@meetless/mla 0.1.4

package/dist/commands/label.js

@@ -0,0 +1,226 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseLabelArgs = parseLabelArgs;
+exports.runLabel = runLabel;
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+// `mla label` -- the A3 operator-label affordance (notes/20260603-mla-kb-agent
+// -proxy-and-evidence-adoption.md §3, §7.2). A lightweight way for the operator
+// to mark a handful of enrichments useful / noisy / harmful / prevented-a
+// -mistake. It writes the reserved `operator_label` block back into a trace line
+// in ~/.meetless/logs/ask-traces.jsonl. Low volume, high signal: this is the
+// ground-truth anchor the composite needs before any weight tuning, and the
+// `harmful` flag is the exact field the A5 carry-forward hook reads to suppress
+// a re-surface, so a `--harmful` label here closes that loop.
+//
+//   mla label [<trace_id>] [--useful] [--noisy] [--harmful]
+//             [--prevented-mistake] [--note <text>]
+//
+// With no <trace_id> it labels the LATEST trace in the current session, scoping
+// to CLAUDE_CODE_SESSION_ID exactly like `mla summary` / `mla review`. The
+// parent Claude Code shell exports that var, so the operator labels "the
+// enrichment I just saw" without copying its id off the prompt. Pass an explicit
+// trace_id to label any past trace from outside a session.
+//
+// This is the WRITE side of the block that `mla summary` reads and tallies; it
+// is deliberately a standalone command, not a revival of the removed `mla
+// traces` tree (that subtree was dropped 2026-05-31, see summary.ts header).
+// Paths resolve lazily from MEETLESS_HOME (same fallback as lib/config + summary)
+// so the short-lived CLI picks up the operator's env and tests can point at a
+// temp dir.
+function logDir() {
+    return path.join(process.env.MEETLESS_HOME || path.join(os.homedir(), ".meetless"), "logs");
+}
+function tracesFile() {
+    return path.join(logDir(), "ask-traces.jsonl");
+}
+function readLines() {
+    if (!fs.existsSync(tracesFile()))
+        return [];
+    return fs
+        .readFileSync(tracesFile(), "utf8")
+        .split("\n")
+        .filter((l) => l.trim().length > 0);
+}
+function parse(line) {
+    try {
+        const o = JSON.parse(line);
+        return o && typeof o === "object" ? o : null;
+    }
+    catch {
+        return null;
+    }
+}
+function parseLabelArgs(argv) {
+    let traceId = null;
+    const patch = {};
+    let any = false;
+    for (let i = 0; i < argv.length; i++) {
+        const a = argv[i];
+        if (a === "--useful") {
+            patch.useful = true;
+            any = true;
+        }
+        else if (a === "--noisy") {
+            patch.noisy = true;
+            any = true;
+        }
+        else if (a === "--harmful") {
+            patch.harmful = true;
+            any = true;
+        }
+        else if (a === "--prevented-mistake") {
+            patch.prevented_mistake = true;
+            any = true;
+        }
+        else if (a === "--note") {
+            const v = argv[++i];
+            if (v === undefined)
+                throw new Error("--note requires a value");
+            patch.notes = v;
+            any = true;
+        }
+        else if (a.startsWith("-")) {
+            throw new Error(`Unknown flag for \`mla label\`: ${a}`);
+        }
+        else if (traceId === null) {
+            traceId = a;
+        }
+        else {
+            throw new Error(`Unexpected extra argument: ${a}`);
+        }
+    }
+    if (!any) {
+        throw new Error("Provide at least one of --useful / --noisy / --harmful / --prevented-mistake / --note.");
+    }
+    return { traceId, patch };
+}
+// Compact, deterministic render of the merged label state for the confirmation
+// line. Shows the FULL resulting block (not just this patch) so the operator
+// sees the cumulative verdict after a merge.
+function renderLabel(l) {
+    const parts = [];
+    if (l.useful === true)
+        parts.push("useful");
+    if (l.noisy === true)
+        parts.push("noisy");
+    if (l.harmful === true)
+        parts.push("harmful");
+    if (l.prevented_mistake === true)
+        parts.push("prevented-mistake");
+    if (typeof l.notes === "string" && l.notes.length > 0)
+        parts.push(`note="${l.notes}"`);
+    return parts.length ? parts.join(", ") : "(no flags set)";
+}
+function runLabel(argv) {
+    let args;
+    try {
+        args = parseLabelArgs(argv);
+    }
+    catch (e) {
+        console.error(e.message);
+        return 2;
+    }
+    const lines = readLines();
+    if (lines.length === 0) {
+        console.error(`No traces found at ${tracesFile()}.`);
+        return 1;
+    }
+    // Resolve which line index(es) to label, plus a label for the confirmation.
