@aidecisionops/decisionops 0.1.0

package/dist/cli.js

@@ -0,0 +1,950 @@
+#!/usr/bin/env node
+import fs from "node:fs";
+import path from "node:path";
+import process from "node:process";
+import { Command } from "commander";
+import { z } from "zod";
+import { clearAuthState, defaultApiBaseUrl, defaultClientId, defaultScopes, ensureValidAuthState, isExpired, loginWithPkce, readAuthState, revokeAuthState, saveTokenAuthState, } from "./core/auth.js";
+import { DecisionOpsApiError, loadProjectRepositories, loadUserContext } from "./core/controlPlane.js";
+import { inferDefaultBranch, inferRepoRef, resolveRepoPath } from "./core/git.js";
+import { buildPlatforms, cleanupPlatforms, installPlatforms } from "./core/installer.js";
+import { readManifest, writeManifest } from "./core/manifest.js";
+import { loadPlatforms, resolveInstallPath } from "./core/platforms.js";
+import { DEFAULT_MCP_SERVER_NAME, DEFAULT_MCP_SERVER_URL, DEFAULT_OUTPUT_DIR, DEFAULT_PLATFORMS_DIR, DEFAULT_SKILL_NAME, DEFAULT_SOURCE_DIR, PLACEHOLDER_ORG_ID, PLACEHOLDER_PROJECT_ID, PLACEHOLDER_REPO_REF, } from "./core/runtime.js";
+import { promptConfirm, promptSelect, promptText } from "./ui/prompts.js";
+const program = new Command();
+program
+    .name("decisionops")
+    .description("Decision Ops CLI")
+    .version("0.1.0");
+function isInteractive() {
+    return Boolean(process.stdin.isTTY && process.stdout.isTTY);
+}
+function parseScopes(raw) {
+    if (!raw) {
+        return undefined;
+    }
+    return raw
+        .split(/[,\s]+/)
+        .map((value) => value.trim())
+        .filter(Boolean);
+}
+function authDisplay(auth) {
+    const identity = auth.user?.email || auth.user?.name || auth.user?.id || "unknown";
+    const expiry = auth.expiresAt ? `${auth.expiresAt}${isExpired(auth) ? " (expired)" : ""}` : "session";
+    return `${identity} via ${auth.method} • ${expiry}`;
+}
+function normalizeRepoRef(value) {
+    let normalized = value.trim().replace(/\/+$/, "").replace(/\.git$/i, "");
+    for (const prefix of ["git@github.com:", "https://github.com/", "http://github.com/", "ssh://git@github.com/"]) {
+        if (normalized.startsWith(prefix)) {
+            normalized = normalized.slice(prefix.length);
+            break;
+        }
+    }
+    return normalized;
+}
+function inferRepoId(repoRef) {
+    if (!repoRef) {
+        return undefined;
+    }
+    const normalized = normalizeRepoRef(repoRef);
+    return /^[^/\s]+\/[^/\s]+$/.test(normalized) ? normalized : undefined;
+}
+function detectRepoRef(repoPath) {
+    try {
+        return normalizeRepoRef(inferRepoRef(repoPath));
+    }
+    catch {
+        return undefined;
+    }
+}
+function normalizeApiBaseUrl(value) {
+    return String(value ?? process.env.DECISIONOPS_API_BASE_URL ?? defaultApiBaseUrl())
+        .trim()
+        .replace(/\/+$/, "");
+}
+async function runLogin(flags) {
+    const scopes = parseScopes(flags.scopes);
+    const authOptions = {
+        apiBaseUrl: flags.apiBaseUrl,
+        issuerUrl: flags.issuerUrl,
+        clientId: flags.clientId,
+        audience: flags.audience,
+        scopes,
+    };
+    if (flags.clear) {
+        const current = readAuthState();
+        if (current) {
+            await revokeAuthState(current);
+        }
+        clearAuthState();
+        console.log("Cleared saved auth state.");
+        return;
+    }
+    if (flags.withToken) {
+        const token = flags.token ?? (isInteractive()
+            ? await promptText({
+                title: "Paste your Decision Ops access token",
+                chrome: {
+                    eyebrow: "Auth",
+                    description: "Use this fallback for automation or environments where browser OAuth login is unavailable.",
+                },
+                placeholder: "dop_...",
+                secret: true,
+                validate: (value) => (value.length > 0 ? null : "Token is required."),
+            })
+            : "");
+        if (!token) {
+            throw new Error("Token is required. Pass --token in non-interactive mode.");
+        }
+        const result = saveTokenAuthState({ ...authOptions, token });
+        console.log(`Saved auth token -> ${result.storagePath}`);
+        return;
+    }
+    let method;
+    if (flags.web) {
+        method = "web";
+    }
+    else if (!isInteractive()) {
+        throw new Error("Choose --web or --with-token in non-interactive mode.");
+    }
+    else {
+        method = await promptSelect("Choose a login method", [
+            {
+                label: "Browser login",
+                value: "web",
+                description: "Open the DecisionOps sign-in page in your browser and complete OAuth there.",
+            },
+            {
+                label: "Paste token",
+                value: "token",
+                description: "Fallback for automation or environments without interactive OAuth support.",
+            },
+        ], {
+            eyebrow: "Auth",
+            description: "DecisionOps uses OAuth for CLI sessions. Browser login is the primary path.",
+            footer: `Client: ${flags.clientId ?? defaultClientId()} • Scopes: ${(scopes ?? defaultScopes()).join(" ")}`,
+        });
+        if (method === "token") {
+            const result = saveTokenAuthState({
+                ...authOptions,
+                token: await promptText({
+                    title: "Paste your Decision Ops access token",
+                    chrome: {
+                        eyebrow: "Auth",
+                        description: "Use this fallback for automation or environments where browser OAuth login is unavailable.",
+                    },
+                    placeholder: "dop_...",
+                    secret: true,
+                    validate: (value) => (value.length > 0 ? null : "Token is required."),
+                }),
+            });
+            console.log(`Saved auth token -> ${result.storagePath}`);
+            return;
+        }
+    }
+    if (method === "web") {
+        const result = await loginWithPkce({
+            ...authOptions,
+            openBrowser: !(flags.noBrowser ?? false),
+            onAuthorizeUrl: (url) => {
+                if (flags.noBrowser) {
