@ait-co/console-cli 0.1.2 → 0.1.4

package/dist/cli.mjs

@@ -1,291 +1,549 @@
 #!/usr/bin/env node
 import { defineCommand, runMain } from "citty";
 import { spawn } from "node:child_process";
-import { randomBytes, timingSafeEqual } from "node:crypto";
-import { createServer } from "node:http";
-import { chmod, mkdir, readFile, rename, unlink, writeFile } from "node:fs/promises";
-import { basename, dirname, join } from "node:path";
-import { homedir } from "node:os";
-//#region src/browser.ts
-function openBrowser(url) {
-	if (process.env.AIT_CONSOLE_NO_BROWSER === "1") return Promise.resolve({ launched: false });
-	try {
-		const parsed = new URL(url);
-		if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return Promise.resolve({ launched: false });
-	} catch {
-		return Promise.resolve({ launched: false });
+import { constants } from "node:fs";
+import { chmod, mkdir, mkdtemp, readFile, rename, rm, unlink, writeFile } from "node:fs/promises";
+import { homedir, tmpdir } from "node:os";
+import { basename, dirname, join, win32 } from "node:path";
+//#region src/api/http.ts
+var TossApiError = class extends Error {
+	constructor(status, errorCode, reason, errorType) {
+		super(`Toss API error ${errorCode}: ${reason} (HTTP ${status})`);
+		this.status = status;
+		this.errorCode = errorCode;
+		this.reason = reason;
+		this.errorType = errorType;
+		this.name = "TossApiError";
 	}
-	return new Promise((resolve) => {
-		try {
-			if (process.platform === "win32") {
-				const child = spawn("cmd", [
-					"/c",
-					"start",
-					"\"\"",
-					`"${url.replace(/"/g, "%22")}"`
-				], {
-					stdio: "ignore",
-					detached: true,
-					windowsHide: true,
-					windowsVerbatimArguments: true
-				});
-				child.once("error", () => resolve({ launched: false }));
-				child.once("spawn", () => {
-					child.unref();
-					resolve({ launched: true });
-				});
-				return;
-			}
-			const child = spawn(process.platform === "darwin" ? "open" : "xdg-open", [url], {
-				stdio: "ignore",
-				detached: true
-			});
-			child.once("error", () => resolve({ launched: false }));
-			child.once("spawn", () => {
-				child.unref();
-				resolve({ launched: true });
-			});
-		} catch {
-			resolve({ launched: false });
-		}
-	});
-}
-//#endregion
-//#region src/exit.ts
-const ExitCode = {
-	Ok: 0,
-	Generic: 1,
-	Usage: 2,
-	NotAuthenticated: 10,
-	NetworkError: 11,
-	LoginTimeout: 12,
-	LoginStateMismatch: 13,
-	UpgradeUnavailable: 20,
-	UpgradeAlreadyLatest: 21
-};
-//#endregion
-//#region src/flush.ts
-async function exitAfterFlush(code) {
-	await new Promise((resolve) => process.stdout.write("", () => resolve()));
-	process.exit(code);
-}
-//#endregion
-//#region src/oauth.ts
-var CallbackTimeoutError = class extends Error {
-	constructor(seconds) {
-		super(`Login timed out after ${seconds}s`);
-		this.name = "CallbackTimeoutError";
+	/** Cookie-based auth rejected — session missing/expired/invalidated. */
+	get isAuthError() {
+		return this.status === 401 || this.errorCode === "4010";
 	}
 };
-var CallbackStateMismatchError = class extends Error {
-	constructor() {
-		super("Invalid or missing state parameter");
-		this.name = "CallbackStateMismatchError";
+var NetworkError = class extends Error {
+	constructor(url, cause) {
+		super(`Network request to ${url} failed: ${cause.message}`);
+		this.url = url;
+		this.name = "NetworkError";
+		this.cause = cause;
 	}
 };
-var CallbackMissingCodeError = class extends Error {
-	constructor() {
-		super("Missing code parameter");
-		this.name = "CallbackMissingCodeError";
+var MalformedResponseError = class extends Error {
+	constructor(url, status, message, bodyPreview) {
+		const suffix = bodyPreview ? ` (body: ${bodyPreview})` : "";
+		super(`Malformed response from ${url} (HTTP ${status}): ${message}${suffix}`);
+		this.url = url;
+		this.status = status;
+		this.bodyPreview = bodyPreview;
+		this.name = "MalformedResponseError";
 	}
 };
-function randomState() {
-	return randomBytes(32).toString("base64url");
+/**
+* RFC 6265-ish domain match. We accept the bare hostname case plus the
+* standard suffix match (`.example.com` cookie matches `foo.example.com`),
+* because CDP `Network.getAllCookies` normalises cookie Domain to a form
+* with a leading dot for host-matching cookies but without for explicit-host
+* cookies. Either form should round-trip correctly.
+*/
+function domainMatches(cookieDomain, hostname) {
+	if (cookieDomain.length === 0) return false;
+	const lower = cookieDomain.toLowerCase();
+	const host = hostname.toLowerCase();
+	if (lower === host) return true;
+	if (lower.startsWith(".") && host.endsWith(lower)) return true;
+	if (!lower.startsWith(".") && host.endsWith(`.${lower}`)) return true;
+	return false;
+}
+/**
+* RFC 6265 §5.1.4 path match. A cookie Path C matches a request path P iff
+* C and P are identical, OR C is a prefix of P and either C already ends
+* with '/' or the character in P immediately after C is '/'. Notably
+* "/foo" does NOT match "/foobar".
+*/
+function pathMatches(cookiePath, requestPath) {
+	if (!cookiePath) return true;
+	if (cookiePath === requestPath) return true;
+	if (!requestPath.startsWith(cookiePath)) return false;
+	return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length) === "/";
 }
-function constantTimeStringEqual(a, b) {
-	const bufA = Buffer.from(a, "utf8");
-	const bufB = Buffer.from(b, "utf8");
-	if (bufA.length !== bufB.length) return false;
-	return timingSafeEqual(bufA, bufB);
+function isSafeCookiePart(s) {
+	return !/[\x00-\x1f;\x7f]/.test(s);
 }
-function escapeHtml(s) {
-	return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;").replace(/\//g, "&#47;").replace(/`/g, "&#96;");
+/**
+* Build a `Cookie:` header value for the given URL from a captured cookie
+* set. Returns `null` when no cookies match — the caller should skip the
+* header entirely rather than emit `Cookie: ` with an empty value.
+*
+* Ordering follows RFC 6265 §5.4: cookies with longer paths come before
+* cookies with shorter paths; ties break on earliest creation time, which
+* we don't track, so we preserve capture order as a stable tiebreaker.
