@agenzo/admin-cli 0.1.1

package/dist/index.js

@@ -0,0 +1,1862 @@
+#!/usr/bin/env node
+import {
+  notify,
+  render,
+  resolveFormat
+} from "./chunk-UIGWXIDT.js";
+import {
+  Formatter,
+  createSpinner
+} from "./chunk-AZALPHQR.js";
+
+// src/index.ts
+import { Command } from "commander";
+
+// src/utils/errors.ts
+var CliError = class extends Error {
+};
+var ApiBusinessError = class extends CliError {
+  constructor(errorCode, errorMessage, statusCode) {
+    super(`[${errorCode}] ${errorMessage}`);
+    this.errorCode = errorCode;
+    this.errorMessage = errorMessage;
+    this.statusCode = statusCode;
+  }
+  errorCode;
+  errorMessage;
+  statusCode;
+  code = "API_BUSINESS_ERROR";
+};
+var NetworkError = class extends CliError {
+  constructor(url, timeout, cause) {
+    const detail = cause?.message;
+    let msg;
+    if (timeout) {
+      msg = `Request timed out (${timeout}ms): ${url}`;
+    } else if (detail) {
+      msg = `Connection failed: ${url} (${detail})`;
+    } else {
+      msg = `Connection failed: ${url}`;
+    }
+    super(msg);
+    this.url = url;
+    this.timeout = timeout;
+    this.cause = cause;
+  }
+  url;
+  timeout;
+  cause;
+  code = "NETWORK_ERROR";
+};
+var AuthError = class extends CliError {
+  constructor(message, suggestion) {
+    super(message);
+    this.suggestion = suggestion;
+  }
+  suggestion;
+  code = "AUTH_ERROR";
+};
+var ConfigError = class extends CliError {
+  constructor(message, filePath) {
+    super(message);
+    this.filePath = filePath;
+  }
+  filePath;
+  code = "CONFIG_ERROR";
+};
+var ValidationError = class extends CliError {
+  code = "VALIDATION_ERROR";
+  constructor(message) {
+    super(message);
+  }
+};
+var IdempotencyKeyRequiredError = class extends CliError {
+  code = "IDEMPOTENCY_KEY_REQUIRED_ERROR";
+  constructor(commandPath) {
+    super(
+      `\`${commandPath}\` requires --idempotency-key <key>. Supply a unique key so the write can be safely retried.`
+    );
+  }
+};
+var UpgradeRequiredError = class extends CliError {
+  constructor(currentVersion, minVersion, upgradeCommand) {
+    super(
+      `agenzo-admin-cli ${currentVersion} is out of date \u2014 the server requires ${minVersion} or newer. To upgrade, run: ${upgradeCommand}`
+    );
+    this.currentVersion = currentVersion;
+    this.minVersion = minVersion;
+    this.upgradeCommand = upgradeCommand;
+  }
+  currentVersion;
+  minVersion;
+  upgradeCommand;
+  code = "UPGRADE_REQUIRED";
+};
+var UserCancelError = class extends CliError {
+  code = "USER_CANCEL_ERROR";
+  constructor(message = "Operation cancelled by user") {
+    super(message);
+    this.name = "UserCancelError";
+  }
+};
+function authErrorCode(error) {
+  const haystack = `${error.message} ${error.suggestion}`.toLowerCase();
+  if (haystack.includes("timed out") || haystack.includes("timeout")) {
+    return "AUTH_TIMEOUT";
+  }
+  if (haystack.includes("expired") || haystack.includes("session") || haystack.includes("refresh")) {
+    return "AUTH_SESSION_EXPIRED";
+  }
+  return "AUTH_NOT_SIGNED_IN";
+}
+function errorCodeFor(error) {
+  if (error instanceof UpgradeRequiredError) {
+    return "UPGRADE_REQUIRED";
+  }
+  if (error instanceof UserCancelError) {
+    return "USER_CANCELLED";
+  }
+  if (error instanceof AuthError) {
+    return authErrorCode(error);
+  }
+  if (error instanceof ValidationError) {
+    return "PARAM_INVALID";
+  }
+  if (error instanceof IdempotencyKeyRequiredError) {
+    return "PARAM_IDEMPOTENCY_KEY_REQUIRED";
+  }
+  if (error instanceof ConfigError) {
+    return "INTERNAL_ERROR";
+  }
+  if (error instanceof NetworkError) {
+    return "UPSTREAM_UNAVAILABLE";
+  }
+  if (error instanceof ApiBusinessError) {
+    const status = error.statusCode;
+    if (status === 401) {
+      return "AUTH_FAILED";
+    }
+    if (status === 403) {
+      return "KEY_SCOPE_DENIED";
+    }
+    if (status === 404) {
+      return "ORG_NOT_FOUND";
+    }
+    if (status === 409) {
+      return "ORG_CONFLICT";
+    }
+    if (status === 429) {
+      return "RATE_LIMITED";
+    }
+    if (status >= 500) {
+      return "UPSTREAM_UNAVAILABLE";
+    }
+    return "PARAM_INVALID";
+  }
+  return "INTERNAL_ERROR";
+}
+function toErrorEnvelope(error) {
+  const code = errorCodeFor(error);
+  let message;
+  if (error instanceof Error && error.message) {
+    message = error.message;
+  } else if (typeof error === "string" && error.length > 0) {
+    message = error;
+  } else {
+    message = "Unexpected error";
+  }
+  const http = error instanceof ApiBusinessError ? error.statusCode : void 0;
+  if (http === void 0) {
+    return { error: { code, message } };
+  }
+  return { error: { code, message, http } };
+}
+
+// src/utils/version.ts
+import { readFileSync } from "fs";
+import { dirname, join } from "path";
+import { fileURLToPath } from "url";
+var UPGRADE_COMMAND = "npm install -g agenzo-admin-cli@latest";
+var FALLBACK_VERSION = "0.1.1";
+var cachedVersion = null;
+function getCurrentVersion() {
+  if (cachedVersion !== null) return cachedVersion;
+  const here = dirname(fileURLToPath(import.meta.url));
+  const candidates = [
+    join(here, "..", "package.json"),
+    // dist/ → project root
+    join(here, "..", "..", "package.json")
+    // src/utils/ → project root
+  ];
+  for (const p of candidates) {
+    try {
+      const pkg = JSON.parse(readFileSync(p, "utf-8"));
+      if (typeof pkg.version === "string") {
+        cachedVersion = pkg.version;
+        return cachedVersion;
+      }
+    } catch {
+    }
+  }
+  cachedVersion = FALLBACK_VERSION;
+  console.warn(
+    `[agenzo-admin-cli] package.json not found; using fallback version ${FALLBACK_VERSION}`
+  );
+  return cachedVersion;
+}
+function compareVersions(a, b) {
+  const parse = (v) => {
+    const clean = v.trim().replace(/^v/, "").split(/[-+]/)[0];
+    const parts = clean.split(".");
+    return [
+      parseInt(parts[0] ?? "0", 10) || 0,
+      parseInt(parts[1] ?? "0", 10) || 0,
+      parseInt(parts[2] ?? "0", 10) || 0
+    ];
+  };
+  const [a1, a2, a3] = parse(a);
+  const [b1, b2, b3] = parse(b);
+  if (a1 !== b1) return a1 - b1;
+  if (a2 !== b2) return a2 - b2;
+  return a3 - b3;
+}
+function isBelow(current, minimum) {
+  return compareVersions(current, minimum) < 0;
+}
+
+// src/api/client.ts
+var ApiClient = class {
+  baseUrl;
+  timeout;
+  constructor(config) {
+    this.baseUrl = config.baseUrl.replace(/\/+$/, "");
+    this.timeout = config.timeout ?? 6e4;
+  }
+  buildHeaders(auth) {
+    const headers = {
+      "User-Agent": `agenzo-admin-cli/${getCurrentVersion()}`
+    };
+    if (auth.type === "bearer") {
+      headers["Authorization"] = `Bearer ${auth.token}`;
+    } else if (auth.type === "api-key") {
+      headers["X-Api-Key"] = auth.key;
+    }
+    return headers;
+  }
+  async get(path, auth, params) {
+    let url = `${this.baseUrl}${path}`;
+    if (params && Object.keys(params).length > 0) {
+      const searchParams = new URLSearchParams(params);
+      url += `?${searchParams.toString()}`;
+    }
+    return this.request(url, {
+      method: "GET",
+      headers: this.buildHeaders(auth)
+    });
+  }
+  async post(path, auth, body, extraHeaders) {
+    const url = `${this.baseUrl}${path}`;
+    const headers = this.buildHeaders(auth);
+    headers["Content-Type"] = "application/json";
+    if (extraHeaders) {
+      Object.assign(headers, extraHeaders);
+    }
+    return this.request(url, {
+      method: "POST",
+      headers,
+      body: body ? JSON.stringify(body) : void 0
+    });
+  }
+  async request(url, init) {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+    try {
+      const response = await fetch(url, {
+        ...init,
+        signal: controller.signal
+      });
+      this.enforceMinVersion(response.headers.get("x-cli-min-version"));
+      const contentType = response.headers.get("content-type") ?? "";
+      let responseBody;
+      if (contentType.includes("application/json")) {
+        responseBody = await response.json();
+      } else {
+        const text = await response.text();
+        if (!response.ok) {
+          const statusMsg = this.friendlyStatusMessage(response.status);
+          return {
+            success: false,
+            errorCode: 0,
+            errorMessage: statusMsg,
+            statusCode: response.status
+          };
+        }
+        try {
+          responseBody = JSON.parse(text);
+        } catch {
+          return {
+            success: false,
+            errorCode: 0,
