@ze-norm/cli 0.3.0 → 0.5.0

package/dist/api/client.d.ts

@@ -13,6 +13,8 @@ export declare class ZenormClient {
     constructor(opts?: ApiClientOptions);
     private getHeaders;
     private isLocalBaseUrl;
+    /** True when this client targets a localhost API (dev-bypass eligible). */
+    isLocalDevTarget(): boolean;
     private request;
     get<T>(path: string): Promise<T>;
     post<T>(path: string, body?: unknown): Promise<T>;

package/dist/api/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,gBAAgB;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AA0BD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,KAAK,CAAgB;gBAEjB,IAAI,CAAC,EAAE,gBAAgB;IAKnC,OAAO,CAAC,UAAU;IAqBlB,OAAO,CAAC,cAAc;YASR,OAAO;IAwCf,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC;IAIhC,IAAI,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAIjD,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAIhD,KAAK,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAIlD,MAAM,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC;IAIzC;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,WAAW,CAAC;CAG7C"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,gBAAgB;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AA0BD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,KAAK,CAAgB;gBAEjB,IAAI,CAAC,EAAE,gBAAgB;IAKnC,OAAO,CAAC,UAAU;IAqBlB,OAAO,CAAC,cAAc;IAStB,2EAA2E;IAC3E,gBAAgB,IAAI,OAAO;YAIb,OAAO;IAwCf,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC;IAIhC,IAAI,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAIjD,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAIhD,KAAK,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAIlD,MAAM,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC;IAIzC;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,WAAW,CAAC;CAG7C"}

package/dist/api/client.js

@@ -57,6 +57,10 @@ export class ZenormClient {
             return false;
         }
     }
+    /** True when this client targets a localhost API (dev-bypass eligible). */
+    isLocalDevTarget() {
+        return this.isLocalBaseUrl();
+    }
     async request(method, path, body) {
         const url = `${this.baseUrl}${path}`;
         const init = {

package/dist/auth/device-flow.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"device-flow.d.ts","sourceRoot":"","sources":["../../src/auth/device-flow.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAgJpD;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,iBAAiB,CAAC,CA4DpE"}
+{"version":3,"file":"device-flow.d.ts","sourceRoot":"","sources":["../../src/auth/device-flow.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AA+RpD;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,iBAAiB,CAAC,CAkDpE"}

