specli 0.0.4 → 0.0.7

package/dist/src/cli/types.d.ts

@@ -0,0 +1,53 @@
+export type SpecSource = "embedded" | "file" | "url";
+export type SecurityRequirement = Record<string, string[]>;
+export type OpenApiDoc = {
+    openapi: string;
+    info?: {
+        title?: string;
+        version?: string;
+    };
+    servers?: Array<{
+        url: string;
+        description?: string;
+        variables?: unknown;
+    }>;
+    security?: SecurityRequirement[];
+    components?: {
+        securitySchemes?: Record<string, unknown>;
+    };
+    paths?: Record<string, unknown>;
+};
+export type NormalizedParameter = {
+    in: "path" | "query" | "header" | "cookie";
+    name: string;
+    required: boolean;
+    description?: string;
+    schema?: unknown;
+};
+export type JsonSchema = Record<string, unknown>;
+export declare function isJsonSchema(value: unknown): value is JsonSchema;
+export type NormalizedRequestBody = {
+    required: boolean;
+    contentTypes: string[];
+    schemasByContentType: Record<string, unknown | undefined>;
+};
+export type NormalizedOperation = {
+    key: string;
+    method: string;
+    path: string;
+    operationId?: string;
+    tags: string[];
+    summary?: string;
+    description?: string;
+    deprecated?: boolean;
+    security?: SecurityRequirement[];
+    parameters: NormalizedParameter[];
+    requestBody?: NormalizedRequestBody;
+};
+export type LoadedSpec = {
+    source: SpecSource;
+    id: string;
+    fingerprint: string;
+    doc: OpenApiDoc;
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/src/cli/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/cli/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,UAAU,GAAG,UAAU,GAAG,MAAM,GAAG,KAAK,CAAC;AAErD,MAAM,MAAM,mBAAmB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;AAE3D,MAAM,MAAM,UAAU,GAAG;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE;QACN,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,OAAO,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,OAAO,CAAC,EAAE,KAAK,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAC5E,QAAQ,CAAC,EAAE,mBAAmB,EAAE,CAAC;IACjC,UAAU,CAAC,EAAE;QACZ,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAC1C,CAAC;IACF,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IACjC,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC;IAC3C,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,OAAO,CAAC;CACjB,CAAC;AAGF,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAEjD,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,UAAU,CAEhE;AAED,MAAM,MAAM,qBAAqB,GAAG;IACnC,QAAQ,EAAE,OAAO,CAAC;IAClB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,oBAAoB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,GAAG,SAAS,CAAC,CAAC;CAC1D,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,EAAE,mBAAmB,EAAE,CAAC;IACjC,UAAU,EAAE,mBAAmB,EAAE,CAAC;IAClC,WAAW,CAAC,EAAE,qBAAqB,CAAC;CACpC,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG;IACxB,MAAM,EAAE,UAAU,CAAC;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,EAAE,UAAU,CAAC;CAChB,CAAC"}

package/dist/src/cli/types.js

@@ -0,0 +1,9 @@
+// src/cli/types.ts
+function isJsonSchema(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+export {
+  isJsonSchema
+};
+
+//# debugId=D591F75F6084972664756E2164756E21

