helixmind 0.1.0

package/dist/cli/agent/undo.js

@@ -0,0 +1,48 @@
+import { readFileSync, writeFileSync, existsSync } from 'node:fs';
+export class UndoStack {
+    stack = [];
+    maxSize = 50;
+    push(entry) {
+        this.stack.push(entry);
+        if (this.stack.length > this.maxSize) {
+            this.stack.shift();
+        }
+    }
+    /**
+     * Undo the last n changes. Returns the number of changes undone.
+     */
+    undo(count = 1) {
+        const entries = [];
+        const toUndo = Math.min(count, this.stack.length);
+        for (let i = 0; i < toUndo; i++) {
+            const entry = this.stack.pop();
+            if (entry.originalContent === null) {
+                // File was created — we can't delete it (too dangerous), just note it
+                entries.push(entry);
+            }
+            else {
+                writeFileSync(entry.path, entry.originalContent, 'utf-8');
+                entries.push(entry);
+            }
+        }
+        return { undone: entries.length, entries };
+    }
+    /**
+     * Get all undo-able entries (most recent first).
+     */
+    list() {
+        return [...this.stack].reverse();
+    }
+    /**
+     * Capture the current state of a file before modification.
+     */
+    static captureState(path) {
+        if (!existsSync(path))
+            return null;
+        return readFileSync(path, 'utf-8');
+    }
+    get size() {
+        return this.stack.length;
+    }
+}
+//# sourceMappingURL=undo.js.map

package/dist/cli/agent/undo.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"undo.js","sourceRoot":"","sources":["../../../src/cli/agent/undo.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAWlE,MAAM,OAAO,SAAS;IACZ,KAAK,GAAgB,EAAE,CAAC;IACxB,OAAO,GAAG,EAAE,CAAC;IAErB,IAAI,CAAC,KAAgB;QACnB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvB,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;YACrC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,IAAI,CAAC,QAAgB,CAAC;QACpB,MAAM,OAAO,GAAgB,EAAE,CAAC;QAChC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAElD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAChC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,EAAG,CAAC;YAChC,IAAI,KAAK,CAAC,eAAe,KAAK,IAAI,EAAE,CAAC;gBACnC,sEAAsE;gBACtE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACtB,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;gBAC1D,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,IAAI;QACF,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,YAAY,CAAC,IAAY;QAC9B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,OAAO,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;IAC3B,CAAC;CACF"}

package/dist/cli/auth/callback-server.d.ts

@@ -0,0 +1,15 @@
+export interface CallbackResult {
+    apiKey: string;
+    state: string;
+    userId?: string;
+    email?: string;
+    plan?: string;
+}
+export interface CallbackServer {
+    port: number;
+    state: string;
+    waitForCallback(): Promise<CallbackResult>;
+    close(): void;
+}
+export declare function startCallbackServer(timeoutMs?: number): Promise<CallbackServer>;
+//# sourceMappingURL=callback-server.d.ts.map

package/dist/cli/auth/callback-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback-server.d.ts","sourceRoot":"","sources":["../../../src/cli/auth/callback-server.ts"],"names":[],"mappings":"AAQA,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,eAAe,IAAI,OAAO,CAAC,cAAc,CAAC,CAAC;IAC3C,KAAK,IAAI,IAAI,CAAC;CACf;AAsED,wBAAgB,mBAAmB,CAAC,SAAS,SAAU,GAAG,OAAO,CAAC,cAAc,CAAC,CAwGhF"}