package/dist/auth/device-flow.js

@@ -4,10 +4,43 @@ import { exec } from "node:child_process";
 import { platform } from "node:os";
 import { URL, URLSearchParams } from "node:url";
 import { log } from "../util/logger.js";
-import { PRODUCTION_CLERK_CLIENT_ID, PRODUCTION_CLERK_ISSUER, } from "../config/defaults.js";
+import { CLI_CALLBACK_PORTS, PRODUCTION_CLERK_CLIENT_ID, PRODUCTION_CLERK_ISSUER, PRODUCTION_WEB_URL, } from "../config/defaults.js";
+/**
+ * Find the first pre-registered callback port that is free to bind. Clerk
+ * matches redirect_uris exactly, so the local listener must use one of the
+ * ports registered on the OAuth app — not a random OS-assigned port.
+ */
+async function pickFreeCallbackPort() {
+    for (const candidate of CLI_CALLBACK_PORTS) {
+        const free = await new Promise((resolve) => {
+            const srv = createServer();
+            srv.once("error", () => resolve(false));
+            srv.listen(candidate, "127.0.0.1", () => {
+                srv.close(() => resolve(true));
+            });
+        });
+        if (free)
+            return candidate;
+    }
+    throw new Error(`All CLI callback ports are in use (${CLI_CALLBACK_PORTS.join(", ")}). ` +
+        `Free one of them and run \`zenorm login\` again.`);
+}
 function getClerkIssuer() {
     return process.env["ZENORM_CLERK_ISSUER"] ?? PRODUCTION_CLERK_ISSUER;
 }
+/** Where the browser tab lands after a successful login. */
+function getWebUrl() {
+    return process.env["ZENORM_WEB_URL"] ?? PRODUCTION_WEB_URL;
+}
+/** Escape user-influenced text before interpolating into the result page HTML. */
+function escapeHtml(value) {
+    return value
+        .replace(/&/g, "&")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#39;");
+}
 function getClerkClientId() {
     return (process.env["ZENORM_CLERK_CLIENT_ID"] ??
         process.env["VITE_CLERK_PUBLISHABLE_KEY"] ??
@@ -42,6 +75,100 @@ function tryOpenBrowser(url) {
         }
     });
 }
+/**
+ * Render a self-contained, branded error page for the localhost callback.
+ *
+ * Only the failure paths render a page — a successful login 302-redirects the
+ * browser into the app instead. Served by the raw `http` server (no
+ * React/bundler available), so the page is fully inline: dark theme, ZeNorm
+ * wordmark, and the same card framing the web app uses on /sign-in.
+ */
+function renderCallbackPage(heading, body) {
+    const accent = "#f87171";
+    const glyph = "&#33;";
+    return `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>ZeNorm CLI &middot; ${heading}</title>
+<style>
+  :root { color-scheme: dark; }
+  * { box-sizing: border-box; }
+  body {
+    margin: 0;
+    min-height: 100vh;
+    display: grid;
+    place-items: center;
+    padding: 24px;
+    background:
+      radial-gradient(ellipse 540px 360px at 50% 38%, rgba(99,102,241,0.16), transparent 70%),
+      #0a0a0b;
+    color: #ededee;
+    font-family: ui-sans-serif, -apple-system, BlinkMacSystemFont, "Segoe UI",
+      Roboto, Helvetica, Arial, sans-serif;
+    -webkit-font-smoothing: antialiased;
+  }
+  .card {
+    position: relative;
+    width: 100%;
+    max-width: 380px;
+    border: 1px solid rgba(255,255,255,0.10);
+    border-radius: 12px;
+    background: rgba(20,20,22,0.72);
+    backdrop-filter: blur(6px);
+    box-shadow: 0 1px 0 rgba(255,255,255,0.04) inset,
+      0 28px 70px -32px rgba(0,0,0,0.6);
+    padding: 40px 28px 32px;
+    text-align: center;
+  }
+  .eyebrow {
+    font-family: ui-monospace, SFMono-Regular, Menlo, monospace;
+    font-size: 10px;
+    letter-spacing: 0.22em;
+    text-transform: uppercase;
+    color: rgba(237,237,238,0.55);
+    margin-bottom: 22px;
+  }
+  .badge {
+    width: 48px; height: 48px;
+    margin: 0 auto 20px;
+    display: grid; place-items: center;
+    border-radius: 999px;
+    border: 1px solid ${accent}55;
+    background: ${accent}1a;
+    color: ${accent};
+    font-size: 22px; font-weight: 600;
+    line-height: 1;
+  }
+  h1 {
+    margin: 0 0 8px;
+    font-size: 1.5rem;
+    letter-spacing: -0.01em;
+    font-weight: 600;
+  }
+  p { margin: 0; color: rgba(237,237,238,0.62); font-size: 0.9rem; line-height: 1.5; }
+  .footer {
+    margin-top: 24px;
+    font-family: ui-monospace, SFMono-Regular, Menlo, monospace;
+    font-size: 10px;
+    letter-spacing: 0.18em;
+    text-transform: uppercase;
+    color: rgba(237,237,238,0.4);
+  }
+</style>
+</head>
+<body>
+  <div class="card">
+    <div class="eyebrow">ZeNorm CLI</div>
+    <div class="badge">${glyph}</div>
+    <h1>${heading}</h1>
+    <p>${body}</p>
+    <div class="footer">Spec authoring, traced end-to-end</div>
+  </div>
+</body>
+</html>`;
+}
 /**
  * Start a localhost HTTP server and wait for the OAuth callback.
  * Resolves with the authorization code once the redirect arrives.
@@ -60,21 +187,26 @@ function waitForCallback(port, expectedState) {
             const error = url.searchParams.get("error");
             if (error) {
                 const desc = url.searchParams.get("error_description") ?? error;
-                res.writeHead(200, { "Content-Type": "text/html" });
-                res.end(`<html><body><h2>Login failed</h2><p>${desc}</p><p>You can close this tab.</p></body></html>`);
+                res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+                res.end(renderCallbackPage("Login failed", `${escapeHtml(desc)}. You can close this tab and try again.`));
                 server.close();
                 reject(new Error(`Authorization failed: ${desc}`));
                 return;
             }
             if (!code || state !== expectedState) {
-                res.writeHead(400, { "Content-Type": "text/html" });
-                res.end(`<html><body><h2>Invalid callback</h2><p>Missing code or state mismatch.</p></body></html>`);
+                res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+                res.end(renderCallbackPage("Invalid callback", "Missing code or state mismatch. You can close this tab and try again."));
                 server.close();
                 reject(new Error("Invalid callback: missing code or state mismatch"));
                 return;
             }
-            res.writeHead(200, { "Content-Type": "text/html" });
-            res.end(`<html><body><h2>Login successful!</h2><p>You can close this tab and return to your terminal.</p></body></html>`);
+            // No standalone success page — send the browser straight into the app
+            // (the user is already signed in), so the tab lands on the real product
+            // instead of a "you can close this tab" interstitial. The CLI reports
+            // success in the terminal. Errors still render the branded page below,
+            // since those can't sensibly drop the user into the dashboard.
+            res.writeHead(302, { Location: `${getWebUrl()}/dashboard` });
+            res.end();
             server.close();
             resolve(code);
         });
@@ -126,20 +258,10 @@ export async function runDeviceAuthFlow() {
     const codeVerifier = generateCodeVerifier();
     const codeChallenge = generateCodeChallenge(codeVerifier);
     const state = generateState();
-    // Bind to port 0 to let the OS assign a free port
-    const port = await new Promise((resolve, reject) => {
-        const srv = createServer();
-        srv.listen(0, () => {
-            const addr = srv.address();
-            if (!addr || typeof addr === "string") {
-                srv.close();
-                reject(new Error("Failed to get server address"));
-                return;
-            }
-            const p = addr.port;
-            srv.close(() => resolve(p));
-        });
-    });
+    // Clerk enforces exact redirect_uri matching, so the callback must land on one
+    // of the OAuth app's pre-registered fixed ports — a random OS-assigned port
+    // would never match. Pick the first registered port that is currently free.
+    const port = await pickFreeCallbackPort();
     const redirectUri = `http://localhost:${port}/callback`;
     const authUrl = new URL(`${getClerkIssuer()}/oauth/authorize`);
     authUrl.searchParams.set("response_type", "code");

