coolhand-cli 0.1.0

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,119 @@
+# coolhand-cli
+
+Command-line authentication helper for [Coolhand](https://coolhandlabs.com). Opens a browser, captures your public API token via a localhost callback (same flow as `gh auth login` and `gcloud auth login`), and stores it in `~/.coolhand/config.json`.
+
+## Install
+
+One-shot, no install:
+```bash
+npx coolhand-cli login
+```
+
+Globally:
+```bash
+npm install -g coolhand-cli
+coolhand login
+```
+
+Requires Node 20 or newer.
+
+## Commands
+
+```
+coolhand login    [--base-url URL] [--write-env PATH] [--client-id ID] [--json]
+coolhand logout   [--client-id ID | --all] [--json]
+coolhand status   [--client-id ID] [--json]
+coolhand whoami   [--client-id ID]
+coolhand clients [use <id>] [--json]
+```
+
+### login
+
+Opens your browser to the Coolhand consent page, listens on `127.0.0.1` for the callback, and stores the returned token. The token is the **public** `api_key` for the client you select — the same key you would use with `coolhand-node`, `coolhand-python`, or the `coolhand-js` widget.
+
+`--write-env PATH` will additionally set `COOLHAND_API_KEY=<token>` in the target `.env` file (idempotent — replaces an existing value rather than appending a duplicate).
+
+### status
+
+`coolhand status --json` is the programmatic check used by integrations:
+
+```json
+{
+  "configured": true,
+  "clients": [
+    {"client_id": "acme", "client_name": "Acme Inc",
+     "masked_token": "e885b463…1148", "base_url": "https://coolhandlabs.com"}
+  ],
+  "default_client_id": "acme"
+}
+```
+
+Exit code is `0` if a token is configured for the default (or requested) client, `1` otherwise.
+
+### clients
+
+Multiple clients can be stored at once. `coolhand clients` lists them, `coolhand clients use <id>` switches the default. Each `coolhand login` adds (or refreshes) one entry, keyed by the server-assigned `client_id`.
+
+## Security
+
+- The callback listener binds to `127.0.0.1` only — never reachable from the LAN.
+- Tokens are delivered through a one-shot localhost redirect; subsequent calls to the listener get `410 Gone`.
+- CSRF protection: every login generates a random `state` value verified with `crypto.timingSafeEqual` before any token is accepted.
+- `~/.coolhand/config.json` is written atomically with mode `0o600`; the parent directory is `0o700`.
+- Raw tokens are never printed to stdout or stderr. JSON output uses a masked form (e.g. `e885b463…1148`).
+- Zero runtime dependencies — minimal supply-chain surface for the auth flow.
+
+## Programmatic use
+
+```ts
+import { run, loadConfig, getClient, maskToken } from 'coolhand-cli';
+
+await run(['login', '--json']);
+
+const cfg = await loadConfig();
+const client = getClient(cfg);
+console.log(maskToken(client!.api_key));
+```
+
+The CLI is shipped as an ES module. Importers must be ESM as well, or use a dynamic `import()`.
+
+## Use with AI agents
+
+coolhand-cli is designed to be invoked by AI agents and automated workflows, not just humans at a terminal. Two patterns make this straightforward:
+
+**Check auth before starting work:**
+```bash
+coolhand status --json   # exit 0 = token present, exit 1 = not configured
+```
+
+**Wire up the API key in one step:**
+```bash
+coolhand login --write-env .env
+# sets COOLHAND_API_KEY=<token> in .env, idempotent on re-run
+```
+
+The CLI works especially well with the [Coolhand feedback collection skill](https://github.com/Coolhand-Labs/feedback-collection-skill) for Claude Code. The skill scans your project for LLM inference calls and implements best-practice human feedback collection — it reads `COOLHAND_API_KEY` from the environment, which `coolhand login --write-env .env` puts in place.
+
+## Configuration file
+
+Located at `$HOME/.coolhand/config.json` (override with `COOLHAND_CONFIG_DIR` for testing). Schema:
+
+```json
+{
+  "version": 1,
+  "default_client_id": "acme",
+  "clients": {
+    "acme": {
+      "client_id": "acme",
+      "client_name": "Acme Inc",
+      "api_key": "e885b463541f1d1c6002268f32bbb7c82d9a350437bd587eb429504005831148",
+      "base_url": "https://coolhandlabs.com",
+      "saved_at": "2026-05-12T18:04:11.000Z"
+    }
+  }
+}
+```
+
+## License
+
+Apache-2.0

