kojee-mcp 0.5.7 → 0.5.8

package/dist/{chunk-64EOLZNI.js → chunk-65KRRDHP.js}

@@ -15,11 +15,17 @@ function defaultCodexHooksPath() {
   return path.join(kojeeHomeDir(), ".codex", "hooks.json");
 }
 var CODEX_STOP_HOOK_COMMAND = "npx -y kojee-mcp hook --type=codex-stop";
+function codexArgsLiteral(token, url) {
+  if (token && url) {
+    return `["-y", "kojee-mcp", "--token", "${escapeTomlString(token)}", "--url", "${escapeTomlString(url)}"]`;
+  }
+  return '["-y", "kojee-mcp"]';
+}
 function buildCodexMcpServerTable(opts) {
   return [
     "[mcp_servers.kojee]",
     'command = "npx"',
-    'args = ["-y", "kojee-mcp"]',
+    `args = ${codexArgsLiteral(opts.token, opts.url)}`,
     "",
     "[mcp_servers.kojee.env]",
     'KOJEE_RUNTIME = "codex"',
@@ -50,7 +56,14 @@ function writeCodexConfig(inputs) {
     toml = fs.readFileSync(configPath, "utf8");
   } catch {
   }
-  toml = upsertKojeeTomlTables(toml, inputs.webhookUrl, inputs.webhookSecret, inputs.signatureEnv ?? []);
+  toml = upsertKojeeTomlTables(
+    toml,
+    inputs.webhookUrl,
+    inputs.webhookSecret,
+    inputs.signatureEnv ?? [],
+    inputs.token,
+    inputs.url
+  );
   writeFile600(configPath, toml);
   const hooks = readJson(hooksPath);
   hooks.hooks ??= {};
@@ -95,20 +108,22 @@ function removeCodexConfig(opts = {}) {
   }
   return result;
 }
-function upsertKojeeTomlTables(existing, webhookUrl, webhookSecret, signatureEnv = []) {
+function upsertKojeeTomlTables(existing, webhookUrl, webhookSecret, signatureEnv = [], token, url) {
   const parsed = extractKojeeBlock(existing);
   if (!parsed) {
     const block = buildCodexMcpServerTable({
       webhookUrl,
       webhookSecret,
-      ...signatureEnv.length > 0 ? { signatureEnv } : {}
+      ...signatureEnv.length > 0 ? { signatureEnv } : {},
+      ...token ? { token } : {},
+      ...url ? { url } : {}
     });
     const base2 = existing.replace(/\s*$/, "");
     return base2.length === 0 ? block + "\n" : base2 + "\n\n" + block + "\n";
   }
   const tableKeys = upsertKeyLines(parsed.tableKeys, [
     ["command", '"npx"'],
-    ["args", '["-y", "kojee-mcp"]']
+    ["args", codexArgsLiteral(token, url)]
   ]);
   const envKeys = upsertKeyLines(parsed.envKeys, [
     ["KOJEE_RUNTIME", '"codex"'],

package/dist/chunk-CH32ELFX.js

@@ -0,0 +1,68 @@
+import {
+  secureDir,
+  secureFile
+} from "./chunk-BLEGIR35.js";
+
+// src/auth/keystore.ts
+import { importJWK, exportJWK, generateKeyPair } from "jose";
+import crypto from "crypto";
+import fs from "fs";
+import os from "os";
+import path from "path";
+var DEFAULT_PATH = path.join(os.homedir(), ".kojee", "keypair.json");
+function defaultPairedKeystorePath() {
+  return path.join(os.homedir(), ".kojee", "keypair.json");
+}
+function deriveKeystorePath(token) {
+  const hash = crypto.createHash("sha256").update(token).digest("hex").slice(0, 12);
+  return path.join(os.homedir(), ".kojee", `keypair-${hash}.json`);
+}
+async function loadKeystore(keystorePath = DEFAULT_PATH, expectedBrokerUrl) {
+  if (!fs.existsSync(keystorePath)) {
+    return null;
+  }
+  const raw = fs.readFileSync(keystorePath, "utf-8");
+  const data = JSON.parse(raw);
+  if (expectedBrokerUrl && data.broker_url !== expectedBrokerUrl) {
+    return null;
+  }
+  const privateKey = await importJWK(data.private_key_jwk, "ES256");
+  return {
+    privateKey,
+    publicJwk: data.public_jwk,
+    kid: data.kid,
+    data
+  };
+}
+async function saveKeystore(privateKey, publicJwk, kid, brokerUrl, keystorePath = DEFAULT_PATH) {
+  const dir = path.dirname(keystorePath);
+  fs.mkdirSync(dir, { recursive: true, mode: 448 });
+  secureDir(dir);
+  const privateJwk = await exportJWK(privateKey);
+  const data = {
+    private_key_jwk: privateJwk,
+    kid,
+    broker_url: brokerUrl,
+    public_jwk: publicJwk,
+    enrolled_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  fs.writeFileSync(keystorePath, JSON.stringify(data, null, 2), {
+    mode: 384
+  });
+  secureFile(keystorePath);
+}
+async function generateES256KeyPair() {
+  const { privateKey, publicKey } = await generateKeyPair("ES256");
+  const publicJwk = await exportJWK(publicKey);
+  publicJwk.kty = "EC";
+  publicJwk.crv = "P-256";
+  return { privateKey, publicJwk };
+}
+
+export {
+  defaultPairedKeystorePath,
+  deriveKeystorePath,
+  loadKeystore,
+  saveKeystore,
+  generateES256KeyPair
+};

