@lanonasis/cli 3.7.8 → 3.8.1

package/dist/commands/auth.js

@@ -370,7 +370,7 @@ export async function diagnoseCommand() {
     // Step 2: Check stored credentials
     console.log(chalk.cyan('\n2. Stored Credentials'));
     const token = config.getToken();
-    const vendorKey = config.getVendorKey();
+    const vendorKey = await config.getVendorKeyAsync();
     const authMethod = config.get('authMethod');
     if (vendorKey) {
         diagnostics.hasCredentials = true;
@@ -707,7 +707,7 @@ async function handleOAuthFlow(config) {
         await config.setToken(tokens.access_token);
         await config.set('refresh_token', tokens.refresh_token);
         await config.set('token_expires_at', Date.now() + (tokens.expires_in * 1000));
-        await config.set('authMethod', 'oauth2');
+        await config.set('authMethod', 'oauth');
         // The OAuth access token from auth-gateway works as the API token for all services
         // Store it as the vendor key equivalent for MCP and API access
         spinner.text = 'Configuring unified access...';
@@ -825,10 +825,8 @@ async function handleCredentialsFlow(options, config) {
         if (response.user.role) {
             console.log(`Role: ${response.user.role}`);
         }
-        console.log(chalk.gray('✓ API access configured'));
-        console.log();
-        console.log(chalk.dim('Note: MCP WebSocket commands require a vendor key.'));
-        console.log(chalk.dim('Run'), chalk.white('onasis auth vendor-key <key>'), chalk.dim('to configure MCP access.'));
+        console.log(chalk.gray('✓ API and MCP access configured'));
+        console.log(chalk.dim('Your JWT token works with all services: API, MCP, CLI.'));
     }
     catch (error) {
         spinner.fail('Login failed');

package/dist/commands/config.js

@@ -382,7 +382,7 @@ export function configCommands(program) {
         // Step 2: Validate authentication configuration
         console.log(chalk.cyan('\n2. Authentication Configuration'));
         const token = config.getToken();
-        const vendorKey = config.getVendorKey();
+        const vendorKey = await config.getVendorKeyAsync();
         const authMethod = config.get('authMethod');
         if (!token && !vendorKey) {
             console.log(chalk.yellow('   ⚠ No authentication credentials configured'));
@@ -391,8 +391,9 @@ export function configCommands(program) {
         else {
             console.log(chalk.green('   ✓ Authentication credentials found'));
             // Validate auth method consistency
-            if (vendorKey && authMethod !== 'vendor_key') {
-                console.log(chalk.yellow('   ⚠ Auth method mismatch (has vendor key but method is not vendor_key)'));
+            // Note: OAuth users can have vendorKey stored (for MCP access) while authMethod is 'oauth'
+            if (vendorKey && authMethod !== 'vendor_key' && authMethod !== 'oauth') {
+                console.log(chalk.yellow('   ⚠ Auth method mismatch (has vendor key but method is not vendor_key or oauth)'));
                 validation.issues.push('Auth method mismatch');
                 if (options.repair) {
                     config.set('authMethod', 'vendor_key');

