@m-kopa/launchpad-cli 0.23.0

package/README.md

@@ -0,0 +1,109 @@
+# `@m-kopa/launchpad-cli`
+
+The user-facing CLI for Launchpad. Talks to the portal-bot endpoints
+shipped under SCOPE-M-760 / T4 (`/apps/<slug>/source-bundle`,
+`/apps/<slug>/deploy-pr`, `/apps/<slug>/review/<prNumber>`,
+`/apps/<slug>/merge/<prNumber>`).
+
+## Status
+
+**Released**, published to **public npm**. The CLI delivers the full
+SCOPE-M-760 command surface plus follow-on commands; every release is
+documented in `CHANGELOG.md`.
+
+```bash
+npm i -g @m-kopa/launchpad-cli     # or: bun add -g / pnpm add -g
+launchpad login                     # authenticate against the M-KOPA SSO
+launchpad skills install            # install the Claude Code slash-commands
+```
+
+`@m-kopa/launchpad-cli` is published to **public npmjs** — `npm i -g
+@m-kopa/launchpad-cli` works on any machine with **no `~/.npmrc` setup,
+no auth token, and no antivirus block** (a registry install carries no
+embedded payload, unlike the legacy self-contained installer). Once
+installed, `launchpad update` keeps it current. Access to *apps* is still
+gated by M-KOPA SSO at `launchpad login`; only the install is public.
+
+| Command | What it does |
+| ------- | ------------ |
+| `login` / `logout` | Start / clear a Cloudflare Access OAuth session |
+| `whoami` | Show the current session identity + per-app role |
+| `apps` | List the apps the caller can access |
+| `create` | File a new app from the terminal (mirrors the portal wizard) |
+| `clone <slug>` | Fetch an app's source into a local git repo |
+| `deploy` | Package the working tree + open/update a review PR |
+| `review` | Show a PR's review state + findings |
+| `merge` | Squash-merge a review-passed PR |
+| `envvars` | List / set / remove Pages environment variables |
+| `logs` | Show recent deployment history |
+| `skills` | Install / update the Claude Code skill bundle |
+| `update` | Self-update the CLI to the latest published release |
+
+Run `launchpad --help` for the list, or `launchpad <command> --help` for
+per-command usage.
+
+## Auth
+
+The CLI uses Cloudflare Access **Managed OAuth (PKCE)** — see
+`.planning/research/cf-access-cli-auth.md` for the full flow. `launchpad
+login` opens a browser, completes the PKCE handshake, and stores the
+session at `~/.launchpad/session.json` (mode `0600`). Subsequent commands
+refresh the access token silently until the grant session expires, at
+which point the CLI prompts a re-login.
+
+## Local dev
+
+```bash
+cd packages/launchpad-cli
+bun install
+bun run typecheck
+bun run lint
+bun run test
+bun run build
+node dist/cli.js --help
+```
+
+## Skills bundle
+
+The CLI ships a bundle of Claude Code skills under `skills/`, copied
+into a user's `~/.claude/skills/` by `launchpad skills install`. A public
+npm `npm i -g @m-kopa/launchpad-cli` install needs one explicit
+`launchpad skills install` afterward; the legacy platform installer
+(https://get.launchpad.m-kopa.us) runs that step automatically. See
+`docs/runbooks/launchpad-skills-bundle.md` for both channels.
+
+| Skill | Source |
+| ----- | ------ |
+| `launchpad-onboard` | this repo |
+| `launchpad-deploy` | this repo |
+| `launchpad-deploy-status` | this repo |
+| `launchpad-content-pr` | this repo |
+| `marquee-share` | **`M-KOPA/marquee`** (vendored — see below) |
+
+### The `marquee-share` skill (cross-repo, vendored)
+
+`marquee-share` is **not** authored here. Its canonical source is the
+`M-KOPA/marquee` repository, under `skill/`. It is *vendored* into
+`skills/marquee-share/` so the CLI can install a working skill straight
+from the published npm package — the CLI cannot reach another repo at
+install time.
+
+The vendored copy must never be hand-edited; it would silently drift
+from the canonical source. The single supported way to refresh it is
+the sync script:
+
+```bash
+packages/launchpad-cli/scripts/sync-marquee-share-skill.sh <marquee-checkout> [git-ref]
+```
+
+Run this at marquee-share **release time**, review the diff, and
+commit. The script records the source commit in
+`skills/marquee-share/SYNC.md`. `--check` reports the currently pinned
+commit. This keeps the bundle a deliberate, reviewed mirror rather
+than a hand-maintained second copy.
+
+## Versioning
+
+Pre-1.0 consumer-pinning policy (per ADR 0005): consumers must pin
+exact versions until v1.0.0. Caret ranges are forbidden. Each
+minor-version bump may carry breaking changes.

