@ogment-ai/cli 0.10.0 → 0.10.1

package/dist/cli.js

@@ -8004,10 +8004,10 @@ const defaultRecoveryByCode = {
 		when: "immediate"
 	},
 	[ERROR_CODE.authDevicePending]: {
-		command: "ogment login",
-		reason: "Authorization is pending; run login again after approving in the browser.",
-		title: "Complete login",
-		when: "immediate"
+		command: "ogment status",
+		reason: "Approve this request in the browser, then continue in the terminal.",
+		title: "Continue after approval",
+		when: "after_approval"
 	},
 	[ERROR_CODE.authInvalidCredentials]: {
 		command: "ogment login",
@@ -8373,6 +8373,7 @@ const authStateFileSchema = object({
 	currentAuthRequest: object({
 		authRequestId: string().min(1),
 		expiresAt: string().min(1),
+		requestOrigin: _enum(["existing", "new"]).optional(),
 		verificationUrl: string().min(1)
 	}).nullable().optional(),
 	installationId: uuid(),
@@ -8419,6 +8420,14 @@ const legacyAuthStateFileSchema = object({
 const LOCK_RETRY_DELAY_MS = 10;
 const LOCK_STALE_MS = 3e4;
 const LOCK_TIMEOUT_MS = 2e3;
+const normalizeCurrentAuthRequest = (request) => {
+	return {
+		authRequestId: request.authRequestId,
+		expiresAt: request.expiresAt,
+		requestOrigin: request.requestOrigin ?? "existing",
+		verificationUrl: request.verificationUrl
+	};
+};
 const sleepBlocking = (milliseconds) => {
 	const buffer = new SharedArrayBuffer(4);
 	const view = new Int32Array(buffer);
@@ -8429,7 +8438,7 @@ const normalizeAuthState = (value) => {
 	if (Result.isOk(parsedCurrentState)) return {
 		needsMigration: false,
 		state: {
-			currentAuthRequest: parsedCurrentState.value.currentAuthRequest ?? null,
+			currentAuthRequest: parsedCurrentState.value.currentAuthRequest === null || parsedCurrentState.value.currentAuthRequest === void 0 ? null : normalizeCurrentAuthRequest(parsedCurrentState.value.currentAuthRequest),
 			installationId: parsedCurrentState.value.installationId,
 			session: parsedCurrentState.value.session ?? null,
 			version: 3
@@ -8439,7 +8448,10 @@ const normalizeAuthState = (value) => {
 	if (Result.isOk(parsedLegacyV2State)) return {
 		needsMigration: true,
 		state: {
-			currentAuthRequest: parsedLegacyV2State.value.pendingAuthRequest ?? null,
+			currentAuthRequest: parsedLegacyV2State.value.pendingAuthRequest === null || parsedLegacyV2State.value.pendingAuthRequest === void 0 ? null : {
+				...parsedLegacyV2State.value.pendingAuthRequest,
+				requestOrigin: "existing"
+			},
 			installationId: parsedLegacyV2State.value.installationId,
 			session: parsedLegacyV2State.value.session ?? null,
 			version: 3
@@ -8454,6 +8466,7 @@ const normalizeAuthState = (value) => {
 			currentAuthRequest: latestPendingRequest === void 0 ? null : {
 				authRequestId: latestPendingRequest.authRequestId,
 				expiresAt: latestPendingRequest.expiresAt,
+				requestOrigin: "existing",
 				verificationUrl: latestPendingRequest.verificationUrl
 			},
 			installationId: parsedV1.value.installationId,
@@ -8728,6 +8741,7 @@ const createFileCredentialsStore = (deps) => {
 							currentAuthRequest: {
 								authRequestId: request.authRequestId,
 								expiresAt: request.expiresAt,
+								requestOrigin: request.requestOrigin,
 								verificationUrl: request.verificationUrl
 							}
 						});
@@ -8751,7 +8765,7 @@ const DEFAULT_OGMENT_BASE_URL = "https://dashboard.ogment.ai";
 */
 const SENTRY_DSN_BUILD = "https://4219ab98670b61086758b4d0e31ae318@o4507724844957696.ingest.us.sentry.io/4510992932405248";
 const SENTRY_ENVIRONMENT_BUILD = "production";
-const SENTRY_RELEASE_BUILD = "cli-v0.10.0+git:4ebe33ce3";
+const SENTRY_RELEASE_BUILD = "cli-v0.10.1+git:865c808dd";
 const packageJsonSchema = object({ version: string().min(1) });
 const hasCode = (value, code) => {
 	if (typeof value !== "object" || value === null) return false;
@@ -13866,7 +13880,7 @@ const resolvePrimaryCode = (error) => {
 		if (typeof error.httpStatus === "number") return toHttpCode(error.httpStatus);
 		if (typeof error.mcpCode === "number") return toMcpCode(error.mcpCode);
 	}
-	return String(meta.code);
+	return meta.code;
 };
 const resolveRelatedCodes = (error, primaryCode) => {
 	if (error._tag !== "RemoteRequestError") return;
@@ -14106,9 +14120,9 @@ const cliOrgSchema = object({
 	servers: array(cliServerSchema)
 }).strict();
 const cliActingAgentSchema = object({
-	agentId: string().uuid(),
+	agentId: uuid(),
 	agentName: string().min(1),
-	boundInstallationId: string().uuid().nullable()
+	boundInstallationId: uuid().nullable()
 }).strict();
 const cliMeDataSchema = object({
 	actingAgent: cliActingAgentSchema.nullable(),
@@ -14130,15 +14144,15 @@ const authStartDataSchema = object({
 		"reused_pending"
 	]),
 	expiresAt: isoTimestampSchema,
-	verificationUrl: string().url()
+	verificationUrl: url$4()
 }).strict();
 const authStartSchema = cliSuccessEnvelopeSchema(authStartDataSchema);
 const authExchangePendingDataSchema = object({ status: literal("authorization_pending") }).strict();
 const authExchangeApprovedDataSchema = object({
-	agentId: string().uuid(),
+	agentId: uuid(),
 	agentName: string().min(1),
 	apiKey: string().min(1),
-	credentialId: string().uuid(),
+	credentialId: uuid(),
 	status: literal("approved")
