@danainnovations/cortex-mcp 1.0.4 → 1.0.7

package/dist/cli.js

@@ -10,29 +10,33 @@ import * as readline from "readline";
 var DEFAULT_SERVER_URL = "https://cortex-bice.vercel.app";
 var PROTOCOL_VERSION = "2024-11-05";
 var AVAILABLE_MCPS = [
+  {
+    name: "asana",
+    displayName: "Asana",
+    description: "Projects, tasks, teams, workspaces (17 tools)",
+    serverName: "cortex-asana",
+    authMode: "personal"
+  },
   {
     name: "github",
     displayName: "GitHub",
     description: "Repos, PRs, issues, branches, code review (30 tools)",
-    serverName: "cortex-github"
+    serverName: "cortex-github",
+    authMode: "company"
   },
   {
     name: "vercel",
     displayName: "Vercel",
     description: "Deployments, projects, env vars (15 tools)",
-    serverName: "cortex-vercel"
+    serverName: "cortex-vercel",
+    authMode: "company"
   },
   {
     name: "supabase",
     displayName: "Supabase",
     description: "Database, migrations, edge functions (20+ tools)",
-    serverName: "cortex-supabase"
-  },
-  {
-    name: "sonance_brand",
-    displayName: "Sonance Brand",
-    description: "Brand design system, product data",
-    serverName: "cortex-sonance-brand"
+    serverName: "cortex-supabase",
+    authMode: "company"
   }
 ];
 var MCP_NAMES = AVAILABLE_MCPS.map((m) => m.name);
@@ -40,6 +44,7 @@ var DEFAULT_MCPS = [...MCP_NAMES];
 var DEFAULT_API_KEY = "ctx_07d37a81_9f7be06af38d04753090a4034f907a65ec06cd675ed26f65653898388e2d1709";
 var CONFIG_DIR_NAME = ".cortex-mcp";
 var CONFIG_FILE_NAME = "config.json";
+var CREDENTIALS_FILE_NAME = "credentials.json";
 
 // src/config/storage.ts
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
@@ -214,7 +219,7 @@ function generateStdioSnippet(apiKey) {
     mcpServers: {
       cortex: {
         command: "npx",
-        args: ["-y", "@danainnovations/cortex-mcp", "serve"],
+        args: ["-y", "@danainnovations/cortex-mcp@latest", "serve"],
         env: { CORTEX_API_KEY: apiKey }
       }
     }
@@ -267,6 +272,352 @@ function configureClient(clientType, serverUrl, apiKey, mcps) {
   }
 }
 
+// src/auth/credentials.ts
+import { existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync3, unlinkSync, writeFileSync as writeFileSync3 } from "fs";
+import { join as join3 } from "path";
+function getCredentialsPath() {
+  return join3(getHomeDir(), CONFIG_DIR_NAME, CREDENTIALS_FILE_NAME);
+}
+function readCredentials() {
+  const path = getCredentialsPath();
+  if (!existsSync3(path)) return null;
+  try {
+    const raw = readFileSync3(path, "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function writeCredentials(creds) {
+  const dir = join3(getHomeDir(), CONFIG_DIR_NAME);
+  if (!existsSync3(dir)) {
+    mkdirSync3(dir, { recursive: true, mode: 448 });
+  }
+  const path = getCredentialsPath();
+  writeFileSync3(path, JSON.stringify(creds, null, 2) + "\n", {
+    mode: 384
+  });
+}
+function deleteCredentials() {
+  const path = getCredentialsPath();
+  if (existsSync3(path)) {
+    unlinkSync(path);
+  }
+}
+function getEffectiveApiKey() {
+  const envKey = process.env.CORTEX_API_KEY;
+  if (envKey) return envKey;
+  const creds = readCredentials();
+  if (creds?.apiKey) return creds.apiKey;
+  return DEFAULT_API_KEY;
+}
+
+// src/utils/browser.ts
+import { exec } from "child_process";
+function openBrowser(url) {
+  return new Promise((resolve) => {
+    const platform2 = getPlatform();
+    const cmd = platform2 === "macos" ? "open" : platform2 === "windows" ? "start" : "xdg-open";
+    exec(`${cmd} "${url}"`, () => resolve());
+  });
+}
+
+// src/cli/connect.ts
+function log(msg) {
+  process.stderr.write(msg + "\n");
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function connectProvider(providerName, displayName, apiKey, serverUrl) {
+  let sessionId;
+  let authUrl;
+  let expiresIn;
+  try {
+    const resp = await fetch(
