cleargate 0.11.4 → 0.12.0

package/dist/cli.js

@@ -9,8 +9,9 @@ import {
   AcquireError,
   acquireAccessToken,
   getMembershipState,
-  loadConfig
-} from "./chunk-Q3BTSXCK.js";
+  loadConfig,
+  saveConfig
+} from "./chunk-WFNLCTY5.js";
 import {
   createTokenStore
 } from "./chunk-4V4QABOJ.js";
@@ -21,7 +22,7 @@ import { Command } from "commander";
 // package.json
 var package_default = {
   name: "cleargate",
-  version: "0.11.4",
+  version: "0.12.0",
   private: false,
   type: "module",
   description: "Planning framework for Claude Code agents \u2014 sprint/epic/story protocol, five-role agent team (architect/developer/qa/devops/reporter), Karpathy-style awareness wiki.",
@@ -633,7 +634,8 @@ async function joinHandler(opts) {
     if (UUID_V4_RE.test(opts.inviteUrl)) {
       token = opts.inviteUrl;
       const cfg = loadConfig({
-        flags: { profile: opts.profile, mcpUrl: opts.mcpUrlFlag }
+        flags: { profile: opts.profile, mcpUrl: opts.mcpUrlFlag },
+        ...opts.configPath !== void 0 ? { configPath: opts.configPath } : {}
       });
       if (!cfg.mcpUrl) {
         stderr(
@@ -970,9 +972,15 @@ async function joinHandler(opts) {
   try {
     const store = await (opts.createStore ?? createTokenStore)();
     await store.save(opts.profile, refreshToken);
+    saveConfig(
+      { mcpUrl: baseUrl },
+      opts.configPath !== void 0 ? { configPath: opts.configPath } : {}
+    );
     stdout(`joined project '${projectName}' as '${hostname3()}'
 `);
     stdout(`refresh token saved to ${store.backend}.
+`);
+    stdout(`mcp_url ${baseUrl} saved to ~/.cleargate/config.json.
 `);
   } catch (err) {
     stderr(
@@ -1477,6 +1485,24 @@ var PREFIX_MAP = [
   { prefix: "BUG-", type: "bug", bucket: "bugs" },
   { prefix: "INITIATIVE-", type: "initiative", bucket: "initiatives" }
 ];
+var SPRINT_REPORT_FILENAMES = ["REPORT.md"];
+var SPRINT_REPORT_CANONICAL_RE = /^SPRINT-\d{2,}_REPORT\.md$/;
+function isSprintReportPath(relPath) {
+  const normalised = relPath.replace(/\\/g, "/");
+  const match = /\.cleargate\/sprint-runs\/(SPRINT-\d{2,})\/([^/]+)$/.exec(normalised);
+  if (!match) return false;
+  const filename = match[2];
+  return SPRINT_REPORT_FILENAMES.includes(filename) || SPRINT_REPORT_CANONICAL_RE.test(filename);
+}
+function deriveBucketFromReportPath(relPath) {
+  const normalised = relPath.replace(/\\/g, "/");
+  const match = /\.cleargate\/sprint-runs\/(SPRINT-\d{2,})\//.exec(normalised);
+  if (!match) {
+    throw new Error(`deriveBucketFromReportPath: cannot extract SPRINT-NN from: ${relPath}`);
+  }
+  const id = match[1];
+  return { type: "sprint", id, bucket: "sprints" };
+}
 function deriveBucket(filename) {
   const base = filename.includes("/") ? filename.split("/").pop() : filename;
   const stem = base.endsWith(".md") ? base.slice(0, -3) : base;
@@ -1597,6 +1623,12 @@ function serializePage(page, body) {
   if (page.sprint_cleargate_id !== void 0) {
     lines.push(`sprint_cleargate_id: "${page.sprint_cleargate_id}"`);
   }
+  if (page.report_raw_path !== void 0) {
+    lines.push(`report_raw_path: "${page.report_raw_path}"`);
+  }
+  if (page.last_report_ingest_commit !== void 0) {
+    lines.push(`last_report_ingest_commit: "${page.last_report_ingest_commit}"`);
+  }
   lines.push("---");
   const fm = lines.join("\n");
   return `${fm}
@@ -1619,7 +1651,9 @@ function parsePage(raw) {
   const last_contradict_sha = fm["last_contradict_sha"] !== void 0 ? String(fm["last_contradict_sha"]) : void 0;
   const parent_cleargate_id = fm["parent_cleargate_id"] !== void 0 ? String(fm["parent_cleargate_id"]) : void 0;
   const sprint_cleargate_id = fm["sprint_cleargate_id"] !== void 0 ? String(fm["sprint_cleargate_id"]) : void 0;
