npm - @aiaiai-pt/martha-cli - Versions diffs - 0.7.0 → 0.9.0 - Mend

@aiaiai-pt/martha-cli 0.7.0 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,20 @@ All notable changes to `@aiaiai-pt/martha-cli`. Format: [Keep a Changelog](https
 ## [Unreleased]
+## [0.9.0] — 2026-06-10
+### Added — #535 Phase 1 onboarding bootstrap
+- `martha init` can now provision a grant-bearing principal after auth, removing the "denied until hand-granted" wall a fresh caller hits on the tenant's shared default client. Interactive: it asks "how will you use Martha?" and grants the matching read set. Non-interactive flags: `--bootstrap --mode human|integration --intent rag|documents|workflows|custom --workflow <name> --function <name> --label <name> --yes`. Non-TTY requires `--yes`; `--json` is pure JSON.
+  - **human** mode adopts-or-creates *your own* client (`cli-user:{sub}`, not the shared default), grants the intent read set, and wires the profile to run as it (`default_client`).
+  - **integration** mode (admin only) mints a Keycloak service account + Martha client + grants and prints copy-paste `MARTHA_CLIENT_ID`/`MARTHA_CLIENT_SECRET` once for CI.
+  - Deterministic (no LLM), idempotent (adopt-don't-duplicate), least-privilege, and reports exactly what it granted. Unknown function/workflow names are skipped and reported.
+- `workflows execute` now routes by caller type: service accounts hit `/api/service/.../execute`; humans hit `/test` with `selected_client = profile.default_client`, so the bootstrapped grants actually apply (a workflow's function nodes run as the client — #529).
+## [0.8.0] — 2026-06-09
+### Added — #522 source-scoped retry (CLI parity)
+- `document-sync sources retry <id> [--status error] [--yes]` — re-drive a sync source's failed documents directly, mirroring the source-scoped retry already in the API and admin UI (the collection path is `documents retry --collection`). Same herd-free semantics: flips matching docs back to `pending` for the reconciler to re-drive at its capped rate. Non-TTY requires `--yes`; JSON mode emits the result; `--status pending` re-drives stuck-pending docs.
 ## [0.7.0] — 2026-06-09
 ### Added — #522 bulk-ingest observability + management

package/dist/index.js CHANGED Viewed

@@ -2158,6 +2158,9 @@ function extractDetail(body) {
       const nested = obj.detail;
       if (typeof nested.message === "string")
         return nested.message;
+      if (nested.code === "mcp_oauth_authorization_required" && typeof nested.authorization_url === "string") {
+        return "MCP OAuth authorization required";
+      }
     }
     if (typeof obj.message === "string")
       return obj.message;
@@ -2178,30 +2181,32 @@ var init_errors = __esm(() => {
   };
   MarthaAPIError = class MarthaAPIError extends CLIError {
     status;
-    constructor(status, detail, exitCode, suggestion) {
+    body;
+    constructor(status, detail, exitCode, suggestion, body) {
       super(detail, exitCode, suggestion);
       this.status = status;
+      this.body = body;
       this.name = "MarthaAPIError";
     }
     static fromResponse(status, body) {
       const detail = extractDetail(body);
       switch (status) {
         case 401:
-          return new MarthaAPIError(status, detail || "Authentication required", 2 /* Auth */, "Run `martha auth login` to authenticate.");
+          return new MarthaAPIError(status, detail || "Authentication required", 2 /* Auth */, "Run `martha auth login` to authenticate.", body);
         case 403:
-          return new MarthaAPIError(status, detail || "Permission denied", 2 /* Auth */, "Check your permissions or switch profiles with `martha config use <profile>`.");
+          return new MarthaAPIError(status, detail || "Permission denied", 2 /* Auth */, "Check your permissions or switch profiles with `martha config use <profile>`.", body);
         case 404:
