@lanonasis/cli 3.4.15 → 3.6.0

package/README.md

@@ -452,3 +452,71 @@ MIT License - see [LICENSE](../LICENSE) for details.
 ---
 
 _Professional CLI for Enterprise Memory as a Service - Golden Contract Compliant_
+
+## OAuth2 Authentication (v3.5.0+)
+
+### Browser Login with OAuth2 PKCE
+
+The CLI now supports secure OAuth2 authentication with PKCE (Proof Key for Code Exchange) for browser-based login:
+
+```bash
+onasis auth login
+# Choose: 🌐 Browser Login (Get token from web page)
+```
+
+**How it works:**
+1. CLI starts a local callback server on port 8888
+2. Opens your browser to the OAuth2 authorization page
+3. You authenticate in the browser
+4. Authorization code is sent back to the CLI
+5. CLI exchanges code for access and refresh tokens
+6. Tokens are securely stored locally
+
+**Benefits:**
+- ✅ More secure (PKCE prevents code interception)
+- ✅ Automatic token refresh
+- ✅ Revocable access
+- ✅ Industry-standard OAuth2 flow
+
+### Authentication Methods
+
+The CLI supports three authentication methods:
+
+1. **🔑 Vendor Key** (Recommended for API access)
+   - Long-lived API key from dashboard
+   - Best for automation and CI/CD
+
+2. **🌐 Browser Login** (OAuth2 PKCE)
+   - Secure browser-based authentication
+   - Automatic token refresh
+   - Best for interactive use
+
+3. **⚙️ Username/Password** (Direct credentials)
+   - Traditional email/password login
+   - Returns JWT token
+   - Legacy method
+
+### Token Management
+
+OAuth2 tokens are automatically refreshed when expired:
+
+```bash
+# Check authentication status
+onasis auth status
+
+# Force re-authentication
+onasis auth logout
+onasis auth login
+```
+
+### Troubleshooting
+
+**Port 8888 already in use:**
+The CLI needs port 8888 for the OAuth callback. If it's in use, close the application using it or use the Vendor Key method instead.
+
+**Browser doesn't open:**
+The CLI will show the authorization URL - copy and paste it into your browser manually.
+
+**Token refresh failed:**
+Run `onasis auth login` to re-authenticate.
+

