@clipboard-health/groundcrew 4.0.3 → 4.2.0

package/dist/lib/workspaces.js

@@ -1,263 +1,15 @@
 /**
- * Workspace adapter — opens/lists/closes the host-side terminal session
+ * Workspace facade — opens/lists/closes the host-side terminal session
  * that runs an agent for one ticket. `Workspace.name` is the ticket id;
- * callers key on it. Adapters do their own internal lookup when their
- * backend uses opaque refs.
+ * callers key on it. The cmux and tmux backends live in their own files
+ * (`cmuxAdapter.ts`, `tmuxAdapter.ts`) behind the shared `Adapter`
+ * interface in `workspaceAdapter.ts`; this module resolves which one to
+ * use, caches it per config, and exposes the `workspaces` API.
  */
-import { runCommandAsync } from "./commandRunner.js";
+import { cmuxAdapter } from "./cmuxAdapter.js";
 import { detectHostCapabilities } from "./host.js";
-import { shellSingleQuote } from "./shell.js";
-import { errorMessage, log, readEnvironmentVariable } from "./util.js";
-async function runWorkspaceCommand(command, arguments_, signal) {
-    return signal === undefined
-        ? await runCommandAsync(command, arguments_)
-        : await runCommandAsync(command, arguments_, { signal });
-}
-function isSignalAborted(signal) {
-    return signal?.aborted === true;
-}
-function parseCmuxList(output) {
-    // oxlint-disable-next-line typescript/no-unsafe-type-assertion -- cmux --json list-workspaces always emits this shape
-    const parsed = JSON.parse(output);
-    const items = [];
-    /* v8 ignore next @preserve -- cmux always emits a workspaces field; default keeps the loop safe */
-    for (const ws of parsed.workspaces ?? []) {
-        if (typeof ws.title !== "string" || ws.title.length === 0) {
-            continue;
-        }
-        const id = pickCmuxId(ws);
-        if (id === undefined) {
-            log(`cmux list-workspaces returned workspace "${ws.title}" without a usable id or ref; skipping`);
-            continue;
-        }
-        items.push({ title: ws.title, id });
-    }
-    return items;
-}
-/**
- * The stable workspace handle cmux v2 expects in JSON-RPC params. Prefer
- * the UUID; fall back to the legacy `workspace:N` short ref when older
- * cmux builds don't surface it. Returns `undefined` when neither is
- * available — cmux v2 `workspace.close` rejects titles, so we must never
- * forward `title` as a workspace handle.
- */
-function pickCmuxId(ws) {
-    if (typeof ws.id === "string" && ws.id.length > 0) {
-        return ws.id;
-    }
-    if (typeof ws.ref === "string" && ws.ref.length > 0) {
-        return ws.ref;
-    }
-    return undefined;
-}
-async function listCmuxRaw(signal) {
-    try {
-        return parseCmuxList(await runWorkspaceCommand("cmux", ["--json", "list-workspaces"], signal));
-    }
-    catch (error) {
-        if (isSignalAborted(signal)) {
-            throw error;
-        }
-        log(`cmux list-workspaces failed: ${errorMessage(error)}`);
-        return undefined;
-    }
-}
-function extractCmuxOpenId(output) {
-    try {
-        // oxlint-disable-next-line typescript/no-unsafe-type-assertion -- cmux --json prints a workspace_id/ref object
-        const parsed = JSON.parse(output);
-        const uuid = parsed.workspace_id ?? parsed.id ?? "";
-        if (uuid.length > 0) {
-            return uuid;
-        }
-        const ref = parsed.workspace_ref ?? parsed.ref ?? "";
-        if (ref.length > 0) {
-            return ref;
-        }
-    }
-    catch {
-        /* not JSON; fall through to regex */
-    }
-    const match = /workspace:\d+/.exec(output);
-    return match ? match[0] : undefined;
-}
-/**
- * Inspect `cmux current-workspace`. When groundcrew is itself launched
- * inside a cmux SSH workspace, `workspace.create` lands the new workspace
- * on the local (macOS) cmux app rather than the remote where the agent's
- * worktree lives. We can't replicate cmux's full SSH bootstrap
- * (relay_port, daemon, etc.) from the remote side, so we instead wrap the
- * agent launch command in a plain `ssh` to the same destination. Returns
- * `undefined` when there is nothing to inherit, leaving callers free to
- * launch locally as usual.
