@postplus/cli 0.1.19 → 0.1.21

package/build/auth-lifecycle.js

@@ -1,7 +1,8 @@
 import { refreshRemoteAuthSession } from './auth-session.js';
 import { clearAuthState, generateAuthStatusReport } from './auth.js';
+import { buildPostPlusClientCompatibilityHeaders, formatPostPlusClientUpgradeError, } from './client-compatibility.js';
 import { requireHostedBaseUrl } from './hosted-release.js';
-import { resolveAccessTokenState, resolveRefreshTokenState, } from './local-state.js';
+import { resolveCliSessionTokenState } from './local-state.js';
 export async function refreshRemoteAuth() {
     const refreshed = await refreshRemoteAuthSession();
     return {
@@ -25,31 +26,31 @@ export function formatAuthRefreshReport(report) {
     ].join('\n');
 }
 export async function revokeRemoteAuth() {
-    const [apiBaseUrl, accessTokenState, refreshTokenState] = await Promise.all([
+    const [apiBaseUrl, cliSessionTokenState] = await Promise.all([
         requireHostedBaseUrl(),
-        resolveAccessTokenState(),
-        resolveRefreshTokenState(),
+        resolveCliSessionTokenState(),
     ]);
-    if (!accessTokenState.present || !accessTokenState.value) {
-        throw new Error('Run `postplus auth login` before revoking PostPlus auth.');
-    }
-    if (!refreshTokenState.present || !refreshTokenState.value) {
+    if (!cliSessionTokenState.present || !cliSessionTokenState.value) {
         throw new Error('Run `postplus auth login` before revoking PostPlus auth.');
     }
+    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
     const response = await fetch(`${apiBaseUrl}/api/postplus-cli/auth/revoke`, {
         method: 'POST',
         headers: {
             accept: 'application/json',
-            authorization: `Bearer ${accessTokenState.value}`,
+            ...compatibilityHeaders,
+            authorization: `Bearer ${cliSessionTokenState.value}`,
             'content-type': 'application/json',
         },
-        body: JSON.stringify({
-            refreshToken: refreshTokenState.value,
-        }),
+        body: JSON.stringify({}),
         signal: AbortSignal.timeout(15000),
     });
     const payload = (await response.json());
     if (!response.ok) {
+        if ('code' in payload &&
+            payload.code === 'postplus_client_upgrade_required') {
+            throw new Error(formatPostPlusClientUpgradeError(payload));
+        }
         throw new Error('error' in payload && typeof payload.error === 'string'
             ? payload.error
             : 'Failed to revoke remote PostPlus auth.');

