@lanonasis/cli 3.9.6 → 3.9.8

package/CHANGELOG.md

@@ -1,5 +1,57 @@
 # Changelog - @lanonasis/cli
 
+## [3.9.8] - 2026-02-25
+
+### ✨ New Features
+
+- **Issue #98 (CLI Memory UX Enhancements)**:
+  - Added `onasis memory create --json <json>` for direct JSON payload creation.
+  - Added `onasis memory create --content-file <path>` for file-based content ingestion.
+  - Added `onasis memory save-session` to persist branch/status/changed-files session context as memory.
+- **Behavior methods via CLI commands**:
+  - Added `onasis memory intelligence` subcommands for health check, tag suggestions, related lookup, duplicate detection, insight extraction, and pattern analysis.
+  - Added `onasis memory behavior` subcommands for `record`, `recall`, and `suggest` workflow behavior operations.
+
+### 🐛 Bug Fixes
+
+- Normalized memory response handling for create/get/update wrappers (`{ data: ... }`) so CLI output fields like ID/Title/Type are consistently resolved.
+- Ensured token refresh is executed before memory command paths to reduce intermittent re-auth prompts during active OAuth sessions.
+- Aligned default semantic search thresholds to `0.55` across memory and MCP search command paths for consistent result behavior.
+
+## [3.9.7] - 2026-02-21
+
+### ✨ New Features
+
+- **`onasis whoami` command**: Display full authenticated user profile including email, name, role, OAuth provider, project scope, and last login time. Fetches live data from `GET /v1/auth/me`.
+- **Live profile on `auth status`**: `onasis auth status` now fetches the real user profile from the auth gateway and displays email, role, and plan — no longer relies solely on cached local state.
+- **Live memory API probe on `auth status`**: After local auth check passes, `auth status` issues a real memory list request to confirm end-to-end API access, reporting `✓ accessible` or `✖ rejected (401)` with actionable guidance.
+- **Manual endpoint override warning**: `auth status` now warns when `manualEndpointOverrides` is active and shows the configured endpoint URLs.
+
+### 🐛 Bug Fixes
+
+- **OAuth sessions no longer show "Not Authenticated"**: Fixed `auth status` incorrectly reporting unauthenticated for valid OAuth PKCE sessions — was checking `if (isAuth && user)` when `user` may be undefined for OAuth sessions.
+- **`process.exit(1)` no longer kills status probe**: Added `noExit` flag to `APIClient` so callers like `auth status` can catch 401/403 from the memory probe without the interceptor terminating the process.
+- **Stale auth cache cleared on 401**: When the memory API returns 401, the CLI now calls `invalidateAuthCache()` to clear the 5-minute in-memory cache and the persisted `lastValidated` timestamp, preventing the 24-hour grace bypass.
+- **24-hour `lastValidated` skip removed**: Eliminated a security hole that bypassed server re-validation for 24 hours after any successful auth check.
+- **7-day offline grace restricted to network errors**: The offline grace period no longer applies to explicit 401/403 auth rejections — only genuine network failures.
+- **Bogus vendor key always passed auth check**: `pingAuthHealth()` was hitting the unauthenticated `/health` endpoint. Replaced with `probeVendorKeyAuth()` which calls `POST /api/v1/memories/search` — a real protected endpoint. Interprets 401/403 as auth rejection, any other response (400, 405, 5xx) as auth accepted with a backend concern.
+- **`discoverServices()` overwrote manual overrides**: Fixed auto-discovery ignoring `manualEndpointOverrides`; discovery now short-circuits when manual overrides are active.
+- **Stale JWT cleared on vendor key switch**: When `setVendorKey()` sets `authMethod: 'vendor_key'`, any existing JWT tokens are now removed from config to prevent auth-method confusion in the API client.
+- **Zod v4 compatibility**: Fixed `z.record(z.any())` → `z.record(z.string(), z.any())` (5 instances in `tool-schemas.ts`) and `error.errors` → `error.issues` (2 instances in schema validator).
+- **Inquirer v9 compatibility**: Fixed deprecated `type: 'list'` → `type: 'select'` prompt type in `welcome.ts`.
+
+### 📡 Auth Gateway Integration (coordinated release)
+
+These CLI changes are paired with server-side fixes in the same release:
+- **Auth Gateway `requireAuth`**: Added opaque OAuth PKCE token introspection path — OAuth CLI sessions can now access `GET /v1/auth/me` and other protected endpoints.
+- **Central API Gateway (`onasis-gateway`)**: `validateJWTToken()` now falls back to `POST /verify-token` when the session endpoint returns 401, enabling OAuth token passthrough for all proxied services. Added `get-me` tool to the auth-gateway MCP adapter.
+
+### 📚 Documentation
+
+- Updated README with `onasis whoami` command reference.
+- Added `auth status` live probe behavior to authentication section.
+- Added `--no-mcp` flag to memory command examples.
+
 ## [3.9.6] - 2026-02-21
 
