fraim 2.0.176 → 2.0.179

package/dist/src/ai-hub/server.js

@@ -110,6 +110,16 @@ function loadPersonaCapabilityModule() {
 function getProtectedPersonaForHubJob(jobName) {
     return loadPersonaCapabilityModule()?.getProtectedPersonaForJob(jobName) ?? null;
 }
+const FRAIM_INTERNAL_JOB_IDS = new Set([
+    'contribute-to-fraim',
+    'create-registry-asset',
+    'extract-ashley-learnings',
+    'file-fraim-issue',
+    'praise-fraim',
+    'run-on-remote-hub',
+    'setup-remote-hub',
+    'update-registry-override',
+]);
 function listHubPersonaBundles() {
     return loadPersonaCapabilityModule()?.listPersonaCapabilityBundles() ?? [];
 }
@@ -147,6 +157,9 @@ function createDefaultDbService() {
         return undefined;
     }
 }
+function supportsManagerSeatAssignments(dbService) {
+    return typeof dbService.countHubManagerAssignments === 'function';
+}
 class AiHubRunRegistry {
     constructor() {
         this.runs = new Map();
@@ -1246,6 +1259,23 @@ class AiHubServer {
         this.app.get('/api/health', (_req, res) => {
             res.json({ status: 'ok', service: 'fraim-ai-hub' });
         });
+        // Issue #659: Inbound auth middleware for remote-exposed hubs.
+        // Activated only when FRAIM_HUB_AUTH_TOKEN env var is set. Gates all
+        // /api/ai-hub/* routes. /health and /api/health are registered above
+        // this block and are never gated.
+        if (process.env.FRAIM_HUB_AUTH_TOKEN) {
+            const expectedToken = process.env.FRAIM_HUB_AUTH_TOKEN;
+            this.app.use('/api/ai-hub', (req, res, next) => {
+                const token = req.headers['x-hub-auth'];
+                if (typeof token !== 'string' ||
+                    token.length !== expectedToken.length ||
+                    !(0, crypto_1.timingSafeEqual)(Buffer.from(token), Buffer.from(expectedToken))) {
+                    res.status(401).json({ error: 'Unauthorized' });
+                    return;
+                }
+                next();
+            });
+        }
         this.registerRoutes();
     }
     getApp() {
@@ -1363,7 +1393,9 @@ class AiHubServer {
         // Issue #566 (R7): jobs already carry `personalized` from catalog discovery
         // (true for the fraim/personalized-employee layer). The Hub renders a plain
         // "Personalized" marking from that flag — no author/attribution is tracked.
-        const jobs = rawJobs.map((job) => ({
+        const jobs = rawJobs
+            .filter((job) => !FRAIM_INTERNAL_JOB_IDS.has(job.id))
+            .map((job) => ({
             ...job,
             requiredPersonaKey: getProtectedPersonaForHubJob(job.id),
         }));
@@ -1853,6 +1885,23 @@ class AiHubServer {
             if (!state) {
                 return { personas: fallbackPersonas, subscriptionActive: false, workspaceId: null, userKey: null };
             }
+            // Legacy bypass: persona gating is not active for this workspace, so all personas are accessible.
+            // Mirrors the evaluatePersonaAccess legacy bypass in persona-entitlement-service.ts.
