auramaxx 0.0.11 → 0.0.13

package/src/server/cli/commands/agent.ts

@@ -39,13 +39,11 @@ import {
   putApprovalContext,
   getClaimedToken,
   consumeClaimedToken,
-  getActiveSessionToken,
-  clearActiveSessionToken,
 } from '../lib/approval-context';
 
 // ── Auth ──────────────────────────────────────────────────────────────
 
-type AuthSource = 'socket' | 'env' | 'stored_session' | 'auth';
+type AuthSource = 'socket' | 'env' | 'auth';
 
 interface AuthSession {
   token: string;
@@ -62,33 +60,15 @@ async function getAuthToken(
     return { token: envToken, source: 'env' };
   }
 
-  const storedSession = getActiveSessionToken();
-  if (storedSession?.token) {
-    try {
-      const validateRes = await fetch(`${serverUrl()}/auth/validate`, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ token: storedSession.token }),
-        signal: AbortSignal.timeout(5_000),
-      });
-      const validateData = await validateRes.json().catch(() => ({})) as { valid?: boolean };
-      if (validateRes.ok && validateData.valid === true) {
-        if (storedSession.privateKeyPem) {
-          return { token: storedSession.token, source: 'stored_session', privateKeyPem: storedSession.privateKeyPem };
-        }
-        // Old session entries may not have private key material; drop and re-bootstrap.
-        clearActiveSessionToken();
-      }
-      clearActiveSessionToken();
-    } catch {
-      // If server validation is unavailable, keep the normal auth fallback chain.
-    }
-  }
-
+  let socketError: unknown;
   try {
     const token = await bootstrapViaSocket('cli-agent', keypair);
+    if (!token || typeof token !== 'string') {
+      throw new Error('Socket auth returned empty token.');
+    }
     return { token, source: 'socket', privateKeyPem: keypair.privateKeyPem };
   } catch (socketErr) {
+    socketError = socketErr;
     const socketMessage = getErrorMessage(socketErr).toLowerCase();
     const indicatesLockedAgent =
       socketMessage.includes('wallet is locked') ||
@@ -98,29 +78,29 @@ async function getAuthToken(
     if (indicatesLockedAgent) {
       throw new Error('Agent is locked. Run `auramaxx unlock` and retry.');
     }
+  }
 
-    if (authSelection?.profile) {
-      const result = await bootstrapViaAuthRequest(serverUrl(), 'cli-agent', keypair, {
-        ...authSelection,
-        noWait: true,
-        onStatus: (message) => console.error(message),
-      });
-      if (result.approveUrl) {
-        console.error(`Approve at: ${result.approveUrl}`);
-      }
-      console.error(`After approval, re-run with: AURA_TOKEN=<token> npx auramaxx agent ...`);
-      console.error(`Or use: npx auramaxx auth request --profile ${authSelection.profile} --raw-token`);
-      process.exit(1);
-    }
-
-    const token = await bootstrapViaAuthRequest(serverUrl(), 'cli-agent', keypair, {
+  if (authSelection?.profile) {
+    const result = await bootstrapViaAuthRequest(serverUrl(), 'cli-agent', keypair, {
       ...authSelection,
+      noWait: true,
       onStatus: (message) => console.error(message),
-    }).catch((authErr) => {
-      throw new Error(`${getErrorMessage(socketErr)}\n${getErrorMessage(authErr)}`);
     });
-    return { token, source: 'auth', privateKeyPem: keypair.privateKeyPem };
+    if (result.approveUrl) {
+      console.error(`Approve at: ${result.approveUrl}`);
+    }
+    console.error('After approval, re-run with: AURA_TOKEN=<token> npx auramaxx agent ...');
+    console.error(`Or use: npx auramaxx auth request --profile ${authSelection.profile} --raw-token`);
+    process.exit(1);
   }
+
+  const token = await bootstrapViaAuthRequest(serverUrl(), 'cli-agent', keypair, {
+    ...authSelection,
+    onStatus: (message) => console.error(message),
+  }).catch((authErr) => {
+    throw new Error(`${getErrorMessage(socketError)}\n${getErrorMessage(authErr)}`);
+  });
+  return { token, source: 'auth', privateKeyPem: keypair.privateKeyPem };
 }
 
 async function getReadToken(input: {
@@ -209,6 +189,40 @@ interface ShareCreateResponse {
 
