vigthoria-cli 1.8.15 → 1.9.2

package/dist/commands/auth.js

@@ -1,367 +1,409 @@
 "use strict";
-/**
- * Auth Command - Authentication management
- */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthCommand = void 0;
-const chalk_1 = __importDefault(require("chalk"));
-const readline = __importStar(require("readline"));
-const logger_js_1 = require("../utils/logger.js");
-const api_js_1 = require("../utils/api.js");
-/**
- * Prompt helpers using Node's built-in readline.
- * inquirer 9.x destroys the readline interface after each prompt() call
- * which triggers ERR_USE_AFTER_CLOSE on Node 20 Windows TTY when a second
- * prompt is attempted on the same process.stdin.  Using raw readline avoids
- * this entirely.
- *
- * IMPORTANT: We reuse a single readline.Interface for all prompts in the
- * login flow to avoid the triple-rl stdin contention that causes stalls
- * on Windows TTY and piped terminals.
- */
-function ask(rl, question) {
-    return new Promise((resolve) => rl.question(question, resolve));
+exports.authCommand = void 0;
+exports.readAuthSession = readAuthSession;
+exports.clearAuthSession = clearAuthSession;
+exports.refreshJwtIfNeeded = refreshJwtIfNeeded;
+exports.loginWithToken = loginWithToken;
+exports.loginWithCredentials = loginWithCredentials;
+exports.loginWithDeviceCode = loginWithDeviceCode;
+exports.getValidAuthSession = getValidAuthSession;
+exports.loginAction = loginAction;
+exports.logoutAction = logoutAction;
+exports.handleLogin = handleLogin;
+exports.handleLogout = handleLogout;
+exports.statusAction = statusAction;
+exports.createAuthCommand = createAuthCommand;
+exports.registerAuthCommand = registerAuthCommand;
+const commander_1 = require("commander");
+const fs_1 = __importDefault(require("fs"));
+const os_1 = __importDefault(require("os"));
+const path_1 = __importDefault(require("path"));
+const promises_1 = require("timers/promises");
+const DEFAULT_API_URL = 'https://coder.vigthoria.io';
+const CONFIG_DIR = path_1.default.join(os_1.default.homedir(), '.vigthoria');
+const AUTH_FILE = path_1.default.join(CONFIG_DIR, 'auth.json');
+const REFRESH_SKEW_MS = 30_000;
+const refreshRequests = new Map();
+function getApiUrl(explicit) {
+    return (explicit || process.env.VIGTHORIA_API_URL || DEFAULT_API_URL).replace(/\/$/, '');
 }
-function askHidden(rl, question) {
-    // In non-interactive (piped) terminals, fall back to plain rl.question
-    // because raw data events won't fire after stdin reaches EOF.
-    if (!process.stdin.isTTY) {
-        return new Promise((resolve) => {
-            rl.question(question, (answer) => {
-                resolve(answer.trim());
-            });
-        });
+function ensureConfigDir() {
+    fs_1.default.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+}
+function writeAuthSession(session) {
+    ensureConfigDir();
+    fs_1.default.writeFileSync(AUTH_FILE, `${JSON.stringify(session, null, 2)}\n`, { mode: 0o600 });
+}
+function asErrorMessage(error) {
+    if (error instanceof TypeError && /fetch|network|failed|ECONN|ENOTFOUND|ETIMEDOUT/i.test(error.message)) {
+        return 'Network error while contacting Vigthoria. Check your connection and API URL.';
     }
-    return new Promise((resolve) => {
-        const stdout = process.stdout;
-        let answer = '';
-        // Pause rl so it doesn't compete for stdin data events
-        rl.pause();
-        stdout.write(question);
-        process.stdin.setRawMode(true);
-        process.stdin.resume();
-        const onData = (ch) => {
-            const c = ch.toString('utf8');
-            if (c === '\n' || c === '\r' || c === '\u0004') {
-                process.stdin.setRawMode(false);
-                process.stdin.removeListener('data', onData);
-                stdout.write('\n');
-                rl.resume();
-                resolve(answer);
-            }
-            else if (c === '\u007f' || c === '\b') {
-                if (answer.length > 0) {
-                    answer = answer.slice(0, -1);
-                    stdout.write('\b \b');
