npm - shiva-code - Versions diffs - 0.8.18 → 0.8.19 - Mend

shiva-code 0.8.18 → 0.8.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/{chunk-DG46WHXO.js → chunk-EHED4N6M.js} +1042 -927
package/dist/index.js +2 -2
package/dist/{login-ZDS66QHS.js → login-T7CFS3S7.js} +1 -1
package/package.json +1 -1

package/dist/{chunk-DG46WHXO.js → chunk-EHED4N6M.js} RENAMED Viewed

@@ -19,853 +19,6 @@ import {
 import { Command } from "commander";
 import inquirer2 from "inquirer";
-// src/services/auth/auth.ts
-import inquirer from "inquirer";
-import open from "open";
-import http from "http";
-import { URL } from "url";
-// src/services/auth/two-factor.ts
-import * as crypto from "crypto";
-function generateSecret(length = 20) {
-  const buffer = crypto.randomBytes(length);
-  return base32Encode(buffer);
-}
-function base32Encode(buffer) {
-  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
-  let result = "";
-  let bits = 0;
-  let value = 0;
-  for (let i = 0; i < buffer.length; i++) {
-    value = value << 8 | buffer[i];
-    bits += 8;
-    while (bits >= 5) {
-      result += alphabet[value >>> bits - 5 & 31];
-      bits -= 5;
-    }
-  }
-  if (bits > 0) {
-    result += alphabet[value << 5 - bits & 31];
-  }
-  return result;
-}
-function base32Decode(encoded) {
-  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
-  const lookup = /* @__PURE__ */ new Map();
-  for (let i = 0; i < alphabet.length; i++) {
-    lookup.set(alphabet[i], i);
-  }
-  const bytes = [];
-  let bits = 0;
-  let value = 0;
-  for (const char of encoded.toUpperCase()) {
-    if (char === "=") continue;
-    const index = lookup.get(char);
-    if (index === void 0) continue;
-    value = value << 5 | index;
-    bits += 5;
-    if (bits >= 8) {
-      bytes.push(value >>> bits - 8 & 255);
-      bits -= 8;
-    }
-  }
-  return Buffer.from(bytes);
-}
-function generateTOTP(secret, timeStep = 30) {
-  const time = Math.floor(Date.now() / 1e3 / timeStep);
-  const key = base32Decode(secret);
-  const counter = Buffer.alloc(8);
-  counter.writeBigUInt64BE(BigInt(time));
-  const hmac = crypto.createHmac("sha1", key);
-  hmac.update(counter);
-  const hash = hmac.digest();
-  const offset = hash[hash.length - 1] & 15;
-  const code = ((hash[offset] & 127) << 24 | (hash[offset + 1] & 255) << 16 | (hash[offset + 2] & 255) << 8 | hash[offset + 3] & 255) % 1e6;
-  return code.toString().padStart(6, "0");
-}
-function verifyTOTP(secret, code, timeStep = 30) {
-  for (let i = -1; i <= 1; i++) {
-    const time = Math.floor(Date.now() / 1e3 / timeStep) + i;
-    const expectedCode = generateTOTPForTime(secret, time, timeStep);
-    if (expectedCode === code) {
-      return true;
-    }
-  }
-  return false;
-}
-function generateTOTPForTime(secret, time, timeStep) {
-  const key = base32Decode(secret);
-  const counter = Buffer.alloc(8);
-  counter.writeBigUInt64BE(BigInt(time));
-  const hmac = crypto.createHmac("sha1", key);
-  hmac.update(counter);
-  const hash = hmac.digest();
-  const offset = hash[hash.length - 1] & 15;
-  const code = ((hash[offset] & 127) << 24 | (hash[offset + 1] & 255) << 16 | (hash[offset + 2] & 255) << 8 | hash[offset + 3] & 255) % 1e6;
-  return code.toString().padStart(6, "0");
-}
-function generateOtpAuthUrl(secret, email, issuer = "SHIVA Code") {
-  const encodedIssuer = encodeURIComponent(issuer);
-  const encodedEmail = encodeURIComponent(email);
-  return `otpauth://totp/${encodedIssuer}:${encodedEmail}?secret=${secret}&issuer=${encodedIssuer}&algorithm=SHA1&digits=6&period=30`;
-}
-function generateBackupCodes(count = 10) {
-  const codes = [];
-  for (let i = 0; i < count; i++) {
-    const buffer = crypto.randomBytes(6);
-    const code = buffer.toString("hex").toUpperCase();
-    codes.push(`${code.slice(0, 3)}-${code.slice(3, 6)}-${code.slice(6, 9)}-${code.slice(9, 12)}`);
-  }
-  return codes;
-}
-function generateDeviceFingerprint() {
-  const os = __require("os");
-  const components = [
-    os.hostname(),
-    os.platform(),
-    os.arch(),
-    os.cpus()[0]?.model || "unknown",
-    os.userInfo().username
-  ];
-  const fingerprint = crypto.createHash("sha256").update(components.join("|")).digest("hex").slice(0, 32);
-  return fingerprint;
-}
-function getDeviceName() {
-  const os = __require("os");
-  const hostname = os.hostname();
-  const platform = os.platform();
-  const platformNames = {
-    darwin: "macOS",
-    linux: "Linux",
-    win32: "Windows"
-  };
-  return `${hostname} (${platformNames[platform] || platform})`;
-}
-var TwoFactorService = class {
-  /**
-   * Start 2FA setup - generate secret and QR code
-   */
-  async startSetup(email) {
-    try {
-      const response = await api.setup2FA();
-      if (!response.setup) {
-        throw new Error(response.message || "2FA-Setup fehlgeschlagen");
-      }
-      return response.setup;
-    } catch (error) {
-      const secret = generateSecret();
-      const otpAuthUrl = generateOtpAuthUrl(secret, email);
-      const backupCodes = generateBackupCodes();
-      return {
-        secret,
-        qrCodeDataUrl: otpAuthUrl,
-        // In real implementation, would be a data URL
-        backupCodes
-      };
-    }
-  }
-  /**
-   * Verify TOTP code and complete setup
-   */
-  async verifySetup(code) {
-    try {
-      const response = await api.verify2FA(code);
-      return response.success;
-    } catch (error) {
-      throw error;
-    }
-  }
-  /**
-   * Verify TOTP code during login
-   */
-  async verifyCode(code) {
-    try {
-      const response = await api.verify2FACode(code);
-      return response.success;
-    } catch (error) {
-      throw error;
-    }
-  }
-  /**
-   * Verify backup code
-   */
-  async verifyBackupCode(code) {
-    try {
-      const response = await api.verifyBackupCode(code);
-      return response.success;
-    } catch (error) {
-      throw error;
-    }
-  }
-  /**
-   * Get 2FA status
-   */
-  async getStatus() {
-    try {
-      const response = await api.get2FAStatus();
-      return response;
-    } catch (error) {
-      return {
-        enabled: false,
-        backupCodesRemaining: 0
-      };
-    }
-  }
-  /**
-   * Disable 2FA
-   */
-  async disable(code) {
-    try {
-      const response = await api.disable2FA(code);
-      return response.success;
-    } catch (error) {
-      throw error;
-    }
-  }
-  /**
-   * Generate new backup codes
-   */
-  async regenerateBackupCodes() {
-    try {
-      const response = await api.regenerateBackupCodes();
-      return response.codes;
-    } catch (error) {
-      throw error;
-    }
-  }
-  /**
-   * Verify TOTP code locally (for testing)
-   */
-  verifyLocal(secret, code) {
-    return verifyTOTP(secret, code);
-  }
-  /**
-   * Generate TOTP code locally (for testing)
-   */
-  generateLocal(secret) {
-    return generateTOTP(secret);
-  }
-};
-var DeviceTrustService = class {
-  /**
-   * Get current device fingerprint
-   */
-  getFingerprint() {
-    return generateDeviceFingerprint();
-  }
-  /**
-   * Get current device name
-   */
-  getDeviceName() {
-    return getDeviceName();
-  }
-  /**
-   * Register current device as trusted
-   */
-  async trustDevice(name) {
-    const fingerprint = this.getFingerprint();
-    const deviceName = name || this.getDeviceName();
-    try {
-      const response = await api.trustDevice({
-        name: deviceName,
-        fingerprint
-      });
-      return response.device;
-    } catch (error) {
-      throw error;
-    }
-  }
-  /**
-   * Check if current device is trusted
-   */
-  async isDeviceTrusted() {
