npm - @geostack/arc - Versions diffs - 0.1.0 - Mend

@geostack/arc 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/cli.js ADDED Viewed

@@ -0,0 +1,890 @@
+#!/usr/bin/env node
+import { randomUUID } from "node:crypto";
+import { chmod, mkdir, readFile, unlink, writeFile } from "node:fs/promises";
+import { homedir } from "node:os";
+import { dirname, extname, join, resolve } from "node:path";
+import { pathToFileURL } from "node:url";
+import { ArcAgentClient, ArcDeveloperClient, ArcHttpError, createActionSyncPayload, createArcAgentRuntime, createSlug } from "./index.js";
+const defaultApiUrl = "http://127.0.0.1:4000";
+const defaultDevEmail = "dev@example.test";
+const uuidPattern = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+export async function main(argv = process.argv.slice(2), env = process.env, io = process) {
+    const [scope, action, ...rest] = argv;
+    try {
+        if (!scope || scope === "help" || scope === "--help" || scope === "-h") {
+            printHelp(io);
+            return 0;
+        }
+        if (scope === "config" && action === "set") {
+            await configSet(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "config" && action === "get") {
+            await configGet(env, io);
+            return 0;
+        }
+        if (scope === "app" && action === "create") {
+            await appCreate(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "actions" && action === "sync") {
+            await actionsSync(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "agent" && action === "dev-token") {
+            await agentDevToken(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "agent" && action === "whoami") {
+            await agentWhoami(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "agent" && action === "apps") {
+            await agentApps(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "agent" && action === "actions") {
+            await agentActions(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "agent" && action === "invoke") {
+            await agentInvoke(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "invoke") {
+            await invokeAction(parseArgs([action ?? "", ...rest].filter(Boolean)), env, io);
+            return 0;
+        }
+        if (scope === "delegations" && action === "list") {
+            await delegationsList(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "delegations" && action === "show") {
+            await delegationsShow(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "delegations" && action === "create") {
+            await delegationsCreate(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "delegations" && action === "revoke") {
+            await delegationsRevoke(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "orgs" && action === "list") {
+            await orgsList(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "orgs" && action === "current") {
+            await orgsCurrent(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "orgs" && action === "members") {
+            await orgsMembers(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "orgs" && action === "invite") {
+            await orgsInvite(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "approvals" && action === "list") {
+            await approvalsList(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "approvals" && action === "approve") {
+            await approvalsResolve("approve", parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "approvals" && action === "deny") {
+            await approvalsResolve("deny", parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "audit" && action === "tail") {
+            await auditTail(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "audit" && action === "export") {
+            await auditExport(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "audit" && action === "verify") {
+            await auditVerify(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "audit" && action === "timeline") {
+            await auditTimeline(parseArgs(rest), env, io);
+            return 0;
+        }
+        if (scope === "dev" && action === "smoke") {
+            await devSmoke(parseArgs(rest), env, io);
+            return 0;
+        }
+        throw new Error(`Unknown arc command: ${argv.join(" ")}`);
+    }
+    catch (error) {
+        printError(error, io);
+        return 1;
+    }
+}
+async function configSet(args, env, io) {
+    const store = await loadConfig(env);
+    const apiUrl = optionalFlag(args, "api-url");
