# Device-Flow Setup `covibe-local setup` can provision per-agent MCP tokens without the manual create-token-then-export ritual. When no token is available it runs an RFC-8628-style device flow: the CLI requests a grant, the developer approves it once in the Co-Vibe console, and the server mints one typed token per requested agent (`claude-code`, `codex`, `cursor`). Typed tokens let the server attribute sessions and usage to the exact agent instead of trusting the self-reported `agent_type` at session start. ## Flow 1. `covibe-local setup` finds no `--token`, no usable `COVIBE_MCP_TOKEN`, and at least one requested agent without a stored credential token for the base URL, so it POSTs `{machine_name, agents[]}` (the missing agents only) to `/api/setup/device`. 2. The server creates a `setup_device_grants` row and returns a short-lived user code (8 characters, shown as `XXXX-XXXX`), a one-time device code, a `verification_uri`, `expires_in` (600 seconds), and a poll `interval`. 3. The CLI prints `Open and confirm code XXXX-XXXX`, best-effort opens the browser (`open` on macOS, `xdg-open` on Linux, `start` on Windows — never a hard failure), and polls `/api/setup/device/poll` with the device code at the server interval, backing off on 429 via the `retry-after` header. 4. The developer signs in to the console at `/setup/authorize?code=XXXX-XXXX`, reviews the machine name and requested agents, and approves or denies. The approval binds the developer, tenant, and workspace from the signed-in session. A signed-out visit round-trips through sign-in with a sanitized `returnTo`, so the code survives the hosted (WorkOS) sign-in redirect. 5. The next poll mints one typed token per requested agent, marks the grant consumed, and returns the tokens exactly once as `{"tokens": {"claude-code": "cv_...", ...}}`. A replayed poll gets `{"status": "consumed"}` and no tokens. 6. The CLI writes the tokens into the credentials file (merging with existing agent tokens) and continues with the normal config writes. When stored credentials already cover every requested agent, setup is fully zero-touch; `--dry-run` always skips the flow. `--agents claude-code,codex` overrides agent auto-detection (Claude Code is always included by default; Codex and Cursor are added when their home directories are detected). The list scopes both token minting and the Codex and Cursor config writes: an agent left out of `--agents` gets no config even when its home directory is detected, and a requested agent whose home directory is missing still gets its token but its config write is skipped with an INFO line (Codex and Cursor cannot run without their home directories). The repo-local Claude Code config is always written. ## Endpoints - `POST /api/setup/device` (unauthenticated, rate-limited): create a grant. - `POST /api/setup/device/poll` (unauthenticated, rate-limited): poll by device code; terminal states are `approved` (tokens, once), `denied`, `expired`, and `consumed`. - `GET/POST /api/setup/device/grant` (cookie-authenticated): look up a grant by user code for the approval page and approve or deny it. ## Credentials File Tokens land in `~/.covibe/credentials.json` (override with `COVIBE_CREDENTIALS_PATH`; tests always set it to a temp path). The file is written with mode 0600 and its directory with 0700: ```json { "version": 1, "servers": { "http://localhost:3000": { "tokens": { "claude-code": "cv_...", "codex": "cv_..." } } } } ``` The file is per-user and keyed by lowercase origin, so running setup in a second repo against the same server is zero-touch. Long-lived processes (the machine-level watch service) resolve the token from this file at runtime on every tick — including after an auth failure — so token rotation never requires a service reinstall and the service unit embeds no token. ## COVIBE_AGENT Markers And Token Resolution Setup writes a non-secret `COVIBE_AGENT` marker into each agent config: `claude-code` in `.mcp.json`, `codex` in the `~/.codex/config.toml` env, and `cursor` in `.cursor/mcp.json`. Configs stay secret-free — the raw-token validators still fail on any literal `cv_` value. Everywhere a token is needed (the stdio MCP bridge, the Claude Code and Cursor hooks, companion snapshot/telemetry/watch), resolution order is: 1. an explicit `--token` flag (companion CLI only) 2. the `COVIBE_MCP_TOKEN` environment variable (legacy shared-token setups keep working unchanged) 3. the credentials file, looked up by `COVIBE_BASE_URL` plus `COVIBE_AGENT` Empty strings and unexpanded `${...