npm - @appfleet-cli/cli - Versions diffs - 0.1.2 → 0.1.3 - Mend

@appfleet-cli/cli 0.1.2 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/appfleet.js +368 -21
package/dist/cloud-session.js +18 -5
package/dist/command-registry.js +121 -11
package/dist/local-vault.js +2 -1
package/dist/project-memory.js +2 -1
package/package.json +1 -1

package/dist/appfleet.js CHANGED Viewed

@@ -3370,10 +3370,58 @@ var program = new Command();
 // src/appfleet.ts
 import { realpathSync } from "node:fs";
+import { readFile as readFile5 } from "node:fs/promises";
+import { dirname as dirname5, join as join4 } from "node:path";
 import { fileURLToPath } from "node:url";
 // src/command-registry.ts
 var cliCommandDocs = [
+  {
+    namespace: "appfleet",
+    name: "login",
+    summary: "Sign in to AppFleet Cloud.",
+    usage: "appfleet login [--workspace <workspace-id>] [--email <email>] [--api-base-url <url>] [--local-test] [--json]",
+    arguments: [],
+    options: [
+      { flags: "--workspace <workspace-id>", description: "Workspace id to sign in to; defaults to workspace_local." },
+      { flags: "--email <email>", description: "Optional non-secret user label for local-test identity metadata." },
+      { flags: "--api-base-url <url>", description: "AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
+      { flags: "--local-test", description: "Create local-test session metadata instead of signing in to AppFleet Cloud." },
+      { flags: "--json", description: "Emit machine-readable JSON." }
+    ],
+    examples: [
+      "appfleet login",
+      "appfleet login --workspace workspace_prod",
+      "appfleet login --json"
+    ],
+    reads: [".appfleet/cloud-session.json if it already exists"],
+    writes: [".appfleet/cloud-session.json hosted redacted session metadata with status and expiry", ".appfleet/cloud-auth-token mode-0600 local credential file"],
+    secretSafety: [
+      "Opens the hosted browser auth flow and stores session metadata only.",
+      "The short-lived hosted session token is isolated in a mode-0600 local credential file and is never printed or included in project memory.",
+      "Does not store OAuth refresh material, session cookies, provider credentials, encrypted credential blobs, key wrappers, command output, secret fragments, or secret values."
+    ]
+  },
+  {
+    namespace: "appfleet",
+    name: "logout",
+    summary: "Sign out of AppFleet Cloud.",
+    usage: "appfleet logout [--api-base-url <url>] [--local-test] [--json]",
+    arguments: [],
+    options: [
+      { flags: "--api-base-url <url>", description: "AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
+      { flags: "--local-test", description: "Remove local-test session metadata instead of revoking a hosted AppFleet Cloud session." },
+      { flags: "--json", description: "Emit machine-readable JSON." }
+    ],
+    examples: ["appfleet logout", "appfleet logout --json"],
+    reads: [".appfleet/cloud-session.json"],
+    writes: [".appfleet/cloud-session.json and .appfleet/cloud-auth-token are removed when present"],
+    secretSafety: [
+      "Revokes hosted session metadata through AppFleet Cloud when available.",
+      "Removes local hosted session metadata and the local credential file without printing credential material.",
+      "Does not read or print OAuth refresh material, session cookies, provider credentials, encrypted credential blobs, key wrappers, command output, or secret fragments."
+    ]
+  },
   {
     namespace: "appfleet",
     name: "link",
@@ -3389,6 +3437,68 @@ var cliCommandDocs = [
       "Never uploads environment values, credential values, command output, key wrappers, or provider payloads."
     ]
   },
+  {
+    namespace: "appfleet",
+    name: "doctor",
+    summary: "Run safe diagnostics for a remembered project, optionally uploading the report.",
+    usage: "appfleet doctor [project] [--upload] [--json]",
+    arguments: ["project: project id, path, URL, or repo fingerprint; defaults to the current project when resolvable."],
+    options: [
+      { flags: "--upload", description: "Upload the safe doctor report to AppFleet Cloud after the local check." },
+      { flags: "--json", description: "Emit machine-readable JSON." }
+    ],
+    examples: [
+      "appfleet doctor appfleet-demo",
+      "appfleet doctor .",
+      "appfleet doctor appfleet-demo --upload"
+    ],
+    reads: [".appfleet/project-memory.json", ".appfleet/cloud-session.json when --upload is used"],
+    writes: [".appfleet/project-memory.json latest safe doctor evidence", ".appfleet/cloud-metadata-sync.json when --upload is used"],
+    secretSafety: [
+      "Runs safe URL and metadata checks only.",
+      "Uploads safe project metadata and doctor evidence only when --upload is passed.",
+      "Never reads .env files or uploads environment values, credential values, command output, key wrappers, or provider payloads."
