@neus/sdk 1.1.0 → 1.1.2

package/cli/neus.mjs

@@ -1,30 +1,33 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 import { spawnSync } from 'node:child_process';
 import { createHash, randomBytes } from 'node:crypto';
 import fs from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import {
+  NEUS_MCP_SERVER_NAME,
+  NEUS_MCP_URL,
+  buildNeusMcpHttpConfig
+} from '../mcp-hosts.js';
+
+const __cliDir = path.dirname(fileURLToPath(import.meta.url));
 
-const NEUS_SERVER_NAME = 'neus';
-const NEUS_MCP_URL = 'https://mcp.neus.network/mcp';
 const NEUS_APP_URL = 'https://neus.network';
 const NEUS_TOKEN_ENDPOINT = 'https://neus.network/api/v1/auth/mcp/token';
 const NEUS_DISCONNECT_ENDPOINT = 'https://neus.network/api/v1/auth/mcp/revoke';
 const NEUS_PROFILE_KEY_ENDPOINT = 'https://api.neus.network/api/v1/auth/profile-key';
-const SUPPORTED_CLIENTS = ['claude', 'cursor', 'vscode'];
+const SUPPORTED_CLIENTS = ['claude', 'codex', 'cursor', 'vscode'];
+const PROJECT_CLIENTS = ['claude', 'cursor', 'vscode'];
+const CODEX_OAUTH_SCOPES = 'neus:core,neus:profile,neus:secrets,offline_access';
 const IMPORT_SCHEMA = 'neus.portable-agent.v1';
 const SUPPORTED_IMPORT_SOURCES = [
   'auto',
-  'openclaw',
-  'hermes',
   'cursor',
   'claude-code',
   'claude-desktop'
 ];
 const SUPPORTED_EXPORT_FORMATS = ['manifest', 'json'];
-const SECRET_NAME_PATTERN =
-  /(?:^|_)(?:api[_-]?key|secret|token|password|private[_-]?key|access[_-]?key|bearer)(?:$|_)/i;
-const ANSI_ENABLED = process.env.NO_COLOR !== '1' && process.env.TERM !== 'dumb';
 
 const ansi = {
   reset: '\x1b[0m',
@@ -36,18 +39,299 @@ const ansi = {
   bold: '\x1b[1m'
 };
 
+function isTruthyEnv(value) {
+  const normalized = String(value || '')
+    .trim()
+    .toLowerCase();
+  return normalized === '1' || normalized === 'true' || normalized === 'yes';
+}
+
+function resolveColorEnabled() {
+  if (isTruthyEnv(process.env.NO_COLOR)) return false;
+  if (process.env.TERM === 'dumb') return false;
+  return true;
+}
+
 function paint(value, color) {
-  if (!ANSI_ENABLED) return String(value);
+  if (!resolveColorEnabled()) return String(value);
   return `${ansi[color] || ''}${value}${ansi.reset}`;
 }
 
-function printBrandHeader(title) {
-  const line = paint('NEUS', 'green');
-  process.stdout.write(
-    `${paint('::', 'dim')} ${line} ${paint('trust portability', 'cyan')} ${paint('::', 'dim')} ${title}\n`
+function terminalColumns() {
+  const cols = Number(process.stderr.columns || process.stdout.columns || 0);
+  if (Number.isFinite(cols) && cols >= 40) return cols;
+  return 80;
+}
+
+function truncateDetail(text) {
+  const raw = String(text || '');
+  const max = Math.max(24, terminalColumns() - 18);
+  if (raw.length <= max) return raw;
+  return `${raw.slice(0, Math.max(0, max - 3))}...`;
+}
+
+function useUnicodeSymbols() {
+  if (!resolveColorEnabled()) return false;
+  if (process.platform !== 'win32') return true;
+  return Boolean(
+    process.env.WT_SESSION ||
+      process.env.TERMINAL_EMULATOR === 'JetBrains-JediTerm' ||
+      process.env.TERM_PROGRAM === 'vscode' ||
+      process.env.TERM_PROGRAM === 'cursor'
+  );
+}
+
+function cliSymbols() {
+  if (useUnicodeSymbols()) {
+    return { ok: '✓', warn: '!', next: '→', skip: '-' };
+  }
+  return { ok: 'ok', warn: '!', next: '>', skip: '-' };
+}
+
+function writeCliLine(line) {
+  process.stderr.write(`${line}\n`);
+}
+
+let cliBannerEmitted = false;
+
+function readCliVersion() {
+  try {
+    const pkg = JSON.parse(fs.readFileSync(path.join(__cliDir, '..', 'package.json'), 'utf8'));
+    return String(pkg.version || '0.0.0').trim();
+  } catch {
+    return '0.0.0';
+  }
+}
+
+function shouldEmitCliBanner(cliOptions = {}) {
+  if (cliBannerEmitted) return false;
+  if (cliOptions.json) return false;
+  if (!process.stderr.isTTY) return false;
+  return true;
+}
+
+function emitCliBanner(cliOptions = {}) {
+  if (!shouldEmitCliBanner(cliOptions)) return;
+  const version = readCliVersion();
+  const title = paint('NEUS', 'green');
+  const meta = `${paint(`v${version}`, 'dim')}${paint(' | trust receipts', 'dim')}`;
+  writeCliLine('');
+  writeCliLine(`  ${title}  ${meta}`);
+  writeCliLine('');
+  cliBannerEmitted = true;
+}
+
+function logStep(kind, label, detail = '') {
+  const symbols = cliSymbols();
+  const iconKey = kind === 'ok' ? 'ok' : kind === 'warn' ? 'warn' : kind === 'next' ? 'next' : 'skip';
+  const iconColor = kind === 'ok' ? 'green' : kind === 'warn' ? 'yellow' : kind === 'next' ? 'cyan' : 'dim';
+  const iconCell = useUnicodeSymbols() ? symbols[iconKey] : symbols[iconKey].padEnd(2);
+  const icon = paint(iconCell, iconColor);
+  const name = paint(String(label).padEnd(10), 'cyan');
+  const suffix = detail ? `  ${paint(truncateDetail(detail), 'dim')}` : '';
+  writeCliLine(`  ${icon} ${name}${suffix}`);
+}
+
+function writeGuidanceLine(text) {
+  writeCliLine(`  ${paint('-', 'dim')} ${text}`);
+}
+
+function describeClientResult(command, result) {
+  if (result.dryRun && result.changed) {
+    if (result.client === 'codex') {
+      return `would update ${result.targetPath || '~/.codex/config.toml'}`;
+    }
+    return 'would update';
+  }
+  if (result.client === 'codex' && result.configured) {
+    if (command === 'auth') {
+      return result.authConfigured ? 'Codex OAuth complete' : 'Codex MCP config ready';
+    }
+    return `Codex MCP config: ${result.targetPath || '~/.codex/config.toml'}`;
+  }
+  if (result.changed) return 'updated';
+  if (result.authConfigured) return 'signed in';
+  return 'ready';
+}
+
+function printBuilderGuidance(command, results) {
+  if (!['setup', 'auth'].includes(command)) return;
+  const hasCodex = results.some(result => result.client === 'codex');
+  writeCliLine('');
+  writeCliLine(paint('Builder notes', 'cyan'));
+  writeGuidanceLine('Use from any shell without a global install: `npx -y -p @neus/sdk neus ...`.');
+  if (hasCodex) {
+    writeGuidanceLine('Codex owns OAuth: run `neus auth --client codex` or `codex mcp login neus`.');
+  }
+  writeGuidanceLine(
+    'Claude plugin commands run inside Claude Code chat, not as `claude install`: `/plugin marketplace add https://github.com/neus/network`.'
   );
 }
 
