npm - @kvell007/embed-labs-cli - Versions diffs - 0.1.0-alpha.21 → 0.1.0-alpha.23 - Mend

@kvell007/embed-labs-cli 0.1.0-alpha.21 → 0.1.0-alpha.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +6 -2
package/dist/index.js +839 -76
package/dist/index.js.map +1 -1
package/dist/local-toolchain.d.ts +2 -0
package/dist/local-toolchain.js.map +1 -1
package/package.json +3 -3

package/dist/index.js CHANGED Viewed

@@ -1,13 +1,12 @@
 #!/usr/bin/env node
-import { createHash, createHmac, randomBytes } from "node:crypto";
+import { createHash, createHmac, generateKeyPairSync, randomBytes, sign as signCrypto } from "node:crypto";
 import { constants } from "node:fs";
 import { spawn } from "node:child_process";
-import { access, cp, mkdir, mkdtemp, readFile, readdir, rm, stat, writeFile } from "node:fs/promises";
+import { access, chmod, cp, mkdir, mkdtemp, readFile, readdir, rm, stat, writeFile } from "node:fs/promises";
 import { createRequire } from "node:module";
-import { homedir, tmpdir } from "node:os";
+import { arch, hostname, homedir, platform, tmpdir } from "node:os";
 import { basename, delimiter, dirname, join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
-import { startServer } from "@embed-labs/local-bridge";
 import { composeBootLogoPackage } from "./image-compose.js";
 import { buildTaishanPiQtSmoke, compileTaishanPiSingleFile, currentLocalToolchain, installLocalToolchain, latestLocalToolchain, validateLocalToolchain } from "./local-toolchain.js";
 import { fail, ok } from "@embed-labs/protocol";
@@ -16,10 +15,14 @@ const CLI_MODULE_DIR = dirname(fileURLToPath(import.meta.url));
 const SOURCE_CHECKOUT_ROOT = resolve(CLI_MODULE_DIR, "..", "..", "..");
 const qrcodeTerminal = require("qrcode-terminal");
 const DEFAULT_BRIDGE_URL = process.env.EMBED_BRIDGE_URL ?? "http://127.0.0.1:18083";
-const DEFAULT_CLOUD_API_URL = process.env.EMBED_CLOUD_API_URL ?? "http://127.0.0.1:18100";
+const DEFAULT_CLOUD_API_URL = process.env.EMBED_CLOUD_API_URL ?? "https://api.embedboard.com";
 const DEFAULT_AUTH_FILE = process.env.EMBED_AUTH_FILE ?? ".embed-labs/auth.json";
+const DEFAULT_DEVICE_FILE = process.env.EMBED_DEVICE_FILE ?? join(dirname(DEFAULT_AUTH_FILE), "device.json");
 const DEFAULT_DASHBOARD_URL = process.env.EMBED_DASHBOARD_URL ?? "https://api.embedboard.com/dashboard";
+const EMBED_CLIENT_NAME = "embedlabs-cli";
+const EMBED_CLIENT_VERSION = process.env.EMBED_CLIENT_VERSION ?? "0.1.0";
 const DEFAULT_AGENT_ARTIFACT_DIR = process.env.EMBED_AGENT_ARTIFACT_DIR ?? ".embed-labs/artifacts";
+const TOOL_INTEGRITY_RELOGIN_MESSAGE = "工具完整性校验失败，请在当前电脑重新执行 embedlabs auth login --token <key>";
 const DOCTOR_USAGE = "Usage: embed doctor [--json]";
 const DOCTOR_HTTP_TIMEOUT_MS = 8000;
 const MIN_NODE_MAJOR = 20;
@@ -30,7 +33,14 @@ const DEFAULT_PLUGIN_RELEASE_URL = process.env.EMBED_PLUGIN_RELEASE_URL?.trim()
 const PLUGIN_LIST_USAGE = "Usage: embed plugin list [--release-dir <dir>] [--release-url <url>] [--json]";
 const CODEX_PLUGIN_NAME = "embed-labs";
 const CODEX_MARKETPLACE_NAME = "embed-labs";
-const LEGACY_CODEX_MARKETPLACE_NAMES = new Set(["embed-labs-plugins"]);
+const LEGACY_CODEX_PLUGIN_NAMES = [
+    "dbt-agent",
+    "Dbt Agent",
+    "development-board-toolchain",
+    "development-board-toolchain-dev",
+    "deve"
+];
+const LEGACY_CODEX_MARKETPLACE_NAMES = new Set(["embed-labs-plugins", "plugins", "Plugins", "deve"]);
 const PLUGIN_INSTALL_USAGE = "Usage: embed plugin install <codex|opencode|all> [--release-dir <dir>] [--release-url <url>] [--target <dir>] [--codex-target <dir>] [--opencode-target <dir>] [--force] [--json]";
 const CLOUD_TASK_ARTIFACTS_USAGE = "Usage: embed cloud task artifacts <task_id> [--json]";
 const CLOUD_TASK_EVIDENCE_USAGE = "Usage: embed cloud task evidence <task_id> [--json]";
@@ -91,6 +101,10 @@ const LOCAL_TOOLCHAIN_INSTALL_USAGE = "Usage: embed local toolchain install [--b
 const LOCAL_TOOLCHAIN_VALIDATE_USAGE = "Usage: embed local toolchain validate [--release-root <path>] [--mode minimal|compile|qt|full|images] [--json]";
 const LOCAL_COMPILE_TAISHANPI_USAGE = "Usage: embed local compile taishanpi --source <main.c|main.cpp> --output <artifact> [--release-root <path>] [--account <account_id>] [--json]";
 const LOCAL_BUILD_QT_SMOKE_USAGE = "Usage: embed local build qt-smoke --build-dir <dir> [--source <qt-smoke-dir>] [--release-root <path>] [--account <account_id>] [--json]";
+const AUTH_DEVICE_STATUS_USAGE = "Usage: embed auth device status [--json]";
+const AUTH_DEVICE_LIST_USAGE = "Usage: embed auth device list [--json]";
+const AUTH_DEVICE_REVOKE_USAGE = "Usage: embed auth device revoke <device_id> [--json]";
+const AUTH_DEVICE_RENAME_USAGE = "Usage: embed auth device rename <device_id> --label <name> [--json]";
 const BOARD_REGISTRY_LIST_USAGE = "Usage: embed board registry list [--json]";
 const BOARD_REGISTRY_SHOW_USAGE = "Usage: embed board registry show <template_id> [--json]";
 const BOARD_METHODS_USAGE = "Usage: embed board methods <template_id> [--json]";
@@ -100,9 +114,10 @@ const MODEL_LIST_USAGE = "Usage: embed model list [--json]";
 const MODEL_DEFAULT_USAGE = "Usage: embed model default [--json]";
 const SERVICE_MODES_USAGE = "Usage: embed service modes [--json]";
 const AGENT_RUN_USAGE = "Usage: embed agent run --prompt <request> [--account <account_id>] [--workspace <workspace_id>] [--provider stub|openai|bai|cc|claude-code] [--model <model>] [--max-tool-calls 6] [--host <ip>] [--ports 22,15301] [--artifact <local_file>|--artifact-id <artifact_id>|--artifact-task <task_id>] [--artifact-output <path>] [--remote-path <path>] [--run] [--approve] [--json]";
+let cachedLocalHardwareFingerprint;
 const TOOL_LIST_USAGE = "Usage: embed tool list [--json]";
 const TOOL_CALL_USAGE = "Usage: embed tool call <capability_id> [--input-json '<json>'] [--approve] [--json]";
-const MCP_TOOL_EVENT_USAGE = "Usage: embed mcp log --tool <tool_name> [--client codex|opencode] [--mode local_ai|server_ai] [--server-model-used true|false] [--success true|false] [--request-id <id>] [--duration-ms <ms>] [--input-summary <text>] [--output-summary <text>] [--json]";
+const MCP_TOOL_EVENT_USAGE = "Usage: embed mcp log --tool <tool_name> [--client codex|opencode] [--mode local_ai|server_ai] [--local-device-id <id>] [--server-model-used true|false] [--success true|false] [--request-id <id>] [--duration-ms <ms>] [--input-summary <text>] [--output-summary <text>] [--json]";
 const BOARD_DEPLOY_TAISHANPI_USAGE = "Usage: embed deploy taishanpi --host <ip> --artifact <local_file> --approve [--user root] [--remote-path /userdata/embed-labs/apps/app] [--run] [--timeout 30] [--json]";
 const CLOUD_TASK_EVENT_APPEND_USAGE = "Usage: embed cloud task event append <task_id> [--state <state>] [--progress-stage <stage>|--stage <stage>] [--progress-text <text>|--message <text>] [--progress-percent 0-100] [--severity info|warning|error] [--type <event_type>] [--artifact-json '<json>'] [--evidence-json '<json>'] [--json]";
 const TASK_STATES = new Set([
@@ -152,11 +167,7 @@ async function main(argv) {
             return output(parsed, await bridgePost("/v1/board/taishanpi/deploy", request), renderBoardDeployResult);
         }
         if (area === "bridge" && action === "start") {
-            startServer({
-                host: stringFlag(parsed, "host"),
-                port: numberFlag(parsed, "port")
-            });
-            return await waitForever();
+            return await runBridgeStart(parsed);
