@ogment-ai/cli 0.9.1 → 0.10.0

package/dist/cli.js

@@ -7998,25 +7998,25 @@ const toJsonValue = (value) => {
 //#region src/shared/recovery.ts
 const defaultRecoveryByCode = {
 	[ERROR_CODE.authDeviceExpired]: {
-		command: "ogment auth login",
-		reason: "Device code expired; restart login to continue.",
+		command: "ogment login",
+		reason: "Login request expired; start login again to continue.",
 		title: "Restart login",
 		when: "immediate"
 	},
 	[ERROR_CODE.authDevicePending]: {
-		command: "ogment auth status",
-		reason: "Authorization is pending; check whether credentials are now available.",
-		title: "Check auth status",
+		command: "ogment login",
+		reason: "Authorization is pending; run login again after approving in the browser.",
+		title: "Complete login",
 		when: "immediate"
 	},
 	[ERROR_CODE.authInvalidCredentials]: {
-		command: "ogment auth logout",
-		reason: "Credentials are invalid; clear local state before re-authenticating.",
-		title: "Reset auth state",
+		command: "ogment login",
+		reason: "Credentials are invalid; sign in again to restore the local CLI session.",
+		title: "Sign in again",
 		when: "immediate"
 	},
 	[ERROR_CODE.authRequired]: {
-		command: "ogment auth login",
+		command: "ogment login",
 		reason: "Authentication is required before catalog or invoke commands can run.",
 		title: "Authenticate",
 		when: "immediate"
@@ -8367,36 +8367,55 @@ const isRecord$2 = (value) => {
 	return typeof value === "object" && value !== null;
 };
 
-//#endregion
-//#region src/shared/schemas.ts
-const credentialsFileSchema = object({
-	agentName: string().optional(),
-	apiKey: string().min(1).optional()
-});
-
 //#endregion
 //#region src/infra/credentials.ts
 const authStateFileSchema = object({
+	currentAuthRequest: object({
+		authRequestId: string().min(1),
+		expiresAt: string().min(1),
+		verificationUrl: string().min(1)
+	}).nullable().optional(),
+	installationId: uuid(),
+	session: object({
+		agentId: uuid(),
+		agentName: string().min(1),
+		apiKey: string().min(1),
+		credentialId: uuid(),
+		signedInAt: string().min(1)
+	}).nullable().optional(),
+	version: literal(3)
+}).strict();
+const authStateFileV2Schema = object({
+	installationId: uuid(),
+	pendingAuthRequest: object({
+		authRequestId: string().min(1),
+		expiresAt: string().min(1),
+		verificationUrl: string().min(1)
+	}).nullable().optional(),
+	session: object({
+		agentId: uuid(),
+		agentName: string().min(1),
+		apiKey: string().min(1),
+		credentialId: uuid(),
+		signedInAt: string().min(1)
+	}).nullable().optional(),
+	version: literal(2)
+}).strict();
+const legacyAuthStateFileSchema = object({
 	activeAuth: object({
 		agentName: string().optional(),
 		apiKey: string().min(1),
-		boundAt: string().optional(),
-		namespaceKey: string().min(1).optional(),
-		scopeFingerprint: string().min(1).optional()
+		boundAt: string().optional()
 	}).nullable().optional(),
 	installationId: uuid(),
 	pendingRequests: array(object({
 		authRequestId: string().min(1),
-		code: string().min(1),
 		createdAt: string().min(1),
 		expiresAt: string().min(1),
-		namespaceKey: string().min(1),
-		scopeFingerprint: string().min(1).optional(),
 		verificationUrl: string().min(1)
 	})).optional(),
 	version: literal(1)
 }).strict();
-const telemetryInstallationSchema = object({ installationId: uuid() }).strict();
 const LOCK_RETRY_DELAY_MS = 10;
 const LOCK_STALE_MS = 3e4;
 const LOCK_TIMEOUT_MS = 2e3;
@@ -8405,40 +8424,42 @@ const sleepBlocking = (milliseconds) => {
 	const view = new Int32Array(buffer);
 	Atomics.wait(view, 0, 0, milliseconds);
 };
-const normalizeCredentials = (value) => {
-	const parsed = parseWithSchema(credentialsFileSchema, value, "legacy credentials file");
-	if (Result.isError(parsed) || parsed.value.apiKey === void 0) return null;
-	return {
-		...parsed.value.agentName === void 0 ? {} : { agentName: parsed.value.agentName },
-		apiKey: parsed.value.apiKey
-	};
-};
 const normalizeAuthState = (value) => {
-	const parsed = parseWithSchema(authStateFileSchema, value, "auth state file");
-	if (Result.isError(parsed)) return null;
-	const activeAuth = parsed.value.activeAuth === void 0 || parsed.value.activeAuth === null ? null : {
-		...parsed.value.activeAuth.agentName === void 0 ? {} : { agentName: parsed.value.activeAuth.agentName },
-		apiKey: parsed.value.activeAuth.apiKey,
-		...parsed.value.activeAuth.boundAt === void 0 ? {} : { boundAt: parsed.value.activeAuth.boundAt },
-		...parsed.value.activeAuth.namespaceKey === void 0 ? {} : { namespaceKey: parsed.value.activeAuth.namespaceKey },
-		...parsed.value.activeAuth.scopeFingerprint === void 0 ? {} : { scopeFingerprint: parsed.value.activeAuth.scopeFingerprint }
-	};
-	const pendingRequests = (parsed.value.pendingRequests ?? []).map((request) => {
-		return {
-			authRequestId: request.authRequestId,
-			code: request.code,
-			createdAt: request.createdAt,
-			expiresAt: request.expiresAt,
-			namespaceKey: request.namespaceKey,
-			...request.scopeFingerprint === void 0 ? {} : { scopeFingerprint: request.scopeFingerprint },
-			verificationUrl: request.verificationUrl
-		};
-	});
+	const parsedCurrentState = parseWithSchema(authStateFileSchema, value, "auth state file");
+	if (Result.isOk(parsedCurrentState)) return {
+		needsMigration: false,
+		state: {
+			currentAuthRequest: parsedCurrentState.value.currentAuthRequest ?? null,
+			installationId: parsedCurrentState.value.installationId,
+			session: parsedCurrentState.value.session ?? null,
+			version: 3
+		}
+	};
+	const parsedLegacyV2State = parseWithSchema(authStateFileV2Schema, value, "auth state v2 file");
+	if (Result.isOk(parsedLegacyV2State)) return {
+		needsMigration: true,
+		state: {
+			currentAuthRequest: parsedLegacyV2State.value.pendingAuthRequest ?? null,
+			installationId: parsedLegacyV2State.value.installationId,
+			session: parsedLegacyV2State.value.session ?? null,
+			version: 3
+		}
+	};
+	const parsedV1 = parseWithSchema(legacyAuthStateFileSchema, value, "legacy auth state file");
+	if (Result.isError(parsedV1)) return null;
+	const latestPendingRequest = (parsedV1.value.pendingRequests ?? []).at(-1);
 	return {
-		activeAuth,
-		installationId: parsed.value.installationId,
-		pendingRequests,
-		version: 1
+		needsMigration: true,
+		state: {
+			currentAuthRequest: latestPendingRequest === void 0 ? null : {
+				authRequestId: latestPendingRequest.authRequestId,
+				expiresAt: latestPendingRequest.expiresAt,
+				verificationUrl: latestPendingRequest.verificationUrl
+			},
+			installationId: parsedV1.value.installationId,
+			session: null,
+			version: 3
+		}
 	};
 };
 const toCorruptPath = (path, nowFn) => {
@@ -8473,29 +8494,12 @@ const createFileCredentialsStore = (deps) => {
 	const unlinkSyncFn = deps.unlinkSyncFn ?? unlinkSync;
 	const writeFileSyncFn = deps.writeFileSyncFn ?? writeFileSync;
 	const lockPath = `${deps.credentialsPath}.lock`;
-	const readJsonFile = (path) => {
-		if (!existsSyncFn(path)) return null;
-		try {
-			return JSON.parse(readFileSyncFn(path, "utf8"));
-		} catch {
-			return null;
-		}
-	};
-	const readLegacyCredentials = () => {
-		return normalizeCredentials(readJsonFile(deps.legacyCredentialsPath));
-	};
-	const readLegacyInstallationId = () => {
-		const raw = readJsonFile(deps.telemetryPath);
-		if (raw === null) return null;
-		const parsed = telemetryInstallationSchema.safeParse(raw);
-		return parsed.success ? parsed.data.installationId : null;
-	};
 	const createEmptyState = (installationId = randomUuidFn()) => {
 		return {
-			activeAuth: null,
+			currentAuthRequest: null,
 			installationId,
-			pendingRequests: [],
-			version: 1
+			session: null,
+			version: 3
 		};
 	};
 	const withLock = (operation) => {
@@ -8588,43 +8592,33 @@ const createFileCredentialsStore = (deps) => {
 			}
 			throw error;
 		}
-		const parsed = normalizeAuthState(parsedJson);
-		if (parsed === null) {
+		const normalized = normalizeAuthState(parsedJson);
+		if (normalized === null) {