+*/
+function cookieHeaderFor(url, cookies) {
+	const matching = cookies.map((c, i) => ({
+		c,
+		i
+	})).filter(({ c }) => {
+		if (!isSafeCookiePart(c.name) || !isSafeCookiePart(c.value)) return false;
+		if (!domainMatches(c.domain, url.hostname)) return false;
+		if (!pathMatches(c.path, url.pathname)) return false;
+		if (c.secure && url.protocol !== "https:") return false;
+		return true;
+	}).sort((a, b) => {
+		const byPath = b.c.path.length - a.c.path.length;
+		return byPath !== 0 ? byPath : a.i - b.i;
+	}).map(({ c }) => c);
+	if (matching.length === 0) return null;
+	return matching.map((c) => `${c.name}=${c.value}`).join("; ");
 }
-function parseCallbackUrl(reqUrl, expectedState) {
-	if (!reqUrl) return { kind: "malformed" };
+/**
+* Perform a request against the console API and unwrap the Toss envelope.
+*
+* Always sets `Accept: application/json` and propagates the captured cookie
+* set. Callers may pass additional headers (useful for CSRF tokens that
+* later endpoints turn out to require — discovery is per-feature).
+*/
+async function requestConsoleApi(options) {
+	const url = new URL(options.url);
+	const cookieHeader = cookieHeaderFor(url, options.cookies);
+	const headers = {
+		Accept: "application/json, text/plain, */*",
+		...options.headers
+	};
+	if (cookieHeader) headers.Cookie = cookieHeader;
+	const init = {
+		method: options.method ?? "GET",
+		headers,
+		redirect: "follow"
+	};
+	if (options.body !== void 0) {
+		headers["Content-Type"] = "application/json";
+		init.body = JSON.stringify(options.body);
+	}
+	const fetchImpl = options.fetchImpl ?? ((input, init) => fetch(input, init));
+	let res;
+	try {
+		res = await fetchImpl(url, init);
+	} catch (err) {
+		throw new NetworkError(url.toString(), err);
+	}
+	let text;
+	try {
+		text = await res.text();
+	} catch (err) {
+		throw new MalformedResponseError(url.toString(), res.status, err.message);
+	}
 	let parsed;
 	try {
-		parsed = new URL(reqUrl, "http://127.0.0.1");
-	} catch {
-		return { kind: "malformed" };
-	}
-	if (parsed.pathname !== "/callback") return { kind: "not-found" };
-	const raw = {};
-	for (const [k, v] of parsed.searchParams) raw[k] = v;
-	const state = raw.state ?? "";
-	const code = raw.code ?? "";
-	if (!state || !constantTimeStringEqual(state, expectedState)) return { kind: "state-mismatch" };
-	if (!code) return { kind: "missing-code" };
-	return {
-		kind: "ok",
-		query: {
-			code,
-			state,
-			raw
-		}
-	};
+		parsed = JSON.parse(text);
+	} catch (err) {
+		const preview = text.slice(0, 200).replace(/\s+/g, " ").trim();
+		throw new MalformedResponseError(url.toString(), res.status, err.message, preview);
+	}
+	if (parsed.resultType === "SUCCESS") return parsed.success;
+	throw new TossApiError(res.status, parsed.error.errorCode, parsed.error.reason, parsed.error.errorType);
+}
+//#endregion
+//#region src/api/me.ts
+const MEMBER_USER_INFO_URL = "https://apps-in-toss.toss.im/console/api-public/v3/appsintossconsole/members/me/user-info";
+async function fetchConsoleMemberUserInfo(cookies, opts = {}) {
+	return requestConsoleApi({
+		url: MEMBER_USER_INFO_URL,
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+}
+//#endregion
+//#region src/cdp.ts
+function isResponse(m) {
+	return "id" in m;
 }
-const ERROR_MESSAGES = {
-	"state-mismatch": "Invalid or missing state parameter",
-	"missing-code": "Missing code parameter",
-	malformed: "Malformed request URL",
-	"not-found": "Not found"
+var CdpProtocolError = class extends Error {
+	constructor(method, code, message) {
+		super(`CDP error for ${method}: ${message} (code=${code})`);
+		this.method = method;
+		this.code = code;
+		this.name = "CdpProtocolError";
+	}
 };
-const ERROR_STATUS = {
-	"state-mismatch": 400,
-	"missing-code": 400,
-	malformed: 400,
-	"not-found": 404
+var CdpConnectionClosedError = class extends Error {
+	constructor() {
+		super("CDP connection closed before the response arrived.");
+		this.name = "CdpConnectionClosedError";
+	}
 };
-const SUCCESS_HTML = `<!doctype html>
-<html lang="en">
-<head><meta charset="utf-8"><title>ait-console</title>
-<style>body{font-family:system-ui,sans-serif;max-width:32rem;margin:4rem auto;padding:0 1rem;color:#222}h1{font-size:1.25rem}</style>
-</head>
-<body>
-<h1>Logged in to ait-console</h1>
-<p>You can close this window and return to your terminal.</p>
-</body></html>`;
-const GONE_HTML = `<!doctype html>
-<html lang="en">
-<head><meta charset="utf-8"><title>ait-console</title>
-<style>body{font-family:system-ui,sans-serif;max-width:32rem;margin:4rem auto;padding:0 1rem;color:#222}h1{font-size:1.25rem}</style>
-</head>
-<body>
-<h1>This login flow is already complete</h1>
-<p>Return to your terminal.</p>
-</body></html>`;
-function errorHtml(message) {
-	return `<!doctype html>
-<html lang="en">
-<head><meta charset="utf-8"><title>ait-console — error</title>
-<style>body{font-family:system-ui,sans-serif;max-width:32rem;margin:4rem auto;padding:0 1rem;color:#222}h1{font-size:1.25rem;color:#b00020}</style>
-</head>
-<body>
-<h1>Login failed</h1>
-<p>${escapeHtml(message)}</p>
-<p>Return to your terminal for details.</p>
-</body></html>`;
-}
-async function bindServer(server, preferredPort) {
-	const tryListen = (port) => new Promise((resolve, reject) => {
-		const onError = (err) => {
-			server.removeListener("error", onError);
-			reject(err);
+var CdpClient = class CdpClient {
+	socket;
+	nextId = 1;
+	pending = /* @__PURE__ */ new Map();
+	listeners = /* @__PURE__ */ new Set();
+	closed = false;
+	constructor(socket) {
+		this.socket = socket;
+		socket.addEventListener("message", (ev) => this.handleMessage(ev));
