@m-kopa/launchpad-cli 0.23.0

package/skills/marquee-share/dist/cli.js

@@ -0,0 +1,896 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import * as fs2 from "node:fs/promises";
+import { pathToFileURL } from "node:url";
+
+// src/config.ts
+import * as os from "node:os";
+import * as path from "node:path";
+var DEFAULT_RESOURCE_URL = "https://marquee.launchpad.m-kopa.us";
+function readOverride(value) {
+  if (value === undefined)
+    return;
+  const trimmed = value.trim();
+  return trimmed.length === 0 ? undefined : trimmed;
+}
+function isLoopbackHost(host) {
+  const h = host.toLowerCase();
+  return h === "localhost" || h.endsWith(".localhost") || h === "127.0.0.1" || h === "::1" || h === "[::1]";
+}
+function loadConfig(env = process.env) {
+  const resourceUrl = readOverride(env.MARQUEE_RESOURCE_URL)?.replace(/\/+$/, "") ?? DEFAULT_RESOURCE_URL;
+  let parsedResourceUrl;
+  try {
+    parsedResourceUrl = new URL(resourceUrl);
+  } catch {
+    throw new Error(`MARQUEE_RESOURCE_URL must be a valid absolute URL (got: ${resourceUrl})`);
+  }
+  if (parsedResourceUrl.protocol === "http:") {
+    if (!isLoopbackHost(parsedResourceUrl.hostname)) {
+      throw new Error(`MARQUEE_RESOURCE_URL must use https: for non-loopback hosts; ` + `http: is permitted only for localhost / 127.0.0.1 / ::1 ` + `(got: ${resourceUrl})`);
+    }
+  } else if (parsedResourceUrl.protocol !== "https:") {
+    throw new Error(`MARQUEE_RESOURCE_URL must use https: (or http: for loopback hosts); ` + `got: ${parsedResourceUrl.protocol}`);
+  }
+  const sessionPath = readOverride(env.MARQUEE_SESSION_PATH) ?? path.join(os.homedir(), ".marquee", "session.json");
+  return { resourceUrl, sessionPath };
+}
+
+// src/auth/flow.ts
+import { randomBytes as randomBytes3 } from "node:crypto";
+
+// src/auth/callback-server.ts
+import {
+  createServer
+} from "node:http";
+
+class CallbackError extends Error {
+  code = "callback_error";
+}
+async function bindCallbackServer(expectedState) {
+  let resolveResult;
+  let rejectResult;
+  const result = new Promise((resolve, reject) => {
+    resolveResult = resolve;
+    rejectResult = reject;
+  });
+  const server = createServer((req, res) => {
+    handleRequest(req, res, expectedState, resolveResult, rejectResult);
+  });
+  await new Promise((resolve, reject) => {
+    server.once("error", reject);
+    server.listen(0, "127.0.0.1", () => resolve());
+  });
+  const addr = server.address();
+  if (addr === null || typeof addr === "string") {
+    server.close();
+    throw new CallbackError(`callback server: failed to bind`);
+  }
+  let closed = false;
+  const close = async () => {
+    if (closed)
+      return;
+    closed = true;
+    await new Promise((resolve) => server.close(() => resolve()));
+  };
+  const cancel = async (reason) => {
+    rejectResult(new CallbackError(`callback server cancelled: ${reason}`));
+    await close();
+  };
+  return { port: addr.port, result, close, cancel };
+}
+function handleRequest(req, res, expectedState, resolveResult, rejectResult) {
+  const url = new URL(req.url ?? "/", "http://127.0.0.1");
+  if (url.pathname !== "/callback") {
+    res.statusCode = 404;
+    res.setHeader("content-type", "text/plain");
+    res.end("not found");
+    return;
+  }
+  const error = url.searchParams.get("error");
+  if (error !== null) {
+    const desc = url.searchParams.get("error_description") ?? "";
+    res.statusCode = 400;
+    res.setHeader("content-type", "text/html");
+    res.end(htmlPage(`Authentication failed: ${error}. ${desc}`));
+    rejectResult(new CallbackError(`authorization endpoint returned error=${error}: ${desc}`));
+    return;
+  }
+  const code = url.searchParams.get("code");
+  const state = url.searchParams.get("state");
+  if (code === null || state === null) {
