@panguard-ai/panguard 1.5.4 → 1.5.5

package/dist/cli/commands/login.js

@@ -1,22 +1,194 @@
 /**
- * `panguard login` - Authentication removed
- * `panguard login` - 驗證功能已移除
+ * `pga login` — OAuth 2.0 Device Code Flow (RFC 8628).
  *
- * All features are free and open source. No login required.
+ * Same UX as `gh auth login`, `aws sso login`, and Claude Code CLI:
+ *   1. Request a device code from the server.
+ *   2. Print the short user code + verification URL.
+ *   3. Try to open the browser automatically (best effort).
+ *   4. Poll until the user authorises in the browser.
+ *   5. Persist `{ api_key, workspace, user }` to `~/.panguard/auth.json`
+ *      with mode 0600.
+ *
+ * Secrets policy: the `api_key`, `device_code`, and `Authorization` header
+ * values are never printed or logged.
  *
  * @module @panguard-ai/panguard/cli/commands/login
  */
 import { Command } from 'commander';
+import { mkdir, writeFile } from 'node:fs/promises';
+import { dirname } from 'node:path';
+import { c, symbols, box } from '@panguard-ai/core';
+import { authConfigPath, loadAuth } from '../auth-guard.js';
+import { DEFAULT_APP_URL, openBrowser, pollOnce, requestDeviceCode, resolveAppUrl, } from '../device-flow.js';
 export function loginCommand() {
     return new Command('login')
-        .description('Authentication removed - all features are free')
-        .action(async () => {
-        console.log('');
-        console.log('  Authentication removed. All features are free and open source.');
-        console.log('  驗證功能已移除。所有功能皆免費開源。');
+        .description('Sign in to PanGuard (opens browser for authorization)')
+        .option('--app-url <url>', `PanGuard app URL (default: ${DEFAULT_APP_URL})`)
+        .option('--no-browser', 'Do not attempt to open the browser')
+        .option('--force', 'Re-authenticate even if already logged in')
+        .option('--quiet', 'Suppress non-essential output')
+        .action(async (opts) => {
+        await runLogin(opts);
+    });
+}
+export async function runLogin(opts) {
+    const appUrl = resolveAppUrl(opts.appUrl);
+    const quiet = opts.quiet === true;
+    // If a valid session already exists, short-circuit unless --force.
+    if (!opts.force) {
+        const existing = await loadAuth();
+        if (existing) {
+            if (!quiet) {
+                console.log('');
+                console.log(`  ${symbols.pass} Already logged in as ${c.bold(existing.user_email)} ` +
+                    `(workspace: ${c.bold(existing.workspace_name)}).`);
+                console.log(`  ${c.dim('Use `pga login --force` to switch accounts.')}`);
+                console.log('');
+            }
+            return;
+        }
+    }
+    // Step 1: request a device code.
+    let device;
+    try {
+        device = await requestDeviceCode(appUrl);
+    }
+    catch (err) {
+        console.error('');
+        console.error(`  ${c.critical(symbols.fail)} Could not start login.`);
+        console.error(`  ${c.dim(err instanceof Error ? err.message : String(err))}`);
+        console.error('');
+        process.exitCode = 1;
+        return;
+    }
+    // Step 2: print the panel.
+    printDevicePanel(device, quiet);
+    // Step 3: best-effort browser open.
+    if (opts.browser !== false) {
+        openBrowser(device.verification_uri_complete);
+    }
+    // Step 4: set up SIGINT handler for a clean cancel.
+    let cancelled = false;
+    const onSigint = () => {
+        cancelled = true;
         console.log('');
-        console.log('  Visit https://github.com/panguard-ai/panguard-ai for more info.');
+        console.log(`  ${c.caution(symbols.warn)} Login cancelled.`);
         console.log('');
+        process.exit(130); // 128 + SIGINT(2)
+    };
+    process.once('SIGINT', onSigint);
+    // Step 5: poll loop. `interval` may grow on `slow_down`.
+    try {
+        const success = await pollUntilDone(appUrl, device, () => cancelled);
+        if (!success) {
+            // pollUntilDone already printed a specific failure reason.
+            process.exitCode = 1;
+            return;