package/dist/commands/mcp.js

@@ -169,6 +169,7 @@ export function mcpCommands(program) {
         const client = getMCPClient();
         await client.disconnect();
         console.log(chalk.green('✓ Disconnected from MCP server'));
+        process.exit(0);
     });
     // Status command
     mcp.command('status')
@@ -183,6 +184,7 @@ export function mcpCommands(program) {
         await config.init();
         let healthLabel = chalk.gray('Unknown');
         let healthDetails;
+        let isServiceReachable = false;
         try {
             const axios = (await import('axios')).default;
             // Derive MCP health URL from discovered REST base (e.g. https://mcp.lanonasis.com/api/v1 -> https://mcp.lanonasis.com/health)
@@ -190,7 +192,7 @@ export function mcpCommands(program) {
             const rootBase = restUrl.replace(/\/api\/v1$/, '');
             const healthUrl = `${rootBase}/health`;
             const token = config.getToken();
-            const vendorKey = config.getVendorKey();
+            const vendorKey = await config.getVendorKeyAsync();
             const headers = {};
             if (vendorKey) {
                 headers['X-API-Key'] = vendorKey;
@@ -207,14 +209,17 @@ export function mcpCommands(program) {
             const overallStatus = String(response.data?.status ?? '').toLowerCase();
             const ok = response.status === 200 && (!overallStatus || overallStatus === 'healthy');
             if (ok) {
-                healthLabel = chalk.green('Reachable');
+                healthLabel = chalk.green('Healthy');
+                isServiceReachable = true;
             }
             else {
                 healthLabel = chalk.yellow('Degraded');
+                isServiceReachable = true; // Service is reachable but degraded
             }
         }
         catch (error) {
             healthLabel = chalk.red('Unreachable');
+            isServiceReachable = false;
             if (error instanceof Error) {
                 healthDetails = error.message;
             }
@@ -224,7 +229,14 @@ export function mcpCommands(program) {
         }
         console.log(chalk.cyan('\n📊 MCP Connection Status'));
         console.log(chalk.cyan('========================'));
-        console.log(`Status: ${status.connected ? chalk.green('Connected') : chalk.red('Disconnected')}`);
+        // Show status based on service reachability, not in-memory connection state
+        // The CLI isn't a persistent daemon - "connected" means the service is available
+        if (isServiceReachable) {
+            console.log(`Status: ${chalk.green('Ready')} (service reachable)`);
+        }
+        else {
+            console.log(`Status: ${chalk.red('Unavailable')} (service unreachable)`);
+        }
         // Display mode with proper labels
         let modeDisplay;
         switch (status.mode) {
@@ -246,7 +258,8 @@ export function mcpCommands(program) {
         if (healthDetails && process.env.CLI_VERBOSE === 'true') {
             console.log(chalk.gray(`Health details: ${healthDetails}`));
         }
-        if (status.connected) {
+        // Show features when service is reachable
+        if (isServiceReachable) {
             if (status.mode === 'remote') {
                 console.log(`\n${chalk.cyan('Features:')}`);
                 console.log('• Real-time updates via SSE');
@@ -259,7 +272,12 @@ export function mcpCommands(program) {
                 console.log('• Authenticated WebSocket connection');
                 console.log('• Production-ready MCP server');
             }
+            console.log(chalk.green('\n✓ MCP tools are available. Run "lanonasis mcp tools" to see them.'));
+        }
+        else {
+            console.log(chalk.yellow('\n⚠ MCP service is not reachable. Run "lanonasis mcp diagnose" for troubleshooting.'));
         }
+        process.exit(0);
     });
     // List tools command
     mcp.command('tools')
@@ -456,6 +474,42 @@ export function mcpCommands(program) {
             console.log('  --prefer-local     : Use local stdio mode (development only)');
             console.log('  --auto             : Auto-detect based on configuration (default)');
         }
+        process.exit(0);
+    });
+    // Start MCP server for external clients
+    mcp.command('start')
+        .description('Start MCP server for external clients (Claude Desktop, Cursor, etc.)')
+        .option('--transport <type>', 'Transport: stdio (default), ws, http, sse', 'stdio')
+        .option('--port <number>', 'Port for ws/http/sse', '3009')
+        .option('--host <address>', 'Host address', '127.0.0.1')
+        .action(async (options) => {
+        const apiKey = process.env.LANONASIS_API_KEY;
+        if (!apiKey) {
+            console.error('Error: LANONASIS_API_KEY environment variable required');
+            process.exit(1);
+        }
+        try {
+            const { LanonasisMCPServer } = await import('../mcp/server/lanonasis-server.js');
+            const server = new LanonasisMCPServer({
+                apiKey,
+                transport: options.transport,
+                port: parseInt(options.port, 10),
+                host: options.host
+            });
+            if (options.transport === 'stdio') {
+                // Log to stderr since stdout is for MCP protocol
+                console.error(`Starting MCP server in stdio mode...`);
+                await server.startStdio();
+            }
+            else {
+                console.error(`Starting MCP server on ${options.host}:${options.port} (${options.transport})...`);
+                await server.start();
+            }
+        }
+        catch (error) {
+            console.error(`Failed to start MCP server: ${error instanceof Error ? error.message : 'Unknown error'}`);
+            process.exit(1);
+        }
     });
     // Diagnose MCP connection issues
     mcp.command('diagnose')
@@ -483,7 +537,7 @@ export function mcpCommands(program) {
         // Step 1: Check authentication status
         console.log(chalk.cyan('1. Authentication Status'));
         const token = config.getToken();
-        const vendorKey = config.getVendorKey();
+        const vendorKey = await config.getVendorKeyAsync();
         if (!token && !vendorKey) {
             console.log(chalk.red('   ✖ No authentication credentials found'));
             console.log(chalk.gray('   → Run: lanonasis auth login'));
@@ -755,5 +809,6 @@ export function mcpCommands(program) {
             console.log(chalk.gray('   • Verify your network allows outbound HTTPS connections'));
             console.log(chalk.gray('   • Contact support if issues persist'));
         }
+        process.exit(0);
     });
 }

package/dist/commands/memory.js

@@ -31,9 +31,9 @@ export function memoryCommands(program) {
                         validate: (input) => input.length > 0 || 'Title is required'
                     },
                     {
-                        type: 'editor',
+                        type: 'input',
                         name: 'content',
-                        message: 'Memory content:',
+                        message: 'Memory content (or use -c flag for multi-line):',
                         default: content,
                         validate: (input) => input.length > 0 || 'Content is required'
                     },

