orizu 0.0.5 → 0.0.6

package/dist/credentials.js

@@ -2,27 +2,124 @@ import { mkdirSync, readFileSync, rmSync, writeFileSync, chmodSync, existsSync }
 import { join } from 'path';
 import { homedir } from 'os';
 function getConfigDir() {
+    if (process.env.ORIZU_CONFIG_DIR) {
+        return process.env.ORIZU_CONFIG_DIR;
+    }
     return join(homedir(), '.config', 'orizu');
 }
 function getCredentialsPath() {
     return join(getConfigDir(), 'credentials.json');
 }
-export function saveCredentials(credentials) {
+function isStoredCredentialsV2(value) {
+    if (!value || typeof value !== 'object') {
+        return false;
+    }
+    const typed = value;
+    return typed.version === 2 && !!typed.servers && typeof typed.servers === 'object';
+}
+function isStoredCredentialsV1(value) {
+    if (!value || typeof value !== 'object') {
+        return false;
+    }
+    const typed = value;
+    return (typeof typed.baseUrl === 'string' &&
+        typeof typed.accessToken === 'string' &&
+        typeof typed.refreshToken === 'string' &&
+        typeof typed.expiresAt === 'number');
+}
+function migrateToV2(stored) {
+    return {
+        version: 2,
+        activeBaseUrl: stored.baseUrl,
+        servers: {
+            [stored.baseUrl]: {
+                accessToken: stored.accessToken,
+                refreshToken: stored.refreshToken,
+                expiresAt: stored.expiresAt,
+            },
+        },
+    };
+}
+function writeCredentials(config) {
     const dir = getConfigDir();
     mkdirSync(dir, { recursive: true });
     const path = getCredentialsPath();
-    writeFileSync(path, JSON.stringify(credentials, null, 2), 'utf-8');
+    writeFileSync(path, JSON.stringify(config, null, 2), 'utf-8');
     chmodSync(path, 0o600);
 }
-export function loadCredentials() {
+function createEmptyCredentialsConfig() {
+    return {
+        version: 2,
+        activeBaseUrl: null,
+        servers: {},
+    };
+}
+function loadCredentialsConfigForWrite() {
+    try {
+        return loadCredentialsConfig() || createEmptyCredentialsConfig();
+    }
+    catch {
+        return createEmptyCredentialsConfig();
+    }
+}
+export function loadCredentialsConfig() {
     const path = getCredentialsPath();
     if (!existsSync(path)) {
         return null;
     }
     const raw = readFileSync(path, 'utf-8');
-    return JSON.parse(raw);
+    const parsed = JSON.parse(raw);
+    if (isStoredCredentialsV2(parsed)) {
+        return parsed;
+    }
+    if (isStoredCredentialsV1(parsed)) {
+        return migrateToV2(parsed);
+    }
+    throw new Error('Invalid credentials file format.');
+}
+export function getServerCredentials(baseUrl) {
+    const config = loadCredentialsConfig();
+    if (!config) {
+        return null;
+    }
+    if (!Object.hasOwn(config.servers, baseUrl)) {
+        return null;
+    }
+    return config.servers[baseUrl] || null;
+}
+export function saveServerCredentials(baseUrl, credentials) {
+    const config = loadCredentialsConfigForWrite();
+    config.servers[baseUrl] = credentials;
+    config.activeBaseUrl = baseUrl;
+    writeCredentials(config);
+}
+export function updateServerCredentials(baseUrl, credentials) {
+    const config = loadCredentialsConfigForWrite();
+    config.servers[baseUrl] = credentials;
+    writeCredentials(config);
+}
+export function getActiveBaseUrl() {
+    const config = loadCredentialsConfig();
+    return config?.activeBaseUrl || null;
+}
+export function setActiveBaseUrl(baseUrl) {
+    const config = loadCredentialsConfigForWrite();
+    config.activeBaseUrl = baseUrl;
+    writeCredentials(config);
+}
+export function clearServerCredentials(baseUrl) {
+    const config = loadCredentialsConfig();
+    if (!config || !Object.hasOwn(config.servers, baseUrl)) {
+        return false;
+    }
+    delete config.servers[baseUrl];
+    if (config.activeBaseUrl === baseUrl) {
+        config.activeBaseUrl = null;
+    }
+    writeCredentials(config);
+    return true;
 }
-export function clearCredentials() {
+export function clearCredentialsFile() {
     const path = getCredentialsPath();
     if (existsSync(path)) {
         rmSync(path);

package/dist/dataset-download.js

@@ -0,0 +1,24 @@
+const DATASET_URL_PATH = /^\/d\/([^/]+)\/([^/]+)\/datasets\/([^/?#]+)\/?$/;
+export function parseDatasetReference(input) {
+    const value = input.trim();
+    if (!value) {
+        throw new Error('Dataset value cannot be empty');
+    }
+    try {
+        const url = new URL(value);
+        const match = DATASET_URL_PATH.exec(url.pathname);
+        if (match) {
+            return {
+                project: `${match[1]}/${match[2]}`,
+                datasetId: decodeURIComponent(match[3]),
+            };
+        }
+        throw new Error('Dataset URL must be in format https://<host>/d/<teamSlug>/<projectSlug>/datasets/<datasetId>');
+    }
+    catch {
+        if (value.startsWith('http://') || value.startsWith('https://')) {
+            throw new Error('Dataset URL must be in format https://<host>/d/<teamSlug>/<projectSlug>/datasets/<datasetId>');
+        }
+    }
+    return { datasetId: value };
+}