 			quarantineCorruptState();
 			return null;
 		}
-		return parsed;
-	};
-	const migrateStateFromLegacy = () => {
-		const migratedInstallationId = readLegacyInstallationId();
-		const migratedCredentials = readLegacyCredentials();
-		if (!(migratedInstallationId !== null || migratedCredentials !== null)) return null;
-		return {
-			...createEmptyState(migratedInstallationId ?? randomUuidFn()),
-			...migratedCredentials === null ? {} : { activeAuth: migratedCredentials }
-		};
+		return normalized;
 	};
 	const loadState = (options) => {
 		const currentState = loadStateFromDisk();
-		if (currentState !== null) return currentState;
-		const migratedState = migrateStateFromLegacy();
-		if (migratedState !== null) {
-			withLock(() => {
-				if (!existsSyncFn(deps.credentialsPath)) writeState(migratedState);
+		if (currentState !== null) {
+			if (currentState.needsMigration) withLock(() => {
+				const latest = loadStateFromDisk();
+				if (latest?.needsMigration) writeState(latest.state);
 			});
-			return loadStateFromDisk() ?? migratedState;
+			return currentState.state;
 		}
 		if (options?.persistIfMissing === true) {
 			const emptyState = createEmptyState();
 			withLock(() => {
 				if (!existsSyncFn(deps.credentialsPath)) writeState(emptyState);
 			});
-			return loadStateFromDisk() ?? emptyState;
+			return loadStateFromDisk()?.state ?? emptyState;
 		}
 		return null;
 	};
 	return {
-		clearPendingRequests: (namespaceKey) => {
+		clearCurrentAuthRequest: () => {
 			return Result.try({
 				catch: (cause) => new UnexpectedError({
 					cause,
@@ -8632,10 +8626,9 @@ const createFileCredentialsStore = (deps) => {
 				}),
 				try: () => {
 					withLock(() => {
-						const latest = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
 						writeState({
-							...latest,
-							pendingRequests: namespaceKey === void 0 ? [] : latest.pendingRequests.filter((request) => request.namespaceKey !== namespaceKey)
+							...loadStateFromDisk()?.state ?? createEmptyState(),
+							currentAuthRequest: null
 						});
 					});
 				}
@@ -8650,27 +8643,22 @@ const createFileCredentialsStore = (deps) => {
 				try: () => {
 					withLock(() => {
 						writeState({
-							...loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState(),
-							activeAuth: null,
-							pendingRequests: []
+							...loadStateFromDisk()?.state ?? createEmptyState(),
+							session: null
 						});
 					});
 				}
 			});
 		},
-		deletePendingRequest: (authRequestId) => {
+		reset: () => {
 			return Result.try({
 				catch: (cause) => new UnexpectedError({
 					cause,
-					message: "Failed to update local auth state"
+					message: "Failed to reset local auth state"
 				}),
 				try: () => {
 					withLock(() => {
-						const latest = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
-						writeState({
-							...latest,
-							pendingRequests: latest.pendingRequests.filter((request) => request.authRequestId !== authRequestId)
-						});
+						writeState(createEmptyState());
 					});
 				}
 			});
@@ -8688,14 +8676,14 @@ const createFileCredentialsStore = (deps) => {
 				}
 			});
 		},
-		listPendingRequests: () => {
+		getCurrentAuthRequest: () => {
 			return Result.try({
 				catch: (cause) => new UnexpectedError({
 					cause,
 					message: "Failed to load local auth state"
 				}),
 				try: () => {
-					return loadState()?.pendingRequests ?? [];
+					return loadState()?.currentAuthRequest ?? null;
 				}
 			});
 		},
@@ -8706,12 +8694,7 @@ const createFileCredentialsStore = (deps) => {
 					message: "Failed to load local auth state"
 				}),
 				try: () => {
-					const state = loadState();
-					if (state?.activeAuth === null || state === null) return null;
-					return {
-						...state.activeAuth.agentName === void 0 ? {} : { agentName: state.activeAuth.agentName },
-						apiKey: state.activeAuth.apiKey
-					};
+					return loadState()?.session ?? null;
 				}
 			});
 		},
@@ -8724,17 +8707,15 @@ const createFileCredentialsStore = (deps) => {
 				try: () => {
 					withLock(() => {
 						writeState({
-							...loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState(),
-							activeAuth: {
-								...credentials.agentName === void 0 ? {} : { agentName: credentials.agentName },
-								apiKey: credentials.apiKey
-							}
+							...loadStateFromDisk()?.state ?? createEmptyState(),
+							currentAuthRequest: null,
+							session: credentials
 						});
 					});
 				}
 			});
 		},
-		storeApprovedAuth: (credentials, namespaceKey) => {
+		saveCurrentAuthRequest: (request) => {
 			return Result.try({
 				catch: (cause) => new UnexpectedError({
 					cause,
@@ -8742,43 +8723,13 @@ const createFileCredentialsStore = (deps) => {
 				}),
 				try: () => {
 					withLock(() => {
-						const currentState = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
 						writeState({
-							...currentState,
-							activeAuth: {
-								...credentials.agentName === void 0 ? {} : { agentName: credentials.agentName },
-								apiKey: credentials.apiKey,
-								boundAt: nowFn().toISOString(),
-								...namespaceKey === void 0 ? {} : { namespaceKey }
-							},
-							pendingRequests: namespaceKey === void 0 ? [] : currentState.pendingRequests.filter((request) => request.namespaceKey !== namespaceKey)
-						});
-					});
-				}
-			});
-		},
-		savePendingRequest: (request) => {
-			return Result.try({
-				catch: (cause) => new UnexpectedError({
-					cause,
-					message: "Failed to update local auth state"
-				}),
-				try: () => {
-					withLock(() => {
-						const currentState = loadStateFromDisk() ?? migrateStateFromLegacy() ?? createEmptyState();
-						const pendingRequests = currentState.pendingRequests.filter((entry) => entry.authRequestId !== request.authRequestId);
-						pendingRequests.push({
-							authRequestId: request.authRequestId,
-							code: request.code,
-							createdAt: request.createdAt,
-							expiresAt: request.expiresAt,
-							namespaceKey: request.namespaceKey,
-							...request.scopeFingerprint === void 0 ? {} : { scopeFingerprint: request.scopeFingerprint },
-							verificationUrl: request.verificationUrl
-						});
-						writeState({
-							...currentState,
-							pendingRequests
+							...loadStateFromDisk()?.state ?? createEmptyState(),
+							currentAuthRequest: {
+								authRequestId: request.authRequestId,
+								expiresAt: request.expiresAt,
+								verificationUrl: request.verificationUrl
+							}
 						});
 					});
 				}
@@ -8800,7 +8751,7 @@ const DEFAULT_OGMENT_BASE_URL = "https://dashboard.ogment.ai";
 */
 const SENTRY_DSN_BUILD = "https://4219ab98670b61086758b4d0e31ae318@o4507724844957696.ingest.us.sentry.io/4510992932405248";
 const SENTRY_ENVIRONMENT_BUILD = "production";
-const SENTRY_RELEASE_BUILD = "cli-v0.9.1+git:99e999ee0";
+const SENTRY_RELEASE_BUILD = "cli-v0.10.0+git:4ebe33ce3";
 const packageJsonSchema = object({ version: string().min(1) });
 const hasCode = (value, code) => {
 	if (typeof value !== "object" || value === null) return false;
@@ -8859,14 +8810,17 @@ const telemetryRuntimeFields = (env, configDir) => {
 		credentialsPath: join(configDir, "auth-state.json"),
 		envApiKey: env["OGMENT_API_KEY"],
 		executionEnvironment: detectExecutionEnvironment(env),
-		legacyCredentialsPath: join(configDir, "credentials.json"),
 		telemetryDisabled: telemetryDisabledFromEnv(env),
-		telemetryPath: join(configDir, "telemetry.json"),
 		version: VERSION$2
 	};
 };
+const resolveConfigDir = (env, homeDirectory) => {
+	const configuredDir = env["OGMENT_CONFIG_DIR"]?.trim();
+	if (configuredDir && configuredDir.length > 0) return configuredDir;
+	return join(homeDirectory, ".config", "ogment");
+};
 const createRuntimeConfig = (env = process.env, homeDirectory = homedir()) => {
-	const configDir = join(homeDirectory, ".config", "ogment");
+	const configDir = resolveConfigDir(env, homeDirectory);
 	const envBaseUrl = env["OGMENT_BASE_URL"];
