@solarains/va-cli 0.1.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 VAOne contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,132 @@
+# va-cli
+
+Bootstrap CLI for the new VAOne product.
+
+This project intentionally starts as a runnable but business-light CLI shell. It
+defines the command tree, local config and state layout, token-storage
+abstraction, diagnostics path, and placeholder commands that later child
+changes will extend for browser auth, installation binding, and usage queries.
+
+Parent architecture references:
+
+- `openspec/changes/define-skills-mvp-architecture/proposal.md`
+- `openspec/changes/define-skills-mvp-architecture/design.md`
+- `openspec/changes/define-skills-mvp-architecture/specs/skills-system-architecture/spec.md`
+- `openspec/changes/define-skills-mvp-architecture/master-task-list.md`
+- `openspec/changes/bootstrap-va-cli/design.md`
+- `openspec/changes/add-cli-browser-auth-flow/proposal.md`
+- `openspec/changes/add-cli-browser-auth-flow/design.md`
+
+Current command surface:
+
+- `vaone init`
+- `vaone auth login`
+- `vaone auth logout`
+- `vaone usage`
+- `vaone doctor`
+
+Current auth foundation:
+
+- `vaone auth login` now generates PKCE verifier/challenge pairs for a public CLI client
+- the CLI creates or resumes a durable installation identity with ed25519 key material
+- primary completion uses a localhost loopback callback
+- fallback completion prints the browser URL and terminal QR code, then polls the same auth session
+- token persistence stores account id, installation id, session id, access token, and refresh token metadata
+- refresh continuation signs `refreshToken + installationId + signedAt` with the local installation private key
+- revoked installations and invalid installation-proof refresh attempts now resolve to explicit re-login guidance instead of generic refresh failure
+
+Current source layout:
+
+- `src/cli/` startup, command tree, help rendering
+- `src/commands/` grouped command handlers
+- `src/config/` runtime configuration and endpoint loading
+- `src/features/init/` agent target detection, managed pack generation, init orchestration
+- `src/state/` local path layout and file-backed storage adapters
+- `src/shared/` logging and output helpers
+
+## `vaone init`
+
+`vaone init` is the supported onboarding path for agent-ready setup. It now:
+
+- detects Codex, Claude Code, and OpenClaw install surfaces
+- supports `project` and `user` scope installation
+- installs thin VAOne-managed agent packs that call back into `vaone`
+- chains into `vaone auth login` by default unless `--skip-login` is set
+- runs CLI-native readiness checks before exit
+
+Supported flags:
+
+- `--agents codex,claude,openclaw`
+- `--scope project|user`
+- `--skip-login`
+- `--force`
+- `--yes`
+
+Target-specific install behavior:
+
+- Codex: installs `vaone/SKILL.md` under `.codex/skills` or `~/.codex/skills`
+- Claude Code: installs managed files under `.claude/commands`, `.claude/agents`, and `.claude/VAONE.md`
+- OpenClaw: installs `vaone/SKILL.md` under `skills` or `~/.openclaw/skills`
+
+Current MVP limits:
+
+- Claude Code support is limited to managed command and agent guide files; deeper adapter behavior can be expanded later
+- OpenClaw marketplace plugin packaging is still deferred; this change only installs local skill assets
+- Agents may need a full restart or a new session before they discover newly installed files
+
+## Local development
+
+```bash
+pnpm install
+pnpm cli -- --help
+```
+
+## Validation
+
+```bash
+pnpm typecheck
+pnpm lint
+pnpm test
+pnpm build
+node dist/main.js --help
+```
+
+## npm release packaging
+
+`va-cli` now assembles a dedicated publish root under `dist/publish/` and
+publishes from that directory instead of from the repository root.
+
+Useful commands:
+
+```bash
+pnpm build:publish
+pnpm pack:publish
+pnpm verify:publish
+```
+
+Release flow:
+
+```bash
+pnpm release:prepare
+pnpm verify:publish
+npm publish dist/publish --access public
+```
+
+`pnpm release:prepare` increments the patch version in the root
+`package.json`, then rebuilds `dist/publish/` with the updated version.
+
+Before the first real npm publish, add the intended license text at
+`va-cli/LICENSE`. The packaging flow copies that file into `dist/publish/` when
+present.
+
+## Git Workflow
+
+- 提交信息使用 Conventional Commits，建议以中文描述主要变更，例如 `feat(cli): 增加日报查询命令`
+- 本仓库启用 Husky：
+  - `pre-commit` 会执行 `pnpm lint-staged` 和 `pnpm typecheck`
+  - `commit-msg` 会执行 `pnpm commitlint --edit`
+- PR 需要填写摘要、背景、验证方式，以及配置 / 认证 / 本地状态影响
+- CLI 相关 PR 请附关键命令示例输出
+- 提交前最少通过：
+  - `pnpm lint`
+  - `pnpm typecheck`

package/dist/cli/command-types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cli/help-copy.js