+        }
+        // Step 6: persist the session.
+        const authInfo = toAuthInfo(success);
+        await persistAuth(authInfo);
+        // Step 7: success banner.
+        if (!quiet)
+            printSuccessBanner(authInfo);
+    }
+    finally {
+        process.removeListener('SIGINT', onSigint);
+    }
+}
+function printDevicePanel(device, quiet) {
+    if (quiet) {
+        // Still print the code — the user needs it.
+        console.log(`Code: ${device.user_code}`);
+        console.log(`URL:  ${device.verification_uri_complete}`);
+        return;
+    }
+    const content = [
+        c.heading('Authorize PanGuard CLI'),
+        '',
+        `${c.dim('Visit:')}  ${c.bold(device.verification_uri)}`,
+        `${c.dim('Code:')}   ${c.bold(device.user_code)}`,
+        '',
+        c.dim('Or open this link directly:'),
+        c.sage(device.verification_uri_complete),
+        '',
+        c.dim('Waiting for authorization ... (press Ctrl+C to cancel)'),
+    ].join('\n');
+    console.log('');
+    console.log(box(content, { padding: 2 }));
+    console.log('');
+}
+function printSuccessBanner(auth) {
+    console.log('');
+    console.log(`  ${c.safe(symbols.pass)} Logged in as ${c.bold(auth.user_email)}.`);
+    console.log(`  ${c.dim('Workspace:')} ${c.bold(auth.workspace_name)} ${c.dim(`(${auth.workspace_slug})`)}`);
+    console.log(`  ${c.dim('Tier:')}      ${c.bold(auth.tier)}`);
+    console.log('');
+}
+/**
+ * Poll the server until a terminal state is reached.
+ * Returns the success payload on auth, or null on expiry/error/cancel
+ * (after printing a user-facing message). Never throws.
+ */
+async function pollUntilDone(appUrl, device, isCancelled) {
+    let intervalSec = Math.max(1, device.interval);
+    const deadlineMs = Date.now() + device.expires_in * 1000;
+    while (!isCancelled()) {
+        if (Date.now() > deadlineMs) {
+            console.error('');
+            console.error(`  ${c.critical(symbols.fail)} Login code expired. Please run \`pga login\` again.`);
+            console.error('');
+            return null;
+        }
+        await sleep(intervalSec * 1000);
+        if (isCancelled())
+            return null;
+        const outcome = await pollOnce(appUrl, device.device_code);
+        switch (outcome.kind) {
+            case 'success':
+                return outcome.payload;
+            case 'pending':
+                continue;
+            case 'slow_down':
+                intervalSec += 5;
+                continue;
+            case 'expired':
+                console.error('');
+                console.error(`  ${c.critical(symbols.fail)} Login code expired. Please run \`pga login\` again.`);
+                console.error('');
+                return null;
+            case 'error':
+                console.error('');
+                console.error(`  ${c.critical(symbols.fail)} Login failed: ${outcome.message}`);
+                console.error('');
+                return null;
+        }
+    }
+    return null;
+}
+function toAuthInfo(payload) {
+    return Object.freeze({
+        api_key: payload.api_key,
+        workspace_id: payload.workspace.id,
+        workspace_slug: payload.workspace.slug,
+        workspace_name: payload.workspace.name,
+        tier: payload.workspace.tier,
+        user_email: payload.user.email,
+        logged_in_at: new Date().toISOString(),
+        // Optional TC correlation id — only written to auth.json when the server
+        // returns it. Older workspaces without a TC link omit this field.
+        ...(typeof payload.workspace.tc_org_id === 'string'
+            ? { tc_org_id: payload.workspace.tc_org_id }
+            : {}),
     });
 }
+/** Write the session file with mode 0600. Creates parent dir if missing. */
+async function persistAuth(auth) {
+    const target = authConfigPath();
+    await mkdir(dirname(target), { recursive: true, mode: 0o700 });
+    await writeFile(target, JSON.stringify(auth, null, 2), { mode: 0o600 });
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
 //# sourceMappingURL=login.js.map

