create-claude-workspace 1.1.34 → 1.1.36

package/dist/template/.claude/profiles/angular.md

@@ -175,7 +175,11 @@ npx themecraft generate    # generates type-safe SCSS from tokens.json
 
 **How it works:** `npx themecraft generate` reads `tokens.json` and produces typed SCSS files (`generated/theme/colors.scss`, `sizes.scss`, `typography.scss`) that wrap `color-var()`/`size-var()` internally. Components consume these generated variables — never the raw accessor functions.
 
-**Figma workflow:** If a Figma design exists, run `npx themecraft figma-sync` FIRST to pull design variables into `tokens.json`, then `npx themecraft generate`.
+**Token source (pick one):**
+- **With Figma:** `npx themecraft figma-sync` pulls design variables into `tokens.json`, then `npx themecraft generate`
+- **Without Figma:** `npx themecraft init` creates `tokens.json` scaffold → manually define token names (color groups, size groups, typography levels) → `npx themecraft generate`
+
+Either way, the result is the same: typed SCSS files in `generated/theme/` ready to import.
 
 **Theme definition** (`themes/light.scss`):
 ```scss

package/dist/template/.claude/profiles/react.md

@@ -185,7 +185,11 @@ npx themecraft generate    # generates type-safe SCSS from tokens.json
 
 **How it works:** `npx themecraft generate` reads `tokens.json` and produces typed SCSS files (`generated/theme/colors.scss`, `sizes.scss`, `typography.scss`) that wrap `color-var()`/`size-var()` internally. Components consume these generated variables — never the raw accessor functions.
 
-**Figma workflow:** If a Figma design exists, run `npx themecraft figma-sync` FIRST to pull design variables into `tokens.json`, then `npx themecraft generate`.
+**Token source (pick one):**
+- **With Figma:** `npx themecraft figma-sync` pulls design variables into `tokens.json`, then `npx themecraft generate`
+- **Without Figma:** `npx themecraft init` creates `tokens.json` scaffold → manually define token names (color groups, size groups, typography levels) → `npx themecraft generate`
+
+Either way, the result is the same: typed SCSS files in `generated/theme/` ready to import.
 
 **Runtime setup** (in layout or `_app.tsx`):
 ```typescript

package/dist/template/.claude/profiles/svelte.md

@@ -188,7 +188,11 @@ npx themecraft generate    # generates type-safe SCSS from tokens.json
 
 **How it works:** `npx themecraft generate` reads `tokens.json` and produces typed SCSS files (`generated/theme/colors.scss`, `sizes.scss`, `typography.scss`) that wrap `color-var()`/`size-var()` internally. Components consume these generated variables — never the raw accessor functions.
 
-**Figma workflow:** If a Figma design exists, run `npx themecraft figma-sync` FIRST to pull design variables into `tokens.json`, then `npx themecraft generate`.
+**Token source (pick one):**
+- **With Figma:** `npx themecraft figma-sync` pulls design variables into `tokens.json`, then `npx themecraft generate`
+- **Without Figma:** `npx themecraft init` creates `tokens.json` scaffold → manually define token names (color groups, size groups, typography levels) → `npx themecraft generate`
+
+Either way, the result is the same: typed SCSS files in `generated/theme/` ready to import.
 
 **Runtime setup** (in `+layout.svelte` or `hooks.server.ts`):
 ```typescript

package/dist/template/.claude/profiles/vue.md

@@ -213,7 +213,11 @@ npx themecraft generate    # generates type-safe SCSS from tokens.json
 
 **How it works:** `npx themecraft generate` reads `tokens.json` and produces typed SCSS files (`generated/theme/colors.scss`, `sizes.scss`, `typography.scss`) that wrap `color-var()`/`size-var()` internally. Components consume these generated variables — never the raw accessor functions.
 
-**Figma workflow:** If a Figma design exists, run `npx themecraft figma-sync` FIRST to pull design variables into `tokens.json`, then `npx themecraft generate`.
+**Token source (pick one):**
+- **With Figma:** `npx themecraft figma-sync` pulls design variables into `tokens.json`, then `npx themecraft generate`
+- **Without Figma:** `npx themecraft init` creates `tokens.json` scaffold → manually define token names (color groups, size groups, typography levels) → `npx themecraft generate`
+
+Either way, the result is the same: typed SCSS files in `generated/theme/` ready to import.
 
 **Runtime setup** (in `App.vue` or plugin):
 ```typescript

