@pleri/olam-cli 0.1.195 → 0.1.198

package/README.md

@@ -186,6 +186,58 @@ olam upgrade -y                 # pull latest digests; restart services
 
 JSONL audit log at `~/.olam/upgrade.log`.
 
+## Cloud-only auth vault (Phase B)
+
+Olam's credential vault ships two migration phases:
+
+**Phase A** (`@olam/auth-client` — already live): `withCredential` selects the
+cloud auth-worker by default. Resolution order:
+1. `OLAM_CREDENTIAL_BACKEND=local` → local `olam-auth` container at `127.0.0.1:9999`.
+2. `OLAM_CREDENTIAL_BACKEND=remote` → cloud auth-worker.
+3. Auto-discovery via `OLAM_ANTHROPIC_BASE_URL` / `~/.olam/anthropic-base-url` / `~/.olam/cloud-bearer.json`.
+4. Hard-coded fallback → cloud auth-worker (`https://auth-worker.kaluga.co`).
+
+**Phase B** (CLI — this package): `olam auth login | list | list-json` default to
+the cloud auth-worker. Operators with an existing local vault can migrate:
+
+```sh
+# Plan the migration (read-only, no writes)
+olam auth migrate --dry-run
+
+# Run the migration
+olam auth migrate
+
+# Opt out: stay on the local container vault
+olam auth login --local
+olam auth list --local
+OLAM_CREDENTIAL_BACKEND=local olam auth list   # host-wide env override; no deprecation warning
+```
+
+`--local` emits a deprecation warning. The flag will be removed in a future
+release. `OLAM_CREDENTIAL_BACKEND=local` is the quiet host-wide opt-out.
+
+**Deferred (OQ7):** `olam auth refresh | disable | enable` are LOCAL ONLY pending
+the admin-mutator UX design tracked in
+[`docs/plans/cloud-only-vault/README.md`](https://github.com/pleri/olam/blob/main/docs/plans/cloud-only-vault/README.md).
+
+### `olam doctor` — auth vault health
+
+`olam doctor` reports both backends' health at probe position 4:
+
+```
+✓ auth vault  remote (auth-worker.kaluga.co) healthy (42ms); local (olam-auth:9999) absent
+```
+
+Three remote states: `healthy` / `unreachable` / `unauthenticated`.
+Three local states: `present-active` / `present-stale` / `absent`.
+
+When both backends are present (`remote=healthy` + `local=present-active|present-stale`),
+doctor suggests `olam auth migrate --dry-run` to plan cloud migration.
+
+Full design:
+[`docs/architecture/cloud-only-vault.md`](https://github.com/pleri/olam/blob/main/docs/architecture/cloud-only-vault.md),
+[`docs/plans/cloud-only-vault/README.md`](https://github.com/pleri/olam/blob/main/docs/plans/cloud-only-vault/README.md).
+
 ## Docs
 
 - [Full README](https://github.com/pleri/olam#readme)

package/dist/ask/knowledge-pack.generated.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"knowledge-pack.generated.d.ts","sourceRoot":"","sources":["../../src/ask/knowledge-pack.generated.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,eAAO,MAAM,cAAc,EAAE,MA2yE5B,CAAC"}
+{"version":3,"file":"knowledge-pack.generated.d.ts","sourceRoot":"","sources":["../../src/ask/knowledge-pack.generated.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,eAAO,MAAM,cAAc,EAAE,MA+yE5B,CAAC"}