+    const devEmail = optionalFlag(args, "dev-email");
+    const orgId = optionalFlag(args, "org");
+    if (!apiUrl && !devEmail && !orgId) {
+        throw new Error("config set requires --api-url, --dev-email, or --org.");
+    }
+    if (apiUrl) {
+        store.config.apiUrl = trimTrailingSlash(apiUrl);
+    }
+    if (devEmail) {
+        store.config.devEmail = devEmail;
+    }
+    if (orgId) {
+        store.config.currentOrgId = orgId;
+    }
+    await store.save();
+    io.stdout.write(`Arc config saved at ${store.path}\n`);
+}
+async function configGet(env, io) {
+    const store = await loadConfig(env);
+    io.stdout.write(`${JSON.stringify(sanitizeConfig(store.config), null, 2)}\n`);
+}
+async function appCreate(args, env, io) {
+    const name = requiredPositional(args, 0, "app name");
+    const executeUrl = requiredFlag(args, "execute-url");
+    const slug = optionalFlag(args, "slug") ?? createSlug(name);
+    const appUserId = optionalFlag(args, "app-user-id") ?? "local-dev-user";
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const response = await client.createApp({
+        execute_url: executeUrl,
+        name,
+        slug
+    });
+    const app = readRecord(readRecord(response, "data"), "app");
+    store.config.currentAppId = readString(app, "id");
+    store.config.currentAppSlug = readString(app, "slug");
+    try {
+        await client.createAppConnection({
+            app_id: store.config.currentAppId,
+            app_user_id: appUserId
+        });
+    }
+    catch (error) {
+        if (!(error instanceof ArcHttpError && error.status === 409)) {
+            throw error;
+        }
+    }
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    await store.save();
+    io.stdout.write(`Created app ${readString(app, "name")} (${store.config.currentAppSlug})\n` +
+        `App id: ${store.config.currentAppId}\n` +
+        `Linked local app user: ${appUserId}\n`);
+}
+async function actionsSync(args, env, io) {
+    const file = requiredPositional(args, 0, "actions file");
+    const actions = await loadActionsFile(file);
+    const payload = createActionSyncPayload(actions);
+    if (args.flags.has("dry-run")) {
+        io.stdout.write(`${JSON.stringify(payload, null, 2)}\n`);
+        return;
+    }
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const appId = await resolveAppId(client, store.config, optionalFlag(args, "app"));
+    const response = await client.syncActions(appId, payload.actions);
+    const synced = readArray(readRecord(response, "data").actions);
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    await store.save();
+    io.stdout.write(`Synced ${synced.length} action${synced.length === 1 ? "" : "s"} to app ${appId}\n`);
+}
+async function agentDevToken(args, env, io) {
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const response = await client.createDevAgentToken({
+        agent_type: optionalFlag(args, "agent-type") ?? "local-cli",
+        display_name: optionalFlag(args, "display-name") ?? "Arc CLI"
+    });
+    const token = readRecord(readRecord(readRecord(response, "data"), "agent_token"), "agent_connection");
+    const tokenResponse = readRecord(readRecord(response, "data"), "agent_token");
+    const plainToken = readString(tokenResponse, "token");
+    if (!args.flags.has("no-store")) {
+        store.config.agentToken = plainToken;
+    }
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    await store.save();
+    io.stdout.write(`Created dev agent token for ${readString(token, "id")}\n` +
+        `Token: ${plainToken}\n` +
+        (args.flags.has("no-store")
+            ? ""
+            : "Stored local dev token in Arc CLI config. Use only for development.\n"));
+}
+async function agentWhoami(args, env, io) {
+    const runtime = await createRuntimeClient(args, env);
+    const agent = await runtime.me();
+    io.stdout.write(`Agent ${agent.name} (${agent.id})\n`);
+    io.stdout.write(`Type: ${agent.type}\n`);
+    io.stdout.write(`Environment: ${agent.environment}\n`);
+    io.stdout.write(`Status: ${agent.status}\n`);
+}
+async function agentApps(args, env, io) {
+    const runtime = await createRuntimeClient(args, env);
+    const apps = await runtime.listApps();
+    if (apps.length === 0) {
+        io.stdout.write("No granted apps.\n");
+        return;
+    }
+    for (const app of apps) {
+        io.stdout.write(`${app.id} ${app.slug} ${app.name} actions:${app.granted_action_count} verification:${app.arc_verification_status}\n`);
+    }
+}
