@ogment-ai/cli 0.9.1 → 0.10.0-beta.1

package/dist/cli.js

@@ -7998,26 +7998,26 @@ const toJsonValue = (value) => {
 //#region src/shared/recovery.ts
 const defaultRecoveryByCode = {
 	[ERROR_CODE.authDeviceExpired]: {
-		command: "ogment auth login",
-		reason: "Device code expired; restart login to continue.",
+		command: "ogment login",
+		reason: "Login request expired; start login again to continue.",
 		title: "Restart login",
 		when: "immediate"
 	},
 	[ERROR_CODE.authDevicePending]: {
-		command: "ogment auth status",
-		reason: "Authorization is pending; check whether credentials are now available.",
-		title: "Check auth status",
+		command: "ogment login",
+		reason: "Authorization is pending; run login again after approving in the browser.",
+		title: "Complete login",
 		when: "immediate"
 	},
 	[ERROR_CODE.authInvalidCredentials]: {
-		command: "ogment auth logout",
-		reason: "Credentials are invalid; clear local state before re-authenticating.",
-		title: "Reset auth state",
+		command: "ogment login",
+		reason: "Credentials are invalid; sign in again to restore the local CLI session.",
+		title: "Sign in again",
 		when: "immediate"
 	},
 	[ERROR_CODE.authRequired]: {
-		command: "ogment auth login",
-		reason: "Authentication is required before catalog or invoke commands can run.",
+		command: "ogment login",
+		reason: "Authentication is required before catalog, search, or execute commands can run.",
 		title: "Authenticate",
 		when: "immediate"
 	},
@@ -8053,14 +8053,14 @@ const defaultRecoveryByCode = {
 	},
 	[ERROR_CODE.toolInputSchemaViolation]: {
 		command: "ogment catalog",
-		reason: "Tool contract did not validate; inspect available servers and tool metadata.",
+		reason: "Tool contract did not validate; inspect available servers before retrying search or execute.",
 		title: "Inspect catalog",
 		when: "immediate"
 	},
 	[ERROR_CODE.toolNotFound]: {
 		command: "ogment catalog",
-		reason: "Requested tool could not be found; rediscover servers and tools.",
-		title: "Rediscover tools",
+		reason: "Requested server or tool context could not be found; rediscover available servers.",
+		title: "Rediscover servers",
 		when: "immediate"
 	},
 	[ERROR_CODE.transportRequestFailed]: {
@@ -8363,40 +8363,59 @@ const parseJsonValue = (raw, context) => {
 		}
 	});
 };
-const isRecord$2 = (value) => {
+const isRecord$1 = (value) => {
 	return typeof value === "object" && value !== null;
 };
 
-//#endregion
-//#region src/shared/schemas.ts
-const credentialsFileSchema = object({
-	agentName: string().optional(),
-	apiKey: string().min(1).optional()
-});
-
 //#endregion
 //#region src/infra/credentials.ts
 const authStateFileSchema = object({
+	currentAuthRequest: object({
+		authRequestId: string().min(1),
+		expiresAt: string().min(1),
+		verificationUrl: string().min(1)
+	}).nullable().optional(),
+	installationId: uuid(),
+	session: object({
+		agentId: uuid(),
+		agentName: string().min(1),
+		apiKey: string().min(1),
+		credentialId: uuid(),
+		signedInAt: string().min(1)
+	}).nullable().optional(),
+	version: literal(3)
+}).strict();
+const authStateFileV2Schema = object({
+	installationId: uuid(),
+	pendingAuthRequest: object({
+		authRequestId: string().min(1),
+		expiresAt: string().min(1),
+		verificationUrl: string().min(1)
+	}).nullable().optional(),
+	session: object({
+		agentId: uuid(),
+		agentName: string().min(1),
+		apiKey: string().min(1),
+		credentialId: uuid(),
+		signedInAt: string().min(1)
+	}).nullable().optional(),
+	version: literal(2)
+}).strict();
+const legacyAuthStateFileSchema = object({
 	activeAuth: object({
 		agentName: string().optional(),
 		apiKey: string().min(1),
-		boundAt: string().optional(),
-		namespaceKey: string().min(1).optional(),
-		scopeFingerprint: string().min(1).optional()
+		boundAt: string().optional()
 	}).nullable().optional(),
 	installationId: uuid(),
 	pendingRequests: array(object({
 		authRequestId: string().min(1),
-		code: string().min(1),
 		createdAt: string().min(1),
 		expiresAt: string().min(1),
-		namespaceKey: string().min(1),
-		scopeFingerprint: string().min(1).optional(),
 		verificationUrl: string().min(1)
 	})).optional(),
 	version: literal(1)
 }).strict();
-const telemetryInstallationSchema = object({ installationId: uuid() }).strict();
 const LOCK_RETRY_DELAY_MS = 10;
 const LOCK_STALE_MS = 3e4;
 const LOCK_TIMEOUT_MS = 2e3;
@@ -8405,40 +8424,42 @@ const sleepBlocking = (milliseconds) => {
 	const view = new Int32Array(buffer);
 	Atomics.wait(view, 0, 0, milliseconds);
 };
-const normalizeCredentials = (value) => {
-	const parsed = parseWithSchema(credentialsFileSchema, value, "legacy credentials file");
-	if (Result.isError(parsed) || parsed.value.apiKey === void 0) return null;
-	return {
-		...parsed.value.agentName === void 0 ? {} : { agentName: parsed.value.agentName },
-		apiKey: parsed.value.apiKey
-	};
-};
 const normalizeAuthState = (value) => {
-	const parsed = parseWithSchema(authStateFileSchema, value, "auth state file");
-	if (Result.isError(parsed)) return null;
-	const activeAuth = parsed.value.activeAuth === void 0 || parsed.value.activeAuth === null ? null : {
-		...parsed.value.activeAuth.agentName === void 0 ? {} : { agentName: parsed.value.activeAuth.agentName },
-		apiKey: parsed.value.activeAuth.apiKey,
-		...parsed.value.activeAuth.boundAt === void 0 ? {} : { boundAt: parsed.value.activeAuth.boundAt },
-		...parsed.value.activeAuth.namespaceKey === void 0 ? {} : { namespaceKey: parsed.value.activeAuth.namespaceKey },
-		...parsed.value.activeAuth.scopeFingerprint === void 0 ? {} : { scopeFingerprint: parsed.value.activeAuth.scopeFingerprint }
-	};
-	const pendingRequests = (parsed.value.pendingRequests ?? []).map((request) => {
-		return {
-			authRequestId: request.authRequestId,
-			code: request.code,
-			createdAt: request.createdAt,
-			expiresAt: request.expiresAt,
-			namespaceKey: request.namespaceKey,
-			...request.scopeFingerprint === void 0 ? {} : { scopeFingerprint: request.scopeFingerprint },
-			verificationUrl: request.verificationUrl
-		};
-	});
+	const parsedCurrentState = parseWithSchema(authStateFileSchema, value, "auth state file");
+	if (Result.isOk(parsedCurrentState)) return {
+		needsMigration: false,
+		state: {
+			currentAuthRequest: parsedCurrentState.value.currentAuthRequest ?? null,
+			installationId: parsedCurrentState.value.installationId,
+			session: parsedCurrentState.value.session ?? null,
+			version: 3
+		}
+	};
+	const parsedLegacyV2State = parseWithSchema(authStateFileV2Schema, value, "auth state v2 file");
+	if (Result.isOk(parsedLegacyV2State)) return {
+		needsMigration: true,
+		state: {
+			currentAuthRequest: parsedLegacyV2State.value.pendingAuthRequest ?? null,
+			installationId: parsedLegacyV2State.value.installationId,
+			session: parsedLegacyV2State.value.session ?? null,
+			version: 3
+		}
+	};
+	const parsedV1 = parseWithSchema(legacyAuthStateFileSchema, value, "legacy auth state file");
+	if (Result.isError(parsedV1)) return null;
+	const latestPendingRequest = (parsedV1.value.pendingRequests ?? []).at(-1);
 	return {
-		activeAuth,
-		installationId: parsed.value.installationId,
-		pendingRequests,
-		version: 1
+		needsMigration: true,
+		state: {
+			currentAuthRequest: latestPendingRequest === void 0 ? null : {
+				authRequestId: latestPendingRequest.authRequestId,
+				expiresAt: latestPendingRequest.expiresAt,
+				verificationUrl: latestPendingRequest.verificationUrl
+			},
+			installationId: parsedV1.value.installationId,
+			session: null,
+			version: 3
+		}
 	};
 };
 const toCorruptPath = (path, nowFn) => {
@@ -8473,29 +8494,12 @@ const createFileCredentialsStore = (deps) => {
 	const unlinkSyncFn = deps.unlinkSyncFn ?? unlinkSync;
 	const writeFileSyncFn = deps.writeFileSyncFn ?? writeFileSync;
 	const lockPath = `${deps.credentialsPath}.lock`;
-	const readJsonFile = (path) => {
-		if (!existsSyncFn(path)) return null;
-		try {
-			return JSON.parse(readFileSyncFn(path, "utf8"));
-		} catch {
-			return null;
-		}
-	};
-	const readLegacyCredentials = () => {
-		return normalizeCredentials(readJsonFile(deps.legacyCredentialsPath));
-	};
-	const readLegacyInstallationId = () => {
-		const raw = readJsonFile(deps.telemetryPath);
-		if (raw === null) return null;
-		const parsed = telemetryInstallationSchema.safeParse(raw);
-		return parsed.success ? parsed.data.installationId : null;
-	};
 	const createEmptyState = (installationId = randomUuidFn()) => {
 		return {
-			activeAuth: null,
+			currentAuthRequest: null,
 			installationId,
-			pendingRequests: [],
-			version: 1
+			session: null,
+			version: 3
 		};
 	};
 	const withLock = (operation) => {
@@ -8588,43 +8592,33 @@ const createFileCredentialsStore = (deps) => {
 			}
 			throw error;
 		}
-		const parsed = normalizeAuthState(parsedJson);
-		if (parsed === null) {
+		const normalized = normalizeAuthState(parsedJson);
+		if (normalized === null) {
 			quarantineCorruptState();
 			return null;
 		}
-		return parsed;
-	};
-	const migrateStateFromLegacy = () => {
-		const migratedInstallationId = readLegacyInstallationId();
-		const migratedCredentials = readLegacyCredentials();
-		if (!(migratedInstallationId !== null || migratedCredentials !== null)) return null;
-		return {
-			...createEmptyState(migratedInstallationId ?? randomUuidFn()),
-			...migratedCredentials === null ? {} : { activeAuth: migratedCredentials }
-		};
+		return normalized;
 	};
 	const loadState = (options) => {
 		const currentState = loadStateFromDisk();
-		if (currentState !== null) return currentState;
-		const migratedState = migrateStateFromLegacy();
-		if (migratedState !== null) {
-			withLock(() => {
-				if (!existsSyncFn(deps.credentialsPath)) writeState(migratedState);
+		if (currentState !== null) {
+			if (currentState.needsMigration) withLock(() => {
+				const latest = loadStateFromDisk();
+				if (latest?.needsMigration) writeState(latest.state);
 			});
-			return loadStateFromDisk() ?? migratedState;
+			return currentState.state;
 		}
 		if (options?.persistIfMissing === true) {
 			const emptyState = createEmptyState();
 			withLock(() => {
 				if (!existsSyncFn(deps.credentialsPath)) writeState(emptyState);
 			});
-			return loadStateFromDisk() ?? emptyState;
+			return loadStateFromDisk()?.state ?? emptyState;
 		}
 		return null;
 	};
 	return {
-		clearPendingRequests: (namespaceKey) => {
+		clearCurrentAuthRequest: () => {
 			return Result.try({
 				catch: (cause) => new UnexpectedError({
 					cause,
@@ -8632,10 +8626,9 @@ const createFileCredentialsStore = (deps) => {
 				}),
 				try: () => {
 					withLock(() => {
-						const latest = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
 						writeState({
-							...latest,
-							pendingRequests: namespaceKey === void 0 ? [] : latest.pendingRequests.filter((request) => request.namespaceKey !== namespaceKey)
+							...loadStateFromDisk()?.state ?? createEmptyState(),
+							currentAuthRequest: null
 						});
 					});
 				}
@@ -8650,27 +8643,22 @@ const createFileCredentialsStore = (deps) => {
 				try: () => {
 					withLock(() => {
 						writeState({
-							...loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState(),
-							activeAuth: null,
-							pendingRequests: []
+							...loadStateFromDisk()?.state ?? createEmptyState(),
+							session: null
 						});
 					});
 				}
 			});
 		},
-		deletePendingRequest: (authRequestId) => {
+		reset: () => {
 			return Result.try({
 				catch: (cause) => new UnexpectedError({
 					cause,
-					message: "Failed to update local auth state"
+					message: "Failed to reset local auth state"
 				}),
 				try: () => {
 					withLock(() => {
-						const latest = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
-						writeState({
-							...latest,
-							pendingRequests: latest.pendingRequests.filter((request) => request.authRequestId !== authRequestId)
-						});
+						writeState(createEmptyState());
 					});
 				}
 			});
@@ -8688,14 +8676,14 @@ const createFileCredentialsStore = (deps) => {
 				}
 			});
 		},
-		listPendingRequests: () => {
+		getCurrentAuthRequest: () => {
 			return Result.try({
 				catch: (cause) => new UnexpectedError({
 					cause,
 					message: "Failed to load local auth state"
 				}),
 				try: () => {
-					return loadState()?.pendingRequests ?? [];
+					return loadState()?.currentAuthRequest ?? null;
 				}
 			});
 		},
@@ -8706,12 +8694,7 @@ const createFileCredentialsStore = (deps) => {
 					message: "Failed to load local auth state"
 				}),
 				try: () => {
-					const state = loadState();
-					if (state?.activeAuth === null || state === null) return null;
-					return {
-						...state.activeAuth.agentName === void 0 ? {} : { agentName: state.activeAuth.agentName },
-						apiKey: state.activeAuth.apiKey
-					};
+					return loadState()?.session ?? null;
 				}
 			});
 		},
@@ -8724,40 +8707,15 @@ const createFileCredentialsStore = (deps) => {
 				try: () => {
 					withLock(() => {
 						writeState({
-							...loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState(),
-							activeAuth: {
-								...credentials.agentName === void 0 ? {} : { agentName: credentials.agentName },
-								apiKey: credentials.apiKey
-							}
-						});
-					});
-				}
-			});
-		},
-		storeApprovedAuth: (credentials, namespaceKey) => {
-			return Result.try({
-				catch: (cause) => new UnexpectedError({
-					cause,
-					message: "Failed to update local auth state"
-				}),
-				try: () => {
-					withLock(() => {
-						const currentState = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
-						writeState({
-							...currentState,
-							activeAuth: {
-								...credentials.agentName === void 0 ? {} : { agentName: credentials.agentName },
-								apiKey: credentials.apiKey,
-								boundAt: nowFn().toISOString(),
-								...namespaceKey === void 0 ? {} : { namespaceKey }
-							},
-							pendingRequests: namespaceKey === void 0 ? [] : currentState.pendingRequests.filter((request) => request.namespaceKey !== namespaceKey)
+							...loadStateFromDisk()?.state ?? createEmptyState(),
+							currentAuthRequest: null,
+							session: credentials
 						});
 					});
 				}
 			});
 		},
-		savePendingRequest: (request) => {
+		saveCurrentAuthRequest: (request) => {
 			return Result.try({
 				catch: (cause) => new UnexpectedError({
 					cause,
@@ -8765,20 +8723,13 @@ const createFileCredentialsStore = (deps) => {
 				}),
 				try: () => {
 					withLock(() => {
-						const currentState = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
-						const pendingRequests = currentState.pendingRequests.filter((entry) => entry.authRequestId !== request.authRequestId);
-						pendingRequests.push({
-							authRequestId: request.authRequestId,
-							code: request.code,
-							createdAt: request.createdAt,
-							expiresAt: request.expiresAt,
-							namespaceKey: request.namespaceKey,
-							...request.scopeFingerprint === void 0 ? {} : { scopeFingerprint: request.scopeFingerprint },
-							verificationUrl: request.verificationUrl
-						});
 						writeState({
-							...currentState,
-							pendingRequests
+							...loadStateFromDisk()?.state ?? createEmptyState(),
+							currentAuthRequest: {
+								authRequestId: request.authRequestId,
+								expiresAt: request.expiresAt,
+								verificationUrl: request.verificationUrl
+							}
 						});
 					});
 				}
@@ -8798,9 +8749,9 @@ const DEFAULT_OGMENT_BASE_URL = "https://dashboard.ogment.ai";
 * These are injected by Rolldown `transform.define` during release builds.
 * Runtime env vars (`OGMENT_CLI_SENTRY_*`) can still override them.
 */
-const SENTRY_DSN_BUILD = "https://4219ab98670b61086758b4d0e31ae318@o4507724844957696.ingest.us.sentry.io/4510992932405248";
-const SENTRY_ENVIRONMENT_BUILD = "production";
-const SENTRY_RELEASE_BUILD = "cli-v0.9.1+git:99e999ee0";
+const SENTRY_DSN_BUILD = void 0;
+const SENTRY_ENVIRONMENT_BUILD = void 0;
+const SENTRY_RELEASE_BUILD = void 0;
 const packageJsonSchema = object({ version: string().min(1) });
 const hasCode = (value, code) => {
 	if (typeof value !== "object" || value === null) return false;
@@ -8859,14 +8810,17 @@ const telemetryRuntimeFields = (env, configDir) => {
 		credentialsPath: join(configDir, "auth-state.json"),
 		envApiKey: env["OGMENT_API_KEY"],
 		executionEnvironment: detectExecutionEnvironment(env),
-		legacyCredentialsPath: join(configDir, "credentials.json"),
 		telemetryDisabled: telemetryDisabledFromEnv(env),
-		telemetryPath: join(configDir, "telemetry.json"),
 		version: VERSION$2
 	};
 };
+const resolveConfigDir = (env, homeDirectory) => {
+	const configuredDir = env["OGMENT_CONFIG_DIR"]?.trim();
+	if (configuredDir && configuredDir.length > 0) return configuredDir;
+	return join(homeDirectory, ".config", "ogment");
+};
 const createRuntimeConfig = (env = process.env, homeDirectory = homedir()) => {
-	const configDir = join(homeDirectory, ".config", "ogment");
+	const configDir = resolveConfigDir(env, homeDirectory);
 	const envBaseUrl = env["OGMENT_BASE_URL"];
 	const hasBaseUrlOverride = typeof envBaseUrl === "string";
 	return {
@@ -8884,7 +8838,7 @@ const createRuntimeConfig = (env = process.env, homeDirectory = homedir()) => {
 	};
 };
 const createTelemetryRuntimeConfig = (env = process.env, homeDirectory = homedir()) => {
-	const configDir = join(homeDirectory, ".config", "ogment");
+	const configDir = resolveConfigDir(env, homeDirectory);
 	const parsedBaseUrl = baseUrlSchema.safeParse(env["OGMENT_BASE_URL"]);
 	return {
 		baseUrl: parsedBaseUrl.success ? parsedBaseUrl.data : DEFAULT_OGMENT_BASE_URL,
@@ -13854,7 +13808,7 @@ const parseRemoteErrorDetails = (payload) => {
 		}
 		return { message: trimmed };
 	}
-	if (!isRecord$2(payload)) return {};
+	if (!isRecord$1(payload)) return {};
 	const directCode = payload["code"];
 	const directMessage = payload["message"];
 	if (typeof directCode === "number" || typeof directMessage === "string") return {
@@ -13863,7 +13817,7 @@ const parseRemoteErrorDetails = (payload) => {
 		...Object.hasOwn(payload, "data") ? { data: toJsonValue(payload["data"]) } : {}
 	};
 	const nestedError = payload["error"];
-	if (!isRecord$2(nestedError)) return {};
+	if (!isRecord$1(nestedError)) return {};
 	return {
 		...typeof nestedError["code"] === "number" ? { mcpCode: nestedError["code"] } : {},
 		...typeof nestedError["message"] === "string" ? { message: nestedError["message"] } : {},
@@ -13954,17 +13908,6 @@ const presentRuntimeErrorPayload = (error, options) => {
 		title: appErrorTitle(error)
 	};
 };
-const presentCatalogFailureError = (error, options) => {
-	const payload = presentRuntimeErrorPayload(error, options);
-	return {
-		code: payload.code,
-		detail: payload.detail,
-		diagnostics: payload.diagnostics,
-		...payload.related_codes === void 0 ? {} : { related_codes: payload.related_codes },
-		retryable: payload.retryable,
-		title: payload.title
-	};
-};
 
