agentapprove 0.1.15 → 0.1.21

package/dist/cli.js

@@ -2630,8 +2630,204 @@ function shouldCreateFreshPairing(connectionMethod) {
   return connectionMethod === "qr" || connectionMethod === "copy";
 }
 
+// src/install-validation.ts
+async function safeReadText(response) {
+  try {
+    return await response.text();
+  } catch {
+    return "";
+  }
+}
+function parseErrorBody(body) {
+  if (!body)
+    return null;
+  try {
+    const parsed = JSON.parse(body);
+    if (parsed && typeof parsed === "object") {
+      return parsed;
+    }
+  } catch {}
+  return null;
+}
+async function validateExistingToken(token, apiUrl, apiVersion, options = {}) {
+  const fetchImpl = options.fetchImpl || fetch;
+  const filename = options.preflightFilename || "common.sh";
+  const url = `${apiUrl}/${apiVersion}/hooks/${filename}?format=raw`;
+  let response;
+  try {
+    response = await fetchImpl(url, {
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "network error";
+    return {
+      kind: "network_error",
+      summary: "cannot reach Agent Approve from this network",
+      serverMessage: message
+    };
+  }
+  const status = response.status;
+  if (response.ok) {
+    const body2 = await safeReadText(response);
+    return {
+      kind: "valid",
+      summary: "verified - token is valid",
+      cachedContent: body2,
+      status
+    };
+  }
+  const body = await safeReadText(response);
+  const parsed = parseErrorBody(body);
+  const code = parsed?.code;
+  const serverMessage = parsed?.error;
+  if (status === 401 && code === "TOKEN_EXPIRED") {
+    return {
+      kind: "expired",
+      summary: "expired (refresh required)",
+      serverMessage,
+      status
+    };
+  }
+  if (status === 401 && code === "INVALID_TOKEN") {
+    return {
+      kind: "invalid",
+      summary: "invalid (re-pair required)",
+      serverMessage,
+      status
+    };
+  }
+  if (status === 403 && code === "AUTH_SCOPE_DENIED") {
+    return {
+      kind: "scope_denied",
+      summary: "scope denied (re-pair required)",
+      serverMessage,
+      status
+    };
+  }
+  if (status === 503) {
+    return {
+      kind: "unavailable",
+      summary: "validation temporarily unavailable",
+      serverMessage,
+      status
+    };
+  }
+  if (status === 403) {
+    return {
+      kind: "network_blocked",
+      summary: "cannot reach service from this network",
+      serverMessage,
+      status
+    };
+  }
+  if (status === 401) {
+    return {
+      kind: "invalid",
+      summary: "invalid (re-pair required)",
+      serverMessage,
+      status
+    };
+  }
+  return {
+    kind: "unavailable",
+    summary: "validation temporarily unavailable",
+    serverMessage,
+    status
+  };
+}
+function classifyHookDownloadFailure(status, body) {
+  const parsed = parseErrorBody(body);
+  const code = parsed?.code;
+  if (status === 401 && code === "TOKEN_EXPIRED")
+    return "token_expired";
+  if (status === 401 && code === "INVALID_TOKEN")
+    return "token_invalid";
+  if (status === 403 && code === "AUTH_SCOPE_DENIED")
+    return "scope_denied";
+  if (status === 503)
+    return "validation_unavailable";
+  if (status === 403)
+    return "network_blocked";
+  if (status === 401)
+    return "token_invalid";
+  return "recoverable";
+}
+
+// src/copy-hook-scripts.ts
