osborn 0.8.9 → 0.8.11

package/dist/claude-auth.d.ts

@@ -53,6 +53,12 @@ export declare function runClaudeAuthFlow(callbacks: ClaudeAuthCallbacks): {
  *   2. ~/.claude/.credentials.json file
  *   3. `claude auth status --json`
  *   4. Interactive OAuth flow (setup-token)
+ *
+ * Concurrency: if a previous call is still running its OAuth flow, new
+ * callers attach to the existing flow rather than spawning a second pty.
+ * This prevents the situation where LiveKit reconnects (e.g. after a
+ * microphone-permission error) retrigger ensureClaudeAuth and the user
+ * sees two different URLs / two different code_challenges racing.
  */
 export declare function ensureClaudeAuth(sendToFrontend: (type: string, payload: unknown) => void): Promise<{
     submitCode?: (code: string) => void;

package/dist/claude-auth.js

@@ -147,67 +147,64 @@ export async function checkClaudeAuthStatus() {
 // ─────────────────────────────────────────
 /**
  * Extract OAuth URL from CLI output.
- * Strips ALL whitespace first (like vutran1710/claudebox) to handle
- * Ink UI wrapping the URL across multiple lines.
- * Also cleans trailing "Pastecodehereifprompted" that Ink appends.
  *
- * IMPORTANT: strips the `redirect_uri` query parameter (which points to a
- * localhost callback server on the *sprite*, not the user's machine). With
- * no redirect_uri, claude.com falls back to showing the auth code in-page,
- * which the user pastes back into the modal. This is the only flow that
- * works for cloud sandboxes — the localhost redirect breaks both on phones
- * (no listener) AND on desktops (sprite's localhost is unreachable).
+ * Strips ALL whitespace first (like vutran1710/claudebox) to handle Ink UI
+ * wrapping the URL across multiple lines. Cleans trailing junk the Ink UI
+ * appends (e.g. "Pastecodehereifprompted") and any stray ESC bytes.
+ *
+ * Note on redirect_uri: we used to strip it hoping claude.ai would fall back
+ * to an in-page code display, but claude.ai REQUIRES redirect_uri and returns
+ * "Invalid OAuth Request: Missing redirect_uri parameter" when it's missing.
+ * The pinned Claude Code client ID (9d1c250a-e61b-44d9-88ed-5944d1962f5e)
+ * only has http://localhost:<port>/callback URIs in its whitelist, so we
+ * can't rewrite to a public callback either — it would be rejected.
+ *
+ * Actual flow that works: keep the localhost redirect AS-IS. User clicks the
+ * URL on any device, authorizes. claude.ai 302s the browser to the localhost
+ * URL (which is unreachable). The browser shows "connection refused" but
+ * leaves the full URL in the address bar — including ?code=XXX&state=YYY.
+ * The user copies the `code` value from the address bar and pastes it into
+ * the modal. This is ugly on mobile but it's the only flow the server
+ * accepts.
  */
 function extractOAuthUrl(text) {
-    // Strip ANSI codes
-    const noAnsi = text.replace(/\x1B\[[0-9;]*[A-Za-z]/g, '')
-        .replace(/\x1B\][^\x07]*\x07/g, '');
+    // Replace ANSI control sequences AND lone ESC bytes with a NUL sentinel.
+    // Why NUL and not a space: we need to strip all whitespace next (to
+    // unwrap URLs that Ink wrapped across terminal lines), and if we used
+    // a space it would be eaten by the whitespace strip — then text on
+    // either side of the control sequence would fuse into the URL. NUL
+    // survives the whitespace strip and acts as a hard boundary the
+    // tail-cut logic below can detect.
