@groundnuty/macf 0.2.0-rc.0

package/dist/cli/commands/init.js

@@ -0,0 +1,279 @@
+import { execFileSync } from 'node:child_process';
+import { mkdirSync, writeFileSync, readFileSync, existsSync, appendFileSync } from 'node:fs';
+import { join, resolve } from 'node:path';
+import { projectMacfDir, writeAgentConfig, addToAgentsIndex, agentCertPath, agentKeyPath, caCertPath as caCertPathFor, caKeyPath as caKeyPathFor, isValidProjectName, } from '../config.js';
+import { loadCA } from '@groundnuty/macf-core';
+import { generateAgentCert } from '@groundnuty/macf-core';
+import { copyCanonicalRules, copyCanonicalScripts } from '../rules.js';
+import { installGhTokenHook, installPluginSkillPermissions, installSandboxFdAllowRead } from '../settings-writer.js';
+import { fetchPluginToWorkspace } from '../plugin-fetcher.js';
+import { writeClaudeSh } from '../claude-sh.js';
+import { resolveLatestVersions, isValidSemver, isValidActionsRef, FALLBACK_VERSIONS, statusMessage, } from '../version-resolver.js';
+/**
+ * Resolve version pins: explicit flags > network-fetched latest > hardcoded fallback.
+ * Validates any explicit flag against format pattern.
+ */
+async function resolveVersions(opts) {
+    if (opts.cliVersion && !isValidSemver(opts.cliVersion)) {
+        throw new Error(`--cli-version must be semver (e.g., 0.1.0), got "${opts.cliVersion}"`);
+    }
+    if (opts.pluginVersion && !isValidSemver(opts.pluginVersion)) {
+        throw new Error(`--plugin-version must be semver (e.g., 0.1.0), got "${opts.pluginVersion}"`);
+    }
+    if (opts.actionsVersion && !isValidActionsRef(opts.actionsVersion)) {
+        throw new Error(`--actions-version must be a tag ref (v1, v1.0, v1.0.0), got "${opts.actionsVersion}"`);
+    }
+    // Skip the network fetch if all three flags are explicitly set
+    const allSet = opts.cliVersion && opts.pluginVersion && opts.actionsVersion;
+    if (allSet) {
+        return {
+            cli: opts.cliVersion,
+            plugin: opts.pluginVersion,
+            actions: opts.actionsVersion,
+        };
+    }
+    let resolved;
+    try {
+        resolved = await resolveLatestVersions();
+        // Print one targeted message per non-ok component so the user sees the
+        // actual reason (no release, network down, malformed response) instead
+        // of a single vague "network fetch failed".
+        const notOk = Object.entries(resolved.sources)
+            .filter(([, status]) => status !== 'ok');
+        if (notOk.length > 0) {
+            process.stderr.write('Warning: using default versions for some components:\n');
+            for (const [component, status] of notOk) {
+                process.stderr.write(`  - ${statusMessage(component, status)}\n`);
+            }
+        }
+    }
+    catch {
+        process.stderr.write('Warning: version resolution failed entirely, using hardcoded fallbacks\n');
+        resolved = {
+            versions: FALLBACK_VERSIONS,
+            sources: {
+                cli: 'network_error',
+                plugin: 'network_error',
+                actions: 'network_error',
+            },
+        };
+    }
+    return {
+        cli: opts.cliVersion ?? resolved.versions.cli,
+        plugin: opts.pluginVersion ?? resolved.versions.plugin,
+        actions: opts.actionsVersion ?? resolved.versions.actions,
+    };
+}
+/**
+ * Validate fields that end up embedded verbatim in `claude.sh` via a
+ * shell double-quoted template literal (`export APP_ID="${appId}"`,
+ * etc.). Reject inputs containing characters that would break quoting
+ * or trigger shell expansion. Runs before any workspace state is
+ * written so bad inputs fail early, not after partial init. (#105)
+ */
+function validateInitOpts(opts) {
+    if (!isValidProjectName(opts.project)) {
+        throw new Error(`project "${opts.project}" must match [a-zA-Z0-9_-]+`);
+    }
+    // role + name are interpolated into claude.sh shell exports the same
+    // way project is. Without this check, `--name 'foo"$(evil)'` would
+    // produce an injection-vulnerable launcher. Apply the same allowlist
+    // as project — per ultrareview finding C2.
+    if (!isValidProjectName(opts.role)) {
+        throw new Error(`role "${opts.role}" must match [a-zA-Z0-9_-]+`);
+    }
+    if (opts.name !== undefined && !isValidProjectName(opts.name)) {
+        throw new Error(`name "${opts.name}" must match [a-zA-Z0-9_-]+`);
+    }
+    if (!/^\d+$/.test(opts.appId)) {
+        throw new Error(`appId "${opts.appId}" must be numeric (GitHub App IDs are digits only)`);
+    }
+    if (!/^\d+$/.test(opts.installId)) {
+        throw new Error(`installId "${opts.installId}" must be numeric (GitHub installation IDs are digits only)`);
+    }
+    // Shell-dangerous chars inside double-quoted context. `\` escapes in
+    // double quotes; include it to avoid any sub-expansion surprise.
+    if (/["$`\\\n\r]/.test(opts.keyPath)) {
+        throw new Error(`keyPath "${opts.keyPath}" contains a shell-unsafe character (", $, backtick, backslash, or newline)`);
+    }
+}
+/**
+ * Set up a project directory for an agent.
+ */
+export async function initAgent(projectDir, opts) {
+    validateInitOpts(opts);
+    const absDir = resolve(projectDir);
+    const macfDir = projectMacfDir(absDir);
+    const agentName = opts.name ?? opts.role;
+    // Create directory structure
+    mkdirSync(join(macfDir, 'certs'), { recursive: true });
+    mkdirSync(join(macfDir, 'logs'), { recursive: true });
+    mkdirSync(join(macfDir, 'plugin'), { recursive: true });
+    // Build registry config
+    let registry;
+    const regType = opts.registryType ?? 'repo';
+    switch (regType) {
+        case 'org':
+            if (!opts.registryOrg)
+                throw new Error('--registry-org required for org registry');
+            registry = { type: 'org', org: opts.registryOrg };
+            break;
+        case 'profile':
+            if (!opts.registryUser)
+                throw new Error('--registry-user required for profile registry');
+            registry = { type: 'profile', user: opts.registryUser };
+            break;
+        case 'repo': {
+            const repo = opts.registryRepo ?? detectRepoFromGit(absDir);
+            if (!repo)
+                throw new Error('--registry-repo required (or run from a git repo with a GitHub remote)');
+            const parts = repo.split('/');
+            if (parts.length !== 2 || !parts[0] || !parts[1]) {
+                throw new Error(`Invalid repo format: "${repo}". Expected "owner/repo".`);
+            }
+            registry = { type: 'repo', owner: parts[0], repo: parts[1] };