         }
         if (area === "bridge" && action === "status") {
             return output(parsed, await bridgeGet("/healthz"), renderBridgeStatus);
@@ -293,6 +304,31 @@ async function main(argv) {
         if (area === "auth" && action === "status") {
             return output(parsed, ok(await authStatus()), renderAuthStatus);
         }
+        if (area === "auth" && action === "device") {
+            const deviceAction = parsed.command[2] ?? "status";
+            if (deviceAction === "status") {
+                const result = await authDeviceStatus(parsed);
+                return output(parsed, result, renderAuthDeviceStatus, result.ok ? 0 : 2);
+            }
+            if (deviceAction === "list") {
+                const result = await authDeviceList(parsed);
+                return output(parsed, result, renderAuthDeviceList, result.ok ? 0 : 2);
+            }
+            if (deviceAction === "revoke") {
+                const result = await authDeviceRevoke(parsed);
+                return output(parsed, result, renderAuthDevice, result.ok ? 0 : 2);
+            }
+            if (deviceAction === "rename") {
+                const result = await authDeviceRename(parsed);
+                return output(parsed, result, renderAuthDevice, result.ok ? 0 : 2);
+            }
+            return output(parsed, fail("invalid_args", [
+                AUTH_DEVICE_STATUS_USAGE,
+                AUTH_DEVICE_LIST_USAGE,
+                AUTH_DEVICE_REVOKE_USAGE,
+                AUTH_DEVICE_RENAME_USAGE
+            ].join("\n")), undefined, 2);
+        }
         if (area === "auth" && action === "logout") {
             await rm(DEFAULT_AUTH_FILE, { force: true });
             return output(parsed, ok(await authStatus()), renderAuthStatus);
@@ -1356,19 +1392,34 @@ function isApiResponse(value) {
     return isJsonObject(error) && typeof error.code === "string" && typeof error.message === "string";
 }
 async function bridgeGet(path) {
-    const response = await fetch(`${DEFAULT_BRIDGE_URL}${path}`, {
-        headers: bridgeHeaders("GET", path, "")
-    });
-    return await response.json();
+    return await bridgeRequest("GET", path);
 }
 async function bridgePost(path, body) {
-    const bodyText = JSON.stringify(body);
-    const response = await fetch(`${DEFAULT_BRIDGE_URL}${path}`, {
-        method: "POST",
-        headers: bridgeHeaders("POST", path, bodyText, { "content-type": "application/json" }),
-        body: bodyText
-    });
-    return await response.json();
+    return await bridgeRequest("POST", path, body);
+}
+async function bridgeRequest(method, path, body) {
+    const bodyText = body === undefined ? "" : JSON.stringify(body);
+    const makeRequest = async () => {
+        const response = await fetch(`${DEFAULT_BRIDGE_URL}${path}`, {
+            method,
+            headers: bridgeHeaders(method, path, method === "POST" ? bodyText : "", method === "POST" ? { "content-type": "application/json" } : {}),
+            body: method === "POST" ? bodyText : undefined
+        });
+        return await response.json();
+    };
+    try {
+        return await makeRequest();
+    }
+    catch (error) {
+        if (!isBridgeConnectionFailure(error)) {
+            throw error;
+        }
+        const started = await ensureBridgeStartedForRequest();
+        if (!started.ok) {
+            return started;
+        }
+        return await makeRequest();
+    }
 }
 function bridgeHeaders(method, path, bodyText, base = {}) {
     const token = process.env.EMBED_BRIDGE_TOKEN?.trim();
@@ -1397,6 +1448,87 @@ function addBridgeRequestSignature(headers, method, pathWithQuery, bodyText, tok
     headers["x-embed-body-sha256"] = bodySha256;
     headers["x-embed-signature"] = createHmac("sha256", token).update(canonical).digest("hex");
 }
+function isBridgeConnectionFailure(error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return message.includes("fetch failed") ||
+        message.includes("ECONNREFUSED") ||
+        message.includes("ECONNRESET") ||
+        message.includes("UND_ERR_SOCKET");
+}
+async function ensureBridgeStartedForRequest() {
+    if (process.env.EMBED_BRIDGE_AUTO_START === "0") {
+        return fail("bridge_unavailable", `embed-local-bridge is not running at ${DEFAULT_BRIDGE_URL}.`, {
+            remediation: `Start it with: embed bridge start`
+        });
+    }
+    let bridgeURL;
+    try {
+        bridgeURL = new URL(DEFAULT_BRIDGE_URL);
+    }
+    catch {
+        return fail("bridge_url_invalid", `EMBED_BRIDGE_URL is not a valid URL: ${DEFAULT_BRIDGE_URL}`);
+    }
+    if (!isLocalBridgeURL(bridgeURL)) {
+        return fail("bridge_unavailable", `embed-local-bridge is not reachable at ${DEFAULT_BRIDGE_URL}.`, {
+            remediation: `Start the bridge for that host, or set EMBED_BRIDGE_URL to a local bridge URL.`
+        });
+    }
+    const launcher = await resolveBridgeLauncher();
+    const host = bridgeURL.hostname === "::1" ? "::1" : bridgeURL.hostname || "127.0.0.1";
+    const port = bridgeURL.port || "18083";
+    const env = {
+        ...process.env,
+        EMBED_BRIDGE_HOST: host,
+        EMBED_BRIDGE_PORT: port
+    };
+    const child = spawn(launcher.command, [...launcher.args, "--host", host, "--port", port], {
+        cwd: process.cwd(),
+        detached: true,
+        stdio: "ignore",
+        env
+    });
+    child.unref();
+    const ready = await waitForBridgeHealth(bridgeURL, 8000);
+    if (!ready.ok) {
+        return ready;
+    }
+    return ok({
+        started: true,
+        bridge_url: DEFAULT_BRIDGE_URL,
+        command: launcher.command
+    });
+}
+function isLocalBridgeURL(url) {
+    const host = url.hostname.toLowerCase();
+    return host === "localhost" || host === "127.0.0.1" || host === "::1" || host === "[::1]";
+}
+async function waitForBridgeHealth(bridgeURL, timeoutMs) {
+    const deadline = Date.now() + timeoutMs;
+    let lastError = "";
+    while (Date.now() < deadline) {
+        try {
+            const response = await fetch(new URL("/healthz", bridgeURL), {
+                headers: bridgeHeaders("GET", "/healthz", "")
+            });
+            const parsed = await response.json();
+            if (parsed.ok) {
+                return parsed;
+            }
+            lastError = parsed.error?.message ?? `HTTP ${response.status}`;
+        }
+        catch (error) {
+            lastError = error instanceof Error ? error.message : String(error);
+        }
+        await delay(100);
+    }
+    return fail("bridge_start_failed", `embed-local-bridge did not become healthy at ${DEFAULT_BRIDGE_URL}.`, {
+        remediation: `Run embed bridge start in a separate terminal and retry.`,
+        details: { last_error: lastError }
+    });
+}
+function delay(ms) {
+    return new Promise((resolveDelay) => setTimeout(resolveDelay, ms));
+}
 async function cloudGet(path) {
     return await cloudRequest("GET", path);
 }
@@ -1406,17 +1538,23 @@ async function cloudPost(path, body) {
 async function cloudDownloadArtifact(artifactId, outputPath) {
     try {
         const headers = {};
-        const token = await cloudAuthToken();
-        if (token) {
-            headers.authorization = `Bearer ${token}`;
-            addCloudRequestSignature(headers, "GET", `/v1/artifacts/${encodeURIComponent(artifactId)}/download`, "", token);
+        const auth = await cloudAuthConfig();