}` placeholders — what agent runtimes pass when the shell variable is unset — count as absent, so the credentials fallback actually fires. Hook commands carry no env of their own: when `COVIBE_BASE_URL` is unset, the Claude Code and Cursor hooks read the Co-Vibe server env block in the project's `.mcp.json` / `.cursor/mcp.json` to discover the origin before defaulting to `http://localhost:3000`, so hosted (and non-:3000 local) setups resolve credentials and post telemetry against the right server. ## Doctor `covibe-local doctor` adds a `credentials` check. The expected agent list is derived from what setup actually wired — `claude-code` when `.mcp.json` carries the `COVIBE_AGENT` marker, `codex` when `~/.codex/config.toml` has the Co-Vibe block, `cursor` when `.cursor/mcp.json` has the Co-Vibe server — falling back to auto-detection only before any config exists, so a deliberate `setup --agents claude-code` never fails on a detected-but-unwired agent. The check passes when the file exists with 0600 permissions and a token per expected agent, fails on loose permissions or a missing agent token (downgraded to info while the legacy env token still covers every agent), and is info when no credentials exist yet. The `token` check warns on legacy shared `COVIBE_MCP_TOKEN` setups and suggests rerunning setup. A config written before this feature lacks the `COVIBE_AGENT` marker; the `MCP config` check downgrades that single defect to a warn — such setups still work via the legacy env token — and rerunning `covibe-local setup` migrates them in place. Any other config defect (stale base URL, raw token, wrong cwd) stays a hard fail. ## Updates The machine service keeps itself current. Each watch tick the companion reports its installed version on the session heartbeat; when the server advertises a newer hosted tarball (see `mcp-contract.md`), a `--service` run silently self-updates between ticks. Auto-update is intentionally narrow: - **Only the service updates.** Service mode is detected by the `--service` flag alone — foreground `watch`, pipes, CI, and test subprocesses never self-update. Setup adds `--service` to the units it installs. - **Only npm-managed installs update.** The package must be `co-vibe` directly under a `node_modules/` directory with a matching `package.json` and no `.git`. Git checkouts get a `git pull` hint instead; npx caches are refused. - **Disable it** with the environment variable `COVIBE_AUTO_UPDATE=off`, or the marker file `~/.covibe/auto-update-off`. `covibe-local setup --no-auto-update` writes that marker at setup time; `covibe-local update --off` / `--on` toggle it afterward. `covibe-local update` is the manual path: a one-off session-less heartbeat fetches the version handshake, then the updater runs immediately (it ignores the once-per-hour throttle and the service-mode gate, but still enforces the sha256 and npm-root gates). On a git checkout it prints the `git pull` hint and exits cleanly. The update mechanism downloads the tarball from the server's `/downloads`, verifies its sha256 against the handshake, and `npm install`s the `.tgz` into the install prefix with `--no-save --no-package-lock --ignore-scripts` (local installs) or `npm install -g` (global installs) so the host project's `package.json` and lockfile stay byte-identical and host lifecycle scripts never run. Because the sha256 gate already proved the bytes are exactly what the server intended, a non-zero `npm install` exit is treated as environmental (EACCES/ENOSPC, a held npm lock, an engine mismatch) — the attempt is recorded for WARN spacing but the version is **not** blacklisted, so a healed machine retries it automatically. The still-running old code then boot-checks the new install (`covibe-local --version`); on failure it auto-reverts to the previous tarball, records the failed version so it is not retried, and keeps running the old code. Genuine version faults (a version mismatch or a failed boot-check) are the only failures that blacklist a release. On success it logs `INFO update: updated ` and exits 0 so launchd/systemd respawn the new code on the next supervised restart. **Rollout:** machines whose service was installed before this release re-run `covibe-local setup` once to gain `--service`. The write-only unit-drift self-repair also rewrites a stale unit file at the next login or boot, so old units pick up `--service` with no manual step at the next restart. ## Automatic Repo Registration There is no per-repo registration command. Agent activity — the Claude Code and Cursor hooks, the stdio MCP bridge, and the companion's own sync commands — registers the enclosing git repo root in `~/.covibe/repos.json` (override with `COVIBE_REGISTRY_PATH`). Entries are keyed per server base URL, so a repo used against two Co-Vibe servers gets one entry per server, and the machine watcher only syncs repos registered for its own server. Registration is local metadata only; nothing syncs at registration time, and the home directory itself is never registered. Setup resolves the new-repos policy up-front: on a TTY it asks once — `Sync git activity from new repos on this machine to ? [Y/n]` — and the `--log-new-repos` / `--no-log-new-repos` flags skip the prompt for automation (non-TTY and `--dry-run` leave the stored policy untouched). Under the opt-in policy, first activity registers a repo as *pending*: the agent gets the one-line hint "new repo registered but not logged — run `covibe-local include` inside it to opt in" (once per repo), the repo shows a `pending` pill in Settings → Connected repos, and no data leaves the machine until it is included. ## Excluding Personal Repos Every repo a developer works in is logged to Co-Vibe unless excluded — setup prints exactly this disclosure after wiring configs, and doctor repeats it as the `exclusions` check. To keep a personal repo private: ```bash npm exec -- covibe-local exclude # exclude the current repo npm exec -- covibe-local exclude /path/to/repo npm exec -- covibe-local exclude --list # show excluded repos and the policy npm exec -- covibe-local exclude --remove # log the current repo again ``` To flip the machine to opt-in instead — new repos are NOT logged until you opt them in — use the `--new-repos` policy: ```bash npm exec -- covibe-local exclude --new-repos # stop logging new repos npm exec -- covibe-local include # opt the current repo in npm exec -- covibe-local exclude --new-repos --remove # log new repos again ``` Exclusions are machine-level, stored canonicalized in `~/.covibe/exclusions.json` (override with `COVIBE_EXCLUSIONS_PATH`), and cover the repo plus its subdirectories. Exclusion is sticky: `covibe-local exclude` also deletes the repo's registry entries (every server), and no session activity can re-register an explicitly excluded repo — only `covibe-local include` inside it lifts the exclusion, re-registers it for the CLI's server, and lets the machine watcher resume on its next tick. For an excluded repo, the Claude Code and Cursor hooks exit before any tool call or state write, the stdio MCP bridge returns a terminal error without contacting the API, `covibe-local snapshot`, `covibe-local telemetry`, and the trailing setup snapshot send nothing, and the machine-level `covibe-local watch` filters the repo out of its per-tick sync set (snapshots, telemetry inbox flushes, heartbeats) instead of exiting; only the single-repo debug form, `watch --repo ` pointed at an excluded repo, warns and exits. The Codex and Cursor usage sweeps are scoped to the repo of the watch process's working directory (the machine service runs from `$HOME`, so its sweeps carry no repo attribution), so an excluded repo's threads never sync from another repo's watcher either. The server never sees the repo. The repo an agent works in is resolved deterministically from the OS/runtime, never from agent self-report: repo-local configs make the bridge's `process.cwd()` correct for Claude Code and Cursor, and the global Codex config forwards the shell-set `PWD` via `env_vars` so the bridge checks the repo Codex was actually launched in (see `codex-integration.md`). ## Security Notes - The server stores only the SHA-256 hash of the device code; the raw code is returned once at grant creation and never logged. - Raw `cv_` tokens are delivered exactly once by the poll endpoint, never appear in work-event payloads or CLI logs, and are never written into agent configs. - Grants expire after 600 seconds; approved-but-unconsumed grants expire one TTL after approval, and pending grants cannot be approved past expiry. - Both unauthenticated endpoints and the user-code lookup are rate limited. ## Verification ```bash npx vitest run tests/unit/credentials-file.test.ts tests/unit/device-flow.test.ts \ tests/unit/setup-device-command.test.ts tests/unit/doctor-credentials.test.ts ```