+    ]
+  },
+  {
+    namespace: "appfleet",
+    name: "workspaces",
+    summary: "List AppFleet Cloud workspaces available to the signed-in user.",
+    usage: "appfleet workspaces [--api-base-url <url>] [--json]",
+    arguments: [],
+    options: [
+      { flags: "--api-base-url <url>", description: "AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
+      { flags: "--json", description: "Emit machine-readable JSON." }
+    ],
+    examples: ["appfleet workspaces", "appfleet workspaces --json"],
+    reads: [".appfleet/cloud-session.json", ".appfleet/cloud-auth-token"],
+    writes: [],
+    secretSafety: [
+      "Uses the active hosted AppFleet session to list workspace metadata.",
+      "Does not print auth tokens, cookies, provider credentials, environment values, or secret fragments."
+    ]
+  },
+  {
+    namespace: "appfleet",
+    name: "workspace",
+    summary: "Show or change the active AppFleet Cloud workspace.",
+    usage: "appfleet workspace current|list|use <workspace-id> [--json]",
+    arguments: [],
+    options: [
+      { flags: "--json", description: "Emit machine-readable JSON." }
+    ],
+    examples: [
+      "appfleet workspace current",
+      "appfleet workspace list",
+      "appfleet workspace use workspace_prod"
+    ],
+    reads: [".appfleet/cloud-session.json", ".appfleet/cloud-auth-token"],
+    writes: [".appfleet/cloud-session.json and .appfleet/cloud-auth-token when using a workspace"],
+    secretSafety: [
+      "Workspace use runs the hosted AppFleet login flow for the selected workspace.",
+      "Stores active workspace session metadata only and never prints auth tokens, cookies, provider credentials, or secret fragments."
+    ]
+  },
   {
     namespace: "appfleet",
     name: "init",
@@ -3421,20 +3531,21 @@ var cliCommandDocs = [
   {
     namespace: "auth",
     name: "login",
-    summary: "Create local-test session metadata by default, or hosted session metadata when production cloud is explicitly enabled.",
-    usage: "appfleet auth login [--workspace <workspace-id>] [--email <email>] [--production-cloud] [--api-base-url <url>] [--json]",
+    summary: "Sign in to AppFleet Cloud; use --local-test for local scaffold sessions.",
+    usage: "appfleet auth login [--workspace <workspace-id>] [--email <email>] [--api-base-url <url>] [--local-test] [--json]",
     arguments: [],
     options: [
       { flags: "--workspace <workspace-id>", description: "Workspace id for local-test or hosted session metadata." },
       { flags: "--email <email>", description: "Optional non-secret user label for local-test identity or hosted login metadata." },
-      { flags: "--production-cloud", description: "Explicitly use hosted auth mode against AppFleet Cloud." },
+      { flags: "--local-test", description: "Create local-test session metadata instead of signing in to AppFleet Cloud." },
+      { flags: "--production-cloud", description: "Deprecated compatibility flag; hosted AppFleet Cloud is already the default." },
       { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
       { flags: "--json", description: "Emit machine-readable JSON." }
     ],
     examples: [
-      "appfleet auth login --workspace workspace_test",
-      "appfleet auth login --workspace workspace_test --email demo@example.com --json",
-      "appfleet auth login --production-cloud --workspace workspace_prod --json"
+      "appfleet login",
+      "appfleet auth login --workspace workspace_prod --json",
+      "appfleet auth login --local-test --workspace workspace_test --email demo@example.com --json"
     ],
     reads: [".appfleet/cloud-session.json if it already exists"],
     writes: [".appfleet/cloud-session.json local-test or hosted redacted session metadata with status and expiry"],
@@ -3447,18 +3558,19 @@ var cliCommandDocs = [
   {
     namespace: "auth",
     name: "logout",
-    summary: "Log out of local-test session metadata by default, or revoke hosted session metadata when production cloud is explicitly enabled.",
-    usage: "appfleet auth logout [--production-cloud] [--api-base-url <url>] [--json]",
+    summary: "Sign out of AppFleet Cloud; use --local-test for local scaffold sessions.",
+    usage: "appfleet auth logout [--api-base-url <url>] [--local-test] [--json]",
     arguments: [],
     options: [
-      { flags: "--production-cloud", description: "Explicitly use hosted logout mode against AppFleet Cloud and hosted session metadata." },
+      { flags: "--local-test", description: "Remove local-test session metadata instead of revoking a hosted AppFleet Cloud session." },
+      { flags: "--production-cloud", description: "Deprecated compatibility flag; hosted AppFleet Cloud is already the default." },
       { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
       { flags: "--json", description: "Emit machine-readable JSON." }
     ],
     examples: [
-      "appfleet auth logout",
+      "appfleet logout",
       "appfleet auth logout --json",
-      "appfleet auth logout --production-cloud --json"
+      "appfleet auth logout --local-test --json"
     ],
     reads: [".appfleet/cloud-session.json"],
     writes: [".appfleet/cloud-session.json is removed when present; JSON output includes a safe logged_out/not_found/missing_hosted_session status"],
@@ -8093,7 +8205,7 @@ function defaultProjectMemoryStorePath(cwd) {
 function errorMessage2(error) {
   return error instanceof Error ? error.message : String(error);
 }
-if (import.meta.url === `file://${process.argv[1]}`) {
+if (import.meta.url.endsWith("/project-memory.ts") && import.meta.url === `file://${process.argv[1]}`) {
   const result = await runProjectMemoryCommand(process.argv.slice(2), {
     storePath: process.env.APPFLEET_PROJECT_MEMORY_STORE_PATH,
     currentGitRemoteFingerprint: process.env.APPFLEET_GIT_REMOTE_FINGERPRINT
@@ -8173,7 +8285,7 @@ async function runCloudSessionCommand(argv, options = {}) {
           createdAt: createdAt3,
           result: authResult
         });
-        const localAuthToken = authResult.authToken ?? authResult.sessionId;
+        const localAuthToken = authResult.sessionId ?? authResult.authToken;
         if (localAuthToken) {
           await writeAuthToken(authTokenPath, localAuthToken);
         }
@@ -8793,7 +8905,7 @@ function parseCloudSessionCommand(argv, env) {
         action,
         workspaceId: readFlag4(normalizedArgv, "--workspace") ?? "workspace_local",
         email: readFlag4(normalizedArgv, "--email"),
-        productionCloud: cloudProductionFlag(normalizedArgv, env),
+        productionCloud: cloudProductionFlag(normalizedArgv, env, true),
         productionCloudSource: cloudProductionSource(normalizedArgv, env),
         apiBaseUrl: readFlag4(normalizedArgv, "--api-base-url"),
         outputFormat
@@ -8803,7 +8915,7 @@ function parseCloudSessionCommand(argv, env) {
       return {
         namespace,
         action,
-        productionCloud: cloudProductionFlag(normalizedArgv, env),
+        productionCloud: cloudProductionFlag(normalizedArgv, env, true),
         productionCloudSource: cloudProductionSource(normalizedArgv, env),
         apiBaseUrl: readFlag4(normalizedArgv, "--api-base-url"),
         outputFormat
@@ -9111,16 +9223,28 @@ function createZeroSecretBoundary() {
     storesSecretFragments: false
   };
 }
-function cloudProductionFlag(argv, env) {
+function cloudProductionFlag(argv, env, defaultProduction = false) {
+  if (hasFlag2(argv, "--local-test")) {
+    return false;
+  }
   if (hasFlag2(argv, "--production-cloud")) {
     return true;
   }
-  return env.APPFLEET_PRODUCTION_CLOUD_ENABLED === "true" || env.APPFLEET_CLOUD_MODE === "production";
+  if (env.APPFLEET_CLOUD_MODE === "local-test") {
+    return false;
+  }
+  return env.APPFLEET_PRODUCTION_CLOUD_ENABLED === "true" || env.APPFLEET_CLOUD_MODE === "production" || defaultProduction;
 }
 function cloudProductionSource(argv, env) {
+  if (hasFlag2(argv, "--local-test")) {
+    return "flag";
+  }
   if (hasFlag2(argv, "--production-cloud")) {
     return "flag";
   }
+  if (env.APPFLEET_CLOUD_MODE === "local-test") {
+    return "env";
+  }
   if (productionEnvEnabled(env)) {
     return "env";
   }
@@ -11459,7 +11583,7 @@ function commandError(error) {
     childStarted: false
   };
 }
-if (import.meta.url === `file://${process.argv[1]}`) {
+if (import.meta.url.endsWith("/local-vault.ts") && import.meta.url === `file://${process.argv[1]}`) {
   const result = await runLocalVaultCommand(process.argv.slice(2));
   process.stdout.write(result.stdout);
   process.stderr.write(result.stderr);
@@ -11886,6 +12010,7 @@ var namespaces = [
   "vault",
   "secrets"
 ];
+var DEFAULT_PRODUCTION_API_BASE_URL2 = "https://appfleet.xyz";
 async function runAppFleetCli(argv) {
   const normalizedArgv = argv[0] === "--" ? argv.slice(1) : argv;
   if (shouldShowHelp(normalizedArgv)) {
@@ -11899,6 +12024,61 @@ async function runAppFleetCli(argv) {
     return 0;
   }
   const namespace = normalizedArgv[0];
+  if (namespace === "login" || namespace === "logout") {
+    const result = await runCloudSessionCommand(
+      ["auth", namespace, ...normalizedArgv.slice(1)],
+      cloudCommandOptions()
+    );
+    process.stdout.write(result.stdout);
+    process.stderr.write(result.stderr);
+    return result.exitCode;
+  }
+  if (namespace === "workspaces") {