-    const fingerprint = this.getFingerprint();
-    try {
-      const devices = await api.getDevices();
-      return devices.devices.some((d) => d.fingerprint === fingerprint);
-    } catch (error) {
-      return false;
-    }
-  }
-  /**
-   * List all trusted devices
-   */
-  async listDevices() {
-    try {
-      const response = await api.getDevices();
-      const currentFingerprint = this.getFingerprint();
-      return response.devices.map((d) => ({
-        ...d,
-        isCurrent: d.fingerprint === currentFingerprint
-      }));
-    } catch (error) {
-      return [];
-    }
-  }
-  /**
-   * Revoke a trusted device
-   */
-  async revokeDevice(deviceId) {
-    try {
-      const response = await api.revokeDevice(deviceId);
-      return response.success;
-    } catch (error) {
-      throw error;
-    }
-  }
-  /**
-   * Revoke all devices except current
-   */
-  async revokeAllDevices() {
-    try {
-      const response = await api.revokeAllDevices();
-      return response.revokedCount;
-    } catch (error) {
-      throw error;
-    }
-  }
-};
-var twoFactorService = new TwoFactorService();
-var deviceTrustService = new DeviceTrustService();
-function displayQRCode(url) {
-  log.newline();
-  log.info("Scan diesen QR-Code mit deiner Authenticator App:");
-  log.newline();
-  log.dim("(QR-Code-Anzeige erfordert qrcode-terminal Paket)");
-  log.newline();
-  log.plain(`URL: ${url}`);
-  log.newline();
-}
-function displayBackupCodes(codes) {
-  log.newline();
-  console.log(colors.orange.bold("Backup-Codes (speichern!)"));
-  console.log(colors.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-  log.newline();
-  for (let i = 0; i < codes.length; i++) {
-    console.log(`  ${i + 1}. ${codes[i]}`);
-  }
-  log.newline();
-  log.warn("Diese Codes k\xF6nnen nur einmal verwendet werden!");
-  log.dim("Speichere sie an einem sicheren Ort.");
-  log.newline();
-}
-function displayDevices(devices) {
-  log.newline();
-  console.log(colors.orange.bold("Vertrauensw\xFCrdige Ger\xE4te"));
-  console.log(colors.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-  log.newline();
-  if (devices.length === 0) {
-    log.dim("Keine Ger\xE4te registriert");
-    return;
-  }
-  for (const device of devices) {
-    const current = device.isCurrent ? colors.green(" (aktuell)") : "";
-    console.log(`  ${device.name}${current}`);
-    log.dim(`    ID: ${device.id}`);
-    log.dim(`    Zuletzt: ${formatRelativeTime(device.lastUsed)}`);
-    if (device.expiresAt) {
-      log.dim(`    L\xE4uft ab: ${formatRelativeTime(device.expiresAt)}`);
-    } else {
-      log.dim("    L\xE4uft ab: nie");
-    }
-    log.newline();
-  }
-}
-function formatRelativeTime(dateStr) {
-  const date = new Date(dateStr);
-  const now = /* @__PURE__ */ new Date();
-  const diffMs = now.getTime() - date.getTime();
-  const diffSec = Math.floor(diffMs / 1e3);
-  const diffMin = Math.floor(diffSec / 60);
-  const diffHour = Math.floor(diffMin / 60);
-  const diffDay = Math.floor(diffHour / 24);
-  if (diffSec < 60) return "gerade eben";
-  if (diffMin < 60) return `vor ${diffMin} Minuten`;
-  if (diffHour < 24) return `vor ${diffHour} Stunden`;
-  if (diffDay < 30) return `vor ${diffDay} Tagen`;
-  return date.toLocaleDateString("de-DE");
-}
-// src/services/auth/auth.ts
-var PORT_RANGE_START = 9876;
-var PORT_RANGE_END = 9886;
-async function loginWithOtp(email) {
-  try {
-    log.info(`Sende Login-Code an ${email}...`);
-    const otpResponse = await api.requestOtp(email);
-    if (!otpResponse.success) {
-      log.error(otpResponse.message || "Fehler beim Senden des Codes");
-      return false;
-    }
-    log.success("Code wurde gesendet!");
-    log.dim(`Verbleibende Versuche: ${otpResponse.remainingAttempts}`);
-    log.newline();
-    const { otp } = await inquirer.prompt([
-      {
-        type: "input",
-        name: "otp",
-        message: "Code eingeben:",
-        validate: (input) => {
-          if (!/^\d{6}$/.test(input)) {
-            return "Bitte gib den 6-stelligen Code ein";
-          }
-          return true;
-        }
-      }
-    ]);
-    const authResponse = await api.verifyOtp(otpResponse.token, otp);
-    if (authResponse.requires2FA && authResponse.tempToken) {
-      log.newline();
-      log.info("2FA ist aktiviert. Bitte verifiziere dich.");
-      log.newline();
-      const result = await handle2FALoginFlow(authResponse.tempToken, authResponse.email || email);
-      return result;
-    }
-    if (!authResponse.success || !authResponse.token || !authResponse.user) {
-      log.error(authResponse.message || "Ung\xFCltiger Code");
-      return false;
-    }
-    setAuth(authResponse.token, authResponse.user);
-    log.newline();
-    log.success(`Angemeldet als ${authResponse.user.email} (${authResponse.user.tier.toUpperCase()})`);
-    return true;
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unbekannter Fehler";
-    log.error(`Login fehlgeschlagen: ${message}`);
-    return false;
-  }
-}
-async function handle2FALoginFlow(tempToken, email) {
-  const MAX_ATTEMPTS = 3;
-  for (let attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
-    const { code } = await inquirer.prompt([{
-      type: "input",
-      name: "code",
-      message: "2FA-Code (6 Ziffern oder Backup-Code):",
-      validate: (input) => {
-        if (/^\d{6}$/.test(input) || /^[A-Za-z0-9-]+$/.test(input)) {
-          return true;
-        }
-        return "Bitte gib einen g\xFCltigen Code ein";
-      }
-    }]);
-    const { rememberDevice } = await inquirer.prompt([{
-      type: "confirm",
-      name: "rememberDevice",
-      message: "Diesem Ger\xE4t vertrauen?",
-      default: true
-    }]);
-    try {
-      const result = await api.validate2FALogin({
-        tempToken,
-        code,
-        rememberDevice
-      });
-      if (result.success && result.token && result.user) {
-        setAuth(result.token, result.user);
-        if (result.method === "backup" && result.backupCodesRemaining !== void 0) {
-          log.warn(`Backup-Code verwendet. Noch ${result.backupCodesRemaining} Codes \xFCbrig.`);
-        }
-        log.newline();
-        log.success(`Angemeldet als ${result.user.email} (${result.user.tier.toUpperCase()})`);
-        return true;
-      }
-      if (attempt < MAX_ATTEMPTS) {
-        log.error(`Ung\xFCltiger Code. Noch ${MAX_ATTEMPTS - attempt} Versuche.`);
-      }
-    } catch (error) {
-      const message = error instanceof Error ? error.message : "Verifizierung fehlgeschlagen";
-      if (message.includes("expired") || message.includes("abgelaufen")) {
-        log.error("2FA-Token abgelaufen. Bitte erneut anmelden.");
-        return false;
-      }
-      if (attempt < MAX_ATTEMPTS) {
-        log.error(`${message}. Noch ${MAX_ATTEMPTS - attempt} Versuche.`);
-      }
-    }
-  }
-  log.error("2FA-Verifizierung fehlgeschlagen");
-  return false;
-}
-async function findAvailablePort() {
-  for (let port = PORT_RANGE_START; port <= PORT_RANGE_END; port++) {
-    const isAvailable = await checkPort(port);
-    if (isAvailable) {
-      return port;
-    }
-  }
-  throw new Error("Kein freier Port f\xFCr Callback-Server gefunden");
-}
-function checkPort(port) {
-  return new Promise((resolve) => {
-    const server = http.createServer();
-    server.once("error", () => resolve(false));
-    server.once("listening", () => {
-      server.close();
-      resolve(true);
-    });
-    server.listen(port, "127.0.0.1");
-  });
-}
-function getCallbackHtml(type, data) {
-  const baseStyles = `