package/dist/auth/callback-server.d.ts

@@ -0,0 +1,13 @@
+import type { CallbackResult } from '../types.js';
+export interface StartCallbackServerOptions {
+    expectedState: string;
+    timeoutMs: number;
+    signal?: AbortSignal;
+}
+export interface CallbackServerHandle {
+    port: number;
+    result: Promise<CallbackResult>;
+    close(): Promise<void>;
+}
+export declare function startCallbackServer(opts: StartCallbackServerOptions): Promise<CallbackServerHandle>;
+//# sourceMappingURL=callback-server.d.ts.map

package/dist/auth/callback-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback-server.d.ts","sourceRoot":"","sources":["../../src/auth/callback-server.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAIlD,MAAM,WAAW,0BAA0B;IACzC,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IAChC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB;AAED,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,0BAA0B,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAwJzG"}

package/dist/auth/callback-server.js

@@ -0,0 +1,133 @@
+import { createServer } from 'http';
+import { CliError } from '../errors.js';
+import { safeEqual } from './state.js';
+import { SUCCESS_HTML, errorHtml } from './success-page.js';
+const LOOPBACK = '127.0.0.1';
+export async function startCallbackServer(opts) {
+    let resolveResult;
+    let rejectResult;
+    const result = new Promise((resolve, reject) => {
+        resolveResult = resolve;
+        rejectResult = reject;
+    });
+    let consumed = false;
+    let timer;
+    const server = createServer((req, res) => {
+        handleRequest(req, res);
+    });
+    function closeServerSoon() {
+        setImmediate(() => {
+            server.close();
+        });
+    }
+    function handleRequest(req, res) {
+        const url = new URL(req.url ?? '/', `http://${LOOPBACK}`);
+        if (req.method !== 'GET') {
+            res.statusCode = 405;
+            res.setHeader('Allow', 'GET');
+            res.end();
+            return;
+        }
+        if (url.pathname !== '/callback') {
+            res.statusCode = 404;
+            res.end();
+            return;
+        }
+        if (consumed) {
+            res.statusCode = 410;
+            res.setHeader('Content-Type', 'text/html; charset=utf-8');
+            res.end(errorHtml('This callback has already been processed. You can close this tab.'));
+            return;
+        }
+        const token = url.searchParams.get('token');
+        const state = url.searchParams.get('state');
+        const clientName = url.searchParams.get('client_name');
+        const clientId = url.searchParams.get('client_id');
+        if (!state || !safeEqual(state, opts.expectedState)) {
+            consumed = true;
+            res.statusCode = 400;
+            res.setHeader('Content-Type', 'text/html; charset=utf-8');
+            res.end(errorHtml('State parameter mismatch. This may be a forged or stale request.'));
