@kvell007/embed-labs-cli 0.1.0-alpha.20 → 0.1.0-alpha.22

package/dist/index.js

@@ -1,13 +1,12 @@
 #!/usr/bin/env node
-import { createHash, createHmac, randomBytes } from "node:crypto";
+import { createHash, createHmac, generateKeyPairSync, randomBytes, sign as signCrypto } from "node:crypto";
 import { constants } from "node:fs";
 import { spawn } from "node:child_process";
-import { access, cp, mkdir, mkdtemp, readFile, readdir, rm, stat, writeFile } from "node:fs/promises";
+import { access, chmod, cp, mkdir, mkdtemp, readFile, readdir, rm, stat, writeFile } from "node:fs/promises";
 import { createRequire } from "node:module";
-import { homedir, tmpdir } from "node:os";
+import { arch, hostname, homedir, platform, tmpdir } from "node:os";
 import { basename, delimiter, dirname, join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
-import { startServer } from "@embed-labs/local-bridge";
 import { composeBootLogoPackage } from "./image-compose.js";
 import { buildTaishanPiQtSmoke, compileTaishanPiSingleFile, currentLocalToolchain, installLocalToolchain, latestLocalToolchain, validateLocalToolchain } from "./local-toolchain.js";
 import { fail, ok } from "@embed-labs/protocol";
@@ -16,10 +15,14 @@ const CLI_MODULE_DIR = dirname(fileURLToPath(import.meta.url));
 const SOURCE_CHECKOUT_ROOT = resolve(CLI_MODULE_DIR, "..", "..", "..");
 const qrcodeTerminal = require("qrcode-terminal");
 const DEFAULT_BRIDGE_URL = process.env.EMBED_BRIDGE_URL ?? "http://127.0.0.1:18083";
-const DEFAULT_CLOUD_API_URL = process.env.EMBED_CLOUD_API_URL ?? "http://127.0.0.1:18100";
+const DEFAULT_CLOUD_API_URL = process.env.EMBED_CLOUD_API_URL ?? "https://api.embedboard.com";
 const DEFAULT_AUTH_FILE = process.env.EMBED_AUTH_FILE ?? ".embed-labs/auth.json";
+const DEFAULT_DEVICE_FILE = process.env.EMBED_DEVICE_FILE ?? join(dirname(DEFAULT_AUTH_FILE), "device.json");
 const DEFAULT_DASHBOARD_URL = process.env.EMBED_DASHBOARD_URL ?? "https://api.embedboard.com/dashboard";
+const EMBED_CLIENT_NAME = "embedlabs-cli";
+const EMBED_CLIENT_VERSION = process.env.EMBED_CLIENT_VERSION ?? "0.1.0";
 const DEFAULT_AGENT_ARTIFACT_DIR = process.env.EMBED_AGENT_ARTIFACT_DIR ?? ".embed-labs/artifacts";
+const TOOL_INTEGRITY_RELOGIN_MESSAGE = "工具完整性校验失败，请在当前电脑重新执行 embedlabs auth login --token <key>";
 const DOCTOR_USAGE = "Usage: embed doctor [--json]";
 const DOCTOR_HTTP_TIMEOUT_MS = 8000;
 const MIN_NODE_MAJOR = 20;
@@ -30,7 +33,14 @@ const DEFAULT_PLUGIN_RELEASE_URL = process.env.EMBED_PLUGIN_RELEASE_URL?.trim()
 const PLUGIN_LIST_USAGE = "Usage: embed plugin list [--release-dir <dir>] [--release-url <url>] [--json]";
 const CODEX_PLUGIN_NAME = "embed-labs";
 const CODEX_MARKETPLACE_NAME = "embed-labs";
-const LEGACY_CODEX_MARKETPLACE_NAMES = new Set(["embed-labs-plugins"]);
+const LEGACY_CODEX_PLUGIN_NAMES = [
+    "dbt-agent",
+    "Dbt Agent",
+    "development-board-toolchain",
+    "development-board-toolchain-dev",
+    "deve"
+];
+const LEGACY_CODEX_MARKETPLACE_NAMES = new Set(["embed-labs-plugins", "plugins", "Plugins", "deve"]);
 const PLUGIN_INSTALL_USAGE = "Usage: embed plugin install <codex|opencode|all> [--release-dir <dir>] [--release-url <url>] [--target <dir>] [--codex-target <dir>] [--opencode-target <dir>] [--force] [--json]";
 const CLOUD_TASK_ARTIFACTS_USAGE = "Usage: embed cloud task artifacts <task_id> [--json]";
 const CLOUD_TASK_EVIDENCE_USAGE = "Usage: embed cloud task evidence <task_id> [--json]";
@@ -91,6 +101,10 @@ const LOCAL_TOOLCHAIN_INSTALL_USAGE = "Usage: embed local toolchain install [--b
 const LOCAL_TOOLCHAIN_VALIDATE_USAGE = "Usage: embed local toolchain validate [--release-root <path>] [--mode minimal|compile|qt|full|images] [--json]";
 const LOCAL_COMPILE_TAISHANPI_USAGE = "Usage: embed local compile taishanpi --source <main.c|main.cpp> --output <artifact> [--release-root <path>] [--account <account_id>] [--json]";
 const LOCAL_BUILD_QT_SMOKE_USAGE = "Usage: embed local build qt-smoke --build-dir <dir> [--source <qt-smoke-dir>] [--release-root <path>] [--account <account_id>] [--json]";
+const AUTH_DEVICE_STATUS_USAGE = "Usage: embed auth device status [--json]";
+const AUTH_DEVICE_LIST_USAGE = "Usage: embed auth device list [--json]";
+const AUTH_DEVICE_REVOKE_USAGE = "Usage: embed auth device revoke <device_id> [--json]";
+const AUTH_DEVICE_RENAME_USAGE = "Usage: embed auth device rename <device_id> --label <name> [--json]";
 const BOARD_REGISTRY_LIST_USAGE = "Usage: embed board registry list [--json]";
 const BOARD_REGISTRY_SHOW_USAGE = "Usage: embed board registry show <template_id> [--json]";
 const BOARD_METHODS_USAGE = "Usage: embed board methods <template_id> [--json]";
@@ -100,9 +114,10 @@ const MODEL_LIST_USAGE = "Usage: embed model list [--json]";
 const MODEL_DEFAULT_USAGE = "Usage: embed model default [--json]";
 const SERVICE_MODES_USAGE = "Usage: embed service modes [--json]";
 const AGENT_RUN_USAGE = "Usage: embed agent run --prompt <request> [--account <account_id>] [--workspace <workspace_id>] [--provider stub|openai|bai|cc|claude-code] [--model <model>] [--max-tool-calls 6] [--host <ip>] [--ports 22,15301] [--artifact <local_file>|--artifact-id <artifact_id>|--artifact-task <task_id>] [--artifact-output <path>] [--remote-path <path>] [--run] [--approve] [--json]";
+let cachedLocalHardwareFingerprint;
 const TOOL_LIST_USAGE = "Usage: embed tool list [--json]";
 const TOOL_CALL_USAGE = "Usage: embed tool call <capability_id> [--input-json '<json>'] [--approve] [--json]";
-const MCP_TOOL_EVENT_USAGE = "Usage: embed mcp log --tool <tool_name> [--client codex|opencode] [--mode local_ai|server_ai] [--server-model-used true|false] [--success true|false] [--request-id <id>] [--duration-ms <ms>] [--input-summary <text>] [--output-summary <text>] [--json]";
+const MCP_TOOL_EVENT_USAGE = "Usage: embed mcp log --tool <tool_name> [--client codex|opencode] [--mode local_ai|server_ai] [--local-device-id <id>] [--server-model-used true|false] [--success true|false] [--request-id <id>] [--duration-ms <ms>] [--input-summary <text>] [--output-summary <text>] [--json]";
 const BOARD_DEPLOY_TAISHANPI_USAGE = "Usage: embed deploy taishanpi --host <ip> --artifact <local_file> --approve [--user root] [--remote-path /userdata/embed-labs/apps/app] [--run] [--timeout 30] [--json]";
 const CLOUD_TASK_EVENT_APPEND_USAGE = "Usage: embed cloud task event append <task_id> [--state <state>] [--progress-stage <stage>|--stage <stage>] [--progress-text <text>|--message <text>] [--progress-percent 0-100] [--severity info|warning|error] [--type <event_type>] [--artifact-json '<json>'] [--evidence-json '<json>'] [--json]";
 const TASK_STATES = new Set([
