@corsair-dev/cli 0.1.1

package/dist/index.js

@@ -0,0 +1,1302 @@
+#!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// get-tsconfig-info.ts
+import fs from "fs";
+import path from "path";
+function stripJsonComments(jsonString) {
+  return jsonString.replace(
+    /\\"|"(?:\\"|[^"])*"|(\/\/.*|\/\*[\s\S]*?\*\/)/g,
+    (m, g) => g ? "" : m
+  ).replace(/,(?=\s*[}\]])/g, "");
+}
+function getTsconfigInfo(cwd, flatPath) {
+  let tsConfigPath;
+  if (flatPath) {
+    tsConfigPath = flatPath;
+  } else {
+    tsConfigPath = cwd ? path.join(cwd, "tsconfig.json") : path.join("tsconfig.json");
+  }
+  try {
+    const text2 = fs.readFileSync(tsConfigPath, "utf-8");
+    return JSON.parse(stripJsonComments(text2));
+  } catch (error) {
+    throw error;
+  }
+}
+var init_get_tsconfig_info = __esm({
+  "get-tsconfig-info.ts"() {
+    "use strict";
+  }
+});
+
+// auth.ts
+var auth_exports = {};
+__export(auth_exports, {
+  runAuth: () => runAuth
+});
+import * as http from "http";
+import * as https from "https";
+import * as net from "net";
+import * as querystring from "querystring";
+import {
+  CORSAIR_INTERNAL,
+  createAccountKeyManager,
+  createIntegrationKeyManager,
+  encryptDEK,
+  generateDEK
+} from "corsair/core";
+import { createCorsairOrm } from "corsair/orm";
+function out(data) {
+  console.log(JSON.stringify(data));
+}
+function getOAuthConfigForPlugin(plugin) {
+  return plugin.oauthConfig ?? null;
+}
+function getAuthType(plugin) {
+  return plugin.options?.authType;
+}
+function getCustomIntegrationFields(plugin, authType) {
+  const authConfig = plugin.authConfig;
+  return authConfig?.[authType]?.integration ?? [];
+}
+function getCustomAccountFields(plugin, authType) {
+  const authConfig = plugin.authConfig;
+  return authConfig?.[authType]?.account ?? [];
+}
+function findFreePort() {
+  return new Promise((resolve, reject) => {
+    const server = net.createServer();
+    server.listen(0, "127.0.0.1", () => {
+      const address = server.address();
+      const port = typeof address === "object" && address ? address.port : 0;
+      server.close((err) => {
+        if (err) reject(err);
+        else resolve(port);
+      });
+    });
+    server.on("error", reject);
+  });
+}
+function waitForOAuthCode(port) {
+  return new Promise((resolve, reject) => {
+    const server = http.createServer((req, res) => {
+      const url = new URL(req.url ?? "/", `http://localhost:${port}`);
+      const code = url.searchParams.get("code");
+      const error = url.searchParams.get("error");
+      if (error) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(`<html><body><h2>Authorization failed: ${error}</h2><p>You can close this tab.</p></body></html>`);
+        server.close();
+        reject(new Error(`OAuth error: ${error}`));
+        return;
+      }
+      if (code) {
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end("<html><body><h2>Authorization successful!</h2><p>You can close this tab and return to the terminal.</p></body></html>");
+        server.close();
+        resolve(code);
+      } else {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end("<html><body><h2>No code received.</h2><p>You can close this tab.</p></body></html>");
+      }
+    });
+    server.listen(port, "127.0.0.1", () => {
+    });
+    server.on("error", reject);
+  });
+}
+function exchangeCodeForTokens(code, clientId, clientSecret, oauthConfig, redirectUri) {
+  const tokenUrl = new URL(oauthConfig.tokenUrl);
+  const useBasicAuth = oauthConfig.tokenAuthMethod === "basic";
+  return new Promise((resolve, reject) => {
+    const postDataParams = {
+      code: code.trim(),
+      redirect_uri: redirectUri,
+      grant_type: "authorization_code"
+    };
+    if (!useBasicAuth) {
+      postDataParams.client_id = clientId;
+      postDataParams.client_secret = clientSecret;
+    }
+    const postData = querystring.stringify(postDataParams);
+    const headers = {
+      "Content-Type": "application/x-www-form-urlencoded",
+      "Content-Length": Buffer.byteLength(postData).toString()
+    };
+    if (useBasicAuth) {
+      headers.Authorization = `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString("base64")}`;
+    }
+    const req = https.request(
+      { hostname: tokenUrl.hostname, path: tokenUrl.pathname, method: "POST", headers },
+      (res) => {
+        let data = "";
+        res.on("data", (chunk) => {
+          data += chunk;
+        });
+        res.on("end", () => {
+          if (res.statusCode !== 200) {
+            reject(new Error(`Token exchange failed: ${data}`));
+            return;
+          }
+          resolve(JSON.parse(data));
+        });
+      }
+    );
+    req.on("error", (error) => reject(new Error(`Request failed: ${error.message}`)));
+    req.write(postData);
+    req.end();
+  });
+}
+async function extractInternalConfig(cwd) {
+  const instance = await getCorsairInstance({ cwd, shouldThrowOnError: true });
+  const internal = instance[CORSAIR_INTERNAL];
+  if (!internal) {
+    throw new Error(
+      "Could not read internal config from Corsair instance. Make sure you are using the latest version of corsair."
