@alta-foundation/plaud-extractor 1.0.0

package/src/PlaudExtractor.ts

@@ -0,0 +1,275 @@
+import path from 'node:path'
+import fs from 'node:fs/promises'
+import os from 'node:os'
+import { createLogger, setLogger, type Logger } from './logger.js'
+import { loadCredentials, saveCredentials, isExpired } from './auth/token-store.js'
+import { runBrowserAuth, type BrowserAuthOptions } from './auth/browser-auth.js'
+import { PlaudApiClient } from './client/plaud-client.js'
+import { SyncEngine } from './sync/sync-engine.js'
+import { IncrementalTracker } from './sync/incremental.js'
+import { RecordingStore } from './storage/recording-store.js'
+import { verifyChecksums } from './storage/checksums.js'
+import { recordingDir, defaultOutDir } from './storage/paths.js'
+import { AuthError } from './errors.js'
+import type { SyncOptions, SyncResult, BackfillOptions, VerifyResult } from './sync/types.js'
+
+export interface PlaudExtractorConfig {
+  /** Output directory for recordings. Default: ~/alta/data/plaud */
+  outDir?: string
+  /** Inject a custom pino logger (e.g., from Alta CORE) */
+  logger?: Logger
+  /** Verbose logging */
+  verbose?: boolean
+  /** Redact tokens from logs */
+  redact?: boolean
+}
+
+export class PlaudExtractor {
+  private readonly outDir: string
+  private readonly engine: SyncEngine
+
+  constructor(config: PlaudExtractorConfig = {}) {
+    this.outDir = config.outDir
+      ? path.resolve(config.outDir.replace(/^~/, os.homedir()))
+      : defaultOutDir()
+
+    if (config.logger) {
+      setLogger(config.logger)
+    } else {
+      createLogger(this.outDir, { verbose: config.verbose, redact: config.redact })
+    }
+
+    this.engine = new SyncEngine()
+  }
+
+  /**
+   * Launch browser for authentication.
+   * Saves credentials to ~/.alta/plaud-auth.json.
+   */
+  async authenticate(opts: BrowserAuthOptions = {}): Promise<void> {
+    const session = await runBrowserAuth(opts)
+    await saveCredentials(session)
+  }
+
+  /**
+   * Check if credentials exist and are not expired.
+   */
+  async isAuthenticated(): Promise<boolean> {
+    const creds = await loadCredentials()
+    if (!creds) return false
+    if (isExpired(creds)) return false
+    return true
+  }
+
+  /**
+   * Incremental sync: only download new or changed recordings since last run.
+   * If the token expires mid-sync, re-authenticates automatically and retries once.
+   */
+  async sync(opts: Partial<SyncOptions> = {}): Promise<SyncResult> {
+    return this.runWithReauth(opts, 'sync')
+  }
+
+  /**
+   * Full backfill: re-evaluate all recordings regardless of sync state.
+   * If the token expires mid-backfill, re-authenticates automatically and retries once.
+   */
+  async backfill(opts: Partial<BackfillOptions> = {}): Promise<SyncResult> {
+    return this.runWithReauth(opts, 'backfill')
+  }
+
+  /**
+   * Run sync/backfill, and if a token-expired AuthError occurs mid-run,
+   * automatically re-authenticate and retry once.
+   */
+  private async runWithReauth(
+    opts: Partial<SyncOptions>,
+    mode: 'sync' | 'backfill',
+  ): Promise<SyncResult> {
+    try {
+      const client = await this.buildClient()
+      return await this.engine.run(client, this.buildSyncOptions(opts), mode)
+    } catch (err) {
+      if (!(err instanceof AuthError)) throw err
+
+      // Token expired or rejected mid-run — re-authenticate and try once more
+      console.error('\nSession expired during sync. Re-authenticating...')
+      await this.authenticate()
+      console.log('Re-authenticated. Resuming sync...\n')
+
+      const client = await this.buildClient()
+      return this.engine.run(client, this.buildSyncOptions(opts), mode)
+    }
+  }
+
+  /**
+   * Walk all recording folders and verify checksums.
+   * With repair=true, re-download any file with a mismatch.