 }).strict();
 const authExchangeExpiredDataSchema = object({ status: literal("expired") }).strict();
@@ -14175,7 +14189,7 @@ const cliEndpoints = {
 const cliCommandKindSchema = _enum([
 	"login",
 	"logout",
-	"reset",
+	"logout_reset",
 	"catalog_summary",
 	"catalog_tool",
 	"catalog_tools",
@@ -14310,7 +14324,7 @@ const exitCodeForError = (error) => {
 	const { category, code } = appErrorMeta(error);
 	switch (category) {
 		case ERROR_CATEGORY.auth:
-			if (code === ERROR_CODE.authRequired) return EXIT_CODE.authRequired;
+			if (code === ERROR_CODE.authRequired || code === ERROR_CODE.authDevicePending) return EXIT_CODE.authRequired;
 			return EXIT_CODE.authFailed;
 		case ERROR_CATEGORY.notFound: return EXIT_CODE.notFound;
 		case ERROR_CATEGORY.rateLimit: return EXIT_CODE.rateLimit;
@@ -14333,8 +14347,8 @@ const runLoginCommand = async (context, options) => {
 const runLogoutCommand = async (context) => {
 	return context.services.auth.logout();
 };
-const runResetCommand = async (context) => {
-	return context.services.auth.reset();
+const runLogoutResetCommand = async (context) => {
+	return context.services.auth.logoutReset();
 };
 
 //#endregion
@@ -14701,7 +14715,7 @@ const runInvokeCommand = async (context, options, deps = {}) => {
 //#endregion
 //#region src/commands/status.ts
 const runStatusCommand = async (options, deps) => {
-	return deps.infoService.collect(options.apiKeyOverride, { includeDebug: options.debug });
+	return deps.infoService.collect(options.apiKeyOverride, { includeDebug: options.debug ?? false });
 };
 
 //#endregion
@@ -14769,81 +14783,131 @@ const buildJsonSchemaExample = (schema) => {
 
 //#endregion
 //#region src/cli/commands.ts
+function catalogCommand() {
+	return "ogment catalog";
+}
+function catalogServerCommand(serverId) {
+	return `${catalogCommand()} ${serverId}`;
+}
+function catalogSummaryCommand(options) {
+	return [
+		catalogCommand(),
+		...options.cursor === void 0 ? [] : [`--cursor ${options.cursor}`],
+		...options.limit === void 0 ? [] : [`--limit ${options.limit}`]
+	].join(" ");
+}
+function catalogToolCommand(serverId, toolName, options) {
+	return [
+		catalogCommand(),
+		serverId,
+		toolName,
+		...options.example ? ["--example"] : []
+	].join(" ");
+}
+function helpForScope(scope) {
+	if (scope === null) return "ogment --help";
+	return `ogment ${scope} --help`;
+}
+function loginCommand() {
+	return "ogment login";
+}
+function logoutCommand() {
+	return "ogment logout";
+}
+function logoutResetCommand() {
+	return "ogment logout --reset";
+}
+function invokeCommand(serverId, toolName, orgSlug) {
+	return [
+		"ogment invoke",
+		...orgSlug === void 0 ? [] : [`--org ${orgSlug}`],
+		serverId,
+		toolName
+	].join(" ");
+}
+function invokeInlineJson(serverId, toolName, orgSlug) {
+	return `${invokeCommand(serverId, toolName, orgSlug)} --input <json>`;
+}
+function invokeStdin(serverId, toolName, orgSlug) {
+	return `${invokeCommand(serverId, toolName, orgSlug)} --input -`;
+}
+function invokeWithInputValue(serverId, toolName, value, orgSlug) {
+	return `${invokeCommand(serverId, toolName, orgSlug)} --input ${value}`;
+}
+function rootCommand() {
+	return "ogment";
+}
+const rootCommandReferences = [
+	{
+		quickCommand: catalogCommand(),
+		surface: "catalog"
+	},
+	{
+		quickCommand: catalogServerCommand("<server-id>"),
+		surface: "catalog <server-id>"
+	},
+	{
+		quickCommand: catalogToolCommand("<server-id>", "<tool-name>", { example: false }),
+		surface: "catalog <server-id> <tool-name>"
+	},
+	{
+		quickCommand: invokeWithInputValue("<server-id>", "<tool-name>", "'{}'"),
+		surface: "invoke <server-id> <tool-name>"
+	},
+	{
+		quickCommand: statusCommand(),
+		surface: "status"
+	},
+	{
+		quickCommand: loginCommand(),
+		surface: "login"
+	},
+	{
+		quickCommand: logoutCommand(),
+		surface: "logout"
+	},
+	{
+		quickCommand: logoutResetCommand(),
+		surface: "logout --reset"
+	}
+];
+function rootCommandsSurface() {
+	return rootCommandReferences.map(({ surface }) => surface);
+}
+function rootQuickCommands() {
+	return rootCommandReferences.map(({ quickCommand }) => quickCommand);
+}
+function rootHelp() {
+	return `${rootCommand()} --help`;
+}
+function statusCommand() {
+	return "ogment status";
+}
 const cliCommands = {
 	catalog: {
-		command: () => "ogment catalog",
-		server: (serverId) => `ogment catalog ${serverId}`,
-		summary: (options) => {
-			return [
-				"ogment catalog",
-				...options.cursor === void 0 ? [] : [`--cursor ${options.cursor}`],
-				...options.limit === void 0 ? [] : [`--limit ${options.limit}`]
-			].join(" ");
-		},
-		tool: (serverId, toolName, options) => {
-			return [
-				"ogment catalog",
-				serverId,
-				toolName,
-				...options.example ? ["--example"] : []
-			].join(" ");
-		}
+		command: catalogCommand,
+		server: catalogServerCommand,
+		summary: catalogSummaryCommand,
+		tool: catalogToolCommand
 	},
-	helpForScope: (scope) => {
-		if (scope === null) return "ogment --help";
-		return `ogment ${scope} --help`;
+	helpForScope,
+	login: { command: loginCommand },
+	logout: {
+		command: logoutCommand,
+		reset: logoutResetCommand
 	},
-	login: { command: () => "ogment login" },
