@lsddream/platform-cli 0.1.0

package/dist/cli.js

@@ -0,0 +1,1255 @@
+#!/usr/bin/env node
+import {
+  CLIENT_ID,
+  CLI_API_PREFIX,
+  CLI_VERSION,
+  DEFAULT_SCOPE,
+  EXCLUDED_PATTERNS,
+  PRE_PLATFORM_URL,
+  PROD_PLATFORM_URL,
+  QWENPAW_API_PREFIX,
+  SENSITIVE_REASONS,
+  SYNC_DEFAULT_FILES,
+  clearCredentials,
+  credentialsFromTokenResponse,
+  getQwenpawWorkspacesRoot,
+  isTokenExpired,
+  loadCredentials,
+  resolveConfig,
+  saveCredentials
+} from "./chunk-2RAWITF3.js";
+
+// src/cli.ts
+import { Command } from "commander";
+
+// src/utils/errors.ts
+var AspError = class _AspError extends Error {
+  code;
+  hint;
+  requestId;
+  statusCode;
+  exitCode;
+  constructor(message, options = {}) {
+    super(message, { cause: options.cause });
+    this.name = "AspError";
+    this.code = options.code ?? "UNKNOWN";
+    this.hint = options.hint;
+    this.requestId = options.requestId;
+    this.statusCode = options.statusCode;
+    this.exitCode = options.exitCode ?? 1;
+  }
+  static fromResponse(status, body) {
+    const parsed = body;
+    if (parsed?.error) {
+      const exitCode = mapErrorCodeToExit(parsed.error.code, status);
+      let hint = parsed.error.hint ?? parsed.error.detail;
+      if (parsed.error.code === "ASP.COMM.NOT_FOUND") {
+        hint = hint ?? "The API endpoint is not available on this Platform environment. Pre-release may not have /api/qwenpaw/v1 yet; try production `asp qwenpaw remote list` after `asp auth login`.";
+      }
+      return new _AspError(parsed.error.message, {
+        code: parsed.error.code,
+        hint,
+        requestId: parsed.request_id,
+        statusCode: status,
+        exitCode
+      });
+    }
+    return new _AspError(`HTTP ${status}`, {
+      code: "HTTP_ERROR",
+      statusCode: status,
+      exitCode: status >= 500 ? 2 : 1
+    });
+  }
+};
+function mapErrorCodeToExit(code, status) {
+  if (code === "UNAUTHORIZED" || code === "UNAUTHENTICATED" || code === "ASP.AUTH.UNAUTHORIZED" || code === "ASP.AUTH.SESSION_INVALID" || code === "SESSION_INVALID") {
+    return 3;
+  }
+  if (code === "FORBIDDEN") return 4;
+  if (status >= 500) return 2;
+  return 1;
+}
+function maskSecrets(text) {
+  return text.replace(/Bearer\s+[A-Za-z0-9._-]+/gi, "Bearer [REDACTED]").replace(/"access_token"\s*:\s*"[^"]+"/gi, '"access_token":"[REDACTED]"').replace(/"refresh_token"\s*:\s*"[^"]+"/gi, '"refresh_token":"[REDACTED]"').replace(/"token"\s*:\s*"[^"]+"/gi, '"token":"[REDACTED]"');
+}
+
+// src/auth/session.ts
+function isSessionInvalidError(err) {
+  if (!(err instanceof AspError)) return false;
+  return err.code === "ASP.AUTH.SESSION_INVALID" || err.code === "SESSION_INVALID";
+}
+async function refreshStoredSession(config, refreshToken, platformUrl) {
+  const client = new CliApiClient({
+    ...config,
+    token: void 0,
+    platformUrl: platformUrl.replace(/\/$/, "")
+  });
+  const refreshed = await client.refresh(refreshToken);
+  const creds = credentialsFromTokenResponse(platformUrl, refreshed);
+  await saveCredentials(creds);
+  return creds;
+}
+async function finalizeLogin(config, loginResponse) {
+  if (!loginResponse.refresh_token) {
+    const creds = credentialsFromTokenResponse(config.platformUrl, loginResponse);
+    await saveCredentials(creds);
+    return creds;
+  }
+  try {
+    return await refreshStoredSession(
+      config,
+      loginResponse.refresh_token,
+      config.platformUrl
+    );
+  } catch {
+    const creds = credentialsFromTokenResponse(config.platformUrl, loginResponse);
+    await saveCredentials(creds);
+    return creds;
+  }
+}
+
+// src/api/client.ts
+var HttpClient = class {
+  constructor(config) {
+    this.config = config;
+  }
+  config;
+  async request(opts) {
+    try {
+      return await this.doRequest(opts);
+    } catch (err) {
+      if (opts.auth !== false && !opts._retried && isSessionInvalidError(err) && !this.config.token) {
+        const creds = await loadCredentials();
+        if (creds?.refresh_token) {
+          await refreshStoredSession(configWithPlatform(this.config, creds), creds.refresh_token, creds.platform_url);
+          return this.doRequest({ ...opts, _retried: true });
+        }
+      }
+      throw err;
+    }
+  }
+  async doRequest(opts) {
+    const creds = opts.auth !== false && !this.config.token ? await loadCredentials() : null;
+    const platformUrl = creds?.platform_url ?? this.config.platformUrl;
+    const prefix = opts.prefix ?? "";
+    const url = `${platformUrl}${prefix}${opts.path}`;
+    const headers = {
+      Accept: "application/json",
+      ...opts.headers
+    };
+    if (opts.body !== void 0) {
+      headers["Content-Type"] = "application/json";
+    }
+    if (opts.auth !== false) {
+      const token = await this.resolveAccessToken(creds);
+      if (token) {
+        headers.Authorization = `Bearer ${token}`;
+      }
+    }
+    if (this.config.verbose) {
+      console.error(`[verbose] ${opts.method ?? "GET"} ${url}`);
+      if (opts.body) console.error(maskSecrets(JSON.stringify(opts.body)));
+    }
+    const res = await fetch(url, {
+      method: opts.method ?? "GET",
+      headers,
+      body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0
+    });