-                }
-            }
-            else if (c === '\u0003') {
-                rl.close();
-                process.exit(1);
-            }
-            else {
-                answer += c;
-                stdout.write('*');
-            }
-        };
-        process.stdin.on('data', onData);
-    });
+    return error instanceof Error ? error.message : String(error);
 }
-class AuthCommand {
-    config;
-    logger;
-    api;
-    constructor(config, logger) {
-        this.config = config;
-        this.logger = logger;
-        this.api = new api_js_1.APIClient(config, logger);
+async function parseResponseBody(response) {
+    const text = await response.text();
+    if (!text)
+        return {};
+    try {
+        const parsed = JSON.parse(text);
+        return parsed && typeof parsed === 'object' ? parsed : {};
     }
-    async login(options) {
-        // If token provided, use token auth
-        if (options.token) {
-            await this.loginWithToken(options.token);
-            return;
-        }
-        console.log();
-        console.log(chalk_1.default.cyan(`${logger_js_1.CH.hDouble.repeat(3)} Vigthoria Login ${logger_js_1.CH.hDouble.repeat(3)}`));
-        console.log();
-        // Use Node's built-in readline instead of inquirer.
-        // inquirer 9.x destroys and recreates readline interfaces per prompt
-        // which causes ERR_USE_AFTER_CLOSE on Node 20 Windows TTY.
-        const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-        try {
-            console.log(chalk_1.default.white('  1) Email & Password'));
-            console.log(chalk_1.default.white('  2) API Token'));
-            console.log(chalk_1.default.white('  3) Browser Login'));
-            console.log();
-            const choice = (await ask(rl, chalk_1.default.cyan('? ') + 'Choose login method (1/2/3): ')).trim();
-            switch (choice) {
-                case '1':
-                case 'credentials': {
-                    const email = (await ask(rl, chalk_1.default.cyan('? ') + 'Email: ')).trim();
-                    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-                    if (!emailRegex.test(email)) {
-                        this.logger.error('Please enter a valid email');
-                        rl.close();
-                        return;
-                    }
-                    const password = await askHidden(rl, chalk_1.default.cyan('? ') + 'Password: ');
-                    rl.close();
-                    if (password.length < 6) {
-                        this.logger.error('Password must be at least 6 characters');
-                        return;
-                    }
-                    await this.doCredentialLogin(email, password);
-                    break;
-                }
-                case '2':
-                case 'token': {
-                    const token = await askHidden(rl, chalk_1.default.cyan('? ') + 'API Token: ');
-                    rl.close();
-                    if (!token) {
-                        this.logger.error('Please enter your API token');
-                        return;
-                    }
-                    await this.loginWithToken(token);
-                    break;
-                }
-                case '3':
-                case 'browser':
-                    rl.close();
-                    await this.loginWithBrowser();
-                    break;
-                default:
-                    rl.close();
-                    this.logger.error('Invalid choice. Please enter 1, 2, or 3.');
-                    break;
-            }
-        }
-        catch (err) {
-            rl.close();
-            throw err;
-        }
+    catch {
+        return { message: text.slice(0, 300) };
     }
-    async doCredentialLogin(email, password) {
-        const spinner = (0, logger_js_1.createSpinner)('Logging in...').start();
-        const success = await this.api.login(email, password);
-        spinner.stop();
-        if (success) {
-            this.printLoginSuccess();
-        }
