@lanonasis/cli 3.5.15 → 3.6.0

package/README.md

@@ -452,3 +452,71 @@ MIT License - see [LICENSE](../LICENSE) for details.
 ---
 
 _Professional CLI for Enterprise Memory as a Service - Golden Contract Compliant_
+
+## OAuth2 Authentication (v3.5.0+)
+
+### Browser Login with OAuth2 PKCE
+
+The CLI now supports secure OAuth2 authentication with PKCE (Proof Key for Code Exchange) for browser-based login:
+
+```bash
+onasis auth login
+# Choose: 🌐 Browser Login (Get token from web page)
+```
+
+**How it works:**
+1. CLI starts a local callback server on port 8888
+2. Opens your browser to the OAuth2 authorization page
+3. You authenticate in the browser
+4. Authorization code is sent back to the CLI
+5. CLI exchanges code for access and refresh tokens
+6. Tokens are securely stored locally
+
+**Benefits:**
+- ✅ More secure (PKCE prevents code interception)
+- ✅ Automatic token refresh
+- ✅ Revocable access
+- ✅ Industry-standard OAuth2 flow
+
+### Authentication Methods
+
+The CLI supports three authentication methods:
+
+1. **🔑 Vendor Key** (Recommended for API access)
+   - Long-lived API key from dashboard
+   - Best for automation and CI/CD
+
+2. **🌐 Browser Login** (OAuth2 PKCE)
+   - Secure browser-based authentication
+   - Automatic token refresh
+   - Best for interactive use
+
+3. **⚙️ Username/Password** (Direct credentials)
+   - Traditional email/password login
+   - Returns JWT token
+   - Legacy method
+
+### Token Management
+
+OAuth2 tokens are automatically refreshed when expired:
+
+```bash
+# Check authentication status
+onasis auth status
+
+# Force re-authentication
+onasis auth logout
+onasis auth login
+```
+
+### Troubleshooting
+
+**Port 8888 already in use:**
+The CLI needs port 8888 for the OAuth callback. If it's in use, close the application using it or use the Vendor Key method instead.
+
+**Browser doesn't open:**
+The CLI will show the authorization URL - copy and paste it into your browser manually.
+
+**Token refresh failed:**
+Run `onasis auth login` to re-authenticate.
+