package/dist/cli/auth/callback-server.js

@@ -0,0 +1,168 @@
+/**
+ * Temporary localhost HTTP server for CLI login callback.
+ * Receives the API key from the webapp after user authorization.
+ */
+import { createServer } from 'node:http';
+import { randomBytes } from 'node:crypto';
+import { URL } from 'node:url';
+const SUCCESS_HTML = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>HelixMind CLI — Authorized</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      background: #050510;
+      color: #e0e0e0;
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      min-height: 100vh;
+    }
+    .card {
+      text-align: center;
+      padding: 3rem;
+      border: 1px solid rgba(0, 212, 255, 0.2);
+      border-radius: 16px;
+      background: rgba(0, 212, 255, 0.03);
+      max-width: 420px;
+    }
+    .icon { font-size: 3rem; margin-bottom: 1rem; }
+    h1 { color: #00d4ff; font-size: 1.5rem; margin-bottom: 0.5rem; }
+    p { color: #888; font-size: 0.95rem; line-height: 1.5; }
+    .hint { margin-top: 1.5rem; font-size: 0.8rem; color: #555; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <div class="icon">&#x2713;</div>
+    <h1>CLI Authorized</h1>
+    <p>HelixMind CLI has been connected to your account.<br>You can close this tab and return to your terminal.</p>
+    <p class="hint">This tab will close automatically in 3 seconds.</p>
+  </div>
+  <script>setTimeout(() => window.close(), 3000);</script>
+</body>
+</html>`;
+const CANCEL_HTML = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <title>HelixMind CLI — Cancelled</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      background: #050510; color: #e0e0e0;
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+      display: flex; align-items: center; justify-content: center; min-height: 100vh;
+    }
+    .card { text-align: center; padding: 3rem; border: 1px solid rgba(255,100,100,0.2); border-radius: 16px; max-width: 420px; }
+    h1 { color: #ff6464; font-size: 1.5rem; margin-bottom: 0.5rem; }
+    p { color: #888; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>Authorization Cancelled</h1>
+    <p>You can close this tab.</p>
+  </div>
+  <script>setTimeout(() => window.close(), 2000);</script>
+</body>
+</html>`;
+export function startCallbackServer(timeoutMs = 120_000) {
+    return new Promise((resolveServer, rejectServer) => {
+        const state = randomBytes(32).toString('hex');
+        let callbackResolve = null;
+        let callbackReject = null;
+        let settled = false;
+        let timer = null;
+        const server = createServer((req, res) => {
+            const url = new URL(req.url ?? '/', `http://127.0.0.1`);
+            const pathname = url.pathname;
+            // CORS headers for localhost
+            res.setHeader('Access-Control-Allow-Origin', '*');
+            res.setHeader('Content-Type', 'text/html; charset=utf-8');
+            if (pathname === '/callback' && req.method === 'GET') {
+                const returnedState = url.searchParams.get('state');
+                const key = url.searchParams.get('key');
+                if (returnedState !== state) {
+                    res.writeHead(403);
+                    res.end('<h1>Invalid state — possible CSRF attack</h1>');
+                    return;
+                }
+                if (!key) {
+                    res.writeHead(400);
+                    res.end('<h1>Missing API key</h1>');
+                    return;
+                }
+                res.writeHead(200);
+                res.end(SUCCESS_HTML);
+                if (!settled && callbackResolve) {
+                    settled = true;
+                    if (timer)
+                        clearTimeout(timer);
+                    callbackResolve({
+                        apiKey: key,
+                        state: returnedState,
+                        userId: url.searchParams.get('userId') ?? undefined,
+                        email: url.searchParams.get('email') ?? undefined,
+                        plan: url.searchParams.get('plan') ?? undefined,
+                    });
+                    // Close server after a short delay to finish sending the response
+                    setTimeout(() => server.close(), 500);
+                }
+                return;
+            }
+            if (pathname === '/cancel' && req.method === 'GET') {
+                res.writeHead(200);
+                res.end(CANCEL_HTML);
+                if (!settled && callbackReject) {
+                    settled = true;
+                    if (timer)
+                        clearTimeout(timer);
+                    callbackReject(new Error('Authorization cancelled by user'));
+                    setTimeout(() => server.close(), 500);
+                }
+                return;
+            }
+            // Any other request
+            res.writeHead(404);
+            res.end('Not found');
+        });
+        server.listen(0, '127.0.0.1', () => {
+            const addr = server.address();
+            if (!addr || typeof addr === 'string') {
+                rejectServer(new Error('Failed to start callback server'));
+                return;
+            }
+            resolveServer({
+                port: addr.port,
+                state,
+                waitForCallback() {
+                    return new Promise((resolve, reject) => {
+                        callbackResolve = resolve;
+                        callbackReject = reject;
+                        timer = setTimeout(() => {
+                            if (!settled) {
+                                settled = true;
+                                server.close();
+                                reject(new Error(`Authorization timed out after ${timeoutMs / 1000}s`));
+                            }
+                        }, timeoutMs);
+                    });
+                },
+                close() {
+                    if (timer)
+                        clearTimeout(timer);
+                    server.close();
+                },
+            });
+        });
+        server.on('error', (err) => {
+            rejectServer(err);
+        });
+    });
+}
+//# sourceMappingURL=callback-server.js.map

