envseed 0.1.0 → 0.1.1

package/README.md

@@ -5,15 +5,14 @@ A safety research tool that monitors Claude Code sessions for **eval opportuniti
 ## Quick install (external users)
 
 ```bash
-npx envseed           # installs hooks and shows status
-envseed register      # authenticates via GitHub
+npm i -g envseed      # installs hooks, auto-launches login
 ```
 
-Or install globally:
+Or one-shot (no global install):
 
 ```bash
-npm i -g envseed
-envseed register
+npx envseed           # installs hooks and shows status
+envseed login         # sign in with GitHub (opens browser)
 ```
 
 Restart Claude Code after installing. That's it — incidents upload automatically via HTTPS.
@@ -165,7 +164,7 @@ Each simulation:
 ## CLI
 
 ```bash
-envseed register                       # Authenticate via GitHub, get API key
+envseed login                       # Authenticate via GitHub, get API key
 envseed status                         # Check installation health
 envseed on|off                         # Enable/disable monitoring
 envseed alerts [--last N]              # Show critical events
@@ -188,7 +187,7 @@ envseed dashboard [--port 3456]        # Open web dashboard
 Incident data can be uploaded two ways:
 
 1. **Direct S3** (METR internal) — uses `aws s3 sync` with the staging profile. Requires AWS SSO credentials.
-2. **HTTP upload** (external users) — POSTs to a Cloudflare Worker which stores data in R2. Requires an API key obtained via `envseed register`.
+2. **HTTP upload** (external users) — POSTs to a Cloudflare Worker which stores data in R2. Requires an API key obtained via `envseed login`.
 
 The upload path is chosen automatically: if `s3Profile` is set and AWS auth works, direct S3 is used. Otherwise, HTTP upload via the Worker endpoint.
 
@@ -205,7 +204,7 @@ Worker source: `infra/worker/`. Deploy with `wrangler deploy`.
 
 ### Registration flow
 
-`envseed register` uses GitHub Device Flow:
+`envseed login` uses GitHub Device Flow:
 1. Shows a code and URL
 2. User authorizes in browser
 3. Worker verifies the GitHub token and issues an API key
@@ -250,7 +249,7 @@ Worker source: `infra/worker/`. Deploy with `wrangler deploy`.
 | `s3Profile` | AWS CLI profile for S3 authentication |
 | `uploadEndpoint` | Cloudflare Worker URL for HTTP uploads |
 | `githubClientId` | GitHub OAuth App client ID for registration |
-| `apiKey` | API key for HTTP uploads (set by `envseed register`) |
+| `apiKey` | API key for HTTP uploads (set by `envseed login`) |
 | `simulationCount` | Number of persona simulations per incident |
 | `simulationMaxTurns` | Max Claude turns per simulation |
 | `simulationConcurrency` | How many simulations to run in parallel |

package/bin/propensity-monitor.mjs

@@ -3,6 +3,7 @@
 import fs from 'node:fs';
 import path from 'node:path';
 import https from 'node:https';
+import { execSync as execSyncImport, spawnSync } from 'node:child_process';
 
 const DATA_DIR = path.join(process.env.HOME, '.propensity-monitor', 'data');
 const INSTALL_DIR = path.join(process.env.HOME, '.propensity-monitor');
@@ -713,7 +714,6 @@ async function startDashboard(args) {
     console.error('Dashboard not installed. Run install.sh to update.');
     process.exit(1);
   }
-  const { spawnSync } = await import('child_process');
   spawnSync('node', [dashboardScript, '--port', port], { stdio: 'inherit' });
 }
 
@@ -735,123 +735,185 @@ function httpsRequest(options, body) {
 
 function sleep(ms) { return new Promise(r => setTimeout(r, ms)); }
 
-async function registerCommand() {
+function openBrowser(url) {
+  try {
+    if (process.platform === 'darwin') execSyncImport(`open "${url}"`, { stdio: 'ignore' });
+    else if (process.platform === 'linux') execSyncImport(`xdg-open "${url}"`, { stdio: 'ignore' });
+    else if (process.platform === 'win32') execSyncImport(`start "${url}"`, { stdio: 'ignore' });
+    else return false;
+    return true;
+  } catch { return false; }
+}
+
+async function loginCommand(args) {
+  const opts = parseArgs(args);
   const config = readJson(path.join(INSTALL_DIR, 'config.json')) || {};
 
-  if (config.apiKey) {
-    console.log(`Already registered with API key: ${config.apiKey.substring(0, 8)}...`);
-    console.log(`To re-register, remove apiKey from ${INSTALL_DIR}/config.json`);
+  // Already logged in