+      `${serverUrl}/api/v1/oauth/connect/${providerName}/initiate`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "x-api-key": apiKey
+        }
+      }
+    );
+    if (!resp.ok) {
+      const err = await resp.json().catch(() => ({}));
+      log(`  Error: ${err.detail || `HTTP ${resp.status}`}`);
+      return false;
+    }
+    const data = await resp.json();
+    sessionId = data.session_id;
+    authUrl = data.authorization_url;
+    expiresIn = data.expires_in;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    log(`  Error: Could not reach Cortex server at ${serverUrl}`);
+    log(`  ${msg}`);
+    return false;
+  }
+  log(`  Opening browser for ${displayName} authorization...`);
+  await openBrowser(authUrl);
+  log("  If the browser didn't open, visit:");
+  log(`  ${authUrl}`);
+  log("");
+  const deadline = Date.now() + expiresIn * 1e3;
+  process.stderr.write("  Waiting for authorization");
+  while (Date.now() < deadline) {
+    await sleep(3e3);
+    try {
+      const resp = await fetch(
+        `${serverUrl}/api/v1/oauth/connect/poll/${sessionId}`
+      );
+      const result = await resp.json();
+      if (result.status === "completed") {
+        process.stderr.write("\n\n");
+        const who = result.account_email || "unknown";
+        log(`  Connected as ${who}`);
+        log(`  ${displayName} tools will now use your personal account.`);
+        log("");
+        return true;
+      }
+      if (result.status === "expired") {
+        process.stderr.write("\n");
+        log("  Authorization session expired. Please try again.");
+        return false;
+      }
+      if (result.status === "error") {
+        process.stderr.write("\n");
+        log(
+          `  Connection failed: ${result.error_message || "unknown error"}`
+        );
+        return false;
+      }
+      process.stderr.write(".");
+    } catch {
+      process.stderr.write("!");
+    }
+  }
+  process.stderr.write("\n");
+  log("  Timeout waiting for authorization. Please try again.");
+  return false;
+}
+async function runConnect(provider) {
+  const creds = readCredentials();
+  if (!creds) {
+    log("");
+    log("  You must be logged in first.");
+    log("  Run: cortex-mcp login");
+    log("");
+    process.exit(1);
+  }
+  const mcp = AVAILABLE_MCPS.find(
+    (m) => m.name === provider || m.displayName.toLowerCase() === provider.toLowerCase()
+  );
+  if (!mcp) {
+    log("");
+    log(`  Unknown provider: ${provider}`);
+    log(`  Available: ${AVAILABLE_MCPS.map((m) => m.name).join(", ")}`);
+    log("");
+    process.exit(1);
+  }
+  const config = readConfig();
+  const serverUrl = config?.server || DEFAULT_SERVER_URL;
+  log("");
+  log(`  Cortex MCP \u2014 Connect ${mcp.displayName}`);
+  log(`  Link your personal ${mcp.displayName} account`);
+  log("");
+  const success = await connectProvider(
+    mcp.name,
+    mcp.displayName,
+    creds.apiKey,
+    serverUrl
+  );
+  if (!success) {
+    process.exit(1);
+  }
+}
+
+// src/cli/login.ts
+function log2(msg) {
+  process.stderr.write(msg + "\n");
+}
+function sleep2(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function loginWithSSO(serverUrl) {
+  let sessionId;
+  let authUrl;
+  let expiresIn;
+  try {
+    const resp = await fetch(`${serverUrl}/api/v1/auth/employee/initiate`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" }
+    });
+    if (!resp.ok) {
+      log2(`  Error: Failed to start authentication (HTTP ${resp.status})`);
+      return null;
+    }
+    const data = await resp.json();
+    sessionId = data.session_id;
+    authUrl = data.auth_url;
+    expiresIn = data.expires_in;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    log2(`  Error: Could not reach Cortex server at ${serverUrl}`);
+    log2(`  ${msg}`);
+    return null;
+  }
+  log2("  Opening browser for Okta SSO login...");
+  await openBrowser(authUrl);
+  log2("  If the browser didn't open, visit:");
