@appuo/orbit 1.0.6 → 1.0.10

package/dist/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import { Command as Command8 } from "commander";
+import { Command as Command9 } from "commander";
 import { createRequire } from "module";
 
 // src/providers/provider.interface.ts
@@ -21,45 +21,106 @@ var getProvider = (name) => {
 };
 
 // src/providers/vercel.ts
-import fs2 from "fs";
-import path2 from "path";
+import fs3 from "fs";
+import path3 from "path";
 import os2 from "os";
 
 // src/utils/paths.ts
 import os from "os";
-import path from "path";
+import path2 from "path";
+import fs2 from "fs";
+
+// src/utils/fileOps.ts
+import crypto from "crypto";
 import fs from "fs";
+import path from "path";
+var ensureFileMode = (filePath, mode) => {
+  if (!fs.existsSync(filePath)) {
+    return;
+  }
+  const currentMode = fs.statSync(filePath).mode & 511;
+  if (currentMode !== mode) {
+    fs.chmodSync(filePath, mode);
+  }
+};
+var atomicWriteFile = (filePath, content, mode) => {
+  const directory = path.dirname(filePath);
+  if (!fs.existsSync(directory)) {
+    fs.mkdirSync(directory, { recursive: true, mode: 448 });
+  }
+  const tempName = `.${path.basename(filePath)}.${process.pid}.${crypto.randomUUID()}.tmp`;
+  const tempPath = path.join(directory, tempName);
+  try {
+    if (mode === void 0) {
+      fs.writeFileSync(tempPath, content, "utf-8");
+    } else {
+      fs.writeFileSync(tempPath, content, { encoding: "utf-8", mode });
+    }
+    fs.renameSync(tempPath, filePath);
+    if (mode !== void 0) {
+      fs.chmodSync(filePath, mode);
+    }
+  } finally {
+    if (fs.existsSync(tempPath)) {
+      fs.rmSync(tempPath, { force: true });
+    }
+  }
+};
+var quarantineCorruptFile = (filePath, suffix) => {
+  if (!fs.existsSync(filePath)) {
+    return filePath;
+  }
+  const quarantinePath = `${filePath}.corrupt-${suffix}`;
+  try {
+    fs.renameSync(filePath, quarantinePath);
+    return quarantinePath;
+  } catch {
+    return filePath;
+  }
+};
+
+// src/utils/paths.ts
 var getConfigDir = () => {
-  return path.join(os.homedir(), ".orbit");
+  const overrideDir = process.env["ORBIT_CONFIG_DIR"];
+  if (overrideDir && overrideDir.trim().length > 0) {
+    return overrideDir;
+  }
+  return path2.join(os.homedir(), ".orbit");
 };
 var getConfigPath = () => {
-  return path.join(getConfigDir(), "config.json");
+  return path2.join(getConfigDir(), "config.json");
 };
 var ensureConfigDir = () => {
   const dir = getConfigDir();
-  if (!fs.existsSync(dir)) {
-    fs.mkdirSync(dir, { recursive: true });
+  if (!fs2.existsSync(dir)) {
+    fs2.mkdirSync(dir, { recursive: true, mode: 448 });
   }
+  ensureFileMode(dir, 448);
 };
 var getAuthDir = (provider) => {
-  return path.join(getConfigDir(), "auth", provider);
+  return path2.join(getConfigDir(), "auth", provider);
 };
 var getAuthFilePath = (provider, profile) => {
-  return path.join(getAuthDir(provider), `${profile}.json`);
+  return path2.join(getAuthDir(provider), `${profile}.json`);
 };
 var ensureAuthDir = (provider) => {
   const dir = getAuthDir(provider);
-  if (!fs.existsSync(dir)) {
-    fs.mkdirSync(dir, { recursive: true });
+  if (!fs2.existsSync(dir)) {
+    fs2.mkdirSync(dir, { recursive: true, mode: 448 });
   }
+  ensureFileMode(dir, 448);
 };
 
