@vectorplane/ctrl-cli 0.1.4 → 0.1.6

package/README.md

@@ -14,6 +14,7 @@ npm install -g @vectorplane/ctrl-cli
 
 ```bash
 vp login
+vp logout
 vp status
 vp sync
 ```
@@ -25,8 +26,14 @@ vp sync
 - abre o navegador para autenticação
 - conclui o login com callback local seguro
 - salva a sessão localmente
+- suporta `--no-browser` e `--manual`
 - em ambientes remotos ou isolados, o loopback local pode exigir um fluxo alternativo
 
+### `vp logout`
+
+- revoga a sessão do CLI quando possível
+- remove a sessão local do dispositivo
+
 ### `vp sync`
 
 - coleta contexto local do workspace
@@ -46,6 +53,7 @@ vp sync
   - executa verificações locais e de conectividade
 - `vp config`
   - gerencia perfis e configuração local
+  - inclui `vp config privacy` e `vp config policy`
 - `vp workspace`
   - gerencia o workspace atual
 - `vp session`
@@ -72,9 +80,6 @@ vp sync
 - tokens nunca são impressos no terminal
 - tokens nunca são enviados por query string
 - o callback valida o `state`
-- a sessão fica no diretório do usuário
-
-## Notas de fluxo
-
-O plano de endurecimento do login local está em [docs/cli-auth-hardening-phases.md](/home/developer/Documentos/Projetos/vectorplane-ctrl-cli/docs/cli-auth-hardening-phases.md).
-O desenho multicanal atual do login está em [docs/cli-login-multichannel.md](/home/developer/Documentos/Projetos/vectorplane-ctrl-cli/docs/cli-login-multichannel.md).
+- a sessão usa secure storage do sistema quando disponível
+- existe fallback para arquivo local apenas quando permitido
+- `vp logout` encerra a sessão local e tenta revogação remota

package/dist/commands/config.js

@@ -13,6 +13,8 @@ function setProfileField(profile, key, value) {
             return { ...profile, orgId: value };
         case "environment":
             return { ...profile, environment: value };
+        case "machinePrivacyProfile":
+            return { ...profile, machinePrivacyProfile: value };
         default:
             throw new ValidationError(`Campo de perfil não suportado: ${key}`);
     }
@@ -53,6 +55,53 @@ export async function runConfigCommand(args) {
             return 0;
         }
     }
+    if (subcommand === "privacy") {
+        const action = rest[0] ?? "get";
+        const active = getActiveProfile(config);
+        if (action === "get") {
+            process.stdout.write(`${active.machinePrivacyProfile}\n`);
+            return 0;
+        }
+        if (action === "set") {
+            const value = rest[1];
+            if (!value) {
+                throw new ValidationError("Uso: vp config privacy set <standard|minimal|enterprise>");
+            }
+            const profileName = getStringOption(parsed, "profile") ?? config.activeProfile;
+            const current = config.profiles[profileName];
+            if (!current) {
+                throw new ValidationError(`Perfil ${profileName} não existe.`);
+            }
+            await upsertProfile(profileName, { ...current, machinePrivacyProfile: value });
+            process.stdout.write(`Privacidade da máquina atualizada: ${value}\n`);
+            return 0;
+        }
+    }
+    if (subcommand === "policy") {
+        const action = rest[0] ?? "list";
+        if (action === "list") {
+            process.stdout.write(JSON.stringify(config.policy, null, 2));
+            process.stdout.write("\n");
+            return 0;
+        }
+        if (action === "set") {
+            const key = rest[1];
+            const value = rest[2];
+            if (!key || value === undefined) {
+                throw new ValidationError("Uso: vp config policy set <chave> <true|false>");
+            }
+            const next = {
+                ...config,
+                policy: {
+                    ...config.policy,
+                    [key]: ["1", "true", "yes", "on"].includes(value.toLowerCase()),
+                },
+            };
+            await saveConfig(next);
+            process.stdout.write(`Policy atualizada: ${key}\n`);
+            return 0;
+        }
+    }
     if (subcommand === "get") {
         const key = requirePositional({ ...parsed, positionals: rest }, 0, "Informe a chave a ser lida.");
         const active = getActiveProfile(config);
@@ -63,8 +112,17 @@ export async function runConfigCommand(args) {
             case "telemetryEnabled":
                 process.stdout.write(String(config.telemetryEnabled));
                 break;
+            case "preferredSessionStorage":
+                process.stdout.write(String(config.preferredSessionStorage));
+                break;
             default:
-                process.stdout.write(String(active[key] ?? ""));
+                if (key.startsWith("policy.")) {
+                    const policyKey = key.slice("policy.".length);
+                    process.stdout.write(String(config.policy[policyKey] ?? ""));
+                }
+                else {
+                    process.stdout.write(String(active[key] ?? ""));
+                }
                 break;
         }
         process.stdout.write("\n");
@@ -82,6 +140,25 @@ export async function runConfigCommand(args) {
             process.stdout.write(`Configuração atualizada: ${key}\n`);
             return 0;
         }
+        if (key === "preferredSessionStorage") {
+            const next = { ...config, preferredSessionStorage: value };
+            await saveConfig(next);
+            process.stdout.write(`Configuração atualizada: ${key}\n`);
+            return 0;
+        }
+        if (key.startsWith("policy.")) {
+            const policyKey = key.slice("policy.".length);
+            const next = {
+                ...config,
+                policy: {
+                    ...config.policy,
+                    [policyKey]: ["1", "true", "yes", "on"].includes(value.toLowerCase()),
+                },
+            };
+            await saveConfig(next);
+            process.stdout.write(`Configuração atualizada: ${key}\n`);
+            return 0;
+        }
         const profileName = getStringOption(parsed, "profile") ?? config.activeProfile;
         const current = config.profiles[profileName];
         if (!current) {

