rekor-cli 0.1.27 → 0.1.29

package/dist/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/program.ts
-import { Command as Command18 } from "commander";
+import { Command as Command21 } from "commander";
 
 // src/commands/login.ts
 import { Command } from "commander";
@@ -527,6 +527,9 @@ async function currentAuthKind() {
   const resolved = await getResolvedToken();
   return resolved?.kind ?? null;
 }
+async function isAuthenticated() {
+  return await getResolvedToken() !== null;
+}
 
 // src/pkce.ts
 import * as crypto from "crypto";
@@ -540,6 +543,17 @@ function generateState() {
   return crypto.randomBytes(16).toString("base64url");
 }
 
+// src/env.ts
+function isCI() {
+  return Boolean(process.env["CI"]);
+}
+function isInteractive() {
+  return Boolean(process.stdin.isTTY && process.stdout.isTTY);
+}
+function isSSH() {
+  return Boolean(process.env["SSH_CONNECTION"] || process.env["SSH_TTY"]);
+}
+
 // src/commands/login.ts
 var FALLBACK_URL_DELAY_MS = 5e3;
 var loginCommand = new Command("login").description("Authenticate with Rekor").option("--token <token>", "API key for headless/CI authentication (rec_...)").option("--api-url <url>", "API base URL").action(async (opts) => {
@@ -548,18 +562,10 @@ var loginCommand = new Command("login").description("Authenticate with Rekor").o
     console.log("Authenticated successfully");
     return;
   }
-  try {
-    await browserLoginPkce(opts.apiUrl);
-    console.log("Authenticated successfully");
-  } catch (err) {
-    console.error(
-      `Login failed: ${err instanceof Error ? err.message : "Unknown error"}`
-    );
-    process.exit(1);
-  }
+  await browserLoginPkce(opts.apiUrl);
+  console.log("Authenticated successfully");
 });
 async function browserLoginPkce(apiUrl) {
-  const open = await import("open").then((m) => m.default);
   const codeVerifier = generateCodeVerifier();
   const codeChallenge = generateCodeChallenge(codeVerifier);
   const state = generateState();
@@ -575,24 +581,31 @@ async function browserLoginPkce(apiUrl) {
   authorizeUrl.searchParams.set("code_challenge_method", "S256");
   authorizeUrl.searchParams.set("state", state);
   authorizeUrl.searchParams.set("scope", "openid profile email offline_access");
-  console.log("Opening browser for authentication...");
   const callbackPromise = startCallbackServer(port, state);
-  let fallbackPrinted = false;
-  const fallbackTimer = setTimeout(() => {
-    fallbackPrinted = true;
-    console.log(`If the browser didn't open, visit: ${authorizeUrl.toString()}`);
-  }, FALLBACK_URL_DELAY_MS);
-  open(authorizeUrl.toString()).catch(() => {
-    if (fallbackPrinted) return;
-    clearTimeout(fallbackTimer);
-    console.log("Could not open browser automatically.");
-    console.log(`Visit: ${authorizeUrl.toString()}`);
-  });
+  let fallbackTimer;
+  if (isSSH()) {
+    console.log("SSH session detected. Open this URL in a browser to authenticate:");
+    console.log(authorizeUrl.toString());
+  } else {
+    console.log("Opening browser for authentication...");
+    const open = await import("open").then((m) => m.default);
+    let fallbackPrinted = false;
+    fallbackTimer = setTimeout(() => {
+      fallbackPrinted = true;
+      console.log(`If the browser didn't open, visit: ${authorizeUrl.toString()}`);
+    }, FALLBACK_URL_DELAY_MS);
+    open(authorizeUrl.toString()).catch(() => {
+      if (fallbackPrinted) return;
+      clearTimeout(fallbackTimer);
+      console.log("Could not open browser automatically.");
+      console.log(`Visit: ${authorizeUrl.toString()}`);
+    });
+  }
   let code;
   try {
     ({ code } = await callbackPromise);
   } finally {
