@4ort/cli 0.8.4 → 0.8.6

package/dist/index.js

@@ -34,7 +34,7 @@ const program = new Command();
 program
     .name("4ort")
     .description("Unified CLI for the 4ort ecosystem — hosting, knowledge graph, and more")
-    .version("0.8.4");
+    .version("0.8.6");
 // ─────────────────────────────────────────────────────────────────────
 // 4ort.net subdomain hosting
 // ─────────────────────────────────────────────────────────────────────

package/dist/peertube-client.js

@@ -62,19 +62,46 @@ export async function getToken(server, client, username, password) {
     return { accessToken: j.access_token, refreshToken: j.refresh_token };
 }
 async function refresh(cfg) {
-    const body = new URLSearchParams({
-        client_id: cfg.clientId,
-        client_secret: cfg.clientSecret,
-        grant_type: "refresh_token",
-        refresh_token: cfg.refreshToken,
-    });
-    const j = await asJson(await fetch(`${base(cfg.server)}/api/v1/users/token`, {
-        method: "POST",
-        headers: { "content-type": "application/x-www-form-urlencoded" },
-        body,
-    }));
-    const next = { ...cfg, accessToken: j.access_token, refreshToken: j.refresh_token };
-    saveMovConfig(next);
+    let next;
+    try {
+        const body = new URLSearchParams({
+            client_id: cfg.clientId,
+            client_secret: cfg.clientSecret,
+            grant_type: "refresh_token",
+            refresh_token: cfg.refreshToken,
+        });
+        const j = await asJson(await fetch(`${base(cfg.server)}/api/v1/users/token`, {
+            method: "POST",
+            headers: { "content-type": "application/x-www-form-urlencoded" },
+            body,
+        }));
+        next = { ...cfg, accessToken: j.access_token, refreshToken: j.refresh_token };
+    }
+    catch (err) {
+        // Refresh tokens are single-use: if a rotated token is ever lost (e.g. a
+        // read-only config in a container), refresh dies with invalid_grant
+        // forever. Recover with a full password grant when env creds exist.
+        const username = process.env.FORT_MOV_USERNAME || cfg.username;
+        const password = process.env.FORT_MOV_PASSWORD;
+        if (!username || !password)
+            throw err;
+        const client = await getOAuthClient(cfg.server);
+        const tok = await getToken(cfg.server, client, username, password);
+        next = {
+            ...cfg,
+            clientId: client.clientId,
+            clientSecret: client.clientSecret,
+            accessToken: tok.accessToken,
+            refreshToken: tok.refreshToken,
+            username,
+        };
+    }
+    try {
+        saveMovConfig(next);
+    }
+    catch {
+        // Read-only config (containerized factory) — keep going with in-memory tokens.
+    }
     return next;
 }
 /** Authenticated JSON request with one transparent refresh-on-401 retry. */

