@oml/cli 0.14.17 → 0.15.0

package/src/auth/auth.ts

@@ -1,7 +1,9 @@
 // Copyright (c) 2026 Modelware. All rights reserved.
 
-import { exchangeGitHubToken, refreshSupabaseAccessToken } from '@oml/platform';
+import { exchangeGitHubToken, refreshSupabaseAccessToken, verifyEntitlementsToken } from '@oml/platform';
 import chalk from 'chalk';
+import * as crypto from 'node:crypto';
+import type { JsonWebKey } from 'node:crypto';
 import * as fs from 'node:fs/promises';
 import * as os from 'node:os';
 import * as path from 'node:path';
@@ -23,7 +25,10 @@ const KEYCHAIN_SERVICE = 'oml-code';
 const ACCESS_TOKEN_KEY = 'oml.cli.access_token';
 const REFRESH_TOKEN_KEY = 'oml.cli.refresh_token';
 const EXPIRES_AT_KEY = 'oml.cli.expires_at';
-const PROFILE_PATH = path.join(os.homedir(), '.oml', 'cli-profile.json');
+const ENTITLEMENT_EXPIRY_KEY = 'oml.cli.entitlement_expiry';
+const ENTITLEMENT_FEATURES_KEY = 'oml.cli.entitlement_features';
+const ENTITLEMENT_TOKEN_KEY = 'oml.cli.entitlement_token';
+const ENTITLEMENT_PUBKEY_KEY = 'oml.cli.entitlement_pubkey';
 const LOCK_PATH = path.join(os.homedir(), '.oml', 'credentials.lock');
 const SESSION_EXPIRATION_LEEWAY_MS = 20_000;
 const LOCK_TIMEOUT_MS = 5_000;
@@ -37,17 +42,6 @@ type KeytarModule = {
 
 let keytarModulePromise: Promise<KeytarModule> | undefined;
 
-type Provider = 'github';
-
-type StoredProfile = {
-    provider: Provider;
-    userId: string;
-    userLabel?: string;
-    email: string | null;
-    tier?: string;
-    signedInAt: string;
-};
-
 type StoredCredential = {
     accessToken: string;
     refreshToken: string;
@@ -77,10 +71,9 @@ export class OmlCliAuthService {
 
         const existing = await this.tryGetValidSnapshot();
         if (existing) {
-            const profile = await readProfile();
-            console.error(chalk.green(
-                `Already signed in as ${profile?.userLabel ?? profile?.email ?? profile?.userId ?? 'current user'}.`
-            ));
+            const claims = decodeJwtClaims(existing.accessToken);
+            const label = claims.userLabel ?? claims.email ?? 'current user';
+            console.error(chalk.green(`Already signed in as ${label}.`));
             return;
         }
 
@@ -90,22 +83,14 @@ export class OmlCliAuthService {
             refreshToken: session.refreshToken,
             expiresAtMs: session.expiresAtMs,
         });
-        await writeProfile({
-            provider: session.provider,
-            userId: session.userId,
-            userLabel: session.userLabel,
-            email: session.email,
-            tier: session.tier,
-            signedInAt: new Date().toISOString(),
-        });
+        void fetchAndSaveEntitlementsPubkey(resolveApiBaseUrl(), this).catch(() => undefined);
         const summary = session.userLabel ?? session.email ?? 'signed-in user';
-        console.error(chalk.green(`Signed in as ${summary} via ${session.provider}.`));
+        console.error(chalk.green(`Signed in as ${summary} via GitHub.`));
     }
 
     async logout(): Promise<void> {
         const activeServers = await listActiveServers();
         await deleteCredential();
-        await deleteProfile();
         if (activeServers.length > 0) {
             console.error(chalk.yellow('Stored OAuth credentials were cleared. Running servers were not stopped:'));
             for (const server of activeServers) {
@@ -127,27 +112,85 @@ export class OmlCliAuthService {
         if (apiKey) {
             console.error('Auth mode: api_key');
             console.error('Account: resolved by OML Platform from OML_PLATFORM_API_KEY');
-            const profile = await readProfile();
-            if (profile) {
-                console.error(`Stored OAuth user: ${profile.userLabel ?? profile.email ?? profile.userId}`);
-            }
             return;
         }
 
