@ogment-ai/cli 0.5.0 → 0.7.0

package/dist/services/auth.js

@@ -1,739 +0,0 @@
-import { createHash, randomBytes } from "node:crypto";
-import { on } from "node:events";
-import { createServer } from "node:http";
-import { hostname } from "node:os";
-import { Result } from "better-result";
-import { detectExecutionEnvironment } from "../infra/env.js";
-import { readResponseText } from "../infra/http.js";
-import { CLI_CLIENT_NAME, CLI_REDIRECT_HOST } from "../shared/constants.js";
-import { ERROR_CODE } from "../shared/error-codes.js";
-import { AuthError, RemoteRequestError, UnexpectedError, ValidationError, } from "../shared/errors.js";
-import { parseWithSchema } from "../shared/guards.js";
-import { browserAgentCallbackSchema, cliExchangeErrorSchema, cliExchangeRequestSchema, cliExchangeSuccessSchema, deviceCodeStartSchema, deviceTokenApprovedSchema, oauthClientRegistrationSchema, oauthTokenSchema, } from "../shared/schemas.js";
-const CALLBACK_TIMEOUT_MILLISECONDS = 5 * 60 * 1000;
-const defaultSleep = async (milliseconds) => {
-    await new Promise((resolve) => {
-        setTimeout(resolve, milliseconds);
-    });
-};
-const toPendingPayload = (payload) => {
-    if (typeof payload !== "object" || payload === null) {
-        return null;
-    }
-    if (!Object.hasOwn(payload, "error")) {
-        return null;
-    }
-    const error = payload.error;
-    if (error === "authorization_pending") {
-        return "authorization_pending";
-    }
-    return null;
-};
-const generateCodeVerifier = () => {
-    return randomBytes(32).toString("base64url");
-};
-const generateCodeChallenge = (verifier) => {
-    return createHash("sha256").update(verifier).digest("base64url");
-};
-const closeServer = async (server) => {
-    await Result.tryPromise({
-        catch: () => undefined,
-        try: async () => {
-            await new Promise((resolve) => {
-                server.close(() => {
-                    resolve();
-                });
-            });
-        },
-    });
-    Result.try({
-        catch: () => undefined,
-        try: () => {
-            server.unref();
-        },
-    });
-};
-const successPage = (agentName) => {
-    return `<!DOCTYPE html>
-<html lang="en">
-<head><meta charset="utf-8"><title>Ogment - Agent configured</title></head>
-<body>
-  <h1>Agent configured</h1>
-  <p>Agent ${agentName} is now active. You can close this tab.</p>
-</body>
-</html>`;
-};
-const errorPage = (message) => {
-    return `<!DOCTYPE html>
-<html lang="en">
-<head><meta charset="utf-8"><title>Ogment - Login failed</title></head>
-<body>
-  <h1>Login failed</h1>
-  <p>${message}</p>
-</body>
-</html>`;
-};
-const startCallbackServerWithPort = async (createServerFn) => {
-    return Result.tryPromise({
-        catch: (cause) => new UnexpectedError({
-            cause,
-            message: "Failed to start local callback server",
-        }),
-        try: async () => {
-            return new Promise((resolve, reject) => {
-                const server = createServerFn();
-                const onError = (error) => {
-                    server.removeListener("error", onError);
-                    reject(error);
-                };
-                server.once("error", onError);
-                server.listen(0, CLI_REDIRECT_HOST, () => {
-                    server.removeListener("error", onError);
-                    const address = server.address();
-                    if (address === null || typeof address === "string") {
-                        reject(new Error("Could not resolve callback server port"));
-                        return;
-                    }
-                    resolve({
-                        port: address.port,
-                        server,
-                    });
-                });
-            });
-        },
-    });
-};
-const waitForOAuthCallback = async (server, port) => {
-    const abortController = new AbortController();
-    const timeout = setTimeout(() => {
-        abortController.abort();
-    }, CALLBACK_TIMEOUT_MILLISECONDS);
-    timeout.unref();
-    try {
-        for await (const event of on(server, "request", { signal: abortController.signal })) {
-            const request = event[0];
-            const response = event[1];
-            const url = new URL(request.url ?? "/", `http://${CLI_REDIRECT_HOST}:${port}`);
-            if (url.pathname !== "/callback") {
-                continue;
-            }
-            const oauthError = url.searchParams.get("error");
-            if (oauthError !== null) {
-                response.writeHead(200, {