package/dist/mcp/access-control.js

@@ -192,7 +192,7 @@ export class MemoryAccessControl {
             const apiUrl = this.config.get('apiUrl') || 'https://api.lanonasis.com';
             const token = this.config.get('token');
             const axios = (await import('axios')).default;
-            const response = await axios.get(`${apiUrl}/api/v1/memory/${memoryId}`, {
+            const response = await axios.get(`${apiUrl}/api/v1/memories/${memoryId}`, {
                 headers: {
                     'Authorization': `Bearer ${token}`,
                     'Content-Type': 'application/json'
@@ -210,7 +210,7 @@ export class MemoryAccessControl {
             const apiUrl = this.config.get('apiUrl') || 'https://api.lanonasis.com';
             const token = this.config.get('token');
             const axios = (await import('axios')).default;
-            const response = await axios.get(`${apiUrl}/api/v1/memory?user_id=${userId}`, {
+            const response = await axios.get(`${apiUrl}/api/v1/memories?user_id=${userId}`, {
                 headers: {
                     'Authorization': `Bearer ${token}`,
                     'Content-Type': 'application/json'

package/dist/mcp/schemas/tool-schemas.d.ts

@@ -15,15 +15,15 @@ export declare const MemoryCreateSchema: z.ZodObject<{
     content?: string;
     tags?: string[];
     topic_id?: string;
-    memory_type?: "context" | "reference" | "note";
     metadata?: Record<string, any>;
+    memory_type?: "context" | "reference" | "note";
 }, {
     title?: string;
     content?: string;
     tags?: string[];
     topic_id?: string;
-    memory_type?: "context" | "reference" | "note";
     metadata?: Record<string, any>;
+    memory_type?: "context" | "reference" | "note";
 }>;
 export declare const MemorySearchSchema: z.ZodObject<{
     query: z.ZodString;
@@ -59,15 +59,15 @@ export declare const MemoryUpdateSchema: z.ZodObject<{
     content?: string;
     tags?: string[];
     memory_id?: string;
-    memory_type?: "context" | "reference" | "note";
     metadata?: Record<string, any>;
+    memory_type?: "context" | "reference" | "note";
 }, {
     title?: string;
     content?: string;
     tags?: string[];
     memory_id?: string;
-    memory_type?: "context" | "reference" | "note";
     metadata?: Record<string, any>;
+    memory_type?: "context" | "reference" | "note";
 }>;
 export declare const MemoryDeleteSchema: z.ZodObject<{
     memory_id: z.ZodString;
@@ -217,13 +217,13 @@ export declare const BulkOperationSchema: z.ZodObject<{
     transaction: z.ZodDefault<z.ZodBoolean>;
 }, "strip", z.ZodTypeAny, {
     operation?: "create" | "delete" | "update";
-    entity_type?: "topic" | "memory" | "apikey";
     items?: Record<string, any>[];
+    entity_type?: "topic" | "memory" | "apikey";
     transaction?: boolean;
 }, {
     operation?: "create" | "delete" | "update";
-    entity_type?: "topic" | "memory" | "apikey";
     items?: Record<string, any>[];
+    entity_type?: "topic" | "memory" | "apikey";
     transaction?: boolean;
 }>;
 export declare const ImportExportSchema: z.ZodObject<{
@@ -387,15 +387,15 @@ export declare const MCPSchemas: {
             content?: string;
             tags?: string[];
             topic_id?: string;
-            memory_type?: "context" | "reference" | "note";
             metadata?: Record<string, any>;
+            memory_type?: "context" | "reference" | "note";
         }, {
             title?: string;
             content?: string;
             tags?: string[];
             topic_id?: string;
-            memory_type?: "context" | "reference" | "note";
             metadata?: Record<string, any>;
+            memory_type?: "context" | "reference" | "note";
         }>;
         search: z.ZodObject<{
             query: z.ZodString;
@@ -431,15 +431,15 @@ export declare const MCPSchemas: {
             content?: string;
             tags?: string[];
             memory_id?: string;
-            memory_type?: "context" | "reference" | "note";
             metadata?: Record<string, any>;
+            memory_type?: "context" | "reference" | "note";
         }, {
             title?: string;
             content?: string;
             tags?: string[];
             memory_id?: string;
-            memory_type?: "context" | "reference" | "note";
             metadata?: Record<string, any>;
+            memory_type?: "context" | "reference" | "note";
         }>;
         delete: z.ZodObject<{
             memory_id: z.ZodString;
@@ -597,13 +597,13 @@ export declare const MCPSchemas: {
             transaction: z.ZodDefault<z.ZodBoolean>;
         }, "strip", z.ZodTypeAny, {
             operation?: "create" | "delete" | "update";
-            entity_type?: "topic" | "memory" | "apikey";
             items?: Record<string, any>[];
+            entity_type?: "topic" | "memory" | "apikey";
             transaction?: boolean;
         }, {
             operation?: "create" | "delete" | "update";
-            entity_type?: "topic" | "memory" | "apikey";
             items?: Record<string, any>[];
+            entity_type?: "topic" | "memory" | "apikey";
             transaction?: boolean;
         }>;
         importExport: z.ZodObject<{