 //#endregion
 //#region src/output/envelope.ts
@@ -14151,7 +14094,13 @@ const cliOrgSchema = object({
 	role: string(),
 	servers: array(cliServerSchema)
 }).strict();
+const cliActingAgentSchema = object({
+	agentId: string().uuid(),
+	agentName: string().min(1),
+	boundInstallationId: string().uuid().nullable()
+}).strict();
 const cliMeDataSchema = object({
+	actingAgent: cliActingAgentSchema.nullable(),
 	email: string().nullable(),
 	imageUrl: string().nullable(),
 	name: string().nullable(),
@@ -14162,78 +14111,67 @@ const accountMeSchema = cliSuccessEnvelopeSchema(cliMeDataSchema);
 
 //#endregion
 //#region ../../packages/shared/src/cli/auth.ts
-const deviceCodeStartDataSchema = object({
-	deviceCode: string().min(1),
-	expiresIn: number$1().int().positive(),
-	interval: number$1().int().positive(),
-	userCode: string().min(1),
-	verificationUri: string().url()
-}).strict();
-const deviceCodeStartSchema = cliSuccessEnvelopeSchema(deviceCodeStartDataSchema);
 const authStartDataSchema = object({
 	authRequestId: string().min(1),
+	disposition: _enum([
+		"created",
+		"reused_approved",
+		"reused_pending"
+	]),
 	expiresAt: isoTimestampSchema,
-	userCode: string().min(1),
 	verificationUrl: string().url()
 }).strict();
 const authStartSchema = cliSuccessEnvelopeSchema(authStartDataSchema);
-const deviceTokenPendingDataSchema = object({ status: literal("authorization_pending") }).strict();
-const deviceTokenApprovedDataSchema = object({
-	agentName: string().min(1),
-	apiKey: string().min(1),
-	status: literal("approved")
-}).strict();
-const deviceTokenDataSchema = discriminatedUnion("status", [deviceTokenPendingDataSchema, deviceTokenApprovedDataSchema]);
-const deviceTokenSchema = cliSuccessEnvelopeSchema(deviceTokenDataSchema);
-const deviceTokenApprovedSchema = cliSuccessEnvelopeSchema(deviceTokenApprovedDataSchema);
 const authExchangePendingDataSchema = object({ status: literal("authorization_pending") }).strict();
 const authExchangeApprovedDataSchema = object({
+	agentId: string().uuid(),
 	agentName: string().min(1),
 	apiKey: string().min(1),
-	scopeFingerprint: string().min(1),
+	credentialId: string().uuid(),
 	status: literal("approved")
 }).strict();
 const authExchangeExpiredDataSchema = object({ status: literal("expired") }).strict();
-const authExchangeDeniedDataSchema = object({ status: literal("denied") }).strict();
-const authExchangeConflictDataSchema = object({ status: literal("conflict") }).strict();
 const authExchangeInvalidDataSchema = object({ status: literal("invalid") }).strict();
+const authExchangeSupersededDataSchema = object({ status: literal("superseded") }).strict();
 const authExchangeDataSchema = discriminatedUnion("status", [
 	authExchangePendingDataSchema,
 	authExchangeApprovedDataSchema,
 	authExchangeExpiredDataSchema,
-	authExchangeDeniedDataSchema,
-	authExchangeConflictDataSchema,
-	authExchangeInvalidDataSchema
+	authExchangeInvalidDataSchema,
+	authExchangeSupersededDataSchema
 ]);
 const authExchangeSchema = cliSuccessEnvelopeSchema(authExchangeDataSchema);
 const authExchangeApprovedSchema = cliSuccessEnvelopeSchema(authExchangeApprovedDataSchema);
-const revokeSelfDataSchema = object({ success: literal(true) }).strict();
-const revokeSelfSchema = cliSuccessEnvelopeSchema(revokeSelfDataSchema);
+const authMutationSuccessDataSchema = object({ success: literal(true) }).strict();
+const authLogoutDataSchema = authMutationSuccessDataSchema;
+const authLogoutSchema = cliSuccessEnvelopeSchema(authLogoutDataSchema);
+const authResetDataSchema = authMutationSuccessDataSchema;
+const authResetSchema = cliSuccessEnvelopeSchema(authResetDataSchema);
 
 //#endregion
 //#region ../../packages/shared/src/cli/endpoints.ts
 const cliEndpoints = {
 	accountMe: "/api/v1/cli/me",
-	authExchange: "/api/v1/cli/auth/exchange",
 	authStart: "/api/v1/cli/auth/start",
-	cliRevokeSelf: "/api/v1/cli/revoke-self",
-	deviceCode: "/api/v1/cli/device-code",
-	deviceToken: "/api/v1/cli/device-token",
+	authExchange: "/api/v1/cli/auth/exchange",
+	authLogout: "/api/v1/cli/auth/logout",
+	authReset: "/api/v1/cli/auth/reset",
 	telemetry: "/api/v1/cli/telemetry"
 };
 
 //#endregion
 //#region ../../packages/shared/src/cli/telemetry.ts
 const cliCommandKindSchema = _enum([
-	"auth_login",
-	"auth_logout",
-	"auth_status",
+	"login",
+	"logout",
+	"reset",
+	"catalog_detail",
 	"catalog_summary",
-	"catalog_tool",
-	"catalog_tools",
-	"invoke",
+	"catalog_tool_detail",
+	"execute",
 	"parse_error",
 	"root",
+	"search",
 	"runtime_error",
 	"status"
 ]);
@@ -14378,28 +14316,29 @@ const exitCodeForError = (error) => {
 
 //#endregion
 //#region src/commands/auth.ts
-const runAuthLoginCommand = async (context, options) => {
-	const loginOptions = (() => {
-		if (options.mode === "apiKey") return {
-			apiKey: options.apiKey,
-			mode: "apiKey"
-		};
-		return {
-			mode: "device",
-			...options.onPending === void 0 ? {} : { onPending: options.onPending }
-		};
-	})();
+const runLoginCommand = async (context, options) => {
+	const loginOptions = options.onPending === void 0 ? {} : { onPending: options.onPending };
 	return context.services.auth.login(loginOptions);
 };
-const runAuthStatusCommand = async (context) => {
-	return context.services.auth.status(context.apiKeyOverride);
-};
-const runAuthLogoutCommand = async (context) => {
+const runLogoutCommand = async (context) => {
 	return context.services.auth.logout();
 };
+const runResetCommand = async (context) => {
+	return context.services.auth.reset();
+};
 
 //#endregion
 //#region src/commands/server-context.ts
+const commandNameForSelectorKind = (selectorKind) => {
+	return selectorKind;
+};
+const selectorRecoveryCommand = (selectorKind, selector, orgSlug, toolName) => {
+	switch (selectorKind) {
+		case "catalog": return toolName === void 0 ? `ogment catalog ${orgSlug}/${selector}` : `ogment catalog ${orgSlug}/${selector} ${toolName}`;
+		case "search": return `ogment search --org ${orgSlug} ${selector} --code 'return input'`;
+		case "execute": return `ogment execute --org ${orgSlug} ${selector} --code 'return input' --input '{}'`;
+	}
+};
 const formatCandidateSelectors = (profile, path) => {
 	return profile.orgs.flatMap((org) => {
 		return org.servers.filter((server) => server.path === path).map((server) => `${org.orgSlug}/${server.path}`);
@@ -14466,8 +14405,9 @@ const findServerByPath = (profile, selector, options) => {
 		const [firstCandidate] = sortedCandidates;
 		if (firstCandidate !== void 0) {
 			const firstCandidateParsed = parseQualifiedSelector(firstCandidate);
-			const message = options.selectorKind === "invoke" ? `Server "${selector}" is ambiguous across organizations (${sortedCandidates.join(", ")}). Re-run with --org <org-slug>.` : `Server "${selector}" is ambiguous across organizations (${sortedCandidates.join(", ")}). Use a qualified selector like "${firstCandidate}".`;
-			const recoveryCommand = options.selectorKind === "invoke" ? options.toolName === void 0 ? "ogment invoke --help" : firstCandidateParsed === null ? "ogment invoke --help" : `ogment invoke --org ${firstCandidateParsed.orgSlug} ${selector} ${options.toolName}` : `ogment catalog ${firstCandidate}`;
+			const commandName = commandNameForSelectorKind(options.selectorKind);
+			const message = `Server "${selector}" is ambiguous across organizations (${sortedCandidates.join(", ")}). Re-run \`ogment ${commandName}\` with --org <org-slug> or use a qualified selector like "${firstCandidate}".`;
+			const recoveryCommand = firstCandidateParsed === null ? `ogment ${commandName} --help` : selectorRecoveryCommand(options.selectorKind, selector, firstCandidateParsed.orgSlug, options.toolName);
 			return Result.err(new ValidationError({
 				message,
 				recovery: { command: recoveryCommand }
@@ -14487,96 +14427,75 @@ const findServerByPath = (profile, selector, options) => {
 