-  return { type, id, parent, children, status, remote_id, raw_path, last_ingest, last_ingest_commit, repo, last_contradict_sha, parent_cleargate_id, sprint_cleargate_id };
+  const report_raw_path = fm["report_raw_path"] !== void 0 ? String(fm["report_raw_path"]) : void 0;
+  const last_report_ingest_commit = fm["last_report_ingest_commit"] !== void 0 ? String(fm["last_report_ingest_commit"]) : void 0;
+  return { type, id, parent, children, status, remote_id, raw_path, last_ingest, last_ingest_commit, repo, last_contradict_sha, parent_cleargate_id, sprint_cleargate_id, report_raw_path, last_report_ingest_commit };
 }
 function parseFmRaw(raw) {
   const lines = raw.split("\n");
@@ -3138,28 +3172,33 @@ async function wikiIngestHandler(opts) {
   const rawPath = opts.rawPath;
   const absRawPath = path17.isAbsolute(rawPath) ? rawPath : path17.resolve(cwd, rawPath);
   const relRawPath = path17.relative(cwd, absRawPath).replace(/\\/g, "/");
-  const deliveryRoot = path17.join(cwd, ".cleargate", "delivery");
-  const deliveryRootNorm = deliveryRoot.replace(/\\/g, "/");
-  const absDeliveryRoot = deliveryRoot;
-  const relToDelivery = path17.relative(absDeliveryRoot, absRawPath);
-  if (relToDelivery.startsWith("..") || path17.isAbsolute(relToDelivery)) {
-    stderr(`wiki ingest: ${rawPath} not under .cleargate/delivery/
+  const isSprintReport = isSprintReportPath(relRawPath);
+  if (!isSprintReport) {
+    const deliveryRoot = path17.join(cwd, ".cleargate", "delivery");
+    const absDeliveryRoot = deliveryRoot;
+    const relToDelivery = path17.relative(absDeliveryRoot, absRawPath);
+    if (relToDelivery.startsWith("..") || path17.isAbsolute(relToDelivery)) {
+      stderr(`wiki ingest: ${rawPath} not under .cleargate/delivery/
 `);
-    exit(2);
-    return;
-  }
-  void deliveryRootNorm;
-  const isExcluded = EXCLUDED_SUFFIXES2.some((excl) => relRawPath.startsWith(excl));
-  if (isExcluded) {
-    stdout(`wiki ingest: ${rawPath} excluded (skip)
+      exit(2);
+      return;
+    }
+    const isExcluded = EXCLUDED_SUFFIXES2.some((excl) => relRawPath.startsWith(excl));
+    if (isExcluded) {
+      stdout(`wiki ingest: ${rawPath} excluded (skip)
 `);
-    exit(0);
-    return;
+      exit(0);
+      return;
+    }
   }
   const filename = path17.basename(absRawPath);
   let bucketInfo;
   try {
-    bucketInfo = deriveBucket(filename);
+    if (isSprintReport) {
+      bucketInfo = deriveBucketFromReportPath(relRawPath);
+    } else {
+      bucketInfo = deriveBucket(filename);
+    }
   } catch (e) {
     stderr(`wiki ingest: cannot determine bucket for ${rawPath}: ${e.message}
 `);
@@ -3202,16 +3241,26 @@ async function wikiIngestHandler(opts) {
   }
   const currentSha = getGitSha(absRawPath, gitRunner) ?? "";
   const pageExists = fs17.existsSync(pagePath);
-  if (pageExists && currentSha !== "") {
-    let isNoOp = false;
+  let existingPage;
+  if (pageExists) {
     try {
       const existingPageContent = fs17.readFileSync(pagePath, "utf8");
-      const existingPage = parsePage(existingPageContent);
-      if (existingPage.last_ingest_commit === currentSha) {
-        const contentUnchanged = checkContentUnchanged(absRawPath, currentSha, relRawPath, gitRunner);
-        if (contentUnchanged) {
+      existingPage = parsePage(existingPageContent);
+    } catch {
+    }
+  }
+  if (existingPage !== void 0 && currentSha !== "") {
+    let isNoOp = false;
+    try {
+      if (isSprintReport) {
+        if (existingPage.last_report_ingest_commit === currentSha) {
           isNoOp = true;
         }
+      } else {
+        if (existingPage.last_ingest_commit === currentSha) {