 	const hasBaseUrlOverride = typeof envBaseUrl === "string";
 	return {
@@ -8884,7 +8838,7 @@ const createRuntimeConfig = (env = process.env, homeDirectory = homedir()) => {
 	};
 };
 const createTelemetryRuntimeConfig = (env = process.env, homeDirectory = homedir()) => {
-	const configDir = join(homeDirectory, ".config", "ogment");
+	const configDir = resolveConfigDir(env, homeDirectory);
 	const parsedBaseUrl = baseUrlSchema.safeParse(env["OGMENT_BASE_URL"]);
 	return {
 		baseUrl: parsedBaseUrl.success ? parsedBaseUrl.data : DEFAULT_OGMENT_BASE_URL,
@@ -14151,7 +14105,13 @@ const cliOrgSchema = object({
 	role: string(),
 	servers: array(cliServerSchema)
 }).strict();
+const cliActingAgentSchema = object({
+	agentId: string().uuid(),
+	agentName: string().min(1),
+	boundInstallationId: string().uuid().nullable()
+}).strict();
 const cliMeDataSchema = object({
+	actingAgent: cliActingAgentSchema.nullable(),
 	email: string().nullable(),
 	imageUrl: string().nullable(),
 	name: string().nullable(),
@@ -14162,72 +14122,60 @@ const accountMeSchema = cliSuccessEnvelopeSchema(cliMeDataSchema);
 
 //#endregion
 //#region ../../packages/shared/src/cli/auth.ts
-const deviceCodeStartDataSchema = object({
-	deviceCode: string().min(1),
-	expiresIn: number$1().int().positive(),
-	interval: number$1().int().positive(),
-	userCode: string().min(1),
-	verificationUri: string().url()
-}).strict();
-const deviceCodeStartSchema = cliSuccessEnvelopeSchema(deviceCodeStartDataSchema);
 const authStartDataSchema = object({
 	authRequestId: string().min(1),
+	disposition: _enum([
+		"created",
+		"reused_approved",
+		"reused_pending"
+	]),
 	expiresAt: isoTimestampSchema,
-	userCode: string().min(1),
 	verificationUrl: string().url()
 }).strict();
 const authStartSchema = cliSuccessEnvelopeSchema(authStartDataSchema);
-const deviceTokenPendingDataSchema = object({ status: literal("authorization_pending") }).strict();
-const deviceTokenApprovedDataSchema = object({
-	agentName: string().min(1),
-	apiKey: string().min(1),
-	status: literal("approved")
-}).strict();
-const deviceTokenDataSchema = discriminatedUnion("status", [deviceTokenPendingDataSchema, deviceTokenApprovedDataSchema]);
-const deviceTokenSchema = cliSuccessEnvelopeSchema(deviceTokenDataSchema);
-const deviceTokenApprovedSchema = cliSuccessEnvelopeSchema(deviceTokenApprovedDataSchema);
 const authExchangePendingDataSchema = object({ status: literal("authorization_pending") }).strict();
 const authExchangeApprovedDataSchema = object({
+	agentId: string().uuid(),
 	agentName: string().min(1),
 	apiKey: string().min(1),
-	scopeFingerprint: string().min(1),
+	credentialId: string().uuid(),
 	status: literal("approved")
 }).strict();
 const authExchangeExpiredDataSchema = object({ status: literal("expired") }).strict();
-const authExchangeDeniedDataSchema = object({ status: literal("denied") }).strict();
-const authExchangeConflictDataSchema = object({ status: literal("conflict") }).strict();
 const authExchangeInvalidDataSchema = object({ status: literal("invalid") }).strict();
+const authExchangeSupersededDataSchema = object({ status: literal("superseded") }).strict();
 const authExchangeDataSchema = discriminatedUnion("status", [
 	authExchangePendingDataSchema,
 	authExchangeApprovedDataSchema,
 	authExchangeExpiredDataSchema,
-	authExchangeDeniedDataSchema,
-	authExchangeConflictDataSchema,
-	authExchangeInvalidDataSchema
+	authExchangeInvalidDataSchema,
+	authExchangeSupersededDataSchema
 ]);
 const authExchangeSchema = cliSuccessEnvelopeSchema(authExchangeDataSchema);
 const authExchangeApprovedSchema = cliSuccessEnvelopeSchema(authExchangeApprovedDataSchema);
-const revokeSelfDataSchema = object({ success: literal(true) }).strict();
-const revokeSelfSchema = cliSuccessEnvelopeSchema(revokeSelfDataSchema);
+const authMutationSuccessDataSchema = object({ success: literal(true) }).strict();
+const authLogoutDataSchema = authMutationSuccessDataSchema;
+const authLogoutSchema = cliSuccessEnvelopeSchema(authLogoutDataSchema);
+const authResetDataSchema = authMutationSuccessDataSchema;
+const authResetSchema = cliSuccessEnvelopeSchema(authResetDataSchema);
 
 //#endregion
 //#region ../../packages/shared/src/cli/endpoints.ts
 const cliEndpoints = {
 	accountMe: "/api/v1/cli/me",
-	authExchange: "/api/v1/cli/auth/exchange",
 	authStart: "/api/v1/cli/auth/start",
-	cliRevokeSelf: "/api/v1/cli/revoke-self",
-	deviceCode: "/api/v1/cli/device-code",
-	deviceToken: "/api/v1/cli/device-token",
+	authExchange: "/api/v1/cli/auth/exchange",
+	authLogout: "/api/v1/cli/auth/logout",
+	authReset: "/api/v1/cli/auth/reset",
 	telemetry: "/api/v1/cli/telemetry"
 };
 
 //#endregion
 //#region ../../packages/shared/src/cli/telemetry.ts
 const cliCommandKindSchema = _enum([
-	"auth_login",
-	"auth_logout",
-	"auth_status",
+	"login",
+	"logout",
+	"reset",
 	"catalog_summary",
 	"catalog_tool",
 	"catalog_tools",
@@ -14378,25 +14326,16 @@ const exitCodeForError = (error) => {
 
 //#endregion
 //#region src/commands/auth.ts
-const runAuthLoginCommand = async (context, options) => {
-	const loginOptions = (() => {
-		if (options.mode === "apiKey") return {
-			apiKey: options.apiKey,
-			mode: "apiKey"
-		};
-		return {
-			mode: "device",
-			...options.onPending === void 0 ? {} : { onPending: options.onPending }
-		};
-	})();
+const runLoginCommand = async (context, options) => {
+	const loginOptions = options.onPending === void 0 ? {} : { onPending: options.onPending };
 	return context.services.auth.login(loginOptions);
 };
-const runAuthStatusCommand = async (context) => {
-	return context.services.auth.status(context.apiKeyOverride);
-};
-const runAuthLogoutCommand = async (context) => {
+const runLogoutCommand = async (context) => {
 	return context.services.auth.logout();
 };
+const runResetCommand = async (context) => {
+	return context.services.auth.reset();
+};
 
 //#endregion
 //#region src/commands/server-context.ts
@@ -14831,13 +14770,6 @@ const buildJsonSchemaExample = (schema) => {
 //#endregion
 //#region src/cli/commands.ts
 const cliCommands = {
-	auth: {
-		help: () => "ogment auth --help",
-		login: () => "ogment auth login",
-		loginWithApiKeyRedacted: () => "ogment auth login --api-key <redacted>",
-		logout: () => "ogment auth logout",
-		status: () => "ogment auth status"
-	},
 	catalog: {
 		command: () => "ogment catalog",
 		server: (serverId) => `ogment catalog ${serverId}`,
@@ -14861,6 +14793,8 @@ const cliCommands = {
 		if (scope === null) return "ogment --help";
 		return `ogment ${scope} --help`;
 	},
+	login: { command: () => "ogment login" },
+	logout: { command: () => "ogment logout" },
 	invoke: {
 		command: (serverId, toolName, orgSlug) => [
 			"ogment invoke",
@@ -14896,9 +14830,9 @@ const cliCommands = {
 		command: () => "ogment",
 		commandsSurface: () => {
 			return [
-				"auth login",
-				"auth status",
-				"auth logout",
+				"login",
+				"logout",
+				"reset",
 				"catalog",
 				"catalog <server-id>",
 				"catalog <server-id> <tool-name>",
@@ -14908,6 +14842,7 @@ const cliCommands = {
 		},
 		help: () => "ogment --help"
 	},
+	reset: { command: () => "ogment reset" },
 	status: { command: () => "ogment status" }
 };
 
@@ -14946,15 +14881,11 @@ const ensureSuccess = (result, runtime, context) => {
 	}
 	return result.unwrap();
 };
-const nextActionsForLogin = (payload, mode) => {
-	return [nextAction("check_auth_status", "Check auth status", cliCommands.auth.status(), `Verify persisted credentials after ${mode} login for ${payload.agentName}.`, "immediate"), nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Logged in as ${payload.agentName} via ${mode}; discover available servers.`, "after_auth")];
+const nextActionsForLogin = (payload) => {
+	return [nextAction("inspect_status", "Inspect status", cliCommands.status.command(), `Verify the connected CLI state for ${payload.agentName}.`, "immediate"), nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Logged in as ${payload.agentName}; discover available servers.`, "after_auth")];