         const credential = await readCredential();
-        const profile = await readProfile();
-        if (!credential || !profile) {
+        if (!credential) {
             console.error(chalk.yellow('Not signed in.'));
             return;
         }
+        const claims = decodeJwtClaims(credential.accessToken);
         console.error('Auth mode: oauth');
-        console.error(`Provider: ${profile.provider}`);
-        console.error(`User ID: ${profile.userId}`);
-        console.error(`User label: ${profile.userLabel ?? '(not set)'}`);
-        console.error(`Email: ${profile.email ?? '(not set)'}`);
-        console.error(`Tier: ${profile.tier ?? '(not set)'}`);
-        console.error(`Signed in at: ${profile.signedInAt}`);
-        console.error(`Access token expires at: ${new Date(credential.expiresAtMs).toISOString()}`);
+        console.error(`User ID:    ${claims.userId ?? '(unknown)'}`);
+        console.error(`User label: ${claims.userLabel ?? '(not set)'}`);
+        console.error(`Email:      ${claims.email ?? '(not set)'}`);
+        console.error(`Tier:       ${claims.tier ?? '(not set)'}`);
+        console.error(`Token expires at: ${new Date(credential.expiresAtMs).toISOString()}`);
+    }
+
+    async getDeviceId(): Promise<string> {
+        return getOrCreateDeviceId();
+    }
+
+    async getEntitlementCache(): Promise<{ expiry: number; featureIds: string[]; token?: string } | null> {
+        try {
+            const keytar = await getKeytarModule();
+            const [expiryRaw, featuresRaw, tokenRaw, pubkeyRaw] = await Promise.all([
+                keytar.getPassword(KEYCHAIN_SERVICE, ENTITLEMENT_EXPIRY_KEY),
+                keytar.getPassword(KEYCHAIN_SERVICE, ENTITLEMENT_FEATURES_KEY),
+                keytar.getPassword(KEYCHAIN_SERVICE, ENTITLEMENT_TOKEN_KEY),
+                keytar.getPassword(KEYCHAIN_SERVICE, ENTITLEMENT_PUBKEY_KEY),
+            ]);
+            const expiry = Number(expiryRaw ?? NaN);
+            if (!Number.isFinite(expiry) || expiry <= Date.now() || !featuresRaw) {
+                return null;
+            }
+            const featureIds = JSON.parse(featuresRaw) as unknown;
+            if (!Array.isArray(featureIds) || !featureIds.every((x) => typeof x === 'string')) {
+                return null;
+            }
+            let token: string | undefined;
+            if (tokenRaw && pubkeyRaw) {
+                try {
+                    const deviceId = await getOrCreateDeviceId();
+                    const valid = await verifyEntitlementsToken(tokenRaw, deviceId, JSON.parse(pubkeyRaw) as JsonWebKey);
+                    if (valid) {
+                        token = tokenRaw;
+                    }
+                } catch {
+                    // Verification failed — proceed without token; gate will re-fetch.
+                }
+            }
+            return { expiry, featureIds: featureIds as string[], token };
+        } catch {
+            return null;
+        }
+    }
+
+    async saveEntitlementCache(expiry: number, featureIds: string[], token?: string): Promise<void> {
+        try {
+            const keytar = await getKeytarModule();
+            const writes: Promise<void>[] = [
+                keytar.setPassword(KEYCHAIN_SERVICE, ENTITLEMENT_EXPIRY_KEY, String(expiry)),
+                keytar.setPassword(KEYCHAIN_SERVICE, ENTITLEMENT_FEATURES_KEY, JSON.stringify(featureIds)),
+            ];
+            if (token) {
+                writes.push(keytar.setPassword(KEYCHAIN_SERVICE, ENTITLEMENT_TOKEN_KEY, token));
+            }
+            await Promise.all(writes);
+        } catch {
+            // Credential store unavailable — skip silently.
+        }
+    }
+
+    async saveEntitlementsPubkey(pubkeyJwk: JsonWebKey): Promise<void> {
+        try {
+            const keytar = await getKeytarModule();
+            await keytar.setPassword(KEYCHAIN_SERVICE, ENTITLEMENT_PUBKEY_KEY, JSON.stringify(pubkeyJwk));
+        } catch {
+            // Credential store unavailable — skip silently.
+        }
     }
 