-	logout: { command: () => "ogment logout" },
 	invoke: {
-		command: (serverId, toolName, orgSlug) => [
-			"ogment invoke",
-			...orgSlug === void 0 ? [] : [`--org ${orgSlug}`],
-			serverId,
-			toolName
-		].join(" "),
-		inlineJson: (serverId, toolName, orgSlug) => [
-			"ogment invoke",
-			...orgSlug === void 0 ? [] : [`--org ${orgSlug}`],
-			serverId,
-			toolName,
-			"--input <json>"
-		].join(" "),
-		stdin: (serverId, toolName, orgSlug) => [
-			"ogment invoke",
-			...orgSlug === void 0 ? [] : [`--org ${orgSlug}`],
-			serverId,
-			toolName,
-			"--input -"
-		].join(" "),
-		withInputValue: (serverId, toolName, value, orgSlug) => {
-			return [
-				"ogment invoke",
-				...orgSlug === void 0 ? [] : [`--org ${orgSlug}`],
-				serverId,
-				toolName,
-				`--input ${value}`
-			].join(" ");
-		}
+		command: invokeCommand,
+		inlineJson: invokeInlineJson,
+		stdin: invokeStdin,
+		withInputValue: invokeWithInputValue
 	},
 	root: {
-		command: () => "ogment",
-		commandsSurface: () => {
-			return [
-				"login",
-				"logout",
-				"reset",
-				"catalog",
-				"catalog <server-id>",
-				"catalog <server-id> <tool-name>",
-				"invoke <server-id> <tool-name>",
-				"status"
-			];
-		},
-		help: () => "ogment --help"
+		command: rootCommand,
+		commandsSurface: rootCommandsSurface,
+		help: rootHelp
 	},
-	reset: { command: () => "ogment reset" },
-	status: { command: () => "ogment status" }
+	status: { command: statusCommand }
 };
 
 //#endregion
@@ -14884,8 +14948,8 @@ const ensureSuccess = (result, runtime, context) => {
 const nextActionsForLogin = (payload) => {
 	return [nextAction("inspect_status", "Inspect status", cliCommands.status.command(), `Verify the connected CLI state for ${payload.agentName}.`, "immediate"), nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Logged in as ${payload.agentName}; discover available servers.`, "after_auth")];
 };
-const nextActionsForPendingLogin = (authRequestId, verificationUrl) => {
-	return [nextAction("complete_login", "Complete login", cliCommands.login.command(), `Approve request ${authRequestId} at ${verificationUrl}, then run login again to finish local sign-in.`, "immediate"), nextAction("inspect_status", "Inspect status", cliCommands.status.command(), "Inspect the current CLI state and diagnostics.", "if_expired")];
+const nextActionsForPendingAuth = (verification, command = cliCommands.status.command()) => {
+	return [nextAction("continue_after_approval", "Continue in terminal", command, `Approve request ${verification.authRequestId} at ${verification.verificationUrl}, then continue in the terminal.`, "after_approval")];
 };
 const nextActionsForCatalogSummary = (payload, context) => {
 	const actions = [];
@@ -14914,9 +14978,58 @@ const nextActionsForInvoke = (payload) => {
 	return [nextAction("inspect_tool", "Inspect tool schema", cliCommands.catalog.tool(payload.serverId, payload.toolName, { example: false }), `Review ${payload.serverId}/${payload.toolName} schema for the next invocation.`, "after_invoke")];
 };
 const nextActionsForStatus = (payload) => {
+	if (payload.auth.state === "pending_approval") return nextActionsForPendingAuth(payload.auth.pendingRequest);
 	if (!payload.auth.apiKeyPresent) return [nextAction("login", "Authenticate", cliCommands.login.command(), "Status detected no API key; authenticate first.", "immediate")];
 	return [nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Connectivity is ${payload.summary.status}; discover available servers.`, "after_status")];
 };
+const pendingAuthDiagnostics = (verification) => {
+	return {
+		authRequestId: verification.authRequestId,
+		expiresAt: verification.expiresAt,
+		requestOrigin: verification.requestOrigin,
+		verificationUrl: verification.verificationUrl
+	};
+};
+const throwPendingAuthError = (runtime, command, verification, recoveryCommand) => {
+	const error = new AuthError({
+		code: ERROR_CODE.authDevicePending,
+		message: "Approve this request, then continue in the terminal.",
+		recovery: {
+			command: recoveryCommand,
+			reason: "Approve this request in the browser, then continue in the terminal.",
+			title: "Continue after approval",
+			when: "after_approval"
+		}
+	});
+	runtime.output.error(error, {
+		command,
+		diagnostics: pendingAuthDiagnostics(verification),
+		entity: {
+			event: "auth.pending",
+			verification: pendingAuthDiagnostics(verification)
+		}
+	});
+	throw new CliExitError(exitCodeForError(error), error);
+};
+const completePendingAuthBeforeInvocation = async (runtime, command) => {
+	const data = ensureSuccess(await runtime.context.services.auth.completePendingAuth(), runtime, { command });
+	if (data.kind === "pending") {
+		const resolvedApiKey = await runtime.context.services.auth.resolveApiKey(runtime.context.apiKeyOverride);
+		if (Result.isOk(resolvedApiKey)) return { kind: "continue" };
+		if (!(resolvedApiKey.error instanceof AuthError && resolvedApiKey.error.code === ERROR_CODE.authDevicePending)) {
+			runtime.output.error(resolvedApiKey.error, {
+				command,
+				entity: null
+			});
+			throwCommandError(resolvedApiKey.error);
+		}
+		return {
+			kind: "pending",
+			verification: data.verification
