vibegroup 0.1.2 → 0.1.4

package/README.md

@@ -11,6 +11,12 @@ When you and your teammates are each heads-down in your own repo on your own mac
 
 ## Install
 
+```bash
+npx vibegroup install     # registers the vibegroup plugin in Claude Code
+```
+
+Or install the CLI globally:
+
 ```bash
 npm i -g vibegroup
 ```
@@ -18,7 +24,7 @@ npm i -g vibegroup
 ## Quickstart
 
 ```bash
-vibegroup login                         # sign in (opens your browser)
+vibegroup init                          # one-time: install the plugin, enable the channel, sign in
 vibegroup team create acme --name Acme  # create a team (or get invited to one)
 vibegroup claude --team acme            # launch Claude Code wired to your team's room
 ```
@@ -38,7 +44,9 @@ Inside the session, your agent can reach teammates' agents:
 ## Commands
 
 ```
-vibegroup login                          Sign in / sign up
+vibegroup install                        Register the plugin in Claude Code (also: npx vibegroup install)
+vibegroup init [email]                   One-time setup: plugin + channel + sign-in
+vibegroup login [email]                  Sign in / sign up
 vibegroup logout                         Clear the cached session
 vibegroup status                         Show your auth status
 vibegroup team create <slug> [--name]    Create a team (+ a general room)

package/dist/cli.js

@@ -70,7 +70,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "vibegroup",
-    version: "0.1.2",
+    version: "0.1.4",
     description: "Talk to your teammates' Claude Code agents — agent-to-agent collaboration for Claude Code over a shared channel.",
     type: "module",
     bin: {
@@ -79,7 +79,6 @@ var init_package = __esm(() => {
     files: [
       "dist/cli.js",
       "README.md",
-      "scripts/postinstall.mjs",
       ".claude-plugin/marketplace.json",
       "plugin/.claude-plugin",
       "plugin/.mcp.json",
@@ -107,7 +106,6 @@ var init_package = __esm(() => {
       "build:server": "cd packages/server && bun run build",
       build: "bun run build:relay && bun run build:server && bun run build:plugin && bun run build:cli",
       prepublishOnly: "bun run build:plugin && bun run build:cli",
-      postinstall: "node scripts/postinstall.mjs",
       "test:cli": "bun test ./test/",
       "test:protocol": "cd packages/protocol && bun test",
       "test:relay": "cd packages/relay && bun test",
@@ -178,6 +176,60 @@ var init_allowlist2 = __esm(() => {
   init_allowlist();
 });
 
+// src/lib/pluginInstall.ts
+import { spawnSync } from "node:child_process";
+import { fileURLToPath } from "node:url";
+import { dirname as dirname2, join as join2 } from "node:path";
+function packageRoot() {
+  return join2(dirname2(fileURLToPath(import.meta.url)), "..");
+}
+function claudeAvailable() {
+  try {
+    return spawnSync("claude", ["--version"], { stdio: "ignore" }).status === 0;
+  } catch {
+    return false;
+  }
+}
+function pluginInstalled() {
+  const r = spawnSync("claude", ["plugin", "list"], { encoding: "utf8" });
+  return r.status === 0 && /vibegroup@vibegroup/.test(r.stdout ?? "");
+}
+function installPlugin() {
+  if (!claudeAvailable()) {
+    return { ok: false, message: "Claude Code (`claude`) is not on your PATH. Install it first: https://docs.claude.com/claude-code" };
+  }
+  const root = packageRoot();
+  spawnSync("claude", ["plugin", "marketplace", "remove", "vibegroup"], { stdio: "ignore" });
+  const add = spawnSync("claude", ["plugin", "marketplace", "add", root], { stdio: "inherit" });
+  if (add.status !== 0)
+    return { ok: false, message: "failed to add the vibegroup marketplace" };
+  const inst = spawnSync("claude", ["plugin", "install", "vibegroup@vibegroup"], { stdio: "inherit" });
+  if (inst.status !== 0 && !pluginInstalled())
+    return { ok: false, message: "failed to install the vibegroup plugin" };
+  return { ok: true, message: "plugin installed" };
+}
+var init_pluginInstall = () => {};
+
+// src/commands/install.ts
+var exports_install = {};
+__export(exports_install, {
+  installCommand: () => installCommand
+});
+async function installCommand() {
+  console.log(`Installing the vibegroup plugin into Claude Code…
+`);
+  const r = installPlugin();