package/dist/template/.claude/scripts/autonomous.mjs

@@ -9,6 +9,7 @@ import { createLogger } from './lib/logger.mjs';
 import { emptyCheckpoint, readCheckpoint, writeCheckpoint } from './lib/state.mjs';
 import { runClaude, currentChild } from './lib/claude-runner.mjs';
 import { sleep, formatDuration, acquireLock, releaseLock, readMemory, isProjectComplete, getCurrentTask, getCurrentPhase, checkClaudeInstalled, checkAuth, checkGitIdentity, checkFilesystemWritable, gitFetchAndPull, gitCheckState, notify, printSummary, promptUser, } from './lib/utils.mjs';
+import { isTokenExpiringSoon, refreshOAuthToken } from './lib/oauth-refresh.mjs';
 // ─── Args ───
 function parseArgs(argv) {
     const opts = { ...DEFAULTS };
@@ -291,18 +292,34 @@ async function main() {
         if (timeSinceLastAuth > opts.processTimeout * 2) {
             log.warn('Large time gap detected (system sleep?). Re-checking auth...');
             if (!checkAuth()) {
-                log.error('Auth expired after sleep. Re-authenticate and restart.');
-                notify(opts.notifyCommand, 'stopped', 'Auth expired after system sleep', i);
-                break;
+                log.warn('Auth expired after sleep. Attempting OAuth refresh...');
+                const refreshed = await refreshOAuthToken(log);
+                if (!refreshed || !checkAuth()) {
+                    log.error('Auth expired after sleep and refresh failed. Run `claude /login`.');
+                    notify(opts.notifyCommand, 'stopped', 'Auth expired after system sleep (refresh failed)', i);
+                    break;
+                }
+                log.info('OAuth token refreshed after sleep. Continuing.');
             }
             checkpoint.lastAuthCheckTime = Date.now();
         }
-        // Periodic auth re-check (every 30 min)
-        if (timeSinceLastAuth > 30 * 60_000) {
+        // Proactive token refresh — refresh before expiry to prevent mid-iteration failures
+        if (isTokenExpiringSoon()) {
+            log.info('OAuth token expiring soon. Refreshing proactively...');
+            await refreshOAuthToken(log);
+        }
+        // Periodic auth re-check (every 10 min)
+        if (timeSinceLastAuth > 10 * 60_000) {
             if (!checkAuth()) {
-                log.error('Auth expired. Run `claude /login` or check ANTHROPIC_API_KEY.');
-                notify(opts.notifyCommand, 'stopped', 'Auth expired', i);
-                break;
+                // Try OAuth refresh before giving up
+                log.warn('Auth check failed. Attempting OAuth token refresh...');
+                const refreshed = await refreshOAuthToken(log);
+                if (!refreshed || !checkAuth()) {
+                    log.error('Auth expired and refresh failed. Run `claude /login` or check ANTHROPIC_API_KEY.');
+                    notify(opts.notifyCommand, 'stopped', 'Auth expired (refresh failed)', i);
+                    break;
+                }
+                log.info('OAuth token refreshed successfully. Continuing.');
             }
             checkpoint.lastAuthCheckTime = Date.now();
         }
@@ -333,14 +350,37 @@ async function main() {
                 stats.processTimeouts++;
             if (category === 'activity_timeout')
                 stats.activityTimeouts++;
+            // Immediate auth check after any error — catches expired OAuth tokens that
+            // weren't classified as auth_expired (e.g., process_timeout with auth errors in stderr)
+            if (category !== 'auth_expired' && !checkAuth()) {
+                log.warn('Auth check failed after error. Attempting OAuth refresh...');
+                const refreshed = await refreshOAuthToken(log);
+                if (!refreshed || !checkAuth()) {
+                    log.error('Auth expired and refresh failed. Run `claude /login` or check ANTHROPIC_API_KEY.');
+                    notify(opts.notifyCommand, 'stopped', 'Auth expired (refresh failed after process error)', i);
+                    writeCheckpoint(opts.projectDir, checkpoint, log);
+                    break;
+                }
+                log.info('OAuth token refreshed after error. Continuing.');
+            }
         }
         // Get response action
         const action = getErrorAction(category, {
             consecutiveFailures: checkpoint.consecutiveFailures,
             authRetries: checkpoint.authRetries,
         });
-        // Handle stop
+        // Handle stop — try OAuth refresh for auth errors before giving up
         if (action.type === 'stop') {
+            if (category === 'auth_expired') {
+                log.warn('Auth expired. Attempting OAuth token refresh...');
+                const refreshed = await refreshOAuthToken(log);
+                if (refreshed && checkAuth()) {
+                    log.info('OAuth token refreshed. Retrying iteration.');
+                    checkpoint.lastAuthCheckTime = Date.now();
+                    i--; // Retry this iteration
+                    continue;
+                }
+            }
             log.error(action.reason);
             notify(opts.notifyCommand, 'stopped', action.reason, i);
             writeCheckpoint(opts.projectDir, checkpoint, log);