package/dist/mcp/server/lanonasis-server.d.ts

@@ -9,6 +9,10 @@ export interface LanonasisServerOptions {
     verbose?: boolean;
     apiUrl?: string;
     token?: string;
+    apiKey?: string;
+    transport?: 'stdio' | 'ws' | 'http' | 'sse';
+    port?: number;
+    host?: string;
     preferredTransport?: 'stdio' | 'websocket' | 'http';
     enableTransportFallback?: boolean;
 }
@@ -209,6 +213,11 @@ export declare class LanonasisMCPServer {
      * Start the server
      */
     start(): Promise<void>;
+    /**
+     * Start the server in stdio mode for external MCP clients (Claude Desktop, Cursor, etc.)
+     * This is the primary entry point for `lanonasis mcp start`
+     */
+    startStdio(): Promise<void>;
     /**
      * Stop the server
      */

package/dist/mcp/server/lanonasis-server.js

@@ -407,7 +407,15 @@ export class LanonasisMCPServer {
                             text: `Authentication Error: ${error instanceof Error ? error.message : 'Authentication failed'}`
                         }
                     ],
-                    isError: true
+                    isError: true,
+                    task: {
+                        taskId: `${clientId}-${Date.now()}`,
+                        status: 'failed',
+                        ttl: null,
+                        createdAt: new Date().toISOString(),
+                        lastUpdatedAt: new Date().toISOString(),
+                        statusMessage: 'Authentication failed'
+                    }
                 };
             }
             this.updateConnectionActivity(clientId);
@@ -419,7 +427,14 @@ export class LanonasisMCPServer {
                             type: 'text',
                             text: JSON.stringify(result, null, 2)
                         }
-                    ]
+                    ],
+                    task: {
+                        taskId: `${clientId}-${Date.now()}`,
+                        status: 'completed',
+                        ttl: null,
+                        createdAt: new Date().toISOString(),
+                        lastUpdatedAt: new Date().toISOString()
+                    }
                 };
             }
             catch (error) {
@@ -430,7 +445,15 @@ export class LanonasisMCPServer {
                             text: `Error: ${error instanceof Error ? error.message : 'Unknown error'}`
                         }
                     ],
-                    isError: true
+                    isError: true,
+                    task: {
+                        taskId: `${clientId}-${Date.now()}`,
+                        status: 'failed',
+                        ttl: null,
+                        createdAt: new Date().toISOString(),
+                        lastUpdatedAt: new Date().toISOString(),
+                        statusMessage: error instanceof Error ? error.message : 'Unknown error'
+                    }
                 };
             }
         });
@@ -1473,6 +1496,35 @@ Please choose an option (1-4):`
             throw error;
         }
     }
+    /**
+     * Start the server in stdio mode for external MCP clients (Claude Desktop, Cursor, etc.)
+     * This is the primary entry point for `lanonasis mcp start`
+     */
+    async startStdio() {
+        await this.initialize();
+        try {
+            // Use API key from options if provided (from LANONASIS_API_KEY env var)
+            if (this.options.apiKey) {
+                // Set the API key for authentication
+                await this.config.setVendorKey(this.options.apiKey);
+            }
+            // Create stdio transport
+            this.transport = new StdioServerTransport();
+            await this.server.connect(this.transport);
+            // Log to stderr since stdout is for MCP protocol
+            console.error(chalk.cyan('🚀 Lanonasis MCP Server started (stdio mode)'));
+            console.error(chalk.gray(`Backend: ${this.config.getApiUrl()}`));
+            console.error(chalk.gray(`Tools: 18+ available`));
+            console.error(chalk.gray('Ready for MCP client connections...'));
+            // Keep the process alive
+            process.stdin.resume();
+        }
+        catch (error) {
+            console.error(chalk.red('❌ Failed to start MCP Server:'));
+            console.error(chalk.red(error instanceof Error ? error.message : 'Unknown error'));
+            throw error;
+        }
+    }
     /**
      * Stop the server
      */

