create-three-blocks-starter 0.0.7 → 0.0.9

package/README.md

@@ -7,9 +7,15 @@ Private CLI to scaffold a new project from the Three Blocks starter.
 Authenticate to the private registry first (one time per project):
 
 ```bash
-npx -y three-blocks-login --mode project --scope @three-blocks
+# Using pnpm (recommended - no warnings)
+pnpm dlx three-blocks-login@latest@latest --mode project --scope @three-blocks --channel stable
+
+# Using npx (may show harmless npm config warnings)
+npx -y three-blocks-login@latest --mode project --scope @three-blocks --channel stable
 ```
 
+> **Note:** If you see npm warnings about unknown env configs, use `pnpm dlx` instead of `npx`, or see [three-blocks-login NPM warnings fix](https://www.npmjs.com/package/three-blocks-login).
+
 Then scaffold a new app:
 
 ```bash
@@ -26,6 +32,37 @@ pnpm i
 pnpm dev
 ```
 
+## CI/CD & Vercel Setup
+
+The CLI now automatically generates the correct setup, but if you need to configure it manually:
+
+### Quick Setup (3 steps)
+
+1. **Commit `.npmrc`** to your repository (generated automatically by create-three-blocks-starter):
+   ```
+   @three-blocks:registry=https://three-blocks-196905988268.d.codeartifact.ap-northeast-1.amazonaws.com/npm/core/
+   ```
+
+2. **Preinstall script** (added automatically by create-three-blocks-starter):
+   ```json
+   {
+     "scripts": {
+       "preinstall": "npx -y three-blocks-login@latest"
+     }
+   }
+   ```
+
+3. **Set environment variable** in your CI/CD platform:
+   - **Vercel**: Project Settings → Environment Variables → Add `THREE_BLOCKS_SECRET_KEY`
+   - **GitHub Actions**: Repository Settings → Secrets → Add `THREE_BLOCKS_SECRET_KEY`
+   - **Other CI**: Add `THREE_BLOCKS_SECRET_KEY` secret with your license key
+
+### How It Works
+
+- Committed `.npmrc` tells pnpm WHERE to find packages (no auth needed yet)
+- Preinstall script fetches a short-lived token and adds it to `.npmrc`
+- This solves pnpm's timing issue (it resolves packages before running preinstall)
+
 ## Development (monorepo)
 
 - The CLI pulls the template from `packages/three-blocks-starter/` during `prepack`.
@@ -38,6 +75,6 @@ pnpm --filter create-three-blocks-starter run dev:sync
 ## Publish
 
 ```bash
-npx -y three-blocks-login --mode project --scope @three-blocks
+pnpm dlx three-blocks-login@latest --mode project --scope @three-blocks
 pnpm --filter create-three-blocks-starter publish --access restricted
 ```

package/bin/index.js

@@ -20,13 +20,17 @@ const LOGIN_CLI = 'three-blocks-login'; // public login CLI
 const LOGIN_SPEC = `${LOGIN_CLI}@latest`; // force-fresh npx install
 const SCOPE = '@three-blocks';
 
-const BLOCKED_NPM_ENV_KEYS = new Set( [
+const RAW_BLOCKED_NPM_ENV_KEYS = [
 	'npm_config__three_blocks_registry',
 	'npm_config_verify_deps_before_run',
 	'npm_config_global_bin_dir',
 	'npm_config__jsr_registry',
 	'npm_config_node_linker',
-].map( ( key ) => key.replace( /-/g, '_' ).toLowerCase() ) );
+];
+const BLOCKED_NPM_ENV_KEYS = new Set( RAW_BLOCKED_NPM_ENV_KEYS.map( ( key ) => key.replace( /-/g, '_' ).toLowerCase() ) );
+const LOGIN_HELPER_RELATIVE_PATH = path.join( 'scripts', 'three-blocks-login.cjs' );
+const LOGIN_HELPER_POSIX_PATH = LOGIN_HELPER_RELATIVE_PATH.split( path.sep ).join( '/' );
+const LOGIN_HELPER_COMMAND = `node ./${LOGIN_HELPER_POSIX_PATH}`;
 
 let DEBUG = /^1|true|yes$/i.test( String( process.env.THREE_BLOCKS_DEBUG || '' ).trim() );
 