package/dist/global-flags.js

@@ -0,0 +1,57 @@
+const LOCALHOST_BASE_URL = 'http://localhost:3000';
+export function normalizeBaseUrl(url) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        throw new Error(`Invalid server URL: '${url}'`);
+    }
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+        throw new Error('Server URL must use http or https.');
+    }
+    if (parsed.username || parsed.password) {
+        throw new Error('Server URL must not contain credentials.');
+    }
+    if (parsed.pathname !== '/' || parsed.search || parsed.hash) {
+        throw new Error('Server URL must be an origin only (no path, query, or hash).');
+    }
+    return parsed.origin;
+}
+export function parseGlobalFlags(argv) {
+    const args = [];
+    const flags = {
+        local: false,
+        server: null,
+    };
+    for (let index = 0; index < argv.length; index += 1) {
+        const value = argv[index];
+        if (value === '--local') {
+            flags.local = true;
+            continue;
+        }
+        if (value === '--server') {
+            const next = argv[index + 1];
+            if (!next || next.startsWith('--')) {
+                throw new Error('Usage: --server <url>');
+            }
+            flags.server = normalizeBaseUrl(next);
+            index += 1;
+            continue;
+        }
+        args.push(value);
+    }
+    if (flags.local && flags.server) {
+        throw new Error('Use either --local or --server <url>, not both.');
+    }
+    return { flags, args };
+}
+export function getFlagBaseUrl(flags) {
+    if (flags.local) {
+        return LOCALHOST_BASE_URL;
+    }
+    if (flags.server) {
+        return flags.server;
+    }
+    return null;
+}

package/dist/http.js

@@ -1,13 +1,33 @@
-import { loadCredentials, saveCredentials } from './credentials.js';
+import { getActiveBaseUrl, getServerCredentials, updateServerCredentials } from './credentials.js';
+import { getFlagBaseUrl, normalizeBaseUrl } from './global-flags.js';
+let runtimeFlags = { local: false, server: null };
+export function setGlobalFlags(flags) {
+    runtimeFlags = flags;
+}
+export function resolveBaseUrl(flags = runtimeFlags) {
+    const fromFlags = getFlagBaseUrl(flags);
+    if (fromFlags) {
+        return fromFlags;
+    }
+    const fromEnv = process.env.ORIZU_BASE_URL;
+    if (fromEnv) {
+        return normalizeBaseUrl(fromEnv);
+    }
+    const fromStored = getActiveBaseUrl();
+    if (fromStored) {
+        return fromStored;
+    }
+    return 'https://orizu.ai';
+}
 export function getBaseUrl() {
-    return process.env.ORIZU_BASE_URL || 'https://orizu.ai';
+    return resolveBaseUrl();
 }
 function isExpired(expiresAt) {
     const nowUnix = Math.floor(Date.now() / 1000);
     return expiresAt <= nowUnix + 30;
 }
-async function refreshCredentials(credentials) {
-    const response = await fetch(`${credentials.baseUrl}/api/cli/auth/refresh`, {
+async function refreshCredentials(baseUrl, credentials) {
+    const response = await fetch(`${baseUrl}/api/cli/auth/refresh`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({ refreshToken: credentials.refreshToken }),
@@ -20,21 +40,21 @@ async function refreshCredentials(credentials) {
         accessToken: data.accessToken,
         refreshToken: data.refreshToken,
         expiresAt: data.expiresAt,
-        baseUrl: credentials.baseUrl,
     };
-    saveCredentials(refreshed);
+    updateServerCredentials(baseUrl, refreshed);
     return refreshed;
 }
 export async function authedFetch(path, init = {}) {
-    const credentials = loadCredentials();
+    const baseUrl = resolveBaseUrl();
+    const credentials = getServerCredentials(baseUrl);
     if (!credentials) {
-        throw new Error('Not logged in. Run `orizu login` first.');
+        throw new Error(`Not logged in for ${baseUrl}. Run \`orizu login --server ${baseUrl}\` (or \`--local\`) first.`);
     }
     let activeCredentials = credentials;
     if (isExpired(activeCredentials.expiresAt)) {
-        activeCredentials = await refreshCredentials(activeCredentials);
+        activeCredentials = await refreshCredentials(baseUrl, activeCredentials);
     }
-    let response = await fetch(`${activeCredentials.baseUrl}${path}`, {
+    let response = await fetch(`${baseUrl}${path}`, {
         ...init,
         headers: {
             ...(init.headers || {}),
@@ -42,8 +62,8 @@ export async function authedFetch(path, init = {}) {
         },
     });
     if (response.status === 401) {
-        activeCredentials = await refreshCredentials(activeCredentials);
-        response = await fetch(`${activeCredentials.baseUrl}${path}`, {
+        activeCredentials = await refreshCredentials(baseUrl, activeCredentials);
+        response = await fetch(`${baseUrl}${path}`, {
             ...init,
             headers: {
                 ...(init.headers || {}),

