@waniwani/cli 0.0.45 → 0.0.46

package/dist/index.js

@@ -14,7 +14,7 @@ import { Command } from "commander";
 
 // src/lib/config.ts
 import { existsSync } from "fs";
-import { mkdir, readFile, writeFile } from "fs/promises";
+import { chmod, mkdir, readFile, writeFile } from "fs/promises";
 import { join } from "path";
 import { z } from "zod";
 var LOCAL_CONFIG_DIR = ".waniwani";
@@ -22,6 +22,8 @@ var CONFIG_FILE_NAME = "settings.json";
 var LOCAL_DIR = join(process.cwd(), LOCAL_CONFIG_DIR);
 var LOCAL_FILE = join(LOCAL_DIR, CONFIG_FILE_NAME);
 var DEFAULT_API_URL = "https://app.waniwani.ai";
+var CONFIG_DIR_MODE = 448;
+var CONFIG_FILE_MODE = 384;
 var ConfigSchema = z.object({
   // Settings
   sessionId: z.string().nullable().default(null),
@@ -41,6 +43,10 @@ var Config = class {
     this.dir = LOCAL_DIR;
     this.file = LOCAL_FILE;
   }
+  async setSecurePermissions() {
+    await chmod(this.dir, CONFIG_DIR_MODE);
+    await chmod(this.file, CONFIG_FILE_MODE);
+  }
   async load() {
     if (!this.cache) {
       try {
@@ -55,15 +61,17 @@ var Config = class {
   }
   async save(data) {
     this.cache = data;
-    await mkdir(this.dir, { recursive: true });
+    await mkdir(this.dir, { recursive: true, mode: CONFIG_DIR_MODE });
     await writeFile(this.file, JSON.stringify(data, null, "	"));
+    await this.setSecurePermissions();
   }
   /**
    * Ensure the .waniwani directory exists in cwd.
    * Used by login to create config before saving tokens.
    */
   async ensureConfigDir() {
-    await mkdir(this.dir, { recursive: true });
+    await mkdir(this.dir, { recursive: true, mode: CONFIG_DIR_MODE });
+    await chmod(this.dir, CONFIG_DIR_MODE);
   }
   /**
    * Check if a .waniwani config directory exists in cwd.
@@ -134,9 +142,11 @@ var config = new Config();
 async function initConfigAt(dir, overrides = {}) {
   const configDir = join(dir, LOCAL_CONFIG_DIR);
   const configPath = join(configDir, CONFIG_FILE_NAME);
-  await mkdir(configDir, { recursive: true });
+  await mkdir(configDir, { recursive: true, mode: CONFIG_DIR_MODE });
   const data = ConfigSchema.parse(overrides);
   await writeFile(configPath, JSON.stringify(data, null, "	"), "utf-8");
+  await chmod(configDir, CONFIG_DIR_MODE);
+  await chmod(configPath, CONFIG_FILE_MODE);
   return { path: configPath, config: data };
 }
 
@@ -287,12 +297,16 @@ var configInitCommand = new Command("init").description("Initialize .waniwani co
 // src/commands/config/index.ts
 var configCommand = new Command2("config").description("Manage WaniWani configuration").addCommand(configInitCommand);
 
-// src/commands/login.ts
-import { spawn } from "child_process";
-import { createServer } from "http";
-import chalk3 from "chalk";
+// src/commands/git-credential-helper.ts
+import { readFileSync } from "fs";
+import { join as join5 } from "path";
 import { Command as Command3 } from "commander";
-import ora from "ora";
+
+// src/lib/git-auth.ts
+import { execFileSync } from "child_process";
+import { chmodSync, mkdtempSync, rmSync, writeFileSync } from "fs";
+import { tmpdir } from "os";
+import { join as join3 } from "path";
 
 // src/lib/auth.ts
 var AuthManager = class {
@@ -349,125 +363,581 @@ var AuthManager = class {
 };
 var auth = new AuthManager();
 