package/dist/commands/auth.js

@@ -2,6 +2,9 @@ import chalk from 'chalk';
 import inquirer from 'inquirer';
 import ora from 'ora';
 import open from 'open';
+import crypto from 'crypto';
+import http from 'http';
+import url from 'url';
 import { apiClient } from '../utils/api.js';
 import { CLIConfig } from '../utils/config.js';
 // Color scheme
@@ -49,9 +52,9 @@ async function handleAuthenticationFailure(error, config, authMethod = 'jwt') {
         case 'invalid_credentials':
             console.log(chalk.red('Invalid credentials provided'));
             if (authMethod === 'vendor_key') {
-                console.log(chalk.gray('• Check your vendor key format: pk_xxx.sk_xxx'));
-                console.log(chalk.gray('• Verify the key is active in your account dashboard'));
-                console.log(chalk.gray('• Ensure you copied the complete key including both parts'));
+                console.log(chalk.gray('• Verify the vendor key matches the value shown in your dashboard'));
+                console.log(chalk.gray('• Confirm the key is active and has not been revoked'));
+                console.log(chalk.gray('• Ensure you copied the entire key without extra spaces'));
             }
             else {
                 console.log(chalk.gray('• Double-check your email and password'));
@@ -163,6 +166,120 @@ function categorizeAuthError(error) {
     }
     return 'unknown';
 }
+// ============================================
+// OAuth2 PKCE Helper Functions
+// ============================================
+/**
+ * Generate PKCE code verifier and challenge for OAuth2
+ */
+function generatePKCE() {
+    // Generate random verifier (43-128 chars, base64url)
+    const verifier = crypto.randomBytes(32).toString('base64url');
+    // Generate challenge: base64url(sha256(verifier))
+    const challenge = crypto
+        .createHash('sha256')
+        .update(verifier)
+        .digest('base64url');
+    return { verifier, challenge };
+}
+/**
+ * Start local HTTP server to catch OAuth2 callback
+ */
+function createCallbackServer(port = 8888) {
+    return new Promise((resolve, reject) => {
+        const server = http.createServer((req, res) => {
+            const parsedUrl = url.parse(req.url, true);
+            if (parsedUrl.pathname === '/callback') {
+                const { code, state, error, error_description } = parsedUrl.query;
+                // Send response to browser
+                if (error) {
+                    res.writeHead(400, { 'Content-Type': 'text/html' });
+                    res.end(`
+            <html>
+              <head><title>Authentication Failed</title></head>
+              <body style="font-family: sans-serif; text-align: center; padding: 50px;">
+                <h1>❌ Authentication Failed</h1>
+                <p>${error_description || error}</p>
+                <p style="color: gray;">You can close this window.</p>
+              </body>
+            </html>
+          `);
+                    reject(new Error(`OAuth error: ${error_description || error}`));
+                }
+                else if (code) {
+                    res.writeHead(200, { 'Content-Type': 'text/html' });
+                    res.end(`
+            <html>
+              <head><title>Authentication Successful</title></head>
+              <body style="font-family: sans-serif; text-align: center; padding: 50px;">
+                <h1>✅ Authentication Successful</h1>
+                <p>You can close this window and return to the CLI.</p>
+                <script>setTimeout(() => window.close(), 2000);</script>
+              </body>
+            </html>
+          `);
+                    resolve({ code: code, state: state });
+                }
+                else {
+                    res.writeHead(400, { 'Content-Type': 'text/plain' });
+                    res.end('Invalid callback');
+                    reject(new Error('No authorization code received'));
+                }
+                // Close server after handling request
+                server.close();
+            }
+        });
+        server.listen(port, () => {
+            console.log(chalk.gray(`   Local callback server listening on port ${port}`));
+        });
+        // Timeout after 5 minutes
+        setTimeout(() => {
+            server.close();
+            reject(new Error('Authentication timeout - please try again'));
+        }, 300000);
+    });
+}
+/**
+ * Exchange authorization code for OAuth2 tokens
+ */
+async function exchangeCodeForTokens(code, verifier, authBase) {
+    const tokenEndpoint = `${authBase}/oauth/token`;
+    const response = await apiClient.post(tokenEndpoint, {
+        grant_type: 'authorization_code',
+        code,
+        code_verifier: verifier,
+        client_id: 'lanonasis-cli',
+        redirect_uri: 'http://localhost:8888/callback'
+    });
+    return response;
+}
+/**
+ * Refresh OAuth2 access token using refresh token
+ */
+async function refreshOAuth2Token(config) {
+    const refreshToken = config.get('refresh_token');
+    if (!refreshToken) {
+        return false;
+    }
+    try {
+        const authBase = config.getDiscoveredApiUrl();
+        const response = await apiClient.post(`${authBase}/oauth/token`, {
+            grant_type: 'refresh_token',
+            refresh_token: refreshToken,
+            client_id: 'lanonasis-cli'
+        });
+        await config.setToken(response.access_token);
+        if (response.refresh_token) {
+            await config.set('refresh_token', response.refresh_token);
+        }
+        await config.set('token_expires_at', Date.now() + (response.expires_in * 1000));
+        return true;
+    }
+    catch (error) {
+        console.error(chalk.yellow('⚠️  Token refresh failed, please re-authenticate'));
+        return false;
+    }
+}
 export async function diagnoseCommand() {
     const config = new CLIConfig();
     await config.init();
@@ -206,14 +323,10 @@ export async function diagnoseCommand() {
         diagnostics.hasCredentials = true;
         diagnostics.credentialType = 'vendor_key';
         console.log(chalk.green('   ✓ Vendor key found'));
-        // Validate vendor key format
+        // Validate vendor key presence
         const formatValidation = config.validateVendorKeyFormat(vendorKey);
-        if (formatValidation === true) {
-            console.log(chalk.green('   ✓ Vendor key format is valid'));
-        }
-        else {
-            console.log(chalk.red('   ✖ Vendor key format is invalid:'));
-            console.log(chalk.gray(`     ${formatValidation}`));
+        if (formatValidation !== true) {
+            console.log(chalk.red(`   ✖ Vendor key issue: ${formatValidation}`));
         }
     }
     else if (token) {
@@ -231,8 +344,11 @@ export async function diagnoseCommand() {
                 console.log(chalk.green('   ✓ Token is not expired'));
             }
         }
-        catch {
+        catch (error) {
             console.log(chalk.yellow('   ⚠ Could not validate token expiry'));
+            if (process.env.CLI_VERBOSE === 'true' && error instanceof Error) {
+                console.log(chalk.gray(`     ${error.message}`));
+            }
         }
     }
     else {
@@ -315,8 +431,11 @@ export async function diagnoseCommand() {
         diagnostics.deviceId = deviceId;
         console.log(chalk.green('   ✓ Device ID:'), chalk.gray(deviceId));
     }
-    catch {
+    catch (error) {
         console.log(chalk.yellow('   ⚠ Could not get device ID'));
+        if (process.env.CLI_VERBOSE === 'true' && error instanceof Error) {
+            console.log(chalk.gray(`     ${error.message}`));
+        }
     }
     // Summary and recommendations
     console.log(chalk.blue.bold('\n📋 Diagnostic Summary'));
@@ -329,7 +448,7 @@ export async function diagnoseCommand() {
     }
     if (!diagnostics.hasCredentials) {
         issues.push('No authentication credentials stored');
-        recommendations.push('Run: lanonasis auth login --vendor-key pk_xxx.sk_xxx');
+        recommendations.push('Run: lanonasis auth login --vendor-key <your-key>');
     }
     if (diagnostics.hasCredentials && !diagnostics.credentialsValid) {
         issues.push('Stored credentials are invalid');
@@ -364,7 +483,7 @@ export async function diagnoseCommand() {
     // Additional troubleshooting info
     if (diagnostics.authFailures > 0 || !diagnostics.credentialsValid) {
         console.log(chalk.gray('\n🔧 Additional troubleshooting:'));
-        console.log(chalk.gray('   • Verify your vendor key format: pk_xxx.sk_xxx'));
+        console.log(chalk.gray('   • Verify the vendor key matches the value shown in your dashboard'));
         console.log(chalk.gray('   • Check if your key is active in the dashboard'));
         console.log(chalk.gray('   • Try browser authentication: lanonasis auth login --use-web-auth'));
         console.log(chalk.gray('   • Contact support if issues persist'));
@@ -451,84 +570,37 @@ async function handleVendorKeyAuth(vendorKey, config) {
 async function handleVendorKeyFlow(config) {
     console.log();
     console.log(chalk.yellow('🔑 Vendor Key Authentication'));
-    console.log(chalk.gray('Vendor keys provide secure API access with format: pk_xxx.sk_xxx'));
+    console.log(chalk.gray('Vendor keys provide secure API access for automation and integrations.'));
     console.log();
     // Enhanced guidance for obtaining vendor keys
     console.log(chalk.cyan('📋 How to get your vendor key:'));