package/dist/index.js

@@ -6,24 +6,27 @@ import { readFileSync, writeFileSync } from 'fs';
 import { spawn } from 'child_process';
 import { createInterface } from 'readline/promises';
 import { stdin as input, stdout as output } from 'process';
-import { clearCredentials, loadCredentials, saveCredentials } from './credentials.js';
+import { clearServerCredentials, getServerCredentials, saveServerCredentials } from './credentials.js';
 import { parseDatasetFile } from './file-parser.js';
-import { authedFetch, getBaseUrl } from './http.js';
+import { parseDatasetReference } from './dataset-download.js';
+import { parseGlobalFlags } from './global-flags.js';
+import { authedFetch, getBaseUrl, setGlobalFlags } from './http.js';
 function printUsage() {
-    console.log(`orizu commands:\n\n  orizu login\n  orizu logout\n  orizu whoami\n  orizu teams list\n  orizu teams create [--name <name>]\n  orizu teams members list [--team <teamSlug>]\n  orizu teams members add --email <email> [--team <teamSlug>]\n  orizu teams members remove --email <email> [--team <teamSlug>]\n  orizu teams members role --team <teamSlug> --email <email> --role <admin|member>\n  orizu projects list [--team <teamSlug>]\n  orizu projects create --name <name> [--team <teamSlug>]\n  orizu apps list [--project <team/project>]\n  orizu apps create --project <team/project> --name <name> --dataset <datasetId> --file <path> --input-schema <json-path> --output-schema <json-path> [--component <name>]\n  orizu apps update [--app <appId>] [--project <team/project>] --file <path> --input-schema <json-path> --output-schema <json-path> [--component <name>]\n  orizu apps link-dataset --dataset <datasetId> [--app <appId>] [--project <team/project>] [--version <n>]\n  orizu tasks list [--project <team/project>]\n  orizu tasks create --project <team/project> --dataset <datasetId> --app <appId> --title <title> --assignees <userId1,userId2> [--instructions <text>] [--labels-per-item <n>]\n  orizu tasks assign --task <taskId> --assignees <userId1,userId2>\n  orizu tasks status --task <taskId> [--json]\n  orizu datasets upload --file <path> [--project <team/project>] [--name <name>]\n  orizu tasks export [--task <taskId>] [--format <csv|json|jsonl>] [--out <path>]`);
+    console.log(`orizu global options:\n\n  --local                 Use http://localhost:3000\n  --server <url>          Use a specific server origin (for example: https://preview.example.com)\n\norizu commands:\n\n  orizu login\n  orizu logout\n  orizu whoami\n  orizu teams list\n  orizu teams create [--name <name>]\n  orizu teams members list [--team <teamSlug>]\n  orizu teams members add --email <email> [--team <teamSlug>]\n  orizu teams members remove --email <email> [--team <teamSlug>]\n  orizu teams members role --team <teamSlug> --email <email> --role <admin|member>\n  orizu projects list [--team <teamSlug>]\n  orizu projects create --name <name> [--team <teamSlug>]\n  orizu apps list [--project <team/project>]\n  orizu apps create --project <team/project> --name <name> --dataset <datasetId> --file <path> --input-schema <json-path> --output-schema <json-path> [--component <name>]\n  orizu apps update [--app <appId>] [--project <team/project>] --file <path> --input-schema <json-path> --output-schema <json-path> [--component <name>]\n  orizu apps link-dataset --dataset <datasetId> [--app <appId>] [--project <team/project>] [--version <n>]\n  orizu tasks list [--project <team/project>]\n  orizu tasks create --project <team/project> --dataset <datasetId> --app <appId> --title <title> --assignees <userId1,userId2> [--instructions <text>] [--labels-per-item <n>]\n  orizu tasks assign --task <taskId> --assignees <userId1,userId2>\n  orizu tasks status --task <taskId> [--json]\n  orizu datasets upload --file <path> [--project <team/project>] [--name <name>]\n  orizu datasets download [--dataset <datasetId|datasetUrl>] [--project <team/project>] [--format <csv|json|jsonl>] [--out <path>]\n  orizu tasks export [--task <taskId>] [--format <csv|json|jsonl>] [--out <path>]`);
 }
+let cliArgs = process.argv.slice(2);
 function getArg(name) {
-    const index = process.argv.indexOf(name);
-    if (index === -1 || index + 1 >= process.argv.length) {
+    const index = cliArgs.indexOf(name);
+    if (index === -1 || index + 1 >= cliArgs.length) {
         return null;
     }
-    return process.argv[index + 1];
+    return cliArgs[index + 1];
 }
 function isInteractiveTerminal() {
     return Boolean(process.stdin.isTTY && process.stdout.isTTY);
 }
 function hasArg(name) {
-    return process.argv.includes(name);
+    return cliArgs.includes(name);
 }
 function expandHomePath(path) {
     if (path.startsWith('~/')) {
@@ -144,6 +147,14 @@ async function fetchApps(project) {
     const data = await parseJsonResponse(response, 'Apps list');
     return data.apps;
 }
+async function fetchDatasets(project) {
+    const response = await authedFetch(`/api/cli/datasets?project=${encodeURIComponent(project)}`);
+    if (!response.ok) {
+        throw new Error(`Failed to fetch datasets: ${await response.text()}`);
+    }
+    const data = await parseJsonResponse(response, 'Datasets list');
+    return data.datasets;
+}
 async function fetchTeamMembers(teamSlug) {
