@lanonasis/cli 3.9.12 → 3.9.13

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog - @lanonasis/cli
 
+## [3.9.13] - 2026-04-02
+
+### 🐛 Bug Fixes
+
+- **JWT/password sessions now refresh through the real auth-gateway contract**: Expiring CLI sessions no longer call the nonexistent `/v1/auth/refresh` route. Refreshable JWT and OAuth sessions now use `POST /oauth/token` with `grant_type=refresh_token`, matching the live auth-gateway implementation.
+- **Password login now persists refresh metadata**: Username/password authentication now saves `refresh_token` and `token_expires_at` from the login response, so successful JWT sessions can actually refresh instead of silently falling back to re-login loops.
+- **MCP client refresh flow no longer drifts from the main CLI auth flow**: Removed the stale `/auth/refresh` path and incorrect `refreshToken` config key lookup in favor of the shared `CLIConfig.refreshTokenIfNeeded()` implementation.
+
+### 🔄 Dependency Updates
+
+- **Bundled `@lanonasis/mem-intel-sdk` updated to `2.1.0`**: Aligns the CLI with the newly published scoped intelligence query contract and predictive route support.
+
 ## [3.9.11] - 2026-03-27
 
 ### 🐛 Bug Fixes

package/README.md

@@ -1,11 +1,11 @@
-# @lanonasis/cli v3.9.11 - Stable Stats & Cleaner Startup
+# @lanonasis/cli v3.9.13 - Auth Refresh Reliability
 
 [![NPM Version](https://img.shields.io/npm/v/@lanonasis/cli)](https://www.npmjs.com/package/@lanonasis/cli)
 [![Downloads](https://img.shields.io/npm/dt/@lanonasis/cli)](https://www.npmjs.com/package/@lanonasis/cli)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![Golden Contract](https://img.shields.io/badge/Onasis--Core-v0.1%20Compliant-gold)](https://api.lanonasis.com/.well-known/onasis.json)
 
-🎉 **NEW IN v3.9.11**: `onasis memory stats` now handles wrapped/partial backend responses without crashing, vendor key secure storage is lazy-loaded so unrelated commands no longer trigger noisy fallback warnings, and the bundled `@lanonasis/oauth-client` is updated to `2.0.4` for the ESM-safe keychain loader fix.
+🎉 **NEW IN v3.9.13**: JWT/password CLI sessions now refresh through the real auth-gateway OAuth token contract, password login persists refresh metadata correctly, the MCP client no longer uses stale refresh routes, and the bundled `@lanonasis/mem-intel-sdk` is updated to `2.1.0` for scoped intelligence query support.
 
 ## 🚀 Quick Start
 

package/dist/commands/auth.js

@@ -815,8 +815,16 @@ async function handleCredentialsFlow(options, config) {
         if (process.env.CLI_VERBOSE === 'true') {
             console.log(chalk.dim(`   JWT received (length: ${authToken.length})`));
         }
+        const refreshToken = response.refresh_token;
+        const expiresIn = response.expires_in;
         // Store JWT token for API authentication
         await config.setToken(authToken);
+        if (typeof refreshToken === 'string' && refreshToken.length > 0) {
+            config.set('refresh_token', refreshToken);
+        }
+        if (typeof expiresIn === 'number' && Number.isFinite(expiresIn)) {
+            config.set('token_expires_at', Date.now() + (expiresIn * 1000));
+        }
         await config.setAndSave('authMethod', 'jwt');
         spinner.succeed('Login successful');
         console.log();