- */
-async function probeCurrentCmuxRemote(signal) {
-    if (readEnvironmentVariable("CMUX_WORKSPACE_ID") === undefined) {
-        return undefined;
-    }
-    let output;
-    try {
-        output = await runWorkspaceCommand("cmux", ["--json", "current-workspace"], signal);
-    }
-    catch (error) {
-        if (isSignalAborted(signal)) {
-            throw error;
-        }
-        // CMUX_WORKSPACE_ID is set, so we are inside a cmux workspace and a
-        // probe failure means we cannot tell whether this is an SSH context.
-        // Silently degrading to the local path would point cmux at a working
-        // directory that lives on a remote host; surface the failure instead
-        // so the caller can roll the worktree back rather than launch into
-        // the void.
-        throw new Error(`cmux current-workspace probe failed while CMUX_WORKSPACE_ID is set: ${errorMessage(error)}`, { cause: error });
-    }
-    try {
-        // oxlint-disable-next-line typescript/no-unsafe-type-assertion -- cmux --json current-workspace shape per v2 API
-        const parsed = JSON.parse(output);
-        const remote = parsed.workspace?.remote;
-        if (remote === undefined ||
-            remote.connected !== true ||
-            remote.transport !== "ssh" ||
-            typeof remote.destination !== "string" ||
-            remote.destination.length === 0) {
-            return undefined;
-        }
-        const inherited = { destination: remote.destination };
-        if (typeof remote.port === "number") {
-            inherited.port = remote.port;
-        }
-        if (typeof remote.identity_file === "string" && remote.identity_file.length > 0) {
-            inherited.identity_file = remote.identity_file;
-        }
-        if (Array.isArray(remote.ssh_options) && remote.ssh_options.length > 0) {
-            inherited.ssh_options = remote.ssh_options;
-        }
-        return inherited;
-    }
-    catch (error) {
-        // Same reasoning as the command-failure branch above: with
-        // CMUX_WORKSPACE_ID set, malformed JSON means we cannot decide
-        // between local and SSH context, so refuse rather than silently
-        // launching at the wrong working directory.
-        throw new Error(`cmux current-workspace returned malformed output while CMUX_WORKSPACE_ID is set: ${errorMessage(error)}`, { cause: error });
-    }
-}
-/**
- * Compose an `ssh -t <destination> -- <cd && cmd>` invocation that lands
- * a new cmux workspace's terminal on the same SSH remote where
- * groundcrew is running. Path-bearing fields (`cwd`, the launch script
- * inside `command`) stay valid because the remote shell evaluates them.
- * The outermost return value is a single shell string suitable for
- * `cmux new-workspace --command`.
- */
-function buildSshWrappedCommand(spec, remote) {
-    const remoteShell = `cd ${shellSingleQuote(spec.cwd)} && ${spec.command}`;
-    const sshTokens = ["ssh", "-t"];
-    if (remote.port !== undefined) {
-        sshTokens.push("-p", String(remote.port));
-    }
-    if (remote.identity_file !== undefined) {
-        sshTokens.push("-i", shellSingleQuote(remote.identity_file));
-    }
-    for (const option of remote.ssh_options ?? []) {
-        sshTokens.push("-o", shellSingleQuote(option));
-    }
-    sshTokens.push(shellSingleQuote(remote.destination), "--", shellSingleQuote(remoteShell));
-    return sshTokens.join(" ");
-}
-async function applyCmuxStatus(workspaceId, status, signal) {
-    const arguments_ = ["set-status", "model", status.text];
-    if (status.icon !== undefined) {
-        arguments_.push("--icon", status.icon);
-    }
-    if (status.color !== undefined) {
-        arguments_.push("--color", status.color);
-    }
-    arguments_.push("--workspace", workspaceId);
-    await runWorkspaceCommand("cmux", arguments_, signal);
-}
-async function closeCmuxWorkspace(workspaceId, signal) {
-    await runWorkspaceCommand("cmux", ["close-workspace", "--workspace", workspaceId], signal);
-}
-function isCmuxSetStatusUnsupported(error) {
-    return errorMessage(error).includes('unknown command "set-status"');
-}
-const cmuxAdapter = {
-    async open(spec, signal) {
-        const inheritedRemote = await probeCurrentCmuxRemote(signal);
-        const newWorkspaceArguments = ["--json", "new-workspace", "--name", spec.name];
-        if (inheritedRemote === undefined) {
-            newWorkspaceArguments.push("--cwd", spec.cwd, "--command", spec.command);
-        }
-        else {
-            // Skip --cwd: the path is on the SSH remote and would fall back to
-            // $HOME (macOS) when cmux tries to chdir locally. The wrapped ssh
-            // command does its own `cd` on the remote side.