+                    console.log("Open this URL in your browser to continue authentication:");
+                    console.log(url);
+                }
+            },
+        });
+        if (!result.openedBrowser) {
+            if (!flags.noBrowser && result.authorizationUrl) {
+                console.log("Open this URL in your browser to continue authentication:");
+                console.log(result.authorizationUrl);
+            }
+        }
+        else {
+            console.log("Browser login started.");
+        }
+        console.log(`Saved session -> ${result.storagePath}`);
+        console.log(`Authenticated as ${authDisplay(result.state)}`);
+        return;
+    }
+}
+function printInstallResult(result) {
+    console.log("");
+    console.log("=== Install summary ===");
+    console.log("");
+    if (result.manifestPath) {
+        console.log(result.placeholdersUsed
+            ? `  Manifest (placeholder): ${result.manifestPath}`
+            : `  Manifest: ${result.manifestPath}`);
+    }
+    for (const entry of result.installedSkills) {
+        console.log(`  Skill installed: ${entry.target} (${entry.platformId})`);
+    }
+    for (const entry of result.installedMcp) {
+        console.log(`  MCP config written: ${entry.target} (${entry.platformId})`);
+    }
+    for (const entry of result.skippedMcp) {
+        console.log(`  MCP config skipped: ${entry.platformId} — ${entry.reason}`);
+    }
+    if (result.installedMcp.length > 0 || result.installedSkills.length > 0) {
+        console.log("");
+        console.log("=== Next steps (complete these in your IDE) ===");
+        console.log("");
+        console.log("The CLI wrote config files to disk, but your IDE needs to pick them up.");
+        console.log("");
+        console.log("  1. Open (or restart) your IDE in the target repository.");
+        for (const entry of result.installedMcp) {
+            console.log(`     → ${entry.platformId}: verify MCP server at ${entry.target}`);
+        }
+        console.log("  2. Invoke any DecisionOps MCP tool once to trigger the auth handoff.");
+        console.log("  3. Complete the sign-in flow prompted by the MCP server.");
+        console.log("  4. Retry the same tool call — you're live.");
+        console.log("");
+        console.log("Note: `decisionops login` authenticates CLI commands only.");
+        console.log("IDE MCP auth is a separate session completed from inside the IDE.");
+    }
+    if (result.authHandoffPath) {
+        console.log("");
+        console.log(`Detailed auth handoff steps: ${result.authHandoffPath}`);
+    }
+    console.log("");
+}
+function printCleanupResult(result) {
+    console.log("");
+    console.log("=== Cleanup summary ===");
+    console.log("");
+    for (const entry of result.removedSkills) {
+        console.log(`  Skill removed: ${entry.target} (${entry.platformId})`);
+    }
+    for (const entry of result.skippedSkills) {
+        console.log(`  Skill skipped: ${entry.platformId} — ${entry.reason}`);
+    }
+    for (const entry of result.removedMcp) {
+        console.log(`  MCP config removed: ${entry.target} (${entry.platformId})`);
+    }
+    for (const entry of result.skippedMcp) {
+        console.log(`  MCP config skipped: ${entry.platformId} — ${entry.reason}`);
+    }
+    if (result.removedManifestPath) {
+        console.log(`  Manifest removed: ${result.removedManifestPath}`);
+    }
+    if (result.removedAuthHandoffPath) {
+        console.log(`  Auth handoff removed: ${result.removedAuthHandoffPath}`);
+    }
+    if (result.removedMcp.length > 0) {
+        console.log("");
+        console.log("Restart your IDE to stop using the removed MCP server.");
+    }
+    console.log("");
+}
+function addInstallFlags(command) {
+    return command
+        .option("-p, --platform <id>", "Select a platform to install", collectValues, [])
+        .option("--repo-path <path>")
+        .option("--api-base-url <url>", "Decision Ops API base URL", defaultApiBaseUrl())
+        .option("--org-id <orgId>")
+        .option("--project-id <projectId>")
+        .option("--repo-ref <repoRef>")
+        .option("--repo-id <repoId>")
+        .option("--default-branch <branch>")
+        .option("--user-session-token <token>", "Decision Ops user session token for interactive org/project discovery")
+        .option("--allow-placeholders", "Allow placeholder manifest values for local prototyping")
+        .option("--skip-manifest", "Do not write .decisionops/manifest.toml")
+        .option("--skip-skill", "Do not install skill bundles")
+        .option("--skip-mcp", "Do not install MCP config")
+        .option("--output-dir <path>", "Build output directory", DEFAULT_OUTPUT_DIR)
+        .option("--source-dir <path>", "Skill source directory", DEFAULT_SOURCE_DIR)
+        .option("--skill-name <name>", "Skill bundle name", DEFAULT_SKILL_NAME)
+        .option("--server-name <name>", "MCP server name", DEFAULT_MCP_SERVER_NAME)
+        .option("--server-url <url>", "MCP server URL", DEFAULT_MCP_SERVER_URL)
+        .option("-y, --yes", "Accept interactive defaults");
+}
+function collectValues(value, previous) {
+    previous.push(value);
+    return previous;
+}
+async function choosePlatforms(initialPlatformIds, action = "install") {
+    if (initialPlatformIds && initialPlatformIds.length > 0) {
+        return initialPlatformIds;
+    }
+    if (!isInteractive()) {
+        throw new Error("No platform selected. Use --platform in non-interactive mode.");
+    }
+    const platforms = Object.values(loadPlatforms(DEFAULT_PLATFORMS_DIR));
+    const chosen = new Set();
+    let addAnother = true;
+    while (addAnother) {
+        const platformId = await promptSelect(action === "install" ? "Choose a platform to install" : "Choose a platform to clean up", platforms.map((platform) => ({
+            label: platform.display_name,
+            value: platform.id,
+            description: `Target id: ${platform.id}`,
+        })), {
+            eyebrow: action === "install" ? "Install" : "Cleanup",
+            description: action === "install"
+                ? "Select where DecisionOps should register its skill bundle and MCP configuration."
