@workjournal/cli 0.1.0

package/README.md

@@ -0,0 +1,93 @@
+# @workjournal/cli
+
+Command-line tool for authenticating with [Workjournal](https://workjournal.pro).
+
+## Installation
+
+Run on demand without installing:
+
+```bash
+npx @workjournal/cli login
+```
+
+Or install globally:
+
+```bash
+npm install -g @workjournal/cli
+workjournal login
+```
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `workjournal login` | Interactive paste-back login (terminal only) |
+| `workjournal login start` | Print authorize URL and store PKCE state |
+| `workjournal login finish <CODE>` | Exchange the pasted code for credentials |
+| `workjournal logout` | Remove stored credentials |
+| `workjournal whoami` | Check if authenticated |
+| `workjournal status` | Show token expiry details |
+
+## How login works
+
+The CLI uses OAuth out-of-band redirect (`urn:ietf:wg:oauth:2.0:oob`) with PKCE. There is no port binding, no auto-opened browser, and no callback server. The flow works equally well in local terminals, SSH sessions, dev containers, and CI.
+
+### Interactive (terminal)
+
+```bash
+$ workjournal login
+Open this URL in any browser:
+
+  https://app.workjournal.pro/authorize?...
+
+Code: ABC123DE
+Authenticated successfully!
+Credentials saved to ~/.workjournal/credentials.json
+```
+
+The CLI prints an authorize URL, you open it in any browser, log in, click Approve, copy the displayed 8-character code, paste it into the terminal. Done.
+
+### Two-phase (assistant-driven)
+
+When invoked by an AI assistant via a one-shot Bash call (e.g. the [Workjournal journal skill](https://github.com/workjournal-pro/skill)), the same flow runs as two independent commands with PKCE state passed via a temp file on disk:
+
+```bash
+workjournal login start              # prints URL, stores PKCE state in ~/.workjournal/cli-login-state.json
+# user opens URL, approves, copies the displayed code
+workjournal login finish ABC123DE    # reads state, exchanges code, writes credentials
+```
+
+This is what makes the same flow drivable from a skill — the assistant doesn't need an interactive stdin to a still-running process.
+
+## Credential storage
+
+Credentials are written to `~/.workjournal/credentials.json` with mode `0600`, in a directory created with mode `0700`.
+
+```
+~/.workjournal/
+├── credentials.json       # { access_token, refresh_token, expires_at }
+└── cli-login-state.json   # ephemeral PKCE state, deleted after `login finish`
+```
+
+The CLI never stores passwords. The MCP server (`@workjournal/mcp-server`) reads `credentials.json` automatically — there's no separate setup.
+
+## Headless environments
+
+The CLI's normal flow already works headless — you do not need a browser on the same machine as the CLI. You only need a browser somewhere (your laptop, your phone) to load the authorize URL.
+
+If you need to skip interactive auth entirely (for example in CI), set `WORKJOURNAL_API_KEY` to a valid Supabase JWT and the MCP server will use that instead of `credentials.json`.
+
+## Security
+
+- **PKCE binds the URL to the redemption.** Even if someone intercepts the displayed code, they can't redeem it without the verifier sitting on the local disk.
+- **Codes are single-use** and expire 5 minutes after `login start`.
+- **No tokens in URLs** — the access token never appears in any redirect.
+- **Constant-time comparison** of the PKCE verifier on the API side prevents timing attacks.
+- **No long-lived listener** on the user's machine — the CLI binds no sockets.
+
+## Links
+
+- [Workjournal](https://workjournal.pro)
+- [Get Started](https://workjournal.pro/docs/get-started)
+- [GitHub](https://github.com/workjournal-pro/workjournal)
+- [CLI auth workflow reference](https://github.com/workjournal-pro/workjournal/blob/main/docs/cli-tool-auth-workflow.md)

package/dist/auth.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Phase 1: generate PKCE, write the in-progress state file, print the authorize URL.
+ *
+ * The state file holds the verifier between this command and `loginFinish`. The
+ * assistant (or the user) is expected to open the URL, approve the request, and
+ * paste the displayed code back into a `workjournal login finish <CODE>` call.