@@ -36,6 +40,24 @@ const logDebug = ( msg ) => {
 
 };
 
+let tempDirForCleanup = '';
+const cleanupTmpDir = () => {
+
+	if ( ! tempDirForCleanup ) return;
+	try {
+
+		fs.rmSync( tempDirForCleanup, { recursive: true, force: true } );
+
+	} catch ( cleanupErr ) {
+
+		logDebug( `Unable to remove temp directory ${tempDirForCleanup}: ${cleanupErr?.message || cleanupErr}` );
+
+	}
+
+	tempDirForCleanup = '';
+
+};
+
 class CliError extends Error {
 
 	constructor( message, {
@@ -90,6 +112,7 @@ const cleanNpmEnv = ( extra = {} ) => {
 
 };
 
+
 const STEP_ICON = '⏺ ';
 const logInfo = ( msg ) => {
 
@@ -121,6 +144,111 @@ const logError = ( msg ) => {
 
 };
 
+const appendAuthTokenLines = ( npmrcPath, authLines = [] ) => {
+
+	if ( ! authLines.length ) return false;
+	try {
+
+		const existing = fs.existsSync( npmrcPath ) ? fs.readFileSync( npmrcPath, 'utf8' ) : '';
+		const needsNewline = existing && ! existing.endsWith( os.EOL ) ? os.EOL : '';
+		const next = `${existing}${needsNewline}${authLines.join( os.EOL )}${os.EOL}`;
+		fs.writeFileSync( npmrcPath, next, { mode: 0o600 } );
+		return true;
+
+	} catch ( err ) {
+
+		logWarn( `Warning: could not append auth token to .npmrc: ${err?.message || err}` );
+		return false;
+
+	}
+
+};
+
+const stripAuthTokens = ( npmrcPath, hostPatterns = [] ) => {
+
+	if ( ! hostPatterns.length ) return;
+	try {
+
+		if ( ! fs.existsSync( npmrcPath ) ) return;
+		const raw = fs.readFileSync( npmrcPath, 'utf8' );
+		const lines = raw.split( /\r?\n/ );
+		const patterns = hostPatterns.map( ( host ) => new RegExp( `^\\s*\\/\\/${host.replace( /[.*+?^${}()|[\]\\]/g, '\\$&' )}:_authToken\\s*=`, 'i' ) );
+		const filtered = lines.filter( ( line ) => ! patterns.some( ( re ) => re.test( line ) ) );
+		let end = filtered.length;
+		while ( end > 0 && ! filtered[ end - 1 ].trim() ) end --;
+		const compact = filtered.slice( 0, end ).join( os.EOL );
+		const finalContent = compact ? `${compact}${os.EOL}` : '';
+		fs.writeFileSync( npmrcPath, finalContent, { mode: 0o600 } );
+
+	} catch ( err ) {
+
+		logWarn( `Warning: could not scrub auth token from .npmrc: ${err?.message || err}` );
+
+	}
+
+};
+
+const buildLoginHelperContent = () => `#!/usr/bin/env node
+'use strict';
+
+const { spawnSync } = require('node:child_process');
+
+const RAW_BLOCKED_KEYS = ${JSON.stringify( RAW_BLOCKED_NPM_ENV_KEYS, null, 2 )};
+const BLOCKED_KEYS = new Set(
+	RAW_BLOCKED_KEYS.map( ( key ) => key.replace( /-/g, '_' ).toLowerCase() )
+);
+
+const normalize = ( key ) => key.replace( /-/g, '_' ).toLowerCase();
+
+const scrubEnv = ( source ) => {
+
+	const next = { ...source };
+	for ( const key of Object.keys( next ) ) {
+
+		if ( BLOCKED_KEYS.has( normalize( key ) ) ) {
+
+			delete next[ key ];
+
+		}
+
+	}
+
+	return next;
+
+};
+
+const shouldSkip = /^1|true|yes$/i.test( String( process.env.THREE_BLOCKS_LOGIN_SKIP || '' ) );
+if ( shouldSkip ) {
+
+	process.exit( 0 );
+
+}
+
+const env = scrubEnv( process.env );
+const cmd = process.platform === 'win32' ? 'npx.cmd' : 'npx';
+const args = [ '-y', 'three-blocks-login@latest', ...process.argv.slice( 2 ) ];
+const result = spawnSync( cmd, args, { stdio: 'inherit', env } );
+
+if ( result.error ) {
+
+	console.error( result.error.message || result.error );
+	process.exit( 1 );
+
+}
+
+process.exit( result.status ?? 0 );
+`;
+
+const ensureLoginHelperScript = async ( targetDir ) => {
+
+	const helperPath = path.join( targetDir, LOGIN_HELPER_RELATIVE_PATH );
+	const helperDir = path.dirname( helperPath );
+	await fsp.mkdir( helperDir, { recursive: true } );
+	await fsp.writeFile( helperPath, buildLoginHelperContent(), { mode: 0o755 } );
+	return helperPath;
+
+};
+
 const die = ( m ) => {
 