 // ── API helpers ───────────────────────────────────────────────────────
 
+function shellQuote(arg: string): string {
+  if (/^[A-Za-z0-9_./:=+-]+$/.test(arg)) return arg;
+  return `'${arg.replace(/'/g, `'\"'\"'`)}'`;
+}
+
+function buildOriginalCommand(args: string[]): string {
+  const rendered = args.map(shellQuote).join(' ').trim();
+  return rendered ? `npx auramaxx ${rendered}` : 'npx auramaxx';
+}
+
+function appendReqIdPlaceholder(command: string): string {
+  const normalized = command.trim();
+  if (!normalized) return '--reqId <reqId>';
+  if (/\s--(?:reqId|req-id|requestId|request-id)(?:\s|=|$)/.test(normalized)) {
+    return normalized;
+  }
+  return `${normalized} --reqId <reqId>`;
+}
+
+function materializeRetryCommand(command: string | undefined, reqId: string): string {
+  const base = String(command || '').trim();
+  if (!base) return `<retry_original_command> --reqId ${reqId}`;
+  let next = base.replace(/<reqId>/g, reqId);
+  next = next
+    .replace(/--req-id\s+\S+/g, `--reqId ${reqId}`)
+    .replace(/--request-id\s+\S+/g, `--reqId ${reqId}`)
+    .replace(/--requestId\s+\S+/g, `--reqId ${reqId}`)
+    .replace(/--reqId\s+\S+/g, `--reqId ${reqId}`);
+  if (!/\s--(?:reqId|req-id|requestId|request-id)(?:\s|=|$)/.test(next)) {
+    next = `${next} --reqId ${reqId}`;
+  }
+  return next;
+}
+
 async function listCredentials(token: string, query?: string): Promise<CredentialMeta[]> {
   const qs = query ? `?q=${encodeURIComponent(query)}` : '';
   const res = await fetch(`${serverUrl()}/credentials${qs}`, {
@@ -230,11 +244,16 @@ async function readCredential(
   privateKeyPem: string,
   options?: {
     retryCommandTemplate?: string;
+    originalCommand?: string;
   },
 ): Promise<DecryptedCredential> {
+  const originalCommand = String(options?.originalCommand || '').trim();
   const res = await fetch(`${serverUrl()}/credentials/${credentialId}/read`, {
     method: 'POST',
-    headers: { 'Authorization': `Bearer ${readToken}` },
+    headers: {
+      'Authorization': `Bearer ${readToken}`,
+      ...(originalCommand ? { 'X-Aura-Original-Command': originalCommand } : {}),
+    },
     signal: AbortSignal.timeout(8_000),
   });
   if (!res.ok) {
@@ -268,7 +287,9 @@ async function readCredential(
         };
       }
     }
-    if (await handlePermissionDenied(res.status, escalationBody)) process.exit(1);
+    if (await handlePermissionDenied(res.status, escalationBody, {
+      retryCommandTemplate: options?.retryCommandTemplate,
+    })) process.exit(1);
     throw new Error(`Read failed (${res.status}): ${text}`);
   }
 
@@ -298,10 +319,18 @@ async function searchCredentials(token: string, name: string): Promise<Credentia
   return [];
 }
 