@@ -152,11 +167,7 @@ async function main(argv) {
             return output(parsed, await bridgePost("/v1/board/taishanpi/deploy", request), renderBoardDeployResult);
         }
         if (area === "bridge" && action === "start") {
-            startServer({
-                host: stringFlag(parsed, "host"),
-                port: numberFlag(parsed, "port")
-            });
-            return await waitForever();
+            return await runBridgeStart(parsed);
         }
         if (area === "bridge" && action === "status") {
             return output(parsed, await bridgeGet("/healthz"), renderBridgeStatus);
@@ -293,6 +304,31 @@ async function main(argv) {
         if (area === "auth" && action === "status") {
             return output(parsed, ok(await authStatus()), renderAuthStatus);
         }
+        if (area === "auth" && action === "device") {
+            const deviceAction = parsed.command[2] ?? "status";
+            if (deviceAction === "status") {
+                const result = await authDeviceStatus(parsed);
+                return output(parsed, result, renderAuthDeviceStatus, result.ok ? 0 : 2);
+            }
+            if (deviceAction === "list") {
+                const result = await authDeviceList(parsed);
+                return output(parsed, result, renderAuthDeviceList, result.ok ? 0 : 2);
+            }
+            if (deviceAction === "revoke") {
+                const result = await authDeviceRevoke(parsed);
+                return output(parsed, result, renderAuthDevice, result.ok ? 0 : 2);
+            }
+            if (deviceAction === "rename") {
+                const result = await authDeviceRename(parsed);
+                return output(parsed, result, renderAuthDevice, result.ok ? 0 : 2);
+            }
+            return output(parsed, fail("invalid_args", [
+                AUTH_DEVICE_STATUS_USAGE,
+                AUTH_DEVICE_LIST_USAGE,
+                AUTH_DEVICE_REVOKE_USAGE,
+                AUTH_DEVICE_RENAME_USAGE
+            ].join("\n")), undefined, 2);
+        }
         if (area === "auth" && action === "logout") {
             await rm(DEFAULT_AUTH_FILE, { force: true });
             return output(parsed, ok(await authStatus()), renderAuthStatus);
@@ -1406,17 +1442,23 @@ async function cloudPost(path, body) {
 async function cloudDownloadArtifact(artifactId, outputPath) {
     try {
         const headers = {};
-        const token = await cloudAuthToken();
-        if (token) {
-            headers.authorization = `Bearer ${token}`;
-            addCloudRequestSignature(headers, "GET", `/v1/artifacts/${encodeURIComponent(artifactId)}/download`, "", token);
+        const auth = await cloudAuthConfig();
+        if (auth.token) {
+            if (auth.device) {
+                const integrity = await validateLocalDeviceIntegrity(auth.device);
+                if (!integrity.ok) {
+                    return integrity;
+                }
+            }
+            headers.authorization = `Bearer ${auth.token}`;
+            addCloudRequestSignature(headers, "GET", `/v1/artifacts/${encodeURIComponent(artifactId)}/download`, "", auth.token, auth.device);
         }
         const response = await fetch(`${serviceBaseUrl(DEFAULT_CLOUD_API_URL)}/v1/artifacts/${encodeURIComponent(artifactId)}/download`, {
             headers: Object.keys(headers).length > 0 ? headers : undefined
         });
         if (!response.ok) {
             const parsed = await parseErrorResponse(response);
-            return parsed ? enrichCloudAuthFailure(parsed, Boolean(token)) : fail("artifact_download_failed", `Artifact download failed with HTTP ${response.status}.`);
+            return parsed ? enrichCloudAuthFailure(parsed, Boolean(auth.token)) : fail("artifact_download_failed", `Artifact download failed with HTTP ${response.status}.`);
         }
         const bytes = Buffer.from(await response.arrayBuffer());
         const expectedSha256 = response.headers.get("x-embed-artifact-sha256")?.trim();
@@ -1449,10 +1491,16 @@ async function cloudRequest(method, path, body) {
         if (bodyText) {
             headers["content-type"] = "application/json";
         }
-        const token = await cloudAuthToken();
-        if (token) {
-            headers.authorization = `Bearer ${token}`;
-            addCloudRequestSignature(headers, method, path, bodyText, token);
+        const auth = await cloudAuthConfig();
+        if (auth.token) {
+            if (auth.device) {
+                const integrity = await validateLocalDeviceIntegrity(auth.device);
+                if (!integrity.ok) {
+                    return integrity;
+                }
+            }
+            headers.authorization = `Bearer ${auth.token}`;
+            addCloudRequestSignature(headers, method, path, bodyText, auth.token, auth.device);
         }
         const response = await fetch(`${serviceBaseUrl(DEFAULT_CLOUD_API_URL)}${path}`, {
             method,
@@ -1460,7 +1508,7 @@ async function cloudRequest(method, path, body) {
             body: body === undefined ? undefined : bodyText
         });
         const parsed = await response.json();
-        return enrichCloudAuthFailure(parsed, Boolean(token));
+        return enrichCloudAuthFailure(parsed, Boolean(auth.token));
     }
     catch (error) {
         return fail("cloud_api_unreachable", error instanceof Error ? error.message : String(error), {
@@ -1468,8 +1516,42 @@ async function cloudRequest(method, path, body) {
         });
     }
 }
+async function validateLocalDeviceIntegrity(device) {
+    const current = await localHardwareFingerprint();
+    if (current.fingerprint_hash === device.fingerprint_hash) {
+        return ok(undefined);
+    }
+    return fail("tool_integrity_check_failed", TOOL_INTEGRITY_RELOGIN_MESSAGE, {
+        remediation: [
+            "当前 Embed Labs CLI/插件配置绑定的电脑与本机硬件唯一码不一致。",
+            TOOL_INTEGRITY_RELOGIN_MESSAGE,
+            "如果账号设备数量已达上限，请先在原电脑或用户后台撤销旧设备。"
+        ].join("\n"),
+        details: {
+            expected_fingerprint_hash: device.fingerprint_hash,
+            current_fingerprint_hash: current.fingerprint_hash,
+            platform: current.platform,
+            arch: current.arch,
+            fingerprint_source: current.source
+        }
+    });
+}
 function enrichCloudAuthFailure(response, hadToken) {
-    if (response.ok || response.error.code !== "unauthorized") {
+    if (response.ok) {
+        return response;
+    }
+    if (response.error.code.startsWith("device_") || response.error.code.startsWith("request_signature_")) {
+        return fail(response.error.code, response.error.message, {
+            remediation: [