-// src/commands/login.ts
-var LOGO_LINES = [
-  "\u2588\u2588\u2557    \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557   \u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2557    \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557   \u2588\u2588\u2557 \u2588\u2588\u2557",
-  "\u2588\u2588\u2551    \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551    \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551 \u2588\u2588\u2551",
-  "\u2588\u2588\u2551 \u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551 \u2588\u2588\u2551",
-  "\u2588\u2588\u2551\u2588\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551",
-  "\u255A\u2588\u2588\u2588\u2554\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551 \u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2554\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551 \u2588\u2588\u2551",
-  " \u255A\u2550\u2550\u255D\u255A\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u2550\u255D\u255A\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D \u255A\u2550\u255D"
-];
-var LOGO_COLORS = [
-  "\x1B[38;5;223m",
-  // light peach
-  "\x1B[38;5;216m",
-  // peach
-  "\x1B[38;5;209m",
-  // salmon
-  "\x1B[38;5;203m",
-  // coral
-  "\x1B[38;5;167m",
-  // warm red
-  "\x1B[38;5;131m"
-  // deep terracotta
-];
-var RESET = "\x1B[0m";
-function showLogo() {
-  console.log();
-  for (let i = 0; i < LOGO_LINES.length; i++) {
-    console.log(`${LOGO_COLORS[i]}${LOGO_LINES[i]}${RESET}`);
+// src/lib/api.ts
+var ApiError = class extends CLIError {
+  constructor(message, code, statusCode, details) {
+    super(message, code, details);
+    this.statusCode = statusCode;
+    this.name = "ApiError";
   }
-  console.log();
-}
-var CALLBACK_PORT = 54321;
-var CALLBACK_URL = `http://localhost:${CALLBACK_PORT}/callback`;
-var CLIENT_NAME = "waniwani-cli";
-function generateCodeVerifier() {
-  const array = new Uint8Array(32);
-  crypto.getRandomValues(array);
-  return btoa(String.fromCharCode(...array)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-async function generateCodeChallenge(verifier) {
-  const encoder = new TextEncoder();
-  const data = encoder.encode(verifier);
-  const hash = await crypto.subtle.digest("SHA-256", data);
-  return btoa(String.fromCharCode(...new Uint8Array(hash))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-function generateState() {
-  const array = new Uint8Array(16);
-  crypto.getRandomValues(array);
-  return Array.from(array, (b) => b.toString(16).padStart(2, "0")).join("");
-}
-async function registerClient() {
-  const apiUrl = await config.getApiUrl();
-  const response = await fetch(`${apiUrl}/api/auth/oauth2/register`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json"
-    },
-    body: JSON.stringify({
-      client_name: CLIENT_NAME,
-      redirect_uris: [CALLBACK_URL],
-      grant_types: ["authorization_code", "refresh_token"],
-      response_types: ["code"],
-      token_endpoint_auth_method: "none"
-    })
+};
+async function request(method, path, options) {
+  const {
+    body,
+    requireAuth = true,
+    headers: extraHeaders = {}
+  } = options || {};
+  const headers = {
+    "Content-Type": "application/json",
+    ...extraHeaders
+  };
+  if (requireAuth) {
+    const token = await auth.getAccessToken();
+    if (!token) {
+      throw new AuthError(
+        "Not logged in. Run 'waniwani login' to authenticate."
+      );
+    }
+    headers.Authorization = `Bearer ${token}`;
+  }
+  const baseUrl = await config.getApiUrl();
+  const url = `${baseUrl}${path}`;
+  const response = await fetch(url, {
+    method,
+    headers,
+    body: body ? JSON.stringify(body) : void 0
   });
-  if (!response.ok) {
-    const error = await response.json().catch(() => ({}));
-    throw new CLIError(
-      error.error_description || "Failed to register OAuth client",
-      "CLIENT_REGISTRATION_FAILED"
+  if (response.status === 204) {
+    return void 0;
+  }
+  let data;
+  let rawBody;
+  try {
+    rawBody = await response.text();
+    data = JSON.parse(rawBody);
+  } catch {
+    throw new ApiError(
+      rawBody || `Request failed with status ${response.status}`,
+      "API_ERROR",
+      response.status,
+      { statusText: response.statusText }
     );
   }
-  return response.json();
+  if (!response.ok || data.error) {
+    const errorObject = typeof data.error === "object" && data.error !== null ? data.error : void 0;
+    const errorString = typeof data.error === "string" ? data.error : void 0;
+    const errorMessage = errorObject?.message || data.message || errorString || rawBody || `Request failed with status ${response.status}`;
+    const errorCode = errorString || errorObject?.code || data.code || data.message || errorObject?.message || "API_ERROR";
+    const errorDetails = {
+      ...errorObject?.details,
+      statusText: response.statusText,
+      ...errorObject ? {} : { rawResponse: data }
+    };
+    const error = {
+      code: errorCode,
+      message: errorMessage,
+      details: errorDetails
+    };
+    if (response.status === 401) {
+      const refreshed = await auth.tryRefreshToken();
+      if (refreshed) {
+        return request(method, path, options);
+      }
+      throw new AuthError(
+        "Session expired. Run 'waniwani login' to re-authenticate."
+      );
+    }
+    throw new ApiError(
+      error.message,
+      error.code,
+      response.status,
+      error.details
+    );
+  }
+  return data.data;
 }
-async function openBrowser(url) {
-  const [cmd, ...args] = process.platform === "darwin" ? ["open", url] : process.platform === "win32" ? ["cmd", "/c", "start", url] : ["xdg-open", url];
-  spawn(cmd, args, { stdio: "ignore", detached: true }).unref();
+var api = {
+  get: (path, options) => request("GET", path, options),
+  post: (path, body, options) => request("POST", path, { body, ...options }),
+  delete: (path, options) => request("DELETE", path, options),
+  getBaseUrl: () => config.getApiUrl()
+};
+
+// src/lib/git-auth.ts
+function getGitHubApiBaseUrl(remoteUrl) {
+  try {
+    const parsed = new URL(remoteUrl);
+    return parsed.hostname === "github.com" || parsed.hostname === "www.github.com" ? "https://api.github.com" : `${parsed.protocol}//${parsed.host}/api/v3`;
+  } catch {
+    return null;
+  }
 }
-async function waitForCallback(expectedState, timeoutMs = 3e5) {
-  return new Promise((resolve, reject) => {
-    let server = null;
-    const sockets = /* @__PURE__ */ new Set();
-    const timeout = setTimeout(() => {
-      cleanup();
-      reject(new CLIError("Login timed out", "LOGIN_TIMEOUT"));
-    }, timeoutMs);
-    const cleanup = () => {
-      clearTimeout(timeout);
-      for (const socket of sockets) {
-        socket.destroy();
-      }
-      sockets.clear();
-      server?.close();
-    };
-    const htmlResponse = (title, message, isSuccess) => `<!DOCTYPE html>
-<html>
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>${title} - WaniWani</title>
-  <style>
-    * { margin: 0; padding: 0; box-sizing: border-box; }
-    body {
-      font-family: system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
-      min-height: 100vh;
-      display: flex;
-      align-items: center;
-      justify-content: center;
-      background: #fafafa;
-      position: relative;
-      overflow: hidden;
+function parseCloneUrlAuth(cloneUrl) {
+  try {
+    const parsed = new URL(cloneUrl);
+    const username = decodeURIComponent(parsed.username);
+    const password = decodeURIComponent(parsed.password);
+    if (username && password) {
+      parsed.username = "";
+      parsed.password = "";
+      const remoteUrl = parsed.toString();
+      return {
+        cloneUrl,
+        remoteUrl,
+        credentials: { username, password },
+        githubApiBaseUrl: getGitHubApiBaseUrl(remoteUrl)
+      };
     }
-    .blob {
-      position: absolute;
-      border-radius: 50%;
-      filter: blur(60px);
-      pointer-events: none;
+  } catch {
+  }
+  return {
+    cloneUrl,
+    remoteUrl: cloneUrl,
+    credentials: null,
+    githubApiBaseUrl: null
+  };
+}
+async function getGitAuthContext(mcpId) {
+  try {
+    const gitAuth = await api.get(
+      `/api/mcp/repositories/${mcpId}/git-auth`
+    );
+    const parsedRemote = new URL(gitAuth.remoteUrl);
+    parsedRemote.username = gitAuth.username;
+    parsedRemote.password = gitAuth.token;
+    const cloneUrl = parsedRemote.toString();
+    return {
+      cloneUrl,
+      remoteUrl: gitAuth.remoteUrl,
+      credentials: {
+        username: gitAuth.username,
+        password: gitAuth.token
+      },
+      githubApiBaseUrl: getGitHubApiBaseUrl(gitAuth.remoteUrl)
+    };
+  } catch (error) {
+    if (error instanceof ApiError && error.statusCode !== 404) {
+      throw error;
     }
-    .blob-1 {
+    const { cloneUrl } = await api.get(
+      `/api/mcp/repositories/${mcpId}/clone-url`
+    );
+    return parseCloneUrlAuth(cloneUrl);
+  }
+}
+function runGitWithCredentials(args, options) {
+  const { cwd, stdio = "ignore", credentials = null } = options ?? {};
+  if (!credentials) {
+    execFileSync("git", args, { cwd, stdio });
+    return;
+  }
+  const dir = mkdtempSync(join3(tmpdir(), "waniwani-askpass-"));
+  const askpassPath = join3(dir, "askpass.sh");
+  try {
+    writeFileSync(
+      askpassPath,
+      `#!/bin/sh
+case "$1" in
+  *sername*) printf '%s\\n' "$WANIWANI_GIT_USERNAME" ;;
+  *assword*) printf '%s\\n' "$WANIWANI_GIT_PASSWORD" ;;
+  *) printf '\\n' ;;
+esac
+`,
+      "utf-8"
+    );
+    chmodSync(askpassPath, 448);
+    execFileSync("git", ["-c", "credential.helper=", ...args], {
+      cwd,
+      stdio,
+      env: {
+        ...process.env,
+        GIT_ASKPASS: askpassPath,
+        GIT_TERMINAL_PROMPT: "0",
+        WANIWANI_GIT_USERNAME: credentials.username,
+        WANIWANI_GIT_PASSWORD: credentials.password
+      }
+    });
+  } finally {
+    rmSync(dir, { recursive: true, force: true });
+  }
+}
+var REVOKE_TIMEOUT_MS = 5e3;
+async function revokeGitHubInstallationToken(auth2) {
+  if (!auth2.credentials?.password || !auth2.githubApiBaseUrl) return;
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), REVOKE_TIMEOUT_MS);
+  try {
+    await fetch(`${auth2.githubApiBaseUrl}/installation/token`, {
+      method: "DELETE",
+      headers: {
+        Accept: "application/vnd.github+json",
+        Authorization: `Bearer ${auth2.credentials.password}`,
+        "X-GitHub-Api-Version": "2022-11-28"
+      },
+      signal: controller.signal
+    });
+  } catch {
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+// src/lib/sync.ts
+import { existsSync as existsSync3 } from "fs";
+import { mkdir as mkdir2, readdir, readFile as readFile2, stat, writeFile as writeFile2 } from "fs/promises";
+import { dirname, join as join4, relative } from "path";
+import ignore from "ignore";
+
+// src/lib/utils.ts
+async function requireMcpId(mcpId) {
+  if (mcpId) return mcpId;
+  const configMcpId = await config.getMcpId();
+  if (!configMcpId) {
+    throw new McpError(
+      "No active MCP. Run 'waniwani mcp create <name>' or 'waniwani mcp use <name>'."
+    );
+  }
+  return configMcpId;
+}
+async function requireSessionId() {
+  const sessionId = await config.getSessionId();
+  if (!sessionId) {
+    throw new McpError(
+      "No active session. Run 'waniwani mcp preview' to start development."
+    );
+  }
+  return sessionId;
+}
+var BINARY_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".png",
+  ".jpg",
+  ".jpeg",
+  ".gif",
+  ".ico",
+  ".webp",
+  ".svg",
+  ".woff",
+  ".woff2",
+  ".ttf",
+  ".eot",
+  ".otf",
+  ".zip",
+  ".tar",
+  ".gz",
+  ".pdf",
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  ".bin",
+  ".mp3",
+  ".mp4",
+  ".wav",
+  ".ogg",
+  ".webm"
+]);
+function isBinaryPath(filePath) {
+  const ext = filePath.slice(filePath.lastIndexOf(".")).toLowerCase();
+  return BINARY_EXTENSIONS.has(ext);
+}
+function detectBinary(buffer) {
+  const sample = buffer.subarray(0, 8192);
+  return sample.includes(0);
+}
+
+// src/lib/sync.ts
+var PROJECT_DIR = ".waniwani";
+async function findProjectRoot(startDir) {
+  let current = startDir;
+  const root = dirname(current);
+  while (current !== root) {
+    if (existsSync3(join4(current, PROJECT_DIR))) {
+      return current;
+    }
+    const parent = dirname(current);
+    if (parent === current) break;
+    current = parent;
+  }
+  if (existsSync3(join4(current, PROJECT_DIR))) {
+    return current;
+  }
+  return null;
+}
+var DEFAULT_IGNORE_PATTERNS = [
+  ".waniwani",
+  ".git",
+  "node_modules",
+  ".DS_Store",
+  "*.log",
+  ".cache",
+  "dist",
+  "coverage",
+  ".turbo",
+  ".next",
+  ".nuxt",
+  ".vercel"
+];
+var DEFAULT_ENV_IGNORE_PATTERNS = [".env", ".env.*"];
+async function loadIgnorePatterns(projectRoot, options = {}) {
+  const { includeEnvFiles = false } = options;
+  const ig = ignore();
+  ig.add(DEFAULT_IGNORE_PATTERNS);
+  if (!includeEnvFiles) {
+    ig.add(DEFAULT_ENV_IGNORE_PATTERNS);
+  }
+  const gitignorePath = join4(projectRoot, ".gitignore");
+  if (existsSync3(gitignorePath)) {
+    try {
+      const content = await readFile2(gitignorePath, "utf-8");
+      ig.add(content);
+    } catch {
+    }
+  }
+  if (includeEnvFiles) {
+    ig.add(["!.env", "!.env.*"]);
+  }
+  return ig;
+}
+async function collectFiles(projectRoot, options = {}) {
+  const ig = await loadIgnorePatterns(projectRoot, options);
+  const files = [];
+  async function walk(dir) {
+    const entries = await readdir(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = join4(dir, entry.name);
+      const relativePath = relative(projectRoot, fullPath);
+      if (ig.ignores(relativePath)) {
+        continue;
+      }
+      if (entry.isDirectory()) {
+        await walk(fullPath);
+      } else if (entry.isFile()) {
+        try {
+          const content = await readFile2(fullPath);
+          const isBinary = isBinaryPath(fullPath) || detectBinary(content);
+          files.push({
+            path: relativePath,
+            content: isBinary ? content.toString("base64") : content.toString("utf8"),
+            encoding: isBinary ? "base64" : "utf8"
+          });
+        } catch {
+        }
+      }
+    }
+  }
+  await walk(projectRoot);
+  return files;
+}
+async function pullFilesFromGithub(mcpId, targetDir) {
+  const result = await api.get(
+    `/api/mcp/repositories/${mcpId}/files`
+  );
+  const writtenFiles = [];
+  for (const file of result.files) {
+    const localPath = join4(targetDir, file.path);
+    const dir = dirname(localPath);
+    await mkdir2(dir, { recursive: true });
+    if (file.encoding === "base64") {
+      await writeFile2(localPath, Buffer.from(file.content, "base64"));
+    } else {
+      await writeFile2(localPath, file.content, "utf8");
+    }
+    writtenFiles.push(file.path);
+  }
+  return { count: writtenFiles.length, files: writtenFiles };
+}
+async function collectSingleFile(projectRoot, filePath) {
+  const fullPath = join4(projectRoot, filePath);
+  const relativePath = relative(projectRoot, fullPath);
+  if (!existsSync3(fullPath)) {
+    return null;
+  }
+  try {
+    const fileStat = await stat(fullPath);
+    if (!fileStat.isFile()) {
+      return null;
+    }
+    const content = await readFile2(fullPath);
+    const isBinary = isBinaryPath(fullPath) || detectBinary(content);
+    return {
+      path: relativePath,
+      content: isBinary ? content.toString("base64") : content.toString("utf8"),
+      encoding: isBinary ? "base64" : "utf8"
+    };
+  } catch {
+    return null;
+  }
+}
+
+// src/commands/git-credential-helper.ts
+function parseCredentialInput(input) {
+  const fields = {};
+  for (const line of input.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    const eqIdx = trimmed.indexOf("=");
+    if (eqIdx > 0) {
+      fields[trimmed.slice(0, eqIdx)] = trimmed.slice(eqIdx + 1);
+    }
+  }
+  return fields;
+}
+var gitCredentialHelperCommand = new Command3("git-credential-helper").description("Git credential helper (used by git, not called directly)").argument("<operation>", "get, store, or erase").action(async (operation) => {
+  if (operation !== "get") {
+    process.exit(0);
+  }
+  try {
+    const input = readFileSync(0, "utf-8");
+    const fields = parseCredentialInput(input);
+    if (fields.protocol && fields.protocol !== "https") {
+      process.exit(0);
+    }
+    const projectRoot = await findProjectRoot(process.cwd());
+    if (!projectRoot) {
+      process.stderr.write(
+        "waniwani: not in a WaniWani project (no .waniwani/ found)\n"
+      );
+      process.exit(1);
+    }
+    const configPath = join5(projectRoot, LOCAL_CONFIG_DIR, CONFIG_FILE_NAME);
+    const configData = JSON.parse(readFileSync(configPath, "utf-8"));
+    const mcpId = configData.mcpId;
+    if (!mcpId) {
+      process.stderr.write("waniwani: no mcpId in config\n");
+      process.exit(1);
+    }
+    const gitAuth = await getGitAuthContext(mcpId);
+    if (!gitAuth.credentials) {
+      process.stderr.write("waniwani: no credentials returned from API\n");
+      process.exit(1);
+    }
+    process.stdout.write(
+      `username=${gitAuth.credentials.username}
+password=${gitAuth.credentials.password}
+`
+    );
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    process.stderr.write(`waniwani credential helper error: ${message}
+`);
+    process.exit(1);
+  }
+});
+
+// src/commands/login.ts
+import { spawn } from "child_process";
+import { createServer } from "http";
+import chalk3 from "chalk";
+import { Command as Command4 } from "commander";
+import ora from "ora";
+var LOGO_LINES = [
+  "\u2588\u2588\u2557    \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557   \u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2557    \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557   \u2588\u2588\u2557 \u2588\u2588\u2557",
+  "\u2588\u2588\u2551    \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551    \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551 \u2588\u2588\u2551",
+  "\u2588\u2588\u2551 \u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551 \u2588\u2588\u2551",
+  "\u2588\u2588\u2551\u2588\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551",
+  "\u255A\u2588\u2588\u2588\u2554\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551 \u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2554\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551 \u2588\u2588\u2551",
+  " \u255A\u2550\u2550\u255D\u255A\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u2550\u255D\u255A\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D \u255A\u2550\u255D"
+];
+var LOGO_COLORS = [
+  "\x1B[38;5;223m",
+  // light peach
+  "\x1B[38;5;216m",
+  // peach
+  "\x1B[38;5;209m",
+  // salmon
+  "\x1B[38;5;203m",
+  // coral
+  "\x1B[38;5;167m",
+  // warm red
+  "\x1B[38;5;131m"
+  // deep terracotta
+];
+var RESET = "\x1B[0m";
+function showLogo() {
+  console.log();
+  for (let i = 0; i < LOGO_LINES.length; i++) {
+    console.log(`${LOGO_COLORS[i]}${LOGO_LINES[i]}${RESET}`);
+  }
+  console.log();
+}
+var CALLBACK_PORT = 54321;
+var CALLBACK_URL = `http://localhost:${CALLBACK_PORT}/callback`;
+var CLIENT_NAME = "waniwani-cli";
+function generateCodeVerifier() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return btoa(String.fromCharCode(...array)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function generateCodeChallenge(verifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  return btoa(String.fromCharCode(...new Uint8Array(hash))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function generateState() {
+  const array = new Uint8Array(16);
+  crypto.getRandomValues(array);
+  return Array.from(array, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function registerClient() {
+  const apiUrl = await config.getApiUrl();
+  const response = await fetch(`${apiUrl}/api/auth/oauth2/register`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      client_name: CLIENT_NAME,
+      redirect_uris: [CALLBACK_URL],
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      token_endpoint_auth_method: "none"
+    })
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({}));
+    throw new CLIError(
+      error.error_description || "Failed to register OAuth client",
+      "CLIENT_REGISTRATION_FAILED"
+    );
+  }
+  return response.json();
+}
+async function openBrowser(url) {
+  const [cmd, ...args] = process.platform === "darwin" ? ["open", url] : process.platform === "win32" ? ["cmd", "/c", "start", url] : ["xdg-open", url];
+  spawn(cmd, args, { stdio: "ignore", detached: true }).unref();
+}
+async function waitForCallback(expectedState, timeoutMs = 3e5) {
+  return new Promise((resolve, reject) => {
+    let server = null;
+    const sockets = /* @__PURE__ */ new Set();
+    const timeout = setTimeout(() => {
+      cleanup();
+      reject(new CLIError("Login timed out", "LOGIN_TIMEOUT"));
+    }, timeoutMs);
+    const cleanup = () => {
+      clearTimeout(timeout);
+      for (const socket of sockets) {
+        socket.destroy();
+      }
+      sockets.clear();
+      server?.close();
+    };
+    const htmlResponse = (title, message, isSuccess) => `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${title} - WaniWani</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      background: #fafafa;
+      position: relative;
+      overflow: hidden;
+    }
+    .blob {
+      position: absolute;
+      border-radius: 50%;
+      filter: blur(60px);
+      pointer-events: none;
+    }
+    .blob-1 {
       top: 0;
       left: 25%;
       width: 24rem;
@@ -655,7 +1125,7 @@ async function exchangeCodeForToken(code, codeVerifier, clientId, resource) {
   }
   return response.json();
 }
-var loginCommand = new Command3("login").description("Log in to WaniWani").option("--no-browser", "Don't open the browser automatically").action(async (options, command) => {
+var loginCommand = new Command4("login").description("Log in to WaniWani").option("--no-browser", "Don't open the browser automatically").action(async (options, command) => {
   const globalOptions = command.optsWithGlobals();
   const json = globalOptions.json ?? false;
   try {
@@ -734,288 +1204,90 @@ var loginCommand = new Command3("login").description("Log in to WaniWani").optio
     await config.ensureConfigDir();
     await auth.setTokens(
       tokenResponse.access_token,
-      tokenResponse.refresh_token,
-      tokenResponse.expires_in,
-      clientId
-    );
-    spinner.succeed("Logged in successfully!");
-    if (json) {
-      formatOutput({ success: true, loggedIn: true }, true);
-    } else {
-      console.log();
-      formatSuccess("You're now logged in to WaniWani!", false);
-      console.log();
-      console.log("Get started:");
-      console.log(
-        "  waniwani mcp create my-server    Create a new MCP sandbox"
-      );
-      console.log('  waniwani task "Add a tool"       Send tasks to Claude');
-      console.log(
-        "  waniwani org list                View your organizations"
-      );
-    }
-  } catch (error) {
-    handleError(error, json);
-    process.exit(1);
-  }
-});
-
-// src/commands/logout.ts
-import { Command as Command4 } from "commander";
-var logoutCommand = new Command4("logout").description("Log out from WaniWani").action(async (_options, command) => {
-  const globalOptions = command.optsWithGlobals();
-  const json = globalOptions.json ?? false;
-  try {
-    if (!await auth.isLoggedIn()) {
-      if (json) {
-        formatOutput({ alreadyLoggedOut: true }, true);
-      } else {
-        console.log("Not currently logged in.");
-      }
-      return;
-    }
-    await auth.clear();
-    if (json) {
-      formatOutput({ success: true }, true);
-    } else {
-      formatSuccess("You have been logged out.", false);
-    }
-  } catch (error) {
-    handleError(error, json);
-    process.exit(1);
-  }
-});
-
-// src/commands/mcp/index.ts
-import { Command as Command21 } from "commander";
-
-// src/commands/mcp/clone.ts
-import { execFileSync as execFileSync2, execSync } from "child_process";
-import { existsSync as existsSync3 } from "fs";
-import { readFile as readFile2 } from "fs/promises";
-import { join as join4 } from "path";
-import { Command as Command5 } from "commander";
-import ora2 from "ora";
-
-// src/lib/api.ts
-var ApiError = class extends CLIError {
-  constructor(message, code, statusCode, details) {
-    super(message, code, details);
-    this.statusCode = statusCode;
-    this.name = "ApiError";
-  }
-};
-async function request(method, path, options) {
-  const {
-    body,
-    requireAuth = true,
-    headers: extraHeaders = {}
-  } = options || {};
-  const headers = {
-    "Content-Type": "application/json",
-    ...extraHeaders
-  };
-  if (requireAuth) {
-    const token = await auth.getAccessToken();
-    if (!token) {
-      throw new AuthError(
-        "Not logged in. Run 'waniwani login' to authenticate."
-      );
-    }
-    headers.Authorization = `Bearer ${token}`;
-  }
-  const baseUrl = await config.getApiUrl();
-  const url = `${baseUrl}${path}`;
-  const response = await fetch(url, {
-    method,
-    headers,
-    body: body ? JSON.stringify(body) : void 0
-  });
-  if (response.status === 204) {
-    return void 0;
-  }
-  let data;
-  let rawBody;
-  try {
-    rawBody = await response.text();
-    data = JSON.parse(rawBody);
-  } catch {
-    throw new ApiError(
-      rawBody || `Request failed with status ${response.status}`,
-      "API_ERROR",
-      response.status,
-      { statusText: response.statusText }
-    );
-  }
-  if (!response.ok || data.error) {
-    const errorMessage = data.error?.message || data.message || data.error || rawBody || `Request failed with status ${response.status}`;
-    const errorCode = data.error?.code || data.code || "API_ERROR";
-    const errorDetails = {
-      ...data.error?.details,
-      statusText: response.statusText,
-      ...data.error ? {} : { rawResponse: data }
-    };
-    const error = {
-      code: errorCode,
-      message: errorMessage,
-      details: errorDetails
-    };
-    if (response.status === 401) {
-      const refreshed = await auth.tryRefreshToken();
-      if (refreshed) {
-        return request(method, path, options);
-      }
-      throw new AuthError(
-        "Session expired. Run 'waniwani login' to re-authenticate."
+      tokenResponse.refresh_token,
+      tokenResponse.expires_in,
+      clientId
+    );
+    spinner.succeed("Logged in successfully!");
+    if (json) {
+      formatOutput({ success: true, loggedIn: true }, true);
+    } else {
+      console.log();
+      formatSuccess("You're now logged in to WaniWani!", false);
+      console.log();
+      console.log("Get started:");
+      console.log(
+        "  waniwani mcp create my-server    Create a new MCP sandbox"
+      );
+      console.log('  waniwani task "Add a tool"       Send tasks to Claude');
+      console.log(
+        "  waniwani org list                View your organizations"
       );
     }
-    throw new ApiError(
-      error.message,
-      error.code,
-      response.status,
-      error.details
-    );
+  } catch (error) {
+    handleError(error, json);
+    process.exit(1);
   }
-  return data.data;
-}
-var api = {
-  get: (path, options) => request("GET", path, options),
-  post: (path, body, options) => request("POST", path, { body, ...options }),
-  delete: (path, options) => request("DELETE", path, options),
-  getBaseUrl: () => config.getApiUrl()
-};
+});
 