package/dist/ask/knowledge-pack.generated.js

@@ -2253,7 +2253,7 @@ Top-level commands (run \`olam <command> --help\` for flags and subcommands):
 - \`olam add\` — Register a local repo path
 - \`olam admin\` — Admin operations (require admin secret)
 - \`olam aggregate\` — Aggregate plan stats by operator (gate #3 measurement)
-- \`olam apply\` — Create a world from a runbook (delegates to olam create)
+- \`olam apply\` — Create a world from a runbook spec (port-validates then delegates to WorldManager.createWorld)
 - \`olam apply-overlays\` — Merge ~/.claude/skills.overrides/ and ~/.claude/agents.overrides/ over upstream (section-as-unit merge per markdown-merger)
 - \`olam ask\` — Ask olam about its own usage, setup, and CLI (local Claude subscription)
 - \`olam audit-log\` — Inspect the manifest-refresh audit log (~/.olam/state/manifest-refresh-audit.jsonl).
@@ -2264,6 +2264,7 @@ Top-level commands (run \`olam <command> --help\` for flags and subcommands):
 - \`olam bootstrap\` — One-shot wiring of a fresh Hermes install to olam (MCP + KG hook + skill mirror)
 - \`olam build\` — Build pristine KG for a workspace (default: current dir). Routes through olam-kg-service /build endpoint. Use --pending to drain the pending queue.
 - \`olam check-ports\` — Check if runbook ports are available
+- \`olam classify\` — Route a query through the remote edge classifier (POST /v1/classify on the proxy Worker)
 - \`olam clean\` — Reap orphaned world filesystem state
 - \`olam completion\` — Emit a shell completion script for zsh or bash
 - \`olam config\` — Manage global olam configuration
@@ -2273,11 +2274,11 @@ Top-level commands (run \`olam <command> --help\` for flags and subcommands):
 - \`olam destroy\` — Destroy a world and clean up its resources
 - \`olam diagnose\` — Bundle diagnostics into a zip file for sharing with maintainers
 - \`olam diff\` — Show what
-- \`olam disable\` — Take a credential out of rotation (manual cooldown)
+- \`olam disable\` — Take a credential out of rotation (manual cooldown). LOCAL ONLY — no cloud equivalent yet (see OQ7 in docs/plans/cloud-only-vault/README.md).
 - \`olam dispatch\` — Send a prompt to a world for execution
 - \`olam doctor\` — Run 4 diagnostic probes against the remote auth-worker
 - \`olam down\` — [deprecated] Stop the auth container — use
-- \`olam enable\` — Re-enable a disabled credential
+- \`olam enable\` — Re-enable a disabled credential. LOCAL ONLY — no cloud equivalent yet (see OQ7 in docs/plans/cloud-only-vault/README.md).
 - \`olam enter\` — Open terminal to a world
 - \`olam evict\` — Evict oldest snapshots until total size ≤ cap (default 5GB; override via OLAM_SNAPSHOT_MAX_BYTES)
 - \`olam get\` — Print the active substrate
@@ -2292,15 +2293,16 @@ Top-level commands (run \`olam <command> --help\` for flags and subcommands):
 - \`olam keys\` — Manage LLM API keys stored at ~/.olam/keys.yaml
 - \`olam kg\` — Knowledge-graph operations (kg-service container)
 - \`olam lanes\` — Manage claude-lane-* tmux sessions inside a running world
-- \`olam list\` — List credentials (local by default; --remote to query a remote auth-worker)
+- \`olam list\` — List credentials. Defaults to the cloud auth-worker (Phase B). Pass --local to read the legacy ~/.olam/auth-data/accounts.json (emits deprecation warning).
 - \`olam list-anthropic-tokens\` — List Anthropic proxy tokens from the remote auth-worker (g4)
-- \`olam login\` — Run the OAuth PKCE flow to store a Claude account in the auth container, or print a remote OAuth URL (--remote)
+- \`olam login\` — Log into the cloud auth-worker by default (Phase B); use --local to opt into the legacy local auth-service container PKCE flow.
 - \`olam logout\` — Remove an account from the auth container
 - \`olam logs\` — Stream application logs from a world (engine-agnostic)
+- \`olam migrate\` — Migrate local ~/.olam/auth-data/accounts.json to the cloud auth-worker.
 - \`olam migrate-hooks-back\` — Reverse olam-meta hook injection by restoring ~/.claude/settings.json from a B5 snapshot
-- \`olam migrate-to-remote\` — Print guidance for re-authenticating local credentials against the remote auth-worker (v1: no auto-migration of secrets)
+- \`olam migrate-to-remote\` — (deprecated) renamed to
 - \`olam mirror\` — cloud-kg-mirror operations (build via CF Worker, classify at edge)
-- \`olam observe\` — Stream thoughts from a world (coming soon)
+- \`olam observe\` — redirect to
 - \`olam onboard\` — Fresh-install umbrella: register + clone + install SessionStart hook + first sync, in one verb
 - \`olam path\` — Print the absolute path to ~/.olam/keys.yaml
 - \`olam plans\` — Manage Olam Cloud plans (list / show / rm / re-register)
@@ -2309,7 +2311,7 @@ Top-level commands (run \`olam <command> --help\` for flags and subcommands):
 - \`olam prune\` — Delete shadow-backup files older than a duration (e.g. 30d) OR all of them with --all --force
 - \`olam ps\` — List running processes in a world container
 - \`olam pull\` — Fetch + reset the clone to upstream HEAD
-- \`olam refresh\` — Force-refresh an account token (substrate-aware: updates kubernetes Secret on k8s substrate)
+- \`olam refresh\` — Force-refresh an account token (substrate-aware: updates kubernetes Secret on k8s substrate). LOCAL ONLY — no cloud equivalent yet (see OQ7 in docs/plans/cloud-only-vault/README.md).
 - \`olam register\` — Register a world with the running host CP so it appears in the unified UI
 - \`olam rekey\` — Rotate the per-world postgres password for a hybrid-mode world
 - \`olam remove\` — Permanently remove a credential (purge tokens)
@@ -2326,6 +2328,7 @@ Top-level commands (run \`olam <command> --help\` for flags and subcommands):
 - \`olam services\` — Manage Olam service containers (up/down/status/logs)
 - \`olam set-prefix\` — Set the deploy prefix for a registered skill source (skills+agents deploy as <prefix>:<canonical-name>)
 - \`olam set-prefix-scope\` — Set which artifact kinds are renamed by the prefix (comma-separated: skill, agent, or skill,agent)
+- \`olam set-prefix-target\` — Restrict prefix renaming to canonical names matching the given glob patterns (only * wildcard supported).
 - \`olam setup\` — Fresh-host onboarding wizard (k3d cluster + services, idempotent)
 - \`olam setup-linux-gate-status\` — Check whether the Linux platform expansion gate has been triggered
 - \`olam setup-metrics\` — Query trust-audit-log for setup dogfood statistics
@@ -2344,6 +2347,7 @@ Top-level commands (run \`olam <command> --help\` for flags and subcommands):
 - \`olam uninstall-hook\` — Remove kg-service PreToolUse hook from .claude/settings.json (sentinel-matched; surgical)
 - \`olam unset-prefix\` — Remove the deploy prefix from a registered skill source (reverts to canonical deploy names)
 - \`olam unset-prefix-scope\` — Remove the prefix-scope override from a registered skill source (reverts to default: both skill and agent are renamed)
+- \`olam unset-prefix-target\` — Remove the prefix-target override from a registered skill source (reverts to default: all canonical names are renamed)
 - \`olam up\` — [deprecated] Start the auth container — use
 - \`olam update\` — Update a registered repo
 - \`olam upgrade\` — Upgrade the olam-auth container. Default: pull olam-auth@<digest> from ghcr.io and recreate.