+  log2(`  ${authUrl}`);
+  log2("");
+  const deadline = Date.now() + expiresIn * 1e3;
+  process.stderr.write("  Waiting for authentication");
+  while (Date.now() < deadline) {
+    await sleep2(3e3);
+    try {
+      const resp = await fetch(
+        `${serverUrl}/api/v1/auth/employee/poll/${sessionId}`
+      );
+      const result = await resp.json();
+      if (result.status === "completed") {
+        process.stderr.write("\n\n");
+        const email = result.employee_email || result.user_info?.email || "unknown";
+        const name = result.employee_name || result.user_info?.name || "";
+        const apiKey = result.api_key || "";
+        return { apiKey, email, name: name || void 0 };
+      }
+      if (result.status === "expired") {
+        process.stderr.write("\n");
+        log2("  Authentication session expired. Please try again.");
+        return null;
+      }
+      if (result.status === "error") {
+        process.stderr.write("\n");
+        log2(`  Authentication failed: ${result.error_message || "unknown error"}`);
+        return null;
+      }
+      process.stderr.write(".");
+    } catch {
+      process.stderr.write("!");
+    }
+  }
+  process.stderr.write("\n");
+  log2("  Timeout waiting for authentication. Please try again.");
+  return null;
+}
+async function showConnectionsAndAutoConnect(apiKey, serverUrl) {
+  let existingConnections = [];
+  try {
+    const resp = await fetch(`${serverUrl}/api/v1/oauth/connections`, {
+      headers: { "x-api-key": apiKey }
+    });
+    if (resp.ok) {
+      const data = await resp.json();
+      existingConnections = data.connections || [];
+    }
+  } catch {
+  }
+  log2("");
+  log2("  MCP Connections");
+  log2("  " + "\u2500".repeat(45));
+  const personalMcps = [];
+  for (const mcp of AVAILABLE_MCPS) {
+    const conn = existingConnections.find((c) => c.mcp_name === mcp.name);
+    if (mcp.authMode === "company") {
+      log2(`    ${mcp.displayName.padEnd(15)} company default`);
+    } else {
+      if (conn && !conn.is_company_default && conn.account_email) {
+        log2(`    ${mcp.displayName.padEnd(15)} ${conn.account_email}`);
+      } else {
+        log2(
+          `    ${mcp.displayName.padEnd(15)} not connected (personal account required)`
+        );
+        personalMcps.push({ name: mcp.name, displayName: mcp.displayName });
+      }
+    }
+  }
+  log2("");
+  if (personalMcps.length === 0) {
+    log2("  All accounts connected!");
+    log2("");
+    return;
+  }
+  for (const mcp of personalMcps) {
+    log2(
+      `  ${mcp.displayName} requires a personal connection to access your data.`
+    );
+    log2(`  Connecting now...`);
+    log2("");
+    const success = await connectProvider(
+      mcp.name,
+      mcp.displayName,
+      apiKey,
+      serverUrl
+    );
+    if (!success) {
+      log2(
+        `  You can connect later with: cortex-mcp connect ${mcp.name}`
+      );
+      log2("");
+    }
+  }
+}
+async function runLogin() {
+  const existing = readCredentials();
+  if (existing) {
+    log2("");
+    log2(`  Already logged in as ${existing.name || existing.email}`);
+    log2("  Run 'cortex-mcp logout' first to switch accounts.");
+    log2("");
+    return;
+  }
+  const config = readConfig();
+  const serverUrl = config?.server || DEFAULT_SERVER_URL;
+  log2("");
+  log2("  Cortex MCP Login");
+  log2("  Sign in with your company Okta SSO account");
+  log2("");
+  const result = await loginWithSSO(serverUrl);
+  if (!result) {
+    process.exit(1);
+  }
+  const { apiKey, email, name } = result;
+  writeCredentials({
+    apiKey,
+    email,
+    name,
+    authenticatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  log2(`  Authenticated as ${name || email}${name ? ` (${email})` : ""}`);
+  log2("  Personal API key saved.");
+  const existingConfig = readConfig();
+  if (existingConfig && existingConfig.configuredClients && existingConfig.configuredClients.length > 0) {
