vibegroup 0.1.3 → 0.1.5

package/dist/cli.js

@@ -70,7 +70,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "vibegroup",
-    version: "0.1.3",
+    version: "0.1.5",
     description: "Talk to your teammates' Claude Code agents — agent-to-agent collaboration for Claude Code over a shared channel.",
     type: "module",
     bin: {
@@ -230,6 +230,32 @@ var init_install = __esm(() => {
   init_pluginInstall();
 });
 
+// src/lib/channel.ts
+import { spawnSync as spawnSync2 } from "node:child_process";
+import { existsSync as existsSync3, readFileSync as readFileSync3 } from "node:fs";
+import { dirname as dirname3 } from "node:path";
+function readManagedSettings() {
+  try {
+    const p = managedSettingsPath();
+    if (existsSync3(p))
+      return JSON.parse(readFileSync3(p, "utf8"));
+  } catch {}
+  return null;
+}
+function channelAllowlisted() {
+  return isAllowlisted(readManagedSettings());
+}
+function enableChannelWithSudo() {
+  const path = managedSettingsPath();
+  const json = JSON.stringify(mergeManagedSettings(readManagedSettings()), null, 2);
+  const script = `mkdir -p "${dirname3(path)}" && cat > "${path}"`;
+  const r = spawnSync2("sudo", ["sh", "-c", script], { input: json, stdio: ["pipe", "inherit", "inherit"] });
+  return r.status === 0;
+}
+var init_channel = __esm(() => {
+  init_allowlist();
+});
+
 // src/ui/runner.ts
 import { render } from "ink";
 function runInk(make) {
@@ -249,144 +275,30 @@ function runInk(make) {
 }
 var init_runner = () => {};
 
