@vectorplane/ctrl-cli 0.1.13 → 0.1.14

package/README.md

@@ -2,7 +2,7 @@
 
 CLI oficial do VectorPlane.
 
-Use o comando `vp` para autenticar, verificar a sessão local e sincronizar o workspace com o produto.
+Use o comando `vp` para autenticar, verificar a sessão local, sincronizar o workspace e operar o control plane com uma sessão local endurecida.
 
 ## Instalação
 
@@ -15,123 +15,73 @@ npm install -g @vectorplane/ctrl-cli
 ```bash
 vp init
 vp login
+vp login --manual
+vp login --device
 vp logout
 vp status
+vp doctor --policy
 vp sync
 vp task templates
 vp task run --title "Entrega X" --intention "Implementar fluxo Y"
-vp task run --template code-review --title "Review auth" --intention "Revisar risco e cobertura do fluxo de auth"
 vp task watch <task-id>
-vp task claim --capability qa.test
-vp task execute <task-id> --step <step-id>
-vp task daemon --capability qa.test
 vp context --search "decisões sobre autenticação"
-vp context --delivery --search "fluxo de login" --type decisions
-vp context --diff --from latest-1 --to latest
 vp workspace webhook list
-vp workspace webhook create --name approvals --url https://example.com/hooks/vectorplane --secret supersecret123 --events task.approval_required,task.blocked
-vp context --workspace <workspace> --delivery
-vp session check-in --workspace <workspace> --agent codex --type codex --client openai-codex --feature feature-key --task task-key --owning-path "src/core,src/ui" --need "api-contract" --provide "implementation" --status "starting implementation"
-vp draft create --type progress --title "Entrega concluída" --content "Resumo da mudança"
+vp session check-in --workspace <workspace> --agent codex --type codex --client openai-codex
 ```
 
-## Comandos
-
-### `vp init`
-
-- autentica localmente se ainda não houver sessão
-- resolve e associa o workspace atual a partir do `git remote`, somente quando houver correspondência com um workspace que o usuário pode acessar
-- detecta o agente local automaticamente, pede confirmação se houver ambiguidade e aceita `--agent`
-- baixa o template oficial do backend
-- grava o arquivo local e adiciona a entrada no `.gitignore`
-- aceita `--force` para sobrescrever template existente
-- durante execução, se outro agente passar a operar no workspace e a detecção for confiável, o setup local é reconciliado automaticamente
+## Comandos principais
 
 ### `vp login`
 
-- abre o navegador para autenticação
-- conclui o login com callback local seguro
-- salva a sessão localmente
-- suporta `--no-browser` e `--manual`
-- em ambientes remotos ou isolados, o loopback local pode exigir um fluxo alternativo
-- a URL web do login é emitida pelo control plane; o domínio do app não deve ser hardcoded em automações externas
+- suporta `browser`, `manual` e `device`
+- `--manual` evita abrir o navegador automaticamente
+- `--device` evita dependência de callback loopback e fecha melhor com SSH, container, CI e WSL
+- a URL web do login é emitida pelo control plane
 
 ### `vp logout`
 
-- revoga a sessão do CLI quando possível
-- remove a sessão local do dispositivo
+- tenta revogar a sessão remotamente
+- limpa a sessão local do dispositivo
+- registra auditoria local mínima da operação
+
+### `vp doctor`
 
-### `vp sync`
+- valida storage de sessão, política ativa, conectividade e ambiente local
+- suporta `--policy` para checar só conformidade local
+- recomenda o modo de login mais seguro para o ambiente atual
 
-- coleta contexto local do workspace
-- envia a sincronização para o VectorPlane
-- usa fila local quando a API estiver indisponível
+### `vp config`
+
+- gerencia perfis, política local e envelope de privacidade
+- `vp config privacy set <standard|minimal|enterprise>`
+- `vp config policy set <chave> <true|false>`
 