-        else {
-            this.logger.error('Login failed. Please check your credentials.');
-        }
+}
+function responseErrorMessage(response, data) {
+    const serverMessage = typeof data.error === 'string'
+        ? data.error
+        : typeof data.message === 'string'
+            ? data.message
+            : undefined;
+    if (response.status === 400 || response.status === 401 || response.status === 403) {
+        return serverMessage || 'Invalid credentials. Check your email, password, or token and try again.';
     }
-    async loginWithToken(token) {
-        const spinner = (0, logger_js_1.createSpinner)('Validating token...').start();
-        const success = await this.api.loginWithToken(token);
-        spinner.stop();
-        if (success) {
-            this.printLoginSuccess();
-        }
-        else {
-            this.logger.error('Invalid token. Please check and try again.');
-        }
+    if (response.status === 404)
+        return serverMessage || 'Authentication endpoint was not found for the configured API URL.';
+    if (response.status >= 500)
+        return serverMessage || 'Vigthoria authentication service is temporarily unavailable. Try again later.';
+    return serverMessage || `Request failed with HTTP ${response.status}`;
+}
+function readAuthSession() {
+    try {
+        if (!fs_1.default.existsSync(AUTH_FILE))
+            return null;
+        const parsed = JSON.parse(fs_1.default.readFileSync(AUTH_FILE, 'utf8'));
+        if (!parsed || typeof parsed.accessToken !== 'string' || !parsed.accessToken)
+            return null;
+        return parsed;
     }
-    async loginWithBrowser() {
-        console.log();
-        console.log(chalk_1.default.gray('Opening browser for authentication...'));
-        console.log();
-        console.log(chalk_1.default.cyan('Visit: https://coder.vigthoria.io/cli-auth'));
-        console.log();
-        console.log(chalk_1.default.gray('After authenticating, copy the token and run:'));
-        console.log(chalk_1.default.white('  vigthoria login --token YOUR_TOKEN'));
-        console.log();
+    catch (error) {
+        console.error('Failed to read saved authentication session:', asErrorMessage(error));
+        return null;
     }
-    async logout() {
-        const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-        const answer = await ask(rl, chalk_1.default.cyan('? ') + 'Are you sure you want to logout? (y/N): ');
-        rl.close();
-        const confirm = /^y(es)?$/i.test(answer.trim());
-        if (confirm) {
-            this.config.clearAuth();
-            this.logger.success('Logged out successfully');
+}
+function clearBrowserStorage() {
+    const storage = globalThis.localStorage;
+    if (!storage)
+        return;
+    try {
+        if (typeof storage.removeItem === 'function') {
+            storage.removeItem('vigthoria.auth');
+            storage.removeItem('vigthoria.jwt');
+            storage.removeItem('auth');
+            storage.removeItem('jwt');
         }
+        if (typeof storage.clear === 'function')
+            storage.clear();
     }
-    async status() {
-        console.log();
-        console.log(chalk_1.default.cyan(`${logger_js_1.CH.hDouble.repeat(3)} Account Status ${logger_js_1.CH.hDouble.repeat(3)}`));
-        console.log();
-        if (!this.config.isAuthenticated()) {
-            this.logger.warn('Not logged in');
-            console.log();
-            console.log(chalk_1.default.gray('Run `vigthoria login` to authenticate'));
-            this.api.destroy();
-            return;
-        }
-        const email = this.config.get('email');
-        const sub = this.config.get('subscription');
-        // Account info
-        console.log(chalk_1.default.white('Account:'));
-        console.log(chalk_1.default.gray('  Email: ') + chalk_1.default.cyan(email));
-        console.log(chalk_1.default.gray('  User ID: ') + chalk_1.default.gray(this.config.get('userId')));
-        console.log();
-        // Subscription info