     async ensureAuthenticated(operationName: string): Promise<void> {
@@ -198,6 +241,10 @@ export class OmlCliAuthService {
         }
     }
 
+    async hasStoredCredential(): Promise<boolean> {
+        return (await readCredential()) !== undefined;
+    }
+
     private async refreshCredential(): Promise<StoredCredential> {
         const session = await readCredential();
         if (!session?.refreshToken) {
@@ -222,18 +269,10 @@ export class OmlCliAuthService {
                 expiresAtMs: Date.now() + (refreshed.expires_in * 1000),
             };
             await writeCredential(updatedSession);
-            const profile = await readProfile();
-            if (profile) {
-                await writeProfile({
-                    ...profile,
-                    email: refreshed.email ?? profile.email,
-                });
-            }
             return updatedSession;
         } catch (error) {
             if (isUnauthorizedError(error)) {
                 await deleteCredential();
-                await deleteProfile();
                 throw new Error('Authentication refresh failed because the stored credential was revoked. Run \'oml login\' again.');
             }
             throw new Error('Authentication refresh failed. Check your network connection or sign in again with \'oml login\'.');
@@ -272,50 +311,40 @@ async function deleteCredential(): Promise<void> {
         keytar.deletePassword(KEYCHAIN_SERVICE, ACCESS_TOKEN_KEY),
         keytar.deletePassword(KEYCHAIN_SERVICE, REFRESH_TOKEN_KEY),
         keytar.deletePassword(KEYCHAIN_SERVICE, EXPIRES_AT_KEY),
+        keytar.deletePassword(KEYCHAIN_SERVICE, ENTITLEMENT_EXPIRY_KEY),
+        keytar.deletePassword(KEYCHAIN_SERVICE, ENTITLEMENT_FEATURES_KEY),
+        keytar.deletePassword(KEYCHAIN_SERVICE, ENTITLEMENT_TOKEN_KEY),
+        keytar.deletePassword(KEYCHAIN_SERVICE, ENTITLEMENT_PUBKEY_KEY),
     ]);
 }
 
-async function readProfile(): Promise<StoredProfile | undefined> {
+async function getOrCreateDeviceId(): Promise<string> {
     try {
-        const content = await fs.readFile(PROFILE_PATH, 'utf-8');
-        const data = JSON.parse(content) as Partial<StoredProfile>;
-        if (!data.provider || !data.userId || !data.signedInAt) {
-            return undefined;
-        }
-        return {
-            provider: data.provider,
-            userId: data.userId,
-            userLabel: data.userLabel,
-            email: data.email ?? null,
-            tier: data.tier,
-            signedInAt: data.signedInAt,
-        };
+        return (await fs.readFile('/etc/machine-id', 'utf-8')).trim();
     } catch {
-        return undefined;
+        try {
+            return (await fs.readFile(LOCAL_MACHINE_ID_PATH, 'utf-8')).trim();
+        } catch {
+            const id = crypto.randomUUID();
+            await fs.mkdir(path.dirname(LOCAL_MACHINE_ID_PATH), { recursive: true });
+            await fs.writeFile(LOCAL_MACHINE_ID_PATH, id, { encoding: 'utf-8', mode: 0o600 });
+            return id;
+        }
     }
 }
 