+                : "Select which platform integration should be removed from this machine/repository.",
+            footer: chosen.size > 0 ? `Already selected: ${[...chosen].join(", ")}` : undefined,
+        });
+        chosen.add(platformId);
+        const remaining = platforms.filter((platform) => !chosen.has(platform.id));
+        if (remaining.length === 0) {
+            break;
+        }
+        addAnother = await promptConfirm("Add another platform?", false, {
+            eyebrow: action === "install" ? "Install" : "Cleanup",
+            description: action === "install"
+                ? "Choose more than one platform if you want to register DecisionOps across multiple local agent runtimes."
+                : "Choose more than one platform if you want to remove DecisionOps integrations across multiple runtimes.",
+        });
+    }
+    return [...chosen];
+}
+async function chooseManifestSetupMode(allowPlaceholders) {
+    const options = [
+        {
+            label: "Load from DecisionOps",
+            value: "remote",
+            description: "Browse organizations, projects, and project repositories using a DecisionOps user session token.",
+        },
+        {
+            label: "Enter IDs manually",
+            value: "manual",
+            description: "Paste org_id, project_id, and repo_ref yourself.",
+        },
+    ];
+    if (allowPlaceholders) {
+        options.push({
+            label: "Use placeholders",
+            value: "placeholder",
+            description: "Write sample values for local prototyping only.",
+        });
+    }
+    return await promptSelect("Choose manifest setup mode", options, {
+        eyebrow: "Init",
+        description: "Select where the repository binding values should come from.",
+    });
+}
+async function resolveManualRepoBinding(repoPath, flags, detectedRepoRef) {
+    if (flags.repoRef) {
+        const repoRef = normalizeRepoRef(flags.repoRef);
+        return { repoRef, repoId: flags.repoId ?? inferRepoId(repoRef) };
+    }
+    if (!isInteractive()) {
+        if (detectedRepoRef) {
+            return { repoRef: detectedRepoRef, repoId: flags.repoId ?? inferRepoId(detectedRepoRef) };
+        }
+        if (flags.allowPlaceholders ?? false) {
+            return { repoRef: PLACEHOLDER_REPO_REF, repoId: flags.repoId ?? PLACEHOLDER_REPO_REF };
+        }
+        throw new Error("Could not infer repo_ref from git remote. Pass --repo-ref or use --allow-placeholders for local prototyping.");
+    }
+    if (detectedRepoRef) {
+        const useDetected = await promptConfirm(`Use detected repo_ref ${detectedRepoRef}?`, true, {
+            eyebrow: "Init",
+            description: `Detected from git remote for ${repoPath}. Choose No to enter a different repository binding.`,
+        });
+        if (useDetected) {
+            return { repoRef: detectedRepoRef, repoId: flags.repoId ?? inferRepoId(detectedRepoRef) };
+        }
+    }
+    const repoRef = normalizeRepoRef(await promptText({
+        title: "Decision Ops repo_ref",
+        chrome: {
+            eyebrow: "Init",
+            description: "Choose the repository reference this manifest should bind to.",
+            footer: detectedRepoRef ? `Detected from git remote: ${detectedRepoRef}` : undefined,
+        },
+        defaultValue: detectedRepoRef,
+        placeholder: (flags.allowPlaceholders ?? false) ? PLACEHOLDER_REPO_REF : "owner/repo",
+        validate: (value) => (value.trim().length > 0 ? null : "repo_ref is required."),
+    }));
+    return { repoRef, repoId: flags.repoId ?? inferRepoId(repoRef) };
+}
+async function resolveRemoteRepoBinding(options) {
+    const { detectedRepoRef, flags, projectName, repositories } = options;
+    if (flags.repoRef) {
+        const repoRef = normalizeRepoRef(flags.repoRef);
+        return { repoRef, repoId: flags.repoId ?? inferRepoId(repoRef) };
+    }
+    if (!isInteractive()) {
+        if (detectedRepoRef) {
+            return { repoRef: detectedRepoRef, repoId: flags.repoId ?? inferRepoId(detectedRepoRef) };
+        }
+        if (repositories.length === 1) {
+            const repoRef = normalizeRepoRef(repositories[0] ?? "");
+            return { repoRef, repoId: flags.repoId ?? inferRepoId(repoRef) };
+        }
+        if (flags.allowPlaceholders ?? false) {
+            return { repoRef: PLACEHOLDER_REPO_REF, repoId: flags.repoId ?? PLACEHOLDER_REPO_REF };
+        }
+        throw new Error("--repo-ref is required when no single repository binding can be inferred. Pass --repo-ref or use --allow-placeholders for local prototyping.");
+    }
+    const optionsList = [];
+    const seen = new Set();
+    if (detectedRepoRef) {
+        seen.add(detectedRepoRef);
+        optionsList.push({
+            label: `Detected current repo (${detectedRepoRef})`,
+            value: { kind: "repo", repoRef: detectedRepoRef },
+            description: repositories.includes(detectedRepoRef)
+                ? "Detected from git remote and already assigned to the selected project."