-    clearTimeout(fallbackTimer);
+    if (fallbackTimer) clearTimeout(fallbackTimer);
   }
   const tokens = await exchangeCodeForTokens(authkitDomain, clientId, code, codeVerifier, redirectUri);
   const expiresAt = expiresInToIso(tokens.expires_in);
@@ -607,6 +620,43 @@ async function browserLoginPkce(apiUrl) {
 // src/commands/logout.ts
 import { Command as Command2 } from "commander";
 
+// src/errors.ts
+var ApiError = class extends Error {
+  constructor(status, message, code, body) {
+    super(message);
+    this.status = status;
+    this.code = code;
+    this.body = body;
+    this.name = "ApiError";
+  }
+  /** 4xx are user-facing (bad input, auth, quota) — not bugs worth reporting. */
+  get isExpected() {
+    return this.status >= 400 && this.status < 500;
+  }
+};
+function friendlyHint(err) {
+  if (!(err instanceof ApiError)) return null;
+  switch (err.status) {
+    case 401:
+      return "Authentication failed or session expired. Run `rekor login`.";
+    case 402:
+      return "Quota exceeded for your plan. Review usage or upgrade your plan.";
+    case 403:
+      return "Access denied. Your token may lack permission for this resource.";
+    case 429:
+      return "Rate limited. Wait a moment and try again.";
+    default:
+      if (err.status >= 500) return "Rekor server error. Try again shortly.";
+      return null;
+  }
+}
+function handleCliError(err) {
+  const message = err instanceof Error ? err.message : String(err);
+  console.error(`Error: ${message}`);
+  const hint = friendlyHint(err);
+  if (hint) console.error(hint);
+}
+
 // src/client.ts
 var ApiClient = class {
   baseUrl;
@@ -632,11 +682,24 @@ var ApiClient = class {
       },
       body: body ? JSON.stringify(body) : void 0
     });
-    const json = await res.json();
+    const text = await res.text();
+    let parsed;
+    if (text) {
+      try {
+        parsed = JSON.parse(text);
+      } catch {
+        parsed = void 0;
+      }
+    }
     if (!res.ok) {
-      throw new Error(json.error?.message ?? `HTTP ${res.status}`);
+      throw new ApiError(
+        res.status,
+        parsed?.error?.message ?? `HTTP ${res.status}`,
+        parsed?.error?.code,
+        parsed
+      );
     }
-    return json.data;
+    return parsed?.data;
   }
   async uploadFile(url, body, contentType) {
     const res = await fetch(url, {
@@ -648,7 +711,7 @@ var ApiClient = class {
       body
     });
     if (!res.ok) {
-      throw new Error(`Upload failed: HTTP ${res.status}`);
+      throw new ApiError(res.status, `Upload failed: HTTP ${res.status}`);
     }
   }
 };
@@ -732,6 +795,22 @@ function getFormat(cmd) {
   return cmd.parent?.parent?.opts().output ?? cmd.parent?.opts().output ?? "table";
 }
 
+// src/prompt.ts
+import * as readline from "readline";
+function confirm(question, opts = {}) {
+  if (!isInteractive()) return Promise.resolve(true);
+  const suffix = opts.defaultYes ? "[Y/n]" : "[y/N]";
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(`${question} ${suffix}: `, (answer) => {
+      rl.close();
+      const a = answer.trim().toLowerCase();
+      if (a === "") return resolve(Boolean(opts.defaultYes));
+      resolve(a === "y" || a === "yes");
+    });
+  });
+}
+
 // src/commands/databases.ts
 var databasesCommand = new Command3("databases").description("Manage databases");
 databasesCommand.command("list").description("List all databases").option("--tag <tag>", "Filter by tag").action(async function(opts) {
@@ -764,9 +843,13 @@ databasesCommand.command("tag <id>").description("Set tags on a database").requi
   });
   console.log(formatOutput(data, getFormat(this)));
 });
