@autohq/cli 0.1.86 → 0.1.88

package/dist/agent-bridge.js

@@ -21330,6 +21330,21 @@ var SessionApplyTriggersSchema = external_exports.array(
 ).transform(expandSessionApplyTriggerDefinitions).superRefine(validateAttributedRunsTriggerPairing);
 var AVATAR_ASSET_EXTENSIONS = [".png", ".jpg", ".jpeg"];
 var MAX_AVATAR_ASSET_BYTES = 2 * 1024 * 1024;
+var SESSION_IDENTITY_DESCRIPTION_MAX_LENGTH = 140;
+function sessionIdentityDescriptionLength(value2) {
+  let length = 0;
+  for (const char of value2) {
+    const codePoint = char.codePointAt(0) ?? 0;
+    if (codePoint < 32 || codePoint > 126) {
+      length += 6 * char.length;
+    } else if (char === '"' || char === "\\" || char === "/") {
+      length += 2;
+    } else {
+      length += 1;
+    }
+  }
+  return length;
+}
 var SHA256_HEX_PATTERN = /^[a-f0-9]{64}$/;
 function isAvatarAssetPathShapeValid(asset) {
   const normalized = asset.trim().replaceAll("\\", "/");
@@ -21353,7 +21368,12 @@ var SessionIdentitySchema = external_exports.object({
     // overwritten, so it is never trusted input.
     sha256: external_exports.string().regex(SHA256_HEX_PATTERN).optional()
   }).strict().optional(),
-  description: external_exports.string().trim().min(1).max(256).optional()
+  description: external_exports.string().trim().min(1).refine(
+    (value2) => sessionIdentityDescriptionLength(value2) <= SESSION_IDENTITY_DESCRIPTION_MAX_LENGTH,
+    {
+      message: `description must be at most ${SESSION_IDENTITY_DESCRIPTION_MAX_LENGTH} characters as Slack counts them (a non-ASCII character like "\u2014" counts as 6)`
+    }
+  ).optional()
 }).strict().refine((identity) => Object.keys(identity).length > 0, {
   message: "Session identity requires at least one field"
 });

package/dist/index.js

@@ -16989,6 +16989,20 @@ var init_trigger_router = __esm({
 });
 
 // ../../packages/schemas/src/sessions.ts
+function sessionIdentityDescriptionLength(value) {
+  let length = 0;
+  for (const char of value) {
+    const codePoint = char.codePointAt(0) ?? 0;
+    if (codePoint < 32 || codePoint > 126) {
+      length += 6 * char.length;
+    } else if (char === '"' || char === "\\" || char === "/") {
+      length += 2;
+    } else {
+      length += 1;
+    }
+  }
+  return length;
+}
 function isAvatarAssetPathShapeValid(asset) {
   const normalized = asset.trim().replaceAll("\\", "/");
   if (normalized.length === 0) return false;
@@ -17122,7 +17136,7 @@ function isChatMessageEvent(trigger) {
 function hasFilterValue(trigger, path, expected) {
   return trigger.where?.[path] === expected;
 }
-var RESOURCE_KIND_SESSION, TriggerFilterScalarSchema, TriggerFilterPathSchema, TriggerFilterClauseSchema, TriggerFilterSchema, SessionTriggerCheckTimeoutSchema, TriggerEventSchema, TriggerEventsSchema, SessionTriggerSharedFields, SessionTriggerEventSourceFields, SessionTriggerBaseSchema, SessionTriggerDefinitionBaseSchema, SessionTriggerSchema, SessionApplyTriggerSchema, SessionHeartbeatTriggerBaseSchema, SessionHeartbeatTriggerSchema, SessionApplyHeartbeatTriggerSchema, SessionTriggerDefinitionSchema, SessionApplyTriggerDefinitionSchema, SessionTriggersSchema, SessionApplyTriggersSchema, AVATAR_ASSET_EXTENSIONS, MAX_AVATAR_ASSET_BYTES, SHA256_HEX_PATTERN, SessionIdentitySchema, SessionSpecSchema, SessionApplySpecSchema, SessionStatusSchema, SessionResourceSchema, SessionApplyRequestSchema, SessionApplyTriggerReceiptSchema, SessionApplyResponseSchema, SESSION_TELEGRAM_IDENTITY_STATUSES, SessionTelegramIdentityStatusSchema, SessionPresenceIdentitySchema, SessionPresenceResponseSchema, SessionPresenceConnectRequestSchema, SessionPresenceConnectPendingSchema, SessionPresenceConnectResponseSchema, SessionPresenceIconRequestSchema, SessionPresenceIconResponseSchema, SessionPresenceCompleteResponseSchema;
