@vibecodr/cli 1.0.8 → 1.0.10

package/docs/API-CONTRACT.md

@@ -267,6 +267,21 @@ Each descriptor also includes the canonical hosted capability it maps to.
 names for advanced callers, and returns a quota/audit-shaped contract response
 unless the hosted provider mode is later set to `live`.
 
+The endpoint is an OAuth protected resource, not an authorization server. The
+hosted Worker publishes protected-resource metadata at:
+
+- `GET /.well-known/oauth-protected-resource`
+- `GET /.well-known/oauth-protected-resource/mcp`
+- `GET /.well-known/oauth-protected-resource/v1/mcp`
+
+Unauthenticated MCP `POST /mcp` responses include a Bearer
+`WWW-Authenticate` challenge with `resource_metadata` pointing at the MCP
+protected-resource metadata and `scope="vc-tools:use vc-tools:*"`. Discovery
+probes for OAuth authorization-server metadata on `tools.vibecodr.space` return
+an unauthenticated 404 because `tools` only verifies API-issued `vc_tools`
+grants; clients should not treat `openai.vibecodr.space` gateway sessions as
+valid `tools` grants.
+
 Primary agent tool names:
 
 - `browser.render` -> `browser.render_url`
@@ -426,7 +441,9 @@ The local launch package includes:
   HTTP status, and sanitized error message, never query strings, bearer tokens,
   request bodies, or actor identifiers.
   Hosted API/MCP auth failures write anonymous `auth.failed` audit metrics with
-  the semantic auth error code and sanitized path. The scheduled Worker pass
+  the semantic auth error code and sanitized path. OAuth protected-resource and
+  authorization-server discovery probes are served before the auth gate and are
+  not counted as auth failures. The scheduled Worker pass
   aggregates those rows over `VC_TOOLS_AUTH_FAILURE_WINDOW_MINUTES` and emits
   `E-VIBECODR-VC-TOOLS-AUTH-FAILURE-ANOMALY` / `auth.failure_anomaly` only when
   `VC_TOOLS_AUTH_FAILURE_ALERT_THRESHOLD` is crossed. This is an account-level

package/docs/RELEASE-CHECKLIST.md

@@ -76,8 +76,9 @@ Expected results:
 - `inspect` reports one hosted-required check for CLI-contract releases and zero
   hosted-required checks after live production smoke.
 - Unsafe browser URL smoke exits non-zero before any hosted request.
-- The Worker returns health, MCP metadata, and fail-closed auth responses; tests
-  keep contract-mode coverage for no-cost route validation.
+- The Worker returns health, MCP metadata, protected-resource discovery, Bearer
+  auth challenges, and fail-closed auth responses; tests keep contract-mode
+  coverage for no-cost route validation.
 - The contract-mode Worker supports MCP `initialize`, `tools/list`, and
   `tools/call` JSON-RPC requests.
 - Hosted dashboard sections render overview, usage, activity, artifacts, grants,
@@ -208,8 +209,9 @@ Expected hosted guarantees:
   `hosted.worker_5xx` operator alert through the same fanout path. Keep this
   code in parent internal-api `ALERT_CODES`; payloads must stay sanitized to
   method, path pattern, status, and redacted error text only.
-- Hosted API/MCP auth failures write anonymous `auth.failed` audit rows. The
-  scheduled Worker aggregates them and emits the account-scoped
+- Hosted API/MCP auth failures write anonymous `auth.failed` audit rows. OAuth
+  discovery probes are served before auth and must not enter this metric. The
+  scheduled Worker aggregates auth failures and emits the account-scoped
   `E-VIBECODR-VC-TOOLS-AUTH-FAILURE-ANOMALY` /
   `auth.failure_anomaly` operator alert when
   `VC_TOOLS_AUTH_FAILURE_ALERT_THRESHOLD` is crossed inside

