npm - vigthoria-cli - Versions diffs - 1.9.2 → 1.9.8 - Mend

vigthoria-cli 1.9.2 → 1.9.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/README.md +15 -5
package/dist/commands/auth.d.ts +28 -38
package/dist/commands/auth.js +461 -313
package/dist/commands/bridge.js +3 -8
package/dist/commands/chat.d.ts +3 -0
package/dist/commands/chat.js +97 -34
package/dist/commands/index.js +1 -1
package/dist/commands/legion.d.ts +22 -19
package/dist/commands/legion.js +561 -134
package/dist/commands/preview.js +32 -7
package/dist/commands/repo.js +19 -13
package/dist/commands/security.d.ts +20 -0
package/dist/commands/security.js +98 -0
package/dist/commands/update.d.ts +9 -0
package/dist/commands/update.js +235 -0
package/dist/index.d.ts +2 -1
package/dist/index.js +147 -40
package/dist/utils/api.d.ts +25 -70
package/dist/utils/api.js +875 -693
package/dist/utils/config.js +1 -1
package/dist/utils/tools.d.ts +11 -0
package/dist/utils/tools.js +251 -5
package/install.ps1 +322 -0
package/install.sh +314 -0
package/package.json +18 -3
package/scripts/release/LOCAL_MACHINE_USER_VERIFICATION.md +159 -0
package/scripts/release/publish-cli-release.sh +73 -0
package/scripts/release/validate-no-go-gates.sh +129 -0
package/scripts/release/verify-runtime-consistency.mjs +64 -0

package/dist/commands/auth.js CHANGED Viewed

@@ -3,407 +3,555 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.authCommand = void 0;
-exports.readAuthSession = readAuthSession;
-exports.clearAuthSession = clearAuthSession;
-exports.refreshJwtIfNeeded = refreshJwtIfNeeded;
-exports.loginWithToken = loginWithToken;
-exports.loginWithCredentials = loginWithCredentials;
-exports.loginWithDeviceCode = loginWithDeviceCode;
-exports.getValidAuthSession = getValidAuthSession;
-exports.loginAction = loginAction;
-exports.logoutAction = logoutAction;
+exports.loadAuthConfig = loadAuthConfig;
+exports.saveAuthConfig = saveAuthConfig;
+exports.clearAuthConfig = clearAuthConfig;
+exports.getAuthToken = getAuthToken;
+exports.login = login;
+exports.logout = logout;
+exports.whoami = whoami;
+exports.doctor = doctor;
 exports.handleLogin = handleLogin;
 exports.handleLogout = handleLogout;
 exports.statusAction = statusAction;
-exports.createAuthCommand = createAuthCommand;
-exports.registerAuthCommand = registerAuthCommand;
-const commander_1 = require("commander");
-const fs_1 = __importDefault(require("fs"));
-const os_1 = __importDefault(require("os"));
+exports.registerAuthCommands = registerAuthCommands;
+const chalk_1 = __importDefault(require("chalk"));
+const fs_1 = require("fs");
+const os_1 = require("os");
 const path_1 = __importDefault(require("path"));
-const promises_1 = require("timers/promises");
+const readline_1 = __importDefault(require("readline"));
+const config_js_1 = require("../utils/config.js");
 const DEFAULT_API_URL = 'https://coder.vigthoria.io';
-const CONFIG_DIR = path_1.default.join(os_1.default.homedir(), '.vigthoria');
-const AUTH_FILE = path_1.default.join(CONFIG_DIR, 'auth.json');
-const REFRESH_SKEW_MS = 30_000;
-const refreshRequests = new Map();
-function getApiUrl(explicit) {
-    return (explicit || process.env.VIGTHORIA_API_URL || DEFAULT_API_URL).replace(/\/$/, '');
+const CONFIG_DIR = path_1.default.join((0, os_1.homedir)(), '.vigthoria');
+const CONFIG_FILE = path_1.default.join(CONFIG_DIR, 'config.json');
+const KNOWN_AUTH_BASE_URLS = ['https://coder.vigthoria.io', 'https://api.vigthoria.io'];
+class HttpError extends Error {
+    status;
+    constructor(status, message) {
+        super(message);
+        this.status = status;
+    }
 }
-function ensureConfigDir() {
-    fs_1.default.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+function trimTrailingSlash(value) {
+    return value.replace(/\/+$/, '');
 }
-function writeAuthSession(session) {
-    ensureConfigDir();
-    fs_1.default.writeFileSync(AUTH_FILE, `${JSON.stringify(session, null, 2)}\n`, { mode: 0o600 });
+function uniqueStrings(values) {
+    return [...new Set(values.filter(Boolean))];
+}
+function getApiUrl() {
+    return trimTrailingSlash(process.env.VIGTHORIA_API_URL || DEFAULT_API_URL);
 }
-function asErrorMessage(error) {