package/dist/cli/auth/callback-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback-server.js","sourceRoot":"","sources":["../../../src/cli/auth/callback-server.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,YAAY,EAAe,MAAM,WAAW,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAiB/B,MAAM,YAAY,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAwCb,CAAC;AAET,MAAM,WAAW,GAAG;;;;;;;;;;;;;;;;;;;;;;;;QAwBZ,CAAC;AAET,MAAM,UAAU,mBAAmB,CAAC,SAAS,GAAG,OAAO;IACrD,OAAO,IAAI,OAAO,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,EAAE;QACjD,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,eAAe,GAA8C,IAAI,CAAC;QACtE,IAAI,cAAc,GAAkC,IAAI,CAAC;QACzD,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,IAAI,KAAK,GAAyC,IAAI,CAAC;QAEvD,MAAM,MAAM,GAAW,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YAC/C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;YACxD,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;YAE9B,6BAA6B;YAC7B,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;YAClD,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;YAE1D,IAAI,QAAQ,KAAK,WAAW,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;gBACrD,MAAM,aAAa,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBACpD,MAAM,GAAG,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBAExC,IAAI,aAAa,KAAK,KAAK,EAAE,CAAC;oBAC5B,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;oBACnB,GAAG,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;oBACzD,OAAO;gBACT,CAAC;gBAED,IAAI,CAAC,GAAG,EAAE,CAAC;oBACT,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;oBACnB,GAAG,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;oBACpC,OAAO;gBACT,CAAC;gBAED,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACnB,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;gBAEtB,IAAI,CAAC,OAAO,IAAI,eAAe,EAAE,CAAC;oBAChC,OAAO,GAAG,IAAI,CAAC;oBACf,IAAI,KAAK;wBAAE,YAAY,CAAC,KAAK,CAAC,CAAC;oBAC/B,eAAe,CAAC;wBACd,MAAM,EAAE,GAAG;wBACX,KAAK,EAAE,aAAa;wBACpB,MAAM,EAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,SAAS;wBACnD,KAAK,EAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,SAAS;wBACjD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,SAAS;qBAChD,CAAC,CAAC;oBACH,kEAAkE;oBAClE,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,GAAG,CAAC,CAAC;gBACxC,CAAC;gBACD,OAAO;YACT,CAAC;YAED,IAAI,QAAQ,KAAK,SAAS,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;gBACnD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACnB,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBAErB,IAAI,CAAC,OAAO,IAAI,cAAc,EAAE,CAAC;oBAC/B,OAAO,GAAG,IAAI,CAAC;oBACf,IAAI,KAAK;wBAAE,YAAY,CAAC,KAAK,CAAC,CAAC;oBAC/B,cAAc,CAAC,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC,CAAC;oBAC7D,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,GAAG,CAAC,CAAC;gBACxC,CAAC;gBACD,OAAO;YACT,CAAC;YAED,oBAAoB;YACpB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnB,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACvB,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YACjC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;YAC9B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACtC,YAAY,CAAC,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC,CAAC;gBAC3D,OAAO;YACT,CAAC;YAED,aAAa,CAAC;gBACZ,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,KAAK;gBACL,eAAe;oBACb,OAAO,IAAI,OAAO,CAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;wBACrD,eAAe,GAAG,OAAO,CAAC;wBAC1B,cAAc,GAAG,MAAM,CAAC;wBAExB,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;4BACtB,IAAI,CAAC,OAAO,EAAE,CAAC;gCACb,OAAO,GAAG,IAAI,CAAC;gCACf,MAAM,CAAC,KAAK,EAAE,CAAC;gCACf,MAAM,CAAC,IAAI,KAAK,CAAC,iCAAiC,SAAS,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC;4BAC1E,CAAC;wBACH,CAAC,EAAE,SAAS,CAAC,CAAC;oBAChB,CAAC,CAAC,CAAC;gBACL,CAAC;gBACD,KAAK;oBACH,IAAI,KAAK;wBAAE,YAAY,CAAC,KAAK,CAAC,CAAC;oBAC/B,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,CAAC;aACF,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,YAAY,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/cli/auth/feature-gate.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Feature gating based on subscription plan.
+ * Checks whether a feature is available for the user's current plan.
+ */
+import type { ConfigStore } from '../config/store.js';
+export type Feature = 'cloud_sync' | 'team_sessions' | 'advanced_spiral' | 'priority_support';
+export declare function isFeatureAvailable(store: ConfigStore, feature: Feature): boolean;
+export declare function requireFeature(store: ConfigStore, feature: Feature): void;
+export declare class FeatureGateError extends Error {
+    readonly feature: Feature;
+    readonly requiredPlan: string;
+    constructor(feature: Feature, requiredPlan: string);
+}
+/**
+ * Refresh plan info from the web platform.
+ * Updates cached plan in config. Returns the plan string or null on failure.
+ */
+export declare function refreshPlanInfo(store: ConfigStore): Promise<string | null>;
+//# sourceMappingURL=feature-gate.d.ts.map