+    log2("");
+    log2("  Updating configured clients:");
+    for (const clientType of existingConfig.configuredClients) {
+      try {
+        configureClient(
+          clientType,
+          existingConfig.server || DEFAULT_SERVER_URL,
+          apiKey,
+          existingConfig.mcps
+        );
+        log2(`    ${clientType}: updated`);
+      } catch {
+        log2(`    ${clientType}: failed to update`);
+      }
+    }
+    existingConfig.apiKey = apiKey;
+    writeConfig(existingConfig);
+  }
+  await showConnectionsAndAutoConnect(apiKey, serverUrl);
+  log2("  Done! Restart your AI clients to apply.");
+  log2("");
+}
+
 // src/cli/setup.ts
 var rl = readline.createInterface({
   input: process.stdin,
@@ -277,28 +628,29 @@ function ask(question) {
     rl.question(question, (answer) => resolve(answer.trim()));
   });
 }
-function log(msg) {
+function log3(msg) {
   process.stderr.write(msg + "\n");
 }
 async function runSetup() {
-  const apiKey = DEFAULT_API_KEY;
-  log("");
-  log("  Cortex MCP Setup");
-  log("  Connect your AI tools to GitHub, Vercel, Supabase & Sonance Brand");
-  log("");
-  log("  Step 1: Select MCPs");
-  log("  Available MCPs (all enabled by default):\n");
+  let apiKey = getEffectiveApiKey();
+  let creds = readCredentials();
+  log3("");
+  log3("  Cortex MCP Setup");
+  log3("  Connect your AI tools to Asana, GitHub, Vercel & Supabase");
+  log3("");
+  log3("  Step 1: Select MCPs");
+  log3("  Available MCPs (all enabled by default):\n");
   for (const mcp of AVAILABLE_MCPS) {
-    log(`    - ${mcp.displayName.padEnd(15)} ${mcp.description}`);
+    log3(`    - ${mcp.displayName.padEnd(15)} ${mcp.description}`);
   }
-  log("");
+  log3("");
   const mcpInput = await ask(
     `  MCPs to enable (comma-separated, or press Enter for all): `
   );
   let selectedMcps;
   if (!mcpInput) {
     selectedMcps = [...DEFAULT_MCPS];
-    log("  All MCPs enabled.\n");
+    log3("  All MCPs enabled.\n");
   } else {
     selectedMcps = mcpInput.split(",").map((s) => s.trim().toLowerCase()).filter(
       (s) => AVAILABLE_MCPS.some(
@@ -313,58 +665,103 @@ async function runSetup() {
     });
     if (selectedMcps.length === 0) {
       selectedMcps = [...DEFAULT_MCPS];
-      log("  No valid MCPs recognized. Enabling all.\n");
+      log3("  No valid MCPs recognized. Enabling all.\n");
     } else {
-      log(`  Enabled: ${selectedMcps.join(", ")}
+      log3(`  Enabled: ${selectedMcps.join(", ")}
 `);
     }
   }
-  log("  Step 2: Configure AI Clients\n");
+  log3("  Step 2: Configure AI Clients\n");
   const clients = detectClients();
   const configuredClients = [];
   for (const client of clients) {
     if (!client.detected) {
-      log(`    ${client.name}: not detected, skipping`);
+      log3(`    ${client.name}: not detected, skipping`);
       continue;
     }
     const answer = await ask(`    Configure ${client.name}? (Y/n): `);
     if (answer.toLowerCase() === "n") {
-      log(`    Skipping ${client.name}`);
+      log3(`    Skipping ${client.name}`);
       continue;
     }
     try {
       if (client.type === "claude-desktop") {
         configureClaudeDesktop(DEFAULT_SERVER_URL, apiKey, selectedMcps);
-        log(`    ${client.name}: configured`);
+        log3(`    ${client.name}: configured`);
         configuredClients.push(client.type);
       } else if (client.type === "claude-code") {
         configureClaudeCode(DEFAULT_SERVER_URL, apiKey, selectedMcps);
-        log(`    ${client.name}: configured`);
+        log3(`    ${client.name}: configured`);
         configuredClients.push(client.type);
       }
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
-      log(`    ${client.name}: failed \u2014 ${msg}`);
+      log3(`    ${client.name}: failed \u2014 ${msg}`);
     }
   }
-  log("");
+  log3("");
   const stdioAnswer = await ask(