package/dist/{chunk-3XDJOHMZ.js → chunk-HSR3GXCL.js}

@@ -7,69 +7,9 @@ import {
   translateJsonRpcError,
   translateNetworkError
 } from "./chunk-LDZXU3DW.js";
-import {
-  secureDir,
-  secureFile
-} from "./chunk-BLEGIR35.js";
-
-// src/auth/keystore.ts
-import { importJWK, exportJWK, generateKeyPair } from "jose";
-import crypto from "crypto";
-import fs from "fs";
-import os from "os";
-import path from "path";
-var DEFAULT_PATH = path.join(os.homedir(), ".kojee", "keypair.json");
-function defaultPairedKeystorePath() {
-  return path.join(os.homedir(), ".kojee", "keypair.json");
-}
-function deriveKeystorePath(token) {
-  const hash = crypto.createHash("sha256").update(token).digest("hex").slice(0, 12);
-  return path.join(os.homedir(), ".kojee", `keypair-${hash}.json`);
-}
-async function loadKeystore(keystorePath = DEFAULT_PATH, expectedBrokerUrl) {
-  if (!fs.existsSync(keystorePath)) {
-    return null;
-  }
-  const raw = fs.readFileSync(keystorePath, "utf-8");
-  const data = JSON.parse(raw);
-  if (expectedBrokerUrl && data.broker_url !== expectedBrokerUrl) {
-    return null;
-  }
-  const privateKey = await importJWK(data.private_key_jwk, "ES256");
-  return {
-    privateKey,
-    publicJwk: data.public_jwk,
-    kid: data.kid,
-    data
-  };
-}
-async function saveKeystore(privateKey, publicJwk, kid, brokerUrl, keystorePath = DEFAULT_PATH) {
-  const dir = path.dirname(keystorePath);
-  fs.mkdirSync(dir, { recursive: true, mode: 448 });
-  secureDir(dir);
-  const privateJwk = await exportJWK(privateKey);
-  const data = {
-    private_key_jwk: privateJwk,
-    kid,
-    broker_url: brokerUrl,
-    public_jwk: publicJwk,
-    enrolled_at: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  fs.writeFileSync(keystorePath, JSON.stringify(data, null, 2), {
-    mode: 384
-  });
-  secureFile(keystorePath);
-}
-async function generateES256KeyPair() {
-  const { privateKey, publicKey } = await generateKeyPair("ES256");
-  const publicJwk = await exportJWK(publicKey);
-  publicJwk.kty = "EC";
-  publicJwk.crv = "P-256";
-  return { privateKey, publicJwk };
-}
 
 // src/gateway-client.ts
-import crypto2 from "crypto";
+import crypto from "crypto";
 var GatewayClient = class {
   constructor(brokerUrl, token, privateKey, kid, sessionId) {
     this.brokerUrl = brokerUrl;
@@ -105,7 +45,7 @@ var GatewayClient = class {
    * session_id = sha256(token + "proxy").slice(0, 16)
    */
   static deriveSessionId(token) {
-    const hash = crypto2.createHash("sha256").update(token + "proxy").digest("hex");
+    const hash = crypto.createHash("sha256").update(token + "proxy").digest("hex");
     return hash.slice(0, 16);
   }
   /**
@@ -214,10 +154,5 @@ var GatewayClient = class {
 };
 
 export {
-  defaultPairedKeystorePath,
-  deriveKeystorePath,
-  loadKeystore,
-  saveKeystore,
-  generateES256KeyPair,
   GatewayClient
 };

package/dist/{chunk-GATXJ6UT.js → chunk-JWSIR6KV.js}

@@ -9,10 +9,10 @@ import {
 } from "./chunk-BJMASMKX.js";
 import {
   AuthModule
-} from "./chunk-6SK6ITFE.js";
+} from "./chunk-JXMVZEQ7.js";
 import {
   GatewayClient
-} from "./chunk-3XDJOHMZ.js";
+} from "./chunk-HSR3GXCL.js";
 import {
   startEventStream
 } from "./chunk-UEGQGXPY.js";

package/dist/{chunk-6SK6ITFE.js → chunk-JXMVZEQ7.js}

@@ -2,7 +2,7 @@ import {
   generateES256KeyPair,
   loadKeystore,
   saveKeystore
-} from "./chunk-3XDJOHMZ.js";
+} from "./chunk-CH32ELFX.js";
 
 // src/auth/auth-module.ts
 import { calculateJwkThumbprint } from "jose";

package/dist/chunk-OGHDTFAX.js

@@ -0,0 +1,50 @@
+import {
+  loadPairedConfig,
+  savePairedConfig
+} from "./chunk-YH27B6SW.js";
+import {
+  AuthModule
+} from "./chunk-JXMVZEQ7.js";
+
+// src/tandem/pair.ts
+import fs from "fs";
+async function runPair(opts) {
+  if (loadPairedConfig(opts.configPath) !== null) {
+    throw new Error(
+      `Already paired (config exists at ${opts.configPath}). To re-pair this slot, delete the config file first. For a second account, use --keystore-path /custom/keypair.json.`
+    );
+  }
+  try {
+    fs.unlinkSync(opts.keystorePath);
+  } catch {
+  }
+  const auth = new AuthModule(opts.code, opts.url, opts.keystorePath);
+  await auth.ensureEnrolled();
+  let principal_id;
+  let agent_id;
+  try {
+    const me = await fetch(`${opts.url}/api/v1/users/me/`, {
+      headers: { Authorization: `DPoP ${opts.code}` }
+    });
+    if (me.ok) {
+      const body = await me.json();
+      principal_id = body.principal_id;
+      agent_id = body.agent_id;
+    }
+  } catch {
+  }
+  const config = {
+    token: opts.code,
+    broker_url: opts.url,
+    paired_at: (/* @__PURE__ */ new Date()).toISOString(),
+    ...principal_id ? { principal_id } : {},
+    ...agent_id ? { agent_id } : {}
+  };
+  savePairedConfig(opts.configPath, config);
+  const who = principal_id && agent_id ? `${principal_id} (${agent_id})` : "(use kojee-mcp without args to start the proxy)";
+  return { message: `Paired as ${who}. Keypair: ${opts.keystorePath}. Config: ${opts.configPath}.` };
+}
+
+export {
+  runPair
+};