-async function writeProfile(profile: StoredProfile): Promise<void> {
-    await fs.mkdir(path.dirname(PROFILE_PATH), { recursive: true });
-    await fs.writeFile(PROFILE_PATH, `${JSON.stringify(profile, null, 2)}\n`, 'utf-8');
-}
-
-async function deleteProfile(): Promise<void> {
-    try {
-        await fs.unlink(PROFILE_PATH);
-    } catch (error) {
-        if ((error as NodeJS.ErrnoException).code !== 'ENOENT') {
-            throw error;
-        }
+async function fetchAndSaveEntitlementsPubkey(apiBaseUrl: string, authService: OmlCliAuthService): Promise<void> {
+    const response = await fetch(`${apiBaseUrl}/entitlements/pubkey`);
+    if (!response.ok) {
+        return;
     }
+    const jwk = await response.json() as JsonWebKey;
+    await authService.saveEntitlementsPubkey(jwk);
 }
 
 async function authenticateWithGitHub(): Promise<{
-    provider: Provider;
-    userId: string;
     userLabel?: string;
     email: string | null;
-    tier?: string;
     accessToken: string;
     refreshToken: string;
     expiresAtMs: number;
@@ -360,11 +389,8 @@ async function authenticateWithGitHub(): Promise<{
     const platformSession = await exchangeGitHubToken(resolveApiBaseUrl(), token);
 
     return {
-        provider: 'github',
-        userId: platformSession.user_id,
         userLabel: user.login,
         email: platformSession.email,
-        tier: platformSession.tier,
         accessToken: platformSession.access_token,
         refreshToken: platformSession.refresh_token,
         expiresAtMs: Date.now() + platformSession.expires_in * 1000,
@@ -506,25 +532,149 @@ function isUnauthorizedError(error: unknown): boolean {
     return /\b401\b/.test(message);
 }
 