+    );
+  }
+  return internal;
+}
+async function ensureIntegration(database, pluginId, kek) {
+  const orm = createCorsairOrm(database);
+  const existing = await orm.integrations.findByName(pluginId);
+  if (existing) return { id: existing.id };
+  const dek = generateDEK();
+  const encryptedDek = await encryptDEK(dek, kek);
+  const row = await orm.integrations.create({ name: pluginId, config: {}, dek: encryptedDek });
+  return { id: row.id };
+}
+async function ensureAccount(database, integrationId, tenantId, kek) {
+  const orm = createCorsairOrm(database);
+  const existing = await orm.accounts.findOne({ tenant_id: tenantId, integration_id: integrationId });
+  if (existing) return;
+  const dek = generateDEK();
+  const encryptedDek = await encryptDEK(dek, kek);
+  await orm.accounts.create({ tenant_id: tenantId, integration_id: integrationId, config: {}, dek: encryptedDek });
+}
+async function oauthGetUrl(database, plugin, kek, tenantId) {
+  const oauthCfg = getOAuthConfigForPlugin(plugin);
+  if (!oauthCfg) {
+    out({ error: `No oauthConfig defined on plugin '${plugin.id}'.` });
+    return;
+  }
+  const extraFields = getCustomIntegrationFields(plugin, "oauth_2");
+  const integrationKm = createIntegrationKeyManager({
+    authType: "oauth_2",
+    integrationName: plugin.id,
+    kek,
+    database,
+    extraIntegrationFields: extraFields
+  });
+  const clientId = await integrationKm.get_client_id();
+  if (!clientId) {
+    out({ error: `client_id not set for '${plugin.id}'. Run: corsair setup --${plugin.id} client_id=YOUR_CLIENT_ID` });
+    return;
+  }
+  const clientSecret = await integrationKm.get_client_secret();
+  if (!clientSecret) {
+    out({ error: `client_secret not set for '${plugin.id}'. Run: corsair setup --${plugin.id} client_secret=YOUR_CLIENT_SECRET` });
+    return;
+  }
+  let redirectUri;
+  if (oauthCfg.requiresRegisteredRedirect) {
+    const stored = await integrationKm.get_redirect_url();
+    if (!stored) {
+      out({ error: `redirect_url required for '${plugin.id}'. Run: corsair setup --${plugin.id} redirect_url=YOUR_REDIRECT_URI` });
+      return;
+    }
+    redirectUri = stored;
+  } else {
+    const port = await findFreePort();
+    redirectUri = `http://localhost:${port}`;
+  }
+  const authParams = {
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    scope: oauthCfg.scopes.join(" "),
+    ...oauthCfg.authParams
+  };
+  const authUrl = `${oauthCfg.authUrl}?${querystring.stringify(authParams)}`;
+  if (!oauthCfg.requiresRegisteredRedirect) {
+    const portMatch = redirectUri.match(/:(\d+)$/);
+    const port = portMatch?.[1] ? parseInt(portMatch[1], 10) : null;
+    if (port) {
+      out({ status: "pending_oauth", authUrl, redirectUri, plugin: plugin.id, tenant: tenantId, note: "Open authUrl in a browser. Tokens will be saved automatically once authorized." });
+      let code;
+      try {
+        code = await waitForOAuthCode(port);
+      } catch (err) {
+        out({ error: `Authorization failed: ${err instanceof Error ? err.message : String(err)}` });
+        return;
+      }
+      await oauthExchangeCode(database, plugin, kek, tenantId, code, redirectUri, clientId, clientSecret, oauthCfg);
+      return;
+    }
+  }
+  out({ status: "needs_code", authUrl, redirectUri, plugin: plugin.id, tenant: tenantId, note: "Open authUrl, complete auth, then run: corsair auth --plugin=<id> --code=CODE" });
+}
+async function oauthExchangeCode(database, plugin, kek, tenantId, code, redirectUri, clientId, clientSecret, oauthCfg) {
+  let tokens;
+  try {
+    tokens = await exchangeCodeForTokens(code, clientId, clientSecret, oauthCfg, redirectUri);
+  } catch (err) {
+    out({ error: `Token exchange failed: ${err instanceof Error ? err.message : String(err)}` });
+    return;
+  }
+  if (!tokens.access_token) {
+    out({ error: `No access_token in response from ${oauthCfg.providerName}.` });
+    return;
+  }
+  const extraAccountFields = getCustomAccountFields(plugin, "oauth_2");
+  const accountKm = createAccountKeyManager({
+    authType: "oauth_2",
+    integrationName: plugin.id,
+    tenantId,
+    kek,
+    database,
+    extraAccountFields
+  });
+  await accountKm.set_access_token(tokens.access_token);
+  if (tokens.refresh_token) await accountKm.set_refresh_token(tokens.refresh_token);
+  if (tokens.expires_in) await accountKm.set_expires_at((Date.now() + tokens.expires_in * 1e3).toString());
+  out({ status: "success", plugin: plugin.id, tenant: tenantId });
+}
+async function oauthWithCode(database, plugin, kek, tenantId, code) {
+  const oauthCfg = getOAuthConfigForPlugin(plugin);
+  if (!oauthCfg) {
+    out({ error: `No oauthConfig defined on plugin '${plugin.id}'.` });
+    return;
+  }
+  const extraFields = getCustomIntegrationFields(plugin, "oauth_2");
+  const integrationKm = createIntegrationKeyManager({
+    authType: "oauth_2",
+    integrationName: plugin.id,
+    kek,
+    database,
+    extraIntegrationFields: extraFields
+  });
+  const clientId = await integrationKm.get_client_id();
+  const clientSecret = await integrationKm.get_client_secret();
+  const redirectUri = await integrationKm.get_redirect_url() ?? "";
+  if (!clientId || !clientSecret) {
+    out({ error: `client_id and client_secret must be set before exchanging a code.` });
