replit-tools 1.0.5 → 1.0.7

package/README.md

@@ -1,22 +1,25 @@
 # DATA Tools
 
-**One command to set up Claude Code and Codex CLI on Replit with full persistence.**
+**One command to set up Claude Code and Codex CLI on Replit with full persistence and automatic token refresh.**
 
 When Replit containers restart, everything outside `/home/runner/workspace/` is wiped - including installed CLIs, conversations, auth tokens, and command history. DATA Tools fixes all of that.
 
 ## Quick Start
 
 ```bash
-npx replit-tools
+npx -y replit-tools
 ```
 
+(The `-y` skips the "Ok to proceed?" prompt)
+
 That's it. The installer will:
 
 1. **Install Claude Code** (if not already installed)
 2. **Install OpenAI Codex CLI** (if not already installed)
 3. **Detect existing config** and preserve your data
 4. **Set up persistence** so everything survives restarts
-5. **Launch the session picker** so you can start working immediately
+5. **Auto-refresh OAuth tokens** before they expire
+6. **Launch the session picker** so you can start working immediately
 
 ## What Gets Installed
 
@@ -38,15 +41,36 @@ Both are installed only if not already present. Existing installations are prese
 | Bash history | `.persistent-home/` | Yes |
 | Per-terminal sessions | `.claude-sessions/` | Yes |
 
+## Automatic Token Refresh
+
+Claude OAuth tokens expire every **8-12 hours**. DATA Tools automatically refreshes them:
+
+- **On every shell start**: Checks token expiry and refreshes if < 2 hours remaining
+- **When expired**: Attempts automatic refresh using the stored refresh token
+- **Transparent**: You'll see `🔄 Token expires in 1h, refreshing...` then `✅ Token refreshed (11h remaining)`
+
+This means you can leave overnight and come back to a working session - no more `claude login` every morning.
+
+### Manual Token Commands
+
+```bash
+# Check token status
+/home/runner/workspace/scripts/claude-auth-refresh.sh --status
+
+# Force refresh now
+/home/runner/workspace/scripts/claude-auth-refresh.sh --force
+
+# Or use a permanent API token (never expires)
+claude setup-token
+```
+
 ## The Session Picker
 
 After installation (and on every new shell), you'll see:
 
 ```
-✅ Claude Code already installed (1.0.17)
-✅ Codex CLI already installed
-
-✅ Claude authentication: valid (23h remaining)
+✅ Claude authentication: valid (11h remaining)
+✅ Claude Code ready: 2.0.71 (Claude Code)
 
 ╭─────────────────────────────────────────────────────────╮
 │  Claude Session Manager                                 │
@@ -101,10 +125,10 @@ Press `c` to continue YOUR terminal's last session. Other terminals are unaffect
 The installer creates symlinks from ephemeral locations to persistent workspace storage:
 
 ```
-~/.claude           →  /workspace/.claude-persistent/
-~/.codex            →  /workspace/.codex-persistent/
+~/.claude             →  /workspace/.claude-persistent/
+~/.codex              →  /workspace/.codex-persistent/
 ~/.local/share/claude →  /workspace/.local/share/claude/
-~/.local/bin/claude →  /workspace/.local/share/claude/versions/X.X.X
+~/.local/bin/claude   →  /workspace/.local/share/claude/versions/X.X.X
 ```
 
 Three layers ensure setup runs on every restart:
@@ -117,7 +141,8 @@ Three layers ensure setup runs on every restart:
 The installer checks for:
 
 - **`CLAUDE_CONFIG_DIR`** - Respects custom Claude config directory if set in Replit Secrets
-- **Existing persistent config** - Uses your existing `.claude-persistent/` if present
+- **`CODEX_HOME`** - Respects custom Codex config directory
+- **Existing persistent config** - Uses your existing config if present
 - **Replit Secrets** - Detects `ANTHROPIC_API_KEY` and `OPENAI_API_KEY`
 - **Existing installations** - Won't reinstall Claude or Codex if already present
 - **Existing data in ~/.claude** - Moves it to persistent storage instead of overwriting
@@ -150,7 +175,7 @@ If you set these in your Replit Secrets to paths inside `/home/runner/workspace/
 ### Option 1: npx (recommended)
 