-databasesCommand.command("delete <id>").description("Delete a database").action(async (_id) => {
+databasesCommand.command("delete <id>").description("Delete a database").option("-y, --yes", "Skip confirmation prompt").action(async (id, opts) => {
+  if (!opts.yes && !await confirm(`Delete database "${id}"? This cannot be undone.`)) {
+    console.log("Aborted");
+    return;
+  }
   const client = new ApiClient();
-  await client.request("DELETE", `/v1/databases/${_id}`);
+  await client.request("DELETE", `/v1/databases/${id}`);
   console.log("Deleted");
 });
 databasesCommand.command("create-preview <production-id>").description("Create a preview database linked to a production database").requiredOption("--name <name>", "Preview database name").option("--description <desc>", "Description").action(async function(productionId, opts) {
@@ -833,7 +916,11 @@ collectionsCommand.command("upsert <id>").description("Create or update a collec
   const data = await client.request("PUT", `/v1/${ws}/collections/${id}`, body);
   console.log(formatOutput(data, getFormat(this)));
 });
-collectionsCommand.command("delete <id>").description("Delete a collection").action(async function(id) {
+collectionsCommand.command("delete <id>").description("Delete a collection").option("-y, --yes", "Skip confirmation prompt").action(async function(id, opts) {
+  if (!opts.yes && !await confirm(`Delete collection "${id}"? This cannot be undone.`)) {
+    console.log("Aborted");
+    return;
+  }
   const ws = getDatabase(this);
   const client = new ApiClient();
   await client.request("DELETE", `/v1/${ws}/collections/${id}`);
@@ -859,7 +946,11 @@ documentsCommand.command("get <collection> <id>").description("Get a document by
   const data = await client.request("GET", `/v1/${ws}/documents/${collection}/${id}`);
   console.log(formatOutput(data, getFormat(this)));
 });
-documentsCommand.command("delete <collection> <id>").description("Delete a document").action(async function(collection, id) {
+documentsCommand.command("delete <collection> <id>").description("Delete a document").option("-y, --yes", "Skip confirmation prompt").action(async function(collection, id, opts) {
+  if (!opts.yes && !await confirm(`Delete document ${collection}/${id}? This cannot be undone.`)) {
+    console.log("Aborted");
+    return;
+  }
   const ws = getDatabase(this);
   const client = new ApiClient();
   await client.request("DELETE", `/v1/${ws}/documents/${collection}/${id}`);
@@ -925,7 +1016,11 @@ relationshipsCommand.command("get <id>").description("Get a relationship by ID")
   const data = await client.request("GET", `/v1/${ws}/relationships/${id}`);
   console.log(formatOutput(data, getFormat(this)));
 });
-relationshipsCommand.command("delete <id>").description("Delete a relationship").action(async function(id) {
+relationshipsCommand.command("delete <id>").description("Delete a relationship").option("-y, --yes", "Skip confirmation prompt").action(async function(id, opts) {
+  if (!opts.yes && !await confirm(`Delete relationship ${id}? This cannot be undone.`)) {
+    console.log("Aborted");
+    return;
+  }
   const ws = getDatabase(this);
   const client = new ApiClient();
   await client.request("DELETE", `/v1/${ws}/relationships/${id}`);
@@ -985,7 +1080,11 @@ attachmentsCommand.command("list <collection> <id>").description("List attachmen
   const data = await client.request("GET", `/v1/${ws}/documents/${collection}/${id}/attachments${query}`);
   console.log(formatOutput(data, getFormat(this)));
 });
-attachmentsCommand.command("delete <collection> <id> <attachment-id>").description("Delete an attachment").action(async function(collection, id, attachmentId) {
