perplexity-user-mcp 0.8.36

package/dist/impit-login-runner.mjs

@@ -0,0 +1,685 @@
+import {
+  buildRuntimeEndpoints
+} from "./chunk-HU5B4FXS.mjs";
+import {
+  redact
+} from "./chunk-HMKLWVXB.mjs";
+import {
+  isImpitAvailable,
+  loadImpit
+} from "./chunk-Z7DAACGZ.mjs";
+import {
+  PERPLEXITY_URL,
+  findBrowser,
+  getOrCreateContext,
+  resolveBrowserExecutable
+} from "./chunk-LKJMLGFP.mjs";
+import {
+  Vault
+} from "./chunk-TQLCLE4L.mjs";
+import "./chunk-MTDFKNXX.mjs";
+import {
+  getActiveName,
+  getProfilePaths,
+  recordLoginSuccess
+} from "./chunk-XKSWCEGI.mjs";
+import "./chunk-4UEJOM6W.mjs";
+
+// src/impit-login-runner.js
+import { writeFileSync, existsSync, mkdirSync } from "fs";
+
+// src/cookie-jar.js
+var SESSION_EXPIRES = -1;
+function parseSetCookie(header, requestUrlObj) {
+  if (typeof header !== "string" || header.length === 0) return null;
+  const parts = header.split(";");
+  const first = parts.shift();
+  if (!first) return null;
+  const eq = first.indexOf("=");
+  if (eq < 0) return null;
+  const name = first.slice(0, eq).trim();
+  const value = first.slice(eq + 1).trim();
+  if (!name) return null;
+  let domain = requestUrlObj.hostname.toLowerCase();
+  let hostOnly = true;
+  let path = defaultPath(requestUrlObj.pathname);
+  let expires = SESSION_EXPIRES;
+  let maxAgeSeconds = null;
+  let secure = false;
+  let httpOnly = false;
+  let sameSite;
+  for (const raw of parts) {
+    if (!raw) continue;
+    const trimmed = raw.trim();
+    if (!trimmed) continue;
+    const aEq = trimmed.indexOf("=");
+    const attrName = (aEq < 0 ? trimmed : trimmed.slice(0, aEq)).trim().toLowerCase();
+    const attrValue = aEq < 0 ? "" : trimmed.slice(aEq + 1).trim();
+    switch (attrName) {
+      case "domain": {
+        if (!attrValue) break;
+        const stripped = attrValue.replace(/^\./, "").toLowerCase();
+        if (stripped) {
+          domain = stripped;
+          hostOnly = false;
+        }
+        break;
+      }
+      case "path": {
+        if (attrValue.startsWith("/")) path = attrValue;
+        break;
+      }
+      case "expires": {
+        const ts = Date.parse(attrValue);
+        if (!Number.isNaN(ts)) expires = Math.floor(ts / 1e3);
+        break;
+      }
+      case "max-age": {
+        if (/^-?\d+$/.test(attrValue)) {
+          maxAgeSeconds = Number(attrValue);
+        }
+        break;
+      }
+      case "secure":
+        secure = true;
+        break;
+      case "httponly":
+        httpOnly = true;
+        break;
+      case "samesite": {
+        const v = attrValue.toLowerCase();
+        if (v === "strict") sameSite = "Strict";
+        else if (v === "lax") sameSite = "Lax";
+        else if (v === "none") sameSite = "None";
+        break;
+      }
+      default:
+        break;
+    }
+  }
+  if (maxAgeSeconds !== null) {
+    expires = maxAgeSeconds <= 0 ? 0 : Math.floor(Date.now() / 1e3) + maxAgeSeconds;
+  }
+  return { name, value, domain, path, expires, secure, httpOnly, sameSite, hostOnly };
+}
+function defaultPath(uriPath) {