+function selectedClientNames(results) {
+  return results.map(result => result.client).filter(Boolean);
+}
+
+function preferredSetupCommand(results) {
+  const clients = selectedClientNames(results);
+  const suffix = clients.length === 1 ? ` --client ${clients[0]}` : '';
+  return `npx -y -p @neus/sdk neus setup${suffix}`;
+}
+
+function preferredAuthCommand(results) {
+  const clients = selectedClientNames(results);
+  if (clients.length === 1 && clients[0] === 'codex') {
+    return 'npx -y -p @neus/sdk neus auth --client codex';
+  }
+  return 'npx -y -p @neus/sdk neus auth';
+}
+
+function printStatusGuidance(results) {
+  writeCliLine('');
+  writeCliLine(paint('MCP endpoint', 'cyan'));
+  writeGuidanceLine(NEUS_MCP_URL);
+  writeCliLine(paint('Profile connection', 'cyan'));
+  if (results.some(result => result.configured)) {
+    writeGuidanceLine('Saved config found. Run `npx -y -p @neus/sdk neus doctor --live` to confirm live Profile context.');
+  } else {
+    writeGuidanceLine(`No selected MCP host is configured yet. Run \`${preferredSetupCommand(results)}\`.`);
+  }
+}
+
+function printHostAuthIntro(host, cliOptions = {}) {
+  if (cliOptions.json) return;
+  emitCliBanner(cliOptions);
+  writeCliLine(paint('auth', 'green'));
+  if (host === 'codex') {
+    logStep('next', 'codex', 'starting Codex-owned MCP OAuth');
+    logStep('next', 'command', 'codex mcp login neus');
+    writeCliLine('');
+  }
+}
+
+function printFlowSummary(command, scope, results, { nextStep = '', cliOptions = {} } = {}) {
+  emitCliBanner(cliOptions);
+  writeCliLine(paint(String(command), 'green'));
+
+  for (const result of results) {
+    const client = result.client;
+    if (result.error) {
+      logStep('warn', client, result.error);
+      continue;
+    }
+    if (result.configured) {
+      const detail = describeClientResult(command, result);
+      logStep('ok', client, detail);
+      continue;
+    }
+    if (result.authConfigured === null) {
+      logStep('skip', client, 'not installed');
+      continue;
+    }
+    logStep('skip', client, 'not configured');
+  }
+
+  if (nextStep) {
+    writeCliLine('');
+    logStep('next', 'next', nextStep);
+  }
+  if (command === 'status') {
+    printStatusGuidance(results);
+  }
+  printBuilderGuidance(command, results);
+  writeCliLine('');
+}
+
+function printAuthBrowserIntro(authUrl, cliOptions = {}) {
+  emitCliBanner(cliOptions);
+  writeCliLine(paint('auth', 'green'));
+  logStep('next', 'sign-in', 'opens in your browser');
+  writeCliLine('');
+  writeCliLine(`  ${paint(truncateDetail(authUrl), 'dim')}`);
+  writeCliLine('');
+}
+
+function parseBearerHeader(value) {
+  const raw = String(value || '').trim();
+  if (!raw.toLowerCase().startsWith('bearer ')) return '';
+  return raw.slice(7).trim();
+}
+
+function readCursorBearer(scope, cwd) {
+  const targetPath = cursorConfigPath(scope, cwd);
+  if (!fileExists(targetPath)) return '';
+  const doc = readJsonFile(targetPath, {});
+  return parseBearerHeader(doc.mcpServers?.[NEUS_MCP_SERVER_NAME]?.headers?.Authorization);
+}
+
+function readVsCodeBearer(scope, cwd) {
+  const targetPath = vscodeConfigPath(scope, cwd);
+  if (!fileExists(targetPath)) return '';
+  const doc = readJsonFile(targetPath, {});
+  return parseBearerHeader(doc.servers?.[NEUS_MCP_SERVER_NAME]?.headers?.Authorization);
+}
+
+function readClaudeBearer(scope, cwd) {
+  if (scope === 'project') {
+    const targetPath = claudeProjectConfigPath(cwd);
+    if (!fileExists(targetPath)) return '';
+    const doc = readJsonFile(targetPath, {});
+    return parseBearerHeader(doc.mcpServers?.[NEUS_MCP_SERVER_NAME]?.headers?.Authorization);
+  }
+  if (!commandExists('claude')) return '';
+  const result = spawnSync('claude', ['mcp', 'list'], {
+    encoding: 'utf8',
+    env: process.env
+  });
+  if (result.status !== 0) return '';
+  const lines = String(result.stdout || '').split(/\r?\n/);
+  if (!lines.includes(NEUS_MCP_SERVER_NAME)) return '';
+  const statePath = process.env.NEUS_TEST_CLAUDE_STATE;
+  if (statePath && fileExists(statePath)) {
+    const state = readJsonFile(statePath, { servers: {} });
+    const headers = state.servers?.[NEUS_MCP_SERVER_NAME]?.headers || [];
+    const authLine = headers.find(line => String(line).toLowerCase().startsWith('authorization:'));
+    if (authLine) {
+      return parseBearerHeader(authLine.replace(/^authorization:\s*/i, ''));
+    }
+  }
+  return '';
+}
+
+function readInstalledAccessKey(scope, cwd) {
+  for (const reader of [readCursorBearer, readVsCodeBearer, readClaudeBearer]) {
+    const token = reader(scope, cwd);
+    if (token) return token;
+  }
+  return '';
+}
+
+function envAccessKey() {
+  return String(process.env.NEUS_ACCESS_KEY || '').trim();
+}
+
+/** --access-key flag, else NEUS_ACCESS_KEY from the environment, else browser sign-in. */
+function resolveAccessKey(options) {
+  const explicit = String(options.accessKey || '').trim();
+  if (explicit) return explicit;
+  return envAccessKey();
+}
+
+/** --access-key, IDE MCP config, then NEUS_ACCESS_KEY from the environment. */
+function resolveLiveAccessKey(options, scope, cwd) {
+  const explicit = String(options.accessKey || '').trim();
+  if (explicit) return explicit;
+  const installed = readInstalledAccessKey(scope, cwd);
+  if (installed) return installed;
+  return envAccessKey();
+}
+
+function resolveAuthMethod(options, accessKey) {
+  if (!accessKey) return 'browser';
+  if (String(options.accessKey || '').trim()) return 'access-key';
+  return 'env-key';
+}
+
 function fileExists(targetPath) {
   try {
     fs.accessSync(targetPath);
@@ -179,36 +463,20 @@ function instructionEntry(targetPath, name) {
   };
 }
 