     console.log(chalk.gray('1. Visit your Lanonasis dashboard at https://app.lanonasis.com'));
     console.log(chalk.gray('2. Navigate to Settings → API Keys'));
-    console.log(chalk.gray('3. Click "Generate New Key" and copy the full key'));
-    console.log(chalk.gray('4. The key format should be: pk_[letters/numbers].sk_[letters/numbers]'));
+    console.log(chalk.gray('3. Click "Generate New Key" and copy the full key value'));
     console.log();
     const { vendorKey } = await inquirer.prompt([
         {
             type: 'password',
             name: 'vendorKey',
-            message: 'Enter your vendor key (pk_xxx.sk_xxx):',
+            message: 'Enter your vendor key:',
             mask: '*',
             validate: (input) => {
-                return validateVendorKeyFormat(input);
+                return config.validateVendorKeyFormat(input);
             }
         }
     ]);
     await handleVendorKeyAuth(vendorKey, config);
 }
-// Enhanced vendor key format validation with detailed error messages
-function validateVendorKeyFormat(input) {
-    if (!input || input.trim().length === 0) {
-        return 'Vendor key is required';
-    }
-    const trimmed = input.trim();
-    // Check basic format
-    if (!trimmed.includes('.')) {
-        return 'Invalid format: Vendor key must contain a dot (.) separator\nExpected format: pk_xxx.sk_xxx';
-    }
-    const parts = trimmed.split('.');
-    if (parts.length !== 2) {
-        return 'Invalid format: Vendor key must have exactly two parts separated by a dot\nExpected format: pk_xxx.sk_xxx';
-    }
-    const [publicPart, secretPart] = parts;
-    // Validate public key part
-    if (!publicPart.startsWith('pk_')) {
-        return 'Invalid format: First part must start with "pk_"\nExpected format: pk_xxx.sk_xxx';
-    }
-    if (publicPart.length < 4) {
-        return 'Invalid format: Public key part is too short\nExpected format: pk_xxx.sk_xxx (where xxx is alphanumeric)';
-    }
-    const publicKeyContent = publicPart.substring(3); // Remove 'pk_'
-    if (!/^[a-zA-Z0-9]+$/.test(publicKeyContent)) {
-        return 'Invalid format: Public key part contains invalid characters\nOnly letters and numbers are allowed after "pk_"';
-    }
-    // Validate secret key part
-    if (!secretPart.startsWith('sk_')) {
-        return 'Invalid format: Second part must start with "sk_"\nExpected format: pk_xxx.sk_xxx';
-    }
-    if (secretPart.length < 4) {
-        return 'Invalid format: Secret key part is too short\nExpected format: pk_xxx.sk_xxx (where xxx is alphanumeric)';
-    }
-    const secretKeyContent = secretPart.substring(3); // Remove 'sk_'
-    if (!/^[a-zA-Z0-9]+$/.test(secretKeyContent)) {
-        return 'Invalid format: Secret key part contains invalid characters\nOnly letters and numbers are allowed after "sk_"';
-    }
-    // Check minimum length requirements
-    if (publicKeyContent.length < 8) {
-        return 'Invalid format: Public key part is too short (minimum 8 characters after "pk_")';
-    }
-    if (secretKeyContent.length < 16) {
-        return 'Invalid format: Secret key part is too short (minimum 16 characters after "sk_")';
-    }
-    return true;
-}
 async function handleOAuthFlow(config) {
     console.log();
-    console.log(chalk.yellow('🌐 Browser-Based Authentication'));
-    console.log(chalk.gray('This will open your browser for secure authentication'));
+    console.log(chalk.yellow('🌐 Browser-Based OAuth2 Authentication'));
+    console.log(chalk.gray('Secure authentication using OAuth2 with PKCE'));
     console.log();
     const { openBrowser } = await inquirer.prompt([
         {
             type: 'confirm',
             name: 'openBrowser',
-            message: 'Open browser for authentication?',
+            message: 'Open browser for OAuth2 authentication?',
             default: true
         }
     ]);
@@ -536,63 +608,53 @@ async function handleOAuthFlow(config) {
         console.log(chalk.yellow('⚠️  Authentication cancelled'));
         return;
     }
-    // Use the browser-based CLI login endpoint discovered from auth_base
-    const authBase = config.getDiscoveredApiUrl();
-    const authUrl = `${authBase.replace(/\/$/, '')}/auth/cli-login`;
     try {
-        console.log(colors.info('Opening browser...'));
-        await open(authUrl);
+        // Generate PKCE challenge
+        const pkce = generatePKCE();
+        console.log(chalk.gray('   ✓ Generated PKCE challenge'));
+        // Start local callback server
+        const callbackPort = 8888;
+        const callbackPromise = createCallbackServer(callbackPort);
+        console.log(chalk.gray(`   ✓ Started local callback server on port ${callbackPort}`));
+        // Build OAuth2 authorization URL
+        const authBase = config.getDiscoveredApiUrl();
+        const authUrl = new URL(`${authBase}/oauth/authorize`);
+        authUrl.searchParams.set('response_type', 'code');
+        authUrl.searchParams.set('client_id', 'lanonasis-cli');
+        authUrl.searchParams.set('redirect_uri', `http://localhost:${callbackPort}/callback`);
+        authUrl.searchParams.set('scope', 'read write offline_access');
+        authUrl.searchParams.set('code_challenge', pkce.challenge);
+        authUrl.searchParams.set('code_challenge_method', 'S256');
+        authUrl.searchParams.set('state', crypto.randomBytes(16).toString('hex'));
         console.log();
-        console.log(colors.info('Please complete authentication in your browser'));
-        console.log(colors.info('The page will display your authentication token'));
-        console.log(colors.muted(`If browser doesn't open, visit: ${authUrl}`));
+        console.log(colors.info('Opening browser for authentication...'));
+        await open(authUrl.toString());
+        console.log(colors.info('Waiting for authentication in browser...'));
+        console.log(colors.muted(`If browser doesn't open, visit: ${authUrl.toString()}`));
         console.log();
-        // Prompt for the token from the browser page
-        const { token } = await inquirer.prompt([
-            {
-                type: 'input',
-                name: 'token',
-                message: 'Paste the authentication token from browser:',
-                validate: async (input) => {
-                    if (!input || input.trim().length === 0) {
-                        return 'Token is required';
-                    }
-                    const trimmed = input.trim();
-                    // Reject if user pasted a URL instead of token
-                    if (trimmed.startsWith('http://') || trimmed.startsWith('https://')) {
-                        return 'Please paste the TOKEN from the page, not the URL';
-                    }
-                    // Check token format - should start with 'cli_' or be a JWT
-                    if (!trimmed.startsWith('cli_') && !trimmed.match(/^[\w-]+\.[\w-]+\.[\w-]+$/)) {
-                        return 'Invalid token format. Expected format: cli_xxx or JWT token';
-                    }
-                    // Verify token with server
-                    try {
-                        const response = await apiClient.post('/auth/verify', { token: trimmed });
-                        if (!response.valid) {
-                            return 'Token verification failed. Please try again.';
-                        }
-                    }
-                    catch (error) {
-                        const errorMessage = error instanceof Error ? error.message : 'Server verification failed';
-                        return `Token verification error: ${errorMessage}`;
-                    }
-                    return true;
-                }
-            }
-        ]);
-        if (token && token.trim()) {
-            await config.setToken(token.trim());
-            console.log(chalk.green('✓ Browser authentication successful'));
-            console.log(colors.info('You can now use Lanonasis services'));
-        }
-        else {
-            console.log(chalk.yellow('⚠️  No token provided'));
-        }
+        // Wait for callback
+        const spinner = ora('Waiting for authorization...').start();
+        const { code } = await callbackPromise;
+        spinner.succeed('Authorization code received');
+        // Exchange code for tokens
+        spinner.text = 'Exchanging code for access tokens...';
+        spinner.start();
+        const tokens = await exchangeCodeForTokens(code, pkce.verifier, authBase);
+        spinner.succeed('Access tokens received');
+        // Store tokens
+        await config.setToken(tokens.access_token);
+        await config.set('refresh_token', tokens.refresh_token);
+        await config.set('token_expires_at', Date.now() + (tokens.expires_in * 1000));
+        await config.set('authMethod', 'oauth2');
+        console.log();
+        console.log(chalk.green('✓ OAuth2 authentication successful'));
+        console.log(colors.info('You can now use Lanonasis services'));
     }
-    catch {
-        console.error(chalk.red('✖ Failed to open browser'));
-        console.log(colors.muted(`Please visit manually: ${authUrl}`));
+    catch (error) {
+        console.error(chalk.red('✖ OAuth2 authentication failed'));
+        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+        console.error(chalk.gray(`   ${errorMessage}`));
+        process.exit(1);
     }
 }
 async function handleCredentialsFlow(options, config) {