package/dist/commands/auth.js

@@ -2,6 +2,9 @@ import chalk from 'chalk';
 import inquirer from 'inquirer';
 import ora from 'ora';
 import open from 'open';
+import crypto from 'crypto';
+import http from 'http';
+import url from 'url';
 import { apiClient } from '../utils/api.js';
 import { CLIConfig } from '../utils/config.js';
 // Color scheme
@@ -49,9 +52,9 @@ async function handleAuthenticationFailure(error, config, authMethod = 'jwt') {
         case 'invalid_credentials':
             console.log(chalk.red('Invalid credentials provided'));
             if (authMethod === 'vendor_key') {
-                console.log(chalk.gray('• Check your vendor key format: pk_xxx.sk_xxx'));
-                console.log(chalk.gray('• Verify the key is active in your account dashboard'));
-                console.log(chalk.gray('• Ensure you copied the complete key including both parts'));
+                console.log(chalk.gray('• Verify the vendor key matches the value shown in your dashboard'));
+                console.log(chalk.gray('• Confirm the key is active and has not been revoked'));
+                console.log(chalk.gray('• Ensure you copied the entire key without extra spaces'));
             }
             else {
                 console.log(chalk.gray('• Double-check your email and password'));
@@ -163,6 +166,120 @@ function categorizeAuthError(error) {
     }
     return 'unknown';
 }
+// ============================================
+// OAuth2 PKCE Helper Functions
+// ============================================
+/**
+ * Generate PKCE code verifier and challenge for OAuth2
+ */
+function generatePKCE() {
+    // Generate random verifier (43-128 chars, base64url)
+    const verifier = crypto.randomBytes(32).toString('base64url');
+    // Generate challenge: base64url(sha256(verifier))
+    const challenge = crypto
+        .createHash('sha256')
+        .update(verifier)
+        .digest('base64url');
+    return { verifier, challenge };
+}
+/**
+ * Start local HTTP server to catch OAuth2 callback
+ */
+function createCallbackServer(port = 8888) {
+    return new Promise((resolve, reject) => {
+        const server = http.createServer((req, res) => {
+            const parsedUrl = url.parse(req.url, true);
+            if (parsedUrl.pathname === '/callback') {
+                const { code, state, error, error_description } = parsedUrl.query;
+                // Send response to browser
+                if (error) {
+                    res.writeHead(400, { 'Content-Type': 'text/html' });
+                    res.end(`
+            <html>
+              <head><title>Authentication Failed</title></head>
+              <body style="font-family: sans-serif; text-align: center; padding: 50px;">
+                <h1>❌ Authentication Failed</h1>
+                <p>${error_description || error}</p>
+                <p style="color: gray;">You can close this window.</p>
+              </body>
+            </html>
+          `);
+                    reject(new Error(`OAuth error: ${error_description || error}`));
+                }
+                else if (code) {
+                    res.writeHead(200, { 'Content-Type': 'text/html' });
+                    res.end(`
+            <html>
+              <head><title>Authentication Successful</title></head>
+              <body style="font-family: sans-serif; text-align: center; padding: 50px;">
+                <h1>✅ Authentication Successful</h1>
+                <p>You can close this window and return to the CLI.</p>
+                <script>setTimeout(() => window.close(), 2000);</script>
+              </body>
+            </html>
+          `);
+                    resolve({ code: code, state: state });
+                }
+                else {
+                    res.writeHead(400, { 'Content-Type': 'text/plain' });
+                    res.end('Invalid callback');
+                    reject(new Error('No authorization code received'));
+                }
+                // Close server after handling request
+                server.close();
+            }
+        });
+        server.listen(port, () => {
+            console.log(chalk.gray(`   Local callback server listening on port ${port}`));
+        });
+        // Timeout after 5 minutes
+        setTimeout(() => {
+            server.close();
+            reject(new Error('Authentication timeout - please try again'));
+        }, 300000);
+    });
+}
+/**
+ * Exchange authorization code for OAuth2 tokens
+ */
+async function exchangeCodeForTokens(code, verifier, authBase) {
+    const tokenEndpoint = `${authBase}/oauth/token`;
+    const response = await apiClient.post(tokenEndpoint, {
+        grant_type: 'authorization_code',
+        code,
+        code_verifier: verifier,
+        client_id: 'lanonasis-cli',
+        redirect_uri: 'http://localhost:8888/callback'
+    });
+    return response;
+}
+/**
+ * Refresh OAuth2 access token using refresh token
+ */
+async function refreshOAuth2Token(config) {
+    const refreshToken = config.get('refresh_token');
+    if (!refreshToken) {
+        return false;
+    }
+    try {
+        const authBase = config.getDiscoveredApiUrl();
+        const response = await apiClient.post(`${authBase}/oauth/token`, {
+            grant_type: 'refresh_token',
+            refresh_token: refreshToken,
+            client_id: 'lanonasis-cli'
+        });
+        await config.setToken(response.access_token);
+        if (response.refresh_token) {
+            await config.set('refresh_token', response.refresh_token);
+        }
+        await config.set('token_expires_at', Date.now() + (response.expires_in * 1000));
+        return true;
+    }
+    catch (error) {
+        console.error(chalk.yellow('⚠️  Token refresh failed, please re-authenticate'));
+        return false;
+    }
+}
 export async function diagnoseCommand() {
     const config = new CLIConfig();
     await config.init();
@@ -206,14 +323,10 @@ export async function diagnoseCommand() {