     const response = await authedFetch(`/api/cli/teams/${encodeURIComponent(teamSlug)}/members`);
     if (!response.ok) {
@@ -204,6 +215,18 @@ async function selectAppIdInteractively(projectArg) {
         project,
     };
 }
+async function selectDatasetInteractively(projectArg) {
+    let project = projectArg;
+    if (!project) {
+        project = await resolveProjectSlug(null);
+    }
+    const datasets = await fetchDatasets(project);
+    const dataset = await promptSelect(`Select a dataset in ${project}`, datasets, item => `${item.name} (id=${item.id}, rows=${item.rowCount})`, { forcePrompt: true });
+    return {
+        datasetId: dataset.id,
+        project,
+    };
+}
 function printTeams(teams) {
     if (teams.length === 0) {
         console.log('No teams found.');
@@ -377,11 +400,10 @@ async function login() {
         throw new Error(`Failed to exchange auth code: ${text}`);
     }
     const loginData = await parseJsonResponse(exchangeResponse, 'CLI auth exchange');
-    saveCredentials({
+    saveServerCredentials(baseUrl, {
         accessToken: loginData.accessToken,
         refreshToken: loginData.refreshToken,
         expiresAt: loginData.expiresAt,
-        baseUrl,
     });
     console.log(`Logged in as ${loginData.user.email ?? loginData.user.id}`);
 }
@@ -394,19 +416,20 @@ async function whoami() {
     console.log(data.user.email ?? data.user.id);
 }
 async function logout() {
-    const credentials = loadCredentials();
+    const baseUrl = getBaseUrl();
+    const credentials = getServerCredentials(baseUrl);
     if (!credentials) {
-        console.log('Already logged out.');
+        console.log(`Already logged out for ${baseUrl}.`);
         return;
     }
-    await fetch(`${credentials.baseUrl}/api/cli/auth/logout`, {
+    await fetch(`${baseUrl}/api/cli/auth/logout`, {
         method: 'POST',
         headers: {
             Authorization: `Bearer ${credentials.accessToken}`,
         },
     }).catch(() => undefined);
-    clearCredentials();
-    console.log('Logged out.');
+    clearServerCredentials(baseUrl);
+    console.log(`Logged out from ${baseUrl}.`);
 }
 async function listTeams() {
     printTeams(await fetchTeams());
@@ -769,6 +792,44 @@ async function uploadDataset() {
         console.log(`View dataset: ${formatTerminalLink(data.dataset.url)}`);
     }
 }
+function getDatasetDownloadInput() {
+    const fromFlag = getArg('--dataset');
+    if (fromFlag) {
+        return fromFlag;
+    }
+    const positional = cliArgs[2];
+    if (positional && !positional.startsWith('--')) {
+        return positional;
+    }
+    return null;
+}
+async function downloadDataset() {
+    const projectArg = getArg('--project');
+    const datasetInput = getDatasetDownloadInput();
+    const format = (getArg('--format') || 'jsonl');
+    const outPathArg = getArg('--out');
+    if (!['csv', 'json', 'jsonl'].includes(format)) {
+        throw new Error('format must be one of: csv, json, jsonl');
+    }
+    let datasetId;
+    if (datasetInput) {
+        datasetId = parseDatasetReference(datasetInput).datasetId;
+    }
+    else {
+        const selected = await selectDatasetInteractively(projectArg);
+        datasetId = selected.datasetId;
+    }
+    const response = await authedFetch(`/api/cli/datasets/${encodeURIComponent(datasetId)}/download?format=${encodeURIComponent(format)}`);
+    if (!response.ok) {
+        throw new Error(`Download failed: ${await response.text()}`);
+    }
+    const filename = outPathArg
+        ? expandHomePath(outPathArg)
+        : `${datasetId}.${format}`;
+    const bytes = new Uint8Array(await response.arrayBuffer());
+    writeFileSync(filename, bytes);
+    console.log(`Saved dataset ${datasetId} (${format.toUpperCase()}) to ${filename}`);
+}
 async function downloadAnnotations() {
     let taskId = getArg('--task');
     const format = (getArg('--format') || 'jsonl');
@@ -792,8 +853,11 @@ async function downloadAnnotations() {
     console.log(`Saved ${format.toUpperCase()} export to ${filename}`);
 }
 async function main() {
-    const command = process.argv[2];
-    const subcommand = process.argv[3];
+    const parsed = parseGlobalFlags(process.argv.slice(2));
+    setGlobalFlags(parsed.flags);
+    cliArgs = parsed.args;
+    const command = cliArgs[0];
+    const subcommand = cliArgs[1];
     if (!command) {
         printUsage();
         process.exit(1);
@@ -818,7 +882,7 @@ async function main() {
         await createTeam();
         return;
     }
-    const teamsMembersAction = process.argv[4];
+    const teamsMembersAction = cliArgs[2];
     if (command === 'teams' && subcommand === 'members' && teamsMembersAction === 'list') {
         await listTeamMembers();
         return;
@@ -879,6 +943,10 @@ async function main() {
         await uploadDataset();
         return;
     }
+    if (command === 'datasets' && subcommand === 'download') {
+        await downloadDataset();
+        return;
+    }
     if (command === 'tasks' && subcommand === 'export') {
         await downloadAnnotations();
         return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "orizu",
-  "version": "0.0.5",
+  "version": "0.0.6",
   "private": false,
   "type": "module",
   "bin": {