package/dist/src/cli/types.js.map

@@ -0,0 +1,10 @@
+{
+  "version": 3,
+  "sources": ["../../../src/cli/types.ts"],
+  "sourcesContent": [
+    "export type SpecSource = \"embedded\" | \"file\" | \"url\";\n\nexport type SecurityRequirement = Record<string, string[]>;\n\nexport type OpenApiDoc = {\n\topenapi: string;\n\tinfo?: {\n\t\ttitle?: string;\n\t\tversion?: string;\n\t};\n\tservers?: Array<{ url: string; description?: string; variables?: unknown }>;\n\tsecurity?: SecurityRequirement[];\n\tcomponents?: {\n\t\tsecuritySchemes?: Record<string, unknown>;\n\t};\n\tpaths?: Record<string, unknown>;\n};\n\nexport type NormalizedParameter = {\n\tin: \"path\" | \"query\" | \"header\" | \"cookie\";\n\tname: string;\n\trequired: boolean;\n\tdescription?: string;\n\tschema?: unknown;\n};\n\n// Minimal JSON Schema-like shape for validation and flag expansion.\nexport type JsonSchema = Record<string, unknown>;\n\nexport function isJsonSchema(value: unknown): value is JsonSchema {\n\treturn Boolean(value) && typeof value === \"object\" && !Array.isArray(value);\n}\n\nexport type NormalizedRequestBody = {\n\trequired: boolean;\n\tcontentTypes: string[];\n\tschemasByContentType: Record<string, unknown | undefined>;\n};\n\nexport type NormalizedOperation = {\n\tkey: string;\n\tmethod: string;\n\tpath: string;\n\toperationId?: string;\n\ttags: string[];\n\tsummary?: string;\n\tdescription?: string;\n\tdeprecated?: boolean;\n\tsecurity?: SecurityRequirement[];\n\tparameters: NormalizedParameter[];\n\trequestBody?: NormalizedRequestBody;\n};\n\nexport type LoadedSpec = {\n\tsource: SpecSource;\n\tid: string;\n\tfingerprint: string;\n\tdoc: OpenApiDoc;\n};\n"
+  ],
+  "mappings": ";AA6BO,SAAS,YAAY,CAAC,OAAqC;AAAA,EACjE,OAAO,QAAQ,KAAK,KAAK,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ,KAAK;AAAA;",
+  "debugId": "D591F75F6084972664756E2164756E21",
+  "names": []
+}

package/package.json

@@ -1,18 +1,39 @@
 {
 	"name": "specli",
-	"module": "index.ts",
+	"version": "0.0.7",
 	"type": "module",
-	"version": "0.0.4",
+	"main": "./dist/index.js",
+	"module": "./dist/index.js",
+	"types": "./dist/index.d.ts",
 	"bin": {
-		"specli": "./cli.ts"
+		"specli": "./dist/cli.js"
+	},
+	"exports": {
+		".": {
+			"bun": "./index.ts",
+			"import": {
+				"types": "./dist/index.d.ts",
+				"default": "./dist/index.js"
+			}
+		},
+		"./ai/tools": {
+			"bun": "./src/ai/tools.ts",
+			"import": {
+				"types": "./dist/src/ai/tools.d.ts",
+				"default": "./dist/src/ai/tools.js"
+			}
+		}
 	},
 	"files": [
+		"dist",
 		"cli.ts",
 		"index.ts",
 		"src",
 		"!**/*.test.ts"
 	],
 	"scripts": {
+		"build": "bun run scripts/build.ts",
+		"prepublishOnly": "bun run build",
 		"lint": "biome ci",
 		"lint:check": "biome check --write --unsafe",
 		"lint:format": "biome format --write",
@@ -21,6 +42,7 @@
 	"devDependencies": {
 		"@biomejs/biome": "^2.3.11",
 		"@types/bun": "^1.3.6",
+		"@types/node": "^22.19.7",
 		"@typescript/native-preview": "^7.0.0-dev.20260120.1"
 	},
 	"dependencies": {
@@ -28,6 +50,11 @@
 		"ajv": "^8.17.1",
 		"ajv-formats": "^3.0.1",
 		"commander": "^14.0.2",
-		"openapi-types": "^12.1.3"
+		"openapi-types": "^12.1.3",
+		"yaml": "^2.8.2"
+	},
+	"peerDependencies": {
+		"ai": "^6.0.42",
+		"zod": "^4.3.5"
 	}
 }

