@kontourai/flow-agents 0.1.1

package/src/cli/init.ts

@@ -0,0 +1,248 @@
+import { spawnSync } from "node:child_process";
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import { createInterface } from "node:readline/promises";
+import { stdin as input, stdout as output } from "node:process";
+import { parseArgs, flagBool, flagList, flagString } from "../lib/args.js";
+import { activateCodexLocal } from "../runtime-adapters.js";
+import { main as buildBundles } from "../tools/build-universal-bundles.js";
+import { root } from "../tools/common.js";
+
+type Runtime = "base" | "codex" | "claude-code" | "kiro";
+type TelemetrySink = "local-files" | "local-kontour-console" | "kontour-hosted-console" | "user-hosted-console" | "kontour-cloud" | "hosted-kontour-console";
+
+type InitOptions = {
+  runtime: Runtime;
+  dest: string;
+  consoleUrl?: string;
+  consoleEndpoint?: string;
+  consoleTokenFile?: string;
+  consoleTokenValue?: string;
+  consoleTenant?: string;
+  telemetrySinks: TelemetrySink[];
+  packs?: string;
+  activateKits: boolean;
+};
+
+const runtimeBundles: Record<Runtime, string> = {
+  base: "base",
+  codex: "codex",
+  "claude-code": "claude-code",
+  kiro: "kiro",
+};
+
+function usage(): void {
+  console.error(`usage: flow-agents init [options]
+
+Options:
+  --runtime base|codex|claude-code|kiro
+  --dest PATH
+  --telemetry-sink local-files|local-kontour-console|kontour-hosted-console|user-hosted-console
+  --console-url URL
+  --console-endpoint URL
+  --console-token-file PATH
+  --console-tenant ID
+  --packs LIST
+  --activate-kits
+  --yes, --headless
+`);
+}
+
+function normalizeRuntime(value: string | undefined): Runtime | undefined {
+  if (!value) return undefined;
+  if (value === "claude") return "claude-code";
+  if (value === "base" || value === "codex" || value === "claude-code" || value === "kiro") return value;
+  throw new Error(`unknown runtime '${value}'; expected base, codex, claude-code, or kiro`);
+}
+
+function normalizeTelemetrySink(value: string): TelemetrySink {
+  if (value === "local-files" || value === "local-kontour-console" || value === "kontour-hosted-console" || value === "user-hosted-console" || value === "kontour-cloud" || value === "hosted-kontour-console") return value;
+  throw new Error(`unknown telemetry sink '${value}'`);
+}
+
+function telemetrySinksFromValues(values: string[]): TelemetrySink[] {
+  const sinks = values.flatMap((value) => value.split(",")).map((value) => value.trim()).filter(Boolean).map(normalizeTelemetrySink);
+  return sinks.length ? Array.from(new Set(sinks)) : ["local-files"];
+}
+
+function telemetrySinksFromFlags(flags: ReturnType<typeof parseArgs>["flags"]): TelemetrySink[] {
+  return telemetrySinksFromValues(flagList(flags, "telemetry-sink").concat(flagList(flags, "telemetry-sinks")));
+}
+
+function needsConsoleCredentials(sinks: TelemetrySink[]): boolean {
+  return sinks.some((sink) => sink !== "local-files");
+}
+
+async function questionHidden(prompt: string): Promise<string> {
+  if (!process.stdin.isTTY) return "";
+  return await new Promise((resolve) => {
+    const stdin = process.stdin;
+    const stdout = process.stdout;
+    const wasRaw = stdin.isRaw;
+    stdout.write(prompt);
+    stdin.setRawMode(true);
+    stdin.resume();
+    let value = "";
+    const onData = (buffer: Buffer) => {
+      const text = buffer.toString("utf8");
+      if (text === "\u0003") {
+        stdout.write("\n");
+        process.exit(130);
+      }
+      if (text === "\r" || text === "\n") {
+        stdout.write("\n");
+        stdin.setRawMode(wasRaw);
+        stdin.off("data", onData);
+        resolve(value);
+        return;
+      }
+      if (text === "\u007f") {
+        value = value.slice(0, -1);
+        return;
+      }
+      value += text;
+    };
+    stdin.on("data", onData);
+  });
+}
+
+function defaultDest(runtime: Runtime): string {