+        if (auth.token) {
+            if (auth.device) {
+                const integrity = await validateLocalDeviceIntegrity(auth.device);
+                if (!integrity.ok) {
+                    return integrity;
+                }
+            }
+            headers.authorization = `Bearer ${auth.token}`;
+            addCloudRequestSignature(headers, "GET", `/v1/artifacts/${encodeURIComponent(artifactId)}/download`, "", auth.token, auth.device);
         }
         const response = await fetch(`${serviceBaseUrl(DEFAULT_CLOUD_API_URL)}/v1/artifacts/${encodeURIComponent(artifactId)}/download`, {
             headers: Object.keys(headers).length > 0 ? headers : undefined
         });
         if (!response.ok) {
             const parsed = await parseErrorResponse(response);
-            return parsed ? enrichCloudAuthFailure(parsed, Boolean(token)) : fail("artifact_download_failed", `Artifact download failed with HTTP ${response.status}.`);
+            return parsed ? enrichCloudAuthFailure(parsed, Boolean(auth.token)) : fail("artifact_download_failed", `Artifact download failed with HTTP ${response.status}.`);
         }
         const bytes = Buffer.from(await response.arrayBuffer());
         const expectedSha256 = response.headers.get("x-embed-artifact-sha256")?.trim();
@@ -1449,10 +1587,16 @@ async function cloudRequest(method, path, body) {
         if (bodyText) {
             headers["content-type"] = "application/json";
         }
-        const token = await cloudAuthToken();
-        if (token) {
-            headers.authorization = `Bearer ${token}`;
-            addCloudRequestSignature(headers, method, path, bodyText, token);
+        const auth = await cloudAuthConfig();
+        if (auth.token) {
+            if (auth.device) {
+                const integrity = await validateLocalDeviceIntegrity(auth.device);
+                if (!integrity.ok) {
+                    return integrity;
+                }
+            }
+            headers.authorization = `Bearer ${auth.token}`;
+            addCloudRequestSignature(headers, method, path, bodyText, auth.token, auth.device);
         }
         const response = await fetch(`${serviceBaseUrl(DEFAULT_CLOUD_API_URL)}${path}`, {
             method,
@@ -1460,7 +1604,7 @@ async function cloudRequest(method, path, body) {
             body: body === undefined ? undefined : bodyText
         });
         const parsed = await response.json();
-        return enrichCloudAuthFailure(parsed, Boolean(token));
+        return enrichCloudAuthFailure(parsed, Boolean(auth.token));
     }
     catch (error) {
         return fail("cloud_api_unreachable", error instanceof Error ? error.message : String(error), {
@@ -1468,8 +1612,42 @@ async function cloudRequest(method, path, body) {
         });
     }
 }
+async function validateLocalDeviceIntegrity(device) {
+    const current = await localHardwareFingerprint();
+    if (current.fingerprint_hash === device.fingerprint_hash) {
+        return ok(undefined);
+    }
+    return fail("tool_integrity_check_failed", TOOL_INTEGRITY_RELOGIN_MESSAGE, {
+        remediation: [
+            "当前 Embed Labs CLI/插件配置绑定的电脑与本机硬件唯一码不一致。",
+            TOOL_INTEGRITY_RELOGIN_MESSAGE,
+            "如果账号设备数量已达上限，请先在原电脑或用户后台撤销旧设备。"
+        ].join("\n"),
+        details: {
+            expected_fingerprint_hash: device.fingerprint_hash,
+            current_fingerprint_hash: current.fingerprint_hash,
+            platform: current.platform,
+            arch: current.arch,
+            fingerprint_source: current.source
+        }
+    });
+}
 function enrichCloudAuthFailure(response, hadToken) {
-    if (response.ok || response.error.code !== "unauthorized") {
+    if (response.ok) {
+        return response;
+    }
+    if (response.error.code.startsWith("device_") || response.error.code.startsWith("request_signature_")) {
+        return fail(response.error.code, response.error.message, {
+            remediation: [
+                "This computer is not fully registered for the configured Embed Labs API Token.",
+                "Run: embedlabs auth login --token <your_token>",
+                "Then verify with: embedlabs auth device status",
+                "If the account already has too many devices, revoke one with: embedlabs auth device revoke <device_id>"
+            ].join("\n"),
+            details: response.error.details
+        });
+    }
+    if (response.error.code !== "unauthorized") {
         return response;
     }
     if (!hadToken) {
@@ -1501,7 +1679,7 @@ function cloudAuthSetupDetails() {
         auth_file: DEFAULT_AUTH_FILE
     };
 }
-function addCloudRequestSignature(headers, method, pathWithQuery, bodyText, token) {
+function addCloudRequestSignature(headers, method, pathWithQuery, bodyText, token, device) {
     if (process.env.EMBED_CLOUD_API_SIGNING === "0") {
         return;
     }
@@ -1509,11 +1687,21 @@ function addCloudRequestSignature(headers, method, pathWithQuery, bodyText, toke
     const nonce = randomBytes(16).toString("hex");
     const bodySha256 = createHash("sha256").update(bodyText).digest("hex");
     const keyId = createHash("sha256").update(token).digest("hex").slice(0, 16);
-    const canonical = cloudRequestCanonicalString(method, pathWithQuery, timestamp, nonce, bodySha256);
+    const canonical = device
+        ? cloudRequestCanonicalStringV2(method, pathWithQuery, timestamp, nonce, bodySha256, device, EMBED_CLIENT_NAME, EMBED_CLIENT_VERSION)
+        : cloudRequestCanonicalString(method, pathWithQuery, timestamp, nonce, bodySha256);
     headers["x-embed-key-id"] = keyId;
     headers["x-embed-timestamp"] = timestamp;
     headers["x-embed-nonce"] = nonce;
     headers["x-embed-body-sha256"] = bodySha256;
+    if (device) {
+        headers["x-embed-signature-version"] = "v2";
+        headers["x-embed-device-id"] = device.device_id;
+        headers["x-embed-device-fingerprint-sha256"] = device.fingerprint_hash;
+        headers["x-embed-client-name"] = EMBED_CLIENT_NAME;
+        headers["x-embed-client-version"] = EMBED_CLIENT_VERSION;
+        headers["x-embed-device-signature"] = signCrypto(null, Buffer.from(canonical), device.private_key_pem).toString("base64url");
+    }
     headers["x-embed-signature"] = createHmac("sha256", token).update(canonical).digest("hex");
 }
 function cloudRequestCanonicalString(method, pathWithQuery, timestamp, nonce, bodySha256) {
@@ -1525,6 +1713,19 @@ function cloudRequestCanonicalString(method, pathWithQuery, timestamp, nonce, bo
         bodySha256
     ].join("\n");
 }
+function cloudRequestCanonicalStringV2(method, pathWithQuery, timestamp, nonce, bodySha256, device, clientName, clientVersion) {
+    return [
+        method.toUpperCase(),
+        normalizeCloudPathForSignature(pathWithQuery),
+        timestamp,
+        nonce,
+        bodySha256,
+        device.device_id,
+        device.fingerprint_hash,
+        clientName,
+        clientVersion
+    ].join("\n");
+}
 function normalizeCloudPathForSignature(pathWithQuery) {
     try {
         const parsed = new URL(pathWithQuery, "http://embed.local");
@@ -1951,17 +2152,22 @@ async function cleanupLegacyCodexPluginRemnants(targetRoot) {
     const warnings = [];
     const stoppedProcesses = await stopLegacyCodexPluginProcesses(warnings);
     const legacyPaths = [
-        join(targetRoot, "dbt-agent"),
-        join(targetRoot, "development-board-toolchain"),
