@openthread/claude-code-plugin 0.1.4 → 0.1.8

package/scripts/share.sh

@@ -9,6 +9,46 @@ set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 API_BASE="${OPENTHREAD_API_URL:-https://openthread.me/api}"
 
+# --- Require CLAUDE_SESSION_ID (G15) ---
+# /ot:share must be invoked inside a real Claude Code session so we can
+# locate the exact JSONL transcript. Without the UUID we cannot reliably
+# pick the right file, and ranked size fallback risks uploading the wrong
+# thread — refuse to run instead.
+require_session_id() {
+  local sid="${CLAUDE_SESSION_ID:-}"
+  if [ -z "$sid" ]; then
+    echo "error: CLAUDE_SESSION_ID environment variable not set" >&2
+    echo "  /ot:share must be invoked from a Claude Code session." >&2
+    exit 2
+  fi
+  # Must look like a UUID (8-4-4-4-12 hex).
+  if ! echo "$sid" | grep -Eq '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'; then
+    echo "error: CLAUDE_SESSION_ID is not a valid UUID: $sid" >&2
+    exit 2
+  fi
+}
+
+# --- Validate session file path matches the current session UUID ---
+# The caller passes a path; we enforce that its basename is
+# "<CLAUDE_SESSION_ID>.jsonl" so a stale/ranked path cannot be smuggled in.
+validate_session_file() {
+  local session_file="$1"
+  local sid="${CLAUDE_SESSION_ID:-}"
+  if [ ! -f "$session_file" ]; then
+    echo "error: session file not found: $session_file" >&2
+    echo "  expected ~/.claude/projects/<project-slug>/${sid}.jsonl" >&2
+    exit 2
+  fi
+  local base
+  base=$(basename "$session_file")
+  if [ "$base" != "${sid}.jsonl" ]; then
+    echo "error: session file basename does not match CLAUDE_SESSION_ID" >&2
+    echo "  got:      $base" >&2
+    echo "  expected: ${sid}.jsonl" >&2
+    exit 2
+  fi
+}
+
 # --- Parse JSONL session file into compact markdown body ---
 # Extracts only text blocks from assistant messages, skips thinking/tool_use/tool_result/etc.
 # Formats as markdown with ## User / ## Assistant headings separated by ---
@@ -20,16 +60,33 @@ parse_session() {
     return 1
   fi
 
-  python3 - "$session_file" <<'PYEOF'
+  PLUGIN_SCRIPTS_DIR="$SCRIPT_DIR" python3 - "$session_file" <<'PYEOF'
+"""Parse a Claude Code JSONL session file into masked markdown.
+
+This inline script delegates all privacy / sanitization work to the
+shared helpers under ``scripts/lib/``. Import order: ``sanitize`` is
+pulled in implicitly by ``mask``; ``jsonl`` provides the sidechain /
+memory / cwd helpers.
+"""
+
 import json
+import os
+import pathlib
 import sys
 
+_SCRIPTS_DIR = os.environ.get("PLUGIN_SCRIPTS_DIR")
+if _SCRIPTS_DIR:
+    sys.path.insert(0, _SCRIPTS_DIR)
+
+from lib import jsonl, mask  # noqa: E402
+
 session_file = sys.argv[1]
-parts = []
-SKIP_TYPES = {"thinking", "tool_use", "tool_result", "web_fetch", "web_search", "error", "image"}
 
-with open(session_file, 'r') as f:
-    for line in f:
+# ---- Load all entries ------------------------------------------------------
+
+entries: list[dict] = []
+with open(session_file, "r", encoding="utf-8", errors="replace") as fh:
+    for line in fh:
         line = line.strip()
         if not line:
             continue
@@ -37,52 +94,93 @@ with open(session_file, 'r') as f:
             entry = json.loads(line)
         except json.JSONDecodeError:
             continue
+        if isinstance(entry, dict):
+            entries.append(entry)
 
-        # Skip sidechain messages
-        if entry.get("isSidechain"):
-            continue
+by_uuid = jsonl.build_uuid_index(entries)
+cwds = jsonl.collect_cwds(entries)
+home = str(pathlib.Path.home())
 
-        entry_type = entry.get("type", "")
-        if entry_type == "user":
-            role = "User"
-        elif entry_type == "assistant":
-            role = "Assistant"
-        else:
-            continue
+# ---- Walk user / assistant entries, stripping sidechains & memory ---------
 
