@pleri/olam-cli 0.1.196 → 0.1.199

package/dist/commands/auth.js

@@ -39,7 +39,11 @@ import { readConfig } from '../lib/config.js';
 import { applyK8sAuthRefresh, resolveKubectlContext, } from '../lib/auth-refresh-kubernetes.js';
 import { remoteOAuthStart, remoteListServiceTokens, remoteListAccounts, remoteBindServiceToken, remoteDeleteServiceToken, remoteIssueAnthropicToken, remoteListAnthropicTokens, remoteRevokeAnthropicToken, runDoctorChecks, } from '../lib/auth-remote.js';
 import { resolveCfAccessServiceToken } from '../lib/cf-access-token.js';
-import { renderAuthListJson } from './auth-list-json.js';
+import { renderAuthListJson, renderRemoteAuthListJson } from './auth-list-json.js';
+import { runAuthLogin } from '../lib/auth-login.js';
+import { runAuthList, } from '../lib/auth-list.js';
+import { resolveMutatorBackend, } from '../lib/auth-mutator-backend.js';
+import { registerAuthMigrate } from './auth-migrate.js';
 /**
  * Best-effort browser opener. Uses the host's native "open URL" command:
  * `open` on macOS, `xdg-open` on Linux, `start` on Windows. Silently
@@ -57,6 +61,106 @@ function openBrowser(url) {
         // Ignore — caller already printed the URL.
     }
 }
+/**
+ * B4 (narrowed) — render an `olam auth list` result to stdout. Returns the
+ * desired exit code (0 = success; 1 = error). Pulled out of the action body
+ * so the orchestration in `runAuthList` is testable without driving the
+ * Commander.js scaffolding.
+ */
+function renderAuthList(result, opts) {
+    if (result.mode === 'error') {
+        if (opts.json) {
+            console.log(JSON.stringify({ error: result.message }));
+        }
+        else {
+            printError(result.message);
+        }
+        return result.exitCode;
+    }
+    if (result.mode === 'local') {
+        if (!result.reachable) {
+            if (opts.json) {
+                console.log(JSON.stringify({ error: 'auth-container-unreachable', reachable: false }));
+                return 1;
+            }
+            printError('Auth container is not reachable. Run `olam services up` first.');
+            return 1;
+        }
+        if (opts.json) {
+            console.log(renderAuthListJson(result.accounts));
+            return 0;
+        }
+        printHeader(`Credentials (${result.accounts.length})`);
+        if (result.accounts.length === 0) {
+            console.log(`  ${pc.dim('No credentials — run: olam auth login --label primary')}`);
+            return 0;
+        }
+        const stateColor = (s) => {
+            if (s === 'active')
+                return pc.green('active');
+            if (s === 'cooldown')
+                return pc.yellow('cooldown');
+            if (s === 'expired')
+                return pc.red('expired');
+            if (s === 'disabled')
+                return pc.dim('disabled');
+            return pc.dim(s ?? 'unknown');
+        };
+        for (const a of result.accounts) {
+            const label = a.accountLabel ?? a.id;
+            const reqs = a.usage?.requestCount5h ?? 0;
+            const last429 = a.usage?.last429At
+                ? `last429=${a.usage.last429At}`
+                : 'last429=never';
+            const reset = a.rateLimitResetsAt ? `resets=${a.rateLimitResetsAt}` : '';
+            console.log(`  ${pc.bold(label.padEnd(18))} ${stateColor(a.state).padEnd(18)} ` +
+                `${pc.dim(`req5h=${reqs}`)}  ${pc.dim(`exp=${a.expiresIn}`)} ${pc.dim(last429)} ${pc.yellow(reset)}`);
+        }
+        return 0;
+    }
+    // remote
+    if (opts.json) {
+        console.log(renderRemoteAuthListJson(result.accounts, result.stale, result.fetchedAt));
+        return 0;
+    }
+    const staleSuffix = result.stale ? pc.yellow(' (stale)') : '';
+    printHeader(`Remote accounts (${result.accounts.length})${staleSuffix}`);
+    if (result.accounts.length === 0) {
+        console.log(`  ${pc.dim('No accounts — run: olam auth login --remote ' + result.baseUrl)}`);
+    }
+    else {
+        for (const a of result.accounts) {
+            const label = a.label ?? a.id;
+            const state = a.state ?? 'unknown';
+            const exp = a.expiresIn ?? '';
+            console.log(`  ${pc.bold(label.padEnd(20))} ${pc.green(state).padEnd(16)} ${pc.dim(exp)}`);
+        }
+    }
+    if (result.stale) {
+        const fetchedAtIso = new Date(result.fetchedAt).toISOString();
+        console.log(`\n  ${pc.yellow('warning:')} showing cached results from ${fetchedAtIso}; ` +
+            `fresh fetch failed (${result.fetchError ?? 'unknown error'}).`);
+        console.log(`  ${pc.dim('Retry with --no-cache once connectivity is restored.')}`);
+    }
+    return 0;
+}
+/**
+ * B4 (narrowed) — adapter around `resolveMutatorBackend` for the three
+ * local-only mutator subcommands. Prints the message body to stderr and
+ * returns the desired exit code (0 = proceed locally; non-zero = stop).
