npm - @ogment-ai/cli - Versions diffs - 0.9.1-next.2 → 0.10.0-beta.1 - Mend

@ogment-ai/cli 0.9.1-next.2 → 0.10.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/cli.js CHANGED Viewed

@@ -7998,25 +7998,25 @@ const toJsonValue = (value) => {
 //#region src/shared/recovery.ts
 const defaultRecoveryByCode = {
 	[ERROR_CODE.authDeviceExpired]: {
-		command: "ogment auth login",
-		reason: "Device code expired; restart login to continue.",
+		command: "ogment login",
+		reason: "Login request expired; start login again to continue.",
 		title: "Restart login",
 		when: "immediate"
 	},
 	[ERROR_CODE.authDevicePending]: {
-		command: "ogment auth status",
-		reason: "Authorization is pending; check whether credentials are now available.",
-		title: "Check auth status",
+		command: "ogment login",
+		reason: "Authorization is pending; run login again after approving in the browser.",
+		title: "Complete login",
 		when: "immediate"
 	},
 	[ERROR_CODE.authInvalidCredentials]: {
-		command: "ogment auth logout",
-		reason: "Credentials are invalid; clear local state before re-authenticating.",
-		title: "Reset auth state",
+		command: "ogment login",
+		reason: "Credentials are invalid; sign in again to restore the local CLI session.",
+		title: "Sign in again",
 		when: "immediate"
 	},
 	[ERROR_CODE.authRequired]: {
-		command: "ogment auth login",
+		command: "ogment login",
 		reason: "Authentication is required before catalog, search, or execute commands can run.",
 		title: "Authenticate",
 		when: "immediate"
@@ -8367,36 +8367,55 @@ const isRecord$1 = (value) => {
 	return typeof value === "object" && value !== null;
 };
-//#endregion
-//#region src/shared/schemas.ts
-const credentialsFileSchema = object({
-	agentName: string().optional(),
-	apiKey: string().min(1).optional()
-});
 //#endregion
 //#region src/infra/credentials.ts
 const authStateFileSchema = object({
+	currentAuthRequest: object({
+		authRequestId: string().min(1),
+		expiresAt: string().min(1),
+		verificationUrl: string().min(1)
+	}).nullable().optional(),
+	installationId: uuid(),
+	session: object({
+		agentId: uuid(),
+		agentName: string().min(1),
+		apiKey: string().min(1),
+		credentialId: uuid(),
+		signedInAt: string().min(1)
+	}).nullable().optional(),
+	version: literal(3)
+}).strict();
+const authStateFileV2Schema = object({
+	installationId: uuid(),
+	pendingAuthRequest: object({
+		authRequestId: string().min(1),
+		expiresAt: string().min(1),
+		verificationUrl: string().min(1)
+	}).nullable().optional(),
+	session: object({
+		agentId: uuid(),
+		agentName: string().min(1),
+		apiKey: string().min(1),
+		credentialId: uuid(),
+		signedInAt: string().min(1)
+	}).nullable().optional(),
+	version: literal(2)
+}).strict();
+const legacyAuthStateFileSchema = object({
 	activeAuth: object({
 		agentName: string().optional(),
 		apiKey: string().min(1),
-		boundAt: string().optional(),
-		namespaceKey: string().min(1).optional(),
-		scopeFingerprint: string().min(1).optional()
+		boundAt: string().optional()
 	}).nullable().optional(),
 	installationId: uuid(),
 	pendingRequests: array(object({
 		authRequestId: string().min(1),
-		code: string().min(1),
 		createdAt: string().min(1),
 		expiresAt: string().min(1),
-		namespaceKey: string().min(1),
-		scopeFingerprint: string().min(1).optional(),
 		verificationUrl: string().min(1)
 	})).optional(),
 	version: literal(1)
 }).strict();
-const telemetryInstallationSchema = object({ installationId: uuid() }).strict();
 const LOCK_RETRY_DELAY_MS = 10;
 const LOCK_STALE_MS = 3e4;
 const LOCK_TIMEOUT_MS = 2e3;
@@ -8405,40 +8424,42 @@ const sleepBlocking = (milliseconds) => {
 	const view = new Int32Array(buffer);
 	Atomics.wait(view, 0, 0, milliseconds);
 };
-const normalizeCredentials = (value) => {
-	const parsed = parseWithSchema(credentialsFileSchema, value, "legacy credentials file");
-	if (Result.isError(parsed) || parsed.value.apiKey === void 0) return null;
-	return {
-		...parsed.value.agentName === void 0 ? {} : { agentName: parsed.value.agentName },
-		apiKey: parsed.value.apiKey
-	};
-};
 const normalizeAuthState = (value) => {
-	const parsed = parseWithSchema(authStateFileSchema, value, "auth state file");
-	if (Result.isError(parsed)) return null;
-	const activeAuth = parsed.value.activeAuth === void 0 || parsed.value.activeAuth === null ? null : {
-		...parsed.value.activeAuth.agentName === void 0 ? {} : { agentName: parsed.value.activeAuth.agentName },
-		apiKey: parsed.value.activeAuth.apiKey,
-		...parsed.value.activeAuth.boundAt === void 0 ? {} : { boundAt: parsed.value.activeAuth.boundAt },
-		...parsed.value.activeAuth.namespaceKey === void 0 ? {} : { namespaceKey: parsed.value.activeAuth.namespaceKey },
-		...parsed.value.activeAuth.scopeFingerprint === void 0 ? {} : { scopeFingerprint: parsed.value.activeAuth.scopeFingerprint }
-	};
-	const pendingRequests = (parsed.value.pendingRequests ?? []).map((request) => {
-		return {
-			authRequestId: request.authRequestId,
-			code: request.code,
-			createdAt: request.createdAt,
-			expiresAt: request.expiresAt,
-			namespaceKey: request.namespaceKey,
-			...request.scopeFingerprint === void 0 ? {} : { scopeFingerprint: request.scopeFingerprint },
-			verificationUrl: request.verificationUrl
-		};
-	});
+	const parsedCurrentState = parseWithSchema(authStateFileSchema, value, "auth state file");
+	if (Result.isOk(parsedCurrentState)) return {
+		needsMigration: false,
+		state: {
+			currentAuthRequest: parsedCurrentState.value.currentAuthRequest ?? null,
+			installationId: parsedCurrentState.value.installationId,
+			session: parsedCurrentState.value.session ?? null,
+			version: 3
+		}
+	};
+	const parsedLegacyV2State = parseWithSchema(authStateFileV2Schema, value, "auth state v2 file");
+	if (Result.isOk(parsedLegacyV2State)) return {
+		needsMigration: true,
+		state: {
+			currentAuthRequest: parsedLegacyV2State.value.pendingAuthRequest ?? null,
+			installationId: parsedLegacyV2State.value.installationId,
+			session: parsedLegacyV2State.value.session ?? null,
+			version: 3
+		}
+	};
+	const parsedV1 = parseWithSchema(legacyAuthStateFileSchema, value, "legacy auth state file");
+	if (Result.isError(parsedV1)) return null;
+	const latestPendingRequest = (parsedV1.value.pendingRequests ?? []).at(-1);
 	return {
-		activeAuth,
-		installationId: parsed.value.installationId,
-		pendingRequests,
-		version: 1
+		needsMigration: true,
+		state: {
+			currentAuthRequest: latestPendingRequest === void 0 ? null : {
+				authRequestId: latestPendingRequest.authRequestId,
+				expiresAt: latestPendingRequest.expiresAt,
+				verificationUrl: latestPendingRequest.verificationUrl
+			},
+			installationId: parsedV1.value.installationId,
+			session: null,
+			version: 3
+		}
 	};
 };
 const toCorruptPath = (path, nowFn) => {
@@ -8473,29 +8494,12 @@ const createFileCredentialsStore = (deps) => {
 	const unlinkSyncFn = deps.unlinkSyncFn ?? unlinkSync;
 	const writeFileSyncFn = deps.writeFileSyncFn ?? writeFileSync;
 	const lockPath = `${deps.credentialsPath}.lock`;
-	const readJsonFile = (path) => {
-		if (!existsSyncFn(path)) return null;
-		try {
-			return JSON.parse(readFileSyncFn(path, "utf8"));
-		} catch {
-			return null;
-		}
-	};
-	const readLegacyCredentials = () => {
-		return normalizeCredentials(readJsonFile(deps.legacyCredentialsPath));
-	};
-	const readLegacyInstallationId = () => {
-		const raw = readJsonFile(deps.telemetryPath);
-		if (raw === null) return null;
-		const parsed = telemetryInstallationSchema.safeParse(raw);
-		return parsed.success ? parsed.data.installationId : null;
-	};
 	const createEmptyState = (installationId = randomUuidFn()) => {
 		return {
-			activeAuth: null,
+			currentAuthRequest: null,
 			installationId,
-			pendingRequests: [],
-			version: 1
+			session: null,
+			version: 3
 		};
 	};
 	const withLock = (operation) => {
@@ -8588,43 +8592,33 @@ const createFileCredentialsStore = (deps) => {
 			}
