@ait-co/console-cli 0.1.24 → 0.1.25

package/dist/cli.mjs

@@ -2593,7 +2593,7 @@ async function runAppInit(args) {
 		workspaceId = await pickWorkspace(session.cookies);
 		categoryIds = await pickCategories(session.cookies);
 	} catch (err) {
-		if (isPromptCancelled$1(err)) {
+		if (isPromptCancelled$2(err)) {
 			process.stderr.write("Aborted.\n");
 			return exitAfterFlush(ExitCode.Usage);
 		}
@@ -2636,7 +2636,7 @@ async function runAppInit(args) {
 			categoryIds
 		};
 	} catch (err) {
-		if (isPromptCancelled$1(err)) {
+		if (isPromptCancelled$2(err)) {
 			process.stderr.write("Aborted.\n");
 			return exitAfterFlush(ExitCode.Usage);
 		}
@@ -2695,7 +2695,7 @@ async function fileExists(path) {
 		return false;
 	}
 }
-function isPromptCancelled$1(err) {
+function isPromptCancelled$2(err) {
 	return err instanceof Error && err.name === "ExitPromptError";
 }
 async function pickWorkspace(cookies) {
@@ -5856,7 +5856,7 @@ async function runCommand(command, opts) {
 function isCommandNotFound(err) {
 	return err.code === "ENOENT";
 }
-function stripTrailingNewline(s) {
+function stripTrailingNewline$1(s) {
 	return s.replace(/\r?\n$/, "");
 }
 function redactStderr(stderr) {
@@ -5890,7 +5890,7 @@ const LINUX_BACKEND = {
 			throw new CredentialBackendCommandError("secret-tool lookup", result.exitCode, redactStderr(result.stderr));
 		}
 		if (result.stdout.length === 0) return null;
-		const password = stripTrailingNewline(result.stdout);
+		const password = stripTrailingNewline$1(result.stdout);
 		return password.length > 0 ? password : null;
 	},
 	async set(account, password) {
@@ -5954,7 +5954,7 @@ const MACOS_BACKEND = {
 		}
 		if (result.exitCode === 44) return null;
 		if (result.exitCode !== 0) return null;
-		const password = stripTrailingNewline(result.stdout);
+		const password = stripTrailingNewline$1(result.stdout);
 		return password.length > 0 ? password : null;
 	},
 	async set(account, password) {
@@ -6489,13 +6489,17 @@ const authImportCommand = defineCommand({
 });
 //#endregion
 //#region src/commands/auth.ts
+function emitDeprecation(replacement) {
+	process.stderr.write(`warning: this command is deprecated and will be removed in 1.0; ${replacement}\n`);
+}
 async function runAuthSet(args, deps = {}) {
+	emitDeprecation("use `aitcc login` (interactive prompt offers a save option).");
 	const env = deps.env ?? process.env;
 	let email = args.email?.trim();
-	let password$2 = args.password;
-	const argvPasswordUsed = password$2 !== void 0;
+	let password$1 = args.password;
+	const argvPasswordUsed = password$1 !== void 0;
 	if (!email && env.AITCC_EMAIL) email = env.AITCC_EMAIL;
-	if (password$2 === void 0 && env.AITCC_PASSWORD) password$2 = env.AITCC_PASSWORD;
+	if (password$1 === void 0 && env.AITCC_PASSWORD) password$1 = env.AITCC_PASSWORD;
 	if (argvPasswordUsed) process.stderr.write("Warning: --password on argv is visible in `ps`/Task Manager. Prefer the AITCC_PASSWORD environment variable for scripted use.\n");
 	const interactive = process.stdout.isTTY && process.stdin.isTTY && !args.json;
 	if (!email) {
@@ -6509,7 +6513,7 @@ async function runAuthSet(args, deps = {}) {
 				validate: (raw) => raw.trim().length > 0 ? true : "email is required"
 			})).trim();
 		} catch (err) {
-			if (isPromptCancelled(err)) {
+			if (isPromptCancelled$1(err)) {
 				process.stderr.write("Aborted.\n");
