@hyperdrive.bot/cli 1.0.2

package/bin/dev.cmd

@@ -0,0 +1,3 @@
+@echo off
+
+node --loader ts-node/esm --no-warnings=ExperimentalWarning "%~dp0\dev" %*

package/bin/dev.js

@@ -0,0 +1,3 @@
+import {execute} from '@oclif/core'
+
+await execute({development: true, dir: import.meta.url})

package/bin/run.cmd

@@ -0,0 +1,3 @@
+@echo off
+
+node "%~dp0\run" %*

package/bin/run.js

@@ -0,0 +1,5 @@
+#!/usr/bin/env node
+
+import {execute} from '@oclif/core'
+
+await execute({dir: import.meta.url})

package/dist/commands/account/add.d.ts

@@ -0,0 +1,16 @@
+import { Command } from '@oclif/core';
+export default class AccountAdd extends Command {
+    static description: string;
+    static examples: string[];
+    static flags: {
+        accountId: import("@oclif/core/lib/interfaces/parser.js").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser.js").CustomOptions>;
+        defaultRegion: import("@oclif/core/lib/interfaces/parser.js").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser.js").CustomOptions>;
+        domain: import("@oclif/core/lib/interfaces/parser.js").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser.js").CustomOptions>;
+        name: import("@oclif/core/lib/interfaces/parser.js").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser.js").CustomOptions>;
+        'no-wait': import("@oclif/core/lib/interfaces/parser.js").BooleanFlag<boolean>;
+        roleArn: import("@oclif/core/lib/interfaces/parser.js").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser.js").CustomOptions>;
+    };
+    run(): Promise<void>;
+    private promptUser;
+    private waitForRoleVerification;
+}