package/src/credentials.ts

@@ -1,9 +1,12 @@
 import { mkdirSync, readFileSync, rmSync, writeFileSync, chmodSync, existsSync } from 'fs'
 import { join } from 'path'
 import { homedir } from 'os'
-import { StoredCredentials } from './types.js'
+import { ServerCredentials, StoredCredentialsV1, StoredCredentialsV2 } from './types.js'
 
 function getConfigDir(): string {
+  if (process.env.ORIZU_CONFIG_DIR) {
+    return process.env.ORIZU_CONFIG_DIR
+  }
   return join(homedir(), '.config', 'orizu')
 }
 
@@ -11,25 +14,139 @@ function getCredentialsPath(): string {
   return join(getConfigDir(), 'credentials.json')
 }
 
-export function saveCredentials(credentials: StoredCredentials) {
+function isStoredCredentialsV2(value: unknown): value is StoredCredentialsV2 {
+  if (!value || typeof value !== 'object') {
+    return false
+  }
+
+  const typed = value as Partial<StoredCredentialsV2>
+  return typed.version === 2 && !!typed.servers && typeof typed.servers === 'object'
+}
+
+function isStoredCredentialsV1(value: unknown): value is StoredCredentialsV1 {
+  if (!value || typeof value !== 'object') {
+    return false
+  }
+
+  const typed = value as Partial<StoredCredentialsV1>
+  return (
+    typeof typed.baseUrl === 'string' &&
+    typeof typed.accessToken === 'string' &&
+    typeof typed.refreshToken === 'string' &&
+    typeof typed.expiresAt === 'number'
+  )
+}
+
+function migrateToV2(stored: StoredCredentialsV1): StoredCredentialsV2 {
+  return {
+    version: 2,
+    activeBaseUrl: stored.baseUrl,
+    servers: {
+      [stored.baseUrl]: {
+        accessToken: stored.accessToken,
+        refreshToken: stored.refreshToken,
+        expiresAt: stored.expiresAt,
+      },
+    },
+  }
+}
+
+function writeCredentials(config: StoredCredentialsV2) {
   const dir = getConfigDir()
   mkdirSync(dir, { recursive: true })
   const path = getCredentialsPath()
-  writeFileSync(path, JSON.stringify(credentials, null, 2), 'utf-8')
+  writeFileSync(path, JSON.stringify(config, null, 2), 'utf-8')
   chmodSync(path, 0o600)
 }
 
-export function loadCredentials(): StoredCredentials | null {
+function createEmptyCredentialsConfig(): StoredCredentialsV2 {
+  return {
+    version: 2 as const,
+    activeBaseUrl: null,
+    servers: {},
+  }
+}
+
+function loadCredentialsConfigForWrite(): StoredCredentialsV2 {
+  try {
+    return loadCredentialsConfig() || createEmptyCredentialsConfig()
+  } catch {
+    return createEmptyCredentialsConfig()
+  }
+}
+
+export function loadCredentialsConfig(): StoredCredentialsV2 | null {
   const path = getCredentialsPath()
   if (!existsSync(path)) {
     return null
   }
 
   const raw = readFileSync(path, 'utf-8')
-  return JSON.parse(raw) as StoredCredentials
+  const parsed = JSON.parse(raw) as unknown
+  if (isStoredCredentialsV2(parsed)) {
+    return parsed
+  }
+
+  if (isStoredCredentialsV1(parsed)) {
+    return migrateToV2(parsed)
+  }
+
+  throw new Error('Invalid credentials file format.')
+}
+
+export function getServerCredentials(baseUrl: string): ServerCredentials | null {
+  const config = loadCredentialsConfig()
+  if (!config) {
+    return null
+  }
+
+  if (!Object.hasOwn(config.servers, baseUrl)) {
+    return null
+  }
+
+  return config.servers[baseUrl] || null
+}
+
+export function saveServerCredentials(baseUrl: string, credentials: ServerCredentials) {
+  const config = loadCredentialsConfigForWrite()
+
+  config.servers[baseUrl] = credentials
+  config.activeBaseUrl = baseUrl
+  writeCredentials(config)
+}
+
+export function updateServerCredentials(baseUrl: string, credentials: ServerCredentials) {
+  const config = loadCredentialsConfigForWrite()
+  config.servers[baseUrl] = credentials
+  writeCredentials(config)
+}
+
+export function getActiveBaseUrl(): string | null {
+  const config = loadCredentialsConfig()
+  return config?.activeBaseUrl || null
+}
+
+export function setActiveBaseUrl(baseUrl: string | null) {
+  const config = loadCredentialsConfigForWrite()
+  config.activeBaseUrl = baseUrl
+  writeCredentials(config)
+}
+
+export function clearServerCredentials(baseUrl: string): boolean {
+  const config = loadCredentialsConfig()
+  if (!config || !Object.hasOwn(config.servers, baseUrl)) {
+    return false
+  }
+
+  delete config.servers[baseUrl]
+  if (config.activeBaseUrl === baseUrl) {
+    config.activeBaseUrl = null
+  }
+  writeCredentials(config)
+  return true
 }
 
-export function clearCredentials() {
+export function clearCredentialsFile() {
   const path = getCredentialsPath()
   if (existsSync(path)) {
     rmSync(path)

package/src/dataset-download.ts

@@ -0,0 +1,36 @@
+export interface ParsedDatasetReference {
+  datasetId: string
+  project?: string
+}
+
+const DATASET_URL_PATH = /^\/d\/([^/]+)\/([^/]+)\/datasets\/([^/?#]+)\/?$/
+
+export function parseDatasetReference(input: string): ParsedDatasetReference {
+  const value = input.trim()
+  if (!value) {
+    throw new Error('Dataset value cannot be empty')
+  }
+
+  try {
+    const url = new URL(value)
+    const match = DATASET_URL_PATH.exec(url.pathname)
+    if (match) {
+      return {
+        project: `${match[1]}/${match[2]}`,
+        datasetId: decodeURIComponent(match[3]),
+      }
+    }
+
+    throw new Error(
+      'Dataset URL must be in format https://<host>/d/<teamSlug>/<projectSlug>/datasets/<datasetId>'
+    )
+  } catch {
+    if (value.startsWith('http://') || value.startsWith('https://')) {
+      throw new Error(
+        'Dataset URL must be in format https://<host>/d/<teamSlug>/<projectSlug>/datasets/<datasetId>'
+      )
+    }
+  }
+
+  return { datasetId: value }
+}