package/dist/ask/knowledge-pack.generated.js.map

@@ -1 +1 @@
-{"version":3,"file":"knowledge-pack.generated.js","sourceRoot":"","sources":["../../src/ask/knowledge-pack.generated.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,oBAAoB;AAEpB,MAAM,CAAC,MAAM,cAAc,GAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2yErC,CAAC"}
+{"version":3,"file":"knowledge-pack.generated.js","sourceRoot":"","sources":["../../src/ask/knowledge-pack.generated.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,oBAAoB;AAEpB,MAAM,CAAC,MAAM,cAAc,GAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+yErC,CAAC"}

package/dist/commands/auth-list-json.d.ts

@@ -19,6 +19,7 @@
  * AuthAccountSummary and are never emitted.
  */
 import type { AuthAccountSummary } from '@olam/core/src/auth/types.js';
+import type { AccountEntry } from '../lib/auth-remote.js';
 /** Per-account row in the `auth list --json` payload. */
 export interface AuthListAccountJson {
     readonly id: string;
@@ -50,4 +51,37 @@ export interface AuthListJson {
  * `--json` wire shape. `now` is injectable for deterministic tests.
  */
 export declare function renderAuthListJson(accounts: readonly AuthAccountSummary[], now?: number): string;
+/**
+ * B4 (narrowed) — JSON shape for `olam auth list --json` when the remote
+ * backend is active. The remote payload carries less detail than the local
+ * one (no `usage` window stats, no `tokenValid` — those are local-only
+ * concepts today), so the wire shape is intentionally narrower. The `stale`
+ * + `lastFetchedAt` fields surface the in-process cache's freshness so
+ * driver scripts can decide whether to retry.
+ */
+export interface AuthListRemoteAccountJson {
+    readonly id: string;
+    readonly label: string;
+    readonly state: string;
+    readonly expiresIn: string;
+    readonly provider: string | null;
+    readonly email: string | null;
+    readonly rateLimitResetsAt: string | null;
+    readonly weeklyResetsAt: string | null;
+}
+export interface AuthListRemoteJson {
+    readonly count: number;
+    /** True iff at least one account is in the `active` state. */
+    readonly healthy: boolean;
+    /** True iff this payload came from the stale-cache fallback. */
+    readonly stale: boolean;
+    /** Epoch ms of the underlying fetch; informs the operator how old the data is. */
+    readonly lastFetchedAt: number;
+    readonly accounts: readonly AuthListRemoteAccountJson[];
+}
+/**
+ * Serialise the remote `AccountEntry[]` payload to the `--json` wire shape.
+ * `stale` + `fetchedAt` propagate from the orchestrator's `RemoteListResult`.
+ */
+export declare function renderRemoteAuthListJson(accounts: ReadonlyArray<AccountEntry>, stale: boolean, fetchedAt: number): string;
 //# sourceMappingURL=auth-list-json.d.ts.map

package/dist/commands/auth-list-json.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-list-json.d.ts","sourceRoot":"","sources":["../../src/commands/auth-list-json.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAGH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAEvE,yDAAyD;AACzD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAC7B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1C,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IACvC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CACnC;AAED,0DAA0D;AAC1D,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,kEAAkE;IAClE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B;;;;OAIG;IACH,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,QAAQ,CAAC,QAAQ,EAAE,SAAS,mBAAmB,EAAE,CAAC;CACnD;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,SAAS,kBAAkB,EAAE,EACvC,GAAG,GAAE,MAAmB,GACvB,MAAM,CAsBR"}
+{"version":3,"file":"auth-list-json.d.ts","sourceRoot":"","sources":["../../src/commands/auth-list-json.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAGH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAE1D,yDAAyD;AACzD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAC7B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1C,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IACvC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CACnC;AAED,0DAA0D;AAC1D,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,kEAAkE;IAClE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B;;;;OAIG;IACH,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,QAAQ,CAAC,QAAQ,EAAE,SAAS,mBAAmB,EAAE,CAAC;CACnD;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,SAAS,kBAAkB,EAAE,EACvC,GAAG,GAAE,MAAmB,GACvB,MAAM,CAsBR;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,yBAAyB;IACxC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,QAAQ,CAAC,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1C,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;CACxC;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,8DAA8D;IAC9D,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,gEAAgE;IAChE,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,kFAAkF;IAClF,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,QAAQ,EAAE,SAAS,yBAAyB,EAAE,CAAC;CACzD;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,QAAQ,EAAE,aAAa,CAAC,YAAY,CAAC,EACrC,KAAK,EAAE,OAAO,EACd,SAAS,EAAE,MAAM,GAChB,MAAM,CAqBR"}

package/dist/commands/auth-list-json.js

@@ -44,4 +44,28 @@ export function renderAuthListJson(accounts, now = Date.now()) {
     };
     return JSON.stringify(payload);
 }
+/**
+ * Serialise the remote `AccountEntry[]` payload to the `--json` wire shape.
+ * `stale` + `fetchedAt` propagate from the orchestrator's `RemoteListResult`.
+ */
+export function renderRemoteAuthListJson(accounts, stale, fetchedAt) {
+    const rows = accounts.map((a) => ({
+        id: a.id,
+        label: a.label ?? a.id,
+        state: a.state ?? 'unknown',
+        expiresIn: a.expiresIn ?? '',
+        provider: a.provider ?? null,
+        email: a.email === undefined ? null : a.email,
+        rateLimitResetsAt: a.rateLimitResetsAt === undefined ? null : a.rateLimitResetsAt,
+        weeklyResetsAt: a.weeklyResetsAt === undefined ? null : a.weeklyResetsAt,
+    }));
+    const payload = {
+        count: rows.length,
+        healthy: rows.some((r) => r.state === 'active'),
+        stale,
+        lastFetchedAt: fetchedAt,
+        accounts: rows,
+    };
+    return JSON.stringify(payload);
+}
 //# sourceMappingURL=auth-list-json.js.map