-                    "Content-Type": "text/html; charset=utf-8",
-                });
-                response.end(errorPage(`OAuth error: ${oauthError}`));
-                return Result.err(new AuthError({
-                    code: ERROR_CODE.authInvalidCredentials,
-                    message: `OAuth error: ${oauthError}`,
-                    recovery: { command: "ogment auth login --browser" },
-                }));
-            }
-            const code = url.searchParams.get("code");
-            if (typeof code !== "string" || code.length === 0) {
-                response.writeHead(400, {
-                    "Content-Type": "text/html; charset=utf-8",
-                });
-                response.end(errorPage("No authorization code received."));
-                return Result.err(new AuthError({
-                    code: ERROR_CODE.authInvalidCredentials,
-                    message: "No authorization code in callback",
-                    recovery: { command: "ogment auth login --browser" },
-                }));
-            }
-            return Result.ok({
-                code,
-                response,
-                state: url.searchParams.get("state") ?? "",
-            });
-        }
-    }
-    catch (error) {
-        if (error instanceof Error && error.name === "AbortError") {
-            return Result.err(new AuthError({
-                code: ERROR_CODE.authInvalidCredentials,
-                message: "Login timed out. No callback received within 5 minutes.",
-                recovery: { command: "ogment auth login --browser" },
-            }));
-        }
-        return Result.err(new AuthError({
-            code: ERROR_CODE.authInvalidCredentials,
-            message: "Failed while waiting for OAuth callback.",
-            recovery: { command: "ogment auth login --browser" },
-        }));
-    }
-    finally {
-        clearTimeout(timeout);
-    }
-    return Result.err(new AuthError({
-        code: ERROR_CODE.authInvalidCredentials,
-        message: "Login timed out. No callback received within 5 minutes.",
-        recovery: { command: "ogment auth login --browser" },
-    }));
-};
-const waitForAgentCallback = async (server, port) => {
-    const abortController = new AbortController();
-    const timeout = setTimeout(() => {
-        abortController.abort();
-    }, CALLBACK_TIMEOUT_MILLISECONDS);
-    timeout.unref();
-    try {
-        for await (const event of on(server, "request", { signal: abortController.signal })) {
-            const request = event[0];
-            const response = event[1];
-            const url = new URL(request.url ?? "/", `http://${CLI_REDIRECT_HOST}:${port}`);
-            if (url.pathname !== "/agent-callback") {
-                continue;
-            }
-            const parsedCallback = parseWithSchema(browserAgentCallbackSchema, Object.fromEntries(url.searchParams.entries()), "agent callback");
-            if (Result.isError(parsedCallback)) {
-                response.writeHead(400, {
-                    "Content-Type": "text/html; charset=utf-8",
-                });
-                response.end(errorPage("No exchange code received."));
-                return Result.err(new AuthError({
-                    code: ERROR_CODE.authInvalidCredentials,
-                    message: "No exchange code in callback",
-                    recovery: { command: "ogment auth login --browser" },
-                }));
-            }
-            const agentName = parsedCallback.value.agent_name ?? "CLI Agent";
-            response.writeHead(200, {
-                "Content-Type": "text/html; charset=utf-8",
-            });
-            response.end(successPage(agentName));
-            return Result.ok({
-                agentName,
-                exchangeCode: parsedCallback.value.exchange_code,
-            });
-        }
-    }
-    catch (error) {
-        if (error instanceof Error && error.name === "AbortError") {
-            return Result.err(new AuthError({
-                code: ERROR_CODE.authInvalidCredentials,
-                message: "Agent selection timed out.",
-                recovery: { command: "ogment auth login --browser" },
-            }));
-        }
-        return Result.err(new AuthError({
-            code: ERROR_CODE.authInvalidCredentials,
-            message: "Failed while waiting for agent callback.",
-            recovery: { command: "ogment auth login --browser" },
-        }));
-    }
-    finally {
-        clearTimeout(timeout);
-    }
-    return Result.err(new AuthError({