+                "This computer is not fully registered for the configured Embed Labs API Token.",
+                "Run: embedlabs auth login --token <your_token>",
+                "Then verify with: embedlabs auth device status",
+                "If the account already has too many devices, revoke one with: embedlabs auth device revoke <device_id>"
+            ].join("\n"),
+            details: response.error.details
+        });
+    }
+    if (response.error.code !== "unauthorized") {
         return response;
     }
     if (!hadToken) {
@@ -1501,7 +1583,7 @@ function cloudAuthSetupDetails() {
         auth_file: DEFAULT_AUTH_FILE
     };
 }
-function addCloudRequestSignature(headers, method, pathWithQuery, bodyText, token) {
+function addCloudRequestSignature(headers, method, pathWithQuery, bodyText, token, device) {
     if (process.env.EMBED_CLOUD_API_SIGNING === "0") {
         return;
     }
@@ -1509,11 +1591,21 @@ function addCloudRequestSignature(headers, method, pathWithQuery, bodyText, toke
     const nonce = randomBytes(16).toString("hex");
     const bodySha256 = createHash("sha256").update(bodyText).digest("hex");
     const keyId = createHash("sha256").update(token).digest("hex").slice(0, 16);
-    const canonical = cloudRequestCanonicalString(method, pathWithQuery, timestamp, nonce, bodySha256);
+    const canonical = device
+        ? cloudRequestCanonicalStringV2(method, pathWithQuery, timestamp, nonce, bodySha256, device, EMBED_CLIENT_NAME, EMBED_CLIENT_VERSION)
+        : cloudRequestCanonicalString(method, pathWithQuery, timestamp, nonce, bodySha256);
     headers["x-embed-key-id"] = keyId;
     headers["x-embed-timestamp"] = timestamp;
     headers["x-embed-nonce"] = nonce;
     headers["x-embed-body-sha256"] = bodySha256;
+    if (device) {
+        headers["x-embed-signature-version"] = "v2";
+        headers["x-embed-device-id"] = device.device_id;
+        headers["x-embed-device-fingerprint-sha256"] = device.fingerprint_hash;
+        headers["x-embed-client-name"] = EMBED_CLIENT_NAME;
+        headers["x-embed-client-version"] = EMBED_CLIENT_VERSION;
+        headers["x-embed-device-signature"] = signCrypto(null, Buffer.from(canonical), device.private_key_pem).toString("base64url");
+    }
     headers["x-embed-signature"] = createHmac("sha256", token).update(canonical).digest("hex");
 }
 function cloudRequestCanonicalString(method, pathWithQuery, timestamp, nonce, bodySha256) {
@@ -1525,6 +1617,19 @@ function cloudRequestCanonicalString(method, pathWithQuery, timestamp, nonce, bo
         bodySha256
     ].join("\n");
 }
+function cloudRequestCanonicalStringV2(method, pathWithQuery, timestamp, nonce, bodySha256, device, clientName, clientVersion) {
+    return [
+        method.toUpperCase(),
+        normalizeCloudPathForSignature(pathWithQuery),
+        timestamp,
+        nonce,
+        bodySha256,
+        device.device_id,
+        device.fingerprint_hash,
+        clientName,
+        clientVersion
+    ].join("\n");
+}
 function normalizeCloudPathForSignature(pathWithQuery) {
     try {
         const parsed = new URL(pathWithQuery, "http://embed.local");
@@ -1951,16 +2056,22 @@ async function cleanupLegacyCodexPluginRemnants(targetRoot) {
     const warnings = [];
     const stoppedProcesses = await stopLegacyCodexPluginProcesses(warnings);
     const legacyPaths = [
-        join(targetRoot, "dbt-agent"),
-        join(targetRoot, "development-board-toolchain"),
-        join(targetRoot, "cache", "embed-labs", "dbt-agent"),
-        join(targetRoot, "cache", "dbt-agent"),
-        join(targetRoot, "cache", "plugins", "dbt-agent")
+        join(targetRoot, "cache", CODEX_MARKETPLACE_NAME, CODEX_PLUGIN_NAME)
     ];
+    for (const marketplaceName of LEGACY_CODEX_MARKETPLACE_NAMES) {
+        legacyPaths.push(join(targetRoot, "cache", marketplaceName, CODEX_PLUGIN_NAME));
+    }
+    for (const pluginName of LEGACY_CODEX_PLUGIN_NAMES) {
+        legacyPaths.push(join(targetRoot, pluginName));
+        legacyPaths.push(join(targetRoot, "cache", pluginName));
+        for (const marketplaceName of [CODEX_MARKETPLACE_NAME, ...LEGACY_CODEX_MARKETPLACE_NAMES]) {
+            legacyPaths.push(join(targetRoot, "cache", marketplaceName, pluginName));
+        }
+    }
     legacyPaths.push(...await discoverLegacyCodexCachePaths(targetRoot));
     if (resolve(targetRoot) === resolve(defaultCodexPluginRoot())) {
         legacyPaths.push(join(defaultCodexHome(), ".tmp", "plugins"), join(defaultCodexHome(), ".tmp", "plugins.sha"), join(defaultCodexHome(), "ambient-suggestions"), join(defaultCodexHome(), "skills", "dbt-agent"), join(defaultCodexHome(), "skills", "development-board-toolchain-dev"), join(defaultCodexHome(), "memories", "skills", "dbt-agent-live-board-ops"), join(defaultCodexHome(), "memories", "skills", "dbt-agent-platform-plugin-maintenance"));
-        legacyPaths.push(...await discoverLegacyHomeAgentsMarketplacePaths(warnings), ...legacyDevelopmentBoardRuntimePluginPaths());
+        legacyPaths.push(...legacyCodexLocalMarketplacePaths(), ...await discoverLegacyHomeAgentsMarketplacePaths(warnings), ...await discoverLegacyCodexProjectMarketplacePaths(warnings), ...legacyDevelopmentBoardRuntimePluginPaths());
     }
     for (const candidate of legacyPaths) {
         try {
@@ -2053,6 +2164,11 @@ function legacyDevelopmentBoardRuntimePluginPaths() {
         join(homedir(), "Library", "Application Support", "development-board-toolchain", "runtime", "opencode_plugin")
     ];
 }
+function legacyCodexLocalMarketplacePaths() {
+    return Array.from(LEGACY_CODEX_MARKETPLACE_NAMES)
+        .filter((name) => name !== CODEX_MARKETPLACE_NAME)
+        .map((name) => join(defaultCodexHome(), "local-marketplaces", name));
+}
 async function discoverLegacyHomeAgentsMarketplacePaths(warnings) {
     const paths = [];
     const pluginRoot = join(homedir(), ".agents", "plugins");
@@ -2079,9 +2195,72 @@ async function discoverLegacyHomeAgentsMarketplacePaths(warnings) {
     return paths;
 }
 function isLegacyHomeAgentsMarketplace(text) {
-    return text.includes('"name" : "plugins"') || text.includes('"name": "plugins"')
-        ? text.includes('"dbt-agent"') || text.includes('"./.codex/plugins/dbt-agent"') || text.includes('"./plugins/dbt-agent"')
-        : false;
+    return marketplaceTextHasLegacyCodexPlugin(text);
+}
+async function discoverLegacyCodexProjectMarketplacePaths(warnings) {
+    const configPath = codexConfigPath();
+    let text = "";
+    try {
+        text = await readFile(configPath, "utf8");
+    }
+    catch {
+        return [];
+    }
+    const paths = new Set();
