@agentbridge1/cli 0.0.5 → 0.0.7

package/dist/build-info.json

@@ -1,6 +1,6 @@
 {
-  "builtAt": "2026-06-03T09:58:38.231Z",
-  "gitHead": "6fcc74c",
-  "sourceLatestMtime": "2026-06-03T05:08:44.109Z",
-  "sourceLatestFile": "src/commands/doctor.ts"
+  "builtAt": "2026-06-07T04:20:05.843Z",
+  "gitHead": "aa4b2fb",
+  "sourceLatestMtime": "2026-06-07T04:16:53.273Z",
+  "sourceLatestFile": "src/commands/room.ts"
 }

package/dist/commands/accept.js

@@ -10,6 +10,7 @@ const server_sync_1 = require("../server-sync");
 const operator_snapshot_1 = require("../operator-snapshot");
 const work_context_resolver_1 = require("../work-context-resolver");
 const error_catalog_1 = require("../error-catalog");
+const proof_obligations_1 = require("../proof-obligations");
 const acceptance_preflight_1 = require("../acceptance-preflight");
 const acceptance_block_1 = require("../acceptance-block");
 function resolveNetworkContext() {
@@ -36,10 +37,9 @@ function blockedErrorCode(report) {
     if ((report.out_of_scope_files ?? []).length > 0 || report.scope_status === "drift") {
         return "SCOPE_DRIFT_OUT_OF_SCOPE_FILE";
     }
-    if (report.decision === "needs_proof")
-        return "PROOF_MISSING";
-    if (report.decision === "stale_evidence")
-        return "PROOF_STALE_AFTER_CHANGE";
+    const proofCode = (0, proof_obligations_1.resolveProofBlockingErrorCode)(report);
+    if (proofCode)
+        return proofCode;
     return "ACCEPTANCE_BLOCKED";
 }
 function buildStructuredBlockedOutput(report) {

package/dist/commands/check.js

@@ -9,6 +9,7 @@ const acceptance_preflight_1 = require("../acceptance-preflight");
 const work_context_resolver_1 = require("../work-context-resolver");
 const operator_snapshot_1 = require("../operator-snapshot");
 const proof_guidance_1 = require("../proof-guidance");
+const proof_obligations_1 = require("../proof-obligations");
 const memory_context_render_1 = require("../memory-context-render");
 const acceptance_block_1 = require("../acceptance-block");
 function resolveNetworkContext() {
@@ -184,8 +185,16 @@ function renderAcceptanceReport(report) {
             }
         }
     }
+    const obligationSection = (0, proof_obligations_1.renderProofObligationSection)(report);
+    if (obligationSection.length > 0) {
+        lines.push(...obligationSection);
+    }
     lines.push(`Decision: ${report.decision}`);
-    if (report.decision === "needs_proof") {
+    const obligationErrorLines = (0, proof_obligations_1.renderProofObligationErrorLines)(report);
+    if (obligationErrorLines.length > 0) {
+        lines.push(...obligationErrorLines);
+    }
+    else if (report.decision === "needs_proof") {
         lines.push("✗ Error code: PROOF_MISSING");
         lines.push("  What happened: No verification proof exists for this work session.");
         lines.push("  Why it matters: Unverified work cannot be accepted — proof is required.");

package/dist/commands/connect.js

@@ -293,6 +293,9 @@ async function runConnect(options = {}) {
         diagnostics.bootstrapStatus = "skipped";
         diagnostics.rotateStatus = "skipped";
     }
+    if (connectionUpgraded) {
+        await verifyCredentials(projectId, effectiveApiKey, apiBaseUrl);
+    }
     if (!executionSurfaceId) {
         (0, config_1.updateConfig)({
             projectId,
@@ -358,7 +361,7 @@ async function runConnect(options = {}) {
             "",
             "Next:",
             "  agentbridge doctor",
-            "  agentbridge start",
+            "  agentbridge watch",
             "",
         ].join("\n"));
     }
@@ -366,6 +369,6 @@ async function runConnect(options = {}) {
         process.stdout.write("✓ Connected.\n");
         process.stdout.write("Run `agentbridge use <agent-id>` and then:\n");
         process.stdout.write("  agentbridge doctor\n");
-        process.stdout.write("  agentbridge start\n");
+        process.stdout.write("  agentbridge watch\n");
     }
 }