package/dist/mcp-server-entry.d.ts

@@ -0,0 +1,20 @@
+#!/usr/bin/env node
+/**
+ * Lanonasis MCP Server Entry Point
+ *
+ * Direct entry point for external MCP clients (Claude Desktop, Cursor, Windsurf, etc.)
+ * This allows simple configuration like:
+ *
+ *   claude mcp add lanonasis -- lanonasis-mcp
+ *
+ * Or in claude_desktop_config.json:
+ *   {
+ *     "mcpServers": {
+ *       "lanonasis": {
+ *         "command": "lanonasis-mcp",
+ *         "env": { "LANONASIS_API_KEY": "lano_xxx" }
+ *       }
+ *     }
+ *   }
+ */
+export {};

package/dist/mcp-server-entry.js

@@ -0,0 +1,54 @@
+#!/usr/bin/env node
+/**
+ * Lanonasis MCP Server Entry Point
+ *
+ * Direct entry point for external MCP clients (Claude Desktop, Cursor, Windsurf, etc.)
+ * This allows simple configuration like:
+ *
+ *   claude mcp add lanonasis -- lanonasis-mcp
+ *
+ * Or in claude_desktop_config.json:
+ *   {
+ *     "mcpServers": {
+ *       "lanonasis": {
+ *         "command": "lanonasis-mcp",
+ *         "env": { "LANONASIS_API_KEY": "lano_xxx" }
+ *       }
+ *     }
+ *   }
+ */
+import { LanonasisMCPServer } from './mcp/server/lanonasis-server.js';
+async function main() {
+    // Get API key from environment
+    const apiKey = process.env.LANONASIS_API_KEY;
+    if (!apiKey) {
+        console.error('Error: LANONASIS_API_KEY environment variable is required');
+        console.error('');
+        console.error('Usage:');
+        console.error('  LANONASIS_API_KEY=lano_xxx lanonasis-mcp');
+        console.error('');
+        console.error('Or configure in Claude Desktop/Cursor:');
+        console.error('  {');
+        console.error('    "mcpServers": {');
+        console.error('      "lanonasis": {');
+        console.error('        "command": "lanonasis-mcp",');
+        console.error('        "env": { "LANONASIS_API_KEY": "your_api_key" }');
+        console.error('      }');
+        console.error('    }');
+        console.error('  }');
+        process.exit(1);
+    }
+    try {
+        const server = new LanonasisMCPServer({
+            apiKey,
+            verbose: process.env.LOG_LEVEL === 'debug'
+        });
+        // Start in stdio mode (standard for MCP clients)
+        await server.startStdio();
+    }
+    catch (error) {
+        console.error(`Failed to start MCP server: ${error instanceof Error ? error.message : 'Unknown error'}`);
+        process.exit(1);
+    }
+}
+main();

package/dist/mcp-server.js

@@ -77,12 +77,13 @@ export class CLIMCPServer {
             console.error(`Auth: ${this.config.hasVendorKey() ? 'Vendor Key' : 'JWT Token'}`);
         }
         const resolvedPort = typeof port === 'number' && !Number.isNaN(port) ? port : 3001;
+        const vendorKey = await this.config.getVendorKeyAsync();
         // Set environment variables from CLI config
         const env = {
             ...process.env,
             PORT: resolvedPort.toString(),
             MEMORY_API_URL: this.config.getApiUrl(),
-            LANONASIS_VENDOR_KEY: this.config.getVendorKey(),
+            LANONASIS_VENDOR_KEY: vendorKey,
             LANONASIS_TOKEN: this.config.getToken(),
             MCP_VERBOSE: verbose ? 'true' : 'false',
             CLI_ALIGNED: 'true'

package/dist/utils/api.js

@@ -27,7 +27,7 @@ export class APIClient {
             }
             // Enhanced Authentication Support
             const token = this.config.getToken();
-            const vendorKey = this.config.getVendorKey();
+            const vendorKey = await this.config.getVendorKeyAsync();
             if (vendorKey) {
                 // Vendor key authentication (validated server-side)
                 // Send raw key - server handles hashing for comparison
@@ -99,40 +99,40 @@ export class APIClient {
         });
         return response.data;
     }
-    // Memory operations - aligned with existing schema
-    // All memory endpoints use /api/v1/memory path
+    // Memory operations - aligned with REST API canonical endpoints
+    // All memory endpoints use /api/v1/memories path (plural, per REST conventions)
     async createMemory(data) {
-        const response = await this.client.post('/api/v1/memory', data);
+        const response = await this.client.post('/api/v1/memories', data);
         return response.data;
     }
     async getMemories(params = {}) {
-        const response = await this.client.get('/api/v1/memory', { params });
+        const response = await this.client.get('/api/v1/memories', { params });
         return response.data;
     }
     async getMemory(id) {
-        const response = await this.client.get(`/api/v1/memory/${id}`);
+        const response = await this.client.get(`/api/v1/memories/${id}`);
         return response.data;
     }
     async updateMemory(id, data) {
-        const response = await this.client.put(`/api/v1/memory/${id}`, data);
+        const response = await this.client.put(`/api/v1/memories/${id}`, data);
         return response.data;
     }
     async deleteMemory(id) {
-        await this.client.delete(`/api/v1/memory/${id}`);
+        await this.client.delete(`/api/v1/memories/${id}`);
     }
     async searchMemories(query, options = {}) {
-        const response = await this.client.post('/api/v1/memory/search', {
+        const response = await this.client.post('/api/v1/memories/search', {
             query,
             ...options
         });
         return response.data;
     }
     async getMemoryStats() {
-        const response = await this.client.get('/api/v1/memory/stats');
+        const response = await this.client.get('/api/v1/memories/stats');
         return response.data;
     }
     async bulkDeleteMemories(memoryIds) {
-        const response = await this.client.post('/api/v1/memory/bulk/delete', {
+        const response = await this.client.post('/api/v1/memories/bulk/delete', {
             memory_ids: memoryIds
         });
         return response.data;