-        console.log(chalk_1.default.white('Subscription:'));
-        const planDisplay = sub.plan ? chalk_1.default.green(sub.plan.toUpperCase()) : chalk_1.default.yellow('FREE');
-        const statusDisplay = sub.status === 'active' ? chalk_1.default.green('Active') : chalk_1.default.red(sub.status || 'N/A');
-        console.log(chalk_1.default.gray('  Plan: ') + planDisplay);
-        console.log(chalk_1.default.gray('  Status: ') + statusDisplay);
-        console.log(chalk_1.default.gray('  Cloud Models: ') + (this.config.hasCloudAccess() ? chalk_1.default.green('Enabled') : chalk_1.default.yellow('Local only')));
-        console.log(chalk_1.default.gray('  Operator Mode: ') + (this.config.hasOperatorAccess() ? chalk_1.default.green('Enabled') : chalk_1.default.yellow('Enterprise/Admin only')));
-        if (sub.expiresAt) {
-            const expiresDate = new Date(sub.expiresAt);
-            const daysLeft = Math.ceil((expiresDate.getTime() - Date.now()) / (1000 * 60 * 60 * 24));
-            const expiresColor = daysLeft > 7 ? chalk_1.default.green : daysLeft > 0 ? chalk_1.default.yellow : chalk_1.default.red;
-            console.log(chalk_1.default.gray('  Expires: ') + expiresColor(`${expiresDate.toLocaleDateString()} (${daysLeft} days)`));
-        }
-        console.log();
-        // Available models
-        console.log(chalk_1.default.white('Available Models:'));
-        const models = this.config.getAvailableModels();
-        models.forEach(m => {
-            console.log(chalk_1.default.gray(`  ${logger_js_1.CH.bullet} `) + chalk_1.default.cyan(m.id) + chalk_1.default.gray(' -> ') + chalk_1.default.white(m.name));
-            const runtimeLabel = m.tier === 'cloud' ? 'cloud' : 'blackwell';
-            console.log(chalk_1.default.gray(`      ${m.tier === 'cloud' ? logger_js_1.CH.cloud : logger_js_1.CH.home} ${m.description}`));
-            console.log(chalk_1.default.gray(`      Backend: ${m.backendModel} (${runtimeLabel})`));
+    catch (error) {
+        console.warn('Failed to clear local auth storage:', asErrorMessage(error));
+    }
+}
+function resetJwtState(state) {
+    if (!state)
+        return;
+    state.token = null;
+    state.expiresAt = null;
+    state.refreshToken = null;
+}
+function clearAuthSession(state) {
+    let ok = true;
+    try {
+        if (fs_1.default.existsSync(AUTH_FILE))
+            fs_1.default.rmSync(AUTH_FILE, { force: true });
+    }
+    catch (error) {
+        ok = false;
+        console.error('Failed to remove saved authentication session:', asErrorMessage(error));
+    }
+    clearBrowserStorage();
+    resetJwtState(state);
+    refreshRequests.clear();
+    return ok;
+}
+async function postJson(url, body, token) {
+    let response;
+    try {
+        response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'content-type': 'application/json',
+                ...(token ? { authorization: `Bearer ${token}` } : {}),
+            },
+            body: JSON.stringify(body),
         });
-        console.log();
-        // Run ALL three probes in parallel — they are independent.
-        const spinner = (0, logger_js_1.createSpinner)('Checking API, capabilities and auth...').start();
-        let capabilityTimeout = null;
-        const [apiStatus, capabilityStatus, tokenValidation] = await Promise.all([
-            this.api.getHealthStatus(),
-            Promise.race([
-                this.api.getCapabilityTruthStatus({
-                    workspacePath: process.cwd(),
-                    projectPath: process.cwd(),
-                    targetPath: process.cwd(),
-                }),
-                new Promise(resolve => {
-                    capabilityTimeout = setTimeout(() => resolve({
-                        overallOk: false,
-                        v3Agent: { name: 'V3 Agent', endpoint: '', ok: false, error: 'Timed out (8s)' },
-                        hyperLoop: { name: 'Hyper Loop', endpoint: '', ok: false, error: 'Timed out (8s)' },
-                        repoMemory: { name: 'Repo Memory', endpoint: '', ok: false, error: 'Timed out (8s)' },
