@eightstate/escli 0.7.1 → 0.8.0

package/dist/services/mcp/gate-client.js

@@ -0,0 +1,86 @@
+import { z } from 'zod';
+import { ErrorCode } from '@eightstate/contracts/errors';
+import { ExitCodes } from '@eightstate/contracts/exit-codes';
+import { EscliError } from '../../lib/escli-error.js';
+import { resolveCliToken } from '../credentials.js';
+import { authRequired, gateUrl, parseJsonResponse } from './common.js';
+const McpMachineCreateResponseSchema = z.object({
+    machine_id: z.number(),
+    machine_secret: z.string(),
+    hostname: z.string(),
+    resource: z.string(),
+});
+const McpMachineStatusResponseSchema = z.object({
+    machine_id: z.number(),
+    slug: z.string(),
+    hostname: z.string(),
+    resource: z.string(),
+    port: z.number(),
+    label: z.string().nullable(),
+    created_at: z.string(),
+    revoked_at: z.string().nullable(),
+});
+const IntrospectionResponseSchema = z.discriminatedUnion('active', [
+    z.object({ active: z.literal(true), user_id: z.number(), machine_id: z.number(), scopes: z.array(z.string()), expires_at: z.string() }),
+    z.object({ active: z.literal(false) }),
+]);
+export class McpGateClient {
+    baseUrl;
+    constructor(baseUrl = gateUrl()) {
+        this.baseUrl = baseUrl;
+    }
+    async createMachine(input) {
+        const data = await this.request('/api/mcp/machines', { method: 'POST', body: input, userAuth: true });
+        return McpMachineCreateResponseSchema.parse(data);
+    }
+    async getMachineStatus(slug) {
+        const data = await this.request(`/api/mcp/machines/${encodeURIComponent(slug)}`, { method: 'GET', userAuth: true });
+        return McpMachineStatusResponseSchema.parse(data);
+    }
+    async revokeMachine(slug) {
+        const data = await this.request(`/api/mcp/machines/${encodeURIComponent(slug)}/revoke`, { method: 'POST', userAuth: true });
+        const parsed = McpMachineStatusResponseSchema.safeParse(data);
+        return parsed.success ? parsed.data : data;
+    }
+    async introspectToken(machineSecret, token, resource) {
+        const data = await this.request('/api/mcp/introspect', {
+            method: 'POST',
+            body: { token, resource },
+            bearer: machineSecret,
+        });
+        return IntrospectionResponseSchema.parse(data);
+    }
+    async request(path, options) {
+        const bearer = options.bearer ?? (options.userAuth ? resolveCliToken() : undefined);
+        if (!bearer)
+            throw authRequired();
+        let response;
+        try {
+            response = await fetch(`${this.baseUrl}${path}`, {
+                method: options.method,
+                headers: {
+                    authorization: `Bearer ${bearer}`,
+                    accept: 'application/json',
+                    ...(options.body === undefined ? {} : { 'content-type': 'application/json' }),
+                },
+                body: options.body === undefined ? undefined : JSON.stringify(options.body),
+            });
+        }
+        catch (error) {
+            throw new EscliError('gate unavailable', { code: ErrorCode.GateUnavailable, exitCode: ExitCodes.Transient, details: error instanceof Error ? error.message : error });
+        }
+        const data = await parseJsonResponse(response);
+        if (!response.ok) {
+            throw new EscliError(`gate request failed (${response.status})`, {
+                code: response.status === 401 ? ErrorCode.AuthInvalid : ErrorCode.GateUnavailable,
+                exitCode: response.status === 401 || response.status === 403 ? ExitCodes.Auth : ExitCodes.Transient,
+                details: data,
+            });
+        }
+        return data;
+    }
+}
+export function createGateClient() {
+    return new McpGateClient();
+}
+//# sourceMappingURL=gate-client.js.map

package/dist/services/mcp/protocol.js

@@ -0,0 +1,68 @@
+export const JSON_RPC_PARSE_ERROR = -32700;
+export const JSON_RPC_INVALID_REQUEST = -32600;
+export const JSON_RPC_METHOD_NOT_FOUND = -32601;
+export const JSON_RPC_INVALID_PARAMS = -32602;
+export const JSON_RPC_INTERNAL_ERROR = -32603;
+export class JsonRpcProtocolError extends Error {
+    code;
+    data;
+    constructor(code, message, data) {
+        super(message);
+        this.name = 'JsonRpcProtocolError';
+        this.code = code;
+        this.data = data;
+    }
+}