 				return exitAfterFlush(ExitCode.Usage);
 			}
@@ -6525,26 +6529,26 @@ async function runAuthSet(args, deps = {}) {
 		else process.stderr.write(`Invalid email: ${email}\n`);
 		return exitAfterFlush(ExitCode.Usage);
 	}
-	if (password$2 === void 0) {
+	if (password$1 === void 0) {
 		if (!interactive) {
 			emitInteractiveRequired(args.json, "password");
 			return exitAfterFlush(ExitCode.Usage);
 		}
 		try {
-			password$2 = await password({
+			password$1 = await password({
 				message: "Password:",
 				mask: true,
 				validate: (raw) => raw.length > 0 ? true : "password is required"
 			});
 		} catch (err) {
-			if (isPromptCancelled(err)) {
+			if (isPromptCancelled$1(err)) {
 				process.stderr.write("Aborted.\n");
 				return exitAfterFlush(ExitCode.Usage);
 			}
 			throw err;
 		}
 	}
-	if (password$2.length === 0) {
+	if (password$1.length === 0) {
 		if (args.json) emitJson({
 			ok: false,
 			reason: "invalid-password",
@@ -6555,7 +6559,7 @@ async function runAuthSet(args, deps = {}) {
 	}
 	let result;
 	try {
-		result = await saveCredentials(email, password$2, deps.backend ? { override: deps.backend } : {});
+		result = await saveCredentials(email, password$1, deps.backend ? { override: deps.backend } : {});
 	} catch (err) {
 		const message = err.message;
 		if (args.json) emitJson({
@@ -6576,6 +6580,7 @@ async function runAuthSet(args, deps = {}) {
 	return exitAfterFlush(ExitCode.Ok);
 }
 async function runAuthClear(args, deps = {}) {
+	emitDeprecation("use `aitcc logout --purge` to remove session and saved credentials together.");
 	const interactive = process.stdout.isTTY && process.stdin.isTTY && !args.json;
 	const active = await getActiveCredentialEmail(deps.env ? { env: deps.env } : {}).catch(() => null);
 	if (!args.yes) {
@@ -6596,7 +6601,7 @@ async function runAuthClear(args, deps = {}) {
 				default: false
 			});
 		} catch (err) {
-			if (isPromptCancelled(err)) {
+			if (isPromptCancelled$1(err)) {
 				process.stderr.write("Aborted.\n");
 				return exitAfterFlush(ExitCode.Usage);
 			}
@@ -6634,6 +6639,7 @@ async function runAuthClear(args, deps = {}) {
 	return exitAfterFlush(ExitCode.Ok);
 }
 async function runAuthStatus(args, deps = {}) {
+	emitDeprecation("use `aitcc whoami` (now reports credential source).");
 	const active = await getActiveCredentialEmail(deps.env ? { env: deps.env } : {}).catch(() => null);
 	const session = await readSession();
 	if (args.json) {
@@ -6672,7 +6678,7 @@ function emitInteractiveRequired(json, missing) {
 	});
 	else process.stderr.write(`Cannot prompt for ${missing} in non-interactive mode. Use --${missing} or set AITCC_${missing.toUpperCase()}.\n`);
 }
-function isPromptCancelled(err) {
+function isPromptCancelled$1(err) {
 	return err instanceof Error && err.name === "ExitPromptError";
 }
 const authCommand = defineCommand({
@@ -6684,7 +6690,7 @@ const authCommand = defineCommand({
 		set: defineCommand({
 			meta: {
 				name: "set",
-				description: "Save email + password to the OS keychain for future headless logins."
+				description: "[deprecated] Use `aitcc login` instead — the prompt now offers a save option."
 			},
 			args: {
 				json: {
@@ -6712,7 +6718,7 @@ const authCommand = defineCommand({
 		clear: defineCommand({
 			meta: {
 				name: "clear",
-				description: "Delete the saved credentials and the auth-state pointer."