-                        devtoolsBridge: { name: 'DevTools Bridge', endpoint: '', ok: false, error: 'Timed out (8s)' },
-                    }), 8000);
-                }),
-            ]),
-            this.api.validateToken(),
-        ]);
-        if (capabilityTimeout)
-            clearTimeout(capabilityTimeout);
-        spinner.stop();
-        // --- Display API Status ---
-        console.log(chalk_1.default.white('API Status:'));
-        console.log(chalk_1.default.gray('  Overall: ') + (apiStatus.overallOk ? chalk_1.default.green('Healthy') : chalk_1.default.yellow('Degraded')));
-        console.log(chalk_1.default.gray('  Coder API: ') + (apiStatus.coder.ok ? chalk_1.default.green('Online') : chalk_1.default.red('Offline')) + chalk_1.default.gray(` (${apiStatus.coder.endpoint})`));
-        if (apiStatus.coder.error) {
-            console.log(chalk_1.default.gray('    Error: ') + chalk_1.default.red(apiStatus.coder.error));
-        }
-        console.log(chalk_1.default.gray('  Models API: ') + (apiStatus.models.ok ? chalk_1.default.green('Online') : chalk_1.default.red('Offline')) + chalk_1.default.gray(` (${apiStatus.models.endpoint})`));
-        if (apiStatus.models.details?.modelCount !== undefined) {
-            console.log(chalk_1.default.gray('    Models Available: ') + chalk_1.default.cyan(String(apiStatus.models.details.modelCount)));
-        }
-        if (apiStatus.models.error) {
-            console.log(chalk_1.default.gray('    Error: ') + chalk_1.default.red(apiStatus.models.error));
-        }
-        if (apiStatus.selfHosted) {
-            console.log(chalk_1.default.gray('  Self-hosted Models: ') + (apiStatus.selfHosted.ok ? chalk_1.default.green('Online') : chalk_1.default.yellow('Unavailable')) + chalk_1.default.gray(` (${apiStatus.selfHosted.endpoint})`));
-            if (apiStatus.selfHosted.error) {
-                console.log(chalk_1.default.gray('    Error: ') + chalk_1.default.yellow(apiStatus.selfHosted.error));
+    }
+    catch (error) {
+        throw new Error(asErrorMessage(error));
+    }
+    const data = await parseResponseBody(response);
+    if (!response.ok)
+        throw new Error(responseErrorMessage(response, data));
+    return data;
+}
+async function getJson(url, token) {
+    let response;
+    try {
+        response = await fetch(url, {
+            headers: token ? { authorization: `Bearer ${token}` } : undefined,
+        });
+    }
+    catch (error) {
+        throw new Error(asErrorMessage(error));
+    }
+    const data = await parseResponseBody(response);
+    if (!response.ok)
+        throw new Error(responseErrorMessage(response, data));
+    return data;
+}
+function normalizeSession(data, apiUrl) {
+    const accessToken = data.accessToken || data.token;
+    if (!accessToken)
+        throw new Error('Authentication response did not include an access token.');
+    const now = new Date().toISOString();
+    const expiresAt = typeof data.expiresAt === 'number'
+        ? data.expiresAt
+        : typeof data.expiresIn === 'number'
+            ? Date.now() + data.expiresIn * 1000
+            : undefined;
+    return {
+        accessToken,
+        refreshToken: data.refreshToken,
+        user: data.user,
+        expiresAt,
+        apiUrl,
+        createdAt: now,
+        updatedAt: now,
+    };
+}
+function isExpired(session) {
+    return typeof session.expiresAt === 'number' && Date.now() >= session.expiresAt - REFRESH_SKEW_MS;
+}
+function jwtNeedsRefresh(state) {
+    if (!state.token)
+        return false;
+    if (typeof state.isExpired === 'function')
+        return state.isExpired();
+    return typeof state.expiresAt === 'number' && Date.now() >= state.expiresAt - REFRESH_SKEW_MS;
+}
+function refreshKey(state, session) {
+    const apiUrl = getApiUrl(state.apiUrl || session?.apiUrl);
+    const refreshToken = state.refreshToken || session?.refreshToken || 'no-refresh-token';
+    return `${apiUrl}:${refreshToken}`;
+}
+async function performRefresh(state, session) {
+    if (!session.refreshToken) {