+var RESOURCE_KIND_SESSION, TriggerFilterScalarSchema, TriggerFilterPathSchema, TriggerFilterClauseSchema, TriggerFilterSchema, SessionTriggerCheckTimeoutSchema, TriggerEventSchema, TriggerEventsSchema, SessionTriggerSharedFields, SessionTriggerEventSourceFields, SessionTriggerBaseSchema, SessionTriggerDefinitionBaseSchema, SessionTriggerSchema, SessionApplyTriggerSchema, SessionHeartbeatTriggerBaseSchema, SessionHeartbeatTriggerSchema, SessionApplyHeartbeatTriggerSchema, SessionTriggerDefinitionSchema, SessionApplyTriggerDefinitionSchema, SessionTriggersSchema, SessionApplyTriggersSchema, AVATAR_ASSET_EXTENSIONS, MAX_AVATAR_ASSET_BYTES, SESSION_IDENTITY_DESCRIPTION_MAX_LENGTH, SHA256_HEX_PATTERN, SessionIdentitySchema, SessionSpecSchema, SessionApplySpecSchema, SessionStatusSchema, SessionResourceSchema, SessionApplyRequestSchema, SessionApplyTriggerReceiptSchema, SessionApplyResponseSchema, SESSION_TELEGRAM_IDENTITY_STATUSES, SessionTelegramIdentityStatusSchema, SessionPresenceIdentitySchema, SessionPresenceResponseSchema, SessionPresenceConnectRequestSchema, SessionPresenceConnectPendingSchema, SessionPresenceConnectResponseSchema, SessionPresenceIconRequestSchema, SessionPresenceIconResponseSchema, SessionPresenceCompleteResponseSchema;
 var init_sessions = __esm({
   "../../packages/schemas/src/sessions.ts"() {
     "use strict";
@@ -17299,6 +17313,7 @@ var init_sessions = __esm({
     ).transform(expandSessionApplyTriggerDefinitions).superRefine(validateAttributedRunsTriggerPairing);
     AVATAR_ASSET_EXTENSIONS = [".png", ".jpg", ".jpeg"];
     MAX_AVATAR_ASSET_BYTES = 2 * 1024 * 1024;
+    SESSION_IDENTITY_DESCRIPTION_MAX_LENGTH = 140;
     SHA256_HEX_PATTERN = /^[a-f0-9]{64}$/;
     SessionIdentitySchema = external_exports.object({
       displayName: external_exports.string().trim().min(1).max(80).optional(),
@@ -17312,7 +17327,12 @@ var init_sessions = __esm({
         // overwritten, so it is never trusted input.
         sha256: external_exports.string().regex(SHA256_HEX_PATTERN).optional()
       }).strict().optional(),
-      description: external_exports.string().trim().min(1).max(256).optional()
+      description: external_exports.string().trim().min(1).refine(
+        (value) => sessionIdentityDescriptionLength(value) <= SESSION_IDENTITY_DESCRIPTION_MAX_LENGTH,
+        {
+          message: `description must be at most ${SESSION_IDENTITY_DESCRIPTION_MAX_LENGTH} characters as Slack counts them (a non-ASCII character like "\u2014" counts as 6)`
+        }
+      ).optional()
     }).strict().refine((identity) => Object.keys(identity).length > 0, {
       message: "Session identity requires at least one field"
     });
@@ -18138,20 +18158,42 @@ var init_active_project = __esm({
 });
 
 // src/lib/config/path.ts
+import { createHash } from "crypto";
 import { homedir } from "os";
-import { join } from "path";
+import { join, normalize } from "path";
 function defaultConfigPath() {
   return process.env.AUTO_CLI_CONFIG ?? join(homedir(), ".auto", "config.yaml");
 }
+function profilesDir(configPath = defaultConfigPath()) {
+  return normalize(join(configPath, "..", PROFILES_DIR_NAME));
+}
+function profileFileName(input) {
+  const key = `${input.userEmail.toLowerCase()}
+${serverHost(input.serverUrl)}`;
+  const hash2 = createHash("sha256").update(key).digest("hex").slice(0, 8);
+  return `${slug(input.userEmail)}--${slug(serverHost(input.serverUrl))}-${hash2}.yaml`;
+}
+function serverHost(serverUrl) {
+  try {
+    return new URL(serverUrl).host;
