feat: add Windows install, improve auth UX and paste support

  - Add Windows installation support in install script
  - Fix Anthropic OAuth to auto-open browser automatically
  - Add clickable OAuth URLs with OSC 8 hyperlinks
  - Fix paste functionality in TUI (Ctrl+V and bracketed paste mode)

Author: mathisdev7

changelog/CHANGELOG-2026-01-04.md

@@ -0,0 +1,42 @@
+# Changelog - January 4, 2026
+
+## Installation
+
+### Windows Install Support
+
+- Added Windows install support in install script
+- Fixed curl install tracking to follow redirects to Upstash
+
+## Authentication
+
+### Anthropic OAuth Browser Auto-Open
+
+- Fixed OAuth link for Anthropic not opening browser automatically
+- Implemented internal Anthropic OAuth plugin with PKCE flow
+- Browser now auto-opens like Codex authentication flow
+- Added fallback clickable URLs when browser fails to open
+- Replaced external `opencode-anthropic-auth` plugin with internal implementation
+
+### Clickable OAuth URLs
+
+- Added `UI.hyperlink()` utility for OSC 8 terminal hyperlinks
+- OAuth URLs now clickable via Ctrl+Click in modern terminals
+- Bypassed `@clack/prompts` escape sequence stripping with direct console output
+- Updated Qwen and Amp OAuth flows to use clickable URLs
+
+## TUI Improvements
+
+### Enhanced Paste Support
+
+- Added bracketed paste mode for better paste detection
+- Fixed Ctrl+V paste action (was disabled and only handled images)
+- Ctrl+V now supports both text and image pasting from clipboard
+- Improved paste reliability for large content
+- Paste now works via multiple methods:
+  - Ctrl+V (system clipboard)
+  - Native terminal paste (Shift+Insert, Cmd+V)
+  - Bracketed paste mode
+
+---
+
+**Summary**: This release adds Windows installation support, fixes Anthropic OAuth to auto-open the browser, makes OAuth URLs clickable in terminals, and significantly improves paste functionality in the TUI. Authentication flows now provide a smoother experience with automatic browser opening and clickable fallback URLs.

packages/arctic/src/auth/amp-auth/index.ts

@@ -3,6 +3,7 @@ import crypto from "node:crypto"
 import http from "node:http"
 import { URL } from "node:url"
 import { openBrowserUrl } from "../codex-oauth/auth/browser"
+import { UI } from "@/cli/ui"
 
 const AMP_DEFAULT_URL = "https://ampcode.com"
 const CALLBACK_PATH = "/auth/callback"
@@ -106,7 +107,7 @@ export const ArcticAmpAuth: Plugin = async (_input: PluginInput) => {
 
             return {
               url: loginUrl,
-              instructions: `If the callback fails, open ${manualUrl} and paste the access token.`,
+              instructions: `If the callback fails, open ${UI.hyperlink(manualUrl, manualUrl)} and paste the access token.`,
               method: "auto",
               callback: async () => {
                 try {

packages/arctic/src/auth/anthropic-oauth/index.ts

@@ -1 +1,2 @@
 export { refreshAccessToken, isTokenExpired, type TokenResult, type TokenResponse } from "./token"
+export { ArcticAnthropicAuth } from "./plugin"