+    const text = await res.text();
+    let data = {};
+    if (text) {
+      try {
+        data = JSON.parse(text);
+      } catch {
+        data = { raw: text };
+      }
+    }
+    if (this.config.verbose) {
+      console.error(`[verbose] ${res.status}`, maskSecrets(text.slice(0, 2e3)));
+    }
+    if (!res.ok) {
+      throw AspError.fromResponse(res.status, data);
+    }
+    return data;
+  }
+  async resolveAccessToken(existing) {
+    if (this.config.token) return this.config.token;
+    const creds = existing ?? await loadCredentials();
+    if (!creds) return void 0;
+    if (isTokenExpired(creds) && creds.refresh_token) {
+      const refreshed = await refreshStoredSession(
+        configWithPlatform(this.config, creds),
+        creds.refresh_token,
+        creds.platform_url
+      );
+      return refreshed.access_token;
+    }
+    return creds.access_token;
+  }
+};
+function configWithPlatform(config, creds) {
+  return { ...config, platformUrl: creds.platform_url || config.platformUrl };
+}
+
+// src/api/cli-api.ts
+var CliApiClient = class {
+  http;
+  constructor(config) {
+    this.http = new HttpClient(config);
+  }
+  req(opts) {
+    return this.http.request({ ...opts, prefix: CLI_API_PREFIX });
+  }
+  getMeta() {
+    return this.req({ path: "/meta", auth: false });
+  }
+  getMe() {
+    return this.req({ path: "/me" });
+  }
+  login(account, password) {
+    return this.req({
+      method: "POST",
+      path: "/auth/login",
+      auth: false,
+      body: { account, password }
+    });
+  }
+  refresh(refreshToken) {
+    return this.req({
+      method: "POST",
+      path: "/auth/refresh",
+      auth: false,
+      body: { refresh_token: refreshToken }
+    });
+  }
+  oauthToken(body) {
+    return this.req({ method: "POST", path: "/oauth/token", auth: false, body });
+  }
+  oauthDeviceCode(body) {
+    return this.req({ method: "POST", path: "/oauth/device/code", auth: false, body });
+  }
+  oauthDeviceToken(body) {
+    return this.req({ method: "POST", path: "/oauth/device/token", auth: false, body });
+  }
+  oauthRevoke(token, tokenTypeHint = "refresh_token") {
+    return this.req({
+      method: "POST",
+      path: "/oauth/revoke",
+      body: { token, token_type_hint: tokenTypeHint }
+    });
+  }
+  async logout() {
+    try {
+      return await this.req({ method: "POST", path: "/auth/logout" });
+    } catch {
+      return this.oauthRevoke("", "access_token");
+    }
+  }
+};
+
+// src/auth/browser-login.ts
+import { createServer } from "http";
+import open from "open";
+
+// src/auth/pkce.ts
+import { randomBytes, createHash } from "crypto";
+function base64Url(buf) {
+  return buf.toString("base64url");
+}
+function generatePkce() {
+  const codeVerifier = base64Url(randomBytes(32));
+  const codeChallenge = base64Url(createHash("sha256").update(codeVerifier).digest());
+  const state = `state_${base64Url(randomBytes(16))}`;
+  const nonce = `nonce_${base64Url(randomBytes(16))}`;
+  return { codeVerifier, codeChallenge, state, nonce };
+}
+
+// src/utils/output.ts
+import chalk from "chalk";
+function printJson(data) {
+  console.log(JSON.stringify(data, null, 2));
+}
+function printSuccess(message) {
+  console.log(chalk.green("\u2713"), message);
+}
+function printInfo(message) {
+  console.log(chalk.blue("\u2139"), message);
+}
+function printError(message) {
+  console.error(chalk.red("\u2717"), message);
+}
+function printTable(headers, rows) {
+  const widths = headers.map(
+    (h, i) => Math.max(h.length, ...rows.map((r) => (r[i] ?? "").length))
+  );
+  const headerLine = headers.map((h, i) => h.padEnd(widths[i])).join("  ");
+  console.log(chalk.bold(headerLine));
+  for (const row of rows) {
+    console.log(row.map((c, i) => (c ?? "").padEnd(widths[i])).join("  "));
+  }
+}
+function formatBytes(bytes) {
+  if (bytes < 1024) return `${bytes} B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+  return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+
+// src/auth/browser-login.ts
+var LOGIN_TIMEOUT_MS = 3e5;
+async function browserPkceLogin(config) {
+  const pkce = generatePkce();
+  const port = await pickPort();
+  const redirectUri = `http://127.0.0.1:${port}/callback/${pkce.nonce}`;
+  const loginUrl = new URL(`${config.platformUrl}/cli/login`);
+  loginUrl.searchParams.set("client_id", CLIENT_ID);
+  loginUrl.searchParams.set("redirect_uri", redirectUri);
+  loginUrl.searchParams.set("response_type", "code");
+  loginUrl.searchParams.set("code_challenge", pkce.codeChallenge);
+  loginUrl.searchParams.set("code_challenge_method", "S256");
+  loginUrl.searchParams.set("state", pkce.state);
+  loginUrl.searchParams.set("scope", DEFAULT_SCOPE);
+  const code = await waitForCallback(port, pkce.nonce, pkce.state, loginUrl.toString());
+  const client = new CliApiClient(config);
+  const token = await client.oauthToken({
+    grant_type: "authorization_code",
+    client_id: CLIENT_ID,
+    code,
+    code_verifier: pkce.codeVerifier,
+    redirect_uri: redirectUri
+  });
+  await finalizeLogin(config, token);
+  printSuccess(`Logged in as ${token.user?.email ?? token.user?.display_name ?? "user"}`);
+}
+async function pickPort() {
+  return new Promise((resolve2, reject) => {