package/build/auth-login.js

@@ -1,3 +1,4 @@
+import { buildPostPlusClientCompatibilityHeaders, formatPostPlusClientUpgradeError, writeCurrentCliVersionToLocalConfig, } from './client-compatibility.js';
 import { requireHostedBaseUrl } from './hosted-release.js';
 import { setLocalSession } from './local-state.js';
 export const CLI_AUTH_LOGIN_TIMEOUT_MS = 30 * 60 * 1000;
@@ -23,18 +24,18 @@ export async function loginWithCloudHandoff() {
         requestId: started.requestId,
     });
     const validated = await validateCliSession({
-        accessToken: handoffPayload.accessToken,
         apiBaseUrl: baseUrl,
+        cliSessionToken: handoffPayload.cliSessionToken,
     });
     await setLocalSession({
-        accessToken: handoffPayload.accessToken,
         accountId: validated.accountId,
         apiBaseUrl: baseUrl,
-        refreshToken: handoffPayload.refreshToken,
+        cliSessionToken: handoffPayload.cliSessionToken,
         sessionExpiresAt: validated.sessionExpiresAt ?? handoffPayload.sessionExpiresAt ?? null,
         userEmail: validated.userEmail,
         userId: validated.userId,
     });
+    await writeCurrentCliVersionToLocalConfig();
     return {
         accountId: validated.accountId,
         apiBaseUrl: baseUrl,
@@ -44,10 +45,12 @@ export async function loginWithCloudHandoff() {
     };
 }
 export async function startCloudAuthLogin(apiBaseUrl) {
+    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
     const response = await fetch(`${apiBaseUrl}/api/postplus-cli/auth/login/start`, {
         method: 'POST',
         headers: {
             accept: 'application/json',
+            ...compatibilityHeaders,
         },
         signal: AbortSignal.timeout(15000),
     });
@@ -76,10 +79,12 @@ async function waitForCloudAuthLogin(input) {
     throw new Error('Timed out waiting for the cloud sign-in handoff.');
 }
 export async function pollCloudAuthLogin(input) {
+    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
     const response = await fetch(`${input.apiBaseUrl}/api/postplus-cli/auth/login/poll`, {
         method: 'POST',
         headers: {
             accept: 'application/json',
+            ...compatibilityHeaders,
             'content-type': 'application/json',
         },
         body: JSON.stringify({
@@ -101,11 +106,13 @@ export async function pollCloudAuthLogin(input) {
     throw new Error('PostPlus CLI sign-in poll returned incomplete data.');
 }
 export async function validateCliSession(input) {
+    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
     const response = await fetch(`${input.apiBaseUrl}/api/postplus-cli/auth/whoami`, {
         method: 'GET',
         headers: {
             accept: 'application/json',
-            authorization: `Bearer ${input.accessToken}`,
+            ...compatibilityHeaders,
+            authorization: `Bearer ${input.cliSessionToken}`,
         },
         signal: AbortSignal.timeout(15000),
     });
@@ -123,6 +130,9 @@ export function formatCliSessionAuthError(payload) {
             'Once the environment is ready, the CLI will automatically obtain and store its session.',
         ].join(' ');
     }
+    if (payload.code === 'postplus_client_upgrade_required') {
+        return formatPostPlusClientUpgradeError(payload);
+    }
     if (typeof payload.error === 'string' && payload.error.trim().length > 0) {
         return payload.error;
     }
@@ -140,8 +150,7 @@ function isCliAuthLoginStartSuccessPayload(payload) {
 function isCliAuthLoginCompletedPayload(payload) {
     return ('status' in payload &&
         payload.status === 'completed' &&
-        typeof payload.accessToken === 'string' &&
-        typeof payload.refreshToken === 'string' &&
+        typeof payload.cliSessionToken === 'string' &&
         typeof payload.accountId === 'string' &&
         typeof payload.userId === 'string');
 }
@@ -149,6 +158,9 @@ function isCliAuthLoginPendingPayload(payload) {
     return 'status' in payload && payload.status === 'pending';
 }
 function formatRemoteAuthLoginError(payload) {
+    if ('code' in payload && payload.code === 'postplus_client_upgrade_required') {
+        return formatPostPlusClientUpgradeError(payload);
+    }
     return 'error' in payload &&
         typeof payload.error === 'string' &&
         payload.error.trim().length > 0