-        code: ERROR_CODE.authInvalidCredentials,
-        message: "Agent selection timed out.",
-        recovery: { command: "ogment auth login --browser" },
-    }));
-};
-const deviceCodeUrl = (baseUrl) => `${baseUrl}/api/v1/mcp-auth/device/code`;
-const deviceTokenUrl = (baseUrl) => `${baseUrl}/api/v1/mcp-auth/device/token`;
-const revokeUrl = (baseUrl) => `${baseUrl}/api/v1/mcp-auth/cli/revoke-self`;
-const oauthAuthorizeUrl = (baseUrl) => `${baseUrl}/api/v1/mcp-auth/authorize`;
-const oauthRegisterUrl = (baseUrl) => `${baseUrl}/api/v1/mcp-auth/register`;
-const oauthTokenUrl = (baseUrl) => `${baseUrl}/api/v1/mcp-auth/token`;
-const cliExchangeUrl = (baseUrl) => `${baseUrl}/api/v1/mcp-auth/cli/exchange`;
-const agentSelectUrl = (baseUrl) => `${baseUrl}/cli/agent-select`;
-export const createAuthService = (deps) => {
-    const now = deps.now ?? Date.now;
-    const sleep = deps.sleep ?? defaultSleep;
-    const createServerFn = deps.createServerFn ?? createServer;
-    const detectEnvironment = deps.detectEnvironment ?? detectExecutionEnvironment;
-    const hostnameFn = deps.hostnameFn ?? hostname;
-    const requestRemote = async (input, init) => {
-        return deps.httpClient.request(input, init);
-    };
-    const loginWithDevice = async (options) => {
-        const startFlowResponse = await requestRemote(deviceCodeUrl(deps.baseUrl), {
-            headers: {
-                "Content-Type": "application/json",
-            },
-            method: "POST",
-        });
-        if (Result.isError(startFlowResponse)) {
-            return startFlowResponse;
-        }
-        if (!startFlowResponse.value.ok) {
-            const body = await readResponseText(startFlowResponse.value);
-            return Result.err(new RemoteRequestError({
-                body,
-                httpStatus: startFlowResponse.value.status,
-                message: "Failed to start device login",
-                operation: "auth/device/start",
-                raw: body,
-                source: "http",
-            }));
-        }
-        const startPayload = await Result.tryPromise({
-            catch: () => new RemoteRequestError({
-                httpStatus: startFlowResponse.value.status,
-                message: "Failed to parse device login start payload",
-                operation: "auth/device/start",
-                source: "http",
-            }),
-            try: async () => startFlowResponse.value.json(),
-        });
-        if (Result.isError(startPayload)) {
-            return startPayload;
-        }
-        const parsedStartPayload = parseWithSchema(deviceCodeStartSchema, startPayload.value, "device login start response");
-        if (Result.isError(parsedStartPayload)) {
-            return parsedStartPayload;
-        }
-        options.onPending?.({
-            userCode: parsedStartPayload.value.data.user_code,
-            verificationUri: parsedStartPayload.value.data.verification_uri,
-        });
-        const deadline = now() + parsedStartPayload.value.data.expires_in * 1000;
-        const interval = parsedStartPayload.value.data.interval * 1000;
-        while (now() < deadline) {
-            await sleep(interval);
-            const pollResponse = await requestRemote(deviceTokenUrl(deps.baseUrl), {
-                body: JSON.stringify({
-                    device_code: parsedStartPayload.value.data.device_code,
-                }),
-                headers: {
-                    "Content-Type": "application/json",
-                },
-                method: "POST",
-            });
-            if (Result.isError(pollResponse)) {
-                return pollResponse;
-            }
-            if (pollResponse.value.status === 410) {
-                return Result.err(new AuthError({
-                    code: ERROR_CODE.authDeviceExpired,
-                    message: "Device login code expired. Run `ogment auth login` again.",
-                    recovery: { command: "ogment auth login" },
-                }));
-            }
-            if (pollResponse.value.status === 404) {
-                return Result.err(new AuthError({
-                    code: ERROR_CODE.authInvalidCredentials,
-                    message: "Invalid device login code. Run `ogment auth login` again.",
-                    recovery: { command: "ogment auth login" },
-                }));
-            }
-            if (!pollResponse.value.ok) {
-                const body = await readResponseText(pollResponse.value);
-                return Result.err(new RemoteRequestError({
-                    body,