package/dist/commands/auth-list-json.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth-list-json.js","sourceRoot":"","sources":["../../src/commands/auth-list-json.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AA+BrD;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAuC,EACvC,MAAc,IAAI,CAAC,GAAG,EAAE;IAExB,MAAM,IAAI,GAA0B,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACvD,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,KAAK,EAAE,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,EAAE;QAC7B,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,SAAS;QAC3B,UAAU,EAAE,CAAC,CAAC,UAAU;QACxB,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,WAAW,EAAE,CAAC,CAAC,WAAW;QAC1B,iBAAiB,EAAE,CAAC,CAAC,iBAAiB,IAAI,IAAI;QAC9C,cAAc,EAAE,CAAC,CAAC,cAAc,IAAI,IAAI;QACxC,cAAc,EAAE,CAAC,CAAC,KAAK,EAAE,cAAc,IAAI,CAAC;QAC5C,SAAS,EAAE,CAAC,CAAC,KAAK,EAAE,SAAS,IAAI,IAAI;KACtC,CAAC,CAAC,CAAC;IAEJ,MAAM,OAAO,GAAiB;QAC5B,KAAK,EAAE,IAAI,CAAC,MAAM;QAClB,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,QAAQ,CAAC;QAC/C,WAAW,EAAE,iBAAiB,CAAC,QAAQ,EAAE,GAAG,CAAC;QAC7C,QAAQ,EAAE,IAAI;KACf,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC"}
+{"version":3,"file":"auth-list-json.js","sourceRoot":"","sources":["../../src/commands/auth-list-json.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAgCrD;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAuC,EACvC,MAAc,IAAI,CAAC,GAAG,EAAE;IAExB,MAAM,IAAI,GAA0B,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACvD,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,KAAK,EAAE,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,EAAE;QAC7B,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,SAAS;QAC3B,UAAU,EAAE,CAAC,CAAC,UAAU;QACxB,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,WAAW,EAAE,CAAC,CAAC,WAAW;QAC1B,iBAAiB,EAAE,CAAC,CAAC,iBAAiB,IAAI,IAAI;QAC9C,cAAc,EAAE,CAAC,CAAC,cAAc,IAAI,IAAI;QACxC,cAAc,EAAE,CAAC,CAAC,KAAK,EAAE,cAAc,IAAI,CAAC;QAC5C,SAAS,EAAE,CAAC,CAAC,KAAK,EAAE,SAAS,IAAI,IAAI;KACtC,CAAC,CAAC,CAAC;IAEJ,MAAM,OAAO,GAAiB;QAC5B,KAAK,EAAE,IAAI,CAAC,MAAM;QAClB,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,QAAQ,CAAC;QAC/C,WAAW,EAAE,iBAAiB,CAAC,QAAQ,EAAE,GAAG,CAAC;QAC7C,QAAQ,EAAE,IAAI;KACf,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC;AAgCD;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CACtC,QAAqC,EACrC,KAAc,EACd,SAAiB;IAEjB,MAAM,IAAI,GAAgC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC7D,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,EAAE;QACtB,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,SAAS;QAC3B,SAAS,EAAE,CAAC,CAAC,SAAS,IAAI,EAAE;QAC5B,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,IAAI;QAC5B,KAAK,EAAE,CAAC,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK;QAC7C,iBAAiB,EAAE,CAAC,CAAC,iBAAiB,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,iBAAiB;QACjF,cAAc,EAAE,CAAC,CAAC,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc;KACzE,CAAC,CAAC,CAAC;IAEJ,MAAM,OAAO,GAAuB;QAClC,KAAK,EAAE,IAAI,CAAC,MAAM;QAClB,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,QAAQ,CAAC;QAC/C,KAAK;QACL,aAAa,EAAE,SAAS;QACxB,QAAQ,EAAE,IAAI;KACf,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC"}