package/dist/commands/completion.js

@@ -48,7 +48,7 @@ export async function generateCompletionData() {
                         options: [
                             { name: '--email', description: 'Email address', type: 'string' },
                             { name: '--password', description: 'Password', type: 'string' },
-                            { name: '--vendor-key', description: 'Vendor key (pk_xxx.sk_xxx)', type: 'string' },
+                            { name: '--vendor-key', description: 'Vendor key value', type: 'string' },
                             { name: '--oauth', description: 'Use OAuth flow', type: 'boolean' }
                         ]
                     },

package/dist/commands/config.js

@@ -411,15 +411,15 @@ export function configCommands(program) {
                     console.log(chalk.cyan('   → Repaired: Set auth method to jwt'));
                 }
             }
-            // Validate vendor key format if present
+            // Validate vendor key presence if present
             if (vendorKey) {
                 const formatValidation = config.validateVendorKeyFormat(vendorKey);
                 if (formatValidation === true) {
-                    console.log(chalk.green('   ✓ Vendor key format is valid'));
+                    console.log(chalk.green('   ✓ Vendor key is set'));
                 }
                 else {
-                    console.log(chalk.red('   ✖ Vendor key format is invalid'));
-                    validation.issues.push('Invalid vendor key format');
+                    console.log(chalk.red(`   ✖ Vendor key issue: ${formatValidation}`));
+                    validation.issues.push('Vendor key missing or invalid');
                 }
             }
             // Test authentication validity

package/dist/commands/guide.js

@@ -233,7 +233,7 @@ export class UserGuidanceSystem {
         switch (authMethod) {
             case 'vendor_key':
                 console.log(chalk.yellow('📝 Vendor keys provide secure, programmatic access'));
-                console.log(chalk.gray('Format: pk_xxxxx.sk_xxxxx'));
+                console.log(chalk.gray('Find it in your dashboard under API Keys.'));
                 console.log();
                 break;
             case 'oauth':
@@ -409,7 +409,7 @@ export async function quickStartCommand() {
             category: 'Setup',
             commands: [
                 { cmd: 'lanonasis init', desc: 'Initialize configuration' },
-                { cmd: 'lanonasis login --vendor-key pk_xxx.sk_xxx', desc: 'Authenticate with vendor key' },
+                { cmd: 'lanonasis login --vendor-key <your-key>', desc: 'Authenticate with vendor key' },
                 { cmd: 'lanonasis health', desc: 'Verify system health' }
             ]
         },

package/dist/core/power-mode.js

@@ -293,7 +293,7 @@ export class PowerUserMode {
         const subCommand = args[0];
         switch (subCommand) {
             case 'keys':
-                console.log('API Keys: pk_xxx...xxx (active), pk_yyy...yyy (revoked)');
+                console.log('API Keys: vendor-key-1... (active), vendor-key-2... (revoked)');
                 break;
             case 'limits':
                 console.log('Rate Limits: 1000/hour (432 used)');

package/dist/core/welcome.js

@@ -296,7 +296,7 @@ export class InteractiveSetup {
                 message: 'Select authentication method:',
                 choices: [
                     {
-                        name: authBox('🔑 Vendor Key', 'Secure API access with pk_xxx.sk_xxx format', ['No expiration', 'Ideal for CI/CD', 'Full API access']),
+                        name: authBox('🔑 Vendor Key', 'Secure API access with long-lived credentials', ['No expiration', 'Ideal for CI/CD', 'Full API access']),
                         value: 'vendor',
                         short: 'Vendor Key'
                     },
@@ -327,32 +327,21 @@ export class InteractiveSetup {
         }
     }
     async authenticateWithVendorKey() {
-        const creds = await inquirer.prompt([
-            {
-                type: 'input',
-                name: 'publicKey',
-                message: 'Enter your Public Key (pk_xxx):',
-                validate: (input) => {
-                    if (!input.startsWith('pk_')) {
-                        return 'Public key must start with pk_';
-                    }
-                    return true;
-                }
-            },
+        const { vendorKey } = await inquirer.prompt([
             {
                 type: 'password',
-                name: 'secretKey',
-                message: 'Enter your Secret Key (sk_xxx):',
+                name: 'vendorKey',
+                message: 'Enter your vendor key:',
                 mask: '*',
                 validate: (input) => {
-                    if (!input.startsWith('sk_')) {
-                        return 'Secret key must start with sk_';
+                    if (!input || input.trim().length === 0) {
+                        return 'Vendor key is required';
                     }
                     return true;
                 }
             }
         ]);
-        void creds; // collected for future use when hooking real auth
+        void vendorKey; // collected for future use when hooking real auth
         const spinner = ora('Authenticating...').start();
         await this.simulateDelay(1000);
         spinner.succeed('Authentication successful!');
@@ -393,7 +382,6 @@ export class InteractiveSetup {
                 mask: '*'
             }
         ]);
-        void auth; // suppress unused until real auth wired
         const spinner = ora('Signing in...').start();
         await this.simulateDelay(1000);
         spinner.succeed('Sign in successful!');

package/dist/index-simple.js

@@ -123,7 +123,7 @@ const showWelcome = () => {
     console.log();
     if (isOnasisInvocation) {
         console.log(colors.info('🔑 Golden Contract Authentication:'));
-        console.log(`  ${colors.success(`${cmdName} login --vendor-key pk_xxx.sk_xxx`)}  ${colors.muted('# Vendor key auth')}`);
+        console.log(`  ${colors.success(`${cmdName} login --vendor-key <your-key>`)}      ${colors.muted('# Vendor key auth')}`);
         console.log(`  ${colors.success(`${cmdName} login --oauth`)}                    ${colors.muted('# Browser OAuth')}`);
         console.log();
     }
@@ -175,11 +175,24 @@ const healthCheck = async () => {
     process.stdout.write('MCP Server status: ');
     try {
         const client = getMCPClient();
+        const status = client.getConnectionStatus();
+        const mcpPreference = await cliConfig.get('mcpPreference') || 'auto';
         if (client.isConnectedToServer()) {
             console.log(colors.success('✅ Connected'));
+            console.log(`  Mode: ${colors.highlight(status.mode)}`);
+            console.log(`  Server: ${colors.highlight(status.server || 'N/A')}`);
         }
         else {
             console.log(colors.warning('⚠️  Disconnected'));
+            console.log(`  Configured preference: ${colors.highlight(mcpPreference)}`);
+            if (mcpPreference === 'remote') {
+                const mcpUrl = cliConfig.getMCPServerUrl();
+                console.log(`  Remote server: ${colors.highlight(mcpUrl)}`);
+            }
+            else if (mcpPreference === 'local') {
+                const mcpPath = cliConfig.getMCPServerPath();
+                console.log(`  Local server: ${colors.highlight(mcpPath || 'Not configured')}`);
+            }
         }
     }
     catch (error) {
@@ -229,7 +242,7 @@ authCmd
     .description('Login to your MaaS account')
     .option('-e, --email <email>', 'email address')
     .option('-p, --password <password>', 'password')
-    .option('--vendor-key <key>', 'vendor key (pk_xxx.sk_xxx format)')
+    .option('--vendor-key <key>', 'vendor key (as provided in your dashboard)')
     .option('--oauth', 'use OAuth browser flow')
     .action(async (options) => {
     // Handle oauth flag
@@ -249,6 +262,8 @@ authCmd
     .command('status')
     .description('Show authentication status')
     .action(async () => {
+    // Initialize config first
+    await cliConfig.init();
     const isAuth = await cliConfig.isAuthenticated();
     const user = await cliConfig.getCurrentUser();
     const failureCount = cliConfig.getFailureCount();
@@ -523,6 +538,8 @@ program
     .command('status')
     .description('Show overall system status')
     .action(async () => {
+    // Initialize config first
+    await cliConfig.init();
     const isAuth = await cliConfig.isAuthenticated();
     const apiUrl = cliConfig.getApiUrl();
     console.log(chalk.blue.bold('MaaS CLI Status'));