-        join(targetRoot, "cache", CODEX_MARKETPLACE_NAME, CODEX_PLUGIN_NAME),
-        join(targetRoot, "cache", "embed-labs", "dbt-agent"),
-        join(targetRoot, "cache", "dbt-agent"),
-        join(targetRoot, "cache", "plugins", "dbt-agent")
+        join(targetRoot, "cache", CODEX_MARKETPLACE_NAME, CODEX_PLUGIN_NAME)
     ];
+    for (const marketplaceName of LEGACY_CODEX_MARKETPLACE_NAMES) {
+        legacyPaths.push(join(targetRoot, "cache", marketplaceName, CODEX_PLUGIN_NAME));
+    }
+    for (const pluginName of LEGACY_CODEX_PLUGIN_NAMES) {
+        legacyPaths.push(join(targetRoot, pluginName));
+        legacyPaths.push(join(targetRoot, "cache", pluginName));
+        for (const marketplaceName of [CODEX_MARKETPLACE_NAME, ...LEGACY_CODEX_MARKETPLACE_NAMES]) {
+            legacyPaths.push(join(targetRoot, "cache", marketplaceName, pluginName));
+        }
+    }
     legacyPaths.push(...await discoverLegacyCodexCachePaths(targetRoot));
     if (resolve(targetRoot) === resolve(defaultCodexPluginRoot())) {
         legacyPaths.push(join(defaultCodexHome(), ".tmp", "plugins"), join(defaultCodexHome(), ".tmp", "plugins.sha"), join(defaultCodexHome(), "ambient-suggestions"), join(defaultCodexHome(), "skills", "dbt-agent"), join(defaultCodexHome(), "skills", "development-board-toolchain-dev"), join(defaultCodexHome(), "memories", "skills", "dbt-agent-live-board-ops"), join(defaultCodexHome(), "memories", "skills", "dbt-agent-platform-plugin-maintenance"));
-        legacyPaths.push(...await discoverLegacyHomeAgentsMarketplacePaths(warnings), ...legacyDevelopmentBoardRuntimePluginPaths());
+        legacyPaths.push(...legacyCodexLocalMarketplacePaths(), ...await discoverLegacyHomeAgentsMarketplacePaths(warnings), ...await discoverLegacyCodexProjectMarketplacePaths(warnings), ...legacyDevelopmentBoardRuntimePluginPaths());
     }
     for (const candidate of legacyPaths) {
         try {
@@ -2054,6 +2260,11 @@ function legacyDevelopmentBoardRuntimePluginPaths() {
         join(homedir(), "Library", "Application Support", "development-board-toolchain", "runtime", "opencode_plugin")
     ];
 }
+function legacyCodexLocalMarketplacePaths() {
+    return Array.from(LEGACY_CODEX_MARKETPLACE_NAMES)
+        .filter((name) => name !== CODEX_MARKETPLACE_NAME)
+        .map((name) => join(defaultCodexHome(), "local-marketplaces", name));
+}
 async function discoverLegacyHomeAgentsMarketplacePaths(warnings) {
     const paths = [];
     const pluginRoot = join(homedir(), ".agents", "plugins");
@@ -2080,9 +2291,72 @@ async function discoverLegacyHomeAgentsMarketplacePaths(warnings) {
     return paths;
 }
 function isLegacyHomeAgentsMarketplace(text) {
-    return text.includes('"name" : "plugins"') || text.includes('"name": "plugins"')
-        ? text.includes('"dbt-agent"') || text.includes('"./.codex/plugins/dbt-agent"') || text.includes('"./plugins/dbt-agent"')
-        : false;
+    return marketplaceTextHasLegacyCodexPlugin(text);
+}
+async function discoverLegacyCodexProjectMarketplacePaths(warnings) {
+    const configPath = codexConfigPath();
+    let text = "";
+    try {
+        text = await readFile(configPath, "utf8");
+    }
+    catch {
+        return [];
+    }
+    const paths = new Set();
+    for (const projectPath of legacyCodexProjectPathsFromConfig(text)) {
+        for (const candidate of [
+            join(projectPath, ".agents", "plugins", "marketplace.json"),
+            join(projectPath, "platform_plugin", ".agents", "plugins", "marketplace.json"),
+            join(projectPath, "platform_plugins", "codex_plugin", ".agents", "plugins", "marketplace.json")
+        ]) {
+            try {
+                if (!await pathExists(candidate))
+                    continue;
+                const current = await readFile(candidate, "utf8");
+                if (marketplaceTextHasLegacyCodexPlugin(current)) {
+                    paths.add(candidate);
+                }
+            }
+            catch (error) {
+                warnings.push(`Could not inspect legacy Codex project marketplace ${candidate}: ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+    }
+    return Array.from(paths);
+}
+function legacyCodexProjectPathsFromConfig(text) {
+    const paths = [];
+    const lines = text.match(/[^\n]*\n|[^\n]+$/g) ?? [];
+    for (const line of lines) {
+        const table = parseTomlTableHeader(line);
+        const match = table ? /^projects\."([^"]+)"$/.exec(table) : undefined;
+        if (match?.[1] && /DBT-Agent-Project|development-board-toolchain|dbt-agent/i.test(match[1])) {
+            paths.push(match[1].replace(/\\"/g, '"'));
+        }
+    }
+    return paths;
+}
+function marketplaceTextHasLegacyCodexPlugin(text) {
+    try {
+        const parsed = JSON.parse(text);
+        const marketplaceName = typeof parsed.name === "string" ? parsed.name : "";
+        const marketplaceDisplayName = typeof parsed.interface?.displayName === "string" ? parsed.interface.displayName : "";
+        const marketplaceLooksLegacy = legacyTextHasCodexPluginResidue(marketplaceName)
+            || legacyTextHasCodexPluginResidue(marketplaceDisplayName)
+            || LEGACY_CODEX_MARKETPLACE_NAMES.has(marketplaceName);
+        return (parsed.plugins ?? []).some((plugin) => {
+            const values = [
+                plugin.name,
+                plugin.category,
+                plugin.source?.path,
+                plugin.interface?.displayName
+            ].filter((value) => typeof value === "string");
+            return values.some(legacyTextHasCodexPluginResidue) || marketplaceLooksLegacy && values.some((value) => /embed-labs|dbt|development-board/i.test(value));
+        });
+    }
+    catch {
+        return legacyTextHasCodexPluginResidue(text);
+    }
 }
 async function discoverLegacyCodexCachePaths(targetRoot) {
     const paths = [];
@@ -2092,8 +2366,12 @@ async function discoverLegacyCodexCachePaths(targetRoot) {
         for (const entry of marketplaces) {
             if (!entry.isDirectory())
                 continue;
-            paths.push(join(cacheRoot, entry.name, "dbt-agent"));
-            paths.push(join(cacheRoot, entry.name, "development-board-toolchain"));
+            if (LEGACY_CODEX_MARKETPLACE_NAMES.has(entry.name)) {
+                paths.push(join(cacheRoot, entry.name, CODEX_PLUGIN_NAME));
+            }
+            for (const pluginName of LEGACY_CODEX_PLUGIN_NAMES) {
+                paths.push(join(cacheRoot, entry.name, pluginName));
+            }
         }
     }
     catch {
@@ -2139,6 +2417,8 @@ function isLegacyCodexHistoryMention(line) {
         || line.includes("plugin://dbt-agent@embed-labs")
         || line.includes("development-board-toolchain-dev")
         || line.includes("development-board-toolchain")
+        || /plugin:\/\/Dbt Agent@/i.test(line)
+        || /plugin:\/\/deve@/i.test(line)
         || /dbt-agent/i.test(line);
 }
 function removeLegacyCodexConfigTables(text) {
@@ -2167,11 +2447,15 @@ function parseTomlTableHeader(line) {
 }
 function isLegacyCodexConfigTable(table) {
     return /^plugins\."dbt-agent@[^"]+"$/.test(table)
+        || /^plugins\."Dbt Agent@[^"]+"$/i.test(table)
+        || /^plugins\."deve@[^"]+"$/i.test(table)
         || isLegacyEmbedLabsCodexMarketplaceConfigTable(table)
         || table === "mcp_servers.dbt-agent"
         || table.startsWith("mcp_servers.dbt-agent.")