+async function agentActions(args, env, io) {
+    const app = requiredFlag(args, "app");
+    const runtime = await createRuntimeClient(args, env);
+    const appId = await resolveRuntimeAppId(runtime, app);
+    const actions = await runtime.listActions(appId);
+    if (actions.length === 0) {
+        io.stdout.write("No granted actions.\n");
+        return;
+    }
+    for (const action of actions) {
+        io.stdout.write(`${action.key} decision:${action.decision} risk:${action.risk_level} default:${action.default_decision}\n`);
+    }
+}
+async function agentInvoke(args, env, io) {
+    const app = requiredFlag(args, "app");
+    const actionKey = requiredFlag(args, "action");
+    const input = parseJsonFlag(optionalFlag(args, "input") ?? "{}", "input");
+    const runtime = await createRuntimeClient(args, env);
+    const appId = await resolveRuntimeAppId(runtime, app);
+    const result = await runtime.invoke(appId, actionKey, input, {
+        idempotencyKey: optionalFlag(args, "idempotency-key") ?? randomUUID()
+    });
+    if (result.status === "error") {
+        throw new Error(`Arc runtime error ${result.error.code}: ${result.error.message}`);
+    }
+    io.stdout.write(`Invocation ${result.invocation_id ?? "unknown"} status: ${result.status} decision: ${result.decision}\n`);
+    if (result.status === "pending_approval" && result.approval_id) {
+        io.stdout.write(`Approval required: ${result.approval_id}\n`);
+    }
+}
+async function invokeAction(args, env, io) {
+    const actionKey = requiredPositional(args, 0, "action key");
+    const store = await loadConfig(env);
+    const agentToken = optionalFlag(args, "agent-token") ?? store.config.agentToken;
+    const app = optionalFlag(args, "app") ?? store.config.currentAppSlug ?? store.config.currentAppId;
+    if (!agentToken) {
+        throw new Error("No agent token configured. Run arc agent dev-token first.");
+    }
+    if (!app) {
+        throw new Error("No app configured. Pass --app or run arc app create first.");
+    }
+    const input = parseJsonFlag(optionalFlag(args, "input") ?? "{}", "input");
+    const client = new ArcAgentClient({
+        agentToken,
+        baseUrl: store.config.apiUrl ?? defaultApiUrl
+    });
+    const response = await client.invoke({
+        action_key: actionKey,
+        app_id: uuidPattern.test(app) ? app : undefined,
+        app_slug: uuidPattern.test(app) ? undefined : app,
+        idempotency_key: optionalFlag(args, "idempotency-key") ?? randomUUID(),
+        input
+    });
+    const data = readRecord(response, "data");
+    const invocation = readRecord(data, "invocation");
+    const approval = maybeRecord(data.approval);
+    io.stdout.write(`Invocation ${readString(invocation, "id")} status: ${readString(data, "status")}\n`);
+    if (approval) {
+        io.stdout.write(`Approval required: ${readString(approval, "id")}\n`);
+    }
+}
+async function delegationsList(args, env, io) {
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const response = await client.listDelegations();
+    const delegations = readArray(readRecord(response, "data").delegations);
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    await store.save();
+    if (delegations.length === 0) {
+        io.stdout.write("No delegations.\n");
+        return;
+    }
+    for (const item of delegations) {
+        const delegation = readRecordValue(item);
+        const agent = readRecord(delegation, "agent");
+        const app = readRecord(delegation, "app");
+        io.stdout.write(`${readString(delegation, "id")} ${readString(delegation, "status")} ` +
+            `${readString(agent, "name")} -> ${readString(app, "slug")}\n`);
+    }
+}
+async function delegationsShow(args, env, io) {
+    const delegationId = requiredPositional(args, 0, "delegation id");
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const response = await client.getDelegation(delegationId);
+    const delegation = readRecord(readRecord(response, "data"), "delegation");
+    const agent = readRecord(delegation, "agent");
+    const app = readRecord(delegation, "app");
+    const matrix = readRecord(delegation, "permission_matrix");
+    const actions = readArray(matrix.actions);
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    await store.save();
+    io.stdout.write(`Delegation ${readString(delegation, "id")}\n`);
+    io.stdout.write(`Status: ${readString(delegation, "status")}\n`);
+    io.stdout.write(`Agent: ${readString(agent, "name")}\n`);
+    io.stdout.write(`App: ${readString(app, "slug")}\n`);
