npm - vibecodingmachine-cli - Versions diffs - 1.0.5 → 1.0.7 - Mend

vibecodingmachine-cli 1.0.5 → 1.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

package/.allnightai/REQUIREMENTS.md +11 -11
package/.allnightai/temp/auto-status.json +6 -0
package/.env +7 -0
package/.eslintrc.js +16 -16
package/README.md +85 -85
package/bin/vibecodingmachine.js +274 -274
package/jest.config.js +8 -8
package/logs/audit/2025-11-07.jsonl +2 -2
package/package.json +62 -62
package/scripts/README.md +128 -128
package/scripts/auto-start-wrapper.sh +92 -92
package/scripts/postinstall.js +81 -81
package/src/commands/auth.js +96 -96
package/src/commands/auto-direct.js +1748 -1748
package/src/commands/auto.js +4692 -4692
package/src/commands/auto.js.bak +710 -710
package/src/commands/ide.js +70 -70
package/src/commands/repo.js +159 -159
package/src/commands/requirements.js +161 -161
package/src/commands/setup.js +91 -91
package/src/commands/status.js +88 -88
package/src/index.js +5 -5
package/src/utils/auth.js +572 -577
package/src/utils/auto-mode-ansi-ui.js +238 -238
package/src/utils/auto-mode-simple-ui.js +161 -161
package/src/utils/auto-mode-ui.js.bak.blessed +207 -207
package/src/utils/auto-mode.js +65 -65
package/src/utils/config.js +64 -64
package/src/utils/interactive.js +3616 -3616
package/src/utils/keyboard-handler.js +153 -152
package/src/utils/logger.js +4 -4
package/src/utils/persistent-header.js +116 -116
package/src/utils/provider-registry.js +128 -128
package/src/utils/status-card.js +120 -120
package/src/utils/stdout-interceptor.js +127 -127
package/tests/auto-mode.test.js +37 -37
package/tests/config.test.js +34 -34

package/src/utils/auth.js CHANGED Viewed

@@ -1,577 +1,572 @@
-const chalk = require('chalk');
-const http = require('http');
-const crypto = require('crypto');
-const fs = require('fs');
-const path = require('path');
-const sharedAuth = require('vibecodingmachine-core/src/auth/shared-auth-storage');
-// AWS Cognito configuration
-const COGNITO_DOMAIN = process.env.COGNITO_DOMAIN || 'allnightai-auth-1763598779.auth.us-east-1.amazoncognito.com';
-const CLIENT_ID = process.env.COGNITO_APP_CLIENT_ID || '3tbe1i2g36uqule92iuk6snuo3'; // Public client (no secret)
-const PORT = 3000;
-// Load shared access denied HTML
-function getAccessDeniedHTML() {
-  const accessDeniedPath = require.resolve('vibecodingmachine-core/src/auth/access-denied.html');
-  return fs.readFileSync(accessDeniedPath, 'utf8');
-}
-// PKCE helper functions
-function generateCodeVerifier() {
-  return crypto.randomBytes(32).toString('base64url');
-}
-function generateCodeChallenge(verifier) {
-  return crypto.createHash('sha256').update(verifier).digest('base64url');
-}
-class CLIAuth {
-  /**
-   * Check if authenticated (uses shared storage)
-   */
-  async isAuthenticated() {
-    return await sharedAuth.isAuthenticated();
-  }
-  /**
-   * Get stored token (uses shared storage)
-   */
-  async getToken() {
-    return await sharedAuth.getToken();
-  }
-  /**
-   * Get user profile (uses shared storage)
-   */
-  async getUserProfile() {
-    return await sharedAuth.getUserProfile();
-  }
-  /**
-   * Exchange authorization code for tokens using Cognito token endpoint
-   * @param {string} code - Authorization code
-   * @param {string} codeVerifier - PKCE code verifier
-   * @param {string} redirectUri - Redirect URI used in authorization request
-   * @returns {Promise<string>} ID token
-   */
-  async _exchangeCodeForTokens(code, codeVerifier, redirectUri) {
-    const https = require('https');
-    const tokenEndpoint = `https://${COGNITO_DOMAIN}/oauth2/token`;
-    const postData = new URLSearchParams({
-      grant_type: 'authorization_code',
-      client_id: CLIENT_ID,
-      code: code,
-      redirect_uri: redirectUri,
-      code_verifier: codeVerifier
-    }).toString();
-    return new Promise((resolve, reject) => {
-      const options = {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/x-www-form-urlencoded',
-          'Content-Length': postData.length
-        }
-      };
-      const req = https.request(tokenEndpoint, options, (res) => {
-        let data = '';
-        res.on('data', (chunk) => { data += chunk; });
-        res.on('end', () => {
-          if (res.statusCode === 200) {
-            const tokens = JSON.parse(data);
-            resolve(tokens.id_token); // Return the ID token
-          } else {
-            reject(new Error(`Token exchange failed: ${res.statusCode} - ${data}`));
-          }
-        });
-      });
-      req.on('error', (error) => {
-        reject(new Error(`Token exchange request failed: ${error.message}`));
-      });
-      req.write(postData);
-      req.end();
-    });
-  }
-  /**
-   * Validate JWT token with signature verification
-   * @param {string} idToken - JWT token to validate
-   * @throws {Error} If token is invalid
-   */
-  async _validateToken(idToken) {
-    // Validate token is a string
-    if (!idToken || typeof idToken !== 'string') {
-      throw new Error('Token must be a non-empty string');
-    }
-    // Validate JWT format (must have 3 parts)
-    const parts = idToken.split('.');
-    if (parts.length !== 3) {
-      throw new Error('Invalid JWT format - must have 3 parts separated by dots');
-    }
-    // CRITICAL: Verify JWT signature using Cognito's public keys
