@fukuchang/taskchute-cli 0.1.0

package/dist/index.js

@@ -0,0 +1,2250 @@
+#!/usr/bin/env node
+import { Command } from 'commander';
+import { Entry } from '@napi-rs/keyring';
+import { input, password } from '@inquirer/prompts';
+import { createClient } from '@supabase/supabase-js';
+import { argon2id } from 'hash-wasm';
+import '@scure/bip39';
+import '@scure/bip39/wordlists/english.js';
+
+var KEYRING_SERVICE = "taskchute-cli";
+var KEYRING_ACCOUNT = "passphrase";
+var KeyringPassphraseStore = class {
+  get() {
+    try {
+      const entry = new Entry(KEYRING_SERVICE, KEYRING_ACCOUNT);
+      return entry.getPassword();
+    } catch {
+      return null;
+    }
+  }
+  set(passphrase) {
+    const entry = new Entry(KEYRING_SERVICE, KEYRING_ACCOUNT);
+    entry.setPassword(passphrase);
+  }
+  clear() {
+    try {
+      const entry = new Entry(KEYRING_SERVICE, KEYRING_ACCOUNT);
+      entry.deletePassword();
+    } catch {
+    }
+  }
+};
+
+// src/commands/lock.ts
+function lockCommand() {
+  return new Command("lock").description("keyring \u304B\u3089 E2EE passphrase \u3092\u524A\u9664\u3059\u308B (session \u306F\u7DAD\u6301)").action(() => {
+    new KeyringPassphraseStore().clear();
+    console.log("locked");
+  });
+}
+function createNodeSupabaseClient(config, options) {
+  return createClient(config.url, config.publishableKey, {
+    auth: {
+      storage: options.storage,
+      persistSession: true,
+      autoRefreshToken: true,
+      detectSessionInUrl: false
+    }
+  });
+}
+
+// ../infra-supabase/src/supabase-utils.ts
+async function getCurrentUserId(supabase) {
+  const { data, error } = await supabase.auth.getUser();
+  if (error) throw error;
+  if (!data.user) {
+    throw new Error("Not authenticated. Sign in to access this resource.");
+  }
+  return data.user.id;
+}
+function dateToIsoOrNull(date) {
+  return date ? date.toISOString() : null;
+}
+
+// ../crypto/src/bytes.ts
+function allocBytes(length) {
+  return new Uint8Array(new ArrayBuffer(length));
+}
+function randomBytes(length) {
+  const bytes = allocBytes(length);
+  crypto.getRandomValues(bytes);
+  return bytes;
+}
+function copyToArrayBuffer(source) {
+  const copy = allocBytes(source.byteLength);
+  copy.set(source);
+  return copy;
+}
+
+// ../crypto/src/aad.ts
+var TEXT_ENCODER = new TextEncoder();
+function buildAAD(ctx) {
+  const text = `${ctx.entityId}:${ctx.field}`;
+  return copyToArrayBuffer(TEXT_ENCODER.encode(text));
+}
+
+// ../crypto/src/base64url.ts
+function base64urlToBytes(s) {
+  if (!/^[A-Za-z0-9_-]*$/.test(s)) {
+    throw new Error("base64url payload contains characters outside the alphabet");
+  }
+  const standard = s.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = standard + "=".repeat((4 - standard.length % 4) % 4);
+  const binary = atob(padded);
+  const out = allocBytes(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    out[i] = binary.charCodeAt(i);
+  }
+  return out;
+}
+
+// ../crypto/src/bytea-codec.ts
+var HEX_RE = /^[0-9a-f]*$/i;
+function bytesToBytea(bytes) {
+  let hex = "";
+  for (const b of bytes) {
+    hex += b.toString(16).padStart(2, "0");
+  }
+  return `\\x${hex}`;
+}
+function byteaToBytes(bytea) {
+  if (!bytea.startsWith("\\x")) {
+    throw new Error(`expected bytea to start with \\x, got: ${bytea.slice(0, 8)}`);
+  }
+  const hex = bytea.slice(2);
+  if (hex.length % 2 !== 0) {
+    throw new Error(`bytea hex payload must have an even length, got ${hex.length}`);
+  }
+  if (!HEX_RE.test(hex)) {
+    throw new Error("bytea hex payload contains non-hex characters");
+  }
+  const bytes = allocBytes(hex.length / 2);
+  for (let i = 0; i < bytes.length; i++) {
+    bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+  }
+  return bytes;
+}
+
+// ../crypto/src/field-codec.ts
+async function encryptTextToWire(session, plaintext, ctx) {
+  const enc = await session.encryptText(plaintext, ctx);
+  return {
+    ciphertext: bytesToBytea(enc.ciphertext),
+    iv: bytesToBytea(enc.iv)
+  };
+}
+async function encryptOptionalTextToWire(session, plaintext, ctx) {
+  if (plaintext == null) return null;
+  return encryptTextToWire(session, plaintext, ctx);
+}
+async function decryptOptionalTextFromWire(session, ciphertext, iv, keyId, ctx) {
+  if (ciphertext == null || iv == null) return null;
+  if (keyId == null) {
+    throw new Error(
+      `decryptOptionalTextFromWire: row has ${ctx.field} ciphertext but key_id is null (${ctx.entityId})`
+    );
+  }
+  return session.decryptText(
+    { ciphertext: byteaToBytes(ciphertext), iv: byteaToBytes(iv), keyId },
+    ctx
+  );
+}
+async function decryptRequiredTextFromWire(session, ciphertext, iv, keyId, ctx) {
+  if (ciphertext == null || iv == null || keyId == null) {
+    throw new Error(
+      `decryptRequiredTextFromWire: row missing ciphertext / iv / key_id for ${ctx.field} (${ctx.entityId})`
+    );
+  }
+  return session.decryptText(
+    { ciphertext: byteaToBytes(ciphertext), iv: byteaToBytes(iv), keyId },
+    ctx
+  );
+}
+
+// ../crypto/src/crypto-types.ts
+var DEFAULT_ARGON2ID_PARAMS = {
+  memorySize: 65536,
+  iterations: 3,
+  parallelism: 4,
+  hashLength: 32
+};
+var LockedError = class extends Error {
+  constructor(message = "crypto session is locked") {
+    super(message);
+    this.name = "LockedError";
+  }
+};
+
+// ../crypto/src/key-derivation.ts
+async function deriveKeyMaterial(password4, salt, params = DEFAULT_ARGON2ID_PARAMS) {
+  const hash = await argon2id({
+    password: password4.normalize("NFC"),
+    salt,
+    parallelism: params.parallelism,
+    iterations: params.iterations,
+    memorySize: params.memorySize,
+    hashLength: params.hashLength,
+    outputType: "binary"
+  });
+  if (typeof hash === "string") throw new Error("argon2id returned string in binary mode");
+  return copyToArrayBuffer(hash);
+}
+async function importKEK(material) {
+  return crypto.subtle.importKey(
+    "raw",
+    material,
+    { name: "AES-GCM" },
+    false,
+    ["wrapKey", "unwrapKey"]
+  );
+}
+async function deriveKEK(password4, salt, params = DEFAULT_ARGON2ID_PARAMS) {
+  const material = await deriveKeyMaterial(password4, salt, params);
+  return importKEK(material);
+}
+
+// ../crypto/src/wrap.ts
+async function unwrapMasterKey(wrapped, iv, kek) {
+  return crypto.subtle.unwrapKey(
+    "raw",
+    wrapped,
+    kek,
+    { name: "AES-GCM", iv },
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+
+// ../crypto/src/crypto-session.ts
+var TEXT_ENCODER2 = new TextEncoder();
+var TEXT_DECODER = new TextDecoder();
+var CryptoSession = class {
+  masterKey = null;
+  currentKeyId = null;
+  listeners = /* @__PURE__ */ new Set();
+  isUnlocked() {
+    return this.masterKey !== null;
+  }
+  getCurrentKeyId() {
+    return this.currentKeyId;
+  }
+  /**
+   * Returns the unwrapped CryptoKey handle, or null when locked.
+   *
+   * Intended primarily for persistence adapters (e.g. IndexedDB) that need
+   * to structured-clone the key to outlive the React tree. The handle is
+   * still `extractable: false`, so this does not leak raw bytes.
+   */
+  getMasterKey() {
+    return this.masterKey;
+  }
+  /**
+   * Install an unlocked master key. The caller is responsible for obtaining
+   * a non-extractable CryptoKey (typically via `unwrapMasterKey`).
+   */
+  setMasterKey(masterKey, keyId) {
+    this.masterKey = masterKey;
+    this.currentKeyId = keyId;
+    this.notify();
+  }
+  /**
+   * Drop the master key handle. Subsequent encrypt/decrypt calls throw
+   * `LockedError` so that callers at the UI boundary can redirect to the
+   * unlock screen.
+   */
+  lock() {
+    this.masterKey = null;
+    this.currentKeyId = null;
+    this.notify();
+  }
+  /**
+   * Subscribe to lock / unlock transitions. The listener is invoked
+   * synchronously after `setMasterKey` or `lock` mutates the session.
+   *
+   * The signature is intentionally `() => void` so that `useSyncExternalStore`
+   * can plug straight in: React reads the latest snapshot via the getter
+   * functions (`isUnlocked`, `getCurrentKeyId`) on its own schedule.
+   *
+   * Returns an unsubscribe function. Idempotent — calling twice is fine.
+   */
+  subscribe(listener) {
+    this.listeners.add(listener);
+    return () => {
+      this.listeners.delete(listener);
+    };
+  }
+  notify() {
+    for (const listener of this.listeners) {
+      try {
+        listener();
+      } catch (error) {
+        console.error("CryptoSession listener threw during notify()", error);
+      }
+    }
+  }
+  /**
+   * Encrypt a text field with the active master key. The AAD binds the
+   * ciphertext to its (entity, field) coordinates: an attacker who can
+   * write to Supabase cannot graft one row's encrypted title onto another
+   * row, because the AAD will mismatch on decrypt.
+   */
+  async encryptText(plaintext, ctx) {
+    if (!this.masterKey || !this.currentKeyId) throw new LockedError();
+    const iv = randomBytes(12);
+    const buffer = await crypto.subtle.encrypt(
+      { name: "AES-GCM", iv, additionalData: buildAAD(ctx) },
+      this.masterKey,
+      TEXT_ENCODER2.encode(plaintext)
+    );
+    return {
+      ciphertext: new Uint8Array(buffer),
+      iv,
+      keyId: this.currentKeyId
+    };
+  }
+  /**
+   * Decrypt a previously encrypted text field. A mismatched AAD, IV, or
+   * ciphertext surfaces as an AES-GCM authentication failure
+   * (DOMException from `crypto.subtle.decrypt`); callers should treat any
+   * thrown error as "this row is corrupt or not ours".