         || table === 'mcp_servers."dbt-agent"'
         || table.startsWith('mcp_servers."dbt-agent".')
+        || table === "mcp_servers.deve"
+        || table.startsWith("mcp_servers.deve.")
         || /^projects\."[^"]*\/DBT-Agent-Project(?:\/[^"]*)?"$/.test(table);
 }
 function isLegacyEmbedLabsCodexMarketplaceConfigTable(table) {
@@ -2185,6 +2469,12 @@ function isLegacyEmbedLabsCodexMarketplaceConfigTable(table) {
     }
     return false;
 }
+function legacyTextHasCodexPluginResidue(value) {
+    return /dbt-agent|Dbt Agent|development-board-toolchain|development-board-toolchain-dev/i.test(value)
+        || value === "deve"
+        || value.replace(/\\/g, "/").includes("/plugins/deve")
+        || value.includes("plugin://deve@");
+}
 function legacyCodexCleanupWarning(cleanup) {
     const parts = [];
     if (cleanup.legacy_removed_paths.length > 0) {
@@ -2209,12 +2499,19 @@ async function cleanupLegacyOpenCodePluginRemnants(targetRoot, globalInstall) {
     const warnings = [];
     const legacyPaths = [
         join(targetRoot, "plugins", "development-board-toolchain.js"),
+        join(targetRoot, "plugins", "development-board-toolchain-dev.js"),
         join(targetRoot, "plugins", "dbt-agent.js"),
+        join(targetRoot, "plugins", "Dbt Agent.js"),
+        join(targetRoot, "plugins", "deve.js"),
+        join(targetRoot, "plugins", "deve"),
+        join(targetRoot, "node_modules", "development-board-toolchain"),
+        join(targetRoot, "node_modules", "development-board-toolchain-dev"),
         join(targetRoot, "node_modules", "dbt-agent")
     ];
     if (globalInstall) {
         legacyPaths.push(join(targetRoot, "plugins", "embed-labs.js"));
         legacyPaths.push(...await discoverLegacyOpenCodeBackupPaths(targetRoot, warnings));
+        legacyPaths.push(...await discoverLegacyOpenCodePluginCachePaths(targetRoot, warnings));
     }
     for (const candidate of legacyPaths) {
         try {
@@ -2243,7 +2540,7 @@ async function discoverLegacyOpenCodeBackupPaths(targetRoot, warnings) {
             const filePath = join(targetRoot, entry.name);
             try {
                 const current = await readFile(filePath, "utf8");
-                if (current.includes("dbt-agent") || current.includes("development-board-toolchain")) {
+                if (legacyTextHasCodexPluginResidue(current)) {
                     paths.push(filePath);
                 }
             }
@@ -2257,6 +2554,26 @@ async function discoverLegacyOpenCodeBackupPaths(targetRoot, warnings) {
     }
     return paths;
 }
+async function discoverLegacyOpenCodePluginCachePaths(targetRoot, warnings) {
+    const paths = [];
+    const cacheRoot = join(targetRoot, ".embed-labs", "plugin-cache");
+    try {
+        const entries = await readdir(cacheRoot, { withFileTypes: true });
+        for (const entry of entries) {
+            if (!entry.isFile())
+                continue;
+            if (/^(embed-labs|embed-labs-opencode-plugin)-\d+\.\d+\.\d+\.tgz$/.test(entry.name)) {
+                paths.push(join(cacheRoot, entry.name));
+            }
+        }
+    }
+    catch (error) {
+        if (error.code !== "ENOENT") {
+            warnings.push(`Could not inspect OpenCode plugin cache ${cacheRoot}: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    return paths;
+}
 function legacyOpenCodeCleanupWarning(cleanup) {
     const parts = [];
     if (cleanup.legacy_removed_paths.length > 0) {
@@ -2553,6 +2870,97 @@ async function resolveExecutableOnPath(name) {
     }
     return undefined;
 }
+async function runBridgeStart(parsed) {
+    const host = stringFlag(parsed, "host");
+    const port = numberFlag(parsed, "port");
+    const bridge = await resolveBridgeLauncher();
+    const args = [...bridge.args];
+    if (host) {
+        args.push("--host", host);
+    }
+    if (port !== undefined) {
+        args.push("--port", String(port));
+    }
+    const env = {
+        ...process.env,
+        ...(host ? { EMBED_BRIDGE_HOST: host } : {}),
+        ...(port !== undefined ? { EMBED_BRIDGE_PORT: String(port) } : {})
+    };
+    const child = spawn(bridge.command, args, {
+        stdio: "inherit",
+        env
+    });
+    const forwardSignal = (signal) => {
+        if (!child.killed) {
+            child.kill(signal);
+        }
+    };
+    process.once("SIGINT", forwardSignal);
+    process.once("SIGTERM", forwardSignal);
+    return await new Promise((resolveCode) => {
+        child.on("error", (error) => {
+            process.off("SIGINT", forwardSignal);
+            process.off("SIGTERM", forwardSignal);
+            console.error(error instanceof Error ? error.message : String(error));
+            resolveCode(1);
+        });
+        child.on("close", (code, signal) => {
+            process.off("SIGINT", forwardSignal);
+            process.off("SIGTERM", forwardSignal);
+            if (signal === "SIGINT" || signal === "SIGTERM") {
+                resolveCode(0);
+            }
+            else {
+                resolveCode(code ?? 0);
+            }
+        });
+    });
+}
+async function resolveBridgeLauncher() {
+    const explicitBinary = process.env.EMBED_LOCAL_BRIDGE_BINARY?.trim();
+    if (explicitBinary) {
+        try {
+            await access(explicitBinary, constants.X_OK);
+            return { command: explicitBinary, args: [] };
+        }
+        catch {
+            // Fall through so the package launcher can print its clearer repair message.
+        }
+    }
+    const pathBinary = await resolveExecutableOnPath(process.platform === "win32" ? "embed-local-bridge.cmd" : "embed-local-bridge");
+    if (pathBinary) {
+        return { command: pathBinary, args: [] };
+    }
+    const packageLauncher = await resolveBridgePackageLauncher();
+    if (packageLauncher) {
+        return { command: process.execPath, args: [packageLauncher] };
+    }
+    return {
+        command: process.execPath,
+        args: [resolve(SOURCE_CHECKOUT_ROOT, "packages", "local-bridge", "dist", "index.js")]
+    };
+}
+async function resolveBridgePackageLauncher() {
+    const candidates = [];
+    try {
+        const packageJson = require.resolve("@embed-labs/local-bridge/package.json");
+        candidates.push(join(dirname(packageJson), "dist", "index.js"));
+    }
+    catch {
+        // Source checkout fallback below.