         diagnostics.hasCredentials = true;
         diagnostics.credentialType = 'vendor_key';
         console.log(chalk.green('   ✓ Vendor key found'));
-        // Validate vendor key format
+        // Validate vendor key presence
         const formatValidation = config.validateVendorKeyFormat(vendorKey);
-        if (formatValidation === true) {
-            console.log(chalk.green('   ✓ Vendor key format is valid'));
-        }
-        else {
-            console.log(chalk.red('   ✖ Vendor key format is invalid:'));
-            console.log(chalk.gray(`     ${formatValidation}`));
+        if (formatValidation !== true) {
+            console.log(chalk.red(`   ✖ Vendor key issue: ${formatValidation}`));
         }
     }
     else if (token) {
@@ -335,7 +448,7 @@ export async function diagnoseCommand() {
     }
     if (!diagnostics.hasCredentials) {
         issues.push('No authentication credentials stored');
-        recommendations.push('Run: lanonasis auth login --vendor-key pk_xxx.sk_xxx');
+        recommendations.push('Run: lanonasis auth login --vendor-key <your-key>');
     }
     if (diagnostics.hasCredentials && !diagnostics.credentialsValid) {
         issues.push('Stored credentials are invalid');
@@ -370,7 +483,7 @@ export async function diagnoseCommand() {
     // Additional troubleshooting info
     if (diagnostics.authFailures > 0 || !diagnostics.credentialsValid) {
         console.log(chalk.gray('\n🔧 Additional troubleshooting:'));
-        console.log(chalk.gray('   • Verify your vendor key format: pk_xxx.sk_xxx'));
+        console.log(chalk.gray('   • Verify the vendor key matches the value shown in your dashboard'));
         console.log(chalk.gray('   • Check if your key is active in the dashboard'));
         console.log(chalk.gray('   • Try browser authentication: lanonasis auth login --use-web-auth'));
         console.log(chalk.gray('   • Contact support if issues persist'));
@@ -457,84 +570,37 @@ async function handleVendorKeyAuth(vendorKey, config) {
 async function handleVendorKeyFlow(config) {
     console.log();
     console.log(chalk.yellow('🔑 Vendor Key Authentication'));
-    console.log(chalk.gray('Vendor keys provide secure API access with format: pk_xxx.sk_xxx'));
+    console.log(chalk.gray('Vendor keys provide secure API access for automation and integrations.'));
     console.log();
     // Enhanced guidance for obtaining vendor keys
     console.log(chalk.cyan('📋 How to get your vendor key:'));
     console.log(chalk.gray('1. Visit your Lanonasis dashboard at https://app.lanonasis.com'));
     console.log(chalk.gray('2. Navigate to Settings → API Keys'));
-    console.log(chalk.gray('3. Click "Generate New Key" and copy the full key'));
-    console.log(chalk.gray('4. The key format should be: pk_[letters/numbers].sk_[letters/numbers]'));
+    console.log(chalk.gray('3. Click "Generate New Key" and copy the full key value'));
     console.log();
     const { vendorKey } = await inquirer.prompt([
         {
             type: 'password',
             name: 'vendorKey',
-            message: 'Enter your vendor key (pk_xxx.sk_xxx):',
+            message: 'Enter your vendor key:',
             mask: '*',
             validate: (input) => {
-                return validateVendorKeyFormat(input);
+                return config.validateVendorKeyFormat(input);
             }
         }
     ]);
     await handleVendorKeyAuth(vendorKey, config);
 }
-// Enhanced vendor key format validation with detailed error messages
-function validateVendorKeyFormat(input) {
-    if (!input || input.trim().length === 0) {
-        return 'Vendor key is required';
-    }
-    const trimmed = input.trim();
-    // Check basic format
-    if (!trimmed.includes('.')) {
-        return 'Invalid format: Vendor key must contain a dot (.) separator\nExpected format: pk_xxx.sk_xxx';
-    }
-    const parts = trimmed.split('.');
-    if (parts.length !== 2) {
-        return 'Invalid format: Vendor key must have exactly two parts separated by a dot\nExpected format: pk_xxx.sk_xxx';
-    }
-    const [publicPart, secretPart] = parts;
-    // Validate public key part
-    if (!publicPart.startsWith('pk_')) {
-        return 'Invalid format: First part must start with "pk_"\nExpected format: pk_xxx.sk_xxx';
-    }
-    if (publicPart.length < 4) {
-        return 'Invalid format: Public key part is too short\nExpected format: pk_xxx.sk_xxx (where xxx is alphanumeric)';
-    }
-    const publicKeyContent = publicPart.substring(3); // Remove 'pk_'
-    if (!/^[a-zA-Z0-9]+$/.test(publicKeyContent)) {
-        return 'Invalid format: Public key part contains invalid characters\nOnly letters and numbers are allowed after "pk_"';
-    }
-    // Validate secret key part
-    if (!secretPart.startsWith('sk_')) {
-        return 'Invalid format: Second part must start with "sk_"\nExpected format: pk_xxx.sk_xxx';
-    }
-    if (secretPart.length < 4) {
-        return 'Invalid format: Secret key part is too short\nExpected format: pk_xxx.sk_xxx (where xxx is alphanumeric)';
-    }
-    const secretKeyContent = secretPart.substring(3); // Remove 'sk_'
-    if (!/^[a-zA-Z0-9]+$/.test(secretKeyContent)) {
-        return 'Invalid format: Secret key part contains invalid characters\nOnly letters and numbers are allowed after "sk_"';
-    }
-    // Check minimum length requirements
-    if (publicKeyContent.length < 8) {
-        return 'Invalid format: Public key part is too short (minimum 8 characters after "pk_")';
-    }
-    if (secretKeyContent.length < 16) {
-        return 'Invalid format: Secret key part is too short (minimum 16 characters after "sk_")';
-    }
-    return true;
-}
 async function handleOAuthFlow(config) {
     console.log();
-    console.log(chalk.yellow('🌐 Browser-Based Authentication'));
-    console.log(chalk.gray('This will open your browser for secure authentication'));
+    console.log(chalk.yellow('🌐 Browser-Based OAuth2 Authentication'));