package/dist/commands/doctor.js

@@ -1,6 +1,6 @@
 import { access } from "node:fs/promises";
 import { constants as fsConstants } from "node:fs";
-import { configDirectoryExists, ensureSessionAvailable, getConfigDirectoryPath } from "../core/config.js";
+import { configDirectoryExists, ensureSessionAvailable, getConfigDirectoryPath, getSessionStorageInfo } from "../core/config.js";
 import { collectGitContext } from "../core/git.js";
 import { collectMachineContext, collectRuntimeContext } from "../core/machine.js";
 import { loadRuntimeStatus } from "../core/runtime.js";
@@ -18,6 +18,22 @@ async function writable(filePath) {
 function printCheck(label, ok, details) {
     process.stdout.write(`${ok ? "OK" : "FAIL"} ${label}: ${details}\n`);
 }
+function detectExecutionRisks() {
+    const risks = [];
+    if (process.env.WSL_DISTRO_NAME) {
+        risks.push("wsl");
+    }
+    if (process.env.SSH_CONNECTION || process.env.SSH_CLIENT) {
+        risks.push("ssh");
+    }
+    if (process.env.CI === "true") {
+        risks.push("ci");
+    }
+    if (process.env.CONTAINER || process.env.DOCKER_CONTAINER) {
+        risks.push("container");
+    }
+    return risks;
+}
 export async function runDoctorCommand(cliVersion) {
     const runtime = await loadRuntimeStatus();
     const configDirectory = await getConfigDirectoryPath();
@@ -26,10 +42,16 @@ export async function runDoctorCommand(cliVersion) {
         collectGitContext(process.cwd()),
         writable(configDirectory),
     ]);
+    const storage = await getSessionStorageInfo(runtime.profile.name);
+    const risks = detectExecutionRisks();
     printCheck("config_dir", hasConfigDir, configDirectory);
     printCheck("config_dir_writable", canWriteConfig, canWriteConfig ? "gravável" : "sem permissão de escrita");
     printCheck("git", git.isRepository, git.isRepository ? (git.rootPath ?? process.cwd()) : "repositório não detectado");
     printCheck("node", true, process.version);
+    printCheck("privacy_profile", true, runtime.profile.machinePrivacyProfile);
+    printCheck("session_storage", (storage?.protected ?? false) || runtime.config.preferredSessionStorage === "system", storage ? `${storage.backend}:${storage.protected ? "protected" : "file"}` : runtime.config.preferredSessionStorage);
+    printCheck("policy_secure_storage", !runtime.config.policy.requireSecureStorage || storage?.protected === true, JSON.stringify(runtime.config.policy));
+    printCheck("execution_environment", risks.length === 0, risks.length === 0 ? "local" : risks.join(","));
     const apiClient = new VectorPlaneApiClient(runtime.profile.apiBaseUrl, runtime.config.requestTimeoutMs, runtime.logger);
     try {
         const health = await apiClient.getHealth();

package/dist/commands/login.js

@@ -1,12 +1,13 @@
-import { getStringOption, parseArgs } from "../core/cli.js";
+import { getBooleanOption, getStringOption, parseArgs } from "../core/cli.js";
 import { runLoginFlow } from "../core/auth.js";
-import { saveSession, setActiveProfile, updateProfileState, upsertProfile } from "../core/config.js";
+import { getSessionStorageInfo, saveSession, setActiveProfile, updateProfileState, upsertProfile } from "../core/config.js";
 import { collectMachineContext, collectRuntimeContext } from "../core/machine.js";
 import { loadRuntimeStatus } from "../core/runtime.js";
 import { VectorPlaneApiClient } from "../core/api.js";
 export async function runLoginCommand(cliVersion, args) {
     const parsed = parseArgs(args);
     const requestedProfile = getStringOption(parsed, "profile");
+    const noBrowser = getBooleanOption(parsed, "no-browser") || getBooleanOption(parsed, "manual");
     if (requestedProfile) {
         await upsertProfile(requestedProfile, { name: requestedProfile });
         await setActiveProfile(requestedProfile);
@@ -23,13 +24,21 @@ export async function runLoginCommand(cliVersion, args) {
         device: runtime.device,
         apiClient,
         logger: runtime.logger,
+        noBrowser: noBrowser || runtime.config.policy.requireManualLogin,
     });
     await saveSession(session, runtime.profile.name);
+    const storage = await getSessionStorageInfo(runtime.profile.name);
     await upsertProfile(runtime.profile.name, { workspace: session.workspace });
     await updateProfileState(runtime.profile.name, {
         lastCommand: "login",
         lastWorkspace: session.workspace,
         lastError: null,
+        lastLoginAt: session.obtainedAt,
+        lastSessionId: session.sessionId,
+        storageBackend: storage?.backend ?? null,
+        storageProtected: storage?.protected ?? null,
+        lastAuthFailure: null,
+        lastAuthFailureAt: null,
     });
     runtime.logger.success("login realizado com sucesso.");
     process.stdout.write(`Perfil: ${runtime.profile.name}\n`);