package/dist/peertube-client.js.map

@@ -1 +1 @@
-{"version":3,"file":"peertube-client.js","sourceRoot":"","sources":["../src/peertube-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,EAAa,aAAa,EAAE,MAAM,aAAa,CAAC;AAkBvD,MAAM,OAAO,GAA2B,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;AAE5F,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACxB,IAAI,CAAC,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,oBAAoB,IAAI,sCAAsC,CAAC,CAAC;IACxF,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAc,EAAE,SAAiB;IAC7D,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,SAAS,EAAE,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,QAAmB,EAAE,eAAwB;IAC5E,IAAI,CAAC,QAAQ,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACvE,IAAI,CAAC,eAAe;QAAE,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC5C,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,IAAI,CAAC,CAAC,WAAW,KAAK,eAAe,CAAC,CAAC;IAClG,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,eAAe,YAAY,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACrH,OAAO,GAAG,CAAC,EAAE,CAAC;AAChB,CAAC;AAED,SAAS,IAAI,CAAC,MAAc;IAC1B,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACnC,CAAC;AAED,KAAK,UAAU,MAAM,CAAC,GAAa;IACjC,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC9B,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,MAAM,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACxF,OAAO,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACtC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAc;IACjD,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,6BAA6B,CAAC,CAAC,CAAC;IAClF,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAC,SAAS,EAAE,YAAY,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC;AAClE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,MAAc,EAAE,MAAmB,EAAE,QAAgB,EAAE,QAAgB;IACpG,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;QAClC,UAAU,EAAE,UAAU;QACtB,QAAQ;QACR,QAAQ;KACT,CAAC,CAAC;IACH,MAAM,CAAC,GAAG,MAAM,MAAM,CACpB,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,qBAAqB,EAAE;QAChD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;KACL,CAAC,CACH,CAAC;IACF,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC,YAAY,EAAE,YAAY,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC;AACxE,CAAC;AAED,KAAK,UAAU,OAAO,CAAC,GAAc;IACnC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,SAAS,EAAE,GAAG,CAAC,QAAQ;QACvB,aAAa,EAAE,GAAG,CAAC,YAAY;QAC/B,UAAU,EAAE,eAAe;QAC3B,aAAa,EAAE,GAAG,CAAC,YAAY;KAChC,CAAC,CAAC;IACH,MAAM,CAAC,GAAG,MAAM,MAAM,CACpB,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,qBAAqB,EAAE;QACpD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;KACL,CAAC,CACH,CAAC;IACF,MAAM,IAAI,GAAG,EAAE,GAAG,GAAG,EAAE,WAAW,EAAE,CAAC,CAAC,YAAY,EAAE,YAAY,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC;IACpF,aAAa,CAAC,IAAI,CAAC,CAAC;IACpB,OAAO,IAAI,CAAC;AACd,CAAC;AAED,4EAA4E;AAC5E,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAc,EAAE,IAAY,EAAE,OAA4C,EAAE;IAC1G,MAAM,IAAI,GAAG,CAAC,KAAa,EAAE,EAAE,CAC7B,KAAK,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,EAAE;QAClC,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,KAAK;QAC5B,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE;QAC3G,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;KACxD,CAAC,CAAC;IACL,IAAI,GAAG,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACtC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,GAA2B,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;AAC/G,MAAM,UAAU,GAA2B,EAAE,MAAM,EAAE,YAAY,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;AAEhH,SAAS,OAAO,CAAC,IAAY,EAAE,KAA6B,EAAE,QAAgB;IAC5E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IAC5D,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC;AAChC,CAAC;AAYD,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,GAAc,EAAE,CAAa;IAC7D,MAAM,IAAI,GAAG,IAAI,QAAQ,EAAE,CAAC;IAC5B,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;IACzB,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;IAC3C,IAAI,CAAC,CAAC,OAAO;QAAE,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IACtD,IAAI,CAAC,CAAC,WAAW;QAAE,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,WAAW,CAAC,CAAC;IAC1D,IAAI,CAAC,CAAC,IAAI;QAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAC/C,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,UAAU,EAAE,WAAW,CAAC,EAAE,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAC7G,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;QAChB,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QACnD,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,EAAE,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;IAC7H,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,KAAa,EAAE,EAAE,CAC7B,KAAK,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,uBAAuB,EAAE;QAChD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE;QAC7C,IAAI,EAAE,IAAI;KACX,CAAC,CAAC;IACL,IAAI,GAAG,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACtC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IACtC,CAAC;IACD,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,CAAC,CAAC,KAAK,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAc;IACjD,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;IACpD,OAAO,CAAC,EAAE,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AAC5G,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAc,EAAE,IAAY;IAC9D,MAAM,CAAC,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,wBAAwB,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;IAChH,OAAO,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAc;IAC/C,MAAM,CAAC,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;IAC1D,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;AAC/H,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,GAAc,EAAE,EAAU;IAC1D,MAAM,SAAS,CAAC,GAAG,EAAE,kBAAkB,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;AACrE,CAAC"}