package/src/ai/tools.ts

@@ -0,0 +1,211 @@
+/**
+ * AI SDK tools for specli
+ *
+ * Provides tools for AI agents to explore and execute OpenAPI specs.
+ *
+ * @example
+ * ```ts
+ * import { specli } from "specli/ai";
+ * import { generateText } from "ai";
+ *
+ * const result = await generateText({
+ *   model: yourModel,
+ *   tools: {
+ *     api: specli({ spec: "https://api.example.com/openapi.json" }),
+ *   },
+ *   prompt: "List all users",
+ * });
+ * ```
+ */
+
+import { tool } from "ai";
+import { z } from "zod";
+
+import type { CommandAction } from "../cli/command-model.ts";
+import { buildRuntimeContext } from "../cli/runtime/context.ts";
+import { execute } from "../cli/runtime/execute.ts";
+import type { RuntimeGlobals } from "../cli/runtime/request.ts";
+
+export type SpecliToolOptions = {
+	/** The OpenAPI spec URL or file path */
+	spec: string;
+	/** Override the server/base URL */
+	server?: string;
+	/** Server URL template variables */
+	serverVars?: Record<string, string>;
+	/** Bearer token for authentication */
+	bearerToken?: string;
+	/** API key for authentication */
+	apiKey?: string;
+	/** Basic auth credentials */
+	basicAuth?: { username: string; password: string };
+	/** Auth scheme to use (if multiple are available) */
+	authScheme?: string;
+};
+
+// Cache contexts to avoid reloading spec on every call
+const contextCache = new Map<
+	string,
+	Awaited<ReturnType<typeof buildRuntimeContext>>
+>();
+
+async function getContext(spec: string) {
+	let ctx = contextCache.get(spec);
+	if (!ctx) {
+		ctx = await buildRuntimeContext({ spec });
+		contextCache.set(spec, ctx);
+	}
+	return ctx;
+}
+
+function findAction(
+	ctx: Awaited<ReturnType<typeof buildRuntimeContext>>,
+	resource: string,
+	action: string,
+): CommandAction | undefined {
+	const r = ctx.commands.resources.find(
+		(r) => r.resource.toLowerCase() === resource.toLowerCase(),
+	);
+	return r?.actions.find(
+		(a) => a.action.toLowerCase() === action.toLowerCase(),
+	);
+}
+
+/**
+ * Create an AI SDK tool for interacting with an OpenAPI spec.
+ */
+export function specli(options: SpecliToolOptions) {
+	const {
+		spec,
+		server,
+		serverVars,
+		bearerToken,
+		apiKey,
+		basicAuth,
+		authScheme,
+	} = options;
+
+	return tool({
+		description: `Execute API operations. Commands: "list" (show resources/actions), "help" (action details), "exec" (call API).`,
+		inputSchema: z.object({
+			command: z.enum(["list", "help", "exec"]).describe("Command to run"),
+			resource: z.string().optional().describe("Resource name (e.g. users)"),
+			action: z
+				.string()
+				.optional()
+				.describe("Action name (e.g. list, get, create)"),
+			args: z.array(z.string()).optional().describe("Positional arguments"),
+			flags: z
+				.record(z.string(), z.unknown())
+				.optional()
+				.describe("Named flags"),
+		}),
+		execute: async ({ command, resource, action, args, flags }) => {
+			const ctx = await getContext(spec);
+
+			if (command === "list") {
+				return {
+					resources: ctx.commands.resources.map((r) => ({
+						name: r.resource,
+						actions: r.actions.map((a) => ({
+							name: a.action,
+							summary: a.summary,
+							method: a.method,
+							path: a.path,
+							args: a.positionals.map((p) => p.name),
+							requiredFlags: a.flags
+								.filter((f) => f.required)
+								.map((f) => f.flag),
+						})),
+					})),
+				};
+			}
+
+			if (command === "help") {
+				if (!resource) return { error: "Missing resource" };
+				const r = ctx.commands.resources.find(
+					(r) => r.resource.toLowerCase() === resource.toLowerCase(),
+				);
+				if (!r) return { error: `Unknown resource: ${resource}` };
+				if (!action) {
+					return {
+						resource: r.resource,
+						actions: r.actions.map((a) => a.action),
+					};
+				}
+				const a = r.actions.find(
+					(a) => a.action.toLowerCase() === action.toLowerCase(),
+				);
+				if (!a) return { error: `Unknown action: ${action}` };
+				return {
+					action: a.action,
+					method: a.method,
+					path: a.path,
+					summary: a.summary,
+					args: a.positionals.map((p) => ({
+						name: p.name,
+						description: p.description,
+					})),
+					flags: a.flags.map((f) => ({
+						name: f.flag,
+						type: f.type,
+						required: f.required,
+						description: f.description,
+					})),
+				};
+			}
+
+			if (command === "exec") {
+				if (!resource || !action)
+					return { error: "Missing resource or action" };
+				const actionDef = findAction(ctx, resource, action);
+				if (!actionDef) return { error: `Unknown: ${resource} ${action}` };
+
+				const positionalValues = args ?? [];
+				if (positionalValues.length < actionDef.positionals.length) {
+					return {
+						error: `Missing args: ${actionDef.positionals
+							.slice(positionalValues.length)
+							.map((p) => p.name)
+							.join(", ")}`,
+					};
+				}
+
+				const globals: RuntimeGlobals = {
+					server,
+					serverVar: serverVars
+						? Object.entries(serverVars).map(([k, v]) => `${k}=${v}`)
+						: undefined,
+					auth: authScheme,
+					bearerToken,
+					apiKey,
+					username: basicAuth?.username,
+					password: basicAuth?.password,
+				};
+
+				try {
+					const result = await execute({
+						specId: ctx.loaded.id,
+						action: actionDef,
+						positionalValues,
+						flagValues: flags ?? {},
+						globals,
+						servers: ctx.servers,
+						authSchemes: ctx.authSchemes,
+					});
+					return { status: result.status, ok: result.ok, body: result.body };
+				} catch (err) {
+					return { error: err instanceof Error ? err.message : String(err) };
+				}
+			}
+
+			return { error: `Unknown command: ${command}` };
+		},
+	});
+}
+
+/** Clear cached spec context */
+export function clearSpecliCache(spec?: string): void {
+	if (spec) contextCache.delete(spec);
+	else contextCache.clear();
+}