package/dist/commands/memory.js

@@ -22,6 +22,12 @@ const MEMORY_TYPE_CHOICES = [
     'personal',
     'workflow',
 ];
+const QUERY_SCOPE_CHOICES = [
+    'personal',
+    'team',
+    'organization',
+    'hybrid',
+];
 const coerceMemoryType = (value) => {
     if (typeof value !== 'string')
         return undefined;
@@ -34,6 +40,48 @@ const coerceMemoryType = (value) => {
     }
     return undefined;
 };
+const coerceQueryScope = (value) => {
+    if (typeof value !== 'string')
+        return undefined;
+    const normalized = value.trim().toLowerCase();
+    if (QUERY_SCOPE_CHOICES.includes(normalized)) {
+        return normalized;
+    }
+    return undefined;
+};
+const parseMemoryTypesOption = (value) => {
+    if (!value?.trim())
+        return undefined;
+    const parsed = value
+        .split(',')
+        .map((entry) => coerceMemoryType(entry))
+        .filter((entry) => Boolean(entry));
+    if (parsed.length === 0) {
+        return undefined;
+    }
+    return [...new Set(parsed)];
+};
+const buildIntelligenceContextPayload = (options) => {
+    const payload = {};
+    if (options.organizationId?.trim()) {
+        payload.organization_id = options.organizationId.trim();
+    }
+    if (options.topicId?.trim()) {
+        payload.topic_id = options.topicId.trim();
+    }
+    if (options.scope) {
+        const scope = coerceQueryScope(options.scope);
+        if (!scope) {
+            throw new Error(`Invalid scope \"${options.scope}\". Expected one of: ${QUERY_SCOPE_CHOICES.join(', ')}`);
+        }
+        payload.query_scope = scope;
+    }
+    const memoryTypes = parseMemoryTypesOption(options.memoryTypes);
+    if (memoryTypes?.length) {
+        payload.memory_types = memoryTypes;
+    }
+    return payload;
+};
 const resolveInputMode = async () => {
     const config = new CLIConfig();
     await config.init();
@@ -1015,13 +1063,21 @@ export function memoryCommands(program) {
     intelligence
         .command('health-check')
         .description('Run memory intelligence health check')
+        .option('--organization-id <id>', 'Optional organization context')
+        .option('--topic-id <id>', 'Optional topic context')
+        .option('--scope <scope>', `Optional query scope (${QUERY_SCOPE_CHOICES.join(', ')})`)
+        .option('--memory-types <types>', `Optional comma-separated memory types (${MEMORY_TYPE_CHOICES.join(', ')})`)
         .option('--json', 'Output raw JSON payload')
         .action(async (options) => {
         try {
             const spinner = ora('Running intelligence health check...').start();
             const transport = await createIntelligenceTransport();
             const userId = await resolveCurrentUserId();
-            const result = await postIntelligenceEndpoint(transport, '/intelligence/health-check', { user_id: userId, response_format: 'json' });
+            const result = await postIntelligenceEndpoint(transport, '/intelligence/health-check', {
+                user_id: userId,
+                response_format: 'json',
+                ...buildIntelligenceContextPayload(options),
+            });
             spinner.stop();
             printIntelligenceResult('🩺 Intelligence Health Check', result, options);
         }
@@ -1036,6 +1092,9 @@ export function memoryCommands(program) {
         .description('Suggest tags for a memory')
         .argument('<memory-id>', 'Memory ID')
         .option('--max <number>', 'Maximum suggestions', '8')
+        .option('--organization-id <id>', 'Optional organization context')
+        .option('--topic-id <id>', 'Optional topic context')
+        .option('--scope <scope>', `Optional query scope (${QUERY_SCOPE_CHOICES.join(', ')})`)
         .option('--json', 'Output raw JSON payload')
         .action(async (memoryId, options) => {
         try {
@@ -1049,6 +1108,7 @@ export function memoryCommands(program) {
                 max_suggestions: maxSuggestions,
                 include_existing_tags: true,
                 response_format: 'json',
+                ...buildIntelligenceContextPayload(options),
             });
             spinner.stop();
             printIntelligenceResult('🏷️ Tag Suggestions', result, options);
@@ -1065,6 +1125,10 @@ export function memoryCommands(program) {
         .argument('<memory-id>', 'Source memory ID')
         .option('--limit <number>', 'Maximum related memories', '5')
         .option('--threshold <number>', 'Similarity threshold (0-1)', '0.7')