-            newWorkspaceArguments.push("--command", buildSshWrappedCommand(spec, inheritedRemote));
-        }
-        const output = await runWorkspaceCommand("cmux", newWorkspaceArguments, signal);
-        const workspaceId = extractCmuxOpenId(output);
-        if (workspaceId === undefined) {
-            log(`cmux new-workspace returned unrecognized output for ${spec.name}; if a workspace was created, run \`cmux close-workspace\` manually.`);
-            throw new Error(`Unexpected cmux output: ${output}`);
-        }
-        if (spec.status !== undefined) {
-            try {
-                await applyCmuxStatus(workspaceId, spec.status, signal);
-            }
-            catch (error) {
-                // Status pills are best-effort. cmux v2+ dropped `set-status` entirely,
-                // so swallow that specific gap silently; surface anything else so a real
-                // regression doesn't hide behind the same swallow.
-                if (!isCmuxSetStatusUnsupported(error)) {
-                    log(`cmux set-status failed for ${spec.name} (continuing): ${errorMessage(error)}`);
-                }
-            }
-        }
-    },
-    async list(signal) {
-        const raw = await listCmuxRaw(signal);
-        return raw?.map((ws) => ({ name: ws.title }));
-    },
-    async close(name, signal) {
-        const raw = await listCmuxRaw(signal);
-        if (raw === undefined) {
-            // cmux v2 `workspace.close` rejects titles, so forwarding `name`
-            // would always fail. The list failure has already been logged by
-            // `listCmuxRaw`; bail rather than guarantee a downstream error.
-            log(`cmux close-workspace skipped for ${name}: list-workspaces failed, no usable id`);
-            return { kind: "unavailable" };
-        }
-        const match = raw.find((ws) => ws.title === name);
-        if (match === undefined) {
-            return { kind: "missing" };
-        }
-        try {
-            await closeCmuxWorkspace(match.id, signal);
-            return { kind: "closed" };
-        }
-        catch (error) {
-            if (isSignalAborted(signal)) {
-                throw error;
-            }
-            const remaining = await listCmuxRaw(signal);
-            if (remaining === undefined) {
-                return { kind: "unavailable", error };
-            }
-            const isStillPresent = remaining.some((ws) => ws.title === name);
-            if (!isStillPresent) {
-                return { kind: "closed" };
-            }
-            throw error;
-        }
-    },
-    accessHint(_name) {
-        // cmux is a TUI; users surface workspaces by launching the cmux app,
-        // not a shell command. No useful hint to emit.
-        // oxlint-disable-next-line unicorn/no-useless-undefined -- explicit signal that the backend has no hint
-        return undefined;
-    },
-};
+import { tmuxAdapter } from "./tmuxAdapter.js";
+import { isSignalAborted, } from "./workspaceAdapter.js";
 export function resolveWorkspaceKind(arguments_) {
     const { config, host } = arguments_;
     const requested = config.workspaceKind;
@@ -290,154 +42,6 @@ function failIfBinaryUnavailable(kind, host) {
         throw new Error(`workspaceKind '${kind}' is set but the ${kind} binary is not on PATH. Install ${kind} or change the setting.`);
     }
 }
-const TMUX_SESSION = "groundcrew";
-// `tmux new-session -d -s …` always creates one initial window. Without
-// `-n`, that window is named after the running shell (e.g. "0" / "zsh") and
-// would surface from `list()` as a phantom workspace. We name it with this
-// sentinel and filter it out — it stays around as a placeholder so the
-// session doesn't collapse when the last ticket window closes.
