@manan_joshi/atelier 0.1.0

package/dist/index.js

@@ -0,0 +1,2342 @@
+#!/usr/bin/env bun
+// @bun
+
+// src/index.tsx
+import { execFileSync as execFileSync4 } from "child_process";
+import { stdin as input, stdout as output } from "process";
+import { existsSync as existsSync4, mkdirSync as mkdirSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "fs";
+import { homedir as homedir4, platform as platform3 } from "os";
+import { dirname as dirname4, join as join4, resolve as resolve2 } from "path";
+import { Command } from "commander";
+
+// ../../packages/auth-client/src/index.ts
+import { execFileSync } from "child_process";
+import { chmodSync, existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "fs";
+import { homedir, platform } from "os";
+import { dirname, join } from "path";
+var CONFIG_DIR = join(homedir(), ".config", "atelier");
+var SESSION_PATH = join(CONFIG_DIR, "session.json");
+var CONFIG_PATH = join(CONFIG_DIR, "config.json");
+var KEYCHAIN_SERVICE = "dev.atelier.session";
+var DEFAULT_API_URL = "https://atelier.mananjoshi.me/api";
+var DEFAULT_GITHUB_CLIENT_ID = "Ov23liiscZlMXcJ2RLnd";
+function getConfiguredApiUrl() {
+  return process.env.ATELIER_API_URL ?? DEFAULT_API_URL;
+}
+function getConfiguredGithubClientId() {
+  return process.env.ATELIER_GITHUB_CLIENT_ID ?? DEFAULT_GITHUB_CLIENT_ID;
+}
+async function loginWithGitHub(options) {
+  const apiUrl = options.apiUrl ?? getConfiguredApiUrl();
+  const clientId = options.clientId ?? getConfiguredGithubClientId();
+  const device = await requestDeviceCode(clientId);
+  await options.onPrompt({
+    verificationUri: device.verification_uri,
+    userCode: device.user_code,
+    expiresIn: device.expires_in
+  });
+  const githubAccessToken = await pollForGitHubAccessToken(clientId, device, options.onPoll);
+  const exchange = await fetch(`${apiUrl}/auth/github/exchange`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ githubAccessToken })
+  });
+  if (!exchange.ok) {
+    throw new Error(`Atelier API rejected GitHub login (${exchange.status})`);
+  }
+  const body = await exchange.json();
+  saveSession({ apiUrl, user: body.user, token: body.token });
+  return { apiUrl, user: body.user };
+}
+async function getCurrentUser() {
+  const authenticated = getAuthenticatedSession();
+  if (!authenticated)
+    return;
+  const response = await fetch(`${authenticated.apiUrl}/me`, {
+    headers: { authorization: `Bearer ${authenticated.token}` }
+  });
+  if (!response.ok)
+    return;
+  const body = await response.json();
+  return { user: body.user, apiUrl: authenticated.apiUrl };
+}
+function getAuthenticatedSession() {
+  const session = readSession();
+  if (!session)
+    return;
+  const token = readSessionToken(session);
+  if (!token)
+    return;
+  return { apiUrl: session.apiUrl, user: session.user, token };
+}
+function getActiveProfile() {
+  return readConfig().activeProfile ?? "personal";
+}
+function setActiveProfile(profile) {
+  writeConfig({ ...readConfig(), activeProfile: profile });
+}
+function logout() {
+  const session = readSession();
+  if (session?.tokenStorage === "keychain")
+    deleteKeychainToken(session.user.id);
+  if (existsSync(SESSION_PATH))
+    rmSync(SESSION_PATH);
+}
+function readSession() {
+  if (!existsSync(SESSION_PATH))
+    return;
+  return JSON.parse(readFileSync(SESSION_PATH, "utf-8"));
+}
+function readConfig() {
+  if (!existsSync(CONFIG_PATH))
+    return {};
+  return JSON.parse(readFileSync(CONFIG_PATH, "utf-8"));
+}
+function writeConfig(config) {
+  mkdirSync(dirname(CONFIG_PATH), { recursive: true });
+  writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2) + `
+`, "utf-8");
+  chmodSync(CONFIG_PATH, 384);