+attachmentsCommand.command("delete <collection> <id> <attachment-id>").description("Delete an attachment").option("-y, --yes", "Skip confirmation prompt").action(async function(collection, id, attachmentId, opts) {
+  if (!opts.yes && !await confirm(`Delete attachment ${attachmentId} on ${collection}/${id}? This cannot be undone.`)) {
+    console.log("Aborted");
+    return;
+  }
   const ws = getDatabase(this);
   const client = new ApiClient();
   await client.request("DELETE", `/v1/${ws}/documents/${collection}/${id}/attachments/${attachmentId}`);
@@ -1023,7 +1122,11 @@ hooksCommand.command("list").description("List all hooks").action(async function
   const data = await client.request("GET", `/v1/${ws}/hooks`);
   console.log(formatOutput(data, getFormat(this)));
 });
-hooksCommand.command("delete <id>").description("Delete a hook").action(async function(id) {
+hooksCommand.command("delete <id>").description("Delete a hook").option("-y, --yes", "Skip confirmation prompt").action(async function(id, opts) {
+  if (!opts.yes && !await confirm(`Delete hook ${id}? This cannot be undone.`)) {
+    console.log("Aborted");
+    return;
+  }
   const ws = getDatabase(this);
   const client = new ApiClient();
   await client.request("DELETE", `/v1/${ws}/hooks/${id}`);
@@ -1066,7 +1169,11 @@ triggersCommand.command("list").description("List all triggers").action(async fu
   const data = await client.request("GET", `/v1/${ws}/triggers`);
   console.log(formatOutput(data, getFormat(this)));
 });
-triggersCommand.command("delete <id>").description("Delete a trigger").action(async function(id) {
+triggersCommand.command("delete <id>").description("Delete a trigger").option("-y, --yes", "Skip confirmation prompt").action(async function(id, opts) {
+  if (!opts.yes && !await confirm(`Delete trigger ${id}? This cannot be undone.`)) {
+    console.log("Aborted");
+    return;
+  }
   const ws = getDatabase(this);
   const client = new ApiClient();
   await client.request("DELETE", `/v1/${ws}/triggers/${id}`);
@@ -1120,7 +1227,11 @@ endpointsCommand.command("list").description("List all endpoints").action(async
   const data = await client.request("GET", `/v1/${ws}/endpoints`);
   console.log(formatOutput(data, getFormat(this)));
 });
-endpointsCommand.command("delete <slug>").description("Delete an endpoint").action(async function(slug) {
+endpointsCommand.command("delete <slug>").description("Delete an endpoint").option("-y, --yes", "Skip confirmation prompt").action(async function(slug, opts) {
+  if (!opts.yes && !await confirm(`Delete endpoint "${slug}"? This cannot be undone.`)) {
+    console.log("Aborted");
+    return;
+  }
   const ws = getDatabase(this);
   const client = new ApiClient();
   await client.request("DELETE", `/v1/${ws}/endpoints/${slug}`);
@@ -1180,8 +1291,8 @@ providersCommand.command("export <provider>").description(`Export collections as
   const query = opts.collections ? `?collections=${opts.collections}` : "";
   const data = await client.request("GET", `/v1/${ws}/providers/${provider}/export${query}`);
   if (opts.output) {
-    const { writeFileSync: writeFileSync3 } = await import("fs");
-    writeFileSync3(opts.output, JSON.stringify(data, null, 2));
+    const { writeFileSync: writeFileSync4 } = await import("fs");
+    writeFileSync4(opts.output, JSON.stringify(data, null, 2));
     console.log(`Written to ${opts.output}`);
   } else {
     console.log(formatOutput(data, getFormat(this)));
@@ -1257,11 +1368,12 @@ doCommand.command("read <type> <id> <table>").description("Read rows from an int