+   */
+  async decryptText(encrypted, ctx) {
+    if (!this.masterKey) throw new LockedError();
+    const buffer = await crypto.subtle.decrypt(
+      { name: "AES-GCM", iv: encrypted.iv, additionalData: buildAAD(ctx) },
+      this.masterKey,
+      encrypted.ciphertext
+    );
+    return TEXT_DECODER.decode(buffer);
+  }
+};
+
+// ../crypto/src/user-keys-row-mapper.ts
+function buildPassphrase(row) {
+  if (!row.passphrase_salt || !row.passphrase_iv || !row.passphrase_wrapped || !row.passphrase_kdf_params) {
+    return null;
+  }
+  return {
+    salt: byteaToBytes(row.passphrase_salt),
+    iv: byteaToBytes(row.passphrase_iv),
+    wrapped: byteaToBytes(row.passphrase_wrapped),
+    kdfParams: row.passphrase_kdf_params
+  };
+}
+function buildRecovery(row) {
+  if (!row.recovery_salt || !row.recovery_iv || !row.recovery_wrapped || !row.recovery_kdf_params) {
+    return null;
+  }
+  return {
+    salt: byteaToBytes(row.recovery_salt),
+    iv: byteaToBytes(row.recovery_iv),
+    wrapped: byteaToBytes(row.recovery_wrapped),
+    kdfParams: row.recovery_kdf_params
+  };
+}
+function rowToUserKeysSnapshot(row) {
+  return {
+    currentKeyId: row.current_key_id,
+    passphrase: buildPassphrase(row),
+    recovery: buildRecovery(row),
+    passkeys: row.passkey_wraps ?? [],
+    isInitialized: row.is_initialized
+  };
+}
+
+// ../crypto/src/passkey.ts
+var PRF_INFO_LABEL = "taskchute-e2ee-kek-v1";
+var KEK_BITS = 256;
+async function prfOutputToKEKMaterial(prfOutput, hkdfSalt = new Uint8Array()) {
+  const key = await crypto.subtle.importKey("raw", prfOutput, "HKDF", false, ["deriveBits"]);
+  const bits = await crypto.subtle.deriveBits(
+    {
+      name: "HKDF",
+      hash: "SHA-256",
+      salt: hkdfSalt,
+      info: new TextEncoder().encode(PRF_INFO_LABEL)
+    },
+    key,
+    KEK_BITS
+  );
+  const out = allocBytes(KEK_BITS / 8);
+  out.set(new Uint8Array(bits));
+  return out;
+}
+async function mnemonicToKEKMaterial(mnemonic, salt, params = DEFAULT_ARGON2ID_PARAMS) {
+  return deriveKeyMaterial(normaliseMnemonic(mnemonic), salt, params);
+}
+function normaliseMnemonic(mnemonic) {
+  return mnemonic.normalize("NFC").toLowerCase().trim().split(/\s+/).join(" ");
+}
+
+// ../crypto/src/unlock-orchestrator.ts
+var UnlockError = class extends Error {
+  reason;
+  constructor(message, reason) {
+    super(message);
+    this.name = "UnlockError";
+    this.reason = reason;
+  }
+};
+async function unlockMasterKey(snapshot, method) {
+  switch (method.kind) {
+    case "passphrase": {
+      if (!snapshot.passphrase) {
+        throw new UnlockError("Passphrase envelope not configured", "no-envelope");
+      }
+      const kek = await deriveKEK(
+        method.passphrase,
+        snapshot.passphrase.salt,
+        snapshot.passphrase.kdfParams
+      );
+      try {
+        return await unwrapMasterKey(
+          snapshot.passphrase.wrapped,
+          snapshot.passphrase.iv,
+          kek
+        );
+      } catch {
+        throw new UnlockError("Wrong passphrase", "wrong-key");
+      }
+    }
+    case "recovery": {
+      if (!snapshot.recovery) {
+        throw new UnlockError("Recovery envelope not configured", "no-envelope");
+      }
+      const material = await mnemonicToKEKMaterial(
+        method.mnemonic,
+        snapshot.recovery.salt,
+        snapshot.recovery.kdfParams
+      );
+      const kek = await importKEK(material);
+      try {
+        return await unwrapMasterKey(
+          snapshot.recovery.wrapped,
+          snapshot.recovery.iv,
+          kek
+        );
+      } catch {
+        throw new UnlockError("Wrong recovery key", "wrong-key");
+      }
+    }
+    case "passkey": {
+      const wrap = findPasskeyWrap(snapshot.passkeys, method.credentialId);
+      if (!wrap) {
+        throw new UnlockError("Passkey credentialId not registered", "no-credential");
+      }
+      const material = await prfOutputToKEKMaterial(method.prfOutput);
+      const kek = await importKEK(material);
+      try {
+        return await unwrapMasterKey(
+          base64urlToBytes(wrap.wrapped),
+          base64urlToBytes(wrap.iv),
+          kek
+        );
+      } catch {
+        throw new UnlockError("Passkey PRF output did not unwrap", "wrong-key");
+      }
+    }
+  }
+}
+function findPasskeyWrap(wraps, credentialId) {
+  return wraps.find((w) => w.credentialId === credentialId);
+}
+
+// ../infra-supabase/src/supabase-context-repository.ts
+async function rowToContext(row, cryptoSession) {
+  const [name, description] = await Promise.all([
+    decryptRequiredTextFromWire(
+      cryptoSession,
+      row.name_ciphertext,
+      row.name_iv,
+      row.key_id,
+      { entityId: row.id, field: "name" }
+    ),
+    decryptOptionalTextFromWire(
+      cryptoSession,
+      row.description_ciphertext,
+      row.description_iv,
+      row.key_id,
+      { entityId: row.id, field: "description" }
+    )
+  ]);
+  const context = {
+    id: row.id,
+    name,
+    status: row.status,
+    createdAt: new Date(row.created_at),
+    updatedAt: new Date(row.updated_at)
+  };
+  if (row.icon !== null) context.icon = row.icon;
+  if (row.color !== null) context.color = row.color;
+  if (description !== null) context.description = description;
+  return context;
+}
+function nonEncryptedFieldsToRow(input2) {
+  const row = {};
+  if ("icon" in input2) row.icon = input2.icon ?? null;
+  if ("color" in input2) row.color = input2.color ?? null;
+  if ("status" in input2 && input2.status !== void 0) row.status = input2.status;
+  return row;
+}
+async function encryptContextFieldsInto(row, entityId, patch, cryptoSession) {
+  let touched = false;
+  if (patch.name !== void 0) {
+    const wire = await encryptTextToWire(cryptoSession, patch.name, {
+      entityId,
+      field: "name"
+    });
+    row.name_ciphertext = wire.ciphertext;
+    row.name_iv = wire.iv;
+    touched = true;
+  }
+  if ("description" in patch) {
+    const wire = await encryptOptionalTextToWire(cryptoSession, patch.description, {
+      entityId,
+      field: "description"
+    });
+    row.description_ciphertext = wire?.ciphertext ?? null;
+    row.description_iv = wire?.iv ?? null;
+    touched = true;
+  }
+  if (touched) {
+    const keyId = cryptoSession.getCurrentKeyId();
+    if (keyId === null) {
+      throw new Error("SupabaseContextRepository: session became locked mid-write");
+    }
+    row.key_id = keyId;
+  }
+}
+var SupabaseContextRepository = class {
+  supabase;
+  cryptoSession;
+  constructor(supabase, cryptoSession) {
+    this.supabase = supabase;
+    this.cryptoSession = cryptoSession;
+  }
+  async findAll(filter) {
+    let query = this.supabase.from("contexts").select("*");
+    if (filter?.status) query = query.eq("status", filter.status);
+    const { data, error } = await query.order("created_at", { ascending: true });
+    if (error) throw error;
+    return Promise.all(data.map((row) => rowToContext(row, this.cryptoSession)));
+  }
+  async findById(id) {
+    const { data, error } = await this.supabase.from("contexts").select("*").eq("id", id).maybeSingle();
+    if (error) throw error;
+    return data ? rowToContext(data, this.cryptoSession) : null;
+  }
+  async create(input2) {
+    const userId = await getCurrentUserId(this.supabase);
+    const id = crypto.randomUUID();
+    const row = nonEncryptedFieldsToRow(input2);
+    await encryptContextFieldsInto(
+      row,
+      id,
+      { name: input2.name, description: input2.description },
+      this.cryptoSession
+    );
+    const insert = {
+      ...row,
+      id,
+      user_id: userId
+    };
+    const { data, error } = await this.supabase.from("contexts").insert(insert).select().single();
+    if (error) throw error;
+    return rowToContext(data, this.cryptoSession);
+  }
+  async update(id, patch) {
+    const row = nonEncryptedFieldsToRow(patch);
+    await encryptContextFieldsInto(row, id, patch, this.cryptoSession);
+    const { data, error } = await this.supabase.from("contexts").update(row).eq("id", id).select().single();
+    if (error) throw error;
+    return rowToContext(data, this.cryptoSession);
+  }
+  async archive(id) {
+    return this.update(id, { status: "archived" });
+  }
+  async delete(id) {
+    const { error } = await this.supabase.from("contexts").delete().eq("id", id);
+    if (error) throw error;
+  }
+};
+
+// ../infra-supabase/src/supabase-project-repository.ts
+async function rowToProject(row, cryptoSession) {
+  const [name, description] = await Promise.all([
+    decryptRequiredTextFromWire(
+      cryptoSession,
+      row.name_ciphertext,
+      row.name_iv,
+      row.key_id,
+      { entityId: row.id, field: "name" }
+    ),
+    decryptOptionalTextFromWire(
+      cryptoSession,
+      row.description_ciphertext,
+      row.description_iv,
+      row.key_id,
+      { entityId: row.id, field: "description" }
+    )
+  ]);
+  const project = {
+    id: row.id,
+    name,
+    status: row.status,
+    createdAt: new Date(row.created_at),
+    updatedAt: new Date(row.updated_at)
+  };
+  if (description !== null) project.description = description;
+  if (row.color !== null) project.color = row.color;
+  if (row.parent_project_id !== null) project.parentProjectId = row.parent_project_id;
+  if (row.goal_id !== null) project.goalId = row.goal_id;
+  if (row.started_at !== null) project.startedAt = new Date(row.started_at);
+  if (row.target_end_date !== null) project.targetEndDate = new Date(row.target_end_date);
+  if (row.archived_at !== null) project.archivedAt = new Date(row.archived_at);
+  return project;
+}
+function nonEncryptedFieldsToRow2(input2) {
+  const row = {};
+  if ("color" in input2) row.color = input2.color ?? null;
+  if ("parentProjectId" in input2) row.parent_project_id = input2.parentProjectId ?? null;
+  if ("goalId" in input2) row.goal_id = input2.goalId ?? null;
+  if ("status" in input2 && input2.status !== void 0) row.status = input2.status;
+  if ("startedAt" in input2) row.started_at = dateToIsoOrNull(input2.startedAt);
+  if ("targetEndDate" in input2) row.target_end_date = dateToIsoOrNull(input2.targetEndDate);
+  if ("archivedAt" in input2) row.archived_at = dateToIsoOrNull(input2.archivedAt);
+  return row;