+    res.statusCode = 400;
+    res.setHeader("content-type", "text/plain");
+    res.end("missing code or state");
+    return;
+  }
+  if (state !== expectedState) {
+    res.statusCode = 400;
+    res.setHeader("content-type", "text/plain");
+    res.end("state mismatch");
+    rejectResult(new CallbackError(`OAuth callback state mismatch — possible CSRF, aborting`));
+    return;
+  }
+  res.statusCode = 200;
+  res.setHeader("content-type", "text/html");
+  res.end(htmlPage("Logged in. You can close this tab."));
+  resolveResult({ code, state });
+}
+function htmlPage(message) {
+  return `<!doctype html>
+<html><head><meta charset="utf-8"><title>marquee</title>
+<style>body{font:16px/1.5 system-ui,sans-serif;padding:3rem;color:#222}h1{font-size:1.2rem;margin:0 0 1rem}</style>
+</head><body><h1>marquee</h1><p>${escapeHtml(message)}</p></body></html>`;
+}
+function escapeHtml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+
+// src/auth/discovery.ts
+class DiscoveryError extends Error {
+  code = "discovery_error";
+}
+async function discoverOauthEndpoints(resourceUrl, fetcher = fetch) {
+  const wellKnownUrl = `${resourceUrl}/.well-known/cloudflare-access-protected-resource/`;
+  const resourceMeta = await fetchJson(fetcher, wellKnownUrl);
+  if (!Array.isArray(resourceMeta.authorization_servers) || typeof resourceMeta.authorization_servers[0] !== "string") {
+    throw new DiscoveryError(`discovery: ${wellKnownUrl} returned no authorization_servers entry`);
+  }
+  const rawResource = typeof resourceMeta.resource === "string" ? resourceMeta.resource.trim() : "";
+  const resource = rawResource.length > 0 ? rawResource : resourceUrl;
+  const rawServer = resourceMeta.authorization_servers[0];
+  let parsed;
+  try {
+    parsed = new URL(rawServer);
+  } catch {
+    throw new DiscoveryError(`${wellKnownUrl}: authorization_servers[0] is not a valid URL: ${rawServer}`);
+  }
+  if (parsed.protocol !== "https:") {
+    throw new DiscoveryError(`${wellKnownUrl}: authorization_servers[0] is not https: ${rawServer}`);
+  }
+  const server = rawServer.replace(/\/+$/, "");
+  const serverUrl = `${server}/.well-known/oauth-authorization-server`;
+  const serverMeta = await fetchJson(fetcher, serverUrl);
+  const authorizationEndpoint = requireHttpsString(serverMeta, "authorization_endpoint", serverUrl);
+  const tokenEndpoint = requireHttpsString(serverMeta, "token_endpoint", serverUrl);
+  const registrationEndpoint = requireHttpsString(serverMeta, "registration_endpoint", serverUrl);
+  return {
+    authorizationEndpoint,
+    tokenEndpoint,
+    registrationEndpoint,
+    resource
+  };
+}
+async function fetchJson(fetcher, url) {
+  let res;
+  try {
+    res = await fetcher(url, { method: "GET" });
+  } catch (e) {
+    throw new DiscoveryError(`discovery: network error fetching ${url}: ${describe(e)}`);
+  }
+  if (!res.ok) {
+    throw new DiscoveryError(`discovery: ${url} returned HTTP ${res.status}`);
+  }
+  try {
+    return await res.json();
+  } catch (e) {
+    throw new DiscoveryError(`discovery: ${url} returned non-JSON body: ${describe(e)}`);
+  }
+}
+function requireHttpsString(obj, key, source) {
+  const v = obj[key];
+  if (typeof v !== "string") {
+    throw new DiscoveryError(`${source} missing string ${key}`);
+  }
+  if (!v.startsWith("https://")) {
+    throw new DiscoveryError(`${source} ${key} is not https: ${v}`);
+  }
+  return v;
+}
+function describe(e) {
+  return e instanceof Error ? e.message : String(e);
+}
+
+// src/auth/pkce.ts
+import { randomBytes, createHash } from "node:crypto";
+var MAX_PKCE_REGEN_ATTEMPTS = 32;
+
+class PkceGenerationError extends Error {
+  code = "pkce_generation_failed";
+}
+function generatePkcePair(rng = (s) => new Uint8Array(randomBytes(s))) {
