create-claude-workspace 1.1.35 → 1.1.37

package/dist/template/.claude/agents/orchestrator.md

@@ -151,7 +151,7 @@ If no remote, skip this step.
 ### 10. One task per invocation
 - Complete exactly ONE task per invocation, then end the session cleanly.
 - The external loop (`autonomous.mjs` or ralph-loop) handles iteration control — you do NOT need to manage capacity, iteration counters, or session bounds.
-- After committing the task (STEP 11) and post-merge (STEP 12), update MEMORY.md and EXIT. Do NOT ask whether to continue, do NOT wait for confirmation, do NOT start another task.
+- After committing the task (STEP 11) and post-merge (STEP 12), EXIT. Do NOT update MEMORY.md after merge — it was already committed in STEP 11 and arrived on main via merge. Do NOT ask whether to continue, do NOT wait for confirmation, do NOT start another task. Do NOT create any commits after merge.
 - Track complexity in MEMORY.md `Complexity This Session` for informational purposes only (S=1, M=2, L=4).
 
 ## Task Type Detection
@@ -482,7 +482,8 @@ To determine if a task is frontend, backend, or fullstack, use this heuristic:
     ```
     Note the stacking in MEMORY.md. When the previous MR/PR is merged: `git -C .worktrees/feat/{next} rebase --onto main feat/{previous}`
 - **If no `[ ]` tasks remain in current phase AND at least one `[~]` exists** (all remaining were skipped): do NOT auto-advance. Delegate to `product-owner`: "All tasks in Phase [N] are blocked/skipped. The autonomous loop cannot proceed. Options: (1) ADD replacement tasks that unblock progress, (2) REPRIORITIZE to skip this phase entirely and move to next, (3) declare a BLOCKER requiring human intervention." If product-owner returns only CONFIRM with no actionable changes, STOP the autonomous loop and log: "Phase [N] fully blocked — requires human intervention. Run orchestrator manually after resolving blockers."
-- One task per invocation — after post-merge, end session. The external loop will start the next invocation. Do NOT update MEMORY.md here (already done in STEP 11).
+- One task per invocation — after post-merge, end session. The external loop will start the next invocation.
+- **CRITICAL: ZERO commits after merge.** MEMORY.md and TODO.md are already on main (they came from the merge). Do NOT `git add`, do NOT `git commit`, do NOT create `chore:` commits. If you see tracking files as "modified" after merge, that is IMPOSSIBLE if STEP 11 was done correctly — investigate, do NOT blindly commit.
 - **If no `[ ]` tasks remain in current phase AND zero `[~]` exist** (all completed) -> phase transition (handled at start of STEP 1)
 - **If no `[ ]` tasks remain in ALL phases AND zero `[~]` exist** (everything completed) -> final completion sequence:
   1. Delegate to `product-owner` agent:
@@ -598,7 +599,7 @@ Examples:
 - NEVER implement without architect plan (STEP 2) or skip code review (STEP 7)
 - Each commit = 1 logical unit
 - Conventional commits: feat/fix/refactor/chore/docs
-- **NEVER create commits that only change MEMORY.md or TODO.md** — tracking file updates MUST be included in the same commit as the implementation they track (STEP 11). After merge (STEP 12), do NOT commit anything. No `chore: update progress tracking`, no `chore: update MEMORY.md`, no `chore: log hotfix`. If you feel the urge to commit tracking-only changes, STOP — you missed including them in STEP 11.
+- **ABSOLUTE BAN: NEVER create commits that only change MEMORY.md or TODO.md.** Tracking files are committed WITH implementation code in STEP 11. After merge (STEP 12), ZERO commits — tracking files arrive on main via the merge itself. Forbidden patterns: `chore: update progress tracking`, `chore: update MEMORY.md`, `chore: update MEMORY.md tracking after ...`, `chore: log hotfix`. If tracking files show as modified after merge, something went wrong in STEP 11 — investigate and fix, do NOT create a band-aid commit.
 - All files in ENGLISH
 - TODO.md + MEMORY.md are your tracking system — keep them PRECISE and CURRENT
 - If deviating from plan, LOG the reason in MEMORY.md