+    const server = createServer();
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      if (!addr || typeof addr === "string") {
+        server.close();
+        reject(new Error("Failed to bind callback port"));
+        return;
+      }
+      const port = addr.port;
+      server.close(() => resolve2(port));
+    });
+    server.on("error", reject);
+  });
+}
+function waitForCallback(port, nonce, expectedState, loginUrl) {
+  return new Promise((resolve2, reject) => {
+    const server = createServer(async (req, res) => {
+      try {
+        const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+        if (url.pathname !== `/callback/${nonce}`) {
+          res.writeHead(404);
+          res.end("Not found");
+          return;
+        }
+        const code = url.searchParams.get("code");
+        const state = url.searchParams.get("state");
+        if (!code || state !== expectedState) {
+          res.writeHead(400);
+          res.end("Invalid callback");
+          reject(new Error("Invalid OAuth callback: state mismatch or missing code"));
+          server.close();
+          return;
+        }
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end("<html><body><h2>Login successful. You can close this window.</h2></body></html>");
+        server.close();
+        resolve2(code);
+      } catch (err) {
+        server.close();
+        reject(err);
+      }
+    });
+    server.listen(port, "127.0.0.1", () => {
+      printInfo(`Opening browser for login...`);
+      void open(loginUrl).catch(() => {
+        printInfo(`Open this URL manually: ${loginUrl}`);
+      });
+    });
+    setTimeout(() => {
+      server.close();
+      reject(new Error("Login timed out"));
+    }, LOGIN_TIMEOUT_MS);
+  });
+}
+
+// src/auth/device.ts
+import open2 from "open";
+async function deviceCodeLogin(config) {
+  const client = new CliApiClient(config);
+  const device = await client.oauthDeviceCode({
+    client_id: CLIENT_ID,
+    scope: DEFAULT_SCOPE
+  });
+  printInfo(`Visit: ${device.verification_uri_complete ?? device.verification_uri}`);
+  printInfo(`Enter code: ${device.user_code}`);
+  await open2(device.verification_uri_complete ?? device.verification_uri).catch(() => {
+  });
+  const interval = (device.interval ?? 5) * 1e3;
+  const deadline = Date.now() + device.expires_in * 1e3;
+  while (Date.now() < deadline) {
+    await sleep(interval);
+    try {
+      const token = await client.oauthDeviceToken({
+        grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+        client_id: CLIENT_ID,
+        device_code: device.device_code
+      });
+      await finalizeLogin(config, token);
+      printSuccess(`Logged in as ${token.user?.email ?? token.user?.display_name ?? "user"}`);
+      return;
+    } catch (err) {
+      const code = err.code;
+      if (code === "AUTHORIZATION_PENDING" || code === "SLOW_DOWN") continue;
+      throw err;
+    }
+  }
+  throw new Error("Device code login timed out");
+}
+function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+// src/utils/prompt.ts
+import { createInterface } from "readline/promises";
+import { stdin as input, stdout as output } from "process";
+async function promptLine(message) {
+  const rl = createInterface({ input, output });
+  try {
+    const value = (await rl.question(message)).trim();
+    if (!value) {
+      throw new Error("Input is required.");
+    }
+    return value;
+  } finally {
+    rl.close();
+  }
+}
+async function promptPassword(message = "Password: ") {
+  return new Promise((resolve2, reject) => {
+    const stdin = process.stdin;
+    const wasRaw = stdin.isRaw;
+    const wasPaused = stdin.isPaused();
+    if (!stdin.isTTY) {
+      reject(new Error("Password prompt requires an interactive terminal."));
+      return;
+    }
+    output.write(message);
+    stdin.setRawMode(true);
+    stdin.resume();
+    stdin.setEncoding("utf8");
+    let password = "";
+    const cleanup = () => {
+      stdin.removeListener("data", onData);
+      stdin.setRawMode(wasRaw ?? false);
+      if (wasPaused) stdin.pause();
+      else stdin.resume();
+    };
+    const onData = (char) => {
+      switch (char) {
+        case "\n":
+        case "\r":
+        case "":
+          cleanup();
+          output.write("\n");
+          if (!password) {
+            reject(new Error("Password is required."));
+            return;
+          }
+          resolve2(password);
+          break;
+        case "":
+          cleanup();
+          output.write("\n");
+          reject(new Error("Login cancelled."));
+          break;
+        case "\x7F":
+        case "\b":
+          if (password.length > 0) {
+            password = password.slice(0, -1);
+            output.write("\b \b");
+          }
+          break;
+        default:
+          if (char < " " && char !== "	") return;
+          password += char;
+          output.write("*");
+          break;
+      }
+    };
+    stdin.on("data", onData);
+  });
+}
+async function promptCredentials(options) {
+  const account = options.account ?? await promptLine("Email: ");
+  const password = options.password ?? await promptPassword();
+  return { account, password };
+}
+
