clawborrator-cli 0.0.38 → 0.0.39

package/dist-bundled/claw.cjs

@@ -5226,7 +5226,7 @@ var require_websocket = __commonJS({
     var http = require("http");
     var net = require("net");
     var tls = require("tls");
-    var { randomBytes, createHash } = require("crypto");
+    var { randomBytes: randomBytes2, createHash: createHash2 } = require("crypto");
     var { Duplex, Readable } = require("stream");
     var { URL: URL2 } = require("url");
     var PerMessageDeflate2 = require_permessage_deflate();
@@ -5756,7 +5756,7 @@ var require_websocket = __commonJS({
         }
       }
       const defaultPort = isSecure ? 443 : 80;
-      const key = randomBytes(16).toString("base64");
+      const key = randomBytes2(16).toString("base64");
       const request2 = isSecure ? https.request : http.request;
       const protocolSet = /* @__PURE__ */ new Set();
       let perMessageDeflate;
@@ -5886,7 +5886,7 @@ var require_websocket = __commonJS({
           abortHandshake(websocket, socket, "Invalid Upgrade header");
           return;
         }
-        const digest = createHash("sha1").update(key + GUID).digest("base64");
+        const digest = createHash2("sha1").update(key + GUID).digest("base64");
         if (res.headers["sec-websocket-accept"] !== digest) {
           abortHandshake(websocket, socket, "Invalid Sec-WebSocket-Accept header");
           return;
@@ -6253,7 +6253,7 @@ var require_websocket_server = __commonJS({
     var EventEmitter = require("events");
     var http = require("http");
     var { Duplex } = require("stream");
-    var { createHash } = require("crypto");
+    var { createHash: createHash2 } = require("crypto");
     var extension2 = require_extension();
     var PerMessageDeflate2 = require_permessage_deflate();
     var subprotocol2 = require_subprotocol();
@@ -6554,7 +6554,7 @@ var require_websocket_server = __commonJS({
           );
         }
         if (this._state > RUNNING) return abortHandshake(socket, 503);
-        const digest = createHash("sha1").update(key + GUID).digest("base64");
+        const digest = createHash2("sha1").update(key + GUID).digest("base64");
         const headers = [
           "HTTP/1.1 101 Switching Protocols",
           "Upgrade: websocket",
@@ -63997,6 +63997,11 @@ var {
   Help
 } = import_index.default;
 
+// src/commands/login.ts
+var import_node_http = require("node:http");
+var import_node_crypto = require("node:crypto");
+var import_node_child_process = require("node:child_process");
+
 // src/config.ts
 var import_node_os = require("node:os");
 var import_node_path = require("node:path");
@@ -64005,7 +64010,7 @@ var CONFIG_DIR = (0, import_node_path.resolve)((0, import_node_os.homedir)(), ".
 var CONFIG_PATH = (0, import_node_path.resolve)(CONFIG_DIR, "config.json");
 var DEFAULTS = {
   hubUrl: process.env.CLAWBORRATOR_HUB ?? "http://localhost:8787",
-  pat: null
+  sessionToken: null
 };
 function loadConfig() {
   if (!(0, import_node_fs.existsSync)(CONFIG_PATH)) return { ...DEFAULTS };
@@ -64014,7 +64019,11 @@ function loadConfig() {
     const parsed = JSON.parse(raw);
     return {
       hubUrl: parsed.hubUrl?.trim() || DEFAULTS.hubUrl,
-      pat: parsed.pat ?? null
+      // Forward-migrate a legacy `pat` field. The token itself is now
+      // dead on the server side, but carrying it forward avoids loud
+      // "config corrupt" errors — the next API call will 401 cleanly
+      // and prompt re-login.