+    let targetIdxs;
+    let what;
+    if (args.traceId) {
+        // Explicit trace_id: rewrite every matching line. trace_id is a unique join
+        // key, but if a line were ever duplicated we label them all so the read side
+        // can never see a stale copy.
+        targetIdxs = lines.flatMap((line, i) => (parse(line)?.trace_id === args.traceId ? [i] : []));
+        if (targetIdxs.length === 0) {
+            console.error(`Trace not found: ${args.traceId}`);
+            return 1;
+        }
+        what = args.traceId;
+    }
+    else {
+        // Default selector: the latest trace in the current session.
+        const session = (process.env.CLAUDE_CODE_SESSION_ID || "").trim();
+        if (!session) {
+            console.error("No <trace_id> given and no current session (CLAUDE_CODE_SESSION_ID unset). " +
+                "Pass an explicit trace_id, or run `mla label` inside a Claude Code session.");
+            return 2;
+        }
+        let lastIdx = -1;
+        let lastTid = "";
+        lines.forEach((line, i) => {
+            const t = parse(line);
+            if (t && t.session_id === session) {
+                lastIdx = i;
+                lastTid = t.trace_id ?? "";
+            }
+        });
+        if (lastIdx < 0) {
+            console.error(`No traces for the current session (${session}) at ${tracesFile()}. ` +
+                "Pass an explicit trace_id to label a trace from another session.");
+            return 1;
+        }
+        targetIdxs = [lastIdx];
+        what = lastTid || `(latest in ${session})`;
+    }
+    const targets = new Set(targetIdxs);
+    let merged = {};
+    const rewritten = lines.map((line, i) => {
+        if (!targets.has(i))
+            return line;
+        const t = parse(line);
+        if (!t)
+            return line; // defensive: selection only picks parseable lines.
+        merged = { ...(t.operator_label ?? {}), ...args.patch };
+        return JSON.stringify({ ...t, operator_label: merged });
+    });
+    // Atomic replace: write a sibling temp file, then rename over the target.
+    // Node has no native advisory lock and we deliberately do NOT shell out to
+    // flock(1) for this; labeling is a single-operator action that happens
+    // BETWEEN prompts (never during a hook write), so the lost-append window if
+    // the hook appends a brand-new trace between our read and rename is
+    // negligible, and the temp+rename guarantees any concurrent reader always
+    // sees a complete, consistent file.
+    const tmp = path.join(logDir(), `.ask-traces.${process.pid}.tmp`);
+    fs.writeFileSync(tmp, rewritten.join("\n") + "\n");
+    fs.renameSync(tmp, tracesFile());
+    const n = targetIdxs.length;
+    console.log(`Labeled ${what}: ${renderLabel(merged)} (${n} line${n === 1 ? "" : "s"}).`);
+    return 0;
+}

package/dist/commands/login.js

@@ -0,0 +1,295 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseLoginArgs = parseLoginArgs;
+exports.runLogin = runLogin;
+const config_1 = require("../lib/config");
+const http_1 = require("../lib/http");
+const auth_breaker_1 = require("../lib/auth-breaker");
+const login_1 = require("../lib/login");
+const wire_1 = require("../lib/wire");
+// Default liveness probe: GET /internal/v1/auth/me through the control `get`
+// helper, which already does the §6.5 refresh-on-401 dance. A genuinely live
+// session (or one the access token silently refreshes for) resolves; a session
+// whose refresh token is dead server-side rejects with HttpError.status === 401.
+async function defaultVerifySession(cfg) {
+    await (0, http_1.get)(cfg, "/internal/v1/auth/me");
+}
+// `mla login` (proposal §6.6, T24).
+//
+// Browser-based user login over the loopback OAuth + PKCE flow (the transport
+// lives in lib/login.ts, T21). This command is the thin policy layer on top:
+//   - refuses to run before `mla init` (no cli-config.json to write into);
+//   - is a no-op when already logged in with a comfortably-fresh refresh token;
+//   - resolves the Console URL by an explicit precedence ladder;
+//   - validates the --no-browser / --port pairing;
+//   - on success REPLACES auth.* in cli-config.json with the user-token shape
+//     (the prior shared-key value is NOT preserved, §6.6); `mla logout` is the
+//     only path back to shared-key, via a fresh `mla init --control-token`.