-// src/lib/git-auth.ts
-import { execFileSync } from "child_process";
-import { chmodSync, mkdtempSync, rmSync, writeFileSync } from "fs";
-import { tmpdir } from "os";
-import { join as join3 } from "path";
-function getGitHubApiBaseUrl(remoteUrl) {
-  try {
-    const parsed = new URL(remoteUrl);
-    return parsed.hostname === "github.com" || parsed.hostname === "www.github.com" ? "https://api.github.com" : `${parsed.protocol}//${parsed.host}/api/v3`;
-  } catch {
-    return null;
-  }
-}
-function parseCloneUrlAuth(cloneUrl) {
+// src/commands/logout.ts
+import { Command as Command5 } from "commander";
+var logoutCommand = new Command5("logout").description("Log out from WaniWani").action(async (_options, command) => {
+  const globalOptions = command.optsWithGlobals();
+  const json = globalOptions.json ?? false;
   try {
-    const parsed = new URL(cloneUrl);
-    const username = decodeURIComponent(parsed.username);
-    const password = decodeURIComponent(parsed.password);
-    if (username && password) {
-      parsed.username = "";
-      parsed.password = "";
-      const remoteUrl = parsed.toString();
-      return {
-        cloneUrl,
-        remoteUrl,
-        credentials: { username, password },
-        githubApiBaseUrl: getGitHubApiBaseUrl(remoteUrl)
-      };
+    if (!await auth.isLoggedIn()) {
+      if (json) {
+        formatOutput({ alreadyLoggedOut: true }, true);
+      } else {
+        console.log("Not currently logged in.");
+      }
+      return;
     }
-  } catch {
-  }
-  return {
-    cloneUrl,
-    remoteUrl: cloneUrl,
-    credentials: null,
-    githubApiBaseUrl: null
-  };
-}
-async function getGitAuthContext(mcpId) {
-  try {
-    const gitAuth = await api.get(
-      `/api/mcp/repositories/${mcpId}/git-auth`
-    );
-    const parsedRemote = new URL(gitAuth.remoteUrl);
-    parsedRemote.username = gitAuth.username;
-    parsedRemote.password = gitAuth.token;
-    const cloneUrl = parsedRemote.toString();
-    return {
-      cloneUrl,
-      remoteUrl: gitAuth.remoteUrl,
-      credentials: {
-        username: gitAuth.username,
-        password: gitAuth.token
-      },
-      githubApiBaseUrl: getGitHubApiBaseUrl(gitAuth.remoteUrl)
-    };
-  } catch (error) {
-    if (error instanceof ApiError && error.statusCode !== 404) {
-      throw error;
+    await auth.clear();
+    if (json) {
+      formatOutput({ success: true }, true);
+    } else {
+      formatSuccess("You have been logged out.", false);
     }
-    const { cloneUrl } = await api.get(
-      `/api/mcp/repositories/${mcpId}/clone-url`
-    );
-    return parseCloneUrlAuth(cloneUrl);
-  }
-}
-function runGitWithCredentials(args, options) {
-  const { cwd, stdio = "ignore", credentials = null } = options ?? {};
-  if (!credentials) {
-    execFileSync("git", args, { cwd, stdio });
-    return;
-  }
-  const dir = mkdtempSync(join3(tmpdir(), "waniwani-askpass-"));
-  const askpassPath = join3(dir, "askpass.sh");
-  try {
-    writeFileSync(
-      askpassPath,
-      `#!/bin/sh
-case "$1" in
-  *sername*) printf '%s\\n' "$WANIWANI_GIT_USERNAME" ;;
-  *assword*) printf '%s\\n' "$WANIWANI_GIT_PASSWORD" ;;
-  *) printf '\\n' ;;
-esac
-`,
-      "utf-8"
-    );
-    chmodSync(askpassPath, 448);
-    execFileSync("git", ["-c", "credential.helper=", ...args], {
-      cwd,
-      stdio,
-      env: {
-        ...process.env,
-        GIT_ASKPASS: askpassPath,
-        GIT_TERMINAL_PROMPT: "0",
-        WANIWANI_GIT_USERNAME: credentials.username,
-        WANIWANI_GIT_PASSWORD: credentials.password
-      }
-    });
-  } finally {
-    rmSync(dir, { recursive: true, force: true });
-  }
-}
-var REVOKE_TIMEOUT_MS = 5e3;
-async function revokeGitHubInstallationToken(auth2) {
-  if (!auth2.credentials?.password || !auth2.githubApiBaseUrl) return;
-  const controller = new AbortController();
-  const timeout = setTimeout(() => controller.abort(), REVOKE_TIMEOUT_MS);
-  try {
-    await fetch(`${auth2.githubApiBaseUrl}/installation/token`, {
-      method: "DELETE",
-      headers: {
-        Accept: "application/vnd.github+json",
-        Authorization: `Bearer ${auth2.credentials.password}`,
-        "X-GitHub-Api-Version": "2022-11-28"
-      },
-      signal: controller.signal
-    });
-  } catch {
-  } finally {
-    clearTimeout(timeout);
+  } catch (error) {
+    handleError(error, json);
+    process.exit(1);
   }
+});
+
+// src/commands/mcp/index.ts
+import { Command as Command21 } from "commander";
+
+// src/commands/mcp/clone.ts
+import { execFileSync as execFileSync3, execSync } from "child_process";
+import { existsSync as existsSync4 } from "fs";
+import { readFile as readFile3 } from "fs/promises";
+import { join as join6 } from "path";
+import { Command as Command6 } from "commander";
+import ora2 from "ora";
+
+// src/lib/credential-helper-setup.ts
+import { execFileSync as execFileSync2 } from "child_process";
+import { realpathSync } from "fs";
+function setupGitCredentialHelper(repoDir) {
+  const binaryPath = realpathSync(process.argv[1]);
+  const helperCommand = `!${process.execPath} ${binaryPath} git-credential-helper`;
+  execFileSync2(
+    "git",
+    ["config", "--local", "credential.helper", helperCommand],
+    { cwd: repoDir, stdio: "ignore" }
+  );
 }
 
