@textcortex/zenocode 0.1.9 → 0.1.10

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@textcortex/zenocode",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "description": "Secure, EU-hosted coding agent for TextCortex customers that runs in your terminal, edits files, runs scripts, and more.",
   "keywords": [
     "ai",

package/scripts/build-branded-opencode.mjs

@@ -237,6 +237,14 @@ async function packPackage(packageDir) {
   return path.join(packageDir, tarballs[tarballs.length - 1]);
 }
 
+export function buildPublishCommandArgs(tarballPath, { tag } = {}) {
+  const args = ["publish", tarballPath, "--access", "public"];
+  if (tag) {
+    args.push("--tag", tag);
+  }
+  return args;
+}
+
 async function publishTarballIfNeeded(packageName, version, tarballPath, cwd) {
   if (!publishEnabled) return { published: false, skipped: false };
 
@@ -254,11 +262,7 @@ async function publishTarballIfNeeded(packageName, version, tarballPath, cwd) {
   }
 
   const npmCommand = _command("npm");
-  await run(
-    npmCommand,
-    ["publish", tarballPath, "--access", "public", "--tag", publishTag, "--provenance"],
-    { cwd },
-  );
+  await run(npmCommand, buildPublishCommandArgs(tarballPath, { tag: publishTag }), { cwd });
   return { published: true, skipped: false };
 }
 

package/scripts/build-branded-opencode.test.mjs

@@ -1,6 +1,7 @@
 import assert from "node:assert/strict";
 import test from "node:test";
 import {
+  buildPublishCommandArgs,
   buildWrapperBinMap,
   mapBrandedBinaryPackageName,
 } from "./build-branded-opencode.mjs";
@@ -23,3 +24,23 @@ test("buildWrapperBinMap includes package, opencode, and zenocode entrypoints",
     zenocode: "./bin/opencode",
   });
 });
+
+test("buildPublishCommandArgs omits npm provenance for runtime tarball publishing", () => {
+  assert.deepEqual(buildPublishCommandArgs("package.tgz", { tag: "latest" }), [
+    "publish",
+    "package.tgz",
+    "--access",
+    "public",
+    "--tag",
+    "latest",
+  ]);
+});
+
+test("buildPublishCommandArgs omits tag arguments when no tag is provided", () => {
+  assert.deepEqual(buildPublishCommandArgs("package.tgz"), [
+    "publish",
+    "package.tgz",
+    "--access",
+    "public",
+  ]);
+});

package/scripts/run-zenocode.mjs

@@ -31,6 +31,7 @@ const modelsPath = path.join(runtimeDir, "models.json");
 const configPath = path.join(runtimeDir, "opencode.jsonc");
 const localBaseUrlDefault = "http://127.0.0.1:8080";
 const cloudBaseUrlDefault = "https://api.textcortex.com";
+const localBaseUrlFlags = new Set(["--local", "--localhost"]);
 
 const providerID = "textcortex";
 const configuredOpencodePackage =
@@ -492,6 +493,15 @@ function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
 
+export function hasLocalBaseUrlFlag(args = []) {
+  const normalizedArgs = args[0] === "--" ? args.slice(1) : args;
+  return normalizedArgs.some((arg) => localBaseUrlFlags.has(arg));
+}
+
+function stripLocalBaseUrlFlags(args = []) {
+  return args.filter((arg) => !localBaseUrlFlags.has(arg));
+}
+
 async function parseLoginArgs(args) {
   const normalizedArgs = args[0] === "--" ? args.slice(1) : args;
   let emailHint = process.env.TEXTCORTEX_LOGIN_EMAIL || null;
@@ -499,6 +509,9 @@ async function parseLoginArgs(args) {
 
   for (let idx = 0; idx < normalizedArgs.length; idx += 1) {
     const arg = normalizedArgs[idx];
+    if (localBaseUrlFlags.has(arg)) {
+      continue;
+    }
     if (arg === "--no-launch-browser") {
       launchBrowser = false;
       continue;
@@ -515,6 +528,7 @@ async function parseLoginArgs(args) {
     if (arg === "--help" || arg === "-h") {
       console.log("Zenocode login options:");
       console.log("  --email <address>      Optional email hint for tenant/SSO routing");
+      console.log(`  --local                Use the local FastAPI backend at ${localBaseUrlDefault}`);
       console.log("  --no-launch-browser    Do not open browser automatically");
       process.exit(0);
     }
@@ -543,10 +557,29 @@ function isLoginRouteNotFoundError(error) {
   return message.includes("Login initiate failed (404)");
 }
 
