flamecast 0.4.1 → 0.5.0

package/dist/cli.js

@@ -14,69 +14,159 @@ function getVersion() {
         return "unknown";
     }
 }
-// Load .env from the CLI package root (written by scripts/dev-setup.mjs)
-const __cli_dir = dirname(fileURLToPath(import.meta.url));
-const envPath = resolve(__cli_dir, "..", ".env");
-if (existsSync(envPath)) {
-    for (const line of readFileSync(envPath, "utf-8").split("\n")) {
-        const match = line.match(/^([^#=]+)=(.*)$/);
-        if (match && !process.env[match[1]]) {
-            process.env[match[1]] = match[2];
+// Load .env from the CLI package root, but only in dev (cli:local sets
+// FLAMECAST_BASE_URL as a real env var; the .env file is for local dev only).
+if (process.env.NODE_ENV === "development") {
+    const __cli_dir = dirname(fileURLToPath(import.meta.url));
+    const envPath = resolve(__cli_dir, "..", ".env");
+    if (existsSync(envPath)) {
+        for (const line of readFileSync(envPath, "utf-8").split("\n")) {
+            const match = line.match(/^([^#=]+)=(.*)$/);
+            if (match && !process.env[match[1]]) {
+                process.env[match[1]] = match[2];
+            }
         }
     }
 }
-import { handleCastAdd } from "./commands/cast/add.js";
-import { handleCastList } from "./commands/cast/list.js";
-import { handleRun } from "./commands/run.js";
-import { handleStatus } from "./commands/status.js";
-import { handleResult } from "./commands/result.js";
-import { handleApi } from "./commands/api.js";
-import { handleLogin } from "./commands/login.js";
-import { handleLogout } from "./commands/logout.js";
-import { handleSetupClaude } from "./commands/setup-claude.js";
-const args = process.argv.slice(2);
-const [sub1, sub2, ...rest] = args;
-if (sub1 === "--version" || sub1 === "-v") {
-    console.log(getVersion());
-    process.exit(0);
+import { Command } from "commander";
+const program = new Command()
+    .name("flame")
+    .version(getVersion())
+    .description("Flamecast CLI");
+// ── workspace | ws | cast ──────────────────────────
+function registerWorkspaceCommands(cmd) {
+    cmd
+        .command("create")
+        .alias("c")
+        .alias("add")
+        .description("Create a new workspace (interactive)")
+        .action(async () => {
+        const { handleWorkspaceCreate } = await import("./commands/workspace/create.js");
+        await handleWorkspaceCreate();
+    });
+    cmd
+        .command("list")
+        .alias("ls")
+        .description("List all workspaces")
+        .action(async () => {
+        const { handleWorkspaceList } = await import("./commands/workspace/list.js");
+        await handleWorkspaceList();
+    });
+    // Default action when no subcommand — show list
+    cmd.action(async () => {
+        const { handleWorkspaceList } = await import("./commands/workspace/list.js");
+        await handleWorkspaceList();
+    });
+    cmd
+        .command("get <ref>")
+        .alias("g")
+        .description("Get workspace details by name or ID")
+        .action(async (ref) => {
+        const { handleWorkspaceGet } = await import("./commands/workspace/get.js");
+        await handleWorkspaceGet(ref);
+    });
+    cmd
+        .command("delete <ref>")
+        .alias("rm")
+        .description("Delete a workspace")
+        .action(async (ref) => {
+        const { handleWorkspaceDelete } = await import("./commands/workspace/delete.js");
+        await handleWorkspaceDelete(ref);
+    });
+    cmd
+        .command("set-default <ref>")
+        .description("Set the default workspace")
+        .action(async (ref) => {
+        const { handleWorkspaceSetDefault } = await import("./commands/workspace/set-default.js");
+        await handleWorkspaceSetDefault(ref);
+    });
+    cmd
+        .command("set-secrets <ref> [secrets...]")
+        .description("Set secrets on a workspace (KEY=VALUE ...)")
+        .action(async (ref, secrets) => {
+        const { handleWorkspaceSetSecrets } = await import("./commands/workspace/set-secrets.js");
+        await handleWorkspaceSetSecrets(ref, secrets);
+    });
+    cmd
+        .command("sync <ref>")
+        .alias("sync-workflows")
