@mainwp/control 1.0.0

package/dist/commands/abilities/list.js

@@ -0,0 +1,98 @@
+/**
+ * Abilities list command for mainwpcontrol
+ *
+ * Lists all available abilities from the Dashboard.
+ */
+import { Flags } from '@oclif/core';
+import { BaseCommand, commonFlags } from '../../lib/base-command.js';
+import { formatTable, formatHeading } from '../../output/formatter.js';
+import { color, colors } from '../../utils/colors.js';
+import { stripControlChars } from '../../utils/terminal-sanitizer.js';
+export default class AbilitiesList extends BaseCommand {
+    static description = 'List available abilities';
+    static examples = [
+        '<%= config.bin %> abilities list',
+        '<%= config.bin %> abilities list --category sites',
+        '<%= config.bin %> abilities list --json',
+    ];
+    static flags = {
+        ...commonFlags,
+        category: Flags.string({
+            char: 'c',
+            description: 'Filter by category',
+        }),
+    };
+    async run() {
+        const { flags } = await this.parse(AbilitiesList);
+        await this.initCommon(flags);
+        const executor = await this.getExecutor();
+        let abilities = await executor.listAbilities();
+        // Filter by category if specified
+        if (flags.category) {
+            abilities = abilities.filter((a) => a.category.toLowerCase() === flags.category?.toLowerCase());
+        }
+        // Get unique categories for display
+        const categories = [...new Set(abilities.map((a) => a.category))].sort();
+        this.output({
+            abilities: abilities.map((a) => ({
+                name: a.name,
+                label: a.label,
+                category: a.category,
+                readonly: a.meta?.annotations?.readonly ?? false,
+                destructive: a.meta?.annotations?.destructive ?? false,
+            })),
+            total: abilities.length,
+            categories,
+        }, () => {
+            if (abilities.length === 0) {
+                return 'No abilities found.';
+            }
+            const lines = [
+                formatHeading(`Abilities (${abilities.length} total)`),
+                '',
+            ];
+            // Group by category
+            const grouped = new Map();
+            for (const ability of abilities) {
+                const cat = ability.category;
+                if (!grouped.has(cat)) {
+                    grouped.set(cat, []);
+                }
+                grouped.get(cat)?.push(ability);
+            }
+            // Sort categories
+            const sortedCategories = [...grouped.keys()].sort();
+            for (const category of sortedCategories) {
+                const catAbilities = grouped.get(category) ?? [];
+                lines.push(formatHeading(`  ${category}`));
+                const headers = ['Name', 'Description', 'Type'];
+                const rows = catAbilities.map((a) => {
+                    let type = '📖 read';
+                    if (a.meta?.annotations?.destructive) {
+                        type = '⚠️  destructive';
+                    }
+                    else if (!a.meta?.annotations?.readonly) {
+                        type = '✏️  write';
+                    }
+                    return [a.name, a.label || a.description.slice(0, 50), type];
+                });
+                // Render table with usage sub-rows under each ability
+                const tableStr = formatTable(headers, rows);
+                const tableLines = tableStr.split('\n');
+                // Header and separator
+                lines.push(tableLines[0] ?? '', tableLines[1] ?? '');
+                // Data rows with copy-pasteable usage hints
+                for (let j = 0; j < catAbilities.length; j++) {
+                    lines.push(tableLines[j + 2] ?? '');
+                    const ability = catAbilities[j];
+                    const safeName = stripControlChars(ability.name);
+                    const shortName = safeName.split('/').pop() ?? safeName;