+import { writeFileSync as fsWriteFileSync } from "fs";
+import { join as pathJoin } from "path";
+async function copyHookScripts(hooksDir, token, files, options) {
+  const fetchImpl = options.fetchImpl || fetch;
+  const writeFile = options.writeFileSync || fsWriteFileSync;
+  const join = options.joinPath || pathJoin;
+  let downloaded = 0;
+  const failed = [];
+  for (const file of files) {
+    try {
+      const response = await fetchImpl(`${options.apiUrl}/${options.apiVersion}/hooks/${file}?format=raw`, {
+        headers: {
+          Authorization: `Bearer ${token}`
+        }
+      });
+      if (response.ok) {
+        const content = await response.text();
+        const isShellScript = content.startsWith("#!/") || content.startsWith("# ");
+        const isJsBundle = file.endsWith(".js") && (content.startsWith("//") || content.startsWith("import ") || content.startsWith("var ") || content.startsWith("const ") || content.startsWith("export "));
+        if (isShellScript || isJsBundle) {
+          const filePath = join(hooksDir, file);
+          writeFile(filePath, content, { mode: isShellScript ? 493 : 420 });
+          downloaded++;
+        } else {
+          failed.push(`${file} (invalid content)`);
+        }
+      } else {
+        const body = await response.text().catch(() => "");
+        const failureKind = classifyHookDownloadFailure(response.status, body);
+        if (failureKind !== "recoverable") {
+          return {
+            downloaded,
+            failed,
+            terminalFailure: {
+              kind: failureKind,
+              file,
+              status: response.status
+            }
+          };
+        }
+        failed.push(`${file} (${response.status})`);
+      }
+    } catch (err) {
+      failed.push(`${file} (${err instanceof Error ? err.message : "network error"})`);
+    }
+  }
+  return { downloaded, failed };
+}
+
+// src/pairing-api-url.ts
+function looksLikeHostedAgentApproveApi(baseUrl) {
+  try {
+    const host = new URL(baseUrl).hostname.toLowerCase();
+    return host === "agentapprove.com" || host.endsWith(".agentapprove.com");
+  } catch {
+    return false;
+  }
+}
+function resolvePairingApiBaseUrl(options) {
+  const fromEnv = options.agentapproveApiEnv?.trim();
+  if (fromEnv) {
+    return fromEnv;
+  }
+  const fromFile = options.savedApiUrl?.trim();
+  if (fromFile) {
+    return fromFile;
+  }
+  return options.processDefaultApiUrl;
+}
+
 // src/cli.ts
-var VERSION = "0.1.15";
+var VERSION = "0.1.21";
 function getApiUrl() {
   return process.env.AGENTAPPROVE_API || "https://api.agentapprove.com";
 }
@@ -2703,11 +2899,11 @@ function getCommand() {
   }
   return filtered[0] || "install";
 }
-var OPENCODE_PLUGIN_VERSION = "0.1.12";
+var OPENCODE_PLUGIN_VERSION = "0.1.18";
 var OPENCODE_PLUGIN_SPEC = `@agentapprove/opencode@${OPENCODE_PLUGIN_VERSION}`;
-var OPENCLAW_PLUGIN_VERSION = "0.2.10";
+var OPENCLAW_PLUGIN_VERSION = "0.2.11";
 var OPENCLAW_PLUGIN_SPEC = `@agentapprove/openclaw@${OPENCLAW_PLUGIN_VERSION}`;
-var PI_PLUGIN_VERSION = "0.1.2";
+var PI_PLUGIN_VERSION = "0.1.6";
 var PI_PLUGIN_SPEC = `npm:@agentapprove/pi@${PI_PLUGIN_VERSION}`;
 var PI_STATUS_TIMEOUT_MS = 5000;
 var AGENTS = {
@@ -3590,10 +3786,10 @@ function disableCodexFeatureFlag(configPath = join(homedir(), ".codex", "config.
