@lanonasis/cli 3.9.10 → 3.9.11

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog - @lanonasis/cli
 
+## [3.9.11] - 2026-03-27
+
+### 🐛 Bug Fixes
+
+- **`memory stats` no longer crashes on wrapped responses**: The CLI now normalizes both flat and `{ data: ... }` stats payloads and safely defaults optional fields like `total_size_bytes` and `avg_access_count` when the backend omits them.
+- **Secure storage no longer initializes on every command startup**: Vendor key storage is now lazy-loaded, which prevents unnecessary keychain fallback warnings on CLI commands that do not access vendor key storage.
+- **Bundled auth client updated to `@lanonasis/oauth-client@2.0.4`**: Pulls in the ESM-safe native keychain loader fix and semver-compliant optional React peer metadata.
+
 ## [3.9.8] - 2026-02-25
 
 ### ✨ New Features

package/README.md

@@ -1,11 +1,11 @@
-# @lanonasis/cli v3.9.7 - OAuth PKCE Auth & whoami
+# @lanonasis/cli v3.9.11 - Stable Stats & Cleaner Startup
 
 [![NPM Version](https://img.shields.io/npm/v/@lanonasis/cli)](https://www.npmjs.com/package/@lanonasis/cli)
 [![Downloads](https://img.shields.io/npm/dt/@lanonasis/cli)](https://www.npmjs.com/package/@lanonasis/cli)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![Golden Contract](https://img.shields.io/badge/Onasis--Core-v0.1%20Compliant-gold)](https://api.lanonasis.com/.well-known/onasis.json)
 
-🎉 **NEW IN v3.9.7**: Full OAuth PKCE session support across CLI and API gateway. New `onasis whoami` command. `auth status` now shows live user profile and probes real memory API access. Seven auth verification fixes eliminate false-positive "Authenticated: Yes" reports.
+🎉 **NEW IN v3.9.11**: `onasis memory stats` now handles wrapped/partial backend responses without crashing, vendor key secure storage is lazy-loaded so unrelated commands no longer trigger noisy fallback warnings, and the bundled `@lanonasis/oauth-client` is updated to `2.0.4` for the ESM-safe keychain loader fix.
 
 ## 🚀 Quick Start
 

package/dist/commands/auth.js

@@ -712,12 +712,8 @@ async function handleOAuthFlow(config) {
         await config.set('refresh_token', tokens.refresh_token);
         await config.set('token_expires_at', Date.now() + (tokens.expires_in * 1000));
         await config.set('authMethod', 'oauth');
-        // The OAuth access token from auth-gateway works as the API token for all services
-        // Store it as the vendor key equivalent for MCP and API access
         spinner.text = 'Configuring unified access...';
         spinner.start();
-        // Use the OAuth access token directly - it's already an auth-gateway token
-        await config.setVendorKey(tokens.access_token);
         spinner.succeed('Unified authentication configured');
         console.log();
         console.log(chalk.green('✓ OAuth2 authentication successful'));

package/dist/commands/memory.js

@@ -235,8 +235,16 @@ const createIntelligenceTransport = async () => {
                 }),
             };
         }
-        // Legacy key path: use CLI API client auth middleware directly.
-        return { mode: 'api' };
+        // Pre-hashed key (64 hex chars from oauth-client normalizeApiKey): inject via header.
+        // The edge functions accept pre-hashed keys after the auth.ts shared utility update.
+        return {
+            mode: 'sdk',
+            client: new MemoryIntelligenceClient({
+                apiUrl,
+                allowMissingAuth: true,
+                headers: { 'X-API-Key': apiKey },
+            }),
+        };
     }
     throw new Error('Authentication required. Run "lanonasis auth login" first.');
 };

package/dist/utils/api.d.ts

@@ -185,7 +185,10 @@ export declare class APIClient {
     private config;
     /** When true, throw on 401/403 instead of printing+exiting (for callers that handle errors) */
     noExit: boolean;
+    private isLikelyHashedCredential;
     private normalizeMemoryEntry;
+    private tryNormalizeMemoryEntry;
+    private normalizeMemoryStats;
     private shouldUseLegacyMemoryRpcFallback;
     private shouldRetryViaApiGateway;
     private shouldRetryViaSupabaseMemoryFunctions;