-    * { margin: 0; padding: 0; box-sizing: border-box; }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
-      min-height: 100vh;
-      display: flex;
-      align-items: center;
-      justify-content: center;
-      background: linear-gradient(135deg, #0a0a0a 0%, #1a1a2e 50%, #16213e 100%);
-      color: #fff;
-    }
-    .container {
-      text-align: center;
-      padding: 3rem;
-      max-width: 420px;
-    }
-    .logo {
-      width: 80px;
-      height: 80px;
-      margin: 0 auto 1.5rem;
-      background: linear-gradient(135deg, #f97316 0%, #ea580c 100%);
-      border-radius: 20px;
-      display: flex;
-      align-items: center;
-      justify-content: center;
-      box-shadow: 0 10px 40px rgba(249, 115, 22, 0.3);
-    }
-    .logo svg {
-      width: 48px;
-      height: 48px;
-    }
-    h1 {
-      font-size: 1.75rem;
-      font-weight: 700;
-      margin-bottom: 0.75rem;
-    }
-    .subtitle {
-      color: #9ca3af;
-      font-size: 1rem;
-      line-height: 1.5;
-    }
-    .email {
-      color: #f97316;
-      font-weight: 600;
-    }
-    .status-icon {
-      width: 64px;
-      height: 64px;
-      margin: 0 auto 1.5rem;
-      border-radius: 50%;
-      display: flex;
-      align-items: center;
-      justify-content: center;
-    }
-    .status-icon.success {
-      background: linear-gradient(135deg, #22c55e 0%, #16a34a 100%);
-      box-shadow: 0 10px 40px rgba(34, 197, 94, 0.3);
-    }
-    .status-icon.error {
-      background: linear-gradient(135deg, #ef4444 0%, #dc2626 100%);
-      box-shadow: 0 10px 40px rgba(239, 68, 68, 0.3);
-    }
-    .status-icon svg {
-      width: 32px;
-      height: 32px;
-    }
-    .spinner {
-      width: 48px;
-      height: 48px;
-      margin: 0 auto 1.5rem;
-      border: 3px solid rgba(249, 115, 22, 0.2);
-      border-top-color: #f97316;
-      border-radius: 50%;
-      animation: spin 1s linear infinite;
-    }
-    @keyframes spin {
-      to { transform: rotate(360deg); }
-    }
-    .hint {
-      margin-top: 1.5rem;
-      padding-top: 1.5rem;
-      border-top: 1px solid rgba(255, 255, 255, 0.1);
-      color: #6b7280;
-      font-size: 0.875rem;
-    }
-  `;
-  const shivaLogo = `<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M12 2L2 7l10 5 10-5-10-5z"/><path d="M2 17l10 5 10-5"/><path d="M2 12l10 5 10-5"/></svg>`;
-  const checkIcon = `<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="3" stroke-linecap="round" stroke-linejoin="round"><polyline points="20 6 9 17 4 12"/></svg>`;
-  const xIcon = `<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="3" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>`;
-  if (type === "success") {
-    return `<!DOCTYPE html>
-<html lang="de">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>SHIVA CLI - Angemeldet</title>
-  <style>${baseStyles}</style>
-</head>
-<body>
-  <div class="container">
-    <div class="status-icon success">${checkIcon}</div>
-    <h1>Erfolgreich angemeldet!</h1>
-    <p class="subtitle">Willkommen zur\xFCck, <span class="email">${data.email}</span></p>
-    <p class="hint">Du kannst dieses Fenster jetzt schlie\xDFen und zum Terminal zur\xFCckkehren.</p>
-  </div>
-  <script>setTimeout(() => window.close(), 3000);</script>
-</body>
-</html>`;
-  }
-  if (type === "error") {
-    return `<!DOCTYPE html>
-<html lang="de">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>SHIVA CLI - Fehler</title>
-  <style>${baseStyles}</style>
-</head>
-<body>
-  <div class="container">
-    <div class="status-icon error">${xIcon}</div>
-    <h1>Anmeldung fehlgeschlagen</h1>
-    <p class="subtitle">${data.message || "Ein unbekannter Fehler ist aufgetreten."}</p>
-    <p class="hint">Du kannst dieses Fenster schlie\xDFen und es erneut versuchen.</p>
-  </div>
-</body>
-</html>`;
-  }
-  return `<!DOCTYPE html>
-<html lang="de">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>SHIVA CLI</title>
-  <style>${baseStyles}</style>
-</head>
-<body>
-  <div class="container">
-    <div class="logo">${shivaLogo}</div>
-    <div class="spinner"></div>
-    <h1>SHIVA CLI</h1>
-    <p class="subtitle">Warte auf Login-Callback...</p>
-  </div>
-</body>
-</html>`;
-}
-function startCallbackServer(port) {
-  return new Promise((resolve, reject) => {
-    const server = http.createServer((req, res) => {
-      const url = new URL(req.url || "/", `http://127.0.0.1:${port}`);
-      if (url.pathname === "/callback") {
-        const token = url.searchParams.get("token");
-        const userId = url.searchParams.get("userId");
-        const email = url.searchParams.get("email");
-        const tier = url.searchParams.get("tier");
-        const error = url.searchParams.get("error");
-        if (error) {
-          res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-          res.end(getCallbackHtml("error", { message: error }));
-          server.close();
-          reject(new Error(error));
-          return;
-        }
-        if (!token || !userId || !email) {
-          res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
-          res.end(getCallbackHtml("error", { message: "Token oder Benutzer-Daten fehlen." }));
-          server.close();
-          reject(new Error("Ung\xFCltige Callback-Parameter"));
-          return;
-        }
-        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-        res.end(getCallbackHtml("success", { email }));
-        setTimeout(() => {
-          server.close();
-          resolve({
-            token,
-            user: {
-              id: parseInt(userId, 10),
-              email,
-              tier: tier || "free"
-            }
-          });
-        }, 100);
-        return;
-      }
-      res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-      res.end(getCallbackHtml("waiting", {}));
-    });
-    const timeout = setTimeout(() => {
-      server.close();
-      reject(new Error("Login-Timeout - keine Antwort erhalten"));
-    }, 3e5);
-    server.once("close", () => {
-      clearTimeout(timeout);
-    });
-    server.once("error", (err) => {
-      clearTimeout(timeout);
-      reject(err);
-    });
-    server.listen(port, "127.0.0.1");
-  });
-}
-async function loginWithBrowser() {
-  const config = getConfig();
-  try {
-    const port = await findAvailablePort();
-    const callbackUrl = `http://127.0.0.1:${port}/callback`;
-    const baseUrl = config.apiEndpoint.replace("/api", "");
-    const loginUrl = `${baseUrl}/auth/cli-login?callback=${encodeURIComponent(callbackUrl)}`;
-    const serverPromise = startCallbackServer(port);
-    log.newline();
-    log.info("\xD6ffne Browser zur Anmeldung...");
-    try {
-      await open(loginUrl);
-    } catch {
-    }
-    log.newline();
-    log.plain("Bitte \xF6ffne diese URL in deinem Browser um die Anmeldung abzuschlie\xDFen:");
-    log.newline();
-    console.log(`  ${colors.cyan(loginUrl)}`);
-    log.newline();
-    log.dim("Warte auf Anmeldung... (Timeout: 5 Minuten)");
-    log.newline();
-    const result = await serverPromise;
-    setAuth(result.token, result.user);
-    try {
-      const tfaStatus = await twoFactorService.getStatus();
-      if (tfaStatus.enabled) {
-        log.newline();
-        log.info("2FA ist aktiviert. Bitte verifiziere dich.");
-        log.newline();
-        const isDeviceTrusted = await deviceTrustService.isDeviceTrusted();
-        if (!isDeviceTrusted) {
-          const verified = await prompt2FAVerification();
-          if (!verified) {
-            clearAuth();
-            log.error("2FA-Verifizierung fehlgeschlagen");
-            return false;
-          }