+  if (!r.ok) {
+    console.error(r.message);
+    return 1;
+  }
+  console.log("\n✓ Plugin installed. Next: `vibegroup init` to enable the channel + sign in.");
+  return 0;
+}
+var init_install = __esm(() => {
+  init_pluginInstall();
+});
+
 // src/ui/runner.ts
 import { render } from "ink";
 function runInk(make) {
@@ -197,144 +249,30 @@ function runInk(make) {
 }
 var init_runner = () => {};
 
-// src/lib/workosAuth.ts
-async function json(res) {
-  const text = await res.text();
-  try {
-    return text ? JSON.parse(text) : {};
-  } catch {
-    return {};
-  }
-}
-function parseCeremony(c) {
-  if (!c || !c.user_code || !c.verification_uri)
-    return;
-  return {
-    userCode: c.user_code,
-    verificationUri: c.verification_uri,
-    interval: typeof c.interval === "number" ? c.interval : 5,
-    expiresIn: typeof c.expires_in === "number" ? c.expires_in : 600
-  };
-}
-function tokensFromResponse(body, nowMs) {
-  const tokens = { accessToken: body.access_token };
-  if (typeof body.expires_in === "number") {
-    tokens.accessTokenExpiresAt = new Date(nowMs + body.expires_in * 1000).toISOString();
-  }
-  if (body.identity_assertion)
-    tokens.identityAssertion = body.identity_assertion;
-  if (body.assertion_expires)
-    tokens.assertionExpiresAt = body.assertion_expires;
-  if (body.scope)
-    tokens.scope = body.scope;
-  return tokens;
-}
-async function discover(apiBase, f) {
-  const base = apiBase.replace(/\/+$/, "");
-  const prmRes = await f(`${base}/.well-known/oauth-protected-resource`);
-  if (!prmRes.ok)
-    throw new Error(`discovery failed: protected-resource metadata HTTP ${prmRes.status}`);
-  const prm = await json(prmRes);
-  const as = (prm.authorization_servers ?? [])[0];
-  if (!as)
-    throw new Error("discovery failed: no authorization_servers in protected-resource metadata");
-  const asRes = await f(`${as.replace(/\/+$/, "")}/.well-known/oauth-authorization-server`);
-  if (!asRes.ok)
-    throw new Error(`discovery failed: authorization-server metadata HTTP ${asRes.status}`);
-  const meta = await json(asRes);
-  const agent = meta.agent_auth ?? {};
-  if (!meta.token_endpoint || !agent.identity_endpoint || !agent.claim_endpoint) {
-    throw new Error("discovery failed: authorization server is missing agent_auth endpoints");
-  }
-  return {
-    issuer: meta.issuer,
-    tokenEndpoint: meta.token_endpoint,
-    revocationEndpoint: meta.revocation_endpoint,
-    identityEndpoint: agent.identity_endpoint,
-    claimEndpoint: agent.claim_endpoint,
-    resource: prm.resource ?? meta.resource,
-    scopesSupported: prm.scopes_supported
-  };
-}
-async function register(ep, body, f) {
-  const res = await f(ep.identityEndpoint, {
+// src/lib/emailAuth.ts
+async function startEmailLogin(apiBase, email, f) {
+  const res = await f(`${apiBase}/auth/email/start`, {
     method: "POST",
     headers: { "content-type": "application/json" },
-    body: JSON.stringify(body)
+    body: JSON.stringify({ email })
   });
-  const data = await json(res);
-  if (!res.ok && !data.registration_id) {
-    throw new Error(`register failed: ${data.error ?? `HTTP ${res.status}`}`);
+  if (!res.ok) {
+    const err = await res.json().catch(() => ({}));
+    throw new Error(err.detail ?? "could not send the code");
   }
-  return {
-    registrationId: data.registration_id,
-    registrationType: data.registration_type,
-    identityAssertion: data.identity_assertion,
-    assertionExpires: data.assertion_expires,
-    preClaimScopes: data.pre_claim_scopes,
-    postClaimScopes: data.post_claim_scopes,
-    claimToken: data.claim_token,
-    claim: parseCeremony(data.claim)
-  };
 }
-async function pollClaim(tokenEndpoint, claimToken, f, nowMs = Date.now()) {
-  const res = await f(tokenEndpoint, {
+async function verifyEmailLogin(apiBase, email, code, f) {
+  const res = await f(`${apiBase}/auth/email/verify`, {
     method: "POST",
-    headers: { "content-type": "application/x-www-form-urlencoded" },
-    body: new URLSearchParams({ grant_type: CLAIM_GRANT, claim_token: claimToken }).toString()
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ email, code })
   });
