@graphorin/cli 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (109) hide show
  1. package/CHANGELOG.md +7 -0
  2. package/LICENSE +21 -0
  3. package/README.md +130 -0
  4. package/dist/bin/graphorin.d.ts +1 -0
  5. package/dist/bin/graphorin.js +606 -0
  6. package/dist/bin/graphorin.js.map +1 -0
  7. package/dist/commands/audit.d.ts +59 -0
  8. package/dist/commands/audit.d.ts.map +1 -0
  9. package/dist/commands/audit.js +156 -0
  10. package/dist/commands/audit.js.map +1 -0
  11. package/dist/commands/auth.d.ts +48 -0
  12. package/dist/commands/auth.d.ts.map +1 -0
  13. package/dist/commands/auth.js +148 -0
  14. package/dist/commands/auth.js.map +1 -0
  15. package/dist/commands/consolidator.d.ts +49 -0
  16. package/dist/commands/consolidator.d.ts.map +1 -0
  17. package/dist/commands/consolidator.js +97 -0
  18. package/dist/commands/consolidator.js.map +1 -0
  19. package/dist/commands/doctor.d.ts +64 -0
  20. package/dist/commands/doctor.d.ts.map +1 -0
  21. package/dist/commands/doctor.js +150 -0
  22. package/dist/commands/doctor.js.map +1 -0
  23. package/dist/commands/guard.d.ts +35 -0
  24. package/dist/commands/guard.d.ts.map +1 -0
  25. package/dist/commands/guard.js +86 -0
  26. package/dist/commands/guard.js.map +1 -0
  27. package/dist/commands/index.d.ts +21 -0
  28. package/dist/commands/index.js +22 -0
  29. package/dist/commands/init.d.ts +46 -0
  30. package/dist/commands/init.d.ts.map +1 -0
  31. package/dist/commands/init.js +131 -0
  32. package/dist/commands/init.js.map +1 -0
  33. package/dist/commands/memory.d.ts +243 -0
  34. package/dist/commands/memory.d.ts.map +1 -0
  35. package/dist/commands/memory.js +471 -0
  36. package/dist/commands/memory.js.map +1 -0
  37. package/dist/commands/migrate-config.d.ts +20 -0
  38. package/dist/commands/migrate-config.d.ts.map +1 -0
  39. package/dist/commands/migrate-config.js +48 -0
  40. package/dist/commands/migrate-config.js.map +1 -0
  41. package/dist/commands/migrate-export.d.ts +26 -0
  42. package/dist/commands/migrate-export.d.ts.map +1 -0
  43. package/dist/commands/migrate-export.js +67 -0
  44. package/dist/commands/migrate-export.js.map +1 -0
  45. package/dist/commands/migrate.d.ts +31 -0
  46. package/dist/commands/migrate.d.ts.map +1 -0
  47. package/dist/commands/migrate.js +59 -0
  48. package/dist/commands/migrate.js.map +1 -0
  49. package/dist/commands/pricing.d.ts +66 -0
  50. package/dist/commands/pricing.d.ts.map +1 -0
  51. package/dist/commands/pricing.js +128 -0
  52. package/dist/commands/pricing.js.map +1 -0
  53. package/dist/commands/secrets.d.ts +96 -0
  54. package/dist/commands/secrets.d.ts.map +1 -0
  55. package/dist/commands/secrets.js +182 -0
  56. package/dist/commands/secrets.js.map +1 -0
  57. package/dist/commands/skills.d.ts +58 -0
  58. package/dist/commands/skills.d.ts.map +1 -0
  59. package/dist/commands/skills.js +181 -0
  60. package/dist/commands/skills.js.map +1 -0
  61. package/dist/commands/start.d.ts +51 -0
  62. package/dist/commands/start.d.ts.map +1 -0
  63. package/dist/commands/start.js +122 -0
  64. package/dist/commands/start.js.map +1 -0
  65. package/dist/commands/storage.d.ts +110 -0
  66. package/dist/commands/storage.d.ts.map +1 -0
  67. package/dist/commands/storage.js +274 -0
  68. package/dist/commands/storage.js.map +1 -0
  69. package/dist/commands/telemetry.d.ts +21 -0
  70. package/dist/commands/telemetry.d.ts.map +1 -0
  71. package/dist/commands/telemetry.js +75 -0
  72. package/dist/commands/telemetry.js.map +1 -0
  73. package/dist/commands/token.d.ts +109 -0
  74. package/dist/commands/token.d.ts.map +1 -0
  75. package/dist/commands/token.js +246 -0
  76. package/dist/commands/token.js.map +1 -0
  77. package/dist/commands/tools-lint.d.ts +103 -0
  78. package/dist/commands/tools-lint.d.ts.map +1 -0
  79. package/dist/commands/tools-lint.js +240 -0
  80. package/dist/commands/tools-lint.js.map +1 -0
  81. package/dist/commands/traces.d.ts +33 -0
  82. package/dist/commands/traces.d.ts.map +1 -0
  83. package/dist/commands/traces.js +103 -0
  84. package/dist/commands/traces.js.map +1 -0
  85. package/dist/commands/triggers.d.ts +49 -0
  86. package/dist/commands/triggers.d.ts.map +1 -0
  87. package/dist/commands/triggers.js +129 -0
  88. package/dist/commands/triggers.js.map +1 -0
  89. package/dist/index.d.ts +46 -0
  90. package/dist/index.d.ts.map +1 -0
  91. package/dist/index.js +47 -0
  92. package/dist/index.js.map +1 -0
  93. package/dist/internal/exit.js +17 -0
  94. package/dist/internal/exit.js.map +1 -0
  95. package/dist/internal/load-config.js +84 -0
