opena2a-cli 0.7.2 → 0.8.1

package/dist/commands/identity.js

@@ -37,6 +37,9 @@ exports.identity = identity;
 const path = __importStar(require("path"));
 const fs = __importStar(require("fs"));
 const colors_js_1 = require("../util/colors.js");
+const server_url_js_1 = require("../util/server-url.js");
+const aim_client_js_1 = require("../util/aim-client.js");
+const auth_js_1 = require("../util/auth.js");
 const USAGE = [
     '',
     'Usage: opena2a identity <subcommand>',
@@ -64,8 +67,29 @@ const USAGE = [
     '  detach                   Remove cross-tool wiring',
     '  sync                     Sync events from enabled tools',
     '',
+    'Server Integration',
+    '  connect <url>            Connect local identity to an AIM server',
+    '  disconnect               Remove server association (keep local identity)',
+    '',
+    'Server Flags (for create, list, trust, audit, log):',
+    '  --server <url>           AIM server URL (e.g. localhost:8080, cloud)',
+    '  --api-key <key>          AIM API key for authentication',
+    '',
 ].join('\n');
 async function identity(options) {
+    // Normalize --json flag to format
+    if (options.json) {
+        options.format = 'json';
+    }
+    // Resolve --server URL when provided
+    if (options.server) {
+        options.server = (0, server_url_js_1.resolveServerUrl)(options.server);
+        const serverCommands = ['create', 'list', 'show', 'trust'];
+        if (!serverCommands.includes(options.subcommand)) {
+            process.stderr.write((0, colors_js_1.yellow)(`Warning: --server is not supported for "identity ${options.subcommand}". Operating in local mode.`) + '\n\n');
+            options.server = undefined;
+        }
+    }
     const sub = options.subcommand;
     switch (sub) {
         case 'list':
@@ -93,6 +117,10 @@ async function identity(options) {
             return handleDetach(options);
         case 'sync':
             return handleSync(options);
+        case 'connect':
+            return handleConnect(options);
+        case 'disconnect':
+            return handleDisconnect(options);
         default:
             process.stderr.write(`Unknown identity subcommand: ${sub}\n`);
             process.stderr.write(USAGE + '\n');
@@ -110,6 +138,96 @@ async function loadAimCore() {
     }
 }
 // ---------------------------------------------------------------------------
+// Server helpers
+// ---------------------------------------------------------------------------
+/**
+ * Build an AimClient from options. Returns null if no server is specified
+ * and no stored config exists.
+ */
+function getServerClient(options) {
+    const serverFlag = options.server;
+    const config = (0, aim_client_js_1.loadServerConfig)();
+    const apiKey = options.apiKey ?? config?.apiKey;
+    if (serverFlag) {
+        const url = (0, server_url_js_1.resolveServerUrl)(serverFlag);
+        // If no explicit API key, check global auth for matching server
+        if (!apiKey) {
+            const globalAuth = (0, auth_js_1.loadAuth)();
+            if (globalAuth && (0, auth_js_1.isAuthValid)(globalAuth) && globalAuth.serverUrl === url) {
+                return new aim_client_js_1.AimClient(url, { accessToken: globalAuth.accessToken });
+            }
+        }
+        return new aim_client_js_1.AimClient(url, { apiKey });
+    }
+    if (config?.serverUrl) {
+        return new aim_client_js_1.AimClient(config.serverUrl, { apiKey });
+    }
+    // No server flag and no stored config -- try global auth
+    const globalAuth = (0, auth_js_1.loadAuth)();
+    if (globalAuth && (0, auth_js_1.isAuthValid)(globalAuth)) {
+        return new aim_client_js_1.AimClient(globalAuth.serverUrl, { accessToken: globalAuth.accessToken });
+    }
+    return null;
+}
+/**
+ * Check server health. Returns true if reachable, false otherwise.
+ * On failure, writes a clear error message.
