@dreamboard-games/cli 0.1.30-alpha.2 → 0.1.30-alpha.4

package/dist/agent-verifier/chunk-5NYBTZB4.mjs

@@ -0,0 +1,226 @@
+#!/usr/bin/env node
+import {
+  atomicWriteFile,
+  withFileLock
+} from "./chunk-TAEQKBJB.mjs";
+import {
+  ensureDir,
+  readJsonFile
+} from "./chunk-IAYRNVUC.mjs";
+import {
+  PROJECT_DIR_NAME
+} from "./chunk-H76MT5UR.mjs";
+
+// src/config/global-config.ts
+import os2 from "os";
+import path2 from "path";
+
+// src/config/credential-store.ts
+import os from "os";
+import path from "path";
+import { promises as fs } from "fs";
+function getCredentialFilePath() {
+  return path.join(os.homedir(), PROJECT_DIR_NAME, "auth.json");
+}
+function getCredentialLockPath() {
+  return `${getCredentialFilePath()}.lock`;
+}
+async function fileRead() {
+  const filePath = getCredentialFilePath();
+  let data;
+  try {
+    data = await fs.readFile(filePath, "utf8");
+  } catch (err) {
+    if (err.code === "ENOENT") return null;
+    throw err;
+  }
+  if (data.trim().length === 0) {
+    return null;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(data);
+  } catch {
+    return null;
+  }
+  const accessToken = parsed.accessToken ?? parsed.authToken;
+  const refreshToken = parsed.refreshToken;
+  if (!accessToken && !refreshToken) return null;
+  return {
+    accessToken: accessToken || void 0,
+    refreshToken: refreshToken || void 0,
+    tokenExpiresAt: parsed.tokenExpiresAt || void 0,
+    clerkOAuthIssuer: parsed.clerkOAuthIssuer || void 0,
+    clerkOAuthClientId: parsed.clerkOAuthClientId || void 0,
+    clerkOAuthTokenUrl: parsed.clerkOAuthTokenUrl || void 0,
+    environment: parsed.environment || void 0
+  };
+}
+async function writeFilePayload(payload) {
+  await atomicWriteFile(
+    getCredentialFilePath(),
+    `${JSON.stringify(payload, null, 2)}
+`,
+    { mode: 384 }
+  );
+}
+async function fileWriteFull(creds) {
+  if (!creds.accessToken || !creds.refreshToken) {
+    throw new Error(
+      "Refusing to persist credentials with an empty accessToken or refreshToken."
+    );
+  }
+  await writeFilePayload({
+    authToken: creds.accessToken,
+    refreshToken: creds.refreshToken,
+    tokenExpiresAt: creds.tokenExpiresAt,
+    clerkOAuthIssuer: creds.clerkOAuthIssuer,
+    clerkOAuthClientId: creds.clerkOAuthClientId,
+    clerkOAuthTokenUrl: creds.clerkOAuthTokenUrl,
+    environment: creds.environment
+  });
+}
+async function fileWriteAccessOnly(accessToken) {
+  if (!accessToken) {
+    throw new Error("Refusing to persist an empty access token.");
+  }
+  await writeFilePayload({ authToken: accessToken });
+}
+async function fileClear() {
+  const filePath = getCredentialFilePath();
+  try {
+    await fs.unlink(filePath);
+  } catch (err) {
+    if (err.code !== "ENOENT") throw err;
+  }
+}
+var fileCredentialBackend = {
+  name: "file",
+  read: fileRead,
+  writeFull: fileWriteFull,
+  writeAccessOnly: fileWriteAccessOnly,
+  clear: fileClear
+};
+var cachedBackend = null;
+var migrationCompleted = false;
+var backendResolver = defaultBackendResolver;
+async function defaultBackendResolver() {
+  const override = (process.env.DREAMBOARD_CREDENTIAL_BACKEND ?? "").trim().toLowerCase();
+  if (override === "file") {
+    return fileCredentialBackend;
+  }
+  if (override && override !== "keychain" && override !== "auto") {
+    throw new Error(
+      `Unknown DREAMBOARD_CREDENTIAL_BACKEND value "${override}" (expected "file", "keychain", or "auto").`
+    );
+  }
+  const useKeychain = override === "keychain" || await readCredentialBackendPreference();
+  if (!useKeychain) {
+    return fileCredentialBackend;
+  }
+  const { tryKeychainBackend } = await import("./keychain-backend-A3MRWLPF.mjs");
+  const keychain = await tryKeychainBackend();
+  if (keychain.available) {
+    return keychain.backend;
+  }
+  return fileCredentialBackend;
+}
+async function readCredentialBackendPreference() {
+  try {
+    const { loadGlobalConfig: loadGlobalConfig2 } = await import("./global-config-NYCSCAUI.mjs");
+    const config = await loadGlobalConfig2();
+    return config.credentialBackend === "keychain";
+  } catch {
+    return false;
+  }
+}
+async function getCredentialBackend() {
+  if (cachedBackend === null) {
+    cachedBackend = await backendResolver();
+    if (!migrationCompleted && cachedBackend.name !== "file") {
+      await migrateFromFileBackendIfNeeded(cachedBackend);
+    }
+    migrationCompleted = true;
+  }
+  return cachedBackend;
+}
+async function migrateFromFileBackendIfNeeded(target) {
+  try {
+    const [onDisk, onTarget] = await Promise.all([
+      fileCredentialBackend.read(),
+      target.read()
+    ]);
+    if (!onDisk) return;
+    if (onTarget) {
+      await fileCredentialBackend.clear();
+      return;
+    }
+    if (onDisk.accessToken && onDisk.refreshToken) {
+      await target.writeFull({
+        accessToken: onDisk.accessToken,
+        refreshToken: onDisk.refreshToken
+      });
+    } else if (onDisk.accessToken) {
+      await target.writeAccessOnly(onDisk.accessToken);
+    } else {
+      return;
+    }
+    await fileCredentialBackend.clear();
+  } catch {
+  }
+}
+async function getStoredSession() {
+  const backend = await getCredentialBackend();
+  return backend.read();
+}
+async function setCredentials(creds) {
+  await withFileLock(getCredentialLockPath(), async () => {
+    const backend = await getCredentialBackend();
+    await backend.writeFull(creds);
+  });
+}
+
+// src/config/global-config.ts
+function normalizeCredentialBackend(value) {