+    for (const item of actions) {
+        const action = readRecordValue(item);
+        const decision = typeof action.decision === "string" ? action.decision : "block";
+        io.stdout.write(`${readString(action, "key")} decision:${decision} risk:${readString(action, "risk_level")}\n`);
+    }
+}
+async function delegationsCreate(args, env, io) {
+    const agentId = requiredFlag(args, "agent");
+    const appId = requiredFlag(args, "app");
+    const actions = parseJsonFlag(requiredFlag(args, "actions"), "actions");
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const response = await client.createDelegation({
+        actions: actions,
+        agent_id: agentId,
+        app_id: appId,
+        expires_at: optionalFlag(args, "expires-at") ?? undefined,
+        label: optionalFlag(args, "label") ?? undefined,
+        name: optionalFlag(args, "name") ?? undefined
+    });
+    const delegation = readRecord(readRecord(response, "data"), "delegation");
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    await store.save();
+    io.stdout.write(`Created delegation ${readString(delegation, "id")}\n`);
+    io.stdout.write(`Status: ${readString(delegation, "status")}\n`);
+}
+async function delegationsRevoke(args, env, io) {
+    const delegationId = requiredPositional(args, 0, "delegation id");
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const response = await client.revokeDelegation(delegationId, {
+        reason: optionalFlag(args, "reason") ?? undefined
+    });
+    const delegation = readRecord(readRecord(response, "data"), "delegation");
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    await store.save();
+    io.stdout.write(`Revoked delegation ${readString(delegation, "id")}\n`);
+    io.stdout.write(`Status: ${readString(delegation, "status")}\n`);
+}
+async function orgsList(args, env, io) {
+    void args;
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const response = await client.listOrgs();
+    const data = readRecord(response, "data");
+    const current = readRecord(data, "current_org");
+    const orgs = readArray(data.orgs);
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    store.config.currentOrgId = readString(current, "id");
+    await store.save();
+    for (const item of orgs) {
+        const org = readRecordValue(item);
+        const marker = readString(org, "org_id") === store.config.currentOrgId ? "*" : " ";
+        io.stdout.write(`${marker} ${readString(org, "org_id")} ${readString(org, "org_slug")} ` +
+            `${readString(org, "role")} ${readString(org, "status")}\n`);
+    }
+}
+async function orgsCurrent(args, env, io) {
+    void args;
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const response = await client.getCurrentOrg();
+    const data = readRecord(response, "data");
+    const current = readRecord(data, "current_org");
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    store.config.currentOrgId = readString(current, "id");
+    await store.save();
+    io.stdout.write(`${readString(current, "name")} (${readString(current, "id")})\n`);
+    io.stdout.write(`Slug: ${readString(current, "slug")}\n`);
+    io.stdout.write(`Role: ${readString(data, "role")}\n`);
+}
+async function orgsMembers(args, env, io) {
+    void args;
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const response = await client.listOrgMembers();
+    const members = readArray(readRecord(response, "data").members);
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    await store.save();
+    for (const item of members) {
+        const member = readRecordValue(item);
+        io.stdout.write(`${readString(member, "user_id")} ${readString(member, "email")} ` +
+            `${readString(member, "role")} ${readString(member, "status")}\n`);
+    }
+}
+async function orgsInvite(args, env, io) {
+    const email = requiredFlag(args, "email");
+    const role = requiredFlag(args, "role");
+    const name = optionalFlag(args, "name");
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const response = await client.inviteOrgMember({ email, name, role });
+    const user = readRecord(readRecord(response, "data"), "user");
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    await store.save();
+    io.stdout.write(`Invited ${readString(user, "email")} as ${readString(user, "role")}\n`);
+}
+async function createRuntimeClient(args, env) {
+    const store = await loadConfig(env);
+    const agentToken = optionalFlag(args, "agent-token") ?? env.ARC_AGENT_TOKEN ?? store.config.agentToken;
+    if (!agentToken) {