-    if (error instanceof TypeError && /fetch|network|failed|ECONN|ENOTFOUND|ETIMEDOUT/i.test(error.message)) {
-        return 'Network error while contacting Vigthoria. Check your connection and API URL.';
+function derivePeerHost(baseUrl) {
+    if (baseUrl.includes('://api.vigthoria.io')) {
+        return baseUrl.replace('://api.vigthoria.io', '://coder.vigthoria.io');
     }
-    return error instanceof Error ? error.message : String(error);
+    if (baseUrl.includes('://coder.vigthoria.io')) {
+        return baseUrl.replace('://coder.vigthoria.io', '://api.vigthoria.io');
+    }
+    return undefined;
 }
-async function parseResponseBody(response) {
-    const text = await response.text();
-    if (!text)
-        return {};
+function getAuthBaseCandidates(seedBaseUrl) {
+    const seed = trimTrailingSlash(seedBaseUrl || getApiUrl());
+    const peer = derivePeerHost(seed);
+    return uniqueStrings([seed, ...(peer ? [peer] : []), ...KNOWN_AUTH_BASE_URLS]).map(trimTrailingSlash);
+}
+function ensureConfigDir() {
+    if (!(0, fs_1.existsSync)(CONFIG_DIR)) {
+        (0, fs_1.mkdirSync)(CONFIG_DIR, { recursive: true, mode: 0o700 });
+    }
     try {
-        const parsed = JSON.parse(text);
-        return parsed && typeof parsed === 'object' ? parsed : {};
+        (0, fs_1.chmodSync)(CONFIG_DIR, 0o700);
     }
     catch {
-        return { message: text.slice(0, 300) };
+        // Best-effort on non-POSIX filesystems.
     }
 }
-function responseErrorMessage(response, data) {
-    const serverMessage = typeof data.error === 'string'
-        ? data.error
-        : typeof data.message === 'string'
-            ? data.message
-            : undefined;
-    if (response.status === 400 || response.status === 401 || response.status === 403) {
-        return serverMessage || 'Invalid credentials. Check your email, password, or token and try again.';
-    }
-    if (response.status === 404)
-        return serverMessage || 'Authentication endpoint was not found for the configured API URL.';
-    if (response.status >= 500)
-        return serverMessage || 'Vigthoria authentication service is temporarily unavailable. Try again later.';
-    return serverMessage || `Request failed with HTTP ${response.status}`;
-}
-function readAuthSession() {
+function syncSharedConfig(config) {
     try {
-        if (!fs_1.default.existsSync(AUTH_FILE))
-            return null;
-        const parsed = JSON.parse(fs_1.default.readFileSync(AUTH_FILE, 'utf8'));
-        if (!parsed || typeof parsed.accessToken !== 'string' || !parsed.accessToken)
-            return null;
-        return parsed;
+        const shared = new config_js_1.Config();
+        shared.set('apiUrl', trimTrailingSlash(config.apiUrl || getApiUrl()));
+        if (config.token) {
+            shared.set('authToken', config.token);
+        }
+        if (config.user?.id) {
+            shared.set('userId', String(config.user.id));
+        }
+        if (config.user?.email) {
+            shared.set('email', String(config.user.email));
+        }
     }
-    catch (error) {
-        console.error('Failed to read saved authentication session:', asErrorMessage(error));
-        return null;
+    catch {
+        // Keep legacy auth flow working even if shared config write fails.
     }
 }
-function clearBrowserStorage() {
-    const storage = globalThis.localStorage;
-    if (!storage)
-        return;
+function clearSharedConfigAuth() {
     try {
-        if (typeof storage.removeItem === 'function') {
-            storage.removeItem('vigthoria.auth');
-            storage.removeItem('vigthoria.jwt');
-            storage.removeItem('auth');
-            storage.removeItem('jwt');
-        }
-        if (typeof storage.clear === 'function')
-            storage.clear();
+        const shared = new config_js_1.Config();
+        shared.set('authToken', null);
+        shared.set('refreshToken', null);
+        shared.set('userId', null);
+        shared.set('email', null);
     }
-    catch (error) {
-        console.warn('Failed to clear local auth storage:', asErrorMessage(error));
+    catch {
+        // Ignore shared config clear failures during logout.