 //#endregion
 //#region src/commands/catalog.ts
-const toServerSummary = (target, toolCount) => {
+const toServerSummary = (target) => {
 	return {
 		capabilities: [],
 		description: target.server.description,
 		name: target.server.name,
 		orgSlug: target.orgSlug,
 		serverId: target.server.path,
-		toolCount,
 		version: null
 	};
 };
-const toToolSummaries = (tools) => {
-	return tools.map((tool) => {
-		return {
-			description: tool.description ?? null,
-			name: tool.name
-		};
-	});
-};
-const listServerTools = async (context, apiKey, server) => {
-	return context.services.mcp.listTools({
-		orgSlug: server.orgSlug,
-		serverPath: server.server.path
-	}, apiKey);
+const toToolSummary = (tool) => {
+	return {
+		description: tool.description ?? null,
+		name: tool.name
+	};
 };
-const TOOL_COUNT_CONCURRENCY = 4;
-const toCatalogServerFailure = (server, error, includeDebug) => {
+const toToolDetail = (tool) => {
 	return {
-		error: presentCatalogFailureError(error, { includeDebug }),
-		orgSlug: server.orgSlug,
-		serverId: server.server.path
+		description: tool.description ?? null,
+		inputSchema: toJsonValue(tool.inputSchema),
+		name: tool.name,
+		outputSchema: tool.outputSchema === void 0 ? null : toJsonValue(tool.outputSchema)
 	};
 };
-const mapWithConcurrency = async (items, concurrency, mapItem) => {
-	if (items.length === 0) return [];
-	const results = [];
-	results.length = items.length;
-	let nextIndex = 0;
-	const worker = async () => {
-		while (true) {
-			const currentIndex = nextIndex;
-			nextIndex += 1;
-			if (currentIndex >= items.length) return;
-			const item = items[currentIndex];
-			if (item === void 0) return;
-			results[currentIndex] = await mapItem(item, currentIndex);
-		}
-	};
-	const workerCount = Math.min(concurrency, items.length);
-	await Promise.all(Array.from({ length: workerCount }, async () => worker()));
-	return results;
+const detailCommandForServer = (serverId, orgSlug) => {
+	return `ogment catalog ${orgSlug === void 0 ? serverId : `${orgSlug}/${serverId}`}`;
+};
+const resolveCatalogServerTarget = async (context, options) => {
+	const stateResult = await resolveServerState(context);
+	if (Result.isError(stateResult)) return stateResult;
+	const serverResult = findServerByPath(stateResult.value.profile, options.serverId, {
+		...options.orgSlug === void 0 ? {} : { orgSlug: options.orgSlug },
+		selectorKind: "catalog",
+		..."toolName" in options ? { toolName: options.toolName } : {}
+	});
+	if (Result.isError(serverResult)) return serverResult;
+	return Result.ok({
+		apiKey: stateResult.value.apiKey,
+		target: {
+			orgSlug: serverResult.value.orgSlug,
+			server: {
+				description: serverResult.value.server.description,
+				name: serverResult.value.server.name,
+				path: serverResult.value.server.path
+			}
+		}
+	});
+};
+const listCodeModeTools = async (context, apiKey, target) => {
+	return context.services.codemode.listTools({
+		orgSlug: target.orgSlug,
+		serverPath: target.server.path
+	}, apiKey);
 };
 const runCatalogCommand = async (context, options) => {
 	const stateResult = await resolveServerState(context);
 	if (Result.isError(stateResult)) return stateResult;
-	let targetServers = stateResult.value.profile.orgs.flatMap((org) => {
-		return org.servers.map((server) => ({
+	const targetOrgs = options.orgSlug === void 0 ? stateResult.value.profile.orgs : stateResult.value.profile.orgs.filter((org) => org.orgSlug === options.orgSlug);
+	if (options.orgSlug !== void 0 && targetOrgs.length === 0) return Result.err(new ValidationError({
+		code: ERROR_CODE.validationInvalidInput,
+		message: `Organization "${options.orgSlug}" not found`,
+		recovery: { command: "ogment catalog" }
+	}));
+	const summaries = targetOrgs.flatMap((org) => {
+		return org.servers.map((server) => toServerSummary({
 			orgSlug: org.orgSlug,
 			server
 		}));
 	});
-	if (options.serverId !== void 0) {
-		const serverResult = findServerByPath(stateResult.value.profile, options.serverId, { selectorKind: "catalog" });
-		if (Result.isError(serverResult)) return serverResult;
-		targetServers = [{
-			orgSlug: serverResult.value.orgSlug,
-			server: serverResult.value.server
-		}];
-	}
-	const serverSummaries = await mapWithConcurrency(targetServers, TOOL_COUNT_CONCURRENCY, async (server) => {
-		return {
-			server,
-			toolsResult: await listServerTools(context, stateResult.value.apiKey, server)
-		};
-	});
-	const summaries = [];
-	const failures = [];
-	for (const serverSummary of serverSummaries) {
-		if (Result.isError(serverSummary.toolsResult)) {
-			if (options.serverId !== void 0) return serverSummary.toolsResult;
-			failures.push(toCatalogServerFailure(serverSummary.server, serverSummary.toolsResult.error, options.includeDebug === true));
-			continue;
-		}
-		summaries.push(toServerSummary(serverSummary.server, serverSummary.toolsResult.value.length));
-	}
-	if (options.serverId !== void 0) return Result.ok({
-		failures: [],
-		nextCursor: null,
-		servers: summaries
-	});
 	const limit = Math.max(1, options.limit ?? 20);
 	let startIndex = 0;
 	if (options.cursor !== void 0) {
@@ -14591,81 +14510,52 @@ const runCatalogCommand = async (context, options) => {
 	const servers = summaries.slice(startIndex, startIndex + limit);
 	const nextCursor = startIndex + limit < summaries.length ? servers.at(-1)?.serverId ?? null : null;
 	return Result.ok({
-		failures,
+		failures: [],
 		nextCursor,
 		servers
 	});
 };
-const runCatalogToolsCommand = async (context, options) => {
-	const stateResult = await resolveServerState(context);
-	if (Result.isError(stateResult)) return stateResult;
-	const serverResult = findServerByPath(stateResult.value.profile, options.serverId, { selectorKind: "catalog" });
-	if (Result.isError(serverResult)) return serverResult;
-	const targetServer = {
-		orgSlug: serverResult.value.orgSlug,
-		server: serverResult.value.server
-	};
-	const toolsResult = await listServerTools(context, stateResult.value.apiKey, targetServer);
+const runCatalogServerDetailCommand = async (context, options) => {
+	const targetResult = await resolveCatalogServerTarget(context, options);
+	if (Result.isError(targetResult)) return targetResult;
+	const toolsResult = await listCodeModeTools(context, targetResult.value.apiKey, targetResult.value.target);
 	if (Result.isError(toolsResult)) return toolsResult;
 	return Result.ok({
-		server: toServerSummary(targetServer, toolsResult.value.length),
-		tools: toToolSummaries(toolsResult.value)
+		server: toServerSummary(targetResult.value.target),
+		tools: toolsResult.value.map((tool) => toToolSummary(tool))
 	});
 };
-const runCatalogToolDetailsCommand = async (context, options) => {
-	const stateResult = await resolveServerState(context);
-	if (Result.isError(stateResult)) return stateResult;
-	const serverResult = findServerByPath(stateResult.value.profile, options.serverId, { selectorKind: "catalog" });
-	if (Result.isError(serverResult)) return serverResult;
-	const targetServer = {
-		orgSlug: serverResult.value.orgSlug,
-		server: serverResult.value.server
-	};
-	const toolsResult = await listServerTools(context, stateResult.value.apiKey, targetServer);
+const runCatalogToolDetailCommand = async (context, options) => {
+	const targetResult = await resolveCatalogServerTarget(context, options);
+	if (Result.isError(targetResult)) return targetResult;
+	const toolsResult = await listCodeModeTools(context, targetResult.value.apiKey, targetResult.value.target);
 	if (Result.isError(toolsResult)) return toolsResult;
-	const tool = toolsResult.value.find((item) => item.name === options.toolName);
+	const tool = toolsResult.value.find((candidate) => {
+		return candidate.name === options.toolName;
+	});
 	if (tool === void 0) return Result.err(new NotFoundError({
-		message: `Tool "${options.toolName}" not found`,
-		resource: options.toolName
+		message: `Codemode tool "${options.toolName}" not found on server "${options.serverId}"`,
+		recovery: { command: detailCommandForServer(targetResult.value.target.server.path, targetResult.value.target.orgSlug) },
+		resource: `${options.serverId}/${options.toolName}`
 	}));
 	return Result.ok({
-		description: tool.description ?? null,
-		inputSchema: tool.inputSchema,
-		name: tool.name,
-		outputSchema: tool.outputSchema ?? null,
-		server: toServerSummary(targetServer, toolsResult.value.length)
+		server: toServerSummary(targetResult.value.target),
+		tool: toToolDetail(tool)
 	});
 };
 
 //#endregion
-//#region src/commands/invoke.ts
-const mapInputFileReadError = (inputFile, cause) => {
+//#region src/commands/codemode.ts
+const mapSourceFileReadError = (inputFile, optionName, cause) => {
 	const code = cause instanceof Error && "code" in cause && typeof cause.code === "string" ? cause.code : void 0;
-	if (code === "ENOENT") return new ValidationError({ message: `Input file not found: ${inputFile}` });
-	if (code === "EACCES" || code === "EPERM") return new ValidationError({ message: `Input file is not readable: ${inputFile}` });
-	if (code === "EISDIR") return new ValidationError({ message: `Input path must be a file: ${inputFile}` });
+	if (code === "ENOENT") return new ValidationError({ message: `${optionName} file not found: ${inputFile}` });
+	if (code === "EACCES" || code === "EPERM") return new ValidationError({ message: `${optionName} file is not readable: ${inputFile}` });
+	if (code === "EISDIR") return new ValidationError({ message: `${optionName} path must be a file: ${inputFile}` });
 	return new UnexpectedError({
 		cause,
-		message: `Failed to read input file: ${inputFile}`
+		message: `Failed to read ${optionName} file: ${inputFile}`
 	});
 };
-const parseInputObject = (raw, context) => {
-	const parsed = parseJsonValue(raw, context);
-	if (Result.isError(parsed)) return parsed;
-	const parsedValue = parsed.value;
-	if (!isJsonObject(parsedValue)) return Result.err(new ValidationError({ message: "Invoke input must be a JSON object" }));
-	return Result.ok(parsedValue);
-};
-const toToolCallStructuredContent = (result) => {
-	if (result.structuredContent !== void 0) return toJsonValue(result.structuredContent);
-	const firstContent = (Array.isArray(result.content) ? result.content : [])[0];
-	if (firstContent !== void 0 && firstContent.type === "text" && typeof firstContent.text === "string") {
-		const parsedText = parseJsonValue(firstContent.text, "MCP text content");
-		if (Result.isError(parsedText)) return firstContent.text;
-		return parsedText.value;
-	}
-	return toJsonValue(result);
-};
 const readStdin = async () => {
 	return Result.tryPromise({
 		catch: (cause) => new UnexpectedError({
@@ -14689,73 +14579,111 @@ const readStdin = async () => {
 		}
 	});
 };
-const parseInvokeArgs = async (options, deps) => {
-	if (options.input === void 0) return Result.ok({});
-	if (options.input === "-") {
-		const stdinResult = await (deps.readStdin ?? readStdin)();
-		if (Result.isError(stdinResult)) return stdinResult;
-		return parseInputObject(stdinResult.value, "--input (-)");
-	}
-	if (options.input.startsWith("@")) {
-		const inputFile = options.input.slice(1);
+const readSourceValue = async (value, optionName, deps) => {
+	if (value === "-") return (deps.readStdin ?? readStdin)();
+	if (value.startsWith("@")) {
+		const inputFile = value.slice(1);
 		if (inputFile.length === 0) return Result.err(new ValidationError({
-			details: options.input,
-			message: "Invalid --input value. Use @<path>, -, or an inline JSON object."
+			details: value,
+			message: `Invalid ${optionName} value. Use @<path>, -, or an inline value.`
 		}));
-		const fileReadResult = await Result.tryPromise({
-			catch: (cause) => mapInputFileReadError(inputFile, cause),
+		return Result.tryPromise({
+			catch: (cause) => mapSourceFileReadError(inputFile, optionName, cause),
 			try: async () => readFile$1(inputFile, "utf8")
 		});
-		if (Result.isError(fileReadResult)) return fileReadResult;
-		return parseInputObject(fileReadResult.value, "--input (@file)");
 	}
-	return parseInputObject(options.input, "--input");
+	return Result.ok(value);
+};
+const parseInputObject = (raw, context) => {
+	const parsed = parseJsonValue(raw, context);
+	if (Result.isError(parsed)) return parsed;
+	if (!isJsonObject(parsed.value)) return Result.err(new ValidationError({ message: "Execute input must be a JSON object" }));
+	return Result.ok(parsed.value);
+};
+const parseExecuteInput = async (input, deps) => {
+	if (input === void 0) return Result.ok(void 0);
+	const sourceResult = await readSourceValue(input, "--input", deps);
+	if (Result.isError(sourceResult)) return sourceResult;
+	const sourceContext = input === "-" ? "--input (-)" : input.startsWith("@") ? "--input (@file)" : "--input";
+	return parseInputObject(sourceResult.value, sourceContext);
+};
+const toToolCallStructuredContent = (result) => {
+	if (result.structuredContent !== void 0) return toJsonValue(result.structuredContent);
+	const firstContent = (Array.isArray(result.content) ? result.content : [])[0];
+	if (firstContent !== void 0 && firstContent.type === "text" && typeof firstContent.text === "string") {
+		const parsedText = parseJsonValue(firstContent.text, "MCP text content");
+		if (Result.isError(parsedText)) return firstContent.text;
+		return parsedText.value;
+	}
+	return toJsonValue(result);
 };
-const runInvokeCommand = async (context, options, deps = {}) => {
-	const argsResult = await parseInvokeArgs(options, deps);
-	if (Result.isError(argsResult)) return argsResult;
+const resolveServerTarget = async (context, options, selectorKind) => {
 	const stateResult = await resolveServerState(context);
 	if (Result.isError(stateResult)) return stateResult;
 	const serverResult = findServerByPath(stateResult.value.profile, options.serverId, {
 		...options.orgSlug === void 0 ? {} : { orgSlug: options.orgSlug },
-		selectorKind: "invoke",
-		toolName: options.toolName
+		selectorKind
 	});
 	if (Result.isError(serverResult)) return serverResult;
-	const mcpTarget = {
+	return Result.ok({
+		apiKey: stateResult.value.apiKey,
 		orgSlug: serverResult.value.orgSlug,
 		serverPath: serverResult.value.server.path
-	};
-	const callResult = await context.services.mcp.callTool(mcpTarget, stateResult.value.apiKey, options.toolName, argsResult.value);
-	if (Result.isError(callResult)) {
-		if (callResult.error._tag === "RemoteRequestError") {
-			const toolsResult = await context.services.mcp.listTools(mcpTarget, stateResult.value.apiKey);
-			if (Result.isOk(toolsResult)) {
-				if (!toolsResult.value.some((tool) => tool.name === options.toolName)) return Result.err(new NotFoundError({
-					message: `Tool "${options.toolName}" not found`,
-					resource: options.toolName
-				}));
-			}
-		}
-		return callResult;
-	}
-	const structuredContent = toToolCallStructuredContent(callResult.value);
-	if (callResult.value.isError) {
-		const details = parseRemoteErrorDetails(structuredContent);
-		return Result.err(new RemoteRequestError({
-			...details.mcpCode === void 0 ? {} : { mcpCode: details.mcpCode },
-			...details.data === void 0 ? {} : { mcpData: details.data },
-			message: details.message ?? "MCP tool call returned an error result",
-			operation: "tools/call",
-			raw: structuredContent,
-			retryable: false,
-			source: "mcp_jsonrpc"
-		}));
-	}
+	});
+};
+const codemodeErrorFromToolResult = (result) => {
+	if (!result.isError) return null;
+	const structuredContent = toToolCallStructuredContent(result);
+	const details = parseRemoteErrorDetails(structuredContent);
+	return new RemoteRequestError({
+		...details.mcpCode === void 0 ? {} : { mcpCode: details.mcpCode },
+		...details.data === void 0 ? {} : { mcpData: details.data },
+		message: details.message ?? "Codemode tool call returned an error result",
+		operation: "tools/call",
+		raw: structuredContent,
+		retryable: false,
+		source: "mcp_jsonrpc"
+	});
+};
+const runSearchCommand = async (context, options, deps = {}) => {
+	const codeResult = await readSourceValue(options.code, "--code", deps);
+	if (Result.isError(codeResult)) return codeResult;
+	const targetResult = await resolveServerTarget(context, options, "search");
+	if (Result.isError(targetResult)) return targetResult;
+	const callResult = await context.services.codemode.callTool({
+		orgSlug: targetResult.value.orgSlug,
+		serverPath: targetResult.value.serverPath
+	}, targetResult.value.apiKey, "search", { code: codeResult.value });
+	if (Result.isError(callResult)) return callResult;
+	const toolError = codemodeErrorFromToolResult(callResult.value);
+	if (toolError !== null) return Result.err(toolError);
+	return Result.ok({
+		result: toToolCallStructuredContent(callResult.value),
+		serverId: options.serverId
+	});
+};
+const runExecuteCommand = async (context, options, deps = {}) => {
+	const [codeResult, inputResult, targetResult] = await Promise.all([
+		readSourceValue(options.code, "--code", deps),
+		parseExecuteInput(options.input, deps),
+		resolveServerTarget(context, options, "execute")
+	]);
+	if (Result.isError(codeResult)) return codeResult;
+	if (Result.isError(inputResult)) return inputResult;
+	if (Result.isError(targetResult)) return targetResult;
+	const callResult = await context.services.codemode.callTool({
+		orgSlug: targetResult.value.orgSlug,
+		serverPath: targetResult.value.serverPath
+	}, targetResult.value.apiKey, "execute", {
+		code: codeResult.value,
+		...inputResult.value === void 0 ? {} : { input: inputResult.value }
+	});
+	if (Result.isError(callResult)) return callResult;
+	const toolError = codemodeErrorFromToolResult(callResult.value);
+	if (toolError !== null) return Result.err(toolError);
 	return Result.ok({
-		result: structuredContent,
-		serverId: options.serverId,
-		toolName: options.toolName
+		result: toToolCallStructuredContent(callResult.value),
+		serverId: options.serverId
 	});
 };
 