package/dist/cli/commands/login.js.map

@@ -1 +1 @@
-{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../src/cli/commands/login.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,MAAM,UAAU,YAAY;IAC1B,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC;SACxB,WAAW,CAAC,gDAAgD,CAAC;SAC7D,MAAM,CAAC,KAAK,IAAI,EAAE;QACjB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,kEAAkE,CAAC,CAAC;QAChF,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAC;QACjF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACP,CAAC"}
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../src/cli/commands/login.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5D,OAAO,EACL,eAAe,EACf,WAAW,EACX,QAAQ,EACR,iBAAiB,EACjB,aAAa,GACd,MAAM,mBAAmB,CAAC;AAU3B,MAAM,UAAU,YAAY;IAC1B,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC;SACxB,WAAW,CAAC,uDAAuD,CAAC;SACpE,MAAM,CAAC,iBAAiB,EAAE,8BAA8B,eAAe,GAAG,CAAC;SAC3E,MAAM,CAAC,cAAc,EAAE,oCAAoC,CAAC;SAC5D,MAAM,CAAC,SAAS,EAAE,2CAA2C,CAAC;SAC9D,MAAM,CAAC,SAAS,EAAE,+BAA+B,CAAC;SAClD,MAAM,CAAC,KAAK,EAAE,IAAkB,EAAE,EAAE;QACnC,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;IACvB,CAAC,CAAC,CAAC;AACP,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,IAAkB;IAC/C,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC;IAElC,mEAAmE;IACnE,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,QAAQ,GAAG,MAAM,QAAQ,EAAE,CAAC;QAClC,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,KAAK,OAAO,CAAC,IAAI,yBAAyB,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,GAAG;oBACtE,eAAe,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,CACrD,CAAC;gBACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,6CAA6C,CAAC,EAAE,CAAC,CAAC;gBACzE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAClB,CAAC;YACD,OAAO;QACT,CAAC;IACH,CAAC;IAED,iCAAiC;IACjC,IAAI,MAA0B,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACtE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC;QAC9E,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IAED,2BAA2B;IAC3B,gBAAgB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAEhC,oCAAoC;IACpC,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;QAC3B,WAAW,CAAC,MAAM,CAAC,yBAAyB,CAAC,CAAC;IAChD,CAAC;IAED,oDAAoD;IACpD,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,MAAM,QAAQ,GAAG,GAAS,EAAE;QAC1B,SAAS,GAAG,IAAI,CAAC;QACjB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,kBAAkB;IACvC,CAAC,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAEjC,yDAAyD;IACzD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QACrE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,2DAA2D;YAC3D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACT,CAAC;QAED,+BAA+B;QAC/B,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,WAAW,CAAC,QAAQ,CAAC,CAAC;QAE5B,0BAA0B;QAC1B,IAAI,CAAC,KAAK;YAAE,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;YAAS,CAAC;QACT,OAAO,CAAC,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,MAA0B,EAAE,KAAc;IAClE,IAAI,KAAK,EAAE,CAAC;QACV,4CAA4C;QAC5C,OAAO,CAAC,GAAG,CAAC,SAAS,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;QACzC,OAAO,CAAC,GAAG,CAAC,SAAS,MAAM,CAAC,yBAAyB,EAAE,CAAC,CAAC;QACzD,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG;QACd,CAAC,CAAC,OAAO,CAAC,wBAAwB,CAAC;QACnC,EAAE;QACF,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE;QACxD,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE;QACjD,EAAE;QACF,CAAC,CAAC,GAAG,CAAC,6BAA6B,CAAC;QACpC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,yBAAyB,CAAC;QACxC,EAAE;QACF,CAAC,CAAC,GAAG,CAAC,wDAAwD,CAAC;KAChE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;IAC1C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAc;IACxC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IAClF,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,cAAc,GAAG,CAAC,EAAE,CAC/F,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAClB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,aAAa,CAC1B,MAAc,EACd,MAA0B,EAC1B,WAA0B;IAE1B,IAAI,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;IAEzD,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;QACtB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,EAAE,CAAC;YAC5B,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAClB,OAAO,CAAC,KAAK,CACX,KAAK,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,sDAAsD,CACpF,CAAC;YACF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAClB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;QAChC,IAAI,WAAW,EAAE;YAAE,OAAO,IAAI,CAAC;QAE/B,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;QAC3D,QAAQ,OAAO,CAAC,IAAI,EAAE,CAAC;YACrB,KAAK,SAAS;gBACZ,OAAO,OAAO,CAAC,OAAO,CAAC;YACzB,KAAK,SAAS;gBACZ,SAAS;YACX,KAAK,WAAW;gBACd,WAAW,IAAI,CAAC,CAAC;gBACjB,SAAS;YACX,KAAK,SAAS;gBACZ,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;gBAClB,OAAO,CAAC,KAAK,CACX,KAAK,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,sDAAsD,CACpF,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;gBAClB,OAAO,IAAI,CAAC;YACd,KAAK,OAAO;gBACV,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;gBAClB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,kBAAkB,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;gBAChF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;gBAClB,OAAO,IAAI,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,UAAU,CAAC,OAA0B;IAC5C,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,YAAY,EAAE,OAAO,CAAC,SAAS,CAAC,EAAE;QAClC,cAAc,EAAE,OAAO,CAAC,SAAS,CAAC,IAAI;QACtC,cAAc,EAAE,OAAO,CAAC,SAAS,CAAC,IAAI;QACtC,IAAI,EAAE,OAAO,CAAC,SAAS,CAAC,IAAI;QAC5B,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK;QAC9B,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtC,yEAAyE;QACzE,kEAAkE;QAClE,GAAG,CAAC,OAAO,OAAO,CAAC,SAAS,CAAC,SAAS,KAAK,QAAQ;YACjD,CAAC,CAAC,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE;YAC5C,CAAC,CAAC,EAAE,CAAC;KACR,CAAC,CAAC;AACL,CAAC;AAED,4EAA4E;AAC5E,KAAK,UAAU,WAAW,CAAC,IAAc;IACvC,MAAM,MAAM,GAAG,cAAc,EAAE,CAAC;IAChC,MAAM,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC/D,MAAM,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC"}