+{"version":3,"file":"peertube-client.js","sourceRoot":"","sources":["../src/peertube-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,EAAa,aAAa,EAAE,MAAM,aAAa,CAAC;AAkBvD,MAAM,OAAO,GAA2B,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;AAE5F,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACxB,IAAI,CAAC,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,oBAAoB,IAAI,sCAAsC,CAAC,CAAC;IACxF,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAc,EAAE,SAAiB;IAC7D,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,SAAS,EAAE,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,QAAmB,EAAE,eAAwB;IAC5E,IAAI,CAAC,QAAQ,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACvE,IAAI,CAAC,eAAe;QAAE,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC5C,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,IAAI,CAAC,CAAC,WAAW,KAAK,eAAe,CAAC,CAAC;IAClG,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,eAAe,YAAY,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACrH,OAAO,GAAG,CAAC,EAAE,CAAC;AAChB,CAAC;AAED,SAAS,IAAI,CAAC,MAAc;IAC1B,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACnC,CAAC;AAED,KAAK,UAAU,MAAM,CAAC,GAAa;IACjC,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC9B,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,MAAM,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACxF,OAAO,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACtC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAc;IACjD,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,6BAA6B,CAAC,CAAC,CAAC;IAClF,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAC,SAAS,EAAE,YAAY,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC;AAClE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,MAAc,EAAE,MAAmB,EAAE,QAAgB,EAAE,QAAgB;IACpG,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;QAClC,UAAU,EAAE,UAAU;QACtB,QAAQ;QACR,QAAQ;KACT,CAAC,CAAC;IACH,MAAM,CAAC,GAAG,MAAM,MAAM,CACpB,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,qBAAqB,EAAE;QAChD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;KACL,CAAC,CACH,CAAC;IACF,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC,YAAY,EAAE,YAAY,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC;AACxE,CAAC;AAED,KAAK,UAAU,OAAO,CAAC,GAAc;IACnC,IAAI,IAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAC/B,SAAS,EAAE,GAAG,CAAC,QAAQ;YACvB,aAAa,EAAE,GAAG,CAAC,YAAY;YAC/B,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,GAAG,CAAC,YAAY;SAChC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,MAAM,CACpB,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,qBAAqB,EAAE;YACpD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI;SACL,CAAC,CACH,CAAC;QACF,IAAI,GAAG,EAAE,GAAG,GAAG,EAAE,WAAW,EAAE,CAAC,CAAC,YAAY,EAAE,YAAY,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC;IAChF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,yEAAyE;QACzE,oEAAoE;QACpE,oEAAoE;QACpE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,GAAG,CAAC,QAAQ,CAAC;QAC/D,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;QAC/C,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ;YAAE,MAAM,GAAG,CAAC;QACtC,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAChD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACnE,IAAI,GAAG;YACL,GAAG,GAAG;YACN,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,WAAW,EAAE,GAAG,CAAC,WAAW;YAC5B,YAAY,EAAE,GAAG,CAAC,YAAY;YAC9B,QAAQ;SACT,CAAC;IACJ,CAAC;IACD,IAAI,CAAC;QACH,aAAa,CAAC,IAAI,CAAC,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,+EAA+E;IACjF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,4EAA4E;AAC5E,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAc,EAAE,IAAY,EAAE,OAA4C,EAAE;IAC1G,MAAM,IAAI,GAAG,CAAC,KAAa,EAAE,EAAE,CAC7B,KAAK,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,EAAE;QAClC,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,KAAK;QAC5B,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE;QAC3G,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;KACxD,CAAC,CAAC;IACL,IAAI,GAAG,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACtC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,GAA2B,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;AAC/G,MAAM,UAAU,GAA2B,EAAE,MAAM,EAAE,YAAY,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;AAEhH,SAAS,OAAO,CAAC,IAAY,EAAE,KAA6B,EAAE,QAAgB;IAC5E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IAC5D,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC;AAChC,CAAC;AAYD,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,GAAc,EAAE,CAAa;IAC7D,MAAM,IAAI,GAAG,IAAI,QAAQ,EAAE,CAAC;IAC5B,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;IACzB,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;IAC3C,IAAI,CAAC,CAAC,OAAO;QAAE,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IACtD,IAAI,CAAC,CAAC,WAAW;QAAE,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,WAAW,CAAC,CAAC;IAC1D,IAAI,CAAC,CAAC,IAAI;QAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAC/C,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,UAAU,EAAE,WAAW,CAAC,EAAE,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAC7G,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;QAChB,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QACnD,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,EAAE,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;IAC7H,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,KAAa,EAAE,EAAE,CAC7B,KAAK,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,uBAAuB,EAAE;QAChD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE;QAC7C,IAAI,EAAE,IAAI;KACX,CAAC,CAAC;IACL,IAAI,GAAG,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACtC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IACtC,CAAC;IACD,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,CAAC,CAAC,KAAK,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAc;IACjD,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;IACpD,OAAO,CAAC,EAAE,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AAC5G,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAc,EAAE,IAAY;IAC9D,MAAM,CAAC,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,wBAAwB,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;IAChH,OAAO,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAc;IAC/C,MAAM,CAAC,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;IAC1D,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;AAC/H,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,GAAc,EAAE,EAAU;IAC1D,MAAM,SAAS,CAAC,GAAG,EAAE,kBAAkB,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;AACrE,CAAC"}