+    for (const projectPath of legacyCodexProjectPathsFromConfig(text)) {
+        for (const candidate of [
+            join(projectPath, ".agents", "plugins", "marketplace.json"),
+            join(projectPath, "platform_plugin", ".agents", "plugins", "marketplace.json"),
+            join(projectPath, "platform_plugins", "codex_plugin", ".agents", "plugins", "marketplace.json")
+        ]) {
+            try {
+                if (!await pathExists(candidate))
+                    continue;
+                const current = await readFile(candidate, "utf8");
+                if (marketplaceTextHasLegacyCodexPlugin(current)) {
+                    paths.add(candidate);
+                }
+            }
+            catch (error) {
+                warnings.push(`Could not inspect legacy Codex project marketplace ${candidate}: ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+    }
+    return Array.from(paths);
+}
+function legacyCodexProjectPathsFromConfig(text) {
+    const paths = [];
+    const lines = text.match(/[^\n]*\n|[^\n]+$/g) ?? [];
+    for (const line of lines) {
+        const table = parseTomlTableHeader(line);
+        const match = table ? /^projects\."([^"]+)"$/.exec(table) : undefined;
+        if (match?.[1] && /DBT-Agent-Project|development-board-toolchain|dbt-agent/i.test(match[1])) {
+            paths.push(match[1].replace(/\\"/g, '"'));
+        }
+    }
+    return paths;
+}
+function marketplaceTextHasLegacyCodexPlugin(text) {
+    try {
+        const parsed = JSON.parse(text);
+        const marketplaceName = typeof parsed.name === "string" ? parsed.name : "";
+        const marketplaceDisplayName = typeof parsed.interface?.displayName === "string" ? parsed.interface.displayName : "";
+        const marketplaceLooksLegacy = legacyTextHasCodexPluginResidue(marketplaceName)
+            || legacyTextHasCodexPluginResidue(marketplaceDisplayName)
+            || LEGACY_CODEX_MARKETPLACE_NAMES.has(marketplaceName);
+        return (parsed.plugins ?? []).some((plugin) => {
+            const values = [
+                plugin.name,
+                plugin.category,
+                plugin.source?.path,
+                plugin.interface?.displayName
+            ].filter((value) => typeof value === "string");
+            return values.some(legacyTextHasCodexPluginResidue) || marketplaceLooksLegacy && values.some((value) => /embed-labs|dbt|development-board/i.test(value));
+        });
+    }
+    catch {
+        return legacyTextHasCodexPluginResidue(text);
+    }
 }
 async function discoverLegacyCodexCachePaths(targetRoot) {
     const paths = [];
@@ -2091,8 +2270,12 @@ async function discoverLegacyCodexCachePaths(targetRoot) {
         for (const entry of marketplaces) {
             if (!entry.isDirectory())
                 continue;
-            paths.push(join(cacheRoot, entry.name, "dbt-agent"));
-            paths.push(join(cacheRoot, entry.name, "development-board-toolchain"));
+            if (LEGACY_CODEX_MARKETPLACE_NAMES.has(entry.name)) {
+                paths.push(join(cacheRoot, entry.name, CODEX_PLUGIN_NAME));
+            }
+            for (const pluginName of LEGACY_CODEX_PLUGIN_NAMES) {
+                paths.push(join(cacheRoot, entry.name, pluginName));
+            }
         }
     }
     catch {
@@ -2138,6 +2321,8 @@ function isLegacyCodexHistoryMention(line) {
         || line.includes("plugin://dbt-agent@embed-labs")
         || line.includes("development-board-toolchain-dev")
         || line.includes("development-board-toolchain")
+        || /plugin:\/\/Dbt Agent@/i.test(line)
+        || /plugin:\/\/deve@/i.test(line)
         || /dbt-agent/i.test(line);
 }
 function removeLegacyCodexConfigTables(text) {
@@ -2166,11 +2351,15 @@ function parseTomlTableHeader(line) {
 }
 function isLegacyCodexConfigTable(table) {
     return /^plugins\."dbt-agent@[^"]+"$/.test(table)
+        || /^plugins\."Dbt Agent@[^"]+"$/i.test(table)
+        || /^plugins\."deve@[^"]+"$/i.test(table)
         || isLegacyEmbedLabsCodexMarketplaceConfigTable(table)
         || table === "mcp_servers.dbt-agent"
         || table.startsWith("mcp_servers.dbt-agent.")
         || table === 'mcp_servers."dbt-agent"'
         || table.startsWith('mcp_servers."dbt-agent".')
+        || table === "mcp_servers.deve"
+        || table.startsWith("mcp_servers.deve.")
         || /^projects\."[^"]*\/DBT-Agent-Project(?:\/[^"]*)?"$/.test(table);
 }
 function isLegacyEmbedLabsCodexMarketplaceConfigTable(table) {
@@ -2184,10 +2373,16 @@ function isLegacyEmbedLabsCodexMarketplaceConfigTable(table) {
     }
     return false;
 }
+function legacyTextHasCodexPluginResidue(value) {
+    return /dbt-agent|Dbt Agent|development-board-toolchain|development-board-toolchain-dev/i.test(value)
+        || value === "deve"
+        || value.replace(/\\/g, "/").includes("/plugins/deve")
+        || value.includes("plugin://deve@");
+}
 function legacyCodexCleanupWarning(cleanup) {
     const parts = [];
     if (cleanup.legacy_removed_paths.length > 0) {
-        parts.push(`removed ${cleanup.legacy_removed_paths.length} legacy Codex plugin path(s)`);
+        parts.push(`removed ${cleanup.legacy_removed_paths.length} stale/legacy Codex plugin path(s)`);
     }
     if (cleanup.legacy_removed_config_tables?.length) {
         parts.push(`removed ${cleanup.legacy_removed_config_tables.length} legacy Codex config table(s)`);
@@ -2201,19 +2396,26 @@ function legacyCodexCleanupWarning(cleanup) {
     if (cleanup.warnings?.length) {
         parts.push(`cleanup warning(s): ${cleanup.warnings.join("; ")}`);
     }
-    return parts.length > 0 ? `Legacy dbt-agent cleanup: ${parts.join(", ")}.` : undefined;
+    return parts.length > 0 ? `Codex plugin cleanup: ${parts.join(", ")}.` : undefined;
 }
 async function cleanupLegacyOpenCodePluginRemnants(targetRoot, globalInstall) {
     const removedPaths = [];
     const warnings = [];
     const legacyPaths = [
         join(targetRoot, "plugins", "development-board-toolchain.js"),
+        join(targetRoot, "plugins", "development-board-toolchain-dev.js"),
         join(targetRoot, "plugins", "dbt-agent.js"),
+        join(targetRoot, "plugins", "Dbt Agent.js"),
+        join(targetRoot, "plugins", "deve.js"),
+        join(targetRoot, "plugins", "deve"),
+        join(targetRoot, "node_modules", "development-board-toolchain"),
+        join(targetRoot, "node_modules", "development-board-toolchain-dev"),
         join(targetRoot, "node_modules", "dbt-agent")
     ];
     if (globalInstall) {
         legacyPaths.push(join(targetRoot, "plugins", "embed-labs.js"));
         legacyPaths.push(...await discoverLegacyOpenCodeBackupPaths(targetRoot, warnings));