package/dist/utils/api.js

@@ -2,11 +2,22 @@ import axios from 'axios';
 import chalk from 'chalk';
 import { randomUUID } from 'crypto';
 import { CLIConfig } from './config.js';
+const MEMORY_TYPES = [
+    'context',
+    'project',
+    'knowledge',
+    'reference',
+    'personal',
+    'workflow'
+];
 export class APIClient {
     client;
     config;
     /** When true, throw on 401/403 instead of printing+exiting (for callers that handle errors) */
     noExit = false;
+    isLikelyHashedCredential(value) {
+        return typeof value === 'string' && /^[a-f0-9]{64}$/i.test(value.trim());
+    }
     normalizeMemoryEntry(payload) {
         // API responses are inconsistent across gateways:
         // - Some return the memory entry directly
@@ -27,13 +38,77 @@ export class APIClient {
         }
         return payload;
     }
+    tryNormalizeMemoryEntry(payload) {
+        if (!payload || typeof payload !== 'object') {
+            return undefined;
+        }
+        const normalized = this.normalizeMemoryEntry(payload);
+        if (!normalized || typeof normalized !== 'object') {
+            return undefined;
+        }
+        const normalizedRecord = normalized;
+        return typeof normalizedRecord.id === 'string' ? normalized : undefined;
+    }
+    normalizeMemoryStats(payload) {
+        if (!payload || typeof payload !== 'object') {
+            throw new Error('Memory stats endpoint returned an invalid response.');
+        }
+        const envelope = payload;
+        const rawStats = envelope.data && typeof envelope.data === 'object' && !Array.isArray(envelope.data)
+            ? envelope.data
+            : envelope;
+        const rawByType = rawStats.memories_by_type && typeof rawStats.memories_by_type === 'object' && !Array.isArray(rawStats.memories_by_type)
+            ? rawStats.memories_by_type
+            : rawStats.by_type && typeof rawStats.by_type === 'object' && !Array.isArray(rawStats.by_type)
+                ? rawStats.by_type
+                : {};
+        const memoriesByType = MEMORY_TYPES.reduce((accumulator, memoryType) => {
+            const value = rawByType[memoryType];
+            accumulator[memoryType] = typeof value === 'number' ? value : 0;
+            return accumulator;
+        }, {});
+        const recentMemories = Array.isArray(rawStats.recent_memories)
+            ? rawStats.recent_memories
+                .map((entry) => this.tryNormalizeMemoryEntry(entry))
+                .filter((entry) => entry !== undefined)
+            : [];
+        const totalMemories = typeof rawStats.total_memories === 'number'
+            ? rawStats.total_memories
+            : Object.values(memoriesByType).reduce((sum, count) => sum + count, 0);
+        return {
+            total_memories: totalMemories,
+            memories_by_type: memoriesByType,
+            total_size_bytes: typeof rawStats.total_size_bytes === 'number' ? rawStats.total_size_bytes : 0,
+            avg_access_count: typeof rawStats.avg_access_count === 'number' ? rawStats.avg_access_count : 0,
+            most_accessed_memory: this.tryNormalizeMemoryEntry(rawStats.most_accessed_memory),
+            recent_memories: recentMemories
+        };
+    }
     shouldUseLegacyMemoryRpcFallback(error) {
         const status = error?.response?.status;
         const errorData = error?.response?.data;
         const message = `${errorData?.error || ''} ${errorData?.message || ''}`.toLowerCase();
+        const rawRequestUrl = String(error?.config?.url || '');
+        const requestPath = (() => {
+            try {
+                if (/^https?:\/\//i.test(rawRequestUrl)) {
+                    return new URL(rawRequestUrl).pathname;
+                }
+            }
+            catch {
+                // Fall back to the raw URL if URL parsing fails.
+            }
+            return rawRequestUrl;
+        })();
+        const normalizedRequestUrl = requestPath.startsWith('/memory')
+            ? this.normalizeMcpPathToApi(requestPath)
+            : requestPath;
         if (status === 405) {
             return true;
         }
+        if (status === 404 && /^\/api\/v1\/memories\/[^/?#]+$/.test(normalizedRequestUrl)) {
+            return true;
+        }
         if (status === 400 && message.includes('memory id is required')) {
             return true;
         }
@@ -238,6 +313,9 @@ export class APIClient {
             const forceDirectApi = forceApiFromEnv || forceApiFromConfig || forceDirectApiRetry;
             const prefersTokenAuth = Boolean(token) && (authMethod === 'jwt' || authMethod === 'oauth' || authMethod === 'oauth2');
             const useVendorKeyAuth = Boolean(vendorKey) && !prefersTokenAuth;
+            if (authMethod === 'vendor_key' && this.isLikelyHashedCredential(vendorKey)) {
+                throw new Error('Stored vendor key is in legacy hashed format. Run "lanonasis auth login --vendor-key <your-key>" to refresh secure storage.');
+            }
             // Determine the correct API base URL:
             // - Auth endpoints -> auth.lanonasis.com
             // - Memory/MCP operations (JWT or vendor key) -> mcp.lanonasis.com (the memory service)
@@ -567,7 +645,7 @@ export class APIClient {
             return this.normalizeMemoryEntry(response.data);
         }
         catch (error) {
-            if (this.shouldUseLegacyMemoryRpcFallback(error)) {
+            if (this.shouldUseLegacyMemoryRpcFallback(error) || error?.response?.status === 404) {
                 const fallback = await this.client.post('/api/v1/memory/update', {
                     id,
                     ...data
@@ -585,7 +663,7 @@ export class APIClient {
             await this.client.delete(`/api/v1/memories/${id}`);
         }
         catch (error) {
-            if (this.shouldUseLegacyMemoryRpcFallback(error)) {
+            if (this.shouldUseLegacyMemoryRpcFallback(error) || error?.response?.status === 404) {
                 await this.client.post('/api/v1/memory/delete', { id });
                 return;
             }
@@ -601,7 +679,7 @@ export class APIClient {
     }
     async getMemoryStats() {
         const response = await this.client.get('/api/v1/memories/stats');
-        return response.data;
+        return this.normalizeMemoryStats(response.data);
     }
     async bulkDeleteMemories(memoryIds) {
         const response = await this.client.post('/api/v1/memories/bulk/delete', {

