Replace the loopback/PKCE-callback server and manual-paste fallback with the RFC 8628 device-code flow as the only xAI Grok OAuth login path. The flow works in headless/SSH/container sessions with no 127.0.0.1 listener, shrinking the local attack surface. - Poll the token endpoint with server-provided interval, honoring slow_down and expires_in; store tokens with auth_mode oauth_device_code. - Adaptive proactive refresh skew for short-lived device-code JWTs; rotated tokens sync back to auth.json, the global root store, and the credential pool (no refresh-token replay). - Clear source suppression on successful re-login (CLI + dashboard) and drop the duplicate dashboard pool entry so exactly one seeded device_code entry exists. - Use the shared device_code source name for consistency with the nous/codex device-code providers. - Desktop: remove the loopback OAuth flow states and dead type variants; pkce providers' sign-in URL selection is unchanged. - Docs (EN + zh-Hans) rewritten for device-code login; drop the deleted --manual-paste flag from documented commands. |
||
|---|---|---|
| .. | ||
| __init__.py | ||
| _shared.py | ||
| acp.py | ||
| auth.py | ||
| backup.py | ||
| claw.py | ||
| config.py | ||
| cron.py | ||
| dashboard.py | ||
| debug.py | ||
| doctor.py | ||
| dump.py | ||
| gateway.py | ||
| gui.py | ||
| hooks.py | ||
| import_cmd.py | ||
| insights.py | ||
| login.py | ||
| logout.py | ||
| logs.py | ||
| mcp.py | ||
| memory.py | ||
| model.py | ||
| pairing.py | ||
| plugins.py | ||
| postinstall.py | ||
| profile.py | ||
| prompt_size.py | ||
| security.py | ||
| setup.py | ||
| skills.py | ||
| slack.py | ||
| status.py | ||
| tools.py | ||
| uninstall.py | ||
| update.py | ||
| version.py | ||
| webhook.py | ||
| whatsapp.py | ||