@unifiedmemory/cli 1.3.12 → 1.3.14

package/.env.example

@@ -37,6 +37,24 @@
 # REDIRECT_URI=http://localhost:3333/callback
 # PORT=3333
 
+# ============================================
+# OAuth Success Page Link
+# ============================================
+# Optional website link shown on the OAuth success page
+# Users can visit this URL to manage their account or subscription
+# Default: https://unifiedmemory.ai/oauth/callback
+# OAUTH_SUCCESS_URL=https://unifiedmemory.ai/oauth/callback
+
+# ============================================
+# Frontend URL (CLI Auth Page)
+# ============================================
+# URL of the frontend app that hosts the CLI auth page with org picker
+# During login, the browser opens this URL where users can select an organization
+# before being redirected to Clerk OAuth
+# Default: https://unifiedmemory.ai
+# For local development: http://localhost:3000
+# FRONTEND_URL=https://unifiedmemory.ai
+
 # ============================================
 # Clerk Client Secret (Optional)
 # ============================================

package/README.md

@@ -106,6 +106,34 @@ Project Configuration:
   ✓ Configured: My Project (proj_xxx)
 ```
 
+### `um usage`
+Check your current usage and quota allowances.
+
+```bash
+um usage
+```
+
+**Example output:**
+```
+📊 Usage & Quota
+
+Account:
+  Organization: My Team
+
+Monthly Queries:
+  450 / 1,000 (45.0%)
+  [█████████░░░░░░░░░░░]
+  Remaining: 550 queries
+  Resets: 2/1/2026
+```
+
+Context-aware: Shows personal or organization quota based on current context (`um org switch`).
+
+**Color indicators:**
+- 🟢 Green: <70% usage
+- 🟡 Yellow: 70-89% usage
+- 🔴 Red: ≥90% usage (with upgrade prompt)
+
 ### `um org switch`
 Switch between your organizations or personal account.
 

package/commands/debug.js

@@ -0,0 +1,67 @@
+import chalk from 'chalk';
+import { getToken, getOrgContext } from '../lib/token-storage.js';
+import { isTokenExpired } from '../lib/token-refresh.js';
+
+/**
+ * Debug authentication and token issues
+ * Displays comprehensive diagnostics about the current token state
+ * JWT is the single source of truth for org context
+ */
+export async function debugAuth() {
+  console.log(chalk.blue('\n🔍 Token Diagnostics\n'));
+
+  const tokenData = getToken();
+
+  if (!tokenData) {
+    console.log(chalk.red('❌ No token found'));
+    console.log(chalk.gray('   Run: um login'));
+    return;
+  }
+
+  // Check expiration
+  const expired = isTokenExpired(tokenData);
+  console.log(chalk.yellow('Token Expiration:'));
+  console.log(expired ? chalk.red('  ❌ Expired') : chalk.green('  ✓ Valid'));
+  if (tokenData.decoded?.exp) {
+    const expDate = new Date(tokenData.decoded.exp * 1000);
+    console.log(chalk.gray(`  Expires: ${expDate.toLocaleString()}`));
+  }
+
+  // Check org context from JWT claims (single source of truth)
+  console.log(chalk.yellow('\nOrganization Context (from JWT):'));
+  const orgContext = getOrgContext();
+
+  if (orgContext) {
+    console.log(chalk.green(`  ✓ Organization: ${orgContext.name} (${orgContext.id})`));
+    console.log(chalk.gray(`    Role: ${orgContext.role || 'member'}`));
+    if (orgContext.slug) {
+      console.log(chalk.gray(`    Slug: ${orgContext.slug}`));
+    }
+  } else {
+    console.log(chalk.cyan('  Personal Account (no org claims in JWT)'));
+  }
+
+  // Check session ID
+  console.log(chalk.yellow('\nSession ID:'));
+  const hasSid = tokenData.decoded?.sid;
+  console.log(hasSid ? chalk.green('  ✓ Present') : chalk.yellow('  ⚠ Missing'));
+  if (hasSid) {
+    console.log(chalk.gray(`  SID: ${tokenData.decoded.sid}`));
+  } else {
+    console.log(chalk.gray('  Note: Some org-scoped tokens may not have sid'));
+  }
+
+  // Check user ID
+  console.log(chalk.yellow('\nUser ID:'));
+  if (tokenData.decoded?.sub) {
+    console.log(chalk.green(`  ✓ ${tokenData.decoded.sub}`));
+  } else {
+    console.log(chalk.red('  ❌ Missing'));
+  }
+
+  // Check refresh token
+  console.log(chalk.yellow('\nRefresh Token:'));
+  console.log(tokenData.refresh_token ? chalk.green('  ✓ Present') : chalk.red('  ❌ Missing'));
+
+  console.log('');
+}

package/commands/init.js

@@ -65,8 +65,9 @@ export async function init(options = {}) {
   }
 
   console.log(chalk.green(`✓ Logged in as: ${authData.user_id}`));