package/dist/auth/browser.d.ts

@@ -0,0 +1,18 @@
+import { spawn } from "node:child_process";
+export declare class BrowserOpenError extends Error {
+    readonly code: "browser_open_error";
+}
+/**
+ * Open `url` in the user's default browser. Resolves once the
+ * spawn succeeds; the OS opener is fire-and-forget after that.
+ *
+ * `platform` is injected for tests so the dispatch table is
+ * exercised without actually opening a browser. The default reads
+ * `process.platform`.
+ */
+export declare function openBrowser(url: string, platform?: NodeJS.Platform, spawner?: typeof spawn): Promise<void>;
+export declare function chooseOpener(platform: NodeJS.Platform, url: string): {
+    command: string;
+    args: string[];
+};
+//# sourceMappingURL=browser.d.ts.map

package/dist/auth/browser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser.d.ts","sourceRoot":"","sources":["../../src/auth/browser.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,QAAQ,CAAC,IAAI,EAAG,oBAAoB,CAAU;CAC/C;AAED;;;;;;;GAOG;AACH,wBAAsB,WAAW,CAC/B,GAAG,EAAE,MAAM,EACX,QAAQ,GAAE,MAAM,CAAC,QAA2B,EAC5C,OAAO,GAAE,OAAO,KAAa,GAC5B,OAAO,CAAC,IAAI,CAAC,CAoBf;AAED,wBAAgB,YAAY,CAC1B,QAAQ,EAAE,MAAM,CAAC,QAAQ,EACzB,GAAG,EAAE,MAAM,GACV;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,EAAE,CAAA;CAAE,CAoCrC"}

package/dist/auth/callback-server.d.ts

@@ -0,0 +1,24 @@
+export interface CallbackResult {
+    readonly code: string;
+    readonly state: string;
+}
+export interface CallbackServer {
+    readonly port: number;
+    /** Resolves when the user's browser hits /callback with a valid
+     *  code + matching state. Rejects on `cancel()`. */
+    readonly result: Promise<CallbackResult>;
+    /** Tear down the listener. Idempotent. */
+    readonly close: () => Promise<void>;
+    /** Reject the pending `result` and close. */
+    readonly cancel: (reason: string) => Promise<void>;
+}
+export declare class CallbackError extends Error {
+    readonly code: "callback_error";
+}
+/**
+ * Bind a fresh callback server. `expectedState` is the value the
+ * authorization URL will carry in `state`; the server rejects any
+ * request whose `state` differs.
+ */
+export declare function bindCallbackServer(expectedState: string): Promise<CallbackServer>;
+//# sourceMappingURL=callback-server.d.ts.map

package/dist/auth/callback-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback-server.d.ts","sourceRoot":"","sources":["../../src/auth/callback-server.ts"],"names":[],"mappings":"AA2BA,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;wDACoD;IACpD,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACzC,0CAA0C;IAC1C,QAAQ,CAAC,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IACpC,6CAA6C;IAC7C,QAAQ,CAAC,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACpD;AAED,qBAAa,aAAc,SAAQ,KAAK;IACtC,QAAQ,CAAC,IAAI,EAAG,gBAAgB,CAAU;CAC3C;AAED;;;;GAIG;AACH,wBAAsB,kBAAkB,CACtC,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,cAAc,CAAC,CAoCzB"}