+				description: "[deprecated] Use `aitcc logout --purge` instead."
 			},
 			args: {
 				json: {
@@ -6737,7 +6743,7 @@ const authCommand = defineCommand({
 		status: defineCommand({
 			meta: {
 				name: "status",
-				description: "Report whether credentials and a session are configured."
+				description: "[deprecated] Use `aitcc whoami` (now reports credential source)."
 			},
 			args: { json: {
 				type: "boolean",
@@ -7897,10 +7903,38 @@ function chooseLoginMode(input) {
 	if (input.interactiveFlag) return "interactive";
 	return input.hasCredentials ? "headless" : "interactive";
 }
+const defaultPromptDeps = {
+	email: (defaultValue) => input({
+		message: "Email:",
+		...defaultValue !== void 0 ? { default: defaultValue } : {},
+		validate: (raw) => {
+			const trimmed = raw.trim();
+			if (trimmed.length === 0) return "email is required";
+			if (!trimmed.includes("@")) return "must contain \"@\"";
+			return true;
+		}
+	}).then((s) => s.trim()),
+	password: () => password({
+		message: "Password:",
+		mask: true,
+		validate: (raw) => raw.length > 0 ? true : "password is required"
+	}),
+	saveTarget: () => select({
+		message: "Where would you like to save the credentials?",
+		default: "keychain",
+		choices: [{
+			name: "OS keychain (recommended) — next login runs headlessly",
+			value: "keychain"
+		}, {
+			name: "Do not save — one-shot. (Tip: AITCC_EMAIL/AITCC_PASSWORD env for CI.)",
+			value: "none"
+		}]
+	})
+};
 const loginCommand = defineCommand({
 	meta: {
 		name: "login",
-		description: "Open a browser to sign in, then capture the console session cookies."
+		description: "Sign in to the Apps in Toss console and capture the session cookies."
 	},
 	args: {
 		json: {
@@ -7918,9 +7952,26 @@ const loginCommand = defineCommand({
 			description: "Force the visible-browser flow even if credentials are configured.",
 			default: false
 		},
+		email: {
+			type: "string",
+			description: "Email (skip prompt; required for non-interactive use)."
+		},
+		password: {
+			type: "string",
+			description: "Password (skip prompt; visible in `ps`/Task Manager — prefer --password-stdin or AITCC_PASSWORD env)."
+		},
+		"password-stdin": {
+			type: "boolean",
+			description: "Read the password from stdin (recommended for non-interactive use).",
+			default: false
+		},
+		save: {
+			type: "string",
+			description: "Where to persist credentials when --email/--password* are passed: \"keychain\" or \"none\" (default)."
+		},
 		"skip-onboarding": {
 			type: "boolean",
-			description: "Skip the post-login prompt to save credentials to the OS keychain.",
+			description: "Deprecated no-op; kept so existing scripts do not break.",
 			default: false
 		}
 	},
@@ -7929,7 +7980,10 @@ const loginCommand = defineCommand({
 			json: args.json,
 			timeout: args.timeout,
 			interactive: args.interactive,
-			skipOnboarding: args["skip-onboarding"]
+			email: typeof args.email === "string" ? args.email : void 0,
+			password: typeof args.password === "string" ? args.password : void 0,
+			passwordStdin: args["password-stdin"],