+//
+// SECURITY: this command never logs the access token, refresh token, grant code,
+// or PKCE verifier. It prints only identity (display name / email / workspace)
+// and the (non-secret) expiry timestamps.
+// `mla login` is a no-op when the live user-token's refresh window still has
+// more than this much runway. Below it (or any other mode), we re-run the flow.
+// Mirrors §6.6: "more than 24h remaining".
+const REFRESH_FRESH_THRESHOLD_MS = 24 * 60 * 60 * 1000;
+// Strict argv parsing, mirroring `mla init`'s VALUE_FLAGS/BOOLEAN_FLAGS shape
+// (init.ts): a value flag must be followed by a non-flag value; unknown flags
+// and positionals throw. `mla login` takes no positionals.
+const VALUE_FLAGS = new Set(["--console-url", "--port"]);
+// --force skips every no-op/self-heal short-circuit and runs the browser flow
+// unconditionally (escape hatch for "just re-mint my tokens").
+const BOOLEAN_FLAGS = new Set(["--no-browser", "--force"]);
+function parseLoginArgs(argv) {
+    const out = {};
+    for (let i = 0; i < argv.length; i++) {
+        const a = argv[i];
+        if (VALUE_FLAGS.has(a)) {
+            const v = argv[i + 1];
+            if (v === undefined) {
+                throw new Error(`Missing value for ${a}`);
+            }
+            if (v.startsWith("--") || v.startsWith("-")) {
+                throw new Error(`Missing value for ${a} (got the next flag ${v} instead)`);
+            }
+            if (a === "--console-url") {
+                out.consoleUrl = v;
+            }
+            else if (a === "--port") {
+                const port = Number(v);
+                if (!Number.isInteger(port) || port < 1 || port > 65535) {
+                    throw new Error(`Invalid --port value "${v}": expected an integer in 1..65535.`);
+                }
+                out.port = port;
+            }
+            i += 1;
+            continue;
+        }
+        if (BOOLEAN_FLAGS.has(a)) {
+            if (a === "--no-browser")
+                out.noBrowser = true;
+            else if (a === "--force")
+                out.force = true;
+            continue;
+        }
+        if (a.startsWith("--") || a.startsWith("-")) {
+            throw new Error(`Unknown flag: ${a}. Supported flags: ${[...VALUE_FLAGS, ...BOOLEAN_FLAGS].sort().join(", ")}`);
+        }
+        throw new Error(`Unexpected positional argument: ${a}. \`mla login\` takes no positional arguments.`);
+    }
+    return out;
+}
+// Resolve the Console origin by the §6.6 precedence ladder, stopping at the first
+// defined value: --console-url > MEETLESS_CONSOLE_URL > raw cfg.consoleUrl. When
+// all three are absent this returns undefined and runBrowserLogin infers the
+// origin from the control URL via its pair table (failing loud if no pair
+// matches). We deliberately read the RAW `cfg.consoleUrl`, NOT getConsoleUrl():
+// the latter defaults to localhost:3000 and would mask the pair-table inference
+// (and silently point login at the wrong origin for a prod control URL).
+function resolveConsoleOverride(flags, cfg) {
+    const fromFlag = flags.consoleUrl?.trim();
+    if (fromFlag)
+        return fromFlag;
+    const fromEnv = process.env.MEETLESS_CONSOLE_URL?.trim();
+    if (fromEnv)
+        return fromEnv;
+    const fromCfg = cfg.consoleUrl?.trim();
+    if (fromCfg)
+        return fromCfg;
+    return undefined;
+}
+// Map control's exchange bundle into the on-disk user-token credential. Only the
+// four display fields of `user` survive: role here is display-only (§4.6); every
+// authorization decision re-reads the live WorkspaceUser.role server-side.
+function bundleToUserTokenAuth(bundle) {
+    return {
+        mode: "user-token",
+        accessToken: bundle.accessToken,
+        refreshToken: bundle.refreshToken,
+        accessExpiresAt: bundle.accessExpiresAt,
+        refreshExpiresAt: bundle.refreshExpiresAt,
+        sessionId: bundle.sessionId,
+        user: {
+            id: bundle.user.id,
+            displayName: bundle.user.displayName,
+            email: bundle.user.email,
+            role: bundle.user.role,
+        },
+    };
+}
+// Best-effort humanizer for "how much runway is left" on an ISO expiry. Returns
+// null for an unparseable/empty timestamp so callers can degrade gracefully.