package/dist/auth/discovery.d.ts

@@ -0,0 +1,25 @@
+export interface OAuthEndpoints {
+    readonly authorizationEndpoint: string;
+    readonly tokenEndpoint: string;
+    readonly registrationEndpoint: string;
+    /**
+     * The protected resource's canonical URL (per RFC 8707 OAuth 2.0
+     * Resource Indicators). Cf Access REQUIRES this parameter on the
+     * authorization request — omitting it returns
+     * `error=invalid_target, error_description="No resource parameter
+     * found"`. Sourced from the protected-resource metadata's
+     * `resource` field; falls back to `botUrl` if the metadata omits
+     * it (older Cf deployments may not).
+     */
+    readonly resource: string;
+}
+export declare class DiscoveryError extends Error {
+    readonly code: "discovery_error";
+}
+/**
+ * Walk the two-step discovery and return the endpoints. `botUrl`
+ * is the base of the protected Worker (no trailing slash). The
+ * fetcher is injected so tests don't need a network.
+ */
+export declare function discoverOauthEndpoints(botUrl: string, fetcher?: typeof fetch): Promise<OAuthEndpoints>;
+//# sourceMappingURL=discovery.d.ts.map

package/dist/auth/discovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/auth/discovery.ts"],"names":[],"mappings":"AAsBA,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,qBAAqB,EAAE,MAAM,CAAC;IACvC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;IACtC;;;;;;;;OAQG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED,qBAAa,cAAe,SAAQ,KAAK;IACvC,QAAQ,CAAC,IAAI,EAAG,iBAAiB,CAAU;CAC5C;AAED;;;;GAIG;AACH,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,OAAO,KAAa,GAC5B,OAAO,CAAC,cAAc,CAAC,CA0EzB"}

package/dist/auth/flow.d.ts

@@ -0,0 +1,39 @@
+import { type CliSession } from "./session.js";
+export declare class LoginRequiredError extends Error {
+    readonly code: "login_required";
+}
+/** Refresh-window buffer: refresh `refreshSkewMs` before expiry
+ *  so a request fired right at the edge doesn't hit a 401. */
+export declare const REFRESH_SKEW_MS = 30000;
+export interface LoginOptions {
+    readonly botUrl: string;
+    readonly sessionPath: string;
+    /** Receives the auth URL once the localhost server is bound +
+     *  the browser opener is about to fire. The CLI verb prints it
+     *  to stdout so a headless dev can copy-paste. */
+    readonly onAuthUrl?: (url: string) => void;
+    /** Injection points for tests. */
+    readonly fetcher?: typeof fetch;
+    readonly browserOpener?: (url: string) => Promise<void>;
+}
+/**
+ * Run the full PKCE flow and persist the session. Returns the
+ * resulting session for the caller (so the verb can print
+ * confirmation diagnostics).
+ */
+export declare function login(opts: LoginOptions): Promise<CliSession>;
+/**
+ * Read the session and return a still-valid access token. If the
+ * persisted access token is past (or near) expiry, silently
+ * refresh and persist the new pair before returning. If the
+ * refresh fails because the grant has expired, throws
+ * `LoginRequiredError`.
+ *
+ * `now` is injected for tests so we can simulate expiry without
+ * mocking the system clock.
+ */
+export declare function getValidAccessToken(sessionPath: string, fetcher?: typeof fetch, now?: () => number): Promise<{
+    accessToken: string;
+    session: CliSession;
+}>;
+//# sourceMappingURL=flow.d.ts.map

package/dist/auth/flow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"flow.d.ts","sourceRoot":"","sources":["../../src/auth/flow.ts"],"names":[],"mappings":"AAwCA,OAAO,EAGL,KAAK,UAAU,EAEhB,MAAM,cAAc,CAAC;AAGtB,qBAAa,kBAAmB,SAAQ,KAAK;IAC3C,QAAQ,CAAC,IAAI,EAAG,gBAAgB,CAAU;CAC3C;AAED;8DAC8D;AAC9D,eAAO,MAAM,eAAe,QAAS,CAAC;AAEtC,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;sDAEkD;IAClD,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC3C,kCAAkC;IAClC,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;IAChC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACzD;AAED;;;;GAIG;AACH,wBAAsB,KAAK,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CA8DnE;AAED;;;;;;;;;GASG;AACH,wBAAsB,mBAAmB,CACvC,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,OAAO,KAAa,EAC7B,GAAG,GAAE,MAAM,MAAiB,GAC3B,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,CAAC,CAiDvD"}

