wispy-cli 2.7.16 → 2.7.18

package/bin/wispy.mjs

@@ -56,6 +56,7 @@ function hasFlag(flag) {
 
 // Parse global flags (order doesn't matter, remove from args so REPL doesn't see them)
 const globalProfile = extractFlag(["--profile", "-p"], true);
+const globalWorkstream = extractFlag(["--workstream", "-w"], true);
 const globalPersonality = extractFlag(["--personality"], true);
 const globalJsonMode = hasFlag("--json");
 if (globalJsonMode) { args.splice(args.indexOf("--json"), 1); }
@@ -86,6 +87,10 @@ const imagePaths = [];
 
 // Expose for submodules via env
 if (globalProfile) process.env.WISPY_PROFILE = globalProfile;
+// Validate workstream: ignore flag-like values (e.g. --invalid-arg)
+if (globalWorkstream && !globalWorkstream.startsWith("-")) {
+  process.env.WISPY_WORKSTREAM = globalWorkstream;
+}
 if (globalPersonality) process.env.WISPY_PERSONALITY = globalPersonality;
 if (imagePaths.length > 0) process.env.WISPY_IMAGES = JSON.stringify(imagePaths);
 if (globalSystemPrompt) process.env.WISPY_SYSTEM_PROMPT = globalSystemPrompt;
@@ -128,6 +133,9 @@ Usage:
   wispy doctor                 Check system health
   wispy browser [tabs|attach|navigate|screenshot|doctor]
                                Browser control via local-browser-bridge
+  wispy auth                   Show auth status for all providers
+  wispy auth <provider>        Re-authenticate a specific provider
+  wispy auth --reset           Clear all saved credentials
   wispy secrets [list|set|delete|get]
                                Manage encrypted secrets & API keys
   wispy tts "<text>"           Text-to-speech (OpenAI or macOS say)
@@ -235,6 +243,191 @@ if (command === "setup") {
   process.exit(0);
 }
 