package/dist/cli.js

@@ -1,71 +1,30 @@
 #!/usr/bin/env node
+import {
+  runPair
+} from "./chunk-OGHDTFAX.js";
 import {
   VERSION,
   startProxy
-} from "./chunk-GATXJ6UT.js";
+} from "./chunk-JWSIR6KV.js";
 import "./chunk-X672ZN7V.js";
 import "./chunk-BJMASMKX.js";
 import {
-  loadPairedConfig,
-  pairedConfigPath,
-  savePairedConfig
+  pairedConfigPath
 } from "./chunk-YH27B6SW.js";
-import {
-  AuthModule
-} from "./chunk-6SK6ITFE.js";
+import "./chunk-JXMVZEQ7.js";
+import "./chunk-HSR3GXCL.js";
+import "./chunk-UEGQGXPY.js";
+import "./chunk-2MIISF2W.js";
 import {
   defaultPairedKeystorePath,
   deriveKeystorePath
-} from "./chunk-3XDJOHMZ.js";
-import "./chunk-UEGQGXPY.js";
-import "./chunk-2MIISF2W.js";
-import "./chunk-LDZXU3DW.js";
+} from "./chunk-CH32ELFX.js";
 import "./chunk-BLEGIR35.js";
+import "./chunk-LDZXU3DW.js";
 
