@r4security/cli 0.0.2 → 0.0.5

package/lib/index.js

@@ -1,38 +1,433 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import { Command as Command12 } from "commander";
+import { Command as Command18 } from "commander";
 
-// src/commands/auth/login.ts
-import { Command } from "commander";
+// src/commands/agent/init.ts
+import { Command as Command2 } from "commander";
 import readline from "node:readline";
+import ora2 from "ora";
 
-// src/lib/config.ts
+// src/commands/doctor.ts
+import { Command } from "commander";
+import chalk2 from "chalk";
+import ora from "ora";
+
+// src/lib/doctor.ts
+import R4 from "@r4security/sdk";
+
+// src/lib/client.ts
+var CliClient = class {
+  apiKey;
+  baseUrl;
+  constructor(apiKey, baseUrl) {
+    this.apiKey = apiKey;
+    this.baseUrl = baseUrl.replace(/\/$/, "");
+  }
+  /**
+   * Make an authenticated request to the machine API.
+   * Handles error responses consistently with the SDK pattern.
+   */
+  async request(method, path5, body) {
+    const url = `${this.baseUrl}${path5}`;
+    const response = await fetch(url, {
+      method,
+      headers: {
+        "X-API-Key": this.apiKey,
+        "Content-Type": "application/json"
+      },
+      body: body ? JSON.stringify(body) : void 0
+    });
+    if (!response.ok) {
+      const errorBody = await response.json().catch(() => ({}));
+      const error = errorBody?.error;
+      const errorMessage = error?.message || `HTTP ${response.status}: ${response.statusText}`;
+      const errorCode = typeof error?.code === "string" ? ` [${error.code}]` : "";
+      throw new Error(`R4 API Error${errorCode}: ${errorMessage}`);
+    }
+    return response.json();
+  }
+  /** Register or re-confirm the local agent runtime public key. */
+  async registerAgentPublicKey(body) {
+    return this.request(
+      "POST",
+      "/api/v1/machine/vault/public-key",
+      body
+    );
+  }
+  /** List all visible vaults for the authenticated machine principal. */
+  async listVaults(projectId) {
+    const search = projectId ? `?projectId=${encodeURIComponent(projectId)}` : "";
+    return this.request("GET", `/api/v1/machine/vault${search}`);
+  }
+  /** Retrieve the active wrapped DEK for the current agent on a vault. */
+  async getAgentWrappedKey(vaultId) {
+    return this.request(
+      "GET",
+      `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/wrapped-key`
+    );
+  }
+  /** List lightweight metadata for all items in a vault. */
+  async listVaultItems(vaultId) {
+    return this.request(
+      "GET",
+      `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/items`
+    );
+  }
+  /** List all projects. GET /api/v1/machine/project */
+  async listProjects() {
+    return this.request("GET", "/api/v1/machine/project");
+  }
+  /** Get project details. GET /api/v1/machine/project/:id */
+  async getProject(id) {
+    return this.request("GET", `/api/v1/machine/project/${id}`);
+  }
+  /** Create a new project. POST /api/v1/machine/project */
+  async createProject(data) {
+    return this.request("POST", "/api/v1/machine/project", data);
+  }
+};
+
+// src/lib/private-key.ts
+import crypto from "node:crypto";
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
-var CONFIG_DIR = path.join(os.homedir(), ".r4");
-var CONFIG_PATH = path.join(CONFIG_DIR, "config.json");
-function loadConfig() {
-  try {
-    const raw = fs.readFileSync(CONFIG_PATH, "utf8");
-    return JSON.parse(raw);
-  } catch {
-    return {};
+var DEFAULT_KEYS_DIR = path.join(os.homedir(), ".r4", "keys");
+function sanitizeProfileName(profileName) {
+  const sanitized = profileName.trim().toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/^-+|-+$/g, "");
+  return sanitized || "default";
+}
+function getDefaultPrivateKeyPath(profileName) {
+  return path.join(DEFAULT_KEYS_DIR, `${sanitizeProfileName(profileName)}.pem`);
+}
+function resolvePrivateKeyPath(params) {
+  if (params.cliPath) {
+    return { value: params.cliPath, source: "--private-key-path flag" };
+  }
+  if (params.envPath) {
+    return { value: params.envPath, source: "R4_PRIVATE_KEY_PATH env var" };
+  }
+  if (params.profilePath) {
+    return { value: params.profilePath, source: "profile config" };
+  }
+  const defaultPath = getDefaultPrivateKeyPath(params.profileName);
+  if (fs.existsSync(defaultPath) || params.allowDefaultIfMissing === true) {
+    return { value: defaultPath, source: "default profile key path" };
   }
+  return { value: void 0, source: null };
 }
-function saveConfig(config) {
-  fs.mkdirSync(CONFIG_DIR, { recursive: true });
-  fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", "utf8");
+function loadPrivateKey(privateKeyPath) {
+  return fs.readFileSync(path.resolve(privateKeyPath), "utf8").trim();
 }
-function clearConfig() {
-  try {
-    fs.unlinkSync(CONFIG_PATH);
-  } catch {
+function derivePublicKey(privateKeyPem) {
+  return crypto.createPublicKey(privateKeyPem).export({
+    type: "spki",
+    format: "pem"
+  }).toString();
+}
+function ensurePrivateKey(privateKeyPath) {
+  const resolvedPath = path.resolve(privateKeyPath);
+  if (fs.existsSync(resolvedPath)) {
+    return {
+      privateKeyPem: loadPrivateKey(resolvedPath),
+      created: false
+    };
   }
+  const keyPair = crypto.generateKeyPairSync("rsa", {
+    modulusLength: 2048,
+    publicKeyEncoding: {
+      type: "spki",
+      format: "pem"
+    },
+    privateKeyEncoding: {
+      type: "pkcs8",
+      format: "pem"
+    }
+  });
+  fs.mkdirSync(path.dirname(resolvedPath), { recursive: true });
+  fs.writeFileSync(resolvedPath, keyPair.privateKey.trim() + "\n", {
+    encoding: "utf8",
+    mode: 384
+  });
+  return {
+    privateKeyPem: keyPair.privateKey.trim(),
+    created: true
+  };
 }
-function getConfigPath() {
-  return CONFIG_PATH;
+
+// src/lib/doctor.ts
+function getAgentIdFromRegistration(registration) {
+  const entryCount = registration?.transparency?.entries.length ?? 0;
+  if (!registration?.transparency || entryCount === 0) {
+    return void 0;
+  }
+  return registration.transparency.entries[entryCount - 1]?.agentId;
+}
+function toDetailList(vaults) {
+  if (vaults.length === 0) {
+    return "0 visible vaults.";
+  }
+  const visibleNames = vaults.slice(0, 5).map((vault) => vault.name);
+  const suffix = vaults.length > visibleNames.length ? ", ..." : "";
+  return `${vaults.length} visible vault${vaults.length === 1 ? "" : "s"}: ${visibleNames.join(", ")}${suffix}`;
+}
+function isWrappedKeyMissing(error) {
+  return error instanceof Error && (error.message.includes("[wrapped_key_not_found]") || error.message.includes("No wrapped key found for this agent and vault."));
+}
+function doctorHasFailures(report) {
+  return report.checks.some((check) => check.status === "fail");
+}
+async function runDoctorChecks(connection) {
+  const report = {
+    profileName: connection.profileName,
+    baseUrl: connection.baseUrl,
+    dev: connection.dev,
+    projectId: connection.projectId,
+    privateKeyPath: connection.privateKeyPath,
+    trustStorePath: connection.trustStorePath,
+    agentName: connection.profile.agentName,
+    checks: [],
+    vaults: []
+  };
+  report.checks.push({
+    id: "base-url",
+    label: "Base URL",
+    status: "pass",
+    detail: `${connection.baseUrl}${connection.dev ? " (dev mode)" : ""}`
+  });
+  if (!connection.apiKey) {
+    report.checks.push({
+      id: "api-key",
+      label: "API Key",
+      status: "fail",
+      detail: "No API key is configured for the active profile."
+    });
+    report.checks.push({
+      id: "project-filter",
+      label: "Project Filter",
+      status: "pass",
+      detail: connection.projectId ? `Filtering to project ${connection.projectId}.` : "No project filter is set."
+    });
+    return report;
+  }
+  report.checks.push({
+    id: "api-key",
+    label: "API Key",
+    status: "pass",
+    detail: `Loaded from ${connection.apiKeySource}.`
+  });
+  report.checks.push({
+    id: "project-filter",
+    label: "Project Filter",
+    status: "pass",
+    detail: connection.projectId ? `Filtering vault reads to project ${connection.projectId}.` : "No project filter is set."
+  });
+  const client = new CliClient(connection.apiKey, connection.baseUrl);
+  let registration;
+  if (!connection.privateKeyPath) {
+    report.checks.push({
+      id: "private-key",
+      label: "Private Key",
+      status: "fail",
+      detail: "No local private-key path is configured, so zero-trust checks cannot run."
+    });
+    report.checks.push({
+      id: "public-key",
+      label: "Public Key Registration",
+      status: "skip",
+      detail: "Skipped because no local private key is configured."
+    });
+    report.checks.push({
+      id: "agent-identity",
+      label: "Agent Identity",
+      status: "skip",
+      detail: "Skipped because public-key registration could not run."
+    });
+  } else {
+    try {
+      const privateKeyPem = loadPrivateKey(connection.privateKeyPath);
+      const publicKeyPem = derivePublicKey(privateKeyPem);
+      registration = await client.registerAgentPublicKey({ publicKey: publicKeyPem });
+      report.agentId = getAgentIdFromRegistration(registration) ?? connection.profile.agentId;
+      report.registration = {
+        encryptionKeyId: registration.encryptionKeyId,
+        fingerprint: registration.fingerprint
+      };
+      report.checks.push({
+        id: "private-key",
+        label: "Private Key",
+        status: "pass",
+        detail: `Loaded ${connection.privateKeyPath}.`
+      });
+      report.checks.push({
+        id: "public-key",
+        label: "Public Key Registration",
+        status: "pass",
+        detail: `Registered encryption key ${registration.encryptionKeyId}.`
+      });
+      report.checks.push({
+        id: "agent-identity",
+        label: "Agent Identity",
+        status: report.agentId ? "pass" : "warn",
+        detail: report.agentId ? `Agent ${report.agentId}${report.agentName ? ` (${report.agentName})` : ""}.` : "The API returned no agent ID in the current registration proof."
+      });
+    } catch (error) {
+      report.checks.push({
+        id: "private-key",
+        label: "Private Key",
+        status: "pass",
+        detail: `Configured at ${connection.privateKeyPath}.`
+      });
+      report.checks.push({
+        id: "public-key",
+        label: "Public Key Registration",
+        status: "fail",
+        detail: error instanceof Error ? error.message : String(error)
+      });
+      report.checks.push({
+        id: "agent-identity",
+        label: "Agent Identity",
+        status: "skip",
+        detail: "Skipped because public-key registration did not succeed."
+      });
+    }
+  }
+  let vaults = [];
+  try {
+    const response = await client.listVaults(connection.projectId);
+    vaults = response.vaults;
+    report.checks.push({
+      id: "visible-vaults",
+      label: "Visible Vaults",
+      status: "pass",
+      detail: toDetailList(vaults)
+    });
+  } catch (error) {
+    report.checks.push({
+      id: "visible-vaults",
+      label: "Visible Vaults",
+      status: "fail",
+      detail: error instanceof Error ? error.message : String(error)
+    });
+    report.checks.push({
+      id: "wrapped-keys",
+      label: "Wrapped Keys",
+      status: "skip",
+      detail: "Skipped because visible vaults could not be listed."
+    });
+    report.checks.push({
+      id: "zero-trust",
+      label: "Trust & Decryption",
+      status: "skip",
+      detail: "Skipped because visible vaults could not be listed."
+    });
+    return report;
+  }
+  if (vaults.length === 0) {
+    report.checks.push({
+      id: "wrapped-keys",
+      label: "Wrapped Keys",
+      status: "skip",
+      detail: "No visible vaults means there were no wrapped keys to verify."
+    });
+    report.checks.push({
+      id: "zero-trust",
+      label: "Trust & Decryption",
+      status: "skip",
+      detail: "No visible vaults were returned, so no vault trust proof was exercised."
+    });
+    return report;
+  }
+  let missingWrappedKeys = 0;
+  let wrappedKeyErrors = 0;
+  for (const vault of vaults) {
+    try {
+      await client.getAgentWrappedKey(vault.id);
+      report.vaults.push({
+        id: vault.id,
+        name: vault.name,
+        itemCount: vault.itemCount,
+        wrappedKeyStatus: "present"
+      });
+    } catch (error) {
+      if (isWrappedKeyMissing(error)) {
+        missingWrappedKeys += 1;
+        report.vaults.push({
+          id: vault.id,
+          name: vault.name,
+          itemCount: vault.itemCount,
+          wrappedKeyStatus: "missing",
+          detail: error instanceof Error ? error.message : String(error)
+        });
+        continue;
+      }
+      wrappedKeyErrors += 1;
+      report.vaults.push({
+        id: vault.id,
+        name: vault.name,
+        itemCount: vault.itemCount,
+        wrappedKeyStatus: "error",
+        detail: error instanceof Error ? error.message : String(error)
+      });
+    }
+  }
+  if (wrappedKeyErrors > 0) {
+    report.checks.push({
+      id: "wrapped-keys",
+      label: "Wrapped Keys",
+      status: "fail",
+      detail: `${wrappedKeyErrors} vault read${wrappedKeyErrors === 1 ? "" : "s"} hit an unexpected wrapped-key error.`
+    });
+  } else if (missingWrappedKeys > 0) {
+    report.checks.push({
+      id: "wrapped-keys",
+      label: "Wrapped Keys",
+      status: "warn",
+      detail: `${missingWrappedKeys} of ${vaults.length} visible vault${vaults.length === 1 ? "" : "s"} do not have wrapped keys for this agent.`
+    });
+  } else {
+    report.checks.push({
+      id: "wrapped-keys",
+      label: "Wrapped Keys",
+      status: "pass",
+      detail: `Wrapped keys are present for all ${vaults.length} visible vault${vaults.length === 1 ? "" : "s"}.`
+    });
+  }
+  if (!connection.privateKeyPath) {
+    report.checks.push({
+      id: "zero-trust",
+      label: "Trust & Decryption",
+      status: "fail",
+      detail: "A local private key is required for end-to-end zero-trust verification."
+    });
+    return report;
+  }
+  try {
+    const r4 = await R4.create({
+      apiKey: connection.apiKey,
+      baseUrl: connection.baseUrl,
+      dev: connection.dev,
+      projectId: connection.projectId,
+      privateKeyPath: connection.privateKeyPath,
+      trustStorePath: connection.trustStorePath
+    });
+    report.envKeyCount = Object.keys(r4.env).length;
+    report.checks.push({
+      id: "zero-trust",
+      label: "Trust & Decryption",
+      status: "pass",
+      detail: `Verified trust/transparency checks and decrypted ${report.envKeyCount} env key${report.envKeyCount === 1 ? "" : "s"} locally.`
+    });
+  } catch (error) {
+    report.checks.push({
+      id: "zero-trust",
+      label: "Trust & Decryption",
+      status: "fail",
+      detail: error instanceof Error ? error.message : String(error)
+    });
+  }
+  return report;
 }
 