+  for (let attempt = 0;attempt < MAX_PKCE_REGEN_ATTEMPTS; attempt++) {
+    const verifierBytes = rng(32);
+    const verifier = base64Url(verifierBytes);
+    const challenge = sha256Base64Url(verifier);
+    if (/^[a-zA-Z0-9]/.test(challenge)) {
+      return { verifier, challenge };
+    }
+  }
+  throw new PkceGenerationError(`could not produce a Cloudflare-acceptable PKCE challenge after ${MAX_PKCE_REGEN_ATTEMPTS} attempts; check the RNG`);
+}
+function sha256Base64Url(verifier) {
+  const hash = createHash("sha256").update(verifier).digest();
+  return base64Url(hash);
+}
+function base64Url(bytes) {
+  const buf = Buffer.isBuffer(bytes) ? bytes : Buffer.from(bytes);
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+
+// src/auth/registration.ts
+class RegistrationError extends Error {
+  code = "registration_error";
+}
+async function registerClient(registrationEndpoint, redirectUri, fetcher = fetch) {
+  const body = {
+    client_name: "marquee-share-skill",
+    redirect_uris: [redirectUri],
+    token_endpoint_auth_method: "none",
+    grant_types: ["authorization_code", "refresh_token"],
+    response_types: ["code"]
+  };
+  let res;
+  try {
+    res = await fetcher(registrationEndpoint, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json"
+      },
+      body: JSON.stringify(body)
+    });
+  } catch (e) {
+    throw new RegistrationError(`registration: network error: ${describe2(e)}`);
+  }
+  if (!res.ok) {
+    const detail = await res.text().catch(() => "");
+    throw new RegistrationError(`registration: ${registrationEndpoint} returned HTTP ${res.status}: ${detail.slice(0, 200)}`);
+  }
+  let parsed;
+  try {
+    parsed = await res.json();
+  } catch (e) {
+    throw new RegistrationError(`registration: non-JSON response: ${describe2(e)}`);
+  }
+  if (parsed === null || typeof parsed !== "object" || typeof parsed.client_id !== "string") {
+    throw new RegistrationError(`registration: response missing string client_id`);
+  }
+  return { clientId: parsed.client_id };
+}
+function describe2(e) {
+  return e instanceof Error ? e.message : String(e);
+}
+
+// src/auth/token.ts
+class TokenError extends Error {
+  code = "token_error";
+  httpStatus;
+  constructor(message, httpStatus) {
+    super(message);
+    this.name = "TokenError";
+    if (httpStatus !== undefined)
+      this.httpStatus = httpStatus;
+  }
+}
+async function exchangeCodeForTokens(params, fetcher = fetch) {
+  const form = new URLSearchParams({
+    grant_type: "authorization_code",
+    client_id: params.clientId,
+    code: params.code,
+    code_verifier: params.codeVerifier,
+    redirect_uri: params.redirectUri,
+    resource: params.resource
+  });
+  return postTokenForm(params.tokenEndpoint, form, fetcher);
+}
+async function refreshTokens(params, fetcher = fetch) {
+  const form = new URLSearchParams({
+    grant_type: "refresh_token",
+    client_id: params.clientId,
+    refresh_token: params.refreshToken,
+    resource: params.resource
+  });
+  return postTokenForm(params.tokenEndpoint, form, fetcher);
+}
+async function postTokenForm(tokenEndpoint, form, fetcher) {
+  let res;
+  try {
+    res = await fetcher(tokenEndpoint, {
+      method: "POST",
+      headers: {
+        "content-type": "application/x-www-form-urlencoded",
+        accept: "application/json"
+      },
+      body: form.toString()
+    });
+  } catch (e) {
+    throw new TokenError(`token endpoint: network error: ${describe3(e)}`);
+  }
+  if (!res.ok) {
+    const detail = await res.text().catch(() => "");
+    let oauthError = "";
+    try {
+      const parsed2 = JSON.parse(detail);
+      if (typeof parsed2.error === "string") {
+        oauthError = ` (${parsed2.error})`;
+      }
+    } catch {}
+    throw new TokenError(`token endpoint ${tokenEndpoint} returned HTTP ${res.status}${oauthError}`, res.status);
