fix: Fix incorrect storage of id_token, add missing awaits for some async operations( #1121)

* fix: await settings writes across create/clone flows

Ensure project settings persistence is awaited before command and MCP clone flows return success.
This removes fire-and-forget writes so I/O failures are surfaced in-band instead of being lost.
Add assertions that create/clone produce a persisted .clasp.json and add a real filesystem test that setProjectId propagates write failures.

* fix: handle invalid --project and --ignore paths

Convert explicit missing config and ignore paths into controlled CLI errors instead of bubbling raw fs.stat ENOENT output.
Treat both ENOENT and ENOTDIR as user path-not-found cases so directory/file mixups are handled consistently.
Cover both error paths with real filesystem tests and validate the exact CLI messages via direct command execution.

* fix: align MCP pull/clone response wording

Update MCP pull_project and clone_project status text to match the actual operation names.
Correct create_project and clone_project error text that previously referenced push.
Keep this scoped to user-facing response copy without changing command behavior.

* Fix open-web-app deployment label formatting

Correct the deployment choice label in open-web-app by removing an
extra closing brace from the rendered string.

This prevents malformed output in the interactive deployment picker.

* Update tail-logs options in README command list

Remove stale --open and --setup flags from the tail-logs command
summary so it matches the current CLI implementation.

This keeps the command index aligned with supported options.

* chore: format files.ts to satisfy biome check

Apply biome formatting adjustments in Files core implementation to eliminate the pre-existing check failure.
This is a non-functional change that only normalizes whitespace, indentation, and line wrapping.
Keeps the combined PR green under npm run check.

* fix: await logout credential deletion

Await credential store deletion in the logout command so write failures
are surfaced before success output is emitted.

Add a regression test with an unwritable auth file to verify logout exits
with an error and does not print JSON success when deletion fails.

* fix: persist correct id_token on token refresh

Stop writing access tokens into the id_token field when OAuth tokens
refresh for loaded credentials and post-login credentials.

Add auth-level regression tests that trigger refresh events through both
code paths and verify the persisted id_token value matches token.id_token.
Include import ordering updates in the new auth test to satisfy lint checks.

Author: TheCrazyLex

README.md

@@ -135,7 +135,7 @@ clasp
 
 > **NOTE**: These commands require you to add your [Project ID](#projectid-optional).
 
-- [`clasp tail-logs [--json] [--open] [--setup] [--watch] [--simplified]`](#logs)
+- [`clasp tail-logs [--json] [--watch] [--simplified]`](#logs)
 - [`clasp list-apis`](#apis)
 - [`clasp enable-api<api>`](#apis)
 - [`clasp disable-api <api>`](#apis)

src/auth/auth.ts

@@ -149,7 +149,7 @@ export async function getAuthorizedOAuth2Client(
       ...savedCredentials,
       expiry_date: tokens.expiry_date,
       access_token: tokens.access_token,
-      id_token: tokens.access_token,
+      id_token: tokens.id_token,
     };
     await store.save(userKey!, refreshedCredentials);
   });
@@ -217,7 +217,7 @@ async function saveOauthClientCredentials(store: CredentialStore, userKey: strin
       ...savedCredentials,
       expiry_date: tokens.expiry_date,
       access_token: tokens.access_token,
-      id_token: tokens.access_token,
+      id_token: tokens.id_token,
     };
     debug('Saving refreshed credentials for user %s', userKey);
     await store.save(userKey, refreshedCredentials);

src/commands/clone-script.ts

@@ -95,7 +95,7 @@ export const command = new Command('clone-script')
         const files = await clasp.files.pull(versionNumber);
         // After successfully pulling files, update the local project settings (e.g., .clasp.json)
         // to reflect the cloned scriptId and other relevant configurations.
-        clasp.project.updateSettings();
+        await clasp.project.updateSettings();
         return files;
       });
 

src/commands/create-script.ts

@@ -141,7 +141,7 @@ export const command = new Command('create-script')
     const files = await withSpinner(spinnerMsg, async () => {
       const files = await clasp.files.pull();
       // Update the local .clasp.json with the new scriptId and other settings.
-      clasp.project.updateSettings();
+      await clasp.project.updateSettings();
       return files;
     });
 

src/commands/logout.ts

@@ -41,7 +41,7 @@ export const command = new Command('logout').description('Logout of clasp').acti
     return;
   }
 
-  auth.credentialStore?.delete(auth.user);
+  await auth.credentialStore?.delete(auth.user);
 
   if (options.json) {
     console.log(JSON.stringify({success: true}, null, 2));

src/commands/open-webapp.ts

@@ -44,7 +44,7 @@ export const command = new Command('open-web-app')
       const choices = deployments.results.map(deployment => {
         const description = ellipsize(deployment.deploymentConfig?.description ?? '', 30);
         const versionNumber = (deployment.deploymentConfig?.versionNumber?.toString() ?? 'HEAD').padEnd(4);
-        const name = `${description}@${versionNumber}} - ${deployment.deploymentId}`;
+        const name = `${description}@${versionNumber} - ${deployment.deploymentId}`;
         return {
           name: name,
           value: deployment.deploymentId,