 			throw error;
 		}
-		const parsed = normalizeAuthState(parsedJson);
-		if (parsed === null) {
+		const normalized = normalizeAuthState(parsedJson);
+		if (normalized === null) {
 			quarantineCorruptState();
 			return null;
 		}
-		return parsed;
-	};
-	const migrateStateFromLegacy = () => {
-		const migratedInstallationId = readLegacyInstallationId();
-		const migratedCredentials = readLegacyCredentials();
-		if (!(migratedInstallationId !== null || migratedCredentials !== null)) return null;
-		return {
-			...createEmptyState(migratedInstallationId ?? randomUuidFn()),
-			...migratedCredentials === null ? {} : { activeAuth: migratedCredentials }
-		};
+		return normalized;
 	};
 	const loadState = (options) => {
 		const currentState = loadStateFromDisk();
-		if (currentState !== null) return currentState;
-		const migratedState = migrateStateFromLegacy();
-		if (migratedState !== null) {
-			withLock(() => {
-				if (!existsSyncFn(deps.credentialsPath)) writeState(migratedState);
+		if (currentState !== null) {
+			if (currentState.needsMigration) withLock(() => {
+				const latest = loadStateFromDisk();
+				if (latest?.needsMigration) writeState(latest.state);
 			});
-			return loadStateFromDisk() ?? migratedState;
+			return currentState.state;
 		}
 		if (options?.persistIfMissing === true) {
 			const emptyState = createEmptyState();
 			withLock(() => {
 				if (!existsSyncFn(deps.credentialsPath)) writeState(emptyState);
 			});
-			return loadStateFromDisk() ?? emptyState;
+			return loadStateFromDisk()?.state ?? emptyState;
 		}
 		return null;
 	};
 	return {
-		clearPendingRequests: (namespaceKey) => {
+		clearCurrentAuthRequest: () => {
 			return Result.try({
 				catch: (cause) => new UnexpectedError({
 					cause,
@@ -8632,10 +8626,9 @@ const createFileCredentialsStore = (deps) => {
 				}),
 				try: () => {
 					withLock(() => {
-						const latest = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
 						writeState({
-							...latest,
-							pendingRequests: namespaceKey === void 0 ? [] : latest.pendingRequests.filter((request) => request.namespaceKey !== namespaceKey)
+							...loadStateFromDisk()?.state ?? createEmptyState(),
+							currentAuthRequest: null
 						});
 					});
 				}
@@ -8650,27 +8643,22 @@ const createFileCredentialsStore = (deps) => {
 				try: () => {
 					withLock(() => {
 						writeState({
-							...loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState(),
-							activeAuth: null,
-							pendingRequests: []
+							...loadStateFromDisk()?.state ?? createEmptyState(),
+							session: null
 						});
 					});
 				}
 			});
 		},
-		deletePendingRequest: (authRequestId) => {
+		reset: () => {
 			return Result.try({
 				catch: (cause) => new UnexpectedError({
 					cause,
-					message: "Failed to update local auth state"
+					message: "Failed to reset local auth state"
 				}),
 				try: () => {
 					withLock(() => {
-						const latest = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
-						writeState({
-							...latest,
-							pendingRequests: latest.pendingRequests.filter((request) => request.authRequestId !== authRequestId)
-						});
+						writeState(createEmptyState());
 					});
 				}
 			});
@@ -8688,14 +8676,14 @@ const createFileCredentialsStore = (deps) => {
 				}
 			});
 		},
-		listPendingRequests: () => {
+		getCurrentAuthRequest: () => {
 			return Result.try({
 				catch: (cause) => new UnexpectedError({
 					cause,
 					message: "Failed to load local auth state"
 				}),
 				try: () => {
-					return loadState()?.pendingRequests ?? [];
+					return loadState()?.currentAuthRequest ?? null;
 				}
 			});
 		},
@@ -8706,12 +8694,7 @@ const createFileCredentialsStore = (deps) => {
 					message: "Failed to load local auth state"
 				}),
 				try: () => {
-					const state = loadState();
-					if (state?.activeAuth === null || state === null) return null;
-					return {
-						...state.activeAuth.agentName === void 0 ? {} : { agentName: state.activeAuth.agentName },
-						apiKey: state.activeAuth.apiKey
-					};
+					return loadState()?.session ?? null;
 				}
 			});
 		},
@@ -8724,17 +8707,15 @@ const createFileCredentialsStore = (deps) => {
 				try: () => {
 					withLock(() => {
 						writeState({
-							...loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState(),
-							activeAuth: {
-								...credentials.agentName === void 0 ? {} : { agentName: credentials.agentName },
-								apiKey: credentials.apiKey
-							}
+							...loadStateFromDisk()?.state ?? createEmptyState(),
+							currentAuthRequest: null,
+							session: credentials
 						});
 					});
 				}
 			});
 		},
-		storeApprovedAuth: (credentials, namespaceKey) => {
+		saveCurrentAuthRequest: (request) => {
 			return Result.try({
 				catch: (cause) => new UnexpectedError({
 					cause,
@@ -8742,43 +8723,13 @@ const createFileCredentialsStore = (deps) => {
 				}),
 				try: () => {
 					withLock(() => {
-						const currentState = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
 						writeState({
-							...currentState,
-							activeAuth: {
-								...credentials.agentName === void 0 ? {} : { agentName: credentials.agentName },
-								apiKey: credentials.apiKey,
-								boundAt: nowFn().toISOString(),
-								...namespaceKey === void 0 ? {} : { namespaceKey }
-							},
-							pendingRequests: namespaceKey === void 0 ? [] : currentState.pendingRequests.filter((request) => request.namespaceKey !== namespaceKey)
-						});
-					});
-				}
-			});
-		},
-		savePendingRequest: (request) => {
-			return Result.try({
-				catch: (cause) => new UnexpectedError({
-					cause,
-					message: "Failed to update local auth state"
-				}),
-				try: () => {
-					withLock(() => {
-						const currentState = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
-						const pendingRequests = currentState.pendingRequests.filter((entry) => entry.authRequestId !== request.authRequestId);
-						pendingRequests.push({
-							authRequestId: request.authRequestId,
-							code: request.code,
-							createdAt: request.createdAt,
-							expiresAt: request.expiresAt,
-							namespaceKey: request.namespaceKey,
-							...request.scopeFingerprint === void 0 ? {} : { scopeFingerprint: request.scopeFingerprint },
-							verificationUrl: request.verificationUrl
-						});
-						writeState({
-							...currentState,
-							pendingRequests
+							...loadStateFromDisk()?.state ?? createEmptyState(),
+							currentAuthRequest: {
+								authRequestId: request.authRequestId,
+								expiresAt: request.expiresAt,
+								verificationUrl: request.verificationUrl
+							}
 						});
 					});
 				}
@@ -8859,14 +8810,17 @@ const telemetryRuntimeFields = (env, configDir) => {
 		credentialsPath: join(configDir, "auth-state.json"),
 		envApiKey: env["OGMENT_API_KEY"],
 		executionEnvironment: detectExecutionEnvironment(env),
-		legacyCredentialsPath: join(configDir, "credentials.json"),
 		telemetryDisabled: telemetryDisabledFromEnv(env),
-		telemetryPath: join(configDir, "telemetry.json"),
 		version: VERSION$2
 	};
 };
+const resolveConfigDir = (env, homeDirectory) => {
+	const configuredDir = env["OGMENT_CONFIG_DIR"]?.trim();
+	if (configuredDir && configuredDir.length > 0) return configuredDir;
+	return join(homeDirectory, ".config", "ogment");
+};
 const createRuntimeConfig = (env = process.env, homeDirectory = homedir()) => {
-	const configDir = join(homeDirectory, ".config", "ogment");
+	const configDir = resolveConfigDir(env, homeDirectory);
 	const envBaseUrl = env["OGMENT_BASE_URL"];
 	const hasBaseUrlOverride = typeof envBaseUrl === "string";
 	return {
@@ -8884,7 +8838,7 @@ const createRuntimeConfig = (env = process.env, homeDirectory = homedir()) => {
 	};
 };
 const createTelemetryRuntimeConfig = (env = process.env, homeDirectory = homedir()) => {
-	const configDir = join(homeDirectory, ".config", "ogment");