+  if (!uriPath || !uriPath.startsWith("/")) return "/";
+  const lastSlash = uriPath.lastIndexOf("/");
+  if (lastSlash <= 0) return "/";
+  return uriPath.slice(0, lastSlash);
+}
+function isExpired(cookie, nowSeconds) {
+  if (cookie.expires === void 0) return false;
+  if (cookie.expires === SESSION_EXPIRES) return false;
+  return cookie.expires <= nowSeconds;
+}
+function domainMatches(cookieDomain, hostOnly, requestHost) {
+  if (cookieDomain === requestHost) return true;
+  if (hostOnly) return false;
+  if (!requestHost.endsWith(cookieDomain)) return false;
+  const idx = requestHost.length - cookieDomain.length;
+  if (idx <= 0) return false;
+  return requestHost[idx - 1] === ".";
+}
+function pathMatches(cookiePath, requestPath) {
+  if (cookiePath === requestPath) return true;
+  if (!requestPath.startsWith(cookiePath)) return false;
+  if (cookiePath.endsWith("/")) return true;
+  return requestPath[cookiePath.length] === "/";
+}
+function cookieKey(name, domain, path) {
+  return `${name}\0${domain.toLowerCase()}\0${path}`;
+}
+function entryFromPlaywright(c) {
+  let domain = (c.domain || "").toLowerCase();
+  let hostOnly = true;
+  if (domain.startsWith(".")) {
+    domain = domain.slice(1);
+    hostOnly = false;
+  }
+  const expires = typeof c.expires === "number" ? c.expires : SESSION_EXPIRES;
+  return {
+    name: String(c.name),
+    value: String(c.value),
+    domain,
+    path: c.path || "/",
+    expires,
+    secure: !!c.secure,
+    httpOnly: !!c.httpOnly,
+    sameSite: c.sameSite,
+    hostOnly
+  };
+}
+var CookieJar = class {
+  /**
+   * @param {PlaywrightCookie[]} [initialCookies]
+   */
+  constructor(initialCookies = []) {
+    this._store = /* @__PURE__ */ new Map();
+    if (Array.isArray(initialCookies)) {
+      for (const c of initialCookies) {
+        if (!c || typeof c.name !== "string") continue;
+        const entry = entryFromPlaywright(c);
+        this._store.set(cookieKey(entry.name, entry.domain, entry.path), entry);
+      }
+    }
+  }
+  /**
+   * Apply one or more Set-Cookie headers from a response. Accepts either a
+   * single string or an array (e.g. `res.headers.getSetCookie?.()` /
+   * `res.headers.raw()['set-cookie']`).
+   *
+   * @param {string|string[]|null|undefined} header
+   * @param {string} requestUrl
+   */
+  consumeSetCookieHeader(header, requestUrl) {
+    if (!header) return;
+    let url;
+    try {
+      url = new URL(requestUrl);
+    } catch {
+      return;
+    }
+    const headers = Array.isArray(header) ? header : [header];
+    for (const h of headers) {
+      const parsed = parseSetCookie(h, url);
+      if (!parsed) continue;
+      const key = cookieKey(parsed.name, parsed.domain, parsed.path);
+      if (parsed.expires !== SESSION_EXPIRES && parsed.expires <= 0) {
+        this._store.delete(key);
+        continue;
+      }
+      this._store.set(key, parsed);
+    }
+  }
+  /**
+   * Build a `Cookie:` header value for `requestUrl`. Returns "" if no cookies
+   * apply (so the caller can do `if (h) headers.cookie = h`).
