@lanonasis/cli 3.9.5 → 3.9.7

package/CHANGELOG.md

@@ -1,5 +1,54 @@
 # Changelog - @lanonasis/cli
 
+## [3.9.7] - 2026-02-21
+
+### ✨ New Features
+
+- **`onasis whoami` command**: Display full authenticated user profile including email, name, role, OAuth provider, project scope, and last login time. Fetches live data from `GET /v1/auth/me`.
+- **Live profile on `auth status`**: `onasis auth status` now fetches the real user profile from the auth gateway and displays email, role, and plan — no longer relies solely on cached local state.
+- **Live memory API probe on `auth status`**: After local auth check passes, `auth status` issues a real memory list request to confirm end-to-end API access, reporting `✓ accessible` or `✖ rejected (401)` with actionable guidance.
+- **Manual endpoint override warning**: `auth status` now warns when `manualEndpointOverrides` is active and shows the configured endpoint URLs.
+
+### 🐛 Bug Fixes
+
+- **OAuth sessions no longer show "Not Authenticated"**: Fixed `auth status` incorrectly reporting unauthenticated for valid OAuth PKCE sessions — was checking `if (isAuth && user)` when `user` may be undefined for OAuth sessions.
+- **`process.exit(1)` no longer kills status probe**: Added `noExit` flag to `APIClient` so callers like `auth status` can catch 401/403 from the memory probe without the interceptor terminating the process.
+- **Stale auth cache cleared on 401**: When the memory API returns 401, the CLI now calls `invalidateAuthCache()` to clear the 5-minute in-memory cache and the persisted `lastValidated` timestamp, preventing the 24-hour grace bypass.
+- **24-hour `lastValidated` skip removed**: Eliminated a security hole that bypassed server re-validation for 24 hours after any successful auth check.
+- **7-day offline grace restricted to network errors**: The offline grace period no longer applies to explicit 401/403 auth rejections — only genuine network failures.
+- **Bogus vendor key always passed auth check**: `pingAuthHealth()` was hitting the unauthenticated `/health` endpoint. Replaced with `probeVendorKeyAuth()` which calls `POST /api/v1/memories/search` — a real protected endpoint. Interprets 401/403 as auth rejection, any other response (400, 405, 5xx) as auth accepted with a backend concern.
+- **`discoverServices()` overwrote manual overrides**: Fixed auto-discovery ignoring `manualEndpointOverrides`; discovery now short-circuits when manual overrides are active.
+- **Stale JWT cleared on vendor key switch**: When `setVendorKey()` sets `authMethod: 'vendor_key'`, any existing JWT tokens are now removed from config to prevent auth-method confusion in the API client.
+- **Zod v4 compatibility**: Fixed `z.record(z.any())` → `z.record(z.string(), z.any())` (5 instances in `tool-schemas.ts`) and `error.errors` → `error.issues` (2 instances in schema validator).
+- **Inquirer v9 compatibility**: Fixed deprecated `type: 'list'` → `type: 'select'` prompt type in `welcome.ts`.
+
+### 📡 Auth Gateway Integration (coordinated release)
+
+These CLI changes are paired with server-side fixes in the same release:
+- **Auth Gateway `requireAuth`**: Added opaque OAuth PKCE token introspection path — OAuth CLI sessions can now access `GET /v1/auth/me` and other protected endpoints.
+- **Central API Gateway (`onasis-gateway`)**: `validateJWTToken()` now falls back to `POST /verify-token` when the session endpoint returns 401, enabling OAuth token passthrough for all proxied services. Added `get-me` tool to the auth-gateway MCP adapter.
+
+### 📚 Documentation
+
+- Updated README with `onasis whoami` command reference.
+- Added `auth status` live probe behavior to authentication section.
+- Added `--no-mcp` flag to memory command examples.
+
+## [3.9.6] - 2026-02-21
+
+### 🐛 Bug Fixes
+
+- **Reliable Memory Auth Routing**: Memory CRUD and search operations now consistently route through the API gateway (`https://api.lanonasis.com`) to avoid MCP endpoint contract mismatches.
+- **Legacy Endpoint Compatibility**: Added fallback support for deployments that still expose RPC-style memory routes (`/api/v1/memory/*`) when REST routes return `400/405`.
+- **Auth Status Accuracy**: `status` now validates live auth state against the auth verify endpoint before reporting authenticated session state.
+- **OAuth Session Stability**: Requests proactively refresh OAuth/JWT sessions to reduce intermittent `memory login required` errors during long-running CLI usage.
+- **Response Normalization**: Memory get/list/search handlers normalize wrapped gateway responses (`{ data: ... }`) for consistent CLI behavior across environments.
+
+### 📚 Documentation
+
+- Clarified auth flow behavior for vendor keys and bearer tokens.
+- Added release notes for endpoint override guidance and memory transport behavior.
+
 ## [3.9.3] - 2026-02-02
 
