@oml/cli 0.14.17 → 0.16.0

package/README.md

@@ -32,26 +32,36 @@ The CLI uses the built-in production OML Platform endpoint by default. Set `OML_
 ### Quick Start
 
 ```bash
+# Sign in
+oml login
+
 # Lint the current workspace
-node ./packages/cli/bin/cli.js lint
+oml lint
 
-# Start the standalone OML server on the default port (8080)
-node ./packages/cli/bin/cli.js server start
+# Start the OML server
+oml start
 
-# Lint against a local platform dev server
-OML_PLATFORM_API_URL=http://127.0.0.1:8787 \
-node ./packages/cli/bin/cli.js lint
+# Stop the OML server
+oml stop
 
-# Export RDF output with entailments
-node ./packages/cli/bin/cli.js export -o build/owl
+# Export asserted OWL files
+oml export -o build/owl
 
 # Run consistency reasoning (check-only)
-node ./packages/cli/bin/cli.js reason
+oml reason
+
+# Run consistency reasoning and persist entailments
+oml reason -o build/owl
 
 # Render markdown to static HTML
-node ./packages/cli/bin/cli.js render -m src/md -b build/web
+oml render -m src/md -b build/web
 ```
 
+### Global Options
+
+- `-v, --version` — print the version number
+- `-d, --debug` — print detailed error diagnostics (stack traces and nested causes)
+
 ### Commands
 
 - `login`
@@ -62,29 +72,19 @@ node ./packages/cli/bin/cli.js render -m src/md -b build/web
   Prints the current sign-in session.
 - `lint`
   Validates one file, or the current workspace when no file is given.
-- `export [-o|--owl <dir>] [-f <ttl|trig|nt|nq|n3>] [--clean] [--pretty] [--only]`
-  Exports OML to RDF and materializes entailments via `oml/reason`.
-- `reason [-e|--explanation <true|false>] [--only]`
-  Calls `/v0/reason` to run workspace consistency checks in check-only mode (no entailment materialization, no file persistence).
-- `render -m|--md <dir> -b|--web <dir> [-c|--context <ontology-iri>] [--only]`
-  Runs `lint`, then renders markdown files to static HTML.
-- `validate [--only]`
-  Validates table-editor SHACL blocks in workspace markdown files. Template markdown files (frontmatter `template`) are skipped as validation targets, while compose templates are still expanded for other markdown files. Runs `lint` first unless `--only` is provided.
-- `server start [port] [--port <port>] [--workspace <workspace>]`
-  Starts the standalone REST server daemon. When no port is provided, it uses `8080`.
-- `server stop`
-  Stops the standalone server daemon.
-- `server status`
-  Prints the standalone server daemon status.
-
-### Notes
-
-- Pass `--debug` with any command (for example `oml login --debug`) to print stack traces and nested error causes.
-- The CLI uses `OML_PLATFORM_API_KEY` when it is set. Otherwise, operational commands use the token from `oml login` for platform authorization.
-- OAuth login refresh uses built-in Supabase defaults. Set `OML_SUPABASE_URL` or `OML_SUPABASE_ANON_KEY` to override them.
-- GitHub device-flow login requires `OML_AUTH_GITHUB_CLIENT_ID`, unless you embed `DEFAULT_GITHUB_CLIENT_ID` in [`src/auth.ts`](./src/auth.ts).
-- `oml login` exchanges the GitHub token with the platform at `OML_PLATFORM_API_URL` or the built-in default endpoint, then stores the platform session locally.
-- `reason` runs `oml/reason` consistency checks per workspace model in check-only mode (no entailment files written).
-- `render` runs `lint` unless `--only` is provided, then renders markdown files to static HTML.
-- `server start` fails clearly when the requested host and port are already occupied.
-- When installed from npm, the CLI checks the npm registry for newer `@oml/cli` releases and prints `npm install -g @oml/cli@latest` when an update is available. Set `OML_NO_UPDATE_NOTIFIER=1` to disable the check.
+- `export [-o|--owl <dir>] [-f|--format <ttl|trig|nt|nq|n3>] [--pretty]`
+  Exports asserted OWL files (no reasoning or entailment materialization).