-    const jwt = require('jsonwebtoken');
-    const jwksClient = require('jwks-rsa');
-    const region = process.env.AWS_REGION || 'us-east-1';
-    const userPoolId = process.env.COGNITO_USER_POOL_ID || 'us-east-1_EjZ4Kbtgd';
-    const jwksUri = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}/.well-known/jwks.json`;
-    const client = jwksClient({
-      jwksUri: jwksUri,
-      cache: true,
-      rateLimit: true
-    });
-    // Get signing key
-    const getKey = (header, callback) => {
-      client.getSigningKey(header.kid, (err, key) => {
-        if (err) {
-          callback(err);
-          return;
-        }
-        const signingKey = key.getPublicKey();
-        callback(null, signingKey);
-      });
-    };
-    // Verify token signature
-    let payload;
-    try {
-      payload = await new Promise((resolve, reject) => {
-        jwt.verify(idToken, getKey, {
-          algorithms: ['RS256'],
-          issuer: `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`,
-          audience: CLIENT_ID
-        }, (err, decoded) => {
-          if (err) {
-            reject(new Error(`Signature verification failed: ${err.message}`));
-          } else {
-            resolve(decoded);
-          }
-        });
-      });
-    } catch (verifyError) {
-      throw new Error(`JWT signature verification failed: ${verifyError.message}`);
-    }
-    // Verify required fields exist
-    if (!payload.exp) {
-      throw new Error('Token missing expiration claim (exp)');
-    }
-    if (!payload.iss) {
-      throw new Error('Token missing issuer claim (iss)');
-    }
-    if (!payload.aud) {
-      throw new Error('Token missing audience claim (aud)');
-    }
-    if (!payload.token_use) {
-      throw new Error('Token missing token_use claim');
-    }
-    // Verify token is not expired
-    const now = Math.floor(Date.now() / 1000);
-    if (payload.exp <= now) {
-      throw new Error(`Token has expired (exp: ${payload.exp}, now: ${now})`);
-    }
-    // Verify token issuer matches our Cognito domain
-    const expectedIssuer = `https://cognito-idp.${process.env.AWS_REGION || 'us-east-1'}.amazonaws.com/${process.env.COGNITO_USER_POOL_ID || 'us-east-1_EjZ4Kbtgd'}`;
-    if (payload.iss !== expectedIssuer) {
-      throw new Error(`Invalid token issuer. Expected: ${expectedIssuer}, Got: ${payload.iss}`);
-    }
-    // Verify token audience matches our client ID
-    if (payload.aud !== CLIENT_ID) {
-      throw new Error(`Invalid token audience. Expected: ${CLIENT_ID}, Got: ${payload.aud}`);
-    }
-    // Verify token use is 'id'
-    if (payload.token_use !== 'id') {
-      throw new Error(`Invalid token use. Expected: id, Got: ${payload.token_use}`);
-    }
-    // Verify essential user claims exist
-    if (!payload.sub) {
-      throw new Error('Token missing subject claim (sub)');
-    }
-    if (!payload.email) {
-      throw new Error('Token missing email claim');
-    }
-    return true;
-  }
-  /**
-   * Check if running in VS Code Remote SSH environment
-   */
-  _isVSCodeRemoteSSH() {
-    return (
-      process.env.VSCODE_IPC_HOOK_CLI && // Running in VS Code terminal
-      process.env.SSH_CONNECTION // In SSH session
-    );
-  }
-  /**
-   * Login via browser OAuth flow
-   * @param {Object} options - Login options
-   * @param {boolean} options.headless - If true, skip opening browser and provide manual instructions
-   */
-  async login(options = {}) {
-    // Check if running in VS Code Remote SSH
-    const isVSCodeRemote = this._isVSCodeRemoteSSH();
-    // Auto-detect headless environment if not explicitly set
-    // VS Code Remote SSH should use browser flow (not headless) because port forwarding works
-    const isHeadless = options.headless !== undefined
-      ? options.headless
-      : (!process.env.DISPLAY && process.platform !== 'darwin' && process.platform !== 'win32' && !isVSCodeRemote);
-    // Headless mode - for SSH/no-GUI environments
-    if (isHeadless) {
-      return this._loginHeadless();
-    }
-    // VS Code Remote SSH - use optimized flow with instructions
-    if (isVSCodeRemote && !options.headless) {
-      console.log(chalk.cyan('\n🔐 VS Code Remote SSH Detected!\n'));
-      console.log(chalk.gray('VS Code will automatically forward port 3000 to your laptop.\n'));
-      console.log(chalk.yellow('If the browser doesn\'t open automatically:'));
-      console.log(chalk.gray('  1. VS Code will show "Port 3000 is now available"'));
-      console.log(chalk.gray('  2. Click "Open in Browser" in the notification\n'));
-    }
-    // Standard browser-based login
-    return new Promise((resolve, reject) => {
-      let serverClosed = false;
-      // Generate PKCE code verifier and challenge
-      const codeVerifier = generateCodeVerifier();
-      const codeChallenge = generateCodeChallenge(codeVerifier);
-      // Create local server to receive callback
-      const server = http.createServer(async (req, res) => {
-        const url = new URL(req.url, `http://localhost:${PORT}`);
-        if (url.pathname === '/callback') {
-          // Extract authorization code from query params
-          const code = url.searchParams.get('code');
-          if (code) {
-            try {
-              // Exchange code for tokens