 ### 🐛 Bug Fixes

package/README.md

@@ -1,11 +1,11 @@
-# @lanonasis/cli v3.9.6 - Auth Routing & Memory Reliability
+# @lanonasis/cli v3.9.7 - OAuth PKCE Auth & whoami
 
 [![NPM Version](https://img.shields.io/npm/v/@lanonasis/cli)](https://www.npmjs.com/package/@lanonasis/cli)
 [![Downloads](https://img.shields.io/npm/dt/@lanonasis/cli)](https://www.npmjs.com/package/@lanonasis/cli)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![Golden Contract](https://img.shields.io/badge/Onasis--Core-v0.1%20Compliant-gold)](https://api.lanonasis.com/.well-known/onasis.json)
 
-🎉 **NEW IN v3.9.6**: Fixed memory auth routing to the API gateway, added compatibility fallbacks for legacy memory endpoints, improved auth status verification, and stabilized OAuth/JWT refresh behavior during CLI memory operations.
+🎉 **NEW IN v3.9.7**: Full OAuth PKCE session support across CLI and API gateway. New `onasis whoami` command. `auth status` now shows live user profile and probes real memory API access. Seven auth verification fixes eliminate false-positive "Authenticated: Yes" reports.
 
 ## 🚀 Quick Start
 
@@ -172,13 +172,28 @@ Traditional username/password authentication:
 onasis login  # Will prompt for email and password
 ```
 
-### Authentication Status
+### Authentication Status & Profile
 
 ```bash
-onasis auth status    # Check current authentication
+onasis auth status    # Check current authentication (probes live memory API access)
 onasis auth logout    # Logout from current session
+onasis whoami         # Display full authenticated user profile
 ```
 
+`auth status` now performs a live end-to-end check:
+1. Validates the local credential (vendor key probe hits a real protected endpoint, not `/health`)
+2. Fetches and displays your user profile from `GET /v1/auth/me`
+3. Issues a real memory list request to confirm API access is working
+4. Warns if manual endpoint overrides are active
+
+`onasis whoami` displays:
+- Email address and display name
+- Role (admin, user, authenticated)
+- Plan tier (free, pro, enterprise)
+- OAuth provider (if applicable)
+- Project scope
+- Last login time
+
 **Auth Login Options:**
 | Short | Long | Description |
 |-------|------|-------------|
@@ -222,6 +237,7 @@ echo 'onasis --completion fish | source' >> ~/.config/fish/config.fish
 ```bash
 onasis health           # Comprehensive system health check
 onasis status          # Quick status overview
+onasis whoami          # Display authenticated user profile (email, role, plan, provider)
 onasis init            # Initialize CLI configuration
 onasis guide           # Interactive setup guide
 onasis quickstart      # Essential commands reference

package/dist/commands/completion.js

@@ -132,6 +132,16 @@ export async function generateCompletionData() {
                         description: 'Show memory statistics',
                         options: []
                     },
+                    {
+                        name: 'intelligence',
+                        description: 'Memory intelligence operations (use: memory intelligence --help)',
+                        options: []
+                    },
+                    {
+                        name: 'behavior',
+                        description: 'Behavior pattern operations (use: memory behavior --help)',
+                        options: []
+                    },
                     {
                         name: 'bulk-delete',
                         description: 'Delete multiple memories',

package/dist/commands/mcp.js

@@ -462,7 +462,7 @@ export function mcpCommands(program) {
         .description('Search memories via MCP')
         .argument('<query>', 'Search query')
         .option('-l, --limit <number>', 'Maximum results', '10')
-        .option('-t, --threshold <number>', 'Similarity threshold (0-1)', '0.7')
+        .option('-t, --threshold <number>', 'Similarity threshold (0-1)', '0.55')
         .action(async (query, options) => {
         const spinner = ora('Searching memories via MCP...').start();
         try {
@@ -488,7 +488,7 @@ export function mcpCommands(program) {
                 console.log(`\n${chalk.bold(`${index + 1}. ${memory.title}`)}`);
                 console.log(`   ID: ${chalk.gray(memory.id)}`);
                 console.log(`   Type: ${chalk.blue(memory.memory_type)}`);
-                console.log(`   Score: ${chalk.green((memory.relevance_score * 100).toFixed(1) + '%')}`);
+                console.log(`   Score: ${chalk.green((memory.similarity_score * 100).toFixed(1) + '%')}`);
                 console.log(`   Content: ${memory.content.substring(0, 100)}...`);
             });
         }