feat(account): headless + agent-compatible ade login#822
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
📝 WalkthroughWalkthroughThe account-directory Worker now provides a D1-backed device authorization bridge. ADE CLI authentication supports loopback, device, and durable environment-token flows, with new account actions, token creation, cleanup scheduling, authorization controls, tests, and documentation. ChangesDevice authorization bridge
ADE account authentication
Account action exposure
Estimated code review effort: 5 (Critical) | ~120 minutes Possibly related PRs
Suggested labels: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@copilot review but do not make fixes |
|
@codex review |
2e674bc to
e48e98f
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e48e98f219
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 19924cfdeb
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5bc9b24c19
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4ff0b394db
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
4ff0b39 to
016fe0d
Compare
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 016fe0d383
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Actionable comments posted: 9
🧹 Nitpick comments (1)
apps/ade-cli/src/multiProjectRpcServer.test.ts (1)
225-233: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winCover
pollLoginin the CTO-only action matrix.The matrix includes device polling but omits the equivalent loopback polling action. Add
pollLoginso both credential-bearing polling paths remain protected against authorization regressions.Proposed fix
"createToken", "startLogin", + "pollLogin", "startDeviceLogin",🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@apps/ade-cli/src/multiProjectRpcServer.test.ts` around lines 225 - 233, Update the CTO-only action matrix loop in multiProjectRpcServer.test.ts to include "pollLogin" alongside "pollDeviceLogin", ensuring the loopback polling action receives the same authorization coverage as the other credential-bearing actions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@apps/account-directory/src/deviceAuthorization.ts`:
- Around line 226-253: Update checkDeviceRateLimit to replace the separate
select and subsequent insert/update operations with one conditional UPSERT that
resets expired windows, increments active-window attempts only below
maxAttempts, and leaves exhausted rows unchanged. Determine whether admission
succeeded from the UPSERT result’s meta.changes value, returning true only when
a row was inserted or updated.
In `@apps/account-directory/test/directory.test.ts`:
- Around line 129-133: Update the fake D1 query handling in the test database
class so machine deletion returns the number of rows actually removed, including
0 when no row matches both user_id and machine_key. In the generic expiration
branch, only mutate rows whose status is pending or approved, matching
production WHERE semantics; preserve unchanged rows and report the actual change
count.
In `@apps/ade-cli/src/cli.ts`:
- Around line 3455-3459: Update the account polling branch in the action
dispatch logic to accept the positional form only when argsList contains exactly
one string session ID. Ensure inputs with additional positional arguments fall
through to CliUsageError instead of silently discarding trailing values, while
preserving the empty-argument and valid single-session-ID behaviors.
- Around line 17753-17754: Update the authentication selection logic so
args.explicitHeadless is checked before env.ADE_ACCOUNT_TOKEN, ensuring ade
login --headless always selects the device flow even when a token is present or
expired. Preserve the existing env-token behavior for non-headless requests, and
add a regression test covering a token combined with explicit headless mode.
- Around line 17863-17867: Update the timedOut helper in the account sign-in
flow to inspect the result of runAccountAction("status") before returning
failure. If the status indicates the user is signed in, return the formatted
output with exitCode 0 and preserve the active session; otherwise retain the
timeout message, exitCode 1, and existing cancellation behavior.
In `@apps/ade-cli/src/services/account/accountAuthService.ts`:
- Around line 868-872: Update both bridge fetch calls in the account
authentication flow, including the device-code request near fetchImpl and the
polling request, to use a bounded AbortSignal timeout. Catch timeout failures
and convert them into actionable errors; when polling times out, preserve the
existing session so callers can retry. Verify the behavior through both headless
login and the desktop socket-backed ADE RPC path.
- Around line 942-970: Update the non-OK response handling in the device-session
polling flow to retain pendingDeviceSessions for retryable bridge failures,
including HTTP 429 and 5xx responses. Move deletion out of the unconditional
path and perform it only for terminal OAuth outcomes such as
expired/expired_token and invalid_grant, while preserving the existing pending
and slow_down behavior.
- Around line 563-572: Update resetEnvSessionIfCredentialChanged and the
environment refresh flow so credential rotation invalidates prior refresh
results without allowing their promise or finally handler to modify current
state. Capture a credential generation and refresh-promise identity when
starting each refresh, and commit envSession/envRefreshToken or clear
envRefreshInFlight only when both still match. Add a test covering
ADE_ACCOUNT_TOKEN changing during an in-flight refresh and verify stale
credentials are never returned.