 };
-const nextActionsForPendingLogin = (userCode, verificationUri) => {
-	return [nextAction("check_login_status", "Check login status", cliCommands.auth.status(), `Approve ${userCode} at ${verificationUri}, then verify local auth state.`, "immediate"), nextAction("restart_device_login", "Restart login", cliCommands.auth.login(), `Restart login if code ${userCode} expires before approval.`, "if_expired")];
-};
-const nextActionsForAuthStatus = (payload) => {
-	if (!payload.loggedIn) return [nextAction("login", "Authenticate", cliCommands.auth.login(), "No API key is configured locally; login is required.", "immediate")];
-	return [nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Authenticated via ${payload.apiKeySource}; discover servers next.`, "after_auth")];
+const nextActionsForPendingLogin = (authRequestId, verificationUrl) => {
+	return [nextAction("complete_login", "Complete login", cliCommands.login.command(), `Approve request ${authRequestId} at ${verificationUrl}, then run login again to finish local sign-in.`, "immediate"), nextAction("inspect_status", "Inspect status", cliCommands.status.command(), "Inspect the current CLI state and diagnostics.", "if_expired")];
 };
 const nextActionsForCatalogSummary = (payload, context) => {
 	const actions = [];
@@ -14983,91 +14914,82 @@ const nextActionsForInvoke = (payload) => {
 	return [nextAction("inspect_tool", "Inspect tool schema", cliCommands.catalog.tool(payload.serverId, payload.toolName, { example: false }), `Review ${payload.serverId}/${payload.toolName} schema for the next invocation.`, "after_invoke")];
 };
 const nextActionsForStatus = (payload) => {
-	if (!payload.auth.apiKeyPresent) return [nextAction("login", "Authenticate", cliCommands.auth.login(), "Status detected no API key; authenticate first.", "immediate")];
+	if (!payload.auth.apiKeyPresent) return [nextAction("login", "Authenticate", cliCommands.login.command(), "Status detected no API key; authenticate first.", "immediate")];
 	return [nextAction("discover_servers", "Discover servers", cliCommands.catalog.command(), `Connectivity is ${payload.summary.status}; discover available servers.`, "after_status")];
 };
 const runLoginFlow = async (runtime, options) => {
-	const { commandOptions, invokedCommand, mode } = options.mode === "apiKey" ? {
-		commandOptions: options,
-		invokedCommand: cliCommands.auth.loginWithApiKeyRedacted(),
-		mode: "apiKey"
-	} : {
-		commandOptions: { mode: "device" },
-		invokedCommand: cliCommands.auth.login(),
-		mode: "device"
-	};
-	const data = ensureSuccess(await runAuthLoginCommand(runtime.context, commandOptions), runtime, {
-		command: invokedCommand,
-		entity: { mode }
-	});
+	const invokedCommand = cliCommands.login.command();
+	const data = ensureSuccess(await runLoginCommand(runtime.context, options), runtime, { command: invokedCommand });
 	if (!data.loggedIn) {
 		const pendingOutput = {
-			event: "auth_login.pending",
+			event: "login.pending",
 			loggedIn: false,
 			verification: data.verification
 		};
 		runtime.output.success(pendingOutput, {
 			command: invokedCommand,
 			entity: {
-				event: "auth_login.pending",
-				mode,
+				event: "login.pending",
 				verification: {
-					userCode: data.verification.userCode,
-					verificationUri: data.verification.verificationUri
+					authRequestId: data.verification.authRequestId,
+					verificationUrl: data.verification.verificationUrl
 				}
 			},
-			nextActions: nextActionsForPendingLogin(data.verification.userCode, data.verification.verificationUri)
+			nextActions: nextActionsForPendingLogin(data.verification.authRequestId, data.verification.verificationUrl)
 		});
 		return;
 	}
 	const outputData = {
 		...data,
-		event: "auth_login.completed"
+		event: "login.completed"
 	};
 	runtime.output.success(outputData, {
 		command: invokedCommand,
 		entity: {
 			agentName: data.agentName,
-			event: "auth_login.completed",
+			event: "login.completed",
 			loggedIn: data.loggedIn,
-			mode,
 			outcome: data.outcome
 		},
-		nextActions: nextActionsForLogin(data, mode)
+		nextActions: nextActionsForLogin(data)
 	});
 };
-const executeAuthLoginInvocation = async (runtime, invocation) => {
-	if (invocation.apiKey !== void 0) {
-		await runLoginFlow(runtime, {
-			apiKey: invocation.apiKey,
-			mode: "apiKey"
-		});
-		return;
-	}
-	await runLoginFlow(runtime, { mode: "device" });
+const executeLoginInvocation = async (runtime, _invocation) => {
+	await runLoginFlow(runtime, {});
 };
-const executeAuthStatusInvocation = async (runtime) => {
-	const command = cliCommands.auth.status();
-	const data = ensureSuccess(await runAuthStatusCommand(runtime.context), runtime, { command });
-	runtime.output.success(data, {
+const executeLogoutInvocation = async (runtime) => {
+	const command = cliCommands.logout.command();
+	const data = ensureSuccess(await runLogoutCommand(runtime.context), runtime, { command });
+	const outputData = {
+		...data,
+		event: "logout.completed"
+	};
+	runtime.output.success(outputData, {
 		command,
 		entity: {
-			apiKeySource: data.apiKeySource,
-			loggedIn: data.loggedIn
+			event: "logout.completed",
+			localStateCleared: data.localStateCleared,
+			remoteSignedOut: data.remoteSignedOut
 		},
-		nextActions: nextActionsForAuthStatus(data)
+		nextActions: [nextAction("login", "Authenticate again", cliCommands.login.command(), "Sign-out completed; run login when you want to reconnect this installation.", "after_logout")]
 	});
 };
-const executeAuthLogoutInvocation = async (runtime) => {
-	const command = cliCommands.auth.logout();
-	const data = ensureSuccess(await runAuthLogoutCommand(runtime.context), runtime, { command });
-	runtime.output.success(data, {
+const executeResetInvocation = async (runtime) => {
+	const command = cliCommands.reset.command();
+	const data = ensureSuccess(await runResetCommand(runtime.context), runtime, { command });
+	const outputData = {
+		...data,
+		event: "reset.completed"
+	};
+	runtime.output.success(outputData, {
 		command,
 		entity: {
-			localCredentialsDeleted: data.localCredentialsDeleted,
-			revoked: data.revoked
+			event: "reset.completed",
+			installationReset: data.installationReset,
+			localStateCleared: data.localStateCleared,
+			remoteReset: data.remoteReset
 		},
-		nextActions: [nextAction("login", "Authenticate again", cliCommands.auth.login(), "Logout completed; authenticate again before further tool calls.", "after_logout")]
+		nextActions: [nextAction("login", "Authenticate this fresh install", cliCommands.login.command(), "Reset completed; run login to create or reconnect this installation.", "after_reset"), nextAction("inspect_status", "Inspect status", cliCommands.status.command(), "Inspect the fresh-install CLI state and diagnostics.", "after_reset")]
 	});
 };
 const executeCatalogInvocation = async (runtime, invocation) => {
@@ -15254,19 +15176,19 @@ const executeRootInvocation = (runtime) => {
 	runtime.output.success({ commands: cliCommands.root.commandsSurface() }, {
 		command: cliCommands.root.command(),
 		entity: null,
-		nextActions: [nextAction("login", "Authenticate", cliCommands.auth.login(), "Authenticate first so catalog and invoke commands can run.", "immediate"), nextAction("catalog", "Discover servers", cliCommands.catalog.command(), "List accessible servers and tool counts.", "after_auth")]
+		nextActions: [nextAction("login", "Authenticate", cliCommands.login.command(), "Authenticate first so catalog and invoke commands can run.", "immediate"), nextAction("catalog", "Discover servers", cliCommands.catalog.command(), "List accessible servers and tool counts.", "after_auth")]
 	});
 };
 const executeInvocation = async (runtime, invocation) => {
 	switch (invocation.kind) {
-		case "auth_login":
-			await executeAuthLoginInvocation(runtime, invocation);
+		case "login":
+			await executeLoginInvocation(runtime, invocation);
 			return;
-		case "auth_logout":
-			await executeAuthLogoutInvocation(runtime);
