npm - @balise.dev/cli - Versions diffs - 0.1.0 - Mend

@balise.dev/cli 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.js ADDED Viewed

@@ -0,0 +1,1337 @@
+#!/usr/bin/env node
+// src/index.ts
+import { defineCommand, runMain } from "citty";
+// src/commands/login.ts
+import open from "open";
+import crypto2 from "crypto";
+// src/oauth.ts
+import crypto from "crypto";
+import http from "http";
+import { request } from "undici";
+function generateCodeVerifier() {
+  return base64url(crypto.randomBytes(64));
+}
+function codeChallengeFor(verifier) {
+  return base64url(crypto.createHash("sha256").update(verifier).digest());
+}
+function base64url(buf) {
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+var SUCCESS_HTML = `<!doctype html>
+<html><head><title>Balise \u2014 Logged in</title>
+<style>body{font-family:system-ui,sans-serif;padding:4rem;text-align:center;background:#0b0b0b;color:#eee}
+h1{font-size:2rem;margin:0 0 1rem}p{opacity:.7}</style></head>
+<body><h1>&#10003; Balise CLI logged in</h1>
+<p>You can close this tab and return to your terminal.</p>
+<script>setTimeout(()=>window.close(),1200)</script></body></html>`;
+var FAILURE_HTML = `<!doctype html>
+<html><head><title>Balise \u2014 Login failed</title></head>
+<body style="font-family:system-ui;padding:4rem;text-align:center">
+<h1>Login failed</h1><p>See your terminal for details.</p></body></html>`;
+function startLoopbackServer(timeoutMs = 3e5) {
+  let resolveCode;
+  let rejectCode;
+  const waitForCode = new Promise((res, rej) => {
+    resolveCode = res;
+    rejectCode = rej;
+  });
+  const server = http.createServer((req, res) => {
+    if (!req.url) return;
+    const url = new URL(req.url, "http://localhost");
+    if (url.pathname !== "/callback") {
+      res.writeHead(404).end("Not Found");
+      return;
+    }
+    const code = url.searchParams.get("code");
+    const error = url.searchParams.get("error");
+    if (error) {
+      res.writeHead(400, { "Content-Type": "text/html" }).end(FAILURE_HTML);
+      rejectCode(new Error(`OAuth error: ${error}`));
+      return;
+    }
+    if (!code) {
+      res.writeHead(400, { "Content-Type": "text/html" }).end(FAILURE_HTML);
+      rejectCode(new Error("OAuth callback missing `code`"));
+      return;
+    }
+    res.writeHead(200, { "Content-Type": "text/html" }).end(SUCCESS_HTML);
+    resolveCode(code);
+  });
+  const portPromise = new Promise((res, rej) => {
+    server.once("error", rej);
+    server.listen(0, "127.0.0.1", () => {
+      const { port } = server.address();
+      res(port);
+    });
+  });
+  const timer = setTimeout(() => {
+    rejectCode(new Error(`OAuth login timed out after ${timeoutMs / 1e3}s`));
+    server.close();
+  }, timeoutMs);
+  return {
+    port: portPromise,
+    waitForCode: waitForCode.finally(() => {
+      clearTimeout(timer);
+      server.close();
+    }),
+    close: () => {
+      clearTimeout(timer);
+      server.close();
+    }
+  };
+}
+function buildAuthorizeUrl(params) {
+  const u = new URL(
+    `${params.supabaseUrl.replace(/\/$/, "")}/auth/v1/oauth/authorize`
+  );
+  u.searchParams.set("response_type", "code");
+  u.searchParams.set("client_id", params.clientId);
+  u.searchParams.set("redirect_uri", params.redirectUri);
+  u.searchParams.set("code_challenge", params.codeChallenge);
+  u.searchParams.set("code_challenge_method", "S256");
+  u.searchParams.set("state", params.state);
+  return u.toString();
+}
+async function registerClient(params) {
+  const url = `${params.supabaseUrl.replace(/\/$/, "")}/auth/v1/oauth/clients/register`;
+  const body = JSON.stringify({
+    client_name: params.clientName,
+    redirect_uris: [params.redirectUri],
+    grant_types: ["authorization_code", "refresh_token"],
+    response_types: ["code"],
+    token_endpoint_auth_method: "none",
+    application_type: "native"
+  });
+  const { statusCode, body: respBody } = await request(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body
+  });
+  const text = await respBody.text();
+  if (statusCode < 200 || statusCode >= 300) {
+    throw new Error(
+      `Client registration failed (${statusCode}): ${text.slice(0, 200)}`
+    );
+  }
+  const data = JSON.parse(text);
+  if (!data.client_id) {
+    throw new Error(
+      `Client registration response missing client_id: ${text.slice(0, 200)}`
+    );
+  }
+  return data.client_id;
+}
+async function exchangeCodeForTokens(params) {
+  const url = `${params.supabaseUrl.replace(/\/$/, "")}/auth/v1/oauth/token`;
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code: params.code,
+    code_verifier: params.codeVerifier,
+    redirect_uri: params.redirectUri,
+    client_id: params.clientId
+  }).toString();
+  const { statusCode, body: respBody } = await request(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  });
+  const text = await respBody.text();
+  if (statusCode < 200 || statusCode >= 300) {
+    throw new Error(
+      `Token exchange failed (${statusCode}): ${text.slice(0, 200)}`
+    );
+  }
+  return JSON.parse(text);
+}
+async function refreshAccessToken(params) {
+  const url = `${params.supabaseUrl.replace(/\/$/, "")}/auth/v1/oauth/token`;
+  const reqBody = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: params.refreshToken,
+    client_id: params.clientId
+  }).toString();
+  const { statusCode, body } = await request(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: reqBody
+  });
+  const text = await body.text();
+  if (statusCode < 200 || statusCode >= 300) {
+    throw new Error(
+      `Token refresh failed (${statusCode}): ${text.slice(0, 200)}`
+    );
+  }
+  return JSON.parse(text);
+}
+// src/credentials.ts
+import { promises as fs } from "fs";
+import path from "path";
+import os from "os";
+var APP_DIR = "balise";
+var FILENAME = "credentials.json";
+var CredentialsError = class extends Error {
+  constructor(message, cause) {
+    super(message);
+    this.cause = cause;
+    this.name = "CredentialsError";
+  }
+  cause;
+};
+function credentialsPath() {
+  const fileOverride = process.env.BALISE_CREDENTIALS_FILE;
+  if (fileOverride && fileOverride.length > 0) return fileOverride;
+  const xdg = process.env.XDG_CONFIG_HOME;
+  const base = xdg && xdg.length > 0 ? xdg : path.join(os.homedir(), ".config");
+  return path.join(base, APP_DIR, FILENAME);
+}
+function hasEnvToken() {
+  const v = process.env.BALISE_TOKEN;
+  return typeof v === "string" && v.length > 0;
+}
+function isValidTokens(v) {
+  if (!v || typeof v !== "object") return false;
+  const t = v;
+  return typeof t.access_token === "string" && typeof t.refresh_token === "string";
+}
+async function loadTokens() {
+  if (hasEnvToken()) {
+    return {
+      access_token: process.env.BALISE_TOKEN,
+      refresh_token: ""
+    };
+  }
+  const p = credentialsPath();
+  let raw;
+  try {
+    raw = await fs.readFile(p, "utf8");
+  } catch (err) {
+    if (err?.code === "ENOENT") return null;
+    throw new CredentialsError(
+      `Cannot read credentials file ${p}: ${err.message}`,
+      err
+    );
+  }
+  if (process.platform !== "win32") {
+    try {
+      const st = await fs.stat(p);
+      if ((st.mode & 63) !== 0) {
+        process.stderr.write(
+          `Warning: credentials file ${p} has loose permissions; will re-tighten on next write.