+export function shouldFallbackLoginToCloud({ baseUrl, hasExplicitBaseUrl, error }) {
+  if (hasExplicitBaseUrl || baseUrl !== localBaseUrlDefault) {
+    return false;
+  }
+
+  return isFetchFailedError(error) || isLoginRouteNotFoundError(error);
+}
+
+export function resolveTextCortexBaseUrl({
+  envBaseUrl,
+  storedBaseUrl,
+  preferLocalhost = false,
+} = {}) {
+  if (preferLocalhost) {
+    return localBaseUrlDefault;
+  }
+  return envBaseUrl || storedBaseUrl || cloudBaseUrlDefault;
+}
+
 function _loginConnectivityHelp(baseUrl) {
   return [
     `Cannot reach Zenocode auth endpoint at ${baseUrl}.`,
-    "Run local backend FastAPI (`cd backend && uv run dev_fastapi`) or set TEXTCORTEX_BASE_URL to a reachable backend API.",
+    `Set TEXTCORTEX_BASE_URL to ${cloudBaseUrlDefault} or, for local development, run local backend FastAPI (\`cd backend && uv run dev_fastapi\`).`,
   ].join(" ");
 }
 
@@ -655,18 +688,20 @@ async function saveRuntimeCredentials(baseUrl, tokenData) {
   await clearLogoutMarker();
 }
 
-async function runLoginCommand(baseUrl, args) {
+async function runLoginCommand(baseUrl, args, options = {}) {
+  const preferLocalhost = options.preferLocalhost === true;
   const { emailHint, launchBrowser } = await parseLoginArgs(args);
-  let resolvedBaseUrl = baseUrl;
+  let resolvedBaseUrl = preferLocalhost ? localBaseUrlDefault : baseUrl;
   let login;
   try {
     login = await initiateDeviceLogin(resolvedBaseUrl, emailHint);
   } catch (error) {
-    if (
-      !process.env.TEXTCORTEX_BASE_URL &&
-      resolvedBaseUrl === localBaseUrlDefault &&
-      isFetchFailedError(error)
-    ) {
+    if (shouldFallbackLoginToCloud({
+      baseUrl: resolvedBaseUrl,
+      hasExplicitBaseUrl:
+        Boolean(process.env.TEXTCORTEX_BASE_URL) || preferLocalhost,
+      error,
+    })) {
       resolvedBaseUrl = cloudBaseUrlDefault;
       console.log(
         `Local backend not reachable at ${localBaseUrlDefault}. Falling back to ${cloudBaseUrlDefault}.`,
@@ -1225,6 +1260,7 @@ export async function runRuntimeWithSessionRecovery({
   token,
   childOptions,
   canAutoLoginRuntime,
+  preferLocalhost = false,
   refreshTokenFn = refreshStoredCredentials,
   runLogin = runLoginCommand,
   resolveTokenFn = resolveToken,
@@ -1283,9 +1319,16 @@ export async function runRuntimeWithSessionRecovery({
     }
 
     console.log("Zenocode session expired. Starting login flow...\n");
-    await runLogin(activeBaseUrl, buildAutoLoginArgs());
+    await runLogin(activeBaseUrl, buildAutoLoginArgs({ preferLocalhost }), {
+      preferLocalhost,
+    });
     activeToken = await resolveTokenFn();
-    activeBaseUrl = process.env.TEXTCORTEX_BASE_URL || (await resolveStoredBaseUrlFn()) || activeBaseUrl;
+    activeBaseUrl =
+      resolveTextCortexBaseUrl({
+        envBaseUrl: process.env.TEXTCORTEX_BASE_URL,
+        storedBaseUrl: await resolveStoredBaseUrlFn(),
+        preferLocalhost,
+      }) || activeBaseUrl;
     await prepareRuntimeFn(activeBaseUrl, activeToken);
     const retryDelayMs = Math.min(
       Math.max(recoveryDelayMs, 0) * recoveryAttempts,
@@ -1366,11 +1409,18 @@ function maybeRenderBanner(args) {
   console.log(`${buildZenocodeBanner()}\n`);
 }
 