+                : "Detected from git remote for the current checkout.",
+        });
+    }
+    for (const repository of repositories) {
+        const repoRef = normalizeRepoRef(repository);
+        if (!repoRef || seen.has(repoRef)) {
+            continue;
+        }
+        seen.add(repoRef);
+        optionsList.push({
+            label: repoRef,
+            value: { kind: "repo", repoRef },
+            description: `Already assigned to ${projectName} in DecisionOps.`,
+        });
+    }
+    optionsList.push({
+        label: "Enter repo_ref manually",
+        value: { kind: "manual" },
+        description: "Use a repository binding that is not currently mapped to the selected project.",
+    });
+    if (flags.allowPlaceholders ?? false) {
+        optionsList.push({
+            label: "Use placeholder repo_ref",
+            value: { kind: "placeholder" },
+            description: "For local prototyping only.",
+        });
+    }
+    const choice = await promptSelect("Choose the repository binding", optionsList, {
+        eyebrow: "Init",
+        description: repositories.length > 0
+            ? `${projectName} already has ${repositories.length} repository binding${repositories.length === 1 ? "" : "s"} in DecisionOps.`
+            : `${projectName} does not have any repositories assigned in DecisionOps yet.`,
+    });
+    if (choice.kind === "repo") {
+        return { repoRef: choice.repoRef, repoId: flags.repoId ?? inferRepoId(choice.repoRef) };
+    }
+    if (choice.kind === "placeholder") {
+        return { repoRef: PLACEHOLDER_REPO_REF, repoId: flags.repoId ?? PLACEHOLDER_REPO_REF };
+    }
+    const repoRef = normalizeRepoRef(await promptText({
+        title: "Decision Ops repo_ref",
+        chrome: {
+            eyebrow: "Init",
+            description: `Enter the repository reference to bind to ${projectName}.`,
+            footer: detectedRepoRef ? `Detected from git remote: ${detectedRepoRef}` : undefined,
+        },
+        defaultValue: detectedRepoRef,
+        placeholder: "owner/repo",
+        validate: (value) => (value.trim().length > 0 ? null : "repo_ref is required."),
+    }));
+    return { repoRef, repoId: flags.repoId ?? inferRepoId(repoRef) };
+}
+async function collectRemoteManifestValues(repoPath, flags, detectedRepoRef, defaultBranch) {
+    const apiBaseUrl = normalizeApiBaseUrl(flags.apiBaseUrl);
+    const userSessionToken = (flags.userSessionToken ?? process.env.DECISIONOPS_USER_SESSION_TOKEN ?? "").trim() || await promptText({
+        title: "Decision Ops user session token",
+        chrome: {
+            eyebrow: "Init",
+            description: "Paste a DecisionOps user session token to browse your organizations, projects, and repositories.",
+            footer: "This uses /v1/auth/me and /v1/admin/projects/* on the DecisionOps API.",
+        },
+        placeholder: "session_...",
+        secret: true,
+        validate: (value) => (value.trim().length > 0 ? null : "A user session token is required."),
+    });
+    let context;
+    try {
+        context = await loadUserContext({ token: userSessionToken, apiBaseUrl });
+    }
+    catch (error) {
+        if (error instanceof DecisionOpsApiError && error.status === 401) {
+            throw new Error("DecisionOps rejected the user session token. Sign in via the dashboard and paste a valid session token, or pass --org-id/--project-id manually.");
+        }
+        throw error;
+    }
+    if (context.organizations.length === 0) {
+        throw new Error("The current DecisionOps user session is not a member of any organizations.");
+    }
+    const selectedOrganization = flags.orgId
+        ? context.organizations.find((organization) => organization.orgId === flags.orgId)
+        : context.organizations.length === 1
+            ? context.organizations[0]
+            : await promptSelect("Choose a DecisionOps organization", context.organizations.map((organization) => ({
+                label: organization.orgName || organization.orgId,
+                value: organization,
+                description: `${organization.orgId} • role: ${organization.role}`,
+            })), {
+                eyebrow: "Init",
+                description: `Bind ${repoPath} to one of your DecisionOps organizations.`,
+            });
+    if (!selectedOrganization) {
+        throw new Error(`Could not find organization ${flags.orgId} in the current DecisionOps session.`);
+    }
+    const orgContext = await loadUserContext({
+        token: userSessionToken,
+        orgId: selectedOrganization.orgId,
+        apiBaseUrl,
+    });
+    const activeProjects = orgContext.projects.filter((project) => project.status === "active");
+    if (activeProjects.length === 0) {
+        throw new Error(`Organization ${selectedOrganization.orgName || selectedOrganization.orgId} does not have any active projects.`);
+    }
+    const selectedProject = flags.projectId
+        ? activeProjects.find((project) => project.id === flags.projectId)
+        : activeProjects.length === 1