+- `reason [-o|--owl <dir>] [-f|--format <ttl|trig|nt|nq|n3>] [--pretty] [-u|--unique-names-assumption <true|false>] [-e|--explanation <true|false>]`
+  Runs workspace consistency checks. Without `--owl`, runs in check-only mode with no file output. With `--owl`, persists assertions and entailments to the given folder.
+- `render -m|--md <input-folder> -b|--web <output-folder> [-c|--context <model-path>]`
+  Runs `lint`, then renders markdown files to static HTML. The optional `--context` sets the workspace-relative `.oml` model path used as the default navigation context for wikilinks.
+- `validate`
+  Validates table-editor SHACL blocks in workspace markdown files. Runs `lint` first.
+- `start [port] [-p|--port <port>] [-w|--workspace <workspace>]`
+  Starts the OML server. When no port is provided, an available port is selected automatically. Use `OML_PLATFORM_API_KEY` for non-interactive (CI) start; otherwise an interactive OAuth login is triggered if no session is stored.
+- `stop`
+  Stops the running OML server.
+- `status`
+  Prints the OML server status.
+- `list`
+  Shows all actively running OML servers.

package/out/auth/auth.d.ts

@@ -1,3 +1,4 @@
+import type { JsonWebKey } from 'node:crypto';
 type LoginOptions = {};
 export type OmlCliServerAuthSnapshot = {
     accessToken: string;
@@ -8,11 +9,20 @@ export declare class OmlCliAuthService {
     login(_options: LoginOptions): Promise<void>;
     logout(): Promise<void>;
     whoami(): Promise<void>;
+    getDeviceId(): Promise<string>;
+    getEntitlementCache(): Promise<{
+        expiry: number;
+        featureIds: string[];
+        token?: string;
+    } | null>;
+    saveEntitlementCache(expiry: number, featureIds: string[], token?: string): Promise<void>;
+    saveEntitlementsPubkey(pubkeyJwk: JsonWebKey): Promise<void>;
     ensureAuthenticated(operationName: string): Promise<void>;
     getAccessToken(): Promise<string>;
     refreshAccessToken(): Promise<string>;
     getServerAuthSnapshot(): Promise<OmlCliServerAuthSnapshot>;
     private tryGetValidSnapshot;
+    hasStoredCredential(): Promise<boolean>;
     private refreshCredential;
 }
 export {};

package/out/auth/auth.js

@@ -1,6 +1,7 @@
 // Copyright (c) 2026 Modelware. All rights reserved.
-import { exchangeGitHubToken, refreshSupabaseAccessToken } from '@oml/platform';
+import { exchangeGitHubToken, refreshSupabaseAccessToken, verifyEntitlementsToken } from '@oml/platform';
 import chalk from 'chalk';
+import * as crypto from 'node:crypto';
 import * as fs from 'node:fs/promises';
 import * as os from 'node:os';
 import * as path from 'node:path';
@@ -17,7 +18,10 @@ const KEYCHAIN_SERVICE = 'oml-code';
 const ACCESS_TOKEN_KEY = 'oml.cli.access_token';
 const REFRESH_TOKEN_KEY = 'oml.cli.refresh_token';
 const EXPIRES_AT_KEY = 'oml.cli.expires_at';
-const PROFILE_PATH = path.join(os.homedir(), '.oml', 'cli-profile.json');
+const ENTITLEMENT_EXPIRY_KEY = 'oml.cli.entitlement_expiry';
+const ENTITLEMENT_FEATURES_KEY = 'oml.cli.entitlement_features';
+const ENTITLEMENT_TOKEN_KEY = 'oml.cli.entitlement_token';
+const ENTITLEMENT_PUBKEY_KEY = 'oml.cli.entitlement_pubkey';
 const LOCK_PATH = path.join(os.homedir(), '.oml', 'credentials.lock');
 const SESSION_EXPIRATION_LEEWAY_MS = 20000;
 const LOCK_TIMEOUT_MS = 5000;
@@ -34,8 +38,9 @@ export class OmlCliAuthService {
         }
         const existing = await this.tryGetValidSnapshot();
         if (existing) {
-            const profile = await readProfile();
-            console.error(chalk.green(`Already signed in as ${profile?.userLabel ?? profile?.email ?? profile?.userId ?? 'current user'}.`));
+            const claims = decodeJwtClaims(existing.accessToken);