+		socket.addEventListener("close", () => this.handleClose());
+		socket.addEventListener("error", () => {});
+	}
+	static async connect(options) {
+		const socket = (options.webSocketFactory ?? ((url) => new WebSocket(url)))(options.url);
+		await new Promise((resolve, reject) => {
+			const onOpen = () => {
+				cleanup();
+				resolve();
+			};
+			const onError = () => {
+				cleanup();
+				reject(/* @__PURE__ */ new Error(`Failed to open CDP WebSocket at ${options.url}`));
+			};
+			const onClose = () => {
+				cleanup();
+				reject(/* @__PURE__ */ new Error(`CDP WebSocket closed before opening (${options.url})`));
+			};
+			const cleanup = () => {
+				socket.removeEventListener("open", onOpen);
+				socket.removeEventListener("error", onError);
+				socket.removeEventListener("close", onClose);
+			};
+			socket.addEventListener("open", onOpen);
+			socket.addEventListener("error", onError);
+			socket.addEventListener("close", onClose);
+		});
+		return new CdpClient(socket);
+	}
+	on(listener) {
+		this.listeners.add(listener);
+		return () => this.listeners.delete(listener);
+	}
+	async send(method, params, sessionId) {
+		if (this.closed) throw new CdpConnectionClosedError();
+		const id = this.nextId++;
+		const req = {
+			id,
+			method
 		};
-		server.once("error", onError);
-		server.listen(port, "127.0.0.1", () => {
-			server.removeListener("error", onError);
-			const addr = server.address();
-			if (!addr) reject(/* @__PURE__ */ new Error("Failed to bind callback server"));
-			else resolve(addr.port);
+		if (params) req.params = params;
+		if (sessionId) req.sessionId = sessionId;
+		const waiter = new Promise((resolve, reject) => {
+			this.pending.set(id, {
+				resolve,
+				reject,
+				method
+			});
 		});
+		this.socket.send(JSON.stringify(req));
+		return await waiter;
+	}
+	async close() {
+		if (this.closed) return;
+		this.closed = true;
+		for (const [, pending] of this.pending) pending.reject(new CdpConnectionClosedError());
+		this.pending.clear();
+		try {
+			this.socket.close();
+		} catch {}
+	}
+	handleMessage(ev) {
+		let parsed;
+		try {
+			const raw = typeof ev.data === "string" ? ev.data : new TextDecoder().decode(ev.data);
+			parsed = JSON.parse(raw);
+		} catch {
+			return;
+		}
+		if (isResponse(parsed)) {
+			const pending = this.pending.get(parsed.id);
+			if (!pending) return;
+			this.pending.delete(parsed.id);
+			if ("error" in parsed) pending.reject(new CdpProtocolError(pending.method, parsed.error.code, parsed.error.message));
+			else pending.resolve(parsed.result);
+			return;
+		}
+		for (const listener of this.listeners) try {
+			listener(parsed);
+		} catch {}
+	}
+	handleClose() {
+		if (this.closed) return;
+		this.closed = true;
+		for (const [, pending] of this.pending) pending.reject(new CdpConnectionClosedError());
+		this.pending.clear();
+	}
+};
+/**
+* Attach to the first "page" target exposed by the browser. Chrome always
+* opens at least one page target when launched with an initial URL, so this
+* is a reliable way to grab a session without guessing target IDs.
+*/
+async function attachToFirstPage(client) {
+	const { targetInfos } = await client.send("Target.getTargets");
+	const page = targetInfos.find((t) => t.type === "page");
+	if (!page) throw new Error("No page target found; Chrome launched without an initial tab.");
+	const { sessionId } = await client.send("Target.attachToTarget", {
+		targetId: page.targetId,
+		flatten: true
 	});
-	if (preferredPort && preferredPort !== 0) try {
-		return await tryListen(preferredPort);
-	} catch (err) {
-		if (err.code !== "EADDRINUSE") throw err;
-	}
-	return tryListen(0);
-}
-async function startCallbackServer(options = {}) {
-	const timeoutMs = options.timeoutMs ?? 300 * 1e3;
-	const expectedState = randomState();
-	const server = createServer();
-	const boundPort = await bindServer(server, options.preferredPort);
-	const redirectUri = `http://127.0.0.1:${boundPort}/callback`;
-	let settled = false;
-	let closed = false;
-	let resolveCb;
-	let rejectCb;
-	const waiter = new Promise((resolve, reject) => {
-		resolveCb = resolve;
-		rejectCb = reject;
+	return {
+		sessionId,
+		targetId: page.targetId
+	};
+}
+/**
+* Subscribe to main-frame navigations on the attached page session. Returns
+* an unsubscribe function.
+*
+* Chrome emits `Page.frameNavigated` for every frame — we filter to the main
+* frame (top-level document) since auxiliary iframes (analytics, chat
+* widgets) would otherwise trigger false matches.
+*/
+async function watchMainFrameNavigations(client, sessionId, onNavigate) {
+	await client.send("Page.enable", {}, sessionId);
+	return client.on((event) => {
+		if (event.sessionId !== sessionId) return;
+		if (event.method !== "Page.frameNavigated") return;
+		const frame = event.params.frame;
+		if (!frame?.url || !frame.id) return;
+		onNavigate({
+			url: frame.url,
+			frameId: frame.id,
+			isMainFrame: frame.parentId === void 0
+		});
 	});
-	waiter.catch(() => {});
-	const finish = (outcome) => {
-		if (settled) return;
-		settled = true;
-		if (outcome.kind === "ok") resolveCb(outcome.q);
-		else rejectCb(outcome.e);
+}
+/**
+* `Network.getAllCookies` is scoped to a target session — Chrome rejects it
+* on the browser-level endpoint with `method not found`. Requiring sessionId
+* here surfaces that constraint at compile time.
+*
+* The response shape is fixed in the CDP spec, but we still validate every
+* cookie's required string/number fields at runtime so a malformed entry
+* (from a future Chrome change, say) fails loud instead of propagating
+* `undefined` into the Cookie: header or the on-disk session file.