+  if (value === "file" || value === "keychain") return value;
+  return void 0;
+}
+function getGlobalConfigPath() {
+  return path2.join(os2.homedir(), PROJECT_DIR_NAME, "config.json");
+}
+function getGlobalAuthPath() {
+  return getCredentialFilePath();
+}
+async function loadGlobalConfig() {
+  const config = await readJsonFile(getGlobalConfigPath()).catch(
+    () => ({})
+  );
+  return {
+    environment: config.environment,
+    credentialBackend: normalizeCredentialBackend(config.credentialBackend)
+  };
+}
+async function saveGlobalConfig(config) {
+  const configDir = path2.join(os2.homedir(), PROJECT_DIR_NAME);
+  await ensureDir(configDir);
+  const normalized = {
+    environment: config.environment,
+    credentialBackend: normalizeCredentialBackend(config.credentialBackend)
+  };
+  await atomicWriteFile(
+    getGlobalConfigPath(),
+    `${JSON.stringify(normalized, null, 2)}
+`,
+    { mode: 384 }
+  );
+}
+
+export {
+  getStoredSession,
+  setCredentials,
+  getGlobalConfigPath,
+  getGlobalAuthPath,
+  loadGlobalConfig,
+  saveGlobalConfig
+};
+//# sourceMappingURL=chunk-5NYBTZB4.mjs.map

package/dist/agent-verifier/chunk-5NYBTZB4.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/config/global-config.ts","../../src/config/credential-store.ts"],"sourcesContent":["import os from \"node:os\";\nimport path from \"node:path\";\nimport type { CredentialBackendPreference, GlobalConfig } from \"../types.js\";\nimport { PROJECT_DIR_NAME } from \"../constants.js\";\nimport { ensureDir, readJsonFile } from \"../utils/fs.js\";\nimport { atomicWriteFile } from \"../utils/atomic-file.js\";\nimport { getCredentialFilePath } from \"./credential-store.js\";\n\nfunction normalizeCredentialBackend(\n  value: unknown,\n): CredentialBackendPreference | undefined {\n  if (value === \"file\" || value === \"keychain\") return value;\n  // Tolerate unknown / malformed values rather than refusing to load the\n  // whole config - an unrecognised backend name should degrade to \"use\n  // the default\" instead of locking the user out of their CLI.\n  return undefined;\n}\n\nexport function getGlobalConfigPath(): string {\n  return path.join(os.homedir(), PROJECT_DIR_NAME, \"config.json\");\n}\n\n/**\n * Path to the on-disk credential file used by the file backend of\n * `CredentialStore`. Re-exported here to avoid circular / ad-hoc imports\n * in UI surface (`auth status`, `config show`, etc).\n */\nexport function getGlobalAuthPath(): string {\n  return getCredentialFilePath();\n}\n\n/**\n * Load non-credential CLI configuration.\n *\n * Note: this function used to also load `authToken` / `refreshToken`\n * from `auth.json` and flatten them onto `GlobalConfig`. That shape\n * enabled the refresh-token-wipe bug: `saveGlobalConfig({ ...config })`\n * without explicit auth fields erased the stored refresh token.\n *\n * Credentials are now owned exclusively by `CredentialStore`. Callers\n * that need them must import `getCredentials()` directly.\n */\nexport async function loadGlobalConfig(): Promise<GlobalConfig> {\n  const config = await readJsonFile<GlobalConfig>(getGlobalConfigPath()).catch(\n    () => ({}) as GlobalConfig,\n  );\n  return {\n    environment: config.environment,\n    credentialBackend: normalizeCredentialBackend(config.credentialBackend),\n  };\n}\n\n/**\n * Persist non-credential CLI configuration.\n *\n * This function cannot write credentials, by construction: the\n * `GlobalConfig` type has no credential fields. Credentials must be\n * persisted through `setCredentials` / `clearCredentials` from\n * `credential-store.ts`.\n */\nexport async function saveGlobalConfig(config: GlobalConfig): Promise<void> {\n  const configDir = path.join(os.homedir(), PROJECT_DIR_NAME);\n  await ensureDir(configDir);\n  const normalized: GlobalConfig = {\n    environment: config.environment,\n    credentialBackend: normalizeCredentialBackend(config.credentialBackend),\n  };\n  await atomicWriteFile(\n    getGlobalConfigPath(),\n    `${JSON.stringify(normalized, null, 2)}\\n`,\n    { mode: 0o600 },\n  );\n}\n","/**\n * Single writer for the long-lived Dreamboard session credentials.\n *\n * Design invariants (enforced at the type level and tested in\n * `credential-store.test.ts`):\n *\n * 1. This module is the ONLY place in the CLI that writes credentials to\n *    disk or the OS keychain. `global-config.ts` used to own both the\n *    config and the credentials via `saveGlobalConfig`, which made it\n *    trivial to wipe a refresh token by accident. The `GlobalConfig` type\n *    no longer carries credentials, so attempting to persist one through\n *    the config path is a type error.\n *\n * 2. The mutating surface is intentionally narrow:\n *      - `setCredentials(c)` for refreshable sessions (both tokens present)\n *      - `setAccessOnlySession(accessToken)` for the `auth set` / `config set\n *        --token` power-user path, which has no refresh token by\n *        construction\n *      - `clearCredentials()` wipes the file entirely\n *    There is no \"partial update\" API. `Credentials` requires both\n *    `accessToken` and `refreshToken`, so it is impossible to persist a\n *    half-populated refreshable session.\n *\n * 3. Writes go through `atomicWriteFile` + `withFileLock`, so a crash or\n *    interrupt during `dreamboard sync`/`compile` cannot leave `auth.json`\n *    truncated, and parallel CLI invocations cannot clobber each other's\n *    rotated refresh tokens.\n *\n * 4. The on-disk JSON shape for the file backend is kept backward\n *    compatible: we continue to read/write `authToken` + `refreshToken`\n *    so existing users are not forced to log in again after this change.