+	const configDir = resolveConfigDir(env, homeDirectory);
 	const parsedBaseUrl = baseUrlSchema.safeParse(env["OGMENT_BASE_URL"]);
 	return {
 		baseUrl: parsedBaseUrl.success ? parsedBaseUrl.data : DEFAULT_OGMENT_BASE_URL,
@@ -14140,7 +14094,13 @@ const cliOrgSchema = object({
 	role: string(),
 	servers: array(cliServerSchema)
 }).strict();
+const cliActingAgentSchema = object({
+	agentId: string().uuid(),
+	agentName: string().min(1),
+	boundInstallationId: string().uuid().nullable()
+}).strict();
 const cliMeDataSchema = object({
+	actingAgent: cliActingAgentSchema.nullable(),
 	email: string().nullable(),
 	imageUrl: string().nullable(),
 	name: string().nullable(),
@@ -14151,72 +14111,60 @@ const accountMeSchema = cliSuccessEnvelopeSchema(cliMeDataSchema);
 //#endregion
 //#region ../../packages/shared/src/cli/auth.ts
-const deviceCodeStartDataSchema = object({
-	deviceCode: string().min(1),
-	expiresIn: number$1().int().positive(),
-	interval: number$1().int().positive(),
-	userCode: string().min(1),
-	verificationUri: string().url()
-}).strict();
-const deviceCodeStartSchema = cliSuccessEnvelopeSchema(deviceCodeStartDataSchema);
 const authStartDataSchema = object({
 	authRequestId: string().min(1),
+	disposition: _enum([
+		"created",
+		"reused_approved",
+		"reused_pending"
+	]),
 	expiresAt: isoTimestampSchema,
-	userCode: string().min(1),
 	verificationUrl: string().url()
 }).strict();
 const authStartSchema = cliSuccessEnvelopeSchema(authStartDataSchema);
-const deviceTokenPendingDataSchema = object({ status: literal("authorization_pending") }).strict();
-const deviceTokenApprovedDataSchema = object({
-	agentName: string().min(1),
-	apiKey: string().min(1),
-	status: literal("approved")
-}).strict();
-const deviceTokenDataSchema = discriminatedUnion("status", [deviceTokenPendingDataSchema, deviceTokenApprovedDataSchema]);
-const deviceTokenSchema = cliSuccessEnvelopeSchema(deviceTokenDataSchema);
-const deviceTokenApprovedSchema = cliSuccessEnvelopeSchema(deviceTokenApprovedDataSchema);
 const authExchangePendingDataSchema = object({ status: literal("authorization_pending") }).strict();
 const authExchangeApprovedDataSchema = object({
+	agentId: string().uuid(),
 	agentName: string().min(1),
 	apiKey: string().min(1),
-	scopeFingerprint: string().min(1),
+	credentialId: string().uuid(),
 	status: literal("approved")
 }).strict();
 const authExchangeExpiredDataSchema = object({ status: literal("expired") }).strict();
-const authExchangeDeniedDataSchema = object({ status: literal("denied") }).strict();
-const authExchangeConflictDataSchema = object({ status: literal("conflict") }).strict();
 const authExchangeInvalidDataSchema = object({ status: literal("invalid") }).strict();
+const authExchangeSupersededDataSchema = object({ status: literal("superseded") }).strict();
 const authExchangeDataSchema = discriminatedUnion("status", [
 	authExchangePendingDataSchema,
 	authExchangeApprovedDataSchema,
 	authExchangeExpiredDataSchema,
-	authExchangeDeniedDataSchema,
-	authExchangeConflictDataSchema,
-	authExchangeInvalidDataSchema
+	authExchangeInvalidDataSchema,
+	authExchangeSupersededDataSchema
 ]);
 const authExchangeSchema = cliSuccessEnvelopeSchema(authExchangeDataSchema);
 const authExchangeApprovedSchema = cliSuccessEnvelopeSchema(authExchangeApprovedDataSchema);
-const revokeSelfDataSchema = object({ success: literal(true) }).strict();
-const revokeSelfSchema = cliSuccessEnvelopeSchema(revokeSelfDataSchema);
+const authMutationSuccessDataSchema = object({ success: literal(true) }).strict();
+const authLogoutDataSchema = authMutationSuccessDataSchema;
+const authLogoutSchema = cliSuccessEnvelopeSchema(authLogoutDataSchema);
+const authResetDataSchema = authMutationSuccessDataSchema;
+const authResetSchema = cliSuccessEnvelopeSchema(authResetDataSchema);
 //#endregion
 //#region ../../packages/shared/src/cli/endpoints.ts
 const cliEndpoints = {
 	accountMe: "/api/v1/cli/me",
-	authExchange: "/api/v1/cli/auth/exchange",
 	authStart: "/api/v1/cli/auth/start",
-	cliRevokeSelf: "/api/v1/cli/revoke-self",
-	deviceCode: "/api/v1/cli/device-code",
-	deviceToken: "/api/v1/cli/device-token",
+	authExchange: "/api/v1/cli/auth/exchange",
+	authLogout: "/api/v1/cli/auth/logout",
+	authReset: "/api/v1/cli/auth/reset",
 	telemetry: "/api/v1/cli/telemetry"
 };
 //#endregion
 //#region ../../packages/shared/src/cli/telemetry.ts
 const cliCommandKindSchema = _enum([
-	"auth_login",
-	"auth_logout",
-	"auth_status",
+	"login",
+	"logout",
+	"reset",
 	"catalog_detail",
 	"catalog_summary",
 	"catalog_tool_detail",
@@ -14368,25 +14316,16 @@ const exitCodeForError = (error) => {
 //#endregion
 //#region src/commands/auth.ts
-const runAuthLoginCommand = async (context, options) => {
-	const loginOptions = (() => {
-		if (options.mode === "apiKey") return {
-			apiKey: options.apiKey,
-			mode: "apiKey"
-		};
-		return {
-			mode: "device",
-			...options.onPending === void 0 ? {} : { onPending: options.onPending }
-		};
-	})();
+const runLoginCommand = async (context, options) => {
+	const loginOptions = options.onPending === void 0 ? {} : { onPending: options.onPending };
 	return context.services.auth.login(loginOptions);
 };
-const runAuthStatusCommand = async (context) => {
-	return context.services.auth.status(context.apiKeyOverride);
-};
-const runAuthLogoutCommand = async (context) => {
+const runLogoutCommand = async (context) => {
 	return context.services.auth.logout();
 };
+const runResetCommand = async (context) => {
+	return context.services.auth.reset();
+};
 //#endregion
 //#region src/commands/server-context.ts
@@ -14760,13 +14699,6 @@ const withOrg = (orgSlug) => {
 	return orgSlug === void 0 ? [] : [`--org ${orgSlug}`];
 };
 const cliCommands = {
-	auth: {
-		help: () => "ogment auth --help",
-		login: () => "ogment auth login",
-		loginWithApiKeyRedacted: () => "ogment auth login --api-key <redacted>",
-		logout: () => "ogment auth logout",
-		status: () => "ogment auth status"
-	},
 	catalog: {
 		command: (serverId, toolName, orgSlug) => [
 			"ogment catalog",
@@ -14825,14 +14757,19 @@ const cliCommands = {
 		if (scope === null) return "ogment --help";
 		return `ogment ${scope} --help`;
 	},
+	login: { command: () => "ogment login" },
+	logout: { command: () => "ogment logout" },
+	reset: { command: () => "ogment reset" },
 	root: {
 		command: () => "ogment",
 		commandsSurface: () => {
 			return [
-				"auth login",
-				"auth status",
-				"auth logout",
+				"login",
+				"logout",
+				"reset",
 				"catalog",
+				"catalog <server-id>",
+				"catalog <server-id> <tool-name>",
 				"search <server-id>",
 				"execute <server-id>",
 				"status"
@@ -14904,15 +14841,11 @@ const ensureSuccess = (result, runtime, context) => {
 	}
 	return result.unwrap();
 };
-const nextActionsForLogin = (payload, mode) => {
-	return [nextAction("check_auth_status", "Check auth status", cliCommands.auth.status(), `Verify persisted credentials after ${mode} login for ${payload.agentName}.`, "immediate"), nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Logged in as ${payload.agentName} via ${mode}; discover available servers.`, "after_auth")];
+const nextActionsForLogin = (payload) => {
+	return [nextAction("inspect_status", "Inspect status", cliCommands.status.command(), `Verify the connected CLI state for ${payload.agentName}.`, "immediate"), nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Logged in as ${payload.agentName}; discover available servers.`, "after_auth")];
 };
-const nextActionsForPendingLogin = (userCode, verificationUri) => {
-	return [nextAction("check_login_status", "Check login status", cliCommands.auth.status(), `Approve ${userCode} at ${verificationUri}, then verify local auth state.`, "immediate"), nextAction("restart_device_login", "Restart login", cliCommands.auth.login(), `Restart login if code ${userCode} expires before approval.`, "if_expired")];
-};
-const nextActionsForAuthStatus = (payload) => {