-              console.log(chalk.gray('Exchanging authorization code for tokens...'));
-              const idToken = await this._exchangeCodeForTokens(
-                code,
-                codeVerifier,
-                `http://localhost:${PORT}/callback`
-              );
-              // Validate token (signature + claims)
-              console.log(chalk.gray('Validating token...'));
-              await this._validateToken(idToken);
-              // Save token
-              await sharedAuth.saveToken(idToken);
-              // Show success page
-              res.writeHead(200, {
-                'Content-Type': 'text/html',
-                'Cache-Control': 'no-cache, no-store, must-revalidate',
-                'Pragma': 'no-cache',
-                'Expires': '0'
-              });
-              res.end(`
-            <!DOCTYPE html>
-            <html>
-              <head>
-                <meta charset="UTF-8">
-                <meta name="viewport" content="width=device-width, initial-scale=1.0">
-                <style>
-                  * {
-                    margin: 0;
-                    padding: 0;
-                    box-sizing: border-box;
-                  }
-                  html, body {
-                    width: 100%;
-                    height: 100%;
-                    overflow: hidden;
-                    position: fixed;
-                  }
-                  body {
-                    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
-                    background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
-                    color: white;
-                  }
-                  .wrapper {
-                    width: 100%;
-                    height: 100%;
-                    display: flex;
-                    align-items: center;
-                    justify-content: center;
-                    padding: 20px;
-                  }
-                  .container {
-                    background: white;
-                    color: #333;
-                    padding: 40px;
-                    border-radius: 12px;
-                    box-shadow: 0 8px 32px rgba(0,0,0,0.3);
-                    width: 500px;
-                    max-width: 100%;
-                    text-align: center;
-                  }
-                  h1 { margin: 0 0 20px 0; color: #10b981; }
-                  p { margin: 10px 0; color: #666; }
-                  .success-icon { font-size: 48px; margin-bottom: 10px; }
-                  .info-box {
-                    margin-top: 30px;
-                    padding: 16px;
-                    background: #f3f4f6;
-                    border-radius: 8px;
-                    border-left: 4px solid #10b981;
-                  }
-                  .info-title {
-                    font-weight: 600;
-                    margin-bottom: 8px;
-                    color: #374151;
-                  }
-                  code {
-                    background: #1f2937;
-                    color: #10b981;
-                    padding: 3px 8px;
-                    border-radius: 4px;
-                    font-family: 'Monaco', 'Courier New', monospace;
-                    display: inline-block;
-                    margin: 4px 0;
-                  }
-                  .command-list {
-                    margin-top: 12px;
-                  }
-                </style>
-              </head>
-              <body>
-                <div class="wrapper">
-                  <div class="container">
-                    <h1>Authentication Successful!</h1>
-                    <p>You are now logged in to Vibe Coding Machine.</p>
-                    <p>You can close this window and return to the terminal.</p>
-                    <div class="info-box">
-                      <div class="info-title">Available Commands:</div>
-                      <div class="command-list">
-                        <code>vcm</code> - Start interactive mode<br>
-                        <code>vcm auth:status</code> - Check authentication status<br>
-                        <code>vcm auth:logout</code> - Logout
-                      </div>
-                    </div>
-                  </div>
-                </div>
-              </body>
-            </html>
-          `);
-              // Close server and resolve
-              if (!serverClosed) {
-                serverClosed = true;
-                server.close();
-                console.log(chalk.green('✓ Authentication successful!\n'));
-                resolve(idToken);
-              }
-            } catch (error) {
-              // Token exchange or validation failed
-              console.error(chalk.red('\n✗ Authentication failed:'), error.message);
-              // Load shared access denied HTML
-              res.writeHead(400, { 'Content-Type': 'text/html' });
-              res.end(getAccessDeniedHTML());
-              if (!serverClosed) {
-                serverClosed = true;
-                server.close();
-                reject(error);
-              }
-            }
-          } else {
-            res.writeHead(400, { 'Content-Type': 'text/plain' });
-            res.end('No authorization code received');
-          }
-        }
-      });
-      server.listen(PORT, async () => {
