@ogment-ai/cli 0.8.2 → 0.9.0

package/dist/cli.js

@@ -1,13 +1,13 @@
 #!/usr/bin/env node
 import { createRequire } from "node:module";
-import { createReadStream, existsSync, lstatSync, mkdirSync, readFile, readFileSync, readdir, realpathSync, unlinkSync, writeFileSync } from "node:fs";
+import { closeSync, createReadStream, existsSync, fsyncSync, lstatSync, mkdirSync, openSync, readFile, readFileSync, readdir, realpathSync, renameSync, statSync, unlinkSync, writeFileSync } from "node:fs";
 import { fileURLToPath, pathToFileURL } from "node:url";
 import { errorMonitor } from "node:events";
 import { execFile, execSync } from "node:child_process";
 import { dirname, join, posix, sep } from "node:path";
+import { createHash, randomUUID } from "node:crypto";
 import * as os from "node:os";
 import { homedir } from "node:os";
-import { createHash, randomUUID } from "node:crypto";
 import { readFile as readFile$1 } from "node:fs/promises";
 import * as moduleModule from "module";
 import { isMainThread, threadId } from "worker_threads";
@@ -3806,409 +3806,6 @@ const Result = {
 	flatten: flatten$1
 };
 
-//#endregion
-//#region src/shared/error-codes.ts
-const ERROR_CATEGORY = {
-	auth: "auth",
-	authorization: "authorization",
-	contractMismatch: "contract_mismatch",
-	internal: "internal",
-	notFound: "not_found",
-	rateLimit: "rate_limit",
-	remote: "remote",
-	transport: "transport",
-	validation: "validation"
-};
-const ERROR_CODE = {
-	authDeviceExpired: "AUTH_DEVICE_EXPIRED",
-	authDevicePending: "AUTH_DEVICE_PENDING",
-	authInvalidCredentials: "AUTH_INVALID_CREDENTIALS",
-	authRequired: "AUTH_REQUIRED",
-	contractVersionUnsupported: "CONTRACT_VERSION_UNSUPPORTED",
-	internalUnexpected: "INTERNAL_UNEXPECTED",
-	remoteRateLimited: "REMOTE_RATE_LIMITED",
-	remoteUnavailable: "REMOTE_UNAVAILABLE",
-	toolInputSchemaViolation: "TOOL_INPUT_SCHEMA_VIOLATION",
-	toolNotFound: "TOOL_NOT_FOUND",
-	transportRequestFailed: "TRANSPORT_REQUEST_FAILED",
-	validationInvalidInput: "VALIDATION_INVALID_INPUT"
-};
-const staticErrorCodes = new Set(Object.values(ERROR_CODE));
-const isStaticErrorCode = (code) => {
-	return staticErrorCodes.has(code);
-};
-
-//#endregion
-//#region src/shared/json.ts
-const isJsonValue = (value) => {
-	if (value === null || typeof value === "boolean" || typeof value === "number" || typeof value === "string") return true;
-	if (Array.isArray(value)) return value.every((item) => isJsonValue(item));
-	if (typeof value === "object") {
-		if (value === null) return false;
-		return Object.values(value).every((item) => isJsonValue(item));
-	}
-	return false;
-};
-const isJsonObject = (value) => {
-	return typeof value === "object" && value !== null && !Array.isArray(value) && isJsonValue(value);
-};
-const toJsonValue = (value) => {
-	if (isJsonValue(value)) return value;
-	try {
-		const serialized = JSON.stringify(value);
-		if (serialized === void 0) return "[unserializable]";
-		const parsed = JSON.parse(serialized);
-		if (isJsonValue(parsed)) return parsed;
-		return "[unserializable]";
-	} catch {
-		return "[unserializable]";
-	}
-};
-
-//#endregion
-//#region src/shared/recovery.ts
-const defaultRecoveryByCode = {
-	[ERROR_CODE.authDeviceExpired]: {
-		command: "ogment auth login",
-		reason: "Device code expired; restart login to continue.",
-		title: "Restart login",
-		when: "immediate"
-	},
-	[ERROR_CODE.authDevicePending]: {
-		command: "ogment auth status",
-		reason: "Authorization is pending; check whether credentials are now available.",
-		title: "Check auth status",
-		when: "immediate"
-	},
-	[ERROR_CODE.authInvalidCredentials]: {
-		command: "ogment auth logout",
-		reason: "Credentials are invalid; clear local state before re-authenticating.",
-		title: "Reset auth state",
-		when: "immediate"
-	},
-	[ERROR_CODE.authRequired]: {
-		command: "ogment auth login",
-		reason: "Authentication is required before catalog or invoke commands can run.",
-		title: "Authenticate",
-		when: "immediate"
-	},
-	[ERROR_CODE.contractVersionUnsupported]: {
-		command: "ogment --version",
-		reason: "Contract mismatch detected; verify CLI version and upgrade before retrying.",
-		title: "Inspect CLI version",
-		when: "immediate"
-	},
-	[ERROR_CODE.internalUnexpected]: {
-		command: "ogment status",
-		reason: "Unexpected failure detected; run diagnostics before retrying the workflow.",
-		title: "Inspect diagnostics",
-		when: "immediate"
-	},
-	[ERROR_CODE.remoteRateLimited]: {
-		command: "ogment status",
-		reason: "Remote rate limit detected; check diagnostics before retrying.",
-		title: "Inspect diagnostics",
-		when: "immediate"
-	},
-	[ERROR_CODE.remoteUnavailable]: {
-		command: "ogment status",
-		reason: "Remote service is unavailable; check connectivity and endpoint health.",
-		title: "Inspect diagnostics",
-		when: "immediate"
-	},
-	[ERROR_CODE.toolInputSchemaViolation]: {
-		command: "ogment catalog",
-		reason: "Tool contract did not validate; inspect available servers and tool metadata.",
-		title: "Inspect catalog",
-		when: "immediate"
-	},
-	[ERROR_CODE.toolNotFound]: {
-		command: "ogment catalog",
-		reason: "Requested tool could not be found; rediscover servers and tools.",
-		title: "Rediscover tools",
-		when: "immediate"
-	},
-	[ERROR_CODE.transportRequestFailed]: {
-		command: "ogment status",
-		reason: "Transport request failed; inspect connectivity diagnostics.",
-		title: "Inspect diagnostics",
-		when: "immediate"
-	},
-	[ERROR_CODE.validationInvalidInput]: {
-		command: "ogment --help",
-		reason: "Input validation failed; inspect canonical command syntax.",
-		title: "Show command help",
-		when: "immediate"
-	}
-};
-const dynamicRecoveryForCode = (code) => {
-	if (code.startsWith("HTTP_")) return {
-		command: "ogment status",
-		reason: `HTTP error ${code} detected; inspect diagnostics and remote connectivity.`,
-		title: "Inspect diagnostics",
-		when: "immediate"
-	};
-	if (code.startsWith("MCP_")) return {
-		command: "ogment status",
-		reason: `MCP error ${code} detected; inspect diagnostics and remote server state.`,
-		title: "Inspect diagnostics",
-		when: "immediate"
-	};
-};
-const hasPlaceholderTokens = (command) => {
-	return command.includes("<") || command.includes(">");
-};
-const sanitizedCommand = (command) => {
-	if (typeof command !== "string") return;
-	if (hasPlaceholderTokens(command)) return;
-	return command;
-};
-const normalizeRecovery = (code, override) => {
-	const fallback = (isStaticErrorCode(code) ? defaultRecoveryByCode[code] : void 0) ?? dynamicRecoveryForCode(code);
-	if (fallback === void 0) return;
-	const overrideCommand = sanitizedCommand(override?.command);
-	const command = overrideCommand ?? fallback.command;
-	const usesCustomCommand = overrideCommand !== void 0 && overrideCommand !== fallback.command;
-	return {
-		command,
-		id: override?.id ?? `recover_${code.toLowerCase()}`,
-		reason: override?.reason ?? (usesCustomCommand ? `Suggested recovery for error ${code}.` : fallback.reason),
-		title: override?.title ?? (usesCustomCommand ? "Run suggested command" : fallback.title),
-		when: override?.when ?? fallback.when
-	};
-};
-
-//#endregion
-//#region src/shared/errors.ts
-const ValidationErrorBase = TaggedError("ValidationError")();
-var ValidationError = class extends ValidationErrorBase {
-	category = ERROR_CATEGORY.validation;
-	code;
-	recovery;
-	retryable = false;
-	constructor(payload) {
-		super({
-			message: payload.message,
-			...payload.details === void 0 ? {} : { details: payload.details }
-		});
-		this.code = payload.code ?? ERROR_CODE.validationInvalidInput;
-		this.recovery = normalizeRecovery(this.code, payload.recovery);
-	}
-};
-const AuthErrorBase = TaggedError("AuthError")();
-var AuthError = class extends AuthErrorBase {
-	category = ERROR_CATEGORY.auth;
-	code;
-	recovery;
-	retryable;
-	constructor(payload) {
-		super({
-			message: payload.message,
-			...payload.details === void 0 ? {} : { details: payload.details }
-		});
-		this.code = payload.code ?? ERROR_CODE.authRequired;
-		this.recovery = normalizeRecovery(this.code, payload.recovery);
-		this.retryable = payload.retryable ?? this.code === ERROR_CODE.authDeviceExpired;
-	}
-};
-const NotFoundErrorBase = TaggedError("NotFoundError")();
-var NotFoundError = class extends NotFoundErrorBase {
-	category = ERROR_CATEGORY.notFound;
-	code;
-	recovery;
-	retryable = false;
-	constructor(payload) {
-		super({
-			message: payload.message,
-			resource: payload.resource
-		});
-		this.code = payload.code ?? ERROR_CODE.toolNotFound;
-		this.recovery = normalizeRecovery(this.code, payload.recovery);
-	}
-};
-const RemoteRequestErrorBase = TaggedError("RemoteRequestError")();
-const parseHttpCode = (code) => {
-	if (!code.startsWith("HTTP_")) return;
-	const parsed = Number.parseInt(code.slice(5), 10);
-	if (!Number.isFinite(parsed)) return;
-	return parsed;
-};
-const resolveRemoteErrorCode = (payload, diagnostics) => {
-	if (payload.code !== void 0) return payload.code;
-	if (typeof diagnostics.httpStatus === "number") return `HTTP_${diagnostics.httpStatus}`;
-	if (typeof diagnostics.mcpCode === "number") return `MCP_${diagnostics.mcpCode}`;
-	return ERROR_CODE.transportRequestFailed;
-};
-const resolveRemoteDiagnostics = (payload) => {
-	const source = payload.source ?? payload.diagnostics?.source ?? "network";
-	const httpStatus = payload.httpStatus ?? payload.status ?? payload.diagnostics?.httpStatus;
-	const mcpCode = payload.mcpCode ?? payload.diagnostics?.mcpCode;
-	const mcpData = payload.mcpData ?? payload.diagnostics?.mcpData;
-	const operation = payload.operation ?? payload.diagnostics?.operation;
-	const raw = payload.raw ?? payload.diagnostics?.raw;
-	return {
-		source,
-		...httpStatus === void 0 ? {} : { httpStatus },
-		...mcpCode === void 0 ? {} : { mcpCode },
-		...mcpData === void 0 ? {} : { mcpData },
-		...operation === void 0 ? {} : { operation },
-		...raw === void 0 ? {} : { raw }
-	};
-};
-const resolveRetryableRemoteError = (diagnostics, code) => {
-	const httpStatus = diagnostics.httpStatus ?? parseHttpCode(code);
-	if (typeof httpStatus === "number") return httpStatus === 429 || httpStatus >= 500;
-	if (typeof diagnostics.mcpCode === "number") return diagnostics.mcpCode === -32001;
-	return diagnostics.source === "network";
-};
