const code = url.searchParams.get("code");
+            const returnedState = url.searchParams.get("state");
+            const error = url.searchParams.get("error");
+            if (error) {
+              res.writeHead(200, { "Content-Type": "text/html" });
+              res.end(this.buildErrorPage(error));
+              server.close();
+              reject(new Error(`OAuth error: ${error}`));
+              return;
+            }
+            if (returnedState !== expectedState) {
+              const errorMsg = "Security error: state parameter mismatch";
+              res.writeHead(200, { "Content-Type": "text/html" });
+              res.end(this.buildErrorPage(errorMsg));
+              server.close();
+              reject(new Error(errorMsg));
+              return;
+            }
+            if (!code) {
+              const errorMsg = "No authorization code received";
+              res.writeHead(400, { "Content-Type": "text/html" });
+              res.end(this.buildErrorPage(errorMsg));
+              server.close();
+              reject(new Error(errorMsg));
+              return;
+            }
+            try {
+              await this.submitAuthCode(code, returnedState);
+              res.writeHead(200, { "Content-Type": "text/html" });
+              res.end(this.buildSuccessPage());
+              server.close();
+              resolve2();
+            } catch (err) {
+              const errorMsg = err instanceof Error ? err.message : "Token exchange failed";
+              res.writeHead(200, { "Content-Type": "text/html" });
+              res.end(this.buildErrorPage(errorMsg));
+              server.close();
+              reject(err);
+            }
+          });
+          server.on("error", (error) => {
+            if (error.code === "EADDRINUSE") {
+              reject(new Error("Port already in use. Please try again."));
+            } else {
+              reject(error);
+            }
+          });
+          const timeout = setTimeout(() => {
+            server.close();
+            reject(new Error("Authentication timeout - no response received after 5 minutes"));
+          }, CALLBACK_TIMEOUT_MS2);
+          server.on("close", () => {
+            clearTimeout(timeout);
+          });
+          server.listen(port, "127.0.0.1", () => {
+            console.log(`Waiting for authentication callback on http://localhost:${port}/callback`);
+          });
+        });
+      }
+      /**
+       * Submits the authorization code and exchanges it for tokens
+       */
+      async submitAuthCode(code, state) {
+        const tokens = await this.exchangeCodeForTokens(code, state);
+        await this.saveTokens(tokens);
+        return tokens;
+      }
+      /**
+       * Exchanges authorization code for access and refresh tokens
+       */
+      async exchangeCodeForTokens(code, state) {
+        if (!this.pendingCodeVerifier) {
+          throw new Error("No PKCE code verifier found. Please start the auth flow first.");
+        }
+        const body = {
+          grant_type: "authorization_code",
+          code,
+          state,
+          // Non-standard: state in body
+          redirect_uri: OAUTH_CONFIG.redirectUri,
+          client_id: OAUTH_CONFIG.clientId,
+          code_verifier: this.pendingCodeVerifier
+          // PKCE verifier
+        };
+        const response = await fetch(OAUTH_CONFIG.tokenEndpoint, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json"
+            // Non-standard: JSON instead of form-encoded
+          },
+          body: JSON.stringify(body)
+        });
+        this.pendingCodeVerifier = null;
+        if (!response.ok) {
+          const error = await response.text();
+          throw new Error(`Token exchange failed: ${error}`);
+        }
+        const data = await response.json();
+        return {
+          accessToken: data.access_token,
+          refreshToken: data.refresh_token,
+          expiresAt: Date.now() + data.expires_in * 1e3
+        };
+      }
+      /**
+       * Refreshes the access token using the refresh token
+       */
+      async refreshTokens() {
+        const tokens = await this.getTokens();
+        if (!tokens) {
+          throw new Error("No tokens found to refresh");
+        }
+        const body = {
+          grant_type: "refresh_token",
+          refresh_token: tokens.refreshToken,
+          client_id: OAUTH_CONFIG.clientId
+        };
+        const response = await fetch(OAUTH_CONFIG.tokenEndpoint, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json"
+          },
+          body: JSON.stringify(body)
+        });
+        if (!response.ok) {
+          const error = await response.text();
+          throw new Error(`Token refresh failed: ${error}`);
+        }
+        const data = await response.json();
+        const newTokens = {
+          accessToken: data.access_token,
+          refreshToken: data.refresh_token,
+          expiresAt: Date.now() + data.expires_in * 1e3
+        };
+        await this.saveTokens(newTokens);
+        return newTokens;
       }
       /**
-       * Update the session ID (useful when session is created after bridge).