+}
+function saveSession(input) {
+  mkdirSync(dirname(SESSION_PATH), { recursive: true });
+  const canUseKeychain = platform() === "darwin";
+  const session = {
+    apiUrl: input.apiUrl,
+    user: input.user,
+    tokenStorage: canUseKeychain ? "keychain" : "file",
+    createdAt: new Date().toISOString()
+  };
+  if (canUseKeychain) {
+    saveKeychainToken(input.user.id, input.token);
+  } else {
+    session.token = input.token;
+  }
+  writeFileSync(SESSION_PATH, JSON.stringify(session, null, 2) + `
+`, "utf-8");
+  chmodSync(SESSION_PATH, 384);
+}
+function readSessionToken(session) {
+  if (session.tokenStorage === "file")
+    return session.token;
+  return readKeychainToken(session.user.id);
+}
+async function requestDeviceCode(clientId) {
+  const response = await fetch("https://github.com/login/device/code", {
+    method: "POST",
+    headers: { accept: "application/json", "content-type": "application/json" },
+    body: JSON.stringify({ client_id: clientId, scope: "read:user user:email" })
+  });
+  if (!response.ok)
+    throw new Error(`GitHub device-code request failed (${response.status})`);
+  return response.json();
+}
+async function pollForGitHubAccessToken(clientId, device, onPoll) {
+  let interval = device.interval;
+  const expiresAt = Date.now() + device.expires_in * 1000;
+  while (Date.now() < expiresAt) {
+    await sleep(interval * 1000);
+    await onPoll?.("Waiting for GitHub authorization\u2026");
+    const response = await fetch("https://github.com/login/oauth/access_token", {
+      method: "POST",
+      headers: { accept: "application/json", "content-type": "application/json" },
+      body: JSON.stringify({ client_id: clientId, device_code: device.device_code, grant_type: "urn:ietf:params:oauth:grant-type:device_code" })
+    });
+    if (!response.ok)
+      throw new Error(`GitHub token polling failed (${response.status})`);
+    const body = await response.json();
+    if (body.access_token)
+      return body.access_token;
+    if (body.error === "authorization_pending")
+      continue;
+    if (body.error === "slow_down") {
+      interval += 5;
+      continue;
+    }
+    if (body.error === "access_denied")
+      throw new Error("GitHub login was denied");
+    if (body.error === "expired_token")
+      throw new Error("GitHub login code expired");
+    throw new Error(body.error_description ?? "GitHub login failed");
+  }
+  throw new Error("GitHub login timed out");
+}
+function saveKeychainToken(account, token) {
+  execFileSync("security", ["add-generic-password", "-a", account, "-s", KEYCHAIN_SERVICE, "-w", token, "-U"], { stdio: "ignore" });
+}
+function readKeychainToken(account) {
+  try {
+    return execFileSync("security", ["find-generic-password", "-a", account, "-s", KEYCHAIN_SERVICE, "-w"], { encoding: "utf-8", stdio: ["ignore", "pipe", "ignore"] }).trim();
+  } catch {
+    return;
+  }
+}
+function deleteKeychainToken(account) {
+  try {
+    execFileSync("security", ["delete-generic-password", "-a", account, "-s", KEYCHAIN_SERVICE], { stdio: "ignore" });
+  } catch {}
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// ../../packages/api-client/src/index.ts
+async function listProfiles() {
+  const response = await authedFetch("/profiles");
+  const body = await response.json();
+  return body.profiles;
+}
+async function createProfile(name) {
+  const response = await authedFetch("/profiles", {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ name })
+  });
+  const body = await response.json();
+  return body.profile;
+}
+async function getProfile(name) {
+  const response = await authedFetch(`/profiles/${encodeURIComponent(name)}`);