 	throw new CliError( m );
@@ -405,7 +533,7 @@ const padText = ( value, width, align = 'left' ) => {
 const makeHeaderRow = ( left, right = '', leftAlign = 'left', rightAlign = 'left' ) =>
 	`│${padText( left, LEFT_WIDTH, leftAlign )}│${padText( right, RIGHT_WIDTH, rightAlign )}│`;
 
-const HEADER_COLOR = ESC( 33 );
+const HEADER_COLOR = ESC( '38;2;21;69;245' ); // threejs-blue (#1545F5)
 const CONTENT_COLOR = ESC( 90 );
 const reapplyColor = ( value, color ) => {
 
@@ -665,204 +793,205 @@ async function main() {
 	const headerLicenseId = tokenMetadata?.licenseId ? String( tokenMetadata.licenseId ) : '';
 
 	// 2) Pre-login in a TEMP dir to generate a temp .npmrc (no always-auth)
-	let tmp = '';
-	let tmpNpmrc = '';
+	let tmp = mkTmpDir();
+	tempDirForCleanup = tmp;
+	let tmpNpmrc = path.join( tmp, '.npmrc' );
+	logProgress( `Fetching short-lived token (temp .npmrc) [channel: ${channel}] ...` );
 	try {
 
-		tmp = mkTmpDir();
-		tmpNpmrc = path.join( tmp, '.npmrc' );
-		logProgress( `Fetching short-lived token (temp .npmrc) [channel: ${channel}] ...` );
-		try {
-
-			run( 'npx', [ '-y', LOGIN_SPEC, '--mode', 'project', '--scope', SCOPE, '--channel', channel ], {
-				cwd: tmp,
-				env: { ...process.env, THREE_BLOCKS_SECRET_KEY: license, THREE_BLOCKS_CHANNEL: channel },
-			} );
-
-		} catch ( err ) {
-
-			if ( err instanceof CliError ) {
+		run( 'npx', [ '-y', LOGIN_SPEC, '--mode', 'project', '--scope', SCOPE, '--channel', channel ], {
+			cwd: tmp,
+			env: { ...process.env, THREE_BLOCKS_SECRET_KEY: license, THREE_BLOCKS_CHANNEL: channel },
+		} );
 
-				throw new CliError(
-					'Login failed while minting short-lived token.',
-					{
-						exitCode: err.exitCode,
-						command: err.command,
-						args: err.args,
-						suggestion: 'Ensure the three-blocks-login CLI is reachable and your license key is valid.',
-						cause: err,
-					}
-				);
+	} catch ( err ) {
 
