@lanonasis/cli 3.6.7 → 3.7.1

package/README.md

@@ -1,4 +1,4 @@
-# @lanonasis/cli v3.4.15 - Enhanced MCP & Interactive CLI Experience
+# @lanonasis/cli v3.7.0 - Enterprise Security & MCP Experience
 
 [![NPM Version](https://img.shields.io/npm/v/@lanonasis/cli)](https://www.npmjs.com/package/@lanonasis/cli)
 [![Downloads](https://img.shields.io/npm/dt/@lanonasis/cli)](https://www.npmjs.com/package/@lanonasis/cli)
@@ -53,7 +53,24 @@ memory list
 maas memory list
 ```
 
-## 🔐 Authentication Methods
+## 🔐 Security & Authentication
+
+### Enterprise-Grade SHA-256 Security (v3.7.0+)
+
+All API keys are now secured with SHA-256 cryptographic hashing:
+
+- ✅ **Automatic Hash Normalization**: Keys are automatically hashed before transmission
+- ✅ **Double-Hash Prevention**: Smart detection prevents re-hashing already hashed keys
+- ✅ **Cross-Platform Compatibility**: Works seamlessly across Node.js and browser environments
+- ✅ **Zero Configuration**: Security is automatic and transparent
+
+```typescript
+// Hash utilities are built-in and automatic
+// Your vendor keys are automatically secured
+onasis login --vendor-key pk_xxxxx.sk_xxxxx  // ✅ Automatically hashed
+```
+
+### Authentication Methods
 
 ### 1. Vendor Key Authentication (Recommended)
 

package/dist/commands/auth.js

@@ -5,6 +5,7 @@ import open from 'open';
 import crypto from 'crypto';
 import http from 'http';
 import url from 'url';
+import axios from 'axios';
 import { apiClient } from '../utils/api.js';
 import { CLIConfig } from '../utils/config.js';
 // Color scheme
@@ -242,16 +243,40 @@ function createCallbackServer(port = 8888) {
 /**
  * Exchange authorization code for OAuth2 tokens
  */
-async function exchangeCodeForTokens(code, verifier, authBase) {
+async function exchangeCodeForTokens(code, verifier, authBase, redirectUri) {
     const tokenEndpoint = `${authBase}/oauth/token`;
-    const response = await apiClient.post(tokenEndpoint, {
-        grant_type: 'authorization_code',
-        code,
-        code_verifier: verifier,
-        client_id: 'lanonasis-cli',
-        redirect_uri: 'http://localhost:8888/callback'
-    });
-    return response;
+    try {
+        // Use axios directly to have full control over error handling
+        const response = await axios.post(tokenEndpoint, {
+            grant_type: 'authorization_code',
+            code,
+            code_verifier: verifier,
+            client_id: 'lanonasis-cli',
+            redirect_uri: redirectUri
+        }, {
+            headers: {
+                'Content-Type': 'application/json',
+            }
+        });
+        return response.data;
+    }
+    catch (error) {
+        // Extract detailed error information from axios error response
+        if (error.response) {
+            const errorData = error.response.data || {};
+            const status = error.response.status;
+            const errorMessage = errorData.error_description || errorData.error || error.message || `Request failed with status code ${status}`;
+            const details = errorData.details;
+            const enhancedError = new Error(errorMessage);
+            enhancedError.response = error.response;
+            enhancedError.status = status;
+            enhancedError.details = details;
+            enhancedError.errorData = errorData;
+            throw enhancedError;
+        }
+        // If it's not an axios error, just rethrow
+        throw error;
+    }
 }
 /**
  * Refresh OAuth2 access token using refresh token
@@ -618,10 +643,11 @@ async function handleOAuthFlow(config) {
         console.log(chalk.gray(`   ✓ Started local callback server on port ${callbackPort}`));
         // Build OAuth2 authorization URL
         const authBase = config.getDiscoveredApiUrl();
+        const redirectUri = `http://localhost:${callbackPort}/callback`;
         const authUrl = new URL(`${authBase}/oauth/authorize`);
         authUrl.searchParams.set('response_type', 'code');
         authUrl.searchParams.set('client_id', 'lanonasis-cli');
-        authUrl.searchParams.set('redirect_uri', `http://localhost:${callbackPort}/callback`);
+        authUrl.searchParams.set('redirect_uri', redirectUri);
         authUrl.searchParams.set('scope', 'read write offline_access');
         authUrl.searchParams.set('code_challenge', pkce.challenge);
         authUrl.searchParams.set('code_challenge_method', 'S256');
@@ -639,7 +665,14 @@ async function handleOAuthFlow(config) {
         // Exchange code for tokens
         spinner.text = 'Exchanging code for access tokens...';
         spinner.start();
-        const tokens = await exchangeCodeForTokens(code, pkce.verifier, authBase);
+        // Debug logging in verbose mode
+        if (process.env.CLI_VERBOSE === 'true') {
+            console.log(chalk.dim(`   Code length: ${code.length}`));
+            console.log(chalk.dim(`   Verifier length: ${pkce.verifier.length}`));
+            console.log(chalk.dim(`   Redirect URI: ${redirectUri}`));
+            console.log(chalk.dim(`   Token endpoint: ${authBase}/oauth/token`));
+        }
+        const tokens = await exchangeCodeForTokens(code, pkce.verifier, authBase, redirectUri);
         spinner.succeed('Access tokens received');
         // Store tokens
         await config.setToken(tokens.access_token);
@@ -653,8 +686,49 @@ async function handleOAuthFlow(config) {
     }
     catch (error) {
         console.error(chalk.red('✖ OAuth2 authentication failed'));
+        // Display detailed error information
         const errorMessage = error instanceof Error ? error.message : 'Unknown error';
         console.error(chalk.gray(`   ${errorMessage}`));
+        // Show validation details if available
+        if (error.details) {
+            console.error(chalk.yellow('\n   Validation errors:'));
+            for (const [field, messages] of Object.entries(error.details)) {
+                const msgArray = Array.isArray(messages) ? messages : [messages];