package/build/auth-session.js

@@ -1,137 +1,89 @@
+import { buildPostPlusClientCompatibilityHeaders, formatPostPlusClientUpgradeError, writeCurrentCliVersionToLocalConfig, } from './client-compatibility.js';
 import { requireHostedBaseUrl } from './hosted-release.js';
-import { readLocalConfig, resolveAccessTokenState, resolveRefreshTokenState, setLocalSession, } from './local-state.js';
-export const AUTH_SESSION_REFRESH_LEEWAY_SECONDS = 60;
+import { resolveCliSessionTokenState, setLocalSession, } from './local-state.js';
 export async function resolveFreshRemoteAuth(options = {}) {
-    const [apiBaseUrl, accessTokenState, refreshTokenState, config] = await Promise.all([
+    const [apiBaseUrl, cliSessionTokenState] = await Promise.all([
         requireHostedBaseUrl(),
-        resolveAccessTokenState(),
-        resolveRefreshTokenState(),
-        readLocalConfig(),
+        resolveCliSessionTokenState(),
     ]);
-    if (!refreshTokenState.present || !refreshTokenState.value) {
-        if (!accessTokenState.present || !accessTokenState.value) {
-            throw new Error('Run `postplus auth login` before validating PostPlus auth.');
-        }
-        return {
-            accessToken: accessTokenState.value,
-            apiBaseUrl,
-            refreshed: false,
-            source: 'config',
-        };
+    if (!cliSessionTokenState.present || !cliSessionTokenState.value) {
+        throw new Error('Run `postplus auth login` before using PostPlus auth.');
     }
-    const existingAccessToken = accessTokenState.value;
-    const decodedTokenExpiresAt = existingAccessToken
-        ? decodeAccessTokenExpiration(existingAccessToken)
-        : null;
-    const tokenExpiresAt = typeof decodedTokenExpiresAt === 'number'
-        ? decodedTokenExpiresAt
-        : typeof config?.sessionExpiresAt === 'number'
-            ? config.sessionExpiresAt
-            : null;
-    const shouldRefresh = options.forceRefresh === true ||
-        !accessTokenState.present ||
-        !accessTokenState.value ||
-        isExpiringSoon(tokenExpiresAt);
-    if (!shouldRefresh) {
-        if (!existingAccessToken) {
-            throw new Error('Run `postplus auth login` before validating PostPlus auth.');
-        }
+    if (options.forceRefresh === true) {
+        const refreshed = await refreshRemoteAuthSession({
+            apiBaseUrl,
+            cliSessionToken: cliSessionTokenState.value,
+        });
         return {
-            accessToken: existingAccessToken,
             apiBaseUrl,
-            refreshed: false,
+            cliSessionToken: refreshed.cliSessionToken,
+            refreshed: true,
             source: 'config',
         };
     }
-    const refreshed = await refreshRemoteAuthSession({
-        accessToken: accessTokenState.value,
-        apiBaseUrl,
-        refreshToken: refreshTokenState.value,
-    });
     return {
-        accessToken: refreshed.accessToken,
         apiBaseUrl,
-        refreshed: true,
+        cliSessionToken: cliSessionTokenState.value,
+        refreshed: false,
         source: 'config',
     };
 }
 export async function refreshRemoteAuthSession(input) {
-    const [apiBaseUrl, accessTokenState, refreshTokenState] = await Promise.all([
+    const [apiBaseUrl, cliSessionTokenState] = await Promise.all([
         input?.apiBaseUrl ?? requireHostedBaseUrl(),
-        input?.accessToken === undefined ? resolveAccessTokenState() : null,
-        input?.refreshToken === undefined ? resolveRefreshTokenState() : null,
+        input?.cliSessionToken === undefined ? resolveCliSessionTokenState() : null,
     ]);
-    const accessToken = input?.accessToken === undefined
-        ? accessTokenState?.value
-        : input.accessToken;
-    const refreshToken = input?.refreshToken === undefined
-        ? refreshTokenState?.value
-        : input.refreshToken;
-    if (!refreshToken) {
+    const cliSessionToken = input?.cliSessionToken === undefined
+        ? cliSessionTokenState?.value
+        : input.cliSessionToken;
+    if (!cliSessionToken) {
         throw new Error('Run `postplus auth login` before refreshing PostPlus auth.');
     }
+    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
     const response = await fetch(`${apiBaseUrl}/api/postplus-cli/auth/refresh`, {
         method: 'POST',
         headers: {
             accept: 'application/json',
-            ...(accessToken ? { authorization: `Bearer ${accessToken}` } : {}),
+            ...compatibilityHeaders,
+            authorization: `Bearer ${cliSessionToken}`,
             'content-type': 'application/json',
         },
-        body: JSON.stringify({
-            refreshToken,
-        }),
+        body: JSON.stringify({}),
         signal: AbortSignal.timeout(15000),
     });
     const payload = (await response.json());
     if (!response.ok) {
+        if ('code' in payload &&
+            payload.code === 'postplus_client_upgrade_required') {
+            throw new Error(formatPostPlusClientUpgradeError(payload));
+        }
         throw new Error('error' in payload && typeof payload.error === 'string'
             ? payload.error
             : 'Failed to refresh remote PostPlus auth.');
     }
     if (!isRemoteAuthRefreshSuccessPayload(payload)) {
-        throw new Error('PostPlus auth refresh returned incomplete session tokens.');
+        throw new Error('PostPlus auth refresh returned incomplete session data.');
     }
     await setLocalSession({
-        accessToken: payload.accessToken,
         accountId: payload.accountId,
         apiBaseUrl,
-        refreshToken: payload.refreshToken,
+        cliSessionToken: payload.cliSessionToken,
         sessionExpiresAt: payload.sessionExpiresAt,
         userEmail: payload.userEmail,
         userId: payload.userId,
     });
+    await writeCurrentCliVersionToLocalConfig();
     return {
         ...payload,
         apiBaseUrl,
     };
 }
-export function decodeAccessTokenExpiration(accessToken) {
-    try {
-        const [, payload] = accessToken.split('.');
-        if (!payload) {
-            return null;
-        }
-        const decoded = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
-        return typeof decoded.exp === 'number' ? decoded.exp : null;
-    }
-    catch {
-        return null;
-    }
-}
-function isExpiringSoon(expiresAt) {
-    if (typeof expiresAt !== 'number' || !Number.isFinite(expiresAt)) {
-        return false;
-    }
-    const nowSeconds = Math.floor(Date.now() / 1_000);
-    return expiresAt - nowSeconds <= AUTH_SESSION_REFRESH_LEEWAY_SECONDS;
-}
 function isRemoteAuthRefreshSuccessPayload(payload) {
     return (typeof payload === 'object' &&
         payload !== null &&
-        typeof payload.accessToken === 'string' &&
-        payload.accessToken.trim().length > 0 &&
-        typeof payload.refreshToken === 'string' &&
-        payload.refreshToken.trim().length > 0 &&
+        typeof payload.cliSessionToken ===
+            'string' &&
+        payload.cliSessionToken.trim().length > 0 &&
         typeof payload.accountId === 'string' &&
         typeof payload.userId === 'string');
 }