package/dist/cli/auth/feature-gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"feature-gate.d.ts","sourceRoot":"","sources":["../../../src/cli/auth/feature-gate.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEtD,MAAM,MAAM,OAAO,GACf,YAAY,GACZ,eAAe,GACf,iBAAiB,GACjB,kBAAkB,CAAC;AAmBvB,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAIhF;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI,CAKzE;AAED,qBAAa,gBAAiB,SAAQ,KAAK;aAEvB,OAAO,EAAE,OAAO;aAChB,YAAY,EAAE,MAAM;gBADpB,OAAO,EAAE,OAAO,EAChB,YAAY,EAAE,MAAM;CAQvC;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAwChF"}

package/dist/cli/auth/feature-gate.js

@@ -0,0 +1,74 @@
+// Web enricher is FREE for all — it's the core intelligence of HelixMind.
+// Gated features are cloud/team/enterprise add-ons.
+const PLAN_HIERARCHY = {
+    FREE: 0,
+    PRO: 1,
+    TEAM: 2,
+    ENTERPRISE: 3,
+};
+const FEATURE_MIN_PLAN = {
+    cloud_sync: 'PRO',
+    advanced_spiral: 'PRO',
+    team_sessions: 'TEAM',
+    priority_support: 'PRO',
+};
+export function isFeatureAvailable(store, feature) {
+    const plan = store.get('relay.plan') ?? 'FREE';
+    const minPlan = FEATURE_MIN_PLAN[feature];
+    return (PLAN_HIERARCHY[plan] ?? 0) >= (PLAN_HIERARCHY[minPlan] ?? 0);
+}
+export function requireFeature(store, feature) {
+    if (!isFeatureAvailable(store, feature)) {
+        const minPlan = FEATURE_MIN_PLAN[feature];
+        throw new FeatureGateError(feature, minPlan);
+    }
+}
+export class FeatureGateError extends Error {
+    feature;
+    requiredPlan;
+    constructor(feature, requiredPlan) {
+        super(`Feature "${feature}" requires ${requiredPlan} plan or higher. ` +
+            'Run `helixmind login` to authenticate or upgrade at your dashboard.');
+        this.feature = feature;
+        this.requiredPlan = requiredPlan;
+        this.name = 'FeatureGateError';
+    }
+}
+/**
+ * Refresh plan info from the web platform.
+ * Updates cached plan in config. Returns the plan string or null on failure.
+ */
+export async function refreshPlanInfo(store) {
+    const auth = store.getAuthInfo();
+    if (!auth?.apiKey || !auth.url)
+        return null;
+    try {
+        const url = auth.url.replace(/\/+$/, '');
+        const res = await fetch(`${url}/api/auth/cli/verify`, {
+            headers: { Authorization: `Bearer ${auth.apiKey}` },
+            signal: AbortSignal.timeout(5000),
+        });
+        if (!res.ok) {
+            // Key might be revoked/expired
+            if (res.status === 401) {
+                store.set('relay.plan', 'FREE');
+            }
+            return null;
+        }
+        const data = (await res.json());
+        if (data.plan) {
+            store.set('relay.plan', data.plan);
+        }
+        if (data.email) {
+            store.set('relay.userEmail', data.email);
+        }
+        if (data.userId) {
+            store.set('relay.userId', data.userId);
+        }
+        return data.plan ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=feature-gate.js.map