+// src/utils/platform.ts
+function detectPlatformEnv(url) {
+  const normalized = url.replace(/\/$/, "");
+  if (normalized === PROD_PLATFORM_URL) return "prod";
+  if (normalized === PRE_PLATFORM_URL) return "pre";
+  return "custom";
+}
+function formatPlatformLabel(url) {
+  const env = detectPlatformEnv(url);
+  if (env === "prod") return `prod (${PROD_PLATFORM_URL})`;
+  if (env === "pre") return `pre (${PRE_PLATFORM_URL})`;
+  return url;
+}
+function withPlatformUrl(config, platformUrl) {
+  return { ...config, platformUrl: platformUrl.replace(/\/$/, "") };
+}
+function resolveCommandPlatformUrl(config, options = {}) {
+  if (options.pre) return PRE_PLATFORM_URL;
+  if (options.prod) return PROD_PLATFORM_URL;
+  return config.platformUrl;
+}
+async function requireCredentials(config, targetPlatformUrl) {
+  if (config.token) {
+    return {
+      config: withPlatformUrl(config, targetPlatformUrl),
+      creds: {
+        access_token: config.token,
+        token_type: "Bearer",
+        platform_url: targetPlatformUrl
+      }
+    };
+  }
+  const creds = await loadCredentials();
+  if (!creds?.access_token) {
+    const hint = detectPlatformEnv(targetPlatformUrl) === "pre" ? "Run `asp auth login-pre`." : "Run `asp auth login`.";
+    throw new AspError("Not logged in.", {
+      code: "UNAUTHORIZED",
+      hint,
+      exitCode: 3
+    });
+  }
+  const credsUrl = creds.platform_url.replace(/\/$/, "");
+  const targetUrl = targetPlatformUrl.replace(/\/$/, "");
+  if (credsUrl !== targetUrl) {
+    const loggedIn = formatPlatformLabel(credsUrl);
+    const target = formatPlatformLabel(targetUrl);
+    const hint = detectPlatformEnv(targetUrl) === "pre" ? `You are logged in to ${loggedIn}. Run \`asp auth login-pre\` or use the matching -pre command.` : `You are logged in to ${loggedIn}. Run \`asp auth login\` or use production commands without -pre.`;
+    throw new AspError(`Credential environment mismatch: logged in to ${loggedIn}, command targets ${target}.`, {
+      code: "ENV_MISMATCH",
+      hint,
+      exitCode: 1
+    });
+  }
+  return {
+    config: withPlatformUrl(config, targetUrl),
+    creds
+  };
+}
+async function resolveAuthContext(getConfig2, options = {}) {
+  const base = getConfig2();
+  const platformUrl = resolveCommandPlatformUrl(base, options);
+  return requireCredentials(base, platformUrl);
+}
+
+// src/commands/auth.ts
+var LOGIN_OPTIONS = [
+  ["--device", "Use device code flow (headless)"],
+  ["--browser", "Use browser PKCE login"],
+  ["--token <token>", "Save and validate an existing access token"],
+  ["--account <email>", "Account email (non-interactive)"],
+  ["--password <password>", "Account password (non-interactive)"]
+];
+async function runLogin(config, opts) {
+  const client = new CliApiClient(config);
+  if (opts.token) {
+    await saveTokenLogin(config, opts.token);
+    return;
+  }
+  const meta = await client.getMeta().catch(() => null);
+  if (opts.device) {
+    if (meta?.features?.device_login === false) {
+      throw new AspError("Device login is not enabled on this platform.", {
+        code: "FEATURE_DISABLED",
+        hint: "Use email/password login instead."
+      });
+    }
+    await deviceCodeLogin(config);
+    return;
+  }
+  if (opts.browser) {
+    if (meta?.features?.browser_pkce_login === false) {
+      throw new AspError("Browser PKCE login is not enabled on this platform.", {
+        code: "FEATURE_DISABLED",
+        hint: "Use email/password login instead."
+      });
+    }
+    await browserPkceLogin(config);
+    return;
+  }
+  const { account, password } = await promptCredentials({
+    account: opts.account,
+    password: opts.password
+  });
+  const loginResponse = await client.login(account, password);
+  await finalizeLogin(config, loginResponse);
+  const me = await new CliApiClient(config).getMe();
+  const display = me.user?.email ?? me.email ?? me.user?.display_name ?? me.account ?? account;
+  printSuccess(`Logged in as ${display} (${formatPlatformLabel(config.platformUrl)})`);
+}
+async function saveTokenLogin(config, token) {
+  const creds = credentialsFromTokenResponse(config.platformUrl, {
+    access_token: token,
+    token_type: "Bearer"
+  });
+  await saveCredentials(creds);
+  const me = await new CliApiClient({ ...config, token }).getMe();
+  const display = me.user?.email ?? me.email ?? me.user?.display_name ?? me.account ?? me.user_id;
+  printSuccess(`Token saved. Logged in as ${display} (${formatPlatformLabel(config.platformUrl)})`);
+}
+function registerLoginCommand(auth, getConfig2, name, description, platformUrl) {
+  let cmd = auth.command(name).description(description);
+  for (const [flags, desc] of LOGIN_OPTIONS) {
+    cmd = cmd.option(flags, desc);
+  }
+  cmd.action(async (opts) => {
+    const config = withPlatformUrl(getConfig2(), platformUrl);
+    await runLogin(config, opts);
+  });
+}
+async function runStatus(getConfig2, env) {
+  const base = getConfig2();
+  const platformUrl = resolveCommandPlatformUrl(base, env);
+  const creds = await loadCredentials();
+  if (!base.token && !creds) {
+    printInfo("Not logged in.");
+    printInfo("  prod: `asp auth login`");
+    printInfo("  pre:  `asp auth login-pre`");