   if (data.truncated) console.log("(truncated \u2014 pass --limit to see more)");
 });
 var reportCommand = debugCommand.command("report").description("Inspect and triage the platform_report queue (Sentry + CLI bug reports)");
-reportCommand.command("list").description("List reports with optional filters").option("--status <s>", "pending | grouped | escalated | addressed | dismissed").option("--source <s>", "sentry | cli_report").option("--limit <n>", "Max rows (default 50, cap 200)", (v) => Number(v)).option("--offset <n>", "Offset for pagination", (v) => Number(v)).option("--since <iso>", "Lower bound on created_at (ISO timestamp)").action(async function(opts) {
+reportCommand.command("list").description("List reports with optional filters").option("--status <s>", "pending | grouped | escalated | addressed | dismissed").option("--source <s>", "sentry | cli_report | review | security_audit").option("--classification <c>", "bug | flaky_test | security").option("--limit <n>", "Max rows (default 50, cap 200)", (v) => Number(v)).option("--offset <n>", "Offset for pagination", (v) => Number(v)).option("--since <iso>", "Lower bound on created_at (ISO timestamp)").action(async function(opts) {
   const client = new ApiClient();
   const params = new URLSearchParams();
   if (opts.status) params.set("status", opts.status);
   if (opts.source) params.set("source", opts.source);
+  if (opts.classification) params.set("classification", opts.classification);
   if (opts.limit !== void 0) params.set("limit", String(opts.limit));
   if (opts.offset !== void 0) params.set("offset", String(opts.offset));
   if (opts.since) params.set("since", opts.since);
@@ -1329,13 +1441,16 @@ reportCommand.command("dismiss <id>").description("Mark a report as dismissed (n
 
 // src/commands/report-bug.ts
 import { Command as Command17 } from "commander";
-var reportBugCommand = new Command17("report-bug").description("Submit a bug report to Rekor (deduplicated by content)").requiredOption("--title <title>", "Short summary").requiredOption("--description <text>", "What happened").option("--severity <level>", "low | medium | high | critical").option("--steps <text>", "Steps to reproduce").option("--error-message <text>", "Exact error text if any").option("--context <text>", "Additional context (logs, request IDs)").option("--locale <code>", "Notification locale (en | pt | es)", "en").option("--reporter-email <addr>", "Override reporter email (defaults to session email)").action(async function(opts) {
+var reportBugCommand = new Command17("report-bug").description("Submit a report to the Rekor triage queue (deduplicated)").requiredOption("--title <title>", "Short summary").requiredOption("--description <text>", "What happened").option("--source <source>", "Origin: cli_report (default) | review | security_audit").option("--classification <c>", "Nature: bug (default) | flaky_test | security").option("--dedup-key <key>", 'Stable dedup key (e.g. "<file>::<test>"); collapses repeat occurrences').option("--severity <level>", "low | medium | high | critical").option("--steps <text>", "Steps to reproduce").option("--error-message <text>", "Exact error text if any").option("--context <text>", "Additional context (logs, request IDs)").option("--locale <code>", "Notification locale (en | pt | es)", "en").option("--reporter-email <addr>", "Override reporter email (defaults to session email)").action(async function(opts) {
   const client = new ApiClient();
   const body = {
     title: opts.title,
     description: opts.description,
     locale: opts.locale
   };
+  if (opts.source) body["source"] = opts.source;
+  if (opts.classification) body["classification"] = opts.classification;
