dexto 1.6.8 → 1.6.9

package/README.md

@@ -433,10 +433,10 @@ Pre-built agents for common use cases:
 
 ```bash
 # List available agents
-dexto list-agents
+dexto agents list
 
 # Install and run
-dexto install coding-agent podcast-agent
+dexto agents install coding-agent podcast-agent
 dexto --agent coding-agent
 ```
 
@@ -606,8 +606,8 @@ Options:
 
 Commands:
   setup                    Configure global preferences
-  install <agents...>      Install agents from registry
-  list-agents              List available agents
+  agents install <agents...>  Install agents from registry
+  agents list              List available agents
   session list|history     Manage sessions
   search <query>           Search conversation history
 ```

package/dist/analytics/wrapper.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"wrapper.d.ts","sourceRoot":"","sources":["../../src/analytics/wrapper.ts"],"names":[],"mappings":"AAkDA,wBAAgB,aAAa,CAAC,CAAC,SAAS,OAAO,EAAE,EAAE,CAAC,GAAG,OAAO,EAC1D,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,EACvC,IAAI,CAAC,EAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GAC9B,CAAC,GAAG,IAAI,EAAE,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,CAiE5B;AAED,qBAAa,UAAW,SAAQ,KAAK;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC5B,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;gBACrB,IAAI,GAAE,MAAU,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM;CAOtE;AAED,wBAAgB,QAAQ,CAAC,WAAW,EAAE,MAAM,EAAE,IAAI,GAAE,MAAU,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,KAAK,CAEtF"}
+{"version":3,"file":"wrapper.d.ts","sourceRoot":"","sources":["../../src/analytics/wrapper.ts"],"names":[],"mappings":"AAqEA,wBAAgB,aAAa,CAAC,CAAC,SAAS,OAAO,EAAE,EAAE,CAAC,GAAG,OAAO,EAC1D,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,EACvC,IAAI,CAAC,EAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GAC9B,CAAC,GAAG,IAAI,EAAE,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,CAmF5B;AAED,qBAAa,UAAW,SAAQ,KAAK;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC5B,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;gBACrB,IAAI,GAAE,MAAU,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM;CAOtE;AAED,wBAAgB,QAAQ,CAAC,WAAW,EAAE,MAAM,EAAE,IAAI,GAAE,MAAU,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,KAAK,CAEtF"}

package/dist/analytics/wrapper.js

@@ -1,6 +1,21 @@
 // packages/cli/src/analytics/wrapper.ts
-import { onCommandStart, onCommandEnd, capture } from './index.js';
 import { COMMAND_TIMEOUT_MS } from './constants.js';
+let analyticsModulePromise = null;
+let analyticsInitialized = false;
+async function getAnalyticsModule() {
+    if (!analyticsModulePromise) {
+        analyticsModulePromise = import('./index.js');
+    }
+    return analyticsModulePromise;
+}
+async function ensureAnalyticsInitialized() {
+    const analytics = await getAnalyticsModule();
+    if (!analyticsInitialized) {
+        await analytics.initAnalytics({ appVersion: process.env.DEXTO_CLI_VERSION || '0.0.0' });
+        analyticsInitialized = true;
+    }
+    return analytics;
+}
 function sanitizeOptions(obj) {
     const redactedKeys = /key|token|secret|password|api[_-]?key|authorization|auth/i;
     const truncate = (s, max = 256) => (s.length > max ? s.slice(0, max) + '…' : s);
@@ -45,7 +60,14 @@ export function withAnalytics(commandName, handler, opts) {
     const timeoutMs = opts?.timeoutMs ?? COMMAND_TIMEOUT_MS;
     return async (...args) => {
         const argsMeta = buildArgsPayload(args);
-        await onCommandStart(commandName, { args: argsMeta });
+        let analytics = null;
+        try {
+            analytics = await ensureAnalyticsInitialized();
+            await analytics.onCommandStart(commandName, { args: argsMeta });
+        }
+        catch {
+            analytics = null;
+        }
         const timeout = timeoutMs > 0
             ? (() => {
                 const t = setTimeout(() => {
@@ -56,7 +78,13 @@ export function withAnalytics(commandName, handler, opts) {
                             timeoutMs,
                             args: argsMeta,
                         };
-                        capture('dexto_cli_command', payload);
+                        if (analytics) {
+                            analytics.capture('dexto_cli_command', payload);
+                            return;
+                        }
+                        void getAnalyticsModule()
+                            .then((mod) => mod.capture('dexto_cli_command', payload))
+                            .catch(() => { });
                     }
                     catch {
                         // Timeout instrumentation must never throw.
