@oh-my-pi/pi-coding-agent 15.1.2 → 15.1.3

package/src/cli/auth-gateway-cli.ts

@@ -0,0 +1,342 @@
+/**
+ * `omp auth-gateway` command handlers.
+ *
+ * Boots a forward-proxy server that lets less-trusted clients (the macOS
+ * usage widget, robomp containers, …) make provider API calls without ever
+ * seeing the access token. The gateway is itself a broker client and
+ * resolves credentials through the configured broker (via the same
+ * `OMP_AUTH_BROKER_URL` / `auth.broker.url` precedence used elsewhere).
+ *
+ * Sub-verbs:
+ *   - `serve [--bind=…]` — boots the gateway against the configured broker.
+ *   - `token` / `token --regenerate` — manages the gateway bearer token file.
+ *   - `status` — prints the locally-stored gateway token and bind hint.
+ */
+import * as crypto from "node:crypto";
+import * as fs from "node:fs/promises";
+import * as path from "node:path";
+import {
+	type Api,
+	AuthBrokerClient,
+	AuthStorage,
+	DEFAULT_AUTH_GATEWAY_BIND,
+	type GeneratedProvider,
+	getBundledModels,
+	getBundledProviders,
+	type Model,
+	RemoteAuthCredentialStore,
+	type SnapshotResponse,
+	startAuthGateway,
+} from "@oh-my-pi/pi-ai";
+import { getConfigRootDir, isEnoent, VERSION } from "@oh-my-pi/pi-utils";
+import chalk from "chalk";
+import { type AuthBrokerClientConfig, resolveAuthBrokerConfig } from "../session/auth-broker-config";
+
+export type AuthGatewayAction = "serve" | "token" | "status";
+
+export interface AuthGatewayCommandArgs {
+	action: AuthGatewayAction;
+	flags: {
+		json?: boolean;
+		bind?: string;
+		regenerate?: boolean;
+		/**
+		 * Disable bearer-token auth on inbound requests. Useful when the gateway
+		 * is bound to loopback (the default `127.0.0.1:4000`) and you don't want
+		 * to wire token-paste plumbing into every local client.
+		 */
+		noAuth?: boolean;
+	};
+}
+
+const ACTIONS: readonly AuthGatewayAction[] = ["serve", "token", "status"];
+
+function getTokenFilePath(): string {
+	return path.join(getConfigRootDir(), "auth-gateway.token");
+}
+
+async function readToken(): Promise<string | null> {
+	try {
+		const raw = await Bun.file(getTokenFilePath()).text();
+		const trimmed = raw.trim();
+		return trimmed.length > 0 ? trimmed : null;
+	} catch (err) {
+		if (isEnoent(err)) return null;
+		throw err;
+	}
+}
+
+async function writeToken(token: string): Promise<void> {
+	const file = getTokenFilePath();
+	await fs.mkdir(path.dirname(file), { recursive: true, mode: 0o700 });
+	await fs.writeFile(file, token, { mode: 0o600 });
+	try {
+		await fs.chmod(file, 0o600);
+	} catch {
+		// Best-effort (e.g. Windows).
+	}
+}
+
+/**
+ * Atomically create the token file, refusing to clobber an existing one.
+ * Returns `true` on success, `false` when the file already existed (so the
+ * caller re-reads it instead of racing another concurrent `ensureToken`).
+ */
+async function createTokenExclusive(token: string): Promise<boolean> {
+	const file = getTokenFilePath();
+	await fs.mkdir(path.dirname(file), { recursive: true, mode: 0o700 });
+	try {
+		// `wx` = O_CREAT | O_EXCL — fails with EEXIST if the file is already there.
+		await fs.writeFile(file, token, { flag: "wx", mode: 0o600 });
+	} catch (err) {
+		if ((err as NodeJS.ErrnoException).code === "EEXIST") return false;
+		throw err;
+	}
+	try {
+		await fs.chmod(file, 0o600);
+	} catch {
+		// Best-effort (e.g. Windows).
+	}
+	return true;
+}
+
+function generateToken(): string {
+	return crypto.randomBytes(32).toString("base64url");
+}
+
+async function ensureToken(): Promise<string> {
+	const existing = await readToken();
+	if (existing) return existing;
+	const token = generateToken();
+	if (await createTokenExclusive(token)) return token;
+	// Another concurrent invocation won the create race; read what they wrote.
+	const fromRace = await readToken();
+	if (fromRace) return fromRace;
+	// File existed-then-disappeared between EEXIST and read; last resort, write