+ */
+async function checkServerHealth(client, serverUrl) {
+    try {
+        await client.health();
+        return true;
+    }
+    catch (err) {
+        if (err instanceof aim_client_js_1.AimServerError && err.serverMessage) {
+            process.stderr.write(`Cannot connect to AIM server at ${serverUrl}. Verify the server is running.\n`);
+            process.stderr.write(`  Detail: ${err.serverMessage}\n`);
+        }
+        else {
+            process.stderr.write(`Cannot connect to AIM server at ${serverUrl}. Verify the server is running.\n`);
+        }
+        return false;
+    }
+}
+/**
+ * Resolve the auth token from stored config.
+ */
+function getStoredAuth() {
+    const config = (0, aim_client_js_1.loadServerConfig)();
+    if (config) {
+        return {
+            token: config.accessToken ?? undefined,
+            apiKey: config.apiKey ?? undefined,
+            agentId: config.agentId,
+            serverUrl: config.serverUrl,
+        };
+    }
+    // Fallback: check global auth credentials from "opena2a login"
+    const globalAuth = (0, auth_js_1.loadAuth)();
+    if (globalAuth && (0, auth_js_1.isAuthValid)(globalAuth)) {
+        return { token: globalAuth.accessToken, serverUrl: globalAuth.serverUrl };
+    }
+    return {};
+}
+/**
+ * Format server error for display.
+ */
+function formatServerError(err) {
+    if (err instanceof aim_client_js_1.AimServerError) {
+        if (err.statusCode === 401) {
+            return 'Authentication failed. Check your --api-key or run: opena2a identity connect <url>';
+        }
+        if (err.statusCode === 403) {
+            return 'Access denied. Your API key may lack required permissions.';
+        }
+        if (err.statusCode === 404) {
+            return 'Agent not found on server. It may have been deleted or never registered.';
+        }
+        return err.message;
+    }
+    return err instanceof Error ? err.message : String(err);
+}
+// ---------------------------------------------------------------------------
 // list / show
 // ---------------------------------------------------------------------------
 async function handleList(options) {
@@ -132,8 +250,84 @@ async function handleList(options) {
             return 0;
         }
         const id = aim.getIdentity();
+        // If server is configured, fetch enriched data
+        const client = getServerClient(options);
+        const serverConfig = (0, aim_client_js_1.loadServerConfig)();
+        const auth = getStoredAuth();
+        let serverAgent = null;
+        let serverAgentList = null;
+        const effectiveServerUrl = serverConfig?.serverUrl ?? auth.serverUrl;
+        // If we have a server client with auth, try to fetch server data
+        if (client && auth.token) {
+            try {
+                if (serverConfig?.agentId) {
+                    // Fetch specific agent if we have a registered agent ID
+                    serverAgent = await client.getAgent(auth.token, serverConfig.agentId);
+                }
+                else {
+                    // No specific agent ID — list all agents from server
+                    serverAgentList = await client.listAgents(auth.token);
+                }
+            }
+            catch (err) {
+                if (!isJson) {
+                    process.stderr.write((0, colors_js_1.yellow)(`Warning: Could not fetch server data: ${formatServerError(err)}`) + '\n');
+                    process.stderr.write((0, colors_js_1.yellow)('Showing local identity only.') + '\n\n');
+                }
+            }
+        }
+        else if (client && serverConfig?.agentId && auth.apiKey) {
+            try {
+                const loginResp = await client.login({ name: id.agentName, apiKey: auth.apiKey });
+                serverAgent = await client.getAgent(loginResp.accessToken, serverConfig.agentId);
+                (0, aim_client_js_1.saveServerConfig)({ ...serverConfig, accessToken: loginResp.accessToken, refreshToken: loginResp.refreshToken });
+            }