+            break;
+        }
+        default:
+            throw new Error(`Unknown registry type: "${regType}"`);
+    }
+    // Resolve version pins (explicit flags > network-fetched latest > fallback)
+    const versions = await resolveVersions(opts);
+    // Write agent config
+    const config = {
+        project: opts.project,
+        agent_name: agentName,
+        agent_role: opts.role,
+        agent_type: (opts.type ?? 'permanent'),
+        registry,
+        github_app: {
+            app_id: opts.appId,
+            install_id: opts.installId,
+            key_path: opts.keyPath,
+        },
+        ...(opts.advertiseHost !== undefined ? { advertise_host: opts.advertiseHost } : {}),
+        ...(opts.tmuxSession !== undefined ? { tmux_session: opts.tmuxSession } : {}),
+        ...(opts.tmuxWindow !== undefined ? { tmux_window: opts.tmuxWindow } : {}),
+        versions,
+    };
+    writeAgentConfig(absDir, config);
+    // Generate claude.sh launcher.
+    const claudeShPath = writeClaudeSh(absDir, config);
+    // Add .macf/ to .gitignore
+    updateGitignore(absDir);
+    // Register in global index
+    addToAgentsIndex(absDir);
+    // Copy canonical coordination rules into <workspace>/.claude/rules/
+    // (single source of truth shipped with the CLI; refreshed by `macf update`)
+    const copiedRules = copyCanonicalRules(absDir);
+    if (copiedRules.length > 0) {
+        console.log(`  Rules: copied ${copiedRules.length} canonical rule file(s) to .claude/rules/`);
+    }
+    // Copy canonical helper scripts (e.g., tmux-send-to-claude.sh) into
+    // <workspace>/.claude/scripts/. Hooks in settings.local.json.example
+    // call these by relative path.
+    const copiedScripts = copyCanonicalScripts(absDir);
+    if (copiedScripts.length > 0) {
+        console.log(`  Scripts: copied ${copiedScripts.length} helper script(s) to .claude/scripts/`);
+    }
+    // Install the attribution-trap PreToolUse hook entry in
+    // .claude/settings.json (merge-preserving). Per #140, structurally
+    // blocks gh / git push calls when GH_TOKEN isn't a ghs_ bot token —
+    // behavioral controls recurred the trap 5 times in a single day.
+    installGhTokenHook(absDir);
+    console.log(`  Hooks: installed gh-token guard in .claude/settings.json`);
+    // Pre-approve the 4 macf-agent plugin skills so first-turn
+    // invocations (/macf-status, /macf-issues, etc.) don't block on
+    // interactive approval dialogs — essential for SessionStart
+    // auto-pickup + general agent autonomy. Operator opted into the
+    // plugin deliberately via `macf init`; trusting its own skills is
+    // a safe default. Non-macf permissions.allow entries preserved.
+    // See macf#189 sub-item 2.
+    installPluginSkillPermissions(absDir);
+    console.log(`  Permissions: pre-approved macf-agent plugin skills`);
+    // Add `/proc/self/fd/**` to sandbox.filesystem.allowRead so Claude
+    // Code's Bash-tool harness can pass command-input fds to spawned
+    // shells without hitting zsh permission-denied. Every MACF agent
+    // pre-#200 silently failed every Bash call; this fixes on init.
+    installSandboxFdAllowRead(absDir);
+    console.log(`  Sandbox: allowRead for /proc/self/fd/** installed`);
+    // Fetch the macf-agent plugin at the pinned version and place it at
+    // .macf/plugin/ so claude.sh can use --plugin-dir (per DR-013).
+    // Network failures here don't abort init — the workspace is usable
+    // without the plugin (degrades to rules-only mode), and the user can
+    // re-try with `macf update` once connectivity is back.
+    try {
+        fetchPluginToWorkspace(absDir, versions.plugin);
+        console.log(`  Plugin: fetched macf-agent@v${versions.plugin} to .macf/plugin/`);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.warn(`  Warning: plugin fetch failed: ${msg}`);
+        console.warn(`  You can retry later with \`macf update\` once the issue is resolved.`);
+    }
+    // Generate agent cert if CA key is available locally (per-project)
+    const caCertFile = caCertPathFor(opts.project);
+    const caKeyFile = caKeyPathFor(opts.project);
+    if (existsSync(caCertFile) && existsSync(caKeyFile)) {
+        try {
+            const ca = loadCA(caCertFile, caKeyFile);
+            await generateAgentCert({
+                agentName,
+                caCertPem: ca.certPem,
+                caKeyPem: ca.keyPem,
+                ...(opts.advertiseHost !== undefined ? { advertiseHost: opts.advertiseHost } : {}),
+                certPath: agentCertPath(absDir),
+                keyPath: agentKeyPath(absDir),
+            });
+            console.log(`Agent "${agentName}" initialized in ${absDir}`);
+            console.log(`  Config: ${join(macfDir, 'macf-agent.json')}`);
+            console.log(`  Cert:   ${agentCertPath(absDir)}`);
+            console.log(`  Launcher: ${claudeShPath}`);
+        }
+        catch (err) {
+            console.warn(`  Warning: cert generation failed: ${err instanceof Error ? err.message : String(err)}`);
+            console.log(`Agent "${agentName}" initialized in ${absDir} (no cert — run macf certs rotate)`);
+        }
+    }
+    else {
+        console.log(`Agent "${agentName}" initialized in ${absDir}`);
+        console.log(`  Config: ${join(macfDir, 'macf-agent.json')}`);
+        console.log(`  Launcher: ${claudeShPath}`);
+        console.log(`\n  No CA found locally. To generate agent cert:`);
+        console.log(`    macf certs init     (if first agent — creates CA)`);
+        console.log(`    macf certs rotate   (if CA already exists)`);
+    }
+}
+function updateGitignore(projectDir) {
+    const gitignorePath = join(projectDir, '.gitignore');
+    const entry = '.macf/';
+    if (existsSync(gitignorePath)) {
+        const content = readFileSync(gitignorePath, 'utf-8');
+        if (!content.includes(entry)) {
+            appendFileSync(gitignorePath, `\n# MACF agent data\n${entry}\n`);
+        }
+    }
+    else {
+        writeFileSync(gitignorePath, `# MACF agent data\n${entry}\n`);
+    }
+}
+/**
+ * Detect owner/repo from git remote. Uses execFileSync (safe — no shell injection).
+ */
+function detectRepoFromGit(dir) {
+    try {
+        const remote = execFileSync('git', ['remote', 'get-url', 'origin'], {
+            cwd: dir,
+            encoding: 'utf-8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+        }).trim();
+        const match = /github\.com[/:]([\w.-]+)\/([\w.-]+?)(?:\.git)?$/.exec(remote);
+        if (match)
+            return `${match[1]}/${match[2]}`;
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=init.js.map