+    return;
+  }
+  const { config: apiConfig } = await requireCredentials(base, platformUrl);
+  const client = new CliApiClient(apiConfig);
+  const me = await client.getMe();
+  const latestCreds = await loadCredentials() ?? creds;
+  if (base.json) {
+    printJson({
+      logged_in: true,
+      environment: formatPlatformLabel(platformUrl),
+      user: me.user ?? {
+        id: me.user_id,
+        email: me.email,
+        display_name: me.username ?? me.account
+      },
+      qwenpaw_instance: me.qwenpaw_instance,
+      scopes: me.scopes,
+      expires_at: latestCreds?.expires_at,
+      platform_url: platformUrl
+    });
+    return;
+  }
+  const user = me.user ?? {
+    id: me.user_id ?? "",
+    email: me.email,
+    display_name: me.username ?? me.account
+  };
+  printInfo(`Environment: ${formatPlatformLabel(platformUrl)}`);
+  printInfo(`User: ${user.display_name ?? user.email ?? user.id}`);
+  if (user.email) printInfo(`Email: ${user.email}`);
+  if (me.qwenpaw_instance) {
+    printInfo(`QwenPaw instance: ${me.qwenpaw_instance.status} (${me.qwenpaw_instance.id})`);
+    printInfo(`Cloud URL: ${me.qwenpaw_instance.cloud_url}`);
+  }
+  if (me.scopes?.length) printInfo(`Scopes: ${me.scopes.join(", ")}`);
+  if (latestCreds?.expires_at) printInfo(`Token expires: ${latestCreds.expires_at}`);
+}
+async function runRefresh(getConfig2, env) {
+  const base = getConfig2();
+  const platformUrl = resolveCommandPlatformUrl(base, env);
+  const { config, creds } = await requireCredentials(base, platformUrl);
+  if (!creds.refresh_token) {
+    throw new AspError("No refresh token available.", {
+      code: "UNAUTHORIZED",
+      hint: env.pre ? "Run `asp auth login-pre`." : "Run `asp auth login`.",
+      exitCode: 3
+    });
+  }
+  await refreshStoredSession(config, creds.refresh_token, platformUrl);
+  printSuccess(`Token refreshed (${formatPlatformLabel(platformUrl)}).`);
+}
+async function runLogout(getConfig2, env) {
+  const base = getConfig2();
+  const platformUrl = resolveCommandPlatformUrl(base, env);
+  const creds = await loadCredentials();
+  if (!creds) {
+    printInfo(`Not logged in to ${formatPlatformLabel(platformUrl)}.`);
+    return;
+  }
+  const credsUrl = creds.platform_url.replace(/\/$/, "");
+  const targetUrl = platformUrl.replace(/\/$/, "");
+  if (credsUrl !== targetUrl) {
+    throw new AspError(
+      `Not logged in to ${formatPlatformLabel(targetUrl)}.`,
+      {
+        code: "ENV_MISMATCH",
+        hint: env.pre ? `Current session is ${formatPlatformLabel(credsUrl)}. Use \`asp auth logout-pre\` after \`asp auth login-pre\`.` : `Current session is ${formatPlatformLabel(credsUrl)}. Use \`asp auth logout-pre\` for pre, or re-login with \`asp auth login\`.`,
+        exitCode: 1
+      }
+    );
+  }
+  if (creds.refresh_token) {
+    const client = new CliApiClient({ ...base, platformUrl: targetUrl });
+    await client.logout().catch(() => {
+    });
+  }
+  await clearCredentials();
+  printSuccess(`Logged out from ${formatPlatformLabel(platformUrl)}.`);
+}
+function registerEnvAuthCommand(auth, getConfig2, baseName, description, env, handler) {
+  auth.command(baseName).description(description).action(async () => {
+    await handler(getConfig2, env);
+  });
+}
+function registerAuthCommands(program2, getConfig2) {
+  const auth = program2.command("auth").description("Authentication commands");
+  registerLoginCommand(
+    auth,
+    getConfig2,
+    "login",
+    `Log in to production (${PROD_PLATFORM_URL})`,
+    PROD_PLATFORM_URL
+  );
+  registerLoginCommand(
+    auth,
+    getConfig2,
+    "login-pre",
+    `Log in to pre-release (${PRE_PLATFORM_URL})`,
+    PRE_PLATFORM_URL
+  );
+  registerEnvAuthCommand(
+    auth,
+    getConfig2,
+    "status",
+    `Show login status (production, ${PROD_PLATFORM_URL})`,
+    { prod: true },
+    runStatus
+  );
+  registerEnvAuthCommand(
+    auth,
+    getConfig2,
+    "status-pre",
+    `Show login status (pre-release, ${PRE_PLATFORM_URL})`,
+    { pre: true },
+    runStatus
+  );
+  registerEnvAuthCommand(
+    auth,
+    getConfig2,
+    "refresh",
+    `Refresh access token (production, ${PROD_PLATFORM_URL})`,
+    { prod: true },
+    runRefresh
+  );
+  registerEnvAuthCommand(
+    auth,
+    getConfig2,
+    "refresh-pre",
+    `Refresh access token (pre-release, ${PRE_PLATFORM_URL})`,
+    { pre: true },
+    runRefresh
+  );
+  registerEnvAuthCommand(
+    auth,
+    getConfig2,
+    "logout",
+    `Log out from production (${PROD_PLATFORM_URL})`,
+    { prod: true },
+    runLogout
+  );
+  registerEnvAuthCommand(
+    auth,
+    getConfig2,
+    "logout-pre",
+    `Log out from pre-release (${PRE_PLATFORM_URL})`,
+    { pre: true },
+    runLogout
+  );
+}
+
+// src/qwenpaw/workspace.ts
+import { readFile, access, readdir, stat as stat2 } from "fs/promises";
+import { join as join2 } from "path";
+
+// src/utils/hash.ts
+import { createHash as createHash2 } from "crypto";
+import { createReadStream } from "fs";
+import { stat } from "fs/promises";
+import { hostname, userInfo } from "os";
+import { basename, join, posix, relative, resolve } from "path";
+async function sha256File(filePath) {
+  return new Promise((resolvePromise, reject) => {