+      sessionToken: parsed.sessionToken ?? parsed.pat ?? null
     };
   } catch {
     return { ...DEFAULTS };
@@ -64030,9 +64039,9 @@ function saveConfig(cfg) {
   } catch {
   }
 }
-function clearPat() {
+function clearSession() {
   const cfg = loadConfig();
-  saveConfig({ ...cfg, pat: null });
+  saveConfig({ ...cfg, sessionToken: null });
 }
 
 // src/client/api.ts
@@ -64047,10 +64056,10 @@ var ApiError = class extends Error {
 async function request(method, path, body, opts = {}) {
   const cfg = loadConfig();
   const hubUrl = (opts.hubUrl ?? cfg.hubUrl).replace(/\/$/, "");
-  const pat = opts.pat === void 0 ? cfg.pat : opts.pat;
+  const token = opts.token === void 0 ? cfg.sessionToken : opts.token;
   const headers = {};
   if (body !== void 0) headers["Content-Type"] = "application/json";
-  if (pat) headers["Authorization"] = `Bearer ${pat}`;
+  if (token) headers["Authorization"] = `Bearer ${token}`;
   const res = await fetch(`${hubUrl}${path}`, {
     method,
     headers,
@@ -64082,61 +64091,113 @@ var api = {
 };
 
 // src/commands/login.ts
-async function deviceFlowLogin(hubUrl) {
-  const start = await api.post("/api/v1/auth/device/start", {}, { hubUrl, pat: null });
-  console.log("To continue, open:");
-  console.log(`    ${start.verificationUri}`);
-  console.log(`and enter the code: ${start.userCode}`);
+function base64url(buf) {
+  return buf.toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function openBrowser(url) {
+  const platform2 = process.platform;
+  const cmd = platform2 === "win32" ? "cmd" : platform2 === "darwin" ? "open" : "xdg-open";
+  const args = platform2 === "win32" ? ["/c", "start", '""', url] : [url];
+  try {
+    (0, import_node_child_process.spawn)(cmd, args, { stdio: "ignore", detached: true }).unref();
+  } catch {
+  }
+}
+function awaitCallback(server) {
+  return new Promise((resolve3, reject) => {
+    server.on("request", (req, res) => {
+      const u = new URL(req.url ?? "/", "http://localhost");
+      if (u.pathname !== "/callback") {
+        res.statusCode = 404;
+        res.end("not found");
+        return;
+      }
+      const code = u.searchParams.get("code") ?? "";
+      const state = u.searchParams.get("state") ?? "";
+      const error = u.searchParams.get("error");
+      if (error) {
+        res.setHeader("Content-Type", "text/html; charset=utf-8");
+        res.end(`<html><body><h2>login failed: ${error}</h2><p>you can close this tab.</p></body></html>`);
+        reject(new Error(`oauth error: ${error}`));
+        return;
+      }
+      if (!code || !state) {
+        res.statusCode = 400;
+        res.end("missing code or state");
+        reject(new Error("callback missing code or state"));
+        return;
+      }
+      res.setHeader("Content-Type", "text/html; charset=utf-8");
+      res.end("<html><body><h2>logged in</h2><p>you can close this tab and return to the terminal.</p><script>setTimeout(() => window.close(), 1500);</script></body></html>");
+      resolve3({ code, state });
+    });
+    server.on("error", reject);
+  });
+}
+async function browserOAuthFlow(hubUrl) {
+  const verifier = base64url((0, import_node_crypto.randomBytes)(32));
+  const challenge = base64url((0, import_node_crypto.createHash)("sha256").update(verifier).digest());
+  const state = base64url((0, import_node_crypto.randomBytes)(16));
+  const server = (0, import_node_http.createServer)();
+  await new Promise((resolve3, reject) => {
+    server.once("error", reject);
+    server.listen(0, "127.0.0.1", () => resolve3());
+  });
+  const port = server.address().port;
+  const redirectUri = `http://localhost:${port}/callback`;
+  const startUrl = new URL("/api/v1/auth/oauth/start", hubUrl);
+  startUrl.searchParams.set("redirect_uri", redirectUri);
+  startUrl.searchParams.set("state", state);
+  startUrl.searchParams.set("code_challenge", challenge);
