From 7e5e224852ddf5b7ec51732cf5fd36caf12042b4 Mon Sep 17 00:00:00 2001
From: mikouaji <mikolaj@codeinit.pl>
Date: Tue, 10 Feb 2026 23:13:38 +0100
Subject: [PATCH 1/8] feat(connector): add ability to run commands in
 interactive mode and catch urls with possible auto opening

---
 cli/package.json      |   1 +
 cli/src/node-pty.d.ts |  23 ++++
 cli/src/npm-client.ts | 242 ++++++++++++++++++++++++++++++++++++++----
 cli/src/schemas.ts    |   7 +-
 cli/src/server.ts     |  92 +++++++++++++---
 cli/src/types.ts      |   4 +
 cli/tsdown.config.ts  |   1 +
 7 files changed, 331 insertions(+), 39 deletions(-)
 create mode 100644 cli/src/node-pty.d.ts

diff --git a/cli/package.json b/cli/package.json
index f95122382..224f9f3b8 100644
--- a/cli/package.json
+++ b/cli/package.json
@@ -33,6 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^1.0.0",
+    "@lydell/node-pty": "1.2.0-beta.3",
     "citty": "^0.2.0",
     "h3-next": "npm:h3@^2.0.1-rc.11",
     "obug": "^2.1.1",
diff --git a/cli/src/node-pty.d.ts b/cli/src/node-pty.d.ts
new file mode 100644
index 000000000..bf77febbb
--- /dev/null
+++ b/cli/src/node-pty.d.ts
@@ -0,0 +1,23 @@
+// @lydell/node-pty package.json does not export its types so for nodenext target we need to add them (very minimal version)
+declare module '@lydell/node-pty' {
+  interface IPty {
+    readonly pid: number
+    readonly onData: (listener: (data: string) => void) => { dispose(): void }
+    readonly onExit: (listener: (e: { exitCode: number; signal?: number }) => void) => {
+      dispose(): void
+    }
+    write(data: string): void
+    kill(signal?: string): void
+  }
+
+  export function spawn(
+    file: string,
+    args: string[],
+    options: {
+      name?: string
+      cols?: number
+      rows?: number
+      env?: Record<string, string | undefined>
+    },
+  ): IPty
+}
diff --git a/cli/src/npm-client.ts b/cli/src/npm-client.ts
index b709e77fa..d7354cbd4 100644
--- a/cli/src/npm-client.ts
+++ b/cli/src/npm-client.ts
@@ -68,6 +68,8 @@ export interface NpmExecResult {
   requiresOtp?: boolean
   /** True if the operation failed due to authentication failure (not logged in or token expired) */
   authFailure?: boolean
+  /** URLs detected in the command output (stdout + stderr) */
+  urls?: string[]
 }
 
 function detectOtpRequired(stderr: string): boolean {
@@ -116,10 +118,192 @@ function filterNpmWarnings(stderr: string): string {
     .trim()
 }
 
-async function execNpm(
+const URL_RE = /https?:\/\/[^\s<>"{}|\\^`[\]]+/g
+
+export function extractUrls(text: string): string[] {
+  const matches = text.match(URL_RE)
+  if (!matches) return []
+
+  const cleaned = matches.map(url => url.replace(/[.,;:!?)]+$/, ''))
+  return [...new Set(cleaned)]
+}
+
+// Patterns to detect npm's OTP prompt in pty output
+const OTP_PROMPT_RE = /Enter OTP:/i
+// Patterns to detect npm's web auth URL prompt in pty output
+const AUTH_URL_PROMPT_RE = /Press ENTER to open in the browser/i
+// npm prints "Authenticate your account at:\n<url>" — capture the URL on the next line
+const AUTH_URL_TITLE_RE = /Authenticate your account at:\s*(https?:\/\/\S+)/
+
+function stripAnsi(text: string): string {
+  // eslint disabled because we need escape characters in regex
+  // eslint-disable-next-line no-control-regex, regexp/no-obscure-range
+  return text.replace(/\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])/g, '')
+}
+
+const AUTH_URL_TIMEOUT_MS = 90_000
+
+export interface ExecNpmOptions {
+  otp?: string
+  silent?: boolean
+  /** When true, use PTY-based interactive execution instead of execFile. */
+  interactive?: boolean
+  /** When true, npm opens auth URLs in the user's browser.
+   *  When false, browser opening is suppressed via npm_config_browser=false.
+   *  Only relevant when `interactive` is true. */
+  openUrls?: boolean
+  /** Called when an auth URL is detected in the pty output, while npm is still running (polling doneUrl). Lets the caller expose the URL to the frontend via /state before the execute response comes back.
+   *  Only relevant when `interactive` is true. */
+  onAuthUrl?: (url: string) => void
+}
+
+/**
+ * PTY-based npm execution for interactive commands (uses node-pty).
+ *
+ * - Web OTP - either opend URL in browser if openUrls is true or passes the URL to frontend. If no auth happend within AUTH_URL_TIMEOUT_MS kills the process to unlock the connector.
+ *
+ * - Cli OTP - if we get a classic OTP prompt will either return OTP request to the frontend or will pass sent OTP if its provided
+ */
+async function execNpmInteractive(
   args: string[],
-  options: { otp?: string; silent?: boolean } = {},
+  options: ExecNpmOptions = {},
 ): Promise<NpmExecResult> {
+  const openUrls = options.openUrls !== false
+
+  // Lazy-load node-pty so the native addon is only required when interactive mode is actually used.
+  const pty = await import('@lydell/node-pty')
+
+  return new Promise(resolve => {
+    const npmArgs = options.otp ? [...args, '--otp', options.otp] : args
+
+    if (!options.silent) {
+      const displayCmd = options.otp
+        ? ['npm', ...args, '--otp', '******'].join(' ')
+        : ['npm', ...args].join(' ')
+      logCommand(`${displayCmd} (interactive/pty)`)
+    }
+
+    let output = ''
+    let resolved = false
+    let otpPromptSeen = false
+    let authUrlSeen = false
+    let authUrlTimeout: ReturnType<typeof setTimeout> | null = null
+
+    const env: Record<string, string> = {
+      ...(process.env as Record<string, string>),
+      FORCE_COLOR: '0',
+    }
+
+    // When openUrls is false, tell npm not to open the browser.
+    // npm still prints the auth URL and polls doneUrl
+    if (!openUrls) {
+      env.npm_config_browser = 'false'
+    }
+
+    const child = pty.spawn('npm', npmArgs, {
+      name: 'xterm-256color',
+      cols: 120,
+      rows: 30,
+      env,
+    })
+
+    // General timeout: 5 minutes (covers non-auth interactive commands)
+    const timeout = setTimeout(() => {
+      if (resolved) return
+      logDebug('Interactive command timed out', { output })
+      child.kill()
+    }, 300000)
+
+    child.onData((data: string) => {
+      output += data
+      const clean = stripAnsi(data)
+      logDebug('pty data:', { text: clean.trim() })
+
+      const cleanAll = stripAnsi(output)
+
+      // Detect auth URL in output and notify the caller.
+      if (!authUrlSeen) {
+        const urlMatch = cleanAll.match(AUTH_URL_TITLE_RE)
+
+        if (urlMatch && urlMatch[1]) {
+          authUrlSeen = true
+          const authUrl = urlMatch[1].replace(/[.,;:!?)]+$/, '')
+          logDebug('Auth URL detected:', { authUrl, openUrls })
+          options.onAuthUrl?.(authUrl)
+
+          authUrlTimeout = setTimeout(() => {
+            if (resolved) return
+            logDebug('Auth URL timeout (90s) — killing process')
+            logError('Authentication timed out after 90 seconds')
+            child.kill()
+          }, AUTH_URL_TIMEOUT_MS)
+        }
+      }
+
+      if (authUrlSeen && openUrls && AUTH_URL_PROMPT_RE.test(cleanAll)) {
+        logDebug('Web auth prompt detected, pressing ENTER')
+        child.write('\r')
+      }
+
+      if (!otpPromptSeen && OTP_PROMPT_RE.test(cleanAll)) {
+        otpPromptSeen = true
+        if (options.otp) {
+          logDebug('OTP prompt detected, writing OTP')
+          child.write(options.otp + '\r')
+        } else {
+          logDebug('OTP prompt detected but no OTP provided, killing process')
+          child.kill()
+        }
+      }
+    })
+
+    child.onExit(({ exitCode }) => {
+      if (resolved) return
+      resolved = true
+      clearTimeout(timeout)
+      if (authUrlTimeout) clearTimeout(authUrlTimeout)
+
+      const cleanOutput = stripAnsi(output)
+      logDebug('Interactive command exited:', { exitCode, output: cleanOutput })
+
+      const requiresOtp = (otpPromptSeen && !options.otp) || detectOtpRequired(cleanOutput)
+      const authFailure = detectAuthFailure(cleanOutput)
+      const urls = extractUrls(cleanOutput)
+
+      if (!options.silent) {
+        if (exitCode === 0) {
+          logSuccess('Done')
+        } else if (requiresOtp) {
+          logError('OTP required')
+        } else if (authFailure) {
+          logError('Authentication required - please run "npm login" and restart the connector')
+        } else {
+          const firstLine = filterNpmWarnings(cleanOutput).split('\n')[0] || 'Command failed'
+          logError(firstLine)
+        }
+      }
+
+      resolve({
+        stdout: cleanOutput.trim(),
+        stderr: requiresOtp
+          ? 'This operation requires a one-time password (OTP).'
+          : authFailure
+            ? 'Authentication failed. Please run "npm login" and restart the connector.'
+            : filterNpmWarnings(cleanOutput),
+        exitCode,
+        requiresOtp,
+        authFailure,
+        urls: urls.length > 0 ? urls : undefined,
+      })
+    })
+  })
+}
+
+async function execNpm(args: string[], options: ExecNpmOptions = {}): Promise<NpmExecResult> {
+  if (options.interactive) {
+    return execNpmInteractive(args, options)
+  }
+
   // Build the full args array including OTP if provided
   const npmArgs = options.otp ? [...args, '--otp', options.otp] : args
 