   writeFileSync(configPath, updated, { mode: 384 });
   return { updated: true, backupPath };
 }
-async function createPairingSession(configuredAgents, e2eKeyId) {
+async function createPairingSession(configuredAgents, e2eKeyId, apiBaseUrl = API_URL) {
   try {
     const machineHostname = hostname();
-    const response = await fetch(`${API_URL}/${API_VERSION}/pair`, {
+    const response = await fetch(`${apiBaseUrl}/${API_VERSION}/pair`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -3612,9 +3808,9 @@ async function createPairingSession(configuredAgents, e2eKeyId) {
     return { sessionCode: "", qrUrl: "", expiresIn: 0, error: String(err) };
   }
 }
-async function pollPairingSession(sessionCode) {
+async function pollPairingSession(sessionCode, apiBaseUrl = API_URL) {
   try {
-    const response = await fetch(`${API_URL}/${API_VERSION}/pair/${sessionCode}`);
+    const response = await fetch(`${apiBaseUrl}/${API_VERSION}/pair/${sessionCode}`);
     return await response.json();
   } catch {
     return { status: "error" };
@@ -3623,7 +3819,7 @@ async function pollPairingSession(sessionCode) {
 function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
-async function waitForPairing(sessionCode, onProgress, onCancel) {
+async function waitForPairing(sessionCode, onProgress, onCancel, apiBaseUrl = API_URL) {
   let cancelled = false;
   const handleKeypress = (key) => {
     const char = key.toString();
@@ -3650,14 +3846,14 @@ async function waitForPairing(sessionCode, onProgress, onCancel) {
       cleanup();
       return "cancelled";
     }
-    const result = await pollPairingSession(sessionCode);
+    const result = await pollPairingSession(sessionCode, apiBaseUrl);
     if (result.status === "completed" && result.token) {
       cleanup();
       return {
         token: result.token,
         privacy: result.privacy || "full",
         email: result.email || "",
-        apiUrl: result.apiUrl || API_URL,
+        apiUrl: result.apiUrl || apiBaseUrl,
         e2eServerKey: result.e2eServerKey
       };
     }
@@ -4428,35 +4624,27 @@ codex_hooks = true`;
   }
   return "";
 }
-async function copyHookScripts(hooksDir, token, files) {
-  let downloaded = 0;
-  const failed = [];
-  for (const file of files) {
-    try {
-      const response = await fetch(`${API_URL}/${API_VERSION}/hooks/${file}?format=raw`, {
-        headers: {
-          Authorization: `Bearer ${token}`
-        }
-      });
-      if (response.ok) {
-        const content = await response.text();
-        const isShellScript = content.startsWith("#!/") || content.startsWith("# ");
-        const isJsBundle = file.endsWith(".js") && (content.startsWith("//") || content.startsWith("import ") || content.startsWith("var ") || content.startsWith("const ") || content.startsWith("export "));
-        if (isShellScript || isJsBundle) {
-          const filePath = join(hooksDir, file);
-          writeFileSync(filePath, content, { mode: isShellScript ? 493 : 420 });
-          downloaded++;
-        } else {
-          failed.push(`${file} (invalid content)`);
-        }
-      } else {
-        failed.push(`${file} (${response.status})`);
-      }
-    } catch (err) {
-      failed.push(`${file} (${err instanceof Error ? err.message : "network error"})`);
-    }
-  }
-  return { downloaded, failed };
+function describeDownloadTerminalFailure(kind) {
+  switch (kind) {
+    case "token_expired":
+      return "Hook download stopped: your saved token has expired. Run `npx agentapprove refresh` to re-pair, or run the installer again to choose Refresh / Re-pair.";
+    case "token_invalid":
+      return "Hook download stopped: your saved token is no longer valid. Run `npx agentapprove pair` to pair this computer again.";
+    case "scope_denied":
+      return "Hook download stopped: your saved token cannot download hooks. Run `npx agentapprove pair` to pair this computer again.";
+    case "validation_unavailable":
+      return "Hook download stopped: Agent Approve could not validate your token right now. Please try again in a few minutes.";
+    case "network_blocked":
+      return "Hook download stopped: Service temporarily unavailable. Try again later.";
+    case "recoverable":
+      return "Hook download stopped: encountered an unexpected response.";
+  }
+}
+async function copyHookScripts2(hooksDir, token, files, options = {}) {
+  return copyHookScripts(hooksDir, token, files, {
+    apiUrl: options.apiUrl || API_URL,
+    apiVersion: API_VERSION
+  });
 }
 function readOpenClawInstalledVersion() {
   const packagePath = join(homedir(), ".openclaw", "extensions", "openclaw", "package.json");
@@ -4810,16 +4998,107 @@ async function checkSystemDependencies() {