@@ -0,0 +1,97 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getHelpCopy = getHelpCopy;
+exports.getLocalizedCommandHelp = getLocalizedCommandHelp;
+exports.getLocalizedChildSummary = getLocalizedChildSummary;
+const HELP_COPY = {
+    en: {
+        commandsHeading: 'Commands:',
+        globalFlagsHeading: 'Global flags:',
+        helpFlag: 'Show help',
+        debugFlag: 'Enable debug logging',
+        commandHelp: {
+            '': {
+                summary: 'VAOne CLI with guided init, auth, assets, usage, daily reports, intelligence queries, and diagnostics.',
+                usage: 'vaone <command> [subcommand] [options]',
+            },
+            init: {
+                summary: 'Install VisionAlpha operator skills with branded onboarding and optional browser login.',
+                usage: 'vaone init [.] [--agents codex,claude,openclaw] [--scope project|user] [--lang en|zh-CN] [--skip-login] [--force] [--yes]',
+            },
+            auth: {
+                summary: 'Authentication placeholder commands for future browser login.',
+            },
+            assets: {
+                summary: 'Browse asset catalog commands.',
+            },
+            usage: {
+                summary: 'Show current account usage summary.',
+            },
+            reports: {
+                summary: 'List or read normalized daily reports.',
+            },
+            intelligence: {
+                summary: 'Query paid asset intelligence data.',
+            },
+            doctor: {
+                summary: 'Run local diagnostics for auth, install, and configuration state.',
+            },
+        },
+        unknownCommandSegment(path, token) {
+            return `Unknown command segment "${token}" under "${path}".`;
+        },
+    },
+    'zh-CN': {
+        commandsHeading: '命令：',
+        globalFlagsHeading: '全局参数：',
+        helpFlag: '显示帮助',
+        debugFlag: '启用调试日志',
+        commandHelp: {
+            '': {
+                summary: 'VAOne CLI，提供引导式 init、认证、资产、usage、日报、intelligence 查询与诊断能力。',
+                usage: 'vaone <命令> [子命令] [参数]',
+            },
+            init: {
+                summary: '通过带品牌感的引导流程安装 VisionAlpha operator skills，并可选串联浏览器登录。',
+                usage: 'vaone init [.] [--agents codex,claude,openclaw] [--scope project|user] [--lang en|zh-CN] [--skip-login] [--force] [--yes]',
+            },
+            auth: {
+                summary: '认证相关命令，包括浏览器登录与退出登录。',
+            },
+            assets: {
+                summary: '浏览资产目录相关命令。',
+            },
+            usage: {
+                summary: '显示当前账户 usage 摘要。',
+            },
+            reports: {
+                summary: '列出或读取标准化日报。',
+            },
+            intelligence: {
+                summary: '查询付费资产 intelligence 数据。',
+            },
+            doctor: {
+                summary: '运行本地认证、安装和配置状态诊断。',
+            },
+        },
+        unknownCommandSegment(path, token) {
+            return `命令 "${path}" 下不存在 "${token}" 这一段。`;
+        },
+    },
+};
+function pathKey(pathSegments) {
+    return pathSegments.join(' ');
+}
+function getHelpCopy(locale) {
+    return HELP_COPY[locale];
+}
+function getLocalizedCommandHelp(locale, command, pathSegments) {
+    return (HELP_COPY[locale].commandHelp[pathKey(pathSegments)] ?? {
+        summary: command.summary,
+        usage: command.usage,
+    });
+}
+function getLocalizedChildSummary(locale, pathSegments, child) {
+    return (HELP_COPY[locale].commandHelp[pathKey([...pathSegments, child.name])]
+        ?.summary ?? child.summary);
+}