+ */
+export declare function loginStart(): void;
+/**
+ * Phase 2: read the verifier from the state file, exchange the pasted code for
+ * Supabase session tokens, persist them.
+ *
+ * On API failure the state file is left in place so the user can retry `finish`
+ * with a corrected code (subject to the server-side 5-minute TTL on the code).
+ * The state file is deleted only on a fully successful exchange.
+ */
+export declare function loginFinish(rawCode: string): Promise<void>;
+/**
+ * Convenience wrapper for direct terminal use: runs `start`, prompts for the
+ * code via readline, then runs `finish` in the same process. Same on-disk
+ * shape as the two-command flow — the state file is written and deleted as
+ * a side effect.
+ *
+ * Refuses to run when stdin is not a TTY (e.g. when invoked by an assistant
+ * via Bash) and points the caller at the two-phase commands instead.
+ */
+export declare function loginInteractive(): Promise<void>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAgDA;;;;;;GAMG;AACH,wBAAgB,UAAU,IAAI,IAAI,CAcjC;AAED;;;;;;;GAOG;AACH,wBAAsB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqBhE;AAED;;;;;;;;GAQG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC,CAyCtD"}

package/dist/auth.js

@@ -0,0 +1,164 @@
+import { createHash, randomBytes } from 'node:crypto';
+import { createInterface } from 'node:readline/promises';
+import { clearLoginState, isLoginStateExpired, readLoginState, writeCredentials, writeLoginState, } from './credentials.js';
+const APP_URL = process.env['WORKJOURNAL_APP_URL'] ?? 'https://app.workjournal.pro';
+const API_URL = process.env['WORKJOURNAL_API_URL'] ?? 'https://api.workjournal.pro';
+const OOB_REDIRECT_URI = 'urn:ietf:wg:oauth:2.0:oob';
+function generatePkce() {
+    const verifier = randomBytes(32).toString('base64url');
+    const challenge = createHash('sha256').update(verifier).digest('base64url');
+    return { verifier, challenge };
+}
+function generateState() {
+    return randomBytes(16).toString('hex');
+}
+function buildAuthorizeUrl(challenge) {
+    const state = generateState();
+    return (`${APP_URL}/authorize?client_id=workjournal-cli` +
+        `&redirect_uri=${encodeURIComponent(OOB_REDIRECT_URI)}` +
+        `&state=${state}` +
+        `&code_challenge=${challenge}` +
+        `&code_challenge_method=S256`);
+}
+/**
+ * Phase 1: generate PKCE, write the in-progress state file, print the authorize URL.
+ *
+ * The state file holds the verifier between this command and `loginFinish`. The
+ * assistant (or the user) is expected to open the URL, approve the request, and
+ * paste the displayed code back into a `workjournal login finish <CODE>` call.
+ */
+export function loginStart() {
+    const { verifier, challenge } = generatePkce();
+    const state = {
+        verifier,
+        challenge,
+        created_at: new Date().toISOString(),
+    };
+    writeLoginState(state);
+    const url = buildAuthorizeUrl(challenge);
+    process.stdout.write('Open this URL in any browser:\n\n');
+    process.stdout.write(`  ${url}\n\n`);
+    process.stdout.write('After approving, run:\n\n');
+    process.stdout.write('  workjournal login finish <CODE>\n');
+}
+/**
+ * Phase 2: read the verifier from the state file, exchange the pasted code for
+ * Supabase session tokens, persist them.
+ *
+ * On API failure the state file is left in place so the user can retry `finish`
+ * with a corrected code (subject to the server-side 5-minute TTL on the code).
+ * The state file is deleted only on a fully successful exchange.