+const CREDENTIALS_FILE_PATH = path.join(os.homedir(), '.oml', 'credentials.json');
+const LOCAL_MACHINE_ID_PATH = path.join(os.homedir(), '.oml', 'machine-id');
+
+// Derive a 256-bit encryption key bound to this machine and user.
+// Uses /etc/machine-id (Linux) or a locally generated UUID as the key material,
+// combined with the user's home directory so the key is user-specific too.
+async function deriveMachineKey(): Promise<Buffer> {
+    const machineId = await getOrCreateDeviceId();
+    const ikm = Buffer.from(`${machineId}:${os.homedir()}`, 'utf-8');
+    return new Promise<Buffer>((resolve, reject) => {
+        crypto.hkdf('sha256', ikm, Buffer.alloc(0), 'oml-cli-credentials-v1', 32, (err, key) => {
+            if (err) { reject(err); } else { resolve(Buffer.from(key)); }
+        });
+    });
+}
+
+function encryptValue(value: string, key: Buffer): string {
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    const encrypted = Buffer.concat([cipher.update(value, 'utf-8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return JSON.stringify({
+        v: 1,
+        iv: iv.toString('base64'),
+        tag: tag.toString('base64'),
+        data: encrypted.toString('base64'),
+    });
+}
+
+function decryptValue(stored: string, key: Buffer): string {
+    const parsed = JSON.parse(stored) as { v?: number; iv: string; tag: string; data: string };
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(parsed.iv, 'base64'));
+    decipher.setAuthTag(Buffer.from(parsed.tag, 'base64'));
+    return decipher.update(Buffer.from(parsed.data, 'base64'), undefined, 'utf-8') + decipher.final('utf-8');
+}
+
+class FileKeytar implements KeytarModule {
+    private keyPromise: Promise<Buffer> | undefined;
+
+    private getKey(): Promise<Buffer> {
+        if (!this.keyPromise) {
+            this.keyPromise = deriveMachineKey();
+        }
+        return this.keyPromise;
+    }
+
+    private async read(): Promise<Record<string, string>> {
+        try {
+            const content = await fs.readFile(CREDENTIALS_FILE_PATH, 'utf-8');
+            return JSON.parse(content) as Record<string, string>;
+        } catch {
+            return {};
+        }
+    }
+
+    private async write(store: Record<string, string>): Promise<void> {
+        await fs.mkdir(path.dirname(CREDENTIALS_FILE_PATH), { recursive: true });
+        await fs.writeFile(CREDENTIALS_FILE_PATH, `${JSON.stringify(store, null, 2)}\n`, { encoding: 'utf-8', mode: 0o600 });
+    }
+
+    private storeKey(service: string, account: string): string {
+        return `${service}:${account}`;
+    }
+
+    async getPassword(service: string, account: string): Promise<string | null> {
+        const store = await this.read();
+        const raw = store[this.storeKey(service, account)];
+        if (raw === undefined || raw === null) {
+            return null;
+        }
+        try {
+            const key = await this.getKey();
+            return decryptValue(raw, key);
+        } catch {
+            // Unreadable entry (wrong machine, corrupt, or legacy plaintext) — treat as missing.
+            return null;
+        }
+    }
+
+    async setPassword(service: string, account: string, password: string): Promise<void> {
+        const [store, key] = await Promise.all([this.read(), this.getKey()]);
+        store[this.storeKey(service, account)] = encryptValue(password, key);
+        await this.write(store);
+    }
+
+    async deletePassword(service: string, account: string): Promise<boolean> {
+        const store = await this.read();
+        const k = this.storeKey(service, account);
+        if (!(k in store)) {
+            return false;
+        }
+        delete store[k];
+        await this.write(store);
+        return true;
+    }
+}
+
 async function getKeytarModule(): Promise<KeytarModule> {
     if (!keytarModulePromise) {
         keytarModulePromise = import('keytar')
             .then((loaded) => loaded.default as KeytarModule)
             .catch((error: unknown) => {
+                const message = error instanceof Error ? error.message : String(error);
+                if (/libsecret|dlopen|ERR_DLOPEN_FAILED/i.test(message)) {
+                    console.error(chalk.yellow(
+                        'System keychain unavailable; credentials will be stored encrypted at ' +
+                        CREDENTIALS_FILE_PATH + ' using a machine-bound key. ' +
+                        'Set OML_PLATFORM_API_KEY for non-interactive environments.'
+                    ));
+                    return new FileKeytar();
+                }
                 keytarModulePromise = undefined;
-                throw new Error(formatKeytarLoadError(error));
+                throw new Error(`Secure credential storage is unavailable: ${message}`);
             });
     }
     return keytarModulePromise;
 }
 
-function formatKeytarLoadError(error: unknown): string {
-    const message = error instanceof Error ? error.message : String(error);
-    if (/libsecret|dlopen|ERR_DLOPEN_FAILED/i.test(message)) {
-        return 'Secure credential storage is unavailable (missing system keychain runtime, e.g. libsecret on Linux). ' +
-            'Install the OS keychain runtime or set OML_PLATFORM_API_KEY for non-interactive mode.';
+type JwtClaims = {
+    userId?: string;
+    userLabel?: string;
+    email?: string;
+    tier?: string;
+};
+
+function decodeJwtClaims(token: string): JwtClaims {
+    try {
+        const payload = token.split('.')[1];
+        if (!payload) { return {}; }
+        const json = JSON.parse(Buffer.from(payload.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf-8')) as Record<string, unknown>;
+        const userMeta = json['user_metadata'];
+        const appMeta = json['app_metadata'];
+        return {
+            userId: typeof json['sub'] === 'string' ? json['sub'] : undefined,
+            email: typeof json['email'] === 'string' ? json['email'] : undefined,
+            userLabel: userMeta && typeof (userMeta as Record<string, unknown>)['user_name'] === 'string'
+                ? (userMeta as Record<string, unknown>)['user_name'] as string : undefined,
+            tier: appMeta && typeof (appMeta as Record<string, unknown>)['tier'] === 'string'
+                ? (appMeta as Record<string, unknown>)['tier'] as string : undefined,
+        };
+    } catch {
+        return {};
     }
-    return `Secure credential storage is unavailable: ${message}`;
 }
 
