@postplus/cli 0.1.20 → 0.1.22

package/build/auth-lifecycle.js

@@ -1,7 +1,8 @@
 import { refreshRemoteAuthSession } from './auth-session.js';
 import { clearAuthState, generateAuthStatusReport } from './auth.js';
+import { buildPostPlusClientCompatibilityHeaders, formatPostPlusClientUpgradeError, } from './client-compatibility.js';
 import { requireHostedBaseUrl } from './hosted-release.js';
-import { resolveAccessTokenState, resolveRefreshTokenState, } from './local-state.js';
+import { resolveCliSessionTokenState } from './local-state.js';
 export async function refreshRemoteAuth() {
     const refreshed = await refreshRemoteAuthSession();
     return {
@@ -25,31 +26,31 @@ export function formatAuthRefreshReport(report) {
     ].join('\n');
 }
 export async function revokeRemoteAuth() {
-    const [apiBaseUrl, accessTokenState, refreshTokenState] = await Promise.all([
+    const [apiBaseUrl, cliSessionTokenState] = await Promise.all([
         requireHostedBaseUrl(),
-        resolveAccessTokenState(),
-        resolveRefreshTokenState(),
+        resolveCliSessionTokenState(),
     ]);
-    if (!accessTokenState.present || !accessTokenState.value) {
-        throw new Error('Run `postplus auth login` before revoking PostPlus auth.');
-    }
-    if (!refreshTokenState.present || !refreshTokenState.value) {
+    if (!cliSessionTokenState.present || !cliSessionTokenState.value) {
         throw new Error('Run `postplus auth login` before revoking PostPlus auth.');
     }
+    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
     const response = await fetch(`${apiBaseUrl}/api/postplus-cli/auth/revoke`, {
         method: 'POST',
         headers: {
             accept: 'application/json',
-            authorization: `Bearer ${accessTokenState.value}`,
+            ...compatibilityHeaders,
+            authorization: `Bearer ${cliSessionTokenState.value}`,
             'content-type': 'application/json',
         },
-        body: JSON.stringify({
-            refreshToken: refreshTokenState.value,
-        }),
+        body: JSON.stringify({}),
         signal: AbortSignal.timeout(15000),
     });
     const payload = (await response.json());
     if (!response.ok) {
+        if ('code' in payload &&
+            payload.code === 'postplus_client_upgrade_required') {
+            throw new Error(formatPostPlusClientUpgradeError(payload));
+        }
         throw new Error('error' in payload && typeof payload.error === 'string'
             ? payload.error
             : 'Failed to revoke remote PostPlus auth.');