+        .description("Sync workflow files to the workspace repo")
+        .action(async (ref) => {
+        const { handleWorkspaceSyncWorkflows } = await import("./commands/workspace/sync-workflows.js");
+        await handleWorkspaceSyncWorkflows(ref);
+    });
 }
-else if (sub1 === "cast" && sub2 === "add") {
-    await handleCastAdd();
-}
-else if (sub1 === "cast" && (sub2 === "list" || sub2 === undefined)) {
-    await handleCastList();
-}
-else if (sub1 === "run" && sub2) {
-    await handleRun(sub2, rest);
-}
-else if (sub1 === "status") {
-    await handleStatus();
-}
-else if (sub1 === "result" && sub2) {
-    await handleResult(sub2);
-}
-else if (sub1 === "api") {
-    handleApi();
-}
-else if (sub1 === "login") {
+const workspaceCmd = program
+    .command("workspace")
+    .alias("ws")
+    .description("Manage workspaces");
+registerWorkspaceCommands(workspaceCmd);
+// "cast" as a top-level alias for "workspace"
+const castCmd = program
+    .command("cast")
+    .description("Manage workspaces (alias for workspace)");
+registerWorkspaceCommands(castCmd);
+// ── task | t ───────────────────────────────────────
+const taskCmd = program.command("task").alias("t").description("Manage tasks");
+taskCmd
+    .command("create <prompt...>")
+    .alias("c")
+    .description("Create a new task")
+    .option("-w, --workspace <ref>", "Workspace name or ID (default: default workspace)")
+    .action(async (prompt, opts) => {
+    const { handleTaskCreate } = await import("./commands/task/create.js");
+    await handleTaskCreate(prompt, opts.workspace);
+});
+taskCmd
+    .command("list")
+    .alias("ls")
+    .description("List tasks for a workspace")
+    .option("-w, --workspace <ref>", "Workspace name or ID (default: default workspace)")
+    .action(async (opts) => {
+    const { handleTaskList } = await import("./commands/task/list.js");
+    await handleTaskList(opts.workspace);
+});
+// Default action when no subcommand — show list
+taskCmd.action(async () => {
+    const { handleTaskList } = await import("./commands/task/list.js");
+    await handleTaskList();
+});
+taskCmd
+    .command("get <taskId>")
+    .alias("g")
+    .description("Get task details")
+    .option("-w, --workspace <ref>", "Workspace name or ID (default: default workspace)")
+    .action(async (taskId, opts) => {
+    const { handleTaskGet } = await import("./commands/task/get.js");
+    await handleTaskGet(taskId, opts.workspace);
+});
+// ── top-level commands ─────────────────────────────
+program
+    .command("login")
+    .description("Authenticate with Flamecast")
+    .action(async () => {
+    const { handleLogin } = await import("./commands/login.js");
     await handleLogin();
-}
-else if (sub1 === "logout") {
+});
+program
+    .command("logout")
+    .description("Clear saved credentials")
+    .action(async () => {
+    const { handleLogout } = await import("./commands/logout.js");
     await handleLogout();
-}
-else if (sub1 === "setup-claude") {
+});
+program
+    .command("api")
+    .description("Print API key")
+    .action(async () => {
+    const { handleApi } = await import("./commands/api.js");
+    handleApi();
+});
+program
+    .command("setup-claude")
+    .description("Set up Claude Code token")
+    .action(async () => {
+    const { handleSetupClaude } = await import("./commands/setup-claude.js");
     await handleSetupClaude();
-}
-else {
-    console.error("Usage:");
-    console.error("  flame cast add              Create a new cast member");
-    console.error("  flame cast [list]           List all cast members");
-    console.error("  flame run <name> <prompt>   Dispatch a task to a cast member");
-    console.error("  flame status                Show status of all active tasks");
-    console.error("  flame result <name> latest  Show latest task result");
-    console.error("  flame api                   Print API key");
-    console.error("  flame login                 Authenticate with Flamecast");
-    console.error("  flame setup-claude          Set up Claude Code token");
-    console.error("  flame logout                Clear saved credentials");
-    process.exit(1);
-}
+});
+await program.parseAsync();