-          const { trustDevice } = await inquirer.prompt([{
-            type: "confirm",
-            name: "trustDevice",
-            message: "Diesem Ger\xE4t vertrauen?",
-            default: true
-          }]);
-          if (trustDevice) {
-            try {
-              await deviceTrustService.trustDevice();
-              log.success("Ger\xE4t als vertrauensw\xFCrdig markiert");
-            } catch {
-            }
-          }
-        } else {
-          log.dim("Ger\xE4t ist vertrauensw\xFCrdig - 2FA \xFCbersprungen");
-        }
-      }
-    } catch {
-    }
-    log.success(`Angemeldet als ${result.user.email} (${result.user.tier.toUpperCase()})`);
-    return true;
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unbekannter Fehler";
-    log.error(`Login fehlgeschlagen: ${message}`);
-    log.newline();
-    log.info("Fallback: Manueller Token-Eintrag");
-    const loginUrl = `${config.apiEndpoint.replace("/api", "")}/auth/cli-login`;
-    log.dim(`URL: ${loginUrl}`);
-    log.newline();
-    const { useManual } = await inquirer.prompt([{
-      type: "confirm",
-      name: "useManual",
-      message: "Token manuell eingeben?",
-      default: true
-    }]);
-    if (!useManual) {
-      return false;
-    }
-    try {
-      await open(loginUrl);
-    } catch {
-      log.dim("Browser konnte nicht ge\xF6ffnet werden");
-      log.dim(`\xD6ffne manuell: ${loginUrl}`);
-    }
-    const { token } = await inquirer.prompt([{
-      type: "password",
-      name: "token",
-      message: "Token:",
-      mask: "*"
-    }]);
-    if (!token) {
-      log.error("Kein Token eingegeben");
-      return false;
-    }
-    setAuth(token, { id: 0, email: "", tier: "free" });
-    try {
-      const response = await api.getCurrentUser();
-      setAuth(token, response.user);
-      log.success(`Angemeldet als ${response.user.email}`);
-      return true;
-    } catch {
-      clearAuth();
-      log.error("Ung\xFCltiger Token");
-      return false;
-    }
-  }
-}
-function logout() {
-  clearAuth();
-  log.success("Abgemeldet");
-}
-async function prompt2FAVerification() {
-  const MAX_ATTEMPTS = 3;
-  for (let attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
-    const { method } = await inquirer.prompt([{
-      type: "list",
-      name: "method",
-      message: "Verifizierungsmethode:",
-      choices: [
-        { name: "Authenticator App Code", value: "totp" },
-        { name: "Backup Code", value: "backup" },
-        { name: "Abbrechen", value: "cancel" }
-      ]
-    }]);
-    if (method === "cancel") {
-      return false;
-    }
-    const promptMessage = method === "totp" ? "6-stelliger Code aus deiner Authenticator App:" : "Backup-Code (Format: XXX-XXX-XXX-XXX):";
-    const { code } = await inquirer.prompt([{
-      type: "input",
-      name: "code",
-      message: promptMessage,
-      validate: (input) => {
-        if (method === "totp") {
-          return /^\d{6}$/.test(input) || "Bitte gib einen 6-stelligen Code ein";
-        }
-        return input.length > 0 || "Bitte gib einen Backup-Code ein";
-      }
-    }]);
-    try {
-      let verified = false;
-      if (method === "totp") {
-        verified = await twoFactorService.verifyCode(code);
-      } else {
-        verified = await twoFactorService.verifyBackupCode(code);
-      }
-      if (verified) {
-        log.success("2FA-Verifizierung erfolgreich");
-        return true;
-      }
-    } catch (error) {
-    }
-    if (attempt < MAX_ATTEMPTS) {
-      log.error(`Ung\xFCltiger Code. Noch ${MAX_ATTEMPTS - attempt} Versuche.`);
-    }
-  }
-  return false;
-}
 // src/i18n/locales/de.json
 var de_default = {
   common: {
@@ -928,7 +81,20 @@ var de_default = {
     invalidEmail: "Bitte gib eine gultige Email-Adresse ein",
     twoFactorEnabled: "2FA aktiviert.",
     twoFactorDisabled: "2FA deaktiviert.",
-    invalidToken: "Ungultiger Token."
+    invalidToken: "Ungultiger Token.",
+    callback: {
+      successTitle: "Erfolgreich angemeldet!",
+      successSubtitle: "Willkommen zur\xFCck,",
+      successHint: "Du kannst dieses Fenster jetzt schlie\xDFen und zum Terminal zur\xFCckkehren.",
+      errorTitle: "Anmeldung fehlgeschlagen",
+      errorDefault: "Ein unbekannter Fehler ist aufgetreten.",
+      errorHint: "Du kannst dieses Fenster schlie\xDFen und es erneut versuchen.",
+      waitingTitle: "Authentifizierung",
+      waitingSubtitle: "Warte auf Login-Best\xE4tigung...",
+      pageTitle: "SHIVA Code",
+      pageTitleSuccess: "SHIVA Code - Angemeldet",
+      pageTitleError: "SHIVA Code - Fehler"
+    }
   },
   errors: {
     unknown: "Ein unbekannter Fehler ist aufgetreten",
@@ -2977,7 +2143,20 @@ var en_default = {
     invalidEmail: "Please enter a valid email address",
     twoFactorEnabled: "2FA enabled.",
     twoFactorDisabled: "2FA disabled.",
-    invalidToken: "Invalid token."
+    invalidToken: "Invalid token.",
+    callback: {
+      successTitle: "Successfully logged in!",
+      successSubtitle: "Welcome back,",
+      successHint: "You can now close this window and return to the terminal.",
+      errorTitle: "Login failed",
+      errorDefault: "An unknown error occurred.",
+      errorHint: "You can close this window and try again.",
+      waitingTitle: "Authentication",
+      waitingSubtitle: "Waiting for login confirmation...",
+      pageTitle: "SHIVA Code",
+      pageTitleSuccess: "SHIVA Code - Logged in",
+      pageTitleError: "SHIVA Code - Error"
+    }
   },
   errors: {
     unknown: "An unknown error occurred",
@@ -4656,7 +3835,20 @@ var fr_default = {
     invalidEmail: "Veuillez entrer une adresse email valide",
     twoFactorEnabled: "2FA active.",
     twoFactorDisabled: "2FA desactive.",
-    invalidToken: "Token invalide."
+    invalidToken: "Token invalide.",
+    callback: {
+      successTitle: "Connexion r\xE9ussie!",
+      successSubtitle: "Bienvenue,",
+      successHint: "Vous pouvez maintenant fermer cette fen\xEAtre et retourner au terminal.",
+      errorTitle: "\xC9chec de la connexion",
+      errorDefault: "Une erreur inconnue s'est produite.",
+      errorHint: "Vous pouvez fermer cette fen\xEAtre et r\xE9essayer.",
+      waitingTitle: "Authentification",
+      waitingSubtitle: "En attente de la confirmation...",
+      pageTitle: "SHIVA Code",
+      pageTitleSuccess: "SHIVA Code - Connect\xE9",
+      pageTitleError: "SHIVA Code - Erreur"
+    }
   },
   errors: {
     unknown: "Une erreur inconnue s'est produite",
@@ -6284,7 +5476,20 @@ var es_default = {
     invalidEmail: "Por favor introduce una direccion de email valida",
     twoFactorEnabled: "2FA habilitado.",
     twoFactorDisabled: "2FA deshabilitado.",
-    invalidToken: "Token invalido."
+    invalidToken: "Token invalido.",
+    callback: {
+      successTitle: "\xA1Sesi\xF3n iniciada con \xE9xito!",
+      successSubtitle: "Bienvenido de nuevo,",
+      successHint: "Ahora puedes cerrar esta ventana y volver al terminal.",
+      errorTitle: "Error de inicio de sesi\xF3n",
+      errorDefault: "Ha ocurrido un error desconocido.",
+      errorHint: "Puedes cerrar esta ventana e intentarlo de nuevo.",
+      waitingTitle: "Autenticaci\xF3n",
+      waitingSubtitle: "Esperando confirmaci\xF3n de inicio de sesi\xF3n...",
+      pageTitle: "SHIVA Code",
+      pageTitleSuccess: "SHIVA Code - Conectado",
+      pageTitleError: "SHIVA Code - Error"
+    }
   },
   errors: {
     unknown: "Ha ocurrido un error desconocido",
@@ -8227,94 +7432,1004 @@ var es_default = {
     deletedInfo: "Todos los datos del proyecto han sido eliminados de la nube."