 ```bash
-npx replit-tools
+npx -y replit-tools
 ```
 
 ### Option 2: curl
@@ -187,13 +212,13 @@ export CLAUDE_NO_PROMPT=true
 
 Add to `.config/bashrc` to make permanent.
 
-### Fix authentication permanently
+### Use a permanent API token
 
 ```bash
 claude setup-token
 ```
 
-Creates a long-lived API token that doesn't expire (OAuth tokens expire every ~24h).
+Creates a long-lived API token that never expires (recommended for unattended use).
 
 ## Files Created
 
@@ -205,9 +230,11 @@ workspace/
 ├── .local/share/claude/    # Claude binary versions
 ├── .persistent-home/       # Bash history
 ├── .config/bashrc          # Shell startup config
+├── logs/                   # Auth refresh logs
 ├── scripts/
-│   ├── setup-claude-code.sh
-│   └── claude-session-manager.sh
+│   ├── setup-claude-code.sh      # Main setup script
+│   ├── claude-session-manager.sh # Interactive session picker
+│   └── claude-auth-refresh.sh    # OAuth token auto-refresh
 └── .gitignore              # Updated to ignore credential dirs
 ```
 
@@ -225,18 +252,25 @@ source /home/runner/workspace/scripts/setup-claude-code.sh
 source /home/runner/workspace/.config/bashrc
 ```
 
-### Auth expired
+### Auth keeps expiring
+
+The auto-refresh should handle this, but if it fails:
 
 ```bash
-claude login
-# Or for permanent fix:
+# Check why refresh failed
+cat /home/runner/workspace/logs/auth-refresh.log
+
+# Manual refresh
+/home/runner/workspace/scripts/claude-auth-refresh.sh --force
+
+# Or use permanent token (recommended)
 claude setup-token
 ```
 
 ### Symlinks broken
 