 // src/lib/output.ts
@@ -75,13 +470,32 @@ function printError(message) {
 }
 
 // src/lib/errors.ts
+function formatErrorMessage(message) {
+  if (message.includes("[wrapped_key_not_found]") || message.includes("No wrapped key found for this agent and vault.")) {
+    return `${message}
+
+Remediation:
+  - Make sure the vault or vault item is shared with this agent, one of its security groups, or one of its projects.
+  - If you just created or rotated the local runtime key, re-run \`r4 agent init\` and then re-wrap access for the agent.
+  - Run \`r4 doctor\` to see which visible vaults are missing wrapped keys.`;
+  }
+  if (message.includes("failed to register the local agent public key")) {
+    return `${message}
+
+Remediation:
+  - Use an AGENT-scoped API key.
+  - Point \`--private-key-path\` at the matching local PEM file, or run \`r4 agent init\` to generate and register one automatically.
+  - If you intentionally target a non-production environment, include \`--dev\` or set \`R4_DEV=1\`.`;
+  }
+  return message;
+}
 function withErrorHandler(fn) {
   return async (...args) => {
     try {
       await fn(...args);
     } catch (err) {
       if (err instanceof Error) {
-        printError(err.message);
+        printError(formatErrorMessage(err.message));
       } else {
         printError("An unexpected error occurred");
       }
@@ -90,6 +504,150 @@ function withErrorHandler(fn) {
   };
 }
 
+// src/lib/resolve-auth.ts
+import path3 from "node:path";
+
+// src/lib/config.ts
+import fs2 from "node:fs";
+import os2 from "node:os";
+import path2 from "node:path";
+var CONFIG_DIR = path2.join(os2.homedir(), ".r4");
+var CONFIG_PATH = path2.join(CONFIG_DIR, "config.json");
+var DEFAULT_PROFILE_NAME = "default";
+function emptyConfig() {
+  return {
+    version: 2,
+    currentProfile: DEFAULT_PROFILE_NAME,
+    profiles: {
+      [DEFAULT_PROFILE_NAME]: {}
+    }
+  };
+}
+function sanitizeProfileConfig(profile) {
+  if (!profile || typeof profile !== "object") {
+    return {};
+  }
+  const value = profile;
+  const nextProfile = {};
+  if (typeof value.apiKey === "string" && value.apiKey.trim()) {
+    nextProfile.apiKey = value.apiKey.trim();
+  }
+  if (typeof value.baseUrl === "string" && value.baseUrl.trim()) {
+    nextProfile.baseUrl = value.baseUrl.trim();
+  }
+  if (typeof value.dev === "boolean") {
+    nextProfile.dev = value.dev;
+  }
+  if (typeof value.projectId === "string" && value.projectId.trim()) {
+    nextProfile.projectId = value.projectId.trim();
+  }
+  if (typeof value.privateKeyPath === "string" && value.privateKeyPath.trim()) {
+    nextProfile.privateKeyPath = value.privateKeyPath.trim();
+  }
+  if (typeof value.trustStorePath === "string" && value.trustStorePath.trim()) {
+    nextProfile.trustStorePath = value.trustStorePath.trim();
+  }
+  if (typeof value.agentId === "string" && value.agentId.trim()) {
+    nextProfile.agentId = value.agentId.trim();
+  }
+  if (typeof value.agentName === "string" && value.agentName.trim()) {
+    nextProfile.agentName = value.agentName.trim();
+  }
+  return nextProfile;
+}
+function hasLegacyTopLevelProfileFields(config) {
+  return Boolean(
+    config.apiKey || config.baseUrl || config.dev !== void 0 || config.projectId || config.privateKeyPath || config.trustStorePath || config.agentId || config.agentName
+  );
+}
+function normalizeConfig(raw) {
+  if (!raw || typeof raw !== "object") {
+    return emptyConfig();
+  }
+  const parsed = raw;
+  const nextConfig = emptyConfig();
+  if (parsed.profiles && typeof parsed.profiles === "object") {
+    const entries = Object.entries(parsed.profiles).filter(([name]) => typeof name === "string" && name.trim().length > 0).map(([name, profile]) => [name.trim(), sanitizeProfileConfig(profile)]);
+    if (entries.length > 0) {
+      nextConfig.profiles = Object.fromEntries(entries);
+    }
+  }
+  if (hasLegacyTopLevelProfileFields(parsed)) {
+    nextConfig.profiles[DEFAULT_PROFILE_NAME] = {
+      ...nextConfig.profiles[DEFAULT_PROFILE_NAME],
+      ...sanitizeProfileConfig(parsed)
+    };
+  }
+  const configuredCurrentProfile = typeof parsed.currentProfile === "string" && parsed.currentProfile.trim() ? parsed.currentProfile.trim() : DEFAULT_PROFILE_NAME;
+  nextConfig.currentProfile = nextConfig.profiles[configuredCurrentProfile] !== void 0 ? configuredCurrentProfile : Object.keys(nextConfig.profiles)[0] ?? DEFAULT_PROFILE_NAME;
+  if (Object.keys(nextConfig.profiles).length === 0) {
+    return emptyConfig();
+  }
+  return nextConfig;
+}
+function loadConfig() {
+  try {
+    const raw = fs2.readFileSync(CONFIG_PATH, "utf8");
+    return normalizeConfig(JSON.parse(raw));
+  } catch {
+    return emptyConfig();
+  }
+}
+function saveConfig(config) {
+  fs2.mkdirSync(CONFIG_DIR, { recursive: true });
+  fs2.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", "utf8");
+}
+function clearConfig() {
+  try {
+    fs2.unlinkSync(CONFIG_PATH);
+  } catch {
+  }
+}
+function getConfigPath() {
+  return CONFIG_PATH;
+}
+function getProfileNames(config) {
+  return Object.keys(config.profiles).sort();
+}
+function getCurrentProfileName(config) {
+  return config.currentProfile;
+}
+function getSelectedProfileName(config, profileOverride, envProfile) {
+  const selectedProfile = profileOverride || envProfile || config.currentProfile;
+  return selectedProfile?.trim() || DEFAULT_PROFILE_NAME;
+}
+function getProfileConfig(config, profileName) {
+  return config.profiles[profileName] ?? {};
+}
+function updateProfile(config, profileName, profile) {
+  return {
+    ...config,
+    profiles: {
+      ...config.profiles,
+      [profileName]: profile
+    }
+  };
+}
+function setCurrentProfile(config, profileName) {
+  return {
+    ...config,
+    currentProfile: profileName
+  };
+}
+function removeProfile(config, profileName) {
+  const remainingProfiles = Object.fromEntries(
+    Object.entries(config.profiles).filter(([name]) => name !== profileName)
+  );
+  if (Object.keys(remainingProfiles).length === 0) {
+    return emptyConfig();
+  }
+  return {
+    version: 2,
+    currentProfile: config.currentProfile === profileName ? Object.keys(remainingProfiles).sort()[0] ?? DEFAULT_PROFILE_NAME : config.currentProfile,
+    profiles: remainingProfiles
+  };
+}
+
 // src/lib/runtime-config.ts
 var R4_DEFAULT_API_BASE_URL = "https://r4.dev";
 var R4_DEV_API_BASE_URL = "https://dev.r4.dev";
@@ -126,28 +684,470 @@ function resolveRuntimeModeFromCli(opts, config) {
     configDev: config.dev
   });
 }
-function applyGlobalRuntimeOptionsToConfig(config, opts) {
-  const nextConfig = { ...config };
+function applyGlobalRuntimeOptionsToProfile(profile, opts) {
+  const nextProfile = { ...profile };
   if (opts.baseUrl) {
-    nextConfig.baseUrl = opts.baseUrl;
-    delete nextConfig.dev;
+    nextProfile.baseUrl = opts.baseUrl;
+    delete nextProfile.dev;
   } else if (opts.dev === true) {
-    nextConfig.dev = true;
-    delete nextConfig.baseUrl;
+    nextProfile.dev = true;
+    delete nextProfile.baseUrl;
   }
   if (opts.projectId) {
-    nextConfig.projectId = opts.projectId;
+    nextProfile.projectId = opts.projectId;
   }
   if (opts.privateKeyPath) {
-    nextConfig.privateKeyPath = opts.privateKeyPath;
+    nextProfile.privateKeyPath = opts.privateKeyPath;
   }
   if (opts.trustStorePath) {
-    nextConfig.trustStorePath = opts.trustStorePath;
+    nextProfile.trustStorePath = opts.trustStorePath;
   }
-  return nextConfig;
+  return nextProfile;
 }
 