-          return new MarthaAPIError(status, detail || "Resource not found", 3 /* NotFound */);
+          return new MarthaAPIError(status, detail || "Resource not found", 3 /* NotFound */, undefined, body);
         case 409:
-          return new MarthaAPIError(status, detail || "Conflict", 5 /* Conflict */);
+          return new MarthaAPIError(status, detail || "Conflict", 5 /* Conflict */, undefined, body);
         case 400:
         case 422:
-          return new MarthaAPIError(status, detail || "Validation error", 4 /* Validation */);
+          return new MarthaAPIError(status, detail || "Validation error", 4 /* Validation */, undefined, body);
         default:
           if (status >= 500) {
-            return new MarthaAPIError(status, detail || `Server error (${status})`, 1 /* Error */, "Run `martha status` to check API health.");
+            return new MarthaAPIError(status, detail || `Server error (${status})`, 1 /* Error */, "Run `martha status` to check API health.", body);
           }
-          return new MarthaAPIError(status, detail || `Unexpected error (${status})`, 1 /* Error */);
+          return new MarthaAPIError(status, detail || `Unexpected error (${status})`, 1 /* Error */, undefined, body);
       }
     }
   };
@@ -10687,7 +10692,10 @@ init_errors();
 function createContext(opts) {
   const config = loadConfig(opts.configDir);
   const profileName = opts.profileOverride ?? process.env.MARTHA_PROFILE ?? config.current_profile;
-  const profile = getActiveProfile(config, profileName);
+  const profile = {
+    ...getActiveProfile(config, profileName),
+    ...opts.apiUrlOverride ? { api_url: opts.apiUrlOverride } : {}
+  };
   const tokenStore = new TokenStore(opts.configDir);
   const getAccessToken = async () => {
     const envToken = process.env.MARTHA_TOKEN;
@@ -12836,10 +12844,10 @@ function registerExecutionCommands(parentCmd, getCtx, isJson) {
     } catch {
       throw new CLIError("Invalid JSON in --inputs", 4 /* Validation */);
     }
-    let result = await ctx.api.post(`/api/admin/workflows/${encodeURIComponent(name)}/test`, {
-      user_inputs: userInputs,
-      acknowledge_side_effects: !!opts.yes
-    });
+    const isServiceAccount = ctx.profile.auth_type === "client_credentials";
+    const runAs = ctx.profile.default_client;
+    const executeOnce = (ack) => isServiceAccount ? ctx.api.post(`/api/service/workflows/${encodeURIComponent(name)}/execute`, { user_inputs: userInputs, acknowledge_side_effects: true }) : ctx.api.post(`/api/admin/workflows/${encodeURIComponent(name)}/test`, { user_inputs: userInputs, acknowledge_side_effects: ack }, runAs ? { params: { selected_client: runAs } } : undefined);
+    let result = await executeOnce(!!opts.yes);
     if (result.status === "warning_required" && !opts.yes) {
       const nodes = result.side_effect_nodes?.join(", ") ?? "unknown";
       console.error(source_default.yellow(`Warning: workflow has side-effect nodes: ${nodes}`));
@@ -12849,10 +12857,7 @@ function registerExecutionCommands(parentCmd, getCtx, isJson) {
         process.exitCode = 0;
         return;
       }
-      result = await ctx.api.post(`/api/admin/workflows/${encodeURIComponent(name)}/test`, {
-        user_inputs: userInputs,
-        acknowledge_side_effects: true
-      });
+      result = await executeOnce(true);
     }
     const executionId = result.execution_id;
     if (!executionId) {
@@ -14350,6 +14355,32 @@ No google_drive sources found.`));
     }
     printIngestionStatus(sourceId, summary);
   });
+  sources.command("retry <source_id>").description("Re-drive a source's failed documents. Bounded + idempotent — flips " + "them back to pending; the ingestion reconciler re-drives them at " + "its capped rate (no herd).").option("--status <status>", "Which docs to retry: error | pending", "error").option("--yes", "Skip confirmation (required in non-interactive mode)").action(async (sourceId, opts) => {
