reallink-cli 0.1.10 → 0.1.12

package/rust/src/main.rs

@@ -1,35 +1,74 @@
 use anyhow::{anyhow, Context, Result};
-use clap::{ArgAction, Args, Parser, Subcommand};
+use clap::{ArgAction, Args, Parser, Subcommand, ValueEnum};
 use reqwest::{Method, StatusCode};
 use serde::{Deserialize, Serialize};
+use sha2::Digest;
 use std::fs;
-use std::io::{self, Write};
+use std::io::{self, Read, Write};
 use std::path::{Path, PathBuf};
 use std::process::Command;
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
+use tokio::fs as tokio_fs;
+use tokio::io::AsyncWriteExt;
 use tokio::time::sleep;
 
+mod unreal;
+mod generated;
+use unreal::{
+    LinkDoctorArgs, LinkOpenArgs, LinkPathsArgs, LinkPluginInstallArgs, LinkPluginListArgs,
+    LinkRemoveArgs, LinkRunArgs, LinkUnrealArgs, LinkUseArgs, PluginIndexFile, UnrealLinkRecord,
+    UnrealLinksConfig,
+};
+
 const DEFAULT_BASE_URL: &str = "https://api.real-agent.link";
 const CONFIG_DIR_ENV: &str = "REALLINK_CONFIG_DIR";
 const SESSION_DIR_NAME: &str = "reallink";
 const SESSION_FILE_NAME: &str = "session.json";
+const UNREAL_LINKS_FILE_NAME: &str = "unreal-links.json";
 const UPDATE_CACHE_FILE_NAME: &str = "update-check.json";
 const VERSION_CHECK_INTERVAL_MS: u128 = 24 * 60 * 60 * 1000;
 const DEFAULT_VERSION_FETCH_TIMEOUT_MS: u64 = 800;
 
 #[derive(Parser)]
-#[command(name = "reallink", bin_name = "reallink", version, about = "Reallink CLI")]
+#[command(
+    name = "reallink",
+    bin_name = "reallink",
+    version,
+    about = "Reallink CLI"
+)]
 struct Cli {
+    #[arg(
+        long = "format",
+        global = true,
+        value_enum,
+        default_value_t = OutputFormat::Json,
+        help = "CLI output format (json is agent-friendly)"
+    )]
+    output: OutputFormat,
     #[command(subcommand)]
     command: Commands,
 }
 
+#[derive(Clone, Copy, Debug, Eq, PartialEq, ValueEnum)]
+enum OutputFormat {
+    Json,
+    Text,
+}
+
 #[derive(Subcommand)]
 enum Commands {
     Login(LoginArgs),
     Whoami(BaseArgs),
     Logout,
     SelfUpdate(SelfUpdateArgs),
+    Org {
+        #[command(subcommand)]
+        command: OrgCommands,
+    },
+    Link {
+        #[command(subcommand)]
+        command: unreal::LinkCommands,
+    },
     Project {
         #[command(subcommand)]
         command: ProjectCommands,
@@ -86,12 +125,33 @@ enum ProjectCommands {
     Get(ProjectGetArgs),
     Update(ProjectUpdateArgs),
     Delete(ProjectDeleteArgs),
+    Members(ProjectMembersArgs),
+    AddMember(ProjectAddMemberArgs),
+    UpdateMember(ProjectUpdateMemberArgs),
+    RemoveMember(ProjectRemoveMemberArgs),
+}
+
+#[derive(Subcommand)]
+enum OrgCommands {
+    List(BaseArgs),
+    Create(OrgCreateArgs),
+    Get(OrgGetArgs),
+    Update(OrgUpdateArgs),
+    Delete(OrgDeleteArgs),
+    Invites(OrgInvitesArgs),
+    Invite(OrgInviteArgs),
+    Members(OrgMembersArgs),
+    AddMember(OrgAddMemberArgs),
+    UpdateMember(OrgUpdateMemberArgs),
+    RemoveMember(OrgRemoveMemberArgs),
 }
 
 #[derive(Subcommand)]
 enum FileCommands {
     List(FileListArgs),
     Get(FileGetArgs),
+    Stat(FileStatArgs),
+    Download(FileDownloadArgs),
     Upload(FileUploadArgs),
     Mkdir(FileMkdirArgs),
     Move(FileMoveArgs),
@@ -151,6 +211,29 @@ struct FileGetArgs {
     base_url: Option<String>,
 }
 
+#[derive(Args)]
+struct FileStatArgs {
+    #[arg(long)]
+    asset_id: String,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
+#[derive(Args)]
+struct FileDownloadArgs {
+    #[arg(long)]
+    asset_id: String,
+    #[arg(long = "output")]
+    output_path: Option<PathBuf>,
+    #[arg(
+        long,
+        help = "Resume download from existing output file size using HTTP Range"
+    )]
+    resume: bool,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
 #[derive(Args)]
 struct FileUploadArgs {
     #[arg(long)]
@@ -339,6 +422,146 @@ struct ProjectDeleteArgs {
     base_url: Option<String>,
 }
 
+#[derive(Args)]
+struct OrgCreateArgs {
+    #[arg(long)]
+    name: String,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
+#[derive(Args)]
+struct OrgGetArgs {
+    #[arg(long)]
+    org_id: String,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
+#[derive(Args)]
+struct OrgUpdateArgs {
+    #[arg(long)]
+    org_id: String,
+    #[arg(long)]
+    name: String,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
+#[derive(Args)]
+struct OrgDeleteArgs {
+    #[arg(long)]
+    org_id: String,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
+#[derive(Args)]
+struct OrgMembersArgs {
+    #[arg(long)]
+    org_id: String,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
+#[derive(Args)]
+struct OrgAddMemberArgs {
+    #[arg(long)]
+    org_id: String,
+    #[arg(long)]
+    email: String,
+    #[arg(long, default_value = "member")]
+    role: String,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
+#[derive(Args)]
+struct OrgUpdateMemberArgs {
+    #[arg(long)]
+    org_id: String,
+    #[arg(long)]
+    user_id: String,
+    #[arg(long)]
+    role: String,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
+#[derive(Args)]
+struct OrgRemoveMemberArgs {
+    #[arg(long)]
+    org_id: String,
+    #[arg(long)]
+    user_id: String,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
+#[derive(Args)]
+struct OrgInvitesArgs {
+    #[arg(long)]
+    org_id: String,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
+#[derive(Args)]
+struct OrgInviteArgs {
+    #[arg(long)]
+    org_id: String,
+    #[arg(long)]
+    email: String,
+    #[arg(long, default_value = "member")]
+    role: String,
+    #[arg(long, default_value_t = 7)]
+    expires_in_days: u32,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
+#[derive(Args)]
+struct ProjectMembersArgs {
+    #[arg(long)]
+    project_id: String,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
+#[derive(Args)]
+struct ProjectAddMemberArgs {
+    #[arg(long)]
+    project_id: String,
+    #[arg(long)]
+    email: String,
+    #[arg(long, default_value = "viewer")]
+    role: String,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
+#[derive(Args)]
+struct ProjectUpdateMemberArgs {
+    #[arg(long)]
+    project_id: String,
+    #[arg(long)]
+    user_id: String,
+    #[arg(long)]
+    role: String,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
+#[derive(Args)]
+struct ProjectRemoveMemberArgs {
+    #[arg(long)]
+    project_id: String,
+    #[arg(long)]
+    user_id: String,
+    #[arg(long)]
+    base_url: Option<String>,
+}
+
 #[derive(Debug, Serialize, Deserialize, Clone)]
 struct SessionConfig {
     base_url: String,
@@ -481,6 +704,95 @@ struct ProjectResponse {
     access_level: Option<String>,
 }
 
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct OrgRecord {
+    id: String,
+    slug: String,
+    name: String,
+    owner_user_id: Option<String>,
+    created_at: Option<String>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct ListOrgsResponse {
+    orgs: Vec<OrgRecord>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct OrgResponse {
+    org: OrgRecord,
+    role: Option<String>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct OrgMemberRecord {
+    org_id: String,
+    user_id: String,
+    role: String,
+    created_at: Option<String>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct ListOrgMembersResponse {
+    members: Vec<OrgMemberRecord>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct OrgMemberResponse {
+    member: OrgMemberRecord,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct OrgInviteRecordApi {
+    id: String,
+    org_id: String,
+    email: String,
+    role: String,
+    invited_by_user_id: Option<String>,
+    status: String,
+    expires_at: String,
+    accepted_by_user_id: Option<String>,
+    accepted_at: Option<String>,
+    created_at: Option<String>,
+    updated_at: Option<String>,
+    url: Option<String>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct ListOrgInvitesResponse {
+    invites: Vec<OrgInviteRecordApi>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct OrgInviteResponse {
+    invite: OrgInviteRecordApi,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct ProjectMemberRecordApi {
+    project_id: String,
+    user_id: String,
+    role: String,
+    invited_by_user_id: Option<String>,
+    created_at: Option<String>,
+    updated_at: Option<String>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct ListProjectMembersResponse {
+    members: Vec<ProjectMemberRecordApi>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct ProjectMemberResponse {
+    member: ProjectMemberRecordApi,
+}
+
 #[derive(Debug, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct AssetRecord {
@@ -508,6 +820,20 @@ struct AssetResponse {
     asset: AssetRecord,
 }
 
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct AssetContentMetadata {
+    part_count: i64,
+    content_length: i64,
+    accept_ranges: String,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct AssetMetadataResponse {
+    asset: AssetRecord,
+    content: AssetContentMetadata,
+}
+
 #[derive(Debug, Serialize)]
 #[serde(rename_all = "camelCase")]
 struct UploadIntentRequest {
@@ -598,13 +924,29 @@ fn load_jsonc_file(path: &Path, label: &str) -> Result<serde_json::Value> {
     parse_jsonc_str(&raw, &format!("{} file {}", label, path.display()))
 }
 
-fn parse_object_from_value(value: serde_json::Value, context: &str) -> Result<serde_json::Map<String, serde_json::Value>> {
+fn parse_object_from_value(
+    value: serde_json::Value,
+    context: &str,
+) -> Result<serde_json::Map<String, serde_json::Value>> {
     match value {
         serde_json::Value::Object(map) => Ok(map),
         _ => Err(anyhow!("{} must be a JSON object", context)),
     }
 }
 
+fn print_json(value: &serde_json::Value) -> Result<()> {
+    println!("{}", serde_json::to_string_pretty(value)?);
+    Ok(())
+}
+
+fn emit_text_or_json(output: OutputFormat, text: &str, value: serde_json::Value) -> Result<()> {
+    match output {
+        OutputFormat::Text => println!("{}", text),
+        OutputFormat::Json => print_json(&value)?,
+    }
+    Ok(())
+}
+
 fn now_epoch_ms() -> u128 {
     SystemTime::now()
         .duration_since(UNIX_EPOCH)
@@ -633,6 +975,11 @@ fn update_cache_path() -> Result<PathBuf> {
     Ok(base.join(SESSION_DIR_NAME).join(UPDATE_CACHE_FILE_NAME))
 }
 
+fn unreal_links_path() -> Result<PathBuf> {
+    let base = resolve_config_root()?;
+    Ok(base.join(SESSION_DIR_NAME).join(UNREAL_LINKS_FILE_NAME))
+}
+
 fn session_path_display() -> String {
     config_path()
         .map(|path| path.display().to_string())
@@ -659,72 +1006,329 @@ fn write_atomic(path: &Path, payload: &[u8]) -> Result<()> {
 fn save_session(session: &SessionConfig) -> Result<()> {
     let path = config_path()?;
     if let Some(parent) = path.parent() {
-        fs::create_dir_all(parent).with_context(|| format!("Failed to create {}", parent.display()))?;
+        fs::create_dir_all(parent)
+            .with_context(|| format!("Failed to create {}", parent.display()))?;
     }
     let payload = serde_json::to_vec_pretty(session)?;
     write_atomic(&path, &payload)?;
     Ok(())
 }
 
-fn load_session() -> Result<SessionConfig> {
-    let path = config_path()?;
-    let raw = fs::read(&path).with_context(|| {
-        format!(
-            "No active session at {}. Run `reallink login` first.",
-            path.display()
-        )
-    })?;
-    let session: SessionConfig = serde_json::from_slice(&raw)
-        .with_context(|| format!("Invalid session format in {}", path.display()))?;
-    Ok(session)
-}
-
-fn clear_session() -> Result<bool> {
-    let path = config_path()?;
-    if path.exists() {
-        fs::remove_file(&path).with_context(|| format!("Failed to remove {}", path.display()))?;
-        return Ok(true);
+fn load_unreal_links() -> Result<UnrealLinksConfig> {
+    let path = unreal_links_path()?;
+    if !path.exists() {
+        return Ok(UnrealLinksConfig::default());
     }
-    Ok(false)
-}
-
-fn load_update_cache() -> Option<UpdateCheckCache> {
-    let path = update_cache_path().ok()?;
-    let raw = fs::read(path).ok()?;
-    serde_json::from_slice(&raw).ok()
+    let raw = fs::read(&path)
+        .with_context(|| format!("Failed to read unreal links {}", path.display()))?;
+    let mut config: UnrealLinksConfig = serde_json::from_slice(&raw)
+        .with_context(|| format!("Invalid unreal links format in {}", path.display()))?;
+    if config.version == 0 {
+        config.version = 1;
+    }
+    Ok(config)
 }
 
-fn save_update_cache(cache: &UpdateCheckCache) -> Result<()> {
-    let path = update_cache_path()?;
+fn save_unreal_links(config: &UnrealLinksConfig) -> Result<()> {
+    let path = unreal_links_path()?;
     if let Some(parent) = path.parent() {
-        fs::create_dir_all(parent).with_context(|| format!("Failed to create {}", parent.display()))?;
+        fs::create_dir_all(parent)
+            .with_context(|| format!("Failed to create {}", parent.display()))?;
     }
-    let payload = serde_json::to_vec_pretty(cache)?;
+    let payload = serde_json::to_vec_pretty(config)?;
     write_atomic(&path, &payload)?;
     Ok(())
 }
 