-                    httpStatus: pollResponse.value.status,
-                    message: "Failed to poll device login status",
-                    operation: "auth/device/poll",
-                    raw: body,
-                    source: "http",
-                }));
-            }
-            const pollPayload = await Result.tryPromise({
-                catch: () => new RemoteRequestError({
-                    httpStatus: pollResponse.value.status,
-                    message: "Failed to parse device login poll payload",
-                    operation: "auth/device/poll",
-                    source: "http",
-                }),
-                try: async () => pollResponse.value.json(),
-            });
-            if (Result.isError(pollPayload)) {
-                return pollPayload;
-            }
-            if (toPendingPayload(pollPayload.value) === "authorization_pending") {
-                continue;
-            }
-            const approvedPayload = parseWithSchema(deviceTokenApprovedSchema, pollPayload.value, "device login poll response");
-            if (Result.isError(approvedPayload)) {
-                return approvedPayload;
-            }
-            const saveResult = deps.credentialsStore.save({
-                agentName: approvedPayload.value.data.agent_name ?? "CLI Agent",
-                apiKey: approvedPayload.value.data.api_key,
-            });
-            if (Result.isError(saveResult)) {
-                return saveResult;
-            }
-            return Result.ok({
-                agentName: approvedPayload.value.data.agent_name ?? "CLI Agent",
-                loggedIn: true,
-                outcome: "authenticated",
-            });
-        }
-        return Result.err(new AuthError({
-            code: ERROR_CODE.authDeviceExpired,
-            message: "Device login code expired. Run `ogment auth login` again.",
-            recovery: { command: "ogment auth login" },
-        }));
-    };
-    const loginWithBrowser = async () => {
-        const callbackServerResult = await startCallbackServerWithPort(createServerFn);
-        if (Result.isError(callbackServerResult)) {
-            return callbackServerResult;
-        }
-        const { port, server } = callbackServerResult.value;
-        const redirectUri = `http://${CLI_REDIRECT_HOST}:${port}/callback`;
-        const registerResponse = await requestRemote(oauthRegisterUrl(deps.baseUrl), {
-            body: JSON.stringify({
-                client_name: CLI_CLIENT_NAME,
-                grant_types: ["authorization_code"],
-                redirect_uris: [redirectUri],
-                response_types: ["code"],
-                token_endpoint_auth_method: "client_secret_post",
-            }),
-            headers: {
-                "Content-Type": "application/json",
-            },
-            method: "POST",
-        });
-        if (Result.isError(registerResponse)) {
-            await closeServer(server);
-            return registerResponse;
-        }
-        if (!registerResponse.value.ok) {
-            const body = await readResponseText(registerResponse.value);
-            await closeServer(server);
-            return Result.err(new RemoteRequestError({
-                body,
-                httpStatus: registerResponse.value.status,
-                message: "Client registration failed",
-                operation: "auth/browser/register",
-                raw: body,
-                source: "http",
-            }));
-        }
-        const registerPayload = await Result.tryPromise({
-            catch: () => new RemoteRequestError({
-                httpStatus: registerResponse.value.status,
-                message: "Failed to parse client registration payload",
-                operation: "auth/browser/register",
-                source: "http",
-            }),
-            try: async () => registerResponse.value.json(),
-        });
-        if (Result.isError(registerPayload)) {
-            await closeServer(server);
-            return registerPayload;
-        }
-        const parsedClient = parseWithSchema(oauthClientRegistrationSchema, registerPayload.value, "oauth client registration response");
-        if (Result.isError(parsedClient)) {
-            await closeServer(server);
-            return parsedClient;
-        }
-        const codeVerifier = generateCodeVerifier();
-        const codeChallenge = generateCodeChallenge(codeVerifier);
-        const state = randomBytes(16).toString("hex");
-        const authorizeUrl = new URL(oauthAuthorizeUrl(deps.baseUrl));