-async function fetchTotpCode(credentialId: string, token: string): Promise<{ code: string; remaining: number }> {
+async function fetchTotpCode(
+  credentialId: string,
+  token: string,
+  options?: { originalCommand?: string },
+): Promise<{ code: string; remaining: number }> {
+  const originalCommand = String(options?.originalCommand || '').trim();
   const res = await fetch(`${serverUrl()}/credentials/${credentialId}/totp`, {
     method: 'POST',
-    headers: { 'Authorization': `Bearer ${token}` },
+    headers: {
+      'Authorization': `Bearer ${token}`,
+      ...(originalCommand ? { 'X-Aura-Original-Command': originalCommand } : {}),
+    },
     signal: AbortSignal.timeout(8_000),
   });
   if (!res.ok) {
@@ -608,7 +637,7 @@ function showHelp(): void {
     '  --password <pwd>         Share password (implies accessMode=password)',
     '  --one-time               Share one-time-only access',
     '  --location <v>           Delete location: active|archive|recently_deleted',
-    '  --reqId <id>             Retry using a previously claimed one-shot approval token',
+    '  --reqId <id>             Retry using a previously claimed one-shot approval token (aliases: --req-id, --requestId, --request-id)',
     '  --profile <p>            /auth fallback profile when socket is blocked',
     '  --profile-version <v>    /auth fallback profile version',
     '  --profile-overrides <j>  Tighten-only profile override JSON',
@@ -671,7 +700,9 @@ export function parseArgs(args: string[]): {
   const sharePassword = passwordIdx !== -1 ? parseableArgs[passwordIdx + 1] : undefined;
   const locationIdx = parseableArgs.indexOf('--location');
   const deleteLocation = locationIdx !== -1 ? parseableArgs[locationIdx + 1] : undefined;
-  const reqIdIdx = parseableArgs.indexOf('--reqId');
+  const reqIdFlag = ['--reqId', '--req-id', '--requestId', '--request-id']
+    .find((flag) => parseableArgs.includes(flag));
+  const reqIdIdx = reqIdFlag ? parseableArgs.indexOf(reqIdFlag) : -1;
   const reqId = reqIdIdx !== -1 ? parseableArgs[reqIdIdx + 1] : undefined;
   const profileIdx = parseableArgs.indexOf('--profile');
   const authProfile = profileIdx !== -1 ? parseableArgs[profileIdx + 1] : undefined;
@@ -688,7 +719,7 @@ export function parseArgs(args: string[]): {
     : undefined;
 
   const knownValueFlags = new Set([
-    '--field', '--name', '--env', '--agent', '--expires-after', '--password', '--location', '--reqId', '--profile', '--profile-version', '--profile-overrides', '--type', '--tags',
+    '--field', '--name', '--env', '--agent', '--expires-after', '--password', '--location', '--reqId', '--req-id', '--requestId', '--request-id', '--profile', '--profile-version', '--profile-overrides', '--type', '--tags',
   ]);
   const knownBooleanFlags = new Set(['--json', '--first', '--totp', '--one-time', '--danger-plaintext']);
 
@@ -862,8 +893,9 @@ interface ResolvedReadAuthContext {
   consumeAfterAttempt: boolean;
 }
 
-function missingOrExpiredClaimPayload(reqId: string): Record<string, unknown> {
+function missingOrExpiredClaimPayload(reqId: string, retryCommandTemplate?: string): Record<string, unknown> {
   const claimCommand = `npx auramaxx auth claim ${reqId} --json`;
+  const retryCommand = materializeRetryCommand(retryCommandTemplate, reqId);
   return {
     success: false,
     requiresHumanApproval: false,
@@ -882,18 +914,18 @@ function missingOrExpiredClaimPayload(reqId: string): Record<string, unknown> {
     retryAction: {
       transport: 'cli',
       kind: 'command',
-      command: `<retry_original_command> --reqId ${reqId}`,
+      command: retryCommand,
     },
     instructions: [
       `1) Ask a human to approve request ${reqId} in dashboard`,
       `2) Claim token: ${claimCommand}`,
-      `3) Retry original command with --reqId ${reqId}`,
+      `3) Run this exact command: ${retryCommand}`,
     ],
   };
 }
 
-function printMissingOrExpiredClaim(reqId: string): void {
-  console.error(JSON.stringify(missingOrExpiredClaimPayload(reqId), null, 2));
+function printMissingOrExpiredClaim(reqId: string, retryCommandTemplate?: string): void {
+  console.error(JSON.stringify(missingOrExpiredClaimPayload(reqId, retryCommandTemplate), null, 2));
 }
 
 async function resolveReadAuthContext(input: {
@@ -902,12 +934,13 @@ async function resolveReadAuthContext(input: {
   decryptPrivateKeyPem: string;
   authSelection?: ProfileIssuanceSelection;
   reqId?: string;
+  retryCommandTemplate?: string;
 }): Promise<ResolvedReadAuthContext | null> {
   const reqId = String(input.reqId || '').trim();
   if (reqId) {
     const claimed = getClaimedToken(reqId);
     if (!claimed) {
-      printMissingOrExpiredClaim(reqId);
+      printMissingOrExpiredClaim(reqId, input.retryCommandTemplate);
       return null;
     }
     return {
@@ -977,7 +1010,7 @@ async function runSecretExec(command: string[], envVarName: string, secretValue:
 