 // src/providers/vercel.ts
 var getVercelAuthPath = () => {
   const platform = os2.platform();
   const home = os2.homedir();
+  const xdgDataHome = process.env["XDG_DATA_HOME"];
+  if (xdgDataHome && xdgDataHome.trim().length > 0) {
+    return path3.join(xdgDataHome, "com.vercel.cli", "auth.json");
+  }
   if (platform === "darwin") {
-    return path2.join(
+    return path3.join(
       home,
       "Library",
       "Application Support",
@@ -67,13 +128,30 @@ var getVercelAuthPath = () => {
       "auth.json"
     );
   } else if (platform === "win32") {
-    const appData = process.env["APPDATA"] || path2.join(home, "AppData", "Roaming");
-    return path2.join(appData, "com.vercel.cli", "auth.json");
+    const appData = process.env["APPDATA"] || path3.join(home, "AppData", "Roaming");
+    return path3.join(appData, "com.vercel.cli", "auth.json");
   } else {
-    const xdgDataHome = process.env["XDG_DATA_HOME"] || path2.join(home, ".local", "share");
-    return path2.join(xdgDataHome, "com.vercel.cli", "auth.json");
+    const linuxDataHome = path3.join(home, ".local", "share");
+    return path3.join(linuxDataHome, "com.vercel.cli", "auth.json");
   }
 };
+var ensureVercelAuthDir = (authPath) => {
+  const authDir = path3.dirname(authPath);
+  if (!fs3.existsSync(authDir)) {
+    fs3.mkdirSync(authDir, { recursive: true, mode: 448 });
+  }
+};
+var writeVercelAuthToken = (token) => {
+  const authPath = getVercelAuthPath();
+  if (!authPath) return false;
+  ensureVercelAuthDir(authPath);
+  fs3.writeFileSync(authPath, JSON.stringify({ token }, null, 2), {
+    encoding: "utf-8",
+    mode: 384
+  });
+  ensureFileMode(authPath, 384);
+  return true;
+};
 var vercelProvider = {
   name: "vercel",
   getEnvVar() {
@@ -88,8 +166,8 @@ var vercelProvider = {
   async getStoredToken() {
     try {
       const configPath = getVercelAuthPath();
-      if (configPath && fs2.existsSync(configPath)) {
-        const content = fs2.readFileSync(configPath, "utf-8");
+      if (configPath && fs3.existsSync(configPath)) {
+        const content = fs3.readFileSync(configPath, "utf-8");
         const config = JSON.parse(content);
         if (config.token && typeof config.token === "string") {
           return config.token;
@@ -127,57 +205,169 @@ var vercelProvider = {
   },
   async captureAuth(profile) {
     const authPath = getVercelAuthPath();
-    if (!authPath || !fs2.existsSync(authPath)) return;
+    if (!authPath || !fs3.existsSync(authPath)) return;
     ensureAuthDir("vercel");
     const destPath = getAuthFilePath("vercel", profile);
-    fs2.copyFileSync(authPath, destPath);
+    fs3.copyFileSync(authPath, destPath);
+    ensureFileMode(destPath, 384);
   },
   async restoreAuth(profile) {
     const sourcePath = getAuthFilePath("vercel", profile);
-    if (!fs2.existsSync(sourcePath)) return false;
+    if (!fs3.existsSync(sourcePath)) return false;
     const authPath = getVercelAuthPath();
     if (!authPath) return false;
-    const authDir = path2.dirname(authPath);
-    if (!fs2.existsSync(authDir)) {
-      fs2.mkdirSync(authDir, { recursive: true });
-    }
-    fs2.copyFileSync(sourcePath, authPath);
+    ensureVercelAuthDir(authPath);
+    fs3.copyFileSync(sourcePath, authPath);
+    ensureFileMode(authPath, 384);
     return true;
+  },
+  async seedAuthFromToken(token) {
+    return writeVercelAuthToken(token);
+  },
+  async validateActiveAuth() {
+    const token = await this.getStoredToken?.();
+    if (!token) return false;
+    try {
+      const { execa: execa3 } = await import("execa");
+      const result = await execa3("vercel", ["whoami", "--token", token], {
+        stdio: "pipe",
+        reject: false
+      });
+      if (result.exitCode === 0) {
+        return true;
+      }
+      const output = `${result.stdout}
+${result.stderr}`.toLowerCase();
+      if (output.includes("token is not valid") || output.includes("not valid")) {
+        return false;
+      }
+      return true;
+    } catch {
+      return true;
+    }
+  },
+  async removeAuthSnapshot(profile) {
+    const snapshotPath = getAuthFilePath("vercel", profile);
+    if (fs3.existsSync(snapshotPath)) {
+      fs3.rmSync(snapshotPath, { force: true });
+    }
   }
 };
 
 // src/commands/add.ts
 import { Command } from "commander";
-import ora from "ora";
 import chalk2 from "chalk";
 import readline from "readline";
 