package/dist/auth/jwt.d.ts

@@ -0,0 +1,27 @@
+export interface JwtPayload {
+    /** Cf Access user-scoped JWT subject — Entra UUID. */
+    readonly sub?: string;
+    /** Email / UPN claim. Cloudflare populates this from the IdP. */
+    readonly email?: string;
+    /** Cf Access aud (the App's UUID). */
+    readonly aud?: string | readonly string[];
+    /** Issued-at + expiry, seconds since epoch (RFC 7519). */
+    readonly iat?: number;
+    readonly exp?: number;
+    /** Token type — "app" for Cf Access app tokens. */
+    readonly type?: string;
+    /** Anything else the IdP / Cf added; we don't validate it. */
+    readonly [k: string]: unknown;
+}
+export declare class JwtParseError extends Error {
+    readonly code: "jwt_parse_error";
+}
+/**
+ * Decode the payload of a JWT. Returns `null` for inputs that
+ * don't look like a JWT at all (e.g. an opaque token). Throws
+ * `JwtParseError` only for shapes that look JWT-like but have an
+ * undecodable payload — callers should treat both null and throw
+ * as "show empty identity".
+ */
+export declare function decodeJwtPayload(token: string): JwtPayload | null;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/auth/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/auth/jwt.ts"],"names":[],"mappings":"AAYA,MAAM,WAAW,UAAU;IACzB,sDAAsD;IACtD,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB,iEAAiE;IACjE,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,sCAAsC;IACtC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAC1C,0DAA0D;IAC1D,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB,mDAAmD;IACnD,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,8DAA8D;IAC9D,QAAQ,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;CAC/B;AAED,qBAAa,aAAc,SAAQ,KAAK;IACtC,QAAQ,CAAC,IAAI,EAAG,iBAAiB,CAAU;CAC5C;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAwBjE"}

package/dist/auth/pkce.d.ts

@@ -0,0 +1,26 @@
+export interface PkcePair {
+    /** Plain-text random secret, kept on the client. */
+    readonly verifier: string;
+    /** S256 hash of the verifier, sent in the authorization URL. */
+    readonly challenge: string;
+}
+/** Hard cap on regeneration attempts — defends against an
+ *  algorithmic mistake silently spinning forever. The probability
+ *  of a `-` or `_` first byte is ~2/64 per attempt, so even 5 tries
+ *  is enough for ~6-nines reliability; we pick a higher bound so a
+ *  pathological RNG (or a future encoding change) surfaces as a
+ *  clear error rather than a hang. */
+export declare const MAX_PKCE_REGEN_ATTEMPTS = 32;
+export declare class PkceGenerationError extends Error {
+    readonly code: "pkce_generation_failed";
+}
+/**
+ * Generate a fresh PKCE pair satisfying both RFC 7636 and the
+ * Cloudflare Access "challenge must start with [a-zA-Z0-9]" rule.
+ * Pure (modulo `randomBytes`) — caller can re-test by injecting
+ * a deterministic RNG via the optional `rng` parameter.
+ */
+export declare function generatePkcePair(rng?: (size: number) => Uint8Array): PkcePair;
+/** S256 challenge for an arbitrary verifier. Exposed for tests. */
+export declare function sha256Base64Url(verifier: string): string;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/auth/pkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/auth/pkce.ts"],"names":[],"mappings":"AAmBA,MAAM,WAAW,QAAQ;IACvB,oDAAoD;IACpD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,gEAAgE;IAChE,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;sCAKsC;AACtC,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,qBAAa,mBAAoB,SAAQ,KAAK;IAC5C,QAAQ,CAAC,IAAI,EAAG,wBAAwB,CAAU;CACnD;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,GAAE,CAAC,IAAI,EAAE,MAAM,KAAK,UAAkD,GACxE,QAAQ,CAgBV;AAED,mEAAmE;AACnE,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAGxD"}

package/dist/auth/registration.d.ts

@@ -0,0 +1,8 @@
+export interface RegistrationResult {
+    readonly clientId: string;
+}
+export declare class RegistrationError extends Error {
+    readonly code: "registration_error";
+}
+export declare function registerClient(registrationEndpoint: string, redirectUri: string, fetcher?: typeof fetch): Promise<RegistrationResult>;
+//# sourceMappingURL=registration.d.ts.map

package/dist/auth/registration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registration.d.ts","sourceRoot":"","sources":["../../src/auth/registration.ts"],"names":[],"mappings":"AAgBA,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,QAAQ,CAAC,IAAI,EAAG,oBAAoB,CAAU;CAC/C;AAED,wBAAsB,cAAc,CAClC,oBAAoB,EAAE,MAAM,EAC5B,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,OAAO,KAAa,GAC5B,OAAO,CAAC,kBAAkB,CAAC,CA6C7B"}