+  if (runtime === "kiro") return path.join(os.homedir(), ".flow-agents");
+  return process.cwd();
+}
+
+function parseYesNo(value: string, fallback: boolean): boolean {
+  const normalized = value.trim().toLowerCase();
+  if (!normalized) return fallback;
+  if (["y", "yes", "true", "1"].includes(normalized)) return true;
+  if (["n", "no", "false", "0"].includes(normalized)) return false;
+  return fallback;
+}
+
+async function interactiveOptions(argv: string[]): Promise<InitOptions> {
+  const args = parseArgs(argv);
+  const rl = createInterface({ input, output });
+  try {
+    const runtimeDefault = normalizeRuntime(flagString(args.flags, "runtime")) ?? "base";
+    const runtimeAnswer = flagString(args.flags, "runtime") ?? await rl.question(`Runtime [${runtimeDefault}]: `);
+    const runtime = normalizeRuntime(runtimeAnswer.trim() || runtimeDefault) ?? runtimeDefault;
+    const destDefault = flagString(args.flags, "dest", defaultDest(runtime)) ?? defaultDest(runtime);
+    const destAnswer = flagString(args.flags, "dest") ?? await rl.question(`Install destination [${destDefault}]: `);
+    const sinkDefault = telemetrySinksFromFlags(args.flags);
+    const sinkAnswer = flagList(args.flags, "telemetry-sink").length || flagList(args.flags, "telemetry-sinks").length
+      ? sinkDefault.join(",")
+      : await rl.question(`Telemetry sinks [${sinkDefault.join(",")}]: `);
+    const telemetrySinks = telemetrySinksFromValues([sinkAnswer || sinkDefault.join(",")]);
+    const needsUserHostedUrl = telemetrySinks.includes("user-hosted-console") || telemetrySinks.includes("hosted-kontour-console");
+    const consoleUrl = flagString(args.flags, "console-url") ?? (needsUserHostedUrl ? await rl.question("User-hosted Console URL: ") : undefined);
+    const consoleEndpoint = flagString(args.flags, "console-endpoint") ?? flagString(args.flags, "console-endpoint-url");
+    const consoleTokenFile = flagString(args.flags, "console-token-file");
+    const consoleTokenValue = consoleTokenFile ? undefined : (needsConsoleCredentials(telemetrySinks) ? await questionHidden("Console telemetry token (blank to skip): ") : undefined);
+    const consoleTenant = flagString(args.flags, "console-tenant") ?? flagString(args.flags, "console-tenant-id") ?? (needsConsoleCredentials(telemetrySinks) ? await rl.question("Console tenant ID (blank to skip): ") : undefined);
+    const activateDefault = false;
+    const activateAnswer = flagBool(args.flags, "activate-kits")
+      ? "yes"
+      : runtime === "codex"
+        ? await rl.question(`Activate local Builder Kit runtime assets [${activateDefault ? "Y/n" : "y/N"}]: `)
+        : "no";
+    return {
+      runtime,
+      dest: path.resolve(destAnswer.trim() || destDefault),
+      consoleUrl: consoleUrl?.trim() || undefined,
+      consoleEndpoint: consoleEndpoint?.trim() || undefined,
+      consoleTokenFile: consoleTokenFile?.trim() || undefined,
+      consoleTokenValue: consoleTokenValue?.trim() || undefined,
+      consoleTenant: consoleTenant?.trim() || undefined,
+      telemetrySinks,
+      packs: flagString(args.flags, "packs"),
+      activateKits: runtime === "codex" && parseYesNo(activateAnswer, activateDefault),
+    };
+  } finally {
+    rl.close();
+  }
+}
+
+function headlessOptions(argv: string[]): InitOptions {
+  const args = parseArgs(argv);
+  const runtime = normalizeRuntime(flagString(args.flags, "runtime")) ?? "base";
+  return {
+    runtime,
+    dest: path.resolve(flagString(args.flags, "dest", defaultDest(runtime)) ?? defaultDest(runtime)),
+    consoleUrl: flagString(args.flags, "console-url"),
+    consoleEndpoint: flagString(args.flags, "console-endpoint") ?? flagString(args.flags, "console-endpoint-url"),
+    consoleTokenFile: flagString(args.flags, "console-token-file"),
+    consoleTenant: flagString(args.flags, "console-tenant") ?? flagString(args.flags, "console-tenant-id"),