+  if (opts.dedupKey) body["dedup_key"] = opts.dedupKey;
   if (opts.severity) body["severity"] = opts.severity;
   if (opts.steps) body["steps"] = opts.steps;
   if (opts.errorMessage) body["error_message"] = opts.errorMessage;
@@ -1350,10 +1465,95 @@ var reportBugCommand = new Command17("report-bug").description("Submit a bug rep
   }
 });
 
+// src/commands/update.ts
+import { Command as Command18 } from "commander";
+import { execFileSync } from "child_process";
+
+// src/version.ts
+function isNewerVersion(latest, current) {
+  const strip = (v) => v.replace(/[-+].*$/, "");
+  const l = strip(latest).split(".").map(Number);
+  const c = strip(current).split(".").map(Number);
+  for (let i = 0; i < Math.max(l.length, c.length); i++) {
+    const lv = l[i] ?? 0;
+    const cv = c[i] ?? 0;
+    if (Number.isNaN(lv) || Number.isNaN(cv)) return false;
+    if (lv > cv) return true;
+    if (lv < cv) return false;
+  }
+  return false;
+}
+
+// src/version-check.ts
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3 } from "fs";
+import { join as join2 } from "path";
+import { execFile } from "child_process";
+var NPM_PACKAGE = "rekor-cli";
+var CACHE_FILE = join2(CONFIG_DIR, "update-check.json");
+var MAX_AGE_MS = 24 * 60 * 60 * 1e3;
+function isDisabled() {
+  return Boolean(
+    process.env["NO_UPDATE_NOTIFIER"] || process.env["REKOR_NO_UPDATE_CHECK"] || isCI()
+  );
+}
+function readCache() {
+  try {
+    const parsed = JSON.parse(readFileSync6(CACHE_FILE, "utf-8"));
+    if (typeof parsed.lastCheck !== "number") return null;
+    if (parsed.latest !== null && typeof parsed.latest !== "string") return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function writeCache(cache) {
+  try {
+    mkdirSync3(CONFIG_DIR, { recursive: true, mode: 448 });
+    writeFileSync3(CACHE_FILE, JSON.stringify(cache), { mode: 384 });
+  } catch {
+  }
+}
+function readCachedLatest(current) {
+  const cache = readCache();
+  if (!cache?.latest) return null;
+  if (Date.now() - cache.lastCheck > MAX_AGE_MS) return null;
+  return isNewerVersion(cache.latest, current) ? cache.latest : null;
+}
+function notify(latest, current) {
+  console.error(`
+Update available: ${current} \u2192 ${latest}
+Run \`rekor update\` to update.`);
+}
+function checkForUpdates(current) {
+  if (isDisabled()) return;
+  try {
+    const cache = readCache();
+    if (cache && Date.now() - cache.lastCheck < MAX_AGE_MS) {
+      if (cache.latest && isNewerVersion(cache.latest, current)) notify(cache.latest, current);
+      return;
+    }
+    writeCache({ lastCheck: Date.now(), latest: cache?.latest ?? null });
+    const child = execFile(
+      "npm",
+      ["view", NPM_PACKAGE, "version"],
+      { timeout: 5e3, shell: true },
+      (err, stdout) => {
+        if (err) return;
+        const latest = stdout.trim();
+        if (!latest) return;
+        writeCache({ lastCheck: Date.now(), latest });
+        if (isNewerVersion(latest, current)) notify(latest, current);
+      }
+    );
+    child.unref();
+  } catch {
+  }
+}
+
 // package.json
 var package_default = {
   name: "rekor-cli",
-  version: "0.1.27",
+  version: "0.1.29",
   type: "module",
   engines: {
     node: ">=20.0.0"
@@ -1377,6 +1577,9 @@ var package_default = {
     commander: "^13.1.0",
     open: "^11.0.0"
   },
+  optionalDependencies: {
+    "@sentry/node": "^10.0.0"
+  },
   devDependencies: {
     "@types/node": "^25.5.0",
     tsup: "^8.4.0",
@@ -1385,10 +1588,110 @@ var package_default = {
   }
 };
 
+// src/commands/update.ts
+var updateCommand = new Command18("update").description("Update the Rekor CLI to the latest published version").action(() => {