+            errorMessage: `Unexpected response from server (${response.status})`,
+            statusCode: response.status
+          };
+        }
+      }
+      const code = responseBody.code;
+      const message = responseBody.message;
+      const data = responseBody.data;
+      if (response.ok && (!code || code === "0000")) {
+        const payload = data ?? responseBody;
+        return { success: true, data: payload, message };
+      }
+      const errorCode = code ? parseInt(code, 10) : 0;
+      let errorMsg = message ?? response.statusText;
+      if (!errorMsg || errorMsg === response.statusText) {
+        const detail = responseBody.detail;
+        if (Array.isArray(detail)) {
+          errorMsg = detail.map((d) => {
+            const loc = d.loc?.slice(1).join(".") ?? "";
+            return loc ? `${loc}: ${d.msg}` : String(d.msg);
+          }).join("; ");
+        } else if (typeof detail === "string") {
+          errorMsg = detail;
+        }
+      }
+      return {
+        success: false,
+        errorCode: isNaN(errorCode) ? 0 : errorCode,
+        errorMessage: errorMsg,
+        statusCode: response.status
+      };
+    } catch (error) {
+      if (error instanceof UpgradeRequiredError) {
+        throw error;
+      }
+      if (error instanceof DOMException && error.name === "AbortError") {
+        throw new NetworkError(url, this.timeout);
+      }
+      throw new NetworkError(url, void 0, error instanceof Error ? error : void 0);
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  }
+  /**
+   * Validate that the running CLI meets the server-advertised minimum.
+   * Missing or empty header → skip (backward compat with servers that don't
+   * advertise yet, and clients hitting legacy proxies).
+   */
+  enforceMinVersion(headerValue) {
+    const minVersion = headerValue?.trim();
+    if (!minVersion) return;
+    const current = getCurrentVersion();
+    if (isBelow(current, minVersion)) {
+      throw new UpgradeRequiredError(current, minVersion, UPGRADE_COMMAND);
+    }
+  }
+  friendlyStatusMessage(status) {
+    const messages = {
+      400: "Invalid request. Please check your input.",
+      401: "Authentication failed. Please check your API key or login again.",
+      403: "Access denied. You do not have permission for this operation.",
+      404: "Resource not found. Please check the ID.",
+      409: "Conflict. This resource may already exist.",
+      422: "Invalid input. Please check the request parameters.",
+      429: "Too many requests. Please wait and try again.",
+      500: "Something went wrong on the server. Please try again later.",
+      502: "Service is temporarily unavailable. Please try again in a moment.",
+      503: "Service is temporarily unavailable. Please try again in a moment.",
+      504: "The request took too long. Please try again."
+    };
+    return messages[status] ?? `Something went wrong (${status}). Please try again later.`;
+  }
+};
+
+// src/config/config-manager.ts
+import { readFile, writeFile, mkdir } from "fs/promises";
+import { join as join2 } from "path";
+import { homedir } from "os";
+var DEFAULT_CONFIG = {
+  active_org: null,
+  active_developer_id: null,
+  api_host: "https://agent.everonet.com",
+  api_path: "/api/v3/agent-pay"
+};
+var ConfigManager = class {
+  basePath;
+  configPath;
+  constructor(basePath) {
+    this.basePath = basePath ?? join2(homedir(), ".agenzo-admin-cli");
+    this.configPath = join2(this.basePath, "config.json");
+  }
+  async ensureDirectories() {
+    await mkdir(this.basePath, { recursive: true });
+    await mkdir(join2(this.basePath, "credentials"), { recursive: true });
+  }
+  async load() {
+    try {
+      const content = await readFile(this.configPath, "utf-8");
+      try {
+        const raw = JSON.parse(content);
+        if (raw.api_base_url && !raw.api_host) {
+          const url = String(raw.api_base_url);
+          const pathIndex = url.indexOf("/api/");
+          raw.api_host = pathIndex > 0 ? url.slice(0, pathIndex) : url;
+          raw.api_path = pathIndex > 0 ? url.slice(pathIndex) : DEFAULT_CONFIG.api_path;
+          delete raw.api_base_url;
+        }
+        return {
+          active_org: raw.active_org ?? null,
+          active_developer_id: raw.active_developer_id ?? null,
+          api_host: raw.api_host ?? DEFAULT_CONFIG.api_host,
+          api_path: raw.api_path ?? DEFAULT_CONFIG.api_path
+        };
+      } catch {
+        throw new ConfigError(
+          `Invalid config file: ${this.configPath}`,
+          this.configPath
+        );
+      }
+    } catch (error) {
+      if (error instanceof ConfigError) throw error;
+      if (error.code === "ENOENT") {
+        return { ...DEFAULT_CONFIG };
+      }
+      throw error;
+    }
+  }
+  async save(config) {
+    await this.ensureDirectories();
+    await writeFile(this.configPath, JSON.stringify(config, null, 2), "utf-8");
+  }
+  async getActiveOrg() {
+    const config = await this.load();
+    return config.active_org;
+  }
+  async setActiveOrg(orgId) {
+    const config = await this.load();
+    config.active_org = orgId;
+    await this.save(config);
+  }
+  async getApiBaseUrl() {
+    const config = await this.load();
+    const host = config.api_host.replace(/\/+$/, "");
+    const path = config.api_path.startsWith("/") ? config.api_path : `/${config.api_path}`;
+    return `${host}${path}`;
+  }
+  async setApiHost(host) {
+    const config = await this.load();
+    config.api_host = host;
+    await this.save(config);
+  }
+  async getApiHost() {
+    const config = await this.load();
+    return config.api_host;
+  }
+};
+
+// src/config/credential-store.ts
+import { readFile as readFile2, writeFile as writeFile2, readdir, unlink, access, mkdir as mkdir2 } from "fs/promises";
+import { join as join3 } from "path";
+import { homedir as homedir2 } from "os";
+var CredentialStore = class {
+  basePath;
+  constructor(basePath) {
+    this.basePath = basePath ?? join3(homedir2(), ".agenzo-admin-cli", "credentials");
+  }
+  filePath(orgId) {
+    return join3(this.basePath, `${orgId}.json`);
+  }
+  async ensureDir() {
+    await mkdir2(this.basePath, { recursive: true });
+  }
+  async get(orgId) {
+    try {
+      const content = await readFile2(this.filePath(orgId), "utf-8");
+      return JSON.parse(content);
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        return null;
+      }
+      throw error;
+    }
+  }
+  async save(credential) {
+    await this.ensureDir();
+    await writeFile2(
+      this.filePath(credential.org_id),
+      JSON.stringify(credential, null, 2),
+      "utf-8"
+    );
+  }
+  async delete(orgId) {
+    try {
+      await unlink(this.filePath(orgId));
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        return;
+      }
+      throw error;
+    }
+  }
+  async listAll() {
+    try {
+      const files = await readdir(this.basePath);
+      const jsonFiles = files.filter((f) => f.endsWith(".json"));
+      const credentials = [];
+      for (const file of jsonFiles) {
+        try {
+          const content = await readFile2(join3(this.basePath, file), "utf-8");
+          credentials.push(JSON.parse(content));
+        } catch {
+        }
+      }
+      return credentials;
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        return [];
+      }
+      throw error;
+    }
+  }
+  async exists(orgId) {
+    try {
+      await access(this.filePath(orgId));
+      return true;
+    } catch {
+      return false;
+    }
+  }
+};
+
+// src/config/key-store.ts
+import { readFile as readFile3, writeFile as writeFile3, mkdir as mkdir3 } from "fs/promises";
+import { dirname as dirname2, join as join4 } from "path";
+import { homedir as homedir3 } from "os";
+var KeyStore = class {
+  filePath;
+  constructor(filePath) {
+    this.filePath = filePath ?? join4(homedir3(), ".agenzo-admin-cli", "keys.json");
+  }
+  async loadData() {
+    try {
+      const content = await readFile3(this.filePath, "utf-8");
+      return JSON.parse(content);
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        return {};
+      }
+      throw error;
+    }
+  }
+  async saveData(data) {
+    await mkdir3(dirname2(this.filePath), { recursive: true });
+    await writeFile3(this.filePath, JSON.stringify(data, null, 2), "utf-8");
+  }
+  async add(orgId, key) {
+    const data = await this.loadData();
+    if (!data[orgId]) {
+      data[orgId] = [];
+    }
+    data[orgId].push(key);
+    await this.saveData(data);
+  }