package/dist/template/.claude/scripts/autonomous.mjs

@@ -9,6 +9,7 @@ import { createLogger } from './lib/logger.mjs';
 import { emptyCheckpoint, readCheckpoint, writeCheckpoint } from './lib/state.mjs';
 import { runClaude, currentChild } from './lib/claude-runner.mjs';
 import { sleep, formatDuration, acquireLock, releaseLock, readMemory, isProjectComplete, getCurrentTask, getCurrentPhase, checkClaudeInstalled, checkAuth, checkGitIdentity, checkFilesystemWritable, gitFetchAndPull, gitCheckState, notify, printSummary, promptUser, } from './lib/utils.mjs';
+import { isTokenExpiringSoon, refreshOAuthToken } from './lib/oauth-refresh.mjs';
 // ─── Args ───
 function parseArgs(argv) {
     const opts = { ...DEFAULTS };
@@ -291,18 +292,34 @@ async function main() {
         if (timeSinceLastAuth > opts.processTimeout * 2) {
             log.warn('Large time gap detected (system sleep?). Re-checking auth...');
             if (!checkAuth()) {
-                log.error('Auth expired after sleep. Re-authenticate and restart.');
-                notify(opts.notifyCommand, 'stopped', 'Auth expired after system sleep', i);
-                break;
+                log.warn('Auth expired after sleep. Attempting OAuth refresh...');
+                const refreshed = await refreshOAuthToken(log);
+                if (!refreshed || !checkAuth()) {
+                    log.error('Auth expired after sleep and refresh failed. Run `claude /login`.');
+                    notify(opts.notifyCommand, 'stopped', 'Auth expired after system sleep (refresh failed)', i);
+                    break;
+                }
+                log.info('OAuth token refreshed after sleep. Continuing.');
             }
             checkpoint.lastAuthCheckTime = Date.now();
         }
-        // Periodic auth re-check (every 30 min)
-        if (timeSinceLastAuth > 30 * 60_000) {
+        // Proactive token refresh — refresh before expiry to prevent mid-iteration failures
+        if (isTokenExpiringSoon()) {
+            log.info('OAuth token expiring soon. Refreshing proactively...');
+            await refreshOAuthToken(log);
+        }
+        // Periodic auth re-check (every 10 min)
+        if (timeSinceLastAuth > 10 * 60_000) {
             if (!checkAuth()) {
-                log.error('Auth expired. Run `claude /login` or check ANTHROPIC_API_KEY.');
-                notify(opts.notifyCommand, 'stopped', 'Auth expired', i);
-                break;
+                // Try OAuth refresh before giving up
+                log.warn('Auth check failed. Attempting OAuth token refresh...');
+                const refreshed = await refreshOAuthToken(log);
+                if (!refreshed || !checkAuth()) {
+                    log.error('Auth expired and refresh failed. Run `claude /login` or check ANTHROPIC_API_KEY.');
+                    notify(opts.notifyCommand, 'stopped', 'Auth expired (refresh failed)', i);
+                    break;
+                }
+                log.info('OAuth token refreshed successfully. Continuing.');
             }
             checkpoint.lastAuthCheckTime = Date.now();
         }
@@ -333,14 +350,37 @@ async function main() {
                 stats.processTimeouts++;
             if (category === 'activity_timeout')
                 stats.activityTimeouts++;
+            // Immediate auth check after any error — catches expired OAuth tokens that
+            // weren't classified as auth_expired (e.g., process_timeout with auth errors in stderr)
+            if (category !== 'auth_expired' && !checkAuth()) {
+                log.warn('Auth check failed after error. Attempting OAuth refresh...');
+                const refreshed = await refreshOAuthToken(log);
+                if (!refreshed || !checkAuth()) {
+                    log.error('Auth expired and refresh failed. Run `claude /login` or check ANTHROPIC_API_KEY.');
+                    notify(opts.notifyCommand, 'stopped', 'Auth expired (refresh failed after process error)', i);
+                    writeCheckpoint(opts.projectDir, checkpoint, log);
+                    break;
+                }
+                log.info('OAuth token refreshed after error. Continuing.');
+            }
         }
         // Get response action
         const action = getErrorAction(category, {
             consecutiveFailures: checkpoint.consecutiveFailures,
             authRetries: checkpoint.authRetries,
         });
-        // Handle stop
+        // Handle stop — try OAuth refresh for auth errors before giving up
         if (action.type === 'stop') {
+            if (category === 'auth_expired') {
+                log.warn('Auth expired. Attempting OAuth token refresh...');
+                const refreshed = await refreshOAuthToken(log);
+                if (refreshed && checkAuth()) {
+                    log.info('OAuth token refreshed. Retrying iteration.');
+                    checkpoint.lastAuthCheckTime = Date.now();
+                    i--; // Retry this iteration
+                    continue;
+                }
+            }
             log.error(action.reason);
             notify(opts.notifyCommand, 'stopped', action.reason, i);
             writeCheckpoint(opts.projectDir, checkpoint, log);