-// src/commands/auth/login.ts
+// src/lib/resolve-auth.ts
+function buildApiKeyFromParts(accessKey, secretKey) {
+  if (!accessKey || !secretKey) {
+    return void 0;
+  }
+  return `${accessKey}.${secretKey}`;
+}
+function resolveApiKey(opts, profile, profileName) {
+  if (opts.apiKey) {
+    return {
+      value: opts.apiKey,
+      source: "--api-key flag",
+      incompleteSplitEnv: false
+    };
+  }
+  if (process.env.R4_API_KEY) {
+    return {
+      value: process.env.R4_API_KEY,
+      source: "R4_API_KEY env var",
+      incompleteSplitEnv: false
+    };
+  }
+  const splitEnvApiKey = buildApiKeyFromParts(
+    process.env.R4_ACCESS_KEY,
+    process.env.R4_SECRET_KEY
+  );
+  if (splitEnvApiKey) {
+    return {
+      value: splitEnvApiKey,
+      source: "R4_ACCESS_KEY + R4_SECRET_KEY env vars",
+      incompleteSplitEnv: false
+    };
+  }
+  if (profile.apiKey) {
+    return {
+      value: profile.apiKey,
+      source: `profile "${profileName}"`,
+      incompleteSplitEnv: false
+    };
+  }
+  return {
+    value: void 0,
+    source: "none",
+    incompleteSplitEnv: Boolean(process.env.R4_ACCESS_KEY || process.env.R4_SECRET_KEY)
+  };
+}
+function resolveProjectId(opts, profile) {
+  return opts.projectId || process.env.R4_PROJECT_ID || profile.projectId;
+}
+function resolveTrustStorePath(opts, profile, privateKeyPath) {
+  if (opts.trustStorePath) {
+    return { value: opts.trustStorePath, source: "--trust-store-path flag" };
+  }
+  if (process.env.R4_TRUST_STORE_PATH) {
+    return { value: process.env.R4_TRUST_STORE_PATH, source: "R4_TRUST_STORE_PATH env var" };
+  }
+  if (profile.trustStorePath) {
+    return { value: profile.trustStorePath, source: "profile config" };
+  }
+  if (privateKeyPath) {
+    return {
+      value: `${path3.resolve(privateKeyPath)}.trust.json`,
+      source: "default beside private key"
+    };
+  }
+  return { value: void 0, source: null };
+}
+function resolveConnection(opts, params) {
+  const configFile = loadConfig();
+  const profileName = getSelectedProfileName(
+    configFile,
+    opts.profile,
+    process.env.R4_PROFILE
+  );
+  const profile = getProfileConfig(configFile, profileName);
+  const runtimeMode = resolveRuntimeModeFromCli(opts, profile);
+  const apiKey = resolveApiKey(opts, profile, profileName);
+  const privateKey = resolvePrivateKeyPath({
+    cliPath: opts.privateKeyPath,
+    envPath: process.env.R4_PRIVATE_KEY_PATH,
+    profilePath: profile.privateKeyPath,
+    profileName
+  });
+  const trustStorePath = resolveTrustStorePath(opts, profile, privateKey.value);
+  if (params?.requireApiKey && !apiKey.value) {
+    throw new Error(
+      "No API key found. Provide one via:\n  --api-key <key>             CLI flag\n  R4_API_KEY                  environment variable\n  R4_ACCESS_KEY + R4_SECRET_KEY environment variables\n  r4 auth login               save it to a profile\n  r4 agent init               bootstrap the full first-run flow" + (apiKey.incompleteSplitEnv ? "\n\nBoth R4_ACCESS_KEY and R4_SECRET_KEY must be set together." : "")
+    );
+  }
+  if (params?.requirePrivateKey && !privateKey.value) {
+    throw new Error(
+      `No private key path found. Provide one via:
+  --private-key-path <path>   CLI flag
+  R4_PRIVATE_KEY_PATH         environment variable
+  profile config              saved privateKeyPath
+  r4 agent init               generate a key at ${getDefaultPrivateKeyPath(profileName)}`
+    );
+  }
+  return {
+    apiKey: apiKey.value,
+    apiKeySource: apiKey.source,
+    baseUrl: runtimeMode.baseUrl,
+    dev: runtimeMode.devMode,
+    projectId: resolveProjectId(opts, profile),
+    privateKeyPath: privateKey.value,
+    privateKeySource: privateKey.source,
+    trustStorePath: trustStorePath.value,
+    trustStoreSource: trustStorePath.source,
+    profileName,
+    profile,
+    configFile
+  };
+}
+function resolveAuth(opts) {
+  const connection = resolveConnection(opts, {
+    requireApiKey: true,
+    requirePrivateKey: true
+  });
+  return {
+    apiKey: connection.apiKey,
+    projectId: connection.projectId,
+    baseUrl: connection.baseUrl,
+    dev: connection.dev,
+    privateKeyPath: connection.privateKeyPath,
+    trustStorePath: connection.trustStorePath
+  };
+}
+
+// src/commands/doctor.ts
+function renderStatus(status) {
+  switch (status) {
+    case "pass":
+      return chalk2.green("PASS");
+    case "warn":
+      return chalk2.yellow("WARN");
+    case "fail":
+      return chalk2.red("FAIL");
+    default:
+      return chalk2.gray("SKIP");
+  }
+}
+function printDoctorReport(report) {
+  console.log();
+  console.log(chalk2.bold("  R4 Doctor"));
+  console.log();
+  printDetail(
+    [
+      ["Profile", report.profileName],
+      ["Base URL", report.baseUrl],
+      ["Mode", report.dev ? "dev" : "prod"],
+      ["Project ID", report.projectId || chalk2.dim("(not set)")],
+      ["Private Key", report.privateKeyPath || chalk2.dim("(not set)")],
+      ["Trust Store", report.trustStorePath || chalk2.dim("(not set)")],
+      ["Agent ID", report.agentId || report.agentName || chalk2.dim("(unknown)")]
+    ],
+    false
+  );
+  console.log();
+  printTable(
+    ["Check", "Status", "Detail"],
+    report.checks.map((check) => [
+      check.label,
+      renderStatus(check.status),
+      check.detail
+    ]),
+    false
+  );
+  if (report.vaults.length > 0) {
+    console.log();
+    console.log(chalk2.bold("  Vaults"));
+    console.log();
+    printTable(
+      ["Vault", "Items", "Wrapped Key", "Detail"],
+      report.vaults.map((vault) => [
+        vault.name,
+        String(vault.itemCount),
+        vault.wrappedKeyStatus,
+        vault.detail ?? "-"
+      ]),
+      false
+    );
+  }
+  console.log();
+}
+function doctorCommand(commandName = "doctor", description = "Verify CLI auth, runtime key registration, vault access, and zero-trust health") {
+  return new Command(commandName).description(description).action(
+    withErrorHandler(async (_opts, cmd) => {
+      const globalOpts = cmd.optsWithGlobals();
+      const connection = resolveConnection(globalOpts);
+      const spinner = ora("Running CLI health checks...").start();
+      const report = await runDoctorChecks(connection);
+      spinner.stop();
+      if (globalOpts.json) {
+        console.log(JSON.stringify(report, null, 2));
+        if (doctorHasFailures(report)) {
+          process.exitCode = 1;
+        }
+        return;
+      }
+      printDoctorReport(report);
+      if (doctorHasFailures(report)) {
+        process.exitCode = 1;
+      }
+    })
+  );
+}
+
+// src/lib/credentials-file.ts
+import fs3 from "node:fs";
+import path4 from "node:path";
+function normalizeFieldName(fieldName) {
+  return fieldName.trim().toLowerCase().replace(/[^a-z0-9]+/g, "");
+}
+function stripWrappingQuotes(value) {
+  const trimmed = value.trim();
+  if (trimmed.startsWith('"') && trimmed.endsWith('"') || trimmed.startsWith("'") && trimmed.endsWith("'")) {
+    return trimmed.slice(1, -1).trim();
+  }
+  return trimmed;
+}
+function parseBooleanLike(value) {
+  const normalized = value.trim().toLowerCase();
+  if (["1", "true", "yes", "on", "dev", "development"].includes(normalized)) {
+    return true;
+  }
+  if (["0", "false", "no", "off", "prod", "production"].includes(normalized)) {
+    return false;
+  }
+  return void 0;
+}
+function applyField(bundle, fieldName, rawValue) {
+  const value = stripWrappingQuotes(rawValue);
+  if (!value) {
+    return;
+  }
+  const normalized = normalizeFieldName(fieldName);
+  if (["apikey", "r4apikey", "machineapikey"].includes(normalized)) {
+    bundle.apiKey = value;
+    return;
+  }
+  if (["accesskey", "r4accesskey", "accesskeyid", "access", "keyid"].includes(normalized)) {
+    bundle.accessKey = value;
+    return;
+  }
+  if (["secretkey", "r4secretkey", "secret", "accesssecret", "secretaccesskey"].includes(normalized)) {
+    bundle.secretKey = value;
+    return;
+  }
+  if (["baseurl", "r4baseurl", "apiurl", "apibaseurl", "targetbaseurl", "url"].includes(normalized)) {
+    bundle.baseUrl = value;
+    return;
+  }
+  if (["environment", "env", "targetenvironment"].includes(normalized)) {
+    const dev = parseBooleanLike(value);
+    if (dev !== void 0) {
+      bundle.dev = dev;
+    }
+    return;
+  }
+  if (["projectid", "r4projectid", "project", "projectscope", "scopeprojectid"].includes(normalized)) {
+    bundle.projectId = value;
+    return;
+  }
+  if (["agentid", "r4agentid", "machineid"].includes(normalized)) {
+    bundle.agentId = value;
+    return;
+  }
+  if (["agentname", "r4agentname", "machinename"].includes(normalized)) {
+    bundle.agentName = value;
+  }
+}
+function finalizeBundle(bundle) {
+  if (!bundle.apiKey && bundle.accessKey && bundle.secretKey) {
+    bundle.apiKey = `${bundle.accessKey}.${bundle.secretKey}`;
+  }
+  return bundle;
+}
+function parseJsonContent(content) {
+  const parsed = JSON.parse(content);
+  const bundle = {};
+  const sources = [parsed];
+  for (const key of ["credentials", "profile"]) {
+    const nested = parsed[key];
+    if (nested && typeof nested === "object") {
+      sources.push(nested);
+    }
+  }
+  for (const source of sources) {
+    for (const [key, value] of Object.entries(source)) {
+      if (typeof value === "string") {
+        applyField(bundle, key, value);
+      } else if (typeof value === "boolean") {
+        applyField(bundle, key, String(value));
+      }
+    }
+  }
+  return finalizeBundle(bundle);
+}
+function parseEnvContent(content) {
+  const bundle = {};
+  for (const rawLine of content.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith("#")) {
+      continue;
+    }
+    const separatorIndex = line.indexOf("=");
+    if (separatorIndex === -1) {
+      continue;
+    }
+    const key = line.slice(0, separatorIndex).trim();
+    const value = line.slice(separatorIndex + 1).trim();
+    applyField(bundle, key, value);
+  }
+  return finalizeBundle(bundle);
+}
+function splitCsvLine(line) {
+  const cells = [];
+  let current = "";
+  let inQuotes = false;
+  for (let index = 0; index < line.length; index += 1) {
+    const character = line[index];
+    if (character === '"') {
+      const nextCharacter = line[index + 1];
+      if (inQuotes && nextCharacter === '"') {
+        current += '"';
+        index += 1;
+      } else {
+        inQuotes = !inQuotes;
+      }
+      continue;
+    }
+    if (character === "," && !inQuotes) {
+      cells.push(current.trim());
+      current = "";
+      continue;
+    }
+    current += character;
+  }
+  cells.push(current.trim());
+  return cells;
+}
+function parseHeaderlessCsvRow(values) {
+  const bundle = {};
+  if (values.length >= 1) {
+    bundle.accessKey = stripWrappingQuotes(values[0] ?? "");
+  }
+  if (values.length >= 2) {
+    bundle.secretKey = stripWrappingQuotes(values[1] ?? "");
+  }
+  if (values.length >= 3) {
+    const thirdValue = stripWrappingQuotes(values[2] ?? "");
+    if (thirdValue.startsWith("http://") || thirdValue.startsWith("https://")) {
+      bundle.baseUrl = thirdValue;
+    } else if (thirdValue) {
+      bundle.projectId = thirdValue;
+    }
+  }
+  if (values.length >= 4) {
+    const fourthValue = stripWrappingQuotes(values[3] ?? "");
+    if (!bundle.projectId) {
+      bundle.projectId = fourthValue;
+    } else if (!bundle.baseUrl) {
+      bundle.baseUrl = fourthValue;
+    }
+  }
+  return finalizeBundle(bundle);
+}
+function parseCsvContent(content) {
+  const lines = content.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0);
+  if (lines.length === 0) {
+    return {};
+  }
+  const firstRow = splitCsvLine(lines[0] ?? "");
+  const firstHeaders = firstRow.map(normalizeFieldName);
+  const looksLikeHeader = firstHeaders.some(
+    (header) => [
+      "apikey",
+      "accesskey",
+      "secretkey",
+      "baseurl",
+      "environment",
+      "projectid",
+      "agentid",
+      "agentname"
+    ].includes(header)
+  );
+  if (!looksLikeHeader) {
+    return parseHeaderlessCsvRow(firstRow);
+  }
+  const dataRow = lines.slice(1).find((line) => line.trim().length > 0);
+  if (!dataRow) {
+    return {};
+  }
+  const values = splitCsvLine(dataRow);
+  const bundle = {};
+  for (const [index, header] of firstRow.entries()) {
+    applyField(bundle, header, values[index] ?? "");
+  }
+  return finalizeBundle(bundle);
+}
+function parsePlainTextContent(content) {
+  const trimmed = content.trim();
+  if (!trimmed) {
+    return {};
+  }
+  if (trimmed.includes(".") && !/\s/.test(trimmed)) {
+    return { apiKey: trimmed };
+  }
+  const commaValues = splitCsvLine(trimmed);
+  if (commaValues.length >= 2) {
+    return parseHeaderlessCsvRow(commaValues);
+  }
+  return {};
+}
+function parseCredentialsFile(credentialsFilePath) {
+  const resolvedPath = path4.resolve(credentialsFilePath);
+  const content = fs3.readFileSync(resolvedPath, "utf8");
+  const extension = path4.extname(resolvedPath).toLowerCase();
+  if (extension === ".json") {
+    return parseJsonContent(content);
+  }
+  if (extension === ".env") {
+    return parseEnvContent(content);
+  }
+  if (extension === ".csv") {
+    return parseCsvContent(content);
+  }
+  if (content.includes("=") && !content.trim().startsWith("{")) {
+    return parseEnvContent(content);
+  }
+  if (content.includes(",") || content.includes("\n")) {
+    const csvBundle = parseCsvContent(content);
+    if (csvBundle.apiKey || csvBundle.accessKey || csvBundle.secretKey) {
+      return csvBundle;
+    }
+  }
+  if (content.trim().startsWith("{")) {
+    return parseJsonContent(content);
+  }
+  return parsePlainTextContent(content);
+}
+
+// src/commands/agent/init.ts
 function prompt(question) {
   const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
   return new Promise((resolve) => {
@@ -157,82 +1157,309 @@ function prompt(question) {
     });
   });
 }
-function loginCommand() {
-  return new Command("login").description("Save your API key and runtime key paths to the config file").action(
-    withErrorHandler(async (_opts, cmd) => {
-      const globalOpts = cmd.optsWithGlobals();
-      let apiKey = globalOpts.apiKey || process.env.R4_API_KEY;
-      if (!apiKey) {
-        apiKey = await prompt("Enter your R4 API key: ");
-      }
-      if (!apiKey) {
-        throw new Error("No API key provided.");
-      }
-      if (!apiKey.includes(".")) {
-        warn("API key format is usually {accessKey}.{secret}");
+function getAgentId(bundle) {
+  const entryCount = bundle.transparency?.entries.length ?? 0;
+  if (!bundle.transparency || entryCount === 0) {
+    return void 0;
+  }
+  return bundle.transparency.entries[entryCount - 1]?.agentId;
+}
+function applyCredentialBundleToProfile(profile, bundle, globalOpts, privateKeyPath) {
+  let nextProfile = { ...profile };
+  if (!globalOpts.baseUrl && globalOpts.dev !== true) {
+    if (bundle.baseUrl) {
+      nextProfile.baseUrl = bundle.baseUrl;
+      delete nextProfile.dev;
+    } else if (bundle.dev === true) {
+      nextProfile.dev = true;
+      delete nextProfile.baseUrl;
+    } else if (bundle.dev === false) {
+      delete nextProfile.dev;
+    }
+  }
+  if (!globalOpts.projectId && bundle.projectId) {
+    nextProfile.projectId = bundle.projectId;
+  }
+  if (bundle.agentId) {
+    nextProfile.agentId = bundle.agentId;
+  }
+  if (bundle.agentName) {
+    nextProfile.agentName = bundle.agentName;
+  }
+  nextProfile.privateKeyPath = privateKeyPath;
+  nextProfile = applyGlobalRuntimeOptionsToProfile(nextProfile, globalOpts);
+  return nextProfile;
+}
+function initCommand() {
+  return new Command2("init").description("Bootstrap local agent auth, key generation, public-key registration, and health checks").option(
+    "--credentials-file <path>",
+    "Read credentials from a CSV, .env, JSON, or plain-text handoff file"
+  ).action(
+    withErrorHandler(
+      async (opts, cmd) => {
+        const globalOpts = cmd.optsWithGlobals();
+        const config = loadConfig();
+        const profileName = getSelectedProfileName(
+          config,
+          globalOpts.profile,
+          process.env.R4_PROFILE
+        );
+        const existingProfile = getProfileConfig(config, profileName);
+        const bundle = opts.credentialsFile ? parseCredentialsFile(opts.credentialsFile) : {};
+        let apiKey = globalOpts.apiKey || process.env.R4_API_KEY || buildApiKeyFromParts(
+          process.env.R4_ACCESS_KEY,
+          process.env.R4_SECRET_KEY
+        ) || bundle.apiKey || existingProfile.apiKey;
+        if (!apiKey) {
+          apiKey = await prompt("Enter your R4 API key: ");
+        }
+        if (!apiKey) {
+          throw new Error("No API key provided.");
+        }
+        if (!apiKey.includes(".")) {
+          warn("API key format is usually {accessKey}.{secret}");
+        }
+        if (globalOpts.baseUrl && globalOpts.dev) {
+          warn("--base-url takes precedence over --dev and will be saved as the active runtime URL.");
+        }
+        const privateKeyPath = resolvePrivateKeyPath({
+          cliPath: globalOpts.privateKeyPath,
+          envPath: process.env.R4_PRIVATE_KEY_PATH,
+          profilePath: existingProfile.privateKeyPath,
+          profileName,
+          allowDefaultIfMissing: true
+        }).value;
+        if (!privateKeyPath) {
+          throw new Error("Unable to resolve a local private-key path for agent bootstrap.");
+        }
+        const keySpinner = ora2("Ensuring a local RSA private key exists...").start();
+        const { privateKeyPem, created } = ensurePrivateKey(privateKeyPath);
+        keySpinner.stop();
+        const publicKeyPem = derivePublicKey(privateKeyPem);
+        const nextProfile = applyCredentialBundleToProfile(
+          existingProfile,
+          bundle,
+          globalOpts,
+          privateKeyPath
+        );
+        const runtimeMode = resolveRuntimeModeFromCli(globalOpts, nextProfile);
+        const client = new CliClient(apiKey, runtimeMode.baseUrl);
+        const registerSpinner = ora2("Registering the local public key...").start();
+        const registration = await client.registerAgentPublicKey({
+          publicKey: publicKeyPem
+        });
+        registerSpinner.stop();
+        const savedProfile = {
+          ...nextProfile,
+          apiKey,
+          agentId: getAgentId(registration) ?? nextProfile.agentId
+        };
+        const savedConfig = setCurrentProfile(
+          updateProfile(config, profileName, savedProfile),
+          profileName
+        );
+        saveConfig(savedConfig);
+        success(
+          created ? `Generated a private key at ${privateKeyPath}` : `Reused the existing private key at ${privateKeyPath}`
+        );
+        success(`Saved profile "${profileName}" to the local CLI config`);
+        const doctorConnection = resolveConnection(
+          { ...globalOpts, profile: profileName },
+          { requireApiKey: true, requirePrivateKey: true }
+        );
+        const doctorSpinner = ora2("Running health checks...").start();
+        const report = await runDoctorChecks(doctorConnection);
+        doctorSpinner.stop();
+        printDoctorReport(report);
+        if (doctorHasFailures(report)) {
+          throw new Error(
+            "Agent init saved your local profile, but the health check still has failures."
+          );
+        }
+        success(
+          `Agent profile "${profileName}" is ready for ${runtimeMode.devMode ? "dev" : "prod"} use.`
+        );
       }
-      if (globalOpts.baseUrl && globalOpts.dev) {
-        warn("--base-url takes precedence over --dev and will be saved as the active runtime URL.");
+    )
+  );
+}
+
+// src/commands/agent/index.ts
+function registerAgentCommands(program2) {
+  const agent = program2.command("agent").description("Bootstrap and manage local agent runtime setup");
+  agent.addCommand(initCommand());
+}
+
+// src/commands/auth/diagnose.ts
+function diagnoseCommand() {
+  return doctorCommand(
+    "diagnose",
+    "Verify auth, public-key registration, vault access, and zero-trust health"
+  );
+}
+
+// src/commands/auth/login.ts
+import { Command as Command3 } from "commander";
+import readline2 from "node:readline";
+function prompt2(question) {
+  const rl = readline2.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+function applyCredentialBundleToProfile2(profile, bundle, globalOpts) {
+  let nextProfile = { ...profile };
+  if (!globalOpts.baseUrl && globalOpts.dev !== true) {
+    if (bundle.baseUrl) {
+      nextProfile.baseUrl = bundle.baseUrl;
+      delete nextProfile.dev;
+    } else if (bundle.dev === true) {
+      nextProfile.dev = true;
+      delete nextProfile.baseUrl;
+    } else if (bundle.dev === false) {
+      delete nextProfile.dev;
+    }
+  }
+  if (!globalOpts.projectId && bundle.projectId) {
+    nextProfile.projectId = bundle.projectId;
+  }
+  if (bundle.agentId) {
+    nextProfile.agentId = bundle.agentId;
+  }
+  if (bundle.agentName) {
+    nextProfile.agentName = bundle.agentName;
+  }
+  return applyGlobalRuntimeOptionsToProfile(nextProfile, globalOpts);
+}
+function loginCommand() {
+  return new Command3("login").description("Save your API key and runtime settings to the active CLI profile").option(
+    "--credentials-file <path>",
+    "Read credentials from a CSV, .env, JSON, or plain-text handoff file"
+  ).addHelpText(
+    "after",
+    `
+First run:
+  r4 agent init --credentials-file ./agent-creds.csv --dev
+
+That bootstrap flow can read the credentials bundle, generate a local RSA key if
+needed, register the public key with the machine API, save the profile, and run
+\`r4 doctor\`.
+
+Manual save-only flow:
+  r4 auth login --profile loom-dev --credentials-file ./agent-creds.csv --dev
+  r4 doctor --profile loom-dev
+`
+  ).action(
+    withErrorHandler(
+      async (opts, cmd) => {
+        const globalOpts = cmd.optsWithGlobals();
+        const config = loadConfig();
+        const profileName = getSelectedProfileName(
+          config,
+          globalOpts.profile,
+          process.env.R4_PROFILE
+        );
+        const existingProfile = getProfileConfig(config, profileName);
+        const bundle = opts.credentialsFile ? parseCredentialsFile(opts.credentialsFile) : {};
+        let apiKey = globalOpts.apiKey || process.env.R4_API_KEY || buildApiKeyFromParts(
+          process.env.R4_ACCESS_KEY,
+          process.env.R4_SECRET_KEY
+        ) || bundle.apiKey || existingProfile.apiKey;
+        if (!apiKey) {
+          apiKey = await prompt2("Enter your R4 API key: ");
+        }
+        if (!apiKey) {
+          throw new Error("No API key provided.");
+        }
+        if (!apiKey.includes(".")) {
+          warn("API key format is usually {accessKey}.{secret}");
+        }
+        if (globalOpts.baseUrl && globalOpts.dev) {
+          warn("--base-url takes precedence over --dev and will be saved as the active runtime URL.");
+        }
+        const nextProfile = applyCredentialBundleToProfile2(
+          existingProfile,
+          bundle,
+          globalOpts
+        );
+        const savedConfig = setCurrentProfile(
+          updateProfile(config, profileName, {
+            ...nextProfile,
+            apiKey
+          }),
+          profileName
+        );
+        saveConfig(savedConfig);
+        success(`Saved profile "${profileName}" to ${getConfigPath()}`);
       }
-      const config = applyGlobalRuntimeOptionsToConfig(loadConfig(), globalOpts);
-      config.apiKey = apiKey;
-      saveConfig(config);
-      success(`Runtime settings saved to ${getConfigPath()}`);
-    })
+    )
   );
 }
 