-function parseEnvSecretRefs(targetPath, source, warnings) {
-  if (!fileExists(targetPath)) return [];
-  const refs = [];
-  const seen = new Set();
-  const raw = readTextFile(targetPath);
-  for (const line of raw.split(/\r?\n/)) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith('#') || !trimmed.includes('=')) continue;
-    const name = trimmed.split('=')[0].trim();
-    if (!name || !SECRET_NAME_PATTERN.test(name) || seen.has(name)) continue;
-    seen.add(name);
-    refs.push({ name, source, handling: 'detected-only' });
-  }
-  if (refs.length > 0) {
-    warnings.push(
-      `Detected ${refs.length} secret-like env name${refs.length === 1 ? '' : 's'} in ${portablePath(targetPath)}; values were not read into the manifest.`
-    );
-  }
-  return refs;
-}
-
 function readMcpServers(targetPath, source, warnings) {
   const doc = safeReadJson(targetPath, warnings);
   if (!doc) return [];
+  const mcpSection = doc.mcp && typeof doc.mcp === 'object' && !Array.isArray(doc.mcp) ? doc.mcp : null;
   const servers =
     doc.mcpServers && typeof doc.mcpServers === 'object' && !Array.isArray(doc.mcpServers)
       ? doc.mcpServers
-      : doc.servers && typeof doc.servers === 'object' && !Array.isArray(doc.servers)
-        ? doc.servers
-        : {};
+      : mcpSection?.servers &&
+          typeof mcpSection.servers === 'object' &&
+          !Array.isArray(mcpSection.servers)
+        ? mcpSection.servers
+        : doc.servers && typeof doc.servers === 'object' && !Array.isArray(doc.servers)
+          ? doc.servers
+          : {};
   return Object.keys(servers)
     .sort((a, b) => a.localeCompare(b))
     .map(name => ({
@@ -285,6 +553,7 @@ function cursorInstalled() {
 function defaultUserClients() {
   const detected = [];
   if (commandExists('claude')) detected.push('claude');
+  if (commandExists('codex')) detected.push('codex');
   if (cursorInstalled()) detected.push('cursor');
   if (commandExists('code') || fileExists(path.join(process.env.APPDATA || '', 'Code')))
     detected.push('vscode');
@@ -303,7 +572,7 @@ function parseArgs(argv) {
     return {
       command: 'help',
       options: {
-        accessKey: process.env.NEUS_ACCESS_KEY || '',
+        accessKey: '',
         clients: [],
         source: 'auto',
         format: 'manifest',
@@ -318,7 +587,7 @@ function parseArgs(argv) {
 
   const command = argv[0];
   const options = {
-    accessKey: process.env.NEUS_ACCESS_KEY || '',
+    accessKey: '',
     clients: [],
     source: 'auto',
     format: 'manifest',
@@ -399,24 +668,24 @@ function printUsage(exitCode = 0) {
     'Usage: neus <command> [options]',
     '',
     'Commands:',
-    '  setup         One-command: run init, then auth if --access-key is provided',
+    '  setup         Configure hosted NEUS MCP for supported clients',
     '  init          Configure supported MCP clients automatically',
-    '  auth          Sign in via browser (recommended) or add an access key for NEUS MCP',
+    '  auth          Sign in (browser, or NEUS_ACCESS_KEY / --access-key when set)',
     '  disconnect    Disconnect NEUS MCP (revoke the stored OAuth token or access key)',
     '  status        Show current NEUS MCP setup',
-    '  doctor        Deep check: config status, profile connection, agent verification',
-    '  import        Detect and package an existing agent runtime for NEUS proof-backed portability',
+    '  doctor        Deep check: config status, profile connection, and live MCP context',
+    '  import        Detect and package supported assistant context for NEUS portability',
     '  export        Export the latest local NEUS portable agent manifest',
     '  help          Show this message',
     '',
     'Options:',
-    '  --client <name[,name]>   Limit setup to claude, cursor, or vscode',
+    '  --client <name[,name]>   Limit setup to claude, codex, cursor, or vscode',
     '  --project                Write shared project config instead of user config',
-    '  --access-key <npk_...>   Use manual access key instead of browser sign-in',
-    '  --from <source>          Import source: auto, openclaw, hermes, cursor, claude-code, claude-desktop',
+    '  --access-key <npk_...>   Override profile access key (else uses NEUS_ACCESS_KEY if set)',
+    '  --from <source>          Import source: auto, cursor, claude-code, or claude-desktop',
     '  --to <format>            Export format: manifest or json',
     '  --output <path>          Write exported manifest to a specific path',
-    '  --live                   Run live MCP checks when an access key is available',
+    '  --live                   Run live MCP checks (uses IDE credential or --access-key)',
     '  --json                   Print JSON output',
     '  --dry-run                Preview changes without writing files'
   ];
@@ -440,7 +709,7 @@ function resolveScope(options) {
 function resolveClients(scope, requestedClients) {
   assertValidClients(requestedClients);
   if (requestedClients.length > 0) return requestedClients;
-  if (scope === 'project') return [...SUPPORTED_CLIENTS];
+  if (scope === 'project') return [...PROJECT_CLIENTS];
   return defaultUserClients();
 }
 
@@ -466,27 +735,15 @@ function ensureSafeAuth(command, scope, accessKey) {
 }
 
 function buildCursorServer(accessKey) {
-  return {
-    type: 'http',
-    url: NEUS_MCP_URL,
-    ...(accessKey ? { headers: { Authorization: `Bearer ${accessKey}` } } : {})
-  };
+  return buildNeusMcpHttpConfig(accessKey);
 }
 
 function buildVsCodeServer(accessKey) {
-  return {
-    type: 'http',
-    url: NEUS_MCP_URL,
-    ...(accessKey ? { headers: { Authorization: `Bearer ${accessKey}` } } : {})
-  };
+  return buildNeusMcpHttpConfig(accessKey);
 }
 
 function buildClaudeServer(accessKey) {
-  return {
-    type: 'http',
-    url: NEUS_MCP_URL,
-    ...(accessKey ? { headers: { Authorization: `Bearer ${accessKey}` } } : {})
-  };
+  return buildNeusMcpHttpConfig(accessKey);
 }
 
 function cursorConfigPath(scope, cwd) {
@@ -496,20 +753,31 @@ function cursorConfigPath(scope, cwd) {
 }
 
 function vscodeConfigPath(scope, cwd) {
-  return scope === 'user'
-    ? path.join(
-        process.env.APPDATA || path.join(os.homedir(), 'AppData', 'Roaming'),
-        'Code',
-        'User',
-        'mcp.json'
-      )
-    : path.join(cwd, '.vscode', 'mcp.json');
+  if (scope !== 'user') {
+    return path.join(cwd, '.vscode', 'mcp.json');
+  }
+  if (process.platform === 'darwin') {
+    return path.join(os.homedir(), 'Library', 'Application Support', 'Code', 'User', 'mcp.json');
+  }
+  if (process.platform === 'win32') {
+    return path.join(
+      process.env.APPDATA || path.join(os.homedir(), 'AppData', 'Roaming'),
+      'Code',
+      'User',
+      'mcp.json'
+    );
+  }
+  return path.join(os.homedir(), '.config', 'Code', 'User', 'mcp.json');
 }
 
 function claudeProjectConfigPath(cwd) {
   return path.join(cwd, '.mcp.json');
 }
 