+    console.log(chalk.gray('Secure authentication using OAuth2 with PKCE'));
     console.log();
     const { openBrowser } = await inquirer.prompt([
         {
             type: 'confirm',
             name: 'openBrowser',
-            message: 'Open browser for authentication?',
+            message: 'Open browser for OAuth2 authentication?',
             default: true
         }
     ]);
@@ -542,63 +608,53 @@ async function handleOAuthFlow(config) {
         console.log(chalk.yellow('⚠️  Authentication cancelled'));
         return;
     }
-    // Use the browser-based CLI login endpoint discovered from auth_base
-    const authBase = config.getDiscoveredApiUrl();
-    const authUrl = `${authBase.replace(/\/$/, '')}/auth/cli-login`;
     try {
-        console.log(colors.info('Opening browser...'));
-        await open(authUrl);
+        // Generate PKCE challenge
+        const pkce = generatePKCE();
+        console.log(chalk.gray('   ✓ Generated PKCE challenge'));
+        // Start local callback server
+        const callbackPort = 8888;
+        const callbackPromise = createCallbackServer(callbackPort);
+        console.log(chalk.gray(`   ✓ Started local callback server on port ${callbackPort}`));
+        // Build OAuth2 authorization URL
+        const authBase = config.getDiscoveredApiUrl();
+        const authUrl = new URL(`${authBase}/oauth/authorize`);
+        authUrl.searchParams.set('response_type', 'code');
+        authUrl.searchParams.set('client_id', 'lanonasis-cli');
+        authUrl.searchParams.set('redirect_uri', `http://localhost:${callbackPort}/callback`);
+        authUrl.searchParams.set('scope', 'read write offline_access');
+        authUrl.searchParams.set('code_challenge', pkce.challenge);
+        authUrl.searchParams.set('code_challenge_method', 'S256');
+        authUrl.searchParams.set('state', crypto.randomBytes(16).toString('hex'));
         console.log();
-        console.log(colors.info('Please complete authentication in your browser'));
-        console.log(colors.info('The page will display your authentication token'));
-        console.log(colors.muted(`If browser doesn't open, visit: ${authUrl}`));
+        console.log(colors.info('Opening browser for authentication...'));
+        await open(authUrl.toString());
+        console.log(colors.info('Waiting for authentication in browser...'));
+        console.log(colors.muted(`If browser doesn't open, visit: ${authUrl.toString()}`));
         console.log();
-        // Prompt for the token from the browser page
-        const { token } = await inquirer.prompt([
-            {
-                type: 'input',
-                name: 'token',
-                message: 'Paste the authentication token from browser:',
-                validate: async (input) => {
-                    if (!input || input.trim().length === 0) {
-                        return 'Token is required';
-                    }
-                    const trimmed = input.trim();
-                    // Reject if user pasted a URL instead of token
-                    if (trimmed.startsWith('http://') || trimmed.startsWith('https://')) {
-                        return 'Please paste the TOKEN from the page, not the URL';
-                    }
-                    // Check token format - should start with 'cli_' or be a JWT
-                    if (!trimmed.startsWith('cli_') && !trimmed.match(/^[\w-]+\.[\w-]+\.[\w-]+$/)) {
-                        return 'Invalid token format. Expected format: cli_xxx or JWT token';
-                    }
-                    // Verify token with server
-                    try {
-                        const response = await apiClient.post('/auth/verify', { token: trimmed });
-                        if (!response.valid) {
-                            return 'Token verification failed. Please try again.';
-                        }
-                    }
-                    catch (error) {
-                        const errorMessage = error instanceof Error ? error.message : 'Server verification failed';
-                        return `Token verification error: ${errorMessage}`;
-                    }
-                    return true;
-                }
-            }
-        ]);
-        if (token && token.trim()) {
-            await config.setToken(token.trim());
-            console.log(chalk.green('✓ Browser authentication successful'));
-            console.log(colors.info('You can now use Lanonasis services'));
-        }
-        else {
-            console.log(chalk.yellow('⚠️  No token provided'));
-        }
+        // Wait for callback
+        const spinner = ora('Waiting for authorization...').start();
+        const { code } = await callbackPromise;
+        spinner.succeed('Authorization code received');
+        // Exchange code for tokens
+        spinner.text = 'Exchanging code for access tokens...';
+        spinner.start();
+        const tokens = await exchangeCodeForTokens(code, pkce.verifier, authBase);
+        spinner.succeed('Access tokens received');
+        // Store tokens
+        await config.setToken(tokens.access_token);
+        await config.set('refresh_token', tokens.refresh_token);
+        await config.set('token_expires_at', Date.now() + (tokens.expires_in * 1000));
+        await config.set('authMethod', 'oauth2');
+        console.log();
+        console.log(chalk.green('✓ OAuth2 authentication successful'));
+        console.log(colors.info('You can now use Lanonasis services'));
     }
-    catch {
-        console.error(chalk.red('✖ Failed to open browser'));
-        console.log(colors.muted(`Please visit manually: ${authUrl}`));
+    catch (error) {
+        console.error(chalk.red('✖ OAuth2 authentication failed'));
+        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+        console.error(chalk.gray(`   ${errorMessage}`));
+        process.exit(1);
     }
 }
 async function handleCredentialsFlow(options, config) {