-			}
+		if ( err instanceof CliError ) {
 
-			throw err;
+			throw new CliError(
+				'Login failed while minting short-lived token.',
+				{
+					exitCode: err.exitCode,
+					command: err.command,
+					args: err.args,
+					suggestion: 'Ensure the three-blocks-login CLI is reachable and your license key is valid.',
+					cause: err,
+				}
+			);
 
 		}
 
-		if ( ! fs.existsSync( tmpNpmrc ) ) {
-
-			throw new CliError( 'Login failed: temp .npmrc not created.' );
-
-		}
+		throw err;
 
-		// Extract registry URL from temp .npmrc so we can pass it explicitly to npm create
-		let registryUrl = '';
-		try {
+	}
 
-			const txt = fs.readFileSync( tmpNpmrc, 'utf8' );
-			const m = txt.match( /^@[^:]+:registry=(.+)$/m );
-			if ( m && m[ 1 ] ) registryUrl = m[ 1 ].trim();
+	if ( ! fs.existsSync( tmpNpmrc ) ) {
 
-		} catch ( readErr ) {
+		throw new CliError( 'Login failed: temp .npmrc not created.' );
 
-			logDebug( `Could not read temp .npmrc: ${readErr?.message || readErr}` );
+	}
 
-		}
+	// Extract registry URL from temp .npmrc so we can pass it explicitly to npm create
+	let registryUrl = '';
+	const tempAuthLines = [];
+	const tempAuthHosts = new Set();
+	try {
 
-		if ( ! headerRegistry && registryUrl ) headerRegistry = registryUrl;
+		const txt = fs.readFileSync( tmpNpmrc, 'utf8' );
+		const lines = txt.split( /\r?\n/ );
+		for ( const rawLine of lines ) {
 
-		// 3) Scaffold the private starter by packing and extracting the tarball (avoids npm create naming transform)
-		const starterSpec = `${STARTER_PKG}@${channel === 'stable' ? 'latest' : channel}`;
-		logProgress( `Fetching starter tarball ${starterSpec} ...` );
-		const createEnv = {
-			...process.env,
-			THREE_BLOCKS_SECRET_KEY: license,
-			NPM_CONFIG_USERCONFIG: tmpNpmrc,
-			npm_config_userconfig: tmpNpmrc,
-		};
-		const packArgs = [ 'pack', starterSpec, '--json' ];
-		if ( ! DEBUG ) packArgs.push( '--silent' );
-		let packedOut = '';
-		try {
+			const line = rawLine.replace( /\r/g, '' );
+			if ( ! line ) continue;
+			if ( ! registryUrl ) {
 
-			packedOut = exec( 'npm', packArgs, { cwd: tmp, env: createEnv } );
+				const m = line.match( /^@[^:]+:registry=(.+)$/ );
+				if ( m && m[ 1 ] ) registryUrl = m[ 1 ].trim();
 
-		} catch ( err ) {
+			}
 
-			if ( err instanceof CliError ) {
+			const authMatch = line.match( /^\/\/([^:]+):_authToken=.+$/ );
+			if ( authMatch && authMatch[ 1 ] ) {
 
-				const baseMessage = `Failed to fetch starter tarball ${starterSpec}.`;
-				const detail = ( err.stderr || err.stdout || '' ).trim();
-				const message = detail ? baseMessage : `${baseMessage} ${err.message || ''}`.trim();
-				throw new CliError(
-					message,
-					{
-						exitCode: err.exitCode,
-						command: err.command,
-						args: err.args,
-						stdout: err.stdout,
-						stderr: err.stderr,
-						suggestion: 'Confirm your license has access to the selected channel and that the package version exists.',
-						cause: err,
-					}
-				);
+				tempAuthLines.push( line );
+				tempAuthHosts.add( authMatch[ 1 ] );
 
 			}
 
-			throw new CliError(
-				`Failed to fetch starter tarball ${starterSpec}.`,
-				{ cause: err }
-			);
-
 		}
 