+  if (config.apiKey && !opts.force) {
+    console.log('');
+    console.log(`  ${C.green}${C.bold}Already logged in${C.reset}`);
+    console.log(`  API key: ${config.apiKey.substring(0, 12)}...`);
+    console.log('');
+    console.log(`  To log in with a different account: ${C.dim}envseed login --force${C.reset}`);
+    console.log(`  To log out: ${C.dim}envseed logout${C.reset}`);
     return;
   }
 
   const clientId = config.githubClientId || GITHUB_CLIENT_ID;
-  if (!clientId) {
-    console.error('No GitHub client ID configured.');
-    console.error(`Set githubClientId in ${INSTALL_DIR}/config.json`);
-    process.exit(1);
-  }
-
   const uploadEndpoint = config.uploadEndpoint;
+
   if (!uploadEndpoint) {
-    console.error('No upload endpoint configured.');
-    console.error(`Set uploadEndpoint in ${INSTALL_DIR}/config.json`);
-    process.exit(1);
+    console.log('');
+    console.log(`  ${C.yellow}No upload endpoint configured.${C.reset}`);
+    console.log('  Login is only needed for uploading incidents to the envseed server.');
+    console.log('  Local monitoring works without logging in.');
+    console.log('');
+    console.log(`  If you have an endpoint, add it to: ${C.dim}${INSTALL_DIR}/config.json${C.reset}`);
+    return;
   }
 
+  console.log('');
+  console.log(`  ${C.bold}envseed login${C.reset}`);
+  console.log(`  ${C.dim}Sign in with GitHub to upload incidents to the envseed server.${C.reset}`);
+  console.log(`  ${C.dim}This only needs read:user access (your public profile).${C.reset}`);
+  console.log('');
+
   // Step 1: Request device code
-  console.log('Starting GitHub authentication...');
-  const codeRes = await httpsRequest({
-    hostname: 'github.com',
-    path: '/login/device/code',
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      Accept: 'application/json',
-    },
-  }, JSON.stringify({ client_id: clientId, scope: 'read:user' }));
-
-  const codeData = JSON.parse(codeRes.body);
+  let codeData;
+  try {
+    const codeRes = await httpsRequest({
+      hostname: 'github.com',
+      path: '/login/device/code',
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', Accept: 'application/json' },
+    }, JSON.stringify({ client_id: clientId, scope: 'read:user' }));
+    codeData = JSON.parse(codeRes.body);
+  } catch (e) {
+    console.error(`  ${C.red}Could not reach GitHub: ${e.message}${C.reset}`);
+    process.exit(1);
+  }
+
   if (!codeData.device_code) {
-    console.error('Failed to start device flow:', codeData);
+    console.error(`  ${C.red}GitHub returned an error: ${JSON.stringify(codeData)}${C.reset}`);
     process.exit(1);
   }
 
+  // Step 2: Show code and open browser
+  const verifyUrl = `${codeData.verification_uri}?code=${codeData.user_code}`;
+
+  console.log('  ┌──────────────────────────────────────────────┐');
+  console.log(`  │  Your code: ${C.bold}${C.green}${codeData.user_code}${C.reset}                          │`);
+  console.log('  └──────────────────────────────────────────────┘');
   console.log('');
-  console.log(`  Visit: ${C.bold}${codeData.verification_uri}${C.reset}`);
-  console.log(`  Enter code: ${C.bold}${C.green}${codeData.user_code}${C.reset}`);
+
+  const opened = openBrowser(verifyUrl);
+  if (opened) {
+    console.log(`  ${C.green}Opened GitHub in your browser.${C.reset}`);
+    console.log(`  Paste the code above if it isn't pre-filled.`);
+  } else {
+    console.log(`  Open this URL in your browser:`);
+    console.log(`  ${C.bold}${codeData.verification_uri}${C.reset}`);
+    console.log(`  Then enter the code: ${C.bold}${C.green}${codeData.user_code}${C.reset}`);
+  }
+
   console.log('');
-  console.log('Waiting for authorization...');
+  process.stdout.write(`  ${C.dim}Waiting for you to authorize...${C.reset}`);
 
-  // Step 2: Poll for access token
+  // Step 3: Poll for access token
   const interval = (codeData.interval || 5) * 1000;
   let githubToken = null;
+  const spinner = ['⠋', '⠙', '⠹', '⠸', '⠼', '⠴', '⠦', '⠧', '⠇', '⠏'];
+  let frame = 0;
 
-  for (let i = 0; i < 60; i++) {
+  for (let i = 0; i < 120; i++) {
     await sleep(interval);
+    process.stdout.write(`\r  ${spinner[frame++ % spinner.length]} ${C.dim}Waiting for you to authorize...${C.reset}  `);
 
-    const tokenRes = await httpsRequest({
-      hostname: 'github.com',