package/dist/utils/config.d.ts

@@ -43,6 +43,7 @@ export declare class CLIConfig {
     private authCheckCache;
     private readonly AUTH_CACHE_TTL;
     private apiKeyStorage;
+    private vendorKeyCache?;
     constructor();
     /**
      * Overrides the configuration storage directory. Primarily used for tests.

package/dist/utils/config.js

@@ -14,6 +14,7 @@ export class CLIConfig {
     authCheckCache = null;
     AUTH_CACHE_TTL = 5 * 60 * 1000; // 5 minutes
     apiKeyStorage;
+    vendorKeyCache;
     constructor() {
         this.configDir = path.join(os.homedir(), '.maas');
         this.configPath = path.join(this.configDir, 'config.json');
@@ -28,6 +29,7 @@ export class CLIConfig {
         this.configDir = configDir;
         this.configPath = path.join(configDir, 'config.json');
         this.lockFile = path.join(configDir, 'config.lock');
+        this.vendorKeyCache = undefined;
     }
     /**
      * Exposes the current config path for tests and diagnostics.
@@ -45,6 +47,8 @@ export class CLIConfig {
         }
     }
     async load() {
+        // Reset in-memory cache; disk state may have changed
+        this.vendorKeyCache = undefined;
         try {
             const data = await fs.readFile(this.configPath, 'utf-8');
             this.config = JSON.parse(data);
@@ -170,7 +174,7 @@ export class CLIConfig {
     getApiUrl() {
         const baseUrl = process.env.MEMORY_API_URL ||
             this.config.apiUrl ||
-            'https://mcp.lanonasis.com';
+            'https://api.lanonasis.com'; // Primary REST API endpoint
         // Ensure we don't double-append /api/v1 - strip it if present since APIClient adds it
         return baseUrl.replace(/\/api\/v1\/?$/, '');
     }
@@ -192,8 +196,8 @@ export class CLIConfig {
             if (!this.config.discoveredServices) {
                 this.config.discoveredServices = {
                     auth_base: 'https://auth.lanonasis.com',
-                    memory_base: 'https://mcp.lanonasis.com', // Base URL without /api/v1
-                    mcp_base: 'https://mcp.lanonasis.com/api/v1', // Full MCP REST path
+                    memory_base: 'https://api.lanonasis.com', // Primary REST API (Supabase Edge Functions)
+                    mcp_base: 'https://mcp.lanonasis.com/api/v1', // MCP protocol REST path
                     mcp_ws_base: 'wss://mcp.lanonasis.com/ws',
                     mcp_sse_base: 'https://mcp.lanonasis.com/api/v1/events',
                     project_scope: 'lanonasis-maas'
@@ -245,10 +249,10 @@ export class CLIConfig {
             if (authBase.includes('localhost') || authBase.includes('127.0.0.1')) {
                 authBase = 'https://auth.lanonasis.com';
             }
-            // Memory base should be the MCP base URL without /api/v1 suffix
+            // Memory base should be the REST API URL without /api/v1 suffix
             // The API client will append the path as needed
-            const rawMemoryBase = discovered.endpoints?.http || 'https://mcp.lanonasis.com/api/v1';
-            const memoryBase = rawMemoryBase.replace(/\/api\/v1\/?$/, '') || 'https://mcp.lanonasis.com';
+            const rawMemoryBase = discovered.endpoints?.http || 'https://api.lanonasis.com/api/v1';
+            const memoryBase = rawMemoryBase.replace(/\/api\/v1\/?$/, '') || 'https://api.lanonasis.com';
             this.config.discoveredServices = {
                 auth_base: authBase || 'https://auth.lanonasis.com',
                 memory_base: memoryBase,
@@ -371,8 +375,8 @@ export class CLIConfig {
         const nodeEnv = (process.env.NODE_ENV ?? '').toLowerCase();
         const isDevEnvironment = nodeEnv === 'development' || nodeEnv === 'test';
         const defaultAuthBase = isDevEnvironment ? 'http://localhost:4000' : 'https://auth.lanonasis.com';
-        const defaultMemoryBase = isDevEnvironment ? 'http://localhost:4000' : 'https://mcp.lanonasis.com'; // Base URL without /api/v1
-        const defaultMcpBase = isDevEnvironment ? 'http://localhost:4100/api/v1' : 'https://mcp.lanonasis.com/api/v1'; // Full MCP REST path
+        const defaultMemoryBase = isDevEnvironment ? 'http://localhost:4000' : 'https://api.lanonasis.com'; // Primary REST API (Supabase Edge Functions)
+        const defaultMcpBase = isDevEnvironment ? 'http://localhost:4100/api/v1' : 'https://mcp.lanonasis.com/api/v1'; // MCP protocol REST path
         const defaultMcpWsBase = isDevEnvironment ? 'ws://localhost:4100/ws' : 'wss://mcp.lanonasis.com/ws';
         const defaultMcpSseBase = isDevEnvironment ? 'http://localhost:4100/api/v1/events' : 'https://mcp.lanonasis.com/api/v1/events';
         const endpoints = {
@@ -438,8 +442,8 @@ export class CLIConfig {
         }
         const currentServices = this.config.discoveredServices ?? {
             auth_base: 'https://auth.lanonasis.com',
-            memory_base: 'https://mcp.lanonasis.com', // Base URL without /api/v1
-            mcp_base: 'https://mcp.lanonasis.com/api/v1', // Full MCP REST path
+            memory_base: 'https://api.lanonasis.com', // Primary REST API (Supabase Edge Functions)
+            mcp_base: 'https://mcp.lanonasis.com/api/v1', // MCP protocol REST path
             mcp_ws_base: 'wss://mcp.lanonasis.com/ws',
             mcp_sse_base: 'https://mcp.lanonasis.com/api/v1/events',
             project_scope: 'lanonasis-maas'
@@ -488,12 +492,18 @@ export class CLIConfig {
             environment: process.env.NODE_ENV || 'production',
             createdAt: new Date().toISOString()
         });
+        // Cache the vendor key for this process so synchronous callers can reuse it
+        this.vendorKeyCache = trimmedKey;
         if (process.env.CLI_VERBOSE === 'true') {
             console.log('🔐 Vendor key stored securely via @lanonasis/oauth-client');
         }
         // Store a reference marker in config (not the actual key)
         this.config.vendorKey = 'stored_in_api_key_storage';
-        this.config.authMethod = 'vendor_key';