  96. package/dist/internal/load-config.js.map +1 -0
  97. package/dist/internal/offline.d.ts +58 -0
  98. package/dist/internal/offline.d.ts.map +1 -0
  99. package/dist/internal/offline.js +72 -0
  100. package/dist/internal/offline.js.map +1 -0
  101. package/dist/internal/output.d.ts +56 -0
  102. package/dist/internal/output.d.ts.map +1 -0
  103. package/dist/internal/output.js +86 -0
  104. package/dist/internal/output.js.map +1 -0
  105. package/dist/internal/prompts.js +49 -0
  106. package/dist/internal/prompts.js.map +1 -0
  107. package/dist/internal/store-context.js +69 -0
  108. package/dist/internal/store-context.js.map +1 -0
  109. package/package.json +79 -0
@@ -0,0 +1,606 @@
1
+ #!/usr/bin/env node
2
+ import { runAuditExport, runAuditPrune, runAuditVerify } from "../commands/audit.js";
3
+ import { isOfflineMode } from "../internal/offline.js";
4
+ import { runAuthList, runAuthLogin, runAuthRefresh, runAuthRevoke, runAuthStatus } from "../commands/auth.js";
5
+ import { runConsolidatorSetTier, runConsolidatorStatus, runConsolidatorStop } from "../commands/consolidator.js";
6
+ import { runDoctor } from "../commands/doctor.js";
7
+ import { runGuardExplain, runGuardStatus } from "../commands/guard.js";
8
+ import { runInit } from "../commands/init.js";
9
+ import { runMemoryActivity, runMemoryInspect, runMemoryMigrate, runMemoryReview, runMemoryStatus, runMemoryWhy } from "../commands/memory.js";
10
+ import { runStart } from "../commands/start.js";
11
+ import { runMigrate } from "../commands/migrate.js";
12
+ import { runMigrateConfig } from "../commands/migrate-config.js";
13
+ import { runMigrateExport } from "../commands/migrate-export.js";
14
+ import { runPricingDiff, runPricingLookup, runPricingMissing, runPricingRefresh, runPricingStatus } from "../commands/pricing.js";
15
+ import { runSecretsDelete, runSecretsGet, runSecretsList, runSecretsRef, runSecretsRotate, runSecretsSet } from "../commands/secrets.js";
16
+ import { runSkillsAudit, runSkillsInspect, runSkillsInstall, runSkillsMigrateFrontmatter } from "../commands/skills.js";
17
+ import { runStorageCleanupBackups, runStorageEncrypt, runStorageRekey, runStorageStatus } from "../commands/storage.js";
18
+ import { runTelemetryDisable, runTelemetryEnable, runTelemetryInspect, runTelemetryStatus } from "../commands/telemetry.js";
19
+ import { runTokenCreate, runTokenList, runTokenRekey, runTokenRevoke, runTokenRotate, runTokenVerify } from "../commands/token.js";
20
+ import { runToolsLint } from "../commands/tools-lint.js";
21
+ import { runTracesPrune, runTracesStatus } from "../commands/traces.js";
22
+ import { runTriggersDisable, runTriggersFire, runTriggersList, runTriggersPrune, runTriggersStatus } from "../commands/triggers.js";
23
+ import { VERSION } from "../index.js";
24
+ import process from "node:process";
25
+ import { Command } from "commander";
26
+
27
+ //#region src/bin/graphorin.ts
28
+ /**
29
+ * `graphorin` CLI entry point. Built into `dist/bin/graphorin.js`
30
+ * with a shebang prepended by `tsdown`; the `package.json` `bin`
31
+ * field points npm at the compiled file.
32
+ *
33
+ * Phase 14a installs three subcommands grouped by lifecycle phase:
34
+ *
35
+ * Bootstrap:
36
+ * - graphorin init
37
+ *
38
+ * Maintenance:
39
+ * - graphorin migrate
40
+ *
41
+ * Runtime:
42
+ * - graphorin start
43
+ *
44
+ * Phase 15 extends this binary with the full operator surface
45
+ * (`doctor`, `token`, `secrets`, `audit`, `storage`, `memory`,
46
+ * `consolidator`, `triggers`, `auth`, `pricing`, `skills`, `traces`,
47
+ * `migrate-export`, `migrate-config`, `guard`, `telemetry`,
48
+ * `tools lint`).
49
+ *
50
+ * `GRAPHORIN_OFFLINE=1` is honoured by every subcommand — the v0.1
51
+ * surface never makes implicit network calls. Phase 15 commands that
52
+ * do touch the network (e.g. `graphorin pricing refresh`) consult
53
+ * the same flag through the helper in `../internal/offline.ts`.
54
+ *
55
+ * @packageDocumentation
56
+ */
57
+ async function main() {
58
+ const program = new Command();
59
+ program.name("graphorin").description([
60
+ "Operator CLI for the Graphorin framework.",
61
+ "",
62
+ "Commands grouped by purpose:",
63
+ " Bootstrap: init, migrate, migrate-config",
64
+ " Runtime: start",
65
+ " Diagnostics: doctor, telemetry, traces, guard",
66
+ " Auth: token, secrets, auth",
67
+ " Storage: storage, audit, memory, consolidator, triggers, migrate-export",
68
+ " Catalogue: pricing, skills, tools",
69
+ "",
70
+ "Honours GRAPHORIN_OFFLINE=1 — the v0.1 surface never makes implicit network calls."