+  async update(orgId, keyId, newKeyValue) {
+    const data = await this.loadData();
+    const keys = data[orgId];
+    if (!keys) return;
+    const key = keys.find((k) => k.key_id === keyId);
+    if (key) {
+      key.key_value = newKeyValue;
+      await this.saveData(data);
+    }
+  }
+  async list(orgId) {
+    const data = await this.loadData();
+    return data[orgId] ?? [];
+  }
+  async get(orgId, keyId) {
+    const data = await this.loadData();
+    const keys = data[orgId];
+    if (!keys) return null;
+    return keys.find((k) => k.key_id === keyId) ?? null;
+  }
+};
+
+// src/utils/prompt-engine.ts
+import { input, password, select } from "@inquirer/prompts";
+var PromptEngine = class _PromptEngine {
+  /** Return flagValue directly if provided, otherwise prompt interactively */
+  static async resolveInput(flagValue, config) {
+    if (flagValue !== void 0) {
+      return flagValue;
+    }
+    if (config.type === "password") {
+      return password({ message: config.message, mask: "*" });
+    }
+    if (config.type === "select" && config.choices) {
+      return select({
+        message: config.message,
+        choices: config.choices
+      });
+    }
+    return input({
+      message: config.message,
+      validate: config.validate
+    });
+  }
+  /** Always collect CVV interactively with masked display */
+  static async collectCvv() {
+    return password({
+      message: "CVV:",
+      mask: "*"
+    });
+  }
+  /** Collect payment method params based on type */
+  static async collectPaymentMethodParams(type, flags) {
+    const params = { type };
+    const email = await _PromptEngine.resolveInput(flags.cardEmail ?? flags.email, {
+      message: "Email (for 3DS verification):"
+    });
+    params.email = email;
+    if (type === "card") {
+      params.card_number = await _PromptEngine.resolveInput(flags.cardNumber, {
+        message: "Card number:"
+      });
+      params.expiry_date = await _PromptEngine.resolveInput(flags.expiry, {
+        message: "Expiry (MMYY):"
+      });
+      if (flags.cvv) {
+        params.cvv = flags.cvv;
+      } else {
+        params.cvv = await _PromptEngine.collectCvv();
+      }
+    }
+    return params;
+  }
+};
+
+// src/auth/auth-service.ts
+var POLL_INTERVAL_MS = 3e3;
+var POLL_TIMEOUT_MS = 10 * 60 * 1e3;
+var TOKEN_REFRESH_THRESHOLD_S = 300;
+var AuthService = class {
+  constructor(apiClient, credentialStore, configManager) {
+    this.apiClient = apiClient;
+    this.credentialStore = credentialStore;
+    this.configManager = configManager;
+  }
+  apiClient;
+  credentialStore;
+  configManager;
+  async login(email, options = {}) {
+    const { Formatter: Formatter2 } = await import("./formatter-3JVOJXN6.js");
+    let isNewRegistration = false;
+    const noAuth = { type: "none" };
+    const idempotencyHeaders = options.idempotencyKey ? { "Idempotency-Key": options.idempotencyKey } : void 0;
+    const loginResult = await this.apiClient.post(
+      "/auth/login",
+      noAuth,
+      { email },
+      idempotencyHeaders
+    );
+    let magicLinkToken;
+    if (!loginResult.success && loginResult.errorCode === 1007) {
+      isNewRegistration = true;
+      const orgName = await PromptEngine.resolveInput(void 0, {
+        message: "Organization name:"
+      });
+      const registerBody = {
+        email,
+        organization_name: orgName
+      };
+      let registerResult = await this.apiClient.post(
+        "/auth/register",
+        noAuth,
+        registerBody,
+        idempotencyHeaders
+      );
+      if (!registerResult.success && registerResult.errorCode === 1103) {
+        const invitationCode = await PromptEngine.resolveInput(void 0, {
+          message: "Invitation code:"
+        });
+        registerBody.invitation_code = invitationCode;
+        registerResult = await this.apiClient.post(
+          "/auth/register",
+          noAuth,
+          registerBody,
+          idempotencyHeaders
+        );
+      }
+      if (!registerResult.success) {
+        throw new AuthError(
+          `Registration failed: ${registerResult.errorMessage}`,
+          "Please check your input and try again"
+        );
+      }
+      magicLinkToken = registerResult.data.magic_link_token;
+    } else if (!loginResult.success) {
+      throw new AuthError(
+        `Login failed: ${loginResult.errorMessage}`,
+        "Please check your email and try again"
+      );
+    } else {
+      magicLinkToken = loginResult.data.magic_link_token;
+    }
+    if (!options.quiet) {
+      console.error(Formatter2.status("success", "Magic link sent. Please check your inbox."));
+    }
+    const credential = await this.pollMagicLinkStatus(
+      magicLinkToken,
+      email,
+      options.quiet
+    );
+    await this.credentialStore.save(credential);
+    await this.configManager.setActiveOrg(credential.org_id);
+    return { credential, isNewRegistration };
+  }
+  async pollMagicLinkStatus(magicLinkToken, email, quiet = false) {
+    const startTime = Date.now();
+    const noAuth = { type: "none" };
+    const spinner = quiet ? null : createSpinner("Waiting for email verification");
+    while (Date.now() - startTime < POLL_TIMEOUT_MS) {
+      const result = await this.apiClient.get(
+        "/auth/magic-links/status",
+        noAuth,
+        { token: magicLinkToken }
+      );
+      if (!result.success) {
+        spinner?.stop();
+        if (result.errorCode === 1101) {
+          throw new AuthError("Magic link expired", "Please run agenzo-admin-cli auth login again");
+        }
+        throw new AuthError(
+          `Polling failed: [${result.errorCode}] ${result.errorMessage}`,
+          "Please run agenzo-admin-cli auth login again"
+        );
+      }
+      const data = result.data;
+      if (data.status === "CONSUMED") {
+        spinner?.stop();
+        const raw = data;
+        const org = raw.organization;
+        const orgId = String(raw.organization_id ?? org?.id ?? "");
+        const orgName = String(org?.name ?? "");
+        let accessExpiresAt;
+        const rawExpires = raw.expires_at ?? data.access_token_expires_at;
+        if (typeof rawExpires === "string") {
+          accessExpiresAt = Math.floor(new Date(rawExpires).getTime() / 1e3);
+        } else {
+          accessExpiresAt = rawExpires ?? 0;
+        }
+        const refreshExpiresAt = data.refresh_token_expires_at ?? accessExpiresAt + 30 * 24 * 60 * 60;
+        return {
+          org_id: orgId,
+          org_name: orgName,
+          email,
+          access_token: data.access_token,
+          refresh_token: data.refresh_token,
+          access_token_expires_at: accessExpiresAt,
+          refresh_token_expires_at: refreshExpiresAt,
+          api_host: await this.configManager.getApiHost()
+        };
+      }
+      if (data.status === "EXPIRED") {
+        spinner?.stop();
+        throw new AuthError("Magic link expired", "Please run agenzo-admin-cli auth login again");
+      }
+      await this.sleep(POLL_INTERVAL_MS);
+    }
+    spinner?.stop();
+    throw new AuthError("Login timed out (10 minutes)", "Please run agenzo-admin-cli auth login again");
+  }
+  async logout() {
+    const orgId = await this.configManager.getActiveOrg();
+    if (!orgId) {
+      throw new AuthError("Not signed in", "Please run agenzo-admin-cli auth login first");
+    }
+    const credential = await this.credentialStore.get(orgId);
+    if (credential) {
+      try {
+        await this.apiClient.post(
+          "/auth/logout",
+          { type: "bearer", token: credential.access_token }
+        );
+      } catch {
+      }
+    }
+    await this.credentialStore.delete(orgId);
+  }
+  async getValidAccessToken() {
+    const orgId = await this.configManager.getActiveOrg();
+    if (!orgId) {
+      throw new AuthError("Not signed in", "Please run agenzo-admin-cli auth login first");
+    }
+    const credential = await this.credentialStore.get(orgId);
+    if (!credential) {
+      throw new AuthError("Not signed in", "Please run agenzo-admin-cli auth login first");
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    if (credential.access_token_expires_at - now < TOKEN_REFRESH_THRESHOLD_S) {
+      try {
+        await this.refreshToken(orgId);
+        const refreshed = await this.credentialStore.get(orgId);
+        return refreshed.access_token;
+      } catch {
+        return this.autoReLogin(credential);
+      }
+    }
+    return credential.access_token;
+  }
+  /**
+   * Automatically re-login using the stored email.