-async fn read_error_body(response: reqwest::Response) -> String {
-    match response.text().await {
-        Ok(text) if !text.trim().is_empty() => text,
-        _ => "No response body".to_string(),
+fn normalize_path_for_compare(path: &Path) -> String {
+    let normalized = path.to_string_lossy().replace('\\', "/");
+    if cfg!(windows) {
+        normalized.to_ascii_lowercase()
+    } else {
+        normalized
     }
 }
 
-fn with_cli_headers(request: reqwest::RequestBuilder) -> reqwest::RequestBuilder {
-    request
-        .header("x-reallink-client", "cli")
-        .header("x-reallink-cli-version", env!("CARGO_PKG_VERSION"))
+fn normalize_path_string_for_compare(path: &str) -> String {
+    let normalized = path.replace('\\', "/");
+    if cfg!(windows) {
+        normalized.to_ascii_lowercase()
+    } else {
+        normalized
+    }
 }
 
-fn parse_semver_triplet(version: &str) -> Option<(u64, u64, u64)> {
-    let core = version.trim().split('-').next()?;
-    let mut parts = core.split('.');
-    let major = parts.next()?.parse::<u64>().ok()?;
-    let minor = parts.next().unwrap_or("0").parse::<u64>().ok()?;
-    let patch = parts.next().unwrap_or("0").parse::<u64>().ok()?;
-    Some((major, minor, patch))
-}
+fn canonicalize_existing_path(path: &Path, label: &str) -> Result<PathBuf> {
+    let absolute = if path.is_absolute() {
+        path.to_path_buf()
+    } else {
+        std::env::current_dir()
+            .with_context(|| "Failed to resolve current working directory")?
+            .join(path)
+    };
+    fs::canonicalize(&absolute)
+        .with_context(|| format!("Failed to resolve {} path {}", label, absolute.display()))
+}
+
+fn resolve_uproject_path(path: &Path) -> Result<PathBuf> {
+    let canonical = canonicalize_existing_path(path, "uproject")?;
+    if canonical.is_file() {
+        let is_uproject = canonical
+            .extension()
+            .and_then(|value| value.to_str())
+            .map(|value| value.eq_ignore_ascii_case("uproject"))
+            .unwrap_or(false);
+        if !is_uproject {
+            return Err(anyhow!(
+                "Expected a .uproject file, got {}",
+                canonical.display()
+            ));
+        }
+        return Ok(canonical);
+    }
+    if canonical.is_dir() {
+        let mut entries: Vec<PathBuf> = fs::read_dir(&canonical)
+            .with_context(|| format!("Failed to read directory {}", canonical.display()))?
+            .filter_map(|entry| entry.ok().map(|item| item.path()))
+            .filter(|entry| {
+                entry
+                    .extension()
+                    .and_then(|value| value.to_str())
+                    .map(|value| value.eq_ignore_ascii_case("uproject"))
+                    .unwrap_or(false)
+            })
+            .collect();
+        entries.sort();
+        if entries.len() == 1 {
+            return Ok(entries.remove(0));
+        }
+        if entries.is_empty() {
+            return Err(anyhow!(
+                "No .uproject file found in {}",
+                canonical.display()
+            ));
+        }
+        return Err(anyhow!(
+            "Multiple .uproject files found in {}; pass --uproject with explicit file path",
+            canonical.display()
+        ));
+    }
+    Err(anyhow!(
+        "Path {} is neither a file nor directory",
+        canonical.display()
+    ))
+}
+
+fn candidate_editor_paths_from_engine_root(engine_root: &Path) -> Vec<PathBuf> {
+    vec![
+        engine_root
+            .join("Engine")
+            .join("Binaries")
+            .join("Win64")
+            .join("UnrealEditor.exe"),
+        engine_root
+            .join("Engine")
+            .join("Binaries")
+            .join("Win64")
+            .join("UE4Editor.exe"),
+        engine_root
+            .join("Engine")
+            .join("Binaries")
+            .join("Linux")
+            .join("UnrealEditor"),
+        engine_root
+            .join("Engine")
+            .join("Binaries")
+            .join("Linux")
+            .join("UE4Editor"),
+        engine_root
+            .join("Engine")
+            .join("Binaries")
+            .join("Mac")
+            .join("UnrealEditor.app")
+            .join("Contents")
+            .join("MacOS")
+            .join("UnrealEditor"),
+        engine_root
+            .join("Engine")
+            .join("Binaries")
+            .join("Mac")
+            .join("UE4Editor.app")
+            .join("Contents")
+            .join("MacOS")
+            .join("UE4Editor"),
+    ]
+}
+
+fn resolve_editor_from_engine_root(engine_root: &Path) -> Result<PathBuf> {
+    let root = canonicalize_existing_path(engine_root, "engine root")?;
+    if !root.is_dir() {
+        return Err(anyhow!(
+            "Engine root must be a directory: {}",
+            root.display()
+        ));
+    }
+
+    for candidate in candidate_editor_paths_from_engine_root(&root) {
+        if candidate.exists() {
+            return Ok(candidate);
+        }
+    }
+
+    Err(anyhow!(
+        "Could not find Unreal editor binary under {}. Pass --editor explicitly.",
+        root.display()
+    ))
+}
+
+fn detect_engine_root_from_editor(editor_path: &Path) -> Option<PathBuf> {
+    let parts: Vec<String> = editor_path
+        .components()
+        .map(|component| component.as_os_str().to_string_lossy().to_string())
+        .collect();
+    let mut engine_index = None;
+    for (index, value) in parts.iter().enumerate() {
+        if value.eq_ignore_ascii_case("Engine") {
+            engine_index = Some(index);
+            break;
+        }
+    }
+    let index = engine_index?;
+    let mut root = PathBuf::new();
+    for segment in &parts[..index] {
+        root.push(segment);
+    }
+    if root.as_os_str().is_empty() {
+        None
+    } else {
+        Some(root)
+    }
+}
+
+fn resolve_editor_and_engine(
+    explicit_editor: Option<PathBuf>,
+    explicit_engine_root: Option<PathBuf>,
+) -> Result<(PathBuf, Option<PathBuf>)> {
+    if let Some(editor) = explicit_editor {
+        let editor_path = canonicalize_existing_path(&editor, "editor")?;
+        if !editor_path.is_file() {
+            return Err(anyhow!(
+                "Editor path must be a file: {}",
+                editor_path.display()
+            ));
+        }
+        let engine_root = if let Some(root) = explicit_engine_root {
+            Some(canonicalize_existing_path(&root, "engine root")?)
+        } else {
+            detect_engine_root_from_editor(&editor_path)
+        };
+        return Ok((editor_path, engine_root));
+    }
+
+    if let Some(engine_root) = explicit_engine_root {
+        let root = canonicalize_existing_path(&engine_root, "engine root")?;
+        let editor_path = resolve_editor_from_engine_root(&root)?;
+        return Ok((editor_path, Some(root)));
+    }
+
+    if let Ok(editor_env) = std::env::var("REALLINK_UNREAL_EDITOR") {
+        let trimmed = editor_env.trim();
+        if !trimmed.is_empty() {
+            let editor_path = canonicalize_existing_path(Path::new(trimmed), "editor")?;
+            let engine_root = detect_engine_root_from_editor(&editor_path);
+            return Ok((editor_path, engine_root));
+        }
+    }
+    if let Ok(editor_env) = std::env::var("UE_EDITOR_PATH") {
+        let trimmed = editor_env.trim();
+        if !trimmed.is_empty() {
+            let editor_path = canonicalize_existing_path(Path::new(trimmed), "editor")?;
+            let engine_root = detect_engine_root_from_editor(&editor_path);
+            return Ok((editor_path, engine_root));
+        }
+    }
+    if let Ok(engine_env) = std::env::var("REALLINK_UNREAL_ENGINE_ROOT") {
+        let trimmed = engine_env.trim();
+        if !trimmed.is_empty() {
+            let root = canonicalize_existing_path(Path::new(trimmed), "engine root")?;
+            let editor_path = resolve_editor_from_engine_root(&root)?;
+            return Ok((editor_path, Some(root)));
+        }
+    }
+    if let Ok(engine_env) = std::env::var("UE_ENGINE_ROOT") {
+        let trimmed = engine_env.trim();
+        if !trimmed.is_empty() {
+            let root = canonicalize_existing_path(Path::new(trimmed), "engine root")?;
+            let editor_path = resolve_editor_from_engine_root(&root)?;
+            return Ok((editor_path, Some(root)));
+        }
+    }
+
+    Err(anyhow!(
+        "Unable to resolve Unreal editor. Pass --editor or --engine-root, or set REALLINK_UNREAL_EDITOR/REALLINK_UNREAL_ENGINE_ROOT."
+    ))
+}
+
+fn load_session() -> Result<SessionConfig> {
+    let path = config_path()?;
+    let raw = fs::read(&path).with_context(|| {
+        format!(
+            "No active session at {}. Run `reallink login` first.",
+            path.display()
+        )
+    })?;
+    let session: SessionConfig = serde_json::from_slice(&raw)
+        .with_context(|| format!("Invalid session format in {}", path.display()))?;
+    Ok(session)
+}
+
+fn clear_session() -> Result<bool> {
+    let path = config_path()?;
+    if path.exists() {
+        fs::remove_file(&path).with_context(|| format!("Failed to remove {}", path.display()))?;
+        return Ok(true);
+    }
+    Ok(false)
+}
+
+fn load_update_cache() -> Option<UpdateCheckCache> {
+    let path = update_cache_path().ok()?;
+    let raw = fs::read(path).ok()?;
+    serde_json::from_slice(&raw).ok()
+}
+
+fn save_update_cache(cache: &UpdateCheckCache) -> Result<()> {
+    let path = update_cache_path()?;
+    if let Some(parent) = path.parent() {
+        fs::create_dir_all(parent)
+            .with_context(|| format!("Failed to create {}", parent.display()))?;
+    }
+    let payload = serde_json::to_vec_pretty(cache)?;
+    write_atomic(&path, &payload)?;
+    Ok(())
+}
+
+async fn read_error_body(response: reqwest::Response) -> String {
+    match response.text().await {
+        Ok(text) if !text.trim().is_empty() => text,
+        _ => "No response body".to_string(),
+    }
+}
+
+fn with_cli_headers(request: reqwest::RequestBuilder) -> reqwest::RequestBuilder {
+    request
+        .header("x-reallink-client", "cli")
+        .header("x-reallink-cli-version", env!("CARGO_PKG_VERSION"))
+}
+
+fn parse_semver_triplet(version: &str) -> Option<(u64, u64, u64)> {
+    let core = version.trim().split('-').next()?;
+    let mut parts = core.split('.');
+    let major = parts.next()?.parse::<u64>().ok()?;
+    let minor = parts.next().unwrap_or("0").parse::<u64>().ok()?;
+    let patch = parts.next().unwrap_or("0").parse::<u64>().ok()?;
+    Some((major, minor, patch))
+}
 
 fn is_newer_version(current: &str, latest: &str) -> bool {
     match (parse_semver_triplet(current), parse_semver_triplet(latest)) {
@@ -755,7 +1359,12 @@ async fn fetch_latest_cli_version(client: &reqwest::Client) -> Option<String> {
         .filter(|value| !value.is_empty())
 }
 
-async fn maybe_notify_update(client: &reqwest::Client, force_refresh: bool, allow_network_fetch: bool) {
+async fn maybe_notify_update(
+    client: &reqwest::Client,
+    force_refresh: bool,
+    allow_network_fetch: bool,
+    output: OutputFormat,
+) {
     if std::env::var("REALLINK_DISABLE_AUTO_UPDATE_CHECK")
         .map(|value| value == "1")
         .unwrap_or(false)
@@ -789,10 +1398,12 @@ async fn maybe_notify_update(client: &reqwest::Client, force_refresh: bool, allo
     let current = env!("CARGO_PKG_VERSION");
     if let Some(latest) = latest_version {
         if is_newer_version(current, &latest) {
-            eprintln!(
-                "Update available: {} -> {}. Run `reallink self-update`.",
-                current, latest
-            );
+            if output == OutputFormat::Text {
+                eprintln!(
+                    "Update available: {} -> {}. Run `reallink self-update`.",
+                    current, latest
+                );
+            }
         }
     }
 }
@@ -824,16 +1435,43 @@ fn join_remote_path(prefix: Option<&str>, file_name: &str) -> String {
     format!("{}/{}", prefix_clean, file_clean)
 }
 
+fn base_name_from_virtual_path(path: &str) -> String {
+    let normalized = clean_virtual_path(path);
+    normalized
+        .split('/')
+        .filter(|segment| !segment.is_empty())
+        .next_back()
+        .unwrap_or("download.bin")
+        .to_string()
+}
+
 async fn authed_request(
     client: &reqwest::Client,
     session: &mut SessionConfig,
     method: Method,
     path: &str,
     body: Option<serde_json::Value>,
+) -> Result<reqwest::Response> {
+    authed_request_with_headers(client, session, method, path, body, &[]).await
+}
+
+async fn authed_request_with_headers(
+    client: &reqwest::Client,
+    session: &mut SessionConfig,
+    method: Method,
+    path: &str,
+    body: Option<serde_json::Value>,
+    extra_headers: &[(String, String)],
 ) -> Result<reqwest::Response> {
     let url = format!("{}{}", normalize_base_url(&session.base_url), path);
-    let mut request =
-        with_cli_headers(client.request(method.clone(), &url).bearer_auth(&session.access_token));
+    let mut request = with_cli_headers(
+        client
+            .request(method.clone(), &url)
+            .bearer_auth(&session.access_token),
+    );
+    for (key, value) in extra_headers {
+        request = request.header(key, value);
+    }
     if let Some(ref body_value) = body {
         request = request.json(body_value);
     }
@@ -844,7 +1482,14 @@ async fn authed_request(
 
     refresh_session(client, session).await?;
 