+function formatRemaining(iso) {
+    const ms = Date.parse(iso) - Date.now();
+    if (Number.isNaN(ms))
+        return null;
+    if (ms <= 0)
+        return "expired";
+    const hours = Math.floor(ms / (60 * 60 * 1000));
+    if (hours < 48)
+        return `in ~${hours}h`;
+    return `in ~${Math.floor(hours / 24)}d`;
+}
+// The shared "you're still logged in" message. Pulled out so the fast path, the
+// verify-confirmed path, and the offline-fallback path all print identically.
+function printAlreadyLoggedIn(auth) {
+    const who = auth.user.displayName || auth.user.id;
+    const email = auth.user.email ? ` <${auth.user.email}>` : "";
+    const runway = formatRemaining(auth.refreshExpiresAt);
+    console.log(`Already logged in as ${who}${email}.`);
+    console.log(`  Session expires ${runway ?? "soon"} (run \`mla logout && mla login\` to re-login).`);
+}
+async function runLogin(argv, deps = {}) {
+    const verifySession = deps.verifySession ?? defaultVerifySession;
+    const browserLogin = deps.browserLogin ?? login_1.runBrowserLogin;
+    let flags;
+    try {
+        flags = parseLoginArgs(argv);
+    }
+    catch (e) {
+        console.error(e.message);
+        return 2;
+    }
+    // --no-browser needs a fixed loopback port: the browser runs on a different
+    // machine (SSH), so the operator forwards `ssh -L <port>:127.0.0.1:<port>`
+    // ahead of time and the redirect_uri must target that known port (§6.6). With
+    // a browser on this machine, port 0 (kernel-assigned) is correct.
+    if (flags.noBrowser && flags.port === undefined) {
+        console.error("--port <n> is required with --no-browser: the loopback redirect must " +
+            "target a port you have forwarded (e.g. `ssh -L 8765:127.0.0.1:8765`).");
+        return 2;
+    }
+    // `mla login` writes INTO cli-config.json. When none exists yet (a fresh
+    // install that goes straight to `mla login`, which is the documented flow on
+    // the install page), bootstrap a minimal MACHINE config pointing at the hosted
+    // prod backend, then carry on -- so login works with zero extra steps instead
+    // of dead-ending on "run `mla init` first".
+    //
+    // Multi-repo safety: this is HOME-level (one cli-config.json per MEETLESS_HOME,
+    // shared by every repo on the machine, the long-standing model) and writes NO
+    // per-folder workspace binding. A user with several repos still binds each one
+    // to its own workspace through its `.meetless.json` marker (`mla activate`);
+    // login never reads or writes that, so it is correct from any directory. The
+    // bootstrap is idempotent: it fires only when the config is absent, so a second
+    // `mla login` from another repo just reads the existing config.
+    //
+    // It deliberately does NOT wire capture hooks or the MCP server (that is
+    // `mla init`'s runWire job, §6.6) -- it only creates the config the browser
+    // login writes tokens into. A non-default backend (dogfood/staging/self-host)
+    // is still pinned with `mla init --control-url ...`; MEETLESS_BACKEND_URL /
+    // MEETLESS_INTEL_URL continue to override these defaults at read time
+    // (readConfig), so a one-off `MEETLESS_BACKEND_URL=... mla login` still works.
+    if (!(0, config_1.configExists)()) {
+        (0, config_1.writeConfig)({
+            controlUrl: config_1.DEFAULT_CONTROL_URL,
+            controlToken: "", // auth.mode 'none': no bearer until the login below
+            intelUrl: config_1.DEFAULT_INTEL_URL,
+            mlaPath: (0, wire_1.resolveMlaPath)(),
+            auth: { mode: "none" },
+        });
+        console.log(`No cli-config.json found; created ${config_1.CFG_PATH} for the hosted backend ` +
+            `(${config_1.DEFAULT_CONTROL_URL}).`);
+        console.log("Tip: run `mla init` to wire capture hooks and the Meetless MCP server " +
+            "into your coding agent.");
+    }
+    let cfg;
+    try {
+        cfg = (0, config_1.readConfig)();
+    }
+    catch (e) {
+        // readConfig throws loudly on a corrupt config or the Gate-4 env conflict
+        // (user-token on disk + MEETLESS_CONTROL_TOKEN set). Surface it verbatim.