-	if (!payload.loggedIn) return [nextAction("login", "Authenticate", cliCommands.auth.login(), "No API key is configured locally; login is required.", "immediate")];
-	return [nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Authenticated via ${payload.apiKeySource}; discover servers next.`, "after_auth")];
+const nextActionsForPendingLogin = (authRequestId, verificationUrl) => {
+	return [nextAction("complete_login", "Complete login", cliCommands.login.command(), `Approve request ${authRequestId} at ${verificationUrl}, then run login again to finish local sign-in.`, "immediate"), nextAction("inspect_status", "Inspect status", cliCommands.status.command(), "Inspect the current CLI state and diagnostics.", "if_expired")];
 };
 const nextActionsForCatalogSummary = (payload, context) => {
 	const actions = [];
@@ -14941,7 +14874,7 @@ const nextActionsForExecute = (payload) => {
 	return [nextAction("search_tools", "Search tools again", cliCommands.search.inspectAllTools(payload.serverId), `Reinspect tool definitions on ${payload.serverId} before the next execution.`, "after_execute")];
 };
 const nextActionsForStatus = (payload) => {
-	if (!payload.auth.apiKeyPresent) return [nextAction("login", "Authenticate", cliCommands.auth.login(), "Status detected no API key; authenticate first.", "immediate")];
+	if (!payload.auth.apiKeyPresent) return [nextAction("login", "Authenticate", cliCommands.login.command(), "Status detected no API key; authenticate first.", "immediate")];
 	return [nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Connectivity is ${payload.summary.status}; discover available servers.`, "after_status")];
 };
 const codeSourceFromValue = (value) => {
@@ -14956,87 +14889,78 @@ const inputSourceFromValue = (value) => {
 	return "inline_json";
 };
 const runLoginFlow = async (runtime, options) => {
-	const { commandOptions, invokedCommand, mode } = options.mode === "apiKey" ? {
-		commandOptions: options,
-		invokedCommand: cliCommands.auth.loginWithApiKeyRedacted(),
-		mode: "apiKey"
-	} : {
-		commandOptions: { mode: "device" },
-		invokedCommand: cliCommands.auth.login(),
-		mode: "device"
-	};
-	const data = ensureSuccess(await runAuthLoginCommand(runtime.context, commandOptions), runtime, {
-		command: invokedCommand,
-		entity: { mode }
-	});
+	const invokedCommand = cliCommands.login.command();
+	const data = ensureSuccess(await runLoginCommand(runtime.context, options), runtime, { command: invokedCommand });
 	if (!data.loggedIn) {
 		const pendingOutput = {
-			event: "auth_login.pending",
+			event: "login.pending",
 			loggedIn: false,
 			verification: data.verification
 		};
 		runtime.output.success(pendingOutput, {
 			command: invokedCommand,
 			entity: {
-				event: "auth_login.pending",
-				mode,
+				event: "login.pending",
 				verification: {
-					userCode: data.verification.userCode,
-					verificationUri: data.verification.verificationUri
+					authRequestId: data.verification.authRequestId,
+					verificationUrl: data.verification.verificationUrl
 				}
 			},
-			nextActions: nextActionsForPendingLogin(data.verification.userCode, data.verification.verificationUri)
+			nextActions: nextActionsForPendingLogin(data.verification.authRequestId, data.verification.verificationUrl)
 		});
 		return;
 	}
 	const outputData = {
 		...data,
-		event: "auth_login.completed"
+		event: "login.completed"
 	};
 	runtime.output.success(outputData, {
 		command: invokedCommand,
 		entity: {
 			agentName: data.agentName,
-			event: "auth_login.completed",
+			event: "login.completed",
 			loggedIn: data.loggedIn,
-			mode,
 			outcome: data.outcome
 		},
-		nextActions: nextActionsForLogin(data, mode)
+		nextActions: nextActionsForLogin(data)
 	});
 };
-const executeAuthLoginInvocation = async (runtime, invocation) => {
-	if (invocation.apiKey !== void 0) {
-		await runLoginFlow(runtime, {
-			apiKey: invocation.apiKey,
-			mode: "apiKey"
-		});
-		return;
-	}
-	await runLoginFlow(runtime, { mode: "device" });
+const executeLoginInvocation = async (runtime, _invocation) => {
+	await runLoginFlow(runtime, {});
 };
-const executeAuthStatusInvocation = async (runtime) => {
-	const command = cliCommands.auth.status();
-	const data = ensureSuccess(await runAuthStatusCommand(runtime.context), runtime, { command });
-	runtime.output.success(data, {
+const executeLogoutInvocation = async (runtime) => {
+	const command = cliCommands.logout.command();
+	const data = ensureSuccess(await runLogoutCommand(runtime.context), runtime, { command });
+	const outputData = {
+		...data,
+		event: "logout.completed"
+	};
+	runtime.output.success(outputData, {
 		command,
 		entity: {
-			apiKeySource: data.apiKeySource,
-			loggedIn: data.loggedIn
+			event: "logout.completed",
+			localStateCleared: data.localStateCleared,
+			remoteSignedOut: data.remoteSignedOut
 		},
-		nextActions: nextActionsForAuthStatus(data)
+		nextActions: [nextAction("login", "Authenticate again", cliCommands.login.command(), "Sign-out completed; run login when you want to reconnect this installation.", "after_logout")]
 	});
 };
-const executeAuthLogoutInvocation = async (runtime) => {
-	const command = cliCommands.auth.logout();
-	const data = ensureSuccess(await runAuthLogoutCommand(runtime.context), runtime, { command });
-	runtime.output.success(data, {
+const executeResetInvocation = async (runtime) => {
+	const command = cliCommands.reset.command();
+	const data = ensureSuccess(await runResetCommand(runtime.context), runtime, { command });
+	const outputData = {
+		...data,
+		event: "reset.completed"
+	};
+	runtime.output.success(outputData, {
 		command,
 		entity: {
-			localCredentialsDeleted: data.localCredentialsDeleted,
-			revoked: data.revoked
+			event: "reset.completed",
+			installationReset: data.installationReset,
+			localStateCleared: data.localStateCleared,
+			remoteReset: data.remoteReset
 		},
-		nextActions: [nextAction("login", "Authenticate again", cliCommands.auth.login(), "Logout completed; authenticate again before further Codemode commands.", "after_logout")]
+		nextActions: [nextAction("login", "Authenticate this fresh install", cliCommands.login.command(), "Reset completed; run login to create or reconnect this installation.", "after_reset"), nextAction("inspect_status", "Inspect status", cliCommands.status.command(), "Inspect the fresh-install CLI state and diagnostics.", "after_reset")]
 	});
 };
 const executeCatalogInvocation = async (runtime, invocation) => {
@@ -15197,19 +15121,19 @@ const executeRootInvocation = (runtime) => {
 	runtime.output.success({ commands: cliCommands.root.commandsSurface() }, {
 		command: cliCommands.root.command(),
 		entity: null,
-		nextActions: [nextAction("login", "Authenticate", cliCommands.auth.login(), "Authenticate first so catalog, search, and execute commands can run.", "immediate"), nextAction("catalog", "Discover servers", cliCommands.catalog.command(), "List accessible servers before running Codemode search or execute.", "after_auth")]
+		nextActions: [nextAction("login", "Authenticate", cliCommands.login.command(), "Authenticate first so catalog, search, and execute commands can run.", "immediate"), nextAction("catalog", "Discover servers", cliCommands.catalog.command(), "List accessible servers before running Codemode search or execute.", "after_auth")]
 	});
 };
 const executeInvocation = async (runtime, invocation) => {
 	switch (invocation.kind) {
-		case "auth_login":
-			await executeAuthLoginInvocation(runtime, invocation);
+		case "login":
+			await executeLoginInvocation(runtime, invocation);
 			return;
-		case "auth_logout":
-			await executeAuthLogoutInvocation(runtime);
+		case "logout":
+			await executeLogoutInvocation(runtime);
 			return;
-		case "auth_status":
-			await executeAuthStatusInvocation(runtime);
+		case "reset":
+			await executeResetInvocation(runtime);
 			return;
 		case "catalog":
 			await executeCatalogInvocation(runtime, invocation);