@@ -70,7 +98,9 @@ export function withAnalytics(commandName, handler, opts) {
         try {
             const result = await handler(...args);
             const success = (typeof process.exitCode === 'number' ? process.exitCode : 0) === 0;
-            await onCommandEnd(commandName, success, { args: argsMeta });
+            if (analytics) {
+                await analytics.onCommandEnd(commandName, success, { args: argsMeta });
+            }
             return result;
         }
         catch (err) {
@@ -85,7 +115,9 @@ export function withAnalytics(commandName, handler, opts) {
                     if (err.commandName) {
                         endMeta.command = err.commandName;
                     }
-                    await onCommandEnd(commandName, exitCode === 0, endMeta);
+                    if (analytics) {
+                        await analytics.onCommandEnd(commandName, exitCode === 0, endMeta);
+                    }
                 }
                 catch {
                     // Ignore analytics errors when propagating ExitSignal.
@@ -94,10 +126,12 @@ export function withAnalytics(commandName, handler, opts) {
                 process.exit(exitCode);
             }
             try {
-                await onCommandEnd(commandName, false, {
-                    error: err instanceof Error ? err.message : String(err),
-                    args: argsMeta,
-                });
+                if (analytics) {
+                    await analytics.onCommandEnd(commandName, false, {
+                        error: err instanceof Error ? err.message : String(err),
+                        args: argsMeta,
+                    });
+                }
             }
             catch {
                 // Ignore analytics errors when recording failures.

package/dist/cli/auth/api-client.d.ts

@@ -1,3 +1,32 @@
+import type { AuthenticatedUser } from './types.js';
+export interface DeviceCodeStartResponse {
+    deviceCode: string;
+    userCode: string;
+    verificationUrl: string;
+    verificationUrlComplete: string | null;
+    expiresIn: number;
+    interval: number;
+}
+export interface DeviceCodeTokenResponse {
+    accessToken: string;
+    refreshToken?: string | null;
+    expiresIn?: number | null;
+    expiresAt?: number | null;
+}
+export type DeviceCodePollResponse = {
+    status: 'pending';
+} | {
+    status: 'slowDown';
+} | {
+    status: 'expired';
+} | {
+    status: 'denied';
+} | {
+    status: 'transientError';
+} | {
+    status: 'success';
+    token: DeviceCodeTokenResponse;
+};
 export interface UsageSummaryResponse {
     credits_usd: number;
     mtd_usage: {
@@ -17,6 +46,9 @@ export interface UsageSummaryResponse {
         output_tokens: number;
     }>;
 }
+interface RequestOptions {
+    signal?: AbortSignal | undefined;
+}
 /**
  * Dexto API client for key management
  */
@@ -24,6 +56,7 @@ export declare class DextoApiClient {
     private readonly baseUrl;
     private readonly timeoutMs;
     constructor(baseUrl?: string);
+    private createRequestSignal;
     /**
      * Validate if a Dexto API key is valid
      */
@@ -41,9 +74,26 @@ export declare class DextoApiClient {
      * Get usage summary (balance + MTD usage + recent history)
      */
     getUsageSummary(apiKey: string): Promise<UsageSummaryResponse>;
+    /**
+     * Start device code login at the gateway.
+     */
+    startDeviceCodeLogin(client?: string, options?: RequestOptions): Promise<DeviceCodeStartResponse>;
+    /**
+     * Poll the gateway for device-code login completion.
+     */
+    pollDeviceCodeLogin(deviceCode: string, options?: RequestOptions): Promise<DeviceCodePollResponse>;
+    /**
+     * Fetch Supabase user profile for a bearer token.
+     */
+    fetchSupabaseUser(accessToken: string, options?: RequestOptions): Promise<AuthenticatedUser | undefined>;
+    /**
+     * Validate Supabase access token by checking if /auth/v1/user resolves.