package/src/cli/main.ts

@@ -2,13 +2,12 @@ import { Command } from "commander";
 
 import { getArgValue, hasAnyArg } from "./runtime/argv.ts";
 import { collectRepeatable } from "./runtime/collect.ts";
+import { readStdinText } from "./runtime/compat.ts";
 import { buildRuntimeContext } from "./runtime/context.ts";
 import { addGeneratedCommands } from "./runtime/generated.ts";
 import { deleteToken, getToken, setToken } from "./runtime/profile/secrets.ts";
 import {
-	getProfile,
 	readProfiles,
-	removeProfile,
 	upsertProfile,
 	writeProfiles,
 } from "./runtime/profile/store.ts";
@@ -42,7 +41,6 @@ export async function main(argv: string[], options: MainOptions = {}) {
 		.option("--username <username>", "Basic auth username")
 		.option("--password <password>", "Basic auth password")
 		.option("--api-key <key>", "API key value")
-		.option("--profile <name>", "Profile name (stored under ~/.config/specli)")
 		.option("--json", "Machine-readable output")
 		.showHelpAfterError();
 
@@ -63,197 +61,109 @@ export async function main(argv: string[], options: MainOptions = {}) {
 		embeddedSpecText: options.embeddedSpecText,
 	});
 
-	const profileCmd = program
-		.command("profile")
-		.description("Manage specli profiles");
+	// Simple auth commands
+	const defaultProfileName = "default";
 
-	profileCmd
-		.command("list")
-		.description("List profiles")
-		.action(async (_opts, command) => {
+	program
+		.command("login [token]")
+		.description("Store a bearer token for authentication")
+		.action(async (tokenArg: string | undefined, _opts, command) => {
 			const globals = command.optsWithGlobals() as { json?: boolean };
-			const file = await readProfiles();
-
-			const payload = {
-				defaultProfile: file.defaultProfile,
-				profiles: file.profiles.map((p) => ({
-					name: p.name,
-					server: p.server,
-					authScheme: p.authScheme,
-				})),
-			};
-
-			if (globals.json) {
-				process.stdout.write(`${JSON.stringify(payload)}\n`);
-				return;
-			}
 
-			if (payload.defaultProfile) {
-				process.stdout.write(`default: ${payload.defaultProfile}\n`);
-			}
-			for (const p of payload.profiles) {
-				process.stdout.write(`${p.name}\n`);
-				if (p.server) process.stdout.write(`  server: ${p.server}\n`);
-				if (p.authScheme)
-					process.stdout.write(`  authScheme: ${p.authScheme}\n`);
+			let token = tokenArg;
+
+			// If no token argument, try to read from stdin (for piping)
+			if (!token) {
+				const isTTY = process.stdin.isTTY;
+				if (isTTY) {
+					// Interactive mode - prompt user
+					process.stdout.write("Enter token: ");
+					const reader = process.stdin;
+					const chunks: Buffer[] = [];
+					for await (const chunk of reader) {
+						chunks.push(chunk);
+						// Read one line only
+						if (chunk.includes(10)) break; // newline
+					}
+					token = Buffer.concat(chunks).toString().trim();
+				} else {
+					// Piped input - use cross-runtime stdin reading
+					const text = await readStdinText();
+					token = text.trim();
+				}
 			}
-		});
 
