From 3f91ce64ff1c817f3f54f06cb1fd2d03bedc32af Mon Sep 17 00:00:00 2001
From: Arjun Komath <arjunkomath@gmail.com>
Date: Thu, 26 Mar 2026 21:35:00 +1100
Subject: [PATCH 1/4] Add CLI binary workflow

---
 .github/workflows/cli-release.yml | 78 +++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 .github/workflows/cli-release.yml

diff --git a/.github/workflows/cli-release.yml b/.github/workflows/cli-release.yml
new file mode 100644
index 0000000..cb5dd86
--- /dev/null
+++ b/.github/workflows/cli-release.yml
@@ -0,0 +1,78 @@
+name: CLI Release
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build ${{ matrix.target }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        include:
+          - target: bun-darwin-arm64
+            os: macos-latest
+            artifact: chp-darwin-arm64
+          - target: bun-darwin-x64
+            os: macos-latest
+            artifact: chp-darwin-x64
+          - target: bun-linux-x64
+            os: ubuntu-latest
+            artifact: chp-linux-x64
+          - target: bun-linux-arm64
+            os: ubuntu-latest
+            artifact: chp-linux-arm64
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Install dependencies
+        run: cd packages/cli && bun install
+
+      - name: Build binary
+        run: |
+          cd packages/cli
+          VERSION=$(jq -r .version package.json)
+          bun build --compile --target=${{ matrix.target }} --define "__CLI_VERSION__=\"${VERSION}\"" ./src/index.ts --outfile ${{ matrix.artifact }}
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v5
+        with:
+          name: ${{ matrix.artifact }}
+          path: packages/cli/${{ matrix.artifact }}
+
+  release:
+    name: Create Release
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Read version
+        id: version
+        run: echo "version=$(jq -r .version packages/cli/package.json)" >> "$GITHUB_OUTPUT"
+
+      - name: Download all artifacts
+        uses: actions/download-artifact@v5
+        with:
+          path: artifacts
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: cli-v${{ steps.version.outputs.version }}
+          name: CLI v${{ steps.version.outputs.version }}
+          generate_release_notes: true
+          files: |
+            artifacts/chp-darwin-arm64/chp-darwin-arm64
+            artifacts/chp-darwin-x64/chp-darwin-x64
+            artifacts/chp-linux-x64/chp-linux-x64
+            artifacts/chp-linux-arm64/chp-linux-arm64

From 0866df457fda5f8c514023d35d72f5743969d83f Mon Sep 17 00:00:00 2001
From: Arjun Komath <arjunkomath@gmail.com>
Date: Thu, 26 Mar 2026 21:38:22 +1100
Subject: [PATCH 2/4] Update workflow

---
 .github/workflows/cli-release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/cli-release.yml b/.github/workflows/cli-release.yml
index cb5dd86..4a55aba 100644
--- a/.github/workflows/cli-release.yml
+++ b/.github/workflows/cli-release.yml
@@ -40,7 +40,7 @@ jobs:
           bun build --compile --target=${{ matrix.target }} --define "__CLI_VERSION__=\"${VERSION}\"" ./src/index.ts --outfile ${{ matrix.artifact }}
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ${{ matrix.artifact }}
           path: packages/cli/${{ matrix.artifact }}
@@ -61,7 +61,7 @@ jobs:
         run: echo "version=$(jq -r .version packages/cli/package.json)" >> "$GITHUB_OUTPUT"
 
       - name: Download all artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           path: artifacts
 

From 25141f7cf1c43e874aca9d8f3dee223fd6f3fbe2 Mon Sep 17 00:00:00 2001
From: Arjun Komath <arjunkomath@gmail.com>
Date: Thu, 16 Apr 2026 09:56:51 +1000
Subject: [PATCH 3/4] Disable sign-ups using email

---
 apps/web/pages/login.tsx | 85 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 78 insertions(+), 7 deletions(-)

diff --git a/apps/web/pages/login.tsx b/apps/web/pages/login.tsx
index 0d69071..4d3675e 100644
--- a/apps/web/pages/login.tsx
+++ b/apps/web/pages/login.tsx
@@ -5,6 +5,12 @@ import Head from "next/head";
 import Image from "next/image";
 import Link from "next/link";
 import { useRouter } from "next/router";
+import { useState } from "react";
+import {
+  createToastWrapper,
+  notifyError,
+  notifySuccess,
+} from "../components/core/toast.component";
 import { DEFAULT_TITLE, SUBTITLE } from "../data/marketing.data";
 import { ROUTES } from "../data/routes.data";
 import logoImage from "../public/images/logo.png";
@@ -19,6 +25,39 @@ export default function Login() {
   const { supabase } = useUserData();
   const prefersColorScheme = usePrefersColorScheme();
 