package/dist/index.js

@@ -270,6 +270,47 @@ const memoryCmd = program
 requireAuth(memoryCmd);
 memoryCommands(memoryCmd);
 // Note: Memory commands are now MCP-powered when available
+// REPL command (lightweight REPL for memory operations)
+program
+    .command('repl')
+    .description('Start lightweight REPL session for memory operations')
+    .option('--mcp', 'Use MCP mode')
+    .option('--api <url>', 'Override API URL')
+    .option('--token <token>', 'Authentication token')
+    .action(async (options) => {
+    try {
+        // Try to use the REPL package if available
+        const { spawn } = await import('child_process');
+        const { fileURLToPath } = await import('url');
+        const { dirname, join } = await import('path');
+        // Try to find the REPL package
+        const replPath = join(process.cwd(), 'packages', 'repl-cli', 'dist', 'index.js');
+        const args = ['start'];
+        if (options.mcp)
+            args.push('--mcp');
+        if (options.api)
+            args.push('--api', options.api);
+        if (options.token)
+            args.push('--token', options.token);
+        const repl = spawn('node', [replPath, ...args], {
+            stdio: 'inherit',
+            cwd: process.cwd()
+        });
+        repl.on('error', (err) => {
+            console.error(colors.error('Failed to start REPL:'), err.message);
+            console.log(colors.muted('Make sure the REPL package is built: cd packages/repl-cli && bun run build'));
+            process.exit(1);
+        });
+        repl.on('exit', (code) => {
+            process.exit(code || 0);
+        });
+    }
+    catch (error) {
+        console.error(colors.error('Failed to start REPL:'), error instanceof Error ? error.message : String(error));
+        console.log(colors.muted('Install the REPL package: cd packages/repl-cli && bun install && bun run build'));
+        process.exit(1);
+    }
+});
 // Topic commands (require auth)
 const topicCmd = program
     .command('topic')

package/dist/mcp/client/enhanced-client.js

@@ -59,7 +59,7 @@ export class EnhancedMCPClient extends EventEmitter {
         const maxRetries = config.maxRetries || 3;
         const timeout = config.timeout || 30000;
         let attempts = 0;
-        while (attempts < maxRetries) {
+        while (true) {
             try {
                 this.updateConnectionStatus(config.name, 'connecting');
                 const client = await this.createClientWithTimeout(config, timeout);
@@ -82,7 +82,6 @@ export class EnhancedMCPClient extends EventEmitter {
                 await this.delay(delay);
             }
         }
-        return false;
     }
     /**
      * Create client with timeout

package/dist/mcp/schemas/tool-schemas.d.ts

@@ -202,13 +202,13 @@ export declare const SystemConfigSchema: z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
     value?: any;
     action?: "get" | "set" | "reset";
-    key?: string;
     scope?: "user" | "global";
+    key?: string;
 }, {
     value?: any;
     action?: "get" | "set" | "reset";
-    key?: string;
     scope?: "user" | "global";
+    key?: string;
 }>;
 export declare const BulkOperationSchema: z.ZodObject<{
     operation: z.ZodEnum<["create", "update", "delete"]>;
@@ -580,13 +580,13 @@ export declare const MCPSchemas: {
         }, "strip", z.ZodTypeAny, {
             value?: any;
             action?: "get" | "set" | "reset";
-            key?: string;
             scope?: "user" | "global";
+            key?: string;
         }, {
             value?: any;
             action?: "get" | "set" | "reset";
-            key?: string;
             scope?: "user" | "global";
+            key?: string;
         }>;
     };
     operations: {

package/dist/mcp-server.d.ts

@@ -17,6 +17,7 @@ export declare class CLIMCPServer {
      * Start MCP server using CLI configuration
      */
     start(options?: MCPServerOptions): Promise<void>;
+    private resolveMCPServerPath;
     /**
      * Start local MCP server using CLI auth config
      */

package/dist/mcp-server.js

@@ -6,10 +6,13 @@
  */
 import { fileURLToPath } from 'url';
 import { dirname, join } from 'path';
+import { existsSync } from 'fs';
+import { createRequire } from 'module';
 import { spawn } from 'child_process';
 import { CLIConfig } from './utils/config.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
+const nodeRequire = createRequire(import.meta.url);
 export class CLIMCPServer {
     config;
     constructor() {
@@ -28,6 +31,33 @@ export class CLIMCPServer {
             await this.startLocalMCP(options);
         }
     }
+    resolveMCPServerPath() {
+        const candidates = new Set();
+        if (process.env.MCP_SERVER_PATH) {
+            candidates.add(process.env.MCP_SERVER_PATH);
+        }
+        const packageRequests = [
+            '@lanonasis/mcp-server/dist/cli-aligned-mcp-server.js',
+            'lanonasis-mcp-server/dist/cli-aligned-mcp-server.js'
+        ];
+        for (const request of packageRequests) {
+            try {
+                const resolved = nodeRequire.resolve(request);
+                candidates.add(resolved);
+            }
+            catch {
+                // Ignore resolution failures and continue through fallbacks
+            }
+        }
+        candidates.add(join(process.cwd(), 'mcp-server/dist/cli-aligned-mcp-server.js'));
+        candidates.add(join(__dirname, '../../../mcp-server/dist/cli-aligned-mcp-server.js'));
+        for (const candidate of candidates) {
+            if (candidate && existsSync(candidate)) {
+                return candidate;
+            }
+        }
+        throw new Error('Unable to locate the CLI-aligned MCP server. Set MCP_SERVER_PATH or install @lanonasis/mcp-server.');
+    }
     /**
      * Start local MCP server using CLI auth config
      */
@@ -42,10 +72,11 @@ export class CLIMCPServer {
             console.error(`Config: ~/.maas/config.json`);
             console.error(`Auth: ${this.config.hasVendorKey() ? 'Vendor Key' : 'JWT Token'}`);
         }
+        const resolvedPort = typeof port === 'number' && !Number.isNaN(port) ? port : 3001;
         // Set environment variables from CLI config
         const env = {
             ...process.env,
-            PORT: port?.toString(),
+            PORT: resolvedPort.toString(),
             MEMORY_API_URL: this.config.getApiUrl(),
             LANONASIS_VENDOR_KEY: this.config.getVendorKey(),
             LANONASIS_TOKEN: this.config.getToken(),
@@ -84,14 +115,13 @@ export class CLIMCPServer {
      */
     async startRemoteMCP(options) {
         const { verbose } = options;
+        const message = 'Remote MCP not implemented; remove --remote or use local mode.';
         if (verbose) {
             console.error('🌐 Connecting to remote MCP server...');
             console.error(`URL: ${this.config.getMCPServerUrl()}`);
         }
-        // For remote MCP, we'd need to implement a proxy or client
-        // For now, fall back to local mode
-        console.error('⚠️  Remote MCP not yet implemented, falling back to local mode');
-        await this.startLocalMCP({ ...options, useRemote: false });
+        console.error(`❌ ${message}`);
+        throw new Error(message);
     }
     /**
      * Check if MCP server is available and configured
@@ -149,6 +179,10 @@ Examples:
     await server.start(options);
 }
 if (import.meta.url === `file://${process.argv[1]}`) {
-    main().catch(console.error);
+    main().catch(error => {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(message);
+        process.exit(1);
+    });
 }
 export default CLIMCPServer;

