From 4976b326ae5fd4dd27f6be31ed0ec589d02332db Mon Sep 17 00:00:00 2001
From: crowlbot <280062030+crowlbot@users.noreply.github.com>
Date: Wed, 13 May 2026 15:25:17 +0000
Subject: [PATCH] chore(auth): route browser-flow prompts + diagnostics to stderr
Move four log sites from stdout to stderr so that `--json` callers (and anyone piping the CLI's stdout) stop seeing human/diagnostic chatter mixed into machine-readable output:
- The OAuth browser-flow prompt ("Visit ... to authorize ..."): this is a prompt directed at the human at the terminal; it belongs on stderr, not on stdout where it would corrupt a piped JSON payload.
- "Authorization successful. Authenticated as ...": status message, not data; stderr.
- The 401 response body that `authedFetch` logs when re-authenticating: always a diagnostic; gated on `--debug` and emitted to stderr.
- The retry-link's `console.log(opts)` debug dump: stderr (was the only stdout debug write in auth.ts).
The keychain-unavailable warning was already moved to stderr in #91.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 auth.ts | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/auth.ts b/auth.ts
index 8a286e2..5b185e5 100644
--- a/auth.ts
+++ b/auth.ts
@@ -113,7 +113,7 @@ export function createTrpcClient(
  retryLink({
  retry(opts) {
  if (context.debug) {
- console.log(opts);
+ console.error(opts);
  }
  if (
@@ -243,7 +243,8 @@ export async function getAuth(
  message: "",
  color: "yellow",
  });
- console.log(`Visit ${authUrl} to authorize deploying your project.`);
+ // Prompt-style message — goes to stderr so it doesn't pollute `--json` callers' stdout.
+ console.error(`Visit ${authUrl} to authorize deploying your project.`);
  if (!quiet) {
  spinner.start();
  }
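Review bot: In the `createTrpcClient` hunk, `console.error(opts)` still dumps the entire retry options object whenever `context.debug` is set, and that object presumably carries the failed operation together with its input and context. For a deploy CLI that may include values the user would not want in captured stderr or CI logs, which is where debug runs usually end up. Logging selected fields keeps the output useful without the payload, for example `console.error("trpc retry", opts.op?.path, opts.attempts);` (field names assumed from tRPC's retry options, confirm against the version in use). The `retry` callback continues past the end of the hunk.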
@@ -310,7 +311,8 @@ export function tokenExchange(
  const { token, user } = await res.json();
  spinner.stop();
  if (!quiet) {
- console.log(
+ // Status message — stderr so JSON callers' stdout stays clean.
+ console.error(
  `${
  green("✔")
  } Authorization successful. Authenticated as ${user.name}\n`,
@@ -368,7 +370,8 @@ export async function authedFetch(
  });
  if (res.status === 401) {
- console.log(await res.text());
+ // Diagnostic body — stderr only, and only when debugging.
+ if (context.debug) console.error(await res.text());
  tokenStorage.remove();
  auth = await getAuth(context);
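Review bot: In the `authedFetch` hunk, the 401 branch no longer reads the response body when `context.debug` is off, so the body is left unconsumed before `tokenStorage.remove()` and the re-authentication; on fetch implementations that tie the connection to the body stream this can keep a resource open. Drain or cancel it in the non-debug case, e.g. `if (context.debug) { console.error(await res.text()); } else { await res.body?.cancel(); }`, which also gives the guard braces. With debug on, the raw 401 body is written unfiltered, so if the server ever echoes request or credential details they land in captured logs; truncating the body would limit that. The rest of `authedFetch` lies outside the hunk.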