+                msgArray.forEach((msg) => {
+                    console.error(chalk.gray(`     • ${field}: ${msg}`));
+                });
+            }
+        }
+        // Show error data if available
+        if (error.errorData) {
+            const errorData = error.errorData;
+            if (errorData.error) {
+                console.error(chalk.yellow(`\n   Error: ${errorData.error}`));
+            }
+            if (errorData.error_description) {
+                console.error(chalk.gray(`   ${errorData.error_description}`));
+            }
+            // Show details if not already shown above
+            if (!error.details && errorData.details) {
+                console.error(chalk.yellow('\n   Details:'));
+                console.error(chalk.gray(JSON.stringify(errorData.details, null, 2)));
+            }
+        }
+        // Show full error response in verbose mode
+        if (process.env.CLI_VERBOSE === 'true') {
+            if (error.response?.data) {
+                console.error(chalk.dim('\n   Full error response:'));
+                console.error(chalk.dim(JSON.stringify(error.response.data, null, 2)));
+            }
+            if (error.response?.config) {
+                console.error(chalk.dim('\n   Request config:'));
+                console.error(chalk.dim(JSON.stringify({
+                    url: error.response.config.url,
+                    method: error.response.config.method,
+                    data: error.response.config.data
+                }, null, 2)));
+            }
+        }
         process.exit(1);
     }
 }

package/dist/commands/mcp.js

@@ -178,6 +178,50 @@ export function mcpCommands(program) {
         // Reload config from disk to get latest preference
         await client.init();
         const status = client.getConnectionStatus();
+        // Also perform a lightweight live health check against the MCP HTTP endpoint
+        const config = new CLIConfig();
+        await config.init();
+        let healthLabel = chalk.gray('Unknown');
+        let healthDetails;
+        try {
+            const axios = (await import('axios')).default;
+            // Derive MCP health URL from discovered REST base (e.g. https://mcp.lanonasis.com/api/v1 -> https://mcp.lanonasis.com/health)
+            const restUrl = config.getMCPRestUrl();
+            const rootBase = restUrl.replace(/\/api\/v1$/, '');
+            const healthUrl = `${rootBase}/health`;
+            const token = config.getToken();
+            const vendorKey = config.getVendorKey();
+            const headers = {};
+            if (vendorKey) {
+                headers['X-API-Key'] = vendorKey;
+                headers['X-Auth-Method'] = 'vendor_key';
+            }
+            else if (token) {
+                headers['Authorization'] = `Bearer ${token}`;
+                headers['X-Auth-Method'] = 'jwt';
+            }
+            const response = await axios.get(healthUrl, {
+                headers,
+                timeout: 5000
+            });
+            const overallStatus = String(response.data?.status ?? '').toLowerCase();
+            const ok = response.status === 200 && (!overallStatus || overallStatus === 'healthy');
+            if (ok) {
+                healthLabel = chalk.green('Reachable');
+            }
+            else {
+                healthLabel = chalk.yellow('Degraded');
+            }
+        }
+        catch (error) {
+            healthLabel = chalk.red('Unreachable');
+            if (error instanceof Error) {
+                healthDetails = error.message;
+            }
+            else if (error !== null && error !== undefined) {
+                healthDetails = String(error);
+            }
+        }
         console.log(chalk.cyan('\n📊 MCP Connection Status'));
         console.log(chalk.cyan('========================'));
         console.log(`Status: ${status.connected ? chalk.green('Connected') : chalk.red('Disconnected')}`);
@@ -198,6 +242,10 @@ export function mcpCommands(program) {
         }
         console.log(`Mode: ${modeDisplay}`);
         console.log(`Server: ${status.server}`);
+        console.log(`Health: ${healthLabel}`);
+        if (healthDetails && process.env.CLI_VERBOSE === 'true') {
+            console.log(chalk.gray(`Health details: ${healthDetails}`));
+        }
         if (status.connected) {
             if (status.mode === 'remote') {
                 console.log(`\n${chalk.cyan('Features:')}`);

package/dist/index.js

@@ -283,9 +283,68 @@ program
         // Try to use the REPL package if available
         const { spawn } = await import('child_process');
         const { fileURLToPath } = await import('url');
-        const { dirname, join } = await import('path');
-        // Try to find the REPL package
-        const replPath = join(process.cwd(), 'packages', 'repl-cli', 'dist', 'index.js');
+        const { dirname, join, resolve } = await import('path');
+        const { existsSync } = await import('fs');
+        const moduleLib = (await import('module')).default;
+        const cliDir = dirname(fileURLToPath(import.meta.url));
+        const cliRoot = resolve(cliDir, '..');
+        const searchPaths = [process.cwd(), cliDir, cliRoot];
+        const attempted = [];
+        let replPath = null;
+        const addCandidate = (candidate) => {
+            if (!candidate)
+                return;
+            const normalized = resolve(candidate);
+            if (attempted.includes(normalized))
+                return;
+            attempted.push(normalized);
+            if (!replPath && existsSync(normalized)) {
+                replPath = normalized;
+            }
+        };
+        const resolveRepl = () => {
+            try {
+                return require.resolve('@lanonasis/repl-cli/dist/index.js', { paths: searchPaths });
+            }
+            catch {
+                // ignore resolution errors
+            }
+            try {