+          const contentUnchanged = checkContentUnchanged(absRawPath, currentSha, relRawPath, gitRunner);
+          if (contentUnchanged) isNoOp = true;
+        }
       }
     } catch {
     }
@@ -3223,36 +3272,53 @@ async function wikiIngestHandler(opts) {
     }
   }
   const action = pageExists ? "update" : "create";
-  let existingLastContradictSha;
-  if (pageExists) {
-    try {
-      const existingPageContent = fs17.readFileSync(pagePath, "utf8");
-      const existingPage = parsePage(existingPageContent);
-      existingLastContradictSha = existingPage.last_contradict_sha;
-    } catch {
-    }
-  }
+  const timestamp = now();
+  const existingLastContradictSha = existingPage?.last_contradict_sha;
+  const existingReportRawPath = existingPage?.report_raw_path;
+  const existingLastReportIngestCommit = existingPage?.last_report_ingest_commit;
   const parent = buildParentRef2(fm);
   const children = buildChildrenRefs2(fm);
-  const timestamp = now();
   const wikiPage = {
     type,
     id,
-    parent,
-    children,
-    status: String(fm["status"] ?? ""),
-    remote_id: String(fm["remote_id"] ?? ""),
-    raw_path: relRawPath,
+    parent: isSprintReport ? existingPage?.parent ?? "" : parent,
+    children: isSprintReport ? existingPage?.children ?? [] : children,
+    status: isSprintReport ? existingPage?.status ?? String(fm["status"] ?? "") : String(fm["status"] ?? ""),
+    remote_id: isSprintReport ? existingPage?.remote_id ?? String(fm["remote_id"] ?? "") : String(fm["remote_id"] ?? ""),
+    // raw_path tracks the plan file path; for report-only ingest preserve existing or use relRawPath as fallback
+    raw_path: isSprintReport ? existingPage?.raw_path ?? relRawPath : relRawPath,
     last_ingest: timestamp,
-    last_ingest_commit: currentSha,
+    // last_ingest_commit tracks the plan source; preserve when re-ingesting report
+    last_ingest_commit: isSprintReport ? existingPage?.last_ingest_commit ?? "" : currentSha,
     repo,
     // Carry forward last_contradict_sha so Phase 4 idempotency survives re-ingest
     ...existingLastContradictSha !== void 0 ? { last_contradict_sha: existingLastContradictSha } : {},
-    // Hierarchy keys (§11.7): read from raw fm — stamped at raw-side, not wiki-side
-    ...typeof fm["parent_cleargate_id"] === "string" ? { parent_cleargate_id: fm["parent_cleargate_id"] } : {},
-    ...typeof fm["sprint_cleargate_id"] === "string" ? { sprint_cleargate_id: fm["sprint_cleargate_id"] } : {}
+    // Hierarchy keys (§11.7): read from raw fm for plan ingest; preserve for report ingest
+    ...isSprintReport ? existingPage?.parent_cleargate_id !== void 0 ? { parent_cleargate_id: existingPage.parent_cleargate_id } : {} : typeof fm["parent_cleargate_id"] === "string" ? { parent_cleargate_id: fm["parent_cleargate_id"] } : {},
+    ...isSprintReport ? existingPage?.sprint_cleargate_id !== void 0 ? { sprint_cleargate_id: existingPage.sprint_cleargate_id } : {} : typeof fm["sprint_cleargate_id"] === "string" ? { sprint_cleargate_id: fm["sprint_cleargate_id"] } : {},
+    // CR-063 sprint-report fields
+    report_raw_path: isSprintReport ? relRawPath : existingReportRawPath ?? void 0,
+    last_report_ingest_commit: isSprintReport ? currentSha : existingLastReportIngestCommit ?? void 0
   };
-  const pageBody = buildPageBody2({ id, fm, body });
+  let existingPageBody = "";
+  if (existingPage !== void 0 && pageExists) {
+    try {
+      const existingPageContent = fs17.readFileSync(pagePath, "utf8");
+      const lines = existingPageContent.split("\n");
+      let closingDash = -1;
+      for (let i = 1; i < lines.length; i++) {
+        if (lines[i] === "---") {
+          closingDash = i;
+          break;
+        }
+      }