package/dist/auth/session.d.ts

@@ -0,0 +1,54 @@
+export declare const SESSION_VERSION = 1;
+export interface CliSession {
+    readonly version: typeof SESSION_VERSION;
+    /** OAuth `access_token`. Sent to the bot as `Authorization: Bearer <accessToken>`. */
+    readonly accessToken: string;
+    /** OAuth `refresh_token` — used to silently mint a fresh
+     *  access token when the current one expires. */
+    readonly refreshToken: string;
+    /** Epoch milliseconds at which `accessToken` ceases to be valid.
+     *  Computed at write-time as `Date.now() + (expires_in * 1000)`. */
+    readonly accessTokenExpiresAt: number;
+    /** OAuth client id from dynamic-client-registration. Cached so
+     *  refreshes don't re-register. */
+    readonly clientId: string;
+    /** Token endpoint discovered at login. Cached for refreshes so
+     *  refresh doesn't re-walk discovery. */
+    readonly tokenEndpoint: string;
+    /** RFC 8707 resource indicator (the protected bot's canonical URL).
+     *  Cached so silent refresh can re-include it without
+     *  re-discovering — Cf Access binds the access_token's audience to
+     *  this and the refresh grant must match. Optional in the on-disk
+     *  schema so pre-0.7.1 sessions (which omit it) still parse —
+     *  those callers fall through to a forced re-login on the next
+     *  refresh attempt. */
+    readonly resource?: string;
+    /** ISO-8601 UTC timestamp of when this session was written. Used
+     *  by `whoami` (slice 3) for diagnostic display only. */
+    readonly issuedAt: string;
+}
+export declare class SessionParseError extends Error {
+    readonly code: "session_parse_error";
+}
+/**
+ * Read the session file. Returns `null` if the file doesn't exist
+ * (the user hasn't logged in yet — a normal state). Throws
+ * `SessionParseError` for a corrupt file: better to fail loudly
+ * than to silently re-prompt for login when the storage is
+ * actually broken.
+ */
+export declare function readSession(sessionPath: string): Promise<CliSession | null>;
+/**
+ * Atomic-ish write: writes to `<path>.tmp` then renames into
+ * place. The whole-directory chmod is best-effort (Windows ignores
+ * mode bits) — the per-file mode is the load-bearing one.
+ */
+export declare function writeSession(sessionPath: string, session: CliSession): Promise<void>;
+/**
+ * `launchpad logout`: zero out the session file. Idempotent —
+ * already-absent file is a no-op success. Returns whether a
+ * session actually existed (so the verb can render the right
+ * message).
+ */
+export declare function clearSession(sessionPath: string): Promise<boolean>;
+//# sourceMappingURL=session.d.ts.map

package/dist/auth/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/auth/session.ts"],"names":[],"mappings":"AA0BA,eAAO,MAAM,eAAe,IAAI,CAAC;AAEjC,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,OAAO,EAAE,OAAO,eAAe,CAAC;IACzC,sFAAsF;IACtF,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;qDACiD;IACjD,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B;wEACoE;IACpE,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;IACtC;uCACmC;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B;6CACyC;IACzC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B;;;;;;2BAMuB;IACvB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;6DACyD;IACzD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,QAAQ,CAAC,IAAI,EAAG,qBAAqB,CAAU;CAChD;AAED;;;;;;GAMG;AACH,wBAAsB,WAAW,CAC/B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAmD5B;AAED;;;;GAIG;AACH,wBAAsB,YAAY,CAChC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,IAAI,CAAC,CA4Bf;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAQxE"}

