crocoder-dev
diff --git a/‎cli/src/app.rs‎
Lines changed: 38 additions & 0 deletions b/‎cli/src/app.rs‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎cli/src/command_surface.rs‎
Lines changed: 9 additions & 2 deletions b/‎cli/src/command_surface.rs‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎cli/src/services/logout.rs‎
Lines changed: 151 additions & 0 deletions b/‎cli/src/services/logout.rs‎
Lines changed: 151 additions & 0 deletions
diff --git a/‎cli/src/services/mod.rs‎
Lines changed: 1 addition & 0 deletions b/‎cli/src/services/mod.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎context/architecture.md‎
Lines changed: 2 additions & 2 deletions b/‎context/architecture.md‎
Lines changed: 2 additions & 2 deletions
@@ -114,6 +114,8 @@ enum Command {
     DoctorHelp,
     Login(services::login::LoginRequest),
     LoginHelp,
+    Logout(services::logout::LogoutRequest),
+    LogoutHelp,
     Mcp(services::mcp::McpRequest),
     McpHelp,
     Hooks(services::hooks::HookSubcommand),
@@ -133,6 +135,7 @@ impl Command {
             Self::Setup(_) | Self::SetupHelp => services::setup::NAME,
             Self::Doctor(_) | Self::DoctorHelp => services::doctor::NAME,
             Self::Login(_) | Self::LoginHelp => services::login::NAME,
+            Self::Logout(_) | Self::LogoutHelp => services::logout::NAME,
             Self::Mcp(_) | Self::McpHelp => services::mcp::NAME,
             Self::Hooks(_) | Self::HooksHelp => services::hooks::NAME,
             Self::Sync(_) | Self::SyncHelp => services::sync::NAME,
@@ -352,6 +355,7 @@ fn parse_subcommand(value: String, tail_args: Vec<String>) -> Result<Command, Cl
         "setup" => parse_setup_subcommand(tail_args),
         "doctor" => parse_doctor_subcommand(tail_args),
         "login" => parse_login_subcommand(tail_args),
+        "logout" => parse_logout_subcommand(tail_args),
         "mcp" => parse_mcp_subcommand(tail_args),
         "hooks" => parse_hooks_subcommand(tail_args),
         "sync" => parse_sync_subcommand(tail_args),
@@ -441,6 +445,16 @@ fn parse_sync_subcommand(args: Vec<String>) -> Result<Command, ClassifiedError>
     Ok(Command::Sync(request))
 }
 
+fn parse_logout_subcommand(args: Vec<String>) -> Result<Command, ClassifiedError> {
+    if args.len() == 1 && (args[0] == "--help" || args[0] == "-h") {
+        return Ok(Command::LogoutHelp);
+    }
+
+    let request = services::logout::parse_logout_request(args)
+        .map_err(|error| ClassifiedError::validation(error.to_string()))?;
+    Ok(Command::Logout(request))
+}
+
 fn parse_hooks_subcommand(args: Vec<String>) -> Result<Command, ClassifiedError> {
     if args.len() == 1 && (args[0] == "--help" || args[0] == "-h") {
         return Ok(Command::HooksHelp);
@@ -514,6 +528,9 @@ fn dispatch(command: &Command) -> Result<String, ClassifiedError> {
         Command::LoginHelp => Ok(services::login::login_usage_text().to_string()),
         Command::Login(request) => services::login::run_login(*request)
             .map_err(|error| ClassifiedError::runtime(error.to_string())),
+        Command::LogoutHelp => Ok(services::logout::logout_usage_text().to_string()),
+        Command::Logout(request) => services::logout::run_logout(*request)
+            .map_err(|error| ClassifiedError::runtime(error.to_string())),
         Command::McpHelp => Ok(services::mcp::mcp_usage_text().to_string()),
         Command::Mcp(request) => services::mcp::run_placeholder_mcp(*request)
             .map_err(|error| ClassifiedError::runtime(error.to_string())),
@@ -719,6 +736,16 @@ mod tests {
         assert_eq!(code, ExitCode::SUCCESS);
     }
 