-        authorizeUrl.searchParams.set("client_id", parsedClient.value.client_id);
-        authorizeUrl.searchParams.set("redirect_uri", redirectUri);
-        authorizeUrl.searchParams.set("response_type", "code");
-        authorizeUrl.searchParams.set("code_challenge", codeChallenge);
-        authorizeUrl.searchParams.set("code_challenge_method", "S256");
-        authorizeUrl.searchParams.set("state", state);
-        const oauthCallbackPromise = waitForOAuthCallback(server, port);
-        const openResult = await deps.browserOpener.open(authorizeUrl.toString());
-        if (Result.isError(openResult)) {
-            await closeServer(server);
-            return openResult;
-        }
-        const oauthCallbackResult = await oauthCallbackPromise;
-        if (Result.isError(oauthCallbackResult)) {
-            await closeServer(server);
-            return oauthCallbackResult;
-        }
-        if (oauthCallbackResult.value.state !== state) {
-            oauthCallbackResult.value.response.writeHead(302, {
-                Location: "about:blank",
-            });
-            oauthCallbackResult.value.response.end();
-            await closeServer(server);
-            return Result.err(new AuthError({
-                code: ERROR_CODE.authInvalidCredentials,
-                message: "OAuth state mismatch - possible CSRF attack.",
-                recovery: { command: "ogment auth login --browser" },
-            }));
-        }
-        const tokenBody = new URLSearchParams({
-            client_id: parsedClient.value.client_id,
-            code: oauthCallbackResult.value.code,
-            code_verifier: codeVerifier,
-            grant_type: "authorization_code",
-            redirect_uri: redirectUri,
-        });
-        if (typeof parsedClient.value.client_secret === "string" &&
-            parsedClient.value.client_secret.length > 0) {
-            tokenBody.set("client_secret", parsedClient.value.client_secret);
-        }
-        const tokenResponse = await requestRemote(oauthTokenUrl(deps.baseUrl), {
-            body: tokenBody.toString(),
-            headers: {
-                "Content-Type": "application/x-www-form-urlencoded",
-            },
-            method: "POST",
-        });
-        if (Result.isError(tokenResponse)) {
-            await closeServer(server);
-            return tokenResponse;
-        }
-        if (!tokenResponse.value.ok) {
-            const body = await readResponseText(tokenResponse.value);
-            await closeServer(server);
-            return Result.err(new RemoteRequestError({
-                body,
-                httpStatus: tokenResponse.value.status,
-                message: "Token exchange failed",
-                operation: "auth/browser/token",
-                raw: body,
-                source: "http",
-            }));
-        }
-        const tokenPayload = await Result.tryPromise({
-            catch: () => new RemoteRequestError({
-                httpStatus: tokenResponse.value.status,
-                message: "Failed to parse token payload",
-                operation: "auth/browser/token",
-                source: "http",
-            }),
-            try: async () => tokenResponse.value.json(),
-        });
-        if (Result.isError(tokenPayload)) {
-            await closeServer(server);
-            return tokenPayload;
-        }
-        const parsedToken = parseWithSchema(oauthTokenSchema, tokenPayload.value, "oauth token response");
-        if (Result.isError(parsedToken)) {
-            await closeServer(server);
-            return parsedToken;
-        }
-        const pickerUrl = new URL(agentSelectUrl(deps.baseUrl));
-        pickerUrl.searchParams.set("token", parsedToken.value.access_token);
-        pickerUrl.searchParams.set("callback", `http://${CLI_REDIRECT_HOST}:${port}/agent-callback`);
-        pickerUrl.searchParams.set("env", detectEnvironment());
-        pickerUrl.searchParams.set("host", hostnameFn());
-        oauthCallbackResult.value.response.writeHead(302, {
-            Location: pickerUrl.toString(),
-        });
-        oauthCallbackResult.value.response.end();
-        const agentCallbackResult = await waitForAgentCallback(server, port);
-        await closeServer(server);
-        if (Result.isError(agentCallbackResult)) {
-            return agentCallbackResult;
-        }
-        const exchangeRequestPayload = {
-            exchange_code: agentCallbackResult.value.exchangeCode,
-        };
-        const parsedExchangeRequestPayload = parseWithSchema(cliExchangeRequestSchema, exchangeRequestPayload, "browser exchange request");