+        .option('--organization-id <id>', 'Optional organization context')
+        .option('--topic-id <id>', 'Optional topic context')
+        .option('--scope <scope>', `Optional query scope (${QUERY_SCOPE_CHOICES.join(', ')})`)
+        .option('--memory-types <types>', `Optional comma-separated candidate memory types (${MEMORY_TYPE_CHOICES.join(', ')})`)
         .option('--json', 'Output raw JSON payload')
         .action(async (memoryId, options) => {
         try {
@@ -1077,6 +1141,7 @@ export function memoryCommands(program) {
                 limit: Math.max(1, Math.min(20, parseInt(options.limit || '5', 10))),
                 similarity_threshold: Math.max(0, Math.min(1, parseFloat(options.threshold || '0.7'))),
                 response_format: 'json',
+                ...buildIntelligenceContextPayload(options),
             });
             spinner.stop();
             printIntelligenceResult('🔗 Related Memories', result, options);
@@ -1092,6 +1157,10 @@ export function memoryCommands(program) {
         .description('Detect duplicate memory entries')
         .option('--threshold <number>', 'Similarity threshold (0-1)', '0.88')
         .option('--max-pairs <number>', 'Maximum duplicate pairs to inspect', '100')
+        .option('--organization-id <id>', 'Optional organization context')
+        .option('--topic-id <id>', 'Optional topic context')
+        .option('--scope <scope>', `Optional query scope (${QUERY_SCOPE_CHOICES.join(', ')})`)
+        .option('--memory-types <types>', `Optional comma-separated memory types (${MEMORY_TYPE_CHOICES.join(', ')})`)
         .option('--json', 'Output raw JSON payload')
         .action(async (options) => {
         try {
@@ -1103,6 +1172,7 @@ export function memoryCommands(program) {
                 similarity_threshold: Math.max(0, Math.min(1, parseFloat(options.threshold || '0.88'))),
                 max_pairs: Math.max(10, Math.min(500, parseInt(options.maxPairs || '100', 10))),
                 response_format: 'json',
+                ...buildIntelligenceContextPayload(options),
             });
             spinner.stop();
             printIntelligenceResult('🧬 Duplicate Detection', result, options);
@@ -1119,6 +1189,10 @@ export function memoryCommands(program) {
         .option('--topic <topic>', 'Optional topic filter')
         .option('--type <type>', `Optional memory type filter (${MEMORY_TYPE_CHOICES.join(', ')})`)
         .option('--max-memories <number>', 'Maximum memories to analyze', '50')
+        .option('--organization-id <id>', 'Optional organization context')
+        .option('--topic-id <id>', 'Optional topic context')
+        .option('--scope <scope>', `Optional query scope (${QUERY_SCOPE_CHOICES.join(', ')})`)
+        .option('--memory-types <types>', `Optional comma-separated memory types (${MEMORY_TYPE_CHOICES.join(', ')})`)
         .option('--json', 'Output raw JSON payload')
         .action(async (options) => {
         try {
@@ -1135,6 +1209,7 @@ export function memoryCommands(program) {
                 memory_type: memoryType,
                 max_memories: Math.max(5, Math.min(200, parseInt(options.maxMemories || '50', 10))),
                 response_format: 'json',
+                ...buildIntelligenceContextPayload(options),
             });
             spinner.stop();
             printIntelligenceResult('💡 Memory Insights', result, options);
@@ -1149,6 +1224,10 @@ export function memoryCommands(program) {
         .command('analyze-patterns')
         .description('Analyze memory usage patterns')
         .option('--days <number>', 'Days to include in analysis', '30')
+        .option('--organization-id <id>', 'Optional organization context')
+        .option('--topic-id <id>', 'Optional topic context')
+        .option('--scope <scope>', `Optional query scope (${QUERY_SCOPE_CHOICES.join(', ')})`)
+        .option('--memory-types <types>', `Optional comma-separated memory types (${MEMORY_TYPE_CHOICES.join(', ')})`)
         .option('--json', 'Output raw JSON payload')
         .action(async (options) => {
         try {
@@ -1159,6 +1238,7 @@ export function memoryCommands(program) {
                 user_id: userId,
                 time_range_days: Math.max(1, Math.min(365, parseInt(options.days || '30', 10))),
                 response_format: 'json',
+                ...buildIntelligenceContextPayload(options),
             });
             spinner.stop();
             printIntelligenceResult('📈 Pattern Analysis', result, options);