+                    lines.push(color(`    mainwpcontrol abilities run ${shortName}`, colors.dim));
+                }
+                lines.push('');
+            }
+            return lines.join('\n');
+        });
+    }
+}
+//# sourceMappingURL=list.js.map

package/dist/commands/abilities/list.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"list.js","sourceRoot":"","sources":["../../../src/commands/abilities/list.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AAEtE,MAAM,CAAC,OAAO,OAAO,aAAc,SAAQ,WAAW;IACpD,MAAM,CAAC,WAAW,GAAG,0BAA0B,CAAC;IAEhD,MAAM,CAAC,QAAQ,GAAG;QAChB,kCAAkC;QAClC,mDAAmD;QACnD,yCAAyC;KAC1C,CAAC;IAEF,MAAM,CAAC,KAAK,GAAG;QACb,GAAG,WAAW;QACd,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC;YACrB,IAAI,EAAE,GAAG;YACT,WAAW,EAAE,oBAAoB;SAClC,CAAC;KACH,CAAC;IAEF,KAAK,CAAC,GAAG;QACP,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QAClD,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;QAE7B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;QAE1C,IAAI,SAAS,GAAG,MAAM,QAAQ,CAAC,aAAa,EAAE,CAAC;QAE/C,kCAAkC;QAClC,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACnB,SAAS,GAAG,SAAS,CAAC,MAAM,CAC1B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,QAAQ,EAAE,WAAW,EAAE,CAClE,CAAC;QACJ,CAAC;QAED,oCAAoC;QACpC,MAAM,UAAU,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAEzE,IAAI,CAAC,MAAM,CACT;YACE,SAAS,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC/B,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,QAAQ,EAAE,CAAC,CAAC,IAAI,EAAE,WAAW,EAAE,QAAQ,IAAI,KAAK;gBAChD,WAAW,EAAE,CAAC,CAAC,IAAI,EAAE,WAAW,EAAE,WAAW,IAAI,KAAK;aACvD,CAAC,CAAC;YACH,KAAK,EAAE,SAAS,CAAC,MAAM;YACvB,UAAU;SACX,EACD,GAAG,EAAE;YACH,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC3B,OAAO,qBAAqB,CAAC;YAC/B,CAAC;YAED,MAAM,KAAK,GAAG;gBACZ,aAAa,CAAC,cAAc,SAAS,CAAC,MAAM,SAAS,CAAC;gBACtD,EAAE;aACH,CAAC;YAEF,oBAAoB;YACpB,MAAM,OAAO,GAAG,IAAI,GAAG,EAA4B,CAAC;YACpD,KAAK,MAAM,OAAO,IAAI,SAAS,EAAE,CAAC;gBAChC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC;gBAC7B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBACtB,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBACvB,CAAC;gBACD,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;YAClC,CAAC;YAED,kBAAkB;YAClB,MAAM,gBAAgB,GAAG,CAAC,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAEpD,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;gBACxC,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAEjD,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,QAAQ,EAAE,CAAC,CAAC,CAAC;gBAE3C,MAAM,OAAO,GAAG,CAAC,MAAM,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC;gBAChD,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;oBAClC,IAAI,IAAI,GAAG,SAAS,CAAC;oBACrB,IAAI,CAAC,CAAC,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC;wBACrC,IAAI,GAAG,iBAAiB,CAAC;oBAC3B,CAAC;yBAAM,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC;wBAC1C,IAAI,GAAG,WAAW,CAAC;oBACrB,CAAC;oBACD,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC;gBAC/D,CAAC,CAAC,CAAC;gBAEH,sDAAsD;gBACtD,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;gBAC5C,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBACxC,uBAAuB;gBACvB,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;gBACrD,4CAA4C;gBAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC7C,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;oBACpC,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAE,CAAC;oBACjC,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;oBACjD,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;oBACxD,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,mCAAmC,SAAS,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;gBAChF,CAAC;gBAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACjB,CAAC;YAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC,CACF,CAAC;IACJ,CAAC"}

package/dist/commands/abilities/run.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Abilities run command for mainwpcontrol
+ *
+ * Execute abilities with safety enforcement.
+ * Routes through SafetyController for destructive actions.
+ *
+ * INVARIANT: Commands and chat share the same execution path.
