@openbkn/bkn-sdk 0.1.1-alpha.1 → 0.1.1-alpha.2

package/dist/cli.js

@@ -1,34 +1,39 @@
 #!/usr/bin/env node
 import {
+  DEFAULT_BUSINESS_DOMAIN,
   DEFAULT_LIST_LIMIT,
   DEFAULT_QUERY_LIMIT,
+  HttpError,
   InputError,
   activePlatform,
   attachToken,
-  changePassword,
   createClient,
+  credentialDeviceLogin,
   currentToken,
+  decodeJwt,
   deletePlatform,
+  deviceLogin,
   exportCreds,
   formatError,
+  getUserSafe,
   listPlatforms,
   logout,
+  openBrowser,
   parseEmbeddingFields,
   parsePkMap,
   rawCall,
   readPlatformConfig,
-  renderOrgTree,
   renderReportMarkdown,
+  request,
   resolveContext,
   setActivePlatform,
   status,
   switchUser,
   toExitCode,
   use,
-  usersOf,
   whoami,
   writePlatformConfig
-} from "./chunk-ADZ23DPF.js";
+} from "./chunk-5MOIXIMJ.js";
 
 // src/cli.ts
 import { Command as Command16 } from "commander";
@@ -36,12 +41,12 @@ import { Command as Command16 } from "commander";
 // package.json
 var package_default = {
   name: "@openbkn/bkn-sdk",
-  version: "0.1.1-alpha.1",
+  version: "0.1.1-alpha.2",
   description: "Unified TypeScript SDK + CLI for the BKN (Business Knowledge Network) platform.",
   type: "module",
   license: "Apache-2.0",
   engines: {
-    node: ">=22"
+    node: ">=18"
   },
   bin: {
     openbkn: "./dist/cli.js"
@@ -148,6 +153,19 @@ function installGroupedHelp(root) {
   apply(root);
 }
 
+// src/utils/org-tree.ts
+function renderOrgTree(nodes, prefix = "") {
+  const lines = [];
+  nodes.forEach((node, i) => {
+    const last = i === nodes.length - 1;
+    lines.push(`${prefix}${last ? "\u2514\u2500\u2500 " : "\u251C\u2500\u2500 "}${node.name} (id: ${node.id})`);
+    if (node.children.length) {
+      lines.push(renderOrgTree(node.children, `${prefix}${last ? "    " : "\u2502   "}`));
+    }
+  });
+  return lines.join("\n");
+}
+
 // src/utils/output.ts
 function printJson(value, opts = {}) {
   if (opts.json || opts.compact) {
@@ -157,10 +175,11 @@ function printJson(value, opts = {}) {
   }
   const rows = toRows(value);
   if (rows) {
-    const columns = opts.full ? columnsOf(rows).filter((c) => rows.some((r) => stringifyCell(r[c]) !== "")) : selectColumns(rows);
+    const fullColumns = columnsOf(rows).filter((c) => rows.some((r) => stringifyCell(r[c]) !== ""));
+    const columns = opts.full ? fullColumns : selectColumns(rows);
     if (columns.length > 0) {
       printTable(rows, columns);
-      const hidden = columnsOf(rows).length - columns.length;
+      const hidden = fullColumns.length - columns.length;
       if (hidden > 0 && !opts.full) {
         process.stdout.write(`\u2026 ${hidden} more column(s); use --full or --json for everything
 `);
@@ -168,10 +187,31 @@ function printJson(value, opts = {}) {
       return;
     }
   }
+  if (isEmptyEnvelope(value)) {
+    process.stdout.write("(no results)\n");
+    return;
+  }
   process.stdout.write(`${JSON.stringify(value, null, 2)}
 `);
 }
-var ROW_ENVELOPES = ["entries", "data", "cases", "reports", "results", "list", "recurringRules"];
+function isEmptyEnvelope(value) {
+  if (!value || typeof value !== "object") return false;
+  const o = value;
+  return ROW_ENVELOPES.some((k) => Array.isArray(o[k]) && o[k].length === 0);
+}
+var ROW_ENVELOPES = [
+  "entries",
+  "data",
+  "cases",
+  "reports",
+  "results",
+  "list",
+  "recurringRules",
+  "users",
+  "roles",
+  "departments",
+  "members"
+];
 function toRows(value) {
   const isRowArray = (v) => Array.isArray(v) && v.length > 0 && v.every((x) => x !== null && typeof x === "object" && !Array.isArray(x));
   if (isRowArray(value)) return value;
@@ -286,340 +326,144 @@ function readBody(opts) {
 }
 
 // src/commands/auth.ts
-import { readFileSync as readFileSync2 } from "fs";
+import { createInterface } from "readline";
 import { Command } from "commander";
 
-// src/auth/oauth.ts
-import { spawn } from "child_process";
-import { createHash, constants as cryptoConstants, publicEncrypt, randomBytes } from "crypto";
-import { createServer } from "http";
-var DEFAULT_REDIRECT_PORT = 9010;
-var DEFAULT_SCOPE = "openid offline all";
-var STUDIOWEB_LOGIN_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsyOstgbYuubBi2PUqeVj
-GKlkwVUY6w1Y8d4k116dI2SkZI8fxcjHALv77kItO4jYLVplk9gO4HAtsisnNE2o
-wlYIqdmyEPMwupaeFFFcg751oiTXJiYbtX7ABzU5KQYPjRSEjMq6i5qu/mL67XTk
-hvKwrC83zme66qaKApmKupDODPb0RRkutK/zHfd1zL7sciBQ6psnNadh8pE24w8O
-2XVy1v2bgSNkGHABgncR7seyIg81JQ3c/Axxd6GsTztjLnlvGAlmT1TphE84mi99
-fUaGD2A1u1qdIuNc+XuisFeNcUW6fct0+x97eS2eEGRr/7qxWmO/P20sFVzXc2bF
-1QIDAQAB
------END PUBLIC KEY-----`;
-function normalizeBaseUrl(value) {
-  return value.replace(/\/+$/, "");
-}
-function generatePkce() {
-  const verifier = randomBytes(48).toString("base64url");
-  return { verifier, challenge: createHash("sha256").update(verifier).digest("base64url") };
-}
-function buildAuthorizeUrl(base, clientId, redirectUri, state, codeChallenge, scope = DEFAULT_SCOPE) {
-  const params = new URLSearchParams({
-    response_type: "code",
-    client_id: clientId,
-    redirect_uri: redirectUri,
-    scope,
-    state,
-    "x-forwarded-prefix": "",
-    lang: "zh-cn",
-    product: "adp",
-    code_challenge: codeChallenge,
-    code_challenge_method: "S256"
-  });
-  return `${base}/oauth2/auth?${params.toString()}`;
-}
-function mapToken(data) {
-  return {
-    accessToken: data.access_token,
-    refreshToken: data.refresh_token,
-    idToken: data.id_token
-  };
-}
-async function registerClient(base, redirectUri, scope = DEFAULT_SCOPE) {
-  const res = await fetch(`${base}/oauth2/clients`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json", Accept: "application/json" },
-    body: JSON.stringify({
-      client_name: "openbkn-cli",
-      grant_types: ["authorization_code", "implicit", "refresh_token"],
-      response_types: ["token id_token", "code", "token"],
-      scope,
-      redirect_uris: [redirectUri],
-      post_logout_redirect_uris: [redirectUri.replace("/callback", "/successful-logout")],
-      metadata: { device: { name: "openbkn-cli", client_type: "web", description: "openbkn CLI" } }
-    })
-  });
-  if (!res.ok) {
-    throw new Error(
-      `Client registration failed (${res.status}): ${await res.text() || res.statusText}`
-    );
-  }
-  const data = await res.json();
-  return { clientId: data.client_id, clientSecret: data.client_secret };
-}
-async function exchangeCode(base, code, redirectUri, client, codeVerifier) {
-  const params = {
-    grant_type: "authorization_code",
-    code,
-    redirect_uri: redirectUri,
-    code_verifier: codeVerifier
-  };
-  const headers = {
-    "Content-Type": "application/x-www-form-urlencoded",
-    Accept: "application/json"
-  };
-  if (client.clientSecret) {
-    headers.Authorization = `Basic ${Buffer.from(`${client.clientId}:${client.clientSecret}`).toString("base64")}`;
-  } else {
-    params.client_id = client.clientId;
-  }
-  const res = await fetch(`${base}/oauth2/token`, {
+// src/api/eacp-crypto.ts
+import {
+  constants,
+  createPrivateKey,
+  createPublicKey,
+  publicEncrypt
+} from "crypto";
+
+// src/api/admin.ts
+async function changePasswordSafe(ctx, account, oldPassword, newPassword) {
+  await request(ctx, "/api/safe/v1/auth/change-password", {
     method: "POST",
-    headers,
-    body: new URLSearchParams(params).toString()
-  });
-  if (!res.ok) {
-    throw new Error(
-      `Token exchange failed (${res.status}): ${await res.text() || res.statusText}`
-    );
-  }
-  return mapToken(await res.json());
-}
-function startCallbackServer(port) {
-  return new Promise((resolve2, reject) => {
-    const server = createServer((req2, res) => {
-      const u = new URL(req2.url ?? "/", `http://127.0.0.1:${port}`);
-      if (u.pathname !== "/callback") {
-        res.writeHead(404);
-        res.end();
-        return;
-      }
-      const code = u.searchParams.get("code");
-      const error = u.searchParams.get("error");
-      if (error) {
-        res.writeHead(400, { "content-type": "text/html" });
-        res.end(`<h1>Login failed</h1><p>${error}</p>`);
-        server.close(() => reject(new Error(`OAuth error: ${error}`)));
-        return;
-      }
-      if (!code) {
-        res.writeHead(400);
-        res.end("missing code");
-        return;
-      }
-      res.writeHead(200, { "content-type": "text/html; charset=utf-8" });
-      res.end("<h1>Login successful</h1><p>You can close this window.</p>");
-      resolve2({
-        code,
-        state: u.searchParams.get("state") ?? void 0,
-        close: () => server.close()
-      });
-    });
-    server.on("error", reject);
-    server.listen(port, "127.0.0.1");
+    body: { account, old_password: oldPassword, new_password: newPassword }
   });
+  return { ok: true };
 }
-function openBrowser(url) {
-  const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+
+// src/commands/auth.ts
+async function resolveAccount(baseUrl, accessToken, insecure, idToken) {
+  const sub = decodeJwt(idToken ?? accessToken)?.sub;
+  if (!sub) return void 0;
   try {
-    spawn(cmd, [url], {
-      stdio: "ignore",
-      detached: true,
-      shell: process.platform === "win32"
-    }).unref();
+    const u = await getUserSafe(
+      { baseUrl, token: accessToken, businessDomain: DEFAULT_BUSINESS_DOMAIN, insecure },
+      sub
+    );
+    return u.account;
   } catch {
+    return void 0;
   }
 }
-async function browserLogin(baseUrl, opts = {}) {
-  const base = normalizeBaseUrl(baseUrl);
-  const port = opts.port ?? DEFAULT_REDIRECT_PORT;
-  const redirectUri = `http://127.0.0.1:${port}/callback`;
-  const scope = opts.scope ?? DEFAULT_SCOPE;
-  const client = opts.clientId ? { clientId: opts.clientId } : await registerClient(base, redirectUri, scope);
-  const { verifier, challenge } = generatePkce();
-  const state = randomBytes(12).toString("hex");
-  const authUrl = buildAuthorizeUrl(base, client.clientId, redirectUri, state, challenge, scope);
-  const waiter = startCallbackServer(port);
-  if (opts.noBrowser) {
-    process.stderr.write(`Open this URL to log in:
-${authUrl}
-`);
-  } else {
-    process.stderr.write(`Opening browser for login\u2026
-If it doesn't open, visit:
-${authUrl}
-`);
-    openBrowser(authUrl);
-  }
-  const { code, state: returned, close } = await waiter;
-  close();
-  if (returned && returned !== state) throw new Error("OAuth state mismatch \u2014 possible CSRF.");
-  return exchangeCode(base, code, redirectUri, client, verifier);
-}
-function mergeCookies(existing, res) {
-  const setCookies = typeof res.headers.getSetCookie === "function" ? res.headers.getSetCookie() : res.headers.get("set-cookie") ? [res.headers.get("set-cookie")] : [];
-  const map = /* @__PURE__ */ new Map();
-  const add = (pair) => {
-    const eq = pair.indexOf("=");
-    if (eq > 0) map.set(pair.slice(0, eq), pair.slice(eq + 1));
-  };
-  for (const p of existing.split(";").map((s) => s.trim()).filter(Boolean))
-    add(p);
-  for (const sc of setCookies) add(sc.split(";")[0]?.trim() ?? "");
-  return [...map.entries()].map(([k, v]) => `${k}=${v}`).join("; ");
-}
-function parseSigninProps(html) {
-  const m = html.match(/<script[^>]*\bid=["']__NEXT_DATA__["'][^>]*>([\s\S]*?)<\/script>/i);
-  if (!m?.[1]) throw new Error("Could not find __NEXT_DATA__ on /oauth2/signin.");
-  const data = JSON.parse(m[1]);
-  const pp = data.props?.pageProps;
-  const csrftoken = pp?.csrftoken ?? pp?._csrf;
-  if (typeof csrftoken !== "string") throw new Error("Sign-in page did not expose csrftoken.");
-  return {
-    csrftoken,
-    challenge: typeof pp?.challenge === "string" ? pp.challenge : void 0,
-    remember: pp?.remember === true || pp?.remember === "true"
-  };
-}
-async function followToCallback(startUrl, jar0, state, redirectUri) {
-  let url = startUrl;
-  let jar = jar0;
-  const cb = new URL(redirectUri);
-  for (let hop = 0; hop < 40; hop++) {
-    const resp = await fetch(url, {
-      headers: { Cookie: jar, Accept: "text/html,*/*;q=0.8" },
-      redirect: "manual"
-    });
-    jar = mergeCookies(jar, resp);
-    if (![302, 303, 307, 308].includes(resp.status)) {
-      throw new Error(`Unexpected OAuth response (HTTP ${resp.status}).`);
+function promptLine(query, hidden = false) {
+  return new Promise((resolve2) => {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    if (hidden) {
+      const mutable = rl;
+      mutable._writeToOutput = (s) => {
+        if (s.startsWith(query)) process.stdout.write(query);
+      };
     }
-    const loc = resp.headers.get("location");
-    if (!loc) throw new Error(`OAuth redirect missing Location (HTTP ${resp.status}).`);
-    const next = new URL(loc, url);
-    if (next.origin === cb.origin && next.pathname === cb.pathname) {
-      const err = next.searchParams.get("error");
-      if (err) throw new Error(`Authorization failed: ${err}`);
-      const code = next.searchParams.get("code");
-      if (next.searchParams.get("state") !== state) throw new Error("OAuth state mismatch.");
-      if (!code) throw new Error("Callback missing authorization code.");
-      return code;
-    }
-    url = next.href;
-  }
-  throw new Error("Too many OAuth redirects.");
+    rl.question(query, (answer) => {
+      rl.close();
+      if (hidden) process.stdout.write("\n");
+      resolve2(answer.trim());
+    });
+  });
 }
-async function passwordLogin(baseUrl, username, password, opts = {}) {
-  const base = normalizeBaseUrl(baseUrl);
-  const port = opts.port ?? DEFAULT_REDIRECT_PORT;
-  const redirectUri = `http://127.0.0.1:${port}/callback`;
-  const scope = opts.scope ?? DEFAULT_SCOPE;
-  const client = opts.clientId ? { clientId: opts.clientId } : await registerClient(base, redirectUri, scope);
-  const { verifier, challenge } = generatePkce();
-  const state = randomBytes(12).toString("hex");
-  let jar = "";
-  const authResp = await fetch(
-    buildAuthorizeUrl(base, client.clientId, redirectUri, state, challenge, scope),
-    { redirect: "manual" }
-  );
-  jar = mergeCookies(jar, authResp);
-  const authLoc = authResp.headers.get("location");
-  if (!authLoc) throw new Error(`/oauth2/auth did not redirect (HTTP ${authResp.status}).`);
-  const signinUrl = new URL(authLoc, base);
-  if (!signinUrl.pathname.includes("signin")) {
-    throw new Error(`Expected a sign-in redirect, got: ${authLoc}`);
+function renderSessions(items) {
+  const byPlatform = /* @__PURE__ */ new Map();
+  for (const it of items) {
+    const arr = byPlatform.get(it.baseUrl) ?? [];
+    arr.push(it);
+    byPlatform.set(it.baseUrl, arr);
   }
-  const pageResp = await fetch(signinUrl.href, {
-    headers: { Cookie: jar, Accept: "text/html,*/*;q=0.8" },
-    redirect: "manual"
-  });
-  jar = mergeCookies(jar, pageResp);
-  const props = parseSigninProps(await pageResp.text());
-  const loginChallenge = signinUrl.searchParams.get("login_challenge")?.trim() || props.challenge?.trim();
-  if (!loginChallenge) throw new Error("Could not resolve the login challenge.");
-  const cipher = publicEncrypt(
-    {
-      key: opts.signinPublicKeyPem ?? STUDIOWEB_LOGIN_PUBLIC_KEY_PEM,
-      padding: cryptoConstants.RSA_PKCS1_PADDING
-    },
-    Buffer.from(password, "utf8")
-  ).toString("base64");
-  const postResp = await fetch(`${base}/oauth2/signin`, {
-    method: "POST",
-    headers: {
-      Cookie: jar,
-      "Content-Type": "application/json",
-      Accept: "application/json, text/plain, */*",
-      Origin: new URL(base).origin,
-      Referer: signinUrl.href
-    },
-    body: JSON.stringify({
-      _csrf: props.csrftoken,
-      challenge: loginChallenge,
-      account: username,
-      password: cipher,
-      vcode: { id: "", content: "" },
-      dualfactorauthinfo: { validcode: { vcode: "" }, OTP: { OTP: "" } },
-      remember: props.remember ?? false,
-      device: { name: "", description: "", client_type: "console_web", udids: [] }
-    }),
-    redirect: "manual"
-  });
-  jar = mergeCookies(jar, postResp);
-  let code;
-  if ([302, 303, 307].includes(postResp.status)) {
-    const loc = postResp.headers.get("location");
-    if (!loc) throw new Error("Sign-in response missing Location.");
-    code = await followToCallback(new URL(loc, base).href, jar, state, redirectUri);
-  } else if (postResp.status === 200) {
-    const text = await postResp.text();
-    let json = null;
-    try {
-      json = JSON.parse(text);
-    } catch {
-    }
-    const redir = json && typeof json.redirect === "string" ? json.redirect : "";
-    if (!redir) {
-      const msg = json && typeof json.message === "string" ? json.message : text.slice(0, 300);
-      throw new InputError(`Sign-in failed: ${msg}`);
-    }
-    code = await followToCallback(new URL(redir, base).href, jar, state, redirectUri);
-  } else {
-    throw new InputError(
-      `Sign-in failed (HTTP ${postResp.status}): ${(await postResp.text()).slice(0, 300)}`
-    );
+  const lines = [];
+  for (const [platform, users] of byPlatform) {
+    lines.push(platform);
+    for (const u of users) lines.push(`  ${u.active ? "*" : " "} ${u.username ?? u.userId}`);
   }
-  return exchangeCode(base, code, redirectUri, client, verifier);
+  return lines.join("\n") || "(no saved sessions)";
 }
-
-// src/commands/auth.ts
 function registerAuthLeaves(cmd) {
-  cmd.command("login <url>").description("Log in to a platform (attach a token, or browser/password OAuth)").option("-u, --username <name>", "username for password signin").option("-p, --password <pwd>", "password for password signin").option("--token <token>", "provide a token directly (CI / headless)").option("--client-id <id>", "use a fixed OAuth2 client id (skip dynamic registration)").option("--client-secret <secret>", "OAuth2 client secret (omit for public/PKCE)").option("--port <n>", "local callback port", (v) => Number.parseInt(v, 10)).option(
-    "--signin-public-key-file <path>",
-    "override the RSA public key (PEM) for password signin"
-  ).option("--product <name>", "OAuth product query (default 'adp')").option("--no-browser", "headless: print the authorize URL instead of opening a browser").action(async (url, opts, cmd2) => {
+  cmd.command("login <url>").description("Log in to a platform (attach a token, or browser/password OAuth)").option("-u, --username <name>", "username for password signin").option("-p, --password <pwd>", "password for password signin").option("--token <token>", "provide a token directly (CI / headless)").option("--client-id <id>", "use a fixed OAuth2 client id (skip dynamic registration)").option("--client-secret <secret>", "OAuth2 client secret (omit for public/PKCE)").option(
+    "--port <n>",
+    "loopback redirect port for the auth_code flow",
+    (v) => Number.parseInt(v, 10)
+  ).option("--device", "headless device-code login (RFC 8628) \u2014 no callback server, no password").option("--audience <aud>", "device-code token audience", "bkn-safe").option(
+    "--timeout <s>",
+    "device-login wait before timing out",
+    (v) => Number.parseInt(v, 10),
+    120
+  ).option("--no-browser", "(legacy) print the URL instead of opening a browser").option("--product <name>", "(legacy) ISF OAuth product query").option("--signin-public-key-file <path>", "(legacy) RSA public key for ISF /oauth2/signin").action(async (url, opts, cmd2) => {
     const g = cmd2.optsWithGlobals();
     if (g.insecure) process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+    const out = outputOptions(cmd2);
+    const report = (r) => {
+      if (out.json || out.compact) {
+        printJson({ loggedIn: true, ...r }, out);
+      } else {
+        process.stdout.write(`Logged in to ${r.baseUrl ?? url} as ${r.username ?? r.userId}
+`);
+      }
+    };
     const token = opts.token ?? g.token;
     if (token) {
-      const r2 = attachToken(url, token, { insecure: g.insecure });
-      printJson({ loggedIn: true, ...r2 }, outputOptions(cmd2));
+      report(attachToken(url, token, { insecure: g.insecure }));
       return;
     }
-    const signinKey = opts.signinPublicKeyFile ? readFileSync2(opts.signinPublicKeyFile, "utf8") : void 0;
-    const tokens = opts.username ? await passwordLogin(url, opts.username, opts.password ?? "", {
-      clientId: opts.clientId,
-      port: opts.port,
-      signinPublicKeyPem: signinKey
-    }) : await browserLogin(url, {
-      clientId: opts.clientId,
-      port: opts.port,
-      noBrowser: opts.browser === false
-    });
-    const r = attachToken(url, tokens.accessToken, {
-      refreshToken: tokens.refreshToken,
-      idToken: tokens.idToken,
-      insecure: g.insecure
-    });
-    printJson({ loggedIn: true, ...r }, outputOptions(cmd2));
+    let tokens;
+    let account;
+    if (opts.username || opts.password) {
+      const username = opts.username ?? await promptLine("Username: ");
+      account = username;
+      const password = opts.password ?? await promptLine("Password: ", true);
+      tokens = await credentialDeviceLogin(url, username, password, {
+        clientId: opts.clientId,
+        audience: opts.audience,
+        timeoutMs: opts.timeout * 1e3
+      });
+    } else {
+      const openInBrowser = !opts.device && opts.browser !== false;
