t3code-cli 0.3.0 → 0.4.0

package/dist/upstream-t3code/packages/contracts/src/relayClient.d.ts

@@ -0,0 +1,48 @@
+import * as Schema from "effect/Schema";
+export declare const RelayClientStatusSchema: Schema.Union<readonly [Schema.Struct<{
+    readonly status: Schema.Literal<"available">;
+    readonly executablePath: Schema.String;
+    readonly source: Schema.Literals<readonly ["override", "managed", "path"]>;
+    readonly version: Schema.String;
+}>, Schema.Struct<{
+    readonly status: Schema.Literal<"missing">;
+    readonly version: Schema.String;
+}>, Schema.Struct<{
+    readonly status: Schema.Literal<"unsupported">;
+    readonly platform: Schema.String;
+    readonly arch: Schema.String;
+    readonly version: Schema.String;
+}>]>;
+export type RelayClientStatus = typeof RelayClientStatusSchema.Type;
+export declare const RelayClientInstallProgressStageSchema: Schema.Literals<readonly ["checking", "waiting_for_lock", "downloading", "verifying", "installing", "validating", "activating"]>;
+export type RelayClientInstallProgressStage = typeof RelayClientInstallProgressStageSchema.Type;
+export declare const RelayClientInstallProgressEventSchema: Schema.Union<readonly [Schema.Struct<{
+    readonly type: Schema.Literal<"progress">;
+    readonly stage: Schema.Literals<readonly ["checking", "waiting_for_lock", "downloading", "verifying", "installing", "validating", "activating"]>;
+}>, Schema.Struct<{
+    readonly type: Schema.Literal<"complete">;
+    readonly status: Schema.Union<readonly [Schema.Struct<{
+        readonly status: Schema.Literal<"available">;
+        readonly executablePath: Schema.String;
+        readonly source: Schema.Literals<readonly ["override", "managed", "path"]>;
+        readonly version: Schema.String;
+    }>, Schema.Struct<{
+        readonly status: Schema.Literal<"missing">;
+        readonly version: Schema.String;
+    }>, Schema.Struct<{
+        readonly status: Schema.Literal<"unsupported">;
+        readonly platform: Schema.String;
+        readonly arch: Schema.String;
+        readonly version: Schema.String;
+    }>]>;
+}>]>;
+export type RelayClientInstallProgressEvent = typeof RelayClientInstallProgressEventSchema.Type;
+export declare const RelayClientInstallFailureReasonSchema: Schema.Literals<readonly ["download_failed", "invalid_checksum", "install_locked", "override_missing", "unsupported_platform", "validation_failed", "write_failed"]>;
+export type RelayClientInstallFailureReason = typeof RelayClientInstallFailureReasonSchema.Type;
+declare const RelayClientInstallFailedError_base: Schema.Class<RelayClientInstallFailedError, Schema.TaggedStruct<"RelayClientInstallFailedError", {
+    readonly reason: Schema.Literals<readonly ["download_failed", "invalid_checksum", "install_locked", "override_missing", "unsupported_platform", "validation_failed", "write_failed"]>;
+    readonly message: Schema.String;
+}>, import("effect/Cause").YieldableError>;
+export declare class RelayClientInstallFailedError extends RelayClientInstallFailedError_base {
+}
+export {};