package/dist/commands/doctor.js

@@ -10,9 +10,16 @@ const http_1 = require("../http");
 const dist_freshness_1 = require("./dist-freshness");
 const session_state_1 = require("../session-state");
 const server_sync_1 = require("../server-sync");
+const recovery_reconcile_1 = require("../recovery-reconcile");
+const rules_sync_1 = require("../rules-sync");
 function cliRootFromCommandDir() {
     return (0, node_path_1.resolve)(__dirname, "..", "..");
 }
+function isRecoveryBaselinePendingHello(hello) {
+    return (hello.setup_required === true ||
+        hello.agentbridge_status === "recovery_baseline_pending" ||
+        hello.instruction?.recovery_status === "baseline_required");
+}
 function normalizeReasonCandidate(value) {
     if (!value)
         return undefined;
@@ -86,11 +93,70 @@ function extractHttpReason(error) {
     }
     return `http_${error.status}`;
 }
-function recoveryRequiredByPacket(packet) {
-    if (!packet || packet.project_mode !== "recovery")
-        return false;
-    const status = packet.recovery_status ?? null;
-    return status === "baseline_required" || status === "pending" || status === null;
+function detectGovernanceSignals(workspaceRoot, expectedProjectId) {
+    const analysis = (0, rules_sync_1.analyzeRulesArtifacts)(workspaceRoot, expectedProjectId);
+    const mcpConfigPath = (0, node_path_1.resolve)(workspaceRoot, ".cursor", "mcp.json");
+    let mcpConfigured = false;
+    if ((0, node_fs_1.existsSync)(mcpConfigPath)) {
+        try {
+            const parsed = JSON.parse((0, node_fs_1.readFileSync)(mcpConfigPath, "utf8"));
+            mcpConfigured = Boolean(parsed?.mcpServers &&
+                (parsed.mcpServers["agentbridge"] || parsed.mcpServers["agentbridge-mcp"]));
+        }
+        catch {
+            mcpConfigured = false;
+        }
+    }
+    return {
+        rulesFilesPresent: analysis.filesPresent,
+        rulesFormat: analysis.format,
+        rulesProjectIdInRepo: analysis.projectIdInRepo,
+        rulesProjectIdMatches: analysis.projectIdMatchesConfig,
+        rulesInstalled: analysis.protocolRulesValid,
+        rulesIssues: analysis.issues,
+        mcpConfigured,
+        governanceStatus: analysis.protocolRulesValid && mcpConfigured ? "active" : "inactive",
+    };
+}
+function isRouteMissingBody(body) {
+    return body.toLowerCase().includes("route not found");
+}
+function mapProjectAccessFailure(error) {
+    if (error instanceof http_1.CliHttpError) {
+        const reason = extractHttpReason(error);
+        if (reason === "not_project_member") {
+            return {
+                status: "failed",
+                reason,
+                suggestedNextAction: "use an API key/agent that is a member of this project, or add this agent to the project.",
+            };
+        }
+        if (reason === "unauthorized") {
+            return {
+                status: "failed",
+                reason,
+                suggestedNextAction: "verify AGENTBRIDGE_API_KEY is valid for this environment and has project read access.",
+            };
+        }
+        if (reason === "project_not_found") {
+            return {
+                status: "failed",
+                reason,
+                suggestedNextAction: "verify AGENTBRIDGE_PROJECT_ID points to an existing project in this API environment.",
+            };
+        }
+        return {
+            status: "failed",
+            reason,
+            suggestedNextAction: "confirm project ID, API key, and base URL are correct and that this key has project read access.",
+        };
+    }
+    const messageReason = error instanceof Error ? normalizeReasonCandidate(error.message) : undefined;
+    return {
+        status: "failed",
+        reason: messageReason ?? "network_error",
+        suggestedNextAction: "check network reachability to the API base URL and retry doctor.",
+    };
 }
 async function checkProjectAccess(ctx) {
     if (!ctx.configComplete) {
@@ -102,46 +168,33 @@ async function checkProjectAccess(ctx) {
     const projectId = ctx.projectId;
     const apiKey = ctx.apiKey;
     const apiBaseUrl = ctx.apiBaseUrl;
+    const syncCtx = { projectId, apiKey, apiBaseUrl, apiKeySource: "config" };