+    return;
+  }
+  await oauthExchangeCode(database, plugin, kek, tenantId, code, redirectUri, clientId, clientSecret, oauthCfg);
+}
+async function getCredentials(database, plugin, kek, tenantId) {
+  const authType = getAuthType(plugin);
+  const result = {};
+  if (authType === "oauth_2") {
+    const extraIntegrationFields = getCustomIntegrationFields(plugin, authType);
+    const integrationKm = createIntegrationKeyManager({
+      authType,
+      integrationName: plugin.id,
+      kek,
+      database,
+      extraIntegrationFields
+    });
+    result.client_id = await integrationKm.get_client_id();
+    result.client_secret = await integrationKm.get_client_secret();
+    result.redirect_url = await integrationKm.get_redirect_url();
+    for (const field of extraIntegrationFields) {
+      const fn = integrationKm[`get_${field}`];
+      if (typeof fn === "function") result[field] = await fn();
+    }
+    const extraAccountFields = getCustomAccountFields(plugin, authType);
+    const accountKm = createAccountKeyManager({
+      authType,
+      integrationName: plugin.id,
+      tenantId,
+      kek,
+      database,
+      extraAccountFields
+    });
+    result.access_token = await accountKm.get_access_token();
+    result.refresh_token = await accountKm.get_refresh_token();
+    result.expires_at = await accountKm.get_expires_at();
+    result.webhook_signature = await accountKm.get_webhook_signature();
+    for (const field of extraAccountFields) {
+      const fn = accountKm[`get_${field}`];
+      if (typeof fn === "function") result[field] = await fn();
+    }
+  } else if (authType === "api_key") {
+    const extraAccountFields = getCustomAccountFields(plugin, authType);
+    const accountKm = createAccountKeyManager({
+      authType,
+      integrationName: plugin.id,
+      tenantId,
+      kek,
+      database,
+      extraAccountFields
+    });
+    result.api_key = await accountKm.get_api_key();
+    result.webhook_signature = await accountKm.get_webhook_signature();
+  } else if (authType === "bot_token") {
+    const extraAccountFields = getCustomAccountFields(plugin, authType);
+    const accountKm = createAccountKeyManager({
+      authType,
+      integrationName: plugin.id,
+      tenantId,
+      kek,
+      database,
+      extraAccountFields
+    });
+    result.bot_token = await accountKm.get_bot_token();
+    result.webhook_signature = await accountKm.get_webhook_signature();
+  }
+  const masked = {};
+  for (const [k, v] of Object.entries(result)) {
+    if (!v) {
+      masked[k] = null;
+      continue;
+    }
+    masked[k] = v.length <= 9 ? "***" : `${v.slice(0, 6)}...${v.slice(-3)}`;
+  }
+  out({ plugin: plugin.id, tenant: tenantId, credentials: masked });
+}
+async function runAuth({
+  cwd,
+  pluginId: pluginIdArg,
+  tenantId: tenantIdArg,
+  code: codeArg,
+  credentials: showCredentials = false
+}) {
+  let internal;
+  try {
+    internal = await extractInternalConfig(cwd);
+  } catch (error) {
+    out({ error: error instanceof Error ? error.message : String(error) });
+    process.exit(1);
+  }
+  const { plugins, database, kek } = internal;
+  if (!database) {
+    out({ error: "No database adapter configured." });
+    process.exit(1);
+  }
+  if (!pluginIdArg) {
+    out({
+      error: "No plugin specified. Use --plugin=<id>.",
+      available: plugins.map((pl) => ({ id: pl.id, authType: getAuthType(pl) }))
+    });
+    process.exit(1);
+  }
+  const plugin = plugins.find((pl) => pl.id === pluginIdArg);
+  if (!plugin) {
+    out({ error: `Plugin '${pluginIdArg}' not found.`, available: plugins.map((pl) => pl.id) });
+    process.exit(1);
+  }
+  const integration = await ensureIntegration(database, plugin.id, kek);
+  const tenantId = tenantIdArg ?? "default";
+  await ensureAccount(database, integration.id, tenantId, kek);
+  if (showCredentials) {
+    await getCredentials(database, plugin, kek, tenantId);
+    return;
+  }
+  const authType = getAuthType(plugin);
+  if (authType !== "oauth_2") {
+    out({ error: `'corsair auth' is for OAuth flows. Plugin '${plugin.id}' uses '${authType}'. Set credentials via: corsair setup --${plugin.id} <field>=<value>` });
+    return;
+  }
+  if (codeArg) {
+    await oauthWithCode(database, plugin, kek, tenantId, codeArg);
+  } else {
+    await oauthGetUrl(database, plugin, kek, tenantId);
+  }
+}
+var init_auth = __esm({
+  "auth.ts"() {
+    "use strict";
+    init_index();
+  }
+});
+
+// watch-renew.ts
+var watch_renew_exports = {};
+__export(watch_renew_exports, {
+  runWatchRenew: () => runWatchRenew
+});
+import { execSync } from "child_process";
+import * as crypto from "crypto";
+import * as p from "@clack/prompts";
+import {
+  CORSAIR_INTERNAL as CORSAIR_INTERNAL2,
+  createAccountKeyManager as createAccountKeyManager2,
+  createIntegrationKeyManager as createIntegrationKeyManager2
+} from "corsair/core";
+async function extractInternalConfig2(cwd) {
+  const instance = await getCorsairInstance({ cwd, shouldThrowOnError: true });
+  const internal = instance[CORSAIR_INTERNAL2];
+  if (!internal) {
+    throw new Error(
+      "Could not read internal config from Corsair instance. Make sure you are using the latest version of corsair."
