chore: add context7.json

context7.json

@@ -0,0 +1,4 @@
+{
+	"url": "https://context7.com/eyaltoledano/claude-task-master",
+	"public_key": "pk_52Na55p8REi9c5jSFszav"
+}

packages/tm-core/src/modules/auth/services/oauth-service.ts

@@ -168,7 +168,7 @@ export class OAuthService {
 			onAuthUrl(verification_url);
 		}
 
-		// Step 2: Open browser with verification URL
+		// Step 3: Open browser with verification URL
 		if (openBrowser && verification_url) {
 			try {
 				await openBrowser(verification_url);
@@ -186,7 +186,7 @@ export class OAuthService {
 			onWaitingForAuth();
 		}
 
-		// Step 3: Poll for completion
+		// Step 4: Poll for completion
 		const credentials = await this.pollForCompletion(
 			flow_id,
 			poll_interval * 1000,
@@ -194,9 +194,17 @@ export class OAuthService {
 		);
 
 		// Set the session in Supabase client
+		// Note: Only set session if we have a valid refresh token
+		// Supabase requires a valid refresh_token to manage token lifecycle
+		if (!credentials.refreshToken) {
+			this.logger.warn(
+				'No refresh token received from server - session refresh will not work'
+			);
+		}
+
 		const session: Session = {
 			access_token: credentials.token,
-			refresh_token: credentials.refreshToken || '',
+			refresh_token: credentials.refreshToken ?? '',
 			expires_in: credentials.expiresAt
 				? Math.floor(
 						(new Date(credentials.expiresAt).getTime() - Date.now()) / 1000

packages/tm-core/src/modules/auth/types.ts

@@ -112,7 +112,8 @@ export type AuthErrorCode =
 	| 'FLOW_NOT_FOUND'
 	// E2E encryption errors
 	| 'INTERNAL_ERROR'
-	| 'MISSING_TOKENS';
+	| 'MISSING_TOKENS'
+	| 'DECRYPTION_FAILED';
 
 /**
  * Authentication error class

packages/tm-core/src/modules/auth/utils/cli-crypto.ts

@@ -8,6 +8,7 @@
  */
 
 import crypto from 'crypto';
+import { AuthenticationError } from '../types.js';
 
 /**
  * Encrypted token payload from server
@@ -69,30 +70,38 @@ export function decryptTokens(
 	payload: EncryptedTokenPayload,
 	privateKeyPem: string
 ): DecryptedTokens {
-	// Decode base64 values
-	const encryptedKey = Buffer.from(payload.encrypted_key, 'base64');
-	const encryptedData = Buffer.from(payload.encrypted_data, 'base64');
-	const iv = Buffer.from(payload.iv, 'base64');
-	const authTag = Buffer.from(payload.auth_tag, 'base64');
+	try {
+		// Decode base64 values
+		const encryptedKey = Buffer.from(payload.encrypted_key, 'base64');
+		const encryptedData = Buffer.from(payload.encrypted_data, 'base64');
+		const iv = Buffer.from(payload.iv, 'base64');
+		const authTag = Buffer.from(payload.auth_tag, 'base64');
 
-	// Decrypt AES key using RSA private key
-	const aesKey = crypto.privateDecrypt(
-		{
-			key: privateKeyPem,
-			padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
-			oaepHash: 'sha256'
-		},
-		encryptedKey
-	);
+		// Decrypt AES key using RSA private key
+		const aesKey = crypto.privateDecrypt(
+			{
+				key: privateKeyPem,
+				padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
+				oaepHash: 'sha256'
+			},
+			encryptedKey
+		);
 
-	// Decrypt tokens using AES-256-GCM
-	const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, iv);
-	decipher.setAuthTag(authTag);
+		// Decrypt tokens using AES-256-GCM
+		const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, iv);
+		decipher.setAuthTag(authTag);
 
-	const decrypted = Buffer.concat([
-		decipher.update(encryptedData),
-		decipher.final()
-	]);
+		const decrypted = Buffer.concat([
+			decipher.update(encryptedData),
+			decipher.final()
+		]);
 
-	return JSON.parse(decrypted.toString('utf8')) as DecryptedTokens;
+		return JSON.parse(decrypted.toString('utf8')) as DecryptedTokens;
+	} catch (error) {
+		throw new AuthenticationError(
+			`Token decryption failed: ${error instanceof Error ? error.message : 'Unknown error'}`,
+			'DECRYPTION_FAILED',
+			error
+		);
+	}
 }