+            rejectResult(new CliError('STATE_MISMATCH', 'Callback state did not match the expected value.'));
+            closeServerSoon();
+            return;
+        }
+        if (!token || !clientId || !clientName) {
+            consumed = true;
+            res.statusCode = 400;
+            res.setHeader('Content-Type', 'text/html; charset=utf-8');
+            res.end(errorHtml('Callback was missing required parameters.'));
+            rejectResult(new CliError('INVALID_CALLBACK', 'Callback was missing token, client_id, or client_name. Make sure your Coolhand server is up to date.'));
+            closeServerSoon();
+            return;
+        }
+        consumed = true;
+        res.statusCode = 200;
+        res.setHeader('Content-Type', 'text/html; charset=utf-8');
+        res.end(SUCCESS_HTML);
+        resolveResult({ token, clientName, clientId });
+        closeServerSoon();
+    }
+    await new Promise((resolve, reject) => {
+        server.once('error', reject);
+        server.listen(0, LOOPBACK, () => {
+            server.removeListener('error', reject);
+            resolve();
+        });
+    });
+    const address = server.address();
+    if (!address || typeof address === 'string') {
+        server.close();
+        throw new CliError('INVALID_REDIRECT_URI', 'Could not determine local callback port.');
+    }
+    const port = address.port;
+    timer = setTimeout(() => {
+        if (!consumed) {
+            consumed = true;
+            rejectResult(new CliError('TIMEOUT', `No callback received within ${opts.timeoutMs}ms.`));
+            closeServerSoon();
+        }
+    }, opts.timeoutMs);
+    timer.unref?.();
+    if (opts.signal) {
+        if (opts.signal.aborted) {
+            if (!consumed) {
+                consumed = true;
+                rejectResult(new CliError('TIMEOUT', 'Operation aborted before callback received.'));
+                closeServerSoon();
+            }
+        }
+        else {
+            opts.signal.addEventListener('abort', () => {
+                if (!consumed) {
+                    consumed = true;
+                    rejectResult(new CliError('TIMEOUT', 'Operation aborted before callback received.'));
+                    closeServerSoon();
+                }
+            }, { once: true });
+        }
+    }
+    const cleanup = () => {
+        if (timer) {
+            clearTimeout(timer);
+            timer = undefined;
+        }
+    };
+    result.finally(cleanup).catch(() => undefined);
+    async function close() {
+        cleanup();
+        if (!consumed) {
+            consumed = true;
+            rejectResult(new CliError('TIMEOUT', 'Callback server closed before receiving a request.'));
+        }
+        await new Promise((resolve) => {
+            if (!server.listening) {
+                resolve();
+                return;
+            }
+            server.close(() => resolve());
+        });
+    }
+    return { port, result, close };
+}
+//# sourceMappingURL=callback-server.js.map