+            const label = claims.userLabel ?? claims.email ?? 'current user';
+            console.error(chalk.green(`Already signed in as ${label}.`));
             return;
         }
         const session = await authenticateWithGitHub();
@@ -44,32 +49,13 @@ export class OmlCliAuthService {
             refreshToken: session.refreshToken,
             expiresAtMs: session.expiresAtMs,
         });
-        await writeProfile({
-            provider: session.provider,
-            userId: session.userId,
-            userLabel: session.userLabel,
-            email: session.email,
-            tier: session.tier,
-            signedInAt: new Date().toISOString(),
-        });
+        void fetchAndSaveEntitlementsPubkey(resolveApiBaseUrl(), this).catch(() => undefined);
         const summary = session.userLabel ?? session.email ?? 'signed-in user';
-        console.error(chalk.green(`Signed in as ${summary} via ${session.provider}.`));
+        console.error(chalk.green(`Signed in as ${summary} via GitHub.`));
     }
     async logout() {
-        const activeServers = await listActiveServers();
         await deleteCredential();
-        await deleteProfile();
-        if (activeServers.length > 0) {
-            console.error(chalk.yellow('Stored OAuth credentials were cleared. Running servers were not stopped:'));
-            for (const server of activeServers) {
-                console.error(`- ${server.workspaceRoot ?? '(unknown workspace)'} on port ${server.port} (pid ${server.pid})`);
-            }
-            if (process.env[API_KEY_ENV]?.trim()) {
-                console.error(chalk.yellow('OML_PLATFORM_API_KEY is still set, so future starts may use API-key auth.'));
-            }
-            return;
-        }
-        console.error(chalk.green('Stored OAuth credentials were cleared.'));
+        console.error(chalk.green('Signed out.'));
         if (process.env[API_KEY_ENV]?.trim()) {
             console.error(chalk.yellow('OML_PLATFORM_API_KEY is still set, so future starts may use API-key auth.'));
         }
@@ -79,26 +65,84 @@ export class OmlCliAuthService {
         if (apiKey) {
             console.error('Auth mode: api_key');
             console.error('Account: resolved by OML Platform from OML_PLATFORM_API_KEY');
-            const profile = await readProfile();
-            if (profile) {
-                console.error(`Stored OAuth user: ${profile.userLabel ?? profile.email ?? profile.userId}`);
-            }
             return;
         }
         const credential = await readCredential();
-        const profile = await readProfile();
-        if (!credential || !profile) {
+        if (!credential) {
             console.error(chalk.yellow('Not signed in.'));
             return;
         }
+        const claims = decodeJwtClaims(credential.accessToken);
         console.error('Auth mode: oauth');
-        console.error(`Provider: ${profile.provider}`);
-        console.error(`User ID: ${profile.userId}`);
-        console.error(`User label: ${profile.userLabel ?? '(not set)'}`);
-        console.error(`Email: ${profile.email ?? '(not set)'}`);
-        console.error(`Tier: ${profile.tier ?? '(not set)'}`);
-        console.error(`Signed in at: ${profile.signedInAt}`);
-        console.error(`Access token expires at: ${new Date(credential.expiresAtMs).toISOString()}`);
+        console.error(`User ID:    ${claims.userId ?? '(unknown)'}`);
+        console.error(`User label: ${claims.userLabel ?? '(not set)'}`);
+        console.error(`Email:      ${claims.email ?? '(not set)'}`);
+        console.error(`Tier:       ${claims.tier ?? '(not set)'}`);
+        console.error(`Token expires at: ${new Date(credential.expiresAtMs).toISOString()}`);
+    }