package/dist/cli/help.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.renderHelp = renderHelp;
+const help_copy_1 = require("./help-copy");
+function formatPath(segments) {
+    return ['vaone', ...segments].join(' ');
+}
+function renderHelp(command, pathSegments = [], locale = 'en') {
+    const copy = (0, help_copy_1.getHelpCopy)(locale);
+    const localized = (0, help_copy_1.getLocalizedCommandHelp)(locale, command, pathSegments);
+    const lines = [];
+    const usage = localized.usage ?? command.usage ?? formatPath(pathSegments);
+    const summary = localized.summary ?? command.summary;
+    lines.push(`Usage: ${usage}`);
+    lines.push('');
+    lines.push(summary);
+    if (command.children?.length) {
+        lines.push('');
+        lines.push(copy.commandsHeading);
+        for (const child of command.children) {
+            lines.push(`  ${child.name.padEnd(10, ' ')} ${(0, help_copy_1.getLocalizedChildSummary)(locale, pathSegments, child)}`);
+        }
+    }
+    lines.push('');
+    lines.push(copy.globalFlagsHeading);
+    lines.push(`  --help, -h   ${copy.helpFlag}`);
+    lines.push(`  --debug      ${copy.debugFlag}`);
+    return lines.join('\n');
+}

package/dist/cli/root-command.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rootCommand = void 0;
+const assets_command_1 = require("../commands/assets/assets-command");
+const auth_command_1 = require("../commands/auth/auth-command");
+const doctor_command_1 = require("../commands/doctor/doctor-command");
+const init_command_1 = require("../commands/init/init-command");
+const intelligence_command_1 = require("../commands/intelligence/intelligence-command");
+const reports_command_1 = require("../commands/reports/reports-command");
+const usage_command_1 = require("../commands/usage/usage-command");
+exports.rootCommand = {
+    name: 'vaone',
+    summary: 'VAOne CLI with guided init, auth, assets, usage, daily reports, intelligence queries, and diagnostics.',
+    usage: 'vaone <command> [subcommand] [options]',
+    children: [
+        init_command_1.initCommand,
+        auth_command_1.authCommand,
+        assets_command_1.assetsCommand,
+        usage_command_1.usageCommand,
+        reports_command_1.reportsCommand,
+        intelligence_command_1.intelligenceCommand,
+        doctor_command_1.doctorCommand,
+    ],
+};