package/dist/cli/commands/init.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,YAAY,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAC7F,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EACL,cAAc,EAAE,gBAAgB,EAAE,gBAAgB,EAClD,aAAa,EAAE,YAAY,EAC3B,UAAU,IAAI,aAAa,EAAE,SAAS,IAAI,YAAY,EACtD,kBAAkB,GACnB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACvE,OAAO,EAAE,kBAAkB,EAAE,6BAA6B,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AACrH,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EACL,qBAAqB,EAAE,aAAa,EAAE,iBAAiB,EACvD,iBAAiB,EAAE,aAAa,GACjC,MAAM,wBAAwB,CAAC;AAoChC;;;GAGG;AACH,KAAK,UAAU,eAAe,CAAC,IAAiB;IAC9C,IAAI,IAAI,CAAC,UAAU,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,oDAAoD,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;IAC1F,CAAC;IACD,IAAI,IAAI,CAAC,aAAa,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,uDAAuD,IAAI,CAAC,aAAa,GAAG,CAAC,CAAC;IAChG,CAAC;IACD,IAAI,IAAI,CAAC,cAAc,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CAAC,gEAAgE,IAAI,CAAC,cAAc,GAAG,CAAC,CAAC;IAC1G,CAAC;IAED,+DAA+D;IAC/D,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,cAAc,CAAC;IAC5E,IAAI,MAAM,EAAE,CAAC;QACX,OAAO;YACL,GAAG,EAAE,IAAI,CAAC,UAAW;YACrB,MAAM,EAAE,IAAI,CAAC,aAAc;YAC3B,OAAO,EAAE,IAAI,CAAC,cAAe;SAC9B,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,CAAC;IACb,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,qBAAqB,EAAE,CAAC;QACzC,uEAAuE;QACvE,uEAAuE;QACvE,4CAA4C;QAC5C,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;aAC3C,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC;QAC3C,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;YAC/E,KAAK,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;gBACxC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,aAAa,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,0EAA0E,CAC3E,CAAC;QACF,QAAQ,GAAG;YACT,QAAQ,EAAE,iBAAiB;YAC3B,OAAO,EAAE;gBACP,GAAG,EAAE,eAAwB;gBAC7B,MAAM,EAAE,eAAwB;gBAChC,OAAO,EAAE,eAAwB;aAClC;SACF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,GAAG,EAAE,IAAI,CAAC,UAAU,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG;QAC7C,MAAM,EAAE,IAAI,CAAC,aAAa,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM;QACtD,OAAO,EAAE,IAAI,CAAC,cAAc,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO;KAC1D,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAS,gBAAgB,CAAC,IAAiB;IACzC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CACb,YAAY,IAAI,CAAC,OAAO,6BAA6B,CACtD,CAAC;IACJ,CAAC;IACD,qEAAqE;IACrE,mEAAmE;IACnE,qEAAqE;IACrE,2CAA2C;IAC3C,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CACb,SAAS,IAAI,CAAC,IAAI,6BAA6B,CAChD,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9D,MAAM,IAAI,KAAK,CACb,SAAS,IAAI,CAAC,IAAI,6BAA6B,CAChD,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CACb,UAAU,IAAI,CAAC,KAAK,oDAAoD,CACzE,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,cAAc,IAAI,CAAC,SAAS,6DAA6D,CAC1F,CAAC;IACJ,CAAC;IACD,qEAAqE;IACrE,iEAAiE;IACjE,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,YAAY,IAAI,CAAC,OAAO,6EAA6E,CACtG,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,UAAkB,EAAE,IAAiB;IACnE,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAEvB,MAAM,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACnC,MAAM,OAAO,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC;IAEzC,6BAA6B;IAC7B,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtD,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAExD,wBAAwB;IACxB,IAAI,QAAqC,CAAC;IAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,IAAI,MAAM,CAAC;IAE5C,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,KAAK;YACR,IAAI,CAAC,IAAI,CAAC,WAAW;gBAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;YACnF,QAAQ,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC;YAClD,MAAM;QACR,KAAK,SAAS;YACZ,IAAI,CAAC,IAAI,CAAC,YAAY;gBAAE,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;YACzF,QAAQ,GAAG,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;YACxD,MAAM;QACR,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,IAAI,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC5D,IAAI,CAAC,IAAI;gBAAE,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;YACrG,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjD,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,2BAA2B,CAAC,CAAC;YAC5E,CAAC;YACD,QAAQ,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7D,MAAM;QACR,CAAC;QACD;YACE,MAAM,IAAI,KAAK,CAAC,2BAA2B,OAAO,GAAG,CAAC,CAAC;IAC3D,CAAC;IAED,4EAA4E;IAC5E,