+*/
+async function getAllCookies(client, sessionId) {
+	const result = await client.send("Network.getAllCookies", {}, sessionId);
+	if (!Array.isArray(result.cookies)) throw new Error("Network.getAllCookies returned a non-array payload");
+	return result.cookies.map((raw, index) => validateCookie(raw, index));
+}
+function validateCookie(raw, index) {
+	if (!raw || typeof raw !== "object") throw new Error(`Cookie #${index} is not an object`);
+	const c = raw;
+	const str = (field) => {
+		const v = c[field];
+		if (typeof v !== "string") throw new Error(`Cookie #${index}.${field} is not a string`);
+		return v;
 	};
-	server.on("request", (req, res) => {
-		if (settled) {
-			res.statusCode = 410;
-			res.setHeader("content-type", "text/html; charset=utf-8");
-			res.end(GONE_HTML);
-			return;
+	const num = (field) => {
+		const v = c[field];
+		if (typeof v !== "number") throw new Error(`Cookie #${index}.${field} is not a number`);
+		return v;
+	};
+	const bool = (field) => {
+		const v = c[field];
+		if (typeof v !== "boolean") throw new Error(`Cookie #${index}.${field} is not a boolean`);
+		return v;
+	};
+	const base = {
+		name: str("name"),
+		value: str("value"),
+		domain: str("domain"),
+		path: str("path"),
+		expires: num("expires"),
+		httpOnly: bool("httpOnly"),
+		secure: bool("secure"),
+		session: bool("session")
+	};
+	const sameSite = c.sameSite;
+	if (sameSite === "Strict" || sameSite === "Lax" || sameSite === "None") return {
+		...base,
+		sameSite
+	};
+	return base;
+}
+//#endregion
+//#region src/chrome.ts
+var ChromeNotFoundError = class extends Error {
+	constructor(candidates) {
+		super(`Could not find Chrome or a Chromium-family browser. Tried: ${candidates.join(", ")}.\nInstall Chrome, or set AITCC_BROWSER to an executable path.`);
+		this.candidates = candidates;
+		this.name = "ChromeNotFoundError";
+	}
+};
+var ChromeLaunchError = class extends Error {
+	constructor(executable, cause) {
+		super(`Failed to launch ${executable}: ${cause.message}`);
+		this.executable = executable;
+		this.name = "ChromeLaunchError";
+		this.cause = cause;
+	}
+};
+var ChromeEndpointTimeoutError = class extends Error {
+	constructor(executable) {
+		super(`${executable} did not print a DevTools endpoint within the timeout. It may have been blocked by the OS or launched a GUI-less variant.`);
+		this.executable = executable;
+		this.name = "ChromeEndpointTimeoutError";
+	}
+};
+function chromeCandidates(env = process.env, platform = process.platform) {
+	const override = env.AITCC_BROWSER;
+	const out = [];
+	if (override && override.length > 0) out.push(override);
+	if (platform === "darwin") out.push("/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "/Applications/Google Chrome Beta.app/Contents/MacOS/Google Chrome Beta", "/Applications/Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary", "/Applications/Chromium.app/Contents/MacOS/Chromium", "/Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge", "/Applications/Arc.app/Contents/MacOS/Arc");
+	else if (platform === "win32") {
+		const pf = env.PROGRAMFILES ?? "C:\\Program Files";
+		const pf86 = env["PROGRAMFILES(X86)"] ?? "C:\\Program Files (x86)";
+		const local = env.LOCALAPPDATA ?? win32.join(homedir() || "C:\\", "AppData", "Local");
+		out.push(win32.join(pf, "Google", "Chrome", "Application", "chrome.exe"), win32.join(pf86, "Google", "Chrome", "Application", "chrome.exe"), win32.join(local, "Google", "Chrome", "Application", "chrome.exe"), win32.join(pf, "Microsoft", "Edge", "Application", "msedge.exe"), win32.join(pf86, "Microsoft", "Edge", "Application", "msedge.exe"));
+	} else out.push("google-chrome-stable", "google-chrome", "chromium-browser", "chromium", "microsoft-edge-stable", "microsoft-edge");
+	return { candidates: out };
+}
+function isAbsolutePath(p, platform) {
+	if (platform === "win32") return /^[A-Za-z]:\\/.test(p);
+	return p.startsWith("/");
+}
+async function resolveOnPath(name, env, platform) {
+	const path = env.PATH ?? env.Path ?? env.path ?? "";
+	if (path.length === 0) return null;
+	const sep = platform === "win32" ? ";" : ":";
+	const fs = await import("node:fs/promises");
+	const extensions = platform === "win32" ? ["", ...(env.PATHEXT ?? ".EXE;.CMD;.BAT").split(";").filter((e) => e.length > 0)] : [""];
+	for (const dir of path.split(sep)) {
+		if (dir.length === 0) continue;
+		for (const ext of extensions) {
+			const candidate = join(dir, name + ext);
+			try {
+				await fs.access(candidate, constants.X_OK);
+				return candidate;
+			} catch {}
 		}
-		const result = parseCallbackUrl(req.url, expectedState);
-		if (result.kind === "ok") {
-			res.statusCode = 200;
-			res.setHeader("content-type", "text/html; charset=utf-8");
-			res.end(SUCCESS_HTML, () => finish({
-				kind: "ok",
-				q: result.query
-			}));
-			return;
+	}
+	return null;
+}
+async function findChrome(env = process.env, platform = process.platform) {
+	const { candidates } = chromeCandidates(env, platform);
+	const fs = await import("node:fs/promises");
+	for (const candidate of candidates) {
+		if (isAbsolutePath(candidate, platform)) {
+			try {
+				await fs.access(candidate, constants.X_OK);
+				return candidate;
+			} catch {}
+			continue;
 		}
-		const status = ERROR_STATUS[result.kind];
-		const message = ERROR_MESSAGES[result.kind];
-		res.statusCode = status;
-		res.setHeader("content-type", "text/html; charset=utf-8");
-		const onFlushed = () => {
-			switch (result.kind) {
-				case "state-mismatch":
-					finish({
-						kind: "err",
-						e: new CallbackStateMismatchError()
-					});
-					return;
-				case "missing-code":
-					finish({
-						kind: "err",
-						e: new CallbackMissingCodeError()
-					});
-					return;
-				case "malformed":
-				case "not-found": return;
-				default: ((_) => {})(result);
+		const resolved = await resolveOnPath(candidate, env, platform);
+		if (resolved) return resolved;
+	}
+	throw new ChromeNotFoundError(candidates);
+}
+const DEVTOOLS_BANNER = /^DevTools listening on (ws:\/\/[^\s]+)\s*$/m;
+function consumeDevtoolsEndpoint(buffer) {
+	const match = DEVTOOLS_BANNER.exec(buffer);
+	return match ? match[1] ?? null : null;
+}
+async function launchChrome(options) {
+	const executable = options.executable ?? await findChrome();
+	const endpointTimeoutMs = options.endpointTimeoutMs ?? 15e3;
+	const userDataDir = await mkdtemp(join(tmpdir(), "aitcc-chrome-"));
+	const args = [
+		"--remote-debugging-port=0",
+		`--user-data-dir=${userDataDir}`,
+		"--no-first-run",
+		"--no-default-browser-check",
+		"--disable-features=Translate,OptimizationHints",
+		"--password-store=basic",
+		"--use-mock-keychain",
+		options.initialUrl
+	];
+	const spawnFn = options.spawnOverride ?? ((a) => spawn(executable, [...a]));
+	let child;
+	try {
+		child = spawnFn(args);
+	} catch (err) {
+		await rm(userDataDir, {
+			recursive: true,
+			force: true
+		}).catch(() => {});
+		throw new ChromeLaunchError(executable, err);
+	}
+	try {
+		child.unref();
+	} catch {}
+	const dispose = async () => {
+		try {
+			if (!child.killed) child.kill("SIGTERM");
+		} catch {}
+		await rm(userDataDir, {