-        message = entry.get("message", {})
-        if not isinstance(message, dict):
-            if isinstance(message, str) and message.strip():
-                parts.append(f"## {role}\n\n{message.strip()}")
-            continue
+SKIP_BLOCK_TYPES = {
+    "thinking",
+    "tool_use",
+    "tool_result",
+    "web_fetch",
+    "web_search",
+    "error",
+    "image",
+}
 
-        msg_content = message.get("content", "")
+parts: list[str] = []
+dropped_memory = 0
+dropped_sidechain = 0
 
-        # If content is a string, keep it as-is
-        if isinstance(msg_content, str):
-            text = msg_content.strip()
-            if text:
-                parts.append(f"## {role}\n\n{text}")
-            continue
+for entry in entries:
+    entry_type = entry.get("type")
+    if entry_type not in ("user", "assistant"):
+        continue
+    if jsonl.is_under_sidechain(entry, by_uuid):
+        dropped_sidechain += 1
+        continue
 
-        # Content is a list of blocks — keep only text blocks
-        if isinstance(msg_content, list):
-            kept = []
+    role = "User" if entry_type == "user" else "Assistant"
+    message = entry.get("message", {})
+
+    raw_texts: list[str] = []
+    if isinstance(message, str):
+        if message.strip():
+            raw_texts.append(message)
+    elif isinstance(message, dict):
+        msg_content = message.get("content", "")
+        if isinstance(msg_content, str):
+            if msg_content.strip():
+                raw_texts.append(msg_content)
+        elif isinstance(msg_content, list):
             for block in msg_content:
                 if isinstance(block, str):
-                    kept.append(block)
+                    if block.strip():
+                        raw_texts.append(block)
                 elif isinstance(block, dict):
                     btype = block.get("type", "")
-                    if btype in SKIP_TYPES:
+                    if btype in SKIP_BLOCK_TYPES:
                         continue
-                    if btype == "text" and block.get("text", "").strip():
-                        kept.append(block["text"])
-            text = "\n\n".join(kept).strip()
-            if text:
-                parts.append(f"## {role}\n\n{text}")
+                    if btype == "text":
+                        text_val = block.get("text", "")
+                        if isinstance(text_val, str) and text_val.strip():
+                            raw_texts.append(text_val)
+
+    # Drop any memory / system-reminder blocks.
+    kept_texts: list[str] = []
+    for text in raw_texts:
+        if jsonl.looks_like_memory(text):
+            dropped_memory += 1
+            continue
+        kept_texts.append(text)
+
+    if not kept_texts:
+        continue
+
+    # Mask each kept block through the shared library.
+    masked_texts = [
+        mask.mask(t, cwds=cwds, home=home).strip() for t in kept_texts
+    ]
+    masked_texts = [t for t in masked_texts if t]
+    if not masked_texts:
+        continue
+
+    parts.append(f"## {role}\n\n" + "\n\n".join(masked_texts))
+
+if dropped_memory or dropped_sidechain:
+    print(
+        f"[share.sh] dropped {dropped_sidechain} sidechain entries, "
+        f"{dropped_memory} memory blocks",
+        file=sys.stderr,
+    )
 
 body = "\n\n---\n\n".join(parts)
-# Truncate to 500000 chars
+# Truncate to 500000 chars to match the server's body limit.
 print(body[:500000])
 PYEOF
 }
@@ -105,6 +203,50 @@ import_post() {
     return 1
   fi
 