package/dist/utils/config.d.ts

@@ -48,9 +48,12 @@ export declare class CLIConfig {
     private static readonly CONFIG_VERSION;
     private authCheckCache;
     private readonly AUTH_CACHE_TTL;
-    private apiKeyStorage;
+    private apiKeyStorage?;
     private vendorKeyCache?;
+    private isLegacyHashedCredential;
+    private getLegacyHashedVendorKeyReason;
     constructor();
+    private getApiKeyStorage;
     /**
      * Overrides the configuration storage directory. Primarily used for tests.
      */

package/dist/utils/config.js

@@ -15,12 +15,22 @@ export class CLIConfig {
     AUTH_CACHE_TTL = 5 * 60 * 1000; // 5 minutes
     apiKeyStorage;
     vendorKeyCache;
+    isLegacyHashedCredential(value) {
+        return typeof value === 'string' && /^[a-f0-9]{64}$/i.test(value.trim());
+    }
+    getLegacyHashedVendorKeyReason() {
+        return 'Stored vendor key is in legacy hashed format. Run "lanonasis auth login --vendor-key <your-key>" to refresh secure storage.';
+    }
     constructor() {
         this.configDir = path.join(os.homedir(), '.maas');
         this.configPath = path.join(this.configDir, 'config.json');
         this.lockFile = path.join(this.configDir, 'config.lock');
-        // Initialize secure storage for vendor keys using oauth-client's ApiKeyStorage
-        this.apiKeyStorage = new ApiKeyStorage();
+    }
+    getApiKeyStorage() {
+        if (!this.apiKeyStorage) {
+            this.apiKeyStorage = new ApiKeyStorage();
+        }
+        return this.apiKeyStorage;
     }
     /**
      * Overrides the configuration storage directory. Primarily used for tests.
@@ -627,6 +637,13 @@ export class CLIConfig {
         await this.discoverServices();
         const token = this.getToken();
         const vendorKey = await this.getVendorKeyAsync();
+        if (this.config.authMethod === 'vendor_key' && this.isLegacyHashedCredential(vendorKey)) {
+            return {
+                valid: false,
+                method: 'vendor_key',
+                reason: this.getLegacyHashedVendorKeyReason()
+            };
+        }
         if (this.config.authMethod === 'vendor_key' && vendorKey) {
             return this.verifyVendorKeyWithAuthGateway(vendorKey);
         }
@@ -710,8 +727,9 @@ export class CLIConfig {
         }
         // Initialize and store using ApiKeyStorage from @lanonasis/oauth-client
         // This handles encryption automatically (AES-256-GCM with machine-derived key)
-        await this.apiKeyStorage.initialize();
-        await this.apiKeyStorage.store({
+        const apiKeyStorage = this.getApiKeyStorage();
+        await apiKeyStorage.initialize();
+        await apiKeyStorage.store({
             apiKey: trimmedKey,
             organizationId: this.config.user?.organization_id,
             userId: this.config.user?.email,
@@ -835,8 +853,9 @@ export class CLIConfig {
      */
     async getVendorKeyAsync() {
         try {
-            await this.apiKeyStorage.initialize();
-            const stored = await this.apiKeyStorage.retrieve();
+            const apiKeyStorage = this.getApiKeyStorage();
+            await apiKeyStorage.initialize();
+            const stored = await apiKeyStorage.retrieve();
             if (stored) {