In `@apps/desktop/src/main/services/adeActions/registry.ts`:
- Around line 139-148: Add the account status action to ADE_ACTION_CTO_ONLY so
the existing full status response cannot be called by non-CTO callers; update
the CTO-only allowlist alongside the account action definitions, preserving the
current status implementation and authorization flow.
---
Nitpick comments:
In `@apps/ade-cli/src/multiProjectRpcServer.test.ts`:
- Around line 225-233: Update the CTO-only action matrix loop in
multiProjectRpcServer.test.ts to include "pollLogin" alongside
"pollDeviceLogin", ensuring the loopback polling action receives the same
authorization coverage as the other credential-bearing actions.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 2572f2ad-8b0b-4cf6-a03a-b9f5b35d0f96
⛔ Files ignored due to path filters (2)
docs/ARCHITECTURE.mdis excluded by!docs/**docs/features/agents/README.mdis excluded by!docs/**
📒 Files selected for processing (17)
apps/account-directory/README.mdapps/account-directory/migrations/0002_device_authorization.sqlapps/account-directory/src/deviceAuthorization.tsapps/account-directory/src/directory.tsapps/account-directory/src/index.tsapps/account-directory/test/directory.test.tsapps/account-directory/wrangler.jsoncapps/ade-cli/README.mdapps/ade-cli/src/cli.test.tsapps/ade-cli/src/cli.tsapps/ade-cli/src/multiProjectRpcServer.test.tsapps/ade-cli/src/multiProjectRpcServer.tsapps/ade-cli/src/services/account/accountAuthService.test.tsapps/ade-cli/src/services/account/accountAuthService.tsapps/ade-cli/src/services/account/sharedAccountAuthService.tsapps/desktop/src/main/services/adeActions/registry.test.tsapps/desktop/src/main/services/adeActions/registry.ts
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 85f5408c4e
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@apps/ade-cli/src/cli.test.ts`:
- Around line 3001-3016: Update the test around runCli and the mocked
stderrWrite spy to inspect all data written to stderr and assert it does not
contain either credential secret. Keep the existing result and request
assertions unchanged, and ensure the assertion covers the captured stderr output
rather than only result serialization.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 61f278de-af99-4879-84c4-26338686b30e
📒 Files selected for processing (12)
apps/account-directory/src/deviceAuthorization.tsapps/account-directory/test/directory.test.tsapps/ade-cli/src/adeRpcServer.test.tsapps/ade-cli/src/adeRpcServer.tsapps/ade-cli/src/cli.test.tsapps/ade-cli/src/cli.tsapps/ade-cli/src/multiProjectRpcServer.test.tsapps/ade-cli/src/multiProjectRpcServer.tsapps/ade-cli/src/services/account/accountAuthService.test.tsapps/ade-cli/src/services/account/accountAuthService.tsapps/desktop/src/main/services/adeActions/registry.test.tsapps/desktop/src/main/services/adeActions/registry.ts
🚧 Files skipped from review as they are similar to previous changes (7)
- apps/desktop/src/main/services/adeActions/registry.ts
- apps/account-directory/test/directory.test.ts
- apps/ade-cli/src/multiProjectRpcServer.test.ts
- apps/desktop/src/main/services/adeActions/registry.test.ts
- apps/ade-cli/src/cli.ts
- apps/account-directory/src/deviceAuthorization.ts
- apps/ade-cli/src/services/account/accountAuthService.ts
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7b6ea0c685
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9f2baa16af
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3465f7eba1
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2f0984cd06
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
apps/ade-cli/src/services/account/accountAuthService.ts (1)
1120-1125: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick winDo not discard a bridge-approved token after the local TTL elapses.
The bridge has already accepted and consumed the code when this successful response arrives. If the request crosses the local expiry boundary, this check loses the one-time token even though the server authorized it. Cancellation and sign-out remain covered by the epoch and map checks.