+	// our generated token unconditionally so callers don't see an empty string.
+	await writeToken(token);
+	return token;
+}
+
+function createBrokerClient(brokerConfig: AuthBrokerClientConfig): AuthBrokerClient {
+	return new AuthBrokerClient({ url: brokerConfig.url, token: brokerConfig.token });
+}
+
+async function fetchBrokerSnapshot(client: AuthBrokerClient): Promise<SnapshotResponse> {
+	const result = await client.fetchSnapshot();
+	if (result.status !== 200) throw new Error("Auth broker returned no initial snapshot");
+	return result.snapshot;
+}
+
+async function runServe(flags: AuthGatewayCommandArgs["flags"]): Promise<void> {
+	const brokerConfig = await resolveAuthBrokerConfig();
+	if (!brokerConfig) {
+		throw new Error(
+			"`omp auth-gateway serve` requires OMP_AUTH_BROKER_URL (or `auth.broker.url`/`auth.broker.token` in config.yml). The gateway is itself a broker client.",
+		);
+	}
+	const bind = flags.bind ?? DEFAULT_AUTH_GATEWAY_BIND;
+	const gatewayToken = flags.noAuth ? null : await ensureToken();
+
+	// Build a broker-backed AuthStorage — same pattern as discoverAuthStorage()
+	// in sdk.ts. The gateway never touches local SQLite.
+	const client = createBrokerClient(brokerConfig);
+	const initialSnapshot = await fetchBrokerSnapshot(client);
+	const store = new RemoteAuthCredentialStore({ client, initialSnapshot });
+	// Refresh + usage both flow through the store's broker hooks automatically —
+	// `RemoteAuthCredentialStore.refreshOAuthCredential` and `.fetchUsageReports`.
+	// AuthStorage discovers them when no explicit option overrides them, so the
+	// gateway only needs to construct the store and pass it in.
+	const storage = new AuthStorage(store, {
+		sourceLabel: `broker ${brokerConfig.url}`,
+	});
+	await storage.reload();
+
+	// Build the model resolver + catalog from pi-ai's bundled metadata, scoped
+	// to providers we hold credentials for. Format handlers ask `resolveModel`
+	// to translate a client-requested `model` field into a pi-ai `Model<Api>`
+	// before dispatch; `listModels` powers `/v1/models`.
+	const snapshot = storage.exportSnapshot();
+	const providersWithCreds = new Set<string>();
+	for (const entry of snapshot.credentials) providersWithCreds.add(entry.provider);
+	const modelById = new Map<string, Model<Api>>();
+	for (const provider of getBundledProviders()) {
+		if (!providersWithCreds.has(provider)) continue;
+		for (const model of getBundledModels(provider as GeneratedProvider)) {
+			// First-write-wins so a canonical model id collisions across providers
+			// stick to the provider listed first by getBundledProviders.
+			if (!modelById.has(model.id)) modelById.set(model.id, model);
+		}
+	}
+
+	const handle = startAuthGateway({
+		storage,
+		bind,
+		bearerTokens: gatewayToken ? [gatewayToken] : [],
+		version: VERSION,
+		resolveModel: (id: string) => modelById.get(id),
+		listModels: () => modelById.values(),
+	});
+	process.stdout.write(`auth-gateway listening on ${handle.url}\n`);
+	if (gatewayToken) {
+		process.stdout.write(`bearer token: ${getTokenFilePath()} (chmod 0600)\n`);
+	} else {
+		process.stdout.write(`auth: disabled (--no-auth) — any client can call this gateway\n`);
+	}
+	process.stdout.write(`upstream broker: ${brokerConfig.url}\n`);
+
+	const stopped = Promise.withResolvers<void>();
+	let shutdownStarted = false;
+	const stop = async (signal: NodeJS.Signals): Promise<void> => {
+		if (shutdownStarted) return;
+		shutdownStarted = true;
+		process.stdout.write(`\nReceived ${signal}, shutting down...\n`);
+		let closeError: unknown;
+		try {
+			await handle.close();
+		} catch (error) {
+			closeError = error;
+		} finally {
+			storage.close();
+		}
+		if (closeError) {
+			stopped.reject(closeError);
+		} else {
+			stopped.resolve();
+		}
+	};
+	const onSigint = (): void => {
+		void stop("SIGINT");
+	};