+		case "logout":
+			await executeLogoutInvocation(runtime);
 			return;
-		case "auth_status":
-			await executeAuthStatusInvocation(runtime);
+		case "reset":
+			await executeResetInvocation(runtime);
 			return;
 		case "catalog":
 			await executeCatalogInvocation(runtime, invocation);
@@ -15339,19 +15261,19 @@ const nextActionForParseError = (scope, helpCommand) => {
 	};
 };
 const parseActionsForScope = (scope, helpAction) => {
-	if (scope === "auth") return [
+	if (scope === "login" || scope === "logout" || scope === "reset") return [
 		{
-			command: cliCommands.auth.login(),
-			id: "auth_login",
-			reason: "Authenticate with device flow.",
-			title: "Auth login",
+			command: cliCommands.login.command(),
+			id: "login",
+			reason: "Authenticate this CLI installation.",
+			title: "Login",
 			when: "immediate"
 		},
 		{
-			command: cliCommands.auth.status(),
-			id: "auth_status",
-			reason: "Check current local authentication state.",
-			title: "Auth status",
+			command: cliCommands.status.command(),
+			id: "status",
+			reason: "Inspect the current CLI state and diagnostics.",
+			title: "Status",
 			when: "immediate"
 		},
 		helpAction
@@ -60807,8 +60729,8 @@ const createAccountService = (deps) => {
 			mapStatusError: (response, body) => {
 				if (response.status === 401) return new AuthError({
 					code: ERROR_CODE.authInvalidCredentials,
-					message: "Authentication failed. Run `ogment auth login` again.",
-					recovery: { command: "ogment auth login" }
+					message: "Authentication failed. Run `ogment login` again.",
+					recovery: { command: "ogment login" }
 				});
 				return new RemoteRequestError({
 					body,
@@ -60829,7 +60751,6 @@ const createAccountService = (deps) => {
 
 //#endregion
 //#region src/services/auth.ts
-const DEFAULT_NAMESPACE_KEY = "default";
 const toEndpointUrl = (baseUrl, endpoint) => {
 	return `${baseUrl}${endpoint}`;
 };
@@ -60839,85 +60760,138 @@ const authStartUrl = (baseUrl) => {
 const authExchangeUrl = (baseUrl) => {
 	return toEndpointUrl(baseUrl, cliEndpoints.authExchange);
 };
-const isExpiredPendingRequest = (request, nowMs) => {
+const authLogoutUrl = (baseUrl) => {
+	return toEndpointUrl(baseUrl, cliEndpoints.authLogout);
+};
+const authResetUrl = (baseUrl) => {
+	return toEndpointUrl(baseUrl, cliEndpoints.authReset);
+};
+const accountMeUrl = (baseUrl) => {
+	return toEndpointUrl(baseUrl, cliEndpoints.accountMe);
+};
+const toLoginPendingInfo = (request) => {
+	if (request === null) return null;
+	return {
+		authRequestId: request.authRequestId,
+		verificationUrl: request.verificationUrl
+	};
+};
+const isExpiredCurrentAuthRequest = (request, nowMs) => {
 	const parsedExpiresAt = Date.parse(request.expiresAt);
 	return !Number.isNaN(parsedExpiresAt) && parsedExpiresAt <= nowMs;
 };
 const createAuthService = (deps) => {
 	const now = deps.now ?? Date.now;
-	const storeApprovedAuth = (approvedAuth, namespaceKey = DEFAULT_NAMESPACE_KEY) => {
-		return deps.credentialsStore.storeApprovedAuth({
-			agentName: approvedAuth.agentName,
-			apiKey: approvedAuth.apiKey
-		}, namespaceKey);
-	};
-	const saveApiKeyAuth = (approvedAuth) => {
+	const storeApprovedAuth = (approvedAuth) => {
 		return deps.credentialsStore.save({
+			agentId: approvedAuth.agentId,
 			agentName: approvedAuth.agentName,
-			apiKey: approvedAuth.apiKey
+			apiKey: approvedAuth.apiKey,
+			credentialId: approvedAuth.credentialId,
+			signedInAt: new Date(now()).toISOString()
 		});
 	};
-	const tryExchangePendingRequests = async () => {
-		const installationIdResult = deps.credentialsStore.getInstallationId();
-		if (Result.isError(installationIdResult)) return installationIdResult;
-		const pendingRequestsResult = deps.credentialsStore.listPendingRequests();
-		if (Result.isError(pendingRequestsResult)) return pendingRequestsResult;
-		const pendingRequests = [...pendingRequestsResult.value].toSorted((a, b) => {
-			return a.createdAt.localeCompare(b.createdAt);
+	const loadLocalAuthSnapshot = () => {
+		const installationId = deps.credentialsStore.getInstallationId();
+		if (Result.isError(installationId)) return installationId;
+		const session = deps.credentialsStore.load();
+		if (Result.isError(session)) return session;
+		const currentAuthRequest = deps.credentialsStore.getCurrentAuthRequest();
+		if (Result.isError(currentAuthRequest)) return currentAuthRequest;
+		return Result.ok({
+			currentAuthRequest: currentAuthRequest.value,
+			installationId: installationId.value,
+			session: session.value
 		});
-		for (const pendingRequest of pendingRequests) {
-			if (isExpiredPendingRequest(pendingRequest, now())) {
-				const deleteResult = deps.credentialsStore.deletePendingRequest(pendingRequest.authRequestId);
-				if (Result.isError(deleteResult)) return deleteResult;
-				continue;
-			}
-			const exchangePayload = await requestJson(deps.httpClient, authExchangeUrl(deps.baseUrl), authExchangeSchema, {
-				body: JSON.stringify({
-					authRequestId: pendingRequest.authRequestId,
-					installationId: installationIdResult.value,
-					namespaceKey: pendingRequest.namespaceKey
-				}),
-				headers: { "Content-Type": "application/json" },
-				method: "POST"
-			}, {
-				context: "auth exchange response",
-				mapStatusError: (response, body) => new RemoteRequestError({
+	};
+	const clearCurrentAuthRequest = () => {
+		return deps.credentialsStore.clearCurrentAuthRequest();
+	};
+	const toStoredAuthorizationHeader = (session) => {
+		return session === null ? null : `Bearer ${session.apiKey}`;
+	};
+	const validateStoredCredentials = async (apiKey) => {
+		const response = await requestJson(deps.httpClient, accountMeUrl(deps.baseUrl), accountMeSchema, { headers: { Authorization: `Bearer ${apiKey}` } }, {
+			context: "account response",
+			mapStatusError: (httpResponse, body) => {
+				if (httpResponse.status === 401) return new AuthError({
+					code: ERROR_CODE.authInvalidCredentials,
+					message: "Stored CLI session is invalid. Run `ogment login` to sign in again.",
+					recovery: { command: "ogment login" }
+				});
+				return new RemoteRequestError({
 					body,
-					httpStatus: response.status,
-					message: "Failed to exchange pending CLI auth",
-					operation: "auth/exchange",
+					httpStatus: httpResponse.status,
+					message: "Failed to validate current CLI session",
+					operation: "account/fetch",
 					raw: body,
 					source: "http"
-				}),
-				operation: "auth/exchange"
-			});
-			if (Result.isError(exchangePayload)) return exchangePayload;
-			const exchangeData = exchangePayload.value.data;
-			if (exchangeData.status === "authorization_pending") continue;
-			if (exchangeData.status === "approved") {
-				const storeResult = storeApprovedAuth({
-					agentName: exchangeData.agentName,
-					apiKey: exchangeData.apiKey
-				}, pendingRequest.namespaceKey);
-				if (Result.isError(storeResult)) return storeResult;
-				return Result.ok({
-					agentName: exchangeData.agentName,
-					apiKey: exchangeData.apiKey
 				});
-			}
-			const deleteResult = deps.credentialsStore.deletePendingRequest(pendingRequest.authRequestId);
-			if (Result.isError(deleteResult)) return deleteResult;
+			},
+			operation: "account/fetch"
+		});
+		if (Result.isError(response)) {
+			if (response.error instanceof AuthError && response.error.code === ERROR_CODE.authInvalidCredentials) return Result.ok(false);
+			return response;
 		}
-		return Result.ok(null);
+		return Result.ok(true);
 	};
-	const loginWithDevice = async (options) => {
-		const installationIdResult = deps.credentialsStore.getInstallationId();
-		if (Result.isError(installationIdResult)) return installationIdResult;
+	const exchangeCurrentAuthRequest = async (snapshot) => {
+		const currentAuthRequest = snapshot.currentAuthRequest;
+		if (currentAuthRequest === null) return Result.ok({ kind: "none" });
+		if (isExpiredCurrentAuthRequest(currentAuthRequest, now())) {
+			const clearResult = clearCurrentAuthRequest();