+        console.error(e.message);
+        return 1;
+    }
+    // No-op when already logged in with a comfortably-fresh refresh token. Forcing
+    // a re-login is `mla login --force` (or `mla logout && mla login`). A corrupt/
+    // empty refreshExpiresAt parses to NaN, so this guard safely falls through to a
+    // real login rather than mis-treating a broken session as fresh.
+    //
+    // T29 self-heal: NO local timestamp is proof the session is alive. The on-disk
+    // refresh token can be dead server-side (rotated/revoked) while refreshExpiresAt
+    // still reads ~Nd out, AND the access JWT can sit well inside its 24h TTL while
+    // the session it belongs to was revoked (e.g. a control-dev reseed). The original
+    // T29 trusted a still-live access token and fast-no-op'd without probing, so An
+    // hit the exact closed loop it was meant to kill: every hook 401'd telling him to
+    // "run `mla login`", and `mla login` answered "already logged in" all day. So we
+    // NEVER short-circuit on a local timestamp alone:
+    //   - refresh window locally-fresh -> ALWAYS PROBE control (GET /auth/me, which
+    //       refreshes transparently). Live -> no-op. Rejected (401/403) -> the session
+    //       is dead server-side: fall through to a real browser login (self-heal).
+    //       Unreachable (network error, no .status) -> keep the cached session rather
+    //       than force a doomed flow on someone merely offline.
+    //   - refresh window locally-expired -> no probe; re-auth is required regardless,
+    //       so drop straight through to a browser login.
+    //   - --force always re-authenticates and skips the probe entirely.
+    if (cfg.auth.mode === "user-token" && !flags.force) {
+        const auth = cfg.auth;
+        const refreshRemainingMs = Date.parse(auth.refreshExpiresAt) - Date.now();
+        const refreshLocallyFresh = !Number.isNaN(refreshRemainingMs) && refreshRemainingMs > REFRESH_FRESH_THRESHOLD_MS;
+        if (refreshLocallyFresh) {
+            // Verify against control before ever declaring "already logged in". login is a
+            // rare, interactive command, so one GET /auth/me on the happy path is a non-issue
+            // next to the all-day dead loop a blind no-op can hide.
+            try {
+                await verifySession(cfg);
+                printAlreadyLoggedIn(auth);
+                return 0;
+            }
+            catch (e) {
+                const status = e.status;
+                if (status === 401 || status === 403) {
+                    // Session is dead server-side. Self-heal: drop through to a real browser
+                    // login instead of the old no-op dead end.
+                    console.log("Cached session is no longer valid server-side. Re-authenticating...");
+                }
+                else {
+                    // No HTTP status -> never reached the server (control down / offline).
+                    // Keep the cached session; do not open a browser flow that cannot reach
+                    // control anyway.
+                    printAlreadyLoggedIn(auth);
+                    console.log("  (could not verify with control; keeping cached session for now.)");
+                    return 0;
+                }
+            }
+        }
+    }
+    const consoleUrl = resolveConsoleOverride(flags, cfg);
+    let bundle;
+    try {
+        bundle = await browserLogin({
+            controlUrl: cfg.controlUrl,
+            consoleUrl,
+            noBrowser: flags.noBrowser ?? false,
+            port: flags.port,
+        });
+    }
+    catch (e) {
+        // runBrowserLogin already keeps tokens/codes out of its messages. Print the
+        // message (timeout, CSRF refusal, exchange failure, missing console URL).
+        console.error(e.message);
+        return 1;
+    }
+    const auth = bundleToUserTokenAuth(bundle);
+    // REPLACE auth.* outright: no shared-key preservation (§6.6). actorUserId and
+    // controlToken are re-derived by writeConfig/readConfig from the new auth.
+    (0, config_1.writeConfig)({
+        ...cfg,
+        auth,
+        controlToken: auth.accessToken,
+        actorUserId: auth.user.id,
+    });
+    // A fresh login retires any dead-auth circuit breaker proactively. consult also
+    // self-clears on the fingerprint mismatch, but clearing here reopens the gate
+    // for live `mla mcp` workers the instant the new token lands on disk.