+			recursive: true,
+			force: true
+		}).catch(() => {});
+	};
+	let stderrBuf = "";
+	const wsUrl = await new Promise((resolve, reject) => {
+		const timer = setTimeout(() => {
+			cleanup();
+			reject(new ChromeEndpointTimeoutError(executable));
+		}, endpointTimeoutMs);
+		if (typeof timer.unref === "function") timer.unref();
+		const onStderr = (chunk) => {
+			stderrBuf += chunk.toString("utf8");
+			const found = consumeDevtoolsEndpoint(stderrBuf);
+			if (found) {
+				cleanup();
+				resolve(found);
 			}
 		};
-		res.end(errorHtml(message), onFlushed);
+		const onExit = (code) => {
+			cleanup();
+			reject(new ChromeLaunchError(executable, /* @__PURE__ */ new Error(`process exited with code ${code ?? "null"} before printing endpoint`)));
+		};
+		const onError = (err) => {
+			cleanup();
+			reject(new ChromeLaunchError(executable, err));
+		};
+		const cleanup = () => {
+			clearTimeout(timer);
+			child.stderr?.off("data", onStderr);
+			child.off("exit", onExit);
+			child.off("error", onError);
+		};
+		child.stderr?.on("data", onStderr);
+		child.on("exit", onExit);
+		child.on("error", onError);
+	}).catch(async (err) => {
+		await dispose();
+		throw err;
 	});
-	const timer = setTimeout(() => {
-		finish({
-			kind: "err",
-			e: new CallbackTimeoutError(Math.ceil(timeoutMs / 1e3))
-		});
-	}, timeoutMs);
-	if (typeof timer.unref === "function") timer.unref();
-	const close = async () => {
-		if (closed) return;
-		closed = true;
-		clearTimeout(timer);
-		await new Promise((resolve) => {
-			let done = false;
-			const finishClose = () => {
-				if (done) return;
-				done = true;
-				resolve();
-			};
-			server.close(() => finishClose());
-			server.closeAllConnections?.();
-			const fallback = setTimeout(finishClose, 1e3);
-			if (typeof fallback.unref === "function") fallback.unref();
-		});
-	};
 	return {
-		port: boundPort,
-		redirectUri,
-		expectedState,
-		waitForCallback: () => waiter,
-		close
+		process: child,
+		webSocketDebuggerUrl: wsUrl,
+		userDataDir,
+		dispose
 	};
 }
 //#endregion
+//#region src/exit.ts
+const ExitCode = {
+	Ok: 0,
+	Generic: 1,
+	Usage: 2,
+	NotAuthenticated: 10,
+	NetworkError: 11,
+	LoginTimeout: 12,
+	LoginStateMismatch: 13,
+	LoginBrowserNotFound: 14,
+	LoginBrowserFailed: 15,
+	LoginCookieCaptureFailed: 16,
+	ApiError: 17,
+	UpgradeUnavailable: 20,
+	UpgradeAlreadyLatest: 21
+};
+//#endregion
+//#region src/flush.ts
+async function exitAfterFlush(code) {
+	await new Promise((resolve) => process.stdout.write("", () => resolve()));
+	process.exit(code);
+}
+//#endregion
 //#region src/paths.ts
-const APP_NAME = "ait-console";
+const APP_NAME = "aitcc";
 function configDir() {
 	if (process.platform === "win32") {
 		const appData = process.env.APPDATA;
@@ -301,29 +559,38 @@ function sessionFilePath() {
 }
 //#endregion
 //#region src/session.ts
-function summarize(session) {
-	return {
-		user: session.user,
-		capturedAt: session.capturedAt
-	};
-}
 async function readSession() {
+	const path = sessionFilePath();
+	let raw;
 	try {
-		const raw = await readFile(sessionFilePath(), "utf8");
-		const parsed = JSON.parse(raw);
-		if (parsed.schemaVersion !== 1) return null;
-		if (!parsed.user || typeof parsed.user.id !== "string") return null;
-		if (typeof parsed.user.email !== "string") return null;
-		if (parsed.user.displayName !== void 0 && typeof parsed.user.displayName !== "string") return null;
-		return parsed;
+		raw = await readFile(path, "utf8");
 	} catch (err) {
-		if (err.code === "ENOENT") return null;
+		const code = err.code;
+		if (code === "ENOENT") return null;
+		process.stderr.write(`warning: could not read session file at ${path}: ${code ?? "unknown"}\n`);
 		return null;
 	}
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch {
+		process.stderr.write(`warning: session file at ${path} is corrupt and will be ignored\n`);
+		return null;
+	}
+	const schemaReason = validateSessionShape(parsed);
+	if (schemaReason) {
+		process.stderr.write(`warning: session file at ${path} ignored (${schemaReason}); re-run \`aitcc login\`\n`);
+		return null;
+	}
+	return parsed;
 }
-async function readSessionSummary() {
-	const s = await readSession();
-	return s ? summarize(s) : null;
+function validateSessionShape(parsed) {
+	if (parsed.schemaVersion !== 1) return `unknown schemaVersion ${String(parsed.schemaVersion)}`;
+	if (!parsed.user || typeof parsed.user.id !== "string") return "missing user.id";
+	if (typeof parsed.user.email !== "string") return "missing user.email";
+	if (parsed.user.displayName !== void 0 && typeof parsed.user.displayName !== "string") return "user.displayName has wrong type";
+	if (!Array.isArray(parsed.cookies)) return "cookies is not an array";
+	return null;
 }
 async function writeSession(session) {
 	await mkdir(dirname(sessionFilePath()), {
@@ -349,46 +616,28 @@ function sessionPathForDiagnostics() {
 }
 //#endregion
 //#region src/commands/login.ts
-const MAX_FIELD_LENGTH = 128;
-const PENDING_USER_ID = "pending:oauth-discovery";
-function sanitizeField(raw) {
-	if (typeof raw !== "string") return void 0;
-	if (raw.length === 0) return void 0;
-	if (raw.length > MAX_FIELD_LENGTH) return void 0;
-	if (/[\x00-\x1f\x7f]/.test(raw)) return void 0;
-	return raw;
-}
-function buildAuthorizeUrl(params) {
-	const url = new URL(params.authorizeUrl);
-	url.searchParams.set("response_type", "code");
-	url.searchParams.set("redirect_uri", params.redirectUri);
-	url.searchParams.set("state", params.state);
-	if (params.clientId) url.searchParams.set("client_id", params.clientId);
-	if (params.scope) url.searchParams.set("scope", params.scope);
-	return url.toString();
-}
-function classifyCallbackError(err) {
-	if (err instanceof CallbackTimeoutError) return {
-		reason: "timeout",
-		exitCode: ExitCode.LoginTimeout
-	};
-	if (err instanceof CallbackStateMismatchError) return {
-		reason: "state-mismatch",
-		exitCode: ExitCode.LoginStateMismatch
-	};
-	if (err instanceof CallbackMissingCodeError) return {
-		reason: "missing-code",
-		exitCode: ExitCode.Generic
-	};
-	return {
-		reason: "other",
-		exitCode: ExitCode.Generic
-	};
+const DEFAULT_AUTHORIZE_URL = "https://business.toss.im/account/sign-in?client_id=4uktpjgqd0cp9txybqzuxc2y6w0cuupb&redirect_uri=https%3A%2F%2Fapps-in-toss.toss.im%2Fsign-up&state=%2Fworkspace";
+const LOGIN_LANDING_HOST = "apps-in-toss.toss.im";
+const LOGIN_LANDING_PATH_PREFIX = "/workspace";
+const ALLOWED_AUTHORIZE_HOST_SUFFIXES = [".toss.im"];
+function isAllowedAuthorizeHost(host) {
+	const lower = host.toLowerCase();
+	return ALLOWED_AUTHORIZE_HOST_SUFFIXES.some((suffix) => lower === suffix.slice(1) || lower.endsWith(suffix));
+}
+function isLoginLanding(url) {
+	try {
+		const u = new URL(url);
+		if (u.hostname !== LOGIN_LANDING_HOST) return false;
+		if (u.pathname !== LOGIN_LANDING_PATH_PREFIX && !u.pathname.startsWith(`${LOGIN_LANDING_PATH_PREFIX}/`)) return false;
+		return true;
+	} catch {
+		return false;
+	}
 }
 const loginCommand = defineCommand({
 	meta: {
 		name: "login",
-		description: "Log in via the browser; starts a localhost callback server."