+			if (Result.isError(clearResult)) return clearResult;
+			return Result.ok({ kind: "none" });
+		}
+		const exchangePayload = await requestJson(deps.httpClient, authExchangeUrl(deps.baseUrl), authExchangeSchema, {
+			body: JSON.stringify({
+				authRequestId: currentAuthRequest.authRequestId,
+				installationId: snapshot.installationId
+			}),
+			headers: { "Content-Type": "application/json" },
+			method: "POST"
+		}, {
+			context: "auth exchange response",
+			mapStatusError: (response, body) => new RemoteRequestError({
+				body,
+				httpStatus: response.status,
+				message: "Failed to exchange current CLI auth request",
+				operation: "auth/exchange",
+				raw: body,
+				source: "http"
+			}),
+			operation: "auth/exchange"
+		});
+		if (Result.isError(exchangePayload)) return exchangePayload;
+		const exchangeData = exchangePayload.value.data;
+		if (exchangeData.status === "authorization_pending") return Result.ok({
+			kind: "pending",
+			request: currentAuthRequest
+		});
+		if (exchangeData.status === "approved") {
+			const approvedAuth = {
+				agentId: exchangeData.agentId,
+				agentName: exchangeData.agentName,
+				apiKey: exchangeData.apiKey,
+				credentialId: exchangeData.credentialId
+			};
+			const storeResult = storeApprovedAuth(approvedAuth);
+			if (Result.isError(storeResult)) return storeResult;
+			return Result.ok({
+				auth: approvedAuth,
+				kind: "approved"
+			});
+		}
+		const clearResult = clearCurrentAuthRequest();
+		if (Result.isError(clearResult)) return clearResult;
+		return Result.ok({ kind: "none" });
+	};
+	const startOrRecoverLogin = async (installationId, options) => {
 		const startPayload = await requestJson(deps.httpClient, authStartUrl(deps.baseUrl), authStartSchema, {
 			body: JSON.stringify({
 				...deps.executionEnvironment === void 0 ? {} : { executionEnvironment: deps.executionEnvironment },
-				installationId: installationIdResult.value,
-				namespaceKey: DEFAULT_NAMESPACE_KEY
+				installationId
 			}),
 			headers: { "Content-Type": "application/json" },
 			method: "POST"
@@ -60934,76 +60908,140 @@ const createAuthService = (deps) => {
 			operation: "auth/start"
 		});
 		if (Result.isError(startPayload)) return startPayload;
-		const savePendingRequestResult = deps.credentialsStore.savePendingRequest({
+		const currentAuthRequest = {
 			authRequestId: startPayload.value.data.authRequestId,
-			code: startPayload.value.data.userCode,
-			createdAt: new Date(now()).toISOString(),
 			expiresAt: startPayload.value.data.expiresAt,
-			namespaceKey: DEFAULT_NAMESPACE_KEY,
 			verificationUrl: startPayload.value.data.verificationUrl
-		});
-		if (Result.isError(savePendingRequestResult)) return savePendingRequestResult;
-		const verification = {
-			userCode: startPayload.value.data.userCode,
-			verificationUri: startPayload.value.data.verificationUrl
 		};
-		options.onPending?.(verification);
+		const saveCurrentAuthRequestResult = deps.credentialsStore.saveCurrentAuthRequest(currentAuthRequest);
+		if (Result.isError(saveCurrentAuthRequestResult)) return saveCurrentAuthRequestResult;
+		if (startPayload.value.data.disposition === "reused_approved") {
+			const exchangedCurrentAuthRequest = await exchangeCurrentAuthRequest({
+				currentAuthRequest,
+				installationId,
+				session: null
+			});
+			if (Result.isError(exchangedCurrentAuthRequest)) return exchangedCurrentAuthRequest;
+			if (exchangedCurrentAuthRequest.value.kind === "approved") return Result.ok({
+				agentName: exchangedCurrentAuthRequest.value.auth.agentName,
+				loggedIn: true,
+				outcome: "authenticated"
+			});
+		}
+		const verification = toLoginPendingInfo(currentAuthRequest);
+		if (verification !== null) options.onPending?.(verification);
 		return Result.ok({
 			agentName: null,
 			loggedIn: false,
 			outcome: "pending_approval",
-			verification
+			verification: verification ?? {
+				authRequestId: currentAuthRequest.authRequestId,
+				verificationUrl: currentAuthRequest.verificationUrl
+			}
 		});
 	};
 	return {
 		login: async (options) => {
-			if (options.mode === "apiKey" && options.apiKey.length > 0) {
-				const saveResult = saveApiKeyAuth({
-					agentName: "CLI Agent",
-					apiKey: options.apiKey
-				});
-				if (Result.isError(saveResult)) return saveResult;
-				return Result.ok({
-					agentName: "CLI Agent",
+			const snapshot = loadLocalAuthSnapshot();
+			if (Result.isError(snapshot)) return snapshot;
+			if (snapshot.value.session !== null) {
+				const validationResult = await validateStoredCredentials(snapshot.value.session.apiKey);
+				if (Result.isError(validationResult)) return validationResult;
+				if (validationResult.value) return Result.ok({
+					agentName: snapshot.value.session.agentName ?? "CLI Agent",
 					loggedIn: true,
-					outcome: "authenticated"
+					outcome: "already_authenticated"
 				});
+				const deleteResult = deps.credentialsStore.delete();
+				if (Result.isError(deleteResult)) return deleteResult;
 			}
-			if (options.mode === "apiKey") return Result.err(new ValidationError({
-				code: ERROR_CODE.validationInvalidInput,
-				message: "Missing API key value. Provide a non-empty API key.",
-				recovery: { command: "ogment auth login --api-key <key>" }
-			}));
-			const stored = deps.credentialsStore.load();
-			if (Result.isError(stored)) return stored;
-			if (stored.value !== null) return Result.ok({
-				agentName: stored.value.agentName ?? "CLI Agent",
-				loggedIn: true,
-				outcome: "already_authenticated"
-			});
-			const exchangedPendingAuth = await tryExchangePendingRequests();
-			if (Result.isError(exchangedPendingAuth)) return exchangedPendingAuth;
-			if (exchangedPendingAuth.value !== null) return Result.ok({
-				agentName: exchangedPendingAuth.value.agentName,
+			const exchangedCurrentAuthRequest = await exchangeCurrentAuthRequest(snapshot.value);
+			if (Result.isError(exchangedCurrentAuthRequest)) return exchangedCurrentAuthRequest;
+			if (exchangedCurrentAuthRequest.value.kind === "approved") return Result.ok({
+				agentName: exchangedCurrentAuthRequest.value.auth.agentName,
 				loggedIn: true,
 				outcome: "authenticated"
 			});
-			return loginWithDevice(options);
+			if (exchangedCurrentAuthRequest.value.kind === "pending") {
+				const verification = toLoginPendingInfo(exchangedCurrentAuthRequest.value.request);
+				if (verification !== null) options.onPending?.(verification);
+				return Result.ok({
+					agentName: null,
+					loggedIn: false,
+					outcome: "pending_approval",
+					verification: verification ?? {
+						authRequestId: exchangedCurrentAuthRequest.value.request.authRequestId,
+						verificationUrl: exchangedCurrentAuthRequest.value.request.verificationUrl
+					}
+				});
+			}
+			return startOrRecoverLogin(snapshot.value.installationId, options);
 		},
 		logout: async () => {
-			const stored = deps.credentialsStore.load();
-			if (Result.isError(stored)) return stored;
-			const pendingRequestsResult = deps.credentialsStore.listPendingRequests();
-			if (Result.isError(pendingRequestsResult)) return pendingRequestsResult;
-			if (!(stored.value !== null || pendingRequestsResult.value.length > 0)) return Result.ok({
-				localCredentialsDeleted: false,
-				revoked: false
+			const snapshot = loadLocalAuthSnapshot();
+			if (Result.isError(snapshot)) return snapshot;
+			if (snapshot.value.session === null) return Result.ok({
+				localStateCleared: false,
+				remoteSignedOut: false
 			});
+			const storedAuthorizationHeader = toStoredAuthorizationHeader(snapshot.value.session);
+			let remoteSignedOut = false;
+			if (storedAuthorizationHeader !== null) {
+				const logoutPayload = await requestJson(deps.httpClient, authLogoutUrl(deps.baseUrl), authLogoutSchema, {
+					headers: { Authorization: storedAuthorizationHeader },
+					method: "POST"
+				}, {
+					context: "auth logout response",
+					mapStatusError: (response, body) => new RemoteRequestError({
+						body,
+						httpStatus: response.status,