+    const result = await runWorkspaceListCommand(normalizedArgv.slice(1));
+    process.stdout.write(result.stdout);
+    process.stderr.write(result.stderr);
+    return result.exitCode;
+  }
+  if (namespace === "workspace") {
+    const action = normalizedArgv[1] ?? "current";
+    if (action === "use") {
+      const workspaceId = normalizedArgv[2] ?? readFlag9(normalizedArgv, "--workspace");
+      if (!workspaceId) {
+        process.stderr.write("AppFleet workspace failed: usage: appfleet workspace use <workspace-id> [--json]\n");
+        return 1;
+      }
+      const result = await runCloudSessionCommand(
+        [
+          "auth",
+          "login",
+          "--workspace",
+          workspaceId,
+          ...normalizedArgv.includes("--json") ? ["--json"] : []
+        ],
+        cloudCommandOptions()
+      );
+      process.stdout.write(result.stdout);
+      process.stderr.write(result.stderr);
+      return result.exitCode;
+    }
+    if (action === "current") {
+      const result = await runWorkspaceCurrentCommand(normalizedArgv.slice(2));
+      process.stdout.write(result.stdout);
+      process.stderr.write(result.stderr);
+      return result.exitCode;
+    }
+    if (action === "list") {
+      const result = await runWorkspaceListCommand(normalizedArgv.slice(2));
+      process.stdout.write(result.stdout);
+      process.stderr.write(result.stderr);
+      return result.exitCode;
+    }
+    process.stderr.write(
+      `AppFleet workspace failed: unknown workspace command "${action}"
+`
+    );
+    return 1;
+  }
   if (namespace === "init") {
     const result = await runFirstRunSetup(normalizedArgv.slice(1));
     process.stdout.write(result.stdout);
@@ -11919,6 +12099,20 @@ async function runAppFleetCli(argv) {
     process.stderr.write(result.stderr);
     return result.exitCode;
   }
+  if (namespace === "doctor") {
+    const args = ["projects", "doctor", ...normalizedArgv.slice(1)];
+    if (normalizedArgv.includes("--upload")) {
+      return runDoctorAndUpload(args);
+    }
+    const result = await runProjectMemoryCommand(args, {
+      storePath: process.env.APPFLEET_PROJECT_MEMORY_STORE_PATH,
+      currentGitRemoteFingerprint: process.env.APPFLEET_GIT_REMOTE_FINGERPRINT,
+      projectRoot: process.env.INIT_CWD
+    });
+    process.stdout.write(result.stdout);
+    process.stderr.write(result.stderr);
+    return result.exitCode;
+  }
   if (namespace === "projects") {
     if (normalizedArgv[1] === "doctor" && normalizedArgv.includes("--upload")) {
       return runDoctorAndUpload(normalizedArgv);
@@ -11989,7 +12183,7 @@ async function runAppFleetCli(argv) {
 }
 function createAppFleetProgram() {
   const program2 = new Command();
-  program2.name("appfleet").description("Local AppFleet recovery cockpit and encrypted secret injection CLI.").showHelpAfterError().configureHelp({ sortSubcommands: true, sortOptions: true });
+  program2.name("appfleet").description("AppFleet Cloud CLI for remembering, diagnosing, and recovering projects.").showHelpAfterError().configureHelp({ sortSubcommands: true, sortOptions: true });
   const initDoc = findCliCommandDoc("appfleet", "init");
   if (initDoc) {
     program2.addCommand(commandFromDoc(initDoc));
@@ -11998,6 +12192,26 @@ function createAppFleetProgram() {
   if (linkDoc) {
     program2.addCommand(commandFromDoc(linkDoc));
   }
+  const loginDoc = findCliCommandDoc("appfleet", "login");
+  if (loginDoc) {
+    program2.addCommand(commandFromDoc(loginDoc));
+  }
+  const logoutDoc = findCliCommandDoc("appfleet", "logout");
+  if (logoutDoc) {
+    program2.addCommand(commandFromDoc(logoutDoc));
+  }
+  const doctorDoc = findCliCommandDoc("appfleet", "doctor");
+  if (doctorDoc) {
+    program2.addCommand(commandFromDoc(doctorDoc));
+  }
+  const workspacesDoc = findCliCommandDoc("appfleet", "workspaces");
+  if (workspacesDoc) {
+    program2.addCommand(commandFromDoc(workspacesDoc));
+  }
+  const workspaceDoc = findCliCommandDoc("appfleet", "workspace");
+  if (workspaceDoc) {
+    program2.addCommand(commandFromDoc(workspaceDoc));
+  }
   for (const namespace of namespaces) {
     const namespaceCommand = new Command(namespace).description(
       namespaceDescription(namespace)
@@ -12020,6 +12234,139 @@ function cloudCommandOptions() {
     env: process.env
   };
 }
+async function runWorkspaceCurrentCommand(argv) {
+  const outputFormat = argv.includes("--json") ? "json" : "human";
+  const session = await readHostedSession();
+  if (!session) {
+    const document2 = {
+      type: "appfleet_active_workspace_result",
+      version: 1,
+      status: "not_logged_in",
+      activeWorkspaceId: void 0,
+      next: "Run appfleet login."