+		description: "Open a browser to sign in, then capture the console session cookies."
 	},
 	args: {
 		json: {
@@ -396,22 +645,13 @@ const loginCommand = defineCommand({
 			description: "Emit machine-readable JSON to stdout.",
 			default: false
 		},
-		"no-browser": {
-			type: "boolean",
-			description: "Don't auto-open the browser; print the URL for manual copy.",
-			default: false
-		},
 		timeout: {
 			type: "string",
-			description: "Abort the login if no callback arrives within N seconds (default 300).",
+			description: "Abort if login does not complete within N seconds (default 300).",
 			default: "300"
 		}
 	},
 	async run({ args }) {
-		const rawOauthUrl = process.env.AIT_CONSOLE_OAUTH_URL;
-		const authorizeUrl = rawOauthUrl && rawOauthUrl.length > 0 ? rawOauthUrl : null;
-		const clientId = process.env.AIT_CONSOLE_OAUTH_CLIENT_ID;
-		const scope = process.env.AIT_CONSOLE_OAUTH_SCOPE;
 		const emitError = (payload, human) => {
 			if (args.json) process.stdout.write(`${JSON.stringify({
 				ok: false,
@@ -419,78 +659,130 @@ const loginCommand = defineCommand({
 			})}\n`);
 			process.stderr.write(`${human}\n`);
 		};
-		const timeoutNum = Number(args.timeout);
-		if (!Number.isFinite(timeoutNum) || timeoutNum < 1) {
+		const timeoutSec = Number(args.timeout);
+		if (!Number.isFinite(timeoutSec) || timeoutSec < 1) {
 			emitError({
 				reason: "invalid-timeout",
 				given: args.timeout
 			}, `Invalid --timeout value: ${args.timeout}`);
 			return exitAfterFlush(ExitCode.Usage);
 		}
-		const timeoutMs = timeoutNum * 1e3;
-		if (!authorizeUrl) {
-			emitError({
-				reason: "oauth-url-not-configured",
-				hint: "set AIT_CONSOLE_OAUTH_URL"
-			}, [
-				"The Toss developer console OAuth URL is not configured.",
-				"Discovery is pending — set AIT_CONSOLE_OAUTH_URL to override,",
-				"or track the TODO in CLAUDE.md § \"Open questions\"."
-			].join("\n"));
-			return exitAfterFlush(ExitCode.Usage);
-		}
-		const server = await startCallbackServer({ timeoutMs });
-		const authUrl = buildAuthorizeUrl({
-			authorizeUrl,
-			redirectUri: server.redirectUri,
-			state: server.expectedState,
-			clientId,
-			scope
-		});
-		process.stderr.write(`Listening for the OAuth callback on ${server.redirectUri}\n`);
-		let launched = false;
-		if (!args["no-browser"]) launched = (await openBrowser(authUrl)).launched;
-		if (launched) process.stderr.write("Opened your browser. Complete the login there.\n");
-		else process.stderr.write(`Open this URL in your browser to continue:\n  ${authUrl}\n`);
-		let query;
-		try {
+		const timeoutMs = timeoutSec * 1e3;
+		const rawAuthorizeUrl = process.env.AITCC_OAUTH_URL;
+		const authorizeUrl = rawAuthorizeUrl ?? DEFAULT_AUTHORIZE_URL;
+		if (rawAuthorizeUrl) {
+			let parsed = null;
 			try {
-				query = await server.waitForCallback();
-			} catch (err) {
-				const { reason, exitCode } = classifyCallbackError(err);
+				parsed = new URL(rawAuthorizeUrl);
+			} catch {}
+			if (!parsed || parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+				emitError({ reason: "invalid-authorize-url" }, `AITCC_OAUTH_URL is not a valid http(s) URL: ${rawAuthorizeUrl}`);
+				return exitAfterFlush(ExitCode.Usage);
+			}
+			if (!isAllowedAuthorizeHost(parsed.hostname)) {
 				emitError({
-					reason,
-					message: err.message
-				}, `Login failed: ${err.message}`);
-				return exitAfterFlush(exitCode);
+					reason: "authorize-host-not-allowed",
+					host: parsed.hostname
+				}, `Refusing to open ${parsed.hostname}: only *.toss.im hosts are allowed for sign-in.`);
+				return exitAfterFlush(ExitCode.Usage);
 			}
-		} finally {
-			await server.close();
-		}
-		const rawUserId = sanitizeField(query.raw.user_id);
-		const rawEmail = sanitizeField(query.raw.email);
-		const displayName = sanitizeField(query.raw.display_name);
-		if (!rawUserId && !rawEmail) {
-			emitError({ reason: "oauth-identity-missing" }, [
-				"The callback did not carry user_id or email.",
-				"This is expected until Toss console OAuth discovery lands.",
-				"No session was written."