+        // Only set authMethod to 'vendor_key' if not already set to OAuth
+        // This prevents overwriting OAuth auth method when storing the token for MCP access
+        if (!this.config.authMethod || !['oauth', 'oauth2', 'jwt'].includes(this.config.authMethod)) {
+            this.config.authMethod = 'vendor_key';
+        }
         this.config.lastValidated = new Date().toISOString();
         await this.resetFailureCount(); // Reset failure count on successful auth
         await this.save();
@@ -566,10 +576,16 @@ export class CLIConfig {
         }
     }
     getVendorKey() {
+        if (this.vendorKeyCache) {
+            return this.vendorKeyCache;
+        }
         try {
             // Retrieve from secure storage using ApiKeyStorage (synchronous wrapper)
             const stored = this.getVendorKeySync();
-            return stored;
+            if (stored) {
+                this.vendorKeyCache = stored;
+            }
+            return this.vendorKeyCache;
         }
         catch (error) {
             if (process.env.CLI_VERBOSE === 'true') {
@@ -600,7 +616,8 @@ export class CLIConfig {
             await this.apiKeyStorage.initialize();
             const stored = await this.apiKeyStorage.retrieve();
             if (stored) {
-                return stored.apiKey;
+                this.vendorKeyCache = stored.apiKey;
+                return this.vendorKeyCache;
             }
         }
         catch (error) {
@@ -613,13 +630,14 @@ export class CLIConfig {
             if (process.env.CLI_VERBOSE === 'true') {
                 console.log('ℹ️  Found legacy plaintext vendor key, will migrate on next auth');
             }
-            return this.config.vendorKey;
+            this.vendorKeyCache = this.config.vendorKey;
+            return this.vendorKeyCache;
         }
         return undefined;
     }
     hasVendorKey() {
         // Check for marker or legacy storage
-        return !!this.config.vendorKey;
+        return !!(this.vendorKeyCache || this.config.vendorKey);
     }
     async setApiUrl(url) {
         this.config.apiUrl = url;
@@ -678,11 +696,41 @@ export class CLIConfig {
                 this.authCheckCache = { isValid: true, timestamp: Date.now() };
                 return true;
             }
-            // For vendor keys, we trust that they were validated during setVendorKey()
-            // and rely on the lastValidated timestamp. For additional security,
-            // the server should revoke keys that are invalid.
-            this.authCheckCache = { isValid: true, timestamp: Date.now() };
-            return true;
+            // Vendor key not recently validated - verify with server
+            try {
+                await this.discoverServices();
+                const authBase = this.config.discoveredServices?.auth_base || 'https://auth.lanonasis.com';
+                // Ping auth health with vendor key to verify it's still valid
+                await this.pingAuthHealth(axios, authBase, {
+                    'X-API-Key': vendorKey,
+                    'X-Auth-Method': 'vendor_key',
+                    'X-Project-Scope': 'lanonasis-maas'
+                }, { timeout: 5000, proxy: false });
+                // Update last validated timestamp on success
+                this.config.lastValidated = new Date().toISOString();
+                await this.save().catch(() => { }); // Don't fail auth check if save fails
+                this.authCheckCache = { isValid: true, timestamp: Date.now() };
+                return true;
+            }
+            catch (error) {
+                // Server validation failed - check for grace period (7 days offline)
+                const gracePeriod = 7 * 24 * 60 * 60 * 1000;
+                const withinGracePeriod = lastValidated &&
+                    (Date.now() - new Date(lastValidated).getTime()) < gracePeriod;
+                if (withinGracePeriod) {
+                    if (process.env.CLI_VERBOSE === 'true') {
+                        console.warn('⚠️  Unable to validate vendor key with server, using cached validation');
+                    }
+                    this.authCheckCache = { isValid: true, timestamp: Date.now() };
+                    return true;
+                }
+                // Grace period expired - require server validation
+                if (process.env.CLI_VERBOSE === 'true') {
+                    console.warn('⚠️  Vendor key validation failed and grace period expired');
+                }
+                this.authCheckCache = { isValid: false, timestamp: Date.now() };
+                return false;
+            }
         }
         // Handle token-based authentication
         const token = this.getToken();
@@ -848,10 +896,25 @@ export class CLIConfig {
     async logout() {
         this.config.token = undefined;
         this.config.user = undefined;
+        this.vendorKeyCache = undefined;
+        this.config.vendorKey = undefined;
+        this.config.authMethod = undefined;
+        try {
+            await this.apiKeyStorage.initialize();
+            // ApiKeyStorage may implement clear() to remove encrypted secrets
+            const storage = this.apiKeyStorage;
+            if (typeof storage.clear === 'function') {
+                await storage.clear();
+            }
+        }
+        catch {
+            // Ignore storage cleanup errors during logout
+        }
         await this.save();
     }
     async clear() {
         this.config = {};
+        this.vendorKeyCache = undefined;
         await this.save();
     }
     async exists() {
@@ -866,7 +929,7 @@ export class CLIConfig {
     // Enhanced credential validation methods
     async validateStoredCredentials() {
         try {
-            const vendorKey = this.getVendorKey();
+            const vendorKey = await this.getVendorKeyAsync();
             const token = this.getToken();
             if (!vendorKey && !token) {
                 return false;

