@useorgx/wizard 0.1.8 → 0.1.9

package/README.md

@@ -22,7 +22,7 @@ For local development, use `pnpm dev -- --help`.
 - `plugins list` shows companion plugin availability and install status for Claude Code, Codex, and OpenClaw.
 - `plugins add [target...]` installs the managed OrgX companion plugins into Claude Code, Codex, and/or OpenClaw. Claude Code and Codex plugins carry their own OrgX skills, so they become the source of truth for those hosts.
 - `plugins remove [target...]` uninstalls the managed OrgX companion plugins from Claude Code, Codex, and/or OpenClaw.
-- `doctor` verifies local config, hosted MCP reachability, an authenticated hosted MCP `get_setup_status` tool call when OrgX user auth is configured, npm registry readiness, current-workspace connectivity, local OpenClaw health, and optionally the remote setup status API. It exits non-zero when blocking connectivity issues remain.
+- `doctor` verifies local config, hosted MCP reachability, npm registry readiness, current-workspace connectivity, local OpenClaw health, and optionally the remote setup status API. Hosted MCP tools are OAuth-scoped inside the client connector, so the wizard does not preflight them with `oxk_` API keys. It exits non-zero when blocking connectivity issues remain.
 - `auth status` shows the resolved OrgX API key source and verifies it against `POST /api/client/sync`.
 - `auth login [--base-url <url>]` starts browser pairing against OrgX, waits for approval, saves the returned per-user key to the wizard auth store, and bootstraps OpenClaw auth if OpenClaw is detected. Use `--api-key <oxk_...>` for CI or blocked-browser fallback.
 - `auth set-key <oxk_...> [--base-url <url>]` verifies a per-user OrgX key, saves it to the wizard auth store, and bootstraps OpenClaw auth if OpenClaw is detected.
@@ -40,7 +40,7 @@ For local development, use `pnpm dev -- --help`.
 
 - The wizard uses per-user `oxk_...` keys for auth verification and local bootstrap. `auth login` now prefers secure browser pairing and falls back to direct key entry with `--api-key`.
 - When `keytar` is available, the wizard stores the raw API key in the system keychain and keeps only metadata in `auth.json`. If `keytar` is unavailable or disabled, it falls back to file-backed storage in `auth.json`.
-- `doctor` always checks `https://mcp.useorgx.com/health` and, when user auth is configured, initializes an authenticated MCP session against `https://mcp.useorgx.com/mcp` and calls `get_setup_status` before resolving the current workspace through the OrgX API.
+- `doctor` always checks `https://mcp.useorgx.com/health` and resolves the current workspace through the OrgX API. Hosted MCP tool calls are verified by the configured client connector after its OAuth flow completes, not by the wizard's per-user `oxk_` key.
 - `doctor` also checks npm registry reachability for `@useorgx/wizard` and reports whether the package is already published.
 - Remote setup status is separate: `doctor` checks `/api/setup/status` only when `ORGX_SERVICE_KEY` is present because that endpoint is still service-key-only.
 - Auth resolution order is `ORGX_API_KEY`, then the wizard auth store, then OpenClaw config.