package/src/global-flags.ts

@@ -0,0 +1,81 @@
+const LOCALHOST_BASE_URL = 'http://localhost:3000'
+
+export interface GlobalFlags {
+  local: boolean
+  server: string | null
+}
+
+export interface ParsedGlobalFlags {
+  flags: GlobalFlags
+  args: string[]
+}
+
+export function normalizeBaseUrl(url: string): string {
+  let parsed: URL
+  try {
+    parsed = new URL(url)
+  } catch {
+    throw new Error(`Invalid server URL: '${url}'`)
+  }
+
+  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+    throw new Error('Server URL must use http or https.')
+  }
+
+  if (parsed.username || parsed.password) {
+    throw new Error('Server URL must not contain credentials.')
+  }
+
+  if (parsed.pathname !== '/' || parsed.search || parsed.hash) {
+    throw new Error('Server URL must be an origin only (no path, query, or hash).')
+  }
+
+  return parsed.origin
+}
+
+export function parseGlobalFlags(argv: string[]): ParsedGlobalFlags {
+  const args: string[] = []
+  const flags: GlobalFlags = {
+    local: false,
+    server: null,
+  }
+
+  for (let index = 0; index < argv.length; index += 1) {
+    const value = argv[index]
+    if (value === '--local') {
+      flags.local = true
+      continue
+    }
+
+    if (value === '--server') {
+      const next = argv[index + 1]
+      if (!next || next.startsWith('--')) {
+        throw new Error('Usage: --server <url>')
+      }
+
+      flags.server = normalizeBaseUrl(next)
+      index += 1
+      continue
+    }
+
+    args.push(value)
+  }
+
+  if (flags.local && flags.server) {
+    throw new Error('Use either --local or --server <url>, not both.')
+  }
+
+  return { flags, args }
+}
+
+export function getFlagBaseUrl(flags: GlobalFlags): string | null {
+  if (flags.local) {
+    return LOCALHOST_BASE_URL
+  }
+
+  if (flags.server) {
+    return flags.server
+  }
+
+  return null
+}

package/src/http.ts

@@ -1,8 +1,34 @@
-import { loadCredentials, saveCredentials } from './credentials.js'
-import { LoginResponse, StoredCredentials } from './types.js'
+import { getActiveBaseUrl, getServerCredentials, updateServerCredentials } from './credentials.js'
+import { getFlagBaseUrl, GlobalFlags, normalizeBaseUrl } from './global-flags.js'
+import { LoginResponse, ServerCredentials } from './types.js'
+
+let runtimeFlags: GlobalFlags = { local: false, server: null }
+
+export function setGlobalFlags(flags: GlobalFlags) {
+  runtimeFlags = flags
+}
+
+export function resolveBaseUrl(flags: GlobalFlags = runtimeFlags): string {
+  const fromFlags = getFlagBaseUrl(flags)
+  if (fromFlags) {
+    return fromFlags
+  }
+
+  const fromEnv = process.env.ORIZU_BASE_URL
+  if (fromEnv) {
+    return normalizeBaseUrl(fromEnv)
+  }
+
+  const fromStored = getActiveBaseUrl()
+  if (fromStored) {
+    return fromStored
+  }
+
+  return 'https://orizu.ai'
+}
 
 export function getBaseUrl(): string {
-  return process.env.ORIZU_BASE_URL || 'https://orizu.ai'
+  return resolveBaseUrl()
 }
 
 function isExpired(expiresAt: number): boolean {
@@ -10,8 +36,8 @@ function isExpired(expiresAt: number): boolean {
   return expiresAt <= nowUnix + 30
 }
 
-async function refreshCredentials(credentials: StoredCredentials): Promise<StoredCredentials> {
-  const response = await fetch(`${credentials.baseUrl}/api/cli/auth/refresh`, {
+async function refreshCredentials(baseUrl: string, credentials: ServerCredentials): Promise<ServerCredentials> {
+  const response = await fetch(`${baseUrl}/api/cli/auth/refresh`, {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify({ refreshToken: credentials.refreshToken }),
@@ -26,24 +52,24 @@ async function refreshCredentials(credentials: StoredCredentials): Promise<Store
     accessToken: data.accessToken,
     refreshToken: data.refreshToken,
     expiresAt: data.expiresAt,
-    baseUrl: credentials.baseUrl,
   }
-  saveCredentials(refreshed)
+  updateServerCredentials(baseUrl, refreshed)
   return refreshed
 }
 
 export async function authedFetch(path: string, init: RequestInit = {}) {
-  const credentials = loadCredentials()
+  const baseUrl = resolveBaseUrl()
+  const credentials = getServerCredentials(baseUrl)
   if (!credentials) {
-    throw new Error('Not logged in. Run `orizu login` first.')
+    throw new Error(`Not logged in for ${baseUrl}. Run \`orizu login --server ${baseUrl}\` (or \`--local\`) first.`)
   }
 
   let activeCredentials = credentials
   if (isExpired(activeCredentials.expiresAt)) {
-    activeCredentials = await refreshCredentials(activeCredentials)
+    activeCredentials = await refreshCredentials(baseUrl, activeCredentials)
   }
 
-  let response = await fetch(`${activeCredentials.baseUrl}${path}`, {
+  let response = await fetch(`${baseUrl}${path}`, {
     ...init,
     headers: {
       ...(init.headers || {}),
@@ -52,8 +78,8 @@ export async function authedFetch(path: string, init: RequestInit = {}) {
   })
 
   if (response.status === 401) {
-    activeCredentials = await refreshCredentials(activeCredentials)
-    response = await fetch(`${activeCredentials.baseUrl}${path}`, {
+    activeCredentials = await refreshCredentials(baseUrl, activeCredentials)
+    response = await fetch(`${baseUrl}${path}`, {
       ...init,
       headers: {
         ...(init.headers || {}),

package/src/index.ts

@@ -6,9 +6,11 @@ import { readFileSync, writeFileSync } from 'fs'
 import { spawn } from 'child_process'
 import { createInterface } from 'readline/promises'
 import { stdin as input, stdout as output } from 'process'
-import { clearCredentials, loadCredentials, saveCredentials } from './credentials.js'
+import { clearServerCredentials, getServerCredentials, saveServerCredentials } from './credentials.js'
 import { parseDatasetFile } from './file-parser.js'
-import { authedFetch, getBaseUrl } from './http.js'
+import { parseDatasetReference } from './dataset-download.js'
+import { parseGlobalFlags } from './global-flags.js'
+import { authedFetch, getBaseUrl, setGlobalFlags } from './http.js'
 import { LoginResponse } from './types.js'
 
 interface Team {
@@ -50,6 +52,19 @@ interface AppSummary {
   projectName: string
 }
 