+        throw new Error("ARC_AGENT_TOKEN is required for agent runtime commands.");
+    }
+    return createArcAgentRuntime({
+        agentToken,
+        apiUrl: trimTrailingSlash(optionalFlag(args, "api-url") ?? env.ARC_API_URL ?? store.config.apiUrl ?? defaultApiUrl)
+    });
+}
+async function resolveRuntimeAppId(runtime, requestedApp) {
+    if (uuidPattern.test(requestedApp)) {
+        return requestedApp;
+    }
+    const apps = await runtime.listApps();
+    const match = apps.find((app) => app.slug === requestedApp || app.name === requestedApp || app.id === requestedApp);
+    if (!match) {
+        throw new Error(`Granted app not found: ${requestedApp}`);
+    }
+    return match.id;
+}
+async function approvalsList(args, env, io) {
+    const limit = Number(optionalFlag(args, "limit") ?? "20");
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const response = await client.listApprovals();
+    const approvals = readArray(readRecord(response, "data").approvals).slice(0, limit);
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    await store.save();
+    if (approvals.length === 0) {
+        io.stdout.write("No approvals.\n");
+        return;
+    }
+    for (const approval of approvals) {
+        const row = readRecordValue(approval);
+        const summary = maybeRecord(row.summary);
+        io.stdout.write(`${readString(row, "id")} ${readString(row, "status")} ` +
+            `${summary ? readString(summary, "text") : ""}\n`);
+    }
+}
+async function approvalsResolve(resolution, args, env, io) {
+    const approvalId = requiredPositional(args, 0, "approval id");
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const response = resolution === "approve"
+        ? await client.approveApproval(approvalId)
+        : await client.denyApproval(approvalId);
+    const approval = readRecord(readRecord(response, "data"), "approval");
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    await store.save();
+    io.stdout.write(`${resolution === "approve" ? "Approved" : "Denied"} approval ${readString(approval, "id")}\n`);
+    io.stdout.write(`Status: ${readString(approval, "status")}\n`);
+}
+async function auditTail(args, env, io) {
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const response = await client.tailAudit({
+        limit: Number(optionalFlag(args, "limit") ?? "20")
+    });
+    const events = readArray(readRecord(response, "data").events);
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    await store.save();
+    if (events.length === 0) {
+        io.stdout.write("No audit events.\n");
+        return;
+    }
+    for (const event of events) {
+        const row = readRecordValue(event);
+        const createdAt = readString(row, "created_at");
+        const eventType = readString(row, "event_type");
+        const actorType = readString(row, "actor_type");
+        const reason = typeof row.reason === "string" ? row.reason : "";
+        io.stdout.write(`${createdAt} ${eventType} ${actorType}${reason ? ` ${reason}` : ""}\n`);
+    }
+}
+async function auditExport(args, env, io) {
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const input = auditInputFromArgs(args);
+    const response = await client.exportAudit(input);
+    const data = readRecord(response, "data");
+    const content = readString(data, "content");
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    await store.save();
+    io.stdout.write(`${content}${content.endsWith("\n") ? "" : "\n"}`);
+}
+async function auditVerify(args, env, io) {
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const response = await client.verifyAudit(auditInputFromArgs(args));
+    const verification = readRecord(readRecord(response, "data"), "verification");
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    await store.save();
+    io.stdout.write(`Audit verification: ${readString(verification, "status")}\n`);
+    io.stdout.write(`Continuity: ${readString(verification, "continuity")}\n`);
+    io.stdout.write(`Events: ${String(verification.event_count ?? 0)}\n`);
+    const mismatches = Array.isArray(verification.mismatches) ? verification.mismatches.length : 0;
+    const gaps = Array.isArray(verification.gaps) ? verification.gaps.length : 0;
+    io.stdout.write(`Mismatches: ${mismatches}\n`);
+    io.stdout.write(`Scoped gaps: ${gaps}\n`);
+    io.stdout.write("Evidence: tamper-evident inside Arc DB unless externally anchored.\n");
+}
+async function auditTimeline(args, env, io) {
+    const store = await loadConfig(env);
+    const client = await ensureDeveloperClient(store, io);