package/dist/commands/completion.js

@@ -48,7 +48,7 @@ export async function generateCompletionData() {
                         options: [
                             { name: '--email', description: 'Email address', type: 'string' },
                             { name: '--password', description: 'Password', type: 'string' },
-                            { name: '--vendor-key', description: 'Vendor key (pk_xxx.sk_xxx)', type: 'string' },
+                            { name: '--vendor-key', description: 'Vendor key value', type: 'string' },
                             { name: '--oauth', description: 'Use OAuth flow', type: 'boolean' }
                         ]
                     },

package/dist/commands/config.js

@@ -411,15 +411,15 @@ export function configCommands(program) {
                     console.log(chalk.cyan('   → Repaired: Set auth method to jwt'));
                 }
             }
-            // Validate vendor key format if present
+            // Validate vendor key presence if present
             if (vendorKey) {
                 const formatValidation = config.validateVendorKeyFormat(vendorKey);
                 if (formatValidation === true) {
-                    console.log(chalk.green('   ✓ Vendor key format is valid'));
+                    console.log(chalk.green('   ✓ Vendor key is set'));
                 }
                 else {
-                    console.log(chalk.red('   ✖ Vendor key format is invalid'));
-                    validation.issues.push('Invalid vendor key format');
+                    console.log(chalk.red(`   ✖ Vendor key issue: ${formatValidation}`));
+                    validation.issues.push('Vendor key missing or invalid');
                 }
             }
             // Test authentication validity

package/dist/commands/guide.js

@@ -233,7 +233,7 @@ export class UserGuidanceSystem {
         switch (authMethod) {
             case 'vendor_key':
                 console.log(chalk.yellow('📝 Vendor keys provide secure, programmatic access'));
-                console.log(chalk.gray('Format: pk_xxxxx.sk_xxxxx'));
+                console.log(chalk.gray('Find it in your dashboard under API Keys.'));
                 console.log();
                 break;
             case 'oauth':
@@ -409,7 +409,7 @@ export async function quickStartCommand() {
             category: 'Setup',
             commands: [
                 { cmd: 'lanonasis init', desc: 'Initialize configuration' },
-                { cmd: 'lanonasis login --vendor-key pk_xxx.sk_xxx', desc: 'Authenticate with vendor key' },
+                { cmd: 'lanonasis login --vendor-key <your-key>', desc: 'Authenticate with vendor key' },
                 { cmd: 'lanonasis health', desc: 'Verify system health' }
             ]
         },

package/dist/core/power-mode.js

@@ -293,7 +293,7 @@ export class PowerUserMode {
         const subCommand = args[0];
         switch (subCommand) {
             case 'keys':
-                console.log('API Keys: pk_xxx...xxx (active), pk_yyy...yyy (revoked)');
+                console.log('API Keys: vendor-key-1... (active), vendor-key-2... (revoked)');
                 break;
             case 'limits':
                 console.log('Rate Limits: 1000/hour (432 used)');

package/dist/core/welcome.js

@@ -296,7 +296,7 @@ export class InteractiveSetup {
                 message: 'Select authentication method:',
                 choices: [
                     {
-                        name: authBox('🔑 Vendor Key', 'Secure API access with pk_xxx.sk_xxx format', ['No expiration', 'Ideal for CI/CD', 'Full API access']),
+                        name: authBox('🔑 Vendor Key', 'Secure API access with long-lived credentials', ['No expiration', 'Ideal for CI/CD', 'Full API access']),
                         value: 'vendor',
                         short: 'Vendor Key'
                     },
@@ -327,32 +327,21 @@ export class InteractiveSetup {
         }
     }
     async authenticateWithVendorKey() {
-        const creds = await inquirer.prompt([
-            {
-                type: 'input',
-                name: 'publicKey',
-                message: 'Enter your Public Key (pk_xxx):',
-                validate: (input) => {
-                    if (!input.startsWith('pk_')) {
-                        return 'Public key must start with pk_';
-                    }
-                    return true;
-                }
-            },
+        const { vendorKey } = await inquirer.prompt([
             {
                 type: 'password',
-                name: 'secretKey',
-                message: 'Enter your Secret Key (sk_xxx):',
+                name: 'vendorKey',
+                message: 'Enter your vendor key:',
                 mask: '*',
                 validate: (input) => {
-                    if (!input.startsWith('sk_')) {
-                        return 'Secret key must start with sk_';
+                    if (!input || input.trim().length === 0) {
+                        return 'Vendor key is required';
                     }
                     return true;
                 }
             }
         ]);
-        void creds; // collected for future use when hooking real auth
+        void vendorKey; // collected for future use when hooking real auth
         const spinner = ora('Authenticating...').start();
         await this.simulateDelay(1000);
         spinner.succeed('Authentication successful!');