+            catch (err) {
+                if (!isJson) {
+                    process.stderr.write((0, colors_js_1.yellow)(`Warning: Could not fetch server data: ${formatServerError(err)}`) + '\n');
+                    process.stderr.write((0, colors_js_1.yellow)('Showing local identity only.') + '\n\n');
+                }
+            }
+        }
+        // If server returned a list of agents (from global auth), show them
+        if (serverAgentList && serverAgentList.agents?.length > 0) {
+            if (isJson) {
+                process.stdout.write(JSON.stringify({
+                    local: { ...id },
+                    server: { url: effectiveServerUrl, agents: serverAgentList.agents, total: serverAgentList.total },
+                }, null, 2) + '\n');
+                return 0;
+            }
+            process.stdout.write((0, colors_js_1.bold)('Local Identity') + '\n');
+            process.stdout.write((0, colors_js_1.gray)('-'.repeat(50)) + '\n');
+            process.stdout.write(`  Agent ID:    ${(0, colors_js_1.cyan)(id.agentId)}\n`);
+            process.stdout.write(`  Name:        ${id.agentName}\n`);
+            process.stdout.write(`  Public Key:  ${(0, colors_js_1.dim)(id.publicKey.slice(0, 32) + '...')}\n`);
+            process.stdout.write(`  Created:     ${id.createdAt}\n`);
+            process.stdout.write((0, colors_js_1.gray)('-'.repeat(50)) + '\n\n');
+            process.stdout.write((0, colors_js_1.bold)(`Server Agents (${effectiveServerUrl})`) + '\n');
+            process.stdout.write((0, colors_js_1.gray)('-'.repeat(50)) + '\n');
+            for (const agent of serverAgentList.agents) {
+                const statusColor = agent.status === 'verified' ? colors_js_1.green : agent.status === 'active' ? colors_js_1.cyan : colors_js_1.yellow;
+                process.stdout.write(`  ${(0, colors_js_1.cyan)(agent.name)} (${(0, colors_js_1.dim)(agent.id)})\n`);
+                process.stdout.write(`    Status: ${statusColor(agent.status)}  Trust: ${agent.trustScore}\n`);
+            }
+            process.stdout.write((0, colors_js_1.gray)('-'.repeat(50)) + '\n');
+            process.stdout.write((0, colors_js_1.dim)(`  ${serverAgentList.total} agent(s) total`) + '\n');
+            return 0;
+        }
         if (isJson) {
-            process.stdout.write(JSON.stringify(id, null, 2) + '\n');
+            const result = { ...id };
+            if (serverAgent) {
+                result.server = {
+                    id: serverAgent.id,
+                    name: serverAgent.name,
+                    trustScore: serverAgent.trustScore,
+                    status: serverAgent.status,
+                    serverUrl: effectiveServerUrl,
+                };
+            }
+            process.stdout.write(JSON.stringify(result, null, 2) + '\n');
             return 0;
         }
         process.stdout.write((0, colors_js_1.bold)('Agent Identity') + '\n');
@@ -143,6 +337,19 @@ async function handleList(options) {
         process.stdout.write(`  Public Key:  ${(0, colors_js_1.dim)(id.publicKey.slice(0, 32) + '...')}\n`);
         process.stdout.write(`  Created:     ${id.createdAt}\n`);
         process.stdout.write(`  Data Dir:    ${(0, colors_js_1.dim)(aim.getDataDir())}\n`);
+        if (serverAgent && serverConfig) {
+            process.stdout.write('\n' + (0, colors_js_1.bold)('  Server') + '\n');
+            process.stdout.write(`  Server URL:  ${(0, colors_js_1.cyan)(serverConfig.serverUrl)}\n`);
+            process.stdout.write(`  Server ID:   ${serverAgent.id}\n`);
+            process.stdout.write(`  Status:      ${serverAgent.status === 'verified' ? (0, colors_js_1.green)(serverAgent.status) : (0, colors_js_1.yellow)(serverAgent.status)}\n`);
+            process.stdout.write(`  Trust Score: ${serverAgent.trustScore}\n`);
+        }
+        else if (serverConfig) {
+            process.stdout.write('\n' + (0, colors_js_1.bold)('  Server') + '\n');
+            process.stdout.write(`  Server URL:  ${(0, colors_js_1.cyan)(serverConfig.serverUrl)}\n`);