+                const pkgPath = require.resolve('@lanonasis/repl-cli/package.json', { paths: searchPaths });
+                return join(dirname(pkgPath), 'dist', 'index.js');
+            }
+            catch {
+                return null;
+            }
+        };
+        // Prefer Node resolution (local dependency or workspace)
+        addCandidate(resolveRepl());
+        // Monorepo layouts (compiled or running from dist)
+        addCandidate(join(cliRoot, '..', 'packages', 'repl-cli', 'dist', 'index.js'));
+        addCandidate(join(cliRoot, '..', '..', 'packages', 'repl-cli', 'dist', 'index.js'));
+        addCandidate(join(process.cwd(), 'apps', 'lanonasis-maas', 'packages', 'repl-cli', 'dist', 'index.js'));
+        addCandidate(join(process.cwd(), 'packages', 'repl-cli', 'dist', 'index.js'));
+        addCandidate(join(process.cwd(), 'dist', 'index.js'));
+        addCandidate(join(process.cwd(), '..', 'dist', 'index.js'));
+        // Project/local node_modules
+        for (const base of searchPaths) {
+            addCandidate(join(base, 'node_modules', '@lanonasis', 'repl-cli', 'dist', 'index.js'));
+        }
+        // Global node_modules locations
+        const globalPaths = Array.isArray(moduleLib?.globalPaths) ? moduleLib.globalPaths : [];
+        for (const globalPath of globalPaths) {
+            addCandidate(join(globalPath, '@lanonasis', 'repl-cli', 'dist', 'index.js'));
+        }
+        if (!replPath) {
+            console.error(colors.error('REPL package not found.'));
+            console.log(colors.muted('Searched locations:'));
+            attempted.forEach(c => console.log(colors.muted(`  - ${c}`)));
+            console.log(colors.info('\n💡 Options:'));
+            console.log(colors.info('  1. Run from monorepo root: cd /path/to/lan-onasis-monorepo && onasis repl'));
+            console.log(colors.info('  2. Use direct command: cd apps/lanonasis-maas/packages/repl-cli && node dist/index.js start'));
+            console.log(colors.info('  3. Install globally: npm install -g @lanonasis/repl-cli && onasis-repl start'));
+            process.exit(1);
+        }
         const args = ['start'];
         if (options.mcp)
             args.push('--mcp');
@@ -295,11 +354,11 @@ program
             args.push('--token', options.token);
         const repl = spawn('node', [replPath, ...args], {
             stdio: 'inherit',
-            cwd: process.cwd()
+            cwd: dirname(replPath)
         });
         repl.on('error', (err) => {
             console.error(colors.error('Failed to start REPL:'), err.message);
-            console.log(colors.muted('Make sure the REPL package is built: cd packages/repl-cli && bun run build'));
+            console.log(colors.muted(`Make sure the REPL package is built: cd ${dirname(replPath)} && bun run build`));
             process.exit(1);
         });
         repl.on('exit', (code) => {
@@ -308,7 +367,7 @@ program
     }
     catch (error) {
         console.error(colors.error('Failed to start REPL:'), error instanceof Error ? error.message : String(error));
-        console.log(colors.muted('Install the REPL package: cd packages/repl-cli && bun install && bun run build'));
+        console.log(colors.muted('Install the REPL package: cd apps/lanonasis-maas/packages/repl-cli && bun install && bun run build'));
         process.exit(1);
     }
 });

package/dist/mcp/client/enhanced-client.js

@@ -128,11 +128,7 @@ export class EnhancedMCPClient extends EventEmitter {
             name: `lanonasis-cli-${config.name}`,
             version: '3.0.1'
         }, {
-            capabilities: {
-                tools: {},
-                resources: {},
-                prompts: {}
-            }
+            capabilities: {}
         });
         await client.connect(transport);
         return client;

package/dist/mcp/schemas/tool-schemas.d.ts

@@ -202,13 +202,13 @@ export declare const SystemConfigSchema: z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
     value?: any;
     action?: "get" | "set" | "reset";
-    scope?: "user" | "global";
     key?: string;
+    scope?: "user" | "global";
 }, {
     value?: any;
     action?: "get" | "set" | "reset";
-    scope?: "user" | "global";
     key?: string;
+    scope?: "user" | "global";
 }>;
 export declare const BulkOperationSchema: z.ZodObject<{
     operation: z.ZodEnum<["create", "update", "delete"]>;
@@ -580,13 +580,13 @@ export declare const MCPSchemas: {
         }, "strip", z.ZodTypeAny, {
             value?: any;
             action?: "get" | "set" | "reset";
-            scope?: "user" | "global";
             key?: string;
+            scope?: "user" | "global";
         }, {
             value?: any;
             action?: "get" | "set" | "reset";
-            scope?: "user" | "global";
             key?: string;
+            scope?: "user" | "global";
         }>;
     };
     operations: {

package/dist/utils/api.js

@@ -2,6 +2,7 @@ import axios from 'axios';
 import chalk from 'chalk';
 import { randomUUID } from 'crypto';
 import { CLIConfig } from './config.js';
+import { ensureApiKeyHash } from './hash-utils.js';
 export class APIClient {
     client;
     config;
@@ -30,7 +31,7 @@ export class APIClient {
             const vendorKey = this.config.getVendorKey();
             if (vendorKey) {
                 // Vendor key authentication (validated server-side)
-                config.headers['X-API-Key'] = vendorKey;
+                config.headers['X-API-Key'] = ensureApiKeyHash(vendorKey);
                 config.headers['X-Auth-Method'] = 'vendor_key';
             }
             else if (token) {

package/dist/utils/config.d.ts

@@ -42,6 +42,7 @@ export declare class CLIConfig {
     private static readonly CONFIG_VERSION;
     private authCheckCache;
     private readonly AUTH_CACHE_TTL;
+    private apiKeyStorage;
     constructor();
     /**
      * Overrides the configuration storage directory. Primarily used for tests.