package/dist/upstream-t3code/packages/contracts/src/rpc.d.ts

@@ -7,6 +7,7 @@ import { FilesystemBrowseError } from "./filesystem.ts";
 import { GitCommandError } from "./git.ts";
 import { KeybindingsConfigError } from "./keybindings.ts";
 import { OrchestrationDispatchCommandError, OrchestrationGetFullThreadDiffError, OrchestrationGetSnapshotError, OrchestrationGetTurnDiffError, OrchestrationReplayEventsError } from "./orchestration.ts";
+import { RelayClientInstallFailedError } from "./relayClient.ts";
 import { ProjectSearchEntriesError, ProjectWriteFileError } from "./project.ts";
 import { ServerProviderUpdateError } from "./server.ts";
 import { ServerSettingsError } from "./settings.ts";
@@ -50,6 +51,8 @@ export declare const WS_METHODS: {
     readonly serverGetProcessDiagnostics: "server.getProcessDiagnostics";
     readonly serverGetProcessResourceHistory: "server.getProcessResourceHistory";
     readonly serverSignalProcess: "server.signalProcess";
+    readonly cloudGetRelayClientStatus: "cloud.getRelayClientStatus";
+    readonly cloudInstallRelayClient: "cloud.installRelayClient";
     readonly sourceControlLookupRepository: "sourceControl.lookupRepository";
     readonly sourceControlCloneRepository: "sourceControl.cloneRepository";
     readonly sourceControlPublishRepository: "sourceControl.publishRepository";
@@ -161,7 +164,7 @@ export declare const WsServerGetConfigRpc: Rpc.Rpc<"server.getConfig", Schema.St
     readonly auth: Schema.Struct<{
         readonly policy: Schema.Literals<readonly ["desktop-managed-local", "loopback-browser", "remote-reachable", "unsafe-no-auth"]>;
         readonly bootstrapMethods: Schema.$Array<Schema.Literals<readonly ["desktop-bootstrap", "one-time-token"]>>;
-        readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>>;
+        readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>>;
         readonly sessionCookieName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
     }>;
     readonly cwd: Schema.decodeTo<Schema.String, Schema.String, never, never>;
@@ -906,6 +909,40 @@ export declare const WsServerSignalProcessRpc: Rpc.Rpc<"server.signalProcess", S
     readonly signaled: Schema.Boolean;
     readonly message: Schema.Option<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
 }>, typeof EnvironmentAuthorizationError, never, never>;
+export declare const WsCloudGetRelayClientStatusRpc: Rpc.Rpc<"cloud.getRelayClientStatus", Schema.Struct<{}>, Schema.Union<readonly [Schema.Struct<{
+    readonly status: Schema.Literal<"available">;
+    readonly executablePath: Schema.String;
+    readonly source: Schema.Literals<readonly ["override", "managed", "path"]>;
+    readonly version: Schema.String;
+}>, Schema.Struct<{
+    readonly status: Schema.Literal<"missing">;
+    readonly version: Schema.String;
+}>, Schema.Struct<{
+    readonly status: Schema.Literal<"unsupported">;
+    readonly platform: Schema.String;
+    readonly arch: Schema.String;
+    readonly version: Schema.String;
+}>]>, typeof EnvironmentAuthorizationError, never, never>;
+export declare const WsCloudInstallRelayClientRpc: Rpc.Rpc<"cloud.installRelayClient", Schema.Struct<{}>, import("effect/unstable/rpc/RpcSchema").Stream<Schema.Union<readonly [Schema.Struct<{
+    readonly type: Schema.Literal<"progress">;
+    readonly stage: Schema.Literals<readonly ["checking", "waiting_for_lock", "downloading", "verifying", "installing", "validating", "activating"]>;
+}>, Schema.Struct<{
+    readonly type: Schema.Literal<"complete">;
+    readonly status: Schema.Union<readonly [Schema.Struct<{
+        readonly status: Schema.Literal<"available">;
+        readonly executablePath: Schema.String;
+        readonly source: Schema.Literals<readonly ["override", "managed", "path"]>;
+        readonly version: Schema.String;
+    }>, Schema.Struct<{
+        readonly status: Schema.Literal<"missing">;
+        readonly version: Schema.String;
+    }>, Schema.Struct<{
+        readonly status: Schema.Literal<"unsupported">;
+        readonly platform: Schema.String;
+        readonly arch: Schema.String;
+        readonly version: Schema.String;
+    }>]>;
+}>]>, Schema.Union<readonly [typeof RelayClientInstallFailedError, typeof EnvironmentAuthorizationError]>>, Schema.Never, never, never>;
 export declare const WsSourceControlLookupRepositoryRpc: Rpc.Rpc<"sourceControl.lookupRepository", Schema.Struct<{
     readonly provider: Schema.Literals<readonly ["github", "gitlab", "azure-devops", "bitbucket", "unknown"]>;
     readonly repository: Schema.decodeTo<Schema.String, Schema.String, never, never>;
@@ -3597,7 +3634,7 @@ export declare const WsSubscribeServerConfigRpc: Rpc.Rpc<"subscribeServerConfig"
         readonly auth: Schema.Struct<{
             readonly policy: Schema.Literals<readonly ["desktop-managed-local", "loopback-browser", "remote-reachable", "unsafe-no-auth"]>;
             readonly bootstrapMethods: Schema.$Array<Schema.Literals<readonly ["desktop-bootstrap", "one-time-token"]>>;
-            readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>>;
+            readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>>;
             readonly sessionCookieName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
         }>;
         readonly cwd: Schema.decodeTo<Schema.String, Schema.String, never, never>;
@@ -4064,7 +4101,7 @@ export declare const WsSubscribeAuthAccessRpc: Rpc.Rpc<"subscribeAuthAccess", Sc
             readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
             readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
             readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
-            readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>;
+            readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
             readonly client: Schema.Struct<{
                 readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
                 readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