+function codexConfigPath() {
+  return path.join(os.homedir(), '.codex', 'config.toml');
+}
+
 function installCursor(scope, accessKey, dryRun, cwd) {
   const targetPath = cursorConfigPath(scope, cwd);
   const doc = readJsonFile(targetPath, { mcpServers: {} });
@@ -519,7 +787,7 @@ function installCursor(scope, accessKey, dryRun, cwd) {
       ...(doc.mcpServers && typeof doc.mcpServers === 'object' && !Array.isArray(doc.mcpServers)
         ? doc.mcpServers
         : {}),
-      [NEUS_SERVER_NAME]: buildCursorServer(accessKey)
+      [NEUS_MCP_SERVER_NAME]: buildCursorServer(accessKey)
     }
   };
   const writeResult = writeJsonFile(targetPath, next, dryRun);
@@ -545,7 +813,7 @@ function installVsCode(scope, accessKey, dryRun, cwd) {
       ...(doc.servers && typeof doc.servers === 'object' && !Array.isArray(doc.servers)
         ? doc.servers
         : {}),
-      [NEUS_SERVER_NAME]: buildVsCodeServer(accessKey)
+      [NEUS_MCP_SERVER_NAME]: buildVsCodeServer(accessKey)
     }
   };
   const writeResult = writeJsonFile(targetPath, next, dryRun);
@@ -571,7 +839,7 @@ function installClaudeProject(scope, accessKey, dryRun, cwd) {
       ...(doc.mcpServers && typeof doc.mcpServers === 'object' && !Array.isArray(doc.mcpServers)
         ? doc.mcpServers
         : {}),
-      [NEUS_SERVER_NAME]: buildClaudeServer(accessKey)
+      [NEUS_MCP_SERVER_NAME]: buildClaudeServer(accessKey)
     }
   };
   const writeResult = writeJsonFile(targetPath, next, dryRun);
@@ -594,7 +862,7 @@ function installClaudeUser(scope, accessKey, dryRun, cwd) {
   }
 
   if (!dryRun) {
-    runCommand('claude', ['mcp', 'remove', '--scope', 'user', NEUS_SERVER_NAME], cwd, true);
+    runCommand('claude', ['mcp', 'remove', '--scope', 'user', NEUS_MCP_SERVER_NAME], cwd, true);
     const addArgs = [
       'mcp',
       'add',
@@ -602,7 +870,7 @@ function installClaudeUser(scope, accessKey, dryRun, cwd) {
       'http',
       '--scope',
       'user',
-      NEUS_SERVER_NAME,
+      NEUS_MCP_SERVER_NAME,
       NEUS_MCP_URL
     ];
     if (accessKey) {
@@ -631,10 +899,66 @@ function installClaude(scope, accessKey, dryRun, cwd) {
   return installClaudeUser(scope, accessKey, dryRun, cwd);
 }
 
+function installCodex(scope, accessKey, dryRun, cwd) {
+  if (scope !== 'user') {
+    throw new Error('Codex MCP setup is user-scoped through ~/.codex/config.toml.');
+  }
+  if (!commandExists('codex')) {
+    throw new Error('Codex CLI is not installed or not on PATH.');
+  }
+
+  const bearerTokenEnvVar = envAccessKey() ? 'NEUS_ACCESS_KEY' : '';
+
+  if (!dryRun) {
+    runCommand('codex', ['mcp', 'remove', NEUS_MCP_SERVER_NAME], cwd, true);
+    const addArgs = [
+      'mcp',
+      'add',
+      NEUS_MCP_SERVER_NAME,
+      '--url',
+      NEUS_MCP_URL,
+      '--oauth-client-id',
+      NEUS_OAUTH_CLIENT_ID,
+      '--oauth-resource',
+      NEUS_MCP_RESOURCE
+    ];
+    if (bearerTokenEnvVar) {
+      addArgs.push('--bearer-token-env-var', bearerTokenEnvVar);
+    }
+    runCommand('codex', addArgs, cwd);
+  }
+
+  return {
+    client: 'codex',
+    scope,
+    configured: true,
+    authConfigured: bearerTokenEnvVar ? true : null,
+    changed: true,
+    targetPath: portablePath(codexConfigPath()),
+    backupPath: null,
+    dryRun,
+    error: null
+  };
+}
+
+function authCodex(scope, dryRun, cwd, cliOptions = {}) {
+  const setupResult = installCodex(scope, '', dryRun, cwd);
+  if (!dryRun) {
+    printHostAuthIntro('codex', cliOptions);
+    runCommand('codex', ['mcp', 'login', NEUS_MCP_SERVER_NAME, '--scopes', CODEX_OAUTH_SCOPES], cwd);
+  }
+  return {
+    ...setupResult,
+    authConfigured: !dryRun,
+    changed: true
+  };
+}
+
 function installClient(client, scope, accessKey, dryRun, cwd) {
   if (client === 'cursor') return installCursor(scope, accessKey, dryRun, cwd);
   if (client === 'vscode') return installVsCode(scope, accessKey, dryRun, cwd);
   if (client === 'claude') return installClaude(scope, accessKey, dryRun, cwd);
+  if (client === 'codex') return installCodex(scope, accessKey, dryRun, cwd);
   throw new Error(`Unsupported client: ${client}`);
 }
 
@@ -651,7 +975,7 @@ function inspectCursor(scope, cwd) {
     };
   }
   const doc = readJsonFile(targetPath, {});
-  const server = doc.mcpServers?.[NEUS_SERVER_NAME];
+  const server = doc.mcpServers?.[NEUS_MCP_SERVER_NAME];
   return {
     client: 'cursor',
     scope,
@@ -675,7 +999,7 @@ function inspectVsCode(scope, cwd) {
     };
   }
   const doc = readJsonFile(targetPath, {});
-  const server = doc.servers?.[NEUS_SERVER_NAME];
+  const server = doc.servers?.[NEUS_MCP_SERVER_NAME];
   return {
     client: 'vscode',
     scope,
@@ -700,7 +1024,7 @@ function inspectClaude(scope, cwd) {
       };
     }
     const doc = readJsonFile(targetPath, {});
-    const server = doc.mcpServers?.[NEUS_SERVER_NAME];
+    const server = doc.mcpServers?.[NEUS_MCP_SERVER_NAME];
     return {
       client: 'claude',
       scope,
@@ -725,21 +1049,59 @@ function inspectClaude(scope, cwd) {
   const result = runCommand('claude', ['mcp', 'list'], cwd, true);
   const configured =
     result.status === 0 &&
-    result.stdout.split(/\r?\n/).some(line => line.trim() === NEUS_SERVER_NAME);
+    result.stdout.split(/\r?\n/).some(line => line.trim() === NEUS_MCP_SERVER_NAME);
   return {
     client: 'claude',
     scope,
     configured,
-    authConfigured: null,
+    authConfigured: configured ? null : false,
     targetPath: '~/.claude.json',
     error: null
   };
 }
 