package/dist/cli/auth/feature-gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"feature-gate.js","sourceRoot":"","sources":["../../../src/cli/auth/feature-gate.ts"],"names":[],"mappings":"AAYA,0EAA0E;AAC1E,oDAAoD;AAEpD,MAAM,cAAc,GAA2B;IAC7C,IAAI,EAAE,CAAC;IACP,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;IACP,UAAU,EAAE,CAAC;CACd,CAAC;AAEF,MAAM,gBAAgB,GAA4B;IAChD,UAAU,EAAE,KAAK;IACjB,eAAe,EAAE,KAAK;IACtB,aAAa,EAAE,MAAM;IACrB,gBAAgB,EAAE,KAAK;CACxB,CAAC;AAEF,MAAM,UAAU,kBAAkB,CAAC,KAAkB,EAAE,OAAgB;IACrE,MAAM,IAAI,GAAI,KAAK,CAAC,GAAG,CAAC,YAAY,CAAwB,IAAI,MAAM,CAAC;IACvE,MAAM,OAAO,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAC1C,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,KAAkB,EAAE,OAAgB;IACjE,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC;QACxC,MAAM,OAAO,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,IAAI,gBAAgB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC/C,CAAC;AACH,CAAC;AAED,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAEvB;IACA;IAFlB,YACkB,OAAgB,EAChB,YAAoB;QAEpC,KAAK,CACH,YAAY,OAAO,cAAc,YAAY,mBAAmB;YAChE,qEAAqE,CACtE,CAAC;QANc,YAAO,GAAP,OAAO,CAAS;QAChB,iBAAY,GAAZ,YAAY,CAAQ;QAMpC,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,KAAkB;IACtD,MAAM,IAAI,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IACjC,IAAI,CAAC,IAAI,EAAE,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAE5C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACzC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,sBAAsB,EAAE;YACpD,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,EAAE,EAAE;YACnD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,+BAA+B;YAC/B,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvB,KAAK,CAAC,GAAG,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;YAClC,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAK7B,CAAC;QAEF,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,KAAK,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,KAAK,CAAC,GAAG,CAAC,iBAAiB,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3C,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,KAAK,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;QAED,OAAO,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/cli/auth/guard.d.ts

@@ -0,0 +1,10 @@
+import { ConfigStore } from '../config/store.js';
+/**
+ * Check if user is logged in. If not, run login flow.
+ * Returns the ConfigStore (always authenticated after this call).
+ * Exits process if login fails/cancelled.
+ *
+ * Commands that are exempt from auth: login, logout, whoami, --help, --version
+ */
+export declare function requireAuth(): Promise<ConfigStore>;
+//# sourceMappingURL=guard.d.ts.map

package/dist/cli/auth/guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../../src/cli/auth/guard.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAGjD;;;;;;GAMG;AACH,wBAAsB,WAAW,IAAI,OAAO,CAAC,WAAW,CAAC,CA8BxD"}