+  # --- Editor preview (G17) ---
+  # Default: open the masked body in $EDITOR for user review before upload.
+  # Modelines are disabled in vim/nvim/emacs so a malicious modeline in the
+  # transcript cannot execute editor commands. `--yes` skips the preview.
+  if [ "${PREVIEW:-1}" = "1" ] && [ -t 0 ] && [ -t 1 ]; then
+    local preview_file
+    preview_file=$(mktemp -t ot-preview.XXXXXX) || {
+      echo "ERROR: failed to create preview tempfile" >&2
+      return 1
+    }
+    # Ensure .md suffix so editors syntax-highlight properly.
+    mv "$preview_file" "${preview_file}.md"
+    preview_file="${preview_file}.md"
+    printf '%s' "$compact_body" > "$preview_file"
+    chmod 600 "$preview_file"
+
+    local editor="${EDITOR:-${VISUAL:-vi}}"
+    case "$editor" in
+      *vim*|*nvim*)
+        "$editor" -c 'set nomodeline nomodelineexpr' "$preview_file" </dev/tty >/dev/tty 2>&1 || true
+        ;;
+      *emacs*)
+        "$editor" --no-site-file --eval '(setq enable-local-eval nil)' "$preview_file" </dev/tty >/dev/tty 2>&1 || true
+        ;;
+      *)
+        "$editor" "$preview_file" </dev/tty >/dev/tty 2>&1 || true
+        ;;
+    esac
+
+    printf 'Upload this content? [y/N] ' >/dev/tty
+    local confirm=""
+    if [ -r /dev/tty ]; then
+      read -r confirm </dev/tty || confirm=""
+    fi
+    if [ "$confirm" != "y" ] && [ "$confirm" != "Y" ]; then
+      echo "cancelled." >&2
+      rm -f "$preview_file"
+      return 0
+    fi
+    # Re-read in case the user edited the body.
+    compact_body=$(cat "$preview_file")
+    rm -f "$preview_file"
+  fi
+
   # Build tags array from comma-separated string
   local tags_json="[]"
   if [ -n "$tags_csv" ] && [ "$tags_csv" != "-" ]; then
@@ -115,19 +257,40 @@ print(json.dumps(tags))
 " "$tags_csv")
   fi
 
-  # Build the import payload — prepend summary to body if provided
+  # Build the import payload — prepend summary to body if provided.
+  # Title / summary are run through the same shared masking library so
+  # nothing unmasked leaks via the meta fields. The body was already
+  # masked by parse_session() but we run it through again to handle any
+  # user-authored title / summary that the caller injected above it.
   local payload
-  payload=$(python3 -c "
-import json, sys
+  payload=$(PLUGIN_SCRIPTS_DIR="$SCRIPT_DIR" python3 -c "
+import json, os, pathlib, sys
+
+_SCRIPTS_DIR = os.environ.get('PLUGIN_SCRIPTS_DIR')
+if _SCRIPTS_DIR:
+    sys.path.insert(0, _SCRIPTS_DIR)
+from lib import mask  # noqa: E402
+
 body_text = sys.argv[1]
+title = sys.argv[2]
+community_id = sys.argv[3]
+tags = json.loads(sys.argv[4])
 summary = sys.argv[5] if len(sys.argv) > 5 and sys.argv[5] else ''
+
+home = str(pathlib.Path.home())
+title = mask.mask(title, home=home)
+summary = mask.mask(summary, home=home)
+# Body was masked in parse_session but is idempotent — safe to re-run.
+body_text = mask.mask(body_text, home=home)
+
 if summary:
     body_text = '> ' + summary.replace('\n', '\n> ') + '\n\n---\n\n' + body_text
+
 payload = {
-    'title': sys.argv[2],
-    'communityId': sys.argv[3],
+    'title': title,
+    'communityId': community_id,
     'body': body_text,
-    'tags': json.loads(sys.argv[4]),
+    'tags': tags,
     'source': 'claude-code',
     'provider': 'claude',
 }
@@ -219,30 +382,50 @@ print(json.dumps(payload))
 }
 
 # --- CLI interface ---
+# Parse global flags (before the subcommand).
+PREVIEW=1
+while [ $# -gt 0 ]; do
+  case "${1:-}" in
+    --yes) PREVIEW=0; shift;;
+    --preview) PREVIEW=1; shift;;
+    --) shift; break;;
+    *) break;;
+  esac
+done
+export PREVIEW
+
 case "${1:-}" in
   parse)
     if [ -z "${2:-}" ]; then
       echo "Usage: share.sh parse <session_file>" >&2
       exit 1
     fi
+    require_session_id
+    validate_session_file "$2"
     parse_session "$2"
     ;;
   import)
     if [ -z "${6:-}" ]; then
-      echo "Usage: share.sh import <session_file> <title> <community_id> <tags> <token> [summary]" >&2
+      echo "Usage: share.sh [--yes] import <session_file> <title> <community_id> <tags> <token> [summary]" >&2
       exit 1
     fi
+    require_session_id
+    validate_session_file "$2"
     import_post "$2" "$3" "$4" "${5:--}" "$6" "${7:-}"
     ;;
   import-export)
     if [ -z "${6:-}" ]; then
-      echo "Usage: share.sh import-export <export_file> <title> <community_id> <tags> <token> [summary]" >&2
+      echo "Usage: share.sh [--yes] import-export <export_file> <title> <community_id> <tags> <token> [summary]" >&2
       exit 1
     fi
+    if [ ! -f "$2" ]; then
+      echo "error: export file not found: $2" >&2
+      exit 2
+    fi
     import_export_post "$2" "$3" "$4" "${5:--}" "$6" "${7:-}"
     ;;
   *)
-    echo "Usage: share.sh {parse|import|import-export} ..." >&2
+    echo "Usage: share.sh [--yes|--preview] {parse|import|import-export} ..." >&2
     exit 1
     ;;
 esac

