feat(cli): device authorization flow for browser sign-in v1.0.6

- "Sign in with browser" option opens githat.io/device
- CLI polls /auth/device/token until user authorizes
- Automatic publishable key retrieval after auth
- Skip for now remains default option

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: doble196

package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-githat-app",
-  "version": "1.0.5",
+  "version": "1.0.6",
   "description": "GitHat CLI — scaffold apps and manage the skills marketplace",
   "type": "module",
   "bin": {

src/constants.ts

@@ -1,4 +1,4 @@
-export const VERSION = '1.0.5';
+export const VERSION = '1.0.6';
 export const DEFAULT_API_URL = 'https://api.githat.io';
 export const DOCS_URL = 'https://githat.io/docs/sdk';
 export const DASHBOARD_URL = 'https://githat.io/dashboard/apps';

src/prompts/githat.ts

@@ -16,6 +16,24 @@ export interface GitHatAnswers {
   authFeatures: AuthFeature[];
 }
 
+interface DeviceCodeResponse {
+  device_code: string;
+  user_code: string;
+  verification_uri: string;
+  verification_uri_complete: string;
+  expires_in: number;
+  interval: number;
+}
+
+interface DeviceTokenResponse {
+  error?: 'authorization_pending' | 'expired_token';
+  publishable_key?: string;
+  app_id?: string;
+  app_name?: string;
+  org_id?: string;
+  org_name?: string;
+}
+
 function openBrowser(url: string): void {
   try {
     const cmd = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';
@@ -25,6 +43,87 @@ function openBrowser(url: string): void {
   }
 }
 
+function sleep(ms: number): Promise<void> {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+async function deviceAuthFlow(): Promise<string | null> {
+  const spinner = p.spinner();
+
+  try {
+    // Step 1: Get device code
+    spinner.start('Requesting device code...');
+    const codeRes = await fetch(`${DEFAULT_API_URL}/auth/device/code`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ client_name: 'create-githat-app' }),
+    });
+
+    if (!codeRes.ok) {
+      spinner.stop('Failed to get device code');
+      return null;
+    }
+
+    const codeData: DeviceCodeResponse = await codeRes.json();
+    spinner.stop('Device code generated');
+
+    // Step 2: Show code and open browser
+    p.note(
+      `Code: ${codeData.user_code}\n\nOpening browser to complete sign-in...\nIf it doesn't open, visit: ${codeData.verification_uri_complete}`,
+      'Authorize Device'
+    );
+
+    openBrowser(codeData.verification_uri_complete);
+
+    // Step 3: Poll for authorization
+    spinner.start('Waiting for browser authorization...');
+
+    const expiresAt = Date.now() + codeData.expires_in * 1000;
+    const pollInterval = (codeData.interval || 5) * 1000;
+
+    while (Date.now() < expiresAt) {
+      await sleep(pollInterval);
+
+      const tokenRes = await fetch(`${DEFAULT_API_URL}/auth/device/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ device_code: codeData.device_code }),
+      });
+
+      const tokenData: DeviceTokenResponse = await tokenRes.json();
+
+      if (tokenData.error === 'authorization_pending') {
+        // Keep polling
+        continue;
+      }
+
+      if (tokenData.error === 'expired_token') {
+        spinner.stop('Device code expired');
+        p.log.error('Authorization timed out. Please try again.');
+        return null;
+      }
+
+      if (tokenData.publishable_key) {
+        spinner.stop('Authorized!');
+        p.log.success(`Connected to ${tokenData.app_name || 'your app'} (${tokenData.org_name || 'your org'})`);
+        return tokenData.publishable_key;
+      }
+
+      // Unknown error
+      spinner.stop('Authorization failed');
+      return null;
+    }
+
+    spinner.stop('Timed out');
+    p.log.error('Authorization timed out. Please try again.');
+    return null;
+  } catch (err) {
+    spinner.stop('Connection error');
+    p.log.error('Failed to connect to GitHat API. Check your internet connection.');
+    return null;
+  }
+}
+
 export async function promptGitHat(existingKey?: string): Promise<GitHatAnswers> {
   let publishableKey = existingKey || '';
 
@@ -34,6 +133,7 @@ export async function promptGitHat(existingKey?: string): Promise<GitHatAnswers>
       message: 'Connect to GitHat',
       options: [
         { value: 'skip', label: 'Skip for now', hint: 'auth works on localhost — add key later' },
+        { value: 'browser', label: 'Sign in with browser', hint: 'opens githat.io to authorize' },
         { value: 'paste', label: 'I have a key', hint: 'paste your pk_live_... key' },
       ],
     });
@@ -43,7 +143,13 @@ export async function promptGitHat(existingKey?: string): Promise<GitHatAnswers>
       process.exit(0);
     }
 
-    if (connectChoice === 'paste') {
+    if (connectChoice === 'browser') {
+      const key = await deviceAuthFlow();
+      if (key) {
+        publishableKey = key;
+      }
+      // If browser auth failed, continue without key (same as skip)
+    } else if (connectChoice === 'paste') {
       const pastedKey = await p.text({
         message: 'Publishable key',
         placeholder: `pk_live_... (get one at ${DASHBOARD_URL})`,