+  if (response.status === 404)
+    return;
+  const body = await response.json();
+  return body.profile;
+}
+async function getVault() {
+  return await (await authedFetch("/vault")).json();
+}
+async function saveVault(input) {
+  await authedFetch("/vault", {
+    method: "PUT",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify(input)
+  });
+}
+async function getProfileKey(profileName) {
+  const response = await authedFetch(`/profiles/${encodeURIComponent(profileName)}/key`);
+  if (response.status === 404)
+    return;
+  const body = await response.json();
+  return body.profileKey;
+}
+async function saveProfileKey(profileName, input) {
+  const response = await authedFetch(`/profiles/${encodeURIComponent(profileName)}/key`, {
+    method: "PUT",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify(input)
+  });
+  const body = await response.json();
+  return body.profileKey;
+}
+async function listSavedConfigs(profileName) {
+  const response = await authedFetch(`/profiles/${encodeURIComponent(profileName)}/configs`);
+  const body = await response.json();
+  return body.configs;
+}
+async function getSavedConfig(profileName, stableId) {
+  const response = await authedFetch(`/profiles/${encodeURIComponent(profileName)}/configs/${encodeURIComponent(stableId)}`);
+  if (response.status === 404)
+    return;
+  const body = await response.json();
+  return body.config;
+}
+async function createConfigVersion(profileName, stableId, input) {
+  const response = await authedFetch(`/profiles/${encodeURIComponent(profileName)}/configs/${encodeURIComponent(stableId)}/versions`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify(input)
+  });
+  return await response.json();
+}
+async function authedFetch(path, init = {}) {
+  const session = getAuthenticatedSession();
+  if (!session)
+    throw new Error("Not logged in. Run `atl login`.");
+  const response = await fetch(`${session.apiUrl}${path}`, {
+    ...init,
+    headers: {
+      ...init.headers,
+      authorization: `Bearer ${session.token}`
+    }
+  });
+  if (!response.ok && response.status !== 404) {
+    const body = await response.json().catch(() => {
+      return;
+    });
+    throw new Error(body?.error ?? `Atelier API request failed (${response.status})`);
+  }
+  return response;
+}
+
+// ../../packages/save-client/src/index.ts
+import { createCipheriv as createCipheriv2, createHash, randomBytes as randomBytes2 } from "crypto";
+import { readFile } from "fs/promises";
+
+// ../../packages/vault-client/src/index.ts
+import { execFileSync as execFileSync2 } from "child_process";
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
+import { chmodSync as chmodSync2, existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, rmSync as rmSync2, writeFileSync as writeFileSync2 } from "fs";
+import { homedir as homedir2, platform as platform2 } from "os";
+import { dirname as dirname2, join as join2 } from "path";
+var VAULT_KEYCHAIN_SERVICE = "dev.atelier.vault";
+var LOCAL_VAULT_DIR = join2(homedir2(), ".config", "atelier");
+var LOCAL_VAULT_KEY_PATH = join2(LOCAL_VAULT_DIR, "vault-key.json");
+var KDF_PARAMS = { N: 32768, r: 8, p: 1 };
+var KDF_MAXMEM = 64 * 1024 * 1024;
+var KEY_ALGORITHM = "aes-256-gcm";
+async function getVaultState() {
+  const session = requireSession();
+  const vault = await getVault();
+  return {
+    initialized: vault.initialized,
+    unlocked: Boolean(readLocalVaultKey(session.user.id)),
+    activeProfile: getActiveProfile()
+  };
+}
+async function initializeVault(passphrase, profileName = getActiveProfile()) {
+  assertStrongPassphrase(passphrase);
+  const session = requireSession();
+  const existing = await getVault();
