npm - @visa/cli - Versions diffs - 1.0.3 → 1.0.4-rc.3 - Mend

@visa/cli 1.0.3 → 1.0.4-rc.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +87 -115
package/dist/cli.js +52 -13
package/dist/mcp-server/index.js +54 -10
package/native/visa-keychain.m +46 -4
package/package.json +5 -4
package/LICENSE +0 -8

package/native/visa-keychain.m CHANGED Viewed

@@ -1,6 +1,7 @@
 #import <Foundation/Foundation.h>
 #import <Security/Security.h>
 #import <LocalAuthentication/LocalAuthentication.h>
+#import <AppKit/AppKit.h>
 // SPKI DER header for P-256 (prime256v1) uncompressed public key
 static const unsigned char SPKI_HEADER[] = {
@@ -132,21 +133,62 @@ int cmd_sign(const char *challenge, const char *reason) {
         return 1;
     }
-    // Touch ID gate
+    // Authentication gate (Touch ID OR password — whichever the user has).
+    //
+    // We use LAPolicyDeviceOwnerAuthentication, which presents a single
+    // system dialog: Touch ID on enrolled hardware, password fallback
+    // everywhere else (including users who skipped biometric setup and
+    // Macs without a Touch ID sensor). This front-focus fix applies to
+    // BOTH dialogs — they are the same system-level window, just with
+    // different input modes. If we only fixed the Touch ID path we would
+    // still be burying the password prompt behind the terminal for every
+    // non-biometric user.
+    //
+    // Front-focus fix: bare CLI binaries have no NSApplication, so the
+    // system LAContext dialog gets parented to whichever process happens to
+    // be frontmost (usually the terminal or Claude Code), which puts the
+    // prompt *behind* the user's current window — users never see it, time
+    // out, and their spend gets cancelled.
+    //
+    // Making the binary an Accessory-policy NSApplication and explicitly
+    // calling activateIgnoringOtherApps: before evaluatePolicy tells the
+    // window server this process is the new frontmost app, so the auth
+    // prompt (biometric or password) is raised on top of all other
+    // windows. Accessory policy means no Dock icon, no menu bar — the
+    // binary stays invisible except for the dialog itself.
+    [NSApplication sharedApplication];
+    [NSApp setActivationPolicy:NSApplicationActivationPolicyAccessory];
+    [NSApp activateIgnoringOtherApps:YES];
     LAContext *ctx = [[LAContext alloc] init];
     NSString *reasonStr = reason
         ? [NSString stringWithUTF8String:reason]
         : @"approve payment";
-    dispatch_semaphore_t sem = dispatch_semaphore_create(0);
+    __block BOOL done = NO;
     __block BOOL authOk = NO;
     [ctx evaluatePolicy:LAPolicyDeviceOwnerAuthentication
         localizedReason:reasonStr
                   reply:^(BOOL success, NSError *err) {
         authOk = success;
-        dispatch_semaphore_signal(sem);
+        done = YES;
     }];
-    dispatch_semaphore_wait(sem, DISPATCH_TIME_FOREVER);
+    // Pump the main run loop while waiting for the reply block. Using
+    // dispatch_semaphore_wait here would freeze the main thread and
+    // prevent the WindowServer from delivering the activation we just
+    // requested — the dialog would come up, but not on top.
+    NSDate *timeout = [NSDate dateWithTimeIntervalSinceNow:55.0];
+    while (!done) {
+        @autoreleasepool {
+            [[NSRunLoop currentRunLoop] runMode:NSDefaultRunLoopMode
+                                     beforeDate:[NSDate dateWithTimeIntervalSinceNow:0.05]];
+            if ([[NSDate date] compare:timeout] == NSOrderedDescending) {
+                printf("ERROR:Authentication timed out\n");
+                return 1;
+            }
+        }
+    }
     if (!authOk) {
         printf("ERROR:Authentication cancelled by user\n");

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@visa/cli",
-  "version": "1.0.3",
+  "version": "1.0.4-rc.3",
   "description": "AI-powered payments for Claude Code",
   "bin": {
     "visa-cli": "./bin/visa-cli.js"
@@ -16,8 +16,8 @@
     "test:smoke": "VISA_AUTH_URL=https://auth.visacli.sh jest --config jest.smoke.config.js",
     "test:integration": "jest --config jest.integration.config.js",
     "test:e2e": "jest --config jest.e2e.config.js",
+    "test:catalog-e2e": "jest --config jest.catalog-e2e.config.js",
     "test:all": "npm run test:unit && npm run test:integration && npm run test:e2e",
-    "prepare": "husky",
     "prepublishOnly": "npm run build && npm test",
     "lint": "eslint src/**/*.ts",
     "format": "prettier --write \"src/**/*.ts\"",
@@ -37,7 +37,9 @@
   "license": "SEE LICENSE IN LICENSE",
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.0.0",
-    "commander": "^12.1.0"
+    "@visa-cli/tools": "workspace:*",
+    "commander": "^12.1.0",
+    "zod": "^3.23.0"
   },
   "devDependencies": {
     "@changesets/changelog-git": "^0.2.1",
@@ -51,7 +53,6 @@
     "express": "^4.21.0",
     "eslint": "^10.0.2",
     "eslint-config-prettier": "^10.1.8",
-    "husky": "^9.1.7",
     "jest": "^29.7.0",
     "prettier": "^3.8.1",
     "ts-jest": "^29.2.0",

package/LICENSE DELETED Viewed

@@ -1,8 +0,0 @@
-Copyright (c) 2026 Visa International Service Association. All rights reserved.
-Use of this software is governed by the Visa CLI Terms of Use, available at:
-https://auth.visacli.sh/legal/terms
-This software is proprietary and confidential. Unauthorized copying, distribution,
-or use of this software, in whole or in part, is strictly prohibited except as
-expressly permitted by the Visa CLI Terms of Use.