+     */
+    validateSupabaseAccessToken(accessToken: string, options?: RequestOptions): Promise<boolean>;
 }
 /**
  * Get default Dexto API client
  */
 export declare function getDextoApiClient(): DextoApiClient;
+export {};
 //# sourceMappingURL=api-client.d.ts.map

package/dist/cli/auth/api-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"api-client.d.ts","sourceRoot":"","sources":["../../../src/cli/auth/api-client.ts"],"names":[],"mappings":"AAqBA,MAAM,WAAW,oBAAoB;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE;QACP,cAAc,EAAE,MAAM,CAAC;QACvB,cAAc,EAAE,MAAM,CAAC;QACvB,QAAQ,EAAE,MAAM,CACZ,MAAM,EACN;YACI,QAAQ,EAAE,MAAM,CAAC;YACjB,QAAQ,EAAE,MAAM,CAAC;YACjB,MAAM,EAAE,MAAM,CAAC;SAClB,CACJ,CAAC;KACL,CAAC;IACF,MAAM,EAAE,KAAK,CAAC;QACV,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,aAAa,EAAE,MAAM,CAAC;KACzB,CAAC,CAAC;CACN;AAED;;GAEG;AACH,qBAAa,cAAc;IACvB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAU;gBAExB,OAAO,GAAE,MAAsB;IAI3C;;OAEG;IACG,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAwB3D;;;OAGG;IACG,oBAAoB,CACtB,SAAS,EAAE,MAAM,EACjB,IAAI,GAAE,MAAwB,EAC9B,UAAU,GAAE,OAAe,GAC5B,OAAO,CAAC;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAA;KAAE,CAAC;IA0DrE;;OAEG;IACG,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;CAwBvE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,CAElD"}
+{"version":3,"file":"api-client.d.ts","sourceRoot":"","sources":["../../../src/cli/auth/api-client.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAUpD,MAAM,WAAW,uBAAuB;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,uBAAuB,EAAE,MAAM,GAAG,IAAI,CAAC;IACvC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,uBAAuB;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,MAAM,sBAAsB,GAC5B;IAAE,MAAM,EAAE,SAAS,CAAA;CAAE,GACrB;IAAE,MAAM,EAAE,UAAU,CAAA;CAAE,GACtB;IAAE,MAAM,EAAE,SAAS,CAAA;CAAE,GACrB;IAAE,MAAM,EAAE,QAAQ,CAAA;CAAE,GACpB;IAAE,MAAM,EAAE,gBAAgB,CAAA;CAAE,GAC5B;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,KAAK,EAAE,uBAAuB,CAAA;CAAE,CAAC;AAE5D,MAAM,WAAW,oBAAoB;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE;QACP,cAAc,EAAE,MAAM,CAAC;QACvB,cAAc,EAAE,MAAM,CAAC;QACvB,QAAQ,EAAE,MAAM,CACZ,MAAM,EACN;YACI,QAAQ,EAAE,MAAM,CAAC;YACjB,QAAQ,EAAE,MAAM,CAAC;YACjB,MAAM,EAAE,MAAM,CAAC;SAClB,CACJ,CAAC;KACL,CAAC;IACF,MAAM,EAAE,KAAK,CAAC;QACV,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,aAAa,EAAE,MAAM,CAAC;KACzB,CAAC,CAAC;CACN;AAED,UAAU,cAAc;IACpB,MAAM,CAAC,EAAE,WAAW,GAAG,SAAS,CAAC;CACpC;AAkSD;;GAEG;AACH,qBAAa,cAAc;IACvB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAU;gBAExB,OAAO,GAAE,MAAsB;IAI3C,OAAO,CAAC,mBAAmB;IAS3B;;OAEG;IACG,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAwB3D;;;OAGG;IACG,oBAAoB,CACtB,SAAS,EAAE,MAAM,EACjB,IAAI,GAAE,MAAwB,EAC9B,UAAU,GAAE,OAAe,GAC5B,OAAO,CAAC;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAA;KAAE,CAAC;IA6DrE;;OAEG;IACG,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IA2BpE;;OAEG;IACG,oBAAoB,CACtB,MAAM,GAAE,MAAoB,EAC5B,OAAO,GAAE,cAAmB,GAC7B,OAAO,CAAC,uBAAuB,CAAC;IAyBnC;;OAEG;IACG,mBAAmB,CACrB,UAAU,EAAE,MAAM,EAClB,OAAO,GAAE,cAAmB,GAC7B,OAAO,CAAC,sBAAsB,CAAC;IAuFlC;;OAEG;IACG,iBAAiB,CACnB,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,cAAmB,GAC7B,OAAO,CAAC,iBAAiB,GAAG,SAAS,CAAC;IAyBzC;;OAEG;IACG,2BAA2B,CAC7B,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,cAAmB,GAC7B,OAAO,CAAC,OAAO,CAAC;CAItB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,CAElD"}

package/dist/cli/auth/api-client.js

@@ -5,18 +5,247 @@
 // 1. Migrate dexto-web APIs to Hono and use @hono/client (like packages/server)
 // 2. Use openapi-fetch with generated types from OpenAPI spec
 // 3. Use tRPC if we want full-stack type safety
-// Currently using plain fetch() with manual type definitions.