 ### ✨ Features

package/README.md

@@ -1,11 +1,11 @@
-# @lanonasis/cli v3.9.3 - Enterprise Security & Professional UX
+# @lanonasis/cli v3.9.7 - OAuth PKCE Auth & whoami
 
 [![NPM Version](https://img.shields.io/npm/v/@lanonasis/cli)](https://www.npmjs.com/package/@lanonasis/cli)
 [![Downloads](https://img.shields.io/npm/dt/@lanonasis/cli)](https://www.npmjs.com/package/@lanonasis/cli)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![Golden Contract](https://img.shields.io/badge/Onasis--Core-v0.1%20Compliant-gold)](https://api.lanonasis.com/.well-known/onasis.json)
 
-🎉 **NEW IN v3.9.3**: Fixed JWT authentication routing for username/password login, resolved frozen terminal during interactive input, and added non-interactive vendor key authentication (`-k` flag). Professional CLI UX with seamless inline text editing, intelligent MCP connection management, and first-run onboarding.
+🎉 **NEW IN v3.9.7**: Full OAuth PKCE session support across CLI and API gateway. New `onasis whoami` command. `auth status` now shows live user profile and probes real memory API access. Seven auth verification fixes eliminate false-positive "Authenticated: Yes" reports.
 
 ## 🚀 Quick Start
 
@@ -129,23 +129,19 @@ maas memory list
 
 ## 🔐 Security & Authentication
 
-### Enterprise-Grade SHA-256 Security (v3.7.0+)
+### Enterprise-Grade API Key Handling
 
-All API keys are now secured with SHA-256 cryptographic hashing:
+The CLI uses secure local storage and sends credentials in the expected wire format:
 
-- ✅ **Automatic Hash Normalization**: Keys are automatically hashed before transmission
-- ✅ **Double-Hash Prevention**: Smart detection prevents re-hashing already hashed keys
-- ✅ **Cross-Platform Compatibility**: Works seamlessly across Node.js and browser environments
-- ✅ **Zero Configuration**: Security is automatic and transparent
-
-```typescript
-// Hash utilities are built-in and automatic
-// Your vendor keys are automatically secured
-onasis login --vendor-key pk_xxxxx.sk_xxxxx  // ✅ Automatically hashed
-```
+- ✅ **Encrypted At Rest**: Vendor keys are stored in encrypted local storage (keytar when available, encrypted file fallback otherwise).
+- ✅ **Correct On-Wire Format**: Vendor key auth sends the raw vendor key in `X-API-Key` over HTTPS.
+- ✅ **Single Server-Side Hash Validation**: The API validates keys with server-side hashing and does not require client-side hashing.
+- ✅ **Token-First Sessions**: OAuth/JWT sessions use `Authorization: Bearer <token>` and refresh automatically before expiry.
 