-  if (authData.org_id) {
-    console.log(chalk.green(`✓ Organization: ${authData.org_id}`));
+  if (authData.org_id && authData.org_id !== authData.user_id) {
+    const orgDisplay = authData.org_name || authData.org_id;
+    console.log(chalk.green(`✓ Organization: ${orgDisplay}`));
   }
 
   // Step 1.5: Check for existing config
@@ -166,14 +167,17 @@ async function ensureAuthenticated(options) {
   if (stored && stored.decoded) {
     console.log(chalk.gray('Using saved session'));
 
-    // Extract user_id and org_id from token
+    // Extract user_id and org_id from JWT claims, with selectedOrgId fallback
     const userId = stored.decoded.sub;
-    const orgId = stored.selectedOrg?.id || userId; // Fallback to user_id if no org
+    // Use org from JWT o.* claims, fallback to selectedOrgId from login, then userId for personal context
+    const orgId = stored.decoded.o?.o_id || stored.selectedOrgId || userId;
+    const orgName = stored.decoded.o?.o_name || stored.selectedOrgName || null;
     const expirationTime = stored.decoded.exp * 1000;
 
     return {
       user_id: userId,
       org_id: orgId,
+      org_name: orgName,
       access_token: stored.idToken || stored.accessToken,
       api_url: 'https://rose-asp-main-1c0b114.d2.zuplo.dev',
       expires_at: expirationTime,
@@ -189,14 +193,17 @@ async function ensureAuthenticated(options) {
     return null;
   }
 
-  // Extract from saved token
+  // Extract from saved token (JWT claims with selectedOrgId fallback)
   const savedToken = getToken();
   const userId = savedToken?.decoded?.sub;
-  const orgId = savedToken?.selectedOrg?.id || userId;
+  // Use org from JWT o.* claims, fallback to selectedOrgId from login, then userId for personal context
+  const orgId = savedToken?.decoded?.o?.o_id || savedToken?.selectedOrgId || userId;
+  const orgName = savedToken?.decoded?.o?.o_name || savedToken?.selectedOrgName || null;
 
   return {
     user_id: userId,
     org_id: orgId,
+    org_name: orgName,
     access_token: savedToken.idToken || savedToken.accessToken,
     api_url: 'https://rose-asp-main-1c0b114.d2.zuplo.dev',
     expires_at: savedToken.decoded?.exp * 1000,
@@ -244,10 +251,12 @@ async function selectOrCreateProject(authData, options) {
           return null;
         }
 
-        // Update authData with fresh credentials
+        // Update authData with fresh credentials (JWT claims with selectedOrgId fallback)
         const savedToken = getToken();
         authData.user_id = savedToken.decoded.sub;
-        authData.org_id = savedToken.selectedOrg?.id || authData.user_id;
+        // Use org from JWT o.* claims, fallback to selectedOrgId from login, then userId for personal context
+        authData.org_id = savedToken.decoded?.o?.o_id || savedToken?.selectedOrgId || authData.user_id;
+        authData.org_name = savedToken.decoded?.o?.o_name || savedToken?.selectedOrgName || null;
         authData.access_token = savedToken.idToken || savedToken.accessToken;
         authData.expires_at = savedToken.decoded?.exp * 1000;
 

package/commands/login.js

@@ -3,12 +3,9 @@ import { URL } from 'url';
 import open from 'open';
 import chalk from 'chalk';
 import crypto from 'crypto';
-import inquirer from 'inquirer';
 import { config, validateConfig } from '../lib/config.js';
-import { saveToken, updateSelectedOrg } from '../lib/token-storage.js';
-import { getUserOrganizations, getOrganizationsFromToken, getOrgScopedToken } from '../lib/clerk-api.js';
+import { saveToken } from '../lib/token-storage.js';
 import { parseJWT } from '../lib/jwt-utils.js';
-import { promptOrganizationSelection, displayOrganizationSelection } from '../lib/org-selection-ui.js';
 
 function generateRandomState() {
   // Use cryptographically secure random bytes for CSRF protection
@@ -38,11 +35,10 @@ export async function login() {
   const state = generateRandomState();
   const pkce = generatePKCE();
 
-  // Build OAuth2 authorization URL with PKCE
-  const authUrl = new URL(`https://${config.clerkDomain}/oauth/authorize`);
+  // Build URL to frontend CLI auth page (which shows org picker before Clerk OAuth)
+  const authUrl = new URL(`${config.frontendUrl}/cli-auth`);
   authUrl.searchParams.append('client_id', config.clerkClientId);