+        legacyPaths.push(...await discoverLegacyOpenCodePluginCachePaths(targetRoot, warnings));
     }
     for (const candidate of legacyPaths) {
         try {
@@ -2242,7 +2444,7 @@ async function discoverLegacyOpenCodeBackupPaths(targetRoot, warnings) {
             const filePath = join(targetRoot, entry.name);
             try {
                 const current = await readFile(filePath, "utf8");
-                if (current.includes("dbt-agent") || current.includes("development-board-toolchain")) {
+                if (legacyTextHasCodexPluginResidue(current)) {
                     paths.push(filePath);
                 }
             }
@@ -2256,6 +2458,26 @@ async function discoverLegacyOpenCodeBackupPaths(targetRoot, warnings) {
     }
     return paths;
 }
+async function discoverLegacyOpenCodePluginCachePaths(targetRoot, warnings) {
+    const paths = [];
+    const cacheRoot = join(targetRoot, ".embed-labs", "plugin-cache");
+    try {
+        const entries = await readdir(cacheRoot, { withFileTypes: true });
+        for (const entry of entries) {
+            if (!entry.isFile())
+                continue;
+            if (/^(embed-labs|embed-labs-opencode-plugin)-\d+\.\d+\.\d+\.tgz$/.test(entry.name)) {
+                paths.push(join(cacheRoot, entry.name));
+            }
+        }
+    }
+    catch (error) {
+        if (error.code !== "ENOENT") {
+            warnings.push(`Could not inspect OpenCode plugin cache ${cacheRoot}: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    return paths;
+}
 function legacyOpenCodeCleanupWarning(cleanup) {
     const parts = [];
     if (cleanup.legacy_removed_paths.length > 0) {
@@ -2358,6 +2580,7 @@ async function maybeRegisterCodexMarketplace(parsed, targetRoot, targetPath) {
         await rm(marketplacePluginPath, { recursive: true, force: true });
         await mkdir(dirname(marketplacePluginPath), { recursive: true });
         await cp(targetPath, marketplacePluginPath, { recursive: true });
+        await refreshCodexPluginCache(targetPath);
         await writeCodexLocalMarketplaceManifest(marketplacePath);
         const warning = await upsertCodexPluginMarketplaceConfig(marketplacePath);
         return warning ? { registered: true, marketplacePath, warning } : { registered: true, marketplacePath };
@@ -2373,6 +2596,18 @@ async function maybeRegisterCodexMarketplace(parsed, targetRoot, targetPath) {
 function defaultCodexLocalMarketplaceRoot() {
     return join(defaultCodexHome(), "local-marketplaces", CODEX_PLUGIN_NAME);
 }
+async function refreshCodexPluginCache(targetPath) {
+    const manifestPath = join(targetPath, ".codex-plugin", "plugin.json");
+    const manifest = JSON.parse(await readFile(manifestPath, "utf8"));
+    const version = typeof manifest.version === "string" && manifest.version.trim()
+        ? manifest.version.trim()
+        : "local";
+    const cachePluginRoot = join(defaultCodexPluginRoot(), "cache", CODEX_MARKETPLACE_NAME, CODEX_PLUGIN_NAME);
+    const cacheVersionPath = join(cachePluginRoot, version);
+    await rm(cachePluginRoot, { recursive: true, force: true });
+    await mkdir(dirname(cacheVersionPath), { recursive: true });
+    await cp(targetPath, cacheVersionPath, { recursive: true });
+}
 async function writeCodexLocalMarketplaceManifest(marketplacePath) {
     const manifestPath = join(marketplacePath, ".agents", "plugins", "marketplace.json");
     const manifest = {
@@ -2539,6 +2774,97 @@ async function resolveExecutableOnPath(name) {
     }
     return undefined;
 }
+async function runBridgeStart(parsed) {
+    const host = stringFlag(parsed, "host");
+    const port = numberFlag(parsed, "port");
+    const bridge = await resolveBridgeLauncher();
+    const args = [...bridge.args];
+    if (host) {
+        args.push("--host", host);
+    }
+    if (port !== undefined) {
+        args.push("--port", String(port));
+    }
+    const env = {
+        ...process.env,
+        ...(host ? { EMBED_BRIDGE_HOST: host } : {}),
+        ...(port !== undefined ? { EMBED_BRIDGE_PORT: String(port) } : {})
+    };
+    const child = spawn(bridge.command, args, {
+        stdio: "inherit",
+        env
+    });
+    const forwardSignal = (signal) => {
+        if (!child.killed) {
+            child.kill(signal);
+        }
+    };
+    process.once("SIGINT", forwardSignal);
+    process.once("SIGTERM", forwardSignal);
+    return await new Promise((resolveCode) => {
+        child.on("error", (error) => {
+            process.off("SIGINT", forwardSignal);
+            process.off("SIGTERM", forwardSignal);
+            console.error(error instanceof Error ? error.message : String(error));
+            resolveCode(1);
+        });
+        child.on("close", (code, signal) => {
+            process.off("SIGINT", forwardSignal);
+            process.off("SIGTERM", forwardSignal);
+            if (signal === "SIGINT" || signal === "SIGTERM") {
+                resolveCode(0);
+            }
+            else {
+                resolveCode(code ?? 0);
+            }
+        });
+    });
+}
+async function resolveBridgeLauncher() {
+    const explicitBinary = process.env.EMBED_LOCAL_BRIDGE_BINARY?.trim();
+    if (explicitBinary) {
+        try {
+            await access(explicitBinary, constants.X_OK);
+            return { command: explicitBinary, args: [] };
+        }
+        catch {
+            // Fall through so the package launcher can print its clearer repair message.
+        }
+    }
+    const pathBinary = await resolveExecutableOnPath(process.platform === "win32" ? "embed-local-bridge.cmd" : "embed-local-bridge");
+    if (pathBinary) {
+        return { command: pathBinary, args: [] };
+    }
+    const packageLauncher = await resolveBridgePackageLauncher();
+    if (packageLauncher) {
+        return { command: process.execPath, args: [packageLauncher] };
+    }
+    return {
+        command: process.execPath,
+        args: [resolve(SOURCE_CHECKOUT_ROOT, "packages", "local-bridge", "dist", "index.js")]
+    };
+}
+async function resolveBridgePackageLauncher() {
+    const candidates = [];
+    try {
+        const packageJson = require.resolve("@embed-labs/local-bridge/package.json");
+        candidates.push(join(dirname(packageJson), "dist", "index.js"));
+    }
+    catch {
+        // Source checkout fallback below.
+    }
+    candidates.push(resolve(SOURCE_CHECKOUT_ROOT, "packages", "local-bridge", "dist", "index.js"));
+    for (const candidate of candidates) {
+        try {
+            await access(candidate, constants.R_OK);
+            return candidate;
+        }
+        catch {
+            // Keep looking.