     }
 }
-function resetJwtState(state) {
-    if (!state)
-        return;
-    state.token = null;
-    state.expiresAt = null;
-    state.refreshToken = null;
+function humanMessage(error) {
+    const raw = error instanceof Error ? error.message : String(error);
+    if (/^\s*</.test(raw) || /<!doctype html/i.test(raw)) {
+        return 'The Vigthoria service returned an unexpected HTML response. This usually means auth routes are misconfigured server-side.';
+    }
+    return raw || 'Unknown authentication error.';
+}
+function extractAuthToken(payload) {
+    if (!payload || typeof payload !== 'object') {
+        return undefined;
+    }
+    const body = payload;
+    return body.token || body.accessToken || body.tokens?.access_token;
 }
-function clearAuthSession(state) {
-    let ok = true;
+function extractAuthUser(payload, fallbackEmail) {
+    if (!payload || typeof payload !== 'object') {
+        return fallbackEmail ? { email: fallbackEmail } : undefined;
+    }
+    const body = payload;
+    const user = body.user;
+    if (user && typeof user === 'object') {
+        const typed = user;
+        return {
+            id: typed.id ? String(typed.id) : undefined,
+            email: typed.email ? String(typed.email) : fallbackEmail,
+            name: typed.name ? String(typed.name) : typed.username ? String(typed.username) : undefined,
+        };
+    }
+    if (body.email || body.id || body.username) {
+        return {
+            id: body.id ? String(body.id) : undefined,
+            email: body.email ? String(body.email) : fallbackEmail,
+            name: body.username ? String(body.username) : body.name ? String(body.name) : undefined,
+        };
+    }
+    return fallbackEmail ? { email: fallbackEmail } : undefined;
+}
+function loadAuthConfig() {
+    if (!(0, fs_1.existsSync)(CONFIG_FILE)) {
+        return { apiUrl: getApiUrl() };
+    }
     try {
-        if (fs_1.default.existsSync(AUTH_FILE))
-            fs_1.default.rmSync(AUTH_FILE, { force: true });
+        const parsed = JSON.parse((0, fs_1.readFileSync)(CONFIG_FILE, 'utf8'));
+        return {
+            apiUrl: trimTrailingSlash(parsed.apiUrl || getApiUrl()),
+            token: parsed.token || parsed.authToken,
+            user: parsed.user,
+        };
     }
     catch (error) {
-        ok = false;
-        console.error('Failed to remove saved authentication session:', asErrorMessage(error));
+        console.warn(chalk_1.default.yellow(`Warning: could not read auth config: ${humanMessage(error)}`));
+        return { apiUrl: getApiUrl() };
+    }
+}
+function saveAuthConfig(config) {
+    ensureConfigDir();
+    (0, fs_1.writeFileSync)(CONFIG_FILE, `${JSON.stringify(config, null, 2)}\n`, 'utf8');
+    try {
+        (0, fs_1.chmodSync)(CONFIG_FILE, 0o600);
+    }
+    catch {
+        // Best-effort on non-POSIX filesystems.