+export async function handleJsonRpc(raw, handlers) {
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        return jsonRpcError(null, JSON_RPC_PARSE_ERROR, 'Parse error');
+    }
+    const request = parseRequest(parsed);
+    if (!request.valid)
+        return jsonRpcError(request.id, JSON_RPC_INVALID_REQUEST, 'Invalid Request');
+    if (!request.value.id && request.value.id !== 0 && request.value.id !== null)
+        return undefined;
+    const handler = handlers[request.value.method];
+    if (!handler)
+        return jsonRpcError(request.value.id ?? null, JSON_RPC_METHOD_NOT_FOUND, 'Method not found');
+    try {
+        const result = await handler(request.value.params, request.value);
+        return { jsonrpc: '2.0', id: request.value.id ?? null, result };
+    }
+    catch (error) {
+        if (error instanceof JsonRpcProtocolError)
+            return jsonRpcError(request.value.id ?? null, error.code, error.message, error.data);
+        return jsonRpcError(request.value.id ?? null, JSON_RPC_INTERNAL_ERROR, error instanceof Error ? error.message : 'Internal error');
+    }
+}
+export function invalidParams(message, data) {
+    return new JsonRpcProtocolError(JSON_RPC_INVALID_PARAMS, message, data);
+}
+export function jsonRpcError(id, code, message, data) {
+    return { jsonrpc: '2.0', id, error: { code, message, ...(data === undefined ? {} : { data }) } };
+}
+function parseRequest(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value))
+        return { valid: false, id: null };
+    const record = value;
+    const id = parseId(record.id);
+    if (record.id !== undefined && id === undefined)
+        return { valid: false, id: null };
+    if (record.jsonrpc !== '2.0' || typeof record.method !== 'string')
+        return { valid: false, id: id ?? null };
+    return { valid: true, value: { jsonrpc: '2.0', id, method: record.method, params: record.params } };
+}
+function parseId(value) {
+    if (value === undefined)
+        return undefined;
+    if (value === null || typeof value === 'string')
+        return value;
+    if (typeof value === 'number' && Number.isInteger(value))
+        return value;
+    return undefined;
+}
+//# sourceMappingURL=protocol.js.map

package/dist/services/mcp/server.js

@@ -0,0 +1,131 @@
+import { createServer } from 'node:http';
+import { realpath } from 'node:fs/promises';
+import { McpGateClient } from './gate-client.js';
+import { MCP_AUTH_SERVER } from './common.js';
+import { handleJsonRpc, invalidParams } from './protocol.js';
+import { executeToolCall, toolDefinitions } from './tools.js';
+const MCP_PROTOCOL_VERSION = '2025-06-18';
+const MCP_SCOPES = ['mcp:read', 'mcp:write'];
+export async function startMcpServer(options) {
+    const resolvedRoot = await realpath(options.root);
+    const gateClient = options.gateClient ?? new McpGateClient();
+    const server = createServer((request, response) => {
+        void handleRequest(request, response, { ...options, root: resolvedRoot, gateClient });
+    });
+    await new Promise((resolve, reject) => {
+        const onError = (error) => {
+            server.off('listening', onListening);
+            reject(error);
+        };
+        const onListening = () => {
+            server.off('error', onError);
+            resolve();
+        };
+        server.once('error', onError);
+        server.once('listening', onListening);
+        server.listen(options.port, '127.0.0.1');
+    });
+    return {
+        server,
+        url: `http://127.0.0.1:${options.port}/mcp`,
+        close: () => new Promise((resolve, reject) => server.close((error) => error ? reject(error) : resolve())),
+    };
+}
+async function handleRequest(request, response, options) {
+    try {
+        const method = request.method ?? 'GET';
+        const url = new URL(request.url ?? '/', `http://${request.headers.host ?? '127.0.0.1'}`);
+        if (method === 'GET' && url.pathname === '/.well-known/oauth-protected-resource') {
+            writeJson(response, 200, {
+                resource: options.config.resource,
+                authorization_servers: [process.env.MCP_AUTH_ISSUER ?? MCP_AUTH_SERVER],
+                scopes_supported: [...MCP_SCOPES],
+            });
+            return;
+        }
+        if (url.pathname !== '/mcp') {
+            writeJson(response, 404, { error: 'not found' });