 ### `vp status`
 
-- mostra o estado da sessão local
-- exibe workspace ativo, diretório atual e última sincronização
-
-### `vp task`
-
-- cria tasks no orchestrator do workspace
-- lista templates disponíveis com `vp task templates`
-- aceita `--template <slug>` para herdar capabilities e paths padrão do backend
-- lista e inspeciona tasks existentes
-- acompanha uma task em tempo real com `vp task watch <taskId>`
-- faz claim explícito de steps `pending_claim` atribuídos a agentes CLI
-- executa steps locais via `metadata.execution.command`
-- suporta loop controlado com `vp task daemon --capability ...`
-- registra delegação de step
-- envia callback de execução por step para concluir a pipeline
-- lê handoff operacional por task
-- consulta observabilidade por task ou workspace
-- consulta health do workspace ligado às tasks
-- para automação local real, o agente de registry deve ter `metadata.execution` com:
-  - `type: "command"`
-  - `command: "npm"` ou equivalente
-  - `args`, `cwd` e `env` opcionais
-
-### `vp draft`
-
-- cria drafts editoriais ligados ao workspace atual
-- lista drafts existentes para conferência rápida
-- suporta `ui`, `ux`, `project_skeleton`, `template_engineering`, `patterns`, `progress`, `decisions` e `architecture`
-- aceita `--no-impact` para registrar explicitamente quando uma lane não foi afetada
-
-### `vp session`
-
-- suporta `check-in`, `heartbeat` e `check-out`
-- permite declarar `feature`, `task`, `component`, `role`, `owning-path`, `need`, `provide` e `status`
-- deve ser usado em conjunto com `vp context --delivery` para reduzir conflito entre agentes ativos
-
-### Comandos adicionais já implementados
-
-- `vp whoami`
-  - mostra a identidade autenticada
-- `vp doctor`
-  - executa verificações locais e de conectividade
-- `vp config`
-  - gerencia perfis e configuração local
-  - inclui `vp config privacy` e `vp config policy`
-- `vp workspace`
-  - gerencia o workspace atual
-  - suporta `vp workspace webhook list|create|delete` para integrações externas por workspace
-- `vp session`
-  - gerencia sessões de agente
-- `vp context`
-  - carrega contexto remoto do workspace
-  - suporta `--search "QUERY"` para busca semântica na memória
-  - com `--delivery --search`, retorna delivery context com fragmentos semânticos relevantes
-  - suporta `--diff --from latest-1 --to latest` para comparar snapshots do workspace
-- `vp bootstrap`
-  - obtém instruções de setup do workspace
-- `vp event send`
-  - envia eventos operacionais
-- `vp draft`
-  - envia e consulta drafts editoriais do workspace
-- `vp task`
-  - opera tasks do autonomous control plane
+- mostra estado da sessão local
+- exibe storage usado, último login, último refresh, último logout e falhas recentes de auth
+
+## Privacidade de máquina
+
+Perfis:
+
+- `standard`: envia o contexto operacional mínimo usual
+- `minimal`: reduz ao máximo dados locais e desabilita lookup de IP/interface por padrão
+- `enterprise`: permite envelope mais rico, mas continua respeitando policies locais
+
+Policies disponíveis:
+
+- `requireSecureStorage`
+- `disableFileSessionFallback`
+- `requireManualLogin`
+- `requireDeviceLogin`
+- `blockPublicIpLookup`
+- `blockMacAddressCollection`
+- `blockUsernameCollection`
+- `blockNetworkInterfaceCollection`
+- `blockCurrentDirectoryCollection`
+- `blockHomeDirectoryCollection`
+- `blockShellCollection`
 
 ## Persistência local
 
@@ -146,8 +96,14 @@ vp draft create --type progress --title "Entrega concluída" --content "Resumo d
 ## Segurança
 
 - tokens nunca são impressos no terminal
-- tokens nunca são enviados por query string
-- o callback valida o `state`
+- logs mascaram chaves sensíveis e ids de sessão
 - a sessão usa secure storage do sistema quando disponível
-- existe fallback para arquivo local apenas quando permitido
+- existe fallback para arquivo local apenas quando permitido pela policy
 - `vp logout` encerra a sessão local e tenta revogação remota
+- o CLI continua sendo thin client: autorização e regra crítica permanecem no backend
+
+## Tutoriais relacionados
+
+- setup completo do ecossistema: [/home/developer/Documentos/Projetos/conductor-edge-ia/docs/tutorials/setup-ecossistema.md](/home/developer/Documentos/Projetos/conductor-edge-ia/docs/tutorials/setup-ecossistema.md)
+- operação de workspace: [/home/developer/Documentos/Projetos/conductor-edge-ia/docs/tutorials/operacao-workspace.md](/home/developer/Documentos/Projetos/conductor-edge-ia/docs/tutorials/operacao-workspace.md)
+- memória e agentes: [/home/developer/Documentos/Projetos/conductor-edge-ia/docs/tutorials/memoria-e-agentes.md](/home/developer/Documentos/Projetos/conductor-edge-ia/docs/tutorials/memoria-e-agentes.md)

package/dist/commands/doctor.d.ts

@@ -1 +1 @@
-export declare function runDoctorCommand(cliVersion: string): Promise<number>;
+export declare function runDoctorCommand(cliVersion: string, args?: string[]): Promise<number>;