-        if (Result.isError(parsedExchangeRequestPayload)) {
-            return parsedExchangeRequestPayload;
-        }
-        const exchangeResponse = await requestRemote(cliExchangeUrl(deps.baseUrl), {
-            body: JSON.stringify(parsedExchangeRequestPayload.value),
-            headers: {
-                "Content-Type": "application/json",
-            },
-            method: "POST",
-        });
-        if (Result.isError(exchangeResponse)) {
-            return exchangeResponse;
-        }
-        if (!exchangeResponse.value.ok) {
-            const body = await readResponseText(exchangeResponse.value);
-            const parsedExchangeErrorPayload = Result.try({
-                catch: () => null,
-                try: () => JSON.parse(body),
-            });
-            if (Result.isOk(parsedExchangeErrorPayload)) {
-                const parsedExchangeError = parseWithSchema(cliExchangeErrorSchema, parsedExchangeErrorPayload.value, "browser exchange error response");
-                if (Result.isOk(parsedExchangeError)) {
-                    const exchangeErrorCode = parsedExchangeError.value.error;
-                    if (exchangeErrorCode === "expired_exchange_code") {
-                        return Result.err(new AuthError({
-                            code: ERROR_CODE.authDeviceExpired,
-                            message: "Browser login code expired. Run `ogment auth login --browser` again.",
-                            recovery: { command: "ogment auth login --browser" },
-                        }));
-                    }
-                    if (exchangeErrorCode === "invalid_exchange_code") {
-                        return Result.err(new AuthError({
-                            code: ERROR_CODE.authInvalidCredentials,
-                            message: "Invalid browser login code. Run `ogment auth login --browser` again.",
-                            recovery: { command: "ogment auth login --browser" },
-                        }));
-                    }
-                    if (exchangeErrorCode === "authorization_pending") {
-                        return Result.err(new AuthError({
-                            code: ERROR_CODE.authDevicePending,
-                            message: "Browser login authorization is still pending.",
-                            recovery: { command: "ogment auth login --browser" },
-                            retryable: true,
-                        }));
-                    }
-                }
-            }
-            return Result.err(new RemoteRequestError({
-                body,
-                httpStatus: exchangeResponse.value.status,
-                message: "Failed to exchange browser login code",
-                operation: "auth/browser/exchange",
-                raw: body,
-                source: "http",
-            }));
-        }
-        const exchangePayload = await Result.tryPromise({
-            catch: () => new RemoteRequestError({
-                httpStatus: exchangeResponse.value.status,
-                message: "Failed to parse browser exchange payload",
-                operation: "auth/browser/exchange",
-                source: "http",
-            }),
-            try: async () => exchangeResponse.value.json(),
-        });
-        if (Result.isError(exchangePayload)) {
-            return exchangePayload;
-        }
-        const parsedExchangePayload = parseWithSchema(cliExchangeSuccessSchema, exchangePayload.value, "browser exchange response");
-        if (Result.isError(parsedExchangePayload)) {
-            return parsedExchangePayload;
-        }
-        const saveResult = deps.credentialsStore.save({
-            agentName: parsedExchangePayload.value.data.name,
-            apiKey: parsedExchangePayload.value.data.apiKey,
-        });
-        if (Result.isError(saveResult)) {
-            return saveResult;
-        }
-        return Result.ok({
-            agentName: parsedExchangePayload.value.data.name,
-            loggedIn: true,
-            outcome: "authenticated",
-        });
-    };
-    return {
-        login: async (options) => {
-            if (options.mode === "apiKey" && options.apiKey.length > 0) {
-                const saveResult = deps.credentialsStore.save({
-                    agentName: "CLI Agent",
-                    apiKey: options.apiKey,
-                });
-                if (Result.isError(saveResult)) {
-                    return saveResult;
-                }
-                return Result.ok({