+    };
+    return {
+      exitCode: 1,
+      stdout: outputFormat === "json" ? `${JSON.stringify(document2, null, 2)}
+` : "",
+      stderr: outputFormat === "json" ? "" : "AppFleet workspace failed: not logged in. Run appfleet login.\n"
+    };
+  }
+  const document = {
+    type: "appfleet_active_workspace_result",
+    version: 1,
+    status: "ok",
+    activeWorkspaceId: session.workspaceId,
+    user: session.user,
+    expiresAt: session.expiresAt
+  };
+  return {
+    exitCode: 0,
+    stdout: outputFormat === "json" ? `${JSON.stringify(document, null, 2)}
+` : `Active workspace: ${session.workspaceId}
+`,
+    stderr: ""
+  };
+}
+async function runWorkspaceListCommand(argv) {
+  const outputFormat = argv.includes("--json") ? "json" : "human";
+  const session = await readHostedSession();
+  const authToken = await readWorkspaceAuthToken();
+  if (!session || !authToken) {
+    const document2 = {
+      type: "appfleet_workspace_list_result",
+      version: 1,
+      status: "not_logged_in",
+      workspaces: [],
+      next: "Run appfleet login."
+    };
+    return {
+      exitCode: 1,
+      stdout: outputFormat === "json" ? `${JSON.stringify(document2, null, 2)}
+` : "",
+      stderr: outputFormat === "json" ? "" : "AppFleet workspaces failed: not logged in. Run appfleet login.\n"
+    };
+  }
+  const apiBaseUrl = readFlag9(argv, "--api-base-url") ?? process.env.APPFLEET_API_BASE_URL ?? DEFAULT_PRODUCTION_API_BASE_URL2;
+  const url = new URL("/api/workspaces", apiBaseUrl);
+  url.searchParams.set("workspaceId", session.workspaceId);
+  const response = await fetch(url, {
+    headers: {
+      Accept: "application/json",
+      "X-AppFleet-Hosted-Session": authToken,
+      "X-AppFleet-Workspace-Id": session.workspaceId
+    }
+  });
+  if (!response.ok) {
+    const document2 = {
+      type: "appfleet_workspace_list_result",
+      version: 1,
+      status: "request_failed",
+      httpStatusCode: response.status,
+      activeWorkspaceId: session.workspaceId,
+      workspaces: []
+    };
+    return {
+      exitCode: 1,
+      stdout: outputFormat === "json" ? `${JSON.stringify(document2, null, 2)}
+` : "",
+      stderr: outputFormat === "json" ? "" : `AppFleet workspaces failed: cloud request returned HTTP ${response.status}.
+`
+    };
+  }
+  const parsed = await response.json();
+  const workspaces = parsed.data?.workspaces ?? [];
+  const document = {
+    type: "appfleet_workspace_list_result",
+    version: 1,
+    status: "ok",
+    activeWorkspaceId: session.workspaceId,
+    workspaces: workspaces.map((workspace) => ({
+      ...workspace,
+      active: workspace.id === session.workspaceId
+    }))
+  };
+  return {
+    exitCode: 0,
+    stdout: outputFormat === "json" ? `${JSON.stringify(document, null, 2)}
+` : formatWorkspaceList(document),
+    stderr: ""
+  };
+}
+function formatWorkspaceList(document) {
+  if (document.workspaces.length === 0) {
+    return "No workspaces found.\n";
+  }
+  return `${document.workspaces.map(
+    (workspace) => `${workspace.active ? "*" : " "} ${workspace.name} (${workspace.id})`
+  ).join("\n")}
+`;
+}
+async function readHostedSession() {
+  try {
+    const parsed = JSON.parse(await readFile5(defaultCliSessionPath(), "utf8"));
+    if (!parsed.workspaceId) return void 0;
+    return {
+      type: parsed.type,
+      workspaceId: parsed.workspaceId,
+      user: parsed.user,
+      expiresAt: parsed.expiresAt
+    };
+  } catch {
+    return void 0;
+  }
+}
+async function readWorkspaceAuthToken() {
+  try {
+    const token = await readFile5(join4(dirname5(defaultCliSessionPath()), "cloud-auth-token"), "utf8");
+    return token.trim() || void 0;
+  } catch {
+    return void 0;
+  }
+}
+function defaultCliSessionPath() {
+  return process.env.APPFLEET_CLOUD_SESSION_PATH ?? join4(process.env.INIT_CWD ?? process.cwd(), ".appfleet", "cloud-session.json");
+}
 async function runDoctorAndUpload(argv) {
   const doctorArgs = argv.filter((argument) => argument !== "--upload");
   if (!doctorArgs.includes("--json")) doctorArgs.push("--json");
@@ -12196,9 +12543,9 @@ function namespaceDescription(namespace) {
     case "projects":
       return "Remember projects, summarize recovery status, and run safe diagnostics.";
     case "auth":
-      return "Manage local-test hosted auth session metadata.";
+      return "Manage AppFleet Cloud login sessions.";
     case "cloud":
-      return "Prepare cloud-safe metadata sync envelopes for V1 scaffold flows.";
+      return "Sync cloud-safe metadata with AppFleet Cloud.";
     case "providers":
       return "Inspect provider integration contracts and fail-closed discovery scaffolds.";
     case "ops":

package/dist/cloud-session.js CHANGED Viewed