 function resolveSetType(typeName: string | undefined): { requestType: string; normalizedType: string; defaultFieldKey: string } {
   const normalizedType = normalizeCredentialType(typeName);
-  const requestType = ['login', 'card', 'note', 'plain_note', 'hot_wallet', 'api', 'apikey', 'custom', 'passkey', 'oauth2', 'ssh', 'gpg'].includes(normalizedType)
+  const requestType = ['login', 'card', 'sso', 'note', 'plain_note', 'hot_wallet', 'api', 'apikey', 'custom', 'passkey', 'oauth2', 'ssh', 'gpg'].includes(normalizedType)
     ? normalizedType
     : 'custom';
   const defaultFieldKey = getCredentialPrimaryFieldKey(normalizedType);
@@ -1101,6 +1134,8 @@ export async function runAgentCli(args: string[]): Promise<number> {
     ...(authProfileVersion ? { profileVersion: authProfileVersion } : {}),
     ...(profileOverrides ? { profileOverrides } : {}),
   };
+  const originalCommand = buildOriginalCommand(args);
+  const retryCommandTemplate = appendReqIdPlaceholder(originalCommand);
 
   try {
     const { token, source: authSource, privateKeyPem: authPrivateKeyPem } = await getAuthToken(keypair, authSelection);
@@ -1131,6 +1166,7 @@ export async function runAgentCli(args: string[]): Promise<number> {
           decryptPrivateKeyPem,
           authSelection,
           reqId,
+          retryCommandTemplate,
         });
         if (!readAuthContext) return 1;
         let fieldMatches: boolean[] = [];
@@ -1138,7 +1174,8 @@ export async function runAgentCli(args: string[]): Promise<number> {
           fieldMatches = await Promise.all(credentials.map(async (credential) => {
             try {
               const decrypted = await readCredential(credential.id, readAuthContext.readToken, readAuthContext.privateKeyPem, {
-                retryCommandTemplate: 'npx auramaxx agent list --field <field> --reqId <reqId>',
+                retryCommandTemplate,
+                originalCommand,
               });
               return matchesListFieldFilter(credential, decrypted, listFieldQuery);
             } catch {
@@ -1208,12 +1245,14 @@ export async function runAgentCli(args: string[]): Promise<number> {
         decryptPrivateKeyPem,
         authSelection,
         reqId,
+        retryCommandTemplate,
       });
       if (!readAuthContext) return 1;
 
       try {
         const decrypted = await readCredential(target.id, readAuthContext.readToken, readAuthContext.privateKeyPem, {
-          retryCommandTemplate: `npx auramaxx ${isInjectShortcut ? 'inject' : 'secret exec'} "${target.name}" --reqId <reqId>`,
+          retryCommandTemplate,
+          originalCommand,
         });
         const primarySecret = resolvePrimarySecretField(
           normalizeCredentialType(decrypted.type || target.type),
@@ -1245,7 +1284,7 @@ export async function runAgentCli(args: string[]): Promise<number> {
       });
 
       if (flagTotp) {
-        const totp = await fetchTotpCode(target.id, token);
+        const totp = await fetchTotpCode(target.id, token, { originalCommand });
         process.stdout.write(totp.code);
         return 0;
       }
@@ -1256,13 +1295,15 @@ export async function runAgentCli(args: string[]): Promise<number> {
         decryptPrivateKeyPem,
         authSelection,
         reqId,
+        retryCommandTemplate,
       });
       if (!readAuthContext) return 1;
 