+  if (existing.initialized)
+    throw new Error("Atelier vault already exists. Run `atl vault unlock` if this machine is locked.");
+  const profile = await getProfile(profileName);
+  if (!profile)
+    throw new Error(`Profile not found: ${profileName}`);
+  const vaultKey = randomBytes(32);
+  const profileKey = randomBytes(32);
+  const salt = randomBytes(16);
+  const wrappingKey = deriveWrappingKey(passphrase, salt, KDF_PARAMS);
+  const encryptedVaultKey = encryptBytes(vaultKey, wrappingKey);
+  const encryptedProfileKey = encryptBytes(profileKey, vaultKey);
+  await saveVault({
+    kdf: {
+      algorithm: "scrypt",
+      salt: base64urlEncode(salt),
+      params: KDF_PARAMS
+    },
+    encryptedVaultKey
+  });
+  await saveProfileKey(profileName, {
+    version: 1,
+    algorithm: encryptedProfileKey.algorithm,
+    nonce: encryptedProfileKey.nonce,
+    encryptedKey: encryptedProfileKey.ciphertext
+  });
+  saveLocalVaultKey(session.user.id, vaultKey);
+  return { profileName: profile.name };
+}
+async function unlockVault(passphrase) {
+  const session = requireSession();
+  const vault = await getVault();
+  if (!vault.initialized)
+    throw new Error("Atelier vault is not initialized. Run `atl save <id>` or `atl vault init`.");
+  const vaultKey = decryptVaultKey(vault, passphrase);
+  saveLocalVaultKey(session.user.id, vaultKey);
+  return { activeProfile: getActiveProfile() };
+}
+function lockVault() {
+  const session = requireSession();
+  deleteLocalVaultKey(session.user.id);
+}
+async function ensureLocalVaultKey(passphrase, profileName = getActiveProfile()) {
+  const session = requireSession();
+  const localVaultKey = readLocalVaultKey(session.user.id);
+  if (localVaultKey)
+    return localVaultKey;
+  if (!passphrase)
+    throw new Error("Vault passphrase is required");
+  const vault = await getVault();
+  if (!vault.initialized) {
+    await initializeVault(passphrase, profileName);
+    const initializedKey = readLocalVaultKey(session.user.id);
+    if (!initializedKey)
+      throw new Error("Vault initialized but local key was not stored");
+    return initializedKey;
+  }
+  return decryptVaultKey(vault, passphrase);
+}
+async function ensureProfileKey(passphrase, profileName = getActiveProfile()) {
+  const vaultKey = await ensureLocalVaultKey(passphrase, profileName);
+  const existing = await getProfileKey(profileName);
+  if (existing)
+    return decryptEnvelope(existing.encryptedKey, existing.nonce, vaultKey);
+  const profileKey = randomBytes(32);
+  const encryptedProfileKey = encryptBytes(profileKey, vaultKey);
+  await saveProfileKey(profileName, {
+    version: 1,
+    algorithm: encryptedProfileKey.algorithm,
+    nonce: encryptedProfileKey.nonce,
+    encryptedKey: encryptedProfileKey.ciphertext
+  });
+  return profileKey;
+}
+function decryptVaultKey(vault, passphrase) {
+  if (!vault.kdf || !vault.encryptedVaultKey)
+    throw new Error("Vault payload is incomplete");
+  if (vault.kdf.algorithm !== "scrypt")
+    throw new Error(`Unsupported vault KDF: ${vault.kdf.algorithm}`);
+  const salt = base64urlDecode(vault.kdf.salt);
+  const wrappingKey = deriveWrappingKey(passphrase, salt, vault.kdf.params);
+  const vaultKey = decryptEnvelope(vault.encryptedVaultKey.ciphertext, vault.encryptedVaultKey.nonce, wrappingKey);
+  saveLocalVaultKey(requireSession().user.id, vaultKey);
+  return vaultKey;
+}
+function deriveWrappingKey(passphrase, salt, params) {
+  return scryptSync(passphrase, salt, 32, {
+    N: params.N,
+    r: params.r,
+    p: params.p,
+    maxmem: KDF_MAXMEM
+  });
+}
+function encryptBytes(plaintext, key) {
+  const nonce = randomBytes(12);
+  const cipher = createCipheriv(KEY_ALGORITHM, key, nonce);