+            ? activeProjects[0]
+            : await promptSelect("Choose a DecisionOps project", activeProjects.map((project) => ({
+                label: project.name,
+                value: project,
+                description: `${project.id}${project.repoCount > 0 ? ` • ${project.repoCount} repos` : ""}${project.isDefault ? " • default" : ""}`,
+            })), {
+                eyebrow: "Init",
+                description: `Select the project inside ${selectedOrganization.orgName || selectedOrganization.orgId}.`,
+            });
+    if (!selectedProject) {
+        throw new Error(`Could not find project ${flags.projectId} in organization ${selectedOrganization.orgId}.`);
+    }
+    const projectRepositories = await loadProjectRepositories({
+        token: userSessionToken,
+        orgId: selectedOrganization.orgId,
+        projectId: selectedProject.id,
+        apiBaseUrl,
+    });
+    const repoBinding = await resolveRemoteRepoBinding({
+        repoPath,
+        detectedRepoRef,
+        flags,
+        projectName: selectedProject.name,
+        repositories: projectRepositories.repositories,
+    });
+    return {
+        orgId: selectedOrganization.orgId,
+        projectId: selectedProject.id,
+        repoRef: repoBinding.repoRef,
+        repoId: flags.repoId ?? repoBinding.repoId,
+        defaultBranch,
+    };
+}
+async function collectManifestValues(repoPath, flags) {
+    const allowPlaceholders = flags.allowPlaceholders ?? false;
+    const detectedRepoRef = flags.repoRef ? normalizeRepoRef(flags.repoRef) : detectRepoRef(repoPath);
+    const defaultBranch = flags.defaultBranch ?? inferDefaultBranch(repoPath);
+    if (flags.orgId && flags.projectId) {
+        const repoBinding = await resolveManualRepoBinding(repoPath, flags, detectedRepoRef);
+        return {
+            orgId: flags.orgId,
+            projectId: flags.projectId,
+            repoRef: repoBinding.repoRef,
+            repoId: flags.repoId ?? repoBinding.repoId,
+            defaultBranch,
+        };
+    }
+    if (!isInteractive()) {
+        if (!allowPlaceholders) {
+            throw new Error("--org-id and --project-id are required when writing a manifest. Pass explicit values, provide --user-session-token in interactive mode, or use --allow-placeholders for local prototyping.");
+        }
+        return {
+            orgId: flags.orgId ?? PLACEHOLDER_ORG_ID,
+            projectId: flags.projectId ?? PLACEHOLDER_PROJECT_ID,
+            repoRef: detectedRepoRef ?? PLACEHOLDER_REPO_REF,
+            repoId: flags.repoId ?? inferRepoId(detectedRepoRef) ?? PLACEHOLDER_REPO_REF,
+            defaultBranch,
+        };
+    }
+    const setupMode = await chooseManifestSetupMode(allowPlaceholders);
+    if (setupMode === "remote") {
+        return await collectRemoteManifestValues(repoPath, flags, detectedRepoRef, defaultBranch);
+    }
+    if (setupMode === "placeholder") {
+        return {
+            orgId: PLACEHOLDER_ORG_ID,
+            projectId: PLACEHOLDER_PROJECT_ID,
+            repoRef: detectedRepoRef ?? PLACEHOLDER_REPO_REF,
+            repoId: flags.repoId ?? inferRepoId(detectedRepoRef) ?? PLACEHOLDER_REPO_REF,
+            defaultBranch,
+        };
+    }
+    const repoBinding = await resolveManualRepoBinding(repoPath, flags, detectedRepoRef);
+    const orgId = flags.orgId ?? await promptText({
+        title: "Decision Ops org_id",
+        chrome: {
+            eyebrow: "Init",
+            description: `Bind repository ${repoPath} to an existing DecisionOps organization.`,
+            footer: `repo_ref: ${repoBinding.repoRef} • default branch: ${defaultBranch}`,
+        },
+        placeholder: allowPlaceholders ? PLACEHOLDER_ORG_ID : undefined,
+        validate: (value) => (value.length > 0 ? null : "org_id is required."),
+    });
+    const projectId = flags.projectId ?? await promptText({
+        title: "Decision Ops project_id",
+        chrome: {
+            eyebrow: "Init",
+            description: "Choose the project this repository should publish decisions into.",
+            footer: `repo_ref: ${repoBinding.repoRef} • default branch: ${defaultBranch}`,
+        },
+        placeholder: allowPlaceholders ? PLACEHOLDER_PROJECT_ID : undefined,
+        validate: (value) => (value.length > 0 ? null : "project_id is required."),
+    });
+    return {
+        orgId,
+        projectId,
+        repoRef: repoBinding.repoRef,
+        repoId: flags.repoId ?? repoBinding.repoId,
+        defaultBranch,
+    };
+}
+program
+    .command("login")
+    .description("Authenticate this machine with DecisionOps")
+    .option("--api-base-url <url>", "Decision Ops API base URL", defaultApiBaseUrl())
+    .option("--issuer-url <url>", "OAuth issuer base URL")
+    .option("--client-id <id>", "OAuth client id", defaultClientId())
+    .option("--audience <value>", "OAuth audience")
+    .option("--scopes <list>", "Comma or space separated OAuth scopes", defaultScopes().join(" "))
+    .option("--web", "Use browser-based PKCE login")