+ */
+import { BaseCommand } from '../../lib/base-command.js';
+export default class AbilitiesRun extends BaseCommand {
+    static description: string;
+    static examples: string[];
+    static flags: {
+        input: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+        'input-file': import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        'dry-run': import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        confirm: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        force: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        wait: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        'wait-timeout': import("@oclif/core/interfaces").OptionFlag<number, import("@oclif/core/interfaces").CustomOptions>;
+        json: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        quiet: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        profile: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        debug: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+    };
+    static args: {
+        name: import("@oclif/core/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    run(): Promise<void>;
+    /**
+     * Execute preview (dry_run mode)
+     */
+    private executePreview;
+    /**
+     * Execute destructive ability with confirmation
+     */
+    private executeDestructive;
+    /**
+     * Execute directly (read-only or non-destructive)
+     */
+    private executeDirect;
+    /**
+     * Wait for a batch job to complete using BatchManager
+     */
+    private waitForBatchJob;
+    /**
+     * Format watch result output for human display
+     */
+    private formatWatchResultOutput;
+    /**
+     * Resolve input from --input, --input-file, or stdin (--input -)
+     */
+    private resolveInput;
+    /**
+     * Read all data from stdin
+     */
+    private readStdin;
+    /**
+     * Format preview output for human display
+     */
+    private formatPreviewOutput;
+    /**
+     * Format execution output for human display
+     */
+    private formatExecutionOutput;
+    /**
+     * Format batch job output
+     */
+    private formatBatchOutput;
+    /**
+     * Output guidance for destructive abilities
+     */
+    private outputDestructiveGuidance;
+}
+//# sourceMappingURL=run.d.ts.map

package/dist/commands/abilities/run.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../../src/commands/abilities/run.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,OAAO,EAAE,WAAW,EAAe,MAAM,2BAA2B,CAAC;AAiBrE,MAAM,CAAC,OAAO,OAAO,YAAa,SAAQ,WAAW;IACnD,MAAM,CAAC,WAAW,SAAwB;IAE1C,MAAM,CAAC,QAAQ,WAuBb;IAEF,MAAM,CAAC,KAAK;;;;;;;;;;;;MAkCV;IAEF,MAAM,CAAC,IAAI;;MAKT;IAEI,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC;IA4F1B;;OAEG;YACW,cAAc;IA4B5B;;OAEG;YACW,kBAAkB;IAqHhC;;OAEG;YACW,aAAa;IAiD3B;;OAEG;YACW,eAAe;IA6C7B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAwC/B;;OAEG;YACW,YAAY;IAqC1B;;OAEG;YACW,SAAS;IAavB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAU3B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAc7B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAUzB;;OAEG;IACH,OAAO,CAAC,yBAAyB;CAalC"}

package/dist/commands/abilities/run.js

@@ -0,0 +1,468 @@
+/**
+ * Abilities run command for mainwpcontrol
+ *
+ * Execute abilities with safety enforcement.
+ * Routes through SafetyController for destructive actions.
+ *
+ * INVARIANT: Commands and chat share the same execution path.