+ */
+export async function loginFinish(rawCode) {
+    const code = rawCode.trim().toUpperCase();
+    if (!code) {
+        process.stderr.write('Error: missing code argument.\nUsage: workjournal login finish <CODE>\n');
+        process.exit(1);
+    }
+    const state = readLoginState();
+    if (!state) {
+        process.stderr.write('Error: no login in progress. Run `workjournal login start` first.\n');
+        process.exit(1);
+    }
+    if (isLoginStateExpired(state)) {
+        clearLoginState();
+        process.stderr.write('Error: login state expired. Run `workjournal login start` again.\n');
+        process.exit(1);
+    }
+    await exchangeAndPersist(code, state.verifier);
+    clearLoginState();
+}
+/**
+ * Convenience wrapper for direct terminal use: runs `start`, prompts for the
+ * code via readline, then runs `finish` in the same process. Same on-disk
+ * shape as the two-command flow — the state file is written and deleted as
+ * a side effect.
+ *
+ * Refuses to run when stdin is not a TTY (e.g. when invoked by an assistant
+ * via Bash) and points the caller at the two-phase commands instead.
+ */
+export async function loginInteractive() {
+    if (!process.stdin.isTTY) {
+        process.stderr.write('Error: `workjournal login` with no subcommand requires an interactive terminal.\n' +
+            'For non-interactive use, run:\n' +
+            '  workjournal login start\n' +
+            '  workjournal login finish <CODE>\n');
+        process.exit(1);
+    }
+    const { verifier, challenge } = generatePkce();
+    const state = {
+        verifier,
+        challenge,
+        created_at: new Date().toISOString(),
+    };
+    writeLoginState(state);
+    const url = buildAuthorizeUrl(challenge);
+    process.stdout.write('Open this URL in any browser:\n\n');
+    process.stdout.write(`  ${url}\n\n`);
+    process.stdout.write('After approving, paste the code shown on the page below.\n\n');
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    let code;
+    try {
+        const answer = await rl.question('Code: ');
+        code = answer.trim().toUpperCase();
+    }
+    finally {
+        rl.close();
+    }
+    if (!code) {
+        clearLoginState();
+        process.stderr.write('No code entered. Aborting.\n');
+        process.exit(1);
+    }
+    await exchangeAndPersist(code, verifier);
+    clearLoginState();
+}
+async function exchangeAndPersist(code, verifier) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 15_000);
+    let res;
+    try {
+        res = await fetch(`${API_URL}/v1/auth/cli/exchange`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ code, code_verifier: verifier }),
+            signal: controller.signal,
+        });
+    }
+    catch (error) {
+        clearTimeout(timeout);
+        const message = error instanceof Error && error.name === 'AbortError'
+            ? 'Request timed out after 15s'
+            : error instanceof Error
+                ? error.message
+                : String(error);
+        process.stderr.write(`Failed to exchange code: ${message}\n`);
+        process.exit(1);
+    }
+    clearTimeout(timeout);
+    if (!res.ok) {
+        const text = await res.text();
+        let message = text;
+        try {
+            const parsed = JSON.parse(text);
+            if (parsed.error?.message)
+                message = parsed.error.message;
+        }
+        catch {
+            // keep raw text
+        }
+        process.stderr.write(`Failed to exchange code (${res.status}): ${message}\n`);
+        process.exit(1);
+    }
+    const data = (await res.json());
+    const expiresAt = new Date(Date.now() + data.expires_in * 1000).toISOString();
+    const creds = {
+        access_token: data.access_token,
+        expires_at: expiresAt,
+        ...(data.refresh_token ? { refresh_token: data.refresh_token } : {}),
+    };
+    writeCredentials(creds);
+    process.stdout.write('\nAuthenticated successfully!\n');
+    process.stdout.write('Credentials saved to ~/.workjournal/credentials.json\n');