 type GitHubDeviceCodeResponse = {

package/src/cli.ts

@@ -28,20 +28,20 @@ export interface CliCommandInfo {
 export function getWorkspaceCommands(): CliCommandInfo[] {
     return [
         { name: 'lint', description: 'lints OML files and prints any syntax or validation errors' },
-        { 
-            name: 'render [options]', 
+        {
+            name: 'render [options]',
             description: 'lint the workspace, then render markdown files to static html',
-            usage: 'render -m <input-folder> -b <output-folder> [--clean] [-c <ontology-iri>]'
+            usage: 'render -m <input-folder> -b <output-folder> [-c <ontology-iri>]'
         },
-        { 
-            name: 'export [options]', 
+        {
+            name: 'export [options]',
             description: 'export asserted OWL files (no reasoning)',
-            usage: 'export [-o <dir>] [-f <ext>] [--clean] [--pretty]'
+            usage: 'export [-o <dir>] [-f <ext>] [--pretty]'
         },
-        { 
-            name: 'reason [options]', 
+        {
+            name: 'reason [options]',
             description: 'run workspace consistency checks (or persist assertions/entailments with --owl)',
-            usage: 'reason [-o <dir>] [-f <ext>] [--clean] [--pretty] [-e <true|false>]'
+            usage: 'reason [-o <dir>] [-f <ext>] [--pretty] [-e <true|false>]'
         },
         { 
             name: 'validate [options]', 
@@ -94,14 +94,20 @@ export async function runCli(argv: string[] = process.argv): Promise<void> {
         .option('-w, --workspace <workspace>', 'workspace root used by REST facade initialize (default: cwd)')
         .description('start an OML server')
         .action(async (port: string | undefined, options: { port?: string; workspace?: string }) => {
+            const [entitlementCache, deviceId] = await Promise.all([
+                authService.getEntitlementCache().then((c) => c ?? undefined),
+                authService.getDeviceId().catch(() => undefined),
+            ]);
             if (process.env.OML_PLATFORM_API_KEY?.trim()) {
-                await serverStartAction(port, { ...options, auth: await resolveServerStartAuth() });
+                await serverStartAction(port, { ...options, auth: await resolveServerStartAuth(), entitlementCache });
                 return;
             }
             await serverRunAction(port, {
                 ...options,
                 authService,
                 auth: await resolveServerRunAuth(authService),
+                entitlementCache,
+                deviceId,
             });
         });
 