+	const onSigterm = (): void => {
+		void stop("SIGTERM");
+	};
+	process.once("SIGINT", onSigint);
+	process.once("SIGTERM", onSigterm);
+
+	try {
+		await stopped.promise;
+	} finally {
+		process.off("SIGINT", onSigint);
+		process.off("SIGTERM", onSigterm);
+	}
+}
+
+async function runToken(flags: AuthGatewayCommandArgs["flags"]): Promise<void> {
+	if (flags.regenerate) {
+		const next = generateToken();
+		await writeToken(next);
+		if (flags.json) {
+			process.stdout.write(`${JSON.stringify({ token: next, path: getTokenFilePath() })}\n`);
+		} else {
+			process.stdout.write(`${next}\n`);
+		}
+		return;
+	}
+	const token = await ensureToken();
+	if (flags.json) {
+		process.stdout.write(`${JSON.stringify({ token, path: getTokenFilePath() })}\n`);
+	} else {
+		process.stdout.write(`${token}\n`);
+	}
+}
+
+async function runStatus(flags: AuthGatewayCommandArgs["flags"]): Promise<void> {
+	const token = await readToken();
+	const brokerConfig = await resolveAuthBrokerConfig();
+	const tokenFile = getTokenFilePath();
+	if (!brokerConfig) {
+		const status = {
+			ready: false,
+			reason: "not_configured",
+			tokenFile,
+			tokenPresent: token !== null,
+			broker: null,
+			brokerConfigured: false,
+			brokerAuthenticated: false,
+		};
+		if (flags.json) {
+			process.stdout.write(`${JSON.stringify(status)}\n`);
+		} else {
+			process.stdout.write(`${chalk.yellow("No broker configured.")} Set OMP_AUTH_BROKER_URL.\n`);
+			process.stdout.write(
+				`token: ${status.tokenPresent ? chalk.green("present") : chalk.red("missing")} at ${status.tokenFile}\n`,
+			);
+		}
+		process.exitCode = 1;
+		return;
+	}
+
+	try {
+		const snapshot = await fetchBrokerSnapshot(createBrokerClient(brokerConfig));
+		const tokenPresent = token !== null;
+		const status = {
+			ready: tokenPresent,
+			reason: tokenPresent ? null : "token_missing",
+			tokenFile,
+			tokenPresent,
+			broker: brokerConfig.url,
+			brokerConfigured: true,
+			brokerAuthenticated: true,
+			credentialCount: snapshot.credentials.length,
+		};
+		if (flags.json) {
+			process.stdout.write(`${JSON.stringify(status)}\n`);
+		} else {
+			const brokerLine = `upstream broker: ${brokerConfig.url} (${snapshot.credentials.length} credential${
+				snapshot.credentials.length === 1 ? "" : "s"
+			})`;
+			process.stdout.write(`${tokenPresent ? chalk.green("ready") : chalk.yellow("not ready")} ${brokerLine}\n`);
+			process.stdout.write(
+				`token: ${tokenPresent ? chalk.green("present") : chalk.red("missing")} at ${status.tokenFile}\n`,
+			);
+			if (!tokenPresent) {
+				process.stdout.write(
+					"Run `omp auth-gateway token` or `omp auth-gateway serve` to create a bearer token.\n",
+				);
+			}
+		}
+		if (!tokenPresent) process.exitCode = 1;
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		const status = {
+			ready: false,
+			reason: "broker_unavailable",
+			tokenFile,
+			tokenPresent: token !== null,
+			broker: brokerConfig.url,
+			brokerConfigured: true,
+			brokerAuthenticated: false,
+			error: message,
+		};
+		if (flags.json) {
+			process.stdout.write(`${JSON.stringify(status)}\n`);
+		} else {
+			process.stdout.write(`${chalk.red("FAILED")} upstream broker: ${brokerConfig.url}: ${message}\n`);
+			process.stdout.write(
+				`token: ${status.tokenPresent ? chalk.green("present") : chalk.red("missing")} at ${status.tokenFile}\n`,
+			);
+		}
+		process.exitCode = 1;
+	}
+}
+
+export async function runAuthGatewayCommand(cmd: AuthGatewayCommandArgs): Promise<void> {
+	switch (cmd.action) {
+		case "serve":
+			await runServe(cmd.flags);
+			return;
+		case "token":
+			await runToken(cmd.flags);
+			return;
+		case "status":
+			await runStatus(cmd.flags);
+			return;
+		default: {
+			const _exhaustive: never = cmd.action;
+			throw new Error(`Unknown auth-gateway action: ${String(_exhaustive)}`);
+		}
+	}
+}
+
+export { ACTIONS as AUTH_GATEWAY_ACTIONS };