package/dist/commands/account/add.js

@@ -0,0 +1,185 @@
+import { Command, Flags } from '@oclif/core';
+import chalk from 'chalk';
+import inquirer from 'inquirer';
+import open from 'open';
+import ora from 'ora';
+import { HyperdriveSigV4Service } from '../../services/hyperdrive-sigv4.js';
+const VERIFY_POLL_INTERVAL = 5000; // 5 seconds
+const VERIFY_TIMEOUT = 300000; // 5 minutes
+export default class AccountAdd extends Command {
+    static description = 'Add an AWS account to Hyperdrive for deployments';
+    static examples = [
+        '<%= config.bin %> <%= command.id %> --accountId 123456789012 --defaultRegion us-east-1',
+        '<%= config.bin %> <%= command.id %> --accountId 123456789012 --defaultRegion us-east-1 --name "Production Account"',
+        '<%= config.bin %> <%= command.id %> # Interactive mode',
+    ];
+    static flags = {
+        accountId: Flags.string({
+            char: 'a',
+            description: 'AWS Account ID (12 digits)',
+        }),
+        defaultRegion: Flags.string({
+            char: 'r',
+            description: 'Default AWS region for deployments',
+        }),
+        domain: Flags.string({
+            char: 'd',
+            description: 'Tenant domain (for multi-domain setups)',
+        }),
+        name: Flags.string({
+            char: 'n',
+            description: 'Friendly name for the account',
+        }),
+        'no-wait': Flags.boolean({
+            default: false,
+            description: 'Do not wait for role verification after opening CloudFormation',
+        }),
+        roleArn: Flags.string({
+            description: 'Cross-account IAM role ARN (optional - will be auto-generated if not provided)',
+        }),
+    };
+    async run() {
+        this.log(chalk.green('🔐 Adding AWS account to Hyperdrive...'));
+        const { flags } = await this.parse(AccountAdd);
+        const responses = await this.promptUser(flags);
+        const service = new HyperdriveSigV4Service(flags.domain);
+        const combinedData = { ...flags, ...responses };
+        try {
+            const result = await service.accountAdd({
+                accountId: combinedData.accountId,
+                defaultRegion: combinedData.defaultRegion,
+                name: combinedData.name,
+                roleArn: combinedData.roleArn,
+            });
+            this.log(chalk.blue('✅ AWS account registered successfully!'));
+            this.log('');
+            this.log(chalk.white('Account Details:'));
+            this.log(chalk.gray(`  Account ID:  ${result.accountId}`));
+            this.log(chalk.gray(`  Name:        ${result.name || 'N/A'}`));
+            this.log(chalk.gray(`  Region:      ${result.defaultRegion}`));
+            this.log(chalk.gray(`  Role ARN:    ${result.roleArn}`));
+            this.log('');
+            // If quickCreateUrl is provided, prompt user to create the cross-account role
+            if (result.quickCreateUrl) {
+                this.log(chalk.yellow('⚠️  IMPORTANT: You need to create the cross-account IAM role in the target account.'));
+                this.log('');
+                this.log(chalk.white('To create the role, open the following URL in your browser:'));
+                this.log(chalk.cyan(result.quickCreateUrl));
+                this.log('');
+                const { openBrowser } = await inquirer.prompt([{
+                        default: true,
+                        message: chalk.yellow('Open CloudFormation in browser to create the role?'),
+                        name: 'openBrowser',
+                        type: 'confirm',
+                    }]);
+                if (openBrowser) {
+                    this.log(chalk.gray('Opening browser...'));
+                    await open(result.quickCreateUrl);
+                    if (flags['no-wait']) {
+                        this.log(chalk.green('✓ Browser opened. Complete the CloudFormation stack creation to enable deployments.'));
+                        this.log('');
+                        this.log(chalk.gray('Once the role is created, you can verify it with: hd account verify --accountId ' + result.accountId));
+                        return;
+                    }
+                    // Poll for role verification
+                    await this.waitForRoleVerification(service, result.accountId);
+                }
+                else {
+                    this.log(chalk.gray('You can create the role later by visiting the URL above.'));
+                    this.log(chalk.gray('After creating the role, verify it with: hd account verify --accountId ' + result.accountId));
+                }
+            }
+            else {
+                this.log('');
+                this.log(chalk.gray('You can now create stages that deploy to this account.'));
+            }
+        }
+        catch (error) {
+            const axiosError = error;
+            const errorMessage = axiosError.response?.data?.message ?? axiosError.message ?? 'Unknown error';
+            this.log(chalk.red('❌ Error adding AWS account: ' + errorMessage));
+            if (axiosError.response?.status === 403) {
+                this.log(chalk.yellow('\nTip: Make sure you are authenticated with "hd auth login".'));
+            }
+            this.exit(1);
+        }
+    }
+    async promptUser(flags) {
+        const prompts = [];
+        if (!flags.accountId) {
+            prompts.push({
+                message: chalk.yellow('🔢 Enter the AWS Account ID (12 digits):'),
+                name: 'accountId',
+                validate: (input) => {
+                    if (!/^\d{12}$/.test(input)) {
+                        return 'AWS Account ID must be exactly 12 digits';
+                    }
+                    return true;
+                },
+            });
+        }
+        if (!flags.name) {
+            prompts.push({
+                default: 'Production',
+                message: chalk.yellow('📛 Enter a friendly name for this account:'),
+                name: 'name',
+            });
+        }
+        if (!flags.defaultRegion) {
+            prompts.push({
+                choices: [
+                    'us-east-1',
+                    'us-east-2',
+                    'us-west-1',
+                    'us-west-2',
+                    'sa-east-1',
+                    'eu-west-1',
+                    'eu-central-1',
+                    'ap-southeast-1',
+                    'ap-northeast-1',
+                ],
+                default: 'us-east-1',
+                message: chalk.yellow('🌍 Select the default AWS region:'),
+                name: 'defaultRegion',
+                type: 'list',
+            });
+        }
+        if (prompts.length === 0) {
+            return {};
+        }
+        return inquirer.prompt(prompts);
+    }
+    async waitForRoleVerification(service, accountId) {
+        const spinner = ora('Waiting for CloudFormation stack to complete and role to be verified...').start();
+        const startTime = Date.now();
+        let attemptCount = 0;
+        while (Date.now() - startTime < VERIFY_TIMEOUT) {
+            attemptCount++;
+            const elapsed = Math.floor((Date.now() - startTime) / 1000);
+            try {
+                spinner.text = `Verifying role... (attempt ${attemptCount}, ${elapsed}s elapsed)`;
+                const result = await service.accountVerify({ accountId });
+                if (result.verified) {
+                    spinner.succeed(chalk.green('✅ Cross-account role verified successfully!'));
+                    this.log('');
+                    this.log(chalk.green('🎉 Account setup complete! You can now create stages that deploy to this account.'));
+                    return;
+                }
+                // Role exists but not verified yet
+                spinner.text = `Role not ready yet: ${result.message || 'waiting...'} (attempt ${attemptCount}, ${elapsed}s)`;
+            }
+            catch (error) {
+                // API error - role not ready yet, continue polling
+                const errorMessage = error instanceof Error ? error.message : 'unknown error';
+                spinner.text = `Checking role... ${errorMessage} (attempt ${attemptCount}, ${elapsed}s)`;
+            }
+            // Wait before next poll
+            await new Promise(resolve => setTimeout(resolve, VERIFY_POLL_INTERVAL));
+        }
+        // Timeout reached
+        spinner.warn(chalk.yellow('⏱️  Verification timed out after 5 minutes.'));
+        this.log('');
+        this.log(chalk.gray('The CloudFormation stack may still be creating.'));
+        this.log(chalk.gray('You can verify the role later with: hd account verify --accountId ' + accountId));
+    }
+}