+    const summaryPath = `/v1/dev/projects/${encodeURIComponent(projectId)}/summary`;
+    const packetPath = `/v1/dev/projects/${encodeURIComponent(projectId)}/packet`;
     try {
-        const packet = await (0, http_1.getJson)({ projectId, apiKey, apiBaseUrl, apiKeySource: "config" }, `/v1/dev/projects/${encodeURIComponent(projectId)}/packet`);
+        await (0, http_1.getJson)(syncCtx, summaryPath);
+        let packet;
+        try {
+            packet = await (0, http_1.getJson)(syncCtx, packetPath);
+        }
+        catch {
+            // Summary proves access; packet is optional (recovery metadata only).
+        }
         return { status: "ok", packet };
     }
     catch (error) {
-        if (error instanceof http_1.CliHttpError) {
-            const reason = extractHttpReason(error);
-            if (reason === "not_project_member") {
-                return {
-                    status: "failed",
-                    reason,
-                    suggestedNextAction: "use an API key/agent that is a member of this project, or add this agent to the project.",
-                };
-            }
-            if (reason === "unauthorized") {
-                return {
-                    status: "failed",
-                    reason,
-                    suggestedNextAction: "verify AGENTBRIDGE_API_KEY is valid for this environment and has project read access.",
-                };
+        if (error instanceof http_1.CliHttpError &&
+            error.status === 404 &&
+            isRouteMissingBody(error.body ?? "")) {
+            try {
+                const packet = await (0, http_1.getJson)(syncCtx, packetPath);
+                return { status: "ok", packet };
             }
-            if (reason === "project_not_found") {
-                return {
-                    status: "failed",
-                    reason,
-                    suggestedNextAction: "verify AGENTBRIDGE_PROJECT_ID points to an existing project in this API environment.",
-                };
+            catch (packetError) {
+                return mapProjectAccessFailure(packetError);
             }
-            return {
-                status: "failed",
-                reason,
-                suggestedNextAction: "confirm project ID, API key, and base URL are correct and that this key has project read access.",
-            };
         }
-        const messageReason = error instanceof Error ? normalizeReasonCandidate(error.message) : undefined;
-        return {
-            status: "failed",
-            reason: messageReason ?? "network_error",
-            suggestedNextAction: "check network reachability to the API base URL and retry doctor.",
-        };
+        return mapProjectAccessFailure(error);
     }
 }
 async function checkIdentityAccess(ctx) {
@@ -156,7 +209,8 @@ async function checkIdentityAccess(ctx) {
     }
     const helloUrl = `${ctx.apiBaseUrl}/v1/dev/projects/${ctx.projectId}/hello`;
     let identityModel = "unknown";
-    let executionSurfaceId = null;
+    let helloExecutionSurfaceId = null;
+    let baselinePending = false;
     try {
         const helloRes = await fetch(helloUrl, {
             method: "POST",
@@ -168,18 +222,22 @@ async function checkIdentityAccess(ctx) {
         });
         if (helloRes.ok) {
             const hello = (await helloRes.json());
+            baselinePending = isRecoveryBaselinePendingHello(hello);
             if (hello.identity_model === "work_identity") {
                 identityModel = "work_identity";
             }
             else if (hello.identity_model === "legacy") {
                 identityModel = "legacy";
             }
-            executionSurfaceId = hello.execution_surface?.id?.trim() || null;
+            helloExecutionSurfaceId = hello.execution_surface?.id?.trim() || null;
         }
     }
     catch {
         // Keep default unknown/null and continue with identity resolution checks.
     }
+    const configSurfaceId = ctx.configExecutionSurfaceId?.trim() || null;
+    const executionSurfaceId = helloExecutionSurfaceId || configSurfaceId;