 // src/storage/keychain.ts
-import fs3 from "fs";
-import path3 from "path";
-import crypto from "crypto";
+import fs4 from "fs";
+import path4 from "path";
+import crypto2 from "crypto";
+
+// src/utils/logger.ts
+import chalk from "chalk";
+var jsonMode = false;
+var write = (stream, message) => {
+  stream.write(`${message}
+`);
+};
+var writeJson = (stream, level, message) => {
+  write(
+    stream,
+    JSON.stringify({
+      level,
+      message
+    })
+  );
+};
+var setJsonMode = (enabled) => {
+  jsonMode = enabled;
+};
+var logger = {
+  isJsonMode: () => {
+    return jsonMode;
+  },
+  json: (payload) => {
+    write(process.stdout, JSON.stringify(payload));
+  },
+  info: (message) => {
+    if (jsonMode) {
+      writeJson(process.stdout, "info", message);
+      return;
+    }
+    write(process.stdout, chalk.blue("\u2139") + ` ${message}`);
+  },
+  success: (message) => {
+    if (jsonMode) {
+      writeJson(process.stdout, "success", message);
+      return;
+    }
+    write(process.stdout, chalk.green("\u2714") + ` ${message}`);
+  },
+  warn: (message) => {
+    if (jsonMode) {
+      writeJson(process.stderr, "warn", message);
+      return;
+    }
+    write(process.stderr, chalk.yellow("\u26A0") + ` ${message}`);
+  },
+  error: (message) => {
+    if (jsonMode) {
+      writeJson(process.stderr, "error", message);
+      return;
+    }
+    write(process.stderr, chalk.red("\u2716") + ` ${message}`);
+  },
+  plain: (message) => {
+    if (jsonMode) {
+      write(process.stdout, message);
+      return;
+    }
+    write(process.stdout, message);
+  },
+  newline: () => {
+    if (jsonMode) {
+      return;
+    }
+    write(process.stdout, "");
+  }
+};
+
+// src/storage/keychain.ts
 var CREDENTIALS_FILE = "credentials.json";
 var KEY_FILE = ".key";
 var ALGORITHM = "aes-256-gcm";
+var ENCRYPTED_FILE_MODE = 384;
 var getCredentialsPath = () => {
-  return path3.join(getConfigDir(), CREDENTIALS_FILE);
+  return path4.join(getConfigDir(), CREDENTIALS_FILE);
 };
 var getKeyPath = () => {
-  return path3.join(getConfigDir(), KEY_FILE);
+  return path4.join(getConfigDir(), KEY_FILE);
+};
+var writeKey = (keyPath, key) => {
+  atomicWriteFile(keyPath, key.toString("hex"), ENCRYPTED_FILE_MODE);
+};
+var readKey = (keyPath) => {
+  ensureFileMode(keyPath, ENCRYPTED_FILE_MODE);
+  const raw = fs4.readFileSync(keyPath, "utf-8").trim();
+  if (!/^[0-9a-fA-F]{64}$/.test(raw)) {
+    throw new Error("Invalid encryption key format.");
+  }
+  return Buffer.from(raw, "hex");
 };
 var getOrCreateKey = () => {
   const keyPath = getKeyPath();
   ensureConfigDir();
-  if (fs3.existsSync(keyPath)) {
-    return Buffer.from(fs3.readFileSync(keyPath, "utf-8"), "hex");
+  if (fs4.existsSync(keyPath)) {
+    return readKey(keyPath);
   }
-  const key = crypto.randomBytes(32);
-  fs3.writeFileSync(keyPath, key.toString("hex"), { mode: 384 });
+  const key = crypto2.randomBytes(32);
+  writeKey(keyPath, key);
   return key;
 };
 var encrypt = (text, key) => {
-  const iv = crypto.randomBytes(16);
-  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+  const iv = crypto2.randomBytes(16);
+  const cipher = crypto2.createCipheriv(ALGORITHM, key, iv);
   let encrypted = cipher.update(text, "utf-8", "hex");
   encrypted += cipher.final("hex");
   const tag = cipher.getAuthTag();
@@ -188,7 +378,7 @@ var encrypt = (text, key) => {
   };
 };
 var decrypt = (entry, key) => {
-  const decipher = crypto.createDecipheriv(
+  const decipher = crypto2.createDecipheriv(
     ALGORITHM,
     key,
     Buffer.from(entry.iv, "hex")
@@ -200,17 +390,22 @@ var decrypt = (entry, key) => {
 };
 var loadStore = () => {
   const filePath = getCredentialsPath();
-  if (!fs3.existsSync(filePath)) return {};
+  if (!fs4.existsSync(filePath)) return {};
+  ensureFileMode(filePath, ENCRYPTED_FILE_MODE);
   try {
-    return JSON.parse(fs3.readFileSync(filePath, "utf-8"));
+    return JSON.parse(fs4.readFileSync(filePath, "utf-8"));
   } catch {
+    const quarantinePath = quarantineCorruptFile(filePath, `${Date.now()}`);
+    logger.warn(
+      `Detected invalid credentials store. Backed it up to "${quarantinePath}" and re-initialized credentials.`
+    );
     return {};
   }
 };
 var saveStore = (store) => {
   ensureConfigDir();
   const filePath = getCredentialsPath();
-  fs3.writeFileSync(filePath, JSON.stringify(store, null, 2), { mode: 384 });
+  atomicWriteFile(filePath, JSON.stringify(store, null, 2), ENCRYPTED_FILE_MODE);
 };
 var getKey = (provider, profile) => {
   return `${provider}:${profile}`;
@@ -240,9 +435,41 @@ var deleteToken = async (provider, profile) => {
   saveStore(store);
   return true;
 };
+var rotateEncryptionKey = async () => {
+  const keyPath = getKeyPath();
+  const oldKey = getOrCreateKey();
+  const store = loadStore();
+  const decryptedEntries = /* @__PURE__ */ new Map();
+  for (const [entryKey, entryValue] of Object.entries(store)) {
+    decryptedEntries.set(entryKey, decrypt(entryValue, oldKey));
+  }
+  const newKey = crypto2.randomBytes(32);
+  const rotatedStore = {};
+  for (const [entryKey, token] of decryptedEntries.entries()) {
+    rotatedStore[entryKey] = encrypt(token, newKey);
+  }
+  const backupPath = `${keyPath}.bak-${Date.now()}`;
+  if (fs4.existsSync(keyPath)) {
+    fs4.copyFileSync(keyPath, backupPath);
+  }
+  try {
+    writeKey(keyPath, newKey);
+    saveStore(rotatedStore);
+  } catch (error) {
+    if (fs4.existsSync(backupPath)) {
+      fs4.copyFileSync(backupPath, keyPath);
+      ensureFileMode(keyPath, ENCRYPTED_FILE_MODE);
+    }
+    throw error;
+  } finally {
+    if (fs4.existsSync(backupPath)) {
+      fs4.rmSync(backupPath, { force: true });
+    }
+  }
+};
 