+            if (!state.subscriptionActive) {
+                const legacySeatCount = supportsManagerSeatAssignments(this.dbService) ? 0 : 1;
+                const allPersonas = allBundles.map((bundle) => ({
+                    key: bundle.personaKey,
+                    displayName: bundle.catalogMetadata.displayName,
+                    role: bundle.catalogMetadata.role,
+                    avatarUrl: buildHubPersonaAvatarUrl(bundle.personaKey),
+                    pricingLabel: '',
+                    status: 'hired',
+                    hireUrl: buildHubPersonaHireUrl(bundle.personaKey, bundle.defaultHireMode),
+                    seatCount: legacySeatCount,
+                    seatsInUse: 0,
+                }));
+                return { personas: allPersonas, subscriptionActive: false, workspaceId: state.workspaceId, userKey: state.userId ?? null };
+            }
             const hiredKeys = new Set(state.entitlements
                 .filter((e) => e.status === 'active')
                 .map((e) => e.personaKey));

package/dist/src/cli/commands/add-provider.js

@@ -33,67 +33,79 @@ const saveGlobalConfig = (config) => {
     const globalConfigPath = path_1.default.join((0, script_sync_utils_1.getUserFraimDir)(), 'config.json');
     fs_1.default.writeFileSync(globalConfigPath, JSON.stringify(config, null, 2));
 };
-const updateIDEConfigs = async (provider, config) => {
+const forEachInstalledIDE = async (callback) => {
     const detectedIDEs = (0, ide_detector_1.detectInstalledIDEs)();
     if (detectedIDEs.length === 0) {
         console.log(chalk_1.default.yellow('⚠️ No IDEs detected. MCP configs not updated.'));
         return;
     }
     console.log(chalk_1.default.blue(`\n🔧 Updating ${detectedIDEs.length} IDE configuration(s)...\n`));
-    const tokenConfig = {
-        github: config.tokens?.github,
-        gitlab: config.tokens?.gitlab,
-        ado: config.tokens?.ado,
-        jira: config.tokens?.jira
-    };
-    const providerConfigs = Object.entries(config.providerConfigs || {}).reduce((acc, [key, value]) => {
-        const providerId = key.replace(/Config$/, '');
-        acc[providerId] = value;
-        return acc;
-    }, {});
     for (const ide of detectedIDEs) {
         try {
-            const configPath = (0, ide_detector_1.expandPath)(ide.configPath);
-            if (ide.configFormat === 'json') {
-                // JSON-based config (Claude Desktop, Cursor, etc.)
-                let ideConfig = {};
-                if (fs_1.default.existsSync(configPath)) {
-                    ideConfig = JSON.parse(fs_1.default.readFileSync(configPath, 'utf8'));
-                }
-                const mcpConfig = await (0, mcp_config_generator_1.generateMCPConfig)(ide.configType, config.apiKey, tokenConfig, providerConfigs);
-                const serversKey = ide.configType === 'vscode' ? 'servers' : 'mcpServers';
-                if (!ideConfig[serversKey]) {
-                    ideConfig[serversKey] = {};
-                }
-                // Add the new provider's MCP server
-                const providerServerKey = provider === 'ado' ? 'ado' : provider;
-                if (mcpConfig[serversKey] && mcpConfig[serversKey][providerServerKey]) {
-                    ideConfig[serversKey][providerServerKey] = mcpConfig[serversKey][providerServerKey];
-                    fs_1.default.writeFileSync(configPath, JSON.stringify(ideConfig, null, 2));
-                    console.log(chalk_1.default.green(`✅ Updated ${ide.name} config`));
-                }
-            }
-            else if (ide.configFormat === 'toml') {
-                // TOML-based config (Codex, Zed)
-                const mcpConfigToml = await (0, mcp_config_generator_1.generateMCPConfig)(ide.configType, config.apiKey, tokenConfig, providerConfigs);
-                if (fs_1.default.existsSync(configPath)) {
-                    const existingContent = fs_1.default.readFileSync(configPath, 'utf8');
-                    // Merge only the new provider's server
-                    const serversToMerge = [provider === 'ado' ? 'ado' : provider];
-                    const mergeResult = (0, mcp_config_generator_2.mergeTomlMCPServers)(existingContent, mcpConfigToml, serversToMerge);