-// src/lib/workosAuth.ts
-async function json(res) {
-  const text = await res.text();
-  try {
-    return text ? JSON.parse(text) : {};
-  } catch {
-    return {};
-  }
-}
-function parseCeremony(c) {
-  if (!c || !c.user_code || !c.verification_uri)
-    return;
-  return {
-    userCode: c.user_code,
-    verificationUri: c.verification_uri,
-    interval: typeof c.interval === "number" ? c.interval : 5,
-    expiresIn: typeof c.expires_in === "number" ? c.expires_in : 600
-  };
-}
-function tokensFromResponse(body, nowMs) {
-  const tokens = { accessToken: body.access_token };
-  if (typeof body.expires_in === "number") {
-    tokens.accessTokenExpiresAt = new Date(nowMs + body.expires_in * 1000).toISOString();
-  }
-  if (body.identity_assertion)
-    tokens.identityAssertion = body.identity_assertion;
-  if (body.assertion_expires)
-    tokens.assertionExpiresAt = body.assertion_expires;
-  if (body.scope)
-    tokens.scope = body.scope;
-  return tokens;
-}
-async function discover(apiBase, f) {
-  const base = apiBase.replace(/\/+$/, "");
-  const prmRes = await f(`${base}/.well-known/oauth-protected-resource`);
-  if (!prmRes.ok)
-    throw new Error(`discovery failed: protected-resource metadata HTTP ${prmRes.status}`);
-  const prm = await json(prmRes);
-  const as = (prm.authorization_servers ?? [])[0];
-  if (!as)
-    throw new Error("discovery failed: no authorization_servers in protected-resource metadata");
-  const asRes = await f(`${as.replace(/\/+$/, "")}/.well-known/oauth-authorization-server`);
-  if (!asRes.ok)
-    throw new Error(`discovery failed: authorization-server metadata HTTP ${asRes.status}`);
-  const meta = await json(asRes);
-  const agent = meta.agent_auth ?? {};
-  if (!meta.token_endpoint || !agent.identity_endpoint || !agent.claim_endpoint) {
-    throw new Error("discovery failed: authorization server is missing agent_auth endpoints");
-  }
-  return {
-    issuer: meta.issuer,
-    tokenEndpoint: meta.token_endpoint,
-    revocationEndpoint: meta.revocation_endpoint,
-    identityEndpoint: agent.identity_endpoint,
-    claimEndpoint: agent.claim_endpoint,
-    resource: prm.resource ?? meta.resource,
-    scopesSupported: prm.scopes_supported
-  };
-}
-async function register(ep, body, f) {
-  const res = await f(ep.identityEndpoint, {
+// src/lib/emailAuth.ts
+async function startEmailLogin(apiBase, email, f) {
+  const res = await f(`${apiBase}/auth/email/start`, {
     method: "POST",
     headers: { "content-type": "application/json" },
-    body: JSON.stringify(body)
+    body: JSON.stringify({ email })
   });
-  const data = await json(res);
-  if (!res.ok && !data.registration_id) {
-    throw new Error(`register failed: ${data.error ?? `HTTP ${res.status}`}`);
+  if (!res.ok) {
+    const err = await res.json().catch(() => ({}));
+    throw new Error(err.detail ?? "could not send the code");
   }
-  return {
-    registrationId: data.registration_id,
-    registrationType: data.registration_type,
-    identityAssertion: data.identity_assertion,
-    assertionExpires: data.assertion_expires,
-    preClaimScopes: data.pre_claim_scopes,
-    postClaimScopes: data.post_claim_scopes,
-    claimToken: data.claim_token,
-    claim: parseCeremony(data.claim)
-  };
 }
-async function pollClaim(tokenEndpoint, claimToken, f, nowMs = Date.now()) {
-  const res = await f(tokenEndpoint, {
+async function verifyEmailLogin(apiBase, email, code, f) {
+  const res = await f(`${apiBase}/auth/email/verify`, {
     method: "POST",
-    headers: { "content-type": "application/x-www-form-urlencoded" },
-    body: new URLSearchParams({ grant_type: CLAIM_GRANT, claim_token: claimToken }).toString()
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ email, code })
   });
-  const data = await json(res);
-  if (res.ok && data.access_token)
-    return { status: "done", tokens: tokensFromResponse(data, nowMs) };
-  switch (data.error) {
-    case "authorization_pending":
-      return { status: "pending" };
-    case "slow_down":
-      return { status: "slow_down" };
-    case "expired_token":
-      return { status: "expired" };
-    default:
-      throw new Error(`claim poll failed: ${data.error ?? `HTTP ${res.status}`}`);
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    throw new Error(data.error === "invalid_code" ? "that code is incorrect or expired" : data.detail ?? "verification failed");
   }
+  return { accessToken: data.access_token ?? "", identityAssertion: data.identity_assertion, scope: data.scope };
 }
-var CLAIM_GRANT = "urn:workos:agent-auth:grant-type:claim";
-
-// src/lib/loginFlow.ts
-async function login(apiBase, f, hooks) {
-  const emit = (e) => hooks.onEvent?.(e);
-  const sleep = hooks.sleep ?? defaultSleep;
-  const now = hooks.now ?? Date.now;
-  emit({ type: "discovering", apiBase });
-  const ep = await discover(apiBase, f);
-  emit({ type: "discovered", endpoints: ep });
-  const email = (await hooks.email())?.trim();
-  if (!email)
-    return null;
-  emit({ type: "registering", email });
-  const reg = await register(ep, { type: "service_auth", login_hint: email }, f);
-  if (!reg.claim || !reg.claimToken)
-    throw new Error("service_auth did not return a claim ceremony");
-  emit({ type: "claim", ceremony: reg.claim });
-  emit({ type: "polling" });
-  let interval = Math.max(1, reg.claim.interval);
-  const deadline = now() + (hooks.timeoutMs ?? 10 * 60 * 1000);
-  for (;; ) {
-    const r = await pollClaim(ep.tokenEndpoint, reg.claimToken, f, now());
-    if (r.status === "done") {
-      emit({ type: "done" });
-      return { tokens: r.tokens, email };
-    }
-    if (r.status === "expired")
-      throw new Error("the code expired — run `vibegroup login` again");
-    if (r.status === "slow_down")
-      interval += 5;
-    if (now() > deadline)
-      throw new Error("login timed out");
-    await sleep(interval * 1000);
-  }
-}
-var defaultSleep = (ms) => new Promise((r) => setTimeout(r, ms));
-var init_loginFlow = () => {};
 