     "  Do you also need a config snippet for OpenClaw or other stdio clients? (y/N): "
   );
   if (stdioAnswer.toLowerCase() === "y") {
-    log("\n  Add this to your client's MCP config:\n");
-    log(generateStdioSnippet(apiKey));
-    log("");
+    log3("\n  Add this to your client's MCP config:\n");
+    log3(generateStdioSnippet(apiKey));
+    log3("");
     configuredClients.push("stdio");
   }
   const config = createConfig(apiKey, selectedMcps);
   config.configuredClients = configuredClients;
   writeConfig(config);
-  log("");
-  log("  Setup complete! Restart your AI clients to see the new tools.");
-  log(`  Config saved to ~/.cortex-mcp/config.json`);
-  log("");
-  rl.close();
+  log3("");
+  log3("  Step 3: Sign In\n");
+  if (creds) {
+    log3(`  Already signed in as ${creds.name || creds.email}`);
+    apiKey = creds.apiKey;
+  } else {
+    log3("  Sign in with your company Okta SSO account.");
+    log3("");
+    rl.close();
+    const result = await loginWithSSO(DEFAULT_SERVER_URL);
+    if (!result) {
+      log3("  Login failed. Run 'cortex-mcp login' to try again.");
+      process.exit(1);
+    }
+    const { apiKey: newKey, email, name } = result;
+    apiKey = newKey;
+    writeCredentials({
+      apiKey: newKey,
+      email,
+      name,
+      authenticatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    log3(`  Authenticated as ${name || email}${name ? ` (${email})` : ""}`);
+    log3("  Personal API key saved.");
+    if (configuredClients.length > 0) {
+      log3("");
+      log3("  Updating clients with personal key:");
+      for (const clientType of configuredClients) {
+        try {
+          if (clientType === "claude-desktop") {
+            configureClaudeDesktop(DEFAULT_SERVER_URL, newKey, selectedMcps);
+          } else if (clientType === "claude-code") {
+            configureClaudeCode(DEFAULT_SERVER_URL, newKey, selectedMcps);
+          }
+          log3(`    ${clientType}: updated`);
+        } catch {
+          log3(`    ${clientType}: failed to update`);
+        }
+      }
+    }
+    config.apiKey = newKey;
+    writeConfig(config);
+    creds = readCredentials();
+  }
+  log3("");
+  log3("  Step 4: Connect Accounts\n");
+  await showConnectionsAndAutoConnect(apiKey, DEFAULT_SERVER_URL);
+  log3("  Setup complete! Restart your AI clients to see the new tools.");
+  log3(`  Config saved to ~/.cortex-mcp/config.json`);
+  log3("");
 }
 
 // src/cli/configure.ts
@@ -374,7 +771,7 @@ var VALID_CLIENTS = {
   stdio: "stdio"
 };
 async function runConfigure(options) {
-  const key = options.key || DEFAULT_API_KEY;
+  const key = options.key || getEffectiveApiKey();
   const { client } = options;
   const clientType = VALID_CLIENTS[client];
   if (!clientType) {
@@ -557,18 +954,9 @@ async function startStdioServer(options) {
 
 // src/cli/serve.ts
 async function runServe() {
-  let apiKey = process.env.CORTEX_API_KEY;
-  let serverUrl = DEFAULT_SERVER_URL;
-  if (!apiKey) {
-    const config = readConfig();
-    if (config) {
-      apiKey = config.apiKey;
-      serverUrl = config.server || DEFAULT_SERVER_URL;
-    }
-  }
-  if (!apiKey) {
-    apiKey = DEFAULT_API_KEY;
-  }
+  const config = readConfig();
+  let serverUrl = config?.server || DEFAULT_SERVER_URL;
+  let apiKey = getEffectiveApiKey();
   await startStdioServer({ serverUrl, apiKey });
 }
 
@@ -580,9 +968,16 @@ function runStatus() {
     return;
   }
   const maskedKey = config.apiKey.slice(0, 8) + "****" + config.apiKey.slice(-4);
+  const creds = readCredentials();
   console.log("");
   console.log("  Cortex MCP Status");
   console.log("  -----------------");
+  if (creds) {
+    console.log(`  User:    ${creds.name || creds.email}`);
+    console.log(`  Email:   ${creds.email}`);
+  } else {
+    console.log("  User:    not logged in (using shared key)");
+  }
   console.log(`  Config:  ${getConfigPath()}`);