@@ -74,6 +75,15 @@ export declare class CLIConfig {
     validateVendorKeyFormat(vendorKey: string): string | boolean;
     private validateVendorKeyWithServer;
     getVendorKey(): string | undefined;
+    /**
+     * Synchronous wrapper for async retrieve operation
+     * Note: ApiKeyStorage.retrieve() is async but we need sync for existing code
+     */
+    private getVendorKeySync;
+    /**
+     * Async method to get vendor key from secure storage
+     */
+    getVendorKeyAsync(): Promise<string | undefined>;
     hasVendorKey(): boolean;
     setApiUrl(url: string): Promise<void>;
     setToken(token: string): Promise<void>;

package/dist/utils/config.js

@@ -3,6 +3,7 @@ import * as path from 'path';
 import * as os from 'os';
 import { jwtDecode } from 'jwt-decode';
 import { randomUUID } from 'crypto';
+import { ApiKeyStorage } from '@lanonasis/oauth-client';
 export class CLIConfig {
     configDir;
     configPath;
@@ -11,10 +12,13 @@ export class CLIConfig {
     static CONFIG_VERSION = '1.0.0';
     authCheckCache = null;
     AUTH_CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+    apiKeyStorage;
     constructor() {
         this.configDir = path.join(os.homedir(), '.maas');
         this.configPath = path.join(this.configDir, 'config.json');
         this.lockFile = path.join(this.configDir, 'config.lock');
+        // Initialize secure storage for vendor keys using oauth-client's ApiKeyStorage
+        this.apiKeyStorage = new ApiKeyStorage();
     }
     /**
      * Overrides the configuration storage directory. Primarily used for tests.
@@ -169,6 +173,20 @@ export class CLIConfig {
     }
     // Enhanced Service Discovery Integration
     async discoverServices(verbose = false) {
+        // Skip service discovery in test environment
+        if (process.env.NODE_ENV === 'test' || process.env.SKIP_SERVICE_DISCOVERY === 'true') {
+            if (!this.config.discoveredServices) {
+                this.config.discoveredServices = {
+                    auth_base: 'https://auth.lanonasis.com',
+                    memory_base: 'https://mcp.lanonasis.com/api/v1',
+                    mcp_base: 'https://mcp.lanonasis.com/api/v1',
+                    mcp_ws_base: 'wss://mcp.lanonasis.com/ws',
+                    mcp_sse_base: 'https://mcp.lanonasis.com/api/v1/events',
+                    project_scope: 'lanonasis-maas'
+                };
+            }
+            return;
+        }
         const discoveryUrl = 'https://mcp.lanonasis.com/.well-known/onasis.json';
         try {
             // Use axios instead of fetch for consistency
@@ -403,7 +421,21 @@ export class CLIConfig {
         }
         // Server-side validation
         await this.validateVendorKeyWithServer(trimmedKey);
-        this.config.vendorKey = trimmedKey;
+        // Initialize and store using ApiKeyStorage from @lanonasis/oauth-client
+        // This handles encryption automatically (AES-256-GCM with machine-derived key)
+        await this.apiKeyStorage.initialize();
+        await this.apiKeyStorage.store({
+            apiKey: trimmedKey,
+            organizationId: this.config.user?.organization_id,
+            userId: this.config.user?.email,
+            environment: process.env.NODE_ENV || 'production',
+            createdAt: new Date().toISOString()
+        });
+        if (process.env.CLI_VERBOSE === 'true') {
+            console.log('🔐 Vendor key stored securely via @lanonasis/oauth-client');
+        }
+        // Store a reference marker in config (not the actual key)
+        this.config.vendorKey = 'stored_in_api_key_storage';
         this.config.authMethod = 'vendor_key';
         this.config.lastValidated = new Date().toISOString();
         await this.resetFailureCount(); // Reset failure count on successful auth
@@ -423,11 +455,45 @@ export class CLIConfig {
             // Ensure service discovery is done
             await this.discoverServices();
             const authBase = this.config.discoveredServices?.auth_base || 'https://auth.lanonasis.com';
-            await this.pingAuthHealth(axios, authBase, {
-                'X-API-Key': vendorKey,
-                'X-Auth-Method': 'vendor_key',
-                'X-Project-Scope': 'lanonasis-maas'
-            }, { timeout: 10000, proxy: false });
+            const normalizedBase = authBase.replace(/\/$/, '');
+            // Try multiple validation endpoints
+            const validationEndpoints = [
+                `${normalizedBase}/api/v1/auth/validate`,
+                `${normalizedBase}/api/v1/auth/validate-vendor-key`,
+                `${normalizedBase}/v1/auth/validate`
+            ];
+            let lastError;
+            let validated = false;
+            for (const endpoint of validationEndpoints) {
+                try {
+                    const response = await axios.post(endpoint, { key: vendorKey }, {
+                        headers: {
+                            'X-API-Key': vendorKey,
+                            'X-Auth-Method': 'vendor_key',
+                            'X-Project-Scope': 'lanonasis-maas',
+                            'Content-Type': 'application/json'
+                        },
+                        timeout: 10000,
+                        proxy: false
+                    });
+                    // Check if response indicates validation success
+                    if (response.data && (response.data.valid === true || response.data.success === true)) {
+                        validated = true;
+                        break;
+                    }
+                }
+                catch (error) {
+                    lastError = error;
+                    // Continue to next endpoint if this one fails
+                    continue;
+                }
+            }
+            if (!validated && lastError) {
+                throw lastError;
+            }
+            else if (!validated) {
+                throw new Error('Vendor key validation failed: Unable to validate key with server');
+            }
         }
         catch (error) {
             // Provide specific error messages based on response
@@ -473,9 +539,59 @@ export class CLIConfig {
         }
     }
     getVendorKey() {
-        return this.config.vendorKey;
+        try {
+            // Retrieve from secure storage using ApiKeyStorage (synchronous wrapper)
+            const stored = this.getVendorKeySync();
+            return stored;
+        }