-                    fs_1.default.writeFileSync(configPath, mergeResult.content);
-                    console.log(chalk_1.default.green(`✅ Updated ${ide.name} config`));
-                }
-                else {
-                    console.log(chalk_1.default.yellow(`⚠️ ${ide.name} config not found, skipping`));
-                }
-            }
+            await callback(ide, (0, ide_detector_1.expandPath)(ide.configPath));
         }
         catch (error) {
             console.log(chalk_1.default.red(`❌ Failed to update ${ide.name}: ${error instanceof Error ? error.message : 'Unknown error'}`));
         }
     }
 };
+const writeOAuthProviderToIDEConfigs = async (provider, mcpUrl) => {
+    const urlOnlyEntry = { type: 'http', url: mcpUrl };
+    await forEachInstalledIDE(async (ide, configPath) => {
+        if (ide.configFormat === 'json') {
+            let ideConfig = {};
+            if (fs_1.default.existsSync(configPath)) {
+                ideConfig = JSON.parse(fs_1.default.readFileSync(configPath, 'utf8'));
+            }
+            const serversKey = ide.configType === 'vscode' ? 'servers' : 'mcpServers';
+            if (!ideConfig[serversKey]) {
+                ideConfig[serversKey] = {};
+            }
+            ideConfig[serversKey][provider] = urlOnlyEntry;
+            fs_1.default.writeFileSync(configPath, JSON.stringify(ideConfig, null, 2));
+            console.log(chalk_1.default.green(`✅ Updated ${ide.name} config`));
+        }
+        else if (ide.configFormat === 'toml') {
+            console.log(chalk_1.default.yellow(`⚠️ ${ide.name} uses TOML format — update manually: add [tools.${provider}] url = "${mcpUrl}"`));
+        }
+    });
+};
+const updateIDEConfigs = async (provider, fraimKey, token, providerConfig) => {
+    const tokenConfig = { [provider]: token };
+    const providerConfigs = providerConfig ? { [provider]: providerConfig } : {};
+    await forEachInstalledIDE(async (ide, configPath) => {
+        if (ide.configFormat === 'json') {
+            let ideConfig = {};
+            if (fs_1.default.existsSync(configPath)) {
+                ideConfig = JSON.parse(fs_1.default.readFileSync(configPath, 'utf8'));
+            }
+            const mcpConfig = await (0, mcp_config_generator_1.generateMCPConfig)(ide.configType, fraimKey, tokenConfig, providerConfigs);
+            const serversKey = ide.configType === 'vscode' ? 'servers' : 'mcpServers';
+            if (!ideConfig[serversKey]) {
+                ideConfig[serversKey] = {};
+            }
+            const providerServerKey = provider === 'ado' ? 'ado' : provider;
+            if (mcpConfig[serversKey] && mcpConfig[serversKey][providerServerKey]) {
+                ideConfig[serversKey][providerServerKey] = mcpConfig[serversKey][providerServerKey];
+                fs_1.default.writeFileSync(configPath, JSON.stringify(ideConfig, null, 2));
+                console.log(chalk_1.default.green(`✅ Updated ${ide.name} config`));
+            }
+        }
+        else if (ide.configFormat === 'toml') {
+            const mcpConfigToml = await (0, mcp_config_generator_1.generateMCPConfig)(ide.configType, fraimKey, tokenConfig, providerConfigs);
+            if (fs_1.default.existsSync(configPath)) {
+                const existingContent = fs_1.default.readFileSync(configPath, 'utf8');
+                const serversToMerge = [provider === 'ado' ? 'ado' : provider];
+                const mergeResult = (0, mcp_config_generator_2.mergeTomlMCPServers)(existingContent, mcpConfigToml, serversToMerge);
+                fs_1.default.writeFileSync(configPath, mergeResult.content);
+                console.log(chalk_1.default.green(`✅ Updated ${ide.name} config`));
+            }
+            else {
+                console.log(chalk_1.default.yellow(`⚠️ ${ide.name} config not found, skipping`));
+            }
+        }
+    });
+};
 const offerModeSwitch = async (config) => {
     if (config.mode === 'split') {
         console.log(chalk_1.default.gray('\nAlready in split mode.'));
@@ -186,6 +198,19 @@ const runAddProvider = async (provider, options) => {
             }
         }
     }
+    // Detect OAuth-first providers: HTTP MCP with no authHeaderTemplate means the IDE
+    // handles OAuth natively. Skip credential collection and write a URL-only IDE entry.