package/docs/VALIDATION-MATRIX.md

@@ -9,8 +9,8 @@ artifacts and tests.
 | CLI Guidelines compliance | `src/cli/parser.ts`, `src/cli/run.ts`, `src/cli/output.ts`, `docs/CLI-GUIDELINES-AUDIT.md` | tests verify command-specific help, docs/support links, typo suggestions, stable JSON, product-safe default output, quiet mode, agent-computer primary nouns, and secure credential file/stdin sources |
 | Agent Computer first-use path | `vibecodr start`, `vibecodr setup`, `vibecodr try`, `vibecodr agent connect/status`, `vibecodr computer status` | tests verify `start` checks account identity, hosted health, MCP connection metadata, usage state, safe readiness output, and agent-native connection details without exposing tokens; `try` proves auth, hosted API, browser, computer, proof saving, and usage readback |
 | CLI login and auth diagnostics | `vibecodr login`, `vibecodr auth status`, `vibecodr auth diagnose`, `vibecodr auth export-agent-env`, safe generic credential file/stdin forms | tests verify browser/device auth starts when no credential is provided, `start` recovers from unreadable stored approval state by opening the normal browser login path, cost-bearing browser commands treat unreadable stored approval as missing auth instead of failing on credential storage shape, the private device code is never printed or stored, approval metadata points to `/settings/vc-tools/approve`, `--no-input` refuses interactive login without network calls, direct token grant caching, generic credential classification for Clerk OAuth/API-key exchange through Vibecodr Auth, durable API-key/OAuth local storage, expired grant refresh from stored API keys, file/stdin credential paths, one-off env credential auth without persistence, status reporting for active credential sources without exposing internal profiles, ambiguous credential denial, redaction, optional API verification, explicit file-store test mode, friendly expired-login errors, isolated config warnings, strict-permission agent credential-file export without printing the secret, and no stored-token forwarding to insecure local API URLs unless explicitly allowed |
-| Remote agent connection setup | `vibecodr agent connect`, advanced `vibecodr connect` | tests verify Streamable HTTP metadata, agent-native tool names, and no token leakage |
-| Remote MCP tool server | `/mcp` in `src/hosted/worker.ts` | tests verify MCP `initialize`, `tools/list`, and `tools/call` JSON-RPC contract flow with agent-native `browser.*`, `computer.*`, `work.*`, `proof.*`, and `usage.status` tool names mapped to hosted canonical capabilities |
+| Remote agent connection setup | `vibecodr agent connect`, advanced `vibecodr connect` | tests verify Streamable HTTP metadata, agent-native tool names, no token leakage, and refusal to write bare named-client configs for `tools.vibecodr.space/mcp` until a supported `vc_tools` client auth flow is proven |
+| Remote MCP tool server | `/mcp` in `src/hosted/worker.ts` | tests verify protected-resource discovery, Bearer `WWW-Authenticate` challenge metadata, MCP `initialize`, `tools/list`, and `tools/call` JSON-RPC contract flow with agent-native `browser.*`, `computer.*`, `work.*`, `proof.*`, and `usage.status` tool names mapped to hosted canonical capabilities |
 | Browser render/screenshot/markdown/PDF tests, crawl, snapshot, and paid agent tasks | `vibecodr browser *`, advanced `vibecodr tools test browser.*` | tests verify capability aliases including `browser.snapshot`, canonical browser and crawl payloads, default submit/wait behavior, `--out` proof saving without exposed IDs, Creator `browser.agent_task` acceptance up to 20 minutes, Pro acceptance up to 1 hour, Free denial, Quick Actions staying short, HTTPS-only validation, localhost/private/internal denial with safe-next-action messaging, URL credential denial, direct cookie/header/storage-state auth material denial, IPv4/IPv6 private, link-local, mapped, NAT64, and 6to4 denial, hosted unsafe redirect-chain denial before cost-bearing dispatch, and Workflow dispatch for paid browser agent tasks |