package/dist/index-simple.js

@@ -123,7 +123,7 @@ const showWelcome = () => {
     console.log();
     if (isOnasisInvocation) {
         console.log(colors.info('🔑 Golden Contract Authentication:'));
-        console.log(`  ${colors.success(`${cmdName} login --vendor-key pk_xxx.sk_xxx`)}  ${colors.muted('# Vendor key auth')}`);
+        console.log(`  ${colors.success(`${cmdName} login --vendor-key <your-key>`)}      ${colors.muted('# Vendor key auth')}`);
         console.log(`  ${colors.success(`${cmdName} login --oauth`)}                    ${colors.muted('# Browser OAuth')}`);
         console.log();
     }
@@ -175,11 +175,24 @@ const healthCheck = async () => {
     process.stdout.write('MCP Server status: ');
     try {
         const client = getMCPClient();
+        const status = client.getConnectionStatus();
+        const mcpPreference = await cliConfig.get('mcpPreference') || 'auto';
         if (client.isConnectedToServer()) {
             console.log(colors.success('✅ Connected'));
+            console.log(`  Mode: ${colors.highlight(status.mode)}`);
+            console.log(`  Server: ${colors.highlight(status.server || 'N/A')}`);
         }
         else {
             console.log(colors.warning('⚠️  Disconnected'));
+            console.log(`  Configured preference: ${colors.highlight(mcpPreference)}`);
+            if (mcpPreference === 'remote') {
+                const mcpUrl = cliConfig.getMCPServerUrl();
+                console.log(`  Remote server: ${colors.highlight(mcpUrl)}`);
+            }
+            else if (mcpPreference === 'local') {
+                const mcpPath = cliConfig.getMCPServerPath();
+                console.log(`  Local server: ${colors.highlight(mcpPath || 'Not configured')}`);
+            }
         }
     }
     catch (error) {
@@ -229,7 +242,7 @@ authCmd
     .description('Login to your MaaS account')
     .option('-e, --email <email>', 'email address')
     .option('-p, --password <password>', 'password')
-    .option('--vendor-key <key>', 'vendor key (pk_xxx.sk_xxx format)')
+    .option('--vendor-key <key>', 'vendor key (as provided in your dashboard)')
     .option('--oauth', 'use OAuth browser flow')
     .action(async (options) => {
     // Handle oauth flag
@@ -249,6 +262,8 @@ authCmd
     .command('status')
     .description('Show authentication status')
     .action(async () => {
+    // Initialize config first
+    await cliConfig.init();
     const isAuth = await cliConfig.isAuthenticated();
     const user = await cliConfig.getCurrentUser();
     const failureCount = cliConfig.getFailureCount();
@@ -523,6 +538,8 @@ program
     .command('status')
     .description('Show overall system status')
     .action(async () => {
+    // Initialize config first
+    await cliConfig.init();
     const isAuth = await cliConfig.isAuthenticated();
     const apiUrl = cliConfig.getApiUrl();
     console.log(chalk.blue.bold('MaaS CLI Status'));

package/dist/index.js

@@ -270,6 +270,47 @@ const memoryCmd = program
 requireAuth(memoryCmd);
 memoryCommands(memoryCmd);
 // Note: Memory commands are now MCP-powered when available
+// REPL command (lightweight REPL for memory operations)
+program
+    .command('repl')
+    .description('Start lightweight REPL session for memory operations')
+    .option('--mcp', 'Use MCP mode')
+    .option('--api <url>', 'Override API URL')
+    .option('--token <token>', 'Authentication token')
+    .action(async (options) => {
+    try {
+        // Try to use the REPL package if available
+        const { spawn } = await import('child_process');
+        const { fileURLToPath } = await import('url');
+        const { dirname, join } = await import('path');
+        // Try to find the REPL package
+        const replPath = join(process.cwd(), 'packages', 'repl-cli', 'dist', 'index.js');
+        const args = ['start'];
+        if (options.mcp)
+            args.push('--mcp');
+        if (options.api)
+            args.push('--api', options.api);
+        if (options.token)
+            args.push('--token', options.token);
+        const repl = spawn('node', [replPath, ...args], {
+            stdio: 'inherit',
+            cwd: process.cwd()
+        });
+        repl.on('error', (err) => {
+            console.error(colors.error('Failed to start REPL:'), err.message);
+            console.log(colors.muted('Make sure the REPL package is built: cd packages/repl-cli && bun run build'));
+            process.exit(1);
+        });
+        repl.on('exit', (code) => {
+            process.exit(code || 0);
+        });
+    }
+    catch (error) {
+        console.error(colors.error('Failed to start REPL:'), error instanceof Error ? error.message : String(error));
+        console.log(colors.muted('Install the REPL package: cd packages/repl-cli && bun install && bun run build'));
+        process.exit(1);
+    }
+});
 // Topic commands (require auth)
 const topicCmd = program
     .command('topic')

package/dist/mcp/schemas/tool-schemas.d.ts

@@ -202,13 +202,13 @@ export declare const SystemConfigSchema: z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
     value?: any;
     action?: "get" | "set" | "reset";
-    key?: string;
     scope?: "user" | "global";
+    key?: string;
 }, {
     value?: any;
     action?: "get" | "set" | "reset";
-    key?: string;
     scope?: "user" | "global";
+    key?: string;
 }>;
 export declare const BulkOperationSchema: z.ZodObject<{
     operation: z.ZodEnum<["create", "update", "delete"]>;
@@ -580,13 +580,13 @@ export declare const MCPSchemas: {
         }, "strip", z.ZodTypeAny, {
             value?: any;
             action?: "get" | "set" | "reset";
-            key?: string;
             scope?: "user" | "global";
+            key?: string;
         }, {
             value?: any;
             action?: "get" | "set" | "reset";
-            key?: string;
             scope?: "user" | "global";
+            key?: string;
         }>;
     };
     operations: {