Proposed fix
if ( authEpoch !== epochAtPoll - || pendingDeviceSessions.get(normalizedSessionId) !== session - || session.expiresAtMs <= now() + || pendingDeviceSessions.get(normalizedSessionId) !== session ) {🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@apps/ade-cli/src/services/account/accountAuthService.ts` around lines 1120 - 1125, Update the success-response guard around pendingDeviceSessions so session.expiresAtMs <= now() no longer causes an already bridge-approved token to be discarded. Keep the authEpoch and pendingDeviceSessions map identity checks unchanged to preserve cancellation and sign-out handling, and remove only the local TTL condition from this post-authorization path.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@apps/ade-cli/src/cli.test.ts`:
- Around line 3131-3137: Add a separate headless login test around the existing
runCli call that omits --socket and uses a socketless environment, ensuring no
machine-brain socket exists. Assert that device login starts successfully, while
retaining the current socket-backed coverage to verify both headless mode and
desktop ADE RPC behavior.
- Around line 2902-2919: Update the token creation test around the tokenResult
assertion to verify that the --text output contains the durable credential, not
only a successful exit code. Assert the returned stdout or rendered text
includes the token value while preserving the existing account.call request
assertion.
In `@apps/ade-cli/src/services/account/accountAuthService.ts`:
- Around line 1003-1006: Update the device-token polling flow around the visible
authEpoch/requestDeviceBridge logic to maintain an in-flight polling promise
keyed by device session, returning the existing promise for concurrent polls and
clearing it when the poll settles. Ensure only one request can redeem a
session’s one-time code, preserve session identity validation, and add a
Promise.all regression test where a successful response races a terminal
response.
---
Outside diff comments:
In `@apps/ade-cli/src/services/account/accountAuthService.ts`:
- Around line 1120-1125: Update the success-response guard around
pendingDeviceSessions so session.expiresAtMs <= now() no longer causes an
already bridge-approved token to be discarded. Keep the authEpoch and
pendingDeviceSessions map identity checks unchanged to preserve cancellation and
sign-out handling, and remove only the local TTL condition from this
post-authorization path.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 14408bd8-25ac-4863-ba51-21aaea97b2df
📒 Files selected for processing (12)
apps/account-directory/src/deviceAuthorization.tsapps/account-directory/test/directory.test.tsapps/ade-cli/src/adeRpcServer.test.tsapps/ade-cli/src/adeRpcServer.tsapps/ade-cli/src/cli.test.tsapps/ade-cli/src/cli.tsapps/ade-cli/src/multiProjectRpcServer.test.tsapps/ade-cli/src/multiProjectRpcServer.tsapps/ade-cli/src/services/account/accountAuthService.test.tsapps/ade-cli/src/services/account/accountAuthService.tsapps/desktop/src/main/services/adeActions/registry.test.tsapps/desktop/src/main/services/adeActions/registry.ts
🚧 Files skipped from review as they are similar to previous changes (5)
- apps/ade-cli/src/adeRpcServer.test.ts
- apps/desktop/src/main/services/adeActions/registry.ts
- apps/account-directory/test/directory.test.ts
- apps/account-directory/src/deviceAuthorization.ts
- apps/ade-cli/src/cli.ts
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: de67f1cad8
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d179fe2b6a
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f9a9e00021
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 95409b81f4
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
|
Codex Review: Didn't find any major issues. Swish! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Headless / agent-compatible
ade loginThe merged
ade login(#815) is browser +127.0.0.1loopback — it needs a local browser, so it breaks on a headless VPC and can't be driven by an agent. This adds two headless paths + auto-detection, all additive (loopback + local-first unchanged).{ device_code, user_code, verification_uri }; a rate-limited hosted approval page runs the Clerk PKCE sign-in (redirect → Worker); the daemon polls with a secret-bound, one-time, atomically-burned redemption.ade login --headless(or auto-detected: noDISPLAY/ SSH / browser-open fails) prints the URL + user code and polls — thegh auth loginpattern ("copy-paste link in any browser").ADE_ACCOUNT_TOKEN(access or refresh token) is used directly with no flow / no disk writes and is never logged (asserted by test);ade account token createmints the durable credential once (CTO-only).ADE_ACCOUNT_TOKENshort-circuits both.ade auth statusreports the auth source.startDeviceLogin/pollDeviceLogin/createTokenare CTO-role-only (a subagent can't drive login or extract the token); state/secret hashed; redemption secret-bound + one-time + atomic; approval page rate-limited; zero analytics on the credential path (deliberate).ade codecontract touched.Tests: 17/17 account-directory (device bridge + PKCE + redemption + rate-limit) + 1,814 ADE CLI + 66/66 registry + docs validation, all green.