package/dist/commands/logout.d.ts

@@ -0,0 +1 @@
+export declare function runLogoutCommand(): Promise<number>;

package/dist/commands/logout.js

@@ -0,0 +1,37 @@
+import { deleteSession, loadSession, updateProfileState } from "../core/config.js";
+import { loadRuntimeStatus } from "../core/runtime.js";
+import { VectorPlaneApiClient } from "../core/api.js";
+import { revokeSession } from "../core/session.js";
+export async function runLogoutCommand() {
+    const runtime = await loadRuntimeStatus();
+    const session = await loadSession(runtime.profile.name);
+    const loggedOutAt = new Date().toISOString();
+    if (!session) {
+        runtime.logger.warn("nenhuma sessão ativa para encerrar.");
+        await updateProfileState(runtime.profile.name, {
+            lastCommand: "logout",
+            lastLogoutAt: loggedOutAt,
+        });
+        return 0;
+    }
+    const apiClient = new VectorPlaneApiClient(runtime.profile.apiBaseUrl, runtime.config.requestTimeoutMs, runtime.logger);
+    try {
+        await revokeSession({ session, apiClient });
+    }
+    catch (error) {
+        runtime.logger.warn("não foi possível revogar a sessão remotamente. removendo a sessão local mesmo assim.");
+        await updateProfileState(runtime.profile.name, {
+            lastAuthFailure: error instanceof Error ? error.message : String(error),
+            lastAuthFailureAt: loggedOutAt,
+        });
+    }
+    await deleteSession(runtime.profile.name);
+    await updateProfileState(runtime.profile.name, {
+        lastCommand: "logout",
+        lastLogoutAt: loggedOutAt,
+        lastSessionId: null,
+    });
+    runtime.logger.success("sessão local encerrada.");
+    return 0;
+}
+//# sourceMappingURL=logout.js.map

package/dist/commands/status.js

@@ -1,15 +1,16 @@
-import { configDirectoryExists, getConfigDirectoryPath, getProfileState, loadQueue, loadSession } from "../core/config.js";
+import { configDirectoryExists, getConfigDirectoryPath, getProfileState, getSessionStorageInfo, loadQueue, loadSession } from "../core/config.js";
 import { collectGitContext } from "../core/git.js";
 import { getBoundWorkspace } from "../core/workspace-binding.js";
 import { loadRuntimeStatus } from "../core/runtime.js";
 export async function runStatusCommand() {
     const runtime = await loadRuntimeStatus();
-    const [hasConfigDir, session, git, configDirectory, queue] = await Promise.all([
+    const [hasConfigDir, session, git, configDirectory, queue, storage] = await Promise.all([
         configDirectoryExists(),
         loadSession(runtime.profile.name),
         collectGitContext(process.cwd()),
         getConfigDirectoryPath(),
         loadQueue(),
+        getSessionStorageInfo(runtime.profile.name),
     ]);
     const rootPath = git.rootPath ?? process.cwd();
     const boundWorkspace = await getBoundWorkspace(rootPath);
@@ -19,6 +20,8 @@ export async function runStatusCommand() {
     process.stdout.write(`Diretório: ${process.cwd()}\n`);
     process.stdout.write(`Persistência local: ${configDirectory}\n`);
     process.stdout.write(`Machine ID: ${runtime.device.machineId}\n`);
+    process.stdout.write(`Privacidade da máquina: ${runtime.profile.machinePrivacyProfile}\n`);
+    process.stdout.write(`Storage de sessão: ${storage ? `${storage.backend}${storage.protected ? " (protegido)" : " (arquivo)"}` : runtime.config.preferredSessionStorage}\n`);
     process.stdout.write(`Fila pendente: ${queuedItems}\n`);
     if (!hasConfigDir || !session) {
         runtime.logger.warn("sessão não encontrada.");
@@ -29,12 +32,16 @@ export async function runStatusCommand() {
     process.stdout.write(`Workspace: ${session.workspace}\n`);
     process.stdout.write(`Workspace vinculado: ${boundWorkspace ?? runtime.profile.workspace ?? "nenhum"}\n`);
     process.stdout.write(`Sessão de agente: ${profileState.lastSessionId ?? "nenhuma"}\n`);
+    process.stdout.write(`Sessão CLI: ${session.sessionId}\n`);
     process.stdout.write(`Expira em: ${session.expiresAt}\n`);
+    process.stdout.write(`Último refresh: ${profileState.lastRefreshAt ?? session.lastRefreshAt ?? "nunca"}\n`);
     if (git.branch) {
         process.stdout.write(`Branch: ${git.branch}\n`);
     }
     process.stdout.write(`Última sincronização: ${profileState.lastSyncAt ?? "nunca"}\n`);
     process.stdout.write(`Status do último sync: ${profileState.lastSyncStatus ?? "desconhecido"}\n`);
+    process.stdout.write(`Último login: ${profileState.lastLoginAt ?? "desconhecido"}\n`);
+    process.stdout.write(`Último logout: ${profileState.lastLogoutAt ?? "nunca"}\n`);
     if (profileState.lastSnapshotPath) {
         process.stdout.write(`Último snapshot local: ${profileState.lastSnapshotPath}\n`);
     }