-        // Build Cognito OAuth URL with PKCE - force Google account picker every time
-        const authUrl = `https://${COGNITO_DOMAIN}/oauth2/authorize?` +
-          `client_id=${CLIENT_ID}&` +
-          `response_type=code&` +
-          `scope=email+openid+profile&` +
-          `redirect_uri=http://localhost:${PORT}/callback&` +
-          `code_challenge=${codeChallenge}&` +
-          `code_challenge_method=S256&` +
-          `identity_provider=Google&` +
-          `prompt=select_account`;
-        // Open browser - use VS Code command if in Remote SSH, otherwise use standard open
-        if (this._isVSCodeRemoteSSH()) {
-          const { exec } = require('child_process');
-          // Try using VS Code's code command to open URL on local machine
-          exec(`code --open-url "${authUrl}"`, (error) => {
-            if (error) {
-              console.log(chalk.yellow('\n⚠️  Could not open browser automatically.'));
-              console.log(chalk.gray('Please manually open this URL:\n'));
-              console.log(chalk.blue(`   ${authUrl}\n`));
-            }
-          });
-        } else {
-          // Standard open for local or GUI environments
-          const open = (await import('open')).default;
-          try {
-            await open(authUrl);
-            console.log(chalk.gray('\nIf the browser did not open automatically, please manually open:'));
-            console.log(chalk.blue(`   ${authUrl}\n`));
-          } catch (error) {
-            console.log(chalk.yellow('\n⚠️  Could not open browser automatically.'));
-            console.log(chalk.gray('Please manually open this URL:\n'));
-            console.log(chalk.blue(`   ${authUrl}\n`));
-          }
-        }
-      });
-      // Timeout after 5 minutes
-      setTimeout(() => {
-        if (!serverClosed) {
-          serverClosed = true;
-          server.close();
-          reject(new Error('Authentication timeout'));
-        }
-      }, 5 * 60 * 1000);
-    });
-  }
-  /**
-   * Headless login - for SSH/no-GUI environments
-   * User manually opens URL and pastes back the callback URL
-   */
-  async _loginHeadless() {
-    const inquirer = require('inquirer');
-    // Generate PKCE code verifier and challenge
-    const codeVerifier = generateCodeVerifier();
-    const codeChallenge = generateCodeChallenge(codeVerifier);
-    // Build Cognito OAuth URL with PKCE
-    const authUrl = `https://${COGNITO_DOMAIN}/oauth2/authorize?` +
-      `client_id=${CLIENT_ID}&` +
-      `response_type=code&` +
-      `scope=email+openid+profile&` +
-      `redirect_uri=http://localhost:3000/callback&` +
-      `code_challenge=${codeChallenge}&` +
-      `code_challenge_method=S256&` +
-      `identity_provider=Google&` +
-      `prompt=select_account`;
-    console.log(chalk.cyan('\n🔐 Headless Authentication Mode\n'));
-    console.log(chalk.gray('You are in a headless/SSH environment.\n'));
-    console.log(chalk.white('Please follow these steps:\n'));
-    console.log(chalk.yellow('1. Open this URL in a browser on any device (Cmd-Double-Click might work):'));
-    console.log(chalk.blue(`\n   ${authUrl}\n`));
-    console.log(chalk.yellow('2. Sign in with Google (may happen automatically if already signed in)'));
-    console.log(chalk.yellow('3. Browser will redirect to localhost and show "connection refused" error'));
-    console.log(chalk.yellow('   ' + chalk.gray('(This is expected - localhost is not accessible from your device)')));
-    console.log(chalk.yellow('4. Copy the FULL URL from your browser address bar'));
-    console.log(chalk.yellow('   ' + chalk.gray('(It will start with: http://localhost:3000/callback?code=...)')));
-    console.log(chalk.yellow('5. Paste it below\n'));
-    const { callbackUrl } = await inquirer.prompt([{
-      type: 'input',
-      name: 'callbackUrl',
-      message: 'Paste the callback URL here:',
-      validate: (input) => {
-        if (!input || input.trim() === '') {
-          return 'Please provide the callback URL';
-        }
-        if (!input.includes('code=')) {
-          return 'Invalid URL - should contain "code=" parameter';
-        }
-        if (!input.includes('localhost:3000/callback')) {
-          return 'Invalid callback URL - should be from localhost:3000/callback';
-        }
-        return true;
-      }
-    }]);
-    try {
-      // Extract authorization code from URL query params
-      const urlObj = new URL(callbackUrl.trim());
-      const code = urlObj.searchParams.get('code');
-      if (!code) {
-        throw new Error('No authorization code found in URL');
-      }
-      // Exchange code for tokens
-      console.log(chalk.gray('Exchanging authorization code for tokens...'));
-      const idToken = await this._exchangeCodeForTokens(
-        code,
-        codeVerifier,
-        'http://localhost:3000/callback'
-      );
-      // Validate JWT token
-      console.log(chalk.gray('Validating token...'));
-      try {
-        await this._validateToken(idToken);
-        console.log(chalk.gray('✓ Token validation and signature verification passed'));
-      } catch (validationError) {
-        console.error(chalk.red('\n✗ Token validation failed:'), validationError.message);
-        throw new Error(`Invalid token: ${validationError.message}`);