package/scripts/token.sh

@@ -1,5 +1,14 @@
 #!/usr/bin/env bash
 # Token management for OpenThread Claude Code plugin
+#
+# Secrets (access_token, refresh_token) are stored in the OS keychain via
+# scripts/lib/keychain.js (keytar). The credentials.json file now only holds
+# { "expiresAt": <unix seconds> } so the shell can check expiry without
+# hitting the keychain on every call.
+#
+# If keytar is not installed (e.g. dev clone without `npm install`), we fall
+# back to plaintext storage in credentials.json and print a warning.
+#
 # Usage:
 #   source token.sh           — import functions
 #   bash token.sh refresh     — refresh the access token
@@ -7,12 +16,67 @@
 #   bash token.sh check       — exit 0 if authenticated, 1 if not
 set -euo pipefail
 
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 API_BASE="${OPENTHREAD_API_URL:-https://openthread.me/api}"
 EXTENSION_ID="claude-code"
 CREDENTIALS_DIR="$HOME/.config/openthread"
 CREDENTIALS_FILE="$CREDENTIALS_DIR/credentials.json"
+KEYCHAIN_JS="$SCRIPT_DIR/lib/keychain.js"
 
-# --- Save tokens to credentials file ---
+# --- Keychain availability probe ---
+# Returns 0 if node + keytar are usable, 1 otherwise. Cached per process.
+_KEYCHAIN_AVAILABLE=""
+keychain_available() {
+  if [ -n "$_KEYCHAIN_AVAILABLE" ]; then
+    [ "$_KEYCHAIN_AVAILABLE" = "yes" ] && return 0 || return 1
+  fi
+  if ! command -v node >/dev/null 2>&1; then
+    _KEYCHAIN_AVAILABLE="no"
+    return 1
+  fi
+  if [ ! -f "$KEYCHAIN_JS" ]; then
+    _KEYCHAIN_AVAILABLE="no"
+    return 1
+  fi
+  # Probe by resolving keytar. `node -e "require('keytar')"` exits 0 if ok.
+  if node -e "require('keytar')" >/dev/null 2>&1; then
+    _KEYCHAIN_AVAILABLE="yes"
+    return 0
+  fi
+  # keytar may be installed in the plugin's own node_modules.
+  if (cd "$SCRIPT_DIR/.." && node -e "require('keytar')" >/dev/null 2>&1); then
+    _KEYCHAIN_AVAILABLE="yes"
+    return 0
+  fi
+  _KEYCHAIN_AVAILABLE="no"
+  return 1
+}
+
+_warn_plaintext_once() {
+  if [ -z "${_PLAINTEXT_WARNED:-}" ]; then
+    echo "warning: keytar not available — falling back to plaintext credentials at $CREDENTIALS_FILE" >&2
+    _PLAINTEXT_WARNED=1
+  fi
+}
+
+# --- Low-level keychain helpers (when available) ---
+kc_set() {
+  local account="$1" value="$2"
+  (cd "$SCRIPT_DIR/.." && printf '%s' "$value" | node "$KEYCHAIN_JS" set "$account")
+}
+
+kc_get() {
+  local account="$1"
+  (cd "$SCRIPT_DIR/.." && node "$KEYCHAIN_JS" get "$account")
+}
+
+kc_delete() {
+  local account="$1"
+  (cd "$SCRIPT_DIR/.." && node "$KEYCHAIN_JS" delete "$account") >/dev/null 2>&1 || true
+}
+
+# --- Save tokens ---
+# save_tokens <access_token> <refresh_token> <expires_at>
 save_tokens() {
   local access_token="$1"
   local refresh_token="$2"
@@ -20,54 +84,170 @@ save_tokens() {
 
   mkdir -p "$CREDENTIALS_DIR"
 