71
+ ].join("\n")).version(VERSION);
72
+ registerLifecycleCommands(program);
73
+ registerDoctorCommand(program);
74
+ registerTokenCommands(program);
75
+ registerSecretsCommands(program);
76
+ registerStorageCommands(program);
77
+ registerAuditCommands(program);
78
+ registerMemoryCommands(program);
79
+ registerConsolidatorCommands(program);
80
+ registerTriggersCommands(program);
81
+ registerAuthCommands(program);
82
+ registerPricingCommands(program);
83
+ registerSkillsCommands(program);
84
+ registerTracesCommands(program);
85
+ registerMigrateExportCommand(program);
86
+ registerMigrateConfigCommand(program);
87
+ registerGuardCommands(program);
88
+ registerTelemetryCommands(program);
89
+ registerToolsCommands(program);
90
+ await program.parseAsync(process.argv);
91
+ }
92
+ function registerLifecycleCommands(program) {
93
+ program.command("start").description("[Runtime] Start the @graphorin/server daemon.").option("-c, --config <path>", "Path to the graphorin.config file (TS / JS / JSON).").option("-h, --host <host>", "Override the configured listen host.").option("-p, --port <port>", "Override the configured listen port.", (value) => Number.parseInt(value, 10)).option("--secrets-source <kind>", "Override secrets.source: auto | keyring | encrypted-file | env (DEC-136).").option("--strict-secrets", "Refuse to fall back to a different secrets store (DEC-136).").action(async (opts) => {
94
+ if (isOfflineMode()) process.stderr.write("[graphorin/cli] GRAPHORIN_OFFLINE=1 — running with no implicit network calls.\n");
95
+ await runStart({
96
+ ...opts.config !== void 0 ? { config: opts.config } : {},
97
+ ...opts.host !== void 0 ? { host: opts.host } : {},
98
+ ...opts.port !== void 0 ? { port: opts.port } : {},
99
+ ...opts.secretsSource !== void 0 ? { secretsSource: opts.secretsSource } : {},
100
+ ...opts.strictSecrets !== void 0 ? { strictSecrets: opts.strictSecrets } : {}
101
+ });
102
+ });
103
+ program.command("init").description("[Bootstrap] Generate a fresh graphorin.config.ts and a one-shot bootstrap admin token.").option("-o, --out <path>", "Output path; defaults to ./graphorin.config.ts.").option("--non-interactive", "Accept defaults / env vars without prompting.", false).option("--cloud-consent <tier>", "Cloud-upload consent tier: public-only | public-and-internal | all-with-warnings.").option("--encrypted", "Enable storage encryption opt-in.").option("--no-encrypted", "Disable storage encryption opt-in.").action(async (opts) => {
104
+ if (isOfflineMode()) process.stderr.write("[graphorin/cli] GRAPHORIN_OFFLINE=1 — init never reaches the network.\n");
105
+ await runInit({
106
+ ...opts.out !== void 0 ? { out: opts.out } : {},
107
+ ...opts.nonInteractive !== void 0 ? { nonInteractive: opts.nonInteractive } : {},
108
+ ...opts.cloudConsent !== void 0 ? { cloudConsent: opts.cloudConsent } : {},
109
+ ...opts.encrypted !== void 0 ? { encrypted: opts.encrypted } : {}
110
+ });
111
+ });
112
+ program.command("migrate").description("[Maintenance] Apply pending storage migrations against the configured SQLite store.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--target <version>", "Reserved for the Phase 15 partial-migration runner.").action(async (opts) => {
113
+ if (isOfflineMode()) process.stderr.write("[graphorin/cli] GRAPHORIN_OFFLINE=1 — migrate is a local-only operation.\n");
114
+ await runMigrate({
115
+ ...opts.config !== void 0 ? { config: opts.config } : {},
116
+ ...opts.target !== void 0 ? { target: opts.target } : {}
117
+ });
118
+ });
119
+ }
120
+ function registerDoctorCommand(program) {
121
+ program.command("doctor").description("[Diagnostics] Health check (perms + secrets + encryption + systemd).").option("--fix-perms", "Repair drifted POSIX file modes.").option("--check-perms", "Run the file-perms check.").option("--check-secrets", "Run the secrets-store check.").option("--check-encryption", "Run the audit-encryption check.").option("--check-systemd", "Run the systemd-hardening check (Linux only).").option("--all", "Run every check.").option("--json", "Emit a structured JSON report on stdout.").action(async (opts) => {
122
+ await runDoctor({
123
+ ...opts.fixPerms !== void 0 ? { fixPerms: opts.fixPerms } : {},
124
+ ...opts.checkPerms !== void 0 ? { checkPerms: opts.checkPerms } : {},
125
+ ...opts.checkSecrets !== void 0 ? { checkSecrets: opts.checkSecrets } : {},
126
+ ...opts.checkEncryption !== void 0 ? { checkEncryption: opts.checkEncryption } : {},
127
+ ...opts.checkSystemd !== void 0 ? { checkSystemd: opts.checkSystemd } : {},
128
+ ...opts.all !== void 0 ? { all: opts.all } : {},
129
+ ...opts.json !== void 0 ? { json: opts.json } : {}
130
+ });
131
+ });
132
+ }
133
+ function registerTokenCommands(program) {
134
+ const token = program.command("token").description("[Auth] Manage server auth tokens.");
135
+ token.command("create").description("Mint a new token. Prints the raw value once.").requiredOption("--scopes <list>", "Comma-separated scope list.").option("--label <name>", "Optional label.").option("--expires-in <duration>", "Duration string: 30d, 12h, 90m, 45s.").option("--env <env>", "Token environment: live | test.", "live").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
136
+ await runTokenCreate({
137
+ scopes: opts.scopes.split(",").map((s) => s.trim()).filter(Boolean),
138
+ ...opts.label !== void 0 ? { label: opts.label } : {},
139
+ ...opts.expiresIn !== void 0 ? { expiresIn: opts.expiresIn } : {},
140
+ ...opts.env !== void 0 ? { env: opts.env } : {},
141
+ ...opts.config !== void 0 ? { config: opts.config } : {},
142
+ ...opts.json !== void 0 ? { json: opts.json } : {}
143
+ });
144
+ });
145
+ token.command("list").description("List token metadata.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--include-revoked", "Include revoked tokens.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
146
+ await runTokenList({
147
+ ...opts.config !== void 0 ? { config: opts.config } : {},
148
+ ...opts.includeRevoked !== void 0 ? { includeRevoked: opts.includeRevoked } : {},
149