   }
   return true;
 }
+async function runExistingTokenPreflight(token, apiUrlForPreflight) {
+  const preflightSpinner = _2();
+  preflightSpinner.start("Checking saved token");
+  let result = await validateExistingToken(token, apiUrlForPreflight, API_VERSION);
+  if (result.kind === "unavailable" || result.kind === "network_error") {
+    const message = result.kind === "unavailable" ? "Token validation is temporarily unavailable." : "Could not reach Agent Approve from this network.";
+    preflightSpinner.stop(message);
+    const retryChoice = await le({
+      message: "How would you like to continue?",
+      options: [
+        { value: "retry", label: "Retry" },
+        { value: "cancel", label: "Cancel" }
+      ]
+    });
+    if (lD(retryChoice) || retryChoice === "cancel") {
+      he("Installation cancelled");
+      process.exit(0);
+    }
+    preflightSpinner.start("Checking saved token");
+    result = await validateExistingToken(token, apiUrlForPreflight, API_VERSION);
+  }
+  switch (result.kind) {
+    case "valid":
+      preflightSpinner.stop("Saved token verified");
+      break;
+    case "expired":
+      preflightSpinner.stop("Saved token has expired");
+      break;
+    case "invalid":
+    case "scope_denied":
+      preflightSpinner.stop("Saved token is no longer valid");
+      break;
+    case "network_blocked":
+      preflightSpinner.stop("Service temporarily unavailable");
+      break;
+    default:
+      preflightSpinner.stop("Saved token check finished");
+  }
+  return result;
+}
+function describeExistingTokenStatus(preflight) {
+  if (!preflight) {
+    return "already linked to your Agent Approve account";
+  }
+  switch (preflight.kind) {
+    case "valid":
+      return "verified - linked to your Agent Approve account";
+    case "expired":
+      return "expired (refresh required)";
+    case "invalid":
+      return "invalid (re-pair required)";
+    case "scope_denied":
+      return "scope denied (re-pair required)";
+    case "unavailable":
+      return "validation temporarily unavailable";
+    case "network_blocked":
+      return "cannot reach service from this network";
+    case "network_error":
+      return "cannot reach Agent Approve from this network";
+  }
+}
+async function promptTokenRecoveryAction(preflight) {
+  if (preflight.kind === "expired") {
+    const choice2 = await le({
+      message: "Your saved token has expired. How would you like to continue?",
+      options: [
+        { value: "refresh", label: "Refresh token", hint: "Keeps the existing encryption key and current settings" },
+        { value: "repair", label: "Pair this computer again", hint: "You can rotate the encryption key" },
+        { value: "cancel", label: "Cancel", hint: "Exit the installer" }
+      ]
+    });
+    if (lD(choice2))
+      return "cancel";
+    return choice2;
+  }
+  const choice = await le({
+    message: "Your saved token is no longer valid. How would you like to continue?",
+    options: [
+      { value: "repair", label: "Pair this computer again" },
+      { value: "cancel", label: "Cancel", hint: "Exit the installer" }
+    ]
+  });
+  if (lD(choice))
+    return "cancel";
+  return choice;
+}
 async function installCommand() {
   console.clear();
   pe(source_default.bgCyan.black(" Agent Approve ") + source_default.gray(` Hooks Installer v${VERSION}`));
   migrateE2ERootKey();
-  const isCustomApi = !API_URL.includes("agentapprove.com");
-  if (isCustomApi) {
-    v2.warn(`Using custom API: ${API_URL}`);
-  }
   await checkSystemDependencies();
   const existingConfig = readExistingConfig();
+  const pairingApiBase = resolvePairingApiBaseUrl({
+    agentapproveApiEnv: process.env.AGENTAPPROVE_API,
+    savedApiUrl: existingConfig?.apiUrl,
+    processDefaultApiUrl: API_URL
+  });
+  const isCustomApi = !looksLikeHostedAgentApproveApi(pairingApiBase);
+  if (isCustomApi) {
+    v2.warn(`Using custom API: ${pairingApiBase}`);
+  }
   const hasExistingToken = !!(existingConfig?.token && existingConfig.token.length > 10);
   let existingTokenPreview = "Not set";
   let existingKeyId = null;
@@ -4831,6 +5110,12 @@ async function installCommand() {
       existingKeyId = createHash("sha256").update(Buffer.from(keyHex, "hex")).digest("hex").slice(0, 8);
     }
   }
+  const existingTokenPreflight = hasExistingToken ? await runExistingTokenPreflight(existingConfig.token, pairingApiBase) : null;
+  if (existingTokenPreflight?.kind === "network_blocked") {
+    v2.error("Service temporarily unavailable. Try again later.");
+    he("Installation cancelled");
+    process.exit(1);
+  }
   me(`Approve AI agent actions from your iPhone or Apple Watch.