+   *
+   * @param {string} requestUrl
+   * @returns {string}
+   */
+  buildCookieHeader(requestUrl) {
+    let url;
+    try {
+      url = new URL(requestUrl);
+    } catch {
+      return "";
+    }
+    const isHttps = url.protocol === "https:";
+    const host = url.hostname.toLowerCase();
+    const reqPath = url.pathname || "/";
+    const now = Math.floor(Date.now() / 1e3);
+    const matched = [];
+    for (const cookie of this._store.values()) {
+      if (isExpired(cookie, now)) continue;
+      if (cookie.secure && !isHttps) continue;
+      if (!domainMatches(cookie.domain, cookie.hostOnly, host)) continue;
+      if (!pathMatches(cookie.path, reqPath)) continue;
+      matched.push(cookie);
+    }
+    matched.sort((a, b) => b.path.length - a.path.length);
+    return matched.map((c) => `${c.name}=${c.value}`).join("; ");
+  }
+  /**
+   * Snapshot of every cookie in the jar (including expired ones — callers that
+   * persist to disk want the full set so a refresh can simply overwrite).
+   *
+   * @returns {PlaywrightCookie[]}
+   */
+  toPlaywrightShape() {
+    const out = [];
+    for (const c of this._store.values()) {
+      const pc = {
+        name: c.name,
+        value: c.value,
+        // Round-trip leading-dot for domain cookies so Patchright + the
+        // existing `getSavedCookies()` consumers see the same shape they do
+        // today.
+        domain: c.hostOnly ? c.domain : `.${c.domain}`,
+        path: c.path,
+        expires: c.expires,
+        secure: c.secure,
+        httpOnly: c.httpOnly
+      };
+      if (c.sameSite) pc.sameSite = c.sameSite;
+      out.push(pc);
+    }
+    return out;
+  }
+  /**
+   * Explicit setter, mostly for tests and for the rare case where the caller
+   * already has a fully-formed cookie record (e.g. seeding cf_clearance from
+   * the vault). `attributes` may include any of the PlaywrightCookie fields
+   * except name/value.
+   *
+   * @param {string} name
+   * @param {string} value
+   * @param {Partial<PlaywrightCookie> & { hostOnly?: boolean }} [attributes]
+   */
+  set(name, value, attributes = {}) {
+    const domainRaw = (attributes.domain || "").toLowerCase();
+    let domain = domainRaw;
+    let hostOnly;
+    if (typeof attributes.hostOnly === "boolean") {
+      hostOnly = attributes.hostOnly;
+      if (domain.startsWith(".")) domain = domain.slice(1);
+    } else if (domain.startsWith(".")) {
+      hostOnly = false;
+      domain = domain.slice(1);
+    } else {
+      hostOnly = true;
+    }
+    if (!domain) {
+      return;
+    }
+    const entry = {
+      name: String(name),
+      value: String(value),
+      domain,
+      path: attributes.path || "/",
+      expires: typeof attributes.expires === "number" ? attributes.expires : SESSION_EXPIRES,
+      secure: !!attributes.secure,
+      httpOnly: !!attributes.httpOnly,
+      sameSite: attributes.sameSite,
+      hostOnly
+    };
+    this._store.set(cookieKey(entry.name, entry.domain, entry.path), entry);
+  }
+};
+
+// src/cf-warmup.ts
+var DEFAULTS = {
+  navigationTimeoutMs: 15e3,
+  pollIntervalMs: 250,
+  cookieWaitMs: 1e4
+};
+async function warmCloudflare(opts = {}) {
+  const navigationTimeoutMs = opts.navigationTimeoutMs ?? DEFAULTS.navigationTimeoutMs;
+  const pollIntervalMs = opts.pollIntervalMs ?? DEFAULTS.pollIntervalMs;
+  const cookieWaitMs = opts.cookieWaitMs ?? DEFAULTS.cookieWaitMs;
+  const started = Date.now();
+  let resolved;
+  try {
+    resolved = await resolveBrowserExecutable();
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    const oneLine = msg.split("\n")[0] ?? msg;
+    console.error(`[cf-warmup] error: ${oneLine}`);
+    return {
+      ok: false,
+      cookies: [],
+      hasCfClearance: false,
+      elapsedMs: Date.now() - started,
+      error: oneLine
+    };
+  }
+  let chromium;
+  try {
+    chromium = (await import("patchright")).chromium;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error(`[cf-warmup] error: patchright import failed: ${msg}`);
+    return {
+      ok: false,
+      cookies: [],
+      hasCfClearance: false,
+      elapsedMs: Date.now() - started,
+      error: `patchright missing: ${msg}`
+    };
+  }
+  console.error(`[cf-warmup] launching ${resolved.path}`);
+  const probe = findBrowser();
+  let browser = null;
+  let cookies = [];
+  let hasCfClearance = false;
+  let ok = false;
+  let error;
+  try {
+    browser = await chromium.launch({
+      headless: true,
+      // Minimal arg set — reusing the launch shape from refresh.ts::tierBrowser
+      // (which already proves out CF resolution under headless). Notably we
+      // strip Playwright's default `--enable-automation` flag since CF
+      // fingerprints it.