+ ...opts.json !== void 0 ? { json: opts.json } : {}
150
+ });
151
+ });
152
+ token.command("revoke <id>").description("Revoke a single token.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (id, opts) => {
153
+ await runTokenRevoke({
154
+ id,
155
+ ...opts.config !== void 0 ? { config: opts.config } : {},
156
+ ...opts.json !== void 0 ? { json: opts.json } : {}
157
+ });
158
+ });
159
+ token.command("rotate <id>").description("Revoke + reissue a token with the same scopes.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--env <env>", "Token environment: live | test.", "live").option("--json", "Emit a structured JSON document on stdout.").action(async (id, opts) => {
160
+ await runTokenRotate({
161
+ id,
162
+ ...opts.config !== void 0 ? { config: opts.config } : {},
163
+ ...opts.env !== void 0 ? { env: opts.env } : {},
164
+ ...opts.json !== void 0 ? { json: opts.json } : {}
165
+ });
166
+ });
167
+ token.command("rekey").description("Re-issue every active token (use after a known compromise).").option("-c, --config <path>", "Path to the graphorin.config file.").option("--env <env>", "Token environment: live | test.", "live").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
168
+ await runTokenRekey({
169
+ ...opts.config !== void 0 ? { config: opts.config } : {},
170
+ ...opts.env !== void 0 ? { env: opts.env } : {},
171
+ ...opts.json !== void 0 ? { json: opts.json } : {}
172
+ });
173
+ });
174
+ token.command("verify <token>").description("Offline checksum verification — never consults the store.").option("--prefix <prefix>", "Override the expected token prefix.").option("--json", "Emit a structured JSON document on stdout.").action((tok, opts) => {
175
+ runTokenVerify({
176
+ token: tok,
177
+ ...opts.prefix !== void 0 ? { prefix: opts.prefix } : {},
178
+ ...opts.json !== void 0 ? { json: opts.json } : {}
179
+ });
180
+ });
181
+ }
182
+ function registerSecretsCommands(program) {
183
+ const secrets = program.command("secrets").description("[Auth] Manage secrets in the configured store.");
184
+ const commonOpts = (cmd) => cmd.option("--secrets-source <kind>", "auto | keyring | encrypted-file | env (DEC-136).").option("--strict-secrets", "Refuse to fall back to a different secrets store.").option("--json", "Emit a structured JSON document on stdout.");
185
+ commonOpts(secrets.command("list").description("List secret metadata.")).action(async (opts) => {
186
+ await runSecretsList({
187
+ ...opts.secretsSource !== void 0 ? { secretsSource: opts.secretsSource } : {},
188
+ ...opts.strictSecrets !== void 0 ? { strictSecrets: opts.strictSecrets } : {},
189
+ ...opts.json !== void 0 ? { json: opts.json } : {}
190
+ });
191
+ });
192
+ commonOpts(secrets.command("get <key>").description("Read a secret. Use --reveal to print the bytes.").option("--reveal", "Print the raw value.")).action(async (key, opts) => {
193
+ await runSecretsGet({
194
+ key,
195
+ ...opts.secretsSource !== void 0 ? { secretsSource: opts.secretsSource } : {},
196
+ ...opts.strictSecrets !== void 0 ? { strictSecrets: opts.strictSecrets } : {},
197
+ ...opts.json !== void 0 ? { json: opts.json } : {},
198
+ ...opts.reveal !== void 0 ? { reveal: opts.reveal } : {}
199
+ });
200
+ });
201
+ commonOpts(secrets.command("set <key>").description("Persist a secret. Pass --value <v> or --from-stdin.").option("--value <v>", "Inline value.").option("--from-stdin", "Read the value from stdin.")).action(async (key, opts) => {
202
+ await runSecretsSet({
203
+ key,
204
+ ...opts.value !== void 0 ? { value: opts.value } : {},
205
+ ...opts.fromStdin !== void 0 ? { fromStdin: opts.fromStdin } : {},
206
+ ...opts.secretsSource !== void 0 ? { secretsSource: opts.secretsSource } : {},
207
+ ...opts.strictSecrets !== void 0 ? { strictSecrets: opts.strictSecrets } : {},
208
+ ...opts.json !== void 0 ? { json: opts.json } : {}
209
+ });
210
+ });
211
+ commonOpts(secrets.command("delete <key>").description("Delete a secret.")).action(async (key, opts) => {
212
+ await runSecretsDelete({
213
+ key,
214
+ ...opts.secretsSource !== void 0 ? { secretsSource: opts.secretsSource } : {},
215
+ ...opts.strictSecrets !== void 0 ? { strictSecrets: opts.strictSecrets } : {},
216
+ ...opts.json !== void 0 ? { json: opts.json } : {}
217
+ });
218
+ });
219
+ commonOpts(secrets.command("ref <uri>").description("Test resolution of a SecretRef URI.").option("--reveal", "Include the resolved value in the report.")).action(async (uri, opts) => {
220
+ await runSecretsRef({
221
+ uri,
222
+ ...opts.reveal !== void 0 ? { reveal: opts.reveal } : {},
223
+ ...opts.json !== void 0 ? { json: opts.json } : {}
224
+ });
225
+ });
226
+ commonOpts(secrets.command("rotate <key>").description("Replace an existing secret with a fresh value.").option("--new-value <v>", "Inline new value.").option("--from-stdin", "Read the new value from stdin.")).action(async (key, opts) => {
227
+ await runSecretsRotate({
228
+ key,
229
+ ...opts.newValue !== void 0 ? { newValue: opts.newValue } : {},
230
+ ...opts.fromStdin !== void 0 ? { fromStdin: opts.fromStdin } : {},
231
+ ...opts.secretsSource !== void 0 ? { secretsSource: opts.secretsSource } : {},
232
+ ...opts.strictSecrets !== void 0 ? { strictSecrets: opts.strictSecrets } : {},
233
+ ...opts.json !== void 0 ? { json: opts.json } : {}
234
+ });
235
+ });
236
+ }
237
+ function registerStorageCommands(program) {
238
+ const storage = program.command("storage").description("[Storage] SQLite + encryption-at-rest commands.");
239
+ storage.command("status").description("Report current store state + cipher peer availability.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
240
+ await runStorageStatus({
241
+ ...opts.config !== void 0 ? { config: opts.config } : {},
242
+ ...opts.json !== void 0 ? { json: opts.json } : {}
243
+ });
244
+ });
245