+		};
+	}
+	return { kind: "continue" };
+};
 const runLoginFlow = async (runtime, options) => {
 	const invokedCommand = cliCommands.login.command();
 	const data = ensureSuccess(await runLoginCommand(runtime.context, options), runtime, { command: invokedCommand });
@@ -14932,10 +15045,12 @@ const runLoginFlow = async (runtime, options) => {
 				event: "login.pending",
 				verification: {
 					authRequestId: data.verification.authRequestId,
+					expiresAt: data.verification.expiresAt,
+					requestOrigin: data.verification.requestOrigin,
 					verificationUrl: data.verification.verificationUrl
 				}
 			},
-			nextActions: nextActionsForPendingLogin(data.verification.authRequestId, data.verification.verificationUrl)
+			nextActions: nextActionsForPendingAuth(data.verification)
 		});
 		return;
 	}
@@ -14968,28 +15083,26 @@ const executeLogoutInvocation = async (runtime) => {
 		command,
 		entity: {
 			event: "logout.completed",
-			localStateCleared: data.localStateCleared,
+			outcome: data.outcome,
 			remoteSignedOut: data.remoteSignedOut
 		},
 		nextActions: [nextAction("login", "Authenticate again", cliCommands.login.command(), "Sign-out completed; run login when you want to reconnect this installation.", "after_logout")]
 	});
 };
-const executeResetInvocation = async (runtime) => {
-	const command = cliCommands.reset.command();
-	const data = ensureSuccess(await runResetCommand(runtime.context), runtime, { command });
+const executeLogoutResetInvocation = async (runtime) => {
+	const command = cliCommands.logout.reset();
+	const data = ensureSuccess(await runLogoutResetCommand(runtime.context), runtime, { command });
 	const outputData = {
 		...data,
-		event: "reset.completed"
+		event: "logout.reset.completed"
 	};
 	runtime.output.success(outputData, {
 		command,
 		entity: {
-			event: "reset.completed",
-			installationReset: data.installationReset,
-			localStateCleared: data.localStateCleared,
-			remoteReset: data.remoteReset
+			event: "logout.reset.completed",
+			outcome: data.outcome
 		},
-		nextActions: [nextAction("login", "Authenticate this fresh install", cliCommands.login.command(), "Reset completed; run login to create or reconnect this installation.", "after_reset"), nextAction("inspect_status", "Inspect status", cliCommands.status.command(), "Inspect the fresh-install CLI state and diagnostics.", "after_reset")]
+		nextActions: [nextAction("login", "Authenticate this fresh install", cliCommands.login.command(), "This installation is reset; run login to create or reconnect it.", "after_reset"), nextAction("inspect_status", "Inspect status", cliCommands.status.command(), "Inspect the fresh-install CLI state and diagnostics.", "after_reset")]
 	});
 };
 const executeCatalogInvocation = async (runtime, invocation) => {
@@ -15046,6 +15159,8 @@ const executeCatalogInvocation = async (runtime, invocation) => {
 				...plan.cursor === void 0 ? {} : { cursor: plan.cursor },
 				...plan.limit === void 0 ? {} : { limit: plan.limit }
 			});
+			const pendingAuth = await completePendingAuthBeforeInvocation(runtime, command);
+			if (pendingAuth.kind === "pending") throwPendingAuthError(runtime, command, pendingAuth.verification, command);
 			const data = ensureSuccess(await runCatalogCommand(runtime.context, {
 				...plan.cursor === void 0 ? {} : { cursor: plan.cursor },
 				includeDebug: runtime.output.debug,
@@ -15079,6 +15194,8 @@ const executeCatalogInvocation = async (runtime, invocation) => {
 		}
 		case "tools": {
 			const command = cliCommands.catalog.server(planResult.value.serverId);
+			const pendingAuth = await completePendingAuthBeforeInvocation(runtime, command);
+			if (pendingAuth.kind === "pending") throwPendingAuthError(runtime, command, pendingAuth.verification, command);
 			const data = ensureSuccess(await runCatalogToolsCommand(runtime.context, { serverId: planResult.value.serverId }), runtime, {
 				command,
 				entity: { serverId: planResult.value.serverId }
@@ -15095,6 +15212,8 @@ const executeCatalogInvocation = async (runtime, invocation) => {
 		}
 		case "tool": {
 			const command = cliCommands.catalog.tool(planResult.value.serverId, planResult.value.toolName, { example: planResult.value.example });
+			const pendingAuth = await completePendingAuthBeforeInvocation(runtime, command);
+			if (pendingAuth.kind === "pending") throwPendingAuthError(runtime, command, pendingAuth.verification, command);
 			const data = ensureSuccess(await runCatalogToolDetailsCommand(runtime.context, {
 				serverId: planResult.value.serverId,
 				toolName: planResult.value.toolName
@@ -15135,6 +15254,8 @@ const executeInvokeInvocation = async (runtime, invocation) => {
 		inputSource = "inline_json";
 		command = cliCommands.invoke.inlineJson(invocation.serverId, invocation.toolName, invocation.orgSlug);
 	}
+	const pendingAuth = await completePendingAuthBeforeInvocation(runtime, command);
+	if (pendingAuth.kind === "pending") throwPendingAuthError(runtime, command, pendingAuth.verification, command);
 	const data = ensureSuccess(await runInvokeCommand(runtime.context, {
 		input: invocation.input,
 		...invocation.orgSlug === void 0 ? {} : { orgSlug: invocation.orgSlug },