-		let tarName = '';
-		let starterVersion = '';
-		try {
-
-			const info = JSON.parse( packedOut );
-			if ( Array.isArray( info ) ) {
-
-				tarName = info[ 0 ]?.filename || '';
-				starterVersion = info[ 0 ]?.version || '';
+	} catch ( readErr ) {
 
-			} else {
+		logDebug( `Could not read temp .npmrc: ${readErr?.message || readErr}` );
 
-				tarName = info.filename || '';
-				starterVersion = info.version || '';
-
-			}
+	}
 
-		} catch {
+	if ( ! headerRegistry && registryUrl ) headerRegistry = registryUrl;
+	const authHostList = Array.from( tempAuthHosts );
+
+	// 3) Scaffold the private starter by packing and extracting the tarball (avoids npm create naming transform)
+	const starterSpec = `${STARTER_PKG}@${channel === 'stable' ? 'latest' : channel}`;
+	logProgress( `Fetching starter tarball ${starterSpec} ...` );
+	const createEnv = {
+		...process.env,
+		THREE_BLOCKS_SECRET_KEY: license,
+		NPM_CONFIG_USERCONFIG: tmpNpmrc,
+		npm_config_userconfig: tmpNpmrc,
+	};
+	const packArgs = [ 'pack', starterSpec, '--json' ];
+	if ( ! DEBUG ) packArgs.push( '--silent' );
+	let packedOut = '';
+	try {
 
-			const lines = String( packedOut || '' ).trim().split( /\r?\n/ );
-			tarName = lines[ lines.length - 1 ] || '';
+		packedOut = exec( 'npm', packArgs, { cwd: tmp, env: createEnv } );
 
-		}
+	} catch ( err ) {
 
-		const tarPath = path.join( tmp, tarName );
-		if ( ! tarName || ! fs.existsSync( tarPath ) ) {
+		if ( err instanceof CliError ) {
 
+			const baseMessage = `Failed to fetch starter tarball ${starterSpec}.`;
+			const detail = ( err.stderr || err.stdout || '' ).trim();
+			const message = detail ? baseMessage : `${baseMessage} ${err.message || ''}`.trim();
 			throw new CliError(
-				`Failed to fetch starter tarball ${starterSpec}.`,
-				{ suggestion: 'Ensure the requested release is published and accessible for your channel.' }
+				message,
+				{
+					exitCode: err.exitCode,
+					command: err.command,
+					args: err.args,
+					stdout: err.stdout,
+					stderr: err.stderr,
+					suggestion: 'Confirm your license has access to the selected channel and that the package version exists.',
+					cause: err,
+				}
 			);
 
 		}
 
-		const headerStarterVersion = starterVersion || extractVersionFromTarball( tarName );
-		const headerCoreVersion = headerChannel === 'stable' ? 'latest' : headerChannel;
-		renderHeader( {
-			starterVersion: headerStarterVersion,
-			userDisplayName,
-			planName,
-			repoPath,
-			projectName: appName,
-			channel: headerChannel,
-			coreVersion: headerCoreVersion,
-			license,
-			registry: headerRegistry,
-			domain: headerDomain,
-			region: headerRegion,
-			repository: headerRepository,
-			expiresAt: headerExpires,
-			teamId: headerTeamId,
-			teamName: headerTeamName,
-			licenseId: headerLicenseId,
-		} );
-		logProgress( 'Extracting files ...' );
-		try {
+		throw new CliError(
+			`Failed to fetch starter tarball ${starterSpec}.`,
+			{ cause: err }
+		);
 
-			run( 'tar', [ '-xzf', tarPath, '-C', targetDir, '--strip-components=1' ] );
+	}
 
-		} catch ( err ) {
+	let tarName = '';
+	let starterVersion = '';
+	try {
 
-			if ( err instanceof CliError ) {
+		const info = JSON.parse( packedOut );
+		if ( Array.isArray( info ) ) {
 
-				throw new CliError(
-					'Failed to extract starter files.',
-					{
-						exitCode: err.exitCode,
-						command: err.command,
-						args: err.args,
-						suggestion: 'Check file permissions and available disk space before retrying.',
-						cause: err,
-					}
-				);
+			tarName = info[ 0 ]?.filename || '';
+			starterVersion = info[ 0 ]?.version || '';
 