 // src/storage/configStore.ts
-import fs4 from "fs";
+import fs5 from "fs";
 
 // src/types/config.ts
 import { z } from "zod";
@@ -259,21 +486,37 @@ var OrbitConfigSchema = z.object({
 var defaultConfig = {
   providers: {}
 };
+var writeDefaultConfig = (configPath) => {
+  ensureConfigDir();
+  atomicWriteFile(
+    configPath,
+    JSON.stringify(defaultConfig, null, 2),
+    384
+  );
+  return { providers: {} };
+};
 var loadConfig = () => {
   const configPath = getConfigPath();
-  if (!fs4.existsSync(configPath)) {
-    ensureConfigDir();
-    fs4.writeFileSync(configPath, JSON.stringify(defaultConfig, null, 2), "utf-8");
-    return { ...defaultConfig };
+  if (!fs5.existsSync(configPath)) {
+    return writeDefaultConfig(configPath);
+  }
+  ensureFileMode(configPath, 384);
+  try {
+    const raw = fs5.readFileSync(configPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    return OrbitConfigSchema.parse(parsed);
+  } catch (error) {
+    const quarantinePath = quarantineCorruptFile(configPath, `${Date.now()}`);
+    logger.warn(
+      `Detected invalid config. Backed it up to "${quarantinePath}" and re-initialized Orbit config.`
+    );
+    return writeDefaultConfig(configPath);
   }
-  const raw = fs4.readFileSync(configPath, "utf-8");
-  const parsed = JSON.parse(raw);
-  return OrbitConfigSchema.parse(parsed);
 };
 var saveConfig = (config) => {
   ensureConfigDir();
   const configPath = getConfigPath();
-  fs4.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf-8");
+  atomicWriteFile(configPath, JSON.stringify(config, null, 2), 384);
 };
 var addProfile = (provider, profile, metadata) => {
   const config = loadConfig();
@@ -300,6 +543,12 @@ var removeProfile = (provider, profile) => {
   if (providerConfig.current === profile) {
     providerConfig.current = void 0;
   }
+  if (providerConfig.metadata?.[profile]) {
+    delete providerConfig.metadata[profile];
+    if (Object.keys(providerConfig.metadata).length === 0) {
+      delete providerConfig.metadata;
+    }
+  }
   if (providerConfig.profiles.length === 0) {
     delete config.providers[provider];
   }
@@ -336,50 +585,135 @@ var validateProfileName = (name) => {
   return nameSchema.parse(name);
 };
 