package/dist/cli/auth/guard.js

@@ -0,0 +1,46 @@
+/**
+ * Auth guard — ensures user is logged in before using any CLI command.
+ *
+ * After first login, credentials are cached locally in ~/.helixmind/config.json.
+ * Works offline with cached auth. When online, token validity is checked
+ * in the background (non-blocking).
+ */
+import chalk from 'chalk';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { ConfigStore } from '../config/store.js';
+import { theme } from '../ui/theme.js';
+/**
+ * Check if user is logged in. If not, run login flow.
+ * Returns the ConfigStore (always authenticated after this call).
+ * Exits process if login fails/cancelled.
+ *
+ * Commands that are exempt from auth: login, logout, whoami, --help, --version
+ */
+export async function requireAuth() {
+    const configDir = join(homedir(), '.helixmind');
+    const store = new ConfigStore(configDir);
+    if (store.isLoggedIn()) {
+        // Already authenticated (cached locally). Verify in background when online.
+        import('../auth/feature-gate.js')
+            .then(({ refreshPlanInfo }) => refreshPlanInfo(store))
+            .catch(() => { });
+        return store;
+    }
+    // Not logged in — show gate and start login flow
+    process.stdout.write('\n');
+    process.stdout.write(chalk.dim('  \u256D\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256E') + '\n');
+    process.stdout.write(chalk.dim('  \u2502  ') + theme.primary('\uD83D\uDD10 Login required') + chalk.dim('                                \u2502') + '\n');
+    process.stdout.write(chalk.dim('  \u2502  ') + 'HelixMind requires a free account to use.'.padEnd(46) + chalk.dim('  \u2502') + '\n');
+    process.stdout.write(chalk.dim('  \u2502  ') + chalk.dim('One-time setup \u2014 works offline afterwards.'.padEnd(46)) + chalk.dim('  \u2502') + '\n');
+    process.stdout.write(chalk.dim('  \u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256F') + '\n\n');
+    const { loginFlow } = await import('../auth/login.js');
+    const loggedIn = await loginFlow(store, {});
+    if (!loggedIn) {
+        process.stdout.write(chalk.red('\n  Login required to use HelixMind.\n'));
+        process.stdout.write(chalk.dim('  Run `helixmind login` to try again.\n\n'));
+        process.exit(1);
+    }
+    return store;
+}
+//# sourceMappingURL=guard.js.map

package/dist/cli/auth/guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard.js","sourceRoot":"","sources":["../../../src/cli/auth/guard.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,KAAK,EAAE,MAAM,gBAAgB,CAAC;AAEvC;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,YAAY,CAAC,CAAC;IAChD,MAAM,KAAK,GAAG,IAAI,WAAW,CAAC,SAAS,CAAC,CAAC;IAEzC,IAAI,KAAK,CAAC,UAAU,EAAE,EAAE,CAAC;QACvB,4EAA4E;QAC5E,MAAM,CAAC,yBAAyB,CAAC;aAC9B,IAAI,CAAC,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;aACrD,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACnB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,iDAAiD;IACjD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC3B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,4TAA4T,CAAC,GAAG,IAAI,CAAC,CAAC;IACrW,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,6BAA6B,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,wCAAwC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC1J,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,2CAA2C,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,CAAC;IACtI,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,iDAAiD,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,CAAC;IACvJ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,4TAA4T,CAAC,GAAG,MAAM,CAAC,CAAC;IAEvW,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAE5C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC,CAAC;QAC1E,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC,CAAC;QAC7E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/cli/auth/login.d.ts

@@ -0,0 +1,22 @@
+import { ConfigStore } from '../config/store.js';
+export interface LoginOptions {
+    apiKey?: string;
+    url?: string;
+    force?: boolean;
+}
+export interface AuthStatus {
+    loggedIn: boolean;
+    email?: string;
+    plan?: string;
+    userId?: string;
+    webappUrl?: string;
+}
+/**
+ * Full login flow: check existing auth, then either manual key or browser flow.
+ */
+export declare function loginFlow(store: ConfigStore, options: LoginOptions): Promise<boolean>;
+/**
+ * Check if the stored API key is still valid. Returns auth status.
+ */
+export declare function checkAuthStatus(store: ConfigStore): Promise<AuthStatus>;
+//# sourceMappingURL=login.d.ts.map

package/dist/cli/auth/login.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../../src/cli/auth/login.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAKjD,MAAM,WAAW,YAAY;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,wBAAsB,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,CAyB3F;AA+HD;;GAEG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CAwC7E"}