@@ -4108,7 +4145,7 @@ export declare const WsSubscribeAuthAccessRpc: Rpc.Rpc<"subscribeAuthAccess", Sc
         readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
         readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
         readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
-        readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>;
+        readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
         readonly client: Schema.Struct<{
             readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
             readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
@@ -4230,7 +4267,7 @@ export declare const WsRpcGroup: RpcGroup.RpcGroup<Rpc.Rpc<"server.upsertKeybind
     readonly auth: Schema.Struct<{
         readonly policy: Schema.Literals<readonly ["desktop-managed-local", "loopback-browser", "remote-reachable", "unsafe-no-auth"]>;
         readonly bootstrapMethods: Schema.$Array<Schema.Literals<readonly ["desktop-bootstrap", "one-time-token"]>>;
-        readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>>;
+        readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>>;
         readonly sessionCookieName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
     }>;
     readonly cwd: Schema.decodeTo<Schema.String, Schema.String, never, never>;
@@ -4965,7 +5002,39 @@ export declare const WsRpcGroup: RpcGroup.RpcGroup<Rpc.Rpc<"server.upsertKeybind
     readonly signal: Schema.Literals<readonly ["SIGINT", "SIGKILL"]>;
     readonly signaled: Schema.Boolean;
     readonly message: Schema.Option<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
-}>, typeof EnvironmentAuthorizationError, never, never> | Rpc.Rpc<"sourceControl.lookupRepository", Schema.Struct<{
+}>, typeof EnvironmentAuthorizationError, never, never> | Rpc.Rpc<"cloud.getRelayClientStatus", Schema.Struct<{}>, Schema.Union<readonly [Schema.Struct<{
+    readonly status: Schema.Literal<"available">;
+    readonly executablePath: Schema.String;
+    readonly source: Schema.Literals<readonly ["override", "managed", "path"]>;
+    readonly version: Schema.String;
+}>, Schema.Struct<{
+    readonly status: Schema.Literal<"missing">;
+    readonly version: Schema.String;
+}>, Schema.Struct<{
+    readonly status: Schema.Literal<"unsupported">;
+    readonly platform: Schema.String;
+    readonly arch: Schema.String;
+    readonly version: Schema.String;
+}>]>, typeof EnvironmentAuthorizationError, never, never> | Rpc.Rpc<"cloud.installRelayClient", Schema.Struct<{}>, import("effect/unstable/rpc/RpcSchema").Stream<Schema.Union<readonly [Schema.Struct<{
+    readonly type: Schema.Literal<"progress">;
+    readonly stage: Schema.Literals<readonly ["checking", "waiting_for_lock", "downloading", "verifying", "installing", "validating", "activating"]>;
+}>, Schema.Struct<{
+    readonly type: Schema.Literal<"complete">;
+    readonly status: Schema.Union<readonly [Schema.Struct<{
+        readonly status: Schema.Literal<"available">;
+        readonly executablePath: Schema.String;
+        readonly source: Schema.Literals<readonly ["override", "managed", "path"]>;
+        readonly version: Schema.String;
+    }>, Schema.Struct<{
+        readonly status: Schema.Literal<"missing">;
+        readonly version: Schema.String;
+    }>, Schema.Struct<{
+        readonly status: Schema.Literal<"unsupported">;
+        readonly platform: Schema.String;
+        readonly arch: Schema.String;
+        readonly version: Schema.String;
+    }>]>;
+}>]>, Schema.Union<readonly [typeof RelayClientInstallFailedError, typeof EnvironmentAuthorizationError]>>, Schema.Never, never, never> | Rpc.Rpc<"sourceControl.lookupRepository", Schema.Struct<{
     readonly provider: Schema.Literals<readonly ["github", "gitlab", "azure-devops", "bitbucket", "unknown"]>;
     readonly repository: Schema.decodeTo<Schema.String, Schema.String, never, never>;
     readonly cwd: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
@@ -7615,7 +7684,7 @@ export declare const WsRpcGroup: RpcGroup.RpcGroup<Rpc.Rpc<"server.upsertKeybind
         readonly auth: Schema.Struct<{
             readonly policy: Schema.Literals<readonly ["desktop-managed-local", "loopback-browser", "remote-reachable", "unsafe-no-auth"]>;
             readonly bootstrapMethods: Schema.$Array<Schema.Literals<readonly ["desktop-bootstrap", "one-time-token"]>>;
-            readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>>;
+            readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>>;
             readonly sessionCookieName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
         }>;
         readonly cwd: Schema.decodeTo<Schema.String, Schema.String, never, never>;
@@ -8080,7 +8149,7 @@ export declare const WsRpcGroup: RpcGroup.RpcGroup<Rpc.Rpc<"server.upsertKeybind
             readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
             readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
             readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
-            readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>;
+            readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
             readonly client: Schema.Struct<{
                 readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
                 readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
@@ -8124,7 +8193,7 @@ export declare const WsRpcGroup: RpcGroup.RpcGroup<Rpc.Rpc<"server.upsertKeybind
         readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
         readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
         readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
-        readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>;
+        readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
         readonly client: Schema.Struct<{
             readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
             readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;