+    const response = await client.getAuditTimeline(auditInputFromArgs(args));
+    const timeline = readRecord(readRecord(response, "data"), "timeline");
+    const events = readArray(timeline.events);
+    store.config.sessionCookie = client.cookie ?? store.config.sessionCookie;
+    await store.save();
+    if (events.length === 0) {
+        io.stdout.write("No timeline events.\n");
+        return;
+    }
+    for (const item of events) {
+        const event = readRecordValue(item);
+        io.stdout.write(`${readString(event, "created_at")} ${readString(event, "event_type")} ` +
+            `${String(event.actor_type ?? "")} ${String(event.reason ?? "")}\n`);
+    }
+}
+async function devSmoke(args, env, io) {
+    const store = await loadConfig(env);
+    const apiUrl = trimTrailingSlash(optionalFlag(args, "api-url") ?? store.config.apiUrl ?? defaultApiUrl);
+    const response = await fetch(`${apiUrl}/healthz`);
+    if (!response.ok) {
+        throw new Error(`Arc API health check failed with HTTP ${response.status}.`);
+    }
+    io.stdout.write(`Arc API healthy at ${apiUrl}\n`);
+}
+async function ensureDeveloperClient(store, io, env = process.env) {
+    const client = new ArcDeveloperClient({
+        baseUrl: store.config.apiUrl ?? defaultApiUrl,
+        orgId: env.ARC_ORG_ID ?? store.config.currentOrgId,
+        sessionCookie: store.config.sessionCookie
+    });
+    if (store.config.sessionCookie) {
+        try {
+            await client.me();
+            return client;
+        }
+        catch (error) {
+            if (!(error instanceof ArcHttpError && error.status === 401)) {
+                throw error;
+            }
+        }
+    }
+    const email = store.config.devEmail ?? defaultDevEmail;
+    await client.devLogin({
+        email,
+        name: "Arc CLI Dev"
+    });
+    store.config.sessionCookie = client.cookie ?? undefined;
+    await store.save();
+    io.stderr.write(`Using Arc dev login as ${email}\n`);
+    return client;
+}
+async function resolveAppId(client, config, requestedApp) {
+    if (!requestedApp && config.currentAppId) {
+        return config.currentAppId;
+    }
+    const app = requestedApp ?? config.currentAppSlug;
+    if (!app) {
+        throw new Error("No app configured. Pass --app or run arc app create first.");
+    }
+    if (uuidPattern.test(app)) {
+        return app;
+    }
+    const response = await client.listApps();
+    const apps = readArray(readRecord(readRecord(response, "data"), "apps"));
+    const match = apps
+        .map(readRecordValue)
+        .find((item) => item.slug === app || item.name === app || item.id === app);
+    if (!match) {
+        throw new Error(`App not found: ${app}`);
+    }
+    return readString(match, "id");
+}
+async function loadActionsFile(file) {
+    const absolute = resolve(file);
+    const extension = extname(absolute);
+    let imported;
+    if (extension === ".ts" || extension === ".tsx") {
+        imported = await importTranspiledTypescript(absolute);
+    }
+    else {
+        imported = await import(`${pathToFileURL(absolute).href}?v=${Date.now()}`);
+    }
+    const module = readRecordValue(imported);
+    const actions = module.actions ?? module.default;
+    if (!actions || typeof actions !== "object") {
+        throw new Error("Actions file must export actions or a default action object.");
+    }
+    return actions;
+}
+async function importTranspiledTypescript(absolute) {
+    const typescript = await import("typescript");
+    const source = await readFile(absolute, "utf8");
+    const output = typescript.transpileModule(source, {
+        compilerOptions: {
+            esModuleInterop: true,
+            module: typescript.ModuleKind.ES2022,
+            moduleResolution: typescript.ModuleResolutionKind.NodeNext,
+            target: typescript.ScriptTarget.ES2022
+        },
+        fileName: absolute
+    }).outputText;
+    const tempFile = join(dirname(absolute), `.arc-actions-${process.pid}-${Date.now()}.mjs`);
+    await writeFile(tempFile, output, "utf8");
+    try {
+        return await import(`${pathToFileURL(tempFile).href}?v=${Date.now()}`);
+    }
+    finally {
+        await unlink(tempFile).catch(() => undefined);
+    }
+}
+function auditInputFromArgs(args) {
+    return {
+        action_id: optionalFlag(args, "action-id"),
+        action_key: optionalFlag(args, "action") ?? optionalFlag(args, "action-key"),
+        actor_id: optionalFlag(args, "actor") ?? optionalFlag(args, "actor-id"),