+       * Gets the current access token, refreshing if necessary
        */
-      setSessionId(sessionId) {
-        this.sessionId = sessionId;
+      async getAccessToken() {
+        const tokens = await this.getTokens();
+        if (!tokens) {
+          return null;
+        }
+        if (Date.now() > tokens.expiresAt - _ClaudeOAuthService.TOKEN_REFRESH_BUFFER_MS) {
+          try {
+            const refreshedTokens = await this.refreshTokens();
+            return refreshedTokens.accessToken;
+          } catch (error) {
+            console.warn("Token refresh failed:", error);
+            return null;
+          }
+        }
+        return tokens.accessToken;
       }
       /**
-       * Push a user message to be injected into the session.
-       * Call this from the UI when user submits a message during agent execution.
+       * Gets the stored tokens
        */
-      push(text) {
-        if (this.closed) {
-          console.warn("[MessageBridge] Cannot push to closed bridge");
-          return;
-        }
-        const message = {
-          type: "user",
-          message: {
-            role: "user",
-            content: [{ type: "text", text }]
-          },
-          parent_tool_use_id: null,
-          session_id: this.sessionId
-        };
-        const resolver = this.resolvers.shift();
-        if (resolver) {
-          resolver({ value: message, done: false });
-        } else {
-          this.queue.push(message);
+      async getTokens() {
+        try {
+          const accessToken = await this.secretStorage.getSecret("claude_oauth_access_token");
+          const refreshToken = await this.secretStorage.getSecret("claude_oauth_refresh_token");
+          const expiresAt = await this.secretStorage.getSecret("claude_oauth_expires_at");
+          if (!accessToken || !refreshToken || !expiresAt) {
+            return null;
+          }
+          return {
+            accessToken,
+            refreshToken,
+            expiresAt: parseInt(expiresAt, 10)
+          };
+        } catch (error) {
+          console.error("Failed to get OAuth tokens:", error);
+          return null;
         }
       }
       /**
-       * Check if there are pending messages in the queue.
+       * Saves OAuth tokens to secure storage
        */
-      hasPending() {
-        return this.queue.length > 0;
+      async saveTokens(tokens) {
+        await this.secretStorage.setSecret("claude_oauth_access_token", tokens.accessToken);
+        await this.secretStorage.setSecret("claude_oauth_refresh_token", tokens.refreshToken);
+        await this.secretStorage.setSecret("claude_oauth_expires_at", tokens.expiresAt.toString());
       }
       /**
-       * Close the bridge. No more messages will be accepted.
-       * Any pending async iterators will receive done: true.
+       * Deletes stored OAuth tokens
        */
-      close() {
-        if (this.closed) return;
-        this.closed = true;
-        for (const resolver of this.resolvers) {
-          resolver({ value: void 0, done: true });
-        }
-        this.resolvers = [];
+      async deleteTokens() {
+        await this.secretStorage.deleteSecret("claude_oauth_access_token");
+        await this.secretStorage.deleteSecret("claude_oauth_refresh_token");
+        await this.secretStorage.deleteSecret("claude_oauth_expires_at");
       }
       /**
-       * Check if the bridge is closed.
+       * Checks if user is authenticated via OAuth
        */
-      isClosed() {
-        return this.closed;
+      async isAuthenticated() {
+        const tokens = await this.getTokens();
+        return tokens !== null;
       }
-      [Symbol.asyncIterator]() {
-        return {
-          next: () => {
-            const queued = this.queue.shift();
-            if (queued) {
-              return Promise.resolve({ value: queued, done: false });
-            }
-            if (this.closed) {
-              return Promise.resolve({
-                value: void 0,
-                done: true
-              });
-            }
-            return new Promise((resolve2) => {
-              this.resolvers.push(resolve2);
-            });
+      /**
+       * Gets the current OAuth authentication status
+       */
+      async getStatus() {
+        try {
+          const tokens = await this.getTokens();
+          if (!tokens) {
+            return { isAuthenticated: false };
           }
-        };
-      }
-    };
-  }
-});
-
-// src/commands/login.ts
-import { spawn as spawn4 } from "child_process";
-import crypto3 from "crypto";
-import http2 from "http";
-import { platform as platform2 } from "os";
-function escapeHtml(text) {