 // src/cli.ts
 import { Command } from "commander";
 import path from "path";
-
-// src/tandem/pair.ts
-import fs from "fs";
-async function runPair(opts) {
-  if (loadPairedConfig(opts.configPath) !== null) {
-    throw new Error(
-      `Already paired (config exists at ${opts.configPath}). To re-pair this slot, delete the config file first. For a second account, use --keystore-path /custom/keypair.json.`
-    );
-  }
-  try {
-    fs.unlinkSync(opts.keystorePath);
-  } catch {
-  }
-  const auth = new AuthModule(opts.code, opts.url, opts.keystorePath);
-  await auth.ensureEnrolled();
-  let principal_id;
-  let agent_id;
-  try {
-    const me = await fetch(`${opts.url}/api/v1/users/me/`, {
-      headers: { Authorization: `DPoP ${opts.code}` }
-    });
-    if (me.ok) {
-      const body = await me.json();
-      principal_id = body.principal_id;
-      agent_id = body.agent_id;
-    }
-  } catch {
-  }
-  const config = {
-    token: opts.code,
-    broker_url: opts.url,
-    paired_at: (/* @__PURE__ */ new Date()).toISOString(),
-    ...principal_id ? { principal_id } : {},
-    ...agent_id ? { agent_id } : {}
-  };
-  savePairedConfig(opts.configPath, config);
-  const who = principal_id && agent_id ? `${principal_id} (${agent_id})` : "(use kojee-mcp without args to start the proxy)";
-  return { message: `Paired as ${who}. Keypair: ${opts.keystorePath}. Config: ${opts.configPath}.` };
-}
-
-// src/cli.ts
 var program = new Command().name("kojee-mcp").description(
   "Local MCP proxy for Kojee \u2014 handles DPoP auth, tool discovery, and governance transparently"
 ).version(VERSION).enablePositionalOptions();
@@ -83,11 +42,11 @@ program.command("pair <code>").description("Pair this machine against Kojee usin
 });
 program.command("hook").description("Run a kojee MCP hook script (called by Claude Code via ~/.claude/settings.json)").requiredOption("--type <type>", "Hook type: stop, user-prompt-submit, or codex-stop").action(async (opts) => {
   if (opts.type === "stop") {
-    const { runStopHook } = await import("./stop-hook-46BJD55B.js");
+    const { runStopHook } = await import("./stop-hook-SNPOFG4Q.js");
     await runStopHook();
     process.exit(0);
   } else if (opts.type === "user-prompt-submit") {
-    const { runUserPromptSubmitHook } = await import("./user-prompt-submit-hook-ZD2XKN7U.js");
+    const { runUserPromptSubmitHook } = await import("./user-prompt-submit-hook-J7XZSDST.js");
     await runUserPromptSubmitHook();
     process.exit(0);
   } else if (opts.type === "codex-stop") {
@@ -100,7 +59,7 @@ program.command("hook").description("Run a kojee MCP hook script (called by Clau
   }
 });
 program.command("install-hooks").description("Install kojee Stop + UserPromptSubmit hooks in ~/.claude/settings.json (idempotent)").option("--hooks-path <path>", "Override default ~/.claude/settings.json").option("--uninstall", "Remove kojee hook entries instead of installing them").action(async (opts) => {
-  const { installHooks, uninstallHooks } = await import("./install-WBIUVBZW.js");
+  const { installHooks, uninstallHooks } = await import("./install-LJY2CHKG.js");
   if (opts.uninstall) {
     const removed = uninstallHooks({ hooksPath: opts.hooksPath });
     console.error(removed ? "Removed kojee hook entries." : "No kojee hook entries found.");
@@ -117,7 +76,7 @@ Restart Claude Code for hooks to take effect.`
 program.command("send <tandem_id>").description(
   "Send a Tandem message using this machine's paired credentials (~/.kojee). Prints one JSON envelope to stdout: {ok, message_id, cursor, text} on success, {ok:false, error:<typed code>, message} on failure (exit 1)."
 ).requiredOption("--body <text>", "Message body (required)").option("--reply-to <message_id>", "Message id this send replies to").option("--kind <kind>", "Message kind: message | status (default: backend default)").action(async (tandemId, opts) => {
-  const { runSendCli } = await import("./send-cli-C2F4WTBN.js");
+  const { runSendCli } = await import("./send-cli-CN5EX7PO.js");
   const { exitCode, envelope } = await runSendCli({
     tandemId,
     body: opts.body,
@@ -128,7 +87,7 @@ program.command("send <tandem_id>").description(
   process.exit(exitCode);
 });
 program.command("tail <path>").description("Stream a file's contents and follow appends (portable replacement for `tail -F`)").action(async (filePath) => {
-  const { runTail } = await import("./tail-stream-VUZBYKXS.js");
+  const { runTail } = await import("./tail-stream-HDM7BZDZ.js");
   try {
     await runTail(filePath);
   } catch (err) {
@@ -137,13 +96,13 @@ program.command("tail <path>").description("Stream a file's contents and follow
   }
 });
 program.command("doctor").description("Diagnose the kojee wake path (proxy, hook-server, SSE stream, event log, Monitor) and print the exact wake recipe").action(async () => {
-  const { runDoctor } = await import("./doctor-QCQDFLEH.js");
+  const { runDoctor } = await import("./doctor-QRATEOFD.js");
   const code = await runDoctor();
   process.exit(code);
 });
 program.command("init").description(
   "Set up kojee for a runtime (claude-code | hermes | openclaw | codex). Interactive when stdin is a TTY; `--runtime <id>` for non-interactive/CI. Run after `kojee-mcp pair`."
-).option("--runtime <id>", "Target runtime: claude-code | hermes | openclaw | codex").option("--config-path <path>", "Override the runtime's MCP-config path").option("--hooks-path <path>", "Override the runtime's hooks-file path").option("--webhook-url <url>", "Webhook receiver URL (codex/hermes/openclaw)").option("--webhook-secret <secret>", "Webhook HMAC secret (generated if omitted)").option(
+).option("--runtime <id>", "Target runtime: claude-code | hermes | openclaw | codex").option("--config-path <path>", "Override the runtime's MCP-config path").option("--hooks-path <path>", "Override the runtime's hooks-file path").option("--token <token>", "Gateway token \u2014 token mode (writes --token/--url into the MCP config)").option("--url <url>", "Broker base URL (token mode / pair URL; default https://rosie-staging.kojee.net)").option("--pair-code <code>", "Pair code \u2014 runs the pair flow (writes ~/.kojee/config.json) before configuring").option("--webhook-url <url>", "Webhook receiver URL (codex/hermes/openclaw)").option("--webhook-secret <secret>", "Webhook HMAC secret (generated if omitted)").option(
   "--webhook-signature-format <preset>",
   'Signature preset: "github" = header X-Hub-Signature-256, value sha256=<hex> (default: bare hex in X-Kojee-Signature)'
 ).option(
@@ -153,43 +112,98 @@ program.command("init").description(
   "--webhook-signature-prefix <prefix>",
   "Literal string prepended to the hex digest (default empty; overrides the preset's prefix)"
 ).option("--uninstall", "Remove the kojee config for the chosen (or recorded) runtime").action(async (opts) => {
-  const { loadPairedConfig: loadPairedConfig2 } = await import("./paired-config-JTFLHMZ2.js");
-  if (loadPairedConfig2() === null && !opts.uninstall) {
-    console.error("Not paired. Run `kojee-mcp pair <code> --url <broker>` first, then re-run `init`.");
+  const interactive = process.stdin.isTTY === true && opts.runtime === void 0;
+  if (opts.pairCode && !opts.uninstall) {
+    const { runPair: runPair2 } = await import("./pair-P4ILCMT7.js");
+    const { pairedConfigPath: pairedConfigPath2 } = await import("./paired-config-JTFLHMZ2.js");
+    const { defaultPairedKeystorePath: defaultPairedKeystorePath2 } = await import("./keystore-XLEV3FL5.js");
+    const url = (opts.url ?? "https://rosie-staging.kojee.net").replace(/\/+$/, "");
+    try {
+      const r = await runPair2({
+        code: opts.pairCode,
+        url,
+        keystorePath: defaultPairedKeystorePath2(),
+        configPath: pairedConfigPath2()
+      });
+      console.error(r.message);
+    } catch (err) {
+      console.error("[kojee-mcp init] Pairing failed:", err.message);
+      process.exit(1);
+    }
+  }
+  const { loadPairedConfig } = await import("./paired-config-JTFLHMZ2.js");
+  const hasCredential = loadPairedConfig() !== null || opts.token !== void 0;
+  if (!hasCredential && !interactive && !opts.uninstall) {
+    console.error("Not paired. Run `kojee-mcp pair <code> --url <broker>` first, then re-run `init` \u2014 or pass --token/--pair-code, or run `init` in a terminal for the guided wizard.");
     process.exit(1);
   }
-  const { runWizard } = await import("./wizard-UOXQYJLP.js");
-  const interactive = process.stdin.isTTY === true && opts.runtime === void 0;
+  const { runWizard } = await import("./wizard-PLGHYCT3.js");
   const result = await runWizard({
     ...opts.runtime !== void 0 ? { runtime: opts.runtime } : {},
     ...opts.uninstall ? { uninstall: true } : {},
     ...opts.configPath ? { configPath: opts.configPath } : {},
     ...opts.hooksPath ? { hooksPath: opts.hooksPath } : {},
+    // Token-mode threading (token + url ⇒ --token/--url in the written config).
+    // Normalize the URL exactly like the proxy action does (strip trailing /).
+    ...opts.token ? { token: opts.token } : {},
+    ...opts.url ? { url: opts.url.replace(/\/+$/, "") } : {},
     ...opts.webhookUrl ? { webhookUrl: opts.webhookUrl } : {},
     ...opts.webhookSecret ? { webhookSecret: opts.webhookSecret } : {},
     ...opts.webhookSignatureFormat ? { webhookSignatureFormat: opts.webhookSignatureFormat } : {},
     ...opts.webhookSignatureHeader ? { webhookSignatureHeader: opts.webhookSignatureHeader } : {},
     ...opts.webhookSignaturePrefix !== void 0 ? { webhookSignaturePrefix: opts.webhookSignaturePrefix } : {},
     interactive,
-    ...interactive ? { promptRuntime: promptRuntimeFromTty } : {}
+    ...interactive ? {
+      promptRuntime: promptRuntimeFromTty,
+      promptUrl: promptUrlFromTty,
+      promptAuth: promptAuthFromTty,
+      promptToken: promptTokenFromTty,
+      promptPairCode: promptPairCodeFromTty,
+      promptWebhookUrl: promptWebhookUrlFromTty
+    } : {}
   });
   console.error(result.output);
   process.exit(result.exitCode);
 });
-async function promptRuntimeFromTty() {
-  const { RUNTIME_MENU } = await import("./runtimes-CO43XUUK.js");
+async function withReadline(fn) {
   const readline = await import("readline/promises");
   const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
   try {
+    return await fn((q) => rl.question(q));
+  } finally {
+    rl.close();
+  }
+}
+async function promptRuntimeFromTty() {
+  const { RUNTIME_MENU } = await import("./runtimes-CO43XUUK.js");
+  return withReadline(async (ask) => {
     const menu = RUNTIME_MENU.map((m) => `[${m.index}] ${m.runtime}`).join("  ");
-    const answer = (await rl.question(`Which runtime is this proxy for? ${menu}
+    const answer = (await ask(`Which runtime is this proxy for? ${menu}
 > `)).trim();
     const byIndex = RUNTIME_MENU.find((m) => String(m.index) === answer);
     if (byIndex) return byIndex.runtime;
     return answer;
-  } finally {
-    rl.close();
-  }
+  });
+}
+async function promptUrlFromTty(defaultUrl) {
+  return withReadline((ask) => ask(`Broker URL [${defaultUrl}]
+> `));
+}
+async function promptAuthFromTty() {
+  return withReadline(async (ask) => {
+    const answer = (await ask("Auth: [1] paste a token  [2] enter a pair code\n> ")).trim().toLowerCase();
+    if (answer === "2" || answer.startsWith("p")) return "pair";
+    return "token";
+  });
+}
+async function promptTokenFromTty() {
+  return withReadline((ask) => ask("Paste your gateway token:\n> "));
+}
+async function promptPairCodeFromTty() {
+  return withReadline((ask) => ask("Enter your pair code (from the dashboard):\n> "));
+}
+async function promptWebhookUrlFromTty() {
+  return withReadline((ask) => ask("Webhook receiver URL (press Enter to skip and set it up later):\n> "));
 }
 program.option("--token <token>", "Gateway token (for token-mode)").option("--url <url>", "Broker base URL (for token-mode; required if --token is passed)").option(
   "--keystore-path <path>",
@@ -207,8 +221,8 @@ program.option("--token <token>", "Gateway token (for token-mode)").option("--ur
     url = url.replace(/\/+$/, "");
     keystorePath ??= deriveKeystorePath(token);
   } else {
-    const { loadPairedConfig: loadPairedConfig2 } = await import("./paired-config-JTFLHMZ2.js");
-    const cfg = loadPairedConfig2();
+    const { loadPairedConfig } = await import("./paired-config-JTFLHMZ2.js");
+    const cfg = loadPairedConfig();
     if (!cfg) {
       console.error(
         "No --token provided and no ~/.kojee/config.json found. Run `kojee-mcp pair <code> --url <broker>` first."