\n *    A newer `accessToken` key is also accepted for read to ease any\n *    future format bump.\n *\n * 5. The file backend is the default. The OS keychain is opt-in via\n *    `credentialBackend: \"keychain\"` in `~/.dreamboard/config.json`\n *    because on macOS the first keychain write triggers a login-password\n *    prompt, and re-prompts whenever the executing Node binary's code\n *    signature changes (e.g. after an `nvm`/`volta` upgrade). Users who\n *    want encrypted-at-rest storage can opt in explicitly; everyone else\n *    gets a zero-prompt experience.\n */\n\nimport os from \"node:os\";\nimport path from \"node:path\";\nimport { promises as fs } from \"node:fs\";\nimport { PROJECT_DIR_NAME } from \"../constants.js\";\nimport {\n  atomicWriteFile,\n  withFileLock,\n  type FileLockOptions,\n} from \"../utils/atomic-file.js\";\n\n/** Fully refreshable session: both tokens required. */\nexport type Credentials = {\n  readonly accessToken: string;\n  readonly refreshToken: string;\n  readonly tokenExpiresAt?: string;\n  readonly clerkOAuthIssuer?: string;\n  readonly clerkOAuthClientId?: string;\n  readonly clerkOAuthTokenUrl?: string;\n  readonly environment?: string;\n};\n\n/**\n * Raw on-disk snapshot. Either or both fields may be present. The refresh\n * coordinator only acts on snapshots that have both tokens populated.\n */\nexport type StoredSessionSnapshot = {\n  readonly accessToken?: string;\n  readonly refreshToken?: string;\n  readonly tokenExpiresAt?: string;\n  readonly clerkOAuthIssuer?: string;\n  readonly clerkOAuthClientId?: string;\n  readonly clerkOAuthTokenUrl?: string;\n  readonly environment?: string;\n};\n\nexport type CredentialBackendName = \"file\" | \"keychain\";\n\nexport type CredentialBackend = {\n  readonly name: CredentialBackendName;\n  read(): Promise<StoredSessionSnapshot | null>;\n  writeFull(creds: Credentials): Promise<void>;\n  writeAccessOnly(accessToken: string): Promise<void>;\n  clear(): Promise<void>;\n};\n\nexport type CredentialLockOps = {\n  readonly backendName: CredentialBackendName;\n  read(): Promise<StoredSessionSnapshot | null>;\n  writeFull(creds: Credentials): Promise<void>;\n  writeAccessOnly(accessToken: string): Promise<void>;\n  clear(): Promise<void>;\n};\n\ntype DiskShape = Partial<{\n  accessToken: string;\n  authToken: string;\n  refreshToken: string;\n  tokenExpiresAt: string;\n  clerkOAuthIssuer: string;\n  clerkOAuthClientId: string;\n  clerkOAuthTokenUrl: string;\n  environment: string;\n}>;\n\nexport function getCredentialFilePath(): string {\n  return path.join(os.homedir(), PROJECT_DIR_NAME, \"auth.json\");\n}\n\nfunction getCredentialLockPath(): string {\n  return `${getCredentialFilePath()}.lock`;\n}\n\nasync function fileRead(): Promise<StoredSessionSnapshot | null> {\n  const filePath = getCredentialFilePath();\n  let data: string;\n  try {\n    data = await fs.readFile(filePath, \"utf8\");\n  } catch (err) {\n    if ((err as NodeJS.ErrnoException).code === \"ENOENT\") return null;\n    throw err;\n  }\n  if (data.trim().length === 0) {\n    return null;\n  }\n  let parsed: DiskShape;\n  try {\n    parsed = JSON.parse(data) as DiskShape;\n  } catch {\n    return null;\n  }\n  const accessToken = parsed.accessToken ?? parsed.authToken;\n  const refreshToken = parsed.refreshToken;\n  if (!accessToken && !refreshToken) return null;\n  return {\n    accessToken: accessToken || undefined,\n    refreshToken: refreshToken || undefined,\n    tokenExpiresAt: parsed.tokenExpiresAt || undefined,\n    clerkOAuthIssuer: parsed.clerkOAuthIssuer || undefined,\n    clerkOAuthClientId: parsed.clerkOAuthClientId || undefined,\n    clerkOAuthTokenUrl: parsed.clerkOAuthTokenUrl || undefined,\n    environment: parsed.environment || undefined,\n  };\n}\n\nasync function writeFilePayload(payload: DiskShape): Promise<void> {\n  await atomicWriteFile(\n    getCredentialFilePath(),\n    `${JSON.stringify(payload, null, 2)}\\n`,\n    { mode: 0o600 },\n  );\n}\n\nasync function fileWriteFull(creds: Credentials): Promise<void> {\n  if (!creds.accessToken || !creds.refreshToken) {\n    throw new Error(\n      \"Refusing to persist credentials with an empty accessToken or refreshToken.\",\n    );\n  }\n  await writeFilePayload({\n    authToken: creds.accessToken,\n    refreshToken: creds.refreshToken,\n    tokenExpiresAt: creds.tokenExpiresAt,\n    clerkOAuthIssuer: creds.clerkOAuthIssuer,\n    clerkOAuthClientId: creds.clerkOAuthClientId,\n    clerkOAuthTokenUrl: creds.clerkOAuthTokenUrl,\n    environment: creds.environment,\n  });\n}\n\nasync function fileWriteAccessOnly(accessToken: string): Promise<void> {\n  if (!accessToken) {\n    throw new Error(\"Refusing to persist an empty access token.\");\n  }\n  await writeFilePayload({ authToken: accessToken });\n}\n\nasync function fileClear(): Promise<void> {\n  const filePath = getCredentialFilePath();\n  try {\n    await fs.unlink(filePath);\n  } catch (err) {\n    if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") throw err;\n  }\n}\n\nexport const fileCredentialBackend: CredentialBackend = {\n  name: \"file\",\n  read: fileRead,\n  writeFull: fileWriteFull,\n  writeAccessOnly: fileWriteAccessOnly,\n  clear: fileClear,\n};\n\nexport type BackendResolver = () =>\n  | CredentialBackend\n  | Promise<CredentialBackend>;\n\nlet cachedBackend: CredentialBackend | null = null;\nlet migrationCompleted = false;\nlet backendResolver: BackendResolver = defaultBackendResolver;\n\n/**\n * Default resolver precedence:\n *\n *   1. `DREAMBOARD_CREDENTIAL_BACKEND` env var (debugging / CI override).