+    );
+  }
+  return internal;
+}
+async function refreshAccessToken(clientId, clientSecret, refreshToken) {
+  const response = await fetch("https://oauth2.googleapis.com/token", {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      client_id: clientId,
+      client_secret: clientSecret,
+      refresh_token: refreshToken,
+      grant_type: "refresh_token"
+    })
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Failed to refresh access token: ${error}`);
+  }
+  const data = await response.json();
+  return data.access_token;
+}
+async function renewGmailWatch(accessToken, topicName) {
+  const watchSpin = p.spinner();
+  watchSpin.start("Starting Gmail watch...");
+  const response = await fetch(`${GMAIL_API_BASE}/users/me/watch`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      topicName,
+      labelIds: ["INBOX"]
+    })
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    watchSpin.stop("Failed.");
+    p.log.error(`Gmail watch failed: ${error}`);
+    p.outro("");
+    process.exit(1);
+  }
+  const data = await response.json();
+  watchSpin.stop("Watch started.");
+  p.note(
+    `History ID: ${data.historyId}
+Expiration: ${new Date(Number(data.expiration)).toISOString()}`,
+    "Watch Response"
+  );
+}
+async function renewDriveWatch(accessToken, webhookUrl) {
+  const watchSpin = p.spinner();
+  watchSpin.start("Getting start page token...");
+  const startPageTokenRes = await fetch(
+    `${DRIVE_API_BASE}/changes/startPageToken`,
+    {
+      headers: { Authorization: `Bearer ${accessToken}` }
+    }
+  );
+  if (!startPageTokenRes.ok) {
+    const error = await startPageTokenRes.text();
+    watchSpin.stop("Failed.");
+    p.log.error(`Failed to get start page token: ${error}`);
+    p.outro("");
+    process.exit(1);
+  }
+  const startPageTokenData = await startPageTokenRes.json();
+  watchSpin.message("Starting Drive watch...");
+  const channelId = crypto.randomUUID();
+  const watchRes = await fetch(
+    `${DRIVE_API_BASE}/changes/watch?pageToken=${startPageTokenData.startPageToken}`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        id: channelId,
+        type: "web_hook",
+        address: webhookUrl
+      })
+    }
+  );
+  if (!watchRes.ok) {
+    const error = await watchRes.text();
+    watchSpin.stop("Failed.");
+    p.log.error(`Drive watch failed: ${error}`);
+    p.outro("");
+    process.exit(1);
+  }
+  const data = await watchRes.json();
+  watchSpin.stop("Watch started.");
+  p.note(
+    `Channel ID: ${channelId}
+Resource ID: ${data.resourceId}
+Start Page Token: ${startPageTokenData.startPageToken}
+Expiration: ${new Date(Number(data.expiration)).toISOString()}`,
+    "Watch Response"
+  );
+}
+async function renewCalendarWatch(accessToken, webhookUrl, calendarId) {
+  const watchSpin = p.spinner();
+  watchSpin.start("Starting Calendar watch...");
+  const channelId = crypto.randomUUID();
+  const watchRes = await fetch(
+    `${CALENDAR_API_BASE}/calendars/${encodeURIComponent(calendarId)}/events/watch`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        id: channelId,
+        type: "web_hook",
+        address: webhookUrl
+      })
+    }
+  );
+  if (!watchRes.ok) {
+    const error = await watchRes.text();
+    watchSpin.stop("Failed.");
+    p.log.error(`Calendar watch failed: ${error}`);
+    p.outro("");
+    process.exit(1);
+  }
+  const data = await watchRes.json();
+  watchSpin.stop("Watch started.");
+  p.note(
+    `Channel ID: ${channelId}
+Resource ID: ${data.resourceId}
+Expiration: ${new Date(Number(data.expiration)).toISOString()}`,
+    "Watch Response"
+  );
+}
+function copyToClipboard(text2) {
+  try {
+    const platform = process.platform;
+    if (platform === "darwin") {
+      execSync("pbcopy", { input: text2 });
+      return true;
+    } else if (platform === "linux") {
+      try {
+        execSync("xclip -selection clipboard", { input: text2 });
+        return true;
+      } catch {
+        try {
+          execSync("xsel --clipboard --input", { input: text2 });
+          return true;
+        } catch {
+          return false;
+        }
+      }
+    } else if (platform === "win32") {
+      execSync("clip", { input: text2 });
+      return true;
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
+async function renewSheetsWatch(webhookUrl) {
+  const appsScriptCode = `var WEBHOOK_URL = "${webhookUrl}";
+
+function onEditTrigger(e) {
+  if (!e || !e.range) return;
+
+  var sheet = e.range.getSheet();
+  var payload = {
+    spreadsheetId: e.source.getId(),
+    sheetName: sheet.getName(),
+    range: e.range.getA1Notation(),
+    values: e.range.getValues(),
+    eventType: "rangeUpdated",
+    timestamp: new Date().toISOString()
+  };
+
+  UrlFetchApp.fetch(WEBHOOK_URL, {
+    method: "post",
+    contentType: "application/json",
+    payload: JSON.stringify(payload)
+  });
+}
+
+function onChangeTrigger(e) {
+  if (!e) return;
+
+  var ss = SpreadsheetApp.getActiveSpreadsheet();
+  var sheet = ss.getActiveSheet();
+  var lastRow = sheet.getLastRow();
+  var lastCol = sheet.getLastColumn();
+  if (lastRow === 0 || lastCol === 0) return;
+
+  var values = sheet.getRange(lastRow, 1, 1, lastCol).getValues();
+
+  var payload = {
+    spreadsheetId: ss.getId(),
+    sheetName: sheet.getName(),
+    range: "A" + lastRow + ":" + String.fromCharCode(64 + lastCol) + lastRow,
+    values: values,
+    eventType: "rangeUpdated",
+    timestamp: new Date().toISOString()
+  };
+
+  UrlFetchApp.fetch(WEBHOOK_URL, {
+    method: "post",
+    contentType: "application/json",
+    payload: JSON.stringify(payload)
+  });
+}
+
+function createTriggers() {
+  var ss = SpreadsheetApp.getActiveSpreadsheet();
+
+  ScriptApp.newTrigger("onEditTrigger").forSpreadsheet(ss).onEdit().create();
+  ScriptApp.newTrigger("onChangeTrigger").forSpreadsheet(ss).onChange().create();
+  
+  Logger.log("Triggers created successfully!");
+}
+
+function removeTriggers() {
+  var triggers = ScriptApp.getProjectTriggers();
+  triggers.forEach(function(trigger) {
+    ScriptApp.deleteTrigger(trigger);
+  });
+  Logger.log("All triggers removed.");
+}`;
+  p.log.info("Google Sheets does not have a native watch API.");
+  p.log.info(
+    "Instead, you need to set up Google Apps Script triggers in your spreadsheet."