+  startUrl.searchParams.set("code_challenge_method", "S256");
+  console.log("opening browser to authenticate with GitHub\u2026");
+  console.log(`  if it doesn't open automatically, paste this URL into a browser:`);
+  console.log(`    ${startUrl}`);
   console.log("");
-  process.stdout.write("waiting for authorization");
-  let intervalSec = start.intervalSeconds || 5;
-  const deadline = new Date(start.expiresAt).getTime();
-  for (; ; ) {
-    if (Date.now() > deadline) {
-      console.log("");
-      throw new Error("device code expired before authorization completed");
-    }
-    await new Promise((r) => setTimeout(r, intervalSec * 1e3));
-    const poll = await api.get(
-      `/api/v1/auth/device/poll?id=${encodeURIComponent(start.pollingId)}`,
-      { hubUrl, pat: null }
-    );
-    if (poll.status === "pending") {
-      process.stdout.write(".");
-      if (poll.intervalSeconds) intervalSec = poll.intervalSeconds;
-      continue;
-    }
-    if (poll.status === "expired") {
-      console.log("");
-      throw new Error("device code expired");
-    }
-    if (poll.status === "denied") {
-      console.log("");
-      throw new Error("authorization denied");
-    }
-    if (poll.status === "granted" && poll.user && poll.pat) {
-      console.log("");
-      return { user: poll.user, pat: poll.pat };
+  openBrowser(startUrl.toString());
+  let cb;
+  try {
+    cb = await Promise.race([
+      awaitCallback(server),
+      new Promise(
+        (_, reject) => setTimeout(() => reject(new Error("login timed out after 5 minutes")), 5 * 60 * 1e3)
+      )
+    ]);
+  } finally {
+    server.close();
+  }
+  if (cb.state !== state) throw new Error("state mismatch \u2014 possible CSRF; aborting");
+  const res = await fetch(hubUrl.replace(/\/$/, "") + "/api/v1/auth/oauth/token", {
+    method: "POST",
+    headers: { "Content-Type": "application/json", "User-Agent": "clawborrator-cli" },
+    body: JSON.stringify({ code: cb.code, code_verifier: verifier })
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    let parsed = null;
+    try {
+      parsed = JSON.parse(text);
+    } catch {
     }
-    console.log("");
-    throw new Error(`unexpected poll status: ${poll.status}`);
+    throw new ApiError(res.status, parsed?.error ?? `http_${res.status}`, parsed?.message ?? parsed?.error ?? text);
   }
+  return res.json();
 }
-var loginCmd = new Command("login").description("authenticate against a hub_v1 instance via GitHub device-flow OAuth").option("--hub <url>", "hub URL to use (defaults to config or http://localhost:8787)").action(async (opts) => {
+var loginCmd = new Command("login").description("authenticate against a hub_v1 instance via GitHub OAuth (browser callback)").option("--hub <url>", "hub URL to use (defaults to config or http://localhost:8787)").action(async (opts) => {
   const cfg = loadConfig();
   const hubUrl = opts.hub ?? cfg.hubUrl;
   try {
-    const { user, pat } = await deviceFlowLogin(hubUrl);
-    saveConfig({ hubUrl, pat: pat.token });
+    const { user, session } = await browserOAuthFlow(hubUrl);
+    saveConfig({ hubUrl, sessionToken: session.token });
     console.log(`logged in as @${user.githubLogin}`);
-    console.log(`hub:    ${hubUrl}`);
-    console.log(`PAT:    ${pat.prefix}\u2026  (stored in ~/.clawborrator/config.json)`);
+    console.log(`hub:        ${hubUrl}`);
+    console.log(`session:    ${session.token.slice(0, 16)}\u2026  (stored in ~/.clawborrator/config.json)`);
+    console.log(`expires at: ${session.expiresAt}`);
   } catch (e) {
     if (e instanceof ApiError && e.status === 503) {
       console.error("error: this hub does not have GitHub OAuth configured");
-      console.error("       hub operator must register a GitHub OAuth App with device flow enabled");
-      console.error("       and start the hub with GITHUB_CLIENT_ID=Iv1.xxxxxx");
-      console.error("       see hub_v1/docs/SETUP.md for step-by-step");