+`
+        );
+      }
+    } catch {
+    }
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    process.stderr.write(
+      `Warning: credentials file ${p} is corrupt, please re-login.
+`
+    );
+    return null;
+  }
+  if (!isValidTokens(parsed)) {
+    process.stderr.write(
+      `Warning: credentials file ${p} is missing required keys, please re-login.
+`
+    );
+    return null;
+  }
+  return parsed;
+}
+async function saveTokens(t) {
+  if (hasEnvToken()) {
+    process.stderr.write(
+      "Warning: env var BALISE_TOKEN active, skipping credentials file write.\n"
+    );
+    return;
+  }
+  if (process.platform === "win32") {
+    throw new CredentialsError(
+      "Windows credential file storage not yet supported. Use BALISE_TOKEN env var instead."
+    );
+  }
+  const p = credentialsPath();
+  const dir = path.dirname(p);
+  try {
+    await fs.mkdir(dir, { recursive: true, mode: 448 });
+  } catch (err) {
+    throw new CredentialsError(
+      `Cannot create credentials directory ${dir}: ${err.message}. Set BALISE_TOKEN env var instead.`,
+      err
+    );
+  }
+  try {
+    await fs.writeFile(p, JSON.stringify(t), { mode: 384 });
+    await fs.chmod(p, 384);
+  } catch (err) {
+    throw new CredentialsError(
+      `Cannot write credentials file ${p}: ${err.message}. Set BALISE_TOKEN env var instead.`,
+      err
+    );
+  }
+}
+async function clearTokens() {
+  const p = credentialsPath();
+  let existed = true;
+  try {
+    await fs.unlink(p);
+  } catch (err) {
+    const e = err;
+    if (e?.code === "ENOENT") {
+      existed = false;
+    } else {
+      throw new CredentialsError(
+        `Cannot remove credentials file ${p}: ${e.message ?? String(err)}`,
+        err
+      );
+    }
+  }
+  if (hasEnvToken()) {
+    process.stderr.write(
+      "Warning: BALISE_TOKEN env var still set \u2014 unset it manually to fully log out.\n"
+    );
+  }
+  return existed;
+}
+function credentialsHelpMessage() {
+  const p = credentialsPath();
+  return `Credentials are stored at ${p} (mode 0600).
+  \u2022 Set BALISE_TOKEN=<jwt> to supply a token directly (useful in CI).
+  \u2022 Set BALISE_CREDENTIALS_FILE=<path> to override the storage location.`;
+}
+// src/commands/login.ts
+async function runLogin(opts) {
+  if (process.env.BALISE_TOKEN && process.env.BALISE_TOKEN.length > 0) {
+    process.stderr.write(
+      "Already authenticated via BALISE_TOKEN env var. Unset it to run browser-based login.\n"
+    );
+    return;
+  }
+  const verifier = generateCodeVerifier();
+  const challenge = codeChallengeFor(verifier);
+  const state = crypto2.randomBytes(16).toString("hex");
+  const { port: portPromise, waitForCode } = startLoopbackServer(
+    opts.timeoutMs ?? 3e5
+  );
+  const port = await portPromise;
+  const redirectUri = `http://localhost:${port}/callback`;
+  const clientId = await registerClient({
+    supabaseUrl: opts.supabaseUrl,
+    clientName: "Balise CLI",
+    redirectUri
+  });
+  const url = buildAuthorizeUrl({
+    supabaseUrl: opts.supabaseUrl,
+    clientId,
+    redirectUri,
+    codeChallenge: challenge,
+    state
+  });
+  process.stderr.write(`Opening browser to log in\u2026
+  ${url}
+`);
+  const opener = opts.openBrowser ?? (async (u) => {
+    await open(u);
+  });
+  try {
+    await opener(url);
+  } catch {
+    process.stderr.write(
+      "Could not auto-open browser. Copy the URL above manually.\n"
+    );
+  }
+  const code = await waitForCode;
+  const tokens = await exchangeCodeForTokens({
+    supabaseUrl: opts.supabaseUrl,
+    code,
+    codeVerifier: verifier,
+    redirectUri,
+    clientId
+  });
+  try {
+    await saveTokens({
+      access_token: tokens.access_token,
+      refresh_token: tokens.refresh_token,
+      client_id: clientId,
+      expires_at: Math.floor(Date.now() / 1e3) + (tokens.expires_in ?? 3600),
+      user_id: tokens.user?.id
+    });
+  } catch (err) {
+    if (err instanceof CredentialsError) {
+      process.stderr.write(`
+${err.message}
+${credentialsHelpMessage()}
+`);
+      process.exit(1);
+    }
+    throw err;
+  }
+  const who = tokens.user?.email ?? tokens.user?.id ?? "you";
+  process.stdout.write(`Logged in as ${who}
+`);
+}
+// src/commands/logout.ts
+async function runLogout() {
+  try {
+    const existed = await clearTokens();
+    if (existed) {
+      process.stdout.write("Logged out \u2014 credentials file removed.\n");
+    } else {
+      process.stdout.write("Already logged out (no credentials file found).\n");
+    }
+  } catch (err) {
+    if (err instanceof CredentialsError) {
+      process.stderr.write(`
+${err.message}
+${credentialsHelpMessage()}
+`);
+      process.exit(1);
+    }
+    throw err;
+  }
+}
+// src/api.ts
+import { request as request2 } from "undici";
+var NotAuthenticatedError = class extends Error {
+  constructor(msg = "Not authenticated \u2014 run `balise login`") {
+    super(msg);
+    this.name = "NotAuthenticatedError";
+  }
+};
+var ApiError = class extends Error {
+  constructor(status, body, message) {
+    super(message ?? `API ${status}: ${body.slice(0, 200)}`);
+    this.status = status;
+    this.body = body;
+    this.name = "ApiError";
+  }
+  status;
+  body;
+};