-  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
-}
-function generateState() {
-  return crypto3.randomBytes(STATE_LENGTH).toString("hex");
-}
-async function exchangeCodeForToken(code, state) {
-  const response = await fetch(`${API_URL}/web/auth/cli-token-exchange`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ code, state })
-  });
-  if (!response.ok) {
-    const error = await response.json();
-    throw new Error(error.error || "Failed to exchange code for token");
-  }
-  const data = await response.json();
-  return { token: data.token, expiresAt: data.expiresAt };
-}
-function openBrowser(url) {
-  const os3 = platform2();
-  let command;
-  let args;
-  switch (os3) {
-    case "darwin":
-      command = "open";
-      args = [url];
-      break;
-    case "win32":
-      command = "start";
-      args = ["", url];
-      break;
-    default:
-      command = "xdg-open";
-      args = [url];
-  }
-  const options = { detached: true, stdio: "ignore", shell: os3 === "win32" };
-  spawn4(command, args, options).unref();
-}
-function startCallbackServer(port, expectedState) {
-  return new Promise((resolve2, reject) => {
-    const server = http2.createServer(async (req, res) => {
-      if (req.method !== "GET" || !req.url?.startsWith("/callback")) {
-        res.writeHead(404);
-        res.end("Not Found");
-        return;
-      }
-      const url = new URL(req.url, `http://localhost:${port}`);
-      const code = url.searchParams.get("code");
-      const state = url.searchParams.get("state");
-      const error = url.searchParams.get("error");
-      if (error) {
-        res.writeHead(200, { "Content-Type": "text/html" });
-        res.end(buildErrorPage(error));
-        server.close();
-        reject(new Error(error));
-        return;
+          return {
+            isAuthenticated: true,
+            expiresAt: tokens.expiresAt
+          };
+        } catch (error) {
+          return {
+            isAuthenticated: false,
+            error: error instanceof Error ? error.message : "Failed to get OAuth status"
+          };
+        }
       }
-      if (state !== expectedState) {
-        const errorMsg = "Security error: state parameter mismatch";
-        res.writeHead(200, { "Content-Type": "text/html" });
-        res.end(buildErrorPage(errorMsg));
-        server.close();
-        reject(new Error(errorMsg));
-        return;
+      /**
+       * Builds the authorization URL with all required parameters
+       */
+      buildAuthorizationUrl(state, codeChallenge) {
+        const params = new URLSearchParams({
+          response_type: "code",
+          client_id: OAUTH_CONFIG.clientId,
+          redirect_uri: OAUTH_CONFIG.redirectUri,
+          scope: OAUTH_CONFIG.scopes.join(" "),
+          state
+        });
+        if (codeChallenge) {
+          params.set("code_challenge", codeChallenge);
+          params.set("code_challenge_method", "S256");
+        }
+        return `${OAUTH_CONFIG.authorizationEndpoint}?${params.toString()}`;
       }
-      if (!code) {
-        const errorMsg = "No authorization code received";
-        res.writeHead(400, { "Content-Type": "text/html" });
-        res.end(buildErrorPage(errorMsg));
-        server.close();
-        reject(new Error(errorMsg));
-        return;
+      /**
+       * Generates a random state string for CSRF protection
+       */
+      generateRandomState() {
+        return Array.from(crypto.getRandomValues(new Uint8Array(32))).map((b) => b.toString(16).padStart(2, "0")).join("");
       }
-      try {
-        const result = await exchangeCodeForToken(code, state);
-        res.writeHead(200, { "Content-Type": "text/html" });
-        res.end(buildSuccessPage());
-        server.close();
-        resolve2(result);
-      } catch (err) {
-        const errorMsg = err instanceof Error ? err.message : "Token exchange failed";
-        res.writeHead(200, { "Content-Type": "text/html" });
-        res.end(buildErrorPage(errorMsg));
-        server.close();
-        reject(err);
+      /**
+       * Generates PKCE code verifier and challenge
+       * PKCE (Proof Key for Code Exchange) adds security to OAuth for public clients
+       */
+      generatePKCEChallenge() {
+        const codeVerifier = randomBytes(32).toString("base64url");
+        const hash = createHash("sha256").update(codeVerifier).digest("base64url");
+        return {
+          codeVerifier,
+          codeChallenge: hash
+        };
       }
-    });
-    server.on("error", (error) => {
-      if (error.code === "EADDRINUSE") {
-        const portError = new Error(
-          "Something went wrong. Please restart the CLI and try again."