+        resetJwtState(state);
+        return null;
+    }
+    try {
+        const data = await postJson(`${session.apiUrl}/api/auth/refresh`, { refreshToken: session.refreshToken, client: 'vigthoria-cli' });
+        const refreshed = normalizeSession({ ...data, refreshToken: data.refreshToken || session.refreshToken }, session.apiUrl);
+        refreshed.createdAt = session.createdAt;
+        refreshed.updatedAt = new Date().toISOString();
+        writeAuthSession(refreshed);
+        state.token = refreshed.accessToken;
+        state.expiresAt = refreshed.expiresAt ?? null;
+        state.refreshToken = refreshed.refreshToken ?? session.refreshToken;
+        state.apiUrl = refreshed.apiUrl;
+        return refreshed.accessToken;
+    }
+    catch (error) {
+        console.error('Failed to refresh authentication session:', asErrorMessage(error));
+        clearAuthSession(state);
+        return null;
+    }
+}
+async function refreshJwtIfNeeded(state) {
+    if (!state || typeof state !== 'object')
+        throw new Error('JWT state is required.');
+    if (!jwtNeedsRefresh(state))
+        return state.token;
+    const session = readAuthSession();
+    if (!session) {
+        resetJwtState(state);
+        return null;
+    }
+    const key = refreshKey(state, session);
+    const existing = refreshRequests.get(key);
+    if (existing)
+        return existing;
+    const request = performRefresh(state, session).finally(() => {
+        refreshRequests.delete(key);
+    });
+    refreshRequests.set(key, request);
+    return request;
+}
+async function loginWithToken(token, options = {}) {
+    if (!token || typeof token !== 'string')
+        throw new Error('A token is required.');
+    const apiUrl = getApiUrl(options.apiUrl);
+    let user;
+    try {
+        const profile = await getJson(`${apiUrl}/api/auth/me`, token);
+        user = profile.data || profile.user;
+    }
+    catch (error) {
+        throw new Error(`Token validation failed: ${asErrorMessage(error)}`);
+    }
+    const now = new Date().toISOString();
+    const session = { accessToken: token, user, apiUrl, createdAt: now, updatedAt: now };
+    writeAuthSession(session);
+    return session;
+}
+async function loginWithCredentials(email, password, options = {}) {
+    if (!email || !password)
+        throw new Error('Email and password are required.');
+    const apiUrl = getApiUrl(options.apiUrl);
+    const data = await postJson(`${apiUrl}/api/auth/login`, { email, password, client: 'vigthoria-cli' });
+    const session = normalizeSession(data, apiUrl);
+    writeAuthSession(session);
+    return session;
+}
+async function loginWithDeviceCode(options = {}) {
+    const apiUrl = getApiUrl(options.apiUrl);
+    const start = await postJson(`${apiUrl}/api/auth/device`, { client: 'vigthoria-cli' });
+    const verificationUri = start.verificationUri || start.verification_uri;
+    const userCode = start.userCode || start.user_code;
+    const deviceCode = start.deviceCode || start.device_code;
+    if (!verificationUri || !userCode || !deviceCode)
+        throw new Error('Device authorization endpoint returned an incomplete response.');
+    console.log(`Open this URL to authenticate: ${verificationUri}`);
+    console.log(`Enter code: ${userCode}`);
+    const timeoutAt = Date.now() + (options.pollTimeoutMs ?? 10 * 60 * 1000);
+    const intervalMs = Math.max(1000, (start.interval ?? 5) * 1000);
+    while (Date.now() < timeoutAt) {
+        await (0, promises_1.setTimeout)(intervalMs);
+        try {
+            const result = await postJson(`${apiUrl}/api/auth/device/complete`, { deviceCode, device_code: deviceCode, client: 'vigthoria-cli' });
+            if (result.accessToken || result.token) {
+                const session = normalizeSession(result, apiUrl);
+                writeAuthSession(session);
+                return session;
             }
         }
-        else {
-            console.log(chalk_1.default.gray('  Self-hosted Models: ') + chalk_1.default.gray('disabled'));