package/build/auth-login.js

@@ -1,3 +1,4 @@
+import { buildPostPlusClientCompatibilityHeaders, formatPostPlusClientUpgradeError, writeCurrentCliVersionToLocalConfig, } from './client-compatibility.js';
 import { requireHostedBaseUrl } from './hosted-release.js';
 import { setLocalSession } from './local-state.js';
 export const CLI_AUTH_LOGIN_TIMEOUT_MS = 30 * 60 * 1000;
@@ -23,18 +24,18 @@ export async function loginWithCloudHandoff() {
         requestId: started.requestId,
     });
     const validated = await validateCliSession({
-        accessToken: handoffPayload.accessToken,
         apiBaseUrl: baseUrl,
+        cliSessionToken: handoffPayload.cliSessionToken,
     });
     await setLocalSession({
-        accessToken: handoffPayload.accessToken,
         accountId: validated.accountId,
         apiBaseUrl: baseUrl,
-        refreshToken: handoffPayload.refreshToken,
+        cliSessionToken: handoffPayload.cliSessionToken,
         sessionExpiresAt: validated.sessionExpiresAt ?? handoffPayload.sessionExpiresAt ?? null,
         userEmail: validated.userEmail,
         userId: validated.userId,
     });
+    await writeCurrentCliVersionToLocalConfig();
     return {
         accountId: validated.accountId,
         apiBaseUrl: baseUrl,
@@ -44,10 +45,12 @@ export async function loginWithCloudHandoff() {
     };
 }
 export async function startCloudAuthLogin(apiBaseUrl) {
+    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
     const response = await fetch(`${apiBaseUrl}/api/postplus-cli/auth/login/start`, {
         method: 'POST',
         headers: {
             accept: 'application/json',
+            ...compatibilityHeaders,
         },
         signal: AbortSignal.timeout(15000),
     });
@@ -76,10 +79,12 @@ async function waitForCloudAuthLogin(input) {
     throw new Error('Timed out waiting for the cloud sign-in handoff.');
 }
 export async function pollCloudAuthLogin(input) {
+    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
     const response = await fetch(`${input.apiBaseUrl}/api/postplus-cli/auth/login/poll`, {
         method: 'POST',
         headers: {
             accept: 'application/json',
+            ...compatibilityHeaders,
             'content-type': 'application/json',
         },
         body: JSON.stringify({
@@ -101,11 +106,13 @@ export async function pollCloudAuthLogin(input) {
     throw new Error('PostPlus CLI sign-in poll returned incomplete data.');
 }
 export async function validateCliSession(input) {
+    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
     const response = await fetch(`${input.apiBaseUrl}/api/postplus-cli/auth/whoami`, {
         method: 'GET',
         headers: {
             accept: 'application/json',
-            authorization: `Bearer ${input.accessToken}`,
+            ...compatibilityHeaders,
+            authorization: `Bearer ${input.cliSessionToken}`,
         },
         signal: AbortSignal.timeout(15000),
     });
@@ -123,6 +130,9 @@ export function formatCliSessionAuthError(payload) {
             'Once the environment is ready, the CLI will automatically obtain and store its session.',
         ].join(' ');
     }
+    if (payload.code === 'postplus_client_upgrade_required') {
+        return formatPostPlusClientUpgradeError(payload);
+    }
     if (typeof payload.error === 'string' && payload.error.trim().length > 0) {
         return payload.error;
     }
@@ -140,8 +150,7 @@ function isCliAuthLoginStartSuccessPayload(payload) {
 function isCliAuthLoginCompletedPayload(payload) {
     return ('status' in payload &&
         payload.status === 'completed' &&
-        typeof payload.accessToken === 'string' &&
-        typeof payload.refreshToken === 'string' &&
+        typeof payload.cliSessionToken === 'string' &&
         typeof payload.accountId === 'string' &&
         typeof payload.userId === 'string');
 }
@@ -149,6 +158,9 @@ function isCliAuthLoginPendingPayload(payload) {
     return 'status' in payload && payload.status === 'pending';
 }
 function formatRemoteAuthLoginError(payload) {
+    if ('code' in payload && payload.code === 'postplus_client_upgrade_required') {
+        return formatPostPlusClientUpgradeError(payload);
+    }
     return 'error' in payload &&
         typeof payload.error === 'string' &&
         payload.error.trim().length > 0