@@ -148,7 +154,6 @@ export async function runCli(argv: string[] = process.argv): Promise<void> {
         .command('render')
         .requiredOption('-m, --md <input-folder>', 'folder containing markdown files to render')
         .requiredOption('-b, --web <output-folder>', 'folder where rendered static site files are written')
-        .option('--clean', 'remove output folder before render')
         .option('-c, --context <model-path>', 'workspace-relative .oml model path used as default navigation context for wikilinks')
         .description('lint the workspace, then render markdown files to static html')
         .action(async (...args: unknown[]) => {
@@ -170,7 +175,6 @@ export async function runCli(argv: string[] = process.argv): Promise<void> {
         .command('export')
         .option('-o, --owl <dir>', 'folder where RDF output files are written')
         .option('-f, --format <ext>', 'RDF format extension: ttl, trig, nt, nq, or n3', 'ttl')
-        .option('--clean', 'remove output folder before export')
         .option('--pretty', 'pretty-print Turtle/TriG output with blank lines between top-level blocks')
         .description('export asserted OWL files (no reasoning)')
         .action(async (...args: unknown[]) => {
@@ -192,7 +196,6 @@ export async function runCli(argv: string[] = process.argv): Promise<void> {
         .command('reason')
         .option('-o, --owl <dir>', 'persist assertions/entailments to folder (default: check-only with no persistence)')
         .option('-f, --format <ext>', 'RDF format extension: ttl, trig, nt, nq, or n3', 'ttl')
-        .option('--clean', 'remove output folder before reason (only when --owl is provided)')
         .option('--pretty', 'pretty-print Turtle/TriG output with blank lines between top-level blocks (only when --owl is provided)')
         .option('-u, --unique-names-assumption [value]', 'enable or disable the unique names assumption', parseBooleanOption, true)
         .option('-e, --explanation [value]', 'enable or disable inconsistency explanations', parseBooleanOption, false)
@@ -322,29 +325,21 @@ async function resolveServerStartAuth(): Promise<{ accessToken: string }> {
     const apiKey = process.env.OML_PLATFORM_API_KEY?.trim();
     if (!apiKey) {
         throw new CliExitError(
-            'OML_PLATFORM_API_KEY is not set. For interactive use, run \'oml start\'. ' +
-            'For non-interactive use, set OML_PLATFORM_API_KEY and retry.'
+            'OML_PLATFORM_API_KEY is required for non-interactive server start. ' +
+            'Unset it and run \'oml start\' again to use interactive OAuth login instead.'
         );
     }
     return { accessToken: apiKey };
 }
 
-async function resolveServerRunAuth(authService: OmlCliAuthService): Promise<{
-    accessToken: string;
-}> {
-    let snapshot;
-    try {
-        snapshot = await authService.getServerAuthSnapshot();
-    } catch {
+async function resolveServerRunAuth(authService: OmlCliAuthService): Promise<{ accessToken: string }> {
+    if (!(await authService.hasStoredCredential())) {
+        console.error(chalk.cyan('Authentication required to start the server. Signing in...'));
         await authService.login({});
-        snapshot = await authService.getServerAuthSnapshot();
     }
-    return {
-        accessToken: snapshot.accessToken,
-    };
+    return { accessToken: (await authService.getServerAuthSnapshot()).accessToken };
 }
 
-
 function formatDetailedError(error: unknown): string {
     if (!(error instanceof Error)) {
         return String(error);

package/src/commands/export.ts

@@ -10,7 +10,6 @@ import { restPost } from './server/rest.js';
 export type ExportOptions = {
     owl?: string;
     format?: 'ttl' | 'trig' | 'nt' | 'nq' | 'n3' | string;
-    clean?: boolean;
     pretty?: boolean;
     authToken?: string;
 };
@@ -44,7 +43,6 @@ export const exportAction = async (opts: ExportOptions): Promise<void> => {
         {
             owl: opts.owl,
             format,
-            clean: opts.clean,
             pretty: opts.pretty === true,
         } as Record<string, unknown>,
         opts.authToken,

package/src/commands/lint.ts

@@ -71,7 +71,8 @@ export const lintAction = async (opts: LintOptions): Promise<void> => {
         failCli(chalk.red(formatLintSummary(result, elapsedMs)));
     }
     if (result.warnings > 0) {
-        failCli(chalk.yellow(formatLintSummary(result, elapsedMs)));
+        console.warn(chalk.yellow(formatLintSummary(result, elapsedMs)));
+        return;
     }
     console.log(chalk.green(formatLintSummary(result, elapsedMs)));
 };

package/src/commands/reason.ts

@@ -16,7 +16,6 @@ type RdfFormat = 'ttl' | 'trig' | 'nt' | 'nq' | 'n3';
 export type ReasonOptions = {
     owl?: string;
     format?: RdfFormat | string;
-    clean?: boolean;
     pretty?: boolean;
     explanation?: boolean;
     uniqueNamesAssumption?: boolean;
@@ -36,7 +35,6 @@ type AssertionsPayload = {
     files: Array<{
         modelUri: string;
         ontologyIri: string;
-        path: string;
         content: string;
     }>;
 };
@@ -150,8 +148,21 @@ function resolveEntailmentsPath(uri: string): string {
     return trimmed;
 }
 