+    const executionSurfaceSource = helloExecutionSurfaceId ? "hello" : configSurfaceId ? "config" : undefined;
     try {
         const syncCtx = {
             projectId: ctx.projectId,
@@ -192,18 +250,28 @@ async function checkIdentityAccess(ctx) {
             (0, server_sync_1.listWorkIdentities)(syncCtx),
         ]);
         const callerId = callerPacket?.work_identity?.id ?? null;
-        const startCapable = Boolean(executionSurfaceId);
-        if (callerId) {
-            return { status: "ok", identityModel, executionSurfaceId, startCapable };
+        const callerResolvable = Boolean(callerId) || identities.length === 1;
+        if (identityModel === "unknown" &&
+            callerResolvable &&
+            (baselinePending || Boolean(configSurfaceId))) {
+            identityModel = "work_identity";
         }
-        if (identities.length === 1) {
-            return { status: "ok", identityModel, executionSurfaceId, startCapable };
+        const startCapable = Boolean(executionSurfaceId);
+        if (callerResolvable) {
+            return {
+                status: "ok",
+                identityModel,
+                executionSurfaceId,
+                executionSurfaceSource,
+                startCapable,
+            };
         }
         return {
             status: "failed",
             reason: "caller_identity_unresolved",
             identityModel,
             executionSurfaceId,
+            executionSurfaceSource,
             startCapable,
         };
     }
@@ -213,12 +281,14 @@ async function checkIdentityAccess(ctx) {
             reason: "caller_identity_unresolved",
             identityModel,
             executionSurfaceId,
+            executionSurfaceSource,
             startCapable: Boolean(executionSurfaceId),
         };
     }
 }
 async function runDoctor(cliRootOverride) {
     const cliRoot = cliRootOverride ?? cliRootFromCommandDir();
+    const workspaceRoot = process.cwd();
     const cfg = (0, config_1.readConfig)();
     const freshness = (0, dist_freshness_1.getDistFreshnessReport)(cliRoot);
     const configPath = cliRootOverride
@@ -238,6 +308,7 @@ async function runDoctor(cliRootOverride) {
     const projectConfigPresent = projectIdPresent && apiKeyPresent && baseUrlPresent;
     const activeSession = (0, session_state_1.readSessionState)();
     const hasActiveWork = Boolean(activeSession?.id || activeSession?.serverSessionId);
+    const governance = detectGovernanceSignals(workspaceRoot, resolvedProjectId ?? undefined);
     const envContributed = Boolean(process.env.AGENTBRIDGE_PROJECT_ID) ||
         Boolean(process.env.AGENTBRIDGE_API_KEY) ||
         Boolean(process.env.AGENTBRIDGE_BASE_URL) ||
@@ -271,18 +342,35 @@ async function runDoctor(cliRootOverride) {
     if (projectAccess.reason) {
         lines.push(`Project access reason: ${projectAccess.reason}`);
     }
+    lines.push(`API key accepted by server: ${projectAccess.status === "ok"
+        ? "yes"
+        : projectAccess.status === "skipped"
+            ? "skipped"
+            : "no"}`);
     const identityAccess = await checkIdentityAccess({
         projectId: resolvedProjectId,
         apiKey: resolvedApiKey,
         apiBaseUrl: resolvedBaseUrl,
-        configComplete: projectConfigPresent && projectAccess.status === "ok",
+        configComplete: projectConfigPresent,
+        configExecutionSurfaceId: cfg.executionSurfaceId,
     });
-    lines.push(`Caller identity access: ${identityAccess.status}`);
-    if (identityAccess.reason) {
-        lines.push(`Caller identity reason: ${identityAccess.reason}`);
+    lines.push(`Rules files present: ${governance.rulesFilesPresent ? "yes" : "no"}`);
+    lines.push(`Rules format: ${governance.rulesFormat}`);
+    if (governance.rulesProjectIdInRepo) {
+        lines.push(`Rules project ID: ${governance.rulesProjectIdInRepo}`);
+    }
+    if (governance.rulesProjectIdMatches !== null) {
+        lines.push(`Rules project ID match: ${governance.rulesProjectIdMatches ? "yes" : "no"}`);
+    }
+    lines.push(`Rules installed: ${governance.rulesInstalled ? "yes" : "no"}`);
+    lines.push(`MCP configured: ${governance.mcpConfigured ? "yes" : "no"}`);