package/dist/core/api.d.ts

@@ -10,6 +10,10 @@ export declare class VectorPlaneApiClient {
     createLoginAttempt(payload: CreateLoginAttemptRequest): Promise<CreateLoginAttemptResponse>;
     getLoginAttemptStatus(attemptId: string, pollToken: string): Promise<LoginAttemptStatusResponse>;
     refreshToken(payload: RefreshTokenRequest): Promise<AuthTokenExchangeResponse>;
+    revokeToken(payload: RefreshTokenRequest): Promise<{
+        revoked: boolean;
+        sessionId: string | null;
+    }>;
     getCurrentUser(accessToken: string): Promise<CurrentUserResponse>;
     sync(accessToken: string, payload: SyncRequest): Promise<SyncResponse>;
     sendEvent(accessToken: string, payload: EventRequest): Promise<Record<string, unknown>>;

package/dist/core/api.js

@@ -92,6 +92,13 @@ export class VectorPlaneApiClient {
             body: JSON.stringify(payload),
         }, this.timeoutMs, this.logger);
     }
+    async revokeToken(payload) {
+        return requestJson(`${this.apiBaseUrl}/cli/token/revoke`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(payload),
+        }, this.timeoutMs, this.logger);
+    }
     async getCurrentUser(accessToken) {
         return requestJson(`${this.apiBaseUrl}/auth/me`, {
             method: "GET",

package/dist/core/auth.d.ts

@@ -13,4 +13,5 @@ export declare function runLoginFlow(params: {
     device: DeviceIdentity;
     apiClient: VectorPlaneApiClient;
     logger: Logger;
+    noBrowser?: boolean;
 }): Promise<AuthSession>;

package/dist/core/auth.js

@@ -35,12 +35,18 @@ export async function runLoginFlow(params) {
             client: CLI_CLIENT_ID,
         });
         const loginUrl = loginAttempt.loginUrl;
-        params.logger.info("abrindo navegador para autenticação...");
-        const opened = await openBrowser(loginUrl);
-        if (!opened) {
-            params.logger.warn("não foi possível abrir o navegador automaticamente.");
+        if (params.noBrowser) {
+            params.logger.info("login manual habilitado. abra a URL abaixo no navegador:");
             process.stdout.write(`${loginUrl}\n`);
         }
+        else {
+            params.logger.info("abrindo navegador para autenticação...");
+            const opened = await openBrowser(loginUrl);
+            if (!opened) {
+                params.logger.warn("não foi possível abrir o navegador automaticamente.");
+                process.stdout.write(`${loginUrl}\n`);
+            }
+        }
         params.logger.info("aguardando confirmação...");
         const code = await Promise.any([
             callbackServer.waitForCallback(CALLBACK_TIMEOUT_MS).then((callback) => callback.code),
@@ -67,11 +73,13 @@ export async function runLoginFlow(params) {
         return {
             accessToken: tokenResponse.access_token,
             refreshToken: tokenResponse.refresh_token,
+            sessionId: tokenResponse.session_id,
             workspace: tokenResponse.workspace,
             tokenType: tokenResponse.token_type,
             expiresIn: tokenResponse.expires_in,
             obtainedAt: new Date().toISOString(),
             expiresAt: new Date(Date.now() + tokenResponse.expires_in * 1000).toISOString(),
+            lastRefreshAt: null,
         };
     }
     finally {

package/dist/core/config.d.ts

@@ -11,6 +11,10 @@ export declare function setActiveProfile(profileName: string): Promise<CliConfig
 export declare function loadSession(profileName?: string): Promise<AuthSession | null>;
 export declare function saveSession(session: AuthSession, profileName?: string): Promise<void>;
 export declare function deleteSession(profileName?: string): Promise<void>;
+export declare function getSessionStorageInfo(profileName?: string): Promise<{
+    backend: "system" | "file";
+    protected: boolean;
+} | null>;
 export declare function loadState(): Promise<CliState>;
 export declare function saveState(state: CliState): Promise<void>;
 export declare function updateProfileState(profileName: string, patch: Partial<CliProfileState>): Promise<CliState>;