 ```bash
-npx replit-tools
+npx -y replit-tools
 ```
 
 Running the installer again is safe - it preserves existing data.

package/index.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-const { execSync, spawn } = require('child_process');
+const { execSync, spawn, spawnSync } = require('child_process');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
@@ -8,6 +8,45 @@ const os = require('os');
 const WORKSPACE = '/home/runner/workspace';
 const HOME = os.homedir();
 
+// Helper to run commands safely without crashing the installer
+function safeExec(cmd, options = {}) {
+  try {
+    const result = spawnSync('bash', ['-c', cmd], {
+      encoding: 'utf8',
+      timeout: options.timeout || 120000,
+      env: options.env || process.env,
+      stdio: ['pipe', 'pipe', 'pipe'],
+      maxBuffer: 10 * 1024 * 1024 // 10MB
+    });
+
+    if (options.showOutput && result.stdout) {
+      // Show condensed output
+      const lines = result.stdout.trim().split('\n');
+      if (lines.length <= 5) {
+        lines.forEach(l => console.log(`   ${l}`));
+      } else {
+        console.log(`   ${lines[0]}`);
+        console.log(`   ... (${lines.length - 2} more lines)`);
+        console.log(`   ${lines[lines.length - 1]}`);
+      }
+    }
+
+    return {
+      success: result.status === 0,
+      stdout: result.stdout || '',
+      stderr: result.stderr || '',
+      status: result.status
+    };
+  } catch (err) {
+    return {
+      success: false,
+      stdout: '',
+      stderr: err.message,
+      status: -1
+    };
+  }
+}
+
 // Wrap everything in try-catch to prevent crashes
 try {
   main();
@@ -205,21 +244,24 @@ function main() {
 
   if (!claudeInstalled) {
     console.log('📦 Installing Claude Code...');
-    try {
-      const installEnv = {
-        ...process.env,
-        CLAUDE_CONFIG_DIR: claudePersistentDir,
-        CLAUDE_WORKSPACE_DIR: claudePersistentDir
-      };
-      execSync('curl -fsSL https://claude.ai/install.sh | bash', {
-        stdio: 'inherit',
-        shell: '/bin/bash',
-        env: installEnv,
-        timeout: 120000 // 2 minute timeout
-      });
+    const installEnv = {
+      ...process.env,
+      CLAUDE_CONFIG_DIR: claudePersistentDir,
+      CLAUDE_WORKSPACE_DIR: claudePersistentDir
+    };
+    const result = safeExec('curl -fsSL https://claude.ai/install.sh | bash', {
+      env: installEnv,
+      timeout: 180000, // 3 minute timeout
+      showOutput: true
+    });
+
+    if (result.success) {
       console.log('✅ Claude Code installed');
-    } catch (err) {
+    } else {
       console.log('⚠️  Claude Code installation had issues (may still work)');
+      if (result.stderr && result.stderr.length < 200) {
+        console.log(`   ${result.stderr.trim()}`);
+      }
     }
   } else {
     const version = claudeVersions.sort().pop() || 'installed';
@@ -234,20 +276,23 @@ function main() {
 
   if (!codexInstalled) {
     console.log('📦 Installing OpenAI Codex CLI...');
-    try {
-      const installEnv = {
-        ...process.env,
-        CODEX_HOME: codexPersistentDir
-      };
-      execSync('npm i -g @openai/codex', {
-        stdio: 'inherit',
-        shell: '/bin/bash',
-        env: installEnv,
-        timeout: 120000 // 2 minute timeout
-      });
+    const installEnv = {
+      ...process.env,
+      CODEX_HOME: codexPersistentDir
+    };
+    const result = safeExec('npm i -g @openai/codex', {
+      env: installEnv,
+      timeout: 180000, // 3 minute timeout
+      showOutput: true
+    });
+
+    if (result.success) {
       console.log('✅ Codex CLI installed');
-    } catch (err) {
+    } else {
       console.log('⚠️  Codex installation had issues (may still work)');
+      if (result.stderr && result.stderr.length < 200) {
+        console.log(`   ${result.stderr.trim()}`);
+      }
     }
   } else {
     console.log('✅ Codex CLI already installed');
@@ -375,7 +420,7 @@ function main() {
   console.log('');
   console.log('📝 Installing scripts...');
 
-  const scripts = ['setup-claude-code.sh', 'claude-session-manager.sh'];
+  const scripts = ['setup-claude-code.sh', 'claude-session-manager.sh', 'claude-auth-refresh.sh'];
   scripts.forEach(script => {
     const srcPath = path.join(scriptsDir, script);