package/dist/commands/doctor.js

@@ -2,10 +2,11 @@ import { access } from "node:fs/promises";
 import { constants as fsConstants } from "node:fs";
 import { configDirectoryExists, ensureSessionAvailable, getConfigDirectoryPath, getSessionStorageInfo } from "../core/config.js";
 import { collectGitContext } from "../core/git.js";
-import { collectMachineContext, collectRuntimeContext } from "../core/machine.js";
+import { assessExecutionEnvironment, collectMachineContext, collectRuntimeContext, describePrivacyEnvelope } from "../core/machine.js";
 import { loadRuntimeStatus } from "../core/runtime.js";
 import { ensureFreshSession } from "../core/session.js";
 import { VectorPlaneApiClient } from "../core/api.js";
+import { getBooleanOption, parseArgs } from "../core/cli.js";
 async function writable(filePath) {
     try {
         await access(filePath, fsConstants.W_OK);
@@ -18,23 +19,9 @@ async function writable(filePath) {
 function printCheck(label, ok, details) {
     process.stdout.write(`${ok ? "OK" : "FAIL"} ${label}: ${details}\n`);
 }
-function detectExecutionRisks() {
-    const risks = [];
-    if (process.env.WSL_DISTRO_NAME) {
-        risks.push("wsl");
-    }
-    if (process.env.SSH_CONNECTION || process.env.SSH_CLIENT) {
-        risks.push("ssh");
-    }
-    if (process.env.CI === "true") {
-        risks.push("ci");
-    }
-    if (process.env.CONTAINER || process.env.DOCKER_CONTAINER) {
-        risks.push("container");
-    }
-    return risks;
-}
-export async function runDoctorCommand(cliVersion) {
+export async function runDoctorCommand(cliVersion, args = []) {
+    const parsed = parseArgs(args);
+    const policyOnly = getBooleanOption(parsed, "policy");
     const runtime = await loadRuntimeStatus();
     const configDirectory = await getConfigDirectoryPath();
     const [hasConfigDir, git, canWriteConfig] = await Promise.all([
@@ -43,15 +30,21 @@ export async function runDoctorCommand(cliVersion) {
         writable(configDirectory),
     ]);
     const storage = await getSessionStorageInfo(runtime.profile.name);
-    const risks = detectExecutionRisks();
+    const environment = assessExecutionEnvironment();
+    const privacyEnvelope = describePrivacyEnvelope(runtime.profile.machinePrivacyProfile, runtime.config.policy);
     printCheck("config_dir", hasConfigDir, configDirectory);
     printCheck("config_dir_writable", canWriteConfig, canWriteConfig ? "gravável" : "sem permissão de escrita");
     printCheck("git", git.isRepository, git.isRepository ? (git.rootPath ?? process.cwd()) : "repositório não detectado");
     printCheck("node", true, process.version);
     printCheck("privacy_profile", true, runtime.profile.machinePrivacyProfile);
+    printCheck("privacy_envelope", true, JSON.stringify(privacyEnvelope));
     printCheck("session_storage", (storage?.protected ?? false) || runtime.config.preferredSessionStorage === "system", storage ? `${storage.backend}:${storage.protected ? "protected" : "file"}` : runtime.config.preferredSessionStorage);
     printCheck("policy_secure_storage", !runtime.config.policy.requireSecureStorage || storage?.protected === true, JSON.stringify(runtime.config.policy));
-    printCheck("execution_environment", risks.length === 0, risks.length === 0 ? "local" : risks.join(","));
+    printCheck("execution_environment", environment.loopbackLikelySafe, environment.risks.length === 0 ? "local" : environment.risks.join(","));
+    printCheck("login_recommendation", true, environment.recommendedLoginMode);
+    if (policyOnly) {
+        return 0;
+    }
     const apiClient = new VectorPlaneApiClient(runtime.profile.apiBaseUrl, runtime.config.requestTimeoutMs, runtime.logger);
     try {
         const health = await apiClient.getHealth();

package/dist/commands/login.js

@@ -1,18 +1,37 @@
 import { getBooleanOption, getStringOption, parseArgs } from "../core/cli.js";
 import { runLoginFlow } from "../core/auth.js";
 import { getSessionStorageInfo, saveSession, setActiveProfile, updateProfileState, upsertProfile } from "../core/config.js";
-import { collectMachineContext, collectRuntimeContext } from "../core/machine.js";
+import { assessExecutionEnvironment, collectMachineContext, collectRuntimeContext } from "../core/machine.js";
 import { loadRuntimeStatus } from "../core/runtime.js";
 import { VectorPlaneApiClient } from "../core/api.js";
+function resolveLoginMode(args) {
+    if (args.device || args.requireDeviceLogin) {
+        return "device";
+    }
+    if (args.manual || args.noBrowser || args.requireManualLogin) {
+        return "manual";
+    }
+    return "browser";
+}
 export async function runLoginCommand(cliVersion, args) {
     const parsed = parseArgs(args);
     const requestedProfile = getStringOption(parsed, "profile");
-    const noBrowser = getBooleanOption(parsed, "no-browser") || getBooleanOption(parsed, "manual");
     if (requestedProfile) {
         await upsertProfile(requestedProfile, { name: requestedProfile });
         await setActiveProfile(requestedProfile);
     }
     const runtime = await loadRuntimeStatus();
+    const loginMode = resolveLoginMode({
+        noBrowser: getBooleanOption(parsed, "no-browser"),
+        manual: getBooleanOption(parsed, "manual"),
+        device: getBooleanOption(parsed, "device"),
+        requireManualLogin: runtime.config.policy.requireManualLogin,
+        requireDeviceLogin: runtime.config.policy.requireDeviceLogin,
+    });
+    const environment = assessExecutionEnvironment();
+    if (environment.recommendedLoginMode === "device" && loginMode === "browser") {
+        runtime.logger.warn("o ambiente atual parece pouco confiável para loopback. considere `vp login --device`.");
+    }
     const machine = await collectMachineContext(runtime.device, runtime.config);
     const runtimeContext = await collectRuntimeContext(cliVersion, "login", process.argv.slice(2));
     const apiClient = new VectorPlaneApiClient(runtime.profile.apiBaseUrl, runtime.config.requestTimeoutMs, runtime.logger);
@@ -24,7 +43,7 @@ export async function runLoginCommand(cliVersion, args) {
         device: runtime.device,
         apiClient,
         logger: runtime.logger,
-        noBrowser: noBrowser || runtime.config.policy.requireManualLogin,
+        loginMode,
     });
     await saveSession(session, runtime.profile.name);
     const storage = await getSessionStorageInfo(runtime.profile.name);
@@ -34,6 +53,7 @@ export async function runLoginCommand(cliVersion, args) {
         lastWorkspace: session.workspace,
         lastError: null,
         lastLoginAt: session.obtainedAt,
+        lastLoginMethod: loginMode,
         lastSessionId: session.sessionId,
         storageBackend: storage?.backend ?? null,
         storageProtected: storage?.protected ?? null,
@@ -42,6 +62,7 @@ export async function runLoginCommand(cliVersion, args) {
     });
     runtime.logger.success("login realizado com sucesso.");
     process.stdout.write(`Perfil: ${runtime.profile.name}\n`);
+    process.stdout.write(`Modo de login: ${loginMode}\n`);
     process.stdout.write(`Workspace ativo: ${session.workspace}\n`);
     return 0;
 }