-    let mut retry = with_cli_headers(client.request(method, &url).bearer_auth(&session.access_token));
+    let mut retry = with_cli_headers(
+        client
+            .request(method, &url)
+            .bearer_auth(&session.access_token),
+    );
+    for (key, value) in extra_headers {
+        retry = retry.header(key, value);
+    }
     if let Some(ref body_value) = body {
         retry = retry.json(body_value);
     }
@@ -857,7 +1502,9 @@ async fn refresh_session(client: &reqwest::Client, session: &mut SessionConfig)
         refresh_token: session.refresh_token.clone(),
         session_id: session.session_id.clone(),
     };
-    let response = with_cli_headers(client.post(url).json(&payload)).send().await?;
+    let response = with_cli_headers(client.post(url).json(&payload))
+        .send()
+        .await?;
     if !response.status().is_success() {
         let body = read_error_body(response).await;
         return Err(anyhow!("Refresh failed: {}", body));
@@ -896,64 +1543,130 @@ async fn existing_session_identity_for_base_url(
         .map(|email| email.to_string())
 }
 
-async fn login_command(client: &reqwest::Client, args: LoginArgs) -> Result<()> {
+fn default_login_scopes() -> Vec<String> {
+    generated::contract::CLI_DEFAULT_LOGIN_SCOPES
+        .iter()
+        .map(|value| (*value).to_string())
+        .collect()
+}
+
+fn default_login_scopes_with_tools() -> Vec<String> {
+    generated::contract::CLI_DEFAULT_LOGIN_SCOPES_WITH_TOOLS
+        .iter()
+        .map(|value| (*value).to_string())
+        .collect()
+}
+
+async fn login_command(
+    client: &reqwest::Client,
+    args: LoginArgs,
+    output: OutputFormat,
+) -> Result<()> {
     let base_url = normalize_base_url(&args.base_url);
     if !args.force {
         if let Some(email) = existing_session_identity_for_base_url(client, &base_url).await {
-            println!("Already logged in as {} on {}.", email, base_url);
-            println!("Use `reallink logout` to sign out or `reallink login --force` to replace this session.");
+            let payload = serde_json::json!({
+                "ok": true,
+                "alreadyLoggedIn": true,
+                "baseUrl": base_url,
+                "email": email,
+                "message": "Use `reallink logout` to sign out or `reallink login --force` to replace this session."
+            });
+            emit_text_or_json(
+                output,
+                &format!(
+                    "Already logged in. Use `reallink logout` to sign out or `reallink login --force` to replace this session."
+                ),
+                payload,
+            )?;
             return Ok(());
         }
     }
 
-    let scope = if args.scope.is_empty() {
-        vec![
-            "core:read".to_string(),
-            "core:write".to_string(),
-            "assets:read".to_string(),
-            "assets:write".to_string(),
-            "trace:read".to_string(),
-            "trace:write".to_string(),
-            "tools:read".to_string(),
-            "tools:write".to_string(),
-            "tools:run".to_string(),
-            "org:admin".to_string(),
-            "project:admin".to_string(),
-        ]
+    let (initial_scope, fallback_scope) = if args.scope.is_empty() {
+        (
+            default_login_scopes_with_tools(),
+            Some(default_login_scopes()),
+        )
     } else {
-        args.scope
+        (args.scope, None)
     };
 
-    let device_code_response = with_cli_headers(client.post(format!("{}/auth/device/code", base_url)))
-        .json(&DeviceCodeRequest {
-            client_id: args.client_id.clone(),
-            scope,
-        })
-        .send()
-        .await?;
+    let mut selected_scope = initial_scope;
+    let mut device_code_response =
+        with_cli_headers(client.post(format!("{}/auth/device/code", base_url)))
+            .json(&DeviceCodeRequest {
+                client_id: args.client_id.clone(),
+                scope: selected_scope.clone(),
+            })
+            .send()
+            .await?;
 
     if !device_code_response.status().is_success() {
         let body = read_error_body(device_code_response).await;
-        return Err(anyhow!("Failed to start device flow: {}", body));
+        let can_fallback = fallback_scope.is_some()
+            && body.contains("VALIDATION_ERROR")
+            && body.contains("tools:");
+        if can_fallback {
+            if output == OutputFormat::Text {
+                eprintln!(
+                    "Server rejected tool scopes for device-flow bootstrap; retrying with compatibility scopes."
+                );
+            }
+            selected_scope = fallback_scope.unwrap_or_default();
+            device_code_response =
+                with_cli_headers(client.post(format!("{}/auth/device/code", base_url)))
+                    .json(&DeviceCodeRequest {
+                        client_id: args.client_id.clone(),
+                        scope: selected_scope.clone(),
+                    })
+                    .send()
+                    .await?;
+            if !device_code_response.status().is_success() {
+                let retry_body = read_error_body(device_code_response).await;
+                return Err(anyhow!("Failed to start device flow: {}", retry_body));
+            }
+        } else {
+            return Err(anyhow!("Failed to start device flow: {}", body));
+        }
     }
 
     let device_code: DeviceCodeResponse = device_code_response.json().await?;
-    println!("Open this URL in your browser and approve the login:");
-    println!("{}", device_code.verification_uri_complete);
-    println!("User code: {}", device_code.user_code);
-    match webbrowser::open(&device_code.verification_uri_complete) {
-        Ok(_) => println!("Browser opened for device approval."),
-        Err(_) => println!("Could not open browser automatically. Open the URL manually."),
+    let browser_opened = webbrowser::open(&device_code.verification_uri_complete).is_ok();
+    if output == OutputFormat::Text {
+        println!("Open this URL in your browser and approve the login:");
+        println!("{}", device_code.verification_uri_complete);
+        println!("User code: {}", device_code.user_code);
+        if browser_opened {
+            println!("Browser opened for device approval.");
+        } else {
+            println!("Could not open browser automatically. Open the URL manually.");
+        }
+    } else {
+        print_json(&serde_json::json!({
+            "ok": true,
+            "phase": "authorization_pending",
+            "baseUrl": base_url,
+            "verificationUri": device_code.verification_uri,
+            "verificationUriComplete": device_code.verification_uri_complete,
+            "userCode": device_code.user_code,
+            "browserOpened": browser_opened,
+            "expiresInSeconds": device_code.expires_in,
+            "pollIntervalSeconds": device_code.interval,
+            "scope": selected_scope
+        }))?;
     }
 
     let expires_at = std::time::Instant::now() + Duration::from_secs(device_code.expires_in);
     let mut poll_interval = Duration::from_secs(device_code.interval.max(1));
     let mut pending_polls = 0u32;
-    println!("Waiting for approval (press Ctrl+C to cancel)");
+    if output == OutputFormat::Text {
+        println!("Waiting for approval (press Ctrl+C to cancel)");
+    }
 
     loop {
         if std::time::Instant::now() >= expires_at {
-            if pending_polls > 0 {
+            if output == OutputFormat::Text && pending_polls > 0 {
                 println!();
             }
             return Err(anyhow!("Device code expired before approval"));
@@ -961,18 +1674,19 @@ async fn login_command(client: &reqwest::Client, args: LoginArgs) -> Result<()>
 
         sleep(poll_interval).await;
 
-        let token_response = with_cli_headers(client.post(format!("{}/auth/device/token", base_url)))
-            .json(&DeviceTokenRequest {
-                grant_type: "urn:ietf:params:oauth:grant-type:device_code".to_string(),
-                device_code: device_code.device_code.clone(),
-                client_id: args.client_id.clone(),
-            })
-            .send()
-            .await?;
+        let token_response =
+            with_cli_headers(client.post(format!("{}/auth/device/token", base_url)))
+                .json(&DeviceTokenRequest {
+                    grant_type: "urn:ietf:params:oauth:grant-type:device_code".to_string(),
+                    device_code: device_code.device_code.clone(),
+                    client_id: args.client_id.clone(),
+                })
+                .send()
+                .await?;
 
         if token_response.status().is_success() {
             let tokens: DeviceTokenSuccess = token_response.json().await?;
-            if pending_polls > 0 {
+            if output == OutputFormat::Text && pending_polls > 0 {
                 println!();
             }
             let session = SessionConfig {
@@ -983,15 +1697,25 @@ async fn login_command(client: &reqwest::Client, args: LoginArgs) -> Result<()>
                 updated_at_epoch_ms: now_epoch_ms(),
             };
             save_session(&session)?;
-            println!("Login successful.");
-            println!("Session stored at {}", session_path_display());
+            let path = session_path_display();
+            let payload = serde_json::json!({
+                "ok": true,
+                "phase": "authenticated",
+                "baseUrl": base_url,
+                "sessionPath": path,
+                "sessionId": session.session_id
+            });
+            if output == OutputFormat::Text {
+                println!("Login successful.");
+                println!("Session stored at {}", session_path_display());
+            } else {
+                print_json(&payload)?;
+            }
             return Ok(());
         }
 
-        let error_payload: DeviceTokenError = token_response
-            .json()
-            .await
-            .unwrap_or(DeviceTokenError {
+        let error_payload: DeviceTokenError =
+            token_response.json().await.unwrap_or(DeviceTokenError {
                 error: "unknown_error".to_string(),
                 error_description: Some("Could not parse auth error".to_string()),
             });
@@ -999,38 +1723,46 @@ async fn login_command(client: &reqwest::Client, args: LoginArgs) -> Result<()>
         match error_payload.error.as_str() {
             "authorization_pending" => {
                 pending_polls = pending_polls.saturating_add(1);
-                print!(".");
-                let _ = io::stdout().flush();
+                if output == OutputFormat::Text {
+                    print!(".");
+                    let _ = io::stdout().flush();
+                }
                 continue;
             }
             "slow_down" => {
                 poll_interval += Duration::from_secs(1);
                 pending_polls = pending_polls.saturating_add(1);
-                print!("+");
-                let _ = io::stdout().flush();
+                if output == OutputFormat::Text {
+                    print!("+");
+                    let _ = io::stdout().flush();
+                }
                 continue;
             }
             _ => {
-                if pending_polls > 0 {
+                if output == OutputFormat::Text && pending_polls > 0 {
                     println!();
                 }
                 return Err(anyhow!(
                     "Device login failed: {} ({})",
                     error_payload.error,
                     error_payload.error_description.unwrap_or_default()
-                ))
+                ));
             }
         }
     }
 }
 
-async fn logout_command(client: &reqwest::Client) -> Result<()> {
+async fn logout_command(client: &reqwest::Client, output: OutputFormat) -> Result<()> {
     let path_display = session_path_display();
     let mut session = match load_session() {
         Ok(session) => session,
         Err(_) => {
-            println!("No local session found at {}.", path_display);
-            println!("You are already logged out.");
+            let payload = serde_json::json!({
+                "ok": true,
+                "alreadyLoggedOut": true,
+                "sessionPath": path_display
+            });
+            emit_text_or_json(output, "You are already logged out.", payload)?;
             return Ok(());
         }
     };
@@ -1046,26 +1778,54 @@ async fn logout_command(client: &reqwest::Client) -> Result<()> {
         }
         Ok(response) => {
             let body = read_error_body(response).await;
-            eprintln!("Warning: remote logout request failed: {}", body);
+            if output == OutputFormat::Text {
+                eprintln!("Warning: remote logout request failed: {}", body);
+            }
         }
         Err(error) => {
-            eprintln!("Warning: remote logout request failed: {}", error);
+            if output == OutputFormat::Text {
+                eprintln!("Warning: remote logout request failed: {}", error);
+            }
         }
     }
 
     let removed = clear_session()?;
     if !removed {
-        println!("Local session was already cleared.");
+        let payload = serde_json::json!({
+            "ok": true,
+            "alreadyLoggedOut": true,
+            "sessionPath": path_display
+        });
+        emit_text_or_json(output, "Local session was already cleared.", payload)?;
         return Ok(());
     }
 
-    if remote_revoked {
-        println!("Logged out. Server session revoked and local session removed from {}.", path_display);
-    } else if remote_unavailable {
-        println!("Logged out locally. Removed session from {}.", path_display);
-        println!("Server logout endpoint is not available on this API deployment yet.");
+    let payload = serde_json::json!({
+        "ok": true,
+        "sessionPath": path_display,
+        "remoteRevoked": remote_revoked,
+        "remoteUnavailable": remote_unavailable
+    });
+    if output == OutputFormat::Text {
+        if remote_revoked {
+            println!(
+                "Logged out. Server session revoked and local session removed from {}.",
+                session_path_display()
+            );
+        } else if remote_unavailable {
+            println!(
+                "Logged out locally. Removed session from {}.",
+                session_path_display()
+            );
+            println!("Server logout endpoint is not available on this API deployment yet.");
+        } else {
+            println!(
+                "Logged out locally. Removed session from {}.",
+                session_path_display()
+            );
+        }
     } else {
-        println!("Logged out locally. Removed session from {}.", path_display);
+        print_json(&payload)?;
     }
 
     Ok(())
@@ -1119,7 +1879,14 @@ async fn token_create_command(client: &reqwest::Client, args: TokenCreateArgs) -
         expires_in_days: args.expires_in_days,
     })?;
 
-    let response = authed_request(client, &mut session, Method::POST, "/auth/tokens", Some(body)).await?;
+    let response = authed_request(
+        client,
+        &mut session,
+        Method::POST,
+        "/auth/tokens",
+        Some(body),
+    )
+    .await?;
     if !response.status().is_success() {
         let body_text = read_error_body(response).await;
         return Err(anyhow!("token create failed: {}", body_text));
@@ -1146,123 +1913,1609 @@ async fn token_revoke_command(client: &reqwest::Client, args: TokenRevokeArgs) -
     Ok(())
 }
 