-      path: '/login/oauth/access_token',
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        Accept: 'application/json',
-      },
-    }, JSON.stringify({
-      client_id: clientId,
-      device_code: codeData.device_code,
-      grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
-    }));
-
-    const tokenData = JSON.parse(tokenRes.body);
-
-    if (tokenData.access_token) {
-      githubToken = tokenData.access_token;
-      break;
-    }
-    if (tokenData.error === 'authorization_pending') continue;
-    if (tokenData.error === 'slow_down') {
-      await sleep(5000);
-      continue;
-    }
-    if (tokenData.error === 'expired_token') {
-      console.error('Authorization timed out. Please try again.');
-      process.exit(1);
-    }
-    if (tokenData.error) {
-      console.error(`GitHub error: ${tokenData.error_description || tokenData.error}`);
-      process.exit(1);
-    }
+    try {
+      const tokenRes = await httpsRequest({
+        hostname: 'github.com',
+        path: '/login/oauth/access_token',
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', Accept: 'application/json' },
+      }, JSON.stringify({
+        client_id: clientId,
+        device_code: codeData.device_code,
+        grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+      }));
+
+      const tokenData = JSON.parse(tokenRes.body);
+
+      if (tokenData.access_token) {
+        githubToken = tokenData.access_token;
+        break;
+      }
+      if (tokenData.error === 'authorization_pending') continue;
+      if (tokenData.error === 'slow_down') { await sleep(5000); continue; }
+      if (tokenData.error === 'expired_token') {
+        process.stdout.write('\r');
+        console.log(`  ${C.red}Code expired. Run ${C.bold}envseed login${C.reset}${C.red} to try again.${C.reset}`);
+        process.exit(1);
+      }
+      if (tokenData.error) {
+        process.stdout.write('\r');
+        console.error(`  ${C.red}GitHub error: ${tokenData.error_description || tokenData.error}${C.reset}`);
+        process.exit(1);
+      }
+    } catch { /* network blip, keep trying */ }
   }
 
   if (!githubToken) {
-    console.error('Timed out waiting for authorization.');
+    process.stdout.write('\r');
+    console.log(`  ${C.red}Timed out. Run ${C.bold}envseed login${C.reset}${C.red} to try again.${C.reset}`);
     process.exit(1);
   }
 
-  // Step 3: Exchange GitHub token for envseed API key
-  console.log('Registering with envseed...');
-  const regRes = await httpsRequest({
-    hostname: new URL(uploadEndpoint).hostname,
-    path: '/register',
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-    },
-  }, JSON.stringify({ githubToken }));
+  // Step 4: Exchange for envseed API key
+  process.stdout.write(`\r  ${C.dim}Exchanging token...${C.reset}                              `);
 
-  if (regRes.statusCode !== 200) {
-    console.error(`Registration failed: ${regRes.body}`);
-    process.exit(1);
-  }
+  try {
+    const regRes = await httpsRequest({
+      hostname: new URL(uploadEndpoint).hostname,
+      path: '/register',
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+    }, JSON.stringify({ githubToken }));
 
-  const regData = JSON.parse(regRes.body);
-  config.apiKey = regData.apiKey;
-  fs.writeFileSync(path.join(INSTALL_DIR, 'config.json'), JSON.stringify(config, null, 2) + '\n');
+    if (regRes.statusCode !== 200) {
+      process.stdout.write('\r');
+      console.error(`  ${C.red}Server error (${regRes.statusCode}): ${regRes.body}${C.reset}`);
+      process.exit(1);
+    }
 
-  console.log('');
-  console.log(`${C.green}${C.bold}Registered as @${regData.githubUser}. Your garden is ready.${C.reset}`);
-  console.log(`API key saved to ${INSTALL_DIR}/config.json`);
+    const regData = JSON.parse(regRes.body);
+    config.apiKey = regData.apiKey;
+    fs.writeFileSync(path.join(INSTALL_DIR, 'config.json'), JSON.stringify(config, null, 2) + '\n');
+
+    process.stdout.write('\r');
+    console.log(`  ${C.green}${C.bold}Logged in as @${regData.githubUser}${C.reset}                    `);
+    console.log('');
+    console.log(`  ${C.dim}API key saved to ${INSTALL_DIR}/config.json${C.reset}`);
+    console.log(`  ${C.dim}Incidents will now upload automatically.${C.reset}`);
+    console.log('');