package/dist/commands/account/list.d.ts

@@ -0,0 +1,6 @@
+import { Command } from '@oclif/core';
+export default class AccountList extends Command {
+    static description: string;
+    static examples: string[];
+    run(): Promise<void>;
+}

package/dist/commands/account/list.js

@@ -0,0 +1,37 @@
+import { Command } from '@oclif/core';
+import chalk from 'chalk';
+import { HyperdriveSigV4Service } from '../../services/hyperdrive-sigv4.js';
+export default class AccountList extends Command {
+    static description = 'List all AWS accounts registered with Hyperdrive';
+    static examples = [
+        '<%= config.bin %> <%= command.id %>',
+    ];
+    async run() {
+        this.log(chalk.green('📋 Fetching AWS accounts...'));
+        const service = new HyperdriveSigV4Service();
+        try {
+            const accounts = await service.accountList();
+            if (accounts.length === 0) {
+                this.log(chalk.yellow('\nNo AWS accounts registered yet.'));
+                this.log(chalk.gray('Use "hd account add" to register an AWS account.'));
+                return;
+            }
+            this.log(chalk.blue(`\n✅ Found ${accounts.length} AWS account(s):\n`));
+            for (const account of accounts) {
+                this.log(chalk.white(`  ${account.name || 'Unnamed'} (${account.accountId})`));
+                this.log(chalk.gray(`    Region: ${account.defaultRegion}`));
+                this.log(chalk.gray(`    Role: ${account.roleArn}`));
+                if (account.createdAt) {
+                    this.log(chalk.gray(`    Added: ${new Date(account.createdAt).toLocaleDateString()}`));
+                }
+                this.log('');
+            }
+        }
+        catch (error) {
+            const axiosError = error;
+            const errorMessage = axiosError.response?.data?.message ?? axiosError.message ?? 'Unknown error';
+            this.log(chalk.red('❌ Error fetching accounts: ' + errorMessage));
+            this.exit(1);
+        }
+    }
+}

package/dist/commands/account/remove.d.ts

@@ -0,0 +1,11 @@
+import { Command } from '@oclif/core';
+export default class AccountRemove extends Command {
+    static description: string;
+    static examples: string[];
+    static flags: {
+        accountId: import("@oclif/core/lib/interfaces/parser.js").OptionFlag<string, import("@oclif/core/lib/interfaces/parser.js").CustomOptions>;
+        domain: import("@oclif/core/lib/interfaces/parser.js").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser.js").CustomOptions>;
+        force: import("@oclif/core/lib/interfaces/parser.js").BooleanFlag<boolean>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/account/remove.js