-      }
-      // Save token using shared storage (only if validation passed)
-      await sharedAuth.saveToken(idToken);
-      console.log(chalk.green('\n✓ Authentication successful!'));
-      return idToken;
-    } catch (error) {
-      console.error(chalk.red('\n✗ Authentication failed:'), error.message);
-      throw error;
-    }
-  }
-  /**
-   * Logout (uses shared storage)
-   */
-  async logout() {
-    return await sharedAuth.logout();
-  }
-  /**
-   * Check if can run auto mode (uses shared storage)
-   */
-  async canRunAutoMode() {
-    return await sharedAuth.canRunAutoMode();
-  }
-  /**
-   * Log iteration (uses shared storage)
-   */
-  async logIteration() {
-    return await sharedAuth.logIteration();
-  }
-  /**
-   * Activate license key (uses shared storage)
-   */
-  async activateLicense(licenseKey) {
-    return await sharedAuth.activateLicense(licenseKey);
-  }
-}
-module.exports = new CLIAuth();
+const chalk = require('chalk');
+const http = require('http');
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+const sharedAuth = require('vibecodingmachine-core/src/auth/shared-auth-storage');
+// AWS Cognito configuration
+const COGNITO_DOMAIN = process.env.COGNITO_DOMAIN || 'allnightai-auth-1763598779.auth.us-east-1.amazoncognito.com';
+const CLIENT_ID = process.env.COGNITO_APP_CLIENT_ID || '3tbe1i2g36uqule92iuk6snuo3'; // Public client (no secret)
+const PORT = 3000;
+// Load shared access denied HTML
+function getAccessDeniedHTML() {
+  const accessDeniedPath = require.resolve('vibecodingmachine-core/src/auth/access-denied.html');
+  return fs.readFileSync(accessDeniedPath, 'utf8');
+}
+// PKCE helper functions
+function generateCodeVerifier() {
+  return crypto.randomBytes(32).toString('base64url');
+}
+function generateCodeChallenge(verifier) {
+  return crypto.createHash('sha256').update(verifier).digest('base64url');
+}
+class CLIAuth {
+  /**
+   * Check if authenticated (uses shared storage)
+   */
+  async isAuthenticated() {
+    return await sharedAuth.isAuthenticated();
+  }
+  /**
+   * Get stored token (uses shared storage)
+   */
+  async getToken() {
+    return await sharedAuth.getToken();
+  }
+  /**
+   * Get user profile (uses shared storage)
+   */
+  async getUserProfile() {
+    return await sharedAuth.getUserProfile();
+  }
+  /**
+   * Exchange authorization code for tokens using Cognito token endpoint
+   * @param {string} code - Authorization code
+   * @param {string} codeVerifier - PKCE code verifier
+   * @param {string} redirectUri - Redirect URI used in authorization request
+   * @returns {Promise<string>} ID token
+   */
+  async _exchangeCodeForTokens(code, codeVerifier, redirectUri) {
+    const https = require('https');
+    const tokenEndpoint = `https://${COGNITO_DOMAIN}/oauth2/token`;
+    const postData = new URLSearchParams({
+      grant_type: 'authorization_code',
+      client_id: CLIENT_ID,
+      code: code,
+      redirect_uri: redirectUri,
+      code_verifier: codeVerifier
+    }).toString();
+    return new Promise((resolve, reject) => {
+      const options = {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+          'Content-Length': postData.length
+        }
+      };
+      const req = https.request(tokenEndpoint, options, (res) => {
+        let data = '';
+        res.on('data', (chunk) => { data += chunk; });
+        res.on('end', () => {
+          if (res.statusCode === 200) {
+            const tokens = JSON.parse(data);
+            resolve(tokens.id_token); // Return the ID token
+          } else {
+            reject(new Error(`Token exchange failed: ${res.statusCode} - ${data}`));
+          }
+        });
+      });
+      req.on('error', (error) => {
+        reject(new Error(`Token exchange request failed: ${error.message}`));
+      });
+      req.write(postData);
+      req.end();
+    });
+  }
+  /**
+   * Validate JWT token with signature verification
+   * @param {string} idToken - JWT token to validate
+   * @throws {Error} If token is invalid
+   */
+  async _validateToken(idToken) {
+    // Validate token is a string
+    if (!idToken || typeof idToken !== 'string') {
+      throw new Error('Token must be a non-empty string');
+    }
+    // Validate JWT format (must have 3 parts)
+    const parts = idToken.split('.');
+    if (parts.length !== 3) {
+      throw new Error('Invalid JWT format - must have 3 parts separated by dots');
+    }
+    // CRITICAL: Verify JWT signature using Cognito's public keys
+    const jwt = require('jsonwebtoken');
+    const jwksClient = require('jwks-rsa');
+    const region = process.env.AWS_REGION || 'us-east-1';
+    const userPoolId = process.env.COGNITO_USER_POOL_ID || 'us-east-1_EjZ4Kbtgd';
+    const jwksUri = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}/.well-known/jwks.json`;
+    const client = jwksClient({
+      jwksUri: jwksUri,
+      cache: true,
+      rateLimit: true
+    });
+    // Get signing key
+    const getKey = (header, callback) => {
+      client.getSigningKey(header.kid, (err, key) => {
+        if (err) {
+          callback(err);
+          return;
+        }
+        const signingKey = key.getPublicKey();
+        callback(null, signingKey);
+      });
+    };
+    // Verify token signature