package/dist/{doctor-QCQDFLEH.js → doctor-QRATEOFD.js}

@@ -2,6 +2,10 @@ import {
   monitorHeartbeatPath,
   statusLogPath
 } from "./chunk-2TUAFAIW.js";
+import {
+  discoveryPathForKey,
+  readSessionDiscoveryByKey
+} from "./chunk-DO42NPNR.js";
 import {
   loadControlToken
 } from "./chunk-GI2CKKBL.js";
@@ -16,10 +20,6 @@ import {
 import {
   loadPairedConfig
 } from "./chunk-YH27B6SW.js";
-import {
-  discoveryPathForKey,
-  readSessionDiscoveryByKey
-} from "./chunk-DO42NPNR.js";
 import "./chunk-BLEGIR35.js";
 
 // src/doctor.ts
@@ -233,7 +233,7 @@ function formatDoctorReport(report) {
 async function runDoctor() {
   const { readRecordedRuntime } = await import("./runtime-record-WO4IECM6.js");
   if (readRecordedRuntime() === "codex") {
-    const { collectCodexDoctorReport, formatCodexDoctorReport } = await import("./doctor-codex-NZ53ROQA.js");
+    const { collectCodexDoctorReport, formatCodexDoctorReport } = await import("./doctor-codex-SMROUYGV.js");
     const report2 = collectCodexDoctorReport();
     console.error(formatCodexDoctorReport(report2));
     return report2.verdict === "broken" ? 1 : 0;

package/dist/{doctor-codex-NZ53ROQA.js → doctor-codex-SMROUYGV.js}

@@ -1,7 +1,7 @@
 import {
   defaultCodexConfigPath,
   defaultCodexHooksPath
-} from "./chunk-64EOLZNI.js";
+} from "./chunk-65KRRDHP.js";
 import "./chunk-SQL56SEB.js";
 import {
   resolveWebhookConfig