+      ...probe ? { executablePath: probe.path } : {},
+      ...probe && (probe.channel === "chrome" || probe.channel === "msedge" || probe.channel === "chromium") ? { channel: probe.channel } : {},
+      ignoreDefaultArgs: ["--enable-automation"]
+    });
+    const ctx = await getOrCreateContext(browser);
+    const page = await ctx.newPage();
+    await page.goto(PERPLEXITY_URL, {
+      waitUntil: "domcontentloaded",
+      timeout: navigationTimeoutMs
+    });
+    ok = true;
+    const pollStarted = Date.now();
+    while (Date.now() - pollStarted < cookieWaitMs) {
+      const current = await ctx.cookies();
+      if (current.some((c) => c.name === "cf_clearance")) {
+        cookies = current;
+        hasCfClearance = true;
+        break;
+      }
+      await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
+    }
+    if (!hasCfClearance) {
+      cookies = await ctx.cookies();
+    }
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error(`[cf-warmup] error: ${msg}`);
+    ok = false;
+    error = msg;
+  } finally {
+    if (browser) {
+      try {
+        await browser.close();
+      } catch {
+      }
+    }
+  }
+  const elapsedMs = Date.now() - started;
+  console.error(
+    `[cf-warmup] complete: cf_clearance=${hasCfClearance} cookies=${cookies.length} elapsedMs=${elapsedMs}`
+  );
+  return { ok, cookies, hasCfClearance, elapsedMs, ...error ? { error } : {} };
+}
+
+// src/impit-login-runner.js
+var ORIGIN = process.env.PERPLEXITY_ORIGIN || "https://www.perplexity.ai";
+var EMAIL = process.env.PERPLEXITY_EMAIL;
+var OTP_TIMEOUT_MS = Number(process.env.PERPLEXITY_OTP_TIMEOUT_MS ?? 3e5);
+var MAX_RETRIES = Number(process.env.PERPLEXITY_LOGIN_MAX_RETRIES ?? 2);
+var USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36";
+var CHROME_CLIENT_HINTS = {
+  "sec-ch-ua": '"Not)A;Brand";v="8", "Chromium";v="138", "Google Chrome";v="138"',
+  "sec-ch-ua-mobile": "?0",
+  "sec-ch-ua-platform": '"Windows"'
+};
+function resolveProfile() {
+  return process.env.PERPLEXITY_PROFILE || getActiveName() || "default";
+}
+function ipc(msg) {
+  if (process.send) process.send(msg);
+}
+function emit(obj) {
+  process.stdout.write(JSON.stringify(obj) + "\n");
+}
+async function awaitOtp() {
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(() => {
+      process.removeListener("message", handler);
+      reject(new Error("otp_timeout"));
+    }, OTP_TIMEOUT_MS);
+    const handler = (m) => {
+      if (m && typeof m.otp === "string") {
+        clearTimeout(timer);
+        process.removeListener("message", handler);
+        resolve(m.otp);
+      }
+    };
+    process.on("message", handler);
+  });
+}
+async function impitJsonRequest(client, jar, url, init = {}) {
+  const cookieHeader = jar.buildCookieHeader(url);
+  const headers = {
+    "user-agent": USER_AGENT,
+    accept: "application/json, text/plain, */*",
+    "accept-language": "en-US,en;q=0.9",
+    ...CHROME_CLIENT_HINTS,
+    ...cookieHeader ? { cookie: cookieHeader } : {},
+    ...init.body !== void 0 ? { "content-type": "application/json" } : {},
+    referer: `${ORIGIN}/`,
+    origin: ORIGIN,
+    ...init.headers ?? {}
+  };
+  const ctrl = new AbortController();
