@lanonasis/cli 3.9.6 → 3.9.7

package/dist/mcp/schemas/tool-schemas.js

@@ -22,7 +22,7 @@ export const MemoryCreateSchema = z.object({
         .uuid()
         .optional()
         .describe("Optional topic ID for organization"),
-    metadata: z.record(z.any())
+    metadata: z.record(z.string(), z.any())
         .optional()
         .describe("Additional metadata")
 });
@@ -71,7 +71,7 @@ export const MemoryUpdateSchema = z.object({
     tags: z.array(z.string())
         .optional()
         .describe("New tags (replaces existing)"),
-    metadata: z.record(z.any())
+    metadata: z.record(z.string(), z.any())
         .optional()
         .describe("New metadata (merges with existing)")
 });
@@ -229,7 +229,7 @@ export const BulkOperationSchema = z.object({
         .describe("Bulk operation type"),
     entity_type: z.enum(["memory", "topic", "apikey"])
         .describe("Entity type for bulk operation"),
-    items: z.array(z.record(z.any()))
+    items: z.array(z.record(z.string(), z.any()))
         .min(1)
         .max(100)
         .describe("Items for bulk operation"),
@@ -249,7 +249,7 @@ export const ImportExportSchema = z.object({
     file_path: z.string()
         .optional()
         .describe("File path for import/export"),
-    filters: z.record(z.any())
+    filters: z.record(z.string(), z.any())
         .optional()
         .describe("Filters for export")
 });
@@ -257,7 +257,7 @@ export const ImportExportSchema = z.object({
 export const ToolExecutionSchema = z.object({
     tool_name: z.string()
         .describe("Name of the tool to execute"),
-    arguments: z.record(z.any())
+    arguments: z.record(z.string(), z.any())
         .describe("Tool arguments"),
     timeout: z.number()
         .positive()
@@ -308,7 +308,7 @@ export class SchemaValidator {
         }
         catch (error) {
             if (error instanceof z.ZodError) {
-                throw new Error(`Validation error: ${error.errors
+                throw new Error(`Validation error: ${error.issues
                     .map(e => `${e.path.join('.')}: ${e.message}`)
                     .join(', ')}`);
             }
@@ -326,7 +326,7 @@ export class SchemaValidator {
         else {
             return {
                 success: false,
-                errors: result.error.errors.map(e => `${e.path.join('.')}: ${e.message}`)
+                errors: result.error.issues.map(e => `${e.path.join('.')}: ${e.message}`)
             };
         }
     }

package/dist/utils/api.d.ts

@@ -149,9 +149,27 @@ export interface ApiErrorResponse {
     status_code: number;
     details?: Record<string, unknown>;
 }
+export interface UserProfile {
+    id: string;
+    email: string;
+    name: string | null;
+    avatar_url: string | null;
+    role: string;
+    provider: string | null;
+    project_scope: string | null;
+    platform: string | null;
+    created_at: string | null;
+    last_sign_in_at: string | null;
+    metadata?: {
+        locale: string | null;
+        timezone: string | null;
+    };
+}
 export declare class APIClient {
     private client;
     private config;
+    /** When true, throw on 401/403 instead of printing+exiting (for callers that handle errors) */
+    noExit: boolean;
     private normalizeMemoryEntry;
     private shouldUseLegacyMemoryRpcFallback;
     constructor();
@@ -171,6 +189,12 @@ export declare class APIClient {
     updateTopic(id: string, data: UpdateTopicRequest): Promise<MemoryTopic>;
     deleteTopic(id: string): Promise<void>;
     getHealth(): Promise<HealthStatus>;
+    /**
+     * Fetch the current user's profile from the auth gateway (GET /v1/auth/me).
+     * Works for all auth methods: OAuth Bearer token, vendor key (X-API-Key), and JWT.
+     * The /auth/ prefix causes the request interceptor to route this to auth_base.
+     */
+    getUserProfile(): Promise<UserProfile>;
     get<T = any>(url: string, config?: AxiosRequestConfig): Promise<T>;
     post<T = any>(url: string, data?: any, config?: AxiosRequestConfig): Promise<T>;
     put<T = any>(url: string, data?: any, config?: AxiosRequestConfig): Promise<T>;