-        );
-        portError.code = "EADDRINUSE";
-        reject(portError);
-      } else {
-        reject(error);
+      /**
+       * Open a URL in the default browser cross-platform
+       */
+      openBrowser(url) {
+        const os3 = platform2();
+        let command;
+        let args;
+        switch (os3) {
+          case "darwin":
+            command = "open";
+            args = [url];
+            break;
+          case "win32":
+            command = "start";
+            args = ["", url];
+            break;
+          default:
+            command = "xdg-open";
+            args = [url];
+            break;
+        }
+        const options = { detached: true, stdio: "ignore", shell: os3 === "win32" };
+        spawn4(command, args, options).unref();
       }
-    });
-    const timeout = setTimeout(() => {
-      server.close();
-      reject(new Error("Login timeout - no response received after 5 minutes"));
-    }, CALLBACK_TIMEOUT_MS2);
-    server.on("close", () => {
-      clearTimeout(timeout);
-    });
-    server.listen(port, "127.0.0.1", () => {
-      console.log(`Waiting for authentication callback on http://localhost:${port}/callback`);
-    });
-  });
-}
-function buildSuccessPage() {
-  return `
-		<!DOCTYPE html>
-		<html lang="en">
-			<head>
-				<meta charset="UTF-8" />
-				<meta name="viewport" content="width=device-width, initial-scale=1.0" />
-				<title>Login Successful - Supatest CLI</title>
-				<style>
-					body {
-						font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-						display: flex;
-						align-items: center;
-						justify-content: center;
-						height: 100vh;
-						margin: 0;
-						background: #fefefe;
-					}
-					.container {
-						background: white;
-						padding: 3rem 2rem;
-						border-radius: 12px;
-						box-shadow: 0 1px 3px rgba(0, 0, 0, 0.1), 0 1px 2px rgba(0, 0, 0, 0.06);
-						border: 1px solid #e5e7eb;
-						text-align: center;
-						max-width: 400px;
-						width: 90%;
-					}
-					.logo {
-						margin: 0 auto 2rem;
-						display: flex;
-						align-items: center;
-						justify-content: center;
-						gap: 8px;
-					}
-					.logo img {
-						width: 24px;
-						height: 24px;
-						border-radius: 6px;
-						object-fit: contain;
-					}
-					.logo-text {
-						font-weight: 600;
-						font-size: 16px;
-						color: inherit;
-					}
-					.success-icon {
-						width: 64px;
-						height: 64px;
-						border-radius: 50%;
-						background: #d1fae5;
-						display: flex;
-						align-items: center;
-						justify-content: center;
-						font-size: 32px;
-						margin: 0 auto 1.5rem;
-					}
-					h1 {
-						color: #10b981;
-						margin: 0 0 1rem 0;
-						font-size: 24px;
-						font-weight: 600;
-					}
-					p {
-						color: #666;
-						margin: 0;
-						line-height: 1.5;
-					}
-					@media (prefers-color-scheme: dark) {
+      /**
+       * Build success HTML page
+       */
+      buildSuccessPage() {
+        return `
+			<!DOCTYPE html>
+			<html lang="en">
+				<head>
+					<meta charset="UTF-8" />
+					<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+					<title>Authentication Successful - Supatest CLI</title>
+					<style>
 						body {
-							background: #1a1a1a;
+							font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+							display: flex;
+							align-items: center;
+							justify-content: center;
+							height: 100vh;
+							margin: 0;
+							background: #fefefe;
 						}
 						.container {
-							background: #1f1f1f;
-							border-color: #333;
-							box-shadow: 0 1px 3px rgba(0, 0, 0, 0.3), 0 1px 2px rgba(0, 0, 0, 0.2);
+							background: white;
+							padding: 3rem 2rem;
+							border-radius: 12px;
+							box-shadow: 0 1px 3px rgba(0, 0, 0, 0.1);
+							border: 1px solid #e5e7eb;
+							text-align: center;
+							max-width: 400px;
 						}
 						.success-icon {
-							background: #064e3b;
+							font-size: 48px;
+							margin-bottom: 1rem;
 						}
 						h1 {
-							color: #34d399;
+							color: #10b981;
+							margin: 0 0 1rem 0;
+							font-size: 24px;
 						}
 						p {
-							color: #a3a3a3;
-						}
-						.logo-text {
-							color: #e5e7eb;
+							color: #666;
+							margin: 0;
+							line-height: 1.5;
 						}
-					}
-				</style>
-			</head>
-			<body>
-				<div class="container">
-					<div class="logo">
-						<img src="${FRONTEND_URL}/logo.png" alt="Supatest Logo" />
-						<span class="logo-text">Supatest</span>
-					</div>
-					<div class="success-icon" role="img" aria-label="Success">\u2705</div>
-					<h1>Login Successful!</h1>
-					<p>You're now authenticated with Supatest CLI.</p>
-					<p style="margin-top: 1rem;">You can close this window and return to your terminal.</p>
-				</div>
-			</body>
-		</html>
-	`;
-}