+ */
+function handleMutatorBackend(subcommand, opts) {
+    const outcome = resolveMutatorBackend(subcommand, opts);
+    if (outcome.outcome === 'proceed-local')
+        return 0;
+    if (outcome.outcome === 'conflict') {
+        process.stderr.write(`Error: ${outcome.message}\n`);
+        return 1;
+    }
+    // remote-unsupported
+    process.stderr.write(`Error: ${outcome.message}\n`);
+    return outcome.exitCode;
+}
 async function promptLine(question) {
     const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
     try {
@@ -98,9 +202,16 @@ export function registerAuth(program) {
     });
     auth
         .command('disable')
-        .description('Take a credential out of rotation (manual cooldown)')
+        .description('Take a credential out of rotation (manual cooldown). LOCAL ONLY — no cloud equivalent yet (see OQ7 in docs/plans/cloud-only-vault/README.md).')
         .argument('<label>', 'Credential label or id')
-        .action(async (label) => {
+        .option('--local', 'Explicit local backend (default — only backend supported today).')
+        .option('--remote [url]', 'Reserved — exits 2 with structured message pointing to OQ7.')
+        .action(async (label, opts) => {
+        const code = handleMutatorBackend('disable', opts);
+        if (code !== 0) {
+            process.exitCode = code;
+            return;
+        }
         const client = new AuthClient();
         try {
             await client.disableAccount(label);
@@ -113,9 +224,16 @@ export function registerAuth(program) {
     });
     auth
         .command('enable')
-        .description('Re-enable a disabled credential')
+        .description('Re-enable a disabled credential. LOCAL ONLY — no cloud equivalent yet (see OQ7 in docs/plans/cloud-only-vault/README.md).')
         .argument('<label>', 'Credential label or id')
-        .action(async (label) => {
+        .option('--local', 'Explicit local backend (default — only backend supported today).')
+        .option('--remote [url]', 'Reserved — exits 2 with structured message pointing to OQ7.')
+        .action(async (label, opts) => {
+        const code = handleMutatorBackend('enable', opts);
+        if (code !== 0) {
+            process.exitCode = code;
+            return;
+        }
         const client = new AuthClient();
         try {
             await client.enableAccount(label);
@@ -143,73 +261,85 @@ export function registerAuth(program) {
     });
     auth
         .command('login')
-        .description('Run the OAuth PKCE flow to store a Claude account in the auth container, or print a remote OAuth URL (--remote)')
+        .description('Log into the cloud auth-worker by default (Phase B); use --local to opt into the legacy local auth-service container PKCE flow.')
         .option('--label <label>', 'Account label (e.g. primary, burner-1). Defaults to "primary" for the first account, "burner-N" thereafter.')
-        .option('--remote <url>', 'Auth-worker base URL. Prints the OAuth start URL for browser completion (v1 dogfood).')
+        .option('--local', 'Opt into the deprecated local auth-service container PKCE flow. Emits a deprecation warning.')
+        .option('--remote [url]', 'Force remote login. Optionally accepts an explicit auth-worker URL (back-compat); without a URL falls through to env/file/default discovery.')
+        .option('--yes, -y', 'Skip the first-time interactive confirm prompt before flipping to remote.')
         .option('--print-url', 'Print the OAuth URL without attempting to open a browser (implied by --remote).')
         .option('--service-token <client_id:secret>', 'Delegate to bind-service-token flow instead (use with --remote).')