                 this.vendorKeyCache = stored.apiKey;
                 return this.vendorKeyCache;
@@ -912,6 +931,13 @@ export class CLIConfig {
             const vendorKey = await this.getVendorKeyAsync();
             if (!vendorKey)
                 return false;
+            if (this.isLegacyHashedCredential(vendorKey)) {
+                if (process.env.CLI_VERBOSE === 'true') {
+                    console.warn(`⚠️  ${this.getLegacyHashedVendorKeyReason()}`);
+                }
+                this.authCheckCache = { isValid: false, timestamp: Date.now() };
+                return false;
+            }
             // Check in-memory cache first (5-minute TTL)
             if (this.authCheckCache && (Date.now() - this.authCheckCache.timestamp) < this.AUTH_CACHE_TTL) {
                 return this.authCheckCache.isValid;
@@ -1146,10 +1172,13 @@ export class CLIConfig {
         this.vendorKeyCache = undefined;
         this.config.vendorKey = undefined;
         this.config.authMethod = undefined;
+        this.config.refresh_token = undefined;
+        this.config.token_expires_at = undefined;
         try {
-            await this.apiKeyStorage.initialize();
+            const apiKeyStorage = this.getApiKeyStorage();
+            await apiKeyStorage.initialize();
             // ApiKeyStorage may implement clear() to remove encrypted secrets
-            const storage = this.apiKeyStorage;
+            const storage = apiKeyStorage;
             if (typeof storage.clear === 'function') {
                 await storage.clear();
             }
@@ -1270,14 +1299,6 @@ export class CLIConfig {
                 if (typeof expiresIn === 'number' && Number.isFinite(expiresIn)) {
                     this.config.token_expires_at = Date.now() + (expiresIn * 1000);
                 }
-                // Keep the encrypted "vendor key" in sync for MCP/WebSocket clients that use X-API-Key.
-                // This does not change authMethod away from oauth (setVendorKey guards against that).
-                try {
-                    await this.setVendorKey(accessToken);
-                }
-                catch {
-                    // Non-fatal: bearer token refresh still helps API calls.
-                }
                 await this.save().catch(() => { });
                 return;
             }
@@ -1327,9 +1348,23 @@ export class CLIConfig {
         this.config.user = undefined;
         this.config.authMethod = undefined;
         this.config.tokenExpiry = undefined;
+        this.config.refresh_token = undefined;
+        this.config.token_expires_at = undefined;
         this.config.lastValidated = undefined;
         this.config.authFailureCount = 0;
         this.config.lastAuthFailure = undefined;
+        this.vendorKeyCache = undefined;
+        try {
+            const apiKeyStorage = this.getApiKeyStorage();
+            await apiKeyStorage.initialize();
+            const storage = apiKeyStorage;
+            if (typeof storage.clear === 'function') {
+                await storage.clear();
+            }
+        }
+        catch {
+            // Ignore secure storage cleanup failures while invalidating credentials
+        }
         await this.save();
     }
     async incrementFailureCount() {