+    }
+    candidates.push(resolve(SOURCE_CHECKOUT_ROOT, "packages", "local-bridge", "dist", "index.js"));
+    for (const candidate of candidates) {
+        try {
+            await access(candidate, constants.R_OK);
+            return candidate;
+        }
+        catch {
+            // Keep looking.
+        }
+    }
+    return undefined;
+}
 function defaultOpenCodeRoot() {
     return globalOpenCodeRoot();
 }
@@ -2592,12 +3000,26 @@ async function ensureOpenCodeGlobalPluginConfig() {
     return removed;
 }
 function isLegacyOpenCodePluginConfigEntry(item) {
-    const normalized = item.replace(/\\/g, "/");
-    return item === "dbt-agent"
-        || item === "development-board-toolchain"
+    const normalized = item.trim().replace(/\\/g, "/");
+    const pathOnly = normalized.split(/[?#]/, 1)[0] || normalized;
+    return normalized === "dbt-agent"
+        || normalized === "Dbt Agent"
+        || normalized === "deve"
+        || normalized === "development-board-toolchain"
+        || normalized === "development-board-toolchain-dev"
+        || normalized === "./plugins/deve"
+        || normalized === "./plugins/deve.js"
+        || /(?:^|\/)plugins\/deve(?:\.js)?$/.test(pathOnly)
+        || /(?:^|\/)plugins\/dbt-agent(?:\.js)?$/.test(pathOnly)
         || normalized === "./plugins/development-board-toolchain"
         || normalized === "./plugins/development-board-toolchain.js"
-        || normalized.endsWith("/plugins/development-board-toolchain.js")
+        || normalized === "./plugins/development-board-toolchain-dev"
+        || normalized === "./plugins/development-board-toolchain-dev.js"
+        || pathOnly.endsWith("/plugins/development-board-toolchain")
+        || pathOnly.endsWith("/plugins/development-board-toolchain.js")
+        || pathOnly.endsWith("/plugins/development-board-toolchain-dev")
+        || pathOnly.endsWith("/plugins/development-board-toolchain-dev.js")
+        || normalized.includes("dbt-agent")
         || normalized.includes("development-board-toolchain");
 }
 async function openCodeDuplicatePluginWarning(targetRoot) {
@@ -2691,19 +3113,65 @@ async function parseErrorResponse(response) {
     return undefined;
 }
 async function cloudAuthToken() {
+    return (await cloudAuthConfig()).token;
+}
+async function cloudAuthConfig() {
     const envToken = process.env.EMBED_API_TOKEN?.trim();
     if (envToken) {
-        return envToken;
+        const fileConfig = await readLocalAuthFile();
+        return {
+            ...fileConfig,
+            token: envToken,
+            profile: process.env.EMBED_AUTH_PROFILE ?? fileConfig.profile ?? "default",
+            source: "env"
+        };
     }
+    const fileConfig = await readLocalAuthFile();
+    return {
+        ...fileConfig,
+        token: fileConfig.token?.trim() || undefined,
+        profile: fileConfig.profile ?? "default",
+        source: fileConfig.token ? "file" : undefined
+    };
+}
+async function readLocalAuthFile() {
     try {
         const parsed = JSON.parse(await readFile(DEFAULT_AUTH_FILE, "utf8"));
-        const fileToken = typeof parsed.token === "string" ? parsed.token.trim() : "";
-        return fileToken || undefined;
+        return normalizeLocalAuthFile(parsed);
     }
     catch {
-        return undefined;
+        return {};
     }
 }
+function normalizeLocalAuthFile(parsed) {
+    const device = isJsonObject(parsed.device) ? parsed.device : undefined;
+    const normalizedDevice = device && typeof device.device_id === "string" && typeof device.fingerprint_hash === "string" && typeof device.private_key_pem === "string"
+        ? {
+            device_id: device.device_id,
+            fingerprint_hash: device.fingerprint_hash,
+            private_key_pem: device.private_key_pem,
+            public_key_pem: typeof device.public_key_pem === "string" ? device.public_key_pem : undefined,
+            label: typeof device.label === "string" ? device.label : undefined,
+            platform: typeof device.platform === "string" ? device.platform : undefined,
+            arch: typeof device.arch === "string" ? device.arch : undefined,
+            hostname_hash: typeof device.hostname_hash === "string" ? device.hostname_hash : undefined,
+            registered_at: typeof device.registered_at === "string" ? device.registered_at : undefined
+        }
+        : undefined;
+    return {
+        profile: typeof parsed.profile === "string" ? parsed.profile : undefined,
+        token: typeof parsed.token === "string" ? parsed.token.trim() : undefined,
+        updated_at: typeof parsed.updated_at === "string" ? parsed.updated_at : undefined,
+        account_id: typeof parsed.account_id === "string" ? parsed.account_id : undefined,
+        api_key_id: typeof parsed.api_key_id === "string" ? parsed.api_key_id : undefined,
+        device: normalizedDevice
+    };
+}
+async function writeLocalAuthFile(config) {
+    await mkdir(dirname(DEFAULT_AUTH_FILE), { recursive: true });
+    await writeFile(DEFAULT_AUTH_FILE, `${JSON.stringify(config, null, 2)}\n`, "utf8");
+    await chmod(DEFAULT_AUTH_FILE, 0o600).catch(() => undefined);
+}
 function serviceBaseUrl(url) {
     return url.replace(/\/+$/, "");
 }
@@ -4162,30 +4630,272 @@ async function authLogin(parsed) {
         return fail("invalid_args", "Usage: embed auth login --token <token> [--profile default] [--json]");
     }
     const updatedAt = new Date().toISOString();
-    await mkdir(dirname(DEFAULT_AUTH_FILE), { recursive: true });
-    await writeFile(DEFAULT_AUTH_FILE, `${JSON.stringify({ profile, token, updated_at: updatedAt }, null, 2)}\n`, "utf8");
-    return ok({ authenticated: true, profile, source: "file", updated_at: updatedAt });
+    const current = await readLocalAuthFile();
+    const localDevice = await buildLocalDeviceAuth(parsed, current.device);
+    const registration = await registerLocalDevice(token.trim(), localDevice.registration);
+    if (!registration.ok) {
+        return fail(registration.error.code, registration.error.message, {
+            remediation: registration.error.remediation,
+            details: registration.error.details
+        });
+    }
+    const device = {
+        device_id: registration.data.device.device_id,
+        fingerprint_hash: localDevice.device.fingerprint_hash,
+        private_key_pem: localDevice.device.private_key_pem,
+        public_key_pem: localDevice.device.public_key_pem,
+        label: registration.data.device.label ?? localDevice.device.label,
+        platform: registration.data.device.platform ?? localDevice.device.platform,
+        arch: registration.data.device.arch ?? localDevice.device.arch,
+        hostname_hash: registration.data.device.hostname_hash ?? localDevice.device.hostname_hash,
+        registered_at: registration.data.device.first_seen_at
+    };
+    await writeLocalAuthFile({
+        profile,
+        token: token.trim(),
+        updated_at: updatedAt,
+        account_id: registration.data.device.account_id,
+        api_key_id: registration.data.device.api_key_id,
+        device
+    });
+    return ok({
+        authenticated: true,
+        profile,
+        source: "file",
+        updated_at: updatedAt,
+        account_id: registration.data.device.account_id,
+        api_key_id: registration.data.device.api_key_id,
+        device_id: device.device_id,
+        device_fingerprint_hash: device.fingerprint_hash,
+        device_label: device.label,
+        device_registered_at: device.registered_at,
+        device_private_key_configured: true
+    });
 }
 async function authStatus() {
-    if (process.env.EMBED_API_TOKEN?.trim()) {
+    const envToken = process.env.EMBED_API_TOKEN?.trim();
+    const file = await readLocalAuthFile();
+    const deviceIntegrity = file.device
+        ? (await validateLocalDeviceIntegrity(file.device)).ok ? "ok" : "failed"
+        : "unbound";
+    if (envToken) {
         return {
             authenticated: true,
             profile: process.env.EMBED_AUTH_PROFILE ?? "default",
-            source: "env"
+            source: "env",
+            account_id: file.account_id,
+            api_key_id: file.api_key_id,
+            device_id: file.device?.device_id,
+            device_fingerprint_hash: file.device?.fingerprint_hash,
+            device_label: file.device?.label,
+            device_registered_at: file.device?.registered_at,