+  } catch {
+    return serverUrl;
+  }
+}
+function slug(value) {
+  return value.toLowerCase().replace(/[^a-z0-9._-]+/g, "_");
+}
+var PROFILES_DIR_NAME;
 var init_path = __esm({
   "src/lib/config/path.ts"() {
     "use strict";
+    PROFILES_DIR_NAME = "profiles";
   }
 });
 
 // src/lib/config/file.ts
 import { chmodSync, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
-import { dirname as dirname2 } from "path";
+import { basename, dirname as dirname2, join as join2 } from "path";
 function readConfig(path = defaultConfigPath()) {
   try {
     const text = readFileSync2(path, "utf8");
@@ -18159,21 +18201,8 @@ function readConfig(path = defaultConfigPath()) {
     for (const line of text.split(/\r?\n/)) {
       const match = /^([A-Za-z0-9_]+):\s*(.*)$/.exec(line.trim());
       if (!match) continue;
-      const value = match[2] ?? "";
-      if (match[1] === "serverUrl") config2.serverUrl = value;
-      if (match[1] === "organizationId") config2.organizationId = value;
-      if (match[1] === "projectId") config2.projectId = value;
-      if (match[1] === "refreshToken") config2.refreshToken = value;
-      if (match[1] === "accessToken") config2.accessToken = value;
-      if (match[1] === "accessTokenExpiresAt") {
-        config2.accessTokenExpiresAt = value;
-      }
-      if (match[1] === "accessTokenOrganizationId") {
-        config2.accessTokenOrganizationId = value;
-      }
-      if (match[1] === "accessTokenProjectId") {
-        config2.accessTokenProjectId = value;
-      }
+      const key = CONFIG_KEYS.find((candidate) => candidate === match[1]);
+      if (key) config2[key] = match[2] ?? "";
     }
     return config2;
   } catch (err) {
@@ -18182,17 +18211,26 @@ function readConfig(path = defaultConfigPath()) {
   }
 }
 function writeConfig(config2, path = defaultConfigPath()) {
+  writeConfigFile(config2, path);
+  if (config2.userEmail && config2.serverUrl && basename(dirname2(path)) !== PROFILES_DIR_NAME) {
+    writeConfigFile(
+      config2,
+      join2(
+        dirname2(path),
+        PROFILES_DIR_NAME,
+        profileFileName({
+          userEmail: config2.userEmail,
+          serverUrl: config2.serverUrl
+        })
+      )
+    );
+  }
+}
+function writeConfigFile(config2, path) {
   mkdirSync2(dirname2(path), { recursive: true });
-  const lines = [
-    ["serverUrl", config2.serverUrl],
-    ["organizationId", config2.organizationId],
-    ["projectId", config2.projectId],
-    ["refreshToken", config2.refreshToken],
-    ["accessToken", config2.accessToken],
-    ["accessTokenExpiresAt", config2.accessTokenExpiresAt],
-    ["accessTokenOrganizationId", config2.accessTokenOrganizationId],
-    ["accessTokenProjectId", config2.accessTokenProjectId]
-  ].filter(([, value]) => value).map(([key, value]) => `${key}: ${value}`);
+  const lines = CONFIG_KEYS.filter((key) => config2[key]).map(
+    (key) => `${key}: ${config2[key]}`
+  );
   writeFileSync2(path, `${lines.join("\n")}
 `, {
     encoding: "utf8",
@@ -18200,10 +18238,23 @@ function writeConfig(config2, path = defaultConfigPath()) {
   });
   chmodSync(path, 384);
 }
+var CONFIG_KEYS;
 var init_file = __esm({
   "src/lib/config/file.ts"() {
     "use strict";
     init_path();
+    CONFIG_KEYS = [
+      "serverUrl",
+      "userId",
+      "userEmail",
+      "organizationId",
+      "projectId",
+      "refreshToken",
+      "accessToken",
+      "accessTokenExpiresAt",
+      "accessTokenOrganizationId",
+      "accessTokenProjectId"
+    ];
   }
 });
 
@@ -20193,7 +20244,7 @@ var init_connect = __esm({
 });
 
 // src/commands/apply/files.ts
-import { createHash } from "crypto";