package/dist/commands/cast/add.js

@@ -1,8 +1,7 @@
 import * as p from "@clack/prompts";
 import { saveConfig } from "../../lib/config.js";
 import { spawnSync } from "node:child_process";
-import { client } from "../../lib/auth.js";
-import { authenticateViaBrowser } from "../../lib/auth.js";
+import { client, authenticateViaBrowser, verifyEmailAndExchange, exchangeForApiKey, } from "../../lib/auth.js";
 import { openBrowser } from "../../lib/open-browser.js";
 import { generateEmployeeName } from "../../lib/names.js";
 import { detectClaudeCode, discoverLocalConfig } from "../../lib/detect.js";
@@ -18,15 +17,38 @@ export async function handleCastAdd() {
     const needsSetup = !username;
     if (needsSetup) {
         p.log.step("\u2500\u2500 Setup (one-time) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
-        // Step 1: Authenticate with Flamecast (WorkOS device flow)
+        // Step 1: Authenticate with Flamecast
         const s = p.spinner();
-        s.start("Waiting for browser login...");
+        s.start("Starting authentication...");
         try {
-            const apiKey = await authenticateViaBrowser((userCode, verificationUri) => {
-                s.stop(`Confirm code: ${userCode}`);
-                p.log.info(`If the browser didn't open, visit: ${verificationUri}`);
-                s.start("Waiting for confirmation...");
+            const result = await authenticateViaBrowser(message => {
+                s.message(message);
             });
+            let apiKey;
+            if (result.pendingAuthenticationToken) {
+                s.stop("Email verification required");
+                const code = await p.text({
+                    message: "Check your email for a verification code and enter it here:",
+                    validate(value) {
+                        if (!value.trim())
+                            return "Verification code cannot be empty";
+                    },
+                });
+                if (p.isCancel(code)) {
+                    p.cancel("Setup cancelled");
+                    process.exit(0);
+                }
+                s.start("Verifying...");
+                apiKey = await verifyEmailAndExchange(result.pendingAuthenticationToken, code, result.githubToken);
+            }
+            else {
+                apiKey = await exchangeForApiKey({
+                    refreshToken: result.refreshToken,
+                    ...(result.githubToken && {
+                        githubToken: result.githubToken,
+                    }),
+                });
+            }
             saveConfig({ apiKey });
             s.stop("Authenticated with Flamecast");
         }
@@ -187,7 +209,18 @@ export async function handleCastAdd() {
         });
         const workflowUrl = `https://github.com/${githubRepo}/actions/runs/${task.id}`;
         s6.stop(`Task dispatched \u2192 ${workflowUrl}`);
-        p.outro(`\u{1F525} Run \`flame status\` to check in.`);
+        let taskGetCommand = `flame task get ${task.id}`;
+        try {
+            const { defaultWorkspaceId } = await client.workspaces.default.get();
+            if (defaultWorkspaceId !== workspaceId) {
+                taskGetCommand += ` --workspace ${workspaceId}`;
+            }
+        }
+        catch {
+            // Fall back to explicit workspace if we can't resolve the default.
+            taskGetCommand += ` --workspace ${workspaceId}`;
+        }
+        p.outro(`\u{1F525} Run \`${taskGetCommand}\` to check in.`);
     }
     catch (err) {
         s6.stop("Failed to dispatch task");

package/dist/commands/login.js

@@ -1,15 +1,36 @@
 import * as p from "@clack/prompts";
 import { saveConfig } from "../lib/config.js";
-import { authenticateViaBrowser } from "../lib/auth.js";
+import { authenticateViaBrowser, verifyEmailAndExchange, exchangeForApiKey, } from "../lib/auth.js";
 export async function handleLogin() {
     const s = p.spinner();
-    s.start("Waiting for browser login...");
+    s.start("Starting authentication...");
     try {
-        const apiKey = await authenticateViaBrowser((userCode, verificationUri) => {
-            s.stop(`Confirm code: ${userCode}`);
-            p.log.info(`If the browser didn't open, visit: ${verificationUri}`);
-            s.start("Waiting for confirmation...");
+        const result = await authenticateViaBrowser(message => {
+            s.message(message);
         });
+        let apiKey;
+        if (result.pendingAuthenticationToken) {
+            s.stop("Email verification required");
+            const code = await p.text({
+                message: "Check your email for a verification code and enter it here:",
+                validate(value) {
+                    if (!value.trim())
+                        return "Verification code cannot be empty";
+                },
+            });
+            if (p.isCancel(code)) {
+                p.cancel("Login cancelled");
+                process.exit(0);
+            }
+            s.start("Verifying...");
+            apiKey = await verifyEmailAndExchange(result.pendingAuthenticationToken, code, result.githubToken);
+        }
+        else {
+            apiKey = await exchangeForApiKey({
+                refreshToken: result.refreshToken,
+                ...(result.githubToken && { githubToken: result.githubToken }),
+            });
+        }
         saveConfig({ apiKey });
         s.stop("Logged in");
     }