+ */
+import { Args, Flags } from '@oclif/core';
+import { readFile } from 'node:fs/promises';
+import { resolve } from 'node:path';
+import { BaseCommand, commonFlags } from '../../lib/base-command.js';
+import { formatSuccess, formatWarning, formatPreview, formatHeading, formatKeyValue, } from '../../output/formatter.js';
+import { InputError, MutualExclusionError } from '../../utils/errors.js';
+import { getSafetyController } from '../../core/safety-controller.js';
+import { getSchemaValidator } from '../../validation/schema-validator.js';
+import { getInputSanitizer } from '../../validation/input-sanitizer.js';
+import { promptForConfirmation, isInteractive } from '../../utils/prompt.js';
+import { logDestructiveActionSafe } from '../../utils/audit-logger.js';
+import { APIError } from '../../utils/errors.js';
+export default class AbilitiesRun extends BaseCommand {
+    static description = 'Execute an ability';
+    static examples = [
+        // Read-only abilities
+        '<%= config.bin %> abilities run list-sites-v1',
+        '<%= config.bin %> abilities run list-sites-v1 --input \'{"status": "connected"}\'',
+        // Input from file or stdin
+        '<%= config.bin %> abilities run update-site-plugins-v1 --input-file params.json --confirm',
+        'echo \'{"site_id": 5}\' | <%= config.bin %> abilities run list-sites-v1 --input -',
+        // Destructive abilities - preview first
+        '<%= config.bin %> abilities run delete-site-v1 --input \'{"site_id": 1}\' --dry-run',
+        // Destructive abilities - execute after preview
+        '<%= config.bin %> abilities run delete-site-v1 --input \'{"site_id": 1}\' --confirm',
+        // Wait for batch job completion
+        '<%= config.bin %> abilities run sync-sites-v1 --wait --json',
+        // JSON output for scripting
+        '<%= config.bin %> abilities run list-sites-v1 --json',
+        // Quiet mode (exit code only)
+        '<%= config.bin %> abilities run check-site-v1 --input \'{"site_id": 1}\' --quiet',
+    ];
+    static flags = {
+        ...commonFlags,
+        input: Flags.string({
+            char: 'i',
+            description: 'Input parameters as JSON (use "-" to read from stdin)',
+            default: '{}',
+            exclusive: ['input-file'],
+        }),
+        'input-file': Flags.string({
+            description: 'Read input parameters from a JSON file',
+            exclusive: ['input'],
+        }),
+        'dry-run': Flags.boolean({
+            description: 'Preview changes without executing (required for destructive abilities)',
+            default: false,
+            exclusive: ['confirm'],
+        }),
+        confirm: Flags.boolean({
+            description: 'Execute destructive ability (after preview)',
+            default: false,
+            exclusive: ['dry-run'],
+        }),
+        force: Flags.boolean({
+            description: 'Skip confirmation prompt (use with --confirm)',
+            default: false,
+        }),
+        wait: Flags.boolean({
+            description: 'Wait for batch job to complete (blocks until done)',
+            default: false,
+        }),
+        'wait-timeout': Flags.integer({
+            description: 'Maximum seconds to wait for batch job (default: 300)',
+            default: 300,
+        }),
+    };
+    static args = {
+        name: Args.string({
+            description: 'Ability name (e.g., list-sites-v1, delete-site-v1)',
+            required: true,
+        }),
+    };
+    async run() {
+        const { args, flags } = await this.parse(AbilitiesRun);
+        await this.initCommon(flags);
+        const executor = await this.getExecutor();
+        const safetyController = getSafetyController();
+        const schemaValidator = getSchemaValidator();
+        const inputSanitizer = getInputSanitizer();
+        // Get ability metadata
+        const ability = await executor.getAbility(args.name);
+        if (!ability) {
+            throw new InputError(`Ability not found: ${args.name}. Run \`mainwpcontrol abilities list\` to see available abilities.`);
+        }
+        // Resolve input from --input, --input-file, or stdin
+        const rawInput = await this.resolveInput(flags.input, flags['input-file']);
+        // Parse input JSON
+        let input;
+        try {
+            input = JSON.parse(rawInput);
+        }
+        catch {
+            throw new InputError(`Invalid JSON input: ${rawInput}`);
+        }
+        // Sanitize input
+        input = inputSanitizer.sanitize(input);
+        // Validate input against schema if available
+        if (ability.input_schema) {
+            const validated = schemaValidator.validateOrThrow(input, ability.input_schema, ability.name);