@@ -15162,19 +15283,42 @@ const executeInvokeInvocation = async (runtime, invocation) => {
 };
 const executeStatusInvocation = async (runtime) => {
 	const command = cliCommands.status.command();
+	await completePendingAuthBeforeInvocation(runtime, command);
 	const data = await runStatusCommand({
 		apiKeyOverride: runtime.context.apiKeyOverride,
 		debug: runtime.output.debug
 	}, { infoService: runtime.infoService });
 	runtime.output.success(data, {
 		command,
-		entity: { summaryStatus: data.summary.status },
+		entity: {
+			authState: data.auth.state,
+			pendingAuth: data.auth.pendingRequest === null ? null : pendingAuthDiagnostics(data.auth.pendingRequest),
+			summaryStatus: data.summary.status
+		},
 		nextActions: nextActionsForStatus(data)
 	});
 };
-const executeRootInvocation = (runtime) => {
+const executeRootInvocation = async (runtime) => {
+	const command = cliCommands.root.command();
+	const pendingAuth = await completePendingAuthBeforeInvocation(runtime, command);
+	if (pendingAuth.kind === "pending") {
+		const outputData = {
+			event: "auth.pending",
+			loggedIn: false,
+			verification: pendingAuth.verification
+		};
+		runtime.output.success(outputData, {
+			command,
+			entity: {
+				event: "auth.pending",
+				verification: pendingAuthDiagnostics(pendingAuth.verification)
+			},
+			nextActions: nextActionsForPendingAuth(pendingAuth.verification, command)
+		});
+		return;
+	}
 	runtime.output.success({ commands: cliCommands.root.commandsSurface() }, {
-		command: cliCommands.root.command(),
+		command,
 		entity: null,
 		nextActions: [nextAction("login", "Authenticate", cliCommands.login.command(), "Authenticate first so catalog and invoke commands can run.", "immediate"), nextAction("catalog", "Discover servers", cliCommands.catalog.command(), "List accessible servers and tool counts.", "after_auth")]
 	});
@@ -15187,8 +15331,8 @@ const executeInvocation = async (runtime, invocation) => {
 		case "logout":
 			await executeLogoutInvocation(runtime);
 			return;
-		case "reset":
-			await executeResetInvocation(runtime);
+		case "logout_reset":
+			await executeLogoutResetInvocation(runtime);
 			return;
 		case "catalog":
 			await executeCatalogInvocation(runtime, invocation);
@@ -15197,7 +15341,7 @@ const executeInvocation = async (runtime, invocation) => {
 			await executeInvokeInvocation(runtime, invocation);
 			return;
 		case "root":
-			executeRootInvocation(runtime);
+			await executeRootInvocation(runtime);
 			return;
 		case "status":
 			await executeStatusInvocation(runtime);
@@ -15261,7 +15405,7 @@ const nextActionForParseError = (scope, helpCommand) => {
 	};
 };
 const parseActionsForScope = (scope, helpAction) => {
-	if (scope === "login" || scope === "logout" || scope === "reset") return [
+	if (scope === "login" || scope === "logout") return [
 		{
 			command: cliCommands.login.command(),
 			id: "login",
@@ -60770,9 +60914,10 @@ const accountMeUrl = (baseUrl) => {
 	return toEndpointUrl(baseUrl, cliEndpoints.accountMe);
 };
 const toLoginPendingInfo = (request) => {
-	if (request === null) return null;
 	return {
 		authRequestId: request.authRequestId,
+		expiresAt: request.expiresAt,
+		requestOrigin: request.requestOrigin,
 		verificationUrl: request.verificationUrl
 	};
 };
@@ -60887,6 +61032,19 @@ const createAuthService = (deps) => {
 		if (Result.isError(clearResult)) return clearResult;
 		return Result.ok({ kind: "none" });
 	};
+	const completePendingAuthSnapshot = async (snapshot) => {
+		const exchangedCurrentAuthRequest = await exchangeCurrentAuthRequest(snapshot);
+		if (Result.isError(exchangedCurrentAuthRequest)) return exchangedCurrentAuthRequest;
+		if (exchangedCurrentAuthRequest.value.kind === "approved") return Result.ok({
+			auth: exchangedCurrentAuthRequest.value.auth,
+			kind: "authenticated"
+		});
+		if (exchangedCurrentAuthRequest.value.kind === "pending") return Result.ok({
+			kind: "pending",
+			verification: toLoginPendingInfo(exchangedCurrentAuthRequest.value.request)
+		});
+		return Result.ok({ kind: "none" });
+	};
 	const startOrRecoverLogin = async (installationId, options) => {
 		const startPayload = await requestJson(deps.httpClient, authStartUrl(deps.baseUrl), authStartSchema, {
 			body: JSON.stringify({
@@ -60911,6 +61069,7 @@ const createAuthService = (deps) => {
 		const currentAuthRequest = {
 			authRequestId: startPayload.value.data.authRequestId,
 			expiresAt: startPayload.value.data.expiresAt,
+			requestOrigin: startPayload.value.data.disposition === "created" ? "new" : "existing",
 			verificationUrl: startPayload.value.data.verificationUrl
 		};
 		const saveCurrentAuthRequestResult = deps.credentialsStore.saveCurrentAuthRequest(currentAuthRequest);
@@ -60929,18 +61088,20 @@ const createAuthService = (deps) => {
 			});
 		}
 		const verification = toLoginPendingInfo(currentAuthRequest);
-		if (verification !== null) options.onPending?.(verification);
+		options.onPending?.(verification);
 		return Result.ok({
 			agentName: null,
 			loggedIn: false,
 			outcome: "pending_approval",
-			verification: verification ?? {
-				authRequestId: currentAuthRequest.authRequestId,