+    .option("--with-token", "Save a raw access token instead of using OAuth")
+    .option("--token <token>", "Access token value for --with-token")
+    .option("--no-browser", "Do not attempt to launch a browser automatically")
+    .option("--clear", "Remove saved login state")
+    .action(async (flags) => {
+    await runLogin(flags);
+});
+program
+    .command("logout")
+    .description("Revoke and remove the local DecisionOps session")
+    .action(async () => {
+    const current = readAuthState();
+    if (!current) {
+        console.log("No DecisionOps session is stored locally.");
+        return;
+    }
+    await revokeAuthState(current);
+    clearAuthState();
+    console.log("Logged out and removed the local session.");
+});
+const authCommand = program.command("auth").description("Inspect or manage the current DecisionOps auth session");
+authCommand
+    .command("status")
+    .description("Show the current auth session")
+    .action(async () => {
+    const current = readAuthState();
+    if (!current) {
+        console.log("Auth: missing");
+        process.exitCode = 1;
+        return;
+    }
+    const auth = await ensureValidAuthState(current);
+    console.log(`Auth: configured`);
+    console.log(`API base URL: ${auth.apiBaseUrl}`);
+    console.log(`Issuer URL: ${auth.issuerUrl}`);
+    console.log(`Client ID: ${auth.clientId}`);
+    console.log(`Method: ${auth.method}`);
+    console.log(`Scopes: ${auth.scopes.join(" ")}`);
+    console.log(`Access token: ${"*".repeat(Math.min(8, auth.accessToken.length))}…`);
+    console.log(`Expires: ${auth.expiresAt ?? "session"}`);
+    if (auth.user?.email || auth.user?.name || auth.user?.id) {
+        console.log(`User: ${auth.user?.email ?? auth.user?.name ?? auth.user?.id}`);
+    }
+});
+program
+    .command("init")
+    .description("Bind the current repository to a Decision Ops project")
+    .option("--repo-path <path>")
+    .option("--api-base-url <url>", "Decision Ops API base URL", defaultApiBaseUrl())
+    .option("--org-id <orgId>")
+    .option("--project-id <projectId>")
+    .option("--repo-ref <repoRef>")
+    .option("--repo-id <repoId>")
+    .option("--default-branch <branch>")
+    .option("--user-session-token <token>", "Decision Ops user session token for interactive org/project discovery")
+    .option("--allow-placeholders", "Allow placeholder manifest values for local prototyping")
+    .option("--server-name <name>", "MCP server name", DEFAULT_MCP_SERVER_NAME)
+    .option("--server-url <url>", "MCP server URL", DEFAULT_MCP_SERVER_URL)
+    .action(async (flags) => {
+    const repoPath = resolveRepoPath(flags.repoPath);
+    if (!repoPath) {
+        throw new Error("Could not determine repository path. Use --repo-path.");
+    }
+    const values = await collectManifestValues(repoPath, flags);
+    const manifestPath = writeManifest(repoPath, {
+        org_id: values.orgId,
+        project_id: values.projectId,
+        repo_ref: values.repoRef,
+        default_branch: values.defaultBranch,
+        mcp_server_name: flags.serverName ?? DEFAULT_MCP_SERVER_NAME,
+        mcp_server_url: flags.serverUrl ?? DEFAULT_MCP_SERVER_URL,
+        repo_id: values.repoId ?? flags.repoId,
+    });
+    console.log(`Wrote manifest: ${manifestPath}`);
+});
+addInstallFlags(program
+    .command("install")
+    .description("Install Decision Ops platform integrations and optionally bind the current repo")).action(async (flags) => {
+    const selectedPlatforms = await choosePlatforms(flags.platform);
+    const repoPath = resolveRepoPath(flags.repoPath);
+    let shouldWriteManifest = !(flags.skipManifest ?? false);
+    let orgId = flags.orgId;
+    let projectId = flags.projectId;
+    let repoRef = flags.repoRef;
+    let repoId = flags.repoId;
+    let defaultBranch = flags.defaultBranch;
+    if (!repoPath) {
+        shouldWriteManifest = false;
+    }
+    else if (!flags.yes && isInteractive() && !flags.repoPath && !flags.orgId && !flags.projectId && !(flags.skipManifest ?? false)) {
+        shouldWriteManifest = await promptConfirm("Also configure the current repository with a Decision Ops manifest?", true, {
+            eyebrow: "Install",
+            description: `Detected repository: ${repoPath}`,
+            footer: "This writes .decisionops/manifest.toml and keeps the install bound to the current repo.",
+        });
+    }
+    if (shouldWriteManifest && repoPath) {
+        const manifestValues = await collectManifestValues(repoPath, flags);
+        orgId = manifestValues.orgId;
+        projectId = manifestValues.projectId;
+        repoRef = manifestValues.repoRef;
+        repoId = manifestValues.repoId ?? repoId;
+        defaultBranch = manifestValues.defaultBranch;
+    }
+    const result = installPlatforms({
+        platformsDir: DEFAULT_PLATFORMS_DIR,
+        selectedPlatforms,
+        repoPath,
+        orgId,
+        projectId,
+        repoRef,
+        repoId,
+        defaultBranch,
+        installSkill: !(flags.skipSkill ?? false),