package/dist/commands/logout.js

@@ -15,8 +15,10 @@ export async function runLogoutCommand() {
         return 0;
     }
     const apiClient = new VectorPlaneApiClient(runtime.profile.apiBaseUrl, runtime.config.requestTimeoutMs, runtime.logger);
+    let remoteRevokedAt = null;
     try {
         await revokeSession({ session, apiClient });
+        remoteRevokedAt = new Date().toISOString();
     }
     catch (error) {
         runtime.logger.warn("não foi possível revogar a sessão remotamente. removendo a sessão local mesmo assim.");
@@ -29,6 +31,7 @@ export async function runLogoutCommand() {
     await updateProfileState(runtime.profile.name, {
         lastCommand: "logout",
         lastLogoutAt: loggedOutAt,
+        lastRemoteRevokeAt: remoteRevokedAt,
         lastSessionId: null,
     });
     runtime.logger.success("sessão local encerrada.");

package/dist/commands/status.js

@@ -35,16 +35,22 @@ export async function runStatusCommand() {
     process.stdout.write(`Sessão CLI: ${session.sessionId}\n`);
     process.stdout.write(`Expira em: ${session.expiresAt}\n`);
     process.stdout.write(`Último refresh: ${profileState.lastRefreshAt ?? session.lastRefreshAt ?? "nunca"}\n`);
+    process.stdout.write(`Último login: ${profileState.lastLoginAt ?? "desconhecido"}\n`);
+    process.stdout.write(`Último método de login: ${profileState.lastLoginMethod ?? "desconhecido"}\n`);
+    process.stdout.write(`Último logout: ${profileState.lastLogoutAt ?? "nunca"}\n`);
+    process.stdout.write(`Última revogação remota: ${profileState.lastRemoteRevokeAt ?? "nunca"}\n`);
     if (git.branch) {
         process.stdout.write(`Branch: ${git.branch}\n`);
     }
     process.stdout.write(`Última sincronização: ${profileState.lastSyncAt ?? "nunca"}\n`);
     process.stdout.write(`Status do último sync: ${profileState.lastSyncStatus ?? "desconhecido"}\n`);
-    process.stdout.write(`Último login: ${profileState.lastLoginAt ?? "desconhecido"}\n`);
-    process.stdout.write(`Último logout: ${profileState.lastLogoutAt ?? "nunca"}\n`);
     if (profileState.lastSnapshotPath) {
         process.stdout.write(`Último snapshot local: ${profileState.lastSnapshotPath}\n`);
     }
+    if (profileState.lastAuthFailure) {
+        process.stdout.write(`Última falha de auth: ${profileState.lastAuthFailure}\n`);
+        process.stdout.write(`Falha registrada em: ${profileState.lastAuthFailureAt ?? "desconhecido"}\n`);
+    }
     if (profileState.lastError) {
         process.stdout.write(`Último erro: ${profileState.lastError}\n`);
     }

package/dist/core/auth.d.ts

@@ -1,4 +1,4 @@
-import type { CliConfig, CliProfileConfig } from "../types/config.js";
+import type { CliConfig, CliLoginMode, CliProfileConfig } from "../types/config.js";
 import type { AuthSession } from "../types/auth.js";
 import type { DeviceIdentity, MachineContext, RuntimeContext } from "../types/machine.js";
 import { VectorPlaneApiClient } from "./api.js";
@@ -13,5 +13,5 @@ export declare function runLoginFlow(params: {
     device: DeviceIdentity;
     apiClient: VectorPlaneApiClient;
     logger: Logger;
-    noBrowser?: boolean;
+    loginMode: CliLoginMode;
 }): Promise<AuthSession>;