-async fn project_list_command(client: &reqwest::Client, args: ProjectListArgs) -> Result<()> {
+async fn org_list_command(client: &reqwest::Client, args: BaseArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let response = authed_request(client, &mut session, Method::GET, "/core/orgs", None).await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("org list failed: {}", body));
+    }
+    let payload: ListOrgsResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload.orgs)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn org_create_command(client: &reqwest::Client, args: OrgCreateArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let response = authed_request(
+        client,
+        &mut session,
+        Method::POST,
+        "/core/orgs",
+        Some(serde_json::json!({
+            "name": args.name
+        })),
+    )
+    .await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("org create failed: {}", body));
+    }
+    let payload: OrgResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload.org)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn org_get_command(client: &reqwest::Client, args: OrgGetArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let path = format!("/core/orgs/{}", args.org_id);
+    let response = authed_request(client, &mut session, Method::GET, &path, None).await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("org get failed: {}", body));
+    }
+    let payload: OrgResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn org_update_command(client: &reqwest::Client, args: OrgUpdateArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let path = format!("/core/orgs/{}", args.org_id);
+    let response = authed_request(
+        client,
+        &mut session,
+        Method::PATCH,
+        &path,
+        Some(serde_json::json!({
+            "name": args.name
+        })),
+    )
+    .await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("org update failed: {}", body));
+    }
+    let payload: OrgResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload.org)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn org_delete_command(client: &reqwest::Client, args: OrgDeleteArgs) -> Result<()> {
     let mut session = load_session()?;
     apply_base_url_override(&mut session, args.base_url);
 