package/dist/upstream-t3code/packages/contracts/src/server.d.ts

@@ -546,7 +546,7 @@ export declare const ServerConfig: Schema.Struct<{
     readonly auth: Schema.Struct<{
         readonly policy: Schema.Literals<readonly ["desktop-managed-local", "loopback-browser", "remote-reachable", "unsafe-no-auth"]>;
         readonly bootstrapMethods: Schema.$Array<Schema.Literals<readonly ["desktop-bootstrap", "one-time-token"]>>;
-        readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>>;
+        readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>>;
         readonly sessionCookieName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
     }>;
     readonly cwd: Schema.decodeTo<Schema.String, Schema.String, never, never>;
@@ -1222,7 +1222,7 @@ export declare const ServerConfigStreamSnapshotEvent: Schema.Struct<{
         readonly auth: Schema.Struct<{
             readonly policy: Schema.Literals<readonly ["desktop-managed-local", "loopback-browser", "remote-reachable", "unsafe-no-auth"]>;
             readonly bootstrapMethods: Schema.$Array<Schema.Literals<readonly ["desktop-bootstrap", "one-time-token"]>>;
-            readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>>;
+            readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>>;
             readonly sessionCookieName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
         }>;
         readonly cwd: Schema.decodeTo<Schema.String, Schema.String, never, never>;
@@ -1655,7 +1655,7 @@ export declare const ServerConfigStreamEvent: Schema.Union<readonly [Schema.Stru
         readonly auth: Schema.Struct<{
             readonly policy: Schema.Literals<readonly ["desktop-managed-local", "loopback-browser", "remote-reachable", "unsafe-no-auth"]>;
             readonly bootstrapMethods: Schema.$Array<Schema.Literals<readonly ["desktop-bootstrap", "one-time-token"]>>;
-            readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>>;
+            readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>>;
             readonly sessionCookieName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
         }>;
         readonly cwd: Schema.decodeTo<Schema.String, Schema.String, never, never>;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "t3code-cli",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "CLI for t3code",
   "keywords": [
     "claude",
@@ -40,8 +40,8 @@
     }
   },
   "dependencies": {
-    "@effect/platform-node": "4.0.0-beta.74",
-    "effect": "4.0.0-beta.74"
+    "@effect/platform-node": "4.0.0-beta.78",
+    "effect": "4.0.0-beta.78"
   },
   "devDependencies": {
     "@changesets/cli": "^2.31.0",