+function inspectCodex(scope, cwd) {
+  const targetPath = portablePath(codexConfigPath());
+  if (scope !== 'user') {
+    return {
+      client: 'codex',
+      scope,
+      configured: false,
+      authConfigured: null,
+      targetPath,
+      error: 'Codex MCP setup is user-scoped through ~/.codex/config.toml.'
+    };
+  }
+  if (!commandExists('codex')) {
+    return {
+      client: 'codex',
+      scope,
+      configured: false,
+      authConfigured: null,
+      targetPath,
+      error: null
+    };
+  }
+
+  const result = runCommand('codex', ['mcp', 'get', NEUS_MCP_SERVER_NAME], cwd, true);
+  const configured =
+    result.status === 0 &&
+    result.stdout.split(/\r?\n/).some(line => line.trim() === `url: ${NEUS_MCP_URL}`);
+  return {
+    client: 'codex',
+    scope,
+    configured,
+    authConfigured: configured ? null : false,
+    targetPath,
+    error: null
+  };
+}
+
 function inspectClient(client, scope, cwd) {
   if (client === 'cursor') return inspectCursor(scope, cwd);
   if (client === 'vscode') return inspectVsCode(scope, cwd);
   if (client === 'claude') return inspectClaude(scope, cwd);
+  if (client === 'codex') return inspectCodex(scope, cwd);
   throw new Error(`Unsupported client: ${client}`);
 }
 
@@ -762,29 +1124,7 @@ function createEmptyManifest(source) {
   };
 }
 
-function openclawRoots() {
-  return [
-    path.join(os.homedir(), '.openclaw', 'workspace'),
-    path.join(process.cwd(), '.openclaw', 'workspace'),
-    process.cwd()
-  ];
-}
-
-function hermesRoots() {
-  return [path.join(os.homedir(), '.hermes'), path.join(process.cwd(), '.hermes')];
-}
-
 function sourceDetected(source) {
-  if (source === 'openclaw') {
-    return openclawRoots().some(
-      root => fileExists(path.join(root, 'SOUL.md')) || fileExists(path.join(root, 'skills'))
-    );
-  }
-  if (source === 'hermes') {
-    return hermesRoots().some(
-      root => fileExists(path.join(root, 'SOUL.md')) || fileExists(path.join(root, 'skills'))
-    );
-  }
   if (source === 'cursor') {
     return (
       fileExists(path.join(process.cwd(), '.cursor', 'rules')) ||
@@ -814,7 +1154,7 @@ function detectImportSources() {
 
 function chooseImportSource(requestedSource, detectedSources) {
   if (requestedSource && requestedSource !== 'auto') return requestedSource;
-  const preference = ['openclaw', 'hermes', 'claude-code', 'cursor', 'claude-desktop'];
+  const preference = ['claude-code', 'cursor', 'claude-desktop'];
   return (
     preference.find(source => detectedSources.some(candidate => candidate.source === source)) ||
     'cursor'
@@ -833,79 +1173,6 @@ function mergeManifest(base, next) {
   };
 }
 
-function buildOpenclawManifest(warnings) {
-  const source = 'openclaw';
-  const root = openclawRoots().find(
-    candidate =>
-      fileExists(path.join(candidate, 'SOUL.md')) || fileExists(path.join(candidate, 'skills'))
-  );
-  const manifest = createEmptyManifest(source);
-  if (!root) {
-    warnings.push('OpenClaw workspace was not found.');
-    return manifest;
-  }
-
-  const soul = instructionEntry(path.join(root, 'SOUL.md'), 'SOUL.md');
-  const memory = instructionEntry(path.join(root, 'MEMORY.md'), 'MEMORY.md');
-  if (soul) manifest.instructions.push(soul);
-  if (memory) manifest.memories.push(memory);
-
-  for (const skillName of listDirectoryNames(path.join(root, 'skills'))) {
-    manifest.skills.push({
-      name: skillName,
-      kind: 'skill',
-      source,
-      path: portablePath(path.join(root, 'skills', skillName)),
-      hasSkillMd: fileExists(path.join(root, 'skills', skillName, 'SKILL.md'))
-    });
-  }
-
-  manifest.secretRefs.push(...parseEnvSecretRefs(path.join(root, '.env'), source, warnings));
-  manifest.mcpServers.push(
-    ...readMcpServers(
-      path.join(os.homedir(), '.openclaw', 'agents', 'main', 'agent', 'claude-mcp.json'),
-      source,
-      warnings
-    ),
-    ...readMcpServers(
-      path.join(os.homedir(), '.openclaw', 'agents', 'main', 'agent', 'runtime-mcp.json'),
-      source,
-      warnings
-    )
-  );
-  return manifest;
-}
-
-function buildHermesManifest(warnings) {
-  const source = 'hermes';
-  const root = hermesRoots().find(
-    candidate =>
-      fileExists(path.join(candidate, 'SOUL.md')) || fileExists(path.join(candidate, 'skills'))
-  );
-  const manifest = createEmptyManifest(source);
-  if (!root) {
-    warnings.push('HERMES workspace was not found.');
-    return manifest;
-  }
-
-  const soul = instructionEntry(path.join(root, 'SOUL.md'), 'SOUL.md');
-  if (soul) manifest.instructions.push(soul);
-
-  for (const skillName of listDirectoryNames(path.join(root, 'skills'))) {
-    manifest.skills.push({
-      name: skillName,
-      kind: 'skill',
-      source,
-      path: portablePath(path.join(root, 'skills', skillName)),
-      hasSkillMd: fileExists(path.join(root, 'skills', skillName, 'SKILL.md'))
-    });
-  }
-
-  manifest.secretRefs.push(...parseEnvSecretRefs(path.join(root, '.env'), source, warnings));
-  manifest.mcpServers.push(...readMcpServers(path.join(root, 'config.json'), source, warnings));
-  return manifest;
-}
-
 function buildCursorManifest(warnings) {
   const source = 'cursor';
   const manifest = createEmptyManifest(source);
@@ -959,8 +1226,6 @@ function buildClaudeDesktopManifest(warnings) {
 }
 
 function buildSourceManifest(source, warnings) {
-  if (source === 'openclaw') return buildOpenclawManifest(warnings);
-  if (source === 'hermes') return buildHermesManifest(warnings);
   if (source === 'cursor') return buildCursorManifest(warnings);
   if (source === 'claude-code') return buildClaudeCodeManifest(warnings);
   if (source === 'claude-desktop') return buildClaudeDesktopManifest(warnings);
@@ -1233,110 +1498,48 @@ function runClientOperations(clients, scope, cwd, dryRun, runner) {
   });
 }
 