+   * Sends a magic link and polls until verified, then updates the
+   * credential without changing the active org.
+   */
+  async autoReLogin(credential) {
+    const { Formatter: Formatter2 } = await import("./formatter-3JVOJXN6.js");
+    const { resolveFormat: resolveFormat2 } = await import("./output-VMJKMMKS.js");
+    const quiet = resolveFormat2(void 0) === "json";
+    if (!quiet) {
+      console.error(Formatter2.status("info", "Session expired, re-authenticating"));
+      console.error(Formatter2.status("loading", "Sending magic link"));
+    }
+    const noAuth = { type: "none" };
+    const loginResult = await this.apiClient.post(
+      "/auth/login",
+      noAuth,
+      { email: credential.email }
+    );
+    if (!loginResult.success) {
+      throw new AuthError(
+        `Auto re-login failed: ${loginResult.errorMessage}`,
+        "Please run agenzo-admin-cli auth login manually"
+      );
+    }
+    const newCredential = await this.pollMagicLinkStatus(
+      loginResult.data.magic_link_token,
+      credential.email,
+      quiet
+    );
+    const activeOrg = await this.configManager.getActiveOrg();
+    if (activeOrg && newCredential.org_id !== activeOrg) {
+      await this.credentialStore.save(newCredential);
+      await this.configManager.setActiveOrg(newCredential.org_id);
+      if (!quiet) {
+        console.error(Formatter2.status("warning", `You were signed into a different organization: ${newCredential.org_name}. Your active organization has been updated.`));
+      }
+      throw new AuthError(
+        "Please run your command again.",
+        "The active organization was switched during re-authentication."
+      );
+    }
+    await this.credentialStore.save(newCredential);
+    if (!quiet) {
+      console.error(Formatter2.status("success", "Re-authenticated successfully"));
+    }
+    return newCredential.access_token;
+  }
+  async refreshToken(orgId) {
+    const credential = await this.credentialStore.get(orgId);
+    if (!credential) {
+      throw new AuthError("Not signed in", "Please run agenzo-admin-cli auth login first");
+    }
+    const result = await this.apiClient.post(
+      "/auth/refresh",
+      { type: "bearer", token: credential.access_token },
+      { refresh_token: credential.refresh_token }
+    );
+    if (!result.success) {
+      if (result.errorCode === 1002) {
+        throw new AuthError("Session expired", "Please run agenzo-admin-cli auth login again");
+      }
+      throw new AuthError(
+        `Token refresh failed: [${result.errorCode}] ${result.errorMessage}`,
+        "Please run agenzo-admin-cli auth login again"
+      );
+    }
+    credential.access_token = result.data.access_token;
+    credential.refresh_token = result.data.refresh_token;
+    if (result.data.access_token_expires_at) {
+      credential.access_token_expires_at = result.data.access_token_expires_at;
+    } else if (result.data.expires_at) {
+      credential.access_token_expires_at = Math.floor(new Date(result.data.expires_at).getTime() / 1e3);
+    }
+    await this.credentialStore.save(credential);
+  }
+  /**
+   * Execute an authenticated API call with automatic token recovery.
+   * If the call returns 1002 (token invalid), attempts refresh → re-login → retry once.
+   */
+  async executeWithAuth(apiFn) {
+    const token = await this.getValidAccessToken();
+    const result = await apiFn(token);
+    if (!result.success && result.errorCode === 1002) {
+      const freshToken = await this.recoverToken();
+      return apiFn(freshToken);
+    }
+    return result;
+  }
+  /**
+   * Attempt token refresh; if that fails, fall back to auto re-login.
+   */
+  async recoverToken() {
+    const orgId = await this.configManager.getActiveOrg();
+    if (!orgId) {
+      throw new AuthError("Not signed in", "Please run agenzo-admin-cli auth login first");
+    }
+    const credential = await this.credentialStore.get(orgId);
+    if (!credential) {
+      throw new AuthError("Not signed in", "Please run agenzo-admin-cli auth login first");
+    }
+    try {
+      await this.refreshToken(orgId);
+      const refreshed = await this.credentialStore.get(orgId);
+      return refreshed.access_token;
+    } catch {
+      return this.autoReLogin(credential);
+    }
+  }
+  sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+};
+
+// src/utils/exit.ts
+function isUserCancel(error) {
+  if (typeof error !== "object" || error === null) {
+    return false;
+  }
+  const code = error.code;
+  const name = error.name;
+  return code === "USER_CANCEL_ERROR" || name === "UserCancelError";
+}
+function exitCodeFor(error) {
+  if (error instanceof UpgradeRequiredError) {
+    return 2;
+  }
+  if (error instanceof AuthError) {
+    return 3;
+  }
+  if (isUserCancel(error)) {
+    return 5;
+  }
+  if (error instanceof NetworkError) {
+    return 4;
+  }
+  if (error instanceof ValidationError) {
+    return 1;
+  }
+  if (error instanceof IdempotencyKeyRequiredError) {
+    return 1;
+  }
+  if (error instanceof ConfigError) {
+    return 1;
+  }
+  if (error instanceof ApiBusinessError) {
+    const status = error.statusCode;
+    if (status === 401 || status === 403) {
+      return 3;
+    }
+    if (status >= 500) {
+      return 4;
+    }
+    return 1;
+  }
+  return 1;
+}
+
+// src/auth/login.ts
+function registerLoginCommand(program, deps) {
+  program.command("login").description("Sign in to Agent Payment API").option("--email <email>", "Email address").option(
+    "--idempotency-key <key>",
+    "Forwarded verbatim as the Idempotency-Key header on login/registration"
+  ).action(async (options, command) => {
+    const format = resolveFormat(command.optsWithGlobals().format);
+    const email = await PromptEngine.resolveInput(options.email, {
+      message: "Email:"
+    });
+    let idempotencyKey = options.idempotencyKey;
+    if (!idempotencyKey) {
+      if (command.optsWithGlobals().yes) {
+        throw new IdempotencyKeyRequiredError("auth login");
+      }
+      idempotencyKey = await PromptEngine.resolveInput(void 0, {
+        message: "Idempotency key (unique per write, for safe retry):",
+        validate: (v) => v.trim().length > 0 || "Idempotency key is required"
+      });
+    }
+    const result = await deps.authService.login(email, {
+      idempotencyKey,
+      quiet: format === "json"
+    });
+    const signedInMessage = result.isNewRegistration ? "Registered and signed in" : "Signed in successfully";
+    notify(format, "success", signedInMessage);
+    const data = {
+      org_id: result.credential.org_id,
+      org_name: result.credential.org_name,
+      email: result.credential.email,
+      is_new_registration: result.isNewRegistration
+    };
+    const commandResult = {
+      data,
+      text: () => Formatter.keyValue([
+        ["Org ID", data.org_id],
+        ["Org Name", data.org_name],
+        ["Email", data.email]
+      ]),
+      note: signedInMessage
+    };
+    render(commandResult, { format });
+  });
+}
+
+// src/auth/logout.ts
+function registerLogoutCommand(program, deps) {
+  program.command("logout").description("Sign out of current organization").action(async (_options, command) => {
+    const format = resolveFormat(command.optsWithGlobals().format);
+    await deps.authService.logout();
+    notify(format, "success", "Signed out");
+    const data = { signed_out: true };
+    const commandResult = {
+      data,
+      text: () => Formatter.status("success", "Signed out"),
+      note: "Signed out"
+    };
+    render(commandResult, { format });
+  });
+}
+
+// src/config/set.ts
+var DEFAULT_HOST = "https://agent.everonet.com";
+async function applyHost(deps, host, verb, format) {
+  await deps.configManager.setApiHost(host);
+  const credentials = await deps.credentialStore.listAll();
+  const match = credentials.find((c) => c.api_host === host);
+  let activeOrg;
+  if (match) {
+    await deps.configManager.setActiveOrg(match.org_id);
+    activeOrg = match.org_id;
+  } else {
+    const config = await deps.configManager.load();
+    config.active_org = null;
+    await deps.configManager.save(config);
+    activeOrg = null;
+  }
+  notify(format, "success", `API host ${verb}: ${host}`);
+  notify(
+    format,
+    "info",
+    match ? `Switched to organization: ${match.org_name} (${match.org_id})` : "No organization found for this host. Please run login."