+  const [email, setEmail] = useState("");
+  const [sending, setSending] = useState(false);
+  const [submitted, setSubmitted] = useState(false);
+
+  const redirectTo =
+    getAppBaseURL() +
+    ROUTES.LOGIN_CALLBACK +
+    (redirectedFrom ? `?redirectedFrom=${redirectedFrom}` : "");
+
+  async function handleEmailLogin(e: React.FormEvent) {
+    e.preventDefault();
+    if (!email || sending) return;
+    setSending(true);
+    const { error } = await supabase.auth.signInWithOtp({
+      email,
+      options: { shouldCreateUser: false, emailRedirectTo: redirectTo },
+    });
+    setSending(false);
+    if (error) {
+      const msg = error.message.toLowerCase();
+      if (msg.includes("signups not allowed") || msg.includes("not found")) {
+        notifyError(
+          "No account found for this email. Sign up with Google or GitHub."
+        );
+      } else {
+        notifyError(error.message);
+      }
+      return;
+    }
+    setSubmitted(true);
+    notifySuccess("Check your email for the login link.");
+  }
+
   const fontFamily =
     "system-ui, -apple-system, BlinkMacSystemFont, Segoe UI, Roboto, Oxygen, Ubuntu, Cantarell, Fira Sans, Droid Sans, Helvetica Neue, sans-serif";
 
@@ -53,6 +92,8 @@ export default function Login() {
         }}
       />
 
+      {createToastWrapper(prefersColorScheme)}
+
       <div className="min-h-screen flex flex-col items-center justify-center bg-gray-50 dark:bg-gray-800 py-12 px-4 sm:px-6 lg:px-8 overflow-y-auto">
         <div className="max-w-md w-full space-y-4">
           <div className="flex flex-col items-center justify-center mb-8">
@@ -111,15 +152,45 @@ export default function Login() {
               },
             }}
             providers={["github", "google"]}
-            redirectTo={
-              getAppBaseURL() +
-              ROUTES.LOGIN_CALLBACK +
-              (redirectedFrom ? `?redirectedFrom=${redirectedFrom}` : "")
-            }
+            redirectTo={redirectTo}
             theme={prefersColorScheme === "dark" ? "dark" : "light"}
-            view="magic_link"
-            showLinks={false}
+            onlyThirdPartyProviders
           />
+
+          <div className="relative my-4">
+            <div className="absolute inset-0 flex items-center" aria-hidden="true">
+              <div className="w-full border-t border-gray-300 dark:border-gray-700" />
+            </div>
+            <div className="relative flex justify-center text-sm">
+              <span className="bg-gray-50 dark:bg-gray-800 px-2 text-gray-500 dark:text-gray-400">
+                Or sign in with email
+              </span>
+            </div>
+          </div>
+
+          <form onSubmit={handleEmailLogin} className="space-y-3">
+            <input
+              type="email"
+              required
+              autoComplete="email"
+              placeholder="you@example.com"
+              value={email}
+              onChange={(e) => setEmail(e.target.value)}
+              disabled={sending || submitted}
+              className="block w-full rounded-md border border-gray-300 dark:border-gray-700 bg-white dark:bg-gray-900 px-3 py-2 text-gray-900 dark:text-gray-100 placeholder-gray-400 focus:border-indigo-500 focus:outline-none focus:ring-indigo-500 disabled:opacity-60"
+            />
+            <button
+              type="submit"
+              disabled={sending || submitted}
+              className="flex w-full justify-center rounded-md bg-indigo-600 px-3 py-2 text-sm font-medium text-white hover:bg-indigo-700 focus:outline-none focus:ring-2 focus:ring-indigo-500 focus:ring-offset-2 disabled:opacity-60"
+            >
+              {submitted
+                ? "Check your email"
+                : sending
+                  ? "Sending…"
+                  : "Send magic link"}
+            </button>
+          </form>
         </div>
       </div>
     </>

From 063728e8bab86d2e72c7e4f876113a4bfb05cd78 Mon Sep 17 00:00:00 2001
From: Arjun Komath <arjunkomath@gmail.com>
Date: Thu, 16 Apr 2026 09:59:24 +1000
Subject: [PATCH 4/4] Potential fix for pull request finding 'CodeQL / Workflow
 does not contain permissions'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/cli-release.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/cli-release.yml b/.github/workflows/cli-release.yml
index 4a55aba..7de38f1 100644
--- a/.github/workflows/cli-release.yml
+++ b/.github/workflows/cli-release.yml
@@ -7,6 +7,8 @@ jobs:
   build:
     name: Build ${{ matrix.target }}
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       matrix:
         include: