@openbat/cli 0.1.1 → 0.2.0

package/dist/index.js

@@ -32,7 +32,7 @@ var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "
 var __privateMethod = (obj, member, method) => (__accessCheck(obj, member, "access private method"), method);
 
 // src/index.ts
-var import_commander6 = require("commander");
+var import_commander8 = require("commander");
 
 // src/commands/config.ts
 var import_commander = require("commander");
@@ -92,7 +92,26 @@ async function resolveConfig(opts) {
     baseUrl = file.baseUrl;
     baseUrlSource = "file";
   }
-  return { apiKey, baseUrl, apiKeySource, baseUrlSource };
+  let activeChatbotId = null;
+  let activeChatbotIdSource = "missing";
+  if (opts.chatbotFlag) {
+    activeChatbotId = opts.chatbotFlag;
+    activeChatbotIdSource = "flag";
+  } else if (process.env.OPENBAT_CHATBOT_ID) {
+    activeChatbotId = process.env.OPENBAT_CHATBOT_ID;
+    activeChatbotIdSource = "env";
+  } else if (file.activeChatbotId) {
+    activeChatbotId = file.activeChatbotId;
+    activeChatbotIdSource = "file";
+  }
+  return {
+    apiKey,
+    baseUrl,
+    activeChatbotId,
+    apiKeySource,
+    baseUrlSource,
+    activeChatbotIdSource
+  };
 }
 async function setApiKey(apiKey) {
   if (apiKey.startsWith("ob_live_")) {
@@ -109,6 +128,25 @@ async function setApiKey(apiKey) {
   file.apiKey = apiKey;
   await writeConfig(file);
 }
+async function clearApiKey() {
+  const file = await readConfig();
+  delete file.apiKey;
+  delete file.activeChatbotId;
+  await writeConfig(file);
+}
+async function setActiveChatbotId(chatbotId) {
+  if (!/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(chatbotId)) {
+    throw new Error(`Not a UUID: ${chatbotId}`);
+  }
+  const file = await readConfig();
+  file.activeChatbotId = chatbotId;
+  await writeConfig(file);
+}
+async function clearActiveChatbotId() {
+  const file = await readConfig();
+  delete file.activeChatbotId;
+  await writeConfig(file);
+}
 async function setBaseUrl(baseUrl) {
   try {
     new URL(baseUrl);
@@ -123,6 +161,156 @@ function configPath() {
   return CONFIG_PATH;
 }
 
+// src/api-client.ts
+var import_node_url = require("url");
+var CLI_VERSION = "0.1.1";
+var KEY_REGEX = /ob_(?:live|read|admin|pat)_[0-9a-f]{32}/g;
+function redact(s) {
+  return s.replace(KEY_REGEX, (k) => `${k.slice(0, 16)}\u2026<hidden>`);
+}
+function assertHttpsOrLocalhost(baseUrl) {
+  let url;
+  try {
+    url = new import_node_url.URL(baseUrl);
+  } catch {
+    throw new Error(`Invalid base URL: ${redact(baseUrl)}`);
+  }
+  if (url.protocol === "https:") return;
+  if (url.protocol === "http:" && (url.hostname === "localhost" || url.hostname === "127.0.0.1")) {
+    return;
+  }
+  throw new Error(
+    "Refusing to use a non-HTTPS base URL. localhost / 127.0.0.1 are allowed for dev."
+  );
+}
+var _apiKey, _clientLabel, _clientVersion, _ApiClient_instances, commonHeaders_fn, mutate_fn;
+var ApiClient = class {
+  constructor(opts) {
+    __privateAdd(this, _ApiClient_instances);
+    __privateAdd(this, _apiKey);
+    __privateAdd(this, _clientLabel);
+    __privateAdd(this, _clientVersion);
+    assertHttpsOrLocalhost(opts.baseUrl);
+    this.baseUrl = opts.baseUrl.replace(/\/$/, "");
+    __privateSet(this, _apiKey, opts.apiKey);
+    __privateSet(this, _clientLabel, opts.clientLabel ?? "cli");
+    __privateSet(this, _clientVersion, opts.clientVersion ?? CLI_VERSION);
+  }
+  /**
+   * Issue a GET against `path` (must begin with `/`). Returns the parsed
+   * JSON on 200. Throws an Error whose message is safe to print (key
+   * redacted, status included).
+   */
+  async get(path) {
+    const url = `${this.baseUrl}${path}`;
+    let res;
+    try {
+      res = await fetch(url, {
+        method: "GET",
+        headers: __privateMethod(this, _ApiClient_instances, commonHeaders_fn).call(this, { accept: "application/json" })
+      });
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      throw new Error(`Request to ${redact(url)} failed: ${redact(msg)}`);
+    }
+    return parseResponse(res, url);
+  }
+  /** Issue a POST with a JSON body. */
+  async post(path, body) {
+    return __privateMethod(this, _ApiClient_instances, mutate_fn).call(this, "POST", path, body);
+  }
+  /** Issue a PATCH with a JSON body. */
+  async patch(path, body) {
+    return __privateMethod(this, _ApiClient_instances, mutate_fn).call(this, "PATCH", path, body);
+  }
+  /** Issue a DELETE. Body is rarely used; we still allow it. */
+  async delete(path, body) {
+    return __privateMethod(this, _ApiClient_instances, mutate_fn).call(this, "DELETE", path, body);
+  }
+  /** Pass-through for streaming endpoints (export). Returns the raw body. */
+  async getRaw(path) {
+    const url = `${this.baseUrl}${path}`;
+    const res = await fetch(url, {
+      method: "GET",
+      headers: __privateMethod(this, _ApiClient_instances, commonHeaders_fn).call(this)
+    });
+    if (!res.ok || !res.body) {
+      const errText = await res.text().catch(() => "");
+      throw new Error(
+        `GET ${redact(url)} \u2192 ${res.status} ${res.statusText}${errText ? `: ${redact(errText.slice(0, 200))}` : ""}`
+      );
+    }
+    return {
+      body: res.body,
+      contentType: res.headers.get("content-type") ?? "application/octet-stream"
+    };
+  }
+};
+_apiKey = new WeakMap();
+_clientLabel = new WeakMap();
+_clientVersion = new WeakMap();
+_ApiClient_instances = new WeakSet();
+commonHeaders_fn = function(extra) {
+  const h = {
+    "x-openbat-key": __privateGet(this, _apiKey),
+    "x-openbat-client": __privateGet(this, _clientLabel),
+    ...extra ?? {}
+  };
+  if (__privateGet(this, _clientVersion)) h["x-openbat-client-version"] = __privateGet(this, _clientVersion);
+  return h;
+};
+mutate_fn = async function(method, path, body) {
+  const url = `${this.baseUrl}${path}`;
+  let res;
+  try {
+    res = await fetch(url, {
+      method,
+      headers: __privateMethod(this, _ApiClient_instances, commonHeaders_fn).call(this, {
+        "content-type": "application/json",
+        accept: "application/json"
+      }),
+      body: body === void 0 ? void 0 : JSON.stringify(body)
+    });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new Error(`Request to ${redact(url)} failed: ${redact(msg)}`);
+  }
+  return parseResponse(res, url);
+};
+async function parseResponse(res, url) {
+  if (res.status === 401) {
+    throw new Error(
+      "Unauthorized. The API key was rejected (invalid, wrong kind for this endpoint, expired, or revoked)."
+    );
+  }
+  if (res.status === 403) {
+    throw new Error(
+      "Forbidden. The credential is valid but lacks permission for this operation (e.g. read-scope PAT can't mutate)."
+    );
+  }
+  if (res.status === 429) {
+    const retry = res.headers.get("retry-after");
+    throw new Error(
+      `Rate limited.${retry ? ` Retry after ${retry}s.` : ""}`
+    );
+  }
+  if (!res.ok) {
+    let errBody = null;
+    try {
+      errBody = await res.json();
+    } catch {
+    }
+    throw new Error(
+      `GET ${redact(url)} \u2192 ${res.status} ${res.statusText}${errBody?.error ? `: ${redact(errBody.error)}` : ""}`
+    );
+  }
+  try {
+    return await res.json();
+  } catch {
+    throw new Error(`Response from ${redact(url)} was not valid JSON`);
+  }
+}
+
 // src/format.ts
 var ANSI = {
   dim: "\x1B[2m",
@@ -248,167 +436,131 @@ function configCommand() {
       apiKeySource: cfg.apiKeySource,
       baseUrl: cfg.baseUrl,
       baseUrlSource: cfg.baseUrlSource,
+      activeChatbotId: cfg.activeChatbotId ?? "(not set)",
+      activeChatbotIdSource: cfg.activeChatbotIdSource,
       configFile: configPath()
     });
   });
-  return cmd;
-}
-
-// src/commands/data.ts
-var import_commander2 = require("commander");
-
-// src/api-client.ts
-var import_node_url = require("url");
-var KEY_REGEX = /ob_(?:live|read|admin|pat)_[0-9a-f]{32}/g;
-function redact(s) {
-  return s.replace(KEY_REGEX, (k) => `${k.slice(0, 16)}\u2026<hidden>`);
-}
-function assertHttpsOrLocalhost(baseUrl) {
-  let url;
-  try {
-    url = new import_node_url.URL(baseUrl);
-  } catch {
-    throw new Error(`Invalid base URL: ${redact(baseUrl)}`);
-  }
-  if (url.protocol === "https:") return;
-  if (url.protocol === "http:" && (url.hostname === "localhost" || url.hostname === "127.0.0.1")) {
-    return;
-  }
-  throw new Error(
-    "Refusing to use a non-HTTPS base URL. localhost / 127.0.0.1 are allowed for dev."
-  );
-}
-var _apiKey, _ApiClient_instances, mutate_fn;
-var ApiClient = class {
-  constructor(opts) {
-    __privateAdd(this, _ApiClient_instances);
-    __privateAdd(this, _apiKey);
-    assertHttpsOrLocalhost(opts.baseUrl);
-    this.baseUrl = opts.baseUrl.replace(/\/$/, "");
-    __privateSet(this, _apiKey, opts.apiKey);
-  }
-  /**
-   * Issue a GET against `path` (must begin with `/`). Returns the parsed
-   * JSON on 200. Throws an Error whose message is safe to print (key
-   * redacted, status included).