package/dist/cli/auth/login.js

@@ -0,0 +1,194 @@
+/**
+ * CLI login orchestrator — browser-based callback flow.
+ * Opens the webapp in the browser, waits for the user to authorize,
+ * then stores the API key in the local config.
+ */
+import { platform, hostname, release } from 'node:os';
+import { exec } from 'node:child_process';
+import chalk from 'chalk';
+import { theme } from '../ui/theme.js';
+import { ConfigStore } from '../config/store.js';
+import { startCallbackServer } from './callback-server.js';
+const DEFAULT_WEBAPP_URL = 'https://helix-mind.ai';
+/**
+ * Full login flow: check existing auth, then either manual key or browser flow.
+ */
+export async function loginFlow(store, options) {
+    const webappUrl = (options.url ?? store.get('relay.url') ?? DEFAULT_WEBAPP_URL).replace(/\/+$/, '');
+    // Check if already logged in (unless --force)
+    if (!options.force && store.isLoggedIn()) {
+        const status = await checkAuthStatus(store);
+        if (status.loggedIn) {
+            process.stdout.write('\n');
+            process.stdout.write(chalk.dim('\u256D\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256E') + '\n');
+            process.stdout.write(chalk.dim('\u2502  ') + theme.primary('\u{1F517} Already logged in') + chalk.dim('                        \u2502') + '\n');
+            process.stdout.write(chalk.dim('\u2502  ') + `Account: ${status.email ?? 'unknown'}`.padEnd(46) + chalk.dim('\u2502') + '\n');
+            process.stdout.write(chalk.dim('\u2502  ') + `Plan: ${status.plan ?? 'FREE'}`.padEnd(46) + chalk.dim('\u2502') + '\n');
+            process.stdout.write(chalk.dim('\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256F') + '\n');
+            process.stdout.write(chalk.dim('  Use --force to re-authenticate.\n\n'));
+            return true;
+        }
+    }
+    // Manual key entry (--api-key flag)
+    if (options.apiKey) {
+        return manualKeyLogin(store, options.apiKey, webappUrl);
+    }
+    // Browser callback flow
+    return browserLogin(store, webappUrl);
+}
+async function manualKeyLogin(store, apiKey, webappUrl) {
+    if (!apiKey.startsWith('hm_')) {
+        process.stdout.write(chalk.red('  Invalid API key format. Keys start with "hm_".\n'));
+        return false;
+    }
+    process.stdout.write(chalk.dim('  Validating API key...\n'));
+    try {
+        const res = await fetch(`${webappUrl}/api/auth/cli/verify`, {
+            headers: { Authorization: `Bearer ${apiKey}` },
+            signal: AbortSignal.timeout(10_000),
+        });
+        if (!res.ok) {
+            process.stdout.write(chalk.red('  Invalid or expired API key.\n'));
+            return false;
+        }
+        const data = (await res.json());
+        store.set('relay.apiKey', apiKey);
+        store.set('relay.url', webappUrl);
+        if (data.email)
+            store.set('relay.userEmail', data.email);
+        if (data.plan)
+            store.set('relay.plan', data.plan);
+        if (data.userId)
+            store.set('relay.userId', data.userId);
+        store.set('relay.loginAt', new Date().toISOString());
+        store.set('relay.autoConnect', true);
+        showSuccessBox(data.email, data.plan, apiKey);
+        return true;
+    }
+    catch (err) {
+        process.stdout.write(chalk.red(`  Could not reach ${webappUrl}. Check your connection.\n`));
+        return false;
+    }
+}
+async function browserLogin(store, webappUrl) {
+    process.stdout.write('\n');
+    process.stdout.write(theme.primary('  \u{1F300} HelixMind Login\n'));
+    process.stdout.write(chalk.dim('  Opening browser for authorization...\n\n'));
+    let server;
+    try {
+        server = await startCallbackServer();
+    }
+    catch (err) {
+        process.stdout.write(chalk.red('  Failed to start local callback server.\n'));
+        return false;
+    }
+    const deviceName = hostname();
+    const deviceOs = `${platform()} ${release()}`;
+    const authUrl = `${webappUrl}/auth/cli` +
+        `?callback_port=${server.port}` +
+        `&state=${server.state}` +
+        `&device_name=${encodeURIComponent(deviceName)}` +
+        `&device_os=${encodeURIComponent(deviceOs)}`;
+    // Open browser
+    const opened = await openBrowser(authUrl);