 // src/commands/auth/logout.ts
-import { Command as Command2 } from "commander";
+import { Command as Command4 } from "commander";
 function logoutCommand() {
-  return new Command2("logout").description("Remove saved API key from the config file").action(
-    withErrorHandler(async () => {
-      clearConfig();
-      success(`Config removed from ${getConfigPath()}`);
+  return new Command4("logout").description("Remove saved credentials from the active profile").option("--all", "Remove every saved profile and delete the config file").action(
+    withErrorHandler(async (opts, cmd) => {
+      if (opts.all) {
+        clearConfig();
+        success(`Removed all saved profiles from ${getConfigPath()}`);
+        return;
+      }
+      const globalOpts = cmd.optsWithGlobals();
+      const config = loadConfig();
+      const profileName = getSelectedProfileName(
+        config,
+        globalOpts.profile,
+        process.env.R4_PROFILE
+      );
+      if (!config.profiles[profileName]) {
+        throw new Error(`Profile "${profileName}" does not exist.`);
+      }
+      if (Object.keys(config.profiles).length === 1) {
+        clearConfig();
+      } else {
+        const nextConfig = removeProfile(config, profileName);
+        saveConfig(nextConfig);
+      }
+      success(`Removed profile "${profileName}" from ${getConfigPath()}`);
     })
   );
 }
 