+			save: typeof args.save === "string" ? args.save : void 0
 		}, {
 			getCredentials: loadCredentials,
 			saveCredentials
@@ -7973,17 +8027,41 @@ async function runLoginCommand(args, deps) {
 		}
 		process.stderr.write(`Using custom authorize URL from AITCC_OAUTH_URL: ${authorizeUrl}\n`);
 	}
-	let credentials = null;
-	if (!args.interactive) {
-		const getCredentials = deps.getCredentials;
-		if (getCredentials) credentials = await getCredentials().catch((err) => {
-			process.stderr.write(`Credential lookup failed (${err.message}); using interactive login.\n`);
-			return null;
-		});
+	const resolved = await resolveCredentialsForLogin(args, deps);
+	if (resolved.kind === "error") {
+		emitError({
+			reason: resolved.reason,
+			message: resolved.message
+		}, resolved.message);
+		return exitAfterFlush(resolved.exitCode);
+	}
+	let saved = "skipped";
+	if (resolved.saveTarget === "keychain" && resolved.credentials !== null) {
+		const save = deps.saveCredentials;
+		if (!save) {
+			emitError({
+				reason: "save-unavailable",
+				message: "no save backend configured"
+			}, "Cannot save credentials: no backend configured.");
+			return exitAfterFlush(ExitCode.Generic);
+		}
+		try {
+			const result = await save(resolved.credentials.email, resolved.credentials.password);
+			saved = result.status;
+			if (!args.json) if (result.status === "unchanged") process.stderr.write("Credentials already saved (no change).\n");
+			else process.stderr.write(`Credentials saved to OS keychain (${resolved.credentials.email}).\n`);
+		} catch (err) {
+			const message = err.message;
+			emitError({
+				reason: "keychain-save-failed",
+				message
+			}, `Failed to save credentials to the OS keychain: ${message}\nOn Linux, install libsecret (\`secret-tool\`) and retry. Re-run with \`--save none\` to skip persistence.`);
+			return exitAfterFlush(ExitCode.Usage);
+		}
 	}
 	const initialMode = chooseLoginMode({
 		interactiveFlag: args.interactive,
-		hasCredentials: credentials !== null
+		hasCredentials: resolved.credentials !== null
 	});
 	const endpointTimeoutMs = Math.min(6e4, Math.max(3e4, Math.floor(timeoutMs / 2)));
 	const firstAttemptStart = Date.now();
@@ -7993,9 +8071,9 @@ async function runLoginCommand(args, deps) {
 		endpointTimeoutMs,
 		authorizeUrl,
 		mode: initialMode,
-		credentials,
-		emitError,
-		deps
+		credentials: resolved.credentials,
+		saved,
+		emitError
 	});
 	if (result.status === "fallback-to-interactive") {
 		process.stderr.write(`${result.message}\n`);
@@ -8006,8 +8084,8 @@ async function runLoginCommand(args, deps) {
 			authorizeUrl,
 			mode: "interactive",
 			credentials: null,
-			emitError,
-			deps
+			saved,
+			emitError
 		});
 		if (second.status === "exit") return exitAfterFlush(second.code);
 		second.status;
@@ -8015,8 +8093,167 @@ async function runLoginCommand(args, deps) {
 	}
 	return exitAfterFlush(result.code);
 }
+/**
+* Resolve credentials and the requested save target for `aitcc login`.
+* Pure-ish: only side-effect is reading stdin via `deps.readStdin` (when
+* `--password-stdin` is set) and prompting via `deps.prompts` (when TTY).