+}
+async function encryptProjectFieldsInto(row, entityId, patch, cryptoSession) {
+  let touched = false;
+  if (patch.name !== void 0) {
+    const wire = await encryptTextToWire(cryptoSession, patch.name, {
+      entityId,
+      field: "name"
+    });
+    row.name_ciphertext = wire.ciphertext;
+    row.name_iv = wire.iv;
+    touched = true;
+  }
+  if ("description" in patch) {
+    const wire = await encryptOptionalTextToWire(cryptoSession, patch.description, {
+      entityId,
+      field: "description"
+    });
+    row.description_ciphertext = wire?.ciphertext ?? null;
+    row.description_iv = wire?.iv ?? null;
+    touched = true;
+  }
+  if (touched) {
+    const keyId = cryptoSession.getCurrentKeyId();
+    if (keyId === null) {
+      throw new Error("SupabaseProjectRepository: session became locked mid-write");
+    }
+    row.key_id = keyId;
+  }
+}
+var SupabaseProjectRepository = class {
+  supabase;
+  cryptoSession;
+  constructor(supabase, cryptoSession) {
+    this.supabase = supabase;
+    this.cryptoSession = cryptoSession;
+  }
+  async findAll(filter) {
+    let query = this.supabase.from("projects").select("*");
+    if (filter?.status) query = query.eq("status", filter.status);
+    const { data, error } = await query.order("created_at", { ascending: true });
+    if (error) throw error;
+    return Promise.all(data.map((row) => rowToProject(row, this.cryptoSession)));
+  }
+  async findById(id) {
+    const { data, error } = await this.supabase.from("projects").select("*").eq("id", id).maybeSingle();
+    if (error) throw error;
+    return data ? rowToProject(data, this.cryptoSession) : null;
+  }
+  async create(input2) {
+    const userId = await getCurrentUserId(this.supabase);
+    const id = crypto.randomUUID();
+    const row = nonEncryptedFieldsToRow2(input2);
+    await encryptProjectFieldsInto(
+      row,
+      id,
+      { name: input2.name, description: input2.description },
+      this.cryptoSession
+    );
+    const insert = {
+      ...row,
+      id,
+      user_id: userId
+    };
+    const { data, error } = await this.supabase.from("projects").insert(insert).select().single();
+    if (error) throw error;
+    return rowToProject(data, this.cryptoSession);
+  }
+  async update(id, patch) {
+    const row = nonEncryptedFieldsToRow2(patch);
+    await encryptProjectFieldsInto(row, id, patch, this.cryptoSession);
+    const { data, error } = await this.supabase.from("projects").update(row).eq("id", id).select().single();
+    if (error) throw error;
+    return rowToProject(data, this.cryptoSession);
+  }
+  async archive(id) {
+    return this.update(id, { status: "archived", archivedAt: /* @__PURE__ */ new Date() });
+  }
+  async delete(id) {
+    const { error } = await this.supabase.from("projects").delete().eq("id", id);
+    if (error) throw error;
+  }
+};
+
+// ../infra-supabase/src/supabase-routine-repository.ts
+async function rowToRoutine(row, cryptoSession) {
+  const [title, description] = await Promise.all([
+    decryptRequiredTextFromWire(
+      cryptoSession,
+      row.title_ciphertext,
+      row.title_iv,
+      row.key_id,
+      { entityId: row.id, field: "title" }
+    ),
+    decryptOptionalTextFromWire(
+      cryptoSession,
+      row.description_ciphertext,
+      row.description_iv,
+      row.key_id,
+      { entityId: row.id, field: "description" }
+    )
+  ]);
+  const routine = {
+    id: row.id,
+    title,
+    estimatedSeconds: row.estimated_seconds,
+    tagIds: row.tag_ids,
+    frequency: row.frequency,
+    autoExpand: row.auto_expand,
+    status: row.status,
+    createdAt: new Date(row.created_at),
+    updatedAt: new Date(row.updated_at)
+  };
+  if (description !== null) routine.description = description;
+  if (row.project_id !== null) routine.projectId = row.project_id;
+  if (row.context_id !== null) routine.contextId = row.context_id;
+  if (row.default_scheduled_start_time !== null) {
+    routine.defaultScheduledStartTime = row.default_scheduled_start_time;
+  }
+  if (row.start_date !== null) routine.startDate = row.start_date;
+  if (row.end_date !== null) routine.endDate = row.end_date;
+  if (row.last_expanded_date !== null) routine.lastExpandedDate = row.last_expanded_date;
+  return routine;
+}
+function nonEncryptedFieldsToRow3(input2) {
+  const row = {};
+  if ("estimatedSeconds" in input2 && input2.estimatedSeconds !== void 0) {
+    row.estimated_seconds = input2.estimatedSeconds;
+  }
+  if ("projectId" in input2) row.project_id = input2.projectId ?? null;
+  if ("contextId" in input2) row.context_id = input2.contextId ?? null;
+  if ("tagIds" in input2 && input2.tagIds !== void 0) row.tag_ids = input2.tagIds;
+  if ("defaultScheduledStartTime" in input2) {
+    row.default_scheduled_start_time = input2.defaultScheduledStartTime ?? null;
+  }
+  if ("frequency" in input2 && input2.frequency !== void 0) {
+    row.frequency = input2.frequency;
+  }
+  if ("startDate" in input2) row.start_date = input2.startDate ?? null;
+  if ("endDate" in input2) row.end_date = input2.endDate ?? null;
+  if ("autoExpand" in input2 && input2.autoExpand !== void 0) {
+    row.auto_expand = input2.autoExpand;
+  }
+  if ("lastExpandedDate" in input2) {
+    row.last_expanded_date = input2.lastExpandedDate ?? null;
+  }
+  if ("status" in input2 && input2.status !== void 0) row.status = input2.status;
+  return row;
+}
+async function encryptRoutineFieldsInto(row, entityId, patch, cryptoSession) {
+  let touched = false;
+  if (patch.title !== void 0) {
+    const wire = await encryptTextToWire(cryptoSession, patch.title, {
+      entityId,
+      field: "title"
+    });
+    row.title_ciphertext = wire.ciphertext;
+    row.title_iv = wire.iv;
+    touched = true;
+  }
+  if ("description" in patch) {
+    const wire = await encryptOptionalTextToWire(cryptoSession, patch.description, {
+      entityId,
+      field: "description"
+    });
+    row.description_ciphertext = wire?.ciphertext ?? null;
+    row.description_iv = wire?.iv ?? null;
+    touched = true;
+  }
+  if (touched) {
+    const keyId = cryptoSession.getCurrentKeyId();
+    if (keyId === null) {
+      throw new Error("SupabaseRoutineRepository: session became locked mid-write");
+    }
+    row.key_id = keyId;
+  }
+}
+var SupabaseRoutineRepository = class {
+  supabase;
+  cryptoSession;
+  constructor(supabase, cryptoSession) {
+    this.supabase = supabase;
+    this.cryptoSession = cryptoSession;
+  }
+  async findAll(filter) {
+    let query = this.supabase.from("routines").select("*");
+    if (filter?.status) query = query.eq("status", filter.status);
+    const { data, error } = await query.order("created_at", { ascending: true });
+    if (error) throw error;
+    return Promise.all(data.map((row) => rowToRoutine(row, this.cryptoSession)));
+  }
+  async findById(id) {
+    const { data, error } = await this.supabase.from("routines").select("*").eq("id", id).maybeSingle();
+    if (error) throw error;
+    return data ? rowToRoutine(data, this.cryptoSession) : null;
+  }
+  async create(input2) {
+    const userId = await getCurrentUserId(this.supabase);
+    const id = crypto.randomUUID();
+    const row = nonEncryptedFieldsToRow3(input2);
+    await encryptRoutineFieldsInto(
+      row,
+      id,
+      { title: input2.title, description: input2.description },
+      this.cryptoSession
+    );
+    const insert = {
+      ...row,
+      id,
+      user_id: userId,
+      // CreateRoutineInput requires `frequency`; non-encrypted writer keeps
+      // it under `frequency`, but the insert path needs it typed at the
+      // call site.
+      frequency: input2.frequency
+    };
+    const { data, error } = await this.supabase.from("routines").insert(insert).select().single();
+    if (error) throw error;
+    return rowToRoutine(data, this.cryptoSession);
+  }
+  async update(id, patch) {
+    const row = nonEncryptedFieldsToRow3(patch);
+    await encryptRoutineFieldsInto(row, id, patch, this.cryptoSession);
+    const { data, error } = await this.supabase.from("routines").update(row).eq("id", id).select().single();
+    if (error) throw error;
+    return rowToRoutine(data, this.cryptoSession);
+  }
+  async archive(id) {
+    return this.update(id, { status: "archived" });
+  }
+  async delete(id) {
+    const { error } = await this.supabase.from("routines").delete().eq("id", id);
+    if (error) throw error;
+  }
+};
+
+// ../infra-supabase/src/supabase-tag-repository.ts
+async function rowToTag(row, cryptoSession) {
+  const [name, description] = await Promise.all([
+    decryptRequiredTextFromWire(
+      cryptoSession,
+      row.name_ciphertext,
+      row.name_iv,
+      row.key_id,
+      { entityId: row.id, field: "name" }
+    ),
+    decryptOptionalTextFromWire(
+      cryptoSession,
+      row.description_ciphertext,
+      row.description_iv,
+      row.key_id,
+      { entityId: row.id, field: "description" }
+    )
+  ]);
+  const tag = {
+    id: row.id,
+    name,
+    status: row.status,
+    createdAt: new Date(row.created_at),
+    updatedAt: new Date(row.updated_at)
+  };
+  if (row.color !== null) tag.color = row.color;
+  if (description !== null) tag.description = description;
+  return tag;
+}
+function nonEncryptedFieldsToRow4(input2) {
+  const row = {};
+  if ("color" in input2) row.color = input2.color ?? null;
+  if ("status" in input2 && input2.status !== void 0) row.status = input2.status;
+  return row;
+}
+async function encryptTagFieldsInto(row, entityId, patch, cryptoSession) {
+  let touched = false;
+  if (patch.name !== void 0) {
+    const wire = await encryptTextToWire(cryptoSession, patch.name, {
+      entityId,
+      field: "name"
+    });
+    row.name_ciphertext = wire.ciphertext;
+    row.name_iv = wire.iv;
+    touched = true;
+  }
+  if ("description" in patch) {
+    const wire = await encryptOptionalTextToWire(cryptoSession, patch.description, {
+      entityId,
+      field: "description"
+    });
+    row.description_ciphertext = wire?.ciphertext ?? null;
+    row.description_iv = wire?.iv ?? null;
+    touched = true;
+  }
+  if (touched) {
+    const keyId = cryptoSession.getCurrentKeyId();
+    if (keyId === null) {