     const destPath = path.join(targetScriptsDir, script);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "replit-tools",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "description": "DATA Tools - One command to set up Claude Code and Codex CLI on Replit with full persistence",
   "main": "index.js",
   "bin": {

package/scripts/claude-auth-refresh.sh

@@ -0,0 +1,221 @@
+#!/bin/bash
+# Claude OAuth Token Auto-Refresh
+# Automatically refreshes Claude Code OAuth tokens before expiration
+# Part of DATA Tools - https://github.com/stevemoraco/DATAtools
+
+CREDENTIALS_FILE="${CLAUDE_CONFIG_DIR:-$HOME/.claude}/.credentials.json"
+OAUTH_ENDPOINT="https://console.anthropic.com/v1/oauth/token"
+CLIENT_ID="9d1c250a-e61b-44d9-88ed-5944d1962f5e"
+REFRESH_THRESHOLD_HOURS=2  # Refresh when less than 2 hours remaining
+LOG_FILE="/home/runner/workspace/logs/auth-refresh.log"
+
+# Logging function
+log() {
+    local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
+    echo "[$timestamp] $1" >> "$LOG_FILE" 2>/dev/null
+}
+
+# Check if jq is available, if not use node for JSON parsing
+parse_json() {
+    local json="$1"
+    local key="$2"
+
+    if command -v jq &>/dev/null; then
+        echo "$json" | jq -r ".$key" 2>/dev/null
+    else
+        # Fallback to node
+        echo "$json" | node -e "
+            let data = '';
+            process.stdin.on('data', chunk => data += chunk);
+            process.stdin.on('end', () => {
+                try {
+                    const obj = JSON.parse(data);
+                    const keys = '$key'.split('.');
+                    let val = obj;
+                    for (const k of keys) val = val[k];
+                    console.log(val);
+                } catch(e) { console.log(''); }
+            });
+        " 2>/dev/null
+    fi
+}
+
+# Get current timestamp in milliseconds
+get_current_time_ms() {
+    echo $(($(date +%s) * 1000))
+}
+
+# Check token status and return remaining time in hours
+check_token_status() {
+    if [ ! -f "$CREDENTIALS_FILE" ]; then
+        echo "no_file"
+        return 1
+    fi
+
+    local creds=$(cat "$CREDENTIALS_FILE" 2>/dev/null)
+    if [ -z "$creds" ]; then
+        echo "empty_file"
+        return 1
+    fi
+
+    local expires_at=$(parse_json "$creds" "claudeAiOauth.expiresAt")
+    if [ -z "$expires_at" ] || [ "$expires_at" = "null" ]; then
+        echo "no_expiry"
+        return 1
+    fi
+
+    local current_time=$(get_current_time_ms)
+    local remaining_ms=$((expires_at - current_time))
+    local remaining_hours=$((remaining_ms / 1000 / 60 / 60))
+
+    if [ $remaining_ms -le 0 ]; then
+        echo "expired"
+        return 1
+    fi
+
+    echo "$remaining_hours"
+    return 0
+}
+
+# Refresh the OAuth token
+refresh_token() {
+    local creds=$(cat "$CREDENTIALS_FILE" 2>/dev/null)
+    local refresh_token=$(parse_json "$creds" "claudeAiOauth.refreshToken")
+
+    if [ -z "$refresh_token" ] || [ "$refresh_token" = "null" ]; then
+        log "ERROR: No refresh token found"
+        return 1
+    fi
+
+    log "Attempting token refresh..."
+
+    # Make the refresh request
+    local response=$(curl -s -X POST "$OAUTH_ENDPOINT" \
+        -H "Content-Type: application/json" \
+        -d "{\"grant_type\":\"refresh_token\",\"refresh_token\":\"$refresh_token\",\"client_id\":\"$CLIENT_ID\"}" \
+        2>/dev/null)
+
+    if [ -z "$response" ]; then
+        log "ERROR: No response from OAuth endpoint"
+        return 1
+    fi
+
+    # Check for error in response
+    local error=$(parse_json "$response" "error")
+    if [ -n "$error" ] && [ "$error" != "null" ]; then
+        log "ERROR: OAuth refresh failed: $error"
+        return 1
+    fi
+
+    # Extract new tokens
+    local new_access_token=$(parse_json "$response" "access_token")
+    local new_refresh_token=$(parse_json "$response" "refresh_token")
+    local expires_in=$(parse_json "$response" "expires_in")
+
+    if [ -z "$new_access_token" ] || [ "$new_access_token" = "null" ]; then
+        log "ERROR: No access token in response"
+        return 1
+    fi
+
+    # Calculate new expiry time (expires_in is in seconds)
+    local current_time=$(get_current_time_ms)
+    local new_expires_at=$((current_time + expires_in * 1000))
+