+    lines.push(`Agent governance: ${governance.governanceStatus}`);
+    if (governance.rulesIssues.length > 0) {
+        for (const issue of governance.rulesIssues) {
+            lines.push(`Rules issue: ${issue}`);
+        }
+        lines.push("Rules fix: run `agentbridge install-rules`");
     }
-    lines.push(`Caller identity model: ${identityAccess.identityModel}`);
-    lines.push(`Execution surface present: ${identityAccess.executionSurfaceId ? "yes" : "no"}`);
     lines.push(`Start capable: ${identityAccess.startCapable ? "yes" : "no"}`);
     if (projectAccess.status === "failed" && projectAccess.reason) {
         const view = (0, error_catalog_1.catalogViewForDoctorReason)(projectAccess.reason, projectAccess.suggestedNextAction);
@@ -309,55 +397,132 @@ async function runDoctor(cliRootOverride) {
             productStatus = "active_work_found";
         }
         else {
-            productStatus = recoveryRequiredByPacket(projectAccess.packet)
-                ? "needs_recover"
-                : "ready";
+            if ((0, recovery_reconcile_1.recoveryBaselineRequired)(projectAccess.packet)) {
+                productStatus = "needs_recover";
+            }
+            else if ((0, recovery_reconcile_1.recoveryIsBasicPacket)(projectAccess.packet)) {
+                productStatus = "ready_basic_recovery";
+            }
+            else {
+                productStatus = "ready";
+            }
         }
     }
+    const localSupervisionReady = true;
+    const cloudSyncReady = projectAccess.status === "ok";
+    const strictTrackedReady = projectAccess.status === "ok" && identityAccess.status === "ok" && identityAccess.startCapable;
+    lines.push("");
+    lines.push("Capability levels:");
+    lines.push(`- Local supervision: ${localSupervisionReady ? "ready" : "unavailable"}`);
+    lines.push(`- Cloud sync: ${cloudSyncReady ? "ready" : "unavailable"}`);
+    lines.push(`- Strict tracked work: ${strictTrackedReady ? "ready" : "unavailable"}`);
+    if (!cloudSyncReady && projectAccess.reason) {
+        lines.push(`  Cloud sync note: ${projectAccess.reason}`);
+    }
+    if (!strictTrackedReady && identityAccess.reason) {
+        lines.push(`  Strict tracked note: ${identityAccess.reason}`);
+    }
     lines.push("");
     lines.push("Product status:");
     if (productStatus === "ready") {
         lines.push("- Connection: ready");
+        lines.push("- Governance: " + governance.governanceStatus);
         lines.push("- Recovery: ready");
-        lines.push("- Next: agentbridge start");
+        lines.push(`- Rules: ${governance.rulesInstalled ? "installed" : "missing"}`);
+        lines.push(`- MCP: ${governance.mcpConfigured ? "configured" : "missing"}`);
+        lines.push("- Next: run `agentbridge watch` beside Cursor for live supervision");
+    }
+    else if (productStatus === "ready_basic_recovery") {
+        lines.push("- Connection: ready");
+        lines.push("- Governance: " + governance.governanceStatus);
+        lines.push("- Recovery: basic");
+        lines.push(`- Rules: ${governance.rulesInstalled ? "installed" : "missing"}`);
+        lines.push(`- MCP: ${governance.mcpConfigured ? "configured" : "missing"}`);
+        lines.push("- Note: Project context exists, but domains are not fully mapped yet.");
+        lines.push("- Next: run `agentbridge recover --force` for a full domain rebuild, or `agentbridge watch` for live supervision");
     }
     else if (productStatus === "active_work_found") {
+        const recoveryBasic = (0, recovery_reconcile_1.recoveryIsBasicPacket)(projectAccess.packet);
         lines.push("- Connection: ready");
-        lines.push("- Recovery: ready");
+        lines.push("- Governance: " + governance.governanceStatus);
+        lines.push("- Recovery: " + (recoveryBasic ? "basic" : "ready"));
+        lines.push(`- Rules: ${governance.rulesInstalled ? "installed" : "missing"}`);
+        lines.push(`- MCP: ${governance.mcpConfigured ? "configured" : "missing"}`);
+        if (recoveryBasic) {
+            lines.push("- Note: Project context exists, but domains are not fully mapped yet.");
+        }
         lines.push("- Active work: found");