+            // Use coerced values (type coercion, defaults applied) from validated clone
+            input = validated.coerced ?? input;
+        }
+        // Safety validation BEFORE any network call
+        const dryRun = flags['dry-run'];
+        const confirm = flags.confirm;
+        const requiresSafetyFlow = safetyController.requiresSafetyFlow(ability);
+        this.debugLog('Resolved ability execution', {
+            abilityName: ability.name,
+            dryRun,
+            confirm,
+            wait: flags.wait,
+            waitTimeoutSeconds: flags['wait-timeout'],
+            requiresSafetyFlow,
+        });
+        try {
+            safetyController.validateExecutionFlags(ability, dryRun, confirm);
+        }
+        catch (error) {
+            if (error instanceof MutualExclusionError) {
+                throw error;
+            }
+            // For destructive abilities without flags, provide guidance
+            if (requiresSafetyFlow) {
+                this.outputDestructiveGuidance(ability.name);
+                throw error;
+            }
+            throw error;
+        }
+        // Determine execution path
+        const shouldExecute = safetyController.shouldExecuteDirectly(ability, dryRun, confirm);
+        if (dryRun || !shouldExecute) {
+            // Preview mode — --dry-run always previews, regardless of ability classification
+            await this.executePreview(ability.name, input, dryRun);
+        }
+        else if (confirm && safetyController.requiresSafetyFlow(ability)) {
+            // Destructive execution with confirmation
+            await this.executeDestructive({
+                abilityName: ability.name,
+                input,
+                force: flags.force,
+                wait: flags.wait,
+                waitTimeout: flags['wait-timeout'],
+            });
+        }
+        else {
+            // Direct execution (read-only or non-destructive)
+            await this.executeDirect({
+                abilityName: ability.name,
+                input,
+                wait: flags.wait,
+                waitTimeout: flags['wait-timeout'],
+            });
+        }
+    }
+    /**
+     * Execute preview (dry_run mode)
+     */
+    async executePreview(abilityName, input, _dryRun) {
+        const executor = await this.getExecutor();
+        const result = await executor.execute(abilityName, input, { dryRun: true });
+        if (!result.success) {
+            throw new InputError(result.error?.message ?? 'Preview failed', result.error);
+        }
+        const safetyController = getSafetyController();
+        const ability = await executor.getAbility(abilityName);
+        const preview = safetyController.formatPreviewResult(ability, input, result);
+        this.output({
+            mode: 'preview',
+            ability: abilityName,
+            ...result,
+            preview,
+        }, () => this.formatPreviewOutput(preview));
+    }
+    /**
+     * Execute destructive ability with confirmation
+     */
+    async executeDestructive(opts) {
+        const { abilityName, input, force, wait, waitTimeout } = opts;
+        const executor = await this.getExecutor();
+        const safetyController = getSafetyController();
+        // Get preview data first for audit logging (gracefully handle failures)
+        let preview;
+        try {
+            const ability = await executor.getAbility(abilityName);
+            const previewResult = await executor.execute(abilityName, input, { dryRun: true });
+            if (previewResult.success && ability) {
+                preview = safetyController.formatPreviewResult(ability, input, previewResult);
+            }
+        }
+        catch {
+            // Preview failure is non-fatal - continue without preview data in audit
+        }
+        // Helper to build preview metadata for audit entries (spread-friendly)
+        const previewMeta = preview
+            ? { preview: { summary: preview.summary, affectedCount: preview.affected.length } }
+            : {};
+        // In non-interactive mode, require --force or fail
+        if (!isInteractive() && !force) {
+            await logDestructiveActionSafe({
+                abilityName,
+                ...previewMeta,
+                userDecision: 'declined',
+                input,
+            });
+            throw new InputError('Destructive operations require interactive confirmation or --force flag in non-interactive mode.');
+        }
+        // Interactive confirmation (unless --force)
+        if (!force) {
+            const confirmed = await promptForConfirmation(`Execute destructive ability "${abilityName}"?`);
+            if (!confirmed) {
+                await logDestructiveActionSafe({