package/dist/commands/auth-migrate.d.ts

@@ -0,0 +1,212 @@
+/**
+ * olam auth migrate — one-shot migration tool for operators with a legacy
+ * `~/.olam/auth-data/accounts.json` (the file the pre-Phase-A auth-service
+ * container wrote OAuth tokens to). Reads each local account and walks the
+ * operator through re-authenticating it against the cloud auth-worker.
+ *
+ * ───────────────────────────────────────────────────────────────────────────
+ * IMPORTANT — DESIGN-DOC NOTE FROM B2's AUDIT
+ * ───────────────────────────────────────────────────────────────────────────
+ *
+ * **There is no `POST /v1/credentials` endpoint on the cloud auth-worker DO.**
+ * Phase A's design doc (`docs/architecture/cloud-only-vault.md` §3 — "the
+ * bearer IS the credential") makes the explicit choice that the cloud vault
+ * does not accept already-minted OAuth tokens over HTTP. The only way a
+ * credential lands in the DO is via the worker's own OAuth-callback handler
+ * after the operator completes the Anthropic device-code dance.
+ *
+ * So "migrate" here does NOT mean "POST tokens into the cloud DO" (phase-b-
+ * tasks.md B3's wording is shorthand). It means: **for each local account,
+ * re-run the OAuth-start flow against the cloud auth-worker so the operator
+ * re-authenticates that Anthropic account, and the worker's callback stores
+ * the resulting token server-side.**
+ *
+ * The local OAuth token bytes themselves are never sent anywhere — they
+ * remain in `~/.olam/auth-data/accounts.json` until the operator approves
+ * the final timestamped rename. Local file is NEVER deleted automatically.
+ *
+ * ───────────────────────────────────────────────────────────────────────────
+ * IDEMPOTENCE MODEL
+ * ───────────────────────────────────────────────────────────────────────────
+ *
+ * Per-account migration state lives in `~/.olam/auth-data/migration-state.json`:
+ *
+ *   {
+ *     "version": 1,
+ *     "migrated": {
+ *       "<sha256(stable-content-shape)>": {
+ *         "migratedAt": "2026-05-29T...Z",
+ *         "email": "alice@example.com",
+ *         "provider": "claude"
+ *       },
+ *       ...
+ *     }
+ *   }
+ *
+ * The hash is computed from a STABLE JSON shape (`{email, provider,
+ * anthropicAccountId}`) — re-running migrate after the local vault changes
+ * picks up new accounts but skips already-migrated ones. Atomic write
+ * (write-to-tmp then rename) guarantees that a mid-flight kill resumes
+ * cleanly: any account whose state record is durable on disk is skipped;
+ * the rest are re-attempted.
+ *
+ * ───────────────────────────────────────────────────────────────────────────
+ * CLI SURFACE
+ * ───────────────────────────────────────────────────────────────────────────
+ *
+ *   olam auth migrate                 # default: interactive live-run
+ *   olam auth migrate --dry-run       # print the per-account plan only
+ *   olam auth migrate --remote <url>  # override auth-worker URL
+ *   olam auth migrate --yes           # CI safety; only valid w/ --dry-run
+ */
+import type { Command } from 'commander';
+import { DEFAULT_AUTH_WORKER_URL } from '../lib/auth-login.js';
+import { printError, printHeader, printSuccess } from '../output.js';
+/**
+ * A row from the legacy local vault. The pre-Phase-A `auth-service` container
+ * wrote a richer record than this; for migration purposes we only need the
+ * three fields that uniquely identify an Anthropic account.
+ */
+export interface LocalAccount {
+    readonly email: string;
+    readonly provider: string;
+    readonly anthropicAccountId?: string;
+    /** Optional label the operator gave the account at login time. */
+    readonly label?: string;
+}
+/** Shape of `~/.olam/auth-data/accounts.json` (the legacy vault file). */
+export interface LocalAccountsFile {
+    readonly accounts: readonly LocalAccount[];
+}
+/** Per-hash record in `migration-state.json`. */
+export interface MigrationRecord {
+    readonly migratedAt: string;
+    readonly email: string;
+    readonly provider: string;
+}
+/** Shape of `~/.olam/auth-data/migration-state.json`. */
+export interface MigrationState {
+    readonly version: 1;
+    readonly migrated: Readonly<Record<string, MigrationRecord>>;
+}
+/** Per-account decision in the migration plan. */
+export interface PlannedAccount {
+    readonly account: LocalAccount;
+    readonly hash: string;
+    readonly status: 'pending' | 'already-migrated';
+    readonly migratedRecord?: MigrationRecord;
+}
+/** Options parsed from Commander for `olam auth migrate`. */
+export interface AuthMigrateOptions {
+    readonly local?: boolean;
+    readonly remote?: boolean | string;
+    readonly dryRun?: boolean;
+    readonly yes?: boolean;
+}
+/** Result of a `runAuthMigrate` invocation (drives `process.exitCode`). */
+export interface AuthMigrateResult {
+    readonly exitCode: 0 | 1;
+    /** Total accounts in the local vault (zero when the file is absent). */
+    readonly accountsTotal?: number;
+    /** Accounts that were already-migrated at start. */
+    readonly accountsAlreadyMigrated?: number;
+    /** Accounts that completed migration during THIS invocation. */