+        catch (error) {
+            const message = asErrorMessage(error);
+            if (!/pending|authorization_pending|slow_down/i.test(message))
+                throw new Error(message);
         }
-        // --- Display Capability Truth ---
-        console.log();
-        console.log(chalk_1.default.white('Capability Truth:'));
-        const coreOk = apiStatus.overallOk;
-        console.log(chalk_1.default.gray('  Overall: ') + (coreOk ? chalk_1.default.green('Verified') : chalk_1.default.yellow('Partial')));
-        // V3 Agent — used by agent/chat commands (routed through model API)
-        console.log(chalk_1.default.gray('  V3 Agent: ') + (capabilityStatus.v3Agent.ok ? chalk_1.default.green('Reachable') : chalk_1.default.gray('Not deployed (routed through model API)')));
-        if (capabilityStatus.v3Agent.error && capabilityStatus.v3Agent.ok === false) {
-            const err = capabilityStatus.v3Agent.error;
-            if (!/timed? out|not reachable|No V3 agent/i.test(err)) {
-                console.log(chalk_1.default.gray('    Error: ') + chalk_1.default.red(err));
-            }
-        }
-        // Hyper Loop — optional orchestration layer
-        console.log(chalk_1.default.gray('  Hyper Loop: ') + (capabilityStatus.hyperLoop.ok ? chalk_1.default.green('Reachable') : chalk_1.default.gray('Not deployed (optional)')));
-        // Repo Memory — separate auth scope, only affects repo commands
-        console.log(chalk_1.default.gray('  Repo Memory: ') + (capabilityStatus.repoMemory.ok ? chalk_1.default.green('Active') : chalk_1.default.gray('Not deployed (optional)')));
-        if (capabilityStatus.repoMemory.details?.compactContextLength !== undefined) {
-            console.log(chalk_1.default.gray('    Compact Context: ') + chalk_1.default.cyan(`${capabilityStatus.repoMemory.details.compactContextLength} chars`));
+    }
+    throw new Error('Timed out waiting for device authentication.');
+}
+async function getValidAuthSession() {
+    const session = readAuthSession();
+    if (!session)
+        return null;
+    if (!isExpired(session))
+        return session;
+    if (!session.refreshToken) {
+        clearAuthSession();
+        return null;
+    }
+    const state = {
+        token: session.accessToken,
+        expiresAt: session.expiresAt ?? null,
+        refreshToken: session.refreshToken,
+        apiUrl: session.apiUrl,
+        isExpired: () => true,
+    };
+    const token = await refreshJwtIfNeeded(state);
+    return token ? readAuthSession() : null;
+}
+function printSession(session) {
+    const user = session.user?.email || session.user?.name || session.user?.id || 'authenticated user';
+    console.log(`Authenticated as ${user}`);
+    console.log(`API: ${session.apiUrl}`);
+    if (session.expiresAt)
+        console.log(`Expires: ${new Date(session.expiresAt).toLocaleString()}`);
+}
+async function loginAction(options = {}) {
+    try {
+        const session = options.token
+            ? await loginWithToken(options.token, options)
+            : options.email && options.password
+                ? await loginWithCredentials(options.email, options.password, options)
+                : await loginWithDeviceCode(options);
+        console.log('Login successful.');
+        printSession(session);
+    }
+    catch (error) {
+        clearAuthSession();
+        throw new Error(asErrorMessage(error));
+    }
+}
+async function logoutAction(state) {
+    const session = readAuthSession();
+    if (session) {
+        try {
+            await postJson(`${session.apiUrl}/api/auth/logout`, { client: 'vigthoria-cli' }, session.accessToken);
         }
-        // DevTools Bridge — local service, not required
-        console.log(chalk_1.default.gray('  DevTools Bridge: ') + (capabilityStatus.devtoolsBridge.ok ? chalk_1.default.green('Connected') : chalk_1.default.gray('Not running (optional)')));
-        // --- Display Auth Scopes ---
-        console.log();
-        console.log(chalk_1.default.white('Auth Scopes:'));