@@ -230,84 +414,98 @@ export async function orgAddUser(
   org: string,
   user: string,
   role: 'developer' | 'admin' | 'owner',
-  otp?: string,
+  options?: ExecNpmOptions,
 ): Promise<NpmExecResult> {
   validateOrgName(org)
   validateUsername(user)
-  return execNpm(['org', 'set', org, user, role], { otp })
+  return execNpm(['org', 'set', org, user, role], options)
 }
 
 export async function orgRemoveUser(
   org: string,
   user: string,
-  otp?: string,
+  options?: ExecNpmOptions,
 ): Promise<NpmExecResult> {
   validateOrgName(org)
   validateUsername(user)
-  return execNpm(['org', 'rm', org, user], { otp })
+  return execNpm(['org', 'rm', org, user], options)
 }
 
-export async function teamCreate(scopeTeam: string, otp?: string): Promise<NpmExecResult> {
+export async function teamCreate(
+  scopeTeam: string,
+  options?: ExecNpmOptions,
+): Promise<NpmExecResult> {
   validateScopeTeam(scopeTeam)
-  return execNpm(['team', 'create', scopeTeam], { otp })
+  return execNpm(['team', 'create', scopeTeam], options)
 }
 
-export async function teamDestroy(scopeTeam: string, otp?: string): Promise<NpmExecResult> {
+export async function teamDestroy(
+  scopeTeam: string,
+  options?: ExecNpmOptions,
+): Promise<NpmExecResult> {
   validateScopeTeam(scopeTeam)
-  return execNpm(['team', 'destroy', scopeTeam], { otp })
+  return execNpm(['team', 'destroy', scopeTeam], options)
 }
 
 export async function teamAddUser(
   scopeTeam: string,
   user: string,
-  otp?: string,
+  options?: ExecNpmOptions,
 ): Promise<NpmExecResult> {
   validateScopeTeam(scopeTeam)
   validateUsername(user)
-  return execNpm(['team', 'add', scopeTeam, user], { otp })
+  return execNpm(['team', 'add', scopeTeam, user], options)
 }
 
 export async function teamRemoveUser(
   scopeTeam: string,
   user: string,
-  otp?: string,
+  options?: ExecNpmOptions,
 ): Promise<NpmExecResult> {
   validateScopeTeam(scopeTeam)
   validateUsername(user)
-  return execNpm(['team', 'rm', scopeTeam, user], { otp })
+  return execNpm(['team', 'rm', scopeTeam, user], options)
 }
 
 export async function accessGrant(
   permission: 'read-only' | 'read-write',
   scopeTeam: string,
   pkg: string,
-  otp?: string,
+  options?: ExecNpmOptions,
 ): Promise<NpmExecResult> {
   validateScopeTeam(scopeTeam)
   validatePackageName(pkg)
-  return execNpm(['access', 'grant', permission, scopeTeam, pkg], { otp })
+  return execNpm(['access', 'grant', permission, scopeTeam, pkg], options)
 }
 
 export async function accessRevoke(
   scopeTeam: string,
   pkg: string,
-  otp?: string,
+  options?: ExecNpmOptions,
 ): Promise<NpmExecResult> {
   validateScopeTeam(scopeTeam)
   validatePackageName(pkg)
-  return execNpm(['access', 'revoke', scopeTeam, pkg], { otp })
+  return execNpm(['access', 'revoke', scopeTeam, pkg], options)
 }
 
-export async function ownerAdd(user: string, pkg: string, otp?: string): Promise<NpmExecResult> {
+export async function ownerAdd(
+  user: string,
+  pkg: string,
+  options?: ExecNpmOptions,
+): Promise<NpmExecResult> {
   validateUsername(user)
   validatePackageName(pkg)
-  return execNpm(['owner', 'add', user, pkg], { otp })
+  return execNpm(['owner', 'add', user, pkg], options)
 }
 
-export async function ownerRemove(user: string, pkg: string, otp?: string): Promise<NpmExecResult> {
+export async function ownerRemove(
+  user: string,
+  pkg: string,
+  options?: ExecNpmOptions,
+): Promise<NpmExecResult> {
   validateUsername(user)
   validatePackageName(pkg)
-  return execNpm(['owner', 'rm', user, pkg], { otp })
+  return execNpm(['owner', 'rm', user, pkg], options)
 }
 
 // List functions (for reading data) - silent since they're not user-triggered operations
diff --git a/cli/src/schemas.ts b/cli/src/schemas.ts
index 6d4fd3883..de2cb627b 100644
--- a/cli/src/schemas.ts
+++ b/cli/src/schemas.ts
@@ -151,10 +151,15 @@ export const ConnectBodySchema = v.object({
 })
 