+      if (closingDash !== -1) {
+        existingPageBody = lines.slice(closingDash + 1).join("\n").replace(/^\n/, "");
+      }
+    } catch {
+    }
+  }
+  const pageBody = buildPageBody2({ id, fm, body, isSprintReport, existingPageBody });
   const pageContent = serializePage(wikiPage, pageBody);
   fs17.mkdirSync(pageDir, { recursive: true });
   fs17.writeFileSync(pagePath, pageContent, "utf8");
@@ -3330,7 +3396,37 @@ function buildChildrenRefs2(fm) {
     return `[[${s}]]`;
   });
 }
+function extractReportBlock(pageBody) {
+  const beginMarker = "<!-- BEGIN sprint-report -->";
+  const endMarker = "<!-- END sprint-report -->";
+  const beginIdx = pageBody.indexOf(beginMarker);
+  const endIdx = pageBody.indexOf(endMarker);
+  if (beginIdx === -1 || endIdx === -1 || endIdx <= beginIdx) return void 0;
+  return pageBody.slice(beginIdx, endIdx + endMarker.length);
+}
+function extractPlanStub(pageBody) {
+  const beginMarker = "<!-- BEGIN sprint-report -->";
+  const beginIdx = pageBody.indexOf(beginMarker);
+  if (beginIdx === -1) return pageBody;
+  return pageBody.slice(0, beginIdx);
+}
 function buildPageBody2(item) {
+  const { isSprintReport, existingPageBody } = item;
+  if (isSprintReport) {
+    const planStub = existingPageBody ? extractPlanStub(existingPageBody) : buildPlanStub(item);
+    const reportBlock = buildReportBlock(item.body);
+    return planStub + reportBlock;
+  } else {
+    const planStub = buildPlanStub(item);
+    const existingReportBlock = existingPageBody ? extractReportBlock(existingPageBody) : void 0;
+    if (existingReportBlock !== void 0) {
+      const stub = planStub.trimEnd() + "\n\n";
+      return stub + existingReportBlock + "\n";
+    }
+    return planStub;
+  }
+}
+function buildPlanStub(item) {
   const title = String(item.fm["title"] ?? item.id);
   const summary = String(
     item.fm["description"] ?? item.body.split("\n")[0] ?? "No summary available."
@@ -3354,6 +3450,16 @@ function buildPageBody2(item) {
     ""
   ].join("\n");
 }
+function buildReportBlock(reportBody) {
+  return [
+    "<!-- BEGIN sprint-report -->",
+    "## Sprint Report",
+    "",
+    reportBody.trim(),
+    "<!-- END sprint-report -->",
+    ""
+  ].join("\n");
+}
 function appendLogEntry(wikiRoot, entry) {
   const logPath = path17.join(wikiRoot, "log.md");
   const logEntry = [
@@ -5815,7 +5921,7 @@ async function writeCachedGate(absPath, result, opts) {
     throw new Error(`writeCachedGate: failed to parse frontmatter in ${absPath}`);
   }
   const existing = coerceCachedGate(fm["cached_gate_result"]);
-  if (existing && JSON.stringify(existing) === JSON.stringify(newResult)) {
+  if (existing && existing.pass === newResult.pass && JSON.stringify(existing.failing_criteria) === JSON.stringify(newResult.failing_criteria)) {
     return;
   }
   const newFm = {};
@@ -7029,6 +7135,10 @@ function refreshScopedGateCaches(sprintId, cwd, execFn) {
     if (!absPath) {
       continue;
     }
+    if (absPath.includes(`${path31.sep}archive${path31.sep}`)) {
+      result.skipped.push(id);
+      continue;
+    }
     let status = "";
     try {
       const raw = fs30.readFileSync(absPath, "utf8");
@@ -10312,6 +10422,19 @@ async function pushHandler(fileOrId, opts = {}) {
 async function handlePush(filePath, ctx) {
   const { projectRoot, identity, sprintRoot, nowFn, resolveMcp, stdout, stderr, exit } = ctx;
   const resolvedPath = path49.isAbsolute(filePath) ? filePath : path49.resolve(projectRoot, filePath);
+  if (SPRINT_RUNS_PATH_REGEX.test(resolvedPath)) {
+    if (!SPRINT_REPORT_PATH_REGEX.test(resolvedPath)) {
+      stderr(
+        `Error: path not in allowlist. Only sprint report files are accepted from sprint-runs/.