+    const hash = createHash2("sha256");
+    const stream = createReadStream(filePath);
+    stream.on("data", (chunk) => hash.update(chunk));
+    stream.on("end", () => resolvePromise(hash.digest("hex")));
+    stream.on("error", reject);
+  });
+}
+function toPosixPath(p) {
+  return p.split("\\").join("/");
+}
+function guessContentType(filePath) {
+  const ext = basename(filePath).split(".").pop()?.toLowerCase();
+  const map = {
+    json: "application/json",
+    md: "text/markdown",
+    txt: "text/plain",
+    csv: "text/csv",
+    pdf: "application/pdf",
+    zip: "application/zip",
+    png: "image/png",
+    jpg: "image/jpeg",
+    jpeg: "image/jpeg"
+  };
+  return map[ext ?? ""] ?? "application/octet-stream";
+}
+async function fileStat(filePath) {
+  const s = await stat(filePath);
+  return {
+    bytes: s.size,
+    mtime: s.mtime.toISOString()
+  };
+}
+function remoteAgentId(localAgentId, custom) {
+  if (custom) return custom;
+  return `${localAgentId}_remote`;
+}
+function validateAgentId(agentId, allowRemoteSource = false) {
+  if (!/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/.test(agentId)) {
+    throw new Error(`Invalid agent id: ${agentId}`);
+  }
+  if (!allowRemoteSource && agentId.endsWith("_remote")) {
+    throw new Error(
+      `Agent id '${agentId}' ends with '_remote'. Use --allow-remote-source to override.`
+    );
+  }
+}
+function getMachineLabel() {
+  try {
+    const user = userInfo().username;
+    return `${user} ${hostname()}`;
+  } catch {
+    return "unknown";
+  }
+}
+
+// src/qwenpaw/workspace.ts
+function getAgentWorkspace(agentId) {
+  return join2(getQwenpawWorkspacesRoot(), agentId);
+}
+async function listLocalAgentIds() {
+  const root = getQwenpawWorkspacesRoot();
+  try {
+    const entries = await readdir(root, { withFileTypes: true });
+    return entries.filter((e) => e.isDirectory()).map((e) => e.name).sort();
+  } catch {
+    return [];
+  }
+}
+async function ensureAgentWorkspace(agentId) {
+  const ws = getAgentWorkspace(agentId);
+  const root = getQwenpawWorkspacesRoot();
+  try {
+    await access(ws);
+    return ws;
+  } catch {
+    const agents = await listLocalAgentIds();
+    if (agents.length === 0) {
+      throw new AspError(`Local QwenPaw workspace directory not found: ${root}`, {
+        code: "WORKSPACE_NOT_FOUND",
+        hint: "Install and create a local QwenPaw agent first, or set QWENPAW_WORKSPACES_DIR to your workspaces path."
+      });
+    }
+    throw new AspError(`Local agent '${agentId}' not found under ${root}`, {
+      code: "AGENT_NOT_FOUND",
+      hint: `Available agents: ${agents.join(", ")}. Run \`asp qwenpaw agents list\`.`
+    });
+  }
+}
+async function readAgentJson(agentId) {
+  const ws = await ensureAgentWorkspace(agentId);
+  const raw = await readFile(join2(ws, "agent.json"), "utf8");
+  return JSON.parse(raw);
+}
+function isExcluded(relPath) {
+  const posix2 = toPosixPath(relPath);
+  for (const pattern of EXCLUDED_PATTERNS) {
+    if (posix2 === pattern.replace(/\/$/, "") || posix2.startsWith(pattern)) {
+      return SENSITIVE_REASONS[pattern] ?? "excluded";
+    }
+  }
+  return null;
+}
+async function collectFilesRecursive(workspaceRoot, relDir, files, excluded) {
+  const absDir = join2(workspaceRoot, relDir);
+  let entries;
+  try {
+    entries = await readdir(absDir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    const rel = relDir ? `${relDir}/${entry.name}` : entry.name;
+    const posix2 = toPosixPath(rel);
+    const reason = isExcluded(posix2);
+    if (reason) {
+      if (!excluded.some((e) => e.path === posix2 || posix2.startsWith(`${e.path}/`))) {
+        excluded.push({ path: posix2.endsWith("/") ? posix2 : `${posix2}/`, reason });
+      }
+      continue;
+    }
+    if (entry.isDirectory()) {
+      await collectFilesRecursive(workspaceRoot, rel, files, excluded);
+    } else if (entry.isFile()) {
+      const abs = join2(workspaceRoot, rel);
+      const sha256 = await sha256File(abs);
+      const st = await fileStat(abs);
+      files.push({
+        path: posix2,
+        sha256,
+        bytes: st.bytes,
+        role: inferRole(posix2),
+        content_type: guessContentType(posix2),
+        mtime: st.mtime
+      });
+    }
+  }
+}
+function inferRole(path) {
+  if (path === "agent.json") return "agent_config";
+  if (path.endsWith(".md") && ["AGENTS.md", "SOUL.md", "PROFILE.md", "MEMORY.md"].includes(path))
+    return "persona";
+  if (path === "skill.json" || path.startsWith("skills/")) return "skill";
+  if (path.startsWith("memory/")) return "memory";
+  if (path === "jobs.json") return "jobs";
+  return "user_file";
+}
+async function buildSyncManifest(agentId, options = {}) {
+  const ws = await ensureAgentWorkspace(agentId);
+  const files = [];
+  const excluded = [];
+  for (const f of SYNC_DEFAULT_FILES) {
+    const abs = join2(ws, f);
+    try {
+      await stat2(abs);
+      const reason = isExcluded(f);
+      if (reason) {
+        excluded.push({ path: f, reason });
+        continue;
+      }
+      const sha256 = await sha256File(abs);
+      const st = await fileStat(abs);
+      files.push({
+        path: f,
+        sha256,
+        bytes: st.bytes,