-// src/utils/logger.ts
-import chalk from "chalk";
-var write = (stream, message) => {
-  stream.write(`${message}
-`);
+// src/utils/errorHandler.ts
+import { ZodError } from "zod";
+
+// src/utils/cliError.ts
+var CliError = class extends Error {
+  exitCode;
+  constructor(message, exitCode = 1) {
+    super(message);
+    this.name = "CliError";
+    this.exitCode = exitCode;
+  }
 };
-var logger = {
-  info: (message) => {
-    write(process.stdout, chalk.blue("\u2139") + ` ${message}`);
-  },
-  success: (message) => {
-    write(process.stdout, chalk.green("\u2714") + ` ${message}`);
-  },
-  warn: (message) => {
-    write(process.stderr, chalk.yellow("\u26A0") + ` ${message}`);
-  },
-  error: (message) => {
-    write(process.stderr, chalk.red("\u2716") + ` ${message}`);
-  },
-  plain: (message) => {
-    write(process.stdout, message);
-  },
-  newline: () => {
-    write(process.stdout, "");
+var fail = (message, exitCode = 1) => {
+  throw new CliError(message, exitCode);
+};
+
+// src/utils/redact.ts
+var PATTERNS = [
+  [/(Bearer\s+)[A-Za-z0-9._\-~=+/]+/g, "$1[REDACTED]"],
+  [/([A-Z_]*TOKEN=)[^\s"']+/g, "$1[REDACTED]"],
+  [/"token"\s*:\s*"[^"]+"/g, '"token":"[REDACTED]"']
+];
+var redactSecrets = (value) => {
+  let output = value;
+  for (const [pattern, replacement] of PATTERNS) {
+    output = output.replace(pattern, replacement);
   }
+  return output;
 };
 
 // src/utils/errorHandler.ts
-import { ZodError } from "zod";
+var printDebugStack = (error) => {
+  if (process.env["ORBIT_DEBUG"] !== "1") {
+    return;
+  }
+  logger.plain(redactSecrets(error.stack ?? ""));
+};
 var handleError = (error) => {
   if (error instanceof ZodError) {
     const messages = error.issues.map((e) => e.message).join(", ");
-    logger.error(`Validation error: ${messages}`);
-    process.exit(1);
+    const message = `Validation error: ${messages}`;
+    if (logger.isJsonMode()) {
+      logger.json({
+        ok: false,
+        error: {
+          type: "validation_error",
+          message
+        }
+      });
+    } else {
+      logger.error(message);
+    }
+    process.exitCode = 1;
+    return;
+  }
+  if (error instanceof CliError) {
+    if (logger.isJsonMode()) {
+      logger.json({
+        ok: false,
+        error: {
+          type: "cli_error",
+          message: error.message
+        }
+      });
+    } else {
+      logger.error(error.message);
+    }
+    process.exitCode = error.exitCode;
+    printDebugStack(error);
+    return;
   }
   if (error instanceof Error) {
-    logger.error(error.message);
-    if (process.env["ORBIT_DEBUG"] === "1") {
-      logger.plain(error.stack ?? "");
+    const message = redactSecrets(error.message);
+    if (logger.isJsonMode()) {
+      logger.json({
+        ok: false,
+        error: {
+          type: "runtime_error",
+          message
+        }
+      });
+    } else {
+      logger.error(message);
     }
-    process.exit(1);
+    process.exitCode = 1;
+    printDebugStack(error);
+    return;
+  }
+  if (logger.isJsonMode()) {
+    logger.json({
+      ok: false,
+      error: {
+        type: "unknown_error",
+        message: "An unexpected error occurred."
+      }
+    });
+  } else {
+    logger.error("An unexpected error occurred.");
+  }
+  process.exitCode = 1;
+};
+
+// src/utils/spinner.ts
+import ora from "ora";
+var NoopSpinner = class {
+  text;
+  constructor(text) {
+    this.text = text;
+  }
+  start() {
+    return this;
+  }
+  stop() {
+    return this;
+  }
+  succeed(text) {
+    logger.success(text ?? this.text);
+    return this;
+  }
+  fail(text) {
+    logger.error(text ?? this.text);
+    return this;
   }
-  logger.error("An unexpected error occurred.");
-  process.exit(1);
+};
+var createSpinner = (text) => {
+  if (logger.isJsonMode()) {
+    return new NoopSpinner(text);
+  }
+  return ora(text).start();
 };
 