-    let path = match args.org_id {
-        Some(org_id) if !org_id.trim().is_empty() => format!("/core/projects?orgId={}", org_id.trim()),
-        _ => "/core/projects".to_string(),
-    };
+    let path = format!("/core/orgs/{}", args.org_id);
+    let response = authed_request(client, &mut session, Method::DELETE, &path, None).await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("org delete failed: {}", body));
+    }
+    let payload: serde_json::Value = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn org_invites_command(client: &reqwest::Client, args: OrgInvitesArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let path = format!("/core/orgs/{}/invites", args.org_id);
+    let response = authed_request(client, &mut session, Method::GET, &path, None).await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("org invites failed: {}", body));
+    }
+    let payload: ListOrgInvitesResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload.invites)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn org_invite_command(client: &reqwest::Client, args: OrgInviteArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let role = args.role.trim().to_lowercase();
+    if role != "member" && role != "admin" {
+        return Err(anyhow!("org invite role must be either 'member' or 'admin'"));
+    }
+    if args.expires_in_days == 0 || args.expires_in_days > 30 {
+        return Err(anyhow!("org invite expires_in_days must be between 1 and 30"));
+    }
+
+    let path = format!("/core/orgs/{}/invites", args.org_id);
+    let response = authed_request(
+        client,
+        &mut session,
+        Method::POST,
+        &path,
+        Some(serde_json::json!({
+            "email": args.email.trim(),
+            "role": role,
+            "expiresInDays": args.expires_in_days
+        })),
+    )
+    .await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("org invite failed: {}", body));
+    }
+    let payload: OrgInviteResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload.invite)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn org_members_command(client: &reqwest::Client, args: OrgMembersArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let path = format!("/core/orgs/{}/members", args.org_id);
+    let response = authed_request(client, &mut session, Method::GET, &path, None).await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("org members failed: {}", body));
+    }
+    let payload: ListOrgMembersResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload.members)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn org_add_member_command(client: &reqwest::Client, args: OrgAddMemberArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let path = format!("/core/orgs/{}/members", args.org_id);
+    let response = authed_request(
+        client,
+        &mut session,
+        Method::POST,
+        &path,
+        Some(serde_json::json!({
+            "email": args.email,
+            "role": args.role
+        })),
+    )
+    .await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("org add member failed: {}", body));
+    }
+    let payload: OrgMemberResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload.member)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn org_update_member_command(client: &reqwest::Client, args: OrgUpdateMemberArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let path = format!("/core/orgs/{}/members/{}", args.org_id, args.user_id);
+    let response = authed_request(
+        client,
+        &mut session,
+        Method::PATCH,
+        &path,
+        Some(serde_json::json!({
+            "role": args.role
+        })),
+    )
+    .await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("org update member failed: {}", body));
+    }
+    let payload: OrgMemberResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload.member)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn org_remove_member_command(client: &reqwest::Client, args: OrgRemoveMemberArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let path = format!("/core/orgs/{}/members/{}", args.org_id, args.user_id);
+    let response = authed_request(client, &mut session, Method::DELETE, &path, None).await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("org remove member failed: {}", body));
+    }
+    let payload: serde_json::Value = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn project_list_command(client: &reqwest::Client, args: ProjectListArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let path = match args.org_id {
+        Some(org_id) if !org_id.trim().is_empty() => {
+            format!("/core/projects?orgId={}", org_id.trim())
+        }
+        _ => "/core/projects".to_string(),
+    };
+
+    let response = authed_request(client, &mut session, Method::GET, &path, None).await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("project list failed: {}", body));
+    }
+    let payload: ListProjectsResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload.projects)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn project_create_command(client: &reqwest::Client, args: ProjectCreateArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let response = authed_request(
+        client,
+        &mut session,
+        Method::POST,
+        "/core/projects",
+        Some(serde_json::json!({
+            "orgId": args.org_id,
+            "name": args.name,
+            "description": args.description
+        })),
+    )
+    .await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("project create failed: {}", body));
+    }
+    let payload: ProjectResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload.project)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn project_get_command(client: &reqwest::Client, args: ProjectGetArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let path = format!("/core/projects/{}", args.project_id);
+    let response = authed_request(client, &mut session, Method::GET, &path, None).await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("project get failed: {}", body));
+    }
+    let payload: ProjectResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload.project)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn project_update_command(client: &reqwest::Client, args: ProjectUpdateArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let mut body = serde_json::Map::new();
+    if let Some(name) = args.name {
+        body.insert("name".to_string(), serde_json::Value::String(name));
+    }
+    if args.clear_description {
+        body.insert("description".to_string(), serde_json::Value::Null);
+    } else if let Some(description) = args.description {
+        body.insert(
+            "description".to_string(),
+            serde_json::Value::String(description),
+        );
+    }
+
+    if body.is_empty() {
+        return Err(anyhow!(
+            "project update requires at least one field (--name, --description, or --clear-description)"
+        ));
+    }
+
+    let path = format!("/core/projects/{}", args.project_id);
+    let response = authed_request(
+        client,
+        &mut session,
+        Method::PATCH,
+        &path,
+        Some(serde_json::Value::Object(body)),
+    )
+    .await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("project update failed: {}", body));
+    }
+    let payload: ProjectResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload.project)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn project_delete_command(client: &reqwest::Client, args: ProjectDeleteArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let path = format!("/core/projects/{}", args.project_id);
+    let response = authed_request(client, &mut session, Method::DELETE, &path, None).await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("project delete failed: {}", body));
+    }
+    let payload: serde_json::Value = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn project_members_command(client: &reqwest::Client, args: ProjectMembersArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let path = format!("/core/projects/{}/members", args.project_id);
+    let response = authed_request(client, &mut session, Method::GET, &path, None).await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("project members failed: {}", body));
+    }
+    let payload: ListProjectMembersResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload.members)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn project_add_member_command(client: &reqwest::Client, args: ProjectAddMemberArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let path = format!("/core/projects/{}/members", args.project_id);
+    let response = authed_request(
+        client,
+        &mut session,
+        Method::POST,
+        &path,
+        Some(serde_json::json!({
+            "email": args.email,
+            "role": args.role
+        })),
+    )
+    .await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("project add member failed: {}", body));
+    }
+    let payload: ProjectMemberResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload.member)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn project_update_member_command(
+    client: &reqwest::Client,
+    args: ProjectUpdateMemberArgs,
+) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let path = format!("/core/projects/{}/members/{}", args.project_id, args.user_id);
+    let response = authed_request(
+        client,
+        &mut session,
+        Method::PATCH,
+        &path,
+        Some(serde_json::json!({
+            "role": args.role
+        })),
+    )
+    .await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("project update member failed: {}", body));
+    }
+    let payload: ProjectMemberResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload.member)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn project_remove_member_command(
+    client: &reqwest::Client,
+    args: ProjectRemoveMemberArgs,
+) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let path = format!("/core/projects/{}/members/{}", args.project_id, args.user_id);
+    let response = authed_request(client, &mut session, Method::DELETE, &path, None).await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("project remove member failed: {}", body));
+    }
+    let payload: serde_json::Value = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn verify_project_access(
+    client: &reqwest::Client,
+    session: &mut SessionConfig,
+    project_id: &str,
+) -> Result<()> {
+    let path = format!("/core/projects/{}", project_id);
+    let response = authed_request(client, session, Method::GET, &path, None).await?;
+    if response.status().is_success() {
+        return Ok(());
+    }
+    let body = read_error_body(response).await;
+    Err(anyhow!(
+        "project verification failed for {}: {}",
+        project_id,
+        body
+    ))
+}
+
+fn file_name_component(path: &str) -> String {
+    Path::new(path)
+        .file_name()
+        .and_then(|value| value.to_str())
+        .unwrap_or(path)
+        .to_string()
+}
+
+fn build_unreal_link_manifest_payload(
+    link: &UnrealLinkRecord,
+    include_local_paths: bool,
+) -> serde_json::Value {
+    let mut payload = serde_json::json!({
+        "schemaVersion": 1,
+        "provider": "unreal",
+        "projectId": link.project_id,
+        "uprojectFile": file_name_component(&link.uproject_path),
+        "projectRootName": file_name_component(&link.project_root),
+        "editorBinary": file_name_component(&link.editor_path),
+        "engineRootName": link.engine_root.as_ref().map(|value| file_name_component(value)),
+        "updatedAtEpochMs": link.updated_at_epoch_ms
+    });
+
+    if include_local_paths {
+        payload["localPaths"] = serde_json::json!({
+            "uprojectPath": link.uproject_path,
+            "projectRoot": link.project_root,
+            "editorPath": link.editor_path,
+            "engineRoot": link.engine_root
+        });
+    }
+    payload
+}
+
+async fn sync_unreal_link_manifest_asset(
+    client: &reqwest::Client,
+    session: &mut SessionConfig,
+    link: &UnrealLinkRecord,
+    include_local_paths: bool,
+) -> Result<AssetRecord> {
+    let payload = build_unreal_link_manifest_payload(link, include_local_paths);
+    let bytes = serde_json::to_vec_pretty(&payload)?;
+    upload_asset_via_intent(
+        client,
+        session,
+        &link.project_id,
+        ".reallink/link/unreal-link.latest.json",
+        bytes,
+        "application/json",
+        "other",
+        "private",
+    )
+    .await
+}
+
+pub(crate) async fn link_unreal_command(client: &reqwest::Client, args: LinkUnrealArgs) -> Result<()> {
+    let uproject_path = resolve_uproject_path(&args.uproject)?;
+    let project_root = uproject_path
+        .parent()
+        .ok_or_else(|| anyhow!("Invalid uproject path {}", uproject_path.display()))?
+        .to_path_buf();
+    let (editor_path, engine_root_path) = resolve_editor_and_engine(args.editor, args.engine_root)?;
+
+    let now = now_epoch_ms();
+    let link_record = UnrealLinkRecord {
+        project_id: args.project_id.clone(),
+        uproject_path: uproject_path.display().to_string(),
+        project_root: project_root.display().to_string(),
+        engine_root: engine_root_path
+            .as_ref()
+            .map(|value| value.display().to_string()),
+        editor_path: editor_path.display().to_string(),
+        created_at_epoch_ms: now,
+        updated_at_epoch_ms: now,
+    };
+
+    let mut synced_asset: Option<AssetRecord> = None;
+    if !args.no_verify_remote || args.sync_project {
+        let mut session = load_session()?;
+        apply_base_url_override(&mut session, args.base_url.clone());
+        if !args.no_verify_remote {
+            verify_project_access(client, &mut session, &args.project_id).await?;
+        }
+        if args.sync_project {
+            let synced = sync_unreal_link_manifest_asset(
+                client,
+                &mut session,
+                &link_record,
+                args.include_local_paths,
+            )
+            .await?;
+            synced_asset = Some(synced);
+        }
+        save_session(&session)?;
+    }
+
+    let uproject_cmp = normalize_path_for_compare(&uproject_path);
+    let mut config = load_unreal_links()?;
+    config.links.retain(|entry| {
+        entry.project_id != args.project_id
+            && normalize_path_string_for_compare(&entry.uproject_path) != uproject_cmp
+    });
+    config.links.push(link_record.clone());
+
+    if args.set_default || config.default_project_id.is_none() {
+        config.default_project_id = Some(args.project_id.clone());
+    }
+
+    save_unreal_links(&config)?;
+    println!(
+        "{}",
+        serde_json::to_string_pretty(&serde_json::json!({
+            "ok": true,
+            "defaultProjectId": config.default_project_id,
+            "link": config.links.iter().find(|entry| entry.project_id == args.project_id),
+            "syncedAssetId": synced_asset.as_ref().map(|entry| entry.id.clone()),
+            "syncedManifestPath": if args.sync_project { Some(".reallink/link/unreal-link.latest.json") } else { None }
+        }))?
+    );
+    Ok(())
+}
+
+pub(crate) async fn link_list_command() -> Result<()> {
+    let config = load_unreal_links()?;
+    println!("{}", serde_json::to_string_pretty(&config)?);
+    Ok(())
+}
+
+pub(crate) async fn link_use_command(args: LinkUseArgs) -> Result<()> {
+    let mut config = load_unreal_links()?;
+    if !config
+        .links
+        .iter()
+        .any(|entry| entry.project_id == args.project_id)
+    {
+        return Err(anyhow!(
+            "No link found for project {}. Run `reallink link unreal ...` first.",
+            args.project_id
+        ));
+    }
+    config.default_project_id = Some(args.project_id.clone());
+    save_unreal_links(&config)?;
+    println!(
+        "{}",
+        serde_json::to_string_pretty(&serde_json::json!({
+            "ok": true,
+            "defaultProjectId": args.project_id
+        }))?
+    );
+    Ok(())
+}
+
+fn normalize_match_path(path: &Path) -> String {
+    if let Ok(canonical) = canonicalize_existing_path(path, "uproject") {
+        return normalize_path_for_compare(&canonical);
+    }
+    let absolute = if path.is_absolute() {
+        path.to_path_buf()
+    } else {
+        match std::env::current_dir() {
+            Ok(dir) => dir.join(path),
+            Err(_) => path.to_path_buf(),
+        }
+    };
+    normalize_path_for_compare(&absolute)
+}
+
+pub(crate) async fn link_remove_command(args: LinkRemoveArgs) -> Result<()> {
+    if args.project_id.is_none() && args.uproject.is_none() {
+        return Err(anyhow!(
+            "Provide --project-id or --uproject to remove a link."
+        ));
+    }
+
+    let mut config = load_unreal_links()?;
+    let before = config.links.len();
+    let target_uproject_cmp = args
+        .uproject
+        .as_ref()
+        .map(|value| normalize_match_path(value));
+    config.links.retain(|entry| {
+        if let Some(project_id) = args.project_id.as_ref() {
+            if &entry.project_id == project_id {
+                return false;
+            }
+        }
+        if let Some(target_cmp) = target_uproject_cmp.as_ref() {
+            if normalize_path_string_for_compare(&entry.uproject_path) == *target_cmp {
+                return false;
+            }
+        }
+        true
+    });
+    let removed = before.saturating_sub(config.links.len());
+    if removed == 0 {
+        return Err(anyhow!("No matching link found."));
+    }
+
+    if let Some(default_id) = config.default_project_id.clone() {
+        let has_default = config
+            .links
+            .iter()
+            .any(|entry| entry.project_id == default_id);
+        if !has_default {
+            config.default_project_id = config.links.first().map(|entry| entry.project_id.clone());
+        }
+    }
+
+    save_unreal_links(&config)?;
+    println!(
+        "{}",
+        serde_json::to_string_pretty(&serde_json::json!({
+            "ok": true,
+            "removed": removed,
+            "defaultProjectId": config.default_project_id
+        }))?
+    );
+    Ok(())
+}
+
+fn resolve_link_target(
+    config: &UnrealLinksConfig,
+    project_id: Option<&str>,
+    uproject: Option<&Path>,
+) -> Result<UnrealLinkRecord> {
+    if let Some(project_id) = project_id {
+        let entry = config
+            .links
+            .iter()
+            .find(|item| item.project_id == project_id)
+            .ok_or_else(|| anyhow!("No link found for project {}", project_id))?;
+        return Ok(entry.clone());
+    }
+    if let Some(uproject) = uproject {
+        let target_cmp = normalize_match_path(uproject);
+        let entry = config
+            .links
+            .iter()
+            .find(|item| normalize_path_string_for_compare(&item.uproject_path) == target_cmp)
+            .ok_or_else(|| anyhow!("No link found for uproject {}", uproject.display()))?;
+        return Ok(entry.clone());
+    }
+    if let Some(default_project_id) = config.default_project_id.as_ref() {
+        if let Some(entry) = config
+            .links
+            .iter()
+            .find(|item| &item.project_id == default_project_id)
+        {
+            return Ok(entry.clone());
+        }
+    }
+    if config.links.len() == 1 {
+        return Ok(config.links[0].clone());
+    }
+    Err(anyhow!(
+        "No target specified. Use --project-id or set a default link with `reallink link use --project-id ...`."
+    ))
+}
+
+fn unreal_manifest_local_path(link: &UnrealLinkRecord) -> PathBuf {
+    PathBuf::from(&link.project_root)
+        .join(".reallink")
+        .join("link")
+        .join("unreal-link.latest.json")
+}
+
+fn push_doctor_check(
+    checks: &mut Vec<serde_json::Value>,
+    errors: &mut Vec<String>,
+    warnings: &mut Vec<String>,
+    key: &str,
+    ok: bool,
+    detail: impl Into<String>,
+    warning_only: bool,
+) {
+    let detail_text = detail.into();
+    let status = if ok {
+        "ok"
+    } else if warning_only {
+        "warn"
+    } else {
+        "error"
+    };
+    if !ok {
+        if warning_only {
+            warnings.push(format!("{}: {}", key, detail_text));
+        } else {
+            errors.push(format!("{}: {}", key, detail_text));
+        }
+    }
+    checks.push(serde_json::json!({
+        "key": key,
+        "status": status,
+        "detail": detail_text
+    }));
+}
+
+pub(crate) async fn link_paths_command(args: LinkPathsArgs) -> Result<()> {
+    let config = load_unreal_links()?;
+    if config.links.is_empty() {
+        return Err(anyhow!(
+            "No local links configured. Run `reallink link unreal ...` first."
+        ));
+    }
+    let target = resolve_link_target(
+        &config,
+        args.project_id.as_deref(),
+        args.uproject.as_deref(),
+    )?;
+    let project_plugins_dir = PathBuf::from(&target.project_root).join("Plugins");
+    let engine_plugins_dir = target.engine_root.as_ref().map(|root| {
+        PathBuf::from(root)
+            .join("Engine")
+            .join("Plugins")
+            .join("Marketplace")
+    });
+    let manifest_path = unreal_manifest_local_path(&target);
+
+    print_json(&serde_json::json!({
+        "ok": true,
+        "projectId": target.project_id,
+        "paths": {
+            "uprojectPath": target.uproject_path,
+            "projectRoot": target.project_root,
+            "editorPath": target.editor_path,
+            "engineRoot": target.engine_root,
+            "projectPluginsDir": project_plugins_dir.display().to_string(),
+            "enginePluginsDir": engine_plugins_dir.as_ref().map(|value| value.display().to_string()),
+            "manifestPath": manifest_path.display().to_string(),
+            "localLinkConfigPath": unreal_links_path()?.display().to_string()
+        },
+        "remoteManifestAssetPath": ".reallink/link/unreal-link.latest.json"
+    }))?;
+    Ok(())
+}
+
+pub(crate) async fn link_doctor_command(client: &reqwest::Client, args: LinkDoctorArgs) -> Result<()> {
+    let config = load_unreal_links()?;
+    if config.links.is_empty() {
+        return Err(anyhow!(
+            "No local links configured. Run `reallink link unreal ...` first."
+        ));
+    }
+    let target = resolve_link_target(
+        &config,
+        args.project_id.as_deref(),
+        args.uproject.as_deref(),
+    )?;
+
+    let mut checks: Vec<serde_json::Value> = Vec::new();
+    let mut warnings: Vec<String> = Vec::new();
+    let mut errors: Vec<String> = Vec::new();
+
+    let project_root = PathBuf::from(&target.project_root);
+    let uproject_path = PathBuf::from(&target.uproject_path);
+    let editor_path = PathBuf::from(&target.editor_path);
+    let engine_root = target.engine_root.as_ref().map(PathBuf::from);
+    let project_plugins_dir = project_root.join("Plugins");
+    let engine_plugins_dir = engine_root
+        .as_ref()
+        .map(|root| root.join("Engine").join("Plugins").join("Marketplace"));
+    let manifest_path = unreal_manifest_local_path(&target);
+
+    push_doctor_check(
+        &mut checks,
+        &mut errors,
+        &mut warnings,
+        "projectRoot.exists",
+        project_root.exists() && project_root.is_dir(),
+        format!("projectRoot={}", project_root.display()),
+        false,
+    );
+    let uproject_ext_ok = uproject_path
+        .extension()
+        .and_then(|value| value.to_str())
+        .map(|value| value.eq_ignore_ascii_case("uproject"))
+        .unwrap_or(false);
+    push_doctor_check(
+        &mut checks,
+        &mut errors,
+        &mut warnings,
+        "uproject.valid",
+        uproject_path.exists() && uproject_path.is_file() && uproject_ext_ok,
+        format!("uprojectPath={}", uproject_path.display()),
+        false,
+    );
+    push_doctor_check(
+        &mut checks,
+        &mut errors,
+        &mut warnings,
+        "editor.valid",
+        editor_path.exists() && editor_path.is_file(),
+        format!("editorPath={}", editor_path.display()),
+        false,
+    );
+    if let Some(root) = engine_root.as_ref() {
+        let root_ok = root.exists() && root.is_dir();
+        push_doctor_check(
+            &mut checks,
+            &mut errors,
+            &mut warnings,
+            "engineRoot.valid",
+            root_ok,
+            format!("engineRoot={}", root.display()),
+            false,
+        );
+        let binaries_path = root.join("Engine").join("Binaries");
+        push_doctor_check(
+            &mut checks,
+            &mut errors,
+            &mut warnings,
+            "engineRoot.layout",
+            binaries_path.exists() && binaries_path.is_dir(),
+            format!("expected Engine/Binaries under {}", root.display()),
+            true,
+        );
+    } else {
+        push_doctor_check(
+            &mut checks,
+            &mut errors,
+            &mut warnings,
+            "engineRoot.present",
+            false,
+            "engineRoot not set on this link; plugin engine-scope operations are unavailable",
+            true,
+        );
+    }
+    push_doctor_check(
+        &mut checks,
+        &mut errors,
+        &mut warnings,
+        "plugins.projectDir",
+        project_plugins_dir.exists() && project_plugins_dir.is_dir(),
+        format!("projectPluginsDir={}", project_plugins_dir.display()),
+        true,
+    );
+    if let Some(engine_plugins) = engine_plugins_dir.as_ref() {
+        push_doctor_check(
+            &mut checks,
+            &mut errors,
+            &mut warnings,
+            "plugins.engineDir",
+            engine_plugins.exists() && engine_plugins.is_dir(),
+            format!("enginePluginsDir={}", engine_plugins.display()),
+            true,
+        );
+    }
+
+    if manifest_path.exists() {
+        let manifest_ok = fs::read_to_string(&manifest_path)
+            .ok()
+            .and_then(|value| json5::from_str::<serde_json::Value>(&value).ok())
+            .is_some();
+        push_doctor_check(
+            &mut checks,
+            &mut errors,
+            &mut warnings,
+            "manifest.local",
+            manifest_ok,
+            format!("manifestPath={}", manifest_path.display()),
+            true,
+        );
+    } else {
+        push_doctor_check(
+            &mut checks,
+            &mut errors,
+            &mut warnings,
+            "manifest.local",
+            false,
+            format!("manifestPath={} (missing)", manifest_path.display()),
+            true,
+        );
+    }
+
+    if args.verify_remote {
+        let (remote_ok, remote_detail) = match load_session() {
+            Ok(mut session) => {
+                apply_base_url_override(&mut session, args.base_url.clone());
+                let outcome = if let Err(error) =
+                    verify_project_access(client, &mut session, &target.project_id).await
+                {
+                    (false, error.to_string())
+                } else {
+                    (
+                        true,
+                        format!(
+                            "projectId={} verified against {}",
+                            target.project_id, session.base_url
+                        ),
+                    )
+                };
+                let _ = save_session(&session);
+                outcome
+            }
+            Err(error) => (false, format!("no active session: {}", error)),
+        };
+        push_doctor_check(
+            &mut checks,
+            &mut errors,
+            &mut warnings,
+            "remote.verify",
+            remote_ok,
+            remote_detail,
+            false,
+        );
+    }
+
+    let ok = errors.is_empty();
+    print_json(&serde_json::json!({
+        "ok": ok,
+        "projectId": target.project_id,
+        "checks": checks,
+        "warnings": warnings,
+        "errors": errors,
+        "paths": {
+            "uprojectPath": uproject_path.display().to_string(),
+            "projectRoot": project_root.display().to_string(),
+            "editorPath": editor_path.display().to_string(),
+            "engineRoot": engine_root.as_ref().map(|value| value.display().to_string()),
+            "projectPluginsDir": project_plugins_dir.display().to_string(),
+            "enginePluginsDir": engine_plugins_dir.as_ref().map(|value| value.display().to_string()),
+            "manifestPath": manifest_path.display().to_string()
+        }
+    }))?;
+    Ok(())
+}
+
+pub(crate) async fn link_open_command(args: LinkOpenArgs) -> Result<()> {
+    let config = load_unreal_links()?;
+    if config.links.is_empty() {
+        return Err(anyhow!(
+            "No local links configured. Run `reallink link unreal ...` first."
+        ));
+    }
+    let target = resolve_link_target(
+        &config,
+        args.project_id.as_deref(),
+        args.uproject.as_deref(),
+    )?;
+    let editor_path = PathBuf::from(&target.editor_path);
+    let uproject_path = PathBuf::from(&target.uproject_path);
+
+    if !editor_path.exists() {
+        return Err(anyhow!(
+            "Editor path does not exist anymore: {}",
+            editor_path.display()
+        ));
+    }
+    if !uproject_path.exists() {
+        return Err(anyhow!(
+            "uproject path does not exist anymore: {}",
+            uproject_path.display()
+        ));
+    }
+
+    let mut command = Command::new(&editor_path);
+    command.arg(&uproject_path);
+    for argument in args.extra_arg {
+        command.arg(argument);
+    }
+
+    if args.wait {
+        let status = command
+            .status()
+            .with_context(|| format!("Failed to run Unreal editor {}", editor_path.display()))?;
+        if !status.success() {
+            return Err(anyhow!("Unreal editor exited with {}", status));
+        }
+        println!(
+            "{}",
+            serde_json::to_string_pretty(&serde_json::json!({
+                "ok": true,
+                "projectId": target.project_id,
+                "waited": true,
+                "status": status.code()
+            }))?
+        );
+    } else {
+        let child = command
+            .spawn()
+            .with_context(|| format!("Failed to launch Unreal editor {}", editor_path.display()))?;
+        println!(
+            "{}",
+            serde_json::to_string_pretty(&serde_json::json!({
+                "ok": true,
+                "projectId": target.project_id,
+                "waited": false,
+                "pid": child.id()
+            }))?
+        );
+    }
+
+    Ok(())
+}
+
+pub(crate) async fn link_run_command(args: LinkRunArgs) -> Result<()> {
+    let config = load_unreal_links()?;
+    if config.links.is_empty() {
+        return Err(anyhow!(
+            "No local links configured. Run `reallink link unreal ...` first."
+        ));
+    }
+    let target = resolve_link_target(
+        &config,
+        args.project_id.as_deref(),
+        args.uproject.as_deref(),
+    )?;
+    let editor_path = PathBuf::from(&target.editor_path);
+    let uproject_path = PathBuf::from(&target.uproject_path);
+
+    if !editor_path.exists() {
+        return Err(anyhow!(
+            "Editor path does not exist anymore: {}",
+            editor_path.display()
+        ));
+    }
+    if !uproject_path.exists() {
+        return Err(anyhow!(
+            "uproject path does not exist anymore: {}",
+            uproject_path.display()
+        ));
+    }
+
+    let mut command = Command::new(&editor_path);
+    command.arg(&uproject_path);
+    if let Some(commandlet) = args.commandlet.as_ref() {
+        let normalized = commandlet.trim();
+        if normalized.is_empty() {
+            return Err(anyhow!("--commandlet cannot be empty"));
+        }
+        command.arg(format!("-run={}", normalized));
+    }
+    if args.log {
+        command.arg("-log");
+    }
+    if args.headless {
+        command.arg("-unattended");
+        command.arg("-nop4");
+        command.arg("-nosplash");
+        command.arg("-nullrhi");
+    }
+    for argument in args.extra_arg {
+        command.arg(argument);
+    }
+
+    if args.no_wait {
+        let child = command
+            .spawn()
+            .with_context(|| format!("Failed to launch Unreal editor {}", editor_path.display()))?;
+        println!(
+            "{}",
+            serde_json::to_string_pretty(&serde_json::json!({
+                "ok": true,
+                "projectId": target.project_id,
+                "mode": if args.commandlet.is_some() { "commandlet" } else { "editor" },
+                "waited": false,
+                "pid": child.id()
+            }))?
+        );
+        return Ok(());
+    }
+
+    let status = command
+        .status()
+        .with_context(|| format!("Failed to run Unreal editor {}", editor_path.display()))?;
+    if !status.success() {
+        return Err(anyhow!("Unreal editor exited with {}", status));
+    }
+
+    println!(
+        "{}",
+        serde_json::to_string_pretty(&serde_json::json!({
+            "ok": true,
+            "projectId": target.project_id,
+            "mode": if args.commandlet.is_some() { "commandlet" } else { "editor" },
+            "waited": true,
+            "status": status.code()
+        }))?
+    );
+    Ok(())
+}
+
+fn normalize_public_bucket_base(base_url: &str) -> Result<String> {
+    let trimmed = base_url.trim().trim_end_matches('/');
+    if trimmed.is_empty() {
+        return Err(anyhow!("Plugin base URL is empty"));
+    }
+    let parsed = reqwest::Url::parse(trimmed)
+        .with_context(|| format!("Invalid plugin base URL {}", trimmed))?;
+    Ok(parsed.to_string().trim_end_matches('/').to_string())
+}
+
+fn compose_plugin_archive_url(base_url: &str, name: &str, version: &str) -> Result<String> {
+    let plugin = name.trim();
+    let release = version.trim();
+    if plugin.is_empty() {
+        return Err(anyhow!("Plugin name is required"));
+    }
+    if release.is_empty() {
+        return Err(anyhow!("Plugin version is required"));
+    }
+    if plugin.contains('/') || plugin.contains('\\') {
+        return Err(anyhow!("Plugin name cannot include path separators"));
+    }
+    let base = normalize_public_bucket_base(base_url)?;
+    Ok(format!("{}/{}/{}/{}.zip", base, plugin, release, plugin))
+}
+
+fn normalize_sha256_hex(input: &str) -> Result<String> {
+    let cleaned = input.trim().to_ascii_lowercase();
+    if cleaned.len() != 64 {
+        return Err(anyhow!(
+            "SHA-256 must be a 64-character hex string, got length {}",
+            cleaned.len()
+        ));
+    }
+    if !cleaned
+        .chars()
+        .all(|value| matches!(value, '0'..='9' | 'a'..='f'))
+    {
+        return Err(anyhow!("SHA-256 contains non-hex characters"));
+    }
+    Ok(cleaned)
+}
+
+async fn fetch_plugin_index_value(
+    client: &reqwest::Client,
+    base_url: &str,
+    index_path: &str,
+) -> Result<serde_json::Value> {
+    let base = normalize_public_bucket_base(base_url)?;
+    let normalized_index_path = index_path.trim().trim_start_matches('/');
+    if normalized_index_path.is_empty() {
+        return Err(anyhow!("index path cannot be empty"));
+    }
+    let url = format!("{}/{}", base, normalized_index_path);
+    let response = with_cli_headers(client.get(url.clone()))
+        .send()
+        .await
+        .with_context(|| format!("Failed to fetch plugin index {}", url))?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("plugin index fetch failed: {}", body));
+    }
+    let body = response
+        .text()
+        .await
+        .with_context(|| format!("Failed to read plugin index {}", url))?;
+    serde_json::from_str(&body)
+        .or_else(|_| json5::from_str(&body))
+        .with_context(|| format!("Plugin index is not valid JSON/JSONC: {}", url))
+}
+
+async fn fetch_plugin_index(
+    client: &reqwest::Client,
+    base_url: &str,
+    index_path: &str,
+) -> Result<PluginIndexFile> {
+    let value = fetch_plugin_index_value(client, base_url, index_path).await?;
+    let parsed: PluginIndexFile = serde_json::from_value(value)
+        .with_context(|| "Plugin index does not match expected schema")?;
+    Ok(parsed)
+}
+
+fn resolve_plugin_from_index(
+    index: &PluginIndexFile,
+    name: &str,
+    requested_version: &str,
+    base_url: &str,
+) -> Result<(String, String, Option<String>)> {
+    let plugin_name = name.trim();
+    let version_request = requested_version.trim();
+    if plugin_name.is_empty() {
+        return Err(anyhow!("Plugin name is required"));
+    }
+    if version_request.is_empty() {
+        return Err(anyhow!("Plugin version is required"));
+    }
+
+    let plugin = index
+        .plugins
+        .iter()
+        .find(|entry| entry.name.eq_ignore_ascii_case(plugin_name))
+        .ok_or_else(|| anyhow!("Plugin {} not found in index", plugin_name))?;
+
+    let resolved_version = if version_request.eq_ignore_ascii_case("latest") {
+        plugin
+            .latest
+            .as_ref()
+            .map(|value| value.trim().to_string())
+            .or_else(|| {
+                plugin
+                    .versions
+                    .first()
+                    .map(|entry| entry.version.trim().to_string())
+            })
+            .ok_or_else(|| anyhow!("Plugin {} has no versions in index", plugin_name))?
+    } else {
+        version_request.to_string()
+    };
+
+    let version_entry = plugin
+        .versions
+        .iter()
+        .find(|entry| entry.version.trim() == resolved_version)
+        .ok_or_else(|| {
+            anyhow!(
+                "Version {} for plugin {} not found in index",
+                resolved_version,
+                plugin_name
+            )
+        })?;
+
+    let archive_url = if let Some(url) = version_entry.archive_url.as_ref() {
+        let trimmed = url.trim();
+        if trimmed.is_empty() {
+            compose_plugin_archive_url(base_url, plugin_name, &resolved_version)?
+        } else {
+            trimmed.to_string()
+        }
+    } else {
+        compose_plugin_archive_url(base_url, plugin_name, &resolved_version)?
+    };
+
+    let expected_sha256 = version_entry
+        .sha256
+        .as_ref()
+        .map(|value| normalize_sha256_hex(value))
+        .transpose()?;
+
+    Ok((resolved_version, archive_url, expected_sha256))
+}
+
+fn compute_sha256_hex(path: &Path) -> Result<String> {
+    let mut file =
+        fs::File::open(path).with_context(|| format!("Failed to open {}", path.display()))?;
+    let mut hasher = sha2::Sha256::new();
+    let mut buffer = [0u8; 64 * 1024];
+    loop {
+        let read = file
+            .read(&mut buffer)
+            .with_context(|| format!("Failed reading {}", path.display()))?;
+        if read == 0 {
+            break;
+        }
+        hasher.update(&buffer[..read]);
+    }
+    let digest = hasher.finalize();
+    Ok(format!("{:x}", digest))
+}
+
+async fn download_plugin_archive_to_file(
+    client: &reqwest::Client,
+    url: &str,
+    destination: &Path,
+) -> Result<()> {
+    if let Some(parent) = destination.parent() {
+        tokio_fs::create_dir_all(parent)
+            .await
+            .with_context(|| format!("Failed to create {}", parent.display()))?;
+    }
+
+    let response = with_cli_headers(client.get(url.to_string()))
+        .send()
+        .await
+        .with_context(|| format!("Failed to download plugin archive {}", url))?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("Plugin download failed: {}", body));
+    }
+
+    let mut file = tokio_fs::File::create(destination)
+        .await
+        .with_context(|| format!("Failed to create {}", destination.display()))?;
+    let mut stream = response;
+    while let Some(chunk) = stream
+        .chunk()
+        .await
+        .with_context(|| format!("Failed while downloading {}", url))?
+    {
+        file.write_all(&chunk)
+            .await
+            .with_context(|| format!("Failed writing {}", destination.display()))?;
+    }
+    file.flush()
+        .await
+        .with_context(|| format!("Failed to finalize {}", destination.display()))?;
+    Ok(())
+}
+
+fn extract_zip_file(zip_path: &Path, destination: &Path) -> Result<()> {
+    let file = fs::File::open(zip_path)
+        .with_context(|| format!("Failed to open {}", zip_path.display()))?;
+    let mut archive = zip::ZipArchive::new(file).with_context(|| "Failed to read zip archive")?;
+
+    for index in 0..archive.len() {
+        let mut file = archive
+            .by_index(index)
+            .with_context(|| format!("Failed to read zip entry {}", index))?;
+        let Some(name) = file.enclosed_name().map(|value| value.to_path_buf()) else {
+            continue;
+        };
+        let output_path = destination.join(name);
+
+        if file.is_dir() {
+            fs::create_dir_all(&output_path)
+                .with_context(|| format!("Failed to create {}", output_path.display()))?;
+            continue;
+        }
+
+        if let Some(parent) = output_path.parent() {
+            fs::create_dir_all(parent)
+                .with_context(|| format!("Failed to create {}", parent.display()))?;
+        }
 