-  const data = await json(res);
-  if (res.ok && data.access_token)
-    return { status: "done", tokens: tokensFromResponse(data, nowMs) };
-  switch (data.error) {
-    case "authorization_pending":
-      return { status: "pending" };
-    case "slow_down":
-      return { status: "slow_down" };
-    case "expired_token":
-      return { status: "expired" };
-    default:
-      throw new Error(`claim poll failed: ${data.error ?? `HTTP ${res.status}`}`);
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    throw new Error(data.error === "invalid_code" ? "that code is incorrect or expired" : data.detail ?? "verification failed");
   }
+  return { accessToken: data.access_token ?? "", identityAssertion: data.identity_assertion, scope: data.scope };
 }
-var CLAIM_GRANT = "urn:workos:agent-auth:grant-type:claim";
-
-// src/lib/loginFlow.ts
-async function login(apiBase, f, hooks) {
-  const emit = (e) => hooks.onEvent?.(e);
-  const sleep = hooks.sleep ?? defaultSleep;
-  const now = hooks.now ?? Date.now;
-  emit({ type: "discovering", apiBase });
-  const ep = await discover(apiBase, f);
-  emit({ type: "discovered", endpoints: ep });
-  const email = (await hooks.email())?.trim();
-  if (!email)
-    return null;
-  emit({ type: "registering", email });
-  const reg = await register(ep, { type: "service_auth", login_hint: email }, f);
-  if (!reg.claim || !reg.claimToken)
-    throw new Error("service_auth did not return a claim ceremony");
-  emit({ type: "claim", ceremony: reg.claim });
-  emit({ type: "polling" });
-  let interval = Math.max(1, reg.claim.interval);
-  const deadline = now() + (hooks.timeoutMs ?? 10 * 60 * 1000);
-  for (;; ) {
-    const r = await pollClaim(ep.tokenEndpoint, reg.claimToken, f, now());
-    if (r.status === "done") {
-      emit({ type: "done" });
-      return { tokens: r.tokens, email };
-    }
-    if (r.status === "expired")
-      throw new Error("the code expired — run `vibegroup login` again");
-    if (r.status === "slow_down")
-      interval += 5;
-    if (now() > deadline)
-      throw new Error("login timed out");
-    await sleep(interval * 1000);
-  }
-}
-var defaultSleep = (ms) => new Promise((r) => setTimeout(r, ms));
-var init_loginFlow = () => {};
 
 // src/ui/session.ts
 function jwtClaim(jwt, key) {
@@ -354,17 +292,6 @@ function sessionFromTokens(tokens, email) {
   };
 }
 
-// src/lib/openBrowser.ts
-import { spawn } from "node:child_process";
-function openBrowser(url) {
-  const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "cmd" : "xdg-open";
-  const args = process.platform === "win32" ? ["/c", "start", "", url] : [url];
-  try {
-    spawn(cmd, args, { stdio: "ignore", detached: true }).unref();
-  } catch {}
-}
-var init_openBrowser = () => {};
-
 // src/ui/theme.ts
 var color;
 var init_theme = __esm(() => {
@@ -381,53 +308,42 @@ var init_theme = __esm(() => {
 // src/ui/Login.tsx
 import { useEffect, useRef, useState } from "react";
 import { Box, Text } from "ink";
-import { Spinner, StatusMessage, TextInput, Alert, Badge } from "@inkjs/ui";
+import { Spinner, StatusMessage, TextInput, Alert } from "@inkjs/ui";
 import { jsx, jsxs } from "react/jsx-runtime";
 function Login({
   apiBase,
   initialEmail,
   onExit
 }) {
-  const [phase, setPhase] = useState(initialEmail ? { t: "connecting" } : { t: "email" });
-  const opened = useRef(false);
+  const [phase, setPhase] = useState(initialEmail ? { t: "sending", email: initialEmail } : { t: "email" });
   const started = useRef(false);
-  const start = (email) => {
-    if (started.current)
-      return;
-    started.current = true;
-    setPhase({ t: "connecting" });
-    login(apiBase, fetch, {
-      email: async () => email,
-      onEvent: (e) => {
-        if (e.type === "registering")
-          setPhase({ t: "registering", email: e.email });
-        else if (e.type === "claim")
-          setPhase({ t: "waiting", code: e.ceremony.userCode, url: e.ceremony.verificationUri });
-      }
-    }).then((res) => {
-      if (!res) {
-        setPhase({ t: "error", message: "Login cancelled." });
-        setTimeout(() => onExit(1), 50);
-        return;
-      }
-      writeAuth(sessionFromTokens(res.tokens, res.email));