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,CAAC;IAE7C,qBAAqB;IACrB,MAAM,MAAM,GAAoB;QAC9B,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,UAAU,EAAE,SAAS;QACrB,UAAU,EAAE,IAAI,CAAC,IAAI;QACrB,UAAU,EAAE,CAAC,IAAI,CAAC,IAAI,IAAI,WAAW,CAA2B;QAChE,QAAQ;QACR,UAAU,EAAE;YACV,MAAM,EAAE,IAAI,CAAC,KAAK;YAClB,UAAU,EAAE,IAAI,CAAC,SAAS;YAC1B,QAAQ,EAAE,IAAI,CAAC,OAAO;SACvB;QACD,GAAG,CAAC,IAAI,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACnF,GAAG,CAAC,IAAI,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC7E,GAAG,CAAC,IAAI,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,QAAQ;KACT,CAAC;IAEF,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEjC,+BAA+B;IAC/B,MAAM,YAAY,GAAG,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEnD,2BAA2B;IAC3B,eAAe,CAAC,MAAM,CAAC,CAAC;IAExB,2BAA2B;IAC3B,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAEzB,oEAAoE;IACpE,4EAA4E;IAC5E,MAAM,WAAW,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAC/C,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,mBAAmB,WAAW,CAAC,MAAM,2CAA2C,CAAC,CAAC;IAChG,CAAC;IAED,oEAAoE;IACpE,qEAAqE;IACrE,+BAA+B;IAC/B,MAAM,aAAa,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IACnD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,qBAAqB,aAAa,CAAC,MAAM,uCAAuC,CAAC,CAAC;IAChG,CAAC;IAED,wDAAwD;IACxD,mEAAmE;IACnE,oEAAoE;IACpE,iEAAiE;IACjE,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAC3B,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;IAE1E,2DAA2D;IAC3D,gEAAgE;IAChE,4DAA4D;IAC5D,gEAAgE;IAChE,kEAAkE;IAClE,gEAAgE;IAChE,2BAA2B;IAC3B,6BAA6B,CAAC,MAAM,CAAC,CAAC;IACtC,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;IAEpE,mEAAmE;IACnE,iEAAiE;IACjE,iEAAiE;IACjE,gEAAgE;IAChE,yBAAyB,CAAC,MAAM,CAAC,CAAC;IAClC,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;IAEnE,oEAAoE;IACpE,gEAAgE;IAChE,mEAAmE;IACnE,qEAAqE;IACrE,uDAAuD;IACvD,IAAI,CAAC;QACH,sBAAsB,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,iCAAiC,QAAQ,CAAC,MAAM,mBAAmB,CAAC,CAAC;IACnF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,IAAI,CAAC,mCAAmC,GAAG,EAAE,CAAC,CAAC;QACvD,OAAO,CAAC,IAAI,CAAC,wEAAwE,CAAC,CAAC;IACzF,CAAC;IAED,mEAAmE;IACnE,MAAM,UAAU,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC7C,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACpD,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,MAAM,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;YACzC,MAAM,iBAAiB,CAAC;gBACtB,SAAS;gBACT,SAAS,EAAE,EAAE,CAAC,OAAO;gBACrB,QAAQ,EAAE,EAAE,CAAC,MAAM;gBACnB,GAAG,CAAC,IAAI,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAClF,QAAQ,EAAE,aAAa,CAAC,MAAM,CAAC;gBAC/B,OAAO,EAAE,YAAY,CAAC,MAAM,CAAC;aAC9B,CAAC,CAAC;YACH,OAAO,CAAC,GAAG,CAAC,UAAU,SAAS,oBAAoB,MAAM,EAAE,CAAC,CAAC;YAC7D,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,CAAC,CAAC;YAC7D,OAAO,CAAC,GAAG,CAAC,aAAa,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAClD,OAAO,CAAC,GAAG,CAAC,eAAe,YAAY,EAAE,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,sCAAsC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACvG,OAAO,CAAC,GAAG,CAAC,UAAU,SAAS,oBAAoB,MAAM,oCAAoC,CAAC,CAAC;QACjG,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,UAAU,SAAS,oBAAoB,MAAM,EAAE,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,eAAe,YAAY,EAAE,CAAC,CAAC;QAC3C,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;QAChE,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;QACrE,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;IAChE,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,UAAkB;IACzC,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IACrD,MAAM,KAAK,GAAG,QAAQ,CAAC;IAEvB,IAAI,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAC9B,MAAM,OAAO,GAAG,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACrD,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7B,cAAc,CAAC,aAAa,EAAE,wBAAwB,KAAK,IAAI,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;SAAM,CAAC;QACN,aAAa,CAAC,aAAa,EAAE,sBAAsB,KAAK,IAAI,CAAC,CAAC;IAChE,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,GAAW;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC,EAAE;YAClE,GAAG,EAAE,GAAG;YACR,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,KAAK,GAAG,iDAAiD,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7E,IAAI,KAAK;YAAE,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/cli/commands/list.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Default command: list all agents registered on this machine.
+ */
+export declare function listAgents(): void;
+//# sourceMappingURL=list.d.ts.map