+    }
+    syncSharedConfig(config);
+}
+function clearAuthConfig() {
+    if ((0, fs_1.existsSync)(CONFIG_FILE)) {
+        (0, fs_1.rmSync)(CONFIG_FILE, { force: true });
     }
-    clearBrowserStorage();
-    resetJwtState(state);
-    refreshRequests.clear();
-    return ok;
+    clearSharedConfigAuth();
 }
-async function postJson(url, body, token) {
+function getAuthToken() {
+    return process.env.VIGTHORIA_TOKEN || loadAuthConfig().token;
+}
+async function requestJson(url, init) {
+    const timeoutMsRaw = Number(process.env.VIGTHORIA_AUTH_TIMEOUT_MS || 8000);
+    const timeoutMs = Number.isFinite(timeoutMsRaw) && timeoutMsRaw > 0 ? timeoutMsRaw : 8000;
+    const controller = new AbortController();
+    const timeoutHandle = setTimeout(() => controller.abort(), timeoutMs);
     let response;
     try {
         response = await fetch(url, {
-            method: 'POST',
+            ...init,
+            signal: controller.signal,
             headers: {
+                accept: 'application/json',
                 'content-type': 'application/json',
-                ...(token ? { authorization: `Bearer ${token}` } : {}),
+                ...(init.headers || {}),
             },
-            body: JSON.stringify(body),
         });
     }
     catch (error) {
-        throw new Error(asErrorMessage(error));
+        const name = error?.name;
+        if (name === 'AbortError') {
+            throw new Error(`Authentication request timed out after ${timeoutMs}ms`);
+        }
+        throw error;
     }
-    const data = await parseResponseBody(response);
-    if (!response.ok)
-        throw new Error(responseErrorMessage(response, data));
-    return data;
-}
-async function getJson(url, token) {
-    let response;
-    try {
-        response = await fetch(url, {
-            headers: token ? { authorization: `Bearer ${token}` } : undefined,
-        });
+    finally {
+        clearTimeout(timeoutHandle);
     }
-    catch (error) {
-        throw new Error(asErrorMessage(error));
+    const text = await response.text();
+    let body = {};
+    if (text.trim()) {
+        try {
+            body = JSON.parse(text);
+        }
+        catch {
+            if (/^\s*</.test(text) || /<!doctype html/i.test(text)) {
+                throw new HttpError(response.status, 'The Vigthoria service returned an unexpected HTML response. Please verify auth routes.');
+            }
+            throw new HttpError(response.status, text.slice(0, 240));
+        }
     }
-    const data = await parseResponseBody(response);
-    if (!response.ok)
-        throw new Error(responseErrorMessage(response, data));
-    return data;
-}
-function normalizeSession(data, apiUrl) {
-    const accessToken = data.accessToken || data.token;
-    if (!accessToken)
-        throw new Error('Authentication response did not include an access token.');
-    const now = new Date().toISOString();
-    const expiresAt = typeof data.expiresAt === 'number'
-        ? data.expiresAt
-        : typeof data.expiresIn === 'number'
-            ? Date.now() + data.expiresIn * 1000
-            : undefined;
-    return {
-        accessToken,
-        refreshToken: data.refreshToken,
-        user: data.user,
-        expiresAt,
-        apiUrl,
-        createdAt: now,
-        updatedAt: now,
-    };
-}
-function isExpired(session) {
-    return typeof session.expiresAt === 'number' && Date.now() >= session.expiresAt - REFRESH_SKEW_MS;
-}
-function jwtNeedsRefresh(state) {
-    if (!state.token)
-        return false;
-    if (typeof state.isExpired === 'function')
-        return state.isExpired();
-    return typeof state.expiresAt === 'number' && Date.now() >= state.expiresAt - REFRESH_SKEW_MS;
-}
-function refreshKey(state, session) {
-    const apiUrl = getApiUrl(state.apiUrl || session?.apiUrl);
-    const refreshToken = state.refreshToken || session?.refreshToken || 'no-refresh-token';
-    return `${apiUrl}:${refreshToken}`;
+    if (!response.ok) {
+        const message = typeof body === 'object' && body && 'error' in body
+            ? String(body.error)
+            : typeof body === 'object' && body && 'message' in body
+                ? String(body.message)
+                : `Request failed with status ${response.status}`;
+        throw new HttpError(response.status, message);
+    }
+    return body;
 }
-async function performRefresh(state, session) {
-    if (!session.refreshToken) {
-        resetJwtState(state);
-        return null;
+async function ask(question, hidden = false) {
+    const rl = readline_1.default.createInterface({ input: process.stdin, output: process.stdout });
+    if (!hidden) {
+        try {
+            return await new Promise((resolve) => rl.question(question, resolve));
+        }
+        finally {
+            rl.close();
+        }
     }
+    const output = process.stdout;
+    const mutableRl = rl;
+    const originalWrite = mutableRl._writeToOutput;
+    mutableRl._writeToOutput = function writeMasked(value) {
+        if (value.includes('\n') || value.includes('\r')) {
+            output.write(value);
+        }
+        else {
+            output.write('*');
+        }
+    };
     try {
-        const data = await postJson(`${session.apiUrl}/api/auth/refresh`, { refreshToken: session.refreshToken, client: 'vigthoria-cli' });
-        const refreshed = normalizeSession({ ...data, refreshToken: data.refreshToken || session.refreshToken }, session.apiUrl);
-        refreshed.createdAt = session.createdAt;
-        refreshed.updatedAt = new Date().toISOString();
-        writeAuthSession(refreshed);
-        state.token = refreshed.accessToken;
-        state.expiresAt = refreshed.expiresAt ?? null;