package/dist/template/.claude/scripts/lib/claude-runner.mjs

@@ -352,9 +352,9 @@ export function runClaude(opts, log, runOpts = {}) {
             // Kill on auth error burst (e.g. expired token causing infinite retry loop)
             if (AUTH_ERROR_RE.test(lower)) {
                 authErrorCount++;
-                if (authErrorCount >= 5 && !killed) {
+                if (authErrorCount >= 3 && !killed) {
                     log.warn(`Auth error burst detected (${authErrorCount} errors) — killing process.`);
-                    killChild('activity_timeout');
+                    killChild('process_timeout');
                     return;
                 }
             }

package/dist/template/.claude/scripts/lib/errors.mjs

@@ -15,14 +15,20 @@ export function classifyError(signals) {
     if (signals.code === 0 && signals.hasResult)
         return 'none';
     // Flag-based (set by stream events, not just stderr)
+    // Auth errors take priority over everything — prevents 30-min timeout loops on expired tokens
     if (signals.isAuthError)
         return 'auth_expired';
     if (signals.isAuthServerError)
         return 'auth_server_error';
     if (signals.isRateLimit)
         return 'rate_limited';
-    if (signals.timedOut)
+    if (signals.timedOut) {
+        // Double-check stderr for auth errors (may not have been caught by stream events)
+        if (/authentication_error|failed to authenticate|api error: 401|oauth token has expired/i.test(signals.stderr)) {
+            return 'auth_expired';
+        }
         return 'process_timeout';
+    }
     // Activity timeout after result = success (process just hung after finishing)
     if (signals.activityTimedOut)
         return signals.hasResult ? 'none' : 'activity_timeout';