+   */
+  async verify(opts: { repair?: boolean } = {}): Promise<VerifyResult> {
+    const client = opts.repair ? await this.buildClient() : null
+    const tracker = new IncrementalTracker()
+    await tracker.load(this.outDir)
+
+    const result: VerifyResult = { scanned: 0, ok: 0, failed: 0, repaired: 0, issues: [] }
+    const recordingIds = tracker.getAllRecordingIds()
+
+    for (const id of recordingIds) {
+      const state = tracker.getRecordingState(id)
+      if (!state) continue
+
+      const dir = recordingDir(this.outDir, state.recordedAt, id)
+      result.scanned++
+
+      try {
+        const mismatches = await verifyChecksums(dir)
+        if (mismatches.length === 0) {
+          result.ok++
+          tracker.markVerified(id)
+        } else {
+          result.failed++
+          for (const m of mismatches) {
+            result.issues.push({
+              recordingId: id,
+              file: path.basename(m.filePath),
+              issue: `checksum mismatch (expected: ${m.expected.slice(0, 8)}..., got: ${m.actual === 'MISSING' ? 'MISSING' : m.actual.slice(0, 8) + '...'})`,
+            })
+          }
+
+          // TODO: repair support requires re-fetching the recording object
+          // For now, log the mismatch
+        }
+      } catch (err) {
+        result.failed++
+        result.issues.push({ recordingId: id, file: '', issue: String(err) })
+      }
+    }
+
+    await tracker.persist(this.outDir)
+    return result
+  }
+
+  /**
+   * Export all local recordings to a JSONL dataset file.
+   * Returns the path to the generated file.
+   */
+  async exportDataset(opts: { format?: 'jsonl' } = {}): Promise<string> {
+    const { DatasetWriter } = await import('./storage/dataset-writer.js')
+    const { default: fsSync } = await import('node:fs')
+
+    // Walk recordings dir and collect existing transcript data
+    const datasetWriter = new DatasetWriter(this.outDir)
+    await datasetWriter.open()
+
+    // Re-generate from existing transcript.json files on disk
+    const recordingsBase = path.join(this.outDir, 'recordings')
+    try {
+      await this.walkAndExport(recordingsBase, datasetWriter)
+    } finally {
+      await datasetWriter.close()
+    }
+
+    return datasetWriter.path
+  }
+
+  private async walkAndExport(
+    recordingsBase: string,
+    dataset: InstanceType<typeof import('./storage/dataset-writer.js').DatasetWriter>,
+  ): Promise<void> {
+    const { PlaudRecordingSchema } = await import('./client/types.js')
+    const { PlaudTranscriptSchema } = await import('./client/types.js')
+
+    // Walk year/month/dir structure
+    let yearDirs: string[]
+    try {
+      yearDirs = await fs.readdir(recordingsBase)
+    } catch {
+      return
+    }
+
+    for (const year of yearDirs) {
+      const yearPath = path.join(recordingsBase, year)
+      let monthDirs: string[]
+      try {
+        monthDirs = await fs.readdir(yearPath)
+      } catch {
+        continue
+      }
+
+      for (const month of monthDirs) {
+        const monthPath = path.join(yearPath, month)
+        let recDirs: string[]
+        try {
+          recDirs = await fs.readdir(monthPath)
+        } catch {
+          continue
+        }
+
+        for (const recDir of recDirs) {
+          const recPath = path.join(monthPath, recDir)
+          try {
+            const metaRaw = await fs.readFile(path.join(recPath, 'meta.json'), 'utf8')
+            const transcriptRaw = await fs.readFile(path.join(recPath, 'transcript.json'), 'utf8')
+            const meta = JSON.parse(metaRaw) as Record<string, unknown>
+            const transcriptData = JSON.parse(transcriptRaw) as Record<string, unknown>
+
+            // Reconstruct minimal PlaudRecording from meta.json
+            const recording = PlaudRecordingSchema.parse({
+              id: meta['source_recording_id'],
+              title: meta['title'],
+              duration: meta['duration_seconds'],
+              recordedAt: meta['recorded_at'],
+              createdAt: meta['recorded_at'],
+              updatedAt: meta['recorded_at'],
+              hasTranscript: true,
+              _raw: meta,
+            })
+
+            const fullText = ((transcriptData['segments'] ?? []) as Array<{ text?: string }>)
+              .map(s => s.text ?? '')
+              .filter(Boolean)
+              .join('\n\n')
+