+// ── Auth ──────────────────────────────────────────────────────────────────────
+
+if (command === "auth") {
+  try {
+    const { loadConfig, saveConfig, PROVIDERS, WISPY_DIR } = await import(join(rootDir, "core/config.mjs"));
+    const { AuthManager } = await import(join(rootDir, "core/auth.mjs"));
+    const { readdir, unlink } = await import("node:fs/promises");
+    const { existsSync } = await import("node:fs");
+    const path = await import("node:path");
+
+    const bold   = (s) => `\x1b[1m${s}\x1b[0m`;
+    const dim    = (s) => `\x1b[2m${s}\x1b[0m`;
+    const green  = (s) => `\x1b[32m${s}\x1b[0m`;
+    const yellow = (s) => `\x1b[33m${s}\x1b[0m`;
+    const red    = (s) => `\x1b[31m${s}\x1b[0m`;
+    const cyan   = (s) => `\x1b[36m${s}\x1b[0m`;
+
+    const sub = args[1];
+
+    // ── wispy auth --reset ───────────────────────────────────────────────────
+    if (sub === "--reset") {
+      const { confirm } = await import("@inquirer/prompts");
+      const yes = await confirm({
+        message: "Clear ALL saved credentials (API keys + tokens)?",
+        default: false,
+      });
+      if (yes) {
+        const config = await loadConfig();
+        delete config.providers;
+        delete config.apiKey;
+        delete config.provider;
+        await saveConfig(config);
+
+        // Remove auth token files
+        const authDir = path.join(WISPY_DIR, "auth");
+        if (existsSync(authDir)) {
+          const files = await readdir(authDir);
+          for (const f of files) {
+            await unlink(path.join(authDir, f)).catch(() => {});
+          }
+        }
+        console.log(green("✓ All credentials cleared."));
+      } else {
+        console.log(dim("Cancelled."));
+      }
+      process.exit(0);
+    }
+
+    const config = await loadConfig();
+    const authMgr = new AuthManager(WISPY_DIR);
+
+    // ── wispy auth <provider> ────────────────────────────────────────────────
+    if (sub && !sub.startsWith("-")) {
+      const provKey = sub;
+      const providerInfo = PROVIDERS?.[provKey];
+      if (!providerInfo) {
+        console.error(`Unknown provider: ${provKey}`);
+        console.log(dim("Run `wispy auth` (no args) to see configured providers."));
+        process.exit(1);
+      }
+
+      console.log(`\n  Re-authenticating ${bold(providerInfo.label ?? provKey)}...\n`);
+
+      if (provKey === "github-copilot") {
+        const { githubDeviceFlow } = await import(join(rootDir, "core/oauth-flows.mjs"));
+        const result = await githubDeviceFlow();
+        if (result?.access_token) {
+          await authMgr.saveToken("github-copilot", {
+            type: "oauth",
+            accessToken: result.access_token,
+            provider: "github-copilot",
+          });
+          if (!config.providers) config.providers = {};
+          config.providers["github-copilot"] = { model: providerInfo.defaultModel ?? "gpt-4o", auth: "oauth" };
+          await saveConfig(config);
+          console.log(green("  ✅ GitHub Copilot authenticated!"));
+        } else {
+          console.error(red("  ✗ Authentication failed"));
+          process.exit(1);
+        }
+      } else {
+        // Standard API key re-auth
+        const { openUrl } = await import(join(rootDir, "core/onboarding.mjs"));
+        const { select, password } = await import("@inquirer/prompts");
+
+        if (providerInfo.signupUrl) {
+          try {
+            const choice = await select({
+              message: `How would you like to authenticate with ${providerInfo.label ?? provKey}?`,
+              choices: [
+                { name: `Open ${providerInfo.label ?? provKey} in browser → paste API key`, value: "browser" },
+                { name: "Paste API key directly", value: "paste" },