-const TMUX_IDLE_WINDOW = "_groundcrew_idle";
-function tmuxTarget(name) {
-    return `${TMUX_SESSION}:${name}`;
-}
-function isTmuxNotFoundError(error) {
-    // runCommand surfaces the child's stderr in error.message, so the "no
-    // server" / "missing session" / "can't find window" signatures are visible
-    // without a separate stderr probe.
-    const message = errorMessage(error);
-    return (message.includes("no server running") ||
-        message.includes("can't find session") ||
-        message.includes("can't find window"));
-}
-async function probeTmuxList(format, signal) {
-    try {
-        return {
-            status: "ok",
-            output: await runWorkspaceCommand("tmux", ["list-windows", "-t", TMUX_SESSION, "-F", format], signal),
-        };
-    }
-    catch (error) {
-        if (isSignalAborted(signal)) {
-            throw error;
-        }
-        if (isTmuxNotFoundError(error)) {
-            return { status: "missing" };
-        }
-        return { status: "failed", reason: errorMessage(error) };
-    }
-}
-async function ensureTmuxSession(signal) {
-    try {
-        await runWorkspaceCommand("tmux", ["has-session", "-t", TMUX_SESSION], signal);
-        return;
-    }
-    catch (error) {
-        if (isSignalAborted(signal)) {
-            throw error;
-        }
-        /* session missing or server down; create it */
-    }
-    try {
-        await runWorkspaceCommand("tmux", ["new-session", "-d", "-s", TMUX_SESSION, "-n", TMUX_IDLE_WINDOW], signal);
-    }
-    catch (error) {
-        if (isSignalAborted(signal)) {
-            throw error;
-        }
-        try {
-            await runWorkspaceCommand("tmux", ["has-session", "-t", TMUX_SESSION], signal);
-        }
-        catch {
-            throw error;
-        }
-    }
-}
-function parseTmuxWindows(output) {
-    const items = [];
-    for (const line of output.split("\n")) {
-        if (line.length === 0) {
-            continue;
-        }
-        const [name, deadFlag] = line.split("\t");
-        /* v8 ignore next 3 @preserve -- split on a non-empty string always yields a non-empty first element */
-        if (name === undefined || name.length === 0) {
-            continue;
-        }
-        if (name === TMUX_IDLE_WINDOW) {
-            continue;
-        }
-        // pane_dead != 0 means the command exited and the window is a zombie
-        // (only happens when remain-on-exit is on; defense in depth in case a
-        // user-globally-set value beats our per-window override).
-        if (deadFlag !== undefined && deadFlag !== "0") {
-            continue;
-        }
-        items.push({ name });
-    }
-    return items;
-}
-const tmuxAdapter = {
-    async open(spec, signal) {
-        await ensureTmuxSession(signal);
-        const target = tmuxTarget(spec.name);
-        const keepDeadWindowsEnv = readEnvironmentVariable("GROUNDCREW_KEEP_DEAD_WINDOWS");
-        const keepDeadWindows = keepDeadWindowsEnv !== undefined && keepDeadWindowsEnv.length > 0;
-        await runWorkspaceCommand("tmux", [
-            "new-window",
-            "-d",
-            "-t",
-            TMUX_SESSION,
-            "-n",
-            spec.name,
-            "-c",
-            spec.cwd,
-            spec.command,
-            ";",
-            "set-window-option",
-            "-t",
-            target,
-            "remain-on-exit",
-            keepDeadWindows ? "on" : "off",
-            ";",
-            "set-window-option",
-            "-t",
-            target,
-            "allow-rename",
-            "off",
-        ], signal);
-        // tmux can't paint status pills; spec.status is silently dropped.
-    },
-    async list(signal) {
-        const probe = await probeTmuxList("#{window_name}\t#{pane_dead}", signal);
-        if (probe.status === "missing") {
-            return [];
-        }
-        if (probe.status === "failed") {
-            log(`tmux list-windows failed: ${probe.reason}`);
-            // oxlint-disable-next-line unicorn/no-useless-undefined -- undefined marks the workspace backend as unavailable.