package/dist/utils/api.js

@@ -27,7 +27,7 @@ export class APIClient {
             const token = this.config.getToken();
             const vendorKey = this.config.getVendorKey();
             if (vendorKey) {
-                // Vendor key authentication (pk_*.sk_* format)
+                // Vendor key authentication (validated server-side)
                 config.headers['X-API-Key'] = vendorKey;
                 config.headers['X-Auth-Method'] = 'vendor_key';
             }

package/dist/utils/config.d.ts

@@ -43,6 +43,14 @@ export declare class CLIConfig {
     private authCheckCache;
     private readonly AUTH_CACHE_TTL;
     constructor();
+    /**
+     * Overrides the configuration storage directory. Primarily used for tests.
+     */
+    setConfigDirectory(configDir: string): void;
+    /**
+     * Exposes the current config path for tests and diagnostics.
+     */
+    getConfigPath(): string;
     init(): Promise<void>;
     load(): Promise<void>;
     private migrateConfigIfNeeded;
@@ -55,6 +63,8 @@ export declare class CLIConfig {
     discoverServices(verbose?: boolean): Promise<void>;
     private handleServiceDiscoveryFailure;
     private categorizeServiceDiscoveryError;
+    private resolveFallbackEndpoints;
+    private logFallbackUsage;
     setManualEndpoints(endpoints: Partial<CLIConfigData['discoveredServices']>): Promise<void>;
     hasManualEndpointOverrides(): boolean;
     clearManualEndpointOverrides(): Promise<void>;
@@ -71,7 +81,6 @@ export declare class CLIConfig {
     isAuthenticated(): Promise<boolean>;
     logout(): Promise<void>;
     clear(): Promise<void>;
-    getConfigPath(): string;
     exists(): Promise<boolean>;
     validateStoredCredentials(): Promise<boolean>;
     refreshTokenIfNeeded(): Promise<void>;