+    if (!["error", "pending"].includes(opts.status)) {
+      throw new CLIError("--status must be one of: error, pending", 4 /* Validation */);
+    }
+    if (!opts.yes) {
+      if (!process.stdin.isTTY) {
+        throw new CLIError("Cannot confirm in non-interactive mode. Use --yes to retry.", 1 /* Error */);
+      }
+      const ok = await confirm(`Retry ${opts.status} documents for source ${sourceId}?`);
+      if (!ok) {
+        if (isJson()) {
+          console.log(JSON.stringify({ reset_count: 0, cancelled: true }));
+        } else {
+          console.log("Cancelled.");
+        }
+        return;
+      }
+    }
+    const ctx = getCtx();
+    const result = await ctx.api.post(`/api/admin/document-sync/sources/${encodeURIComponent(sourceId)}/retry-ingestion`, undefined, { params: { status: opts.status } });
+    if (isJson()) {
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+    console.log(source_default.green(`Re-drove ${result.reset_count} ${opts.status} document(s) for ` + `source ${sourceId}. The ingestion reconciler will pick them up ` + `within ~1 min (rate-limited by the per-tenant quota).`));
+  });
 }
 // src/commands/approvals.ts
@@ -15509,13 +15540,11 @@ init_errors();
 function registerConnectionCommands(program2) {
   const cmd = program2.command("connections").description("Manage Vault-backed integration connections (credentials live in Vault)");
   function getCtx() {
-    const ctx = createContext({
+    return createContext({
       profileOverride: program2.opts().profile,
+      apiUrlOverride: program2.opts().apiUrl,
       verbose: program2.opts().verbose
     });
-    if (program2.opts().apiUrl)
-      ctx.profile.api_url = program2.opts().apiUrl;
-    return ctx;
   }
   function isJson() {
     return !!program2.opts().json;
@@ -17361,6 +17390,181 @@ ${pages.length} pages`));
   });
 }
+// src/commands/mcp.ts
+init_errors();
+function registerMCPCommands(program2) {
+  const cmd = program2.command("mcp").description("Discover and call MCP tools");
+  function getCtx() {
+    return createContext({
+      profileOverride: program2.opts().profile,
+      apiUrlOverride: program2.opts().apiUrl,
+      verbose: program2.opts().verbose
+    });
+  }
+  function isJson() {
+    return !!program2.opts().json;
+  }
+  cmd.command("discover").description("Discover tools from an MCP server").option("--url <serverUrl>", "Direct MCP Streamable HTTP URL").option("--connection <connectionId>", "Martha connection UUID").option("--connection-ref <connectionRef>", "Martha connection reference").option("--force-refresh", "Bypass cached discovery").action(async (opts) => {
+    const ctx = getCtx();
+    const body = buildLocatorBody(opts);
+    if (opts.forceRefresh)
+      body.force_refresh = true;
+    let result;
+    try {
+      result = await ctx.api.post("/api/admin/mcp/discover", body);
+    } catch (err) {
+      const authorizationUrl = mcpOAuthAuthorizationUrl(err);
+      if (!authorizationUrl)
+        throw err;
+      const payload = {
+        code: "mcp_oauth_authorization_required",
+        authorization_url: authorizationUrl
+      };
+      if (isJson()) {
+        console.log(JSON.stringify(payload, null, 2));
+      } else {
+        console.log(source_default.yellow("MCP OAuth authorization required"));
+        console.log(authorizationUrl);
+      }
+      return;
+    }
+    if (isJson()) {
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+    console.log(source_default.bold(`MCP tools: ${result.server_url}`));
+    for (const tool of result.tools) {
+      console.log(`  ${source_default.cyan(tool.name)} ${source_default.dim(tool.description ?? "")}`);
+    }
+    if (result.cached)
+      console.log(source_default.dim(`
+(cache hit)`));
+  });