package/dist/cli.js

@@ -940,6 +940,7 @@ function parseOnboardingTask(value) {
     ...isNonEmptyString2(record.initiativeId) ? { initiativeId: record.initiativeId.trim() } : {},
     ...isNonEmptyString2(record.status) ? { status: record.status.trim() } : {},
     title: record.title.trim(),
+    ...isNonEmptyString2(record.workstreamId) ? { workstreamId: record.workstreamId.trim() } : {},
     ...isNonEmptyString2(record.workspaceId) ? { workspaceId: record.workspaceId.trim() } : {},
     ...isNonEmptyString2(record.workspaceName) ? { workspaceName: record.workspaceName.trim() } : {}
   };
@@ -1239,39 +1240,6 @@ async function checkHostedMcpHealth() {
 
 // src/lib/hosted-mcp-tool-check.ts
 var DEFAULT_TOOL_NAME = "get_setup_status";
-function buildHeaders(apiKey, sessionId) {
-  const headers = {
-    Authorization: `Bearer ${apiKey}`,
-    "Content-Type": "application/json",
-    Accept: "application/json, text/event-stream"
-  };
-  if (sessionId) {
-    headers["Mcp-Session-Id"] = sessionId;
-  }
-  return headers;
-}
-async function readJsonSafe(response) {
-  const text2 = await response.text();
-  if (!text2) return null;
-  try {
-    return JSON.parse(text2);
-  } catch {
-    return text2;
-  }
-}
-function readJsonRpcError(payload) {
-  if (!payload || typeof payload !== "object") {
-    return void 0;
-  }
-  const maybeError = payload.error;
-  if (!maybeError || typeof maybeError !== "object") {
-    return void 0;
-  }
-  return typeof maybeError.message === "string" ? maybeError.message : "Unknown MCP JSON-RPC error.";
-}
-function readSessionId(response) {
-  return response.headers.get("mcp-session-id") ?? response.headers.get("Mcp-Session-Id") ?? void 0;
-}
 async function checkHostedMcpToolAccess(options = {}, toolName = DEFAULT_TOOL_NAME) {
   const auth = await resolveOrgxAuth(options);
   if (!auth) {
@@ -1286,157 +1254,20 @@ async function checkHostedMcpToolAccess(options = {}, toolName = DEFAULT_TOOL_NA
       details: []
     };
   }
-  try {
-    const initializeResponse = await fetch(ORGX_HOSTED_MCP_URL, {
-      method: "POST",
-      headers: buildHeaders(auth.apiKey),
-      body: JSON.stringify({
-        jsonrpc: "2.0",
-        id: 1,
-        method: "initialize",
-        params: {
-          protocolVersion: "2024-11-05",
-          clientInfo: {
-            name: "orgx-wizard",
-            version: "0.1.0"
-          },
-          capabilities: {}
-        }
-      }),
-      signal: AbortSignal.timeout(1e4)
-    });
-    const initializePayload = await readJsonSafe(initializeResponse);
-    const initializeError = readJsonRpcError(initializePayload);
-    const sessionId = readSessionId(initializeResponse);
-    if (!initializeResponse.ok) {
-      return {
-        configured: true,
-        ok: false,
-        skipped: false,
-        source: auth.source,
-        toolName,
-        url: ORGX_HOSTED_MCP_URL,
-        baseUrl: auth.baseUrl,
-        initializeStatus: initializeResponse.status,
-        error: `MCP initialize failed with HTTP ${initializeResponse.status}.`,
-        details: [`auth source: ${auth.source}`],
-        response: initializePayload
-      };
-    }
-    if (initializeError) {
-      return {
-        configured: true,
-        ok: false,
-        skipped: false,
-        source: auth.source,
-        toolName,
-        url: ORGX_HOSTED_MCP_URL,
-        baseUrl: auth.baseUrl,
-        initializeStatus: initializeResponse.status,
-        error: `MCP initialize returned JSON-RPC error: ${initializeError}`,
-        details: [`auth source: ${auth.source}`],
-        response: initializePayload
-      };
-    }
-    if (!sessionId) {
-      return {
-        configured: true,
-        ok: false,
-        skipped: false,
-        source: auth.source,
-        toolName,
-        url: ORGX_HOSTED_MCP_URL,
-        baseUrl: auth.baseUrl,
-        initializeStatus: initializeResponse.status,