         .action(async (opts) => {
-        // ── Remote path (e4) ──────────────────────────────────────────────────
-        if (opts.remote) {
-            const baseUrl = opts.remote;
-            if (opts.serviceToken) {
-                // Delegate to bind-service-token flow
-                const parts = opts.serviceToken.split(':');
-                if (parts.length < 2) {
-                    printError('--service-token must be in format <client_id>:<secret>');
-                    process.exitCode = 1;
-                    return;
-                }
-                const [clientId] = parts;
-                const label = opts.label ?? clientId ?? 'service-token';
-                printHeader('Auth worker — bind service token');
-                console.log(`\n  ${pc.bold('Step 1:')} Open ${pc.cyan(baseUrl + '/v1/oauth/start')} in a browser.`);
-                console.log(`          Complete CF Access SSO. You may see a JSON response or "no credentials" — that is normal.`);
-                const rawCookie = await promptLine(`\n  ${pc.dim('Paste CF_Authorization cookie value (from DevTools > Application > Cookies):')} `);
-                if (!rawCookie) {
-                    printError('No cookie provided. Aborting.');
-                    process.exitCode = 1;
-                    return;
-                }
-                const clientIdStr = clientId ?? '';
-                try {
-                    await remoteBindServiceToken({ baseUrl, cfAuthCookie: rawCookie }, { client_id: clientIdStr, label });
-                    printSuccess(`Service token bound: ${clientIdStr} (label=${label})`);
-                    console.log(`\n${pc.dim('Set ANTHROPIC_BASE' + '_URL=' + baseUrl + '/v1/proxy in your shell to route Claude API calls through this worker.')}`);
-                }
-                catch (err) {
-                    printError(err instanceof Error ? err.message : 'bind failed');
-                    process.exitCode = 1;
-                }
+        const result = await runAuthLogin(opts, {
+            promptConfirm: (question) => promptLine(question),
+            executeRemoteLogin: (baseUrl, o) => executeRemoteLogin(baseUrl, o),
+            executeLocalLogin: (o) => executeLocalLogin(o),
+        });
+        if (result.exitCode !== 0) {
+            process.exitCode = result.exitCode;
+        }
+    });
+    // ── Legacy login executors (extracted from the action body so runAuthLogin
+    // can drive them; behaviour preserved verbatim other than the --remote
+    // <url> form now arrives via the resolution-helper rather than opts.remote
+    // directly). ───────────────────────────────────────────────────────────────
+    async function executeRemoteLogin(baseUrl, opts) {
+        if (opts.serviceToken) {
+            // Delegate to bind-service-token flow
+            const parts = opts.serviceToken.split(':');
+            if (parts.length < 2) {
+                printError('--service-token must be in format <client_id>:<secret>');
+                process.exitCode = 1;
                 return;
             }
-            // Default: print (and optionally open) the OAuth start URL.
-            // V1 dogfood: browser completes the full flow (CF Access SSO → Anthropic
-            // OAuth → worker callback → token stored). CLI re-checks via `list --remote`.
-            // Full CLI-orchestrated cookie-bridging is deferred to v2.
-            let startUrl;
-            try {
-                const r = await remoteOAuthStart({ baseUrl });
-                startUrl = r.authorize_url;
+            const [clientId] = parts;
+            const label = opts.label ?? clientId ?? 'service-token';
+            printHeader('Auth worker — bind service token');
+            console.log(`\n  ${pc.bold('Step 1:')} Open ${pc.cyan(baseUrl + '/v1/oauth/start')} in a browser.`);
+            console.log(`          Complete CF Access SSO. You may see a JSON response or "no credentials" — that is normal.`);
+            const rawCookie = await promptLine(`\n  ${pc.dim('Paste CF_Authorization cookie value (from DevTools > Application > Cookies):')} `);
+            if (!rawCookie) {
+                printError('No cookie provided. Aborting.');
+                process.exitCode = 1;
+                return;
             }
-            catch {
-                // Fallback if /v1/oauth/start isn't reachable (CF Access gate, etc.)