+    const SENTINEL = '\x00';
+    const noAnsi = text
+        .replace(/\x1B\[[0-9;]*[A-Za-z]/g, SENTINEL)
+        .replace(/\x1B\][^\x07]*\x07/g, SENTINEL)
+        .replace(/\x1B/g, SENTINEL);
     // Strip all whitespace (claudebox pattern: strings.Join(strings.Fields(pane), ""))
+    // to unwrap URLs split across terminal lines. NUL sentinels survive.
     const stripped = noAnsi.replace(/\s+/g, '');
     const match = stripped.match(URL_REGEX);
     if (!match)
         return null;
     let url = match[0];
-    // Clean trailing Ink artifacts (claudebox pattern)
-    const trailingJunk = ['Pastecodehereifprompted', 'Pastecodehereifprompted>'];
-    for (const junk of trailingJunk) {
-        const idx = url.indexOf(junk);
-        if (idx > 0)
-            url = url.substring(0, idx);
-    }
-    // Strip the localhost redirect_uri so claude.com shows a pasteable code
-    // instead of trying to redirect. URL() can't be used here because it
-    // re-encodes the path, so we surgically delete the redirect_uri param.
-    url = stripRedirectUri(url);
-    return url;
-}
-/**
- * Strip the `redirect_uri` query param from an OAuth URL.
- *
- * Background: `claude setup-token` spawns a one-shot localhost HTTP server on
- * a random port and registers it as the redirect_uri. That works fine when the
- * user is on the same machine as the CLI, but on a sprite the URL points to
- * the *sprite's* localhost — unreachable from the user's browser regardless
- * of whether they open the auth link on their PC or their phone. With no
- * redirect_uri at all, claude.ai falls back to its in-page code display
- * (the same flow that `claude setup-token`'s "Paste code here if prompted"
- * Ink input is built to consume), and the user can paste the code back into
- * our modal — which works whether they signed in on phone or desktop.
- *
- * Done with regex rather than `new URL()` because the URL constructor
- * normalizes the path (which can break Claude's strict redirect check)
- * and re-encodes spaces/special chars in other params.
- */
-function stripRedirectUri(url) {
-    const before = url;
-    // Three cases: leading param (?redirect_uri=...&), middle/trailing (&redirect_uri=...),
-    // and only param (?redirect_uri=...). Order matters so cleanup leaves the URL well-formed.
-    url = url.replace(/&redirect_uri=[^&]*/g, '');
-    url = url.replace(/\?redirect_uri=[^&]*&/g, '?');
-    url = url.replace(/\?redirect_uri=[^&]*$/g, '');
-    if (before !== url) {
-        console.log('🔑 Stripped localhost redirect_uri from OAuth URL — claude.ai will show a pasteable code instead of redirecting');
-    }
+    // Cut at the first NUL sentinel — that marks where an ANSI control code
+    // USED to be, which is a reliable boundary between the URL and adjacent
+    // terminal output that got fused by the whitespace strip.
+    const sentinelCut = url.indexOf(SENTINEL);
+    if (sentinelCut > 0)
+        url = url.substring(0, sentinelCut);
+    // Cut at the first `paste` (case-insensitive) — Ink always appends a
+    // "Paste code here if prompted" input box after the URL, and any case
+    // variant of it is junk. None of Claude's query-param values begin
+    // with "paste" so this is safe.
+    const pasteCut = url.toLowerCase().indexOf('paste');
+    if (pasteCut > 0)
+        url = url.substring(0, pasteCut);
+    // Defensive: cut at any byte outside the URL-valid character set. OAuth
+    // URLs use letters, digits, `%`, and URL-safe punctuation only.
+    const tailCut = url.search(/[^A-Za-z0-9%._~:/?#\[\]@!$&'()*+,;=\-]/);
+    if (tailCut > 0)
+        url = url.substring(0, tailCut);
     return url;
 }
 // ─────────────────────────────────────────
@@ -357,9 +354,7 @@ export function runClaudeAuthFlow(callbacks) {
     });
     return { handle, done };
 }
-// ─────────────────────────────────────────
-// Startup Gate
-// ─────────────────────────────────────────
+let inFlightAuth = null;
 /**
  * Ensure Claude is authenticated before proceeding.
  *
@@ -368,8 +363,33 @@ export function runClaudeAuthFlow(callbacks) {
  *   2. ~/.claude/.credentials.json file
  *   3. `claude auth status --json`
  *   4. Interactive OAuth flow (setup-token)
+ *
+ * Concurrency: if a previous call is still running its OAuth flow, new
+ * callers attach to the existing flow rather than spawning a second pty.