package/dist/auth/token.d.ts

@@ -0,0 +1,37 @@
+export interface TokenResponse {
+    readonly accessToken: string;
+    readonly refreshToken: string;
+    /** Seconds until `accessToken` expiry, as returned by the
+     *  server. Caller converts to absolute epoch when persisting. */
+    readonly expiresInSec: number;
+}
+export declare class TokenError extends Error {
+    readonly code: "token_error";
+    /** Optional HTTP status — present only for non-2xx responses, not
+     *  for network errors. Lets the login flow distinguish "user
+     *  denied at the IdP" from "network is down". */
+    readonly httpStatus?: number;
+    constructor(message: string, httpStatus?: number);
+}
+export declare function exchangeCodeForTokens(params: {
+    readonly tokenEndpoint: string;
+    readonly clientId: string;
+    readonly code: string;
+    readonly codeVerifier: string;
+    readonly redirectUri: string;
+    /** RFC 8707 resource indicator. Cf Access binds the resulting
+     *  access_token's audience to this value; the bot's JWT
+     *  validation MUST see a matching `aud` claim. Always pass it
+     *  so the token is valid for the right protected app. */
+    readonly resource: string;
+}, fetcher?: typeof fetch): Promise<TokenResponse>;
+export declare function refreshTokens(params: {
+    readonly tokenEndpoint: string;
+    readonly clientId: string;
+    readonly refreshToken: string;
+    /** RFC 8707 resource indicator — same posture as
+     *  exchangeCodeForTokens. The refreshed access_token's audience
+     *  must match what `apiRaw` calls into. */
+    readonly resource: string;
+}, fetcher?: typeof fetch): Promise<TokenResponse>;
+//# sourceMappingURL=token.d.ts.map

package/dist/auth/token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/auth/token.ts"],"names":[],"mappings":"AAQA,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B;qEACiE;IACjE,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;CAC/B;AAED,qBAAa,UAAW,SAAQ,KAAK;IACnC,QAAQ,CAAC,IAAI,EAAG,aAAa,CAAU;IACvC;;qDAEiD;IACjD,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;gBACjB,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM;CAKjD;AAED,wBAAsB,qBAAqB,CACzC,MAAM,EAAE;IACN,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;;6DAGyD;IACzD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B,EACD,OAAO,GAAE,OAAO,KAAa,GAC5B,OAAO,CAAC,aAAa,CAAC,CAUxB;AAED,wBAAsB,aAAa,CACjC,MAAM,EAAE;IACN,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B;;+CAE2C;IAC3C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B,EACD,OAAO,GAAE,OAAO,KAAa,GAC5B,OAAO,CAAC,aAAa,CAAC,CAQxB"}

package/dist/bundle/cron-bundle.d.ts

@@ -0,0 +1,77 @@
+/**
+ * The built cron-Worker artifact the CLI ships alongside the source tarball.
+ * `script` must match a `kind: worker` target the bot has registered for the
+ * app; the bot re-validates it against the app's surfaces before uploading.
+ */
+export interface WorkerArtifact {
+    /** Worker script name — must equal the manifest target's `script`. */
+    readonly script: string;
+    /** The bundled ES-module source (single file, workerd-compatible). */
+    readonly moduleContent: string;
+    /** Module filename for the multipart upload (e.g. `index.js`). */
+    readonly moduleFilename: string;
+    /** `compatibility_date` from the worker's wrangler.toml. */
+    readonly compatibilityDate: string;
+    /** `compatibility_flags` from the worker's wrangler.toml (e.g. nodejs_compat). */
+    readonly compatibilityFlags: readonly string[];
+}
+export type BuildWorkerResult = {
+    kind: "none";
+} | {
+    kind: "ok";
+    artifact: WorkerArtifact;
+} | {
+    kind: "error";
+    message: string;
+};
+/** Top-level scalar/array keys we need out of a worker's wrangler.toml. */
+interface WranglerTopLevel {
+    readonly name?: string;
+    readonly main?: string;
+    readonly compatibility_date?: string;
+    readonly compatibility_flags?: readonly string[];
+}
+/**
+ * Parse ONLY the top-level keys of a wrangler.toml that precede the first
+ * `[section]` / `[[array-of-tables]]`. We need `name`, `main`,
+ * `compatibility_date`, `compatibility_flags` — all top-level scalars/string
+ * arrays. We deliberately do NOT parse `[triggers]` (crons) or
+ * `[[d1_databases]]`: the schedule + D1 binding are the bot-authoritative
+ * deploy contract (manifest `targets[]`), not CLI build inputs. A
+ * purpose-built reader avoids a TOML dependency for these four keys.
+ */
+export declare function parseWranglerTopLevel(tomlText: string): WranglerTopLevel;
+/**
+ * Script names of the manifest's **deployable** worker targets — `kind: worker`
+ * entries that carry a non-empty `schedule`. The schedule is the discriminator
+ * (ADR 0022 Decision #3): a worker target WITH a schedule is a *deploy surface*
+ * (build + upload it here); a worker target WITHOUT one is secrets-only (the
+ * existing fan-out target) and is NOT built. Keying the CLI build gate on the
+ * same `schedule` the bot keys its deploy gate on avoids a build-but-skip
+ * mismatch.
+ */
+export declare function scheduledWorkerScripts(manifestYaml: string): string[];
+/**
+ * Bundle a worker entry into a single workerd-compatible ES module. Config is
+ * pinned to what a real ai-cost cron build produced cleanly (sp-tt2cap C3a
+ * spike, 2026-06-09): `conditions: [worker, browser]` + `node:*` external
+ * (nodejs_compat provides them at runtime). `write: false` returns the module
+ * source in-memory so it never touches disk or the source tarball.
+ */
+export declare function bundleWorker(entryAbs: string, workerDir: string): Promise<string>;
+/**
+ * Build the cron-Worker artifact for an app, if it declares one.
+ *
+ * Returns `{kind:"none"}` for single-tier apps (no `kind: worker` target) so
+ * the caller ships the tarball unchanged. Returns `{kind:"error"}` with a
+ * CLI-friendly message when a worker is declared but its build config or
+ * bundle can't be produced — a deploy that would silently skip the cron tier
+ * is worse than a loud failure.
+ *
+ * Only the FIRST worker target is built — the two-tier shape (one Pages, one
+ * cron Worker) is the only one ADR 0022 supports today. A second worker target
+ * is rejected loudly rather than silently dropped.
+ */
+export declare function buildWorkerArtifact(cwd: string, manifestYaml: string, walkFiles: readonly string[]): Promise<BuildWorkerResult>;
+export {};
+//# sourceMappingURL=cron-bundle.d.ts.map