 | Agent Computer run/tests | `vibecodr computer run/test`, advanced `vibecodr tools test sandbox.*`, hosted Sandbox SDK queue execution | tests verify no local shell execution, bounded command payload, default submit/wait behavior, `--out` proof saving without exposed IDs, public HTTP(S) package/docs egress by default for paid Agent Computer jobs, explicit `--network public`/`--network off` payloads, no private-network opt-in flag, no per-command host allowlist requirement, Cloudflare host policy plus hosted outbound handler denial for private/local/internal destinations and private-resolving DNS, per-command Sandbox SDK timeout forwarding, timeout/fork-storm failure cleanup through sandbox teardown, minimal sandbox env injection, stdout/stderr truncation, sandbox-returned files/output-file paths ignored in favor of one fixed transcript artifact, artifact storage accounting, and sandbox-minute metering |
 | Proof store/read/save/delete | `vibecodr proof list/show/save/delete`, advanced `vibecodr artifacts list/get/pull/create/delete` | tests verify metadata shape, bounded list limits, safe filenames, overwrite guard, explicit in-workspace pull file targets, automatic proof saving from browser/computer aliases and `work follow --out`, explicit confirmation before delete, actor-scoped hosted deletion of D1 shelf rows plus R2 bytes, hosted plan-owned upload caps, hard total artifact storage caps, R2 cleanup after D1 reservation races, workspace-bounded upload/download paths, and symlink/junction escape denial |
@@ -33,7 +33,7 @@ artifacts and tests.
 | Browser Run crawl provider path | `browser.crawl_site`, hosted `/crawl` Quick Action integration | CLI tests verify `browser.crawl` payloads; hosted tests verify crawl start, result fetch, artifact storage, browser-minute usage, and crawl-page usage |
 | Browser Run provider retry/defer | `src/hosted/worker.ts` queue failure handling | hosted tests verify provider 429 responses return jobs to queued/retryable state and do not mark them failed on first rate-limit pressure |
 | Human-use security hardening | CLI and hosted Worker trust-boundary controls | tests verify insecure local API opt-in, workspace-bounded artifacts including symlink/junction denial, scoped Vibecodr CLI grants with per-tool capability scopes, actor-scoped live job/artifact/usage/audit SQL, DNS address-record and redirect-chain enforcement with denial metrics, authenticated-browser material denial, Browser Run Quick Action routing and metered time, crawl metering, paid sandbox public HTTP(S) egress with private/local/internal denial, quota denial metrics, pre-execution and during-execution cancellation guards, hard artifact storage caps, D1/R2 artifact write cleanup, explicit artifact deletion cleanup, and retention-backed artifact expiry |
-| Hosted API/MCP scaffold | `src/hosted/worker.ts`, `wrangler.jsonc`, `migrations/0001_live_schema.sql`, `migrations/0002_actor_scope.sql`, `migrations/0003_quota_reservations.sql`, `migrations/0004_sandbox_quota_reservations.sql`, `migrations/0005_operator_alert_dedupe.sql`, `migrations/0006_scheduled_qa.sql`, `migrations/0007_job_queue_metadata.sql` | `npm run check:worker` and `test/hosted-worker.test.ts` verify health, auth fail-closed behavior, auth-failure audit metrics, user-safe public readiness, protected inspection/dashboard routes, scoped CLI grants, capability-scope denial, MCP metadata, MCP tool flow, dashboard contract, actor-scoped live acceptance, atomic quota reservation including sandbox seconds and parallel race conflict handling, queued-ahead metadata without interactive fairness delay, Workflow-owned paid agent browser dispatch without a Queue binding, Queue rejection for Browser Agent execution, Browser Run Quick Action hard-cap deferral, Browser Session hard-cap deferral, Sandbox hard-cap deferral, provider retry/defer handling, Browser Run large-page timeout bounds, failed-job DLQ retry-boundary behavior without provider re-execution, exhausted failed-job loop prevention, scheduled Queue/DLQ/artifact-storage/retention-cleanup/execution-health/auth-failure/Cloudflare-spend alerting, unexpected hosted 500 alerting, crawl artifacts, scheduled QA config/create/list/run-now enqueue/cron enqueue, sandbox execution timeout/env/output/teardown behavior, sandbox timeout/fork-storm failure cleanup, sandbox-returned file/path suppression, sandbox reservation reconciliation, unsafe redirect rejection before cost-bearing dispatch, D1-backed operator alert dedupe, and contract-mode tool acceptance |