+            const transcript = PlaudTranscriptSchema.parse({
+              recordingId: String(meta['source_recording_id'] ?? ''),
+              duration: Number(meta['duration_seconds'] ?? 0),
+              segments: transcriptData['segments'] ?? [],
+              fullText,
+              _raw: transcriptData,
+            })
+
+            await dataset.append(this.outDir, recording, transcript)
+          } catch {
+            // Skip recordings with missing/invalid files
+          }
+        }
+      }
+    }
+  }
+
+  private async buildClient(): Promise<PlaudApiClient> {
+    const creds = await loadCredentials()
+    if (!creds) {
+      throw new AuthError("No credentials found — run 'alta-plaud auth' to authenticate")
+    }
+    if (isExpired(creds)) {
+      throw new AuthError("Credentials expired — run 'alta-plaud auth' to re-authenticate")
+    }
+    return new PlaudApiClient(creds)
+  }
+
+  private buildSyncOptions(partial: Partial<SyncOptions>): SyncOptions {
+    return {
+      outDir: this.outDir,
+      since: partial.since,
+      limit: partial.limit,
+      concurrency: partial.concurrency ?? 3,
+      formats: partial.formats ?? ['json', 'txt', 'md'],
+      includeDataset: partial.includeDataset ?? true,
+      dryRun: partial.dryRun ?? false,
+    }
+  }
+
+  get dataDir(): string {
+    return this.outDir
+  }
+}

package/src/auth/browser-auth.ts

@@ -0,0 +1,248 @@
+import { execSync } from 'node:child_process'
+import { chromium, type Page, type Request as PWRequest, type BrowserContext } from 'playwright'
+import { AuthError } from '../errors.js'
+import { getLogger } from '../logger.js'
+import { loadCredentials } from './token-store.js'
+import { extractRegionalBaseUrl } from '../client/endpoints.js'
+import type { AuthSession, EndpointMap } from './types.js'
+
+const PLAUD_APP_URL = 'https://web.plaud.ai'
+
+export interface BrowserAuthOptions {
+  headless?: boolean
+  email?: string
+  password?: string
+  /** How long to wait for the user to log in (ms). Default: 5 minutes. */
+  loginTimeoutMs?: number
+}
+
+export async function runBrowserAuth(opts: BrowserAuthOptions = {}): Promise<AuthSession> {
+  const log = getLogger()
+  const launchOpts = {
+    channel: 'chrome' as const,
+    headless: opts.headless ?? false,
+    args: ['--disable-blink-features=AutomationControlled'],
+  }
+
+  const browser = await chromium.launch(launchOpts).catch(async err => {
+    const msg = String(err)
+    if (msg.includes("Executable doesn't exist") || msg.includes('not found')) {
+      log.warn('System Chrome not found, falling back to Playwright Chromium (Google OAuth may be blocked)')
+      return chromium.launch({ headless: opts.headless ?? false }).catch(err2 => {
+        if (String(err2).includes("Executable doesn't exist")) {
+          log.info('Installing Playwright Chromium (one-time setup)...')
+          execSync('npx playwright install chromium', { stdio: 'inherit' })
+          return chromium.launch({ headless: opts.headless ?? false })
+        }
+        throw err2
+      })
+    }
+    throw err
+  })
+
+  const context = await browser.newContext({ userAgent: undefined })
+  const page = await context.newPage()
+
+  // Remove webdriver property that Google checks for automation detection
+  await page.addInitScript(
+    'Object.defineProperty(navigator, "webdriver", { get: () => undefined })',
+  )
+
+  // Inject existing plaud.ai cookies so we don't need a fresh login if session is still valid
+  await injectExistingCookies(context)
+
+  try {
+    log.info('Opening Plaud...')
+
+    // Set up Bearer token capture BEFORE navigation — the SPA fires API calls on load
+    const loginTimeoutMs = opts.loginTimeoutMs ?? 5 * 60_000
+    const bearerTokenCapture = captureBearerToken(page, loginTimeoutMs, log)
+
+    await page.goto(PLAUD_APP_URL, { waitUntil: 'domcontentloaded' })
+    // Give SPA time to initialize and run its auth check (may redirect to /login)
+    await page.waitForLoadState('networkidle', { timeout: 10_000 }).catch(() => {})
+
+    if (opts.email && opts.password) {
+      await automatedLogin(page, opts.email, opts.password)
+    } else if (isLoginUrl(page.url())) {
+      // Not logged in — prompt user and wait
+      console.log('\n──────────────────────────────────────────────────────────')
+      console.log('  Log in to Plaud in the browser window.')