-        lines.push("- Next: agentbridge start");
+        lines.push("- Next: run `agentbridge watch` beside Cursor for live supervision");
     }
     else if (productStatus === "needs_recover") {
         lines.push("- Connection: ready");
+        lines.push("- Governance: " + governance.governanceStatus);
         lines.push("- Recovery: required");
+        lines.push(`- Rules: ${governance.rulesInstalled ? "installed" : "missing"}`);
+        lines.push(`- MCP: ${governance.mcpConfigured ? "configured" : "missing"}`);
         lines.push("- Next: agentbridge recover");
     }
     else {
         lines.push("- Connection: incomplete");
+        lines.push("- Governance: " + governance.governanceStatus);
         lines.push("- Recovery: pending");
+        lines.push(`- Rules: ${governance.rulesInstalled ? "installed" : "missing"}`);
+        lines.push(`- MCP: ${governance.mcpConfigured ? "configured" : "missing"}`);
         if (!projectConfigPresent) {
             lines.push("- Note: Connection details are missing. Add credentials, then rerun agentbridge doctor.");
         }
+        else if (projectAccess.status === "failed" &&
+            (projectAccess.reason === "unauthorized" ||
+                projectAccess.reason === "forbidden" ||
+                projectAccess.reason === "not_project_member")) {
+            lines.push("- Reason: API key rejected by server.");
+            lines.push("- Next: run `agentbridge room exit`, get a fresh key from the dashboard, then `agentbridge connect`.");
+            if (identityAccess.executionSurfaceId) {
+                lines.push("- Note: Config still has a saved execution surface, but the server rejected the stored API key.");
+            }
+        }
         else if (!identityAccess.startCapable) {
             lines.push("- Reason: execution surface missing.");
             lines.push("- Next: agentbridge connect");
         }
-        else if (identityAccess.status !== "ok") {
-            lines.push("- Note: Caller identity is unresolved. Run agentbridge identity list and set a valid active agent.");
-        }
         else {
             lines.push("- Note: Connection check failed. Verify credentials/network, then rerun agentbridge doctor.");
         }
-        if (identityAccess.startCapable) {
+        if (identityAccess.startCapable &&
+            projectAccess.status === "failed" &&
+            projectAccess.reason !== "unauthorized" &&
+            projectAccess.reason !== "forbidden" &&
+            projectAccess.reason !== "not_project_member") {
             lines.push("- Next: agentbridge doctor");
         }
     }
+    lines.push("");
+    lines.push("Advanced details:");
+    lines.push(`- Caller identity access: ${identityAccess.status}`);
+    if (identityAccess.reason) {
+        lines.push(`- Caller identity reason: ${identityAccess.reason}`);
+    }
+    lines.push(`- Caller identity model: ${identityAccess.identityModel}`);
+    lines.push(`- Execution surface present: ${identityAccess.executionSurfaceId ? "yes" : "no"}`);
+    if (identityAccess.executionSurfaceSource) {
+        lines.push(`- Execution surface source: ${identityAccess.executionSurfaceSource}`);
+    }
+    lines.push(`- Start capable (strict/session modes): ${identityAccess.startCapable ? "yes" : "no"}`);
+    if (identityAccess.status !== "ok") {
+        lines.push("- Note: internal identity mismatch affects strict/resume flows, not room-level inferred watch startup.");
+    }
+    if (governance.governanceStatus === "inactive") {
+        lines.push("");
+        lines.push("Governance note: AgentBridge can review in terminal, but your AI agent may not stop automatically until rules and MCP are both configured.");
+    }
+    else {
+        lines.push("");
+        lines.push("Governance note: AgentBridge rules are installed and MCP is configured. The AI agent should stop when AgentBridge flags blocked work.");
+    }
     process.stdout.write(`${lines.join("\n")}\n`);
     if (freshness.state === "stale")
         return 1;
     if (projectAccess.status === "failed")
         return 1;
-    if (identityAccess.status === "failed")
-        return 1;
     return 0;
 }