-			}
+		} else {
 
-			throw err;
+			tarName = info.filename || '';
+			starterVersion = info.version || '';
 
 		}
 
-	} finally {
+	} catch {
 
-		if ( tmp ) {
+		const lines = String( packedOut || '' ).trim().split( /\r?\n/ );
+		tarName = lines[ lines.length - 1 ] || '';
 
-			try {
+	}
 
-				fs.rmSync( tmp, { recursive: true, force: true } );
+	const tarPath = path.join( tmp, tarName );
+	if ( ! tarName || ! fs.existsSync( tarPath ) ) {
 
-			} catch ( cleanupErr ) {
+		throw new CliError(
+			`Failed to fetch starter tarball ${starterSpec}.`,
+			{ suggestion: 'Ensure the requested release is published and accessible for your channel.' }
+		);
 
-				logDebug( `Unable to remove temp directory ${tmp}: ${cleanupErr?.message || cleanupErr}` );
+	}
 
-			}
+	const headerStarterVersion = starterVersion || extractVersionFromTarball( tarName );
+	const headerCoreVersion = headerChannel === 'stable' ? 'latest' : headerChannel;
+	renderHeader( {
+		starterVersion: headerStarterVersion,
+		userDisplayName,
+		planName,
+		repoPath,
+		projectName: appName,
+		channel: headerChannel,
+		coreVersion: headerCoreVersion,
+		license,
+		registry: headerRegistry,
+		domain: headerDomain,
+		region: headerRegion,
+		repository: headerRepository,
+		expiresAt: headerExpires,
+		teamId: headerTeamId,
+		teamName: headerTeamName,
+		licenseId: headerLicenseId,
+	} );
+	logProgress( 'Extracting files ...' );
+	try {
+
+		run( 'tar', [ '-xzf', tarPath, '-C', targetDir, '--strip-components=1' ] );
+
+	} catch ( err ) {
+
+		if ( err instanceof CliError ) {
+
+			throw new CliError(
+				'Failed to extract starter files.',
+				{
+					exitCode: err.exitCode,
+					command: err.command,
+					args: err.args,
+					suggestion: 'Check file permissions and available disk space before retrying.',
+					cause: err,
+				}
+			);
 
 		}
 
+		throw err;
+
 	}
 
 	// 4) Write .env.local and .gitignore entries
@@ -876,7 +1005,8 @@ async function main() {
 
 	} catch {}
 
-	for ( const line of [ '.env.local', '.npmrc' ] ) {
+	// Only add .env.local to .gitignore (NOT .npmrc - we want to commit the registry config)
+	for ( const line of [ '.env.local' ] ) {
 
 		if ( ! gi.includes( line ) ) gi += ( gi.endsWith( '\n' ) || gi === '' ? '' : '\n' ) + line + '\n';
 
@@ -884,9 +1014,42 @@ async function main() {
 
 	await fsp.writeFile( giPath, gi );
 
-	// 5) First install — the starter already has:
-	//    "preinstall": "npx -y three-blocks-login --mode project --scope @three-blocks"
-	//    so it will mint a fresh token and write a project .npmrc.
+	// Create base .npmrc with registry URL (tokens added dynamically)
+	const npmrcPath = path.join( targetDir, '.npmrc' );
+	const npmrcContent = [
+		'# Three Blocks registry configuration',
+		'# Auth tokens are appended automatically by three-blocks-login and expire quickly.',
+		'# Avoid committing auth tokens; rerun pnpm install to refresh access if needed.',
+		'',
+		`${SCOPE}:registry=${headerRegistry || registryUrl}`,
+		'',
+		'# Auth tokens are appended during installs/preinstall hooks.',
+		'# DO NOT hard-code long-lived tokens in this file.',
+		''
+	].join( '\n' );
+	await fsp.writeFile( npmrcPath, npmrcContent ).catch( ( e ) => {
+
+		logWarn( `Warning: could not write .npmrc: ${e?.message || String( e )}` );
+
+	} );
+	let loginHelperReady = false;
+	try {
+
+		await ensureLoginHelperScript( targetDir );
+		loginHelperReady = true;
+		logSuccess( `Prepared login helper script (${LOGIN_HELPER_POSIX_PATH}).` );
+
+	} catch ( helperErr ) {
+
+		logWarn( `Warning: could not write ${LOGIN_HELPER_POSIX_PATH}: ${helperErr?.message || String( helperErr )}` );
+
+	}
+
+	const primedAuth = appendAuthTokenLines( npmrcPath, tempAuthLines );
+	if ( primedAuth ) logDebug( 'Primed .npmrc with short-lived auth token.' );
+
+	// 5) Add simplified preinstall script
+	//    The script will automatically append auth token to existing .npmrc
 	try {
 