package/dist/cli/commands/list.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"list.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/list.ts"],"names":[],"mappings":"AAEA;;GAEG;AACH,wBAAgB,UAAU,IAAI,IAAI,CAmBjC"}

package/dist/cli/commands/list.js

@@ -0,0 +1,21 @@
+import { loadAllAgents, readAgentsIndex } from '../config.js';
+/**
+ * Default command: list all agents registered on this machine.
+ */
+export function listAgents() {
+    const index = readAgentsIndex();
+    if (index.agents.length === 0) {
+        console.log('No agents registered. Run `macf init` in a project directory to set up an agent.');
+        return;
+    }
+    const agents = loadAllAgents();
+    if (agents.length === 0) {
+        console.log('Agent index has entries but no valid configs found.');
+        return;
+    }
+    console.log('macf agents:\n');
+    for (const { path, config } of agents) {
+        console.log(`  ${config.agent_name.padEnd(20)} ${config.agent_role.padEnd(15)} ${config.project.padEnd(10)} ${path}`);
+    }
+}
+//# sourceMappingURL=list.js.map

package/dist/cli/commands/list.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"list.js","sourceRoot":"","sources":["../../../src/cli/commands/list.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAE9D;;GAEG;AACH,MAAM,UAAU,UAAU;IACxB,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAEhC,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,kFAAkF,CAAC,CAAC;QAChG,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;IAE/B,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;QACnE,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAC9B,KAAK,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,MAAM,EAAE,CAAC;QACtC,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IACxH,CAAC;AACH,CAAC"}