-        error: "MCP initialize succeeded but no Mcp-Session-Id header was returned.",
-        details: [`auth source: ${auth.source}`],
-        response: initializePayload
-      };
-    }
-    const callResponse = await fetch(ORGX_HOSTED_MCP_URL, {
-      method: "POST",
-      headers: buildHeaders(auth.apiKey, sessionId),
-      body: JSON.stringify({
-        jsonrpc: "2.0",
-        id: 2,
-        method: "tools/call",
-        params: {
-          name: toolName,
-          arguments: {}
-        }
-      }),
-      signal: AbortSignal.timeout(1e4)
-    });
-    const callPayload = await readJsonSafe(callResponse);
-    const callError = readJsonRpcError(callPayload);
-    if (!callResponse.ok) {
-      return {
-        configured: true,
-        ok: false,
-        skipped: false,
-        source: auth.source,
-        toolName,
-        url: ORGX_HOSTED_MCP_URL,
-        baseUrl: auth.baseUrl,
-        initializeStatus: initializeResponse.status,
-        callStatus: callResponse.status,
-        error: `MCP tool call failed with HTTP ${callResponse.status}.`,
-        details: [
-          `auth source: ${auth.source}`,
-          `session established: ${sessionId}`
-        ],
-        response: callPayload
-      };
-    }
-    if (callError) {
-      return {
-        configured: true,
-        ok: false,
-        skipped: false,
-        source: auth.source,
-        toolName,
-        url: ORGX_HOSTED_MCP_URL,
-        baseUrl: auth.baseUrl,
-        initializeStatus: initializeResponse.status,
-        callStatus: callResponse.status,
-        error: `MCP tool call returned JSON-RPC error: ${callError}`,
-        details: [
-          `auth source: ${auth.source}`,
-          `session established: ${sessionId}`
-        ],
-        response: callPayload
-      };
-    }
-    return {
-      configured: true,
-      ok: true,
-      skipped: false,
-      source: auth.source,
-      toolName,
-      url: ORGX_HOSTED_MCP_URL,
-      baseUrl: auth.baseUrl,
-      initializeStatus: initializeResponse.status,
-      callStatus: callResponse.status,
-      details: [
-        `auth source: ${auth.source}`,
-        `session established: ${sessionId}`,
-        `tool call: ${toolName}`
-      ],
-      response: callPayload
-    };
-  } catch (error) {
-    return {
-      configured: true,
-      ok: false,
-      skipped: false,
-      source: auth.source,
-      toolName,
-      url: ORGX_HOSTED_MCP_URL,
-      baseUrl: auth.baseUrl,
-      error: error instanceof Error ? error.message : String(error),
-      details: [`auth source: ${auth.source}`]
-    };
-  }
+  return {
+    configured: true,
+    ok: false,
+    skipped: true,
+    source: auth.source,
+    toolName,
+    url: ORGX_HOSTED_MCP_URL,
+    baseUrl: auth.baseUrl,
+    error: "Hosted OrgX MCP uses OAuth; API-key tool verification is skipped.",
+    details: [
+      `auth source: ${auth.source}`,
+      "Hosted OrgX MCP connectors complete OAuth during client setup, so the wizard cannot preflight tools with an oxk_ API key."
+    ]
+  };
 }
 
 // src/lib/npm-registry-health.ts
@@ -1633,7 +1464,7 @@ async function getCurrentWorkspace(options = {}) {
     }
     return workspace;
   }
-  if (response.status === 404) {
+  if (response.status === 401 || response.status === 404) {
     const workspaces = await listWorkspaces(options);
     return workspaces[0] ?? null;
   }
@@ -2334,7 +2165,10 @@ function buildChatgptManualStatus(detection, authHint) {
       "Manual step: in ChatGPT desktop developer mode, add a custom connector pointing at the hosted OrgX MCP URL."
     );
     details.push(
-      "After connecting ChatGPT, run `orgx-wizard doctor` to verify hosted MCP tool access."
+      "ChatGPT completes OAuth during connector setup; the wizard cannot preflight hosted MCP tools with an oxk_ API key."
+    );
+    details.push(
+      "After connecting ChatGPT, run `orgx-wizard doctor` to verify hosted MCP health from this machine."