+    telemetrySinks: telemetrySinksFromFlags(args.flags),
+    packs: flagString(args.flags, "packs"),
+    activateKits: runtime === "codex" && flagBool(args.flags, "activate-kits"),
+  };
+}
+
+function ensureBundle(runtime: Runtime): string {
+  const bundle = path.join(root, "dist", runtimeBundles[runtime]);
+  if (!fs.existsSync(path.join(bundle, "install.sh"))) {
+    const rc = buildBundles();
+    if (rc !== 0) throw new Error(`bundle build failed with exit code ${rc}`);
+  }
+  if (!fs.existsSync(path.join(bundle, "install.sh"))) throw new Error(`bundle installer missing: ${bundle}`);
+  return bundle;
+}
+
+function installBundle(bundle: string, options: InitOptions): number {
+  const args = ["install.sh", options.dest];
+  for (const sink of options.telemetrySinks) args.push("--telemetry-sink", sink);
+  if (options.consoleUrl) args.push("--console-url", options.consoleUrl);
+  if (options.consoleEndpoint) args.push("--console-endpoint", options.consoleEndpoint);
+  let tempTokenFile: string | undefined;
+  const consoleTokenFile = options.consoleTokenFile ?? (() => {
+    if (!options.consoleTokenValue) return undefined;
+    const file = path.join(fs.mkdtempSync(path.join(os.tmpdir(), "flow-agents-token-")), "console-token");
+    fs.writeFileSync(file, options.consoleTokenValue, { encoding: "utf8", mode: 0o600 });
+    tempTokenFile = file;
+    return file;
+  })();
+  if (consoleTokenFile) args.push("--console-token-file", consoleTokenFile);
+  if (options.consoleTenant) args.push("--console-tenant", options.consoleTenant);
+  const env = { ...process.env };
+  if (options.packs) env.FLOW_AGENTS_PACKS = options.packs;
+  const result = spawnSync("bash", args, { cwd: bundle, env, encoding: "utf8", stdio: "inherit" });
+  if (tempTokenFile) fs.rmSync(path.dirname(tempTokenFile), { recursive: true, force: true });
+  if (result.error) {
+    console.error(`flow-agents init: unable to run bundle installer: ${result.error.message}`);
+    return 1;
+  }
+  return result.status ?? 1;
+}
+
+function activateKits(options: InitOptions): number {
+  if (!options.activateKits) return 0;
+  const result = activateCodexLocal(options.dest, options.dest);
+  if (Array.isArray(result.errors) && result.errors.length > 0) {
+    console.error(JSON.stringify(result, null, 2));
+    return 1;
+  }
+  const generated = Array.isArray(result.generated_runtime_files) ? result.generated_runtime_files : [];
+  console.log(`Activated ${generated.length} Codex local runtime asset(s)`);
+  return 0;
+}
+
+export async function main(argv = process.argv.slice(2)): Promise<number> {
+  if (argv.includes("--help") || argv.includes("-h")) {
+    usage();
+    return 0;
+  }
+  const headless = argv.includes("--yes") || argv.includes("--headless") || !process.stdin.isTTY;
+  try {
+    const options = headless ? headlessOptions(argv) : await interactiveOptions(argv);
+    const bundle = ensureBundle(options.runtime);
+    const installed = installBundle(bundle, options);
+    if (installed !== 0) return installed;
+    return activateKits(options);
+  } catch (error) {
+    console.error(`flow-agents init: ${(error as Error).message}`);
+    return 2;
+  }
+}
+
+if (import.meta.url === `file://${process.argv[1]}`) process.exit(await main());

package/src/cli/promote-workflow-artifact.ts

@@ -0,0 +1,64 @@
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { parseArgs, flagString } from "../lib/args.js";
+import { isoNow, relPath } from "../lib/fs.js";
+
+function slugify(value: string): string {
+  return value.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "") || "delivery";
+}
+
+function repoRootFor(file: string): string {
+  let current = path.dirname(path.resolve(file));
+  for (let i = 0; i < 40; i += 1) {
+    if (fs.existsSync(path.join(current, ".git")) || fs.existsSync(path.join(current, "AGENTS.md"))) return current;