+  console.log(`Current version: ${package_default.version}`);
+  console.log("Checking for updates...");
+  let latest;
+  try {
+    latest = execFileSync("npm", ["view", NPM_PACKAGE, "version"], { timeout: 1e4, shell: true }).toString().trim();
+  } catch {
+    console.error(`Could not reach npm to check for updates.`);
+    console.error(`Try manually: npm install -g ${NPM_PACKAGE}`);
+    process.exit(1);
+  }
+  if (!isNewerVersion(latest, package_default.version)) {
+    console.log(`Already on the latest version (${package_default.version}).`);
+    return;
+  }
+  console.log(`Updating ${package_default.version} \u2192 ${latest}...`);
+  try {
+    execFileSync("npm", ["install", "-g", `${NPM_PACKAGE}@latest`], {
+      timeout: 12e4,
+      shell: true,
+      stdio: "inherit"
+    });
+    console.log(`Updated to ${latest}.`);
+  } catch (err) {
+    console.error(`Update failed: ${err instanceof Error ? err.message : String(err)}`);
+    console.error(`Try manually: npm install -g ${NPM_PACKAGE}`);
+    process.exit(1);
+  }
+});
+
+// src/commands/whoami.ts
+import { Command as Command19 } from "commander";
+var whoamiCommand = new Command19("whoami").description("Show the authenticated identity").action(async function() {
+  const client = new ApiClient();
+  const me = await client.request("GET", "/v1/auth/me");
+  if (getFormat(this) === "json") {
+    console.log(JSON.stringify(me, null, 2));
+    return;
+  }
+  console.log(`auth_kind:      ${me.auth_kind}`);
+  if (me.email) console.log(`email:          ${me.email}`);
+  if (me.user_id) console.log(`user_id:        ${me.user_id}`);
+  if (me.org_id) console.log(`org_id:         ${me.org_id}`);
+  console.log(`grants:         ${me.grants_summary}`);
+  if (me.orgs && me.orgs.length > 0) {
+    console.log("organizations:");
+    for (const o of me.orgs) {
+      console.log(`  ${o.name} (${o.org_id}) \u2014 ${o.role}`);
+    }
+  }
+});
+
+// src/commands/status.ts
+import { Command as Command20 } from "commander";
+var statusCommand = new Command20("status").description("Show auth, connectivity, and CLI version diagnostics").action(async function() {
+  const config = loadConfig();
+  const loggedIn = await isAuthenticated();
+  const cliLatest = readCachedLatest(package_default.version);
+  let tokenValid = null;
+  let me = null;
+  if (loggedIn) {
+    try {
+      me = await new ApiClient().request("GET", "/v1/auth/me");
+      tokenValid = true;
+    } catch (err) {
+      if (err instanceof ApiError && (err.status === 401 || err.status === 403)) tokenValid = false;
+    }
+  }
+  const snapshot = {
+    logged_in: loggedIn,
+    token_valid: tokenValid,
+    api_url: config.api_url,
+    auth_kind: me?.auth_kind ?? null,
+    email: me?.email ?? null,
+    org_id: me?.org_id ?? null,
+    grants: me?.grants_summary ?? null,
+    cli: { version: package_default.version, latest: cliLatest }
+  };
+  if (getFormat(this) === "json") {
+    console.log(JSON.stringify(snapshot, null, 2));
+    return;
+  }
+  if (!loggedIn) {
+    console.log("Not logged in. Run `rekor login`.");
+    console.log(`API: ${config.api_url}`);
+    if (cliLatest) console.log(`CLI: ${package_default.version} (latest: ${cliLatest} \u2014 run \`rekor update\`)`);
+    return;
+  }
+  const tokenStatus = tokenValid === true ? "token valid" : tokenValid === false ? "token rejected \u2014 run `rekor login` to re-authenticate" : "token validity unknown \u2014 backend unreachable";
+  console.log(`Logged in${me?.email ? ` as ${me.email}` : ""} \u2014 ${tokenStatus}`);
+  console.log(`API: ${config.api_url}`);