-	profileCmd
-		.command("set")
-		.description("Create or update a profile")
-		.requiredOption("--name <name>", "Profile name")
-		.option("--server <url>", "Default server/base URL")
-		.option("--auth <scheme>", "Default auth scheme key")
-		.option("--default", "Set as default profile")
-		.action(async (opts, command) => {
-			const globals = command.optsWithGlobals() as {
-				json?: boolean;
-				server?: string;
-				auth?: string;
-			};
-
-			const file = await readProfiles();
-			const next = upsertProfile(file, {
-				name: String(opts.name),
-				server:
-					typeof opts.server === "string"
-						? opts.server
-						: typeof globals.server === "string"
-							? globals.server
-							: undefined,
-				authScheme:
-					typeof opts.auth === "string"
-						? opts.auth
-						: typeof globals.auth === "string"
-							? globals.auth
-							: undefined,
-			});
-			const final = opts.default
-				? { ...next, defaultProfile: String(opts.name) }
-				: next;
-			await writeProfiles(final);
-
-			if (globals.json) {
-				process.stdout.write(
-					`${JSON.stringify({ ok: true, profile: String(opts.name) })}\n`,
+			if (!token) {
+				throw new Error(
+					"No token provided. Usage: login <token> or echo $TOKEN | login",
 				);
-				return;
 			}
-			process.stdout.write(`ok: profile ${String(opts.name)}\n`);
-		});
 
-	profileCmd
-		.command("rm")
-		.description("Remove a profile")
-		.requiredOption("--name <name>", "Profile name")
-		.action(async (opts, command) => {
-			const globals = command.optsWithGlobals() as { json?: boolean };
+			// Ensure default profile exists
 			const file = await readProfiles();
-			const removed = removeProfile(file, String(opts.name));
-
-			const final =
-				file.defaultProfile === opts.name
-					? { ...removed, defaultProfile: undefined }
-					: removed;
+			if (!file.profiles.find((p) => p.name === defaultProfileName)) {
+				const updated = upsertProfile(file, { name: defaultProfileName });
+				await writeProfiles({ ...updated, defaultProfile: defaultProfileName });
+			} else if (!file.defaultProfile) {
+				await writeProfiles({ ...file, defaultProfile: defaultProfileName });
+			}
 
-			await writeProfiles(final);
+			await setToken(ctx.loaded.id, defaultProfileName, token);
 
 			if (globals.json) {
-				process.stdout.write(
-					`${JSON.stringify({ ok: true, profile: String(opts.name) })}\n`,
-				);
+				process.stdout.write(`${JSON.stringify({ ok: true })}\n`);
 				return;
 			}
-
-			process.stdout.write(`ok: removed ${String(opts.name)}\n`);
+			process.stdout.write("ok: logged in\n");
 		});
 
-	profileCmd
-		.command("use")
-		.description("Set the default profile")
-		.requiredOption("--name <name>", "Profile name")
-		.action(async (opts, command) => {
+	program
+		.command("logout")
+		.description("Clear stored authentication token")
+		.action(async (_opts, command) => {
 			const globals = command.optsWithGlobals() as { json?: boolean };
-			const file = await readProfiles();
-			const profile = getProfile(file, String(opts.name));
-			if (!profile) throw new Error(`Profile not found: ${String(opts.name)}`);
 
-			await writeProfiles({ ...file, defaultProfile: String(opts.name) });
+			const deleted = await deleteToken(ctx.loaded.id, defaultProfileName);
 
 			if (globals.json) {
-				process.stdout.write(
-					`${JSON.stringify({ ok: true, defaultProfile: String(opts.name) })}\n`,
-				);
+				process.stdout.write(`${JSON.stringify({ ok: deleted })}\n`);
 				return;
 			}
-			process.stdout.write(`ok: default ${String(opts.name)}\n`);
+			process.stdout.write(
+				deleted ? "ok: logged out\n" : "ok: not logged in\n",
+			);
 		});
 
-	const authCmd = program.command("auth").description("Manage auth secrets");
+	program
+		.command("whoami")
+		.description("Show current authentication status")
+		.action(async (_opts, command) => {
+			const globals = command.optsWithGlobals() as { json?: boolean };
 