+  cmd.command("call <tool>").description("Call an MCP tool through a temporary Martha workflow").option("--url <serverUrl>", "Direct MCP Streamable HTTP URL").option("--connection <connectionId>", "Martha connection UUID").option("--connection-ref <connectionRef>", "Martha connection reference").option("--input <json>", "JSON argument object", "{}").option("--timeout <seconds>", "Wait timeout in seconds", "60").action(async (tool, opts) => {
+    const ctx = getCtx();
+    let input;
+    try {
+      input = JSON.parse(opts.input);
+    } catch {
+      throw new CLIError("Invalid JSON in --input", 4 /* Validation */);
+    }
+    if (!input || typeof input !== "object" || Array.isArray(input)) {
+      throw new CLIError("--input must be a JSON object", 4 /* Validation */);
+    }
+    const timeoutSec = Number.parseInt(opts.timeout, 10);
+    if (!Number.isFinite(timeoutSec) || timeoutSec < 1) {
+      throw new CLIError("--timeout must be a positive integer", 4 /* Validation */);
+    }
+    const workflowName = temporaryWorkflowName(tool);
+    const definition = buildTemporaryWorkflow(workflowName, tool, input, opts);
+    try {
+      await ctx.api.post("/api/admin/definitions/workflows", definition);
+      let execution = await ctx.api.post(`/api/admin/workflows/${encodeURIComponent(workflowName)}/test`, { user_inputs: {}, acknowledge_side_effects: true });
+      if (execution.status === "warning_required") {
+        execution = await ctx.api.post(`/api/admin/workflows/${encodeURIComponent(workflowName)}/test`, { user_inputs: {}, acknowledge_side_effects: true });
+      }
+      if (!execution.execution_id) {
+        throw new CLIError("No execution ID returned", 1 /* Error */);
+      }
+      const final = await pollExecution(ctx, execution.execution_id, timeoutSec * 1000);
+      if (final.status !== "completed") {
+        throw new CLIError(`MCP workflow ${final.status}: ${final.error_message ?? "unknown error"}`, 1 /* Error */);
+      }
+      const output = extractMCPOutput(final);
+      if (isJson()) {
+        console.log(JSON.stringify(output, null, 2));
+      } else {
+        console.log(JSON.stringify(output, null, 2));
+      }
+    } finally {
+      await ctx.api.del(`/api/admin/definitions/workflows/${encodeURIComponent(workflowName)}?hard=true`).catch(() => {
+        return;
+      });
+    }
+  });
+}
+function mcpOAuthAuthorizationUrl(err) {
+  if (!(err instanceof MarthaAPIError) || err.status !== 428)
+    return null;
+  const body = err.body;
+  if (!body || typeof body !== "object")
+    return null;
+  const detail = body.detail;
+  if (!detail || typeof detail !== "object")
+    return null;
+  const nested = detail;
+  if (nested.code !== "mcp_oauth_authorization_required")
+    return null;
+  return typeof nested.authorization_url === "string" ? nested.authorization_url : null;
+}
+function buildLocatorBody(opts) {
+  const body = {};
+  if (opts.url)
+    body.server_url = opts.url;
+  if (opts.connection)
+    body.connection_id = opts.connection;
+  if (opts.connectionRef)
+    body.connection_ref = opts.connectionRef;
+  if (!body.server_url && !body.connection_id && !body.connection_ref) {
+    throw new CLIError("Provide --url, --connection, or --connection-ref", 4 /* Validation */);
+  }
+  return body;
+}
+function temporaryWorkflowName(tool) {
+  const safeTool = tool.toLowerCase().replace(/[^a-z0-9_]+/g, "_").replace(/^_+|_+$/g, "");
+  return `mcp_call_${safeTool || "tool"}_${Date.now().toString(36)}`;
+}
+function buildTemporaryWorkflow(name, tool, input, opts) {
+  const mcpConfig = {
+    tool_name: tool,
+    input_mapping: input
+  };
+  if (opts.url)
+    mcpConfig.server_url = opts.url;
+  if (opts.connection)
+    mcpConfig.connection_id = opts.connection;
+  if (opts.connectionRef)
+    mcpConfig.connection_ref = opts.connectionRef;
+  return {
+    name,
+    description: "Temporary MCP tool invocation generated by martha mcp call",
+    nodes: [