package/dist/cli/commands/logout.d.ts

@@ -1,11 +1,21 @@
 /**
- * `panguard logout` - Authentication removed
- * `panguard logout` - 驗證功能已移除
+ * `pga logout` — clear the local session.
  *
- * All features are free and open source. No login required.
+ * 1. Best-effort POST to `${APP_URL}/api/auth/revoke` to invalidate the
+ *    api_key server-side. Failures are swallowed — the local file is the
+ *    source of truth for a logged-in session.
+ * 2. Delete `~/.panguard/auth.json`.
+ *
+ * The `api_key` is sent only in the Authorization header and is never logged.
  *
  * @module @panguard-ai/panguard/cli/commands/logout
  */
 import { Command } from 'commander';
+interface LogoutOptions {
+    appUrl?: string;
+    quiet?: boolean;
+}
 export declare function logoutCommand(): Command;
+export declare function runLogout(opts: LogoutOptions): Promise<void>;
+export {};
 //# sourceMappingURL=logout.d.ts.map

package/dist/cli/commands/logout.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"logout.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/logout.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,wBAAgB,aAAa,IAAI,OAAO,CASvC"}
+{"version":3,"file":"logout.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/logout.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAMpC,UAAU,aAAa;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,wBAAgB,aAAa,IAAI,OAAO,CAQvC;AAED,wBAAsB,SAAS,CAAC,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAmDlE"}

package/dist/cli/commands/logout.js

@@ -1,20 +1,75 @@
 /**
- * `panguard logout` - Authentication removed
- * `panguard logout` - 驗證功能已移除
+ * `pga logout` — clear the local session.
  *
- * All features are free and open source. No login required.
+ * 1. Best-effort POST to `${APP_URL}/api/auth/revoke` to invalidate the
+ *    api_key server-side. Failures are swallowed — the local file is the
+ *    source of truth for a logged-in session.
+ * 2. Delete `~/.panguard/auth.json`.
+ *
+ * The `api_key` is sent only in the Authorization header and is never logged.
  *
  * @module @panguard-ai/panguard/cli/commands/logout
  */
 import { Command } from 'commander';
+import { rm } from 'node:fs/promises';
+import { c, symbols } from '@panguard-ai/core';
+import { authConfigPath, loadAuth } from '../auth-guard.js';
+import { DEFAULT_APP_URL, resolveAppUrl } from '../device-flow.js';
 export function logoutCommand() {
     return new Command('logout')
-        .description('Authentication removed - all features are free')
-        .action(async () => {
+        .description('Sign out and clear local PanGuard session')
+        .option('--app-url <url>', `PanGuard app URL (default: ${DEFAULT_APP_URL})`)
+        .option('--quiet', 'Suppress non-essential output')
+        .action(async (opts) => {
+        await runLogout(opts);
+    });
+}
+export async function runLogout(opts) {
+    const auth = await loadAuth();
+    const quiet = opts.quiet === true;
+    if (!auth) {
+        if (!quiet) {
+            console.log('');
+            console.log(`  ${c.dim(symbols.info)} Not logged in — nothing to do.`);
+            console.log('');
+        }
+        return;
+    }
+    // Best-effort server-side revoke. We intentionally ignore failures so a
+    // dropped network (e.g. offline laptop) never blocks local cleanup.
+    const appUrl = resolveAppUrl(opts.appUrl);
+    try {
+        await fetch(`${appUrl}/api/auth/revoke`, {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${auth.api_key}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({}),
+            signal: AbortSignal.timeout(5_000),
+        });
+    }
+    catch {
+        // Swallow — local cleanup still happens below.
+    }
+    // Always remove the local file. `rm --force` behaviour via { force: true }.
+    try {
+        await rm(authConfigPath(), { force: true });
+    }
+    catch (err) {
+        if (!quiet) {
+            console.error('');
+            console.error(`  ${c.critical(symbols.fail)} Could not remove local session file: ` +
+                (err instanceof Error ? err.message : String(err)));
+            console.error('');
+        }
+        process.exitCode = 1;
+        return;
+    }
+    if (!quiet) {
         console.log('');
-        console.log('  Authentication removed. All features are free and open source.');
-        console.log('  驗證功能已移除。所有功能皆免費開源。');
+        console.log(`  ${c.safe(symbols.pass)} Logged out.`);
         console.log('');
-    });
+    }
 }
 //# sourceMappingURL=logout.js.map