 ### Authentication Methods
 
+> Transport note: for memory commands, keep `manualEndpointOverrides=false` so requests route through `https://api.lanonasis.com`.
+
 ### 1. Vendor Key Authentication (Recommended)
 
 Best for API integrations and automation. Copy the vendor key value exactly as shown in your LanOnasis dashboard (keys may vary in format):
@@ -176,13 +172,28 @@ Traditional username/password authentication:
 onasis login  # Will prompt for email and password
 ```
 
-### Authentication Status
+### Authentication Status & Profile
 
 ```bash
-onasis auth status    # Check current authentication
+onasis auth status    # Check current authentication (probes live memory API access)
 onasis auth logout    # Logout from current session
+onasis whoami         # Display full authenticated user profile
 ```
 
+`auth status` now performs a live end-to-end check:
+1. Validates the local credential (vendor key probe hits a real protected endpoint, not `/health`)
+2. Fetches and displays your user profile from `GET /v1/auth/me`
+3. Issues a real memory list request to confirm API access is working
+4. Warns if manual endpoint overrides are active
+
+`onasis whoami` displays:
+- Email address and display name
+- Role (admin, user, authenticated)
+- Plan tier (free, pro, enterprise)
+- OAuth provider (if applicable)
+- Project scope
+- Last login time
+
 **Auth Login Options:**
 | Short | Long | Description |
 |-------|------|-------------|
@@ -226,6 +237,7 @@ echo 'onasis --completion fish | source' >> ~/.config/fish/config.fish
 ```bash
 onasis health           # Comprehensive system health check
 onasis status          # Quick status overview
+onasis whoami          # Display authenticated user profile (email, role, plan, provider)
 onasis init            # Initialize CLI configuration
 onasis guide           # Interactive setup guide
 onasis quickstart      # Essential commands reference

package/dist/core/welcome.js

@@ -73,7 +73,7 @@ export class WelcomeExperience {
         const choices = isAuthenticated ? existingUserOptions : newUserOptions;
         const { choice } = await inquirer.prompt([
             {
-                type: 'list',
+                type: 'select',
                 name: 'choice',
                 message: isAuthenticated ?
                     'Welcome back! What would you like to do?' :
@@ -229,7 +229,7 @@ export class InteractiveSetup {
         console.log("Let's connect to your Onasis service\n");
         const { connectionType } = await inquirer.prompt([
             {
-                type: 'list',
+                type: 'select',
                 name: 'connectionType',
                 message: 'Where is your Onasis service hosted?',
                 choices: [
@@ -291,7 +291,7 @@ export class InteractiveSetup {
         };
         const { authMethod } = await inquirer.prompt([
             {
-                type: 'list',
+                type: 'select',
                 name: 'authMethod',
                 message: 'Select authentication method:',
                 choices: [
@@ -395,7 +395,7 @@ export class InteractiveSetup {
         console.log("Let's personalize your experience\n");
         const answers = await inquirer.prompt([
             {
-                type: 'list',
+                type: 'select',
                 name: 'outputFormat',
                 message: 'Preferred output format:',
                 choices: [

package/dist/index-simple.js

@@ -553,18 +553,30 @@ program
     .action(async () => {
     // Initialize config first
     await cliConfig.init();
-    const isAuth = await cliConfig.isAuthenticated();
+    const verification = await cliConfig.verifyCurrentCredentialsWithServer().catch((error) => ({
+        valid: false,
+        method: 'none',
+        endpoint: undefined,
+        reason: error instanceof Error ? error.message : String(error)
+    }));
+    const isAuth = verification.valid;
     const apiUrl = cliConfig.getApiUrl();
     console.log(chalk.blue.bold('MaaS CLI Status'));
     console.log(`API URL: ${apiUrl}`);
     console.log(`Authenticated: ${isAuth ? chalk.green('Yes') : chalk.red('No')}`);
+    if (process.env.CLI_VERBOSE === 'true' && verification.endpoint) {
+        console.log(`Verified via: ${verification.endpoint}`);
+    }
     if (isAuth) {
         const user = await cliConfig.getCurrentUser();
         if (user) {
             console.log(`User: ${user.email}`);
             console.log(`Plan: ${user.plan}`);
         }
+        return;
     }
+    console.log(chalk.yellow(`Auth check: ${verification.reason || 'Credential validation failed'}`));
+    console.log(chalk.yellow('Please run:'), chalk.white('lanonasis auth login'));
 });
 // Health command using the healthCheck function
 program