package/dist/cli/commands/migrate-ca-key.d.ts

@@ -0,0 +1,36 @@
+import type { GitHubVariablesClient } from '@groundnuty/macf-core';
+export type MigrationResult = {
+    readonly status: 'no_variable';
+} | {
+    readonly status: 'already_v2';
+} | {
+    readonly status: 'migrated';
+} | {
+    readonly status: 'wrong_passphrase';
+} | {
+    readonly status: 'error';
+    readonly message: string;
+};
+/**
+ * Check if a registry-stored value is the legacy v1 (raw base64)
+ * shape. v2 envelopes always start with `{` (JSON object); base64
+ * alphabet excludes `{`, so this dispatch is safe by construction.
+ */
+export declare function isV1Blob(value: string): boolean;
+/**
+ * Run the migration for one project. Returns a result tag for the
+ * caller to render to the operator. Does NOT log directly — the
+ * caller owns stdout/stderr presentation so this is testable without
+ * capturing output.
+ */
+export declare function migrateCaKeyToV2(opts: {
+    readonly project: string;
+    readonly client: GitHubVariablesClient;
+    readonly prompt: (message: string) => Promise<string>;
+}): Promise<MigrationResult>;
+/**
+ * Render a MigrationResult to the operator. Kept out of
+ * `migrateCaKeyToV2` so tests don't need stdout capture.
+ */
+export declare function formatMigrationResult(result: MigrationResult, project: string): string;
+//# sourceMappingURL=migrate-ca-key.d.ts.map

package/dist/cli/commands/migrate-ca-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"migrate-ca-key.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/migrate-ca-key.ts"],"names":[],"mappings":"AAoBA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AAEnE,MAAM,MAAM,eAAe,GACvB;IAAE,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAA;CAAE,GAClC;IAAE,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAA;CAAE,GACjC;IAAE,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAA;CAAE,GAC/B;IAAE,QAAQ,CAAC,MAAM,EAAE,kBAAkB,CAAA;CAAE,GACvC;IAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAE3D;;;;GAIG;AACH,wBAAgB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAE/C;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,EAAE;IAC3C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,qBAAqB,CAAC;IACvC,QAAQ,CAAC,MAAM,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CACvD,GAAG,OAAO,CAAC,eAAe,CAAC,CA6C3B;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAatF"}

package/dist/cli/commands/migrate-ca-key.js

@@ -0,0 +1,92 @@
+/**
+ * macf update auto-migrate for CA key encryption (DR-011 rev2, #115).
+ *
+ * Detects legacy v1-shaped `{PROJECT}_CA_KEY_ENCRYPTED` blobs in the
+ * registry and upgrades them in place to v2 (JSON envelope at 600k
+ * iters). One-time per project — subsequent `macf update` runs see
+ * the v2 blob and no-op silently.
+ *
+ * Idempotent: re-running on a v2 blob is a no-op. Atomic: if the
+ * passphrase is wrong or re-encryption fails, the v1 blob in the
+ * registry is untouched — the only state change is the prompt. The
+ * operator can retry.
+ *
+ * Isolation: this module has no hard dependency on the `macf update`
+ * command shape. Callers provide the registry client + prompt
+ * function, enabling headless tests and future `--passphrase-file`
+ * extension (Future Work in DR-011 rev2).
+ */
+import { encryptCAKey, decryptCAKey, CaError } from '@groundnuty/macf-core';
+import { toVariableSegment } from '@groundnuty/macf-core';
+/**
+ * Check if a registry-stored value is the legacy v1 (raw base64)
+ * shape. v2 envelopes always start with `{` (JSON object); base64
+ * alphabet excludes `{`, so this dispatch is safe by construction.
+ */
+export function isV1Blob(value) {
+    return !value.trimStart().startsWith('{');
+}
+/**
+ * Run the migration for one project. Returns a result tag for the
+ * caller to render to the operator. Does NOT log directly — the
+ * caller owns stdout/stderr presentation so this is testable without
+ * capturing output.
+ */
+export async function migrateCaKeyToV2(opts) {
+    const { project, client, prompt } = opts;
+    const varName = `${toVariableSegment(project)}_CA_KEY_ENCRYPTED`;
+    const current = await client.readVariable(varName);
+    if (current === null) {
+        return { status: 'no_variable' };
+    }
+    if (!isV1Blob(current)) {
+        // Already v2 (or v3+ future) — nothing to do. Silent no-op.
+        return { status: 'already_v2' };
+    }
+    // DR-011 rev2 canonical prompt text. Keep verbatim — matches the
+    // operator-facing doctrine in design/decisions/DR-011-ca-key-backup.md.
+    const passphrase = await prompt(`Migrating CA key encryption: v1/iter=10000 → v2/iter=600000 for project ${project}.\n` +
+        `This is a one-time passphrase prompt for this project; subsequent \`macf update\`\n` +
+        `runs in this or any other workspace for the same project won't re-prompt.\n` +
+        `Enter CA key passphrase: `);
+    let keyPem;
+    try {
+        keyPem = decryptCAKey(current, passphrase);
+    }
+    catch (err) {
+        if (err instanceof CaError) {
+            return { status: 'wrong_passphrase' };
+        }
+        throw err;
+    }
+    const v2Value = encryptCAKey(keyPem, passphrase);
+    try {
+        await client.writeVariable(varName, v2Value);
+    }
+    catch (err) {
+        return {
+            status: 'error',
+            message: err instanceof Error ? err.message : String(err),
+        };
+    }
+    return { status: 'migrated' };
+}
+/**
+ * Render a MigrationResult to the operator. Kept out of
+ * `migrateCaKeyToV2` so tests don't need stdout capture.
+ */
+export function formatMigrationResult(result, project) {
+    switch (result.status) {
+        case 'no_variable':
+            return ''; // No backup exists; silent no-op.
+        case 'already_v2':
+            return ''; // Already migrated; silent no-op.
+        case 'migrated':
+            return `Migration complete: ${toVariableSegment(project)}_CA_KEY_ENCRYPTED is now v2/600k.`;
+        case 'wrong_passphrase':
+            return `Migration aborted: wrong passphrase. Your v1 backup is untouched; re-run \`macf update\` to retry.`;
+        case 'error':
+            return `Migration failed: ${result.message}. Your v1 backup is untouched; re-run \`macf update\` to retry.`;
+    }
+}
+//# sourceMappingURL=migrate-ca-key.js.map