+      throw new Error("SupabaseTagRepository: session became locked mid-write");
+    }
+    row.key_id = keyId;
+  }
+}
+var SupabaseTagRepository = class {
+  supabase;
+  cryptoSession;
+  constructor(supabase, cryptoSession) {
+    this.supabase = supabase;
+    this.cryptoSession = cryptoSession;
+  }
+  async findAll(filter) {
+    let query = this.supabase.from("tags").select("*");
+    if (filter?.status) query = query.eq("status", filter.status);
+    const { data, error } = await query.order("created_at", { ascending: true });
+    if (error) throw error;
+    return Promise.all(data.map((row) => rowToTag(row, this.cryptoSession)));
+  }
+  async findById(id) {
+    const { data, error } = await this.supabase.from("tags").select("*").eq("id", id).maybeSingle();
+    if (error) throw error;
+    return data ? rowToTag(data, this.cryptoSession) : null;
+  }
+  async create(input2) {
+    const userId = await getCurrentUserId(this.supabase);
+    const id = crypto.randomUUID();
+    const row = nonEncryptedFieldsToRow4(input2);
+    await encryptTagFieldsInto(
+      row,
+      id,
+      { name: input2.name, description: input2.description },
+      this.cryptoSession
+    );
+    const insert = {
+      ...row,
+      id,
+      user_id: userId
+    };
+    const { data, error } = await this.supabase.from("tags").insert(insert).select().single();
+    if (error) throw error;
+    return rowToTag(data, this.cryptoSession);
+  }
+  async update(id, patch) {
+    const row = nonEncryptedFieldsToRow4(patch);
+    await encryptTagFieldsInto(row, id, patch, this.cryptoSession);
+    const { data, error } = await this.supabase.from("tags").update(row).eq("id", id).select().single();
+    if (error) throw error;
+    return rowToTag(data, this.cryptoSession);
+  }
+  async archive(id) {
+    return this.update(id, { status: "archived" });
+  }
+  async delete(id) {
+    const { error } = await this.supabase.from("tags").delete().eq("id", id);
+    if (error) throw error;
+  }
+};
+
+// ../infra-supabase/src/supabase-task-note-repository.ts
+async function rowToTaskNote(row, cryptoSession) {
+  const [body, metaJson, historyJson] = await Promise.all([
+    decryptRequiredTextFromWire(
+      cryptoSession,
+      row.body_ciphertext,
+      row.body_iv,
+      row.key_id,
+      { entityId: row.id, field: "body" }
+    ),
+    decryptOptionalTextFromWire(
+      cryptoSession,
+      row.metadata_ciphertext,
+      row.metadata_iv,
+      row.key_id,
+      { entityId: row.id, field: "metadata" }
+    ),
+    decryptOptionalTextFromWire(
+      cryptoSession,
+      row.edit_history_ciphertext,
+      row.edit_history_iv,
+      row.key_id,
+      { entityId: row.id, field: "edit_history" }
+    )
+  ]);
+  const metadata = metaJson !== null ? JSON.parse(metaJson) : null;
+  let editHistory = null;
+  if (historyJson !== null) {
+    const stored = JSON.parse(historyJson);
+    editHistory = stored.map((e) => ({
+      at: new Date(e.at),
+      previousBody: e.previous_body
+    }));
+  }
+  const note = {
+    id: row.id,
+    taskId: row.task_id,
+    type: row.type,
+    body,
+    createdAt: new Date(row.created_at),
+    updatedAt: new Date(row.updated_at)
+  };
+  if (metadata !== null) {
+    note.metadata = metadata;
+  }
+  if (row.edited_at !== null) {
+    note.editedAt = new Date(row.edited_at);
+  }
+  if (editHistory !== null) {
+    note.editHistory = editHistory;
+  }
+  return note;
+}
+function historyToStored(history) {
+  return history.map((e) => ({ at: e.at.toISOString(), previous_body: e.previousBody }));
+}
+function nonEncryptedFieldsToRow5(input2) {
+  const row = {};
+  if ("taskId" in input2 && input2.taskId !== void 0) row.task_id = input2.taskId;
+  if ("type" in input2 && input2.type !== void 0) row.type = input2.type;
+  if ("editedAt" in input2) {
+    row.edited_at = input2.editedAt ? input2.editedAt.toISOString() : null;
+  }
+  return row;
+}
+async function encryptTaskNoteFieldsInto(row, entityId, patch, cryptoSession) {
+  let touched = false;
+  if (patch.body !== void 0) {
+    const wire = await encryptTextToWire(cryptoSession, patch.body, {
+      entityId,
+      field: "body"
+    });
+    row.body_ciphertext = wire.ciphertext;
+    row.body_iv = wire.iv;
+    touched = true;
+  }
+  if ("metadata" in patch) {
+    const serialized = patch.metadata === void 0 ? null : JSON.stringify(patch.metadata);
+    const wire = await encryptOptionalTextToWire(cryptoSession, serialized, {
+      entityId,
+      field: "metadata"
+    });
+    row.metadata_ciphertext = wire?.ciphertext ?? null;
+    row.metadata_iv = wire?.iv ?? null;
+    touched = true;
+  }
+  if ("editHistory" in patch) {
+    const stored = patch.editHistory === void 0 ? null : historyToStored(patch.editHistory);
+    const serialized = stored === null ? null : JSON.stringify(stored);
+    const wire = await encryptOptionalTextToWire(cryptoSession, serialized, {
+      entityId,
+      field: "edit_history"
+    });
+    row.edit_history_ciphertext = wire?.ciphertext ?? null;
+    row.edit_history_iv = wire?.iv ?? null;
+    touched = true;
+  }
+  if (touched) {
+    const keyId = cryptoSession.getCurrentKeyId();
+    if (keyId === null) {
+      throw new Error(
+        "SupabaseTaskNoteRepository: session became locked mid-write"
+      );
+    }
+    row.key_id = keyId;
+  }
+}
+var SupabaseTaskNoteRepository = class {
+  supabase;
+  cryptoSession;
+  constructor(supabase, cryptoSession) {
+    this.supabase = supabase;
+    this.cryptoSession = cryptoSession;
+  }
+  async findByTaskId(taskId, filter) {
+    let query = this.supabase.from("task_notes").select("*").eq("task_id", taskId).order("created_at", { ascending: true });
+    if (filter?.type !== void 0) {
+      query = query.eq("type", filter.type);
+    }
+    const { data, error } = await query;
+    if (error) throw error;
+    return Promise.all(data.map((row) => rowToTaskNote(row, this.cryptoSession)));
+  }
+  async findByTaskIds(taskIds) {
+    const result = /* @__PURE__ */ new Map();
+    for (const id of taskIds) result.set(id, []);
+    if (taskIds.length === 0) return result;
+    const { data, error } = await this.supabase.from("task_notes").select("*").in("task_id", taskIds).order("created_at", { ascending: true });
+    if (error) throw error;
+    const decoded = await Promise.all(
+      data.map((row) => rowToTaskNote(row, this.cryptoSession))
+    );
+    for (const note of decoded) {
+      const bucket = result.get(note.taskId);
+      if (bucket) bucket.push(note);
+    }
+    return result;
+  }
+  async findById(id) {
+    const { data, error } = await this.supabase.from("task_notes").select("*").eq("id", id).maybeSingle();
+    if (error) throw error;
+    return data ? rowToTaskNote(data, this.cryptoSession) : null;
+  }
+  async create(input2) {
+    const userId = await getCurrentUserId(this.supabase);
+    const id = crypto.randomUUID();
+    const row = nonEncryptedFieldsToRow5(input2);
+    await encryptTaskNoteFieldsInto(
+      row,
+      id,
+      { body: input2.body, metadata: input2.metadata, editHistory: input2.editHistory },
+      this.cryptoSession
+    );
+    const insert = {
+      ...row,
+      id,
+      user_id: userId,
+      task_id: input2.taskId,
+      type: input2.type
+    };
+    const { data, error } = await this.supabase.from("task_notes").insert(insert).select().single();
+    if (error) throw error;
+    return rowToTaskNote(data, this.cryptoSession);
+  }
+  async update(id, patch) {
+    const row = nonEncryptedFieldsToRow5(patch);
+    await encryptTaskNoteFieldsInto(row, id, patch, this.cryptoSession);
+    const { data, error } = await this.supabase.from("task_notes").update(row).eq("id", id).select().single();
+    if (error) throw error;
+    return rowToTaskNote(data, this.cryptoSession);
+  }
+  async delete(id) {
+    const { error } = await this.supabase.from("task_notes").delete().eq("id", id);
+    if (error) throw error;
+  }
+};
+
+// ../infra-supabase/src/supabase-task-repository.ts
+async function rowToTask(row, cryptoSession) {
+  const [title, description] = await Promise.all([
+    decryptRequiredTextFromWire(
+      cryptoSession,
+      row.title_ciphertext,
+      row.title_iv,
+      row.key_id,
+      { entityId: row.id, field: "title" }
+    ),
+    decryptOptionalTextFromWire(
+      cryptoSession,
+      row.description_ciphertext,
+      row.description_iv,
+      row.key_id,
+      { entityId: row.id, field: "description" }
+    )
+  ]);
+  const sessions = row.sessions.map((s) => ({
+    startedAt: new Date(s.started_at),
+    finishedAt: new Date(s.finished_at)
+  }));
+  const task = {
+    id: row.id,
+    date: row.date,
+    title,
+    estimatedSeconds: row.estimated_seconds,
+    sessions,
+    status: row.status,
+    orderIndex: row.order_index,
+    tagIds: row.tag_ids,
+    createdAt: new Date(row.created_at),
+    updatedAt: new Date(row.updated_at)
+  };
+  if (description !== null) task.description = description;
+  if (row.scheduled_start_time !== null) task.scheduledStartTime = row.scheduled_start_time;
+  if (row.actual_start_time !== null) task.actualStartTime = row.actual_start_time;
+  if (row.current_session) {
+    const cs = row.current_session;
+    task.currentSession = { startedAt: new Date(cs.started_at) };
+  }
+  if (row.is_background !== null) task.isBackground = row.is_background;
+  if (row.project_id !== null) task.projectId = row.project_id;
+  if (row.routine_id !== null) task.routineId = row.routine_id;
+  if (row.context_id !== null) task.contextId = row.context_id;
+  if (row.split_from_task_id !== null) task.splitFromTaskId = row.split_from_task_id;
+  if (row.notify_at_scheduled_start) task.notifyAtScheduledStart = true;
+  return task;
+}
+function nonEncryptedFieldsToRow6(input2) {
+  const row = {};
+  if ("date" in input2 && input2.date !== void 0) row.date = input2.date;
+  if ("estimatedSeconds" in input2 && input2.estimatedSeconds !== void 0) {
+    row.estimated_seconds = input2.estimatedSeconds;
+  }
+  if ("scheduledStartTime" in input2) {
+    row.scheduled_start_time = input2.scheduledStartTime ?? null;
+  }
+  if ("actualStartTime" in input2) {
+    row.actual_start_time = input2.actualStartTime ?? null;