 Installs hooks and extensions for Cursor, Claude, Gemini, Pi, OpenCode, OpenClaw, and more.`, "About");
   const installedAgents = detectInstalledAgents();
@@ -4850,7 +5135,7 @@ Installs hooks and extensions for Cursor, Claude, Gemini, Pi, OpenCode, OpenClaw
     process.exit(0);
   }
   const setupProfileSummary = existingConfig ? formatSetupProfileBlock("Existing config", getInitialInstallConfig("existing-config", existingConfig), [
-    `Connection token: ${existingTokenPreview} - already linked to your Agent Approve account.`,
+    `Connection token: ${existingTokenPreview} - ${describeExistingTokenStatus(existingTokenPreflight)}.`,
     ...existingKeyId ? [`Encryption key ID: ${existingKeyId} - already installed for this computer.`] : []
   ]) : formatSetupProfileBlock("Recommended setup", getInitialInstallConfig("recommended", existingConfig));
   me(setupProfileSummary, "Setup profiles");
@@ -4862,13 +5147,23 @@ Installs hooks and extensions for Cursor, Claude, Gemini, Pi, OpenCode, OpenClaw
     he("Installation cancelled");
     process.exit(0);
   }
+  let pendingRecoveryAction = null;
+  if (hasExistingToken && existingTokenPreflight && (existingTokenPreflight.kind === "expired" || existingTokenPreflight.kind === "invalid" || existingTokenPreflight.kind === "scope_denied")) {
+    pendingRecoveryAction = await promptTokenRecoveryAction(existingTokenPreflight);
+    if (pendingRecoveryAction === "cancel") {
+      he("Installation cancelled");
+      process.exit(0);
+    }
+  }
+  const requiresFreshPair = pendingRecoveryAction !== null;
+  const forceKeyReuseForRecovery = pendingRecoveryAction === "refresh";
   ensureAgentApproveDir();
   const hooksDir = join(getAgentApproveDir(), "hooks");
   const selectedInstallConfig = getInitialInstallConfig(setupProfile, existingConfig);
   let token = null;
   let finalPrivacy = selectedInstallConfig.privacy;
   let email = "";
-  let apiUrl = API_URL;
+  let apiUrl = pairingApiBase;
   let debugLog = selectedInstallConfig.debugLog;
   let retentionDays = selectedInstallConfig.retentionDays;
   let failBehavior = selectedInstallConfig.failBehavior;
@@ -4956,7 +5251,8 @@ Installs hooks and extensions for Cursor, Claude, Gemini, Pi, OpenCode, OpenClaw
     if (existsSync2(existingKeyPath)) {
       const oldKeyHex = readFileSync(existingKeyPath, "utf-8").trim();
       const oldKeyId = createHash("sha256").update(Buffer.from(oldKeyHex, "hex")).digest("hex").slice(0, 8);
-      if (setupProfile === "existing-config") {
+      const autoReuseKey = forceKeyReuseForRecovery || setupProfile === "existing-config" && !requiresFreshPair;
+      if (autoReuseKey) {
         e2eUserKey = oldKeyHex;
       } else {
         v2.info(`Existing E2E key found (Key ID: ${oldKeyId})`);
@@ -5014,9 +5310,10 @@ Installs hooks and extensions for Cursor, Claude, Gemini, Pi, OpenCode, OpenClaw
     }
     debugLog = debugLogChoice;
   }
-  const silentlyReuseExistingToken = setupProfile === "existing-config" && hasExistingToken;
+  const canReuseExistingToken = hasExistingToken && !requiresFreshPair;
+  const silentlyReuseExistingToken = setupProfile === "existing-config" && canReuseExistingToken;
   const connectionOptions = [];
-  if (hasExistingToken) {
+  if (canReuseExistingToken) {
     const tokenPreview = existingConfig.token.slice(0, 15) + "...";
     connectionOptions.push({
       value: "existing",
@@ -5024,10 +5321,20 @@ Installs hooks and extensions for Cursor, Claude, Gemini, Pi, OpenCode, OpenClaw
       hint: tokenPreview
     });
   }
-  connectionOptions.push({ value: "qr", label: "Scan QR code", hint: hasExistingToken ? undefined : "Recommended" }, { value: "copy", label: "Copy and paste code", hint: "No camera" });
+  connectionOptions.push({ value: "qr", label: "Scan QR code", hint: canReuseExistingToken ? undefined : "Recommended" }, { value: "copy", label: "Copy and paste code", hint: "No camera" });