\n *        - \"file\"     -> force file\n *        - \"keychain\" -> force keychain (falls back to file if the native\n *                        module or the OS keyring is unavailable)\n *        - \"auto\"     -> same as unset (use config)\n *        - unknown    -> throw so typos fail loud\n *   2. `credentialBackend` in `~/.dreamboard/config.json`.\n *        - \"keychain\" -> opt in to the OS keychain (with file fallback)\n *        - \"file\" / unset / malformed -> file\n *   3. Default: file backend.\n *\n * Keychain is opt-in because on macOS the OS login-keychain prompts for\n * the user's password the first time a new binary tries to write to an\n * item, and re-prompts whenever the Node binary signature changes. We\n * would rather ship a zero-prompt default and let users who care about\n * encrypted-at-rest storage enable it.\n *\n * The resolver is async because the keychain probe requires a dynamic\n * `@napi-rs/keyring` import.\n */\nasync function defaultBackendResolver(): Promise<CredentialBackend> {\n  const override = (process.env.DREAMBOARD_CREDENTIAL_BACKEND ?? \"\")\n    .trim()\n    .toLowerCase();\n  if (override === \"file\") {\n    return fileCredentialBackend;\n  }\n  if (override && override !== \"keychain\" && override !== \"auto\") {\n    // Fail loud on typos rather than silently falling back: this env\n    // var exists specifically for users who are debugging auth issues\n    // and need to know their override took effect.\n    throw new Error(\n      `Unknown DREAMBOARD_CREDENTIAL_BACKEND value \"${override}\" (expected \"file\", \"keychain\", or \"auto\").`,\n    );\n  }\n\n  const useKeychain =\n    override === \"keychain\" || (await readCredentialBackendPreference());\n  if (!useKeychain) {\n    return fileCredentialBackend;\n  }\n\n  const { tryKeychainBackend } = await import(\"./keychain-backend.js\");\n  const keychain = await tryKeychainBackend();\n  if (keychain.available) {\n    return keychain.backend;\n  }\n  // The user explicitly asked for keychain but the platform can't\n  // provide one (no libsecret on Linux, missing native module, etc).\n  // Silently degrade to the file backend so the CLI stays usable; the\n  // active backend is still visible through `dreamboard auth status`.\n  return fileCredentialBackend;\n}\n\nasync function readCredentialBackendPreference(): Promise<boolean> {\n  try {\n    // Dynamic import to avoid a top-level cycle with `global-config.ts`\n    // (which imports `getCredentialFilePath` from this module). Using\n    // the async path keeps the cycle purely lazy.\n    const { loadGlobalConfig } = await import(\"./global-config.js\");\n    const config = await loadGlobalConfig();\n    return config.credentialBackend === \"keychain\";\n  } catch {\n    // If the config file is unreadable or the dynamic import fails\n    // (e.g. during early bootstrap), fall back to the file-backed\n    // default rather than crashing credential lookups.\n    return false;\n  }\n}\n\n/**\n * Override which backend is used. Tests use this to inject in-memory\n * backends; production code uses the default keychain-first resolver.\n */\nexport function setCredentialBackendResolver(resolver: BackendResolver): void {\n  backendResolver = resolver;\n  cachedBackend = null;\n  migrationCompleted = false;\n}\n\nexport async function getCredentialBackend(): Promise<CredentialBackend> {\n  if (cachedBackend === null) {\n    cachedBackend = await backendResolver();\n    // One-time migration: if we resolved to a non-file backend and\n    // `auth.json` still has credentials from the old layout, copy them\n    // over and remove the file. We only do this when the new backend is\n    // empty, so repeated migrations cannot stomp a newer keychain\n    // session with a stale file session.\n    if (!migrationCompleted && cachedBackend.name !== \"file\") {\n      await migrateFromFileBackendIfNeeded(cachedBackend);\n    }\n    migrationCompleted = true;\n  }\n  return cachedBackend;\n}\n\nasync function migrateFromFileBackendIfNeeded(\n  target: CredentialBackend,\n): Promise<void> {\n  try {\n    const [onDisk, onTarget] = await Promise.all([\n      fileCredentialBackend.read(),\n      target.read(),\n    ]);\n    if (!onDisk) return;\n    if (onTarget) {\n      // Target already has a session - the user has already migrated.\n      // Remove the file so it cannot get re-used accidentally.\n      await fileCredentialBackend.clear();\n      return;\n    }\n    if (onDisk.accessToken && onDisk.refreshToken) {\n      await target.writeFull({\n        accessToken: onDisk.accessToken,\n        refreshToken: onDisk.refreshToken,\n      });\n    } else if (onDisk.accessToken) {\n      await target.writeAccessOnly(onDisk.accessToken);\n    } else {\n      return;\n    }\n    await fileCredentialBackend.clear();\n  } catch {\n    // Migration is best-effort. A failure here should not block CLI\n    // operation; on next run the file backend is still consulted\n    // directly because the keychain backend's `read` returns null and\n    // callers fall through to \"missing session\" → login prompt.