-				verificationUrl: currentAuthRequest.verificationUrl
-			}
+			verification
 		});
 	};
 	return {
+		completePendingAuth: async () => {
+			const snapshot = loadLocalAuthSnapshot();
+			if (Result.isError(snapshot)) return snapshot;
+			return completePendingAuthSnapshot(snapshot.value);
+		},
 		login: async (options) => {
 			const snapshot = loadLocalAuthSnapshot();
 			if (Result.isError(snapshot)) return snapshot;
@@ -60955,24 +61116,20 @@ const createAuthService = (deps) => {
 				const deleteResult = deps.credentialsStore.delete();
 				if (Result.isError(deleteResult)) return deleteResult;
 			}
-			const exchangedCurrentAuthRequest = await exchangeCurrentAuthRequest(snapshot.value);
-			if (Result.isError(exchangedCurrentAuthRequest)) return exchangedCurrentAuthRequest;
-			if (exchangedCurrentAuthRequest.value.kind === "approved") return Result.ok({
-				agentName: exchangedCurrentAuthRequest.value.auth.agentName,
+			const completedPendingAuth = await completePendingAuthSnapshot(snapshot.value);
+			if (Result.isError(completedPendingAuth)) return completedPendingAuth;
+			if (completedPendingAuth.value.kind === "authenticated") return Result.ok({
+				agentName: completedPendingAuth.value.auth.agentName,
 				loggedIn: true,
 				outcome: "authenticated"
 			});
-			if (exchangedCurrentAuthRequest.value.kind === "pending") {
-				const verification = toLoginPendingInfo(exchangedCurrentAuthRequest.value.request);
-				if (verification !== null) options.onPending?.(verification);
+			if (completedPendingAuth.value.kind === "pending") {
+				options.onPending?.(completedPendingAuth.value.verification);
 				return Result.ok({
 					agentName: null,
 					loggedIn: false,
 					outcome: "pending_approval",
-					verification: verification ?? {
-						authRequestId: exchangedCurrentAuthRequest.value.request.authRequestId,
-						verificationUrl: exchangedCurrentAuthRequest.value.request.verificationUrl
-					}
+					verification: completedPendingAuth.value.verification
 				});
 			}
 			return startOrRecoverLogin(snapshot.value.installationId, options);
@@ -60981,7 +61138,7 @@ const createAuthService = (deps) => {
 			const snapshot = loadLocalAuthSnapshot();
 			if (Result.isError(snapshot)) return snapshot;
 			if (snapshot.value.session === null) return Result.ok({
-				localStateCleared: false,
+				outcome: "already_logged_out",
 				remoteSignedOut: false
 			});
 			const storedAuthorizationHeader = toStoredAuthorizationHeader(snapshot.value.session);
@@ -61007,11 +61164,11 @@ const createAuthService = (deps) => {
 			const deleteResult = deps.credentialsStore.delete();
 			if (Result.isError(deleteResult)) return deleteResult;
 			return Result.ok({
-				localStateCleared: true,
+				outcome: "logged_out",
 				remoteSignedOut
 			});
 		},
-		reset: async () => {
+		logoutReset: async () => {
 			const snapshot = loadLocalAuthSnapshot();
 			if (Result.isError(snapshot)) return snapshot;
 			const storedAuthorizationHeader = toStoredAuthorizationHeader(snapshot.value.session);
@@ -61035,14 +61192,9 @@ const createAuthService = (deps) => {
 				operation: "auth/reset"
 			});
 			const remoteReset = Result.isOk(remoteResetResult);
-			const localStateCleared = snapshot.value.session !== null || snapshot.value.currentAuthRequest !== null;
 			const resetLocalStateResult = deps.credentialsStore.reset();
 			if (Result.isError(resetLocalStateResult)) return resetLocalStateResult;
-			return Result.ok({
-				installationReset: true,
-				localStateCleared,
-				remoteReset
-			});
+			return Result.ok({ outcome: remoteReset ? "installation_reset" : "local_only_reset_with_remote_warning" });
 		},
 		resolveApiKey: async (overrideApiKey) => {
 			const resolution = resolveApiKey({
@@ -61054,9 +61206,14 @@ const createAuthService = (deps) => {
 			if (resolution.source === "credentialsError" && resolution.loadError) return Result.err(resolution.loadError);
 			const snapshot = loadLocalAuthSnapshot();
 			if (Result.isError(snapshot)) return snapshot;
-			const exchangedCurrentAuthRequest = await exchangeCurrentAuthRequest(snapshot.value);
-			if (Result.isError(exchangedCurrentAuthRequest)) return exchangedCurrentAuthRequest;
-			if (exchangedCurrentAuthRequest.value.kind === "approved") return Result.ok(exchangedCurrentAuthRequest.value.auth.apiKey);
+			const completedPendingAuth = await completePendingAuthSnapshot(snapshot.value);
+			if (Result.isError(completedPendingAuth)) return completedPendingAuth;
+			if (completedPendingAuth.value.kind === "authenticated") return Result.ok(completedPendingAuth.value.auth.apiKey);
+			if (completedPendingAuth.value.kind === "pending") return Result.err(new AuthError({
+				code: ERROR_CODE.authDevicePending,
+				message: "Approve this request, then continue in the terminal.",
+				recovery: { command: "ogment status" }
+			}));
 			return Result.err(new AuthError({
 				code: ERROR_CODE.authRequired,
 				message: "Not logged in. Run `ogment login` or set OGMENT_API_KEY.",
@@ -61080,14 +61237,14 @@ const nextActionByIssueCode = (includeDebug) => {
 		unreachable: includeDebug ? "Verify `OGMENT_BASE_URL` and network connectivity." : "Verify network connectivity."