+      { id: "start", type: "start", config: {} },
+      { id: "mcp", type: "mcp_client", config: mcpConfig },
+      { id: "end", type: "end", config: {} }
+    ],
+    edges: [
+      { source: "start", target: "mcp" },
+      { source: "mcp", target: "end" }
+    ],
+    timeout_seconds: 120
+  };
+}
+async function pollExecution(ctx, executionId, timeoutMs) {
+  const started = Date.now();
+  let last;
+  while (Date.now() - started < timeoutMs) {
+    last = await ctx.api.get(`/api/admin/executions/${encodeURIComponent(executionId)}`);
+    if (["completed", "failed", "cancelled", "timeout"].includes(last.status)) {
+      return last;
+    }
+    await new Promise((resolve) => setTimeout(resolve, 1000));
+  }
+  throw new CLIError(`Timed out waiting for MCP workflow execution ${executionId}`, 1 /* Error */, last ? `Last status: ${last.status}` : undefined);
+}
+function extractMCPOutput(status) {
+  const stepResults = status.step_results ?? {};
+  const mcpStep = stepResults.mcp;
+  if (!mcpStep) {
+    throw new CLIError("MCP step result not found", 1 /* Error */);
+  }
+  const output = mcpStep.output;
+  if (output && typeof output === "object" && "output" in output) {
+    return output.output;
+  }
+  return output;
+}
 // src/commands/init.ts
 import readline from "node:readline/promises";
 init_config();
@@ -17379,23 +17583,47 @@ var PRESETS = {
     keycloak_realm: "frank"
   }
 };
+var VALID_INTENTS = ["rag", "documents", "workflows", "custom"];
+var INTENT_HELP = {
+  rag: "retrieve from collections (query, search, read)",
+  documents: "browse + fetch documents",
+  workflows: "execute workflows (grants the workflows + the rag read set)",
+  custom: "pick exact functions / workflows yourself"
+};
 async function prompt2(rl, question, fallback) {
   const answer = await rl.question(`  ${question} ${source_default.dim(`[${fallback}]`)} `);
   return answer.trim() || fallback;
 }
+function normalizeList(values) {
+  if (!values)
+    return [];
+  return values.flatMap((v) => v.split(/[,\s]+/)).map((v) => v.trim()).filter(Boolean);
+}
+function parseIntents(raw) {
+  const out = [];
+  for (const v of raw) {
+    if (!VALID_INTENTS.includes(v)) {
+      throw new CLIError(`Unknown intent '${v}'. Valid: ${VALID_INTENTS.join(", ")}.`, 4 /* Validation */);
+    }
+    if (!out.includes(v))
+      out.push(v);
+  }
+  return out;
+}
 async function initCommand(opts) {
   const presetKey = opts.preset ?? "cloud";
   const preset = PRESETS[presetKey];
   if (!preset) {
     throw new CLIError(`Unknown preset: ${presetKey}. Choose one of: ${Object.keys(PRESETS).join(", ")}.`, 4 /* Validation */);
   }
+  const jsonMode = !!opts.json;
   const profileName = opts.name ?? presetKey;
   const config = loadConfig();
   if (config.profiles[profileName] && !opts.force) {
-    throw new CLIError(`Profile ${source_default.cyan(profileName)} already exists. Re-run with --force to overwrite, or pass --profile <name> to add a new one.`, 5 /* Conflict */);
+    throw new CLIError(`Profile ${source_default.cyan(profileName)} already exists. Re-run with --force to overwrite, or pass --name <name> to add a new one.`, 5 /* Conflict */);
   }
-  const interactive = !opts.noInteractive && process.stdin.isTTY && !opts.apiUrl && !opts.keycloakUrl && !opts.keycloakRealm;
-  let profile = {
+  const interactive = !opts.noInteractive && !jsonMode && !!process.stdin.isTTY && !opts.apiUrl && !opts.keycloakUrl && !opts.keycloakRealm;
+  const profile = {
     api_url: opts.apiUrl ?? preset.api_url,
     keycloak_url: opts.keycloakUrl ?? preset.keycloak_url,
     keycloak_realm: opts.keycloakRealm ?? preset.keycloak_realm,
@@ -17424,22 +17652,226 @@ Martha CLI — first-run setup
   config.profiles[profileName] = profile;
   config.current_profile = profileName;
   saveConfig(config);
+  if (!jsonMode) {
+    console.log();
+    console.log(source_default.green(`Profile saved.