 /**
- * Schema for /execute request body
+ * Schema for /execute request body.
+ * - `otp`: optional 6-digit OTP code for 2FA
+ * - `interactive`: when true, commands run via a real PTY (node-pty) instead of execFile, so npm's OTP handler can activate.
+ * - `openUrls`: when true (default), npm opens auth URLs in the user's browser automatically. When false, URLs are suppressed on the connector side and only returned in the response / exposed in /state
  */
 export const ExecuteBodySchema = v.object({
   otp: OtpSchema,
+  interactive: v.optional(v.boolean()),
+  openUrls: v.optional(v.boolean()),
 })
 
 /**
diff --git a/cli/src/server.ts b/cli/src/server.ts
index fc609e06f..40878f463 100644
--- a/cli/src/server.ts
+++ b/cli/src/server.ts
@@ -24,6 +24,8 @@ import {
   ownerRemove,
   packageInit,
   listUserPackages,
+  extractUrls,
+  type ExecNpmOptions,
   type NpmExecResult,
 } from './npm-client.ts'
 import {
@@ -308,8 +310,10 @@ export function createConnectorApp(expectedToken: string) {
       throw new HTTPError({ statusCode: 401, message: 'Unauthorized' })
     }
 
-    // OTP can be passed directly in the request body for this execution
+    // OTP, interactive flag, and openUrls can be passed in the request body
     let otp: string | undefined
+    let interactive = false
+    let openUrls = false
     try {
       const rawBody = await event.req.json()
       if (rawBody) {
@@ -318,6 +322,8 @@ export function createConnectorApp(expectedToken: string) {
           throw new HTTPError({ statusCode: 400, message: parsed.error })
         }
         otp = parsed.data.otp
+        interactive = parsed.data.interactive ?? false
+        openUrls = parsed.data.openUrls ?? false
       }
     } catch (err) {
       // Re-throw HTTPError, ignore JSON parse errors (empty body is fine)
@@ -330,6 +336,9 @@ export function createConnectorApp(expectedToken: string) {
     const completedIds = new Set<string>()
     const failedIds = new Set<string>()
 
+    // Collect all URLs across all operations in this execution batch
+    const allUrls: string[] = []
+
     // Execute operations in waves, respecting dependencies
     // Each wave contains operations whose dependencies are satisfied
     while (true) {
@@ -366,8 +375,9 @@ export function createConnectorApp(expectedToken: string) {
       // Execute ready operations in parallel
       const runningOps = readyOps.map(async op => {
         op.status = 'running'
-        const result = await executeOperation(op, otp)
+        const result = await executeOperation(op, { otp, interactive, openUrls })
         op.result = result
+        op.authUrl = undefined
         op.status = result.exitCode === 0 ? 'completed' : 'failed'
 
         if (result.exitCode === 0) {
@@ -381,6 +391,11 @@ export function createConnectorApp(expectedToken: string) {
           otpRequired = true
         }
 
+        // Collect URLs from this operation's output
+        if (result.urls && result.urls.length > 0) {
+          allUrls.push(...result.urls)
+        }
+
         results.push({ id: op.id, result })
       })
 
@@ -390,12 +405,15 @@ export function createConnectorApp(expectedToken: string) {
     // Check if any operation had an auth failure
     const authFailure = results.some(r => r.result.authFailure)
 
+    const urls = [...new Set(allUrls)]
+
     return {
       success: true,
       data: {
         results,
         otpRequired,
         authFailure,
+        urls: urls.length > 0 ? urls : undefined,
       },
     } as ApiResponse
   })
@@ -698,42 +716,76 @@ export function createConnectorApp(expectedToken: string) {
   return app
 }
 
-async function executeOperation(op: PendingOperation, otp?: string): Promise<NpmExecResult> {
+async function executeOperation(
+  op: PendingOperation,
+  options: { otp?: string; interactive?: boolean; openUrls?: boolean } = {},
+): Promise<NpmExecResult> {
   const { type, params } = op
 
+  // Build exec options that get passed through to execNpm, which
+  // internally routes to either execFile or PTY-based execution.
+  const execOptions: ExecNpmOptions = {
+    otp: options.otp,
+    interactive: options.interactive,
+    openUrls: options.openUrls,
+    onAuthUrl: options.interactive
+      ? url => {
+          // Set authUrl on the operation so /state exposes it to the
+          // frontend while npm is still polling for authentication.
+          op.authUrl = url
+        }
+      : undefined,
+  }
+
+  let result: NpmExecResult
+
   switch (type) {
     case 'org:add-user':
-      return orgAddUser(
+    case 'org:set-role':
+      result = await orgAddUser(
         params.org,
         params.user,
         params.role as 'developer' | 'admin' | 'owner',
-        otp,
+        execOptions,
       )
+      break
     case 'org:rm-user':
-      return orgRemoveUser(params.org, params.user, otp)
+      result = await orgRemoveUser(params.org, params.user, execOptions)
+      break
     case 'team:create':
-      return teamCreate(params.scopeTeam, otp)
+      result = await teamCreate(params.scopeTeam, execOptions)
+      break
     case 'team:destroy':
-      return teamDestroy(params.scopeTeam, otp)
+      result = await teamDestroy(params.scopeTeam, execOptions)
+      break
     case 'team:add-user':
-      return teamAddUser(params.scopeTeam, params.user, otp)
+      result = await teamAddUser(params.scopeTeam, params.user, execOptions)
+      break
     case 'team:rm-user':
-      return teamRemoveUser(params.scopeTeam, params.user, otp)
+      result = await teamRemoveUser(params.scopeTeam, params.user, execOptions)
+      break
     case 'access:grant':
-      return accessGrant(
+      result = await accessGrant(
         params.permission as 'read-only' | 'read-write',
         params.scopeTeam,
         params.pkg,
-        otp,
+        execOptions,
       )
+      break
     case 'access:revoke':
-      return accessRevoke(params.scopeTeam, params.pkg, otp)
+      result = await accessRevoke(params.scopeTeam, params.pkg, execOptions)
+      break
     case 'owner:add':
-      return ownerAdd(params.user, params.pkg, otp)
+      result = await ownerAdd(params.user, params.pkg, execOptions)
+      break
     case 'owner:rm':
-      return ownerRemove(params.user, params.pkg, otp)
+      result = await ownerRemove(params.user, params.pkg, execOptions)
+      break
     case 'package:init':
-      return packageInit(params.name, params.author, otp)
+      // package:init has its own special execution path (temp dir + publish)
+      // and does not support interactive mode
+      result = await packageInit(params.name, params.author, options.otp)
+      break
     default:
       return {
         stdout: '',
@@ -741,6 +793,14 @@ async function executeOperation(op: PendingOperation, otp?: string): Promise<Npm
         exitCode: 1,
       }
   }
+
+  // Extract URLs from output if not already populated
+  if (!result.urls) {
+    const urls = extractUrls((result.stdout || '') + '\n' + (result.stderr || ''))
+    if (urls.length > 0) result.urls = urls
+  }
+
+  return result
 }
 
 export { generateToken }
diff --git a/cli/src/types.ts b/cli/src/types.ts
index a83e9f3b7..ad0efbcab 100644
--- a/cli/src/types.ts
+++ b/cli/src/types.ts
@@ -41,6 +41,8 @@ export interface OperationResult {
   requiresOtp?: boolean
   /** True if the operation failed due to authentication failure (not logged in or token expired) */
   authFailure?: boolean
+  /** URLs detected in the command output (stdout + stderr) */
+  urls?: string[]
 }
 
 export interface PendingOperation {
@@ -54,6 +56,8 @@ export interface PendingOperation {
   result?: OperationResult
   /** ID of operation this depends on (must complete successfully first) */
   dependsOn?: string
+  /** Auth URL detected during interactive execution (set while operation is still running) */
+  authUrl?: string
 }
 
 export interface ConnectorState {
diff --git a/cli/tsdown.config.ts b/cli/tsdown.config.ts
index f9e4897ba..b0bc548f3 100644
--- a/cli/tsdown.config.ts
+++ b/cli/tsdown.config.ts
@@ -6,4 +6,5 @@ export default defineConfig({
   clean: true,
   dts: true,
   outDir: 'dist',
+  external: ['@lydell/node-pty'],
 })

