@ze-norm/cli 0.4.0 → 0.5.0

package/dist/auth/device-flow.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"device-flow.d.ts","sourceRoot":"","sources":["../../src/auth/device-flow.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAuKpD;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,iBAAiB,CAAC,CAkDpE"}
+{"version":3,"file":"device-flow.d.ts","sourceRoot":"","sources":["../../src/auth/device-flow.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AA+RpD;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,iBAAiB,CAAC,CAkDpE"}

package/dist/auth/device-flow.js

@@ -4,7 +4,7 @@ import { exec } from "node:child_process";
 import { platform } from "node:os";
 import { URL, URLSearchParams } from "node:url";
 import { log } from "../util/logger.js";
-import { CLI_CALLBACK_PORTS, PRODUCTION_CLERK_CLIENT_ID, PRODUCTION_CLERK_ISSUER, } from "../config/defaults.js";
+import { CLI_CALLBACK_PORTS, PRODUCTION_CLERK_CLIENT_ID, PRODUCTION_CLERK_ISSUER, PRODUCTION_WEB_URL, } from "../config/defaults.js";
 /**
  * Find the first pre-registered callback port that is free to bind. Clerk
  * matches redirect_uris exactly, so the local listener must use one of the
@@ -28,6 +28,19 @@ async function pickFreeCallbackPort() {
 function getClerkIssuer() {
     return process.env["ZENORM_CLERK_ISSUER"] ?? PRODUCTION_CLERK_ISSUER;
 }
+/** Where the browser tab lands after a successful login. */
+function getWebUrl() {
+    return process.env["ZENORM_WEB_URL"] ?? PRODUCTION_WEB_URL;
+}
+/** Escape user-influenced text before interpolating into the result page HTML. */
+function escapeHtml(value) {
+    return value
+        .replace(/&/g, "&")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#39;");
+}
 function getClerkClientId() {
     return (process.env["ZENORM_CLERK_CLIENT_ID"] ??
         process.env["VITE_CLERK_PUBLISHABLE_KEY"] ??
@@ -62,6 +75,100 @@ function tryOpenBrowser(url) {
         }
     });
 }
+/**
+ * Render a self-contained, branded error page for the localhost callback.
+ *
+ * Only the failure paths render a page — a successful login 302-redirects the
+ * browser into the app instead. Served by the raw `http` server (no
+ * React/bundler available), so the page is fully inline: dark theme, ZeNorm
+ * wordmark, and the same card framing the web app uses on /sign-in.
+ */
+function renderCallbackPage(heading, body) {
+    const accent = "#f87171";
+    const glyph = "&#33;";
+    return `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>ZeNorm CLI &middot; ${heading}</title>
+<style>
+  :root { color-scheme: dark; }
+  * { box-sizing: border-box; }
+  body {
+    margin: 0;
+    min-height: 100vh;
+    display: grid;
+    place-items: center;
+    padding: 24px;
+    background:
+      radial-gradient(ellipse 540px 360px at 50% 38%, rgba(99,102,241,0.16), transparent 70%),
+      #0a0a0b;
+    color: #ededee;
+    font-family: ui-sans-serif, -apple-system, BlinkMacSystemFont, "Segoe UI",
+      Roboto, Helvetica, Arial, sans-serif;
+    -webkit-font-smoothing: antialiased;
+  }
+  .card {
+    position: relative;
+    width: 100%;
+    max-width: 380px;
+    border: 1px solid rgba(255,255,255,0.10);
+    border-radius: 12px;
+    background: rgba(20,20,22,0.72);
+    backdrop-filter: blur(6px);
+    box-shadow: 0 1px 0 rgba(255,255,255,0.04) inset,
+      0 28px 70px -32px rgba(0,0,0,0.6);
+    padding: 40px 28px 32px;
+    text-align: center;
+  }
+  .eyebrow {
+    font-family: ui-monospace, SFMono-Regular, Menlo, monospace;
+    font-size: 10px;
+    letter-spacing: 0.22em;
+    text-transform: uppercase;
+    color: rgba(237,237,238,0.55);
+    margin-bottom: 22px;
+  }
+  .badge {
+    width: 48px; height: 48px;
+    margin: 0 auto 20px;
+    display: grid; place-items: center;
+    border-radius: 999px;
+    border: 1px solid ${accent}55;
+    background: ${accent}1a;
+    color: ${accent};
+    font-size: 22px; font-weight: 600;
+    line-height: 1;
+  }
+  h1 {
+    margin: 0 0 8px;
+    font-size: 1.5rem;
+    letter-spacing: -0.01em;
+    font-weight: 600;
+  }
+  p { margin: 0; color: rgba(237,237,238,0.62); font-size: 0.9rem; line-height: 1.5; }
+  .footer {
+    margin-top: 24px;
+    font-family: ui-monospace, SFMono-Regular, Menlo, monospace;
+    font-size: 10px;
+    letter-spacing: 0.18em;
+    text-transform: uppercase;
+    color: rgba(237,237,238,0.4);
+  }
+</style>
+</head>
+<body>
+  <div class="card">
+    <div class="eyebrow">ZeNorm CLI</div>
+    <div class="badge">${glyph}</div>
+    <h1>${heading}</h1>
+    <p>${body}</p>
+    <div class="footer">Spec authoring, traced end-to-end</div>
+  </div>
+</body>
+</html>`;
+}
 /**
  * Start a localhost HTTP server and wait for the OAuth callback.
  * Resolves with the authorization code once the redirect arrives.
@@ -80,21 +187,26 @@ function waitForCallback(port, expectedState) {
             const error = url.searchParams.get("error");
             if (error) {
                 const desc = url.searchParams.get("error_description") ?? error;
-                res.writeHead(200, { "Content-Type": "text/html" });
-                res.end(`<html><body><h2>Login failed</h2><p>${desc}</p><p>You can close this tab.</p></body></html>`);
+                res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+                res.end(renderCallbackPage("Login failed", `${escapeHtml(desc)}. You can close this tab and try again.`));
                 server.close();
                 reject(new Error(`Authorization failed: ${desc}`));
                 return;
             }
             if (!code || state !== expectedState) {
-                res.writeHead(400, { "Content-Type": "text/html" });
-                res.end(`<html><body><h2>Invalid callback</h2><p>Missing code or state mismatch.</p></body></html>`);
+                res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+                res.end(renderCallbackPage("Invalid callback", "Missing code or state mismatch. You can close this tab and try again."));
                 server.close();
                 reject(new Error("Invalid callback: missing code or state mismatch"));
                 return;
             }
-            res.writeHead(200, { "Content-Type": "text/html" });
-            res.end(`<html><body><h2>Login successful!</h2><p>You can close this tab and return to your terminal.</p></body></html>`);
+            // No standalone success page — send the browser straight into the app
+            // (the user is already signed in), so the tab lands on the real product
+            // instead of a "you can close this tab" interstitial. The CLI reports
+            // success in the terminal. Errors still render the branded page below,
+            // since those can't sensibly drop the user into the dashboard.
+            res.writeHead(302, { Location: `${getWebUrl()}/dashboard` });
+            res.end();
             server.close();
             resolve(code);
         });