+interface DatasetSummary {
+  id: string
+  name: string
+  rowCount: number
+  sourceType: string
+  createdAt: string
+  projectId: string
+  projectName: string
+  projectSlug: string
+  teamName: string
+  teamSlug: string
+}
+
 interface TeamMember {
   id: string
   user_id: string | null
@@ -91,16 +106,18 @@ interface TaskStatusPayload {
 }
 
 function printUsage() {
-  console.log(`orizu commands:\n\n  orizu login\n  orizu logout\n  orizu whoami\n  orizu teams list\n  orizu teams create [--name <name>]\n  orizu teams members list [--team <teamSlug>]\n  orizu teams members add --email <email> [--team <teamSlug>]\n  orizu teams members remove --email <email> [--team <teamSlug>]\n  orizu teams members role --team <teamSlug> --email <email> --role <admin|member>\n  orizu projects list [--team <teamSlug>]\n  orizu projects create --name <name> [--team <teamSlug>]\n  orizu apps list [--project <team/project>]\n  orizu apps create --project <team/project> --name <name> --dataset <datasetId> --file <path> --input-schema <json-path> --output-schema <json-path> [--component <name>]\n  orizu apps update [--app <appId>] [--project <team/project>] --file <path> --input-schema <json-path> --output-schema <json-path> [--component <name>]\n  orizu apps link-dataset --dataset <datasetId> [--app <appId>] [--project <team/project>] [--version <n>]\n  orizu tasks list [--project <team/project>]\n  orizu tasks create --project <team/project> --dataset <datasetId> --app <appId> --title <title> --assignees <userId1,userId2> [--instructions <text>] [--labels-per-item <n>]\n  orizu tasks assign --task <taskId> --assignees <userId1,userId2>\n  orizu tasks status --task <taskId> [--json]\n  orizu datasets upload --file <path> [--project <team/project>] [--name <name>]\n  orizu tasks export [--task <taskId>] [--format <csv|json|jsonl>] [--out <path>]`)
+  console.log(`orizu global options:\n\n  --local                 Use http://localhost:3000\n  --server <url>          Use a specific server origin (for example: https://preview.example.com)\n\norizu commands:\n\n  orizu login\n  orizu logout\n  orizu whoami\n  orizu teams list\n  orizu teams create [--name <name>]\n  orizu teams members list [--team <teamSlug>]\n  orizu teams members add --email <email> [--team <teamSlug>]\n  orizu teams members remove --email <email> [--team <teamSlug>]\n  orizu teams members role --team <teamSlug> --email <email> --role <admin|member>\n  orizu projects list [--team <teamSlug>]\n  orizu projects create --name <name> [--team <teamSlug>]\n  orizu apps list [--project <team/project>]\n  orizu apps create --project <team/project> --name <name> --dataset <datasetId> --file <path> --input-schema <json-path> --output-schema <json-path> [--component <name>]\n  orizu apps update [--app <appId>] [--project <team/project>] --file <path> --input-schema <json-path> --output-schema <json-path> [--component <name>]\n  orizu apps link-dataset --dataset <datasetId> [--app <appId>] [--project <team/project>] [--version <n>]\n  orizu tasks list [--project <team/project>]\n  orizu tasks create --project <team/project> --dataset <datasetId> --app <appId> --title <title> --assignees <userId1,userId2> [--instructions <text>] [--labels-per-item <n>]\n  orizu tasks assign --task <taskId> --assignees <userId1,userId2>\n  orizu tasks status --task <taskId> [--json]\n  orizu datasets upload --file <path> [--project <team/project>] [--name <name>]\n  orizu datasets download [--dataset <datasetId|datasetUrl>] [--project <team/project>] [--format <csv|json|jsonl>] [--out <path>]\n  orizu tasks export [--task <taskId>] [--format <csv|json|jsonl>] [--out <path>]`)
 }
 
+let cliArgs = process.argv.slice(2)
+
 function getArg(name: string): string | null {
-  const index = process.argv.indexOf(name)
-  if (index === -1 || index + 1 >= process.argv.length) {
+  const index = cliArgs.indexOf(name)
+  if (index === -1 || index + 1 >= cliArgs.length) {
     return null
   }
 
-  return process.argv[index + 1]
+  return cliArgs[index + 1]
 }
 
 function isInteractiveTerminal() {
@@ -108,7 +125,7 @@ function isInteractiveTerminal() {
 }
 
 function hasArg(name: string): boolean {
-  return process.argv.includes(name)
+  return cliArgs.includes(name)
 }
 
 function expandHomePath(path: string): string {
@@ -265,6 +282,16 @@ async function fetchApps(project: string): Promise<AppSummary[]> {
   return data.apps
 }
 
+async function fetchDatasets(project: string): Promise<DatasetSummary[]> {
+  const response = await authedFetch(`/api/cli/datasets?project=${encodeURIComponent(project)}`)
+  if (!response.ok) {
+    throw new Error(`Failed to fetch datasets: ${await response.text()}`)
+  }
+
+  const data = await parseJsonResponse<{ datasets: DatasetSummary[] }>(response, 'Datasets list')
+  return data.datasets
+}
+
 async function fetchTeamMembers(teamSlug: string): Promise<TeamMember[]> {
   const response = await authedFetch(`/api/cli/teams/${encodeURIComponent(teamSlug)}/members`)
   if (!response.ok) {
@@ -389,6 +416,26 @@ async function selectAppIdInteractively(projectArg: string | null): Promise<{ ap
   }
 }
 