   }
 };
-// src/i18n/types.ts
-var SUPPORTED_LANGUAGES = ["de", "en", "fr", "es"];
-var LANGUAGE_NAMES = {
-  de: "Deutsch",
-  en: "English",
-  fr: "Francais",
-  es: "Espanol"
+// src/i18n/types.ts
+var SUPPORTED_LANGUAGES = ["de", "en", "fr", "es"];
+var LANGUAGE_NAMES = {
+  de: "Deutsch",
+  en: "English",
+  fr: "Francais",
+  es: "Espanol"
+};
+// src/i18n/index.ts
+var translations = {
+  de: de_default,
+  en: en_default,
+  fr: fr_default,
+  es: es_default
+};
+var currentLanguage = "de";
+function setLanguage(lang) {
+  currentLanguage = lang;
+}
+function getLanguage() {
+  return currentLanguage;
+}
+function isValidLanguage(lang) {
+  return ["de", "en", "fr", "es"].includes(lang);
+}
+function t(key, params) {
+  const keys = key.split(".");
+  let value = translations[currentLanguage];
+  for (const k of keys) {
+    if (value && typeof value === "object" && k in value) {
+      value = value[k];
+    } else {
+      value = void 0;
+      break;
+    }
+  }
+  if (typeof value !== "string") {
+    value = keys.reduce(
+      (obj, k) => obj && typeof obj === "object" && k in obj ? obj[k] : void 0,
+      translations.de
+    );
+  }
+  if (typeof value !== "string") {
+    return key;
+  }
+  if (params) {
+    for (const [param, val] of Object.entries(params)) {
+      value = value.replace(new RegExp(`\\{${param}\\}`, "g"), String(val));
+    }
+  }
+  return value;
+}
+function tArray(key) {
+  const keys = key.split(".");
+  let value = translations[currentLanguage];
+  for (const k of keys) {
+    if (value && typeof value === "object" && k in value) {
+      value = value[k];
+    } else {
+      value = void 0;
+      break;
+    }
+  }
+  if (!Array.isArray(value)) {
+    value = keys.reduce(
+      (obj, k) => obj && typeof obj === "object" && k in obj ? obj[k] : void 0,
+      translations.de
+    );
+  }
+  return Array.isArray(value) ? value : [];
+}
+function initializeLanguage(storedLang) {
+  if (storedLang && isValidLanguage(storedLang)) {
+    setLanguage(storedLang);
+    return;
+  }
+  try {
+    const systemLocale = Intl.DateTimeFormat().resolvedOptions().locale;
+    const langCode = systemLocale.split("-")[0].toLowerCase();
+    if (isValidLanguage(langCode)) {
+      setLanguage(langCode);
+      return;
+    }
+  } catch {
+  }
+  setLanguage("de");
+}
+// src/services/auth/auth.ts
+import inquirer from "inquirer";
+import open from "open";
+import http from "http";
+import { URL } from "url";
+// src/services/auth/two-factor.ts
+import * as crypto from "crypto";
+function generateSecret(length = 20) {
+  const buffer = crypto.randomBytes(length);
+  return base32Encode(buffer);
+}
+function base32Encode(buffer) {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+  let result = "";
+  let bits = 0;
+  let value = 0;
+  for (let i = 0; i < buffer.length; i++) {
+    value = value << 8 | buffer[i];
+    bits += 8;
+    while (bits >= 5) {
+      result += alphabet[value >>> bits - 5 & 31];
+      bits -= 5;
+    }
+  }
+  if (bits > 0) {
+    result += alphabet[value << 5 - bits & 31];
+  }
+  return result;
+}
+function base32Decode(encoded) {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+  const lookup = /* @__PURE__ */ new Map();
+  for (let i = 0; i < alphabet.length; i++) {
+    lookup.set(alphabet[i], i);
+  }
+  const bytes = [];
+  let bits = 0;
+  let value = 0;
+  for (const char of encoded.toUpperCase()) {
+    if (char === "=") continue;
+    const index = lookup.get(char);
+    if (index === void 0) continue;
+    value = value << 5 | index;
+    bits += 5;
+    if (bits >= 8) {
+      bytes.push(value >>> bits - 8 & 255);
+      bits -= 8;
+    }
+  }
+  return Buffer.from(bytes);
+}
+function generateTOTP(secret, timeStep = 30) {
+  const time = Math.floor(Date.now() / 1e3 / timeStep);
+  const key = base32Decode(secret);
+  const counter = Buffer.alloc(8);
+  counter.writeBigUInt64BE(BigInt(time));
+  const hmac = crypto.createHmac("sha1", key);
+  hmac.update(counter);
+  const hash = hmac.digest();
+  const offset = hash[hash.length - 1] & 15;
+  const code = ((hash[offset] & 127) << 24 | (hash[offset + 1] & 255) << 16 | (hash[offset + 2] & 255) << 8 | hash[offset + 3] & 255) % 1e6;
+  return code.toString().padStart(6, "0");
+}
+function verifyTOTP(secret, code, timeStep = 30) {
+  for (let i = -1; i <= 1; i++) {
+    const time = Math.floor(Date.now() / 1e3 / timeStep) + i;
+    const expectedCode = generateTOTPForTime(secret, time, timeStep);
+    if (expectedCode === code) {
+      return true;
+    }
+  }
+  return false;
+}
+function generateTOTPForTime(secret, time, timeStep) {
+  const key = base32Decode(secret);
+  const counter = Buffer.alloc(8);
+  counter.writeBigUInt64BE(BigInt(time));
+  const hmac = crypto.createHmac("sha1", key);
+  hmac.update(counter);
+  const hash = hmac.digest();
+  const offset = hash[hash.length - 1] & 15;
+  const code = ((hash[offset] & 127) << 24 | (hash[offset + 1] & 255) << 16 | (hash[offset + 2] & 255) << 8 | hash[offset + 3] & 255) % 1e6;
+  return code.toString().padStart(6, "0");
+}
+function generateOtpAuthUrl(secret, email, issuer = "SHIVA Code") {
+  const encodedIssuer = encodeURIComponent(issuer);
+  const encodedEmail = encodeURIComponent(email);
+  return `otpauth://totp/${encodedIssuer}:${encodedEmail}?secret=${secret}&issuer=${encodedIssuer}&algorithm=SHA1&digits=6&period=30`;
+}
+function generateBackupCodes(count = 10) {
+  const codes = [];
+  for (let i = 0; i < count; i++) {
+    const buffer = crypto.randomBytes(6);
+    const code = buffer.toString("hex").toUpperCase();
+    codes.push(`${code.slice(0, 3)}-${code.slice(3, 6)}-${code.slice(6, 9)}-${code.slice(9, 12)}`);
+  }
+  return codes;
+}
+function generateDeviceFingerprint() {
+  const os = __require("os");
+  const components = [
+    os.hostname(),
+    os.platform(),
+    os.arch(),
+    os.cpus()[0]?.model || "unknown",
+    os.userInfo().username
+  ];
+  const fingerprint = crypto.createHash("sha256").update(components.join("|")).digest("hex").slice(0, 32);
+  return fingerprint;
+}
+function getDeviceName() {
+  const os = __require("os");
+  const hostname = os.hostname();
+  const platform = os.platform();
+  const platformNames = {
+    darwin: "macOS",
+    linux: "Linux",
+    win32: "Windows"
+  };
+  return `${hostname} (${platformNames[platform] || platform})`;
+}
+var TwoFactorService = class {
+  /**
+   * Start 2FA setup - generate secret and QR code
+   */
+  async startSetup(email) {
+    try {
+      const response = await api.setup2FA();
+      if (!response.setup) {
+        throw new Error(response.message || "2FA-Setup fehlgeschlagen");
+      }
+      return response.setup;
+    } catch (error) {
+      const secret = generateSecret();
+      const otpAuthUrl = generateOtpAuthUrl(secret, email);
+      const backupCodes = generateBackupCodes();
+      return {
+        secret,
+        qrCodeDataUrl: otpAuthUrl,
+        // In real implementation, would be a data URL
+        backupCodes
+      };
+    }
+  }
+  /**
+   * Verify TOTP code and complete setup
+   */
+  async verifySetup(code) {
+    try {
+      const response = await api.verify2FA(code);
+      return response.success;
+    } catch (error) {
+      throw error;
+    }
+  }
+  /**
+   * Verify TOTP code during login
+   */
+  async verifyCode(code) {
+    try {
+      const response = await api.verify2FACode(code);
+      return response.success;
+    } catch (error) {
+      throw error;
+    }
+  }
+  /**
+   * Verify backup code
+   */
+  async verifyBackupCode(code) {
+    try {
+      const response = await api.verifyBackupCode(code);
+      return response.success;
+    } catch (error) {
+      throw error;
+    }
+  }
+  /**
+   * Get 2FA status
+   */
+  async getStatus() {
+    try {
+      const response = await api.get2FAStatus();
+      return response;
+    } catch (error) {
+      return {
+        enabled: false,
+        backupCodesRemaining: 0
+      };
+    }
+  }
+  /**
+   * Disable 2FA
+   */
+  async disable(code) {
+    try {
+      const response = await api.disable2FA(code);
+      return response.success;
+    } catch (error) {
+      throw error;
+    }
+  }