-                startUrl = `${baseUrl.replace(/\/+$/, '')}/v1/oauth/start`;
+            const clientIdStr = clientId ?? '';
+            try {
+                await remoteBindServiceToken({ baseUrl, cfAuthCookie: rawCookie }, { client_id: clientIdStr, label });
+                printSuccess(`Service token bound: ${clientIdStr} (label=${label})`);
+                console.log(`\n${pc.dim('Set ANTHROPIC_BASE' + '_URL=' + baseUrl + '/v1/proxy in your shell to route Claude API calls through this worker.')}`);
             }
-            printHeader('Auth worker — OAuth login (v1 dogfood)');
-            console.log(`\n  ${pc.bold('1.')} Open this URL in your browser to authenticate via CF Access + Anthropic OAuth:`);
-            console.log(`\n     ${pc.cyan(startUrl)}\n`);
-            console.log(`  ${pc.bold('2.')} Complete the CF Access SSO and Anthropic OAuth consent.`);
-            console.log(`         The worker stores your tokens on callback — the browser lands on a success page.`);
-            console.log(`\n  ${pc.bold('3.')} Confirm your credentials are stored:\n`);
-            console.log(`         ${pc.dim('olam auth list --remote ' + baseUrl)}\n`);
-            console.log(`  ${pc.dim('Note: full CLI-orchestrated browser SSO flow is deferred to v2 (cookie-bridging complexity).')}\n`);
-            if (!opts.printUrl) {
-                openBrowser(startUrl);
+            catch (err) {
+                printError(err instanceof Error ? err.message : 'bind failed');
+                process.exitCode = 1;
             }
             return;
         }
-        // ── Local path (existing behaviour) ──────────────────────────────────
+        // Default: print (and optionally open) the OAuth start URL.
+        // V1 dogfood: browser completes the full flow (CF Access SSO → Anthropic
+        // OAuth → worker callback → token stored). CLI re-checks via `list --remote`.
+        // Full CLI-orchestrated cookie-bridging is deferred to v2.
+        let startUrl;
+        try {
+            const r = await remoteOAuthStart({ baseUrl });
+            startUrl = r.authorize_url;
+        }
+        catch {
+            // Fallback if /v1/oauth/start isn't reachable (CF Access gate, etc.)
+            startUrl = `${baseUrl.replace(/\/+$/, '')}/v1/oauth/start`;
+        }
+        printHeader('Auth worker — OAuth login (v1 dogfood)');
+        console.log(`\n  ${pc.bold('1.')} Open this URL in your browser to authenticate via CF Access + Anthropic OAuth:`);
+        console.log(`\n     ${pc.cyan(startUrl)}\n`);
+        console.log(`  ${pc.bold('2.')} Complete the CF Access SSO and Anthropic OAuth consent.`);
+        console.log(`         The worker stores your tokens on callback — the browser lands on a success page.`);
+        console.log(`\n  ${pc.bold('3.')} Confirm your credentials are stored:\n`);
+        console.log(`         ${pc.dim('olam auth list --remote ' + baseUrl)}\n`);
+        console.log(`  ${pc.dim('Tokens written to cloud auth-worker. Full CLI-orchestrated browser SSO flow is deferred to v2.')}\n`);
+        if (!opts.printUrl) {
+            openBrowser(startUrl);
+        }
+    }
+    async function executeLocalLogin(opts) {
         const preflight = await runAuthPreflight({ autoStart: true });
         if (preflight.verdict !== 'ok' && preflight.verdict !== 'no-accounts') {
             printError(preflight.message);
@@ -249,7 +379,7 @@ export function registerAuth(program) {
             process.exitCode = 1;
             return;
         }
-        printHeader('Claude OAuth — PKCE flow');
+        printHeader('Claude OAuth — PKCE flow (legacy local container)');
         console.log(`\n  ${pc.bold('1.')} Opening Claude in your default browser…`);
         console.log(`     ${pc.dim(pending.loginUrl)}`);
         openBrowser(pending.loginUrl);
@@ -265,13 +395,14 @@ export function registerAuth(program) {
         try {
             const result = await client.completeLogin(statePart, codePart);
             printSuccess(`Account stored: ${result.account} (${result.expiresIn})`);
+            console.log(`${pc.dim('Tokens written to ~/.olam/auth-data/accounts.json (deprecated; cloud is the new default).')}`);
             console.log(`\n${pc.dim('Next: olam create --name my-world')}`);
         }
         catch (err) {
             printError(err instanceof Error ? err.message : 'token exchange failed');
             process.exitCode = 1;
         }
-    });
+    }
     auth
         .command('logout')
         .description('Remove an account from the auth container')
@@ -289,9 +420,16 @@ export function registerAuth(program) {
     });
     auth
         .command('refresh')
-        .description('Force-refresh an account token (substrate-aware: updates kubernetes Secret on k8s substrate)')
+        .description('Force-refresh an account token (substrate-aware: updates kubernetes Secret on k8s substrate). LOCAL ONLY — no cloud equivalent yet (see OQ7 in docs/plans/cloud-only-vault/README.md).')