package/dist/core/config.js

@@ -4,6 +4,7 @@ import path from "node:path";
 import { randomUUID } from "node:crypto";
 import { CONFIG_DIRECTORY_NAME, CONFIG_FILE_NAME, DEFAULT_CONFIG, DEFAULT_PROFILE, DEFAULT_PROFILE_NAME, DEFAULT_PROFILE_STATE, DEFAULT_QUEUE, DEFAULT_STATE, DEFAULT_WORKSPACE_BINDINGS, DEVICE_FILE_NAME, QUEUE_FILE_NAME, SESSION_FILE_NAME, SNAPSHOTS_DIRECTORY_NAME, STATE_FILE_NAME, WORKSPACE_BINDINGS_FILE_NAME, } from "./constants.js";
 import { ConfigError } from "./errors.js";
+import { deleteSystemSession, loadSystemSession, resolveSessionStorage, saveSystemSession } from "./secure-store.js";
 function configDirectory() {
     return path.join(os.homedir(), CONFIG_DIRECTORY_NAME);
 }
@@ -72,6 +73,10 @@ export async function loadConfig() {
         ...DEFAULT_CONFIG,
         ...stored,
         profiles,
+        policy: {
+            ...DEFAULT_CONFIG.policy,
+            ...(stored?.policy ?? {}),
+        },
         activeProfile: stored?.activeProfile && profiles[stored.activeProfile] ? stored.activeProfile : DEFAULT_PROFILE_NAME,
     };
 }
@@ -105,7 +110,19 @@ export async function setActiveProfile(profileName) {
     return next;
 }
 async function loadSessionStore() {
-    return (await readJsonFile(configFilePath(SESSION_FILE_NAME))) ?? { profiles: {} };
+    const stored = (await readJsonFile(configFilePath(SESSION_FILE_NAME))) ?? { profiles: {} };
+    const normalizedProfiles = Object.fromEntries(Object.entries(stored.profiles ?? {}).map(([profile, value]) => {
+        if (value && typeof value === "object" && "backend" in value && "session" in value) {
+            return [profile, value];
+        }
+        const legacy = value;
+        return [profile, {
+                backend: "file",
+                protected: false,
+                session: legacy,
+            }];
+    }));
+    return { profiles: normalizedProfiles };
 }
 async function saveSessionStore(store) {
     await writeJsonFile(configFilePath(SESSION_FILE_NAME), store);
@@ -113,22 +130,83 @@ async function saveSessionStore(store) {
 export async function loadSession(profileName) {
     const config = await loadConfig();
     const store = await loadSessionStore();
-    return store.profiles[profileName ?? getActiveProfileName(config)] ?? null;
+    const profile = profileName ?? getActiveProfileName(config);
+    const record = store.profiles[profile];
+    if (!record) {
+        return null;
+    }
+    if (record.backend === "system") {
+        const protectedSession = await loadSystemSession(profile);
+        if (!protectedSession) {
+            return null;
+        }
+        return protectedSession;
+    }
+    if (!record.session.accessToken || !record.session.refreshToken) {
+        return null;
+    }
+    return {
+        accessToken: record.session.accessToken,
+        refreshToken: record.session.refreshToken,
+        sessionId: record.session.sessionId ?? "legacy-session",
+        workspace: record.session.workspace,
+        tokenType: record.session.tokenType,
+        expiresIn: record.session.expiresIn,
+        obtainedAt: record.session.obtainedAt,
+        expiresAt: record.session.expiresAt,
+        lastRefreshAt: record.session.lastRefreshAt ?? null,
+    };
 }
 export async function saveSession(session, profileName) {
     const config = await loadConfig();
     const activeProfile = profileName ?? getActiveProfileName(config);
     const store = await loadSessionStore();
-    store.profiles[activeProfile] = session;
+    const storage = await resolveSessionStorage(config);
+    if (storage.backend === "system") {
+        await saveSystemSession(activeProfile, session);
+        store.profiles[activeProfile] = {
+            backend: "system",
+            protected: true,
+            session: {
+                sessionId: session.sessionId,
+                workspace: session.workspace,
+                tokenType: session.tokenType,
+                expiresIn: session.expiresIn,
+                obtainedAt: session.obtainedAt,
+                expiresAt: session.expiresAt,
+                lastRefreshAt: session.lastRefreshAt,
+            },
+        };
+    }
+    else {
+        store.profiles[activeProfile] = {
+            backend: "file",
+            protected: false,
+            session,
+        };
+    }
     await saveSessionStore(store);
 }
 export async function deleteSession(profileName) {
     const config = await loadConfig();
     const activeProfile = profileName ?? getActiveProfileName(config);
     const store = await loadSessionStore();
+    if (store.profiles[activeProfile]?.backend === "system") {
+        await deleteSystemSession(activeProfile);
+    }
     delete store.profiles[activeProfile];
     await saveSessionStore(store);
 }
+export async function getSessionStorageInfo(profileName) {
+    const config = await loadConfig();
+    const activeProfile = profileName ?? getActiveProfileName(config);
+    const store = await loadSessionStore();
+    const record = store.profiles[activeProfile];
+    if (!record) {
+        return null;
+    }
+    return { backend: record.backend, protected: record.protected };
+}
 export async function loadState() {
     const stored = await readJsonFile(configFilePath(STATE_FILE_NAME));
     const profiles = Object.entries(stored?.profiles ?? DEFAULT_STATE.profiles).reduce((accumulator, [name, value]) => {