package/dist/commands/task/create.js

@@ -6,7 +6,7 @@ export async function handleTaskCreate(promptParts, workspaceRef) {
         console.error("Usage: flame task create <prompt> [-w workspace]");
         process.exit(1);
     }
-    const ws = await resolveWorkspace(client, workspaceRef);
+    const ws = await resolveWorkspace(workspaceRef);
     const task = await client.workspaces.tasks.create(ws.id, { prompt });
     console.log(`Task dispatched to ${ws.name}.`);
     if (task.workflowRunId) {

package/dist/commands/task/get.js

@@ -1,7 +1,7 @@
 import { client } from "../../lib/auth.js";
 import { resolveWorkspace } from "../../lib/resolve-workspace.js";
 export async function handleTaskGet(taskId, workspaceRef) {
-    const ws = await resolveWorkspace(client, workspaceRef);
+    const ws = await resolveWorkspace(workspaceRef);
     const { task, outputs } = await client.workspaces.tasks.get(taskId, {
         workspaceId: ws.id,
     });

package/dist/commands/task/list.js

@@ -1,7 +1,7 @@
 import { client } from "../../lib/auth.js";
 import { resolveWorkspace } from "../../lib/resolve-workspace.js";
 export async function handleTaskList(workspaceRef) {
-    const ws = await resolveWorkspace(client, workspaceRef);
+    const ws = await resolveWorkspace(workspaceRef);
     const page = await client.workspaces.tasks.list(ws.id);
     const tasks = page.tasks ?? [];
     if (tasks.length === 0) {

package/dist/commands/workspace/delete.js

@@ -2,7 +2,7 @@ import * as p from "@clack/prompts";
 import { client } from "../../lib/auth.js";
 import { resolveWorkspace } from "../../lib/resolve-workspace.js";
 export async function handleWorkspaceDelete(ref) {
-    const ws = await resolveWorkspace(client, ref);
+    const ws = await resolveWorkspace(ref);
     const confirmed = await p.confirm({
         message: `Delete workspace "${ws.name}" (${ws.githubRepo})? This will also delete the GitHub repo.`,
         initialValue: false,

package/dist/commands/workspace/get.js

@@ -1,7 +1,6 @@
-import { client } from "../../lib/auth.js";
 import { resolveWorkspace } from "../../lib/resolve-workspace.js";
 export async function handleWorkspaceGet(ref) {
-    const ws = await resolveWorkspace(client, ref);
+    const ws = await resolveWorkspace(ref);
     console.log(`  Name:       ${ws.name}`);
     console.log(`  ID:         ${ws.id}`);
     console.log(`  Status:     ${ws.status}`);

package/dist/commands/workspace/set-default.js

@@ -1,7 +1,7 @@
 import { client } from "../../lib/auth.js";
 import { resolveWorkspace } from "../../lib/resolve-workspace.js";
 export async function handleWorkspaceSetDefault(ref) {
-    const ws = await resolveWorkspace(client, ref);
+    const ws = await resolveWorkspace(ref);
     await client.workspaces.default.set({ workspaceId: ws.id });
     console.log(`Default workspace set to "${ws.name}".`);
 }

package/dist/commands/workspace/set-secrets.js

@@ -1,7 +1,7 @@
 import { client } from "../../lib/auth.js";
 import { resolveWorkspace } from "../../lib/resolve-workspace.js";
 export async function handleWorkspaceSetSecrets(ref, secretArgs) {
-    const ws = await resolveWorkspace(client, ref);
+    const ws = await resolveWorkspace(ref);
     const secrets = {};
     for (const arg of secretArgs) {
         const eqIdx = arg.indexOf("=");

package/dist/commands/workspace/sync-workflows.js

@@ -1,7 +1,7 @@
 import { client } from "../../lib/auth.js";
 import { resolveWorkspace } from "../../lib/resolve-workspace.js";
 export async function handleWorkspaceSyncWorkflows(ref) {
-    const ws = await resolveWorkspace(client, ref);
+    const ws = await resolveWorkspace(ref);
     const result = await client.workspaces.syncWorkflows.sync(ws.id);
     console.log(`Synced workflows for "${ws.name}".`);
     console.log(`  PR: ${result.pullRequestUrl}`);