@@ -0,0 +1,57 @@
+import { Command, Flags } from '@oclif/core';
+import chalk from 'chalk';
+import inquirer from 'inquirer';
+import { HyperdriveSigV4Service } from '../../services/hyperdrive-sigv4.js';
+export default class AccountRemove extends Command {
+    static description = 'Remove an AWS account from Hyperdrive';
+    static examples = [
+        '<%= config.bin %> <%= command.id %> --accountId 123456789012',
+        '<%= config.bin %> <%= command.id %> --accountId 123456789012 --force',
+    ];
+    static flags = {
+        accountId: Flags.string({
+            char: 'a',
+            description: 'AWS Account ID (12 digits)',
+            required: true,
+        }),
+        domain: Flags.string({
+            char: 'd',
+            description: 'Tenant domain (for multi-domain setups)',
+        }),
+        force: Flags.boolean({
+            char: 'f',
+            default: false,
+            description: 'Skip confirmation prompt',
+        }),
+    };
+    async run() {
+        const { flags } = await this.parse(AccountRemove);
+        if (!flags.force) {
+            const { confirm } = await inquirer.prompt([{
+                    default: false,
+                    message: chalk.yellow(`Are you sure you want to remove account ${flags.accountId}?`),
+                    name: 'confirm',
+                    type: 'confirm',
+                }]);
+            if (!confirm) {
+                this.log(chalk.gray('Operation cancelled.'));
+                return;
+            }
+        }
+        this.log(chalk.yellow('🗑️  Removing AWS account from Hyperdrive...'));
+        const service = new HyperdriveSigV4Service(flags.domain);
+        try {
+            await service.accountRemove({ accountId: flags.accountId });
+            this.log(chalk.green('✅ AWS account removed successfully!'));
+        }
+        catch (error) {
+            const axiosError = error;
+            const errorMessage = axiosError.response?.data?.message ?? axiosError.message ?? 'Unknown error';
+            this.log(chalk.red('❌ Error removing AWS account: ' + errorMessage));
+            if (axiosError.response?.status === 404) {
+                this.log(chalk.yellow('\nAccount not found. It may have already been removed.'));
+            }
+            this.exit(1);
+        }
+    }
+}

package/dist/commands/auth/login.d.ts

@@ -0,0 +1,16 @@
+import { Command } from '@oclif/core';
+export default class Login extends Command {
+    static description: string;
+    static examples: string[];
+    static flags: {
+        ci: import("@oclif/core/lib/interfaces/parser.js").BooleanFlag<boolean>;
+        domain: import("@oclif/core/lib/interfaces/parser.js").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser.js").CustomOptions>;
+        port: import("@oclif/core/lib/interfaces/parser.js").OptionFlag<number, import("@oclif/core/lib/interfaces/parser.js").CustomOptions>;
+        tenant: import("@oclif/core/lib/interfaces/parser.js").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser.js").CustomOptions>;
+    };
+    run(): Promise<void>;
+    /**
+     * Run CI authentication flow (non-interactive)
+     */
+    private runCIAuth;
+}