   authUrl.searchParams.append('redirect_uri', config.redirectUri);
-  authUrl.searchParams.append('response_type', 'code');
   authUrl.searchParams.append('scope', 'openid profile email');
   authUrl.searchParams.append('state', state);
   authUrl.searchParams.append('code_challenge', pkce.challenge);
@@ -76,7 +72,23 @@ export async function login() {
           return;
         }
 
-        if (returnedState !== state) {
+        // Parse state to extract CSRF token, org_id, and org_name
+        // State format: base64({ csrf: string, org_id: string|null, org_name: string|null })
+        let csrfState = returnedState;
+        let selectedOrgId = null;
+        let selectedOrgName = null;
+
+        try {
+          const stateData = JSON.parse(atob(returnedState));
+          csrfState = stateData.csrf;
+          selectedOrgId = stateData.org_id;
+          selectedOrgName = stateData.org_name;
+        } catch (e) {
+          // Old format - state is just the CSRF token
+          csrfState = returnedState;
+        }
+
+        if (csrfState !== state) {
           res.writeHead(400, { 'Content-Type': 'text/html' });
           res.end(`
             <html>
@@ -143,24 +155,111 @@ export async function login() {
           // Debug: Log the token response structure
           console.log(chalk.gray('\nToken response keys:'), Object.keys(tokenData));
 
-          // Send success response to browser first
+          // Send success response to browser
           res.writeHead(200, { 'Content-Type': 'text/html' });
           res.end(`
-            <html>
-              <body style="font-family: system-ui; padding: 2rem; text-align: center;">
-                <h1 style="color: #10B981;">✅ Authentication Successful!</h1>
-                <p>You have successfully authenticated with Clerk.</p>
-                <p>You can close this window and return to the CLI.</p>
-                <script>setTimeout(() => window.close(), 3000);</script>
+            <!DOCTYPE html>
+            <html lang="en">
+              <head>
+                <meta charset="UTF-8">
+                <meta name="viewport" content="width=device-width, initial-scale=1.0">
+                <title>Login Successful</title>
+                <link rel="preconnect" href="https://fonts.googleapis.com">
+                <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+                <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet">
+                <style>
+                  * {
+                    margin: 0;
+                    padding: 0;
+                    box-sizing: border-box;
+                  }
+                  body {
+                    font-family: 'Inter', -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+                    background: hsl(220, 30%, 8%);
+                    color: hsl(0, 0%, 100%);
+                    min-height: 100vh;
+                    display: flex;
+                    align-items: center;
+                    justify-content: center;
+                    padding: 2rem;
+                  }
+                  .card {
+                    background: hsl(220, 25%, 12%);
+                    border: 1px solid hsl(220, 20%, 20%);
+                    border-radius: 0.5rem;
+                    padding: 2rem;
+                    text-align: center;
+                    max-width: 32rem;
+                    width: 100%;
+                  }
+                  .logo {
+                    width: 64px;
+                    height: 64px;
+                    margin: 0 auto 1.5rem;
+                    display: block;
+                  }
+                  h1 {
+                    font-size: 1.875rem;
+                    font-weight: 700;
+                    margin-bottom: 0.5rem;
+                    color: hsl(0, 0%, 100%);
+                  }
+                  .description {
+                    font-size: 1.125rem;
+                    color: hsl(0, 0%, 65%);
+                    margin-bottom: 1.5rem;
+                  }
+                  .message {
+                    color: hsl(0, 0%, 65%);
+                    line-height: 1.6;
+                  }
+                  .optional-link {
+                    margin-top: 2rem;
+                    padding-top: 1.5rem;
+                    border-top: 1px solid hsl(220, 20%, 20%);