 // src/commands/mcp/clone.ts
 async function loadParentConfig(cwd) {
-  const parentConfigPath = join4(cwd, LOCAL_CONFIG_DIR, CONFIG_FILE_NAME);
-  if (!existsSync3(parentConfigPath)) {
+  const parentConfigPath = join6(cwd, LOCAL_CONFIG_DIR, CONFIG_FILE_NAME);
+  if (!existsSync4(parentConfigPath)) {
     return null;
   }
   try {
-    const content = await readFile2(parentConfigPath, "utf-8");
+    const content = await readFile3(parentConfigPath, "utf-8");
     const config2 = JSON.parse(content);
     const { mcpId: _, sessionId: __, ...rest } = config2;
     return rest;
@@ -1033,15 +1305,15 @@ function checkGitInstalled() {
     );
   }
 }
-var cloneCommand = new Command5("clone").description("Clone an existing MCP project to a local directory").argument("<name>", "Name of the MCP to clone").argument("[directory]", "Directory to clone into (defaults to MCP name)").action(
+var cloneCommand = new Command6("clone").description("Clone an existing MCP project to a local directory").argument("<name>", "Name of the MCP to clone").argument("[directory]", "Directory to clone into (defaults to MCP name)").action(
   async (name, directory, _options, command) => {
     const globalOptions = command.optsWithGlobals();
     const json = globalOptions.json ?? false;
     try {
       const cwd = process.cwd();
       const dirName = directory ?? name;
-      const projectDir = join4(cwd, dirName);
-      if (existsSync3(projectDir)) {
+      const projectDir = join6(cwd, dirName);
+      if (existsSync4(projectDir)) {
         if (json) {
           formatOutput(
             {
@@ -1083,7 +1355,7 @@ var cloneCommand = new Command5("clone").description("Clone an existing MCP proj
       } finally {
         await revokeGitHubInstallationToken(gitAuth);
       }
-      execFileSync2(
+      execFileSync3(
         "git",
         ["remote", "set-url", "origin", mcp.githubCloneUrl],
         {
@@ -1096,6 +1368,7 @@ var cloneCommand = new Command5("clone").description("Clone an existing MCP proj
         ...parentConfig,
         mcpId: mcp.id
       });
+      setupGitCredentialHelper(projectDir);
       spinner.succeed("Repository cloned");
       if (json) {
         formatOutput(
@@ -1113,6 +1386,7 @@ var cloneCommand = new Command5("clone").description("Clone an existing MCP proj
         console.log("Next steps:");
         console.log(`  cd ${dirName}`);
         console.log("  waniwani mcp preview      # Start developing");
+        console.log("  git push origin main      # Deploy");
       }
     } catch (error) {
       handleError(error, json);
@@ -1122,19 +1396,19 @@ var cloneCommand = new Command5("clone").description("Clone an existing MCP proj
 );
 