-        state.refreshToken = refreshed.refreshToken ?? session.refreshToken;
-        state.apiUrl = refreshed.apiUrl;
-        return refreshed.accessToken;
+        return await new Promise((resolve) => rl.question(question, resolve));
     }
-    catch (error) {
-        console.error('Failed to refresh authentication session:', asErrorMessage(error));
-        clearAuthSession(state);
-        return null;
+    finally {
+        if (originalWrite) {
+            mutableRl._writeToOutput = originalWrite;
+        }
+        output.write('\n');
+        rl.close();
     }
 }
-async function refreshJwtIfNeeded(state) {
-    if (!state || typeof state !== 'object')
-        throw new Error('JWT state is required.');
-    if (!jwtNeedsRefresh(state))
-        return state.token;
-    const session = readAuthSession();
-    if (!session) {
-        resetJwtState(state);
-        return null;
-    }
-    const key = refreshKey(state, session);
-    const existing = refreshRequests.get(key);
-    if (existing)
-        return existing;
-    const request = performRefresh(state, session).finally(() => {
-        refreshRequests.delete(key);
-    });
-    refreshRequests.set(key, request);
-    return request;
+function markSuccessExit() {
+    process.exitCode = 0;
+}
+function markErrorExit() {
+    process.exitCode = 1;
 }
-async function loginWithToken(token, options = {}) {
-    if (!token || typeof token !== 'string')
-        throw new Error('A token is required.');
-    const apiUrl = getApiUrl(options.apiUrl);
-    let user;
+async function login(email, password) {
     try {
-        const profile = await getJson(`${apiUrl}/api/auth/me`, token);
-        user = profile.data || profile.user;
+        const resolvedEmail = (email || '').trim();
+        const resolvedPassword = password || '';
+        if (!resolvedEmail || !resolvedPassword) {
+            throw new Error('Email and password are required. Pass --email and --password or run login interactively.');
+        }
+        const authBases = getAuthBaseCandidates(getApiUrl());
+        const endpointVariants = [
+            { path: '/auth/login', body: { email: resolvedEmail, password: resolvedPassword } },
+            { path: '/api/auth/login', body: { email: resolvedEmail, password: resolvedPassword } },
+            { path: '/api/login-json', body: { identifier: resolvedEmail, password: resolvedPassword } },
+            { path: '/api/login', body: { email: resolvedEmail, password: resolvedPassword } },
+        ];
+        const attempted = [];
+        const failures = [];
+        for (const base of authBases) {
+            for (const variant of endpointVariants) {
+                const endpoint = `${trimTrailingSlash(base)}${variant.path}`;
+                attempted.push(endpoint);
+                try {
+                    const result = await requestJson(endpoint, {
+                        method: 'POST',
+                        body: JSON.stringify(variant.body),
+                    });
+                    const token = extractAuthToken(result);
+                    if (!token) {
+                        failures.push(`${endpoint} -> success without token`);
+                        continue;
+                    }
+                    const config = {
+                        apiUrl: trimTrailingSlash(base),
+                        token,
+                        user: extractAuthUser(result, resolvedEmail),
+                        success: true,
+                    };
+                    saveAuthConfig(config);
+                    markSuccessExit();
+                    return config;
+                }
+                catch (error) {
+                    const message = humanMessage(error);
+                    failures.push(`${endpoint} -> ${message}`);
+                }
+            }
+        }
+        throw new Error([
+            'Login failed on all known auth endpoints.',
+            `Tried: ${attempted.join(', ')}`,
+            `Last errors: ${failures.slice(-4).join(' | ')}`,
+        ].join(' '));
     }
     catch (error) {
-        throw new Error(`Token validation failed: ${asErrorMessage(error)}`);
+        const message = humanMessage(error);
+        markErrorExit();
+        throw new Error(message);
     }
-    const now = new Date().toISOString();
-    const session = { accessToken: token, user, apiUrl, createdAt: now, updatedAt: now };
-    writeAuthSession(session);
-    return session;
 }
-async function loginWithCredentials(email, password, options = {}) {
-    if (!email || !password)
-        throw new Error('Email and password are required.');
-    const apiUrl = getApiUrl(options.apiUrl);
-    const data = await postJson(`${apiUrl}/api/auth/login`, { email, password, client: 'vigthoria-cli' });
-    const session = normalizeSession(data, apiUrl);
-    writeAuthSession(session);
-    return session;
+async function logout() {
+    const config = loadAuthConfig();
+    if (config.token) {
+        const bases = getAuthBaseCandidates(config.apiUrl || getApiUrl());
+        const logoutPaths = ['/auth/logout', '/api/auth/logout', '/api/logout'];
+        let remoteLogoutDone = false;
+        for (const base of bases) {
+            for (const route of logoutPaths) {
+                try {
+                    await requestJson(`${trimTrailingSlash(base)}${route}`, {
+                        method: 'POST',
+                        headers: { authorization: `Bearer ${config.token}` },
+                    });
+                    remoteLogoutDone = true;
+                    break;
+                }
+                catch {
+                    // Continue trying known routes.
