incremnt 0.1.2 → 0.1.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "incremnt",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Command-line tool for querying your incremnt strength training data",
   "license": "MIT",
   "type": "module",

package/src/contract.js

@@ -8,15 +8,85 @@ export const capabilities = {
   remoteBootstrap: true
 };
 
+// Single source of truth for all read commands.
+// Drives: officialCommands, readCommands, help text, and the contract JSON schema.
+// When adding a command: add one entry here — everything else updates automatically.
+export const commandSchema = [
+  {
+    command: 'sessions list',
+    id: 'session-insights',
+    description: 'List recent sessions',
+    options: [
+      { name: 'limit', type: 'number', required: false, description: 'Max sessions to return (default: 10)' }
+    ]
+  },
+  {
+    command: 'sessions show',
+    id: 'session-show',
+    description: 'Show session details',
+    usage: 'sessions show --id <session-id>',
+    options: [
+      { name: 'id', type: 'string', required: true, description: 'Session ID' }
+    ]
+  },
+  {
+    command: 'sessions compare',
+    id: 'planned-vs-actual',
+    description: 'Compare planned vs actual',
+    usage: 'sessions compare --session-id <session-id>',
+    options: [
+      { name: 'session-id', type: 'string', required: true, description: 'Session ID' }
+    ]
+  },
+  {
+    command: 'sessions explain',
+    id: 'why-did-this-change',
+    description: 'Explain session context',
+    usage: 'sessions explain --session-id <session-id>',
+    options: [
+      { name: 'session-id', type: 'string', required: true, description: 'Session ID' }
+    ]
+  },
+  {
+    command: 'programs list',
+    id: 'program-list',
+    description: 'List all programs',
+    options: []
+  },
+  {
+    command: 'programs current',
+    id: 'program-summary',
+    description: 'Show active program',
+    options: []
+  },
+  {
+    command: 'programs show',
+    id: 'program-detail',
+    description: 'Show program with all exercises',
+    usage: 'programs show --id <program-id>',
+    options: [
+      { name: 'id', type: 'string', required: false, description: 'Program ID (defaults to active program)' }
+    ]
+  },
+  {
+    command: 'exercises history',
+    id: 'exercise-history',
+    description: 'Exercise history',
+    usage: 'exercises history --name <exercise-name>',
+    options: [
+      { name: 'name', type: 'string', required: true, description: 'Exercise name' }
+    ]
+  },
+  {
+    command: 'records',
+    id: 'records',
+    description: 'Personal records',
+    options: []
+  }
+];
+
 export const officialCommands = [
-  'sessions list',
-  'sessions show --id <session-id>',
-  'sessions compare --session-id <session-id>',
-  'sessions explain --session-id <session-id>',
-  'programs list',
-  'programs current',
-  'exercises history --name <exercise-name>',
-  'records',
+  ...commandSchema.map((c) => c.usage ?? c.command),
   'status',
   'contract',
   'login',
@@ -28,13 +98,4 @@ export const officialCommands = [
   'logout'
 ];
 
-export const readCommands = new Set([
-  'session-insights',
-  'session-show',
-  'exercise-history',
-  'records',
-  'program-list',
-  'program-summary',
-  'planned-vs-actual',
-  'why-did-this-change'
-]);
+export const readCommands = new Set(commandSchema.map((c) => c.id));

package/src/format.js

@@ -1,4 +1,5 @@
 import chalk from 'chalk';
+import { commandSchema } from './contract.js';
 
 const shortMonths = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
 const shortDays = ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'];
@@ -212,6 +213,57 @@ function formatProgramList(payload) {
   return lines.join('\n');
 }
 
