npm - arisa - Versions diffs - 2.3.36 → 2.3.38 - Mend

arisa 2.3.36 → 2.3.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "arisa",
-  "version": "2.3.36",
+  "version": "2.3.38",
   "description": "Arisa - dynamic agent runtime with daemon/core architecture that evolves through user interaction",
   "keywords": [
     "tinyclaw",

package/src/daemon/setup.ts CHANGED Viewed

@@ -140,10 +140,16 @@ export async function runSetup(): Promise<boolean> {
     console.log(`\nConfig saved to ${ENV_PATH}`);
   }
-  // ─── Phase 2: CLI Installation (first run, interactive) ─────────
+  // ─── Phase 2: CLI Installation + Auth ───────────────────────────
-  if (isFirstRun && process.stdin.isTTY) {
-    await setupClis(inq, vars);
+  if (process.stdin.isTTY) {
+    if (isFirstRun) {
+      // First run: offer to install missing CLIs + login
+      await setupClis(inq, vars);
+    } else {
+      // Subsequent runs: check if any installed CLI needs auth, offer login
+      await checkCliAuth(inq, vars);
+    }
   }
   return true;
@@ -228,6 +234,65 @@ async function setupClis(inq: typeof import("@inquirer/prompts") | null, vars: R
   }
 }
+/**
+ * On non-first runs, check if installed CLIs are authenticated.
+ * If not, offer to login interactively.
+ */
+async function checkCliAuth(inq: typeof import("@inquirer/prompts") | null, vars: Record<string, string>) {
+  const clis: AgentCliName[] = [];
+  if (isAgentCliInstalled("claude")) clis.push("claude");
+  if (isAgentCliInstalled("codex")) clis.push("codex");
+  if (clis.length === 0) return;
+  for (const cli of clis) {
+    const authed = await isCliAuthenticated(cli);
+    if (authed) {
+      console.log(`[setup] ${cli} ✓ authenticated`);
+      continue;
+    }
+    console.log(`[setup] ${cli} ✗ not authenticated`);
+    let doLogin = true;
+    if (inq) {
+      doLogin = await inq.confirm({ message: `Log in to ${cli === "claude" ? "Claude" : "Codex"}?`, default: true });
+    } else {
+      const answer = await readLine(`\nLog in to ${cli === "claude" ? "Claude" : "Codex"}? (Y/n): `);
+      doLogin = answer.toLowerCase() !== "n";
+    }
+    if (doLogin) {
+      console.log();
+      await runInteractiveLogin(cli, vars);
+    }
+  }
+}
+/**
+ * Quick probe: is this CLI authenticated?
+ * Claude: check CLAUDE_CODE_OAUTH_TOKEN env/.env, or `claude auth status`
+ * Codex: no simple auth check, assume OK if installed
+ */
+async function isCliAuthenticated(cli: AgentCliName): Promise<boolean> {
+  try {
+    if (cli === "claude") {
+      // setup-token auth: token lives in env var (not .credentials.json)
+      if (process.env.CLAUDE_CODE_OAUTH_TOKEN?.startsWith("sk-ant-")) {
+        console.log(`[setup] claude auth via CLAUDE_CODE_OAUTH_TOKEN env var`);
+        return true;
+      }
+      // Native CLI auth: check `claude auth status`
+      const cmd = buildBunWrappedAgentCliCommand("claude", ["auth", "status"], { skipPreload: true });
+      const proc = Bun.spawn(cmd, { stdout: "pipe", stderr: "pipe" });
+      const stdout = await new Response(proc.stdout).text();
+      const exitCode = await proc.exited;
+      return exitCode === 0 && stdout.includes('"loggedIn": true');
+    }
+    // Codex: no simple auth check, assume OK if installed
+    return true;
+  } catch {
+    return false;
+  }
+}
 async function installCli(cli: AgentCliName): Promise<boolean> {
   try {
     // Install into root's bun (arisa has read+execute access)
@@ -255,8 +320,51 @@ async function runInteractiveLogin(cli: AgentCliName, vars: Record<string, strin