+      tokens = await deviceLogin(url, {
+        clientId: opts.clientId,
+        audience: opts.audience,
+        timeoutMs: opts.timeout * 1e3,
+        onPrompt: ({ userCode, verificationUri, verificationUriComplete }) => {
+          const target = verificationUriComplete ?? verificationUri;
+          process.stderr.write(
+            `
+Open this URL to sign in and authorize:
+  ${target}
+User code: ${userCode}
+`
+          );
+          if (openInBrowser) openBrowser(target);
+          process.stderr.write("Waiting for authorization\u2026\n");
+        }
+      });
+    }
+    if (!account) {
+      account = await resolveAccount(
+        url,
+        tokens.accessToken,
+        Boolean(g.insecure),
+        tokens.idToken
+      );
+    }
+    report(
+      attachToken(url, tokens.accessToken, {
+        refreshToken: tokens.refreshToken,
+        idToken: tokens.idToken,
+        insecure: g.insecure,
+        username: account
+      })
+    );
   });
   cmd.command("status").description("Show base URL and whether a token is configured").action((_opts, cmd2) => printJson(status(), outputOptions(cmd2)));
   cmd.command("token").description("Print the current access token (keep secret)").action(() => {
@@ -629,7 +473,13 @@ function registerAuthLeaves(cmd) {
   cmd.command("whoami [url]").description("Show current user identity (from the token)").option("--no-lookup", "skip the backend identity fallback (eacp/user/get)").action(
     (_url, _opts, cmd2) => printJson(whoami(), outputOptions(cmd2))
   );
-  cmd.command("list").alias("ls").description("List platforms with a saved session").action((_opts, cmd2) => printJson(listPlatforms(), outputOptions(cmd2)));
+  cmd.command("list").alias("ls").description("List saved sessions (platform \u2192 users; * = active)").action((_opts, cmd2) => {
+    const items = listPlatforms();
+    const out = outputOptions(cmd2);
+    if (out.json || out.compact) printJson(items, out);
+    else process.stdout.write(`${renderSessions(items)}
+`);
+  });
   cmd.command("use <url>").description("Switch the active platform").action((url, _opts, cmd2) => {
     use(url);
     printJson(status(), outputOptions(cmd2));
@@ -638,28 +488,56 @@ function registerAuthLeaves(cmd) {
   cmd.command("delete <url>").description("Delete saved credentials for a platform").action(
     (url, _opts, cmd2) => printJson({ deleted: deletePlatform(url) }, outputOptions(cmd2))
   );
-  cmd.command("switch <url> <user-id>").description("Switch the active user for a platform").action((url, userId, _opts, cmd2) => {
-    printJson(switchUser(url, userId), outputOptions(cmd2));
+  cmd.command("switch <url> <user>").description("Switch the active user for a platform (by username or user id)").action((url, user, _opts, cmd2) => {
+    const r = switchUser(url, user);
+    const out = outputOptions(cmd2);
+    if (out.json || out.compact) printJson(r, out);
+    else process.stdout.write(`Switched to ${r.username ?? r.userId} on ${r.baseUrl}
+`);
   });
-  cmd.command("users <url>").description("List saved user profiles for a platform").action((url, _opts, cmd2) => {
-    printJson(usersOf(url), outputOptions(cmd2));
+  cmd.command("users <url>").description("List saved users for a platform (* = active)").action((url, _opts, cmd2) => {
+    const norm = url.replace(/\/+$/, "");
+    const items = listPlatforms().filter((i) => i.baseUrl === norm);
+    const out = outputOptions(cmd2);
+    if (out.json || out.compact) printJson(items, out);
+    else process.stdout.write(`${renderSessions(items)}
+`);
   });
   cmd.command("export").description("Export the active session's tokens (for a headless host)").action((_opts, cmd2) => {
     printJson(exportCreds(), outputOptions(cmd2));
   });
-  cmd.command("change-password [url]").description("Change your account password (EACP, RSA-encrypted in transit)").requiredOption("-a, --account <name>", "account / login name").requiredOption("--old-password <pwd>", "current password").requiredOption("--new-password <pwd>", "new password").option("--public-key-file <path>", "override the RSA public key (PEM) for password encryption").action(async (_url, opts, cmd2) => {