-function buildAutoLoginArgs() {
-  return process.env.ZENOCODE_AUTO_LOGIN_NO_BROWSER === "1" ||
+function buildAutoLoginArgs({ preferLocalhost = false } = {}) {
+  const loginArgs = [];
+  if (preferLocalhost) {
+    loginArgs.push("--local");
+  }
+  if (
+    process.env.ZENOCODE_AUTO_LOGIN_NO_BROWSER === "1" ||
     process.env.CODECORTEX_AUTO_LOGIN_NO_BROWSER === "1"
-    ? ["--no-launch-browser"]
-    : [];
+  ) {
+    loginArgs.push("--no-launch-browser");
+  }
+  return loginArgs;
 }
 
 function isMissingTokenError(error) {
@@ -1443,7 +1493,8 @@ function shouldAttemptAutoLogin(error, args) {
   return canAutoLogin(args);
 }
 
-async function resolveTokenWithAutoLogin(baseUrl, args) {
+async function resolveTokenWithAutoLogin(baseUrl, args, options = {}) {
+  const preferLocalhost = options.preferLocalhost === true;
   try {
     const token = await resolveToken();
     return { token, baseUrl };
@@ -1453,14 +1504,21 @@ async function resolveTokenWithAutoLogin(baseUrl, args) {
     }
 
     console.log("No local Zenocode credentials found. Starting login flow...\n");
-    await runLoginCommand(baseUrl, buildAutoLoginArgs());
+    await runLoginCommand(baseUrl, buildAutoLoginArgs({ preferLocalhost }), {
+      preferLocalhost,
+    });
     const token = await resolveToken();
-    const persistedBaseUrl = process.env.TEXTCORTEX_BASE_URL || (await resolveStoredBaseUrl()) || baseUrl;
+    const persistedBaseUrl = resolveTextCortexBaseUrl({
+      envBaseUrl: process.env.TEXTCORTEX_BASE_URL,
+      storedBaseUrl: await resolveStoredBaseUrl(),
+      preferLocalhost,
+    });
     return { token, baseUrl: persistedBaseUrl };
   }
 }
 
-async function prepareRuntimeWithAutoLogin(baseUrl, token, args) {
+async function prepareRuntimeWithAutoLogin(baseUrl, token, args, options = {}) {
+  const preferLocalhost = options.preferLocalhost === true;
   try {
     const model = await prepareRuntime(baseUrl, token);
     return { model, token, baseUrl };
@@ -1484,9 +1542,15 @@ async function prepareRuntimeWithAutoLogin(baseUrl, token, args) {
     }
 
     console.log("Zenocode session expired. Starting login flow...\n");
-    await runLoginCommand(baseUrl, buildAutoLoginArgs());
+    await runLoginCommand(baseUrl, buildAutoLoginArgs({ preferLocalhost }), {
+      preferLocalhost,
+    });
     const refreshedToken = await resolveToken();
-    const refreshedBaseUrl = process.env.TEXTCORTEX_BASE_URL || (await resolveStoredBaseUrl()) || baseUrl;
+    const refreshedBaseUrl = resolveTextCortexBaseUrl({
+      envBaseUrl: process.env.TEXTCORTEX_BASE_URL,
+      storedBaseUrl: await resolveStoredBaseUrl(),
+      preferLocalhost,
+    });
     const model = await prepareRuntime(refreshedBaseUrl, refreshedToken);
     return { model, token: refreshedToken, baseUrl: refreshedBaseUrl };
   }
@@ -1503,12 +1567,18 @@ async function main() {
     passthrough.shift();
   }
 