Deploy (pending): apply the new D1 migration, set
CLERK_ISSUER+CLERK_OAUTH_CLIENT_ID, registerhttps://<worker>/device/callbackwith Clerk,wrangler deploy, and setADE_ACCOUNT_DIRECTORY_URLfor ADE brains.🤖 Generated with Claude Code
Summary by CodeRabbit
/device/*endpoints, including approval redirect handling and token polling.ade login --headlesswith automatic fallback, plusade account token create --textfor durable tokens.account.*actions for device login and token creation, with sign-in source reporting (loopback,device,env-token).slow_down), and per-client rate limits.account.status.Greptile Summary
This PR adds headless and agent-compatible account login for ADE. The main changes are:
ade login --headless, automatic device-flow fallback, andADE_ACCOUNT_TOKENshort-circuiting.ade account token create.Confidence Score: 5/5
This PR appears safe to merge with low risk.
The Worker, CLI service, RPC gates, and role-scoping changes were reviewed, and no blocking correctness or security issues were identified.
No files require special attention.
What T-Rex did
Important Files Changed
ade login --headless, auto device-flow fallback, env-token short-circuiting, and account token creation command wiring.Sequence Diagram
%%{init: {'theme': 'neutral'}}%% sequenceDiagram participant CLI as ade login --headless participant Worker as account-directory Worker participant Browser as User browser participant Clerk as Clerk OAuth participant D1 as D1 device_authorizations CLI->>Worker: "POST /device/code {device_secret}" Worker->>D1: Store device_code, user_code, secret hash, TTL Worker-->>CLI: user_code + verification_uri Browser->>Worker: "POST /device {user_code}" Worker->>D1: Claim pending code, store PKCE verifier + state hash Worker-->>Browser: Redirect to Clerk /oauth/authorize Browser->>Clerk: Sign in with PKCE/state Clerk-->>Worker: "GET /device/callback?code&state" Worker->>D1: Atomic state claim Worker->>Clerk: Exchange authorization code Clerk-->>Worker: Token pair Worker->>D1: Mark approved, store tokens temporarily loop until approved or expired CLI->>Worker: "POST /device/token {device_code, device_secret}" Worker->>D1: Verify secret hash and status Worker-->>CLI: pending / slow_down / token response end Worker->>D1: Atomic consume, clear stored tokens CLI->>CLI: Persist account session%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%% sequenceDiagram participant CLI as ade login --headless participant Worker as account-directory Worker participant Browser as User browser participant Clerk as Clerk OAuth participant D1 as D1 device_authorizations CLI->>Worker: "POST /device/code {device_secret}" Worker->>D1: Store device_code, user_code, secret hash, TTL Worker-->>CLI: user_code + verification_uri Browser->>Worker: "POST /device {user_code}" Worker->>D1: Claim pending code, store PKCE verifier + state hash Worker-->>Browser: Redirect to Clerk /oauth/authorize Browser->>Clerk: Sign in with PKCE/state Clerk-->>Worker: "GET /device/callback?code&state" Worker->>D1: Atomic state claim Worker->>Clerk: Exchange authorization code Clerk-->>Worker: Token pair Worker->>D1: Mark approved, store tokens temporarily loop until approved or expired CLI->>Worker: "POST /device/token {device_code, device_secret}" Worker->>D1: Verify secret hash and status Worker-->>CLI: pending / slow_down / token response end Worker->>D1: Atomic consume, clear stored tokens CLI->>CLI: Persist account sessionComments Outside Diff (1)
apps/ade-cli/src/cli.ts, line 17788-17790 (link)ade login --headlessstill forcescreateConnectionto attach to an existing machine brain withheadless: falseandmachineRuntimeOnly: true, so on the headless VPC case this PR targets it throws before reachingdetectAccountLoginModeorstartDeviceLogin. The device flow only starts after this connection succeeds, making the new headless path unusable unless a brain is already running.Artifacts
Repro: headless login no-brain harness
Repro: failing headless login command output
Prompt To Fix With AI
Reviews (16): Last reviewed commit: "ship: iteration 13 — claim device callba..." | Re-trigger Greptile