+    async getDeviceId() {
+        return getOrCreateDeviceId();
+    }
+    async getEntitlementCache() {
+        try {
+            const keytar = await getKeytarModule();
+            const [expiryRaw, featuresRaw, tokenRaw, pubkeyRaw] = await Promise.all([
+                keytar.getPassword(KEYCHAIN_SERVICE, ENTITLEMENT_EXPIRY_KEY),
+                keytar.getPassword(KEYCHAIN_SERVICE, ENTITLEMENT_FEATURES_KEY),
+                keytar.getPassword(KEYCHAIN_SERVICE, ENTITLEMENT_TOKEN_KEY),
+                keytar.getPassword(KEYCHAIN_SERVICE, ENTITLEMENT_PUBKEY_KEY),
+            ]);
+            const expiry = Number(expiryRaw ?? NaN);
+            if (!Number.isFinite(expiry) || expiry <= Date.now() || !featuresRaw) {
+                return null;
+            }
+            const featureIds = JSON.parse(featuresRaw);
+            if (!Array.isArray(featureIds) || !featureIds.every((x) => typeof x === 'string')) {
+                return null;
+            }
+            let token;
+            if (tokenRaw && pubkeyRaw) {
+                try {
+                    const deviceId = await getOrCreateDeviceId();
+                    const valid = await verifyEntitlementsToken(tokenRaw, deviceId, JSON.parse(pubkeyRaw));
+                    if (valid) {
+                        token = tokenRaw;
+                    }
+                }
+                catch {
+                    // Verification failed — proceed without token; gate will re-fetch.
+                }
+            }
+            return { expiry, featureIds: featureIds, token };
+        }
+        catch {
+            return null;
+        }
+    }
+    async saveEntitlementCache(expiry, featureIds, token) {
+        try {
+            const keytar = await getKeytarModule();
+            const writes = [
+                keytar.setPassword(KEYCHAIN_SERVICE, ENTITLEMENT_EXPIRY_KEY, String(expiry)),
+                keytar.setPassword(KEYCHAIN_SERVICE, ENTITLEMENT_FEATURES_KEY, JSON.stringify(featureIds)),
+            ];
+            if (token) {
+                writes.push(keytar.setPassword(KEYCHAIN_SERVICE, ENTITLEMENT_TOKEN_KEY, token));
+            }
+            await Promise.all(writes);
+        }
+        catch {
+            // Credential store unavailable — skip silently.
+        }
+    }
+    async saveEntitlementsPubkey(pubkeyJwk) {
+        try {
+            const keytar = await getKeytarModule();
+            await keytar.setPassword(KEYCHAIN_SERVICE, ENTITLEMENT_PUBKEY_KEY, JSON.stringify(pubkeyJwk));
+        }
+        catch {
+            // Credential store unavailable — skip silently.
+        }
     }
     async ensureAuthenticated(operationName) {
         if (process.env[API_KEY_ENV]?.trim()) {
@@ -144,6 +188,9 @@ export class OmlCliAuthService {
             return null;
         }
     }
+    async hasStoredCredential() {
+        return (await readCredential()) !== undefined;
+    }
     async refreshCredential() {
         const session = await readCredential();
         if (!session?.refreshToken) {
@@ -163,19 +210,11 @@ export class OmlCliAuthService {
                 expiresAtMs: Date.now() + (refreshed.expires_in * 1000),
             };
             await writeCredential(updatedSession);
-            const profile = await readProfile();
-            if (profile) {
-                await writeProfile({
-                    ...profile,
-                    email: refreshed.email ?? profile.email,
-                });
-            }
             return updatedSession;
         }
         catch (error) {
             if (isUnauthorizedError(error)) {
                 await deleteCredential();
-                await deleteProfile();