+*/
+async function resolveCredentialsForLogin(args, deps, opts = {}) {
+	const env = opts.env ?? process.env;
+	const stdoutIsTTY = opts.stdoutIsTTY ?? Boolean(process.stdout.isTTY);
+	const stdinIsTTY = opts.stdinIsTTY ?? Boolean(process.stdin.isTTY);
+	const interactiveTty = stdoutIsTTY && stdinIsTTY && !args.json;
+	if (args.password !== void 0 && args.passwordStdin) return {
+		kind: "error",
+		reason: "conflicting-password-source",
+		message: "--password and --password-stdin cannot be used together.",
+		exitCode: ExitCode.Usage
+	};
+	if (args.interactive && (args.email !== void 0 || args.password !== void 0 || args.passwordStdin || args.save !== void 0)) return {
+		kind: "error",
+		reason: "conflicting-interactive-flags",
+		message: "--interactive cannot be combined with --email/--password/--password-stdin/--save. Drop --interactive to use credentials, or drop the credential flags to type in the browser.",
+		exitCode: ExitCode.Usage
+	};
+	let saveTarget;
+	if (args.save !== void 0) {
+		if (args.save !== "keychain" && args.save !== "none") return {
+			kind: "error",
+			reason: "invalid-save",
+			message: `--save must be "keychain" or "none" (got "${args.save}").`,
+			exitCode: ExitCode.Usage
+		};
+		saveTarget = args.save;
+	}
+	if (args.email !== void 0 || args.password !== void 0 || args.passwordStdin) {
+		if (args.email === void 0 || args.email.trim().length === 0) return {
+			kind: "error",
+			reason: "missing-email",
+			message: "--email is required when --password / --password-stdin is passed.",
+			exitCode: ExitCode.Usage
+		};
+		if (!args.email.includes("@")) return {
+			kind: "error",
+			reason: "invalid-email",
+			message: `Invalid email: ${args.email}`,
+			exitCode: ExitCode.Usage
+		};
+		let password;
+		if (args.passwordStdin) {
+			password = stripTrailingNewline(await (deps.readStdin ?? readStdinAll)());
+			if (password.length === 0) return {
+				kind: "error",
+				reason: "invalid-password",
+				message: "--password-stdin received an empty password on stdin.",
+				exitCode: ExitCode.Usage
+			};
+		} else if (args.password !== void 0) {
+			process.stderr.write("Warning: --password on argv is visible in `ps`/Task Manager. Prefer --password-stdin or the AITCC_PASSWORD environment variable.\n");
+			password = args.password;
+			if (password.length === 0) return {
+				kind: "error",
+				reason: "invalid-password",
+				message: "--password value is empty.",
+				exitCode: ExitCode.Usage
+			};
+		} else return {
+			kind: "error",
+			reason: "missing-password",
+			message: "--email passed without a password. Add --password-stdin (recommended) or --password.",
+			exitCode: ExitCode.Usage
+		};
+		return {
+			kind: "ok",
+			credentials: {
+				source: "argv",
+				email: args.email.trim(),
+				password
+			},
+			saveTarget: saveTarget ?? "none"
+		};
+	}
+	if (args.interactive) return {
+		kind: "ok",
+		credentials: null,
+		saveTarget: saveTarget ?? "none"
+	};
+	if (env.AITCC_EMAIL && env.AITCC_PASSWORD) return {
+		kind: "ok",
+		credentials: {
+			source: "env",
+			email: env.AITCC_EMAIL,
+			password: env.AITCC_PASSWORD
+		},
+		saveTarget: saveTarget ?? "none"
+	};
+	const getCredentials = deps.getCredentials;
+	if (getCredentials) {
+		const fromStore = await getCredentials().catch((err) => {
+			process.stderr.write(`Credential lookup failed (${err.message}); ignoring.\n`);
+			return null;
+		});
+		if (fromStore) {
+			if (!args.json) process.stderr.write(`Using credentials from OS keychain for ${fromStore.email}. Pass --interactive to type a different account.