     );
   } else {
     details.push(
@@ -2369,7 +2203,7 @@ function buildChatgptAddResult(path, authHint, toolCheck) {
       message: `Run \`${AUTH_SETUP_HINT}\` or \`${AUTH_SET_KEY_HINT}\` first, then add ${ORGX_HOSTED_MCP_URL} as a custom connector in ChatGPT developer mode.`
     };
   }
-  if (!toolCheck || !toolCheck.ok) {
+  if (toolCheck && !toolCheck.ok && !toolCheck.skipped) {
     const failure = toolCheck?.error ?? "hosted MCP verification did not complete.";
     return {
       name: "chatgpt",
@@ -2382,7 +2216,7 @@ function buildChatgptAddResult(path, authHint, toolCheck) {
     name: "chatgpt",
     changed: false,
     ...path ? { path } : {},
-    message: `OrgX auth and hosted MCP access are verified. Add ${ORGX_HOSTED_MCP_URL} as a custom connector in ChatGPT developer mode, then run \`${DOCTOR_HINT}\` to confirm \`${toolCheck.toolName}\`.`
+    message: `OrgX auth is ready via ${formatAuthHintSource(authHint)}. Add ${ORGX_HOSTED_MCP_URL} as a custom connector in ChatGPT developer mode; ChatGPT will complete the OAuth flow there. Then run \`${DOCTOR_HINT}\` to verify hosted MCP health from this machine.`
   };
 }
 function buildChatgptRemoveResult(path) {
@@ -2520,8 +2354,7 @@ async function addAutomatedSurface(name) {
       if (!authHint) {
         return buildChatgptAddResult(path, null);
       }
-      const toolCheck = await checkHostedMcpToolAccess();
-      return buildChatgptAddResult(path, authHint, toolCheck);
+      return buildChatgptAddResult(path, authHint);
     }
     default:
       return {
@@ -2827,6 +2660,8 @@ var FOUNDER_DEMO_ARTIFACT_TYPE = "document";
 var FOUNDER_DEMO_ARTIFACT_DESCRIPTION = "Live founder demo generated by @useorgx/wizard after workspace bootstrap completed.";
 var ONBOARDING_TASK_TITLE = "Complete OrgX onboarding";
 var ONBOARDING_TASK_SUMMARY = "Starter onboarding task created by @useorgx/wizard so the first workspace has a clear follow-up after setup.";
+var ONBOARDING_WORKSTREAM_TITLE = "OrgX onboarding";
+var ONBOARDING_WORKSTREAM_SUMMARY = "Starter onboarding workstream created by @useorgx/wizard so the first workspace has a home for setup follow-up tasks.";
 function parseResponseBody3(text2) {
   if (!text2) {
     return null;
@@ -2910,6 +2745,15 @@ function parseTask(payload) {
     ...typeof entity.summary === "string" && entity.summary.trim().length > 0 ? { summary: entity.summary.trim() } : {}
   };
 }
+function parseWorkstream(payload) {
+  const entity = extractEntity(payload);
+  const id = typeof entity.id === "string" ? entity.id.trim() : "";
+  const title = typeof entity.title === "string" ? entity.title.trim() : typeof entity.name === "string" ? entity.name.trim() : "";
+  if (!id || !title) {
+    throw new Error("OrgX returned an incomplete workstream payload.");
+  }
+  return { id, title };
+}
 function toDemoInitiativeRecord(artifact, decision, initiative, liveUrl, workspace) {
   return {
     createdAt: (/* @__PURE__ */ new Date()).toISOString(),
@@ -2927,13 +2771,14 @@ function toDemoInitiativeRecord(artifact, decision, initiative, liveUrl, workspa
     workspaceName: workspace.name
   };
 }
-function toOnboardingTaskRecord(task, workspace, initiativeId) {
+function toOnboardingTaskRecord(task, workspace, options = {}) {
   return {
     createdAt: (/* @__PURE__ */ new Date()).toISOString(),
     id: task.id,
-    ...initiativeId ? { initiativeId } : {},
+    ...options.initiativeId ? { initiativeId: options.initiativeId } : {},
     ...task.status ? { status: task.status } : {},
     title: task.title,
+    ...options.workstreamId ? { workstreamId: options.workstreamId } : {},
     workspaceId: workspace.id,
     workspaceName: workspace.name
   };
@@ -3112,14 +2957,33 @@ async function ensureOnboardingTask(workspace, options = {}) {
       ...existingRecord.status ? { status: existingRecord.status } : {}
     };
   }
+  const initiativeId = options.initiativeId?.trim();
+  if (!initiativeId) {
+    throw new Error(
+      "Starter onboarding task requires an initiative context. Re-run setup with the founder preset or create an initiative before requesting onboarding tasks."