+      console.log('  The browser will close automatically once connected.')
+      console.log(`  (Waiting up to ${Math.round(loginTimeoutMs / 60_000)} minutes)`)
+      console.log('──────────────────────────────────────────────────────────\n')
+    } else {
+      log.info('Already connected — capturing token...')
+    }
+
+    // Wait for Bearer token from any API request (fires on page load if session is active,
+    // or after login if the user needed to authenticate)
+    const authToken = await bearerTokenCapture
+    log.info('Bearer token captured — closing browser')
+
+    const cookies = await context.cookies()
+    // Close browser without blocking — Chrome can take a long time to flush its profile
+    void browser.close().catch(() => {})
+
+    // Discover the correct regional API base URL (e.g. api-euc1.plaud.ai for EU users)
+    const apiBaseUrl = await discoverApiRegion(authToken)
+    log.info({ apiBaseUrl }, 'Regional API base URL discovered')
+
+    return {
+      cookies: cookies.map(c => ({
+        name: c.name,
+        value: c.value,
+        domain: c.domain,
+        path: c.path,
+        httpOnly: c.httpOnly,
+        secure: c.secure,
+        sameSite: c.sameSite as 'Strict' | 'Lax' | 'None' | undefined,
+        expires: c.expires && c.expires > 0 ? c.expires : undefined,
+      })),
+      authToken,
+      apiBaseUrl,
+      capturedAt: new Date().toISOString(),
+      endpointMap: buildEndpointMap(apiBaseUrl),
+    }
+  } catch (err) {
+    await browser.close().catch(() => {})
+    throw err
+  }
+}
+
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+
+/**
+ * Inject plaud.ai cookies from the previous auth session so the browser picks up
+ * an existing session without requiring the user to log in again.
+ */
+async function injectExistingCookies(context: BrowserContext): Promise<void> {
+  const log = getLogger()
+  const existing = await loadCredentials().catch(() => null)
+  if (!existing?.cookies?.length) return
+
+  const plaudCookies = existing.cookies.filter(
+    c => c.domain === 'web.plaud.ai' || c.domain.endsWith('.plaud.ai') || c.domain === 'plaud.ai',
+  )
+  if (plaudCookies.length === 0) return
+
+  try {
+    await context.addCookies(
+      plaudCookies.map(c => ({
+        name: c.name,
+        value: c.value,
+        domain: c.domain,
+        path: c.path,
+        httpOnly: c.httpOnly,
+        secure: c.secure,
+        sameSite: (c.sameSite ?? 'Lax') as 'Strict' | 'Lax' | 'None',
+        expires: c.expires ?? -1,
+      })),
+    )
+    log.debug({ count: plaudCookies.length }, 'Injected existing session cookies')
+  } catch (err) {
+    log.debug({ err }, 'Could not inject existing cookies — fresh login required')
+  }
+}
+
+/**
+ * Wait for the first API request that carries a Bearer token.
+ * This fires automatically when:
+ *   - The page loads with an existing authenticated session (cookies restored)
+ *   - The user completes login via Google OAuth or email
+ *
+ * Resolves with the raw token string (without "bearer " prefix).