+`);
+			return {
+				kind: "ok",
+				credentials: {
+					source: fromStore.kind,
+					email: fromStore.email,
+					password: fromStore.password
+				},
+				saveTarget: saveTarget ?? "none"
+			};
+		}
+	}
+	if (interactiveTty) {
+		const prompts = deps.prompts ?? defaultPromptDeps;
+		let email;
+		let password;
+		try {
+			email = await prompts.email();
+			password = await prompts.password();
+		} catch (err) {
+			if (isPromptCancelled(err)) return {
+				kind: "error",
+				reason: "aborted",
+				message: "Aborted.",
+				exitCode: ExitCode.Usage
+			};
+			throw err;
+		}
+		let promptedSave;
+		if (saveTarget !== void 0) promptedSave = saveTarget;
+		else try {
+			promptedSave = await prompts.saveTarget();
+		} catch (err) {
+			if (isPromptCancelled(err)) return {
+				kind: "error",
+				reason: "aborted",
+				message: "Aborted.",
+				exitCode: ExitCode.Usage
+			};
+			throw err;
+		}
+		return {
+			kind: "ok",
+			credentials: {
+				source: "prompt",
+				email,
+				password
+			},
+			saveTarget: promptedSave
+		};
+	}
+	return {
+		kind: "error",
+		reason: "interactive-required",
+		message: "No credentials configured and stdin is not a TTY. Pass --email + --password-stdin (or set AITCC_EMAIL + AITCC_PASSWORD).",
+		exitCode: ExitCode.Usage
+	};
+}
 async function attemptLogin(opts) {
-	const { args, timeoutMs, endpointTimeoutMs, authorizeUrl, mode, credentials, emitError, deps } = opts;
+	const { args, timeoutMs, endpointTimeoutMs, authorizeUrl, mode, credentials, saved, emitError } = opts;
 	const launched = await launchChrome({
 		initialUrl: authorizeUrl,
 		endpointTimeoutMs,
@@ -8055,8 +8292,8 @@ async function attemptLogin(opts) {
 	}
 	if (mode === "interactive") process.stderr.write("Opened a browser window — complete the sign-in there. The CLI will capture the session automatically.\n");
 	else {
-		const source = credentials?.kind === "env" ? "env" : "keychain";
-		process.stderr.write(`Signing in headlessly with credentials from ${source}…\n`);
+		const sourceLabel = credentials?.source ?? "configured store";
+		process.stderr.write(`Signing in headlessly with credentials from ${sourceLabel}…\n`);
 	}
 	let client = null;
 	const disposeAll = async () => {
@@ -8223,57 +8460,29 @@ async function attemptLogin(opts) {
 		capturedAt: session.capturedAt,
 		cookieCount: cookies.length,
 		mode,
+		credentialSource: credentials?.source ?? "browser",
+		saved,
 		stepUp
 	})}\n`);
 	else process.stdout.write(`Logged in as ${user.name} <${user.email}>\n`);
 	await disposeAll();
-	if (mode === "interactive" && credentials === null && !args.json && !args.skipOnboarding && process.stdout.isTTY && process.stdin.isTTY && deps.saveCredentials) await runOnboardingPrompt(user.email, deps.saveCredentials);
 	return {
 		status: "exit",
 		code: ExitCode.Ok
 	};
 }
-/**
-* Post-login prompt that offers to persist the user's email + password
-* to the OS keychain so subsequent `aitcc login` runs can take the
-* headless form-fill path. Failures are non-fatal: we already wrote a
-* valid session, so a keychain hiccup just means the next login will
-* fall back to interactive — exactly the same UX as before.
-*/
-async function runOnboardingPrompt(email, save) {
-	process.stdout.write("\n");
-	process.stdout.write("Would you like to save your password to the OS keychain so the next `aitcc login` runs headlessly?\n");
-	let agreed;
-	try {
-		agreed = await confirm({
-			message: "Save credentials?",
-			default: true
-		});
-	} catch (err) {
-		if (err instanceof Error && err.name === "ExitPromptError") return;
-		process.stderr.write(`Onboarding prompt failed: ${err.message}\n`);
-		return;
-	}
-	if (!agreed) return;
-	let password$1;
-	try {
-		password$1 = await password({
-			message: "Password:",
-			mask: true,
-			validate: (raw) => raw.length > 0 ? true : "password is required"
-		});
-	} catch (err) {
-		if (err instanceof Error && err.name === "ExitPromptError") return;
-		process.stderr.write(`Could not read password: ${err.message}\n`);
-		return;
-	}
-	try {
-		await save(email, password$1);
-		process.stdout.write("Saved. Next `aitcc login` will run headlessly.\n");
-	} catch (err) {
-		process.stderr.write(`Could not save credentials: ${err.message}. You can retry later with \`aitcc auth set\`.