+  );
+  return {
+    data: { api_host: host, active_org: activeOrg },
+    // stdout payload projection (table mode). The ✓/ℹ status lines are emitted
+    // by `notify` above (stderr) — do NOT repeat them here, or table mode would
+    // print each line twice (once on stderr via notify, once on stdout via render).
+    text: () => Formatter.keyValue([
+      ["API Host", host],
+      ["Active Org", activeOrg ?? "(none)"]
+    ])
+  };
+}
+function registerConfigCommand(program, deps) {
+  const configCmd = program.command("config").description("Manage CLI configuration");
+  configCmd.command("set-host <host>").description("Set API host (e.g. https://agent.everonet.com)").action(async (host, _options, command) => {
+    const format = resolveFormat(command.optsWithGlobals().format);
+    const result = await applyHost(deps, host, "set to", format);
+    render(result, { format });
+  });
+  configCmd.command("show").description("Show current configuration").action(async (_options, command) => {
+    const format = resolveFormat(command.optsWithGlobals().format);
+    const config = await deps.configManager.load();
+    const data = {
+      api_host: config.api_host,
+      api_path: config.api_path,
+      active_org: config.active_org
+    };
+    const commandResult = {
+      data,
+      text: () => Formatter.keyValue([
+        ["API Host", data.api_host],
+        ["API Path", data.api_path],
+        ["Active Org", data.active_org ?? "(none)"]
+      ])
+    };
+    render(commandResult, { format });
+  });
+  configCmd.command("reset-host").description("Reset API host to default (https://agent.everonet.com)").action(async (_options, command) => {
+    const format = resolveFormat(command.optsWithGlobals().format);
+    const result = await applyHost(deps, DEFAULT_HOST, "reset to", format);
+    render(result, { format });
+  });
+}
+
+// src/orgs/get.ts
+function registerMeCommand(parent, deps) {
+  parent.command("get").description("View current organization").action(async (_options, command) => {
+    const format = resolveFormat(command.optsWithGlobals().format);
+    const result = await deps.authService.executeWithAuth(
+      (token) => deps.apiClient.get(
+        "/organizations/me",
+        { type: "bearer", token }
+      )
+    );
+    if (!result.success) {
+      throw new ApiBusinessError(result.errorCode, result.errorMessage, result.statusCode);
+    }
+    const org = result.data;
+    const commandResult = {
+      data: org,
+      text: () => Formatter.keyValue([
+        ["Org ID", org.id],
+        ["Name", org.name],
+        ["Email", org.email],
+        ["Status", org.status],
+        ["Created", Formatter.formatTime(org.created_at)],
+        ["Updated", Formatter.formatTime(org.updated_at)]
+      ])
+    };
+    render(commandResult, { format });
+  });
+}
+
+// src/orgs/update.ts
+function registerUpdateCommand(parent, deps) {
+  parent.command("update").description("Update current organization").option("--name <name>", "New organization name").option("--email <email>", "New email").option("--idempotency-key <key>", "Idempotency key forwarded as the Idempotency-Key header").action(async (options, command) => {
+    const format = resolveFormat(command.optsWithGlobals().format);
+    const body = {};
+    if (options.name) body.name = options.name;
+    if (options.email) body.email = options.email;
+    let idempotencyKey = options.idempotencyKey;
+    if (!idempotencyKey) {
+      if (command.optsWithGlobals().yes) {
+        throw new IdempotencyKeyRequiredError("orgs update");
+      }
+      idempotencyKey = await PromptEngine.resolveInput(void 0, {
+        message: "Idempotency key (unique per write, for safe retry):",
+        validate: (v) => v.trim().length > 0 || "Idempotency key is required"
+      });
+    }
+    const extraHeaders = {
+      "Idempotency-Key": String(idempotencyKey)
+    };
+    const result = await deps.authService.executeWithAuth(
+      (token) => deps.apiClient.post(
+        "/organizations/me/update",
+        { type: "bearer", token },
+        body,
+        extraHeaders
+      )
+    );
+    if (!result.success) {
+      throw new ApiBusinessError(result.errorCode, result.errorMessage, result.statusCode);
+    }
+    const data = result.data;
+    if (data.magic_link_token) {
+      notify(
+        format,
+        "info",
+        "Verification email sent to the new address. The email changes once verified."