-  cat > "$CREDENTIALS_FILE" <<EOF
+  if keychain_available; then
+    kc_set "access_token" "$access_token"
+    kc_set "refresh_token" "$refresh_token"
+    cat > "$CREDENTIALS_FILE" <<EOF
+{
+  "expiresAt": ${expires_at}
+}
+EOF
+  else
+    _warn_plaintext_once
+    cat > "$CREDENTIALS_FILE" <<EOF
 {
   "access_token": "${access_token}",
   "refresh_token": "${refresh_token}",
-  "expires_at": ${expires_at}
+  "expiresAt": ${expires_at}
 }
 EOF
+  fi
 
   chmod 600 "$CREDENTIALS_FILE"
 }
 
-# --- Check if token is expired ---
-is_expired() {
+# --- Migrate legacy plaintext credentials into keychain ---
+# Idempotent: if the file already has only { expiresAt }, this is a no-op.
+migrate_credentials_if_needed() {
+  [ -f "$CREDENTIALS_FILE" ] || return 0
+  keychain_available || return 0
+
+  # Detect if the file still has access_token / refresh_token fields.
+  local needs_migration
+  needs_migration=$(python3 - "$CREDENTIALS_FILE" <<'PYEOF'
+import json, sys
+try:
+    with open(sys.argv[1]) as f:
+        data = json.load(f)
+except Exception:
+    print("no")
+    sys.exit(0)
+if isinstance(data, dict) and ("access_token" in data or "refresh_token" in data):
+    print("yes")
+else:
+    print("no")
+PYEOF
+)
+
+  if [ "$needs_migration" != "yes" ]; then
+    return 0
+  fi
+
+  local legacy_access legacy_refresh legacy_expires
+  legacy_access=$(python3 -c "import json; d=json.load(open('$CREDENTIALS_FILE')); print(d.get('access_token',''))")
+  legacy_refresh=$(python3 -c "import json; d=json.load(open('$CREDENTIALS_FILE')); print(d.get('refresh_token',''))")
+  legacy_expires=$(python3 -c "import json; d=json.load(open('$CREDENTIALS_FILE')); print(d.get('expiresAt', d.get('expires_at', 0)))")
+
+  if [ -n "$legacy_access" ]; then
+    kc_set "access_token" "$legacy_access"
+  fi
+  if [ -n "$legacy_refresh" ]; then
+    kc_set "refresh_token" "$legacy_refresh"
+  fi
+
+  cat > "$CREDENTIALS_FILE" <<EOF
+{
+  "expiresAt": ${legacy_expires:-0}
+}
+EOF
+  chmod 600 "$CREDENTIALS_FILE"
+  echo "token.sh: migrated plaintext credentials into OS keychain" >&2
+}
+
+# --- Read expiresAt from the credentials file (supports legacy key name) ---
+_read_expires_at() {
   if [ ! -f "$CREDENTIALS_FILE" ]; then
-    return 0  # No file = expired
+    echo "0"
+    return
   fi
+  python3 -c "
+import json, sys
+try:
+    with open('$CREDENTIALS_FILE') as f:
+        d = json.load(f)
+    print(d.get('expiresAt', d.get('expires_at', 0)))
+except Exception:
+    print(0)
+" 2>/dev/null || echo "0"
+}
 
-  local expires_at
-  expires_at=$(python3 -c "import json; print(json.load(open('$CREDENTIALS_FILE'))['expires_at'])" 2>/dev/null || echo "0")
-  local now
+# --- Check if token is expired (60s buffer) ---
+is_expired() {
+  if [ ! -f "$CREDENTIALS_FILE" ]; then
+    return 0
+  fi
+  local expires_at now
+  expires_at=$(_read_expires_at)
   now=$(date +%s)
-
-  # Consider expired if within 60 seconds of expiry
   if [ "$now" -ge "$((expires_at - 60))" ]; then
-    return 0  # Expired
+    return 0
   fi
-
-  return 1  # Still valid
+  return 1
 }
 