package/dist/utils/api.js

@@ -5,6 +5,8 @@ import { CLIConfig } from './config.js';
 export class APIClient {
     client;
     config;
+    /** When true, throw on 401/403 instead of printing+exiting (for callers that handle errors) */
+    noExit = false;
     normalizeMemoryEntry(payload) {
         // API responses are inconsistent across gateways:
         // - Some return the memory entry directly
@@ -148,11 +150,21 @@ export class APIClient {
             if (error.response) {
                 const { status, data } = error.response;
                 if (status === 401) {
+                    // Invalidate the local auth cache so the next isAuthenticated() call
+                    // performs a fresh server check rather than returning a stale result.
+                    this.config.invalidateAuthCache().catch(() => { });
+                    if (this.noExit) {
+                        // Caller handles the error (e.g. auth status probe) — throw so try/catch fires
+                        return Promise.reject(error);
+                    }
                     console.error(chalk.red('✖ Authentication failed'));
                     console.log(chalk.yellow('Please run:'), chalk.white('lanonasis auth login'));
                     process.exit(1);
                 }
                 if (status === 403) {
+                    if (this.noExit) {
+                        return Promise.reject(error);
+                    }
                     console.error(chalk.red('✖ Permission denied'));
                     if (data.message) {
                         console.error(chalk.gray(data.message));
@@ -436,6 +448,15 @@ export class APIClient {
         const response = await this.client.get('/health');
         return response.data;
     }
+    /**
+     * Fetch the current user's profile from the auth gateway (GET /v1/auth/me).
+     * Works for all auth methods: OAuth Bearer token, vendor key (X-API-Key), and JWT.
+     * The /auth/ prefix causes the request interceptor to route this to auth_base.
+     */
+    async getUserProfile() {
+        const response = await this.client.get('/v1/auth/me');
+        return response.data;
+    }
     // Generic HTTP methods
     async get(url, config) {
         const response = await this.client.get(url, config);

package/dist/utils/config.d.ts

@@ -83,9 +83,18 @@ export declare class CLIConfig {
     verifyCurrentCredentialsWithServer(): Promise<RemoteAuthVerification>;
     setManualEndpoints(endpoints: Partial<CLIConfigData['discoveredServices']>): Promise<void>;
     hasManualEndpointOverrides(): boolean;
+    /**
+     * Clears the in-memory auth cache and removes the `lastValidated` timestamp.
+     * Called after a definitive 401 from the memory API so that the next
+     * `isAuthenticated()` call performs a fresh server verification rather than
+     * returning a stale cached result.
+     */
+    invalidateAuthCache(): Promise<void>;
     clearManualEndpointOverrides(): Promise<void>;
     getDiscoveredApiUrl(): string;
-    setVendorKey(vendorKey: string): Promise<void>;
+    setVendorKey(vendorKey: string, options?: {
+        skipServerValidation?: boolean;
+    }): Promise<void>;
     validateVendorKeyFormat(vendorKey: string): string | boolean;
     private validateVendorKeyWithServer;
     getVendorKey(): string | undefined;

