osborn 0.8.12 → 0.8.13

package/dist/claude-auth.js

@@ -74,6 +74,26 @@ function resolveClaudePath() {
 // Constants
 // ─────────────────────────────────────────
 const CREDENTIALS_PATH = join(homedir(), '.claude', '.credentials.json');
+/**
+ * Strip ALL ANSI escape sequences from a string — CSI (including private
+ * prefixes like `?`), OSC (both BEL and ST terminators), and lone ESC bytes.
+ *
+ * This is a superset of the common `/\x1B\[[0-9;]*[A-Za-z]/g` pattern, which
+ * misses private-prefix modes like `\x1B[?2026h` and string terminators like
+ * `\x1B\\`. Claude's Ink UI uses these extensively and they leak into error
+ * messages and URLs when we only strip the basic CSI form.
+ */
+function stripAnsi(text) {
+    return text
+        // Full CSI: ESC [ <intermediates 0x20–0x3F> <final 0x40–0x7E>
+        .replace(/\x1B\[[\x20-\x3F]*[\x40-\x7E]/g, '')
+        // OSC terminated by BEL (0x07) — ESC ] <content> BEL
+        .replace(/\x1B\][^\x07]*\x07/g, '')
+        // OSC terminated by ST (ESC \) — ESC ] <content> ESC \
+        .replace(/\x1B\][^\x1B]*\x1B\\/g, '')
+        // Any remaining lone ESC bytes (e.g. ESC \ string terminator used standalone)
+        .replace(/\x1B/g, '');
+}
 // URL matching: strip all whitespace first (like claudebox), then match
 // Handles Ink UI wrapping URLs across multiple lines
 const URL_REGEX = /https:\/\/claude\.(com|ai)\/cai\/oauth\/authorize[^\s]*/;
@@ -168,18 +188,20 @@ export async function checkClaudeAuthStatus() {
  * accepts.
  */
 function extractOAuthUrl(text) {
-    // Replace ANSI control sequences AND lone ESC bytes with a NUL sentinel.
-    // Why NUL and not a space: we need to strip all whitespace next (to
-    // unwrap URLs that Ink wrapped across terminal lines), and if we used
-    // a space it would be eaten by the whitespace strip — then text on
-    // either side of the control sequence would fuse into the URL. NUL
-    // survives the whitespace strip and acts as a hard boundary the
-    // tail-cut logic below can detect.
+    // Replace ALL ANSI control sequences with a NUL sentinel. NUL (not a
+    // space) because we strip all whitespace next to unwrap URLs that Ink
+    // split across terminal lines — a space would vanish and text on either
+    // side of a control sequence would fuse into the URL. NUL survives the
+    // strip and acts as a hard boundary the tail-cut below can detect.
+    //
+    // Uses the same patterns as stripAnsi() but replaces with SENTINEL
+    // instead of '' so boundaries are preserved.
     const SENTINEL = '\x00';
     const noAnsi = text
-        .replace(/\x1B\[[0-9;]*[A-Za-z]/g, SENTINEL)
-        .replace(/\x1B\][^\x07]*\x07/g, SENTINEL)
-        .replace(/\x1B/g, SENTINEL);
+        .replace(/\x1B\[[\x20-\x3F]*[\x40-\x7E]/g, SENTINEL) // Full CSI (incl. private-prefix ?/</>/=)
+        .replace(/\x1B\][^\x07]*\x07/g, SENTINEL) // OSC terminated by BEL
+        .replace(/\x1B\][^\x1B]*\x1B\\/g, SENTINEL) // OSC terminated by ST (ESC \)
+        .replace(/\x1B/g, SENTINEL); // Lone ESC bytes
     // Strip all whitespace (claudebox pattern: strings.Join(strings.Fields(pane), ""))
     // to unwrap URLs split across terminal lines. NUL sentinels survive.
     const stripped = noAnsi.replace(/\s+/g, '');
@@ -223,7 +245,23 @@ export function runClaudeAuthFlow(callbacks) {
     const handle = {
         submitCode: (code) => {
             if (procRef) {
-                const trimmed = code.trim();
+                let trimmed = code.trim();
+                // User may paste the full callback URL instead of just the code:
+                //   http://localhost:38719/callback?code=ZIgFd5nApQMR7...&state=TSLp6...
+                // Extract the bare `code` value so the CLI accepts it.
+                if (trimmed.startsWith('http://') || trimmed.startsWith('https://')) {
+                    try {
+                        const u = new URL(trimmed);
+                        const extracted = u.searchParams.get('code');
+                        if (extracted) {
+                            console.log(`🔑 Extracted code from pasted callback URL (${extracted.length} chars)`);
+                            trimmed = extracted;
+                        }
+                    }
+                    catch {
+                        // Not a valid URL, use as-is
+                    }
+                }
                 console.log(`🔑 Submitting auth code to Claude CLI (${trimmed.length} chars)`);
                 // Ink reads raw keypresses. Write in chunks to simulate typing.
                 const CHUNK_SIZE = 10;
@@ -274,7 +312,7 @@ export function runClaudeAuthFlow(callbacks) {
             }
         }, AUTH_TIMEOUT_MS);
         proc.onData((data) => {
-            const clean = data.replace(/\x1B\[[0-9;]*[A-Za-z]/g, '')
+            const clean = stripAnsi(data)
                 .replace(/\x1B\][^\x07]*\x07/g, '');
             fullBuffer += clean;
             recentBuffer += clean;
@@ -332,7 +370,7 @@ export function runClaudeAuthFlow(callbacks) {
             }
             // Detect errors
             if (/OAuth error|Invalid code|expired/i.test(recentBuffer)) {
-                const errMsg = recentBuffer.replace(/\x1B\[[0-9;]*[A-Za-z]/g, '').trim().substring(0, 200);
+                const errMsg = stripAnsi(recentBuffer).trim().substring(0, 200);
                 console.log('⚠️ Claude auth error:', errMsg);
                 callbacks.onError(errMsg);
                 recentBuffer = '';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "osborn",
-  "version": "0.8.12",
+  "version": "0.8.13",
   "description": "Voice AI coding assistant - local agent that connects to Osborn frontend",
   "type": "module",
   "bin": {