+ * This prevents the situation where LiveKit reconnects (e.g. after a
+ * microphone-permission error) retrigger ensureClaudeAuth and the user
+ * sees two different URLs / two different code_challenges racing.
  */
 export async function ensureClaudeAuth(sendToFrontend) {
+    // If an auth flow is already running, attach to it and replay any
+    // state we've already captured (the URL, any waiting_code prompt).
+    if (inFlightAuth) {
+        console.log('🔑 ensureClaudeAuth called while a flow is in-flight — attaching new subscriber');
+        inFlightAuth.subscribers.push(sendToFrontend);
+        // Replay the state the frontend needs to render the modal correctly.
+        sendToFrontend('claude_auth_required', {
+            message: 'Claude authentication required. A login URL will appear shortly.',
+        });
+        if (inFlightAuth.lastUrl) {
+            sendToFrontend('claude_auth_url', { url: inFlightAuth.lastUrl });
+        }
+        if (inFlightAuth.lastStatus === 'waiting_code') {
+            sendToFrontend('claude_auth_waiting_code', {
+                message: 'Paste the authentication code from the browser.',
+            });
+        }
+        return { submitCode: inFlightAuth.submitCode, done: inFlightAuth.done };
+    }
     // Check 0: Restore token from volume if previously persisted
     if (!hasOAuthTokenEnv()) {
         try {
@@ -402,28 +422,62 @@ export async function ensureClaudeAuth(sendToFrontend) {
     }
     // Check 4: Need interactive OAuth flow
     console.log('🔑 Claude not authenticated — starting OAuth flow');
-    sendToFrontend('claude_auth_required', {
+    // Create the in-flight record BEFORE spawning, and fan-out every
+    // callback to all current subscribers. New subscribers that attach
+    // later get replay of lastUrl / lastStatus from the deduped path
+    // at the top of this function.
+    const subscribers = [sendToFrontend];
+    const fanout = (type, payload) => {
+        for (const sub of subscribers) {
+            try {
+                sub(type, payload);
+            }
+            catch (err) {
+                console.warn('🔑 subscriber failed:', err);
+            }
+        }
+    };
+    fanout('claude_auth_required', {
         message: 'Claude authentication required. A login URL will appear shortly.',
     });
     const { handle, done } = runClaudeAuthFlow({
         onUrl: (url) => {
-            console.log('📤 Sending Claude auth URL to frontend');
-            sendToFrontend('claude_auth_url', { url });
+            console.log(`📤 Sending Claude auth URL to frontend (${url.length} chars)`);
+            if (inFlightAuth) {
+                inFlightAuth.lastUrl = url;
+                inFlightAuth.lastStatus = 'waiting';
+            }
+            fanout('claude_auth_url', { url });
         },
         onWaitingForCode: () => {
             console.log('📤 Sending code prompt to frontend');
-            sendToFrontend('claude_auth_waiting_code', {
+            if (inFlightAuth)
+                inFlightAuth.lastStatus = 'waiting_code';
+            fanout('claude_auth_waiting_code', {
                 message: 'Paste the authentication code from the browser.',
             });
         },
         onComplete: () => {
-            sendToFrontend('claude_auth_complete', {
+            fanout('claude_auth_complete', {
                 message: 'Claude authenticated successfully. Starting voice session...',
             });
         },
         onError: (message) => {
-            sendToFrontend('claude_auth_error', { message });
+            fanout('claude_auth_error', { message });
         },
     });
+    // Publish the in-flight record so concurrent callers attach to it.
+    inFlightAuth = {
+        submitCode: handle.submitCode,
+        done,
+        lastUrl: null,
+        lastStatus: null,
+        subscribers,
+    };
+    // Clear the in-flight record once the flow settles, success or failure.
+    done.finally(() => {
+        console.log('🔑 OAuth flow settled — clearing in-flight guard');
+        inFlightAuth = null;
+    });
     return { submitCode: handle.submitCode, done };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "osborn",
-  "version": "0.8.9",
+  "version": "0.8.11",
   "description": "Voice AI coding assistant - local agent that connects to Osborn frontend",
   "type": "module",
   "bin": {