packages/arctic/src/auth/anthropic-oauth/plugin.ts

@@ -0,0 +1,141 @@
+import type { Plugin, PluginInput } from "@arctic-cli/plugin"
+import { openBrowserUrl } from "../codex-oauth/auth/browser"
+
+export const ArcticAnthropicAuth: Plugin = async (_: PluginInput) => {
+  return {
+    auth: {
+      provider: "anthropic",
+
+      methods: [
+        {
+          label: "Claude.ai Account (OAuth)",
+          type: "oauth" as const,
+          async authorize() {
+            // Generate OAuth parameters
+            const clientId = "9d1c250a-e61b-44d9-88ed-5944d1962f5e"
+            const redirectUri = "https://console.anthropic.com/oauth/code/callback"
+            const scope = "org:create_api_key user:profile user:inference"
+
+            // Generate PKCE challenge
+            const codeVerifier = generateCodeVerifier()
+            const codeChallenge = await generateCodeChallenge(codeVerifier)
+            const state = generateRandomString(64)
+
+            // Build authorization URL
+            const params = new URLSearchParams({
+              code: "true",
+              client_id: clientId,
+              response_type: "code",
+              redirect_uri: redirectUri,
+              scope,
+              code_challenge: codeChallenge,
+              code_challenge_method: "S256",
+              state,
+            })
+
+            const url = `https://claude.ai/oauth/authorize?${params.toString()}`
+
+            // Open browser automatically
+            openBrowserUrl(url)
+
+            return {
+              url,
+              instructions:
+                "Opening browser to authenticate with Claude.ai...\n\nIf the browser doesn't open automatically, visit the URL above.",
+              method: "code" as const,
+              async callback(code: string) {
+                if (!code) {
+                  return { type: "failed" as const, error: "No authorization code provided" }
+                }
+
+                try {
+                  // Exchange code for tokens
+                  const tokenResponse = await fetch("https://console.anthropic.com/v1/oauth/token", {
+                    method: "POST",
+                    headers: {
+                      "Content-Type": "application/json",
+                    },
+                    body: JSON.stringify({
+                      grant_type: "authorization_code",
+                      code,
+                      redirect_uri: redirectUri,
+                      code_verifier: codeVerifier,
+                      client_id: clientId,
+                    }),
+                  })
+
+                  if (!tokenResponse.ok) {
+                    const errorText = await tokenResponse.text()
+                    console.error("[Anthropic OAuth] Token exchange failed:", tokenResponse.status, errorText)
+                    return { type: "failed" as const, error: `Token exchange failed: ${tokenResponse.status}` }
+                  }
+
+                  const tokenData = await tokenResponse.json()
+
+                  if (!tokenData.access_token) {
+                    console.error("[Anthropic OAuth] No access token in response:", tokenData)
+                    return { type: "failed" as const, error: "No access token received" }
+                  }
+
+                  // Calculate expiration timestamp
+                  const expiresAt = Date.now() + (tokenData.expires_in ?? 3600) * 1000
+
+                  return {
+                    type: "success" as const,
+                    access: tokenData.access_token,
+                    refresh: tokenData.refresh_token,
+                    expires: expiresAt,
+                  }
+                } catch (error) {
+                  console.error("[Anthropic OAuth] Error during token exchange:", error)
+                  return {
+                    type: "failed" as const,
+                    error: error instanceof Error ? error.message : "Unknown error",
+                  }
+                }
+              },
+            }
+          },
+        },
+      ],
+    },
+  }
+}
+
+/**
+ * Generate a random string for PKCE code verifier or state
+ */
+function generateRandomString(length: number): string {
+  const array = new Uint8Array(length)
+  crypto.getRandomValues(array)
+  return Array.from(array, (byte) => byte.toString(16).padStart(2, "0")).join("")
+}
+
+/**
+ * Generate PKCE code verifier (43-128 characters)
+ */
+function generateCodeVerifier(): string {
+  const array = new Uint8Array(32)
+  crypto.getRandomValues(array)
+  return base64UrlEncode(array)
+}
+
+/**
+ * Generate PKCE code challenge from verifier
+ */
+async function generateCodeChallenge(verifier: string): Promise<string> {
+  const encoder = new TextEncoder()
+  const data = encoder.encode(verifier)
+  const hash = await crypto.subtle.digest("SHA-256", data)
+  return base64UrlEncode(new Uint8Array(hash))
+}
+
+/**
+ * Base64 URL-safe encoding (no padding)
+ */
+function base64UrlEncode(buffer: Uint8Array): string {
+  const base64 = btoa(String.fromCharCode(...buffer))
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "")
+}
+
+export default ArcticAnthropicAuth

packages/arctic/src/auth/qwen-oauth/index.ts

@@ -2,6 +2,7 @@ import type { Plugin, PluginInput } from "@arctic-cli/plugin"
 import { openBrowserUrl } from "../codex-oauth/auth/browser"
 import { Auth } from "../index"
 import { ensureAuth, getApiBaseUrl, pollForToken, requestDeviceCode } from "./auth"
+import { UI } from "@/cli/ui"
 
 export { ensureAuth, getApiBaseUrl } from "./auth"
 