@@ -73,7 +73,7 @@ export async function runCloudSessionCommand(argv, options = {}) {
                     createdAt,
                     result: authResult,
                 });
-                const localAuthToken = authResult.authToken ?? authResult.sessionId;
+                const localAuthToken = authResult.sessionId ?? authResult.authToken;
                 if (localAuthToken) {
                     await writeAuthToken(authTokenPath, localAuthToken);
                 }
@@ -707,7 +707,7 @@ function parseCloudSessionCommand(argv, env) {
                 action,
                 workspaceId: readFlag(normalizedArgv, "--workspace") ?? "workspace_local",
                 email: readFlag(normalizedArgv, "--email"),
-                productionCloud: cloudProductionFlag(normalizedArgv, env),
+                productionCloud: cloudProductionFlag(normalizedArgv, env, true),
                 productionCloudSource: cloudProductionSource(normalizedArgv, env),
                 apiBaseUrl: readFlag(normalizedArgv, "--api-base-url"),
                 outputFormat,
@@ -717,7 +717,7 @@ function parseCloudSessionCommand(argv, env) {
             return {
                 namespace,
                 action,
-                productionCloud: cloudProductionFlag(normalizedArgv, env),
+                productionCloud: cloudProductionFlag(normalizedArgv, env, true),
                 productionCloudSource: cloudProductionSource(normalizedArgv, env),
                 apiBaseUrl: readFlag(normalizedArgv, "--api-base-url"),
                 outputFormat,
@@ -1015,17 +1015,30 @@ function createZeroSecretBoundary() {
         storesSecretFragments: false,
     };
 }
-function cloudProductionFlag(argv, env) {
+function cloudProductionFlag(argv, env, defaultProduction = false) {
+    if (hasFlag(argv, "--local-test")) {
+        return false;
+    }
     if (hasFlag(argv, "--production-cloud")) {
         return true;
     }
+    if (env.APPFLEET_CLOUD_MODE === "local-test") {
+        return false;
+    }
     return (env.APPFLEET_PRODUCTION_CLOUD_ENABLED === "true" ||
-        env.APPFLEET_CLOUD_MODE === "production");
+        env.APPFLEET_CLOUD_MODE === "production" ||
+        defaultProduction);
 }
 function cloudProductionSource(argv, env) {
+    if (hasFlag(argv, "--local-test")) {
+        return "flag";
+    }
     if (hasFlag(argv, "--production-cloud")) {
         return "flag";
     }
+    if (env.APPFLEET_CLOUD_MODE === "local-test") {
+        return "env";
+    }
     if (productionEnvEnabled(env)) {
         return "env";
     }

package/dist/command-registry.js CHANGED Viewed

@@ -1,4 +1,50 @@
 export const cliCommandDocs = [
+    {
+        namespace: "appfleet",
+        name: "login",
+        summary: "Sign in to AppFleet Cloud.",
+        usage: "appfleet login [--workspace <workspace-id>] [--email <email>] [--api-base-url <url>] [--local-test] [--json]",
+        arguments: [],
+        options: [
+            { flags: "--workspace <workspace-id>", description: "Workspace id to sign in to; defaults to workspace_local." },
+            { flags: "--email <email>", description: "Optional non-secret user label for local-test identity metadata." },
+            { flags: "--api-base-url <url>", description: "AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
+            { flags: "--local-test", description: "Create local-test session metadata instead of signing in to AppFleet Cloud." },
+            { flags: "--json", description: "Emit machine-readable JSON." },
+        ],
+        examples: [
+            "appfleet login",
+            "appfleet login --workspace workspace_prod",
+            "appfleet login --json",
+        ],
+        reads: [".appfleet/cloud-session.json if it already exists"],
+        writes: [".appfleet/cloud-session.json hosted redacted session metadata with status and expiry", ".appfleet/cloud-auth-token mode-0600 local credential file"],
+        secretSafety: [
+            "Opens the hosted browser auth flow and stores session metadata only.",
+            "The short-lived hosted session token is isolated in a mode-0600 local credential file and is never printed or included in project memory.",
+            "Does not store OAuth refresh material, session cookies, provider credentials, encrypted credential blobs, key wrappers, command output, secret fragments, or secret values.",
+        ],
+    },
+    {
+        namespace: "appfleet",
+        name: "logout",
+        summary: "Sign out of AppFleet Cloud.",
+        usage: "appfleet logout [--api-base-url <url>] [--local-test] [--json]",
+        arguments: [],
+        options: [
+            { flags: "--api-base-url <url>", description: "AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