                 throw new Error('Authentication refresh failed because the stored credential was revoked. Run \'oml login\' again.');
             }
             throw new Error('Authentication refresh failed. Check your network connection or sign in again with \'oml login\'.');
@@ -212,65 +251,39 @@ async function deleteCredential() {
         keytar.deletePassword(KEYCHAIN_SERVICE, ACCESS_TOKEN_KEY),
         keytar.deletePassword(KEYCHAIN_SERVICE, REFRESH_TOKEN_KEY),
         keytar.deletePassword(KEYCHAIN_SERVICE, EXPIRES_AT_KEY),
+        keytar.deletePassword(KEYCHAIN_SERVICE, ENTITLEMENT_EXPIRY_KEY),
+        keytar.deletePassword(KEYCHAIN_SERVICE, ENTITLEMENT_FEATURES_KEY),
+        keytar.deletePassword(KEYCHAIN_SERVICE, ENTITLEMENT_TOKEN_KEY),
+        keytar.deletePassword(KEYCHAIN_SERVICE, ENTITLEMENT_PUBKEY_KEY),
     ]);
 }
-async function readProfile() {
+async function getOrCreateDeviceId() {
     try {
-        const content = await fs.readFile(PROFILE_PATH, 'utf-8');
-        const data = JSON.parse(content);
-        if (!data.provider || !data.userId || !data.signedInAt) {
-            return undefined;
-        }
-        return {
-            provider: data.provider,
-            userId: data.userId,
-            userLabel: data.userLabel,
-            email: data.email ?? null,
-            tier: data.tier,
-            signedInAt: data.signedInAt,
-        };
+        return (await fs.readFile('/etc/machine-id', 'utf-8')).trim();
     }
     catch {
-        return undefined;
+        try {
+            return (await fs.readFile(LOCAL_MACHINE_ID_PATH, 'utf-8')).trim();
+        }
+        catch {
+            const id = crypto.randomUUID();
+            await fs.mkdir(path.dirname(LOCAL_MACHINE_ID_PATH), { recursive: true });
+            await fs.writeFile(LOCAL_MACHINE_ID_PATH, id, { encoding: 'utf-8', mode: 0o600 });
+            return id;
+        }
     }
 }
-async function writeProfile(profile) {
-    await fs.mkdir(path.dirname(PROFILE_PATH), { recursive: true });
-    await fs.writeFile(PROFILE_PATH, `${JSON.stringify(profile, null, 2)}\n`, 'utf-8');
-}
-async function deleteProfile() {
-    try {
-        await fs.unlink(PROFILE_PATH);
-    }
-    catch (error) {
-        if (error.code !== 'ENOENT') {
-            throw error;
-        }
+async function fetchAndSaveEntitlementsPubkey(apiBaseUrl, authService) {
+    const response = await fetch(`${apiBaseUrl}/entitlements/pubkey`);
+    if (!response.ok) {
+        return;
     }
+    const jwk = await response.json();
+    await authService.saveEntitlementsPubkey(jwk);
 }
 async function authenticateWithGitHub() {
     const clientId = resolveClientId();
-    const params = new URLSearchParams({
-        client_id: clientId,
-        scope: 'read:user user:email'
-    });
-    const response = await fetch(GITHUB_DEVICE_CODE_URL, {
-        method: 'POST',
-        headers: {
-            accept: 'application/json',
-            'content-type': 'application/x-www-form-urlencoded'
-        },
-        body: params
-    });
-    if (!response.ok) {
-        throw new Error(`GitHub device authorization failed: HTTP ${response.status} ${response.statusText}`);
-    }
-    const device = await response.json();
-    if (!device.device_code || !device.user_code || !device.verification_uri) {
-        throw new Error('GitHub device authorization response was incomplete.');
-    }
-    printDeviceFlowInstructions('GitHub', device.verification_uri, device.user_code);
-    const token = await pollForGitHubAccessToken(clientId, device);
+    const token = await authenticateWithGitHubDevice(clientId);
     const userResponse = await fetch(GITHUB_USER_URL, {
         headers: {
             accept: 'application/vnd.github+json',