+    readonly accountsMigratedNow?: number;
+    /** Accounts the operator skipped this run. */
+    readonly accountsSkipped?: number;
+    /** True when --dry-run was honoured (no live OAuth). */
+    readonly dryRun?: boolean;
+    /** Resolved auth-worker URL for the live-run case. */
+    readonly resolvedRemoteUrl?: string;
+}
+export interface AuthMigrateDeps {
+    /** Absolute path to ~/.olam/auth-data/accounts.json. */
+    readonly accountsPath?: string;
+    /** Absolute path to ~/.olam/auth-data/migration-state.json. */
+    readonly statePath?: string;
+    /** fs.readFileSync surrogate (defaults to real fs). */
+    readonly readFileSync?: (p: string) => string;
+    /** fs.writeFileSync surrogate (defaults to real fs). */
+    readonly writeFileSync?: (p: string, data: string) => void;
+    /** fs.renameSync surrogate (defaults to real fs). */
+    readonly renameSync?: (from: string, to: string) => void;
+    /** fs.existsSync surrogate (defaults to real fs). */
+    readonly existsSync?: (p: string) => boolean;
+    /** Returns the current ISO timestamp (defaults to new Date().toISOString()). */
+    readonly now?: () => string;
+    /** Reads OLAM_AUTH_WORKER_URL env var (resolveRemoteUrl). */
+    readonly readEnv?: (key: string) => string | undefined;
+    /** Reads ~/.olam/auth-worker-url file (resolveRemoteUrl). */
+    readonly readAuthWorkerUrlFile?: () => string | null;
+    /** True when stdin is a TTY (interactive prompts are meaningful). */
+    readonly isTty?: () => boolean;
+    /**
+     * Per-account interactive prompt:
+     *   q = abort migration; s = skip this account; anything else = proceed.
+     * Returns the operator's raw answer; runAuthMigrate interprets.
+     */
+    readonly promptPerAccount?: (question: string) => Promise<string>;
+    /** Final "rename local vault?" prompt (yes / no). */
+    readonly promptFinalRename?: (question: string) => Promise<string>;
+    /** Where banner + table output goes. Defaults to process.stdout. */
+    readonly stdout?: NodeJS.WritableStream;
+    /** Where errors + warnings go. Defaults to process.stderr. */
+    readonly stderr?: NodeJS.WritableStream;
+}
+/**
+ * Stable content hash for an account. Two accounts with identical
+ * (email, provider, anthropicAccountId) tuples produce the same hash —
+ * the operator deleting + re-adding the same Anthropic account locally
+ * still resolves to "already migrated" on the cloud side. Tests rely on
+ * this invariant being stable (no random salt, no time component).
+ */
+export declare function accountContentHash(account: LocalAccount): string;
+/** Empty initial migration state (version 1). */
+export declare function emptyMigrationState(): MigrationState;
+/**
+ * Read + parse migration-state.json. Returns `emptyMigrationState()` when
+ * the file is absent (first-ever migrate run). Throws on parse-failure or
+ * version drift so the caller can exit 1 with a manual-inspection message.
+ */
+export declare function readMigrationState(statePath: string, deps: Pick<AuthMigrateDeps, 'existsSync' | 'readFileSync'>): MigrationState;
+/**
+ * Atomically write migration state. Strategy: serialise to `<path>.tmp`,
+ * then `rename` over the live file. The rename is atomic on POSIX (and on
+ * NTFS via ReplaceFileEx semantics); a process kill between the .tmp write
+ * and the rename leaves the live file untouched.
+ *
+ * Throws on write or rename failure; caller is expected to surface the
+ * error and exit 1 without touching anything else.
+ */
+export declare function writeMigrationStateAtomic(statePath: string, state: MigrationState, deps: Pick<AuthMigrateDeps, 'writeFileSync' | 'renameSync'>): void;
+/**
+ * Read + parse the legacy local vault file. Returns `null` when absent
+ * (the "nothing to migrate" path). Throws on parse failure.
+ */
+export declare function readLocalAccounts(accountsPath: string, deps: Pick<AuthMigrateDeps, 'existsSync' | 'readFileSync'>): LocalAccountsFile | null;
+/**
+ * Pure planner — given the local accounts + the migration state, decide
+ * what each account's status is. No IO; trivial to unit-test.
+ */
+export declare function planMigration(accounts: readonly LocalAccount[], state: MigrationState): PlannedAccount[];
+/**
+ * Run the `olam auth migrate` decision tree. Every IO touchpoint is funnelled
+ * through `AuthMigrateDeps` so tests assert on orchestration without spawning
+ * real OAuth round-trips, filesystem writes, or readline reads.
+ */
+export declare function runAuthMigrate(opts: AuthMigrateOptions, deps?: AuthMigrateDeps): Promise<AuthMigrateResult>;
+/**
+ * Register `olam auth migrate` on the supplied `auth` subcommand. Called
+ * from `packages/cli/src/commands/auth.ts`.
+ */
+export declare function registerAuthMigrate(auth: Command): void;
+export { DEFAULT_AUTH_WORKER_URL };
+export declare const _internal: {
+    printError: typeof printError;
+    printHeader: typeof printHeader;
+    printSuccess: typeof printSuccess;
+    pc: import("picocolors/types.js").Colors & {
+        createColors: (enabled?: boolean) => import("picocolors/types.js").Colors;
+    };
+};
+//# sourceMappingURL=auth-migrate.d.ts.map