-   */
-  async get(path) {
-    const url = `${this.baseUrl}${path}`;
-    let res;
+  cmd.command("use-chatbot <id-or-name>").description(
+    "Persist a default chatbot for commands that need one (e.g. with a PAT spanning many chatbots)"
+  ).action(async function(target) {
     try {
-      res = await fetch(url, {
-        method: "GET",
-        headers: {
-          "x-openbat-key": __privateGet(this, _apiKey),
-          accept: "application/json"
-        }
-      });
+      const id = await resolveTargetChatbotId(target);
+      await setActiveChatbotId(id);
+      process.stdout.write(`Active chatbot saved: ${id}
+`);
     } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      throw new Error(`Request to ${redact(url)} failed: ${redact(msg)}`);
+      fatal(err instanceof Error ? err.message : String(err));
     }
-    return parseResponse(res, url);
-  }
-  /** Issue a POST with a JSON body. */
-  async post(path, body) {
-    return __privateMethod(this, _ApiClient_instances, mutate_fn).call(this, "POST", path, body);
-  }
-  /** Issue a PATCH with a JSON body. */
-  async patch(path, body) {
-    return __privateMethod(this, _ApiClient_instances, mutate_fn).call(this, "PATCH", path, body);
-  }
-  /** Issue a DELETE. Body is rarely used; we still allow it. */
-  async delete(path, body) {
-    return __privateMethod(this, _ApiClient_instances, mutate_fn).call(this, "DELETE", path, body);
+  });
+  cmd.command("clear-chatbot").description("Forget the persisted default chatbot").action(async () => {
+    await clearActiveChatbotId();
+    process.stdout.write("Cleared active chatbot.\n");
+  });
+  return cmd;
+}
+var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+async function resolveTargetChatbotId(target) {
+  const cfg = await resolveConfig({});
+  if (!cfg.apiKey) {
+    fatal(
+      "No API key configured. Run `openbat config set-key` first so I can list your chatbots."
+    );
   }
-  /** Pass-through for streaming endpoints (export). Returns the raw body. */
-  async getRaw(path) {
-    const url = `${this.baseUrl}${path}`;
-    const res = await fetch(url, {
-      method: "GET",
-      headers: {
-        "x-openbat-key": __privateGet(this, _apiKey)
-      }
-    });
-    if (!res.ok || !res.body) {
-      const errText = await res.text().catch(() => "");
-      throw new Error(
-        `GET ${redact(url)} \u2192 ${res.status} ${res.statusText}${errText ? `: ${redact(errText.slice(0, 200))}` : ""}`
-      );
+  const api = new ApiClient({ apiKey: cfg.apiKey, baseUrl: cfg.baseUrl });
+  const list = await api.get(
+    "/api/v1/chatbots"
+  );
+  const chatbots = list.chatbots ?? [];
+  if (UUID_RE.test(target)) {
+    const hit = chatbots.find((c) => c.id === target);
+    if (!hit) {
+      fatal(`Chatbot ${target} is not reachable by this API key.`);
     }
-    return {
-      body: res.body,
-      contentType: res.headers.get("content-type") ?? "application/octet-stream"
-    };
-  }
-};
-_apiKey = new WeakMap();
-_ApiClient_instances = new WeakSet();
-mutate_fn = async function(method, path, body) {
-  const url = `${this.baseUrl}${path}`;
-  let res;
-  try {
-    res = await fetch(url, {
-      method,
-      headers: {
-        "x-openbat-key": __privateGet(this, _apiKey),
-        "content-type": "application/json",
-        accept: "application/json"
-      },
-      body: body === void 0 ? void 0 : JSON.stringify(body)
-    });
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    throw new Error(`Request to ${redact(url)} failed: ${redact(msg)}`);
+    return hit.id;
   }
-  return parseResponse(res, url);
-};
-async function parseResponse(res, url) {
-  if (res.status === 401) {
-    throw new Error(
-      "Unauthorized. The API key was rejected (invalid, wrong kind for this endpoint, expired, or revoked)."
-    );
+  const lower = target.toLowerCase();
+  const matches = chatbots.filter((c) => c.name.toLowerCase() === lower);
+  if (matches.length === 0) {
+    fatal(`No chatbot named "${target}". Run \`openbat chatbot list\`.`);
   }
-  if (res.status === 403) {
-    throw new Error(
-      "Forbidden. The credential is valid but lacks permission for this operation (e.g. read-scope PAT can't mutate)."
-    );
-  }
-  if (res.status === 429) {
-    const retry = res.headers.get("retry-after");
-    throw new Error(
-      `Rate limited.${retry ? ` Retry after ${retry}s.` : ""}`
+  if (matches.length > 1) {
+    fatal(
+      `Multiple chatbots named "${target}". Use the UUID \u2014 list them with \`openbat chatbot list\`.`
     );
   }
-  if (!res.ok) {
-    let errBody = null;
+  return matches[0].id;
+}
+function useCommand() {
+  return new import_commander.Command("use").argument("<id-or-name>", "Chatbot UUID or exact name").description("Set the default chatbot for this CLI (shortcut for `config use-chatbot`)").action(async (target) => {
     try {
-      errBody = await res.json();
-    } catch {
+      const id = await resolveTargetChatbotId(target);
+      await setActiveChatbotId(id);
+      process.stdout.write(`Active chatbot saved: ${id}
+`);
+    } catch (err) {
+      fatal(err instanceof Error ? err.message : String(err));
     }
-    throw new Error(
-      `GET ${redact(url)} \u2192 ${res.status} ${res.statusText}${errBody?.error ? `: ${redact(errBody.error)}` : ""}`
-    );
-  }
-  try {
-    return await res.json();
-  } catch {
-    throw new Error(`Response from ${redact(url)} was not valid JSON`);
-  }
+  });
 }
 
 // src/commands/data.ts
+var import_commander2 = require("commander");
 async function client(globals) {
   const cfg = await resolveConfig({
     apiKeyFlag: globals.apiKey ?? null,
-    baseUrlFlag: globals.baseUrl ?? null
+    baseUrlFlag: globals.baseUrl ?? null,
+    chatbotFlag: globals.chatbot ?? null
   });
   if (!cfg.apiKey) {
     fatal(
       "No API key configured. Run `openbat config set-key`, or pass --api-key, or set OPENBAT_API_KEY."