+  }
+  if ("currentSession" in input2) {
+    row.current_session = input2.currentSession ? { started_at: input2.currentSession.startedAt.toISOString() } : null;
+  }
+  if ("sessions" in input2 && input2.sessions !== void 0) {
+    row.sessions = input2.sessions.map((s) => ({
+      started_at: s.startedAt.toISOString(),
+      finished_at: s.finishedAt.toISOString()
+    }));
+  }
+  if ("status" in input2 && input2.status !== void 0) row.status = input2.status;
+  if ("orderIndex" in input2 && input2.orderIndex !== void 0) {
+    row.order_index = input2.orderIndex;
+  }
+  if ("isBackground" in input2) row.is_background = input2.isBackground ?? null;
+  if ("projectId" in input2) row.project_id = input2.projectId ?? null;
+  if ("routineId" in input2) row.routine_id = input2.routineId ?? null;
+  if ("contextId" in input2) row.context_id = input2.contextId ?? null;
+  if ("tagIds" in input2 && input2.tagIds !== void 0) row.tag_ids = input2.tagIds;
+  if ("splitFromTaskId" in input2) {
+    row.split_from_task_id = input2.splitFromTaskId ?? null;
+  }
+  if ("notifyAtScheduledStart" in input2) {
+    row.notify_at_scheduled_start = input2.notifyAtScheduledStart ?? false;
+  }
+  return row;
+}
+async function encryptTaskFieldsInto(row, entityId, patch, cryptoSession) {
+  let touched = false;
+  if (patch.title !== void 0) {
+    const wire = await encryptTextToWire(cryptoSession, patch.title, {
+      entityId,
+      field: "title"
+    });
+    row.title_ciphertext = wire.ciphertext;
+    row.title_iv = wire.iv;
+    touched = true;
+  }
+  if ("description" in patch) {
+    const wire = await encryptOptionalTextToWire(cryptoSession, patch.description, {
+      entityId,
+      field: "description"
+    });
+    row.description_ciphertext = wire?.ciphertext ?? null;
+    row.description_iv = wire?.iv ?? null;
+    touched = true;
+  }
+  if (touched) {
+    const keyId = cryptoSession.getCurrentKeyId();
+    if (keyId === null) {
+      throw new Error("SupabaseTaskRepository: session became locked mid-write");
+    }
+    row.key_id = keyId;
+  }
+}
+var SupabaseTaskRepository = class {
+  supabase;
+  cryptoSession;
+  constructor(supabase, cryptoSession) {
+    this.supabase = supabase;
+    this.cryptoSession = cryptoSession;
+  }
+  async findById(id) {
+    const { data, error } = await this.supabase.from("tasks").select("*").eq("id", id).maybeSingle();
+    if (error) throw error;
+    return data ? rowToTask(data, this.cryptoSession) : null;
+  }
+  async findByDate(date) {
+    const { data, error } = await this.supabase.from("tasks").select("*").eq("date", date).order("order_index", { ascending: true });
+    if (error) throw error;
+    return Promise.all(data.map((row) => rowToTask(row, this.cryptoSession)));
+  }
+  async findByRoutineIdFromDate(routineId, fromDate) {
+    const { data, error } = await this.supabase.from("tasks").select("*").eq("routine_id", routineId).gte("date", fromDate).order("date", { ascending: true });
+    if (error) throw error;
+    return Promise.all(data.map((row) => rowToTask(row, this.cryptoSession)));
+  }
+  async findFromDate(fromDate) {
+    const { data, error } = await this.supabase.from("tasks").select("*").gte("date", fromDate).order("updated_at", { ascending: false });
+    if (error) throw error;
+    return Promise.all(data.map((row) => rowToTask(row, this.cryptoSession)));
+  }
+  async create(input2) {
+    const userId = await getCurrentUserId(this.supabase);
+    const id = crypto.randomUUID();
+    const row = nonEncryptedFieldsToRow6(input2);
+    await encryptTaskFieldsInto(
+      row,
+      id,
+      { title: input2.title, description: input2.description },
+      this.cryptoSession
+    );
+    const insert = {
+      ...row,
+      id,
+      user_id: userId,
+      date: input2.date
+    };
+    const { data, error } = await this.supabase.from("tasks").insert(insert).select().single();
+    if (error) throw error;
+    return rowToTask(data, this.cryptoSession);
+  }
+  async update(id, patch) {
+    const row = nonEncryptedFieldsToRow6(patch);
+    await encryptTaskFieldsInto(row, id, patch, this.cryptoSession);
+    const { data, error } = await this.supabase.from("tasks").update(row).eq("id", id).select().single();
+    if (error) throw error;
+    return rowToTask(data, this.cryptoSession);
+  }
+  async delete(id) {
+    const { error } = await this.supabase.from("tasks").delete().eq("id", id);
+    if (error) throw error;
+  }
+};
+
+// ../infra-supabase/src/supabase-time-block-repository.ts
+async function rowToTimeBlock(row, cryptoSession) {
+  const name = await decryptRequiredTextFromWire(
+    cryptoSession,
+    row.name_ciphertext,
+    row.name_iv,
+    row.key_id,
+    { entityId: row.id, field: "name" }
+  );
+  const block = {
+    id: row.id,
+    name,
+    startTime: row.start_time,
+    endTime: row.end_time,
+    weekdays: row.weekdays,
+    status: row.status,
+    createdAt: new Date(row.created_at),
+    updatedAt: new Date(row.updated_at)
+  };
+  if (row.default_project_id !== null) block.defaultProjectId = row.default_project_id;
+  if (row.default_context_id !== null) block.defaultContextId = row.default_context_id;
+  if (row.default_tag_ids.length > 0) block.defaultTagIds = row.default_tag_ids;
+  if (row.color !== null) block.color = row.color;
+  if (row.start_date !== null) block.startDate = row.start_date;
+  if (row.end_date !== null) block.endDate = row.end_date;
+  return block;
+}
+function nonEncryptedFieldsToRow7(input2) {
+  const row = {};
+  if ("startTime" in input2 && input2.startTime !== void 0) row.start_time = input2.startTime;
+  if ("endTime" in input2 && input2.endTime !== void 0) row.end_time = input2.endTime;
+  if ("weekdays" in input2 && input2.weekdays !== void 0) row.weekdays = input2.weekdays;
+  if ("defaultProjectId" in input2) {
+    row.default_project_id = input2.defaultProjectId ?? null;
+  }
+  if ("defaultContextId" in input2) {
+    row.default_context_id = input2.defaultContextId ?? null;
+  }
+  if ("defaultTagIds" in input2) {
+    row.default_tag_ids = input2.defaultTagIds ?? [];
+  }
+  if ("color" in input2) row.color = input2.color ?? null;
+  if ("status" in input2 && input2.status !== void 0) row.status = input2.status;
+  if ("startDate" in input2) row.start_date = input2.startDate ?? null;
+  if ("endDate" in input2) row.end_date = input2.endDate ?? null;
+  return row;
+}
+async function encryptTimeBlockFieldsInto(row, entityId, patch, cryptoSession) {
+  if (patch.name === void 0) return;
+  const wire = await encryptTextToWire(cryptoSession, patch.name, {
+    entityId,
+    field: "name"
+  });
+  row.name_ciphertext = wire.ciphertext;
+  row.name_iv = wire.iv;
+  const keyId = cryptoSession.getCurrentKeyId();
+  if (keyId === null) {
+    throw new Error("SupabaseTimeBlockRepository: session became locked mid-write");
+  }
+  row.key_id = keyId;
+}
+var SupabaseTimeBlockRepository = class {
+  supabase;
+  cryptoSession;
+  constructor(supabase, cryptoSession) {
+    this.supabase = supabase;
+    this.cryptoSession = cryptoSession;
+  }
+  async findAll(filter) {
+    let query = this.supabase.from("time_blocks").select("*");
+    if (filter?.status) query = query.eq("status", filter.status);
+    const { data, error } = await query.order("start_time", { ascending: true });
+    if (error) throw error;
+    return Promise.all(data.map((row) => rowToTimeBlock(row, this.cryptoSession)));
+  }
+  async findById(id) {
+    const { data, error } = await this.supabase.from("time_blocks").select("*").eq("id", id).maybeSingle();
+    if (error) throw error;
+    return data ? rowToTimeBlock(data, this.cryptoSession) : null;
+  }
+  async create(input2) {
+    const userId = await getCurrentUserId(this.supabase);
+    const id = crypto.randomUUID();
+    const row = nonEncryptedFieldsToRow7(input2);
+    await encryptTimeBlockFieldsInto(row, id, { name: input2.name }, this.cryptoSession);
+    const insert = {
+      ...row,
+      id,
+      user_id: userId,
+      start_time: input2.startTime,
+      end_time: input2.endTime
+    };
+    const { data, error } = await this.supabase.from("time_blocks").insert(insert).select().single();
+    if (error) throw error;
+    return rowToTimeBlock(data, this.cryptoSession);
+  }
+  async update(id, patch) {
+    const row = nonEncryptedFieldsToRow7(patch);
+    await encryptTimeBlockFieldsInto(row, id, patch, this.cryptoSession);
+    const { data, error } = await this.supabase.from("time_blocks").update(row).eq("id", id).select().single();
+    if (error) throw error;
+    return rowToTimeBlock(data, this.cryptoSession);
+  }
+  async archive(id) {
+    return this.update(id, { status: "archived" });
+  }
+  async delete(id) {
+    const { error } = await this.supabase.from("time_blocks").delete().eq("id", id);
+    if (error) throw error;
+  }
+};
+
+// ../infra-supabase/src/supabase-user-keys-repository.ts
+var SupabaseUserKeysRepository = class {
+  supabase;
+  constructor(supabase) {
+    this.supabase = supabase;
+  }
+  async requireUserId() {
+    const { data, error } = await this.supabase.auth.getUser();
+    if (error) throw error;
+    if (!data.user) throw new Error("not authenticated");
+    return data.user.id;
+  }
+  async getOwn() {
+    const { data, error } = await this.supabase.from("user_keys").select("*").maybeSingle();
+    if (error) throw error;
+    if (!data) return null;
+    return rowToUserKeysSnapshot(data);
+  }
+  async initialize(input2) {
+    const userId = await this.requireUserId();
+    const { data, error } = await this.supabase.from("user_keys").upsert(
+      {
+        user_id: userId,
+        current_key_id: input2.currentKeyId,
+        passphrase_salt: bytesToBytea(input2.passphrase.salt),
+        passphrase_iv: bytesToBytea(input2.passphrase.iv),
+        passphrase_wrapped: bytesToBytea(input2.passphrase.wrapped),
+        // The database.types.ts JSONB columns are widened to `Json`. Our
+        // domain types (Argon2idParams, PasskeyWrapEnvelope) are interfaces
+        // without an index signature, so TS rejects the direct assignment.
+        // Cast at the boundary — repositories own the narrow shape.