+  cmd.command("change-password [url]").description("Change your account password (bkn-safe self-service; no browser)").option("-a, --account <name>", "account / login name (the login column, e.g. admin)").option("--old-password <pwd>", "current password").option("--new-password <pwd>", "new password").option("--public-key-file <path>", "(legacy) RSA public key for ISF password encryption").action(async (url, opts, cmd2) => {
     const g = cmd2.optsWithGlobals();
+    if (g.insecure) process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
     const ctx = resolveContext({
-      baseUrl: g.baseUrl,
+      baseUrl: url ?? g.baseUrl,
       token: g.token,
       user: g.user,
       businessDomain: g.bizDomain,
       insecure: g.insecure
     });
-    printJson(
-      await changePassword(ctx, opts.account, opts.oldPassword, opts.newPassword),
-      outputOptions(cmd2)
-    );
+    const account = opts.account ?? await promptLine("Account: ");
+    const oldPassword = opts.oldPassword ?? await promptLine("Current password: ", true);
+    let newPassword = opts.newPassword;
+    if (!newPassword) {
+      newPassword = await promptLine("New password: ", true);
+      const confirm = await promptLine("Confirm new password: ", true);
+      if (newPassword !== confirm) throw new Error("New passwords do not match.");
+    }
+    try {
+      printJson(
+        await changePasswordSafe(ctx, account, oldPassword, newPassword),
+        outputOptions(cmd2)
+      );
+    } catch (e) {
+      if (e instanceof HttpError && e.status === 401) {
+        throw new InputError("Wrong account or current password.");
+      }
+      if (e instanceof HttpError && e.status === 400) {
+        throw new InputError("New password must differ from the current one.");
+      }
+      throw e;
+    }
   });
 }
 function authCommand() {
@@ -840,6 +718,41 @@ function adminCommand() {
       outputOptions(cmd)
     );
   });
+  role.command("create").description("Create a custom role (bkn-safe; built-in roles are read-only)").requiredOption("--name <name>", "role name").option("--description <text>", "role description").action(async (opts, cmd) => {
+    printJson(
+      await clientFrom(cmd).admin.roleCreate(opts.name, opts.description),
+      outputOptions(cmd)
+    );
+  });
+  role.command("update <role>").description("Update a custom role's name/description (403 on built-in)").option("--name <name>", "new name").option("--description <text>", "new description").action(async (roleId, opts, cmd) => {
+    printJson(
+      await clientFrom(cmd).admin.roleUpdate(roleId, {
+        name: opts.name,
+        description: opts.description
+      }),
+      outputOptions(cmd)
+    );
+  });
+  role.command("delete <role>").description("Delete a custom role (403 on built-in)").option("-y, --yes", "skip confirmation").action(async (roleId, _opts, cmd) => {
+    printJson(await clientFrom(cmd).admin.roleDelete(roleId), outputOptions(cmd));
+  });
+  for (const [verb, grant] of [
+    ["grant-perm", true],
+    ["revoke-perm", false]
+  ]) {
+    role.command(`${verb} <role>`).description(`${grant ? "Grant" : "Revoke"} a permission on a custom role (403 on built-in)`).requiredOption("--resource-type <t>", "resource type (e.g. catalog)").option("--resource-id <id>", "resource id ('*' = whole type)", "*").requiredOption("--operations <list>", "comma-separated operations").action(async (roleId, opts, cmd) => {
+      printJson(
+        await clientFrom(cmd).admin.rolePermission(
+          roleId,
+          grant,
+          opts.resourceType,
+          opts.resourceId,
+          csv(opts.operations) ?? []
+        ),
+        outputOptions(cmd)
+      );
+    });
+  }
   const modelBody = (opts) => {
     if (opts.body || opts.bodyFile) return readBody(opts);
     const mc = {};
@@ -1075,7 +988,7 @@ function agentCommand() {
 import { Command as Command4 } from "commander";
 
 // src/utils/bkn-validate.ts
-import { existsSync, readFileSync as readFileSync3, readdirSync, statSync } from "fs";
+import { existsSync, readFileSync as readFileSync2, readdirSync, statSync } from "fs";
 import { join, resolve } from "path";
 var BKN_OBJECT_NAME_MAX_LENGTH = 40;
 function parseFrontmatter(text) {
@@ -1128,7 +1041,7 @@ function validateBknDirectory(dirPath) {