+  );
+  p.log.info("");
+  const shouldCopy = await p.confirm({
+    message: "Copy Apps Script code to clipboard?",
+    initialValue: true
+  });
+  let copied = false;
+  if (shouldCopy) {
+    copied = copyToClipboard(appsScriptCode);
+    if (copied) {
+      p.log.success("Apps Script code copied to clipboard!");
+    } else {
+      p.log.warn("Failed to copy to clipboard. Code will be displayed below.");
+    }
+  }
+  p.log.info("");
+  p.log.info("Setup Instructions:");
+  p.log.info("1. Open your Google Sheet");
+  p.log.info("2. Go to Extensions > Apps Script");
+  p.log.info("3. Paste the code into the script editor");
+  p.log.info(
+    '4. Run the "createTriggers" function once to install the triggers'
+  );
+  p.log.info("5. Authorize the script when prompted");
+  p.log.info("");
+  if (!copied) {
+    p.log.info("Apps Script Code:");
+    p.log.info("");
+    p.log.info(appsScriptCode);
+    p.log.info("");
+  }
+  p.note(
+    `Webhook URL: ${webhookUrl}
+
+The Apps Script code ${copied ? "has been copied to your clipboard" : "is displayed above"}. Paste it into your Google Sheet's Apps Script editor.`,
+    "Google Sheets Setup"
+  );
+}
+async function runWatchRenew({ cwd }) {
+  p.intro("Corsair \u2014 Google Watch Renewal");
+  const spin = p.spinner();
+  spin.start("Loading corsair instance...");
+  let internal;
+  try {
+    internal = await extractInternalConfig2(cwd);
+  } catch (error) {
+    spin.stop("Failed to load.");
+    p.log.error(error instanceof Error ? error.message : String(error));
+    p.outro("");
+    process.exit(1);
+  }
+  const { plugins, database, kek } = internal;
+  if (!database) {
+    spin.stop("Failed.");
+    p.log.error("No database adapter configured.");
+    p.outro("");
+    process.exit(1);
+  }
+  const googlePlugins = plugins.filter((pl) => {
+    const opts = pl.options;
+    return opts?.authType === "oauth_2" && GOOGLE_PLUGINS.includes(pl.id);
+  });
+  if (googlePlugins.length === 0) {
+    spin.stop("No Google OAuth2 plugins found.");
+    p.outro("");
+    process.exit(1);
+  }
+  spin.stop(
+    `Loaded. Found ${googlePlugins.length} Google plugin${googlePlugins.length === 1 ? "" : "s"}.`
+  );
+  const pluginId = await p.select({
+    message: "Select a Google integration:",
+    options: googlePlugins.map((pl) => ({
+      value: pl.id,
+      label: pl.id
+    }))
+  });
+  if (p.isCancel(pluginId)) {
+    p.cancel("Operation cancelled.");
+    process.exit(0);
+  }
+  const pluginType = pluginId;
+  if (pluginType === "googlesheets") {
+    const webhookUrl = await p.text({
+      message: "Enter webhook URL:",
+      placeholder: "https://example.com/api/webhook",
+      validate: (v) => {
+        if (!v || v.trim().length === 0) return "Webhook URL is required";
+        if (!v.startsWith("http://") && !v.startsWith("https://")) {
+          return "Webhook URL must start with http:// or https://";
+        }
+      }
+    });
+    if (p.isCancel(webhookUrl)) {
+      p.cancel("Operation cancelled.");
+      process.exit(0);
+    }
+    await renewSheetsWatch(webhookUrl);
+    p.outro("Done!");
+    return;
+  }
+  const tenantId = await p.text({
+    message: "Enter tenant ID:",
+    defaultValue: "default",
+    placeholder: "default"
+  });
+  if (p.isCancel(tenantId)) {
+    p.cancel("Operation cancelled.");
+    process.exit(0);
+  }
+  const credSpin = p.spinner();
+  credSpin.start("Fetching credentials...");
+  try {
+    const integrationKm = createIntegrationKeyManager2({
+      authType: "oauth_2",
+      integrationName: pluginId,
+      kek,
+      database
+    });
+    const accountKm = createAccountKeyManager2({
+      authType: "oauth_2",
+      integrationName: pluginId,
+      tenantId,
+      kek,
+      database
+    });
+    const clientId = await integrationKm.get_client_id();
+    const clientSecret = await integrationKm.get_client_secret();
+    const refreshToken = await accountKm.get_refresh_token();
+    if (!clientId || !clientSecret || !refreshToken) {
+      credSpin.stop("Missing credentials.");
+      p.log.error(
+        'Client ID, Client Secret, and Refresh Token are required. Use "corsair auth" to set them.'