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EACN,eAAe,EACf,mBAAmB,EAEnB,cAAc,EAEd,gBAAgB,EAChB,eAAe,GACf,MAAM,kBAAkB,CAAC;AAE1B,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,6BAA6B,CAAC;AACpF,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,6BAA6B,CAAC;AACpF,MAAM,gBAAgB,GAAG,2BAA2B,CAAC;AAOrD,SAAS,YAAY;IACpB,MAAM,QAAQ,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACvD,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC5E,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AAChC,CAAC;AAED,SAAS,aAAa;IACrB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,iBAAiB,CAAC,SAAiB;IAC3C,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,OAAO,CACN,GAAG,OAAO,sCAAsC;QAChD,iBAAiB,kBAAkB,CAAC,gBAAgB,CAAC,EAAE;QACvD,UAAU,KAAK,EAAE;QACjB,mBAAmB,SAAS,EAAE;QAC9B,6BAA6B,CAC7B,CAAC;AACH,CAAC;AAQD;;;;;;GAMG;AACH,MAAM,UAAU,UAAU;IACzB,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,YAAY,EAAE,CAAC;IAC/C,MAAM,KAAK,GAAe;QACzB,QAAQ;QACR,SAAS;QACT,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IACF,eAAe,CAAC,KAAK,CAAC,CAAC;IAEvB,MAAM,GAAG,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IACzC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;IAC1D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,GAAG,MAAM,CAAC,CAAC;IACrC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAClD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;AAC7D,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAe;IAChD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;QACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,yEAAyE,CAAC,CAAC;QAChG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,CAAC;QACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,qEAAqE,CAAC,CAAC;QAC5F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;IAED,IAAI,mBAAmB,CAAC,KAAK,CAAC,EAAE,CAAC;QAChC,eAAe,EAAE,CAAC;QAClB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oEAAoE,CAAC,CAAC;QAC3F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC/C,eAAe,EAAE,CAAC;AACnB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACrC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QAC1B,OAAO,CAAC,MAAM,CAAC,KAAK,CACnB,mFAAmF;YAClF,iCAAiC;YACjC,6BAA6B;YAC7B,qCAAqC,CACtC,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,YAAY,EAAE,CAAC;IAC/C,MAAM,KAAK,GAAe;QACzB,QAAQ;QACR,SAAS;QACT,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IACF,eAAe,CAAC,KAAK,CAAC,CAAC;IAEvB,MAAM,GAAG,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IACzC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;IAC1D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,GAAG,MAAM,CAAC,CAAC;IACrC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,8DAA8D,CAAC,CAAC;IAErF,MAAM,EAAE,GAAG,eAAe,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7E,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC;QACJ,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC3C,IAAI,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACpC,CAAC;YAAS,CAAC;QACV,EAAE,CAAC,KAAK,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,CAAC,IAAI,EAAE,CAAC;QACX,eAAe,EAAE,CAAC;QAClB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;QACrD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,kBAAkB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACzC,eAAe,EAAE,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,IAAY,EAAE,QAAgB;IAC/D,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,MAAM,CAAC,CAAC;IAC7D,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACJ,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,uBAAuB,EAAE;YACpD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC;YACvD,MAAM,EAAE,UAAU,CAAC,MAAM;SACzB,CAAC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,YAAY,CAAC,OAAO,CAAC,CAAC;QACtB,MAAM,OAAO,GACZ,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY;YACpD,CAAC,CAAC,6BAA6B;YAC/B,CAAC,CAAC,KAAK,YAAY,KAAK;gBACvB,CAAC,CAAC,KAAK,CAAC,OAAO;gBACf,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,OAAO,IAAI,CAAC,CAAC;QAC9D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;IACD,YAAY,CAAC,OAAO,CAAC,CAAC;IAEtB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,IAAI,OAAO,GAAG,IAAI,CAAC;QACnB,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAqC,CAAC;YACpE,IAAI,MAAM,CAAC,KAAK,EAAE,OAAO;gBAAE,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACR,gBAAgB;QACjB,CAAC;QACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,GAAG,CAAC,MAAM,MAAM,OAAO,IAAI,CAAC,CAAC;QAC9E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAqB,CAAC;IACpD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9E,MAAM,KAAK,GAAsB;QAChC,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,UAAU,EAAE,SAAS;QACrB,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACpE,CAAC;IAEF,gBAAgB,CAAC,KAAK,CAAC,CAAC;IACxB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACxD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;AAChF,CAAC"}

package/dist/credentials.d.ts

@@ -0,0 +1,29 @@
+export interface StoredCredentials {
+    access_token: string;
+    refresh_token?: string;
+    expires_at: string;
+}
+export interface LoginState {
+    verifier: string;
+    challenge: string;
+    created_at: string;
+}
+export declare function readCredentials(): StoredCredentials | null;
+export declare function writeCredentials(creds: StoredCredentials): void;
+export declare function clearCredentials(): void;
+export declare function writeLoginState(state: LoginState): void;
+/**
+ * Read the in-progress login state file. Returns null if missing or unreadable.
