SPerekrestova · SPerekrestova · Jun 9, 2026 · May 6, 2026 · May 6, 2026 · May 6, 2026
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -18,12 +18,12 @@
         "practice"
     ],
     "scripts": {
-        "test": "vitest run | pino-pretty",
+        "test": "bash -o pipefail -c 'vitest run --exclude \"tests/e2e/**\" | pino-pretty'",
         "test:unit": "vitest run tests/mcp tests/utils tests/services tests/tools",
         "test:integration": "vitest run tests/integration",
-        "test:e2e": "vitest run tests/e2e",
-        "test:all": "vitest run",
-        "test:coverage": "vitest run --coverage",
+        "test:e2e": "vitest run --config vitest.e2e.config.ts",
+        "test:all": "npm run test && npm run test:e2e",
+        "test:coverage": "vitest run --exclude 'tests/e2e/**' --coverage",
         "test:watch": "vitest watch",
         "test:types": "tsc -p tsconfig.test.json",
         "build": "tsc && chmod u+x build/index.js",
@@ -83,6 +83,7 @@
         "globals": "^16.0.0",
         "husky": "^9.1.7",
         "lint-staged": "^15.5.1",
+        "nock": "^14.0.15",
         "pino-pretty": "^13.0.0",
         "prettier": "^3.5.3",
         "prettier-plugin-organize-imports": "^4.1.0",

diff --git a/scripts/sync-version.cjs b/scripts/sync-version.cjs
@@ -49,11 +49,10 @@ if (fs.existsSync(marketplacePath)) {
 const skillPaths = [
     "skills/interactive-leetcode-mcp/SKILL.md",
     ".claude/skills/using-interactive-leetcode-mcp/SKILL.md",
-    "clawhub-skill/interactive-leetcode-mcp/SKILL.md",
+    "clawhub-skill/interactive-leetcode-mcp/SKILL.md"
 ];
 
-const versionPattern =
-    /@sperekrestova\/interactive-leetcode-mcp@[\w.-]+/g;
+const versionPattern = /@sperekrestova\/interactive-leetcode-mcp@[\w.-]+/g;
 const versionReplacement = `@sperekrestova/interactive-leetcode-mcp@${version}`;
 