+                }
+            }
+            if (remoteLogoutDone) {
+                break;
+            }
+        }
+        if (!remoteLogoutDone) {
+            console.warn(chalk_1.default.yellow('Remote logout endpoint not reachable; local credentials were still cleared.'));
+        }
+    }
+    clearAuthConfig();
+    process.exitCode = 0;
 }
-async function loginWithDeviceCode(options = {}) {
-    const apiUrl = getApiUrl(options.apiUrl);
-    const start = await postJson(`${apiUrl}/api/auth/device`, { client: 'vigthoria-cli' });
-    const verificationUri = start.verificationUri || start.verification_uri;
-    const userCode = start.userCode || start.user_code;
-    const deviceCode = start.deviceCode || start.device_code;
-    if (!verificationUri || !userCode || !deviceCode)
-        throw new Error('Device authorization endpoint returned an incomplete response.');
-    console.log(`Open this URL to authenticate: ${verificationUri}`);
-    console.log(`Enter code: ${userCode}`);
-    const timeoutAt = Date.now() + (options.pollTimeoutMs ?? 10 * 60 * 1000);
-    const intervalMs = Math.max(1000, (start.interval ?? 5) * 1000);
-    while (Date.now() < timeoutAt) {
-        await (0, promises_1.setTimeout)(intervalMs);
+async function whoami() {
+    const config = loadAuthConfig();
+    if (!config.token) {
+        return undefined;
+    }
+    const bases = getAuthBaseCandidates(config.apiUrl || getApiUrl());
+    const attempted = [];
+    for (const base of bases) {
+        const normalizedBase = trimTrailingSlash(base);
+        const getRoutes = ['/auth/me', '/api/auth/me', '/api/user/info', '/api/profile'];
+        for (const route of getRoutes) {
+            const endpoint = `${normalizedBase}${route}`;
+            attempted.push(endpoint);
+            try {
+                const result = await requestJson(endpoint, {
+                    method: 'GET',
+                    headers: { authorization: `Bearer ${config.token}` },
+                });
+                const user = extractAuthUser(result) || extractAuthUser(result.user);
+                if (user) {
+                    saveAuthConfig({ ...config, apiUrl: normalizedBase, user });
+                    return user;
+                }
+            }
+            catch {
+                // continue fallback route probing
+            }
+        }
+        const verifyEndpoint = `${normalizedBase}/api/auth/verify`;
+        attempted.push(verifyEndpoint);
         try {
-            const result = await postJson(`${apiUrl}/api/auth/device/complete`, { deviceCode, device_code: deviceCode, client: 'vigthoria-cli' });
-            if (result.accessToken || result.token) {
-                const session = normalizeSession(result, apiUrl);
-                writeAuthSession(session);
-                return session;
+            const result = await requestJson(verifyEndpoint, {
+                method: 'POST',
+                headers: { authorization: `Bearer ${config.token}` },
+                body: JSON.stringify({ token: config.token }),
+            });
+            const user = extractAuthUser(result) || extractAuthUser(result.user);
+            if (user) {
+                saveAuthConfig({ ...config, apiUrl: normalizedBase, user });
+                return user;
             }
         }
-        catch (error) {
-            const message = asErrorMessage(error);
-            if (!/pending|authorization_pending|slow_down/i.test(message))
-                throw new Error(message);
+        catch {
+            // continue fallback route probing
         }
     }
-    throw new Error('Timed out waiting for device authentication.');
+    throw new Error(`Unable to verify account on known auth endpoints. Tried ${attempted.join(', ')}`);
 }
-async function getValidAuthSession() {
-    const session = readAuthSession();
-    if (!session)
-        return null;
-    if (!isExpired(session))
-        return session;
-    if (!session.refreshToken) {
-        clearAuthSession();
-        return null;
-    }
-    const state = {
-        token: session.accessToken,
-        expiresAt: session.expiresAt ?? null,
-        refreshToken: session.refreshToken,
-        apiUrl: session.apiUrl,
-        isExpired: () => true,
+async function doctor() {
+    const config = loadAuthConfig();
+    const report = {
+        nodeVersion: process.version,
+        platform: process.platform,