+ storage.command("encrypt").description("Encrypt the store. Requires the @graphorin/store-sqlite-encrypted sub-pack (Phase 16).").requiredOption("--passphrase-from <ref>", "SecretRef URI for the new passphrase.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--target-path <path>", "Override the encrypted output path. Default <storage>.encrypted.").option("--swap", "Atomically swap the encrypted output into the storage path; original kept under .bak.<ts>.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
246
+ await runStorageEncrypt({
247
+ passphraseFrom: opts.passphraseFrom,
248
+ ...opts.config !== void 0 ? { config: opts.config } : {},
249
+ ...opts.targetPath !== void 0 ? { targetPath: opts.targetPath } : {},
250
+ ...opts.swap === true ? { swap: true } : {},
251
+ ...opts.json !== void 0 ? { json: opts.json } : {}
252
+ });
253
+ });
254
+ storage.command("rekey").description("Rekey an already-encrypted store.").requiredOption("--old-passphrase-from <ref>", "SecretRef URI for the existing passphrase.").requiredOption("--new-passphrase-from <ref>", "SecretRef URI for the new passphrase.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
255
+ await runStorageRekey({
256
+ oldPassphraseFrom: opts.oldPassphraseFrom,
257
+ newPassphraseFrom: opts.newPassphraseFrom,
258
+ ...opts.config !== void 0 ? { config: opts.config } : {},
259
+ ...opts.json !== void 0 ? { json: opts.json } : {}
260
+ });
261
+ });
262
+ storage.command("cleanup-backups").description("Drop stale .bak / .tmp.<ts> files left by previous encrypt / rekey runs.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--dry-run", "Print what would be removed without touching the filesystem.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
263
+ await runStorageCleanupBackups({
264
+ ...opts.config !== void 0 ? { config: opts.config } : {},
265
+ ...opts.dryRun !== void 0 ? { dryRun: opts.dryRun } : {},
266
+ ...opts.json !== void 0 ? { json: opts.json } : {}
267
+ });
268
+ });
269
+ }
270
+ function registerAuditCommands(program) {
271
+ const audit = program.command("audit").description("[Storage] Operate on the encrypted audit log.");
272
+ audit.command("verify").description("Replay the chain and report the first broken link (if any).").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
273
+ await runAuditVerify({
274
+ ...opts.config !== void 0 ? { config: opts.config } : {},
275
+ ...opts.json !== void 0 ? { json: opts.json } : {}
276
+ });
277
+ });
278
+ audit.command("prune").description("Drop entries older than --before (cutoff is required).").requiredOption("--before <date>", "ISO date / epoch ms cutoff.").option("--retain <n>", "Minimum number of entries that must survive.", (v) => Number.parseInt(v, 10)).option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
279
+ await runAuditPrune({
280
+ before: opts.before,
281
+ ...opts.retain !== void 0 ? { retain: opts.retain } : {},
282
+ ...opts.config !== void 0 ? { config: opts.config } : {},
283
+ ...opts.json !== void 0 ? { json: opts.json } : {}
284
+ });
285
+ });
286
+ audit.command("export").description("Stream every audit entry as JSONL into --to.").requiredOption("--to <file>", "Output path.").option("--from-seq <n>", "Lower bound (inclusive).", (v) => Number.parseInt(v, 10)).option("--to-seq <n>", "Upper bound (inclusive).", (v) => Number.parseInt(v, 10)).option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
287
+ await runAuditExport({
288
+ to: opts.to,
289
+ ...opts.fromSeq !== void 0 ? { fromSeq: opts.fromSeq } : {},
290
+ ...opts.toSeq !== void 0 ? { toSeq: opts.toSeq } : {},
291
+ ...opts.config !== void 0 ? { config: opts.config } : {},
292
+ ...opts.json !== void 0 ? { json: opts.json } : {}
293
+ });
294
+ });
295
+ }
296
+ function registerMemoryCommands(program) {
297
+ const memory = program.command("memory").description("[Storage] Long-term memory operator commands.");
298
+ memory.command("status").description("Report counts + active embedder + migration state.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
299
+ await runMemoryStatus({
300
+ ...opts.config !== void 0 ? { config: opts.config } : {},
301
+ ...opts.json !== void 0 ? { json: opts.json } : {}
302
+ });
303
+ });
304
+ memory.command("migrate").description("Embedder swap. Requires --embedders module that exports the factories.").requiredOption("--from <id>", "Source embedder id.").requiredOption("--to <id>", "Target embedder id.").requiredOption("--strategy <s>", "lock-on-first | auto-migrate | multi-active.").option("--embedders <path>", "Path to a module exporting embedder factories.").option("-c, --config <path>", "Path to the graphorin.config file.").action(async (opts) => {
305
+ await runMemoryMigrate({
306
+ from: opts.from,
307
+ to: opts.to,
308
+ strategy: opts.strategy,
309
+ ...opts.embedders !== void 0 ? { embeddersModule: opts.embedders } : {},
310
+ ...opts.config !== void 0 ? { config: opts.config } : {}
311
+ });
312
+ });
313
+ memory.command("inspect").description("Inspect one fact: supersede chain, quarantine, conflicts, citing insights.").argument("<factId>", "Id of the fact to inspect.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (factId, opts) => {
314
+ await runMemoryInspect({
315
+ factId,
316
+ ...opts.config !== void 0 ? { config: opts.config } : {},
317
+ ...opts.json !== void 0 ? { json: opts.json } : {}
318
+ });
319
+ });
320
+ memory.command("activity").description("Store-wide consolidator / reflection activity: quarantine, history, conflicts.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--limit <n>", "Cap on recent history / conflict rows (default 20).").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
321
+ const limit = opts.limit !== void 0 ? Number.parseInt(opts.limit, 10) : void 0;
322
+ await runMemoryActivity({
323
+ ...limit !== void 0 && Number.isFinite(limit) ? { limit } : {},
324
+ ...opts.config !== void 0 ? { config: opts.config } : {},
325
+ ...opts.json !== void 0 ? { json: opts.json } : {}
326
+ });
327
+ });
328
+ memory.command("why").description("Explain why facts were recalled (ranking signals) from the persisted recall spans.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--session <id>", "Restrict to one session's recall spans.").option("--limit <n>", "Cap on the most-recent recall spans (default 5).").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