package/dist/peertube-refresh.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/peertube-refresh.test.js

@@ -0,0 +1,95 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import { createServer } from "node:http";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+// Sandbox the config file BEFORE importing anything that touches config.ts.
+const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "fort-refresh-"));
+process.env.HOME = tmp; // CONFIG_DIR derives from os.homedir()
+const { ptRequest } = await import("./peertube-client.js");
+function listen(handler) {
+    return new Promise((resolve) => {
+        const srv = createServer(handler);
+        srv.listen(0, "127.0.0.1", () => {
+            const a = srv.address();
+            resolve({ url: `http://127.0.0.1:${a.port}`, close: () => srv.close() });
+        });
+    });
+}
+test("dead refresh token recovers via password grant when env creds exist", async () => {
+    const grants = [];
+    const m = await listen(async (req, res) => {
+        res.setHeader("content-type", "application/json");
+        if (req.url === "/api/v1/users/token" && req.method === "POST") {
+            const chunks = [];
+            for await (const c of req)
+                chunks.push(c);
+            const body = new URLSearchParams(Buffer.concat(chunks).toString());
+            grants.push(body.get("grant_type"));
+            if (body.get("grant_type") === "refresh_token") {
+                res.statusCode = 400;
+                return res.end(JSON.stringify({ code: "invalid_grant" }));
+            }
+            return res.end(JSON.stringify({ access_token: "fresh-atok", refresh_token: "fresh-rtok" }));
+        }
+        if (req.url === "/api/v1/oauth-clients/local") {
+            return res.end(JSON.stringify({ client_id: "cid2", client_secret: "csec2" }));
+        }
+        if (req.url === "/api/v1/users/me") {
+            const auth = req.headers.authorization ?? "";
+            if (auth !== "Bearer fresh-atok") {
+                res.statusCode = 401;
+                return res.end("{}");
+            }
+            return res.end(JSON.stringify({ ok: true }));
+        }
+        res.statusCode = 404;
+        res.end("{}");
+    });
+    process.env.FORT_MOV_USERNAME = "video-factory";
+    process.env.FORT_MOV_PASSWORD = "pw123";
+    try {
+        const cfg = {
+            server: m.url,
+            accessToken: "stale-atok",
+            refreshToken: "dead-rtok",
+            clientId: "cid",
+            clientSecret: "csec",
+        };
+        const out = await ptRequest(cfg, "/api/v1/users/me");
+        assert.equal(out.ok, true);
+        // It tried the refresh grant first, then fell back to the password grant.
+        assert.deepEqual(grants, ["refresh_token", "password"]);
+    }
+    finally {
+        delete process.env.FORT_MOV_USERNAME;
+        delete process.env.FORT_MOV_PASSWORD;
+        m.close();
+    }
+});
+test("dead refresh token with no env creds still throws", async () => {
+    const m = await listen((req, res) => {
+        res.setHeader("content-type", "application/json");
+        if (req.url === "/api/v1/users/token") {
+            res.statusCode = 400;
+            return res.end(JSON.stringify({ code: "invalid_grant" }));
+        }
+        res.statusCode = 401;
+        res.end("{}");
+    });
+    try {
+        const cfg = {
+            server: m.url,
+            accessToken: "stale",
+            refreshToken: "dead",
+            clientId: "c",
+            clientSecret: "s",
+        };
+        await assert.rejects(ptRequest(cfg, "/api/v1/users/me"), /400/);
+    }
+    finally {
+        m.close();
+    }
+});
+//# sourceMappingURL=peertube-refresh.test.js.map