         .argument('<account>', 'Account id')
-        .action(async (accountId) => {
+        .option('--local', 'Explicit local backend (default — only backend supported today).')
+        .option('--remote [url]', 'Reserved — exits 2 with structured message pointing to OQ7.')
+        .action(async (accountId, opts) => {
+        const code = handleMutatorBackend('refresh', opts);
+        if (code !== 0) {
+            process.exitCode = code;
+            return;
+        }
         const cfg = readConfig();
         const isK8s = cfg.host.substrate === 'kubernetes';
         // Kubernetes substrate: validate context before touching auth-service (SEC-NEW-003).
@@ -366,132 +504,49 @@ export function registerAuth(program) {
             process.exitCode = 1;
         }
     });
-    // ── e6: list (local + --remote) ─────────────────────────────────────────
+    // ── B4 (narrowed): list defaults to cloud auth-worker ────────────────────
     auth
         .command('list')
-        .description('List credentials (local by default; --remote to query a remote auth-worker)')
-        .option('--remote <url>', 'Auth-worker base URL')
-        .option('--cookie <value>', 'CF_Authorization cookie for authenticated requests')
-        .option('--json', 'Emit machine-readable JSON instead of the text table (local vault only)', false)
+        .description('List credentials. Defaults to the cloud auth-worker (Phase B). Pass --local to read the legacy ~/.olam/auth-data/accounts.json (emits deprecation warning).')
+        .option('--local', 'Read the legacy local auth-service vault. Emits a deprecation warning.')
+        .option('--remote [url]', 'Force remote. Optionally accepts an explicit auth-worker URL; without one falls through to env/file/default discovery.')
+        .option('--cookie <value>', 'CF_Authorization cookie for authenticated requests (remote path)')
+        .option('--no-cache', 'Bypass the 30 s TTL cache and force a fresh fetch (remote path)')
+        .option('--json', 'Emit machine-readable JSON instead of the text table', false)
         .action(async (opts) => {
-        if (opts.remote) {
-            const baseUrl = opts.remote;
-            const clientOpts = { baseUrl, cfAuthCookie: opts.cookie };
-            let accounts = [];
-            let tokens = [];
-            try {
-                accounts = await remoteListAccounts(clientOpts);
-            }
-            catch (err) {
-                printWarning(`Could not fetch accounts: ${err instanceof Error ? err.message : String(err)}`);
-            }
-            try {
-                tokens = await remoteListServiceTokens(clientOpts);
-            }
-            catch (err) {
-                printWarning(`Could not fetch service tokens: ${err instanceof Error ? err.message : String(err)}`);
-            }
-            printHeader(`Remote accounts (${accounts.length})`);
-            if (accounts.length === 0) {
-                console.log(`  ${pc.dim('No accounts — run: olam auth login --remote ' + baseUrl)}`);
-            }
-            else {
-                for (const a of accounts) {
-                    const label = a.label ?? a.id;
-                    const state = a.state ?? 'unknown';
-                    const exp = a.expiresIn ?? '';
-                    console.log(`  ${pc.bold(label.padEnd(20))} ${pc.green(state).padEnd(16)} ${pc.dim(exp)}`);
-                }
-            }
-            printHeader(`Remote service tokens (${tokens.length})`);
-            if (tokens.length === 0) {
-                console.log(`  ${pc.dim('No service tokens — run: olam auth bind-service-token --remote ' + baseUrl)}`);
-            }
-            else {
-                for (const t of tokens) {
-                    const label = t.label ?? t.client_id;
-                    const created = t.created_at ?? '';
-                    console.log(`  ${pc.bold(label.padEnd(20))} ${pc.dim(t.client_id)}  ${pc.dim(created)}`);
-                }
-            }
-            return;
-        }
-        // Local list (original behaviour)
-        const client = new AuthClient();
-        const status = await client.status();
-        if (!status.reachable) {
-            if (opts.json) {
-                // Machine-readable error so drivers never screen-scrape the
-                // human "not reachable" line. Exit code unchanged (1).