+    (0, auth_breaker_1.clearAuthBreaker)();
+    const email = bundle.user.email ? ` <${bundle.user.email}>` : "";
+    const accessRunway = formatRemaining(bundle.accessExpiresAt);
+    const refreshRunway = formatRemaining(bundle.refreshExpiresAt);
+    console.log(`Logged in as ${bundle.user.displayName}${email}.`);
+    console.log(`  Workspace: ${bundle.workspace.name} (${bundle.workspace.slug})`);
+    console.log(`  Role:      ${bundle.user.role}`);
+    console.log(`  Access token expires ${accessRunway ?? "soon"}; refresh token ${refreshRunway ?? "soon"}.`);
+    console.log("Next: mla whoami");
+    return 0;
+}

package/dist/commands/logout.js

@@ -0,0 +1,108 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.revokeCliSession = revokeCliSession;
+exports.runLogout = runLogout;
+const config_1 = require("../lib/config");
+// Raw fetch to the guardless revoke route. Deliberately bypasses http.ts's
+// doFetch (which always stamps an Authorization header): the refresh token in the
+// body is the proof, and we send no bearer because the access token may be dead.
+// Never throws: a network failure becomes a non-cleared result so the caller can
+// still clear local state.
+async function revokeCliSession(controlUrl, sessionId, refreshToken, timeoutMs = 10000) {
+    const url = `${controlUrl.replace(/\/+$/, "")}/internal/v1/auth/sessions/revoke`;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        const res = await fetch(url, {
+            method: "POST",
+            // Content-Type only; NO Authorization header (body proof-of-possession).
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ sessionId, refreshToken }),
+            signal: controller.signal,
+        });
+        if (res.ok)
+            return { serverCleared: true, detail: "session revoked" };
+        if (res.status === 401 || res.status === 410) {
+            return {
+                serverCleared: true,
+                detail: "session was already revoked server-side",
+            };
+        }
+        return { serverCleared: false, detail: `control returned HTTP ${res.status}` };
+    }
+    catch (e) {
+        // Timeout / DNS / connection refused: do not block the local clear.
+        return {
+            serverCleared: false,
+            detail: `control unreachable (${e.name})`,
+        };
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+async function runLogout(argv, deps = {}) {
+    if (argv.length > 0) {
+        console.error(`\`mla logout\` takes no arguments (got: ${argv.join(" ")}). ` +
+            "There is no --all flag; revoke other sessions from the Console.");
+        return 2;
+    }
+    const log = deps.log ?? ((m) => console.log(m));
+    const revokeFn = deps.revokeFn ?? revokeCliSession;
+    if (!(0, config_1.configExists)()) {
+        // Nothing to log out of, and nothing to write. Idempotent success.
+        log("Not logged in (no cli-config.json). Nothing to do.");
+        return 0;
+    }
+    let cfg;
+    try {
+        cfg = (0, config_1.readConfig)();
+    }
+    catch (e) {
+        // A corrupt/conflicting config can't be safely rewritten here; surface it.
+        console.error(e.message);
+        return 1;
+    }
+    if (cfg.auth.mode !== "user-token") {
+        // shared-key or none: there is no user session to revoke. We deliberately do
+        // NOT touch a shared-key config (logout is not "downgrade my shared key");
+        // the operator manages that via `mla init`.
+        if (cfg.auth.mode === "shared-key") {
+            log("Logged in with a shared key, not a user session; nothing to revoke.");
+            log("To remove it, edit cli-config.json or re-run `mla init`.");
+        }
+        else {
+            log("Already logged out (auth.mode: none).");
+        }
+        return 0;
+    }
+    const { sessionId, refreshToken } = cfg.auth;
+    const who = cfg.auth.user.displayName || cfg.auth.user.id;
+    // Best-effort server revoke. Missing sessionId/refreshToken (corrupt session)
+    // skips the network call and goes straight to local clear.
+    if (sessionId && refreshToken) {
+        const result = await revokeFn(cfg.controlUrl, sessionId, refreshToken);
+        if (result.serverCleared) {
+            log(`Revoked: ${result.detail}.`);
+        }
+        else {
+            log(`Local logout complete, but ${result.detail}.`);
+            log("The session may still be active server-side until it expires.");
+        }
+    }
+    else {
+        log("Local session was incomplete; clearing it without a server revoke.");
+    }
+    // Clear auth.* to the terminal `none` state. NEVER restore shared-key (§6.6).
+    // Top-level controlUrl/intelUrl/mlaPath/etc. survive so the next
+    // `mla init --control-token` or `mla login` runs cleanly. writeConfig
+    // re-derives controlToken ("") and drops actorUserId under none.
+    (0, config_1.writeConfig)({
+        ...cfg,
+        auth: { mode: "none" },
+        controlToken: "",
+        actorUserId: undefined,
+    });
+    log(`Logged out ${who}. Run \`mla login\` to log back in.`);
+    return 0;
+}