-const resolveRemoteCategory = (code, diagnostics) => {
-	const httpStatus = diagnostics.httpStatus ?? parseHttpCode(code);
-	if (code === ERROR_CODE.remoteRateLimited || httpStatus === 429) return ERROR_CATEGORY.rateLimit;
-	return ERROR_CATEGORY.remote;
-};
-var RemoteRequestError = class extends RemoteRequestErrorBase {
-	category;
-	code;
-	diagnostics;
-	httpStatus;
-	recovery;
-	retryable;
-	constructor(payload) {
-		const diagnostics = resolveRemoteDiagnostics(payload);
-		const code = resolveRemoteErrorCode(payload, diagnostics);
-		const status = diagnostics.httpStatus;
-		super({
-			message: payload.message,
-			...payload.body === void 0 ? {} : { body: payload.body },
-			...status === void 0 ? {} : { status },
-			source: diagnostics.source,
-			...diagnostics.mcpCode === void 0 ? {} : { mcpCode: diagnostics.mcpCode },
-			...diagnostics.mcpData === void 0 ? {} : { mcpData: diagnostics.mcpData },
-			...diagnostics.operation === void 0 ? {} : { operation: diagnostics.operation },
-			...diagnostics.raw === void 0 ? {} : { raw: diagnostics.raw }
-		});
-		this.code = code;
-		this.category = resolveRemoteCategory(code, diagnostics);
-		this.diagnostics = diagnostics;
-		this.httpStatus = diagnostics.httpStatus;
-		this.recovery = normalizeRecovery(this.code, payload.recovery);
-		this.retryable = payload.retryable ?? resolveRetryableRemoteError(diagnostics, code);
-	}
-};
-const ContractMismatchErrorBase = TaggedError("ContractMismatchError")();
-var ContractMismatchError = class extends ContractMismatchErrorBase {
-	category = ERROR_CATEGORY.contractMismatch;
-	code;
-	recovery;
-	retryable = false;
-	constructor(payload) {
-		super({
-			message: payload.message,
-			...payload.details === void 0 ? {} : { details: payload.details }
-		});
-		this.code = payload.code ?? ERROR_CODE.contractVersionUnsupported;
-		this.recovery = normalizeRecovery(this.code, payload.recovery);
-	}
-};
-const UnexpectedErrorBase = TaggedError("UnexpectedError")();
-var UnexpectedError = class extends UnexpectedErrorBase {
-	category = ERROR_CATEGORY.internal;
-	code;
-	recovery;
-	retryable = false;
-	constructor(payload) {
-		super({
-			message: payload.message,
-			...payload.cause === void 0 ? {} : { cause: payload.cause }
-		});
-		this.code = payload.code ?? ERROR_CODE.internalUnexpected;
-		this.recovery = normalizeRecovery(this.code, payload.recovery);
-	}
-};
-const withIfDefined = (base, key, value) => {
-	if (value === void 0) return base;
-	return {
-		...base,
-		[key]: value
-	};
-};
-const hasDetails = (error) => {
-	return error._tag === "AuthError" || error._tag === "ValidationError";
-};
-const appErrorMeta = (error) => {
-	return {
-		category: error.category,
-		code: error.code,
-		recovery: error.recovery,
-		retryable: error.retryable
-	};
-};
-const appErrorDiagnostics = (error) => {
-	if (error._tag === "RemoteRequestError") {
-		let diagnostics = { source: error.source };
-		diagnostics = withIfDefined(diagnostics, "httpStatus", error.httpStatus);
-		diagnostics = withIfDefined(diagnostics, "mcpCode", error.mcpCode);
-		diagnostics = withIfDefined(diagnostics, "mcpData", error.mcpData);
-		diagnostics = withIfDefined(diagnostics, "operation", error.operation);
-		diagnostics = withIfDefined(diagnostics, "raw", error.raw);
-		diagnostics = withIfDefined(diagnostics, "body", error.body);
-		return diagnostics;
-	}
-	if (error._tag === "NotFoundError") return { resource: error.resource };
-	if (error._tag === "UnexpectedError") {
-		if (error.cause === void 0) return {};
-		return { cause: toJsonValue(error.cause) };
-	}
-	if (hasDetails(error) && typeof error.details === "string" && error.details.length > 0) return { details: error.details };
-	return {};
-};
-const appErrorTitle = (error) => {
-	if (error._tag === "UnexpectedError") return "Unexpected CLI error";
-	if (error._tag === "ContractMismatchError") return "Contract version unsupported";
-	return error.message;
-};
-const formatAppError = (error) => {
-	if (error._tag === "NotFoundError") return `${error.message} (${error.resource})`;
-	if (error._tag === "RemoteRequestError" && typeof error.httpStatus === "number") return `${error.message} (status ${error.httpStatus})`;
-	if (hasDetails(error) && typeof error.details === "string" && error.details.length > 0) return `${error.message}: ${error.details}`;
-	return error.message;
-};
-
-//#endregion
-//#region src/shared/guards.ts
-const formatIssues = (issues) => {
-	return issues.map((issue) => {
-		if (issue.path.length === 0) return issue.message;
-		return `${issue.path.filter((value) => typeof value === "number" || typeof value === "string").join(".")}: ${issue.message}`;
-	}).join("; ");
-};
-const parseWithSchema = (schema, payload, context, options = {}) => {
-	const parsed = schema.safeParse(payload);
-	if (!parsed.success) return Result.err(new ValidationError({
-		details: formatIssues(parsed.error.issues),
-		message: `Invalid ${context}`,
-		...options.code === void 0 ? {} : { code: options.code },
-		...options.recovery === void 0 ? {} : { recovery: options.recovery }
-	}));
-	return Result.ok(parsed.data);
-};
-const parseJsonValue = (raw, context) => {
-	return Result.try({
-		catch: () => {
-			return new ValidationError({
-				details: raw,
-				message: `Invalid JSON in ${context}`
-			});
-		},
-		try: () => {
-			return toJsonValue(JSON.parse(raw));
-		}
-	});
-};
-const isRecord$2 = (value) => {
-	return typeof value === "object" && value !== null;
-};
-
 //#endregion
 //#region ../../node_modules/.pnpm/zod@4.3.6/node_modules/zod/v4/core/core.js
 /** A special constant with type `never` */
@@ -8336,6 +7933,440 @@ function number(params) {
 	return _coercedNumber(ZodNumber, params);
 }
 
+//#endregion
+//#region src/shared/error-codes.ts
+const ERROR_CATEGORY = {
+	auth: "auth",
+	authorization: "authorization",
+	contractMismatch: "contract_mismatch",
+	internal: "internal",
+	notFound: "not_found",
+	rateLimit: "rate_limit",
+	remote: "remote",
+	transport: "transport",
+	updateRequired: "update_required",
+	validation: "validation"
+};
+const ERROR_CODE = {
+	authDeviceExpired: "AUTH_DEVICE_EXPIRED",
+	authDevicePending: "AUTH_DEVICE_PENDING",
+	authInvalidCredentials: "AUTH_INVALID_CREDENTIALS",
+	authRequired: "AUTH_REQUIRED",
+	cliUpdateRequired: "CLI_UPDATE_REQUIRED",
+	contractVersionUnsupported: "CONTRACT_VERSION_UNSUPPORTED",
+	internalUnexpected: "INTERNAL_UNEXPECTED",
+	remoteRateLimited: "REMOTE_RATE_LIMITED",
+	remoteUnavailable: "REMOTE_UNAVAILABLE",
+	toolInputSchemaViolation: "TOOL_INPUT_SCHEMA_VIOLATION",
+	toolNotFound: "TOOL_NOT_FOUND",
+	transportRequestFailed: "TRANSPORT_REQUEST_FAILED",
+	validationInvalidInput: "VALIDATION_INVALID_INPUT"
+};
+const staticErrorCodes = new Set(Object.values(ERROR_CODE));
+const isStaticErrorCode = (code) => {
+	return staticErrorCodes.has(code);
+};
+
+//#endregion
+//#region src/shared/json.ts
+const isJsonValue = (value) => {
+	if (value === null || typeof value === "boolean" || typeof value === "number" || typeof value === "string") return true;
+	if (Array.isArray(value)) return value.every((item) => isJsonValue(item));
+	if (typeof value === "object") {
+		if (value === null) return false;
+		return Object.values(value).every((item) => isJsonValue(item));
+	}
+	return false;
+};
+const isJsonObject = (value) => {
+	return typeof value === "object" && value !== null && !Array.isArray(value) && isJsonValue(value);
+};
+const toJsonValue = (value) => {
+	if (isJsonValue(value)) return value;
+	try {
+		const serialized = JSON.stringify(value);
+		if (serialized === void 0) return "[unserializable]";
+		const parsed = JSON.parse(serialized);
+		if (isJsonValue(parsed)) return parsed;
+		return "[unserializable]";
+	} catch {
+		return "[unserializable]";
+	}
+};
+
+//#endregion
+//#region src/shared/recovery.ts
+const defaultRecoveryByCode = {
+	[ERROR_CODE.authDeviceExpired]: {
+		command: "ogment auth login",
+		reason: "Device code expired; restart login to continue.",
+		title: "Restart login",
+		when: "immediate"
+	},
+	[ERROR_CODE.authDevicePending]: {
+		command: "ogment auth status",
+		reason: "Authorization is pending; check whether credentials are now available.",
+		title: "Check auth status",
+		when: "immediate"
+	},
+	[ERROR_CODE.authInvalidCredentials]: {
+		command: "ogment auth logout",
+		reason: "Credentials are invalid; clear local state before re-authenticating.",
+		title: "Reset auth state",
+		when: "immediate"
+	},
+	[ERROR_CODE.authRequired]: {
+		command: "ogment auth login",
+		reason: "Authentication is required before catalog or invoke commands can run.",
+		title: "Authenticate",
+		when: "immediate"
+	},
+	[ERROR_CODE.cliUpdateRequired]: {
+		command: "npm i -g @ogment-ai/cli",
+		reason: "A newer Ogment CLI release is required before the requested command can run.",
+		title: "Update CLI",
+		when: "immediate"
+	},
+	[ERROR_CODE.contractVersionUnsupported]: {
+		command: "ogment --version",
+		reason: "Contract mismatch detected; verify CLI version and upgrade before retrying.",
+		title: "Inspect CLI version",
+		when: "immediate"
+	},
+	[ERROR_CODE.internalUnexpected]: {
+		command: "ogment status",
+		reason: "Unexpected failure detected; run diagnostics before retrying the workflow.",
+		title: "Inspect diagnostics",
+		when: "immediate"
+	},
+	[ERROR_CODE.remoteRateLimited]: {
+		command: "ogment status",
+		reason: "Remote rate limit detected; check diagnostics before retrying.",
+		title: "Inspect diagnostics",
+		when: "immediate"
+	},
+	[ERROR_CODE.remoteUnavailable]: {
+		command: "ogment status",
+		reason: "Remote service is unavailable; check connectivity and endpoint health.",
+		title: "Inspect diagnostics",
+		when: "immediate"
+	},
+	[ERROR_CODE.toolInputSchemaViolation]: {
+		command: "ogment catalog",
+		reason: "Tool contract did not validate; inspect available servers and tool metadata.",
+		title: "Inspect catalog",
+		when: "immediate"
+	},
+	[ERROR_CODE.toolNotFound]: {
+		command: "ogment catalog",
+		reason: "Requested tool could not be found; rediscover servers and tools.",
+		title: "Rediscover tools",
+		when: "immediate"
+	},
+	[ERROR_CODE.transportRequestFailed]: {
+		command: "ogment status",
+		reason: "Transport request failed; inspect connectivity diagnostics.",
+		title: "Inspect diagnostics",
+		when: "immediate"