+        catch (error) {
+            if (process.env.CLI_VERBOSE === 'true') {
+                console.error('⚠️  Failed to load vendor key from secure storage:', error);
+            }
+            return undefined;
+        }
+    }
+    /**
+     * Synchronous wrapper for async retrieve operation
+     * Note: ApiKeyStorage.retrieve() is async but we need sync for existing code
+     */
+    getVendorKeySync() {
+        // For now, check legacy storage. We'll update callers to use async later
+        if (this.config.vendorKey && this.config.vendorKey !== 'stored_in_api_key_storage') {
+            if (process.env.CLI_VERBOSE === 'true') {
+                console.log('ℹ️  Using legacy vendor key storage');
+            }
+            return this.config.vendorKey;
+        }
+        return undefined;
+    }
+    /**
+     * Async method to get vendor key from secure storage
+     */
+    async getVendorKeyAsync() {
+        try {
+            await this.apiKeyStorage.initialize();
+            const stored = await this.apiKeyStorage.retrieve();
+            if (stored) {
+                return stored.apiKey;
+            }
+        }
+        catch (error) {
+            if (process.env.CLI_VERBOSE === 'true') {
+                console.error('⚠️  Failed to retrieve vendor key:', error);
+            }
+        }
+        // Fallback: check for legacy plaintext storage in config
+        if (this.config.vendorKey && this.config.vendorKey !== 'stored_in_api_key_storage') {
+            if (process.env.CLI_VERBOSE === 'true') {
+                console.log('ℹ️  Found legacy plaintext vendor key, will migrate on next auth');
+            }
+            return this.config.vendorKey;
+        }
+        return undefined;
     }
     hasVendorKey() {
+        // Check for marker or legacy storage
         return !!this.config.vendorKey;
     }
     async setApiUrl(url) {
@@ -517,6 +633,30 @@ export class CLIConfig {
         return this.config.user;
     }
     async isAuthenticated() {
+        // Check if using vendor key authentication
+        if (this.config.authMethod === 'vendor_key') {
+            const vendorKey = this.getVendorKey();
+            if (!vendorKey)
+                return false;
+            // Check cache first
+            if (this.authCheckCache && (Date.now() - this.authCheckCache.timestamp) < this.AUTH_CACHE_TTL) {
+                return this.authCheckCache.isValid;
+            }
+            // Check if recently validated (within 24 hours)
+            const lastValidated = this.config.lastValidated;
+            const recentlyValidated = lastValidated &&
+                (Date.now() - new Date(lastValidated).getTime()) < (24 * 60 * 60 * 1000);
+            if (recentlyValidated) {
+                this.authCheckCache = { isValid: true, timestamp: Date.now() };
+                return true;
+            }
+            // For vendor keys, we trust that they were validated during setVendorKey()
+            // and rely on the lastValidated timestamp. For additional security,
+            // the server should revoke keys that are invalid.
+            this.authCheckCache = { isValid: true, timestamp: Date.now() };
+            return true;
+        }
+        // Handle token-based authentication
         const token = this.getToken();
         if (!token)
             return false;
@@ -601,27 +741,65 @@ export class CLIConfig {
                 'https://auth.lanonasis.com/v1/auth/verify-token'
             ];
             let response = null;
+            let networkError = false;
+            let authError = false;
             for (const endpoint of endpoints) {
                 try {
                     response = await axios.post(endpoint, { token }, { timeout: 3000 });
                     if (response.data.valid === true) {
                         break;
                     }
+                    // Server explicitly said invalid - this is an auth error, not network error
+                    if (response.status === 401 || response.status === 403 || response.data.valid === false) {
+                        authError = true;
+                    }
                 }
-                catch {
+                catch (error) {
+                    // Check if this is a network error (no response) vs auth error (got response)
+                    if (error.response) {
+                        // Got a response, likely 401/403
+                        authError = true;
+                    }
+                    else {
+                        // Network error (ECONNREFUSED, ETIMEDOUT, etc.)
+                        networkError = true;
+                    }
                     // Try next endpoint
                     continue;
                 }
             }
             if (!response || response.data.valid !== true) {
-                // Server says invalid - but if locally valid and recent, trust local
-                if (locallyValid) {
+                // If server explicitly rejected (auth error), don't trust local validation
+                if (authError) {
                     if (process.env.CLI_VERBOSE === 'true') {
-                        console.warn('⚠️  Server validation failed, but token is locally valid - using local validation');
+                        console.warn('⚠️  Server validation failed with authentication error - token is invalid');
+                    }
+                    this.authCheckCache = { isValid: false, timestamp: Date.now() };
+                    return false;
+                }
+                // If purely network error AND locally valid AND recently validated (within 7 days)
+                // allow offline usage with grace period
+                if (networkError && locallyValid) {
+                    const gracePeriod = 7 * 24 * 60 * 60 * 1000; // 7 days
+                    const lastValidated = this.config.lastValidated;
+                    const withinGracePeriod = lastValidated &&
+                        (Date.now() - new Date(lastValidated).getTime()) < gracePeriod;
+                    if (withinGracePeriod) {
+                        if (process.env.CLI_VERBOSE === 'true') {
+                            console.warn('⚠️  Unable to reach server, using cached validation (offline mode)');
+                        }
+                        this.authCheckCache = { isValid: true, timestamp: Date.now() };
+                        return true;
+                    }