+  }
+  let parsed;
+  try {
+    parsed = await res.json();
+  } catch (e) {
+    throw new TokenError(`token endpoint: non-JSON response: ${describe3(e)}`);
+  }
+  if (parsed === null || typeof parsed !== "object") {
+    throw new TokenError(`token endpoint: response is not an object`);
+  }
+  const obj = parsed;
+  if (typeof obj.access_token !== "string") {
+    throw new TokenError(`token endpoint: response missing access_token`);
+  }
+  if (typeof obj.refresh_token !== "string") {
+    throw new TokenError(`token endpoint: response missing refresh_token`);
+  }
+  const expiresIn = obj.expires_in;
+  if (typeof expiresIn !== "number" || !Number.isFinite(expiresIn) || expiresIn <= 0) {
+    throw new TokenError(`token endpoint: response missing positive finite numeric expires_in (got ${String(expiresIn)})`);
+  }
+  return {
+    accessToken: obj.access_token,
+    refreshToken: obj.refresh_token,
+    expiresInSec: expiresIn
+  };
+}
+function describe3(e) {
+  return e instanceof Error ? e.message : String(e);
+}
+
+// src/auth/session.ts
+import * as fs from "node:fs/promises";
+import * as path2 from "node:path";
+import { randomBytes as randomBytes2 } from "node:crypto";
+var SESSION_VERSION = 1;
+
+class SessionParseError extends Error {
+  code = "session_parse_error";
+}
+async function readSession(sessionPath) {
+  let raw;
+  try {
+    raw = await fs.readFile(sessionPath, "utf8");
+  } catch (e) {
+    if (isErrno(e) && e.code === "ENOENT")
+      return null;
+    throw e;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (e) {
+    throw new SessionParseError(`session file at ${sessionPath} is not valid JSON: ${describe4(e)}`);
+  }
+  if (typeof parsed !== "object" || parsed === null) {
+    throw new SessionParseError(`session file at ${sessionPath} is not an object`);
+  }
+  const obj = parsed;
+  if (obj.version !== SESSION_VERSION) {
+    throw new SessionParseError(`unsupported session version ${String(obj.version)} at ${sessionPath}; expected ${SESSION_VERSION}`);
+  }
+  for (const k of [
+    "accessToken",
+    "refreshToken",
+    "clientId",
+    "tokenEndpoint",
+    "issuedAt"
+  ]) {
+    if (typeof obj[k] !== "string") {
+      throw new SessionParseError(`session file at ${sessionPath}: missing or non-string ${k}`);
+    }
+  }
+  if (typeof obj.accessTokenExpiresAt !== "number" || !Number.isFinite(obj.accessTokenExpiresAt) || obj.accessTokenExpiresAt <= 0) {
+    throw new SessionParseError(`session file at ${sessionPath}: missing or invalid accessTokenExpiresAt`);
+  }
+  if (obj.resource !== undefined && typeof obj.resource !== "string") {
+    throw new SessionParseError(`session file at ${sessionPath}: resource present but not a string`);
+  }
+  return obj;
+}
+async function writeSession(sessionPath, session) {
+  const dir = path2.dirname(sessionPath);
+  await fs.mkdir(dir, { recursive: true, mode: 448 });
+  try {
+    await fs.chmod(dir, 448);
+  } catch {}
+  const tmp = `${sessionPath}.${process.pid}.${Date.now()}.${randomBytes2(4).toString("hex")}.tmp`;
+  try {
+    await fs.writeFile(tmp, JSON.stringify(session, null, 2), {
+      encoding: "utf8",
+      mode: 384
+    });
+    await fs.rename(tmp, sessionPath);
+  } catch (e) {
+    await fs.unlink(tmp).catch(() => {
+      return;
+    });
+    throw e;
+  }
+}
+async function clearSession(sessionPath) {
+  try {
+    await fs.unlink(sessionPath);
+    return true;
+  } catch (e) {
+    if (isErrno(e) && e.code === "ENOENT")
+      return false;
+    throw e;
+  }
+}
+function isErrno(e) {
+  return e instanceof Error && typeof e.code === "string";
+}
+function describe4(e) {
+  return e instanceof Error ? e.message : String(e);
+}
+
+// src/auth/browser.ts
+import { spawn } from "node:child_process";
+