+      );
+      const verifyResult = {
+        data: {
+          magic_link_token: data.magic_link_token,
+          expires_at: data.expires_at
+        },
+        text: () => Formatter.keyValue([
+          ["Status", "PENDING_EMAIL_VERIFICATION"],
+          ["Magic Link Token", data.magic_link_token ?? ""],
+          ["Expires At", Formatter.formatTime(data.expires_at)]
+        ])
+      };
+      render(verifyResult, { format });
+      return;
+    }
+    const org = data;
+    const activeOrg = await deps.configManager.getActiveOrg();
+    if (activeOrg) {
+      const cred = await deps.credentialStore.get(activeOrg);
+      if (cred && options.name) {
+        cred.org_name = org.name;
+        await deps.credentialStore.save(cred);
+      }
+    }
+    notify(format, "success", "Organization updated");
+    const commandResult = {
+      data: org,
+      text: () => Formatter.keyValue([
+        ["Org ID", org.id],
+        ["Name", org.name],
+        ["Email", org.email],
+        ["Status", org.status]
+      ])
+    };
+    render(commandResult, { format });
+  });
+}
+
+// src/orgs/list.ts
+function registerListCommand(parent, deps) {
+  parent.command("list").description("List all signed-in organizations").action(async (_options, command) => {
+    const format = resolveFormat(command.optsWithGlobals().format);
+    const credentials = await deps.credentialStore.listAll();
+    const activeOrg = await deps.configManager.getActiveOrg();
+    const currentHost = await deps.configManager.getApiHost();
+    const data = credentials.filter((cred) => cred.api_host === currentHost).map((cred) => ({
+      org_id: cred.org_id,
+      org_name: cred.org_name,
+      email: cred.email,
+      active: cred.org_id === activeOrg
+    }));
+    const commandResult = {
+      data,
+      text: () => {
+        if (data.length === 0) {
+          return Formatter.status("info", "No signed-in organizations");
+        }
+        const headers = ["", "Org ID", "Org Name", "Email"];
+        const rows = data.map((item) => [
+          item.active ? "*" : "",
+          item.org_id,
+          item.org_name,
+          item.email
+        ]);
+        return Formatter.table(headers, rows);
+      }
+    };
+    render(commandResult, { format });
+  });
+}
+
+// src/orgs/switch.ts
+function registerSwitchCommand(parent, deps) {
+  parent.command("switch <org_id>").description("Switch active organization").action(async (orgId, _options, command) => {
+    const format = resolveFormat(command.optsWithGlobals().format);
+    const credential = await deps.credentialStore.get(orgId);
+    if (!credential) {
+      throw new AuthError(
+        `Organization ${orgId} not signed in locally`,
+        "Please run agenzo-admin-cli auth login to sign in to this organization"
+      );
+    }
+    const currentHost = await deps.configManager.getApiHost();
+    if (credential.api_host && credential.api_host !== currentHost) {
+      throw new ValidationError(
+        `Organization ${orgId} belongs to a different environment (${credential.api_host})`
+      );
+    }
+    await deps.configManager.setActiveOrg(orgId);
+    notify(format, "success", `Switched to organization ${orgId}`);
+    const commandResult = {
+      data: { active_org: orgId },
+      text: () => Formatter.status("success", `Switched to organization ${orgId}`)
+    };
+    render(commandResult, { format });
+  });
+}
+
+// src/developers/billing-mode.ts
+var VALID_BILLING_MODES = ["pay_per_call", "monthly_settlement"];
+var DEFAULT_BILLING_MODE = "pay_per_call";
+function isBillingMode(value) {
+  return VALID_BILLING_MODES.includes(value);
+}
+function resolveBillingMode(flag) {
+  if (flag === void 0) {
+    return DEFAULT_BILLING_MODE;
+  }
+  const normalized = flag.trim().toLowerCase();
+  if (!isBillingMode(normalized)) {
+    throw new ValidationError(
+      `Invalid --billing-mode: ${flag}. Allowed: ${VALID_BILLING_MODES.join(", ")}.`
+    );
+  }
+  return normalized;
+}
+
+// src/developers/create.ts
+function registerCreateCommand(parent, deps) {
+  parent.command("create").description("Create a developer").option("--developer-name <name>", "Developer name").option("--developer-email <email>", "Developer email").option(
+    "--billing-mode <mode>",
+    "Billing mode: pay_per_call | monthly_settlement (default: pay_per_call)"
+  ).option("--idempotency-key <key>", "Idempotency key forwarded as the Idempotency-Key header").action(async (options, command) => {
+    const format = resolveFormat(command.optsWithGlobals().format);
+    const name = await PromptEngine.resolveInput(options.developerName, {
+      message: "Developer name:"
+    });
+    const email = await PromptEngine.resolveInput(options.developerEmail, {
+      message: "Developer email:"
+    });
+    const billingMode = resolveBillingMode(options.billingMode);
+    let idempotencyKey = options.idempotencyKey;
+    if (!idempotencyKey) {
+      if (command.optsWithGlobals().yes) {
+        throw new IdempotencyKeyRequiredError("developers create");
+      }
+      idempotencyKey = await PromptEngine.resolveInput(void 0, {
+        message: "Idempotency key (unique per write, for safe retry):",
+        validate: (v) => v.trim().length > 0 || "Idempotency key is required"
+      });
+    }
+    const extraHeaders = {
+      "Idempotency-Key": String(idempotencyKey)
+    };
+    const result = await deps.authService.executeWithAuth(
+      (token) => deps.apiClient.post(
+        "/developers/create",
+        { type: "bearer", token },
+        { name, email, billing_mode: billingMode },
+        extraHeaders
+      )
+    );
+    if (!result.success) {
+      throw new ApiBusinessError(result.errorCode, result.errorMessage, result.statusCode);
+    }
+    const dev = result.data;
+    const idDisplay = String(
+      dev.id ?? dev.developer_id ?? "-"
+    );
+    const commandResult = {
+      data: dev,
+      note: "Developer created",
+      text: () => Formatter.keyValue([
+        ["ID", idDisplay],
+        ["Org ID", String(dev.organization_id ?? "-")],
+        ["Name", String(dev.name ?? "-")],
+        ["Email", String(dev.email ?? "-")],
+        ["Status", String(dev.status ?? "-")],
+        ["Billing Mode", String(dev.billing_mode ?? "-")]
+      ])
+    };
+    if (commandResult.note) {
+      notify(format, "success", commandResult.note);
+    }
+    render(commandResult, { format });
+  });
+}
+
+// src/developers/list.ts
+function registerListCommand2(parent, deps) {
+  parent.command("list").description("List all developers").action(async (_options, command) => {
+    const format = resolveFormat(command.optsWithGlobals().format);
+    const result = await deps.authService.executeWithAuth(
+      (token) => deps.apiClient.get(
+        "/developers",
+        { type: "bearer", token }
+      )
+    );
+    if (!result.success) {
+      throw new ApiBusinessError(result.errorCode, result.errorMessage, result.statusCode);
+    }
+    const developers = result.data;
+    const commandResult = {
+      data: developers,
+      text: () => {
+        if (developers.length === 0) {
+          return Formatter.status("info", "No developers found");
+        }
+        const headers = ["ID", "Name", "Email", "Status"];
+        const rows = developers.map((d) => [d.id, d.name, d.email, d.status]);
+        return Formatter.table(headers, rows);
+      }
+    };
+    render(commandResult, { format });
+  });
+}
+
+// src/developers/get.ts
+function registerGetCommand(parent, deps) {
+  parent.command("get <developer_id>").description("View developer details").action(async (developerId, _options, command) => {
+    const format = resolveFormat(command.optsWithGlobals().format);
+    const result = await deps.authService.executeWithAuth(
+      (token) => deps.apiClient.get(
+        `/developers/${developerId}`,
+        { type: "bearer", token }
+      )
+    );
+    if (!result.success) {
+      throw new ApiBusinessError(result.errorCode, result.errorMessage, result.statusCode);
+    }
+    const dev = result.data;
+    const commandResult = {
+      data: dev,
+      text: () => Formatter.keyValue([
+        ["ID", dev.id],
+        ["Name", dev.name],
+        ["Email", dev.email],
+        ["Status", dev.status],
+        ["Billing Mode", dev.billing_mode ?? "-"],
+        ["Created", Formatter.formatTime(dev.created_at)],
+        ["Updated", Formatter.formatTime(dev.updated_at)]
+      ])
+    };
+    render(commandResult, { format });
+  });
+}
+
+// src/developers/update.ts