package/dist/cli/run-cli.js

@@ -0,0 +1,107 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runCli = runCli;
+const runtime_config_1 = require("../config/runtime-config");
+const paths_1 = require("../state/paths");
+const installation_store_1 = require("../state/stores/installation-store");
+const token_store_1 = require("../state/stores/token-store");
+const logger_1 = require("../shared/logger");
+const help_1 = require("./help");
+const help_copy_1 = require("./help-copy");
+const root_command_1 = require("./root-command");
+function parseArgv(argv) {
+    const tokens = [];
+    let debug = false;
+    let help = false;
+    for (const token of argv) {
+        if (token === '--') {
+            continue;
+        }
+        if (token === '--debug') {
+            debug = true;
+            continue;
+        }
+        if (token === '--help' || token === '-h') {
+            help = true;
+            continue;
+        }
+        tokens.push(token);
+    }
+    if (tokens[0] === 'help') {
+        help = true;
+        tokens.shift();
+    }
+    return {
+        debug,
+        help,
+        tokens,
+    };
+}
+function resolveCommand(tokens) {
+    let command = root_command_1.rootCommand;
+    const path = [];
+    let index = 0;
+    while (index < tokens.length && command.children?.length) {
+        const nextToken = tokens[index];
+        const nextCommand = command.children.find((child) => child.name === nextToken);
+        if (!nextCommand) {
+            break;
+        }
+        command = nextCommand;
+        path.push(nextToken);
+        index += 1;
+    }
+    return {
+        command,
+        path,
+        remainingArgs: tokens.slice(index),
+    };
+}
+function printUnknownCommand(logger, command, path, token, locale) {
+    logger.error((0, help_copy_1.getHelpCopy)(locale).unknownCommandSegment(['vaone', ...path].join(' '), token));
+    logger.plain('');
+    logger.plain((0, help_1.renderHelp)(command, path, locale));
+}
+async function runCli(argv, env) {
+    const parsedArgv = parseArgv(argv);
+    const logger = new logger_1.Logger(parsedArgv.debug || env.VAONE_DEBUG === 'true');
+    const paths = (0, paths_1.createCliPaths)(env);
+    const runtimeConfig = await (0, runtime_config_1.loadRuntimeConfig)(env, paths);
+    logger.setDebugMode(parsedArgv.debug || runtimeConfig.debug);
+    const tokenStore = new token_store_1.TokenStore(paths.authStateFile);
+    const installationStore = new installation_store_1.InstallationStore(paths.installationStateFile);
+    const resolvedCommand = resolveCommand(parsedArgv.tokens);
+    const unknownToken = resolvedCommand.remainingArgs[0];
+    const canTraverseFurther = Boolean(resolvedCommand.command.children?.length && unknownToken);
+    const locale = runtimeConfig.locale;
+    const context = {
+        argv,
+        logger,
+        paths,
+        runtimeConfig,
+        tokenStore,
+        installationStore,
+    };
+    if (parsedArgv.help || !resolvedCommand.path.length) {
+        logger.plain((0, help_1.renderHelp)(resolvedCommand.command, resolvedCommand.path, locale));
+        return 0;
+    }
+    await (0, paths_1.ensureCliDirectories)(paths);
+    if (canTraverseFurther && !resolvedCommand.command.run) {
+        printUnknownCommand(logger, resolvedCommand.command, resolvedCommand.path, unknownToken, locale);
+        return 1;
+    }
+    if (!resolvedCommand.command.run) {
+        logger.plain((0, help_1.renderHelp)(resolvedCommand.command, resolvedCommand.path, locale));
+        return 0;
+    }
+    try {
+        return await resolvedCommand.command.run(context, resolvedCommand.remainingArgs);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : 'Unknown CLI failure.';
+        logger.error(message);
+        logger.debug('Unhandled CLI error payload:', error);
+        return 1;
+    }
+}

package/dist/commands/assets/assets-command.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assetsCommand = void 0;
+const list_command_1 = require("./list-command");
+exports.assetsCommand = {
+    name: 'assets',
+    summary: 'Browse the filterable asset catalog.',
+    usage: 'vaone assets <list> [options]',
+    children: [list_command_1.assetsListCommand],
+};

package/dist/commands/assets/list-command.js

@@ -0,0 +1,52 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assetsListCommand = void 0;
+const authenticated_api_client_1 = require("../../features/auth/authenticated-api-client");
+const assets_api_client_1 = require("../../features/assets/assets-api-client");
+const assets_output_1 = require("../../features/assets/assets-output");
+const argv_1 = require("../../shared/argv");
+function parseEnabledFilter(parsed) {
+    const raw = parsed.options.enabled;
+    if (raw === undefined) {
+        return undefined;
+    }
+    if (typeof raw === 'boolean') {
+        return raw;
+    }
+    const normalized = raw.trim().toLowerCase();
+    if (normalized === 'true' || normalized === '1') {
+        return true;
+    }
+    if (normalized === 'false' || normalized === '0') {
+        return false;
+    }
+    throw new Error('Option "--enabled" must be true or false.');
+}
+exports.assetsListCommand = {
+    name: 'list',
+    summary: 'List asset catalog entries using supported API filters.',
+    usage: 'vaone assets list [--category <category>] [--enabled true|false]',
+    async run(context, args) {
+        const parsed = (0, argv_1.parseCommandArgs)(args);
+        if (parsed.positionals.length) {
+            throw new Error('`vaone assets list` does not accept positional arguments.');
+        }
+        try {
+            const assets = await (0, assets_api_client_1.listAssets)(context, {
+                category: (0, argv_1.getStringOption)(parsed, 'category'),
+                enabled: parseEnabledFilter(parsed),
+            });
+            (0, assets_output_1.renderAssetList)(context.logger, assets);
+            return 0;
+        }
+        catch (error) {
+            if (error instanceof authenticated_api_client_1.AuthRequiredError) {
+                throw new Error('Asset catalog access requires login. Run `vaone auth login` first.');
+            }
+            if (error instanceof authenticated_api_client_1.CliApiError && error.status === 401) {
+                throw new Error('Asset catalog access requires a valid CLI login session.');
+            }
+            throw error;
+        }
+    },
+};