-function printResultSummary(command, scope, results, accessKey) {
-  const changedCount = results.filter(result => result.changed).length;
-  const configuredClients = results
-    .filter(result => result.configured)
-    .map(result => result.client)
-    .join(', ');
-  const failures = results.filter(result => result.error);
-  const lines = [
-    `NEUS ${command} completed for ${results.length} client${results.length === 1 ? '' : 's'} in ${scope} scope.`,
-    `Configured: ${configuredClients || 'none'}.`
-  ];
-
-  if (changedCount > 0) {
-    lines.push(`Updated: ${changedCount} target${changedCount === 1 ? '' : 's'}.`);
-  }
-
-  if ((command === 'init' || command === 'setup') && !accessKey) {
-    lines.push(
-      `Sign in with: neus auth (opens browser) or neus auth --access-key <npk_...> (servers and CI only)`
-    );
-  }
-  if (command === 'init' || command === 'setup') {
-    lines.push('Claude Code skill bundle: https://docs.neus.network/mcp/claude-code-marketplace');
-    lines.push(
-      'Cursor / VS Code: same command when those apps are detected (local MCP config) — https://docs.neus.network/mcp/setup'
-    );
-  }
-  if ((command === 'init' || command === 'auth') && accessKey) {
-    lines.push(
-      'Personal account tools are enabled.'
-    );
-  }
-  if (command === 'status') {
-    const enabled = results.filter(result => result.configured).map(result => result.client);
-    lines.push(`Active: ${enabled.length > 0 ? enabled.join(', ') : 'none'}.`);
-  }
-  if (failures.length > 0) {
-    lines.push(
-      `Issues: ${failures.map(result => `${result.client}: ${result.error}`).join(' | ')}`
-    );
-  }
-
-  process.stdout.write(`${lines.join('\n')}\n`);
-}
 
-function printImportSummary(payload) {
-  printBrandHeader('agent import');
+function printImportSummary(payload, cliOptions = {}) {
+  emitCliBanner(cliOptions);
   const manifest = payload.manifest;
-  const lines = [
-    `${paint('Source', 'cyan')}: ${manifest.source}${payload.dryRun ? ' (dry run)' : ''}`,
-    `${paint('Instructions', 'cyan')}: ${manifest.instructions.length}`,
-    `${paint('Skills', 'cyan')}: ${manifest.skills.length}`,
-    `${paint('MCP servers', 'cyan')}: ${manifest.mcpServers.length}`,
-    `${paint('Secret refs', 'cyan')}: ${manifest.secretRefs.length} detected, values never written`,
-    `${paint('Proofs', 'cyan')}: ${manifest.proofHints.status}; create or link receipts through NEUS MCP`
-  ];
-  if (payload.targetPath) {
-    lines.push(
-      `${paint('Manifest', 'cyan')}: ${payload.targetPath}${payload.changed ? '' : ' (unchanged)'}`
-    );
-  }
-  if (payload.warnings.length > 0) {
-    lines.push('');
-    lines.push(paint('Notes', 'yellow'));
-    lines.push(...payload.warnings.map(warning => `- ${warning}`));
-  }
-  lines.push('');
-  lines.push(
-    'Next: run `neus setup`, then `neus doctor --live`, then call `neus_agent_create` from your MCP client.'
-  );
-  process.stdout.write(`${lines.join('\n')}\n`);
-}
-
-function printExportSummary(payload) {
-  printBrandHeader('agent export');
-  const lines = [
-    `${paint('Format', 'cyan')}: ${payload.format}`,
-    `${paint('Source', 'cyan')}: ${payload.manifest.source}`,
-    `${paint('Skills', 'cyan')}: ${payload.manifest.skills?.length || 0}`,
-    `${paint('Proof refs', 'cyan')}: ${payload.manifest.proofHints?.qHashes?.length || 0} qHash value${payload.manifest.proofHints?.qHashes?.length === 1 ? '' : 's'}`
-  ];
+  writeCliLine(paint('import', 'green'));
+  logStep('ok', 'source', `${manifest.source}${payload.dryRun ? ' (dry run)' : ''}`);
+  logStep('ok', 'skills', String(manifest.skills.length));
+  logStep('ok', 'servers', String(manifest.mcpServers.length));
+  writeCliLine('');
+  logStep('next', 'next', 'neus setup | neus auth');
+  writeCliLine('');
+}
+
+function printExportSummary(payload, cliOptions = {}) {
+  emitCliBanner(cliOptions);
+  writeCliLine(paint('export', 'green'));
+  logStep('ok', 'format', payload.format);
+  logStep('ok', 'source', payload.manifest.source);
   if (payload.outputPath) {
-    lines.push(`${paint('Output', 'cyan')}: ${payload.outputPath}`);
+    logStep('ok', 'output', payload.outputPath);
   }
-  process.stdout.write(`${lines.join('\n')}\n`);
+  writeCliLine('');
 }
 
 function runInit(options) {
   const scope = resolveScope(options);
-  ensureSafeAuth('init', scope, options.accessKey);
+  const accessKey = resolveAccessKey(options);
+  ensureSafeAuth('init', scope, accessKey);
   const cwd = process.cwd();
 
   const clients = resolveClients(scope, options.clients);
   ensureClientSelection(scope, clients);
 
   const results = runClientOperations(clients, scope, cwd, options.dryRun, client =>
-    installClient(client, scope, options.accessKey, options.dryRun, cwd)
+    installClient(client, scope, accessKey, options.dryRun, cwd)
   );
   const payload = {
     command: 'init',
     scope,
     detectedClients: defaultUserClients(),
     clients,
-    accessKeyConfigured: Boolean(options.accessKey),
+    accessKeyConfigured: Boolean(accessKey),
     results,
     hasErrors: results.some(result => result.error)
   };
@@ -1344,7 +1547,10 @@ function runInit(options) {
   if (options.json) {
     printJson(payload);
   } else {
-    printResultSummary('init', scope, results, options.accessKey);
+    printFlowSummary('init', scope, results, {
+      nextStep: accessKey ? '' : 'neus auth',
+      cliOptions: options
+    });
   }
 
   if (payload.hasErrors) {
@@ -1378,6 +1584,8 @@ async function runAuthBrowser(options) {
   }
   const clients = resolveClients(scope, options.clients);
   ensureClientSelection(scope, clients);
+  const browserManagedClients = clients.filter(client => client !== 'codex');
+  const hostManagedClients = clients.filter(client => client === 'codex');
   const cwd = process.cwd();
 
   const { createServer } = await import('node:http');
@@ -1448,9 +1656,14 @@ async function runAuthBrowser(options) {
             res.end('<html><body><h2>Authenticated</h2><p>You can close this tab and return to your terminal.</p></body></html>');
             server.close();
 
-            const results = runClientOperations(clients, scope, cwd, options.dryRun, client =>
+            const results = runClientOperations(browserManagedClients, scope, cwd, options.dryRun, client =>
               installClient(client, scope, accessToken, options.dryRun, cwd)
             );
+            results.push(
+              ...runClientOperations(hostManagedClients, scope, cwd, options.dryRun, () =>
+                authCodex(scope, options.dryRun, cwd, options)
+              )
+            );
             const payload = {
               command: 'auth',
               scope,
@@ -1489,17 +1702,16 @@ async function runAuthBrowser(options) {
       });
       const authUrl = `${NEUS_APP_URL}/oauth/authorize?${authParams.toString()}`;
 