package/dist/peertube-refresh.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"peertube-refresh.test.js","sourceRoot":"","sources":["../src/peertube-refresh.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,4EAA4E;AAC5E,MAAM,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,eAAe,CAAC,CAAC,CAAC;AACpE,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,uCAAuC;AAE/D,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;AAE3D,SAAS,MAAM,CAAC,OAA2C;IACzD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;QAClC,GAAG,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YAC9B,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,EAAS,CAAC;YAC/B,OAAO,CAAC,EAAE,GAAG,EAAE,oBAAoB,CAAC,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAC3E,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,IAAI,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;IACrF,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACxC,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;QAClD,IAAI,GAAG,CAAC,GAAG,KAAK,qBAAqB,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/D,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,IAAI,KAAK,EAAE,MAAM,CAAC,IAAI,GAAG;gBAAE,MAAM,CAAC,IAAI,CAAC,CAAW,CAAC,CAAC;YACpD,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;YACnE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAE,CAAC,CAAC;YACrC,IAAI,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,KAAK,eAAe,EAAE,CAAC;gBAC/C,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC;YAC5D,CAAC;YACD,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC;QAC9F,CAAC;QACD,IAAI,GAAG,CAAC,GAAG,KAAK,6BAA6B,EAAE,CAAC;YAC9C,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QAChF,CAAC;QACD,IAAI,GAAG,CAAC,GAAG,KAAK,kBAAkB,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,IAAI,EAAE,CAAC;YAC7C,IAAI,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACjC,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACvB,CAAC;YACD,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC/C,CAAC;QACD,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;QACrB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,CAAC,iBAAiB,GAAG,eAAe,CAAC;IAChD,OAAO,CAAC,GAAG,CAAC,iBAAiB,GAAG,OAAO,CAAC;IACxC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG;YACV,MAAM,EAAE,CAAC,CAAC,GAAG;YACb,WAAW,EAAE,YAAY;YACzB,YAAY,EAAE,WAAW;YACzB,QAAQ,EAAE,KAAK;YACf,YAAY,EAAE,MAAM;SACrB,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;QACrD,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QAC3B,0EAA0E;QAC1E,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC,CAAC;IAC1D,CAAC;YAAS,CAAC;QACT,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;QACrC,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;QACrC,CAAC,CAAC,KAAK,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;IACnE,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAClC,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;QAClD,IAAI,GAAG,CAAC,GAAG,KAAK,qBAAqB,EAAE,CAAC;YACtC,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;YACrB,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC;QAC5D,CAAC;QACD,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;QACrB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC,CAAC,CAAC;IACH,IAAI,CAAC;QACH,MAAM,GAAG,GAAG;YACV,MAAM,EAAE,CAAC,CAAC,GAAG;YACb,WAAW,EAAE,OAAO;YACpB,YAAY,EAAE,MAAM;YACpB,QAAQ,EAAE,GAAG;YACb,YAAY,EAAE,GAAG;SAClB,CAAC;QACF,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,EAAE,kBAAkB,CAAC,EAAE,KAAK,CAAC,CAAC;IAClE,CAAC;YAAS,CAAC;QACT,CAAC,CAAC,KAAK,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC"}