+import { createHash as createHash2 } from "crypto";
 import {
   readFileSync as readFileSync3,
   readdirSync,
@@ -20201,11 +20252,11 @@ import {
   statSync
 } from "fs";
 import {
-  basename,
+  basename as basename2,
   dirname as dirname3,
   extname,
   isAbsolute,
-  join as join2,
+  join as join3,
   resolve
 } from "path";
 import { parseAllDocuments as parseYamlDocuments } from "yaml";
@@ -20221,7 +20272,7 @@ function readProjectApplyRequest(options) {
     );
     return { ...request, assets: assets2 };
   }
-  const directory = options.directory ?? join2(process.cwd(), ".auto");
+  const directory = options.directory ?? join3(process.cwd(), ".auto");
   const files = applyFiles(directory);
   if (files.length === 0) {
     throw new Error(`No resource files found in ${directory}`);
@@ -20284,7 +20335,7 @@ function applyFiles(root) {
   const files = [];
   for (const kind of APPLY_RESOURCE_ORDER) {
     const directory = APPLY_DIRECTORIES[kind];
-    const path = join2(root, directory);
+    const path = join3(root, directory);
     let entries;
     try {
       entries = readdirSync(path, { withFileTypes: true });
@@ -20358,7 +20409,7 @@ function readApplyAssets(resources, projectRoot) {
     });
     const bytes = readFileSync3(resolvedPath);
     assets[avatarAsset] = {
-      sha256: createHash("sha256").update(bytes).digest("hex"),
+      sha256: createHash2("sha256").update(bytes).digest("hex"),
       contentType: extname(resolvedPath).toLowerCase() === ".png" ? "image/png" : "image/jpeg",
       dataBase64: bytes.toString("base64")
     };
@@ -20422,12 +20473,12 @@ function validateSessionAvatarAsset(input) {
 }
 function applyProjectRoot(directory) {
   const resolved = resolve(directory);
-  return basename(resolved) === ".auto" ? dirname3(resolved) : resolved;
+  return basename2(resolved) === ".auto" ? dirname3(resolved) : resolved;
 }
 function applyFileProjectRoot(file2) {
   let dir = dirname3(resolve(file2));
   while (true) {
-    if (basename(dir) === ".auto") {
+    if (basename2(dir) === ".auto") {
       return dirname3(dir);
     }
     const parent = dirname3(dir);
@@ -20464,7 +20515,7 @@ function isRecord(value) {
 function resourceApplyFiles(directory, entries) {
   const files = [];
   for (const entry of entries) {
-    const path = join2(directory, entry.name);
+    const path = join3(directory, entry.name);
     if (entry.isDirectory()) {
       files.push(
         ...resourceApplyFiles(path, readdirSync(path, { withFileTypes: true }))
@@ -20613,13 +20664,49 @@ var init_actions = __esm({
   }
 });
 
+// src/lib/config/profiles.ts
+import { readdirSync as readdirSync2 } from "fs";
+import { join as join4 } from "path";
+function listProfiles(configPath = defaultConfigPath()) {
+  const dir = profilesDir(configPath);
+  let entries;
+  try {
+    entries = readdirSync2(dir);
+  } catch (err) {
+    if (err.code === "ENOENT") return [];
+    throw err;
+  }
+  return entries.filter((entry) => entry.endsWith(".yaml")).sort().map((entry) => {
+    const path = join4(dir, entry);
+    return { path, config: readConfig(path) };
+  }).filter((profile) => profile.config.userEmail);
+}
+function findAccountProfile(input) {
+  const candidates = listProfiles(input.configPath).map((profile) => profile.config).filter((config2) => config2.serverUrl === input.serverUrl);
+  return candidates.find(
+    (config2) => input.userId && config2.userId === input.userId
+  ) ?? // Email is only a fallback for when a user id is missing on either side;
+  // it must never override a known user-id mismatch (emails can be
+  // reassigned to a different user).
