npm - arisa - Versions diffs - 2.3.35 → 2.3.37 - Mend

arisa 2.3.35 → 2.3.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "arisa",
-  "version": "2.3.35",
+  "version": "2.3.37",
   "description": "Arisa - dynamic agent runtime with daemon/core architecture that evolves through user interaction",
   "keywords": [
     "tinyclaw",

package/src/daemon/setup.ts CHANGED Viewed

@@ -15,7 +15,7 @@ import { existsSync, readFileSync, writeFileSync, mkdirSync } from "fs";
 import { dirname, join } from "path";
 import { dataDir } from "../shared/paths";
 import { secrets, setSecret } from "../shared/secrets";
-import { isAgentCliInstalled, buildBunWrappedAgentCliCommand, isRunningAsRoot, type AgentCliName } from "../shared/ai-cli";
+import { isAgentCliInstalled, buildBunWrappedAgentCliCommand, type AgentCliName } from "../shared/ai-cli";
 const ENV_PATH = join(dataDir, ".env");
 const SETUP_DONE_KEY = "ARISA_SETUP_COMPLETE";
@@ -140,10 +140,16 @@ export async function runSetup(): Promise<boolean> {
     console.log(`\nConfig saved to ${ENV_PATH}`);
   }
-  // ─── Phase 2: CLI Installation (first run, interactive) ─────────
+  // ─── Phase 2: CLI Installation + Auth ───────────────────────────
-  if (isFirstRun && process.stdin.isTTY) {
-    await setupClis(inq, vars);
+  if (process.stdin.isTTY) {
+    if (isFirstRun) {
+      // First run: offer to install missing CLIs + login
+      await setupClis(inq, vars);
+    } else {
+      // Subsequent runs: check if any installed CLI needs auth, offer login
+      await checkCliAuth(inq, vars);
+    }
   }
   return true;
@@ -228,6 +234,59 @@ async function setupClis(inq: typeof import("@inquirer/prompts") | null, vars: R
   }
 }
+/**
+ * On non-first runs, check if installed CLIs are authenticated.
+ * If not, offer to login interactively.
+ */
+async function checkCliAuth(inq: typeof import("@inquirer/prompts") | null, vars: Record<string, string>) {
+  const clis: AgentCliName[] = [];
+  if (isAgentCliInstalled("claude")) clis.push("claude");
+  if (isAgentCliInstalled("codex")) clis.push("codex");
+  if (clis.length === 0) return;
+  for (const cli of clis) {
+    const authed = await isCliAuthenticated(cli);
+    if (authed) {
+      console.log(`[setup] ${cli} ✓ authenticated`);
+      continue;
+    }
+    console.log(`[setup] ${cli} ✗ not authenticated`);
+    let doLogin = true;
+    if (inq) {
+      doLogin = await inq.confirm({ message: `Log in to ${cli === "claude" ? "Claude" : "Codex"}?`, default: true });
+    } else {
+      const answer = await readLine(`\nLog in to ${cli === "claude" ? "Claude" : "Codex"}? (Y/n): `);
+      doLogin = answer.toLowerCase() !== "n";
+    }
+    if (doLogin) {
+      console.log();
+      await runInteractiveLogin(cli, vars);
+    }
+  }
+}
+/**
+ * Quick probe: is this CLI authenticated?
+ * Claude: `claude auth status` exits 0 and contains "loggedIn": true
+ * Codex: `codex auth status` or a quick exec check
+ */
+async function isCliAuthenticated(cli: AgentCliName): Promise<boolean> {
+  try {
+    if (cli === "claude") {
+      const cmd = buildBunWrappedAgentCliCommand("claude", ["auth", "status"], { skipPreload: true });
+      const proc = Bun.spawn(cmd, { stdout: "pipe", stderr: "pipe" });
+      const stdout = await new Response(proc.stdout).text();
+      const exitCode = await proc.exited;
+      return exitCode === 0 && stdout.includes('"loggedIn": true');
+    }
+    // Codex: no simple auth check, assume OK if installed
+    return true;
+  } catch {
+    return false;
+  }
+}
 async function installCli(cli: AgentCliName): Promise<boolean> {
   try {
     // Install into root's bun (arisa has read+execute access)