package/docs/MCP.md

@@ -0,0 +1,77 @@
+# 🧠 `4ort mcp` — Run the CLI as an MCP server
+
+`@4ort/cli` is **both a CLI and an MCP server** in the same binary. Every
+subcommand surface (`kg`, `mov`, `web`, `vault run`, etc.) becomes an MCP tool
+when the CLI is launched in MCP mode — so any MCP-speaking agent gets the
+entire galaxy toolkit for free, without re-implementing anything.
+
+## Two modes
+
+```bash
+4ort mcp stdio     # local: pipe to a Claude/agent runner via stdin/stdout
+4ort mcp serve     # network: expose the MCP server over HTTP (for remote agents)
+```
+
+## stdio mode (most common)
+
+Wire the CLI as an MCP server in a Claude Desktop / Claude Code / Cursor / any
+MCP client config. Example (Claude Code-style):
+
+```jsonc
+{
+  "mcpServers": {
+    "4ort": {
+      "command": "4ort",
+      "args": ["mcp", "stdio"]
+    }
+  }
+}
+```
+
+The agent will discover tools like:
+- `4ort.kg.search`, `4ort.kg.ask`, `4ort.kg.entity`, `4ort.kg.match`,
+  `4ort.kg.popularity`, `4ort.kg.trending`, `4ort.kg.agent-context`,
+  `4ort.kg.article-context`
+- `4ort.mov.publish`, `4ort.mov.render`, `4ort.mov.list`
+- `4ort.web.get`
+- `4ort.search` (smart router)
+- `4ort.run` (vault-resolved subprocess)
+
+Identity is the CLI's existing `~/.4ort/config.json` — whichever keys you've
+configured (4ort.net, kg, vault) flow through to the agent.
+
+## serve mode (network)
+
+For remote agents or shared infrastructure:
+
+```bash
+4ort mcp serve --port 8080
+```
+
+Exposes the same tool surface over HTTP transport. Pair with reverse-proxy +
+auth as needed (the CLI itself doesn't add network auth — bring your own).
+
+## Where this fits in the galaxy
+
+- **Mission Control panels (ADR-0002 MCP-as-panels)** — the 4ort.ai agent can
+  call `4ort.kg.*` and `4ort.mov.*` tools directly via this surface; sidebar
+  panels render the results.
+- **The code-command sandbox** ships `@4ort/cli` baked into the image so every
+  spawned agent has these tools natively, no MCP wiring needed inside the
+  sandbox itself.
+- **The future "MCP Uplink"** property (galaxy plan
+  `plans/MCP_UPLINK_PLAN.md`) mounts `@4ort/cli` alongside open MCP servers
+  (Gmail, Slack, GitHub, etc.) into a unified MCP gateway.
+
+## Composing with the vault
+
+`4ort run` is also exposed as an MCP tool — meaning an agent can ask the CLI to
+**run a subprocess with vault-resolved secrets** without ever seeing the raw
+values. Great for "run my SQL migration with the prod DB password" workflows
+where the agent should never touch the secret.
+
+## Versioning / surface stability
+
+The MCP tool names and schemas track the CLI's commander.js definitions
+directly. When a new subcommand lands in the CLI, it's available as an MCP
+tool in the next published version (`npm install -g @4ort/cli@latest`).