@@ -286,16 +299,36 @@ async function authenticateWithGitHub() {
     }
     const platformSession = await exchangeGitHubToken(resolveApiBaseUrl(), token);
     return {
-        provider: 'github',
-        userId: platformSession.user_id,
         userLabel: user.login,
         email: platformSession.email,
-        tier: platformSession.tier,
         accessToken: platformSession.access_token,
         refreshToken: platformSession.refresh_token,
         expiresAtMs: Date.now() + platformSession.expires_in * 1000,
     };
 }
+async function authenticateWithGitHubDevice(clientId) {
+    const params = new URLSearchParams({
+        client_id: clientId,
+        scope: 'read:user user:email'
+    });
+    const response = await fetch(GITHUB_DEVICE_CODE_URL, {
+        method: 'POST',
+        headers: {
+            accept: 'application/json',
+            'content-type': 'application/x-www-form-urlencoded'
+        },
+        body: params
+    });
+    if (!response.ok) {
+        throw new Error(`GitHub device authorization failed: HTTP ${response.status} ${response.statusText}`);
+    }
+    const device = await response.json();
+    if (!device.device_code || !device.user_code || !device.verification_uri) {
+        throw new Error('GitHub device authorization response was incomplete.');
+    }
+    printDeviceFlowInstructions('GitHub', device.verification_uri, device.user_code);
+    return await pollForGitHubAccessToken(clientId, device);
+}
 function printDeviceFlowInstructions(providerName, verificationUri, userCode) {
     console.error(chalk.cyan(`${providerName} sign-in required.`));
     console.error(`Open: ${verificationUri}`);
@@ -367,38 +400,6 @@ async function acquireCredentialLock() {
     }
     throw new Error('Timed out waiting for the CLI credential lock.');
 }
-async function listActiveServers() {
-    const baseDir = path.join(os.homedir(), '.oml', 'workspaces');
-    try {
-        const workspaceDirs = await fs.readdir(baseDir);
-        const active = [];
-        for (const workspaceDir of workspaceDirs) {
-            const lockFile = path.join(baseDir, workspaceDir, 'server.lock');
-            try {
-                const raw = await fs.readFile(lockFile, 'utf-8');
-                const parsed = JSON.parse(raw);
-                const pid = Number(parsed.pid);
-                const port = Number(parsed.port);
-                if (!Number.isFinite(pid) || !Number.isFinite(port)) {
-                    continue;
-                }
-                process.kill(Math.trunc(pid), 0);
-                active.push({
-                    pid: Math.trunc(pid),
-                    port: Math.trunc(port),
-                    workspaceRoot: typeof parsed.workspaceRoot === 'string' ? parsed.workspaceRoot : undefined,
-                });
-            }
-            catch {
-                // ignore malformed or stale lock entries
-            }
-        }
-        return active;
-    }
-    catch {
-        return [];
-    }
-}
 function resolveClientId() {
     const configured = process.env.OML_AUTH_GITHUB_CLIENT_ID?.trim() || DEFAULT_GITHUB_CLIENT_ID;
     if (configured) {
@@ -422,23 +423,135 @@ function isUnauthorizedError(error) {
     const message = error instanceof Error ? error.message : String(error);
     return /\b401\b/.test(message);
 }
+const CREDENTIALS_FILE_PATH = path.join(os.homedir(), '.oml', 'credentials.json');
+const LOCAL_MACHINE_ID_PATH = path.join(os.homedir(), '.oml', 'machine-id');
+// Derive a 256-bit encryption key bound to this machine and user.
+// Uses /etc/machine-id (Linux) or a locally generated UUID as the key material,
+// combined with the user's home directory so the key is user-specific too.