 // src/commands/add.ts
@@ -449,7 +783,7 @@ var addCommand = new Command("add").description("Add a new cloud provider profil
     let token = "";
     let storedTokenFound = false;
     if (provider.getStoredToken) {
-      const spinner2 = ora(`Checking for existing ${provider.name} credentials...`).start();
+      const spinner2 = createSpinner(`Checking for existing ${provider.name} credentials...`);
       try {
         const storedToken = await provider.getStoredToken();
         spinner2.stop();
@@ -481,7 +815,7 @@ var addCommand = new Command("add").description("Add a new cloud provider profil
         const loginSuccess = await provider.login();
         if (loginSuccess) {
           if (provider.getStoredToken) {
-            const spinner2 = ora("Checking for new credentials...").start();
+            const spinner2 = createSpinner("Checking for new credentials...");
             try {
               const storedToken = await provider.getStoredToken();
               spinner2.stop();
@@ -502,14 +836,12 @@ var addCommand = new Command("add").description("Add a new cloud provider profil
       token = await promptHiddenInput(`\u{1F511} Enter token for ${provider.name}/${validProfile}: `);
     }
     if (!token.trim()) {
-      logger.error("Token cannot be empty.");
-      process.exit(1);
+      fail("Token cannot be empty.");
     }
-    const spinner = ora("Validating token...").start();
+    const spinner = createSpinner("Validating token...");
     if (!provider.validateToken(token.trim())) {
       spinner.fail("Token validation failed.");
-      logger.error(`Invalid token format for ${provider.name}. Please check your token and try again.`);
-      process.exit(1);
+      fail(`Invalid token format for ${provider.name}. Please check your token and try again.`);
     }
     spinner.text = "Storing token securely...";
     await storeToken(validProvider, validProfile, token.trim());
@@ -548,6 +880,25 @@ var listCommand = new Command2("list").description("List all profiles across pro
   try {
     const config = loadConfig();
     const providers2 = Object.keys(config.providers);
+    if (logger.isJsonMode()) {
+      const payload = providers2.map((providerName) => {
+        const providerConfig = config.providers[providerName];
+        return {
+          provider: providerName,
+          current: providerConfig?.current ?? null,
+          profiles: (providerConfig?.profiles ?? []).map((profile) => ({
+            name: profile,
+            email: providerConfig?.metadata?.[profile]?.email ?? null,
+            isCurrent: providerConfig?.current === profile
+          }))
+        };
+      });
+      logger.json({
+        ok: true,
+        providers: payload
+      });
+      return;
+    }
     if (providers2.length === 0) {
       logger.info('No profiles configured yet. Use "orbit add <provider> <profile>" to get started.');
       return;
@@ -578,19 +929,21 @@ var listCommand = new Command2("list").description("List all profiles across pro
 
 // src/commands/remove.ts
 import { Command as Command3 } from "commander";
-import ora2 from "ora";
 var removeCommand = new Command3("remove").description("Remove a cloud provider profile").argument("<provider>", "Cloud provider name").argument("<profile>", "Profile name to remove").action(async (providerName, profileName) => {
   try {
     const validProvider = validateProviderName(providerName);
     const validProfile = validateProfileName(profileName);
-    getProvider(validProvider);
+    const provider = getProvider(validProvider);
     if (!profileExists(validProvider, validProfile)) {
-      logger.error(`Profile "${validProfile}" does not exist for provider "${validProvider}".`);
-      process.exit(1);
+      fail(`Profile "${validProfile}" does not exist for provider "${validProvider}".`);
     }
-    const spinner = ora2("Removing profile...").start();
+    const spinner = createSpinner("Removing profile...");
     spinner.text = "Deleting token from secure storage...";
     await deleteToken(validProvider, validProfile);
+    if (provider.removeAuthSnapshot) {
+      spinner.text = "Removing local auth snapshot...";
+      await provider.removeAuthSnapshot(validProfile);
+    }
     spinner.text = "Updating configuration...";
     removeProfile(validProvider, validProfile);
     spinner.succeed(`Profile "${validProfile}" removed from ${validProvider}.`);
@@ -601,32 +954,69 @@ var removeCommand = new Command3("remove").description("Remove a cloud provider
 