+            return;
+        }
+        if (method === 'GET') {
+            response.writeHead(405, { 'allow': 'POST', 'content-type': 'application/json' });
+            response.end(JSON.stringify({ error: 'method not allowed' }));
+            return;
+        }
+        if (method !== 'POST') {
+            response.writeHead(405, { 'allow': 'POST', 'content-type': 'application/json' });
+            response.end(JSON.stringify({ error: 'method not allowed' }));
+            return;
+        }
+        const bearer = bearerToken(request);
+        if (!bearer) {
+            unauthorized(response, options.config.resource);
+            return;
+        }
+        const body = await readBody(request);
+        const rpc = await handleJsonRpc(body, handlers(options, bearer));
+        if (!rpc) {
+            response.writeHead(204);
+            response.end();
+            return;
+        }
+        writeJson(response, 200, rpc);
+    }
+    catch (error) {
+        writeJson(response, 500, { error: error instanceof Error ? error.message : 'internal error' });
+    }
+}
+function handlers(options, bearer) {
+    return {
+        initialize: () => ({
+            protocolVersion: MCP_PROTOCOL_VERSION,
+            capabilities: { tools: {} },
+            serverInfo: { name: 'escli-mcp', version: '0.1.0' },
+        }),
+        'tools/list': () => ({ tools: toolDefinitions }),
+        'tools/call': async (params) => {
+            const parsed = parseToolCallParams(params);
+            return executeToolCall({
+                root: options.root,
+                config: options.config,
+                gateClient: options.gateClient,
+                bearerToken: bearer,
+                verbose: options.verbose,
+            }, parsed.name, parsed.arguments);
+        },
+    };
+}
+function parseToolCallParams(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value))
+        throw invalidParams('tools/call params must be an object');
+    const record = value;
+    if (typeof record.name !== 'string')
+        throw invalidParams('tools/call params.name must be a string');
+    return { name: record.name, arguments: record.arguments ?? {} };
+}
+function bearerToken(request) {
+    const header = request.headers.authorization;
+    if (!header)
+        return undefined;
+    const match = /^Bearer\s+(.+)$/iu.exec(header);
+    return match?.[1];
+}
+function unauthorized(response, resource) {
+    const metadata = `${resource}/.well-known/oauth-protected-resource`;
+    response.writeHead(401, {
+        'content-type': 'application/json',
+        'www-authenticate': `Bearer resource_metadata="${metadata}", scope="${MCP_SCOPES.join(' ')}"`,
+    });
+    response.end(JSON.stringify({ error: 'unauthorized' }));
+}
+async function readBody(request) {
+    const chunks = [];
+    for await (const chunk of request)
+        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+    return Buffer.concat(chunks).toString('utf8');
+}
+function writeJson(response, status, value) {
+    response.writeHead(status, { 'content-type': 'application/json' });
+    response.end(JSON.stringify(value));
+}
+//# sourceMappingURL=server.js.map

package/dist/services/mcp/tools.js

@@ -0,0 +1,228 @@
+import { spawn } from 'node:child_process';
+import { mkdtemp, readFile, realpath, stat, writeFile } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { dirname, isAbsolute, join, relative, resolve } from 'node:path';
+import { z } from 'zod';
+import { writeAuditRecord } from './audit.js';
+export const BASH_OUTPUT_LIMIT_BYTES = 2 * 1024 * 1024;
+const READ_MAX_BYTES = 10 * 1024 * 1024;
+const SAFE_PATH = '/usr/local/bin:/opt/homebrew/bin:/usr/bin:/bin';
+export const toolDefinitions = [
+    {
+        name: 'read',
+        description: 'Read a UTF-8 text file under the configured root. Use when you need file contents before editing.',
+        inputSchema: { type: 'object', properties: { path: { type: 'string' } }, required: ['path'], additionalProperties: false },
+        annotations: { readOnlyHint: true },
+    },
+    {
+        name: 'write',
+        description: 'Create or replace a UTF-8 text file under the configured root. Requires user confirmation in ChatGPT.',
+        inputSchema: { type: 'object', properties: { path: { type: 'string' }, content: { type: 'string' } }, required: ['path', 'content'], additionalProperties: false },