-      setPhase({ t: "done", email: res.email });
-      setTimeout(() => onExit(0), 500);
-    }).catch((err) => {
+  const send = async (email) => {
+    setPhase({ t: "sending", email });
+    try {
+      await startEmailLogin(apiBase, email, fetch);
+      setPhase({ t: "code", email });
+    } catch (err) {
       setPhase({ t: "error", message: err?.message ?? String(err) });
       setTimeout(() => onExit(1), 800);
-    });
+    }
+  };
+  const verify = async (email, code) => {
+    setPhase({ t: "verifying", email });
+    try {
+      const tokens = await verifyEmailLogin(apiBase, email, code, fetch);
+      writeAuth(sessionFromTokens(tokens, email));
+      setPhase({ t: "done", email });
+      setTimeout(() => onExit(0), 500);
+    } catch (err) {
+      setPhase({ t: "code", email, error: err?.message ?? String(err) });
+    }
   };
   useEffect(() => {
-    if (initialEmail)
-      start(initialEmail);
-  }, []);
-  useEffect(() => {
-    if (phase.t === "waiting" && !opened.current) {
-      opened.current = true;
-      openBrowser(phase.url);
+    if (initialEmail && !started.current) {
+      started.current = true;
+      send(initialEmail);
     }
-  }, [phase]);
+  }, []);
   return /* @__PURE__ */ jsxs(Box, {
     flexDirection: "column",
     gap: 1,
@@ -457,9 +373,9 @@ function Login({
             children: /* @__PURE__ */ jsx(TextInput, {
               placeholder: "you@company.com",
               onSubmit: (value) => {
-                const email = value.trim();
-                if (email)
-                  start(email);
+                const email = value.trim().toLowerCase();
+                if (email.includes("@"))
+                  send(email);
                 else
                   onExit(1);
               }
@@ -467,47 +383,48 @@ function Login({
           })
         ]
       }),
-      phase.t === "connecting" && /* @__PURE__ */ jsx(Spinner, {
-        label: "Connecting to vibegroup…"
-      }),
-      phase.t === "registering" && /* @__PURE__ */ jsx(Spinner, {
-        label: `Registering ${phase.email}…`
+      phase.t === "sending" && /* @__PURE__ */ jsx(Spinner, {
+        label: `Sending a code to ${phase.email}…`
       }),
-      phase.t === "waiting" && /* @__PURE__ */ jsxs(Box, {
+      phase.t === "code" && /* @__PURE__ */ jsxs(Box, {
         flexDirection: "column",
-        gap: 1,
         children: [
-          /* @__PURE__ */ jsxs(Box, {
-            borderStyle: "round",
-            borderColor: color.accent,
-            paddingX: 1,
-            flexDirection: "column",
+          /* @__PURE__ */ jsxs(Text, {
             children: [
-              /* @__PURE__ */ jsx(Text, {
-                children: "Open this link, sign in, and enter the code:"
-              }),
-              /* @__PURE__ */ jsx(Box, {
-                marginY: 1,
-                children: /* @__PURE__ */ jsx(Badge, {
-                  color: "cyan",
-                  children: phase.code
-                })
-              }),
+              "Enter the 6-digit code sent to ",
               /* @__PURE__ */ jsx(Text, {
                 color: color.accent,
-                children: phase.url
+                children: phase.email
               }),
-              /* @__PURE__ */ jsx(Text, {
-                dimColor: true,
-                children: "(the code goes into that page — not back here)"
-              })
+              ":"
             ]
           }),
-          /* @__PURE__ */ jsx(Spinner, {
-            label: "Waiting for you to confirm in the browser…"
+          /* @__PURE__ */ jsx(Box, {
+            marginTop: 1,
+            children: /* @__PURE__ */ jsx(TextInput, {
+              placeholder: "123456",
+              onSubmit: (value) => {
+                const code = value.trim();
+                if (code)
+                  verify(phase.email, code);
+              }
+            })
+          }),
+          phase.error && /* @__PURE__ */ jsx(Box, {
+            marginTop: 1,
+            children: /* @__PURE__ */ jsxs(Text, {
+              color: color.err,
+              children: [
+                phase.error,
+                " — try again."