-            return undefined;
-        }
-        return parseTmuxWindows(probe.output);
-    },
-    async close(name, signal) {
-        try {
-            await runWorkspaceCommand("tmux", ["kill-window", "-t", tmuxTarget(name)], signal);
-            return { kind: "closed" };
-        }
-        catch (error) {
-            if (isSignalAborted(signal)) {
-                throw error;
-            }
-            if (isTmuxNotFoundError(error)) {
-                return { kind: "missing" };
-            }
-            throw error;
-        }
-    },
-    accessHint(name) {
-        return { kind: "attachCommand", command: `tmux attach -t ${tmuxTarget(name)}` };
-    },
-};
 // Per-config cache: production resolves the adapter once at first use
 // (loadConfig returns a frozen, cached instance); each test uses a fresh
 // config object so the cache invalidates naturally between tests.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@clipboard-health/groundcrew",
-  "version": "4.0.3",
+  "version": "4.2.0",
   "description": "Linear-driven orchestrator that launches AI coding agents in git worktrees, with workspace lifecycle and usage tracking.",
   "keywords": [
     "agent",
@@ -68,7 +68,6 @@
   },
   "dependencies": {
     "@clipboard-health/clearance": "1.0.8",
-    "@inquirer/checkbox": "5.1.5",
     "@linear/sdk": "86.0.0",
     "cosmiconfig": "9.0.1",
     "tslib": "2.8.1",

package/dist/commands/sandbox/auth.d.ts

@@ -1,3 +0,0 @@
-import type { ResolvedConfig } from "../../lib/config.ts";
-export declare function runAuth(config: ResolvedConfig, argv: string[]): Promise<void>;
-//# sourceMappingURL=auth.d.ts.map

package/dist/commands/sandbox/auth.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/commands/sandbox/auth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAc,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAuNtE,wBAAsB,OAAO,CAAC,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAcnF"}

package/dist/commands/sandbox/auth.js

@@ -1,227 +0,0 @@
-import { runCommandAsync } from "../../lib/commandRunner.js";
-import { writeOutput } from "../../lib/util.js";
-import { ensureOne } from "./lifecycle.js";
-import { resolveModel, sandboxModels } from "./model.js";
-import { pickTools } from "./picker.js";
-/**
- * Built-in recipes shipped with crew. Users register additional tools
- * by adding entries under `sandbox.authRecipes` in `crew.config.ts`;
- * a user recipe under the same key overrides the built-in.
- *
- * `kind: "agent"` recipes only appear in the picker when the current
- * sandbox's agent matches the recipe key. `kind: "tool"` (the default
- * for user recipes) is cross-cutting and always appears.
- */
-const BUILTIN_AUTH_RECIPES = {
-    claude: {
-        displayName: "Claude",
-        loginArgs: ["auth", "login"],
-        statusArgs: ["auth", "status"],
-        authenticatedPattern: /"loggedIn"\s*:\s*true/,
-        kind: "agent",
-    },
-    codex: {
-        displayName: "Codex",
-        // `--device-auth` keeps the OAuth flow headless: codex prints a URL
-        // and a code instead of trying to open a browser inside the sandbox.
-        loginArgs: ["login", "--device-auth"],
-        statusArgs: ["login", "status"],
-        // Match "Logged in using …" but not a hypothetical "Not logged in".
-        authenticatedPattern: /(^|\W)Logged in using\b/i,
-        kind: "agent",
-    },
-    cursor: {
-        displayName: "Cursor",
-        binary: "cursor-agent",
-        loginArgs: ["login"],
-        statusArgs: ["status"],
-        // Authenticated output is "✓ Logged in as <email>"; the unauthenticated
-        // output is "Not logged in", which a loose /Logged in/i would falsely
-        // match.
-        authenticatedPattern: /Logged in as\b/i,
-        kind: "agent",
-        // cursor-agent tries to open a browser by default and silently
-        // writes a partial auth file when xdg-open fails; this env var
-        // switches it to a device-code flow that works without a browser.