+						message: "Failed to sign out current CLI session",
+						operation: "auth/logout",
+						raw: body,
+						source: "http"
+					}),
+					operation: "auth/logout"
+				});
+				if (Result.isOk(logoutPayload)) remoteSignedOut = true;
+			}
 			const deleteResult = deps.credentialsStore.delete();
 			if (Result.isError(deleteResult)) return deleteResult;
 			return Result.ok({
-				localCredentialsDeleted: true,
-				revoked: false
+				localStateCleared: true,
+				remoteSignedOut
+			});
+		},
+		reset: async () => {
+			const snapshot = loadLocalAuthSnapshot();
+			if (Result.isError(snapshot)) return snapshot;
+			const storedAuthorizationHeader = toStoredAuthorizationHeader(snapshot.value.session);
+			const remoteResetResult = await requestJson(deps.httpClient, authResetUrl(deps.baseUrl), authResetSchema, {
+				body: JSON.stringify({ installationId: snapshot.value.installationId }),
+				headers: {
+					"Content-Type": "application/json",
+					...storedAuthorizationHeader === null ? {} : { Authorization: storedAuthorizationHeader }
+				},
+				method: "POST"
+			}, {
+				context: "auth reset response",
+				mapStatusError: (response, body) => new RemoteRequestError({
+					body,
+					httpStatus: response.status,
+					message: "Failed to reset current CLI installation",
+					operation: "auth/reset",
+					raw: body,
+					source: "http"
+				}),
+				operation: "auth/reset"
+			});
+			const remoteReset = Result.isOk(remoteResetResult);
+			const localStateCleared = snapshot.value.session !== null || snapshot.value.currentAuthRequest !== null;
+			const resetLocalStateResult = deps.credentialsStore.reset();
+			if (Result.isError(resetLocalStateResult)) return resetLocalStateResult;
+			return Result.ok({
+				installationReset: true,
+				localStateCleared,
+				remoteReset
 			});
 		},
 		resolveApiKey: async (overrideApiKey) => {
@@ -61014,42 +61052,16 @@ const createAuthService = (deps) => {
 			});
 			if (resolution.apiKey !== null) return Result.ok(resolution.apiKey);
 			if (resolution.source === "credentialsError" && resolution.loadError) return Result.err(resolution.loadError);
-			const exchangedPendingAuth = await tryExchangePendingRequests();
-			if (Result.isError(exchangedPendingAuth)) return exchangedPendingAuth;
-			if (exchangedPendingAuth.value !== null) return Result.ok(exchangedPendingAuth.value.apiKey);
+			const snapshot = loadLocalAuthSnapshot();
+			if (Result.isError(snapshot)) return snapshot;
+			const exchangedCurrentAuthRequest = await exchangeCurrentAuthRequest(snapshot.value);
+			if (Result.isError(exchangedCurrentAuthRequest)) return exchangedCurrentAuthRequest;
+			if (exchangedCurrentAuthRequest.value.kind === "approved") return Result.ok(exchangedCurrentAuthRequest.value.auth.apiKey);
 			return Result.err(new AuthError({
 				code: ERROR_CODE.authRequired,
-				message: "Not logged in. Run `ogment auth login` or set OGMENT_API_KEY.",
-				recovery: { command: "ogment auth login" }
+				message: "Not logged in. Run `ogment login` or set OGMENT_API_KEY.",
+				recovery: { command: "ogment login" }
 			}));
-		},
-		status: async (overrideApiKey) => {
-			const resolution = resolveApiKey({
-				apiKeyOverride: overrideApiKey,
-				credentialsStore: deps.credentialsStore,
-				envApiKey: deps.envApiKey
-			});
-			if (resolution.source === "credentialsError" && resolution.loadError) return Result.err(resolution.loadError);
-			if (resolution.apiKey !== null) {
-				const apiKeySource = resolution.source === "credentialsFile" ? "credentialsFile" : resolution.source === "apiKeyOption" ? "apiKeyOption" : "env";
-				return Result.ok({
-					agentName: resolution.agentName,
-					apiKeySource,
-					loggedIn: true
-				});
-			}
-			const exchangedPendingAuth = await tryExchangePendingRequests();
-			if (Result.isError(exchangedPendingAuth)) return exchangedPendingAuth;
-			if (exchangedPendingAuth.value !== null) return Result.ok({
-				agentName: exchangedPendingAuth.value.agentName,
-				apiKeySource: "credentialsFile",
-				loggedIn: true
-			});
-			return Result.ok({
-				agentName: null,
-				apiKeySource: "none",
-				loggedIn: false
-			});
 		}
 	};
 };
@@ -61062,9 +61074,9 @@ const maskApiKey = (apiKey) => {
 };
 const nextActionByIssueCode = (includeDebug) => {
 	return {
-		auth_failed: "Run `ogment auth login` to refresh credentials.",
+		auth_failed: "Run `ogment login` to refresh credentials.",
 		credentials_load_failed: "Check file permissions and contents of `~/.config/ogment/auth-state.json`.",
-		no_api_key: "Run `ogment auth login` or set `OGMENT_API_KEY`.",
+		no_api_key: "Run `ogment login` or set `OGMENT_API_KEY`.",
 		unreachable: includeDebug ? "Verify `OGMENT_BASE_URL` and network connectivity." : "Verify network connectivity."
 	};
 };
@@ -61103,6 +61115,8 @@ const createInfoService = (deps) => {
 			credentialsStore: deps.credentialsStore,
 			envApiKey: deps.envApiKey
 		});
+		const installationIdResult = deps.credentialsStore.getInstallationId();
+		const installationId = Result.isOk(installationIdResult) ? installationIdResult.value : null;
 		const selectedApiKey = apiKeyResolution.apiKey;
 		const credentialsFileExists = existsSyncFn(deps.credentialsPath);
 		const endpoint = `${deps.baseUrl}${cliEndpoints.accountMe}`;
@@ -61127,6 +61141,7 @@ const createInfoService = (deps) => {
 		};
 		const collectAccount = async () => {
 			if (selectedApiKey === null) return {
+				actingAgent: null,
 				...emptyAccountErrorDetails(),
 				errorType: null,
 				latencyMs: null,
@@ -61144,6 +61159,12 @@ const createInfoService = (deps) => {
 					return organization.servers.map((server) => server.path);
 				});
 				return {
+					actingAgent: accountResult.value.actingAgent === null ? null : {
+						agentId: accountResult.value.actingAgent.agentId,
+						agentName: accountResult.value.actingAgent.agentName,
+						boundInstallationId: accountResult.value.actingAgent.boundInstallationId,
+						boundToCurrentInstallation: installationId === null || accountResult.value.actingAgent.boundInstallationId === null ? null : accountResult.value.actingAgent.boundInstallationId === installationId
+					},
 					...emptyAccountErrorDetails(),
 					errorType: null,
 					latencyMs: accountElapsedMs,
@@ -61170,6 +61191,7 @@ const createInfoService = (deps) => {
 					break;
 			}
 			return {
+				actingAgent: null,
 				..."code" in accountResult.error ? { errorCode: String(accountResult.error.code) } : { errorCode: null },
 				..."httpStatus" in accountResult.error ? { errorHttpStatus: typeof accountResult.error.httpStatus === "number" ? accountResult.error.httpStatus : null } : { errorHttpStatus: null },
 				..."mcpCode" in accountResult.error ? { errorMcpCode: typeof accountResult.error.mcpCode === "number" ? accountResult.error.mcpCode : null } : { errorMcpCode: null },
@@ -61215,13 +61237,18 @@ const createInfoService = (deps) => {
 			code: "unexpected_diagnostic_error",
 			message: `Unexpected diagnostic error: ${account.message ?? "unknown error"}`
 		});
+		if (Result.isError(installationIdResult)) issues.push({
+			code: "credentials_load_failed",
+			message: `Failed to load installation identity: ${installationIdResult.error.message}`
+		});
 		return {
 			auth: {
 				apiKeyPresent: selectedApiKey !== null,
 				apiKeyPreview: selectedApiKey === null ? null : maskApiKey(selectedApiKey),
 				apiKeySource: apiKeyResolution.source,
 				credentialsFileExists,
-				credentialsFileLoadError: apiKeyResolution.loadError?.message ?? null
+				credentialsFileLoadError: apiKeyResolution.loadError?.message ?? null,
+				installationId
 			},
 			config: {
 				baseUrl: deps.baseUrl,
@@ -61238,7 +61265,9 @@ const createInfoService = (deps) => {
 				],
 				quickCommands: [
 					"ogment status",
-					"ogment auth login",
+					"ogment login",
+					"ogment logout",
+					"ogment reset",
 					"ogment catalog",
 					"ogment catalog <server-id>",
 					"ogment catalog <server-id> <tool-name>",