 // src/ui/session.ts
 function jwtClaim(jwt, key) {
@@ -406,17 +318,6 @@ function sessionFromTokens(tokens, email) {
   };
 }
 
-// src/lib/openBrowser.ts
-import { spawn } from "node:child_process";
-function openBrowser(url) {
-  const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "cmd" : "xdg-open";
-  const args = process.platform === "win32" ? ["/c", "start", "", url] : [url];
-  try {
-    spawn(cmd, args, { stdio: "ignore", detached: true }).unref();
-  } catch {}
-}
-var init_openBrowser = () => {};
-
 // src/ui/theme.ts
 var color;
 var init_theme = __esm(() => {
@@ -433,53 +334,42 @@ var init_theme = __esm(() => {
 // src/ui/Login.tsx
 import { useEffect, useRef, useState } from "react";
 import { Box, Text } from "ink";
-import { Spinner, StatusMessage, TextInput, Alert, Badge } from "@inkjs/ui";
+import { Spinner, StatusMessage, TextInput, Alert } from "@inkjs/ui";
 import { jsx, jsxs } from "react/jsx-runtime";
 function Login({
   apiBase,
   initialEmail,
   onExit
 }) {
-  const [phase, setPhase] = useState(initialEmail ? { t: "connecting" } : { t: "email" });
-  const opened = useRef(false);
+  const [phase, setPhase] = useState(initialEmail ? { t: "sending", email: initialEmail } : { t: "email" });
   const started = useRef(false);
-  const start = (email) => {
-    if (started.current)
-      return;
-    started.current = true;
-    setPhase({ t: "connecting" });
-    login(apiBase, fetch, {
-      email: async () => email,
-      onEvent: (e) => {
-        if (e.type === "registering")
-          setPhase({ t: "registering", email: e.email });
-        else if (e.type === "claim")
-          setPhase({ t: "waiting", code: e.ceremony.userCode, url: e.ceremony.verificationUri });
-      }
-    }).then((res) => {
-      if (!res) {
-        setPhase({ t: "error", message: "Login cancelled." });
-        setTimeout(() => onExit(1), 50);
-        return;
-      }
-      writeAuth(sessionFromTokens(res.tokens, res.email));
-      setPhase({ t: "done", email: res.email });
-      setTimeout(() => onExit(0), 500);
-    }).catch((err) => {
+  const send = async (email) => {
+    setPhase({ t: "sending", email });
+    try {
+      await startEmailLogin(apiBase, email, fetch);
+      setPhase({ t: "code", email });
+    } catch (err) {
       setPhase({ t: "error", message: err?.message ?? String(err) });
       setTimeout(() => onExit(1), 800);
-    });
+    }
+  };
+  const verify = async (email, code) => {
+    setPhase({ t: "verifying", email });
+    try {
+      const tokens = await verifyEmailLogin(apiBase, email, code, fetch);
+      writeAuth(sessionFromTokens(tokens, email));
+      setPhase({ t: "done", email });
+      setTimeout(() => onExit(0), 500);
+    } catch (err) {
+      setPhase({ t: "code", email, error: err?.message ?? String(err) });
+    }
   };
   useEffect(() => {
-    if (initialEmail)
-      start(initialEmail);
-  }, []);
-  useEffect(() => {
-    if (phase.t === "waiting" && !opened.current) {
-      opened.current = true;
-      openBrowser(phase.url);
+    if (initialEmail && !started.current) {
+      started.current = true;
+      send(initialEmail);
     }
-  }, [phase]);
+  }, []);
   return /* @__PURE__ */ jsxs(Box, {
     flexDirection: "column",
     gap: 1,
@@ -509,9 +399,9 @@ function Login({