+`));
+    console.log(`  Profile:     ${source_default.cyan(profileName)}`);
+    console.log(`  API URL:     ${profile.api_url}`);
+    console.log(`  Keycloak:    ${profile.keycloak_url}`);
+    console.log(`  Realm:       ${profile.keycloak_realm}`);
+  }
+  const bootstrapResult = await maybeBootstrap(opts, profileName, interactive, jsonMode);
+  if (jsonMode) {
+    console.log(JSON.stringify({
+      profile: { name: profileName, ...profile },
+      bootstrap: bootstrapResult
+    }));
+    return;
+  }
+  if (!bootstrapResult) {
+    console.log();
+    console.log(source_default.dim("  Next:"));
+    console.log(source_default.dim("    martha auth login                    # browser PKCE"));
+    console.log(source_default.dim("    martha init --bootstrap --intent rag # provision access"));
+    console.log(source_default.dim("    martha doctor                        # verify setup"));
+  }
+}
+async function maybeBootstrap(opts, profileName, interactive, jsonMode) {
+  if (!interactive) {
+    if (!opts.bootstrap)
+      return null;
+    if (!opts.yes) {
+      throw new CLIError("Refusing to bootstrap a principal non-interactively without --yes.", 4 /* Validation */, "Re-run with --yes (and --mode / --intent as needed).");
+    }
+  }
+  let run = !!opts.bootstrap;
+  if (interactive && !run) {
+    run = await askYesNo(`
+Provision an access principal now so calls just work?`, true);
+  }
+  if (!run)
+    return null;
+  let mode;
+  if (opts.mode) {
+    if (opts.mode !== "human" && opts.mode !== "integration") {
+      throw new CLIError(`Unknown --mode '${opts.mode}'. Use 'human' or 'integration'.`, 4 /* Validation */);
+    }
+    mode = opts.mode;
+  } else if (interactive) {
+    const choice = await askChoice("  How will you run Martha?", [
+      { key: "1", label: "This machine (you)", value: "human" },
+      {
+        key: "2",
+        label: "An integration / CI (service account)",
+        value: "integration"
+      }
+    ], "1");
+    mode = choice;
+  } else {
+    mode = "human";
+  }
+  let intents = parseIntents(normalizeList(opts.intent));
+  if (intents.length === 0 && interactive) {
+    intents = await askIntents();
+  }
+  let workflows = normalizeList(opts.workflow);
+  let functions = normalizeList(opts.function);
+  if (interactive && (intents.includes("workflows") || intents.includes("custom"))) {
+    if (workflows.length === 0) {
+      workflows = normalizeList([
+        await askLine("  Workflow name(s) to grant (comma-separated, optional): ")
+      ]);
+    }
+  }
+  if (interactive && intents.includes("custom") && functions.length === 0) {
+    functions = normalizeList([
+      await askLine("  Extra function name(s) to grant (comma-separated, optional): ")
+    ]);
+  }
+  if (intents.length === 0 && workflows.length === 0 && functions.length === 0) {
+    throw new CLIError("Nothing to grant: declare at least one --intent (rag/documents/workflows/custom) or a --workflow/--function.", 4 /* Validation */);
+  }
+  const ctx = createContext({ profileOverride: profileName });
+  if (opts.apiUrl)
+    ctx.profile.api_url = opts.apiUrl;
+  await ensureAuthenticated(ctx, interactive, jsonMode);
+  if (!jsonMode) {
+    console.log();
+    console.log(source_default.dim(`  Provisioning ${mode === "integration" ? "an integration service account" : "your access principal"}…`));
+  }
+  const body = {
+    mode,
+    intents,
+    workflows,
+    functions,
+    ...opts.label ? { label: opts.label } : {}
+  };
+  const resp = await ctx.api.post("/api/admin/definitions/principals/bootstrap", body);
+  if (mode === "human" && resp.client_key) {
+    const cfg = loadConfig();
+    if (cfg.profiles[profileName]) {
+      cfg.profiles[profileName].default_client = resp.client_key;
+      saveConfig(cfg);
+    }
+  }
+  if (!jsonMode)
+    printBootstrapResult(resp, profileName);
+  return resp;
+}
+async function ensureAuthenticated(ctx, interactive, jsonMode) {
+  try {
+    await ctx.getTenantId();
+    return;
+  } catch {}
+  if (!interactive || jsonMode) {
+    throw new CLIError("Not authenticated.", 2 /* Auth */, "Run `martha auth login` first (or set MARTHA_TOKEN / MARTHA_CLIENT_ID+SECRET), then re-run with --bootstrap.");
+  }
   console.log();
-  console.log(source_default.green(`Profile saved.