-			].join("\n"));
-			return exitAfterFlush(ExitCode.Generic);
+			process.stderr.write(`Using custom authorize URL from AITCC_OAUTH_URL: ${authorizeUrl}\n`);
+		}
+		const launched = await launchChrome({
+			initialUrl: authorizeUrl,
+			endpointTimeoutMs: Math.min(6e4, Math.max(3e4, Math.floor(timeoutMs / 2)))
+		}).catch((err) => err);
+		if (launched instanceof ChromeNotFoundError) {
+			emitError({
+				reason: "chrome-not-found",
+				candidates: launched.candidates
+			}, launched.message);
+			return exitAfterFlush(ExitCode.LoginBrowserNotFound);
+		}
+		if (launched instanceof ChromeLaunchError || launched instanceof ChromeEndpointTimeoutError) {
+			emitError({
+				reason: "chrome-launch-failed",
+				message: launched.message
+			}, `Failed to launch browser: ${launched.message}`);
+			return exitAfterFlush(ExitCode.LoginBrowserFailed);
+		}
+		if (launched instanceof Error) {
+			emitError({
+				reason: "chrome-launch-failed",
+				errorName: launched.name,
+				message: launched.message
+			}, `Failed to launch browser (${launched.name}): ${launched.message}`);
+			return exitAfterFlush(ExitCode.LoginBrowserFailed);
+		}
+		process.stderr.write("Opened a browser window — complete the sign-in there. The CLI will capture the session automatically.\n");
+		let client = null;
+		const disposeAll = async () => {
+			if (client) {
+				await client.close().catch(() => {});
+				client = null;
+			}
+			await launched.dispose().catch(() => {});
+		};
+		const exitWith = async (code) => {
+			await disposeAll();
+			return exitAfterFlush(code);
+		};
+		try {
+			client = await CdpClient.connect({ url: launched.webSocketDebuggerUrl });
+		} catch (err) {
+			emitError({
+				reason: "cdp-connect-failed",
+				message: err.message
+			}, `Could not connect to the browser over CDP: ${err.message}`);
+			return exitWith(ExitCode.LoginBrowserFailed);
+		}
+		let attached;
+		try {
+			attached = await attachToFirstPage(client);
+		} catch (err) {
+			emitError({
+				reason: "cdp-attach-failed",
+				message: err.message
+			}, `Could not attach to the browser tab: ${err.message}`);
+			return exitWith(ExitCode.LoginBrowserFailed);
+		}
+		const landing = await waitForLanding(client, attached.sessionId, timeoutMs);
+		if (landing === "timeout") {
+			emitError({
+				reason: "login-timeout",
+				timeoutSec
+			}, `Login timed out after ${timeoutSec}s.`);
+			return exitWith(ExitCode.LoginTimeout);
+		}
+		if (landing === "aborted") {
+			emitError({ reason: "login-aborted" }, "Login was aborted (browser closed before reaching the console).");
+			return exitWith(ExitCode.LoginBrowserFailed);
+		}
+		const cookies = await getAllCookies(client, attached.sessionId).catch((err) => err);
+		if (cookies instanceof Error) {
+			emitError({
+				reason: "cookie-capture-failed",
+				message: cookies.message
+			}, `Failed to capture cookies: ${cookies.message}`);
+			return exitWith(ExitCode.LoginCookieCaptureFailed);
+		}
+		const user = await resolveUserWithRetry(cookies, { onRetry: (ms) => process.stderr.write(`Cookies not yet accepted by the console API — retrying in ${ms}ms...\n`) }).catch((err) => err);
+		if (user instanceof Error) {
+			const authFailed = user instanceof TossApiError && user.isAuthError;
+			emitError({
+				reason: authFailed ? "login-auth-not-active" : "member-info-failed",
+				message: user.message
+			}, authFailed ? "Browser session did not produce valid console cookies. Try again and wait for the workspace page to load." : `Failed to read member info: ${user.message}`);
+			return exitWith(authFailed ? ExitCode.LoginCookieCaptureFailed : ExitCode.ApiError);
 		}
-		const userId = rawUserId ?? PENDING_USER_ID;
-		const email = rawEmail ?? "";
 		const session = {
 			schemaVersion: 1,
-			user: displayName ? {
-				id: userId,
-				email,
-				displayName
-			} : {
-				id: userId,
-				email
+			user: {
+				id: String(user.id),
+				email: user.email,
+				displayName: user.name
 			},
-			cookies: [],
+			cookies,
 			origins: [],
 			capturedAt: (/* @__PURE__ */ new Date()).toISOString()
 		};
@@ -501,21 +793,76 @@ const loginCommand = defineCommand({
 				reason: "session-write-failed",
 				message: err.message
 			}, `Failed to write session file: ${err.message}`);
-			return exitAfterFlush(ExitCode.Generic);
+			return exitWith(ExitCode.Generic);
 		}
 		if (args.json) process.stdout.write(`${JSON.stringify({
 			ok: true,
 			status: "logged-in",
 			user: session.user,
-			capturedAt: session.capturedAt
+			capturedAt: session.capturedAt,
+			cookieCount: cookies.length
 		})}\n`);
-		else {
-			const label = displayName ? `${displayName} <${email}>` : email || userId;
-			process.stdout.write(`Logged in as ${label}\n`);
-		}
-		return exitAfterFlush(ExitCode.Ok);
+		else process.stdout.write(`Logged in as ${user.name} <${user.email}>\n`);
+		return exitWith(ExitCode.Ok);
 	}
 });
+async function waitForLanding(client, sessionId, timeoutMs) {
+	return await new Promise((resolve) => {
+		let settled = false;
+		const stops = [];
+		const settle = (outcome) => {
+			if (settled) return;
+			settled = true;
+			clearTimeout(timer);
+			clearInterval(pollTimer);
+			for (const s of stops) try {
+				s();
+			} catch {}
+			resolve(outcome);
+		};
+		const timer = setTimeout(() => settle("timeout"), timeoutMs);
+		if (typeof timer.unref === "function") timer.unref();
+		stops.push(client.on((event) => {
+			if (event.method === "Target.targetDestroyed") settle("aborted");
+		}));
+		watchMainFrameNavigations(client, sessionId, (ev) => {
+			if (!ev.isMainFrame) return;
+			if (isLoginLanding(ev.url)) settle("ok");
+		}).then((off) => {
+			if (settled) off();
+			else stops.push(off);
+		}).catch((err) => {
+			if (settled) return;
+			process.stderr.write(`Could not watch for navigation: ${err.message}\n`);
+		});
+		const checkCurrent = async () => {
+			if (settled) return;
+			const url = (await client.send("Page.getFrameTree", {}, sessionId).catch(() => null))?.frameTree.frame?.url;
+			if (url && isLoginLanding(url)) settle("ok");
+		};
+		checkCurrent();
+		const pollTimer = setInterval(() => {
+			checkCurrent();
+		}, 1e3);
+		if (typeof pollTimer.unref === "function") pollTimer.unref();
+	});
+}
+async function resolveUserWithRetry(cookies, opts = {}) {
+	const callArgs = opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {};
+	try {
+		return await fetchConsoleMemberUserInfo(cookies, callArgs);
+	} catch (err) {
+		if (err instanceof TossApiError && err.isAuthError) {
+			opts.onRetry?.(750);
+			await new Promise((r) => {
+				const t = setTimeout(r, 750);
+				if (typeof t.unref === "function") t.unref();
+			});
+			return await fetchConsoleMemberUserInfo(cookies, callArgs);
+		}
+		throw err;
+	}
+}
 //#endregion
 //#region src/commands/logout.ts
 const logoutCommand = defineCommand({
@@ -561,7 +908,7 @@ const REPO_NAME = "console-cli";
 function defaultHeaders() {
 	const headers = {
 		Accept: "application/vnd.github+json",
-		"User-Agent": "ait-console",
+		"User-Agent": "aitcc",
 		"X-GitHub-Api-Version": "2022-11-28"
 	};
 	const token = process.env.GITHUB_TOKEN;
@@ -609,7 +956,7 @@ function detectPlatform() {
 	return {
 		os,
 		arch,
-		assetName: `ait-console-${os}-${arch}${os === "windows" ? ".exe" : ""}`
+		assetName: `aitcc-${os}-${arch}${os === "windows" ? ".exe" : ""}`
 	};
 }
 //#endregion
@@ -640,11 +987,11 @@ function compareSemver(a, b) {
 //#region src/version.ts
 function resolveVersion() {
 	try {
-		const injected = globalThis.AIT_CONSOLE_VERSION;
+		const injected = globalThis.AITCC_VERSION;
 		if (typeof injected === "string" && injected.length > 0) return injected;
 	} catch {}
 	try {
-		return "0.1.2";
+		return "0.1.4";
 	} catch {}
 	return "0.0.0-dev";
 }
@@ -652,7 +999,7 @@ const VERSION = resolveVersion();
 //#endregion
 //#region src/commands/upgrade.ts
 function isStandaloneBinary() {
-	return basename(process.execPath).toLowerCase().startsWith("ait-console");
+	return basename(process.execPath).toLowerCase().startsWith("aitcc");
 }
 const upgradeCommand = defineCommand({
 	meta: {
@@ -786,7 +1133,7 @@ const upgradeCommand = defineCommand({
 			to: latest,
 			installedAt: exePath,
 			installedIn: dirname(exePath)
-		}, `Upgraded ait-console: ${current} → ${latest}`);
+		}, `Upgraded aitcc: ${current} → ${latest}`);
 	}
 });
 //#endregion
@@ -794,43 +1141,115 @@ const upgradeCommand = defineCommand({
 const whoamiCommand = defineCommand({
 	meta: {
 		name: "whoami",
-		description: "Show the currently authenticated user from the local session."