From 1121c4a8e996a13a787cf76fed0f30793a0a3deb Mon Sep 17 00:00:00 2001
From: mikouaji <mikolaj@codeinit.pl>
Date: Tue, 10 Feb 2026 23:14:11 +0100
Subject: [PATCH 2/8] feat: add new connector settings for web auth

---
 app/composables/useConnector.ts |  8 +++++++-
 app/composables/useSettings.ts  | 11 +++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/app/composables/useConnector.ts b/app/composables/useConnector.ts
index 8efe83114..528f024e8 100644
--- a/app/composables/useConnector.ts
+++ b/app/composables/useConnector.ts
@@ -57,6 +57,8 @@ const STORAGE_KEY = 'npmx-connector'
 const DEFAULT_PORT = 31415
 
 export const useConnector = createSharedComposable(function useConnector() {
+  const { settings } = useSettings()
+
   // Persisted connection config
   const config = useState<{ token: string; port: number } | null>('connector-config', () => null)
 
@@ -303,7 +305,11 @@ export const useConnector = createSharedComposable(function useConnector() {
       ApiResponse<{ results: unknown[]; otpRequired?: boolean }>
     >('/execute', {
       method: 'POST',
-      body: otp ? { otp } : undefined,
+      body: {
+        otp,
+        interactive: settings.value.connector.webAuth,
+        openUrls: settings.value.connector.autoOpenURL,
+      },
     })
     if (response?.success) {
       await refreshState()
diff --git a/app/composables/useSettings.ts b/app/composables/useSettings.ts
index 31476415e..bfeafdde1 100644
--- a/app/composables/useSettings.ts
+++ b/app/composables/useSettings.ts
@@ -29,6 +29,13 @@ export interface AppSettings {
   selectedLocale: LocaleObject['code'] | null
   /** Search provider for package search */
   searchProvider: SearchProvider
+  /** Connector preferences */
+  connector: {
+    /** Use web-based authentication instead of CLI token */
+    webAuth: boolean
+    /** Automatically open the web auth page in the browser */
+    autoOpenURL: boolean
+  }
   sidebar: {
     collapsed: string[]
   }
@@ -42,6 +49,10 @@ const DEFAULT_SETTINGS: AppSettings = {
   selectedLocale: null,
   preferredBackgroundTheme: null,
   searchProvider: import.meta.test ? 'npm' : 'algolia',
+  connector: {
+    webAuth: false,
+    autoOpenURL: false,
+  },
   sidebar: {
     collapsed: [],
   },

From a0904611872df95fe007587aea795ff3325df82b Mon Sep 17 00:00:00 2001
From: mikouaji <mikolaj@codeinit.pl>
Date: Tue, 10 Feb 2026 23:24:15 +0100
Subject: [PATCH 3/8] feat: add web auth settings and redirect/retry buttons to
 ConnectionModal and operations component

---
 app/components/Header/ConnectorModal.vue | 102 ++++++++++++++++++++++-
 app/components/Org/OperationsQueue.vue   |  23 +++++
 2 files changed, 123 insertions(+), 2 deletions(-)

diff --git a/app/components/Header/ConnectorModal.vue b/app/components/Header/ConnectorModal.vue
index 0210462ac..c249e936f 100644
--- a/app/components/Header/ConnectorModal.vue
+++ b/app/components/Header/ConnectorModal.vue
@@ -1,6 +1,54 @@
 <script setup lang="ts">
-const { isConnected, isConnecting, npmUser, error, hasOperations, connect, disconnect } =
-  useConnector()
+const {
+  isConnected,
+  isConnecting,
+  npmUser,
+  error,
+  hasOperations,
+  operations,
+  connect,
+  disconnect,
+  refreshState,
+} = useConnector()
+
+const { settings } = useSettings()
+
+const authUrl = computed(() => {
+  const op = operations.value.find(o => o.status === 'running' && o.authUrl)
+  return op?.authUrl ?? null
+})
+
+const AUTH_POLL_INTERVAL = 20_000
+const AUTH_POLL_COUNT = 3
+let authPollTimer: ReturnType<typeof setInterval> | null = null
+
+function startAuthPolling() {
+  stopAuthPolling()
+  let remaining = AUTH_POLL_COUNT
+  authPollTimer = setInterval(async () => {
+    await refreshState()
+    remaining--
+    if (remaining <= 0) {
+      stopAuthPolling()
+    }
+  }, AUTH_POLL_INTERVAL)
+}
+
+function stopAuthPolling() {
+  if (authPollTimer) {
+    clearInterval(authPollTimer)
+    authPollTimer = null
+  }
+}
+
+onUnmounted(stopAuthPolling)
+
+function handleOpenAuthUrl() {
+  if (authUrl.value) {
+    window.open(authUrl.value, '_blank', 'noopener,noreferrer')
+    startAuthPolling()
+  }
+}
 
 const tokenInput = shallowRef('')
 const portInput = shallowRef('31415')
@@ -8,6 +56,15 @@ const { copied, copy } = useClipboard({ copiedDuring: 2000 })
 
 const hasAttemptedConnect = shallowRef(false)
 
+watch(
+  () => settings.value.connector.webAuth,
+  webAuth => {
+    if (!webAuth) {
+      settings.value.connector.autoOpenURL = false
+    }
+  },
+)
+
 watch(isConnected, connected => {
   if (!connected) {
     tokenInput.value = ''
@@ -61,6 +118,22 @@ function handleDisconnect() {
         </div>
       </div>
 
+      <!-- Connector preferences -->
+      <div class="flex flex-col gap-2">
+        <SettingsToggle
+          :label="$t('connector.modal.web_auth')"
+          v-model="settings.connector.webAuth"
+        />
+        <SettingsToggle
+          :label="$t('connector.modal.auto_open_url')"
+          v-model="settings.connector.autoOpenURL"
+          :class="!settings.connector.webAuth ? 'opacity-50 pointer-events-none' : ''"
+          :aria-disabled="!settings.connector.webAuth"
+        />
+      </div>
+
+      <div class="border-t border-border my-3" />
+
       <!-- Operations Queue -->
       <OrgOperationsQueue />
 
@@ -68,6 +141,17 @@ function handleDisconnect() {
         {{ $t('connector.modal.connected_hint') }}
       </div>
 