@@ -53,7 +54,7 @@ export const ArcticQwenAuth: Plugin = async (_: PluginInput) => {
 
             return {
               url,
-              instructions: `Visit the URL in your browser and click the button to authorize.\n\nURL: ${url}`,
+              instructions: `Visit the URL in your browser and click the button to authorize.\n\nURL: ${UI.hyperlink(url)}`,
               method: "auto" as const,
               async callback() {
                 while (true) {

packages/arctic/src/cli/cmd/auth.ts

@@ -101,12 +101,16 @@ async function handlePluginAuth(plugin: { auth: PluginAuth }, provider: string):
     }
 
     if (authorize.url) {
-      prompts.log.info("Go to: " + authorize.url)
+      // Use console.log directly because @clack/prompts strips escape sequences
+      console.log("│")
+      console.log("●  Go to: " + UI.hyperlink(authorize.url))
     }
 
     if (authorize.method === "auto") {
       if (authorize.instructions) {
-        prompts.log.info(authorize.instructions)
+        // Use console.log directly to preserve hyperlinks in instructions
+        console.log("│")
+        console.log("●  " + authorize.instructions)
       }
       const spinner = prompts.spinner()
       spinner.start("Waiting for authorization...")

packages/arctic/src/cli/cmd/tui/app.tsx

@@ -116,6 +116,9 @@ export function tui(input: { url: string; args: Args; onExit?: () => Promise<voi
   process.stdout.write("\x1b[>4;2m")
   // Enable focus tracking to handle terminal tab switches
   process.stdout.write("\x1b[?1004h")
+  // Enable bracketed paste mode (wraps pasted text with \x1b[200~ and \x1b[201~ markers)
+  // This prevents terminals from executing pasted commands and improves paste detection
+  process.stdout.write("\x1b[?2004h")
 
   // promise to prevent immediate exit
   return new Promise<void>(async (resolve) => {
@@ -126,6 +129,8 @@ export function tui(input: { url: string; args: Args; onExit?: () => Promise<voi
       process.stdout.write("\x1b[>4;0m")
       // Disable focus tracking
       process.stdout.write("\x1b[?1004l")
+      // Disable bracketed paste mode
+      process.stdout.write("\x1b[?2004l")
       await input.onExit?.()
       resolve()
     }
@@ -208,6 +213,8 @@ function App() {
     renderer.enableKittyKeyboard()
     process.stdout.write("\x1b[>4;1m")
     process.stdout.write("\x1b[>4;2m")
+    // Re-enable bracketed paste mode
+    process.stdout.write("\x1b[?2004h")
 
     // Handle terminal focus events (e.g., switching tabs)
     // Focus-in events trigger a repaint to fix rendering issues

packages/arctic/src/cli/cmd/tui/component/prompt/index.tsx

@@ -495,7 +495,7 @@ export function Prompt(props: PromptProps) {
       {
         title: "Paste",
         value: "prompt.paste",
-        disabled: true,
+        disabled: false,
         keybind: "input_paste",
         category: "Prompt",
         onSelect: async () => {
@@ -506,6 +506,12 @@ export function Prompt(props: PromptProps) {
               mime: content.mime,
               content: content.data,
             })
+          } else if (content?.mime === "text/plain") {
+            // Paste text content from clipboard
+            const text = content.data
+            if (text) {
+              input.insertText(text)
+            }
           }
         },
       },

packages/arctic/src/cli/cmd/uninstall.ts

@@ -199,6 +199,22 @@ async function executeUninstall(method: Installation.Method, targets: RemovalTar
   }
 
   if (method === "curl" && targets.binary) {
+    if (process.platform !== "win32") {
+      spinner.start("Removing binary...")
+      try {
+        await fs.unlink(targets.binary)
+        spinner.stop("Binary removed")
+
+        const binDir = path.dirname(targets.binary)
+        if (binDir.includes(".arctic")) {
+          await fs.rm(binDir, { recursive: true, force: true }).catch(() => {})
+        }
+        return
+      } catch {
+        spinner.stop("Failed to remove binary", 1)
+      }
+    }
+
     UI.empty()
     prompts.log.message("To finish removing the binary, run:")
     prompts.log.info(`  rm "${targets.binary}"`)

packages/arctic/src/cli/ui.ts

@@ -29,6 +29,20 @@ export namespace UI {
     TEXT_INFO_BOLD: "\x1b[94m\x1b[1m",
   }
 
+  /**
+   * Makes a URL clickable in terminals that support OSC 8 hyperlinks.
+   * Falls back to plain URL if not supported.
+   *
+   * @param url - The URL to make clickable
+   * @param text - Optional display text (defaults to the URL itself)
+   * @returns The formatted hyperlink
+   */
+  export function hyperlink(url: string, text?: string): string {
+    const displayText = text || url
+    // OSC 8 format: \x1b]8;;URL\x07TEXT\x1b]8;;\x07
+    return `\x1b]8;;${url}\x07${displayText}\x1b]8;;\x07`
+  }
+
   export function println(...message: string[]) {
     print(...message)
     Bun.stderr.write(EOL)