       let decrypted: DecryptedCredential;
       try {
         decrypted = await readCredential(target.id, readAuthContext.readToken, readAuthContext.privateKeyPem, {
-          retryCommandTemplate: `npx auramaxx agent get "${target.name}" --reqId <reqId>`,
+          retryCommandTemplate,
+          originalCommand,
         });
       } finally {
         finalizeReadAuthContext(readAuthContext);
@@ -1271,7 +1312,7 @@ export async function runAgentCli(args: string[]): Promise<number> {
       const hasTotpField = decrypted.fields.some((f) => f.key === 'totp' || f.key === 'otp');
       if (hasTotpField) {
         try {
-          const totp = await fetchTotpCode(target.id, token);
+          const totp = await fetchTotpCode(target.id, token, { originalCommand });
           decrypted.fields.push({ key: 'totp_code', value: totp.code, type: 'text', sensitive: false });
         } catch {
           // ignore TOTP enrichment failure
@@ -1377,11 +1418,13 @@ export async function runAgentCli(args: string[]): Promise<number> {
             decryptPrivateKeyPem,
             authSelection,
             reqId,
+            retryCommandTemplate,
           });
           if (!readAuthContext) return 1;
           try {
             const decrypted = await readCredential(target.id, readAuthContext.readToken, readAuthContext.privateKeyPem, {
-              retryCommandTemplate: `npx auramaxx agent set "${target.name}" <value> --reqId <reqId>`,
+              retryCommandTemplate,
+              originalCommand,
             });
             const existing = [...decrypted.fields];
             for (const next of setFields) {
@@ -1476,11 +1519,13 @@ export async function runAgentCli(args: string[]): Promise<number> {
           decryptPrivateKeyPem,
           authSelection,
           reqId,
+          retryCommandTemplate,
         });
         if (!readAuthContext) return 1;
         try {
           const decrypted = await readCredential(target.id, readAuthContext.readToken, readAuthContext.privateKeyPem, {
-            retryCommandTemplate: `npx auramaxx agent share "${target.name}" --reqId <reqId>`,
+            retryCommandTemplate,
+            originalCommand,
           });
           gistFields = mergeCredentialFields(
             normalizedType,

package/src/server/cli/commands/approve.ts

@@ -23,7 +23,7 @@ function showHelp(): void {
     '  --json                       JSON output',
     '',
     'Auth bootstrap options (when AURA_TOKEN is not set):',
-    '  --profile <id>               /auth fallback profile (default: strict)',
+    '  --profile <id>               /auth fallback profile (default: trust.localProfile, then dev)',
     '  --profile-version <v>        /auth fallback profile version (default: v1)',
     '  --profile-overrides <json>   Tighten-only profile override JSON',
     '',

package/src/server/cli/commands/auth.ts

@@ -5,6 +5,7 @@
 import {
   decryptWithPrivateKey,
   generateEphemeralKeypair,
+  resolveAuthFallbackProfileConfig,
   type ProfileIssuanceSelection,
 } from '../../lib/credential-transport';
 import { buildApprovalClaimFlow, buildPollUrl } from '../../lib/approval-flow';
@@ -43,7 +44,7 @@ interface ParsedCommon {
 
 interface ParsedRequestFlags extends ParsedCommon {
   agentId: string;
-  profile: string;
+  profile?: string;
   profileVersion?: string;
   profileOverrides?: JsonObject;
   action?: { endpoint: string; method: string; body?: JsonObject };
@@ -127,8 +128,8 @@ function showHelp(): void {
   ], [
     'Request options:',
     '  --agent-id <id>              Agent id (default: cli-auth)',
-    '  --profile <id>               Profile id (default: dev)',
-    '  --profile-version <v>        Profile version (default: v1)',
+    '  --profile <id>               Profile id (default: trust.localProfile; seed: admin)',
+    '  --profile-version <v>        Profile version (default: trust.localProfileVersion; seed: v1)',
     '  --profile-overrides <json>   Tighten-only profile override JSON',
     '  --action <json>              Pre-computed action to auto-execute on approval',
     '                               JSON: {"endpoint":"/send","method":"POST","body":{...}}',
@@ -240,8 +241,8 @@ function parseRequestFlags(args: string[]): ParsedRequestFlags {
   return {
     ...common,
     agentId: getFlagValue(args, '--agent-id') || 'cli-auth',
-    profile: getFlagValue(args, '--profile') || 'dev',
-    profileVersion: getFlagValue(args, '--profile-version') || 'v1',
+    profile: getFlagValue(args, '--profile'),
+    profileVersion: getFlagValue(args, '--profile-version'),
     profileOverrides: parseJsonObjectFlag(args, '--profile-overrides'),
     action: parseActionFlag(args),
   };
@@ -349,10 +350,50 @@ function maskToken(token: string): string {
   return `${token.slice(0, 20)}...${token.slice(-4)}`;
 }
 