package/src/auth/error.ts

@@ -38,9 +38,41 @@ const AuthLocalErrorCauseSchema = Schema.Union([
   UrlError,
 ]);
 
+export class AuthLocalSecretError extends Schema.TaggedErrorClass<AuthLocalSecretError>()(
+  "AuthLocalSecretError",
+  {
+    message: Schema.String,
+    cause: Schema.optionalKey(Schema.instanceOf(PlatformError)),
+  },
+) {}
+
+export class AuthLocalDatabaseError extends Schema.TaggedErrorClass<AuthLocalDatabaseError>()(
+  "AuthLocalDatabaseError",
+  {
+    operation: Schema.Literals(["connect", "query", "schema"]),
+    message: Schema.String,
+  },
+) {}
+
+export class AuthLocalSigningError extends Schema.TaggedErrorClass<AuthLocalSigningError>()(
+  "AuthLocalSigningError",
+  {
+    operation: Schema.Literals(["sign"]),
+    message: Schema.String,
+    cause: Schema.optionalKey(Schema.instanceOf(PlatformError)),
+  },
+) {}
+
 export class AuthLocalError extends Schema.TaggedErrorClass<AuthLocalError>()("AuthLocalError", {
   message: Schema.String,
-  cause: Schema.optionalKey(AuthLocalErrorCauseSchema),
+  cause: Schema.optionalKey(
+    Schema.Union([
+      AuthLocalErrorCauseSchema,
+      AuthLocalSecretError,
+      AuthLocalDatabaseError,
+      AuthLocalSigningError,
+    ]),
+  ),
 }) {}
 
 export type AuthError = AuthPairingUrlError | AuthConfigError | AuthTransportError | AuthLocalError;

package/src/auth/layer.ts

@@ -1,83 +1,18 @@
 import * as Effect from "effect/Effect";
-import * as FileSystem from "effect/FileSystem";
 import * as Layer from "effect/Layer";
-import * as Path from "effect/Path";
-import * as Scope from "effect/Scope";
-import { ChildProcessSpawner } from "effect/unstable/process/ChildProcessSpawner";
 
 import { T3Config } from "../config/service.ts";
-import { Environment } from "../environment/service.ts";
 import { AuthConfigError } from "./error.ts";
-import { issueLocalSession, resolveLocalOrigin } from "./local.ts";
-import { parsePairingUrl } from "./pairing.ts";
+import { T3LocalAuth } from "./local.ts";
+import { T3AuthPairing } from "./pairing.ts";
 import { T3Auth } from "./service.ts";
-import { makeAuthTransport } from "./transport.ts";
-import type { LocalAuthInput } from "./type.ts";
+import { T3AuthTransport } from "./transport.ts";
 