+async function selectDatasetInteractively(projectArg: string | null): Promise<{ datasetId: string; project: string }> {
+  let project = projectArg
+  if (!project) {
+    project = await resolveProjectSlug(null)
+  }
+
+  const datasets = await fetchDatasets(project)
+  const dataset = await promptSelect(
+    `Select a dataset in ${project}`,
+    datasets,
+    item => `${item.name} (id=${item.id}, rows=${item.rowCount})`,
+    { forcePrompt: true }
+  )
+
+  return {
+    datasetId: dataset.id,
+    project,
+  }
+}
+
 function printTeams(teams: Team[]) {
   if (teams.length === 0) {
     console.log('No teams found.')
@@ -618,11 +665,10 @@ async function login() {
   }
 
   const loginData = await parseJsonResponse<LoginResponse>(exchangeResponse, 'CLI auth exchange')
-  saveCredentials({
+  saveServerCredentials(baseUrl, {
     accessToken: loginData.accessToken,
     refreshToken: loginData.refreshToken,
     expiresAt: loginData.expiresAt,
-    baseUrl,
   })
 
   console.log(`Logged in as ${loginData.user.email ?? loginData.user.id}`)
@@ -639,21 +685,22 @@ async function whoami() {
 }
 
 async function logout() {
-  const credentials = loadCredentials()
+  const baseUrl = getBaseUrl()
+  const credentials = getServerCredentials(baseUrl)
   if (!credentials) {
-    console.log('Already logged out.')
+    console.log(`Already logged out for ${baseUrl}.`)
     return
   }
 
-  await fetch(`${credentials.baseUrl}/api/cli/auth/logout`, {
+  await fetch(`${baseUrl}/api/cli/auth/logout`, {
     method: 'POST',
     headers: {
       Authorization: `Bearer ${credentials.accessToken}`,
     },
   }).catch(() => undefined)
 
-  clearCredentials()
-  console.log('Logged out.')
+  clearServerCredentials(baseUrl)
+  console.log(`Logged out from ${baseUrl}.`)
 }
 
 async function listTeams() {
@@ -1126,6 +1173,55 @@ async function uploadDataset() {
   }
 }
 
+function getDatasetDownloadInput(): string | null {
+  const fromFlag = getArg('--dataset')
+  if (fromFlag) {
+    return fromFlag
+  }
+
+  const positional = cliArgs[2]
+  if (positional && !positional.startsWith('--')) {
+    return positional
+  }
+
+  return null
+}
+
+async function downloadDataset() {
+  const projectArg = getArg('--project')
+  const datasetInput = getDatasetDownloadInput()
+  const format = (getArg('--format') || 'jsonl') as 'csv' | 'json' | 'jsonl'
+  const outPathArg = getArg('--out')
+
+  if (!['csv', 'json', 'jsonl'].includes(format)) {
+    throw new Error('format must be one of: csv, json, jsonl')
+  }
+
+  let datasetId: string
+  if (datasetInput) {
+    datasetId = parseDatasetReference(datasetInput).datasetId
+  } else {
+    const selected = await selectDatasetInteractively(projectArg)
+    datasetId = selected.datasetId
+  }
+
+  const response = await authedFetch(
+    `/api/cli/datasets/${encodeURIComponent(datasetId)}/download?format=${encodeURIComponent(format)}`
+  )
+  if (!response.ok) {
+    throw new Error(`Download failed: ${await response.text()}`)
+  }
+
+  const filename = outPathArg
+    ? expandHomePath(outPathArg)
+    : `${datasetId}.${format}`
+
+  const bytes = new Uint8Array(await response.arrayBuffer())
+  writeFileSync(filename, bytes)
+
+  console.log(`Saved dataset ${datasetId} (${format.toUpperCase()}) to ${filename}`)
+}
+
 async function downloadAnnotations() {
   let taskId = getArg('--task')
   const format = (getArg('--format') || 'jsonl') as 'csv' | 'json' | 'jsonl'
@@ -1156,8 +1252,12 @@ async function downloadAnnotations() {
 }
 
 async function main() {
-  const command = process.argv[2]
-  const subcommand = process.argv[3]
+  const parsed = parseGlobalFlags(process.argv.slice(2))
+  setGlobalFlags(parsed.flags)
+  cliArgs = parsed.args
+
+  const command = cliArgs[0]
+  const subcommand = cliArgs[1]
 
   if (!command) {
     printUsage()
@@ -1189,7 +1289,7 @@ async function main() {
     return
   }
 
-  const teamsMembersAction = process.argv[4]
+  const teamsMembersAction = cliArgs[2]
   if (command === 'teams' && subcommand === 'members' && teamsMembersAction === 'list') {
     await listTeamMembers()
     return
@@ -1262,6 +1362,11 @@ async function main() {
     return
   }
 
+  if (command === 'datasets' && subcommand === 'download') {
+    await downloadDataset()
+    return
+  }
+
   if (command === 'tasks' && subcommand === 'export') {
     await downloadAnnotations()
     return

package/src/types.ts

@@ -1,10 +1,25 @@
-export interface StoredCredentials {
+export interface ServerCredentials {
   accessToken: string
   refreshToken: string
   expiresAt: number
+}
+
+export interface StoredCredentialsV1 {
   baseUrl: string
+  accessToken: string
+  refreshToken: string
+  expiresAt: number
+}
+
+export interface StoredCredentialsV2 {
+  version: 2
+  activeBaseUrl: string | null
+  servers: Record<string, ServerCredentials>
 }
 
+// Backward-compatible alias for legacy callers.
+export type StoredCredentials = StoredCredentialsV1
+
 export interface LoginResponse {
   accessToken: string
   refreshToken: string