     );
   }
-  return new ApiClient({ apiKey: cfg.apiKey, baseUrl: cfg.baseUrl });
+  return {
+    api: new ApiClient({ apiKey: cfg.apiKey, baseUrl: cfg.baseUrl }),
+    chatbotFlag: cfg.activeChatbotId
+  };
+}
+var UUID_RE2 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+async function resolveChatbotId(api, chatbotFlag) {
+  const list = await api.get(
+    "/api/v1/chatbots"
+  );
+  const chatbots = list.chatbots ?? [];
+  if (chatbots.length === 0) {
+    fatal("This API key authorizes no chatbots.");
+  }
+  if (chatbotFlag) {
+    if (UUID_RE2.test(chatbotFlag)) {
+      const hit = chatbots.find((c) => c.id === chatbotFlag);
+      if (!hit) {
+        fatal(
+          `Chatbot ${chatbotFlag} is not reachable by this API key. Run \`openbat chatbot list\` to see what is.`
+        );
+      }
+      return hit.id;
+    }
+    const lower = chatbotFlag.toLowerCase();
+    const matches = chatbots.filter((c) => c.name.toLowerCase() === lower);
+    if (matches.length === 0) {
+      fatal(
+        `No chatbot named "${chatbotFlag}". Run \`openbat chatbot list\` to see what's reachable.`
+      );
+    }
+    if (matches.length > 1) {
+      fatal(
+        `Multiple chatbots named "${chatbotFlag}". Use the UUID instead \u2014 list them with \`openbat chatbot list\`.`
+      );
+    }
+    return matches[0].id;
+  }
+  if (chatbots.length === 1) return chatbots[0].id;
+  const lines = chatbots.map((c) => `  \u2022 ${c.name}   ${c.id}`).join("\n");
+  fatal(
+    `This API key targets multiple chatbots. Pick one with \`openbat use <id>\` (persistent) or \`--chatbot <id>\` (one-off):
+${lines}`
+  );
 }
 function formatOpts(cmd) {
   const opts = cmd.optsWithGlobals();
@@ -420,12 +572,26 @@ function chatbotCommand() {
   );
   cmd.command("info").description("Show the chatbot the current API key authorizes").action(async function() {
     try {
-      const c = await client(this.optsWithGlobals());
-      const result = await c.get(
+      const { api, chatbotFlag } = await client(this.optsWithGlobals());
+      const id = await resolveChatbotId(api, chatbotFlag);
+      const result = await api.get(
+        "/api/v1/chatbots"
+      );
+      const row = (result.chatbots ?? []).find(
+        (c) => c.id === id
+      ) ?? null;
+      emit(row, formatOpts(this));
+    } catch (err) {
+      fatal(err instanceof Error ? err.message : String(err));
+    }
+  });
+  cmd.command("list").description("List every chatbot this API key authorizes").action(async function() {
+    try {
+      const { api } = await client(this.optsWithGlobals());
+      const result = await api.get(
         "/api/v1/chatbots"
       );
-      const list = result.chatbots ?? [];
-      emit(list[0] ?? null, formatOpts(this));
+      emit(result.chatbots ?? [], formatOpts(this));
     } catch (err) {
       fatal(err instanceof Error ? err.message : String(err));
     }
@@ -438,12 +604,14 @@ function conversationsCommand() {
   );
   cmd.command("list").description("Page through recent conversations").option("--page <n>", "Page number", "1").option("--limit <n>", "Page size (max 100)", "20").action(async function(opts) {
     try {
-      const c = await client(this.optsWithGlobals());
+      const { api, chatbotFlag } = await client(this.optsWithGlobals());
+      const id = await resolveChatbotId(api, chatbotFlag);
       const params = new URLSearchParams({
+        chatbotId: id,
         page: opts.page,
         limit: opts.limit
       });
-      const result = await c.get(`/api/v1/conversations?${params}`);
+      const result = await api.get(`/api/v1/conversations?${params}`);
       if (this.optsWithGlobals().json) {
         emit(result, { json: true });
       } else {
@@ -458,11 +626,13 @@ Total: ${result.total}, page ${opts.page}, limit ${opts.limit}
       fatal(err instanceof Error ? err.message : String(err));
     }
   });
-  cmd.command("show <id>").description("Show one conversation by id, with messages").action(async function(id) {
+  cmd.command("show <id>").description("Show one conversation by id, with messages").action(async function(convId) {
     try {
-      const c = await client(this.optsWithGlobals());
-      const result = await c.get(
-        `/api/v1/conversations/${encodeURIComponent(id)}`
+      const { api, chatbotFlag } = await client(this.optsWithGlobals());
+      const id = await resolveChatbotId(api, chatbotFlag);
+      const params = new URLSearchParams({ chatbotId: id });
+      const result = await api.get(
+        `/api/v1/conversations/${encodeURIComponent(convId)}?${params}`
       );
       emit(result.conversation, formatOpts(this));
     } catch (err) {
@@ -473,13 +643,15 @@ Total: ${result.total}, page ${opts.page}, limit ${opts.limit}
 }
 function analyticsCommand() {
   const cmd = new import_commander2.Command("analytics").description(
-    "Aggregated analytics for the bound chatbot"
+    "Aggregated analytics for the active chatbot"
   );
   cmd.command("overview").description("Total conversations, messages, sentiment distribution").action(async function() {