package/build/auth-session.js

@@ -1,137 +1,89 @@
+import { buildPostPlusClientCompatibilityHeaders, formatPostPlusClientUpgradeError, writeCurrentCliVersionToLocalConfig, } from './client-compatibility.js';
 import { requireHostedBaseUrl } from './hosted-release.js';
-import { readLocalConfig, resolveAccessTokenState, resolveRefreshTokenState, setLocalSession, } from './local-state.js';
-export const AUTH_SESSION_REFRESH_LEEWAY_SECONDS = 60;
+import { resolveCliSessionTokenState, setLocalSession, } from './local-state.js';
 export async function resolveFreshRemoteAuth(options = {}) {
-    const [apiBaseUrl, accessTokenState, refreshTokenState, config] = await Promise.all([
+    const [apiBaseUrl, cliSessionTokenState] = await Promise.all([
         requireHostedBaseUrl(),
-        resolveAccessTokenState(),
-        resolveRefreshTokenState(),
-        readLocalConfig(),
+        resolveCliSessionTokenState(),
     ]);
-    if (!refreshTokenState.present || !refreshTokenState.value) {
-        if (!accessTokenState.present || !accessTokenState.value) {
-            throw new Error('Run `postplus auth login` before validating PostPlus auth.');
-        }
-        return {
-            accessToken: accessTokenState.value,
-            apiBaseUrl,
-            refreshed: false,
-            source: 'config',
-        };
+    if (!cliSessionTokenState.present || !cliSessionTokenState.value) {
+        throw new Error('Run `postplus auth login` before using PostPlus auth.');
     }
-    const existingAccessToken = accessTokenState.value;
-    const decodedTokenExpiresAt = existingAccessToken
-        ? decodeAccessTokenExpiration(existingAccessToken)
-        : null;
-    const tokenExpiresAt = typeof decodedTokenExpiresAt === 'number'
-        ? decodedTokenExpiresAt
-        : typeof config?.sessionExpiresAt === 'number'
-            ? config.sessionExpiresAt
-            : null;
-    const shouldRefresh = options.forceRefresh === true ||
-        !accessTokenState.present ||
-        !accessTokenState.value ||
-        isExpiringSoon(tokenExpiresAt);
-    if (!shouldRefresh) {
-        if (!existingAccessToken) {
-            throw new Error('Run `postplus auth login` before validating PostPlus auth.');
-        }
+    if (options.forceRefresh === true) {
+        const refreshed = await refreshRemoteAuthSession({
+            apiBaseUrl,
+            cliSessionToken: cliSessionTokenState.value,
+        });
         return {
-            accessToken: existingAccessToken,
             apiBaseUrl,
-            refreshed: false,
+            cliSessionToken: refreshed.cliSessionToken,
+            refreshed: true,
             source: 'config',
         };
     }
-    const refreshed = await refreshRemoteAuthSession({
-        accessToken: accessTokenState.value,
-        apiBaseUrl,
-        refreshToken: refreshTokenState.value,
-    });
     return {
-        accessToken: refreshed.accessToken,
         apiBaseUrl,
-        refreshed: true,
+        cliSessionToken: cliSessionTokenState.value,
+        refreshed: false,
         source: 'config',
     };
 }
 export async function refreshRemoteAuthSession(input) {
-    const [apiBaseUrl, accessTokenState, refreshTokenState] = await Promise.all([
+    const [apiBaseUrl, cliSessionTokenState] = await Promise.all([
         input?.apiBaseUrl ?? requireHostedBaseUrl(),
-        input?.accessToken === undefined ? resolveAccessTokenState() : null,
-        input?.refreshToken === undefined ? resolveRefreshTokenState() : null,
+        input?.cliSessionToken === undefined ? resolveCliSessionTokenState() : null,
     ]);
-    const accessToken = input?.accessToken === undefined
-        ? accessTokenState?.value
-        : input.accessToken;
-    const refreshToken = input?.refreshToken === undefined
-        ? refreshTokenState?.value
-        : input.refreshToken;
-    if (!refreshToken) {
+    const cliSessionToken = input?.cliSessionToken === undefined
+        ? cliSessionTokenState?.value
+        : input.cliSessionToken;
+    if (!cliSessionToken) {
         throw new Error('Run `postplus auth login` before refreshing PostPlus auth.');
     }
+    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
     const response = await fetch(`${apiBaseUrl}/api/postplus-cli/auth/refresh`, {
         method: 'POST',
         headers: {
             accept: 'application/json',
-            ...(accessToken ? { authorization: `Bearer ${accessToken}` } : {}),
+            ...compatibilityHeaders,
+            authorization: `Bearer ${cliSessionToken}`,
             'content-type': 'application/json',
         },
-        body: JSON.stringify({
-            refreshToken,
-        }),
+        body: JSON.stringify({}),
         signal: AbortSignal.timeout(15000),
     });
     const payload = (await response.json());
     if (!response.ok) {
+        if ('code' in payload &&
+            payload.code === 'postplus_client_upgrade_required') {
+            throw new Error(formatPostPlusClientUpgradeError(payload));
+        }
         throw new Error('error' in payload && typeof payload.error === 'string'
             ? payload.error
             : 'Failed to refresh remote PostPlus auth.');
     }
     if (!isRemoteAuthRefreshSuccessPayload(payload)) {
-        throw new Error('PostPlus auth refresh returned incomplete session tokens.');
+        throw new Error('PostPlus auth refresh returned incomplete session data.');
     }
     await setLocalSession({
-        accessToken: payload.accessToken,
         accountId: payload.accountId,
         apiBaseUrl,
-        refreshToken: payload.refreshToken,
+        cliSessionToken: payload.cliSessionToken,
         sessionExpiresAt: payload.sessionExpiresAt,
         userEmail: payload.userEmail,
         userId: payload.userId,
     });
+    await writeCurrentCliVersionToLocalConfig();
     return {
         ...payload,
         apiBaseUrl,
     };
 }
-export function decodeAccessTokenExpiration(accessToken) {
-    try {
-        const [, payload] = accessToken.split('.');
-        if (!payload) {
-            return null;
-        }
-        const decoded = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
-        return typeof decoded.exp === 'number' ? decoded.exp : null;
-    }
-    catch {
-        return null;
-    }
-}
-function isExpiringSoon(expiresAt) {
-    if (typeof expiresAt !== 'number' || !Number.isFinite(expiresAt)) {
-        return false;
-    }
-    const nowSeconds = Math.floor(Date.now() / 1_000);
-    return expiresAt - nowSeconds <= AUTH_SESSION_REFRESH_LEEWAY_SECONDS;
-}
 function isRemoteAuthRefreshSuccessPayload(payload) {
     return (typeof payload === 'object' &&
         payload !== null &&
-        typeof payload.accessToken === 'string' &&
-        payload.accessToken.trim().length > 0 &&
-        typeof payload.refreshToken === 'string' &&
-        payload.refreshToken.trim().length > 0 &&
+        typeof payload.cliSessionToken ===
+            'string' &&
+        payload.cliSessionToken.trim().length > 0 &&
         typeof payload.accountId === 'string' &&
         typeof payload.userId === 'string');
 }