             children: /* @__PURE__ */ jsx(TextInput, {
               placeholder: "you@company.com",
               onSubmit: (value) => {
-                const email = value.trim();
-                if (email)
-                  start(email);
+                const email = value.trim().toLowerCase();
+                if (email.includes("@"))
+                  send(email);
                 else
                   onExit(1);
               }
@@ -519,47 +409,48 @@ function Login({
           })
         ]
       }),
-      phase.t === "connecting" && /* @__PURE__ */ jsx(Spinner, {
-        label: "Connecting to vibegroup…"
+      phase.t === "sending" && /* @__PURE__ */ jsx(Spinner, {
+        label: `Sending a code to ${phase.email}…`
       }),
-      phase.t === "registering" && /* @__PURE__ */ jsx(Spinner, {
-        label: `Registering ${phase.email}…`
-      }),
-      phase.t === "waiting" && /* @__PURE__ */ jsxs(Box, {
+      phase.t === "code" && /* @__PURE__ */ jsxs(Box, {
         flexDirection: "column",
-        gap: 1,
         children: [
-          /* @__PURE__ */ jsxs(Box, {
-            borderStyle: "round",
-            borderColor: color.accent,
-            paddingX: 1,
-            flexDirection: "column",
+          /* @__PURE__ */ jsxs(Text, {
             children: [
-              /* @__PURE__ */ jsx(Text, {
-                children: "Open this link, sign in, and enter the code:"
-              }),
-              /* @__PURE__ */ jsx(Box, {
-                marginY: 1,
-                children: /* @__PURE__ */ jsx(Badge, {
-                  color: "cyan",
-                  children: phase.code
-                })
-              }),
+              "Enter the 6-digit code sent to ",
               /* @__PURE__ */ jsx(Text, {
                 color: color.accent,
-                children: phase.url
+                children: phase.email
               }),
-              /* @__PURE__ */ jsx(Text, {
-                dimColor: true,
-                children: "(the code goes into that page — not back here)"
-              })
+              ":"
             ]
           }),
-          /* @__PURE__ */ jsx(Spinner, {
-            label: "Waiting for you to confirm in the browser…"
+          /* @__PURE__ */ jsx(Box, {
+            marginTop: 1,
+            children: /* @__PURE__ */ jsx(TextInput, {
+              placeholder: "123456",
+              onSubmit: (value) => {
+                const code = value.trim();
+                if (code)
+                  verify(phase.email, code);
+              }
+            })
+          }),
+          phase.error && /* @__PURE__ */ jsx(Box, {
+            marginTop: 1,
+            children: /* @__PURE__ */ jsxs(Text, {
+              color: color.err,
+              children: [
+                phase.error,
+                " — try again."
+              ]
+            })
           })
         ]
       }),
+      phase.t === "verifying" && /* @__PURE__ */ jsx(Spinner, {
+        label: "Verifying…"
+      }),
       phase.t === "done" && /* @__PURE__ */ jsxs(StatusMessage, {
         variant: "success",
         children: [
@@ -576,9 +467,7 @@ function Login({
   });
 }
 var init_Login = __esm(() => {
-  init_loginFlow();
   init_auth();
-  init_openBrowser();
   init_theme();
 });
 