+  const preferLocalhost = hasLocalBaseUrlFlag(passthrough);
+  const runtimeArgs = stripLocalBaseUrlFlags(passthrough);
   const storedBaseUrl = await resolveStoredBaseUrl();
-  const baseUrl = process.env.TEXTCORTEX_BASE_URL || storedBaseUrl || localBaseUrlDefault;
-  const subcommand = passthrough[0];
+  const baseUrl = resolveTextCortexBaseUrl({
+    envBaseUrl: process.env.TEXTCORTEX_BASE_URL,
+    storedBaseUrl,
+    preferLocalhost,
+  });
+  const subcommand = runtimeArgs[0];
 
   if (subcommand === "login") {
-    await runLoginCommand(baseUrl, passthrough.slice(1));
+    await runLoginCommand(baseUrl, runtimeArgs.slice(1), { preferLocalhost });
     return;
   }
 
@@ -1517,12 +1587,15 @@ async function main() {
     return;
   }
 
-  maybeRenderBanner(passthrough);
-  const tokenResolution = await resolveTokenWithAutoLogin(baseUrl, passthrough);
+  maybeRenderBanner(runtimeArgs);
+  const tokenResolution = await resolveTokenWithAutoLogin(baseUrl, runtimeArgs, {
+    preferLocalhost,
+  });
   const runtime = await prepareRuntimeWithAutoLogin(
     tokenResolution.baseUrl,
     tokenResolution.token,
-    passthrough,
+    runtimeArgs,
+    { preferLocalhost },
   );
   const token = runtime.token;
   const model = runtime.model;
@@ -1539,14 +1612,15 @@ async function main() {
       TEXTCORTEX_API_KEY: token,
     },
   };
-  const monitorRuntimeSession = canAutoLogin(passthrough);
+  const monitorRuntimeSession = canAutoLogin(runtimeArgs);
 
   if (opencodeBinaryPath) {
     const result = await runRuntimeWithSessionRecovery({
-      args: passthrough,
+      args: runtimeArgs,
       baseUrl: runtime.baseUrl,
       token,
       childOptions,
+      preferLocalhost,
       canAutoLoginRuntime: monitorRuntimeSession,
       launchRuntimeFn: ({ args, childOptions }) =>
         runRuntimeBinary(opencodeBinaryPath, args, childOptions, monitorRuntimeSession),
@@ -1559,10 +1633,11 @@ async function main() {
   const pinnedRuntimePath = await resolvePinnedRuntimeBinary(launchPackage, childOptions);
   if (pinnedRuntimePath) {
     const result = await runRuntimeWithSessionRecovery({
-      args: passthrough,
+      args: runtimeArgs,
       baseUrl: runtime.baseUrl,
       token,
       childOptions,
+      preferLocalhost,
       canAutoLoginRuntime: monitorRuntimeSession,
       launchRuntimeFn: ({ args, childOptions }) =>
         runRuntimeBinary(pinnedRuntimePath, args, childOptions, monitorRuntimeSession),
@@ -1570,7 +1645,7 @@ async function main() {
     exitWithChildResult(result);
     return;
   }
-  await runPackageLauncher(launchPackage, passthrough, childOptions);
+  await runPackageLauncher(launchPackage, runtimeArgs, childOptions);
 }
 
 const resolveExecutablePath = (value) => {

package/scripts/run-zenocode.test.mjs

@@ -15,8 +15,11 @@ import {
   canRecoverRuntimeSessionFromTranscript,
   buildZenocodeBanner,
   chooseDefaults,
+  hasLocalBaseUrlFlag,
   resolveLoginSuccessIdentifier,
+  resolveTextCortexBaseUrl,
   runRuntimeWithSessionRecovery,
+  shouldFallbackLoginToCloud,
   writePrivateJsonFile,
 } from "./run-zenocode.mjs";
 
@@ -33,6 +36,65 @@ test("chooseDefaults prefers kimi k2.5 thinking for Zenocode", () => {
   });
 });
 