     try {
-      const c = await client(this.optsWithGlobals());
-      const result = await c.get(
-        "/api/v1/analytics/overview"
+      const { api, chatbotFlag } = await client(this.optsWithGlobals());
+      const id = await resolveChatbotId(api, chatbotFlag);
+      const params = new URLSearchParams({ chatbotId: id });
+      const result = await api.get(
+        `/api/v1/analytics/overview?${params}`
       );
       emit(result, formatOpts(this));
     } catch (err) {
@@ -488,9 +660,10 @@ function analyticsCommand() {
   });
   cmd.command("sentiment").description("Sentiment over time (default last 30 days)").option("--days <n>", "Look-back window in days", "30").action(async function(opts) {
     try {
-      const c = await client(this.optsWithGlobals());
-      const params = new URLSearchParams({ days: opts.days });
-      const result = await c.get(
+      const { api, chatbotFlag } = await client(this.optsWithGlobals());
+      const id = await resolveChatbotId(api, chatbotFlag);
+      const params = new URLSearchParams({ chatbotId: id, days: opts.days });
+      const result = await api.get(
         `/api/v1/analytics/sentiment?${params}`
       );
       emit(result, formatOpts(this));
@@ -501,16 +674,12 @@ function analyticsCommand() {
   return cmd;
 }
 function exportCommand() {
-  const cmd = new import_commander2.Command("export").description("Dump all conversation data for the bound chatbot").option("--format <fmt>", "json or csv", "json").option("--out <path>", "Write to file (defaults to stdout)").action(async function(opts) {
+  const cmd = new import_commander2.Command("export").description("Dump all conversation data for the active chatbot").option("--format <fmt>", "json or csv", "json").option("--out <path>", "Write to file (defaults to stdout)").action(async function(opts) {
     try {
-      const c = await client(this.optsWithGlobals());
-      const info = await c.get(
-        "/api/v1/chatbots"
-      );
-      const id = info.chatbots[0]?.id;
-      if (!id) fatal("Could not resolve chatbot from API key.");
+      const { api, chatbotFlag } = await client(this.optsWithGlobals());
+      const id = await resolveChatbotId(api, chatbotFlag);
       const format = opts.format === "csv" ? "csv" : "json";
-      const { body } = await c.getRaw(
+      const { body } = await api.getRaw(
         `/api/v1/export/${id}?format=${format}`
       );
       if (opts.out) {
@@ -622,8 +791,370 @@ function authCommand() {
   return cmd;
 }
 
-// src/commands/org.ts
+// src/commands/login.ts
 var import_commander4 = require("commander");
+var import_node_os2 = __toESM(require("os"));
+var import_node_readline = __toESM(require("readline"));
+
+// src/browser.ts
+var import_node_child_process = require("child_process");
+function openBrowser(url) {
+  try {
+    if (process.platform === "darwin") {
+      (0, import_node_child_process.spawn)("open", [url], { detached: true, stdio: "ignore" }).unref();
+      return true;
+    }
+    if (process.platform === "win32") {
+      (0, import_node_child_process.spawn)("cmd", ["/c", "start", "", url], {
+        detached: true,
+        stdio: "ignore",
+        windowsVerbatimArguments: true
+      }).unref();
+      return true;
+    }
+    (0, import_node_child_process.spawn)("xdg-open", [url], { detached: true, stdio: "ignore" }).unref();
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/pkce.ts
+var import_node_crypto = __toESM(require("crypto"));
+function generateVerifier() {
+  return import_node_crypto.default.randomBytes(32).toString("hex");
+}
+function challengeFor(verifier) {
+  return import_node_crypto.default.createHash("sha256").update(verifier).digest("hex");
+}
+function randomState() {
+  return import_node_crypto.default.randomBytes(32).toString("hex");
+}
+
+// src/loopback.ts
+var import_node_http = __toESM(require("http"));
+var TIMEOUT_MS = 5 * 60 * 1e3;
+var SUCCESS_HTML = `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <title>OpenBat CLI \u2014 signed in</title>
+  <style>
+    body {
+      font-family: system-ui, -apple-system, "Segoe UI", sans-serif;
+      background: #0a0a0a;
+      color: #fafafa;
+      margin: 0;
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+    }
+    .card {
+      max-width: 420px;
+      padding: 32px;
+      border-radius: 14px;
+      background: #141414;
+      border: 1px solid #262626;
+      text-align: center;
+    }
+    h1 { margin: 0 0 8px; font-size: 18px; font-weight: 600; }
+    p { margin: 0; color: #a3a3a3; font-size: 14px; line-height: 1.5; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>Signed in</h1>
+    <p>You can close this tab and return to your terminal.</p>
+  </div>
+</body>
+</html>`;
+var ERROR_HTML = (msg) => `<!doctype html>
+<html><body style="font-family:system-ui;background:#0a0a0a;color:#fafafa;margin:0;min-height:100vh;display:flex;align-items:center;justify-content:center">
+<div style="max-width:420px;padding:32px;text-align:center">