 // src/commands/auth/status.ts
-import { Command as Command3 } from "commander";
-import chalk2 from "chalk";
+import { Command as Command5 } from "commander";
+import chalk3 from "chalk";
 function maskKey(key) {
-  if (key.length <= 8) return key;
-  return key.substring(0, 8) + "...";
+  if (key.length <= 8) {
+    return key;
+  }
+  return `${key.substring(0, 8)}...`;
 }
 function statusCommand() {
-  return new Command3("status").description("Show current authentication status").action(
+  return new Command5("status").description("Show current authentication and profile status").action(
     withErrorHandler(async (_opts, cmd) => {
       const globalOpts = cmd.optsWithGlobals();
-      const config = loadConfig();
-      const runtimeMode = resolveRuntimeModeFromCli(globalOpts, config);
-      let source;
-      let apiKey;
-      const privateKeyPath = globalOpts.privateKeyPath || process.env.R4_PRIVATE_KEY_PATH || config.privateKeyPath;
-      const trustStorePath = globalOpts.trustStorePath || process.env.R4_TRUST_STORE_PATH || config.trustStorePath;
-      if (globalOpts.apiKey) {
-        source = "--api-key flag";
-        apiKey = globalOpts.apiKey;
-      } else if (process.env.R4_API_KEY) {
-        source = "R4_API_KEY env var";
-        apiKey = process.env.R4_API_KEY;
-      } else if (config.apiKey) {
-        source = `config file (${getConfigPath()})`;
-        apiKey = config.apiKey;
-      } else {
-        source = "none";
-      }
+      const connection = resolveConnection(globalOpts);
       if (globalOpts.json) {
         console.log(
           JSON.stringify(
             {
-              authenticated: !!apiKey,
-              source,
-              apiKey: apiKey ? maskKey(apiKey) : null,
-              baseUrl: runtimeMode.baseUrl,
-              devMode: runtimeMode.devMode,
-              privateKeyPath: privateKeyPath || null,
-              trustStorePath: trustStorePath || null
+              authenticated: Boolean(connection.apiKey),
+              profile: connection.profileName,
+              source: connection.apiKeySource,
+              apiKey: connection.apiKey ? maskKey(connection.apiKey) : null,
+              agentId: connection.profile.agentId || null,
+              agentName: connection.profile.agentName || null,
+              baseUrl: connection.baseUrl,
+              devMode: connection.dev,
+              projectId: connection.projectId || null,
+              privateKeyPath: connection.privateKeyPath || null,
+              trustStorePath: connection.trustStorePath || null,
+              configPath: getConfigPath()
             },
             null,
             2
@@ -241,58 +1468,60 @@ function statusCommand() {
         return;
       }
       console.log();
-      if (apiKey) {
-        console.log(chalk2.bold("  Authenticated"));
+      if (!connection.apiKey) {
+        console.log(chalk3.bold("  Not authenticated"));
         console.log();
-        printDetail(
-          [
-            ["Source", source],
-            ["API Key", maskKey(apiKey)],
-            ["Mode", runtimeMode.devMode ? "dev" : "prod"],
-            ["Base URL", runtimeMode.baseUrl],
-            ["Private Key", privateKeyPath || chalk2.dim("(not set)")],
-            ["Trust Store", trustStorePath || chalk2.dim("(default beside key file)")]
-          ],
-          false
-        );
-      } else {
-        console.log(chalk2.bold("  Not authenticated"));
+        console.log(`  Active profile: ${chalk3.cyan(connection.profileName)}`);
+        console.log("  Run " + chalk3.cyan("r4 auth login") + " or " + chalk3.cyan("r4 agent init") + " to save credentials.");
         console.log();
-        console.log("  Run " + chalk2.cyan("r4 auth login") + " to save your API key.");
+        return;
       }
+      console.log(chalk3.bold("  Authenticated"));
+      console.log();
+      printDetail(
+        [
+          ["Profile", connection.profileName],
+          ["Source", connection.apiKeySource],
+          ["API Key", maskKey(connection.apiKey)],
+          ["Agent", connection.profile.agentName || connection.profile.agentId || chalk3.dim("(unknown)")],
+          ["Mode", connection.dev ? "dev" : "prod"],
+          ["Base URL", connection.baseUrl],
+          ["Project ID", connection.projectId || chalk3.dim("(not set)")],
+          ["Private Key", connection.privateKeyPath || chalk3.dim("(not set)")],
+          ["Trust Store", connection.trustStorePath || chalk3.dim("(not set)")],
+          ["Config File", getConfigPath()]
+        ],
+        false
+      );
       console.log();
     })
   );
 }
 