+            { flags: "--local-test", description: "Remove local-test session metadata instead of revoking a hosted AppFleet Cloud session." },
+            { flags: "--json", description: "Emit machine-readable JSON." },
+        ],
+        examples: ["appfleet logout", "appfleet logout --json"],
+        reads: [".appfleet/cloud-session.json"],
+        writes: [".appfleet/cloud-session.json and .appfleet/cloud-auth-token are removed when present"],
+        secretSafety: [
+            "Revokes hosted session metadata through AppFleet Cloud when available.",
+            "Removes local hosted session metadata and the local credential file without printing credential material.",
+            "Does not read or print OAuth refresh material, session cookies, provider credentials, encrypted credential blobs, key wrappers, command output, or secret fragments.",
+        ],
+    },
     {
         namespace: "appfleet",
         name: "link",
@@ -14,6 +60,68 @@ export const cliCommandDocs = [
             "Never uploads environment values, credential values, command output, key wrappers, or provider payloads.",
         ],
     },
+    {
+        namespace: "appfleet",
+        name: "doctor",
+        summary: "Run safe diagnostics for a remembered project, optionally uploading the report.",
+        usage: "appfleet doctor [project] [--upload] [--json]",
+        arguments: ["project: project id, path, URL, or repo fingerprint; defaults to the current project when resolvable."],
+        options: [
+            { flags: "--upload", description: "Upload the safe doctor report to AppFleet Cloud after the local check." },
+            { flags: "--json", description: "Emit machine-readable JSON." },
+        ],
+        examples: [
+            "appfleet doctor appfleet-demo",
+            "appfleet doctor .",
+            "appfleet doctor appfleet-demo --upload",
+        ],
+        reads: [".appfleet/project-memory.json", ".appfleet/cloud-session.json when --upload is used"],
+        writes: [".appfleet/project-memory.json latest safe doctor evidence", ".appfleet/cloud-metadata-sync.json when --upload is used"],
+        secretSafety: [
+            "Runs safe URL and metadata checks only.",
+            "Uploads safe project metadata and doctor evidence only when --upload is passed.",
+            "Never reads .env files or uploads environment values, credential values, command output, key wrappers, or provider payloads.",
+        ],
+    },
+    {
+        namespace: "appfleet",
+        name: "workspaces",
+        summary: "List AppFleet Cloud workspaces available to the signed-in user.",
+        usage: "appfleet workspaces [--api-base-url <url>] [--json]",
+        arguments: [],
+        options: [
+            { flags: "--api-base-url <url>", description: "AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
+            { flags: "--json", description: "Emit machine-readable JSON." },
+        ],
+        examples: ["appfleet workspaces", "appfleet workspaces --json"],
+        reads: [".appfleet/cloud-session.json", ".appfleet/cloud-auth-token"],
+        writes: [],
+        secretSafety: [
+            "Uses the active hosted AppFleet session to list workspace metadata.",
+            "Does not print auth tokens, cookies, provider credentials, environment values, or secret fragments.",
+        ],
+    },
+    {
+        namespace: "appfleet",
+        name: "workspace",
+        summary: "Show or change the active AppFleet Cloud workspace.",
+        usage: "appfleet workspace current|list|use <workspace-id> [--json]",
+        arguments: [],
+        options: [
+            { flags: "--json", description: "Emit machine-readable JSON." },
+        ],
+        examples: [
+            "appfleet workspace current",
+            "appfleet workspace list",
+            "appfleet workspace use workspace_prod",
+        ],
+        reads: [".appfleet/cloud-session.json", ".appfleet/cloud-auth-token"],
+        writes: [".appfleet/cloud-session.json and .appfleet/cloud-auth-token when using a workspace"],
+        secretSafety: [
+            "Workspace use runs the hosted AppFleet login flow for the selected workspace.",
+            "Stores active workspace session metadata only and never prints auth tokens, cookies, provider credentials, or secret fragments.",
+        ],
+    },
     {
         namespace: "appfleet",
         name: "init",
@@ -46,20 +154,21 @@ export const cliCommandDocs = [
     {
         namespace: "auth",
         name: "login",
-        summary: "Create local-test session metadata by default, or hosted session metadata when production cloud is explicitly enabled.",