-function buildErrorPage(errorMessage) {
-  return `
-		<!DOCTYPE html>
-		<html lang="en">
-			<head>
-				<meta charset="UTF-8" />
-				<meta name="viewport" content="width=device-width, initial-scale=1.0" />
-				<title>Login Failed - Supatest CLI</title>
-				<style>
-					body {
-						font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-						display: flex;
-						align-items: center;
-						justify-content: center;
-						height: 100vh;
-						margin: 0;
-						background: #fefefe;
-					}
-					.container {
-						background: white;
-						padding: 3rem 2rem;
-						border-radius: 12px;
-						box-shadow: 0 1px 3px rgba(0, 0, 0, 0.1), 0 1px 2px rgba(0, 0, 0, 0.06);
-						border: 1px solid #e5e7eb;
-						text-align: center;
-						max-width: 400px;
-						width: 90%;
-					}
-					.logo {
-						width: 48px;
-						height: 48px;
-						margin: 0 auto 2rem;
-						display: flex;
-						align-items: center;
-						justify-content: center;
-					}
-					.logo img {
-						width: 48px;
-						height: 48px;
-						border-radius: 8px;
-						object-fit: contain;
-					}
-					.error-icon {
-						width: 64px;
-						height: 64px;
-						border-radius: 50%;
-						background: #fee2e2;
-						display: flex;
-						align-items: center;
-						justify-content: center;
-						font-size: 32px;
-						margin: 0 auto 1.5rem;
-					}
-					h1 {
-						color: #dc2626;
-						margin: 0 0 1rem 0;
-						font-size: 24px;
-						font-weight: 600;
-					}
-					p {
-						color: #666;
-						margin: 0;
-						line-height: 1.5;
-					}
-					.brand {
-						margin-top: 2rem;
-						padding-top: 1.5rem;
-						border-top: 1px solid #e5e7eb;
-						color: #9333ff;
-						font-weight: 600;
-						font-size: 14px;
-					}
-					@media (prefers-color-scheme: dark) {
+					</style>
+				</head>
+				<body>
+					<div class="container">
+						<div class="success-icon">\u2705</div>
+						<h1>Authentication Successful!</h1>
+						<p>You're now authenticated with Claude.</p>
+						<p style="margin-top: 1rem;">You can close this window and return to your terminal.</p>
+					</div>
+				</body>
+			</html>
+		`;
+      }
+      /**
+       * Build error HTML page
+       */
+      buildErrorPage(errorMessage) {
+        const escapedError = errorMessage.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+        return `
+			<!DOCTYPE html>
+			<html lang="en">
+				<head>
+					<meta charset="UTF-8" />
+					<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+					<title>Authentication Failed - Supatest CLI</title>
+					<style>
 						body {
-							background: #1a1a1a;
+							font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+							display: flex;
+							align-items: center;
+							justify-content: center;
+							height: 100vh;
+							margin: 0;
+							background: #fefefe;
 						}
 						.container {
-							background: #1f1f1f;
-							border-color: #333;
-							box-shadow: 0 1px 3px rgba(0, 0, 0, 0.3), 0 1px 2px rgba(0, 0, 0, 0.2);
+							background: white;
+							padding: 3rem 2rem;
+							border-radius: 12px;
+							box-shadow: 0 1px 3px rgba(0, 0, 0, 0.1);
+							border: 1px solid #e5e7eb;
+							text-align: center;
+							max-width: 400px;
 						}
 						.error-icon {
-							background: #7f1d1d;
+							font-size: 48px;
+							margin-bottom: 1rem;
 						}
 						h1 {
-							color: #f87171;
+							color: #dc2626;
+							margin: 0 0 1rem 0;
+							font-size: 24px;
 						}
 						p {
-							color: #a3a3a3;
-						}
-						.brand {
-							border-top-color: #333;
-							color: #a855f7;
+							color: #666;
+							margin: 0;
+							line-height: 1.5;
 						}
-					}
-				</style>
-			</head>
-			<body>
-				<div class="container">
-					<div class="logo">
-						<img src="${FRONTEND_URL}/logo.png" alt="Supatest Logo" />
-						<span class="logo-text">Supatest</span>
+					</style>
+				</head>
+				<body>
+					<div class="container">
+						<div class="error-icon">\u274C</div>
+						<h1>Authentication Failed</h1>
+						<p>${escapedError}</p>
+						<p style="margin-top: 1rem;">You can close this window and try again.</p>
 					</div>
-					<div class="error-icon" role="img" aria-label="Error">\u274C</div>
-					<h1>Login Failed</h1>
-					<p>${escapeHtml(errorMessage)}</p>
-					<p style="margin-top: 1rem;">You can close this window and try again.</p>
-				</div>
-			</body>
-		</html>
-	`;
-}
-async function loginCommand() {
-  console.log("\nAuthenticating with Supatest...\n");
-  const state = generateState();
-  const loginPromise = startCallbackServer(CLI_LOGIN_PORT, state);
-  const loginUrl = `${FRONTEND_URL}/cli-login?port=${CLI_LOGIN_PORT}&state=${state}`;
-  console.log(`Opening browser to: ${loginUrl}`);
-  console.log("\nIf your browser doesn't open automatically, please visit the URL above.\n");