+                    font-size: 0.8125rem;
+                    color: hsl(0, 0%, 50%);
+                    line-height: 1.5;
+                  }
+                  .optional-link a {
+                    color: hsl(0, 0%, 55%);
+                    text-decoration: none;
+                    border-bottom: 1px solid transparent;
+                    transition: border-color 0.2s;
+                  }
+                  .optional-link a:hover {
+                    border-bottom-color: hsl(0, 0%, 55%);
+                  }
+                </style>
+              </head>
+              <body>
+                <div class="card">
+                  <img src="https://unifiedmemory.ai/images/theme/axolotl-logo.png" alt="UnifiedMemory.ai Logo" class="logo" />
+                  <h1>Login Successful</h1>
+                  <p class="description">Your authentication is complete.</p>
+                  <p class="message">You may now close this tab and return to the terminal to continue using the CLI.</p>
+                  <div class="optional-link">
+                    You can manage your account or subscription on the web at<br>
+                    <a href="https://unifiedmemory.ai/account">unifiedmemory.ai</a>
+                  </div>
+                </div>
+                <script>
+                  // Auto-close window after 10 seconds
+                  setTimeout(() => {
+                    window.close();
+                  }, 10000);
+                </script>
               </body>
             </html>
           `);
 
           // Parse JWT for user info - do not log tokens
+          // The id_token should already have org claims because the frontend
+          // called setActive() before OAuth redirect
           const tokenToParse = tokenData.id_token || tokenData.access_token;
           const decoded = parseJWT(tokenToParse);
 
-          // Save token (save both access_token and id_token if available)
+          // Save token with selected org from state (since JWT doesn't have org claims)
           saveToken({
             accessToken: tokenData.access_token,
             idToken: tokenData.id_token,
@@ -168,7 +267,10 @@ export async function login() {
             tokenType: tokenData.token_type || 'Bearer',
             expiresIn: tokenData.expires_in,
             receivedAt: Date.now(),
-            decoded: decoded
+            decoded: decoded,
+            sessionId: decoded?.sid,
+            selectedOrgId: selectedOrgId,  // From state parameter
+            selectedOrgName: selectedOrgName,  // From state parameter
           });
 
           console.log(chalk.green('\n✅ Authentication successful!'));
@@ -184,95 +286,30 @@ export async function login() {
             }
           }
 
-          // Close server first
-          server.close(async () => {
+          // Close server and display org context
+          server.close(() => {
             console.log(chalk.gray('✓ Callback server closed'));
 
-            // Prompt for organization selection
-            try {
-              const userId = decoded?.sub;
-              if (userId) {
-                // First try to get organizations from JWT token
-                let memberships = getOrganizationsFromToken(decoded);
-
-                // If not in JWT, fetch from Clerk Frontend API
-                if (memberships.length === 0) {
-                  const sessionToken = tokenData.id_token || tokenData.access_token;
-                  memberships = await getUserOrganizations(userId, sessionToken);
-                }
-
-                console.log(chalk.blue('\n🔍 Checking for organizations...'));
-                const selectedOrg = await promptOrganizationSelection(memberships);
-                displayOrganizationSelection(selectedOrg);
-
-                if (selectedOrg) {
-                  // Get org-scoped JWT from Clerk
-                  try {
-                    console.log(chalk.cyan('\n🔄 Getting organization-scoped token...'));
-
-                    const sessionId = decoded.sid;
-                    if (!sessionId) {
-                      throw new Error('No session ID found in token');
-                    }
-
-                    const orgToken = await getOrgScopedToken(
-                      sessionId,