+  /**
+   * Generate new backup codes
+   */
+  async regenerateBackupCodes() {
+    try {
+      const response = await api.regenerateBackupCodes();
+      return response.codes;
+    } catch (error) {
+      throw error;
+    }
+  }
+  /**
+   * Verify TOTP code locally (for testing)
+   */
+  verifyLocal(secret, code) {
+    return verifyTOTP(secret, code);
+  }
+  /**
+   * Generate TOTP code locally (for testing)
+   */
+  generateLocal(secret) {
+    return generateTOTP(secret);
+  }
+};
+var DeviceTrustService = class {
+  /**
+   * Get current device fingerprint
+   */
+  getFingerprint() {
+    return generateDeviceFingerprint();
+  }
+  /**
+   * Get current device name
+   */
+  getDeviceName() {
+    return getDeviceName();
+  }
+  /**
+   * Register current device as trusted
+   */
+  async trustDevice(name) {
+    const fingerprint = this.getFingerprint();
+    const deviceName = name || this.getDeviceName();
+    try {
+      const response = await api.trustDevice({
+        name: deviceName,
+        fingerprint
+      });
+      return response.device;
+    } catch (error) {
+      throw error;
+    }
+  }
+  /**
+   * Check if current device is trusted
+   */
+  async isDeviceTrusted() {
+    const fingerprint = this.getFingerprint();
+    try {
+      const devices = await api.getDevices();
+      return devices.devices.some((d) => d.fingerprint === fingerprint);
+    } catch (error) {
+      return false;
+    }
+  }
+  /**
+   * List all trusted devices
+   */
+  async listDevices() {
+    try {
+      const response = await api.getDevices();
+      const currentFingerprint = this.getFingerprint();
+      return response.devices.map((d) => ({
+        ...d,
+        isCurrent: d.fingerprint === currentFingerprint
+      }));
+    } catch (error) {
+      return [];
+    }
+  }
+  /**
+   * Revoke a trusted device
+   */
+  async revokeDevice(deviceId) {
+    try {
+      const response = await api.revokeDevice(deviceId);
+      return response.success;
+    } catch (error) {
+      throw error;
+    }
+  }
+  /**
+   * Revoke all devices except current
+   */
+  async revokeAllDevices() {
+    try {
+      const response = await api.revokeAllDevices();
+      return response.revokedCount;
+    } catch (error) {
+      throw error;
+    }
+  }
 };
+var twoFactorService = new TwoFactorService();
+var deviceTrustService = new DeviceTrustService();
+function displayQRCode(url) {
+  log.newline();
+  log.info("Scan diesen QR-Code mit deiner Authenticator App:");
+  log.newline();
+  log.dim("(QR-Code-Anzeige erfordert qrcode-terminal Paket)");
+  log.newline();
+  log.plain(`URL: ${url}`);
+  log.newline();
+}
+function displayBackupCodes(codes) {
+  log.newline();
+  console.log(colors.orange.bold("Backup-Codes (speichern!)"));
+  console.log(colors.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  log.newline();
+  for (let i = 0; i < codes.length; i++) {
+    console.log(`  ${i + 1}. ${codes[i]}`);
+  }
+  log.newline();
+  log.warn("Diese Codes k\xF6nnen nur einmal verwendet werden!");
+  log.dim("Speichere sie an einem sicheren Ort.");
+  log.newline();
+}
+function displayDevices(devices) {
+  log.newline();
+  console.log(colors.orange.bold("Vertrauensw\xFCrdige Ger\xE4te"));
+  console.log(colors.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  log.newline();
+  if (devices.length === 0) {
+    log.dim("Keine Ger\xE4te registriert");
+    return;
+  }
+  for (const device of devices) {
+    const current = device.isCurrent ? colors.green(" (aktuell)") : "";
+    console.log(`  ${device.name}${current}`);
+    log.dim(`    ID: ${device.id}`);
+    log.dim(`    Zuletzt: ${formatRelativeTime(device.lastUsed)}`);
+    if (device.expiresAt) {
+      log.dim(`    L\xE4uft ab: ${formatRelativeTime(device.expiresAt)}`);
+    } else {
+      log.dim("    L\xE4uft ab: nie");
+    }
+    log.newline();
+  }
+}
+function formatRelativeTime(dateStr) {
+  const date = new Date(dateStr);
+  const now = /* @__PURE__ */ new Date();
+  const diffMs = now.getTime() - date.getTime();
+  const diffSec = Math.floor(diffMs / 1e3);
+  const diffMin = Math.floor(diffSec / 60);
+  const diffHour = Math.floor(diffMin / 60);
+  const diffDay = Math.floor(diffHour / 24);
+  if (diffSec < 60) return "gerade eben";
+  if (diffMin < 60) return `vor ${diffMin} Minuten`;
+  if (diffHour < 24) return `vor ${diffHour} Stunden`;
+  if (diffDay < 30) return `vor ${diffDay} Tagen`;
+  return date.toLocaleDateString("de-DE");
+}
-// src/i18n/index.ts
-var translations = {
-  de: de_default,
-  en: en_default,
-  fr: fr_default,
-  es: es_default
-};
-var currentLanguage = "de";
-function setLanguage(lang) {
-  currentLanguage = lang;
+// src/services/auth/auth.ts
+var PORT_RANGE_START = 9876;
+var PORT_RANGE_END = 9886;
+async function loginWithOtp(email) {
+  try {
+    log.info(`Sende Login-Code an ${email}...`);
+    const otpResponse = await api.requestOtp(email);
+    if (!otpResponse.success) {
+      log.error(otpResponse.message || "Fehler beim Senden des Codes");
+      return false;
+    }
+    log.success("Code wurde gesendet!");
+    log.dim(`Verbleibende Versuche: ${otpResponse.remainingAttempts}`);
+    log.newline();
+    const { otp } = await inquirer.prompt([
+      {
+        type: "input",
+        name: "otp",
+        message: "Code eingeben:",
+        validate: (input) => {
+          if (!/^\d{6}$/.test(input)) {
+            return "Bitte gib den 6-stelligen Code ein";
+          }
+          return true;
+        }
+      }
+    ]);
+    const authResponse = await api.verifyOtp(otpResponse.token, otp);
+    if (authResponse.requires2FA && authResponse.tempToken) {
+      log.newline();
+      log.info("2FA ist aktiviert. Bitte verifiziere dich.");
+      log.newline();
+      const result = await handle2FALoginFlow(authResponse.tempToken, authResponse.email || email);
+      return result;
+    }
+    if (!authResponse.success || !authResponse.token || !authResponse.user) {
+      log.error(authResponse.message || "Ung\xFCltiger Code");
+      return false;
+    }
+    setAuth(authResponse.token, authResponse.user);
+    log.newline();
+    log.success(`Angemeldet als ${authResponse.user.email} (${authResponse.user.tier.toUpperCase()})`);
+    return true;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unbekannter Fehler";
+    log.error(`Login fehlgeschlagen: ${message}`);
+    return false;
+  }
 }
-function getLanguage() {
-  return currentLanguage;
+async function handle2FALoginFlow(tempToken, email) {
+  const MAX_ATTEMPTS = 3;
+  for (let attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
+    const { code } = await inquirer.prompt([{
+      type: "input",
+      name: "code",
+      message: "2FA-Code (6 Ziffern oder Backup-Code):",
+      validate: (input) => {
+        if (/^\d{6}$/.test(input) || /^[A-Za-z0-9-]+$/.test(input)) {
+          return true;
+        }
+        return "Bitte gib einen g\xFCltigen Code ein";
+      }
+    }]);
+    const { rememberDevice } = await inquirer.prompt([{
+      type: "confirm",
+      name: "rememberDevice",
+      message: "Diesem Ger\xE4t vertrauen?",
+      default: true
+    }]);
+    try {
+      const result = await api.validate2FALogin({
+        tempToken,
+        code,
+        rememberDevice
+      });
+      if (result.success && result.token && result.user) {
+        setAuth(result.token, result.user);
+        if (result.method === "backup" && result.backupCodesRemaining !== void 0) {
+          log.warn(`Backup-Code verwendet. Noch ${result.backupCodesRemaining} Codes \xFCbrig.`);
+        }
+        log.newline();
+        log.success(`Angemeldet als ${result.user.email} (${result.user.tier.toUpperCase()})`);
+        return true;
+      }
+      if (attempt < MAX_ATTEMPTS) {
+        log.error(`Ung\xFCltiger Code. Noch ${MAX_ATTEMPTS - attempt} Versuche.`);
+      }
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Verifizierung fehlgeschlagen";
+      if (message.includes("expired") || message.includes("abgelaufen")) {
+        log.error("2FA-Token abgelaufen. Bitte erneut anmelden.");
+        return false;
+      }
+      if (attempt < MAX_ATTEMPTS) {