329
+ const limit = opts.limit !== void 0 ? Number.parseInt(opts.limit, 10) : void 0;
330
+ await runMemoryWhy({
331
+ ...opts.session !== void 0 ? { sessionId: opts.session } : {},
332
+ ...limit !== void 0 && Number.isFinite(limit) ? { limit } : {},
333
+ ...opts.config !== void 0 ? { config: opts.config } : {},
334
+ ...opts.json !== void 0 ? { json: opts.json } : {}
335
+ });
336
+ });
337
+ memory.command("review").description("List quarantined memory by tier, or promote a reviewed item with --promote.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--limit <n>", "Cap on rows listed per type (default 20).").option("--promote <id>", "Promote this quarantined memory id out of quarantine.").option("--reason <text>", "Audit reason recorded with the promotion.").option("--force", "Override the injection-refusal gate (operator action, after review).").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
338
+ const limit = opts.limit !== void 0 ? Number.parseInt(opts.limit, 10) : void 0;
339
+ await runMemoryReview({
340
+ ...limit !== void 0 && Number.isFinite(limit) ? { limit } : {},
341
+ ...opts.promote !== void 0 ? { promote: opts.promote } : {},
342
+ ...opts.reason !== void 0 ? { reason: opts.reason } : {},
343
+ ...opts.force !== void 0 ? { force: opts.force } : {},
344
+ ...opts.config !== void 0 ? { config: opts.config } : {},
345
+ ...opts.json !== void 0 ? { json: opts.json } : {}
346
+ });
347
+ });
348
+ }
349
+ function registerConsolidatorCommands(program) {
350
+ const c = program.command("consolidator").description("[Storage] Inspect and steer the memory consolidator.");
351
+ c.command("status").description("Current tier hint + DLQ size + recent run history.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
352
+ await runConsolidatorStatus({
353
+ ...opts.config !== void 0 ? { config: opts.config } : {},
354
+ ...opts.json !== void 0 ? { json: opts.json } : {}
355
+ });
356
+ });
357
+ c.command("set-tier <tier>").description("Persist a tier hint (free | cheap | standard | full | custom).").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (tier, opts) => {
358
+ await runConsolidatorSetTier({
359
+ tier,
360
+ ...opts.config !== void 0 ? { config: opts.config } : {},
361
+ ...opts.json !== void 0 ? { json: opts.json } : {}
362
+ });
363
+ });
364
+ c.command("stop").description("Persist a pause flag the running daemon honours.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
365
+ await runConsolidatorStop({
366
+ ...opts.config !== void 0 ? { config: opts.config } : {},
367
+ ...opts.json !== void 0 ? { json: opts.json } : {}
368
+ });
369
+ });
370
+ }
371
+ function registerTriggersCommands(program) {
372
+ const t = program.command("triggers").description("[Storage] Operate on the durable trigger registry.");
373
+ t.command("list").description("Every persisted trigger.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
374
+ await runTriggersList({
375
+ ...opts.config !== void 0 ? { config: opts.config } : {},
376
+ ...opts.json !== void 0 ? { json: opts.json } : {}
377
+ });
378
+ });
379
+ t.command("status <id>").description("Single-trigger detail.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (id, opts) => {
380
+ await runTriggersStatus({
381
+ id,
382
+ ...opts.config !== void 0 ? { config: opts.config } : {},
383
+ ...opts.json !== void 0 ? { json: opts.json } : {}
384
+ });
385
+ });
386
+ t.command("fire <id>").description("Operator-fired side-effect (admin only).").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (id, opts) => {
387
+ await runTriggersFire({
388
+ id,
389
+ ...opts.config !== void 0 ? { config: opts.config } : {},
390
+ ...opts.json !== void 0 ? { json: opts.json } : {}
391
+ });
392
+ });
393
+ t.command("disable <id>").description("Flip the disabled column on the registry row.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (id, opts) => {
394
+ await runTriggersDisable({
395
+ id,
396
+ ...opts.config !== void 0 ? { config: opts.config } : {},
397
+ ...opts.json !== void 0 ? { json: opts.json } : {}
398
+ });
399
+ });
400
+ t.command("prune").description("Drop disabled triggers older than --before.").option("--before <date>", "ISO date / epoch ms cutoff. Defaults to 0 (drop every disabled row).").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
401
+ await runTriggersPrune({
402
+ ...opts.before !== void 0 ? { before: opts.before } : {},
403
+ ...opts.config !== void 0 ? { config: opts.config } : {},
404
+ ...opts.json !== void 0 ? { json: opts.json } : {}
405
+ });
406
+ });
407
+ }
408
+ function registerAuthCommands(program) {
409
+ const a = program.command("auth").description("[Auth] Outbound OAuth (e.g. for MCP servers).");
410
+ a.command("login").description("Drive an interactive login flow.").requiredOption("--server <url>", "Authorization server URL.").option("--server-id <id>", "Override the persisted server identifier.").option("--scope <scope>", "OAuth scope.").option("--device-flow", "Use the Device Authorization Grant.").option("--client-id <id>", "Pre-existing client identifier (skip DCR).").option("-c, --config <path>", "Path to the graphorin.config file.").action(async (opts) => {
411
+ await runAuthLogin({
412
+ serverUrl: opts.server,
413
+ ...opts.serverId !== void 0 ? { serverId: opts.serverId } : {},
414
+ ...opts.scope !== void 0 ? { scope: opts.scope } : {},
415
+ ...opts.deviceFlow !== void 0 ? { deviceFlow: opts.deviceFlow } : {},
416
+ ...opts.clientId !== void 0 ? { clientId: opts.clientId } : {},
417
+ ...opts.config !== void 0 ? { config: opts.config } : {}
418
+ });
419
+ });
420
+ a.command("list").description("List persisted OAuth sessions.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
421
+ await runAuthList({
422
+ ...opts.config !== void 0 ? { config: opts.config } : {},
423
+ ...opts.json !== void 0 ? { json: opts.json } : {}
424
+ });
425
+ });
426
+ a.command("refresh <id>").description("Refresh a session.").option("-c, --config <path>", "Path to the graphorin.config file.").action(async (id, opts) => {