 // src/commands/use.ts
 import { Command as Command4 } from "commander";
-import ora3 from "ora";
 var useCommand = new Command4("use").description("Set the current active profile for a provider").argument("<provider>", "Cloud provider name").argument("<profile>", "Profile name to activate").action(async (providerName, profileName) => {
   try {
     const validProvider = validateProviderName(providerName);
     const validProfile = validateProfileName(profileName);
     const provider = getProvider(validProvider);
     if (!profileExists(validProvider, validProfile)) {
-      logger.error(`Profile "${validProfile}" does not exist for provider "${provider.name}".`);
-      process.exit(1);
+      fail(`Profile "${validProfile}" does not exist for provider "${provider.name}".`);
     }
-    const spinner = ora3("Switching profile...").start();
-    const currentProfile = getCurrentProfile(validProvider);
-    if (currentProfile && currentProfile !== validProfile && provider.captureAuth) {
-      try {
-        await provider.captureAuth(currentProfile);
-      } catch {
+    const spinner = createSpinner("Switching profile...");
+    try {
+      const currentProfile = getCurrentProfile(validProvider);
+      if (currentProfile && currentProfile !== validProfile && provider.captureAuth) {
+        try {
+          await provider.captureAuth(currentProfile);
+        } catch {
+        }
       }
-    }
-    if (provider.restoreAuth) {
-      const restored = await provider.restoreAuth(validProfile);
-      if (restored) {
+      if (provider.restoreAuth && currentProfile !== validProfile) {
+        const restoredSnapshot = await provider.restoreAuth(validProfile);
+        if (!restoredSnapshot) {
+          fail(
+            `No saved auth snapshot found for ${provider.name}/${validProfile}. Re-add the profile with "orbit add ${validProvider} ${validProfile}" to capture credentials.`
+          );
+        }
         spinner.text = "Auth credentials restored...";
       }
+      const authValid = provider.validateActiveAuth ? await provider.validateActiveAuth() : true;
+      if (!authValid) {
+        let recovered = false;
+        if (provider.seedAuthFromToken) {
+          const savedToken = await getToken(validProvider, validProfile);
+          if (savedToken && provider.validateToken(savedToken)) {
+            spinner.text = "Refreshing auth from saved token...";
+            const seeded = await provider.seedAuthFromToken(savedToken);
+            if (seeded) {
+              recovered = provider.validateActiveAuth ? await provider.validateActiveAuth() : true;
+            }
+          }
+        }
+        if (!recovered) {
+          if (currentProfile && currentProfile !== validProfile && provider.restoreAuth) {
+            try {
+              await provider.restoreAuth(currentProfile);
+            } catch {
+            }
+          }
+          fail(
+            `Credentials for ${provider.name}/${validProfile} are invalid or expired. Re-authenticate with "${provider.getCliName()} login", then refresh Orbit with "orbit add ${validProvider} ${validProfile}".`
+          );
+        }
+      }
+      if (provider.captureAuth) {
+        try {
+          await provider.captureAuth(validProfile);
+        } catch {
+        }
+      }
+      setCurrentProfile(validProvider, validProfile);
+      spinner.succeed(`Now using profile "${validProfile}" for ${provider.name}.`);
+    } catch (error) {
+      spinner.fail("Failed to switch profile.");
+      throw error;
     }
-    setCurrentProfile(validProvider, validProfile);
-    spinner.succeed(`Now using profile "${validProfile}" for ${provider.name}.`);
   } catch (error) {
     handleError(error);
   }
@@ -641,8 +1031,7 @@ var runCommand = new Command5("run").description("Run a command with a specific
     const validProfile = validateProfileName(profileName);
     const provider = getProvider(validProvider);
     if (!profileExists(validProvider, validProfile)) {
-      logger.error(`Profile "${validProfile}" does not exist for provider "${provider.name}".`);
-      process.exit(1);
+      fail(`Profile "${validProfile}" does not exist for provider "${provider.name}".`);
     }
     logger.info(`Running as ${provider.name}/${validProfile}...`);
     const currentProfile = getCurrentProfile(validProvider);
@@ -655,6 +1044,11 @@ var runCommand = new Command5("run").description("Run a command with a specific
         }
       }
       swapped = await provider.restoreAuth(validProfile);
+      if (!swapped) {
+        logger.warn(
+          `No local auth snapshot found for ${provider.name}/${validProfile}. Using token fallback.`
+        );
+      }
     }
     try {
       if (swapped) {
@@ -667,15 +1061,18 @@ var runCommand = new Command5("run").description("Run a command with a specific
       } else {
         const token = await getToken(validProvider, validProfile);
         if (!token) {
-          logger.error(`No token found for ${provider.name}/${validProfile}. Try adding it again with "orbit add".`);
-          process.exit(1);
+          fail(
+            `No token found for ${provider.name}/${validProfile}. Try adding it again with "orbit add".`
+          );
+          return;
         }
+        const envToken = token;
         const cliName = provider.getCliName();
         const envVar = provider.getEnvVar();
         const result = await execa(cliName, args, {
           env: {
             ...process.env,
-            [envVar]: token
+            [envVar]: envToken
           },
           stdio: "inherit",
           reject: false
@@ -690,7 +1087,6 @@ var runCommand = new Command5("run").description("Run a command with a specific
         }
       }
     }
-    process.exit(process.exitCode ?? 0);
   } catch (error) {
     handleError(error);
   }
@@ -705,40 +1101,47 @@ var execCommand = new Command6("exec").description("Execute a command using the
     const provider = getProvider(validProvider);
     const currentProfile = getCurrentProfile(validProvider);
     if (!currentProfile) {
-      logger.error(
-        `No active profile set for ${provider.name}. Use "orbit use ${validProvider} <profile>" first.`
-      );
-      process.exit(1);
+      fail(`No active profile set for ${provider.name}. Use "orbit use ${validProvider} <profile>" first.`);
+      return;
     }
+    const activeProfile = currentProfile;
+    const cliName = provider.getCliName();
+    logger.info(`Running as ${provider.name}/${activeProfile}...`);
+    let swapped = false;
     if (provider.restoreAuth) {
-      await provider.restoreAuth(currentProfile);
+      swapped = await provider.restoreAuth(activeProfile);
     }
-    const cliName = provider.getCliName();
-    logger.info(`Running as ${provider.name}/${currentProfile}...`);
-    if (provider.getAuthConfigPath?.()) {
+    if (swapped) {
       const result2 = await execa2(cliName, args, {
         stdio: "inherit",
         reject: false
       });
-      process.exit(result2.exitCode ?? 0);
+      process.exitCode = result2.exitCode ?? 0;
+      return;
+    }
+    if (provider.restoreAuth) {
+      logger.warn(
+        `Unable to restore local auth snapshot for ${provider.name}/${activeProfile}. Falling back to token-based execution.`
+      );
     }
-    const token = await getToken(validProvider, currentProfile);
+    const token = await getToken(validProvider, activeProfile);
     if (!token) {
-      logger.error(
-        `No token found for ${provider.name}/${currentProfile}. Try adding it again with "orbit add".`
+      fail(
+        `No token found for ${provider.name}/${activeProfile}. Cannot verify identity; try "orbit add ${validProvider} ${activeProfile}" first.`
       );
-      process.exit(1);
+      return;
     }
+    const envToken = token;
     const envVar = provider.getEnvVar();
     const result = await execa2(cliName, args, {
       env: {
         ...process.env,
-        [envVar]: token
+        [envVar]: envToken
       },
       stdio: "inherit",
       reject: false
     });
-    process.exit(result.exitCode ?? 0);
+    process.exitCode = result.exitCode ?? 0;
   } catch (error) {
     handleError(error);
   }
@@ -751,6 +1154,23 @@ var currentCommand = new Command7("current").description("Show current active pr
   try {
     const config = loadConfig();
     const providers2 = Object.keys(config.providers);
+    if (logger.isJsonMode()) {
+      const current = providers2.map((providerName) => {
+        const providerConfig = config.providers[providerName];
+        if (!providerConfig?.current) {
+          return null;
+        }
+        return {
+          provider: providerName,
+          profile: providerConfig.current
+        };
+      }).filter((entry) => entry !== null);
+      logger.json({
+        ok: true,
+        current
+      });
+      return;
+    }
     if (providers2.length === 0) {
       logger.info("No profiles configured yet.");
       return;
@@ -773,12 +1193,31 @@ var currentCommand = new Command7("current").description("Show current active pr
   }
 });
 