-    let response = authed_request(client, &mut session, Method::GET, &path, None).await?;
-    if !response.status().is_success() {
-        let body = read_error_body(response).await;
-        return Err(anyhow!("project list failed: {}", body));
+        let mut output_file = fs::File::create(&output_path)
+            .with_context(|| format!("Failed to create {}", output_path.display()))?;
+        io::copy(&mut file, &mut output_file)
+            .with_context(|| format!("Failed to extract {}", output_path.display()))?;
     }
-    let payload: ListProjectsResponse = response.json().await?;
-    println!("{}", serde_json::to_string_pretty(&payload.projects)?);
-    save_session(&session)?;
     Ok(())
 }
 
-async fn project_create_command(client: &reqwest::Client, args: ProjectCreateArgs) -> Result<()> {
-    let mut session = load_session()?;
-    apply_base_url_override(&mut session, args.base_url);
+fn collect_uplugin_roots(root: &Path) -> Result<Vec<PathBuf>> {
+    let mut stack = vec![root.to_path_buf()];
+    let mut roots: Vec<PathBuf> = Vec::new();
 
-    let response = authed_request(
-        client,
-        &mut session,
-        Method::POST,
-        "/core/projects",
-        Some(serde_json::json!({
-            "orgId": args.org_id,
-            "name": args.name,
-            "description": args.description
-        })),
-    )
-    .await?;
-    if !response.status().is_success() {
-        let body = read_error_body(response).await;
-        return Err(anyhow!("project create failed: {}", body));
+    while let Some(path) = stack.pop() {
+        if !path.is_dir() {
+            continue;
+        }
+        for entry in
+            fs::read_dir(&path).with_context(|| format!("Failed to read {}", path.display()))?
+        {
+            let entry = entry?;
+            let child = entry.path();
+            if child.is_dir() {
+                stack.push(child);
+                continue;
+            }
+            let is_uplugin = child
+                .extension()
+                .and_then(|value| value.to_str())
+                .map(|value| value.eq_ignore_ascii_case("uplugin"))
+                .unwrap_or(false);
+            if is_uplugin {
+                if let Some(parent) = child.parent() {
+                    roots.push(parent.to_path_buf());
+                }
+            }
+        }
     }
-    let payload: ProjectResponse = response.json().await?;
-    println!("{}", serde_json::to_string_pretty(&payload.project)?);
-    save_session(&session)?;
-    Ok(())
+
+    roots.sort();
+    roots.dedup_by(|left, right| {
+        normalize_path_for_compare(left) == normalize_path_for_compare(right)
+    });
+    Ok(roots)
 }
 
-async fn project_get_command(client: &reqwest::Client, args: ProjectGetArgs) -> Result<()> {
-    let mut session = load_session()?;
-    apply_base_url_override(&mut session, args.base_url);
+fn find_plugin_root_from_extracted(extracted_root: &Path) -> Result<PathBuf> {
+    let roots = collect_uplugin_roots(extracted_root)?;
+    if roots.is_empty() {
+        return Err(anyhow!(
+            "Plugin archive does not contain a .uplugin descriptor"
+        ));
+    }
+    if roots.len() > 1 {
+        return Err(anyhow!(
+            "Plugin archive contains multiple .uplugin roots; expected one"
+        ));
+    }
+    canonicalize_existing_path(&roots[0], "plugin root")
+}
 
-    let path = format!("/core/projects/{}", args.project_id);
-    let response = authed_request(client, &mut session, Method::GET, &path, None).await?;
-    if !response.status().is_success() {
-        let body = read_error_body(response).await;
-        return Err(anyhow!("project get failed: {}", body));
+fn remove_existing_path(path: &Path) -> Result<()> {
+    if !path.exists() {
+        return Ok(());
+    }
+    if path.is_dir() {
+        fs::remove_dir_all(path)
+            .with_context(|| format!("Failed to remove directory {}", path.display()))?;
+    } else {
+        fs::remove_file(path)
+            .with_context(|| format!("Failed to remove file {}", path.display()))?;
     }
-    let payload: ProjectResponse = response.json().await?;
-    println!("{}", serde_json::to_string_pretty(&payload.project)?);
-    save_session(&session)?;
     Ok(())
 }
 