-      console.log('');
-      console.log('  Opening browser for NEUS authentication...');
-      console.log(`  If the browser doesn't open, visit:`);
-      console.log(`  ${authUrl}`);
-      console.log('');
+      if (!options.json) {
+        printAuthBrowserIntro(authUrl, options);
+        logStep('next', 'wait', 'finish sign-in in the browser');
+      }
 
       const { exec } = require('node:child_process');
       const openCmd = process.platform === 'win32' ? 'start' : process.platform === 'darwin' ? 'open' : 'xdg-open';
-      exec(`${openCmd} "${authUrl}"`, (err) => {
-        if (err) {
-          console.log('  Could not open browser automatically. Copy the URL above and open it manually.');
+      exec(`${openCmd} "${authUrl}"`, err => {
+        if (err && !options.json) {
+          logStep('warn', 'browser', 'open the URL above manually');
         }
       });
     });
@@ -1514,27 +1726,39 @@ async function runAuthBrowser(options) {
 
 function runAuth(options) {
   const scope = resolveScope(options);
-  ensureSafeAuth('auth', scope, options.accessKey);
+  const accessKey = resolveAccessKey(options);
+  ensureSafeAuth('auth', scope, accessKey);
   const cwd = process.cwd();
+  const clients = resolveClients(scope, options.clients);
+  ensureClientSelection(scope, clients);
 
-  // Browser flow: when no --access-key is provided, open browser
-  if (!options.accessKey) {
+  if (!accessKey) {
+    if (clients.length === 1 && clients[0] === 'codex') {
+      const results = runClientOperations(clients, scope, cwd, options.dryRun, () =>
+        authCodex(scope, options.dryRun, cwd, options)
+      );
+      return {
+        command: 'auth',
+        scope,
+        clients,
+        accessKeyConfigured: results.some(result => result.authConfigured === true),
+        authMethod: 'host-oauth',
+        results,
+        hasErrors: results.some(result => result.error)
+      };
+    }
     return runAuthBrowser(options);
   }
 
-  // Manual key flow: --access-key provided
-  const clients = resolveClients(scope, options.clients);
-  ensureClientSelection(scope, clients);
-
   const results = runClientOperations(clients, scope, cwd, options.dryRun, client =>
-    installClient(client, scope, options.accessKey, options.dryRun, cwd)
+    installClient(client, scope, accessKey, options.dryRun, cwd)
   );
   const payload = {
     command: 'auth',
     scope,
     clients,
     accessKeyConfigured: true,
-    authMethod: 'access-key',
+    authMethod: resolveAuthMethod(options, accessKey),
     results,
     hasErrors: results.some(result => result.error)
   };
@@ -1562,14 +1786,15 @@ function runStatus(options) {
     printJson(payload);
     return;
   }
-  printResultSummary('status', scope, inspected, '');
+  printFlowSummary('status', scope, inspected, { cliOptions: options });
 }
 
-function runSetup(options) {
+async function runSetup(options) {
   const scope = resolveScope(options);
-  ensureSafeAuth('setup', scope, options.accessKey);
+  const accessKey = resolveAccessKey(options);
+  ensureSafeAuth('setup', scope, accessKey);
   const cwd = process.cwd();
-  if (options.project && options.accessKey) {
+  if (options.project && accessKey) {
     throw new Error(
       'Access keys are only supported in user scope. Remove --project or omit --access-key.'
     );
@@ -1577,9 +1802,8 @@ function runSetup(options) {
 
   const clients = resolveClients(scope, options.clients);
   ensureClientSelection(scope, clients);
-
   const initResults = runClientOperations(clients, scope, cwd, options.dryRun, client =>
-    installClient(client, scope, options.accessKey, options.dryRun, cwd)
+    installClient(client, scope, accessKey, options.dryRun, cwd)
   );
 
   const payload = {
@@ -1587,23 +1811,46 @@ function runSetup(options) {
     scope,
     detectedClients: defaultUserClients(),
     clients,
-    accessKeyConfigured: Boolean(options.accessKey),
+    accessKeyConfigured: Boolean(accessKey),
     results: initResults,
     hasErrors: initResults.some(result => result.error)
   };
 
+  if (payload.hasErrors) {
+    if (options.json) printJson(payload);
+    else printFlowSummary('setup', scope, initResults, { cliOptions: options });
+    process.exitCode = 1;
+    return payload;
+  }
+
   if (options.json) {
     printJson(payload);
-  } else {
-    printResultSummary('setup', scope, initResults, options.accessKey);
+    return payload;
   }
 
-  if (payload.hasErrors) {
-    process.exitCode = 1;
+  printFlowSummary('setup', scope, initResults, {
+    nextStep: accessKey ? 'neus_context in your MCP client' : '',
+    cliOptions: options
+  });
+
+  if (!accessKey && !options.dryRun) {
+    const authResult = await runAuth(options);
+    if (authResult && !authResult.hasErrors) {
+      printFlowSummary('auth', authResult.scope, authResult.results, {
+        nextStep: 'neus_context in your MCP client',
+        cliOptions: options
+      });
+    }
+    if (authResult?.hasErrors) {
+      process.exitCode = 1;
+    }
+    return authResult || payload;
   }
+
+  return payload;
 }
 
-function runImport(options) {
+function runImport(options, { emitOutput = true } = {}) {
   if (!SUPPORTED_IMPORT_SOURCES.includes(options.source)) {
     throw new Error(`Unsupported import source: ${options.source}`);
   }
@@ -1628,15 +1875,18 @@ function runImport(options) {
       manifest.mcpServers.length === 0
   };
 
-  if (options.json) {
-    printJson(payload);
-  } else {
-    printImportSummary(payload);
+  if (emitOutput) {
+    if (options.json) {
+      printJson(payload);
+    } else {
+      printImportSummary(payload, options);
+    }
   }
 
-  if (payload.hasErrors) {
+  if (emitOutput && payload.hasErrors) {
     process.exitCode = 1;
   }
+  return payload;
 }
 
 function runExport(options) {
@@ -1671,7 +1921,7 @@ function runExport(options) {
     printJson(payload);
     return;
   }
-  printExportSummary(payload);
+  printExportSummary(payload, options);
 }
 
 async function runDoctor(options) {
@@ -1684,12 +1934,13 @@ async function runDoctor(options) {
     inspectClient(client, scope, cwd)
   );
   const configuredClients = inspected.filter(r => r.configured);
+  const liveAccessKey = resolveLiveAccessKey(options, scope, cwd);
   const payload = {
     command: 'doctor',
     scope,
     clients: inspected,
     configuredCount: configuredClients.length,
-    accessKeyPresent: Boolean(options.accessKey),
+    accessKeyPresent: Boolean(liveAccessKey),
     profileConnectable: false,
     agentVerified: false,
     live: options.live,
@@ -1699,9 +1950,12 @@ async function runDoctor(options) {
   };
 
   if (options.live) {
-    payload.mcp = await runLiveMcpDiagnostics(options.accessKey);
-    payload.profileConnectable = Boolean(payload.mcp.authenticated);
-    payload.hasErrors = payload.hasErrors || !payload.mcp.reachable || !payload.mcp.authenticated;
+    payload.mcp = await runLiveMcpDiagnostics(liveAccessKey);
+    if (liveAccessKey) {
+      payload.profileConnectable = Boolean(payload.mcp.authenticated);
+      payload.hasErrors =
+        payload.hasErrors || !payload.mcp.reachable || !payload.mcp.authenticated;
+    }
   }
 
   if (options.json) {
@@ -1709,45 +1963,60 @@ async function runDoctor(options) {
     return;
   }
 