package/dist/core/auth.js

@@ -25,48 +25,118 @@ export async function openBrowser(url) {
         });
     });
 }
+function printLoginInstructions(loginMode, loginUrl, logger) {
+    if (loginMode === "browser") {
+        logger.info("abrindo navegador para autenticação...");
+        return;
+    }
+    if (loginMode === "manual") {
+        logger.info("login manual habilitado. abra a URL abaixo no navegador:");
+        process.stdout.write(`${loginUrl}\n`);
+        return;
+    }
+    logger.info("login device-like habilitado. use a URL abaixo em qualquer navegador confiável:");
+    process.stdout.write(`${loginUrl}\n`);
+}
+async function waitForCallbackCode(callbackServer, timeoutMs) {
+    try {
+        const callback = await callbackServer.waitForCallback(timeoutMs);
+        return callback.code;
+    }
+    catch (error) {
+        throw new AuthError("Falha no callback local do login do CLI.", error);
+    }
+}
+async function waitForAuthorizedAttempt(params) {
+    const startedAt = Date.now();
+    let announcedAuthorization = false;
+    while (Date.now() - startedAt < params.timeoutMs) {
+        let status;
+        try {
+            status = await params.apiClient.getLoginAttemptStatus(params.attemptId, params.pollToken);
+        }
+        catch (error) {
+            throw new AuthError("Falha ao acompanhar a autorização do login do CLI por polling.", error);
+        }
+        const code = pickAuthorizedCode(status);
+        if (code) {
+            return code;
+        }
+        if (status.status === "authorized" && !announcedAuthorization) {
+            announcedAuthorization = true;
+            params.logger.info("autorização recebida pela API. finalizando sessão...");
+        }
+        await delay(LOGIN_ATTEMPT_POLL_INTERVAL_MS);
+    }
+    throw new AuthError("Tempo esgotado aguardando a confirmação do login do CLI.");
+}
+function pickAuthorizedCode(status) {
+    if ((status.status === "authorized" || status.status === "completed") && typeof status.code === "string" && status.code.length > 0) {
+        return status.code;
+    }
+    return null;
+}
+function delay(ms) {
+    return new Promise((resolve) => {
+        setTimeout(resolve, ms);
+    });
+}
 export async function runLoginFlow(params) {
     const state = generateLoginState();
-    const callbackServer = await createCallbackServer(params.config.callbackHost, params.config.callbackPort, params.config.callbackPath, state);
+    const useLoopback = params.loginMode !== "device";
+    const callbackServer = useLoopback
+        ? await createCallbackServer(params.config.callbackHost, params.config.callbackPort, params.config.callbackPath, state)
+        : null;
     try {
+        const redirectUri = callbackServer?.callbackUrl ?? `http://127.0.0.1/disabled-device-flow/${state}`;
         const loginAttempt = await params.apiClient.createLoginAttempt({
-            redirectUri: callbackServer.callbackUrl,
+            redirectUri,
             state,
             client: CLI_CLIENT_ID,
         });
         const loginUrl = loginAttempt.loginUrl;
-        if (params.noBrowser) {
-            params.logger.info("login manual habilitado. abra a URL abaixo no navegador:");
-            process.stdout.write(`${loginUrl}\n`);
-        }
-        else {
-            params.logger.info("abrindo navegador para autenticação...");
+        printLoginInstructions(params.loginMode, loginUrl, params.logger);
+        if (params.loginMode === "browser") {
             const opened = await openBrowser(loginUrl);
             if (!opened) {
-                params.logger.warn("não foi possível abrir o navegador automaticamente.");
+                params.logger.warn("não foi possível abrir o navegador automaticamente. continue pela URL abaixo.");
                 process.stdout.write(`${loginUrl}\n`);
             }
         }
         params.logger.info("aguardando confirmação...");
-        const code = await Promise.any([
-            callbackServer.waitForCallback(CALLBACK_TIMEOUT_MS).then((callback) => callback.code),
-            waitForAuthorizedAttempt({
+        const code = params.loginMode === "device"
+            ? await waitForAuthorizedAttempt({
                 apiClient: params.apiClient,
                 attemptId: loginAttempt.attemptId,
                 pollToken: loginAttempt.pollToken,
                 timeoutMs: CALLBACK_TIMEOUT_MS,
                 logger: params.logger,
-            }),
-        ]).catch((error) => {
-            throw new AuthError("Não foi possível concluir o login do CLI.", error);
-        });
+            })
+            : await Promise.any([
+                waitForCallbackCode(callbackServer, CALLBACK_TIMEOUT_MS),
+                waitForAuthorizedAttempt({
+                    apiClient: params.apiClient,
+                    attemptId: loginAttempt.attemptId,
+                    pollToken: loginAttempt.pollToken,
+                    timeoutMs: CALLBACK_TIMEOUT_MS,
+                    logger: params.logger,
+                }),
+            ]).catch((error) => {
+                throw new AuthError("Não foi possível concluir o login do CLI.", error);
+            });
         const payload = {
             code,
             client: CLI_CLIENT_ID,
             device: params.machine,
             runtime: params.runtime,
         };
-        const tokenResponse = await params.apiClient.exchangeToken(payload);
+        let tokenResponse;
+        try {
+            tokenResponse = await params.apiClient.exchangeToken(payload);
+        }
+        catch (error) {
+            throw new AuthError("Falha na troca do código do CLI por sessão autenticada.", error);
+        }
         if (!tokenResponse.access_token || !tokenResponse.refresh_token) {
             throw new AuthError("A API retornou uma sessão inválida.");
         }
@@ -80,38 +150,11 @@ export async function runLoginFlow(params) {
             obtainedAt: new Date().toISOString(),
             expiresAt: new Date(Date.now() + tokenResponse.expires_in * 1000).toISOString(),
             lastRefreshAt: null,
+            deviceId: params.device.machineId,
         };
     }
     finally {
-        await callbackServer.close();
+        await callbackServer?.close();
     }
 }
-async function waitForAuthorizedAttempt(params) {
-    const startedAt = Date.now();
-    let announcedAuthorization = false;
-    while (Date.now() - startedAt < params.timeoutMs) {
-        const status = await params.apiClient.getLoginAttemptStatus(params.attemptId, params.pollToken);
-        const code = pickAuthorizedCode(status);
-        if (code) {
-            return code;
-        }
-        if (status.status === "authorized" && !announcedAuthorization) {
-            announcedAuthorization = true;
-            params.logger.info("autorização recebida pela API. finalizando sessão...");
-        }
-        await delay(LOGIN_ATTEMPT_POLL_INTERVAL_MS);
-    }
-    throw new AuthError("Tempo esgotado aguardando a confirmação do login do CLI.");
-}
-function pickAuthorizedCode(status) {
-    if ((status.status === "authorized" || status.status === "completed") && typeof status.code === "string" && status.code.length > 0) {
-        return status.code;
-    }
-    return null;
-}
-function delay(ms) {
-    return new Promise((resolve) => {
-        setTimeout(resolve, ms);
-    });
-}
 //# sourceMappingURL=auth.js.map