+            process.stdout.write(`  Server ID:   ${serverConfig.agentId}\n`);
+            process.stdout.write(`  Status:      ${(0, colors_js_1.dim)('offline or unreachable')}\n`);
+        }
         process.stdout.write((0, colors_js_1.gray)('-'.repeat(50)) + '\n');
         return 0;
     }
@@ -162,13 +369,17 @@ async function handleCreate(options) {
     if (!name) {
         process.stderr.write('Missing required option: --name <name>\n');
         process.stderr.write('Usage: opena2a identity create --name my-agent\n');
+        process.stderr.write('       opena2a identity create --name my-agent --server localhost:8080 --api-key <key>\n');
         return 1;
     }
     const isJson = options.format === 'json';
     try {
+        // If --server is provided, register on the server
+        if (options.server) {
+            return handleServerCreate(options, name, isJson);
+        }
+        // Local-only creation
         const aim = new mod.AIMCore({ agentName: name });
-        // Check if identity file already exists BEFORE calling getIdentity
-        // (getIdentity creates one if missing, so we check the file directly)
         const dataDir = aim.getDataDir();
         const identityPath = await import('node:path').then(p => p.join(dataDir, 'identity.json'));
         const { existsSync } = await import('node:fs');
@@ -197,6 +408,82 @@ async function handleCreate(options) {
         return 1;
     }
 }
+/**
+ * Register agent on the AIM server and store the result locally.
+ */
+async function handleServerCreate(options, name, isJson) {
+    const serverUrl = (0, server_url_js_1.resolveServerUrl)(options.server);
+    const apiKey = options.apiKey;
+    if (!apiKey) {
+        process.stderr.write('Missing required option: --api-key <key>\n');
+        process.stderr.write('The AIM server requires an API key for agent registration.\n');
+        process.stderr.write(`Usage: opena2a identity create --name ${name} --server ${options.server} --api-key <key>\n`);
+        return 1;
+    }
+    const client = new aim_client_js_1.AimClient(serverUrl);
+    // 1. Health check
+    if (!(await checkServerHealth(client, serverUrl))) {
+        return 1;
+    }
+    try {
+        // 2. Register on server
+        const resp = await client.register({ name, displayName: name, description: `Agent ${name} registered via OpenA2A CLI` }, apiKey);
+        // 3. Also create local identity via aim-core
+        const mod = await loadAimCore();
+        let localId = null;
+        if (mod) {
+            const aim = new mod.AIMCore({ agentName: name });
+            localId = aim.getIdentity();
+        }
+        // 4. Store server config locally
+        const config = {
+            serverUrl,
+            agentId: resp.agentId,
+            apiKey,
+            registeredAt: new Date().toISOString(),
+        };
+        (0, aim_client_js_1.saveServerConfig)(config);
+        if (isJson) {
+            process.stdout.write(JSON.stringify({
+                created: true,
+                server: {
+                    id: resp.agentId,
+                    name: resp.name,
+                    displayName: resp.displayName,
+                    publicKey: resp.publicKey,
+                    trustScore: resp.trustScore,
+                    status: resp.status,
+                    serverUrl,
+                },
+                local: localId ? {
+                    agentId: localId.agentId,
+                    agentName: localId.agentName,
+                    publicKey: localId.publicKey,
+                } : null,
+            }, null, 2) + '\n');
+            return 0;
+        }
+        process.stdout.write((0, colors_js_1.green)('Agent registered on AIM server') + '\n');
+        process.stdout.write((0, colors_js_1.gray)('-'.repeat(50)) + '\n');
+        process.stdout.write(`  Server ID:    ${(0, colors_js_1.cyan)(resp.agentId)}\n`);
+        process.stdout.write(`  Name:         ${resp.name}\n`);
+        process.stdout.write(`  Display Name: ${resp.displayName}\n`);