 export const makeT3Auth = Effect.fn("makeT3Auth")(function* () {
   const config = yield* T3Config;
-  const transport = yield* makeAuthTransport();
-  const spawner = yield* ChildProcessSpawner;
-  const fs = yield* FileSystem.FileSystem;
-  const path = yield* Path.Path;
-  const environment = yield* Environment;
-  const scope = yield* Scope.Scope;
-
-  const pair = Effect.fn("T3AuthLive.pair")(function* (pairingUrl: string) {
-    const parsed = yield* parsePairingUrl(pairingUrl);
-    const result = yield* transport.bootstrapBearer(parsed);
-    const existing = yield* config.readStored().pipe(
-      Effect.catchTags({
-        ConfigError: (error) =>
-          Effect.fail(new AuthConfigError({ message: "auth config failed", cause: error })),
-      }),
-    );
-    yield* config
-      .writeStored({ ...existing, url: parsed.baseUrl, token: result.sessionToken })
-      .pipe(
-        Effect.catchTags({
-          ConfigError: (error) =>
-            Effect.fail(new AuthConfigError({ message: "auth config failed", cause: error })),
-        }),
-      );
-    return { url: parsed.baseUrl, role: result.role, expiresAt: result.expiresAt };
-  });
-
-  const local = Effect.fn("T3AuthLive.local")(function* (input: LocalAuthInput) {
-    const issued = yield* issueLocalSession(input).pipe(
-      Effect.provideService(ChildProcessSpawner, spawner),
-      Effect.provideService(FileSystem.FileSystem, fs),
-      Effect.provideService(Path.Path, path),
-      Effect.provideService(Environment, environment),
-      Effect.provideService(Scope.Scope, scope),
-    );
-    const url = yield* resolveLocalOrigin({
-      baseDir: issued.baseDir,
-      ...(input.origin !== undefined ? { origin: input.origin } : {}),
-    }).pipe(
-      Effect.provideService(FileSystem.FileSystem, fs),
-      Effect.provideService(Path.Path, path),
-    );
-    const existing = yield* config.readStored().pipe(
-      Effect.catchTags({
-        ConfigError: (error) =>
-          Effect.fail(new AuthConfigError({ message: "auth config failed", cause: error })),
-      }),
-    );
-    yield* config.writeStored({ ...existing, url, token: issued.session.token }).pipe(
-      Effect.catchTags({
-        ConfigError: (error) =>
-          Effect.fail(new AuthConfigError({ message: "auth config failed", cause: error })),
-      }),
-    );
-    return {
-      url,
-      role: issued.session.role,
-      expiresAt: issued.session.expiresAt,
-      source: "local" as const,
-      baseDir: issued.baseDir,
-    };
-  });
+  const transport = yield* T3AuthTransport;
+  const localAuth = yield* T3LocalAuth;
+  const pairing = yield* T3AuthPairing;
 
   const status = Effect.fn("T3AuthLive.status")(function* () {
     const resolved = yield* config.resolve().pipe(
@@ -91,7 +26,7 @@ export const makeT3Auth = Effect.fn("makeT3Auth")(function* () {
     return yield* transport.getSession(resolved);
   });
 
-  const issueWebSocketToken = Effect.fn("T3AuthLive.issueWebSocketToken")(function* () {
+  const issueWebSocketTicket = Effect.fn("T3AuthLive.issueWebSocketTicket")(function* () {
     const resolved = yield* config.resolve().pipe(
       Effect.catchTags({
         ConfigError: (error) =>
@@ -100,14 +35,14 @@ export const makeT3Auth = Effect.fn("makeT3Auth")(function* () {
           Effect.fail(new AuthConfigError({ message: "auth config failed", cause: error })),
       }),
     );
-    return yield* transport.issueWebSocketToken(resolved);
+    return yield* transport.issueWebSocketTicket(resolved);
   });
 
   return {
-    pair,
-    local,
+    pair: pairing.pair,
+    local: localAuth.local,
     status,
-    issueWebSocketToken,
+    issueWebSocketTicket,
   };
 });