package/dist/utils/config.js

@@ -190,6 +190,10 @@ export class CLIConfig {
     }
     // Enhanced Service Discovery Integration
     async discoverServices(verbose = false) {
+        // Honour manually configured endpoints — skip auto-discovery so we don't clobber them.
+        if (this.config.manualEndpointOverrides) {
+            return;
+        }
         const isTestEnvironment = process.env.NODE_ENV === 'test';
         const forceDiscovery = process.env.FORCE_SERVICE_DISCOVERY === 'true';
         if ((isTestEnvironment && !forceDiscovery) || process.env.SKIP_SERVICE_DISCOVERY === 'true') {
@@ -534,6 +538,16 @@ export class CLIConfig {
         };
     }
     async verifyVendorKeyWithAuthGateway(vendorKey) {
+        // Detect whether the stored "vendor key" is actually an OAuth/JWT access token
+        // (3-part base64url string separated by dots). OAuth tokens must be verified via the
+        // Bearer token path (/v1/auth/verify-token), not as API keys (/v1/auth/verify-api-key),
+        // because they are not stored in the api_keys table.
+        const isJwtFormat = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/.test(vendorKey.trim());
+        if (isJwtFormat) {
+            // Delegate to token verification — the auth gateway's UAI router accepts Bearer tokens
+            // on /v1/auth/verify (requireAuth) and /v1/auth/verify-token (public, body-based).
+            return this.verifyTokenWithAuthGateway(vendorKey);
+        }
         const headers = {
             'X-API-Key': vendorKey,
             'X-Auth-Method': 'vendor_key',
@@ -655,6 +669,17 @@ export class CLIConfig {
     hasManualEndpointOverrides() {
         return !!this.config.manualEndpointOverrides;
     }
+    /**
+     * Clears the in-memory auth cache and removes the `lastValidated` timestamp.
+     * Called after a definitive 401 from the memory API so that the next
+     * `isAuthenticated()` call performs a fresh server verification rather than
+     * returning a stale cached result.
+     */
+    async invalidateAuthCache() {
+        this.authCheckCache = null;
+        delete this.config.lastValidated;
+        await this.save().catch(() => { });
+    }
     async clearManualEndpointOverrides() {
         delete this.config.manualEndpointOverrides;
         delete this.config.lastManualEndpointUpdate;
@@ -667,15 +692,20 @@ export class CLIConfig {
             'https://auth.lanonasis.com';
     }
     // Enhanced authentication support
-    async setVendorKey(vendorKey) {
+    async setVendorKey(vendorKey, options = {}) {
         const trimmedKey = typeof vendorKey === 'string' ? vendorKey.trim() : '';
         // Minimal format validation (non-empty); rely on server-side checks for everything else
         const formatValidation = this.validateVendorKeyFormat(trimmedKey);
         if (formatValidation !== true) {
             throw new Error(typeof formatValidation === 'string' ? formatValidation : 'Vendor key is invalid');
         }
-        // Server-side validation
-        await this.validateVendorKeyWithServer(trimmedKey);
+        // Skip server-side validation when the caller already holds a valid auth credential
+        // (e.g. an OAuth access token being stored for MCP/API access — auth-gateway won't
+        // recognise it as a vendor key even though the memory API accepts it).
+        const isOAuthContext = ['oauth', 'oauth2'].includes(this.config.authMethod || '');
+        if (!options.skipServerValidation && !isOAuthContext) {
+            await this.validateVendorKeyWithServer(trimmedKey);
+        }
         // Initialize and store using ApiKeyStorage from @lanonasis/oauth-client
         // This handles encryption automatically (AES-256-GCM with machine-derived key)
         await this.apiKeyStorage.initialize();
@@ -877,23 +907,21 @@ export class CLIConfig {
             const vendorKey = await this.getVendorKeyAsync();
             if (!vendorKey)
                 return false;
-            // Check cache first
+            // Check in-memory cache first (5-minute TTL)
             if (this.authCheckCache && (Date.now() - this.authCheckCache.timestamp) < this.AUTH_CACHE_TTL) {
                 return this.authCheckCache.isValid;
             }
-            // Check if recently validated (within 24 hours)
+            // Track lastValidated for the offline grace period used in the catch block.
+            // The 24-hour skip-server-validation gate has been removed: it allowed expired/revoked
+            // keys to appear valid as long as they had been validated within the past day.
             const lastValidated = this.config.lastValidated;