+  const tokens = await loginPKCE({
+    keycloakUrl: ctx.profile.keycloak_url,
+    realm: ctx.profile.keycloak_realm,
+    onAuthUrl: (url) => {
+      console.log("Opening browser for login...");
+      console.log(source_default.dim(`If the browser doesn't open, visit:
 `));
-  console.log(`  Profile:     ${source_default.cyan(profileName)}`);
-  console.log(`  API URL:     ${profile.api_url}`);
-  console.log(`  Keycloak:    ${profile.keycloak_url}`);
-  console.log(`  Realm:       ${profile.keycloak_realm}`);
+      console.log(`  ${source_default.dim(url)}
+`);
+    }
+  });
+  ctx.tokenStore.saveTokens(ctx.profileName, tokens);
+  console.log(source_default.green("Logged in") + (tokens.username ? ` as ${source_default.bold(tokens.username)}` : ""));
+  await ctx.getTenantId();
+}
+function printBootstrapResult(resp, profileName) {
   console.log();
-  console.log(source_default.dim("  Next:"));
-  console.log(source_default.dim("    martha auth login                    # browser PKCE"));
-  console.log(source_default.dim("    martha auth login --service-account  # CI/agent"));
-  console.log(source_default.dim("    martha doctor                        # verify setup"));
+  const verb = resp.adopted ? "Using existing" : "Created";
+  console.log(source_default.green(`${verb} client ${source_default.bold(resp.client_name)} (#${resp.client_id}).`));
+  if (resp.granted_functions.length > 0) {
+    console.log(`  Granted functions: ${source_default.cyan(resp.granted_functions.join(", "))}`);
+  }
+  if (resp.granted_workflows.length > 0) {
+    console.log(`  Granted workflows: ${source_default.cyan(resp.granted_workflows.join(", "))}`);
+  }
+  if (resp.granted_functions.length === 0 && resp.granted_workflows.length === 0) {
+    console.log(source_default.yellow("  No grants applied."));
+  }
+  for (const s of resp.skipped) {
+    console.log(source_default.yellow(`  Skipped ${s.name} — ${s.reason}`));
+  }
+  if (resp.service_account) {
+    const sa = resp.service_account;
+    console.log();
+    console.log(source_default.bold("  Service-account credentials (shown once — store them now):"));
+    console.log();
+    console.log(`    export MARTHA_CLIENT_ID=${sa.client_id}`);
+    console.log(`    export MARTHA_CLIENT_SECRET=${sa.client_secret}`);
+    console.log();
+    console.log(source_default.dim(`    token endpoint: ${sa.token_endpoint}`));
+    console.log(source_default.dim("    Then: martha auth login --service-account  (in your CI environment)"));
+  } else {
+    console.log(source_default.dim(`  Profile ${source_default.cyan(profileName)} will now run as this client.`));
+    console.log();
+    console.log(source_default.dim("  Next:"));
+    console.log(source_default.dim("    martha workflows list"));
+    console.log(source_default.dim("    martha workflows execute <name> --inputs '{}'"));
+  }
+}
+async function askYesNo(message, fallbackYes) {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  try {
+    const hint = fallbackYes ? "[Y/n]" : "[y/N]";
+    const answer = (await rl.question(`${message} ${source_default.dim(hint)} `)).trim().toLowerCase();
+    if (!answer)
+      return fallbackYes;
+    return answer === "y" || answer === "yes";
+  } finally {
+    rl.close();
+  }
+}
+async function askLine(message) {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  try {
+    return (await rl.question(message)).trim();
+  } finally {
+    rl.close();
+  }
+}