@@ -14765,149 +14693,116 @@ const runStatusCommand = async (options, deps) => {
 	return deps.infoService.collect(options.apiKeyOverride, { includeDebug: options.debug });
 };
 
-//#endregion
-//#region src/shared/schema-example.ts
-const MAX_EXAMPLE_DEPTH = 6;
-const EXAMPLE_PLACEHOLDER = " ... ";
-const isRecord$1 = (value) => {
-	return typeof value === "object" && value !== null && !Array.isArray(value);
-};
-const asStringArray = (value) => {
-	if (!Array.isArray(value)) return [];
-	return value.filter((item) => typeof item === "string");
-};
-const firstKnown = (value) => {
-	if (Array.isArray(value) && value.length > 0) return value[0];
-};
-const deriveType = (schema) => {
-	const typeValue = schema["type"];
-	if (typeof typeValue === "string") return typeValue;
-	if (Array.isArray(typeValue)) return typeValue.find((entry) => typeof entry === "string");
-	if (isRecord$1(schema["properties"])) return "object";
-	if (schema["items"] !== void 0) return "array";
-};
-const baseScalarExample = (_typeName) => {
-	switch (_typeName) {
-		case "string": return EXAMPLE_PLACEHOLDER;
-		case "integer": return EXAMPLE_PLACEHOLDER;
-		case "number": return EXAMPLE_PLACEHOLDER;
-		case "boolean": return EXAMPLE_PLACEHOLDER;
-		case "null": return EXAMPLE_PLACEHOLDER;
-		default: return EXAMPLE_PLACEHOLDER;
-	}
-};
-const buildExample = (value, depth) => {
-	if (!isRecord$1(value)) return {};
-	if (depth > MAX_EXAMPLE_DEPTH) return {};
-	const oneOfCandidate = firstKnown(value["oneOf"]);
-	if (oneOfCandidate !== void 0) return buildExample(oneOfCandidate, depth + 1);
-	const anyOfCandidate = firstKnown(value["anyOf"]);
-	if (anyOfCandidate !== void 0) return buildExample(anyOfCandidate, depth + 1);
-	const allOfCandidate = firstKnown(value["allOf"]);
-	if (allOfCandidate !== void 0) return buildExample(allOfCandidate, depth + 1);
-	const typeName = deriveType(value);
-	if (typeName === "object") {
-		const result = {};
-		const properties = isRecord$1(value["properties"]) ? value["properties"] : {};
-		const required = asStringArray(value["required"]);
-		for (const propertyName of required) {
-			const propertySchema = properties[propertyName];
-			if (propertySchema !== void 0) result[propertyName] = buildExample(propertySchema, depth + 1);
-		}
-		if (required.length === 0 && isRecord$1(value["additionalProperties"])) result["example"] = buildExample(value["additionalProperties"], depth + 1);
-		return result;
-	}
-	if (typeName === "array") {
-		if (value["items"] === void 0) return [EXAMPLE_PLACEHOLDER];
-		return [buildExample(value["items"], depth + 1)];
-	}
-	if (typeName === void 0) return depth === 0 ? {} : EXAMPLE_PLACEHOLDER;
-	return baseScalarExample(typeName);
-};
-const buildJsonSchemaExample = (schema) => {
-	return buildExample(schema, 0);
-};
-
 //#endregion
 //#region src/cli/commands.ts
+const withOrg = (orgSlug) => {
+	return orgSlug === void 0 ? [] : [`--org ${orgSlug}`];
+};
 const cliCommands = {
-	auth: {
-		help: () => "ogment auth --help",
-		login: () => "ogment auth login",
-		loginWithApiKeyRedacted: () => "ogment auth login --api-key <redacted>",
-		logout: () => "ogment auth logout",
-		status: () => "ogment auth status"
-	},
 	catalog: {
-		command: () => "ogment catalog",
-		server: (serverId) => `ogment catalog ${serverId}`,
+		command: (serverId, toolName, orgSlug) => [
+			"ogment catalog",
+			...withOrg(orgSlug),
+			...serverId === void 0 ? [] : [serverId],
+			...toolName === void 0 ? [] : [toolName]
+		].join(" "),
+		detail: (serverId, orgSlug) => [
+			"ogment catalog",
+			...withOrg(orgSlug),
+			serverId
+		].join(" "),
 		summary: (options) => {
 			return [
 				"ogment catalog",
+				...withOrg(options.orgSlug),
 				...options.cursor === void 0 ? [] : [`--cursor ${options.cursor}`],
 				...options.limit === void 0 ? [] : [`--limit ${options.limit}`]
 			].join(" ");
 		},
-		tool: (serverId, toolName, options) => {
-			return [
-				"ogment catalog",
-				serverId,
-				toolName,
-				...options.example ? ["--example"] : []
-			].join(" ");
-		}
-	},
-	helpForScope: (scope) => {
-		if (scope === null) return "ogment --help";
-		return `ogment ${scope} --help`;
-	},
-	invoke: {
-		command: (serverId, toolName, orgSlug) => [
-			"ogment invoke",
-			...orgSlug === void 0 ? [] : [`--org ${orgSlug}`],
+		toolDetail: (serverId, toolName, orgSlug) => [
+			"ogment catalog",
+			...withOrg(orgSlug),
 			serverId,
 			toolName
+		].join(" ")
+	},
+	execute: {
+		command: (serverId, orgSlug) => [
+			"ogment execute",
+			...withOrg(orgSlug),
+			serverId
 		].join(" "),
-		inlineJson: (serverId, toolName, orgSlug) => [
-			"ogment invoke",
-			...orgSlug === void 0 ? [] : [`--org ${orgSlug}`],
+		help: () => "ogment execute --help",
+		inlineCode: (serverId, orgSlug) => [
+			"ogment execute",
+			...withOrg(orgSlug),
 			serverId,
-			toolName,
-			"--input <json>"
+			"--code <javascript>"
 		].join(" "),
-		stdin: (serverId, toolName, orgSlug) => [
-			"ogment invoke",
-			...orgSlug === void 0 ? [] : [`--org ${orgSlug}`],
+		stdinCode: (serverId, orgSlug) => [
+			"ogment execute",
+			...withOrg(orgSlug),
 			serverId,
-			toolName,
-			"--input -"
+			"--code -"
 		].join(" "),
-		withInputValue: (serverId, toolName, value, orgSlug) => {
-			return [
-				"ogment invoke",
-				...orgSlug === void 0 ? [] : [`--org ${orgSlug}`],
-				serverId,
-				toolName,
-				`--input ${value}`
-			].join(" ");
-		}
+		withCodeAndInputValue: (serverId, code, input, orgSlug) => [
+			"ogment execute",
+			...withOrg(orgSlug),
+			serverId,
+			`--code ${code}`,
+			...input === void 0 ? [] : [`--input ${input}`]
+		].join(" ")
+	},
+	helpForScope: (scope) => {
+		if (scope === null) return "ogment --help";
+		return `ogment ${scope} --help`;
 	},
+	login: { command: () => "ogment login" },
+	logout: { command: () => "ogment logout" },
+	reset: { command: () => "ogment reset" },
 	root: {
 		command: () => "ogment",
 		commandsSurface: () => {
 			return [
-				"auth login",
-				"auth status",
-				"auth logout",
+				"login",
+				"logout",
+				"reset",
 				"catalog",
 				"catalog <server-id>",
 				"catalog <server-id> <tool-name>",
-				"invoke <server-id> <tool-name>",
+				"search <server-id>",
+				"execute <server-id>",
 				"status"
 			];
 		},
 		help: () => "ogment --help"
 	},
+	search: {
+		command: (serverId, orgSlug) => [
+			"ogment search",
+			...withOrg(orgSlug),
+			serverId
+		].join(" "),
+		help: () => "ogment search --help",
+		inspectAllTools: (serverId, orgSlug) => [
+			"ogment search",
+			...withOrg(orgSlug),
+			serverId,
+			"--code 'return input'"
+		].join(" "),
+		stdinCode: (serverId, orgSlug) => [
+			"ogment search",
+			...withOrg(orgSlug),
+			serverId,
+			"--code -"
+		].join(" "),
+		withCodeValue: (serverId, code, orgSlug) => [
+			"ogment search",
+			...withOrg(orgSlug),
+			serverId,
+			`--code ${code}`
+		].join(" ")
+	},
 	status: { command: () => "ogment status" }
 };
 