package/dist/index.js

@@ -1,15 +1,16 @@
 import {
   listTandemIds,
   startProxy
-} from "./chunk-GATXJ6UT.js";
+} from "./chunk-JWSIR6KV.js";
 import "./chunk-X672ZN7V.js";
 import "./chunk-BJMASMKX.js";
-import "./chunk-6SK6ITFE.js";
-import "./chunk-3XDJOHMZ.js";
+import "./chunk-JXMVZEQ7.js";
+import "./chunk-HSR3GXCL.js";
 import "./chunk-UEGQGXPY.js";
 import "./chunk-2MIISF2W.js";
-import "./chunk-LDZXU3DW.js";
+import "./chunk-CH32ELFX.js";
 import "./chunk-BLEGIR35.js";
+import "./chunk-LDZXU3DW.js";
 export {
   listTandemIds,
   startProxy

package/dist/{install-WBIUVBZW.js → install-LJY2CHKG.js}

@@ -94,21 +94,28 @@ function uninstallHooks(opts = {}) {
   writeConfig(p, cfg);
   return removed;
 }
+function mcpServerArgs(opts) {
+  if (opts.token && opts.url) {
+    return [...MCP_SERVER_ARGS, "--token", opts.token, "--url", opts.url];
+  }
+  return [...MCP_SERVER_ARGS];
+}
 function installMcpServer(opts = {}) {
   const p = opts.configPath ?? defaultConfigPath();
   const cfg = readConfig(p);
   cfg.mcpServers ??= {};
+  const args = mcpServerArgs(opts);
   const existing = cfg.mcpServers["kojee"];
   if (existing) {
     const sameCommand = existing.command === MCP_SERVER_CMD;
-    const sameArgs = JSON.stringify(existing.args ?? []) === JSON.stringify(MCP_SERVER_ARGS);
+    const sameArgs = JSON.stringify(existing.args ?? []) === JSON.stringify(args);
     const sameEnv = JSON.stringify(existing.env ?? {}) === JSON.stringify(MCP_SERVER_ENV);
     if (sameCommand && sameArgs && sameEnv) return "already-installed";
     return "preserved-different";
   }
   cfg.mcpServers["kojee"] = {
     command: MCP_SERVER_CMD,
-    args: [...MCP_SERVER_ARGS],
+    args,
     env: { ...MCP_SERVER_ENV }
   };
   writeConfig(p, cfg);
@@ -135,7 +142,11 @@ function runInit(opts = {}) {
       reports.push({ kind: t.kind, path: t.path, ...t.hooksPath ? { hooksPath: t.hooksPath } : {}, mcpServer: "not-found" });
       continue;
     }
-    const mcpServer = installMcpServer({ configPath: t.path });
+    const mcpServer = installMcpServer({
+      configPath: t.path,
+      ...opts.token ? { token: opts.token } : {},
+      ...opts.url ? { url: opts.url } : {}
+    });
     let stopHook;
     let upsHook;
     if (t.kind === "cli") {

package/dist/keystore-XLEV3FL5.js

@@ -0,0 +1,15 @@
+import {
+  defaultPairedKeystorePath,
+  deriveKeystorePath,
+  generateES256KeyPair,
+  loadKeystore,
+  saveKeystore
+} from "./chunk-CH32ELFX.js";
+import "./chunk-BLEGIR35.js";
+export {
+  defaultPairedKeystorePath,
+  deriveKeystorePath,
+  generateES256KeyPair,
+  loadKeystore,
+  saveKeystore
+};

package/dist/lib.js

@@ -7,15 +7,10 @@ import {
 } from "./chunk-YH27B6SW.js";
 import {
   AuthModule
-} from "./chunk-6SK6ITFE.js";
+} from "./chunk-JXMVZEQ7.js";
 import {
-  GatewayClient,
-  defaultPairedKeystorePath,
-  deriveKeystorePath,
-  generateES256KeyPair,
-  loadKeystore,
-  saveKeystore
-} from "./chunk-3XDJOHMZ.js";
+  GatewayClient
+} from "./chunk-HSR3GXCL.js";
 import {
   normalizeBackendEvent,
   sanitizeDisplayname,
@@ -24,8 +19,15 @@ import {
 import {
   createDPoPProof
 } from "./chunk-2MIISF2W.js";
-import "./chunk-LDZXU3DW.js";
+import {
+  defaultPairedKeystorePath,
+  deriveKeystorePath,
+  generateES256KeyPair,
+  loadKeystore,
+  saveKeystore
+} from "./chunk-CH32ELFX.js";
 import "./chunk-BLEGIR35.js";
+import "./chunk-LDZXU3DW.js";
 export {
   AuthModule,
   GatewayClient,

package/dist/pair-P4ILCMT7.js

@@ -0,0 +1,10 @@
+import {
+  runPair
+} from "./chunk-OGHDTFAX.js";
+import "./chunk-YH27B6SW.js";
+import "./chunk-JXMVZEQ7.js";
+import "./chunk-CH32ELFX.js";
+import "./chunk-BLEGIR35.js";
+export {
+  runPair
+};

package/dist/{send-cli-C2F4WTBN.js → send-cli-CN5EX7PO.js}

@@ -2,17 +2,19 @@ import {
   loadPairedConfig
 } from "./chunk-YH27B6SW.js";
 import {
-  GatewayClient,
-  loadKeystore
-} from "./chunk-3XDJOHMZ.js";
+  GatewayClient
+} from "./chunk-HSR3GXCL.js";
 import "./chunk-2MIISF2W.js";
+import {
+  loadKeystore
+} from "./chunk-CH32ELFX.js";
+import "./chunk-BLEGIR35.js";
 import {
   executeSend,
   parseSendRequest,
   sendFailure
 } from "./chunk-HIZ4NDWN.js";
 import "./chunk-LDZXU3DW.js";
-import "./chunk-BLEGIR35.js";
 