-                console.log(JSON.stringify({ error: 'auth-container-unreachable', reachable: false }));
-                process.exitCode = 1;
-                return;
-            }
-            printError('Auth container is not reachable. Run `olam services up` first.');
-            process.exitCode = 1;
-            return;
-        }
-        if (opts.json) {
-            console.log(renderAuthListJson(status.accounts));
-            return;
-        }
-        printHeader(`Credentials (${status.accounts.length})`);
-        if (status.accounts.length === 0) {
-            console.log(`  ${pc.dim('No credentials — run: olam auth login --label primary')}`);
-            return;
-        }
-        const stateColor = (s) => {
-            if (s === 'active')
-                return pc.green('active');
-            if (s === 'cooldown')
-                return pc.yellow('cooldown');
-            if (s === 'expired')
-                return pc.red('expired');
-            if (s === 'disabled')
-                return pc.dim('disabled');
-            return pc.dim(s ?? 'unknown');
+        const listOpts = {
+            local: opts.local,
+            remote: opts.remote,
+            cookie: opts.cookie,
+            // commander.js maps `--no-cache` to `cache: false`. Translate.
+            noCache: opts.cache === false,
+            json: opts.json,
         };
-        for (const a of status.accounts) {
-            const label = a.accountLabel ?? a.id;
-            const reqs = a.usage?.requestCount5h ?? 0;
-            const last429 = a.usage?.last429At
-                ? `last429=${a.usage.last429At}`
-                : 'last429=never';
-            const reset = a.rateLimitResetsAt ? `resets=${a.rateLimitResetsAt}` : '';
-            console.log(`  ${pc.bold(label.padEnd(18))} ${stateColor(a.state).padEnd(18)} ` +
-                `${pc.dim(`req5h=${reqs}`)}  ${pc.dim(`exp=${a.expiresIn}`)} ${pc.dim(last429)} ${pc.yellow(reset)}`);
-        }
+        const result = await runAuthList(listOpts, {
+            fetchRemoteAccounts: async (baseUrl, cookie) => {
+                return remoteListAccounts({ baseUrl, cfAuthCookie: cookie });
+            },
+            fetchLocalStatus: () => new AuthClient().status(),
+        });
+        const exitCode = renderAuthList(result, listOpts);
+        if (exitCode !== 0)
+            process.exitCode = exitCode;
     });
-    // ── e6: migrate-to-remote ──────────────────────────────────────────────
+    // ── B3: `olam auth migrate` (one-shot migration tool) ──────────────────
+    registerAuthMigrate(auth);
+    // ── Deprecation pointer: old `migrate-to-remote` → `migrate` ────────────
+    // Phase B3 replaces the e6 placeholder. Operators with scripted invocations
+    // of the old name see a one-line pointer + exit 0 (no script breakage); the
+    // real auto-migration lives at `olam auth migrate` now.
     auth
         .command('migrate-to-remote')
-        .description('Print guidance for re-authenticating local credentials against the remote auth-worker (v1: no auto-migration of secrets)')
-        .requiredOption('--url <url>', 'Auth-worker base URL')
-        .action(async (opts) => {
-        const baseUrl = opts.url;
-        let accountLabels = [];
-        try {
-            const client = new AuthClient();
-            const status = await client.status();
-            accountLabels = status.accounts.map((a) => a.accountLabel ?? a.id);
-        }
-        catch {
-            // Auth container may not be running — proceed with generic guidance.
-        }
-        printHeader('Migrate local credentials to remote auth-worker');
-        console.log(`\n  Remote URL: ${pc.cyan(baseUrl)}\n`);
-        console.log(`  ${pc.dim('V1 note: secrets cannot be migrated automatically. Each account must re-authenticate via OAuth.')}\n`);
-        if (accountLabels.length === 0) {
-            console.log(`  No local accounts found. Run:`);
-            console.log(`\n    ${pc.cyan('olam auth login --remote ' + baseUrl)}\n`);
-        }
-        else {
-            console.log(`  Found ${accountLabels.length} local account(s). For each, run:\n`);
-            for (const label of accountLabels) {
-                console.log(`    ${pc.cyan('olam auth login --remote ' + baseUrl + ' --label ' + label)}`);
-            }
-            console.log();
-        }
+        .description('(deprecated) renamed to `olam auth migrate`. Prints pointer + exits 0.')
+        .option('--url <url>', 'Auth-worker base URL (ignored; pass --remote to `migrate` instead)')
+        .action(() => {
+        printHeader('migrate-to-remote has been renamed');
+        console.log(`\n  Run ${pc.cyan('olam auth migrate --help')} for the new auto-migration flow.\n` +
+            `  (B3 of cloud-only-vault: per-account re-OAuth against the cloud auth-worker,\n` +
+            `   content-hash idempotent, atomic state writes, --dry-run preview.)\n`);
     });
     // ── e6: rotate-service-token ───────────────────────────────────────────
     auth