-  try {
-    openBrowser(loginUrl);
-  } catch (error) {
-    console.warn("Failed to open browser automatically:", error);
-    console.log(`
-Please manually open this URL in your browser:
-${loginUrl}
-`);
-  }
-  try {
-    const result = await loginPromise;
-    console.log("\n\u2705 Login successful!\n");
-    return result;
-  } catch (error) {
-    const err = error;
-    if (err.code === "EADDRINUSE") {
-      console.error("\n\u274C Login failed: Something went wrong.");
-      console.error("   Please restart the CLI and try again.\n");
-    } else {
-      console.error("\n\u274C Login failed:", error.message, "\n");
-    }
-    throw error;
+				</body>
+			</html>
+		`;
+      }
+    };
   }
+});
+
+// src/utils/secret-storage.ts
+var secret_storage_exports = {};
+__export(secret_storage_exports, {
+  deleteSecret: () => deleteSecret,
+  getSecret: () => getSecret,
+  getSecretStorage: () => getSecretStorage,
+  listSecrets: () => listSecrets,
+  setSecret: () => setSecret
+});
+import { promises as fs4 } from "fs";
+import { homedir as homedir6 } from "os";
+import { dirname as dirname2, join as join8 } from "path";
+async function getSecret(key) {
+  return storage.getSecret(key);
 }
-var CLI_LOGIN_PORT, FRONTEND_URL, API_URL, CALLBACK_TIMEOUT_MS2, STATE_LENGTH;
-var init_login = __esm({
-  "src/commands/login.ts"() {
+async function setSecret(key, value) {
+  await storage.setSecret(key, value);
+}
+async function deleteSecret(key) {
+  return storage.deleteSecret(key);
+}
+async function listSecrets() {
+  return storage.listSecrets();
+}
+function getSecretStorage() {
+  return storage;
+}
+var SECRET_FILE_NAME, FileSecretStorage, storage;
+var init_secret_storage = __esm({
+  "src/utils/secret-storage.ts"() {
     "use strict";
-    CLI_LOGIN_PORT = 8420;
-    FRONTEND_URL = process.env.SUPATEST_FRONTEND_URL || "https://code.supatest.ai";
-    API_URL = process.env.SUPATEST_API_URL || "https://code-api.supatest.ai";
-    CALLBACK_TIMEOUT_MS2 = 3e5;
-    STATE_LENGTH = 32;
+    SECRET_FILE_NAME = "secrets.json";
+    FileSecretStorage = class {
+      secretFilePath;
+      constructor() {
+        const rootDirName = process.env.NODE_ENV === "development" ? ".supatest-dev" : ".supatest";
+        const secretsDir = join8(homedir6(), rootDirName, "claude-auth");
+        this.secretFilePath = join8(secretsDir, SECRET_FILE_NAME);
+      }
+      async ensureDirectoryExists() {
+        const dir = dirname2(this.secretFilePath);
+        await fs4.mkdir(dir, { recursive: true, mode: 448 });
+      }
+      async loadSecrets() {
+        try {
+          const data = await fs4.readFile(this.secretFilePath, "utf-8");
+          const secrets = JSON.parse(data);
+          return new Map(Object.entries(secrets));
+        } catch (error) {
+          const err = error;
+          if (err.code === "ENOENT") {
+            return /* @__PURE__ */ new Map();
+          }
+          try {
+            await fs4.unlink(this.secretFilePath);
+          } catch {
+          }
+          return /* @__PURE__ */ new Map();
+        }
+      }
+      async saveSecrets(secrets) {
+        await this.ensureDirectoryExists();
+        const data = Object.fromEntries(secrets);
+        const json = JSON.stringify(data, null, 2);
+        await fs4.writeFile(this.secretFilePath, json, { mode: 384 });
+      }
+      async getSecret(key) {
+        const secrets = await this.loadSecrets();
+        return secrets.get(key) ?? null;
+      }
+      async setSecret(key, value) {
+        const secrets = await this.loadSecrets();
+        secrets.set(key, value);
+        await this.saveSecrets(secrets);
+      }
+      async deleteSecret(key) {
+        const secrets = await this.loadSecrets();
+        if (!secrets.has(key)) {
+          return false;
+        }
+        secrets.delete(key);
+        if (secrets.size === 0) {
+          try {
+            await fs4.unlink(this.secretFilePath);
+          } catch (error) {
+            const err = error;
+            if (err.code !== "ENOENT") {
+              throw error;
+            }
+          }
+        } else {
+          await this.saveSecrets(secrets);
+        }
+        return true;
+      }
+      async listSecrets() {
+        const secrets = await this.loadSecrets();
+        return Array.from(secrets.keys());
+      }
+    };
+    storage = new FileSecretStorage();
   }
 });
 
@@ -13321,7 +13321,7 @@ var init_InputPrompt = __esm({
           }
           return /* @__PURE__ */ React24.createElement(Text19, { color: theme.text.primary, key: idx }, line);
         })), !hasContent && disabled && /* @__PURE__ */ React24.createElement(Text19, { color: theme.text.dim, italic: true }, "Waiting for agent to complete...")))