+              ]
+            })
           })
         ]
       }),
+      phase.t === "verifying" && /* @__PURE__ */ jsx(Spinner, {
+        label: "Verifying…"
+      }),
       phase.t === "done" && /* @__PURE__ */ jsxs(StatusMessage, {
         variant: "success",
         children: [
@@ -524,9 +441,7 @@ function Login({
   });
 }
 var init_Login = __esm(() => {
-  init_loginFlow();
   init_auth();
-  init_openBrowser();
   init_theme();
 });
 
@@ -551,20 +466,9 @@ var exports_init = {};
 __export(exports_init, {
   initCommand: () => initCommand
 });
-import { spawnSync } from "node:child_process";
+import { spawnSync as spawnSync2 } from "node:child_process";
 import { existsSync as existsSync3, readFileSync as readFileSync3 } from "node:fs";
-import { fileURLToPath } from "node:url";
-import { dirname as dirname2, join as join2 } from "node:path";
-function packageRoot() {
-  return join2(dirname2(fileURLToPath(import.meta.url)), "..");
-}
-function commandExists(cmd) {
-  return spawnSync(cmd, ["--version"], { stdio: "ignore" }).status === 0;
-}
-function pluginInstalled() {
-  const r = spawnSync("claude", ["plugin", "list"], { encoding: "utf8" });
-  return r.status === 0 && /vibegroup@vibegroup/.test(r.stdout ?? "");
-}
+import { dirname as dirname3 } from "node:path";
 function readManagedSettings() {
   try {
     const p = managedSettingsPath();
@@ -575,16 +479,16 @@ function readManagedSettings() {
 }
 function writeAllowlistWithSudo() {
   const path = managedSettingsPath();
-  const json2 = JSON.stringify(mergeManagedSettings(readManagedSettings()), null, 2);
-  const script = `mkdir -p "${dirname2(path)}" && cat > "${path}"`;
-  const r = spawnSync("sudo", ["sh", "-c", script], { input: json2, stdio: ["pipe", "inherit", "inherit"] });
+  const json = JSON.stringify(mergeManagedSettings(readManagedSettings()), null, 2);
+  const script = `mkdir -p "${dirname3(path)}" && cat > "${path}"`;
+  const r = spawnSync2("sudo", ["sh", "-c", script], { input: json, stdio: ["pipe", "inherit", "inherit"] });
   return r.status === 0;
 }
 async function initCommand(rest, flags = {}, env = process.env) {
   const dev = flags.dev === true;
   console.log(`vibegroup setup
 `);
-  if (!commandExists("claude")) {
+  if (!claudeAvailable()) {
     console.error("Claude Code (`claude`) is not on your PATH. Install it first: https://docs.claude.com/claude-code");
     return 1;
   }
@@ -592,10 +496,9 @@ async function initCommand(rest, flags = {}, env = process.env) {
     console.log("✓ Plugin already installed.");
   } else {
     console.log("• Installing the vibegroup plugin into Claude Code…");
-    spawnSync("claude", ["plugin", "marketplace", "add", packageRoot()], { stdio: "inherit" });
-    spawnSync("claude", ["plugin", "install", "vibegroup@vibegroup"], { stdio: "inherit" });
-    if (!pluginInstalled()) {
-      console.error("Plugin install did not complete. Try manually: claude plugin install vibegroup@vibegroup");
+    const r = installPlugin();
+    if (!r.ok) {
+      console.error(r.message);
       return 1;
     }
     console.log("✓ Plugin installed.");
@@ -632,6 +535,7 @@ async function initCommand(rest, flags = {}, env = process.env) {
 var init_init = __esm(() => {
   init_auth();
   init_allowlist();
+  init_pluginInstall();
   init_login();
 });
 
@@ -753,7 +657,7 @@ var init_team = __esm(() => {
 });
 
 // src/lib/claudeLaunch.ts
-import { spawnSync as spawnSync2 } from "node:child_process";
+import { spawnSync as spawnSync3 } from "node:child_process";
 function buildClaudeArgs(opts = {}) {
   const extra = opts.extraArgs ?? [];