@@ -603,24 +492,6 @@ var exports_init = {};
 __export(exports_init, {
   initCommand: () => initCommand
 });
-import { spawnSync as spawnSync2 } from "node:child_process";
-import { existsSync as existsSync3, readFileSync as readFileSync3 } from "node:fs";
-import { dirname as dirname3 } from "node:path";
-function readManagedSettings() {
-  try {
-    const p = managedSettingsPath();
-    if (existsSync3(p))
-      return JSON.parse(readFileSync3(p, "utf8"));
-  } catch {}
-  return null;
-}
-function writeAllowlistWithSudo() {
-  const path = managedSettingsPath();
-  const json2 = JSON.stringify(mergeManagedSettings(readManagedSettings()), null, 2);
-  const script = `mkdir -p "${dirname3(path)}" && cat > "${path}"`;
-  const r = spawnSync2("sudo", ["sh", "-c", script], { input: json2, stdio: ["pipe", "inherit", "inherit"] });
-  return r.status === 0;
-}
 async function initCommand(rest, flags = {}, env = process.env) {
   const dev = flags.dev === true;
   console.log(`vibegroup setup
@@ -642,13 +513,13 @@ async function initCommand(rest, flags = {}, env = process.env) {
   }
   if (dev) {
     console.log("• Dev mode: skipping the channel allowlist (launch with `vibegroup claude --dev`).");
-  } else if (isAllowlisted(readManagedSettings())) {
+  } else if (channelAllowlisted()) {
     console.log("✓ Channel already enabled.");
   } else {
     console.log(`
 • Enabling the vibegroup channel needs admin once (Claude Code gates channel plugins).`);
-    console.log(`  Writing ${managedSettingsPath()} — enter your password if prompted.`);
-    if (!writeAllowlistWithSudo()) {
+    console.log("  Enter your password if prompted.");
+    if (!enableChannelWithSudo()) {
       console.error("  Could not write managed settings. Retry, or run `vibegroup init --dev` to skip it and use `vibegroup claude --dev`.");
       return 1;
     }
@@ -671,7 +542,7 @@ async function initCommand(rest, flags = {}, env = process.env) {
 }
 var init_init = __esm(() => {
   init_auth();
-  init_allowlist();
+  init_channel();
   init_pluginInstall();
   init_login();
 });
@@ -836,7 +707,7 @@ function extractFlag(args, name) {
   }
   return { value, rest };
 }
-function claudeCommand(args, env = process.env, launcher) {
+function claudeCommand(args, env = process.env, launcher, channel = realChannelGate) {
   if (!isLoggedIn(readAuth(env))) {
     console.error("Not logged in — run `vibegroup login` first.");
     return 1;
@@ -848,6 +719,13 @@ function claudeCommand(args, env = process.env, launcher) {
     console.error("No team selected — pass `--team <slug>` (the team whose room you want to join).");
     return 1;
   }
+  if (!dangerously && !channel.allowlisted()) {
+    console.log("Enabling the vibegroup channel — one-time, needs admin. Enter your password if prompted.");
+    if (!channel.enable()) {
+      console.error("Could not enable the channel. Retry, or launch with `vibegroup claude --dev` (no admin needed).");
+      return 1;
+    }
+  }
   const vg = {
     VIBEGROUP_TEAM: team,
     VIBEGROUP_ROOM: room && room.length > 0 ? room : "general",
@@ -855,10 +733,12 @@ function claudeCommand(args, env = process.env, launcher) {
   };
   return launchClaude({ extraArgs: extra, dangerously, env: vg }, launcher);
 }
-var DEFAULT_API_BASE = "https://api.vibegroup.sh";
+var DEFAULT_API_BASE = "https://api.vibegroup.sh", realChannelGate;
 var init_claudeCmd = __esm(() => {
   init_claudeLaunch();
   init_auth();
+  init_channel();
+  realChannelGate = { allowlisted: channelAllowlisted, enable: enableChannelWithSudo };
 });
 