+    # Use the new refresh token if provided, otherwise keep the old one
+    if [ -z "$new_refresh_token" ] || [ "$new_refresh_token" = "null" ]; then
+        new_refresh_token="$refresh_token"
+    fi
+
+    # Backup the old credentials
+    cp "$CREDENTIALS_FILE" "${CREDENTIALS_FILE}.backup" 2>/dev/null
+
+    # Update credentials file using node (more reliable for JSON manipulation)
+    node -e "
+        const fs = require('fs');
+        const creds = JSON.parse(fs.readFileSync('$CREDENTIALS_FILE', 'utf8'));
+        creds.claudeAiOauth.accessToken = '$new_access_token';
+        creds.claudeAiOauth.refreshToken = '$new_refresh_token';
+        creds.claudeAiOauth.expiresAt = $new_expires_at;
+        fs.writeFileSync('$CREDENTIALS_FILE', JSON.stringify(creds));
+    " 2>/dev/null
+
+    if [ $? -eq 0 ]; then
+        log "SUCCESS: Token refreshed, expires in $((expires_in / 3600)) hours"
+        return 0
+    else
+        # Restore backup on failure
+        mv "${CREDENTIALS_FILE}.backup" "$CREDENTIALS_FILE" 2>/dev/null
+        log "ERROR: Failed to update credentials file"
+        return 1
+    fi
+}
+
+# Main function - called from setup script
+auto_refresh_if_needed() {
+    local status=$(check_token_status)
+
+    case "$status" in
+        "no_file"|"empty_file"|"no_expiry")
+            # No credentials, user needs to login
+            return 1
+            ;;
+        "expired")
+            echo "⚠️  Token expired, attempting refresh..."
+            if refresh_token; then
+                echo "✅ Token refreshed successfully"
+                return 0
+            else
+                echo "❌ Token refresh failed - run: claude login"
+                return 1
+            fi
+            ;;
+        *)
+            # status is remaining hours
+            local remaining=$status
+            if [ "$remaining" -lt "$REFRESH_THRESHOLD_HOURS" ]; then
+                echo "🔄 Token expires in ${remaining}h, refreshing..."
+                if refresh_token; then
+                    local new_status=$(check_token_status)
+                    echo "✅ Token refreshed (${new_status}h remaining)"
+                    return 0
+                else
+                    echo "⚠️  Refresh failed, ${remaining}h remaining"
+                    return 0  # Don't fail, token still works
+                fi
+            else
+                # Token is fine, no refresh needed
+                return 0
+            fi
+            ;;
+    esac
+}
+
+# Command line interface
+case "${1:-}" in
+    --status)
+        status=$(check_token_status)
+        case "$status" in
+            "no_file") echo "❌ No credentials file found" ;;
+            "empty_file") echo "❌ Credentials file is empty" ;;
+            "no_expiry") echo "❌ No expiry timestamp found" ;;
+            "expired") echo "❌ Token has expired" ;;
+            *) echo "✅ Token valid (${status}h remaining)" ;;
+        esac
+        ;;
+    --force)
+        echo "Forcing token refresh..."
+        if refresh_token; then
+            echo "✅ Token refreshed"
+        else
+            echo "❌ Refresh failed"
+            exit 1
+        fi
+        ;;
+    --auto)
+        auto_refresh_if_needed
+        ;;
+    *)
+        # Default: auto refresh if needed (silent unless action taken)
+        auto_refresh_if_needed
+        ;;
+esac

package/scripts/setup-claude-code.sh

@@ -8,6 +8,7 @@
 #   2. Symlink for Claude binary (~/.local/bin/claude)
 #   3. Authentication persistence (credentials stored in workspace)
 #   4. Auto-installation if Claude is missing
+#   5. Automatic OAuth token refresh before expiration
 #
 # Run this script on every container restart via .config/bashrc or .replit
 # =============================================================================
@@ -16,9 +17,10 @@ set -e
 
 # Configuration
 WORKSPACE="/home/runner/workspace"
-CLAUDE_PERSISTENT="${WORKSPACE}/.claude-persistent"
+CLAUDE_PERSISTENT="${CLAUDE_CONFIG_DIR:-${WORKSPACE}/.claude-persistent}"
 CLAUDE_LOCAL_SHARE="${WORKSPACE}/.local/share/claude"
 CLAUDE_VERSIONS="${CLAUDE_LOCAL_SHARE}/versions"
+AUTH_REFRESH_SCRIPT="${WORKSPACE}/scripts/claude-auth-refresh.sh"
 
 # Target locations (ephemeral, need symlinks)
 CLAUDE_SYMLINK="${HOME}/.claude"