+      );
+      p.outro("");
+      process.exit(1);
+    }
+    const accessToken = await refreshAccessToken(
+      clientId,
+      clientSecret,
+      refreshToken
+    );
+    credSpin.stop("Credentials loaded.");
+    if (pluginType === "gmail") {
+      const topicName = await p.text({
+        message: "Enter Pub/Sub topic name:",
+        placeholder: "projects/my-project/topics/my-topic",
+        validate: (v) => {
+          if (!v || v.trim().length === 0) return "Topic name is required";
+        }
+      });
+      if (p.isCancel(topicName)) {
+        p.cancel("Operation cancelled.");
+        process.exit(0);
+      }
+      await renewGmailWatch(accessToken, topicName);
+    } else if (pluginType === "googledrive") {
+      const webhookUrl = await p.text({
+        message: "Enter webhook URL:",
+        placeholder: "https://example.com/api/webhook",
+        validate: (v) => {
+          if (!v || v.trim().length === 0) return "Webhook URL is required";
+        }
+      });
+      if (p.isCancel(webhookUrl)) {
+        p.cancel("Operation cancelled.");
+        process.exit(0);
+      }
+      await renewDriveWatch(accessToken, webhookUrl);
+    } else if (pluginType === "googlecalendar") {
+      const webhookUrl = await p.text({
+        message: "Enter webhook URL:",
+        placeholder: "https://example.com/api/webhook",
+        validate: (v) => {
+          if (!v || v.trim().length === 0) return "Webhook URL is required";
+        }
+      });
+      if (p.isCancel(webhookUrl)) {
+        p.cancel("Operation cancelled.");
+        process.exit(0);
+      }
+      const calendarId = await p.text({
+        message: "Enter calendar ID:",
+        defaultValue: "primary",
+        placeholder: "primary"
+      });
+      if (p.isCancel(calendarId)) {
+        p.cancel("Operation cancelled.");
+        process.exit(0);
+      }
+      await renewCalendarWatch(
+        accessToken,
+        webhookUrl,
+        calendarId
+      );
+    } else {
+      p.log.error(`Unsupported Google plugin: ${pluginType}`);
+      process.exit(1);
+    }
+  } catch (error) {
+    credSpin.stop("Failed.");
+    p.log.error(
+      `Error: ${error instanceof Error ? error.message : String(error)}`
+    );
+    process.exit(1);
+  }
+  p.outro("Done!");
+}
+var GMAIL_API_BASE, DRIVE_API_BASE, CALENDAR_API_BASE, GOOGLE_PLUGINS;
+var init_watch_renew = __esm({
+  "watch-renew.ts"() {
+    "use strict";
+    init_index();
+    GMAIL_API_BASE = "https://gmail.googleapis.com/gmail/v1";
+    DRIVE_API_BASE = "https://www.googleapis.com/drive/v3";
+    CALENDAR_API_BASE = "https://www.googleapis.com/calendar/v3";
+    GOOGLE_PLUGINS = [
+      "gmail",
+      "googledrive",
+      "googlecalendar",
+      "googlesheets"
+    ];
+  }
+});
+
+// index.ts
+import fs2, { existsSync } from "fs";
+import path2 from "path";
+import babelPresetReact from "@babel/preset-react";
+import babelPresetTypeScript from "@babel/preset-typescript";
+import { loadConfig } from "c12";
+function resolveReferencePath(configDir, refPath) {
+  const resolvedPath = path2.resolve(configDir, refPath);
+  if (refPath.endsWith(".json")) {
+    return resolvedPath;
+  }
+  if (fs2.existsSync(resolvedPath)) {
+    try {
+      const stats = fs2.statSync(resolvedPath);
+      if (stats.isFile()) {
+        return resolvedPath;
+      }
+    } catch {
+    }
+  }
+  return path2.resolve(configDir, refPath, "tsconfig.json");
+}
+function getPathAliasesRecursive(tsconfigPath, visited = /* @__PURE__ */ new Set()) {
+  if (visited.has(tsconfigPath)) {
+    return {};
+  }
+  visited.add(tsconfigPath);
+  if (!fs2.existsSync(tsconfigPath)) {
+    console.warn(`Referenced tsconfig not found: ${tsconfigPath}`);
+    return {};
+  }
+  try {
+    const tsConfig = getTsconfigInfo(void 0, tsconfigPath);
+    const { paths = {}, baseUrl = "." } = tsConfig.compilerOptions || {};
+    const result = {};
+    const configDir = path2.dirname(tsconfigPath);
+    const obj = Object.entries(paths);
+    for (const [alias, aliasPaths] of obj) {
+      for (const aliasedPath of aliasPaths) {
+        const resolvedBaseUrl = path2.resolve(configDir, baseUrl);
+        const finalAlias = alias.slice(-1) === "*" ? alias.slice(0, -1) : alias;
+        const finalAliasedPath = aliasedPath.slice(-1) === "*" ? aliasedPath.slice(0, -1) : aliasedPath;
+        result[finalAlias || ""] = path2.join(resolvedBaseUrl, finalAliasedPath);
+      }
+    }
+    if (tsConfig.references) {
+      for (const ref of tsConfig.references) {
+        const refPath = resolveReferencePath(configDir, ref.path);
+        const refAliases = getPathAliasesRecursive(refPath, visited);
+        for (const [alias, aliasPath] of Object.entries(refAliases)) {
+          if (!(alias in result)) {
+            result[alias] = aliasPath;
+          }
+        }
+      }
+    }
+    return result;
+  } catch (error) {
+    console.warn(`Error parsing tsconfig at ${tsconfigPath}: ${error}`);
+    return {};
+  }
+}
+function getPathAliases(cwd) {
+  const tsConfigPath = path2.join(cwd, "tsconfig.json");
+  if (!fs2.existsSync(tsConfigPath)) {
+    return null;
+  }
+  try {
+    const result = getPathAliasesRecursive(tsConfigPath);
+    return result;
+  } catch (error) {
+    console.error(error);
+    throw new Error("Error parsing tsconfig.json");
+  }
+}
+function findCorsairConfigPath(cwd) {
+  for (const possiblePath of possiblePaths) {
+    const fullPath = path2.join(cwd, possiblePath);
+    if (existsSync(fullPath)) {
+      return fullPath;
+    }
+  }
+  return null;
+}
+async function getCorsairInstance({
+  cwd,
+  configPath,
+  shouldThrowOnError = false
+}) {
+  try {