+| Hosted API/MCP scaffold | `src/hosted/worker.ts`, `wrangler.jsonc`, `migrations/0001_live_schema.sql`, `migrations/0002_actor_scope.sql`, `migrations/0003_quota_reservations.sql`, `migrations/0004_sandbox_quota_reservations.sql`, `migrations/0005_operator_alert_dedupe.sql`, `migrations/0006_scheduled_qa.sql`, `migrations/0007_job_queue_metadata.sql` | `npm run check:worker` and `test/hosted-worker.test.ts` verify health, auth fail-closed behavior, OAuth discovery routes that do not emit `auth.failed`, auth-failure audit metrics, user-safe public readiness, protected inspection/dashboard routes, scoped CLI grants, capability-scope denial, MCP protected-resource metadata, MCP auth challenge headers, MCP metadata, MCP tool flow, dashboard contract, actor-scoped live acceptance, atomic quota reservation including sandbox seconds and parallel race conflict handling, queued-ahead metadata without interactive fairness delay, Workflow-owned paid agent browser dispatch without a Queue binding, Queue rejection for Browser Agent execution, Browser Run Quick Action hard-cap deferral, Browser Session hard-cap deferral, Sandbox hard-cap deferral, provider retry/defer handling, Browser Run large-page timeout bounds, failed-job DLQ retry-boundary behavior without provider re-execution, exhausted failed-job loop prevention, scheduled Queue/DLQ/artifact-storage/retention-cleanup/execution-health/auth-failure/Cloudflare-spend alerting, unexpected hosted 500 alerting, crawl artifacts, scheduled QA config/create/list/run-now enqueue/cron enqueue, sandbox execution timeout/env/output/teardown behavior, sandbox timeout/fork-storm failure cleanup, sandbox-returned file/path suppression, sandbox reservation reconciliation, unsafe redirect rejection before cost-bearing dispatch, D1-backed operator alert dedupe, and contract-mode tool acceptance |
 | Live Cloudflare provider | `src/hosted/worker.ts`, `wrangler.jsonc`, `Dockerfile`, `migrations/0001_live_schema.sql`, `migrations/0002_actor_scope.sql`, `migrations/0003_quota_reservations.sql`, `migrations/0004_sandbox_quota_reservations.sql`, `migrations/0005_operator_alert_dedupe.sql`, `migrations/0006_scheduled_qa.sql`, `migrations/0007_job_queue_metadata.sql` | hosted-required for live releases: apply all migrations, set Browser Run Quick Actions secrets and `BROWSER_AGENT_WORKFLOW`, deploy, then smoke health, authenticated login, real Quick Action browser job, real scheduled QA create/list/run-now enqueue/job-readback/monthly-cap denial plus natural cron-tick readback at a real trigger time, real Creator browser agent-task job through `BROWSER_AGENT_WORKFLOW`/`BROWSER`, real Pro browser agent-task job through `BROWSER_AGENT_WORKFLOW`/`BROWSER`, real crawl job, real Creator `standard-1` sandbox job capped at 10 minutes, real Pro `standard-2` sandbox job capped at 30 minutes, R2 artifact download, actor-scoped user-safe usage, crawl-page usage, sandbox-second quota denial, operator-alert dedupe/readback on operator surfaces, COGS dashboard readback, and audit rows against `https://tools.vibecodr.space` |
 | Cloudflare dynamic primitive fit | `docs/CLOUDFLARE-PRIMITIVE-FIT.md`, `docs/API-CONTRACT.md`, `wrangler.jsonc` | docs verify Cloudflare Workflows are the v1 durable `browser.agent_task` lane; Dynamic Workers/Facets/Dynamic Workflows remain future supervised dynamic-code capabilities, not replacements for v1 Browser Run Quick Actions, Sandbox SDK, D1, R2, Queue/DLQ, or platform-owned quota/audit/billing authority |
 | Production-grade packaging | build, typecheck, test, explicit npm exports, CLI-only runtime dependencies, pack verifier, CI | `npm run verify`; pack verifier rejects `docs/`, hosted Worker source, migrations, deployment config, tests, scripts, and Cloudflare primitive runtime dependencies from the public npm artifact |