package/dist/utils/api.d.ts

@@ -9,8 +9,11 @@ export interface AuthResponse {
         created_at: string;
         updated_at: string;
     };
-    token: string;
-    expires_at: string;
+    token?: string;
+    access_token?: string;
+    refresh_token?: string;
+    expires_in?: number;
+    expires_at?: string;
 }
 export interface RegisterRequest {
     email: string;

package/dist/utils/config.d.ts

@@ -27,6 +27,8 @@ interface CLIConfigData {
     lastManualEndpointUpdate?: string;
     vendorKey?: string | undefined;
     authMethod?: 'jwt' | 'vendor_key' | 'oauth' | 'oauth2' | undefined;
+    refresh_token?: string | undefined;
+    token_expires_at?: number | string | undefined;
     tokenExpiry?: number | undefined;
     lastValidated?: string | undefined;
     deviceId?: string;
@@ -130,6 +132,7 @@ export declare class CLIConfig {
     exists(): Promise<boolean>;
     validateStoredCredentials(): Promise<boolean>;
     refreshTokenIfNeeded(): Promise<void>;
+    private refreshViaOAuthTokenEndpoint;
     clearInvalidCredentials(): Promise<void>;
     incrementFailureCount(): Promise<void>;
     resetFailureCount(): Promise<void>;

package/dist/utils/config.js

@@ -1283,9 +1283,9 @@ export class CLIConfig {
             if (String(this.config.authMethod || '').toLowerCase() === 'vendor_key') {
                 return;
             }
+            const refreshToken = this.get('refresh_token');
             // OAuth token refresh (opaque tokens + refresh_token + token_expires_at)
-            if (this.config.authMethod === 'oauth') {
-                const refreshToken = this.get('refresh_token');
+            if (this.config.authMethod === 'oauth' || this.config.authMethod === 'oauth2') {
                 if (!refreshToken) {
                     return;
                 }
@@ -1310,37 +1310,7 @@ export class CLIConfig {
                     return;
                 }
                 await this.discoverServices();
-                const authBase = this.getDiscoveredApiUrl();
-                const resp = await axios.post(`${authBase}/oauth/token`, {
-                    grant_type: 'refresh_token',
-                    refresh_token: refreshToken,
-                    client_id: 'lanonasis-cli'
-                }, {
-                    headers: { 'Content-Type': 'application/json' },
-                    timeout: 10000,
-                    proxy: false
-                });
-                // Some gateways wrap responses as `{ data: { ... } }`.
-                const raw = resp?.data;
-                const payload = raw && typeof raw === 'object' && raw.data && typeof raw.data === 'object'
-                    ? raw.data
-                    : raw;
-                const accessToken = payload?.access_token ?? payload?.token;
-                const refreshedRefreshToken = payload?.refresh_token;
-                const expiresIn = payload?.expires_in;
-                if (typeof accessToken !== 'string' || accessToken.length === 0) {
-                    throw new Error('Token refresh response missing access_token');
-                }
-                // setToken() assumes JWT by default; ensure authMethod stays oauth after storing.
-                await this.setToken(accessToken);
-                this.config.authMethod = 'oauth';
-                if (typeof refreshedRefreshToken === 'string' && refreshedRefreshToken.length > 0) {
-                    this.config.refresh_token = refreshedRefreshToken;
-                }
-                if (typeof expiresIn === 'number' && Number.isFinite(expiresIn)) {
-                    this.config.token_expires_at = Date.now() + (expiresIn * 1000);
-                }
-                await this.save().catch(() => { });
+                await this.refreshViaOAuthTokenEndpoint(refreshToken, this.getDiscoveredApiUrl(), 'oauth');
                 return;
             }
             // Check if token is JWT and if it's close to expiry
@@ -1359,20 +1329,11 @@ export class CLIConfig {
             const exp = typeof decoded.exp === 'number' ? decoded.exp : 0;
             // Refresh if token expires within 5 minutes
             if (exp > 0 && (exp - now) < 300) {
-                // Import axios dynamically
-                await this.discoverServices();
-                const authBase = this.config.discoveredServices?.auth_base || 'https://auth.lanonasis.com';
-                // Attempt token refresh
-                const response = await axios.post(`${authBase}/v1/auth/refresh`, {}, {
-                    headers: {
-                        'Authorization': `Bearer ${token}`,
-                        'X-Project-Scope': 'lanonasis-maas'
-                    },
-                    timeout: 10000
-                });
-                if (response.data.token) {
-                    await this.setToken(response.data.token);
+                if (!refreshToken) {
+                    return;
                 }
+                await this.discoverServices();
+                await this.refreshViaOAuthTokenEndpoint(refreshToken, this.getDiscoveredApiUrl(), 'jwt');
             }
         }
         catch (err) {
@@ -1383,6 +1344,36 @@ export class CLIConfig {
             }
         }
     }
+    async refreshViaOAuthTokenEndpoint(refreshToken, authBase, authMethod) {
+        const resp = await axios.post(`${authBase}/oauth/token`, {
+            grant_type: 'refresh_token',
+            refresh_token: refreshToken,
+            client_id: 'lanonasis-cli'
+        }, {
+            headers: { 'Content-Type': 'application/json' },
+            timeout: 10000,
+            proxy: false
+        });
+        const raw = resp?.data;
+        const payload = raw && typeof raw === 'object' && raw.data && typeof raw.data === 'object'
+            ? raw.data
+            : raw;
+        const accessToken = payload?.access_token ?? payload?.token;
+        const refreshedRefreshToken = payload?.refresh_token;
+        const expiresIn = payload?.expires_in;
+        if (typeof accessToken !== 'string' || accessToken.length === 0) {
+            throw new Error('Token refresh response missing access_token');
+        }
+        await this.setToken(accessToken);
+        this.config.authMethod = authMethod;
+        if (typeof refreshedRefreshToken === 'string' && refreshedRefreshToken.length > 0) {
+            this.config.refresh_token = refreshedRefreshToken;
+        }
+        if (typeof expiresIn === 'number' && Number.isFinite(expiresIn)) {
+            this.config.token_expires_at = Date.now() + (expiresIn * 1000);
+        }
+        await this.save().catch(() => { });
+    }
     async clearInvalidCredentials() {
         this.config.token = undefined;
         this.config.vendorKey = undefined;