@@ -15285,19 +15209,19 @@ const nextActionForParseError = (scope, helpCommand) => {
 	};
 };
 const parseActionsForScope = (scope, helpAction) => {
-	if (scope === "auth") return [
+	if (scope === "login" || scope === "logout" || scope === "reset") return [
 		{
-			command: cliCommands.auth.login(),
-			id: "auth_login",
-			reason: "Authenticate with device flow.",
-			title: "Auth login",
+			command: cliCommands.login.command(),
+			id: "login",
+			reason: "Authenticate this CLI installation.",
+			title: "Login",
 			when: "immediate"
 		},
 		{
-			command: cliCommands.auth.status(),
-			id: "auth_status",
-			reason: "Check current local authentication state.",
-			title: "Auth status",
+			command: cliCommands.status.command(),
+			id: "status",
+			reason: "Inspect the current CLI state and diagnostics.",
+			title: "Status",
 			when: "immediate"
 		},
 		helpAction
@@ -60760,8 +60684,8 @@ const createAccountService = (deps) => {
 			mapStatusError: (response, body) => {
 				if (response.status === 401) return new AuthError({
 					code: ERROR_CODE.authInvalidCredentials,
-					message: "Authentication failed. Run `ogment auth login` again.",
-					recovery: { command: "ogment auth login" }
+					message: "Authentication failed. Run `ogment login` again.",
+					recovery: { command: "ogment login" }
 				});
 				return new RemoteRequestError({
 					body,
@@ -60782,7 +60706,6 @@ const createAccountService = (deps) => {
 //#endregion
 //#region src/services/auth.ts
-const DEFAULT_NAMESPACE_KEY = "default";
 const toEndpointUrl = (baseUrl, endpoint) => {
 	return `${baseUrl}${endpoint}`;
 };
@@ -60792,85 +60715,138 @@ const authStartUrl = (baseUrl) => {
 const authExchangeUrl = (baseUrl) => {
 	return toEndpointUrl(baseUrl, cliEndpoints.authExchange);
 };
-const isExpiredPendingRequest = (request, nowMs) => {
+const authLogoutUrl = (baseUrl) => {
+	return toEndpointUrl(baseUrl, cliEndpoints.authLogout);
+};
+const authResetUrl = (baseUrl) => {
+	return toEndpointUrl(baseUrl, cliEndpoints.authReset);
+};
+const accountMeUrl = (baseUrl) => {
+	return toEndpointUrl(baseUrl, cliEndpoints.accountMe);
+};
+const toLoginPendingInfo = (request) => {
+	if (request === null) return null;
+	return {
+		authRequestId: request.authRequestId,
+		verificationUrl: request.verificationUrl
+	};
+};
+const isExpiredCurrentAuthRequest = (request, nowMs) => {
 	const parsedExpiresAt = Date.parse(request.expiresAt);
 	return !Number.isNaN(parsedExpiresAt) && parsedExpiresAt <= nowMs;
 };
 const createAuthService = (deps) => {
 	const now = deps.now ?? Date.now;
-	const storeApprovedAuth = (approvedAuth, namespaceKey = DEFAULT_NAMESPACE_KEY) => {
-		return deps.credentialsStore.storeApprovedAuth({
-			agentName: approvedAuth.agentName,
-			apiKey: approvedAuth.apiKey
-		}, namespaceKey);
-	};
-	const saveApiKeyAuth = (approvedAuth) => {
+	const storeApprovedAuth = (approvedAuth) => {
 		return deps.credentialsStore.save({
+			agentId: approvedAuth.agentId,
 			agentName: approvedAuth.agentName,
-			apiKey: approvedAuth.apiKey
+			apiKey: approvedAuth.apiKey,
+			credentialId: approvedAuth.credentialId,
+			signedInAt: new Date(now()).toISOString()
 		});
 	};
-	const tryExchangePendingRequests = async () => {
-		const installationIdResult = deps.credentialsStore.getInstallationId();
-		if (Result.isError(installationIdResult)) return installationIdResult;
-		const pendingRequestsResult = deps.credentialsStore.listPendingRequests();
-		if (Result.isError(pendingRequestsResult)) return pendingRequestsResult;
-		const pendingRequests = [...pendingRequestsResult.value].toSorted((a, b) => {
-			return a.createdAt.localeCompare(b.createdAt);
+	const loadLocalAuthSnapshot = () => {
+		const installationId = deps.credentialsStore.getInstallationId();
+		if (Result.isError(installationId)) return installationId;
+		const session = deps.credentialsStore.load();
+		if (Result.isError(session)) return session;
+		const currentAuthRequest = deps.credentialsStore.getCurrentAuthRequest();
+		if (Result.isError(currentAuthRequest)) return currentAuthRequest;
+		return Result.ok({
+			currentAuthRequest: currentAuthRequest.value,
+			installationId: installationId.value,
+			session: session.value
 		});
-		for (const pendingRequest of pendingRequests) {
-			if (isExpiredPendingRequest(pendingRequest, now())) {
-				const deleteResult = deps.credentialsStore.deletePendingRequest(pendingRequest.authRequestId);
-				if (Result.isError(deleteResult)) return deleteResult;
-				continue;
-			}
-			const exchangePayload = await requestJson(deps.httpClient, authExchangeUrl(deps.baseUrl), authExchangeSchema, {
-				body: JSON.stringify({
-					authRequestId: pendingRequest.authRequestId,
-					installationId: installationIdResult.value,
-					namespaceKey: pendingRequest.namespaceKey
-				}),
-				headers: { "Content-Type": "application/json" },
-				method: "POST"
-			}, {
-				context: "auth exchange response",
-				mapStatusError: (response, body) => new RemoteRequestError({
+	};
+	const clearCurrentAuthRequest = () => {
+		return deps.credentialsStore.clearCurrentAuthRequest();
+	};
+	const toStoredAuthorizationHeader = (session) => {
+		return session === null ? null : `Bearer ${session.apiKey}`;
+	};
+	const validateStoredCredentials = async (apiKey) => {
+		const response = await requestJson(deps.httpClient, accountMeUrl(deps.baseUrl), accountMeSchema, { headers: { Authorization: `Bearer ${apiKey}` } }, {
+			context: "account response",
+			mapStatusError: (httpResponse, body) => {
+				if (httpResponse.status === 401) return new AuthError({
+					code: ERROR_CODE.authInvalidCredentials,
+					message: "Stored CLI session is invalid. Run `ogment login` to sign in again.",
+					recovery: { command: "ogment login" }
+				});
+				return new RemoteRequestError({
 					body,
-					httpStatus: response.status,
-					message: "Failed to exchange pending CLI auth",
-					operation: "auth/exchange",
+					httpStatus: httpResponse.status,
+					message: "Failed to validate current CLI session",
+					operation: "account/fetch",
 					raw: body,
 					source: "http"
-				}),
-				operation: "auth/exchange"
-			});
-			if (Result.isError(exchangePayload)) return exchangePayload;
-			const exchangeData = exchangePayload.value.data;
-			if (exchangeData.status === "authorization_pending") continue;
-			if (exchangeData.status === "approved") {
-				const storeResult = storeApprovedAuth({
-					agentName: exchangeData.agentName,
-					apiKey: exchangeData.apiKey
-				}, pendingRequest.namespaceKey);
-				if (Result.isError(storeResult)) return storeResult;
-				return Result.ok({
-					agentName: exchangeData.agentName,
-					apiKey: exchangeData.apiKey
 				});
-			}
-			const deleteResult = deps.credentialsStore.deletePendingRequest(pendingRequest.authRequestId);
-			if (Result.isError(deleteResult)) return deleteResult;
+			},
+			operation: "account/fetch"
+		});
+		if (Result.isError(response)) {
+			if (response.error instanceof AuthError && response.error.code === ERROR_CODE.authInvalidCredentials) return Result.ok(false);
+			return response;
 		}
-		return Result.ok(null);
+		return Result.ok(true);
 	};
-	const loginWithDevice = async (options) => {
-		const installationIdResult = deps.credentialsStore.getInstallationId();
-		if (Result.isError(installationIdResult)) return installationIdResult;
+	const exchangeCurrentAuthRequest = async (snapshot) => {
+		const currentAuthRequest = snapshot.currentAuthRequest;
+		if (currentAuthRequest === null) return Result.ok({ kind: "none" });
+		if (isExpiredCurrentAuthRequest(currentAuthRequest, now())) {
+			const clearResult = clearCurrentAuthRequest();
+			if (Result.isError(clearResult)) return clearResult;
+			return Result.ok({ kind: "none" });
+		}
+		const exchangePayload = await requestJson(deps.httpClient, authExchangeUrl(deps.baseUrl), authExchangeSchema, {
+			body: JSON.stringify({
+				authRequestId: currentAuthRequest.authRequestId,