+        process.stdout.write(`  Public Key:   ${(0, colors_js_1.dim)((resp.publicKey ?? '').slice(0, 32) + '...')}\n`);
+        process.stdout.write(`  Trust Score:  ${resp.trustScore}\n`);
+        process.stdout.write(`  Status:       ${resp.status === 'verified' ? (0, colors_js_1.green)(resp.status) : (0, colors_js_1.yellow)(resp.status)}\n`);
+        process.stdout.write(`  Server URL:   ${(0, colors_js_1.dim)(serverUrl)}\n`);
+        if (localId) {
+            process.stdout.write(`\n  Local ID:     ${(0, colors_js_1.dim)(localId.agentId)}\n`);
+        }
+        process.stdout.write((0, colors_js_1.gray)('-'.repeat(50)) + '\n');
+        process.stdout.write((0, colors_js_1.dim)('Server config stored in ~/.opena2a/aim-core/identities/server.json') + '\n');
+        return 0;
+    }
+    catch (err) {
+        process.stderr.write(`Failed to register on server: ${formatServerError(err)}\n`);
+        return 1;
+    }
+}
 // ---------------------------------------------------------------------------
 // trust
 // ---------------------------------------------------------------------------
@@ -208,6 +495,29 @@ async function handleTrust(options) {
     try {
         const aim = new mod.AIMCore({ agentName: 'default' });
         aim.getIdentity(); // ensure identity exists
+        // If server is configured, fetch server-side trust data
+        const client = getServerClient(options);
+        const serverConfig = (0, aim_client_js_1.loadServerConfig)();
+        let serverAgent = null;
+        if (client && serverConfig?.agentId) {
+            try {
+                const auth = getStoredAuth();
+                if (auth.token) {
+                    serverAgent = await client.getAgent(auth.token, serverConfig.agentId);
+                }
+                else if (auth.apiKey) {
+                    const id = aim.getIdentity();
+                    const loginResp = await client.login({ name: id.agentName, apiKey: auth.apiKey });
+                    serverAgent = await client.getAgent(loginResp.accessToken, serverConfig.agentId);
+                    (0, aim_client_js_1.saveServerConfig)({ ...serverConfig, accessToken: loginResp.accessToken, refreshToken: loginResp.refreshToken });
+                }
+            }
+            catch (err) {
+                if (!isJson) {
+                    process.stderr.write((0, colors_js_1.yellow)(`Warning: Could not fetch server trust data: ${formatServerError(err)}`) + '\n\n');
+                }
+            }
+        }
         // Auto-sync trust hints if a manifest exists (tools are attached)
         const targetDir = path.resolve(options.dir ?? process.cwd());
         let hasManifest = false;
@@ -222,11 +532,19 @@ async function handleTrust(options) {
             }
         }
         catch {
-            // Identity module not available or manifest missing — that's fine
+            // Identity module not available or manifest missing
         }
         const trust = aim.calculateTrust();
         if (isJson) {
-            process.stdout.write(JSON.stringify({ ...trust, attached: hasManifest }, null, 2) + '\n');
+            const result = { ...trust, attached: hasManifest };
+            if (serverAgent) {
+                result.server = {
+                    trustScore: serverAgent.trustScore,
+                    status: serverAgent.status,
+                    serverUrl: serverConfig?.serverUrl,
+                };
+            }
+            process.stdout.write(JSON.stringify(result, null, 2) + '\n');
             return 0;
         }
         const displayScore = trust.score ?? Math.round((trust.overall ?? 0) * 100);
@@ -235,6 +553,12 @@ async function handleTrust(options) {
         process.stdout.write((0, colors_js_1.bold)('Trust Score') + '\n');
         process.stdout.write((0, colors_js_1.gray)('-'.repeat(50)) + '\n');
         process.stdout.write(`  Score:  ${gradeColor((0, colors_js_1.bold)(String(displayScore) + '/100'))}  (${gradeColor(displayGrade)})\n`);