package/dist/utils/mcp-client.js

@@ -451,20 +451,11 @@ export class MCPClient {
      * Refresh token if needed
      */
     async refreshTokenIfNeeded() {
-        const refreshToken = this.config.get('refreshToken');
-        if (!refreshToken) {
-            throw new Error('No refresh token available. Please re-authenticate.');
-        }
         try {
-            const axios = (await import('axios')).default;
-            const authUrl = this.config.get('authUrl') ?? 'https://api.lanonasis.com';
-            const response = await axios.post(`${authUrl}/auth/refresh`, {
-                refresh_token: refreshToken
-            }, {
-                timeout: 10000
-            });
-            if (response.data.access_token) {
-                await this.config.setAndSave('token', response.data.access_token);
+            const previousToken = this.config.getToken();
+            await this.config.refreshTokenIfNeeded();
+            const currentToken = this.config.getToken();
+            if (currentToken && currentToken !== previousToken) {
                 console.log(chalk.green('✓ Token refreshed successfully'));
             }
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lanonasis/cli",
-  "version": "3.9.12",
+  "version": "3.9.13",
   "description": "Professional CLI for LanOnasis Memory as a Service (MaaS) with MCP support, seamless inline editing, and enterprise-grade security",
   "keywords": [
     "lanonasis",
@@ -52,11 +52,11 @@
     "CHANGELOG.md"
   ],
   "dependencies": {
-    "@lanonasis/mem-intel-sdk": "2.0.6",
+    "@lanonasis/mem-intel-sdk": "2.1.0",
     "@lanonasis/oauth-client": "2.0.4",
     "@lanonasis/security-sdk": "1.0.5",
     "@modelcontextprotocol/sdk": "^1.28.0",
-    "axios": "^1.13.6",
+    "axios": "^1.14.0",
     "chalk": "^5.6.2",
     "cli-progress": "^3.12.0",
     "cli-table3": "^0.6.5",