package/dist/lib/auth.js

@@ -1,95 +1,100 @@
+import { createWorkOS } from "@workos-inc/node";
 import { openBrowser } from "./open-browser.js";
 import { loadConfig, saveConfig } from "./config.js";
+import { startCallbackServer } from "./callback-server.js";
 import Flamecast from "@flamecast/api";
 import * as dotenv from "dotenv";
 dotenv.config();
 const WORKOS_CLIENT_ID = process.env.WORKOS_CLIENT_ID ?? "client_01KD3FTW7R2QD0NW6QB7QP6Q0B";
 export const FLAMECAST_BASE_URL = process.env.FLAMECAST_BASE_URL || "https://api.flamecast.dev";
-function sleep(ms) {
-    return new Promise(resolve => setTimeout(resolve, ms));
-}
+const workos = createWorkOS({ clientId: WORKOS_CLIENT_ID });
 /**
- * Authenticates via WorkOS Device Authorization flow (OAuth 2.0 RFC 8628).
+ * Authenticates via WorkOS Authorization Code flow with PKCE.
  *
- * 1. Request device code from WorkOS
- * 2. Open browser to verification URL
- * 3. Poll for tokens
- * 4. Exchange WorkOS refresh token for a Flamecast API key
- *    (optionally sends the user's local GitHub token for server-side storage)
+ * 1. Start a local callback server
+ * 2. Generate authorization URL with PKCE
+ * 3. Open browser to WorkOS/GitHub auth
+ * 4. Receive callback with authorization code
+ * 5. Exchange code for tokens (includes GitHub OAuth token)
+ * 6. If email verification is required, return the pending token
+ * 7. Otherwise exchange WorkOS refresh token for a Flamecast API key
  */
-export async function authenticateViaBrowser(onDeviceCode) {
-    // Step 1: Request device authorization
-    const deviceRes = await fetch("https://api.workos.com/user_management/authorize/device", {
-        method: "POST",
-        headers: { "Content-Type": "application/x-www-form-urlencoded" },
-        body: new URLSearchParams({ client_id: WORKOS_CLIENT_ID }),
-    });
-    if (!deviceRes.ok) {
-        const text = await deviceRes.text();
-        throw new Error(`Failed to start device authorization: ${text}`);
+export async function authenticateViaBrowser(onStatus) {
+    const { redirectUri, waitForCallback, close } = await startCallbackServer();
+    try {
+        // Generate PKCE authorization URL
+        const { url, state, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({
+            provider: "GitHubOAuth",
+            redirectUri,
+            providerScopes: ["repo", "read:user"],
+        });
+        onStatus?.("Opening browser for authentication...");
+        openBrowser(url);
+        // Wait for the OAuth callback
+        onStatus?.("Waiting for browser authentication...");
+        const callback = await waitForCallback();
+        if (callback.state !== state) {
+            throw new Error("OAuth state mismatch");
+        }
+        // Exchange code for tokens — this returns oauthTokens (GitHub token)
+        try {
+            const authResult = await workos.userManagement.authenticateWithCodeAndVerifier({
+                code: callback.code,
+                codeVerifier,
+            });
+            return {
+                refreshToken: authResult.refreshToken,
+                githubToken: authResult.oauthTokens?.accessToken,
+            };
+        }
+        catch (err) {
+            // WorkOS requires email verification — extract the pending token
+            const rawData = err?.rawData;
+            const pendingToken = rawData?.pending_authentication_token;
+            if (!pendingToken)
+                throw err;
+            return { refreshToken: "", pendingAuthenticationToken: pendingToken };
+        }
     }
-    const device = (await deviceRes.json());
-    // Step 2: Notify caller of the user code, then open browser
-    onDeviceCode?.(device.user_code, device.verification_uri);
-    openBrowser(device.verification_uri_complete);
-    // Step 3: Poll for tokens
-    const tokens = await pollForTokens({
-        deviceCode: device.device_code,
-        expiresIn: device.expires_in,
-        interval: device.interval,
-    });
-    // Step 4: Exchange WorkOS refresh token for Flamecast API key
-    const exchangeBody = {
-        refreshToken: tokens.refresh_token,
-    };
-    const exchangeRes = await fetch(`${FLAMECAST_BASE_URL}/auth/cli/exchange`, {
+    finally {
+        close();