   let connectionMethod;
   if (silentlyReuseExistingToken) {
     connectionMethod = "existing";
+  } else if (requiresFreshPair) {
+    const connectionChoice = await le({
+      message: pendingRecoveryAction === "refresh" ? "How would you like to refresh the token?" : "How would you like to pair this computer?",
+      options: connectionOptions
+    });
+    if (lD(connectionChoice)) {
+      he("Installation cancelled");
+      process.exit(0);
+    }
+    connectionMethod = connectionChoice;
   } else {
     const connectionChoice = await le({
       message: "Connect to iOS app (required for setup and any hook downloads)",
@@ -5041,7 +5348,7 @@ Installs hooks and extensions for Cursor, Claude, Gemini, Pi, OpenCode, OpenClaw
   }
   if (connectionMethod === "existing") {
     token = existingConfig.token;
-    apiUrl = existingConfig.apiUrl || API_URL;
+    apiUrl = pairingApiBase;
     if (setupProfile === "existing-config" && existingConfig?.configSetAt) {
       configSetAt = existingConfig.configSetAt;
     }
@@ -5067,7 +5374,7 @@ Installs hooks and extensions for Cursor, Claude, Gemini, Pi, OpenCode, OpenClaw
       configSetAt,
       e2eEnabled: useE2E
     };
-    const session = await createPairingSession(selectedAgents, e2eKeyId);
+    const session = await createPairingSession(selectedAgents, e2eKeyId, pairingApiBase);
     if (!session || session.error) {
       v2.error(`Failed to create pairing session: ${session?.error || "Unknown error"}`);
       he("Cannot continue without token");
@@ -5093,7 +5400,7 @@ Installs hooks and extensions for Cursor, Claude, Gemini, Pi, OpenCode, OpenClaw
         const minutes = Math.floor(expiresIn / 60);
         const seconds = expiresIn % 60;
         pairingSpinner.message(`Waiting for iOS app... ${minutes}:${seconds.toString().padStart(2, "0")}`);
-      }, () => {});
+      }, () => {}, pairingApiBase);
       if (result === "cancelled") {
         pairingSpinner.stop("Cancelled");
         he("Installation cancelled");
@@ -5102,6 +5409,7 @@ Installs hooks and extensions for Cursor, Claude, Gemini, Pi, OpenCode, OpenClaw
         token = result.token;
         finalPrivacy = result.privacy;
         email = result.email;
+        apiUrl = result.apiUrl || pairingApiBase;
         if (e2eUserKey && e2eKeyId) {
           const rootKeyPath = join(agentApproveDir, "e2e-root-key");
           writeFileSync(rootKeyPath, e2eUserKey, { mode: 384 });
@@ -5152,9 +5460,15 @@ Installs hooks and extensions for Cursor, Claude, Gemini, Pi, OpenCode, OpenClaw
   if (hookDownloadPlan.files.length > 0) {
     const downloadSpinner = _2();
     downloadSpinner.start("Downloading hook scripts");
-    const downloadResult = await copyHookScripts(hooksDir, token, hookDownloadPlan.files);
+    const downloadResult = await copyHookScripts2(hooksDir, token, hookDownloadPlan.files, { apiUrl });
     const summary = formatHookDownloadSummary(hookDownloadPlan);
-    if (downloadResult.failed.length > 0) {
+    if (downloadResult.terminalFailure) {
+      downloadSpinner.stop(`Downloaded ${downloadResult.downloaded} of ${hookDownloadPlan.files.length} hook files (${summary})`);
+      const message = describeDownloadTerminalFailure(downloadResult.terminalFailure.kind);
+      v2.error(message);
+      he("Hook download stopped before completion.");
+      process.exit(1);
+    } else if (downloadResult.failed.length > 0) {
       downloadSpinner.stop(`Downloaded ${downloadResult.downloaded} of ${hookDownloadPlan.files.length} hook files (${summary})`);
       v2.warn(`Failed to download: ${downloadResult.failed.join(", ")}`);
     } else {
@@ -5697,10 +6011,15 @@ async function refreshCommand() {
     v2.error('No existing configuration found. Run "npx agentapprove install" first.');