   if (!existsSync(networkPath)) {
     errors.push("Missing network.bkn at the BKN root.");
   } else {
-    const fm = parseFrontmatter(readFileSync3(networkPath, "utf8"));
+    const fm = parseFrontmatter(readFileSync2(networkPath, "utf8"));
     if (!fm) errors.push("network.bkn has no frontmatter block.");
     else {
       if (fm.type !== "knowledge_network")
@@ -1140,7 +1053,7 @@ function validateBknDirectory(dirPath) {
   const otIds = /* @__PURE__ */ new Set();
   const otFiles = bknFiles(join(dir, "object_types"));
   for (const file of otFiles) {
-    const fm = parseFrontmatter(readFileSync3(file, "utf8"));
+    const fm = parseFrontmatter(readFileSync2(file, "utf8"));
     const rel = file.slice(dir.length + 1);
     if (!fm || fm.type !== "object_type") {
       errors.push(`${rel}: not a valid object_type (missing/wrong frontmatter type).`);
@@ -1160,7 +1073,7 @@ function validateBknDirectory(dirPath) {
   }
   const rtFiles = bknFiles(join(dir, "relation_types"));
   for (const file of rtFiles) {
-    const text = readFileSync3(file, "utf8");
+    const text = readFileSync2(file, "utf8");
     const fm = parseFrontmatter(text);
     const rel = file.slice(dir.length + 1);
     if (!fm || fm.type !== "relation_type") {
@@ -1754,7 +1667,7 @@ function dataflowCommand() {
 }
 
 // src/commands/explore.ts
-import { createServer as createServer2 } from "http";
+import { createServer } from "http";
 import { Command as Command9 } from "commander";
 var int6 = (v) => Number.parseInt(v, 10);
 var ROUTES = {
@@ -1806,7 +1719,7 @@ function exploreCommand() {
   );
   cmd.option("--port <n>", "port to listen on", int6, 7777).option("--host <h>", "host to bind", "127.0.0.1").action(async (opts, command) => {
     const client = clientFrom(command);
-    const server = createServer2((reqMsg, res) => {
+    const server = createServer((reqMsg, res) => {
       void handle(client, reqMsg, res);
     });
     server.listen(opts.port, opts.host, () => {
@@ -2147,11 +2060,11 @@ function toolCommand() {
 }
 
 // src/commands/trace.ts
-import { readFileSync as readFileSync5, writeFileSync } from "fs";
+import { readFileSync as readFileSync4, writeFileSync } from "fs";
 import { Command as Command14 } from "commander";
 
 // src/trace-ai/schema-validate.ts
-import { readFileSync as readFileSync4 } from "fs";
+import { readFileSync as readFileSync3 } from "fs";
 import { extname } from "path";
 import yaml from "js-yaml";
 import { z } from "zod";
@@ -2188,7 +2101,7 @@ var DiagnosisRule = z.object({
   params: z.record(z.string(), z.unknown()).optional()
 });
 function parseFile(file) {
-  const text = readFileSync4(file, "utf8");
+  const text = readFileSync3(file, "utf8");
   const ext = extname(file).toLowerCase();
   if (ext === ".yaml" || ext === ".yml") return yaml.load(text);
   return JSON.parse(text);
@@ -2255,7 +2168,7 @@ function traceCommand() {
   });
   const evalSet = cmd.command("eval-set").description("Build + run trace eval sets");
   evalSet.command("build <queries-file>").description("Build eval cases from a queries JSON file").option("--out <file>", "write the cases JSON here (default: stdout)").action(async (queriesFile, opts, cmd2) => {
-    const raw = JSON.parse(readFileSync5(queriesFile, "utf8"));
+    const raw = JSON.parse(readFileSync4(queriesFile, "utf8"));
     const cases = clientFrom(cmd2).trace.evalSetBuild(raw);
     if (opts.out) {
       writeFileSync(opts.out, JSON.stringify({ cases }, null, 2));
@@ -2265,7 +2178,7 @@ function traceCommand() {
     }
   });
   evalSet.command("test <cases-file>").description("Run an eval set against an agent (--llm enables semantic_match)").requiredOption("--agent <id>", "agent id to run the queries against").option("--version <v>", "agent version", "v0").option("--llm", "enable semantic_match assertions via the local `claude` CLI").action(async (casesFile, opts, cmd2) => {
-    const raw = JSON.parse(readFileSync5(casesFile, "utf8"));
+    const raw = JSON.parse(readFileSync4(casesFile, "utf8"));
     const cases = clientFrom(cmd2).trace.evalSetBuild(raw);
     const result = await clientFrom(cmd2).trace.evalSetTest(opts.agent, cases, {
       version: opts.version,