 		const pkgPath = path.join( targetDir, 'package.json' );
@@ -895,12 +1058,12 @@ async function main() {
 		pkg.scripts = pkg.scripts || {};
 		if ( ! pkg.scripts.preinstall ) {
 
-			pkg.scripts.preinstall = `npx -y ${LOGIN_CLI}@latest --mode project --scope ${SCOPE} --channel ${channel}`;
+			pkg.scripts.preinstall = loginHelperReady ? LOGIN_HELPER_COMMAND : `npx -y ${LOGIN_CLI}@latest`;
 
 		}
 
 		await fsp.writeFile( pkgPath, JSON.stringify( pkg, null, 2 ) );
-		logSuccess( 'Added preinstall to generated package.json to refresh token on installs.' );
+		logSuccess( 'Added preinstall script to refresh auth tokens on installs.' );
 
 	} catch ( e ) {
 
@@ -908,61 +1071,77 @@ async function main() {
 
 	}
 
-	logProgress( 'Installing dependencies (preinstall will refresh token) ...' );
+	const installMessage = primedAuth
+		? 'Installing dependencies (token primed; future installs refresh automatically) ...'
+		: 'Installing dependencies (preinstall will refresh token) ...';
+	logProgress( installMessage );
 	const hasPnpm = spawnSync( 'pnpm', [ '-v' ], { stdio: 'ignore', env: cleanNpmEnv() } ).status === 0;
+	const sharedInstallEnv = {
+		...process.env,
+		THREE_BLOCKS_SECRET_KEY: license,
+		THREE_BLOCKS_CHANNEL: channel,
+	};
+	if ( primedAuth ) sharedInstallEnv.THREE_BLOCKS_LOGIN_SKIP = '1';
+	const cleanupAuthAfterBootstrap = () => {
+
+		if ( primedAuth && authHostList.length ) stripAuthTokens( npmrcPath, authHostList );
+
+	};
+
 	try {
 
-		run( hasPnpm ? 'pnpm' : 'npm', [ hasPnpm ? 'install' : 'ci' ], {
-			cwd: targetDir,
-			env: {
-				...process.env,
-				THREE_BLOCKS_SECRET_KEY: license,
-				THREE_BLOCKS_CHANNEL: channel,
-			},
-		} );
+		try {
 
-	} catch ( err ) {
+			run( hasPnpm ? 'pnpm' : 'npm', [ hasPnpm ? 'install' : 'ci' ], {
+				cwd: targetDir,
+				env: sharedInstallEnv,
+			} );
 
-		if ( err instanceof CliError ) {
+		} catch ( err ) {
 
-			throw new CliError(
-				'Dependency installation failed.',
-				{
-					exitCode: err.exitCode,
-					command: err.command,
-					args: err.args,
-					stdout: err.stdout,
-					stderr: err.stderr,
-					suggestion: 'Inspect the log above for npm/pnpm errors or retry with --debug for full output.',
-					cause: err,
-				}
-			);
+			if ( err instanceof CliError ) {
+
+				throw new CliError(
+					'Dependency installation failed.',
+					{
+						exitCode: err.exitCode,
+						command: err.command,
+						args: err.args,
+						stdout: err.stdout,
+						stderr: err.stderr,
+						suggestion: 'Inspect the log above for npm/pnpm errors or retry with --debug for full output.',
+						cause: err,
+					}
+				);
+
+			}
+
+			throw err;
 