+class BrowserOpenError extends Error {
+  code = "browser_open_error";
+}
+async function openBrowser(url, platform = process.platform, spawner = spawn) {
+  const { command, args } = chooseOpener(platform, url);
+  return new Promise((resolve, reject) => {
+    const child = spawner(command, args, {
+      stdio: "ignore",
+      detached: true
+    });
+    child.once("error", (err) => {
+      reject(new BrowserOpenError(`could not open browser via ${command}: ${err.message}`));
+    });
+    child.once("spawn", () => {
+      child.unref();
+      resolve();
+    });
+  });
+}
+function chooseOpener(platform, url) {
+  switch (platform) {
+    case "darwin":
+      return { command: "open", args: [url] };
+    case "win32":
+      return { command: "cmd", args: ["/c", "start", "", url] };
+    default:
+      return { command: "xdg-open", args: [url] };
+  }
+}
+
+// src/auth/flow.ts
+class LoginRequiredError extends Error {
+  code = "login_required";
+}
+var REFRESH_SKEW_MS = 30000;
+var CALLBACK_TIMEOUT_MS = 5 * 60000;
+async function login(opts) {
+  const fetcher = opts.fetcher ?? fetch;
+  const opener = opts.browserOpener ?? ((url) => openBrowser(url));
+  const endpoints = await discoverOauthEndpoints(opts.resourceUrl, fetcher);
+  const state = randomBytes3(16).toString("hex");
+  const server = await bindCallbackServer(state);
+  try {
+    const redirectUri = `http://127.0.0.1:${server.port}/callback`;
+    const reg = await registerClient(endpoints.registrationEndpoint, redirectUri, fetcher);
+    const pkce = generatePkcePair();
+    const authUrl = buildAuthorizationUrl({
+      authorizationEndpoint: endpoints.authorizationEndpoint,
+      clientId: reg.clientId,
+      redirectUri,
+      challenge: pkce.challenge,
+      state,
+      resource: endpoints.resource
+    });
+    opts.onAuthUrl?.(authUrl);
+    try {
+      await opener(authUrl);
+    } catch (e) {
+      opts.onAuthUrl?.(`(could not auto-open browser: ${describe5(e)} — copy the URL above into a browser instead)`);
+    }
+    let callbackTimer;
+    const callback = await Promise.race([
+      server.result,
+      new Promise((_, reject) => {
+        callbackTimer = setTimeout(() => reject(new LoginRequiredError("timed out waiting for the browser callback — run `marquee login` again")), CALLBACK_TIMEOUT_MS);
+      })
+    ]).finally(() => {
+      if (callbackTimer !== undefined)
+        clearTimeout(callbackTimer);
+    });
+    const tokens = await exchangeCodeForTokens({
+      tokenEndpoint: endpoints.tokenEndpoint,
+      clientId: reg.clientId,
+      code: callback.code,
+      codeVerifier: pkce.verifier,
+      redirectUri,
+      resource: endpoints.resource
+    }, fetcher);
+    const session = {
+      version: SESSION_VERSION,
+      accessToken: tokens.accessToken,
+      refreshToken: tokens.refreshToken,
+      accessTokenExpiresAt: Date.now() + tokens.expiresInSec * 1000,
+      clientId: reg.clientId,
+      tokenEndpoint: endpoints.tokenEndpoint,
+      resource: endpoints.resource,
+      issuedAt: new Date().toISOString()
+    };
+    await writeSession(opts.sessionPath, session);
+    return session;
+  } finally {
+    await server.close();
+  }
+}
+async function getValidAccessToken(sessionPath, fetcher = fetch, now = Date.now) {
+  const session = await readSession(sessionPath);
+  if (session === null) {
+    throw new LoginRequiredError("no session — run `marquee login`");
+  }
+  if (session.accessTokenExpiresAt - REFRESH_SKEW_MS > now()) {
+    return { accessToken: session.accessToken, session };
+  }
+  if (session.resource === undefined) {
+    throw new LoginRequiredError("session is missing the resource indicator — run `marquee login`");
+  }
+  let next;
+  try {
+    next = await refreshTokens({
+      tokenEndpoint: session.tokenEndpoint,