+        installMcp: !(flags.skipMcp ?? false),
+        writeManifest: shouldWriteManifest,
+        allowPlaceholders: flags.allowPlaceholders,
+        outputDir: flags.outputDir,
+        sourceDir: flags.sourceDir,
+        skillName: flags.skillName,
+        serverName: flags.serverName,
+        serverUrl: flags.serverUrl,
+    });
+    printInstallResult(result);
+});
+program
+    .command("cleanup")
+    .alias("uninstall")
+    .description("Remove installed Decision Ops skills, MCP entries, and local auth state")
+    .option("-p, --platform <id>", "Select a platform to clean up", collectValues, [])
+    .option("--repo-path <path>")
+    .option("--skill-name <name>", "Skill bundle name", DEFAULT_SKILL_NAME)
+    .option("--server-name <name>", "MCP server name", DEFAULT_MCP_SERVER_NAME)
+    .option("--skip-skill", "Do not remove installed skill bundles")
+    .option("--skip-mcp", "Do not remove MCP config entries")
+    .option("--skip-auth", "Do not remove local auth tokens")
+    .option("--remove-manifest", "Also remove .decisionops/manifest.toml from the repository")
+    .option("--remove-auth-handoff", "Also remove .decisionops/auth-handoff.toml from the repository")
+    .action(async (flags) => {
+    const selectedPlatforms = await choosePlatforms(flags.platform, "cleanup");
+    const repoPath = resolveRepoPath(flags.repoPath);
+    const result = cleanupPlatforms({
+        platformsDir: DEFAULT_PLATFORMS_DIR,
+        selectedPlatforms,
+        repoPath,
+        skillName: flags.skillName,
+        serverName: flags.serverName,
+        removeSkill: !(flags.skipSkill ?? false),
+        removeMcp: !(flags.skipMcp ?? false),
+        removeManifest: flags.removeManifest ?? false,
+        removeAuthHandoff: flags.removeAuthHandoff ?? false,
+    });
+    printCleanupResult(result);
+    if (flags.skipAuth ?? false) {
+        console.log("Skipping auth cleanup.");
+        return;
+    }
+    const current = readAuthState();
+    if (!current) {
+        console.log("No local auth state found.");
+        return;
+    }
+    await revokeAuthState(current);
+    clearAuthState();
+    console.log("Removed local auth state.");
+});
+program
+    .command("doctor")
+    .description("Diagnose local Decision Ops setup and suggest fixes")
+    .option("--repo-path <path>")
+    .action(async (flags) => {
+    const repoPath = resolveRepoPath(flags.repoPath);
+    const currentAuth = readAuthState();
+    const auth = currentAuth ? await ensureValidAuthState(currentAuth) : null;
+    const platforms = loadPlatforms(DEFAULT_PLATFORMS_DIR);
+    const issues = [];
+    console.log("");
+    console.log("=== DecisionOps Doctor ===");
+    console.log("");
+    if (auth) {
+        console.log(`  CLI auth: configured (${authDisplay(auth)})`);
+    }
+    else {
+        console.log("  CLI auth: not configured");
+        console.log("    → Run: npx @aidecisionops/decisionops login");
+        issues.push("CLI auth not configured");
+    }
+    if (repoPath) {
+        console.log(`  Repository: ${repoPath}`);
+        const manifest = readManifest(repoPath);
+        if (manifest) {
+            console.log("  Manifest: present");
+            console.log(`    org_id:     ${manifest.org_id ?? "(missing)"}`);
+            console.log(`    project_id: ${manifest.project_id ?? "(missing)"}`);
+            console.log(`    repo_ref:   ${manifest.repo_ref ?? "(missing)"}`);
+            if (!manifest.org_id || !manifest.project_id || !manifest.repo_ref) {
+                issues.push("Manifest is missing required fields (org_id, project_id, or repo_ref)");
+                console.log("    → Run: npx @aidecisionops/decisionops init --repo-path .");
+            }
+        }
+        else {
+            console.log("  Manifest: missing");
+            console.log("    → Run: npx @aidecisionops/decisionops init --repo-path .");
+            issues.push("No .decisionops/manifest.toml found");
+        }
+    }
+    else {
+        console.log("  Repository: not detected (run from a git repo or pass --repo-path)");
+        issues.push("Not inside a git repository");
+    }
+    console.log("");
+    console.log("  Platforms:");
+    const context = {
+        skill_name: DEFAULT_SKILL_NAME,
+        repo_path: repoPath ?? "",
+    };
+    for (const platform of Object.values(platforms)) {
+        const skillPath = platform.skill?.supported ? resolveInstallPath(platform.skill, context) : null;
+        const mcpPath = platform.mcp?.supported ? resolveInstallPath(platform.mcp, context) : null;
+        const skillInstalled = skillPath ? fs.existsSync(skillPath) : false;
+        const mcpInstalled = mcpPath ? fs.existsSync(mcpPath) : false;
+        const skillStatus = !platform.skill?.supported ? "n/a" : skillInstalled ? `installed (${skillPath})` : `not installed (${skillPath})`;
+        const mcpStatus = !platform.mcp?.supported ? "n/a" : mcpInstalled ? `configured (${mcpPath})` : `not configured (${mcpPath})`;