\n  }\n}\n\nexport async function getActiveCredentialBackendName(): Promise<CredentialBackendName> {\n  const backend = await getCredentialBackend();\n  return backend.name;\n}\n\n/** Loose read: returns whatever is on disk, including access-only sessions. */\nexport async function getStoredSession(): Promise<StoredSessionSnapshot | null> {\n  const backend = await getCredentialBackend();\n  return backend.read();\n}\n\n/** Strict read: returns a refreshable pair, or null if either token is missing. */\nexport async function getCredentials(): Promise<Credentials | null> {\n  const snapshot = await getStoredSession();\n  if (!snapshot) return null;\n  const { accessToken, refreshToken } = snapshot;\n  if (!accessToken || !refreshToken) return null;\n  return { accessToken, refreshToken };\n}\n\nexport async function setCredentials(creds: Credentials): Promise<void> {\n  await withFileLock(getCredentialLockPath(), async () => {\n    const backend = await getCredentialBackend();\n    await backend.writeFull(creds);\n  });\n}\n\nexport async function setAccessOnlySession(accessToken: string): Promise<void> {\n  await withFileLock(getCredentialLockPath(), async () => {\n    const backend = await getCredentialBackend();\n    await backend.writeAccessOnly(accessToken);\n  });\n}\n\nexport async function clearCredentials(): Promise<void> {\n  await withFileLock(getCredentialLockPath(), async () => {\n    const backend = await getCredentialBackend();\n    await backend.clear();\n  });\n}\n\n/**\n * Run `fn` while holding the cross-process credential lock. `fn` receives\n * an ops handle that reads/writes the active backend without re-acquiring\n * the lock (avoiding deadlock).\n *\n * This is the only correct way to perform a read-modify-write on stored\n * credentials (e.g. CLI refresh rotation) in the presence of\n * concurrent CLI invocations.\n */\nexport async function withCredentialLock<T>(\n  fn: (ops: CredentialLockOps) => Promise<T>,\n  options?: FileLockOptions,\n): Promise<T> {\n  return withFileLock(\n    getCredentialLockPath(),\n    async () => {\n      const backend = await getCredentialBackend();\n      const ops: CredentialLockOps = {\n        backendName: backend.name,\n        read: () => backend.read(),\n        writeFull: (creds) => backend.writeFull(creds),\n        writeAccessOnly: (accessToken) => backend.writeAccessOnly(accessToken),\n        clear: () => backend.clear(),\n      };\n      return fn(ops);\n    },\n    options,\n  );\n}\n\n/** Test-only reset of module state. Not exported through the barrel. */\nexport function _resetCredentialStoreForTests(): void {\n  cachedBackend = null;\n  migrationCompleted = false;\n  backendResolver = defaultBackendResolver;\n}\n"],"mappings":";;;;;;;;;;;;;;AAAA,OAAOA,SAAQ;AACf,OAAOC,WAAU;;;AC0CjB,OAAO,QAAQ;AACf,OAAO,UAAU;AACjB,SAAS,YAAY,UAAU;AA8DxB,SAAS,wBAAgC;AAC9C,SAAO,KAAK,KAAK,GAAG,QAAQ,GAAG,kBAAkB,WAAW;AAC9D;AAEA,SAAS,wBAAgC;AACvC,SAAO,GAAG,sBAAsB,CAAC;AACnC;AAEA,eAAe,WAAkD;AAC/D,QAAM,WAAW,sBAAsB;AACvC,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,GAAG,SAAS,UAAU,MAAM;AAAA,EAC3C,SAAS,KAAK;AACZ,QAAK,IAA8B,SAAS,SAAU,QAAO;AAC7D,UAAM;AAAA,EACR;AACA,MAAI,KAAK,KAAK,EAAE,WAAW,GAAG;AAC5B,WAAO;AAAA,EACT;AACA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,IAAI;AAAA,EAC1B,QAAQ;AACN,WAAO;AAAA,EACT;AACA,QAAM,cAAc,OAAO,eAAe,OAAO;AACjD,QAAM,eAAe,OAAO;AAC5B,MAAI,CAAC,eAAe,CAAC,aAAc,QAAO;AAC1C,SAAO;AAAA,IACL,aAAa,eAAe;AAAA,IAC5B,cAAc,gBAAgB;AAAA,IAC9B,gBAAgB,OAAO,kBAAkB;AAAA,IACzC,kBAAkB,OAAO,oBAAoB;AAAA,IAC7C,oBAAoB,OAAO,sBAAsB;AAAA,IACjD,oBAAoB,OAAO,sBAAsB;AAAA,IACjD,aAAa,OAAO,eAAe;AAAA,EACrC;AACF;AAEA,eAAe,iBAAiB,SAAmC;AACjE,QAAM;AAAA,IACJ,sBAAsB;AAAA,IACtB,GAAG,KAAK,UAAU,SAAS,MAAM,CAAC,CAAC;AAAA;AAAA,IACnC,EAAE,MAAM,IAAM;AAAA,EAChB;AACF;AAEA,eAAe,cAAc,OAAmC;AAC9D,MAAI,CAAC,MAAM,eAAe,CAAC,MAAM,cAAc;AAC7C,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,iBAAiB;AAAA,IACrB,WAAW,MAAM;AAAA,IACjB,cAAc,MAAM;AAAA,IACpB,gBAAgB,MAAM;AAAA,IACtB,kBAAkB,MAAM;AAAA,IACxB,oBAAoB,MAAM;AAAA,IAC1B,oBAAoB,MAAM;AAAA,IAC1B,aAAa,MAAM;AAAA,EACrB,CAAC;AACH;AAEA,eAAe,oBAAoB,aAAoC;AACrE,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI,MAAM,4CAA4C;AAAA,EAC9D;AACA,QAAM,iBAAiB,EAAE,WAAW,YAAY,CAAC;AACnD;AAEA,eAAe,YAA2B;AACxC,QAAM,WAAW,sBAAsB;AACvC,MAAI;AACF,UAAM,GAAG,OAAO,QAAQ;AAAA,EAC1B,SAAS,KAAK;AACZ,QAAK,IAA8B,SAAS,SAAU,OAAM;AAAA,EAC9D;AACF;AAEO,IAAM,wBAA2C;AAAA,EACtD,MAAM;AAAA,EACN,MAAM;AAAA,EACN,WAAW;AAAA,EACX,iBAAiB;AAAA,EACjB,OAAO;AACT;AAMA,IAAI,gBAA0C;AAC9C,IAAI,qBAAqB;AACzB,IAAI,kBAAmC;AAyBvC,eAAe,yBAAqD;AAClE,QAAM,YAAY,QAAQ,IAAI,iCAAiC,IAC5D,KAAK,EACL,YAAY;AACf,MAAI,aAAa,QAAQ;AACvB,WAAO;AAAA,EACT;AACA,MAAI,YAAY,aAAa,cAAc,aAAa,QAAQ;AAI9D,UAAM,IAAI;AAAA,MACR,gDAAgD,QAAQ;AAAA,IAC1D;AAAA,EACF;AAEA,QAAM,cACJ,aAAa,cAAe,MAAM,gCAAgC;AACpE,MAAI,CAAC,aAAa;AAChB,WAAO;AAAA,EACT;AAEA,QAAM,EAAE,mBAAmB,IAAI,MAAM,OAAO,iCAAuB;AACnE,QAAM,WAAW,MAAM,mBAAmB;AAC1C,MAAI,SAAS,WAAW;AACtB,WAAO,SAAS;AAAA,EAClB;AAKA,SAAO;AACT;AAEA,eAAe,kCAAoD;AACjE,MAAI;AAIF,UAAM,EAAE,kBAAAC,kBAAiB,IAAI,MAAM,OAAO,8BAAoB;AAC9D,UAAM,SAAS,MAAMA,kBAAiB;AACtC,WAAO,OAAO,sBAAsB;AAAA,EACtC,QAAQ;AAIN,WAAO;AAAA,EACT;AACF;AAYA,eAAsB,uBAAmD;AACvE,MAAI,kBAAkB,MAAM;AAC1B,oBAAgB,MAAM,gBAAgB;AAMtC,QAAI,CAAC,sBAAsB,cAAc,SAAS,QAAQ;AACxD,YAAM,+BAA+B,aAAa;AAAA,IACpD;AACA,yBAAqB;AAAA,EACvB;AACA,SAAO;AACT;AAEA,eAAe,+BACb,QACe;AACf,MAAI;AACF,UAAM,CAAC,QAAQ,QAAQ,IAAI,MAAM,QAAQ,IAAI;AAAA,MAC3C,sBAAsB,KAAK;AAAA,MAC3B,OAAO,KAAK;AAAA,IACd,CAAC;AACD,QAAI,CAAC,OAAQ;AACb,QAAI,UAAU;AAGZ,YAAM,sBAAsB,MAAM;AAClC;AAAA,IACF;AACA,QAAI,OAAO,eAAe,OAAO,cAAc;AAC7C,YAAM,OAAO,UAAU;AAAA,QACrB,aAAa,OAAO;AAAA,QACpB,cAAc,OAAO;AAAA,MACvB,CAAC;AAAA,IACH,WAAW,OAAO,aAAa;AAC7B,YAAM,OAAO,gBAAgB,OAAO,WAAW;AAAA,IACjD,OAAO;AACL;AAAA,IACF;AACA,UAAM,sBAAsB,MAAM;AAAA,EACpC,QAAQ;AAAA,EAKR;AACF;AAQA,eAAsB,mBAA0D;AAC9E,QAAM,UAAU,MAAM,qBAAqB;AAC3C,SAAO,QAAQ,KAAK;AACtB;AAWA,eAAsB,eAAe,OAAmC;AACtE,QAAM,aAAa,sBAAsB,GAAG,YAAY;AACtD,UAAM,UAAU,MAAM,qBAAqB;AAC3C,UAAM,QAAQ,UAAU,KAAK;AAAA,EAC/B,CAAC;AACH;;;ADlWA,SAAS,2BACP,OACyC;AACzC,MAAI,UAAU,UAAU,UAAU,WAAY,QAAO;AAIrD,SAAO;AACT;AAEO,SAAS,sBAA8B;AAC5C,SAAOC,MAAK,KAAKC,IAAG,QAAQ,GAAG,kBAAkB,aAAa;AAChE;AAOO,SAAS,oBAA4B;AAC1C,SAAO,sBAAsB;AAC/B;AAaA,eAAsB,mBAA0C;AAC9D,QAAM,SAAS,MAAM,aAA2B,oBAAoB,CAAC,EAAE;AAAA,IACrE,OAAO,CAAC;AAAA,EACV;AACA,SAAO;AAAA,IACL,aAAa,OAAO;AAAA,IACpB,mBAAmB,2BAA2B,OAAO,iBAAiB;AAAA,EACxE;AACF;AAUA,eAAsB,iBAAiB,QAAqC;AAC1E,QAAM,YAAYD,MAAK,KAAKC,IAAG,QAAQ,GAAG,gBAAgB;AAC1D,QAAM,UAAU,SAAS;AACzB,QAAM,aAA2B;AAAA,IAC/B,aAAa,OAAO;AAAA,IACpB,mBAAmB,2BAA2B,OAAO,iBAAiB;AAAA,EACxE;AACA,QAAM;AAAA,IACJ,oBAAoB;AAAA,IACpB,GAAG,KAAK,UAAU,YAAY,MAAM,CAAC,CAAC;AAAA;AAAA,IACtC,EAAE,MAAM,IAAM;AAAA,EAChB;AACF;","names":["os","path","loadGlobalConfig","path","os"]}