+  candidates.find(
+    (config2) => input.userEmail && config2.userEmail?.toLowerCase() === input.userEmail.toLowerCase() && !(input.userId && config2.userId && config2.userId !== input.userId)
+  );
+}
+var init_profiles2 = __esm({
+  "src/lib/config/profiles.ts"() {
+    "use strict";
+    init_file();
+    init_path();
+  }
+});
+
 // src/commands/auth/pkce.ts
-import { createHash as createHash2, randomBytes as randomBytes2 } from "crypto";
+import { createHash as createHash3, randomBytes as randomBytes2 } from "crypto";
 function pkceVerifier() {
   return randomBytes2(32).toString("base64url");
 }
 function pkceChallenge(verifier) {
-  return createHash2("sha256").update(verifier).digest("base64url");
+  return createHash3("sha256").update(verifier).digest("base64url");
 }
 var init_pkce = __esm({
   "src/commands/auth/pkce.ts"() {
@@ -20630,7 +20717,6 @@ var init_pkce = __esm({
 // src/commands/auth/login.ts
 async function login(input) {
   const serverUrl = resolveApiBaseUrl({ explicit: input.options.apiUrl });
-  const previous = readConfig(input.configPath);
   if (input.options.device) {
     const device = await postJson(
       input.fetch,
@@ -20648,194 +20734,158 @@ async function login(input) {
         await sleep(Math.max(0, device.interval) * 1e3);
       }
       firstAttempt = false;
+      let token3;
       try {
-        const token2 = await postJson(
+        token3 = await postJson(
           input.fetch,
           `${serverUrl}/api/v1/auth/cli/token`,
           {
             grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-            device_code: device.device_code,
-            ...previous.organizationId && previous.projectId ? {
-              organization_id: previous.organizationId,
-              project_id: previous.projectId
-            } : {}
+            device_code: device.device_code
           }
         );
-        writeConfig(
-          {
-            ...previous,
-            serverUrl,
-            refreshToken: token2.refresh_token,
-            accessToken: token2.access_token,
-            accessTokenExpiresAt: token2.access_token ? accessTokenExpiresAt(token2) : void 0,
-            accessTokenOrganizationId: token2.access_token ? previous.organizationId : void 0,
-            accessTokenProjectId: token2.access_token ? previous.projectId : void 0
-          },
-          input.configPath
-        );
-        input.writeOutput("Logged in.");
-        return;
       } catch (error51) {
         if (error51 instanceof Error && error51.message === "authorization_pending") {
           continue;
         }
         throw error51;
       }
+      await finishLogin({
+        token: token3,
+        serverUrl,
+        fetch: input.fetch,
+        configPath: input.configPath,
+        writeOutput: input.writeOutput
+      });
+      return;
     }
     throw new Error("Device authorization expired before approval.");
   }
   const verifier = input.options.verifier ?? pkceVerifier();
   if (!input.options.code) {
-    const selectionDetails = await resolveLoginSelectionDetails({
-      configPath: input.configPath,
-      env: input.env ?? process.env,
-      fetch: input.fetch,
-      serverUrl,
-      previous,
-      writeError: input.writeError ?? (() => {
-      })
-    });
     const callback = await createOAuthLoopbackCallback({
-      successHtml: (result) => renderOAuthLoopbackPage({
+      successHtml: () => renderOAuthLoopbackPage({
         status: "success",
         eyebrow: "Auto CLI",
         title: "Login authorized",
         message: "Auto received the browser authorization. The CLI will finish signing you in from your terminal.",
-        details: [
-          { label: "Server", value: serverUrl },
-          {
-            label: "Organization",
-            value: result.organizationName ?? selectionDetails.organization
-          },
-          {
-            label: "Project",
-            value: result.projectName ?? selectionDetails.project
-          }
-        ]
+        details: [{ label: "Server", value: serverUrl }]
       }),
       failureHtml: () => renderOAuthLoopbackPage({
         status: "failure",
         eyebrow: "Auto CLI",
         title: "Login failed",
         message: "The browser authorization did not complete. Return to your terminal to retry or inspect the error.",
-        details: [
-          { label: "Server", value: serverUrl },
-          { label: "Organization", value: selectionDetails.organization },
-          { label: "Project", value: selectionDetails.project }
-        ]
+        details: [{ label: "Server", value: serverUrl }]
       })
     });
     try {
       const authorizeUrl = new URL("/auth/cli", serverUrl);
       authorizeUrl.searchParams.set("pkce_challenge", pkceChallenge(verifier));
       authorizeUrl.searchParams.set("redirect_uri", callback.redirectUri);
-      if (previous.organizationId && previous.projectId) {
-        authorizeUrl.searchParams.set(