+        role: inferRole(f),
+        content_type: guessContentType(f),
+        mtime: st.mtime
+      });
+    } catch {
+    }
+  }
+  if (options.includeMemoryDir !== false) {
+    await collectFilesRecursive(ws, "skills", files, excluded);
+    await collectFilesRecursive(ws, "memory", files, excluded);
+  }
+  if (options.includeJobs) {
+    const jobs = "jobs.json";
+    try {
+      await stat2(join2(ws, jobs));
+      const sha256 = await sha256File(join2(ws, jobs));
+      const st = await fileStat(join2(ws, jobs));
+      files.push({
+        path: jobs,
+        sha256,
+        bytes: st.bytes,
+        role: "jobs",
+        content_type: "application/json",
+        mtime: st.mtime
+      });
+    } catch {
+    }
+  }
+  const seen = /* @__PURE__ */ new Set();
+  const deduped = files.filter((f) => {
+    if (seen.has(f.path)) return false;
+    seen.add(f.path);
+    return true;
+  });
+  return { files: deduped, excluded };
+}
+
+// src/commands/qwenpaw/agents.ts
+function registerAgentsCommands(qwenpaw, getConfig2) {
+  const agents = qwenpaw.command("agents").description("Local QwenPaw agents");
+  agents.command("list").description("List local QwenPaw agent workspaces").action(async () => {
+    const config = getConfig2();
+    const root = getQwenpawWorkspacesRoot();
+    const ids = await listLocalAgentIds();
+    if (config.json) {
+      printJson({ workspaces_root: root, agents: ids });
+      return;
+    }
+    printInfo(`Workspaces root: ${root}`);
+    if (ids.length === 0) {
+      printInfo("No local agents found.");
+      printInfo("Create an agent in QwenPaw first, or set QWENPAW_WORKSPACES_DIR.");
+      return;
+    }
+    printTable(["AGENT ID"], ids.map((id) => [id]));
+  });
+}
+
+// src/api/qwenpaw-api.ts
+var QwenpawApiClient = class {
+  http;
+  constructor(config) {
+    this.http = new HttpClient(config);
+  }
+  req(opts) {
+    return this.http.request({ ...opts, prefix: QWENPAW_API_PREFIX });
+  }
+  listRemoteAgents(params = {}) {
+    const qs = new URLSearchParams(params).toString();
+    return this.req({ path: `/remote-agents${qs ? `?${qs}` : ""}` });
+  }
+  createRemoteAgent(body) {
+    return this.req({
+      method: "POST",
+      path: "/remote-agents",
+      body
+    });
+  }
+};
+
+// src/commands/qwenpaw/remote.ts
+async function runRemoteList(getConfig2, options, opts) {
+  const { config } = await resolveAuthContext(getConfig2, options);
+  const api = new QwenpawApiClient(config);
+  const params = { page_size: opts.pageSize };
+  if (opts.query) params.q = opts.query;
+  if (opts.status) params.status = opts.status;
+  if (opts.cursor) params.cursor = opts.cursor;
+  const res = await api.listRemoteAgents(params);
+  if (config.json) {
+    printJson({
+      platform_url: config.platformUrl,
+      environment: formatPlatformLabel(config.platformUrl),
+      ...res
+    });
+    return;
+  }
+  printInfo(`Environment: ${formatPlatformLabel(config.platformUrl)}`);
+  if (res.items.length === 0) {
+    printInfo("No remote agents found.");
+    return;
+  }
+  printTable(
+    ["REMOTE ID", "LOCAL ID", "STATUS", "UPDATED"],
+    res.items.map((a) => [
+      a.remote_agent_id,
+      a.local_agent_id ?? "-",
+      a.status,
+      a.latest_sync?.completed_at ?? a.created_at ?? "-"
+    ])
+  );
+  if (res.next_cursor) {
+    const cmd = options.pre ? "asp qwenpaw remote list-pre" : "asp qwenpaw remote list";
+    printInfo(`More results available. Use: ${cmd} --cursor ${res.next_cursor}`);
+  }
+}
+function registerListCommand(remote, getConfig2, name, description, env) {
+  remote.command(name).description(description).option("-q, --query <q>", "Search query").option("--status <status>", "Filter by status: creating|ready|syncing|error|archived").option("--page-size <n>", "Page size", "50").option("--cursor <cursor>", "Pagination cursor from previous response").action(async (opts) => {
+    await runRemoteList(getConfig2, env, opts);
+  });
+}
+function registerRemoteCommands(qwenpaw, getConfig2) {
+  const remote = qwenpaw.command("remote").description("Remote agent registry");
+  registerListCommand(
+    remote,
+    getConfig2,
+    "list",
+    `List remote agents on production (${PROD_PLATFORM_URL})`,
+    { prod: true }
+  );
+  registerListCommand(
+    remote,
+    getConfig2,
+    "list-pre",
+    `List remote agents on pre-release (${PRE_PLATFORM_URL})`,
+    { pre: true }
+  );
+}
+
+// src/qwenpaw/sync.ts
+async function ensureRemoteAgent(config, localAgentId, customRemoteId) {
+  const api = new QwenpawApiClient(config);
+  const rid = remoteAgentId(localAgentId, customRemoteId);
+  const existing = await api.listRemoteAgents({ q: rid });
+  const found = existing.items.find((a) => a.remote_agent_id === rid);
+  if (found) {
+    return { remoteAgentId: rid, created: false };
+  }
+  const agent = await readAgentJson(localAgentId).catch(() => ({ name: void 0 }));
+  const agentName = agent.name ?? localAgentId;
+  await api.createRemoteAgent({
+    local_agent_id: localAgentId,
+    local_agent_name: agentName,
+    remote_agent_id: rid,
+    remote_agent_name: `${agentName}_remote`,
+    source: {
+      kind: "local_qwenpaw",
+      qwenpaw_version: process.env.QWENPAW_VERSION ?? "unknown",