+    #[test]
+    fn logout_help_exits_success() {
+        let code = run(vec![
+            "sce".to_string(),
+            "logout".to_string(),
+            "--help".to_string(),
+        ]);
+        assert_eq!(code, ExitCode::SUCCESS);
+    }
+
     #[test]
     fn hooks_help_exits_success() {
         let code = run(vec![
@@ -1036,6 +1063,17 @@ mod tests {
         assert_eq!(command, Command::LoginHelp);
     }
 
+    #[test]
+    fn parser_routes_logout_help() {
+        let command = parse_command(vec![
+            "sce".to_string(),
+            "logout".to_string(),
+            "--help".to_string(),
+        ])
+        .expect("command should parse");
+        assert_eq!(command, Command::LogoutHelp);
+    }
+
     #[test]
     fn parser_routes_mcp_json_format() {
         let command = parse_command(vec![
 
@@ -39,6 +39,11 @@ pub const COMMANDS: &[CommandContract] = &[
         status: ImplementationStatus::Implemented,
         purpose: "Authenticate with WorkOS via OAuth device flow",
     },
+    CommandContract {
+        name: services::logout::NAME,
+        status: ImplementationStatus::Implemented,
+        purpose: "Clear locally stored WorkOS authentication credentials",
+    },
     CommandContract {
         name: services::mcp::NAME,
         status: ImplementationStatus::Placeholder,
@@ -91,11 +96,11 @@ Config usage:\n  sce config <show|validate> [--format <text|json>] [options]\n\n
 Setup usage:\n  sce setup [--opencode|--claude|--both] [--non-interactive] [--hooks] [--repo <path>]\n\n\
 Completion usage:\n  sce completion --shell <bash|zsh|fish>\n\n\
 Output format contract:\n  Supported commands accept --format <text|json>\n\n\
-Examples:\n  sce setup\n  sce setup --opencode --non-interactive --hooks\n  sce setup --hooks --repo ../demo-repo\n  sce doctor --format json\n  sce version --format json\n  WORKOS_CLIENT_ID=client_123 sce login\n\n\
+Examples:\n  sce setup\n  sce setup --opencode --non-interactive --hooks\n  sce setup --hooks --repo ../demo-repo\n  sce doctor --format json\n  sce version --format json\n  WORKOS_CLIENT_ID=client_123 sce login\n  sce logout\n\n\
 Commands:\n{}\n\n\
 Setup defaults to interactive target selection when no setup target flag is passed, and installs hooks in the same run.\n\
 Use '--hooks' to install required git hooks for the current repository or '--repo <path>' for a specific repository.\n\
-`setup`, `doctor`, `hooks`, and `login` are implemented; `mcp` and `sync` remain placeholder-oriented.\n",
+`setup`, `doctor`, `hooks`, `login`, and `logout` are implemented; `mcp` and `sync` remain placeholder-oriented.\n",
         command_rows
     )
 }
@@ -143,6 +148,8 @@ mod tests {
         let help = help_text();
         assert!(help.contains("login"));
         assert!(help.contains("WORKOS_CLIENT_ID=client_123 sce login"));
+        assert!(help.contains("logout"));
+        assert!(help.contains("sce logout"));
     }
 
     #[test]
 