package/dist/utils/crypto-utils.js

@@ -8,7 +8,7 @@
  */
 import crypto from 'crypto';
 import { homedir, platform, hostname } from 'os';
-import { hashApiKey, isSha256Hash } from './hash-utils.js';
+import { hashApiKey, isSha256Hash } from '@lanonasis/security-sdk/hash-utils';
 // Encryption algorithm configuration
 const ALGORITHM = 'aes-256-gcm';
 const KEY_LENGTH = 32; // 256 bits

package/package.json

@@ -1,12 +1,13 @@
 {
   "name": "@lanonasis/cli",
-  "version": "3.7.8",
+  "version": "3.8.1",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "bin": {
     "onasis": "dist/index.js",
-    "lanonasis": "dist/index.js"
+    "lanonasis": "dist/index.js",
+    "lanonasis-mcp": "dist/mcp-server-entry.js"
   },
   "exports": {
     ".": {
@@ -23,8 +24,8 @@
   ],
   "dependencies": {
     "@lanonasis/oauth-client": "1.2.5",
-    "@lanonasis/security-sdk": "^1.0.1",
-    "@modelcontextprotocol/sdk": "^1.1.1",
+    "@lanonasis/security-sdk": "1.0.5",
+    "@modelcontextprotocol/sdk": "^1.25.2",
     "axios": "^1.7.7",
     "chalk": "^5.3.0",
     "cli-progress": "^3.12.0",
@@ -61,4 +62,4 @@
     "test:watch": "npm test -- --watch",
     "test:coverage": "npm test -- --coverage"
   }
-}
+}