+ * Does NOT enforce TTL — callers should check `created_at` against `LOGIN_STATE_TTL_MS`.
+ */
+export declare function readLoginState(): LoginState | null;
+export declare function clearLoginState(): void;
+export declare function isLoginStateExpired(state: LoginState): boolean;
+export declare function isExpired(creds: StoredCredentials): boolean;
+export declare function refreshAccessToken(refreshToken: string): Promise<StoredCredentials>;
+/**
+ * Get a valid access token, refreshing if expired.
+ * Returns null if no credentials are stored.
+ */
+export declare function getAccessToken(): Promise<string | null>;
+//# sourceMappingURL=credentials.d.ts.map

package/dist/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAWA,MAAM,WAAW,iBAAiB;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;CACnB;AASD,MAAM,WAAW,UAAU;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACnB;AAQD,wBAAgB,eAAe,IAAI,iBAAiB,GAAG,IAAI,CAU1D;AAED,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,iBAAiB,GAAG,IAAI,CAI/D;AAED,wBAAgB,gBAAgB,IAAI,IAAI,CAIvC;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI,CAIvD;AAED;;;GAGG;AACH,wBAAgB,cAAc,IAAI,UAAU,GAAG,IAAI,CA0BlD;AAED,wBAAgB,eAAe,IAAI,IAAI,CAItC;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAI9D;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAE3D;AAID,wBAAsB,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CA0BzF;AAED;;;GAGG;AACH,wBAAsB,cAAc,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAiB7D"}

package/dist/credentials.js

@@ -0,0 +1,125 @@
+import { existsSync, mkdirSync, readFileSync, renameSync, unlinkSync, writeFileSync, } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+const CONFIG_DIR = join(homedir(), '.workjournal');
+const CREDENTIALS_PATH = join(CONFIG_DIR, 'credentials.json');
+const CREDENTIALS_TMP_PATH = `${CREDENTIALS_PATH}.tmp`;
+const LOGIN_STATE_PATH = join(CONFIG_DIR, 'cli-login-state.json');
+const LOGIN_STATE_TMP_PATH = `${LOGIN_STATE_PATH}.tmp`;
+const LOGIN_STATE_TTL_MS = 10 * 60 * 1000;
+function ensureConfigDir() {
+    if (!existsSync(CONFIG_DIR)) {
+        mkdirSync(CONFIG_DIR, { mode: 0o700, recursive: true });
+    }
+}
+export function readCredentials() {
+    if (!existsSync(CREDENTIALS_PATH)) {
+        return null;
+    }
+    try {
+        const raw = readFileSync(CREDENTIALS_PATH, 'utf-8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+export function writeCredentials(creds) {
+    ensureConfigDir();
+    writeFileSync(CREDENTIALS_TMP_PATH, `${JSON.stringify(creds, null, '\t')}\n`, { mode: 0o600 });
+    renameSync(CREDENTIALS_TMP_PATH, CREDENTIALS_PATH);
+}
+export function clearCredentials() {
+    if (existsSync(CREDENTIALS_PATH)) {
+        unlinkSync(CREDENTIALS_PATH);
+    }
+}
+export function writeLoginState(state) {
+    ensureConfigDir();
+    writeFileSync(LOGIN_STATE_TMP_PATH, `${JSON.stringify(state, null, '\t')}\n`, { mode: 0o600 });
+    renameSync(LOGIN_STATE_TMP_PATH, LOGIN_STATE_PATH);
+}
+/**
+ * Read the in-progress login state file. Returns null if missing or unreadable.