+        log.error(`${message}. Noch ${MAX_ATTEMPTS - attempt} Versuche.`);
+      }
+    }
+  }
+  log.error("2FA-Verifizierung fehlgeschlagen");
+  return false;
+}
+async function findAvailablePort() {
+  for (let port = PORT_RANGE_START; port <= PORT_RANGE_END; port++) {
+    const isAvailable = await checkPort(port);
+    if (isAvailable) {
+      return port;
+    }
+  }
+  throw new Error("Kein freier Port f\xFCr Callback-Server gefunden");
+}
+function checkPort(port) {
+  return new Promise((resolve) => {
+    const server = http.createServer();
+    server.once("error", () => resolve(false));
+    server.once("listening", () => {
+      server.close();
+      resolve(true);
+    });
+    server.listen(port, "127.0.0.1");
+  });
+}
+function getCallbackHtml(type, data) {
+  const baseStyles = `
+    @import url('https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap');
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: 'Inter', -apple-system, BlinkMacSystemFont, sans-serif;
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      background: #000000;
+      color: #fafafa;
+      position: relative;
+    }
+    body::before {
+      content: '';
+      position: fixed;
+      inset: 0;
+      background:
+        radial-gradient(ellipse at 20% 0%, rgba(255, 107, 44, 0.12) 0%, transparent 50%),
+        radial-gradient(ellipse at 80% 100%, rgba(0, 212, 255, 0.08) 0%, transparent 50%);
+      pointer-events: none;
+    }
+    .container {
+      text-align: center;
+      padding: 3rem;
+      max-width: 420px;
+      position: relative;
+      z-index: 1;
+    }
+    .logo {
+      width: 72px;
+      height: 72px;
+      margin: 0 auto 2rem;
+      color: #FF6B2C;
+      filter: drop-shadow(0 0 30px rgba(255, 107, 44, 0.4));
+    }
+    .logo svg {
+      width: 100%;
+      height: 100%;
+    }
+    .brand {
+      font-size: 0.875rem;
+      font-weight: 600;
+      letter-spacing: 0.1em;
+      text-transform: uppercase;
+      color: #a0a0a0;
+      margin-bottom: 2rem;
+    }
+    h1 {
+      font-size: 2rem;
+      font-weight: 700;
+      margin-bottom: 0.75rem;
+      background: linear-gradient(135deg, #fafafa 0%, #a0a0a0 100%);
+      -webkit-background-clip: text;
+      -webkit-text-fill-color: transparent;
+      background-clip: text;
+    }
+    .subtitle {
+      color: #a0a0a0;
+      font-size: 1rem;
+      line-height: 1.6;
+    }
+    .email {
+      color: #FF6B2C;
+      font-weight: 600;
+    }
+    .status-icon {
+      width: 72px;
+      height: 72px;
+      margin: 0 auto 1.5rem;
+      border-radius: 50%;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      position: relative;
+    }
+    .status-icon::before {
+      content: '';
+      position: absolute;
+      inset: -4px;
+      border-radius: 50%;
+      padding: 4px;
+      background: linear-gradient(135deg, var(--icon-color) 0%, var(--icon-color-dark) 100%);
+      -webkit-mask: linear-gradient(#fff 0 0) content-box, linear-gradient(#fff 0 0);
+      mask: linear-gradient(#fff 0 0) content-box, linear-gradient(#fff 0 0);
+      -webkit-mask-composite: xor;
+      mask-composite: exclude;
+      opacity: 0.5;
+    }
+    .status-icon.success {
+      --icon-color: #10B981;
+      --icon-color-dark: #059669;
+      background: linear-gradient(135deg, #10B981 0%, #059669 100%);
+      box-shadow: 0 0 40px rgba(16, 185, 129, 0.4);
+    }
+    .status-icon.error {
+      --icon-color: #EF4444;
+      --icon-color-dark: #DC2626;
+      background: linear-gradient(135deg, #EF4444 0%, #DC2626 100%);
+      box-shadow: 0 0 40px rgba(239, 68, 68, 0.4);
+    }
+    .status-icon svg {
+      width: 36px;
+      height: 36px;
+    }
+    .spinner {
+      width: 56px;
+      height: 56px;
+      margin: 0 auto 1.5rem;
+      border: 3px solid rgba(255, 107, 44, 0.15);
+      border-top-color: #FF6B2C;
+      border-radius: 50%;
+      animation: spin 1s linear infinite;
+    }
+    @keyframes spin {
+      to { transform: rotate(360deg); }
+    }
+    .hint {
+      margin-top: 2rem;
+      padding-top: 2rem;
+      border-top: 1px solid rgba(255, 255, 255, 0.08);
+      color: #666666;
+      font-size: 0.875rem;
+    }
+    .card {
+      background: rgba(13, 13, 13, 0.8);
+      border: 1px solid #1a1a1a;
+      border-radius: 16px;
+      padding: 2.5rem;
+      backdrop-filter: blur(10px);
+    }
+  `;
+  const shivaEye = `<svg viewBox="0 -32 576 576" fill="currentColor"><defs><linearGradient id="eyeGrad" x1="0%" y1="0%" x2="100%" y2="100%"><stop offset="0%" style="stop-color:#FF6B2C"/><stop offset="100%" style="stop-color:#FF8F5C"/></linearGradient></defs><path fill="url(#eyeGrad)" d="M288 144a110.94 110.94 0 0 0-31.24 5 55.4 55.4 0 0 1 7.24 27 56 56 0 0 1-56 56 55.4 55.4 0 0 1-27-7.24A111.71 111.71 0 1 0 288 144zm284.52 97.4C518.29 135.59 410.93 64 288 64S57.68 135.64 3.48 241.41a32.35 32.35 0 0 0 0 29.19C57.71 376.41 165.07 448 288 448s230.32-71.64 284.52-177.41a32.35 32.35 0 0 0 0-29.19zM288 400c-98.65 0-189.09-55-237.93-144C98.91 167 189.34 112 288 112s189.09 55 237.93 144C477.1 345 386.66 400 288 400z"/></svg>`;
+  const checkIcon = `<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="3" stroke-linecap="round" stroke-linejoin="round"><polyline points="20 6 9 17 4 12"/></svg>`;
+  const xIcon = `<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="3" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>`;
+  const lang = getLanguage();
+  if (type === "success") {
+    return `<!DOCTYPE html>
+<html lang="${lang}">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${t("auth.callback.pageTitleSuccess")}</title>
+  <link rel="icon" type="image/svg+xml" href="https://shiva.li/favicon.svg">
+  <style>${baseStyles}</style>
+</head>
+<body>
+  <div class="container">
+    <div class="card">
+      <div class="logo">${shivaEye}</div>
+      <p class="brand">SHIVA Code</p>
+      <div class="status-icon success">${checkIcon}</div>
+      <h1>${t("auth.callback.successTitle")}</h1>
+      <p class="subtitle">${t("auth.callback.successSubtitle")}<br><span class="email">${data.email}</span></p>
+      <p class="hint">${t("auth.callback.successHint")}</p>
+    </div>
+  </div>
+  <script>setTimeout(() => window.close(), 3000);</script>
+</body>
+</html>`;
+  }
+  if (type === "error") {
+    return `<!DOCTYPE html>
+<html lang="${lang}">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${t("auth.callback.pageTitleError")}</title>
+  <link rel="icon" type="image/svg+xml" href="https://shiva.li/favicon.svg">
+  <style>${baseStyles}</style>
+</head>
+<body>
+  <div class="container">
+    <div class="card">
+      <div class="logo">${shivaEye}</div>
+      <p class="brand">SHIVA Code</p>
+      <div class="status-icon error">${xIcon}</div>
+      <h1>${t("auth.callback.errorTitle")}</h1>
+      <p class="subtitle">${data.message || t("auth.callback.errorDefault")}</p>
+      <p class="hint">${t("auth.callback.errorHint")}</p>
+    </div>
+  </div>
+</body>
+</html>`;
+  }
+  return `<!DOCTYPE html>
+<html lang="${lang}">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${t("auth.callback.pageTitle")}</title>
+  <link rel="icon" type="image/svg+xml" href="https://shiva.li/favicon.svg">
+  <style>${baseStyles}</style>
+</head>
+<body>
+  <div class="container">
+    <div class="card">
+      <div class="logo">${shivaEye}</div>
+      <p class="brand">SHIVA Code</p>
+      <div class="spinner"></div>
+      <h1>${t("auth.callback.waitingTitle")}</h1>
+      <p class="subtitle">${t("auth.callback.waitingSubtitle")}</p>
+    </div>
+  </div>
+</body>
+</html>`;
 }
-function isValidLanguage(lang) {
-  return ["de", "en", "fr", "es"].includes(lang);
+function startCallbackServer(port) {
+  return new Promise((resolve, reject) => {
+    const server = http.createServer((req, res) => {
+      const url = new URL(req.url || "/", `http://127.0.0.1:${port}`);
+      if (url.pathname === "/callback") {
+        const token = url.searchParams.get("token");
+        const userId = url.searchParams.get("userId");
+        const email = url.searchParams.get("email");
+        const tier = url.searchParams.get("tier");
+        const error = url.searchParams.get("error");
+        if (error) {