@@ -14946,296 +14841,268 @@ const ensureSuccess = (result, runtime, context) => {
 	}
 	return result.unwrap();
 };
-const nextActionsForLogin = (payload, mode) => {
-	return [nextAction("check_auth_status", "Check auth status", cliCommands.auth.status(), `Verify persisted credentials after ${mode} login for ${payload.agentName}.`, "immediate"), nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Logged in as ${payload.agentName} via ${mode}; discover available servers.`, "after_auth")];
+const nextActionsForLogin = (payload) => {
+	return [nextAction("inspect_status", "Inspect status", cliCommands.status.command(), `Verify the connected CLI state for ${payload.agentName}.`, "immediate"), nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Logged in as ${payload.agentName}; discover available servers.`, "after_auth")];
 };
-const nextActionsForPendingLogin = (userCode, verificationUri) => {
-	return [nextAction("check_login_status", "Check login status", cliCommands.auth.status(), `Approve ${userCode} at ${verificationUri}, then verify local auth state.`, "immediate"), nextAction("restart_device_login", "Restart login", cliCommands.auth.login(), `Restart login if code ${userCode} expires before approval.`, "if_expired")];
-};
-const nextActionsForAuthStatus = (payload) => {
-	if (!payload.loggedIn) return [nextAction("login", "Authenticate", cliCommands.auth.login(), "No API key is configured locally; login is required.", "immediate")];
-	return [nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Authenticated via ${payload.apiKeySource}; discover servers next.`, "after_auth")];
+const nextActionsForPendingLogin = (authRequestId, verificationUrl) => {
+	return [nextAction("complete_login", "Complete login", cliCommands.login.command(), `Approve request ${authRequestId} at ${verificationUrl}, then run login again to finish local sign-in.`, "immediate"), nextAction("inspect_status", "Inspect status", cliCommands.status.command(), "Inspect the current CLI state and diagnostics.", "if_expired")];
 };
 const nextActionsForCatalogSummary = (payload, context) => {
 	const actions = [];
-	const targetServer = payload.servers.find((server) => server.toolCount > 0);
-	if (targetServer !== void 0) actions.push(nextAction("inspect_tools", "Inspect tools", cliCommands.catalog.server(targetServer.serverId), `${targetServer.serverId} has ${targetServer.toolCount} available tools.`, "if_tool_count_gt_0"));
+	const targetServer = payload.servers[0];
+	if (targetServer !== void 0) actions.push(nextAction("inspect_server", "Inspect server", cliCommands.catalog.detail(targetServer.serverId, targetServer.orgSlug), `Inspect Codemode tools exposed on ${targetServer.serverId}.`, "if_servers_available"));
 	if (context.nextCursor !== null) actions.push(nextAction("next_catalog_page", "Load next page", cliCommands.catalog.summary({
 		cursor: context.nextCursor,
-		...context.limit === null ? {} : { limit: context.limit }
+		...context.limit === null ? {} : { limit: context.limit },
+		...context.orgSlug === null ? {} : { orgSlug: context.orgSlug }
 	}), `More servers are available after cursor ${context.nextCursor}.`, "if_more_servers"));
 	return actions;
 };
-const nextActionsForCatalogTools = (payload) => {
-	const firstTool = payload.tools[0];
-	if (firstTool === void 0) return [];
-	return [nextAction("inspect_tool", "Inspect tool details", cliCommands.catalog.tool(payload.server.serverId, firstTool.name, { example: false }), `Inspect schema for ${payload.server.serverId}/${firstTool.name} before invoking.`, "if_tools_available")];
+const nextActionsForCatalogServerDetail = (payload) => {
+	const searchTool = payload.tools.find((tool) => tool.name === "search");
+	if (searchTool !== void 0) return [nextAction("inspect_tool", "Inspect tool details", cliCommands.catalog.toolDetail(payload.server.serverId, searchTool.name, payload.server.orgSlug), `Inspect schema for ${payload.server.serverId}/${searchTool.name} before invoking.`, "if_tools_available")];
+	return [];
 };
-const toInlineJsonTemplateArgument = (value) => {
-	const placeholderLiteral = JSON.stringify(EXAMPLE_PLACEHOLDER);
-	return `'${JSON.stringify(value).replaceAll(placeholderLiteral, " ... ").replaceAll("'", String.raw`'\''`)}'`;
+const nextActionsForCatalogToolDetail = (payload) => {
+	if (payload.tool.name === "search") return [nextAction("run_search", "Run search", cliCommands.search.inspectAllTools(payload.server.serverId, payload.server.orgSlug), `Use Codemode search on ${payload.server.serverId} after reviewing the tool contract.`, "after_tool_inspection")];
+	return [nextAction("run_execute", "Run execute", cliCommands.execute.inlineCode(payload.server.serverId, payload.server.orgSlug), `Use Codemode execute on ${payload.server.serverId} after reviewing the tool contract.`, "after_tool_inspection")];
 };
-const nextActionsForCatalogToolDetails = (payload, exampleInput) => {
-	const inputArgument = toInlineJsonTemplateArgument(exampleInput);
-	return [nextAction("invoke_tool", "Invoke this tool", cliCommands.invoke.withInputValue(payload.server.serverId, payload.name, inputArgument), `Replace every ... placeholder with real JSON values, then invoke ${payload.server.serverId} ${payload.name}.`, "after_tool_inspection")];
+const nextActionsForSearch = (payload) => {
+	return [nextAction("execute_help", "Inspect execute usage", cliCommands.execute.help(), `Run Codemode execute against ${payload.serverId} after choosing a workflow.`, "after_search")];
 };
-const nextActionsForInvoke = (payload) => {
-	return [nextAction("inspect_tool", "Inspect tool schema", cliCommands.catalog.tool(payload.serverId, payload.toolName, { example: false }), `Review ${payload.serverId}/${payload.toolName} schema for the next invocation.`, "after_invoke")];
+const nextActionsForExecute = (payload) => {
+	return [nextAction("search_tools", "Search tools again", cliCommands.search.inspectAllTools(payload.serverId), `Reinspect tool definitions on ${payload.serverId} before the next execution.`, "after_execute")];
 };
 const nextActionsForStatus = (payload) => {
-	if (!payload.auth.apiKeyPresent) return [nextAction("login", "Authenticate", cliCommands.auth.login(), "Status detected no API key; authenticate first.", "immediate")];
+	if (!payload.auth.apiKeyPresent) return [nextAction("login", "Authenticate", cliCommands.login.command(), "Status detected no API key; authenticate first.", "immediate")];
 	return [nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Connectivity is ${payload.summary.status}; discover available servers.`, "after_status")];
 };
+const codeSourceFromValue = (value) => {
+	if (value === "-") return "stdin";
+	if (value.startsWith("@")) return "file";
+	return "inline";
+};
+const inputSourceFromValue = (value) => {
+	if (value === void 0) return "none";
+	if (value === "-") return "stdin";
+	if (value.startsWith("@")) return "file";
+	return "inline_json";
+};
 const runLoginFlow = async (runtime, options) => {
-	const { commandOptions, invokedCommand, mode } = options.mode === "apiKey" ? {
-		commandOptions: options,
-		invokedCommand: cliCommands.auth.loginWithApiKeyRedacted(),
-		mode: "apiKey"
-	} : {
-		commandOptions: { mode: "device" },
-		invokedCommand: cliCommands.auth.login(),
-		mode: "device"
-	};
-	const data = ensureSuccess(await runAuthLoginCommand(runtime.context, commandOptions), runtime, {
-		command: invokedCommand,
-		entity: { mode }
-	});
+	const invokedCommand = cliCommands.login.command();
+	const data = ensureSuccess(await runLoginCommand(runtime.context, options), runtime, { command: invokedCommand });
 	if (!data.loggedIn) {
 		const pendingOutput = {
-			event: "auth_login.pending",
+			event: "login.pending",
 			loggedIn: false,
 			verification: data.verification
 		};
 		runtime.output.success(pendingOutput, {
 			command: invokedCommand,
 			entity: {
-				event: "auth_login.pending",
-				mode,
+				event: "login.pending",
 				verification: {
-					userCode: data.verification.userCode,
-					verificationUri: data.verification.verificationUri
+					authRequestId: data.verification.authRequestId,
+					verificationUrl: data.verification.verificationUrl
 				}
 			},
-			nextActions: nextActionsForPendingLogin(data.verification.userCode, data.verification.verificationUri)
+			nextActions: nextActionsForPendingLogin(data.verification.authRequestId, data.verification.verificationUrl)
 		});
 		return;
 	}
 	const outputData = {
 		...data,
-		event: "auth_login.completed"
+		event: "login.completed"
 	};
 	runtime.output.success(outputData, {
 		command: invokedCommand,
 		entity: {
 			agentName: data.agentName,
-			event: "auth_login.completed",
+			event: "login.completed",
 			loggedIn: data.loggedIn,
-			mode,
 			outcome: data.outcome
 		},
-		nextActions: nextActionsForLogin(data, mode)
+		nextActions: nextActionsForLogin(data)
 	});
 };
-const executeAuthLoginInvocation = async (runtime, invocation) => {
-	if (invocation.apiKey !== void 0) {
-		await runLoginFlow(runtime, {
-			apiKey: invocation.apiKey,
-			mode: "apiKey"
-		});
-		return;
-	}
-	await runLoginFlow(runtime, { mode: "device" });
+const executeLoginInvocation = async (runtime, _invocation) => {
+	await runLoginFlow(runtime, {});
 };
-const executeAuthStatusInvocation = async (runtime) => {
-	const command = cliCommands.auth.status();
-	const data = ensureSuccess(await runAuthStatusCommand(runtime.context), runtime, { command });
-	runtime.output.success(data, {
+const executeLogoutInvocation = async (runtime) => {
+	const command = cliCommands.logout.command();
+	const data = ensureSuccess(await runLogoutCommand(runtime.context), runtime, { command });
+	const outputData = {
+		...data,
+		event: "logout.completed"
+	};
+	runtime.output.success(outputData, {
 		command,
 		entity: {
-			apiKeySource: data.apiKeySource,
-			loggedIn: data.loggedIn
+			event: "logout.completed",
+			localStateCleared: data.localStateCleared,
+			remoteSignedOut: data.remoteSignedOut
 		},
-		nextActions: nextActionsForAuthStatus(data)
+		nextActions: [nextAction("login", "Authenticate again", cliCommands.login.command(), "Sign-out completed; run login when you want to reconnect this installation.", "after_logout")]
 	});
 };
-const executeAuthLogoutInvocation = async (runtime) => {
-	const command = cliCommands.auth.logout();
-	const data = ensureSuccess(await runAuthLogoutCommand(runtime.context), runtime, { command });
-	runtime.output.success(data, {
+const executeResetInvocation = async (runtime) => {
+	const command = cliCommands.reset.command();
+	const data = ensureSuccess(await runResetCommand(runtime.context), runtime, { command });
+	const outputData = {
+		...data,
+		event: "reset.completed"
+	};
+	runtime.output.success(outputData, {
 		command,
 		entity: {
-			localCredentialsDeleted: data.localCredentialsDeleted,
-			revoked: data.revoked
+			event: "reset.completed",
+			installationReset: data.installationReset,
+			localStateCleared: data.localStateCleared,
+			remoteReset: data.remoteReset
 		},
-		nextActions: [nextAction("login", "Authenticate again", cliCommands.auth.login(), "Logout completed; authenticate again before further tool calls.", "after_logout")]
+		nextActions: [nextAction("login", "Authenticate this fresh install", cliCommands.login.command(), "Reset completed; run login to create or reconnect this installation.", "after_reset"), nextAction("inspect_status", "Inspect status", cliCommands.status.command(), "Inspect the fresh-install CLI state and diagnostics.", "after_reset")]
 	});
 };
 const executeCatalogInvocation = async (runtime, invocation) => {
-	const formatPaginationDetails = () => {
-		return `${invocation.cursor === void 0 ? "" : `--cursor ${invocation.cursor} `}${invocation.limit === void 0 ? "" : `--limit ${invocation.limit}`}`.trim();
-	};
-	const toCatalogExecutionPlan = () => {
-		if (invocation.serverId === void 0) {
-			if (invocation.example) return Result.err(new ValidationError({
-				details: "--example without <server-id> <tool-name>",
-				message: "Invalid catalog options. --example requires <server-id> <tool-name>.",
-				recovery: { command: cliCommands.catalog.command() }
-			}));
-			return Result.ok({
-				cursor: invocation.cursor,
-				kind: "summary",
-				limit: invocation.limit
-			});
-		}
-		if (invocation.toolName === void 0) {
-			if (invocation.cursor !== void 0 || invocation.limit !== void 0) return Result.err(new ValidationError({
-				details: formatPaginationDetails(),
-				message: "Invalid catalog options. --cursor and --limit are only valid for `ogment catalog`.",
-				recovery: { command: cliCommands.catalog.command() }
-			}));
-			if (invocation.example) return Result.err(new ValidationError({
-				details: `--example without tool name for ${invocation.serverId}`,
-				message: "Invalid catalog options. --example requires <tool-name>.",
-				recovery: { command: cliCommands.catalog.server(invocation.serverId) }
-			}));
-			return Result.ok({
-				kind: "tools",
-				serverId: invocation.serverId
-			});
-		}
-		if (invocation.cursor !== void 0 || invocation.limit !== void 0) return Result.err(new ValidationError({
-			details: formatPaginationDetails(),
-			message: "Invalid catalog options. --cursor and --limit are only valid for `ogment catalog`.",