+        agent_id: optionalFlag(args, "agent") ?? optionalFlag(args, "agent-id"),
+        app_id: optionalFlag(args, "app") ?? optionalFlag(args, "app-id"),
+        approval_id: optionalFlag(args, "approval") ?? optionalFlag(args, "approval-id"),
+        decision: parseAuditDecisionFlag(optionalFlag(args, "decision")),
+        delegation_id: optionalFlag(args, "delegation") ?? optionalFlag(args, "delegation-id"),
+        event_type: optionalFlag(args, "event-type"),
+        format: parseAuditFormatFlag(optionalFlag(args, "format")),
+        from: optionalFlag(args, "from"),
+        invocation_id: optionalFlag(args, "invocation") ?? optionalFlag(args, "invocation-id"),
+        limit: optionalNumberFlag(args, "limit"),
+        offset: optionalNumberFlag(args, "offset"),
+        status: optionalFlag(args, "status"),
+        to: optionalFlag(args, "to"),
+        user_id: optionalFlag(args, "user") ?? optionalFlag(args, "user-id")
+    };
+}
+function parseAuditFormatFlag(value) {
+    if (!value) {
+        return undefined;
+    }
+    if (value === "jsonl" || value === "csv" || value === "bundle") {
+        return value;
+    }
+    throw new Error("--format must be jsonl, csv, or bundle.");
+}
+function parseAuditDecisionFlag(value) {
+    if (!value) {
+        return undefined;
+    }
+    if (value === "allow" || value === "ask" || value === "block") {
+        return value;
+    }
+    throw new Error("--decision must be allow, ask, or block.");
+}
+function optionalNumberFlag(args, name) {
+    const value = optionalFlag(args, name);
+    if (value === undefined) {
+        return undefined;
+    }
+    const parsed = Number(value);
+    if (!Number.isInteger(parsed) || parsed < 0) {
+        throw new Error(`--${name} must be a non-negative integer.`);
+    }
+    return parsed;
+}
+async function loadConfig(env) {
+    const configDir = env.ARC_CONFIG_HOME ? resolve(env.ARC_CONFIG_HOME) : join(homedir(), ".arc");
+    const configPath = join(configDir, "config.json");
+    let config = {};
+    try {
+        config = JSON.parse(await readFile(configPath, "utf8"));
+    }
+    catch (error) {
+        if (error.code !== "ENOENT") {
+            throw error;
+        }
+    }
+    return {
+        config,
+        path: configPath,
+        save: async () => {
+            await mkdir(configDir, { mode: 0o700, recursive: true });
+            await chmod(configDir, 0o700).catch(() => undefined);
+            await writeFile(configPath, `${JSON.stringify(config, null, 2)}\n`, {
+                encoding: "utf8",
+                mode: 0o600
+            });
+            await chmod(configPath, 0o600).catch(() => undefined);
+        }
+    };
+}
+function parseArgs(argv) {
+    const flags = new Map();
+    const positionals = [];
+    for (let index = 0; index < argv.length; index += 1) {
+        const item = argv[index];
+        if (!item) {
+            continue;
+        }
+        if (item.startsWith("--")) {
+            const [rawName, inlineValue] = item.slice(2).split("=", 2);
+            const name = rawName ?? "";
+            if (!name) {
+                continue;
+            }
+            if (inlineValue !== undefined) {
+                flags.set(name, inlineValue);
+                continue;
+            }
+            const next = argv[index + 1];
+            if (next && !next.startsWith("--")) {
+                flags.set(name, next);
+                index += 1;
+            }
+            else {
+                flags.set(name, true);
+            }
+            continue;
+        }
+        positionals.push(item);
+    }
+    return { flags, positionals };
+}
+function requiredFlag(args, name) {
+    const value = optionalFlag(args, name);
+    if (!value) {
+        throw new Error(`Missing required --${name}.`);
+    }
+    return value;
+}
+function optionalFlag(args, name) {
+    const value = args.flags.get(name);
+    return typeof value === "string" ? value : undefined;
+}
+function requiredPositional(args, index, label) {
+    const value = args.positionals[index];
+    if (!value) {
+        throw new Error(`Missing ${label}.`);
+    }
+    return value;
+}
+function parseJsonFlag(value, label) {
+    try {
+        const parsed = JSON.parse(value);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+            throw new Error("not object");
+        }
+        return parsed;
+    }
+    catch {
+        throw new Error(`--${label} must be a JSON object.`);
+    }
+}
+function sanitizeConfig(config) {
+    return {
+        ...config,