+        arch: process.arch,
+        configFile: CONFIG_FILE,
+        loggedIn: Boolean(config.token),
+        apiUrl: config.apiUrl,
     };
-    const token = await refreshJwtIfNeeded(state);
-    return token ? readAuthSession() : null;
-}
-function printSession(session) {
-    const user = session.user?.email || session.user?.name || session.user?.id || 'authenticated user';
-    console.log(`Authenticated as ${user}`);
-    console.log(`API: ${session.apiUrl}`);
-    if (session.expiresAt)
-        console.log(`Expires: ${new Date(session.expiresAt).toLocaleString()}`);
+    process.exitCode = 0;
+    return report;
 }
-async function loginAction(options = {}) {
+async function handleLogin(options = {}) {
     try {
-        const session = options.token
-            ? await loginWithToken(options.token, options)
-            : options.email && options.password
-                ? await loginWithCredentials(options.email, options.password, options)
-                : await loginWithDeviceCode(options);
-        console.log('Login successful.');
-        printSession(session);
-    }
-    catch (error) {
-        clearAuthSession();
-        throw new Error(asErrorMessage(error));
-    }
-}
-async function logoutAction(state) {
-    const session = readAuthSession();
-    if (session) {
-        try {
-            await postJson(`${session.apiUrl}/api/auth/logout`, { client: 'vigthoria-cli' }, session.accessToken);
+        if (options.token) {
+            const config = {
+                apiUrl: getApiUrl(),
+                token: options.token,
+                success: true,
+            };
+            saveAuthConfig(config);
+            console.log(chalk_1.default.green('Logged in successfully with API token.'));
+            process.exitCode = 0;
+            return config;
         }
-        catch (error) {
-            console.warn('Remote logout failed; local session will still be cleared:', asErrorMessage(error));
+        let email = options.email?.trim();
+        let password = options.password;
+        if (options.device) {
+            console.log(chalk_1.default.yellow('Device-code login is not enabled by this Vigthoria service. Falling back to email and password authentication.'));
+        }
+        if (!email) {
+            email = (await ask('Email: ')).trim();
+        }
+        if (!password) {
+            password = await ask('Password: ', true);
         }
+        if (!email || !password) {
+            throw new Error('Email and password are required. Use --email and --password, or run vigthoria login interactively.');
+        }
+        const config = await login(email, password);
+        console.log(chalk_1.default.green('Logged in successfully.'));
+        if (config.user?.email) {
+            console.log(`Account: ${config.user.email}`);
+        }
+        console.log(`API: ${config.apiUrl}`);
+        process.exitCode = 0;
+        return config;
     }
-    if (!clearAuthSession(state))
+    catch (error) {
+        console.error(chalk_1.default.red(`Login failed: ${humanMessage(error)}`));
         process.exitCode = 1;
-    else
-        console.log('Logged out.');
+        return undefined;
+    }
 }
-async function handleLogin(config) {
+async function handleLogout(_options) {
     try {
-        await loginAction(config || {});
+        await logout();
+        console.log(chalk_1.default.green('Logged out successfully.'));
+        process.exitCode = 0;
     }
     catch (error) {
-        console.error('Login failed:', asErrorMessage(error));
+        console.error(chalk_1.default.red(`Logout failed: ${humanMessage(error)}`));
         process.exitCode = 1;
     }
 }
-async function handleLogout(config) {
-    await logoutAction(config && typeof config === 'object' ? config : null);
-}
 async function statusAction() {
-    const session = await getValidAuthSession();
-    if (!session) {
-        console.log('Not authenticated. Run `vigthoria auth login` to sign in.');
+    try {
+        const config = loadAuthConfig();
+        if (!config.token) {
+            console.log(chalk_1.default.yellow('Not logged in.'));
+            process.exitCode = 0;
+            return;
+        }
+        let user = config.user;
+        try {
+            user = await whoami();
+        }
+        catch {
+            // Keep local status available even if remote whoami endpoint is down.