   console.log(`  Server:  ${config.server}`);
   console.log(`  API Key: ${maskedKey}`);
@@ -606,7 +1001,7 @@ function runStatus() {
 }
 
 // src/cli/reset.ts
-import { existsSync as existsSync3, unlinkSync, rmdirSync } from "fs";
+import { existsSync as existsSync4, unlinkSync as unlinkSync2, rmdirSync } from "fs";
 function runReset() {
   console.log("");
   console.log("  Resetting Cortex MCP configuration...");
@@ -619,8 +1014,8 @@ function runReset() {
     `  Claude Code:    ${codeReset ? "entries removed" : "no entries found"}`
   );
   const configPath = getConfigPath();
-  if (existsSync3(configPath)) {
-    unlinkSync(configPath);
+  if (existsSync4(configPath)) {
+    unlinkSync2(configPath);
     console.log(`  Config file:    removed`);
   }
   const configDir = getConfigDir();
@@ -630,13 +1025,181 @@ function runReset() {
   }
   console.log("");
   console.log("  Done. Restart your AI clients to apply changes.");
+  console.log("  Note: Login credentials are preserved. Run 'cortex-mcp logout' to sign out.");
   console.log("");
 }
 
+// src/cli/logout.ts
+function runLogout() {
+  const creds = readCredentials();
+  if (!creds) {
+    console.log("");
+    console.log("  Not currently logged in.");
+    console.log("");
+    return;
+  }
+  deleteCredentials();
+  console.log("");
+  console.log(`  Logged out (was: ${creds.email})`);
+  console.log("  MCP tools will use the shared default key.");
+  console.log("  Run 'cortex-mcp login' to sign in again.");
+  console.log("");
+}
+
+// src/cli/whoami.ts
+function runWhoami() {
+  const creds = readCredentials();
+  if (!creds) {
+    console.log("");
+    console.log("  Not logged in. Using shared default API key.");
+    console.log("  Run 'cortex-mcp login' to authenticate.");
+    console.log("");
+    return;
+  }
+  console.log("");
+  console.log("  Cortex MCP Account");
+  console.log("  ------------------");
+  if (creds.name) {
+    console.log(`  Name:           ${creds.name}`);
+  }
+  console.log(`  Email:          ${creds.email}`);
+  console.log(`  Authenticated:  ${creds.authenticatedAt}`);
+  console.log(
+    `  API Key:        ${creds.apiKey.slice(0, 8)}****${creds.apiKey.slice(-4)}`
+  );
+  console.log("");
+}
+
+// src/cli/connections.ts
+function log4(msg) {
+  process.stderr.write(msg + "\n");
+}
+async function runConnections() {
+  const creds = readCredentials();
+  if (!creds) {
+    log4("");
+    log4("  Not logged in. Run: cortex-mcp login");
+    log4("");
+    process.exit(1);
+  }
+  const config = readConfig();
+  const serverUrl = config?.server || DEFAULT_SERVER_URL;
+  try {
+    const resp = await fetch(`${serverUrl}/api/v1/oauth/connections`, {
+      headers: { "x-api-key": creds.apiKey }
+    });
+    if (!resp.ok) {
+      log4("");
+      log4("  Error fetching connections.");
+      log4("");
+      process.exit(1);
+    }
+    const data = await resp.json();
+    const connections = data.connections || [];
+    log4("");
+    log4("  Cortex MCP Connections");
+    log4("  ----------------------");
+    for (const mcp of AVAILABLE_MCPS) {
+      const conn = connections.find((c) => c.mcp_name === mcp.name);
+      let statusText;
+      if (!conn) {
+        statusText = "not connected";
+      } else if (conn.is_company_default) {
+        statusText = "(company default)";
+      } else {
+        statusText = conn.account_email || "connected";
+      }
+      log4(`  ${mcp.displayName.padEnd(15)} ${statusText}`);
+    }
+    log4("");
+    log4("  Connect an account: cortex-mcp connect <provider>");
+    log4("");
+  } catch {
+    log4("");
+    log4("  Error: Could not reach Cortex server.");
+    log4("");
+    process.exit(1);
+  }
+}
+
+// src/cli/disconnect.ts
+function log5(msg) {
+  process.stderr.write(msg + "\n");
+}
+async function runDisconnect(provider) {
+  const creds = readCredentials();
+  if (!creds) {
+    log5("");
+    log5("  Not logged in. Run: cortex-mcp login");