+function shellQuote(arg: string): string {
+  if (/^[A-Za-z0-9_./:=+-]+$/.test(arg)) return arg;
+  return `'${arg.replace(/'/g, `'\"'\"'`)}'`;
+}
+
+function buildAuthRequestRetryCommand(input: {
+  agentId: string;
+  profile: string;
+  profileVersion?: string;
+  profileOverrides?: JsonObject;
+  action?: { endpoint: string; method: string; body?: JsonObject };
+}): string {
+  const args: string[] = ['npx', 'auramaxx', 'auth', 'request', '--profile', input.profile];
+  if (input.agentId && input.agentId !== 'cli-auth') {
+    args.push('--agent-id', input.agentId);
+  }
+  if (input.profileVersion && input.profileVersion !== 'v1') {
+    args.push('--profile-version', input.profileVersion);
+  }
+  if (input.profileOverrides) {
+    args.push('--profile-overrides', JSON.stringify(input.profileOverrides));
+  }
+  if (input.action) {
+    args.push('--action', JSON.stringify(input.action));
+  }
+  args.push('--json');
+  return args.map(shellQuote).join(' ');
+}
+
+function resolveRetryCommandTemplate(template: string | undefined, reqId: string): string {
+  const candidate = String(template || '').trim().replaceAll('<reqId>', reqId);
+  if (candidate && !candidate.includes('<retry_original_command>')) {
+    return candidate;
+  }
+  // For plain `auth request` flows there may be no original operation command;
+  // return a concrete fallback command instead of a placeholder token.
+  return `npx auramaxx auth claim ${reqId} --json`;
+}
+
 async function handleApprovalFlow(
   createResult: AuthCreateResponse,
   privateKeyPem: string,
   options: ParsedCommon,
+  requestRetryCommand: string,
 ): Promise<number> {
   const requestId = createResult.requestId!;
   const secret = createResult.secret!;
@@ -362,7 +403,7 @@ async function handleApprovalFlow(
   const flow = buildAuthApprovalFlow({ requestId, secret, approveUrl });
   const pollUrl = flow.pollUrl || buildPollUrl(serverUrl(), requestId, secret);
   const claimAction = buildCliClaimAction(reqId);
-  const retryAction = buildCliRetryAction('<retry_original_command>');
+  const retryAction = buildCliRetryAction(requestRetryCommand);
 
   putApprovalContext({
     reqId,
@@ -370,7 +411,7 @@ async function handleApprovalFlow(
     privateKeyPem,
     approvalScope: 'session_token',
     ttlSeconds: SESSION_TOKEN_DEFAULT_TTL_SECONDS,
-    retryCommandTemplate: '<retry_original_command>',
+    retryCommandTemplate: requestRetryCommand,
   });
 
   if (options.noWait) {
@@ -393,7 +434,7 @@ async function handleApprovalFlow(
         instructions: [
           `1) Ask a human to approve: ${flow.approveUrl}`,
           `2) Claim now: ${claimAction.command}`,
-          '3) Retry original command (session token is activated on claim).',
+          `3) If request is rejected/expired, re-request: ${requestRetryCommand}`,
         ],
         approvalFlow: flow.approvalFlow,
         message: 'Auth request created. Approve and claim token before retrying.',
@@ -409,7 +450,7 @@ async function handleApprovalFlow(
       }
       console.log(`  pollUrl: ${pollUrl}`);
       console.log(`  claim: ${claimAction.command}`);
-      console.log('Retry your original command after claim reports approved.');
+      console.log(`If rejected/expired, re-request with: ${requestRetryCommand}`);
     }
     return 0;
   }
@@ -456,7 +497,7 @@ async function handleApprovalFlow(
         instructions: [
           `1) Ask a human to approve: ${flow.approveUrl}`,
           `2) Claim now: ${claimAction.command}`,
-          '3) Retry original command when approved.',
+          `3) Re-request token: ${requestRetryCommand}`,
         ],
         approvalFlow: flow.approvalFlow,
         note: 'Auth request was rejected. Create a new request and repeat the approval flow.',
@@ -521,9 +562,17 @@ async function handleApprovalFlow(
 async function cmdRequest(args: string[]): Promise<number> {
   const flags = parseRequestFlags(args);
   const keypair = generateEphemeralKeypair();
-  const profileSelection: ProfileIssuanceSelection = {
+  const resolvedDefaults = await resolveAuthFallbackProfileConfig({
     profile: flags.profile,
     profileVersion: flags.profileVersion,
+  });
+  const profileSelection: {
+    profile: string;
+    profileVersion: string;
+    profileOverrides?: JsonObject;
+  } = {
+    profile: resolvedDefaults.profile,
+    profileVersion: resolvedDefaults.profileVersion,
     ...(flags.profileOverrides ? { profileOverrides: flags.profileOverrides } : {}),
   };
 