+      clientId: session.clientId,
+      refreshToken: session.refreshToken,
+      resource: session.resource
+    }, fetcher);
+  } catch (e) {
+    if (e instanceof TokenError && e.httpStatus !== undefined && e.httpStatus >= 400 && e.httpStatus < 500) {
+      throw new LoginRequiredError(`session expired — run \`marquee login\` (token endpoint said: ${e.message})`);
+    }
+    throw e;
+  }
+  const refreshed = {
+    ...session,
+    accessToken: next.accessToken,
+    refreshToken: next.refreshToken,
+    accessTokenExpiresAt: now() + next.expiresInSec * 1000,
+    issuedAt: new Date(now()).toISOString()
+  };
+  await writeSession(sessionPath, refreshed);
+  return { accessToken: refreshed.accessToken, session: refreshed };
+}
+function describe5(e) {
+  return e instanceof Error ? e.message : String(e);
+}
+function buildAuthorizationUrl(params) {
+  const u = new URL(params.authorizationEndpoint);
+  u.searchParams.set("client_id", params.clientId);
+  u.searchParams.set("redirect_uri", params.redirectUri);
+  u.searchParams.set("response_type", "code");
+  u.searchParams.set("code_challenge", params.challenge);
+  u.searchParams.set("code_challenge_method", "S256");
+  u.searchParams.set("state", params.state);
+  u.searchParams.set("resource", params.resource);
+  return u.toString();
+}
+
+// src/auth/index.ts
+function resolveConfig(opts) {
+  return opts.config ?? loadConfig();
+}
+function diag(opts, line) {
+  (opts.onDiagnostic ?? ((l) => console.error(l)))(line);
+}
+async function login2(opts = {}) {
+  const cfg = resolveConfig(opts);
+  diag(opts, "Opening browser to authenticate with Cloudflare Access…");
+  diag(opts, "(if it doesn't open automatically, copy the URL below)");
+  const session = await login({
+    resourceUrl: cfg.resourceUrl,
+    sessionPath: cfg.sessionPath,
+    onAuthUrl: (url) => diag(opts, url),
+    ...opts.fetcher !== undefined ? { fetcher: opts.fetcher } : {},
+    ...opts.browserOpener !== undefined ? { browserOpener: opts.browserOpener } : {}
+  });
+  diag(opts, `Logged in. Session stored at ${cfg.sessionPath}`);
+  return session;
+}
+async function logout(opts = {}) {
+  const cfg = resolveConfig(opts);
+  const had = await clearSession(cfg.sessionPath);
+  diag(opts, had ? `Logged out. Session cleared at ${cfg.sessionPath}` : "Already logged out.");
+  return had;
+}
+async function getValidToken(opts = {}) {
+  const cfg = resolveConfig(opts);
+  const interactive = opts.interactive ?? true;
+  const fetcher = opts.fetcher ?? fetch;
+  const now = opts.now ?? Date.now;
+  try {
+    const { accessToken } = await getValidAccessToken(cfg.sessionPath, fetcher, now);
+    return accessToken;
+  } catch (e) {
+    if (e instanceof LoginRequiredError) {
+      if (!interactive) {
+        throw e;
+      }
+      diag(opts, "No valid Marquee session — starting a browser login…");
+      const session = await login2(opts);
+      return session.accessToken;
+    }
+    throw e;
+  }
+}
+
+// src/render/template.ts
+var BRAND_GREEN = "#00b140";
+var INK = "#1a1a1a";
+var DEFAULT_TITLE = "Shared via Marquee";
+function escapeHtml2(value) {
+  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+var STYLE = `
+  :root { --brand-green: ${BRAND_GREEN}; --ink: ${INK}; }
+  * { box-sizing: border-box; }
+  html, body { margin: 0; padding: 0; }
+  body {
+    background: #ffffff;
+    color: var(--ink);
+    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto,
+      Helvetica, Arial, sans-serif;
+    line-height: 1.6;
+    -webkit-text-size-adjust: 100%;
+  }
+  .marquee-shell {
+    max-width: 760px;
+    margin: 0 auto;
+    padding: 40px 24px 64px;
+  }
+  .marquee-header {
+    border-bottom: 3px solid var(--brand-green);
+    padding-bottom: 16px;
+    margin-bottom: 32px;