-			recovery: { command: cliCommands.catalog.tool(invocation.serverId, invocation.toolName, { example: invocation.example }) }
-		}));
-		return Result.ok({
-			example: invocation.example,
-			kind: "tool",
+	if (invocation.toolName !== void 0 && invocation.serverId !== void 0) {
+		const command = cliCommands.catalog.toolDetail(invocation.serverId, invocation.toolName, invocation.orgSlug);
+		const data = ensureSuccess(await runCatalogToolDetailCommand(runtime.context, {
+			includeDebug: runtime.output.debug,
+			...invocation.orgSlug === void 0 ? {} : { orgSlug: invocation.orgSlug },
 			serverId: invocation.serverId,
 			toolName: invocation.toolName
+		}), runtime, {
+			command,
+			entity: {
+				...invocation.orgSlug === void 0 ? {} : { orgSlug: invocation.orgSlug },
+				serverId: invocation.serverId,
+				toolName: invocation.toolName
+			}
 		});
-	};
-	const planResult = toCatalogExecutionPlan();
-	if (Result.isError(planResult)) throw planResult.error;
-	switch (planResult.value.kind) {
-		case "summary": {
-			const plan = planResult.value;
-			const command = cliCommands.catalog.summary({
-				...plan.cursor === void 0 ? {} : { cursor: plan.cursor },
-				...plan.limit === void 0 ? {} : { limit: plan.limit }
-			});
-			const data = ensureSuccess(await runCatalogCommand(runtime.context, {
-				...plan.cursor === void 0 ? {} : { cursor: plan.cursor },
-				includeDebug: runtime.output.debug,
-				...plan.limit === void 0 ? {} : { limit: plan.limit }
-			}), runtime, {
-				command,
-				entity: {
-					cursor: plan.cursor ?? null,
-					limit: plan.limit ?? null
-				}
-			});
-			const outputData = {
-				failures: data.failures,
-				servers: data.servers
-			};
-			runtime.output.success(outputData, {
-				command,
-				entity: {
-					cursor: plan.cursor ?? null,
-					failedServerCount: data.failures.length,
-					limit: plan.limit ?? null,
-					serverCount: data.servers.length
-				},
-				nextActions: nextActionsForCatalogSummary(outputData, {
-					limit: plan.limit ?? null,
-					nextCursor: data.nextCursor
-				}),
-				pagination: { nextCursor: data.nextCursor }
-			});
-			return;
-		}
-		case "tools": {
-			const command = cliCommands.catalog.server(planResult.value.serverId);
-			const data = ensureSuccess(await runCatalogToolsCommand(runtime.context, { serverId: planResult.value.serverId }), runtime, {
-				command,
-				entity: { serverId: planResult.value.serverId }
-			});
-			runtime.output.success(data, {
-				command,
-				entity: {
-					serverId: data.server.serverId,
-					toolCount: data.tools.length
-				},
-				nextActions: nextActionsForCatalogTools(data)
-			});
-			return;
+		runtime.output.success(data, {
+			command,
+			entity: {
+				orgSlug: data.server.orgSlug,
+				serverId: data.server.serverId,
+				toolName: data.tool.name
+			},
+			nextActions: nextActionsForCatalogToolDetail(data)
+		});
+		return;
+	}
+	if (invocation.serverId !== void 0) {
+		const command = cliCommands.catalog.detail(invocation.serverId, invocation.orgSlug);
+		const data = ensureSuccess(await runCatalogServerDetailCommand(runtime.context, {
+			includeDebug: runtime.output.debug,
+			...invocation.orgSlug === void 0 ? {} : { orgSlug: invocation.orgSlug },
+			serverId: invocation.serverId
+		}), runtime, {
+			command,
+			entity: {
+				...invocation.orgSlug === void 0 ? {} : { orgSlug: invocation.orgSlug },
+				serverId: invocation.serverId
+			}
+		});
+		runtime.output.success(data, {
+			command,
+			entity: {
+				orgSlug: data.server.orgSlug,
+				serverId: data.server.serverId
+			},
+			nextActions: nextActionsForCatalogServerDetail(data)
+		});
+		return;
+	}
+	const command = cliCommands.catalog.summary({
+		...invocation.cursor === void 0 ? {} : { cursor: invocation.cursor },
+		...invocation.limit === void 0 ? {} : { limit: invocation.limit },
+		...invocation.orgSlug === void 0 ? {} : { orgSlug: invocation.orgSlug }
+	});
+	const data = ensureSuccess(await runCatalogCommand(runtime.context, {
+		...invocation.cursor === void 0 ? {} : { cursor: invocation.cursor },
+		...invocation.limit === void 0 ? {} : { limit: invocation.limit },
+		...invocation.orgSlug === void 0 ? {} : { orgSlug: invocation.orgSlug }
+	}), runtime, {
+		command,
+		entity: {
+			cursor: invocation.cursor ?? null,
+			limit: invocation.limit ?? null,
+			orgSlug: invocation.orgSlug ?? null
 		}
-		case "tool": {
-			const command = cliCommands.catalog.tool(planResult.value.serverId, planResult.value.toolName, { example: planResult.value.example });
-			const data = ensureSuccess(await runCatalogToolDetailsCommand(runtime.context, {
-				serverId: planResult.value.serverId,
-				toolName: planResult.value.toolName
-			}), runtime, {
-				command,
-				entity: {
-					serverId: planResult.value.serverId,
-					toolName: planResult.value.toolName
-				}
-			});
-			const exampleInput = toJsonValue(buildJsonSchemaExample(data.inputSchema));
-			const outputData = planResult.value.example ? {
-				...data,
-				exampleInput
-			} : data;
-			runtime.output.success(outputData, {
-				command,
-				entity: {
-					serverId: data.server.serverId,
-					toolName: data.name
-				},
-				nextActions: nextActionsForCatalogToolDetails(data, exampleInput)
-			});
-			return;
+	});
+	const outputData = {
+		failures: data.failures,
+		servers: data.servers
+	};
+	runtime.output.success(outputData, {
+		command,
+		entity: {
+			cursor: invocation.cursor ?? null,
+			failedServerCount: data.failures.length,
+			limit: invocation.limit ?? null,
+			orgSlug: invocation.orgSlug ?? null,
+			serverCount: data.servers.length
+		},
+		nextActions: nextActionsForCatalogSummary(outputData, {
+			limit: invocation.limit ?? null,
+			nextCursor: data.nextCursor,
+			orgSlug: invocation.orgSlug ?? null
+		}),
+		pagination: { nextCursor: data.nextCursor }
+	});
+};
+const executeSearchInvocation = async (runtime, invocation) => {
+	const codeSource = codeSourceFromValue(invocation.code);
+	const command = codeSource === "stdin" ? cliCommands.search.stdinCode(invocation.serverId, invocation.orgSlug) : cliCommands.search.withCodeValue(invocation.serverId, invocation.code, invocation.orgSlug);
+	const data = ensureSuccess(await runSearchCommand(runtime.context, {
+		code: invocation.code,
+		...invocation.orgSlug === void 0 ? {} : { orgSlug: invocation.orgSlug },
+		serverId: invocation.serverId
+	}), runtime, {
+		command,
+		entity: {
+			codeSource,
+			...invocation.orgSlug === void 0 ? {} : { orgSlug: invocation.orgSlug },
+			serverId: invocation.serverId
 		}
-	}
+	});
+	runtime.output.success(data, {
+		command,
+		entity: {
+			codeSource,
+			...invocation.orgSlug === void 0 ? {} : { orgSlug: invocation.orgSlug },
+			serverId: data.serverId
+		},
+		nextActions: nextActionsForSearch(data)
+	});
 };
-const executeInvokeInvocation = async (runtime, invocation) => {
-	let inputSource = "none";
-	let command = cliCommands.invoke.command(invocation.serverId, invocation.toolName, invocation.orgSlug);
-	if (invocation.input !== void 0) if (invocation.input === "-") {
-		inputSource = "stdin";
-		command = cliCommands.invoke.stdin(invocation.serverId, invocation.toolName, invocation.orgSlug);
-	} else if (invocation.input.startsWith("@")) {
-		inputSource = "file";
-		command = cliCommands.invoke.withInputValue(invocation.serverId, invocation.toolName, invocation.input, invocation.orgSlug);
-	} else {
-		inputSource = "inline_json";
-		command = cliCommands.invoke.inlineJson(invocation.serverId, invocation.toolName, invocation.orgSlug);
-	}
-	const data = ensureSuccess(await runInvokeCommand(runtime.context, {
+const executeExecuteInvocation = async (runtime, invocation) => {
+	const codeSource = codeSourceFromValue(invocation.code);
+	const inputSource = inputSourceFromValue(invocation.input);
+	const command = codeSource === "stdin" ? cliCommands.execute.stdinCode(invocation.serverId, invocation.orgSlug) : cliCommands.execute.withCodeAndInputValue(invocation.serverId, invocation.code, invocation.input, invocation.orgSlug);
+	const data = ensureSuccess(await runExecuteCommand(runtime.context, {
+		code: invocation.code,
 		input: invocation.input,
 		...invocation.orgSlug === void 0 ? {} : { orgSlug: invocation.orgSlug },
-		serverId: invocation.serverId,
-		toolName: invocation.toolName
+		serverId: invocation.serverId
 	}), runtime, {
 		command,
 		entity: {
+			codeSource,
 			inputSource,
 			...invocation.orgSlug === void 0 ? {} : { orgSlug: invocation.orgSlug },
-			serverId: invocation.serverId,
-			toolName: invocation.toolName
+			serverId: invocation.serverId
 		}
 	});
 	runtime.output.success(data, {
 		command,
 		entity: {
+			codeSource,
 			inputSource,
 			...invocation.orgSlug === void 0 ? {} : { orgSlug: invocation.orgSlug },
-			serverId: data.serverId,
-			toolName: data.toolName
+			serverId: data.serverId
 		},
-		nextActions: nextActionsForInvoke(data)
+		nextActions: nextActionsForExecute(data)
 	});
 };
 const executeStatusInvocation = async (runtime) => {
@@ -15254,29 +15121,32 @@ const executeRootInvocation = (runtime) => {
 	runtime.output.success({ commands: cliCommands.root.commandsSurface() }, {
 		command: cliCommands.root.command(),
 		entity: null,
-		nextActions: [nextAction("login", "Authenticate", cliCommands.auth.login(), "Authenticate first so catalog and invoke commands can run.", "immediate"), nextAction("catalog", "Discover servers", cliCommands.catalog.command(), "List accessible servers and tool counts.", "after_auth")]
+		nextActions: [nextAction("login", "Authenticate", cliCommands.login.command(), "Authenticate first so catalog, search, and execute commands can run.", "immediate"), nextAction("catalog", "Discover servers", cliCommands.catalog.command(), "List accessible servers before running Codemode search or execute.", "after_auth")]
 	});
 };
 const executeInvocation = async (runtime, invocation) => {
 	switch (invocation.kind) {
-		case "auth_login":
-			await executeAuthLoginInvocation(runtime, invocation);
+		case "login":
+			await executeLoginInvocation(runtime, invocation);
 			return;
-		case "auth_logout":
-			await executeAuthLogoutInvocation(runtime);
+		case "logout":
+			await executeLogoutInvocation(runtime);
 			return;
-		case "auth_status":
-			await executeAuthStatusInvocation(runtime);
+		case "reset":
+			await executeResetInvocation(runtime);
 			return;
 		case "catalog":
 			await executeCatalogInvocation(runtime, invocation);
 			return;
-		case "invoke":
-			await executeInvokeInvocation(runtime, invocation);
+		case "execute":
+			await executeExecuteInvocation(runtime, invocation);
 			return;
 		case "root":
 			executeRootInvocation(runtime);
 			return;
+		case "search":
+			await executeSearchInvocation(runtime, invocation);
+			return;
 		case "status":
 			await executeStatusInvocation(runtime);
 			return;
@@ -15339,19 +15209,19 @@ const nextActionForParseError = (scope, helpCommand) => {
 	};
 };
 const parseActionsForScope = (scope, helpAction) => {
-	if (scope === "auth") return [
+	if (scope === "login" || scope === "logout" || scope === "reset") return [
 		{
-			command: cliCommands.auth.login(),
-			id: "auth_login",
-			reason: "Authenticate with device flow.",
-			title: "Auth login",
+			command: cliCommands.login.command(),
+			id: "login",
+			reason: "Authenticate this CLI installation.",
+			title: "Login",
 			when: "immediate"
 		},
 		{
-			command: cliCommands.auth.status(),
-			id: "auth_status",
-			reason: "Check current local authentication state.",
-			title: "Auth status",
+			command: cliCommands.status.command(),
+			id: "status",
+			reason: "Inspect the current CLI state and diagnostics.",
+			title: "Status",
 			when: "immediate"
 		},
 		helpAction
@@ -15359,15 +15229,22 @@ const parseActionsForScope = (scope, helpAction) => {
 	if (scope === "catalog") return [{
 		command: cliCommands.catalog.command(),
 		id: "catalog_summary",
-		reason: "List available servers and follow progressive discovery.",
+		reason: "List available servers before selecting a Codemode target.",
 		title: "Catalog servers",
 		when: "immediate"
 	}, helpAction];
-	if (scope === "invoke") return [{
+	if (scope === "search") return [{
 		command: cliCommands.catalog.command(),
-		id: "invoke_prepare",
-		reason: "Discover servers and tools before invoking a target command.",
-		title: "Discover tools",
+		id: "search_prepare",
+		reason: "Discover servers before running Codemode search.",
+		title: "Discover servers",
+		when: "immediate"
+	}, helpAction];
+	if (scope === "execute") return [{
+		command: cliCommands.catalog.command(),
+		id: "execute_prepare",
+		reason: "Discover servers before running Codemode execute.",
+		title: "Discover servers",
 		when: "immediate"
 	}, helpAction];
 	if (scope === null) return [helpAction];
@@ -60807,8 +60684,8 @@ const createAccountService = (deps) => {
 			mapStatusError: (response, body) => {
 				if (response.status === 401) return new AuthError({
 					code: ERROR_CODE.authInvalidCredentials,
-					message: "Authentication failed. Run `ogment auth login` again.",
-					recovery: { command: "ogment auth login" }
+					message: "Authentication failed. Run `ogment login` again.",
+					recovery: { command: "ogment login" }
 				});
 				return new RemoteRequestError({
 					body,
@@ -60829,7 +60706,6 @@ const createAccountService = (deps) => {
 