package/build/auth-validate.js

@@ -1,4 +1,5 @@
 import { resolveFreshRemoteAuth } from './auth-session.js';
+import { buildPostPlusClientCompatibilityHeaders, formatPostPlusClientUpgradeError, } from './client-compatibility.js';
 export async function validateRemoteAuth() {
     let auth = await resolveFreshRemoteAuth();
     let response = await fetchWhoami(auth);
@@ -10,6 +11,10 @@ export async function validateRemoteAuth() {
     }
     const payload = (await response.json());
     if (!response.ok) {
+        if ('code' in payload &&
+            payload.code === 'postplus_client_upgrade_required') {
+            throw new Error(formatPostPlusClientUpgradeError(payload));
+        }
         throw new Error('error' in payload && typeof payload.error === 'string'
             ? payload.error
             : 'Failed to validate remote PostPlus auth.');
@@ -36,12 +41,14 @@ export function formatAuthValidateReport(report) {
         `Subscription: ${report.subscriptionStatus ?? 'unknown'}`,
     ].join('\n');
 }
-function fetchWhoami(input) {
+async function fetchWhoami(input) {
+    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
     return fetch(`${input.apiBaseUrl}/api/postplus-cli/auth/whoami`, {
         method: 'GET',
         headers: {
             accept: 'application/json',
-            authorization: `Bearer ${input.accessToken}`,
+            ...compatibilityHeaders,
+            authorization: `Bearer ${input.cliSessionToken}`,
         },
         signal: AbortSignal.timeout(15000),
     });