+                    else {
+                        if (process.env.CLI_VERBOSE === 'true') {
+                            console.warn('⚠️  Token validation grace period expired, server validation required');
+                        }
+                        this.authCheckCache = { isValid: false, timestamp: Date.now() };
+                        return false;
                     }
-                    this.authCheckCache = { isValid: locallyValid, timestamp: Date.now() };
-                    return locallyValid;
                 }
+                // Default to invalid if we can't validate
                 this.authCheckCache = { isValid: false, timestamp: Date.now() };
                 return false;
             }

package/dist/utils/crypto-utils.d.ts

@@ -0,0 +1,76 @@
+/**
+ * Cryptographic utilities for secure credential storage
+ *
+ * Security Model:
+ * - API Keys: Hashed with SHA-256 (one-way, server compares hashes)
+ * - Vendor Keys: Encrypted with AES-256-GCM (reversible, needed for API headers)
+ * - Encryption key derived from machine-specific identifier + user password (optional)
+ */
+/**
+ * Encrypted data structure
+ */
+export interface EncryptedData {
+    encrypted: string;
+    iv: string;
+    authTag: string;
+    salt: string;
+    version: string;
+}
+/**
+ * Encrypt sensitive data (like vendor keys)
+ *
+ * @param data - The sensitive data to encrypt
+ * @param passphrase - Optional user passphrase for additional security
+ * @returns Encrypted data structure
+ */
+export declare function encryptCredential(data: string, passphrase?: string): EncryptedData;
+/**
+ * Decrypt sensitive data
+ *
+ * @param encryptedData - The encrypted data structure
+ * @param passphrase - Optional user passphrase (must match encryption)
+ * @returns Decrypted data
+ */
+export declare function decryptCredential(encryptedData: EncryptedData, passphrase?: string): string;
+/**
+ * Secure vendor key storage wrapper
+ */
+export interface SecureVendorKey {
+    keyHash: string;
+    encryptedKey: EncryptedData;
+    createdAt: string;
+    lastUsed?: string;
+    encrypted: true;
+}
+/**
+ * Securely store a vendor key
+ *
+ * @param vendorKey - The raw vendor key
+ * @param passphrase - Optional user passphrase for additional security
+ * @returns Secure storage structure
+ */
+export declare function secureStoreVendorKey(vendorKey: string, passphrase?: string): SecureVendorKey;
+/**
+ * Retrieve a vendor key from secure storage
+ *
+ * @param secureKey - The secure storage structure
+ * @param passphrase - Optional user passphrase (must match storage)
+ * @returns Decrypted vendor key
+ */
+export declare function retrieveVendorKey(secureKey: SecureVendorKey, passphrase?: string): string;
+/**
+ * Validate a vendor key against stored hash
+ *
+ * @param vendorKey - The key to validate
+ * @param storedHash - The stored hash to compare against
+ * @returns True if key matches hash
+ */
+export declare function validateVendorKeyHash(vendorKey: string, storedHash: string): boolean;
+/**
+ * Check if a value is encrypted vendor key data
+ */
+export declare function isEncryptedVendorKey(value: any): value is SecureVendorKey;
+/**
+ * Migration helper: Check if vendor key needs encryption upgrade
+ */
+export declare function needsEncryptionMigration(vendorKey: any): boolean;

package/dist/utils/crypto-utils.js

@@ -0,0 +1,171 @@
+/**
+ * Cryptographic utilities for secure credential storage
+ *
+ * Security Model:
+ * - API Keys: Hashed with SHA-256 (one-way, server compares hashes)
+ * - Vendor Keys: Encrypted with AES-256-GCM (reversible, needed for API headers)
+ * - Encryption key derived from machine-specific identifier + user password (optional)
+ */
+import crypto from 'crypto';
+import { homedir, platform, hostname } from 'os';
+import { hashApiKey, isSha256Hash } from './hash-utils.js';
+// Encryption algorithm configuration
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LENGTH = 32; // 256 bits
+const IV_LENGTH = 16; // 128 bits for GCM
+const AUTH_TAG_LENGTH = 16; // 128 bits
+const SALT_LENGTH = 32; // 256 bits
+// Default salt component for key derivation when no passphrase is provided
+// This is a known constant, not a secret - it's part of the encryption scheme
+const DEFAULT_SALT_COMPONENT = 'lanonasis-cli-default-salt';
+/**
+ * Get a machine-specific identifier for key derivation
+ * Uses hostname + platform + homedir to create a stable machine fingerprint
+ */
+function getMachineId() {
+    const machineFingerprint = `${hostname()}-${platform()}-${homedir()}`;
+    return crypto
+        .createHash('sha256')
+        .update(machineFingerprint)
+        .digest('hex');
+}
+/**
+ * Derive an encryption key from machine ID and optional user passphrase
+ * Uses PBKDF2 with 100,000 iterations
+ */
+function deriveEncryptionKey(salt, passphrase) {
+    const baseSecret = getMachineId() + (passphrase || DEFAULT_SALT_COMPONENT);
+    return crypto.pbkdf2Sync(baseSecret, salt, 100000, KEY_LENGTH, 'sha256');
+}
+/**
+ * Encrypt sensitive data (like vendor keys)
+ *
+ * @param data - The sensitive data to encrypt
+ * @param passphrase - Optional user passphrase for additional security
+ * @returns Encrypted data structure
+ */
+export function encryptCredential(data, passphrase) {
+    if (!data || typeof data !== 'string') {
+        throw new Error('Data must be a non-empty string');
+    }
+    // Generate random salt and IV
+    const salt = crypto.randomBytes(SALT_LENGTH);
+    const iv = crypto.randomBytes(IV_LENGTH);
+    // Derive encryption key
+    const key = deriveEncryptionKey(salt, passphrase);
+    // Create cipher and encrypt
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+    let encrypted = cipher.update(data, 'utf8', 'base64');
+    encrypted += cipher.final('base64');
+    // Get authentication tag
+    const authTag = cipher.getAuthTag();
+    return {
+        encrypted,
+        iv: iv.toString('base64'),
+        authTag: authTag.toString('base64'),
+        salt: salt.toString('base64'),
+        version: '1.0'
+    };
+}
+/**
+ * Decrypt sensitive data
+ *
+ * @param encryptedData - The encrypted data structure
+ * @param passphrase - Optional user passphrase (must match encryption)
+ * @returns Decrypted data
+ */
+export function decryptCredential(encryptedData, passphrase) {
+    if (!encryptedData || typeof encryptedData !== 'object') {
+        throw new Error('Encrypted data must be an object');
+    }