package/dist/auth/callback-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback-server.js","sourceRoot":"","sources":["../../src/auth/callback-server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAA2C,MAAM,MAAM,CAAC;AAE7E,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AACxC,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAG5D,MAAM,QAAQ,GAAG,WAAW,CAAC;AAc7B,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAAgC;IACxE,IAAI,aAA+C,CAAC;IACpD,IAAI,YAAmC,CAAC;IACxC,MAAM,MAAM,GAAG,IAAI,OAAO,CAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC7D,aAAa,GAAG,OAAO,CAAC;QACxB,YAAY,GAAG,MAAM,CAAC;IACxB,CAAC,CAAC,CAAC;IAEH,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,KAAiC,CAAC;IAEtC,MAAM,MAAM,GAAW,YAAY,CAAC,CAAC,GAAoB,EAAE,GAAmB,EAAE,EAAE;QAChF,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;IAEH,SAAS,eAAe;QACtB,YAAY,CAAC,GAAG,EAAE;YAChB,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,CAAC,CAAC,CAAC;IACL,CAAC;IAED,SAAS,aAAa,CAAC,GAAoB,EAAE,GAAmB;QAC9D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,UAAU,QAAQ,EAAE,CAAC,CAAC;QAE1D,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YACzB,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;YACrB,GAAG,CAAC,SAAS,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YAC9B,GAAG,CAAC,GAAG,EAAE,CAAC;YACV,OAAO;QACT,CAAC;QAED,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YACjC,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;YACrB,GAAG,CAAC,GAAG,EAAE,CAAC;YACV,OAAO;QACT,CAAC;QAED,IAAI,QAAQ,EAAE,CAAC;YACb,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;YACrB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;YAC1D,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,mEAAmE,CAAC,CAAC,CAAC;YACxF,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QACvD,MAAM,QAAQ,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAEnD,IAAI,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;YACpD,QAAQ,GAAG,IAAI,CAAC;YAChB,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;YACrB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;YAC1D,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,kEAAkE,CAAC,CAAC,CAAC;YACvF,YAAY,CAAC,IAAI,QAAQ,CAAC,gBAAgB,EAAE,kDAAkD,CAAC,CAAC,CAAC;YACjG,eAAe,EAAE,CAAC;YAClB,OAAO;QACT,CAAC;QAED,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,IAAI,CAAC,UAAU,EAAE,CAAC;YACvC,QAAQ,GAAG,IAAI,CAAC;YAChB,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;YACrB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;YAC1D,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,2CAA2C,CAAC,CAAC,CAAC;YAChE,YAAY,CACV,IAAI,QAAQ,CACV,kBAAkB,EAClB,sGAAsG,CACvG,CACF,CAAC;YACF,eAAe,EAAE,CAAC;YAClB,OAAO;QACT,CAAC;QAED,QAAQ,GAAG,IAAI,CAAC;QAChB,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;QACrB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;QAC1D,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACtB,aAAa,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC/C,eAAe,EAAE,CAAC;IACpB,CAAC;IAED,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7B,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE;YAC9B,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACvC,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAAwB,CAAC;IACvD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC5C,MAAM,CAAC,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,QAAQ,CAAC,sBAAsB,EAAE,0CAA0C,CAAC,CAAC;IACzF,CAAC;IACD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAE1B,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;QACtB,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,QAAQ,GAAG,IAAI,CAAC;YAChB,YAAY,CAAC,IAAI,QAAQ,CAAC,SAAS,EAAE,+BAA+B,IAAI,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC;YAC1F,eAAe,EAAE,CAAC;QACpB,CAAC;IACH,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;IACnB,KAAK,CAAC,KAAK,EAAE,EAAE,CAAC;IAEhB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACxB,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,QAAQ,GAAG,IAAI,CAAC;gBAChB,YAAY,CAAC,IAAI,QAAQ,CAAC,SAAS,EAAE,6CAA6C,CAAC,CAAC,CAAC;gBACrF,eAAe,EAAE,CAAC;YACpB,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAC1B,OAAO,EACP,GAAG,EAAE;gBACH,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,QAAQ,GAAG,IAAI,CAAC;oBAChB,YAAY,CAAC,IAAI,QAAQ,CAAC,SAAS,EAAE,6CAA6C,CAAC,CAAC,CAAC;oBACrF,eAAe,EAAE,CAAC;gBACpB,CAAC;YACH,CAAC,EACD,EAAE,IAAI,EAAE,IAAI,EAAE,CACf,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,GAAS,EAAE;QACzB,IAAI,KAAK,EAAE,CAAC;YACV,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,KAAK,GAAG,SAAS,CAAC;QACpB,CAAC;IACH,CAAC,CAAC;IACF,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAE/C,KAAK,UAAU,KAAK;QAClB,OAAO,EAAE,CAAC;QACV,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,QAAQ,GAAG,IAAI,CAAC;YAChB,YAAY,CAAC,IAAI,QAAQ,CAAC,SAAS,EAAE,oDAAoD,CAAC,CAAC,CAAC;QAC9F,CAAC;QACD,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;YAClC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBACtB,OAAO,EAAE,CAAC;gBACV,OAAO;YACT,CAAC;YACD,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;QAChC,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACjC,CAAC"}