-          "organization_id",
-          previous.organizationId
-        );
-        authorizeUrl.searchParams.set("project_id", previous.projectId);
-      }
       input.writeOutput(`Opening ${authorizeUrl.toString()}`);
       input.writeOutput("Waiting for browser authorization...");
       openBrowser(authorizeUrl.toString());
       const { code } = await callback.result;
-      await exchangeCode({
+      const token3 = await exchangeAuthorizationCode({
         code,
-        configPath: input.configPath,
         fetch: input.fetch,
-        previous,
         redirectUri: callback.redirectUri,
         serverUrl,
         verifier
       });
-      input.writeOutput("Logged in.");
+      await finishLogin({
+        token: token3,
+        serverUrl,
+        fetch: input.fetch,
+        configPath: input.configPath,
+        writeOutput: input.writeOutput
+      });
       return;
     } finally {
       callback.close();
     }
   }
-  await exchangeCode({
+  const token2 = await exchangeAuthorizationCode({
     code: input.options.code,
-    configPath: input.configPath,
     fetch: input.fetch,
-    previous,
     redirectUri: "http://127.0.0.1/callback",
     serverUrl,
     verifier
   });
-  input.writeOutput("Logged in.");
+  await finishLogin({
+    token: token2,
+    serverUrl,
+    fetch: input.fetch,
+    configPath: input.configPath,
+    writeOutput: input.writeOutput
+  });
 }
-async function exchangeCode(input) {
-  const token2 = await postJson(
+async function exchangeAuthorizationCode(input) {
+  return postJson(
     input.fetch,
     `${input.serverUrl}/api/v1/auth/cli/token`,
     {
       grant_type: "authorization_code",
       code: input.code,
       code_verifier: input.verifier,
-      redirect_uri: input.redirectUri,
-      ...input.previous.organizationId && input.previous.projectId ? {
-        organization_id: input.previous.organizationId,
-        project_id: input.previous.projectId
-      } : {}
+      redirect_uri: input.redirectUri
     }
   );
-  writeConfig(
-    {
-      ...input.previous,
-      serverUrl: input.serverUrl,
-      refreshToken: token2.refresh_token,
-      accessToken: token2.access_token,
-      accessTokenExpiresAt: token2.access_token ? accessTokenExpiresAt(token2) : void 0,
-      accessTokenOrganizationId: token2.access_token ? input.previous.organizationId : void 0,
-      accessTokenProjectId: token2.access_token ? input.previous.projectId : void 0
-    },
-    input.configPath
-  );
 }
-async function resolveLoginSelectionDetails(input) {
-  const fallback = {
-    organization: input.previous.organizationId,
-    project: input.previous.projectId
-  };
-  if (!input.previous.organizationId) {
-    return fallback;
-  }
-  const client = createApiClient({
+async function finishLogin(input) {
+  const { token: token2, serverUrl } = input;
+  const previous = readConfig(input.configPath);
+  const profile = token2.user ? findAccountProfile({
     configPath: input.configPath,
-    env: input.env,
-    fetch: input.fetch,
-    writeError: input.writeError
-  });
-  try {
-    if (input.previous.projectId) {
-      const projects = await client.listProjects({
-        apiBaseUrl: input.serverUrl
-      });
-      const project = projects.projects.find(
-        (candidate) => candidate.organizationId === input.previous.organizationId && candidate.projectId === input.previous.projectId
+    serverUrl,
+    userId: token2.user.id,
+    userEmail: token2.user.email
+  }) : void 0;
+  const selectionSource = profile ?? previous;
+  const selection = selectionSource.organizationId && selectionSource.projectId ? {
+    organizationId: selectionSource.organizationId,
+    projectId: selectionSource.projectId
+  } : void 0;
+  let config2 = {
+    serverUrl,
+    userId: token2.user?.id,
+    userEmail: token2.user?.email,
+    refreshToken: token2.refresh_token,
+    accessToken: token2.access_token,
+    accessTokenExpiresAt: token2.access_token ? accessTokenExpiresAt(token2) : void 0
+  };
+  if (selection) {
+    try {
+      const scoped = await postJson(
+        input.fetch,
+        `${serverUrl}/api/v1/auth/cli/token`,
+        {
+          grant_type: "refresh_token",
+          refresh_token: token2.refresh_token,
+          organization_id: selection.organizationId,
+          project_id: selection.projectId
+        }
+      );
+      config2 = {
+        ...config2,
+        ...selection,
+        refreshToken: scoped.refresh_token,
+        accessToken: scoped.access_token,
+        accessTokenExpiresAt: scoped.access_token ? accessTokenExpiresAt(scoped) : void 0,
+        accessTokenOrganizationId: scoped.access_token ? selection.organizationId : void 0,
+        accessTokenProjectId: scoped.access_token ? selection.projectId : void 0
+      };
+    } catch {
+      input.writeOutput(
+        "The saved organization/project selection is not available for this account; run `auto orgs list` to pick a new one."