-      ), /* @__PURE__ */ React24.createElement(Box21, { justifyContent: "space-between", paddingX: 1 }, /* @__PURE__ */ React24.createElement(Box21, { gap: 2 }, /* @__PURE__ */ React24.createElement(Box21, null, /* @__PURE__ */ React24.createElement(Text19, { color: agentMode === "plan" ? theme.status.inProgress : theme.text.dim }, agentMode === "plan" ? "\u23F8 plan" : "\u25B6 build"), /* @__PURE__ */ React24.createElement(Text19, { color: theme.text.dim }, " (shift+tab)")), /* @__PURE__ */ React24.createElement(Box21, null, /* @__PURE__ */ React24.createElement(Text19, { color: theme.text.dim }, "model:"), /* @__PURE__ */ React24.createElement(Text19, { color: theme.text.info }, getModelDisplayName(selectedModel)), /* @__PURE__ */ React24.createElement(Text19, { color: theme.text.dim }, " (Cost: "), /* @__PURE__ */ React24.createElement(Text19, { color: theme.text.info }, getModelCostLabel(selectedModel)), /* @__PURE__ */ React24.createElement(Text19, { color: theme.text.dim }, ") (ctrl+shift+m)"))), /* @__PURE__ */ React24.createElement(Box21, null, /* @__PURE__ */ React24.createElement(Text19, { color: usageStats && usageStats.contextPct >= 90 ? theme.text.error : usageStats && usageStats.contextPct >= 75 ? theme.text.warning : theme.text.dim }, usageStats?.contextPct ?? 0, "% context used"), /* @__PURE__ */ React24.createElement(Text19, { color: theme.text.dim }, " ", "(", usageStats ? usageStats.inputTokens >= 1e3 ? `${(usageStats.inputTokens / 1e3).toFixed(1)}K` : usageStats.inputTokens : 0, " / ", usageStats ? usageStats.contextWindow >= 1e3 ? `${(usageStats.contextWindow / 1e3).toFixed(0)}K` : usageStats.contextWindow : "200K", ")"))));
+      ), /* @__PURE__ */ React24.createElement(Box21, { justifyContent: "space-between", paddingX: 1 }, /* @__PURE__ */ React24.createElement(Box21, { gap: 2 }, /* @__PURE__ */ React24.createElement(Box21, null, /* @__PURE__ */ React24.createElement(Text19, { color: agentMode === "plan" ? theme.status.inProgress : theme.text.dim }, agentMode === "plan" ? "\u23F8 plan" : "\u25B6 build"), /* @__PURE__ */ React24.createElement(Text19, { color: theme.text.dim }, " (shift+tab)")), /* @__PURE__ */ React24.createElement(Box21, null, /* @__PURE__ */ React24.createElement(Text19, { color: theme.text.dim }, "model:"), /* @__PURE__ */ React24.createElement(Text19, { color: theme.text.info }, getModelDisplayName(selectedModel)), /* @__PURE__ */ React24.createElement(Text19, { color: theme.text.dim }, " (Cost: "), /* @__PURE__ */ React24.createElement(Text19, { color: theme.text.info }, getModelCostLabel(selectedModel)), /* @__PURE__ */ React24.createElement(Text19, { color: theme.text.dim }, ") (ctrl+shift+m)")))));
     });
     InputPromptInner.displayName = "InputPromptInner";
     InputPrompt = memo3(InputPromptInner);
@@ -13616,12 +13616,9 @@ var init_ProviderSelector = __esm({
     ProviderSelector = ({
       currentProvider,
       onSelect,
-      onCancel,
-      claudeMaxAvailable
+      onCancel
     }) => {
-      const availableProviders = PROVIDERS.filter(
-        (p) => p.id !== "claude-max" || claudeMaxAvailable
-      );
+      const availableProviders = PROVIDERS;
       const currentIndex = availableProviders.findIndex(
         (p) => p.id === currentProvider
       );
@@ -14168,7 +14165,6 @@ var init_App = __esm({
             return;
           }
           if (command === "/provider") {
-            isClaudeMaxAvailable().then(setClaudeMaxAvailable);
             setShowProviderSelector(true);
             return;
           }
@@ -14683,7 +14679,6 @@ var init_App = __esm({
         showProviderSelector && /* @__PURE__ */ React31.createElement(
           ProviderSelector,
           {
-            claudeMaxAvailable,
             currentProvider: llmProvider,
             onCancel: handleProviderSelectorCancel,
             onSelect: handleProviderSelect
@@ -15351,61 +15346,9 @@ var init_interactive = __esm({
 // src/index.ts
 await init_config();
 init_shared_es();
-import { Command } from "commander";
-
-// src/commands/claude-login.ts
-init_claude_oauth();
-init_secret_storage();
-async function claudeLoginCommand() {
-  const secretStorage = getSecretStorage();
-  const oauthService = new ClaudeOAuthService(secretStorage);
-  const isAuth = await oauthService.isAuthenticated();
-  if (isAuth) {
-    console.log("\u2705 You're already authenticated with Claude.");
-    console.log("\nTo re-authenticate, first run: supatest claude-logout\n");
-    return;
-  }
-  const result = await oauthService.authorize();
-  if (!result.success) {
-    console.error(`
-\u274C Authentication failed: ${result.error}