package/src/cli/grievances-cli.ts

@@ -1,9 +1,9 @@
 /**
- * CLI handler for `omp grievances` — view reported tool issues from auto-QA.
+ * CLI handler for `omp grievances` — view, clean, and manually push reported tool issues.
  */
-import { Database } from "bun:sqlite";
 import chalk from "chalk";
-import { getAutoQaDbPath } from "../tools/report-tool-issue";
+import { Settings } from "../config/settings";
+import { flushGrievances, openAutoQaDb } from "../tools/report-tool-issue";
 
 interface GrievanceRow {
 	id: number;
@@ -30,20 +30,12 @@ export interface CleanGrievancesOptions {
 	json?: boolean;
 }
 
-function openDb(readonly: boolean): Database | null {
-	try {
-		// bun:sqlite rejects `{ readonly: false }` — it requires either readonly,
-		// readwrite, or create flags to be explicit. Use the default constructor
-		// (readwrite + create) for write mode and only pass `readonly: true` when
-		// listing.
-		return readonly ? new Database(getAutoQaDbPath(), { readonly: true }) : new Database(getAutoQaDbPath());
-	} catch {
-		return null;
-	}
+export interface PushGrievancesOptions {
+	/** Emit the {@link FlushResult} as JSON instead of a status line. */
+	json?: boolean;
 }
-
 export async function listGrievances(options: ListGrievancesOptions): Promise<void> {
-	const db = openDb(true);
+	const db = openAutoQaDb();
 	if (!db) {
 		if (options.json) {
 			console.log("[]");
@@ -112,7 +104,7 @@ export async function cleanGrievances(options: CleanGrievancesOptions): Promise<
 		return;
 	}
 