+        }
+    }
+    return undefined;
+}
 function defaultOpenCodeRoot() {
     return globalOpenCodeRoot();
 }
@@ -2578,12 +2904,26 @@ async function ensureOpenCodeGlobalPluginConfig() {
     return removed;
 }
 function isLegacyOpenCodePluginConfigEntry(item) {
-    const normalized = item.replace(/\\/g, "/");
-    return item === "dbt-agent"
-        || item === "development-board-toolchain"
+    const normalized = item.trim().replace(/\\/g, "/");
+    const pathOnly = normalized.split(/[?#]/, 1)[0] || normalized;
+    return normalized === "dbt-agent"
+        || normalized === "Dbt Agent"
+        || normalized === "deve"
+        || normalized === "development-board-toolchain"
+        || normalized === "development-board-toolchain-dev"
+        || normalized === "./plugins/deve"
+        || normalized === "./plugins/deve.js"
+        || /(?:^|\/)plugins\/deve(?:\.js)?$/.test(pathOnly)
+        || /(?:^|\/)plugins\/dbt-agent(?:\.js)?$/.test(pathOnly)
         || normalized === "./plugins/development-board-toolchain"
         || normalized === "./plugins/development-board-toolchain.js"
-        || normalized.endsWith("/plugins/development-board-toolchain.js")
+        || normalized === "./plugins/development-board-toolchain-dev"
+        || normalized === "./plugins/development-board-toolchain-dev.js"
+        || pathOnly.endsWith("/plugins/development-board-toolchain")
+        || pathOnly.endsWith("/plugins/development-board-toolchain.js")
+        || pathOnly.endsWith("/plugins/development-board-toolchain-dev")
+        || pathOnly.endsWith("/plugins/development-board-toolchain-dev.js")
+        || normalized.includes("dbt-agent")
         || normalized.includes("development-board-toolchain");
 }
 async function openCodeDuplicatePluginWarning(targetRoot) {
@@ -2677,19 +3017,65 @@ async function parseErrorResponse(response) {
     return undefined;
 }
 async function cloudAuthToken() {
+    return (await cloudAuthConfig()).token;
+}
+async function cloudAuthConfig() {
     const envToken = process.env.EMBED_API_TOKEN?.trim();
     if (envToken) {
-        return envToken;
+        const fileConfig = await readLocalAuthFile();
+        return {
+            ...fileConfig,
+            token: envToken,
+            profile: process.env.EMBED_AUTH_PROFILE ?? fileConfig.profile ?? "default",
+            source: "env"
+        };
     }
+    const fileConfig = await readLocalAuthFile();
+    return {
+        ...fileConfig,
+        token: fileConfig.token?.trim() || undefined,
+        profile: fileConfig.profile ?? "default",
+        source: fileConfig.token ? "file" : undefined
+    };
+}
+async function readLocalAuthFile() {
     try {
         const parsed = JSON.parse(await readFile(DEFAULT_AUTH_FILE, "utf8"));
-        const fileToken = typeof parsed.token === "string" ? parsed.token.trim() : "";
-        return fileToken || undefined;
+        return normalizeLocalAuthFile(parsed);
     }
     catch {
-        return undefined;
+        return {};
     }
 }
+function normalizeLocalAuthFile(parsed) {
+    const device = isJsonObject(parsed.device) ? parsed.device : undefined;
+    const normalizedDevice = device && typeof device.device_id === "string" && typeof device.fingerprint_hash === "string" && typeof device.private_key_pem === "string"
+        ? {
+            device_id: device.device_id,
+            fingerprint_hash: device.fingerprint_hash,
+            private_key_pem: device.private_key_pem,
+            public_key_pem: typeof device.public_key_pem === "string" ? device.public_key_pem : undefined,
+            label: typeof device.label === "string" ? device.label : undefined,
+            platform: typeof device.platform === "string" ? device.platform : undefined,
+            arch: typeof device.arch === "string" ? device.arch : undefined,
+            hostname_hash: typeof device.hostname_hash === "string" ? device.hostname_hash : undefined,
+            registered_at: typeof device.registered_at === "string" ? device.registered_at : undefined
+        }
+        : undefined;
+    return {
+        profile: typeof parsed.profile === "string" ? parsed.profile : undefined,
+        token: typeof parsed.token === "string" ? parsed.token.trim() : undefined,
+        updated_at: typeof parsed.updated_at === "string" ? parsed.updated_at : undefined,
+        account_id: typeof parsed.account_id === "string" ? parsed.account_id : undefined,
+        api_key_id: typeof parsed.api_key_id === "string" ? parsed.api_key_id : undefined,
+        device: normalizedDevice
+    };
+}
+async function writeLocalAuthFile(config) {
+    await mkdir(dirname(DEFAULT_AUTH_FILE), { recursive: true });
+    await writeFile(DEFAULT_AUTH_FILE, `${JSON.stringify(config, null, 2)}\n`, "utf8");
+    await chmod(DEFAULT_AUTH_FILE, 0o600).catch(() => undefined);
+}
 function serviceBaseUrl(url) {
     return url.replace(/\/+$/, "");
 }
@@ -4148,30 +4534,272 @@ async function authLogin(parsed) {
         return fail("invalid_args", "Usage: embed auth login --token <token> [--profile default] [--json]");
     }
     const updatedAt = new Date().toISOString();
-    await mkdir(dirname(DEFAULT_AUTH_FILE), { recursive: true });
-    await writeFile(DEFAULT_AUTH_FILE, `${JSON.stringify({ profile, token, updated_at: updatedAt }, null, 2)}\n`, "utf8");
-    return ok({ authenticated: true, profile, source: "file", updated_at: updatedAt });
+    const current = await readLocalAuthFile();
+    const localDevice = await buildLocalDeviceAuth(parsed, current.device);
+    const registration = await registerLocalDevice(token.trim(), localDevice.registration);
+    if (!registration.ok) {
+        return fail(registration.error.code, registration.error.message, {
+            remediation: registration.error.remediation,
+            details: registration.error.details
+        });
+    }
+    const device = {
+        device_id: registration.data.device.device_id,
+        fingerprint_hash: localDevice.device.fingerprint_hash,
+        private_key_pem: localDevice.device.private_key_pem,
+        public_key_pem: localDevice.device.public_key_pem,
+        label: registration.data.device.label ?? localDevice.device.label,
+        platform: registration.data.device.platform ?? localDevice.device.platform,
+        arch: registration.data.device.arch ?? localDevice.device.arch,
+        hostname_hash: registration.data.device.hostname_hash ?? localDevice.device.hostname_hash,
+        registered_at: registration.data.device.first_seen_at
+    };
+    await writeLocalAuthFile({
+        profile,
+        token: token.trim(),
+        updated_at: updatedAt,
+        account_id: registration.data.device.account_id,
+        api_key_id: registration.data.device.api_key_id,
+        device
+    });
+    return ok({
+        authenticated: true,
+        profile,
+        source: "file",
+        updated_at: updatedAt,
+        account_id: registration.data.device.account_id,
+        api_key_id: registration.data.device.api_key_id,
+        device_id: device.device_id,
+        device_fingerprint_hash: device.fingerprint_hash,
+        device_label: device.label,
+        device_registered_at: device.registered_at,
+        device_private_key_configured: true
+    });
 }
 async function authStatus() {
-    if (process.env.EMBED_API_TOKEN?.trim()) {
+    const envToken = process.env.EMBED_API_TOKEN?.trim();
+    const file = await readLocalAuthFile();
+    const deviceIntegrity = file.device
+        ? (await validateLocalDeviceIntegrity(file.device)).ok ? "ok" : "failed"
+        : "unbound";
+    if (envToken) {
         return {
             authenticated: true,
             profile: process.env.EMBED_AUTH_PROFILE ?? "default",
-            source: "env"
+            source: "env",
+            account_id: file.account_id,
+            api_key_id: file.api_key_id,
+            device_id: file.device?.device_id,
+            device_fingerprint_hash: file.device?.fingerprint_hash,
+            device_label: file.device?.label,
+            device_registered_at: file.device?.registered_at,
+            device_private_key_configured: Boolean(file.device?.private_key_pem),
+            device_integrity: deviceIntegrity
         };