+	},
+	[ERROR_CODE.validationInvalidInput]: {
+		command: "ogment --help",
+		reason: "Input validation failed; inspect canonical command syntax.",
+		title: "Show command help",
+		when: "immediate"
+	}
+};
+const dynamicRecoveryForCode = (code) => {
+	if (code.startsWith("HTTP_")) return {
+		command: "ogment status",
+		reason: `HTTP error ${code} detected; inspect diagnostics and remote connectivity.`,
+		title: "Inspect diagnostics",
+		when: "immediate"
+	};
+	if (code.startsWith("MCP_")) return {
+		command: "ogment status",
+		reason: `MCP error ${code} detected; inspect diagnostics and remote server state.`,
+		title: "Inspect diagnostics",
+		when: "immediate"
+	};
+};
+const hasPlaceholderTokens = (command) => {
+	return command.includes("<") || command.includes(">");
+};
+const sanitizedCommand = (command) => {
+	if (typeof command !== "string") return;
+	if (hasPlaceholderTokens(command)) return;
+	return command;
+};
+const normalizeRecovery = (code, override) => {
+	const fallback = (isStaticErrorCode(code) ? defaultRecoveryByCode[code] : void 0) ?? dynamicRecoveryForCode(code);
+	if (fallback === void 0) return;
+	const overrideCommand = sanitizedCommand(override?.command);
+	const command = overrideCommand ?? fallback.command;
+	const usesCustomCommand = overrideCommand !== void 0 && overrideCommand !== fallback.command;
+	return {
+		command,
+		id: override?.id ?? `recover_${code.toLowerCase()}`,
+		reason: override?.reason ?? (usesCustomCommand ? `Suggested recovery for error ${code}.` : fallback.reason),
+		title: override?.title ?? (usesCustomCommand ? "Run suggested command" : fallback.title),
+		when: override?.when ?? fallback.when
+	};
+};
+
+//#endregion
+//#region src/shared/errors.ts
+const ValidationErrorBase = TaggedError("ValidationError")();
+var ValidationError = class extends ValidationErrorBase {
+	category = ERROR_CATEGORY.validation;
+	code;
+	recovery;
+	retryable = false;
+	constructor(payload) {
+		super({
+			message: payload.message,
+			...payload.details === void 0 ? {} : { details: payload.details }
+		});
+		this.code = payload.code ?? ERROR_CODE.validationInvalidInput;
+		this.recovery = normalizeRecovery(this.code, payload.recovery);
+	}
+};
+const AuthErrorBase = TaggedError("AuthError")();
+var AuthError = class extends AuthErrorBase {
+	category = ERROR_CATEGORY.auth;
+	code;
+	recovery;
+	retryable;
+	constructor(payload) {
+		super({
+			message: payload.message,
+			...payload.details === void 0 ? {} : { details: payload.details }
+		});
+		this.code = payload.code ?? ERROR_CODE.authRequired;
+		this.recovery = normalizeRecovery(this.code, payload.recovery);
+		this.retryable = payload.retryable ?? this.code === ERROR_CODE.authDeviceExpired;
+	}
+};
+const NotFoundErrorBase = TaggedError("NotFoundError")();
+var NotFoundError = class extends NotFoundErrorBase {
+	category = ERROR_CATEGORY.notFound;
+	code;
+	recovery;
+	retryable = false;
+	constructor(payload) {
+		super({
+			message: payload.message,
+			resource: payload.resource
+		});
+		this.code = payload.code ?? ERROR_CODE.toolNotFound;
+		this.recovery = normalizeRecovery(this.code, payload.recovery);
+	}
+};
+const RemoteRequestErrorBase = TaggedError("RemoteRequestError")();
+const parseHttpCode = (code) => {
+	if (!code.startsWith("HTTP_")) return;
+	const parsed = Number.parseInt(code.slice(5), 10);
+	if (!Number.isFinite(parsed)) return;
+	return parsed;
+};
+const resolveRemoteErrorCode = (payload, diagnostics) => {
+	if (payload.code !== void 0) return payload.code;
+	if (typeof diagnostics.httpStatus === "number") return `HTTP_${diagnostics.httpStatus}`;
+	if (typeof diagnostics.mcpCode === "number") return `MCP_${diagnostics.mcpCode}`;
+	return ERROR_CODE.transportRequestFailed;
+};
+const resolveRemoteDiagnostics = (payload) => {
+	const source = payload.source ?? payload.diagnostics?.source ?? "network";
+	const httpStatus = payload.httpStatus ?? payload.status ?? payload.diagnostics?.httpStatus;
+	const mcpCode = payload.mcpCode ?? payload.diagnostics?.mcpCode;
+	const mcpData = payload.mcpData ?? payload.diagnostics?.mcpData;
+	const operation = payload.operation ?? payload.diagnostics?.operation;
+	const raw = payload.raw ?? payload.diagnostics?.raw;
+	return {
+		source,
+		...httpStatus === void 0 ? {} : { httpStatus },
+		...mcpCode === void 0 ? {} : { mcpCode },
+		...mcpData === void 0 ? {} : { mcpData },
+		...operation === void 0 ? {} : { operation },
+		...raw === void 0 ? {} : { raw }
+	};
+};
+const resolveRetryableRemoteError = (diagnostics, code) => {
+	const httpStatus = diagnostics.httpStatus ?? parseHttpCode(code);
+	if (typeof httpStatus === "number") return httpStatus === 429 || httpStatus >= 500;
+	if (typeof diagnostics.mcpCode === "number") return diagnostics.mcpCode === -32001;
+	return diagnostics.source === "network";
+};
+const resolveRemoteCategory = (code, diagnostics) => {
+	const httpStatus = diagnostics.httpStatus ?? parseHttpCode(code);
+	if (code === ERROR_CODE.remoteRateLimited || httpStatus === 429) return ERROR_CATEGORY.rateLimit;
+	return ERROR_CATEGORY.remote;
+};
+var RemoteRequestError = class extends RemoteRequestErrorBase {
+	category;
+	code;
+	diagnostics;
+	httpStatus;
+	recovery;
+	retryable;
+	constructor(payload) {
+		const diagnostics = resolveRemoteDiagnostics(payload);
+		const code = resolveRemoteErrorCode(payload, diagnostics);
+		const status = diagnostics.httpStatus;
+		super({
+			message: payload.message,
+			...payload.body === void 0 ? {} : { body: payload.body },
+			...status === void 0 ? {} : { status },
+			source: diagnostics.source,
+			...diagnostics.mcpCode === void 0 ? {} : { mcpCode: diagnostics.mcpCode },
+			...diagnostics.mcpData === void 0 ? {} : { mcpData: diagnostics.mcpData },
+			...diagnostics.operation === void 0 ? {} : { operation: diagnostics.operation },
+			...diagnostics.raw === void 0 ? {} : { raw: diagnostics.raw }
+		});
+		this.code = code;
+		this.category = resolveRemoteCategory(code, diagnostics);
+		this.diagnostics = diagnostics;
+		this.httpStatus = diagnostics.httpStatus;
+		this.recovery = normalizeRecovery(this.code, payload.recovery);
+		this.retryable = payload.retryable ?? resolveRetryableRemoteError(diagnostics, code);
+	}
+};
+const ContractMismatchErrorBase = TaggedError("ContractMismatchError")();
+var ContractMismatchError = class extends ContractMismatchErrorBase {
+	category = ERROR_CATEGORY.contractMismatch;
+	code;
+	recovery;
+	retryable = false;
+	constructor(payload) {
+		super({
+			message: payload.message,
+			...payload.details === void 0 ? {} : { details: payload.details }
+		});
+		this.code = payload.code ?? ERROR_CODE.contractVersionUnsupported;
+		this.recovery = normalizeRecovery(this.code, payload.recovery);
+	}
+};
+const UpdateRequiredErrorBase = TaggedError("UpdateRequiredError")();
+var UpdateRequiredError = class extends UpdateRequiredErrorBase {
+	category = ERROR_CATEGORY.updateRequired;
+	code;
+	recovery;
+	retryable = false;
+	constructor(payload) {
+		super({
+			currentVersion: payload.currentVersion,
+			latestVersion: payload.latestVersion,
+			message: payload.message,
+			packageName: payload.packageName
+		});
+		this.code = ERROR_CODE.cliUpdateRequired;
+		this.recovery = normalizeRecovery(this.code, payload.recovery);
+	}
+};
+const UnexpectedErrorBase = TaggedError("UnexpectedError")();
+var UnexpectedError = class extends UnexpectedErrorBase {
+	category = ERROR_CATEGORY.internal;
+	code;
+	recovery;
+	retryable = false;
+	constructor(payload) {
+		super({
+			message: payload.message,
+			...payload.cause === void 0 ? {} : { cause: payload.cause }
+		});
+		this.code = payload.code ?? ERROR_CODE.internalUnexpected;
+		this.recovery = normalizeRecovery(this.code, payload.recovery);
+	}
+};
+const withIfDefined = (base, key, value) => {
+	if (value === void 0) return base;
+	return {
+		...base,
+		[key]: value
+	};
+};
+const hasDetails = (error) => {
+	return error._tag === "AuthError" || error._tag === "ValidationError";
+};
+const appErrorMeta = (error) => {
+	return {
+		category: error.category,
+		code: error.code,
+		recovery: error.recovery,
+		retryable: error.retryable
+	};
+};
+const appErrorDiagnostics = (error) => {
+	if (error._tag === "RemoteRequestError") {
+		let diagnostics = { source: error.source };
+		diagnostics = withIfDefined(diagnostics, "httpStatus", error.httpStatus);
+		diagnostics = withIfDefined(diagnostics, "mcpCode", error.mcpCode);
+		diagnostics = withIfDefined(diagnostics, "mcpData", error.mcpData);
+		diagnostics = withIfDefined(diagnostics, "operation", error.operation);
+		diagnostics = withIfDefined(diagnostics, "raw", error.raw);
+		diagnostics = withIfDefined(diagnostics, "body", error.body);
+		return diagnostics;
+	}
+	if (error._tag === "NotFoundError") return { resource: error.resource };
+	if (error._tag === "UpdateRequiredError") return {
+		currentVersion: error.currentVersion,
+		latestVersion: error.latestVersion,
+		packageName: error.packageName
+	};
+	if (error._tag === "UnexpectedError") {
+		if (error.cause === void 0) return {};
+		return { cause: toJsonValue(error.cause) };
+	}
+	if (hasDetails(error) && typeof error.details === "string" && error.details.length > 0) return { details: error.details };
+	return {};
+};
+const appErrorTitle = (error) => {
+	if (error._tag === "UnexpectedError") return "Unexpected CLI error";
+	if (error._tag === "ContractMismatchError") return "Contract version unsupported";
+	if (error._tag === "UpdateRequiredError") return "CLI update required";
+	return error.message;
+};
+const formatAppError = (error) => {
+	if (error._tag === "NotFoundError") return `${error.message} (${error.resource})`;
+	if (error._tag === "RemoteRequestError" && typeof error.httpStatus === "number") return `${error.message} (status ${error.httpStatus})`;
+	if (hasDetails(error) && typeof error.details === "string" && error.details.length > 0) return `${error.message}: ${error.details}`;
+	return error.message;
+};
+
+//#endregion
+//#region src/shared/guards.ts
+const formatIssues = (issues) => {
+	return issues.map((issue) => {
+		if (issue.path.length === 0) return issue.message;
+		return `${issue.path.filter((value) => typeof value === "number" || typeof value === "string").join(".")}: ${issue.message}`;