-# --- Get access token from credentials ---
+# --- Get access token from storage ---
 get_access_token() {
   if [ ! -f "$CREDENTIALS_FILE" ]; then
     echo "ERROR: Not authenticated. Run auth.sh first." >&2
     return 1
   fi
 
-  python3 -c "import json; print(json.load(open('$CREDENTIALS_FILE'))['access_token'])" 2>/dev/null
+  migrate_credentials_if_needed
+
+  if keychain_available; then
+    if ! kc_get "access_token"; then
+      # Fall back to legacy field if a stale file still contains it.
+      python3 -c "
+import json, sys
+try:
+    d = json.load(open('$CREDENTIALS_FILE'))
+    v = d.get('access_token', '')
+    if not v:
+        sys.exit(1)
+    print(v)
+except Exception:
+    sys.exit(1)
+" 2>/dev/null || {
+        echo "ERROR: access_token not found in keychain or credentials file" >&2
+        return 1
+      }
+    fi
+  else
+    _warn_plaintext_once
+    python3 -c "import json; print(json.load(open('$CREDENTIALS_FILE')).get('access_token',''))" 2>/dev/null
+  fi
 }
 
-# --- Get refresh token from credentials ---
+# --- Get refresh token from storage ---
 get_refresh_token() {
   if [ ! -f "$CREDENTIALS_FILE" ]; then
     echo "ERROR: Not authenticated. Run auth.sh first." >&2
     return 1
   fi
 
-  python3 -c "import json; print(json.load(open('$CREDENTIALS_FILE'))['refresh_token'])" 2>/dev/null
+  migrate_credentials_if_needed
+
+  if keychain_available; then
+    if ! kc_get "refresh_token"; then
+      python3 -c "
+import json, sys
+try:
+    d = json.load(open('$CREDENTIALS_FILE'))
+    v = d.get('refresh_token', '')
+    if not v:
+        sys.exit(1)
+    print(v)
+except Exception:
+    sys.exit(1)
+" 2>/dev/null || {
+        echo "ERROR: refresh_token not found in keychain or credentials file" >&2
+        return 1
+      }
+    fi
+  else
+    _warn_plaintext_once
+    python3 -c "import json; print(json.load(open('$CREDENTIALS_FILE')).get('refresh_token',''))" 2>/dev/null
+  fi
 }
 
 # --- Refresh the access token ---
@@ -91,14 +271,12 @@ refresh_token() {
     return 1
   fi
 
-  local new_access_token
+  local new_access_token expires_in new_expires_at
   new_access_token=$(echo "$BODY" | python3 -c "import sys,json; print(json.load(sys.stdin)['data']['access_token'])")
-  local expires_in
   expires_in=$(echo "$BODY" | python3 -c "import sys,json; print(json.load(sys.stdin)['data']['expires_in'])")
-  local new_expires_at
   new_expires_at=$(( $(date +%s) + expires_in ))
 
-  # Update credentials file (keep existing refresh token)
+  # Persist new access token; keep the refresh token we already had.
   save_tokens "$new_access_token" "$current_refresh" "$new_expires_at"
 
   echo "$new_access_token"
@@ -106,6 +284,7 @@ refresh_token() {
 
 # --- Get a valid token (refresh if needed) ---
 get_valid_token() {
+  migrate_credentials_if_needed
   if is_expired; then
     echo "Token expired, refreshing..." >&2
     refresh_token
@@ -114,6 +293,15 @@ get_valid_token() {
   fi
 }
 
+# --- Clear all stored credentials ---
+clear_tokens() {
+  if keychain_available; then
+    kc_delete "access_token"
+    kc_delete "refresh_token"
+  fi
+  rm -f "$CREDENTIALS_FILE"
+}
+
 # --- CLI interface ---
 if [ "${BASH_SOURCE[0]}" = "$0" ]; then
   case "${1:-}" in
@@ -132,8 +320,12 @@ if [ "${BASH_SOURCE[0]}" = "$0" ]; then
         exit 1
       fi
       ;;
+    clear|logout)
+      clear_tokens
+      echo "Credentials cleared"
+      ;;
     *)
-      echo "Usage: token.sh {refresh|get|check}" >&2
+      echo "Usage: token.sh {refresh|get|check|clear}" >&2
       exit 1
       ;;
   esac