-`);
-    process.exit(1);
-  }
-}
-async function claudeLogoutCommand() {
-  const secretStorage = getSecretStorage();
-  const oauthService = new ClaudeOAuthService(secretStorage);
-  const isAuth = await oauthService.isAuthenticated();
-  if (!isAuth) {
-    console.log("You're not currently authenticated with Claude.\n");
-    return;
-  }
-  await oauthService.deleteTokens();
-  console.log("\u2705 Successfully logged out from Claude.\n");
-}
-async function claudeStatusCommand() {
-  const secretStorage = getSecretStorage();
-  const oauthService = new ClaudeOAuthService(secretStorage);
-  const status = await oauthService.getStatus();
-  if (status.isAuthenticated) {
-    console.log("\u2705 Authenticated with Claude");
-    if (status.expiresAt) {
-      const expiresDate = new Date(status.expiresAt);
-      console.log(`   Token expires: ${expiresDate.toLocaleString()}`);
-    }
-  } else {
-    console.log("\u274C Not authenticated with Claude");
-    if (status.error) {
-      console.log(`   Error: ${status.error}`);
-    }
-  }
-  console.log();
-}
-
-// src/index.ts
 init_setup();
 await init_config();
+import { Command } from "commander";
 
 // src/modes/headless.ts
 init_api_client();
@@ -15419,7 +15362,7 @@ init_react();
 init_MessageList();
 init_SessionContext();
 import { execSync as execSync2 } from "child_process";
-import { homedir as homedir5 } from "os";
+import { homedir as homedir4 } from "os";
 import { Box as Box13, useApp } from "ink";
 import React14, { useEffect as useEffect2, useRef as useRef4, useState as useState3 } from "react";
 var getGitBranch = () => {
@@ -15431,7 +15374,7 @@ var getGitBranch = () => {
 };
 var getCurrentFolder = () => {
   const cwd = process.cwd();
-  const home = homedir5();
+  const home = homedir4();
   if (cwd.startsWith(home)) {
     return `~${cwd.slice(home.length)}`;
   }
@@ -15678,7 +15621,7 @@ async function runAgent(config2) {
 // src/utils/auto-update.ts
 init_version();
 init_error_logger();
-import { execSync as execSync3, spawn as spawn3 } from "child_process";
+import { execSync as execSync3, spawn as spawn2 } from "child_process";
 import latestVersion from "latest-version";
 import { gt } from "semver";
 var UPDATE_CHECK_TIMEOUT = 3e3;
@@ -15719,8 +15662,24 @@ Updating Supatest CLI ${CLI_VERSION} \u2192 ${latest}...`);
           timeout: INSTALL_TIMEOUT
         });
       }
+      let updateVerified = false;
+      try {
+        const installedVersion = execSync3("npm ls -g @supatest/cli --json 2>/dev/null", {
+          encoding: "utf-8"
+        });
+        const parsed = JSON.parse(installedVersion);
+        const newVersion = parsed.dependencies?.["@supatest/cli"]?.version;
+        if (newVersion && gt(newVersion, CLI_VERSION)) {
+          updateVerified = true;
+        }
+      } catch {
+      }
+      if (!updateVerified) {
+        console.log("Update completed but could not verify new version. Continuing with current version...\n");
+        return;
+      }
       console.log("\u2713 Updated successfully\n");
-      const child = spawn3(process.argv[0], process.argv.slice(1), {
+      const child = spawn2(process.argv[0], process.argv.slice(1), {
         stdio: "inherit",
         detached: false
       });
@@ -16005,33 +15964,6 @@ program.command("setup").description("Check prerequisites and set up required to
     process.exit(1);
   }
 });
-program.command("claude-login").description("Authenticate with Claude using OAuth (uses your Claude Pro/Max subscription)").action(async () => {
-  try {
-    await claudeLoginCommand();
-  } catch (error) {
-    logError(error, { source: "claude-login" });
-    logger.error(`Claude login failed: ${error instanceof Error ? error.message : String(error)}`);
-    process.exit(1);
-  }
-});
-program.command("claude-logout").description("Sign out from Claude OAuth").action(async () => {
-  try {
-    await claudeLogoutCommand();
-  } catch (error) {
-    logError(error, { source: "claude-logout" });
-    logger.error(`Claude logout failed: ${error instanceof Error ? error.message : String(error)}`);
-    process.exit(1);
-  }
-});
-program.command("claude-status").description("Show Claude OAuth authentication status").action(async () => {
-  try {
-    await claudeStatusCommand();
-  } catch (error) {
-    logError(error, { source: "claude-status" });
-    logger.error(`Claude status check failed: ${error instanceof Error ? error.message : String(error)}`);
-    process.exit(1);
-  }
-});
 var filteredArgv = process.argv.filter((arg, index) => {
   return !(arg === "--" && index > 1);
 });