+  }
+  .marquee-eyebrow {
+    font-size: 12px;
+    font-weight: 700;
+    letter-spacing: 0.08em;
+    text-transform: uppercase;
+    color: var(--brand-green);
+    margin: 0 0 6px;
+  }
+  .marquee-title {
+    font-size: 28px;
+    font-weight: 700;
+    color: var(--ink);
+    margin: 0;
+  }
+  .marquee-content {
+    font-size: 16px;
+  }
+  .marquee-content a { color: var(--brand-green); }
+  .marquee-content pre,
+  .marquee-content code {
+    font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+  }
+  .marquee-content pre {
+    background: #f5f5f5;
+    border-left: 3px solid var(--brand-green);
+    padding: 12px 16px;
+    overflow-x: auto;
+  }
+  .marquee-footer {
+    margin-top: 48px;
+    padding-top: 16px;
+    border-top: 1px solid #e6e6e6;
+    font-size: 12px;
+    color: #6b6b6b;
+  }
+`.trim();
+function renderBrandedDocument(input) {
+  const safeTitle = escapeHtml2(input.title.trim().length > 0 ? input.title : DEFAULT_TITLE);
+  const shellPrefix = `<!DOCTYPE html>
+` + `<html lang="en">
+` + `<head>
+` + `<meta charset="utf-8">
+` + `<meta name="viewport" content="width=device-width, initial-scale=1">
+` + `<title>${safeTitle}</title>
+` + `<style>${STYLE}</style>
+` + `</head>
+` + `<body>
+` + `<main class="marquee-shell">
+` + `<header class="marquee-header">
+` + `<p class="marquee-eyebrow">M-KOPA</p>
+` + `<h1 class="marquee-title">${safeTitle}</h1>
+` + `</header>
+` + `<article class="marquee-content">
+`;
+  const shellSuffix = `
+</article>
+` + `<footer class="marquee-footer">Shared via Marquee</footer>
+` + `</main>
+` + `</body>
+` + `</html>
+`;
+  return shellPrefix + input.contentHtml + shellSuffix;
+}
+
+// src/upload/upload.ts
+var DEFAULT_UPLOAD_TIMEOUT_MS = 30000;
+
+class MarqueeUploadError extends Error {
+  status;
+  constructor(message, status) {
+    super(message);
+    this.name = "MarqueeUploadError";
+    this.status = status;
+  }
+}
+async function shareToMarquee(input, options = {}) {
+  const config = options.config ?? loadConfig();
+  const fetcher = options.fetcher ?? fetch;
+  const tokenProvider = options.tokenProvider ?? (() => getValidToken());
+  const timeoutMs = options.timeoutMs ?? DEFAULT_UPLOAD_TIMEOUT_MS;
+  const document = renderBrandedDocument({
+    title: input.title,
+    contentHtml: input.contentHtml
+  });
+  const token = await tokenProvider();
+  const endpoint = `${config.resourceUrl}/api/uploads`;
+  let response;
+  const controller = new AbortController;
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    response = await fetcher(endpoint, {
+      method: "POST",
+      headers: {
+        "content-type": "text/html; charset=utf-8",
+        authorization: `Bearer ${token}`
+      },
+      body: document,
+      signal: controller.signal
+    });
+  } catch (_e) {
+    throw new MarqueeUploadError("upload request failed (network error)", 0);
+  } finally {
+    clearTimeout(timer);
+  }
+  if (!response.ok) {
+    throw new MarqueeUploadError(`Marquee upload failed with HTTP ${response.status}`, response.status);
+  }
+  let parsed;
+  try {
+    parsed = await response.json();
+  } catch (_e) {
+    throw new MarqueeUploadError("Marquee upload returned a non-JSON response", response.status);
+  }
+  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new MarqueeUploadError("Marquee upload response was not a JSON object", response.status);
+  }
+  const shape = parsed;
+  if (typeof shape.view_url !== "string" || shape.view_url.length === 0) {
+    throw new MarqueeUploadError("Marquee upload response did not include a view_url", response.status);
+  }
+  return {
+    viewUrl: shape.view_url,
+    ...typeof shape.id === "string" ? { id: shape.id } : {}
+  };
+}
+// src/cli.ts
+var USAGE = `marquee-share — share an AI-chat result to Marquee.