+            device_private_key_configured: Boolean(file.device?.private_key_pem),
+            device_integrity: deviceIntegrity
         };
     }
+    return {
+        authenticated: Boolean(file.token?.trim()),
+        profile: file.profile ?? "default",
+        source: file.token ? "file" : undefined,
+        updated_at: file.updated_at,
+        account_id: file.account_id,
+        api_key_id: file.api_key_id,
+        device_id: file.device?.device_id,
+        device_fingerprint_hash: file.device?.fingerprint_hash,
+        device_label: file.device?.label,
+        device_registered_at: file.device?.registered_at,
+        device_private_key_configured: Boolean(file.device?.private_key_pem),
+        device_integrity: deviceIntegrity
+    };
+}
+async function authDeviceStatus(parsed) {
+    const unknownFlag = firstUnknownFlag(parsed, ["json"]);
+    const unexpected = parsed.command.slice(3);
+    if (unknownFlag || unexpected.length > 0) {
+        return fail("invalid_args", unknownFlag ? `Unknown flag --${unknownFlag}. ${AUTH_DEVICE_STATUS_USAGE}` : AUTH_DEVICE_STATUS_USAGE);
+    }
+    const local = await authStatus();
+    const remote = local.authenticated ? await cloudGet("/v1/me/devices") : undefined;
+    if (remote && !remote.ok) {
+        return ok({ local });
+    }
+    return ok({ local, remote: remote?.data });
+}
+async function authDeviceList(parsed) {
+    const unknownFlag = firstUnknownFlag(parsed, ["json"]);
+    const unexpected = parsed.command.slice(3);
+    if (unknownFlag || unexpected.length > 0) {
+        return fail("invalid_args", unknownFlag ? `Unknown flag --${unknownFlag}. ${AUTH_DEVICE_LIST_USAGE}` : AUTH_DEVICE_LIST_USAGE);
+    }
+    return await cloudGet("/v1/me/devices");
+}
+async function authDeviceRevoke(parsed) {
+    const unknownFlag = firstUnknownFlag(parsed, ["json"]);
+    if (unknownFlag) {
+        return fail("invalid_args", `Unknown flag --${unknownFlag}. ${AUTH_DEVICE_REVOKE_USAGE}`);
+    }
+    const id = commandId(parsed, 3, "device_id", AUTH_DEVICE_REVOKE_USAGE);
+    if (!id.ok) {
+        return fail("invalid_args", id.error);
+    }
+    return await cloudPost(`/v1/me/devices/${encodeURIComponent(id.value)}/revoke`, {});
+}
+async function authDeviceRename(parsed) {
+    const unknownFlag = firstUnknownFlag(parsed, ["json", "label"]);
+    if (unknownFlag) {
+        return fail("invalid_args", `Unknown flag --${unknownFlag}. ${AUTH_DEVICE_RENAME_USAGE}`);
+    }
+    const id = commandId(parsed, 3, "device_id", AUTH_DEVICE_RENAME_USAGE);
+    if (!id.ok) {
+        return fail("invalid_args", id.error);
+    }
+    const label = stringFlag(parsed, "label");
+    if (!label?.trim()) {
+        return fail("invalid_args", AUTH_DEVICE_RENAME_USAGE);
+    }
+    const updated = await cloudPost(`/v1/me/devices/${encodeURIComponent(id.value)}`, { label: label.trim() });
+    if (updated.ok) {
+        const auth = await readLocalAuthFile();
+        if (auth.device?.device_id === updated.data.device_id) {
+            await writeLocalAuthFile({ ...auth, device: { ...auth.device, label: updated.data.label } });
+        }
+    }
+    return updated;
+}
+async function buildLocalDeviceAuth(parsed, existing) {
+    const fingerprint = await localHardwareFingerprint();
+    const keyPair = existing?.fingerprint_hash === fingerprint.fingerprint_hash && existing.private_key_pem && existing.public_key_pem
+        ? { privateKeyPem: existing.private_key_pem, publicKeyPem: existing.public_key_pem }
+        : generateLocalDeviceKeyPair();
+    const label = stringFlag(parsed, "label")?.trim()
+        || existing?.label
+        || `${fingerprint.platform} ${fingerprint.arch}`;
+    const device = {
+        device_id: existing?.fingerprint_hash === fingerprint.fingerprint_hash ? existing.device_id : "",
+        fingerprint_hash: fingerprint.fingerprint_hash,
+        private_key_pem: keyPair.privateKeyPem,
+        public_key_pem: keyPair.publicKeyPem,
+        label,
+        platform: fingerprint.platform,
+        arch: fingerprint.arch,
+        hostname_hash: fingerprint.hostname_hash,
+        registered_at: existing?.registered_at
+    };
+    return {
+        device,
+        registration: {
+            fingerprint_hash: fingerprint.fingerprint_hash,
+            public_key: keyPair.publicKeyPem,
+            label,
+            platform: fingerprint.platform,
+            arch: fingerprint.arch,
+            hostname_hash: fingerprint.hostname_hash,
+            client_name: EMBED_CLIENT_NAME,
+            client_version: EMBED_CLIENT_VERSION,
+            metadata: {
+                fingerprint_version: "v1",
+                fingerprint_source: fingerprint.source
+            }
+        }
+    };
+}
+function generateLocalDeviceKeyPair() {
+    const { privateKey, publicKey } = generateKeyPairSync("ed25519");
+    return {
+        privateKeyPem: privateKey.export({ type: "pkcs8", format: "pem" }).toString(),
+        publicKeyPem: publicKey.export({ type: "spki", format: "pem" }).toString()
+    };
+}
+async function registerLocalDevice(token, body) {
     try {
-        const parsed = JSON.parse(await readFile(DEFAULT_AUTH_FILE, "utf8"));
-        return {
-            authenticated: typeof parsed.token === "string" && parsed.token.trim().length > 0,
-            profile: typeof parsed.profile === "string" ? parsed.profile : "default",
-            source: "file",
-            updated_at: typeof parsed.updated_at === "string" ? parsed.updated_at : undefined
+        const bodyText = JSON.stringify(body);
+        const headers = {
+            "content-type": "application/json",
+            authorization: `Bearer ${token}`
         };
+        addCloudRequestSignature(headers, "POST", "/v1/me/devices/register", bodyText, token);
+        const response = await fetch(`${serviceBaseUrl(DEFAULT_CLOUD_API_URL)}/v1/me/devices/register`, {
+            method: "POST",
+            headers,
+            body: bodyText
+        });
+        const parsed = await response.json();
+        return enrichCloudAuthFailure(parsed, true);
+    }
+    catch (error) {
+        return fail("cloud_api_unreachable", error instanceof Error ? error.message : String(error), {
+            remediation: `Check that embed cloud-api is running at ${DEFAULT_CLOUD_API_URL}. Start it with: npm run cloud-api`
+        });
+    }
+}
+async function localHardwareFingerprint() {
+    cachedLocalHardwareFingerprint ??= localHardwareFingerprintUncached();
+    return await cachedLocalHardwareFingerprint;
+}
+async function localHardwareFingerprintUncached() {
+    const platformName = platform();
+    const archName = arch();
+    const raw = await localHardwareId(platformName);
+    const fingerprintHash = createHash("sha256")
+        .update(`embed-labs:device:v1:${platformName}:${raw.value}`)
+        .digest("hex");
+    const hostnameHash = createHash("sha256")
+        .update(`embed-labs:hostname:v1:${hostname()}`)
+        .digest("hex");
+    return {
+        fingerprint_hash: fingerprintHash,
+        platform: platformName,
+        arch: archName,
+        hostname_hash: hostnameHash,
+        source: raw.source
+    };
+}
+async function localHardwareId(platformName) {
+    if (platformName === "darwin") {
+        const result = await runLocalProcess("ioreg", ["-rd1", "-c", "IOPlatformExpertDevice"]);
+        const match = /"IOPlatformUUID"\s*=\s*"([^"]+)"/.exec(result.stdout);
+        if (match?.[1]) {
+            return { value: match[1], source: "macos_ioplatformuuid" };
+        }
+    }
+    if (platformName === "win32") {
+        const result = await runLocalProcess("reg", ["query", "HKLM\\SOFTWARE\\Microsoft\\Cryptography", "/v", "MachineGuid"]);
+        const match = /MachineGuid\s+REG_\w+\s+([^\r\n]+)/.exec(result.stdout);
+        if (match?.[1]?.trim()) {
+            return { value: match[1].trim(), source: "windows_machineguid" };
+        }
+    }
+    if (platformName === "linux") {
+        for (const pathValue of ["/etc/machine-id", "/var/lib/dbus/machine-id"]) {
+            try {
+                const value = (await readFile(pathValue, "utf8")).trim();
+                if (value) {
+                    return { value, source: `linux:${pathValue}` };
+                }
+            }
+            catch {
+                // Try the next stable machine id location.