+function formatProgramDetail(payload) {
+  if (!payload) {
+    return 'Program not found.';
+  }
+
+  const dot = payload.isActive ? chalk.green('\u25cf') : chalk.dim('\u25cb');
+  const lines = [` ${dot} ${chalk.bold(payload.programName)}${dimDot()}${chalk.dim(`Week ${payload.currentWeek}`)}`, ''];
+
+  if (payload.trainingWeekdays?.length > 0) {
+    const dayNames = ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'];
+    const schedule = payload.trainingWeekdays.map((d) => dayNames[d] ?? d).join(', ');
+    lines.push(keyValue('Schedule', schedule));
+    lines.push('');
+  }
+
+  for (const day of payload.days ?? []) {
+    lines.push(` ${chalk.bold(`Day ${day.dayIndex + 1}`)}${dimDot()}${chalk.bold(day.title ?? 'Untitled')}`);
+
+    if (day.exercises.length === 0) {
+      lines.push(`   ${chalk.dim('No exercises')}`);
+    }
+
+    for (const exercise of day.exercises) {
+      const setCount = exercise.sets.length;
+      const weights = [...new Set(exercise.sets.map((s) => s.weight).filter((w) => w != null))];
+      const reps = [...new Set(exercise.sets.map((s) => s.reps).filter((r) => r != null))];
+
+      let setStr = `${setCount} sets`;
+      if (reps.length === 1) {
+        setStr = `${setCount}\u00d7${reps[0]}`;
+      } else if (reps.length > 1) {
+        setStr = `${setCount}\u00d7${reps.join('/')}`;
+      }
+
+      const weightStr = weights.length === 1
+        ? `@ ${weights[0]} kg`
+        : weights.length > 1
+          ? `@ ${Math.min(...weights)}-${Math.max(...weights)} kg`
+          : '';
+
+      const muscle = exercise.muscleGroup ? chalk.dim(` (${exercise.muscleGroup})`) : '';
+      lines.push(`   ${exercise.name}${muscle}${dimDot()}${chalk.dim([setStr, weightStr].filter(Boolean).join(' '))}`);
+    }
+
+    lines.push('');
+  }
+
+  if (lines.at(-1) === '') lines.pop();
+  return lines.join('\n');
+}
+
 function formatPlannedVsActual(payload) {
   if (!payload) {
     return 'No comparison data found.';
@@ -326,17 +378,11 @@ export function formatHelp() {
     `   incremnt <command> [options]`,
     '',
     header('COMMANDS'),
-    cmd('sessions list', 'List recent sessions'),
-    cmd('sessions show --id <id>', 'Show session details'),
-    cmd('sessions compare --id <id>', 'Compare planned vs actual'),
-    cmd('sessions explain --id <id>', 'Explain session context'),
-    cmd('programs list', 'List all programs'),
-    cmd('programs current', 'Show active program'),
-    cmd('exercises history --name <name>', 'Exercise history'),
-    cmd('records', 'Personal records'),
+    ...commandSchema.map((c) => cmd(c.usage ?? c.command, c.description)),
     '',
     header('AUTH'),
-    cmd('login --base-url <url>', 'Sign in (device flow)'),
+    cmd('login', 'Sign in (opens browser)'),
+    cmd('login --base-url <url>', 'Sign in to a specific server'),
     cmd('login --base-url <url> --token <t>', 'Sign in with token'),
     cmd('login --snapshot <file>', 'Use local snapshot'),
     cmd('login --session-file <file>', 'Import session file'),
@@ -365,6 +411,7 @@ export function formatPretty(command, payload) {
     'exercise-history': formatExerciseHistory,
     'program-summary': formatProgramSummary,
     'program-list': formatProgramList,
+    'program-detail': formatProgramDetail,
     'planned-vs-actual': formatPlannedVsActual,
     'why-did-this-change': formatWhyDidThisChange
   }[command];

package/src/lib.js

@@ -1,6 +1,6 @@
 import fs from 'node:fs/promises';
 import { spawn } from 'node:child_process';
-import { capabilities, contractVersion, officialCommands, readCommands } from './contract.js';
+import { capabilities, commandSchema, contractVersion, officialCommands, readCommands } from './contract.js';
 import {
   bootstrapSessionFromRemoteBaseUrl,
   bootstrapSessionFromRemoteBaseUrlWithDeviceFlow,
@@ -53,13 +53,7 @@ function parseArgs(argv) {
 export async function runCli(argv, stdout, stderr) {
   const { command, options } = parseArgs(argv);
   const normalizedCommand = ({
-    'sessions list': 'session-insights',
-    'sessions show': 'session-show',
-    'programs list': 'program-list',
-    'programs current': 'program-summary',
-    'exercises history': 'exercise-history',
-    'sessions compare': 'planned-vs-actual',
-    'sessions explain': 'why-did-this-change',
+    ...Object.fromEntries(commandSchema.map((c) => [c.command, c.id])),
     insights: 'session-insights',
     history: 'exercise-history',
     prs: 'records',
@@ -114,7 +108,8 @@ export async function runCli(argv, stdout, stderr) {
       contractVersion,
       binary: 'incremnt',
       capabilities,
-      officialCommands
+      officialCommands,
+      schema: commandSchema
     }, null, 2)}\n`);
     return 0;
   }
@@ -135,6 +130,37 @@ export async function runCli(argv, stdout, stderr) {
   }
 