package/dist/agent-verifier/chunk-776W3UGV.mjs

@@ -0,0 +1,167 @@
+#!/usr/bin/env node
+import {
+  atomicWriteFile
+} from "./chunk-TAEQKBJB.mjs";
+import {
+  ensureDir,
+  exists,
+  readJsonFile
+} from "./chunk-IAYRNVUC.mjs";
+import {
+  PROJECT_CONFIG_FILE,
+  PROJECT_DIR_NAME,
+  PROJECT_STATE_FILE
+} from "./chunk-H76MT5UR.mjs";
+
+// src/build-target.ts
+var injectedBuildChannel = true ? "development" : void 0;
+var BUILD_CHANNEL = injectedBuildChannel === "published" ? "published" : "development";
+var IS_PUBLISHED_BUILD = BUILD_CHANNEL === "published";
+var PUBLISHED_ENVIRONMENT = "prod";
+
+// src/config/project-config.ts
+import path from "path";
+var LEGACY_DEFAULT_DEPLOYMENT_ID = "legacy";
+var LEGACY_DEFAULT_OWNER_SCOPE_ID = "default";
+var LEGACY_DEFAULT_BINDING_KEY = `${LEGACY_DEFAULT_DEPLOYMENT_ID}:${LEGACY_DEFAULT_OWNER_SCOPE_ID}`;
+function normalizeProjectManifest(config) {
+  return {
+    schemaVersion: 2,
+    projectId: config.projectId,
+    slug: config.slug
+  };
+}
+function normalizeProjectBinding(config) {
+  return {
+    deploymentId: config.deploymentId ?? LEGACY_DEFAULT_DEPLOYMENT_ID,
+    ownerScopeId: config.ownerScopeId ?? LEGACY_DEFAULT_OWNER_SCOPE_ID,
+    gameId: config.gameId,
+    remoteHeadDigest: config.remoteHeadDigest,
+    jobId: config.jobId,
+    agentManaged: config.agentManaged,
+    workspacePrepared: config.workspacePrepared,
+    allowCreateGame: config.allowCreateGame,
+    environment: config.environment,
+    authoring: config.authoring,
+    compile: config.compile,
+    localMaintainerRegistry: config.localMaintainerRegistry,
+    apiBaseUrl: config.apiBaseUrl,
+    webBaseUrl: config.webBaseUrl,
+    packageManifest: config.packageManifest,
+    environmentManifest: config.environmentManifest
+  };
+}
+function normalizeProjectState(config, existing) {
+  const binding = normalizeProjectBinding(config);
+  const bindingKey = config.bindingKey || `${binding.deploymentId}:${binding.ownerScopeId}`;
+  return {
+    schemaVersion: 1,
+    bindings: {
+      ...existing?.bindings ?? {},
+      [bindingKey]: binding
+    }
+  };
+}
+function mergeManifestAndBinding(manifest, binding, bindingKey) {
+  return {
+    ...manifest,
+    ...binding ?? {
+      deploymentId: LEGACY_DEFAULT_DEPLOYMENT_ID,
+      ownerScopeId: LEGACY_DEFAULT_OWNER_SCOPE_ID
+    },
+    gameId: binding?.gameId ?? manifest.projectId,
+    bindingKey: bindingKey ?? `${binding?.deploymentId ?? LEGACY_DEFAULT_DEPLOYMENT_ID}:${binding?.ownerScopeId ?? LEGACY_DEFAULT_OWNER_SCOPE_ID}`
+  };
+}
+function isProjectManifestV2(value) {
+  const candidate = value;
+  return candidate?.schemaVersion === 2 && typeof candidate.projectId === "string" && typeof candidate.slug === "string";
+}
+function normalizeLegacyProjectConfig(config) {
+  return {
+    schemaVersion: 2,
+    projectId: config.projectId ?? config.gameId,
+    slug: config.slug,
+    bindingKey: LEGACY_DEFAULT_BINDING_KEY,
+    deploymentId: LEGACY_DEFAULT_DEPLOYMENT_ID,
+    ownerScopeId: LEGACY_DEFAULT_OWNER_SCOPE_ID,
+    gameId: config.gameId,
+    jobId: config.jobId,
+    agentManaged: config.agentManaged,
+    workspacePrepared: config.workspacePrepared,
+    allowCreateGame: config.allowCreateGame,
+    environment: config.environment,
+    authoring: config.authoring,
+    compile: config.compile,
+    localMaintainerRegistry: config.localMaintainerRegistry,
+    apiBaseUrl: config.apiBaseUrl,
+    webBaseUrl: config.webBaseUrl,
+    packageManifest: config.packageManifest,
+    environmentManifest: config.environmentManifest
+  };
+}
+async function loadProjectEnvironmentState(rootDir) {
+  const filePath = path.join(rootDir, PROJECT_DIR_NAME, PROJECT_STATE_FILE);
+  if (!await exists(filePath)) {
+    return { schemaVersion: 1, bindings: {} };
+  }
+  const state = await readJsonFile(filePath);
+  return state.schemaVersion === 1 && state.bindings ? state : { schemaVersion: 1, bindings: {} };
+}
+async function loadProjectConfig(rootDir) {
+  const filePath = path.join(rootDir, PROJECT_DIR_NAME, PROJECT_CONFIG_FILE);
+  const rawConfig = await readJsonFile(
+    filePath
+  );
+  if (!isProjectManifestV2(rawConfig)) {
+    const migrated = normalizeLegacyProjectConfig(
+      rawConfig
+    );
+    await updateProjectState(rootDir, migrated);
+    return migrated;
+  }
+  const state = await loadProjectEnvironmentState(rootDir);
+  const entries = Object.entries(state.bindings);
+  const [bindingKey, binding] = entries.find(([key]) => key !== LEGACY_DEFAULT_BINDING_KEY) ?? entries.find(([key]) => key === LEGACY_DEFAULT_BINDING_KEY) ?? [];
+  return mergeManifestAndBinding(rawConfig, binding, bindingKey);
+}
+async function updateProjectState(rootDir, config) {
+  const dir = path.join(rootDir, PROJECT_DIR_NAME);