+        passphrase_kdf_params: input2.passphrase.kdfParams,
+        recovery_salt: bytesToBytea(input2.recovery.salt),
+        recovery_iv: bytesToBytea(input2.recovery.iv),
+        recovery_wrapped: bytesToBytea(input2.recovery.wrapped),
+        recovery_kdf_params: input2.recovery.kdfParams,
+        passkey_wraps: input2.passkeys ?? [],
+        is_initialized: true
+      },
+      { onConflict: "user_id" }
+    ).select("*").single();
+    if (error) throw error;
+    return rowToUserKeysSnapshot(data);
+  }
+  async updatePassphrase(envelope) {
+    const userId = await this.requireUserId();
+    const { error } = await this.supabase.from("user_keys").update({
+      passphrase_salt: bytesToBytea(envelope.salt),
+      passphrase_iv: bytesToBytea(envelope.iv),
+      passphrase_wrapped: bytesToBytea(envelope.wrapped),
+      passphrase_kdf_params: envelope.kdfParams
+    }).eq("user_id", userId);
+    if (error) throw error;
+  }
+  async updateRecovery(envelope) {
+    const userId = await this.requireUserId();
+    const { error } = await this.supabase.from("user_keys").update({
+      recovery_salt: bytesToBytea(envelope.salt),
+      recovery_iv: bytesToBytea(envelope.iv),
+      recovery_wrapped: bytesToBytea(envelope.wrapped),
+      recovery_kdf_params: envelope.kdfParams
+    }).eq("user_id", userId);
+    if (error) throw error;
+  }
+  async addPasskey(wrap) {
+    const userId = await this.requireUserId();
+    const { data, error: readErr } = await this.supabase.from("user_keys").select("passkey_wraps").eq("user_id", userId).maybeSingle();
+    if (readErr) throw readErr;
+    const current = data?.passkey_wraps ?? [];
+    if (current.some((w) => w.credentialId === wrap.credentialId)) {
+      throw new Error(`passkey credentialId already registered: ${wrap.credentialId}`);
+    }
+    const next = [...current, wrap];
+    const { error } = await this.supabase.from("user_keys").update({ passkey_wraps: next }).eq("user_id", userId);
+    if (error) throw error;
+  }
+  async removePasskey(credentialId) {
+    const userId = await this.requireUserId();
+    const { data, error: readErr } = await this.supabase.from("user_keys").select("passkey_wraps").eq("user_id", userId).maybeSingle();
+    if (readErr) throw readErr;
+    const current = data?.passkey_wraps ?? [];
+    const next = current.filter((w) => w.credentialId !== credentialId);
+    if (next.length === current.length) return;
+    const { error } = await this.supabase.from("user_keys").update({ passkey_wraps: next }).eq("user_id", userId);
+    if (error) throw error;
+  }
+};
+
+// ../domain/src/shared/date.ts
+function toDateString(date) {
+  const year = date.getFullYear();
+  const month = String(date.getMonth() + 1).padStart(2, "0");
+  const day = String(date.getDate()).padStart(2, "0");
+  return `${year}-${month}-${day}`;
+}
+function todayDateString() {
+  return toDateString(/* @__PURE__ */ new Date());
+}
+function toTimeString(date) {
+  const hours = String(date.getHours()).padStart(2, "0");
+  const minutes = String(date.getMinutes()).padStart(2, "0");
+  return `${hours}:${minutes}`;
+}
+
+// ../domain/src/task-operations.ts
+async function startTask(repo, taskId) {
+  const task = await repo.findById(taskId);
+  if (!task) throw new Error(`Task not found: ${taskId}`);
+  if (task.status === "running") return task;
+  const now = /* @__PURE__ */ new Date();
+  const patch = {
+    status: "running",
+    currentSession: { startedAt: now }
+  };
+  if (!task.actualStartTime) {
+    patch.actualStartTime = toTimeString(now);
+  }
+  return repo.update(taskId, patch);
+}
+async function pauseTask(repo, taskId) {
+  const task = await repo.findById(taskId);
+  if (!task) throw new Error(`Task not found: ${taskId}`);
+  if (!task.currentSession) {
+    throw new Error(`Task is not currently running: ${taskId}`);
+  }
+  const newSession = {
+    startedAt: task.currentSession.startedAt,
+    finishedAt: /* @__PURE__ */ new Date()
+  };
+  return repo.update(taskId, {
+    status: "paused",
+    sessions: [...task.sessions, newSession],
+    currentSession: void 0
+  });
+}
+async function completeTask(repo, taskId) {
+  const task = await repo.findById(taskId);
+  if (!task) throw new Error(`Task not found: ${taskId}`);
+  const updates = { status: "completed" };
+  if (task.currentSession) {
+    updates.sessions = [
+      ...task.sessions,
+      {
+        startedAt: task.currentSession.startedAt,
+        finishedAt: /* @__PURE__ */ new Date()
+      }
+    ];
+    updates.currentSession = void 0;
+  }
+  return repo.update(taskId, updates);
+}
+
+// ../domain/src/task-reorder.ts
+function computeNextOrderIndex(existingTasks) {
+  if (existingTasks.length === 0) return 10;
+  const max = existingTasks.reduce(
+    (acc, t) => t.orderIndex > acc ? t.orderIndex : acc,
+    0
+  );
+  return max + 10;
+}
+
+// ../domain/src/task-change-log.ts
+function describeStatusTransition(from, to) {
+  if (from === "planned" && to === "running") return "\u958B\u59CB";
+  if (from === "paused" && to === "running") return "\u518D\u958B";
+  if (from === "running" && to === "paused") return "\u4E00\u6642\u505C\u6B62";
+  if (to === "completed") return "\u5B8C\u4E86";
+  if (to === "skipped") return "\u30B9\u30AD\u30C3\u30D7";
+  if (to === "planned") return "\u672A\u7740\u624B\u306B\u623B\u3059";
+  return `\u30B9\u30C6\u30FC\u30BF\u30B9\u3092 ${from} \u2192 ${to} \u306B\u5909\u66F4`;
+}
+function formatMinutes(seconds) {
+  return `${Math.floor(seconds / 60)}\u5206`;
+}
+function lookupName(list, id) {
+  if (!id) return null;
+  const found = list.find((e) => e.id === id);
+  return found?.name ?? null;
+}
+function eqNullable(a, b) {
+  return (a ?? null) === (b ?? null);
+}
+var FIELD_DESCRIPTORS = [
+  {
+    field: "status",
+    hasChanged: (b, a) => b.status !== a.status,
+    toFragments: (b, a) => [
+      {
+        type: "status-change",
+        body: describeStatusTransition(b.status, a.status),
+        metadata: { field: "status", from: b.status, to: a.status }
+      }
+    ]
+  },
+  {
+    field: "date",
+    hasChanged: (b, a) => b.date !== a.date,
+    toFragments: (b, a) => [
+      {
+        type: "system",
+        body: `\u65E5\u4ED8\u3092 ${b.date} \u2192 ${a.date} \u306B\u5909\u66F4`,
+        metadata: { field: "date", from: b.date, to: a.date }
+      }
+    ]
+  },
+  {
+    field: "scheduledStartTime",
+    hasChanged: (b, a) => !eqNullable(b.scheduledStartTime, a.scheduledStartTime),
+    toFragments: (b, a) => [
+      {
+        type: "system",
+        body: `\u4E88\u5B9A\u6642\u523B\u3092 ${b.scheduledStartTime ?? "\u672A\u8A2D\u5B9A"} \u2192 ${a.scheduledStartTime ?? "\u672A\u8A2D\u5B9A"} \u306B\u5909\u66F4`,
+        metadata: {
+          field: "scheduledStartTime",
+          from: b.scheduledStartTime ?? null,
+          to: a.scheduledStartTime ?? null
+        }
+      }
+    ]
+  },
+  {
+    field: "estimatedSeconds",
+    hasChanged: (b, a) => b.estimatedSeconds !== a.estimatedSeconds,
+    toFragments: (b, a) => [
+      {
+        type: "system",
+        body: `\u898B\u7A4D\u3092 ${formatMinutes(b.estimatedSeconds)} \u2192 ${formatMinutes(a.estimatedSeconds)} \u306B\u5909\u66F4`,
+        metadata: {
+          field: "estimatedSeconds",
+          from: b.estimatedSeconds,
+          to: a.estimatedSeconds
+        }
+      }
+    ]
+  },
+  {
+    field: "title",
+    hasChanged: (b, a) => b.title !== a.title,
+    toFragments: (b, a) => [
+      {
+        type: "system",
+        body: `\u30BF\u30A4\u30C8\u30EB\u3092\u300C${b.title || "\u7121\u984C"}\u300D\u2192\u300C${a.title || "\u7121\u984C"}\u300D\u306B\u5909\u66F4`,
+        metadata: { field: "title", from: b.title, to: a.title }
+      }
+    ]
+  },
+  {
+    field: "description",
+    hasChanged: (b, a) => (b.description ?? "") !== (a.description ?? ""),
+    toFragments: (b, a) => [
+      {
+        type: "system",
+        body: "\u8AAC\u660E\u3092\u5909\u66F4",
+        metadata: {
+          field: "description",
+          from: b.description ?? null,
+          to: a.description ?? null
+        }
+      }
+    ]
+  },
+  {
+    field: "projectId",
+    hasChanged: (b, a) => !eqNullable(b.projectId, a.projectId),
+    toFragments: (b, a, lookups) => {
+      const fromName = lookupName(lookups.projects, b.projectId);
+      const toName = lookupName(lookups.projects, a.projectId);
+      let body;
+      if (a.projectId && b.projectId) {
+        body = `\u30D7\u30ED\u30B8\u30A7\u30AF\u30C8\u3092\u300C${fromName ?? b.projectId}\u300D\u2192\u300C${toName ?? a.projectId}\u300D\u306B\u5909\u66F4`;
+      } else if (a.projectId) {
+        body = `\u30D7\u30ED\u30B8\u30A7\u30AF\u30C8\u3092\u300C${toName ?? a.projectId}\u300D\u306B\u8A2D\u5B9A`;
+      } else {
+        body = `\u30D7\u30ED\u30B8\u30A7\u30AF\u30C8\u300C${fromName ?? b.projectId ?? ""}\u300D\u3092\u89E3\u9664`;
+      }
+      return [
+        {
+          type: "system",
+          body,
+          metadata: {
+            field: "projectId",
+            from: b.projectId ?? null,
+            to: a.projectId ?? null,
+            fromName,
+            toName
+          }
+        }
+      ];
+    }
+  },
+  {
+    field: "contextId",
+    hasChanged: (b, a) => !eqNullable(b.contextId, a.contextId),
+    toFragments: (b, a, lookups) => {
+      const fromName = lookupName(lookups.contexts, b.contextId);
+      const toName = lookupName(lookups.contexts, a.contextId);
+      let body;
+      if (a.contextId && b.contextId) {
+        body = `\u30B3\u30F3\u30C6\u30AD\u30B9\u30C8\u3092\u300C${fromName ?? b.contextId}\u300D\u2192\u300C${toName ?? a.contextId}\u300D\u306B\u5909\u66F4`;
+      } else if (a.contextId) {