+    let corsairInstance = null;
+    if (configPath) {
+      let resolvedPath = path2.join(cwd, configPath);
+      if (existsSync(configPath)) {
+        resolvedPath = configPath;
+      }
+      const { config } = await loadConfig({
+        configFile: resolvedPath,
+        dotenv: true,
+        jitiOptions: jitiOptions(cwd),
+        cwd
+      });
+      if ("corsair" in config && isCorsairInstance(config.corsair)) {
+        corsairInstance = config.corsair;
+      } else if ("default" in config && isCorsairInstance(config.default)) {
+        corsairInstance = config.default;
+      } else {
+        if (shouldThrowOnError) {
+          throw new Error(
+            `Couldn't read your Corsair instance in ${resolvedPath}. Make sure to export your Corsair instance as a variable named 'corsair' or as the default export.`
+          );
+        }
+        console.error(
+          `[#corsair]: Couldn't read your Corsair instance in ${resolvedPath}. Make sure to export your Corsair instance as a variable named 'corsair' or as the default export.`
+        );
+        process.exit(1);
+      }
+    }
+    if (!corsairInstance) {
+      for (const possiblePath of possiblePaths) {
+        try {
+          const { config } = await loadConfig({
+            configFile: possiblePath,
+            jitiOptions: jitiOptions(cwd),
+            cwd
+          });
+          const hasConfig = Object.keys(config).length > 0;
+          if (hasConfig) {
+            if ("corsair" in config && isCorsairInstance(config.corsair)) {
+              corsairInstance = config.corsair;
+            } else if ("default" in config && isCorsairInstance(config.default)) {
+              corsairInstance = config.default;
+            }
+            if (!corsairInstance) {
+              if (shouldThrowOnError) {
+                throw new Error(
+                  "Couldn't read your Corsair instance. Make sure to export your Corsair instance as a variable named 'corsair' or as the default export."
+                );
+              }
+              console.error("[#corsair]: Couldn't read your Corsair instance.");
+              console.log("");
+              console.log(
+                "[#corsair]: Make sure to export your Corsair instance as a variable named 'corsair' or as the default export."
+              );
+              process.exit(1);
+            }
+            break;
+          }
+        } catch (e) {
+          if (typeof e === "object" && e && "message" in e && typeof e.message === "string" && e.message.includes(
+            "This module cannot be imported from a Client Component module"
+          )) {
+            if (shouldThrowOnError) {
+              throw new Error(
+                `Please remove import 'server-only' from your corsair.ts file temporarily. The CLI cannot resolve the configuration with it included. You can re-add it after running the CLI.`
+              );
+            }
+            console.error(
+              `Please remove import 'server-only' from your corsair.ts file temporarily. The CLI cannot resolve the configuration with it included. You can re-add it after running the CLI.`
+            );
+            process.exit(1);
+          }
+          if (shouldThrowOnError) {
+            throw e;
+          }
+          const msg = typeof e === "object" && e && "message" in e && typeof e.message === "string" ? e.message : String(e);
+          console.error(`[#corsair]: Error loading ${possiblePath}:`, msg);
+          process.exit(1);
+        }
+      }
+    }
+    if (!corsairInstance) {
+      if (shouldThrowOnError) {
+        throw new Error(
+          "Couldn't find corsair.ts in your project. Make sure you have a corsair.ts file in your project root or in src/, lib/, or server/ directories."
+        );
+      }
+      console.error("[#corsair]: Couldn't find corsair.ts in your project.");
+      console.log("");
+      console.log(
+        "[#corsair]: Make sure you have a corsair.ts file in your project root or in src/, lib/, or server/ directories."
+      );
+      process.exit(1);
+    }
+    return corsairInstance;
+  } catch (e) {
+    if (typeof e === "object" && e && "message" in e && typeof e.message === "string" && e.message.includes(
+      "This module cannot be imported from a Client Component module"
+    )) {
+      if (shouldThrowOnError) {
+        throw new Error(
+          `Please remove import 'server-only' from your corsair.ts file temporarily. The CLI cannot resolve the configuration with it included. You can re-add it after running the CLI.`
+        );
+      }
+      console.error(
+        `Please remove import 'server-only' from your corsair.ts file temporarily. The CLI cannot resolve the configuration with it included. You can re-add it after running the CLI.`
+      );
+      process.exit(1);
+    }
+    if (shouldThrowOnError) {
+      throw e;
+    }
+    console.error("Couldn't read your Corsair instance.", e);
+    process.exit(1);
+  }
+}
+function parseAuthArgs(args) {
+  let pluginId;
+  let tenantId;
+  let code;
+  let credentials = false;
+  for (const arg of args) {
+    if (arg === "--credentials") {
+      credentials = true;
+      continue;
+    }
+    const eqIdx = arg.indexOf("=");
+    if (arg.startsWith("--") && eqIdx !== -1) {
+      const key = arg.slice(2, eqIdx);
+      const value = arg.slice(eqIdx + 1);
+      if (key === "plugin") {
+        pluginId = value;
+        continue;
+      }
+      if (key === "tenant") {
+        tenantId = value;
+        continue;
+      }
+      if (key === "code") {
+        code = value;
+        continue;
+      }
+    }
+  }
+  return { pluginId, tenantId, code, credentials };
+}