   if (normalizedCommand === 'login') {
+    if (options.snapshot) {
+      try {
+        const result = await bootstrapSessionFromSnapshot(options.snapshot);
+        stdout.write(`${JSON.stringify({
+          ok: true,
+          sessionPath: result.path,
+          account: result.session.account,
+          transport: result.session.transport
+        }, null, 2)}\n`);
+        return 0;
+      } catch (error) {
+        stderr.write(`${error.message}\n`);
+        return 1;
+      }
+    }
+
+    if (options['session-file']) {
+      try {
+        const result = await importSessionFile(options['session-file']);
+        stdout.write(`${JSON.stringify({
+          ok: true,
+          sessionPath: result.path,
+          account: result.session.account
+        }, null, 2)}\n`);
+        return 0;
+      } catch (error) {
+        stderr.write(`${error.message}\n`);
+        return 1;
+      }
+    }
+
     const loginBaseUrl = resolveLoginBaseUrl(options, sessionState);
 
     if (loginBaseUrl) {
@@ -228,49 +254,28 @@ export async function runCli(argv, stdout, stderr) {
       }
     }
 
-    if (options.snapshot) {
-      try {
-        const result = await bootstrapSessionFromSnapshot(options.snapshot);
-        stdout.write(`${JSON.stringify({
-          ok: true,
-          sessionPath: result.path,
-          account: result.session.account,
-          transport: result.session.transport
-        }, null, 2)}\n`);
-        return 0;
-      } catch (error) {
-        stderr.write(`${error.message}\n`);
-        return 1;
-      }
-    }
-
-    if (options['session-file']) {
-      try {
-        const result = await importSessionFile(options['session-file']);
-        stdout.write(`${JSON.stringify({
-          ok: true,
-          sessionPath: result.path,
-          account: result.session.account
-        }, null, 2)}\n`);
-        return 0;
-      } catch (error) {
-        stderr.write(`${error.message}\n`);
-        return 1;
-      }
-    }
-
-    stderr.write('Pass --base-url, --snapshot, or --session-file to login, or set INCREMNT_BASE_URL.\n');
+    // loginBaseUrl always resolves (falls back to DEFAULT_BASE_URL) so this is unreachable
+    // unless INCREMNT_BASE_URL is explicitly set to empty string to disable the default
+    stderr.write('Pass --snapshot or --session-file, or run incremnt login to sign in.\n');
     return 1;
   }
 
+  const wantJson = options.json || !(stdout.isTTY ?? false);
+  const explicitJson = Boolean(options.json);
+
   if (!readCommands.has(normalizedCommand)) {
-    stderr.write(`Unknown command: ${command}\n`);
+    const message = `Unknown command: ${command}`;
+    if (explicitJson) {
+      stdout.write(`${JSON.stringify({ error: message, code: 'UNKNOWN_COMMAND' }, null, 2)}\n`);
+    } else {
+      stderr.write(`${message}\n`);
+    }
+
     return 1;
   }
 
   try {
     const payload = await transport.executeReadCommand(normalizedCommand, options);
-    const wantJson = options.json || !(stdout.isTTY ?? false);
     if (wantJson) {
       stdout.write(`${JSON.stringify(payload, null, 2)}\n`);
     } else {
@@ -280,16 +285,24 @@ export async function runCli(argv, stdout, stderr) {
 
     return 0;
   } catch (error) {
-    stderr.write(`${error.message}\n`);
+    if (explicitJson) {
+      stdout.write(`${JSON.stringify({ error: error.message, code: error.code ?? null }, null, 2)}\n`);
+    } else {
+      stderr.write(`${error.message}\n`);
+    }
+
     return 1;
   }
 }
 
+const DEFAULT_BASE_URL = 'https://incremnt-sync.onrender.com';
+
 function resolveLoginBaseUrl(options, sessionState) {
-  return options['base-url']
-    ?? process.env.INCREMNT_BASE_URL
-    ?? sessionState.session?.transport?.baseUrl
-    ?? null;
+  if (options['base-url']) return options['base-url'];
+  // If INCREMNT_BASE_URL is explicitly set (even to empty string), respect it — empty = no URL
+  if ('INCREMNT_BASE_URL' in process.env) return process.env.INCREMNT_BASE_URL || null;
+  if (sessionState.session?.transport?.baseUrl) return sessionState.session.transport.baseUrl;
+  return DEFAULT_BASE_URL;
 }
 