+            }
+        }
+    }
+    const generated = await localGeneratedInstallId();
+    return { value: generated, source: "generated_install_id" };
+}
+async function localGeneratedInstallId() {
+    try {
+        const parsed = JSON.parse(await readFile(DEFAULT_DEVICE_FILE, "utf8"));
+        if (typeof parsed.generated_install_id === "string" && parsed.generated_install_id.trim()) {
+            return parsed.generated_install_id.trim();
+        }
     }
     catch {
-        return { authenticated: false, profile: "default" };
+        // Fall through and create a local-only fallback id.
     }
+    const generated = `install_${randomBytes(24).toString("base64url")}`;
+    await mkdir(dirname(DEFAULT_DEVICE_FILE), { recursive: true });
+    await writeFile(DEFAULT_DEVICE_FILE, `${JSON.stringify({ generated_install_id: generated, created_at: new Date().toISOString() }, null, 2)}\n`, "utf8");
+    await chmod(DEFAULT_DEVICE_FILE, 0o600).catch(() => undefined);
+    return generated;
 }
 function accountCreateBody(parsed) {
     const unknownFlag = firstUnknownFlag(parsed, ["json", "email", "display-name"]);
@@ -4351,6 +5061,8 @@ function mcpToolEventBody(parsed) {
         "mode",
         "server-model-used",
         "success",
+        "local-device-id",
+        "local_device_id",
         "request-id",
         "duration-ms",
         "input-summary",
@@ -4377,6 +5089,9 @@ function mcpToolEventBody(parsed) {
     const modeResult = optionalTrimmedStringFlag(parsed, "mode");
     if (modeResult.error)
         return modeResult.error;
+    const localDeviceResult = optionalTrimmedStringAliasFlag(parsed, ["local-device-id", "local_device_id"], "local-device-id");
+    if (localDeviceResult.error)
+        return localDeviceResult.error;
     const requestIdResult = optionalTrimmedStringFlag(parsed, "request-id");
     if (requestIdResult.error)
         return requestIdResult.error;
@@ -4400,12 +5115,14 @@ function mcpToolEventBody(parsed) {
         tool_name: toolResult.value,
         client: clientResult.value,
         mode: modeResult.value,
+        local_device_id: localDeviceResult.value,
         server_model_used: serverModelUsed,
         success,
         request_id: requestIdResult.value,
         duration_ms: durationResult.value,
         input_summary: inputSummaryResult.value,
-        output_summary: outputSummaryResult.value
+        output_summary: outputSummaryResult.value,
+        metadata: localDeviceResult.value ? { local_device_id: localDeviceResult.value } : undefined
     });
 }
 function usageSummaryRequest(parsed) {
@@ -4923,7 +5640,9 @@ function localToolchainAuthContext(auth, accountId) {
         authenticated: auth.authenticated,
         profile: auth.profile,
         source: auth.source,
-        account_id: accountId
+        account_id: accountId,
+        api_key_id: auth.api_key_id,
+        device_id: auth.device_id
     };
 }
 function usageEventsRequest(parsed) {
@@ -5394,9 +6113,53 @@ function renderAgentRunResult(result) {
     return lines.join("\n");
 }
 function renderAuthStatus(status) {
-    return status.authenticated
-        ? `Authenticated profile=${status.profile}${status.source ? ` source=${status.source}` : ""}`
-        : `Not authenticated profile=${status.profile}`;
+    if (!status.authenticated) {
+        return `Not authenticated profile=${status.profile}`;
+    }
+    return [
+        `Authenticated profile=${status.profile}${status.source ? ` source=${status.source}` : ""}`,
+        status.account_id ? `account=${status.account_id}` : "",
+        status.api_key_id ? `api_key=${status.api_key_id}` : "",
+        status.device_id ? `device=${status.device_id}` : "device=not_registered",
+        status.device_label ? `device_label=${status.device_label}` : "",
+        status.device_integrity ? `device_integrity=${status.device_integrity}` : "",
+        status.device_private_key_configured === false ? "device_private_key=missing" : ""
+    ].filter(Boolean).join("\n");
+}
+function renderAuthDeviceStatus(status) {
+    const lines = [renderAuthStatus(status.local)];
+    if (status.remote) {
+        const activeCount = status.remote.devices.filter((device) => device.status === "active").length;
+        lines.push(`remote_devices=${activeCount}/${status.remote.device_limit}`);
+        const localDevice = status.local.device_id
+            ? status.remote.devices.find((device) => device.device_id === status.local.device_id)
+            : undefined;
+        if (localDevice) {
+            lines.push(`remote_current=${renderAuthDevice(localDevice)}`);
+        }
+    }
+    return lines.join("\n");
+}
+function renderAuthDeviceList(result) {
+    if (result.devices.length === 0) {
+        return `No registered devices. device_limit=${result.device_limit}`;
+    }
+    return [
+        `device_limit=${result.device_limit}`,
+        ...result.devices.map(renderAuthDevice)
+    ].join("\n");
+}
+function renderAuthDevice(device) {
+    return [
+        `${device.device_id} account=${device.account_id}`,
+        device.api_key_id ? `api_key=${device.api_key_id}` : "",
+        `status=${device.status}`,
+        device.label ? `label=${device.label}` : "",
+        device.platform ? `platform=${device.platform}` : "",
+        device.arch ? `arch=${device.arch}` : "",
+        `last_seen_at=${device.last_seen_at}`,
+        device.revoked_at ? `revoked_at=${device.revoked_at}` : ""
+    ].filter(Boolean).join(" ");
 }
 function renderAccount(account) {
     return [
@@ -6909,7 +7672,7 @@ Help:
 Environment:
   EMBED_BRIDGE_URL=http://127.0.0.1:18083
-  EMBED_CLOUD_API_URL=http://127.0.0.1:18100
+  EMBED_CLOUD_API_URL=https://api.embedboard.com
   EMBED_API_TOKEN=<token>
   CODEX_HOME=~/.codex
@@ -7148,7 +7911,7 @@ Usage:
 Environment:
   EMBED_BRIDGE_URL=http://127.0.0.1:18083
-  EMBED_CLOUD_API_URL=http://127.0.0.1:18100
+  EMBED_CLOUD_API_URL=https://api.embedboard.com
   EMBED_API_TOKEN=<token>
   CODEX_HOME=~/.codex
 `);