+  await ensureDir(dir);
+  const existingState = await loadProjectEnvironmentState(rootDir);
+  await atomicWriteFile(
+    path.join(dir, PROJECT_CONFIG_FILE),
+    `${JSON.stringify(normalizeProjectManifest(config), null, 2)}
+`,
+    { mode: 420 }
+  );
+  await atomicWriteFile(
+    path.join(dir, PROJECT_STATE_FILE),
+    `${JSON.stringify(normalizeProjectState(config, existingState), null, 2)}
+`,
+    { mode: 384 }
+  );
+}
+async function findProjectRoot(startDir) {
+  let current = path.resolve(startDir);
+  for (let i = 0; i < 25; i++) {
+    const candidate = path.join(current, PROJECT_DIR_NAME, PROJECT_CONFIG_FILE);
+    if (await exists(candidate)) {
+      return current;
+    }
+    const parent = path.dirname(current);
+    if (parent === current) break;
+    current = parent;
+  }
+  return null;
+}
+
+export {
+  BUILD_CHANNEL,
+  IS_PUBLISHED_BUILD,
+  PUBLISHED_ENVIRONMENT,
+  loadProjectConfig,
+  updateProjectState,
+  findProjectRoot
+};
+//# sourceMappingURL=chunk-776W3UGV.mjs.map

package/dist/agent-verifier/chunk-776W3UGV.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/build-target.ts","../../src/config/project-config.ts"],"sourcesContent":["declare const __DREAMBOARD_BUILD_CHANNEL__: string | undefined;\n\nconst injectedBuildChannel =\n  typeof __DREAMBOARD_BUILD_CHANNEL__ === \"string\"\n    ? __DREAMBOARD_BUILD_CHANNEL__\n    : undefined;\n\nexport const BUILD_CHANNEL =\n  injectedBuildChannel === \"published\" ? \"published\" : \"development\";\n\nexport const IS_PUBLISHED_BUILD = BUILD_CHANNEL === \"published\";\nexport const PUBLISHED_ENVIRONMENT = \"prod\" as const;\n","import path from \"node:path\";\nimport type {\n  LegacyProjectConfigV1,\n  ProjectConfig,\n  ProjectEnvironmentBindingV1,\n  ProjectEnvironmentStateV1,\n  ProjectManifestV2,\n} from \"../types.js\";\nimport {\n  PROJECT_DIR_NAME,\n  PROJECT_CONFIG_FILE,\n  PROJECT_STATE_FILE,\n} from \"../constants.js\";\nimport { ensureDir, exists, readJsonFile } from \"../utils/fs.js\";\nimport { atomicWriteFile } from \"../utils/atomic-file.js\";\n\nconst LEGACY_DEFAULT_DEPLOYMENT_ID = \"legacy\";\nconst LEGACY_DEFAULT_OWNER_SCOPE_ID = \"default\";\nconst LEGACY_DEFAULT_BINDING_KEY = `${LEGACY_DEFAULT_DEPLOYMENT_ID}:${LEGACY_DEFAULT_OWNER_SCOPE_ID}`;\n\nfunction normalizeProjectManifest(config: ProjectConfig): ProjectManifestV2 {\n  return {\n    schemaVersion: 2,\n    projectId: config.projectId,\n    slug: config.slug,\n  };\n}\n\nfunction normalizeProjectBinding(\n  config: ProjectConfig,\n): ProjectEnvironmentBindingV1 {\n  return {\n    deploymentId: config.deploymentId ?? LEGACY_DEFAULT_DEPLOYMENT_ID,\n    ownerScopeId: config.ownerScopeId ?? LEGACY_DEFAULT_OWNER_SCOPE_ID,\n    gameId: config.gameId,\n    remoteHeadDigest: config.remoteHeadDigest,\n    jobId: config.jobId,\n    agentManaged: config.agentManaged,\n    workspacePrepared: config.workspacePrepared,\n    allowCreateGame: config.allowCreateGame,\n    environment: config.environment,\n    authoring: config.authoring,\n    compile: config.compile,\n    localMaintainerRegistry: config.localMaintainerRegistry,\n    apiBaseUrl: config.apiBaseUrl,\n    webBaseUrl: config.webBaseUrl,\n    packageManifest: config.packageManifest,\n    environmentManifest: config.environmentManifest,\n  };\n}\n\nfunction normalizeProjectState(\n  config: ProjectConfig,\n  existing?: ProjectEnvironmentStateV1,\n): ProjectEnvironmentStateV1 {\n  const binding = normalizeProjectBinding(config);\n  const bindingKey =\n    config.bindingKey || `${binding.deploymentId}:${binding.ownerScopeId}`;\n  return {\n    schemaVersion: 1,\n    bindings: {\n      ...(existing?.bindings ?? {}),\n      [bindingKey]: binding,\n    },\n  };\n}\n\nfunction mergeManifestAndBinding(\n  manifest: ProjectManifestV2,\n  binding: ProjectEnvironmentBindingV1 | undefined,\n  bindingKey: string | undefined,\n): ProjectConfig {\n  return {\n    ...manifest,\n    ...(binding ?? {\n      deploymentId: LEGACY_DEFAULT_DEPLOYMENT_ID,\n      ownerScopeId: LEGACY_DEFAULT_OWNER_SCOPE_ID,\n    }),\n    gameId: binding?.gameId ?? manifest.projectId,\n    bindingKey:\n      bindingKey ??\n      `${binding?.deploymentId ?? LEGACY_DEFAULT_DEPLOYMENT_ID}:${\n        binding?.ownerScopeId ?? LEGACY_DEFAULT_OWNER_SCOPE_ID\n      }`,\n  };\n}\n\nfunction isProjectManifestV2(value: unknown): value is ProjectManifestV2 {\n  const candidate = value as Partial<ProjectManifestV2>;\n  return (\n    candidate?.schemaVersion === 2 &&\n    typeof candidate.projectId === \"string\" &&\n    typeof candidate.slug === \"string\"\n  );\n}\n\nfunction normalizeLegacyProjectConfig(\n  config: LegacyProjectConfigV1 & { projectId?: string },\n): ProjectConfig {\n  return {\n    schemaVersion: 2,\n    projectId: config.projectId ?? config.gameId,\n    slug: config.slug,\n    bindingKey: LEGACY_DEFAULT_BINDING_KEY,\n    deploymentId: LEGACY_DEFAULT_DEPLOYMENT_ID,\n    ownerScopeId: LEGACY_DEFAULT_OWNER_SCOPE_ID,\n    gameId: config.gameId,\n    jobId: config.jobId,\n    agentManaged: config.agentManaged,\n    workspacePrepared: config.workspacePrepared,\n    allowCreateGame: config.allowCreateGame,\n    environment: config.environment,\n    authoring: config.authoring,\n    compile: config.compile,\n    localMaintainerRegistry: config.localMaintainerRegistry,\n    apiBaseUrl: config.apiBaseUrl,\n    webBaseUrl: config.webBaseUrl,\n    packageManifest: config.packageManifest,\n    environmentManifest: config.environmentManifest,\n  };\n}\n\nasync function loadProjectEnvironmentState(\n  rootDir: string,\n): Promise<ProjectEnvironmentStateV1> {\n  const filePath = path.join(rootDir, PROJECT_DIR_NAME, PROJECT_STATE_FILE);\n  if (!