+      console.error("       hub operator must register a GitHub OAuth App, set GITHUB_CLIENT_ID +");
+      console.error("       GITHUB_CLIENT_SECRET, and add the callback URL.");
       process.exit(2);
     }
     throw e;
@@ -64144,34 +64205,27 @@ var loginCmd = new Command("login").description("authenticate against a hub_v1 i
 });
 
 // src/commands/logout.ts
-var logoutCmd = new Command("logout").description("forget the locally-stored PAT").option("--keep-server", "do not revoke the PAT server-side (default: revoke)").action(async (opts) => {
+var logoutCmd = new Command("logout").description("forget the locally-stored session token").option("--keep-server", "do not revoke the session server-side (default: revoke)").action(async (opts) => {
   const cfg = loadConfig();
-  if (!cfg.pat) {
+  if (!cfg.sessionToken) {
     console.log("not logged in; nothing to do");
     return;
   }
   if (!opts.keepServer) {
     try {
-      const me = await api.get("/api/v1/me");
-      const list3 = await api.get(
-        "/api/v1/tokens?kind=pat"
-      );
-      const target = list3.items.find((t) => cfg.pat.startsWith(t.prefix) && !t.revokedAt);
-      if (target) {
-        await api.delete(`/api/v1/tokens/${target.id}`);
-      }
+      await api.post("/api/v1/auth/logout");
     } catch (e) {
       console.warn(`warning: server-side revoke failed: ${e?.message ?? e}`);
     }
   }
-  clearPat();
-  console.log("logged out (PAT cleared from local config)");
+  clearSession();
+  console.log("logged out (session cleared from local config)");
 });
 
 // src/commands/whoami.ts
 var whoamiCmd = new Command("whoami").description("show the currently authenticated user").action(async () => {
   const cfg = loadConfig();
-  if (!cfg.pat) {
+  if (!cfg.sessionToken) {
     console.log("not logged in \u2014 run: claw login");
     return;
   }
@@ -64181,7 +64235,7 @@ var whoamiCmd = new Command("whoami").description("show the currently authentica
     console.log(`hub:  ${cfg.hubUrl}`);
   } catch (e) {
     if (e instanceof ApiError && e.status === 401) {
-      console.error("error: PAT rejected by hub. Run: claw login");
+      console.error("error: session rejected by hub. Run: claw login");
       process.exit(2);
     }
     throw e;
@@ -67702,7 +67756,7 @@ var sessionAttach = new Command("attach").description("open a TUI on a session \
   if (opts.debug) debugMode = true;
   if (opts.status === false) statusEnabled = false;
   const cfg = loadConfig();
-  if (!cfg.pat) {
+  if (!cfg.sessionToken) {
     console.error("error: not logged in. run `claw login`.");
     process.exit(2);
   }
@@ -67790,7 +67844,7 @@ var sessionAttach = new Command("attach").description("open a TUI on a session \
   let reconnectAttempt = 0;
   let reconnectTimer = null;
   function connect() {
-    ws = new wrapper_default(wsUrl, { headers: { Authorization: `Bearer ${cfg.pat}` } });
+    ws = new wrapper_default(wsUrl, { headers: { Authorization: `Bearer ${cfg.sessionToken}` } });
     ws.on("open", () => {
       if (reconnectAttempt > 0) {
         say(`${DIM2}[${ts()}]${RESET2} ${AMBER}reconnected${RESET2} to ${cfg.hubUrl}`);
@@ -68488,112 +68542,57 @@ var sessionCmd = new Command("session").description("manage Claude Code sessions
 // src/commands/token.ts
 var import_node_fs2 = require("node:fs");
 var import_node_path2 = require("node:path");
-
-// ../shared/dist/scopes.js
-var ALL_SCOPES = [
-  "me:read",
-  "sessions:read",
-  "sessions:read.transcript",
-  "sessions:write",
-  // archive/purge/share/unshare
-  "sessions:approve",
-  // permission decisions
-  "sessions:share",
-  "op-messages:read",
-  "op-messages:write",
-  "prompts:write",
-  "webhooks:manage",
-  "tokens:manage"
-];
-var CLI_DEFAULT_SCOPES = [
-  "me:read",
-  "sessions:read",
-  "sessions:read.transcript",
-  "sessions:write",
-  "sessions:approve",
-  "sessions:share",