       );
-      if (project) {
-        return {
-          organization: project.organizationName,
-          project: project.projectName
-        };
-      }
     }
-    const organizations = await client.listOrganizations({
-      apiBaseUrl: input.serverUrl
-    });
-    const organization = organizations.organizations.find(
-      (candidate) => candidate.organizationId === input.previous.organizationId
-    );
-    return {
-      organization: organization?.organizationName ?? fallback.organization,
-      project: fallback.project
-    };
-  } catch {
-    return fallback;
   }
+  writeConfig(config2, input.configPath);
+  input.writeOutput(
+    token2.user ? `Logged in as ${token2.user.email}.` : "Logged in."
+  );
 }
 async function sleep(ms) {
   await new Promise((resolve2) => setTimeout(resolve2, ms));
@@ -20844,11 +20894,11 @@ var init_login = __esm({
   "src/commands/auth/login.ts"() {
     "use strict";
     init_base_url();
-    init_client();
     init_http();
     init_tokens();
     init_browser();
     init_file();
+    init_profiles2();
     init_loopback();
     init_pkce();
   }
@@ -20858,7 +20908,7 @@ var init_login = __esm({
 import { spawn as spawn2 } from "child_process";
 import { mkdtempSync, readFileSync as readFileSync4, rmSync, writeFileSync as writeFileSync3 } from "fs";
 import { tmpdir } from "os";
-import { join as join3 } from "path";
+import { join as join5 } from "path";
 import { parseAllDocuments as parseYamlDocuments2, stringify as stringify2 } from "yaml";
 async function editResource(input) {
   const reference = parseEditableResource(input.resource);
@@ -20873,8 +20923,8 @@ async function editResource(input) {
   const document = editableResourceDocument(reference.kind, current);
   const source = `${stringify2(document).trimEnd()}
 `;
-  const tempRoot = mkdtempSync(join3(tmpdir(), "auto-edit-"));
-  const filePath = join3(tempRoot, `${reference.kind}-${reference.name}.yaml`);
+  const tempRoot = mkdtempSync(join5(tmpdir(), "auto-edit-"));
+  const filePath = join5(tempRoot, `${reference.kind}-${reference.name}.yaml`);
   writeFileSync3(filePath, source, "utf8");
   let removeTempFile = false;
   try {
@@ -21133,7 +21183,7 @@ var init_package = __esm({
   "package.json"() {
     package_default = {
       name: "@autohq/cli",
-      version: "0.1.86",
+      version: "0.1.88",
       license: "SEE LICENSE IN README.md",
       publishConfig: {
         access: "public"
@@ -27986,6 +28036,7 @@ init_login();
 
 // src/commands/auth/profile.ts
 init_file();
+init_profiles2();
 async function handleAuthStatus(context) {
   const result = await fetchAuthStatus(context);
   context.io.writeResult(result, formatAuthStatusText);
@@ -28010,12 +28061,58 @@ function logout(context) {
   );
   context.writeOutput("Logged out.");
 }
+function switchAccount(context, accountEmail, options = {}) {
+  const profiles = listProfiles(context.configPath);
+  if (profiles.length === 0) {
+    throw new Error("No stored accounts. Run `auto auth login` first.");
+  }
+  const active = readConfig(context.configPath);
+  if (!accountEmail) {
+    for (const profile of profiles) {
+      context.writeOutput(accountLine(profile.config, active));
+    }
+    return;
+  }
+  const matches = profiles.map((profile) => profile.config).filter(
+    (config2) => config2.userEmail?.toLowerCase() === accountEmail.toLowerCase() && (!options.server || config2.serverUrl === options.server)
+  );
+  if (matches.length === 0) {
+    throw new Error(
+      `No stored account for ${accountEmail}. Run \`auto auth login\` to add it.`
+    );
+  }
+  const match = matches.length === 1 ? matches[0] : matches.find((config2) => config2.serverUrl === active.serverUrl);
+  if (!match) {
+    throw new Error(
+      `Multiple servers have a stored account for ${accountEmail}: ${matches.map((config2) => config2.serverUrl).join(
+        ", "
+      )}. Pick one with \`auto auth switch ${accountEmail} --server <url>\`.`
+    );
+  }
+  writeConfig(match, context.configPath);
+  context.writeOutput(`Switched to ${match.userEmail} (${match.serverUrl}).`);
+  if (!match.refreshToken) {
+    context.writeOutput(
+      "This account has no stored credentials; run `auto auth login`."