package/build/auth-validate.js

@@ -1,4 +1,5 @@
 import { resolveFreshRemoteAuth } from './auth-session.js';
+import { buildPostPlusClientCompatibilityHeaders, formatPostPlusClientUpgradeError, } from './client-compatibility.js';
 export async function validateRemoteAuth() {
     let auth = await resolveFreshRemoteAuth();
     let response = await fetchWhoami(auth);
@@ -10,6 +11,10 @@ export async function validateRemoteAuth() {
     }
     const payload = (await response.json());
     if (!response.ok) {
+        if ('code' in payload &&
+            payload.code === 'postplus_client_upgrade_required') {
+            throw new Error(formatPostPlusClientUpgradeError(payload));
+        }
         throw new Error('error' in payload && typeof payload.error === 'string'
             ? payload.error
             : 'Failed to validate remote PostPlus auth.');
@@ -36,12 +41,14 @@ export function formatAuthValidateReport(report) {
         `Subscription: ${report.subscriptionStatus ?? 'unknown'}`,
     ].join('\n');
 }
-function fetchWhoami(input) {
+async function fetchWhoami(input) {
+    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
     return fetch(`${input.apiBaseUrl}/api/postplus-cli/auth/whoami`, {
         method: 'GET',
         headers: {
             accept: 'application/json',
-            authorization: `Bearer ${input.accessToken}`,
+            ...compatibilityHeaders,
+            authorization: `Bearer ${input.cliSessionToken}`,
         },
         signal: AbortSignal.timeout(15000),
     });

package/build/auth.js

@@ -7,13 +7,11 @@ export async function generateAuthStatusReport() {
         readLocalConfig(),
     ]);
     return {
-        ok: sessionState.accessToken.present &&
-            sessionState.refreshToken.present &&
-            apiBaseUrlState.present,
-        accessToken: {
-            source: sessionState.accessToken.source,
-            present: sessionState.accessToken.present,
-            maskedValue: maskSecret(sessionState.accessToken.value),
+        ok: sessionState.cliSessionToken.present && apiBaseUrlState.present,
+        cliSessionToken: {
+            source: sessionState.cliSessionToken.source,
+            present: sessionState.cliSessionToken.present,
+            maskedValue: maskSecret(sessionState.cliSessionToken.value),
         },
         apiBaseUrl: {
             source: apiBaseUrlState.source,
@@ -24,29 +22,21 @@ export async function generateAuthStatusReport() {
             path: getPostPlusConfigPath(),
             exists: configExists,
             accountId: config?.accountId?.trim() || null,
+            sessionExpiresAt: typeof config?.sessionExpiresAt === 'number'
+                ? config.sessionExpiresAt
+                : null,
             userEmail: typeof config?.userEmail === 'string' ? config.userEmail.trim() : null,
             userId: config?.userId?.trim() || null,
         },
-        refreshToken: {
-            source: sessionState.refreshToken.source,
-            present: sessionState.refreshToken.present,
-            maskedValue: maskSecret(sessionState.refreshToken.value),
-        },
     };
 }
 export function formatAuthStatusReport(report) {
     const lines = ['PostPlus CLI auth status', ''];
-    lines.push(report.accessToken.present
-        ? `[PASS] Access token: present (${report.accessToken.source})`
-        : '[FAIL] Access token: missing');
-    lines.push(report.accessToken.maskedValue
-        ? `  Value: ${report.accessToken.maskedValue}`
-        : '  Value: not configured');
-    lines.push(report.refreshToken.present
-        ? `[PASS] Refresh token: present (${report.refreshToken.source})`
-        : '[FAIL] Refresh token: missing');
-    lines.push(report.refreshToken.maskedValue
-        ? `  Value: ${report.refreshToken.maskedValue}`
+    lines.push(report.cliSessionToken.present
+        ? `[PASS] CLI session token: present (${report.cliSessionToken.source})`
+        : '[FAIL] CLI session token: missing');
+    lines.push(report.cliSessionToken.maskedValue
+        ? `  Value: ${report.cliSessionToken.maskedValue}`
         : '  Value: not configured');
     lines.push(report.apiBaseUrl.present
         ? `[PASS] PostPlus Cloud: configured (${report.apiBaseUrl.source})`
@@ -59,6 +49,9 @@ export function formatAuthStatusReport(report) {
         : `[PASS] local config path: ${report.config.path}`);
     lines.push(`  Account: ${report.config.accountId ?? 'not bound'}`);
     lines.push(`  User: ${report.config.userEmail ?? report.config.userId ?? 'not bound'}`);
+    lines.push(`  Expires: ${report.config.sessionExpiresAt
+        ? new Date(report.config.sessionExpiresAt * 1000).toISOString()
+        : 'unknown'}`);
     lines.push('', report.ok ? 'Auth status OK.' : 'Auth status incomplete.');
     return lines.join('\n');
 }