package/dist/template/.claude/scripts/lib/oauth-refresh.mjs

@@ -0,0 +1,146 @@
+// ─── OAuth token refresh for Claude Code ───
+// Cross-platform: reads/writes ~/.claude/.credentials.json (Windows/Linux)
+// or macOS Keychain via `security` CLI.
+// Refresh endpoint: https://console.anthropic.com/v1/oauth/token
+import { readFileSync, writeFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { homedir } from 'node:os';
+import { execSync } from 'node:child_process';
+const TOKEN_URL = 'https://console.anthropic.com/v1/oauth/token';
+const CLIENT_ID = '9d1c250a-e61b-44d9-88ed-5944d1962f5e';
+const CREDENTIALS_FILE = '.claude/.credentials.json';
+const KEYCHAIN_SERVICE = 'Claude Code-credentials';
+// Buffer: refresh if token expires within this many ms
+const REFRESH_BUFFER_MS = 30 * 60_000; // 30 minutes
+// ─── Credential storage (cross-platform) ───
+function credentialsPath() {
+    return resolve(homedir(), CREDENTIALS_FILE);
+}
+function readCredentialsFile() {
+    try {
+        const raw = readFileSync(credentialsPath(), 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (parsed?.claudeAiOauth?.refreshToken)
+            return parsed;
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+function writeCredentialsFile(creds) {
+    writeFileSync(credentialsPath(), JSON.stringify(creds));
+}
+function readKeychainCredentials() {
+    try {
+        // Try common account names
+        const accounts = ['claude', 'Claude Code', 'default'];
+        for (const account of accounts) {
+            try {
+                const raw = execSync(`security find-generic-password -s "${KEYCHAIN_SERVICE}" -a "${account}" -w`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'], timeout: 5000 }).trim();
+                const parsed = JSON.parse(raw);
+                if (parsed?.claudeAiOauth?.refreshToken)
+                    return parsed;
+            }
+            catch { /* try next account */ }
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+function writeKeychainCredentials(creds, account) {
+    const data = JSON.stringify(creds);
+    try {
+        execSync(`security delete-generic-password -s "${KEYCHAIN_SERVICE}" -a "${account}"`, { stdio: 'ignore', timeout: 5000 });
+    }
+    catch { /* may not exist */ }
+    execSync(`security add-generic-password -s "${KEYCHAIN_SERVICE}" -a "${account}" -w '${data.replace(/'/g, "'\\''")}' -U`, { stdio: 'ignore', timeout: 5000 });
+}
+function readCredentials() {
+    // File-based (Windows/Linux) takes priority — always present
+    const fileCreds = readCredentialsFile();
+    if (fileCreds)
+        return fileCreds;
+    // macOS Keychain fallback
+    if (process.platform === 'darwin')
+        return readKeychainCredentials();
+    return null;
+}
+function writeCredentials(creds) {
+    // Always write to file
+    writeCredentialsFile(creds);
+    // Also update Keychain on macOS
+    if (process.platform === 'darwin') {
+        try {
+            writeKeychainCredentials(creds, 'claude');
+        }
+        catch { /* non-fatal */ }
+    }
+}
+// ─── Token refresh ───
+async function postRefresh(refreshToken) {
+    const body = JSON.stringify({
+        grant_type: 'refresh_token',
+        refresh_token: refreshToken,
+        client_id: CLIENT_ID,
+    });
+    const response = await fetch(TOKEN_URL, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body,
+        signal: AbortSignal.timeout(30_000),
+    });
+    if (!response.ok) {
+        const text = await response.text().catch(() => '');
+        throw new Error(`OAuth refresh failed: ${response.status} ${text.slice(0, 200)}`);
+    }
+    return await response.json();
+}
+// ─── Public API ───
+/** Check if the current OAuth token is expired or about to expire. */
+export function isTokenExpiringSoon() {
+    const creds = readCredentials();
+    if (!creds)
+        return false; // No OAuth credentials (API key user) — not our problem
+    return Date.now() > (creds.claudeAiOauth.expiresAt - REFRESH_BUFFER_MS);
+}
+/** Attempt to refresh the OAuth token. Returns true on success. */
+export async function refreshOAuthToken(log) {
+    const creds = readCredentials();
+    if (!creds) {
+        log.warn('No OAuth credentials found — cannot refresh.');
+        return false;
+    }
+    const oauth = creds.claudeAiOauth;
+    if (!oauth.refreshToken) {
+        log.warn('No refresh token available.');
+        return false;
+    }
+    const remaining = oauth.expiresAt - Date.now();
+    log.info(`Token expires in ${Math.round(remaining / 60_000)}m. Attempting refresh...`);
+    try {
+        const result = await postRefresh(oauth.refreshToken);
+        if (!result.access_token || !result.refresh_token) {
+            log.error('Refresh response missing tokens.');
+            return false;
+        }
+        // Update credentials
+        const updated = {
+            claudeAiOauth: {
+                ...oauth,
+                accessToken: result.access_token,
+                refreshToken: result.refresh_token,
+                expiresAt: Date.now() + (result.expires_in * 1000),
+            },
+        };
+        writeCredentials(updated);
+        log.info(`OAuth token refreshed. New expiry: ${new Date(updated.claudeAiOauth.expiresAt).toISOString()}`);
+        return true;
+    }
+    catch (err) {
+        log.error(`OAuth refresh failed: ${err.message}`);
+        return false;
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-claude-workspace",
-  "version": "1.1.34",
+  "version": "1.1.36",
   "description": "Scaffold a project with Claude Code agents for autonomous AI-driven development",
   "type": "module",
   "bin": {