-        usage: "appfleet auth login [--workspace <workspace-id>] [--email <email>] [--production-cloud] [--api-base-url <url>] [--json]",
+        summary: "Sign in to AppFleet Cloud; use --local-test for local scaffold sessions.",
+        usage: "appfleet auth login [--workspace <workspace-id>] [--email <email>] [--api-base-url <url>] [--local-test] [--json]",
         arguments: [],
         options: [
             { flags: "--workspace <workspace-id>", description: "Workspace id for local-test or hosted session metadata." },
             { flags: "--email <email>", description: "Optional non-secret user label for local-test identity or hosted login metadata." },
-            { flags: "--production-cloud", description: "Explicitly use hosted auth mode against AppFleet Cloud." },
+            { flags: "--local-test", description: "Create local-test session metadata instead of signing in to AppFleet Cloud." },
+            { flags: "--production-cloud", description: "Deprecated compatibility flag; hosted AppFleet Cloud is already the default." },
             { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
             { flags: "--json", description: "Emit machine-readable JSON." },
         ],
         examples: [
-            "appfleet auth login --workspace workspace_test",
-            "appfleet auth login --workspace workspace_test --email demo@example.com --json",
-            "appfleet auth login --production-cloud --workspace workspace_prod --json",
+            "appfleet login",
+            "appfleet auth login --workspace workspace_prod --json",
+            "appfleet auth login --local-test --workspace workspace_test --email demo@example.com --json",
         ],
         reads: [".appfleet/cloud-session.json if it already exists"],
         writes: [".appfleet/cloud-session.json local-test or hosted redacted session metadata with status and expiry"],
@@ -72,18 +181,19 @@ export const cliCommandDocs = [
     {
         namespace: "auth",
         name: "logout",
-        summary: "Log out of local-test session metadata by default, or revoke hosted session metadata when production cloud is explicitly enabled.",
-        usage: "appfleet auth logout [--production-cloud] [--api-base-url <url>] [--json]",
+        summary: "Sign out of AppFleet Cloud; use --local-test for local scaffold sessions.",
+        usage: "appfleet auth logout [--api-base-url <url>] [--local-test] [--json]",
         arguments: [],
         options: [
-            { flags: "--production-cloud", description: "Explicitly use hosted logout mode against AppFleet Cloud and hosted session metadata." },
+            { flags: "--local-test", description: "Remove local-test session metadata instead of revoking a hosted AppFleet Cloud session." },
+            { flags: "--production-cloud", description: "Deprecated compatibility flag; hosted AppFleet Cloud is already the default." },
             { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
             { flags: "--json", description: "Emit machine-readable JSON." },
         ],
         examples: [
-            "appfleet auth logout",
+            "appfleet logout",
             "appfleet auth logout --json",
-            "appfleet auth logout --production-cloud --json",
+            "appfleet auth logout --local-test --json",
         ],
         reads: [".appfleet/cloud-session.json"],
         writes: [".appfleet/cloud-session.json is removed when present; JSON output includes a safe logged_out/not_found/missing_hosted_session status"],

package/dist/local-vault.js CHANGED Viewed

@@ -1161,7 +1161,8 @@ function commandError(error) {
         childStarted: false,
     };
 }
-if (import.meta.url === `file://${process.argv[1]}`) {
+if (import.meta.url.endsWith("/local-vault.ts") &&
+    import.meta.url === `file://${process.argv[1]}`) {
     const result = await runLocalVaultCommand(process.argv.slice(2));
     process.stdout.write(result.stdout);
     process.stderr.write(result.stderr);

package/dist/project-memory.js CHANGED Viewed

@@ -1518,7 +1518,8 @@ function defaultProjectMemoryStorePath(cwd) {
 function errorMessage(error) {
     return error instanceof Error ? error.message : String(error);
 }
-if (import.meta.url === `file://${process.argv[1]}`) {
+if (import.meta.url.endsWith("/project-memory.ts") &&
+    import.meta.url === `file://${process.argv[1]}`) {
     const result = await runProjectMemoryCommand(process.argv.slice(2), {
         storePath: process.env.APPFLEET_PROJECT_MEMORY_STORE_PATH,
         currentGitRemoteFingerprint: process.env.APPFLEET_GIT_REMOTE_FINGERPRINT,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@appfleet-cli/cli",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "private": false,
   "type": "module",
   "bin": {