+function registerUpdateCommand2(parent, deps) {
+  parent.command("update <developer_id>").description("Update developer info").option("--name <name>", "New name").option("--email <email>", "New email").option("--idempotency-key <key>", "Idempotency key forwarded as the Idempotency-Key header").action(async (developerId, options, command) => {
+    const format = resolveFormat(command.optsWithGlobals().format);
+    const body = {};
+    if (options.name) body.name = options.name;
+    if (options.email) body.email = options.email;
+    let idempotencyKey = options.idempotencyKey;
+    if (!idempotencyKey) {
+      if (command.optsWithGlobals().yes) {
+        throw new IdempotencyKeyRequiredError("developers update");
+      }
+      idempotencyKey = await PromptEngine.resolveInput(void 0, {
+        message: "Idempotency key (unique per write, for safe retry):",
+        validate: (v) => v.trim().length > 0 || "Idempotency key is required"
+      });
+    }
+    const extraHeaders = {
+      "Idempotency-Key": String(idempotencyKey)
+    };
+    const result = await deps.authService.executeWithAuth(
+      (token) => deps.apiClient.post(
+        `/developers/${developerId}/update`,
+        { type: "bearer", token },
+        body,
+        extraHeaders
+      )
+    );
+    if (!result.success) {
+      throw new ApiBusinessError(result.errorCode, result.errorMessage, result.statusCode);
+    }
+    const dev = result.data;
+    const commandResult = {
+      data: dev,
+      note: "Developer updated",
+      text: () => Formatter.keyValue([
+        ["ID", dev.id],
+        ["Name", dev.name],
+        ["Email", dev.email],
+        ["Status", dev.status]
+      ])
+    };
+    if (commandResult.note) {
+      notify(format, "success", commandResult.note);
+    }
+    render(commandResult, { format });
+  });
+}
+
+// src/keys/scope.ts
+import { checkbox } from "@inquirer/prompts";
+var VALID_SCOPES = ["token", "merchant", "payment"];
+var DEFAULT_SCOPES = ["token", "merchant", "payment"];
+function isScope(value) {
+  return VALID_SCOPES.includes(value);
+}
+function parseScopeFlag(raw) {
+  const parts = raw.split(",").map((s) => s.trim().toLowerCase()).filter((s) => s.length > 0);
+  if (parts.length === 0) {
+    throw new ValidationError(
+      `Invalid --scope: empty. Expected a comma-separated subset of ${VALID_SCOPES.join(", ")}.`
+    );
+  }
+  const invalid = parts.filter((p) => !isScope(p));
+  if (invalid.length > 0) {
+    throw new ValidationError(
+      `Invalid --scope value(s): ${invalid.join(", ")}. Allowed: ${VALID_SCOPES.join(", ")}.`
+    );
+  }
+  return DEFAULT_SCOPES.filter((s) => parts.includes(s));
+}
+async function resolveScopes(flag, nonInteractive) {
+  if (flag !== void 0) {
+    return parseScopeFlag(flag);
+  }
+  if (nonInteractive) {
+    return DEFAULT_SCOPES;
+  }
+  const selected = await checkbox({
+    message: "Select scopes (which CLIs this key may call):",
+    choices: DEFAULT_SCOPES.map((s) => ({ name: s, value: s, checked: true }))
+  });
+  return selected.length > 0 ? selected : DEFAULT_SCOPES;
+}
+
+// src/keys/create.ts
+function registerCreateCommand2(parent, deps) {
+  const cmd = parent.command("create").description("Create an API Key").option("--developer-id <developer_id>", "Developer ID (e.g. dev_01KPX...)").option("--key-name <key_name>", "Key name (e.g. Production Key)").option(
+    "--scope <scope>",
+    "Comma-separated CLI scopes: token,merchant,payment (default: all three)"
+  ).option(
+    "--idempotency-key <key>",
+    "Idempotency key forwarded verbatim as the Idempotency-Key header"
+  );
+  cmd.action(async () => {
+    const opts = cmd.optsWithGlobals();
+    const format = resolveFormat(opts.format);
+    const developerId = await PromptEngine.resolveInput(opts.developerId, {
+      message: "Developer ID (e.g. dev_01KPX...):"
+    });
+    const name = await PromptEngine.resolveInput(opts.keyName, {
+      message: "Key name (e.g. Production Key):"
+    });
+    const scope = await resolveScopes(
+      opts.scope,
+      Boolean(opts.yes)
+    );
+    let idempotencyKey = opts.idempotencyKey;
+    if (!idempotencyKey) {
+      if (opts.yes) {
+        throw new IdempotencyKeyRequiredError("keys create");
+      }
+      idempotencyKey = await PromptEngine.resolveInput(void 0, {
+        message: "Idempotency key (unique per write, for safe retry):",
+        validate: (v) => v.trim().length > 0 || "Idempotency key is required"
+      });
+    }
+    const extraHeaders = {
+      "Idempotency-Key": idempotencyKey
+    };
+    const result = await deps.authService.executeWithAuth(
+      (token) => deps.apiClient.post(
+        "/keys/create",
+        { type: "bearer", token },
+        { developer_id: developerId, name, scope },
+        extraHeaders
+      )
+    );
+    if (!result.success) {
+      throw new ApiBusinessError(result.errorCode, result.errorMessage, result.statusCode);
+    }
+    const key = result.data;
+    if (!key.scope || key.scope.length === 0) {
+      key.scope = scope;
+    }
+    const orgId = await deps.configManager.getActiveOrg();
+    if (orgId && key.api_key) {
+      await deps.keyStore.add(orgId, {
+        key_id: key.id,
+        developer_id: key.developer_id,
+        name: key.name,
+        key_value: key.api_key,
+        created_at: key.created_at
+      });
+    }
+    notify(format, "success", "API Key created");
+    if (format === "table") {
+      console.error(Formatter.status("warning", `API Key: ${key.api_key}`));
+      console.error(
+        Formatter.status("warning", "Save it now \u2014 this key is shown only once")
+      );
+    }
+    const cmdResult = {
+      data: key,
+      text: () => Formatter.keyValue([
+        ["Name", key.name],
+        ["Scope", (key.scope ?? []).join(", ")],
+        ["Status", key.status]
+      ])
+    };
+    render(cmdResult, { format });
+  });
+}
+
+// src/keys/list.ts
+function toMetadata(key) {
+  const { api_key: _api_key, ...metadata } = key;
+  return metadata;
+}
+function registerListCommand3(parent, deps) {
+  const cmd = parent.command("list").description("List API Keys").option("--developer-id <developer_id>", "Developer ID (e.g. dev_01KPX...)");
+  cmd.action(async () => {
+    const opts = cmd.optsWithGlobals();
+    const format = resolveFormat(opts.format);
+    const developerId = await PromptEngine.resolveInput(opts.developerId, {
+      message: "Developer ID (e.g. dev_01KPX...):"
+    });
+    const result = await deps.authService.executeWithAuth(
+      (token) => deps.apiClient.get(
+        "/keys",
+        { type: "bearer", token },
+        { developer_id: developerId }
+      )
+    );
+    if (!result.success) {
+      throw new ApiBusinessError(result.errorCode, result.errorMessage, result.statusCode);
+    }
+    const keys = result.data.map(toMetadata);
+    const cmdResult = {
+      data: keys,
+      text: () => {
+        if (keys.length === 0) {
+          return Formatter.status("info", "No API Keys found");
+        }
+        const headers = ["ID", "Developer", "Name", "Scope", "Status", "Last Used"];
+        const rows = keys.map((k) => [
+          k.id,
+          k.developer_id,
+          k.name,
+          (k.scope ?? []).join(","),
+          k.status,
+          k.last_used_at ? Formatter.formatTime(k.last_used_at) : "Never"
+        ]);
+        return Formatter.table(headers, rows);
+      }
+    };
+    render(cmdResult, { format });
+  });
+}
+
+// src/keys/get.ts
+function toMetadata2(key) {
+  const { api_key: _api_key, ...metadata } = key;
+  return metadata;
+}
+function registerGetCommand2(parent, deps) {
+  const cmd = parent.command("get <key_id>").description("View API Key details");
+  cmd.action(async (keyId) => {
+    const opts = cmd.optsWithGlobals();
+    const format = resolveFormat(opts.format);
+    const result = await deps.authService.executeWithAuth(
+      (token) => deps.apiClient.get(
+        `/keys/${keyId}`,
+        { type: "bearer", token }
+      )
+    );
+    if (!result.success) {
+      throw new ApiBusinessError(result.errorCode, result.errorMessage, result.statusCode);
+    }
+    const k = toMetadata2(result.data);
+    const cmdResult = {
+      data: k,
+      text: () => Formatter.keyValue([
+        ["Key ID", k.id],
+        ["Developer ID", k.developer_id],
+        ["Name", k.name],
+        ["Scope", (k.scope ?? []).join(", ")],
+        ["Status", k.status],
+        ["Last Used", k.last_used_at ? Formatter.formatTime(k.last_used_at) : "Never"],
+        ["Created", Formatter.formatTime(k.created_at)]