   return opts.dangerously ? ["--dangerously-load-development-channels", CHANNEL_SPEC, ...extra] : ["--channels", CHANNEL_SPEC, ...extra];
@@ -762,7 +666,7 @@ function launchClaude(opts = {}, launcher = defaultLauncher) {
   return launcher("claude", buildClaudeArgs(opts), opts.env);
 }
 var CHANNEL_SPEC = "plugin:vibegroup@vibegroup", defaultLauncher = (cmd, args, env) => {
-  const r = spawnSync2(cmd, args, { stdio: "inherit", env: env ? { ...process.env, ...env } : process.env });
+  const r = spawnSync3(cmd, args, { stdio: "inherit", env: env ? { ...process.env, ...env } : process.env });
   if (r.error)
     throw r.error;
   return r.status ?? 0;
@@ -893,6 +797,10 @@ async function run(argv, env = process.env) {
       const { allowlistPathCommand: allowlistPathCommand2 } = await Promise.resolve().then(() => (init_allowlist2(), exports_allowlist));
       return allowlistPathCommand2();
     }
+    case "install": {
+      const { installCommand: installCommand2 } = await Promise.resolve().then(() => (init_install(), exports_install));
+      return installCommand2();
+    }
     case "init": {
       const { initCommand: initCommand2 } = await Promise.resolve().then(() => (init_init(), exports_init));
       return initCommand2(rest, flags, env);
@@ -929,6 +837,7 @@ var VERSION, DEFAULT_API_BASE2 = "https://api.vibegroup.sh", HELP = `vibegroup
 Usage: vibegroup <command> [options]
 
 Commands:
+  install                     Register the vibegroup plugin in Claude Code (also: npx vibegroup install)
   init [email]                One-time setup: install the plugin, enable the channel, sign in
   login [email]               Sign in / sign up (opens your browser, verifies email)
   logout                      Clear the cached session

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vibegroup",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Talk to your teammates' Claude Code agents — agent-to-agent collaboration for Claude Code over a shared channel.",
   "type": "module",
   "bin": {
@@ -9,7 +9,6 @@
   "files": [
     "dist/cli.js",
     "README.md",
-    "scripts/postinstall.mjs",
     ".claude-plugin/marketplace.json",
     "plugin/.claude-plugin",
     "plugin/.mcp.json",
@@ -37,7 +36,6 @@
     "build:server": "cd packages/server && bun run build",
     "build": "bun run build:relay && bun run build:server && bun run build:plugin && bun run build:cli",
     "prepublishOnly": "bun run build:plugin && bun run build:cli",
-    "postinstall": "node scripts/postinstall.mjs",
     "test:cli": "bun test ./test/",
     "test:protocol": "cd packages/protocol && bun test",
     "test:relay": "cd packages/relay && bun test",

package/plugin/commands/init.md

@@ -1,37 +1,29 @@
 ---
-description: Set up vibegroup — authenticate by following auth.md, create/join a team, launch a channel session.
+description: Set up vibegroup — sign in with an email code, create/join a team, launch a channel session.
 ---
 
-Onboard the user to vibegroup. **You (the agent) follow the auth.md protocol yourself** — do NOT run `vibegroup login` (that's the human/terminal path). Use AskUserQuestion for choices; keep steps terse.
+Onboard the user to vibegroup. Sign-in is **passwordless email code** — you send a code, the user reads it from their inbox and pastes it to you. Do NOT run `vibegroup login` (that's the human/terminal path). Use AskUserQuestion for choices; keep steps terse.
 
 ## Phase 0 — Already authenticated?
 
 Read `~/.claude/vibegroup/auth.json` (honor `CLAUDE_CONFIG_DIR`). If it has a non-empty `accessToken`, you're signed in — skip to Phase 2.