 // src/commands/mcp/create.ts
-import { execFileSync as execFileSync3, execSync as execSync2 } from "child_process";
-import { existsSync as existsSync4 } from "fs";
-import { readFile as readFile3 } from "fs/promises";
-import { join as join5 } from "path";
-import { Command as Command6 } from "commander";
+import { execFileSync as execFileSync4, execSync as execSync2 } from "child_process";
+import { existsSync as existsSync5 } from "fs";
+import { readFile as readFile4 } from "fs/promises";
+import { join as join7 } from "path";
+import { Command as Command7 } from "commander";
 import ora3 from "ora";
 async function loadParentConfig2(cwd) {
-  const parentConfigPath = join5(cwd, LOCAL_CONFIG_DIR, CONFIG_FILE_NAME);
-  if (!existsSync4(parentConfigPath)) {
+  const parentConfigPath = join7(cwd, LOCAL_CONFIG_DIR, CONFIG_FILE_NAME);
+  if (!existsSync5(parentConfigPath)) {
     return null;
   }
   try {
-    const content = await readFile3(parentConfigPath, "utf-8");
+    const content = await readFile4(parentConfigPath, "utf-8");
     const config2 = JSON.parse(content);
     const { mcpId: _, sessionId: __, ...rest } = config2;
     return rest;
@@ -1152,13 +1426,13 @@ function checkGitInstalled2() {
     );
   }
 }
-var createCommand = new Command6("create").description("Create a new MCP project").argument("<name>", "Name for the MCP project").action(async (name, _options, command) => {
+var createCommand = new Command7("create").description("Create a new MCP project").argument("<name>", "Name for the MCP project").action(async (name, _options, command) => {
   const globalOptions = command.optsWithGlobals();
   const json = globalOptions.json ?? false;
   try {
     const cwd = process.cwd();
-    const projectDir = join5(cwd, name);
-    if (existsSync4(projectDir)) {
+    const projectDir = join7(cwd, name);
+    if (existsSync5(projectDir)) {
       if (json) {
         formatOutput(
           {
@@ -1193,7 +1467,7 @@ var createCommand = new Command6("create").description("Create a new MCP project
     } finally {
       await revokeGitHubInstallationToken(gitAuth);
     }
-    execFileSync3(
+    execFileSync4(
       "git",
       ["remote", "set-url", "origin", result.githubCloneUrl],
       {
@@ -1206,6 +1480,7 @@ var createCommand = new Command6("create").description("Create a new MCP project
       ...parentConfig,
       mcpId: result.id
     });
+    setupGitCredentialHelper(projectDir);
     spinner.succeed("MCP project created");
     if (json) {
       formatOutput(
@@ -1223,6 +1498,7 @@ var createCommand = new Command6("create").description("Create a new MCP project
       console.log("Next steps:");
       console.log(`  cd ${name}`);
       console.log("  waniwani mcp preview      # Start developing");
+      console.log("  git push origin main      # Deploy");
     }
   } catch (error) {
     handleError(error, json);
@@ -1233,68 +1509,9 @@ var createCommand = new Command6("create").description("Create a new MCP project
 // src/commands/mcp/delete.ts
 import { confirm } from "@inquirer/prompts";
 import chalk4 from "chalk";
-import { Command as Command7 } from "commander";
-import ora4 from "ora";
-
-// src/lib/utils.ts
-async function requireMcpId(mcpId) {
-  if (mcpId) return mcpId;
-  const configMcpId = await config.getMcpId();
-  if (!configMcpId) {
-    throw new McpError(
-      "No active MCP. Run 'waniwani mcp create <name>' or 'waniwani mcp use <name>'."
-    );
-  }
-  return configMcpId;
-}
-async function requireSessionId() {
-  const sessionId = await config.getSessionId();
-  if (!sessionId) {
-    throw new McpError(
-      "No active session. Run 'waniwani mcp preview' to start development."
-    );
-  }
-  return sessionId;
-}
-var BINARY_EXTENSIONS = /* @__PURE__ */ new Set([
-  ".png",
-  ".jpg",
-  ".jpeg",
-  ".gif",
-  ".ico",
-  ".webp",
-  ".svg",
-  ".woff",
-  ".woff2",
-  ".ttf",
-  ".eot",
-  ".otf",
-  ".zip",
-  ".tar",
-  ".gz",
-  ".pdf",
-  ".exe",
-  ".dll",
-  ".so",
-  ".dylib",
-  ".bin",
-  ".mp3",
-  ".mp4",
-  ".wav",
-  ".ogg",
-  ".webm"
-]);
-function isBinaryPath(filePath) {
-  const ext = filePath.slice(filePath.lastIndexOf(".")).toLowerCase();
-  return BINARY_EXTENSIONS.has(ext);
-}
-function detectBinary(buffer) {
-  const sample = buffer.subarray(0, 8192);
-  return sample.includes(0);
-}
-
-// src/commands/mcp/delete.ts
-var deleteCommand = new Command7("delete").description("Delete the MCP (includes all associated resources)").option("--mcp-id <id>", "Specific MCP ID").option("--force", "Skip confirmation prompt").action(async (options, command) => {
+import { Command as Command8 } from "commander";
+import ora4 from "ora";
+var deleteCommand = new Command8("delete").description("Delete the MCP (includes all associated resources)").option("--mcp-id <id>", "Specific MCP ID").option("--force", "Skip confirmation prompt").action(async (options, command) => {
   const globalOptions = command.optsWithGlobals();
   const json = globalOptions.json ?? false;
   try {
@@ -1338,13 +1555,13 @@ var deleteCommand = new Command7("delete").description("Delete the MCP (includes
 });
 
 // src/commands/mcp/file/index.ts
-import { Command as Command11 } from "commander";
+import { Command as Command12 } from "commander";
 
 // src/commands/mcp/file/list.ts
 import chalk5 from "chalk";
-import { Command as Command8 } from "commander";
+import { Command as Command9 } from "commander";
 import ora5 from "ora";
-var listCommand = new Command8("list").description("List files in the MCP sandbox").argument("[path]", "Directory path (defaults to /app)", "/app").option("--mcp-id <id>", "Specific MCP ID").action(async (path, options, command) => {
+var listCommand = new Command9("list").description("List files in the MCP sandbox").argument("[path]", "Directory path (defaults to /app)", "/app").option("--mcp-id <id>", "Specific MCP ID").action(async (path, options, command) => {
   const globalOptions = command.optsWithGlobals();
   const json = globalOptions.json ?? false;
   try {
@@ -1386,10 +1603,10 @@ function formatSize(bytes) {
 }
 
 // src/commands/mcp/file/read.ts
-import { writeFile as writeFile2 } from "fs/promises";
-import { Command as Command9 } from "commander";
+import { writeFile as writeFile3 } from "fs/promises";
+import { Command as Command10 } from "commander";
 import ora6 from "ora";
-var readCommand = new Command9("read").description("Read a file from the MCP sandbox").argument("<path>", "Path in sandbox (e.g., /app/src/index.ts)").option("--mcp-id <id>", "Specific MCP ID").option("--output <file>", "Write to local file instead of stdout").option("--base64", "Output as base64 (for binary files)").action(async (path, options, command) => {
+var readCommand = new Command10("read").description("Read a file from the MCP sandbox").argument("<path>", "Path in sandbox (e.g., /app/src/index.ts)").option("--mcp-id <id>", "Specific MCP ID").option("--output <file>", "Write to local file instead of stdout").option("--base64", "Output as base64 (for binary files)").action(async (path, options, command) => {
   const globalOptions = command.optsWithGlobals();
   const json = globalOptions.json ?? false;
   try {
@@ -1406,7 +1623,7 @@ var readCommand = new Command9("read").description("Read a file from the MCP san
     }
     if (options.output) {
       const buffer = result.encoding === "base64" ? Buffer.from(result.content, "base64") : Buffer.from(result.content, "utf8");
-      await writeFile2(options.output, buffer);
+      await writeFile3(options.output, buffer);
       if (json) {
         formatOutput({ path, savedTo: options.output }, true);
       } else {
@@ -1427,10 +1644,10 @@ var readCommand = new Command9("read").description("Read a file from the MCP san
 });
 
 // src/commands/mcp/file/write.ts
-import { readFile as readFile4 } from "fs/promises";
-import { Command as Command10 } from "commander";
+import { readFile as readFile5 } from "fs/promises";
+import { Command as Command11 } from "commander";
 import ora7 from "ora";
-var writeCommand = new Command10("write").description("Write a file to the MCP sandbox").argument("<path>", "Path in sandbox (e.g., /app/src/index.ts)").option("--mcp-id <id>", "Specific MCP ID").option("--content <content>", "Content to write").option("--file <localFile>", "Local file to upload").option("--base64", "Treat content as base64 encoded").action(async (path, options, command) => {
+var writeCommand = new Command11("write").description("Write a file to the MCP sandbox").argument("<path>", "Path in sandbox (e.g., /app/src/index.ts)").option("--mcp-id <id>", "Specific MCP ID").option("--content <content>", "Content to write").option("--file <localFile>", "Local file to upload").option("--base64", "Treat content as base64 encoded").action(async (path, options, command) => {
   const globalOptions = command.optsWithGlobals();
   const json = globalOptions.json ?? false;
   try {
@@ -1444,7 +1661,7 @@ var writeCommand = new Command10("write").description("Write a file to the MCP s
         encoding = "base64";
       }
     } else if (options.file) {
-      const fileBuffer = await readFile4(options.file);
+      const fileBuffer = await readFile5(options.file);
       if (options.base64) {
         content = fileBuffer.toString("base64");
         encoding = "base64";
@@ -1477,13 +1694,13 @@ var writeCommand = new Command10("write").description("Write a file to the MCP s
 });
 
 // src/commands/mcp/file/index.ts
-var fileCommand = new Command11("file").description("File operations in MCP sandbox").addCommand(readCommand).addCommand(writeCommand).addCommand(listCommand);
+var fileCommand = new Command12("file").description("File operations in MCP sandbox").addCommand(readCommand).addCommand(writeCommand).addCommand(listCommand);
 
 // src/commands/mcp/list.ts
 import chalk6 from "chalk";
-import { Command as Command12 } from "commander";
+import { Command as Command13 } from "commander";
 import ora8 from "ora";
-var listCommand2 = new Command12("list").description("List all MCPs in your organization").action(async (_options, command) => {
+var listCommand2 = new Command13("list").description("List all MCPs in your organization").action(async (_options, command) => {
   const globalOptions = command.optsWithGlobals();
   const json = globalOptions.json ?? false;
   try {
@@ -1541,9 +1758,9 @@ var listCommand2 = new Command12("list").description("List all MCPs in your orga
 
 // src/commands/mcp/logs.ts
 import chalk7 from "chalk";
-import { Command as Command13 } from "commander";
+import { Command as Command14 } from "commander";
 import ora9 from "ora";
-var logsCommand = new Command13("logs").description("Stream logs from the MCP server").argument("[cmdId]", "Command ID (defaults to running server)").option("--mcp-id <id>", "Specific MCP ID").option("-f, --follow", "Keep streaming logs (default)", true).option("--no-follow", "Fetch logs and exit").action(async (cmdIdArg, options, command) => {
+var logsCommand = new Command14("logs").description("Stream logs from the MCP server").argument("[cmdId]", "Command ID (defaults to running server)").option("--mcp-id <id>", "Specific MCP ID").option("-f, --follow", "Keep streaming logs (default)", true).option("--no-follow", "Fetch logs and exit").action(async (cmdIdArg, options, command) => {
   const globalOptions = command.optsWithGlobals();
   const json = globalOptions.json ?? false;
   let reader;
@@ -1683,8 +1900,10 @@ Error: ${event.error}`));
 });
 
 // src/commands/mcp/preview.ts
+import { existsSync as existsSync6 } from "fs";
+import { join as join8 } from "path";
 import { watch } from "chokidar";
-import { Command as Command14 } from "commander";
+import { Command as Command15, InvalidArgumentError } from "commander";
 import ora10 from "ora";
 
 // src/lib/async.ts
@@ -1707,134 +1926,172 @@ async function withTimeout(promise, timeoutMs, options) {
   }
 }
 