+        body = `\u30B3\u30F3\u30C6\u30AD\u30B9\u30C8\u3092\u300C${toName ?? a.contextId}\u300D\u306B\u8A2D\u5B9A`;
+      } else {
+        body = `\u30B3\u30F3\u30C6\u30AD\u30B9\u30C8\u300C${fromName ?? b.contextId ?? ""}\u300D\u3092\u89E3\u9664`;
+      }
+      return [
+        {
+          type: "system",
+          body,
+          metadata: {
+            field: "contextId",
+            from: b.contextId ?? null,
+            to: a.contextId ?? null,
+            fromName,
+            toName
+          }
+        }
+      ];
+    }
+  },
+  {
+    field: "tagIds",
+    // 配列の参照比較は意味がない。要素単位で diff を取って add / remove に分ける。
+    hasChanged: (b, a) => {
+      const bs = new Set(b.tagIds);
+      const as = new Set(a.tagIds);
+      if (bs.size !== as.size) return true;
+      for (const id of bs) if (!as.has(id)) return true;
+      return false;
+    },
+    toFragments: (b, a, lookups) => {
+      const bs = new Set(b.tagIds);
+      const as = new Set(a.tagIds);
+      const added = a.tagIds.filter((id) => !bs.has(id));
+      const removed = b.tagIds.filter((id) => !as.has(id));
+      const fragments = [];
+      for (const tagId of added) {
+        const name = lookupName(lookups.tags, tagId);
+        fragments.push({
+          type: "system",
+          body: `\u30BF\u30B0\u300C${name ?? tagId}\u300D\u3092\u8FFD\u52A0`,
+          metadata: { field: "tagIds", op: "add", tagId, tagName: name }
+        });
+      }
+      for (const tagId of removed) {
+        const name = lookupName(lookups.tags, tagId);
+        fragments.push({
+          type: "system",
+          body: `\u30BF\u30B0\u300C${name ?? tagId}\u300D\u3092\u524A\u9664`,
+          metadata: { field: "tagIds", op: "remove", tagId, tagName: name }
+        });
+      }
+      return fragments;
+    }
+  },
+  {
+    field: "isBackground",
+    hasChanged: (b, a) => (b.isBackground ?? false) !== (a.isBackground ?? false),
+    toFragments: (b, a) => [
+      {
+        type: "system",
+        body: a.isBackground ? "\u80CC\u666F\u30BF\u30B9\u30AF\u306B\u8A2D\u5B9A" : "\u80CC\u666F\u30BF\u30B9\u30AF\u3092\u89E3\u9664",
+        metadata: {
+          field: "isBackground",
+          from: b.isBackground ?? false,
+          to: a.isBackground ?? false
+        }
+      }
+    ]
+  },
+  {
+    field: "notifyAtScheduledStart",
+    hasChanged: (b, a) => (b.notifyAtScheduledStart ?? false) !== (a.notifyAtScheduledStart ?? false),
+    toFragments: (b, a) => [
+      {
+        type: "system",
+        body: a.notifyAtScheduledStart ? "\u4E88\u5B9A\u6642\u523B\u901A\u77E5\u3092 ON" : "\u4E88\u5B9A\u6642\u523B\u901A\u77E5\u3092 OFF",
+        metadata: {
+          field: "notifyAtScheduledStart",
+          from: b.notifyAtScheduledStart ?? false,
+          to: a.notifyAtScheduledStart ?? false
+        }
+      }
+    ]
+  }
+];
+function diffTasksToNoteInputs(before, after, lookups) {
+  const result = [];
+  for (const desc of FIELD_DESCRIPTORS) {
+    if (!desc.hasChanged(before, after)) continue;
+    for (const fragment of desc.toFragments(before, after, lookups)) {
+      result.push({ taskId: after.id, ...fragment });
+    }
+  }
+  return result;
+}
+
+// ../infra-supabase/src/audit-task-repository.ts
+var AuditingTaskRepository = class {
+  // `erasableSyntaxOnly` 配下では parameter property が使えないので、明示的に
+  // フィールド宣言 + コンストラクタ代入の形にしている。
+  inner;
+  notes;
+  getLookups;
+  constructor(inner, notes, getLookups) {
+    this.inner = inner;
+    this.notes = notes;
+    this.getLookups = getLookups;
+  }
+  findById(id) {
+    return this.inner.findById(id);
+  }
+  findByDate(date) {
+    return this.inner.findByDate(date);
+  }
+  findByRoutineIdFromDate(routineId, fromDate) {
+    return this.inner.findByRoutineIdFromDate(routineId, fromDate);
+  }
+  findFromDate(fromDate) {
+    return this.inner.findFromDate(fromDate);
+  }
+  create(input2) {
+    return this.inner.create(input2);
+  }
+  update(id, patch) {
+    return this.runUpdate(id, patch, null);
+  }
+  /**
+   * 「ユーザーの直接操作ではなく、別イベント由来の派生変更」を audit に記録
+   * したいときに使う。各 note の metadata に `cause` が載るので、UI フィルタや
+   * SQL 集計で「直接 vs 派生」を区別できる。
+   *
+   * 標準の `update` には影響しない（呼び分けが必要なときだけ使う）。
+   */
+  updateWithCause(id, patch, cause) {
+    return this.runUpdate(id, patch, cause);
+  }
+  async runUpdate(id, patch, cause) {
+    const before = await this.inner.findById(id);
+    const after = await this.inner.update(id, patch);
+    if (before) {
+      try {
+        const lookups = await this.getLookups();
+        const inputs = diffTasksToNoteInputs(before, after, lookups);
+        const tagged = cause ? inputs.map((input2) => ({
+          ...input2,
+          metadata: {
+            ...input2.metadata ?? {},
+            cause
+          }
+        })) : inputs;
+        if (tagged.length > 0) {
+          await Promise.all(tagged.map((input2) => this.notes.create(input2)));
+        }
+      } catch (err) {
+        console.error("[audit] failed to record task changes", { taskId: id, err });
+      }
+    }
+    return after;
+  }
+  delete(id) {
+    return this.inner.delete(id);
+  }
+};
+
+// ../infra-supabase/src/composition-root.ts
+function buildRepositories(supabaseClient, cryptoSession, getLookups) {
+  const taskNote = new SupabaseTaskNoteRepository(supabaseClient, cryptoSession);
+  const rawTask = new SupabaseTaskRepository(supabaseClient, cryptoSession);
+  const task = getLookups ? new AuditingTaskRepository(rawTask, taskNote, getLookups) : rawTask;
+  return {
+    task,
+    taskNote,
+    routine: new SupabaseRoutineRepository(supabaseClient, cryptoSession),
+    project: new SupabaseProjectRepository(supabaseClient, cryptoSession),
+    tag: new SupabaseTagRepository(supabaseClient, cryptoSession),
+    context: new SupabaseContextRepository(supabaseClient, cryptoSession),
+    timeBlock: new SupabaseTimeBlockRepository(supabaseClient, cryptoSession)
+  };
+}
+
+// src/config.ts
+var ENV_URL = "TASKCHUTE_SUPABASE_URL";
+var ENV_KEY = "TASKCHUTE_SUPABASE_PUBLISHABLE_KEY";
+function readSupabaseConfigFromEnv() {
+  const url = process.env.TASKCHUTE_SUPABASE_URL;
+  const publishableKey = process.env.TASKCHUTE_SUPABASE_PUBLISHABLE_KEY;
+  if (!url || !publishableKey) {
+    throw new Error(
+      `Supabase \u306E\u74B0\u5883\u5909\u6570\u304C\u898B\u3064\u304B\u3089\u306A\u3044\u3002${ENV_URL} \u3068 ${ENV_KEY} \u3092\u8A2D\u5B9A\u3057\u3066\u306D\u301C`
+    );
+  }
+  return { url, publishableKey };
+}
+var KEYRING_SERVICE2 = "taskchute-cli";
+var KeyringSessionStore = class {
+  getItem(key) {
+    try {
+      const entry = new Entry(KEYRING_SERVICE2, key);
+      return entry.getPassword();
+    } catch {
+      return null;
+    }
+  }
+  setItem(key, value) {
+    const entry = new Entry(KEYRING_SERVICE2, key);
+    entry.setPassword(value);
+  }
+  removeItem(key) {
+    try {
+      const entry = new Entry(KEYRING_SERVICE2, key);
+      entry.deletePassword();
+    } catch {
+    }
+  }
+};
+
+// src/commands/login.ts
+function loginCommand() {
+  return new Command("login").description("Supabase \u306B email + password \u3067\u30ED\u30B0\u30A4\u30F3\u3057\u3066 session \u3092 keyring \u306B\u4FDD\u5B58\u3059\u308B").action(async () => {
+    const config = readSupabaseConfigFromEnv();
+    const supabase = createNodeSupabaseClient(config, {
+      storage: new KeyringSessionStore()
+    });
+    const email = await input({ message: "Email:" });
+    const pw = await password({ message: "Password:", mask: "*" });
+    const { error } = await supabase.auth.signInWithPassword({ email, password: pw });
+    if (error) {
+      console.error("login failed:", error.message);
+      process.exitCode = 1;
+      return;
+    }
+    console.log("login OK \u26A1");
+  });
+}
+function logoutCommand() {
+  return new Command("logout").description("\u30ED\u30B0\u30A2\u30A6\u30C8\u3057\u3066 keyring \u304B\u3089 session \u3092\u524A\u9664\u3059\u308B").action(async () => {
+    const config = readSupabaseConfigFromEnv();
+    const supabase = createNodeSupabaseClient(config, {
+      storage: new KeyringSessionStore()
+    });
+    const { error } = await supabase.auth.signOut();
+    if (error) {
+      console.error("logout failed:", error.message);
+      process.exitCode = 1;
+      return;
+    }
+    console.log("logged out \u{1F44B}");
+  });
+}
+var CliError = class extends Error {
+  exitCode;
+  constructor(message, exitCode = 1) {
+    super(message);
+    this.name = "CliError";
+    this.exitCode = exitCode;
+  }
+};
+async function resolvePassphrase(store, allowPrompt = true) {
+  const envPw = process.env.TASKCHUTE_PASSPHRASE;
+  if (envPw) return envPw;
+  const stored = store.get();
+  if (stored) return stored;
+  if (!allowPrompt) {
+    throw new CliError(
+      "No passphrase available. Set TASKCHUTE_PASSPHRASE env or run `taskchute unlock` first."
+    );
+  }
+  return await password({ message: "Passphrase:", mask: "*" });
+}
+async function createAppContext(opts = {}) {
+  const passphraseStore = opts.passphraseStore ?? new KeyringPassphraseStore();
+  const allowPrompt = opts.allowPrompt ?? true;
+  const supabase = createNodeSupabaseClient(readSupabaseConfigFromEnv(), {
+    storage: new KeyringSessionStore()
+  });
+  const {
+    data: { user },
+    error: authError
+  } = await supabase.auth.getUser();
+  if (authError || !user || !user.email) {
+    throw new CliError("Not logged in. Run `taskchute login` first.");
+  }
+  const userKeysRepo = new SupabaseUserKeysRepository(supabase);
+  const snapshot = await userKeysRepo.getOwn();
+  if (!snapshot) {
+    throw new CliError(
+      "E2EE not set up. Complete setup from the web app first (Settings \u2192 \u30C7\u30FC\u30BF\u306E\u6697\u53F7\u5316)."