@@ -246,31 +305,6 @@ async function installCli(cli: AgentCliName): Promise<boolean> {
   }
 }
-/**
- * Read the OAuth token from Claude CLI's credentials file.
- * Claude CLI stores credentials at ~/.claude/.credentials.json after login.
- */
-function readClaudeCredentialsToken(): string | null {
-  const candidateDirs = [
-    isRunningAsRoot() ? "/home/arisa/.claude" : null,
-    join(process.env.HOME || "~", ".claude"),
-  ].filter(Boolean) as string[];
-  for (const dir of candidateDirs) {
-    const credsPath = join(dir, ".credentials.json");
-    if (!existsSync(credsPath)) continue;
-    try {
-      const raw = JSON.parse(readFileSync(credsPath, "utf8"));
-      const token = raw?.claudeAiOauth?.accessToken;
-      if (typeof token === "string" && token.startsWith("sk-ant-") && token.length > 50) {
-        return token;
-      }
-    } catch {
-      // Malformed file, skip
-    }
-  }
-  return null;
-}
 async function runInteractiveLogin(cli: AgentCliName, vars: Record<string, string>): Promise<boolean> {
   const args = cli === "claude"
@@ -280,116 +314,8 @@ async function runInteractiveLogin(cli: AgentCliName, vars: Record<string, strin
   console.log(`Starting ${cli} login...`);
   try {
-    // For claude: capture stdout to extract OAuth token while still showing output
-    if (cli === "claude") {
-      const proc = Bun.spawn(buildBunWrappedAgentCliCommand(cli, args, { skipPreload: true }), {
-        stdin: "inherit",
-        stdout: "pipe",
-        stderr: "inherit",
-      });
-      let output = "";
-      const reader = (proc.stdout as ReadableStream<Uint8Array>).getReader();
-      const decoder = new TextDecoder();
-      while (true) {
-        const { done, value } = await reader.read();
-        if (done) break;
-        const chunk = decoder.decode(value, { stream: true });
-        process.stdout.write(chunk);
-        output += chunk;
-      }
-      const exitCode = await proc.exited;
-      if (exitCode === 0) {
-        // Strip ANSI with a state machine (regex can't handle all Ink sequences)
-        function stripAnsi(s: string): string {
-          let out = "";
-          for (let i = 0; i < s.length; i++) {
-            if (s.charCodeAt(i) === 0x1b) {
-              i++;
-              if (i >= s.length) break;
-              if (s[i] === "[") {
-                // CSI: ESC [ <params 0x20-0x3F>* <final 0x40-0x7E>
-                i++;
-                while (i < s.length && s.charCodeAt(i) < 0x40) i++;
-                // i now on final byte, loop will i++
-              } else if (s[i] === "]") {
-                // OSC: ESC ] ... BEL(0x07) or ST(ESC \)
-                i++;
-                while (i < s.length && s.charCodeAt(i) !== 0x07 && s[i] !== "\x1b") i++;
-              } else if (s[i] === "(" || s[i] === ")" || s[i] === "#") {
-                i++; // skip designator byte
-              }
-              // else: 2-byte Fe sequence, already skipped
-            } else if (s.charCodeAt(i) < 0x20 && s[i] !== "\n" && s[i] !== "\r") {
-              // skip control chars
-            } else {
-              out += s[i];
-            }
-          }
-          return out;
-        }
-        const clean = stripAnsi(output);
-        const startIdx = clean.indexOf("sk-ant-");
-        let token = "";
-        if (startIdx >= 0) {
-          let endIdx = clean.indexOf("Store", startIdx);
-          if (endIdx < 0) endIdx = clean.indexOf("Use this", startIdx);
-          if (endIdx < 0) endIdx = startIdx + 200;
-          const tokenArea = clean.substring(startIdx, endIdx);
-          token = tokenArea.replace(/[^A-Za-z0-9_-]/g, "");
-        }
-        // Fallback: if stdout scraping missed the token, read from Claude CLI's credentials file