package/dist/core/constants.js

@@ -17,6 +17,7 @@ export const DEFAULT_PROFILE = {
     workspace: null,
     orgId: null,
     environment: "production",
+    machinePrivacyProfile: "standard",
 };
 export const DEFAULT_CONFIG = {
     activeProfile: DEFAULT_PROFILE_NAME,
@@ -32,6 +33,15 @@ export const DEFAULT_CONFIG = {
     telemetryEnabled: false,
     queueMaxRetries: 5,
     snapshotStoreLimit: 20,
+    preferredSessionStorage: "system",
+    policy: {
+        requireSecureStorage: false,
+        disableFileSessionFallback: false,
+        requireManualLogin: false,
+        blockPublicIpLookup: false,
+        blockMacAddressCollection: false,
+        blockUsernameCollection: false,
+    },
 };
 export const DEFAULT_PROFILE_STATE = {
     lastSyncAt: null,
@@ -42,6 +52,13 @@ export const DEFAULT_PROFILE_STATE = {
     lastError: null,
     lastSnapshotPath: null,
     lastSessionId: null,
+    lastLoginAt: null,
+    lastRefreshAt: null,
+    lastLogoutAt: null,
+    storageBackend: null,
+    storageProtected: null,
+    lastAuthFailure: null,
+    lastAuthFailureAt: null,
 };
 export const DEFAULT_STATE = {
     activeProfile: DEFAULT_PROFILE_NAME,

package/dist/core/machine.js

@@ -61,6 +61,15 @@ export async function collectRuntimeContext(cliVersion, command, args) {
 }
 export async function collectMachineContext(identity, config) {
     const cpus = os.cpus();
+    const privacyProfile = config.profiles[config.activeProfile]?.machinePrivacyProfile ?? "standard";
+    const collectPublicIp = !config.policy.blockPublicIpLookup && privacyProfile !== "minimal";
+    const includeMacAddress = !config.policy.blockMacAddressCollection && privacyProfile === "enterprise";
+    const includeUsername = !config.policy.blockUsernameCollection && privacyProfile !== "minimal";
+    const networkInterfaces = collectNetworkInterfaces().map((entry) => ({
+        ...entry,
+        mac: includeMacAddress ? entry.mac : null,
+    }));
+    const publicIp = collectPublicIp ? await detectPublicIp(config.publicIpLookupTimeoutMs) : null;
     return {
         machineId: identity.machineId,
         hostname: os.hostname(),
@@ -68,7 +77,7 @@ export async function collectMachineContext(identity, config) {
         osRelease: os.release(),
         architecture: os.arch(),
         kernelVersion: os.version(),
-        username: os.userInfo().username,
+        username: includeUsername ? os.userInfo().username : null,
         timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
         locale: Intl.DateTimeFormat().resolvedOptions().locale,
         shell: process.env.SHELL ?? null,
@@ -80,8 +89,9 @@ export async function collectMachineContext(identity, config) {
         memoryTotal: os.totalmem(),
         memoryFree: os.freemem(),
         uptimeSeconds: os.uptime(),
-        networkInterfaces: collectNetworkInterfaces(),
-        publicIp: await detectPublicIp(config.publicIpLookupTimeoutMs),
+        networkInterfaces: privacyProfile === "minimal" ? [] : networkInterfaces,
+        publicIp,
+        privacyProfile,
     };
 }
 //# sourceMappingURL=machine.js.map

package/dist/core/secure-store.d.ts

@@ -0,0 +1,10 @@
+import type { AuthSession } from "../types/auth.js";
+import type { CliConfig } from "../types/config.js";
+export interface SessionStorageInfo {
+    backend: "system" | "file";
+    protected: boolean;
+}
+export declare function resolveSessionStorage(config: CliConfig): Promise<SessionStorageInfo>;
+export declare function saveSystemSession(profileName: string, session: AuthSession): Promise<SessionStorageInfo>;
+export declare function loadSystemSession(profileName: string): Promise<AuthSession | null>;
+export declare function deleteSystemSession(profileName: string): Promise<void>;