@@ -0,0 +1,151 @@
+use std::fs;
+use std::path::Path;
+
+use anyhow::{bail, Context, Result};
+use lexopt::Arg;
+use lexopt::ValueExt;
+
+use crate::services::token_storage::token_file_path;
+
+pub const NAME: &str = "logout";
+
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+pub struct LogoutRequest;
+
+pub fn logout_usage_text() -> &'static str {
+    "Usage:\n  sce logout\n\nDescription:\n  Delete locally stored WorkOS authentication tokens.\n\nExamples:\n  sce logout"
+}
+
+pub fn parse_logout_request(args: Vec<String>) -> Result<LogoutRequest> {
+    let mut parser = lexopt::Parser::from_args(args);
+
+    if let Some(arg) = parser.next()? {
+        match arg {
+            Arg::Long("help") | Arg::Short('h') => {
+                bail!("Use 'sce logout --help' for logout usage.");
+            }
+            Arg::Long(option) => {
+                bail!(
+                    "Unknown logout option '--{}'. Run 'sce logout --help' to see valid usage.",
+                    option
+                );
+            }
+            Arg::Short(option) => {
+                bail!(
+                    "Unknown logout option '-{}'. Run 'sce logout --help' to see valid usage.",
+                    option
+                );
+            }
+            Arg::Value(value) => {
+                bail!(
+                    "Unexpected logout argument '{}'. Run 'sce logout --help' to see valid usage.",
+                    value.string()?
+                );
+            }
+        }
+    }
+
+    Ok(LogoutRequest)
+}
+
+pub fn run_logout(_request: LogoutRequest) -> Result<String> {
+    let path = token_file_path().context("failed to resolve token storage path")?;
+    remove_token_file_at_path(&path)
+}
+
+fn remove_token_file_at_path(path: &Path) -> Result<String> {
+    match fs::remove_file(path) {
+        Ok(()) => Ok(format!(
+            "Logged out successfully. Removed stored WorkOS credentials at '{}'.",
+            path.display()
+        )),
+        Err(error) if error.kind() == std::io::ErrorKind::NotFound => {
+            Ok("No stored WorkOS credentials were found. You are already logged out.".to_string())
+        }
+        Err(error) => Err(error)
+            .with_context(|| {
+                format!(
+                    "failed to delete stored WorkOS credentials at '{}'",
+                    path.display()
+                )
+            })
+            .context(
+                "Try: verify file permissions for the auth state directory and rerun 'sce logout'",
+            ),
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use std::fs;
+
+    use super::{
+        logout_usage_text, parse_logout_request, remove_token_file_at_path, LogoutRequest,
+    };
+
+    fn unique_test_path(test_name: &str) -> std::path::PathBuf {
+        let unique = format!(
+            "sce-logout-{}-{}-{}",
+            test_name,
+            std::process::id(),
+            std::time::SystemTime::now()
+                .duration_since(std::time::UNIX_EPOCH)
+                .expect("system clock should be after unix epoch")
+                .as_nanos()
+        );
+        std::env::temp_dir().join(unique).join("tokens.json")
+    }
+
+    #[test]
+    fn parse_logout_accepts_no_arguments() {
+        let request = parse_logout_request(vec![]).expect("logout request should parse");
+        assert_eq!(request, LogoutRequest);
+    }
+
+    #[test]
+    fn parse_logout_rejects_unexpected_argument() {
+        let error = parse_logout_request(vec!["extra".to_string()])
+            .expect_err("unexpected argument should fail");
+        assert_eq!(
+            error.to_string(),
+            "Unexpected logout argument 'extra'. Run 'sce logout --help' to see valid usage."
+        );
+    }
+
+    #[test]
+    fn usage_mentions_logout_command() {
+        let usage = logout_usage_text();
+        assert!(usage.contains("sce logout"));
+    }
+
+    #[test]
+    fn remove_token_file_deletes_existing_file() {
+        let token_path = unique_test_path("delete-existing");
+        let parent = token_path.parent().expect("token path should have parent");
+        fs::create_dir_all(parent).expect("should create parent directory");
+        fs::write(&token_path, "{}").expect("should create token file");
+
+        let result = remove_token_file_at_path(&token_path).expect("logout should succeed");
+        assert!(result.contains("Logged out successfully"));
+        assert!(!token_path.exists());
+
+        let _ = fs::remove_dir_all(
+            token_path
+                .parent()
+                .and_then(|path| path.parent())
+                .expect("temp tree should have two parent levels"),
+        );
+    }
+
+    #[test]
+    fn remove_token_file_handles_missing_file() {
+        let token_path = unique_test_path("already-logged-out");
+
+        let result =
+            remove_token_file_at_path(&token_path).expect("missing token file should not fail");
+        assert_eq!(
+            result,
+            "No stored WorkOS credentials were found. You are already logged out."
+        );
+    }
+}
@@ -7,6 +7,7 @@ pub mod hooks;
 pub mod hosted_reconciliation;
 pub mod local_db;
 pub mod login;
+pub mod logout;
 pub mod mcp;
 pub mod observability;
 pub mod output_format;