+    try {
+        // Parse encrypted data components
+        const salt = Buffer.from(encryptedData.salt, 'base64');
+        const iv = Buffer.from(encryptedData.iv, 'base64');
+        const authTag = Buffer.from(encryptedData.authTag, 'base64');
+        // Derive the same encryption key
+        const key = deriveEncryptionKey(salt, passphrase);
+        // Create decipher and decrypt
+        const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+        decipher.setAuthTag(authTag);
+        let decrypted = decipher.update(encryptedData.encrypted, 'base64', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    catch (error) {
+        throw new Error('Decryption failed - credential may be corrupted or wrong passphrase');
+    }
+}
+/**
+ * Securely store a vendor key
+ *
+ * @param vendorKey - The raw vendor key
+ * @param passphrase - Optional user passphrase for additional security
+ * @returns Secure storage structure
+ */
+export function secureStoreVendorKey(vendorKey, passphrase) {
+    if (!vendorKey || typeof vendorKey !== 'string') {
+        throw new Error('Vendor key must be a non-empty string');
+    }
+    return {
+        keyHash: hashApiKey(vendorKey),
+        encryptedKey: encryptCredential(vendorKey, passphrase),
+        createdAt: new Date().toISOString(),
+        encrypted: true
+    };
+}
+/**
+ * Retrieve a vendor key from secure storage
+ *
+ * @param secureKey - The secure storage structure
+ * @param passphrase - Optional user passphrase (must match storage)
+ * @returns Decrypted vendor key
+ */
+export function retrieveVendorKey(secureKey, passphrase) {
+    if (!secureKey || !secureKey.encryptedKey) {
+        throw new Error('Invalid secure key structure');
+    }
+    return decryptCredential(secureKey.encryptedKey, passphrase);
+}
+/**
+ * Validate a vendor key against stored hash
+ *
+ * @param vendorKey - The key to validate
+ * @param storedHash - The stored hash to compare against
+ * @returns True if key matches hash
+ */
+export function validateVendorKeyHash(vendorKey, storedHash) {
+    if (!vendorKey || !storedHash) {
+        return false;
+    }
+    try {
+        const keyHash = hashApiKey(vendorKey);
+        return keyHash === storedHash;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Check if a value is encrypted vendor key data
+ */
+export function isEncryptedVendorKey(value) {
+    return (value &&
+        typeof value === 'object' &&
+        value.encrypted === true &&
+        typeof value.keyHash === 'string' &&
+        isSha256Hash(value.keyHash) &&
+        value.encryptedKey &&
+        typeof value.encryptedKey.encrypted === 'string');
+}
+/**
+ * Migration helper: Check if vendor key needs encryption upgrade
+ */
+export function needsEncryptionMigration(vendorKey) {
+    // If it's a plain string, it's not encrypted
+    if (typeof vendorKey === 'string' && !isSha256Hash(vendorKey)) {
+        return true;
+    }
+    // If it's not an encrypted structure, needs migration
+    return !isEncryptedVendorKey(vendorKey);
+}

package/dist/utils/hash-utils.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Local Hash Utilities for CLI
+ * Copied from shared/hash-utils.ts to avoid TypeScript rootDir issues
+ */
+/**
+ * Determine if the provided value is already a SHA-256 hex digest
+ */
+export declare function isSha256Hash(value: string): boolean;
+/**
+ * Hash an API key with SHA-256
+ * Used for: Database storage, validation, lookups
+ *
+ * @param apiKey - The raw API key to hash
+ * @returns SHA-256 hash as hex string (64 characters)
+ */
+export declare function hashApiKey(apiKey: string): string;
+/**
+ * Normalize any API key input to a SHA-256 hex digest
+ * Leaves an existing 64-char hex hash untouched to prevent double hashing
+ */
+export declare function ensureApiKeyHash(apiKey: string): string;
+export type ApiKeyHash = string;
+export type ApiKey = string;

package/dist/utils/hash-utils.js

@@ -0,0 +1,37 @@
+/**
+ * Local Hash Utilities for CLI
+ * Copied from shared/hash-utils.ts to avoid TypeScript rootDir issues
+ */
+import crypto from 'crypto';
+/**
+ * Determine if the provided value is already a SHA-256 hex digest
+ */
+export function isSha256Hash(value) {
+    return typeof value === 'string' && /^[a-f0-9]{64}$/i.test(value.trim());
+}
+/**
+ * Hash an API key with SHA-256
+ * Used for: Database storage, validation, lookups
+ *
+ * @param apiKey - The raw API key to hash
+ * @returns SHA-256 hash as hex string (64 characters)
+ */
+export function hashApiKey(apiKey) {
+    if (!apiKey || typeof apiKey !== 'string') {
+        throw new Error('API key must be a non-empty string');
+    }
+    return crypto
+        .createHash('sha256')
+        .update(apiKey)
+        .digest('hex');
+}
+/**
+ * Normalize any API key input to a SHA-256 hex digest
+ * Leaves an existing 64-char hex hash untouched to prevent double hashing
+ */
+export function ensureApiKeyHash(apiKey) {
+    if (isSha256Hash(apiKey)) {
+        return apiKey.toLowerCase();
+    }
+    return hashApiKey(apiKey);
+}

package/dist/utils/mcp-client.d.ts

@@ -82,6 +82,10 @@ export declare class MCPClient {
      * Connect to MCP server with retry logic
      */
     connect(options?: MCPConnectionOptions): Promise<boolean>;
+    /**
+     * Persist successful connection mode and URLs to config for future use
+     */
+    private persistConnectionState;
     /**
      * Connect to MCP server with retry logic and exponential backoff
      */

package/dist/utils/mcp-client.js

@@ -58,6 +58,36 @@ export class MCPClient {
         this.retryAttempts = 0;
         return this.connectWithRetry(options);
     }
+    /**
+     * Persist successful connection mode and URLs to config for future use
+     */
+    async persistConnectionState(mode, url) {
+        try {
+            // Save the successful connection mode as preference
+            this.config.set('mcpConnectionMode', mode);
+            this.config.set('mcpPreference', mode);
+            // Save the specific URL that worked
+            if (url) {
+                if (mode === 'websocket') {
+                    this.config.set('mcpWebSocketUrl', url);
+                }
+                else if (mode === 'remote') {
+                    this.config.set('mcpServerUrl', url);
+                }
+                else if (mode === 'local') {
+                    this.config.set('mcpServerPath', url);
+                }
+            }