+        annotations: { readOnlyHint: false, destructiveHint: true },
+    },
+    {
+        name: 'edit',
+        description: 'Replace one exact text occurrence in a UTF-8 file under root. Fails unless oldText matches exactly once.',
+        inputSchema: { type: 'object', properties: { path: { type: 'string' }, oldText: { type: 'string' }, newText: { type: 'string' } }, required: ['path', 'oldText', 'newText'], additionalProperties: false },
+        annotations: { readOnlyHint: false, destructiveHint: true },
+    },
+    {
+        name: 'bash',
+        description: 'Run a shell command with cwd clamped under root, empty environment except a safe PATH, timeout, and output cap. Use for tests, builds, git status, and repo discovery.',
+        inputSchema: { type: 'object', properties: { command: { type: 'string' }, cwd: { type: 'string' }, timeoutSeconds: { type: 'integer', minimum: 1, maximum: 300 } }, required: ['command'], additionalProperties: false },
+        annotations: { readOnlyHint: false, destructiveHint: true },
+    },
+];
+const ReadArgs = z.object({ path: z.string() }).strict();
+const WriteArgs = z.object({ path: z.string(), content: z.string() }).strict();
+const EditArgs = z.object({ path: z.string(), oldText: z.string(), newText: z.string() }).strict();
+const BashArgs = z.object({ command: z.string(), cwd: z.string().optional(), timeoutSeconds: z.number().int().min(1).max(300).optional() }).strict();
+export async function executeToolCall(context, name, args) {
+    const start = Date.now();
+    let target;
+    let bytes = 0;
+    let truncated = false;
+    let status = 'error';
+    try {
+        const active = await context.gateClient.introspectToken(context.config.machine_secret, context.bearerToken, context.config.resource);
+        if (!active.active)
+            return toolError('unauthorized: inactive token');
+        let result;
+        switch (name) {
+            case 'read': {
+                const parsed = ReadArgs.parse(args);
+                target = parsed.path;
+                result = await readTool(context.root, parsed.path);
+                break;
+            }
+            case 'write': {
+                const parsed = WriteArgs.parse(args);
+                target = parsed.path;
+                result = await writeTool(context.root, parsed.path, parsed.content);
+                break;
+            }
+            case 'edit': {
+                const parsed = EditArgs.parse(args);
+                target = parsed.path;
+                result = await editTool(context.root, parsed.path, parsed.oldText, parsed.newText);
+                break;
+            }
+            case 'bash': {
+                const parsed = BashArgs.parse(args);
+                const cwd = await resolveCwd(context.root, parsed.cwd);
+                target = relative(context.root, cwd) || '.';
+                result = await bashTool(context.root, parsed.command, cwd, parsed.timeoutSeconds ?? 60);
+                break;
+            }
+            default:
+                return toolError(`unknown tool: ${name}`);
+        }
+        const text = result.content.map((item) => item.text).join('');
+        bytes = Buffer.byteLength(text);
+        truncated = result.truncated === true;
+        status = result.isError ? 'error' : 'ok';
+        context.verbose?.(`${name} ${target ?? ''} ${status} ${Date.now() - start}ms ${bytes}B${truncated ? ' truncated' : ''}`.trim());
+        return result;
+    }
+    catch (error) {
+        const result = toolError(error instanceof Error ? error.message : String(error));
+        bytes = Buffer.byteLength(result.content[0]?.text ?? '');
+        context.verbose?.(`${name} ${target ?? ''} error ${Date.now() - start}ms ${bytes}B`.trim());
+        return result;
+    }
+    finally {
+        await writeAuditRecord(context.config.slug, { tool: name, target, status, duration_ms: Date.now() - start, bytes, truncated }).catch(() => { });
+    }
+}
+async function readTool(root, path) {
+    const file = await resolveExistingFile(root, path);
+    const info = await stat(file);
+    if (info.isDirectory())
+        return toolError('path is a directory');
+    if (info.size > READ_MAX_BYTES)
+        return toolError('file exceeds 10MB read limit');
+    return toolOk(await readFile(file, 'utf8'));