 	};
 };
-const toSummary = (issues, includeDebug) => {
+const toSummary = (issues, includeDebug, authState) => {
 	const issueActions = nextActionByIssueCode(includeDebug);
 	const nextActions = /* @__PURE__ */ new Set();
 	for (const issue of issues) {
 		const nextAction = issueActions[issue.code];
 		if (nextAction !== void 0) nextActions.add(nextAction);
 	}
-	nextActions.add("Run `ogment catalog` to inspect available servers.");
+	if (authState === "signed_in") nextActions.add("Run `ogment catalog` to inspect available servers.");
 	return {
 		issues: issues.map((issue) => issue.message),
 		nextActions: [...nextActions],
@@ -61104,6 +61261,11 @@ const emptyAccountErrorDetails = () => {
 		errorSource: null
 	};
 };
+function resolveAuthState(selectedApiKey, pendingRequest) {
+	if (selectedApiKey !== null) return "signed_in";
+	if (pendingRequest !== null) return "pending_approval";
+	return "signed_out";
+}
 const createInfoService = (deps) => {
 	const detectEnvironment = deps.detectExecutionEnvironmentFn ?? detectExecutionEnvironment;
 	const existsSyncFn = deps.existsSyncFn ?? existsSync;
@@ -61116,8 +61278,11 @@ const createInfoService = (deps) => {
 			envApiKey: deps.envApiKey
 		});
 		const installationIdResult = deps.credentialsStore.getInstallationId();
+		const currentAuthRequestResult = deps.credentialsStore.getCurrentAuthRequest();
 		const installationId = Result.isOk(installationIdResult) ? installationIdResult.value : null;
+		const pendingRequest = Result.isOk(currentAuthRequestResult) ? currentAuthRequestResult.value : null;
 		const selectedApiKey = apiKeyResolution.apiKey;
+		const authState = resolveAuthState(selectedApiKey, pendingRequest);
 		const credentialsFileExists = existsSyncFn(deps.credentialsPath);
 		const endpoint = `${deps.baseUrl}${cliEndpoints.accountMe}`;
 		const pingHeaders = typeof selectedApiKey === "string" ? { Authorization: `Bearer ${selectedApiKey}` } : void 0;
@@ -61192,7 +61357,7 @@ const createInfoService = (deps) => {
 			}
 			return {
 				actingAgent: null,
-				..."code" in accountResult.error ? { errorCode: String(accountResult.error.code) } : { errorCode: null },
+				..."code" in accountResult.error ? { errorCode: accountResult.error.code } : { errorCode: null },
 				..."httpStatus" in accountResult.error ? { errorHttpStatus: typeof accountResult.error.httpStatus === "number" ? accountResult.error.httpStatus : null } : { errorHttpStatus: null },
 				..."mcpCode" in accountResult.error ? { errorMcpCode: typeof accountResult.error.mcpCode === "number" ? accountResult.error.mcpCode : null } : { errorMcpCode: null },
 				..."raw" in accountResult.error ? { errorRaw: accountResult.error.raw ?? null } : { errorRaw: null },
@@ -61213,7 +61378,11 @@ const createInfoService = (deps) => {
 			code: "unreachable",
 			message: `Could not reach ${deps.baseUrl}: ${ping.error ?? "unknown error"}`
 		});
-		if (apiKeyResolution.source === "none") issues.push({
+		if (authState === "pending_approval") issues.push({
+			code: "pending_approval",
+			message: "CLI sign-in is waiting for browser approval for the current request."
+		});
+		if (apiKeyResolution.source === "none" && authState !== "pending_approval") issues.push({
 			code: "no_api_key",
 			message: "No API key found in --api-key, OGMENT_API_KEY, or local auth state."
