agent-insights 0.0.1 → 0.0.6

package/dist/cli.js

@@ -1,15 +1,13 @@
 #!/usr/bin/env node
-
-// src/cli.ts
-import { Command } from "commander";
-
-// src/commands/cursor.ts
-import { spawn } from "child_process";
-import { randomUUID } from "crypto";
-
-// src/config/config.ts
-import { mkdir, readFile, writeFile } from "fs/promises";
-import { dirname } from "path";
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 
 // src/config/paths.ts
 import { homedir } from "os";
@@ -20,18 +18,278 @@ function configRoot() {
 function configFile() {
   return join(configRoot(), "config.json");
 }
+function authFile() {
+  return join(configRoot(), "auth.json");
+}
 function sessionCacheDir() {
   return join(configRoot(), "session-cache");
 }
 function logsDir() {
   return join(configRoot(), "logs");
 }
+var init_paths = __esm({
+  "src/config/paths.ts"() {
+    "use strict";
+  }
+});
+
+// src/auth/oauth.ts
+import { createHash as createHash2, randomBytes } from "crypto";
+import { exec } from "child_process";
+import { createServer } from "http";
+import { platform } from "os";
+function generateCodeVerifier() {
+  return randomBytes(48).toString("base64url");
+}
+function generateCodeChallenge(verifier) {
+  return createHash2("sha256").update(verifier).digest("base64url");
+}
+function generateState() {
+  return randomBytes(16).toString("hex");
+}
+async function startPkceFlow(timeoutMs = 12e4) {
+  const codeVerifier = generateCodeVerifier();
+  const codeChallenge = generateCodeChallenge(codeVerifier);
+  const state = generateState();
+  const authUrl = new URL(AUTH_ENDPOINT);
+  authUrl.searchParams.set("client_id", CLIENT_ID);
+  authUrl.searchParams.set("response_type", "code");
+  authUrl.searchParams.set("redirect_uri", REDIRECT_URI);
+  authUrl.searchParams.set("scope", SCOPES);
+  authUrl.searchParams.set("code_challenge", codeChallenge);
+  authUrl.searchParams.set("code_challenge_method", "S256");
+  authUrl.searchParams.set("state", state);
+  const url = authUrl.toString();
+  const codePromise = listenForCallback(state, timeoutMs);
+  openBrowser(url);
+  process.stderr.write(`
+If the browser did not open, visit:
+  ${url}
+
+`);
+  const code = await codePromise;
+  return { code, codeVerifier };
+}
+function listenForCallback(expectedState, timeoutMs) {
+  return new Promise((resolve, reject) => {
+    const server = createServer((req, res) => {
+      const url = new URL(req.url ?? "/", `http://localhost:${CALLBACK_PORT}`);
+      if (url.pathname !== "/callback") {
+        res.writeHead(404);
+        res.end("Not found");
+        return;
+      }
+      const code = url.searchParams.get("code");
+      const returnedState = url.searchParams.get("state");
+      const error = url.searchParams.get("error");
+      const html = (msg) => `<html><body style="font-family:sans-serif;text-align:center;padding:80px"><h2>${msg}</h2><p>You can close this tab.</p></body></html>`;
+      if (error) {
+        res.writeHead(400, { "content-type": "text/html" });
+        res.end(html(`Login failed: ${error}`));
+        server.close();
+        reject(new Error(`OAuth error: ${error}`));
+        return;
+      }
+      if (returnedState !== expectedState) {
+        res.writeHead(400, { "content-type": "text/html" });
+        res.end(html("Invalid state parameter \u2014 please try again."));
+        server.close();
+        reject(new Error("State mismatch \u2014 possible CSRF"));
+        return;
+      }
+      if (!code) {
+        res.writeHead(400, { "content-type": "text/html" });
+        res.end(html("No authorization code received."));
+        server.close();
+        reject(new Error("No code in callback"));
+        return;
+      }
+      res.writeHead(200, { "content-type": "text/html" });
+      res.end(html("\u2713 Logged in! You can close this tab."));
+      server.close();
+      resolve(code);
+    });
+    const timer = setTimeout(() => {
+      server.close();
+      reject(new Error("Login timed out \u2014 no response within 2 minutes."));
+    }, timeoutMs);
+    timer.unref();
+    server.listen(CALLBACK_PORT, "127.0.0.1", () => {
+    });
+    server.on("error", (err) => {
+      clearTimeout(timer);
+      if (err.code === "EADDRINUSE") {
+        reject(
+          new Error(
+            `Port ${CALLBACK_PORT} is already in use. Close any other agent-insights login process and try again.`
+          )
+        );
+      } else {
+        reject(err);
+      }
+    });
+  });
+}
+async function exchangeCodeForToken(code, codeVerifier) {
+  const res = await fetch(TOKEN_ENDPOINT, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      client_id: CLIENT_ID,
+      code,
+      code_verifier: codeVerifier,
+      redirect_uri: REDIRECT_URI
+    })
+  });
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`Token exchange failed (${res.status}): ${body}`);
+  }
+  return res.json();
+}
+async function refreshAccessToken(refreshToken) {
+  const res = await fetch(TOKEN_ENDPOINT, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      client_id: CLIENT_ID,
+      refresh_token: refreshToken
+    })
+  });
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`Token refresh failed (${res.status}): ${body}`);
+  }
+  return res.json();
+}
+async function fetchUserInfo(accessToken) {
+  const res = await fetch(USERINFO_ENDPOINT, {
+    headers: { authorization: `Bearer ${accessToken}` }
+  });
+  if (!res.ok) {
+    throw new Error(`Failed to fetch user info (${res.status})`);
+  }
+  return res.json();
+}
+function openBrowser(url) {
+  const os = platform();
+  let cmd;
+  if (os === "darwin") cmd = `open "${url}"`;
+  else if (os === "win32") cmd = `start "" "${url}"`;
+  else cmd = `xdg-open "${url}"`;
+  exec(cmd, () => {
+  });
+}
+var CLIENT_ID, AUTH_ENDPOINT, TOKEN_ENDPOINT, USERINFO_ENDPOINT, CALLBACK_PORT, REDIRECT_URI, SCOPES;
+var init_oauth = __esm({
+  "src/auth/oauth.ts"() {
+    "use strict";
+    CLIENT_ID = process.env.AGENT_INSIGHTS_CLIENT_ID ?? "cl_TxqqNFTHcF9kEtM48LBFsYfwjhJ9T8sz";
+    AUTH_ENDPOINT = "https://vercel.com/oauth/authorize";
+    TOKEN_ENDPOINT = "https://api.vercel.com/login/oauth/token";
+    USERINFO_ENDPOINT = "https://api.vercel.com/login/oauth/userinfo";
+    CALLBACK_PORT = 9797;
+    REDIRECT_URI = `http://localhost:${CALLBACK_PORT}/callback`;
+    SCOPES = "openid email profile offline_access";
+  }
+});
+
+// src/auth/store.ts
+var store_exports = {};
+__export(store_exports, {
+  clearAuth: () => clearAuth,
+  getValidToken: () => getValidToken,
+  loadAuth: () => loadAuth,
+  saveAuth: () => saveAuth
+});
+import { chmod, readFile as readFile4, writeFile as writeFile4 } from "fs/promises";
+import { dirname as dirname4 } from "path";
+import { mkdir as mkdir4 } from "fs/promises";
+async function loadAuth() {
+  try {
+    const raw = await readFile4(authFile(), "utf8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed.accessToken === "string" && parsed.accessToken.length > 0) {
+      return parsed;
+    }
+    return void 0;
+  } catch (err) {
+    if (err.code === "ENOENT") return void 0;
+    throw err;
+  }
+}
+async function saveAuth(state) {
+  const path = authFile();
+  await mkdir4(dirname4(path), { recursive: true });
+  await writeFile4(path, `${JSON.stringify(state, null, 2)}
+`, {
+    encoding: "utf8",
+    mode: 384
+  });
+  try {
+    await chmod(path, 384);
+  } catch {
+  }
+}
+async function clearAuth() {
+  const { unlink } = await import("fs/promises");
+  try {
+    await unlink(authFile());
+  } catch (err) {
+    if (err.code !== "ENOENT") throw err;
+  }
+}
+async function getValidToken() {
+  const auth = await loadAuth();
+  if (!auth) return void 0;
+  const needsRefresh = Date.now() >= auth.expiresAt - REFRESH_BUFFER_MS;
+  if (!needsRefresh) return auth.accessToken;
+  if (!auth.refreshToken) {
+    await clearAuth();
+    return void 0;
+  }
+  try {
+    const tokens = await refreshAccessToken(auth.refreshToken);
+    const refreshed = {
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token ?? auth.refreshToken,
+      expiresAt: Date.now() + tokens.expires_in * 1e3
+    };
+    await saveAuth(refreshed);
+    return refreshed.accessToken;
+  } catch {
+    await clearAuth();
+    return void 0;
+  }
+}
+var REFRESH_BUFFER_MS;
+var init_store = __esm({
+  "src/auth/store.ts"() {
+    "use strict";
+    init_paths();
+    init_oauth();
+    REFRESH_BUFFER_MS = 6e4;
+  }
+});
+
+// src/cli.ts
+import { Command } from "commander";
+
+// src/commands/cursor.ts
+import { spawn } from "child_process";
+import { randomUUID } from "crypto";
 
 // src/config/config.ts
+init_paths();
+import { mkdir, readFile, writeFile } from "fs/promises";
+import { dirname } from "path";
 function defaultConfig() {
   return {
     version: 1,
     enabled: true,
+    hooksScope: "global",
     vercel: {
       team: "vercel-labs",
       project: "agent-insights"
@@ -55,7 +313,6 @@ function defaultConfig() {
     sessionAnalysis: {
       enabled: false,
       analyzerUrl: process.env.AGENT_INSIGHTS_ANALYZER_URL ?? "",
-      secretEnv: "AGENT_INSIGHTS_INGEST_SECRET",
       githubIssueRepo: "vercel-labs/agent-insights"
     },
     agents: {
@@ -329,6 +586,7 @@ import { rm } from "fs/promises";
 
 // src/adapters/claude-code.ts
 import { mkdir as mkdir2, readFile as readFile2, writeFile as writeFile2 } from "fs/promises";
+import { homedir as homedir2 } from "os";
 import { dirname as dirname2, join as join2 } from "path";
 var HOOK_COMMAND_NAME = "agent-insights";
 var HOOK_MAP = {
@@ -367,8 +625,8 @@ var claudeCodeAdapter = {
       ...transcriptPath !== void 0 ? { transcriptPath } : {}
     };
   },
-  async install(repoRoot) {
-    const path = join2(repoRoot, ".claude/settings.json");
+  async install(repoRoot, scope = "global") {
+    const path = resolveClaudePath(repoRoot, scope);
     const settings = await readJson(path);
     const next = { ...settings ?? {} };
     const hooks = { ...next.hooks ?? {} };
@@ -388,8 +646,8 @@ var claudeCodeAdapter = {
 `, "utf8");
     return { written: true, path };
   },
-  async uninstall(repoRoot) {
-    const path = join2(repoRoot, ".claude/settings.json");
+  async uninstall(repoRoot, scope = "global") {
+    const path = resolveClaudePath(repoRoot, scope);
     const settings = await readJson(path);
     if (!settings?.hooks) return { removed: false, path };
     const hooks = { ...settings.hooks };
@@ -410,9 +668,9 @@ var claudeCodeAdapter = {
 `, "utf8");
     return { removed: touched, path };
   },
-  async isInstalled(repoRoot) {
+  async isInstalled(repoRoot, scope = "global") {
     const settings = await readJson(
-      join2(repoRoot, ".claude/settings.json")
+      resolveClaudePath(repoRoot, scope)
     );
     if (!settings?.hooks) return false;
     return Object.values(settings.hooks).some(
@@ -420,6 +678,9 @@ var claudeCodeAdapter = {
     );
   }
 };
+function resolveClaudePath(repoRoot, scope) {
+  return scope === "global" ? join2(homedir2(), ".claude", "settings.json") : join2(repoRoot, ".claude", "settings.json");
+}
 function isAgentInsightsCommand(cmd) {
   if (!cmd) return false;
   return cmd.startsWith(`${HOOK_COMMAND_NAME} hook`);
@@ -439,15 +700,25 @@ function asString(v) {
 
 // src/adapters/cursor.ts
 import { mkdir as mkdir3, readFile as readFile3, writeFile as writeFile3 } from "fs/promises";
+import { homedir as homedir3 } from "os";
 import { dirname as dirname3, join as join3 } from "path";
 var HOOK_COMMAND_NAME2 = "agent-insights";
 var HOOK_MAP2 = {
-  SessionStart: "session.start",
-  SessionEnd: "session.end",
-  UserPromptSubmit: "user.prompt.submit",
-  PreToolUse: "tool.start",
-  PostToolUse: "tool.end",
-  Stop: "agent.stop"
+  sessionStart: "session.start",
+  sessionEnd: "session.end",
+  beforeSubmitPrompt: "user.prompt.submit",
+  preToolUse: "tool.start",
+  postToolUse: "tool.end",
+  postToolUseFailure: "tool.failure",
+  subagentStart: "subagent.start",
+  subagentStop: "subagent.end",
+  stop: "agent.stop",
+  preCompact: "context.compact.start",
+  // Additional events — mapped to existing schema types
+  beforeShellExecution: "tool.start",
+  afterShellExecution: "tool.end",
+  afterFileEdit: "tool.end",
+  workspaceOpen: "session.start"
 };
 var CURSOR_HOOK_EVENTS = Object.keys(HOOK_MAP2);
 var cursorAdapter = {
@@ -459,9 +730,9 @@ var cursorAdapter = {
     const type = HOOK_MAP2[payload.event];
     if (!type) return void 0;
     const data = payload.data ?? {};
-    const sessionId = asString2(data["session_id"]) ?? asString2(data["sessionId"]);
+    const sessionId = asString2(data["session_id"]) ?? asString2(data["sessionId"]) ?? asString2(data["conversation_id"]);
     const toolName = asString2(data["tool_name"]) ?? asString2(data["toolName"]);
-    const transcriptPath = asString2(data["transcript_path"]) ?? asString2(data["transcriptPath"]);
+    const transcriptPath = asString2(data["transcript_path"]) ?? asString2(data["transcriptPath"]) ?? asString2(process.env.CURSOR_TRANSCRIPT_PATH);
     return {
       type,
       ...sessionId !== void 0 ? { sessionId } : {},
@@ -469,10 +740,13 @@ var cursorAdapter = {
       ...transcriptPath !== void 0 ? { transcriptPath } : {}
     };
   },
-  async install(repoRoot) {
-    const path = join3(repoRoot, ".cursor/hooks.json");
+  async install(repoRoot, scope = "global") {
+    const path = resolveCursorPath(repoRoot, scope);
     const settings = await readJson2(path);
-    const next = { ...settings ?? {} };
+    const next = {
+      version: 1,
+      ...settings ?? {}
+    };
     const hooks = { ...next.hooks ?? {} };
     for (const event of CURSOR_HOOK_EVENTS) {
       const existing = (hooks[event] ?? []).filter(
@@ -487,8 +761,8 @@ var cursorAdapter = {
 `, "utf8");
     return { written: true, path };
   },
-  async uninstall(repoRoot) {
-    const path = join3(repoRoot, ".cursor/hooks.json");
+  async uninstall(repoRoot, scope = "global") {
+    const path = resolveCursorPath(repoRoot, scope);
     const settings = await readJson2(path);
     if (!settings?.hooks) return { removed: false, path };
     const hooks = { ...settings.hooks };
@@ -509,9 +783,9 @@ var cursorAdapter = {
 `, "utf8");
     return { removed: touched, path };
   },
-  async isInstalled(repoRoot) {
+  async isInstalled(repoRoot, scope = "global") {
     const settings = await readJson2(
-      join3(repoRoot, ".cursor/hooks.json")
+      resolveCursorPath(repoRoot, scope)
     );
     if (!settings?.hooks) return false;
     return Object.values(settings.hooks).some(
@@ -519,6 +793,9 @@ var cursorAdapter = {
     );
   }
 };
+function resolveCursorPath(repoRoot, scope) {
+  return scope === "global" ? join3(homedir3(), ".cursor", "hooks.json") : join3(repoRoot, ".cursor", "hooks.json");
+}
 function isAgentInsightsCommand2(cmd) {
   if (!cmd) return false;
   return cmd.startsWith(`${HOOK_COMMAND_NAME2} hook`);
@@ -544,6 +821,7 @@ var adapters = {
 var adapterList = Object.values(adapters);
 
 // src/commands/disable.ts
+init_paths();
 async function runDisable(opts) {
   const repoRoot = process.cwd();
   const targets = opts.agent ? [opts.agent] : adapterList.map((a) => a.id);
@@ -576,12 +854,12 @@ async function runDisable(opts) {
 }
 
 // src/commands/doctor.ts
-import { existsSync } from "fs";
-import { join as join4 } from "path";
 import kleur2 from "kleur";
+init_paths();
+init_store();
 
 // src/transcript/store.ts
-import { readFile as readFile4 } from "fs/promises";
+import { readFile as readFile5 } from "fs/promises";