+    let payload;
+    try {
+      payload = await new Promise((resolve, reject) => {
+        jwt.verify(idToken, getKey, {
+          algorithms: ['RS256'],
+          issuer: `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`,
+          audience: CLIENT_ID
+        }, (err, decoded) => {
+          if (err) {
+            reject(new Error(`Signature verification failed: ${err.message}`));
+          } else {
+            resolve(decoded);
+          }
+        });
+      });
+    } catch (verifyError) {
+      throw new Error(`JWT signature verification failed: ${verifyError.message}`);
+    }
+    // Verify required fields exist
+    if (!payload.exp) {
+      throw new Error('Token missing expiration claim (exp)');
+    }
+    if (!payload.iss) {
+      throw new Error('Token missing issuer claim (iss)');
+    }
+    if (!payload.aud) {
+      throw new Error('Token missing audience claim (aud)');
+    }
+    if (!payload.token_use) {
+      throw new Error('Token missing token_use claim');
+    }
+    // Verify token is not expired
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp <= now) {
+      throw new Error(`Token has expired (exp: ${payload.exp}, now: ${now})`);
+    }
+    // Verify token issuer matches our Cognito domain
+    const expectedIssuer = `https://cognito-idp.${process.env.AWS_REGION || 'us-east-1'}.amazonaws.com/${process.env.COGNITO_USER_POOL_ID || 'us-east-1_EjZ4Kbtgd'}`;
+    if (payload.iss !== expectedIssuer) {
+      throw new Error(`Invalid token issuer. Expected: ${expectedIssuer}, Got: ${payload.iss}`);
+    }
+    // Verify token audience matches our client ID
+    if (payload.aud !== CLIENT_ID) {
+      throw new Error(`Invalid token audience. Expected: ${CLIENT_ID}, Got: ${payload.aud}`);
+    }
+    // Verify token use is 'id'
+    if (payload.token_use !== 'id') {
+      throw new Error(`Invalid token use. Expected: id, Got: ${payload.token_use}`);
+    }
+    // Verify essential user claims exist
+    if (!payload.sub) {
+      throw new Error('Token missing subject claim (sub)');
+    }
+    if (!payload.email) {
+      throw new Error('Token missing email claim');
+    }
+    return true;
+  }
+  /**
+   * Check if running in VS Code Remote SSH environment
+   */
+  _isVSCodeRemoteSSH() {
+    return (
+      process.env.VSCODE_IPC_HOOK_CLI && // Running in VS Code terminal
+      process.env.SSH_CONNECTION // In SSH session
+    );
+  }
+  /**
+   * Login via browser OAuth flow
+   * @param {Object} options - Login options
+   * @param {boolean} options.headless - If true, skip opening browser and provide manual instructions
+   */
+  async login(options = {}) {
+    // Check if running in VS Code Remote SSH
+    const isVSCodeRemote = this._isVSCodeRemoteSSH();
+    // Auto-detect headless environment if not explicitly set
+    // VS Code Remote SSH should use browser flow (not headless) because port forwarding works
+    const isHeadless = options.headless !== undefined
+      ? options.headless
+      : (!process.env.DISPLAY && process.platform !== 'darwin' && process.platform !== 'win32' && !isVSCodeRemote);
+    // Headless mode - for SSH/no-GUI environments
+    if (isHeadless) {
+      return this._loginHeadless();
+    }
+    // VS Code Remote SSH - use optimized flow with instructions
+    if (isVSCodeRemote && !options.headless) {
+      console.log(chalk.cyan('\n🔐 VS Code Remote SSH Detected!\n'));
+      console.log(chalk.yellow('⚠️  IMPORTANT: VS Code will show "Port 3000 is now available"'));
+      console.log(chalk.yellow('    → DO NOT click that notification!'));
+      console.log(chalk.yellow('    → Instead, Ctrl+Click the authentication URL shown below\n'));
+    }
+    // Standard browser-based login
+    return new Promise((resolve, reject) => {
+      let serverClosed = false;
+      // Generate PKCE code verifier and challenge
+      const codeVerifier = generateCodeVerifier();
+      const codeChallenge = generateCodeChallenge(codeVerifier);
+      // Create local server to receive callback
+      const server = http.createServer(async (req, res) => {
+        const url = new URL(req.url, `http://localhost:${PORT}`);
+        if (url.pathname === '/callback') {
+          // Extract authorization code from query params
+          const code = url.searchParams.get('code');
+          if (code) {
+            try {
+              // Exchange code for tokens
+              console.log(chalk.gray('Exchanging authorization code for tokens...'));
+              const idToken = await this._exchangeCodeForTokens(
+                code,
+                codeVerifier,
+                `http://localhost:${PORT}/callback`
+              );
+              // Validate token (signature + claims)
+              console.log(chalk.gray('Validating token...'));
+              await this._validateToken(idToken);
+              // Save token
+              await sharedAuth.saveToken(idToken);
+              // Show success page
+              res.writeHead(200, {
+                'Content-Type': 'text/html',
+                'Cache-Control': 'no-cache, no-store, must-revalidate',
+                'Pragma': 'no-cache',
+                'Expires': '0'
+              });
+              res.end(`
+            <!DOCTYPE html>
+            <html>