-// src/lib/sync.ts
-import { existsSync as existsSync5 } from "fs";
-import { mkdir as mkdir2, readdir, readFile as readFile5, stat, writeFile as writeFile3 } from "fs/promises";
-import { dirname, join as join6, relative } from "path";
-import ignore from "ignore";
-var PROJECT_DIR = ".waniwani";
-async function findProjectRoot(startDir) {
-  let current = startDir;
-  const root = dirname(current);
-  while (current !== root) {
-    if (existsSync5(join6(current, PROJECT_DIR))) {
-      return current;
-    }
-    const parent = dirname(current);
-    if (parent === current) break;
-    current = parent;
+// src/commands/mcp/preview.ts
+var SHUTDOWN_MAX_WAIT_MS = 3e3;
+var SHUTDOWN_STEP_TIMEOUT_MS = 1200;
+var DEV_SERVER_VERIFY_ATTEMPTS = 4;
+var DEV_SERVER_VERIFY_INTERVAL_MS = 750;
+var DEFAULT_DEV_SERVER_MONITOR_INTERVAL_MS = 6e4;
+var MAX_INSTALL_TIMEOUT_MS = 3e5;
+function resolveSessionInfo(response) {
+  const maybeLegacy = response;
+  if (maybeLegacy?.sandbox?.id && maybeLegacy?.previewUrl) {
+    return {
+      id: maybeLegacy.sandbox.id,
+      previewUrl: maybeLegacy.previewUrl,
+      sandboxId: maybeLegacy.sandbox.sandboxId
+    };
   }
-  if (existsSync5(join6(current, PROJECT_DIR))) {
-    return current;
+  const maybeSession = response;
+  if (maybeSession?.id && maybeSession?.previewUrl) {
+    return {
+      id: maybeSession.id,
+      previewUrl: maybeSession.previewUrl,
+      sandboxId: maybeSession.sandboxId
+    };
   }
-  return null;
+  throw new CLIError("Invalid session response from API", "SESSION_ERROR");
 }
-var DEFAULT_IGNORE_PATTERNS = [
-  ".waniwani",
-  ".git",
-  "node_modules",
-  ".env",
-  ".env.*",
-  ".DS_Store",
-  "*.log",
-  ".cache",
-  "dist",
-  "coverage",
-  ".turbo",
-  ".next",
-  ".nuxt",
-  ".vercel"
-];
-async function loadIgnorePatterns(projectRoot) {
-  const ig = ignore();
-  ig.add(DEFAULT_IGNORE_PATTERNS);
-  const gitignorePath = join6(projectRoot, ".gitignore");
-  if (existsSync5(gitignorePath)) {
-    try {
-      const content = await readFile5(gitignorePath, "utf-8");
-      ig.add(content);
-    } catch {
-    }
+function detectPackageManager(projectRoot) {
+  if (existsSync6(join8(projectRoot, "bun.lock")) || existsSync6(join8(projectRoot, "bun.lockb"))) {
+    return "bun";
   }
-  return ig;
-}
-async function collectFiles(projectRoot) {
-  const ig = await loadIgnorePatterns(projectRoot);
-  const files = [];
-  async function walk(dir) {
-    const entries = await readdir(dir, { withFileTypes: true });
-    for (const entry of entries) {
-      const fullPath = join6(dir, entry.name);
-      const relativePath = relative(projectRoot, fullPath);
-      if (ig.ignores(relativePath)) {
-        continue;
-      }
-      if (entry.isDirectory()) {
-        await walk(fullPath);
-      } else if (entry.isFile()) {
-        try {
-          const content = await readFile5(fullPath);
-          const isBinary = isBinaryPath(fullPath) || detectBinary(content);
-          files.push({
-            path: relativePath,
-            content: isBinary ? content.toString("base64") : content.toString("utf8"),
-            encoding: isBinary ? "base64" : "utf8"
-          });
-        } catch {
-        }
-      }
-    }
+  if (existsSync6(join8(projectRoot, "pnpm-lock.yaml"))) return "pnpm";
+  if (existsSync6(join8(projectRoot, "yarn.lock"))) return "yarn";
+  if (existsSync6(join8(projectRoot, "package-lock.json")) || existsSync6(join8(projectRoot, "npm-shrinkwrap.json"))) {
+    return "npm-ci";
   }
-  await walk(projectRoot);
-  return files;
+  return "npm";
 }
-async function pullFilesFromGithub(mcpId, targetDir) {
-  const result = await api.get(
-    `/api/mcp/repositories/${mcpId}/files`
-  );
-  const writtenFiles = [];
-  for (const file of result.files) {
-    const localPath = join6(targetDir, file.path);
-    const dir = dirname(localPath);
-    await mkdir2(dir, { recursive: true });
-    if (file.encoding === "base64") {
-      await writeFile3(localPath, Buffer.from(file.content, "base64"));
-    } else {
-      await writeFile3(localPath, file.content, "utf8");
-    }
-    writtenFiles.push(file.path);
+function getInstallCommand(pm) {
+  switch (pm) {
+    case "bun":
+      return { command: "bun", args: ["install", "--frozen-lockfile"] };
+    case "pnpm":
+      return {
+        command: "pnpm",
+        args: ["install", "--frozen-lockfile", "--prefer-offline"]
+      };
+    case "yarn":
+      return {
+        command: "yarn",
+        args: ["install", "--frozen-lockfile", "--prefer-offline"]
+      };
+    case "npm-ci":
+      return {
+        command: "npm",
+        args: ["ci", "--no-audit", "--no-fund", "--prefer-offline"]
+      };
+    default:
+      return {
+        command: "npm",
+        args: ["install", "--no-audit", "--no-fund"]
+      };
   }
-  return { count: writtenFiles.length, files: writtenFiles };
 }
-async function collectSingleFile(projectRoot, filePath) {
-  const fullPath = join6(projectRoot, filePath);
-  const relativePath = relative(projectRoot, fullPath);
-  if (!existsSync5(fullPath)) {
-    return null;
+function getNonFrozenInstallCommand(pm) {
+  switch (pm) {
+    case "bun":
+      return { command: "bun", args: ["install"] };
+    case "pnpm":
+      return { command: "pnpm", args: ["install", "--prefer-offline"] };
+    case "yarn":
+      return { command: "yarn", args: ["install", "--prefer-offline"] };
+    case "npm-ci":
+      return { command: "npm", args: ["install", "--no-audit", "--no-fund"] };
+    default:
+      return null;
   }
+}
+function shouldRetryWithoutFrozenLockfile(result) {
+  const output = `${result.stderr}
+${result.stdout}`.toLowerCase();
+  const npmLockMismatchDetected = output.includes("update your lock file") && output.includes("npm install") || output.includes("package-lock.json") && output.includes("not in sync") || output.includes("package-lock.json") && output.includes("are not in sync") || output.includes("npm ci") && output.includes("can only install packages") && output.includes("package-lock.json");
+  return output.includes("frozen-lockfile") || output.includes("lockfile had changes") || output.includes("lockfile is frozen") || output.includes("lockfile") && output.includes("out of date") || npmLockMismatchDetected;
+}
+function isAlreadyRunningServerError(error) {
+  const normalized = getNormalizedError(error);
+  return normalized.includes("already_running") || normalized.includes("already running");
+}
+function isServerNotRunningError(error) {
+  const normalized = getNormalizedError(error);
+  return normalized.includes("server_not_running") || normalized.includes("server not running");
+}
+function getNormalizedError(error) {
+  if (!(error instanceof CLIError)) return "";
+  const details = JSON.stringify(error.details ?? {}).toLowerCase();
+  return `${error.code} ${error.message} ${details}`.toLowerCase();
+}
+async function getServerStatusOrNull(sessionId) {
   try {
-    const fileStat = await stat(fullPath);
-    if (!fileStat.isFile()) {
+    return await api.get(
+      `/api/mcp/sessions/${sessionId}/server`
+    );
+  } catch (error) {
+    if (isServerNotRunningError(error)) {
       return null;
     }
-    const content = await readFile5(fullPath);
-    const isBinary = isBinaryPath(fullPath) || detectBinary(content);
-    return {
-      path: relativePath,
-      content: isBinary ? content.toString("base64") : content.toString("utf8"),
-      encoding: isBinary ? "base64" : "utf8"
-    };
+    throw error;
+  }
+}
+function getDevCommand(pm) {
+  switch (pm) {
+    case "bun":
+      return "bun run dev";
+    case "pnpm":
+      return "pnpm run dev";
+    case "yarn":
+      return "yarn run dev";
+    default:
+      return "npm run dev";
+  }
+}
+function sleep(ms) {
+  return new Promise((resolve) => {
+    setTimeout(resolve, ms);
+  });
+}
+function parseStatusPollIntervalMs(value) {
+  const parsed = Number(value);
+  if (!Number.isInteger(parsed) || parsed < 500) {
+    throw new InvalidArgumentError(
+      "Status poll interval must be an integer >= 500 milliseconds."
+    );
+  }
+  return parsed;
+}
+async function getCommandOutputOrNull(sessionId, cmdId) {
+  try {
+    return await api.get(
+      `/api/mcp/sessions/${sessionId}/commands/${cmdId}`
+    );
   } catch {
     return null;
   }
 }
-
-// src/commands/mcp/preview.ts
-var SHUTDOWN_MAX_WAIT_MS = 3e3;
-var SHUTDOWN_STEP_TIMEOUT_MS = 1200;
-var previewCommand = new Command14("preview").description("Start live development with sandbox and file watching").option("--mcp-id <id>", "Specific MCP ID").option("--no-watch", "Skip file watching").option("--no-logs", "Don't stream logs to terminal").action(async (options, command) => {
+async function cleanupPreviewSession(sessionId) {
+  await withTimeout(
+    api.post(`/api/mcp/sessions/${sessionId}/server`, { action: "stop" }).catch(() => void 0),
+    SHUTDOWN_STEP_TIMEOUT_MS
+  );
+  await withTimeout(
+    api.delete(`/api/mcp/sessions/${sessionId}`).catch(() => void 0),
+    SHUTDOWN_STEP_TIMEOUT_MS
+  );
+  await withTimeout(
+    config.setSessionId(null).catch(() => void 0),
+    SHUTDOWN_STEP_TIMEOUT_MS
+  );
+}
+var previewCommand = new Command15("preview").description("Start live development with sandbox and file watching").option("--mcp-id <id>", "Specific MCP ID").option("--no-watch", "Skip file watching").option("--no-logs", "Don't stream logs to terminal").option(
+  "--status-poll-interval-ms <ms>",
+  "Watch-mode server status polling interval in milliseconds (default: 60000)",
+  parseStatusPollIntervalMs,
+  DEFAULT_DEV_SERVER_MONITOR_INTERVAL_MS
+).action(async (options, command) => {
   const globalOptions = command.optsWithGlobals();
   const json = globalOptions.json ?? false;
+  const statusPollIntervalMs = options.statusPollIntervalMs ?? DEFAULT_DEV_SERVER_MONITOR_INTERVAL_MS;
   try {
     const projectRoot = await findProjectRoot(process.cwd());
     if (!projectRoot) {
@@ -1857,13 +2114,16 @@ var previewCommand = new Command14("preview").description("Start live developmen
     spinner.text = "Starting session...";
     let sessionId;
     let previewUrl;
+    let sandboxId;
     try {
       const sessionResponse = await api.post(
         `/api/mcp/repositories/${mcpId}/session`,
         {}
       );
-      sessionId = sessionResponse.sandbox.id;
-      previewUrl = sessionResponse.previewUrl;
+      const sessionInfo = resolveSessionInfo(sessionResponse);
+      sessionId = sessionInfo.id;
+      previewUrl = sessionInfo.previewUrl;
+      sandboxId = sessionInfo.sandboxId;
     } catch {
       const existing = await api.get(
         `/api/mcp/repositories/${mcpId}/session`
@@ -1871,33 +2131,156 @@ var previewCommand = new Command14("preview").description("Start live developmen
       if (!existing) {
         throw new CLIError("Failed to start session", "SESSION_ERROR");
       }
-      sessionId = existing.id;
-      previewUrl = existing.previewUrl;
+      const sessionInfo = resolveSessionInfo(existing);
+      sessionId = sessionInfo.id;
+      previewUrl = sessionInfo.previewUrl;
+      sandboxId = sessionInfo.sandboxId;
     }
     await config.setSessionId(sessionId);
     spinner.text = "Syncing files to sandbox...";
-    const files = await collectFiles(projectRoot);
+    const files = await collectFiles(projectRoot, { includeEnvFiles: true });
     if (files.length > 0) {
       await api.post(
         `/api/mcp/sessions/${sessionId}/files`,
         { files }
       );
     }
+    const packageManager = detectPackageManager(projectRoot);
+    let installCommand = getInstallCommand(packageManager);
+    spinner.text = `Installing dependencies (${installCommand.command})...`;
+    let installResult = await api.post(
+      `/api/mcp/sessions/${sessionId}/commands`,
+      {
+        command: installCommand.command,
+        args: installCommand.args,
+        timeout: MAX_INSTALL_TIMEOUT_MS
+      }
+    );
+    if (installResult.exitCode !== 0) {
+      const nonFrozenInstallCommand = getNonFrozenInstallCommand(packageManager);
+      if (nonFrozenInstallCommand && shouldRetryWithoutFrozenLockfile(installResult)) {
+        installCommand = nonFrozenInstallCommand;
+        spinner.text = `Retrying install without frozen lockfile (${installCommand.command})...`;
+        installResult = await api.post(
+          `/api/mcp/sessions/${sessionId}/commands`,
+          {
+            command: installCommand.command,
+            args: installCommand.args,
+            timeout: MAX_INSTALL_TIMEOUT_MS
+          }
+        );
+      }
+    }
+    if (installResult.exitCode !== 0) {
+      throw new CLIError(
+        installResult.stderr || `Dependency install failed with exit code ${installResult.exitCode}`,
+        "SANDBOX_HYDRATION_FAILED",
+        {
+          command: [installCommand.command, ...installCommand.args].join(" "),
+          exitCode: installResult.exitCode
+        }
+      );
+    }
+    const devCommand = getDevCommand(packageManager);
+    let serverCmdId;
+    let didStartServer = false;
+    const serverStatus = await getServerStatusOrNull(sessionId);
+    const serverStatusPreviewUrl = serverStatus?.previewUrl;
+    if (serverStatusPreviewUrl) {
+      previewUrl = serverStatusPreviewUrl;
+    }
+    if (serverStatus?.running) {
+      spinner.text = "Server already running, attaching...";
+      serverCmdId = serverStatus.cmdId;
+    } else {
+      spinner.text = `Starting server (${devCommand})...`;
+      try {
+        const serverStart = await api.post(
+          `/api/mcp/sessions/${sessionId}/server`,
+          {
+            action: "start",
+            command: devCommand
+          }
+        );
+        const serverStartPreviewUrl = serverStart.previewUrl;
+        if (serverStartPreviewUrl) {
+          previewUrl = serverStartPreviewUrl;
+        }
+        serverCmdId = serverStart.cmdId;
+        didStartServer = true;
+      } catch (error) {
+        if (!isAlreadyRunningServerError(error)) {
+          throw error;
+        }
+        const refreshedStatus = await getServerStatusOrNull(sessionId);
+        if (!refreshedStatus?.running) {
+          throw error;
+        }
+        const refreshedPreviewUrl = refreshedStatus.previewUrl;
+        if (refreshedPreviewUrl) {
+          previewUrl = refreshedPreviewUrl;
+        }
+        serverCmdId = refreshedStatus.cmdId;
+        spinner.text = "Server already running, attaching...";
+      }
+    }
+    if (didStartServer && !serverCmdId) {
+      await cleanupPreviewSession(sessionId);
+      throw new CLIError(
+        "Server start command ID was not returned by the API.",
+        "SERVER_START_FAILED",
+        { command: devCommand }
+      );
+    }
+    if (didStartServer && serverCmdId) {
+      spinner.text = "Verifying server startup...";
+      for (let attempt = 0; attempt < DEV_SERVER_VERIFY_ATTEMPTS; attempt++) {
+        if (attempt > 0) {
+          await sleep(DEV_SERVER_VERIFY_INTERVAL_MS);
+        }
+        const commandStatus = await api.get(
+          `/api/mcp/sessions/${sessionId}/commands/${serverCmdId}?statusOnly=true`
+        );
+        if (commandStatus.exitCode === null) {
+          continue;
+        }
+        const commandOutput = await api.get(
+          `/api/mcp/sessions/${sessionId}/commands/${serverCmdId}`
+        ).catch(() => null);
+        await cleanupPreviewSession(sessionId);
+        throw new CLIError(
+          `Dev server command exited during startup with code ${commandStatus.exitCode}.`,
+          "SERVER_START_FAILED",
+          {
+            command: devCommand,
+            cmdId: serverCmdId,
+            exitCode: commandStatus.exitCode,
+            stdout: commandOutput?.stdout ?? "",
+            stderr: commandOutput?.stderr ?? ""
+          }
+        );
+      }
+    }
     spinner.succeed("Development environment ready");
     console.log();
     formatSuccess("Live preview started!", false);
     console.log();
+    if (sandboxId) {
+      console.log(`  Sandbox ID: ${sandboxId}`);
+    }
     console.log(`  Preview URL: ${previewUrl}`);
     console.log();
     console.log(`  MCP Inspector:`);
     console.log(
-      `    npx @anthropic-ai/mcp-inspector@latest "${previewUrl}/mcp"`
+      `    npx @modelcontextprotocol/inspector@latest --transport http --server-url "${previewUrl}/mcp"`
     );
     console.log();
     if (options.watch !== false) {
       console.log("Watching for file changes... (Ctrl+C to stop)");
       console.log();
-      const ig = await loadIgnorePatterns(projectRoot);
+      const ig = await loadIgnorePatterns(projectRoot, {
+        includeEnvFiles: true
+      });
       const watcher = watch(projectRoot, {
         ignored: (path) => {
           const relative2 = path.replace(`${projectRoot}/`, "");
@@ -1932,24 +2315,15 @@ var previewCommand = new Command14("preview").description("Start live developmen
         const relativePath = filePath.replace(`${projectRoot}/`, "");
         console.log(`  Deleted: ${relativePath}`);
       });
-      const stopSessionBestEffort = async () => {
-        await withTimeout(
-          api.post(`/api/mcp/sessions/${sessionId}/server`, { action: "stop" }).catch(() => void 0),
-          SHUTDOWN_STEP_TIMEOUT_MS
-        );
-        await withTimeout(
-          api.delete(`/api/mcp/sessions/${sessionId}`).catch(() => void 0),
-          SHUTDOWN_STEP_TIMEOUT_MS
-        );
-        await withTimeout(
-          config.setSessionId(null).catch(() => void 0),
-          SHUTDOWN_STEP_TIMEOUT_MS
-        );
-      };
       let shuttingDown = false;
-      const gracefulShutdown = async () => {
+      let serverMonitorInterval = null;
+      const gracefulShutdown = async (exitCode = 0) => {
         if (shuttingDown) return;
         shuttingDown = true;
+        if (serverMonitorInterval) {
+          clearInterval(serverMonitorInterval);
+          serverMonitorInterval = null;
+        }
         console.log();
         console.log("Stopping development environment...");
         try {
@@ -1959,7 +2333,7 @@ var previewCommand = new Command14("preview").description("Start live developmen
                 watcher.close().catch(() => void 0),
                 SHUTDOWN_STEP_TIMEOUT_MS
               );
-              await stopSessionBestEffort();
+              await cleanupPreviewSession(sessionId);
             })(),
             SHUTDOWN_MAX_WAIT_MS,
             {
@@ -1969,9 +2343,49 @@ var previewCommand = new Command14("preview").description("Start live developmen
             }
           );
         } finally {
-          process.exit(0);
+          process.exit(exitCode);
         }
       };
+      if (serverCmdId) {
+        serverMonitorInterval = setInterval(() => {
+          if (shuttingDown) return;
+          void (async () => {
+            try {
+              const commandStatus = await api.get(
+                `/api/mcp/sessions/${sessionId}/commands/${serverCmdId}?statusOnly=true`
+              );
+              if (commandStatus.exitCode === null) {
+                return;
+              }
+              if (commandStatus.exitCode === 0) {
+                console.log("Dev server exited (code 0).");
+                await gracefulShutdown(0);
+                return;
+              }
+              const commandOutput = await getCommandOutputOrNull(
+                sessionId,
+                serverCmdId
+              );
+              handleError(
+                new CLIError(
+                  `Dev server exited with code ${commandStatus.exitCode}.`,
+                  "SERVER_EXITED",
+                  {
+                    command: devCommand,
+                    cmdId: serverCmdId,
+                    exitCode: commandStatus.exitCode,
+                    stdout: commandOutput?.stdout ?? "",
+                    stderr: commandOutput?.stderr ?? ""
+                  }
+                ),
+                json
+              );
+              await gracefulShutdown(1);
+            } catch {
+            }
+          })();
+        }, statusPollIntervalMs);
+      }
       process.once("SIGINT", () => {
         void gracefulShutdown();
       });
@@ -1987,94 +2401,10 @@ var previewCommand = new Command14("preview").description("Start live developmen
   }
 });
 