+  const to = setTimeout(() => ctrl.abort(), init.timeoutMs ?? 3e4);
+  try {
+    const res = await client.fetch(url, {
+      method: init.method ?? "GET",
+      headers,
+      body: init.body !== void 0 ? JSON.stringify(init.body) : void 0,
+      signal: ctrl.signal,
+      redirect: init.redirect ?? "manual"
+    });
+    const text = await res.text();
+    const setCookies = readSetCookies(res.headers);
+    if (setCookies.length) jar.consumeSetCookieHeader(setCookies, url);
+    let json;
+    if (text) {
+      try {
+        json = JSON.parse(text);
+      } catch {
+      }
+    }
+    return { status: res.status, headers: res.headers, text, json };
+  } finally {
+    clearTimeout(to);
+  }
+}
+function readSetCookies(headers) {
+  if (!headers) return [];
+  if (typeof headers.getSetCookie === "function") {
+    return headers.getSetCookie();
+  }
+  if (typeof headers.raw === "function") {
+    const raw = headers.raw();
+    return raw["set-cookie"] ?? [];
+  }
+  const lower = Object.keys(headers).find((k) => k.toLowerCase() === "set-cookie");
+  if (!lower) return [];
+  const v = headers[lower];
+  return Array.isArray(v) ? v : [v];
+}
+async function followRedirectsManually(client, jar, startUrl, init = {}, maxHops = 10) {
+  let url = startUrl;
+  let lastStatus = 0;
+  for (let hop = 0; hop < maxHops; hop++) {
+    const result = await impitJsonRequest(client, jar, url, { ...init, redirect: "manual", method: hop === 0 ? init.method ?? "GET" : "GET" });
+    lastStatus = result.status;
+    if (result.status >= 300 && result.status < 400) {
+      const loc = readHeader(result.headers, "location");
+      if (!loc) return { ok: false, status: result.status, finalUrl: url };
+      url = new URL(loc, url).toString();
+      init.body = void 0;
+      continue;
+    }
+    return { ok: result.status >= 200 && result.status < 300, status: result.status, finalUrl: url, json: result.json, text: result.text };
+  }
+  return { ok: false, status: lastStatus, finalUrl: url, error: "max_redirects" };
+}
+function readHeader(headers, name) {
+  if (!headers) return null;
+  if (typeof headers.get === "function") return headers.get(name);
+  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
+  return key ? headers[key] : null;
+}
+async function startEmailFlow(client, jar) {
+  const endpoints = buildRuntimeEndpoints(ORIGIN);
+  const csrf = await impitJsonRequest(client, jar, endpoints.csrf);
+  if (csrf.status !== 200 || !csrf.json?.csrfToken) {
+    return { kind: "unsupported", detail: { step: "csrf", status: csrf.status } };
+  }
+  const sso = await impitJsonRequest(client, jar, endpoints.ssoDetails, {
+    method: "POST",
+    body: { email: EMAIL }
+  });
+  if (sso.status === 200 && sso.json?.organization) {
+    return { kind: "sso_required" };
+  }
+  const redirectUrl = `${ORIGIN}/account?login-source=settings`;
+  const signIn = await impitJsonRequest(client, jar, endpoints.signInEmail, {
+    method: "POST",
+    body: {
+      email: EMAIL,
+      useNumericOtp: "true",
+      csrfToken: csrf.json.csrfToken,
+      callbackUrl: `${redirectUrl}#locale=en-US`,
+      json: "true"
+    }
+  });
+  if (signIn.status !== 200 || !signIn.json?.url) {
+    return {