-`);
-	}
+async function readStdinAll() {
+	if (process.stdin.isTTY) throw new Error("--password-stdin requires stdin to be a pipe, not a TTY.");
+	process.stdin.setEncoding("utf8");
+	let buf = "";
+	for await (const chunk of process.stdin) buf += chunk;
+	return buf;
+}
+function stripTrailingNewline(s) {
+	return s.replace(/\r?\n$/, "");
+}
+function isPromptCancelled(err) {
+	return err instanceof Error && err.name === "ExitPromptError";
 }
 async function waitForLanding(client, sessionId, timeoutMs) {
 	return await new Promise((resolve) => {
@@ -8337,18 +8546,25 @@ async function resolveUserWithRetry(cookies, opts = {}) {
 const logoutCommand = defineCommand({
 	meta: {
 		name: "logout",
-		description: "Delete the local session file."
+		description: "Delete the local session file (and optionally the saved credentials)."
+	},
+	args: {
+		json: {
+			type: "boolean",
+			description: "Emit machine-readable JSON to stdout.",
+			default: false
+		},
+		purge: {
+			type: "boolean",
+			description: "Also delete saved keychain credentials and the auth-state pointer.",
+			default: false
+		}
 	},
-	args: { json: {
-		type: "boolean",
-		description: "Emit machine-readable JSON to stdout.",
-		default: false
-	} },
 	async run({ args }) {
 		const path = sessionPathForDiagnostics();
-		let existed;
+		let sessionRemoved;
 		try {
-			existed = (await clearSession()).existed;
+			sessionRemoved = (await clearSession()).existed;
 		} catch (err) {
 			const message = err.message;
 			if (args.json) process.stdout.write(`${JSON.stringify({
@@ -8360,13 +8576,29 @@ const logoutCommand = defineCommand({
 			process.stderr.write(`Failed to remove session file at ${path}: ${message}\n`);
 			return exitAfterFlush(ExitCode.Generic);
 		}
-		if (args.json) process.stdout.write(`${JSON.stringify({
-			ok: true,
-			status: existed ? "logged-out" : "no-session",
-			path
-		})}\n`);
-		else if (existed) process.stdout.write(`Logged out. Session removed from ${path}\n`);
-		else process.stdout.write(`No active session at ${path}.\n`);
+		let credentialsPurged = false;
+		let purgeError = null;
+		if (args.purge) try {
+			credentialsPurged = (await deleteCredentials()).existed;
+		} catch (err) {
+			purgeError = err.message;
+		}
+		if (args.json) {
+			const payload = {
+				ok: true,
+				sessionRemoved,
+				credentialsPurged,
+				path
+			};
+			if (purgeError !== null) payload.purgeError = purgeError;
+			process.stdout.write(`${JSON.stringify(payload)}\n`);
+		} else {
+			if (sessionRemoved) process.stdout.write(`Logged out. Session removed from ${path}\n`);
+			else process.stdout.write(`No active session at ${path}.\n`);
+			if (args.purge) if (purgeError !== null) process.stderr.write(`Could not delete saved credentials: ${purgeError}\n`);
+			else if (credentialsPurged) process.stdout.write("Saved credentials deleted from the OS keychain.\n");
+			else process.stdout.write("No saved credentials to delete.\n");
+		}
 		return exitAfterFlush(ExitCode.Ok);
 	}
 });
@@ -8901,7 +9133,7 @@ function resolveVersion() {
 		if (typeof injected === "string" && injected.length > 0) return injected;
 	} catch {}
 	try {
-		return "0.1.24";
+		return "0.1.25";
 	} catch {}
 	return "0.0.0-dev";
 }
@@ -9273,6 +9505,22 @@ function maybeEmitNotice(entry, env) {
 }
 //#endregion
 //#region src/commands/whoami.ts
+async function describeCredentialSource() {
+	const active = await getActiveCredentialEmail().catch(() => null);