-        env: { NO_OPEN_BROWSER: "1" },
-    },
-    github: {
-        displayName: "GitHub CLI",
-        binary: "gh",
-        loginArgs: ["auth", "login"],
-        statusArgs: ["auth", "status"],
-        authenticatedPattern: /Logged in to github\.com/i,
-        kind: "tool",
-    },
-};
-function binaryFor(toolKey, recipe) {
-    return recipe.binary ?? toolKey;
-}
-function envFlags(recipe) {
-    const entries = Object.entries(recipe.env ?? {});
-    return entries.flatMap(([key, value]) => ["-e", `${key}=${value}`]);
-}
-// User-supplied recipes can carry arbitrary tokens; wrap each in single
-// quotes so spaces and shell metacharacters can't change how the in-sandbox
-// shell tokenizes the status command.
-function shellQuote(value) {
-    return `'${value.replaceAll("'", `'\\''`)}'`;
-}
-async function probeAuthStatus(sandboxName, toolKey, recipe) {
-    // Some CLIs print status to stderr instead of stdout (codex does
-    // this). Fold stderr into stdout via the in-sandbox shell so the
-    // pattern match sees the message regardless of which stream it
-    // landed on.
-    const innerCommand = `${[binaryFor(toolKey, recipe), ...recipe.statusArgs]
-        .map(shellQuote)
-        .join(" ")} 2>&1`;
-    try {
-        const output = await runCommandAsync("sbx", [
-            "exec",
-            ...envFlags(recipe),
-            sandboxName,
-            "sh",
-            "-c",
-            innerCommand,
-        ]);
-        // Reset lastIndex so a /g or /y user recipe doesn't carry state
-        // across probes and return a false negative.
-        recipe.authenticatedPattern.lastIndex = 0;
-        return recipe.authenticatedPattern.test(output);
-    }
-    catch {
-        return false;
-    }
-}
-async function loginAndVerify(input) {
-    const { sandboxName, toolKey, recipe, modelName, gitDefaults } = input;
-    const binary = binaryFor(toolKey, recipe);
-    writeOutput(`${sandboxName}: launching '${recipe.displayName}' login...`);
-    writeOutput("Complete the login flow in the prompts/browser, then return here.");
-    await runCommandAsync("sbx", ["exec", "-it", ...envFlags(recipe), sandboxName, binary, ...recipe.loginArgs], { stdio: "inherit" });
-    writeOutput("");
-    writeOutput(`${sandboxName}: verifying '${recipe.displayName}' authentication...`);
-    const authenticated = await probeAuthStatus(sandboxName, toolKey, recipe);
-    if (authenticated) {
-        writeOutput(`${sandboxName}: '${recipe.displayName}' authenticated.`);
-        if (gitDefaults && toolKey === "github" && binary === "gh") {
-            await runGhSetupGit(sandboxName);
-        }
-        return;
-    }
-    writeOutput(`${sandboxName}: could not confirm '${recipe.displayName}' authentication — re-run 'crew sandbox auth ${modelName}' to retry.`);
-}
-/**
- * Register `gh` as git's credential helper inside the sandbox so HTTPS
- * pushes succeed without prompting. Best-effort — a failure here doesn't
- * undo the login itself, so we warn and move on.
- */
-async function runGhSetupGit(sandboxName) {
-    writeOutput(`${sandboxName}: wiring 'gh' as git credential helper...`);
-    try {
-        await runCommandAsync("sbx", ["exec", sandboxName, "gh", "auth", "setup-git"]);
-        writeOutput(`${sandboxName}: 'gh auth setup-git' done.`);
-    }
-    catch (error) {
-        writeOutput(`${sandboxName}: warning — 'gh auth setup-git' failed: ${String(error)}`);
-    }
-}
-function availableRecipes(config) {
-    const merged = {
-        ...BUILTIN_AUTH_RECIPES,
-        ...config.sandbox.authRecipes,
-    };
-    return Object.entries(merged)
-        .map(([key, recipe]) => ({ key, recipe }))
-        .toSorted((a, b) => a.key.localeCompare(b.key));
-}
-function shouldShowInPicker(entry, currentAgent) {
-    // Tools (the default) appear in every sandbox. Agent recipes only
-    // appear when they match the current sandbox's agent, so opening
-    // 'crew sandbox auth codex' doesn't list Claude or Cursor.