 // src/commands/auth/whoami.ts
-import { Command as Command4 } from "commander";
-import chalk3 from "chalk";
-function maskKey2(key) {
-  if (key.length <= 8) return key;
-  return key.substring(0, 8) + "...";
-}
+import { Command as Command6 } from "commander";
+import chalk4 from "chalk";
 function whoamiCommand() {
-  return new Command4("whoami").description("Show current authenticated identity").action(
+  return new Command6("whoami").description("Show the current profile, agent identity, and runtime target").action(
     withErrorHandler(async (_opts, cmd) => {
       const globalOpts = cmd.optsWithGlobals();
-      const config = loadConfig();
-      const runtimeMode = resolveRuntimeModeFromCli(globalOpts, config);
-      const apiKey = globalOpts.apiKey || process.env.R4_API_KEY || config.apiKey;
-      const projectId = globalOpts.projectId || process.env.R4_PROJECT_ID || config.projectId;
-      const privateKeyPath = globalOpts.privateKeyPath || process.env.R4_PRIVATE_KEY_PATH || config.privateKeyPath;
-      const trustStorePath = globalOpts.trustStorePath || process.env.R4_TRUST_STORE_PATH || config.trustStorePath;
+      const connection = resolveConnection(globalOpts);
+      const agentIdentity = connection.profile.agentName || connection.profile.agentId || null;
       if (globalOpts.json) {
         console.log(
           JSON.stringify(
             {
-              authenticated: !!apiKey,
-              apiKey: apiKey ? maskKey2(apiKey) : null,
-              projectId: projectId || null,
-              baseUrl: runtimeMode.baseUrl,
-              devMode: runtimeMode.devMode,
-              privateKeyPath: privateKeyPath || null,
-              trustStorePath: trustStorePath || null,
+              profile: connection.profileName,
+              authenticated: Boolean(connection.apiKey),
+              agent: {
+                id: connection.profile.agentId || null,
+                name: connection.profile.agentName || null
+              },
+              baseUrl: connection.baseUrl,
+              devMode: connection.dev,
+              projectId: connection.projectId || null,
+              privateKeyPath: connection.privateKeyPath || null,
+              trustStorePath: connection.trustStorePath || null,
               configPath: getConfigPath()
             },
             null,
@@ -302,23 +1531,18 @@ function whoamiCommand() {
         return;
       }
       console.log();
-      if (!apiKey) {
-        console.log(chalk3.bold("  Not authenticated"));
-        console.log();
-        console.log("  Run " + chalk3.cyan("r4 auth login") + " to save your API key.");
-        console.log();
-        return;
-      }
-      console.log(chalk3.bold("  Authenticated"));
+      console.log(chalk4.bold(connection.apiKey ? "  Current Identity" : "  Current Profile"));
       console.log();
       printDetail(
         [
-          ["API Key", maskKey2(apiKey)],
-          ["Project ID", projectId || chalk3.dim("(not set)")],
-          ["Mode", runtimeMode.devMode ? "dev" : "prod"],
-          ["Base URL", runtimeMode.baseUrl],
-          ["Private Key", privateKeyPath || chalk3.dim("(not set)")],
-          ["Trust Store", trustStorePath || chalk3.dim("(default beside key file)")],
+          ["Profile", connection.profileName],
+          ["Authenticated", connection.apiKey ? "yes" : "no"],
+          ["Agent", agentIdentity || chalk4.dim("(unknown)")],
+          ["Base URL", connection.baseUrl],
+          ["Mode", connection.dev ? "dev" : "prod"],
+          ["Project ID", connection.projectId || chalk4.dim("(not set)")],
+          ["Private Key", connection.privateKeyPath || chalk4.dim("(not set)")],
+          ["Trust Store", connection.trustStorePath || chalk4.dim("(not set)")],
           ["Config File", getConfigPath()]
         ],
         false
@@ -335,49 +1559,79 @@ function registerAuthCommands(program2) {
   auth.addCommand(logoutCommand());
   auth.addCommand(statusCommand());
   auth.addCommand(whoamiCommand());
+  auth.addCommand(diagnoseCommand());
 }
 
-// src/commands/vault/list.ts
-import { Command as Command5 } from "commander";
-import ora from "ora";
-import R4 from "@r4security/sdk";
+// src/commands/profile/list.ts
+import { Command as Command7 } from "commander";
+function listCommand() {
+  return new Command7("list").description("List saved CLI profiles").action(
+    withErrorHandler(async (_opts, cmd) => {
+      const globalOpts = cmd.optsWithGlobals();
+      const config = loadConfig();
+      const currentProfile = getCurrentProfileName(config);
+      const rows = getProfileNames(config).map((profileName) => {
+        const profile = config.profiles[profileName] ?? {};
+        return [
+          profileName,
+          profileName === currentProfile ? "yes" : "",
+          profile.baseUrl || (profile.dev ? "https://dev.r4.dev" : "(default)"),
+          profile.projectId || "-",
+          profile.agentId || profile.agentName || "-"
+        ];
+      });
+      console.log();
+      printTable(
+        ["Name", "Current", "Base URL", "Project ID", "Agent"],
+        rows,
+        !!globalOpts.json,
+        rows.map(([name, current, baseUrl, projectId, agent]) => ({
+          name,
+          current: current === "yes",
+          baseUrl,
+          projectId: projectId === "-" ? null : projectId,
+          agent: agent === "-" ? null : agent
+        }))
+      );
+      console.log();
+    })
+  );
+}
 