package/dist/commands/install-rules.js

@@ -0,0 +1,64 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runInstallRules = runInstallRules;
+const node_path_1 = require("node:path");
+const node_process_1 = require("node:process");
+const config_1 = require("../config");
+const errors_1 = require("../errors");
+const http_1 = require("../http");
+const rules_sync_1 = require("../rules-sync");
+function resolveNetworkContext(overrides) {
+    const cfg = (0, config_1.readConfig)();
+    const projectId = overrides.projectId ?? process.env.AGENTBRIDGE_PROJECT_ID ?? cfg.projectId ?? "";
+    const apiKey = overrides.apiKey ?? process.env.AGENTBRIDGE_API_KEY ?? cfg.apiKey ?? "";
+    const apiBaseUrl = overrides.apiBaseUrl ??
+        process.env.AGENTBRIDGE_BASE_URL ??
+        cfg.apiBaseUrl ??
+        "https://agentauth-api-production.up.railway.app";
+    if (!projectId || !apiKey) {
+        throw (0, errors_1.catalogCliError)("CONFIG_INCOMPLETE");
+    }
+    return { projectId, apiKey, apiBaseUrl };
+}
+async function runInstallRules(opts = {}) {
+    const ctx = resolveNetworkContext(opts);
+    const workspaceRoot = (0, node_process_1.cwd)();
+    let rules;
+    try {
+        rules = await (0, rules_sync_1.fetchProjectRules)(ctx);
+    }
+    catch (error) {
+        if ((0, http_1.isCliHttpError)(error)) {
+            throw new errors_1.SafeCliError(`Could not fetch AgentBridge rules for project ${ctx.projectId} (${error.status}).`);
+        }
+        throw error;
+    }
+    if (!Array.isArray(rules.files) || rules.files.length === 0) {
+        throw new errors_1.SafeCliError("AgentBridge rules response did not include any files to install.");
+    }
+    (0, rules_sync_1.writeRulesFiles)(workspaceRoot, rules.files);
+    let installedAt = null;
+    try {
+        const marked = await (0, rules_sync_1.markProjectRulesInstalled)(ctx);
+        installedAt = marked.rules_installed_at ?? null;
+    }
+    catch (error) {
+        if ((0, http_1.isCliHttpError)(error)) {
+            throw new errors_1.SafeCliError(`Wrote rules files locally, but could not mark them installed on the server (${error.status}).`);
+        }
+        throw error;
+    }
+    const projectName = (0, rules_sync_1.extractProjectNameFromRulesResponse)(rules.files);
+    const lines = [
+        "Installed AgentBridge protocol rules:",
+        `  Project: ${projectName ?? "(unknown name)"} (${ctx.projectId})`,
+        `  Wrote: ${(0, node_path_1.resolve)(workspaceRoot, "AGENTBRIDGE.md")}`,
+        `  Wrote: ${(0, node_path_1.resolve)(workspaceRoot, ".cursor", "rules", "agentbridge.mdc")}`,
+    ];
+    if (installedAt) {
+        lines.push(`  Server marked installed at: ${installedAt}`);
+    }
+    lines.push("");
+    lines.push("Next: run `agentbridge doctor` to verify rules and MCP configuration.");
+    process.stdout.write(`${lines.join("\n")}\n`);
+}

package/dist/commands/proof-guidance.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runProofGuidance = runProofGuidance;
+const config_1 = require("../config");
+const errors_1 = require("../errors");
+const server_sync_1 = require("../server-sync");
+function resolveNetworkContext() {
+    const cfg = (0, config_1.readConfig)();
+    const projectId = process.env.AGENTBRIDGE_PROJECT_ID ?? cfg.projectId;
+    const apiKey = process.env.AGENTBRIDGE_API_KEY ?? cfg.apiKey ?? "";
+    const apiBaseUrl = process.env.AGENTBRIDGE_BASE_URL ?? cfg.apiBaseUrl ?? "https://agentauth-api-production.up.railway.app";
+    if (!projectId) {
+        throw new errors_1.SafeCliError("Missing AGENTBRIDGE_PROJECT_ID. Set AGENTBRIDGE_PROJECT_ID (or run `agentbridge init --project ...`).");
+    }
+    if (!apiKey) {
+        throw new errors_1.SafeCliError("Missing AGENTBRIDGE_API_KEY. Provide --api-key, set AGENTBRIDGE_API_KEY, or save apiKey in .agentbridge/config.json.");
+    }
+    return { projectId, apiKey, apiBaseUrl };
+}
+async function runProofGuidance(options = {}) {
+    const ctx = resolveNetworkContext();
+    const guidance = await (0, server_sync_1.fetchAgentProofGuidance)(ctx, {
+        workSessionId: options.workSessionId,
+        changeRequestId: options.changeRequestId,
+        rolloutProofTooWeak: options.rolloutProofTooWeak,
+        rolloutProofNotRelevant: options.rolloutProofNotRelevant,
+        rolloutImpactCoverageGap: options.rolloutImpactCoverageGap,
+    });
+    process.stdout.write(`${JSON.stringify(guidance, null, 2)}\n`);
+}