package/dist/core/constants.js

@@ -38,9 +38,14 @@ export const DEFAULT_CONFIG = {
         requireSecureStorage: false,
         disableFileSessionFallback: false,
         requireManualLogin: false,
+        requireDeviceLogin: false,
         blockPublicIpLookup: false,
         blockMacAddressCollection: false,
         blockUsernameCollection: false,
+        blockNetworkInterfaceCollection: false,
+        blockCurrentDirectoryCollection: false,
+        blockHomeDirectoryCollection: false,
+        blockShellCollection: false,
     },
 };
 export const DEFAULT_PROFILE_STATE = {
@@ -53,8 +58,10 @@ export const DEFAULT_PROFILE_STATE = {
     lastSnapshotPath: null,
     lastSessionId: null,
     lastLoginAt: null,
+    lastLoginMethod: null,
     lastRefreshAt: null,
     lastLogoutAt: null,
+    lastRemoteRevokeAt: null,
     storageBackend: null,
     storageProtected: null,
     lastAuthFailure: null,
@@ -74,7 +81,20 @@ export const DEFAULT_WORKSPACE_BINDINGS = {
 };
 export const CALLBACK_TIMEOUT_MS = 120_000;
 export const LOGIN_ATTEMPT_POLL_INTERVAL_MS = 1_000;
-export const SENSITIVE_KEYS = ["token", "authorization", "refresh", "secret", "password", "cookie"];
+export const SENSITIVE_KEYS = [
+    "token",
+    "authorization",
+    "refresh",
+    "secret",
+    "password",
+    "cookie",
+    "set-cookie",
+    "session",
+    "machineid",
+    "deviceid",
+    "polltoken",
+    "code",
+];
 export const SAFE_ENV_KEYS = [
     "SHELL",
     "TERM",

package/dist/core/machine.d.ts

@@ -1,4 +1,11 @@
-import type { CliConfig } from "../types/config.js";
+import type { CliConfig, CliPolicyConfig, MachinePrivacyProfile } from "../types/config.js";
 import type { DeviceIdentity, MachineContext, RuntimeContext } from "../types/machine.js";
+export interface ExecutionEnvironmentAssessment {
+    risks: string[];
+    recommendedLoginMode: "browser" | "manual" | "device";
+    loopbackLikelySafe: boolean;
+}
+export declare function assessExecutionEnvironment(): ExecutionEnvironmentAssessment;
+export declare function describePrivacyEnvelope(profile: MachinePrivacyProfile, policy: CliPolicyConfig): Record<string, boolean>;
 export declare function collectRuntimeContext(cliVersion: string, command: string, args: string[]): Promise<RuntimeContext>;
 export declare function collectMachineContext(identity: DeviceIdentity, config: CliConfig): Promise<MachineContext>;

package/dist/core/machine.js

@@ -30,7 +30,7 @@ async function detectPublicIp(timeoutMs) {
         clearTimeout(timer);
     }
 }
-function collectNetworkInterfaces() {
+function collectNetworkInterfaces(includeMacAddress, includeAddresses) {
     const interfaces = os.networkInterfaces();
     const results = [];
     for (const [name, entries] of Object.entries(interfaces)) {
@@ -38,14 +38,48 @@ function collectNetworkInterfaces() {
             results.push({
                 name,
                 family: entry.family,
-                mac: entry.mac,
-                address: entry.address,
+                mac: includeMacAddress ? entry.mac : null,
+                address: includeAddresses ? entry.address : null,
                 internal: entry.internal,
-                cidr: entry.cidr ?? null,
+                cidr: includeAddresses ? (entry.cidr ?? null) : null,
             });
         }
     }
-    return results.sort((left, right) => left.name.localeCompare(right.name) || left.address.localeCompare(right.address));
+    return results.sort((left, right) => left.name.localeCompare(right.name) || String(left.address).localeCompare(String(right.address)));
+}
+export function assessExecutionEnvironment() {
+    const risks = [];
+    if (process.env.WSL_DISTRO_NAME) {
+        risks.push("wsl");
+    }
+    if (process.env.SSH_CONNECTION || process.env.SSH_CLIENT) {
+        risks.push("ssh");
+    }
+    if (process.env.CI === "true") {
+        risks.push("ci");
+    }
+    if (process.env.CONTAINER || process.env.DOCKER_CONTAINER || process.env.KUBERNETES_SERVICE_HOST) {
+        risks.push("container");
+    }
+    const loopbackLikelySafe = risks.length === 0;
+    const recommendedLoginMode = loopbackLikelySafe
+        ? "browser"
+        : risks.includes("ssh") || risks.includes("container") || risks.includes("ci")
+            ? "device"
+            : "manual";
+    return { risks, recommendedLoginMode, loopbackLikelySafe };
+}
+export function describePrivacyEnvelope(profile, policy) {
+    return {
+        username: !policy.blockUsernameCollection && profile !== "minimal",
+        publicIp: !policy.blockPublicIpLookup && profile !== "minimal",
+        networkInterfaces: !policy.blockNetworkInterfaceCollection && profile !== "minimal",
+        networkAddresses: profile === "enterprise" && !policy.blockNetworkInterfaceCollection,
+        macAddress: profile === "enterprise" && !policy.blockMacAddressCollection,
+        currentDirectory: !policy.blockCurrentDirectoryCollection && profile !== "minimal",
+        homeDirectory: !policy.blockHomeDirectoryCollection && profile === "enterprise",
+        shell: !policy.blockShellCollection && profile !== "minimal",
+    };
 }
 export async function collectRuntimeContext(cliVersion, command, args) {
     return {
@@ -62,14 +96,11 @@ export async function collectRuntimeContext(cliVersion, command, args) {
 export async function collectMachineContext(identity, config) {
     const cpus = os.cpus();
     const privacyProfile = config.profiles[config.activeProfile]?.machinePrivacyProfile ?? "standard";
-    const collectPublicIp = !config.policy.blockPublicIpLookup && privacyProfile !== "minimal";
-    const includeMacAddress = !config.policy.blockMacAddressCollection && privacyProfile === "enterprise";
-    const includeUsername = !config.policy.blockUsernameCollection && privacyProfile !== "minimal";
-    const networkInterfaces = collectNetworkInterfaces().map((entry) => ({
-        ...entry,
-        mac: includeMacAddress ? entry.mac : null,
-    }));
-    const publicIp = collectPublicIp ? await detectPublicIp(config.publicIpLookupTimeoutMs) : null;
+    const envelope = describePrivacyEnvelope(privacyProfile, config.policy);
+    const publicIp = envelope.publicIp ? await detectPublicIp(config.publicIpLookupTimeoutMs) : null;
+    const networkInterfaces = envelope.networkInterfaces
+        ? collectNetworkInterfaces(envelope.macAddress, envelope.networkAddresses)
+        : [];
     return {
         machineId: identity.machineId,
         hostname: os.hostname(),
@@ -77,19 +108,19 @@ export async function collectMachineContext(identity, config) {
         osRelease: os.release(),
         architecture: os.arch(),
         kernelVersion: os.version(),
-        username: includeUsername ? os.userInfo().username : null,
+        username: envelope.username ? os.userInfo().username : null,
         timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
         locale: Intl.DateTimeFormat().resolvedOptions().locale,
-        shell: process.env.SHELL ?? null,
-        currentDirectory: process.cwd(),
-        homeDirectory: os.homedir(),
+        shell: envelope.shell ? (process.env.SHELL ?? null) : null,
+        currentDirectory: envelope.currentDirectory ? process.cwd() : null,
+        homeDirectory: envelope.homeDirectory ? os.homedir() : null,
         cpuModel: cpus[0]?.model ?? null,
         cpuCount: cpus.length,
         loadAverage: os.loadavg(),
         memoryTotal: os.totalmem(),
         memoryFree: os.freemem(),
         uptimeSeconds: os.uptime(),
-        networkInterfaces: privacyProfile === "minimal" ? [] : networkInterfaces,
+        networkInterfaces,
         publicIp,
         privacyProfile,
     };