package/dist/bundle/cron-bundle.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cron-bundle.d.ts","sourceRoot":"","sources":["../../src/bundle/cron-bundle.ts"],"names":[],"mappings":"AA4BA;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,sEAAsE;IACtE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,sEAAsE;IACtE,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,kEAAkE;IAClE,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,4DAA4D;IAC5D,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;IACnC,kFAAkF;IAClF,QAAQ,CAAC,kBAAkB,EAAE,SAAS,MAAM,EAAE,CAAC;CAChD;AAED,MAAM,MAAM,iBAAiB,GACzB;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,GAChB;IAAE,IAAI,EAAE,IAAI,CAAC;IAAC,QAAQ,EAAE,cAAc,CAAA;CAAE,GACxC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,2EAA2E;AAC3E,UAAU,gBAAgB;IACxB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACrC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAClD;AAED;;;;;;;;GAQG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,gBAAgB,CA0CxE;AAuBD;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,CAuBrE;AAkCD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC,CAiBjB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,MAAM,EACX,YAAY,EAAE,MAAM,EACpB,SAAS,EAAE,SAAS,MAAM,EAAE,GAC3B,OAAO,CAAC,iBAAiB,CAAC,CAgD5B"}

package/dist/bundle/cwd-walker.d.ts

@@ -0,0 +1,43 @@
+import { relative } from "node:path";
+/**
+ * Default ignore patterns applied even when no `.gitignore` is
+ * present. Mirrors the bot's AC8 ingest policy on dotfiles +
+ * common build outputs.
+ *
+ * Each entry is interpreted as a "match the basename OR a path
+ * segment" rule — simpler than full gitignore glob semantics and
+ * sufficient for the common cases.
+ */
+export declare const DEFAULT_IGNORE: readonly string[];
+export interface WalkResult {
+    /** Relative paths from `cwd`, lexicographically sorted for determinism. */
+    readonly files: readonly string[];
+    /** Skipped paths and their reason — for `--verbose` output. */
+    readonly skipped: ReadonlyArray<{
+        path: string;
+        reason: string;
+    }>;
+}
+export interface WalkOptions {
+    /**
+     * Maximum number of files to return. Beyond this the walk
+     * aborts with an error rather than producing a partial result —
+     * the bot's AC8 caps at 5000 files; the walker errs lower so
+     * `launchpad deploy` surfaces "too many files" with a clearer
+     * error than a server-side rejection.
+     */
+    readonly maxFiles?: number;
+}
+export declare class WalkError extends Error {
+    constructor(message: string);
+}
+/**
+ * Walk `cwd` and produce the list of files to bundle.
+ *
+ * Pure FS — no network, no shell-out. Respects `.gitignore` if
+ * present + the built-in DEFAULT_IGNORE. Skips symlinks
+ * silently (the bot rejects them anyway via AC8).
+ */
+export declare function walkCwd(cwd: string, options?: WalkOptions): WalkResult;
+export { relative };
+//# sourceMappingURL=cwd-walker.d.ts.map