     process.exit(1);
   }
+  const pairingApiBase = resolvePairingApiBaseUrl({
+    agentapproveApiEnv: process.env.AGENTAPPROVE_API,
+    savedApiUrl: existingConfig?.apiUrl,
+    processDefaultApiUrl: API_URL
+  });
   me(`Your API token has expired (30 days). Tokens extend automatically on use,
 but if unused for 30 days they expire. Get a new one below.`, "Token Expired");
   let token = null;
-  let apiUrl = API_URL;
+  let apiUrl = pairingApiBase;
   const installedAgents = detectInstalledAgents();
   const e2eEnabled = existingConfig.e2eEnabled !== false;
   const e2eKeyPath = join(getAgentApproveDir(), "e2e-key");
@@ -5727,7 +6046,7 @@ but if unused for 30 days they expire. Get a new one below.`, "Token Expired");
     configSetAt,
     e2eEnabled
   };
-  const session = await createPairingSession(installedAgents.length > 0 ? installedAgents : undefined, e2eKeyId);
+  const session = await createPairingSession(installedAgents.length > 0 ? installedAgents : undefined, e2eKeyId, pairingApiBase);
   if (!session || session.error) {
     v2.error(`Failed to create pairing session: ${session?.error || "Unknown error"}`);
     process.exit(1);
@@ -5753,13 +6072,14 @@ but if unused for 30 days they expire. Get a new one below.`, "Token Expired");
     const minutes = Math.floor(expiresIn / 60);
     const seconds = expiresIn % 60;
     pairingSpinner.message(`Waiting for iOS app... ${minutes}:${seconds.toString().padStart(2, "0")}`);
-  }, () => {});
+  }, () => {}, pairingApiBase);
   if (result === "cancelled") {
     pairingSpinner.stop("Cancelled");
     he("Refresh cancelled");
     process.exit(0);
   } else if (result) {
     token = result.token;
+    apiUrl = result.apiUrl || pairingApiBase;
     pairingSpinner.stop(`Connected! ${result.email ? `Account: ${result.email}` : ""}`);
   } else {
     pairingSpinner.stop("Session expired");
@@ -5797,6 +6117,11 @@ async function pairCommand() {
   console.clear();
   pe(source_default.bgCyan.black(" Agent Approve ") + source_default.gray(" Device Pairing"));
   const existingConfig = readExistingConfig();
+  const pairingApiBase = resolvePairingApiBaseUrl({
+    agentapproveApiEnv: process.env.AGENTAPPROVE_API,
+    savedApiUrl: existingConfig?.apiUrl,
+    processDefaultApiUrl: API_URL
+  });
   const keys = discoverE2EKeys();
   if (keys.length === 0 && !existingConfig) {
     v2.error("No E2E keys or configuration found.");
@@ -5887,7 +6212,7 @@ async function pairCommand() {
     configSetAt: pairingConfigSetAt,
     e2eEnabled: !!e2eUserKey
   };
-  const session = await createPairingSession(installedAgents.length > 0 ? installedAgents : undefined, e2eKeyId);
+  const session = await createPairingSession(installedAgents.length > 0 ? installedAgents : undefined, e2eKeyId, pairingApiBase);
   if (!session || session.error) {
     v2.error(`Failed to create pairing session: ${session?.error || "Unknown error"}`);
     process.exit(1);
@@ -5913,7 +6238,7 @@ async function pairCommand() {
     const minutes = Math.floor(expiresIn / 60);
     const seconds = expiresIn % 60;
     pairingSpinner.message(`Waiting for iOS app... ${minutes}:${seconds.toString().padStart(2, "0")}`);
-  }, () => {});
+  }, () => {}, pairingApiBase);
   if (result === "cancelled") {
     pairingSpinner.stop("Cancelled");
     he("Pairing cancelled");
@@ -5943,7 +6268,7 @@ async function pairCommand() {
       writeFileSync(serverKeyPath, result.e2eServerKey, { mode: 384 });
     }
   }
-  const apiUrl = API_URL;
+  const apiUrl = result.apiUrl || pairingApiBase;
   const configSetAt = Math.floor(Date.now() / 1000);
   saveEnvConfig({
     apiUrl,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentapprove",
-  "version": "0.1.15",
+  "version": "0.1.21",
   "description": "Approve AI agent actions from your iPhone or Apple Watch",
   "type": "module",
   "bin": {