+      machine_label: getMachineLabel()
+    },
+    create_if_missing: true,
+    update_if_exists: false
+  });
+  return { remoteAgentId: rid, created: true };
+}
+async function runSyncAgent(config, localAgentId, options = {}) {
+  const manifest = await buildSyncManifest(localAgentId, {
+    includeJobs: options.includeJobs,
+    includeMemoryDir: options.includeMemoryDir
+  });
+  if (options.dryRun) {
+    return { manifest };
+  }
+  const { remoteAgentId: rid, created } = await ensureRemoteAgent(
+    config,
+    localAgentId,
+    options.remoteId
+  );
+  return { manifest, remoteAgentId: rid, created };
+}
+
+// src/commands/qwenpaw/sync.ts
+async function runSyncAgentCommand(getConfig2, agentId, env, opts) {
+  validateAgentId(agentId, opts.allowRemoteSource);
+  const syncOptions = {
+    dryRun: opts.dryRun,
+    includeJobs: opts.includeJobs,
+    includeMemoryDir: opts.memoryDir !== false,
+    remoteId: opts.remoteId
+  };
+  if (opts.dryRun) {
+    const result2 = await runSyncAgent(getConfig2(), agentId, syncOptions);
+    printSyncResult(getConfig2(), agentId, opts, result2, null);
+    return;
+  }
+  const { config } = await resolveAuthContext(getConfig2, env);
+  const result = await runSyncAgent(config, agentId, syncOptions);
+  printSyncResult(config, agentId, opts, result, config.platformUrl);
+}
+function printSyncResult(config, agentId, opts, result, platformUrl) {
+  if (config.json) {
+    printJson({
+      agent_id: agentId,
+      platform_url: platformUrl,
+      environment: platformUrl ? formatPlatformLabel(platformUrl) : "local",
+      dry_run: !!opts.dryRun,
+      ...result
+    });
+    return;
+  }
+  if (opts.dryRun) {
+    printInfo(`Sync preview for agent: ${agentId} (local only, no upload)`);
+    if (result.manifest.files.length > 0) {
+      printInfo("\nWill upload:");
+      for (const f of result.manifest.files) {
+        console.log(`  ${f.path}  (${formatBytes(f.bytes)})`);
+      }
+    } else {
+      printInfo("\nNo files to upload.");
+    }
+    if (result.manifest.excluded.length > 0) {
+      printInfo("\nExcluded:");
+      for (const e of result.manifest.excluded) {
+        console.log(`  ${e.path.padEnd(20)} ${e.reason}`);
+      }
+    }
+    return;
+  }
+  printInfo(`Environment: ${formatPlatformLabel(platformUrl)}`);
+  const rid = result.remoteAgentId;
+  if (result.created) {
+    printSuccess(`Created remote agent: ${rid}`);
+  } else {
+    printSuccess(`Remote agent already exists: ${rid}`);
+  }
+}
+function registerSyncAgentCommand(sync, getConfig2, name, description, env) {
+  sync.command(name).description(description).argument("<agent_id>", "Local QwenPaw agent id").option("--dry-run", "Preview files to sync without uploading").option("--remote-id <id>", "Custom remote agent id").option("--include-jobs", "Include jobs.json in sync manifest").option("--no-memory-dir", "Exclude memory/ directory from manifest").option("--allow-remote-source", "Allow agent ids ending with _remote").action(async (agentId, opts) => {
+    await runSyncAgentCommand(getConfig2, agentId, env, opts);
+  });
+}
+function registerSyncCommands(qwenpaw, getConfig2) {
+  const sync = qwenpaw.command("sync").description("Sync local agent to cloud");
+  registerSyncAgentCommand(
+    sync,
+    getConfig2,
+    "agent",
+    `Sync agent to production remote (${PROD_PLATFORM_URL})`,
+    { prod: true }
+  );
+  registerSyncAgentCommand(
+    sync,
+    getConfig2,
+    "agent-pre",
+    `Sync agent to pre-release remote (${PRE_PLATFORM_URL})`,
+    { pre: true }
+  );
+}
+
+// src/commands/qwenpaw/index.ts
+function registerQwenpawCommands(program2, getConfig2) {
+  const qwenpaw = program2.command("qwenpaw").description("QwenPaw cloud sync commands");
+  registerAgentsCommands(qwenpaw, getConfig2);
+  registerRemoteCommands(qwenpaw, getConfig2);
+  registerSyncCommands(qwenpaw, getConfig2);
+}
+
+// src/cli.ts
+var globalOpts = {};
+var program = new Command().name("asp").description("AgentScope Platform CLI").version(CLI_VERSION).option("--platform-url <url>", "Custom Platform base URL (advanced)").option("--token <token>", "Access token (overrides stored credentials)").option("-v, --verbose", "Verbose logging").option("--json", "Output JSON").hook("preAction", (thisCommand) => {
+  const opts = thisCommand.opts();
+  globalOpts.platformUrl = opts.platformUrl;
+  globalOpts.token = opts.token;
+  globalOpts.verbose = opts.verbose;
+  globalOpts.json = opts.json;
+});
+var getConfig = () => resolveConfig(globalOpts);
+registerAuthCommands(program, getConfig);
+registerQwenpawCommands(program, getConfig);
+async function main() {
+  try {
+    await program.parseAsync(process.argv);
+  } catch (err) {
+    if (err instanceof AspError) {
+      printError(`${err.message} [${err.code}]`);
+      if (err.hint) printError(`Hint: ${err.hint}`);
+      if (err.requestId) printError(`Request ID: ${err.requestId}`);
+      process.exit(err.exitCode);
+    }
+    if (err instanceof Error) {
+      printError(err.message);
+      if (globalOpts.verbose && err.stack) console.error(err.stack);
+      process.exit(1);
+    }
+    throw err;
+  }
+}
+main();
+//# sourceMappingURL=cli.js.map