+              <head>
+                <meta charset="UTF-8">
+                <meta name="viewport" content="width=device-width, initial-scale=1.0">
+                <style>
+                  * {
+                    margin: 0;
+                    padding: 0;
+                    box-sizing: border-box;
+                  }
+                  html, body {
+                    width: 100%;
+                    height: 100%;
+                    overflow: hidden;
+                    position: fixed;
+                  }
+                  body {
+                    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+                    background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+                    color: white;
+                  }
+                  .wrapper {
+                    width: 100%;
+                    height: 100%;
+                    display: flex;
+                    align-items: center;
+                    justify-content: center;
+                    padding: 20px;
+                  }
+                  .container {
+                    background: white;
+                    color: #333;
+                    padding: 40px;
+                    border-radius: 12px;
+                    box-shadow: 0 8px 32px rgba(0,0,0,0.3);
+                    width: 500px;
+                    max-width: 100%;
+                    text-align: center;
+                  }
+                  h1 { margin: 0 0 20px 0; color: #10b981; }
+                  p { margin: 10px 0; color: #666; }
+                  .success-icon { font-size: 48px; margin-bottom: 10px; }
+                  .info-box {
+                    margin-top: 30px;
+                    padding: 16px;
+                    background: #f3f4f6;
+                    border-radius: 8px;
+                    border-left: 4px solid #10b981;
+                  }
+                  .info-title {
+                    font-weight: 600;
+                    margin-bottom: 8px;
+                    color: #374151;
+                  }
+                  code {
+                    background: #1f2937;
+                    color: #10b981;
+                    padding: 3px 8px;
+                    border-radius: 4px;
+                    font-family: 'Monaco', 'Courier New', monospace;
+                    display: inline-block;
+                    margin: 4px 0;
+                  }
+                  .command-list {
+                    margin-top: 12px;
+                  }
+                </style>
+              </head>
+              <body>
+                <div class="wrapper">
+                  <div class="container">
+                    <h1>Authentication Successful!</h1>
+                    <p>You are now logged in to Vibe Coding Machine.</p>
+                    <p>You can close this window and return to the terminal.</p>
+                    <div class="info-box">
+                      <div class="info-title">Available Commands:</div>
+                      <div class="command-list">
+                        <code>vcm</code> - Start interactive mode<br>
+                        <code>vcm auth:status</code> - Check authentication status<br>
+                        <code>vcm auth:logout</code> - Logout
+                      </div>
+                    </div>
+                  </div>
+                </div>
+              </body>
+            </html>
+          `);
+              // Close server and resolve
+              if (!serverClosed) {
+                serverClosed = true;
+                server.close();
+                console.log(chalk.green('✓ Authentication successful!\n'));
+                resolve(idToken);
+              }
+            } catch (error) {
+              // Token exchange or validation failed
+              console.error(chalk.red('\n✗ Authentication failed:'), error.message);
+              // Load shared access denied HTML
+              res.writeHead(400, { 'Content-Type': 'text/html' });
+              res.end(getAccessDeniedHTML());
+              if (!serverClosed) {
+                serverClosed = true;
+                server.close();
+                reject(error);
+              }
+            }
+          } else {
+            res.writeHead(400, { 'Content-Type': 'text/plain' });
+            res.end('No authorization code received');
+          }
+        }
+      });
+      server.listen(PORT, async () => {
+        // Build Cognito OAuth URL with PKCE - force Google account picker every time
+        const authUrl = `https://${COGNITO_DOMAIN}/oauth2/authorize?` +
+          `client_id=${CLIENT_ID}&` +
+          `response_type=code&` +
+          `scope=email+openid+profile&` +
+          `redirect_uri=http://localhost:${PORT}/callback&` +
+          `code_challenge=${codeChallenge}&` +
+          `code_challenge_method=S256&` +
+          `identity_provider=Google&` +
+          `prompt=select_account`;
+        // Open browser - VS Code Remote SSH users should click the URL
+        if (this._isVSCodeRemoteSSH()) {
+          // For VS Code Remote SSH, just show the URL prominently
+          // Port forwarding will automatically work when they click it
+          console.log(chalk.green('👉 Click this URL to login:\n'));
+          console.log(chalk.blue.underline(`   ${authUrl}\n`));