+        agentToken: config.agentToken ? maskSecret(config.agentToken, "stored dev token") : undefined,
+        sessionCookie: config.sessionCookie ? maskSecret(config.sessionCookie, "stored session cookie") : undefined
+    };
+}
+function maskSecret(value, label) {
+    if (value.length < 24) {
+        return `[${label}: hidden]`;
+    }
+    return `[${label}: ${value.slice(0, 6)}...${value.slice(-4)}]`;
+}
+function readRecord(input, key) {
+    const parent = readRecordValue(input);
+    return readRecordValue(parent[key]);
+}
+function maybeRecord(input) {
+    return input && typeof input === "object" && !Array.isArray(input)
+        ? input
+        : null;
+}
+function readRecordValue(input) {
+    if (!input || typeof input !== "object" || Array.isArray(input)) {
+        throw new Error("Arc response was missing an expected object.");
+    }
+    return input;
+}
+function readArray(input) {
+    if (!Array.isArray(input)) {
+        throw new Error("Arc response was missing an expected array.");
+    }
+    return input;
+}
+function readString(input, key) {
+    const value = input[key];
+    if (typeof value !== "string") {
+        throw new Error(`Arc response was missing ${key}.`);
+    }
+    return value;
+}
+function printHelp(io) {
+    io.stdout.write(`Arc CLI
+Trust layer tooling for high-risk AI actions.
+From this monorepo after npm run build, run:
+  node packages/arc-sdk/dist/cli.js <command>
+Installed package usage:
+  arc <command>
+Commands:
+  arc config set --api-url <url> [--dev-email <email>] [--org <id>] Save local Arc API config
+  arc config get                                           Show config with secrets masked
+  arc app create <name> --execute-url <url> [--slug <s>]  Register an app and local app connection
+  arc actions sync <file> [--app <id-or-slug>]            Sync arc.defineActions output
+  arc actions sync <file> --dry-run                       Print the sync payload only
+  arc agent dev-token [--agent-type <type>]               Create a local dev agent token
+  arc agent whoami                                        Show agent runtime identity
+  arc agent apps                                          List apps granted to ARC_AGENT_TOKEN
+  arc agent actions --app <id-or-slug>                    List granted app actions
+  arc agent invoke --app <id-or-slug> --action <key>      Request an action through Arc
+  arc invoke <action-key> --app <id-or-slug> --input '{}' Invoke through Arc
+  arc delegations list                                   List Agentic SSO delegations
+  arc delegations show <delegation-id>                   Show delegated authority
+  arc delegations create --agent <id> --app <id> --actions '{"read":"allow"}'
+  arc delegations revoke <delegation-id>                 Revoke delegated authority
+  arc orgs list                                          List available workspaces
+  arc orgs current                                       Show current workspace context
+  arc orgs members                                       List current workspace members
+  arc orgs invite --email <email> --role <role>          Invite a member to the workspace
+  arc approvals list                                      List pending/resolved approvals
+  arc approvals approve <approval-id>                     Approve and queue execution
+  arc approvals deny <approval-id>                        Deny without execution
+  arc audit tail [--limit <n>]                            Show recent redacted audit events
+  arc audit export --format jsonl|csv [--agent <id>]      Export redacted audit evidence
+  arc audit verify [--agent <id>]                         Verify audit hashes for a scope
+  arc audit timeline --invocation <id>                    Show an incident timeline
+  arc dev smoke                                           Check Arc API health
+Local proof:
+  ARC_API_URL=http://127.0.0.1:<dev-port> npm --workspace @geostack/ai-support-ops-reference run smoke:dev
+`);
+}
+function printError(error, io) {
+    if (error instanceof ArcHttpError) {
+        io.stderr.write(`Arc API error ${error.status} ${error.code}: ${error.message}\n`);
+        return;
+    }
+    if (error instanceof Error) {
+        io.stderr.write(`${error.message}\n`);
+        return;
+    }
+    io.stderr.write("Unknown Arc CLI error.\n");
+}
+function trimTrailingSlash(value) {
+    return value.replace(/\/+$/u, "");
+}
+if (process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href) {
+    const code = await main();
+    process.exitCode = code;
+}
+//# sourceMappingURL=cli.js.map