-// src/commands/mcp/publish.ts
-import { execFileSync as execFileSync4 } from "child_process";
-import { input } from "@inquirer/prompts";
-import { Command as Command15 } from "commander";
-import ora11 from "ora";
-var publishCommand = new Command15("publish").description("Push local files to GitHub and trigger deployment").option("-m, --message <msg>", "Commit message").option("--mcp-id <id>", "Specific MCP ID").action(async (options, command) => {
-  const globalOptions = command.optsWithGlobals();
-  const json = globalOptions.json ?? false;
-  try {
-    const mcpId = await requireMcpId(options.mcpId);
-    const projectRoot = await findProjectRoot(process.cwd());
-    if (!projectRoot) {
-      throw new CLIError(
-        "Not in a WaniWani project. Run 'waniwani mcp create <name>' first.",
-        "NOT_IN_PROJECT"
-      );
-    }
-    try {
-      execFileSync4("git", ["rev-parse", "--is-inside-work-tree"], {
-        cwd: projectRoot,
-        stdio: "ignore"
-      });
-    } catch {
-      throw new CLIError(
-        "Not a git repository. Run 'waniwani mcp create <name>' or 'waniwani mcp clone <name>' to set up properly.",
-        "NOT_GIT_REPO"
-      );
-    }
-    const status = execFileSync4("git", ["status", "--porcelain"], {
-      cwd: projectRoot,
-      encoding: "utf-8"
-    }).trim();
-    if (!status) {
-      if (json) {
-        formatOutput({ success: true, message: "Nothing to publish" }, true);
-      } else {
-        console.log("Nothing to publish \u2014 no changes detected.");
-      }
-      return;
-    }
-    let message = options.message;
-    if (!message) {
-      message = await input({
-        message: "Commit message:",
-        validate: (value) => value.trim() ? true : "Commit message is required"
-      });
-    }
-    const spinner = ora11("Publishing...").start();
-    const gitAuth = await getGitAuthContext(mcpId);
-    spinner.text = "Committing changes...";
-    execFileSync4("git", ["add", "-A"], { cwd: projectRoot, stdio: "ignore" });
-    execFileSync4("git", ["commit", "-m", message], {
-      cwd: projectRoot,
-      stdio: "ignore"
-    });
-    spinner.text = "Pushing to GitHub...";
-    try {
-      runGitWithCredentials(["push", gitAuth.remoteUrl, "HEAD"], {
-        cwd: projectRoot,
-        stdio: "ignore",
-        credentials: gitAuth.credentials
-      });
-    } finally {
-      await revokeGitHubInstallationToken(gitAuth);
-    }
-    const commitSha = execFileSync4("git", ["rev-parse", "HEAD"], {
-      cwd: projectRoot,
-      encoding: "utf-8"
-    }).trim();
-    spinner.succeed(`Pushed to GitHub (${commitSha.slice(0, 7)})`);
-    if (json) {
-      formatOutput({ commitSha, message }, true);
-    } else {
-      console.log();
-      formatSuccess("Files pushed to GitHub!", false);
-      console.log();
-      console.log("Deployment will start automatically via webhook.");
-    }
-  } catch (error) {
-    handleError(error, json);
-    process.exit(1);
-  }
-});
-
 // src/commands/mcp/run-command.ts
 import chalk8 from "chalk";
 import { Command as Command16 } from "commander";
-import ora12 from "ora";
+import ora11 from "ora";
 var runCommandCommand = new Command16("run-command").description("Run a command in the MCP sandbox").argument("<command>", "Command to run").argument("[args...]", "Command arguments").option("--mcp-id <id>", "Specific MCP ID").option("--cwd <path>", "Working directory").option(
   "--timeout <ms>",
   "Command timeout in milliseconds (default: 30000, max: 300000)"
@@ -2085,7 +2415,7 @@ var runCommandCommand = new Command16("run-command").description("Run a command
     await requireMcpId(options.mcpId);
     const sessionId = await requireSessionId();
     const timeout = options.timeout ? Number.parseInt(options.timeout, 10) : void 0;
-    const spinner = ora12(`Running: ${cmd} ${args.join(" ")}`.trim()).start();
+    const spinner = ora11(`Running: ${cmd} ${args.join(" ")}`.trim()).start();
     const result = await api.post(
       `/api/mcp/sessions/${sessionId}/commands`,
       {
@@ -2133,13 +2463,13 @@ var runCommandCommand = new Command16("run-command").description("Run a command
 // src/commands/mcp/status.ts
 import chalk9 from "chalk";
 import { Command as Command17 } from "commander";
-import ora13 from "ora";
+import ora12 from "ora";
 var statusCommand = new Command17("status").description("Show current MCP status").option("--mcp-id <id>", "Specific MCP ID").action(async (options, command) => {
   const globalOptions = command.optsWithGlobals();
   const json = globalOptions.json ?? false;
   try {
     const mcpId = await requireMcpId(options.mcpId);
-    const spinner = ora13("Fetching MCP status...").start();
+    const spinner = ora12("Fetching MCP status...").start();
     const result = await api.get(
       `/api/mcp/repositories/${mcpId}`
     );
@@ -2209,14 +2539,14 @@ var statusCommand = new Command17("status").description("Show current MCP status
 