+      <!-- Web auth link -->
+      <button
+        v-if="authUrl"
+        type="button"
+        class="flex items-center justify-center gap-2 w-full px-4 py-2 font-mono text-sm text-accent bg-accent/10 border border-accent/30 rounded-md transition-colors duration-200 hover:bg-accent/20 focus-visible:outline-accent/70"
+        @click="handleOpenAuthUrl"
+      >
+        <span class="i-carbon:launch w-4 h-4" aria-hidden="true" />
+        {{ $t('operations.queue.open_web_auth') }}
+      </button>
+
       <button
         type="button"
         class="w-full px-4 py-2 font-mono text-sm text-fg-muted bg-bg-subtle border border-border rounded-md transition-colors duration-200 hover:text-fg hover:border-border-hover focus-visible:outline-accent/70"
@@ -194,6 +278,20 @@ function handleDisconnect() {
               class="w-full"
               size="medium"
             />
+
+            <div class="border-t border-border my-3" />
+            <div class="flex flex-col gap-2">
+              <SettingsToggle
+                :label="$t('connector.modal.web_auth')"
+                v-model="settings.connector.webAuth"
+              />
+              <SettingsToggle
+                :label="$t('connector.modal.auto_open_url')"
+                v-model="settings.connector.autoOpenURL"
+                :class="!settings.connector.webAuth ? 'opacity-50 pointer-events-none' : ''"
+                :aria-disabled="!settings.connector.webAuth"
+              />
+            </div>
           </div>
         </details>
       </div>
diff --git a/app/components/Org/OperationsQueue.vue b/app/components/Org/OperationsQueue.vue
index 92eff1722..f744d3b15 100644
--- a/app/components/Org/OperationsQueue.vue
+++ b/app/components/Org/OperationsQueue.vue
@@ -21,6 +21,8 @@ const {
   refreshState,
 } = useConnector()
 
+const { settings } = useSettings()
+
 const isExecuting = shallowRef(false)
 const otpInput = shallowRef('')
 
@@ -63,6 +65,18 @@ async function handleRetryWithOtp() {
   await handleExecute(otp)
 }
 
+/** Retry all OTP-failed operations using web auth (no OTP needed) */
+async function handleRetryWithWebAuth() {
+  const otpFailedOps = activeOperations.value.filter(
+    (op: PendingOperation) => op.status === 'failed' && op.result?.requiresOtp,
+  )
+  for (const op of otpFailedOps) {
+    await retryOperation(op.id)
+  }
+
+  await handleExecute()
+}
+
 async function handleClearAll() {
   await clearOperations()
   otpInput.value = ''
@@ -263,6 +277,15 @@ watch(isExecuting, executing => {
           {{ isExecuting ? $t('operations.queue.retrying') : $t('operations.queue.retry_otp') }}
         </button>
       </form>
+      <button
+        v-if="settings.connector.webAuth"
+        type="button"
+        :disabled="isExecuting"
+        class="w-full mt-2 px-3 py-2 font-mono text-xs text-fg bg-bg-subtle border border-border rounded transition-all duration-200 hover:text-fg hover:border-border-hover disabled:opacity-50 disabled:cursor-not-allowed focus-visible:outline-accent/70"
+        @click="handleRetryWithWebAuth"
+      >
+        {{ isExecuting ? $t('operations.queue.retrying') : $t('operations.queue.retry_web_auth') }}
+      </button>
     </div>
 
     <!-- Action buttons -->

From 4b5971bdbc21f3a6b8605f6d6ed5d98bd71e5b79 Mon Sep 17 00:00:00 2001
From: mikouaji <mikolaj@codeinit.pl>
Date: Tue, 10 Feb 2026 23:24:38 +0100
Subject: [PATCH 4/8] i18n: translations

---
 i18n/locales/en.json     |  6 +++++-
 i18n/locales/pl-PL.json  |  6 +++++-
 i18n/schema.json         | 12 ++++++++++++
 lunaria/files/en-GB.json |  6 +++++-
 lunaria/files/en-US.json |  6 +++++-
 lunaria/files/pl-PL.json |  6 +++++-
 6 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/i18n/locales/en.json b/i18n/locales/en.json
index b83fcc59b..bad3aa443 100644
--- a/i18n/locales/en.json
+++ b/i18n/locales/en.json
@@ -461,7 +461,9 @@
       "warning": "WARNING",
       "warning_text": "This allows npmx to access your npm CLI. Only connect to sites you trust.",
       "connect": "Connect",
-      "connecting": "Connecting..."
+      "connecting": "Connecting...",
+      "web_auth": "Use web authentication",
+      "auto_open_url": "Automatically open auth page"
     }
   },
   "operations": {
@@ -477,7 +479,9 @@
       "otp_placeholder": "Enter OTP code...",
       "otp_label": "One-time password",
       "retry_otp": "Retry with OTP",
+      "retry_web_auth": "Retry with web auth",
       "retrying": "Retrying...",
+      "open_web_auth": "Open web auth link",
       "approve_operation": "Approve operation",
       "remove_operation": "Remove operation",
       "approve_all": "Approve All",
diff --git a/i18n/locales/pl-PL.json b/i18n/locales/pl-PL.json
index f8ef96d81..21708799e 100644
--- a/i18n/locales/pl-PL.json
+++ b/i18n/locales/pl-PL.json
@@ -393,7 +393,9 @@
       "warning": "OSTRZEŻENIE",
       "warning_text": "To pozwala npmx uzyskać dostęp do twojego npm CLI. Łącz się tylko ze stronami, którym ufasz.",
       "connect": "Połącz",
-      "connecting": "Łączenie..."
+      "connecting": "Łączenie...",
+      "web_auth": "Używaj autoryzacji w przeglądarce",
+      "auto_open_url": "Automatycznie otwórz stronę z autoryzacją"
     }
   },
   "operations": {
@@ -409,7 +411,9 @@
       "otp_placeholder": "Wprowadź kod OTP...",
       "otp_label": "Hasło jednorazowe",
       "retry_otp": "Ponów z OTP",
+      "retry_web_auth": "Ponów z autoryzacją w przeglądarce",
       "retrying": "Ponawianie...",
+      "open_web_auth": "Otwórz stronę z autoryzacją",
       "approve_operation": "Zatwierdź operację",
       "remove_operation": "Usuń operację",
       "approve_all": "Zatwierdź wszystkie",
diff --git a/i18n/schema.json b/i18n/schema.json
index 47977f0b2..87af8c335 100644
--- a/i18n/schema.json
+++ b/i18n/schema.json
@@ -1389,6 +1389,12 @@
             },
             "connecting": {
               "type": "string"
+            },
+            "web_auth": {
+              "type": "string"
+            },
+            "auto_open_url": {
+              "type": "string"
             }
           },
           "additionalProperties": false
@@ -1435,9 +1441,15 @@
             "retry_otp": {
               "type": "string"
             },
+            "retry_web_auth": {
+              "type": "string"
+            },
             "retrying": {
               "type": "string"
             },
+            "open_web_auth": {
+              "type": "string"
+            },
             "approve_operation": {
               "type": "string"
             },
diff --git a/lunaria/files/en-GB.json b/lunaria/files/en-GB.json
index 56f795555..f989731ca 100644
--- a/lunaria/files/en-GB.json
+++ b/lunaria/files/en-GB.json
@@ -460,7 +460,9 @@
       "warning": "WARNING",
       "warning_text": "This allows npmx to access your npm CLI. Only connect to sites you trust.",
       "connect": "Connect",
-      "connecting": "Connecting..."
+      "connecting": "Connecting...",
+      "web_auth": "Use web authentication",
+      "auto_open_url": "Automatically open auth page"
     }
   },
   "operations": {
@@ -476,7 +478,9 @@
       "otp_placeholder": "Enter OTP code...",
       "otp_label": "One-time password",
       "retry_otp": "Retry with OTP",
+      "retry_web_auth": "Retry with web auth",
       "retrying": "Retrying...",
+      "open_web_auth": "Open web auth link",
       "approve_operation": "Approve operation",
       "remove_operation": "Remove operation",
       "approve_all": "Approve All",
diff --git a/lunaria/files/en-US.json b/lunaria/files/en-US.json
index d8666cdf5..da47a0e10 100644
--- a/lunaria/files/en-US.json
+++ b/lunaria/files/en-US.json
@@ -460,7 +460,9 @@
       "warning": "WARNING",
       "warning_text": "This allows npmx to access your npm CLI. Only connect to sites you trust.",
       "connect": "Connect",
-      "connecting": "Connecting..."
+      "connecting": "Connecting...",
+      "web_auth": "Use web authentication",
+      "auto_open_url": "Automatically open auth page"
     }
   },
   "operations": {
@@ -476,7 +478,9 @@
       "otp_placeholder": "Enter OTP code...",
       "otp_label": "One-time password",
       "retry_otp": "Retry with OTP",
+      "retry_web_auth": "Retry with web auth",
       "retrying": "Retrying...",
+      "open_web_auth": "Open web auth link",
       "approve_operation": "Approve operation",
       "remove_operation": "Remove operation",
       "approve_all": "Approve All",
diff --git a/lunaria/files/pl-PL.json b/lunaria/files/pl-PL.json
index 69027061b..3e3437d51 100644
--- a/lunaria/files/pl-PL.json
+++ b/lunaria/files/pl-PL.json
@@ -392,7 +392,9 @@
       "warning": "OSTRZEŻENIE",
       "warning_text": "To pozwala npmx uzyskać dostęp do twojego npm CLI. Łącz się tylko ze stronami, którym ufasz.",
       "connect": "Połącz",
-      "connecting": "Łączenie..."
+      "connecting": "Łączenie...",
+      "web_auth": "Używaj autoryzacji w przeglądarce",
+      "auto_open_url": "Automatycznie otwórz stronę z autoryzacją"
     }
   },
   "operations": {
@@ -408,7 +410,9 @@
       "otp_placeholder": "Wprowadź kod OTP...",
       "otp_label": "Hasło jednorazowe",
       "retry_otp": "Ponów z OTP",
+      "retry_web_auth": "Ponów z autoryzacją w przeglądarce",
       "retrying": "Ponawianie...",
+      "open_web_auth": "Otwórz stronę z autoryzacją",
       "approve_operation": "Zatwierdź operację",
       "remove_operation": "Usuń operację",
       "approve_all": "Zatwierdź wszystkie",