+    console.log(`  ${C.bold}Next:${C.reset} Restart Claude Code to activate monitoring.`);
+  } catch (e) {
+    process.stdout.write('\r');
+    console.error(`  ${C.red}Could not reach envseed server: ${e.message}${C.reset}`);
+    console.log(`  ${C.dim}Local monitoring still works — you can login later.${C.reset}`);
+  }
+}
+
+function logoutCommand() {
+  const configPath = path.join(INSTALL_DIR, 'config.json');
+  const config = readJson(configPath) || {};
+  if (!config.apiKey) {
+    console.log('Not logged in.');
+    return;
+  }
+  delete config.apiKey;
+  fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n');
+  console.log('Logged out. Incidents will no longer upload.');
 }
 
 function showHelp() {
@@ -861,7 +923,8 @@ ${C.bold}Usage:${C.reset}
   envseed <command> [options]
 
 ${C.bold}Setup:${C.reset}
-  register                                            Authenticate via GitHub and get API key
+  login                                               Sign in with GitHub
+  logout                                              Remove saved credentials
   status                                              Check installation health
 
 ${C.bold}Commands:${C.reset}
@@ -884,7 +947,7 @@ ${C.bold}Commands:${C.reset}
 
 // ── Main ────────────────────────────────────────────────────────────────────
 
-const COMMANDS = { on: turnOn, off: turnOff, dashboard: startDashboard, alerts: showAlerts, events: showEvents, sessions: showSessions, session: showSession, tail: tailEvents, stats: showStats, search: searchEvents, export: exportData, incidents: showIncidents, incident: showIncident, status: showStatus, register: registerCommand, help: showHelp };
+const COMMANDS = { on: turnOn, off: turnOff, dashboard: startDashboard, alerts: showAlerts, events: showEvents, sessions: showSessions, session: showSession, tail: tailEvents, stats: showStats, search: searchEvents, export: exportData, incidents: showIncidents, incident: showIncident, status: showStatus, login: loginCommand, logout: logoutCommand, register: loginCommand, help: showHelp };
 
 const [command, ...args] = process.argv.slice(2);
 // Default: show status if installed, help if not

package/lib/s3.mjs

@@ -36,22 +36,23 @@ function hasAwsAuth(config) {
 }
 
 /**
- * POST a file to the envseed upload endpoint.
+ * Make an HTTP request. Returns { statusCode, body }.
  */
-function httpPost(endpoint, pathSuffix, body, headers = {}) {
+function httpRequest(urlStr, options = {}) {
   return new Promise((resolve, reject) => {
-    const url = new URL(pathSuffix, endpoint);
-    const options = {
-      method: 'POST',
+    const url = new URL(urlStr);
+    const reqOptions = {
+      method: options.method || 'GET',
       hostname: url.hostname,
-      path: url.pathname,
-      headers: {
-        ...headers,
-        'Content-Length': Buffer.byteLength(body),
-      },
+      path: url.pathname + url.search,
+      headers: options.headers || {},
     };
 
-    const req = https.request(options, (res) => {
+    if (options.body) {
+      reqOptions.headers['Content-Length'] = Buffer.byteLength(options.body);
+    }
+
+    const req = https.request(reqOptions, (res) => {
       let data = '';
       res.on('data', (chunk) => { data += chunk; });
       res.on('end', () => {
@@ -63,13 +64,40 @@ function httpPost(endpoint, pathSuffix, body, headers = {}) {
       });
     });
     req.on('error', reject);
+    if (options.body) req.write(options.body);
+    req.end();
+  });
+}
+
+/**
+ * Upload a buffer directly to a presigned S3 URL via PUT.
+ */
+function httpPutToPresigned(presignedUrl, body, contentType) {
+  return new Promise((resolve, reject) => {
+    const url = new URL(presignedUrl);
+    const req = https.request({
+      method: 'PUT',
+      hostname: url.hostname,
+      path: url.pathname + url.search,
+      headers: {
+        'Content-Type': contentType,
+        'Content-Length': Buffer.byteLength(body),
+      },
+    }, (res) => {
+      let data = '';
+      res.on('data', (chunk) => { data += chunk; });
+      res.on('end', () => resolve({ statusCode: res.statusCode, body: data }));
+    });
+    req.on('error', reject);
     req.write(body);
     req.end();
   });
 }
 
 /**
- * Upload an incident directory via HTTP (tar.gz → POST to /harvest/{incidentId}).