package/build/auth.js

@@ -7,13 +7,11 @@ export async function generateAuthStatusReport() {
         readLocalConfig(),
     ]);
     return {
-        ok: sessionState.accessToken.present &&
-            sessionState.refreshToken.present &&
-            apiBaseUrlState.present,
-        accessToken: {
-            source: sessionState.accessToken.source,
-            present: sessionState.accessToken.present,
-            maskedValue: maskSecret(sessionState.accessToken.value),
+        ok: sessionState.cliSessionToken.present && apiBaseUrlState.present,
+        cliSessionToken: {
+            source: sessionState.cliSessionToken.source,
+            present: sessionState.cliSessionToken.present,
+            maskedValue: maskSecret(sessionState.cliSessionToken.value),
         },
         apiBaseUrl: {
             source: apiBaseUrlState.source,
@@ -24,29 +22,21 @@ export async function generateAuthStatusReport() {
             path: getPostPlusConfigPath(),
             exists: configExists,
             accountId: config?.accountId?.trim() || null,
+            sessionExpiresAt: typeof config?.sessionExpiresAt === 'number'
+                ? config.sessionExpiresAt
+                : null,
             userEmail: typeof config?.userEmail === 'string' ? config.userEmail.trim() : null,
             userId: config?.userId?.trim() || null,
         },
-        refreshToken: {
-            source: sessionState.refreshToken.source,
-            present: sessionState.refreshToken.present,
-            maskedValue: maskSecret(sessionState.refreshToken.value),
-        },
     };
 }
 export function formatAuthStatusReport(report) {
     const lines = ['PostPlus CLI auth status', ''];
-    lines.push(report.accessToken.present
-        ? `[PASS] Access token: present (${report.accessToken.source})`
-        : '[FAIL] Access token: missing');
-    lines.push(report.accessToken.maskedValue
-        ? `  Value: ${report.accessToken.maskedValue}`
-        : '  Value: not configured');
-    lines.push(report.refreshToken.present
-        ? `[PASS] Refresh token: present (${report.refreshToken.source})`
-        : '[FAIL] Refresh token: missing');
-    lines.push(report.refreshToken.maskedValue
-        ? `  Value: ${report.refreshToken.maskedValue}`
+    lines.push(report.cliSessionToken.present
+        ? `[PASS] CLI session token: present (${report.cliSessionToken.source})`
+        : '[FAIL] CLI session token: missing');
+    lines.push(report.cliSessionToken.maskedValue
+        ? `  Value: ${report.cliSessionToken.maskedValue}`
         : '  Value: not configured');
     lines.push(report.apiBaseUrl.present
         ? `[PASS] PostPlus Cloud: configured (${report.apiBaseUrl.source})`
@@ -59,6 +49,9 @@ export function formatAuthStatusReport(report) {
         : `[PASS] local config path: ${report.config.path}`);
     lines.push(`  Account: ${report.config.accountId ?? 'not bound'}`);
     lines.push(`  User: ${report.config.userEmail ?? report.config.userId ?? 'not bound'}`);
+    lines.push(`  Expires: ${report.config.sessionExpiresAt
+        ? new Date(report.config.sessionExpiresAt * 1000).toISOString()
+        : 'unknown'}`);
     lines.push('', report.ok ? 'Auth status OK.' : 'Auth status incomplete.');
     return lines.join('\n');
 }