package/build/doctor.js

@@ -1,21 +1,25 @@
 import { resolveFreshRemoteAuth, } from './auth-session.js';
+import { buildPostPlusClientCompatibilityHeaders, formatPostPlusClientUpgradeError, } from './client-compatibility.js';
 import { resolveHostedBaseUrl } from './hosted-release.js';
 import { formatLocalDependencyReport, generateLocalDependencyReport, } from './local-dependencies.js';
-function createPass(id, label, detail) {
+function createPass(id, label, detail, severity = 'required') {
     return {
         id,
         label,
         status: 'pass',
+        severity,
         detail,
     };
 }
-function createFail(id, label, detail, fix) {
+function createFail(id, label, detail, fix, input = {}) {
     return {
         id,
         label,
         status: 'fail',
+        severity: input.severity ?? 'required',
         detail,
         fix,
+        metadata: input.metadata,
     };
 }
 export async function generateDoctorReport() {
@@ -50,7 +54,19 @@ async function checkLocalDependencies() {
         const report = await generateLocalDependencyReport();
         const detail = formatLocalDependencyReport(report);
         if (!report.ok) {
-            return createFail('local_dependencies', 'Local dependencies', detail, 'Run the affected PostPlus skill in a local agent. The installed postplus-shared rules tell the agent how to bootstrap approved missing media dependencies.');
+            return createFail('local_dependencies', 'Task-specific local media dependencies', detail, 'Run the affected PostPlus skill in a local agent. The installed postplus-shared rules tell the agent how to bootstrap approved missing media dependencies.', {
+                severity: 'task_specific',
+                metadata: {
+                    bootstrapRule: 'postplus-shared',
+                    missingDependencies: report.checks
+                        .filter((check) => !check.ok)
+                        .map((check) => ({
+                        dependency: check.dependency,
+                        detail: check.detail,
+                        skillIds: check.skillIds,
+                    })),
+                },
+            });
         }
         return createPass('local_dependencies', 'Local dependencies', detail);
     }
@@ -61,9 +77,11 @@ async function checkLocalDependencies() {
     }
 }
 function buildDoctorReport(checks) {
+    const requiredOk = checks.every((check) => check.severity !== 'required' || check.status === 'pass');
     return {
         schemaVersion: 1,
         ok: checks.every((check) => check.status === 'pass'),
+        requiredOk,
         checks,
     };
 }
@@ -167,15 +185,20 @@ function readReadinessCheckFailureLabel(value) {
             : 'unknown check';
 }
 function readErrorMessage(payload, fallback) {
+    if (payload.code === 'postplus_client_upgrade_required') {
+        return formatPostPlusClientUpgradeError(payload);
+    }
     return typeof payload.error === 'string' && payload.error.trim().length > 0
         ? payload.error
         : fallback;
 }
-function requestWithAuth(input, path) {
+async function requestWithAuth(input, path) {
+    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
     return fetch(`${input.apiBaseUrl}${path}`, {
         headers: {
             accept: 'application/json',
-            authorization: `Bearer ${input.accessToken}`,
+            ...compatibilityHeaders,
+            authorization: `Bearer ${input.cliSessionToken}`,
         },
         signal: AbortSignal.timeout(15000),
     });
@@ -183,12 +206,20 @@ function requestWithAuth(input, path) {
 export function formatDoctorReport(report) {
     const lines = ['PostPlus CLI doctor', ''];
     for (const check of report.checks) {
-        const marker = check.status === 'pass' ? '[PASS]' : '[FAIL]';
+        const marker = check.status === 'pass'
+            ? '[PASS]'
+            : check.severity === 'task_specific'
+                ? '[WARN]'
+                : '[FAIL]';
         lines.push(`${marker} ${check.label}: ${check.detail}`);
         if (check.fix) {
             lines.push(`  Fix: ${check.fix}`);
         }
     }
-    lines.push('', report.ok ? 'Doctor passed.' : 'Doctor failed.');
+    lines.push('', report.ok
+        ? 'Doctor passed.'
+        : report.requiredOk
+            ? 'Doctor incomplete: task-specific checks need attention.'
+            : 'Doctor failed.');
     return lines.join('\n');
 }