package/docs/MOV.md

@@ -0,0 +1,136 @@
+# 🎬 `4ort mov` — Publishing video to 4ort.mov
+
+Since `@4ort/cli@0.6.0` (`publish`) + `0.7.0` (`render`). Two complementary
+flows for getting video onto the galaxy's PeerTube host (4ort.mov).
+
+## Setup
+
+```bash
+# one-time: mint your OWN 4ort.mov account + render token, then sign in with it
+4ort provision run video
+4ort mov login --provisioned
+
+# or sign in to an existing account interactively / non-interactively
+4ort mov login                       # prompts for username + password
+4ort mov login -u <user> -p <pass>   # non-interactive (agents/CI; or env
+                                     # FORT_MOV_USERNAME / FORT_MOV_PASSWORD)
+```
+
+All credentials persist to `~/.4ort/config.json` (mode `0600`). The CLI
+authenticates via PeerTube's OAuth on `/api/*`, so it never needs a separate
+site/gate credential.
+
+## Accounts & channels (per-user)
+
+`4ort mov` is **per-account**. Every user/agent has their own 4ort.mov account,
+so videos publish under **their own channel** — not a shared one.
+
+```bash
+# one-time: mint your own account + render token
+4ort provision run video
+4ort mov login --provisioned     # or: 4ort mov login -u <user> -p <pass>
+```
+
+**Which channel does a publish go to?**
+
+- No `--channel` → your account's **default (first) channel**.
+- `--channel <name>` → a channel **you own** by that name/displayName (the
+  command errors and lists your channels if there's no match).
+- `4ort mov channels --create <name>` → make a new channel under your account.
+
+So two agents running `4ort mov publish` land in two different channels — each
+writes only to its own account. (Admin/`root` is just another account; the
+autonomous pipelines historically published as `root`, but provisioned agents
+get their own.)
+
+## Two flows
+
+### Flow A — Direct publish (you have an MP4)
+
+```bash
+4ort mov publish ./my-video.mp4 \
+  --title "My Video" \
+  --channel galaxy \
+  --description "..." \
+  --thumbnail ./thumb.png \
+  --privacy unlisted
+```
+
+- Single-request multipart upload (`POST /api/v1/videos/upload`)
+- Prints the watch URL on success
+- Privacy: `public` / `unlisted` / `private` / `internal` (default `unlisted`)
+
+### Flow B — Render-and-publish (you have a HyperFrames composition dir)
+
+```bash
+4ort mov render ./my-composition --publish \
+  --title "My Composition" \
+  --channel galaxy
+```
+
+End-to-end agent publish chain in one command:
+
+```
+local dir of HyperFrames composition
+     │
+     ▼ tar (gitignore-respecting)
+     ▼
+POST to factory.4ort.mov (video-factory)
+     │
+     ▼ async job (poll for status)
+     ▼
+MP4 + preview frames back
+     │
+     ▼ (if --publish)
+     ▼
+4ort mov publish (under-the-hood)
+     │
+     ▼
+watch URL printed
+```
+
+This is the **path that 4ort.ai's agents inside the code-command sandbox use**
+to publish content end-to-end — the bridge spec is in `~/ai/code-command/docs/`
+and the engine is at `~/ai/4ort.mov/engine/`.
+
+## Other commands
+
+| Command | What it does |
+|---|---|
+| `4ort mov list` | List your videos on 4ort.mov |
+| `4ort mov channels` | List channels; `--create <name>` to make one |
+| `4ort mov delete <id>` | Delete a video (with confirm) |
+
+## Where this fits in the galaxy
+
+| Property | Role |
+|---|---|
+| **4ort.mov** | The PeerTube host (`~/ai/4ort.mov/`) — final destination for all videos |
+| **video-factory** | Render engine at `factory.4ort.mov` (lives in `~/ai/4ort.mov/engine/`) — turns HyperFrames compositions into MP4s |
+| **4ort-tv** | Long-form video pipeline — outputs HyperFrames compositions that get rendered + published via this CLI |
+| **4ort.stream** | Short-form autonomous pipeline — outputs MP4s directly; uses `4ort mov publish` (Flow A) |
+| **code-command sandbox** | Ships `@4ort/cli` baked in; the `4ort mov render --publish` chain is how spawned agents publish |
+
+## Auth model
+
+The CLI talks to PeerTube exclusively over `/api/*` using an OAuth bearer
+token (password grant at `4ort mov login`, transparently refreshed on 401).
+Any human-facing password wall on `4ort.mov` carves out `/api/*` (see
+`~/ai/4ort.mov/docs/AS-BUILT.md`, ADR-0009), so **automated publishes need no
+separate gate credential** — the bearer token is the only auth the CLI sends.
+Per-property security posture is in
+`~/ai/4ort-galaxy/property-notes/4ort-mov.md`.
+
+## Versioning / what's new
+
+- **0.6.0** — `4ort mov publish`: PeerTube upload + login + list/channels/delete
+- **0.7.0** — `4ort mov render`: dir → video-factory → optional publish in one command
+- **0.8.0** — `4ort provision run video` mints a per-agent 4ort.mov account + render
+  token; `4ort mov login --provisioned` signs in with it
+- **0.8.4** — shipped a verified, lint-passing render starter template at
+  `examples/fact-short.html` (`4ort mov render examples/fact-short.html -q draft`)
+- **0.8.5** — publish reliability: PeerTube token refresh now recovers from an
+  expired/rotated refresh token via a password-grant fallback (env or stored
+  credentials), so long-lived render hosts keep publishing
+- **0.8.6** — docs: documented the per-account channel model + provisioned login,
+  corrected the upload method (multipart, not resumable), refreshed the auth model