-                    agentName: "CLI Agent",
-                    loggedIn: true,
-                    outcome: "authenticated",
-                });
-            }
-            if (options.mode === "apiKey") {
-                return Result.err(new ValidationError({
-                    code: ERROR_CODE.validationInvalidInput,
-                    message: "Missing API key value. Provide a non-empty API key.",
-                    recovery: { command: "ogment auth login --api-key <key>" },
-                }));
-            }
-            if (options.nonInteractive && options.mode === "browser") {
-                return Result.err(new ValidationError({
-                    code: ERROR_CODE.validationInvalidInput,
-                    message: "Use `ogment auth login` in non-interactive mode.",
-                    recovery: { command: "ogment auth login" },
-                }));
-            }
-            const stored = deps.credentialsStore.load();
-            if (Result.isError(stored)) {
-                return stored;
-            }
-            if (stored.value !== null) {
-                return Result.ok({
-                    agentName: stored.value.agentName ?? "CLI Agent",
-                    loggedIn: true,
-                    outcome: "already_authenticated",
-                });
-            }
-            if (options.mode === "device") {
-                return loginWithDevice(options);
-            }
-            return loginWithBrowser();
-        },
-        logout: async () => {
-            const stored = deps.credentialsStore.load();
-            if (Result.isError(stored)) {
-                return stored;
-            }
-            if (stored.value === null) {
-                return Result.ok({
-                    localCredentialsDeleted: false,
-                    revoked: false,
-                });
-            }
-            const revokeResult = await requestRemote(revokeUrl(deps.baseUrl), {
-                headers: {
-                    Authorization: `Bearer ${stored.value.apiKey}`,
-                },
-                method: "POST",
-            });
-            const deleteResult = deps.credentialsStore.delete();
-            if (Result.isError(deleteResult)) {
-                return deleteResult;
-            }
-            const revoked = Result.isOk(revokeResult) && revokeResult.value.ok;
-            return Result.ok({
-                localCredentialsDeleted: true,
-                revoked,
-            });
-        },
-        resolveApiKey: async (overrideApiKey) => {
-            if (typeof overrideApiKey === "string" && overrideApiKey.length > 0) {
-                return Result.ok(overrideApiKey);
-            }
-            if (typeof deps.envApiKey === "string" && deps.envApiKey.length > 0) {
-                return Result.ok(deps.envApiKey);
-            }
-            const stored = deps.credentialsStore.load();
-            if (Result.isError(stored)) {
-                return stored;
-            }
-            if (stored.value !== null) {
-                return Result.ok(stored.value.apiKey);
-            }
-            return Result.err(new AuthError({
-                code: ERROR_CODE.authRequired,
-                message: "Not logged in. Run `ogment auth login` or set OGMENT_API_KEY.",
-                recovery: { command: "ogment auth login" },
-            }));
-        },
-        status: async (overrideApiKey) => {
-            if (typeof overrideApiKey === "string" && overrideApiKey.length > 0) {
-                return Result.ok({
-                    agentName: null,
-                    apiKeySource: "apiKeyOption",
-                    loggedIn: true,
-                });
-            }
-            if (typeof deps.envApiKey === "string" && deps.envApiKey.length > 0) {
-                return Result.ok({
-                    agentName: null,
-                    apiKeySource: "env",
-                    loggedIn: true,
-                });
-            }
-            const stored = deps.credentialsStore.load();
-            if (Result.isError(stored)) {
-                return stored;
-            }
-            if (stored.value === null) {
-                return Result.ok({
-                    agentName: null,
-                    apiKeySource: "none",
-                    loggedIn: false,
-                });
-            }
-            return Result.ok({
-                agentName: stored.value.agentName ?? null,
-                apiKeySource: "credentialsFile",
-                loggedIn: true,
-            });
-        },
-    };
-};