+    const parent = path.dirname(current);
+    if (parent === current) break;
+    current = parent;
+  }
+  return process.cwd();
+}
+
+function firstHeading(text: string): string {
+  return text.split(/\r?\n/).find((line) => line.startsWith("# "))?.slice(2).trim() || "Delivery";
+}
+
+function field(text: string, name: string): string {
+  return text.match(new RegExp(`^${name}:\\s*(.+)$`, "m"))?.[1].trim() ?? "";
+}
+
+function section(text: string, heading: string): string {
+  const match = new RegExp(`^##\\s+${heading}\\s*$`, "m").exec(text);
+  if (!match) return "";
+  const start = match.index + match[0].length;
+  const rest = text.slice(start);
+  const next = /^##\s+/m.exec(rest);
+  return rest.slice(0, next ? next.index : undefined).trim();
+}
+
+export function main(argv = process.argv.slice(2)): number {
+  const args = parseArgs(argv);
+  const artifact = path.resolve(args.positionals[0] ?? "");
+  if (!artifact || !fs.existsSync(artifact)) throw new Error(`artifact not found: ${artifact}`);
+  const root = repoRootFor(artifact);
+  const text = fs.readFileSync(artifact, "utf8");
+  const title = flagString(args.flags, "title") ?? firstHeading(text);
+  const docsDir = path.resolve(root, flagString(args.flags, "docs-dir", "docs/delivery") ?? "docs/delivery");
+  const date = isoNow().slice(0, 10);
+  const archiveBase = flagString(args.flags, "archive-dir") ? path.resolve(root, flagString(args.flags, "archive-dir") ?? "") : path.join(path.dirname(artifact), "archive");
+  const archive = path.join(archiveBase, date, path.basename(artifact));
+  const doc = path.join(docsDir, `${slugify(title)}.md`);
+  fs.mkdirSync(path.dirname(archive), { recursive: true });
+  fs.mkdirSync(path.dirname(doc), { recursive: true });
+  fs.copyFileSync(artifact, archive);
+  const pieces = ["---", `title: "${title}"`, `created: ${isoNow()}`, `source_artifact: ${relPath(root, artifact)}`, `archived_artifact: ${relPath(root, archive)}`, `delivery_status: ${field(text, "status") || "unknown"}`, "---", "", `# ${title}`, "", "This document was promoted from a delivery artifact after final acceptance.", "", "## Source", "", `- Working artifact: \`${relPath(root, artifact)}\``, `- Archived artifact: \`${relPath(root, archive)}\``, `- Status at promotion: \`${field(text, "status") || "unknown"}\``, ""];
+  for (const heading of ["Definition Of Done", "Plan", "Verification Report", "Goal Fit Gate", "Final Acceptance", "History"]) {
+    const body = section(text, heading);
+    if (body) pieces.push(`## ${heading}`, "", body, "");
+  }
+  fs.writeFileSync(doc, `${pieces.join("\n").trimEnd()}\n`, "utf8");
+  console.log(`promoted_doc=${doc}`);
+  console.log(`archived_artifact=${archive}`);
+  return 0;
+}
+
+if (import.meta.url === `file://${process.argv[1]}`) process.exit(main());

package/src/cli/publish-change-helper.ts

@@ -0,0 +1,143 @@
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { parseArgs, flagString } from "../lib/args.js";
+import { readJson } from "../lib/fs.js";
+
+const CLOSING_KEYWORD_RE = /\b(?:close[sd]?|fix(?:e[sd])?|resolve[sd]?)\s+(?<refs>(?:(?:[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+)?#\d+|https:\/\/github\.com\/[^\s)]+\/(?:issues|pull)\/\d+)(?:\s*(?:,|and)\s*(?:(?:[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+)?#\d+|https:\/\/github\.com\/[^\s)]+\/(?:issues|pull)\/\d+))*)/gi;
+const GITHUB_REF_RE = /(?<url>https:\/\/github\.com\/(?<url_owner>[^/\s)]+)\/(?<url_repo>[^/\s)]+)\/(?:issues|pull)\/(?<url_number>\d+))|(?:(?<owner>[A-Za-z0-9_.-]+)\/(?<repo>[A-Za-z0-9_.-]+))?#(?<number>\d+)/g;
+const DOC_EXTENSIONS = new Set([".md", ".mdx", ".txt", ".adoc", ".rst"]);
+const PACKAGE_FILES = new Set(["package.json", "package-lock.json", "pnpm-lock.yaml", "yarn.lock", "pyproject.toml", "uv.lock", "poetry.lock", "requirements.txt", "Cargo.toml", "Cargo.lock", "go.mod", "go.sum"]);