-        console.log(chalk_1.default.gray('  Model Auth: ') + (tokenValidation.valid ? chalk_1.default.green('Valid') : chalk_1.default.red('Invalid')) + chalk_1.default.gray(' (used by chat, agent, review, explain, generate, fix)'));
-        if (!tokenValidation.valid && tokenValidation.error) {
-            console.log(chalk_1.default.gray('    ') + chalk_1.default.red(tokenValidation.error));
+        catch (error) {
+            console.warn('Remote logout failed; local session will still be cleared:', asErrorMessage(error));
         }
-        console.log(chalk_1.default.gray('  Repo Auth: ') + (capabilityStatus.repoMemory.ok ? chalk_1.default.green('Active') : chalk_1.default.gray('N/A — repo memory not deployed')) + chalk_1.default.gray(' (used by repo push/pull/list only)'));
-        console.log(chalk_1.default.gray('  Bridge Auth: ') + (capabilityStatus.devtoolsBridge.ok ? chalk_1.default.green('Connected') : chalk_1.default.gray('N/A — bridge not running')) + chalk_1.default.gray(' (used by --bridge flag only)'));
-        console.log();
-        // Graceful exit — destroy keep-alive agents so the event loop drains
-        // naturally.  Setting exitCode (not calling process.exit()) avoids the
-        // libuv UV_HANDLE_CLOSING assertion on Windows that occurs when
-        // process.exit() is invoked while socket handles are mid-close.
-        this.api.destroy();
-        process.exitCode = 0;
     }
-    printLoginSuccess() {
-        const email = this.config.get('email');
-        const sub = this.config.get('subscription');
-        console.log();
-        this.logger.success(`Logged in as ${chalk_1.default.cyan(email)}`);
-        if (sub.plan) {
-            console.log(chalk_1.default.gray(`  Plan: ${chalk_1.default.green(sub.plan.toUpperCase())}`));
-        }
-        console.log();
-        console.log(chalk_1.default.gray('You can now use all Vigthoria CLI features.'));
-        console.log(chalk_1.default.gray('Run `vigthoria chat` or `npx vigthoria-chat` to start coding with AI!'));
-        console.log();
+    if (!clearAuthSession(state))
+        process.exitCode = 1;
+    else
+        console.log('Logged out.');
+}
+async function handleLogin(config) {
+    try {
+        await loginAction(config || {});
+    }
+    catch (error) {
+        console.error('Login failed:', asErrorMessage(error));
+        process.exitCode = 1;
+    }
+}
+async function handleLogout(config) {
+    await logoutAction(config && typeof config === 'object' ? config : null);
+}
+async function statusAction() {
+    const session = await getValidAuthSession();
+    if (!session) {
+        console.log('Not authenticated. Run `vigthoria auth login` to sign in.');
+        process.exitCode = 1;
+        return;
     }
+    printSession(session);
+}
+function createAuthCommand() {
+    const auth = new commander_1.Command('auth').description('Manage Vigthoria CLI authentication');
+    auth
+        .command('login')
+        .description('Sign in to Vigthoria')
+        .option('--token <token>', 'use an existing access token')
+        .option('--email <email>', 'account email for password login')
+        .option('--password <password>', 'account password for password login')
+        .option('--api-url <url>', 'Vigthoria API URL')
+        .option('--device', 'force browser/device-code login')
+        .action(async (options) => {
+        await handleLogin(options);
+    });
+    auth
+        .command('logout')
+        .description('Clear the saved Vigthoria session')
+        .action(async () => {
+        await handleLogout(null);
+    });
+    auth
+        .command('status')
+        .description('Show current authentication status')
+        .action(async () => {
+        await statusAction();
+    });
+    auth.action(() => auth.help());
+    return auth;
+}
+function registerAuthCommand(program) {
+    const command = createAuthCommand();
+    program.addCommand(command);
+    return command;
 }
-exports.AuthCommand = AuthCommand;
+exports.authCommand = createAuthCommand();
+exports.default = exports.authCommand;