package/dist/cli/commands/migrate-ca-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"migrate-ca-key.js","sourceRoot":"","sources":["../../../src/cli/commands/migrate-ca-key.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AACH,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAC5E,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAU1D;;;;GAIG;AACH,MAAM,UAAU,QAAQ,CAAC,KAAa;IACpC,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAItC;IACC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IACzC,MAAM,OAAO,GAAG,GAAG,iBAAiB,CAAC,OAAO,CAAC,mBAAmB,CAAC;IAEjE,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;IACnD,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IACnC,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QACvB,4DAA4D;QAC5D,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;IAClC,CAAC;IAED,iEAAiE;IACjE,wEAAwE;IACxE,MAAM,UAAU,GAAG,MAAM,MAAM,CAC7B,2EAA2E,OAAO,KAAK;QACvF,qFAAqF;QACrF,6EAA6E;QAC7E,2BAA2B,CAC5B,CAAC;IAEF,IAAI,MAAc,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,YAAY,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAC7C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,OAAO,EAAE,CAAC;YAC3B,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;QACxC,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IAEjD,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SAC1D,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAuB,EAAE,OAAe;IAC5E,QAAQ,MAAM,CAAC,MAAM,EAAE,CAAC;QACtB,KAAK,aAAa;YAChB,OAAO,EAAE,CAAC,CAAC,kCAAkC;QAC/C,KAAK,YAAY;YACf,OAAO,EAAE,CAAC,CAAC,kCAAkC;QAC/C,KAAK,UAAU;YACb,OAAO,uBAAuB,iBAAiB,CAAC,OAAO,CAAC,mCAAmC,CAAC;QAC9F,KAAK,kBAAkB;YACrB,OAAO,oGAAoG,CAAC;QAC9G,KAAK,OAAO;YACV,OAAO,qBAAqB,MAAM,CAAC,OAAO,iEAAiE,CAAC;IAChH,CAAC;AACH,CAAC"}

package/dist/cli/commands/peers.d.ts

@@ -0,0 +1,8 @@
+/**
+ * List peers from the registry.
+ *
+ * If projectDir is given, uses that project's config for registry access.
+ * Otherwise uses the first agent from the global index.
+ */
+export declare function listPeers(projectDir?: string): Promise<void>;
+//# sourceMappingURL=peers.d.ts.map

package/dist/cli/commands/peers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"peers.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/peers.ts"],"names":[],"mappings":"AAIA;;;;;GAKG;AACH,wBAAsB,SAAS,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAwClE"}

package/dist/cli/commands/peers.js

@@ -0,0 +1,45 @@
+import { loadAllAgents, readAgentConfig, tokenSourceFromConfig } from '../config.js';
+import { createRegistryFromConfig } from '@groundnuty/macf-core';
+import { generateToken } from '@groundnuty/macf-core';
+/**
+ * List peers from the registry.
+ *
+ * If projectDir is given, uses that project's config for registry access.
+ * Otherwise uses the first agent from the global index.
+ */
+export async function listPeers(projectDir) {
+    let driverConfig;
+    let driverPath;
+    if (projectDir) {
+        const c = readAgentConfig(projectDir);
+        if (!c) {
+            console.error(`Could not read agent config at ${projectDir}/.macf/macf-agent.json`);
+            return;
+        }
+        driverConfig = c;
+        driverPath = projectDir;
+    }
+    else {
+        const agents = loadAllAgents();
+        if (agents.length === 0) {
+            console.log('No agents configured. Run `macf init` first.');
+            return;
+        }
+        driverConfig = agents[0].config;
+        driverPath = agents[0].path;
+    }
+    const token = await generateToken(tokenSourceFromConfig(driverPath, driverConfig));
+    const registry = createRegistryFromConfig(driverConfig.registry, driverConfig.project, token);
+    const peers = await registry.list('');
+    if (peers.length === 0) {
+        console.log('No peers registered in the registry.');
+        return;
+    }
+    console.log('macf peers:\n');
+    console.log(`  ${'NAME'.padEnd(25)} ${'HOST'.padEnd(20)} ${'PORT'.padEnd(8)} ${'TYPE'.padEnd(12)} STARTED`);
+    console.log(`  ${'─'.repeat(25)} ${'─'.repeat(20)} ${'─'.repeat(8)} ${'─'.repeat(12)} ${'─'.repeat(24)}`);
+    for (const peer of peers) {
+        console.log(`  ${peer.name.padEnd(25)} ${peer.info.host.padEnd(20)} ${String(peer.info.port).padEnd(8)} ${peer.info.type.padEnd(12)} ${peer.info.started}`);
+    }
+}
+//# sourceMappingURL=peers.js.map