+  Allowed: .cleargate/sprint-runs/SPRINT-NN/REPORT.md
+           .cleargate/sprint-runs/SPRINT-NN/SPRINT-NN_REPORT.md
+  Got:     "${resolvedPath}"
+`
+      );
+      exit(2);
+      return;
+    }
+  }
   let rawContent;
   try {
     rawContent = await fsPromises11.readFile(resolvedPath, "utf8");
@@ -10341,7 +10464,7 @@ async function handlePush(filePath, ctx) {
     return;
   }
   const itemId = getItemId4(fm);
-  const type = getItemType2(fm);
+  const type = getItemTypeWithPathOverride(resolvedPath, fm);
   if (!type) {
     stderr(`Error: cannot determine item type from frontmatter in "${resolvedPath}".
 `);
@@ -10354,6 +10477,9 @@ async function handlePush(filePath, ctx) {
     if (h1) payloadForPush["title"] = h1;
   }
   payloadForPush["body"] = body;
+  if (payloadForPush["origin"] === void 0) {
+    payloadForPush["origin"] = "cleargate-cli";
+  }
   const mcp2 = await resolveMcp();
   let result;
   try {
@@ -10473,17 +10599,20 @@ async function writeAtomic8(filePath, content) {
   await fsPromises11.rename(tmpPath, filePath);
 }
 function getItemId4(fm) {
-  for (const key of ["story_id", "epic_id", "proposal_id", "cr_id", "bug_id"]) {
+  for (const key of ["story_id", "epic_id", "proposal_id", "sprint_id", "cr_id", "bug_id"]) {
     const val = fm[key];
     if (typeof val === "string" && val) return val;
   }
   return "unknown";
 }
+var SPRINT_RUNS_PATH_REGEX = /\.cleargate[\\/]sprint-runs[\\/]/;
+var SPRINT_REPORT_PATH_REGEX = /\.cleargate[\\/]sprint-runs[\\/]SPRINT-\d{2,}[\\/](REPORT|SPRINT-\d{2,}_REPORT)\.md$/;
 function getItemType2(fm) {
   const typeMap = {
     story_id: "story",
     epic_id: "epic",
     proposal_id: "proposal",
+    sprint_id: "sprint",
     cr_id: "cr",
     bug_id: "bug"
   };
@@ -10492,6 +10621,10 @@ function getItemType2(fm) {
   }
   return null;
 }
+function getItemTypeWithPathOverride(localPath, fm) {
+  if (SPRINT_REPORT_PATH_REGEX.test(localPath)) return "sprint_report";
+  return getItemType2(fm);
+}
 
 // src/commands/conflicts.ts
 import * as fsPromises12 from "fs/promises";
@@ -10918,8 +11051,25 @@ var AuthFetcher = class {
   }
 };
 
+// src/auth/service-token-fetcher.ts
+var ServiceTokenFetcher = class {
+  constructor(token) {
+    this.token = token;
+  }
+  token;
+  async getAccessToken() {
+    return this.token;
+  }
+};
+
 // src/commands/mcp-serve.ts
 var DEFAULT_BASE_URL = "https://cleargate-mcp.soula.ge";
+var ServiceToken401Error = class extends Error {
+  constructor() {
+    super("service-token-401");
+    this.name = "ServiceToken401Error";
+  }
+};
 async function mcpServeHandler(opts) {
   const fetchFn = opts.fetch ?? globalThis.fetch;
   const stdout = opts.stdout ?? ((s) => process.stdout.write(s));
@@ -10929,32 +11079,44 @@ async function mcpServeHandler(opts) {
     flags: { profile: opts.profile, mcpUrl: opts.mcpUrlFlag }
   });
   const baseUrl = cfg.mcpUrl ?? DEFAULT_BASE_URL;
-  const store = await (opts.createStore ?? createTokenStore)({
-    ...opts.keychainService !== void 0 ? { keychainService: opts.keychainService } : {},
-    ...opts.forceBackend !== void 0 ? { forceBackend: opts.forceBackend } : {}
-  });
-  const fetcher = new AuthFetcher({
-    baseUrl,
-    loadRefresh: () => store.load(opts.profile),
-    saveRefresh: (t) => store.save(opts.profile, t),
-    ...opts.fetch !== void 0 ? { fetch: opts.fetch } : {},
-    ...opts.now !== void 0 ? { now: opts.now } : {}
-  });
-  try {
-    await fetcher.getAccessToken();
-  } catch (err) {
-    if (err instanceof RefreshError) {
-      stderr(
-        `cleargate mcp serve: refresh failed (${err.status} ${err.code}). Run \`cleargate join <invite-url>\` to re-authenticate.