+<h1 style="font-size:18px;margin:0 0 8px">Login failed</h1>
+<p style="margin:0;color:#a3a3a3;font-size:14px">${escapeHtml(msg)}</p>
+</div></body></html>`;
+function escapeHtml(s) {
+  return s.replace(
+    /[&<>"]/g,
+    (c) => c === "&" ? "&amp;" : c === "<" ? "&lt;" : c === ">" ? "&gt;" : "&quot;"
+  );
+}
+async function runLoopbackServer(opts) {
+  let resolve = null;
+  let reject = null;
+  const callback = new Promise((res, rej) => {
+    resolve = res;
+    reject = rej;
+  });
+  const server = import_node_http.default.createServer((req, res) => {
+    const url = new URL(req.url ?? "/", "http://127.0.0.1");
+    if (url.pathname !== "/cb") {
+      res.writeHead(404).end();
+      return;
+    }
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    if (!code || !state) {
+      res.writeHead(400, { "content-type": "text/html" }).end(ERROR_HTML("Missing code or state"));
+      reject?.(new Error("Missing code or state in callback"));
+      return;
+    }
+    if (state !== opts.expectedState) {
+      res.writeHead(400, { "content-type": "text/html" }).end(ERROR_HTML("State mismatch \u2014 aborting for safety"));
+      reject?.(new Error("State mismatch \u2014 aborting"));
+      return;
+    }
+    res.writeHead(200, { "content-type": "text/html" }).end(SUCCESS_HTML);
+    resolve?.({ code });
+    setTimeout(() => server.close(), 100);
+  });
+  await new Promise((res) => server.listen(0, "127.0.0.1", () => res()));
+  const port = server.address().port;
+  const timer = setTimeout(() => {
+    server.close();
+    reject?.(new Error("Login timed out after 5 minutes."));
+  }, TIMEOUT_MS);
+  return {
+    port,
+    waitForCallback: async () => {
+      try {
+        const result = await callback;
+        clearTimeout(timer);
+        return result;
+      } catch (err) {
+        clearTimeout(timer);
+        server.close();
+        throw err;
+      }
+    }
+  };
+}
+
+// src/commands/login.ts
+var HOSTNAME = import_node_os2.default.hostname();
+function loginCommand() {
+  return new import_commander4.Command("login").description("Sign in via browser and install an API key on this device").option("--device", "Use the device-code flow (for SSH / headless machines)").option(
+    "--use <key>",
+    "Skip the browser; install a PAT plaintext you already have"
+  ).action(async function(opts) {
+    try {
+      const globals = this.optsWithGlobals();
+      const cfg = await resolveConfig({
+        apiKeyFlag: null,
+        baseUrlFlag: globals.baseUrl ?? null
+      });
+      let token;
+      if (opts.use) {
+        token = opts.use.trim();
+      } else if (opts.device) {
+        token = await deviceFlow(cfg.baseUrl);
+      } else {
+        token = await loopbackFlow(cfg.baseUrl);
+      }
+      await setApiKey(token);
+      process.stdout.write(`Signed in. API key saved to ~/.openbatrc.
+`);
+      await pickDefaultChatbot(token, cfg.baseUrl);
+    } catch (err) {
+      fatal(err instanceof Error ? err.message : String(err));
+    }
+  });
+}
+async function loopbackFlow(baseUrl) {
+  const verifier = generateVerifier();
+  const challenge = challengeFor(verifier);
+  const state = randomState();
+  const { port, waitForCallback } = await runLoopbackServer({
+    expectedState: state
+  });
+  const redirectUri = `http://127.0.0.1:${port}/cb`;
+  const authorizeUrl = new URL("/platform/cli/authorize", baseUrl);
+  authorizeUrl.searchParams.set("state", state);
+  authorizeUrl.searchParams.set("challenge", challenge);
+  authorizeUrl.searchParams.set("redirect_uri", redirectUri);
+  authorizeUrl.searchParams.set("hostname", HOSTNAME);
+  const opened = openBrowser(authorizeUrl.toString());
+  if (!opened) {
+    process.stderr.write(`
+Couldn't open a browser. Visit this URL to continue:
+  ${authorizeUrl}
+
+`);
+  } else {
+    process.stderr.write(`
+Opening your browser\u2026 (waiting on http://127.0.0.1:${port})
+`);
+    process.stderr.write(`If it didn't open, visit: ${authorizeUrl}
+
+`);
+  }
+  const { code } = await waitForCallback();
+  const exchangeRes = await fetch(new URL("/api/cli/exchange", baseUrl), {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ code, verifier })
+  });
+  if (!exchangeRes.ok) {
+    const text = await exchangeRes.text();
+    throw new Error(`Exchange failed (${exchangeRes.status}): ${text}`);
+  }
+  const exchange = await exchangeRes.json();
+  if (!exchange.ok || !exchange.token) {
+    throw new Error("Exchange response missing token.");
+  }
+  return exchange.token;
+}
+async function deviceFlow(baseUrl) {
+  const startRes = await fetch(new URL("/api/cli/device/start", baseUrl), {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ hostname: HOSTNAME })
+  });
+  if (!startRes.ok) {
+    const text = await startRes.text();
+    throw new Error(`Device flow start failed (${startRes.status}): ${text}`);
+  }
+  const start = await startRes.json();
+  process.stdout.write(`
+On any device, visit:
+  ${start.verification_uri}
+
+`);