@@ -536,7 +585,15 @@ async function cmdRequest(args: string[]): Promise<number> {
     pubkey: keypair.publicKeyPem,
   });
 
-  return handleApprovalFlow(createResult, keypair.privateKeyPem, flags);
+  const requestRetryCommand = buildAuthRequestRetryCommand({
+    agentId: flags.agentId,
+    profile: profileSelection.profile,
+    ...(profileSelection.profileVersion ? { profileVersion: profileSelection.profileVersion } : {}),
+    ...(profileSelection.profileOverrides ? { profileOverrides: profileSelection.profileOverrides } : {}),
+    ...(flags.action ? { action: flags.action } : {}),
+  });
+
+  return handleApprovalFlow(createResult, keypair.privateKeyPem, flags, requestRetryCommand);
 }
 
 async function cmdClaim(args: string[]): Promise<number> {
@@ -558,6 +615,11 @@ async function cmdClaim(args: string[]): Promise<number> {
     if (!candidate) return undefined;
     return candidate.replaceAll('<reqId>', reqId);
   };
+  const retryCommandFromClaim = (payload: Record<string, unknown>): string | undefined => {
+    const candidate = typeof payload.retryCommand === 'string' ? payload.retryCommand.trim() : '';
+    if (!candidate) return undefined;
+    return candidate.replaceAll('<reqId>', reqId);
+  };
   if (!ctx) {
     const claimAction = buildCliClaimAction(reqId);
     const payload = {
@@ -575,10 +637,8 @@ async function cmdClaim(args: string[]): Promise<number> {
   }
 
   const pollUrl = buildPollUrl(serverUrl(), reqId, ctx.secret);
-  const retryAction = buildCliRetryAction(
-    ctx.retryCommandTemplate?.replaceAll('<reqId>', reqId) || '<retry_original_command>',
-  );
   const claimAction = buildCliClaimAction(reqId);
+  const retryAction = buildCliRetryAction(resolveRetryCommandTemplate(ctx.retryCommandTemplate, reqId));
   let result = await fetchAuthDecisionOnce(serverUrl(), reqId, ctx.secret);
   let classification = classifyClaimFetchResult(result);
   let mappedStatus = classification.mappedStatus;
@@ -645,18 +705,19 @@ async function cmdClaim(args: string[]): Promise<number> {
         });
       }
       deleteApprovalContext(reqId);
+      const retryNow = retryCommandFromClaim(result.payload)
+        || retryCommand(ctx.retryCommandTemplate)
+        || retryAction.command;
       payload.success = true;
-      payload.retryCommand = retryCommand(ctx.retryCommandTemplate);
+      payload.retryCommand = retryNow;
       payload.instructions = [
         `1) Claim complete for reqId=${reqId}`,
         ctx.approvalScope === 'session_token'
           ? '2) Session token is active for subsequent CLI calls until expiry/revoke.'
           : `2) Retry original command with --reqId ${reqId}`,
-        `3) Retry now: ${payload.retryCommand || retryAction.command}`,
+        `3) Retry now: ${retryNow}`,
       ];
-      payload.note = payload.retryCommand
-        ? `Claimed token stored for reqId=${reqId}. Retry now: ${payload.retryCommand}`
-        : `Claimed token stored for reqId=${reqId}. Retry the original command with --reqId ${reqId}.`;
+      payload.note = `Claimed token stored for reqId=${reqId}. Retry now: ${retryNow}`;
       if (json) {
         if (rawToken) {
           payload.token = token;