 async function maybeOpenBrowser(url) {

package/src/queries.js

@@ -101,6 +101,7 @@ export function exerciseHistory(snapshot, exerciseName) {
           muscleGroup: exercise.muscleGroup,
           weight: set.weight,
           reps: set.reps,
+          estimatedOneRM: Number(set.weight) * (1 + Number(set.reps) / 30),
           rir: exercise.rir ?? null,
           recommendation: session.recommendations?.[exercise.name] ?? null,
           historicalContext: session.historicalContext ?? null
@@ -200,7 +201,19 @@ export function findSession(snapshot, sessionId) {
 
 export function sessionDetails(snapshot, sessionId) {
   const session = findSession(snapshot, sessionId);
-  return session ? sessionSummary(session) : null;
+  if (!session) return null;
+
+  const summary = sessionSummary(session);
+  summary.exercises = (session.exercises ?? []).map((exercise) => ({
+    name: exercise.name,
+    muscleGroup: exercise.muscleGroup ?? null,
+    sets: (exercise.sets ?? []).filter((s) => s.isComplete).map((s) => ({
+      weight: s.weight ?? null,
+      reps: s.reps ?? null,
+      rpe: s.rpe ?? null
+    }))
+  }));
+  return summary;
 }
 
 export function plannedVsActual(snapshot, sessionId) {
@@ -252,6 +265,37 @@ export function whyDidThisChange(snapshot, sessionId) {
   };
 }
 
+export function programDetail(snapshot, programId) {
+  const programs = snapshot.programs ?? [];
+  const program = programId
+    ? programs.find((p) => p.id === programId)
+    : programs.find((p) => p.id === snapshot.activeProgramId) ?? programs[0];
+
+  if (!program) return null;
+
+  return {
+    programId: program.id,
+    programName: program.name,
+    isActive: program.id === snapshot.activeProgramId,
+    currentWeek: Number(program.completedCyclesCount ?? 0) + 1,
+    currentDayIndex: program.currentDayIndex ?? 0,
+    trainingWeekdays: program.trainingWeekdays ?? [],
+    completedCyclesCount: program.completedCyclesCount ?? 0,
+    days: (program.days ?? []).map((day, index) => ({
+      dayIndex: index,
+      title: day.title ?? null,
+      exercises: (day.exercises ?? []).map((exercise) => ({
+        name: exercise.name,
+        muscleGroup: exercise.muscleGroup ?? null,
+        sets: (exercise.sets ?? []).map((set) => ({
+          reps: set.reps ?? null,
+          weight: set.weight ?? null
+        }))
+      }))
+    }))
+  };
+}
+
 function requiredOption(options, primaryKey, legacyKey = null) {
   return options[primaryKey] ?? (legacyKey ? options[legacyKey] : undefined);
 }
@@ -303,6 +347,16 @@ export function executeReadCommand(snapshot, normalizedCommand, options = {}) {
     return { ok: true, payload: programSummary(snapshot) };
   }
 
+  if (normalizedCommand === 'program-detail') {
+    const programId = requiredOption(options, 'id');
+    const payload = programDetail(snapshot, programId ?? null);
+    if (!payload) {
+      return { ok: false, error: programId ? `Program not found: ${programId}` : 'No programs found' };
+    }
+
+    return { ok: true, payload };
+  }
+
   if (normalizedCommand === 'planned-vs-actual') {
     const sessionId = requiredOption(options, 'session-id');
     if (!sessionId) {

package/src/sync-service.js

@@ -1,4 +1,4 @@
-import { timingSafeEqual } from 'node:crypto';
+import { createHash, randomUUID, timingSafeEqual } from 'node:crypto';
 import { capabilities as cliCapabilities, contractVersion, officialCommands } from './contract.js';
 import { executeReadCommand } from './queries.js';
 
@@ -13,6 +13,8 @@ const DEFAULT_RATE_LIMIT_RULES = {
   'google-callback': 20,
   'apple-start': 20,
   'apple-callback': 20,
+  'web-auth-start': 20,
+  'web-auth-callback': 20,
   'session-login': 60,
   'session-refresh': 30
 };
@@ -54,10 +56,10 @@ function internalError(response, error) {
 
 function constantTimeEqual(a, b) {
   if (!a || !b) return false;
-  const bufA = Buffer.from(a);
-  const bufB = Buffer.from(b);
-  if (bufA.length !== bufB.length) return false;
-  return timingSafeEqual(bufA, bufB);
+  // Hash both values to fixed length to avoid leaking length information
+  const hashA = createHash('sha256').update(a).digest();
+  const hashB = createHash('sha256').update(b).digest();
+  return timingSafeEqual(hashA, hashB);
 }
 
 function bearerToken(request) {
@@ -88,6 +90,17 @@ function createRateLimiter({
   const mergedRules = { ...DEFAULT_RATE_LIMIT_RULES, ...rules };
   const buckets = new Map();
 