-        if (!token || !token.startsWith("sk-ant-") || token.length <= 50 || token.length >= 150) {
-          token = readClaudeCredentialsToken() || "";
-          if (token) {
-            console.log(`  ✓ token read from credentials file`);
-          }
-        }
-        if (token && token.startsWith("sk-ant-") && token.length > 50 && token.length < 150) {
-          console.log(`  [token] ${token.slice(0, 20)}...${token.slice(-6)} (${token.length} chars)`);
-          vars.CLAUDE_CODE_OAUTH_TOKEN = token;
-          process.env.CLAUDE_CODE_OAUTH_TOKEN = token;
-          saveEnv(vars);
-          console.log("  ✓ claude token saved to .env");
-          // Also write credentials file for arisa user when running as root
-          if (isRunningAsRoot()) {
-            const arisaClaudeDir = "/home/arisa/.claude";
-            try {
-              if (!existsSync(arisaClaudeDir)) mkdirSync(arisaClaudeDir, { recursive: true });
-              const credsPath = join(arisaClaudeDir, ".credentials.json");
-              const creds = {
-                claudeAiOauth: {
-                  accessToken: token,
-                  expiresAt: Date.now() + 365 * 24 * 60 * 60 * 1000,
-                  scopes: ["user:inference", "user:profile"],
-                },
-              };
-              writeFileSync(credsPath, JSON.stringify(creds, null, 2) + "\n");
-              Bun.spawnSync(["chown", "-R", "arisa:arisa", arisaClaudeDir]);
-              console.log(`  ✓ credentials written to ${credsPath}`);
-            } catch (e) {
-              console.log(`  ⚠ could not write credentials file: ${e}`);
-            }
-          }
-        } else {
-          console.log(`  ⚠ token not captured (Claude CLI stored credentials internally)`);
-        }
-        console.log(`  ✓ claude login successful`);
-        return true;
-      } else {
-        console.log(`  ✗ claude login failed (exit ${exitCode})`);
-        return false;
-      }
-    }
-    // For codex and others: inherit all stdio
+    // Let the CLI handle its own credential storage (credentials.json / keychain).
+    // Don't intercept stdout or save tokens to .env — the CLI manages refresh internally.
     const proc = Bun.spawn(buildBunWrappedAgentCliCommand(cli, args, { skipPreload: true }), {
       stdin: "inherit",
       stdout: "inherit",
@@ -399,6 +325,16 @@ async function runInteractiveLogin(cli: AgentCliName, vars: Record<string, strin
     if (exitCode === 0) {
       console.log(`  ✓ ${cli} login successful`);
+      // Clean up stale CLAUDE_CODE_OAUTH_TOKEN from .env if present —
+      // it overrides the CLI's own credential store and breaks token refresh.
+      if (cli === "claude" && vars.CLAUDE_CODE_OAUTH_TOKEN) {
+        delete vars.CLAUDE_CODE_OAUTH_TOKEN;
+        delete process.env.CLAUDE_CODE_OAUTH_TOKEN;
+        saveEnv(vars);
+        console.log("  ✓ removed stale CLAUDE_CODE_OAUTH_TOKEN from .env (CLI manages auth internally)");
+      }
       return true;
     } else {
       console.log(`  ✗ ${cli} login failed (exit ${exitCode})`);

package/src/shared/ai-cli.ts CHANGED Viewed

@@ -80,9 +80,11 @@ export function isAgentCliInstalled(cli: AgentCliName): boolean {
 const INK_SHIM = join(dirname(new URL(import.meta.url).pathname), "ink-shim.js");
-// Env vars that must survive the su - login shell reset
+// Env vars that must survive the su - login shell reset.
+// Note: CLAUDE_CODE_OAUTH_TOKEN intentionally excluded — the CLI manages
+// its own credentials via ~/.claude/.credentials.json with token refresh.
+// Injecting a stale accessToken via env var breaks refresh.
 const PASSTHROUGH_VARS = [
-  "CLAUDE_CODE_OAUTH_TOKEN",
   "ANTHROPIC_API_KEY",
   "OPENAI_API_KEY",
 ];