+ */
+function captureBearerToken(page: Page, timeoutMs: number, log: ReturnType<typeof getLogger>): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(() => {
+      page.off('request', handler)
+      reject(new AuthError(`Login timeout after ${Math.round(timeoutMs / 60_000)} minutes — no token captured`))
+    }, timeoutMs)
+
+    const handler = (req: PWRequest) => {
+      const auth = req.headers()['authorization'] ?? req.headers()['Authorization']
+      if (!auth) return
+      const token = auth.replace(/^bearer\s+/i, '').trim()
+      // Basic sanity check: JWT has 3 parts separated by dots
+      if (token.split('.').length === 3) {
+        clearTimeout(timer)
+        page.off('request', handler)
+        log.debug({ url: req.url() }, 'Bearer token found in request')
+        resolve(token)
+      }
+    }
+
+    page.on('request', handler)
+  })
+}
+
+/** Discover the correct regional API base URL (e.g. https://api-euc1.plaud.ai). */
+async function discoverApiRegion(token: string): Promise<string> {
+  const log = getLogger()
+  try {
+    // The global endpoint returns a region-redirect response pointing to the right server
+    const res = await fetch('https://api.plaud.ai/user/me', {
+      headers: {
+        'Authorization': `bearer ${token}`,
+        'app-platform': 'web',
+        'Origin': 'https://web.plaud.ai',
+      },
+    })
+    const body = await res.json()
+    const regional = extractRegionalBaseUrl(body)
+    if (regional) return regional
+
+    // If the global endpoint returns user data directly (no redirect), it IS the right base
+    if ((body as Record<string, unknown>)?.data_user) return 'https://api.plaud.ai'
+  } catch (err) {
+    log.debug({ err }, 'Region discovery failed — using global API')
+  }
+  return 'https://api.plaud.ai'
+}
+
+/** Build the complete endpoint map from the known regional API base URL. */
+function buildEndpointMap(apiBaseUrl: string): EndpointMap {
+  return {
+    listRecordings: `${apiBaseUrl}/file/simple/web`,
+    batchDetail: `${apiBaseUrl}/file/list`,
+    getAudioUrl: `${apiBaseUrl}/file/temp-url`,
+    userProfile: `${apiBaseUrl}/user/me`,
+    apiBaseUrl,
+  }
+}
+
+function isLoginUrl(url: string): boolean {
+  try {
+    const p = new URL(url).pathname
+    return p.startsWith('/login') || p.startsWith('/signin') || p.startsWith('/auth')
+  } catch {
+    return false
+  }
+}
+
+async function automatedLogin(page: Page, email: string, password: string): Promise<void> {
+  const log = getLogger()
+  log.info('Attempting automated login...')
+
+  const emailSelectors = [
+    'input[type="email"]', 'input[name="email"]',
+    'input[name="username"]', '[data-testid="email"]', '#email',
+  ]
+  const passwordSelectors = [
+    'input[type="password"]', 'input[name="password"]',
+    '[data-testid="password"]', '#password',
+  ]
+
+  for (const sel of emailSelectors) {
+    if (await page.locator(sel).count() > 0) { await page.fill(sel, email); break }
+  }
+  for (const sel of passwordSelectors) {
+    if (await page.locator(sel).count() > 0) { await page.fill(sel, password); break }
+  }
+
+  await page.click(
+    'button[type="submit"], [type="submit"], button:has-text("Login"), button:has-text("Sign in")',
+  )
+  await page.waitForLoadState('networkidle', { timeout: 15_000 }).catch(() => undefined)
+}

package/src/auth/token-store.ts

@@ -0,0 +1,79 @@
+import fs from 'node:fs/promises'
+import { authTokenPath } from '../storage/paths.js'
+import { StoredCredentialsSchema, type AuthSession, type StoredCredentials } from './types.js'
+import { writeFileAtomic } from '../storage/atomic.js'
+import { getLogger } from '../logger.js'
+
+export async function loadCredentials(): Promise<StoredCredentials | null> {
+  const tokenPath = authTokenPath()
+  try {
+    const raw = await fs.readFile(tokenPath, 'utf8')
+    const json = JSON.parse(raw)
+    const result = StoredCredentialsSchema.safeParse(json)
+    if (!result.success) {
+      getLogger().warn({ issues: result.error.issues }, 'Stored credentials failed schema validation — re-authenticate')
+      return null
+    }
+    return result.data
+  } catch (err: unknown) {
+    if ((err as NodeJS.ErrnoException).code === 'ENOENT') return null
+    getLogger().warn({ err }, 'Failed to read credentials file')
+    return null
+  }
+}
+
+export async function saveCredentials(session: AuthSession): Promise<void> {
+  const tokenPath = authTokenPath()
+  const stored: StoredCredentials = { ...session, schemaVersion: 1 }
+  await writeFileAtomic(tokenPath, JSON.stringify(stored, null, 2))
+  getLogger().info({ path: tokenPath }, 'Auth credentials saved')
+}
+
+/** Returns true if the stored credentials are expired. */
+export function isExpired(creds: StoredCredentials): boolean {
+  const now = Date.now()
+
+  // Explicit expiresAt takes precedence
+  if (creds.expiresAt) {
+    return now > new Date(creds.expiresAt).getTime()
+  }
+
+  // If we have a JWT bearer token, decode the exp claim (most reliable)
+  if (creds.authToken) {
+    const jwtExp = decodeJwtExp(creds.authToken)
+    if (jwtExp !== null) return now > jwtExp * 1000
+  }
+
+  // Fallback: check only plaud.ai session cookies (ignore analytics/CDN cookies
+  // which have short TTLs and would cause false "expired" readings)
+  const plaudCookies = creds.cookies.filter(
+    c => c.expires && c.expires > 0 && (c.domain.endsWith('.plaud.ai') || c.domain === 'plaud.ai')
+  )
+  if (plaudCookies.length > 0) {
+    const minExpiry = Math.min(...plaudCookies.map(c => (c.expires ?? 0) * 1000))
+    if (minExpiry > 0 && now > minExpiry) return true
+  }
+
+  // Last resort: treat as expired after 30 days
+  const capturedAt = new Date(creds.capturedAt).getTime()
+  return now - capturedAt > 30 * 24 * 60 * 60 * 1000
+}
+
+/** Decode the `exp` claim from a JWT (no signature verification — just decode). */
+function decodeJwtExp(token: string): number | null {
+  try {
+    const parts = token.split('.')