 		});
@@ -61241,14 +61410,20 @@ const createInfoService = (deps) => {
 			code: "credentials_load_failed",
 			message: `Failed to load installation identity: ${installationIdResult.error.message}`
 		});
+		if (Result.isError(currentAuthRequestResult)) issues.push({
+			code: "credentials_load_failed",
+			message: `Failed to load pending auth state: ${currentAuthRequestResult.error.message}`
+		});
 		return {
 			auth: {
+				state: authState,
 				apiKeyPresent: selectedApiKey !== null,
 				apiKeyPreview: selectedApiKey === null ? null : maskApiKey(selectedApiKey),
 				apiKeySource: apiKeyResolution.source,
 				credentialsFileExists,
 				credentialsFileLoadError: apiKeyResolution.loadError?.message ?? null,
-				installationId
+				installationId,
+				pendingRequest
 			},
 			config: {
 				baseUrl: deps.baseUrl,
@@ -61263,16 +61438,7 @@ const createInfoService = (deps) => {
 					"~/.config/ogment/auth-state.json",
 					...includeDebug ? ["default base URL when OGMENT_BASE_URL is unset"] : []
 				],
-				quickCommands: [
-					"ogment status",
-					"ogment login",
-					"ogment logout",
-					"ogment reset",
-					"ogment catalog",
-					"ogment catalog <server-id>",
-					"ogment catalog <server-id> <tool-name>",
-					"ogment invoke <server-id> <tool-name> --input '{}'"
-				]
+				quickCommands: rootQuickCommands()
 			},
 			generatedAt: new Date(now()).toISOString(),
 			remote: {
@@ -61286,7 +61452,7 @@ const createInfoService = (deps) => {
 				platform: process.platform,
 				processArch: process.arch
 			},
-			summary: toSummary(issues, includeDebug)
+			summary: toSummary(issues, includeDebug, authState)
 		};
 	} };
 };
@@ -72123,8 +72289,8 @@ const asGlobalOptions = (command) => {
 	const options = command.optsWithGlobals();
 	return {
 		apiKey: options.apiKey,
-		debug: Boolean(options.debug),
-		quiet: Boolean(options.quiet)
+		debug: options.debug,
+		quiet: options.quiet
 	};
 };
 const mapGlobalOutputOptions = (options) => {
@@ -72194,11 +72360,8 @@ const createProgram = (runtime, parseState) => {
 	program.command("login").summary("Authenticate this CLI installation").description("Start or complete browser-based login for this installation").helpGroup("Authentication Commands:").action(() => {
 		setInvocation({ kind: "login" });
 	});
-	program.command("logout").summary("Sign this CLI installation out").description("Sign out the current local CLI session").helpGroup("Authentication Commands:").action(() => {
-		setInvocation({ kind: "logout" });
-	});
-	program.command("reset").summary("Reset this CLI installation").description("Wipe local state and create a fresh CLI installation identity").helpGroup("Authentication Commands:").action(() => {
-		setInvocation({ kind: "reset" });
+	program.command("logout").summary("Sign this CLI installation out").description("Sign out the current local CLI session").helpGroup("Authentication Commands:").option("--reset", "Forget this installation and rotate its local identity").action((options) => {
+		setInvocation({ kind: options.reset === true ? "logout_reset" : "logout" });
 	});
 	program.command("catalog [serverId] [toolName]").summary("Discover servers and inspect tools").description("Discover servers and tools with progressive disclosure").helpGroup("Discovery Commands:").addOption(new Option("--cursor <cursor>", "Pagination cursor (catalog summary only)").conflicts("example")).addOption(new Option("--limit <limit>", "Maximum servers to return (catalog summary only)").argParser(parseCatalogLimitOption).conflicts("example")).addOption(new Option("--example", "Include a generated example input payload (tool details only)").conflicts(["cursor", "limit"])).action((serverId, toolName, options) => {
 		setInvocation({
@@ -72248,7 +72411,6 @@ const CLI_PACKAGE_NAME = "@ogment-ai/cli";
 const PARSE_ERROR_SCOPE_COMMAND_PATHS = {
 	login: "ogment login <parse_error>",
 	logout: "ogment logout <parse_error>",
-	reset: "ogment reset <parse_error>",
 	catalog: "ogment catalog <parse_error>",
 	invoke: "ogment invoke <parse_error>",
 	status: "ogment status <parse_error>"
@@ -72283,10 +72445,10 @@ const telemetryContextResolvers = {
 			inputMode: null
 		};
 	},
-	reset: (_) => {
+	logout_reset: (_) => {
 		return {
-			commandKind: "reset",
-			commandPath: "ogment reset",
+			commandKind: "logout_reset",
+			commandPath: "ogment logout --reset",
 			inputMode: null
 		};
 	},
@@ -72333,7 +72495,7 @@ const telemetryContextFromInvocation = (invocation) => {
 	switch (invocation.kind) {
 		case "login": return telemetryContextResolvers.login(invocation);
 		case "logout": return telemetryContextResolvers.logout(invocation);
-		case "reset": return telemetryContextResolvers.reset(invocation);
+		case "logout_reset": return telemetryContextResolvers.logout_reset(invocation);
 		case "catalog": return telemetryContextResolvers.catalog(invocation);
 		case "invoke": return telemetryContextResolvers.invoke(invocation);
 		case "root": return telemetryContextResolvers.root(invocation);
@@ -72417,7 +72579,7 @@ const commandContextFromInvocation = (invocation, apiKeyOverride) => {
 	switch (invocation.kind) {
 		case "login": return withBase("login", "login");
 		case "logout": return withBase("logout", "logout");
-		case "reset": return withBase("reset", "reset");
+		case "logout_reset": return withBase("logout", "logout_reset", "--reset");
 		case "catalog":
 			if (invocation.toolName !== void 0) return withBase("catalog", "catalog", "tool");
 			if (invocation.serverId !== void 0) return withBase("catalog", "catalog", "server");
@@ -72575,4 +72737,4 @@ if (shouldExecuteCli(import.meta.url, process.argv[1])) await executeCli();
 
 //#endregion
 export { executeCli, runCli, shouldExecuteCli };
-//# debugId=af3eaa67-a183-47bc-ab25-5c28a25c0929
+//# debugId=fda73b83-a425-4a1b-a698-42d3d51d54f1