@@ -72030,9 +72059,7 @@ const createRuntime = () => {
 	const output = new OutputManager();
 	const authStateStore = createFileCredentialsStore({
 		configDir: runtimeConfig.configDir,
-		credentialsPath: runtimeConfig.credentialsPath,
-		legacyCredentialsPath: runtimeConfig.legacyCredentialsPath,
-		telemetryPath: runtimeConfig.telemetryPath
+		credentialsPath: runtimeConfig.credentialsPath
 	});
 	const httpClient = createHttpClient();
 	const services = {
@@ -72152,7 +72179,7 @@ const createProgram = (runtime, parseState) => {
 		return [
 			"",
 			"Examples:",
-			"  $ ogment auth login",
+			"  $ ogment login",
 			"  $ ogment catalog billing create_invoice --example",
 			"  $ ogment invoke billing create_invoice --input '{\"amount\":100}'",
 			"",
@@ -72164,27 +72191,14 @@ const createProgram = (runtime, parseState) => {
 		runtime.output.configure(mapGlobalOutputOptions(options));
 		runtime.context.apiKeyOverride = options.apiKey;
 	});
-	const authCommand = program.command("auth").summary("Authenticate, inspect auth state, and logout").description("Authentication workflows").helpGroup("Authentication Commands:").helpCommand("help [command]", "Display help for auth commands").addHelpText("after", ({ error }) => {
-		if (error) return "";
-		return [
-			"",
-			"Examples:",
-			"  $ ogment auth login",
-			"  $ ogment auth status"
-		].join("\n");
-	});
-	authCommand.command("login").summary("Login with device flow (default)").description("Authenticate with Ogment using device flow (recommended)").action((_, command) => {
-		const { apiKey } = asGlobalOptions(command);
-		setInvocation({
-			apiKey,
-			kind: "auth_login"
-		});
+	program.command("login").summary("Authenticate this CLI installation").description("Start or complete browser-based login for this installation").helpGroup("Authentication Commands:").action(() => {
+		setInvocation({ kind: "login" });
 	});
-	authCommand.command("status").summary("Show current auth state").description("Show local authentication status").action(() => {
-		setInvocation({ kind: "auth_status" });
+	program.command("logout").summary("Sign this CLI installation out").description("Sign out the current local CLI session").helpGroup("Authentication Commands:").action(() => {
+		setInvocation({ kind: "logout" });
 	});
-	authCommand.command("logout").summary("Delete local credentials and revoke token").description("Revoke token and delete local credentials").action(() => {
-		setInvocation({ kind: "auth_logout" });
+	program.command("reset").summary("Reset this CLI installation").description("Wipe local state and create a fresh CLI installation identity").helpGroup("Authentication Commands:").action(() => {
+		setInvocation({ kind: "reset" });
 	});
 	program.command("catalog [serverId] [toolName]").summary("Discover servers and inspect tools").description("Discover servers and tools with progressive disclosure").helpGroup("Discovery Commands:").addOption(new Option("--cursor <cursor>", "Pagination cursor (catalog summary only)").conflicts("example")).addOption(new Option("--limit <limit>", "Maximum servers to return (catalog summary only)").argParser(parseCatalogLimitOption).conflicts("example")).addOption(new Option("--example", "Include a generated example input payload (tool details only)").conflicts(["cursor", "limit"])).action((serverId, toolName, options) => {
 		setInvocation({
@@ -72205,7 +72219,7 @@ const createProgram = (runtime, parseState) => {
 			toolName
 		});
 	});
-	program.command("status").summary("Show runtime diagnostics").description("Show runtime configuration and connectivity diagnostics").helpGroup("Diagnostics Commands:").action(() => {
+	program.command("status").summary("Show runtime diagnostics and auth state").description("Show runtime configuration, connectivity, and auth diagnostics").helpGroup("Diagnostics Commands:").action(() => {
 		setInvocation({ kind: "status" });
 	});
 	program.action(() => {
@@ -72232,9 +72246,12 @@ const RUNTIME_ERROR_COMMAND_PATH = "ogment <runtime_error>";
 const PARSE_ERROR_COMMAND_PATH = "ogment <parse_error>";
 const CLI_PACKAGE_NAME = "@ogment-ai/cli";
 const PARSE_ERROR_SCOPE_COMMAND_PATHS = {
-	auth: "ogment auth <parse_error>",
+	login: "ogment login <parse_error>",
+	logout: "ogment logout <parse_error>",
+	reset: "ogment reset <parse_error>",
 	catalog: "ogment catalog <parse_error>",
-	invoke: "ogment invoke <parse_error>"
+	invoke: "ogment invoke <parse_error>",
+	status: "ogment status <parse_error>"
 };
 const isParseErrorTelemetryScope = (value) => {
 	return value in PARSE_ERROR_SCOPE_COMMAND_PATHS;
@@ -72252,24 +72269,24 @@ const telemetryInputModeFromInvoke = (input) => {
 	return "inline_json";
 };
 const telemetryContextResolvers = {
-	auth_login: (_) => {
+	login: (_) => {
 		return {
-			commandKind: "auth_login",
-			commandPath: "ogment auth login",
+			commandKind: "login",
+			commandPath: "ogment login",
 			inputMode: null
 		};
 	},
-	auth_logout: (_) => {
+	logout: (_) => {
 		return {
-			commandKind: "auth_logout",
-			commandPath: "ogment auth logout",
+			commandKind: "logout",
+			commandPath: "ogment logout",
 			inputMode: null
 		};
 	},
-	auth_status: (_) => {
+	reset: (_) => {
 		return {
-			commandKind: "auth_status",
-			commandPath: "ogment auth status",
+			commandKind: "reset",
+			commandPath: "ogment reset",
 			inputMode: null
 		};
 	},
@@ -72314,9 +72331,9 @@ const telemetryContextResolvers = {
 };
 const telemetryContextFromInvocation = (invocation) => {
 	switch (invocation.kind) {
-		case "auth_login": return telemetryContextResolvers.auth_login(invocation);
-		case "auth_logout": return telemetryContextResolvers.auth_logout(invocation);
-		case "auth_status": return telemetryContextResolvers.auth_status(invocation);
+		case "login": return telemetryContextResolvers.login(invocation);
+		case "logout": return telemetryContextResolvers.logout(invocation);
+		case "reset": return telemetryContextResolvers.reset(invocation);
 		case "catalog": return telemetryContextResolvers.catalog(invocation);
 		case "invoke": return telemetryContextResolvers.invoke(invocation);
 		case "root": return telemetryContextResolvers.root(invocation);
@@ -72353,9 +72370,7 @@ const emitRuntimeErrorTelemetry = async (output, input) => {
 	const telemetry = createTelemetryService({
 		authStateStore: createFileCredentialsStore({
 			configDir: telemetryConfig.configDir,
-			credentialsPath: telemetryConfig.credentialsPath,
-			legacyCredentialsPath: telemetryConfig.legacyCredentialsPath,
-			telemetryPath: telemetryConfig.telemetryPath
+			credentialsPath: telemetryConfig.credentialsPath
 		}),
 		baseUrl: telemetryConfig.baseUrl,
 		cliVersion: telemetryConfig.version,
@@ -72394,15 +72409,15 @@ const commandContextFromInvocation = (invocation, apiKeyOverride) => {
 	const withBase = (commandName, invocationKind, subcommand = void 0) => {
 		return {
 			commandName,
-			hasApiKeyOverride: invocation.kind === "auth_login" ? hasApiKeyOverride(invocation.apiKey) : hasApiKeyOverride(apiKeyOverride),
+			hasApiKeyOverride: hasApiKeyOverride(apiKeyOverride),
 			invocationKind,
 			subcommand
 		};
 	};
 	switch (invocation.kind) {
-		case "auth_login": return withBase("auth", "auth_login", "login");
-		case "auth_logout": return withBase("auth", "auth_logout", "logout");
-		case "auth_status": return withBase("auth", "auth_status", "status");
+		case "login": return withBase("login", "login");
+		case "logout": return withBase("logout", "logout");
+		case "reset": return withBase("reset", "reset");
 		case "catalog":
 			if (invocation.toolName !== void 0) return withBase("catalog", "catalog", "tool");
 			if (invocation.serverId !== void 0) return withBase("catalog", "catalog", "server");
@@ -72560,4 +72575,4 @@ if (shouldExecuteCli(import.meta.url, process.argv[1])) await executeCli();
 
 //#endregion
 export { executeCli, runCli, shouldExecuteCli };
-//# debugId=75a9f438-9e34-4abd-88d2-6cd8a68d9950
+//# debugId=af3eaa67-a183-47bc-ab25-5c28a25c0929