+  process.stdout.write(`and enter this code:
+  ${start.user_code}
+
+`);
+  process.stdout.write(`Or open directly:
+  ${start.verification_uri_complete}
+
+`);
+  process.stderr.write("Waiting for authorization\u2026\n");
+  const deadline = Date.now() + start.expires_in * 1e3;
+  const intervalMs = Math.max(start.interval, 5) * 1e3;
+  while (Date.now() < deadline) {
+    await new Promise((r) => setTimeout(r, intervalMs));
+    const pollRes = await fetch(new URL("/api/cli/device/poll", baseUrl), {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ device_code: start.device_code })
+    });
+    if (pollRes.status === 429) continue;
+    if (!pollRes.ok) {
+      const text = await pollRes.text();
+      throw new Error(`Poll failed (${pollRes.status}): ${text}`);
+    }
+    const poll = await pollRes.json();
+    if (poll.status === "pending") continue;
+    if (poll.status === "expired") throw new Error("Code expired. Run `openbat login --device` again.");
+    if (poll.status === "denied") throw new Error("Authorization denied.");
+    if (poll.status === "unknown") throw new Error("Server lost the request. Try again.");
+    if (poll.status === "authorized") {
+      if (!poll.token) throw new Error("Server authorized but didn't return a token.");
+      return poll.token;
+    }
+  }
+  throw new Error("Timed out waiting for authorization.");
+}
+async function pickDefaultChatbot(token, baseUrl) {
+  const api = new ApiClient({ apiKey: token, baseUrl });
+  let chatbots;
+  try {
+    const result = await api.get(
+      "/api/v1/chatbots"
+    );
+    chatbots = result.chatbots ?? [];
+  } catch (err) {
+    process.stderr.write(
+      `
+(Couldn't list chatbots: ${err instanceof Error ? err.message : String(err)})
+`
+    );
+    return;
+  }
+  if (chatbots.length === 0) {
+    process.stdout.write("\nNo chatbots reachable yet. Create one from the dashboard.\n");
+    return;
+  }
+  if (chatbots.length === 1) {
+    await setActiveChatbotId(chatbots[0].id);
+    process.stdout.write(`Default chatbot: ${chatbots[0].name}
+`);
+    return;
+  }
+  if (!process.stdin.isTTY) {
+    process.stdout.write(
+      `
+You have ${chatbots.length} chatbots. Pick one later with \`openbat use <id>\`.
+`
+    );
+    return;
+  }
+  process.stdout.write("\nYou have access to multiple chatbots. Pick a default:\n");
+  chatbots.forEach((c, i) => {
+    process.stdout.write(`  ${i + 1}. ${c.name}   ${c.id}
+`);
+  });
+  process.stdout.write(`  ${chatbots.length + 1}. Skip \u2014 pick later with \`openbat use\`
+`);
+  const rl = import_node_readline.default.createInterface({ input: process.stdin, output: process.stdout });
+  const answer = await new Promise(
+    (res) => rl.question("Choice: ", (input) => {
+      rl.close();
+      res(input.trim());
+    })
+  );
+  const idx = Number(answer);
+  if (!Number.isInteger(idx) || idx < 1 || idx > chatbots.length + 1) {
+    process.stdout.write("(Invalid choice \u2014 skipping.)\n");
+    return;
+  }
+  if (idx === chatbots.length + 1) return;
+  await setActiveChatbotId(chatbots[idx - 1].id);
+  process.stdout.write(`Default chatbot: ${chatbots[idx - 1].name}
+`);
+}
+
+// src/commands/logout.ts
+var import_commander5 = require("commander");
+function logoutCommand() {
+  return new import_commander5.Command("logout").description("Revoke the stored API key and clear ~/.openbatrc").action(async function() {
+    try {
+      const globals = this.optsWithGlobals();
+      const cfg = await resolveConfig({
+        apiKeyFlag: null,
+        baseUrlFlag: globals.baseUrl ?? null
+      });
+      if (!cfg.apiKey) {
+        process.stdout.write("Not signed in.\n");
+        return;
+      }
+      if (cfg.apiKey.startsWith("ob_pat_")) {
+        const api = new ApiClient({ apiKey: cfg.apiKey, baseUrl: cfg.baseUrl });
+        try {
+          await api.post("/api/v1/me/pats/self/revoke", {});
+        } catch (err) {
+          process.stderr.write(
+            `Warning: server-side revoke failed (${err instanceof Error ? err.message : err}). Clearing local config anyway.
+`
+          );
+        }
+      } else {
+        process.stderr.write(
+          "Note: read/admin keys can't self-revoke. Visit the dashboard to revoke; this command will just clear the local config.\n"
+        );
+      }
+      await clearApiKey();
+      process.stdout.write("Signed out.\n");
+    } catch (err) {
+      fatal(err instanceof Error ? err.message : String(err));
+    }
+  });
+}
+
+// src/commands/org.ts
+var import_commander6 = require("commander");
 async function client3(globals) {
   const cfg = await resolveConfig({
     apiKeyFlag: globals.apiKey ?? null,
@@ -638,7 +1169,7 @@ async function client3(globals) {
   return new ApiClient({ apiKey: cfg.apiKey, baseUrl: cfg.baseUrl });
 }
 function orgCommand() {
-  const cmd = new import_commander4.Command("org").description(
+  const cmd = new import_commander6.Command("org").description(
     "Manage the OpenBat tenant org (rename, members, invitations). Requires PAT."