-async fn project_update_command(client: &reqwest::Client, args: ProjectUpdateArgs) -> Result<()> {
-    let mut session = load_session()?;
-    apply_base_url_override(&mut session, args.base_url);
+fn copy_dir_recursive(source: &Path, destination: &Path) -> Result<()> {
+    fs::create_dir_all(destination)
+        .with_context(|| format!("Failed to create {}", destination.display()))?;
+    for entry in
+        fs::read_dir(source).with_context(|| format!("Failed to read {}", source.display()))?
+    {
+        let entry = entry?;
+        let child = entry.path();
+        let target = destination.join(entry.file_name());
+        if child.is_dir() {
+            copy_dir_recursive(&child, &target)?;
+        } else {
+            if let Some(parent) = target.parent() {
+                fs::create_dir_all(parent)
+                    .with_context(|| format!("Failed to create {}", parent.display()))?;
+            }
+            fs::copy(&child, &target).with_context(|| {
+                format!("Failed to copy {} to {}", child.display(), target.display())
+            })?;
+        }
+    }
+    Ok(())
+}
 
-    let mut body = serde_json::Map::new();
-    if let Some(name) = args.name {
-        body.insert("name".to_string(), serde_json::Value::String(name));
+pub(crate) async fn link_plugin_install_command(
+    client: &reqwest::Client,
+    args: LinkPluginInstallArgs,
+) -> Result<()> {
+    let config = load_unreal_links()?;
+    if config.links.is_empty() {
+        return Err(anyhow!(
+            "No local links configured. Run `reallink link unreal ...` first."
+        ));
     }
-    if args.clear_description {
-        body.insert("description".to_string(), serde_json::Value::Null);
-    } else if let Some(description) = args.description {
-        body.insert(
-            "description".to_string(),
-            serde_json::Value::String(description),
-        );
+    let target = resolve_link_target(
+        &config,
+        args.project_id.as_deref(),
+        args.uproject.as_deref(),
+    )?;
+
+    let plugin_name = args.name.trim();
+    if plugin_name.is_empty() {
+        return Err(anyhow!("Plugin name is required"));
+    }
+    if plugin_name.contains('/') || plugin_name.contains('\\') {
+        return Err(anyhow!("Plugin name cannot include path separators"));
     }
 
-    if body.is_empty() {
+    let mut expected_sha256 = args
+        .sha256
+        .as_ref()
+        .map(|value| normalize_sha256_hex(value))
+        .transpose()?;
+    let mut resolved_version = args.version.trim().to_string();
+    if resolved_version.is_empty() {
+        return Err(anyhow!("Plugin version is required"));
+    }
+
+    let archive_url = if let Some(url) = args.url {
+        let trimmed = url.trim();
+        if trimmed.is_empty() {
+            return Err(anyhow!("--url cannot be empty"));
+        }
+        trimmed.to_string()
+    } else if args.use_index {
+        let index = fetch_plugin_index(client, &args.base_url, &args.index_path).await?;
+        let (resolved, url, index_sha256) =
+            resolve_plugin_from_index(&index, plugin_name, &resolved_version, &args.base_url)?;
+        if expected_sha256.is_none() {
+            expected_sha256 = index_sha256;
+        }
+        resolved_version = resolved;
+        url
+    } else {
+        compose_plugin_archive_url(&args.base_url, plugin_name, &resolved_version)?
+    };
+
+    let plugin_root_dir = if args.engine {
+        let engine_root = target.engine_root.as_ref().ok_or_else(|| {
+            anyhow!("Selected link has no engine_root; relink with --engine-root or --editor")
+        })?;
+        let root = PathBuf::from(engine_root);
+        root.join("Engine").join("Plugins").join("Marketplace")
+    } else {
+        PathBuf::from(&target.project_root).join("Plugins")
+    };
+    fs::create_dir_all(&plugin_root_dir)
+        .with_context(|| format!("Failed to create {}", plugin_root_dir.display()))?;
+    let destination_dir = plugin_root_dir.join(plugin_name);
+
+    if destination_dir.exists() && !args.force {
         return Err(anyhow!(
-            "project update requires at least one field (--name, --description, or --clear-description)"
+            "Plugin destination already exists: {} (use --force to overwrite)",
+            destination_dir.display()
         ));
     }
+    if destination_dir.exists() && args.force {
+        remove_existing_path(&destination_dir)?;
+    }
 
-    let path = format!("/core/projects/{}", args.project_id);
-    let response = authed_request(
-        client,
-        &mut session,
-        Method::PATCH,
-        &path,
-        Some(serde_json::Value::Object(body)),
-    )
-    .await?;
-    if !response.status().is_success() {
-        let body = read_error_body(response).await;
-        return Err(anyhow!("project update failed: {}", body));
+    let temp_root = std::env::temp_dir().join(format!(
+        "reallink-plugin-install-{}-{}",
+        plugin_name,
+        now_epoch_ms()
+    ));
+    if temp_root.exists() {
+        remove_existing_path(&temp_root)?;
     }
-    let payload: ProjectResponse = response.json().await?;
-    println!("{}", serde_json::to_string_pretty(&payload.project)?);
-    save_session(&session)?;
+    fs::create_dir_all(&temp_root)
+        .with_context(|| format!("Failed to create {}", temp_root.display()))?;
+    let archive_path = temp_root.join("plugin.zip");
+    let temp_extract_root = temp_root.join("extract");
+
+    download_plugin_archive_to_file(client, &archive_url, &archive_path).await?;
+    let archive_sha256 = compute_sha256_hex(&archive_path)?;
+    if let Some(expected) = expected_sha256.as_ref() {
+        if &archive_sha256 != expected {
+            let _ = remove_existing_path(&temp_root);
+            return Err(anyhow!(
+                "Plugin checksum mismatch (expected {}, got {})",
+                expected,
+                archive_sha256
+            ));
+        }
+    }
+    fs::create_dir_all(&temp_extract_root)
+        .with_context(|| format!("Failed to create {}", temp_extract_root.display()))?;
+    extract_zip_file(&archive_path, &temp_extract_root)?;
+    let plugin_source_root = find_plugin_root_from_extracted(&temp_extract_root)?;
+    copy_dir_recursive(&plugin_source_root, &destination_dir)?;
+    let _ = remove_existing_path(&temp_root);
+
+    println!(
+        "{}",
+        serde_json::to_string_pretty(&serde_json::json!({
+            "ok": true,
+            "projectId": target.project_id,
+            "plugin": plugin_name,
+            "version": resolved_version,
+            "scope": if args.engine { "engine" } else { "project" },
+            "archiveUrl": archive_url,
+            "archiveSha256": archive_sha256,
+            "verifiedSha256": expected_sha256,
+            "installedTo": destination_dir.display().to_string()
+        }))?
+    );
     Ok(())
 }
 
-async fn project_delete_command(client: &reqwest::Client, args: ProjectDeleteArgs) -> Result<()> {
-    let mut session = load_session()?;
-    apply_base_url_override(&mut session, args.base_url);
-
-    let path = format!("/core/projects/{}", args.project_id);
-    let response = authed_request(client, &mut session, Method::DELETE, &path, None).await?;
-    if !response.status().is_success() {
-        let body = read_error_body(response).await;
-        return Err(anyhow!("project delete failed: {}", body));
-    }
-    let payload: serde_json::Value = response.json().await?;
-    println!("{}", serde_json::to_string_pretty(&payload)?);
-    save_session(&session)?;
+pub(crate) async fn link_plugin_list_command(
+    client: &reqwest::Client,
+    args: LinkPluginListArgs,
+) -> Result<()> {
+    let parsed = fetch_plugin_index_value(client, &args.base_url, &args.index_path).await?;
+    println!("{}", serde_json::to_string_pretty(&parsed)?);
     Ok(())
 }
 
@@ -1303,11 +3556,23 @@ async fn upload_asset_via_intent(
     let complete_payload = if strategy == "multipart" {
         let part_size = intent
             .part_size_bytes
-            .and_then(|value| if value > 0 { Some(value as usize) } else { None })
+            .and_then(|value| {
+                if value > 0 {
+                    Some(value as usize)
+                } else {
+                    None
+                }
+            })
             .ok_or_else(|| anyhow!("multipart upload intent is missing partSizeBytes"))?;
         let part_count = intent
             .part_count
-            .and_then(|value| if value > 0 { Some(value as usize) } else { None })
+            .and_then(|value| {
+                if value > 0 {
+                    Some(value as usize)
+                } else {
+                    None
+                }
+            })
             .ok_or_else(|| anyhow!("multipart upload intent is missing partCount"))?;
         let session_id = intent
             .session_id
@@ -1459,6 +3724,144 @@ async fn file_get_command(client: &reqwest::Client, args: FileGetArgs) -> Result
     Ok(())
 }
 
+async fn file_stat_command(client: &reqwest::Client, args: FileStatArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let path = format!("/assets/{}/metadata", args.asset_id);
+    let response = authed_request(client, &mut session, Method::GET, &path, None).await?;
+    if !response.status().is_success() {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("file stat failed: {}", body));
+    }
+    let payload: AssetMetadataResponse = response.json().await?;
+    println!("{}", serde_json::to_string_pretty(&payload)?);
+    save_session(&session)?;
+    Ok(())
+}
+
+async fn file_download_command(client: &reqwest::Client, args: FileDownloadArgs) -> Result<()> {
+    let mut session = load_session()?;
+    apply_base_url_override(&mut session, args.base_url);
+
+    let metadata_path = format!("/assets/{}/metadata", args.asset_id);
+    let metadata_response =
+        authed_request(client, &mut session, Method::GET, &metadata_path, None).await?;
+    if !metadata_response.status().is_success() {
+        let body = read_error_body(metadata_response).await;
+        return Err(anyhow!("file metadata fetch failed: {}", body));
+    }
+    let metadata_payload: AssetMetadataResponse = metadata_response.json().await?;
+    let fallback_name = base_name_from_virtual_path(&metadata_payload.asset.file_name);
+
+    let mut output_path = args
+        .output_path
+        .unwrap_or_else(|| PathBuf::from(fallback_name.as_str()));
+    if output_path.exists() && output_path.is_dir() {
+        output_path = output_path.join(fallback_name.as_str());
+    }
+
+    if let Some(parent) = output_path.parent() {
+        if !parent.as_os_str().is_empty() {
+            tokio_fs::create_dir_all(parent).await.with_context(|| {
+                format!("Failed to create output directory {}", parent.display())
+            })?;
+        }
+    }
+
+    let mut resume_from: Option<u64> = None;
+    if args.resume && output_path.exists() && output_path.is_file() {
+        let existing_size = tokio_fs::metadata(&output_path)
+            .await
+            .with_context(|| {
+                format!(
+                    "Failed to read output file metadata {}",
+                    output_path.display()
+                )
+            })?
+            .len();
+        if existing_size > 0 {
+            let remote_size = metadata_payload.content.content_length.max(0) as u64;
+            if existing_size >= remote_size && remote_size > 0 {
+                println!(
+                    "{}",
+                    serde_json::to_string_pretty(&serde_json::json!({
+                        "assetId": metadata_payload.asset.id,
+                        "fileName": metadata_payload.asset.file_name,
+                        "output": output_path.display().to_string(),
+                        "bytesWritten": 0,
+                        "resumedFrom": existing_size,
+                        "alreadyComplete": true
+                    }))?
+                );
+                save_session(&session)?;
+                return Ok(());
+            }
+            resume_from = Some(existing_size);
+        }
+    }
+
+    let download_path = format!("/assets/{}/download", args.asset_id);
+    let mut headers = Vec::new();
+    if let Some(offset) = resume_from {
+        headers.push(("range".to_string(), format!("bytes={}-", offset)));
+    }
+    let mut response = authed_request_with_headers(
+        client,
+        &mut session,
+        Method::GET,
+        &download_path,
+        None,
+        &headers,
+    )
+    .await?;
+    if !(response.status().is_success() || response.status() == StatusCode::PARTIAL_CONTENT) {
+        let body = read_error_body(response).await;
+        return Err(anyhow!("file download failed: {}", body));
+    }
+
+    let append_mode = resume_from.is_some() && response.status() == StatusCode::PARTIAL_CONTENT;
+    let mut output_file = if append_mode {
+        tokio_fs::OpenOptions::new()
+            .append(true)
+            .open(&output_path)
+            .await
+            .with_context(|| {
+                format!(
+                    "Failed to open output file for append {}",
+                    output_path.display()
+                )
+            })?
+    } else {
+        tokio_fs::File::create(&output_path)
+            .await
+            .with_context(|| format!("Failed to create output file {}", output_path.display()))?
+    };
+    let mut bytes_written: u64 = 0;
+    while let Some(chunk) = response.chunk().await? {
+        output_file
+            .write_all(&chunk)
+            .await
+            .with_context(|| format!("Failed to write to {}", output_path.display()))?;
+        bytes_written = bytes_written.saturating_add(chunk.len() as u64);
+    }
+    output_file.flush().await?;
+
+    println!(
+        "{}",
+        serde_json::to_string_pretty(&serde_json::json!({
+            "assetId": metadata_payload.asset.id,
+            "fileName": metadata_payload.asset.file_name,
+            "output": output_path.display().to_string(),
+            "bytesWritten": bytes_written,
+            "resumedFrom": resume_from,
+            "partialContent": response.status() == StatusCode::PARTIAL_CONTENT
+        }))?
+    );
+    save_session(&session)?;
+    Ok(())
+}
+
 async fn file_upload_command(client: &reqwest::Client, args: FileUploadArgs) -> Result<()> {
     let mut session = load_session()?;
     apply_base_url_override(&mut session, args.base_url);
@@ -1589,12 +3992,16 @@ async fn tool_register_command(client: &reqwest::Client, args: ToolRegisterArgs)
     apply_base_url_override(&mut session, args.base_url);
 
     let manifest = load_jsonc_file(&args.manifest, "tool manifest")?;
-    let body = serde_json::Value::Object(parse_object_from_value(
-        manifest,
-        "tool manifest payload",
-    )?);
-    let response =
-        authed_request(client, &mut session, Method::POST, "/tools/definitions", Some(body)).await?;
+    let body =
+        serde_json::Value::Object(parse_object_from_value(manifest, "tool manifest payload")?);
+    let response = authed_request(
+        client,
+        &mut session,
+        Method::POST,
+        "/tools/definitions",
+        Some(body),
+    )
+    .await?;
     if !response.status().is_success() {
         let body = read_error_body(response).await;
         return Err(anyhow!("tool register failed: {}", body));
@@ -1637,13 +4044,19 @@ async fn tool_set_entitlement_command(
         body.insert("orgId".to_string(), serde_json::Value::String(org_id));
     }
     if let Some(project_id) = project_id {
-        body.insert("projectId".to_string(), serde_json::Value::String(project_id));
+        body.insert(
+            "projectId".to_string(),
+            serde_json::Value::String(project_id),
+        );
     }
     if let Some(user_id) = user_id {
         body.insert("userId".to_string(), serde_json::Value::String(user_id));
     }
     if let Some(expires_at) = expires_at {
-        body.insert("expiresAt".to_string(), serde_json::Value::String(expires_at));
+        body.insert(
+            "expiresAt".to_string(),
+            serde_json::Value::String(expires_at),
+        );
     }
     if let Some(path) = metadata_file {
         let metadata = load_jsonc_file(&path, "tool entitlement metadata")?;
@@ -1731,19 +4144,23 @@ async fn tool_run_command(client: &reqwest::Client, args: ToolRunArgs) -> Result
         serde_json::Value::Object(serde_json::Map::new())
     };
 