+    const providerDefOAuth = await (0, provider_registry_1.getProvider)(provider);
+    if (providerDefOAuth?.mcpServer?.type === 'http' &&
+        !providerDefOAuth.mcpServer.authHeaderTemplate) {
+        const mcpUrl = providerDefOAuth.mcpServer.url;
+        await writeOAuthProviderToIDEConfigs(provider, mcpUrl);
+        console.log(chalk_1.default.green(`\n✅ ${providerName} configured for IDE-native OAuth.`));
+        console.log(chalk_1.default.cyan('\n💡 Next steps:'));
+        console.log(chalk_1.default.gray('   1. Restart your IDE(s) to load the new MCP server'));
+        console.log(chalk_1.default.gray('   2. On first use, your IDE will prompt you to sign in to ' + providerName));
+        return;
+    }
     // Get credentials using generic prompt system
     try {
         // Build provided tokens/configs from CLI options
@@ -205,20 +230,8 @@ const runAddProvider = async (provider, options) => {
         // Get credentials using generic prompt system
         const client = (0, get_provider_client_1.getProviderClient)();
         const creds = await (0, provider_prompts_1.promptForProviderCredentials)(client, provider, providedTokens[provider], providedConfigs[provider]);
-        // Save token
-        config.tokens[provider] = creds.token;
-        // Save provider-specific config if present
-        if (creds.config) {
-            if (!config.providerConfigs) {
-                config.providerConfigs = {};
-            }
-            config.providerConfigs[`${provider}Config`] = creds.config;
-        }
-        // Save updated config
-        saveGlobalConfig(config);
-        console.log(chalk_1.default.green(`\n✅ ${providerName} credentials saved to global config`));
-        // Update IDE configs
-        await updateIDEConfigs(provider, config);
+        // Write provider MCP entry directly to IDE configs (token not stored in global config)
+        await updateIDEConfigs(provider, config.apiKey, creds.token, creds.config);
         // Offer mode switch if adding a provider with issues capability
         const providerDef = await (0, provider_registry_1.getProvider)(provider);
         if (providerDef?.capabilities.includes('issues') && provider === 'jira') {

package/dist/src/cli/commands/add-surface.js

@@ -0,0 +1,128 @@
+"use strict";
+/**
+ * fraim add-surface — Register FRAIM as an MCP server on Track B Claude surfaces.
+ *
+ * Track B surfaces connect via remote HTTPS MCP (not local stdio):
+ *   - claude.ai web, Claude Design, Claude Cowork (remote mode), Claude mobile
+ *   - Claude in Word, Excel, PowerPoint, Outlook (via admin manifest)
+ *
+ * Track A surfaces (local stdio) are handled by `fraim add-ide` instead.
+ *
+ * Auth model: OAuth 2.1 PKCE. claude.ai discovers endpoints via RFC 8414
+ * (/.well-known/oauth-authorization-server) and drives the full authorize/token
+ * flow automatically — no manual API key entry required.