+var ApiUnreachableError = class extends Error {
+  constructor(cause) {
+    super("Cannot reach the Balise API");
+    this.cause = cause;
+    this.name = "ApiUnreachableError";
+  }
+  cause;
+};
+var UNREACHABLE_CODES = /* @__PURE__ */ new Set([
+  "ECONNREFUSED",
+  "ENOTFOUND",
+  "ECONNRESET",
+  "ETIMEDOUT",
+  "EAI_AGAIN",
+  "UND_ERR_CONNECT_TIMEOUT",
+  "UND_ERR_SOCKET"
+]);
+function isUnreachable(err) {
+  if (!err || typeof err !== "object") return false;
+  const e = err;
+  if (e.code && UNREACHABLE_CODES.has(e.code)) return true;
+  if (e.cause?.code && UNREACHABLE_CODES.has(e.cause.code)) return true;
+  if (Array.isArray(e.errors)) {
+    return e.errors.some((inner) => isUnreachable(inner));
+  }
+  return false;
+}
+function wrapNetwork(fn) {
+  return fn().catch((err) => {
+    if (isUnreachable(err)) throw new ApiUnreachableError(err);
+    throw err;
+  });
+}
+var ApiClient = class {
+  constructor(opts) {
+    this.opts = opts;
+  }
+  opts;
+  async authHeader() {
+    const tokens = await loadTokens();
+    if (!tokens) throw new NotAuthenticatedError();
+    return { Authorization: `Bearer ${tokens.access_token}` };
+  }
+  /**
+   * Proactively refresh the access token if it expires within `graceSec`.
+   *
+   * Needed before non-replayable requests (e.g. uploadBundle, whose body is
+   * a `git archive` subprocess stdout that cannot be re-consumed). Without
+   * this the withAuth retry-on-401 path would kick in but the retry would
+   * send a drained stream (0 bytes).
+   *
+   * No-op when BALISE_TOKEN env var is in effect (stateless CI mode —
+   * caller is responsible for providing a fresh token).
+   */
+  async ensureFreshToken(graceSec = 60) {
+    if (process.env.BALISE_TOKEN && process.env.BALISE_TOKEN.length > 0) return;
+    const tokens = await loadTokens();
+    if (!tokens) throw new NotAuthenticatedError();
+    if (!tokens.expires_at || !tokens.client_id) return;
+    const secondsLeft = tokens.expires_at - Math.floor(Date.now() / 1e3);
+    if (secondsLeft > graceSec) return;
+    try {
+      const r = await refreshAccessToken({
+        supabaseUrl: this.opts.supabaseUrl,
+        refreshToken: tokens.refresh_token,
+        clientId: tokens.client_id
+      });
+      await saveTokens({
+        access_token: r.access_token,
+        refresh_token: r.refresh_token,
+        client_id: tokens.client_id,
+        expires_at: Math.floor(Date.now() / 1e3) + (r.expires_in ?? 3600),
+        user_id: r.user?.id ?? tokens.user_id
+      });
+    } catch {
+      throw new NotAuthenticatedError();
+    }
+  }
+  /**
+   * Execute a request, retrying exactly once after a 401 via refresh_token.
+   */
+  async withAuth(fn) {
+    let tokens = await loadTokens();
+    if (!tokens) throw new NotAuthenticatedError();
+    let res = await fn({ Authorization: `Bearer ${tokens.access_token}` });
+    if (res.status !== 401) {
+      if (res.status < 200 || res.status >= 300) {
+        throw new ApiError(res.status, res.text);
+      }
+      return res.json();
+    }
+    if (!tokens.client_id) {
+      throw new NotAuthenticatedError();
+    }
+    let refreshed;
+    try {
+      const r = await refreshAccessToken({
+        supabaseUrl: this.opts.supabaseUrl,
+        refreshToken: tokens.refresh_token,
+        clientId: tokens.client_id
+      });
+      refreshed = {
+        access_token: r.access_token,
+        refresh_token: r.refresh_token,
+        client_id: tokens.client_id,
+        expires_at: Math.floor(Date.now() / 1e3) + (r.expires_in ?? 3600),
+        user_id: r.user?.id ?? tokens.user_id
+      };
+      await saveTokens(refreshed);
+    } catch {
+      throw new NotAuthenticatedError();
+    }
+    res = await fn({ Authorization: `Bearer ${refreshed.access_token}` });
+    if (res.status < 200 || res.status >= 300) {
+      if (res.status === 401) throw new NotAuthenticatedError();
+      throw new ApiError(res.status, res.text);
+    }
+    return res.json();
+  }
+  async getJson(path4) {
+    const url = joinUrl(this.opts.apiUrl, path4);
+    return this.withAuth(async (headers) => {
+      const { statusCode, body } = await wrapNetwork(() => request2(url, {
+        method: "GET",
+        headers,
+        dispatcher: this.opts.dispatcher
+      }));
+      const text = await body.text();
+      return {
+        status: statusCode,
+        text,
+        json: () => JSON.parse(text)
+      };
+    });
+  }
+  async postJson(path4, payload) {
+    const url = joinUrl(this.opts.apiUrl, path4);
+    return this.withAuth(async (headers) => {
+      const { statusCode, body } = await wrapNetwork(() => request2(url, {
+        method: "POST",
+        headers: {
+          ...headers,
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify(payload),
+        dispatcher: this.opts.dispatcher
+      }));
+      const text = await body.text();
+      return {
+        status: statusCode,
+        text,
+        json: () => JSON.parse(text)
+      };
+    });
+  }
+  /**
+   * Raw-body bundle upload — streams a git bundle directly as the request body,
+   * metadata travels in the query string. Matches the FastAPI contract
+   * `POST /v1/repos/:owner/:slug/sync?commit_sha=...&branch=...`.