package/dist/commands/auth/login.js

@@ -0,0 +1,178 @@
+import { Command, Flags } from '@oclif/core';
+import chalk from 'chalk';
+import inquirer from 'inquirer';
+import open from 'open';
+import ora from 'ora';
+import { TenantService } from '../../services/tenant-service.js';
+import { buildAuthUrl, exchangeCodeForTokens, executeCIAuthFlow, generateCodeChallenge, generateCodeVerifier, getAWSCredentials, getCICredentials, getCredentialsPath, isCI, saveCredentials, startCallbackServer, } from '../../utils/auth-flow.js';
+export default class Login extends Command {
+    static description = 'Authenticate with Hyperdrive using OAuth 2.0 PKCE flow (or CI credentials)';
+    static examples = [
+        '<%= config.bin %> <%= command.id %>',
+        '<%= config.bin %> <%= command.id %> --domain acme.hyperdrive.bot',
+        '<%= config.bin %> <%= command.id %> --port 9876',
+        '<%= config.bin %> <%= command.id %> --ci --domain acme.hyperdrive.bot',
+    ];
+    static flags = {
+        ci: Flags.boolean({
+            default: false,
+            description: 'Use CI authentication (requires HD_CI_USERNAME and HD_CI_PASSWORD env vars)',
+        }),
+        domain: Flags.string({
+            char: 'd',
+            description: 'Tenant domain (e.g., acme.hyperdrive.bot) - allows multiple installations',
+        }),
+        port: Flags.integer({
+            char: 'p',
+            default: 8765,
+            description: 'Local callback server port',
+        }),
+        tenant: Flags.string({
+            char: 't',
+            description: '[DEPRECATED] Use --domain instead',
+            hidden: true,
+        }),
+    };
+    async run() {
+        const { flags } = await this.parse(Login);
+        // Support legacy --tenant flag (fallback to --domain)
+        const domainFlag = flags.domain || flags.tenant;
+        // Auto-detect CI environment if --ci flag not provided but CI env vars are set
+        const ciCredentials = getCICredentials();
+        const useCI = flags.ci || (isCI() && ciCredentials !== null);
+        // Handle CI authentication
+        if (useCI) {
+            await this.runCIAuth(domainFlag);
+            return;
+        }
+        const tenantService = new TenantService(domainFlag);
+        this.log(chalk.blue('🚀 Starting Hyperdrive authentication...'));
+        this.log('');
+        // Step 1: Resolve tenant configuration from bootstrap
+        let tenantConfig;
+        const spinner = ora('Fetching tenant configuration...').start();
+        try {
+            // Prompt for tenant if not provided
+            let tenantDomain = domainFlag;
+            if (!tenantDomain) {
+                spinner.stop();
+                // Get saved tenant domain from config file or env var
+                const savedTenantDomain = tenantService.getTenantDomain();
+                const answers = await inquirer.prompt([
+                    {
+                        default: savedTenantDomain || undefined,
+                        message: 'Enter your tenant domain:',
+                        name: 'tenant',
+                        type: 'input',
+                        validate: (input) => input.trim().length > 0 || 'Tenant domain is required',
+                    },
+                ]);
+                tenantDomain = answers.tenant;
+                spinner.start('Fetching tenant configuration...');
+            }
+            tenantConfig = await tenantService.fetchTenantConfig(tenantDomain);
+            spinner.succeed(chalk.green(`Tenant found: ${tenantConfig.displayName}`));
+        }
+        catch (error) {
+            spinner.fail(chalk.red('Failed to fetch tenant configuration'));
+            this.log('');
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            this.error(errorMessage + '\n\n' +
+                chalk.yellow('💡 Tips:\n') +
+                chalk.gray('  - Check your tenant domain spelling\n') +
+                chalk.gray('  - Set HYPERDRIVE_TENANT_DOMAIN environment variable\n') +
+                chalk.gray('  - Or run `hd init` to configure your environment'));
+        }
+        try {
+            // Generate PKCE parameters using extracted utilities
+            const codeVerifier = generateCodeVerifier();
+            const codeChallenge = generateCodeChallenge(codeVerifier);
+            // Start local callback server and get promise for auth code
+            const authCodePromise = startCallbackServer(flags.port, 300000); // 5 min timeout