package/dist/index.js

@@ -11,6 +11,7 @@ import { orgCommands } from './commands/organization.js';
 import { mcpCommands } from './commands/mcp.js';
 import apiKeysCommand from './commands/api-keys.js';
 import { CLIConfig } from './utils/config.js';
+import { APIClient } from './utils/api.js';
 import { getMCPClient } from './utils/mcp-client.js';
 import { dirname, join } from 'path';
 import { createOnboardingFlow } from './ux/index.js';
@@ -253,29 +254,77 @@ authCmd
     .description('Show authentication status')
     .action(async () => {
     const isAuth = await cliConfig.isAuthenticated();
-    const user = await cliConfig.getCurrentUser();
     const failureCount = cliConfig.getFailureCount();
     const lastFailure = cliConfig.getLastAuthFailure();
     const authMethod = cliConfig.get('authMethod');
     const lastValidated = cliConfig.get('lastValidated');
     console.log(chalk.blue.bold('🔐 Authentication Status'));
     console.log('━'.repeat(40));
-    if (isAuth && user) {
+    if (isAuth) {
         console.log(chalk.green('✓ Authenticated'));
-        console.log(`Email: ${user.email}`);
-        console.log(`Organization: ${user.organization_id}`);
-        console.log(`Plan: ${user.plan}`);
         if (authMethod) {
             console.log(`Method: ${authMethod}`);
         }
         if (lastValidated) {
-            const validatedDate = new Date(lastValidated);
-            console.log(`Last validated: ${validatedDate.toLocaleString()}`);
+            console.log(`Last validated: ${new Date(lastValidated).toLocaleString()}`);
+        }
+        // Fetch live profile from auth gateway
+        try {
+            const profileClient = new APIClient();
+            profileClient.noExit = true;
+            const profile = await profileClient.getUserProfile();
+            console.log(`Email: ${profile.email}`);
+            if (profile.name)
+                console.log(`Name: ${profile.name}`);
+            console.log(`Role: ${profile.role}`);
+            if (profile.provider)
+                console.log(`Provider: ${profile.provider}`);
+            if (profile.last_sign_in_at) {
+                console.log(`Last sign-in: ${new Date(profile.last_sign_in_at).toLocaleString()}`);
+            }
+        }
+        catch {
+            // Profile fetch failed (e.g. auth gateway offline) — show cached info if available
+            const cached = await cliConfig.getCurrentUser();
+            if (cached?.email)
+                console.log(`Email: ${cached.email} (cached)`);
         }
     }
     else {
         console.log(chalk.red('✖ Not authenticated'));
-        console.log(chalk.yellow('Run:'), chalk.white('memory login'));
+        console.log(chalk.yellow('Run:'), chalk.white('lanonasis auth login'));
+    }
+    // Warn when manual endpoint overrides are active
+    if (cliConfig.hasManualEndpointOverrides()) {
+        console.log();
+        console.log(chalk.yellow('⚠️  Manual endpoint overrides are active (manualEndpointOverrides=true)'));
+        const services = cliConfig.get('discoveredServices');
+        if (services) {
+            console.log(chalk.gray(`   auth:   ${services['auth_base']}`));
+            console.log(chalk.gray(`   memory: ${services['memory_base']}`));
+        }
+        console.log(chalk.gray('   Run: lanonasis config clear-overrides  to restore auto-discovery'));
+    }
+    // Live memory API probe — shows whether credentials actually work end-to-end
+    if (isAuth) {
+        console.log();
+        process.stdout.write('Memory API access: ');
+        try {
+            const apiClient = new APIClient();
+            apiClient.noExit = true; // catch 401 in our try/catch below instead of process.exit
+            await apiClient.getMemories({ limit: 1 });
+            console.log(chalk.green('✓ accessible'));
+        }
+        catch (err) {
+            const status = err?.response?.status;
+            if (status === 401 || status === 403) {
+                console.log(chalk.red(`✖ rejected (${status}) — credentials are stale or revoked`));
+                console.log(chalk.yellow('  Run: lanonasis auth login'));