package/dist/utils/config.js

@@ -16,6 +16,20 @@ export class CLIConfig {
         this.configPath = path.join(this.configDir, 'config.json');
         this.lockFile = path.join(this.configDir, 'config.lock');
     }
+    /**
+     * Overrides the configuration storage directory. Primarily used for tests.
+     */
+    setConfigDirectory(configDir) {
+        this.configDir = configDir;
+        this.configPath = path.join(configDir, 'config.json');
+        this.lockFile = path.join(configDir, 'config.lock');
+    }
+    /**
+     * Exposes the current config path for tests and diagnostics.
+     */
+    getConfigPath() {
+        return this.configPath;
+    }
     async init() {
         try {
             await fs.mkdir(this.configDir, { recursive: true });
@@ -229,20 +243,17 @@ export class CLIConfig {
                 return;
             }
         }
-        // Set fallback service endpoints
+        const fallback = this.resolveFallbackEndpoints();
         this.config.discoveredServices = {
-            auth_base: 'https://api.lanonasis.com', // CLI auth goes to central auth system
-            memory_base: 'https://api.lanonasis.com/api/v1', // Memory via onasis-core
-            mcp_base: 'https://mcp.lanonasis.com/api/v1', // MCP HTTP/REST
-            mcp_ws_base: 'wss://mcp.lanonasis.com/ws', // MCP WebSocket
-            mcp_sse_base: 'https://mcp.lanonasis.com/api/v1/events', // MCP SSE
-            project_scope: 'lanonasis-maas' // Correct project scope
+            ...fallback.endpoints,
+            project_scope: 'lanonasis-maas'
         };
         // Mark as fallback (don't set lastServiceDiscovery)
         await this.save();
+        this.logFallbackUsage(fallback.source, this.config.discoveredServices);
         if (verbose) {
             console.log('✓ Using fallback service endpoints');
-            console.log('   These are the standard production endpoints');
+            console.log(`   Source: ${fallback.source === 'environment' ? 'environment overrides' : 'built-in defaults'}`);
         }
     }
     categorizeServiceDiscoveryError(error) {
@@ -272,6 +283,47 @@ export class CLIConfig {
         }
         return 'unknown';
     }
+    resolveFallbackEndpoints() {
+        const envAuthBase = process.env.LANONASIS_FALLBACK_AUTH_BASE ?? process.env.AUTH_BASE;
+        const envMemoryBase = process.env.LANONASIS_FALLBACK_MEMORY_BASE ?? process.env.MEMORY_BASE;
+        const envMcpBase = process.env.LANONASIS_FALLBACK_MCP_BASE ?? process.env.MCP_BASE;
+        const envMcpWsBase = process.env.LANONASIS_FALLBACK_MCP_WS_BASE ?? process.env.MCP_WS_BASE;
+        const envMcpSseBase = process.env.LANONASIS_FALLBACK_MCP_SSE_BASE ?? process.env.MCP_SSE_BASE;
+        const hasEnvOverrides = Boolean(envAuthBase || envMemoryBase || envMcpBase || envMcpWsBase || envMcpSseBase);
+        const nodeEnv = (process.env.NODE_ENV ?? '').toLowerCase();
+        const isDevEnvironment = nodeEnv === 'development' || nodeEnv === 'test';
+        const defaultAuthBase = isDevEnvironment ? 'http://localhost:4000' : 'https://api.lanonasis.com';
+        const defaultMemoryBase = isDevEnvironment ? 'http://localhost:4000/api/v1' : 'https://api.lanonasis.com/api/v1';
+        const defaultMcpBase = isDevEnvironment ? 'http://localhost:4100/api/v1' : 'https://mcp.lanonasis.com/api/v1';
+        const defaultMcpWsBase = isDevEnvironment ? 'ws://localhost:4100/ws' : 'wss://mcp.lanonasis.com/ws';
+        const defaultMcpSseBase = isDevEnvironment ? 'http://localhost:4100/api/v1/events' : 'https://mcp.lanonasis.com/api/v1/events';
+        const endpoints = {
+            auth_base: envAuthBase ?? defaultAuthBase,
+            memory_base: envMemoryBase ?? defaultMemoryBase,
+            mcp_base: envMcpBase ?? defaultMcpBase,
+            mcp_ws_base: envMcpWsBase ?? defaultMcpWsBase,
+            mcp_sse_base: envMcpSseBase ?? defaultMcpSseBase
+        };
+        return {
+            endpoints,
+            source: hasEnvOverrides ? 'environment' : 'default'
+        };
+    }
+    logFallbackUsage(source, endpoints) {
+        const summary = {
+            auth: endpoints.auth_base,
+            mcp: endpoints.mcp_base,
+            websocket: endpoints.mcp_ws_base,
+            sse: endpoints.mcp_sse_base,
+            source
+        };
+        const message = `Service discovery fallback activated using ${source === 'environment' ? 'environment overrides' : 'built-in defaults'}`;
+        console.warn(`⚠️  ${message}`);
+        console.info('📊 service_discovery_fallback', summary);
+        if (typeof process.emitWarning === 'function') {
+            process.emitWarning(message, 'ServiceDiscoveryFallback');
+        }
+    }
     // Manual endpoint override functionality
     async setManualEndpoints(endpoints) {
         if (!this.config.discoveredServices) {
@@ -302,55 +354,25 @@ export class CLIConfig {
     }
     // Enhanced authentication support
     async setVendorKey(vendorKey) {
-        // Enhanced format validation with detailed error messages
-        const formatValidation = this.validateVendorKeyFormat(vendorKey);
+        const trimmedKey = typeof vendorKey === 'string' ? vendorKey.trim() : '';
+        // Minimal format validation (non-empty); rely on server-side checks for everything else
+        const formatValidation = this.validateVendorKeyFormat(trimmedKey);
         if (formatValidation !== true) {
-            throw new Error(typeof formatValidation === 'string' ? formatValidation : 'Invalid vendor key format');
+            throw new Error(typeof formatValidation === 'string' ? formatValidation : 'Vendor key is invalid');
         }
         // Server-side validation
-        await this.validateVendorKeyWithServer(vendorKey);
-        this.config.vendorKey = vendorKey;
+        await this.validateVendorKeyWithServer(trimmedKey);
+        this.config.vendorKey = trimmedKey;
         this.config.authMethod = 'vendor_key';
         this.config.lastValidated = new Date().toISOString();
         await this.resetFailureCount(); // Reset failure count on successful auth
         await this.save();
     }
     validateVendorKeyFormat(vendorKey) {
-        if (!vendorKey || vendorKey.trim().length === 0) {
+        const trimmed = typeof vendorKey === 'string' ? vendorKey.trim() : '';
+        if (!trimmed) {
             return 'Vendor key is required';
         }
-        const trimmed = vendorKey.trim();
-        // Check basic format
-        if (!trimmed.includes('.')) {
-            return 'Invalid vendor key format: Must contain a dot (.) separator. Expected format: pk_xxx.sk_xxx';
-        }
-        const parts = trimmed.split('.');
-        if (parts.length !== 2) {
-            return 'Invalid vendor key format: Must have exactly two parts separated by a dot. Expected format: pk_xxx.sk_xxx';
-        }
-        const [publicPart, secretPart] = parts;
-        // Validate public key part
-        if (!publicPart.startsWith('pk_')) {
-            return 'Invalid vendor key format: First part must start with "pk_". Expected format: pk_xxx.sk_xxx';
-        }
-        if (publicPart.length < 11) { // pk_ + minimum 8 chars
-            return 'Invalid vendor key format: Public key part is too short. Expected format: pk_xxx.sk_xxx (minimum 8 characters after "pk_")';
-        }
-        const publicKeyContent = publicPart.substring(3); // Remove 'pk_'
-        if (!/^[a-zA-Z0-9]+$/.test(publicKeyContent)) {
-            return 'Invalid vendor key format: Public key part contains invalid characters. Only letters and numbers are allowed after "pk_"';
-        }
-        // Validate secret key part
-        if (!secretPart.startsWith('sk_')) {
-            return 'Invalid vendor key format: Second part must start with "sk_". Expected format: pk_xxx.sk_xxx';
-        }
-        if (secretPart.length < 19) { // sk_ + minimum 16 chars
-            return 'Invalid vendor key format: Secret key part is too short. Expected format: pk_xxx.sk_xxx (minimum 16 characters after "sk_")';
-        }
-        const secretKeyContent = secretPart.substring(3); // Remove 'sk_'
-        if (!/^[a-zA-Z0-9]+$/.test(secretKeyContent)) {
-            return 'Invalid vendor key format: Secret key part contains invalid characters. Only letters and numbers are allowed after "sk_"';
-        }
         return true;
     }
     async validateVendorKeyWithServer(vendorKey) {
@@ -524,7 +546,17 @@ export class CLIConfig {
             this.authCheckCache = { isValid: false, timestamp: Date.now() };
             return false;
         }
-        // Verify with server (security check)
+        // Token is locally valid - check if we need server validation
+        // Skip server validation if we have a recent lastValidated timestamp (within 24 hours)
+        const lastValidated = this.config.lastValidated;
+        const skipServerValidation = lastValidated &&
+            (Date.now() - new Date(lastValidated).getTime()) < (24 * 60 * 60 * 1000); // 24 hours
+        if (skipServerValidation) {
+            // Trust the local validation if it was recently validated
+            this.authCheckCache = { isValid: locallyValid, timestamp: Date.now() };
+            return locallyValid;
+        }
+        // Verify with server (security check) for tokens that haven't been validated recently
         try {
             const axios = (await import('axios')).default;
             // Try auth-gateway first (port 4000), then fall back to Netlify function
@@ -547,16 +579,29 @@ export class CLIConfig {
                 }
             }
             if (!response || response.data.valid !== true) {
+                // Server says invalid - but if locally valid and recent, trust local
+                if (locallyValid) {
+                    if (process.env.CLI_VERBOSE === 'true') {
+                        console.warn('⚠️  Server validation failed, but token is locally valid - using local validation');
+                    }
+                    this.authCheckCache = { isValid: locallyValid, timestamp: Date.now() };
+                    return locallyValid;
+                }
                 this.authCheckCache = { isValid: false, timestamp: Date.now() };
                 return false;
             }
+            // Update lastValidated on successful server validation
+            this.config.lastValidated = new Date().toISOString();
+            await this.save().catch(() => { }); // Don't fail auth check if save fails
             this.authCheckCache = { isValid: true, timestamp: Date.now() };
             return true;
         }
         catch {
             // If all server checks fail, fall back to local validation
             // This allows offline usage but is less secure
-            console.warn('⚠️  Unable to verify token with server, using local validation');
+            if (process.env.CLI_VERBOSE === 'true') {
+                console.warn('⚠️  Unable to verify token with server, using local validation');
+            }
             this.authCheckCache = { isValid: locallyValid, timestamp: Date.now() };
             return locallyValid;
         }
@@ -570,9 +615,6 @@ export class CLIConfig {
         this.config = {};
         await this.save();
     }
-    getConfigPath() {
-        return this.configPath;
-    }
     async exists() {
         try {
             await fs.access(this.configPath);
@@ -656,9 +698,12 @@ export class CLIConfig {
                 }
             }
         }
-        catch {
+        catch (err) {
             // If refresh fails, mark credentials as potentially invalid
             await this.incrementFailureCount();
+            if (process.env.CLI_VERBOSE === 'true' || process.env.NODE_ENV !== 'production') {
+                console.debug('Token refresh failed:', err.message);
+            }
         }
     }
     async clearInvalidCredentials() {