+            // Save to disk
+            await this.config.save();
+        }
+        catch (error) {
+            // Don't fail connection if persistence fails, just log
+            if (process.env.CLI_VERBOSE === 'true') {
+                console.warn('⚠️  Failed to persist connection state:', error);
+            }
+        }
+    }
     /**
      * Connect to MCP server with retry logic and exponential backoff
      */
@@ -104,6 +134,8 @@ export class MCPClient {
                     this.isConnected = true;
                     this.activeConnectionMode = 'websocket';
                     this.retryAttempts = 0;
+                    // Persist successful connection state
+                    await this.persistConnectionState('websocket', wsUrl);
                     this.startHealthMonitoring();
                     return true;
                 }
@@ -125,6 +157,8 @@ export class MCPClient {
                     this.isConnected = true;
                     this.activeConnectionMode = 'remote';
                     this.retryAttempts = 0;
+                    // Persist successful connection state
+                    await this.persistConnectionState('remote', serverUrl);
                     this.startHealthMonitoring();
                     return true;
                 }
@@ -172,6 +206,8 @@ export class MCPClient {
                     this.isConnected = true;
                     this.activeConnectionMode = 'local';
                     this.retryAttempts = 0;
+                    // Persist successful connection state
+                    await this.persistConnectionState('local', serverPath);
                     console.log(chalk.green('✓ Connected to MCP server'));
                     this.startHealthMonitoring();
                     return true;
@@ -188,6 +224,8 @@ export class MCPClient {
                     this.isConnected = true;
                     this.activeConnectionMode = 'remote';
                     this.retryAttempts = 0;
+                    // Persist successful connection state
+                    await this.persistConnectionState('remote', serverUrl);
                     this.startHealthMonitoring();
                     return true;
                 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lanonasis/cli",
-  "version": "3.6.7",
+  "version": "3.7.1",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -17,10 +17,13 @@
   },
   "files": [
     "dist",
+    "scripts",
     "README.md",
     "LICENSE"
   ],
   "dependencies": {
+    "@lanonasis/oauth-client": "^1.0.0",
+    "@lanonasis/security-sdk": "^1.0.1",
     "@modelcontextprotocol/sdk": "^1.1.1",
     "axios": "^1.7.7",
     "chalk": "^5.3.0",
@@ -53,6 +56,7 @@
   "scripts": {
     "build": "rimraf dist && tsc -p tsconfig.json",
     "prepublishOnly": "npm run build",
+    "postinstall": "node scripts/postinstall.js",
     "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js",
     "test:watch": "npm test -- --watch",
     "test:coverage": "npm test -- --coverage"

package/scripts/postinstall.js

@@ -0,0 +1,100 @@
+#!/usr/bin/env node
+import { fileURLToPath } from 'url';
+import { dirname, resolve, join } from 'path';
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
+import { homedir } from 'os';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+/**
+ * Postinstall script to auto-configure MCP server path
+ * This runs after npm/bun install and sets up the local MCP server path automatically
+ */
+
+async function postinstall() {
+  console.log('⚙️  Configuring Lanonasis CLI...');
+
+  const configDir = join(homedir(), '.maas');
+  const configFile = join(configDir, 'config.json');
+
+  // Ensure config directory exists
+  if (!existsSync(configDir)) {
+    mkdirSync(configDir, { recursive: true });
+  }
+
+  // Potential MCP server locations (in priority order)
+  const potentialPaths = [
+    // Development: relative to CLI in monorepo
+    resolve(__dirname, '../../../onasis-core/dist/mcp-server.js'),
+    resolve(__dirname, '../../../onasis-core/src/mcp/server.ts'),
+    // Global install: look in common locations
+    resolve(homedir(), 'DevOps/_project_folders/lan-onasis-monorepo/packages/onasis-core/dist/mcp-server.js'),
+    resolve(homedir(), 'projects/lan-onasis-monorepo/packages/onasis-core/dist/mcp-server.js'),
+    // Check if installed alongside CLI in node_modules
+    resolve(__dirname, '../../onasis-core/dist/mcp-server.js'),
+  ];
+
+  // Find the first existing MCP server path
+  let mcpServerPath = null;
+  for (const path of potentialPaths) {
+    if (existsSync(path)) {
+      mcpServerPath = path;
+      console.log(`✓ Found MCP server at: ${path}`);
+      break;
+    }
+  }
+
+  // Load existing config or create new one
+  let config = {
+    version: '1.0.0',
+    apiUrl: 'https://mcp.lanonasis.com/api/v1'
+  };
+
+  if (existsSync(configFile)) {
+    try {
+      const existingConfig = readFileSync(configFile, 'utf-8');
+      config = JSON.parse(existingConfig);
+    } catch (error) {
+      console.warn('⚠️  Could not read existing config, will create new one');
+    }
+  }
+
+  // Update config with MCP server path if found
+  if (mcpServerPath) {
+    config.mcpServerPath = mcpServerPath;
+    config.mcpConnectionMode = 'local';
+    config.mcpPreference = 'local';
+    console.log('✓ Configured local MCP server path');
+  } else {
+    // No local server found, prefer remote/websocket
+    console.log('ℹ️  No local MCP server found, will use remote connection');
+    config.mcpConnectionMode = 'websocket';
+    config.mcpPreference = 'websocket';
+    config.mcpWebSocketUrl = 'wss://mcp.lanonasis.com/ws';
+  }
+
+  // Save config
+  try {
+    writeFileSync(configFile, JSON.stringify(config, null, 2), 'utf-8');
+    console.log('✓ Configuration saved to ~/.maas/config.json');
+  } catch (error) {
+    console.error('✖ Failed to save configuration:', error.message);
+  }
+
+  console.log('');
+  console.log('🎉 Lanonasis CLI configured successfully!');
+  console.log('');
+  console.log('Get started:');
+  console.log('  onasis --help          # Show available commands');
+  console.log('  onasis auth            # Authenticate with your account');
+  console.log('  onasis mcp connect     # Connect to MCP services');
+  console.log('');
+}
+
+// Run postinstall
+postinstall().catch((error) => {
+  console.error('✖ Postinstall failed:', error);
+  // Don't fail installation if postinstall fails
+  process.exit(0);
+});