+        // Show server trust score if available
+        if (serverAgent) {
+            const serverScore = serverAgent.trustScore;
+            const serverColor = serverScore >= 80 ? colors_js_1.green : serverScore >= 60 ? colors_js_1.yellow : colors_js_1.red;
+            process.stdout.write(`  Server: ${serverColor((0, colors_js_1.bold)(String(serverScore) + '/100'))}  ${(0, colors_js_1.dim)('(from AIM server)')}\n`);
+        }
         process.stdout.write('\n');
         process.stdout.write((0, colors_js_1.bold)('  Factors:') + '\n');
         for (const [factor, value] of Object.entries(trust.factors)) {
@@ -248,7 +572,6 @@ async function handleTrust(options) {
             if (trust.calculatedAt) {
                 process.stdout.write((0, colors_js_1.dim)(`  Calculated: ${trust.calculatedAt}`) + '\n');
             }
-            // Show improvement suggestions for factors at 0%
             const zeroFactors = Object.entries(trust.factors).filter(([, v]) => v === 0);
             if (zeroFactors.length > 0) {
                 process.stdout.write('\n' + (0, colors_js_1.bold)('  How to improve:') + '\n');
@@ -323,6 +646,62 @@ async function handleAudit(options) {
         return 1;
     const isJson = options.format === 'json';
     const limit = options.limit ?? 10;
+    // If server is configured, fetch server-side audit logs
+    const client = getServerClient(options);
+    const serverConfig = (0, aim_client_js_1.loadServerConfig)();
+    if (client && serverConfig?.agentId) {
+        try {
+            const auth = getStoredAuth();
+            let token = auth.token;
+            if (!token && auth.apiKey) {
+                const aim = new mod.AIMCore({ agentName: 'default' });
+                const id = aim.getIdentity();
+                const loginResp = await client.login({ name: id.agentName, apiKey: auth.apiKey });
+                token = loginResp.accessToken;
+                (0, aim_client_js_1.saveServerConfig)({ ...serverConfig, accessToken: loginResp.accessToken, refreshToken: loginResp.refreshToken });
+            }
+            if (token) {
+                const resp = await client.getAuditLogs(token, serverConfig.agentId, { pageSize: limit });
+                if (isJson) {
+                    process.stdout.write(JSON.stringify({
+                        source: 'server',
+                        serverUrl: serverConfig.serverUrl,
+                        total: resp.total,
+                        auditLogs: resp.auditLogs,
+                    }, null, 2) + '\n');
+                    return 0;
+                }
+                process.stdout.write((0, colors_js_1.bold)(`Server Audit Log (${resp.auditLogs.length} of ${resp.total})`) + '\n');
+                process.stdout.write((0, colors_js_1.dim)(`  Server: ${serverConfig.serverUrl}`) + '\n');
+                process.stdout.write((0, colors_js_1.gray)('-'.repeat(70)) + '\n');
+                if (resp.auditLogs.length === 0) {
+                    process.stdout.write((0, colors_js_1.dim)('  No server audit events recorded yet.') + '\n');
+                }
+                else {
+                    for (const e of resp.auditLogs) {
+                        const ts = (e.createdAt ?? '').slice(0, 19).replace('T', ' ');
+                        process.stdout.write(`  ${(0, colors_js_1.dim)(ts)}  ${(e.action ?? '').padEnd(16)} ${(e.resource ?? '').padEnd(16)} ${(0, colors_js_1.dim)(e.details ?? '')}\n`);
+                    }
+                }
+                process.stdout.write((0, colors_js_1.gray)('-'.repeat(70)) + '\n');
+                // Also show local audit events if --verbose
+                if (options.verbose) {
+                    process.stdout.write('\n');
+                    return showLocalAudit(mod, limit, isJson);
+                }
+                return 0;
+            }
+        }
+        catch (err) {
+            if (!isJson) {
+                process.stderr.write((0, colors_js_1.yellow)(`Warning: Could not fetch server audit logs: ${formatServerError(err)}`) + '\n');