(await exists(filePath))) {\n    return { schemaVersion: 1, bindings: {} };\n  }\n  const state = await readJsonFile<ProjectEnvironmentStateV1>(filePath);\n  return state.schemaVersion === 1 && state.bindings\n    ? state\n    : { schemaVersion: 1, bindings: {} };\n}\n\nexport async function loadProjectConfig(\n  rootDir: string,\n): Promise<ProjectConfig> {\n  const filePath = path.join(rootDir, PROJECT_DIR_NAME, PROJECT_CONFIG_FILE);\n  const rawConfig = await readJsonFile<ProjectManifestV2 | LegacyProjectConfigV1>(\n    filePath,\n  );\n  if (!isProjectManifestV2(rawConfig)) {\n    const migrated = normalizeLegacyProjectConfig(\n      rawConfig as LegacyProjectConfigV1,\n    );\n    await updateProjectState(rootDir, migrated);\n    return migrated;\n  }\n\n  const state = await loadProjectEnvironmentState(rootDir);\n  const entries = Object.entries(state.bindings);\n  const [bindingKey, binding] =\n    entries.find(([key]) => key !== LEGACY_DEFAULT_BINDING_KEY) ??\n    entries.find(([key]) => key === LEGACY_DEFAULT_BINDING_KEY) ??\n    [];\n  return mergeManifestAndBinding(rawConfig, binding, bindingKey);\n}\n\nexport async function updateProjectState(\n  rootDir: string,\n  config: ProjectConfig,\n): Promise<void> {\n  const dir = path.join(rootDir, PROJECT_DIR_NAME);\n  await ensureDir(dir);\n  const existingState = await loadProjectEnvironmentState(rootDir);\n  await atomicWriteFile(\n    path.join(dir, PROJECT_CONFIG_FILE),\n    `${JSON.stringify(normalizeProjectManifest(config), null, 2)}\\n`,\n    { mode: 0o644 },\n  );\n  await atomicWriteFile(\n    path.join(dir, PROJECT_STATE_FILE),\n    `${JSON.stringify(normalizeProjectState(config, existingState), null, 2)}\\n`,\n    { mode: 0o600 },\n  );\n}\n\nexport async function findProjectRoot(\n  startDir: string,\n): Promise<string | null> {\n  let current = path.resolve(startDir);\n  for (let i = 0; i < 25; i++) {\n    const candidate = path.join(current, PROJECT_DIR_NAME, PROJECT_CONFIG_FILE);\n    if (await exists(candidate)) {\n      return current;\n    }\n    const parent = path.dirname(current);\n    if (parent === current) break;\n    current = parent;\n  }\n  return null;\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAEA,IAAM,uBACJ,OACI,gBACA;AAEC,IAAM,gBACX,yBAAyB,cAAc,cAAc;AAEhD,IAAM,qBAAqB,kBAAkB;AAC7C,IAAM,wBAAwB;;;ACXrC,OAAO,UAAU;AAgBjB,IAAM,+BAA+B;AACrC,IAAM,gCAAgC;AACtC,IAAM,6BAA6B,GAAG,4BAA4B,IAAI,6BAA6B;AAEnG,SAAS,yBAAyB,QAA0C;AAC1E,SAAO;AAAA,IACL,eAAe;AAAA,IACf,WAAW,OAAO;AAAA,IAClB,MAAM,OAAO;AAAA,EACf;AACF;AAEA,SAAS,wBACP,QAC6B;AAC7B,SAAO;AAAA,IACL,cAAc,OAAO,gBAAgB;AAAA,IACrC,cAAc,OAAO,gBAAgB;AAAA,IACrC,QAAQ,OAAO;AAAA,IACf,kBAAkB,OAAO;AAAA,IACzB,OAAO,OAAO;AAAA,IACd,cAAc,OAAO;AAAA,IACrB,mBAAmB,OAAO;AAAA,IAC1B,iBAAiB,OAAO;AAAA,IACxB,aAAa,OAAO;AAAA,IACpB,WAAW,OAAO;AAAA,IAClB,SAAS,OAAO;AAAA,IAChB,yBAAyB,OAAO;AAAA,IAChC,YAAY,OAAO;AAAA,IACnB,YAAY,OAAO;AAAA,IACnB,iBAAiB,OAAO;AAAA,IACxB,qBAAqB,OAAO;AAAA,EAC9B;AACF;AAEA,SAAS,sBACP,QACA,UAC2B;AAC3B,QAAM,UAAU,wBAAwB,MAAM;AAC9C,QAAM,aACJ,OAAO,cAAc,GAAG,QAAQ,YAAY,IAAI,QAAQ,YAAY;AACtE,SAAO;AAAA,IACL,eAAe;AAAA,IACf,UAAU;AAAA,MACR,GAAI,UAAU,YAAY,CAAC;AAAA,MAC3B,CAAC,UAAU,GAAG;AAAA,IAChB;AAAA,EACF;AACF;AAEA,SAAS,wBACP,UACA,SACA,YACe;AACf,SAAO;AAAA,IACL,GAAG;AAAA,IACH,GAAI,WAAW;AAAA,MACb,cAAc;AAAA,MACd,cAAc;AAAA,IAChB;AAAA,IACA,QAAQ,SAAS,UAAU,SAAS;AAAA,IACpC,YACE,cACA,GAAG,SAAS,gBAAgB,4BAA4B,IACtD,SAAS,gBAAgB,6BAC3B;AAAA,EACJ;AACF;AAEA,SAAS,oBAAoB,OAA4C;AACvE,QAAM,YAAY;AAClB,SACE,WAAW,kBAAkB,KAC7B,OAAO,UAAU,cAAc,YAC/B,OAAO,UAAU,SAAS;AAE9B;AAEA,SAAS,6BACP,QACe;AACf,SAAO;AAAA,IACL,eAAe;AAAA,IACf,WAAW,OAAO,aAAa,OAAO;AAAA,IACtC,MAAM,OAAO;AAAA,IACb,YAAY;AAAA,IACZ,cAAc;AAAA,IACd,cAAc;AAAA,IACd,QAAQ,OAAO;AAAA,IACf,OAAO,OAAO;AAAA,IACd,cAAc,OAAO;AAAA,IACrB,mBAAmB,OAAO;AAAA,IAC1B,iBAAiB,OAAO;AAAA,IACxB,aAAa,OAAO;AAAA,IACpB,WAAW,OAAO;AAAA,IAClB,SAAS,OAAO;AAAA,IAChB,yBAAyB,OAAO;AAAA,IAChC,YAAY,OAAO;AAAA,IACnB,YAAY,OAAO;AAAA,IACnB,iBAAiB,OAAO;AAAA,IACxB,qBAAqB,OAAO;AAAA,EAC9B;AACF;AAEA,eAAe,4BACb,SACoC;AACpC,QAAM,WAAW,KAAK,KAAK,SAAS,kBAAkB,kBAAkB;AACxE,MAAI,CAAE,MAAM,OAAO,QAAQ,GAAI;AAC7B,WAAO,EAAE,eAAe,GAAG,UAAU,CAAC,EAAE;AAAA,EAC1C;AACA,QAAM,QAAQ,MAAM,aAAwC,QAAQ;AACpE,SAAO,MAAM,kBAAkB,KAAK,MAAM,WACtC,QACA,EAAE,eAAe,GAAG,UAAU,CAAC,EAAE;AACvC;AAEA,eAAsB,kBACpB,SACwB;AACxB,QAAM,WAAW,KAAK,KAAK,SAAS,kBAAkB,mBAAmB;AACzE,QAAM,YAAY,MAAM;AAAA,IACtB;AAAA,EACF;AACA,MAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC,UAAM,WAAW;AAAA,MACf;AAAA,IACF;AACA,UAAM,mBAAmB,SAAS,QAAQ;AAC1C,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,MAAM,4BAA4B,OAAO;AACvD,QAAM,UAAU,OAAO,QAAQ,MAAM,QAAQ;AAC7C,QAAM,CAAC,YAAY,OAAO,IACxB,QAAQ,KAAK,CAAC,CAAC,GAAG,MAAM,QAAQ,0BAA0B,KAC1D,QAAQ,KAAK,CAAC,CAAC,GAAG,MAAM,QAAQ,0BAA0B,KAC1D,CAAC;AACH,SAAO,wBAAwB,WAAW,SAAS,UAAU;AAC/D;AAEA,eAAsB,mBACpB,SACA,QACe;AACf,QAAM,MAAM,KAAK,KAAK,SAAS,gBAAgB;AAC/C,QAAM,UAAU,GAAG;AACnB,QAAM,gBAAgB,MAAM,4BAA4B,OAAO;AAC/D,QAAM;AAAA,IACJ,KAAK,KAAK,KAAK,mBAAmB;AAAA,IAClC,GAAG,KAAK,UAAU,yBAAyB,MAAM,GAAG,MAAM,CAAC,CAAC;AAAA;AAAA,IAC5D,EAAE,MAAM,IAAM;AAAA,EAChB;AACA,QAAM;AAAA,IACJ,KAAK,KAAK,KAAK,kBAAkB;AAAA,IACjC,GAAG,KAAK,UAAU,sBAAsB,QAAQ,aAAa,GAAG,MAAM,CAAC,CAAC;AAAA;AAAA,IACxE,EAAE,MAAM,IAAM;AAAA,EAChB;AACF;AAEA,eAAsB,gBACpB,UACwB;AACxB,MAAI,UAAU,KAAK,QAAQ,QAAQ;AACnC,WAAS,IAAI,GAAG,IAAI,IAAI,KAAK;AAC3B,UAAM,YAAY,KAAK,KAAK,SAAS,kBAAkB,mBAAmB;AAC1E,QAAI,MAAM,OAAO,SAAS,GAAG;AAC3B,aAAO;AAAA,IACT;AACA,UAAM,SAAS,KAAK,QAAQ,OAAO;AACnC,QAAI,WAAW,QAAS;AACxB,cAAU;AAAA,EACZ;AACA,SAAO;AACT;","names":[]}