+            // Open browser for authentication
+            const authUrl = buildAuthUrl(tenantConfig, codeChallenge, flags.port);
+            this.log(chalk.yellow('📱 Opening browser for authentication...'));
+            this.log(chalk.gray(`If browser doesn't open, visit: ${authUrl}`));
+            this.log('');
+            await open(authUrl);
+            spinner.start('Waiting for authentication...');
+            // Wait for callback with auth code
+            const code = await authCodePromise;
+            spinner.succeed(chalk.green('Authentication callback received!'));
+            // Exchange code for tokens using extracted utility
+            spinner.start('Exchanging authorization code for tokens...');
+            const tokens = await exchangeCodeForTokens(tenantConfig, code, codeVerifier, flags.port);
+            spinner.succeed(chalk.green('Tokens obtained successfully!'));
+            // Get AWS credentials from Cognito Identity Pool using extracted utility
+            spinner.start('Obtaining AWS credentials...');
+            const awsCredentials = await getAWSCredentials(tenantConfig, tokens.id_token);
+            spinner.succeed(chalk.green('AWS credentials obtained!'));
+            // Save credentials using extracted utility (domain-specific if specified)
+            spinner.start('Saving credentials...');
+            saveCredentials({
+                ...tokens,
+                apiUrl: tenantConfig.apiUrl,
+                awsCredentials,
+                cognitoConfig: {
+                    clientId: tenantConfig.cognitoClientId,
+                    domain: tenantConfig.cognitoDomain,
+                    identityPoolId: tenantConfig.cognitoIdentityPoolId,
+                    userPoolId: tenantConfig.cognitoUserPoolId,
+                },
+                obtainedAt: new Date().toISOString(),
+                region: tenantConfig.region,
+                tenantDomain: tenantConfig.tenantDomain,
+                tenantId: tenantConfig.tenantId,
+            }, tenantConfig.tenantDomain);
+            spinner.succeed(chalk.green('Credentials saved!'));
+            this.log('');
+            this.log(chalk.green('✅ Successfully authenticated!'));
+            this.log(chalk.gray('You can now use all Hyperdrive CLI commands.'));
+            this.log('');
+            this.log(chalk.gray(`✓ Credentials saved to ${getCredentialsPath(tenantConfig.tenantDomain)}`));
+            this.log(chalk.gray('💡 Credentials refresh automatically when needed. You\'re all set!'));
+        }
+        catch (error) {
+            this.error(chalk.red(`Authentication failed: ${error instanceof Error ? error.message : String(error)}`));
+        }
+    }
+    /**
+     * Run CI authentication flow (non-interactive)
+     */
+    async runCIAuth(domainFlag) {
+        this.log(chalk.blue('🤖 Starting CI authentication...'));
+        this.log('');
+        // Get CI credentials from environment
+        const ciCredentials = getCICredentials();
+        if (!ciCredentials) {
+            this.error(chalk.red('CI authentication requires HD_TOKEN environment variable.\n\n') +
+                chalk.yellow('Create a CI token with:\n') +
+                chalk.gray('  hd ci account create --name "my-ci" --scope deploy\n\n') +
+                chalk.yellow('Then add to your CI environment:\n') +
+                chalk.gray('  HD_TOKEN=hd_sk_...'));
+        }
+        // Require domain for CI auth
+        if (!domainFlag) {
+            this.error(chalk.red('Domain is required for CI authentication.\n\n') +
+                chalk.yellow('Usage:\n') +
+                chalk.gray('  hd auth login --ci --domain acme.hyperdrive.bot'));
+        }
+        const spinner = ora('Authenticating...').start();
+        const result = await executeCIAuthFlow({
+            logger: (message) => {
+                spinner.text = message;
+            },
+            password: ciCredentials.password,
+            tenantDomain: domainFlag,
+            username: ciCredentials.username,
+        });
+        if (!result.success) {
+            spinner.fail(chalk.red('Authentication failed'));
+            this.error(chalk.red(result.error || 'Unknown error'));
+        }
+        spinner.succeed(chalk.green('Authenticated successfully!'));
+        this.log('');
+        this.log(chalk.green('✅ CI authentication complete!'));
+        this.log(chalk.gray('You can now use Hyperdrive CLI commands in your CI pipeline.'));
+    }
+}