package/dist/utils/api.js

@@ -27,7 +27,7 @@ export class APIClient {
             const token = this.config.getToken();
             const vendorKey = this.config.getVendorKey();
             if (vendorKey) {
-                // Vendor key authentication (pk_*.sk_* format)
+                // Vendor key authentication (validated server-side)
                 config.headers['X-API-Key'] = vendorKey;
                 config.headers['X-Auth-Method'] = 'vendor_key';
             }

package/dist/utils/config.js

@@ -354,55 +354,25 @@ export class CLIConfig {
     }
     // Enhanced authentication support
     async setVendorKey(vendorKey) {
-        // Enhanced format validation with detailed error messages
-        const formatValidation = this.validateVendorKeyFormat(vendorKey);
+        const trimmedKey = typeof vendorKey === 'string' ? vendorKey.trim() : '';
+        // Minimal format validation (non-empty); rely on server-side checks for everything else
+        const formatValidation = this.validateVendorKeyFormat(trimmedKey);
         if (formatValidation !== true) {
-            throw new Error(typeof formatValidation === 'string' ? formatValidation : 'Invalid vendor key format');
+            throw new Error(typeof formatValidation === 'string' ? formatValidation : 'Vendor key is invalid');
         }
         // Server-side validation
-        await this.validateVendorKeyWithServer(vendorKey);
-        this.config.vendorKey = vendorKey;
+        await this.validateVendorKeyWithServer(trimmedKey);
+        this.config.vendorKey = trimmedKey;
         this.config.authMethod = 'vendor_key';
         this.config.lastValidated = new Date().toISOString();
         await this.resetFailureCount(); // Reset failure count on successful auth
         await this.save();
     }
     validateVendorKeyFormat(vendorKey) {
-        if (!vendorKey || vendorKey.trim().length === 0) {
+        const trimmed = typeof vendorKey === 'string' ? vendorKey.trim() : '';
+        if (!trimmed) {
             return 'Vendor key is required';
         }
-        const trimmed = vendorKey.trim();
-        // Check basic format
-        if (!trimmed.includes('.')) {
-            return 'Invalid vendor key format: Must contain a dot (.) separator. Expected format: pk_xxx.sk_xxx';
-        }
-        const parts = trimmed.split('.');
-        if (parts.length !== 2) {
-            return 'Invalid vendor key format: Must have exactly two parts separated by a dot. Expected format: pk_xxx.sk_xxx';
-        }
-        const [publicPart, secretPart] = parts;
-        // Validate public key part
-        if (!publicPart.startsWith('pk_')) {
-            return 'Invalid vendor key format: First part must start with "pk_". Expected format: pk_xxx.sk_xxx';
-        }
-        if (publicPart.length < 11) { // pk_ + minimum 8 chars
-            return 'Invalid vendor key format: Public key part is too short. Expected format: pk_xxx.sk_xxx (minimum 8 characters after "pk_")';
-        }
-        const publicKeyContent = publicPart.substring(3); // Remove 'pk_'
-        if (!/^[a-zA-Z0-9]+$/.test(publicKeyContent)) {
-            return 'Invalid vendor key format: Public key part contains invalid characters. Only letters and numbers are allowed after "pk_"';
-        }
-        // Validate secret key part
-        if (!secretPart.startsWith('sk_')) {
-            return 'Invalid vendor key format: Second part must start with "sk_". Expected format: pk_xxx.sk_xxx';
-        }
-        if (secretPart.length < 19) { // sk_ + minimum 16 chars
-            return 'Invalid vendor key format: Secret key part is too short. Expected format: pk_xxx.sk_xxx (minimum 16 characters after "sk_")';
-        }
-        const secretKeyContent = secretPart.substring(3); // Remove 'sk_'
-        if (!/^[a-zA-Z0-9]+$/.test(secretKeyContent)) {
-            return 'Invalid vendor key format: Secret key part contains invalid characters. Only letters and numbers are allowed after "sk_"';
-        }
         return true;
     }
     async validateVendorKeyWithServer(vendorKey) {
@@ -576,7 +546,17 @@ export class CLIConfig {
             this.authCheckCache = { isValid: false, timestamp: Date.now() };
             return false;
         }
-        // Verify with server (security check)
+        // Token is locally valid - check if we need server validation
+        // Skip server validation if we have a recent lastValidated timestamp (within 24 hours)
+        const lastValidated = this.config.lastValidated;
+        const skipServerValidation = lastValidated &&
+            (Date.now() - new Date(lastValidated).getTime()) < (24 * 60 * 60 * 1000); // 24 hours
+        if (skipServerValidation) {
+            // Trust the local validation if it was recently validated
+            this.authCheckCache = { isValid: locallyValid, timestamp: Date.now() };
+            return locallyValid;
+        }
+        // Verify with server (security check) for tokens that haven't been validated recently
         try {
             const axios = (await import('axios')).default;
             // Try auth-gateway first (port 4000), then fall back to Netlify function
@@ -599,16 +579,29 @@ export class CLIConfig {
                 }
             }
             if (!response || response.data.valid !== true) {
+                // Server says invalid - but if locally valid and recent, trust local
+                if (locallyValid) {
+                    if (process.env.CLI_VERBOSE === 'true') {
+                        console.warn('⚠️  Server validation failed, but token is locally valid - using local validation');
+                    }
+                    this.authCheckCache = { isValid: locallyValid, timestamp: Date.now() };
+                    return locallyValid;
+                }
                 this.authCheckCache = { isValid: false, timestamp: Date.now() };
                 return false;
             }
+            // Update lastValidated on successful server validation
+            this.config.lastValidated = new Date().toISOString();
+            await this.save().catch(() => { }); // Don't fail auth check if save fails
             this.authCheckCache = { isValid: true, timestamp: Date.now() };
             return true;
         }
         catch {
             // If all server checks fail, fall back to local validation
             // This allows offline usage but is less secure
-            console.warn('⚠️  Unable to verify token with server, using local validation');
+            if (process.env.CLI_VERBOSE === 'true') {
+                console.warn('⚠️  Unable to verify token with server, using local validation');
+            }
             this.authCheckCache = { isValid: locallyValid, timestamp: Date.now() };
             return locallyValid;
         }