+    );
+  }
+  const workstream = await createEntity(
+    "workstream",
+    {
+      initiative_id: initiativeId,
+      status: "active",
+      summary: ONBOARDING_WORKSTREAM_SUMMARY,
+      title: ONBOARDING_WORKSTREAM_TITLE,
+      workspace_id: workspace.id
+    },
+    parseWorkstream,
+    options
+  );
   const task = await createEntity(
     "task",
     {
+      initiative_id: initiativeId,
       status: "todo",
       summary: ONBOARDING_TASK_SUMMARY,
       title: ONBOARDING_TASK_TITLE,
-      workspace_id: workspace.id,
-      ...options.initiativeId ? { initiative_id: options.initiativeId } : {}
+      workstream_id: workstream.id,
+      workspace_id: workspace.id
     },
     parseTask,
     options
@@ -3127,7 +2991,10 @@ async function ensureOnboardingTask(workspace, options = {}) {
   updateWizardState(
     (current) => ({
       ...current,
-      onboardingTask: toOnboardingTaskRecord(task, workspace, options.initiativeId)
+      onboardingTask: toOnboardingTaskRecord(task, workspace, {
+        initiativeId,
+        workstreamId: workstream.id
+      })
     }),
     options.statePath
   );
@@ -4943,8 +4810,9 @@ async function maybeConfigureOptionalWorkspaceAddOns(input) {
     return "skipped";
   }
   const existingState = readWizardState();
+  const effectiveInitiativeId = input.initiativeId?.trim() || (existingState?.demoInitiative?.workspaceId === input.workspace.id ? existingState.demoInitiative.id : void 0);
   const hasOnboardingTask = existingState?.onboardingTask?.workspaceId === input.workspace.id;
-  if (!hasOnboardingTask) {
+  if (!hasOnboardingTask && effectiveInitiativeId) {
     const onboardingChoice = await selectPrompt({
       message: `Create a starter onboarding task for ${input.workspace.name}?`,
       options: [
@@ -4957,24 +4825,29 @@ async function maybeConfigureOptionalWorkspaceAddOns(input) {
       return "cancelled";
     }
     if (onboardingChoice === "yes") {
-      const task = await ensureOnboardingTask(input.workspace, {
-        ...input.initiativeId ? { initiativeId: input.initiativeId } : {}
-      });
-      console.log(`  ${ICON.ok}  ${pc3.green("onboarding")} ${pc3.bold(task.title)}`);
-      await safeTrackWizardTelemetry(
-        "onboarding_task_created",
-        buildOnboardingTaskTelemetryProperties(
-          {
-            created: true,
-            hasInitiative: Boolean(input.initiativeId),
-            task
-          },
-          {
-            command: input.telemetry?.command ?? "setup",
-            ...input.telemetry?.preset ? { preset: input.telemetry.preset } : {}
-          }
-        )
-      );
+      try {
+        const task = await ensureOnboardingTask(input.workspace, {
+          initiativeId: effectiveInitiativeId
+        });
+        console.log(`  ${ICON.ok}  ${pc3.green("onboarding")} ${pc3.bold(task.title)}`);
+        await safeTrackWizardTelemetry(
+          "onboarding_task_created",
+          buildOnboardingTaskTelemetryProperties(
+            {
+              created: true,
+              hasInitiative: true,
+              task
+            },
+            {
+              command: input.telemetry?.command ?? "setup",
+              ...input.telemetry?.preset ? { preset: input.telemetry.preset } : {}
+            }
+          )
+        );
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.log(`  ${ICON.warn}  ${pc3.yellow("onboarding")} ${pc3.dim(message)}`);
+      }
     }
   }
   const refreshedState = readWizardState();
@@ -5178,7 +5051,7 @@ function printDoctorReport(report, assessment) {
 async function main() {
   const program = new Command();
   program.name("orgx-wizard").description("One-line CLI onboarding for OrgX surfaces.").showHelpAfterError();
-  const pkgVersion = true ? "0.1.8" : void 0;
+  const pkgVersion = true ? "0.1.9" : void 0;
   program.version(pkgVersion ?? "unknown", "-V, --version");
   program.hook("preAction", () => {
     console.log(renderBanner(pkgVersion));