package/build/index.js

@@ -8,6 +8,7 @@ import { assertConfigFilePermissions } from './local-state.js';
 import { POSTPLUS_SKILLS_INSTALL_COMMAND, loadPublicSkillCatalog, } from './skill-catalog.js';
 import { runPostPlusSkillUninstall, runPostPlusSkillUpdate, } from './skill-management.js';
 import { formatStatusReport, generateStatusReport } from './status.js';
+import { readCurrentCliVersion, } from './client-compatibility.js';
 import { refreshUpdateCheckCache } from './update-check.js';
 function printAuthHelp() {
     process.stdout.write(`PostPlus CLI — auth commands
@@ -41,6 +42,7 @@ Usage:
   postplus uninstall
   postplus list [--json]
   postplus status [--json]
+  postplus version
   postplus help
 
 Skills:
@@ -96,6 +98,10 @@ async function runList(json) {
     process.stdout.write(`${lines.join('\n')}\n`);
     return 0;
 }
+async function runVersion() {
+    process.stdout.write(`${await readCurrentCliVersion()}\n`);
+    return 0;
+}
 async function runSkillUpdateCommand() {
     const exitCode = await runPostPlusSkillUpdate();
     if (exitCode === 0) {
@@ -172,6 +178,11 @@ async function main() {
             printHelp();
             process.exitCode = 0;
             return;
+        case '--version':
+        case '-v':
+        case 'version':
+            process.exitCode = await runVersion();
+            return;
         case 'help': {
             const [helpTopic] = rest;
             if (helpTopic === 'auth') {