+ * Office add-ins still use a direct gateway token via the claude-in-office CLI.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.addSurfaceCommand = void 0;
+const commander_1 = require("commander");
+const chalk_1 = __importDefault(require("chalk"));
+const FRAIM_REMOTE_URL = 'https://fraim.wellnessatwork.me';
+const MCP_ENDPOINT = `${FRAIM_REMOTE_URL}/mcp`;
+// ─── surface handlers ────────────────────────────────────────────────────────
+function printClaudeWebInstructions(surface) {
+    const label = {
+        'claude.ai': 'claude.ai web',
+        'design': 'Claude Design',
+        'cowork': 'Claude Cowork (remote mode)',
+        'mobile': 'Claude iOS / Android',
+    };
+    const name = label[surface] || surface;
+    console.log(chalk_1.default.bold(`\n  ${name} — Remote MCP Connector`));
+    console.log(chalk_1.default.gray('  ─────────────────────────────────────────────────────────'));
+    console.log(chalk_1.default.white('  1. Open claude.ai → profile icon → Settings → Connectors'));
+    console.log(chalk_1.default.white('  2. Click "+ Add Custom Connector"'));
+    console.log(chalk_1.default.white('  3. Enter this URL:'));
+    console.log(chalk_1.default.cyan(`\n       ${MCP_ENDPOINT}\n`));
+    console.log(chalk_1.default.white('  4. Click "Connect" — FRAIM uses OAuth sign-in (Google or GitHub).'));
+    console.log(chalk_1.default.white('     If you are already logged in to fraimworks.ai, the connector'));
+    console.log(chalk_1.default.white('     completes automatically with no extra steps.'));
+    console.log(chalk_1.default.white('  5. The connector syncs to mobile and Claude Design automatically.'));
+    console.log(chalk_1.default.gray('\n  Note: Settings > Connectors is the same for web, mobile, and Claude Design.'));
+    console.log(chalk_1.default.gray(`  Discovery: ${FRAIM_REMOTE_URL}/.well-known/oauth-authorization-server`));
+}
+function printOfficeInstructions(surface) {
+    const label = {
+        'word': 'Claude in Word',
+        'excel': 'Claude in Excel',
+        'powerpoint': 'Claude in PowerPoint',
+        'outlook': 'Claude in Outlook',
+    };
+    const name = label[surface] || surface;
+    console.log(chalk_1.default.bold(`\n  ${name} — Claude add-in (sign in with your Claude account)`));
+    console.log(chalk_1.default.gray('  ─────────────────────────────────────────────────────────'));
+    console.log(chalk_1.default.white('  The Claude Office add-in is a client-side panel you install from'));
+    console.log(chalk_1.default.white('  Microsoft AppSource and sign into with your claude.ai account.'));
+    console.log(chalk_1.default.white('  Connectors are per-account, so the FRAIM connector you configured'));
+    console.log(chalk_1.default.white('  on claude.ai is automatically available here — no extra setup needed.'));
+    console.log(chalk_1.default.white('\n  Steps:'));
+    console.log(chalk_1.default.white('    1. Open Word / Excel / PowerPoint'));
+    console.log(chalk_1.default.white('    2. Insert → Add-ins → search for "Claude"'));
+    console.log(chalk_1.default.white('    3. Sign in with the same account you used on claude.ai'));
+    console.log(chalk_1.default.white('    4. FRAIM tools are available immediately via the connector'));
+    console.log(chalk_1.default.gray('\n  Docs: https://support.claude.com/en/articles/13945233'));
+}
+function printDesktopBridgeNote() {
+    console.log(chalk_1.default.gray('\n  Note: Claude Desktop and Claude Cowork (local mode) use Track A (local stdio).'));
+    console.log(chalk_1.default.gray('  Run `fraim add-ide` for those instead.'));
+}
+// ─── supported surfaces ───────────────────────────────────────────────────────
+const WEB_SURFACES = ['claude.ai', 'design', 'cowork', 'mobile'];
+const OFFICE_SURFACES = ['word', 'excel', 'powerpoint', 'outlook'];
+const ALL_SURFACES = [...WEB_SURFACES, ...OFFICE_SURFACES];
+// ─── command action ───────────────────────────────────────────────────────────