+                process.stderr.write((0, colors_js_1.yellow)('Showing local audit log.') + '\n\n');
+            }
+        }
+    }
+    return showLocalAudit(mod, limit, isJson);
+}
+async function showLocalAudit(mod, limit, isJson) {
     try {
         const aim = new mod.AIMCore({ agentName: 'default' });
         const events = aim.readAuditLog({ limit });
@@ -398,6 +777,136 @@ async function handleLog(options) {
     }
 }
 // ---------------------------------------------------------------------------
+// connect -- connect existing local identity to an AIM server
+// ---------------------------------------------------------------------------
+async function handleConnect(options) {
+    const mod = await loadAimCore();
+    if (!mod)
+        return 1;
+    // The URL comes from the positional arg or --server flag
+    const rawUrl = options.args?.[0] ?? options.server;
+    if (!rawUrl) {
+        process.stderr.write('Missing server URL.\n');
+        process.stderr.write('Usage: opena2a identity connect <url> --api-key <key>\n');
+        process.stderr.write('       opena2a identity connect localhost:8080 --api-key <key>\n');
+        return 1;
+    }
+    const apiKey = options.apiKey;
+    if (!apiKey) {
+        process.stderr.write('Missing required option: --api-key <key>\n');
+        process.stderr.write('The AIM server requires an API key for agent registration.\n');
+        return 1;
+    }
+    const serverUrl = (0, server_url_js_1.resolveServerUrl)(rawUrl);
+    const client = new aim_client_js_1.AimClient(serverUrl);
+    const isJson = options.format === 'json';
+    // 1. Health check
+    if (!(await checkServerHealth(client, serverUrl))) {
+        return 1;
+    }
+    try {
+        // 2. Load local identity
+        const aim = new mod.AIMCore({ agentName: 'default' });
+        const identityFile = path.join(aim.getDataDir(), 'identity.json');
+        if (!fs.existsSync(identityFile)) {
+            process.stderr.write('No local identity found. Create one first: opena2a identity create --name my-agent\n');
+            return 1;
+        }
+        const id = aim.getIdentity();
+        // 3. Register on server
+        const resp = await client.register({ name: id.agentName, displayName: id.agentName, description: `Agent ${id.agentName} registered via OpenA2A CLI` }, apiKey);
+        // 4. Store server config
+        const config = {
+            serverUrl,
+            agentId: resp.agentId,
+            apiKey,
+            registeredAt: new Date().toISOString(),
+        };
+        (0, aim_client_js_1.saveServerConfig)(config);
+        // 5. Log the connect event
+        aim.logEvent({
+            action: 'identity.connect',
+            target: serverUrl,
+            result: 'allowed',
+            plugin: 'opena2a-cli',
+        });
+        if (isJson) {
+            process.stdout.write(JSON.stringify({
+                connected: true,
+                localAgentId: id.agentId,
+                serverAgentId: resp.agentId,
+                serverUrl,
+                trustScore: resp.trustScore,
+                status: resp.status,
+            }, null, 2) + '\n');
+            return 0;
+        }
+        process.stdout.write((0, colors_js_1.green)('Connected to AIM server') + '\n');
+        process.stdout.write((0, colors_js_1.gray)('-'.repeat(50)) + '\n');
+        process.stdout.write(`  Local ID:    ${(0, colors_js_1.cyan)(id.agentId)}\n`);
+        process.stdout.write(`  Server ID:   ${(0, colors_js_1.cyan)(resp.agentId)}\n`);
+        process.stdout.write(`  Server URL:  ${(0, colors_js_1.dim)(serverUrl)}\n`);
+        process.stdout.write(`  Trust Score: ${resp.trustScore}\n`);
+        process.stdout.write(`  Status:      ${resp.status === 'verified' ? (0, colors_js_1.green)(resp.status) : (0, colors_js_1.yellow)(resp.status)}\n`);
+        process.stdout.write((0, colors_js_1.gray)('-'.repeat(50)) + '\n');
+        process.stdout.write((0, colors_js_1.dim)('Future commands will automatically use this server.') + '\n');