+	}).join("; ");
+};
+const parseWithSchema = (schema, payload, context, options = {}) => {
+	const parsed = schema.safeParse(payload);
+	if (!parsed.success) return Result.err(new ValidationError({
+		details: formatIssues(parsed.error.issues),
+		message: `Invalid ${context}`,
+		...options.code === void 0 ? {} : { code: options.code },
+		...options.recovery === void 0 ? {} : { recovery: options.recovery }
+	}));
+	return Result.ok(parsed.data);
+};
+const parseJsonValue = (raw, context) => {
+	return Result.try({
+		catch: () => {
+			return new ValidationError({
+				details: raw,
+				message: `Invalid JSON in ${context}`
+			});
+		},
+		try: () => {
+			return toJsonValue(JSON.parse(raw));
+		}
+	});
+};
+const isRecord$2 = (value) => {
+	return typeof value === "object" && value !== null;
+};
+
 //#endregion
 //#region src/shared/schemas.ts
 const credentialsFileSchema = object({
@@ -8345,35 +8376,326 @@ const credentialsFileSchema = object({
 
 //#endregion
 //#region src/infra/credentials.ts
-const deleteIfExists = (path, existsSyncFn, unlinkSyncFn) => {
-	if (existsSyncFn(path)) unlinkSyncFn(path);
+const authStateFileSchema = object({
+	activeAuth: object({
+		agentName: string().optional(),
+		apiKey: string().min(1),
+		boundAt: string().optional(),
+		namespaceKey: string().min(1).optional(),
+		scopeFingerprint: string().min(1).optional()
+	}).nullable().optional(),
+	installationId: uuid(),
+	pendingRequests: array(object({
+		authRequestId: string().min(1),
+		code: string().min(1),
+		createdAt: string().min(1),
+		expiresAt: string().min(1),
+		namespaceKey: string().min(1),
+		scopeFingerprint: string().min(1).optional(),
+		verificationUrl: string().min(1)
+	})).optional(),
+	version: literal(1)
+}).strict();
+const telemetryInstallationSchema = object({ installationId: uuid() }).strict();
+const LOCK_RETRY_DELAY_MS = 10;
+const LOCK_STALE_MS = 3e4;
+const LOCK_TIMEOUT_MS = 2e3;
+const sleepBlocking = (milliseconds) => {
+	const buffer = new SharedArrayBuffer(4);
+	const view = new Int32Array(buffer);
+	Atomics.wait(view, 0, 0, milliseconds);
 };
 const normalizeCredentials = (value) => {
-	const parsed = parseWithSchema(credentialsFileSchema, value, "credentials file");
+	const parsed = parseWithSchema(credentialsFileSchema, value, "legacy credentials file");
+	if (Result.isError(parsed) || parsed.value.apiKey === void 0) return null;
+	return {
+		...parsed.value.agentName === void 0 ? {} : { agentName: parsed.value.agentName },
+		apiKey: parsed.value.apiKey
+	};
+};
+const normalizeAuthState = (value) => {
+	const parsed = parseWithSchema(authStateFileSchema, value, "auth state file");
 	if (Result.isError(parsed)) return null;
-	if (parsed.value.apiKey !== void 0) {
-		const credentials = { apiKey: parsed.value.apiKey };
-		if (typeof parsed.value.agentName === "string") credentials.agentName = parsed.value.agentName;
-		return credentials;
-	}
-	return null;
+	const activeAuth = parsed.value.activeAuth === void 0 || parsed.value.activeAuth === null ? null : {
+		...parsed.value.activeAuth.agentName === void 0 ? {} : { agentName: parsed.value.activeAuth.agentName },
+		apiKey: parsed.value.activeAuth.apiKey,
+		...parsed.value.activeAuth.boundAt === void 0 ? {} : { boundAt: parsed.value.activeAuth.boundAt },
+		...parsed.value.activeAuth.namespaceKey === void 0 ? {} : { namespaceKey: parsed.value.activeAuth.namespaceKey },
+		...parsed.value.activeAuth.scopeFingerprint === void 0 ? {} : { scopeFingerprint: parsed.value.activeAuth.scopeFingerprint }
+	};
+	const pendingRequests = (parsed.value.pendingRequests ?? []).map((request) => {
+		return {
+			authRequestId: request.authRequestId,
+			code: request.code,
+			createdAt: request.createdAt,
+			expiresAt: request.expiresAt,
+			namespaceKey: request.namespaceKey,
+			...request.scopeFingerprint === void 0 ? {} : { scopeFingerprint: request.scopeFingerprint },
+			verificationUrl: request.verificationUrl
+		};
+	});
+	return {
+		activeAuth,
+		installationId: parsed.value.installationId,
+		pendingRequests,
+		version: 1
+	};
+};
+const toCorruptPath = (path, nowFn) => {
+	return `${path}.corrupt-${nowFn().toISOString().replaceAll(":", "-")}`;
+};
+const isErrnoException = (error) => {
+	if (!(error instanceof Error) || !("code" in error)) return false;
+	const code = Reflect.get(error, "code");
+	return code === void 0 || typeof code === "string";
+};
+const rethrowWithCleanupError = (operationError, cleanupError) => {
+	if (operationError instanceof Error) {
+		if (operationError.cause === void 0) Reflect.set(operationError, "cause", cleanupError);
+		else Reflect.set(operationError, "cleanupError", cleanupError);
+		throw operationError;
+	}
+	const wrappedError = new Error("Auth-state operation failed and lock cleanup also failed", { cause: operationError });
+	Reflect.set(wrappedError, "cleanupError", cleanupError);
+	throw wrappedError;
 };
 const createFileCredentialsStore = (deps) => {
 	const existsSyncFn = deps.existsSyncFn ?? existsSync;
+	const fsyncSyncFn = deps.fsyncSyncFn ?? fsyncSync;
 	const lstatSyncFn = deps.lstatSyncFn ?? lstatSync;
 	const mkdirSyncFn = deps.mkdirSyncFn ?? mkdirSync;
+	const nowFn = deps.nowFn ?? (() => /* @__PURE__ */ new Date());
+	const openSyncFn = deps.openSyncFn ?? openSync;
+	const randomUuidFn = deps.randomUuidFn ?? randomUUID;
 	const readFileSyncFn = deps.readFileSyncFn ?? readFileSync;
+	const renameSyncFn = deps.renameSyncFn ?? renameSync;
+	const statSyncFn = deps.statSyncFn ?? statSync;
 	const unlinkSyncFn = deps.unlinkSyncFn ?? unlinkSync;
 	const writeFileSyncFn = deps.writeFileSyncFn ?? writeFileSync;
+	const lockPath = `${deps.credentialsPath}.lock`;
+	const readJsonFile = (path) => {
+		if (!existsSyncFn(path)) return null;
+		try {
+			return JSON.parse(readFileSyncFn(path, "utf8"));
+		} catch {
+			return null;
+		}
+	};
+	const readLegacyCredentials = () => {
+		return normalizeCredentials(readJsonFile(deps.legacyCredentialsPath));
+	};
+	const readLegacyInstallationId = () => {
+		const raw = readJsonFile(deps.telemetryPath);
+		if (raw === null) return null;
+		const parsed = telemetryInstallationSchema.safeParse(raw);
+		return parsed.success ? parsed.data.installationId : null;
+	};
+	const createEmptyState = (installationId = randomUuidFn()) => {
+		return {
+			activeAuth: null,
+			installationId,
+			pendingRequests: [],
+			version: 1
+		};
+	};
+	const withLock = (operation) => {
+		mkdirSyncFn(deps.configDir, { recursive: true });
+		const deadline = Date.now() + LOCK_TIMEOUT_MS;
+		let lockFd = null;
+		const releaseLock = (fd) => {
+			closeSync(fd);
+			try {
+				unlinkSyncFn(lockPath);
+			} catch (releaseError) {
+				if (!isErrnoException(releaseError) || releaseError.code !== "ENOENT") throw releaseError;
+			}
+		};
+		while (lockFd === null) try {
+			lockFd = openSyncFn(lockPath, "wx", 384);
+		} catch (error) {
+			if (!isErrnoException(error) || error.code !== "EEXIST") throw error;
+			try {
+				if (Date.now() - statSyncFn(lockPath).mtimeMs >= LOCK_STALE_MS) {
+					unlinkSyncFn(lockPath);
+					continue;
+				}
+			} catch (statError) {
+				if (!isErrnoException(statError) || statError.code !== "ENOENT") throw statError;
+			}
+			if (Date.now() >= deadline) throw new Error("Timed out waiting for auth-state lock", { cause: error });
+			sleepBlocking(LOCK_RETRY_DELAY_MS);
+		}
+		if (lockFd === null) throw new Error("Failed to acquire auth-state lock");
+		const acquiredLockFd = lockFd;
+		try {
+			const result = operation();
+			releaseLock(acquiredLockFd);
+			return result;
+		} catch (operationError) {
+			let cleanupError;
+			try {
+				releaseLock(acquiredLockFd);
+			} catch (releaseError) {
+				cleanupError = releaseError;
+			}
+			if (cleanupError !== void 0) rethrowWithCleanupError(operationError, cleanupError);
+			throw operationError;
+		}
+	};
+	const writeState = (state) => {
+		mkdirSyncFn(deps.configDir, { recursive: true });
+		if (existsSyncFn(deps.credentialsPath) && lstatSyncFn(deps.credentialsPath).isSymbolicLink()) unlinkSyncFn(deps.credentialsPath);
+		const tempPath = `${deps.credentialsPath}.tmp-${process.pid}-${randomUuidFn()}`;
+		let tempFd = null;
+		try {
+			tempFd = openSyncFn(tempPath, "w", 384);
+			writeFileSyncFn(tempFd, `${JSON.stringify(state, null, 2)}\n`, "utf8");
+			fsyncSyncFn(tempFd);
+			closeSync(tempFd);
+			tempFd = null;
+			renameSyncFn(tempPath, deps.credentialsPath);
+			const configDirFd = openSyncFn(dirname(deps.credentialsPath), "r");
+			try {
+				fsyncSyncFn(configDirFd);
+			} finally {
+				closeSync(configDirFd);
+			}
+		} catch (error) {
+			if (tempFd !== null) closeSync(tempFd);
+			try {
+				unlinkSyncFn(tempPath);
+			} catch (unlinkError) {
+				if (!isErrnoException(unlinkError) || unlinkError.code !== "ENOENT") throw unlinkError;
+			}
+			throw error;
+		}
+	};
+	const quarantineCorruptState = () => {
+		if (!existsSyncFn(deps.credentialsPath)) return;
+		try {
+			renameSyncFn(deps.credentialsPath, toCorruptPath(deps.credentialsPath, nowFn));
+		} catch {}
+	};
+	const loadStateFromDisk = () => {
+		if (!existsSyncFn(deps.credentialsPath)) return null;
+		let parsedJson;
+		try {
+			parsedJson = JSON.parse(readFileSyncFn(deps.credentialsPath, "utf8"));
+		} catch (error) {
+			if (!isErrnoException(error) || error.code === void 0) {
+				quarantineCorruptState();
+				return null;
+			}
+			throw error;
+		}
+		const parsed = normalizeAuthState(parsedJson);
+		if (parsed === null) {
+			quarantineCorruptState();
+			return null;
+		}
+		return parsed;
+	};
+	const migrateStateFromLegacy = () => {
+		const migratedInstallationId = readLegacyInstallationId();
+		const migratedCredentials = readLegacyCredentials();
+		if (!(migratedInstallationId !== null || migratedCredentials !== null)) return null;
+		return {
+			...createEmptyState(migratedInstallationId ?? randomUuidFn()),
+			...migratedCredentials === null ? {} : { activeAuth: migratedCredentials }
+		};
+	};
+	const loadState = (options) => {
+		const currentState = loadStateFromDisk();
+		if (currentState !== null) return currentState;
+		const migratedState = migrateStateFromLegacy();
+		if (migratedState !== null) {
+			withLock(() => {
+				if (!existsSyncFn(deps.credentialsPath)) writeState(migratedState);
+			});
+			return loadStateFromDisk() ?? migratedState;