+    if (!opened) {
+        process.stdout.write(chalk.yellow('  Could not open browser automatically.\n'));
+        process.stdout.write(chalk.dim('  Open this URL manually:\n\n'));
+        process.stdout.write(`  ${theme.primary(authUrl)}\n\n`);
+    }
+    process.stdout.write(chalk.dim('  Waiting for authorization in browser... (timeout: 120s)\n'));
+    process.stdout.write(chalk.dim('  Press Ctrl+C to cancel.\n\n'));
+    try {
+        const result = await server.waitForCallback();
+        // Store auth data
+        store.set('relay.apiKey', result.apiKey);
+        store.set('relay.url', webappUrl);
+        if (result.email)
+            store.set('relay.userEmail', result.email);
+        if (result.plan)
+            store.set('relay.plan', result.plan);
+        if (result.userId)
+            store.set('relay.userId', result.userId);
+        store.set('relay.loginAt', new Date().toISOString());
+        store.set('relay.autoConnect', true);
+        showSuccessBox(result.email, result.plan, result.apiKey);
+        return true;
+    }
+    catch (err) {
+        server.close();
+        const msg = err instanceof Error ? err.message : String(err);
+        if (msg.includes('cancelled')) {
+            process.stdout.write(chalk.yellow('  Authorization cancelled.\n\n'));
+        }
+        else if (msg.includes('timed out')) {
+            process.stdout.write(chalk.yellow('  Authorization timed out.\n'));
+            process.stdout.write(chalk.dim('  Try: helixmind login --api-key <key>\n\n'));
+        }
+        else {
+            process.stdout.write(chalk.red(`  Login failed: ${msg}\n\n`));
+        }
+        return false;
+    }
+}
+function showSuccessBox(email, plan, apiKey) {
+    const masked = apiKey ? ConfigStore.maskKey(apiKey) : '***';
+    process.stdout.write('\n');
+    process.stdout.write(chalk.dim('\u256D\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256E') + '\n');
+    process.stdout.write(chalk.dim('\u2502  ') + chalk.green('\u2713 HelixMind \u2014 Logged In') + chalk.dim('                       \u2502') + '\n');
+    process.stdout.write(chalk.dim('\u2502  ') + `Account: ${email ?? 'connected'}`.padEnd(46) + chalk.dim('\u2502') + '\n');
+    process.stdout.write(chalk.dim('\u2502  ') + `Plan:    ${plan ?? 'FREE'}`.padEnd(46) + chalk.dim('\u2502') + '\n');
+    process.stdout.write(chalk.dim('\u2502  ') + `API Key: ${masked}`.padEnd(46) + chalk.dim('\u2502') + '\n');
+    process.stdout.write(chalk.dim('\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256F') + '\n\n');
+}
+function openBrowser(url) {
+    return new Promise((resolve) => {
+        const plat = platform();
+        const cmd = plat === 'win32' ? `start "" "${url}"`
+            : plat === 'darwin' ? `open "${url}"`
+                : `xdg-open "${url}"`;
+        exec(cmd, (err) => resolve(!err));
+    });
+}
+/**
+ * Check if the stored API key is still valid. Returns auth status.
+ */
+export async function checkAuthStatus(store) {
+    const auth = store.getAuthInfo();
+    if (!auth?.apiKey || !auth.url) {
+        return { loggedIn: false };
+    }
+    try {
+        const url = auth.url.replace(/\/+$/, '');
+        const res = await fetch(`${url}/api/auth/cli/verify`, {
+            headers: { Authorization: `Bearer ${auth.apiKey}` },
+            signal: AbortSignal.timeout(5000),
+        });
+        if (!res.ok) {
+            return { loggedIn: false, webappUrl: auth.url };
+        }
+        const data = (await res.json());
+        // Update cached values
+        if (data.email)
+            store.set('relay.userEmail', data.email);
+        if (data.plan)
+            store.set('relay.plan', data.plan);
+        return {
+            loggedIn: true,
+            email: data.email ?? auth.email,
+            plan: data.plan ?? auth.plan,
+            userId: data.userId ?? auth.userId,
+            webappUrl: auth.url,
+        };
+    }
+    catch {
+        // Network error — use cached data
+        return {
+            loggedIn: true,
+            email: auth.email,
+            plan: auth.plan,
+            userId: auth.userId,
+            webappUrl: auth.url,
+        };
+    }
+}
+//# sourceMappingURL=login.js.map