From f4633d997953a0c3973d798f541846da76f8f283 Mon Sep 17 00:00:00 2001
From: mikouaji <mikolaj@codeinit.pl>
Date: Tue, 10 Feb 2026 23:24:47 +0100
Subject: [PATCH 5/8] chore: pnpm-lock

---
 pnpm-lock.yaml | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 21602824a..3d76eb8a5 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -288,6 +288,9 @@ importers:
       '@clack/prompts':
         specifier: ^1.0.0
         version: 1.0.0
+      '@lydell/node-pty':
+        specifier: 1.2.0-beta.3
+        version: 1.2.0-beta.3
       citty:
         specifier: ^0.2.0
         version: 0.2.0
@@ -1880,6 +1883,39 @@ packages:
     version: 0.1.1
     engines: {node: '>=18.17.0'}
 
+  '@lydell/node-pty-darwin-arm64@1.2.0-beta.3':
+    resolution: {integrity: sha512-owcv+e1/OSu3bf9ZBdUQqJsQF888KyuSIiPYFNn0fLhgkhm9F3Pvha76Kj5mCPnodf7hh3suDe7upw7GPRXftQ==}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@lydell/node-pty-darwin-x64@1.2.0-beta.3':
+    resolution: {integrity: sha512-k38O+UviWrWdxtqZBBc/D8NJU11Rey8Y2YMwSWNxLv3eXZZdF5IVpbBkI/2RmLsV5nCcciqLPbukxeZnEfPlwA==}
+    cpu: [x64]
+    os: [darwin]
+
+  '@lydell/node-pty-linux-arm64@1.2.0-beta.3':
+    resolution: {integrity: sha512-HUwRpGu3O+4sv9DAQFKnyW5LYhyYu2SDUa/bdFO/t4dIFCM4uDJEq47wfRM7+aYtJTi1b3lakN8SlWeuFQqJQQ==}
+    cpu: [arm64]
+    os: [linux]
+
+  '@lydell/node-pty-linux-x64@1.2.0-beta.3':
+    resolution: {integrity: sha512-+RRY0PoCUeQaCvPR7/UnkGbxulwbFtoTWJfe+o4T1RcNtngrgaI55I9nl8CD8uqhGrB3smKuyvPM5UtwGhASUw==}
+    cpu: [x64]
+    os: [linux]
+
+  '@lydell/node-pty-win32-arm64@1.2.0-beta.3':
+    resolution: {integrity: sha512-UEDd9ASp2M3iIYpIzfmfBlpyn4+K1G4CAjYcHWStptCkefoSVXWTiUBIa1KjBjZi3/xmsHIDpBEYTkGWuvLt2Q==}
+    cpu: [arm64]
+    os: [win32]
+
+  '@lydell/node-pty-win32-x64@1.2.0-beta.3':
+    resolution: {integrity: sha512-TpdqSFYx7/Rj+68tuP6F/lkRYrHCYAIJgaS1bx3SctTkb5QAQCFwOKHd4xlsivmEOMT2LdhkJggPxwX9PAO5pQ==}
+    cpu: [x64]
+    os: [win32]
+
+  '@lydell/node-pty@1.2.0-beta.3':
+    resolution: {integrity: sha512-ngGAItlRhmJXrhspxt8kX13n1dVFqzETOq0m/+gqSkO8NJBvNMwP7FZckMwps2UFySdr4yxCXNGu/bumg5at6A==}
+
   '@mapbox/node-pre-gyp@2.0.3':
     resolution: {integrity: sha512-uwPAhccfFJlsfCxMYTwOdVfOz3xqyj8xYL3zJj8f0pb30tLohnnFPhLuqp4/qoEz8sNxe4SESZedcBojRefIzg==}
     engines: {node: '>=18'}
@@ -11429,6 +11465,33 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  '@lydell/node-pty-darwin-arm64@1.2.0-beta.3':
+    optional: true
+
+  '@lydell/node-pty-darwin-x64@1.2.0-beta.3':
+    optional: true
+
+  '@lydell/node-pty-linux-arm64@1.2.0-beta.3':
+    optional: true
+
+  '@lydell/node-pty-linux-x64@1.2.0-beta.3':
+    optional: true
+
+  '@lydell/node-pty-win32-arm64@1.2.0-beta.3':
+    optional: true
+
+  '@lydell/node-pty-win32-x64@1.2.0-beta.3':
+    optional: true
+
+  '@lydell/node-pty@1.2.0-beta.3':
+    optionalDependencies:
+      '@lydell/node-pty-darwin-arm64': 1.2.0-beta.3
+      '@lydell/node-pty-darwin-x64': 1.2.0-beta.3
+      '@lydell/node-pty-linux-arm64': 1.2.0-beta.3
+      '@lydell/node-pty-linux-x64': 1.2.0-beta.3
+      '@lydell/node-pty-win32-arm64': 1.2.0-beta.3
+      '@lydell/node-pty-win32-x64': 1.2.0-beta.3
+
   '@mapbox/node-pre-gyp@2.0.3':
     dependencies:
       consola: 3.4.2