package/dist/utils/mcp-client.d.ts

@@ -57,6 +57,23 @@ export declare class MCPClient {
     private lastHealthCheck;
     private activeConnectionMode;
     constructor();
+    /**
+     * Overrides the configuration directory used by the underlying CLI config.
+     * Useful for tests that need isolated config state.
+     */
+    setConfigDirectory(configDir: string): void;
+    /**
+     * Returns the current config file path. Primarily used for test introspection.
+     */
+    getConfigPath(): string;
+    /**
+     * Helper for tests to seed authentication tokens without accessing internals.
+     */
+    setTokenForTesting(token: string): Promise<void>;
+    /**
+     * Helper for tests to seed vendor keys without accessing internals.
+     */
+    setVendorKeyForTesting(vendorKey: string): Promise<void>;
     /**
      * Initialize the MCP client configuration
      */
@@ -93,10 +110,6 @@ export declare class MCPClient {
      * Validate authentication credentials before attempting MCP connection
      */
     private validateAuthBeforeConnect;
-    /**
-     * Validate vendor key format
-     */
-    private validateVendorKeyFormat;
     /**
      * Validate and refresh token if needed
      */

package/dist/utils/mcp-client.js

@@ -20,6 +20,31 @@ export class MCPClient {
     constructor() {
         this.config = new CLIConfig();
     }
+    /**
+     * Overrides the configuration directory used by the underlying CLI config.
+     * Useful for tests that need isolated config state.
+     */
+    setConfigDirectory(configDir) {
+        this.config.setConfigDirectory(configDir);
+    }
+    /**
+     * Returns the current config file path. Primarily used for test introspection.
+     */
+    getConfigPath() {
+        return this.config.getConfigPath();
+    }
+    /**
+     * Helper for tests to seed authentication tokens without accessing internals.
+     */
+    async setTokenForTesting(token) {
+        await this.config.setToken(token);
+    }
+    /**
+     * Helper for tests to seed vendor keys without accessing internals.
+     */
+    async setVendorKeyForTesting(vendorKey) {
+        await this.config.setVendorKey(vendorKey);
+    }
     /**
      * Initialize the MCP client configuration
      */
@@ -220,11 +245,10 @@ export class MCPClient {
         const msg = error?.message ?? '';
         if (msg.includes('AUTHENTICATION_REQUIRED')) {
             console.log(chalk.cyan('• No credentials found. Run: lanonasis auth login'));
-            console.log(chalk.cyan('• Or set vendor key: lanonasis auth login --vendor-key pk_xxx.sk_xxx'));
+            console.log(chalk.cyan('• Or set a vendor key: lanonasis auth login --vendor-key <your-key>'));
         }
         else if (msg.includes('AUTHENTICATION_INVALID')) {
-            console.log(chalk.cyan('• Invalid credentials. Check your vendor key format'));
-            console.log(chalk.cyan('• Expected format: pk_xxx.sk_xxx'));
+            console.log(chalk.cyan('• Invalid credentials. Confirm the vendor key matches your dashboard value'));
             console.log(chalk.cyan('• Try: lanonasis auth logout && lanonasis auth login'));
         }
         else if (msg.includes('expired')) {
@@ -234,7 +258,7 @@ export class MCPClient {
         else {
             console.log(chalk.cyan('• Check authentication status: lanonasis auth status'));
             console.log(chalk.cyan('• Re-authenticate: lanonasis auth login'));
-            console.log(chalk.cyan('• Verify vendor key: lanonasis auth login --vendor-key pk_xxx.sk_xxx'));
+            console.log(chalk.cyan('• Verify vendor key: lanonasis auth login --vendor-key <your-key>'));
         }
     }
     /**
@@ -306,21 +330,14 @@ export class MCPClient {
                 throw new Error(`AUTHENTICATION_INVALID: ${error instanceof Error ? error.message : 'Token validation failed'}`);
             }
         }
-        // If we have a vendor key, validate its format
+        // If we have a vendor key, ensure it is valid (non-empty)
         if (vendorKey && !token) {
-            if (!this.validateVendorKeyFormat(vendorKey)) {
-                throw new Error('AUTHENTICATION_INVALID: Invalid vendor key format. Expected format: pk_xxx.sk_xxx');
+            const validationResult = this.config.validateVendorKeyFormat(vendorKey);
+            if (validationResult !== true) {
+                throw new Error(`AUTHENTICATION_INVALID: ${typeof validationResult === 'string' ? validationResult : 'Vendor key is invalid'}`);
             }
         }
     }
-    /**
-     * Validate vendor key format
-     */
-    validateVendorKeyFormat(vendorKey) {
-        // Vendor key should be in format: pk_xxx.sk_xxx
-        const vendorKeyPattern = /^pk_[a-zA-Z0-9]+\.sk_[a-zA-Z0-9]+$/;
-        return vendorKeyPattern.test(vendorKey);
-    }
     /**
      * Validate and refresh token if needed
      */
@@ -528,7 +545,7 @@ export class MCPClient {
         }
         try {
             this.lastHealthCheck = new Date();
-            const connectionMode = this.config.get('mcpConnectionMode') ?? 'remote';
+            const connectionMode = this.activeConnectionMode || 'remote';
             switch (connectionMode) {
                 case 'websocket':
                     await this.checkWebSocketHealth();
@@ -542,7 +559,8 @@ export class MCPClient {
             }
         }
         catch {
-            console.log(chalk.yellow('⚠️  Health check failed, attempting reconnection...'));
+            const connectionMode = this.activeConnectionMode || 'remote';
+            console.log(chalk.yellow(`⚠️  ${connectionMode} connection health check failed, attempting reconnection...`));
             await this.handleHealthCheckFailure();
         }
     }
@@ -607,10 +625,11 @@ export class MCPClient {
         this.isConnected = false;
         this.stopHealthMonitoring();
         // Attempt to reconnect with current configuration
-        const connectionMode = this.config.get('mcpConnectionMode') ?? 'remote';
+        const connectionMode = (this.activeConnectionMode || 'remote');
         const options = {
-            connectionMode: connectionMode
+            connectionMode
         };
+        console.log(chalk.yellow(`↻ Attempting reconnection using ${connectionMode} mode...`));
         // Add specific URLs if available
         if (connectionMode === 'websocket') {
             options.serverUrl = this.config.get('mcpWebSocketUrl');
@@ -648,7 +667,7 @@ export class MCPClient {
             this.wsConnection = null;
         }
         this.isConnected = false;
-        this.activeConnectionMode = 'local'; // Reset to default
+        this.activeConnectionMode = 'websocket'; // Reset to default
     }
     /**
      * Call an MCP tool

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lanonasis/cli",
-  "version": "3.4.15",
+  "version": "3.6.0",
   "description": "LanOnasis Enterprise CLI - Memory as a Service, API Key Management, and Infrastructure Orchestration",
   "main": "dist/index-simple.js",
   "bin": {
@@ -99,4 +99,4 @@
   "engines": {
     "node": ">=18.0.0"
   }
-}
+}