+    }
+}
+export async function exchangeForApiKey(body) {
+    const res = await fetch(`${FLAMECAST_BASE_URL}/auth/cli/exchange`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
-        body: JSON.stringify(exchangeBody),
+        body: JSON.stringify(body),
     });
-    if (!exchangeRes.ok) {
-        const text = await exchangeRes.text();
+    if (!res.ok) {
+        const text = await res.text();
         throw new Error(`Failed to exchange token: ${text}`);
     }
-    const { apiKey } = (await exchangeRes.json());
+    const { apiKey } = (await res.json());
     return apiKey;
 }
-async function pollForTokens({ deviceCode, expiresIn = 300, interval = 5, }) {
-    const deadline = Date.now() + expiresIn * 1000;
-    let pollInterval = interval;
-    while (Date.now() < deadline) {
-        await sleep(pollInterval * 1000);
-        const res = await fetch("https://api.workos.com/user_management/authenticate", {
-            method: "POST",
-            headers: { "Content-Type": "application/x-www-form-urlencoded" },
-            body: new URLSearchParams({
-                grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-                device_code: deviceCode,
-                client_id: WORKOS_CLIENT_ID,
-            }),
-        });
-        const data = (await res.json());
-        if (res.ok && data.access_token && data.refresh_token) {
-            return data;
-        }
-        switch (data.error) {
-            case "authorization_pending":
-                break;
-            case "slow_down":
-                pollInterval += 1;
-                break;
-            case "access_denied":
-            case "expired_token":
-                throw new Error("Authorization was denied or expired");
-            default:
-                throw new Error(`Unexpected auth error: ${data.error}`);
-        }
+export async function verifyEmailAndExchange(pendingAuthenticationToken, verificationCode, githubToken) {
+    const body = {
+        pendingAuthenticationToken,
+        code: verificationCode,
+    };
+    if (githubToken)
+        body.githubToken = githubToken;
+    const res = await fetch(`${FLAMECAST_BASE_URL}/auth/cli/verify-email`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+    });
+    if (!res.ok) {
+        const text = await res.text();
+        throw new Error(`Email verification failed: ${text}`);
     }
-    throw new Error("Authentication timed out");
+    const { apiKey } = (await res.json());
+    return apiKey;
 }
 /**
  * Ensures the user is authenticated. Returns a valid API key.
- * If no valid key exists, runs the device auth flow.
+ * If no valid key exists, runs the auth flow.
  */
 export async function ensureAuthenticated() {
     const config = loadConfig();
@@ -108,10 +113,29 @@ export async function ensureAuthenticated() {
     }
     try {
         console.log("Opening browser to authenticate...");
-        const apiKey = await authenticateViaBrowser((userCode, verificationUri) => {
-            console.log(`\nConfirm code: ${userCode}`);
-            console.log(`If the browser didn't open, visit: ${verificationUri}\n`);
-        });
+        const result = await authenticateViaBrowser();
+        let apiKey;
+        if (result.pendingAuthenticationToken) {
+            // Email verification required — prompt in terminal
+            const readline = await import("node:readline");
+            const rl = readline.createInterface({
+                input: process.stdin,
+                output: process.stdout,
+            });
+            const code = await new Promise(resolve => {
+                rl.question("Check your email for a verification code and enter it here: ", answer => {
+                    rl.close();
+                    resolve(answer.trim());
+                });
+            });
+            apiKey = await verifyEmailAndExchange(result.pendingAuthenticationToken, code, result.githubToken);
+        }
+        else {
+            apiKey = await exchangeForApiKey({
+                refreshToken: result.refreshToken,
+                ...(result.githubToken && { githubToken: result.githubToken }),
+            });
+        }
         saveConfig({ apiKey });
         return { apiKey };
     }