 import { put } from "@vercel/blob";
 var NoopTranscriptStore = class {
   async upload() {
@@ -599,14 +877,14 @@ var BlobTranscriptStore = class {
   token;
   prefix;
   async upload(input) {
-    const body = await readFile4(input.transcriptPath);
+    const body = await readFile5(input.transcriptPath);
     const requestedPath = buildPathname(
       this.prefix,
       input.userHash,
       input.sessionId
     );
     const blob = await put(requestedPath, body, {
-      access: "public",
+      access: "private",
       token: this.token,
       contentType: "application/jsonl",
       addRandomSuffix: true
@@ -620,6 +898,11 @@ var BlobTranscriptStore = class {
 };
 function createTranscriptStore(cfg) {
   if (cfg.type === "none") return new NoopTranscriptStore();
+  if (cfg.type === "analyzer") {
+    throw new Error(
+      "transcript store: type=analyzer uploads are handled by the hook command directly"
+    );
+  }
   const token = process.env[cfg.tokenEnv];
   if (!token) {
     throw new Error(
@@ -638,6 +921,12 @@ function buildPathname(prefix, userHash2, sessionId) {
 async function runDoctor(opts) {
   const repoRoot = process.cwd();
   const checks = [];
+  const token = await getValidToken();
+  checks.push({
+    name: "logged in",
+    ok: token != null,
+    ...token ? {} : { detail: "run `agent-insights login`" }
+  });
   const cfg = await loadConfig();
   checks.push({
     name: "config found",
@@ -645,11 +934,6 @@ async function runDoctor(opts) {
     detail: cfg ? configFile() : `missing ${configFile()}`
   });
   if (cfg) {
-    checks.push({
-      name: "vercel project linked",
-      ok: existsSync(join4(repoRoot, ".vercel/project.json")),
-      detail: "run `vercel link --scope vercel-labs --project agent-insights`"
-    });
     if (cfg.userConsent.transcriptSync) {
       try {
         const store = createTranscriptStore(cfg.transcriptStore);
@@ -674,11 +958,11 @@ async function runDoctor(opts) {
     for (const adapter of adapterList) {
       const enabled = adapter.id === "claude-code" ? cfg.agents.claudeCode.enabled : cfg.agents.cursor.enabled;
       if (!enabled) continue;
-      const installed = await adapter.isInstalled(repoRoot);
+      const installed = await adapter.isInstalled(repoRoot, cfg.hooksScope);
       checks.push({
         name: `${adapter.label} hooks installed`,
         ok: installed,
-        detail: installed ? join4(repoRoot, adapter.settingsFile) : "run `agent-insights init`"
+        ...installed ? {} : { detail: "run `agent-insights init`" }
       });
     }
   }
@@ -736,7 +1020,6 @@ async function runHook(eventName, opts) {
       if (cfg.userConsent.sessionAnalysis && cfg.sessionAnalysis.analyzerUrl) {
         await notifyAnalyzer({
           analyzerUrl: cfg.sessionAnalysis.analyzerUrl,
-          secretEnv: cfg.sessionAnalysis.secretEnv,
           payload: {
             sessionId: mapped.sessionId ?? "unknown",
             agent: adapter.id,
@@ -754,11 +1037,12 @@ async function runHook(eventName, opts) {
 }
 async function notifyAnalyzer(opts) {
   try {
+    const { getValidToken: getValidToken2 } = await Promise.resolve().then(() => (init_store(), store_exports));
+    const token = await getValidToken2();
     const headers = {
       "content-type": "application/json"
     };
-    const secret = process.env[opts.secretEnv];
-    if (secret) headers["x-agent-insights-secret"] = secret;
+    if (token) headers["authorization"] = `Bearer ${token}`;
     const url = new URL("/api/sessions", opts.analyzerUrl).toString();
     const res = await fetch(url, {
       method: "POST",
@@ -847,9 +1131,9 @@ function parseJsonObject(raw) {
 }
 
 // src/commands/init.ts
-import { existsSync as existsSync2 } from "fs";
-import { join as join5 } from "path";
 import kleur3 from "kleur";
+init_paths();
+init_store();
 var CONSENT_TEXT = `Agent Insights is opt-in (internal).