+// Currently using plain fetch() with runtime response validation.
 import { logger } from '@dexto/core';
-import { DEXTO_API_URL } from './constants.js';
+import { DEXTO_API_URL, SUPABASE_ANON_KEY, SUPABASE_URL } from './constants.js';
+function parseString(value) {
+    return typeof value === 'string' && value.trim().length > 0 ? value : null;
+}
+function parseBoolean(value) {
+    return typeof value === 'boolean' ? value : null;
+}
+function parseNumber(value) {
+    if (typeof value === 'number' && Number.isFinite(value)) {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const parsed = Number.parseFloat(value);
+        if (Number.isFinite(parsed)) {
+            return parsed;
+        }
+    }
+    return null;
+}
+function parseProvisionResponse(payload) {
+    if (typeof payload !== 'object' || payload === null) {
+        throw new Error('Invalid response from API');
+    }
+    const success = parseBoolean(Reflect.get(payload, 'success'));
+    if (success === null) {
+        throw new Error('Invalid response from API');
+    }
+    const dextoApiKey = parseString(Reflect.get(payload, 'dextoApiKey')) ?? undefined;
+    const keyId = parseString(Reflect.get(payload, 'keyId')) ?? undefined;
+    const isNewKey = parseBoolean(Reflect.get(payload, 'isNewKey')) ?? undefined;
+    const error = parseString(Reflect.get(payload, 'error')) ?? undefined;
+    const result = {
+        success,
+    };
+    if (dextoApiKey) {
+        result.dextoApiKey = dextoApiKey;
+    }
+    if (keyId) {
+        result.keyId = keyId;
+    }
+    if (isNewKey !== undefined) {
+        result.isNewKey = isNewKey;
+    }
+    if (error) {
+        result.error = error;
+    }
+    return result;
+}
+function parseDeviceCodeStartResponse(payload) {
+    if (typeof payload !== 'object' || payload === null) {
+        throw new Error('Invalid device start response');
+    }
+    const deviceCode = parseString(Reflect.get(payload, 'device_code')) ??
+        parseString(Reflect.get(payload, 'deviceCode'));
+    const userCode = parseString(Reflect.get(payload, 'user_code')) ??
+        parseString(Reflect.get(payload, 'userCode'));
+    const verificationUrl = parseString(Reflect.get(payload, 'verification_uri')) ??
+        parseString(Reflect.get(payload, 'verificationUrl'));
+    const verificationUrlComplete = parseString(Reflect.get(payload, 'verification_uri_complete')) ??
+        parseString(Reflect.get(payload, 'verificationUrlComplete'));
+    const expiresIn = parseNumber(Reflect.get(payload, 'expires_in')) ??
+        parseNumber(Reflect.get(payload, 'expiresIn'));
+    const interval = parseNumber(Reflect.get(payload, 'interval'));
+    if (!deviceCode || !userCode || !verificationUrl || !expiresIn || !interval) {
+        throw new Error('Device start response missing required fields');
+    }
+    return {
+        deviceCode,
+        userCode,
+        verificationUrl,
+        verificationUrlComplete,
+        expiresIn,
+        interval,
+    };
+}
+function parseDeviceCodeTokenResponse(payload) {
+    if (typeof payload !== 'object' || payload === null) {
+        return null;
+    }
+    const accessToken = parseString(Reflect.get(payload, 'accessToken')) ??
+        parseString(Reflect.get(payload, 'access_token'));
+    if (!accessToken) {
+        return null;
+    }
+    const refreshToken = parseString(Reflect.get(payload, 'refreshToken')) ??