+		}
+		if (options?.persistIfMissing === true) {
+			const emptyState = createEmptyState();
+			withLock(() => {
+				if (!existsSyncFn(deps.credentialsPath)) writeState(emptyState);
+			});
+			return loadStateFromDisk() ?? emptyState;
+		}
+		return null;
+	};
 	return {
+		clearPendingRequests: (namespaceKey) => {
+			return Result.try({
+				catch: (cause) => new UnexpectedError({
+					cause,
+					message: "Failed to update local auth state"
+				}),
+				try: () => {
+					withLock(() => {
+						const latest = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
+						writeState({
+							...latest,
+							pendingRequests: namespaceKey === void 0 ? [] : latest.pendingRequests.filter((request) => request.namespaceKey !== namespaceKey)
+						});
+					});
+				}
+			});
+		},
 		delete: () => {
 			return Result.try({
 				catch: (cause) => new UnexpectedError({
 					cause,
-					message: "Failed to delete credentials"
+					message: "Failed to update local auth state"
+				}),
+				try: () => {
+					withLock(() => {
+						writeState({
+							...loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState(),
+							activeAuth: null,
+							pendingRequests: []
+						});
+					});
+				}
+			});
+		},
+		deletePendingRequest: (authRequestId) => {
+			return Result.try({
+				catch: (cause) => new UnexpectedError({
+					cause,
+					message: "Failed to update local auth state"
+				}),
+				try: () => {
+					withLock(() => {
+						const latest = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
+						writeState({
+							...latest,
+							pendingRequests: latest.pendingRequests.filter((request) => request.authRequestId !== authRequestId)
+						});
+					});
+				}
+			});
+		},
+		getInstallationId: () => {
+			return Result.try({
+				catch: (cause) => new UnexpectedError({
+					cause,
+					message: "Failed to load local auth state"
 				}),
 				try: () => {
-					deleteIfExists(deps.credentialsPath, existsSyncFn, unlinkSyncFn);
+					const state = loadState({ persistIfMissing: true });
+					if (state === null) throw new Error("Failed to initialize local auth state");
+					return state.installationId;
+				}
+			});
+		},
+		listPendingRequests: () => {
+			return Result.try({
+				catch: (cause) => new UnexpectedError({
+					cause,
+					message: "Failed to load local auth state"
+				}),
+				try: () => {
+					return loadState()?.pendingRequests ?? [];
 				}
 			});
 		},
@@ -8381,14 +8703,15 @@ const createFileCredentialsStore = (deps) => {
 			return Result.try({
 				catch: (cause) => new UnexpectedError({
 					cause,
-					message: "Failed to load credentials"
+					message: "Failed to load local auth state"
 				}),
 				try: () => {
-					if (!existsSyncFn(deps.credentialsPath)) return null;
-					const raw = readFileSyncFn(deps.credentialsPath, "utf8");
-					const normalized = normalizeCredentials(JSON.parse(raw));
-					if (normalized === null) deleteIfExists(deps.credentialsPath, existsSyncFn, unlinkSyncFn);
-					return normalized;
+					const state = loadState();
+					if (state?.activeAuth === null || state === null) return null;
+					return {
+						...state.activeAuth.agentName === void 0 ? {} : { agentName: state.activeAuth.agentName },
+						apiKey: state.activeAuth.apiKey
+					};
 				}
 			});
 		},
@@ -8396,12 +8719,68 @@ const createFileCredentialsStore = (deps) => {
 			return Result.try({
 				catch: (cause) => new UnexpectedError({
 					cause,
-					message: "Failed to save credentials"
+					message: "Failed to update local auth state"
 				}),
 				try: () => {
-					mkdirSyncFn(deps.configDir, { recursive: true });
-					if (existsSyncFn(deps.credentialsPath) && lstatSyncFn(deps.credentialsPath).isSymbolicLink()) unlinkSyncFn(deps.credentialsPath);
-					writeFileSyncFn(deps.credentialsPath, JSON.stringify(credentials, null, 2), { mode: 384 });
+					withLock(() => {
+						writeState({
+							...loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState(),
+							activeAuth: {
+								...credentials.agentName === void 0 ? {} : { agentName: credentials.agentName },
+								apiKey: credentials.apiKey
+							}
+						});
+					});
+				}
+			});
+		},
+		storeApprovedAuth: (credentials, namespaceKey) => {
+			return Result.try({
+				catch: (cause) => new UnexpectedError({
+					cause,
+					message: "Failed to update local auth state"
+				}),
+				try: () => {
+					withLock(() => {
+						const currentState = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
+						writeState({
+							...currentState,
+							activeAuth: {
+								...credentials.agentName === void 0 ? {} : { agentName: credentials.agentName },
+								apiKey: credentials.apiKey,
+								boundAt: nowFn().toISOString(),
+								...namespaceKey === void 0 ? {} : { namespaceKey }
+							},
+							pendingRequests: namespaceKey === void 0 ? [] : currentState.pendingRequests.filter((request) => request.namespaceKey !== namespaceKey)
+						});
+					});
+				}
+			});
+		},
+		savePendingRequest: (request) => {
+			return Result.try({
+				catch: (cause) => new UnexpectedError({
+					cause,
+					message: "Failed to update local auth state"
+				}),
+				try: () => {
+					withLock(() => {
+						const currentState = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
+						const pendingRequests = currentState.pendingRequests.filter((entry) => entry.authRequestId !== request.authRequestId);
+						pendingRequests.push({
+							authRequestId: request.authRequestId,
+							code: request.code,
+							createdAt: request.createdAt,
+							expiresAt: request.expiresAt,
+							namespaceKey: request.namespaceKey,
+							...request.scopeFingerprint === void 0 ? {} : { scopeFingerprint: request.scopeFingerprint },
+							verificationUrl: request.verificationUrl
+						});
+						writeState({
+							...currentState,
+							pendingRequests
+						});
+					});
 				}
 			});
 		}
@@ -8421,7 +8800,7 @@ const DEFAULT_OGMENT_BASE_URL = "https://dashboard.ogment.ai";
 */
 const SENTRY_DSN_BUILD = "https://4219ab98670b61086758b4d0e31ae318@o4507724844957696.ingest.us.sentry.io/4510992932405248";
 const SENTRY_ENVIRONMENT_BUILD = "production";
-const SENTRY_RELEASE_BUILD = "cli-v0.8.2+git:61c0ca10c";
+const SENTRY_RELEASE_BUILD = "cli-v0.9.0+git:f88c23e58";
 const packageJsonSchema = object({ version: string().min(1) });
 const hasCode = (value, code) => {
 	if (typeof value !== "object" || value === null) return false;
@@ -8477,9 +8856,10 @@ const resolveSentryConfig = (env) => {
 const telemetryRuntimeFields = (env, configDir) => {
 	return {
 		configDir,
-		credentialsPath: join(configDir, "credentials.json"),
+		credentialsPath: join(configDir, "auth-state.json"),
 		envApiKey: env["OGMENT_API_KEY"],
 		executionEnvironment: detectExecutionEnvironment(env),
+		legacyCredentialsPath: join(configDir, "credentials.json"),
 		telemetryDisabled: telemetryDisabledFromEnv(env),
 		telemetryPath: join(configDir, "telemetry.json"),
 		version: VERSION$2
@@ -13351,6 +13731,8 @@ const UPDATE_CHECK_CACHE_FILENAME = "update-check.json";
 const UPDATE_CHECK_INTERVAL_MS = 3600 * 1e3;
 const LOOKUP_TIMEOUT_MS = 1500;
 const PACKAGE_VERSION_SELECTOR = "latest";
+const OGMENT_NO_UPDATE_CHECK_ENV_VAR = "OGMENT_NO_UPDATE_CHECK";
+const NO_UPDATE_NOTIFIER_ENV_VAR = "NO_UPDATE_NOTIFIER";
 const cacheSchema = object({
 	lastCheckedAtMs: number$1().int().nonnegative(),
 	latestVersion: string().optional()
@@ -13361,8 +13743,8 @@ const isTruthyEnvValue = (value) => {
 	return normalized !== "" && normalized !== "0" && normalized !== "false";
 };
 const shouldSkipUpdateCheck = (env) => {
-	if (isTruthyEnvValue(env["OGMENT_NO_UPDATE_CHECK"])) return true;
-	if (isTruthyEnvValue(env["NO_UPDATE_NOTIFIER"])) return true;
+	if (isTruthyEnvValue(env[OGMENT_NO_UPDATE_CHECK_ENV_VAR])) return true;
+	if (isTruthyEnvValue(env[NO_UPDATE_NOTIFIER_ENV_VAR])) return true;
 	if (isTruthyEnvValue(env["CI"])) return true;
 	return false;
 };
@@ -13406,33 +13788,17 @@ const isNewerVersion = (latestVersion, currentVersion) => {
 	if (latest === null || current === null) return false;
 	return import_semver.default.gt(latest, current);
 };
-const toUpdateMessage = (currentVersion, latestVersion, packageName) => {
-	return [
-		"",
-		"A newer Ogment CLI is available.",
-		"",
-		`Current: v${currentVersion}`,
-		`Latest:  v${latestVersion}`,
-		"",
-		"Recommended update:",
-		`npm i -g ${packageName}`,
-		"",
-		"Continuing with your current version for this run.",
-		""
-	].join("\n");
-};
 const defaultConfigDir = () => {
 	return join(homedir(), ".config", "ogment");
 };
 const cachePathFromConfigDir = (configDir) => {
 	return join(configDir, UPDATE_CHECK_CACHE_FILENAME);
 };
-const maybeNotifyCliUpdate = async (options, deps = {}) => {
+const maybeGetAvailableCliUpdate = async (options, deps = {}) => {
 	try {
-		if (shouldSkipUpdateCheck(options.env ?? process.env)) return;
+		if (shouldSkipUpdateCheck(options.env ?? process.env)) return null;
 		const now = deps.now ?? (() => /* @__PURE__ */ new Date());
 		const fetchLatestVersion = deps.fetchLatestVersion ?? defaultFetchLatestVersion;
-		const stderr = options.stderr ?? process.stderr;
 		const cachePath = cachePathFromConfigDir(options.configDir ?? defaultConfigDir());
 		let latestVersion;
 		const existingCache = readCache(cachePath);
@@ -13448,8 +13814,13 @@ const maybeNotifyCliUpdate = async (options, deps = {}) => {
 				lastCheckedAtMs: nowMs
 			});
 		} else latestVersion = existingCache.latestVersion;
-		if (latestVersion !== void 0 && isNewerVersion(latestVersion, options.currentVersion)) stderr.write(toUpdateMessage(options.currentVersion, latestVersion, options.packageName));
+		if (latestVersion !== void 0 && isNewerVersion(latestVersion, options.currentVersion)) return {
+			currentVersion: options.currentVersion,
+			latestVersion,
+			packageName: options.packageName
+		};
 	} catch {}
+	return null;
 };
 
 //#endregion
@@ -13789,6 +14160,13 @@ const deviceCodeStartDataSchema = object({
 	verificationUri: string().url()
 }).strict();
 const deviceCodeStartSchema = cliSuccessEnvelopeSchema(deviceCodeStartDataSchema);
+const authStartDataSchema = object({
+	authRequestId: string().min(1),
+	expiresAt: string().datetime(),
+	userCode: string().min(1),
+	verificationUrl: string().url()