+  // Periodically evict expired buckets to prevent memory leak
+  const cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [key, bucket] of buckets) {
+      if (bucket.resetAt <= now) {
+        buckets.delete(key);
+      }
+    }
+  }, 5 * 60_000);
+  if (cleanupInterval.unref) cleanupInterval.unref();
+
   return {
     check(request, command) {
       const limit = mergedRules[command];
@@ -166,6 +179,10 @@ function routeRequest(url) {
     return { command: 'apple-callback', options: {} };
   }
 
+  if (pathname === '/auth/web/start') {
+    return { command: 'web-auth-start', options: {} };
+  }
+
   if (pathname === '/admin/bootstrap-user') {
     return { command: 'admin-bootstrap-user', options: {} };
   }
@@ -195,6 +212,11 @@ function routeRequest(url) {
     return { command: 'program-summary', options: {} };
   }
 
+  const programShowMatch = pathname.match(/^\/cli\/programs\/([^/]+)$/);
+  if (programShowMatch) {
+    return { command: 'program-detail', options: { id: programShowMatch[1] } };
+  }
+
   if (pathname === '/cli/exercises/history') {
     return {
       command: 'exercise-history',
@@ -558,14 +580,38 @@ export function createSyncServiceRequestHandler({
     configured: false
   },
   buildGoogleAuthUrl = null,
+  buildAppleWebAuthUrl = null,
+  buildGoogleWebAuthUrl = null,
+  completeAppleWebAuth = null,
+  completeGoogleWebAuth = null,
   refreshSession,
   allowManualDeviceApproval = false,
-  rateLimitConfig = null
+  rateLimitConfig = null,
+  corsOrigins = []
 }) {
   const rateLimiter = createRateLimiter(rateLimitConfig ?? {});
 
   return async function handle(request, response) {
     try {
+      // Security headers on all responses
+      response.setHeader('X-Content-Type-Options', 'nosniff');
+      response.setHeader('X-Frame-Options', 'DENY');
+      response.setHeader('Cache-Control', 'no-store');
+
+      const origin = request.headers.origin ?? '';
+      const corsAllowed = corsOrigins.length > 0 && corsOrigins.includes(origin);
+      if (corsAllowed) {
+        response.setHeader('Access-Control-Allow-Origin', origin);
+        response.setHeader('Access-Control-Allow-Headers', 'Authorization, Content-Type');
+        response.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, OPTIONS');
+      }
+
+      if (request.method === 'OPTIONS') {
+        response.writeHead(corsAllowed ? 204 : 404);
+        response.end();
+        return;
+      }
+
       const url = new URL(request.url ?? '/', `http://${request.headers.host ?? '127.0.0.1'}`);
       const route = routeRequest(url);
       if (!route) {
@@ -755,11 +801,6 @@ export function createSyncServiceRequestHandler({
           return;
         }
 
-        if (!googleAuth?.configured || !completeGoogleDeviceApproval) {
-          methodNotAllowed(response, 'Google auth is not enabled for this service mode.');
-          return;
-        }
-
         const code = url.searchParams.get('code') ?? '';
         const state = url.searchParams.get('state') ?? '';
         if (!code || !state) {
@@ -767,6 +808,42 @@ export function createSyncServiceRequestHandler({
           return;
         }
 
+        let parsedState;
+        try {
+          parsedState = JSON.parse(state);
+        } catch {
+          badRequest(response, 'Invalid state parameter.');
+          return;
+        }
+
+        if (parsedState?.flow === 'web') {
+          if (!completeGoogleWebAuth) {
+            methodNotAllowed(response, 'Web auth is not enabled for this service mode.');
+            return;
+          }
+
+          try {
+            const result = await completeGoogleWebAuth({ code, state });
+            const returnUrl = new URL(result.returnUrl);
+            returnUrl.hash = `token=${result.session.accessToken}&expires=${result.session.expiresAt}`;
+            response.writeHead(302, { location: returnUrl.toString() });
+            response.end();
+            return;
+          } catch (error) {
+            html(response, 400, deviceApprovalPage({
+              title: 'Login failed',
+              message: error.message,
+              isError: true
+            }));
+            return;
+          }
+        }
+
+        if (!googleAuth?.configured || !completeGoogleDeviceApproval) {
+          methodNotAllowed(response, 'Google auth is not enabled for this service mode.');
+          return;
+        }
+
         try {
           const result = await completeGoogleDeviceApproval({ code, state });
           html(response, 200, deviceApprovalSuccessPage({
@@ -818,11 +895,6 @@ export function createSyncServiceRequestHandler({
           return;
         }
 