+	if (!active) return {
+		source: "none",
+		email: null
+	};
+	return {
+		source: active.kind,
+		email: active.email
+	};
+}
+function formatCredentials(cred) {
+	if (cred.source === "none") return "none (run `aitcc login` to save)";
+	if (cred.source === "env") return `env (AITCC_EMAIL${cred.email ? ` = ${cred.email}` : ""})`;
+	return `keychain${cred.email ? ` (${cred.email})` : ""}`;
+}
 async function runBackgroundUpdateCheck(json) {
 	if (json) return;
 	const timeoutMs = 500;
@@ -9300,14 +9548,18 @@ const whoamiCommand = defineCommand({
 	},
 	async run({ args }) {
 		const session = await readSession();
+		const cred = await describeCredentialSource();
 		if (!session) {
 			if (args.json) process.stdout.write(`${JSON.stringify({
 				ok: true,
-				authenticated: false
+				authenticated: false,
+				credentialSource: cred.source,
+				...cred.email ? { credentialEmail: cred.email } : {}
 			})}\n`);
 			else {
 				process.stderr.write("Not logged in. Run `aitcc login` to start a session.\n");
 				process.stderr.write(`Session file checked: ${sessionPathForDiagnostics()}\n`);
+				process.stderr.write(`Credentials: ${formatCredentials(cred)}\n`);
 			}
 			return exitAfterFlush(ExitCode.NotAuthenticated);
 		}
@@ -9318,12 +9570,15 @@ const whoamiCommand = defineCommand({
 					authenticated: true,
 					source: "cache",
 					user: session.user,
-					capturedAt: session.capturedAt
+					capturedAt: session.capturedAt,
+					credentialSource: cred.source,
+					...cred.email ? { credentialEmail: cred.email } : {}
 				})}\n`);
 				return exitAfterFlush(ExitCode.Ok);
 			}
 			const label = session.user.displayName ? `${session.user.displayName} <${session.user.email}>` : session.user.email;
 			process.stdout.write(`Logged in as ${label} (cached)\n`);
+			process.stdout.write(`Credentials: ${formatCredentials(cred)}\n`);
 			process.stdout.write(`Session captured: ${session.capturedAt}\n`);
 			await runBackgroundUpdateCheck(args.json);
 			return exitAfterFlush(ExitCode.Ok);
@@ -9347,11 +9602,14 @@ const whoamiCommand = defineCommand({
 						workspaceName: w.workspaceName,
 						role: w.role
 					})),
-					capturedAt: session.capturedAt
+					capturedAt: session.capturedAt,
+					credentialSource: cred.source,
+					...cred.email ? { credentialEmail: cred.email } : {}
 				})}\n`);
 				return exitAfterFlush(ExitCode.Ok);
 			}
 			process.stdout.write(`Logged in as ${info.name} <${info.email}> (${info.role})\n`);
+			process.stdout.write(`Credentials: ${formatCredentials(cred)}\n`);
 			if (info.workspaces.length > 0) {
 				process.stdout.write("Workspaces:\n");
 				for (const w of info.workspaces) process.stdout.write(`  - ${w.workspaceName} (id ${w.workspaceId}, ${w.role})\n`);
@@ -9364,9 +9622,14 @@ const whoamiCommand = defineCommand({
 					ok: true,
 					authenticated: false,
 					reason: "session-expired",
-					errorCode: err.errorCode
+					errorCode: err.errorCode,
+					credentialSource: cred.source,
+					...cred.email ? { credentialEmail: cred.email } : {}
 				})}\n`);
-				else process.stderr.write("Session is no longer valid. Run `aitcc login` again.\n");
+				else {
+					process.stderr.write("Session is no longer valid. Run `aitcc login` again.\n");
+					process.stderr.write(`Credentials: ${formatCredentials(cred)}\n`);
+				}
 				return exitAfterFlush(ExitCode.NotAuthenticated);
 			}
 			if (err instanceof NetworkError) {