+      kind: signIn.status >= 400 && signIn.status < 500 ? "email_rejected" : "unsupported",
+      detail: { step: "signin_email", status: signIn.status }
+    };
+  }
+  return { kind: "live", redirectUrl, csrfToken: csrf.json.csrfToken };
+}
+async function submitOtp(client, jar, flow, otp) {
+  const endpoints = buildRuntimeEndpoints(ORIGIN);
+  const redirectResp = await impitJsonRequest(client, jar, endpoints.otpRedirectLink, {
+    method: "POST",
+    body: {
+      email: EMAIL,
+      otp,
+      redirectUrl: flow.redirectUrl,
+      emailLoginMethod: "web-otp",
+      loginSource: null
+    }
+  });
+  if (redirectResp.status !== 200 || !redirectResp.json?.redirect) {
+    return { ok: false };
+  }
+  const callbackUrl = new URL(redirectResp.json.redirect, ORIGIN).toString();
+  const callback = await followRedirectsManually(client, jar, callbackUrl, { method: "GET" });
+  if (!callback.ok) return { ok: false };
+  const cookies = jar.toPlaywrightShape();
+  const hasSession = cookies.some((c) => c.name === "__Secure-next-auth.session-token");
+  if (!hasSession) return { ok: false };
+  return { ok: true, cookies };
+}
+async function fetchSessionInfo(client, jar) {
+  const session = await impitJsonRequest(client, jar, `${ORIGIN}/api/auth/session?version=2.18&source=default`);
+  return session.json ?? {};
+}
+async function fetchModelsCache(client, jar) {
+  const result = {};
+  for (const [key, path] of [
+    ["models", "/rest/configs/models?version=2.18&source=default"],
+    ["asi", "/rest/configs/asi-access?version=2.18&source=default"],
+    ["rateLimits", "/rest/rate-limits?version=2.18&source=default"],
+    ["experiments", "/rest/experiments?version=2.18&source=default"],
+    ["userInfo", "/rest/user/info?version=2.18&source=default"]
+  ]) {
+    try {
+      const r = await impitJsonRequest(client, jar, `${ORIGIN}${path}`);
+      if (r.status === 200 && r.json) result[key] = r.json;
+    } catch {
+    }
+  }
+  return result;
+}
+function deriveTier(modelsCache) {
+  if (modelsCache.userInfo?.subscription_tier === "enterprise") return "Enterprise";
+  if (modelsCache.userInfo?.subscription_tier === "max") return "Max";
+  if (modelsCache.userInfo?.subscription_tier === "pro") return "Pro";
+  if (modelsCache.experiments?.server_is_enterprise) return "Enterprise";
+  if (modelsCache.experiments?.server_is_max) return "Max";
+  if (modelsCache.experiments?.server_is_pro) return "Pro";
+  if (modelsCache.asi?.can_use_computer) return "Pro";
+  return "Authenticated";
+}
+async function main() {
+  if (!EMAIL) {
+    emit({ ok: false, reason: "no_email" });
+    process.exit(1);
+  }
+  if (!isImpitAvailable()) {
+    emit({ ok: false, reason: "impit_missing", error: "Speed Boost (impit) not installed" });
+    process.exit(4);
+  }
+  const PROFILE = resolveProfile();
+  const vault = new Vault();
+  const jar = new CookieJar([]);
+  try {
+    const stored = await vault.get(PROFILE, "cookies").catch(() => null);
+    if (stored) {
+      const parsed = JSON.parse(stored);
+      if (Array.isArray(parsed)) {
+        for (const c of parsed) jar.set?.(c.name, c.value, { domain: c.domain, path: c.path, expires: c.expires, secure: c.secure, httpOnly: c.httpOnly, sameSite: c.sameSite });