+        parseString(Reflect.get(payload, 'refresh_token'));
+    const expiresIn = parseNumber(Reflect.get(payload, 'expiresIn')) ??
+        parseNumber(Reflect.get(payload, 'expires_in'));
+    const expiresAt = parseNumber(Reflect.get(payload, 'expiresAt')) ??
+        parseNumber(Reflect.get(payload, 'expires_at'));
+    return {
+        accessToken,
+        refreshToken,
+        expiresIn,
+        expiresAt,
+    };
+}
+function parseDeviceErrorCode(payload) {
+    if (typeof payload !== 'object' || payload === null) {
+        return null;
+    }
+    return parseString(Reflect.get(payload, 'error'));
+}
+function isTransientDevicePollErrorCode(errorCode) {
+    return (errorCode === 'server_error' ||
+        errorCode === 'temporary_unavailable' ||
+        errorCode === 'temporarily_unavailable');
+}
+function parseSupabaseUser(payload) {
+    if (typeof payload !== 'object' || payload === null) {
+        return null;
+    }
+    const id = parseString(Reflect.get(payload, 'id'));
+    const email = parseString(Reflect.get(payload, 'email'));
+    if (!id || !email) {
+        return null;
+    }
+    const userMetadata = Reflect.get(payload, 'user_metadata');
+    const fullName = typeof userMetadata === 'object' && userMetadata !== null
+        ? parseString(Reflect.get(userMetadata, 'full_name'))
+        : null;
+    return {
+        id,
+        email,
+        name: fullName ?? email,
+    };
+}
+function parseUsageByModel(payload) {
+    if (typeof payload !== 'object' || payload === null) {
+        return {};
+    }
+    const byModel = {};
+    for (const [model, value] of Object.entries(payload)) {
+        if (typeof value !== 'object' || value === null) {
+            continue;
+        }
+        const requests = parseNumber(Reflect.get(value, 'requests'));
+        const costUsd = parseNumber(Reflect.get(value, 'cost_usd'));
+        const tokens = parseNumber(Reflect.get(value, 'tokens'));
+        if (requests === null || costUsd === null || tokens === null) {
+            continue;
+        }
+        byModel[model] = {
+            requests,
+            cost_usd: costUsd,
+            tokens,
+        };
+    }
+    return byModel;
+}
+function parseRecentUsage(payload) {
+    if (!Array.isArray(payload)) {
+        return [];
+    }
+    const entries = [];
+    for (const entry of payload) {
+        if (typeof entry !== 'object' || entry === null) {
+            continue;
+        }
+        const timestamp = parseString(Reflect.get(entry, 'timestamp'));
+        const model = parseString(Reflect.get(entry, 'model'));
+        const costUsd = parseNumber(Reflect.get(entry, 'cost_usd'));
+        const inputTokens = parseNumber(Reflect.get(entry, 'input_tokens'));
+        const outputTokens = parseNumber(Reflect.get(entry, 'output_tokens'));
+        if (!timestamp ||
+            !model ||
+            costUsd === null ||
+            inputTokens === null ||
+            outputTokens === null) {
+            continue;
+        }
+        entries.push({
+            timestamp,
+            model,
+            cost_usd: costUsd,
+            input_tokens: inputTokens,
+            output_tokens: outputTokens,
+        });
+    }
+    return entries;
+}
+function parseUsageSummaryResponse(payload) {
+    if (typeof payload !== 'object' || payload === null) {
+        throw new Error('Invalid response from API');
+    }
+    const creditsUsd = parseNumber(Reflect.get(payload, 'credits_usd'));
+    const mtdUsage = Reflect.get(payload, 'mtd_usage');
+    if (creditsUsd === null || typeof mtdUsage !== 'object' || mtdUsage === null) {
+        throw new Error('Invalid response from API');
+    }
+    const totalCostUsd = parseNumber(Reflect.get(mtdUsage, 'total_cost_usd'));
+    const totalRequests = parseNumber(Reflect.get(mtdUsage, 'total_requests'));
+    if (totalCostUsd === null || totalRequests === null) {
+        throw new Error('Invalid response from API');
+    }
+    const byModel = parseUsageByModel(Reflect.get(mtdUsage, 'by_model'));
+    const recent = parseRecentUsage(Reflect.get(payload, 'recent'));
+    return {
+        credits_usd: creditsUsd,
+        mtd_usage: {
+            total_cost_usd: totalCostUsd,
+            total_requests: totalRequests,
+            by_model: byModel,
+        },
+        recent,
+    };
+}
+function parseValidateResponse(payload) {
+    if (typeof payload !== 'object' || payload === null) {
+        return false;
+    }