+    );
+  }
+}
+function accountLine(config2, active) {
+  const isActive = Boolean(config2.userEmail) && config2.userEmail === active.userEmail && config2.serverUrl === active.serverUrl;
+  return [
+    config2.userEmail,
+    `server=${config2.serverUrl ?? "(unset)"}`,
+    config2.refreshToken ? void 0 : "logged_out",
+    isActive ? "(active)" : void 0
+  ].filter(Boolean).join(" ");
+}
 async function fetchAuthStatus(context) {
   const config2 = readConfig(context.configPath);
   const client = createContextApiClient(context);
   const operator = client.getOperatorInfo();
   const base = {
     serverUrl: config2.serverUrl ?? context.env.AUTO_API_BASE_URL ?? null,
+    account: config2.userEmail ?? null,
     organizationId: config2.organizationId ?? null,
     projectId: config2.projectId ?? null,
     authSource: operator.authType
@@ -28057,6 +28154,9 @@ async function fetchAuthStatus(context) {
 }
 function formatAuthStatusText(result, writeLine) {
   writeLine(`server: ${result.serverUrl ?? "(unset)"}`);
+  if (result.account) {
+    writeLine(`account: ${result.account}`);
+  }
   writeLine(`organization: ${result.organizationId ?? "(unset)"}`);
   writeLine(`project: ${result.projectId ?? "(unset)"}`);
   writeLine(
@@ -28169,6 +28269,11 @@ function registerAuthCommands(program, context) {
     await handleWhoami(context);
   });
   auth.command("logout").description("Remove the local user refresh token.").action(() => logout(context));
+  auth.command("switch").description(
+    "Switch the active account to a stored profile, or list stored accounts."
+  ).argument("[email]", "Email of a stored account").option("--server <url>", "Auto web server URL of the stored account").action(
+    (email3, options) => switchAccount(context, email3, options)
+  );
 }
 
 // src/lib/stdio/readline.ts
@@ -30725,7 +30830,7 @@ init_resources2();
 init_browser();
 import { existsSync as existsSync2, mkdtempSync as mkdtempSync2, writeFileSync as writeFileSync4 } from "fs";
 import { homedir as homedir2, tmpdir as tmpdir2 } from "os";
-import { join as join4 } from "path";
+import { join as join6 } from "path";
 var POLL_INTERVAL_MS = 2e3;
 var POLL_TIMEOUT_MS = 5 * 6e4;
 var SLACK_APPS_URL = "https://api.slack.com/apps";
@@ -30886,7 +30991,7 @@ async function promptForIconUploads(input, options) {
   }
 }
 function stagedLocationLabel(stagedPath) {
-  return stagedPath.startsWith(`${join4(homedir2(), "Downloads")}/`) ? "Downloads" : "the printed path";
+  return stagedPath.startsWith(`${join6(homedir2(), "Downloads")}/`) ? "Downloads" : "the printed path";
 }
 async function stageAvatarImage(input) {
   try {
@@ -30898,9 +31003,9 @@ async function stageAvatarImage(input) {
     }
     const contentType = response.headers.get("content-type") ?? "";
     const extension = contentType.includes("jpeg") ? ".jpg" : ".png";
-    const downloads = join4(homedir2(), "Downloads");
-    const directory = existsSync2(downloads) ? downloads : mkdtempSync2(join4(tmpdir2(), "auto-avatar-"));
-    const path = join4(directory, `${input.session}-avatar${extension}`);
+    const downloads = join6(homedir2(), "Downloads");
+    const directory = existsSync2(downloads) ? downloads : mkdtempSync2(join6(tmpdir2(), "auto-avatar-"));
+    const path = join6(directory, `${input.session}-avatar${extension}`);
     writeFileSync4(path, Buffer.from(await response.arrayBuffer()));
     return path;
   } catch {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@autohq/cli",
-  "version": "0.1.86",
+  "version": "0.1.88",
   "license": "SEE LICENSE IN README.md",
   "publishConfig": {
     "access": "public"