+async function askChoice(message, choices, fallbackKey) {
+  console.log(message);
+  for (const c of choices)
+    console.log(`    ${c.key}) ${c.label}`);
+  const ans = await askLine(`  Choose ${source_default.dim(`[${fallbackKey}]`)} `);
+  const key = ans || fallbackKey;
+  const found = choices.find((c) => c.key === key || c.value === key);
+  if (!found) {
+    throw new CLIError(`Invalid choice '${key}'.`, 4 /* Validation */);
+  }
+  return found.value;
+}
+async function askIntents() {
+  console.log(`
+  How will you use Martha? (comma-separated)`);
+  VALID_INTENTS.forEach((intent, i) => {
+    console.log(`    ${i + 1}) ${intent} — ${source_default.dim(INTENT_HELP[intent])}`);
+  });
+  const ans = await askLine("  Select [1] ");
+  const raw = (ans || "1").split(/[,\s]+/).map((t) => t.trim()).filter(Boolean).map((t) => {
+    const n = Number(t);
+    return Number.isInteger(n) && n >= 1 && n <= VALID_INTENTS.length ? VALID_INTENTS[n - 1] : t;
+  });
+  return parseIntents(raw);
 }
 function registerInitCommand(program2) {
-  program2.command("init").description("Create or update a profile in ~/.martha/config.yaml").option("--preset <name>", "Preset: cloud or local", "cloud").option("--name <name>", "Profile name (defaults to preset name)").option("--force", "Overwrite an existing profile").option("--api-url <url>", "Override the API URL").option("--keycloak-url <url>", "Override the Keycloak URL").option("--keycloak-realm <realm>", "Override the Keycloak realm").option("--no-interactive", "Skip prompts; use defaults / overrides only").action(async (opts) => {
-    await initCommand(opts);
+  program2.command("init").description("Create or update a profile, and optionally bootstrap an access principal").option("--preset <name>", "Preset: cloud or local", "cloud").option("--name <name>", "Profile name (defaults to preset name)").option("--force", "Overwrite an existing profile").option("--api-url <url>", "Override the API URL").option("--keycloak-url <url>", "Override the Keycloak URL").option("--keycloak-realm <realm>", "Override the Keycloak realm").option("--no-interactive", "Skip prompts; use defaults / overrides only").option("--bootstrap", "Provision an intent-scoped principal + grants after saving the profile").option("--mode <mode>", "Bootstrap mode: 'human' (your own client) or 'integration' (service account)").option("--intent <intents...>", "Usage buckets to grant: rag, documents, workflows, custom").option("--workflow <names...>", "Workflow name(s) to grant (workflows/custom intent)").option("--function <names...>", "Extra function name(s) to grant (custom intent)").option("--label <name>", "Integration mode: label for the SA client id").option("--yes", "Acknowledge non-interactive bootstrap side effects").action(async (opts, command) => {
+    const globals = command.parent?.opts() ?? {};
+    await initCommand({ ...opts, json: !!globals.json });
   });
 }
@@ -17779,6 +18211,7 @@ registerMessagingCommands(program2);
 registerClientCommands(program2);
 registerModelsCommand(program2);
 registerSessionCommands(program2);
+registerMCPCommands(program2);
 registerInitCommand(program2);
 registerDoctorCommand(program2);
 registerSkillCommand(program2);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aiaiai-pt/martha-cli",
-  "version": "0.7.0",
+  "version": "0.9.0",
   "description": "Terminal-first client for the Martha AI platform",
   "homepage": "https://docs.martha.nomadriver.co",
   "repository": {