+                    abilityName,
+                    ...previewMeta,
+                    userDecision: 'declined',
+                    input,
+                });
+                this.log(formatWarning('Operation cancelled by user.'));
+                return;
+            }
+        }
+        // Execute with confirm
+        const result = await executor.execute(abilityName, input, { confirm: true });
+        // Build execution result for audit
+        const executionResult = {
+            success: result.success,
+        };
+        if (result.error?.message) {
+            executionResult.error = getInputSanitizer().sanitizeErrorMessage(result.error.message);
+        }
+        // Log audit entry (fire-and-forget, covers both success and failure)
+        await logDestructiveActionSafe({
+            abilityName,
+            ...previewMeta,
+            userDecision: 'approved',
+            execution: executionResult,
+            input,
+        });
+        // Throw after audit logging if execution failed
+        if (!result.success) {
+            throw new APIError(result.error?.code ?? 'ABILITY_EXECUTION_ERROR', result.error?.message ?? 'Execution failed', undefined, result.error);
+        }
+        // Check for batch job
+        if (result.jobId) {
+            if (wait) {
+                await this.waitForBatchJob(abilityName, result.jobId, waitTimeout ?? 300);
+                return;
+            }
+            this.output({
+                mode: 'batch',
+                ability: abilityName,
+                jobId: result.jobId,
+                ...result,
+            }, () => this.formatBatchOutput(abilityName, result.jobId));
+            return;
+        }
+        this.output({
+            mode: 'execute',
+            ability: abilityName,
+            ...result,
+        }, () => this.formatExecutionOutput(abilityName, result.data));
+    }
+    /**
+     * Execute directly (read-only or non-destructive)
+     */
+    async executeDirect(opts) {
+        const { abilityName, input, wait, waitTimeout } = opts;
+        const executor = await this.getExecutor();
+        const result = await executor.execute(abilityName, input);
+        if (!result.success) {
+            throw new APIError(result.error?.code ?? 'ABILITY_EXECUTION_ERROR', result.error?.message ?? 'Execution failed', undefined, result.error);
+        }
+        // Check for batch job
+        if (result.jobId) {
+            if (wait) {
+                // --wait: poll until job completes
+                await this.waitForBatchJob(abilityName, result.jobId, waitTimeout ?? 300);
+                return;
+            }
+            this.output({
+                mode: 'batch',
+                ability: abilityName,
+                jobId: result.jobId,
+                ...result,
+            }, () => this.formatBatchOutput(abilityName, result.jobId));
+            return;
+        }
+        this.output({
+            mode: 'execute',
+            ability: abilityName,
+            ...result,
+        }, () => this.formatExecutionOutput(abilityName, result.data));
+    }
+    /**
+     * Wait for a batch job to complete using BatchManager
+     */
+    async waitForBatchJob(abilityName, jobId, timeoutSeconds) {
+        const batchManager = await this.getBatchManager();
+        const watchResult = await batchManager.resumeJob(jobId, {
+            maxWait: timeoutSeconds * 1000,
+        });
+        if (watchResult.timedOut) {
+            // Output partial results and throw API error for exit code 4
+            this.output({
+                mode: 'batch',
+                ability: abilityName,
+                jobId,
+                timedOut: true,
+                ...watchResult.status,
+                elapsed_ms: watchResult.elapsed,
+            }, () => formatWarning(`Batch job ${jobId} timed out after ${timeoutSeconds}s (partial results returned)`));
+            throw new APIError('BATCH_TIMEOUT', `Batch job timed out after ${timeoutSeconds}s`, undefined, { jobId, partialStatus: watchResult.status });
+        }
+        // Job completed (or failed)
+        const data = {
+            mode: 'batch',
+            ability: abilityName,
+            jobId,
+            timedOut: false,
+            ...watchResult.status,
+            elapsed_ms: watchResult.elapsed,
+        };
+        this.output(data, () => this.formatWatchResultOutput(abilityName, jobId, watchResult));
+    }
+    /**
+     * Format watch result output for human display
+     */
+    formatWatchResultOutput(abilityName, jobId, result) {
+        const { status, elapsed } = result;
+        const lines = [];
+        if (status.status === 'completed') {