+  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return {
+    algorithm: KEY_ALGORITHM,
+    nonce: base64urlEncode(nonce),
+    ciphertext: base64urlEncode(Buffer.concat([ciphertext, tag]))
+  };
+}
+function decryptEnvelope(ciphertextWithTag, nonceValue, key) {
+  const payload = Buffer.from(base64urlDecode(ciphertextWithTag));
+  const nonce = Buffer.from(base64urlDecode(nonceValue));
+  const ciphertext = payload.subarray(0, -16);
+  const tag = payload.subarray(-16);
+  const decipher = createDecipheriv(KEY_ALGORITHM, key, nonce);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+}
+function assertStrongPassphrase(passphrase) {
+  if (passphrase.length < 12)
+    throw new Error("Vault passphrase must be at least 12 characters.");
+}
+function requireSession() {
+  const session = getAuthenticatedSession();
+  if (!session)
+    throw new Error("Not logged in. Run `atl login`.");
+  return session;
+}
+function saveLocalVaultKey(userId, key) {
+  const encoded = base64urlEncode(key);
+  if (platform2() === "darwin") {
+    execFileSync2("security", ["add-generic-password", "-a", userId, "-s", VAULT_KEYCHAIN_SERVICE, "-w", encoded, "-U"], { stdio: "ignore" });
+    return;
+  }
+  mkdirSync2(dirname2(LOCAL_VAULT_KEY_PATH), { recursive: true });
+  writeFileSync2(LOCAL_VAULT_KEY_PATH, JSON.stringify({ userId, key: encoded }, null, 2) + `
+`, "utf-8");
+  chmodSync2(LOCAL_VAULT_KEY_PATH, 384);
+}
+function readLocalVaultKey(userId) {
+  const encoded = platform2() === "darwin" ? readKeychainVaultKey(userId) : readFileVaultKey(userId);
+  return encoded ? Buffer.from(base64urlDecode(encoded)) : undefined;
+}
+function deleteLocalVaultKey(userId) {
+  if (platform2() === "darwin") {
+    try {
+      execFileSync2("security", ["delete-generic-password", "-a", userId, "-s", VAULT_KEYCHAIN_SERVICE], { stdio: "ignore" });
+    } catch {}
+    return;
+  }
+  if (existsSync2(LOCAL_VAULT_KEY_PATH))
+    rmSync2(LOCAL_VAULT_KEY_PATH);
+}
+function readKeychainVaultKey(userId) {
+  try {
+    return execFileSync2("security", ["find-generic-password", "-a", userId, "-s", VAULT_KEYCHAIN_SERVICE, "-w"], { encoding: "utf-8", stdio: ["ignore", "pipe", "ignore"] }).trim();
+  } catch {
+    return;
+  }
+}
+function readFileVaultKey(userId) {
+  if (!existsSync2(LOCAL_VAULT_KEY_PATH))
+    return;
+  const body = JSON.parse(readFileSync2(LOCAL_VAULT_KEY_PATH, "utf-8"));
+  return body.userId === userId ? body.key : undefined;
+}
+function base64urlEncode(bytes) {
+  return Buffer.from(bytes).toString("base64url");
+}
+function base64urlDecode(value) {
+  return new Uint8Array(Buffer.from(value, "base64url"));
+}
+
+// ../../packages/save-client/src/validation.ts
+var MAX_SAVE_SIZE_BYTES = 1024 * 1024;
+function validateSaveCandidate(item) {
+  const reasons = [];
+  if (!item.exists)
+    reasons.push("file does not exist");
+  if (item.isDirectory || item.kind === "directory" || item.format === "directory")
+    reasons.push("directory saving is not supported yet");
+  if (item.kind === "generated")
+    reasons.push("generated/cache files are not saved");
+  if (item.kind === "private" || item.shareability === "private")
+    reasons.push("private/auth files are blocked");
+  if (item.secretFindings.length > 0)
+    reasons.push("detected secret material");
+  if (item.size !== undefined && item.size > MAX_SAVE_SIZE_BYTES)
+    reasons.push(`file is larger than ${formatBytes(MAX_SAVE_SIZE_BYTES)}`);
+  if (isUnsupportedBinary(item))
+    reasons.push("binary files are not supported yet");
+  return { ok: reasons.length === 0, reasons };
+}
+function assertSaveCandidate(item) {
+  const result = validateSaveCandidate(item);