+        }
+        const sharedConfig = new config_js_1.Config();
+        let overallStatus = 'Unknown';
+        let coderStatus = 'Unknown';
+        let modelsStatus = 'Unknown';
+        try {
+            const [coderResponse, modelsResponse] = await Promise.all([
+                fetch(`${trimTrailingSlash(config.apiUrl)}/api/health`),
+                fetch('https://api.vigthoria.io/health'),
+            ]);
+            const coderJson = await coderResponse.json().catch(() => ({}));
+            const modelsJson = await modelsResponse.json().catch(() => ({}));
+            const coderOk = coderResponse.ok && (coderJson.status === 'ok' || coderJson.healthy === true);
+            const modelsOk = modelsResponse.ok && (modelsJson.status === 'ok' || modelsJson.status === 'healthy' || modelsJson.healthy === true);
+            coderStatus = coderOk ? 'Online' : 'Offline';
+            modelsStatus = modelsOk ? 'Online' : 'Offline';
+            overallStatus = coderOk && modelsOk ? 'Healthy' : 'Degraded';
+        }
+        catch {
+            // Status should still render even if health probes fail.
+        }
+        const plan = String(sharedConfig.get('subscription')?.plan || '').trim();
+        console.log(chalk_1.default.white('Account Status'));
+        console.log(chalk_1.default.green('Logged in.'));
+        if (user?.email) {
+            console.log(`Account: ${user.email}`);
+        }
+        if (plan) {
+            console.log(`Plan: ${plan.toUpperCase()}`);
+        }
+        console.log(`Overall: ${overallStatus}`);
+        console.log(`Coder API: ${coderStatus}`);
+        console.log(`Models API: ${modelsStatus}`);
+        console.log(`API: ${config.apiUrl}`);
+        process.exitCode = 0;
+    }
+    catch (error) {
+        console.error(chalk_1.default.red(`Unable to read status: ${humanMessage(error)}`));
         process.exitCode = 1;
-        return;
     }
-    printSession(session);
 }
-function createAuthCommand() {
-    const auth = new commander_1.Command('auth').description('Manage Vigthoria CLI authentication');
+function registerAuthCommands(program) {
+    const auth = program.command('auth').description('Manage Vigthoria CLI authentication');
     auth
         .command('login')
-        .description('Sign in to Vigthoria')
-        .option('--token <token>', 'use an existing access token')
-        .option('--email <email>', 'account email for password login')
-        .option('--password <password>', 'account password for password login')
-        .option('--api-url <url>', 'Vigthoria API URL')
-        .option('--device', 'force browser/device-code login')
+        .description('Sign in with your Vigthoria account')
+        .option('-t, --token <token>', 'API token for token-based authentication')
+        .option('-e, --email <email>', 'Account email address')
+        .option('-p, --password <password>', 'Account password')
+        .option('--device', 'Use OAuth device flow (requires server support)')
         .action(async (options) => {
         await handleLogin(options);
     });
     auth
         .command('logout')
-        .description('Clear the saved Vigthoria session')
+        .description('Sign out and remove saved credentials')
         .action(async () => {
-        await handleLogout(null);
+        await handleLogout();
     });
     auth
-        .command('status')
-        .description('Show current authentication status')
+        .command('whoami')
+        .description('Show the authenticated Vigthoria account')
         .action(async () => {
-        await statusAction();
+        try {
+            const user = await whoami();
+            if (!user) {
+                console.log(chalk_1.default.yellow('Not logged in.'));
+                process.exitCode = 0;
+                return;
+            }
+            console.log(chalk_1.default.green('Logged in.'));
+            console.log(user.email || user.name || user.id || 'Authenticated user');
+            process.exitCode = 0;
+        }
+        catch (error) {
+            console.error(chalk_1.default.red(`Unable to fetch account: ${humanMessage(error)}`));
+            process.exitCode = 1;
+        }
     });
-    auth.action(() => auth.help());
-    return auth;
-}
-function registerAuthCommand(program) {
-    const command = createAuthCommand();
-    program.addCommand(command);
-    return command;
 }
-exports.authCommand = createAuthCommand();
-exports.default = exports.authCommand;