+
+function loadJson(file: string): Record<string, unknown> {
+  return (file === "-" ? JSON.parse(fs.readFileSync(0, "utf8")) : readJson(file)) as Record<string, unknown>;
+}
+
+function normalizeRef(ref: string, defaultOwner?: string, defaultRepo?: string): string {
+  const matches = Array.from(ref.trim().replace(/[.,]+$/, "").matchAll(GITHUB_REF_RE));
+  const match = matches.length === 1 && matches[0][0] === ref.trim().replace(/[.,]+$/, "") ? matches[0] : null;
+  if (!match?.groups) throw new Error(`unsupported closing reference: ${ref}`);
+  if (match.groups.url) return `github:${match.groups.url_owner}/${match.groups.url_repo}#${Number(match.groups.url_number)}`;
+  const owner = match.groups.owner ?? defaultOwner;
+  const repo = match.groups.repo ?? defaultRepo;
+  if (!owner || !repo) throw new Error(`unqualified reference needs default owner/repo: ${ref}`);
+  return `github:${owner}/${repo}#${Number(match.groups.number)}`;
+}
+
+function extractClosingRefs(text: string, defaultOwner?: string, defaultRepo?: string): string[] {
+  const refs: string[] = [];
+  const seen = new Set<string>();
+  for (const keyword of text.matchAll(CLOSING_KEYWORD_RE)) {
+    for (const ref of String(keyword.groups?.refs ?? "").matchAll(GITHUB_REF_RE)) {
+      const normalized = normalizeRef(ref[0], defaultOwner, defaultRepo);
+      if (!seen.has(normalized)) {
+        seen.add(normalized);
+        refs.push(normalized);
+      }
+    }
+  }
+  return refs;
+}
+
+function renderBody(spec: Record<string, unknown>): string {
+  if (typeof spec.body_file === "string") return fs.readFileSync(spec.body_file, "utf8");
+  if (spec.body !== undefined) return String(spec.body);
+  if (Array.isArray(spec.sections)) {
+    return spec.sections.map((section) => {
+      const record = section as Record<string, unknown>;
+      const title = String(record.title ?? "").trim();
+      const body = String(record.body ?? "").trimEnd();
+      return body ? `## ${title}\n\n${body}` : `## ${title}`;
+    }).join("\n\n").trimEnd() + "\n";
+  }
+  throw new Error("publish input must include body_file, body, or sections");
+}
+
+function render(argv: string[]): number {
+  const args = parseArgs(argv);
+  const input = flagString(args.flags, "input-json");
+  if (!input) throw new Error("--input-json is required");
+  const spec = loadJson(input);
+  const body = renderBody(spec);
+  const bodyOut = flagString(args.flags, "body-out");
+  if (bodyOut) fs.writeFileSync(bodyOut, body, "utf8");
+  console.log(JSON.stringify({ role: "PublishChangeRequest", provider: spec.provider ?? "github", change_provider: spec.change_provider ?? { kind: spec.provider ?? "github" }, title: spec.title, body, expected_closing_refs: spec.expected_closing_refs ?? [] }, null, 2));
+  return 0;
+}
+
+function validateClosingRefs(argv: string[]): number {
+  const input = flagString(parseArgs(argv).flags, "input-json");
+  if (!input) throw new Error("--input-json is required");
+  const spec = loadJson(input);
+  const defaultOwner = typeof spec.default_owner === "string" ? spec.default_owner : undefined;
+  const defaultRepo = typeof spec.default_repo === "string" ? spec.default_repo : undefined;
+  const expected = (Array.isArray(spec.expected_closing_refs) ? spec.expected_closing_refs : []).map((ref) => normalizeRef(String(ref), defaultOwner, defaultRepo));
+  const provider = (spec.provider_output ?? {}) as Record<string, unknown>;
+  const recognized = Array.isArray(provider.recognized_closing_refs)
+    ? provider.recognized_closing_refs.map((ref) => normalizeRef(String(ref), defaultOwner, defaultRepo))
+    : extractClosingRefs(String(provider.body ?? ""), defaultOwner, defaultRepo);
+  const missing = expected.filter((ref) => !recognized.includes(ref));