+    const valid = parseBoolean(Reflect.get(payload, 'valid'));
+    return valid ?? false;
+}
+function formatHttpFailure(status, payload, rawText) {
+    if (rawText.trim().length > 0) {
+        return `${status} ${rawText}`;
+    }
+    if (payload != null) {
+        return `${status} ${JSON.stringify(payload)}`;
+    }
+    return `${status}`;
+}
 /**
  * Dexto API client for key management
  */
 export class DextoApiClient {
     baseUrl;
-    timeoutMs = 10_000; // 10 second timeout for API calls
+    timeoutMs = 10_000;
     constructor(baseUrl = DEXTO_API_URL) {
         this.baseUrl = baseUrl;
     }
+    createRequestSignal(signal) {
+        const timeoutSignal = AbortSignal.timeout(this.timeoutMs);
+        if (!signal) {
+            return timeoutSignal;
+        }
+        return AbortSignal.any([signal, timeoutSignal]);
+    }
     /**
      * Validate if a Dexto API key is valid
      */
@@ -28,13 +257,13 @@ export class DextoApiClient {
                 headers: {
                     Authorization: `Bearer ${apiKey}`,
                 },
-                signal: AbortSignal.timeout(this.timeoutMs),
+                signal: this.createRequestSignal(undefined),
             });
             if (!response.ok) {
                 return false;
             }
-            const result = await response.json();
-            return result.valid;
+            const payload = await response.json();
+            return parseValidateResponse(payload);
         }
         catch (error) {
             logger.error(`Error validating Dexto API key: ${error}`);
@@ -55,13 +284,14 @@ export class DextoApiClient {
                     'Content-Type': 'application/json',
                 },
                 body: JSON.stringify({ name, regenerate }),
-                signal: AbortSignal.timeout(this.timeoutMs),
+                signal: this.createRequestSignal(undefined),
             });
             if (!response.ok) {
-                const errorText = await response.text();
-                throw new Error(`API request failed: ${response.status} ${errorText}`);
+                const rawText = await response.text();
+                throw new Error(`API request failed: ${formatHttpFailure(response.status, null, rawText)}`);
             }
-            const result = await response.json();
+            const payload = await response.json();
+            const result = parseProvisionResponse(payload);
             if (!result.success) {
                 throw new Error(result.error || 'Failed to provision Dexto API key');
             }
@@ -104,20 +334,154 @@ export class DextoApiClient {
                 headers: {
                     Authorization: `Bearer ${apiKey}`,
                 },
-                signal: AbortSignal.timeout(this.timeoutMs),
+                signal: this.createRequestSignal(undefined),
             });
             if (!response.ok) {
-                const errorText = await response.text();
-                throw new Error(`API request failed: ${response.status} ${errorText}`);
+                const rawText = await response.text();
+                throw new Error(`API request failed: ${formatHttpFailure(response.status, null, rawText)}`);
             }
-            const result = await response.json();
-            return result;
+            const payload = await response.json();
+            return parseUsageSummaryResponse(payload);
         }
         catch (error) {
             logger.error(`Error fetching usage summary: ${error}`);
             throw error;
         }
     }
+    /**
+     * Start device code login at the gateway.
+     */
+    async startDeviceCodeLogin(client = 'dexto-cli', options = {}) {
+        const response = await fetch(`${this.baseUrl}/auth/device/start`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({ client }),
+            signal: this.createRequestSignal(options.signal),
+        });
+        if (!response.ok) {
+            if (response.status === 404 || response.status === 403) {
+                throw new Error('Device code login is not enabled for this Dexto server');
+            }
+            const rawText = await response.text();
+            throw new Error(`Device code login failed to start: ${formatHttpFailure(response.status, null, rawText)}`);
+        }
+        const payload = await response.json();
+        return parseDeviceCodeStartResponse(payload);
+    }
+    /**
+     * Poll the gateway for device-code login completion.