package/dist/template/.claude/scripts/lib/claude-runner.mjs

@@ -352,9 +352,9 @@ export function runClaude(opts, log, runOpts = {}) {
             // Kill on auth error burst (e.g. expired token causing infinite retry loop)
             if (AUTH_ERROR_RE.test(lower)) {
                 authErrorCount++;
-                if (authErrorCount >= 5 && !killed) {
+                if (authErrorCount >= 3 && !killed) {
                     log.warn(`Auth error burst detected (${authErrorCount} errors) — killing process.`);
-                    killChild('activity_timeout');
+                    killChild('process_timeout');
                     return;
                 }
             }

package/dist/template/.claude/scripts/lib/errors.mjs

@@ -15,14 +15,20 @@ export function classifyError(signals) {
     if (signals.code === 0 && signals.hasResult)
         return 'none';
     // Flag-based (set by stream events, not just stderr)
+    // Auth errors take priority over everything — prevents 30-min timeout loops on expired tokens
     if (signals.isAuthError)
         return 'auth_expired';
     if (signals.isAuthServerError)
         return 'auth_server_error';
     if (signals.isRateLimit)
         return 'rate_limited';
-    if (signals.timedOut)
+    if (signals.timedOut) {
+        // Double-check stderr for auth errors (may not have been caught by stream events)
+        if (/authentication_error|failed to authenticate|api error: 401|oauth token has expired/i.test(signals.stderr)) {
+            return 'auth_expired';
+        }
         return 'process_timeout';
+    }
     // Activity timeout after result = success (process just hung after finishing)
     if (signals.activityTimedOut)
         return signals.hasResult ? 'none' : 'activity_timeout';