+  console.log(JSON.stringify({ role: "ClosingReferenceCheck", provider: spec.provider ?? "github", status: missing.length ? "fail" : "pass", expected_closing_refs: expected, recognized_closing_refs: recognized, missing_closing_refs: missing }, null, 2));
+  if (missing.length) {
+    console.error(`missing recognized closing refs: ${missing.join(", ")}`);
+    return 2;
+  }
+  return 0;
+}
+
+function riskForPath(value: string): string {
+  const parts = new Set(value.split(/[\\/]+/));
+  const name = path.basename(value);
+  const ext = path.extname(value).toLowerCase();
+  if (parts.has("schemas")) return "schema";
+  if (parts.has("hooks")) return "hook";
+  if (parts.has("scripts")) return "runtime";
+  if (PACKAGE_FILES.has(name)) return "package";
+  if (parts.has("security") || name.toLowerCase().startsWith("security")) return "security";
+  if (parts.has("docs") || DOC_EXTENSIONS.has(ext)) return "docs";
+  return "runtime";
+}
+
+function evaluateProviderChecks(argv: string[]): number {
+  const args = parseArgs(argv);
+  const filesDoc = loadJson(flagString(args.flags, "change-files-json") ?? "");
+  const checksPath = flagString(args.flags, "provider-checks-json");
+  const checks = checksPath ? loadJson(checksPath) : [];
+  const files = Array.isArray(filesDoc) ? filesDoc : (filesDoc.files as unknown[] ?? []);
+  const risks = Array.from(new Set(files.map((file) => riskForPath(String(file))))).sort();
+  const checksPresent = Array.isArray(checks) ? checks.length > 0 : Object.keys(checks).length > 0;
+  const risky = risks.some((risk) => ["runtime", "schema", "package", "hook", "security"].includes(risk));
+  const status = checksPresent ? "pass" : risky ? "not_verified" : "skip";
+  const release = checksPresent ? "pass" : risky ? "hold" : "not_required";
+  console.log(JSON.stringify({ role: "ProviderCheckPolicy", risk_classes: risks.length ? risks : ["unknown"], provider_checks_present: checksPresent, evidence_status: status, release_gate_status: release, summary: checksPresent ? "Provider checks are present." : risky ? "Missing provider checks for risky change classes." : "Provider checks skipped for docs-only change." }, null, 2));
+  return status === "not_verified" ? 3 : 0;
+}
+
+function reconcile(argv: string[]): number {
+  const root = argv[0];
+  if (!root) throw new Error("artifact_root is required");
+  const evidence = readJson(path.join(root, "evidence.json")) as Record<string, unknown>;
+  const release = readJson(path.join(root, "release.json")) as Record<string, unknown>;
+  const mismatches: string[] = [];
+  if (evidence.verdict !== "pass") mismatches.push("evidence verdict is not pass");
+  const gates = Array.isArray(release.gates) ? release.gates as Record<string, unknown>[] : [];
+  if (["merge", "release", "deploy"].includes(String(release.decision)) && gates.filter((gate) => gate.required !== false).some((gate) => gate.status !== "pass")) mismatches.push("positive release decision has non-pass required gate");
+  console.log(JSON.stringify({ role: "FinalStateReconciliation", status: mismatches.length ? "fail" : "pass", authoritative_refs: [path.join(root, "evidence.json"), path.join(root, "release.json")], mismatches }, null, 2));
+  return mismatches.length ? 4 : 0;
+}
+
+export function main(argv = process.argv.slice(2)): number {
+  try {
+    const [command, ...rest] = argv;
+    if (command === "render") return render(rest);
+    if (command === "validate-closing-refs") return validateClosingRefs(rest);
+    if (command === "evaluate-provider-checks") return evaluateProviderChecks(rest);
+    if (command === "reconcile-final-state") return reconcile(rest);
+    console.error("usage: publish-change-helper <render|validate-closing-refs|evaluate-provider-checks|reconcile-final-state>");
+    return 2;
+  } catch (error) {
+    console.error(`publish-change-helper: ${(error as Error).message}`);
+    return 1;
+  }
+}
+
+if (import.meta.url === `file://${process.argv[1]}`) process.exit(main());