+ * Does NOT enforce TTL — callers should check `created_at` against `LOGIN_STATE_TTL_MS`.
+ */
+export function readLoginState() {
+    if (!existsSync(LOGIN_STATE_PATH)) {
+        return null;
+    }
+    try {
+        const raw = readFileSync(LOGIN_STATE_PATH, 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (!parsed ||
+            typeof parsed !== 'object' ||
+            typeof parsed.verifier !== 'string' ||
+            parsed.verifier.length === 0 ||
+            typeof parsed.challenge !== 'string' ||
+            parsed.challenge.length === 0 ||
+            typeof parsed.created_at !== 'string') {
+            return null;
+        }
+        return {
+            verifier: parsed.verifier,
+            challenge: parsed.challenge,
+            created_at: parsed.created_at,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+export function clearLoginState() {
+    if (existsSync(LOGIN_STATE_PATH)) {
+        unlinkSync(LOGIN_STATE_PATH);
+    }
+}
+export function isLoginStateExpired(state) {
+    const created = Date.parse(state.created_at);
+    if (!Number.isFinite(created))
+        return true;
+    return Date.now() - created > LOGIN_STATE_TTL_MS;
+}
+export function isExpired(creds) {
+    return new Date(creds.expires_at) < new Date();
+}
+const API_URL = process.env['WORKJOURNAL_API_URL'] ?? 'https://api.workjournal.pro';
+export async function refreshAccessToken(refreshToken) {
+    const res = await fetch(`${API_URL}/v1/auth/refresh`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ refresh_token: refreshToken }),
+    });
+    if (!res.ok) {
+        const text = await res.text();
+        throw new Error(`Token refresh failed (${res.status}): ${text}`);
+    }
+    const data = (await res.json());
+    const expiresAt = new Date(Date.now() + data.expires_in * 1000).toISOString();
+    const creds = {
+        access_token: data.access_token,
+        refresh_token: data.refresh_token,
+        expires_at: expiresAt,
+    };
+    writeCredentials(creds);
+    return creds;
+}
+/**
+ * Get a valid access token, refreshing if expired.
+ * Returns null if no credentials are stored.
+ */
+export async function getAccessToken() {
+    const creds = readCredentials();
+    if (!creds) {
+        return null;
+    }
+    if (isExpired(creds)) {
+        if (!creds.refresh_token) {
+            throw new Error('Access token expired and no refresh token available. Please run `workjournal login` again.');
+        }
+        const refreshed = await refreshAccessToken(creds.refresh_token);
+        return refreshed.access_token;
+    }
+    return creds.access_token;
+}
+//# sourceMappingURL=credentials.js.map

package/dist/credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,EACN,UAAU,EACV,SAAS,EACT,YAAY,EACZ,UAAU,EACV,UAAU,EACV,aAAa,GACb,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAQjC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,cAAc,CAAC,CAAC;AACnD,MAAM,gBAAgB,GAAG,IAAI,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAC;AAC9D,MAAM,oBAAoB,GAAG,GAAG,gBAAgB,MAAM,CAAC;AACvD,MAAM,gBAAgB,GAAG,IAAI,CAAC,UAAU,EAAE,sBAAsB,CAAC,CAAC;AAClE,MAAM,oBAAoB,GAAG,GAAG,gBAAgB,MAAM,CAAC;AACvD,MAAM,kBAAkB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAQ1C,SAAS,eAAe;IACvB,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7B,SAAS,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC;AACF,CAAC;AAED,MAAM,UAAU,eAAe;IAC9B,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;IACb,CAAC;IACD,IAAI,CAAC;QACJ,MAAM,GAAG,GAAG,YAAY,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;QACpD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAsB,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,IAAI,CAAC;IACb,CAAC;AACF,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,KAAwB;IACxD,eAAe,EAAE,CAAC;IAClB,aAAa,CAAC,oBAAoB,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC/F,UAAU,CAAC,oBAAoB,EAAE,gBAAgB,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC/B,IAAI,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAClC,UAAU,CAAC,gBAAgB,CAAC,CAAC;IAC9B,CAAC;AACF,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,KAAiB;IAChD,eAAe,EAAE,CAAC;IAClB,aAAa,CAAC,oBAAoB,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC/F,UAAU,CAAC,oBAAoB,EAAE,gBAAgB,CAAC,CAAC;AACpD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc;IAC7B,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;IACb,CAAC;IACD,IAAI,CAAC;QACJ,MAAM,GAAG,GAAG,YAAY,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;QACpD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAwB,CAAC;QACtD,IACC,CAAC,MAAM;YACP,OAAO,MAAM,KAAK,QAAQ;YAC1B,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ;YACnC,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;YAC5B,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;YACpC,MAAM,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC;YAC7B,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,EACpC,CAAC;YACF,OAAO,IAAI,CAAC;QACb,CAAC;QACD,OAAO;YACN,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;SAC7B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,IAAI,CAAC;IACb,CAAC;AACF,CAAC;AAED,MAAM,UAAU,eAAe;IAC9B,IAAI,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAClC,UAAU,CAAC,gBAAgB,CAAC,CAAC;IAC9B,CAAC;AACF,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,KAAiB;IACpD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,GAAG,kBAAkB,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,KAAwB;IACjD,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;AAChD,CAAC;AAED,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,6BAA6B,CAAC;AAEpF,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,YAAoB;IAC5D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,kBAAkB,EAAE;QACrD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC;KACrD,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAI7B,CAAC;IACF,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAE9E,MAAM,KAAK,GAAsB;QAChC,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,UAAU,EAAE,SAAS;KACrB,CAAC;IACF,gBAAgB,CAAC,KAAK,CAAC,CAAC;IACxB,OAAO,KAAK,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc;IACnC,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,IAAI,CAAC,KAAK,EAAE,CAAC;QACZ,OAAO,IAAI,CAAC;IACb,CAAC;IAED,IAAI,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;QACtB,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CACd,4FAA4F,CAC5F,CAAC;QACH,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,kBAAkB,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QAChE,OAAO,SAAS,CAAC,YAAY,CAAC;IAC/B,CAAC;IAED,OAAO,KAAK,CAAC,YAAY,CAAC;AAC3B,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

package/dist/index.js

@@ -0,0 +1,72 @@
+#!/usr/bin/env node
+import { loginFinish, loginInteractive, loginStart } from './auth.js';
+import { clearCredentials, clearLoginState, readCredentials } from './credentials.js';
+const command = process.argv[2];
+switch (command) {
+    case 'login': {
+        const sub = process.argv[3];
+        if (sub === 'start') {
+            loginStart();
+        }
+        else if (sub === 'finish') {
+            const code = process.argv[4];
+            if (!code) {
+                process.stderr.write('Usage: workjournal login finish <CODE>\n');
+                process.exit(1);
+            }
+            await loginFinish(code);
+        }
+        else if (sub === undefined) {
+            await loginInteractive();
+        }
+        else {
+            process.stderr.write(`Unknown login subcommand: ${sub}\n`);
+            process.stderr.write('Usage: workjournal login [start | finish <CODE>]\n');
+            process.exit(1);
+        }
+        break;
+    }
+    case 'logout':
+        clearCredentials();
+        clearLoginState();
+        process.stdout.write('Logged out. Credentials removed.\n');
+        break;
+    case 'whoami': {
+        const creds = readCredentials();
+        if (!creds) {
+            process.stderr.write('Not logged in. Run `workjournal login` to authenticate.\n');
+            process.exit(1);
+        }
+        process.stdout.write('Authenticated. Credentials stored at ~/.workjournal/credentials.json\n');
+        break;
+    }
+    case 'status': {
+        const creds = readCredentials();
+        if (!creds) {
+            process.stdout.write('Status: not authenticated\n');
+            process.stdout.write('Run `workjournal login` to authenticate.\n');
+        }