 // src/tandem/send-cli.ts
 import os from "os";

package/dist/{wizard-UOXQYJLP.js → wizard-PLGHYCT3.js}

@@ -1,3 +1,9 @@
+import {
+  buildCodexMcpServerTable,
+  buildCodexStopHookBlock,
+  removeCodexConfig,
+  writeCodexConfig
+} from "./chunk-65KRRDHP.js";
 import {
   WIZARD_RUNTIMES,
   isWizardRuntime
@@ -7,12 +13,6 @@ import {
   readRecordedRuntime,
   recordRuntime
 } from "./chunk-EW72ZNQL.js";
-import {
-  buildCodexMcpServerTable,
-  buildCodexStopHookBlock,
-  removeCodexConfig,
-  writeCodexConfig
-} from "./chunk-64EOLZNI.js";
 import {
   kojeeHomeDir
 } from "./chunk-SQL56SEB.js";
@@ -32,6 +32,7 @@ import {
 import crypto from "crypto";
 import fs from "fs";
 import path from "path";
+var DEFAULT_BROKER_URL = "https://rosie-staging.kojee.net";
 function generateWebhookSecret() {
   return crypto.randomBytes(32).toString("hex");
 }
@@ -115,6 +116,49 @@ function writeRuntimeEnvFile(runtime, url, secret, signatureEnv = []) {
   return envPath;
 }
 var CODEX_UNVERIFIED_NOTE = "NOTE: live Codex verification (hook fires, MCP server connects, bounded listen works) has not been run on this build \u2014 confirm in a real Codex session. This is the owner morning step.";
+function runtimeUsesWebhook(runtime) {
+  return runtime === "codex" || runtime === "hermes" || runtime === "openclaw";
+}
+async function gatherGuidedInputs(runtime, opts) {
+  const preamble = [];
+  const next = { ...opts };
+  if (opts.promptUrl) {
+    const answered = (await opts.promptUrl(opts.url ?? DEFAULT_BROKER_URL)).trim();
+    next.url = (answered.length > 0 ? answered : opts.url ?? DEFAULT_BROKER_URL).replace(/\/+$/, "");
+  }
+  const brokerUrl = (next.url ?? DEFAULT_BROKER_URL).replace(/\/+$/, "");
+  if (opts.promptAuth) {
+    const mode = await opts.promptAuth();
+    if (mode === "token") {
+      const token = opts.promptToken ? (await opts.promptToken()).trim() : "";
+      if (!token) return { error: "No token entered. Re-run `kojee-mcp init` and paste a token, or choose pair mode." };
+      next.token = token;
+      next.url = brokerUrl;
+      preamble.push("Auth: token mode \u2014 the written MCP config will launch the proxy with --token/--url");
+      preamble.push("      (it enrolls its own per-token keystore on first boot).");
+    } else {
+      const code = opts.promptPairCode ? (await opts.promptPairCode()).trim() : "";
+      if (!code) return { error: "No pair code entered. Re-run `kojee-mcp init` and enter a pair code, or choose token mode." };
+      const pair = opts.runPair ?? (async (a) => {
+        const { runPair } = await import("./pair-P4ILCMT7.js");
+        const { pairedConfigPath } = await import("./paired-config-JTFLHMZ2.js");
+        const { defaultPairedKeystorePath } = await import("./keystore-XLEV3FL5.js");
+        return runPair({ code: a.code, url: a.url, keystorePath: defaultPairedKeystorePath(), configPath: pairedConfigPath() });
+      });
+      try {
+        const { message } = await pair({ code, url: brokerUrl });
+        preamble.push(`Auth: pair mode \u2014 ${message}`);
+      } catch (err) {
+        return { error: `Pairing failed: ${err.message}` };
+      }
+    }
+  }
+  if (runtimeUsesWebhook(runtime) && opts.promptWebhookUrl && opts.webhookUrl === void 0) {
+    const wh = (await opts.promptWebhookUrl()).trim();
+    if (wh.length > 0) next.webhookUrl = wh;
+  }
+  return { opts: next, preamble };
+}
 async function runWizard(opts) {
   const resolved = await resolveRuntime(opts);
   if ("error" in resolved) {
@@ -124,15 +168,44 @@ async function runWizard(opts) {
   if (opts.uninstall) {
     return runWizardUninstall(runtime, opts);
   }
-  if (runtime === "claude-code") return configureClaudeCode(opts);
-  if (runtime === "codex") return configureCodex(opts);
-  return configureWebhookDaemon(runtime, opts);
+  let effective = opts;
+  let preamble = [];
+  if (opts.interactive && (opts.promptUrl || opts.promptAuth || opts.promptWebhookUrl)) {
+    const gathered = await gatherGuidedInputs(runtime, opts);
+    if ("error" in gathered) {
+      return { runtime, output: gathered.error, exitCode: 2 };
+    }
+    effective = gathered.opts;
+    preamble = gathered.preamble;
+  }
+  const result = runtime === "claude-code" ? await configureClaudeCode(effective) : runtime === "codex" ? configureCodex(effective) : configureWebhookDaemon(runtime, effective);
+  if (preamble.length > 0 && result.exitCode === 0) {
+    return {
+      ...result,
+      output: [...preamble, "", result.output, "", whatHappensNext(runtime, effective)].join("\n")
+    };
+  }
+  return result;
+}
+function whatHappensNext(runtime, opts) {
+  const lines = ["What happens next:"];
+  lines.push("  - Restart your runtime so it picks up the new kojee config.");
+  if (opts.token) {
+    lines.push("  - First boot enrolls this token's own keystore (~/.kojee/keypair-<hash>.json).");
+  } else {
+    lines.push("  - The proxy uses your paired credentials (~/.kojee/config.json + keypair.json).");
+  }
+  lines.push("  - Verify with: kojee-mcp doctor");
+  return lines.join("\n");
 }
 async function configureClaudeCode(opts) {
-  const { runInit } = await import("./install-WBIUVBZW.js");
+  const { runInit } = await import("./install-LJY2CHKG.js");
   const report = runInit({
     ...opts.configPath ? { configPath: opts.configPath } : {},
-    ...opts.hooksPath ? { hooksPath: opts.hooksPath } : {}
+    ...opts.hooksPath ? { hooksPath: opts.hooksPath } : {},
+    // Token mode threads --token/--url into the written args (per-token
+    // keystore). Paired mode leaves both unset ⇒ args stay `["kojee-mcp"]`.
+    ...opts.token && opts.url ? { token: opts.token, url: opts.url } : {}
   });
   recordRuntime("claude-code");
   return { runtime: "claude-code", output: formatClaudeInit(report), exitCode: 0 };
@@ -180,12 +253,14 @@ function configureCodex(opts) {
   }
   const url = wh.url || "https://YOUR-CODEX-WEBHOOK-RECEIVER.local/kojee";
   const secret = wh.secret || generateWebhookSecret();
+  const tokenArgs = opts.token && opts.url ? { token: opts.token, url: opts.url } : {};
   writeCodexConfig({
     ...opts.configPath ? { configPath: opts.configPath } : {},
     ...opts.hooksPath ? { hooksPath: opts.hooksPath } : {},
     webhookUrl: url,
     webhookSecret: secret,
-    ...wh.signatureEnv.length > 0 ? { signatureEnv: wh.signatureEnv } : {}
+    ...wh.signatureEnv.length > 0 ? { signatureEnv: wh.signatureEnv } : {},
+    ...tokenArgs
   });
   recordRuntime("codex");
   const lines = [];
@@ -196,7 +271,11 @@ function configureCodex(opts) {
   lines.push(indent(buildCodexMcpServerTable({
     webhookUrl: url,
     webhookSecret: "<redacted>",
-    ...wh.signatureEnv.length > 0 ? { signatureEnv: wh.signatureEnv } : {}
+    ...wh.signatureEnv.length > 0 ? { signatureEnv: wh.signatureEnv } : {},
+    // Redact the gateway token in the human-readable printed copy (it ends up
+    // in result.output → cli.ts console.error). The WRITTEN config above keeps
+    // the real token; only this printed report is redacted, like webhookSecret.
+    ...tokenArgs.token ? { token: "<redacted>", url: tokenArgs.url } : {}
   })));
   if (wh.warning) lines.push(`webhook WARNING: ${wh.warning}`);
   lines.push("");
@@ -254,7 +333,7 @@ async function runWizardUninstall(runtime, opts) {
   const effective = opts.runtime !== void 0 ? runtime : readRecordedRuntime() ?? runtime;
   const lines = [`Uninstalling runtime: ${effective}`];
   if (effective === "claude-code") {
-    const { runUninstall } = await import("./install-WBIUVBZW.js");
+    const { runUninstall } = await import("./install-LJY2CHKG.js");
     const report = runUninstall({
       ...opts.configPath ? { configPath: opts.configPath } : {},
       ...opts.hooksPath ? { hooksPath: opts.hooksPath } : {}
@@ -295,6 +374,7 @@ function indent(s) {
 }
 export {
   CODEX_UNVERIFIED_NOTE,
+  DEFAULT_BROKER_URL,
   generateWebhookSecret,
   resolveRuntime,
   resolveWizardWebhook,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kojee-mcp",
-  "version": "0.5.7",
+  "version": "0.5.8",
   "type": "module",
   "main": "dist/index.js",
   "exports": {