+async function runAddSurface(options) {
+    if (options.list) {
+        console.log(chalk_1.default.bold('\nTrack B surfaces (remote HTTPS MCP):'));
+        console.log(chalk_1.default.cyan('  Web / Mobile'));
+        WEB_SURFACES.forEach(s => console.log(chalk_1.default.white(`    • ${s}`)));
+        console.log(chalk_1.default.cyan('\n  Microsoft 365 (admin manifest required)'));
+        OFFICE_SURFACES.forEach(s => console.log(chalk_1.default.white(`    • ${s}`)));
+        console.log(chalk_1.default.gray('\nTrack A surfaces (local stdio — use `fraim add-ide` instead):'));
+        console.log(chalk_1.default.gray('  claude-desktop, claude-code, claude-cowork (local), cursor, vscode, codex, gemini, kiro, windsurf'));
+        return;
+    }
+    const targets = options.all
+        ? ALL_SURFACES
+        : options.surface
+            ? [options.surface.toLowerCase()]
+            : [];
+    if (targets.length === 0) {
+        console.log(chalk_1.default.bold('\nUsage: fraim add-surface --surface <name>  or  --all  or  --list\n'));
+        console.log(chalk_1.default.white('Available surfaces (Track B — remote HTTPS MCP):'));
+        console.log(chalk_1.default.cyan('  Web/mobile:  claude.ai | design | cowork | mobile'));
+        console.log(chalk_1.default.cyan('  Office:      word | excel | powerpoint | outlook'));
+        console.log(chalk_1.default.gray('\nExample: fraim add-surface --surface claude.ai'));
+        console.log(chalk_1.default.gray('         fraim add-surface --all'));
+        return;
+    }
+    const unknown = targets.filter(t => !ALL_SURFACES.includes(t));
+    if (unknown.length > 0) {
+        console.log(chalk_1.default.red(`✗ Unknown surface(s): ${unknown.join(', ')}`));
+        console.log(chalk_1.default.yellow(`  Valid values: ${ALL_SURFACES.join(', ')}`));
+        process.exit(1);
+    }
+    console.log(chalk_1.default.bold('\nFRAIM MCP — Surface Registration Instructions'));
+    console.log(chalk_1.default.gray(`Remote endpoint: ${MCP_ENDPOINT}`));
+    const webTargets = targets.filter(t => WEB_SURFACES.includes(t));
+    const officeTargets = targets.filter(t => OFFICE_SURFACES.includes(t));
+    webTargets.forEach(s => printClaudeWebInstructions(s));
+    officeTargets.forEach(s => printOfficeInstructions(s));
+    if (targets.some(t => ['cowork', 'claude-desktop'].includes(t))) {
+        printDesktopBridgeNote();
+    }
+    console.log(chalk_1.default.bold('\n  MCP endpoint details:'));
+    console.log(chalk_1.default.white(`    URL:       ${MCP_ENDPOINT}`));
+    console.log(chalk_1.default.white(`    Auth:      OAuth 2.1 PKCE (Google / GitHub sign-in via fraimworks.ai)`));
+    console.log(chalk_1.default.white(`    Discovery: ${FRAIM_REMOTE_URL}/.well-known/oauth-authorization-server`));
+    console.log(chalk_1.default.gray('\n  Run `fraim doctor` to verify local (Track A) configuration.'));
+}
+exports.addSurfaceCommand = new commander_1.Command('add-surface')
+    .description('Register FRAIM as a remote MCP server on Track B Claude surfaces (claude.ai, Design, Cowork, Office add-ins)')
+    .option('--surface <name>', 'Target surface: claude.ai | design | cowork | mobile | word | excel | powerpoint | outlook')
+    .option('--all', 'Print instructions for all Track B surfaces')
+    .option('--list', 'List supported surfaces')
+    .action(runAddSurface);

package/dist/src/cli/commands/first-run.js

@@ -65,11 +65,9 @@ function openBrowser(url) {
     }
 }
 const runFirstRun = async (options) => {
-    const key = options.key || process.env.FRAIM_API_KEY || process.env.FRAIM_SETUP_KEY || process.env.FRAIM_INSTALL_KEY;
-    if (!key) {
-        console.log(chalk_1.default.red('FRAIM key is required for first-run.'));
-        process.exit(1);
-    }
+    // Issue #646: the key is optional. When launched by the no-terminal macOS
+    // installer (.pkg), no key is passed — the wizard prompts the user to paste it.