-        if (!appleAuth?.configured || !completeAppleDeviceApproval) {
-          methodNotAllowed(response, 'Apple auth is not enabled for this service mode.');
-          return;
-        }
-
         let code = url.searchParams.get('code') ?? '';
         let state = url.searchParams.get('state') ?? '';
         if (request.method === 'POST') {
@@ -836,6 +908,42 @@ export function createSyncServiceRequestHandler({
           return;
         }
 
+        let parsedState;
+        try {
+          parsedState = JSON.parse(state);
+        } catch {
+          badRequest(response, 'Invalid state parameter.');
+          return;
+        }
+
+        if (parsedState?.flow === 'web') {
+          if (!completeAppleWebAuth) {
+            methodNotAllowed(response, 'Web auth is not enabled for this service mode.');
+            return;
+          }
+
+          try {
+            const result = await completeAppleWebAuth({ code, state });
+            const returnUrl = new URL(result.returnUrl);
+            returnUrl.hash = `token=${result.session.accessToken}&expires=${result.session.expiresAt}`;
+            response.writeHead(302, { location: returnUrl.toString() });
+            response.end();
+            return;
+          } catch (error) {
+            html(response, 400, deviceApprovalPage({
+              title: 'Login failed',
+              message: error.message,
+              isError: true
+            }));
+            return;
+          }
+        }
+
+        if (!appleAuth?.configured || !completeAppleDeviceApproval) {
+          methodNotAllowed(response, 'Apple auth is not enabled for this service mode.');
+          return;
+        }
+
         try {
           const result = await completeAppleDeviceApproval({ code, state });
           html(response, 200, deviceApprovalSuccessPage({
@@ -859,6 +967,63 @@ export function createSyncServiceRequestHandler({
         }
       }
 
+      if (route.command === 'web-auth-start') {
+        if (request.method !== 'GET') {
+          methodNotAllowed(response, 'Use GET for /auth/web/start.');
+          return;
+        }
+
+        const provider = url.searchParams.get('provider') ?? '';
+        const returnUrl = url.searchParams.get('returnUrl') ?? '';
+        if (!provider || !returnUrl) {
+          badRequest(response, 'provider and returnUrl are required.');
+          return;
+        }
+
+        if (provider !== 'apple' && provider !== 'google') {
+          badRequest(response, 'provider must be apple or google.');
+          return;
+        }
+
+        // Validate returnUrl against allowed CORS origins to prevent open redirect token theft.
+        // Fail closed: if no origins are configured, reject web auth entirely.
+        try {
+          const parsedReturnUrl = new URL(returnUrl);
+          const returnOrigin = parsedReturnUrl.origin;
+          if (corsOrigins.length === 0 || !corsOrigins.includes(returnOrigin)) {
+            badRequest(response, 'returnUrl origin is not in the allowed origins list.');
+            return;
+          }
+        } catch {
+          badRequest(response, 'returnUrl must be a valid URL.');
+          return;
+        }
+
+        const nonce = randomUUID();
+
+        if (provider === 'apple') {
+          if (!buildAppleWebAuthUrl || !appleAuth?.configured) {
+            methodNotAllowed(response, 'Apple web auth is not enabled for this service mode.');
+            return;
+          }
+          const authUrl = buildAppleWebAuthUrl(appleAuth, { nonce, returnUrl });
+          response.writeHead(302, { location: authUrl });
+          response.end();
+          return;
+        }
+
+        if (provider === 'google') {
+          if (!buildGoogleWebAuthUrl || !googleAuth?.configured) {
+            methodNotAllowed(response, 'Google web auth is not enabled for this service mode.');
+            return;
+          }
+          const authUrl = buildGoogleWebAuthUrl(googleAuth, { nonce, returnUrl });
+          response.writeHead(302, { location: authUrl });
+          response.end();
+          return;
+        }
+      }
+
       if (route.command === 'device-approve') {
         if (!approveDeviceChallenge) {
           methodNotAllowed(response, 'Device approval is not enabled for this service mode.');