+}).strict();
+const authStartSchema = cliSuccessEnvelopeSchema(authStartDataSchema);
 const deviceTokenPendingDataSchema = object({ status: literal("authorization_pending") }).strict();
 const deviceTokenApprovedDataSchema = object({
 	agentName: string().min(1),
@@ -13798,6 +14176,27 @@ const deviceTokenApprovedDataSchema = object({
 const deviceTokenDataSchema = discriminatedUnion("status", [deviceTokenPendingDataSchema, deviceTokenApprovedDataSchema]);
 const deviceTokenSchema = cliSuccessEnvelopeSchema(deviceTokenDataSchema);
 const deviceTokenApprovedSchema = cliSuccessEnvelopeSchema(deviceTokenApprovedDataSchema);
+const authExchangePendingDataSchema = object({ status: literal("authorization_pending") }).strict();
+const authExchangeApprovedDataSchema = object({
+	agentName: string().min(1),
+	apiKey: string().min(1),
+	scopeFingerprint: string().min(1),
+	status: literal("approved")
+}).strict();
+const authExchangeExpiredDataSchema = object({ status: literal("expired") }).strict();
+const authExchangeDeniedDataSchema = object({ status: literal("denied") }).strict();
+const authExchangeConflictDataSchema = object({ status: literal("conflict") }).strict();
+const authExchangeInvalidDataSchema = object({ status: literal("invalid") }).strict();
+const authExchangeDataSchema = discriminatedUnion("status", [
+	authExchangePendingDataSchema,
+	authExchangeApprovedDataSchema,
+	authExchangeExpiredDataSchema,
+	authExchangeDeniedDataSchema,
+	authExchangeConflictDataSchema,
+	authExchangeInvalidDataSchema
+]);
+const authExchangeSchema = cliSuccessEnvelopeSchema(authExchangeDataSchema);
+const authExchangeApprovedSchema = cliSuccessEnvelopeSchema(authExchangeApprovedDataSchema);
 const revokeSelfDataSchema = object({ success: literal(true) }).strict();
 const revokeSelfSchema = cliSuccessEnvelopeSchema(revokeSelfDataSchema);
 
@@ -13805,6 +14204,8 @@ const revokeSelfSchema = cliSuccessEnvelopeSchema(revokeSelfDataSchema);
 //#region ../../packages/shared/src/cli/endpoints.ts
 const cliEndpoints = {
 	accountMe: "/api/v1/cli/me",
+	authExchange: "/api/v1/cli/auth/exchange",
+	authStart: "/api/v1/cli/auth/start",
 	cliRevokeSelf: "/api/v1/cli/revoke-self",
 	deviceCode: "/api/v1/cli/device-code",
 	deviceToken: "/api/v1/cli/device-token",
@@ -13890,32 +14291,10 @@ const resolveApiKey = (options) => {
 //#endregion
 //#region src/services/telemetry.ts
 const TELEMETRY_TIMEOUT_MS = 500;
-const telemetryInstallationSchema = object({ installationId: uuid() }).strict();
-const loadOrCreateInstallationId = (telemetryPath, configDir, fileDeps) => {
-	try {
-		if (fileDeps.existsSyncFn(telemetryPath)) {
-			const raw = fileDeps.readFileSyncFn(telemetryPath, "utf8");
-			const parsed = telemetryInstallationSchema.safeParse(JSON.parse(raw));
-			if (parsed.success) return parsed.data.installationId;
-		}
-	} catch {}
-	const installationId = fileDeps.randomUuidFn();
-	try {
-		fileDeps.mkdirSyncFn(configDir, { recursive: true });
-		fileDeps.writeFileSyncFn(telemetryPath, JSON.stringify({ installationId }, null, 2), { mode: 384 });
-	} catch {}
-	return installationId;
-};
 const createTelemetryService = (deps) => {
 	const now = deps.now ?? (() => /* @__PURE__ */ new Date());
-	const fileDeps = {
-		existsSyncFn: existsSync,
-		mkdirSyncFn: mkdirSync,
-		randomUuidFn: randomUUID,
-		readFileSyncFn: readFileSync,
-		writeFileSyncFn: writeFileSync
-	};
-	const installationId = loadOrCreateInstallationId(deps.telemetryPath, deps.configDir, fileDeps);
+	const installationIdResult = deps.authStateStore.getInstallationId();
+	const installationId = Result.isOk(installationIdResult) ? installationIdResult.value : randomUUID();
 	const endpoint = `${deps.baseUrl}${cliEndpoints.telemetry}`;
 	return { trackCommandCompleted: async (input) => {
 		if (deps.telemetryDisabled) return;
@@ -13935,7 +14314,7 @@ const createTelemetryService = (deps) => {
 		if (!payload.success) throw new Error("Invalid CLI telemetry payload");
 		const apiKeyResolution = resolveApiKey({
 			apiKeyOverride: deps.getApiKeyOverride?.(),
-			credentialsStore: deps.credentialsStore,
+			credentialsStore: deps.authStateStore,
 			envApiKey: deps.envApiKey
 		});
 		const headers = {
@@ -13966,6 +14345,7 @@ const EXIT_CODE = {
 	rateLimit: 6,
 	remote: 7,
 	success: 0,
+	updateRequired: 10,
 	validation: 2
 };
 const exitCodeForError = (error) => {
@@ -13979,6 +14359,7 @@ const exitCodeForError = (error) => {
 		case ERROR_CATEGORY.remote:
 		case ERROR_CATEGORY.transport:
 		case ERROR_CATEGORY.authorization: return EXIT_CODE.remote;
+		case ERROR_CATEGORY.updateRequired: return EXIT_CODE.updateRequired;
 		case ERROR_CATEGORY.contractMismatch: return EXIT_CODE.contractMismatch;
 		case ERROR_CATEGORY.validation: return EXIT_CODE.validation;
 		case ERROR_CATEGORY.internal: return EXIT_CODE.internal;
@@ -14558,6 +14939,9 @@ const ensureSuccess = (result, runtime, context) => {
 const nextActionsForLogin = (payload, mode) => {
 	return [nextAction("check_auth_status", "Check auth status", cliCommands.auth.status(), `Verify persisted credentials after ${mode} login for ${payload.agentName}.`, "immediate"), nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Logged in as ${payload.agentName} via ${mode}; discover available servers.`, "after_auth")];
 };
+const nextActionsForPendingLogin = (userCode, verificationUri) => {
+	return [nextAction("check_login_status", "Check login status", cliCommands.auth.status(), `Approve ${userCode} at ${verificationUri}, then verify local auth state.`, "immediate"), nextAction("restart_device_login", "Restart login", cliCommands.auth.login(), `Restart login if code ${userCode} expires before approval.`, "if_expired")];
+};
 const nextActionsForAuthStatus = (payload) => {
 	if (!payload.loggedIn) return [nextAction("login", "Authenticate", cliCommands.auth.login(), "No API key is configured locally; login is required.", "immediate")];
 	return [nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Authenticated via ${payload.apiKeySource}; discover servers next.`, "after_auth")];
@@ -14597,42 +14981,35 @@ const runLoginFlow = async (runtime, options) => {
 		commandOptions: options,
 		invokedCommand: cliCommands.auth.loginWithApiKeyRedacted(),
 		mode: "apiKey"
-	} : (() => {
-		const deviceCommand = cliCommands.auth.login();
-		return {
-			commandOptions: {
-				mode: "device",
-				onPending: ({ userCode, verificationUri }) => {
-					const pendingNextActions = [nextAction("check_login_status", "Check login status", cliCommands.auth.status(), `Approve ${userCode} at ${verificationUri}, then verify local auth state.`, "immediate"), nextAction("restart_device_login", "Restart login", cliCommands.auth.login(), `Restart login if code ${userCode} expires before approval.`, "if_expired")];
-					runtime.output.success({
-						event: "auth_login.pending",
-						loggedIn: false,
-						verification: {
-							userCode,
-							verificationUri
-						}
-					}, {
-						command: deviceCommand,
-						entity: {
-							event: "auth_login.pending",
-							mode: "device",
-							verification: {
-								userCode,
-								verificationUri
-							}
-						},
-						nextActions: pendingNextActions
-					});
-				}
-			},
-			invokedCommand: deviceCommand,
-			mode: "device"
-		};
-	})();
+	} : {
+		commandOptions: { mode: "device" },
+		invokedCommand: cliCommands.auth.login(),
+		mode: "device"
+	};
 	const data = ensureSuccess(await runAuthLoginCommand(runtime.context, commandOptions), runtime, {
 		command: invokedCommand,
 		entity: { mode }
 	});
+	if (!data.loggedIn) {
+		const pendingOutput = {
+			event: "auth_login.pending",
+			loggedIn: false,
+			verification: data.verification
+		};
+		runtime.output.success(pendingOutput, {
+			command: invokedCommand,
+			entity: {
+				event: "auth_login.pending",
+				mode,
+				verification: {
+					userCode: data.verification.userCode,
+					verificationUri: data.verification.verificationUri
+				}
+			},
+			nextActions: nextActionsForPendingLogin(data.verification.userCode, data.verification.verificationUri)
+		});
+		return;
+	}
 	const outputData = {
 		...data,
 		event: "auth_login.completed"
@@ -60381,6 +60758,7 @@ const createCliSentry = (config) => {
 						break;
 					case "AuthError":
 					case "ContractMismatchError":
+					case "UpdateRequiredError":
 					case "UnexpectedError":
 					case "ValidationError": break;
 					default: assertNever$1(error);
@@ -60441,103 +60819,136 @@ const createAccountService = (deps) => {
 
 //#endregion
 //#region src/services/auth.ts
-const defaultSleep = async (milliseconds) => {
-	await new Promise((resolve) => {
-		setTimeout(resolve, milliseconds);
-	});
-};
+const DEFAULT_NAMESPACE_KEY = "default";
 const toEndpointUrl = (baseUrl, endpoint) => {
 	return `${baseUrl}${endpoint}`;
 };
-const deviceCodeUrl = (baseUrl) => {
-	return toEndpointUrl(baseUrl, cliEndpoints.deviceCode);
+const authStartUrl = (baseUrl) => {
+	return toEndpointUrl(baseUrl, cliEndpoints.authStart);
 };
-const deviceTokenUrl = (baseUrl) => {
-	return toEndpointUrl(baseUrl, cliEndpoints.deviceToken);
+const authExchangeUrl = (baseUrl) => {
+	return toEndpointUrl(baseUrl, cliEndpoints.authExchange);
 };
-const revokeUrl = (baseUrl) => {
-	return toEndpointUrl(baseUrl, cliEndpoints.cliRevokeSelf);
+const isExpiredPendingRequest = (request, nowMs) => {
+	const parsedExpiresAt = Date.parse(request.expiresAt);
+	return !Number.isNaN(parsedExpiresAt) && parsedExpiresAt <= nowMs;
 };
 const createAuthService = (deps) => {
 	const now = deps.now ?? Date.now;
-	const sleep = deps.sleep ?? defaultSleep;
+	const storeApprovedAuth = (approvedAuth, namespaceKey = DEFAULT_NAMESPACE_KEY) => {
+		return deps.credentialsStore.storeApprovedAuth({
+			agentName: approvedAuth.agentName,
+			apiKey: approvedAuth.apiKey
+		}, namespaceKey);
+	};
+	const saveApiKeyAuth = (approvedAuth) => {
+		return deps.credentialsStore.save({
+			agentName: approvedAuth.agentName,
+			apiKey: approvedAuth.apiKey
+		});
+	};
+	const tryExchangePendingRequests = async () => {
+		const installationIdResult = deps.credentialsStore.getInstallationId();
+		if (Result.isError(installationIdResult)) return installationIdResult;
+		const pendingRequestsResult = deps.credentialsStore.listPendingRequests();