package/docs/VAULT.md

@@ -0,0 +1,86 @@
+# 🔑 `4ort vault` + `4ort run` — Secrets layer
+
+Since `@4ort/cli@0.5.0`. The galaxy's secrets layer, modeled directly on
+**1Password's `op run`** pattern: secrets live server-side in the 4ort.ai
+vault, the CLI fetches them at invocation time, and they're **injected
+into the child process only** — never written to disk.
+
+## The model in one line
+
+```
+secret ref in env  →  4ort run resolves it  →  child process gets the real value  →  exit
+                                                ↑
+                                       (plaintext never touches disk)
+```
+
+## Setup (one time per machine)
+
+```bash
+# 1. Get a vault token from Mission Control (4ort.ai → Secrets panel)
+#    The token is prefixed `4vt_…`
+
+# 2. Link this machine
+4ort vault login
+# → paste the 4vt_ token when prompted
+
+# 3. Verify
+4ort vault status
+# → prints: server, vault user, token (masked), connection OK
+```
+
+Token gets persisted to `~/.4ort/config.json` under `vault.token` (file mode `0600`).
+Vault server defaults to `https://4ort.ai`.
+
+## Using it
+
+### Reference secrets in env at runtime
+
+The reference shape is `4ort://service[/name]`:
+
+```bash
+# .env or shell:
+OPENAI_API_KEY=4ort://openai
+DATABASE_URL=4ort://postgres/prod
+SLACK_TOKEN=4ort://slack/team-a
+```
+
+### Run a command with refs resolved
+
+```bash
+4ort run -- python my_script.py
+4ort run -- npm start
+4ort run -- /usr/bin/env  # see what got injected (for debugging)
+```
+
+At invocation:
+1. CLI scans the env of the parent shell + any `.env` file in cwd
+2. For each `4ort://…` ref, fetches the real value from the vault
+3. Spawns the child process with the real values in its env
+4. Plaintext exists only in the child's memory; never lands on disk
+
+## Other commands
+
+| Command | What it does |
+|---|---|
+| `4ort vault login` | Paste a `4vt_` token; persist to `~/.4ort/config.json` |
+| `4ort vault status` | Show current vault identity + connection check |
+| `4ort vault logout` | Wipe the vault token (other identities preserved) |
+
+## Where this fits in the galaxy
+
+- **Same vault backend as the 4ort.ai Secrets panel** — the CLI is a peer client;
+  every UI write is visible to `4ort run` instantly.
+- **The code-command sandbox** uses the CLI inside spawned interpreters via
+  `FORT_CLI_CONFIG_B64` env (the config is materialized into the sandbox at
+  spawn-time so the sandboxed agent has vault access without seeing the token).
+- **The future "MCP Uplink"** property layers on top: third-party OAuth tokens
+  (Gmail / Slack / GitHub) get stored in the same vault, keyed by galaxy JWT
+  user-id. See `plans/MCP_UPLINK_PLAN.md` in the galaxy repo.
+
+## Security posture
+
+- Vault token is the only persistent secret on the machine
+- Per-service secrets are fetched fresh per `4ort run` invocation
+- `0600` perms on `~/.4ort/config.json`
+- Never echo `4ort vault status` output into logs (token is masked but the
+  shape gives away the service has one)

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@4ort/cli",
-  "version": "0.8.4",
-  "description": "Unified CLI for the 4ort ecosystem \u2014 4ort.net hosting, knowledge graph, and more",
+  "version": "0.8.6",
+  "description": "Unified CLI for the 4ort ecosystem — 4ort.net hosting, knowledge graph, and more",
   "type": "module",
   "bin": {
     "4ort": "./dist/index.js"
@@ -9,7 +9,8 @@
   "files": [
     "dist",
     "README.md",
-    "examples"
+    "examples",
+    "docs"
   ],
   "scripts": {
     "dev": "tsx src/index.ts",