+   */
+  async uploadBundle(path4, opts) {
+    await this.ensureFreshToken();
+    const qs = new URLSearchParams(opts.query).toString();
+    const url = `${joinUrl(this.opts.apiUrl, path4)}${qs ? `?${qs}` : ""}`;
+    return this.withAuth(async (headers) => {
+      const { statusCode, body } = await wrapNetwork(() => request2(url, {
+        method: "POST",
+        headers: {
+          ...headers,
+          "Content-Type": "application/octet-stream"
+          // Chunked encoding is applied automatically by undici for streams
+          // when no Content-Length is set; setting it manually is rejected.
+        },
+        body: opts.bundleStream,
+        dispatcher: this.opts.dispatcher
+      }));
+      const text = await body.text();
+      return {
+        status: statusCode,
+        text,
+        json: () => JSON.parse(text)
+      };
+    });
+  }
+};
+function joinUrl(base, path4) {
+  return `${base.replace(/\/$/, "")}${path4.startsWith("/") ? path4 : `/${path4}`}`;
+}
+// src/config.ts
+import fs2 from "fs/promises";
+import path2 from "path";
+import ini from "ini";
+var CONFIG_DIR = ".balise";
+var CONFIG_FILE = "config";
+var DEFAULT_API_URL = process.env.BALISE_API_URL ?? "https://api.balise.dev";
+function configPath(cwd = process.cwd()) {
+  return path2.join(cwd, CONFIG_DIR, CONFIG_FILE);
+}
+async function readConfig(cwd = process.cwd()) {
+  const p = configPath(cwd);
+  let raw;
+  try {
+    raw = await fs2.readFile(p, "utf8");
+  } catch (err) {
+    if (err.code === "ENOENT") return null;
+    throw err;
+  }
+  const parsed = ini.parse(raw);
+  if (!parsed.repo?.id || !parsed.repo.slug || !parsed.repo.owner_login) {
+    throw new Error(`Invalid .balise/config at ${p}: missing [repo] fields`);
+  }
+  return {
+    repo: {
+      id: String(parsed.repo.id),
+      slug: String(parsed.repo.slug),
+      owner_login: String(parsed.repo.owner_login)
+    },
+    api: {
+      url: String(parsed.api?.url ?? DEFAULT_API_URL)
+    }
+  };
+}
+async function writeConfig(cfg, cwd = process.cwd()) {
+  const dir = path2.join(cwd, CONFIG_DIR);
+  await fs2.mkdir(dir, { recursive: true });
+  const serialized = ini.stringify(cfg);
+  await fs2.writeFile(path2.join(dir, CONFIG_FILE), serialized, "utf8");
+}
+async function ensureGitignored(cwd = process.cwd()) {
+  const gi = path2.join(cwd, ".gitignore");
+  let current = "";
+  try {
+    current = await fs2.readFile(gi, "utf8");
+  } catch (err) {
+    if (err.code !== "ENOENT") throw err;
+  }
+  const lines = current.split(/\r?\n/).map((l) => l.trim());
+  if (lines.some((l) => l === ".balise" || l === ".balise/")) return;
+  const suffix = current.length && !current.endsWith("\n") ? "\n" : "";
+  await fs2.writeFile(gi, `${current}${suffix}.balise/
+`, "utf8");
+}
+// src/commands/whoami.ts
+async function runWhoami(opts) {
+  const cfg = await readConfig().catch(() => null);
+  const apiUrl = cfg?.api.url ?? DEFAULT_API_URL;
+  const client = new ApiClient({
+    apiUrl,
+    supabaseUrl: opts.supabaseUrl,
+    clientId: opts.clientId
+  });
+  try {
+    const me = await client.getJson("/v1/me");
+    process.stdout.write(
+      `login       : ${me.login}
+type        : ${me.type}
+account_id  : ${me.account_id}
+` + (me.email ? `email       : ${me.email}
+` : "")
+    );
+  } catch (err) {
+    if (err instanceof NotAuthenticatedError) {
+      process.stderr.write("Not logged in \u2014 run `balise login`.\n");
+      process.exit(1);
+    }
+    throw err;
+  }
+}
+// src/commands/init.ts
+import path3 from "path";
+import React2 from "react";
+import { render } from "ink";
+// src/git.ts
+import { spawn } from "child_process";
+import { createReadStream } from "fs";
+import { unlink } from "fs/promises";
+import { randomBytes } from "crypto";
+import { tmpdir } from "os";
+import { join } from "path";
+var GitError = class extends Error {
+  constructor(args, code, stderr) {
+    super(`git ${args.join(" ")} failed (exit ${code}): ${stderr.trim()}`);
+    this.args = args;
+    this.code = code;
+    this.stderr = stderr;
+    this.name = "GitError";
+  }
+  args;
+  code;
+  stderr;
+};
+var NotAGitRepoError = class extends Error {
+  constructor(cwd) {
+    super(`not a git repo: ${cwd}`);
+    this.name = "NotAGitRepoError";
+  }
+};
+async function runGit(opts, args) {
+  const sp = opts.spawner ?? spawn;
+  return new Promise((resolve, reject) => {
+    const proc = sp("git", args, { cwd: opts.cwd, stdio: ["ignore", "pipe", "pipe"] });
+    let stdout = "";
+    let stderr = "";
+    proc.stdout?.on("data", (d) => {
+      stdout += d.toString();
+    });
+    proc.stderr?.on("data", (d) => {
+      stderr += d.toString();
+    });
+    proc.on("error", reject);
+    proc.on("close", (code) => {
+      if (code === 0) resolve(stdout);
+      else reject(new GitError(args, code, stderr));
+    });
+  });
+}
+async function isGitRepo(opts) {
+  try {
+    await runGit(opts, ["rev-parse", "--is-inside-work-tree"]);
+    return true;
+  } catch (err) {
+    if (err instanceof GitError) return false;
+    throw err;
+  }
+}
+async function assertGitRepo(opts) {