-    let input_object = serde_json::Value::Object(parse_object_from_value(
-        input_value,
-        "tool run input",
-    )?);
+    let input_object =
+        serde_json::Value::Object(parse_object_from_value(input_value, "tool run input")?);
 
     let mut body = serde_json::Map::new();
-    body.insert("toolId".to_string(), serde_json::Value::String(args.tool_id));
+    body.insert(
+        "toolId".to_string(),
+        serde_json::Value::String(args.tool_id),
+    );
     body.insert("input".to_string(), input_object);
     if let Some(org_id) = args.org_id {
         body.insert("orgId".to_string(), serde_json::Value::String(org_id));
     }
     if let Some(project_id) = args.project_id {
-        body.insert("projectId".to_string(), serde_json::Value::String(project_id));
+        body.insert(
+            "projectId".to_string(),
+            serde_json::Value::String(project_id),
+        );
     }
     let mut metadata_map = if let Some(path) = args.metadata_file {
         let metadata = load_jsonc_file(&path, "tool run metadata")?;
@@ -1761,7 +4178,10 @@ async fn tool_run_command(client: &reqwest::Client, args: ToolRunArgs) -> Result
         }
     }
     if !metadata_map.is_empty() {
-        body.insert("metadata".to_string(), serde_json::Value::Object(metadata_map));
+        body.insert(
+            "metadata".to_string(),
+            serde_json::Value::Object(metadata_map),
+        );
     }
 
     let response = authed_request(
@@ -1851,23 +4271,58 @@ fn run_and_check_status(mut command: Command, context: &str) -> Result<()> {
     Ok(())
 }
 
-async fn self_update_command(client: &reqwest::Client, args: SelfUpdateArgs) -> Result<()> {
+async fn self_update_command(
+    client: &reqwest::Client,
+    args: SelfUpdateArgs,
+    output: OutputFormat,
+) -> Result<()> {
     let current = env!("CARGO_PKG_VERSION");
     let latest = fetch_latest_cli_version(client).await;
 
     let Some(latest_version) = latest else {
-        println!("Could not check latest version right now.");
+        let payload = serde_json::json!({
+            "ok": false,
+            "checked": false,
+            "currentVersion": current,
+            "message": "Could not check latest version right now."
+        });
+        emit_text_or_json(output, "Could not check latest version right now.", payload)?;
         return Ok(());
     };
 
     if !is_newer_version(current, &latest_version) {
-        println!("reallink is up to date ({})", current);
+        let payload = serde_json::json!({
+            "ok": true,
+            "checked": true,
+            "upToDate": true,
+            "currentVersion": current,
+            "latestVersion": latest_version
+        });
+        emit_text_or_json(
+            output,
+            &format!("reallink is up to date ({})", current),
+            payload,
+        )?;
         return Ok(());
     }
 
-    println!("Update available: {} -> {}", current, latest_version);
     if args.check {
-        println!("Run `reallink self-update` to install the update.");
+        let payload = serde_json::json!({
+            "ok": true,
+            "checked": true,
+            "upToDate": false,
+            "currentVersion": current,
+            "latestVersion": latest_version,
+            "action": "run `reallink self-update` to install"
+        });
+        emit_text_or_json(
+            output,
+            &format!(
+                "Update available: {} -> {}. Run `reallink self-update`.",
+                current, latest_version
+            ),
+            payload,
+        )?;
         return Ok(());
     }
 
@@ -1886,7 +4341,19 @@ async fn self_update_command(client: &reqwest::Client, args: SelfUpdateArgs) ->
             },
             "npm self-update",
         )?;
-        println!("Updated via npm. Restart your shell if `reallink --version` still shows old version.");
+        let payload = serde_json::json!({
+            "ok": true,
+            "checked": true,
+            "updated": true,
+            "method": "npm",
+            "currentVersion": current,
+            "latestVersion": latest_version
+        });
+        emit_text_or_json(
+            output,
+            "Updated via npm. Restart your shell if `reallink --version` still shows old version.",
+            payload,
+        )?;
         return Ok(());
     }
 
@@ -1916,33 +4383,176 @@ async fn self_update_command(client: &reqwest::Client, args: SelfUpdateArgs) ->
         )?;
     }
 
-    println!("Update installed. Verify with `reallink --version`.");
+    let payload = serde_json::json!({
+        "ok": true,
+        "checked": true,
+        "updated": true,
+        "method": if cfg!(windows) { "powershell-installer" } else { "shell-installer" },
+        "currentVersion": current,
+        "latestVersion": latest_version
+    });
+    emit_text_or_json(
+        output,
+        "Update installed. Verify with `reallink --version`.",
+        payload,
+    )?;
     Ok(())
 }
 
-#[tokio::main]
-async fn main() -> Result<()> {
-    let cli = Cli::parse();
+#[cfg(test)]
+mod tests {
+    use super::{
+        compose_plugin_archive_url, default_login_scopes, default_login_scopes_with_tools,
+        file_name_component, normalize_public_bucket_base, normalize_sha256_hex, resolve_plugin_from_index,
+    };
+    use super::unreal::{PluginIndexFile, PluginIndexPlugin, PluginIndexVersion};
+
+    #[test]
+    fn normalizes_public_bucket_base() {
+        let normalized = normalize_public_bucket_base("https://real-agent.link/plugins/unreal/")
+            .expect("base URL should normalize");
+        assert_eq!(normalized, "https://real-agent.link/plugins/unreal");
+    }
+
+    #[test]
+    fn composes_archive_url() {
+        let url = compose_plugin_archive_url(
+            "https://real-agent.link/plugins/unreal/",
+            "RealLinkUnreal",
+            "latest",
+        )
+        .expect("archive URL should compose");
+        assert_eq!(
+            url,
+            "https://real-agent.link/plugins/unreal/RealLinkUnreal/latest/RealLinkUnreal.zip"
+        );
+    }
+
+    #[test]
+    fn rejects_plugin_name_with_path_separator() {
+        let result = compose_plugin_archive_url(
+            "https://real-agent.link/plugins/unreal",
+            "RealLink/Unreal",
+            "latest",
+        );
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn extracts_file_name_component() {
+        let output = file_name_component("D:/Games/MyGame/MyGame.uproject");
+        assert_eq!(output, "MyGame.uproject");
+    }
+
+    #[test]
+    fn normalizes_sha256_hex() {
+        let value = normalize_sha256_hex(
+            "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+        )
+        .expect("sha256 should normalize");
+        assert_eq!(
+            value,
+            "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+        );
+    }
+
+    #[test]
+    fn resolves_plugin_from_index_with_latest() {
+        let index = PluginIndexFile {
+            schema_version: Some(1),
+            plugins: vec![PluginIndexPlugin {
+                name: "RealLinkUnreal".to_string(),
+                latest: Some("0.1.2".to_string()),
+                versions: vec![PluginIndexVersion {
+                    version: "0.1.2".to_string(),
+                    archive_url: Some(
+                        "https://cdn.example.com/RealLinkUnreal-0.1.2.zip".to_string(),
+                    ),
+                    sha256: Some(
+                        "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+                            .to_string(),
+                    ),
+                }],
+            }],
+        };
+
+        let (version, url, sha) = resolve_plugin_from_index(
+            &index,
+            "RealLinkUnreal",
+            "latest",
+            "https://real-agent.link/plugins/unreal",
+        )
+        .expect("index resolve should succeed");
+        assert_eq!(version, "0.1.2");
+        assert_eq!(url, "https://cdn.example.com/RealLinkUnreal-0.1.2.zip");
+        assert_eq!(
+            sha,
+            Some("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef".to_string())
+        );
+    }
+
+    #[test]
+    fn default_login_scopes_exclude_tool_scopes() {
+        let scopes = default_login_scopes();
+        assert!(scopes.contains(&"core:read".to_string()));
+        assert!(scopes.contains(&"core:write".to_string()));
+        assert!(scopes.contains(&"scheduler:read".to_string()));
+        assert!(scopes.contains(&"scheduler:write".to_string()));
+        assert!(!scopes.iter().any(|value| value.starts_with("tools:")));
+    }
+
+    #[test]
+    fn default_login_scopes_with_tools_include_tool_scopes() {
+        let scopes = default_login_scopes_with_tools();
+        assert!(scopes.contains(&"tools:read".to_string()));
+        assert!(scopes.contains(&"tools:write".to_string()));
+        assert!(scopes.contains(&"tools:run".to_string()));
+    }
+}
+
+async fn run_cli(cli: Cli) -> Result<()> {
     let client = reqwest::Client::builder()
         .user_agent(concat!("reallink-cli/", env!("CARGO_PKG_VERSION")))
         .build()?;
 
     if !matches!(&cli.command, Commands::SelfUpdate(_)) {
         let allow_update_fetch = matches!(&cli.command, Commands::Login(_));
-        maybe_notify_update(&client, false, allow_update_fetch).await;
+        maybe_notify_update(&client, false, allow_update_fetch, cli.output).await;
     }
 
     match cli.command {
-        Commands::Login(args) => login_command(&client, args).await?,
+        Commands::Login(args) => login_command(&client, args, cli.output).await?,
         Commands::Whoami(args) => whoami_command(&client, args).await?,
-        Commands::Logout => logout_command(&client).await?,
-        Commands::SelfUpdate(args) => self_update_command(&client, args).await?,
+        Commands::Logout => logout_command(&client, cli.output).await?,
+        Commands::SelfUpdate(args) => self_update_command(&client, args, cli.output).await?,
+        Commands::Org { command } => match command {
+            OrgCommands::List(args) => org_list_command(&client, args).await?,
+            OrgCommands::Create(args) => org_create_command(&client, args).await?,
+            OrgCommands::Get(args) => org_get_command(&client, args).await?,
+            OrgCommands::Update(args) => org_update_command(&client, args).await?,
+            OrgCommands::Delete(args) => org_delete_command(&client, args).await?,
+            OrgCommands::Invites(args) => org_invites_command(&client, args).await?,
+            OrgCommands::Invite(args) => org_invite_command(&client, args).await?,
+            OrgCommands::Members(args) => org_members_command(&client, args).await?,
+            OrgCommands::AddMember(args) => org_add_member_command(&client, args).await?,
+            OrgCommands::UpdateMember(args) => org_update_member_command(&client, args).await?,
+            OrgCommands::RemoveMember(args) => org_remove_member_command(&client, args).await?,
+        },
+        Commands::Link { command } => unreal::dispatch(&client, command).await?,
         Commands::Project { command } => match command {
             ProjectCommands::List(args) => project_list_command(&client, args).await?,
             ProjectCommands::Create(args) => project_create_command(&client, args).await?,
             ProjectCommands::Get(args) => project_get_command(&client, args).await?,
             ProjectCommands::Update(args) => project_update_command(&client, args).await?,
             ProjectCommands::Delete(args) => project_delete_command(&client, args).await?,
+            ProjectCommands::Members(args) => project_members_command(&client, args).await?,
+            ProjectCommands::AddMember(args) => project_add_member_command(&client, args).await?,
+            ProjectCommands::UpdateMember(args) => {
+                project_update_member_command(&client, args).await?
+            }
+            ProjectCommands::RemoveMember(args) => {
+                project_remove_member_command(&client, args).await?
+            }
         },
         Commands::Token { command } => match command {
             TokenCommands::List(args) => token_list_command(&client, args).await?,
@@ -1952,6 +4562,8 @@ async fn main() -> Result<()> {
         Commands::File { command } => match command {
             FileCommands::List(args) => file_list_command(&client, args).await?,
             FileCommands::Get(args) => file_get_command(&client, args).await?,
+            FileCommands::Stat(args) => file_stat_command(&client, args).await?,
+            FileCommands::Download(args) => file_download_command(&client, args).await?,
             FileCommands::Upload(args) => file_upload_command(&client, args).await?,
             FileCommands::Mkdir(args) => file_mkdir_command(&client, args).await?,
             FileCommands::Move(args) => file_move_command(&client, args).await?,
@@ -1970,3 +4582,27 @@ async fn main() -> Result<()> {
 
     Ok(())
 }
+
+#[tokio::main]
+async fn main() {
+    let cli = Cli::parse();
+    let output = cli.output;
+    if let Err(error) = run_cli(cli).await {
+        match output {
+            OutputFormat::Json => {
+                let payload = serde_json::json!({
+                    "ok": false,
+                    "error": format!("{:#}", error)
+                });
+                if let Err(emit_error) = print_json(&payload) {
+                    eprintln!("Error: {}", error);
+                    eprintln!("Failed to emit JSON error payload: {}", emit_error);
+                }
+            }
+            OutputFormat::Text => {
+                eprintln!("Error: {:#}", error);
+            }
+        }
+        std::process::exit(1);
+    }
+}