-// src/lib/resolve-auth.ts
-function resolveAuth(opts) {
-  const config = loadConfig();
-  const runtimeMode = resolveRuntimeModeFromCli(opts, config);
-  const apiKey = opts.apiKey || process.env.R4_API_KEY || config.apiKey;
-  if (!apiKey) {
-    throw new Error(
-      "No API key found. Provide one via:\n  --api-key <key>          CLI flag\n  R4_API_KEY               environment variable\n  r4 auth login            save to config file"
-    );
-  }
-  const privateKeyPath = opts.privateKeyPath || process.env.R4_PRIVATE_KEY_PATH || config.privateKeyPath;
-  if (!privateKeyPath) {
-    throw new Error(
-      "No private key path found. Provide one via:\n  --private-key-path <path> CLI flag\n  R4_PRIVATE_KEY_PATH       environment variable\n  ~/.r4/config.json         config file (privateKeyPath field)"
-    );
-  }
-  const projectId = opts.projectId || process.env.R4_PROJECT_ID || config.projectId;
-  const trustStorePath = opts.trustStorePath || process.env.R4_TRUST_STORE_PATH || config.trustStorePath;
-  return {
-    apiKey,
-    projectId,
-    baseUrl: runtimeMode.baseUrl,
-    dev: runtimeMode.devMode,
-    privateKeyPath,
-    trustStorePath
-  };
+// src/commands/profile/use.ts
+import { Command as Command8 } from "commander";
+function useCommand() {
+  return new Command8("use").description("Switch the active CLI profile").argument("<name>", "Profile name").action(
+    withErrorHandler(async (profileName) => {
+      const config = loadConfig();
+      const profile = getProfileConfig(config, profileName);
+      if (Object.keys(profile).length === 0 && !config.profiles[profileName]) {
+        throw new Error(`Profile "${profileName}" does not exist.`);
+      }
+      saveConfig(setCurrentProfile(config, profileName));
+      success(`Now using profile "${profileName}"`);
+    })
+  );
+}
+
+// src/commands/profile/index.ts
+function registerProfileCommands(program2) {
+  const profile = program2.command("profile").description("Manage saved CLI profiles");
+  profile.addCommand(listCommand());
+  profile.addCommand(useCommand());
 }
 
 // src/commands/vault/list.ts
-function listCommand() {
-  return new Command5("list").description("List all locally decrypted environment variables").action(
+import { Command as Command9 } from "commander";
+import ora3 from "ora";
+import R42 from "@r4security/sdk";
+function listCommand2() {
+  return new Command9("list").description("List all locally decrypted environment variables").action(
     withErrorHandler(async (_opts, cmd) => {
       const globalOpts = cmd.optsWithGlobals();
       const config = resolveAuth(globalOpts);
-      const spinner = ora("Fetching environment variables...").start();
-      const r4 = await R4.create(config);
+      const spinner = ora3("Fetching environment variables...").start();
+      const r4 = await R42.create(config);
       spinner.stop();
       const env = r4.env;
       const keys = Object.keys(env).sort();
@@ -397,39 +1651,12 @@ function listCommand() {
   );
 }
 
-// src/commands/vault/get.ts
-import { Command as Command6 } from "commander";
-import ora2 from "ora";
-import R42 from "@r4security/sdk";
-function getCommand() {
-  return new Command6("get").description("Get a specific locally decrypted environment variable value").argument("<key>", "Environment variable key (SCREAMING_SNAKE_CASE)").action(
-    withErrorHandler(
-      async (keyArg, _opts, cmd) => {
-        const globalOpts = cmd.optsWithGlobals();
-        const config = resolveAuth(globalOpts);
-        const spinner = ora2("Fetching environment variables...").start();
-        const r4 = await R42.create(config);
-        spinner.stop();
-        const env = r4.env;
-        const key = keyArg.toUpperCase();
-        const value = env[key];
-        if (value === void 0) {
-          const available = Object.keys(env).sort().join(", ") || "(none)";
-          throw new Error(`Key "${key}" not found. Available keys: ${available}`);
-        }
-        if (globalOpts.json) {
-          console.log(JSON.stringify({ key, value }, null, 2));
-          return;
-        }
-        process.stdout.write(value);
-      }
-    )
-  );
-}
+// src/commands/vault/list-items.ts
+import { Command as Command11 } from "commander";
 
 // src/commands/vault/items.ts
-import { Command as Command7 } from "commander";
-import ora3 from "ora";
+import { Command as Command10 } from "commander";
+import ora4 from "ora";
 import R43 from "@r4security/sdk";
 function deriveItems(env) {
   const keys = Object.keys(env).sort();
@@ -438,12 +1665,71 @@ function deriveItems(env) {
     fields: [{ name: key, key }]
   }));
 }
+async function loadVaultMetadataRows(globalOpts) {
+  const connection = resolveConnection(globalOpts, { requireApiKey: true });
+  const client = new CliClient(connection.apiKey, connection.baseUrl);
+  const { vaults } = await client.listVaults(connection.projectId);
+  const rows = [];
+  for (const vault of vaults) {
+    const response = await client.listVaultItems(vault.id);
+    const groupNames = Object.fromEntries(
+      response.vaultItemGroups.map((group) => [group.id, group.name])
+    );
+    for (const item of response.items) {
+      rows.push({
+        vaultId: vault.id,
+        vaultName: vault.name,
+        itemId: item.id,
+        itemName: item.name,
+        type: item.type,
+        fieldCount: item.fieldCount,
+        groupName: item.groupId ? groupNames[item.groupId] ?? item.groupId : null,
+        websites: item.websites
+      });
+    }
+  }
+  return rows.sort((left, right) => {
+    const vaultCompare = left.vaultName.localeCompare(right.vaultName);
+    return vaultCompare !== 0 ? vaultCompare : left.itemName.localeCompare(right.itemName);
+  });
+}
+async function renderVaultMetadataRows(globalOpts) {
+  const spinner = ora4("Fetching vault item metadata...").start();
+  const rows = await loadVaultMetadataRows(globalOpts);
+  spinner.stop();
+  if (globalOpts.json) {
+    console.log(JSON.stringify(rows, null, 2));
+    return;
+  }
+  if (rows.length === 0) {
+    console.log("\n  No vault items found.\n");
+    return;
+  }
+  console.log();
+  printTable(
+    ["Vault", "Item", "Type", "Fields", "Group", "Websites"],
+    rows.map((row) => [
+      row.vaultName,
+      row.itemName,
+      row.type || "-",
+      String(row.fieldCount),
+      row.groupName || "-",
+      row.websites.join(", ") || "-"
+    ]),
+    false
+  );
+  console.log();
+}
 function itemsCommand() {
-  return new Command7("items").description("List all vault items represented in the locally decrypted env map").action(
-    withErrorHandler(async (_opts, cmd) => {
+  return new Command10("items").description("List vault items from the decrypted env map, or use --metadata-only for raw machine metadata").option("--metadata-only", "List item metadata without local decryption").action(
+    withErrorHandler(async (opts, cmd) => {
       const globalOpts = cmd.optsWithGlobals();
+      if (opts.metadataOnly) {
+        await renderVaultMetadataRows(globalOpts);
+        return;
+      }
       const config = resolveAuth(globalOpts);
-      const spinner = ora3("Fetching vault items...").start();
+      const spinner = ora4("Fetching vault items...").start();
       const r4 = await R43.create(config);
       spinner.stop();
       const env = r4.env;
@@ -468,18 +1754,95 @@ function itemsCommand() {
   );
 }
 
-// src/commands/vault/search.ts
-import { Command as Command8 } from "commander";
-import ora4 from "ora";
+// src/commands/vault/list-items.ts
+function listItemsCommand() {
+  return new Command11("list-items").description("List vault item metadata only, without requiring local decryption").action(
+    withErrorHandler(async (_opts, cmd) => {
+      const globalOpts = cmd.optsWithGlobals();
+      await renderVaultMetadataRows(globalOpts);
+    })
+  );
+}
+
+// src/commands/vault/list-vaults.ts
+import { Command as Command12 } from "commander";
+import ora5 from "ora";
+function listVaultsCommand() {
+  return new Command12("list-vaults").description("List visible vaults without requiring local decryption").action(
+    withErrorHandler(async (_opts, cmd) => {
+      const globalOpts = cmd.optsWithGlobals();
+      const connection = resolveConnection(globalOpts, { requireApiKey: true });
+      const client = new CliClient(connection.apiKey, connection.baseUrl);
+      const spinner = ora5("Fetching visible vaults...").start();
+      const response = await client.listVaults(connection.projectId);
+      spinner.stop();
+      if (globalOpts.json) {
+        console.log(JSON.stringify(response.vaults, null, 2));
+        return;
+      }
+      if (response.vaults.length === 0) {
+        console.log("\n  No visible vaults found.\n");
+        return;
+      }
+      console.log();
+      printTable(
+        ["ID", "Name", "Classification", "Items", "Created At"],
+        response.vaults.map((vault) => [
+          vault.id,
+          vault.name,
+          vault.dataClassification || "-",
+          String(vault.itemCount),
+          vault.createdAt
+        ]),
+        false
+      );
+      console.log();
+    })
+  );
+}
+
+// src/commands/vault/get.ts
+import { Command as Command13 } from "commander";
+import ora6 from "ora";
 import R44 from "@r4security/sdk";
+function getCommand() {
+  return new Command13("get").description("Get a specific locally decrypted environment variable value").argument("<key>", "Environment variable key (SCREAMING_SNAKE_CASE)").action(
+    withErrorHandler(
+      async (keyArg, _opts, cmd) => {
+        const globalOpts = cmd.optsWithGlobals();
+        const config = resolveAuth(globalOpts);
+        const spinner = ora6("Fetching environment variables...").start();
+        const r4 = await R44.create(config);
+        spinner.stop();
+        const env = r4.env;
+        const key = keyArg.toUpperCase();
+        const value = env[key];
+        if (value === void 0) {
+          const available = Object.keys(env).sort().join(", ") || "(none)";
+          throw new Error(`Key "${key}" not found. Available keys: ${available}`);
+        }
+        if (globalOpts.json) {
+          console.log(JSON.stringify({ key, value }, null, 2));
+          return;
+        }
+        process.stdout.write(value);
+      }
+    )
+  );
+}
+
+// src/commands/vault/search.ts
+import { Command as Command14 } from "commander";
+import ora7 from "ora";
+import R45 from "@r4security/sdk";
 function searchCommand() {
-  return new Command8("search").description("Search vault items by name").argument("<query>", "Search query (case-insensitive match against key names)").action(
+  return new Command14("search").description("Search vault items by name").argument("<query>", "Search query (case-insensitive match against key names)").action(
     withErrorHandler(
       async (query, _opts, cmd) => {
         const globalOpts = cmd.optsWithGlobals();
         const config = resolveAuth(globalOpts);
-        const spinner = ora4("Searching vault items...").start();
-        const r4 = await R44.create(config);
+        const spinner = ora7("Searching vault items...").start();
+        const r4 = await R45.create(config);
         spinner.stop();
         const env = r4.env;
         const lowerQuery = query.toLowerCase();
@@ -507,68 +1870,24 @@ function searchCommand() {
 // src/commands/vault/index.ts
 function registerVaultCommands(program2) {
   const vault = program2.command("vault").description("Manage vault secrets");
-  vault.addCommand(listCommand());
+  vault.addCommand(listCommand2());
+  vault.addCommand(listVaultsCommand());
+  vault.addCommand(listItemsCommand());
   vault.addCommand(getCommand());
   vault.addCommand(itemsCommand());
   vault.addCommand(searchCommand());
 }
 