 // src/cli.ts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vibegroup",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "Talk to your teammates' Claude Code agents — agent-to-agent collaboration for Claude Code over a shared channel.",
   "type": "module",
   "bin": {

package/plugin/commands/init.md

@@ -1,37 +1,29 @@
 ---
-description: Set up vibegroup — authenticate by following auth.md, create/join a team, launch a channel session.
+description: Set up vibegroup — sign in with an email code, create/join a team, launch a channel session.
 ---
 
-Onboard the user to vibegroup. **You (the agent) follow the auth.md protocol yourself** — do NOT run `vibegroup login` (that's the human/terminal path). Use AskUserQuestion for choices; keep steps terse.
+Onboard the user to vibegroup. Sign-in is **passwordless email code** — you send a code, the user reads it from their inbox and pastes it to you. Do NOT run `vibegroup login` (that's the human/terminal path). Use AskUserQuestion for choices; keep steps terse.
 
 ## Phase 0 — Already authenticated?
 
 Read `~/.claude/vibegroup/auth.json` (honor `CLAUDE_CONFIG_DIR`). If it has a non-empty `accessToken`, you're signed in — skip to Phase 2.
 
-## Phase 1 — Authenticate (follow auth.md, `service_auth`)
-
-vibegroup publishes its agent-auth instructions at `https://api.vibegroup.sh/auth.md`. Follow the **`service_auth` (user-claimed)** path — no anonymous:
+## Phase 1 — Sign in (email code, no browser)
 
 1. Ask the user which email to sign in with (e.g. `terry@cruz.pe`).
-2. Register on their behalf:
+2. Send a code to that email:
    ```bash
-   curl -s -X POST https://api.vibegroup.sh/agent/identity \
-     -H 'content-type: application/json' \
-     -d '{"type":"service_auth","login_hint":"<email>"}'
+   curl -s -X POST https://api.vibegroup.sh/auth/email/start \
+     -H 'content-type: application/json' -d '{"email":"<email>"}'
    ```
-   Capture `claim_token`, `claim.user_code`, `claim.verification_uri`, and `claim.interval` from the JSON.
-3. Surface to the user, in one message:
-   > Open this link, sign in to vibegroup (it verifies your email), and enter the code **<user_code>**:
-   > <verification_uri>
-   > (the code goes into that page — not back to me)
-4. Poll until they confirm — wait `interval` seconds (default 5) between calls, give up after ~10 min:
+   (`{"ok":true}` means it's on the way.)
+3. Tell the user, in one message: *"I sent a 6-digit code to `<email>` — paste it here when it arrives."* Then wait for them to give you the code.
+4. Verify the code (this proves they own the email + signs them in):
    ```bash
-   curl -s -X POST https://api.vibegroup.sh/oauth2/token \
-     -H 'content-type: application/x-www-form-urlencoded' \
-     --data-urlencode 'grant_type=urn:workos:agent-auth:grant-type:claim' \
-     --data-urlencode 'claim_token=<claim_token>'
+   curl -s -X POST https://api.vibegroup.sh/auth/email/verify \
+     -H 'content-type: application/json' -d '{"email":"<email>","code":"<code>"}'
    ```
-   `{"error":"authorization_pending"}` → keep polling. `{"error":"expired_token"}` → re-register (step 2). On success the response has `access_token` + `identity_assertion`.
+   `{"error":"invalid_code"}` → tell them it was wrong/expired and ask again (re-send with step 2 if needed). On success the response has `access_token` + `identity_assertion`.
 5. Persist the session so the channel + CLI pick it up — write `~/.claude/vibegroup/auth.json` (file mode 600):
    ```json
    { "accessToken": "<access_token>", "identityAssertion": "<identity_assertion>", "user": { "id": "<email>", "email": "<email>" } }
@@ -45,10 +37,11 @@ The session is cached now, so the `vibegroup` CLI works. AskUserQuestion: **"Cre
 
 ## Phase 3 — Launch a channel session
 
-If the vibegroup channel isn't set up on this machine yet, tell the user to run `vibegroup init` once in their terminal (it installs the plugin and enables the channel — needs their password once). Then:
+The vibegroup channel is admin-gated (it lives in root-owned managed settings), so **you can't enable it from here** — it's a terminal action, like login. Tell the user to run, in their terminal:
 ```bash
 vibegroup claude --team <slug>
 ```
+The **first run enables the channel** (one `sudo` password prompt), then launches Claude Code in the room. Every later run just launches. If they'd rather not use admin, `vibegroup claude --team <slug> --dev` skips it via the development-channel flag (no password).
 
 ## Done