-	const db = openDb(false);
+	const db = openAutoQaDb();
 	if (!db) {
 		if (options.json) {
 			console.log(JSON.stringify({ deleted: 0 }));
@@ -161,3 +153,104 @@ export async function cleanGrievances(options: CleanGrievancesOptions): Promise<
 		db.close();
 	}
 }
+
+// ───────────────────────────────────────────────────────────────────────────
+// Manual push (`omp grievances push`)
+// ───────────────────────────────────────────────────────────────────────────
+
+/**
+ * Single-line ANSI progress reporter. `update(done)` rewrites the line via
+ * `\r`; `finish()` newlines out so subsequent log lines land cleanly. On a
+ * non-TTY stdout (CI, pipes) both calls no-op so log files don't fill with
+ * carriage-return noise.
+ */
+interface ProgressBar {
+	update(done: number): void;
+	finish(): void;
+}
+
+function makeProgressBar(total: number, width = 30): ProgressBar {
+	const isTty = !!process.stdout.isTTY;
+	if (!isTty || total === 0) {
+		return { update: () => undefined, finish: () => undefined };
+	}
+	const render = (done: number): void => {
+		const ratio = Math.min(1, done / total);
+		const filled = Math.round(ratio * width);
+		const bar = `${"█".repeat(filled)}${"░".repeat(width - filled)}`;
+		const pct = `${Math.floor(ratio * 100)
+			.toString()
+			.padStart(3, " ")}%`;
+		process.stdout.write(`\r${chalk.cyan("Pushing")} [${bar}] ${pct} ${done}/${total}`);
+	};
+	render(0);
+	return {
+		update: render,
+		finish: () => process.stdout.write("\n"),
+	};
+}
+
+/**
+ * Manually drain every unpushed grievance to the configured backend,
+ * ignoring the user-facing consent gate (manual push is the user's
+ * explicit "yes ship these now" intent).
+ *
+ * Requires endpoint configuration (default `qa.omp.sh/v1/grievances`).
+ */
+export async function pushGrievances(options: PushGrievancesOptions): Promise<void> {
+	const db = openAutoQaDb();
+	if (!db) {
+		if (options.json) {
+			console.log(JSON.stringify({ pushed: 0, ok: false, skipped: true, reason: "no_db" }));
+		} else {
+			console.log(chalk.dim("No grievances database found — nothing to push."));
+		}
+		return;
+	}
+	const settings = await Settings.init();
+	let bar: ProgressBar = { update: () => undefined, finish: () => undefined };
+	let total = 0;
+
+	try {
+		const result = await flushGrievances(db, settings, {
+			bypassConsent: true,
+			onStart: t => {
+				total = t;
+				if (!options.json) bar = makeProgressBar(t);
+			},
+			onProgress: pushed => bar.update(pushed),
+		});
+		bar.finish();
+
+		if (options.json) {
+			console.log(JSON.stringify(result));
+			return;
+		}
+
+		if (result.skipped) {
+			console.log(
+				chalk.yellow(
+					"Push skipped — no endpoint configured. Set `dev.autoqaPush.endpoint` or `PI_AUTO_QA_PUSH_URL`.",
+				),
+			);
+			return;
+		}
+		if (total === 0) {
+			console.log(chalk.dim("Nothing to push — all grievances are already shipped."));
+			return;
+		}
+		if (result.ok) {
+			console.log(chalk.green(`Pushed ${result.pushed}/${total} grievance${result.pushed === 1 ? "" : "s"}.`));
+			return;
+		}
+		const remaining = total - result.pushed;
+		console.log(
+			chalk.red(
+				`Push failed after ${result.pushed}/${total}; ${remaining} grievance${remaining === 1 ? "" : "s"} remain unpushed.`,
+			),
+		);
+		process.exitCode = 1;
+	} finally {
+		db.close();
+	}
+}

package/src/cli.ts

@@ -18,7 +18,7 @@ procmgr.scrubProcessEnv();
  * CLI entry point — registers all commands explicitly and delegates to the
  * lightweight CLI runner from pi-utils.
  */
-import { type CommandEntry, run } from "@oh-my-pi/pi-utils/cli";
+import { type CliConfig, type CommandEntry, run } from "@oh-my-pi/pi-utils/cli";
 