   console.log(`Starting ${cli} login...`);
   try {
-    // Let the CLI handle its own credential storage (credentials.json / keychain).
-    // Don't intercept stdout or save tokens to .env — the CLI manages refresh internally.
+    if (cli === "claude") {
+      // `claude setup-token` generates a long-lived (1 year) OAuth token for
+      // headless/CI environments. It prints the token to stdout but does NOT
+      // write .credentials.json. We must capture it and save to .env.
+      const proc = Bun.spawn(buildBunWrappedAgentCliCommand(cli, args, { skipPreload: true }), {
+        stdin: "inherit",
+        stdout: "pipe",
+        stderr: "inherit",
+      });
+      let output = "";
+      const reader = (proc.stdout as ReadableStream<Uint8Array>).getReader();
+      const decoder = new TextDecoder();
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        const chunk = decoder.decode(value, { stream: true });
+        process.stdout.write(chunk);
+        output += chunk;
+      }
+      const exitCode = await proc.exited;
+      if (exitCode !== 0) {
+        console.log(`  ✗ claude login failed (exit ${exitCode})`);
+        return false;
+      }
+      // Extract token from output (format: sk-ant-oat01-...)
+      const tokenMatch = output.match(/(sk-ant-oat01-[A-Za-z0-9_-]+)/);
+      if (tokenMatch) {
+        const token = tokenMatch[1];
+        console.log(`  [token] ${token.slice(0, 20)}...${token.slice(-6)} (${token.length} chars)`);
+        vars.CLAUDE_CODE_OAUTH_TOKEN = token;
+        process.env.CLAUDE_CODE_OAUTH_TOKEN = token;
+        saveEnv(vars);
+        console.log("  ✓ token saved to .env");
+      } else {
+        console.log("  ⚠ could not extract token from output — set CLAUDE_CODE_OAUTH_TOKEN manually in ~/.arisa/.env");
+      }
+      console.log(`  ✓ claude login successful`);
+      return true;
+    }
+    // For codex and others: inherit all stdio
     const proc = Bun.spawn(buildBunWrappedAgentCliCommand(cli, args, { skipPreload: true }), {
       stdin: "inherit",
       stdout: "inherit",
@@ -266,16 +374,6 @@ async function runInteractiveLogin(cli: AgentCliName, vars: Record<string, strin
     if (exitCode === 0) {
       console.log(`  ✓ ${cli} login successful`);
-      // Clean up stale CLAUDE_CODE_OAUTH_TOKEN from .env if present —
-      // it overrides the CLI's own credential store and breaks token refresh.
-      if (cli === "claude" && vars.CLAUDE_CODE_OAUTH_TOKEN) {
-        delete vars.CLAUDE_CODE_OAUTH_TOKEN;
-        delete process.env.CLAUDE_CODE_OAUTH_TOKEN;
-        saveEnv(vars);
-        console.log("  ✓ removed stale CLAUDE_CODE_OAUTH_TOKEN from .env (CLI manages auth internally)");
-      }
       return true;
     } else {
       console.log(`  ✗ ${cli} login failed (exit ${exitCode})`);

package/src/shared/ai-cli.ts CHANGED Viewed

@@ -81,10 +81,10 @@ export function isAgentCliInstalled(cli: AgentCliName): boolean {
 const INK_SHIM = join(dirname(new URL(import.meta.url).pathname), "ink-shim.js");
 // Env vars that must survive the su - login shell reset.
-// Note: CLAUDE_CODE_OAUTH_TOKEN intentionally excluded — the CLI manages
-// its own credentials via ~/.claude/.credentials.json with token refresh.
-// Injecting a stale accessToken via env var breaks refresh.
+// CLAUDE_CODE_OAUTH_TOKEN is a long-lived (1 year) token from `claude setup-token`
+// — the headless auth method. It must be passed through to the CLI.
 const PASSTHROUGH_VARS = [
+  "CLAUDE_CODE_OAUTH_TOKEN",
   "ANTHROPIC_API_KEY",
   "OPENAI_API_KEY",
 ];