-  "op-messages:read",
-  "op-messages:write",
-  "prompts:write",
-  "webhooks:manage",
-  "tokens:manage"
-];
-
-// src/commands/token.ts
-var tokenMint = new Command("mint").description("create a new token").requiredOption("--kind <kind>", "channel | pat").requiredOption("--name <name>", 'human-readable label (e.g. "alice-laptop")').option("--scopes <csv>", "comma-separated scopes (PAT only); default = sensible CLI set").option("--app <name>", "pin the PAT to a specific app (display only)").option("--mcp-snippet", "after minting a channel token, also produce a ready-to-use .mcp.json block. By default writes to stdout (prose to stderr); pair with --out=<path> to write the file directly (recommended on Windows \u2014 `>` redirection in PowerShell encodes as UTF-16 w/ BOM, which CC rejects).").option("--out <path>", "when used with --mcp-snippet, write the JSON to <path> (UTF-8, no BOM) instead of stdout. Pass `.mcp.json` for the canonical project location.").action(async (opts) => {
-  if (opts.kind === "channel") {
-    const out = await api.post("/api/v1/tokens/channel", { name: opts.name });
-    const proseToStderr = opts.mcpSnippet && !opts.out;
-    const prose = proseToStderr ? console.error : console.log;
-    prose(`\u2713 channel token minted: ${out.name}`);
-    prose(`  ${out.token}`);
-    prose("  (shown ONCE \u2014 store it now)");
-    if (opts.mcpSnippet) {
-      const cfg = loadConfig();
-      const wsUrl = cfg.hubUrl.replace(/^http(s?):\/\//, "ws$1://");
-      const json = JSON.stringify({
-        mcpServers: {
-          clawborrator: {
-            command: "npx",
-            args: ["-y", "clawborrator-mcp"],
-            env: {
-              CLAWBORRATOR_HUB_URL: wsUrl,
-              CLAWBORRATOR_TOKEN: out.token
-            }
-          }
-        }
-      }, null, 2) + "\n";
-      if (opts.out) {
-        const target = (0, import_node_path2.resolve)(opts.out);
-        (0, import_node_fs2.writeFileSync)(target, json, "utf8");
-        prose("");
-        prose(`\u2713 wrote ${target}`);
-      } else {
-        process.stdout.write(json);
-      }
+var tokenMint = new Command("mint").description("create a new channel token").requiredOption("--name <name>", 'human-readable label (e.g. "alice-laptop")').option("--mcp-snippet", "after minting, also produce a ready-to-use .mcp.json block. By default writes to stdout (prose to stderr); pair with --out=<path> to write the file directly (recommended on Windows \u2014 `>` redirection in PowerShell encodes as UTF-16 w/ BOM, which CC rejects).").option("--out <path>", "when used with --mcp-snippet, write the JSON to <path> (UTF-8, no BOM) instead of stdout. Pass `.mcp.json` for the canonical project location.").action(async (opts) => {
+  const out = await api.post("/api/v1/tokens/channel", { name: opts.name });
+  const proseToStderr = opts.mcpSnippet && !opts.out;
+  const prose = proseToStderr ? console.error : console.log;
+  prose(`\u2713 channel token minted: ${out.name}`);
+  prose(`  ${out.token}`);
+  prose("  (shown ONCE \u2014 store it now)");
+  if (opts.mcpSnippet) {
+    const cfg = loadConfig();
+    const wsUrl = cfg.hubUrl.replace(/^http(s?):\/\//, "ws$1://");
+    const json = JSON.stringify({
+      mcpServers: {
+        clawborrator: {
+          command: "npx",
+          args: ["-y", "clawborrator-mcp"],
+          env: {
+            CLAWBORRATOR_HUB_URL: wsUrl,
+            CLAWBORRATOR_TOKEN: out.token
+          }
+        }
+      }
+    }, null, 2) + "\n";
+    if (opts.out) {
+      const target = (0, import_node_path2.resolve)(opts.out);
+      (0, import_node_fs2.writeFileSync)(target, json, "utf8");
       prose("");
-      prose("  next: launch CC with the clawborrator channel enabled \u2014");
-      prose("    claude --dangerously-load-development-channels server:clawborrator");
+      prose(`\u2713 wrote ${target}`);