+    );
+  }
+  const passphrase = await resolvePassphrase(passphraseStore, allowPrompt);
+  let masterKey;
+  try {
+    masterKey = await unlockMasterKey(snapshot, { kind: "passphrase", passphrase });
+  } catch (err) {
+    if (err instanceof UnlockError) {
+      throw new CliError(`Unlock failed: ${err.message}`);
+    }
+    throw err;
+  }
+  const cryptoSession = new CryptoSession();
+  cryptoSession.setMasterKey(masterKey, snapshot.currentKeyId);
+  const repos = buildRepositories(supabase, cryptoSession);
+  return {
+    supabase,
+    cryptoSession,
+    repos,
+    userId: user.id,
+    email: user.email
+  };
+}
+
+// src/format/parse-estimated.ts
+var HOURS_HEAD = /^(\d{1,4})h/;
+var MINUTES_TAIL = /^(\d{1,4})m$/;
+var MAX_HOURS = 9999;
+function parseEstimated(input2) {
+  const normalized = input2.trim().toLowerCase();
+  let rest = normalized;
+  let hours = 0;
+  let minutes = 0;
+  const hMatch = HOURS_HEAD.exec(rest);
+  if (hMatch) {
+    hours = Number(hMatch[1]);
+    rest = rest.slice(hMatch[0].length);
+  }
+  const mMatch = MINUTES_TAIL.exec(rest);
+  if (mMatch) {
+    minutes = Number(mMatch[1]);
+    rest = "";
+  }
+  if (rest !== "" || hMatch === null && mMatch === null || hours > MAX_HOURS) {
+    throw new Error(
+      `Invalid estimated format: "${input2}". Use formats like "30m", "1h", "1h30m".`
+    );
+  }
+  return (hours * 60 + minutes) * 60;
+}
+
+// src/format/task-row.ts
+function shortenId(id, length = 8) {
+  return id.slice(0, length);
+}
+function formatEstimated(seconds) {
+  const totalMinutes = Math.round(seconds / 60);
+  if (totalMinutes < 60) return `${totalMinutes}m`;
+  const h = Math.floor(totalMinutes / 60);
+  const m = totalMinutes % 60;
+  return m === 0 ? `${h}h` : `${h}h${m}m`;
+}
+function formatTaskRow(task) {
+  return {
+    id: shortenId(task.id),
+    status: task.status,
+    scheduled: task.scheduledStartTime ?? "-",
+    estimated: formatEstimated(task.estimatedSeconds),
+    title: task.title
+  };
+}
+
+// src/commands/tasks/add.ts
+function tasksAddCommand() {
+  return new Command("add").description("\u30BF\u30B9\u30AF\u3092\u8FFD\u52A0\u3059\u308B").argument("<title>", "\u30BF\u30B9\u30AF\u306E\u30BF\u30A4\u30C8\u30EB").option("-d, --date <date>", "YYYY-MM-DD \u5F62\u5F0F\u306E\u65E5\u4ED8 (\u30C7\u30D5\u30A9\u30EB\u30C8: \u4ECA\u65E5)").option("-e, --estimated <duration>", '\u898B\u7A4D\u3082\u308A\u6642\u9593 ("30m" / "1h" / "1h30m") (\u30C7\u30D5\u30A9\u30EB\u30C8: 30m)').option("--description <text>", "\u30BF\u30B9\u30AF\u306E\u8A73\u7D30\u8AAC\u660E").action(async (title, opts) => {
+    const ctx = await createAppContext();
+    const date = opts.date ?? todayDateString();
+    const estimatedSeconds = opts.estimated ? parseEstimated(opts.estimated) : 30 * 60;
+    const existing = await ctx.repos.task.findByDate(date);
+    const orderIndex = computeNextOrderIndex(existing);
+    const task = await ctx.repos.task.create({
+      date,
+      title,
+      description: opts.description,
+      estimatedSeconds,
+      sessions: [],
+      status: "planned",
+      orderIndex,
+      tagIds: []
+    });
+    console.log(`\u2713 Created: ${shortenId(task.id)}  ${task.title}`);
+  });
+}
+
+// src/resolve-task-id.ts
+var MIN_PREFIX_LENGTH = 4;
+function resolveTaskIdByPrefix(tasks, prefix) {
+  if (prefix.length < MIN_PREFIX_LENGTH) {
+    throw new CliError(
+      `Task id prefix must be at least ${MIN_PREFIX_LENGTH} chars to avoid ambiguity.`
+    );
+  }
+  const matches = tasks.filter((t) => t.id.startsWith(prefix));
+  if (matches.length === 0) {
+    throw new CliError(`No task matched prefix "${prefix}".`);
+  }
+  if (matches.length > 1) {
+    const candidates = matches.map((t) => `  ${shortenId(t.id)}  ${t.title}`).join("\n");
+    throw new CliError(`Ambiguous prefix "${prefix}":
+${candidates}`);
+  }
+  return matches[0].id;
+}
+
+// src/commands/tasks/done.ts
+function tasksDoneCommand() {
+  return new Command("done").description("\u30BF\u30B9\u30AF\u3092\u5B8C\u4E86\u3059\u308B (status \u2192 completed)").argument("<id-prefix>", "\u30BF\u30B9\u30AF id \u306E\u5148\u982D 4 \u6587\u5B57\u4EE5\u4E0A").option("-d, --date <date>", "\u5BFE\u8C61\u65E5 (\u30C7\u30D5\u30A9\u30EB\u30C8: \u4ECA\u65E5)").action(async (prefix, opts) => {
+    const ctx = await createAppContext();
+    const date = opts.date ?? todayDateString();
+    const tasks = await ctx.repos.task.findByDate(date);
+    const taskId = resolveTaskIdByPrefix(tasks, prefix);
+    const updated = await completeTask(ctx.repos.task, taskId);
+    console.log(`\u2713 Done: ${shortenId(updated.id)}  ${updated.title}`);
+  });
+}
+function tasksListCommand() {
+  return new Command("list").alias("ls").description("\u6307\u5B9A\u65E5 (\u30C7\u30D5\u30A9\u30EB\u30C8\u306F\u4ECA\u65E5) \u306E\u30BF\u30B9\u30AF\u4E00\u89A7\u3092\u8868\u793A\u3059\u308B").option("-d, --date <date>", "YYYY-MM-DD \u5F62\u5F0F\u306E\u65E5\u4ED8 (\u30C7\u30D5\u30A9\u30EB\u30C8: \u4ECA\u65E5)").action(async (opts) => {
+    const ctx = await createAppContext();
+    const date = opts.date ?? todayDateString();
+    const tasks = await ctx.repos.task.findByDate(date);
+    if (tasks.length === 0) {
+      console.log(`No tasks for ${date}`);
+      return;
+    }
+    console.log(`${date}:`);
+    console.table(tasks.map(formatTaskRow));
+  });
+}
+function tasksPauseCommand() {
+  return new Command("pause").description("\u8A08\u6E2C\u4E2D\u306E\u30BF\u30B9\u30AF\u3092\u4E00\u6642\u505C\u6B62\u3059\u308B (status \u2192 paused)").argument("<id-prefix>", "\u30BF\u30B9\u30AF id \u306E\u5148\u982D 4 \u6587\u5B57\u4EE5\u4E0A").option("-d, --date <date>", "\u5BFE\u8C61\u65E5 (\u30C7\u30D5\u30A9\u30EB\u30C8: \u4ECA\u65E5)").action(async (prefix, opts) => {
+    const ctx = await createAppContext();
+    const date = opts.date ?? todayDateString();
+    const tasks = await ctx.repos.task.findByDate(date);
+    const taskId = resolveTaskIdByPrefix(tasks, prefix);
+    const updated = await pauseTask(ctx.repos.task, taskId);
+    console.log(`\u23F8 Paused: ${shortenId(updated.id)}  ${updated.title}`);
+  });
+}
+function tasksStartCommand() {
+  return new Command("start").description("\u30BF\u30B9\u30AF\u306E\u8A08\u6E2C\u3092\u958B\u59CB\u3059\u308B (status \u2192 running)").argument("<id-prefix>", "\u30BF\u30B9\u30AF id \u306E\u5148\u982D 4 \u6587\u5B57\u4EE5\u4E0A").option("-d, --date <date>", "\u5BFE\u8C61\u65E5 (\u30C7\u30D5\u30A9\u30EB\u30C8: \u4ECA\u65E5)").action(async (prefix, opts) => {
+    const ctx = await createAppContext();
+    const date = opts.date ?? todayDateString();
+    const tasks = await ctx.repos.task.findByDate(date);
+    const taskId = resolveTaskIdByPrefix(tasks, prefix);
+    const updated = await startTask(ctx.repos.task, taskId);
+    console.log(`\u25B6 Started: ${shortenId(updated.id)}  ${updated.title}`);
+  });
+}
+
+// src/commands/tasks/index.ts
+function tasksCommand() {
+  return new Command("tasks").description("\u30BF\u30B9\u30AF\u306E\u4E00\u89A7/\u8FFD\u52A0/\u64CD\u4F5C").addCommand(tasksListCommand()).addCommand(tasksAddCommand()).addCommand(tasksStartCommand()).addCommand(tasksPauseCommand()).addCommand(tasksDoneCommand());
+}
+function unlockCommand() {
+  return new Command("unlock").description("E2EE passphrase \u3092 keyring \u306B\u4FDD\u5B58\u3057\u3066\u4EE5\u964D\u306E\u30B3\u30DE\u30F3\u30C9\u3092\u5BFE\u8A71\u306A\u3057\u306B\u8D70\u3089\u305B\u308B").action(async () => {
+    const supabase = createNodeSupabaseClient(readSupabaseConfigFromEnv(), {
+      storage: new KeyringSessionStore()
+    });
+    const {
+      data: { user },
+      error: authError
+    } = await supabase.auth.getUser();
+    if (authError || !user) {
+      throw new CliError("Not logged in. Run `taskchute login` first.");
+    }
+    const userKeysRepo = new SupabaseUserKeysRepository(supabase);
+    const snapshot = await userKeysRepo.getOwn();
+    if (!snapshot) {
+      throw new CliError(
+        "E2EE not set up. Complete setup from the web app first (Settings \u2192 \u30C7\u30FC\u30BF\u306E\u6697\u53F7\u5316)."
+      );
+    }
+    const envPw = process.env.TASKCHUTE_PASSPHRASE;
+    const pw = envPw ?? await password({ message: "Passphrase:", mask: "*" });
+    try {
+      await unlockMasterKey(snapshot, { kind: "passphrase", passphrase: pw });
+    } catch (err) {
+      if (err instanceof UnlockError) {
+        throw new CliError(`Unlock failed: ${err.message}`);
+      }
+      throw err;
+    }
+    new KeyringPassphraseStore().set(pw);
+    console.log("unlock OK \u26A1");
+  });
+}
+function whoamiCommand() {
+  return new Command("whoami").description("\u73FE\u5728\u30ED\u30B0\u30A4\u30F3\u4E2D\u306E\u30E6\u30FC\u30B6\u30FC (Supabase auth) \u3092\u8868\u793A\u3059\u308B").action(async () => {
+    const config = readSupabaseConfigFromEnv();
+    const supabase = createNodeSupabaseClient(config, {
+      storage: new KeyringSessionStore()
+    });
+    const { data, error } = await supabase.auth.getUser();
+    if (error || !data.user) {
+      console.log("\u672A\u30ED\u30B0\u30A4\u30F3 (taskchute login \u3067\u5165\u3063\u3066\u301C)");
+      process.exitCode = 1;
+      return;
+    }
+    console.log(`logged in as: ${data.user.email ?? data.user.id}`);
+  });
+}
+
+// src/index.ts
+var program = new Command();
+program.name("taskchute").description("TaskChute CLI \u2014 CLI/MCP \u304B\u3089 TaskChute \u306B\u30A2\u30AF\u30BB\u30B9\u3059\u308B\u305F\u3081\u306E\u30A8\u30F3\u30C8\u30EA\u30DD\u30A4\u30F3\u30C8").version("0.0.0");
+program.addCommand(loginCommand());
+program.addCommand(whoamiCommand());
+program.addCommand(logoutCommand());
+program.addCommand(unlockCommand());
+program.addCommand(lockCommand());
+program.addCommand(tasksCommand());
+program.parseAsync(process.argv).catch((err) => {
+  if (err instanceof CliError) {
+    console.error(err.message);
+    process.exit(err.exitCode);
+  }
+  console.error(err instanceof Error ? err.message : String(err));
+  process.exit(1);
+});