   );
   cmd.command("list").description("List orgs the current PAT's user belongs to").action(async function() {
@@ -746,7 +1277,7 @@ function orgCommand() {
 }
 
 // src/commands/write.ts
-var import_commander5 = require("commander");
+var import_commander7 = require("commander");
 async function client4(globals) {
   const cfg = await resolveConfig({
     apiKeyFlag: globals.apiKey ?? null,
@@ -770,7 +1301,7 @@ function surfacePlaintext(plaintext, label) {
   );
 }
 function chatbotsCommand() {
-  const cmd = new import_commander5.Command("chatbots").description(
+  const cmd = new import_commander7.Command("chatbots").description(
     "List, create, delete chatbots in the current scope"
   );
   cmd.command("list").description("List every chatbot the credential can reach").action(async function() {
@@ -818,7 +1349,7 @@ function chatbotsCommand() {
   return cmd;
 }
 function webhooksCommand() {
-  const cmd = new import_commander5.Command("webhooks").description("Manage webhooks for a chatbot");
+  const cmd = new import_commander7.Command("webhooks").description("Manage webhooks for a chatbot");
   cmd.command("list").requiredOption("--chatbot <id>", "Chatbot id").action(async function(opts) {
     try {
       const globals = this.optsWithGlobals();
@@ -859,7 +1390,7 @@ function webhooksCommand() {
   return cmd;
 }
 function settingsCommand() {
-  const cmd = new import_commander5.Command("settings").description(
+  const cmd = new import_commander7.Command("settings").description(
     "Manage chatbot settings + per-chatbot keys"
   );
   const keys = cmd.command("keys").description("Manage API keys for a chatbot");
@@ -947,7 +1478,7 @@ function settingsCommand() {
   return cmd;
 }
 function workflowsCommand() {
-  const cmd = new import_commander5.Command("workflows").description("Manage workflows");
+  const cmd = new import_commander7.Command("workflows").description("Manage workflows");
   cmd.command("list").requiredOption("--chatbot <id>", "Chatbot id").action(async function(opts) {
     try {
       const globals = this.optsWithGlobals();
@@ -985,7 +1516,7 @@ function workflowsCommand() {
   return cmd;
 }
 function reportsCommand() {
-  const cmd = new import_commander5.Command("reports").description("Manage AI reports");
+  const cmd = new import_commander7.Command("reports").description("Manage AI reports");
   cmd.command("list").requiredOption("--chatbot <id>", "Chatbot id").action(async function(opts) {
     try {
       const globals = this.optsWithGlobals();
@@ -1021,7 +1552,7 @@ Created report. View it (org members only):
   return cmd;
 }
 function analysisCommand() {
-  const cmd = new import_commander5.Command("analysis").description("Manage analysis definitions");
+  const cmd = new import_commander7.Command("analysis").description("Manage analysis definitions");
   cmd.command("list").requiredOption("--chatbot <id>", "Chatbot id").option("--type <t>", "intent | flag | assistant_outcome | assistant_issue").option("--pending", "Include pending suggestions").action(async function(opts) {
     try {
       const globals = this.optsWithGlobals();
@@ -1061,7 +1592,7 @@ function analysisCommand() {
   return cmd;
 }
 function usersCommand() {
-  const cmd = new import_commander5.Command("users").description(
+  const cmd = new import_commander7.Command("users").description(
     "List external users (chatbot customers) with health metrics"
   );
   cmd.command("list").requiredOption("--chatbot <id>", "Chatbot id").option("--from <iso>").option("--to <iso>").option("--days <n>", "Convenience: last N days").option("--search <q>").option("--limit <n>", "Page size", "20").action(async function(opts) {
@@ -1093,7 +1624,7 @@ Total: ${result.total}
   return cmd;
 }
 function sdkCommand() {
-  const cmd = new import_commander5.Command("sdk").description(
+  const cmd = new import_commander7.Command("sdk").description(
     "Help install and verify the OpenBat SDK in a target project"
   );
   cmd.command("install-instructions").description("Print markdown the calling agent can follow").option(
@@ -1187,17 +1718,23 @@ function sdkCommand() {
 }
 
 // src/index.ts
-var program = new import_commander6.Command();
+var program = new import_commander8.Command();
 program.name("openbat").description(
   "Query OpenBat chatbot data \u2014 conversations, sentiment, analytics, exports."
-).version("0.1.0").option("--api-key <key>", "Override the stored Read API key (footgun \u2014 leaks into shell history)").option(
+).version("0.2.0").option("--api-key <key>", "Override the stored Read API key (footgun \u2014 leaks into shell history)").option(
   "--base-url <url>",
   "Override the OpenBat API base URL (defaults to ~/.openbatrc or https://app.openbat.com)"
+).option(
+  "--chatbot <id|name>",
+  "Override the active chatbot for this invocation (UUID or chatbot name)"
 ).option(
   "--json",
   "Emit raw JSON instead of the TTY-friendly pretty-print"
 );
+program.addCommand(loginCommand());
+program.addCommand(logoutCommand());
 program.addCommand(configCommand());
+program.addCommand(useCommand());
 program.addCommand(authCommand());
 program.addCommand(orgCommand());
 program.addCommand(chatbotCommand());