@@ -39,6 +41,7 @@ mkdir -p "${CLAUDE_PERSISTENT}"
 mkdir -p "${CLAUDE_VERSIONS}"
 mkdir -p "${LOCAL_BIN}"
 mkdir -p "${HOME}/.local/share"
+mkdir -p "${WORKSPACE}/logs"
 
 # =============================================================================
 # Step 2: Create ~/.claude symlink for conversation history & credentials
@@ -63,7 +66,7 @@ fi
 # =============================================================================
 LATEST_VERSION=""
 if [ -d "${CLAUDE_VERSIONS}" ]; then
-    LATEST_VERSION=$(ls -1 "${CLAUDE_VERSIONS}" 2>/dev/null | sort -V | tail -n1)
+    LATEST_VERSION=$(ls -1 "${CLAUDE_VERSIONS}" 2>/dev/null | grep -v '^\.' | sort -V | tail -n1)
 fi
 
 if [ -n "${LATEST_VERSION}" ] && [ -f "${CLAUDE_VERSIONS}/${LATEST_VERSION}" ]; then
@@ -79,31 +82,19 @@ else
     # Claude not installed - install it
     log "⚠️  Claude Code not found, installing..."
 
-    # Install Claude Code using npm
-    if command -v npm &> /dev/null; then
-        npm install -g @anthropic-ai/claude-code 2>/dev/null || {
-            log "❌ Failed to install Claude Code via npm"
-            log "   Try running: npm install -g @anthropic-ai/claude-code"
-        }
-
-        # After npm install, the binary should be available
-        # Move it to our persistent location
-        if command -v claude &> /dev/null; then
-            INSTALLED_PATH=$(which claude)
-            if [ -f "${INSTALLED_PATH}" ] && [ ! -L "${INSTALLED_PATH}" ]; then
-                # Get version
-                VERSION=$(claude --version 2>/dev/null | grep -oP '\d+\.\d+\.\d+' | head -1)
-                if [ -n "${VERSION}" ]; then
-                    cp "${INSTALLED_PATH}" "${CLAUDE_VERSIONS}/${VERSION}"
-                    chmod +x "${CLAUDE_VERSIONS}/${VERSION}"
-                    rm -f "${LOCAL_BIN}/claude" 2>/dev/null || true
-                    ln -sf "${CLAUDE_VERSIONS}/${VERSION}" "${LOCAL_BIN}/claude"
-                    log "✅ Claude Code ${VERSION} installed and persisted"
-                fi
+    # Install Claude Code using the official installer
+    if curl -fsSL https://claude.ai/install.sh | bash 2>/dev/null; then
+        # After install, find the new version
+        if [ -d "${CLAUDE_VERSIONS}" ]; then
+            LATEST_VERSION=$(ls -1 "${CLAUDE_VERSIONS}" 2>/dev/null | grep -v '^\.' | sort -V | tail -n1)
+            if [ -n "${LATEST_VERSION}" ]; then
+                ln -sf "${CLAUDE_VERSIONS}/${LATEST_VERSION}" "${LOCAL_BIN}/claude"
+                log "✅ Claude Code ${LATEST_VERSION} installed"
             fi
         fi
     else
-        log "❌ npm not found, cannot install Claude Code"
+        log "❌ Failed to install Claude Code"
+        log "   Try running: curl -fsSL https://claude.ai/install.sh | bash"
     fi
 fi
 
@@ -115,11 +106,14 @@ if [[ ":$PATH:" != *":${LOCAL_BIN}:"* ]]; then
 fi
 
 # =============================================================================
-# Step 6: Verify authentication
+# Step 6: Auto-refresh OAuth token if needed
 # =============================================================================
 CREDENTIALS_FILE="${CLAUDE_PERSISTENT}/.credentials.json"
-if [ -f "${CREDENTIALS_FILE}" ]; then
-    # Check if credentials are valid (not expired)
+if [ -f "${CREDENTIALS_FILE}" ] && [ -f "${AUTH_REFRESH_SCRIPT}" ]; then
+    # Source the auth refresh script to get the function
+    source "${AUTH_REFRESH_SCRIPT}"
+
+    # Check and refresh if needed (this handles all the logic)
     if command -v node &> /dev/null; then
         AUTH_INFO=$(node -e "
             try {
@@ -127,37 +121,70 @@ if [ -f "${CREDENTIALS_FILE}" ]; then
                 const oauth = creds.claudeAiOauth;
                 const apiKey = creds.primaryApiKey;
                 if (apiKey) {
-                    // Long-lived API key - doesn't expire
-                    console.log('apikey');
+                    console.log('apikey:permanent');
                 } else if (oauth && oauth.expiresAt) {
-                    console.log(oauth.expiresAt);
+                    const now = Date.now();
+                    const remaining = Math.floor((oauth.expiresAt - now) / 1000 / 60 / 60);
+                    const hasRefresh = oauth.refreshToken ? 'yes' : 'no';