+				installationId: snapshot.installationId
+			}),
+			headers: { "Content-Type": "application/json" },
+			method: "POST"
+		}, {
+			context: "auth exchange response",
+			mapStatusError: (response, body) => new RemoteRequestError({
+				body,
+				httpStatus: response.status,
+				message: "Failed to exchange current CLI auth request",
+				operation: "auth/exchange",
+				raw: body,
+				source: "http"
+			}),
+			operation: "auth/exchange"
+		});
+		if (Result.isError(exchangePayload)) return exchangePayload;
+		const exchangeData = exchangePayload.value.data;
+		if (exchangeData.status === "authorization_pending") return Result.ok({
+			kind: "pending",
+			request: currentAuthRequest
+		});
+		if (exchangeData.status === "approved") {
+			const approvedAuth = {
+				agentId: exchangeData.agentId,
+				agentName: exchangeData.agentName,
+				apiKey: exchangeData.apiKey,
+				credentialId: exchangeData.credentialId
+			};
+			const storeResult = storeApprovedAuth(approvedAuth);
+			if (Result.isError(storeResult)) return storeResult;
+			return Result.ok({
+				auth: approvedAuth,
+				kind: "approved"
+			});
+		}
+		const clearResult = clearCurrentAuthRequest();
+		if (Result.isError(clearResult)) return clearResult;
+		return Result.ok({ kind: "none" });
+	};
+	const startOrRecoverLogin = async (installationId, options) => {
 		const startPayload = await requestJson(deps.httpClient, authStartUrl(deps.baseUrl), authStartSchema, {
 			body: JSON.stringify({
 				...deps.executionEnvironment === void 0 ? {} : { executionEnvironment: deps.executionEnvironment },
-				installationId: installationIdResult.value,
-				namespaceKey: DEFAULT_NAMESPACE_KEY
+				installationId
 			}),
 			headers: { "Content-Type": "application/json" },
 			method: "POST"
@@ -60887,76 +60863,140 @@ const createAuthService = (deps) => {
 			operation: "auth/start"
 		});
 		if (Result.isError(startPayload)) return startPayload;
-		const savePendingRequestResult = deps.credentialsStore.savePendingRequest({
+		const currentAuthRequest = {
 			authRequestId: startPayload.value.data.authRequestId,
-			code: startPayload.value.data.userCode,
-			createdAt: new Date(now()).toISOString(),
 			expiresAt: startPayload.value.data.expiresAt,
-			namespaceKey: DEFAULT_NAMESPACE_KEY,
 			verificationUrl: startPayload.value.data.verificationUrl
-		});
-		if (Result.isError(savePendingRequestResult)) return savePendingRequestResult;
-		const verification = {
-			userCode: startPayload.value.data.userCode,
-			verificationUri: startPayload.value.data.verificationUrl
 		};
-		options.onPending?.(verification);
+		const saveCurrentAuthRequestResult = deps.credentialsStore.saveCurrentAuthRequest(currentAuthRequest);
+		if (Result.isError(saveCurrentAuthRequestResult)) return saveCurrentAuthRequestResult;
+		if (startPayload.value.data.disposition === "reused_approved") {
+			const exchangedCurrentAuthRequest = await exchangeCurrentAuthRequest({
+				currentAuthRequest,
+				installationId,
+				session: null
+			});
+			if (Result.isError(exchangedCurrentAuthRequest)) return exchangedCurrentAuthRequest;
+			if (exchangedCurrentAuthRequest.value.kind === "approved") return Result.ok({
+				agentName: exchangedCurrentAuthRequest.value.auth.agentName,
+				loggedIn: true,
+				outcome: "authenticated"
+			});
+		}
+		const verification = toLoginPendingInfo(currentAuthRequest);
+		if (verification !== null) options.onPending?.(verification);
 		return Result.ok({
 			agentName: null,
 			loggedIn: false,
 			outcome: "pending_approval",
-			verification
+			verification: verification ?? {
+				authRequestId: currentAuthRequest.authRequestId,
+				verificationUrl: currentAuthRequest.verificationUrl
+			}
 		});
 	};
 	return {
 		login: async (options) => {
-			if (options.mode === "apiKey" && options.apiKey.length > 0) {
-				const saveResult = saveApiKeyAuth({
-					agentName: "CLI Agent",
-					apiKey: options.apiKey
-				});
-				if (Result.isError(saveResult)) return saveResult;
-				return Result.ok({
-					agentName: "CLI Agent",
+			const snapshot = loadLocalAuthSnapshot();
+			if (Result.isError(snapshot)) return snapshot;
+			if (snapshot.value.session !== null) {
+				const validationResult = await validateStoredCredentials(snapshot.value.session.apiKey);
+				if (Result.isError(validationResult)) return validationResult;
+				if (validationResult.value) return Result.ok({
+					agentName: snapshot.value.session.agentName ?? "CLI Agent",
 					loggedIn: true,
-					outcome: "authenticated"
+					outcome: "already_authenticated"
 				});
+				const deleteResult = deps.credentialsStore.delete();
+				if (Result.isError(deleteResult)) return deleteResult;
 			}
-			if (options.mode === "apiKey") return Result.err(new ValidationError({
-				code: ERROR_CODE.validationInvalidInput,
-				message: "Missing API key value. Provide a non-empty API key.",
-				recovery: { command: "ogment auth login --api-key <key>" }
-			}));
-			const stored = deps.credentialsStore.load();
-			if (Result.isError(stored)) return stored;
-			if (stored.value !== null) return Result.ok({
-				agentName: stored.value.agentName ?? "CLI Agent",
-				loggedIn: true,
-				outcome: "already_authenticated"
-			});
-			const exchangedPendingAuth = await tryExchangePendingRequests();
-			if (Result.isError(exchangedPendingAuth)) return exchangedPendingAuth;
-			if (exchangedPendingAuth.value !== null) return Result.ok({
-				agentName: exchangedPendingAuth.value.agentName,
+			const exchangedCurrentAuthRequest = await exchangeCurrentAuthRequest(snapshot.value);
+			if (Result.isError(exchangedCurrentAuthRequest)) return exchangedCurrentAuthRequest;
+			if (exchangedCurrentAuthRequest.value.kind === "approved") return Result.ok({
+				agentName: exchangedCurrentAuthRequest.value.auth.agentName,
 				loggedIn: true,
 				outcome: "authenticated"
 			});
-			return loginWithDevice(options);
+			if (exchangedCurrentAuthRequest.value.kind === "pending") {
+				const verification = toLoginPendingInfo(exchangedCurrentAuthRequest.value.request);
+				if (verification !== null) options.onPending?.(verification);
+				return Result.ok({
+					agentName: null,
+					loggedIn: false,
+					outcome: "pending_approval",
+					verification: verification ?? {
+						authRequestId: exchangedCurrentAuthRequest.value.request.authRequestId,
+						verificationUrl: exchangedCurrentAuthRequest.value.request.verificationUrl
+					}
+				});
+			}
+			return startOrRecoverLogin(snapshot.value.installationId, options);
 		},
 		logout: async () => {
-			const stored = deps.credentialsStore.load();
-			if (Result.isError(stored)) return stored;
-			const pendingRequestsResult = deps.credentialsStore.listPendingRequests();
-			if (Result.isError(pendingRequestsResult)) return pendingRequestsResult;
-			if (!(stored.value !== null || pendingRequestsResult.value.length > 0)) return Result.ok({
-				localCredentialsDeleted: false,
-				revoked: false
+			const snapshot = loadLocalAuthSnapshot();
+			if (Result.isError(snapshot)) return snapshot;
+			if (snapshot.value.session === null) return Result.ok({
+				localStateCleared: false,
+				remoteSignedOut: false
 			});
+			const storedAuthorizationHeader = toStoredAuthorizationHeader(snapshot.value.session);
+			let remoteSignedOut = false;
+			if (storedAuthorizationHeader !== null) {
+				const logoutPayload = await requestJson(deps.httpClient, authLogoutUrl(deps.baseUrl), authLogoutSchema, {
+					headers: { Authorization: storedAuthorizationHeader },
+					method: "POST"
+				}, {
+					context: "auth logout response",
+					mapStatusError: (response, body) => new RemoteRequestError({
+						body,
+						httpStatus: response.status,
+						message: "Failed to sign out current CLI session",
+						operation: "auth/logout",
+						raw: body,
+						source: "http"
+					}),
+					operation: "auth/logout"
+				});
+				if (Result.isOk(logoutPayload)) remoteSignedOut = true;