+                { name: "Cancel", value: "cancel" },
+              ],
+            });
+            if (choice === "cancel") { console.log(dim("Cancelled.")); process.exit(0); }
+            if (choice === "browser") {
+              console.log(`\n  Opening ${providerInfo.label ?? provKey} in your browser...`);
+              await openUrl(providerInfo.signupUrl);
+              console.log(dim(`  → ${providerInfo.signupUrl}`));
+              console.log(dim(`  Copy your API key and paste it below.\n`));
+            }
+          } catch {
+            // non-interactive, fall through
+          }
+        }
+
+        const key = await password({
+          message: `  🔑 ${providerInfo.label ?? provKey} API key:`,
+          mask: "*",
+        });
+
+        if (!key?.trim()) { console.log(dim("  No key provided. Exiting.")); process.exit(0); }
+
+        process.stdout.write("  Validating...");
+        const { validateApiKey } = await import(join(rootDir, "core/onboarding.mjs")).catch(() => ({ validateApiKey: null }));
+        let validated = false;
+        if (validateApiKey) {
+          const result = await validateApiKey(provKey, key.trim());
+          if (result.ok) {
+            console.log(green(" ✅ Connected!"));
+            validated = true;
+          } else {
+            console.log(yellow(` ⚠ ${result.error ?? "Could not validate"} — saving anyway.`));
+          }
+        } else {
+          console.log(dim(" (validation skipped)"));
+        }
+
+        if (!config.providers) config.providers = {};
+        config.providers[provKey] = {
+          ...(config.providers[provKey] ?? {}),
+          apiKey: key.trim(),
+        };
+        await saveConfig(config);
+        console.log(green(`  ✅ ${providerInfo.label ?? provKey} credentials updated.`));
+      }
+      process.exit(0);
+    }
+
+    // ── wispy auth (status) ──────────────────────────────────────────────────
+    console.log(`\n  ${bold("Auth Status")}\n`);
+
+    const configuredProviders = config.providers ? Object.keys(config.providers) : [];
+    if (config.provider && !configuredProviders.includes(config.provider)) {
+      configuredProviders.push(config.provider);
+    }
+
+    if (configuredProviders.length === 0) {
+      console.log(dim("  No providers configured. Run `wispy setup` to get started.\n"));
+    } else {
+      for (const provKey of configuredProviders) {
+        const provInfo = PROVIDERS?.[provKey];
+        const label = provInfo?.label ?? provKey;
+        const provConfig = config.providers?.[provKey] ?? {};
+        const hasKey = !!(provConfig.apiKey || provKey === "ollama" || provKey === "vllm");
+        const isOAuth = provConfig.auth === "oauth";
+        const token = authMgr.loadToken(provKey);
+        const hasToken = !!token;
+
+        let status;
+        if (isOAuth || hasToken) {
+          const expired = authMgr.isExpired?.(provKey) ?? false;
+          status = expired ? yellow("⚠ token expired") : green("✅ OAuth/token");
+        } else if (hasKey) {
+          status = green("✅ API key set");
+        } else {
+          status = red("✗ no credentials");
+        }
+
+        const model = provConfig.model ?? provInfo?.defaultModel ?? "";
+        console.log(`  ${cyan(label.padEnd(30))} ${status}${model ? dim(` (${model})`) : ""}`);
+      }
+      console.log("");
+      console.log(dim("  Run `wispy auth <provider>` to re-authenticate a specific provider."));
+      console.log(dim("  Run `wispy auth --reset` to clear all credentials.\n"));
+    }
+
+  } catch (err) {
+    console.error("Auth error:", err.message);
+    process.exit(1);
+  }
+  process.exit(0);
+}
+
 // ── Config ────────────────────────────────────────────────────────────────────
 