-function modelUriToRelativePath(modelUri: string): string {
-    const trimmed = modelUri.trim();
+function ontologyIriToTempPath(ontologyIri: string, format: RdfFormat): string {
+    try {
+        const iri = new URL(ontologyIri);
+        const rawPath = iri.pathname.replace(/\/+$/, '');
+        const segments = rawPath.split('/').filter(Boolean);
+        const stem = segments.at(-1) || 'index';
+        const dirSegs = iri.host ? [iri.host, ...segments.slice(0, -1)] : segments.slice(0, -1);
+        return dirSegs.length > 0 ? path.join(...dirSegs, `${stem}.${format}`) : `${stem}.${format}`;
+    } catch {
+        return ontologyIri.replace(/[^a-zA-Z0-9_/-]/g, '_') + '.' + format;
+    }
+}
+
+function modelUriToRelativePath(modelUri: string | undefined): string {
+    const trimmed = (modelUri ?? '').trim();
     if (trimmed.startsWith('file://')) {
         const absolute = fileURLToPath(trimmed);
         const relative = path.relative(process.cwd(), absolute);
@@ -190,9 +201,7 @@ export const reasonAction = async (opts: ReasonOptions): Promise<void> => {
         : undefined;
     const tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), 'oml-reason-cli-'));
     if (outputDir) {
-        if (opts.clean === true) {
-            await fs.rm(outputDir, { recursive: true, force: true });
-        }
+        await fs.rm(outputDir, { recursive: true, force: true, maxRetries: 3, retryDelay: 100 });
     }
     const orderedFiles = sortFilesLeafToRoot(assertions.files);
     let firstInconsistent: { file: AssertionsPayload['files'][number]; result: Record<string, unknown> } | undefined;
@@ -200,12 +209,12 @@ export const reasonAction = async (opts: ReasonOptions): Promise<void> => {
     let entailmentsProduced = 0;
     try {
         for (const file of orderedFiles) {
-            const target = path.join(tempRoot, file.path);
+            const target = path.join(tempRoot, ontologyIriToTempPath(file.ontologyIri, outputFormat));
             await fs.mkdir(path.dirname(target), { recursive: true });
             await fs.writeFile(target, prettyPrintRdf(file.content, outputFormat), 'utf-8');
         }
         for (const file of orderedFiles) {
-            const target = path.join(tempRoot, file.path);
+            const target = path.join(tempRoot, ontologyIriToTempPath(file.ontologyIri, outputFormat));
             try {
                 const result = await checkConsistency({
                     input: target,
@@ -257,7 +266,9 @@ export const reasonAction = async (opts: ReasonOptions): Promise<void> => {
         failCli(chalk.red(`reason failed: ${modelUri}: ${firstFailure.error}`));
     }
     if (firstInconsistent) {
-        const where = modelUriToRelativePath(firstInconsistent.file.modelUri);
+        const where = modelUriToRelativePath(firstInconsistent.file.modelUri)
+            || firstInconsistent.file.ontologyIri.trim()
+            || '<unknown>';
         if (opts.explanation === true) {
             failCli(chalk.red(`Inconsistency found in: ${where}\n${JSON.stringify(firstInconsistent.result, null, 2)}`));
         }

package/src/commands/render.ts

@@ -10,7 +10,6 @@ import { restPost } from './server/rest.js';
 export type RenderOptions = {
     md: string;
     web: string;
-    clean?: boolean;
     context?: string;
     authToken?: string;
 };