 for (const rel of skillPaths) {

diff --git a/src/auth/auth-flow.ts b/src/auth/auth-flow.ts
@@ -0,0 +1,102 @@
+/**
+ * Authentication helpers that bridge the on-disk credentials store and the
+ * in-memory `LeetcodeServiceInterface`.
+ *
+ * Closes the silent-logout-on-restart gap where saved credentials existed in
+ * `~/.leetcode-mcp/credentials.json` but the running server never re-hydrated
+ * them, so every authenticated tool failed with "Authentication required" until
+ * the user pasted their cookies again.
+ */
+import { LeetcodeServiceInterface } from "../leetcode/leetcode-service-interface.js";
+import { CredentialsStorage } from "../types/credentials.js";
+import { credentialsStorage as defaultStorage } from "../utils/credentials.js";
+import logger from "../utils/logger.js";
+
+/** Outcome of an `restoreCredentials` call — useful in tests and logs. */
+export type RestoreOutcome =
+    | { status: "no_credentials" }
+    | { status: "invalid"; reason: "load_failed" | "expired" }
+    | { status: "restored"; username: string };
+
+/**
+ * Loads saved credentials from disk, validates them against LeetCode, and
+ * pushes them into the running service if they're still good.
+ *
+ * Safe to call at server startup; never throws — failures are logged and the
+ * outcome is returned for callers that want to react.
+ */
+export async function restoreCredentials(
+    service: LeetcodeServiceInterface,
+    storage: CredentialsStorage = defaultStorage
+): Promise<RestoreOutcome> {
+    let credentials: Awaited<ReturnType<CredentialsStorage["load"]>>;
+    try {
+        if (!(await storage.exists())) {
+            return { status: "no_credentials" };
+        }
+        credentials = await storage.load();
+    } catch (error) {
+        logger.warn(
+            "Saved credentials could not be loaded; ignoring: %s",
+            error instanceof Error ? error.message : String(error)
+        );
+        return { status: "invalid", reason: "load_failed" };
+    }
+
+    if (!credentials) {
+        logger.warn(
+            "Saved credentials file exists but could not be parsed; ignoring."
+        );
+        return { status: "invalid", reason: "load_failed" };
+    }
+
+    let username: string | null;
+    try {
+        username = await applyValidatedCredentials(
+            service,
+            credentials.csrftoken,
+            credentials.LEETCODE_SESSION
+        );
+    } catch (error) {
+        logger.warn(
+            "Saved credentials validation failed; user will need to re-authenticate: %s",
+            error instanceof Error ? error.message : String(error)
+        );
+        return { status: "invalid", reason: "expired" };
+    }
+
+    if (!username) {
+        logger.info(
+            "Saved credentials are no longer valid; user will need to re-authenticate."
+        );
+        return { status: "invalid", reason: "expired" };
+    }
+
+    logger.info(
+        "Restored LeetCode session for %s from saved credentials.",
+        username
+    );
+    return { status: "restored", username };
+}
+
+/**
+ * Validates `csrf` / `session` against LeetCode and, on success, pushes them
+ * into the running service so the very next authenticated tool call works
+ * without forcing a server restart.
+ *
+ * Returns the validated username, or `null` if LeetCode rejected the cookies.
+ * Trusts the `validateCredentials` interface contract (`Promise<string | null>`)
+ * and does not catch — any exception thrown by the service propagates.
+ */
+export async function applyValidatedCredentials(
+    service: LeetcodeServiceInterface,
+    csrf: string,
+    session: string
+): Promise<string | null> {
+    const username = await service.validateCredentials(csrf, session);
+    if (!username) {
+        return null;
+    }
+    service.updateCredentials(csrf, session);
+    return username;
+}
diff --git a/src/domain/hint-state-machine.ts b/src/domain/hint-state-machine.ts
@@ -0,0 +1,83 @@
+/**
+ * Pure-logic hint state machine.
+ *
+ * The "tutor, not solution oracle" contract is enforced **here** — not in
+ * prompts, not in tool descriptions, not in the agent's instruction-following.
+ * Every transition that affects hint progression flows through these
+ * functions, and gated tools call {@link assertSolutionUnlocked} before
+ * returning content. If a code path bypasses this module it is a bug.
+ *
+ * Intentionally has no IO: takes a {@link SessionState}, returns a new one
+ * (or throws). The session store handles persistence.
+ */
+import {
+    ErrorCode,
+    LeetCodeError,
+    MAX_HINT_LEVEL,
+    type HintLevel,
+    type SessionState
+} from "../types/index.js";
+
+/** Hint level at which the canonical solution becomes callable. */
+export const SOLUTION_HINT_LEVEL: HintLevel = MAX_HINT_LEVEL;
+
+/**
+ * Bumps `session.hintLevel` by one (clamped at {@link MAX_HINT_LEVEL}) and
+ * stamps `updatedAt`. Returns a new object — the input is not mutated.
+ *
+ * Bumping at the maximum level is a no-op rather than an error: callers
+ * that want a different behaviour should check `session.hintLevel` before
+ * calling.
+ */
+export function advanceHint(session: SessionState): SessionState {
+    const next: HintLevel =
+        session.hintLevel >= MAX_HINT_LEVEL
+            ? MAX_HINT_LEVEL
+            : ((session.hintLevel + 1) as HintLevel);
+    return {
+        ...session,
+        hintLevel: next,
+        updatedAt: new Date().toISOString()
+    };
+}
+
+/**
+ * Resets the session back to its level-0 initial state, preserving the
+ * slug / language / workspace so the user can re-attempt from scratch.
+ *
+ * `attempts` and `lastLocalRunPassed` are zeroed too, because resetting
+ * the hint level without resetting effort would mislead future hint
+ * generation about how much the user has already tried.
+ */
+export function resetSession(session: SessionState): SessionState {
+    return {
+        ...session,
+        hintLevel: 0,
+        attempts: 0,
+        lastLocalRunPassed: null,
+        lastLocalRunSnapshot: null,
+        status: "started",
+        updatedAt: new Date().toISOString()
+    };
+}
+
+/**
+ * Throws `LeetCodeError(HINT_LEVEL_TOO_LOW)` unless the session has
+ * reached the level required to unlock the canonical solution.
+ *
+ * `list_problem_solutions` and `get_problem_solution` MUST call this
+ * before returning content. If the session doesn't exist (the user
+ * never called `start_problem`) callers should throw
+ * `SESSION_NOT_FOUND` themselves — that's a different failure mode and
+ * the agent should react differently to it.
+ */
+export function assertSolutionUnlocked(session: SessionState): void {
+    if (session.hintLevel < SOLUTION_HINT_LEVEL) {
+        throw new LeetCodeError(
+            ErrorCode.HINT_LEVEL_TOO_LOW,
+            `Solution is gated behind hint level ${SOLUTION_HINT_LEVEL}; ` +
+                `session for "${session.slug}" is at level ${session.hintLevel}. ` +
+                `Drive the user through \`request_hint\` until they have engaged with each level.`
+        );
+    }
+}
diff --git a/src/domain/local-run-snapshot.ts b/src/domain/local-run-snapshot.ts
@@ -0,0 +1,12 @@
+import { createHash } from "node:crypto";
+
+export interface LocalRunSnapshotInput {
+    code: string;
+    language: string;
+}
+
+export function createLocalRunSnapshot(input: LocalRunSnapshotInput): string {
+    return createHash("sha256")
+        .update(JSON.stringify([input.language, input.code]))
+        .digest("hex");
+}