package/dist/core/secure-store.js

@@ -0,0 +1,137 @@
+import { execFile, spawn } from "node:child_process";
+import { promisify } from "node:util";
+import { ConfigError } from "./errors.js";
+const execFileAsync = promisify(execFile);
+const SERVICE_NAME = "vectorplane-ctrl-cli";
+async function commandExists(command) {
+    try {
+        await execFileAsync("sh", ["-lc", `command -v ${command}`]);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function storeMacSession(profileName, session) {
+    await execFileAsync("security", [
+        "add-generic-password",
+        "-a",
+        profileName,
+        "-s",
+        SERVICE_NAME,
+        "-U",
+        "-w",
+        JSON.stringify(session),
+    ]);
+}
+async function loadMacSession(profileName) {
+    try {
+        const { stdout } = await execFileAsync("security", [
+            "find-generic-password",
+            "-a",
+            profileName,
+            "-s",
+            SERVICE_NAME,
+            "-w",
+        ]);
+        return JSON.parse(stdout.trim());
+    }
+    catch {
+        return null;
+    }
+}
+async function deleteMacSession(profileName) {
+    try {
+        await execFileAsync("security", ["delete-generic-password", "-a", profileName, "-s", SERVICE_NAME]);
+    }
+    catch {
+        // Ignore missing entry.
+    }
+}
+async function storeLinuxSession(profileName, session) {
+    await new Promise((resolve, reject) => {
+        const child = spawn("secret-tool", ["store", "--label", `VectorPlane CLI ${profileName}`, "service", SERVICE_NAME, "account", profileName], {
+            stdio: ["pipe", "ignore", "pipe"],
+        });
+        let stderr = "";
+        child.stderr.on("data", (chunk) => {
+            stderr += String(chunk);
+        });
+        child.on("error", reject);
+        child.on("close", (code) => {
+            if (code === 0) {
+                resolve();
+                return;
+            }
+            reject(new ConfigError(stderr.trim() || "Falha ao salvar sessão no secure storage do sistema."));
+        });
+        child.stdin.write(JSON.stringify(session));
+        child.stdin.end();
+    });
+}
+async function loadLinuxSession(profileName) {
+    try {
+        const { stdout } = await execFileAsync("secret-tool", ["lookup", "service", SERVICE_NAME, "account", profileName]);
+        return JSON.parse(stdout.trim());
+    }
+    catch {
+        return null;
+    }
+}
+async function deleteLinuxSession(profileName) {
+    try {
+        await execFileAsync("secret-tool", ["clear", "service", SERVICE_NAME, "account", profileName]);
+    }
+    catch {
+        // Ignore missing entry.
+    }
+}
+async function systemBackendAvailable() {
+    if (process.platform === "darwin") {
+        return commandExists("security");
+    }
+    if (process.platform === "linux") {
+        return commandExists("secret-tool");
+    }
+    return false;
+}
+export async function resolveSessionStorage(config) {
+    const systemAvailable = await systemBackendAvailable();
+    if (config.preferredSessionStorage === "system" && systemAvailable) {
+        return { backend: "system", protected: true };
+    }
+    if (config.policy.requireSecureStorage || config.policy.disableFileSessionFallback) {
+        throw new ConfigError("Secure storage do sistema é obrigatório neste perfil, mas não está disponível.");
+    }
+    return { backend: "file", protected: false };
+}
+export async function saveSystemSession(profileName, session) {
+    if (process.platform === "darwin") {
+        await storeMacSession(profileName, session);
+        return { backend: "system", protected: true };
+    }
+    if (process.platform === "linux") {
+        await storeLinuxSession(profileName, session);
+        return { backend: "system", protected: true };
+    }
+    throw new ConfigError("Secure storage não suportado neste sistema operacional.");
+}
+export async function loadSystemSession(profileName) {
+    if (process.platform === "darwin") {
+        return loadMacSession(profileName);
+    }
+    if (process.platform === "linux") {
+        return loadLinuxSession(profileName);
+    }
+    return null;
+}
+export async function deleteSystemSession(profileName) {
+    if (process.platform === "darwin") {
+        await deleteMacSession(profileName);
+        return;
+    }
+    if (process.platform === "linux") {
+        await deleteLinuxSession(profileName);
+    }
+}
+//# sourceMappingURL=secure-store.js.map

package/dist/core/session.d.ts

@@ -13,4 +13,11 @@ export declare function ensureFreshSession(params: {
     apiClient: VectorPlaneApiClient;
     logger: Logger;
 }): Promise<AuthSession>;
+export declare function revokeSession(params: {
+    session: AuthSession;
+    apiClient: VectorPlaneApiClient;
+}): Promise<{
+    revoked: boolean;
+    sessionId: string | null;
+}>;
 export declare function resolveWorkspaceSlug(profile: CliProfileConfig, session: AuthSession | null, explicit: string | undefined, bound: string | null, stateWorkspace: string | null): string | null;

package/dist/core/session.js

@@ -1,6 +1,6 @@
 import { AuthError } from "./errors.js";
 import { CLI_CLIENT_ID } from "./constants.js";
-import { saveSession } from "./config.js";
+import { saveSession, updateProfileState } from "./config.js";
 export function isSessionExpired(session, offsetMs = 60_000) {
     return new Date(session.expiresAt).getTime() <= Date.now() + offsetMs;
 }
@@ -20,15 +20,31 @@ export async function ensureFreshSession(params) {
     const nextSession = {
         accessToken: refreshed.access_token,
         refreshToken: refreshed.refresh_token,
+        sessionId: refreshed.session_id || params.session.sessionId,
         workspace: refreshed.workspace || params.session.workspace,
         tokenType: refreshed.token_type,
         expiresIn: refreshed.expires_in,
         obtainedAt: new Date().toISOString(),
         expiresAt: new Date(Date.now() + refreshed.expires_in * 1000).toISOString(),
+        lastRefreshAt: new Date().toISOString(),
     };
     await saveSession(nextSession, params.profileName);
+    await updateProfileState(params.profileName, {
+        lastRefreshAt: nextSession.lastRefreshAt,
+        lastSessionId: nextSession.sessionId,
+        lastError: null,
+        lastAuthFailure: null,
+        lastAuthFailureAt: null,
+    });
     return nextSession;
 }
+export async function revokeSession(params) {
+    const refreshPayload = {
+        refresh_token: params.session.refreshToken,
+        client: CLI_CLIENT_ID,
+    };
+    return params.apiClient.revokeToken(refreshPayload);
+}
 export function resolveWorkspaceSlug(profile, session, explicit, bound, stateWorkspace) {
     return explicit ?? bound ?? profile.workspace ?? session?.workspace ?? stateWorkspace ?? null;
 }