package/dist/commands/login.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/commands/login.ts"],"names":[],"mappings":"AAOA,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuChE"}
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/commands/login.ts"],"names":[],"mappings":"AAMA,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuChE"}

package/dist/commands/login.js

@@ -2,7 +2,6 @@ import { parseArgs } from "node:util";
 import { runDeviceAuthFlow } from "../auth/device-flow.js";
 import { saveCredentials } from "../auth/store.js";
 import { ZenormClient } from "../api/client.js";
-import { AuthError } from "../util/errors.js";
 import { log } from "../util/logger.js";
 export async function loginCommand(argv) {
     const { values } = parseArgs({
@@ -39,15 +38,20 @@ export async function loginCommand(argv) {
     }
 }
 async function tryLocalDevelopmentLogin() {
+    const client = new ZenormClient();
+    // Only localhost targets use the dev-bypass header path. For hosted/prod APIs
+    // we must always run the real OAuth flow — never silently report a successful
+    // "local development mode" login against production.
+    if (!client.isLocalDevTarget()) {
+        return null;
+    }
     try {
-        const client = new ZenormClient();
         const ctx = await client.getAuthContext();
         return { userId: ctx.userId, orgId: ctx.orgId };
     }
-    catch (err) {
-        if (err instanceof AuthError) {
-            return null;
-        }
+    catch {
+        // Local API unreachable or rejected the dev headers — fall through to the
+        // browser OAuth flow rather than masking the failure.
         return null;
     }
 }