+    log5("");
+    process.exit(1);
+  }
+  const mcp = AVAILABLE_MCPS.find(
+    (m) => m.name === provider || m.displayName.toLowerCase() === provider.toLowerCase()
+  );
+  if (!mcp) {
+    log5("");
+    log5(`  Unknown provider: ${provider}`);
+    log5(`  Available: ${AVAILABLE_MCPS.map((m) => m.name).join(", ")}`);
+    log5("");
+    process.exit(1);
+  }
+  const providerName = mcp.name;
+  const displayName = mcp.displayName;
+  const config = readConfig();
+  const serverUrl = config?.server || DEFAULT_SERVER_URL;
+  try {
+    const listResp = await fetch(`${serverUrl}/api/v1/oauth/connections`, {
+      headers: { "x-api-key": creds.apiKey }
+    });
+    if (!listResp.ok) {
+      log5("");
+      log5("  Error fetching connections.");
+      log5("");
+      process.exit(1);
+    }
+    const listData = await listResp.json();
+    const match = (listData.connections || []).find(
+      (c) => c.mcp_name === providerName && !c.is_company_default
+    );
+    if (!match) {
+      log5("");
+      log5(`  No personal connection found for ${displayName}.`);
+      log5("");
+      process.exit(1);
+    }
+    const resp = await fetch(
+      `${serverUrl}/api/v1/oauth/connections/${match.id}/disconnect`,
+      {
+        method: "POST",
+        headers: { "x-api-key": creds.apiKey }
+      }
+    );
+    if (resp.ok) {
+      log5("");
+      log5(`  Disconnected from ${displayName}.`);
+      log5(
+        `  ${displayName} tools will fall back to the company default token.`
+      );
+      log5("");
+    } else {
+      log5("");
+      log5("  Error disconnecting. Please try again.");
+      log5("");
+      process.exit(1);
+    }
+  } catch {
+    log5("");
+    log5("  Error: Could not reach Cortex server.");
+    log5("");
+    process.exit(1);
+  }
+}
+
 // bin/cli.ts
 var program = new Command();
 program.name("cortex-mcp").description(
-  "Connect your AI tools to GitHub, Vercel, Supabase & Sonance Brand via Cortex"
+  "Connect your AI tools to Asana, GitHub, Vercel & Supabase via Cortex"
 ).version("1.0.0");
 program.command("setup").description("Interactive setup wizard \u2014 configure MCPs and AI clients").action(async () => {
   try {
@@ -669,5 +1232,49 @@ program.command("status").description("Show current Cortex MCP configuration").a
 program.command("reset").description("Remove all Cortex MCP entries from AI clients").action(() => {
   runReset();
 });
+program.command("login").description("Sign in with your company Okta SSO account").action(async () => {
+  try {
+    await runLogin();
+  } catch (err) {
+    if (err.code === "ERR_USE_AFTER_CLOSE") {
+      process.exit(0);
+    }
+    console.error("Login failed:", err);
+    process.exit(1);
+  }
+});
+program.command("logout").description("Sign out and remove stored credentials").action(() => {
+  runLogout();
+});
+program.command("whoami").description("Show current authenticated user").action(() => {
+  runWhoami();
+});
+program.command("connect <provider>").description("Connect your personal account to an MCP service (e.g., asana)").action(async (provider) => {
+  try {
+    await runConnect(provider);
+  } catch (err) {
+    if (err.code === "ERR_USE_AFTER_CLOSE") {
+      process.exit(0);
+    }
+    console.error("Connect failed:", err);
+    process.exit(1);
+  }
+});
+program.command("connections").description("List your OAuth connections to MCP services").action(async () => {
+  try {
+    await runConnections();
+  } catch (err) {
+    console.error("Failed:", err);
+    process.exit(1);
+  }
+});
+program.command("disconnect <provider>").description("Remove your personal OAuth connection to an MCP service").action(async (provider) => {
+  try {
+    await runDisconnect(provider);
+  } catch (err) {
+    console.error("Disconnect failed:", err);
+    process.exit(1);
+  }
+});
 program.parse();
 //# sourceMappingURL=cli.js.map