package/docs/auth.md

@@ -1,13 +1,20 @@
 # Auth
 
-`vibecodr login` defaults to authenticating the CLI itself to the hosted Vibecodr MCP server. It does not log Codex, Cursor, VS Code, Windsurf, ChatGPT, or any other MCP client into MCP.
+The normal public setup path is `vibecodr start`. It opens the browser approval
+flow shown on the Vibecodr CLI pages, stores the hosted Agent Computer
+credential for this machine, and returns the connection details an agent needs.
+
+`vibecodr login` is still the explicit MCP Gateway login for publishing,
+uploads, Pulses, and direct MCP Gateway tools. It does not log Codex, Cursor, VS
+Code, Windsurf, ChatGPT, or any other MCP client into MCP.
 
 Vibecodr now has two CLI credential lanes:
 
 - MCP Gateway: `vibecodr login` or `vibecodr login mcp`, stored under the historical `@vibecodr/mcp` service.
 - Hosted Agent Computer: `vibecodr login agent` or the automatic `vibecodr start` approval flow, stored under the historical `@vibecodr/vc-tools` service.
 
-The token types are intentionally separate. Status and doctor can read both lanes, but the CLI does not merge or copy credentials between them.
+The token types are intentionally separate. Status and doctor can read both lanes,
+but the CLI does not merge or copy credentials between them.
 
 Compatibility alias:
 

package/docs/commands.md

@@ -10,9 +10,10 @@ The Vibecodr CLI talks to two hosted endpoints. Every command targets exactly on
 
 The three bin entries — `vibecodr`, `vibecodr-mcp`, `vc-tools` — all resolve to the same dispatcher. The `vc-tools` bin remains for back-compat and routes every command through the legacy code path so output is byte-equivalent to `@vibecodr/vc-tools@0.1.4`. The `vibecodr` bin runs the MCP-gateway commands inline and cross-routes the hosted Agent Computer commands into the legacy code path. The `vibecodr-mcp` bin is the alias preserved from `@vibecodr/cli@0.2.x`.
 
-The human-facing command experience is deliberately guided: `vibecodr`,
-`vibecodr status`, and `vibecodr doctor` should answer what to do next before
-they teach service names. The architecture underneath remains explicit:
+The human-facing command experience is deliberately guided: `vibecodr start` is
+the normal public setup path, and `vibecodr`, `vibecodr status`, and
+`vibecodr doctor` should answer what to do next before they teach service names.
+The architecture underneath remains explicit:
 commands still route to one hosted endpoint, JSON stays stable for scripts, and
 diagnostics preserve the real credential/service boundary.
 
@@ -96,13 +97,13 @@ Sends product feedback to the MCP Gateway `submit_feedback` tool. The platform s
 
 `vibecodr install <codex|cursor|vscode|windsurf|claude-desktop|claude-code> [--scope user|project] [--path <dir>] [--name <server-name>] [--open-client] [--overwrite] [--dry-run]`
 
-Adds (or removes) the hosted Vibecodr MCP server to an app such as Codex, Cursor, VS Code, Windsurf, Claude Desktop, or Claude Code. In command syntax we call that app a `client`. `codex`, `vscode`, and `claude-code` prefer their own CLI shim (`codex mcp add`, `code --add-mcp`, `claude mcp add`) and fall back to writing the app config file. `cursor`, `windsurf`, and `claude-desktop` always write the app config file directly. Records the install in `installs.json` so `uninstall` can find it.
+Adds (or removes) the OAuth-backed Vibecodr MCP Gateway server to an app such as Codex, Cursor, VS Code, Windsurf, Claude Desktop, or Claude Code. In command syntax we call that app a `client`. `codex`, `vscode`, and `claude-code` prefer their own CLI shim (`codex mcp add`, `code --add-mcp`, `claude mcp add`) and fall back to writing the app config file. `cursor`, `windsurf`, and `claude-desktop` always write the app config file directly. Records the install in `installs.json` so `uninstall` can find it. Profiles pointed at `tools.vibecodr.space/mcp` are refused here because that hosted Agent Computer endpoint uses `vc_tools` grants, not editor-owned MCP Gateway OAuth sessions.
 
 ### `vibecodr connect` / `vibecodr agent connect` (H)
 
 `vibecodr connect --client <codex|cursor|vscode|windsurf|claude-desktop|claude-code> [--print] [--name <server-name>] [--install] [--overwrite]`
 
-Prints (`--print`) or installs (`--install`) the MCP connection details for the hosted Agent Computer. The `vibecodr agent connect` form is the agent-shaped alias; both reach the same code path.
+Prints (`--print`) the MCP connection details for the hosted Agent Computer. The `vibecodr agent connect` form is the agent-shaped alias; both reach the same code path. Named editor/client installs are skipped for `tools.vibecodr.space/mcp` until that client has a proven `vc_tools` grant flow; use `vibecodr install <client>` for the OAuth-backed MCP Gateway and `vibecodr start`/`vibecodr try` for CLI-owned Agent Computer credentials.
 
 ## Hosted browser (H)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibecodr/cli",
-  "version": "1.0.8",
+  "version": "1.0.10",
   "description": "The official Vibecodr CLI: hosted browser, hosted computer, capsule uploads, Pulse operations, and agent-client MCP setup under one command.",
   "license": "Apache-2.0",
   "type": "module",