 		}
 
-		throw err;
+		{
 
-	}
+			const coreSpec = `@three-blocks/core@${channel === 'stable' ? 'latest' : channel}`;
+			logProgress( `Installing ${coreSpec} ...` );
+			const addArgs = hasPnpm ? [ 'add', '--save-exact', coreSpec ] : [ 'install', '--save-exact', coreSpec ];
+			const r = spawnSync( hasPnpm ? 'pnpm' : 'npm', addArgs, {
+				stdio: 'inherit',
+				cwd: targetDir,
+				env: cleanNpmEnv( sharedInstallEnv ),
+			} );
+			if ( r.status !== 0 ) {
 
-	{
-
-		const coreSpec = `@three-blocks/core@${channel === 'stable' ? 'latest' : channel}`;
-		logProgress( `Installing ${coreSpec} ...` );
-		const addArgs = hasPnpm ? [ 'add', '--save-exact', coreSpec ] : [ 'install', '--save-exact', coreSpec ];
-		const r = spawnSync( hasPnpm ? 'pnpm' : 'npm', addArgs, {
-			stdio: 'inherit',
-			cwd: targetDir,
-			env: cleanNpmEnv( {
-				THREE_BLOCKS_SECRET_KEY: license,
-				THREE_BLOCKS_CHANNEL: channel,
-			} ),
-		} );
-		if ( r.status !== 0 ) {
+				logWarn( `Warning: could not install @three-blocks/core (exit ${r.status}).` );
 
-			logWarn( `Warning: could not install @three-blocks/core (exit ${r.status}).` );
+			}
 
 		}
 
+	} finally {
+
+		cleanupAuthAfterBootstrap();
+
 	}
 
 	console.log( '' );
@@ -978,32 +1157,38 @@ async function main() {
 
 }
 
-main().catch( ( err ) => {
+main()
+	.catch( ( err ) => {
 
-	if ( err instanceof CliError ) {
+		if ( err instanceof CliError ) {
 
-		logError( err.message );
-		const detail = ( err.stderr || err.stdout || '' ).trim();
-		if ( detail ) {
+			logError( err.message );
+			const detail = ( err.stderr || err.stdout || '' ).trim();
+			if ( detail ) {
 
-			const lines = detail.split( /\r?\n/ );
-			for ( const line of lines ) console.error( dim( `    ${line}` ) );
+				const lines = detail.split( /\r?\n/ );
+				for ( const line of lines ) console.error( dim( `    ${line}` ) );
 
-		}
+			}
+
+			if ( err.suggestion ) logInfo( dim( `Hint: ${err.suggestion}` ) );
+			if ( DEBUG && err.cause && err.cause !== err && err.cause?.stack ) {
 
-		if ( err.suggestion ) logInfo( dim( `Hint: ${err.suggestion}` ) );
-		if ( DEBUG && err.cause && err.cause !== err && err.cause?.stack ) {
+				console.error( dim( err.cause.stack ) );
+
+			}
 
-			console.error( dim( err.cause.stack ) );
+			process.exit( err.exitCode ?? 1 );
 
 		}
 
-		process.exit( err.exitCode ?? 1 );
+		const fallback = err?.stack || err?.message || String( err );
+		logError( fallback );
+		process.exit( 1 );
 
-	}
+	} )
+	.finally( () => {
 
-	const fallback = err?.stack || err?.message || String( err );
-	logError( fallback );
-	process.exit( 1 );
+		cleanupTmpDir();
 
-} );
+	} );

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-three-blocks-starter",
-  "version": "0.0.7",
+  "version": "0.0.9",
   "private": false,
   "type": "module",
   "description": "Create a new Three Blocks starter app",