+      }
+    }
+  } catch {
+  }
+  if (!jar.toPlaywrightShape().some((c) => c.name === "cf_clearance")) {
+    const warmup = await warmCloudflare();
+    if (warmup.cookies.length) {
+      for (const c of warmup.cookies) {
+        jar.set?.(c.name, c.value, { domain: c.domain, path: c.path, expires: c.expires, secure: c.secure, httpOnly: c.httpOnly, sameSite: c.sameSite });
+      }
+    }
+    if (!warmup.hasCfClearance) {
+      emit({ ok: false, reason: "cf_blocked", detail: { warmupOk: warmup.ok } });
+      process.exit(3);
+    }
+  }
+  const impitMod = await loadImpit();
+  if (!impitMod) {
+    emit({ ok: false, reason: "impit_load_failed" });
+    process.exit(4);
+  }
+  const client = new impitMod.Impit({ browser: "chrome", ignoreTlsErrors: false });
+  let authFlow;
+  try {
+    authFlow = await startEmailFlow(client, jar);
+  } catch (err) {
+    emit({ ok: false, reason: "auto_unsupported", detail: { step: "start", error: redact(String(err?.message ?? err)) } });
+    process.exit(2);
+  }
+  if (authFlow.kind === "sso_required") {
+    emit({ ok: false, reason: "sso_required" });
+    process.exit(2);
+  }
+  if (authFlow.kind === "email_rejected") {
+    emit({ ok: false, reason: "email_rejected", detail: authFlow.detail });
+    process.exit(2);
+  }
+  if (authFlow.kind !== "live") {
+    emit({ ok: false, reason: "auto_unsupported", detail: authFlow.detail });
+    process.exit(2);
+  }
+  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+    ipc({ phase: "awaiting_otp", attempt });
+    let otp;
+    try {
+      otp = await awaitOtp();
+    } catch {
+      emit({ ok: false, reason: "otp_timeout" });
+      process.exit(2);
+    }
+    const submitResp = await submitOtp(client, jar, authFlow, otp);
+    if (submitResp.ok) {
+      const sessionInfo = await fetchSessionInfo(client, jar).catch(() => ({}));
+      const modelsCache = await fetchModelsCache(client, jar).catch(() => ({}));
+      const tier = deriveTier(modelsCache);
+      await vault.set(PROFILE, "cookies", JSON.stringify(submitResp.cookies));
+      if (sessionInfo?.user?.email) await vault.set(PROFILE, "email", sessionInfo.user.email);
+      if (sessionInfo?.user?.id) await vault.set(PROFILE, "userId", sessionInfo.user.id);
+      const paths = getProfilePaths(PROFILE);
+      if (!existsSync(paths.dir)) mkdirSync(paths.dir, { recursive: true });
+      writeFileSync(paths.modelsCache, JSON.stringify(modelsCache, null, 2));
+      recordLoginSuccess(PROFILE, { tier, loginMode: "auto", lastLogin: (/* @__PURE__ */ new Date()).toISOString() });
+      writeFileSync(paths.reinit, String(Date.now()));
+      emit({ ok: true, tier, modelCount: Object.keys(modelsCache?.models?.models ?? {}).length, transport: "impit" });
+      process.exit(0);
+    }
+    if (attempt === MAX_RETRIES) {
+      emit({ ok: false, reason: "otp_rejected" });
+      process.exit(2);
+    }
+  }
+}
+main().catch((err) => {
+  const msg = err?.message ?? err;
+  emit({
+    ok: false,
+    reason: "crash",
+    error: redact(String(msg ?? "unknown error")),
+    ...err?.stack ? { stack: redact(String(err.stack)) } : {}
+  });
+  process.exit(5);
+});