 if (Bun.semver.order(Bun.version, MIN_BUN_VERSION) < 0) {
 	process.stderr.write(
@@ -32,6 +32,8 @@ process.title = APP_NAME;
 const commands: CommandEntry[] = [
 	{ name: "launch", load: () => import("./commands/launch").then(m => m.default) },
 	{ name: "acp", load: () => import("./commands/acp").then(m => m.default) },
+	{ name: "auth-broker", load: () => import("./commands/auth-broker").then(m => m.default) },
+	{ name: "auth-gateway", load: () => import("./commands/auth-gateway").then(m => m.default) },
 	{ name: "agents", load: () => import("./commands/agents").then(m => m.default) },
 	{ name: "commit", load: () => import("./commands/commit").then(m => m.default) },
 	{ name: "config", load: () => import("./commands/config").then(m => m.default) },
@@ -47,7 +49,7 @@ const commands: CommandEntry[] = [
 	{ name: "search", load: () => import("./commands/web-search").then(m => m.default), aliases: ["q"] },
 ];
 
-async function showHelp(config: import("@oh-my-pi/pi-utils/cli").CliConfig): Promise<void> {
+async function showHelp(config: CliConfig): Promise<void> {
 	const { renderRootHelp } = await import("@oh-my-pi/pi-utils/cli");
 	const { getExtraHelpText } = await import("./cli/args");
 	renderRootHelp(config);

package/src/commands/auth-broker.ts

@@ -0,0 +1,96 @@
+/**
+ * `omp auth-broker` — manage the omp credential vault.
+ */
+import { Args, Command, Flags, renderCommandHelp } from "@oh-my-pi/pi-utils/cli";
+import {
+	AUTH_BROKER_ACTIONS,
+	type AuthBrokerAction,
+	type AuthBrokerCommandArgs,
+	runAuthBrokerCommand,
+} from "../cli/auth-broker-cli";
+import { initTheme } from "../modes/theme/theme";
+
+export default class AuthBroker extends Command {
+	static description = "Manage the omp auth-broker (credential vault)";
+
+	static args = {
+		action: Args.string({
+			description: "Sub-command",
+			required: false,
+			options: [...AUTH_BROKER_ACTIONS],
+		}),
+		// Second positional: provider id (login/logout) or filesystem path (import).
+		source: Args.string({
+			description: "OAuth provider id (login/logout) or path (import)",
+			required: false,
+		}),
+	};
+
+	static flags = {
+		json: Flags.boolean({ description: "Output JSON" }),
+		bind: Flags.string({ description: "Bind address for `serve` (host:port)", char: "b" }),
+		regenerate: Flags.boolean({ description: "Regenerate the bearer token" }),
+		via: Flags.string({
+			description: "SSH user@host for remote login (login --via=user@host)",
+		}),
+		provider: Flags.string({
+			description: "Override provider id for `import` (e.g. when JSON `type` is unrecognized)",
+		}),
+		"include-disabled": Flags.boolean({
+			description: "Import credentials whose JSON has `disabled: true` (import)",
+		}),
+		"from-local": Flags.boolean({
+			description: "migrate source: local SQLite + env vars (required for `migrate`)",
+		}),
+		"include-env": Flags.boolean({
+			description: "Capture env-var API keys for providers not yet on broker (migrate)",
+		}),
+		"include-oauth": Flags.boolean({
+			description: "Also upload OAuth from local SQLite during migrate (default skips them)",
+		}),
+		"dry-run": Flags.boolean({ description: "Print actions without executing (import / login --via / migrate)" }),
+	};
+
+	static examples = [
+		"# Boot the broker against the local SQLite store\n  omp auth-broker serve",
+		"# Boot on a non-default port\n  omp auth-broker serve --bind=127.0.0.1:9000",
+		"# Print the bearer token\n  omp auth-broker token",
+		"# Rotate the bearer token\n  omp auth-broker token --regenerate",
+		"# Local login (run on the broker host)\n  omp auth-broker login anthropic",
+		"# Remote login over SSH tunnel\n  omp auth-broker login anthropic --via=user@broker",
+		"# Import a CLIProxyAPI auth dump\n  omp auth-broker import ~/.cliproxy/auth",
+		"# Import a single CLIProxyAPI JSON, overriding the provider mapping\n  omp auth-broker import ~/.cliproxy/auth/claude-foo.json --provider anthropic",
+		"# Preview a migration from local store + env vars to the configured broker\n  omp auth-broker migrate --from-local --include-env --dry-run",
+		"# Apply the migration\n  omp auth-broker migrate --from-local --include-env",
+		"# Health-check the configured remote broker\n  omp auth-broker status",
+	];
+
+	async run(): Promise<void> {
+		const { args, flags } = await this.parse(AuthBroker);
+		if (!args.action) {
+			renderCommandHelp("omp", "auth-broker", AuthBroker);
+			return;
+		}
+		const action = args.action as AuthBrokerAction;
+		const cmd: AuthBrokerCommandArgs = {
+			action,
+			flags: {
+				json: flags.json,
+				bind: flags.bind,
+				regenerate: flags.regenerate,
+				via: flags.via,
+				// `login`/`logout` reuse the legacy `provider` slot; `import` keeps `source` separate
+				// so `provider` flag (used as an override) is unambiguous.
+				provider: action === "import" ? flags.provider : (args.source ?? flags.provider),
+				source: args.source,
+				includeDisabled: flags["include-disabled"],
+				fromLocal: flags["from-local"],
+				includeEnv: flags["include-env"],
+				includeOauth: flags["include-oauth"],
+				dryRun: flags["dry-run"],
+			},
+		};
+		await initTheme();
+		await runAuthBrokerCommand(cmd);
+	}
+}