 //#endregion
 //#region src/services/auth.ts
-const DEFAULT_NAMESPACE_KEY = "default";
 const toEndpointUrl = (baseUrl, endpoint) => {
 	return `${baseUrl}${endpoint}`;
 };
@@ -60839,85 +60715,138 @@ const authStartUrl = (baseUrl) => {
 const authExchangeUrl = (baseUrl) => {
 	return toEndpointUrl(baseUrl, cliEndpoints.authExchange);
 };
-const isExpiredPendingRequest = (request, nowMs) => {
+const authLogoutUrl = (baseUrl) => {
+	return toEndpointUrl(baseUrl, cliEndpoints.authLogout);
+};
+const authResetUrl = (baseUrl) => {
+	return toEndpointUrl(baseUrl, cliEndpoints.authReset);
+};
+const accountMeUrl = (baseUrl) => {
+	return toEndpointUrl(baseUrl, cliEndpoints.accountMe);
+};
+const toLoginPendingInfo = (request) => {
+	if (request === null) return null;
+	return {
+		authRequestId: request.authRequestId,
+		verificationUrl: request.verificationUrl
+	};
+};
+const isExpiredCurrentAuthRequest = (request, nowMs) => {
 	const parsedExpiresAt = Date.parse(request.expiresAt);
 	return !Number.isNaN(parsedExpiresAt) && parsedExpiresAt <= nowMs;
 };
 const createAuthService = (deps) => {
 	const now = deps.now ?? Date.now;
-	const storeApprovedAuth = (approvedAuth, namespaceKey = DEFAULT_NAMESPACE_KEY) => {
-		return deps.credentialsStore.storeApprovedAuth({
-			agentName: approvedAuth.agentName,
-			apiKey: approvedAuth.apiKey
-		}, namespaceKey);
-	};
-	const saveApiKeyAuth = (approvedAuth) => {
+	const storeApprovedAuth = (approvedAuth) => {
 		return deps.credentialsStore.save({
+			agentId: approvedAuth.agentId,
 			agentName: approvedAuth.agentName,
-			apiKey: approvedAuth.apiKey
+			apiKey: approvedAuth.apiKey,
+			credentialId: approvedAuth.credentialId,
+			signedInAt: new Date(now()).toISOString()
 		});
 	};
-	const tryExchangePendingRequests = async () => {
-		const installationIdResult = deps.credentialsStore.getInstallationId();
-		if (Result.isError(installationIdResult)) return installationIdResult;
-		const pendingRequestsResult = deps.credentialsStore.listPendingRequests();
-		if (Result.isError(pendingRequestsResult)) return pendingRequestsResult;
-		const pendingRequests = [...pendingRequestsResult.value].toSorted((a, b) => {
-			return a.createdAt.localeCompare(b.createdAt);
+	const loadLocalAuthSnapshot = () => {
+		const installationId = deps.credentialsStore.getInstallationId();
+		if (Result.isError(installationId)) return installationId;
+		const session = deps.credentialsStore.load();
+		if (Result.isError(session)) return session;
+		const currentAuthRequest = deps.credentialsStore.getCurrentAuthRequest();
+		if (Result.isError(currentAuthRequest)) return currentAuthRequest;
+		return Result.ok({
+			currentAuthRequest: currentAuthRequest.value,
+			installationId: installationId.value,
+			session: session.value
 		});
-		for (const pendingRequest of pendingRequests) {
-			if (isExpiredPendingRequest(pendingRequest, now())) {
-				const deleteResult = deps.credentialsStore.deletePendingRequest(pendingRequest.authRequestId);
-				if (Result.isError(deleteResult)) return deleteResult;
-				continue;
-			}
-			const exchangePayload = await requestJson(deps.httpClient, authExchangeUrl(deps.baseUrl), authExchangeSchema, {
-				body: JSON.stringify({
-					authRequestId: pendingRequest.authRequestId,
-					installationId: installationIdResult.value,
-					namespaceKey: pendingRequest.namespaceKey
-				}),
-				headers: { "Content-Type": "application/json" },
-				method: "POST"
-			}, {
-				context: "auth exchange response",
-				mapStatusError: (response, body) => new RemoteRequestError({
+	};
+	const clearCurrentAuthRequest = () => {
+		return deps.credentialsStore.clearCurrentAuthRequest();
+	};
+	const toStoredAuthorizationHeader = (session) => {
+		return session === null ? null : `Bearer ${session.apiKey}`;
+	};
+	const validateStoredCredentials = async (apiKey) => {
+		const response = await requestJson(deps.httpClient, accountMeUrl(deps.baseUrl), accountMeSchema, { headers: { Authorization: `Bearer ${apiKey}` } }, {
+			context: "account response",
+			mapStatusError: (httpResponse, body) => {
+				if (httpResponse.status === 401) return new AuthError({
+					code: ERROR_CODE.authInvalidCredentials,
+					message: "Stored CLI session is invalid. Run `ogment login` to sign in again.",
+					recovery: { command: "ogment login" }
+				});
+				return new RemoteRequestError({
 					body,
-					httpStatus: response.status,
-					message: "Failed to exchange pending CLI auth",
-					operation: "auth/exchange",
+					httpStatus: httpResponse.status,
+					message: "Failed to validate current CLI session",
+					operation: "account/fetch",
 					raw: body,
 					source: "http"
-				}),
-				operation: "auth/exchange"
-			});
-			if (Result.isError(exchangePayload)) return exchangePayload;
-			const exchangeData = exchangePayload.value.data;
-			if (exchangeData.status === "authorization_pending") continue;
-			if (exchangeData.status === "approved") {
-				const storeResult = storeApprovedAuth({
-					agentName: exchangeData.agentName,
-					apiKey: exchangeData.apiKey
-				}, pendingRequest.namespaceKey);
-				if (Result.isError(storeResult)) return storeResult;
-				return Result.ok({
-					agentName: exchangeData.agentName,
-					apiKey: exchangeData.apiKey
 				});
-			}
-			const deleteResult = deps.credentialsStore.deletePendingRequest(pendingRequest.authRequestId);
-			if (Result.isError(deleteResult)) return deleteResult;
+			},
+			operation: "account/fetch"
+		});
+		if (Result.isError(response)) {
+			if (response.error instanceof AuthError && response.error.code === ERROR_CODE.authInvalidCredentials) return Result.ok(false);
+			return response;
 		}
-		return Result.ok(null);
+		return Result.ok(true);
 	};
-	const loginWithDevice = async (options) => {
-		const installationIdResult = deps.credentialsStore.getInstallationId();
-		if (Result.isError(installationIdResult)) return installationIdResult;
+	const exchangeCurrentAuthRequest = async (snapshot) => {
+		const currentAuthRequest = snapshot.currentAuthRequest;
+		if (currentAuthRequest === null) return Result.ok({ kind: "none" });
+		if (isExpiredCurrentAuthRequest(currentAuthRequest, now())) {
+			const clearResult = clearCurrentAuthRequest();
+			if (Result.isError(clearResult)) return clearResult;
+			return Result.ok({ kind: "none" });
+		}
+		const exchangePayload = await requestJson(deps.httpClient, authExchangeUrl(deps.baseUrl), authExchangeSchema, {
+			body: JSON.stringify({
+				authRequestId: currentAuthRequest.authRequestId,
+				installationId: snapshot.installationId
+			}),
+			headers: { "Content-Type": "application/json" },
+			method: "POST"
+		}, {
+			context: "auth exchange response",
+			mapStatusError: (response, body) => new RemoteRequestError({
+				body,
+				httpStatus: response.status,
+				message: "Failed to exchange current CLI auth request",
+				operation: "auth/exchange",
+				raw: body,
+				source: "http"
+			}),
+			operation: "auth/exchange"
+		});
+		if (Result.isError(exchangePayload)) return exchangePayload;
+		const exchangeData = exchangePayload.value.data;
+		if (exchangeData.status === "authorization_pending") return Result.ok({
+			kind: "pending",
+			request: currentAuthRequest
+		});
+		if (exchangeData.status === "approved") {
+			const approvedAuth = {
+				agentId: exchangeData.agentId,
+				agentName: exchangeData.agentName,
+				apiKey: exchangeData.apiKey,
+				credentialId: exchangeData.credentialId
+			};
+			const storeResult = storeApprovedAuth(approvedAuth);
+			if (Result.isError(storeResult)) return storeResult;
+			return Result.ok({
+				auth: approvedAuth,
+				kind: "approved"
+			});
+		}
+		const clearResult = clearCurrentAuthRequest();
+		if (Result.isError(clearResult)) return clearResult;
+		return Result.ok({ kind: "none" });
+	};
+	const startOrRecoverLogin = async (installationId, options) => {
 		const startPayload = await requestJson(deps.httpClient, authStartUrl(deps.baseUrl), authStartSchema, {
 			body: JSON.stringify({
 				...deps.executionEnvironment === void 0 ? {} : { executionEnvironment: deps.executionEnvironment },
-				installationId: installationIdResult.value,
-				namespaceKey: DEFAULT_NAMESPACE_KEY
+				installationId
 			}),
 			headers: { "Content-Type": "application/json" },
 			method: "POST"
@@ -60934,76 +60863,140 @@ const createAuthService = (deps) => {
 			operation: "auth/start"
 		});
 		if (Result.isError(startPayload)) return startPayload;
-		const savePendingRequestResult = deps.credentialsStore.savePendingRequest({
+		const currentAuthRequest = {
 			authRequestId: startPayload.value.data.authRequestId,
-			code: startPayload.value.data.userCode,
-			createdAt: new Date(now()).toISOString(),
 			expiresAt: startPayload.value.data.expiresAt,
-			namespaceKey: DEFAULT_NAMESPACE_KEY,
 			verificationUrl: startPayload.value.data.verificationUrl
-		});
-		if (Result.isError(savePendingRequestResult)) return savePendingRequestResult;
-		const verification = {
-			userCode: startPayload.value.data.userCode,
-			verificationUri: startPayload.value.data.verificationUrl
 		};
-		options.onPending?.(verification);
+		const saveCurrentAuthRequestResult = deps.credentialsStore.saveCurrentAuthRequest(currentAuthRequest);
+		if (Result.isError(saveCurrentAuthRequestResult)) return saveCurrentAuthRequestResult;
+		if (startPayload.value.data.disposition === "reused_approved") {
+			const exchangedCurrentAuthRequest = await exchangeCurrentAuthRequest({
+				currentAuthRequest,
+				installationId,
+				session: null
+			});
+			if (Result.isError(exchangedCurrentAuthRequest)) return exchangedCurrentAuthRequest;
+			if (exchangedCurrentAuthRequest.value.kind === "approved") return Result.ok({
+				agentName: exchangedCurrentAuthRequest.value.auth.agentName,
+				loggedIn: true,
+				outcome: "authenticated"
+			});
+		}
+		const verification = toLoginPendingInfo(currentAuthRequest);
+		if (verification !== null) options.onPending?.(verification);
 		return Result.ok({
 			agentName: null,
 			loggedIn: false,
 			outcome: "pending_approval",
-			verification
+			verification: verification ?? {
+				authRequestId: currentAuthRequest.authRequestId,
+				verificationUrl: currentAuthRequest.verificationUrl
+			}
 		});
 	};
 	return {
 		login: async (options) => {
-			if (options.mode === "apiKey" && options.apiKey.length > 0) {
-				const saveResult = saveApiKeyAuth({
-					agentName: "CLI Agent",
-					apiKey: options.apiKey
-				});
-				if (Result.isError(saveResult)) return saveResult;
-				return Result.ok({
-					agentName: "CLI Agent",
+			const snapshot = loadLocalAuthSnapshot();
+			if (Result.isError(snapshot)) return snapshot;
+			if (snapshot.value.session !== null) {
+				const validationResult = await validateStoredCredentials(snapshot.value.session.apiKey);
+				if (Result.isError(validationResult)) return validationResult;
+				if (validationResult.value) return Result.ok({
+					agentName: snapshot.value.session.agentName ?? "CLI Agent",
 					loggedIn: true,
-					outcome: "authenticated"
+					outcome: "already_authenticated"
 				});
+				const deleteResult = deps.credentialsStore.delete();
+				if (Result.isError(deleteResult)) return deleteResult;
 			}
-			if (options.mode === "apiKey") return Result.err(new ValidationError({
-				code: ERROR_CODE.validationInvalidInput,
-				message: "Missing API key value. Provide a non-empty API key.",
-				recovery: { command: "ogment auth login --api-key <key>" }
-			}));
-			const stored = deps.credentialsStore.load();
-			if (Result.isError(stored)) return stored;
-			if (stored.value !== null) return Result.ok({
-				agentName: stored.value.agentName ?? "CLI Agent",
-				loggedIn: true,
-				outcome: "already_authenticated"
-			});
-			const exchangedPendingAuth = await tryExchangePendingRequests();
-			if (Result.isError(exchangedPendingAuth)) return exchangedPendingAuth;
-			if (exchangedPendingAuth.value !== null) return Result.ok({
-				agentName: exchangedPendingAuth.value.agentName,
+			const exchangedCurrentAuthRequest = await exchangeCurrentAuthRequest(snapshot.value);
+			if (Result.isError(exchangedCurrentAuthRequest)) return exchangedCurrentAuthRequest;
+			if (exchangedCurrentAuthRequest.value.kind === "approved") return Result.ok({
+				agentName: exchangedCurrentAuthRequest.value.auth.agentName,
 				loggedIn: true,
 				outcome: "authenticated"
 			});
-			return loginWithDevice(options);
+			if (exchangedCurrentAuthRequest.value.kind === "pending") {
+				const verification = toLoginPendingInfo(exchangedCurrentAuthRequest.value.request);
+				if (verification !== null) options.onPending?.(verification);
+				return Result.ok({
+					agentName: null,
+					loggedIn: false,
+					outcome: "pending_approval",
+					verification: verification ?? {
+						authRequestId: exchangedCurrentAuthRequest.value.request.authRequestId,
+						verificationUrl: exchangedCurrentAuthRequest.value.request.verificationUrl
+					}
+				});
+			}
+			return startOrRecoverLogin(snapshot.value.installationId, options);
 		},
 		logout: async () => {
-			const stored = deps.credentialsStore.load();
-			if (Result.isError(stored)) return stored;
-			const pendingRequestsResult = deps.credentialsStore.listPendingRequests();
-			if (Result.isError(pendingRequestsResult)) return pendingRequestsResult;
-			if (!(stored.value !== null || pendingRequestsResult.value.length > 0)) return Result.ok({
-				localCredentialsDeleted: false,
-				revoked: false
+			const snapshot = loadLocalAuthSnapshot();
+			if (Result.isError(snapshot)) return snapshot;
+			if (snapshot.value.session === null) return Result.ok({
+				localStateCleared: false,
+				remoteSignedOut: false
 			});
+			const storedAuthorizationHeader = toStoredAuthorizationHeader(snapshot.value.session);
+			let remoteSignedOut = false;
+			if (storedAuthorizationHeader !== null) {
+				const logoutPayload = await requestJson(deps.httpClient, authLogoutUrl(deps.baseUrl), authLogoutSchema, {
+					headers: { Authorization: storedAuthorizationHeader },
+					method: "POST"
+				}, {
+					context: "auth logout response",
+					mapStatusError: (response, body) => new RemoteRequestError({
+						body,
+						httpStatus: response.status,
+						message: "Failed to sign out current CLI session",
+						operation: "auth/logout",
+						raw: body,
+						source: "http"
+					}),
+					operation: "auth/logout"
+				});
+				if (Result.isOk(logoutPayload)) remoteSignedOut = true;
+			}
 			const deleteResult = deps.credentialsStore.delete();
 			if (Result.isError(deleteResult)) return deleteResult;
 			return Result.ok({
-				localCredentialsDeleted: true,
-				revoked: false
+				localStateCleared: true,
+				remoteSignedOut
+			});
+		},
+		reset: async () => {
+			const snapshot = loadLocalAuthSnapshot();
+			if (Result.isError(snapshot)) return snapshot;
+			const storedAuthorizationHeader = toStoredAuthorizationHeader(snapshot.value.session);
+			const remoteResetResult = await requestJson(deps.httpClient, authResetUrl(deps.baseUrl), authResetSchema, {
+				body: JSON.stringify({ installationId: snapshot.value.installationId }),
+				headers: {
+					"Content-Type": "application/json",
+					...storedAuthorizationHeader === null ? {} : { Authorization: storedAuthorizationHeader }
+				},
+				method: "POST"
+			}, {
+				context: "auth reset response",
+				mapStatusError: (response, body) => new RemoteRequestError({
+					body,
+					httpStatus: response.status,
+					message: "Failed to reset current CLI installation",
+					operation: "auth/reset",
+					raw: body,
+					source: "http"
+				}),
+				operation: "auth/reset"
+			});
+			const remoteReset = Result.isOk(remoteResetResult);
+			const localStateCleared = snapshot.value.session !== null || snapshot.value.currentAuthRequest !== null;
+			const resetLocalStateResult = deps.credentialsStore.reset();
+			if (Result.isError(resetLocalStateResult)) return resetLocalStateResult;
+			return Result.ok({
+				installationReset: true,
+				localStateCleared,
+				remoteReset
 			});
 		},
 		resolveApiKey: async (overrideApiKey) => {
@@ -61014,42 +61007,16 @@ const createAuthService = (deps) => {
 			});
 			if (resolution.apiKey !== null) return Result.ok(resolution.apiKey);
 			if (resolution.source === "credentialsError" && resolution.loadError) return Result.err(resolution.loadError);
-			const exchangedPendingAuth = await tryExchangePendingRequests();
-			if (Result.isError(exchangedPendingAuth)) return exchangedPendingAuth;
-			if (exchangedPendingAuth.value !== null) return Result.ok(exchangedPendingAuth.value.apiKey);
+			const snapshot = loadLocalAuthSnapshot();
+			if (Result.isError(snapshot)) return snapshot;
+			const exchangedCurrentAuthRequest = await exchangeCurrentAuthRequest(snapshot.value);
+			if (Result.isError(exchangedCurrentAuthRequest)) return exchangedCurrentAuthRequest;
+			if (exchangedCurrentAuthRequest.value.kind === "approved") return Result.ok(exchangedCurrentAuthRequest.value.auth.apiKey);
 			return Result.err(new AuthError({
 				code: ERROR_CODE.authRequired,
-				message: "Not logged in. Run `ogment auth login` or set OGMENT_API_KEY.",
-				recovery: { command: "ogment auth login" }
+				message: "Not logged in. Run `ogment login` or set OGMENT_API_KEY.",
+				recovery: { command: "ogment login" }
 			}));
-		},
-		status: async (overrideApiKey) => {
-			const resolution = resolveApiKey({
-				apiKeyOverride: overrideApiKey,
-				credentialsStore: deps.credentialsStore,
-				envApiKey: deps.envApiKey
-			});
-			if (resolution.source === "credentialsError" && resolution.loadError) return Result.err(resolution.loadError);
-			if (resolution.apiKey !== null) {
-				const apiKeySource = resolution.source === "credentialsFile" ? "credentialsFile" : resolution.source === "apiKeyOption" ? "apiKeyOption" : "env";
-				return Result.ok({
-					agentName: resolution.agentName,
-					apiKeySource,
-					loggedIn: true
-				});
-			}
-			const exchangedPendingAuth = await tryExchangePendingRequests();
-			if (Result.isError(exchangedPendingAuth)) return exchangedPendingAuth;
-			if (exchangedPendingAuth.value !== null) return Result.ok({
-				agentName: exchangedPendingAuth.value.agentName,
-				apiKeySource: "credentialsFile",
-				loggedIn: true
-			});
-			return Result.ok({
-				agentName: null,
-				apiKeySource: "none",
-				loggedIn: false
-			});
 		}
 	};
 };
@@ -61062,9 +61029,9 @@ const maskApiKey = (apiKey) => {
 };
 const nextActionByIssueCode = (includeDebug) => {
 	return {
-		auth_failed: "Run `ogment auth login` to refresh credentials.",
+		auth_failed: "Run `ogment login` to refresh credentials.",
 		credentials_load_failed: "Check file permissions and contents of `~/.config/ogment/auth-state.json`.",
-		no_api_key: "Run `ogment auth login` or set `OGMENT_API_KEY`.",
+		no_api_key: "Run `ogment login` or set `OGMENT_API_KEY`.",
 		unreachable: includeDebug ? "Verify `OGMENT_BASE_URL` and network connectivity." : "Verify network connectivity."
 	};
 };
@@ -61103,6 +61070,8 @@ const createInfoService = (deps) => {
 			credentialsStore: deps.credentialsStore,
 			envApiKey: deps.envApiKey
 		});