package/dist/commands/auth/logout.d.ts

@@ -0,0 +1,6 @@
+import { Command } from '@oclif/core';
+export default class Logout extends Command {
+    static description: string;
+    static examples: string[];
+    run(): Promise<void>;
+}

package/dist/commands/auth/logout.js

@@ -0,0 +1,39 @@
+import { Command } from '@oclif/core';
+import chalk from 'chalk';
+import inquirer from 'inquirer';
+import { AuthService } from '../../services/auth-service.js';
+export default class Logout extends Command {
+    static description = 'Remove stored credentials and logout';
+    static examples = ['<%= config.bin %> <%= command.id %>'];
+    async run() {
+        const authService = new AuthService();
+        // Check if credentials exist
+        const credentials = authService.loadCredentials();
+        if (!credentials) {
+            this.log(chalk.yellow('⚠️  No active session found'));
+            return;
+        }
+        // Confirm logout
+        const { confirm } = await inquirer.prompt([
+            {
+                default: false,
+                message: 'Are you sure you want to logout?',
+                name: 'confirm',
+                type: 'confirm',
+            },
+        ]);
+        if (!confirm) {
+            this.log(chalk.gray('Logout cancelled'));
+            return;
+        }
+        try {
+            authService.clearCredentials();
+            this.log('');
+            this.log(chalk.green('✅ Successfully logged out!'));
+            this.log(chalk.gray('Run `hd auth login` to authenticate again.'));
+        }
+        catch (error) {
+            this.error(chalk.red(`Logout failed: ${error instanceof Error ? error.message : String(error)}`));
+        }
+    }
+}

package/dist/commands/auth/refresh.d.ts

@@ -0,0 +1,6 @@
+import { Command } from '@oclif/core';
+export default class Refresh extends Command {
+    static description: string;
+    static examples: string[];
+    run(): Promise<void>;
+}

package/dist/commands/auth/refresh.js

@@ -0,0 +1,66 @@
+import { Command } from '@oclif/core';
+import chalk from 'chalk';
+import ora from 'ora';
+import { AuthService } from '../../services/auth-service.js';
+export default class Refresh extends Command {
+    static description = 'Refresh expired AWS credentials using refresh token';
+    static examples = ['<%= config.bin %> <%= command.id %>'];
+    async run() {
+        const authService = new AuthService();
+        const spinner = ora('Checking current credentials...').start();
+        try {
+            // Load existing credentials
+            const credentials = authService.loadCredentials();
+            if (!credentials) {
+                spinner.fail(chalk.red('No credentials found'));
+                this.log('');
+                this.log(chalk.yellow('Please run `hd auth login` first'));
+                return;
+            }
+            // Check if cognitoConfig exists
+            if (!credentials.cognitoConfig) {
+                spinner.fail(chalk.red('Cognito configuration not found'));
+                this.log('');
+                this.log(chalk.yellow('Please run `hd auth login` again to update credentials'));
+                return;
+            }
+            // Check if refresh is needed
+            const needsRefresh = authService.needsRefresh(credentials);
+            if (!needsRefresh) {
+                spinner.succeed(chalk.green('Credentials are still valid!'));
+                const expiresIn = Math.floor((new Date(credentials.awsCredentials.expiration).getTime() - Date.now()) / 1000 / 60);
+                this.log(chalk.gray(`Expires in ${expiresIn} minutes`));
+                return;
+            }
+            // Refresh tokens
+            spinner.text = 'Refreshing tokens...';
+            const newTokens = await authService.refreshTokens(credentials.refresh_token, credentials.cognitoConfig);
+            spinner.succeed(chalk.green('Tokens refreshed!'));
+            // Get new AWS credentials
+            spinner.start('Obtaining new AWS credentials...');
+            const newAwsCredentials = await authService.getAWSCredentials(newTokens.id_token, credentials.region, credentials.cognitoConfig);
+            spinner.succeed(chalk.green('AWS credentials renewed!'));
+            // Save updated credentials (preserve tenant info)
+            spinner.start('Saving credentials...');
+            authService.saveCredentials({
+                ...newTokens,
+                apiUrl: credentials.apiUrl,
+                awsCredentials: newAwsCredentials,
+                cognitoConfig: credentials.cognitoConfig,
+                obtainedAt: new Date().toISOString(),
+                region: credentials.region,
+                tenantDomain: credentials.tenantDomain,
+                tenantId: credentials.tenantId,
+            });
+            spinner.succeed(chalk.green('Credentials saved!'));
+            this.log('');
+            this.log(chalk.green('✅ Credentials successfully refreshed!'));
+            this.log(chalk.gray('Your session has been extended for another hour.'));
+        }
+        catch (error) {
+            spinner.fail(chalk.red('Refresh failed'));
+            this.log('');
+            this.error(chalk.red(`Failed to refresh credentials: ${error instanceof Error ? error.message : String(error)}\n\nPlease run 'hd auth login' to re-authenticate.`));
+        }
+    }
+}