+    if (parts.length !== 3) return null
+    const payload = JSON.parse(Buffer.from(parts[1]!, 'base64url').toString('utf8')) as Record<string, unknown>
+    const exp = payload['exp']
+    return typeof exp === 'number' ? exp : null
+  } catch {
+    return null
+  }
+}
+
+export function cookieHeader(creds: StoredCredentials): string {
+  return creds.cookies.map(c => `${c.name}=${c.value}`).join('; ')
+}
+
+export { authTokenPath }

package/src/auth/types.ts

@@ -0,0 +1,41 @@
+import { z } from 'zod'
+
+export const CookieSchema = z.object({
+  name: z.string(),
+  value: z.string(),
+  domain: z.string(),
+  path: z.string(),
+  httpOnly: z.boolean(),
+  secure: z.boolean(),
+  sameSite: z.enum(['Strict', 'Lax', 'None']).optional(),
+  expires: z.number().optional(),
+})
+
+export const EndpointMapSchema = z.object({
+  listRecordings: z.string().optional(),   // GET /file/simple/web
+  batchDetail: z.string().optional(),       // POST /file/list
+  getAudioUrl: z.string().optional(),       // GET /file/temp-url/<id>
+  userProfile: z.string().optional(),       // GET /user/me
+  apiBaseUrl: z.string().optional(),
+  /** @deprecated — transcript is embedded in the recording, not a separate endpoint */
+  getTranscript: z.string().optional(),
+})
+
+export type EndpointMap = z.infer<typeof EndpointMapSchema>
+
+export const AuthSessionSchema = z.object({
+  cookies: z.array(CookieSchema),
+  authToken: z.string().optional(),
+  apiBaseUrl: z.string(),
+  capturedAt: z.string().datetime(),
+  expiresAt: z.string().datetime().optional(),
+  endpointMap: EndpointMapSchema.optional(),
+})
+
+export type AuthSession = z.infer<typeof AuthSessionSchema>
+
+export const StoredCredentialsSchema = AuthSessionSchema.extend({
+  schemaVersion: z.literal(1),
+})
+
+export type StoredCredentials = z.infer<typeof StoredCredentialsSchema>

package/src/cli/bin.ts

@@ -0,0 +1,30 @@
+#!/usr/bin/env node
+import { Command } from 'commander'
+import { registerAuthCommand } from './commands/auth.js'
+import { registerSyncCommand } from './commands/sync.js'
+import { registerBackfillCommand } from './commands/backfill.js'
+import { registerVerifyCommand } from './commands/verify.js'
+import { ExitCode, toExitCode } from './exit-codes.js'
+
+const program = new Command()
+  .name('alta-plaud')
+  .description('Export recordings, transcripts, and metadata from Plaud')
+  .version('1.0.0')
+  .helpOption('-h, --help', 'Show help')
+
+registerAuthCommand(program)
+registerSyncCommand(program)
+registerBackfillCommand(program)
+registerVerifyCommand(program)
+
+program.parseAsync(process.argv).catch((err: unknown) => {
+  // This is the only place in the codebase where process.exit() is called.
+  const code = toExitCode(err)
+  if (err instanceof Error) {
+    console.error(`\nError: ${err.message}`)
+    if (process.env['DEBUG']) console.error(err.stack)
+  } else {
+    console.error(`\nUnexpected error: ${String(err)}`)
+  }
+  process.exit(code)
+})