package/src/commands/auth-gateway.ts

@@ -0,0 +1,61 @@
+/**
+ * `omp auth-gateway` — run a forward proxy that injects auth from the broker.
+ */
+import { Args, Command, Flags, renderCommandHelp } from "@oh-my-pi/pi-utils/cli";
+import {
+	AUTH_GATEWAY_ACTIONS,
+	type AuthGatewayAction,
+	type AuthGatewayCommandArgs,
+	runAuthGatewayCommand,
+} from "../cli/auth-gateway-cli";
+import { initTheme } from "../modes/theme/theme";
+
+export default class AuthGateway extends Command {
+	static description = "Run an auth-gateway forward proxy backed by the configured broker";
+
+	static args = {
+		action: Args.string({
+			description: "Sub-command",
+			required: false,
+			options: [...AUTH_GATEWAY_ACTIONS],
+		}),
+	};
+
+	static flags = {
+		json: Flags.boolean({ description: "Output JSON (token/status)" }),
+		bind: Flags.string({ description: "Bind address for `serve` (host:port)", char: "b" }),
+		regenerate: Flags.boolean({ description: "Regenerate the gateway bearer token (token)" }),
+		"no-auth": Flags.boolean({
+			description:
+				"Disable inbound bearer-token auth (serve). Useful when bound to loopback — any caller is allowed.",
+		}),
+	};
+
+	static examples = [
+		"# Boot the gateway against the configured broker\n  omp auth-gateway serve",
+		"# Boot on a non-default port\n  omp auth-gateway serve --bind=127.0.0.1:4000",
+		"# Print the gateway bearer token (creates one on first run)\n  omp auth-gateway token",
+		"# Rotate the gateway bearer token\n  omp auth-gateway token --regenerate",
+		"# Run on loopback without any bearer (anyone on this host can call)\n  omp auth-gateway serve --no-auth",
+		"# Show local gateway + broker config status\n  omp auth-gateway status",
+	];
+
+	async run(): Promise<void> {
+		const { args, flags } = await this.parse(AuthGateway);
+		if (!args.action) {
+			renderCommandHelp("omp", "auth-gateway", AuthGateway);
+			return;
+		}
+		const cmd: AuthGatewayCommandArgs = {
+			action: args.action as AuthGatewayAction,
+			flags: {
+				json: flags.json,
+				bind: flags.bind,
+				regenerate: flags.regenerate,
+				noAuth: flags["no-auth"],
+			},
+		};
+		await initTheme();
+		await runAuthGatewayCommand(cmd);
+	}
+}