+            lines.push(formatSuccess(`Batch job completed: ${abilityName}`));
+        }
+        else if (status.status === 'failed') {
+            lines.push(formatWarning(`Batch job failed: ${abilityName}`));
+        }
+        else {
+            lines.push(formatWarning(`Batch job ${status.status}: ${abilityName}`));
+        }
+        lines.push('');
+        lines.push(formatKeyValue('Job ID', jobId));
+        lines.push(formatKeyValue('Status', status.status));
+        lines.push(formatKeyValue('Elapsed', `${Math.round(elapsed / 1000)}s`));
+        if (status.processed !== undefined && status.total !== undefined) {
+            lines.push(formatKeyValue('Processed', `${status.processed}/${status.total}`));
+        }
+        if (status.results && status.results.length > 0) {
+            lines.push('');
+            lines.push(`${status.results.length} items processed`);
+        }
+        if (status.errors && status.errors.length > 0) {
+            lines.push('');
+            for (const error of status.errors) {
+                lines.push(formatWarning(`  ${error.message}`));
+            }
+        }
+        return lines.join('\n');
+    }
+    /**
+     * Resolve input from --input, --input-file, or stdin (--input -)
+     */
+    async resolveInput(inputFlag, inputFilePath) {
+        // --input-file takes priority when provided
+        if (inputFilePath) {
+            // SECURITY: Reject null bytes before any path processing
+            if (inputFilePath.includes('\0')) {
+                throw new InputError('Invalid file path: contains null bytes');
+            }
+            const resolvedPath = resolve(inputFilePath);
+            try {
+                return await readFile(resolvedPath, 'utf-8');
+            }
+            catch (error) {
+                if (error.code === 'ENOENT') {
+                    throw new InputError(`Input file not found: ${inputFilePath}`);
+                }
+                throw new InputError(`Failed to read input file: ${inputFilePath}: ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        // --input - means read from stdin
+        if (inputFlag === '-') {
+            const data = await this.readStdin();
+            if (!data) {
+                throw new InputError('No input received from stdin');
+            }
+            return data;
+        }
+        // Default: use --input value directly
+        return inputFlag;
+    }
+    /**
+     * Read all data from stdin
+     */
+    async readStdin() {
+        if (process.stdin.isTTY) {
+            return '';
+        }
+        return new Promise((resolve, reject) => {
+            const chunks = [];
+            process.stdin.setEncoding('utf-8');
+            process.stdin.on('data', (chunk) => chunks.push(chunk));
+            process.stdin.on('end', () => resolve(chunks.join('')));
+            process.stdin.on('error', reject);
+        });
+    }
+    /**
+     * Format preview output for human display
+     */
+    formatPreviewOutput(preview) {
+        const lines = [
+            formatHeading(`Preview: ${preview.abilityName}`),
+            '',
+            formatPreview(preview.summary, preview.affected),
+        ];
+        return lines.join('\n');
+    }
+    /**
+     * Format execution output for human display
+     */
+    formatExecutionOutput(abilityName, data) {
+        const lines = [
+            formatSuccess(`Executed: ${abilityName}`),
+            '',
+        ];
+        if (data !== undefined) {
+            lines.push(formatHeading('Result:'));
+            lines.push(JSON.stringify(data, null, 2));
+        }
+        return lines.join('\n');
+    }
+    /**
+     * Format batch job output
+     */
+    formatBatchOutput(abilityName, jobId) {
+        return [
+            formatSuccess(`Batch job started: ${abilityName}`),
+            '',
+            formatKeyValue('Job ID', jobId),
+            '',
+            `Monitor progress with: mainwpcontrol jobs watch ${jobId}`,
+        ].join('\n');
+    }
+    /**
+     * Output guidance for destructive abilities
+     */
+    outputDestructiveGuidance(abilityName) {
+        if (!this.jsonOutput) {
+            this.logToStderr('');
+            this.logToStderr(formatWarning(`"${abilityName}" is a destructive ability.`));
+            this.logToStderr('');
+            this.logToStderr('To preview changes:');
+            this.logToStderr(`  mainwpcontrol abilities run ${abilityName} --dry-run --input '{...}'`);
+            this.logToStderr('');
+            this.logToStderr('To execute after preview:');
+            this.logToStderr(`  mainwpcontrol abilities run ${abilityName} --confirm --input '{...}'`);
+            this.logToStderr('');
+        }
+    }
+}
+//# sourceMappingURL=run.js.map