package/dist/template/.claude/scripts/lib/oauth-refresh.mjs

@@ -0,0 +1,146 @@
+// ─── OAuth token refresh for Claude Code ───
+// Cross-platform: reads/writes ~/.claude/.credentials.json (Windows/Linux)
+// or macOS Keychain via `security` CLI.
+// Refresh endpoint: https://console.anthropic.com/v1/oauth/token
+import { readFileSync, writeFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { homedir } from 'node:os';
+import { execSync } from 'node:child_process';
+const TOKEN_URL = 'https://console.anthropic.com/v1/oauth/token';
+const CLIENT_ID = '9d1c250a-e61b-44d9-88ed-5944d1962f5e';
+const CREDENTIALS_FILE = '.claude/.credentials.json';
+const KEYCHAIN_SERVICE = 'Claude Code-credentials';
+// Buffer: refresh if token expires within this many ms
+const REFRESH_BUFFER_MS = 30 * 60_000; // 30 minutes
+// ─── Credential storage (cross-platform) ───
+function credentialsPath() {
+    return resolve(homedir(), CREDENTIALS_FILE);
+}
+function readCredentialsFile() {
+    try {
+        const raw = readFileSync(credentialsPath(), 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (parsed?.claudeAiOauth?.refreshToken)
+            return parsed;
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+function writeCredentialsFile(creds) {
+    writeFileSync(credentialsPath(), JSON.stringify(creds));
+}
+function readKeychainCredentials() {
+    try {
+        // Try common account names
+        const accounts = ['claude', 'Claude Code', 'default'];
+        for (const account of accounts) {
+            try {
+                const raw = execSync(`security find-generic-password -s "${KEYCHAIN_SERVICE}" -a "${account}" -w`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'], timeout: 5000 }).trim();
+                const parsed = JSON.parse(raw);
+                if (parsed?.claudeAiOauth?.refreshToken)
+                    return parsed;
+            }
+            catch { /* try next account */ }
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+function writeKeychainCredentials(creds, account) {
+    const data = JSON.stringify(creds);
+    try {
+        execSync(`security delete-generic-password -s "${KEYCHAIN_SERVICE}" -a "${account}"`, { stdio: 'ignore', timeout: 5000 });
+    }
+    catch { /* may not exist */ }
+    execSync(`security add-generic-password -s "${KEYCHAIN_SERVICE}" -a "${account}" -w '${data.replace(/'/g, "'\\''")}' -U`, { stdio: 'ignore', timeout: 5000 });
+}
+function readCredentials() {
+    // File-based (Windows/Linux) takes priority — always present
+    const fileCreds = readCredentialsFile();
+    if (fileCreds)
+        return fileCreds;
+    // macOS Keychain fallback
+    if (process.platform === 'darwin')
+        return readKeychainCredentials();
+    return null;
+}
+function writeCredentials(creds) {
+    // Always write to file
+    writeCredentialsFile(creds);
+    // Also update Keychain on macOS
+    if (process.platform === 'darwin') {
+        try {
+            writeKeychainCredentials(creds, 'claude');
+        }
+        catch { /* non-fatal */ }
+    }
+}
+// ─── Token refresh ───
+async function postRefresh(refreshToken) {
+    const body = JSON.stringify({
+        grant_type: 'refresh_token',
+        refresh_token: refreshToken,
+        client_id: CLIENT_ID,
+    });
+    const response = await fetch(TOKEN_URL, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body,
+        signal: AbortSignal.timeout(30_000),
+    });
+    if (!response.ok) {
+        const text = await response.text().catch(() => '');
+        throw new Error(`OAuth refresh failed: ${response.status} ${text.slice(0, 200)}`);
+    }
+    return await response.json();
+}
+// ─── Public API ───
+/** Check if the current OAuth token is expired or about to expire. */
+export function isTokenExpiringSoon() {
+    const creds = readCredentials();
+    if (!creds)
+        return false; // No OAuth credentials (API key user) — not our problem
+    return Date.now() > (creds.claudeAiOauth.expiresAt - REFRESH_BUFFER_MS);
+}
+/** Attempt to refresh the OAuth token. Returns true on success. */
+export async function refreshOAuthToken(log) {
+    const creds = readCredentials();
+    if (!creds) {
+        log.warn('No OAuth credentials found — cannot refresh.');
+        return false;
+    }
+    const oauth = creds.claudeAiOauth;
+    if (!oauth.refreshToken) {
+        log.warn('No refresh token available.');
+        return false;
+    }
+    const remaining = oauth.expiresAt - Date.now();
+    log.info(`Token expires in ${Math.round(remaining / 60_000)}m. Attempting refresh...`);
+    try {
+        const result = await postRefresh(oauth.refreshToken);
+        if (!result.access_token || !result.refresh_token) {
+            log.error('Refresh response missing tokens.');
+            return false;
+        }
+        // Update credentials
+        const updated = {
+            claudeAiOauth: {
+                ...oauth,
+                accessToken: result.access_token,
+                refreshToken: result.refresh_token,
+                expiresAt: Date.now() + (result.expires_in * 1000),
+            },
+        };
+        writeCredentials(updated);
+        log.info(`OAuth token refreshed. New expiry: ${new Date(updated.claudeAiOauth.expiresAt).toISOString()}`);
+        return true;
+    }
+    catch (err) {
+        log.error(`OAuth refresh failed: ${err.message}`);
+        return false;
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-claude-workspace",
-  "version": "1.1.35",
+  "version": "1.1.37",
   "description": "Scaffold a project with Claude Code agents for autonomous AI-driven development",
   "type": "module",
   "bin": {