+		if (Result.isError(pendingRequestsResult)) return pendingRequestsResult;
+		const pendingRequests = [...pendingRequestsResult.value].toSorted((a, b) => {
+			return a.createdAt.localeCompare(b.createdAt);
+		});
+		for (const pendingRequest of pendingRequests) {
+			if (isExpiredPendingRequest(pendingRequest, now())) {
+				const deleteResult = deps.credentialsStore.deletePendingRequest(pendingRequest.authRequestId);
+				if (Result.isError(deleteResult)) return deleteResult;
+				continue;
+			}
+			const exchangePayload = await requestJson(deps.httpClient, authExchangeUrl(deps.baseUrl), authExchangeSchema, {
+				body: JSON.stringify({
+					authRequestId: pendingRequest.authRequestId,
+					installationId: installationIdResult.value,
+					namespaceKey: pendingRequest.namespaceKey
+				}),
+				headers: { "Content-Type": "application/json" },
+				method: "POST"
+			}, {
+				context: "auth exchange response",
+				mapStatusError: (response, body) => new RemoteRequestError({
+					body,
+					httpStatus: response.status,
+					message: "Failed to exchange pending CLI auth",
+					operation: "auth/exchange",
+					raw: body,
+					source: "http"
+				}),
+				operation: "auth/exchange"
+			});
+			if (Result.isError(exchangePayload)) return exchangePayload;
+			const exchangeData = exchangePayload.value.data;
+			if (exchangeData.status === "authorization_pending") continue;
+			if (exchangeData.status === "approved") {
+				const storeResult = storeApprovedAuth({
+					agentName: exchangeData.agentName,
+					apiKey: exchangeData.apiKey
+				}, pendingRequest.namespaceKey);
+				if (Result.isError(storeResult)) return storeResult;
+				return Result.ok({
+					agentName: exchangeData.agentName,
+					apiKey: exchangeData.apiKey
+				});
+			}
+			const deleteResult = deps.credentialsStore.deletePendingRequest(pendingRequest.authRequestId);
+			if (Result.isError(deleteResult)) return deleteResult;
+		}
+		return Result.ok(null);
+	};
 	const loginWithDevice = async (options) => {
-		const startPayload = await requestJson(deps.httpClient, deviceCodeUrl(deps.baseUrl), deviceCodeStartSchema, {
+		const installationIdResult = deps.credentialsStore.getInstallationId();
+		if (Result.isError(installationIdResult)) return installationIdResult;
+		const startPayload = await requestJson(deps.httpClient, authStartUrl(deps.baseUrl), authStartSchema, {
+			body: JSON.stringify({
+				...deps.executionEnvironment === void 0 ? {} : { executionEnvironment: deps.executionEnvironment },
+				installationId: installationIdResult.value,
+				namespaceKey: DEFAULT_NAMESPACE_KEY
+			}),
 			headers: { "Content-Type": "application/json" },
 			method: "POST"
 		}, {
-			context: "device login start response",
+			context: "auth start response",
 			mapStatusError: (response, body) => new RemoteRequestError({
 				body,
 				httpStatus: response.status,
-				message: "Failed to start device login",
-				operation: "auth/device/start",
+				message: "Failed to start CLI login",
+				operation: "auth/start",
 				raw: body,
 				source: "http"
 			}),
-			operation: "auth/device/start"
+			operation: "auth/start"
 		});
 		if (Result.isError(startPayload)) return startPayload;
-		options.onPending?.({
+		const savePendingRequestResult = deps.credentialsStore.savePendingRequest({
+			authRequestId: startPayload.value.data.authRequestId,
+			code: startPayload.value.data.userCode,
+			createdAt: new Date(now()).toISOString(),
+			expiresAt: startPayload.value.data.expiresAt,
+			namespaceKey: DEFAULT_NAMESPACE_KEY,
+			verificationUrl: startPayload.value.data.verificationUrl
+		});
+		if (Result.isError(savePendingRequestResult)) return savePendingRequestResult;
+		const verification = {
 			userCode: startPayload.value.data.userCode,
-			verificationUri: startPayload.value.data.verificationUri
+			verificationUri: startPayload.value.data.verificationUrl
+		};
+		options.onPending?.(verification);
+		return Result.ok({
+			agentName: null,
+			loggedIn: false,
+			outcome: "pending_approval",
+			verification
 		});
-		const deadline = now() + startPayload.value.data.expiresIn * 1e3;
-		const interval = startPayload.value.data.interval * 1e3;
-		while (now() < deadline) {
-			await sleep(interval);
-			const pollPayload = await requestJson(deps.httpClient, deviceTokenUrl(deps.baseUrl), deviceTokenSchema, {
-				body: JSON.stringify({ deviceCode: startPayload.value.data.deviceCode }),
-				headers: { "Content-Type": "application/json" },
-				method: "POST"
-			}, {
-				context: "device login poll response",
-				mapStatusError: (response, body) => {
-					if (response.status === 410) return new AuthError({
-						code: ERROR_CODE.authDeviceExpired,
-						message: "Device login code expired. Run `ogment auth login` again.",
-						recovery: { command: "ogment auth login" }
-					});
-					if (response.status === 404) return new AuthError({
-						code: ERROR_CODE.authInvalidCredentials,
-						message: "Invalid device login code. Run `ogment auth login` again.",
-						recovery: { command: "ogment auth login" }
-					});
-					return new RemoteRequestError({
-						body,
-						httpStatus: response.status,
-						message: "Failed to poll device login status",
-						operation: "auth/device/poll",
-						raw: body,
-						source: "http"
-					});
-				},
-				operation: "auth/device/poll"
-			});
-			if (Result.isError(pollPayload)) return pollPayload;
-			if (pollPayload.value.data.status === "authorization_pending") continue;
-			const approvedPayload = pollPayload.value.data;
-			const saveResult = deps.credentialsStore.save({
-				agentName: approvedPayload.agentName,
-				apiKey: approvedPayload.apiKey
-			});
-			if (Result.isError(saveResult)) return saveResult;
-			return Result.ok({
-				agentName: approvedPayload.agentName,
-				loggedIn: true,
-				outcome: "authenticated"
-			});
-		}
-		return Result.err(new AuthError({
-			code: ERROR_CODE.authDeviceExpired,
-			message: "Device login code expired. Run `ogment auth login` again.",
-			recovery: { command: "ogment auth login" }
-		}));
 	};
 	return {
 		login: async (options) => {
 			if (options.mode === "apiKey" && options.apiKey.length > 0) {
-				const saveResult = deps.credentialsStore.save({
+				const saveResult = saveApiKeyAuth({
 					agentName: "CLI Agent",
 					apiKey: options.apiKey
 				});
@@ -60560,25 +60971,29 @@ const createAuthService = (deps) => {
 				loggedIn: true,
 				outcome: "already_authenticated"
 			});
+			const exchangedPendingAuth = await tryExchangePendingRequests();
+			if (Result.isError(exchangedPendingAuth)) return exchangedPendingAuth;
+			if (exchangedPendingAuth.value !== null) return Result.ok({
+				agentName: exchangedPendingAuth.value.agentName,
+				loggedIn: true,
+				outcome: "authenticated"
+			});
 			return loginWithDevice(options);
 		},
 		logout: async () => {
 			const stored = deps.credentialsStore.load();
 			if (Result.isError(stored)) return stored;
-			if (stored.value === null) return Result.ok({
+			const pendingRequestsResult = deps.credentialsStore.listPendingRequests();
+			if (Result.isError(pendingRequestsResult)) return pendingRequestsResult;
+			if (!(stored.value !== null || pendingRequestsResult.value.length > 0)) return Result.ok({
 				localCredentialsDeleted: false,
 				revoked: false
 			});
-			const revokeResult = await deps.httpClient.request(revokeUrl(deps.baseUrl), {
-				headers: { Authorization: `Bearer ${stored.value.apiKey}` },
-				method: "POST"
-			});
 			const deleteResult = deps.credentialsStore.delete();
 			if (Result.isError(deleteResult)) return deleteResult;
-			const revoked = Result.isOk(revokeResult) && revokeResult.value.ok;
 			return Result.ok({
 				localCredentialsDeleted: true,
-				revoked
+				revoked: false
 			});
 		},
 		resolveApiKey: async (overrideApiKey) => {
@@ -60589,6 +61004,9 @@ const createAuthService = (deps) => {
 			});
 			if (resolution.apiKey !== null) return Result.ok(resolution.apiKey);
 			if (resolution.source === "credentialsError" && resolution.loadError) return Result.err(resolution.loadError);
+			const exchangedPendingAuth = await tryExchangePendingRequests();
+			if (Result.isError(exchangedPendingAuth)) return exchangedPendingAuth;
+			if (exchangedPendingAuth.value !== null) return Result.ok(exchangedPendingAuth.value.apiKey);
 			return Result.err(new AuthError({
 				code: ERROR_CODE.authRequired,
 				message: "Not logged in. Run `ogment auth login` or set OGMENT_API_KEY.",
@@ -60602,17 +61020,26 @@ const createAuthService = (deps) => {
 				envApiKey: deps.envApiKey
 			});
 			if (resolution.source === "credentialsError" && resolution.loadError) return Result.err(resolution.loadError);
-			if (resolution.apiKey === null) return Result.ok({
+			if (resolution.apiKey !== null) {
+				const apiKeySource = resolution.source === "credentialsFile" ? "credentialsFile" : resolution.source === "apiKeyOption" ? "apiKeyOption" : "env";
+				return Result.ok({
+					agentName: resolution.agentName,
+					apiKeySource,
+					loggedIn: true
+				});
+			}
+			const exchangedPendingAuth = await tryExchangePendingRequests();
+			if (Result.isError(exchangedPendingAuth)) return exchangedPendingAuth;
+			if (exchangedPendingAuth.value !== null) return Result.ok({
+				agentName: exchangedPendingAuth.value.agentName,
+				apiKeySource: "credentialsFile",
+				loggedIn: true
+			});
+			return Result.ok({
 				agentName: null,
 				apiKeySource: "none",
 				loggedIn: false
 			});
-			const apiKeySource = resolution.source === "credentialsFile" ? "credentialsFile" : resolution.source === "apiKeyOption" ? "apiKeyOption" : "env";
-			return Result.ok({
-				agentName: resolution.agentName,
-				apiKeySource,
-				loggedIn: true
-			});
 		}
 	};
 };
@@ -60626,7 +61053,7 @@ const maskApiKey = (apiKey) => {
 const nextActionByIssueCode = (includeDebug) => {
 	return {
 		auth_failed: "Run `ogment auth login` to refresh credentials.",
-		credentials_load_failed: "Check file permissions and contents of `~/.config/ogment/credentials.json`.",
+		credentials_load_failed: "Check file permissions and contents of `~/.config/ogment/auth-state.json`.",
 		no_api_key: "Run `ogment auth login` or set `OGMENT_API_KEY`.",
 		unreachable: includeDebug ? "Verify `OGMENT_BASE_URL` and network connectivity." : "Verify network connectivity."
