osborn 0.8.9 → 0.8.10

package/dist/claude-auth.js

@@ -147,67 +147,64 @@ export async function checkClaudeAuthStatus() {
 // ─────────────────────────────────────────
 /**
  * Extract OAuth URL from CLI output.
- * Strips ALL whitespace first (like vutran1710/claudebox) to handle
- * Ink UI wrapping the URL across multiple lines.
- * Also cleans trailing "Pastecodehereifprompted" that Ink appends.
  *
- * IMPORTANT: strips the `redirect_uri` query parameter (which points to a
- * localhost callback server on the *sprite*, not the user's machine). With
- * no redirect_uri, claude.com falls back to showing the auth code in-page,
- * which the user pastes back into the modal. This is the only flow that
- * works for cloud sandboxes — the localhost redirect breaks both on phones
- * (no listener) AND on desktops (sprite's localhost is unreachable).
+ * Strips ALL whitespace first (like vutran1710/claudebox) to handle Ink UI
+ * wrapping the URL across multiple lines. Cleans trailing junk the Ink UI
+ * appends (e.g. "Pastecodehereifprompted") and any stray ESC bytes.
+ *
+ * Note on redirect_uri: we used to strip it hoping claude.ai would fall back
+ * to an in-page code display, but claude.ai REQUIRES redirect_uri and returns
+ * "Invalid OAuth Request: Missing redirect_uri parameter" when it's missing.
+ * The pinned Claude Code client ID (9d1c250a-e61b-44d9-88ed-5944d1962f5e)
+ * only has http://localhost:<port>/callback URIs in its whitelist, so we
+ * can't rewrite to a public callback either — it would be rejected.
+ *
+ * Actual flow that works: keep the localhost redirect AS-IS. User clicks the
+ * URL on any device, authorizes. claude.ai 302s the browser to the localhost
+ * URL (which is unreachable). The browser shows "connection refused" but
+ * leaves the full URL in the address bar — including ?code=XXX&state=YYY.
+ * The user copies the `code` value from the address bar and pastes it into
+ * the modal. This is ugly on mobile but it's the only flow the server
+ * accepts.
  */
 function extractOAuthUrl(text) {
-    // Strip ANSI codes
-    const noAnsi = text.replace(/\x1B\[[0-9;]*[A-Za-z]/g, '')
-        .replace(/\x1B\][^\x07]*\x07/g, '');
+    // Replace ANSI control sequences AND lone ESC bytes with a NUL sentinel.
+    // Why NUL and not a space: we need to strip all whitespace next (to
+    // unwrap URLs that Ink wrapped across terminal lines), and if we used
+    // a space it would be eaten by the whitespace strip — then text on
+    // either side of the control sequence would fuse into the URL. NUL
+    // survives the whitespace strip and acts as a hard boundary the
+    // tail-cut logic below can detect.
+    const SENTINEL = '\x00';
+    const noAnsi = text
+        .replace(/\x1B\[[0-9;]*[A-Za-z]/g, SENTINEL)
+        .replace(/\x1B\][^\x07]*\x07/g, SENTINEL)
+        .replace(/\x1B/g, SENTINEL);
     // Strip all whitespace (claudebox pattern: strings.Join(strings.Fields(pane), ""))
+    // to unwrap URLs split across terminal lines. NUL sentinels survive.
     const stripped = noAnsi.replace(/\s+/g, '');
     const match = stripped.match(URL_REGEX);
     if (!match)
         return null;
     let url = match[0];
-    // Clean trailing Ink artifacts (claudebox pattern)
-    const trailingJunk = ['Pastecodehereifprompted', 'Pastecodehereifprompted>'];
-    for (const junk of trailingJunk) {
-        const idx = url.indexOf(junk);
-        if (idx > 0)
-            url = url.substring(0, idx);
-    }
-    // Strip the localhost redirect_uri so claude.com shows a pasteable code
-    // instead of trying to redirect. URL() can't be used here because it
-    // re-encodes the path, so we surgically delete the redirect_uri param.
-    url = stripRedirectUri(url);
-    return url;
-}
-/**
- * Strip the `redirect_uri` query param from an OAuth URL.
- *
- * Background: `claude setup-token` spawns a one-shot localhost HTTP server on
- * a random port and registers it as the redirect_uri. That works fine when the
- * user is on the same machine as the CLI, but on a sprite the URL points to
- * the *sprite's* localhost — unreachable from the user's browser regardless
- * of whether they open the auth link on their PC or their phone. With no
- * redirect_uri at all, claude.ai falls back to its in-page code display
- * (the same flow that `claude setup-token`'s "Paste code here if prompted"
- * Ink input is built to consume), and the user can paste the code back into
- * our modal — which works whether they signed in on phone or desktop.
- *
- * Done with regex rather than `new URL()` because the URL constructor
- * normalizes the path (which can break Claude's strict redirect check)
- * and re-encodes spaces/special chars in other params.
- */
-function stripRedirectUri(url) {
-    const before = url;
-    // Three cases: leading param (?redirect_uri=...&), middle/trailing (&redirect_uri=...),
-    // and only param (?redirect_uri=...). Order matters so cleanup leaves the URL well-formed.
-    url = url.replace(/&redirect_uri=[^&]*/g, '');
-    url = url.replace(/\?redirect_uri=[^&]*&/g, '?');
-    url = url.replace(/\?redirect_uri=[^&]*$/g, '');
-    if (before !== url) {
-        console.log('🔑 Stripped localhost redirect_uri from OAuth URL — claude.ai will show a pasteable code instead of redirecting');
-    }
+    // Cut at the first NUL sentinel — that marks where an ANSI control code
+    // USED to be, which is a reliable boundary between the URL and adjacent
+    // terminal output that got fused by the whitespace strip.
+    const sentinelCut = url.indexOf(SENTINEL);
+    if (sentinelCut > 0)
+        url = url.substring(0, sentinelCut);
+    // Cut at the first `paste` (case-insensitive) — Ink always appends a
+    // "Paste code here if prompted" input box after the URL, and any case
+    // variant of it is junk. None of Claude's query-param values begin
+    // with "paste" so this is safe.
+    const pasteCut = url.toLowerCase().indexOf('paste');
+    if (pasteCut > 0)
+        url = url.substring(0, pasteCut);
+    // Defensive: cut at any byte outside the URL-valid character set. OAuth
+    // URLs use letters, digits, `%`, and URL-safe punctuation only.
+    const tailCut = url.search(/[^A-Za-z0-9%._~:/?#\[\]@!$&'()*+,;=\-]/);
+    if (tailCut > 0)
+        url = url.substring(0, tailCut);
     return url;
 }
 // ─────────────────────────────────────────

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "osborn",
-  "version": "0.8.9",
+  "version": "0.8.10",
   "description": "Voice AI coding assistant - local agent that connects to Osborn frontend",
   "type": "module",
   "bin": {