package/build/client-compatibility.js

@@ -0,0 +1,69 @@
+import { readFile } from 'node:fs/promises';
+import { readLocalConfig, updateLocalConfig } from './local-state.js';
+export const POSTPLUS_CLIENT_CONTRACT_VERSION = 1;
+export const POSTPLUS_CLIENT_RUNTIME = 'postplus-cli';
+export const POSTPLUS_CLIENT_COMPATIBILITY_HEADERS = {
+    cliVersion: 'x-postplus-cli-version',
+    contractVersion: 'x-postplus-client-contract-version',
+    runtime: 'x-postplus-client-runtime',
+    skillCatalogRevision: 'x-postplus-skill-catalog-revision',
+    skillName: 'x-postplus-skill-name',
+};
+export async function buildPostPlusClientCompatibilityHeaders(input = {}) {
+    const [cliVersion, config] = await Promise.all([
+        readCurrentCliVersion(),
+        readLocalConfig(),
+    ]);
+    const headers = {
+        [POSTPLUS_CLIENT_COMPATIBILITY_HEADERS.cliVersion]: cliVersion,
+        [POSTPLUS_CLIENT_COMPATIBILITY_HEADERS.contractVersion]: String(POSTPLUS_CLIENT_CONTRACT_VERSION),
+        [POSTPLUS_CLIENT_COMPATIBILITY_HEADERS.runtime]: POSTPLUS_CLIENT_RUNTIME,
+    };
+    const skillCatalogRevision = config?.managedSkills?.revision?.trim();
+    const skillName = input.skillName?.trim();
+    if (skillCatalogRevision) {
+        headers[POSTPLUS_CLIENT_COMPATIBILITY_HEADERS.skillCatalogRevision] =
+            skillCatalogRevision;
+    }
+    if (skillName) {
+        headers[POSTPLUS_CLIENT_COMPATIBILITY_HEADERS.skillName] = skillName;
+    }
+    return headers;
+}
+export async function writeCurrentCliVersionToLocalConfig() {
+    const cliVersion = await readCurrentCliVersion();
+    await updateLocalConfig((current) => ({
+        ...(current ?? {}),
+        cliVersion,
+    }));
+}
+export async function readCurrentCliVersion() {
+    const packageJsonPath = new URL('../package.json', import.meta.url);
+    const raw = await readFile(packageJsonPath, 'utf8');
+    const parsed = JSON.parse(raw);
+    if (typeof parsed.version !== 'string' || !parsed.version.trim()) {
+        throw new Error('Could not read the current PostPlus CLI version.');
+    }
+    return parsed.version.trim();
+}
+export function formatPostPlusClientUpgradeError(payload) {
+    const record = payload && typeof payload === 'object' && !Array.isArray(payload)
+        ? payload
+        : {};
+    const cliCommand = record.compatibility?.upgrade?.cli?.command ??
+        'npm install -g @postplus/cli';
+    const skillsCommand = record.compatibility?.upgrade?.skills?.command ?? 'postplus update';
+    const restart = record.compatibility?.upgrade?.restartAgentSession
+        ? ' Then restart your agent session.'
+        : '';
+    return [
+        typeof record.error === 'string' && record.error.trim().length > 0
+            ? record.error.trim()
+            : 'Your PostPlus CLI or PostPlus skills are out of date.',
+        `Update CLI: ${cliCommand}.`,
+        `Update skills: ${skillsCommand}.`,
+        restart.trim(),
+    ]
+        .filter(Boolean)
+        .join(' ');
+}

package/build/doctor.js

@@ -1,4 +1,5 @@
 import { resolveFreshRemoteAuth, } from './auth-session.js';
+import { buildPostPlusClientCompatibilityHeaders, formatPostPlusClientUpgradeError, } from './client-compatibility.js';
 import { resolveHostedBaseUrl } from './hosted-release.js';
 import { formatLocalDependencyReport, generateLocalDependencyReport, } from './local-dependencies.js';
 function createPass(id, label, detail, severity = 'required') {
@@ -184,15 +185,20 @@ function readReadinessCheckFailureLabel(value) {
             : 'unknown check';
 }
 function readErrorMessage(payload, fallback) {
+    if (payload.code === 'postplus_client_upgrade_required') {
+        return formatPostPlusClientUpgradeError(payload);
+    }
     return typeof payload.error === 'string' && payload.error.trim().length > 0
         ? payload.error
         : fallback;
 }
-function requestWithAuth(input, path) {
+async function requestWithAuth(input, path) {
+    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
     return fetch(`${input.apiBaseUrl}${path}`, {
         headers: {
             accept: 'application/json',
-            authorization: `Bearer ${input.accessToken}`,
+            ...compatibilityHeaders,
+            authorization: `Bearer ${input.cliSessionToken}`,
         },
         signal: AbortSignal.timeout(15000),
     });