 // src/commands/project/list.ts
-import { Command as Command9 } from "commander";
-import ora5 from "ora";
-
-// src/lib/client.ts
-var CliClient = class {
-  apiKey;
-  baseUrl;
-  constructor(apiKey, baseUrl) {
-    this.apiKey = apiKey;
-    this.baseUrl = baseUrl.replace(/\/$/, "");
-  }
-  /**
-   * Make an authenticated request to the machine API.
-   * Handles error responses consistently with the SDK pattern.
-   */
-  async request(method, path2, body) {
-    const url = `${this.baseUrl}${path2}`;
-    const response = await fetch(url, {
-      method,
-      headers: {
-        "X-API-Key": this.apiKey,
-        "Content-Type": "application/json"
-      },
-      body: body ? JSON.stringify(body) : void 0
-    });
-    if (!response.ok) {
-      const errorBody = await response.json().catch(() => ({}));
-      const error = errorBody?.error;
-      const errorMessage = error?.message || `HTTP ${response.status}: ${response.statusText}`;
-      throw new Error(`R4 API Error: ${errorMessage}`);
-    }
-    return response.json();
-  }
-  /** List all projects. GET /api/v1/machine/project */
-  async listProjects() {
-    return this.request("GET", "/api/v1/machine/project");
-  }
-  /** Get project details. GET /api/v1/machine/project/:id */
-  async getProject(id) {
-    return this.request("GET", `/api/v1/machine/project/${id}`);
-  }
-  /** Create a new project. POST /api/v1/machine/project */
-  async createProject(data) {
-    return this.request("POST", "/api/v1/machine/project", data);
-  }
-};
-
-// src/commands/project/list.ts
-function listCommand2() {
-  return new Command9("list").description("List all projects").action(
+import { Command as Command15 } from "commander";
+import ora8 from "ora";
+function listCommand3() {
+  return new Command15("list").description("List all projects").action(
     withErrorHandler(async (_opts, cmd) => {
       const globalOpts = cmd.optsWithGlobals();
-      const config = resolveAuth(globalOpts);
-      const client = new CliClient(config.apiKey, config.baseUrl || "https://r4.dev");
-      const spinner = ora5("Fetching projects...").start();
+      const connection = resolveConnection(globalOpts, { requireApiKey: true });
+      const client = new CliClient(connection.apiKey, connection.baseUrl);
+      const spinner = ora8("Fetching projects...").start();
       const response = await client.listProjects();
       spinner.stop();
       const rows = response.projects.map((p) => [
@@ -592,16 +1911,16 @@ function listCommand2() {
 }
 
 // src/commands/project/get.ts
-import { Command as Command10 } from "commander";
-import chalk4 from "chalk";
-import ora6 from "ora";
+import { Command as Command16 } from "commander";
+import chalk5 from "chalk";
+import ora9 from "ora";
 function getCommand2() {
-  return new Command10("get").description("Get project details").argument("<id>", "Project ID").action(
+  return new Command16("get").description("Get project details").argument("<id>", "Project ID").action(
     withErrorHandler(async (id, _opts, cmd) => {
       const globalOpts = cmd.optsWithGlobals();
-      const config = resolveAuth(globalOpts);
-      const client = new CliClient(config.apiKey, config.baseUrl || "https://r4.dev");
-      const spinner = ora6("Fetching project...").start();
+      const connection = resolveConnection(globalOpts, { requireApiKey: true });
+      const client = new CliClient(connection.apiKey, connection.baseUrl);
+      const spinner = ora9("Fetching project...").start();
       const project = await client.getProject(id);
       spinner.stop();
       if (globalOpts.json) {
@@ -609,7 +1928,7 @@ function getCommand2() {
         return;
       }
       console.log();
-      console.log(chalk4.bold(`  ${project.name}`));
+      console.log(chalk5.bold(`  ${project.name}`));
       console.log();
       printDetail(
         [
@@ -625,7 +1944,7 @@ function getCommand2() {
       );
       if (project.vaults.length > 0) {
         console.log();
-        console.log(chalk4.bold("  Vaults"));
+        console.log(chalk5.bold("  Vaults"));
         console.log();
         printTable(
           ["ID", "Name", "Encrypted"],
@@ -635,7 +1954,7 @@ function getCommand2() {
       }
       if (project.licenses.length > 0) {
         console.log();
-        console.log(chalk4.bold("  Licenses"));
+        console.log(chalk5.bold("  Licenses"));
         console.log();
         printTable(
           ["ID", "Name", "Type"],
@@ -645,7 +1964,7 @@ function getCommand2() {
       }
       if (project.licenseGroups.length > 0) {
         console.log();
-        console.log(chalk4.bold("  License Groups"));
+        console.log(chalk5.bold("  License Groups"));
         console.log();
         printTable(
           ["ID", "Name"],
@@ -659,11 +1978,11 @@ function getCommand2() {
 }
 
 // src/commands/project/create.ts
-import { Command as Command11 } from "commander";
-import readline2 from "node:readline";
-import ora7 from "ora";
-function prompt2(question) {
-  const rl = readline2.createInterface({ input: process.stdin, output: process.stdout });
+import { Command as Command17 } from "commander";
+import readline3 from "node:readline";
+import ora10 from "ora";
+function prompt3(question) {
+  const rl = readline3.createInterface({ input: process.stdin, output: process.stdout });
   return new Promise((resolve) => {
     rl.question(question, (answer) => {
       rl.close();
@@ -672,19 +1991,19 @@ function prompt2(question) {
   });
 }
 function createCommand() {
-  return new Command11("create").description("Create a new project").option("--name <name>", "Project name").option("--description <description>", "Project description").option("--external-id <externalId>", "External identifier").action(
+  return new Command17("create").description("Create a new project").option("--name <name>", "Project name").option("--description <description>", "Project description").option("--external-id <externalId>", "External identifier").action(
     withErrorHandler(async (opts, cmd) => {
       const globalOpts = cmd.optsWithGlobals();
-      const config = resolveAuth(globalOpts);
-      const client = new CliClient(config.apiKey, config.baseUrl || "https://r4.dev");
+      const connection = resolveConnection(globalOpts, { requireApiKey: true });
+      const client = new CliClient(connection.apiKey, connection.baseUrl);
       let name = opts.name;
       if (!name) {
-        name = await prompt2("Project name: ");
+        name = await prompt3("Project name: ");
       }
       if (!name) {
         throw new Error("Project name is required.");
       }
-      const spinner = ora7("Creating project...").start();
+      const spinner = ora10("Creating project...").start();
       const response = await client.createProject({
         name,
         description: opts.description,
@@ -703,23 +2022,23 @@ function createCommand() {
 // src/commands/project/index.ts
 function registerProjectCommands(program2) {
   const project = program2.command("project").description("Manage projects");
-  project.addCommand(listCommand2());
+  project.addCommand(listCommand3());
   project.addCommand(getCommand2());
   project.addCommand(createCommand());
 }
 
 // src/commands/run/index.ts
 import { spawn } from "node:child_process";
-import ora8 from "ora";
-import R45 from "@r4security/sdk";
+import ora11 from "ora";
+import R46 from "@r4security/sdk";
 function registerRunCommand(program2) {
   program2.command("run").description("Run a command with vault secrets injected as environment variables").argument("<command...>", "Command and arguments to execute").option("--prefix <prefix>", "Add prefix to all injected env var names").action(
     withErrorHandler(
       async (commandParts, opts, cmd) => {
         const globalOpts = cmd.optsWithGlobals();
         const config = resolveAuth(globalOpts);
-        const spinner = ora8("Loading vault secrets...").start();
-        const r4 = await R45.create(config);
+        const spinner = ora11("Loading vault secrets...").start();
+        const r4 = await R46.create(config);
         spinner.stop();
         const env = r4.env;
         const secretEnv = {};
@@ -745,11 +2064,14 @@ function registerRunCommand(program2) {
 }
 
 // src/index.ts
-var program = new Command12();
-program.name("r4").description("R4 CLI \u2014 manage vaults, projects, and secrets from the terminal").version("0.0.2").option("--api-key <key>", "API key (overrides R4_API_KEY env var and config file)").option("--project-id <id>", "Optional project ID filter (overrides R4_PROJECT_ID env var and config file)").option("--dev", "Use https://dev.r4.dev unless an explicit base URL override is set").option("--base-url <url>", "API base URL (default: https://r4.dev)").option("--private-key-path <path>", "Path to the agent private key PEM (overrides R4_PRIVATE_KEY_PATH env var and config file)").option("--trust-store-path <path>", "Path to the local signer trust-store JSON (overrides R4_TRUST_STORE_PATH env var and config file)").option("--json", "Output as JSON for scripting and piping", false);
+var program = new Command18();
+program.name("r4").description("R4 CLI \u2014 manage vaults, projects, and secrets from the terminal").version("0.0.5").option("--api-key <key>", "API key (overrides R4_API_KEY env var and config file)").option("--profile <name>", "CLI profile name (overrides R4_PROFILE and the saved current profile)").option("--project-id <id>", "Optional project ID filter (overrides R4_PROJECT_ID env var and config file)").option("--dev", "Use https://dev.r4.dev unless an explicit base URL override is set").option("--base-url <url>", "API base URL (default: https://r4.dev)").option("--private-key-path <path>", "Path to the agent private key PEM (overrides R4_PRIVATE_KEY_PATH env var and config file)").option("--trust-store-path <path>", "Path to the local signer trust-store JSON (overrides R4_TRUST_STORE_PATH env var and config file)").option("--json", "Output as JSON for scripting and piping", false);
+registerAgentCommands(program);
 registerAuthCommands(program);
+registerProfileCommands(program);
 registerVaultCommands(program);
 registerProjectCommands(program);
 registerRunCommand(program);
+program.addCommand(doctorCommand());
 program.parse();
 //# sourceMappingURL=index.js.map