+  const serviceToken = process.env["CLEARGATE_SERVICE_TOKEN"] ?? "";
+  let fetcher;
+  let isServiceTokenMode;
+  if (serviceToken.length > 0) {
+    isServiceTokenMode = true;
+    fetcher = new ServiceTokenFetcher(serviceToken);
+    stderr("cleargate mcp serve: auth mode = service-token\n");
+  } else {
+    isServiceTokenMode = false;
+    const store = await (opts.createStore ?? createTokenStore)({
+      ...opts.keychainService !== void 0 ? { keychainService: opts.keychainService } : {},
+      ...opts.forceBackend !== void 0 ? { forceBackend: opts.forceBackend } : {}
+    });
+    const authFetcher = new AuthFetcher({
+      baseUrl,
+      loadRefresh: () => store.load(opts.profile),
+      saveRefresh: (t) => store.save(opts.profile, t),
+      ...opts.fetch !== void 0 ? { fetch: opts.fetch } : {},
+      ...opts.now !== void 0 ? { now: opts.now } : {}
+    });
+    fetcher = authFetcher;
+    stderr("cleargate mcp serve: auth mode = keychain-refresh\n");
+    try {
+      await authFetcher.getAccessToken();
+    } catch (err) {
+      if (err instanceof RefreshError) {
+        stderr(
+          `cleargate mcp serve: refresh failed (${err.status} ${err.code}). Run \`cleargate join <invite-url>\` to re-authenticate.
 `
-      );
-    } else {
-      stderr(
-        `cleargate mcp serve: ${err instanceof Error ? err.message : String(err)}
+        );
+      } else {
+        stderr(
+          `cleargate mcp serve: ${err instanceof Error ? err.message : String(err)}
 `
-      );
+        );
+      }
+      return exit(1);
     }
-    return exit(1);
   }
   const inputStream = opts.stdin ?? process.stdin;
   const rl = readline5.createInterface({
@@ -10965,8 +11127,23 @@ async function mcpServeHandler(opts) {
   for await (const line of rl) {
     if (!line.trim()) continue;
     try {
-      await proxyOne(line, baseUrl, fetcher, fetchFn, stdout, stderr);
+      await proxyOne(
+        line,
+        baseUrl,
+        fetcher,
+        isServiceTokenMode,
+        fetchFn,
+        stdout,
+        stderr
+      );
     } catch (err) {
+      if (err instanceof ServiceToken401Error) {
+        stderr(
+          `cleargate mcp serve: CLEARGATE_SERVICE_TOKEN rejected by /mcp (401). Issue a new token in the admin console: Tokens \u2192 Issue \u2192 copy snippet.
+`
+        );
+        return exit(1);
+      }
       const errMsg = err instanceof Error ? err.message : String(err);
       stderr(`cleargate mcp serve: proxy error: ${errMsg}
 `);
@@ -10983,7 +11160,7 @@ async function mcpServeHandler(opts) {
     }
   }
 }
-async function proxyOne(line, baseUrl, fetcher, fetchFn, stdout, stderr) {
+async function proxyOne(line, baseUrl, fetcher, isServiceTokenMode, fetchFn, stdout, stderr) {
   let parsed;
   try {
     parsed = JSON.parse(line);
@@ -10996,6 +11173,9 @@ async function proxyOne(line, baseUrl, fetcher, fetchFn, stdout, stderr) {
   let access = await fetcher.getAccessToken();
   let res = await postFrame(baseUrl, line, access, fetchFn);
   if (res.status === 401) {
+    if (isServiceTokenMode) {
+      throw new ServiceToken401Error();
+    }
     fetcher.invalidate();
     access = await fetcher.getAccessToken();
     res = await postFrame(baseUrl, line, access, fetchFn);
@@ -11119,7 +11299,7 @@ program.command("init").description("initialise a repo with ClearGate scaffold (
   await initHandler({ force: opts.force ?? false, yes: opts.yes ?? false, pin: opts.pin, fromSource: opts.fromSource });
 });
 program.command("whoami").description("print the currently authenticated agent identity").option("--json", "CR-011: emit membership state as JSON (no network call)").action(async (opts) => {
-  const { whoamiHandler } = await import("./whoami-W4U6DPVG.js");
+  const { whoamiHandler } = await import("./whoami-GQTFZHFQ.js");
   const parentOpts = program.opts();
   await whoamiHandler({
     profile: parentOpts.profile,