+test("resolveTextCortexBaseUrl defaults to the cloud API for packaged usage", () => {
+  assert.equal(
+    resolveTextCortexBaseUrl({
+      envBaseUrl: "",
+      storedBaseUrl: null,
+    }),
+    "https://api.textcortex.com",
+  );
+});
+
+test("resolveTextCortexBaseUrl prefers the explicit env var over stored credentials", () => {
+  assert.equal(
+    resolveTextCortexBaseUrl({
+      envBaseUrl: "https://staging.textcortex.com",
+      storedBaseUrl: "http://127.0.0.1:8080",
+    }),
+    "https://staging.textcortex.com",
+  );
+});
+
+test("resolveTextCortexBaseUrl prefers localhost when the local flag is enabled", () => {
+  assert.equal(
+    resolveTextCortexBaseUrl({
+      envBaseUrl: "https://staging.textcortex.com",
+      storedBaseUrl: "https://api.textcortex.com",
+      preferLocalhost: true,
+    }),
+    "http://127.0.0.1:8080",
+  );
+});
+
+test("hasLocalBaseUrlFlag detects localhost flags", () => {
+  assert.equal(hasLocalBaseUrlFlag(["login", "--local"]), true);
+  assert.equal(hasLocalBaseUrlFlag(["--localhost", "run"]), true);
+  assert.equal(hasLocalBaseUrlFlag(["run", "--help"]), false);
+});
+
+test("shouldFallbackLoginToCloud retries the cloud API when the local auth route returns 404", () => {
+  assert.equal(
+    shouldFallbackLoginToCloud({
+      baseUrl: "http://127.0.0.1:8080",
+      hasExplicitBaseUrl: false,
+      error: new Error("Login initiate failed (404): not found"),
+    }),
+    true,
+  );
+});
+
+test("shouldFallbackLoginToCloud does not override an explicit base URL", () => {
+  assert.equal(
+    shouldFallbackLoginToCloud({
+      baseUrl: "http://127.0.0.1:8080",
+      hasExplicitBaseUrl: true,
+      error: new Error("fetch failed"),
+    }),
+    false,
+  );
+});
+
 test("buildOpenCodeConfig includes an openai stub for fallback runtime auth plugins", () => {
   const config = buildOpenCodeConfig({
     baseUrl: "http://127.0.0.1:8080",
@@ -253,6 +315,61 @@ test("runRuntimeWithSessionRecovery refreshes stored credentials before forcing
   assert.deepEqual(result, { code: 0, signal: null, expiredSession: false });
 });
 
+test("runRuntimeWithSessionRecovery preserves explicit localhost preference during login recovery", async () => {
+  const events = [];
+  let launchCount = 0;
+
+  const result = await runRuntimeWithSessionRecovery({
+    args: ["run"],
+    baseUrl: "http://127.0.0.1:8080",
+    token: "token-1",
+    childOptions: {
+      cwd: process.cwd(),
+      env: {},
+    },
+    canAutoLoginRuntime: true,
+    preferLocalhost: true,
+    refreshTokenFn: async (baseUrl) => {
+      events.push(["refresh", baseUrl]);
+      throw new Error("refresh failed");
+    },
+    runLogin: async (baseUrl, loginArgs, options) => {
+      events.push(["login", baseUrl, loginArgs, options]);
+    },
+    resolveTokenFn: async () => {
+      events.push(["resolve-token"]);
+      return "token-2";
+    },
+    resolveStoredBaseUrlFn: async () => {
+      events.push(["resolve-base-url"]);
+      return "https://api.textcortex.com";
+    },
+    prepareRuntimeFn: async (baseUrl, token) => {
+      events.push(["prepare", baseUrl, token]);
+      return "kimi-k2-5-thinking";
+    },
+    launchRuntimeFn: async ({ childOptions }) => {
+      launchCount += 1;
+      events.push(["launch", launchCount, childOptions.env.TEXTCORTEX_API_KEY]);
+      if (launchCount === 1) {
+        return { expiredSession: true };
+      }
+      return { code: 0, signal: null, expiredSession: false };
+    },
+  });
+
+  assert.deepEqual(events, [
+    ["launch", 1, "token-1"],
+    ["refresh", "http://127.0.0.1:8080"],
+    ["login", "http://127.0.0.1:8080", ["--local"], { preferLocalhost: true }],
+    ["resolve-token"],
+    ["resolve-base-url"],
+    ["prepare", "http://127.0.0.1:8080", "token-2"],
+    ["launch", 2, "token-2"],
+  ]);
+  assert.deepEqual(result, { code: 0, signal: null, expiredSession: false });
+});
+
 test("runRuntimeWithSessionRecovery stops after repeated recovery failures", async () => {
   const events = [];
   let launchCount = 0;