package/dist/cli/commands/peers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"peers.js","sourceRoot":"","sources":["../../../src/cli/commands/peers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACrF,OAAO,EAAE,wBAAwB,EAAE,MAAM,uBAAuB,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAEtD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,UAAmB;IACjD,IAAI,YAAY,CAAC;IACjB,IAAI,UAAkB,CAAC;IACvB,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,CAAC,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;QACtC,IAAI,CAAC,CAAC,EAAE,CAAC;YACP,OAAO,CAAC,KAAK,CAAC,kCAAkC,UAAU,wBAAwB,CAAC,CAAC;YACpF,OAAO;QACT,CAAC;QACD,YAAY,GAAG,CAAC,CAAC;QACjB,UAAU,GAAG,UAAU,CAAC;IAC1B,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;QAC/B,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;YAC5D,OAAO;QACT,CAAC;QACD,YAAY,GAAG,MAAM,CAAC,CAAC,CAAE,CAAC,MAAM,CAAC;QACjC,UAAU,GAAG,MAAM,CAAC,CAAC,CAAE,CAAC,IAAI,CAAC;IAC/B,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,qBAAqB,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC;IACnF,MAAM,QAAQ,GAAG,wBAAwB,CAAC,YAAY,CAAC,QAAQ,EAAE,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAE9F,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEtC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;QACpD,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAC7B,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC;IAC5G,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IAE1G,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CACT,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAC/I,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/cli/commands/repo-init.d.ts

@@ -0,0 +1,43 @@
+export interface RepoInitOptions {
+    readonly repo?: string;
+    readonly actionsVersion: string;
+    readonly agents?: string;
+    readonly force: boolean;
+    /**
+     * Optional shared tmux session name. When provided alongside 2+ agents,
+     * all agents share this session and each is given a `tmux_window` equal
+     * to the agent name. Omit or combine with a single agent to get the
+     * legacy "session per agent, no window" layout.
+     */
+    readonly sessionName?: string;
+}
+interface LabelSpec {
+    readonly name: string;
+    readonly color: string;
+    readonly description: string;
+}
+export declare function generateWorkflow(actionsVersion: string): string;
+/**
+ * Options passed to generate/patch helpers so they can compute sensible
+ * default values for new entries. Owner/repo come from `--repo`; ssh_user
+ * defaults to 'ubuntu' matching the other template defaults.
+ */
+export interface AgentEntryDefaults {
+    readonly owner: string;
+    readonly repo: string;
+}
+export declare function generateAgentConfig(agents: readonly string[], sessionName?: string, defaults?: AgentEntryDefaults): string;
+/**
+ * Merge-preserving regenerate for #76: update only tmux_session/tmux_window
+ * fields from user input, preserve app_name/host/ssh_key_secret/ssh_user
+ * /tmux_bin/unknown-fields, preserve top-level label_to_status and extras.
+ * Agents not in the --agents list are left alone.
+ */
+export declare function patchAgentConfig(existingJson: string, agents: readonly string[], sessionName?: string, defaults?: AgentEntryDefaults): string;
+export declare function createLabel(owner: string, repo: string, token: string, spec: LabelSpec): Promise<'created' | 'exists' | 'failed'>;
+/**
+ * Bootstrap a repo for MACF routing.
+ */
+export declare function repoInit(projectDir: string, opts: RepoInitOptions): Promise<void>;
+export {};
+//# sourceMappingURL=repo-init.d.ts.map

package/dist/cli/commands/repo-init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"repo-init.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/repo-init.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB;;;;;OAKG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,UAAU,SAAS;IACjB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AA4CD,wBAAgB,gBAAgB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAkB/D;AA8BD;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAuCD,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,SAAS,MAAM,EAAE,EACzB,WAAW,CAAC,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,kBAAkB,GAC5B,MAAM,CA4BR;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAC9B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,SAAS,MAAM,EAAE,EACzB,WAAW,CAAC,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,kBAAkB,GAC5B,MAAM,CA0CR;AAED,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,SAAS,GACd,OAAO,CAAC,SAAS,GAAG,QAAQ,GAAG,QAAQ,CAAC,CAmB1C;AAYD;;GAEG;AACH,wBAAsB,QAAQ,CAC5B,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,IAAI,CAAC,CA8Ff"}