+}
+async function writeTool(root, path, content) {
+    const file = await resolveNewPath(root, path);
+    await writeFile(file, content, 'utf8');
+    return toolOk(`wrote ${Buffer.byteLength(content, 'utf8')} bytes`);
+}
+async function editTool(root, path, oldText, newText) {
+    const file = await resolveExistingFile(root, path);
+    const current = await readFile(file, 'utf8');
+    const first = current.indexOf(oldText);
+    if (first === -1)
+        return toolError('oldText did not match');
+    if (current.indexOf(oldText, first + oldText.length) !== -1)
+        return toolError('oldText matched more than once');
+    await writeFile(file, `${current.slice(0, first)}${newText}${current.slice(first + oldText.length)}`, 'utf8');
+    return toolOk('edited 1 occurrence');
+}
+async function bashTool(root, command, cwd, timeoutSeconds) {
+    const home = await mkdtemp(join(tmpdir(), 'escli-mcp-home-'));
+    return new Promise((resolvePromise) => {
+        const child = spawn('/bin/sh', ['-c', command], {
+            cwd,
+            env: { PATH: SAFE_PATH, HOME: home, PWD: cwd },
+            stdio: ['ignore', 'pipe', 'pipe'],
+        });
+        const chunks = [];
+        let collected = 0;
+        let omitted = 0;
+        let truncated = false;
+        let settled = false;
+        let timedOut = false;
+        const timer = setTimeout(() => {
+            timedOut = true;
+            child.kill('SIGTERM');
+            setTimeout(() => child.kill('SIGKILL'), 1000).unref();
+        }, Math.min(Math.max(timeoutSeconds, 1), 300) * 1000);
+        const collect = (chunk) => {
+            if (collected < BASH_OUTPUT_LIMIT_BYTES) {
+                const remaining = BASH_OUTPUT_LIMIT_BYTES - collected;
+                if (chunk.length <= remaining) {
+                    chunks.push(chunk);
+                    collected += chunk.length;
+                }
+                else {
+                    chunks.push(chunk.subarray(0, remaining));
+                    collected += remaining;
+                    omitted += chunk.length - remaining;
+                    truncated = true;
+                }
+            }
+            else {
+                omitted += chunk.length;
+                truncated = true;
+            }
+        };
+        child.stdout?.on('data', collect);
+        child.stderr?.on('data', collect);
+        child.on('error', (error) => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timer);
+            resolvePromise(toolError(error.message));
+        });
+        child.on('close', (code, signal) => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timer);
+            if (timedOut) {
+                resolvePromise(toolError(`command timed out after ${timeoutSeconds} seconds`));
+                return;
+            }
+            let output = Buffer.concat(chunks).toString('utf8');
+            if (truncated)
+                output += `\n[escli:mcp output truncated at ${BASH_OUTPUT_LIMIT_BYTES} bytes; omitted ${omitted} bytes]\n`;
+            const exitCode = code ?? (signal ? 128 : 1);
+            resolvePromise({ content: [{ type: 'text', text: output }], isError: exitCode !== 0, truncated });
+        });
+    });
+}
+async function resolveExistingFile(root, input) {
+    const candidate = resolveCandidate(root, input);
+    const real = await realpath(candidate);
+    assertUnderRoot(root, real);
+    return real;
+}
+async function resolveNewPath(root, input) {
+    const candidate = resolveCandidate(root, input);
+    assertUnderRoot(root, candidate);
+    const parentReal = await realpath(dirname(candidate));
+    assertUnderRoot(root, parentReal);
+    return candidate;
+}
+async function resolveCwd(root, input) {
+    if (!input)
+        return root;
+    const candidate = resolveCandidate(root, input);
+    const real = await realpath(candidate);
+    assertUnderRoot(root, real);
+    const info = await stat(real);
+    if (!info.isDirectory())
+        throw new Error('cwd is not a directory');
+    return real;
+}
+function resolveCandidate(root, input) {
+    if (input.includes('\0'))
+        throw new Error('path contains NUL byte');
+    const candidate = isAbsolute(input) ? resolve(input) : resolve(root, input);
+    return candidate;
+}
+function assertUnderRoot(root, candidate) {