-  printResultSummary('doctor', scope, inspected, '');
-
-  const lines = [];
-  if (configuredClients.length > 0) {
-    lines.push(
-      `MCP reachable: ${configuredClients.map(r => r.client).join(', ')} ready at ${NEUS_MCP_URL}.`
-    );
-  } else {
-    lines.push('MCP reachable: No clients configured. Run `neus setup` first.');
-    process.stdout.write(`\n${lines.join('\n')}\n`);
-    process.exit(1);
+  if (configuredClients.length === 0) {
+    emitCliBanner(options);
+    writeCliLine(paint('doctor', 'green'));
+    for (const result of inspected) {
+      if (result.error) {
+        logStep('warn', result.client, result.error);
+      } else if (result.authConfigured === null) {
+        logStep('skip', result.client, 'not installed');
+      } else {
+        logStep('skip', result.client, 'not configured');
+      }
+    }
+    writeCliLine('');
+    writeCliLine(paint('MCP endpoint', 'cyan'));
+    writeGuidanceLine(NEUS_MCP_URL);
+    writeCliLine(paint('Profile connection', 'cyan'));
+    writeGuidanceLine(`No selected MCP host is configured yet. Run \`${preferredSetupCommand(inspected)}\`.`);
+    writeGuidanceLine(`Then run \`${preferredAuthCommand(inspected)}\` and re-check with \`npx -y -p @neus/sdk neus doctor --live\`.`);
+    writeCliLine('');
+    process.exitCode = 1;
+    return;
   }
 
-  if (options.accessKey) {
-    if (options.live && payload.mcp) {
-      lines.push(
-        `Profile connection: ${payload.mcp.authenticated ? 'live MCP context confirmed' : 'not confirmed by live MCP check'}.`
+  printFlowSummary('doctor', scope, inspected, { cliOptions: options });
+  const hasCodex = inspected.some(result => result.client === 'codex');
+  writeCliLine(paint('Profile connection', 'cyan'));
+  if (options.live && payload.mcp) {
+    if (!liveAccessKey) {
+      writeGuidanceLine(
+        hasCodex
+          ? 'Codex owns OAuth: run `neus auth --client codex` or `codex mcp login neus`.'
+          : 'No account credential found for the configured MCP clients. Run `neus auth`.'
       );
-      lines.push(`Tools: ${payload.mcp.toolsCount || 0} discovered.`);
     } else {
-      lines.push(
-        'Profile connection: auth header present. Re-run `neus doctor --live` to confirm against hosted MCP.'
+      logStep(
+        payload.mcp.authenticated ? 'ok' : 'warn',
+        'profile',
+        payload.mcp.authenticated
+          ? `live MCP context confirmed; ${payload.mcp.toolsCount || 0} tools discovered`
+          : 'live MCP context was not confirmed'
       );
     }
+  } else if (liveAccessKey) {
+    writeGuidanceLine('Saved credential found. Run `neus doctor --live` to confirm Profile context.');
   } else {
-    lines.push(
-      `Profile connection: No access key found. Run \`neus auth\` (browser sign-in) or \`neus auth --access-key <npk_...>\` and reconnect.`
+    writeGuidanceLine(
+      hasCodex
+        ? 'Codex owns OAuth: run `neus auth --client codex` or `codex mcp login neus`.'
+        : 'No account credential found. Run `neus auth` for browser sign-in.'
     );
   }
-
-  lines.push(
-    'Agent verification: Run `neus_agent_link` and `neus_proofs_check` inside the MCP-connected client to verify agent identity and delegation proofs.'
-  );
-  lines.push('');
-  lines.push(
-    'Next: Open your editor/IDE, connect to the NEUS MCP endpoint, and run `neus_context`.'
-  );
-
-  process.stdout.write(`\n${lines.join('\n')}\n`);
+  writeGuidanceLine('In the connected MCP client, call `neus_context` first.');
+  writeGuidanceLine('For agents, run `neus_agent_link` before assuming identity or delegation is ready.');
+  writeCliLine('');
 }
 
 async function runDisconnect(options) {
@@ -1756,12 +2025,15 @@ async function runDisconnect(options) {
     throw new Error('Disconnect only supports user scope. Remove --project flag.');
   }
 
-  if (!options.accessKey) {
-    throw new Error('Credential required. Run `neus disconnect --access-key <token>` or set NEUS_ACCESS_KEY.');
+  const cwd = process.cwd();
+  const token = resolveLiveAccessKey(options, scope, cwd);
+  if (!token) {
+    throw new Error(
+      'Credential required. Run `neus disconnect --access-key <token>` or sign in first (`neus auth`).'
+    );
   }
 
   try {
-    const token = String(options.accessKey || '').trim();
     const isProfileKey = token.startsWith('npk_');
     const resp = isProfileKey
       ? await fetch(NEUS_PROFILE_KEY_ENDPOINT, {
@@ -1794,7 +2066,6 @@ async function runDisconnect(options) {
     throw error;
   }
 
-  const cwd = process.cwd();
   const clients = resolveClients(scope, options.clients);
   ensureClientSelection(scope, clients);
 
@@ -1814,9 +2085,11 @@ async function runDisconnect(options) {
   if (options.json) {
     printJson(payload);
   } else {
-    printBrandHeader('disconnect');
-    console.log('  NEUS MCP credential disconnected. Your client configurations have been updated to remove the token.');
-    console.log('  Re-authenticate with: neus auth');
+    emitCliBanner(options);
+    writeCliLine(paint('disconnect', 'green'));
+    logStep('ok', 'signed-out', 'MCP configs updated');
+    logStep('next', 'next', 'neus auth');
+    writeCliLine('');
   }
 }
 
@@ -1837,13 +2110,16 @@ async function main() {
       if (result) {
         if (options.json) {
           printJson(result);
+        } else if (result.authMethod !== 'browser') {
+          printFlowSummary('auth', result.scope, result.results, {
+            nextStep: 'neus_context in your MCP client',
+            cliOptions: options
+          });
         } else {
-          const displayKey = result.authMethod === 'browser' ? '<browser-auth>' : options.accessKey;
-          printResultSummary('auth', result.scope, result.results, displayKey);
-          if (result.authMethod === 'browser') {
-            console.log('');
-            console.log('  Authenticated via browser. Your MCP clients are now configured.');
-          }
+          printFlowSummary('auth', result.scope, result.results, {
+            nextStep: 'neus_context in your MCP client',
+            cliOptions: options
+          });
         }
         if (result.hasErrors) {
           process.exitCode = 1;
@@ -1856,7 +2132,10 @@ async function main() {
       return;
     }
     if (command === 'setup') {
-      runSetup(options);
+      const setupResult = await runSetup(options);
+      if (setupResult?.hasErrors) {
+        process.exitCode = 1;
+      }
       return;
     }
     if (command === 'doctor') {