 if (command === "config") {

package/core/engine.mjs

@@ -96,10 +96,14 @@ export class WispyEngine {
     this._workMdContent = null;
     this._workMdLoaded = false;
     this._workMdPath = null;
-    this._activeWorkstream = config.workstream
-      ?? process.env.WISPY_WORKSTREAM
-      ?? process.argv.find((a, i) => (process.argv[i-1] === "-w" || process.argv[i-1] === "--workstream"))
-      ?? "default";
+    {
+      const _ws = config.workstream
+        ?? process.env.WISPY_WORKSTREAM
+        ?? process.argv.find((a, i) => (process.argv[i-1] === "-w" || process.argv[i-1] === "--workstream"))
+        ?? "default";
+      // Sanitize: never use a flag-like value as workstream name
+      this._activeWorkstream = (_ws && !_ws.startsWith("-")) ? _ws : "default";
+    }
     // Personality: from config, or null (use default Wispy personality)
     this._personality = config.personality ?? null;
     // System prompt overrides from config

package/core/oauth-flows.mjs

@@ -0,0 +1,102 @@
+/**
+ * core/oauth-flows.mjs — OAuth/device flow handlers for various providers
+ *
+ * Provides:
+ *   - startCallbackServer()  — localhost HTTP server for OAuth redirect flows
+ *   - githubDeviceFlow()     — re-exported from auth.mjs for convenience
+ *   - browserKeyFlow()       — generic "open browser + wait for paste" flow
+ */
+
+import { createServer } from "node:http";
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Localhost callback server for OAuth redirect flows
+// ──────────────────────────────────────────────────────────────────────────────
+
+/**
+ * Starts a temporary HTTP server on localhost that waits for an OAuth redirect.
+ * Resolves with { code, token, params } when the browser hits the callback URL.
+ * Rejects after 120 seconds if no callback is received.
+ *
+ * @param {number} [port=9876] - Port to listen on
+ * @returns {Promise<{ code: string|null, token: string|null, params: Record<string,string> }>}
+ */
+export async function startCallbackServer(port = 9876) {
+  return new Promise((resolve, reject) => {
+    let resolved = false;
+
+    const server = createServer((req, res) => {
+      const url = new URL(req.url, `http://127.0.0.1:${port}`);
+      const code = url.searchParams.get("code");
+      const token =
+        url.searchParams.get("token") || url.searchParams.get("key");
+
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end(`
+        <html><body style="font-family:system-ui;text-align:center;padding:60px">
+          <h2>✓ Wispy connected!</h2>
+          <p>You can close this tab and return to your terminal.</p>
+          <script>window.close()</script>
+        </body></html>
+      `);
+
+      if (!resolved) {
+        resolved = true;
+        server.close();
+        resolve({ code, token, params: Object.fromEntries(url.searchParams) });
+      }
+    });
+
+    server.listen(port, "127.0.0.1");
+
+    // Timeout after 120 seconds
+    setTimeout(() => {
+      if (!resolved) {
+        resolved = true;
+        server.close();
+        reject(new Error("Authentication timed out (120s)"));
+      }
+    }, 120_000);
+  });
+}
+
+// ──────────────────────────────────────────────────────────────────────────────
+// GitHub OAuth device flow (re-export from auth.mjs)
+// ──────────────────────────────────────────────────────────────────────────────
+
+export { githubDeviceFlow } from "./auth.mjs";
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Generic "open browser, wait for paste" flow with optional validation
+// ──────────────────────────────────────────────────────────────────────────────
+
+/**
+ * Opens the provider's signup URL in the browser, then prompts the user to
+ * paste their API key. Optionally validates the key via validateFn.
+ *
+ * @param {{ label: string, signupUrl?: string }} providerInfo
+ * @param {((key: string) => Promise<{ ok: boolean, error?: string, model?: string }>)|null} [validateFn]
+ * @returns {Promise<{ valid: boolean, key?: string, error?: string }>}
+ */
+export async function browserKeyFlow(providerInfo, validateFn = null) {
+  const { openUrl } = await import("./onboarding.mjs");
+
+  if (providerInfo.signupUrl) {
+    await openUrl(providerInfo.signupUrl);
+  }
+
+  const { password } = await import("@inquirer/prompts");
+  const key = await password({
+    message: `  Paste your ${providerInfo.label} API key:`,
+    mask: "*",
+  });
+
+  if (!key?.trim()) return { valid: false, error: "No key provided" };
+
+  if (validateFn) {
+    const result = await validateFn(key.trim());
+    return { ...result, key: key.trim() };
+  }
+
+  return { valid: true, key: key.trim() };
+}

package/core/onboarding.mjs

@@ -50,6 +50,24 @@ const cyan   = (s) => `\x1b[36m${s}\x1b[0m`;
 const yellow = (s) => `\x1b[33m${s}\x1b[0m`;
 const red    = (s) => `\x1b[31m${s}\x1b[0m`;
 
+// ──────────────────────────────────────────────────────────────────────────────
+// openUrl — cross-platform browser opener
+// ──────────────────────────────────────────────────────────────────────────────
+
+export async function openUrl(url) {
+  const { exec } = await import("node:child_process");
+  const { promisify } = await import("node:util");
+  const run = promisify(exec);
+  try {
+    if (process.platform === "darwin") await run(`open "${url}"`);
+    else if (process.platform === "linux") await run(`xdg-open "${url}"`);
+    else if (process.platform === "win32") await run(`start "${url}"`);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
 // ──────────────────────────────────────────────────────────────────────────────
 // Provider registry (display order for wizard)
 // ──────────────────────────────────────────────────────────────────────────────
@@ -115,7 +133,7 @@ const SECURITY_LEVELS = {
 // API key validation
 // ──────────────────────────────────────────────────────────────────────────────
 
-async function validateApiKey(provider, key) {
+export async function validateApiKey(provider, key) {
   if (provider === "ollama") return { ok: true, model: "llama3.2" };
   try {
     if (provider === "google") {
@@ -540,8 +558,35 @@ export class OnboardingWizard {
 