+async function deriveMachineKey() {
+    const machineId = await getOrCreateDeviceId();
+    const ikm = Buffer.from(`${machineId}:${os.homedir()}`, 'utf-8');
+    return new Promise((resolve, reject) => {
+        crypto.hkdf('sha256', ikm, Buffer.alloc(0), 'oml-cli-credentials-v1', 32, (err, key) => {
+            if (err) {
+                reject(err);
+            }
+            else {
+                resolve(Buffer.from(key));
+            }
+        });
+    });
+}
+function encryptValue(value, key) {
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    const encrypted = Buffer.concat([cipher.update(value, 'utf-8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return JSON.stringify({
+        v: 1,
+        iv: iv.toString('base64'),
+        tag: tag.toString('base64'),
+        data: encrypted.toString('base64'),
+    });
+}
+function decryptValue(stored, key) {
+    const parsed = JSON.parse(stored);
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(parsed.iv, 'base64'));
+    decipher.setAuthTag(Buffer.from(parsed.tag, 'base64'));
+    return decipher.update(Buffer.from(parsed.data, 'base64'), undefined, 'utf-8') + decipher.final('utf-8');
+}
+class FileKeytar {
+    getKey() {
+        if (!this.keyPromise) {
+            this.keyPromise = deriveMachineKey();
+        }
+        return this.keyPromise;
+    }
+    async read() {
+        try {
+            const content = await fs.readFile(CREDENTIALS_FILE_PATH, 'utf-8');
+            return JSON.parse(content);
+        }
+        catch {
+            return {};
+        }
+    }
+    async write(store) {
+        await fs.mkdir(path.dirname(CREDENTIALS_FILE_PATH), { recursive: true });
+        await fs.writeFile(CREDENTIALS_FILE_PATH, `${JSON.stringify(store, null, 2)}\n`, { encoding: 'utf-8', mode: 0o600 });
+    }
+    storeKey(service, account) {
+        return `${service}:${account}`;
+    }
+    async getPassword(service, account) {
+        const store = await this.read();
+        const raw = store[this.storeKey(service, account)];
+        if (raw === undefined || raw === null) {
+            return null;
+        }
+        try {
+            const key = await this.getKey();
+            return decryptValue(raw, key);
+        }
+        catch {
+            // Unreadable entry (wrong machine, corrupt, or legacy plaintext) — treat as missing.
+            return null;
+        }
+    }
+    async setPassword(service, account, password) {
+        const [store, key] = await Promise.all([this.read(), this.getKey()]);
+        store[this.storeKey(service, account)] = encryptValue(password, key);
+        await this.write(store);
+    }
+    async deletePassword(service, account) {
+        const store = await this.read();
+        const k = this.storeKey(service, account);
+        if (!(k in store)) {
+            return false;
+        }
+        delete store[k];
+        await this.write(store);
+        return true;
+    }
+}
 async function getKeytarModule() {
     if (!keytarModulePromise) {
         keytarModulePromise = import('keytar')
             .then((loaded) => loaded.default)
             .catch((error) => {
+            const message = error instanceof Error ? error.message : String(error);
+            if (/libsecret|dlopen|ERR_DLOPEN_FAILED/i.test(message)) {
+                console.error(chalk.yellow('System keychain unavailable; credentials will be stored encrypted at ' +
+                    CREDENTIALS_FILE_PATH + ' using a machine-bound key. ' +
+                    'Set OML_PLATFORM_API_KEY for non-interactive environments.'));
+                return new FileKeytar();
+            }
             keytarModulePromise = undefined;
-            throw new Error(formatKeytarLoadError(error));
+            throw new Error(`Secure credential storage is unavailable: ${message}`);
         });
     }
     return keytarModulePromise;
 }
-function formatKeytarLoadError(error) {
-    const message = error instanceof Error ? error.message : String(error);
-    if (/libsecret|dlopen|ERR_DLOPEN_FAILED/i.test(message)) {
-        return 'Secure credential storage is unavailable (missing system keychain runtime, e.g. libsecret on Linux). ' +
-            'Install the OS keychain runtime or set OML_PLATFORM_API_KEY for non-interactive mode.';
+function decodeJwtClaims(token) {
+    try {
+        const payload = token.split('.')[1];
+        if (!payload) {
+            return {};
+        }
+        const json = JSON.parse(Buffer.from(payload.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf-8'));
+        const userMeta = json['user_metadata'];
+        const appMeta = json['app_metadata'];
+        return {
+            userId: typeof json['sub'] === 'string' ? json['sub'] : undefined,
+            email: typeof json['email'] === 'string' ? json['email'] : undefined,
+            userLabel: userMeta && typeof userMeta['user_name'] === 'string'
+                ? userMeta['user_name'] : undefined,
+            tier: appMeta && typeof appMeta['tier'] === 'string'
+                ? appMeta['tier'] : undefined,
+        };
+    }
+    catch {
+        return {};
     }
-    return `Secure credential storage is unavailable: ${message}`;
 }
 //# sourceMappingURL=auth.js.map