+                    console.log('oauth:' + remaining + ':' + hasRefresh);
                 }
-            } catch(e) {}
+            } catch(e) { console.log('error'); }
         " 2>/dev/null)
 
-        if [ "${AUTH_INFO}" = "apikey" ]; then
-            log "✅ Claude authentication: long-lived token (no expiration)"
-        elif [ -n "${AUTH_INFO}" ]; then
-            CURRENT_TIME=$(node -e "console.log(Date.now())" 2>/dev/null)
-            if [ -n "${CURRENT_TIME}" ] && [ "${AUTH_INFO}" -gt "${CURRENT_TIME}" ]; then
-                # Calculate time remaining
-                HOURS_LEFT=$(node -e "console.log(Math.floor((${AUTH_INFO} - ${CURRENT_TIME}) / 1000 / 60 / 60))" 2>/dev/null)
-                if [ "${HOURS_LEFT}" -lt 2 ]; then
-                    log "⚠️  Claude authentication: expires in ${HOURS_LEFT}h - run 'claude login' soon"
+        IFS=':' read -r auth_type remaining has_refresh <<< "${AUTH_INFO}"
+
+        if [ "${auth_type}" = "apikey" ]; then
+            log "✅ Claude authentication: API key (permanent)"
+        elif [ "${auth_type}" = "oauth" ]; then
+            if [ "${remaining}" -le 0 ]; then
+                # Token expired - try to refresh
+                if [ "${has_refresh}" = "yes" ]; then
+                    log "⚠️  Token expired, attempting refresh..."
+                    if refresh_token 2>/dev/null; then
+                        # Re-check the new expiry
+                        NEW_REMAINING=$(node -e "
+                            try {
+                                const creds = require('${CREDENTIALS_FILE}');
+                                const remaining = Math.floor((creds.claudeAiOauth.expiresAt - Date.now()) / 1000 / 60 / 60);
+                                console.log(remaining);
+                            } catch(e) { console.log('0'); }
+                        " 2>/dev/null)
+                        log "✅ Claude authentication: refreshed (${NEW_REMAINING}h remaining)"
+                    else
+                        log "❌ Token refresh failed - run: claude login"
+                    fi
+                else
+                    log "❌ Token expired (no refresh token) - run: claude login"
+                fi
+            elif [ "${remaining}" -lt 2 ]; then
+                # Less than 2 hours - refresh proactively
+                if [ "${has_refresh}" = "yes" ]; then
+                    log "🔄 Token expires in ${remaining}h, refreshing..."
+                    if refresh_token 2>/dev/null; then
+                        NEW_REMAINING=$(node -e "
+                            try {
+                                const creds = require('${CREDENTIALS_FILE}');
+                                const remaining = Math.floor((creds.claudeAiOauth.expiresAt - Date.now()) / 1000 / 60 / 60);
+                                console.log(remaining);
+                            } catch(e) { console.log('0'); }
+                        " 2>/dev/null)
+                        log "✅ Claude authentication: refreshed (${NEW_REMAINING}h remaining)"
+                    else
+                        log "⚠️  Refresh failed, ${remaining}h remaining"
+                    fi
                 else
-                    log "✅ Claude authentication: valid (${HOURS_LEFT}h remaining)"
+                    log "⚠️  Claude authentication: ${remaining}h remaining (no refresh token)"
                 fi
             else
-                log "⚠️  Claude authentication: expired, run 'claude login' to re-authenticate"
-                log "   💡 Tip: Run 'claude setup-token' for a long-lived token that won't expire"
+                log "✅ Claude authentication: valid (${remaining}h remaining)"
             fi
+        elif [ "${auth_type}" = "error" ]; then
+            log "⚠️  Could not read credentials"
         fi
-    else
-        log "✅ Claude credentials file exists (persisted in workspace)"
     fi
-else
+elif [ ! -f "${CREDENTIALS_FILE}" ]; then
     log "⚠️  No Claude credentials found. Run 'claude login' to authenticate"
-    log "   💡 Tip: Run 'claude setup-token' for a long-lived token that won't expire"
+    log "   💡 Tip: Run 'claude setup-token' for a long-lived token"
 fi
 
 # =============================================================================