
Gated access, without credentials

The CLI is the single gatekeeper. It mints a short-lived, RBAC-scoped token so that any local package, script, or agent can retrieve gated platform data while your credentials never leave the CLI.

Broker a token into your shell

eval "$(cotrackpro token --scopes org:packages:read --export)"
node my-script.js          # any SDK-based script, now authenticated

--export emits COTRACKPRO_PLUGIN_TOKEN, COTRACKPRO_API, and COTRACKPRO_ORG for eval. Tokens are short-lived (default 300s) and scoped — the server enforces RBAC.
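
An added example, not from the CoTrackPro docs: a POSIX shell wrapper that confines the brokered variables to a subshell for a single command, so later commands in the interactive shell do not inherit the token, and that stops if the broker call fails. `with_broker_token` is a hypothetical name, and the wrapper assumes `cotrackpro token` exits non-zero when it cannot mint a token.

```shell
# Added example (not CoTrackPro's code). with_broker_token is a hypothetical helper.
# Usage: with_broker_token org:packages:read node my-script.js
with_broker_token() {
  (
    # Everything here runs in a subshell, so exported variables are
    # discarded when it exits and never reach the calling shell.
    scopes=$1
    shift

    # Drop values left over from an earlier eval so a stale token
    # cannot satisfy the checks below.
    unset COTRACKPRO_PLUGIN_TOKEN COTRACKPRO_API COTRACKPRO_ORG

    # Capture first: a bare eval "$(...)" hides a failed broker call,
    # and the command would then run without a fresh token.
    # Assumption: cotrackpro exits non-zero when it cannot mint a token.
    exports=$(cotrackpro token --scopes "$scopes" --export) || {
      echo "with_broker_token: broker call failed" >&2
      exit 70   # arbitrary exit code chosen for this example
    }
    eval "$exports"

    # Fail closed unless all three variables that --export emits are set.
    for name in COTRACKPRO_PLUGIN_TOKEN COTRACKPRO_API COTRACKPRO_ORG; do
      eval "value=\${$name:-}"
      if [ -z "$value" ]; then
        echo "with_broker_token: $name not set by broker" >&2
        exit 78   # arbitrary exit code chosen for this example
      fi
    done

    # Run the wrapped command with the token in its environment only.
    "$@"
  )
}
```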

Use it from code

import { clientFromBrokerEnv } from "@cotrackpro/sdk";

// Authenticated with the CLI-brokered token — holds no credentials.
const cp = clientFromBrokerEnv();
const pkgs = await cp.packages.list();

Scaffold a gated plugin

Generate a package that's pre-wired to the broker, then register it so the CLI injects a scoped token whenever it runs:

cotrackpro scaffold reporter --plugin --scopes org:packages:read
cotrackpro plugins register ./cotrackpro-reporter

The keychain and RBAC stay in the CLI; packages get least-privilege, expiring access. This is also how agent hosts like Antigravity read gated data.