+    const key = options.key || process.env.FRAIM_API_KEY || process.env.FRAIM_SETUP_KEY || process.env.FRAIM_INSTALL_KEY || '';
     const sessionService = new session_service_1.FirstRunSessionService({
         key,
         headless: options.headless,

package/dist/src/cli/commands/login.js

@@ -6,78 +6,14 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.loginCommand = void 0;
 const commander_1 = require("commander");
 const chalk_1 = __importDefault(require("chalk"));
-const device_flow_service_1 = require("../internal/device-flow-service");
-const provider_client_1 = require("../api/provider-client");
-const script_sync_utils_1 = require("../utils/script-sync-utils");
-const fs_1 = __importDefault(require("fs"));
-const path_1 = __importDefault(require("path"));
-const auto_mcp_setup_1 = require("../setup/auto-mcp-setup");
 exports.loginCommand = new commander_1.Command('login')
     .description('Login to platforms (GitHub, etc.)');
 exports.loginCommand
     .command('github')
-    .description('Login to GitHub using Device Flow')
+    .description('Configure GitHub MCP access (redirects to add-provider)')
     .action(async () => {
-    // Load the token to global config
-    const globalConfigDir = (0, script_sync_utils_1.getUserFraimDir)();
-    const globalConfigPath = path_1.default.join(globalConfigDir, 'config.json');
-    let config = {};
-    if (fs_1.default.existsSync(globalConfigPath)) {
-        config = JSON.parse(fs_1.default.readFileSync(globalConfigPath, 'utf8'));
-    }
-    if (!config.apiKey) {
-        console.error(chalk_1.default.red('\n❌ No FRAIM API key found. Please run "fraim setup" first.'));
-        process.exit(1);
-    }
-    const client = new provider_client_1.ProviderClient(config.apiKey);
-    let githubConfig;
-    try {
-        const providers = await client.getAllProviders();
-        githubConfig = providers.find(p => p.id === 'github')?.deviceFlowConfig;
-        if (!githubConfig) {
-            console.error(chalk_1.default.red('\n❌ Device flow configuration for GitHub not found on server.'));
-            process.exit(1);
-        }
-    }
-    catch (error) {
-        console.error(chalk_1.default.red(`\n❌ Failed to fetch provider configuration: ${error.message}`));
-        process.exit(1);
-    }
-    const deviceFlow = new device_flow_service_1.DeviceFlowService(githubConfig);
-    try {
-        const token = await deviceFlow.login();
-        config.tokens = {
-            ...(config.tokens || {}),
-            github: token
-        };
-        delete config.version;
-        config.updatedAt = new Date().toISOString();
-        fs_1.default.writeFileSync(globalConfigPath, JSON.stringify(config, null, 2));
-        console.log(chalk_1.default.green('\n✅ GitHub token saved to global configuration.'));
-        // Trigger MCP reconfiguration
-        if (config.apiKey) {
-            console.log(chalk_1.default.blue('🔌 Updating MCP server configurations...'));
-            const mcpTokens = {};
-            Object.entries(config.tokens).forEach(([id, t]) => {
-                mcpTokens[id] = t;
-            });
-            // Re-use existing provider configs if any
-            const providerConfigsMap = {};
-            if (config.providerConfigs) {
-                Object.entries(config.providerConfigs).forEach(([key, val]) => {
-                    const providerId = key.replace('Config', '');
-                    providerConfigsMap[providerId] = val;
-                });
-            }
-            await (0, auto_mcp_setup_1.autoConfigureMCP)(config.apiKey, mcpTokens, undefined, providerConfigsMap);
-            console.log(chalk_1.default.green('✅ MCP servers updated with new GitHub token.'));
-        }
-        else {
-            console.log(chalk_1.default.yellow('⚠️  No FRAIM API key found. Run "fraim setup" to complete configuration.'));
-        }
-    }
-    catch (error) {
-        console.error(chalk_1.default.red(`\n❌ Login failed: ${error.message}`));
-        process.exit(1);
-    }
+    console.log(chalk_1.default.blue('\n💡 GitHub authentication is now handled natively by your IDE.'));
+    console.log(chalk_1.default.gray('To configure GitHub MCP access, run:'));
+    console.log(chalk_1.default.cyan('\n   fraim add-provider github\n'));
+    console.log(chalk_1.default.gray('Your IDE will prompt for GitHub sign-in automatically on first use.'));
 });