+    const rel = relative(root, candidate);
+    if (rel === '' || (!rel.startsWith('..') && !isAbsolute(rel)))
+        return;
+    throw new Error('path escapes root');
+}
+function toolOk(text) {
+    return { content: [{ type: 'text', text }], isError: false };
+}
+function toolError(text) {
+    return { content: [{ type: 'text', text }], isError: true };
+}
+//# sourceMappingURL=tools.js.map

package/dist/services/notion.js

@@ -65,9 +65,10 @@ export function notionFileUploadCreate(body) {
     return proxy('POST', '/v1/file_uploads', { body });
 }
 export function notionFileUploadSend(fileUploadId, options) {
-    return proxy('POST', `/v1/file_uploads/${encodeURIComponent(fileUploadId)}/send`, {
-        body: withDefined({ file: options.file, filename: options.filename, content_type: options.contentType }),
-    });
+    return gateMultipartRequest('POST', `/v1/file_uploads/${encodeURIComponent(fileUploadId)}/send`, [
+        { name: 'file', filename: options.filename, contentType: options.contentType, value: bytesFromFile(options.file) },
+        ...(options.partNumber === undefined ? [] : [{ name: 'part_number', value: String(options.partNumber) }]),
+    ]);
 }
 export function notionFileUploadComplete(fileUploadId) {
     return proxy('POST', `/v1/file_uploads/${encodeURIComponent(fileUploadId)}/complete`);
@@ -87,6 +88,9 @@ export function notionPagesTrash(pageId, inTrash) {
 export function notionUsersMe() {
     return proxy('GET', '/v1/users/me');
 }
+export function notionUsersList(nextCursor, pageSize = 100) {
+    return proxy('GET', '/v1/users', { query: withDefined({ start_cursor: nextCursor, page_size: pageSize }) });
+}
 export function notionBlocksGet(blockId, nextCursor) {
     return proxy('GET', `/v1/blocks/${encodeURIComponent(blockId)}/children`, { query: withDefined({ start_cursor: nextCursor }) });
 }
@@ -99,6 +103,47 @@ export function notionBlocksDelete(blockId) {
 export function notionBlocksAppendChildren(blockId, children, position) {
     return proxy('PATCH', `/v1/blocks/${encodeURIComponent(blockId)}/children`, { body: withDefined({ children, position }) });
 }
+async function gateMultipartRequest(method, path, parts) {
+    const token = resolveCliToken();
+    if (!token) {
+        throw new EscliError('not authenticated', {
+            code: ErrorCode.AuthRequired,
+            exitCode: ExitCodes.Auth,
+            remediation: { command: 'escli auth login' },
+        });
+    }
+    const form = new FormData();
+    for (const part of parts) {
+        if (part.value instanceof Uint8Array) {
+            form.append(part.name, new File([part.value], part.filename ?? part.name, part.contentType ? { type: part.contentType } : undefined));
+        }
+        else {
+            form.append(part.name, part.value);
+        }
+    }
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), DEFAULT_TIMEOUT_MS);
+    try {
+        const response = await fetch(new URL('/v1/notion/proxy/multipart', gateUrl()), {
+            method: 'POST',
+            headers: { 'authorization': `Bearer ${token}`, 'accept': 'application/json', 'x-notion-proxy-method': method, 'x-notion-proxy-path': path },
+            body: form,
+            signal: controller.signal,
+        });
+        const payload = await parseJson(response);
+        if (!response.ok)
+            throw mapGateFailure(response.status, payload);
+        return normalizeGatePayload(payload);
+    }
+    catch (error) {
+        if (error instanceof EscliError)
+            throw error;
+        throw mapNetworkError(error);
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
 async function gateRequest(method, path, body) {
     const token = resolveCliToken();
     if (!token) {
@@ -259,6 +304,13 @@ function extractErrorMessage(body) {
     const root = recordValue(body);
     return stringValue(root?.message) ?? stringValue(root?.error) ?? stringValue(recordValue(root?.error)?.message);
 }
+function bytesFromFile(file) {
+    if (file instanceof Uint8Array)
+        return file;
+    if (file instanceof ArrayBuffer)
+        return new Uint8Array(file);
+    throw new EscliError('unsupported file upload payload', { code: ErrorCode.UsageInvalid, exitCode: ExitCodes.Usage });
+}
 function withDefined(input) {
     return Object.fromEntries(Object.entries(input).filter(([, value]) => value !== undefined));
 }