package/dist/cli/commands/logout.js.map

@@ -1 +1 @@
-{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../../src/cli/commands/logout.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,MAAM,UAAU,aAAa;IAC3B,OAAO,IAAI,OAAO,CAAC,QAAQ,CAAC;SACzB,WAAW,CAAC,gDAAgD,CAAC;SAC7D,MAAM,CAAC,KAAK,IAAI,EAAE;QACjB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,kEAAkE,CAAC,CAAC;QAChF,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACP,CAAC"}
+{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../../src/cli/commands/logout.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAC;AACtC,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAOnE,MAAM,UAAU,aAAa;IAC3B,OAAO,IAAI,OAAO,CAAC,QAAQ,CAAC;SACzB,WAAW,CAAC,2CAA2C,CAAC;SACxD,MAAM,CAAC,iBAAiB,EAAE,8BAA8B,eAAe,GAAG,CAAC;SAC3E,MAAM,CAAC,SAAS,EAAE,+BAA+B,CAAC;SAClD,MAAM,CAAC,KAAK,EAAE,IAAmB,EAAE,EAAE;QACpC,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC;IACxB,CAAC,CAAC,CAAC;AACP,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,IAAmB;IACjD,MAAM,IAAI,GAAG,MAAM,QAAQ,EAAE,CAAC;IAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC;IAElC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;YACvE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;QACD,OAAO;IACT,CAAC;IAED,wEAAwE;IACxE,oEAAoE;IACpE,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC;QACH,MAAM,KAAK,CAAC,GAAG,MAAM,kBAAkB,EAAE;YACvC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,OAAO,EAAE;gBACvC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACxB,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,+CAA+C;IACjD,CAAC;IAED,4EAA4E;IAC5E,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,cAAc,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAClB,OAAO,CAAC,KAAK,CACX,KAAK,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,wCAAwC;gBACnE,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CACrD,CAAC;YACF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACpB,CAAC;QACD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/cli/commands/report.d.ts

@@ -1,6 +1,31 @@
 /**
- * panguard report - Compliance report generation (Coming Soon)
- * panguard report - 合規報告產生（即將推出）
+ * panguard report — AI Compliance Audit Evidence report generator
+ *
+ * Reads ATR rule YAML (from @panguard-ai/agent-threat-rules node_modules) and
+ * produces auditor-readable reports mapping each rule to compliance framework
+ * articles / clauses / subcategories. This is the Enterprise tier's core
+ * differentiator (product "D1").
+ *
+ * Usage:
+ *   pga report list-frameworks
+ *   pga report summary --framework <name>
+ *   pga report generate --framework <name> [--format md|json|pdf] [--output <path>] [--sign <key>]
+ *
+ * Every report includes a SHA-256 integrity hash computed over the
+ * canonical JSON representation, and optionally an HMAC-SHA256
+ * signature (via --sign or PANGUARD_REPORT_SIGNING_KEY env var).
+ * PDFs additionally write a sidecar <output>.hash file for auditor
+ * verification.
+ *
+ * Supported framework ids:
+ *   owasp-agentic   — OWASP Agentic Top 10 (2026)
+ *   owasp-llm       — OWASP LLM Top 10 (2025)
+ *   eu-ai-act       — EU AI Act (Regulation 2024/1689)
+ *   colorado-ai-act — Colorado SB24-205
+ *   nist-ai-rmf     — NIST AI RMF 1.0
+ *   iso-42001       — ISO/IEC 42001:2023
+ *
+ * @module @panguard-ai/panguard/cli/commands/report
  */
 import { Command } from 'commander';
 export declare function reportCommand(): Command;

package/dist/cli/commands/report.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"report.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/report.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAkBpC,wBAAgB,aAAa,IAAI,OAAO,CA4CvC"}
+{"version":3,"file":"report.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/report.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAgyBpC,wBAAgB,aAAa,IAAI,OAAO,CAkDvC"}