     }
+    return {
+        authenticated: Boolean(file.token?.trim()),
+        profile: file.profile ?? "default",
+        source: file.token ? "file" : undefined,
+        updated_at: file.updated_at,
+        account_id: file.account_id,
+        api_key_id: file.api_key_id,
+        device_id: file.device?.device_id,
+        device_fingerprint_hash: file.device?.fingerprint_hash,
+        device_label: file.device?.label,
+        device_registered_at: file.device?.registered_at,
+        device_private_key_configured: Boolean(file.device?.private_key_pem),
+        device_integrity: deviceIntegrity
+    };
+}
+async function authDeviceStatus(parsed) {
+    const unknownFlag = firstUnknownFlag(parsed, ["json"]);
+    const unexpected = parsed.command.slice(3);
+    if (unknownFlag || unexpected.length > 0) {
+        return fail("invalid_args", unknownFlag ? `Unknown flag --${unknownFlag}. ${AUTH_DEVICE_STATUS_USAGE}` : AUTH_DEVICE_STATUS_USAGE);
+    }
+    const local = await authStatus();
+    const remote = local.authenticated ? await cloudGet("/v1/me/devices") : undefined;
+    if (remote && !remote.ok) {
+        return ok({ local });
+    }
+    return ok({ local, remote: remote?.data });
+}
+async function authDeviceList(parsed) {
+    const unknownFlag = firstUnknownFlag(parsed, ["json"]);
+    const unexpected = parsed.command.slice(3);
+    if (unknownFlag || unexpected.length > 0) {
+        return fail("invalid_args", unknownFlag ? `Unknown flag --${unknownFlag}. ${AUTH_DEVICE_LIST_USAGE}` : AUTH_DEVICE_LIST_USAGE);
+    }
+    return await cloudGet("/v1/me/devices");
+}
+async function authDeviceRevoke(parsed) {
+    const unknownFlag = firstUnknownFlag(parsed, ["json"]);
+    if (unknownFlag) {
+        return fail("invalid_args", `Unknown flag --${unknownFlag}. ${AUTH_DEVICE_REVOKE_USAGE}`);
+    }
+    const id = commandId(parsed, 3, "device_id", AUTH_DEVICE_REVOKE_USAGE);
+    if (!id.ok) {
+        return fail("invalid_args", id.error);
+    }
+    return await cloudPost(`/v1/me/devices/${encodeURIComponent(id.value)}/revoke`, {});
+}
+async function authDeviceRename(parsed) {
+    const unknownFlag = firstUnknownFlag(parsed, ["json", "label"]);
+    if (unknownFlag) {
+        return fail("invalid_args", `Unknown flag --${unknownFlag}. ${AUTH_DEVICE_RENAME_USAGE}`);
+    }
+    const id = commandId(parsed, 3, "device_id", AUTH_DEVICE_RENAME_USAGE);
+    if (!id.ok) {
+        return fail("invalid_args", id.error);
+    }
+    const label = stringFlag(parsed, "label");
+    if (!label?.trim()) {
+        return fail("invalid_args", AUTH_DEVICE_RENAME_USAGE);
+    }
+    const updated = await cloudPost(`/v1/me/devices/${encodeURIComponent(id.value)}`, { label: label.trim() });
+    if (updated.ok) {
+        const auth = await readLocalAuthFile();
+        if (auth.device?.device_id === updated.data.device_id) {
+            await writeLocalAuthFile({ ...auth, device: { ...auth.device, label: updated.data.label } });
+        }
+    }
+    return updated;
+}
+async function buildLocalDeviceAuth(parsed, existing) {
+    const fingerprint = await localHardwareFingerprint();
+    const keyPair = existing?.fingerprint_hash === fingerprint.fingerprint_hash && existing.private_key_pem && existing.public_key_pem
+        ? { privateKeyPem: existing.private_key_pem, publicKeyPem: existing.public_key_pem }
+        : generateLocalDeviceKeyPair();
+    const label = stringFlag(parsed, "label")?.trim()
+        || existing?.label
+        || `${fingerprint.platform} ${fingerprint.arch}`;
+    const device = {
+        device_id: existing?.fingerprint_hash === fingerprint.fingerprint_hash ? existing.device_id : "",
+        fingerprint_hash: fingerprint.fingerprint_hash,
+        private_key_pem: keyPair.privateKeyPem,
+        public_key_pem: keyPair.publicKeyPem,
+        label,
+        platform: fingerprint.platform,
+        arch: fingerprint.arch,
+        hostname_hash: fingerprint.hostname_hash,
+        registered_at: existing?.registered_at
+    };
+    return {
+        device,
+        registration: {
+            fingerprint_hash: fingerprint.fingerprint_hash,
+            public_key: keyPair.publicKeyPem,
+            label,
+            platform: fingerprint.platform,
+            arch: fingerprint.arch,
+            hostname_hash: fingerprint.hostname_hash,
+            client_name: EMBED_CLIENT_NAME,
+            client_version: EMBED_CLIENT_VERSION,
+            metadata: {
+                fingerprint_version: "v1",
+                fingerprint_source: fingerprint.source
+            }
+        }
+    };
+}
+function generateLocalDeviceKeyPair() {
+    const { privateKey, publicKey } = generateKeyPairSync("ed25519");
+    return {
+        privateKeyPem: privateKey.export({ type: "pkcs8", format: "pem" }).toString(),
+        publicKeyPem: publicKey.export({ type: "spki", format: "pem" }).toString()
+    };
+}
+async function registerLocalDevice(token, body) {
     try {
-        const parsed = JSON.parse(await readFile(DEFAULT_AUTH_FILE, "utf8"));
-        return {
-            authenticated: typeof parsed.token === "string" && parsed.token.trim().length > 0,
-            profile: typeof parsed.profile === "string" ? parsed.profile : "default",
-            source: "file",
-            updated_at: typeof parsed.updated_at === "string" ? parsed.updated_at : undefined
+        const bodyText = JSON.stringify(body);
+        const headers = {
+            "content-type": "application/json",
+            authorization: `Bearer ${token}`
         };
+        addCloudRequestSignature(headers, "POST", "/v1/me/devices/register", bodyText, token);
+        const response = await fetch(`${serviceBaseUrl(DEFAULT_CLOUD_API_URL)}/v1/me/devices/register`, {
+            method: "POST",
+            headers,
+            body: bodyText
+        });
+        const parsed = await response.json();
+        return enrichCloudAuthFailure(parsed, true);
+    }
+    catch (error) {
+        return fail("cloud_api_unreachable", error instanceof Error ? error.message : String(error), {
+            remediation: `Check that embed cloud-api is running at ${DEFAULT_CLOUD_API_URL}. Start it with: npm run cloud-api`
+        });
+    }
+}
+async function localHardwareFingerprint() {
+    cachedLocalHardwareFingerprint ??= localHardwareFingerprintUncached();
+    return await cachedLocalHardwareFingerprint;
+}
+async function localHardwareFingerprintUncached() {
+    const platformName = platform();
+    const archName = arch();
+    const raw = await localHardwareId(platformName);
+    const fingerprintHash = createHash("sha256")
+        .update(`embed-labs:device:v1:${platformName}:${raw.value}`)
+        .digest("hex");
+    const hostnameHash = createHash("sha256")
+        .update(`embed-labs:hostname:v1:${hostname()}`)
+        .digest("hex");
+    return {
+        fingerprint_hash: fingerprintHash,
+        platform: platformName,
+        arch: archName,
+        hostname_hash: hostnameHash,
+        source: raw.source
+    };
+}
+async function localHardwareId(platformName) {
+    if (platformName === "darwin") {
+        const result = await runLocalProcess("ioreg", ["-rd1", "-c", "IOPlatformExpertDevice"]);
+        const match = /"IOPlatformUUID"\s*=\s*"([^"]+)"/.exec(result.stdout);
+        if (match?.[1]) {
+            return { value: match[1], source: "macos_ioplatformuuid" };
+        }
+    }
+    if (platformName === "win32") {
+        const result = await runLocalProcess("reg", ["query", "HKLM\\SOFTWARE\\Microsoft\\Cryptography", "/v", "MachineGuid"]);
+        const match = /MachineGuid\s+REG_\w+\s+([^\r\n]+)/.exec(result.stdout);
+        if (match?.[1]?.trim()) {
+            return { value: match[1].trim(), source: "windows_machineguid" };
+        }
+    }
+    if (platformName === "linux") {
+        for (const pathValue of ["/etc/machine-id", "/var/lib/dbus/machine-id"]) {
+            try {
+                const value = (await readFile(pathValue, "utf8")).trim();
+                if (value) {
+                    return { value, source: `linux:${pathValue}` };
+                }
+            }
+            catch {
+                // Try the next stable machine id location.