+        else {
+            const expiresAt = new Date(creds.expires_at);
+            const isExpired = expiresAt < new Date();
+            process.stdout.write('Status: authenticated\n');
+            process.stdout.write(`Token expires: ${expiresAt.toISOString()}${isExpired ? ' (expired, will auto-refresh)' : ''}\n`);
+        }
+        break;
+    }
+    default:
+        process.stdout.write(`workjournal — CLI for Workjournal (https://workjournal.pro)
+
+Usage:
+  workjournal login                    Interactive login (terminal only)
+  workjournal login start              Print authorize URL and store PKCE state
+  workjournal login finish <CODE>      Exchange the pasted code for credentials
+  workjournal logout                   Remove stored credentials
+  workjournal whoami                   Show current auth status
+  workjournal status                   Show detailed auth status\n`);
+        if (command && command !== 'help' && command !== '--help') {
+            process.stderr.write(`Unknown command: ${command}\n`);
+            process.exit(1);
+        }
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEtF,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAEhC,QAAQ,OAAO,EAAE,CAAC;IACjB,KAAK,OAAO,CAAC,CAAC,CAAC;QACd,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;YACrB,UAAU,EAAE,CAAC;QACd,CAAC;aAAM,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC7B,IAAI,CAAC,IAAI,EAAE,CAAC;gBACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;gBACjE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACjB,CAAC;YACD,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;QACzB,CAAC;aAAM,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,gBAAgB,EAAE,CAAC;QAC1B,CAAC;aAAM,CAAC;YACP,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,GAAG,IAAI,CAAC,CAAC;YAC3D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;YAC3E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QACD,MAAM;IACP,CAAC;IAED,KAAK,QAAQ;QACZ,gBAAgB,EAAE,CAAC;QACnB,eAAe,EAAE,CAAC;QAClB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;QAC3D,MAAM;IAEP,KAAK,QAAQ,CAAC,CAAC,CAAC;QACf,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,IAAI,CAAC,KAAK,EAAE,CAAC;YACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2DAA2D,CAAC,CAAC;YAClF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,wEAAwE,CAAC,CAAC;QAC/F,MAAM;IACP,CAAC;IAED,KAAK,QAAQ,CAAC,CAAC,CAAC;QACf,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,IAAI,CAAC,KAAK,EAAE,CAAC;YACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;YACpD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;QACpE,CAAC;aAAM,CAAC;YACP,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAC7C,MAAM,SAAS,GAAG,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;YACzC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;YAChD,OAAO,CAAC,MAAM,CAAC,KAAK,CACnB,kBAAkB,SAAS,CAAC,WAAW,EAAE,GAAG,SAAS,CAAC,CAAC,CAAC,+BAA+B,CAAC,CAAC,CAAC,EAAE,IAAI,CAChG,CAAC;QACH,CAAC;QACD,MAAM;IACP,CAAC;IAED;QACC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC;;;;;;;;mEAQ4C,CAAC,CAAC;QAEnE,IAAI,OAAO,IAAI,OAAO,KAAK,MAAM,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;YAC3D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,OAAO,IAAI,CAAC,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;AACH,CAAC"}

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "@workjournal/cli",
+  "version": "0.1.0",
+  "description": "Command-line tool for authenticating with Workjournal — the journaling service for AI agents and developers.",
+  "license": "MIT",
+  "type": "module",
+  "bin": {
+    "workjournal": "./dist/index.js"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/workjournal-pro/workjournal.git",
+    "directory": "packages/cli"
+  },
+  "bugs": {
+    "url": "https://github.com/workjournal-pro/workjournal/issues"
+  },
+  "homepage": "https://workjournal.pro",
+  "keywords": [
+    "workjournal",
+    "cli",
+    "oauth",
+    "authentication",
+    "ai-agents",
+    "journaling"
+  ],
+  "dependencies": {},
+  "devDependencies": {
+    "@types/node": "22.15.29",
+    "typescript": "5.8.3",
+    "vitest": "4.1.2"
+  },
+  "scripts": {
+    "build": "tsc --project tsconfig.json",
+    "test": "vitest run"
+  }
+}