package/build/local-state.js

@@ -95,6 +95,7 @@ export async function clearLocalAuthState() {
         delete next.accessToken;
         delete next.accountId;
         delete next.apiKey;
+        delete next.cliSessionToken;
         delete next.machineId;
         delete next.refreshToken;
         delete next.sessionExpiresAt;
@@ -150,24 +151,19 @@ export async function setLocalApiBaseUrl(apiBaseUrl) {
     }));
 }
 export async function setLocalSession(input) {
-    const accessToken = input.accessToken.trim();
-    const refreshToken = input.refreshToken.trim();
+    const cliSessionToken = input.cliSessionToken.trim();
     const apiBaseUrl = input.apiBaseUrl.trim().replace(/\/+$/, '');
-    if (accessToken.length === 0) {
-        throw new Error('PostPlus CLI access token cannot be empty.');
-    }
-    if (refreshToken.length === 0) {
-        throw new Error('PostPlus CLI refresh token cannot be empty.');
+    if (cliSessionToken.length === 0) {
+        throw new Error('PostPlus CLI session token cannot be empty.');
     }
     if (apiBaseUrl.length === 0) {
         throw new Error('POSTPLUS_API_BASE_URL cannot be empty.');
     }
     return updateLocalConfig((current) => ({
         ...omitLegacyAuthFields(current),
-        accessToken,
         accountId: input.accountId,
         apiBaseUrl,
-        refreshToken,
+        cliSessionToken,
         sessionExpiresAt: input.sessionExpiresAt,
         userEmail: input.userEmail,
         userId: input.userId,
@@ -182,6 +178,22 @@ export async function hasLocalConfigFile() {
         return false;
     }
 }
+export async function resolveCliSessionTokenState() {
+    const config = await readLocalConfig();
+    const configValue = config?.cliSessionToken?.trim();
+    if (configValue && configValue.length > 0) {
+        return {
+            source: 'config',
+            present: true,
+            value: configValue,
+        };
+    }
+    return {
+        source: 'missing',
+        present: false,
+        value: null,
+    };
+}
 export async function resolveAccessTokenState() {
     const config = await readLocalConfig();
     const configValue = config?.accessToken?.trim();
@@ -215,13 +227,9 @@ export async function resolveRefreshTokenState() {
     };
 }
 export async function resolveLocalSessionState() {
-    const [accessToken, refreshToken] = await Promise.all([
-        resolveAccessTokenState(),
-        resolveRefreshTokenState(),
-    ]);
+    const cliSessionToken = await resolveCliSessionTokenState();
     return {
-        accessToken,
-        refreshToken,
+        cliSessionToken,
     };
 }
 export async function resolveApiBaseUrlState() {
@@ -258,7 +266,7 @@ export function maskSecret(value) {
     return `${value.slice(0, 4)}…${value.slice(-4)}`;
 }
 function omitLegacyAuthFields(current) {
-    const { apiKey: _apiKey, machineId: _machineId, ...rest } = (current ?? {});
+    const { apiKey: _apiKey, accessToken: _accessToken, machineId: _machineId, refreshToken: _refreshToken, ...rest } = (current ?? {});
     return rest;
 }
 function normalizeSkillNames(values) {

package/build/skill-catalog.js

@@ -23,7 +23,8 @@ export async function loadPublicSkillCatalog(fetchFn = fetch) {
     if (!response.ok) {
         throw new Error(`Failed to load PostPlus skill catalog (${response.status}): ${response.statusText}`);
     }
-    const payload = (await response.json());
+    const raw = await response.text();
+    const payload = parseJsonResponse(raw, POSTPLUS_SKILLS_CATALOG_URL);
     const catalog = parsePublicSkillCatalog(payload);
     return {
         ...catalog,
@@ -33,6 +34,20 @@ export async function loadPublicSkillCatalog(fetchFn = fetch) {
         listCommand: POSTPLUS_SKILLS_LIST_COMMAND,
     };
 }
+function parseJsonResponse(raw, url) {
+    try {
+        return JSON.parse(raw);
+    }
+    catch (error) {
+        const trimmed = raw.trimStart();
+        if (trimmed.startsWith('<')) {
+            throw new Error(`PostPlus public skill catalog returned HTML instead of JSON: ${url}`);
+        }
+        throw new Error(error instanceof Error
+            ? `PostPlus public skill catalog returned invalid JSON: ${error.message}`
+            : 'PostPlus public skill catalog returned invalid JSON.');
+    }
+}
 function parsePublicSkillCatalog(payload) {
     if (!payload || typeof payload !== 'object' || Array.isArray(payload)) {
         throw new Error('PostPlus public skill catalog is invalid.');

package/build/skill-management.js

@@ -1,4 +1,5 @@
 import { runCommand, runInteractiveCommand } from './command-runner.js';
+import { writeCurrentCliVersionToLocalConfig } from './client-compatibility.js';
 import { clearManagedSkillBaseline, readManagedSkillBaseline, writeManagedSkillBaseline, } from './local-state.js';
 import { POSTPLUS_SKILLS_AGENT_TARGETS, POSTPLUS_SKILLS_INSTALL_COMMAND, POSTPLUS_SKILLS_REPO, loadPublicSkillCatalog, } from './skill-catalog.js';
 const NPX_SKILLS = ['-y', 'skills'];
@@ -26,6 +27,7 @@ export async function runPostPlusSkillUpdate(dependencies = {
         revision: catalog.revision,
         skillNames,
     });
+    await writeCurrentCliVersionToLocalConfig();
     return 0;
 }
 export async function runPostPlusSkillUninstall(dependencies = {
@@ -144,10 +146,8 @@ function mergeSkillNames(left, right) {
     return [...new Set([...left, ...right])].sort((a, b) => a.localeCompare(b));
 }
 async function listInstalledSkills(dependencies) {
-    const [project, global] = await Promise.all([
-        listInstalledSkillsForScope(dependencies, []),
-        listInstalledSkillsForScope(dependencies, ['--global']),
-    ]);
+    const project = await listInstalledSkillsForScope(dependencies, []);
+    const global = await listInstalledSkillsForScope(dependencies, ['--global']);
     const byKey = new Map();
     for (const skill of [...project, ...global]) {
         byKey.set(`${skill.scope}:${skill.name}:${skill.path}`, skill);