427
+ await runAuthRefresh({
428
+ id,
429
+ ...opts.config !== void 0 ? { config: opts.config } : {}
430
+ });
431
+ });
432
+ a.command("revoke <id>").description("Revoke a session.").option("--reason <text>", "Optional reason persisted in the audit log.").option("-c, --config <path>", "Path to the graphorin.config file.").action(async (id, opts) => {
433
+ await runAuthRevoke({
434
+ id,
435
+ ...opts.reason !== void 0 ? { reason: opts.reason } : {},
436
+ ...opts.config !== void 0 ? { config: opts.config } : {}
437
+ });
438
+ });
439
+ a.command("status").description("OAuth subsystem snapshot.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
440
+ await runAuthStatus({
441
+ ...opts.config !== void 0 ? { config: opts.config } : {},
442
+ ...opts.json !== void 0 ? { json: opts.json } : {}
443
+ });
444
+ });
445
+ }
446
+ function registerPricingCommands(program) {
447
+ const p = program.command("pricing").description("[Catalogue] Bundled LLM pricing snapshot.");
448
+ p.command("status").description("Show bundled snapshot version + entry count + digest.").option("--json", "Emit a structured JSON document on stdout.").action((opts) => {
449
+ runPricingStatus({ ...opts.json !== void 0 ? { json: opts.json } : {} });
450
+ });
451
+ p.command("refresh").description("Pull a fresh snapshot from --url (network).").requiredOption("--url <url>", "Snapshot URL.").option("--out <file>", "Optional path to write the refreshed snapshot to.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
452
+ await runPricingRefresh({
453
+ url: opts.url,
454
+ ...opts.out !== void 0 ? { out: opts.out } : {},
455
+ ...opts.json !== void 0 ? { json: opts.json } : {}
456
+ });
457
+ });
458
+ p.command("diff").description("Diff a supplied snapshot against the bundled one.").requiredOption("--snapshot <file>", "JSON file containing a PricingSnapshot.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
459
+ await runPricingDiff({
460
+ snapshot: opts.snapshot,
461
+ ...opts.json !== void 0 ? { json: opts.json } : {}
462
+ });
463
+ });
464
+ p.command("lookup").description("Print the per-token price for a single (provider, model) pair.").requiredOption("--provider <name>", "Provider id.").requiredOption("--model <id>", "Model id.").option("--region <region>", "Optional region.").option("--json", "Emit a structured JSON document on stdout.").action((opts) => {
465
+ runPricingLookup({
466
+ provider: opts.provider,
467
+ model: opts.model,
468
+ ...opts.region !== void 0 ? { region: opts.region } : {},
469
+ ...opts.json !== void 0 ? { json: opts.json } : {}
470
+ });
471
+ });
472
+ p.command("missing").description("Report (provider, model) pairs absent from the bundled snapshot.").requiredOption("--spans <file>", "JSON file containing trace spans (array of { attributes }).").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
473
+ await runPricingMissing({
474
+ spans: opts.spans,
475
+ ...opts.json !== void 0 ? { json: opts.json } : {}
476
+ });
477
+ });
478
+ }
479
+ function registerSkillsCommands(program) {
480
+ const s = program.command("skills").description("[Catalogue] Manage operator-managed skill packages.");
481
+ s.command("install <source>").description("Install a skill from npm:<name>[@version] or git:<url>.").option("--version <version>", "npm version pin.").option("--ref <ref>", "git ref (branch / tag / sha).").option("--trust-level <level>", "trusted | trusted-with-scripts | untrusted.").option("--cwd <dir>", "Working directory for npm installs.").option("--dry-run", "Skip the install; run the policy + audit pipeline only.").option("--json", "Emit a structured JSON document on stdout.").action(async (source, opts) => {
482
+ await runSkillsInstall({
483
+ source,
484
+ ...opts.version !== void 0 ? { version: opts.version } : {},
485
+ ...opts.ref !== void 0 ? { ref: opts.ref } : {},
486
+ ...opts.trustLevel !== void 0 ? { trustLevel: opts.trustLevel } : {},
487
+ ...opts.cwd !== void 0 ? { cwd: opts.cwd } : {},
488
+ ...opts.dryRun !== void 0 ? { dryRun: opts.dryRun } : {},
489
+ ...opts.json !== void 0 ? { json: opts.json } : {}
490
+ });
491
+ });
492
+ s.command("inspect <name>").description("Print a single recorded installation.").option("--json", "Emit a structured JSON document on stdout.").action(async (name, opts) => {
493
+ await runSkillsInspect({
494
+ name,
495
+ ...opts.json !== void 0 ? { json: opts.json } : {}
496
+ });
497
+ });
498
+ s.command("audit").description("Audit every recorded installation in this process.").option("--json", "Emit a structured JSON document on stdout.").action((opts) => {
499
+ runSkillsAudit({ ...opts.json !== void 0 ? { json: opts.json } : {} });
500
+ });
501
+ s.command("migrate-frontmatter").description("Migrate legacy graphorin-* frontmatter fields onto upstream equivalents (DEC-156).").option("--path <dir>", "Directory to walk. Defaults to cwd.").option("--recursive", "Walk subdirectories.").option("--apply", "Actually rewrite files (default: dry-run).").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
502
+ await runSkillsMigrateFrontmatter({
503
+ ...opts.path !== void 0 ? { path: opts.path } : {},
504
+ ...opts.recursive !== void 0 ? { recursive: opts.recursive } : {},
505
+ ...opts.apply !== void 0 ? { apply: opts.apply } : {},
506
+ ...opts.json !== void 0 ? { json: opts.json } : {}
507
+ });
508
+ });
509
+ }
510
+ function registerTracesCommands(program) {
511
+ const t = program.command("traces").description("[Diagnostics] Operate on the trace cache.");
512
+ t.command("status").description("Count rows + report TTL config.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
513
+ await runTracesStatus({
514
+ ...opts.config !== void 0 ? { config: opts.config } : {},
515
+ ...opts.json !== void 0 ? { json: opts.json } : {}
516
+ });
517
+ });
518
+ t.command("prune").description("Manual TTL enforcement (cutoff is required).").requiredOption("--before <date>", "ISO date / epoch ms cutoff.").option("-c, --config <path>", "Path to the graphorin.config file.").option("--json", "Emit a structured JSON document on stdout.").action(async (opts) => {