package/dist/utils/mcp-client.js

@@ -360,6 +360,10 @@ export class MCPClient {
         const authMethod = String(this.config.get('authMethod') || '').toLowerCase();
         const token = this.config.get('token');
         const vendorKey = await this.config.getVendorKeyAsync();
+        const isLikelyHashedCredential = typeof vendorKey === 'string' && /^[a-f0-9]{64}$/i.test(vendorKey.trim());
+        if (authMethod === 'vendor_key' && isLikelyHashedCredential) {
+            throw new Error('AUTHENTICATION_INVALID: Stored vendor key is in legacy hashed format. Run "lanonasis auth login --vendor-key <your-key>" to refresh secure storage.');
+        }
         if (authMethod === 'vendor_key' && typeof vendorKey === 'string' && vendorKey.trim().length > 0) {
             return { value: vendorKey.trim(), source: 'vendor_key' };
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lanonasis/cli",
-  "version": "3.9.10",
+  "version": "3.9.11",
   "description": "Professional CLI for LanOnasis Memory as a Service (MaaS) with MCP support, seamless inline editing, and enterprise-grade security",
   "keywords": [
     "lanonasis",
@@ -52,11 +52,11 @@
     "CHANGELOG.md"
   ],
   "dependencies": {
-    "@lanonasis/mem-intel-sdk": "2.0.3",
-    "@lanonasis/oauth-client": "2.0.0",
+    "@lanonasis/mem-intel-sdk": "2.0.6",
+    "@lanonasis/oauth-client": "2.0.4",
     "@lanonasis/security-sdk": "1.0.5",
-    "@modelcontextprotocol/sdk": "^1.26.0",
-    "axios": "^1.13.5",
+    "@modelcontextprotocol/sdk": "^1.28.0",
+    "axios": "^1.13.6",
     "chalk": "^5.6.2",
     "cli-progress": "^3.12.0",
     "cli-table3": "^0.6.5",
@@ -64,26 +64,40 @@
     "date-fns": "^4.1.0",
     "dotenv": "^17.3.1",
     "eventsource": "^4.1.0",
-    "inquirer": "^13.2.5",
+    "inquirer": "^13.3.2",
     "jwt-decode": "^4.0.0",
     "open": "^11.0.0",
     "ora": "^9.3.0",
     "table": "^6.9.0",
     "word-wrap": "^1.2.5",
-    "ws": "^8.19.0",
+    "ws": "^8.20.0",
     "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@jest/globals": "^30.2.0",
+    "@jest/globals": "^30.3.0",
     "@types/cli-progress": "^3.11.6",
     "@types/inquirer": "^9.0.9",
-    "@types/node": "^25.3.0",
+    "@types/node": "^25.5.0",
     "@types/ws": "^8.18.1",
-    "fast-check": "^4.5.3",
-    "jest": "^30.2.0",
+    "fast-check": "^4.6.0",
+    "jest": "^30.3.0",
     "rimraf": "^6.1.3",
     "ts-jest": "^29.4.6",
-    "typescript": "^5.9.3"
+    "typescript": "^6.0.2"
+  },
+  "overrides": {
+    "@jest/transform": "^30.3.0",
+    "@hono/node-server": "^1.19.10",
+    "ajv": "^8.18.0",
+    "babel-jest": "^30.3.0",
+    "brace-expansion": "^1.1.13",
+    "express-rate-limit": "^8.2.2",
+    "handlebars": "^4.7.9",
+    "hono": "^4.12.8",
+    "jest-util": "^30.3.0",
+    "picomatch": "^2.3.2",
+    "qs": "^6.15.0",
+    "test-exclude": "^8.0.0"
   },
   "scripts": {
     "build": "rimraf dist && tsc -p tsconfig.json && chmod +x dist/index.js dist/mcp-server-entry.js 2>/dev/null || true",