package/build/index.js

@@ -8,7 +8,8 @@ import { assertConfigFilePermissions } from './local-state.js';
 import { POSTPLUS_SKILLS_INSTALL_COMMAND, loadPublicSkillCatalog, } from './skill-catalog.js';
 import { runPostPlusSkillUninstall, runPostPlusSkillUpdate, } from './skill-management.js';
 import { formatStatusReport, generateStatusReport } from './status.js';
-import { readCurrentCliVersion, refreshUpdateCheckCache, } from './update-check.js';
+import { readCurrentCliVersion, } from './client-compatibility.js';
+import { refreshUpdateCheckCache } from './update-check.js';
 function printAuthHelp() {
     process.stdout.write(`PostPlus CLI — auth commands
 

package/build/local-state.js

@@ -95,6 +95,7 @@ export async function clearLocalAuthState() {
         delete next.accessToken;
         delete next.accountId;
         delete next.apiKey;
+        delete next.cliSessionToken;
         delete next.machineId;
         delete next.refreshToken;
         delete next.sessionExpiresAt;
@@ -150,24 +151,19 @@ export async function setLocalApiBaseUrl(apiBaseUrl) {
     }));
 }
 export async function setLocalSession(input) {
-    const accessToken = input.accessToken.trim();
-    const refreshToken = input.refreshToken.trim();
+    const cliSessionToken = input.cliSessionToken.trim();
     const apiBaseUrl = input.apiBaseUrl.trim().replace(/\/+$/, '');
-    if (accessToken.length === 0) {
-        throw new Error('PostPlus CLI access token cannot be empty.');
-    }
-    if (refreshToken.length === 0) {
-        throw new Error('PostPlus CLI refresh token cannot be empty.');
+    if (cliSessionToken.length === 0) {
+        throw new Error('PostPlus CLI session token cannot be empty.');
     }
     if (apiBaseUrl.length === 0) {
         throw new Error('POSTPLUS_API_BASE_URL cannot be empty.');
     }
     return updateLocalConfig((current) => ({
         ...omitLegacyAuthFields(current),
-        accessToken,
         accountId: input.accountId,
         apiBaseUrl,
-        refreshToken,
+        cliSessionToken,
         sessionExpiresAt: input.sessionExpiresAt,
         userEmail: input.userEmail,
         userId: input.userId,
@@ -182,6 +178,22 @@ export async function hasLocalConfigFile() {
         return false;
     }
 }
+export async function resolveCliSessionTokenState() {
+    const config = await readLocalConfig();
+    const configValue = config?.cliSessionToken?.trim();
+    if (configValue && configValue.length > 0) {
+        return {
+            source: 'config',
+            present: true,
+            value: configValue,
+        };
+    }
+    return {
+        source: 'missing',
+        present: false,
+        value: null,
+    };
+}
 export async function resolveAccessTokenState() {
     const config = await readLocalConfig();
     const configValue = config?.accessToken?.trim();
@@ -215,13 +227,9 @@ export async function resolveRefreshTokenState() {
     };
 }
 export async function resolveLocalSessionState() {
-    const [accessToken, refreshToken] = await Promise.all([
-        resolveAccessTokenState(),
-        resolveRefreshTokenState(),
-    ]);
+    const cliSessionToken = await resolveCliSessionTokenState();
     return {
-        accessToken,
-        refreshToken,
+        cliSessionToken,
     };
 }
 export async function resolveApiBaseUrlState() {
@@ -258,7 +266,7 @@ export function maskSecret(value) {
     return `${value.slice(0, 4)}…${value.slice(-4)}`;
 }
 function omitLegacyAuthFields(current) {
-    const { apiKey: _apiKey, machineId: _machineId, ...rest } = (current ?? {});
+    const { apiKey: _apiKey, accessToken: _accessToken, machineId: _machineId, refreshToken: _refreshToken, ...rest } = (current ?? {});
     return rest;
 }
 function normalizeSkillNames(values) {