+
+Usage:
+  marquee-share login              Authenticate with Marquee (one-time browser login).
+  marquee-share logout             Clear the cached Marquee session.
+  marquee-share share [file]       Wrap an HTML document, upload it, print the view URL.
+                                   Reads the document from [file], or from stdin if omitted.
+    --title <text>                 Title for the branded document (default: "Shared via Marquee").
+
+The 'share' command prints ONLY the resulting view URL to stdout.`;
+function parseShareArgs(args) {
+  let title = "Shared via Marquee";
+  let file;
+  for (let i = 0;i < args.length; i++) {
+    const arg = args[i];
+    if (arg === "--title") {
+      const value = args[i + 1];
+      if (value === undefined) {
+        throw new Error("--title requires a value");
+      }
+      title = value;
+      i++;
+      continue;
+    }
+    if (arg.startsWith("--title=")) {
+      title = arg.slice("--title=".length);
+      continue;
+    }
+    if (arg.startsWith("-")) {
+      throw new Error(`unknown option: ${arg}`);
+    }
+    if (file !== undefined) {
+      throw new Error("share accepts at most one file argument");
+    }
+    file = arg;
+  }
+  return file !== undefined ? { file, title } : { title };
+}
+async function runShare(deps, rest) {
+  const { file, title } = parseShareArgs(rest);
+  const contentHtml = file !== undefined ? await deps.readFile(file) : await deps.readStdin();
+  if (contentHtml.trim().length === 0) {
+    deps.stderr("error: no HTML content to share (input was empty)");
+    return 1;
+  }
+  const result = await deps.shareToMarquee({ title, contentHtml });
+  deps.stdout(result.viewUrl);
+  return 0;
+}
+async function run(deps) {
+  const [subcommand, ...rest] = deps.argv;
+  if (subcommand === undefined || subcommand === "--help" || subcommand === "-h") {
+    deps.stderr(USAGE);
+    return subcommand === undefined ? 1 : 0;
+  }
+  try {
+    switch (subcommand) {
+      case "login": {
+        await deps.login({ onDiagnostic: deps.stderr });
+        return 0;
+      }
+      case "logout": {
+        await deps.logout({ onDiagnostic: deps.stderr });
+        return 0;
+      }
+      case "share": {
+        return await runShare(deps, rest);
+      }
+      default: {
+        deps.stderr(`error: unknown command "${subcommand}"`);
+        deps.stderr(USAGE);
+        return 1;
+      }
+    }
+  } catch (e) {
+    const message = e instanceof Error ? e.message : String(e);
+    deps.stderr(`error: ${message}`);
+    return 1;
+  }
+}
+async function main() {
+  const code = await run({
+    argv: process.argv.slice(2),
+    stdout: (line) => process.stdout.write(`${line}
+`),
+    stderr: (line) => process.stderr.write(`${line}
+`),
+    readStdin: async () => {
+      const chunks = [];
+      for await (const chunk of process.stdin) {
+        chunks.push(Buffer.from(chunk));
+      }
+      return Buffer.concat(chunks).toString("utf8");
+    },
+    readFile: (path3) => fs2.readFile(path3, "utf8"),
+    login: login2,
+    logout,
+    shareToMarquee
+  });
+  process.exitCode = code;
+}
+var invokedDirectly = process.argv[1] !== undefined && import.meta.url === pathToFileURL(process.argv[1]).href;
+if (invokedDirectly) {
+  main();
+}
+export {
+  run
+};