+      ])
+    };
+    render(cmdResult, { format });
+  });
+}
+
+// src/keys/rotate.ts
+function registerRotateCommand(parent, deps) {
+  const cmd = parent.command("rotate <key_id>").description("Rotate API Key").option(
+    "--idempotency-key <key>",
+    "Idempotency key forwarded verbatim as the Idempotency-Key header"
+  );
+  cmd.action(async (keyId) => {
+    const opts = cmd.optsWithGlobals();
+    const format = resolveFormat(opts.format);
+    let idempotencyKey = opts.idempotencyKey;
+    if (!idempotencyKey) {
+      if (opts.yes) {
+        throw new IdempotencyKeyRequiredError("keys rotate");
+      }
+      idempotencyKey = await PromptEngine.resolveInput(void 0, {
+        message: "Idempotency key (unique per write, for safe retry):",
+        validate: (v) => v.trim().length > 0 || "Idempotency key is required"
+      });
+    }
+    const extraHeaders = {
+      "Idempotency-Key": idempotencyKey
+    };
+    const result = await deps.authService.executeWithAuth(
+      (token) => deps.apiClient.post(
+        `/keys/${keyId}/rotate`,
+        { type: "bearer", token },
+        void 0,
+        extraHeaders
+      )
+    );
+    if (!result.success) {
+      throw new ApiBusinessError(result.errorCode, result.errorMessage, result.statusCode);
+    }
+    const key = result.data;
+    const orgId = await deps.configManager.getActiveOrg();
+    if (orgId && key.api_key) {
+      await deps.keyStore.update(orgId, keyId, key.api_key);
+    }
+    notify(format, "success", "API Key rotated");
+    if (format === "table") {
+      console.error(Formatter.status("warning", `New API Key: ${key.api_key}`));
+      console.error(
+        Formatter.status("warning", "Save it now \u2014 this key is shown only once")
+      );
+    }
+    const cmdResult = {
+      data: key,
+      text: () => Formatter.keyValue([
+        ["Key ID", key.id],
+        ["Name", key.name],
+        ["Scope", (key.scope ?? []).join(", ")],
+        ["Status", key.status]
+      ])
+    };
+    render(cmdResult, { format });
+  });
+}
+
+// src/keys/disable.ts
+function registerDisableCommand(parent, deps) {
+  const cmd = parent.command("disable <key_id>").description("Disable API Key").option(
+    "--idempotency-key <key>",
+    "Idempotency key forwarded verbatim as the Idempotency-Key header"
+  );
+  cmd.action(async (keyId) => {
+    const opts = cmd.optsWithGlobals();
+    const format = resolveFormat(opts.format);
+    let idempotencyKey = opts.idempotencyKey;
+    if (!idempotencyKey) {
+      if (opts.yes) {
+        throw new IdempotencyKeyRequiredError("keys disable");
+      }
+      idempotencyKey = await PromptEngine.resolveInput(void 0, {
+        message: "Idempotency key (unique per write, for safe retry):",
+        validate: (v) => v.trim().length > 0 || "Idempotency key is required"
+      });
+    }
+    const extraHeaders = {
+      "Idempotency-Key": idempotencyKey
+    };
+    const result = await deps.authService.executeWithAuth(
+      (token) => deps.apiClient.post(
+        `/keys/${keyId}/disable`,
+        { type: "bearer", token },
+        void 0,
+        extraHeaders
+      )
+    );
+    if (!result.success) {
+      throw new ApiBusinessError(result.errorCode, result.errorMessage, result.statusCode);
+    }
+    const disableResult = result.data;
+    notify(format, "success", `API Key ${keyId} disabled`);
+    const cmdResult = {
+      data: disableResult,
+      text: () => Formatter.keyValue([
+        ["Status", disableResult.status]
+      ])
+    };
+    render(cmdResult, { format });
+  });
+}
+
+// src/accounts/get.ts
+function registerGetCommand3(parent, deps) {
+  parent.command("get").description("Query a developer's settlement account").option("--developer-id <id>", "Developer ID to query").action(async (options, command) => {
+    const format = resolveFormat(command.optsWithGlobals().format);
+    const developerId = await PromptEngine.resolveInput(options.developerId, {
+      message: "Developer ID (e.g. dev_01HZ...):"
+    });
+    const result = await deps.authService.executeWithAuth(
+      (token) => deps.apiClient.get(
+        "/accounts",
+        { type: "bearer", token },
+        { developer_id: developerId }
+      )
+    );
+    if (!result.success) {
+      throw new ApiBusinessError(result.errorCode, result.errorMessage, result.statusCode);
+    }
+    const account = result.data;
+    if (!account) {
+      notify(
+        format,
+        "info",
+        "No settlement account found for this developer. Complete offline contract signing first."
+      );
+      render({ data: null, text: () => "" }, { format });
+      return;
+    }
+    const commandResult = {
+      data: account,
+      text: () => Formatter.keyValue([
+        ["Account ID", account.id],
+        ["Developer ID", account.developer_id],
+        ["Balance", String(account.balance)],
+        ["Currency", account.currency],
+        ["Status", account.status],
+        ["Created", Formatter.formatTime(account.created_at)],
+        ["Updated", Formatter.formatTime(account.updated_at)]
+      ])
+    };
+    render(commandResult, { format });
+  });
+}
+
+// src/index.ts
+var programRef;
+async function main() {
+  const configManager = new ConfigManager();
+  await configManager.ensureDirectories();
+  const credentialStore = new CredentialStore();
+  const keyStore = new KeyStore();
+  const apiBaseUrl = await configManager.getApiBaseUrl();
+  const apiClient = new ApiClient({ baseUrl: apiBaseUrl });
+  const authService = new AuthService(apiClient, credentialStore, configManager);
+  const controlPlaneDeps = { apiClient, authService, credentialStore, configManager };
+  const keysDeps = { apiClient, authService, keyStore, configManager };
+  const orgsDeps = { credentialStore, configManager };
+  const program = new Command();
+  programRef = program;
+  program.name("agenzo-admin-cli").version(getCurrentVersion()).description(
+    "Agenzo control plane: login, organizations, developers, API keys, settlement accounts, and config"
+  ).option("--verbose", "Show verbose logs").option("--yes", "Skip confirmation prompts (for automation/AI Agents)").option(
+    "--format <format>",
+    "Output format: json | table (default: table; or set AGENZO_FORMAT)"
+  );
+  program.hook("preAction", (thisCommand) => {
+    const flag = thisCommand.opts().format;
+    process.env.AGENZO_FORMAT = resolveFormat(flag);
+  });
+  const authCmd = program.command("auth").description("Authentication");
+  registerLoginCommand(authCmd, { authService });
+  registerLogoutCommand(authCmd, { authService });
+  registerConfigCommand(program, { configManager, credentialStore });
+  const orgsCmd = program.command("orgs").description("Organization management");
+  registerMeCommand(orgsCmd, controlPlaneDeps);
+  registerUpdateCommand(orgsCmd, controlPlaneDeps);
+  registerListCommand(orgsCmd, orgsDeps);
+  registerSwitchCommand(orgsCmd, orgsDeps);
+  const devsCmd = program.command("developers").description("Developer management");
+  registerCreateCommand(devsCmd, controlPlaneDeps);
+  registerListCommand2(devsCmd, controlPlaneDeps);
+  registerGetCommand(devsCmd, controlPlaneDeps);
+  registerUpdateCommand2(devsCmd, controlPlaneDeps);
+  const keysCmd = program.command("keys").description("API Key management");
+  registerCreateCommand2(keysCmd, keysDeps);
+  registerListCommand3(keysCmd, controlPlaneDeps);
+  registerGetCommand2(keysCmd, controlPlaneDeps);
+  registerRotateCommand(keysCmd, keysDeps);
+  registerDisableCommand(keysCmd, controlPlaneDeps);
+  const accountsCmd = program.command("accounts").description("Settlement account management");
+  registerGetCommand3(accountsCmd, controlPlaneDeps);
+  await program.parseAsync(process.argv);
+}
+function resolveActiveFormat() {
+  const flag = programRef?.opts().format;
+  return resolveFormat(flag);
+}
+function reportError(error) {
+  const envelope = toErrorEnvelope(error);
+  const format = resolveActiveFormat();
+  if (format === "json") {
+    console.error(JSON.stringify(envelope));
+  } else {
+    console.error(Formatter.status("error", envelope.error.message));
+    if (error instanceof AuthError) {
+      console.error(Formatter.status("info", error.suggestion));
+    }
+    if (!(error instanceof CliError) && process.argv.includes("--verbose")) {
+      console.error(error);
+    }
+  }
+  process.exit(exitCodeFor(error));
+}
+process.on("SIGINT", () => {
+  reportError(new UserCancelError());
+});
+main().catch(reportError);
+//# sourceMappingURL=index.js.map