+            }
+            else {
+                console.log(chalk.yellow(`⚠  reachable (status: ${status ?? 'network error'})`));
+            }
+        }
     }
     // Show failure tracking information
     if (failureCount > 0) {
@@ -630,17 +679,85 @@ program
     .description('Show overall system status')
     .action(async () => {
     await cliConfig.init();
-    const isAuth = await cliConfig.isAuthenticated();
+    const verification = await cliConfig.verifyCurrentCredentialsWithServer().catch((error) => ({
+        valid: false,
+        method: 'none',
+        endpoint: undefined,
+        reason: error instanceof Error ? error.message : String(error)
+    }));
+    const isAuth = verification.valid;
     const apiUrl = cliConfig.getApiUrl();
     console.log(chalk.blue.bold('MaaS CLI Status'));
     console.log(`API URL: ${apiUrl}`);
     console.log(`Authenticated: ${isAuth ? chalk.green('Yes') : chalk.red('No')}`);
+    if (process.env.CLI_VERBOSE === 'true' && verification.endpoint) {
+        console.log(`Verified via: ${verification.endpoint}`);
+    }
     if (isAuth) {
-        const user = await cliConfig.getCurrentUser();
-        if (user) {
-            console.log(`User: ${user.email}`);
-            console.log(`Plan: ${user.plan}`);
+        try {
+            const profileClient = new APIClient();
+            profileClient.noExit = true;
+            const profile = await profileClient.getUserProfile();
+            console.log(`User: ${profile.email}`);
+            if (profile.name)
+                console.log(`Name: ${profile.name}`);
+            console.log(`Role: ${profile.role}`);
         }
+        catch {
+            const cached = await cliConfig.getCurrentUser();
+            if (cached?.email)
+                console.log(`User: ${cached.email} (cached)`);
+        }
+        return;
+    }
+    console.log(chalk.yellow(`Auth check: ${verification.reason || 'Credential validation failed'}`));
+    console.log(chalk.yellow('Please run:'), chalk.white('lanonasis auth login'));
+});
+// Whoami command — live profile from auth gateway
+program
+    .command('whoami')
+    .description('Show the currently authenticated user profile')
+    .action(async () => {
+    await cliConfig.init();
+    const isAuth = await cliConfig.isAuthenticated();
+    if (!isAuth) {
+        console.log(chalk.red('✖ Not authenticated'));
+        console.log(chalk.yellow('Run:'), chalk.white('lanonasis auth login'));
+        process.exit(1);
+    }
+    try {
+        const profileClient = new APIClient();
+        profileClient.noExit = true;
+        const profile = await profileClient.getUserProfile();
+        console.log(chalk.blue.bold('👤 Current User'));
+        console.log('━'.repeat(40));
+        console.log(`Email:      ${chalk.white(profile.email)}`);
+        if (profile.name) {
+            console.log(`Name:       ${chalk.white(profile.name)}`);
+        }
+        console.log(`Role:       ${chalk.white(profile.role)}`);
+        if (profile.provider) {
+            console.log(`Provider:   ${chalk.white(profile.provider)}`);
+        }
+        if (profile.project_scope) {
+            console.log(`Scope:      ${chalk.white(profile.project_scope)}`);
+        }
+        if (profile.last_sign_in_at) {
+            console.log(`Last login: ${chalk.white(new Date(profile.last_sign_in_at).toLocaleString())}`);
+        }
+        if (profile.created_at) {
+            console.log(`Member since: ${chalk.white(new Date(profile.created_at).toLocaleString())}`);
+        }
+    }
+    catch (err) {
+        const status = err?.response?.status;
+        if (status === 401 || status === 403) {
+            console.log(chalk.red('✖ Session expired — please log in again'));
+            console.log(chalk.yellow('Run:'), chalk.white('lanonasis auth login'));
+            process.exit(1);
+        }
+        console.error(chalk.red('✖ Failed to fetch profile:'), err instanceof Error ? err.message : String(err));
+        process.exit(1);
     }
 });
 // Health command using the healthCheck function