package/dist/auth/open-browser.d.ts

@@ -0,0 +1,8 @@
+import { spawn } from 'child_process';
+interface OpenBrowserDeps {
+    platform?: NodeJS.Platform;
+    spawnFn?: typeof spawn;
+}
+export declare function openBrowser(url: string, deps?: OpenBrowserDeps): Promise<void>;
+export {};
+//# sourceMappingURL=open-browser.d.ts.map

package/dist/auth/open-browser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"open-browser.d.ts","sourceRoot":"","sources":["../../src/auth/open-browser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AAGtC,UAAU,eAAe;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC;IAC3B,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;CACxB;AAED,wBAAsB,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,GAAE,eAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CA0BxF"}

package/dist/auth/open-browser.js

@@ -0,0 +1,31 @@
+import { spawn } from 'child_process';
+import { logger } from '../logger.js';
+export async function openBrowser(url, deps = {}) {
+    const platform = deps.platform ?? process.platform;
+    const spawnFn = deps.spawnFn ?? spawn;
+    let command;
+    let args;
+    if (platform === 'darwin') {
+        command = 'open';
+        args = [url];
+    }
+    else if (platform === 'win32') {
+        command = 'cmd';
+        args = ['/c', 'start', '""', url];
+    }
+    else {
+        command = 'xdg-open';
+        args = [url];
+    }
+    try {
+        const child = spawnFn(command, args, { detached: true, stdio: 'ignore' });
+        child.on('error', (err) => {
+            logger.warn(`Failed to open browser (${command}): ${err.message}. Open the URL manually.`);
+        });
+        child.unref();
+    }
+    catch (err) {
+        logger.warn(`Failed to launch browser (${command}): ${err.message}. Open the URL manually.`);
+    }
+}
+//# sourceMappingURL=open-browser.js.map

package/dist/auth/open-browser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"open-browser.js","sourceRoot":"","sources":["../../src/auth/open-browser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AACtC,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAOtC,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,GAAW,EAAE,OAAwB,EAAE;IACvE,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;IACnD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,KAAK,CAAC;IAEtC,IAAI,OAAe,CAAC;IACpB,IAAI,IAAc,CAAC;IACnB,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,OAAO,GAAG,MAAM,CAAC;QACjB,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACf,CAAC;SAAM,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChC,OAAO,GAAG,KAAK,CAAC;QAChB,IAAI,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;IACpC,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,UAAU,CAAC;QACrB,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACf,CAAC;IAED,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC1E,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,MAAM,CAAC,IAAI,CAAC,2BAA2B,OAAO,MAAM,GAAG,CAAC,OAAO,0BAA0B,CAAC,CAAC;QAC7F,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,KAAK,EAAE,CAAC;IAChB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,6BAA6B,OAAO,MAAO,GAAa,CAAC,OAAO,0BAA0B,CAAC,CAAC;IAC1G,CAAC;AACH,CAAC"}

package/dist/auth/state.d.ts

@@ -0,0 +1,3 @@
+export declare function generateState(): string;
+export declare function safeEqual(a: string, b: string): boolean;
+//# sourceMappingURL=state.d.ts.map

package/dist/auth/state.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.d.ts","sourceRoot":"","sources":["../../src/auth/state.ts"],"names":[],"mappings":"AAEA,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED,wBAAgB,SAAS,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAUvD"}

package/dist/auth/state.js

@@ -0,0 +1,16 @@
+import { randomBytes, timingSafeEqual } from 'crypto';
+export function generateState() {
+    return randomBytes(16).toString('hex');
+}
+export function safeEqual(a, b) {
+    if (typeof a !== 'string' || typeof b !== 'string') {
+        return false;
+    }
+    const aBuf = Buffer.from(a, 'utf8');
+    const bBuf = Buffer.from(b, 'utf8');
+    if (aBuf.length !== bBuf.length) {
+        return false;
+    }
+    return timingSafeEqual(aBuf, bBuf);
+}
+//# sourceMappingURL=state.js.map

package/dist/auth/state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.js","sourceRoot":"","sources":["../../src/auth/state.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AAEtD,MAAM,UAAU,aAAa;IAC3B,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,CAAS,EAAE,CAAS;IAC5C,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;QACnD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACpC,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC"}