+          res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+          res.end(getCallbackHtml("error", { message: error }));
+          server.close();
+          reject(new Error(error));
+          return;
+        }
+        if (!token || !userId || !email) {
+          res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+          res.end(getCallbackHtml("error", { message: "Token oder Benutzer-Daten fehlen." }));
+          server.close();
+          reject(new Error("Ung\xFCltige Callback-Parameter"));
+          return;
+        }
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(getCallbackHtml("success", { email }));
+        setTimeout(() => {
+          server.close();
+          resolve({
+            token,
+            user: {
+              id: parseInt(userId, 10),
+              email,
+              tier: tier || "free"
+            }
+          });
+        }, 100);
+        return;
+      }
+      res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+      res.end(getCallbackHtml("waiting", {}));
+    });
+    const timeout = setTimeout(() => {
+      server.close();
+      reject(new Error("Login-Timeout - keine Antwort erhalten"));
+    }, 3e5);
+    server.once("close", () => {
+      clearTimeout(timeout);
+    });
+    server.once("error", (err) => {
+      clearTimeout(timeout);
+      reject(err);
+    });
+    server.listen(port, "127.0.0.1");
+  });
 }
-function t(key, params) {
-  const keys = key.split(".");
-  let value = translations[currentLanguage];
-  for (const k of keys) {
-    if (value && typeof value === "object" && k in value) {
-      value = value[k];
-    } else {
-      value = void 0;
-      break;
+async function loginWithBrowser() {
+  const config = getConfig();
+  try {
+    const port = await findAvailablePort();
+    const callbackUrl = `http://127.0.0.1:${port}/callback`;
+    const baseUrl = config.apiEndpoint.replace("/api", "");
+    const lang = getLanguage();
+    const loginUrl = `${baseUrl}/auth/cli-login?callback=${encodeURIComponent(callbackUrl)}&lang=${lang}`;
+    const serverPromise = startCallbackServer(port);
+    log.newline();
+    log.info("\xD6ffne Browser zur Anmeldung...");
+    try {
+      await open(loginUrl);
+    } catch {
     }
-  }
-  if (typeof value !== "string") {
-    value = keys.reduce(
-      (obj, k) => obj && typeof obj === "object" && k in obj ? obj[k] : void 0,
-      translations.de
-    );
-  }
-  if (typeof value !== "string") {
-    return key;
-  }
-  if (params) {
-    for (const [param, val] of Object.entries(params)) {
-      value = value.replace(new RegExp(`\\{${param}\\}`, "g"), String(val));
+    log.newline();
+    log.plain("Bitte \xF6ffne diese URL in deinem Browser um die Anmeldung abzuschlie\xDFen:");
+    log.newline();
+    console.log(`  ${colors.cyan(loginUrl)}`);
+    log.newline();
+    log.dim("Warte auf Anmeldung... (Timeout: 5 Minuten)");
+    log.newline();
+    const result = await serverPromise;
+    setAuth(result.token, result.user);
+    try {
+      const tfaStatus = await twoFactorService.getStatus();
+      if (tfaStatus.enabled) {
+        log.newline();
+        log.info("2FA ist aktiviert. Bitte verifiziere dich.");
+        log.newline();
+        const isDeviceTrusted = await deviceTrustService.isDeviceTrusted();
+        if (!isDeviceTrusted) {
+          const verified = await prompt2FAVerification();
+          if (!verified) {
+            clearAuth();
+            log.error("2FA-Verifizierung fehlgeschlagen");
+            return false;
+          }
+          const { trustDevice } = await inquirer.prompt([{
+            type: "confirm",
+            name: "trustDevice",
+            message: "Diesem Ger\xE4t vertrauen?",
+            default: true
+          }]);
+          if (trustDevice) {
+            try {
+              await deviceTrustService.trustDevice();
+              log.success("Ger\xE4t als vertrauensw\xFCrdig markiert");
+            } catch {
+            }
+          }
+        } else {
+          log.dim("Ger\xE4t ist vertrauensw\xFCrdig - 2FA \xFCbersprungen");
+        }
+      }
+    } catch {
     }
-  }
-  return value;
-}
-function tArray(key) {
-  const keys = key.split(".");
-  let value = translations[currentLanguage];
-  for (const k of keys) {
-    if (value && typeof value === "object" && k in value) {
-      value = value[k];
-    } else {
-      value = void 0;
-      break;
+    log.success(`Angemeldet als ${result.user.email} (${result.user.tier.toUpperCase()})`);
+    return true;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unbekannter Fehler";
+    log.error(`Login fehlgeschlagen: ${message}`);
+    log.newline();
+    log.info("Fallback: Manueller Token-Eintrag");
+    const fallbackLang = getLanguage();
+    const loginUrl = `${config.apiEndpoint.replace("/api", "")}/auth/cli-login?lang=${fallbackLang}`;
+    log.dim(`URL: ${loginUrl}`);
+    log.newline();
+    const { useManual } = await inquirer.prompt([{
+      type: "confirm",
+      name: "useManual",
+      message: "Token manuell eingeben?",
+      default: true
+    }]);
+    if (!useManual) {
+      return false;
+    }
+    try {
+      await open(loginUrl);
+    } catch {
+      log.dim("Browser konnte nicht ge\xF6ffnet werden");
+      log.dim(`\xD6ffne manuell: ${loginUrl}`);
+    }
+    const { token } = await inquirer.prompt([{
+      type: "password",
+      name: "token",
+      message: "Token:",
+      mask: "*"
+    }]);
+    if (!token) {
+      log.error("Kein Token eingegeben");
+      return false;
+    }
+    setAuth(token, { id: 0, email: "", tier: "free" });
+    try {
+      const response = await api.getCurrentUser();
+      setAuth(token, response.user);
+      log.success(`Angemeldet als ${response.user.email}`);
+      return true;
+    } catch {
+      clearAuth();
+      log.error("Ung\xFCltiger Token");
+      return false;
     }
   }
-  if (!Array.isArray(value)) {
-    value = keys.reduce(
-      (obj, k) => obj && typeof obj === "object" && k in obj ? obj[k] : void 0,
-      translations.de
-    );
-  }
-  return Array.isArray(value) ? value : [];
 }
-function initializeLanguage(storedLang) {
-  if (storedLang && isValidLanguage(storedLang)) {
-    setLanguage(storedLang);
-    return;
-  }
-  try {
-    const systemLocale = Intl.DateTimeFormat().resolvedOptions().locale;
-    const langCode = systemLocale.split("-")[0].toLowerCase();
-    if (isValidLanguage(langCode)) {
-      setLanguage(langCode);
-      return;
+function logout() {
+  clearAuth();
+  log.success("Abgemeldet");
+}
+async function prompt2FAVerification() {
+  const MAX_ATTEMPTS = 3;
+  for (let attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
+    const { method } = await inquirer.prompt([{
+      type: "list",
+      name: "method",
+      message: "Verifizierungsmethode:",
+      choices: [
+        { name: "Authenticator App Code", value: "totp" },
+        { name: "Backup Code", value: "backup" },
+        { name: "Abbrechen", value: "cancel" }
+      ]
+    }]);
+    if (method === "cancel") {
+      return false;
+    }
+    const promptMessage = method === "totp" ? "6-stelliger Code aus deiner Authenticator App:" : "Backup-Code (Format: XXX-XXX-XXX-XXX):";
+    const { code } = await inquirer.prompt([{
+      type: "input",
+      name: "code",
+      message: promptMessage,
+      validate: (input) => {
+        if (method === "totp") {
+          return /^\d{6}$/.test(input) || "Bitte gib einen 6-stelligen Code ein";
+        }
+        return input.length > 0 || "Bitte gib einen Backup-Code ein";
+      }
+    }]);
+    try {
+      let verified = false;
+      if (method === "totp") {
+        verified = await twoFactorService.verifyCode(code);
+      } else {
+        verified = await twoFactorService.verifyBackupCode(code);
+      }
+      if (verified) {
+        log.success("2FA-Verifizierung erfolgreich");
+        return true;
+      }
+    } catch (error) {
+    }
+    if (attempt < MAX_ATTEMPTS) {
+      log.error(`Ung\xFCltiger Code. Noch ${MAX_ATTEMPTS - attempt} Versuche.`);
     }
-  } catch {
   }
-  setLanguage("de");
+  return false;
 }
 // src/commands/auth/login.ts