From 28d2d0f35e8164c7ef2a5a5e4e6d63eeb3da1b94 Mon Sep 17 00:00:00 2001
From: mikouaji <mikolaj@codeinit.pl>
Date: Wed, 11 Feb 2026 00:33:21 +0100
Subject: [PATCH 6/8] fix: tests

---
 app/components/Header/ConnectorModal.vue | 11 +++++++----
 app/components/Org/OperationsQueue.vue   |  2 +-
 cli/src/node-pty.d.ts                    | 20 +++++++++++++-------
 cli/src/npm-client.ts                    |  1 +
 4 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/app/components/Header/ConnectorModal.vue b/app/components/Header/ConnectorModal.vue
index c249e936f..d38e046b9 100644
--- a/app/components/Header/ConnectorModal.vue
+++ b/app/components/Header/ConnectorModal.vue
@@ -26,7 +26,12 @@ function startAuthPolling() {
   stopAuthPolling()
   let remaining = AUTH_POLL_COUNT
   authPollTimer = setInterval(async () => {
-    await refreshState()
+    try {
+      await refreshState()
+    } catch {
+      stopAuthPolling()
+      return
+    }
     remaining--
     if (remaining <= 0) {
       stopAuthPolling()
@@ -128,7 +133,6 @@ function handleDisconnect() {
           :label="$t('connector.modal.auto_open_url')"
           v-model="settings.connector.autoOpenURL"
           :class="!settings.connector.webAuth ? 'opacity-50 pointer-events-none' : ''"
-          :aria-disabled="!settings.connector.webAuth"
         />
       </div>
 
@@ -145,7 +149,7 @@ function handleDisconnect() {
       <button
         v-if="authUrl"
         type="button"
-        class="flex items-center justify-center gap-2 w-full px-4 py-2 font-mono text-sm text-accent bg-accent/10 border border-accent/30 rounded-md transition-colors duration-200 hover:bg-accent/20 focus-visible:outline-accent/70"
+        class="flex items-center justify-center gap-2 w-full px-4 py-2 font-mono text-sm text-accent bg-accent/10 border border-accent/30 rounded-md transition-colors duration-200 hover:bg-accent/20"
         @click="handleOpenAuthUrl"
       >
         <span class="i-carbon:launch w-4 h-4" aria-hidden="true" />
@@ -289,7 +293,6 @@ function handleDisconnect() {
                 :label="$t('connector.modal.auto_open_url')"
                 v-model="settings.connector.autoOpenURL"
                 :class="!settings.connector.webAuth ? 'opacity-50 pointer-events-none' : ''"
-                :aria-disabled="!settings.connector.webAuth"
               />
             </div>
           </div>
diff --git a/app/components/Org/OperationsQueue.vue b/app/components/Org/OperationsQueue.vue
index f744d3b15..4517f94f9 100644
--- a/app/components/Org/OperationsQueue.vue
+++ b/app/components/Org/OperationsQueue.vue
@@ -281,7 +281,7 @@ watch(isExecuting, executing => {
         v-if="settings.connector.webAuth"
         type="button"
         :disabled="isExecuting"
-        class="w-full mt-2 px-3 py-2 font-mono text-xs text-fg bg-bg-subtle border border-border rounded transition-all duration-200 hover:text-fg hover:border-border-hover disabled:opacity-50 disabled:cursor-not-allowed focus-visible:outline-accent/70"
+        class="w-full mt-2 px-3 py-2 font-mono text-xs text-fg bg-bg-subtle border border-border rounded transition-all duration-200 hover:text-fg hover:border-border-hover disabled:opacity-50 disabled:cursor-not-allowed"
         @click="handleRetryWithWebAuth"
       >
         {{ isExecuting ? $t('operations.queue.retrying') : $t('operations.queue.retry_web_auth') }}
diff --git a/cli/src/node-pty.d.ts b/cli/src/node-pty.d.ts
index bf77febbb..3bfe4aa35 100644
--- a/cli/src/node-pty.d.ts
+++ b/cli/src/node-pty.d.ts
@@ -1,18 +1,24 @@
-// @lydell/node-pty package.json does not export its types so for nodenext target we need to add them (very minimal version)
+// @lydell/node-pty package.json does not export its types so for nodenext target we need to add them
 declare module '@lydell/node-pty' {
+  interface IDisposable {
+    dispose(): void
+  }
+
+  interface IEvent<T> {
+    (listener: (e: T) => any): IDisposable
+  }
+
   interface IPty {
     readonly pid: number
-    readonly onData: (listener: (data: string) => void) => { dispose(): void }
-    readonly onExit: (listener: (e: { exitCode: number; signal?: number }) => void) => {
-      dispose(): void
-    }
-    write(data: string): void
+    readonly onData: IEvent<string>
+    readonly onExit: IEvent<{ exitCode: number; signal?: number }>
+    write(data: string | Buffer): void
     kill(signal?: string): void
   }
 
   export function spawn(
     file: string,
-    args: string[],
+    args: string[] | string,
     options: {
       name?: string
       cols?: number
diff --git a/cli/src/npm-client.ts b/cli/src/npm-client.ts
index d7354cbd4..9dacc9629 100644
--- a/cli/src/npm-client.ts
+++ b/cli/src/npm-client.ts
@@ -1,3 +1,4 @@
+import './node-pty.d.ts'
 import crypto from 'node:crypto'
 import process from 'node:process'
 import { execFile } from 'node:child_process'

From 48311c2f5e1548748531885860ec6474c7516a17 Mon Sep 17 00:00:00 2001
From: mikouaji <mikolaj@codeinit.pl>
Date: Wed, 11 Feb 2026 00:50:00 +0100
Subject: [PATCH 7/8] fix: coderabbit comments

---
 cli/src/node-pty.d.ts | 54 +++++++++++++++++++++++++++++++------------
 cli/src/npm-client.ts |  1 -
 cli/src/types.ts      |  2 ++
 3 files changed, 41 insertions(+), 16 deletions(-)

diff --git a/cli/src/node-pty.d.ts b/cli/src/node-pty.d.ts
index 3bfe4aa35..9fb264416 100644
--- a/cli/src/node-pty.d.ts
+++ b/cli/src/node-pty.d.ts
@@ -1,29 +1,53 @@
 // @lydell/node-pty package.json does not export its types so for nodenext target we need to add them
 declare module '@lydell/node-pty' {
-  interface IDisposable {
-    dispose(): void
+  export function spawn(
+    file: string,
+    args: string[] | string,
+    options: IPtyForkOptions | IWindowsPtyForkOptions,
+  ): IPty
+  export interface IBasePtyForkOptions {
+    name?: string
+    cols?: number
+    rows?: number
+    cwd?: string
+    env?: { [key: string]: string | undefined }
+    encoding?: string | null
+    handleFlowControl?: boolean
+    flowControlPause?: string
+    flowControlResume?: string
   }
 