+		description: "Show the currently authenticated user (live from the console API by default)."
+	},
+	args: {
+		json: {
+			type: "boolean",
+			description: "Emit machine-readable JSON to stdout.",
+			default: false
+		},
+		offline: {
+			type: "boolean",
+			description: "Skip the live API call and read only the cached session summary.",
+			default: false
+		}
 	},
-	args: { json: {
-		type: "boolean",
-		description: "Emit machine-readable JSON to stdout.",
-		default: false
-	} },
 	async run({ args }) {
-		const summary = await readSessionSummary();
-		if (!summary) {
-			if (args.json) process.stdout.write(`${JSON.stringify({ authenticated: false })}\n`);
+		const session = await readSession();
+		if (!session) {
+			if (args.json) process.stdout.write(`${JSON.stringify({
+				ok: true,
+				authenticated: false
+			})}\n`);
 			else {
-				process.stderr.write("Not logged in. Run `ait-console login` to start a session.\n");
+				process.stderr.write("Not logged in. Run `aitcc login` to start a session.\n");
 				process.stderr.write(`Session file checked: ${sessionPathForDiagnostics()}\n`);
 			}
-			process.exit(ExitCode.NotAuthenticated);
+			return exitAfterFlush(ExitCode.NotAuthenticated);
+		}
+		if (args.offline) {
+			if (args.json) {
+				process.stdout.write(`${JSON.stringify({
+					ok: true,
+					authenticated: true,
+					source: "cache",
+					user: session.user,
+					capturedAt: session.capturedAt
+				})}\n`);
+				return exitAfterFlush(ExitCode.Ok);
+			}
+			const label = session.user.displayName ? `${session.user.displayName} <${session.user.email}>` : session.user.email;
+			process.stdout.write(`Logged in as ${label} (cached)\n`);
+			process.stdout.write(`Session captured: ${session.capturedAt}\n`);
+			return exitAfterFlush(ExitCode.Ok);
 		}
-		if (args.json) {
-			process.stdout.write(`${JSON.stringify({
-				authenticated: true,
-				user: summary.user,
-				capturedAt: summary.capturedAt
+		try {
+			const info = await fetchConsoleMemberUserInfo(session.cookies);
+			if (args.json) {
+				process.stdout.write(`${JSON.stringify({
+					ok: true,
+					authenticated: true,
+					source: "live",
+					user: {
+						id: String(info.id),
+						bizUserNo: info.bizUserNo,
+						name: info.name,
+						email: info.email,
+						role: info.role
+					},
+					workspaces: info.workspaces.map((w) => ({
+						workspaceId: w.workspaceId,
+						workspaceName: w.workspaceName,
+						role: w.role
+					})),
+					capturedAt: session.capturedAt
+				})}\n`);
+				return exitAfterFlush(ExitCode.Ok);
+			}
+			process.stdout.write(`Logged in as ${info.name} <${info.email}> (${info.role})\n`);
+			if (info.workspaces.length > 0) {
+				process.stdout.write("Workspaces:\n");
+				for (const w of info.workspaces) process.stdout.write(`  - ${w.workspaceName} (id ${w.workspaceId}, ${w.role})\n`);
+			}
+			return exitAfterFlush(ExitCode.Ok);
+		} catch (err) {
+			if (err instanceof TossApiError && err.isAuthError) {
+				if (args.json) process.stdout.write(`${JSON.stringify({
+					ok: true,
+					authenticated: false,
+					reason: "session-expired",
+					errorCode: err.errorCode
+				})}\n`);
+				else process.stderr.write("Session is no longer valid. Run `aitcc login` again.\n");
+				return exitAfterFlush(ExitCode.NotAuthenticated);
+			}
+			if (err instanceof NetworkError) {
+				if (args.json) process.stdout.write(`${JSON.stringify({
+					ok: false,
+					reason: "network-error",
+					message: err.message
+				})}\n`);
+				else process.stderr.write(`Network error reaching the console API: ${err.message}. Use \`aitcc whoami --offline\` for the cached identity.\n`);
+				return exitAfterFlush(ExitCode.NetworkError);
+			}
+			if (args.json) process.stdout.write(`${JSON.stringify({
+				ok: false,
+				reason: "api-error",
+				message: err.message
 			})}\n`);
-			return;
+			else process.stderr.write(`Unexpected error: ${err.message}\n`);
+			return exitAfterFlush(ExitCode.ApiError);
 		}
-		const label = summary.user.displayName ? `${summary.user.displayName} <${summary.user.email}>` : summary.user.email;
-		process.stdout.write(`Logged in as ${label}\n`);
-		process.stdout.write(`Session captured: ${summary.capturedAt}\n`);
 	}
 });
 //#endregion
 //#region src/cli.ts
 runMain(defineCommand({
 	meta: {
-		name: "ait-console",
+		name: "aitcc",
 		version: VERSION,
-		description: "Community CLI for the Apps in Toss developer console (unofficial; not affiliated with Toss)."
+		description: "aitcc — Apps in Toss Community Console CLI. Unofficial, not affiliated with Toss."
 	},
 	subCommands: {
 		whoami: whoamiCommand,