src/core/clasp.ts

@@ -246,7 +246,15 @@ async function findProjectRootdDir(configFilePath?: string) {
   debug('Searching for project root');
   if (configFilePath) {
     debug('Checking for config file at %s', configFilePath);
-    const info = await fs.stat(configFilePath);
+    let info: Awaited<ReturnType<typeof fs.stat>>;
+    try {
+      info = await fs.stat(configFilePath);
+    } catch (error) {
+      if (isPathNotFoundError(error)) {
+        throw new Error(`Invalid --project path: ${configFilePath}. File or directory does not exist.`);
+      }
+      throw error;
+    }
     if (info.isDirectory()) {
       debug('Is directory, trying file');
       configFilePath = path.join(configFilePath, '.clasp.json');
@@ -279,7 +287,15 @@ async function findIgnoreFile(projectDir: string, configFilePath?: string) {
   debug('Searching for ignore file');
   if (configFilePath) {
     debug('Checking for ignore file at %s', configFilePath);
-    const info = await fs.stat(configFilePath);
+    let info: Awaited<ReturnType<typeof fs.stat>>;
+    try {
+      info = await fs.stat(configFilePath);
+    } catch (error) {
+      if (isPathNotFoundError(error)) {
+        throw new Error(`Invalid --ignore path: ${configFilePath}. File or directory does not exist.`);
+      }
+      throw error;
+    }
     if (info.isDirectory()) {
       debug('Is directory, trying file');
       configFilePath = path.join(configFilePath, '.claspignore');
@@ -328,3 +344,10 @@ function firstValue<T>(values: T | T[] | undefined): T | undefined {
   }
   return values as T | undefined;
 }
+
+function isPathNotFoundError(error: unknown): error is NodeJS.ErrnoException {
+  if (!error || typeof error !== 'object') {
+    return false;
+  }
+  return (error as NodeJS.ErrnoException).code === 'ENOENT' || (error as NodeJS.ErrnoException).code === 'ENOTDIR';
+}

src/core/files.ts

@@ -56,23 +56,11 @@ function parentDirs(file: string) {
   return parentDirs;
 }
 function isInside(parentPath: string, childPath: string): boolean {
-
   const relative = path.relative(parentPath, childPath);
 
-  return (
-
-    relative !== '' &&
-
-    !relative.startsWith('..') &&
-
-    !path.isAbsolute(relative)
-
-  );
-
+  return relative !== '' && !relative.startsWith('..') && !path.isAbsolute(relative);
 }
 
-
-
 async function getLocalFiles(rootDir: string, ignorePatterns: string[], recursive: boolean) {
   debug('Collecting files in %s', rootDir);
   let fdirBuilder = new fdir().withBasePath().withRelativePaths();
@@ -207,7 +195,7 @@ export class Files {
     this.options = options;
   }
 
-/**
+  /**
    * Fetches the content of a script project from Google Drive.
    */
   async fetchRemote(versionNumber?: number): Promise<ProjectFile[]> {
@@ -241,7 +229,7 @@ export class Files {
         // This prevents traversal (../../) and prefix attacks (/foo/bar vs /foo/bar1)
         if (!isInside(absoluteContentDir, resolvedPath)) {
           throw new Error(
-            `Security Error: Remote file name "${f.name}" attempts to write outside the project directory.`
+            `Security Error: Remote file name "${f.name}" attempts to write outside the project directory.`,
           );
         }
 
@@ -601,4 +589,3 @@ function extractSyntaxError(error: GaxiosError, files: ProjectFile[]) {
   snippet = preLines + '\n' + errLine + '\n' + postLines;
   return {message, snippet}; // Return the formatted message and snippet.
 }
-

src/core/project.ts

@@ -470,7 +470,7 @@ export class Project {
     debug('Setting project ID %s in file %s', projectId, this.options.configFilePath);
     assertScriptConfigured(this.options);
     this.options.project.projectId = projectId;
-    this.updateSettings();
+    await this.updateSettings();
   }
 
   /**

src/mcp/server.ts

@@ -197,7 +197,7 @@ export function buildMcpServer(auth: AuthInfo) {
           content: [
             {
               type: 'text',
-              text: `Error pushing project: ${err.message}`,
+              text: `Error cloning project: ${err.message}`,
             },
           ],
         };
@@ -294,7 +294,7 @@ export function buildMcpServer(auth: AuthInfo) {
           content: [
             {
               type: 'text',
-              text: `Error pushing project: ${err.message}`,
+              text: `Error creating project: ${err.message}`,
             },
           ],
         };
@@ -365,7 +365,7 @@ export function buildMcpServer(auth: AuthInfo) {
         // Pull files from the specified remote script ID.
         const files = await clasp.files.pull();
         // Create/update the .clasp.json file with the cloned script's ID and settings.
-        clasp.project.updateSettings();
+        await clasp.project.updateSettings();
 
         const fileList: Array<TextContent> = files.map(file => ({
           type: 'text',
@@ -394,7 +394,7 @@ export function buildMcpServer(auth: AuthInfo) {
           content: [
             {
               type: 'text',
-              text: `Error pushing project: ${err.message}`,
+              text: `Error cloning project: ${err.message}`,
             },
           ],
         };