+  if (!await isGitRepo(opts)) {
+    throw new NotAGitRepoError(opts.cwd);
+  }
+}
+async function getCommitSha(opts, ref = "HEAD") {
+  return (await runGit(opts, ["rev-parse", ref])).trim();
+}
+async function getCurrentBranch(opts) {
+  return (await runGit(opts, ["rev-parse", "--abbrev-ref", "HEAD"])).trim();
+}
+async function isDirty(opts) {
+  const status = await runGit(opts, ["status", "--porcelain"]);
+  return status.trim().length > 0;
+}
+async function gitBundle(opts) {
+  await assertGitRepo(opts);
+  const [commitSha, branch, dirty] = await Promise.all([
+    getCommitSha(opts),
+    getCurrentBranch(opts),
+    isDirty(opts)
+  ]);
+  const tmpFile = join(
+    tmpdir(),
+    `balise-bundle-${randomBytes(8).toString("hex")}.bundle`
+  );
+  await runGit(opts, ["bundle", "create", tmpFile, "--all"]);
+  const stream = createReadStream(tmpFile);
+  const cleanup = () => {
+    unlink(tmpFile).catch(() => {
+    });
+  };
+  stream.on("close", cleanup);
+  stream.on("error", cleanup);
+  return { stream, commitSha, branch, dirty };
+}
+// src/auth-ensure.ts
+import readline from "readline/promises";
+import crypto3 from "crypto";
+import open2 from "open";
+var LoginDeclinedError = class extends Error {
+  constructor() {
+    super("login declined by user");
+    this.name = "LoginDeclinedError";
+  }
+};
+function isInteractive(stdin) {
+  const s = stdin ?? process.stdin;
+  return Boolean(s.isTTY);
+}
+async function ensureAuthenticated(opts) {
+  const existing = await loadTokens();
+  if (existing) return;
+  const stderr = opts.stderr ?? process.stderr;
+  if (!isInteractive(opts.stdin)) {
+    throw new LoginDeclinedError();
+  }
+  const rl = readline.createInterface({
+    input: opts.stdin ?? process.stdin,
+    output: opts.stdout ?? process.stdout
+  });
+  let answer;
+  try {
+    answer = (await rl.question("Not logged in. Login now? (Y/n) ")).trim();
+  } finally {
+    rl.close();
+  }
+  if (answer && !/^y(es)?$/i.test(answer)) {
+    throw new LoginDeclinedError();
+  }
+  const verifier = generateCodeVerifier();
+  const challenge = codeChallengeFor(verifier);
+  const state = crypto3.randomBytes(16).toString("hex");
+  const { port: portPromise, waitForCode } = startLoopbackServer(
+    opts.timeoutMs ?? 3e5
+  );
+  const port = await portPromise;
+  const redirectUri = `http://localhost:${port}/callback`;
+  const clientId = await registerClient({
+    supabaseUrl: opts.supabaseUrl,
+    clientName: "Balise CLI",
+    redirectUri
+  });
+  const url = buildAuthorizeUrl({
+    supabaseUrl: opts.supabaseUrl,
+    clientId,
+    redirectUri,
+    codeChallenge: challenge,
+    state
+  });
+  stderr.write(`Opening browser to log in\u2026
+  ${url}
+`);
+  const opener = opts.openBrowser ?? (async (u) => {
+    await open2(u);
+  });
+  try {
+    await opener(url);
+  } catch {
+    stderr.write("Could not auto-open browser. Copy the URL above manually.\n");
+  }
+  const code = await waitForCode;
+  const tokens = await exchangeCodeForTokens({
+    supabaseUrl: opts.supabaseUrl,
+    code,
+    codeVerifier: verifier,
+    redirectUri,
+    clientId
+  });
+  try {
+    await saveTokens({
+      access_token: tokens.access_token,
+      refresh_token: tokens.refresh_token,
+      client_id: clientId,
+      expires_at: Math.floor(Date.now() / 1e3) + (tokens.expires_in ?? 3600),
+      user_id: tokens.user?.id
+    });
+  } catch (err) {
+    if (err instanceof CredentialsError) {
+      stderr.write(`
+${err.message}
+${credentialsHelpMessage()}
+`);
+      throw err;
+    }
+    throw err;
+  }
+}
+// src/ui/InitPicker.tsx
+import React, { useState } from "react";
+import { Box, Text, useApp, useInput } from "ink";
+function InitPicker(props) {
+  const { exit } = useApp();
+  const [zone, setZone] = useState(
+    props.repos.length > 0 ? "link" : "create"
+  );
+  const [slug, setSlug] = useState(props.defaultSlug);
+  const [ownerIdx, setOwnerIdx] = useState(0);
+  const [repoIdx, setRepoIdx] = useState(0);
+  useInput((input, key) => {
+    if (key.escape) {
+      props.onDone({ action: "cancel" });
+      exit();
+      return;
+    }
+    if (key.tab) {
+      setZone((z) => z === "create" ? "link" : "create");
+      return;
+    }
+    if (key.return) {
+      if (zone === "create") {
+        if (!props.ownerships[ownerIdx]) return;
+        props.onDone({
+          action: "create",
+          slug,
+          owner: props.ownerships[ownerIdx]
+        });
+      } else {
+        if (!props.repos[repoIdx]) return;
+        props.onDone({ action: "link", repo: props.repos[repoIdx] });
+      }
+      exit();
+      return;
+    }
+    if (zone === "create") {
+      if (key.upArrow)
+        setOwnerIdx((i) => (i - 1 + props.ownerships.length) % Math.max(1, props.ownerships.length));
+      else if (key.downArrow)
+        setOwnerIdx((i) => (i + 1) % Math.max(1, props.ownerships.length));
+      else if (key.backspace || key.delete) setSlug((s) => s.slice(0, -1));
+      else if (input && /^[a-z0-9-]$/i.test(input))
+        setSlug((s) => (s + input).toLowerCase());
+    } else {
+      if (key.upArrow)