-  interface IEvent<T> {
-    (listener: (e: T) => any): IDisposable
+  export interface IPtyForkOptions extends IBasePtyForkOptions {
+    uid?: number
+    gid?: number
+  }
+
+  export interface IWindowsPtyForkOptions extends IBasePtyForkOptions {
+    useConpty?: boolean
+    useConptyDll?: boolean
+    conptyInheritCursor?: boolean
   }
 
-  interface IPty {
+  export interface IPty {
     readonly pid: number
+    readonly cols: number
+    readonly rows: number
+    readonly process: string
+    handleFlowControl: boolean
     readonly onData: IEvent<string>
     readonly onExit: IEvent<{ exitCode: number; signal?: number }>
+    resize(columns: number, rows: number): void
+    clear(): void
     write(data: string | Buffer): void
     kill(signal?: string): void
+    pause(): void
+    resume(): void
   }
 
-  export function spawn(
-    file: string,
-    args: string[] | string,
-    options: {
-      name?: string
-      cols?: number
-      rows?: number
-      env?: Record<string, string | undefined>
-    },
-  ): IPty
+  export interface IDisposable {
+    dispose(): void
+  }
+  export interface IEvent<T> {
+    (listener: (e: T) => any): IDisposable
+  }
 }
diff --git a/cli/src/npm-client.ts b/cli/src/npm-client.ts
index 9dacc9629..d7354cbd4 100644
--- a/cli/src/npm-client.ts
+++ b/cli/src/npm-client.ts
@@ -1,4 +1,3 @@
-import './node-pty.d.ts'
 import crypto from 'node:crypto'
 import process from 'node:process'
 import { execFile } from 'node:child_process'
diff --git a/cli/src/types.ts b/cli/src/types.ts
index ad0efbcab..435aa50f6 100644
--- a/cli/src/types.ts
+++ b/cli/src/types.ts
@@ -1,3 +1,5 @@
+import './node-pty.d.ts'
+
 export interface ConnectorConfig {
   port: number
   host: string

From aa9374f7421d3542f2ded785ff7e7be6a5735636 Mon Sep 17 00:00:00 2001
From: Daniel Roe <daniel@roe.dev>
Date: Wed, 11 Feb 2026 15:13:31 +0000
Subject: [PATCH 8/8] fix: update mock-connector for new types

---
 cli/src/mock-app.ts                           | 11 +++++---
 cli/src/mock-state.ts                         | 12 ++++++++-
 cli/src/types.ts                              |  6 ++++-
 .../components/HeaderConnectorModal.spec.ts   | 25 +++++++++++++++++++
 4 files changed, 49 insertions(+), 5 deletions(-)

diff --git a/cli/src/mock-app.ts b/cli/src/mock-app.ts
index e3bdc9052..24ebe6b88 100644
--- a/cli/src/mock-app.ts
+++ b/cli/src/mock-app.ts
@@ -230,13 +230,18 @@ function createMockConnectorApp(stateManager: MockConnectorStateManager) {
     requireAuth(event)
 
     const body = await event.req.json().catch(() => ({}))
-    const otp = (body as { otp?: string })?.otp
+    const { otp } = body as { otp?: string; interactive?: boolean; openUrls?: boolean }
 
-    const { results, otpRequired } = stateManager.executeOperations({ otp })
+    const { results, otpRequired, authFailure, urls } = stateManager.executeOperations({ otp })
 
     return {
       success: true,
-      data: { results, otpRequired },
+      data: {
+        results,
+        otpRequired,
+        authFailure,
+        urls,
+      },
     } satisfies ApiResponse<ConnectorEndpoints['POST /execute']['data']>
   })
 
diff --git a/cli/src/mock-state.ts b/cli/src/mock-state.ts
index b2182fab5..284036945 100644
--- a/cli/src/mock-state.ts
+++ b/cli/src/mock-state.ts
@@ -58,6 +58,8 @@ export interface ExecuteOptions {
 export interface ExecuteResult {
   results: Array<{ id: string; result: OperationResult }>
   otpRequired?: boolean
+  authFailure?: boolean
+  urls?: string[]
 }
 
 export function createMockConnectorState(config: MockConnectorConfig): MockConnectorStateData {
@@ -305,7 +307,15 @@ export class MockConnectorStateManager {
       }
     }
 
-    return { results }
+    const authFailure = results.some(r => r.result.authFailure)
+    const allUrls = results.flatMap(r => r.result.urls ?? [])
+    const urls = [...new Set(allUrls)]
+
+    return {
+      results,
+      authFailure: authFailure || undefined,
+      urls: urls.length > 0 ? urls : undefined,
+    }
   }
 
   /** Apply side effects of a completed operation. Param keys match schemas.ts. */
diff --git a/cli/src/types.ts b/cli/src/types.ts
index b0ed10e1d..fcd0db2a4 100644
--- a/cli/src/types.ts
+++ b/cli/src/types.ts
@@ -98,6 +98,7 @@ export interface ExecuteResponseData {
   results: Array<{ id: string; result: OperationResult }>
   otpRequired?: boolean
   authFailure?: boolean
+  urls?: string[]
 }
 
 /** POST /approve-all response data */
@@ -133,7 +134,10 @@ export interface ConnectorEndpoints {
   'POST /approve': { body: never; data: PendingOperation }
   'POST /approve-all': { body: never; data: ApproveAllResponseData }
   'POST /retry': { body: never; data: PendingOperation }
-  'POST /execute': { body: { otp?: string }; data: ExecuteResponseData }
+  'POST /execute': {
+    body: { otp?: string; interactive?: boolean; openUrls?: boolean }
+    data: ExecuteResponseData
+  }
   'GET /org/:org/users': { body: never; data: Record<string, OrgRole> }
   'GET /org/:org/teams': { body: never; data: string[] }
   'GET /team/:scopeTeam/users': { body: never; data: string[] }
diff --git a/test/nuxt/components/HeaderConnectorModal.spec.ts b/test/nuxt/components/HeaderConnectorModal.spec.ts
index 1ee999af5..dfd6ed877 100644
--- a/test/nuxt/components/HeaderConnectorModal.spec.ts
+++ b/test/nuxt/components/HeaderConnectorModal.spec.ts
@@ -99,6 +99,10 @@ function resetMockState() {
     error: null,
     lastExecutionTime: null,
   }
+  mockSettings.value.connector = {
+    webAuth: false,
+    autoOpenURL: false,
+  }
 }
 
 function simulateConnect() {
@@ -112,6 +116,27 @@ vi.mock('~/composables/useConnector', () => ({
   useConnector: createMockUseConnector,
 }))
 
+const mockSettings = ref({
+  relativeDates: false,
+  includeTypesInInstall: true,
+  accentColorId: null,
+  hidePlatformPackages: true,
+  selectedLocale: null,
+  preferredBackgroundTheme: null,
+  searchProvider: 'npm',
+  connector: {
+    webAuth: false,
+    autoOpenURL: false,
+  },
+  sidebar: {
+    collapsed: [],
+  },
+})
+
+vi.mock('~/composables/useSettings', () => ({
+  useSettings: () => ({ settings: mockSettings }),
+}))
+
 vi.mock('~/composables/useSelectedPackageManager', () => ({
   useSelectedPackageManager: () => ref('npm'),
 }))