-            const recentlyValidated = lastValidated &&
-                (Date.now() - new Date(lastValidated).getTime()) < (24 * 60 * 60 * 1000);
-            if (recentlyValidated) {
-                this.authCheckCache = { isValid: true, timestamp: Date.now() };
-                return true;
-            }
-            // Vendor key not recently validated - verify with server
+            // Verify with server on every cache-miss
             try {
                 const verification = await this.verifyVendorKeyWithAuthGateway(vendorKey);
                 if (!verification.valid) {
-                    throw new Error(verification.reason || 'Vendor key validation failed');
+                    // Auth gateway explicitly rejected the key — no grace period applies.
+                    this.authCheckCache = { isValid: false, timestamp: Date.now() };
+                    return false;
                 }
                 // Update last validated timestamp on success
                 this.config.lastValidated = new Date().toISOString();
@@ -901,8 +929,18 @@ export class CLIConfig {
                 this.authCheckCache = { isValid: true, timestamp: Date.now() };
                 return true;
             }
-            catch {
-                // Server validation failed - check for grace period (7 days offline)
+            catch (err) {
+                // verifyVendorKeyWithAuthGateway throws only on network/timeout errors
+                // (explicit 401/403 returns {valid:false} without throwing).
+                // Apply the 7-day offline grace ONLY for genuine network failures.
+                const normalizedErr = this.normalizeServiceError(err);
+                const httpStatus = normalizedErr.response?.status ?? 0;
+                if (httpStatus === 401 || httpStatus === 403) {
+                    // Explicit auth rejection propagated as an exception — definitely invalid.
+                    this.authCheckCache = { isValid: false, timestamp: Date.now() };
+                    return false;
+                }
+                // Network / server error — apply offline grace period
                 const gracePeriod = 7 * 24 * 60 * 60 * 1000;
                 const withinGracePeriod = lastValidated &&
                     (Date.now() - new Date(lastValidated).getTime()) < gracePeriod;
@@ -913,7 +951,6 @@ export class CLIConfig {
                     this.authCheckCache = { isValid: true, timestamp: Date.now() };
                     return true;
                 }
-                // Grace period expired - require server validation
                 if (process.env.CLI_VERBOSE === 'true') {
                     console.warn('⚠️  Vendor key validation failed and grace period expired');
                 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lanonasis/cli",
-  "version": "3.9.6",
+  "version": "3.9.7",
   "description": "Professional CLI for LanOnasis Memory as a Service (MaaS) with MCP support, seamless inline editing, and enterprise-grade security",
   "keywords": [
     "lanonasis",
@@ -52,37 +52,37 @@
     "CHANGELOG.md"
   ],
   "dependencies": {
-    "@lanonasis/oauth-client": "1.2.5",
+    "@lanonasis/oauth-client": "2.0.0",
     "@lanonasis/security-sdk": "1.0.5",
-    "@modelcontextprotocol/sdk": "^1.25.2",
-    "axios": "^1.7.7",
-    "chalk": "^5.3.0",
+    "@modelcontextprotocol/sdk": "^1.26.0",
+    "axios": "^1.13.5",
+    "chalk": "^5.6.2",
     "cli-progress": "^3.12.0",
-    "cli-table3": "^0.6.3",
-    "commander": "^12.1.0",
+    "cli-table3": "^0.6.5",
+    "commander": "^14.0.3",
     "date-fns": "^4.1.0",
-    "dotenv": "^16.4.5",
-    "eventsource": "^4.0.0",
-    "inquirer": "^9.3.6",
+    "dotenv": "^17.3.1",
+    "eventsource": "^4.1.0",
+    "inquirer": "^13.2.5",
     "jwt-decode": "^4.0.0",
-    "open": "^10.2.0",
-    "ora": "^8.0.1",
+    "open": "^11.0.0",
+    "ora": "^9.3.0",
     "table": "^6.9.0",
     "word-wrap": "^1.2.5",
-    "ws": "^8.18.0",
-    "zod": "^3.24.4"
+    "ws": "^8.19.0",
+    "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@jest/globals": "^27.5.1",
+    "@jest/globals": "^30.2.0",
     "@types/cli-progress": "^3.11.6",
-    "@types/inquirer": "^9.0.7",
-    "@types/node": "^22.19.3",
-    "@types/ws": "^8.5.12",
-    "fast-check": "^3.15.1",
-    "jest": "^25.0.0",
+    "@types/inquirer": "^9.0.9",
+    "@types/node": "^25.3.0",
+    "@types/ws": "^8.18.1",
+    "fast-check": "^4.5.3",
+    "jest": "^30.2.0",
     "rimraf": "^6.1.3",
-    "ts-jest": "^29.1.1",
-    "typescript": "^5.7.2"
+    "ts-jest": "^29.4.6",
+    "typescript": "^5.9.3"
   },
   "scripts": {
     "build": "rimraf dist && tsc -p tsconfig.json",