package/dist/commands/auth/auth-command.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authCommand = void 0;
+const login_command_1 = require("./login-command");
+const logout_command_1 = require("./logout-command");
+exports.authCommand = {
+    name: 'auth',
+    summary: 'Authentication placeholder commands for future browser login.',
+    usage: 'vaone auth <login|logout> [options]',
+    children: [login_command_1.loginCommand, logout_command_1.logoutCommand],
+};

package/dist/commands/auth/login-command.js

@@ -0,0 +1,127 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loginCommand = void 0;
+const output_1 = require("../../shared/output");
+const auth_api_client_1 = require("../../features/auth/auth-api-client");
+const browser_login_1 = require("../../features/auth/browser-login");
+const installation_state_1 = require("../../features/auth/installation-state");
+const AUTH_TIMEOUT_MS = 10 * 60 * 1000;
+function printFallbackInstructions(logger, continuationUri, callbackMode) {
+    (0, output_1.printSection)(logger, 'Browser continuation');
+    (0, output_1.printKeyValue)(logger, 'URL', continuationUri);
+    const qr = (0, browser_login_1.renderQrCode)(continuationUri);
+    if (qr) {
+        logger.plain('');
+        logger.plain(qr);
+    }
+    logger.plain('');
+    (0, output_1.printList)(logger, [
+        callbackMode === 'loopback'
+            ? 'If the browser cannot return to localhost automatically, keep the terminal open and finish the same URL manually.'
+            : 'Finish login in any browser, then return to the terminal while the CLI keeps polling the same auth session.',
+        'Do not enter credentials inside the terminal. The terminal only waits for server-side session completion.',
+    ]);
+}
+async function waitForCompletion(apiBaseUrl, sessionId, loopbackListener) {
+    const pollPromise = (0, browser_login_1.pollForCliRedeemableSession)(() => (0, auth_api_client_1.getAuthSession)(apiBaseUrl, sessionId), AUTH_TIMEOUT_MS).then((session) => session.sessionId);
+    if (!loopbackListener) {
+        return pollPromise;
+    }
+    const callbackPromise = loopbackListener
+        .waitForCallback(AUTH_TIMEOUT_MS)
+        .then((payload) => payload.sessionId);
+    return Promise.race([callbackPromise, pollPromise]);
+}
+exports.loginCommand = {
+    name: 'login',
+    summary: 'Start browser-based login with PKCE and installation binding.',
+    usage: 'vaone auth login',
+    async run(context) {
+        const installation = await (0, installation_state_1.ensureInstallationState)(context.installationStore);
+        const pkce = (0, browser_login_1.createPkcePair)();
+        const cliState = (0, browser_login_1.createCliState)();
+        const cliSessionId = (0, browser_login_1.createCliSessionId)();
+        let loopbackListener = null;
+        let callbackMode = 'manual';
+        let callbackPort;
+        if (context.runtimeConfig.authCallbackMode !== 'manual') {
+            try {
+                loopbackListener = await (0, browser_login_1.startLoopbackListener)(cliState, context.runtimeConfig.locale);
+                callbackMode = 'loopback';
+                callbackPort = loopbackListener.port;
+            }
+            catch (error) {
+                context.logger.debug('Loopback listener unavailable, falling back to manual mode.', error);
+            }
+        }
+        else {
+            context.logger.debug('Manual auth callback mode is enabled by runtime configuration.');
+        }
+        try {
+            const session = await (0, auth_api_client_1.startCliAuthSession)(context.runtimeConfig.apiBaseUrl, {
+                cliSessionId,
+                pkceCodeChallenge: pkce.codeChallenge,
+                pkceMethod: pkce.method,
+                callbackMode,
+                callbackPort,
+                cliState,
+            });
+            if (!session.continuationUri) {
+                throw new Error('Auth session did not return a browser continuation URL.');
+            }
+            (0, output_1.printSection)(context.logger, 'Login context');
+            (0, output_1.printList)(context.logger, [
+                `Account login is handled in the browser against ${context.runtimeConfig.apiBaseUrl}.`,
+                `Installation binding uses ${installation.installationId} on ${installation.clientPlatform}/${installation.clientArch}.`,
+                `Callback mode: ${callbackMode}.`,
+            ]);
+            const browserOpened = await (0, browser_login_1.openSystemBrowser)(session.continuationUri);
+            if (!browserOpened) {
+                context.logger.info('Automatic browser launch failed. Use the fallback URL or QR code below.');
+                printFallbackInstructions(context.logger, session.continuationUri, callbackMode);
+            }
+            else if (callbackMode === 'manual') {
+                context.logger.info('Browser opened. Keep the terminal open while the CLI polls the auth session.');
+                printFallbackInstructions(context.logger, session.continuationUri, callbackMode);
+            }
+            else {
+                context.logger.info('Browser opened. Finish sign-in there; the CLI is waiting for the localhost callback.');
+            }
+            const completedSessionId = await waitForCompletion(context.runtimeConfig.apiBaseUrl, session.sessionId, loopbackListener);
+            const tokenBundle = await (0, auth_api_client_1.redeemCliAuthSession)(context.runtimeConfig.apiBaseUrl, completedSessionId, {
+                codeVerifier: pkce.codeVerifier,
+                installationId: installation.installationId,
+                publicKey: installation.publicKey,
+                keyFingerprint: installation.keyFingerprint,
+                clientPlatform: installation.clientPlatform,
+                clientArch: installation.clientArch,
+                cliVersion: installation.cliVersion,
+                deviceName: installation.deviceName,
+            });
+            await context.tokenStore.save({
+                accountId: tokenBundle.accountId,
+                installationId: tokenBundle.installationId,
+                sessionId: completedSessionId,
+                accessToken: tokenBundle.accessToken,
+                refreshToken: tokenBundle.refreshToken,
+                expiresAt: tokenBundle.expiresAt,
+                tokenType: tokenBundle.tokenType,
+                refreshBoundAt: new Date().toISOString(),
+            });
+            (0, output_1.printSection)(context.logger, 'Login complete');
+            (0, output_1.printList)(context.logger, [
+                `Account: ${tokenBundle.accountId}`,
+                `Installation: ${tokenBundle.installationId}`,
+                `Access token expires at: ${tokenBundle.expiresAt}`,
+            ]);
+            return 0;
+        }
+        finally {
+            if (loopbackListener) {
+                await loopbackListener.close().catch((error) => {
+                    context.logger.debug('Failed to close loopback listener cleanly.', error);
+                });
+            }
+        }
+    },
+};