package/dist/auth/success-page.d.ts

@@ -0,0 +1,3 @@
+export declare const SUCCESS_HTML = "<!doctype html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"utf-8\">\n  <title>Coolhand \u2014 Token captured</title>\n  <meta name=\"viewport\" content=\"width=device-width,initial-scale=1\">\n  <meta name=\"color-scheme\" content=\"dark\">\n  <meta name=\"robots\" content=\"noindex\">\n  <style>\n  * { box-sizing: border-box; margin: 0; padding: 0; }\n  html, body { height: 100%; }\n  body {\n    font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont,\n                 \"Segoe UI\", Roboto, \"Helvetica Neue\", Arial, sans-serif;\n    background: hsl(222.2 84% 4.9%);\n    color: hsl(210 40% 98%);\n    display: flex;\n    align-items: center;\n    justify-content: center;\n    min-height: 100vh;\n    padding: 24px;\n    line-height: 1.5;\n    -webkit-font-smoothing: antialiased;\n    -moz-osx-font-smoothing: grayscale;\n  }\n  .wrap { width: 100%; max-width: 440px; }\n  .brand {\n    text-align: center;\n    margin-bottom: 32px;\n  }\n  .brand-logo {\n    height: 157px;\n    width: auto;\n    max-width: 100%;\n    display: inline-block;\n  }\n  .brand-text {\n    display: none;\n    font-size: 13px;\n    font-weight: 600;\n    letter-spacing: 0.15em;\n    text-transform: uppercase;\n    color: hsl(215 20.2% 65.1%);\n    align-items: center;\n    justify-content: center;\n  }\n  .brand-dot {\n    display: inline-block;\n    width: 8px;\n    height: 8px;\n    border-radius: 50%;\n    background: hsl(217.2 91.2% 59.8%);\n    margin-right: 8px;\n    vertical-align: middle;\n    transform: translateY(-1px);\n  }\n  .card {\n    background: hsl(222.2 84% 4.9%);\n    border: 1px solid hsl(217.2 32.6% 17.5%);\n    border-radius: 12px;\n    padding: 40px 32px 32px;\n    text-align: center;\n    box-shadow: 0 24px 48px -16px rgba(0, 0, 0, 0.5);\n  }\n  .icon-wrap {\n    width: 64px;\n    height: 64px;\n    border-radius: 50%;\n    display: flex;\n    align-items: center;\n    justify-content: center;\n    margin: 0 auto 20px;\n  }\n  .icon-svg { width: 32px; height: 32px; }\n  h1 {\n    font-size: 20px;\n    font-weight: 600;\n    color: hsl(210 40% 98%);\n    margin-bottom: 8px;\n    letter-spacing: -0.01em;\n  }\n  p {\n    color: hsl(215 20.2% 65.1%);\n    font-size: 14px;\n  }\n  p + p { margin-top: 12px; }\n  .foot {\n    text-align: center;\n    margin-top: 24px;\n    font-size: 12px;\n    color: hsl(215 20.2% 65.1%);\n  }\n</style>\n</head>\n<body>\n  <main class=\"wrap\">\n  \n  <div class=\"brand\">\n    <img src=\"https://coolhandlabs.com/coolhand-logo.png\" alt=\"Coolhand\"\n         class=\"brand-logo\"\n         onerror=\"this.style.display='none'; this.nextElementSibling.style.display='inline-flex';\">\n    <span class=\"brand-text\"><span class=\"brand-dot\"></span>coolhand</span>\n  </div>\n\n  <div class=\"card\">\n    <div class=\"icon-wrap\" style=\"background: hsl(217.2 91.2% 59.8% / 0.12);\">\n      <svg class=\"icon-svg\" viewBox=\"0 0 24 24\" fill=\"none\"\n           stroke=\"hsl(217.2 91.2% 59.8%)\" stroke-width=\"2.5\"\n           stroke-linecap=\"round\" stroke-linejoin=\"round\" aria-hidden=\"true\">\n        <polyline points=\"20 6 9 17 4 12\"></polyline>\n      </svg>\n    </div>\n    <h1>Token captured</h1>\n    <p>You can close this tab and return to your terminal.</p>\n  </div>\n  <p class=\"foot\">coolhand-cli received your API token securely.</p>\n</main>\n</body>\n</html>\n";
+export declare function errorHtml(message: string): string;
+//# sourceMappingURL=success-page.d.ts.map

package/dist/auth/success-page.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"success-page.d.ts","sourceRoot":"","sources":["../../src/auth/success-page.ts"],"names":[],"mappings":"AAoHA,eAAO,MAAM,YAAY,0zGAcxB,CAAC;AAEF,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CA8CjD"}