+        setRepoIdx((i) => (i - 1 + props.repos.length) % Math.max(1, props.repos.length));
+      else if (key.downArrow)
+        setRepoIdx((i) => (i + 1) % Math.max(1, props.repos.length));
+    }
+  });
+  return /* @__PURE__ */ React.createElement(Box, { flexDirection: "column", paddingX: 1 }, /* @__PURE__ */ React.createElement(Text, { bold: true }, "Balise \u2014 link or create a repo"), /* @__PURE__ */ React.createElement(Box, { marginTop: 1, flexDirection: "column" }, /* @__PURE__ */ React.createElement(Text, { color: zone === "create" ? "cyan" : "gray" }, zone === "create" ? "\u25B8 " : "  ", "Create new repo"), zone === "create" && /* @__PURE__ */ React.createElement(Box, { marginLeft: 2, flexDirection: "column" }, /* @__PURE__ */ React.createElement(Text, null, "slug : ", /* @__PURE__ */ React.createElement(Text, { color: "yellow" }, slug)), /* @__PURE__ */ React.createElement(Text, null, "owner: ", /* @__PURE__ */ React.createElement(Text, { color: "yellow" }, props.ownerships[ownerIdx] ? `${props.ownerships[ownerIdx].login} (${props.ownerships[ownerIdx].type})` : "<no ownership>"), " (\u2191/\u2193 to change)"))), /* @__PURE__ */ React.createElement(Box, { marginTop: 1, flexDirection: "column" }, /* @__PURE__ */ React.createElement(Text, { color: zone === "link" ? "cyan" : "gray" }, zone === "link" ? "\u25B8 " : "  ", "Link existing (", props.repos.length, ")"), zone === "link" && props.repos.length > 0 && /* @__PURE__ */ React.createElement(Box, { marginLeft: 2, flexDirection: "column" }, props.repos.map((r, i) => /* @__PURE__ */ React.createElement(Text, { key: r.id, color: i === repoIdx ? "yellow" : void 0 }, i === repoIdx ? "\u25B8 " : "  ", r.owner_login, "/", r.slug)))), /* @__PURE__ */ React.createElement(Box, { marginTop: 1 }, /* @__PURE__ */ React.createElement(Text, { dimColor: true }, "Tab: switch zone \xB7 \u2191/\u2193: navigate \xB7 Enter: confirm \xB7 Esc: cancel")));
+}
+// src/commands/init.ts
+async function runInit(opts) {
+  const cwd = opts.cwd ?? process.cwd();
+  try {
+    await assertGitRepo({ cwd });
+  } catch (err) {
+    if (err instanceof NotAGitRepoError) {
+      process.stderr.write("not a git repo\n");
+      process.exit(1);
+    }
+    throw err;
+  }
+  try {
+    await ensureAuthenticated({
+      supabaseUrl: opts.supabaseUrl,
+      clientId: opts.clientId
+    });
+  } catch (err) {
+    if (err instanceof LoginDeclinedError) {
+      process.stderr.write("Login required. Aborting.\n");
+      process.exit(1);
+    }
+    throw err;
+  }
+  const apiUrl = DEFAULT_API_URL;
+  const client = new ApiClient({
+    apiUrl,
+    supabaseUrl: opts.supabaseUrl,
+    clientId: opts.clientId
+  });
+  let ownerships = [];
+  let repos = [];
+  try {
+    const [me, orgs, repoList] = await Promise.all([
+      client.getJson("/v1/me"),
+      client.getJson("/v1/me/orgs"),
+      client.getJson("/v1/me/repos")
+    ]);
+    ownerships = [
+      { id: me.account_id, login: me.login, type: "user" },
+      ...orgs.map((o) => ({ id: o.id, login: o.login, type: "org" }))
+    ];
+    repos = repoList;
+  } catch (err) {
+    if (err instanceof NotAuthenticatedError) {
+      process.stderr.write("Not logged in \u2014 run `balise login` first.\n");
+      process.exit(1);
+    }
+    throw err;
+  }
+  const sortedRepos = [...repos].sort(
+    (a, b) => `${a.owner_login}/${a.slug}`.localeCompare(`${b.owner_login}/${b.slug}`)
+  );
+  const defaultSlug = path3.basename(cwd).toLowerCase();
+  const result = await new Promise((resolve) => {
+    const app = render(
+      React2.createElement(InitPicker, {
+        defaultSlug,
+        ownerships,
+        repos: sortedRepos,
+        onDone: (r) => {
+          resolve(r);
+          app.unmount();
+        }
+      })
+    );
+  });
+  if (result.action === "cancel") {
+    process.stderr.write("Cancelled.\n");
+    process.exit(1);
+  }
+  let cfg;
+  if (result.action === "create") {
+    const created = await client.postJson("/v1/repos", {
+      owner_id: result.owner.id,
+      slug: result.slug
+    });
+    cfg = {
+      repo: {
+        id: created.id,
+        slug: created.slug,
+        owner_login: created.owner_login
+      },
+      api: { url: apiUrl }
+    };
+  } else {
+    cfg = {
+      repo: {
+        id: result.repo.id,
+        slug: result.repo.slug,
+        owner_login: result.repo.owner_login
+      },
+      api: { url: apiUrl }
+    };
+  }
+  await writeConfig(cfg, cwd);
+  await ensureGitignored(cwd);
+  process.stdout.write(
+    `Linked ${cfg.repo.owner_login}/${cfg.repo.slug} \u2192 .balise/config
+`
+  );
+}
+// src/commands/sync.ts
+import React4 from "react";
+import { render as render2 } from "ink";
+// src/ui/SyncProgress.tsx
+import React3, { useEffect, useState as useState2 } from "react";
+import { Box as Box2, Text as Text2, useApp as useApp2 } from "ink";
+import Spinner from "ink-spinner";
+var QUEUED_MESSAGES = [
+  "Waiting for an agent willing to accept the job\u2026",
+  "Your request is in line. An agent will be assigned once one stops pretending to be busy.",
+  'Looking for an available agent. Most are currently "in a meeting."',