package/dist/commands/auth/logout-command.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.logoutCommand = void 0;
+const output_1 = require("../../shared/output");
+const auth_api_client_1 = require("../../features/auth/auth-api-client");
+exports.logoutCommand = {
+    name: 'logout',
+    summary: 'Attempt remote logout, then clear local auth state.',
+    usage: 'vaone auth logout',
+    async run(context) {
+        const tokens = await context.tokenStore.read();
+        let remoteLogoutAttempted = false;
+        let remoteLogoutSucceeded = false;
+        let remoteLogoutFailure;
+        if (tokens?.sessionId) {
+            remoteLogoutAttempted = true;
+            try {
+                await (0, auth_api_client_1.logoutCliSession)(context.runtimeConfig.apiBaseUrl, {
+                    sessionId: tokens.sessionId,
+                });
+                remoteLogoutSucceeded = true;
+            }
+            catch (error) {
+                remoteLogoutFailure =
+                    error instanceof Error ? error.message : 'Unknown remote logout failure.';
+                context.logger.debug('Remote logout request failed.', error);
+            }
+        }
+        await context.tokenStore.clear();
+        (0, output_1.printSection)(context.logger, 'Logout status');
+        if (!tokens) {
+            (0, output_1.printList)(context.logger, [
+                'No active local auth state remained on this machine.',
+            ]);
+            return 0;
+        }
+        if (remoteLogoutSucceeded) {
+            (0, output_1.printList)(context.logger, [
+                'Remote session logout completed successfully.',
+                'Local auth state cleared.',
+            ]);
+            return 0;
+        }
+        if (remoteLogoutAttempted) {
+            (0, output_1.printList)(context.logger, [
+                'Local auth state cleared.',
+                `Remote session logout could not be confirmed: ${remoteLogoutFailure}`,
+            ]);
+            return 0;
+        }
+        (0, output_1.printList)(context.logger, [
+            'Local auth state cleared.',
+            'Remote session logout was skipped because no stored session id was available.',
+        ]);
+        return 0;
+    },
+};