-    const kind = entry.recipe.kind ?? "tool";
-    return kind === "tool" || entry.key === currentAgent;
-}
-const AUTH_USAGE = "Usage: crew sandbox auth <model> | --all";
-function parseAuthArgs(config, argv) {
-    const positionals = [];
-    let all = false;
-    for (const argument of argv) {
-        if (argument === "--all") {
-            all = true;
-            continue;
-        }
-        if (argument.startsWith("-")) {
-            throw new Error(`crew sandbox auth: unknown option '${argument}'`);
-        }
-        positionals.push(argument);
-    }
-    if (all && positionals.length > 0) {
-        throw new Error("crew sandbox auth: --all cannot be combined with a model name");
-    }
-    if (all) {
-        const models = sandboxModels(config);
-        if (models.length === 0) {
-            throw new Error("crew sandbox auth --all: no sandbox-bearing models configured");
-        }
-        return { models: models.map((model) => ({ modelName: model.modelName, model })) };
-    }
-    const [modelName, ...extras] = positionals;
-    if (modelName === undefined || extras.length > 0) {
-        throw new Error(AUTH_USAGE);
-    }
-    return { models: [{ modelName, model: resolveModel(config, modelName) }] };
-}
-export async function runAuth(config, argv) {
-    const { models } = parseAuthArgs(config, argv);
-    for (const [index, { modelName, model }] of models.entries()) {
-        if (models.length > 1) {
-            writeOutput("");
-            writeOutput(`════ ${modelName} (${index + 1}/${models.length}) ════`);
-        }
-        writeOutput(`${model.sandboxName}: ensuring sandbox is up...`);
-        // oxlint-disable-next-line no-await-in-loop -- each sandbox is interactive; running them sequentially keeps the prompts coherent
-        await ensureOne(config, model);
-        writeOutput("");
-        // oxlint-disable-next-line no-await-in-loop -- intentionally sequential, see above
-        await runAuthInteractive(config, model, modelName);
-    }
-}
-async function runAuthInteractive(config, model, modelName) {
-    const recipes = availableRecipes(config).filter((entry) => shouldShowInPicker(entry, model.sandbox.agent));
-    writeOutput(`${model.sandboxName}: probing authentication status for ${recipes.length} tools...`);
-    const statuses = await Promise.all(recipes.map(async ({ key, recipe }) => ({
-        key,
-        recipe,
-        authenticated: await probeAuthStatus(model.sandboxName, key, recipe),
-    })));
-    const choices = statuses.map(({ key, recipe, authenticated }) => ({
-        key,
-        label: `${recipe.displayName} (${key})`,
-        authenticated,
-    }));
-    writeOutput("");
-    const selectedKeys = await pickTools(choices);
-    if (selectedKeys.length === 0) {
-        writeOutput("Nothing selected. Exiting.");
-        return;
-    }
-    const selectedRecipes = new Map(statuses.map((entry) => [entry.key, entry.recipe]));
-    for (const key of selectedKeys) {
-        const recipe = selectedRecipes.get(key);
-        /* v8 ignore next 3 @preserve - defensive; selectedKeys come from the same map */
-        if (recipe === undefined) {
-            continue;
-        }
-        writeOutput("");
-        writeOutput(`── ${recipe.displayName} ──`);
-        // oxlint-disable-next-line no-await-in-loop -- each login is interactive; running them sequentially keeps the prompts coherent
-        await loginAndVerify({
-            sandboxName: model.sandboxName,
-            toolKey: key,
-            recipe,
-            modelName,
-            gitDefaults: config.sandbox.gitDefaults,
-        });
-    }
-}

package/dist/commands/sandbox/index.d.ts

@@ -1,2 +0,0 @@
-export declare function sandboxCli(argv: string[]): Promise<void>;
-//# sourceMappingURL=index.d.ts.map

package/dist/commands/sandbox/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/commands/sandbox/index.ts"],"names":[],"mappings":"AAkBA,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CA8B9D"}