 
-## Phase 1 — Authenticate (follow auth.md, `service_auth`)
-
-vibegroup publishes its agent-auth instructions at `https://api.vibegroup.sh/auth.md`. Follow the **`service_auth` (user-claimed)** path — no anonymous:
+## Phase 1 — Sign in (email code, no browser)
 
 1. Ask the user which email to sign in with (e.g. `terry@cruz.pe`).
-2. Register on their behalf:
+2. Send a code to that email:
    ```bash
-   curl -s -X POST https://api.vibegroup.sh/agent/identity \
-     -H 'content-type: application/json' \
-     -d '{"type":"service_auth","login_hint":"<email>"}'
+   curl -s -X POST https://api.vibegroup.sh/auth/email/start \
+     -H 'content-type: application/json' -d '{"email":"<email>"}'
    ```
-   Capture `claim_token`, `claim.user_code`, `claim.verification_uri`, and `claim.interval` from the JSON.
-3. Surface to the user, in one message:
-   > Open this link, sign in to vibegroup (it verifies your email), and enter the code **<user_code>**:
-   > <verification_uri>
-   > (the code goes into that page — not back to me)
-4. Poll until they confirm — wait `interval` seconds (default 5) between calls, give up after ~10 min:
+   (`{"ok":true}` means it's on the way.)
+3. Tell the user, in one message: *"I sent a 6-digit code to `<email>` — paste it here when it arrives."* Then wait for them to give you the code.
+4. Verify the code (this proves they own the email + signs them in):
    ```bash
-   curl -s -X POST https://api.vibegroup.sh/oauth2/token \
-     -H 'content-type: application/x-www-form-urlencoded' \
-     --data-urlencode 'grant_type=urn:workos:agent-auth:grant-type:claim' \
-     --data-urlencode 'claim_token=<claim_token>'
+   curl -s -X POST https://api.vibegroup.sh/auth/email/verify \
+     -H 'content-type: application/json' -d '{"email":"<email>","code":"<code>"}'
    ```
-   `{"error":"authorization_pending"}` → keep polling. `{"error":"expired_token"}` → re-register (step 2). On success the response has `access_token` + `identity_assertion`.
+   `{"error":"invalid_code"}` → tell them it was wrong/expired and ask again (re-send with step 2 if needed). On success the response has `access_token` + `identity_assertion`.
 5. Persist the session so the channel + CLI pick it up — write `~/.claude/vibegroup/auth.json` (file mode 600):
    ```json
    { "accessToken": "<access_token>", "identityAssertion": "<identity_assertion>", "user": { "id": "<email>", "email": "<email>" } }

package/scripts/postinstall.mjs

@@ -1,38 +0,0 @@
-// Best-effort: after `npm i -g vibegroup`, register the plugin into Claude Code so
-// it's usable immediately. The channel allowlist (needs sudo) and sign-in still
-// happen in `vibegroup init`. Never fails the install — only global installs act.
-import { spawnSync } from 'node:child_process'
-import { fileURLToPath } from 'node:url'
-import { dirname, join } from 'node:path'
-
-try {
-  if (process.env.npm_config_global !== 'true') process.exit(0)
-
-  const has = (cmd) => {
-    try {
-      return spawnSync(cmd, ['--version'], { stdio: 'ignore' }).status === 0
-    } catch {
-      return false
-    }
-  }
-
-  if (!has('claude')) {
-    console.log('\nvibegroup installed. Install Claude Code, then run `vibegroup init` to set up the plugin + channel.\n')
-    process.exit(0)
-  }
-
-  const list = spawnSync('claude', ['plugin', 'list'], { encoding: 'utf8' })
-  if (list.status === 0 && /vibegroup@vibegroup/.test(list.stdout ?? '')) {
-    console.log('\nvibegroup plugin already registered. Finish setup any time with `vibegroup init`.\n')
-    process.exit(0)
-  }
-
-  const root = join(dirname(fileURLToPath(import.meta.url)), '..')
-  console.log('\nRegistering the vibegroup plugin in Claude Code…')
-  spawnSync('claude', ['plugin', 'marketplace', 'add', root], { stdio: 'inherit' })
-  spawnSync('claude', ['plugin', 'install', 'vibegroup@vibegroup'], { stdio: 'inherit' })
-  console.log('\n✓ Plugin registered. Next: run `vibegroup init` (enables the channel + signs you in).\n')
-} catch {
-  // never break the install
-  process.exit(0)
-}