+// src/commands/rotate-key.ts
+import { Command as Command8 } from "commander";
+var rotateKeyCommand = new Command8("rotate-key").description("Rotate local encryption key and re-encrypt stored tokens").action(async () => {
+  const spinner = createSpinner("Rotating encryption key...");
+  try {
+    await rotateEncryptionKey();
+    spinner.succeed("Encryption key rotated successfully.");
+  } catch (error) {
+    spinner.fail("Failed to rotate encryption key.");
+    handleError(error);
+  }
+});
+
 // src/index.ts
 var require2 = createRequire(import.meta.url);
 var pkg = require2("../package.json");
+if (process.argv.includes("--json")) {
+  setJsonMode(true);
+}
+if (process.argv.includes("--debug")) {
+  process.env["ORBIT_DEBUG"] = "1";
+}
 registerProvider(vercelProvider);
-var program = new Command8();
-program.name("orbit").description("Switch Vercel identities instantly. No logout required.").version(pkg.version).enablePositionalOptions();
+var program = new Command9();
+program.name("orbit").description("Switch Vercel identities instantly. No logout required.").version(pkg.version).option("--json", "Output machine-readable JSON logs").option("--debug", "Enable debug diagnostics (with secret redaction)").enablePositionalOptions();
 program.addCommand(addCommand);
 program.addCommand(listCommand);
 program.addCommand(removeCommand);
@@ -786,6 +1225,7 @@ program.addCommand(useCommand);
 program.addCommand(runCommand);
 program.addCommand(execCommand);
 program.addCommand(currentCommand);
+program.addCommand(rotateKeyCommand);
 try {
   await program.parseAsync(process.argv);
 } catch (error) {