+function parseSetupArgs(args) {
+  let backfill = false;
+  const credentials = {};
+  let currentPlugin = null;
+  for (const arg of args) {
+    if (arg === "--backfill" || arg === "-backfill") {
+      backfill = true;
+      currentPlugin = null;
+      continue;
+    }
+    if (arg.startsWith("--")) {
+      const name = arg.slice(2);
+      if (RESERVED_FLAGS.has(name)) continue;
+      currentPlugin = name;
+      credentials[currentPlugin] = {};
+      continue;
+    }
+    if (currentPlugin && arg.includes("=")) {
+      const eqIdx = arg.indexOf("=");
+      const field = arg.slice(0, eqIdx);
+      const value = arg.slice(eqIdx + 1);
+      credentials[currentPlugin][field] = value;
+    }
+  }
+  return { backfill, credentials };
+}
+async function main() {
+  const cwd = process.cwd();
+  const args = process.argv.slice(2);
+  const command = args[0];
+  if (command === "help" || command === "--help" || command === "-h") {
+    console.log("[#corsair]: Corsair CLI\n");
+    console.log("Commands:");
+    console.log("  corsair setup                               Initialize your Corsair instance");
+    console.log("  corsair setup -backfill                     Initialize and backfill initial data");
+    console.log("  corsair setup --<plugin> <field>=VALUE ...  Set credentials for a plugin");
+    console.log("  corsair auth --plugin=<id>                 Start OAuth flow (outputs auth URL as JSON)");
+    console.log("  corsair auth --plugin=<id> --code=<code>   Exchange OAuth code for tokens");
+    console.log("  corsair auth --plugin=<id> --credentials   Show current credential status");
+    console.log(
+      "  corsair watch-renew        Renew Google webhook watch (Gmail/Drive/Calendar)"
+    );
+    console.log("  corsair migrate            Create a data migration script");
+    console.log("  corsair migrate help       Show migration help\n");
+    return;
+  }
+  if (command === "setup") {
+    const { backfill, credentials } = parseSetupArgs(args.slice(1));
+    const { setupCorsair } = await import("corsair/setup");
+    const instance = await getCorsairInstance({ cwd });
+    await setupCorsair(instance, {
+      backfill,
+      credentials,
+      caller: "cli"
+    });
+    return;
+  }
+  if (command === "auth") {
+    const { runAuth: runAuth2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
+    const authArgs = parseAuthArgs(args.slice(1));
+    await runAuth2({ cwd, ...authArgs });
+    return;
+  }
+  if (command === "watch-renew") {
+    const { runWatchRenew: runWatchRenew2 } = await Promise.resolve().then(() => (init_watch_renew(), watch_renew_exports));
+    await runWatchRenew2({ cwd });
+    return;
+  }
+  console.log(`[#corsair]: Looking for Corsair instance in ${cwd}...
+`);
+  try {
+    const instance = await getCorsairInstance({ cwd });
+    console.log("[#corsair]: \u2705 Successfully loaded Corsair instance!");
+    if (instance && typeof instance === "object" && "withTenant" in instance) {
+      console.log(
+        "[#corsair]: Multi-tenant setup detected (has withTenant method)"
+      );
+    } else {
+      console.log("[#corsair]: Single-tenant setup detected (direct client)");
+    }
+    if (instance && typeof instance === "object") {
+      console.log(
+        `[#corsair]: Instance keys: ${Object.keys(instance).join(", ")}`
+      );
+    }
+  } catch (error) {
+    console.error("[#corsair]: Error:", error);
+    process.exit(1);
+  }
+}
+var possiblePaths, jitiOptions, isCorsairInstance, RESERVED_FLAGS, isMainModule;
+var init_index = __esm({
+  "index.ts"() {
+    init_get_tsconfig_info();
+    possiblePaths = [
+      "corsair.ts",
+      "corsair.tsx",
+      "corsair.js",
+      "corsair.jsx",
+      "src/corsair.ts",
+      "src/corsair.tsx",
+      "src/corsair.js",
+      "src/corsair.jsx",
+      "lib/corsair.ts",
+      "lib/corsair.tsx",
+      "lib/corsair.js",
+      "lib/corsair.jsx",
+      "server/corsair.ts",
+      "server/corsair.tsx",
+      "server/corsair.js",
+      "server/corsair.jsx",
+      "src/server/corsair.ts",
+      "src/server/corsair.tsx",
+      "src/server/corsair.js",
+      "src/server/corsair.jsx",
+      "app/corsair.ts",
+      "app/corsair.tsx",
+      "app/corsair.js",
+      "app/corsair.jsx",
+      "corsair/index.ts",
+      "corsair/index.tsx",
+      "corsair/index.js",
+      "corsair/index.jsx"
+    ];
+    jitiOptions = (cwd) => {
+      const alias = getPathAliases(cwd) || {};
+      return {
+        transformOptions: {
+          babel: {
+            presets: [
+              [
+                babelPresetTypeScript,
+                {
+                  isTSX: true,
+                  allExtensions: true
+                }
+              ],
+              [babelPresetReact, { runtime: "automatic" }]
+            ]
+          }
+        },
+        extensions: [".ts", ".tsx", ".js", ".jsx"],
+        alias
+      };
+    };
+    isCorsairInstance = (object) => {
+      if (typeof object !== "object" || object === null || Array.isArray(object)) {
+        return false;
+      }
+      if ("withTenant" in object && typeof object.withTenant === "function") {
+        return true;
+      }
+      return Object.keys(object).length > 0;
+    };
+    RESERVED_FLAGS = /* @__PURE__ */ new Set(["backfill", "help", "h"]);
+    isMainModule = import.meta.url === `file://${process.argv[1]?.replace(/\\/g, "/")}` || process.argv[1]?.includes("index.ts") || process.argv[1]?.includes("index.js") || import.meta.url.endsWith("/index.ts") || import.meta.url.endsWith("/index.js");
+    if (isMainModule) {
+      main();
+    }
+  }
+});
+init_index();
+export {
+  findCorsairConfigPath,
+  getCorsairInstance
+};