 	};
@@ -60756,11 +61183,11 @@ const createInfoService = (deps) => {
 		});
 		if (apiKeyResolution.source === "none") issues.push({
 			code: "no_api_key",
-			message: "No API key found in --api-key, OGMENT_API_KEY, or credentials file."
+			message: "No API key found in --api-key, OGMENT_API_KEY, or local auth state."
 		});
 		if (apiKeyResolution.source === "credentialsError" && apiKeyResolution.loadError !== null) issues.push({
 			code: "credentials_load_failed",
-			message: `Failed to load credentials file: ${apiKeyResolution.loadError.message}`
+			message: `Failed to load local auth state: ${apiKeyResolution.loadError.message}`
 		});
 		if (account.status === "auth_error") issues.push({
 			code: "auth_failed",
@@ -60796,7 +61223,7 @@ const createInfoService = (deps) => {
 				configPrecedence: [
 					"--api-key option",
 					"OGMENT_API_KEY environment variable",
-					"~/.config/ogment/credentials.json",
+					"~/.config/ogment/auth-state.json",
 					...includeDebug ? ["default base URL when OGMENT_BASE_URL is unset"] : []
 				],
 				quickCommands: [
@@ -71591,9 +72018,11 @@ const createRuntime = () => {
 	const runtimeConfig = createRuntimeConfig();
 	const executionEnvironment = runtimeConfig.executionEnvironment;
 	const output = new OutputManager();
-	const credentialsStore = createFileCredentialsStore({
+	const authStateStore = createFileCredentialsStore({
 		configDir: runtimeConfig.configDir,
-		credentialsPath: runtimeConfig.credentialsPath
+		credentialsPath: runtimeConfig.credentialsPath,
+		legacyCredentialsPath: runtimeConfig.legacyCredentialsPath,
+		telemetryPath: runtimeConfig.telemetryPath
 	});
 	const httpClient = createHttpClient();
 	const services = {
@@ -71603,8 +72032,9 @@ const createRuntime = () => {
 		}),
 		auth: createAuthService({
 			baseUrl: runtimeConfig.baseUrl,
-			credentialsStore,
+			credentialsStore: authStateStore,
 			envApiKey: runtimeConfig.envApiKey,
+			executionEnvironment,
 			httpClient
 		}),
 		mcp: createMcpService({
@@ -71618,7 +72048,7 @@ const createRuntime = () => {
 		baseUrlSource: runtimeConfig.baseUrlSource,
 		configDir: runtimeConfig.configDir,
 		credentialsPath: runtimeConfig.credentialsPath,
-		credentialsStore,
+		credentialsStore: authStateStore,
 		envApiKey: runtimeConfig.envApiKey,
 		httpClient,
 		version: runtimeConfig.version
@@ -71639,18 +72069,16 @@ const createRuntime = () => {
 		output,
 		sentry,
 		telemetry: createTelemetryService({
+			authStateStore,
 			baseUrl: runtimeConfig.baseUrl,
 			cliVersion: runtimeConfig.version,
-			configDir: runtimeConfig.configDir,
-			credentialsStore,
 			envApiKey: runtimeConfig.envApiKey,
 			executionEnvironment,
 			getApiKeyOverride: () => {
 				return context.apiKeyOverride;
 			},
 			httpClient,
-			telemetryDisabled: runtimeConfig.telemetryDisabled,
-			telemetryPath: runtimeConfig.telemetryPath
+			telemetryDisabled: runtimeConfig.telemetryDisabled
 		})
 	};
 };
@@ -71792,6 +72220,7 @@ const commandFromArgv = (argv) => {
 };
 const RUNTIME_ERROR_COMMAND_PATH = "ogment <runtime_error>";
 const PARSE_ERROR_COMMAND_PATH = "ogment <parse_error>";
+const CLI_PACKAGE_NAME = "@ogment-ai/cli";
 const PARSE_ERROR_SCOPE_COMMAND_PATHS = {
 	auth: "ogment auth <parse_error>",
 	catalog: "ogment catalog <parse_error>",
@@ -71888,22 +72317,42 @@ const telemetryErrorDetail = (error) => {
 	if (error instanceof Error) return `${error.name}: ${error.message}`;
 	return "Unknown telemetry error";
 };
+function updateInstallCommand(packageName) {
+	return `npm i -g ${packageName}`;
+}
+function formatUpdateRequiredDetail(update) {
+	return [`Update the Ogment CLI before retrying this command (current: v${update.currentVersion}; latest: v${update.latestVersion}).`, `Run \`${updateInstallCommand(update.packageName)}\` to update, or set \`${OGMENT_NO_UPDATE_CHECK_ENV_VAR}=1\` or \`${NO_UPDATE_NOTIFIER_ENV_VAR}=1\` to bypass this check.`].join(" ");
+}
+function createUpdateRequiredError(update) {
+	return new UpdateRequiredError({
+		currentVersion: update.currentVersion,
+		latestVersion: update.latestVersion,
+		message: formatUpdateRequiredDetail(update),
+		packageName: update.packageName,
+		recovery: {
+			command: updateInstallCommand(update.packageName),
+			id: "update_cli",
+			reason: "A newer Ogment CLI version must be installed before this command can run.",
+			title: "Update CLI",
+			when: "immediate"
+		}
+	});
+}
 const emitRuntimeErrorTelemetry = async (output, input) => {
 	const telemetryConfig = createTelemetryRuntimeConfig();
-	const credentialsStore = createFileCredentialsStore({
-		configDir: telemetryConfig.configDir,
-		credentialsPath: telemetryConfig.credentialsPath
-	});
 	const telemetry = createTelemetryService({
+		authStateStore: createFileCredentialsStore({
+			configDir: telemetryConfig.configDir,
+			credentialsPath: telemetryConfig.credentialsPath,
+			legacyCredentialsPath: telemetryConfig.legacyCredentialsPath,
+			telemetryPath: telemetryConfig.telemetryPath
+		}),
 		baseUrl: telemetryConfig.baseUrl,
 		cliVersion: telemetryConfig.version,
-		configDir: telemetryConfig.configDir,
-		credentialsStore,
 		envApiKey: telemetryConfig.envApiKey,
 		executionEnvironment: telemetryConfig.executionEnvironment,
 		httpClient: createHttpClient(),
-		telemetryDisabled: telemetryConfig.telemetryDisabled,
-		telemetryPath: telemetryConfig.telemetryPath
+		telemetryDisabled: telemetryConfig.telemetryDisabled
 	});
 	try {
 		await telemetry.trackCommandCompleted({
@@ -71954,12 +72403,17 @@ const commandContextFromInvocation = (invocation, apiKeyOverride) => {
 		default: return assertNever(invocation);
 	}
 };
-const runCli = async (argv = process.argv.slice(2), runtime = void 0) => {
+const runCli = async (argv = process.argv.slice(2), runtime = void 0, deps = {}) => {
 	const normalizedArgv = normalizeCliArgv(argv);
 	const outputOptions = parseOutputOptionsFromArgv(normalizedArgv);
 	const displayCommand = commandFromArgv(argv);
 	const startedAt = Date.now();
-	const runtimeCreatedInternally = runtime === void 0;
+	const shouldCheckForUpdate = runtime === void 0 || deps.checkForCliUpdate !== void 0;
+	const checkForCliUpdate = deps.checkForCliUpdate ?? maybeGetAvailableCliUpdate;
+	const updateCheckOptions = {
+		currentVersion: VERSION$2,
+		packageName: CLI_PACKAGE_NAME
+	};
 	let telemetryContext = null;
 	let telemetryErrorCode = null;
 	let shouldEmitTelemetry = true;
@@ -71991,10 +72445,6 @@ const runCli = async (argv = process.argv.slice(2), runtime = void 0) => {
 			executionEnvironment: resolvedRuntime.executionEnvironment
 		});
 	};
-	if (runtimeCreatedInternally) await maybeNotifyCliUpdate({
-		currentVersion: VERSION$2,
-		packageName: "@ogment-ai/cli"
-	});
 	const parseState = createCommanderParseState();
 	const { program, readInvocation } = createProgram(resolvedRuntime, parseState);
 	try {
@@ -72004,12 +72454,23 @@ const runCli = async (argv = process.argv.slice(2), runtime = void 0) => {
 			if (invocation !== null) {
 				resolvedInvocation = invocation;
 				telemetryContext = telemetryContextFromInvocation(invocation);
-				await executeInvocation(resolvedRuntime, invocation);
+				const availableUpdate = shouldCheckForUpdate ? await checkForCliUpdate(updateCheckOptions) : null;
+				if (availableUpdate !== null) {
+					const updateError = createUpdateRequiredError(availableUpdate);
+					resolvedRuntime.output.error(updateError, {
+						command: displayCommand,
+						entity: null
+					});
+					telemetryErrorCode = ERROR_CODE.cliUpdateRequired;
+					finalExitCode = exitCodeForError(updateError);
+				} else {
+					await executeInvocation(resolvedRuntime, invocation);
+					finalExitCode = EXIT_CODE.success;
+				}
 			} else {
 				shouldEmitTelemetry = false;
 				resolvedRuntime.output.info("[telemetry] command_completed event not sent: missing telemetry context");
 			}
-			finalExitCode = EXIT_CODE.success;
 		} catch (error) {
 			if (error instanceof CliExitError) {
 				if (error.error !== void 0) captureCliError(error.error);
@@ -72089,4 +72550,4 @@ if (shouldExecuteCli(import.meta.url, process.argv[1])) await executeCli();
 
 //#endregion
 export { executeCli, runCli, shouldExecuteCli };
-//# debugId=3ea61f88-7f34-4abe-adff-ad066ac07739
+//# debugId=856f5502-c592-445c-b0d7-d8c7048e63ba