package/dist/utils/mcp-client.d.ts

@@ -110,10 +110,6 @@ export declare class MCPClient {
      * Validate authentication credentials before attempting MCP connection
      */
     private validateAuthBeforeConnect;
-    /**
-     * Validate vendor key format
-     */
-    private validateVendorKeyFormat;
     /**
      * Validate and refresh token if needed
      */

package/dist/utils/mcp-client.js

@@ -245,11 +245,10 @@ export class MCPClient {
         const msg = error?.message ?? '';
         if (msg.includes('AUTHENTICATION_REQUIRED')) {
             console.log(chalk.cyan('• No credentials found. Run: lanonasis auth login'));
-            console.log(chalk.cyan('• Or set vendor key: lanonasis auth login --vendor-key pk_xxx.sk_xxx'));
+            console.log(chalk.cyan('• Or set a vendor key: lanonasis auth login --vendor-key <your-key>'));
         }
         else if (msg.includes('AUTHENTICATION_INVALID')) {
-            console.log(chalk.cyan('• Invalid credentials. Check your vendor key format'));
-            console.log(chalk.cyan('• Expected format: pk_xxx.sk_xxx'));
+            console.log(chalk.cyan('• Invalid credentials. Confirm the vendor key matches your dashboard value'));
             console.log(chalk.cyan('• Try: lanonasis auth logout && lanonasis auth login'));
         }
         else if (msg.includes('expired')) {
@@ -259,7 +258,7 @@ export class MCPClient {
         else {
             console.log(chalk.cyan('• Check authentication status: lanonasis auth status'));
             console.log(chalk.cyan('• Re-authenticate: lanonasis auth login'));
-            console.log(chalk.cyan('• Verify vendor key: lanonasis auth login --vendor-key pk_xxx.sk_xxx'));
+            console.log(chalk.cyan('• Verify vendor key: lanonasis auth login --vendor-key <your-key>'));
         }
     }
     /**
@@ -331,21 +330,14 @@ export class MCPClient {
                 throw new Error(`AUTHENTICATION_INVALID: ${error instanceof Error ? error.message : 'Token validation failed'}`);
             }
         }
-        // If we have a vendor key, validate its format
+        // If we have a vendor key, ensure it is valid (non-empty)
         if (vendorKey && !token) {
-            if (!this.validateVendorKeyFormat(vendorKey)) {
-                throw new Error('AUTHENTICATION_INVALID: Invalid vendor key format. Expected format: pk_xxx.sk_xxx');
+            const validationResult = this.config.validateVendorKeyFormat(vendorKey);
+            if (validationResult !== true) {
+                throw new Error(`AUTHENTICATION_INVALID: ${typeof validationResult === 'string' ? validationResult : 'Vendor key is invalid'}`);
             }
         }
     }
-    /**
-     * Validate vendor key format
-     */
-    validateVendorKeyFormat(vendorKey) {
-        // Vendor key should be in format: pk_xxx.sk_xxx
-        const vendorKeyPattern = /^pk_[a-zA-Z0-9]+\.sk_[a-zA-Z0-9]+$/;
-        return vendorKeyPattern.test(vendorKey);
-    }
     /**
      * Validate and refresh token if needed
      */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lanonasis/cli",
-  "version": "3.5.15",
+  "version": "3.6.0",
   "description": "LanOnasis Enterprise CLI - Memory as a Service, API Key Management, and Infrastructure Orchestration",
   "main": "dist/index-simple.js",
   "bin": {
@@ -99,4 +99,4 @@
   "engines": {
     "node": ">=18.0.0"
   }
-}
+}