+			}
 			const deleteResult = deps.credentialsStore.delete();
 			if (Result.isError(deleteResult)) return deleteResult;
 			return Result.ok({
-				localCredentialsDeleted: true,
-				revoked: false
+				localStateCleared: true,
+				remoteSignedOut
+			});
+		},
+		reset: async () => {
+			const snapshot = loadLocalAuthSnapshot();
+			if (Result.isError(snapshot)) return snapshot;
+			const storedAuthorizationHeader = toStoredAuthorizationHeader(snapshot.value.session);
+			const remoteResetResult = await requestJson(deps.httpClient, authResetUrl(deps.baseUrl), authResetSchema, {
+				body: JSON.stringify({ installationId: snapshot.value.installationId }),
+				headers: {
+					"Content-Type": "application/json",
+					...storedAuthorizationHeader === null ? {} : { Authorization: storedAuthorizationHeader }
+				},
+				method: "POST"
+			}, {
+				context: "auth reset response",
+				mapStatusError: (response, body) => new RemoteRequestError({
+					body,
+					httpStatus: response.status,
+					message: "Failed to reset current CLI installation",
+					operation: "auth/reset",
+					raw: body,
+					source: "http"
+				}),
+				operation: "auth/reset"
+			});
+			const remoteReset = Result.isOk(remoteResetResult);
+			const localStateCleared = snapshot.value.session !== null || snapshot.value.currentAuthRequest !== null;
+			const resetLocalStateResult = deps.credentialsStore.reset();
+			if (Result.isError(resetLocalStateResult)) return resetLocalStateResult;
+			return Result.ok({
+				installationReset: true,
+				localStateCleared,
+				remoteReset
 			});
 		},
 		resolveApiKey: async (overrideApiKey) => {
@@ -60967,42 +61007,16 @@ const createAuthService = (deps) => {
 			});
 			if (resolution.apiKey !== null) return Result.ok(resolution.apiKey);
 			if (resolution.source === "credentialsError" && resolution.loadError) return Result.err(resolution.loadError);
-			const exchangedPendingAuth = await tryExchangePendingRequests();
-			if (Result.isError(exchangedPendingAuth)) return exchangedPendingAuth;
-			if (exchangedPendingAuth.value !== null) return Result.ok(exchangedPendingAuth.value.apiKey);
+			const snapshot = loadLocalAuthSnapshot();
+			if (Result.isError(snapshot)) return snapshot;
+			const exchangedCurrentAuthRequest = await exchangeCurrentAuthRequest(snapshot.value);
+			if (Result.isError(exchangedCurrentAuthRequest)) return exchangedCurrentAuthRequest;
+			if (exchangedCurrentAuthRequest.value.kind === "approved") return Result.ok(exchangedCurrentAuthRequest.value.auth.apiKey);
 			return Result.err(new AuthError({
 				code: ERROR_CODE.authRequired,
-				message: "Not logged in. Run `ogment auth login` or set OGMENT_API_KEY.",
-				recovery: { command: "ogment auth login" }
+				message: "Not logged in. Run `ogment login` or set OGMENT_API_KEY.",
+				recovery: { command: "ogment login" }
 			}));
-		},
-		status: async (overrideApiKey) => {
-			const resolution = resolveApiKey({
-				apiKeyOverride: overrideApiKey,
-				credentialsStore: deps.credentialsStore,
-				envApiKey: deps.envApiKey
-			});
-			if (resolution.source === "credentialsError" && resolution.loadError) return Result.err(resolution.loadError);
-			if (resolution.apiKey !== null) {
-				const apiKeySource = resolution.source === "credentialsFile" ? "credentialsFile" : resolution.source === "apiKeyOption" ? "apiKeyOption" : "env";
-				return Result.ok({
-					agentName: resolution.agentName,
-					apiKeySource,
-					loggedIn: true
-				});
-			}
-			const exchangedPendingAuth = await tryExchangePendingRequests();
-			if (Result.isError(exchangedPendingAuth)) return exchangedPendingAuth;
-			if (exchangedPendingAuth.value !== null) return Result.ok({
-				agentName: exchangedPendingAuth.value.agentName,
-				apiKeySource: "credentialsFile",
-				loggedIn: true
-			});
-			return Result.ok({
-				agentName: null,
-				apiKeySource: "none",
-				loggedIn: false
-			});
 		}
 	};
 };
@@ -61015,9 +61029,9 @@ const maskApiKey = (apiKey) => {
 };
 const nextActionByIssueCode = (includeDebug) => {
 	return {
-		auth_failed: "Run `ogment auth login` to refresh credentials.",
+		auth_failed: "Run `ogment login` to refresh credentials.",
 		credentials_load_failed: "Check file permissions and contents of `~/.config/ogment/auth-state.json`.",
-		no_api_key: "Run `ogment auth login` or set `OGMENT_API_KEY`.",
+		no_api_key: "Run `ogment login` or set `OGMENT_API_KEY`.",
 		unreachable: includeDebug ? "Verify `OGMENT_BASE_URL` and network connectivity." : "Verify network connectivity."
 	};
 };
@@ -61056,6 +61070,8 @@ const createInfoService = (deps) => {
 			credentialsStore: deps.credentialsStore,
 			envApiKey: deps.envApiKey
 		});
+		const installationIdResult = deps.credentialsStore.getInstallationId();
+		const installationId = Result.isOk(installationIdResult) ? installationIdResult.value : null;
 		const selectedApiKey = apiKeyResolution.apiKey;
 		const credentialsFileExists = existsSyncFn(deps.credentialsPath);
 		const endpoint = `${deps.baseUrl}${cliEndpoints.accountMe}`;
@@ -61080,6 +61096,7 @@ const createInfoService = (deps) => {
 		};
 		const collectAccount = async () => {
 			if (selectedApiKey === null) return {
+				actingAgent: null,
 				...emptyAccountErrorDetails(),
 				errorType: null,
 				latencyMs: null,
@@ -61097,6 +61114,12 @@ const createInfoService = (deps) => {
 					return organization.servers.map((server) => server.path);
 				});
 				return {
+					actingAgent: accountResult.value.actingAgent === null ? null : {
+						agentId: accountResult.value.actingAgent.agentId,
+						agentName: accountResult.value.actingAgent.agentName,
+						boundInstallationId: accountResult.value.actingAgent.boundInstallationId,
+						boundToCurrentInstallation: installationId === null || accountResult.value.actingAgent.boundInstallationId === null ? null : accountResult.value.actingAgent.boundInstallationId === installationId
+					},
 					...emptyAccountErrorDetails(),
 					errorType: null,
 					latencyMs: accountElapsedMs,
@@ -61123,6 +61146,7 @@ const createInfoService = (deps) => {
 					break;
 			}
 			return {
+				actingAgent: null,
 				..."code" in accountResult.error ? { errorCode: String(accountResult.error.code) } : { errorCode: null },
 				..."httpStatus" in accountResult.error ? { errorHttpStatus: typeof accountResult.error.httpStatus === "number" ? accountResult.error.httpStatus : null } : { errorHttpStatus: null },
 				..."mcpCode" in accountResult.error ? { errorMcpCode: typeof accountResult.error.mcpCode === "number" ? accountResult.error.mcpCode : null } : { errorMcpCode: null },
@@ -61168,13 +61192,18 @@ const createInfoService = (deps) => {
 			code: "unexpected_diagnostic_error",
 			message: `Unexpected diagnostic error: ${account.message ?? "unknown error"}`
 		});
+		if (Result.isError(installationIdResult)) issues.push({
+			code: "credentials_load_failed",
+			message: `Failed to load installation identity: ${installationIdResult.error.message}`
+		});
 		return {
 			auth: {
 				apiKeyPresent: selectedApiKey !== null,
 				apiKeyPreview: selectedApiKey === null ? null : maskApiKey(selectedApiKey),
 				apiKeySource: apiKeyResolution.source,
 				credentialsFileExists,
-				credentialsFileLoadError: apiKeyResolution.loadError?.message ?? null
+				credentialsFileLoadError: apiKeyResolution.loadError?.message ?? null,
+				installationId
 			},
 			config: {
 				baseUrl: deps.baseUrl,
@@ -61191,7 +61220,9 @@ const createInfoService = (deps) => {
 				],
 				quickCommands: [
 					"ogment status",
-					"ogment auth login",
+					"ogment login",
+					"ogment logout",
+					"ogment reset",
 					"ogment catalog",
 					"ogment search <server-id> --code 'return input'",
 					"ogment execute <server-id> --code 'return input' --input '{}'"
@@ -72001,9 +72032,7 @@ const createRuntime = () => {
 	const output = new OutputManager();
 	const authStateStore = createFileCredentialsStore({