       // ── Standard API key flow ────────────────────────────────────────────
       console.log("");
+
+      // Ask user how they want to authenticate
+      let skipProvider = false;
       if (info?.signupUrl) {
-        console.log(dim(`  Get a key at: ${info.signupUrl}`));
+        try {
+          const authChoice = await select({
+            message: `How would you like to authenticate with ${info?.label ?? provKey}?`,
+            choices: [
+              { name: `Open ${info?.label ?? provKey} in browser → paste API key`, value: "browser" },
+              { name: "Paste API key directly (I already have one)", value: "paste" },
+              { name: "Skip this provider", value: "skip" },
+            ],
+          });
+          if (authChoice === "browser") {
+            console.log(`\n  Opening ${info.label} in your browser...`);
+            await openUrl(info.signupUrl);
+            console.log(dim(`  → ${info.signupUrl}`));
+            console.log(dim(`  Copy your API key and paste it below.\n`));
+          } else if (authChoice === "skip") {
+            skipProvider = true;
+          }
+        } catch {
+          // if select fails (non-interactive), fall through to direct paste
+        }
+      }
+
+      if (skipProvider) {
+        console.log(dim(`  Skipping ${provKey}.`));
+        continue;
       }
 
       let validated = false;

package/lib/commands/continuity.mjs

@@ -29,9 +29,11 @@ async function readJsonOr(filePath, fallback = null) {
 
 async function getActiveWorkstream() {
   const envWs = process.env.WISPY_WORKSTREAM;
-  if (envWs) return envWs;
+  if (envWs && !envWs.startsWith("-")) return envWs;
   const cfg = await readJsonOr(CONFIG_PATH, {});
-  return cfg.workstream ?? "default";
+  const ws = cfg.workstream ?? "default";
+  // Sanitize: never return a flag-like value (e.g. "--invalid-arg")
+  return (ws && !ws.startsWith("-")) ? ws : "default";
 }
 
 async function getProviderLabel(cfg) {

package/lib/wispy-repl.mjs

@@ -62,8 +62,10 @@ function box(lines, { padding = 1 } = {}) {
 // ---------------------------------------------------------------------------
 
 const SCRIPT_DIR = path.dirname(fileURLToPath(import.meta.url));
-const ACTIVE_WORKSTREAM = process.env.WISPY_WORKSTREAM ??
+const _rawWorkstream = process.env.WISPY_WORKSTREAM ??
   process.argv.find((a, i) => (process.argv[i-1] === "-w" || process.argv[i-1] === "--workstream")) ?? "default";
+// Validate: ignore flag-like values to avoid e.g. "--invalid-arg" becoming workstream
+const ACTIVE_WORKSTREAM = (_rawWorkstream && !_rawWorkstream.startsWith("-")) ? _rawWorkstream : "default";
 const HISTORY_FILE = path.join(CONVERSATIONS_DIR, `${ACTIVE_WORKSTREAM}.json`);
 
 async function readFileOr(filePath, fallback = null) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wispy-cli",
-  "version": "2.7.16",
+  "version": "2.7.18",
   "description": "🌿 Wispy — AI workspace assistant with trustworthy execution (harness, receipts, approvals, diffs)",
   "license": "MIT",
   "author": "Minseo & Poropo",
@@ -59,7 +59,8 @@
   "scripts": {
     "test": "node --test --test-force-exit --test-timeout=15000 tests/*.test.mjs",
     "test:basic": "node --test --test-force-exit test/basic.test.mjs",
-    "test:verbose": "node --test --test-force-exit --test-timeout=15000 --test-reporter=spec tests/*.test.mjs"
+    "test:verbose": "node --test --test-force-exit --test-timeout=15000 --test-reporter=spec tests/*.test.mjs",
+    "postpublish": "npm install -g wispy-cli@latest || true"
   },
   "dependencies": {
     "@inquirer/prompts": "^8.3.2",