package/dist/index.js

@@ -31,14 +31,14 @@ function printHelp() {
     process.stdout.write("\n");
     process.stdout.write("Comandos principais:\n");
     process.stdout.write("  init [--agent <tipo>] [--workspace <workspace>] [--force]\n");
-    process.stdout.write("  login [--no-browser|--manual]\n");
+    process.stdout.write("  login [--no-browser|--manual|--device]\n");
     process.stdout.write("  logout\n");
     process.stdout.write("  sync [--force]\n");
     process.stdout.write("  status\n");
     process.stdout.write("  task <run|templates|list|inspect|watch|claim|execute|daemon|approve|reject|delegate|step-update|handoff|observability|health>\n");
     process.stdout.write("  registry <list|register|update|deactivate>\n");
     process.stdout.write("  whoami\n");
-    process.stdout.write("  doctor\n");
+    process.stdout.write("  doctor [--policy]\n");
     process.stdout.write("  draft <create|list>\n");
     process.stdout.write("  config <profile|get|set>\n");
     process.stdout.write("  workspace <current|use|resolve|clear|policy|webhook>\n");
@@ -73,7 +73,7 @@ export async function runCli(args) {
             case "whoami":
                 return runWhoAmICommand(cliVersion);
             case "doctor":
-                return runDoctorCommand(cliVersion);
+                return runDoctorCommand(cliVersion, rest);
             case "draft":
                 return runDraftCommand(cliVersion, rest);
             case "config":

package/dist/types/auth.d.ts

@@ -56,4 +56,5 @@ export interface AuthSession {
     obtainedAt: string;
     expiresAt: string;
     lastRefreshAt: string | null;
+    deviceId?: string | null;
 }

package/dist/types/config.d.ts

@@ -1,13 +1,19 @@
 export type VectorPlaneEnvironment = "production" | "preview" | "self-hosted";
 export type MachinePrivacyProfile = "standard" | "minimal" | "enterprise";
 export type SessionStorageBackend = "system" | "file";
+export type CliLoginMode = "browser" | "manual" | "device";
 export interface CliPolicyConfig {
     requireSecureStorage: boolean;
     disableFileSessionFallback: boolean;
     requireManualLogin: boolean;
+    requireDeviceLogin: boolean;
     blockPublicIpLookup: boolean;
     blockMacAddressCollection: boolean;
     blockUsernameCollection: boolean;
+    blockNetworkInterfaceCollection: boolean;
+    blockCurrentDirectoryCollection: boolean;
+    blockHomeDirectoryCollection: boolean;
+    blockShellCollection: boolean;
 }
 export interface CliProfileConfig {
     name: string;
@@ -43,8 +49,10 @@ export interface CliProfileState {
     lastSnapshotPath: string | null;
     lastSessionId: string | null;
     lastLoginAt: string | null;
+    lastLoginMethod: CliLoginMode | null;
     lastRefreshAt: string | null;
     lastLogoutAt: string | null;
+    lastRemoteRevokeAt: string | null;
     storageBackend: SessionStorageBackend | null;
     storageProtected: boolean | null;
     lastAuthFailure: string | null;

package/dist/types/machine.d.ts

@@ -6,7 +6,7 @@ export interface NetworkInterfaceContext {
     name: string;
     family: string;
     mac: string | null;
-    address: string;
+    address: string | null;
     internal: boolean;
     cidr: string | null;
 }
@@ -36,8 +36,8 @@ export interface MachineContext {
     timezone: string;
     locale: string;
     shell: string | null;
-    currentDirectory: string;
-    homeDirectory: string;
+    currentDirectory: string | null;
+    homeDirectory: string | null;
     cpuModel: string | null;
     cpuCount: number;
     loadAverage: number[];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vectorplane/ctrl-cli",
-  "version": "0.1.13",
+  "version": "0.1.14",
   "description": "Official VectorPlane CLI.",
   "type": "module",
   "main": "./dist/index.js",
@@ -14,12 +14,17 @@
   "files": [
     "bin/vp.js",
     "dist/**/*.js",
+    "!dist/**/__tests__/**",
+    "!dist/**/*.test.js",
     "dist/**/*.d.ts",
+    "!dist/**/__tests__/**",
+    "!dist/**/*.test.d.ts",
     "README.md",
     "LICENSE"
   ],
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "type": "git",
@@ -43,7 +48,8 @@
     "pack:dry-run": "npm pack --dry-run",
     "release:check": "npm run check && npm run build && npm run pack:dry-run",
     "prepublishOnly": "npm run release:check",
-    "start": "node ./dist/index.js"
+    "start": "node ./dist/index.js",
+    "test": "vitest run"
   },
   "keywords": [
     "vectorplane",
@@ -56,6 +62,7 @@
   "license": "MIT",
   "devDependencies": {
     "@types/node": "^24.5.2",
-    "typescript": "^5.9.2"
+    "typescript": "^5.9.2",
+    "vitest": "^4.1.3"
   }
 }