 
 OTLP / lifecycle metrics: event names, timestamps, tool names, outcomes,
@@ -861,6 +1145,11 @@ username stored as SHA256 only.
 SessionEnd analysis (optional): an internal LLM reviews transcript for
 tooling gaps; may post to Slack with a GitHub issue link.`;
 async function runInit(opts) {
+  const token = await getValidToken();
+  if (!token) {
+    log.fail("Not logged in. Run `agent-insights login` first.");
+    process.exit(1);
+  }
   log.info(kleur3.bold("Agent Insights setup\n"));
   log.hint(CONSENT_TEXT);
   log.info("");
@@ -885,11 +1174,10 @@ async function runInit(opts) {
     for (const adapter of adapterList) {
       const enabled = adapter.id === "claude-code" && cfg.agents.claudeCode.enabled || adapter.id === "cursor" && cfg.agents.cursor.enabled;
       if (!enabled) continue;
-      const { path } = await adapter.install(repoRoot);
+      const { path } = await adapter.install(repoRoot, cfg.hooksScope);
       log.ok(`Installed ${adapter.label} hooks \u2192 ${rel(path)}`);
     }
   }
-  printVercelHint(repoRoot);
   log.info("");
   log.info(`Config root: ${configRoot()}`);
   log.hint("Run `agent-insights doctor` to verify the setup.");
@@ -903,29 +1191,65 @@ function parseAgents(value) {
   }
   return out;
 }
-function printVercelHint(repoRoot) {
-  const linked = existsSync2(join5(repoRoot, ".vercel/project.json"));
-  const envFile = existsSync2(join5(repoRoot, ".env.local"));
-  if (!linked) {
-    log.hint(
-      "Vercel project not linked. Run `vercel link --scope vercel-labs --project agent-insights`."
-    );
+function rel(p) {
+  const cwd = process.cwd();
+  return p.startsWith(cwd) ? p.slice(cwd.length + 1) : p;
+}
+
+// src/commands/login.ts
+init_oauth();
+init_store();
+import kleur4 from "kleur";
+var ALLOWED_DOMAIN = "vercel.com";
+async function runLogin() {
+  log.info(kleur4.bold("Signing in with Vercel...\n"));
+  let pkceResult;
+  try {
+    log.hint(`Listening on ${REDIRECT_URI} \u2014 opening browser...`);
+    pkceResult = await startPkceFlow();
+  } catch (err) {
+    log.fail(`Login failed: ${err.message}`);
+    process.exit(1);
+  }
+  let tokens;
+  try {
+    tokens = await exchangeCodeForToken(pkceResult.code, pkceResult.codeVerifier);
+  } catch (err) {
+    log.fail(`Token exchange failed: ${err.message}`);
+    process.exit(1);
   }
-  if (!envFile) {
-    log.hint(
-      "No .env.local found. Run `vercel env pull .env.local` to fetch BLOB_READ_WRITE_TOKEN."