+        console.log(`    ${platform.display_name}:`);
+        console.log(`      Skill: ${skillStatus}`);
+        console.log(`      MCP:   ${mcpStatus}`);
+    }
+    console.log("");
+    if (issues.length === 0) {
+        console.log("  No issues found.");
+    }
+    else {
+        console.log(`  ${issues.length} issue${issues.length === 1 ? "" : "s"} found:`);
+        for (const issue of issues) {
+            console.log(`    - ${issue}`);
+        }
+    }
+    console.log("");
+});
+const platformCommand = program.command("platform").description("Low-level platform registry operations");
+platformCommand
+    .command("list")
+    .description("List supported platforms")
+    .action(() => {
+    for (const platform of Object.values(loadPlatforms(DEFAULT_PLATFORMS_DIR))) {
+        console.log(platform.id);
+    }
+});
+platformCommand
+    .command("build")
+    .description("Build platform bundles into the local build directory")
+    .option("-p, --platform <id>", "Select a platform to build", collectValues, [])
+    .option("--output-dir <path>", "Build output directory", DEFAULT_OUTPUT_DIR)
+    .option("--source-dir <path>", "Skill source directory", DEFAULT_SOURCE_DIR)
+    .option("--skill-name <name>", "Skill bundle name", DEFAULT_SKILL_NAME)
+    .option("--server-name <name>", "MCP server name", DEFAULT_MCP_SERVER_NAME)
+    .option("--server-url <url>", "MCP server URL", DEFAULT_MCP_SERVER_URL)
+    .action((flags) => {
+    const results = buildPlatforms({
+        platformsDir: DEFAULT_PLATFORMS_DIR,
+        selectedPlatforms: flags.platform,
+        outputDir: flags.outputDir,
+        sourceDir: flags.sourceDir,
+        skillName: flags.skillName,
+        serverName: flags.serverName,
+        serverUrl: flags.serverUrl,
+    });
+    for (const result of results) {
+        console.log(`Built ${result.platformId} -> ${result.outputPath}`);
+    }
+});
+platformCommand
+    .command("install")
+    .description("Low-level install path matching the legacy installer")
+    .option("-p, --platform <id>", "Select a platform to install", collectValues, [])
+    .option("--repo-path <path>")
+    .option("--org-id <orgId>")
+    .option("--project-id <projectId>")
+    .option("--repo-ref <repoRef>")
+    .option("--repo-id <repoId>")
+    .option("--default-branch <branch>")
+    .option("--allow-placeholders", "Allow placeholder manifest values for local prototyping")
+    .option("--skip-manifest")
+    .option("--skip-skill")
+    .option("--skip-mcp")
+    .option("--output-dir <path>", "Build output directory", DEFAULT_OUTPUT_DIR)
+    .option("--source-dir <path>", "Skill source directory", DEFAULT_SOURCE_DIR)
+    .option("--skill-name <name>", "Skill bundle name", DEFAULT_SKILL_NAME)
+    .option("--server-name <name>", "MCP server name", DEFAULT_MCP_SERVER_NAME)
+    .option("--server-url <url>", "MCP server URL", DEFAULT_MCP_SERVER_URL)
+    .action((flags) => {
+    const result = installPlatforms({
+        platformsDir: DEFAULT_PLATFORMS_DIR,
+        selectedPlatforms: flags.platform,
+        repoPath: flags.repoPath ? path.resolve(flags.repoPath) : null,
+        orgId: flags.orgId,
+        projectId: flags.projectId,
+        repoRef: flags.repoRef,
+        repoId: flags.repoId,
+        defaultBranch: flags.defaultBranch,
+        installSkill: !(flags.skipSkill ?? false),
+        installMcp: !(flags.skipMcp ?? false),
+        writeManifest: !(flags.skipManifest ?? false),
+        allowPlaceholders: flags.allowPlaceholders,
+        outputDir: flags.outputDir,
+        sourceDir: flags.sourceDir,
+        skillName: flags.skillName,
+        serverName: flags.serverName,
+        serverUrl: flags.serverUrl,
+    });
+    printInstallResult(result);
+});
+platformCommand
+    .command("install-skill")
+    .description("Install only skill bundles for skill-capable platforms")
+    .option("-p, --platform <id>", "Select a platform to install", collectValues, [])
+    .option("--repo-path <path>")
+    .option("--output-dir <path>", "Build output directory", DEFAULT_OUTPUT_DIR)
+    .option("--source-dir <path>", "Skill source directory", DEFAULT_SOURCE_DIR)
+    .option("--skill-name <name>", "Skill bundle name", DEFAULT_SKILL_NAME)
+    .action((flags) => {
+    const result = installPlatforms({
+        platformsDir: DEFAULT_PLATFORMS_DIR,
+        selectedPlatforms: flags.platform,
+        repoPath: flags.repoPath ? path.resolve(flags.repoPath) : null,
+        installSkill: true,
+        installMcp: false,
+        writeManifest: false,
+        outputDir: flags.outputDir,
+        sourceDir: flags.sourceDir,
+        skillName: flags.skillName,
+    });
+    printInstallResult(result);
+});
+program.parseAsync(process.argv).catch((error) => {
+    const message = error instanceof z.ZodError
+        ? error.issues.map((issue) => issue.message).join(", ")
+        : error instanceof Error
+            ? error.message
+            : String(error);
+    console.error(message);
+    process.exitCode = 1;
+});
+//# sourceMappingURL=cli.js.map