 		configDir: runtimeConfig.configDir,
-		credentialsPath: runtimeConfig.credentialsPath,
-		legacyCredentialsPath: runtimeConfig.legacyCredentialsPath,
-		telemetryPath: runtimeConfig.telemetryPath
+		credentialsPath: runtimeConfig.credentialsPath
 	});
 	const httpClient = createHttpClient();
 	const services = {
@@ -72128,7 +72157,7 @@ const createProgram = (runtime, parseState) => {
 		return [
 			"",
 			"Examples:",
-			"  $ ogment auth login",
+			"  $ ogment login",
 			"  $ ogment catalog",
 			"  $ ogment catalog billing",
 			"  $ ogment catalog billing execute",
@@ -72143,27 +72172,14 @@ const createProgram = (runtime, parseState) => {
 		runtime.output.configure(mapGlobalOutputOptions(options));
 		runtime.context.apiKeyOverride = options.apiKey;
 	});
-	const authCommand = program.command("auth").summary("Authenticate, inspect auth state, and logout").description("Authentication workflows").helpGroup("Authentication Commands:").helpCommand("help [command]", "Display help for auth commands").addHelpText("after", ({ error }) => {
-		if (error) return "";
-		return [
-			"",
-			"Examples:",
-			"  $ ogment auth login",
-			"  $ ogment auth status"
-		].join("\n");
-	});
-	authCommand.command("login").summary("Login with device flow (default)").description("Authenticate with Ogment using device flow (recommended)").action((_, command) => {
-		const { apiKey } = asGlobalOptions(command);
-		setInvocation({
-			apiKey,
-			kind: "auth_login"
-		});
+	program.command("login").summary("Authenticate this CLI installation").description("Start or complete browser-based login for this installation").helpGroup("Authentication Commands:").action(() => {
+		setInvocation({ kind: "login" });
 	});
-	authCommand.command("status").summary("Show current auth state").description("Show local authentication status").action(() => {
-		setInvocation({ kind: "auth_status" });
+	program.command("logout").summary("Sign this CLI installation out").description("Sign out the current local CLI session").helpGroup("Authentication Commands:").action(() => {
+		setInvocation({ kind: "logout" });
 	});
-	authCommand.command("logout").summary("Delete local credentials and revoke token").description("Revoke token and delete local credentials").action(() => {
-		setInvocation({ kind: "auth_logout" });
+	program.command("reset").summary("Reset this CLI installation").description("Wipe local state and create a fresh CLI installation identity").helpGroup("Authentication Commands:").action(() => {
+		setInvocation({ kind: "reset" });
 	});
 	program.command("catalog").summary("Discover servers or inspect Codemode tools").description("Discover servers or inspect Codemode tools on a server").helpGroup("Discovery Commands:").argument("[serverId]", "Server id").argument("[toolName]", "Codemode tool name").addOption(new Option("--org <orgSlug>", "Organization slug").hideHelp()).addOption(new Option("--cursor <cursor>", "Pagination cursor for server discovery")).addOption(new Option("--limit <limit>", "Maximum servers to return").argParser(parseCatalogLimitOption)).action((serverId, toolName, options) => {
 		if (serverId !== void 0 && (options.cursor !== void 0 || options.limit !== void 0)) throw new InvalidArgumentError("--cursor and --limit are only supported for `ogment catalog`.");
@@ -72193,7 +72209,7 @@ const createProgram = (runtime, parseState) => {
 			serverId
 		});
 	});
-	program.command("status").summary("Show runtime diagnostics").description("Show runtime configuration and connectivity diagnostics").helpGroup("Diagnostics Commands:").action(() => {
+	program.command("status").summary("Show runtime diagnostics and auth state").description("Show runtime configuration, connectivity, and auth diagnostics").helpGroup("Diagnostics Commands:").action(() => {
 		setInvocation({ kind: "status" });
 	});
 	program.action(() => {
@@ -72220,10 +72236,13 @@ const RUNTIME_ERROR_COMMAND_PATH = "ogment <runtime_error>";
 const PARSE_ERROR_COMMAND_PATH = "ogment <parse_error>";
 const CLI_PACKAGE_NAME = "@ogment-ai/cli";
 const PARSE_ERROR_SCOPE_COMMAND_PATHS = {
-	auth: "ogment auth <parse_error>",
+	login: "ogment login <parse_error>",
+	logout: "ogment logout <parse_error>",
+	reset: "ogment reset <parse_error>",
 	catalog: "ogment catalog <parse_error>",
 	execute: "ogment execute <parse_error>",
-	search: "ogment search <parse_error>"
+	search: "ogment search <parse_error>",
+	status: "ogment status <parse_error>"
 };
 const isParseErrorTelemetryScope = (value) => {
 	return value in PARSE_ERROR_SCOPE_COMMAND_PATHS;
@@ -72241,24 +72260,24 @@ const telemetryInputModeFromExecute = (input) => {
 	return "inline_json";
 };
 const telemetryContextResolvers = {
-	auth_login: (_) => {
+	login: (_) => {
 		return {
-			commandKind: "auth_login",
-			commandPath: "ogment auth login",
+			commandKind: "login",
+			commandPath: "ogment login",
 			inputMode: null
 		};
 	},
-	auth_logout: (_) => {
+	logout: (_) => {
 		return {
-			commandKind: "auth_logout",
-			commandPath: "ogment auth logout",
+			commandKind: "logout",
+			commandPath: "ogment logout",
 			inputMode: null
 		};
 	},
-	auth_status: (_) => {
+	reset: (_) => {
 		return {
-			commandKind: "auth_status",
-			commandPath: "ogment auth status",
+			commandKind: "reset",
+			commandPath: "ogment reset",
 			inputMode: null
 		};
 	},
@@ -72310,9 +72329,9 @@ const telemetryContextResolvers = {
 };
 const telemetryContextFromInvocation = (invocation) => {
 	switch (invocation.kind) {
-		case "auth_login": return telemetryContextResolvers.auth_login(invocation);
-		case "auth_logout": return telemetryContextResolvers.auth_logout(invocation);
-		case "auth_status": return telemetryContextResolvers.auth_status(invocation);
+		case "login": return telemetryContextResolvers.login(invocation);
+		case "logout": return telemetryContextResolvers.logout(invocation);
+		case "reset": return telemetryContextResolvers.reset(invocation);
 		case "catalog": return telemetryContextResolvers.catalog(invocation);
 		case "execute": return telemetryContextResolvers.execute(invocation);
 		case "root": return telemetryContextResolvers.root(invocation);
@@ -72350,9 +72369,7 @@ const emitRuntimeErrorTelemetry = async (output, input) => {
 	const telemetry = createTelemetryService({
 		authStateStore: createFileCredentialsStore({
 			configDir: telemetryConfig.configDir,
-			credentialsPath: telemetryConfig.credentialsPath,
-			legacyCredentialsPath: telemetryConfig.legacyCredentialsPath,
-			telemetryPath: telemetryConfig.telemetryPath
+			credentialsPath: telemetryConfig.credentialsPath
 		}),
 		baseUrl: telemetryConfig.baseUrl,
 		cliVersion: telemetryConfig.version,
@@ -72391,15 +72408,15 @@ const commandContextFromInvocation = (invocation, apiKeyOverride) => {
 	const withBase = (commandName, invocationKind, subcommand = void 0) => {
 		return {
 			commandName,
-			hasApiKeyOverride: invocation.kind === "auth_login" ? hasApiKeyOverride(invocation.apiKey) : hasApiKeyOverride(apiKeyOverride),
+			hasApiKeyOverride: hasApiKeyOverride(apiKeyOverride),
 			invocationKind,
 			subcommand
 		};
 	};
 	switch (invocation.kind) {
-		case "auth_login": return withBase("auth", "auth_login", "login");
-		case "auth_logout": return withBase("auth", "auth_logout", "logout");
-		case "auth_status": return withBase("auth", "auth_status", "status");
+		case "login": return withBase("login", "login");
+		case "logout": return withBase("logout", "logout");
+		case "reset": return withBase("reset", "reset");
 		case "catalog": return withBase("catalog", "catalog", "summary");
 		case "execute": return withBase("execute", "execute");
 		case "root": return withBase("ogment", "root");
@@ -72555,4 +72572,4 @@ if (shouldExecuteCli(import.meta.url, process.argv[1])) await executeCli();
 //#endregion
 export { executeCli, runCli, shouldExecuteCli };
-//# debugId=7f3c7b5c-dc65-451e-8bd3-f0541a4f4fdf
+//# debugId=38b5ce38-06fe-4ef8-9580-b9d5110652a6