+		const installationIdResult = deps.credentialsStore.getInstallationId();
+		const installationId = Result.isOk(installationIdResult) ? installationIdResult.value : null;
 		const selectedApiKey = apiKeyResolution.apiKey;
 		const credentialsFileExists = existsSyncFn(deps.credentialsPath);
 		const endpoint = `${deps.baseUrl}${cliEndpoints.accountMe}`;
@@ -61127,6 +61096,7 @@ const createInfoService = (deps) => {
 		};
 		const collectAccount = async () => {
 			if (selectedApiKey === null) return {
+				actingAgent: null,
 				...emptyAccountErrorDetails(),
 				errorType: null,
 				latencyMs: null,
@@ -61144,6 +61114,12 @@ const createInfoService = (deps) => {
 					return organization.servers.map((server) => server.path);
 				});
 				return {
+					actingAgent: accountResult.value.actingAgent === null ? null : {
+						agentId: accountResult.value.actingAgent.agentId,
+						agentName: accountResult.value.actingAgent.agentName,
+						boundInstallationId: accountResult.value.actingAgent.boundInstallationId,
+						boundToCurrentInstallation: installationId === null || accountResult.value.actingAgent.boundInstallationId === null ? null : accountResult.value.actingAgent.boundInstallationId === installationId
+					},
 					...emptyAccountErrorDetails(),
 					errorType: null,
 					latencyMs: accountElapsedMs,
@@ -61170,6 +61146,7 @@ const createInfoService = (deps) => {
 					break;
 			}
 			return {
+				actingAgent: null,
 				..."code" in accountResult.error ? { errorCode: String(accountResult.error.code) } : { errorCode: null },
 				..."httpStatus" in accountResult.error ? { errorHttpStatus: typeof accountResult.error.httpStatus === "number" ? accountResult.error.httpStatus : null } : { errorHttpStatus: null },
 				..."mcpCode" in accountResult.error ? { errorMcpCode: typeof accountResult.error.mcpCode === "number" ? accountResult.error.mcpCode : null } : { errorMcpCode: null },
@@ -61215,13 +61192,18 @@ const createInfoService = (deps) => {
 			code: "unexpected_diagnostic_error",
 			message: `Unexpected diagnostic error: ${account.message ?? "unknown error"}`
 		});
+		if (Result.isError(installationIdResult)) issues.push({
+			code: "credentials_load_failed",
+			message: `Failed to load installation identity: ${installationIdResult.error.message}`
+		});
 		return {
 			auth: {
 				apiKeyPresent: selectedApiKey !== null,
 				apiKeyPreview: selectedApiKey === null ? null : maskApiKey(selectedApiKey),
 				apiKeySource: apiKeyResolution.source,
 				credentialsFileExists,
-				credentialsFileLoadError: apiKeyResolution.loadError?.message ?? null
+				credentialsFileLoadError: apiKeyResolution.loadError?.message ?? null,
+				installationId
 			},
 			config: {
 				baseUrl: deps.baseUrl,
@@ -61238,11 +61220,12 @@ const createInfoService = (deps) => {
 				],
 				quickCommands: [
 					"ogment status",
-					"ogment auth login",
+					"ogment login",
+					"ogment logout",
+					"ogment reset",
 					"ogment catalog",
-					"ogment catalog <server-id>",
-					"ogment catalog <server-id> <tool-name>",
-					"ogment invoke <server-id> <tool-name> --input '{}'"
+					"ogment search <server-id> --code 'return input'",
+					"ogment execute <server-id> --code 'return input' --input '{}'"
 				]
 			},
 			generatedAt: new Date(now()).toISOString(),
@@ -71951,6 +71934,25 @@ const createRemoteRequestErrorFromMcpCause = (options) => {
 const MCP_CONNECT_TIMEOUT_MS = 1e4;
 const MCP_DISCOVERY_TIMEOUT_MS = 1e4;
 const MCP_INVOKE_TIMEOUT_MS = 45e3;
+const DEFAULT_PATH_PREFIX = "/api/v1/mcp";
+const normalizePathPrefix = (value) => {
+	const candidate = value?.trim() || DEFAULT_PATH_PREFIX;
+	if (candidate.startsWith("/")) return candidate;
+	return `/${candidate}`;
+};
+const isLocalhost = (hostname) => {
+	return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname.startsWith("192.168.") || hostname.endsWith(".local");
+};
+const buildMcpEndpointUrl = (baseUrl, pathPrefix, target) => {
+	const base = new URL(baseUrl);
+	if (isLocalhost(base.hostname)) return new URL(`${pathPrefix}/${target.orgSlug}/${target.serverPath}`, `${base.origin}/`);
+	if (base.hostname.startsWith("dashboard.")) {
+		const rootDomain = base.hostname.slice(10);
+		const toolPath = pathPrefix === "/code" ? `/code/${target.serverPath}` : `/${target.serverPath}`;
+		return new URL(`${base.protocol}//${target.orgSlug}.mcp.${rootDomain}${toolPath}`);
+	}
+	return new URL(`${pathPrefix}/${target.orgSlug}/${target.serverPath}`, `${base.origin}/`);
+};
 const defaultCreateClient = (version) => {
 	return new Client({
 		name: APP_NAME,
@@ -71963,9 +71965,9 @@ const defaultCreateTransport = (url, apiKey) => {
 const createMcpService = (deps) => {
 	const createClient = deps.createClient ?? (() => defaultCreateClient(deps.version));
 	const createTransport = deps.createTransport ?? defaultCreateTransport;
+	const pathPrefix = normalizePathPrefix(deps.pathPrefix);
 	const withClient = async (target, apiKey, handler) => {
-		const endpoint = `${deps.baseUrl}/api/v1/mcp/${target.orgSlug}/${target.serverPath}`;
-		const transport = createTransport(new URL(endpoint), apiKey);
+		const transport = createTransport(buildMcpEndpointUrl(deps.baseUrl, pathPrefix, target), apiKey);
 		const client = createClient();
 		const connectResult = await Result.tryPromise({
 			catch: (cause) => createRemoteRequestErrorFromMcpCause({
@@ -72030,9 +72032,7 @@ const createRuntime = () => {
 	const output = new OutputManager();
 	const authStateStore = createFileCredentialsStore({
 		configDir: runtimeConfig.configDir,
-		credentialsPath: runtimeConfig.credentialsPath,
-		legacyCredentialsPath: runtimeConfig.legacyCredentialsPath,
-		telemetryPath: runtimeConfig.telemetryPath
+		credentialsPath: runtimeConfig.credentialsPath
 	});
 	const httpClient = createHttpClient();
 	const services = {
@@ -72047,6 +72047,11 @@ const createRuntime = () => {
 			executionEnvironment,
 			httpClient
 		}),
+		codemode: createMcpService({
+			baseUrl: runtimeConfig.baseUrl,
+			pathPrefix: "/code",
+			version: runtimeConfig.version
+		}),
 		mcp: createMcpService({
 			baseUrl: runtimeConfig.baseUrl,
 			version: runtimeConfig.version
@@ -72152,9 +72157,12 @@ const createProgram = (runtime, parseState) => {
 		return [
 			"",
 			"Examples:",
-			"  $ ogment auth login",
-			"  $ ogment catalog billing create_invoice --example",
-			"  $ ogment invoke billing create_invoice --input '{\"amount\":100}'",
+			"  $ ogment login",
+			"  $ ogment catalog",
+			"  $ ogment catalog billing",
+			"  $ ogment catalog billing execute",
+			"  $ ogment search billing --code 'return input'",
+			"  $ ogment execute billing --code 'return input' --input '{}'",
 			"",
 			"Run `ogment help <command>` for command-specific usage."
 		].join("\n");
@@ -72164,48 +72172,44 @@ const createProgram = (runtime, parseState) => {
 		runtime.output.configure(mapGlobalOutputOptions(options));
 		runtime.context.apiKeyOverride = options.apiKey;
 	});
-	const authCommand = program.command("auth").summary("Authenticate, inspect auth state, and logout").description("Authentication workflows").helpGroup("Authentication Commands:").helpCommand("help [command]", "Display help for auth commands").addHelpText("after", ({ error }) => {
-		if (error) return "";
-		return [
-			"",
-			"Examples:",
-			"  $ ogment auth login",
-			"  $ ogment auth status"
-		].join("\n");
+	program.command("login").summary("Authenticate this CLI installation").description("Start or complete browser-based login for this installation").helpGroup("Authentication Commands:").action(() => {
+		setInvocation({ kind: "login" });
 	});
-	authCommand.command("login").summary("Login with device flow (default)").description("Authenticate with Ogment using device flow (recommended)").action((_, command) => {
-		const { apiKey } = asGlobalOptions(command);
-		setInvocation({
-			apiKey,
-			kind: "auth_login"
-		});
+	program.command("logout").summary("Sign this CLI installation out").description("Sign out the current local CLI session").helpGroup("Authentication Commands:").action(() => {
+		setInvocation({ kind: "logout" });
 	});
-	authCommand.command("status").summary("Show current auth state").description("Show local authentication status").action(() => {
-		setInvocation({ kind: "auth_status" });
+	program.command("reset").summary("Reset this CLI installation").description("Wipe local state and create a fresh CLI installation identity").helpGroup("Authentication Commands:").action(() => {
+		setInvocation({ kind: "reset" });
 	});
-	authCommand.command("logout").summary("Delete local credentials and revoke token").description("Revoke token and delete local credentials").action(() => {
-		setInvocation({ kind: "auth_logout" });
-	});
-	program.command("catalog [serverId] [toolName]").summary("Discover servers and inspect tools").description("Discover servers and tools with progressive disclosure").helpGroup("Discovery Commands:").addOption(new Option("--cursor <cursor>", "Pagination cursor (catalog summary only)").conflicts("example")).addOption(new Option("--limit <limit>", "Maximum servers to return (catalog summary only)").argParser(parseCatalogLimitOption).conflicts("example")).addOption(new Option("--example", "Include a generated example input payload (tool details only)").conflicts(["cursor", "limit"])).action((serverId, toolName, options) => {
+	program.command("catalog").summary("Discover servers or inspect Codemode tools").description("Discover servers or inspect Codemode tools on a server").helpGroup("Discovery Commands:").argument("[serverId]", "Server id").argument("[toolName]", "Codemode tool name").addOption(new Option("--org <orgSlug>", "Organization slug").hideHelp()).addOption(new Option("--cursor <cursor>", "Pagination cursor for server discovery")).addOption(new Option("--limit <limit>", "Maximum servers to return").argParser(parseCatalogLimitOption)).action((serverId, toolName, options) => {
+		if (serverId !== void 0 && (options.cursor !== void 0 || options.limit !== void 0)) throw new InvalidArgumentError("--cursor and --limit are only supported for `ogment catalog`.");
 		setInvocation({
-			example: options.example === true,
 			kind: "catalog",
 			...options.cursor === void 0 ? {} : { cursor: options.cursor },
 			...options.limit === void 0 ? {} : { limit: options.limit },
+			...options.org === void 0 ? {} : { orgSlug: options.org },
 			...serverId === void 0 ? {} : { serverId },
 			...toolName === void 0 ? {} : { toolName }
 		});
 	});
-	program.command("invoke").summary("Invoke a tool by <server-id> <tool-name>").description("Invoke a tool using <server-id> <tool-name>").helpGroup("Execution Commands:").argument("<serverId>", "Server id").argument("<toolName>", "Tool name").addOption(new Option("--org <orgSlug>", "Organization slug").hideHelp()).option("--input <value>", "Input payload: inline JSON object, @path, or - for stdin").action((serverId, toolName, options) => {
+	program.command("search").summary("Search tools on a server via Codemode").description("Run Codemode search JavaScript against a server tool catalog").helpGroup("Execution Commands:").argument("<serverId>", "Server id").addOption(new Option("--org <orgSlug>", "Organization slug").hideHelp()).requiredOption("--code <value>", "JavaScript source: inline code, @path, or - for stdin").action((serverId, options) => {
 		setInvocation({
+			code: options.code,
+			kind: "search",
+			...options.org === void 0 ? {} : { orgSlug: options.org },
+			serverId
+		});
+	});
+	program.command("execute").summary("Execute Codemode JavaScript on a server").description("Run Codemode execute JavaScript with optional JSON input").helpGroup("Execution Commands:").argument("<serverId>", "Server id").addOption(new Option("--org <orgSlug>", "Organization slug").hideHelp()).requiredOption("--code <value>", "JavaScript source: inline code, @path, or - for stdin").option("--input <value>", "Input payload: inline JSON object, @path, or - for stdin").action((serverId, options) => {
+		setInvocation({
+			code: options.code,
+			kind: "execute",
 			input: options.input,
-			kind: "invoke",
 			...options.org === void 0 ? {} : { orgSlug: options.org },
-			serverId,
-			toolName
+			serverId
 		});
 	});
-	program.command("status").summary("Show runtime diagnostics").description("Show runtime configuration and connectivity diagnostics").helpGroup("Diagnostics Commands:").action(() => {
+	program.command("status").summary("Show runtime diagnostics and auth state").description("Show runtime configuration, connectivity, and auth diagnostics").helpGroup("Diagnostics Commands:").action(() => {
 		setInvocation({ kind: "status" });
 	});
 	program.action(() => {
@@ -72232,9 +72236,13 @@ const RUNTIME_ERROR_COMMAND_PATH = "ogment <runtime_error>";
 const PARSE_ERROR_COMMAND_PATH = "ogment <parse_error>";
 const CLI_PACKAGE_NAME = "@ogment-ai/cli";
 const PARSE_ERROR_SCOPE_COMMAND_PATHS = {
-	auth: "ogment auth <parse_error>",
+	login: "ogment login <parse_error>",
+	logout: "ogment logout <parse_error>",
+	reset: "ogment reset <parse_error>",
 	catalog: "ogment catalog <parse_error>",
-	invoke: "ogment invoke <parse_error>"
+	execute: "ogment execute <parse_error>",
+	search: "ogment search <parse_error>",
+	status: "ogment status <parse_error>"
 };
 const isParseErrorTelemetryScope = (value) => {
 	return value in PARSE_ERROR_SCOPE_COMMAND_PATHS;
@@ -72245,56 +72253,63 @@ const parseErrorCommandPath = (scope) => {
 	if (rootScope === void 0 || !isParseErrorTelemetryScope(rootScope)) return PARSE_ERROR_COMMAND_PATH;
 	return PARSE_ERROR_SCOPE_COMMAND_PATHS[rootScope];
 };
-const telemetryInputModeFromInvoke = (input) => {
+const telemetryInputModeFromExecute = (input) => {
 	if (input === void 0) return "none";
 	if (input === "-") return "stdin";
 	if (input.startsWith("@")) return "file";
 	return "inline_json";
 };
 const telemetryContextResolvers = {
-	auth_login: (_) => {
+	login: (_) => {
 		return {
-			commandKind: "auth_login",
-			commandPath: "ogment auth login",
+			commandKind: "login",
+			commandPath: "ogment login",
 			inputMode: null
 		};
 	},
-	auth_logout: (_) => {
+	logout: (_) => {
 		return {
-			commandKind: "auth_logout",
-			commandPath: "ogment auth logout",
+			commandKind: "logout",
+			commandPath: "ogment logout",
 			inputMode: null
 		};
 	},
-	auth_status: (_) => {
+	reset: (_) => {
 		return {
-			commandKind: "auth_status",
-			commandPath: "ogment auth status",
+			commandKind: "reset",
+			commandPath: "ogment reset",
 			inputMode: null
 		};
 	},
 	catalog: (invocation) => {
-		if (invocation.serverId === void 0) return {
-			commandKind: "catalog_summary",
-			commandPath: "ogment catalog",
+		if (invocation.toolName !== void 0 && invocation.serverId !== void 0) return {
+			commandKind: "catalog_tool_detail",
+			commandPath: "ogment catalog <server-id> <tool-name>",
 			inputMode: null
 		};
-		if (invocation.toolName === void 0) return {
-			commandKind: "catalog_tools",
+		if (invocation.serverId !== void 0) return {
+			commandKind: "catalog_detail",
 			commandPath: "ogment catalog <server-id>",
 			inputMode: null
 		};
 		return {
-			commandKind: "catalog_tool",
-			commandPath: "ogment catalog <server-id> <tool-name>",
+			commandKind: "catalog_summary",
+			commandPath: "ogment catalog",
 			inputMode: null
 		};
 	},
-	invoke: (invocation) => {
+	execute: (invocation) => {
 		return {
-			commandKind: "invoke",
-			commandPath: "ogment invoke <server-id> <tool-name>",
-			inputMode: telemetryInputModeFromInvoke(invocation.input)
+			commandKind: "execute",
+			commandPath: "ogment execute <server-id>",
+			inputMode: telemetryInputModeFromExecute(invocation.input)
+		};
+	},
+	search: (_) => {
+		return {
+			commandKind: "search",
+			commandPath: "ogment search <server-id>",
+			inputMode: null
 		};
 	},
 	root: (_) => {
@@ -72314,12 +72329,13 @@ const telemetryContextResolvers = {
 };
 const telemetryContextFromInvocation = (invocation) => {
 	switch (invocation.kind) {
-		case "auth_login": return telemetryContextResolvers.auth_login(invocation);
-		case "auth_logout": return telemetryContextResolvers.auth_logout(invocation);
-		case "auth_status": return telemetryContextResolvers.auth_status(invocation);
+		case "login": return telemetryContextResolvers.login(invocation);
+		case "logout": return telemetryContextResolvers.logout(invocation);
+		case "reset": return telemetryContextResolvers.reset(invocation);
 		case "catalog": return telemetryContextResolvers.catalog(invocation);
-		case "invoke": return telemetryContextResolvers.invoke(invocation);
+		case "execute": return telemetryContextResolvers.execute(invocation);
 		case "root": return telemetryContextResolvers.root(invocation);
+		case "search": return telemetryContextResolvers.search(invocation);
 		case "status": return telemetryContextResolvers.status(invocation);
 	}
 };
@@ -72353,9 +72369,7 @@ const emitRuntimeErrorTelemetry = async (output, input) => {
 	const telemetry = createTelemetryService({
 		authStateStore: createFileCredentialsStore({
 			configDir: telemetryConfig.configDir,
-			credentialsPath: telemetryConfig.credentialsPath,
-			legacyCredentialsPath: telemetryConfig.legacyCredentialsPath,
-			telemetryPath: telemetryConfig.telemetryPath
+			credentialsPath: telemetryConfig.credentialsPath
 		}),
 		baseUrl: telemetryConfig.baseUrl,
 		cliVersion: telemetryConfig.version,
@@ -72394,21 +72408,19 @@ const commandContextFromInvocation = (invocation, apiKeyOverride) => {
 	const withBase = (commandName, invocationKind, subcommand = void 0) => {
 		return {
 			commandName,
-			hasApiKeyOverride: invocation.kind === "auth_login" ? hasApiKeyOverride(invocation.apiKey) : hasApiKeyOverride(apiKeyOverride),
+			hasApiKeyOverride: hasApiKeyOverride(apiKeyOverride),
 			invocationKind,
 			subcommand
 		};
 	};
 	switch (invocation.kind) {
-		case "auth_login": return withBase("auth", "auth_login", "login");
-		case "auth_logout": return withBase("auth", "auth_logout", "logout");
-		case "auth_status": return withBase("auth", "auth_status", "status");
-		case "catalog":
-			if (invocation.toolName !== void 0) return withBase("catalog", "catalog", "tool");
-			if (invocation.serverId !== void 0) return withBase("catalog", "catalog", "server");
-			return withBase("catalog", "catalog", "summary");
-		case "invoke": return withBase("invoke", "invoke");
+		case "login": return withBase("login", "login");
+		case "logout": return withBase("logout", "logout");
+		case "reset": return withBase("reset", "reset");
+		case "catalog": return withBase("catalog", "catalog", "summary");
+		case "execute": return withBase("execute", "execute");
 		case "root": return withBase("ogment", "root");
+		case "search": return withBase("search", "search");
 		case "status": return withBase("status", "status");
 		default: return assertNever(invocation);
 	}
@@ -72560,4 +72572,4 @@ if (shouldExecuteCli(import.meta.url, process.argv[1])) await executeCli();
 
 //#endregion
 export { executeCli, runCli, shouldExecuteCli };
-//# debugId=75a9f438-9e34-4abd-88d2-6cd8a68d9950
+//# debugId=38b5ce38-06fe-4ef8-9580-b9d5110652a6