package/dist/config/defaults.d.ts

@@ -1,4 +1,6 @@
 export declare const PRODUCTION_API_URL = "https://api.zenorm.com";
 export declare const PRODUCTION_CLERK_ISSUER = "https://clerk.zenorm.com";
-export declare const PRODUCTION_CLERK_CLIENT_ID = "pk_live_Y2xlcmsuemVub3JtLmNvbSQ";
+export declare const PRODUCTION_WEB_URL = "https://zenorm.com";
+export declare const PRODUCTION_CLERK_CLIENT_ID = "nUFCpxIFWJ4YSB3A";
+export declare const CLI_CALLBACK_PORTS: readonly [4571, 4572, 4573];
 //# sourceMappingURL=defaults.d.ts.map

package/dist/config/defaults.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"defaults.d.ts","sourceRoot":"","sources":["../../src/config/defaults.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,kBAAkB,2BAA2B,CAAC;AAC3D,eAAO,MAAM,uBAAuB,6BAA6B,CAAC;AAClE,eAAO,MAAM,0BAA0B,oCAAoC,CAAC"}
+{"version":3,"file":"defaults.d.ts","sourceRoot":"","sources":["../../src/config/defaults.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,kBAAkB,2BAA2B,CAAC;AAC3D,eAAO,MAAM,uBAAuB,6BAA6B,CAAC;AAIlE,eAAO,MAAM,kBAAkB,uBAAuB,CAAC;AAWvD,eAAO,MAAM,0BAA0B,qBAAqB,CAAC;AAK7D,eAAO,MAAM,kBAAkB,6BAA8B,CAAC"}

package/dist/config/defaults.js

@@ -1,3 +1,21 @@
 export const PRODUCTION_API_URL = "https://api.zenorm.com";
 export const PRODUCTION_CLERK_ISSUER = "https://clerk.zenorm.com";
-export const PRODUCTION_CLERK_CLIENT_ID = "pk_live_Y2xlcmsuemVub3JtLmNvbSQ";
+// Prod web app. After a successful login the localhost callback 302-redirects
+// the browser here so the tab lands on the real product (already signed in)
+// instead of a standalone "you can close this tab" page.
+export const PRODUCTION_WEB_URL = "https://zenorm.com";
+// Clerk OAuth Application client id for the public CLI (prod instance
+// clerk.zenorm.com). NOT the publishable key — this is the OAuth 2.0 client id
+// from the "ZeNorm CLI" OAuth app. Its registered redirect_uris are the fixed
+// localhost callback ports in CLI_CALLBACK_PORTS below.
+//
+// NOTE: this OAuth app has `consent_screen_enabled` set to FALSE out-of-band on
+// the Clerk instance (via the Clerk Backend API, not tracked in this repo).
+// That is what lets an already-signed-in `zenorm login` skip Clerk's OAuth
+// consent screen and redirect straight to the localhost callback. To restore
+// the consent screen, PATCH the OAuth app back to `consent_screen_enabled:true`.
+export const PRODUCTION_CLERK_CLIENT_ID = "nUFCpxIFWJ4YSB3A";
+// Fixed localhost callback ports the device-auth flow binds, in order. Clerk
+// enforces exact redirect_uri matching, so these MUST stay in sync with the
+// OAuth app's pre-registered redirect_uris (http://localhost:<port>/callback).
+export const CLI_CALLBACK_PORTS = [4571, 4572, 4573];

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@ze-norm/cli",
   "private": false,
-  "version": "0.3.0",
+  "version": "0.5.0",
   "license": "SEE LICENSE IN README.md",
   "type": "module",
   "repository": {