-                      selectedOrg.id,
-                      tokenData.id_token
-                    );
-
-                    // Update saved token with org-scoped version
-                    // Preserve originalSid for recovery purposes (org-scoped token won't have sid)
-                    saveToken({
-                      accessToken: tokenData.access_token,
-                      idToken: orgToken.jwt,
-                      refresh_token: tokenData.refresh_token,
-                      tokenType: 'Bearer',
-                      expiresIn: tokenData.expires_in,
-                      receivedAt: Date.now(),
-                      decoded: parseJWT(orgToken.jwt),
-                      selectedOrg: selectedOrg,
-                      originalSid: decoded.sid  // Preserve session ID from original OAuth token
-                    });
-
-                    console.log(chalk.green(`\n✅ Using organization context: ${chalk.bold(selectedOrg.name)}`));
-                    console.log(chalk.gray(`   Organization ID: ${selectedOrg.id}`));
-                    console.log(chalk.gray(`   Your role: ${selectedOrg.role}`));
-                    console.log(chalk.gray('   ✓ Token updated with organization context'));
-                  } catch (error) {
-                    console.error(chalk.yellow('\n⚠️  Failed to get org-scoped token:'), error.message);
-                    console.log(chalk.gray('   Continuing with original token (may have limited org access)'));
-
-                    // Save token with selectedOrg AND originalSid for recovery
-                    // This allows token-validation.js to retry getting org-scoped token later
-                    saveToken({
-                      accessToken: tokenData.access_token,
-                      idToken: tokenData.id_token,
-                      refresh_token: tokenData.refresh_token,
-                      tokenType: 'Bearer',
-                      expiresIn: tokenData.expires_in,
-                      receivedAt: Date.now(),
-                      decoded: decoded,
-                      selectedOrg: selectedOrg,
-                      originalSid: decoded.sid  // Preserve session ID for recovery
-                    });
-
-                    console.log(chalk.green(`\n✅ Using organization context: ${chalk.bold(selectedOrg.name)}`));
-                    console.log(chalk.gray(`   Organization ID: ${selectedOrg.id}`));
-                    console.log(chalk.gray(`   Your role: ${selectedOrg.role}`));
-                    console.log(chalk.yellow('   ⚠️  Token lacks org claims - recovery will be attempted on next use'));
-                  }
-                } else {
-                  console.log(chalk.green('\n✅ Using personal account context'));
-                }
-
-                console.log(chalk.gray('\nYou can switch organizations anytime with: um org switch'));
+            // Display organization context - prefer JWT claims, fall back to selected org from state
+            // Support both flat claims (org_id) and nested claims (o.o_id) from Clerk JWT templates
+            const jwtOrgId = decoded?.org_id || decoded?.o?.o_id;
+            const orgId = jwtOrgId || selectedOrgId;
+            const orgName = decoded?.org_name || decoded?.o?.o_name || selectedOrgName;
+            const orgSlug = decoded?.org_slug || decoded?.o?.o_slug;
+            const orgRole = decoded?.org_role || decoded?.o?.o_role;
+
+            if (orgId) {
+              console.log(chalk.green(`\n✅ Organization context: ${chalk.bold(orgName || orgSlug || orgId)}`));
+              console.log(chalk.gray(`   Organization ID: ${orgId}`));
+              if (orgRole) {
+                console.log(chalk.gray(`   Your role: ${orgRole}`));
               }
-            } catch (error) {
-              console.log(chalk.yellow('\n⚠️  Could not fetch organizations. Continuing with personal account context.'));
-              console.log(chalk.gray(`Error: ${error.message}`));
+            } else {
+              console.log(chalk.green('\n✅ Using personal account context'));
             }
 
+            console.log(chalk.gray('\nYou can switch organizations anytime with: um org switch'));
+
             resolve(tokenData);
           });
         } catch (error) {