package/build/status.js

@@ -1,4 +1,5 @@
 import { formatAuthStatusReport, generateAuthStatusReport, } from './auth.js';
+import { writeCurrentCliVersionToLocalConfig } from './client-compatibility.js';
 import { formatDoctorReport, generateDoctorReport, } from './doctor.js';
 import { formatSkillInstallStatusReport, generateSkillInstallStatusReport, } from './skill-management.js';
 import { formatUpdateStatusReport, generateUpdateStatusReport, } from './update-check.js';
@@ -6,6 +7,7 @@ export async function generateStatusReport() {
     return generateStatusReportWithDependencies();
 }
 export async function generateStatusReportWithDependencies(dependencies = {}) {
+    await writeCurrentCliVersionToLocalConfig();
     const generateAuthStatus = dependencies.generateAuthStatus ?? generateAuthStatusReport;
     const generateDoctor = dependencies.generateDoctor ?? generateDoctorReport;
     const generateSkillStatus = dependencies.generateSkillStatus ?? generateSkillInstallStatusReport;
@@ -18,7 +20,7 @@ export async function generateStatusReportWithDependencies(dependencies = {}) {
     ]);
     return {
         schemaVersion: 1,
-        ok: doctor.ok && auth.ok && skills.ok && updates.ok,
+        ok: doctor.requiredOk && auth.ok && skills.ok && updates.ok,
         doctor,
         auth,
         skills,
@@ -26,10 +28,15 @@ export async function generateStatusReportWithDependencies(dependencies = {}) {
     };
 }
 export function formatStatusReport(report) {
+    const taskSpecificChecksNeedAttention = report.doctor.requiredOk && !report.doctor.ok;
     return [
         'PostPlus CLI status',
         '',
-        `Overall: ${report.ok ? 'OK' : 'INCOMPLETE'}`,
+        `Overall: ${report.ok
+            ? taskSpecificChecksNeedAttention
+                ? 'OK (task-specific checks need attention)'
+                : 'OK'
+            : 'INCOMPLETE'}`,
         '',
         formatDoctorReport(report.doctor),
         '',

package/build/update-check.js

@@ -1,5 +1,6 @@
 import { mkdir, readFile, writeFile } from 'node:fs/promises';
 import { dirname, join } from 'node:path';
+import { readCurrentCliVersion } from './client-compatibility.js';
 import { getPostPlusConfigDir, readManagedSkillBaseline, } from './local-state.js';
 import { POSTPLUS_SKILLS_REPO, loadPublicSkillCatalog, } from './skill-catalog.js';
 const UPDATE_CHECK_TTL_MS = 24 * 60 * 60 * 1000;
@@ -125,15 +126,6 @@ function buildUpdateReport(input) {
         warning: null,
     };
 }
-async function readCurrentCliVersion() {
-    const packageJsonPath = new URL('../package.json', import.meta.url);
-    const raw = await readFile(packageJsonPath, 'utf8');
-    const parsed = JSON.parse(raw);
-    if (typeof parsed.version !== 'string' || !parsed.version.trim()) {
-        throw new Error('Could not read the current PostPlus CLI version.');
-    }
-    return parsed.version.trim();
-}
 async function fetchLatestCliVersion(fetchFn) {
     const response = await fetchFn(NPM_LATEST_URL, {
         headers: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@postplus/cli",
-  "version": "0.1.19",
+  "version": "0.1.21",
   "packageManager": "pnpm@10.30.3+sha512.c961d1e0a2d8e354ecaa5166b822516668b7f44cb5bd95122d590dd81922f606f5473b6d23ec4a5be05e7fcd18e8488d47d978bbe981872f1145d06e9a740017",
   "type": "module",
   "description": "PostPlus CLI for PostPlus Cloud auth, status, and diagnostics.",