package/dist/lib/callback-server.js

@@ -0,0 +1,72 @@
+import { createServer } from "node:http";
+import { URL } from "node:url";
+const PORTS = [19284, 19285, 19286];
+const TIMEOUT_MS = 120_000;
+const SUCCESS_HTML = `<!DOCTYPE html>
+<html><body style="font-family:system-ui;display:flex;justify-content:center;align-items:center;height:100vh;margin:0">
+<div style="text-align:center"><h2>Authentication successful</h2><p>You can close this tab and return to the terminal.</p></div>
+</body></html>`;
+function tryListen(server, port) {
+    return new Promise((resolve, reject) => {
+        server.once("error", reject);
+        server.listen(port, "127.0.0.1", () => {
+            server.removeListener("error", reject);
+            resolve();
+        });
+    });
+}
+export async function startCallbackServer() {
+    let resolve;
+    let reject;
+    const callbackPromise = new Promise((res, rej) => {
+        resolve = res;
+        reject = rej;
+    });
+    const server = createServer((req, res) => {
+        if (!req.url?.startsWith("/callback")) {
+            res.writeHead(404);
+            res.end();
+            return;
+        }
+        const url = new URL(req.url, `http://127.0.0.1`);
+        const code = url.searchParams.get("code");
+        const state = url.searchParams.get("state");
+        const error = url.searchParams.get("error");
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(SUCCESS_HTML);
+        if (error) {
+            reject(new Error(`Authentication failed: ${error}`));
+        }
+        else if (code && state) {
+            resolve({ code, state });
+        }
+        else {
+            reject(new Error("Missing code or state in callback"));
+        }
+    });
+    let boundPort;
+    for (const port of PORTS) {
+        try {
+            await tryListen(server, port);
+            boundPort = port;
+            break;
+        }
+        catch { }
+    }
+    if (!boundPort) {
+        throw new Error(`Could not start callback server on any port (${PORTS.join(", ")})`);
+    }
+    const timeout = setTimeout(() => {
+        reject(new Error("Authentication timed out"));
+        server.close();
+    }, TIMEOUT_MS);
+    return {
+        port: boundPort,
+        redirectUri: `http://localhost:${boundPort}/callback`,
+        waitForCallback: () => callbackPromise,
+        close: () => {
+            clearTimeout(timeout);
+            server.close();
+        },
+    };
+}

package/dist/lib/resolve-workspace.js

@@ -1,9 +1,10 @@
+import { client } from "./auth.js";
 const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 /**
  * Resolve a workspace from a name, UUID, or "default".
  * If `ref` is omitted/undefined, resolves the user's default workspace.
  */
-export async function resolveWorkspace(client, ref) {
+export async function resolveWorkspace(ref) {
     // No ref provided → use default
     if (!ref) {
         const { defaultWorkspaceId } = await client.workspaces.default.get();

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "flamecast",
-	"version": "0.4.1",
+	"version": "0.5.0",
 	"type": "module",
 	"bin": {
 		"flame": "./dist/cli.js"
@@ -16,13 +16,15 @@
 		"check-types": "tsc --noEmit",
 		"cli": "tsx src/cli.ts",
 		"cli:local": "FLAMECAST_BASE_URL=http://localhost:6970 tsx src/cli.ts",
-		"compile": "bun run scripts/compile.ts",
-		"compile:local": "bun run scripts/compile.ts local"
+		"secrets:pull": "infisical export --path=/packages/cli --env=dev --format=dotenv > .env",
+		"secrets:push": "infisical secrets set --file=.env --path=/packages/cli --env=dev"
 	},
 	"dependencies": {
 		"@clack/prompts": "^0.9",
-		"dotenv": "^17.3.1",
-		"@flamecast/api": "https://pkg.stainless.com/s/flamecast-typescript/a6defd2f595fa445dd2fd116076a7bbffd3f65b9/dist.tar.gz"
+		"@flamecast/api": "https://pkg.stainless.com/s/flamecast-typescript/8bcb3971cf86ab592fcb8d2eb121e4f70abff474/dist.tar.gz",
+		"@workos-inc/node": "^8",
+		"commander": "^14.0.3",
+		"dotenv": "^17.3.1"
 	},
 	"devDependencies": {
 		"@flamecast/typescript-config": "workspace:*",

package/dist/lib/api.js

@@ -1,11 +0,0 @@
-import Flamecast from "@flamecast/api";
-const DEFAULT_API_URL = "https://api.flamecast.dev";
-export function getBaseUrl(apiUrl) {
-    return apiUrl || process.env.FLAMECAST_BASE_URL || DEFAULT_API_URL;
-}
-export function createApiClient(apiKey, apiUrl) {
-    return new Flamecast({
-        apiKey,
-        baseURL: getBaseUrl(apiUrl),
-    });
-}