 // src/commands/mcp/stop.ts
 import { Command as Command18 } from "commander";
-import ora14 from "ora";
+import ora13 from "ora";
 var stopCommand = new Command18("stop").description("Stop the development environment (sandbox + server)").option("--mcp-id <id>", "Specific MCP ID").action(async (options, command) => {
   const globalOptions = command.optsWithGlobals();
   const json = globalOptions.json ?? false;
   try {
     await requireMcpId(options.mcpId);
     const sessionId = await requireSessionId();
-    const spinner = ora14("Stopping development environment...").start();
+    const spinner = ora13("Stopping development environment...").start();
     try {
       await api.post(`/api/mcp/sessions/${sessionId}/server`, {
         action: "stop"
@@ -2241,7 +2571,7 @@ var stopCommand = new Command18("stop").description("Stop the development enviro
 
 // src/commands/mcp/sync.ts
 import { Command as Command19 } from "commander";
-import ora15 from "ora";
+import ora14 from "ora";
 var syncCommand = new Command19("sync").description("Pull template files to local project").option("--mcp-id <id>", "Specific MCP ID").action(async (options, command) => {
   const globalOptions = command.optsWithGlobals();
   const json = globalOptions.json ?? false;
@@ -2254,7 +2584,7 @@ var syncCommand = new Command19("sync").description("Pull template files to loca
         "NOT_IN_PROJECT"
       );
     }
-    const spinner = ora15("Pulling files...").start();
+    const spinner = ora14("Pulling files...").start();
     const result = await pullFilesFromGithub(mcpId, projectRoot);
     spinner.succeed(`Pulled ${result.count} files`);
     if (json) {
@@ -2277,12 +2607,12 @@ var syncCommand = new Command19("sync").description("Pull template files to loca
 
 // src/commands/mcp/use.ts
 import { Command as Command20 } from "commander";
-import ora16 from "ora";
+import ora15 from "ora";
 var useCommand = new Command20("use").description("Select an MCP to use for subsequent commands").argument("<name>", "Name of the MCP to use").action(async (name, _options, command) => {
   const globalOptions = command.optsWithGlobals();
   const json = globalOptions.json ?? false;
   try {
-    const spinner = ora16("Fetching MCPs...").start();
+    const spinner = ora15("Fetching MCPs...").start();
     const mcps = await api.get(
       "/api/mcp/repositories"
     );
@@ -2313,7 +2643,7 @@ var useCommand = new Command20("use").description("Select an MCP to use for subs
 });
 
 // src/commands/mcp/index.ts
-var mcpCommand = new Command21("mcp").description("MCP management commands").addCommand(createCommand).addCommand(cloneCommand).addCommand(listCommand2).addCommand(useCommand).addCommand(statusCommand).addCommand(previewCommand).addCommand(stopCommand).addCommand(logsCommand).addCommand(syncCommand).addCommand(publishCommand).addCommand(deleteCommand).addCommand(fileCommand).addCommand(runCommandCommand);
+var mcpCommand = new Command21("mcp").description("MCP management commands").addCommand(createCommand).addCommand(cloneCommand).addCommand(listCommand2).addCommand(useCommand).addCommand(statusCommand).addCommand(previewCommand).addCommand(stopCommand).addCommand(logsCommand).addCommand(syncCommand).addCommand(deleteCommand).addCommand(fileCommand).addCommand(runCommandCommand);
 
 // src/commands/org/index.ts
 import { Command as Command24 } from "commander";
@@ -2321,12 +2651,12 @@ import { Command as Command24 } from "commander";
 // src/commands/org/list.ts
 import chalk10 from "chalk";
 import { Command as Command22 } from "commander";
-import ora17 from "ora";
+import ora16 from "ora";
 var listCommand3 = new Command22("list").description("List your organizations").action(async (_options, command) => {
   const globalOptions = command.optsWithGlobals();
   const json = globalOptions.json ?? false;
   try {
-    const spinner = ora17("Fetching organizations...").start();
+    const spinner = ora16("Fetching organizations...").start();
     const result = await api.get("/api/oauth/orgs");
     spinner.stop();
     const { orgs, activeOrgId } = result;
@@ -2373,12 +2703,12 @@ var listCommand3 = new Command22("list").description("List your organizations").
 
 // src/commands/org/switch.ts
 import { Command as Command23 } from "commander";
-import ora18 from "ora";
+import ora17 from "ora";
 var switchCommand = new Command23("switch").description("Switch to a different organization").argument("<name>", "Name or slug of the organization to switch to").action(async (name, _options, command) => {
   const globalOptions = command.optsWithGlobals();
   const json = globalOptions.json ?? false;
   try {
-    const spinner = ora18("Fetching organizations...").start();
+    const spinner = ora17("Fetching organizations...").start();
     const { orgs } = await api.get("/api/oauth/orgs");
     const org = orgs.find((o) => o.name === name || o.slug === name);
     if (!org) {
@@ -2422,6 +2752,7 @@ program.addCommand(logoutCommand);
 program.addCommand(mcpCommand);
 program.addCommand(orgCommand);
 program.addCommand(configCommand);
+program.addCommand(gitCredentialHelperCommand);
 
 // src/index.ts
 program.parse(process.argv);