package/dist/index.js

@@ -7,6 +7,7 @@ import { runContextCommand } from "./commands/context.js";
 import { runDoctorCommand } from "./commands/doctor.js";
 import { runEventCommand } from "./commands/event.js";
 import { runLoginCommand } from "./commands/login.js";
+import { runLogoutCommand } from "./commands/logout.js";
 import { runSessionCommand } from "./commands/session.js";
 import { runStatusCommand } from "./commands/status.js";
 import { runSyncCommand } from "./commands/sync.js";
@@ -25,7 +26,8 @@ function printHelp() {
     process.stdout.write("Uso: vp <comando>\n");
     process.stdout.write("\n");
     process.stdout.write("Comandos principais:\n");
-    process.stdout.write("  login\n");
+    process.stdout.write("  login [--no-browser|--manual]\n");
+    process.stdout.write("  logout\n");
     process.stdout.write("  sync [--force]\n");
     process.stdout.write("  status\n");
     process.stdout.write("  whoami\n");
@@ -50,6 +52,8 @@ export async function runCli(args) {
                 return runLoginCommand(cliVersion, rest);
             case "sync":
                 return runSyncCommand(cliVersion, rest);
+            case "logout":
+                return runLogoutCommand();
             case "status":
                 return runStatusCommand();
             case "whoami":

package/dist/types/auth.d.ts

@@ -31,6 +31,7 @@ export interface AuthTokenExchangeResponse {
     workspace: string;
     expires_in: number;
     token_type: string;
+    session_id: string;
 }
 export interface RefreshTokenRequest {
     refresh_token: string;
@@ -48,9 +49,11 @@ export interface CurrentUserResponse {
 export interface AuthSession {
     accessToken: string;
     refreshToken: string;
+    sessionId: string;
     workspace: string;
     tokenType: string;
     expiresIn: number;
     obtainedAt: string;
     expiresAt: string;
+    lastRefreshAt: string | null;
 }

package/dist/types/config.d.ts

@@ -1,4 +1,14 @@
 export type VectorPlaneEnvironment = "production" | "preview" | "self-hosted";
+export type MachinePrivacyProfile = "standard" | "minimal" | "enterprise";
+export type SessionStorageBackend = "system" | "file";
+export interface CliPolicyConfig {
+    requireSecureStorage: boolean;
+    disableFileSessionFallback: boolean;
+    requireManualLogin: boolean;
+    blockPublicIpLookup: boolean;
+    blockMacAddressCollection: boolean;
+    blockUsernameCollection: boolean;
+}
 export interface CliProfileConfig {
     name: string;
     apiBaseUrl: string;
@@ -6,6 +16,7 @@ export interface CliProfileConfig {
     workspace: string | null;
     orgId: string | null;
     environment: VectorPlaneEnvironment;
+    machinePrivacyProfile: MachinePrivacyProfile;
 }
 export interface CliConfig {
     activeProfile: string;
@@ -19,6 +30,8 @@ export interface CliConfig {
     telemetryEnabled: boolean;
     queueMaxRetries: number;
     snapshotStoreLimit: number;
+    preferredSessionStorage: SessionStorageBackend;
+    policy: CliPolicyConfig;
 }
 export interface CliProfileState {
     lastSyncAt: string | null;
@@ -29,6 +42,13 @@ export interface CliProfileState {
     lastError: string | null;
     lastSnapshotPath: string | null;
     lastSessionId: string | null;
+    lastLoginAt: string | null;
+    lastRefreshAt: string | null;
+    lastLogoutAt: string | null;
+    storageBackend: SessionStorageBackend | null;
+    storageProtected: boolean | null;
+    lastAuthFailure: string | null;
+    lastAuthFailureAt: string | null;
 }
 export interface CliState {
     activeProfile: string;

package/dist/types/machine.d.ts

@@ -5,7 +5,7 @@ export interface SafeEnvironmentVariable {
 export interface NetworkInterfaceContext {
     name: string;
     family: string;
-    mac: string;
+    mac: string | null;
     address: string;
     internal: boolean;
     cidr: string | null;
@@ -32,7 +32,7 @@ export interface MachineContext {
     osRelease: string;
     architecture: string;
     kernelVersion: string;
-    username: string;
+    username: string | null;
     timezone: string;
     locale: string;
     shell: string | null;
@@ -46,4 +46,5 @@ export interface MachineContext {
     uptimeSeconds: number;
     networkInterfaces: NetworkInterfaceContext[];
     publicIp: string | null;
+    privacyProfile: "standard" | "minimal" | "enterprise";
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vectorplane/ctrl-cli",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "Official VectorPlane CLI.",
   "type": "module",
   "main": "./dist/index.js",