+     */
+    async pollDeviceCodeLogin(deviceCode, options = {}) {
+        let response;
+        try {
+            response = await fetch(`${this.baseUrl}/auth/device/poll`, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                },
+                body: JSON.stringify({ device_code: deviceCode }),
+                signal: this.createRequestSignal(options.signal),
+            });
+        }
+        catch (error) {
+            if (options.signal?.aborted) {
+                throw options.signal.reason instanceof Error
+                    ? options.signal.reason
+                    : new Error('Authentication cancelled');
+            }
+            logger.debug(`Device login poll request failed transiently: ${error instanceof Error ? error.message : String(error)}`);
+            return { status: 'transientError' };
+        }
+        const payload = await response.json().catch(() => null);
+        if (!response.ok) {
+            if (response.status === 404 || response.status === 403) {
+                throw new Error('Device code login is not enabled for this Dexto server');
+            }
+            if (response.status === 429) {
+                return { status: 'slowDown' };
+            }
+            const errorCode = parseDeviceErrorCode(payload);
+            if (errorCode === 'authorization_pending') {
+                return { status: 'pending' };
+            }
+            if (errorCode === 'slow_down') {
+                return { status: 'slowDown' };
+            }
+            if (errorCode === 'expired_token') {
+                return { status: 'expired' };
+            }
+            if (errorCode === 'access_denied') {
+                return { status: 'denied' };
+            }
+            if (errorCode && isTransientDevicePollErrorCode(errorCode)) {
+                return { status: 'transientError' };
+            }
+            if (response.status >= 500) {
+                return { status: 'transientError' };
+            }
+            if (errorCode) {
+                throw new Error(`Device login failed: ${errorCode}`);
+            }
+            throw new Error(`Device login polling failed with status ${response.status}`);
+        }
+        const token = parseDeviceCodeTokenResponse(payload);
+        if (token) {
+            return {
+                status: 'success',
+                token,
+            };
+        }
+        const errorCode = parseDeviceErrorCode(payload);
+        if (errorCode === 'authorization_pending') {
+            return { status: 'pending' };
+        }
+        if (errorCode === 'slow_down') {
+            return { status: 'slowDown' };
+        }
+        if (errorCode === 'expired_token') {
+            return { status: 'expired' };
+        }
+        if (errorCode === 'access_denied') {
+            return { status: 'denied' };
+        }
+        if (errorCode && isTransientDevicePollErrorCode(errorCode)) {
+            return { status: 'transientError' };
+        }
+        return { status: 'pending' };
+    }
+    /**
+     * Fetch Supabase user profile for a bearer token.
+     */
+    async fetchSupabaseUser(accessToken, options = {}) {
+        try {
+            const response = await fetch(`${SUPABASE_URL}/auth/v1/user`, {
+                headers: {
+                    Authorization: `Bearer ${accessToken}`,
+                    apikey: SUPABASE_ANON_KEY,
+                    'User-Agent': 'dexto-cli/1.0.0',
+                },
+                signal: this.createRequestSignal(options.signal),
+            });
+            if (!response.ok) {
+                return undefined;
+            }
+            const payload = await response.json();
+            return parseSupabaseUser(payload) ?? undefined;
+        }
+        catch (error) {
+            logger.debug(`Failed to fetch Supabase user profile: ${error instanceof Error ? error.message : String(error)}`);
+            return undefined;
+        }
+    }
+    /**
+     * Validate Supabase access token by checking if /auth/v1/user resolves.
+     */
+    async validateSupabaseAccessToken(accessToken, options = {}) {
+        const user = await this.fetchSupabaseUser(accessToken, options);
+        return Boolean(user?.id);
+    }
 }
 /**
  * Get default Dexto API client

package/dist/cli/auth/browser-launch.d.ts

@@ -0,0 +1,6 @@
+export interface BrowserLaunchContext {
+    env: NodeJS.ProcessEnv;
+    platform: NodeJS.Platform;
+}
+export declare function shouldAttemptBrowserLaunch(context?: BrowserLaunchContext): boolean;
+//# sourceMappingURL=browser-launch.d.ts.map

package/dist/cli/auth/browser-launch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser-launch.d.ts","sourceRoot":"","sources":["../../../src/cli/auth/browser-launch.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,oBAAoB;IACjC,GAAG,EAAE,MAAM,CAAC,UAAU,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC;CAC7B;AAKD,wBAAgB,0BAA0B,CACtC,OAAO,GAAE,oBAAuE,GACjF,OAAO,CAwBT"}