package/dist/commands/auth-migrate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-migrate.d.ts","sourceRoot":"","sources":["../../src/commands/auth-migrate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4DG;AAOH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAMzC,OAAO,EAAoB,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AACjF,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAIrE;;;;GAIG;AACH,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACrC,kEAAkE;IAClE,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,0EAA0E;AAC1E,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,QAAQ,EAAE,SAAS,YAAY,EAAE,CAAC;CAC5C;AAED,iDAAiD;AACjD,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED,yDAAyD;AACzD,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;IACpB,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC;CAC9D;AAED,kDAAkD;AAClD,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,OAAO,EAAE,YAAY,CAAC;IAC/B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,SAAS,GAAG,kBAAkB,CAAC;IAChD,QAAQ,CAAC,cAAc,CAAC,EAAE,eAAe,CAAC;CAC3C;AAED,6DAA6D;AAC7D,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;IACzB,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;IACnC,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC;CACxB;AAED,2EAA2E;AAC3E,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,CAAC;IACzB,wEAAwE;IACxE,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,oDAAoD;IACpD,QAAQ,CAAC,uBAAuB,CAAC,EAAE,MAAM,CAAC;IAC1C,gEAAgE;IAChE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IACtC,8CAA8C;IAC9C,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAClC,wDAAwD;IACxD,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B,sDAAsD;IACtD,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;CACrC;AAID,MAAM,WAAW,eAAe;IAC9B,wDAAwD;IACxD,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,+DAA+D;IAC/D,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,uDAAuD;IACvD,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;IAC9C,wDAAwD;IACxD,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IAC3D,qDAAqD;IACrD,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,KAAK,IAAI,CAAC;IACzD,qDAAqD;IACrD,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC;IAC7C,gFAAgF;IAChF,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IAC5B,6DAA6D;IAC7D,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;IACvD,6DAA6D;IAC7D,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;IACrD,qEAAqE;IACrE,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,OAAO,CAAC;IAC/B;;;;OAIG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClE,qDAAqD;IACrD,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACnE,oEAAoE;IACpE,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,8DAA8D;IAC9D,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;CACzC;AAcD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,YAAY,GAAG,MAAM,CAOhE;AAED,iDAAiD;AACjD,wBAAgB,mBAAmB,IAAI,cAAc,CAEpD;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,IAAI,CAAC,eAAe,EAAE,YAAY,GAAG,cAAc,CAAC,GACzD,cAAc,CA6BhB;AAED;;;;;;;;GAQG;AACH,wBAAgB,yBAAyB,CACvC,SAAS,EAAE,MAAM,EACjB,KAAK,EAAE,cAAc,EACrB,IAAI,EAAE,IAAI,CAAC,eAAe,EAAE,eAAe,GAAG,YAAY,CAAC,GAC1D,IAAI,CAON;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,YAAY,EAAE,MAAM,EACpB,IAAI,EAAE,IAAI,CAAC,eAAe,EAAE,YAAY,GAAG,cAAc,CAAC,GACzD,iBAAiB,GAAG,IAAI,CAoC1B;AAID;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,SAAS,YAAY,EAAE,EACjC,KAAK,EAAE,cAAc,GACpB,cAAc,EAAE,CASlB;AAwDD;;;;GAIG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,kBAAkB,EACxB,IAAI,GAAE,eAAoB,GACzB,OAAO,CAAC,iBAAiB,CAAC,CAoO5B;AAID;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,CAoBvD;AAGD,OAAO,EAAE,uBAAuB,EAAE,CAAC;AAInC,eAAO,MAAM,SAAS;;;;;8BArpBR,CAAC;;CA0pBd,CAAC"}