519
+ await runTracesPrune({
520
+ before: opts.before,
521
+ ...opts.config !== void 0 ? { config: opts.config } : {},
522
+ ...opts.json !== void 0 ? { json: opts.json } : {}
523
+ });
524
+ });
525
+ }
526
+ function registerMigrateExportCommand(program) {
527
+ program.command("migrate-export <input>").description("[Storage] Migrate a session export file to the current schema (DEC-155).").requiredOption("--to <file>", "Output path.").option("--to-schema <version>", "Target schema version.", "1.0").option("--writer <id>", "Writer identifier surfaced on the meta header.").option("--json", "Emit a structured JSON document on stdout.").action(async (input, opts) => {
528
+ await runMigrateExport({
529
+ input,
530
+ to: opts.to,
531
+ ...opts.toSchema !== void 0 ? { toSchema: opts.toSchema } : {},
532
+ ...opts.writer !== void 0 ? { writer: opts.writer } : {},
533
+ ...opts.json !== void 0 ? { json: opts.json } : {}
534
+ });
535
+ });
536
+ }
537
+ function registerMigrateConfigCommand(program) {
538
+ program.command("migrate-config <input>").description("[Bootstrap] Migrate an old config file to the current schema.").option("--out <file>", "Output path. Defaults to <input>.migrated.json next to the source.").option("--json", "Emit a structured JSON document on stdout.").action(async (input, opts) => {
539
+ await runMigrateConfig({
540
+ input,
541
+ ...opts.out !== void 0 ? { out: opts.out } : {},
542
+ ...opts.json !== void 0 ? { json: opts.json } : {}
543
+ });
544
+ });
545
+ }
546
+ function registerGuardCommands(program) {
547
+ const g = program.command("guard").description("[Diagnostics] Inspect the memory-modification guard.");
548
+ g.command("status").description("Print the four guard tiers and their variants.").option("--json", "Emit a structured JSON document on stdout.").action((opts) => {
549
+ runGuardStatus({ ...opts.json !== void 0 ? { json: opts.json } : {} });
550
+ });
551
+ g.command("explain <toolName>").description("Derive the tier the classifier would assign to a tool with the supplied metadata.").option("--tags <list>", "Comma-separated tag list.").option("--secrets-allowed <list>", "Comma-separated secret allowlist.").option("--trust-level <level>", "built-in | user-defined | trusted | untrusted.").option("--explicit-tier <tier>", "pure | side-effecting-no-memory | memory-aware | unknown | untrusted.").option("--json", "Emit a structured JSON document on stdout.").action((toolName, opts) => {
552
+ runGuardExplain({
553
+ toolName,
554
+ ...opts.tags !== void 0 ? { tags: opts.tags.split(",").map((s) => s.trim()).filter(Boolean) } : {},
555
+ ...opts.secretsAllowed !== void 0 ? { secretsAllowed: opts.secretsAllowed.split(",").map((s) => s.trim()).filter(Boolean) } : {},
556
+ ...opts.trustLevel !== void 0 ? { trustLevel: opts.trustLevel } : {},
557
+ ...opts.explicitTier !== void 0 ? { explicitTier: opts.explicitTier } : {},
558
+ ...opts.json !== void 0 ? { json: opts.json } : {}
559
+ });
560
+ });
561
+ }
562
+ function registerTelemetryCommands(program) {
563
+ const t = program.command("telemetry").description("[Diagnostics] Telemetry policy (zero-default per ADR-041).");
564
+ t.command("status").description("Always reports disabled.").option("--json", "Emit a structured JSON document on stdout.").action((opts) => {
565
+ runTelemetryStatus({ ...opts.json !== void 0 ? { json: opts.json } : {} });
566
+ });
567
+ t.command("enable").description("Refuses; opt-in collector is on the v0.2+ roadmap.").option("--json", "Emit a structured JSON document on stdout.").action((opts) => {
568
+ runTelemetryEnable({ ...opts.json !== void 0 ? { json: opts.json } : {} });
569
+ });
570
+ t.command("disable").description("No-op; telemetry is always disabled.").option("--json", "Emit a structured JSON document on stdout.").action((opts) => {
571
+ runTelemetryDisable({ ...opts.json !== void 0 ? { json: opts.json } : {} });
572
+ });
573
+ t.command("inspect").description("Informational summary of the zero-default promise.").option("--json", "Emit a structured JSON document on stdout.").action((opts) => {
574
+ runTelemetryInspect({ ...opts.json !== void 0 ? { json: opts.json } : {} });
575
+ });
576
+ }
577
+ function registerToolsCommands(program) {
578
+ program.command("tools").description("[Catalogue] Operate on the tool registry.").command("lint").description([
579
+ "Static AST analysis of every tool({...}) registration; per-tool grader + threshold gate (RB-49).",
580
+ "",
581
+ "Grader rubric (40 + 30 + 30 = 100 points):",
582
+ " description axis (0..40): 0 if missing/placeholder/<20 chars; 16/24/32/40 by length.",
583
+ " examples axis (0..30): 0 if none or >5; 12 base + 6 per additional, cap 30; -6 per PII.",
584
+ " parameter naming (0..30): 30 base; -30/N per ambiguous name; -10/N per numeric suffix.",
585
+ "",
586
+ "Exit codes (CI-friendly):",
587
+ " 0 every tool meets or exceeds --threshold.",
588
+ " 1 at least one tool falls below --threshold.",
589
+ " 2 invocation could not start (config missing, walker failed)."
590
+ ].join("\n")).option("-c, --config <path>", "Optional tsconfig.json whose include overrides the file glob.").option("--threshold <n>", "Minimum acceptable per-tool score (default 60).", (v) => Number.parseInt(v, 10)).option("--format <fmt>", "text | json (default text).").option("--source <pattern>", "File glob override (e.g. src/skills/**/tools/*.ts).").action(async (opts) => {
591
+ await runToolsLint({
592
+ ...opts.config !== void 0 ? { config: opts.config } : {},
593
+ ...opts.threshold !== void 0 ? { threshold: opts.threshold } : {},
594
+ ...opts.format !== void 0 ? { format: opts.format } : {},
595
+ ...opts.source !== void 0 ? { source: opts.source } : {}
596
+ });
597
+ });
598
+ }
599
+ main().catch((err) => {
600
+ process.stderr.write(`[graphorin/cli] ${err.message}\n`);
601
+ process.exit(1);
602
+ });
603
+
604
+ //#endregion
605
+ export { };
606
+ //# sourceMappingURL=graphorin.js.map