+  "Queued. An agent will pick this up as soon as they finish rereading the spec.",
+  "Your task is waiting for an agent with the right vibes.",
+  "Negotiating with an agent. They want a raise.",
+  "All agents are currently on strike. Sending in a scab.",
+  "Waiting for an agent to finish their coffee \u2615",
+  "An agent saw your task and walked away slowly. Finding another one.",
+  "Your task is being passed around like a hot potato. Someone will catch it eventually.",
+  "Agents are currently arguing about who has to do this one.",
+  "Waiting for an agent brave enough to open your repo.",
+  "Your task is sitting in the agent break room. Someone will notice it soon.",
+  "An agent was assigned, but they ghosted. Recruiting a replacement.",
+  "Paging an agent. Please hold while we bribe one.",
+  "Queued. Waiting for an agent with enough context window to care.",
+  "An agent is spinning up. They're doing their stretches.",
+  "Looking for an agent whose system prompt allows this.",
+  "Waiting for a worker. Their last task traumatized them.",
+  "Your task is in queue. Agents are busy arguing about tabs vs spaces.",
+  "Finding an agent\u2026",
+  "Found one. They said no.",
+  "Finding another agent\u2026",
+  "This one looks promising.",
+  "Negotiating\u2026"
+];
+var RUNNING_MESSAGES = [
+  "An agent is on it. Try not to watch.",
+  "Your task has an owner. They seem focused.",
+  "An agent accepted the job. Surprisingly.",
+  "Working. The agent asked not to be disturbed.",
+  "An agent is handling it. They'll let us know if they need anything.",
+  "Progress is happening. Allegedly.",
+  "An agent rolled up their sleeves. Mostly for show.",
+  "Hard at work. The agent has opened seventeen browser tabs.",
+  "Your agent is locked in. Do not make eye contact.",
+  "An agent is typing furiously. Some of it might be relevant.",
+  "Working. The agent has entered the zone. And also a Wikipedia rabbit hole.",
+  "An agent is deep in thought. Or buffering. Hard to tell.",
+  "Your task is being handled. The agent is muttering to themselves.",
+  "Cooking. \u{1F9D1}\u200D\u{1F373}",
+  "The agent is working. They've asked for snacks.",
+  "An agent is doing the thing. Please clap.",
+  "Agent is crunching tokens.",
+  "Working. The agent is reasoning about your reasoning.",
+  "An agent is in a tool-use loop. Going well so far.",
+  "Thinking hard. The agent just discovered your codebase has opinions.",
+  "Working. The agent is negotiating with your linter.",
+  "An agent is running. They promise it's not an infinite loop.",
+  "The agent is writing, deleting, and rewriting. Classic.",
+  "An agent picked it up.",
+  "They're reading the task\u2026",
+  "Looks like they have a plan.",
+  "Executing\u2026",
+  "Still going. Confidently.",
+  "Almost there. (They always say that.)"
+];
+function pickInitialIndex(len) {
+  return Math.floor(Math.random() * len);
+}
+function SyncProgress(props) {
+  const { exit } = useApp2();
+  const [status, setStatus] = useState2(null);
+  const [error, setError] = useState2(null);
+  const [startedAt] = useState2(() => Date.now());
+  const [queuedIdx, setQueuedIdx] = useState2(
+    () => pickInitialIndex(QUEUED_MESSAGES.length)
+  );
+  const [runningIdx, setRunningIdx] = useState2(
+    () => pickInitialIndex(RUNNING_MESSAGES.length)
+  );
+  useEffect(() => {
+    let cancelled = false;
+    const tick = async () => {
+      try {
+        const s = await props.client.getJson(
+          `/v1/syncs/${props.syncId}`
+        );
+        if (cancelled) return;
+        setStatus(s);
+        if (s.status === "done") {
+          props.onDone(true);
+          exit();
+          return;
+        }
+        if (s.status === "failed") {
+          props.onDone(false);
+          exit();
+          return;
+        }
+      } catch (err) {
+        if (cancelled) return;
+        setError(err.message);
+        props.onDone(false);
+        exit();
+        return;
+      }
+      setTimeout(tick, props.pollIntervalMs ?? 1e3);
+    };
+    void tick();
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+  useEffect(() => {
+    const period = props.messageRotationMs ?? 1e4;
+    const h = setInterval(() => {
+      setQueuedIdx((i) => (i + 1) % QUEUED_MESSAGES.length);
+      setRunningIdx((i) => (i + 1) % RUNNING_MESSAGES.length);
+    }, period);
+    return () => clearInterval(h);
+  }, [props.messageRotationMs]);
+  if (error) {
+    return /* @__PURE__ */ React3.createElement(Text2, { color: "red" }, "\u2717 Failed");
+  }
+  if (!status) {
+    return /* @__PURE__ */ React3.createElement(Box2, null, /* @__PURE__ */ React3.createElement(Text2, { color: "cyan" }, /* @__PURE__ */ React3.createElement(Spinner, { type: "dots" })), /* @__PURE__ */ React3.createElement(Text2, null, " Getting things ready\u2026"));
+  }
+  if (status.status === "done") {
+    return /* @__PURE__ */ React3.createElement(Text2, { color: "green" }, "\u2713 Done");
+  }
+  if (status.status === "failed") {
+    return /* @__PURE__ */ React3.createElement(Text2, { color: "red" }, "\u2717 Failed");
+  }