-	authCmd
-		.command("token")
-		.description("Set or get bearer token for a profile")
-		.option("--name <name>", "Profile name (defaults to global --profile)")
-		.option("--set <token>", "Set token")
-		.option("--get", "Get token")
-		.option("--delete", "Delete token")
-		.action(async (opts, command) => {
-			const globals = command.optsWithGlobals() as {
-				json?: boolean;
-				profile?: string;
-			};
+			const token = await getToken(ctx.loaded.id, defaultProfileName);
+			const hasToken = Boolean(token);
 
-			const profileName = String(opts.name ?? globals.profile ?? "");
-			if (!profileName) {
-				throw new Error(
-					"Missing profile name. Provide --name <name> or global --profile <name>.",
-				);
-			}
-			if (opts.set && (opts.get || opts.delete)) {
-				throw new Error("Use only one of --set, --get, --delete");
-			}
-			if (opts.get && opts.delete) {
-				throw new Error("Use only one of --get or --delete");
-			}
-			if (!opts.set && !opts.get && !opts.delete) {
-				throw new Error("Provide one of --set, --get, --delete");
+			// Mask the token for display (show first 8 and last 4 chars)
+			let maskedToken: string | null = null;
+			if (token && token.length > 16) {
+				maskedToken = `${token.slice(0, 8)}...${token.slice(-4)}`;
+			} else if (token) {
+				maskedToken = `${token.slice(0, 4)}...`;
 			}
 
-			if (typeof opts.set === "string") {
-				await setToken(ctx.loaded.id, profileName, opts.set);
-				if (globals.json) {
-					process.stdout.write(
-						`${JSON.stringify({ ok: true, profile: profileName })}\n`,
-					);
-					return;
-				}
-				process.stdout.write(`ok: token set for ${profileName}\n`);
-				return;
-			}
-
-			if (opts.get) {
-				const token = await getToken(ctx.loaded.id, profileName);
-				if (globals.json) {
-					process.stdout.write(
-						`${JSON.stringify({ profile: profileName, token })}\n`,
-					);
-					return;
-				}
-				process.stdout.write(`${token ?? ""}\n`);
+			if (globals.json) {
+				process.stdout.write(
+					`${JSON.stringify({ authenticated: hasToken, token: maskedToken })}\n`,
+				);
 				return;
 			}
 
-			if (opts.delete) {
-				const ok = await deleteToken(ctx.loaded.id, profileName);
-				if (globals.json) {
-					process.stdout.write(
-						`${JSON.stringify({ ok, profile: profileName })}\n`,
-					);
-					return;
-				}
-				process.stdout.write(`ok: ${ok ? "deleted" : "not-found"}\n`);
+			if (hasToken) {
+				process.stdout.write(`authenticated: yes\n`);
+				process.stdout.write(`token: ${maskedToken}\n`);
+			} else {
+				process.stdout.write(`authenticated: no\n`);
+				process.stdout.write(`Run 'login <token>' to authenticate.\n`);
 			}
 		});
 

package/src/cli/runtime/auth/resolve.ts

@@ -4,8 +4,15 @@ export type AuthInputs = {
 	flagAuthScheme?: string;
 	profileAuthScheme?: string;
 	embeddedAuthScheme?: string;
+	hasStoredToken?: boolean;
 };
 
+const BEARER_COMPATIBLE_KINDS = new Set([
+	"http-bearer",
+	"oauth2",
+	"openIdConnect",
+]);
+
 export function resolveAuthScheme(
 	authSchemes: AuthScheme[],
 	required: import("../../auth-requirements.ts").AuthSummary,
@@ -35,5 +42,18 @@ export function resolveAuthScheme(
 	// Otherwise if there is only one scheme in spec, pick it.
 	if (authSchemes.length === 1) return authSchemes[0]?.key;
 
+	// If user has a stored token and operation accepts a bearer-compatible scheme,
+	// automatically pick the first one that matches.
+	if (inputs.hasStoredToken && alts.length > 0) {
+		for (const alt of alts) {
+			if (alt.length !== 1) continue;
+			const key = alt[0]?.key;
+			const scheme = authSchemes.find((s) => s.key === key);
+			if (scheme && BEARER_COMPATIBLE_KINDS.has(scheme.kind)) {
+				return key;
+			}
+		}
+	}
+
 	return undefined;
 }