+  if (me?.auth_kind) console.log(`Auth: ${me.auth_kind}`);
+  if (me?.org_id) console.log(`Org: ${me.org_id}`);
+  if (me?.grants_summary) console.log(`Grants: ${me.grants_summary}`);
+  if (cliLatest) console.log(`CLI: ${package_default.version} (latest: ${cliLatest} \u2014 run \`rekor update\`)`);
+});
+
 // src/program.ts
-var program = new Command18("rekor").description("Rekor CLI \u2014 System of Record for AI agents").version(package_default.version).option("--database <id>", "Database ID").option("--output <format>", "Output format: json or table", "table");
+var program = new Command21("rekor").description("Rekor CLI \u2014 System of Record for AI agents").version(package_default.version).option("--database <id>", "Database ID").option("--output <format>", "Output format: json or table", "table");
 program.addCommand(loginCommand);
 program.addCommand(logoutCommand);
+program.addCommand(whoamiCommand);
+program.addCommand(statusCommand);
 program.addCommand(databasesCommand);
 program.addCommand(collectionsCommand);
 program.addCommand(documentsCommand);
@@ -1404,7 +1707,84 @@ program.addCommand(tokensCommand);
 program.addCommand(endpointsCommand);
 program.addCommand(debugCommand);
 program.addCommand(reportBugCommand);
+program.addCommand(updateCommand);
+
+// src/telemetry.ts
+import { homedir as homedir2, platform, arch } from "os";
+var sentry = null;
+function getDsn() {
+  if (process.env["REKOR_TELEMETRY_DISABLED"]) return void 0;
+  return process.env["REKOR_CLI_SENTRY_DSN"] || void 0;
+}
+function scrubHome(event, home) {
+  const root = home.replace(/[\\/]+$/, "");
+  if (!root) return event;
+  const re = new RegExp(root.replace(/[.*+?^${}()|[\]\\]/g, "\\$&") + "(?=[\\\\/]|$)", "g");
+  const scrub = (s) => s.replace(re, "~");
+  for (const value of event.exception?.values ?? []) {
+    if (value.value) value.value = scrub(value.value);
+    for (const frame of value.stacktrace?.frames ?? []) {
+      if (frame.filename) frame.filename = scrub(frame.filename);
+      if (frame.abs_path) frame.abs_path = scrub(frame.abs_path);
+    }
+  }
+  return event;
+}
+async function initTelemetry(command2, version) {
+  if (sentry) return;
+  const dsn = getDsn();
+  if (!dsn) return;
+  try {
+    const mod = await import("@sentry/node");
+    const home = homedir2();
+    mod.init({
+      dsn,
+      tracesSampleRate: 0,
+      release: `rekor-cli@${version}`,
+      environment: "production",
+      defaultIntegrations: false,
+      beforeSend: (event) => scrubHome(event, home)
+    });
+    mod.setTag("command", command2 || "unknown");
+    mod.setTag("node_version", process.version);
+    mod.setTag("os_platform", platform());
+    mod.setTag("os_arch", arch());
+    sentry = mod;
+  } catch {
+    sentry = null;
+  }
+}
+function captureException(err) {
+  if (!sentry) return;
+  if (err instanceof ApiError && err.isExpected) return;
+  try {
+    sentry.captureException(err);
+  } catch {
+  }
+}
+async function closeTelemetry() {
+  if (!sentry) return;
+  try {
+    await sentry.close(2e3);
+  } catch {
+  }
+  sentry = null;
+}
 
 // src/index.ts
-program.parse();
+var SKIP_UPDATE_CHECK = ["--version", "-v", "--help", "-h", "help", "update"];
+var command = process.argv[2];
+async function main() {
+  await initTelemetry(command, package_default.version);
+  await program.parseAsync();
+  if (command && !SKIP_UPDATE_CHECK.includes(command)) {
+    checkForUpdates(package_default.version);
+  }
+}
+main().then(() => closeTelemetry()).catch(async (err) => {
+  handleCliError(err);
+  captureException(err);
+  await closeTelemetry();
+  process.exit(1);
+});
 //# sourceMappingURL=index.js.map