+            }
+        }
+    }
+    const generated = await localGeneratedInstallId();
+    return { value: generated, source: "generated_install_id" };
+}
+async function localGeneratedInstallId() {
+    try {
+        const parsed = JSON.parse(await readFile(DEFAULT_DEVICE_FILE, "utf8"));
+        if (typeof parsed.generated_install_id === "string" && parsed.generated_install_id.trim()) {
+            return parsed.generated_install_id.trim();
+        }
     }
     catch {
-        return { authenticated: false, profile: "default" };
+        // Fall through and create a local-only fallback id.
     }
+    const generated = `install_${randomBytes(24).toString("base64url")}`;
+    await mkdir(dirname(DEFAULT_DEVICE_FILE), { recursive: true });
+    await writeFile(DEFAULT_DEVICE_FILE, `${JSON.stringify({ generated_install_id: generated, created_at: new Date().toISOString() }, null, 2)}\n`, "utf8");
+    await chmod(DEFAULT_DEVICE_FILE, 0o600).catch(() => undefined);
+    return generated;
 }
 function accountCreateBody(parsed) {
     const unknownFlag = firstUnknownFlag(parsed, ["json", "email", "display-name"]);
@@ -4337,6 +4965,8 @@ function mcpToolEventBody(parsed) {
         "mode",
         "server-model-used",
         "success",
+        "local-device-id",
+        "local_device_id",
         "request-id",
         "duration-ms",
         "input-summary",
@@ -4363,6 +4993,9 @@ function mcpToolEventBody(parsed) {
     const modeResult = optionalTrimmedStringFlag(parsed, "mode");
     if (modeResult.error)
         return modeResult.error;
+    const localDeviceResult = optionalTrimmedStringAliasFlag(parsed, ["local-device-id", "local_device_id"], "local-device-id");
+    if (localDeviceResult.error)
+        return localDeviceResult.error;
     const requestIdResult = optionalTrimmedStringFlag(parsed, "request-id");
     if (requestIdResult.error)
         return requestIdResult.error;
@@ -4386,12 +5019,14 @@ function mcpToolEventBody(parsed) {
         tool_name: toolResult.value,
         client: clientResult.value,
         mode: modeResult.value,
+        local_device_id: localDeviceResult.value,
         server_model_used: serverModelUsed,
         success,
         request_id: requestIdResult.value,
         duration_ms: durationResult.value,
         input_summary: inputSummaryResult.value,
-        output_summary: outputSummaryResult.value
+        output_summary: outputSummaryResult.value,
+        metadata: localDeviceResult.value ? { local_device_id: localDeviceResult.value } : undefined
     });
 }
 function usageSummaryRequest(parsed) {
@@ -4909,7 +5544,9 @@ function localToolchainAuthContext(auth, accountId) {
         authenticated: auth.authenticated,
         profile: auth.profile,
         source: auth.source,
-        account_id: accountId
+        account_id: accountId,
+        api_key_id: auth.api_key_id,
+        device_id: auth.device_id
     };
 }
 function usageEventsRequest(parsed) {
@@ -5380,9 +6017,53 @@ function renderAgentRunResult(result) {
     return lines.join("\n");
 }
 function renderAuthStatus(status) {
-    return status.authenticated
-        ? `Authenticated profile=${status.profile}${status.source ? ` source=${status.source}` : ""}`
-        : `Not authenticated profile=${status.profile}`;
+    if (!status.authenticated) {
+        return `Not authenticated profile=${status.profile}`;
+    }
+    return [
+        `Authenticated profile=${status.profile}${status.source ? ` source=${status.source}` : ""}`,
+        status.account_id ? `account=${status.account_id}` : "",
+        status.api_key_id ? `api_key=${status.api_key_id}` : "",
+        status.device_id ? `device=${status.device_id}` : "device=not_registered",
+        status.device_label ? `device_label=${status.device_label}` : "",
+        status.device_integrity ? `device_integrity=${status.device_integrity}` : "",
+        status.device_private_key_configured === false ? "device_private_key=missing" : ""
+    ].filter(Boolean).join("\n");
+}
+function renderAuthDeviceStatus(status) {
+    const lines = [renderAuthStatus(status.local)];
+    if (status.remote) {
+        const activeCount = status.remote.devices.filter((device) => device.status === "active").length;
+        lines.push(`remote_devices=${activeCount}/${status.remote.device_limit}`);
+        const localDevice = status.local.device_id
+            ? status.remote.devices.find((device) => device.device_id === status.local.device_id)
+            : undefined;
+        if (localDevice) {
+            lines.push(`remote_current=${renderAuthDevice(localDevice)}`);
+        }
+    }
+    return lines.join("\n");
+}
+function renderAuthDeviceList(result) {
+    if (result.devices.length === 0) {
+        return `No registered devices. device_limit=${result.device_limit}`;
+    }
+    return [
+        `device_limit=${result.device_limit}`,
+        ...result.devices.map(renderAuthDevice)
+    ].join("\n");
+}
+function renderAuthDevice(device) {
+    return [
+        `${device.device_id} account=${device.account_id}`,
+        device.api_key_id ? `api_key=${device.api_key_id}` : "",
+        `status=${device.status}`,
+        device.label ? `label=${device.label}` : "",
+        device.platform ? `platform=${device.platform}` : "",
+        device.arch ? `arch=${device.arch}` : "",
+        `last_seen_at=${device.last_seen_at}`,
+        device.revoked_at ? `revoked_at=${device.revoked_at}` : ""
+    ].filter(Boolean).join(" ");
 }
 function renderAccount(account) {
     return [
@@ -6895,7 +7576,7 @@ Help:
 
 Environment:
   EMBED_BRIDGE_URL=http://127.0.0.1:18083
-  EMBED_CLOUD_API_URL=http://127.0.0.1:18100
+  EMBED_CLOUD_API_URL=https://api.embedboard.com
   EMBED_API_TOKEN=<token>
   CODEX_HOME=~/.codex
 
@@ -7134,7 +7815,7 @@ Usage:
 
 Environment:
   EMBED_BRIDGE_URL=http://127.0.0.1:18083
-  EMBED_CLOUD_API_URL=http://127.0.0.1:18100
+  EMBED_CLOUD_API_URL=https://api.embedboard.com
   EMBED_API_TOKEN=<token>
   CODEX_HOME=~/.codex
 `);