+    } else {
+      process.stdout.write(json);
     }
-    return;
-  }
-  if (opts.kind === "pat") {
-    const scopes = opts.scopes ? opts.scopes.split(",").map((s) => s.trim()).filter(Boolean) : CLI_DEFAULT_SCOPES;
-    const out = await api.post("/api/v1/tokens/pat", {
-      name: opts.name,
-      scopes,
-      appName: opts.app ?? null
-    });
-    console.log(`\u2713 PAT minted: ${out.name}`);
-    console.log(`  ${out.token}`);
-    console.log(`  scopes: ${out.scopes.join(", ")}`);
-    console.log("  (shown ONCE \u2014 store it now)");
-    return;
+    prose("");
+    prose("  next: launch CC with the clawborrator channel enabled \u2014");
+    prose("    claude --dangerously-load-development-channels server:clawborrator");
   }
-  console.error(`error: --kind must be channel or pat (got ${opts.kind})`);
-  process.exit(2);
 });
-var tokenList = new Command("list").alias("ls").description("list tokens (channel + PAT) for the current user").option("--kind <kind>", "narrow to one kind").action(async (opts) => {
-  const qs = opts.kind ? `?kind=${encodeURIComponent(opts.kind)}` : "";
-  const data = await api.get(`/api/v1/tokens${qs}`);
+var tokenList = new Command("list").alias("ls").description("list channel tokens for the current user").action(async () => {
+  const data = await api.get("/api/v1/tokens");
   if (data.items.length === 0) {
-    console.log("no active tokens");
+    console.log("no active channel tokens");
     return;
   }
   for (const t of data.items) {
     const used = t.lastUsedAt ? `last used ${fmtAgo2(t.lastUsedAt)}` : "never used";
-    const meta = t.kind === "pat" ? ` scopes=${t.scopes.length}${t.appName ? ` app=${t.appName}` : ""}` : "";
-    console.log(`${t.id.toString().padStart(3)}  ${t.kind.padEnd(7)}  ${t.prefix}\u2026  ${t.name.padEnd(28)} ${used}${meta}`);
+    console.log(`${t.id.toString().padStart(3)}  ${t.prefix}\u2026  ${t.name.padEnd(28)} ${used}`);
   }
 });
-var tokenRevoke = new Command("revoke").description("revoke a token by id").argument("<id>", "token id (from `claw token list`)").action(async (id) => {
+var tokenRevoke = new Command("revoke").description("revoke a channel token by id").argument("<id>", "token id (from `claw token list`)").action(async (id) => {
   await api.delete(`/api/v1/tokens/${encodeURIComponent(id)}`);
   console.log(`\u2713 token ${id} revoked`);
 });
-var tokenScopes = new Command("scopes").description("print every valid scope name").action(() => {
-  for (const s of ALL_SCOPES) console.log(s);
-});
-var tokenCmd = new Command("token").description("mint, list, and revoke channel tokens + PATs").addCommand(tokenMint).addCommand(tokenList).addCommand(tokenRevoke).addCommand(tokenScopes);
+var tokenCmd = new Command("token").description("mint, list, and revoke channel tokens").addCommand(tokenMint).addCommand(tokenList).addCommand(tokenRevoke);
 function fmtAgo2(iso) {
   const ms = Date.now() - new Date(iso).getTime();
   if (ms < 6e4) return Math.max(1, Math.floor(ms / 1e3)) + "s ago";
@@ -68703,7 +68702,7 @@ var webhookCmd = new Command("webhook").description("manage webhook subscription
 
 // src/index.ts
 var program2 = new Command();
-program2.name("claw").description("clawborrator CLI \u2014 control your Claude Code sessions from the terminal").version("0.0.38");
+program2.name("claw").description("clawborrator CLI \u2014 control your Claude Code sessions from the terminal").version("0.0.39");
 program2.addCommand(loginCmd);
 program2.addCommand(logoutCmd);
 program2.addCommand(whoamiCmd);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clawborrator-cli",
-  "version": "0.0.38",
+  "version": "0.0.39",
   "type": "module",
   "description": "claw — command-line client for clawborrator hub_v1. Manages PATs, channel tokens, sessions, cross-session routing, and webhooks; ships an inline TUI for live multi-operator session attach.",
   "license": "MIT",