package/dist/bundle/cwd-walker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwd-walker.d.ts","sourceRoot":"","sources":["../../src/bundle/cwd-walker.ts"],"names":[],"mappings":"AAwBA,OAAO,EAAQ,QAAQ,EAAO,MAAM,WAAW,CAAC;AAEhD;;;;;;;;GAQG;AACH,eAAO,MAAM,cAAc,EAAE,SAAS,MAAM,EA+B3C,CAAC;AAIF,MAAM,WAAW,UAAU;IACzB,2EAA2E;IAC3E,QAAQ,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,+DAA+D;IAC/D,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACnE;AAED,MAAM,WAAW,WAAW;IAC1B;;;;;;OAMG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC5B;AAID,qBAAa,SAAU,SAAQ,KAAK;gBACtB,OAAO,EAAE,MAAM;CAI5B;AAED;;;;;;GAMG;AACH,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,WAAgB,GAAG,UAAU,CAU1E;AA0LD,OAAO,EAAE,QAAQ,EAAE,CAAC"}

package/dist/bundle/orchestrate.d.ts

@@ -0,0 +1,51 @@
+import type { CliConfig } from "../config.js";
+import { type DeployBundleResult } from "./upload.js";
+import { type WalkResult } from "./cwd-walker.js";
+export interface BundleAndDeployArgs {
+    readonly cfg: CliConfig;
+    readonly cwd: string;
+    readonly slug: string;
+}
+export type BundleAndDeployResult = {
+    kind: "walk-error";
+    message: string;
+} | {
+    kind: "no-manifest";
+    message: string;
+} | {
+    kind: "pack-error";
+    message: string;
+} | {
+    kind: "worker-build-error";
+    message: string;
+} | {
+    kind: "upload-error";
+    status: number;
+    body: unknown;
+} | {
+    kind: "ok";
+    result: Extract<DeployBundleResult, {
+        kind: "ok";
+    }>["response"];
+    walk: WalkResult;
+    fileCount: number;
+    compressedBytes: number;
+    /** The cron Worker script name that was built + shipped, if any. */
+    workerScript: string | null;
+};
+/**
+ * Bundle the user's CWD and ship it to the bot.
+ *
+ * Reads `launchpad.yaml` from `cwd` (it must exist — caller is
+ * expected to have invoked `launchpad init` first). Walks the
+ * CWD respecting .gitignore + default-ignore, packs the result
+ * into a gzipped tar via the existing `packTarGz`, and POSTs the
+ * tarball + manifest YAML as multipart/form-data to the bot's
+ * `/apps/<slug>/deploy/bundle` endpoint.
+ *
+ * **What this function does NOT do:** authz pre-flight,
+ * provisioning of a not-yet-existing slug, status polling for
+ * the live URL. All of those are caller responsibilities.
+ */
+export declare function bundleAndDeploy(args: BundleAndDeployArgs): Promise<BundleAndDeployResult>;
+//# sourceMappingURL=orchestrate.d.ts.map

package/dist/bundle/orchestrate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"orchestrate.d.ts","sourceRoot":"","sources":["../../src/bundle/orchestrate.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAEL,KAAK,kBAAkB,EACxB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAsB,KAAK,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAGtE,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC;IACxB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,MAAM,qBAAqB,GAC7B;IAAE,IAAI,EAAE,YAAY,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACvC;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACxC;IAAE,IAAI,EAAE,YAAY,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACvC;IAAE,IAAI,EAAE,oBAAoB,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAC/C;IAAE,IAAI,EAAE,cAAc,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,OAAO,CAAA;CAAE,GACvD;IACE,IAAI,EAAE,IAAI,CAAC;IACX,MAAM,EAAE,OAAO,CAAC,kBAAkB,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC,CAAC,UAAU,CAAC,CAAC;IAChE,IAAI,EAAE,UAAU,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,CAAC;IACxB,oEAAoE;IACpE,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B,CAAC;AAEN;;;;;;;;;;;;;GAaG;AACH,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,qBAAqB,CAAC,CAoFhC"}