+        process.stdout.write((0, colors_js_1.dim)('Disconnect with: opena2a identity disconnect') + '\n');
+        return 0;
+    }
+    catch (err) {
+        process.stderr.write(`Failed to connect to server: ${formatServerError(err)}\n`);
+        return 1;
+    }
+}
+// ---------------------------------------------------------------------------
+// disconnect -- remove server association
+// ---------------------------------------------------------------------------
+async function handleDisconnect(options) {
+    const isJson = options.format === 'json';
+    const config = (0, aim_client_js_1.loadServerConfig)();
+    if (!config) {
+        if (isJson) {
+            process.stdout.write(JSON.stringify({ disconnected: false, reason: 'no server configured' }, null, 2) + '\n');
+        }
+        else {
+            process.stdout.write('No server connection configured.\n');
+        }
+        return 0;
+    }
+    const removed = (0, aim_client_js_1.removeServerConfig)();
+    // Log the disconnect event
+    try {
+        const mod = await loadAimCore();
+        if (mod) {
+            const aim = new mod.AIMCore({ agentName: 'default' });
+            aim.logEvent({
+                action: 'identity.disconnect',
+                target: config.serverUrl,
+                result: 'allowed',
+                plugin: 'opena2a-cli',
+            });
+        }
+    }
+    catch {
+        // Non-critical
+    }
+    if (isJson) {
+        process.stdout.write(JSON.stringify({
+            disconnected: removed,
+            serverUrl: config.serverUrl,
+            agentId: config.agentId,
+        }, null, 2) + '\n');
+    }
+    else {
+        process.stdout.write((0, colors_js_1.green)('Disconnected from AIM server') + '\n');
+        process.stdout.write(`  Server URL: ${(0, colors_js_1.dim)(config.serverUrl)}\n`);
+        process.stdout.write(`  Server ID:  ${(0, colors_js_1.dim)(config.agentId)}\n`);
+        process.stdout.write((0, colors_js_1.dim)('\n  Local identity and audit log are preserved.') + '\n');
+        process.stdout.write((0, colors_js_1.dim)('  Only the server association was removed.') + '\n');
+    }
+    return 0;
+}
+// ---------------------------------------------------------------------------
 // policy -- show or load capability policy
 // ---------------------------------------------------------------------------
 async function handlePolicy(options) {
@@ -654,11 +1163,9 @@ async function handleAttach(options) {
             shield: false,
         };
         if (options.all) {
-            // Enable all
             enabledTools = { secretless: true, configguard: true, arp: true, hma: true, shield: true };
         }
         else if (options.tools) {
-            // Enable specific tools, merge with existing
             const requested = options.tools.split(',').map(t => t.trim().toLowerCase());
             const knownTools = ['secretless', 'configguard', 'guard', 'arp', 'hma', 'hackmyagent', 'shield'];
             const unknown = requested.filter(t => !knownTools.includes(t));
@@ -684,11 +1191,9 @@ async function handleAttach(options) {
             }
         }
         else if (existing) {
-            // Re-attach with existing config
             enabledTools = existing.tools;
         }
         else {
-            // First attach with no flags — enable all by default
             enabledTools = { secretless: true, configguard: true, arp: true, hma: true, shield: true };
         }
         // 3. Collect trust hints from enabled tools
@@ -705,7 +1210,6 @@ async function handleAttach(options) {
                 process.stdout.write((0, colors_js_1.bold)('  Requested tools: ') + options.tools + '\n\n');
             }
             process.stdout.write((0, colors_js_1.bold)('  Tool Detection:') + '\n');
-            // Show all tools (not just enabled ones) so user sees the full picture
             const allToolNames = [
                 { key: 'secretless', label: 'Secretless' },
                 { key: 'configguard', label: 'ConfigGuard' },