+  let userInfo2;
+  try {
+    userInfo2 = await fetchUserInfo(tokens.access_token);
+  } catch (err) {
+    log.fail(`Could not fetch user info: ${err.message}`);
+    process.exit(1);
+  }
+  if (!userInfo2.email?.endsWith(`@${ALLOWED_DOMAIN}`) || !userInfo2.email_verified) {
+    log.fail(
+      `Only @${ALLOWED_DOMAIN} accounts are allowed. Got: ${userInfo2.email ?? "(no email)"}`
     );
+    process.exit(1);
   }
+  await saveAuth({
+    accessToken: tokens.access_token,
+    ...tokens.refresh_token !== void 0 ? { refreshToken: tokens.refresh_token } : {},
+    expiresAt: Date.now() + tokens.expires_in * 1e3
+  });
+  const name = userInfo2.preferred_username ?? userInfo2.email;
+  log.ok(`Logged in as ${kleur4.bold(name)} (${userInfo2.email})`);
+  log.hint("Run `agent-insights init` to install hooks globally.");
 }
-function rel(p) {
-  const cwd = process.cwd();
-  return p.startsWith(cwd) ? p.slice(cwd.length + 1) : p;
+async function runLogout() {
+  await clearAuth();
+  log.ok("Logged out.");
 }
 
 // src/commands/status.ts
-import { existsSync as existsSync3 } from "fs";
-import { join as join6 } from "path";
-import kleur4 from "kleur";
+import { existsSync } from "fs";
+import { join as join4 } from "path";
+import kleur5 from "kleur";
+init_paths();
 async function runStatus(opts) {
   const cfg = await loadConfig();
   const repoRoot = process.cwd();
@@ -949,46 +1273,52 @@ async function runStatus(opts) {
       enabled: cfg.enabled,
       consent: cfg.userConsent,
       vercel: {
-        linked: existsSync3(join6(repoRoot, ".vercel/project.json")),
-        envFile: existsSync3(join6(repoRoot, ".env.local"))
+        linked: existsSync(join4(repoRoot, ".vercel/project.json")),
+        envFile: existsSync(join4(repoRoot, ".env.local"))
       },
       adapters: adapterStatus
     });
     return;
   }
-  log.info(kleur4.bold("Agent Insights status\n"));
+  log.info(kleur5.bold("Agent Insights status\n"));
   log.info(`config       ${configFile()}`);
   log.info(`enabled      ${cfg.enabled ? "yes" : "no"}`);
   log.info("");
-  log.info(kleur4.bold("Consent"));
+  log.info(kleur5.bold("Consent"));
   log.info(`  event telemetry   ${yn(cfg.userConsent.eventTelemetry)}`);
   log.info(`  transcript sync   ${yn(cfg.userConsent.transcriptSync)}`);
   log.info(`  session analysis  ${yn(cfg.userConsent.sessionAnalysis)}`);
   log.info("");
-  log.info(kleur4.bold("Adapters"));
+  log.info(kleur5.bold("Adapters"));
   for (const a of adapterStatus) {
     log.info(
       `  ${a.label.padEnd(12)} ${a.enabled ? "enabled" : "disabled"}   hooks ${a.installed ? "installed" : "not installed"}`
     );
   }
   log.info("");
-  log.info(kleur4.bold("Vercel"));
+  log.info(kleur5.bold("Vercel"));
   log.info(
-    `  linked      ${yn(existsSync3(join6(repoRoot, ".vercel/project.json")))}`
+    `  linked      ${yn(existsSync(join4(repoRoot, ".vercel/project.json")))}`
   );
-  log.info(`  .env.local  ${yn(existsSync3(join6(repoRoot, ".env.local")))}`);
+  log.info(`  .env.local  ${yn(existsSync(join4(repoRoot, ".env.local")))}`);
 }
 function yn(v) {
-  return v ? kleur4.green("yes") : kleur4.dim("no");
+  return v ? kleur5.green("yes") : kleur5.dim("no");
 }
 
 // src/cli.ts
-var VERSION = "0.0.1";
+var VERSION = "0.0.2";
 var program = new Command();
 program.name("agent-insights").description(
   "Internal CLI for AI coding agent observability (Claude Code, Cursor)."
 ).version(VERSION);
-program.command("init").description("Set up agent-insights in this repo.").option(
+program.command("login").description("Authenticate with Vercel (Sign in with Vercel).").action(async () => {
+  await runLogin();
+});
+program.command("logout").description("Clear stored credentials.").action(async () => {
+  await runLogout();
+});
+program.command("init").description("Install agent hooks globally (run once per machine).").option(
   "--agents <list>",
   "Comma-separated agent ids (claude-code,cursor)",
   "claude-code,cursor"