package/dist/config/defaults.d.ts

@@ -1,5 +1,6 @@
 export declare const PRODUCTION_API_URL = "https://api.zenorm.com";
 export declare const PRODUCTION_CLERK_ISSUER = "https://clerk.zenorm.com";
+export declare const PRODUCTION_WEB_URL = "https://zenorm.com";
 export declare const PRODUCTION_CLERK_CLIENT_ID = "nUFCpxIFWJ4YSB3A";
 export declare const CLI_CALLBACK_PORTS: readonly [4571, 4572, 4573];
 //# sourceMappingURL=defaults.d.ts.map

package/dist/config/defaults.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"defaults.d.ts","sourceRoot":"","sources":["../../src/config/defaults.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,kBAAkB,2BAA2B,CAAC;AAC3D,eAAO,MAAM,uBAAuB,6BAA6B,CAAC;AAKlE,eAAO,MAAM,0BAA0B,qBAAqB,CAAC;AAK7D,eAAO,MAAM,kBAAkB,6BAA8B,CAAC"}
+{"version":3,"file":"defaults.d.ts","sourceRoot":"","sources":["../../src/config/defaults.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,kBAAkB,2BAA2B,CAAC;AAC3D,eAAO,MAAM,uBAAuB,6BAA6B,CAAC;AAIlE,eAAO,MAAM,kBAAkB,uBAAuB,CAAC;AAWvD,eAAO,MAAM,0BAA0B,qBAAqB,CAAC;AAK7D,eAAO,MAAM,kBAAkB,6BAA8B,CAAC"}

package/dist/config/defaults.js

@@ -1,9 +1,19 @@
 export const PRODUCTION_API_URL = "https://api.zenorm.com";
 export const PRODUCTION_CLERK_ISSUER = "https://clerk.zenorm.com";
+// Prod web app. After a successful login the localhost callback 302-redirects
+// the browser here so the tab lands on the real product (already signed in)
+// instead of a standalone "you can close this tab" page.
+export const PRODUCTION_WEB_URL = "https://zenorm.com";
 // Clerk OAuth Application client id for the public CLI (prod instance
 // clerk.zenorm.com). NOT the publishable key — this is the OAuth 2.0 client id
 // from the "ZeNorm CLI" OAuth app. Its registered redirect_uris are the fixed
 // localhost callback ports in CLI_CALLBACK_PORTS below.
+//
+// NOTE: this OAuth app has `consent_screen_enabled` set to FALSE out-of-band on
+// the Clerk instance (via the Clerk Backend API, not tracked in this repo).
+// That is what lets an already-signed-in `zenorm login` skip Clerk's OAuth
+// consent screen and redirect straight to the localhost callback. To restore
+// the consent screen, PATCH the OAuth app back to `consent_screen_enabled:true`.
 export const PRODUCTION_CLERK_CLIENT_ID = "nUFCpxIFWJ4YSB3A";
 // Fixed localhost callback ports the device-auth flow binds, in order. Clerk
 // enforces exact redirect_uri matching, so these MUST stay in sync with the

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@ze-norm/cli",
   "private": false,
-  "version": "0.4.0",
+  "version": "0.5.0",
   "license": "SEE LICENSE IN README.md",
   "type": "module",
   "repository": {