package/dist/{stop-hook-46BJD55B.js → stop-hook-SNPOFG4Q.js}

@@ -5,6 +5,9 @@ import {
   monitorHeartbeatPath,
   nudgeSentinelPath
 } from "./chunk-2TUAFAIW.js";
+import {
+  readSessionDiscoveryByKey
+} from "./chunk-DO42NPNR.js";
 import {
   controlTokenAuthHeaders
 } from "./chunk-GI2CKKBL.js";
@@ -15,9 +18,6 @@ import {
   deriveDiscoveryKey,
   findClaudeAncestorPid
 } from "./chunk-BJMASMKX.js";
-import {
-  readSessionDiscoveryByKey
-} from "./chunk-DO42NPNR.js";
 import "./chunk-BLEGIR35.js";
 
 // src/hooks/stop-hook.ts

package/dist/{tail-stream-VUZBYKXS.js → tail-stream-HDM7BZDZ.js}

@@ -3,11 +3,11 @@ import {
   monitorHeartbeatPath,
   statusLogPath
 } from "./chunk-2TUAFAIW.js";
+import "./chunk-DO42NPNR.js";
 import {
   createAdaptiveWatchdog
 } from "./chunk-UEGQGXPY.js";
 import "./chunk-2MIISF2W.js";
-import "./chunk-DO42NPNR.js";
 import "./chunk-BLEGIR35.js";
 
 // src/tail-stream.ts

package/dist/{user-prompt-submit-hook-ZD2XKN7U.js → user-prompt-submit-hook-J7XZSDST.js}

@@ -1,6 +1,9 @@
 import {
   readHookStdin
 } from "./chunk-LSUB6QMP.js";
+import {
+  readSessionDiscoveryByKey
+} from "./chunk-DO42NPNR.js";
 import {
   controlTokenAuthHeaders
 } from "./chunk-GI2CKKBL.js";
@@ -8,9 +11,6 @@ import {
   deriveDiscoveryKey,
   findClaudeAncestorPid
 } from "./chunk-BJMASMKX.js";
-import {
-  readSessionDiscoveryByKey
-} from "./chunk-DO42NPNR.js";
 import "./chunk-BLEGIR35.js";
 
 // src/hooks/user-prompt-submit-hook.ts