+          console.log(chalk.gray('(Ctrl+Click or Cmd+Click to open in your browser)\n'));
+        } else {
+          // Standard open for local or GUI environments
+          const open = (await import('open')).default;
+          try {
+            await open(authUrl);
+            console.log(chalk.gray('\nOpening browser for authentication...'));
+            console.log(chalk.gray('If it doesn\'t open, click this URL:\n'));
+            console.log(chalk.blue.underline(`   ${authUrl}\n`));
+          } catch (error) {
+            console.log(chalk.yellow('\n⚠️  Could not open browser automatically.'));
+            console.log(chalk.gray('Please click this URL to login:\n'));
+            console.log(chalk.blue.underline(`   ${authUrl}\n`));
+          }
+        }
+      });
+      // Timeout after 5 minutes
+      setTimeout(() => {
+        if (!serverClosed) {
+          serverClosed = true;
+          server.close();
+          reject(new Error('Authentication timeout'));
+        }
+      }, 5 * 60 * 1000);
+    });
+  }
+  /**
+   * Headless login - for SSH/no-GUI environments
+   * User manually opens URL and pastes back the callback URL
+   */
+  async _loginHeadless() {
+    const inquirer = require('inquirer');
+    // Generate PKCE code verifier and challenge
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = generateCodeChallenge(codeVerifier);
+    // Build Cognito OAuth URL with PKCE
+    const authUrl = `https://${COGNITO_DOMAIN}/oauth2/authorize?` +
+      `client_id=${CLIENT_ID}&` +
+      `response_type=code&` +
+      `scope=email+openid+profile&` +
+      `redirect_uri=http://localhost:3000/callback&` +
+      `code_challenge=${codeChallenge}&` +
+      `code_challenge_method=S256&` +
+      `identity_provider=Google&` +
+      `prompt=select_account`;
+    console.log(chalk.cyan('\n🔐 Headless Authentication Mode\n'));
+    console.log(chalk.gray('You are in a headless/SSH environment.\n'));
+    console.log(chalk.white('Please follow these steps:\n'));
+    console.log(chalk.yellow('1. Open this URL in a browser on any device (Cmd-Double-Click might work):'));
+    console.log(chalk.blue(`\n   ${authUrl}\n`));
+    console.log(chalk.yellow('2. Sign in with Google (may happen automatically if already signed in)'));
+    console.log(chalk.yellow('3. Browser will redirect to localhost and show "connection refused" error'));
+    console.log(chalk.yellow('   ' + chalk.gray('(This is expected - localhost is not accessible from your device)')));
+    console.log(chalk.yellow('4. Copy the FULL URL from your browser address bar'));
+    console.log(chalk.yellow('   ' + chalk.gray('(It will start with: http://localhost:3000/callback?code=...)')));
+    console.log(chalk.yellow('5. Paste it below\n'));
+    const { callbackUrl } = await inquirer.prompt([{
+      type: 'input',
+      name: 'callbackUrl',
+      message: 'Paste the callback URL here:',
+      validate: (input) => {
+        if (!input || input.trim() === '') {
+          return 'Please provide the callback URL';
+        }
+        if (!input.includes('code=')) {
+          return 'Invalid URL - should contain "code=" parameter';
+        }
+        if (!input.includes('localhost:3000/callback')) {
+          return 'Invalid callback URL - should be from localhost:3000/callback';
+        }
+        return true;
+      }
+    }]);
+    try {
+      // Extract authorization code from URL query params
+      const urlObj = new URL(callbackUrl.trim());
+      const code = urlObj.searchParams.get('code');
+      if (!code) {
+        throw new Error('No authorization code found in URL');
+      }
+      // Exchange code for tokens
+      console.log(chalk.gray('Exchanging authorization code for tokens...'));
+      const idToken = await this._exchangeCodeForTokens(
+        code,
+        codeVerifier,
+        'http://localhost:3000/callback'
+      );
+      // Validate JWT token
+      console.log(chalk.gray('Validating token...'));
+      try {
+        await this._validateToken(idToken);
+        console.log(chalk.gray('✓ Token validation and signature verification passed'));
+      } catch (validationError) {
+        console.error(chalk.red('\n✗ Token validation failed:'), validationError.message);
+        throw new Error(`Invalid token: ${validationError.message}`);
+      }
+      // Save token using shared storage (only if validation passed)
+      await sharedAuth.saveToken(idToken);
+      console.log(chalk.green('\n✓ Authentication successful!'));
+      return idToken;
+    } catch (error) {
+      console.error(chalk.red('\n✗ Authentication failed:'), error.message);
+      throw error;
+    }
+  }
+  /**
+   * Logout (uses shared storage)
+   */
+  async logout() {
+    return await sharedAuth.logout();
+  }
+  /**
+   * Check if can run auto mode (uses shared storage)
+   */
+  async canRunAutoMode() {
+    return await sharedAuth.canRunAutoMode();
+  }
+  /**
+   * Log iteration (uses shared storage)
+   */
+  async logIteration() {
+    return await sharedAuth.logIteration();
+  }
+  /**
+   * Activate license key (uses shared storage)
+   */
+  async activateLicense(licenseKey) {
+    return await sharedAuth.activateLicense(licenseKey);
+  }
+}
+module.exports = new CLIAuth();