package/build/skill-management.js

@@ -1,4 +1,5 @@
 import { runCommand, runInteractiveCommand } from './command-runner.js';
+import { writeCurrentCliVersionToLocalConfig } from './client-compatibility.js';
 import { clearManagedSkillBaseline, readManagedSkillBaseline, writeManagedSkillBaseline, } from './local-state.js';
 import { POSTPLUS_SKILLS_AGENT_TARGETS, POSTPLUS_SKILLS_INSTALL_COMMAND, POSTPLUS_SKILLS_REPO, loadPublicSkillCatalog, } from './skill-catalog.js';
 const NPX_SKILLS = ['-y', 'skills'];
@@ -26,6 +27,7 @@ export async function runPostPlusSkillUpdate(dependencies = {
         revision: catalog.revision,
         skillNames,
     });
+    await writeCurrentCliVersionToLocalConfig();
     return 0;
 }
 export async function runPostPlusSkillUninstall(dependencies = {

package/build/status.js

@@ -1,4 +1,5 @@
 import { formatAuthStatusReport, generateAuthStatusReport, } from './auth.js';
+import { writeCurrentCliVersionToLocalConfig } from './client-compatibility.js';
 import { formatDoctorReport, generateDoctorReport, } from './doctor.js';
 import { formatSkillInstallStatusReport, generateSkillInstallStatusReport, } from './skill-management.js';
 import { formatUpdateStatusReport, generateUpdateStatusReport, } from './update-check.js';
@@ -6,6 +7,7 @@ export async function generateStatusReport() {
     return generateStatusReportWithDependencies();
 }
 export async function generateStatusReportWithDependencies(dependencies = {}) {
+    await writeCurrentCliVersionToLocalConfig();
     const generateAuthStatus = dependencies.generateAuthStatus ?? generateAuthStatusReport;
     const generateDoctor = dependencies.generateDoctor ?? generateDoctorReport;
     const generateSkillStatus = dependencies.generateSkillStatus ?? generateSkillInstallStatusReport;

package/build/update-check.js

@@ -1,5 +1,6 @@
 import { mkdir, readFile, writeFile } from 'node:fs/promises';
 import { dirname, join } from 'node:path';
+import { readCurrentCliVersion } from './client-compatibility.js';
 import { getPostPlusConfigDir, readManagedSkillBaseline, } from './local-state.js';
 import { POSTPLUS_SKILLS_REPO, loadPublicSkillCatalog, } from './skill-catalog.js';
 const UPDATE_CHECK_TTL_MS = 24 * 60 * 60 * 1000;
@@ -125,15 +126,6 @@ function buildUpdateReport(input) {
         warning: null,
     };
 }
-export async function readCurrentCliVersion() {
-    const packageJsonPath = new URL('../package.json', import.meta.url);
-    const raw = await readFile(packageJsonPath, 'utf8');
-    const parsed = JSON.parse(raw);
-    if (typeof parsed.version !== 'string' || !parsed.version.trim()) {
-        throw new Error('Could not read the current PostPlus CLI version.');
-    }
-    return parsed.version.trim();
-}
 async function fetchLatestCliVersion(fetchFn) {
     const response = await fetchFn(NPM_LATEST_URL, {
         headers: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@postplus/cli",
-  "version": "0.1.20",
+  "version": "0.1.22",
   "packageManager": "pnpm@10.30.3+sha512.c961d1e0a2d8e354ecaa5166b822516668b7f44cb5bd95122d590dd81922f606f5473b6d23ec4a5be05e7fcd18e8488d47d978bbe981872f1145d06e9a740017",
   "type": "module",
   "description": "PostPlus CLI for PostPlus Cloud auth, status, and diagnostics.",
@@ -11,6 +11,7 @@
     "build/auth-session.js",
     "build/auth-validate.js",
     "build/auth.js",
+    "build/client-compatibility.js",
     "build/command-runner.js",
     "build/doctor.js",
     "build/hosted-release.js",