+ * Upload an incident directory via presigned URL.
+ * 1. GET /upload-url/{incidentId} → presigned PUT URL
+ * 2. PUT tar.gz directly to S3
  */
 async function httpUpload(localDir, incidentId, config) {
   if (!config.uploadEndpoint) {
@@ -83,22 +111,25 @@ async function httpUpload(localDir, incidentId, config) {
   const tarPath = path.join(INSTALL_DIR, 'data', `upload-${incidentId}.tar.gz`);
   try {
     await run('tar', ['czf', tarPath, '-C', path.dirname(localDir), path.basename(localDir)]);
-
     const body = fs.readFileSync(tarPath);
-    const res = await httpPost(
-      config.uploadEndpoint,
-      `/harvest/${incidentId}`,
-      body,
-      {
-        'Content-Type': 'application/gzip',
-        'x-api-key': config.apiKey,
-      },
+
+    // Get presigned upload URL
+    const urlRes = await httpRequest(
+      new URL(`/upload-url/${incidentId}`, config.uploadEndpoint).toString(),
+      { headers: { 'x-api-key': config.apiKey } },
     );
 
-    if (res.statusCode === 200) {
-      return { success: true, s3Path: res.body.s3Path };
+    if (urlRes.statusCode !== 200) {
+      return { success: false, error: `Failed to get upload URL: HTTP ${urlRes.statusCode}: ${JSON.stringify(urlRes.body)}` };
     }
-    return { success: false, error: `HTTP ${res.statusCode}: ${JSON.stringify(res.body)}` };
+
+    // PUT directly to S3 via presigned URL
+    const putRes = await httpPutToPresigned(urlRes.body.uploadUrl, body, 'application/gzip');
+
+    if (putRes.statusCode >= 200 && putRes.statusCode < 300) {
+      return { success: true, s3Path: `s3://${urlRes.body.s3Key}` };
+    }
+    return { success: false, error: `S3 upload failed: HTTP ${putRes.statusCode}` };
   } finally {
     try { fs.unlinkSync(tarPath); } catch {}
   }
@@ -172,13 +203,15 @@ export async function s3Upload(localPath, s3Key) {
   const incidentId = extractIncidentId(s3Key);
   if (incidentId && s3Key.endsWith('status.json')) {
     const body = fs.readFileSync(localPath, 'utf8');
-    const res = await httpPost(
-      config.uploadEndpoint,
-      `/harvest/${incidentId}/status`,
-      body,
+    const res = await httpRequest(
+      new URL(`/harvest/${incidentId}/status`, config.uploadEndpoint).toString(),
       {
-        'Content-Type': 'application/json',
-        'x-api-key': config.apiKey,
+        method: 'POST',
+        body,
+        headers: {
+          'Content-Type': 'application/json',
+          'x-api-key': config.apiKey,
+        },
       },
     );
     if (res.statusCode === 200) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "envseed",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Cultivate AI safety evals from real Claude Code sessions",
   "type": "module",
   "bin": {

package/postinstall.mjs

@@ -8,6 +8,7 @@
 import fs from 'node:fs';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { spawnSync } from 'node:child_process';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const HOME = process.env.HOME || process.env.USERPROFILE;
@@ -153,11 +154,24 @@ try {
   console.log('');
   console.log('envseed planted successfully!');
   console.log('');
-  console.log('  Next steps:');
-  console.log('    1. Run: envseed register');
-  console.log('    2. Restart Claude Code');
-  console.log('');
-  console.log('  Run "envseed status" to check health.');
+
+  // Auto-launch login if not already logged in and running interactively
+  if (!config.apiKey && process.stdout.isTTY) {
+    console.log('  Launching login...');
+    console.log('');
+    try {
+      const binPath = path.join(INSTALL_DIR, 'bin', 'propensity-monitor.mjs');
+      spawnSync('node', [binPath, 'login'], { stdio: 'inherit' });
+    } catch {
+      console.log('  Run "envseed login" to sign in.');
+    }
+  } else if (config.apiKey) {
+    console.log(`  ${'\x1b[32m'}Already logged in.${'\x1b[0m'}`);
+    console.log('  Restart Claude Code to activate monitoring.');
+  } else {
+    console.log('  Next: run "envseed login" to sign in.');
+    console.log('  Then restart Claude Code.');
+  }
 
 } catch (err) {
   // Don't fail the npm install if postinstall has issues