+  const message = status.status === "queued" ? QUEUED_MESSAGES[queuedIdx] : RUNNING_MESSAGES[runningIdx];
+  const { files_processed, files_total, nodes_pushed } = status.progress;
+  const hasCounters = status.status === "running" && (files_total > 0 || nodes_pushed > 0);
+  return /* @__PURE__ */ React3.createElement(Box2, { flexDirection: "column" }, /* @__PURE__ */ React3.createElement(Box2, null, /* @__PURE__ */ React3.createElement(Text2, { color: "cyan" }, /* @__PURE__ */ React3.createElement(Spinner, { type: "dots" })), /* @__PURE__ */ React3.createElement(Text2, null, " ", message)), hasCounters ? /* @__PURE__ */ React3.createElement(Text2, { dimColor: true }, "  ", files_processed, "/", files_total, " files \xB7 ", nodes_pushed, " concepts") : null);
+}
+// src/commands/sync.ts
+async function runSync(opts) {
+  try {
+    await runSyncInner(opts);
+  } catch (err) {
+    if (err instanceof ApiUnreachableError) {
+      process.stderr.write(
+        "Cannot reach the Balise service. Please try again in a moment.\n"
+      );
+    } else {
+      process.stderr.write("Something went wrong. Please try again.\n");
+    }
+    process.exit(1);
+  }
+}
+async function runSyncInner(opts) {
+  const cwd = opts.cwd ?? process.cwd();
+  try {
+    await assertGitRepo({ cwd });
+  } catch (err) {
+    if (err instanceof NotAGitRepoError) {
+      process.stderr.write("not a git repo\n");
+      process.exit(1);
+    }
+    throw err;
+  }
+  try {
+    await ensureAuthenticated({
+      supabaseUrl: opts.supabaseUrl,
+      clientId: opts.clientId
+    });
+  } catch (err) {
+    if (err instanceof LoginDeclinedError) {
+      process.stderr.write("Login required. Aborting.\n");
+      process.exit(1);
+    }
+    throw err;
+  }
+  let cfg = await readConfig(cwd);
+  if (!cfg) {
+    process.stderr.write("No .balise/config \u2014 running `balise init` first.\n");
+    await runInit({ ...opts, cwd });
+    cfg = await readConfig(cwd);
+    if (!cfg) {
+      process.stderr.write("Init cancelled. Aborting sync.\n");
+      process.exit(1);
+    }
+  }
+  if (await isDirty({ cwd })) {
+    process.stderr.write(
+      "Warning: working tree has uncommitted changes \u2014 syncing HEAD anyway.\n"
+    );
+  }
+  const client = new ApiClient({
+    apiUrl: cfg.api.url,
+    supabaseUrl: opts.supabaseUrl,
+    clientId: opts.clientId
+  });
+  process.stderr.write(
+    `Packing ${cfg.repo.owner_login}/${cfg.repo.slug} at HEAD\u2026
+`
+  );
+  const { stream, commitSha, branch } = await gitBundle({ cwd });
+  let accepted;
+  try {
+    accepted = await client.uploadBundle(
+      `/v1/repos/${cfg.repo.owner_login}/${cfg.repo.slug}/sync`,
+      {
+        bundleStream: stream,
+        query: { commit_sha: commitSha, branch }
+      }
+    );
+  } catch (err) {
+    if (err instanceof NotAuthenticatedError) {
+      process.stderr.write("Not logged in \u2014 run `balise login`.\n");
+      process.exit(1);
+    }
+    if (err instanceof ApiUnreachableError) {
+      process.stderr.write(
+        "Cannot reach the Balise service. Please try again in a moment.\n"
+      );
+      process.exit(1);
+    }
+    process.stderr.write(
+      "Something went wrong while uploading. Please try again.\n"
+    );
+    process.exit(1);
+  }
+  const result = await new Promise((resolve) => {
+    const app = render2(
+      React4.createElement(SyncProgress, {
+        client,
+        syncId: accepted.sync_id,
+        onDone: (ok) => {
+          resolve(ok);
+          app.unmount();
+        }
+      })
+    );
+  });
+  process.exit(result ? 0 : 1);
+}
+// src/index.ts
+var SUPABASE_URL = process.env.BALISE_SUPABASE_URL ?? "https://auth.balise.dev";
+var CLIENT_ID = process.env.BALISE_CLIENT_ID ?? "balise-cli";
+var loginCmd = defineCommand({
+  meta: { name: "login", description: "Authenticate via OAuth (PKCE loopback)." },
+  async run() {
+    await runLogin({ supabaseUrl: SUPABASE_URL, clientId: CLIENT_ID });
+  }
+});
+var logoutCmd = defineCommand({
+  meta: { name: "logout", description: "Clear stored credentials." },
+  async run() {
+    await runLogout();
+  }
+});
+var whoamiCmd = defineCommand({
+  meta: { name: "whoami", description: "Show current authenticated user." },
+  async run() {
+    await runWhoami({ supabaseUrl: SUPABASE_URL, clientId: CLIENT_ID });
+  }
+});
+var initCmd = defineCommand({
+  meta: {
+    name: "init",
+    description: "Link or create a Balise repo and write .balise/config."
+  },
+  async run() {
+    await runInit({ supabaseUrl: SUPABASE_URL, clientId: CLIENT_ID });
+  }
+});
+var syncCmd = defineCommand({
+  meta: {
+    name: "sync",
+    description: "Tarball current repo \u2192 upload \u2192 poll extraction progress."
+  },
+  async run() {
+    await runSync({ supabaseUrl: SUPABASE_URL, clientId: CLIENT_ID });
+  }
+});
+var main = defineCommand({
+  meta: {
+    name: "balise",
+    version: "0.1.0",
+    description: "Balise CLI \u2014 push codebase for spec extraction."
+  },
+  subCommands: {
+    login: loginCmd,
+    logout: logoutCmd,
+    whoami: whoamiCmd,
+    init: initCmd,
+    sync: syncCmd
+  }
+});
+void runMain(main);
+//# sourceMappingURL=index.js.map