+  if (!result.ok)
+    throw new Error(`Cannot save ${item.id}: ${result.reasons.join("; ")}`);
+}
+function isUnsupportedBinary(item) {
+  if (item.previewSuppressedReason?.toLowerCase().includes("binary"))
+    return true;
+  return ["binary", "sqlite", "db"].includes(item.format.toLowerCase());
+}
+function formatBytes(bytes) {
+  if (bytes < 1024)
+    return `${bytes} B`;
+  const kib = bytes / 1024;
+  if (kib < 1024)
+    return `${Math.round(kib)} KiB`;
+  return `${Math.round(kib / 1024)} MiB`;
+}
+// ../../packages/save-client/src/index.ts
+var CONTENT_ALGORITHM = "aes-256-gcm";
+async function saveConfigItem(item, options = {}) {
+  assertSaveCandidate(item);
+  const profileName = getActiveProfile();
+  const profileKey = await ensureProfileKey(options.passphrase, profileName);
+  const plaintext = await readFile(item.path);
+  const encrypted = encryptContent(plaintext, profileKey);
+  const response = await createConfigVersion(profileName, item.id, {
+    kind: "file",
+    pathHint: item.displayPath,
+    contentSha256: sha256Hex(plaintext),
+    ciphertextSha256: sha256Hex(encrypted.ciphertextBytes),
+    sizeBytes: plaintext.byteLength,
+    algorithm: encrypted.algorithm,
+    profileKeyVersion: 1,
+    nonce: encrypted.nonce,
+    ciphertext: encrypted.ciphertext
+  });
+  return {
+    profileName,
+    stableId: item.id,
+    version: response.version,
+    reused: response.reused
+  };
+}
+function encryptContent(plaintext, key) {
+  const nonce = randomBytes2(12);
+  const cipher = createCipheriv2(CONTENT_ALGORITHM, key, nonce);
+  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const ciphertextBytes = Buffer.concat([ciphertext, tag]);
+  return {
+    algorithm: CONTENT_ALGORITHM,
+    nonce: base64urlEncode2(nonce),
+    ciphertext: base64urlEncode2(ciphertextBytes),
+    ciphertextBytes
+  };
+}
+function sha256Hex(bytes) {
+  return createHash("sha256").update(bytes).digest("hex");
+}
+function base64urlEncode2(bytes) {
+  return Buffer.from(bytes).toString("base64url");
+}
+
+// ../../packages/scanner/src/index.ts
+import { execFileSync as execFileSync3 } from "child_process";
+import { existsSync as existsSync3, lstatSync, mkdirSync as mkdirSync3, readdirSync, readFileSync as readFileSync3, statSync, writeFileSync as writeFileSync3 } from "fs";
+import { homedir as homedir3, userInfo } from "os";
+import { dirname as dirname3, join as join3, relative, resolve } from "path";
+
+// ../../packages/registry/src/definitions.ts
+var registryDefinitions = [
+  {
+    domain: "AI Tools",
+    app: "Pi / Pi Next",
+    items: [
+      {
+        id: "pi.dir",
+        path: "~/.pi",
+        kind: "directory",
+        format: "directory",
+        shareability: "machine-specific"
+      },
+      {
+        id: "pi-next.dir",
+        path: "~/.pi-next",
+        kind: "directory",
+        format: "directory",
+        shareability: "shareable"
+      },
+      {
+        id: "pi-next.design",
+        path: "~/.pi-next/DESIGN.md",
+        kind: "config",
+        format: "markdown",
+        shareability: "shareable"
+      },
+      {
+        id: "pi-next.cmux-config",
+        path: "~/.pi-next/cmux-config",
+        kind: "config",
+        format: "directory",
+        shareability: "shareable"
+      },
+      {
+        id: "pi-next.zed-config",
+        path: "~/.pi-next/zed-config",
+        kind: "config",
+        format: "directory",
+        shareability: "shareable"
+      },
+      {
+        id: "pi-next.bin",
+        path: "~/.pi-next/bin",
+        kind: "config",
+        format: "directory",
+        shareability: "shareable"
+      }
+    ]
+  },
+  {
+    domain: "Shell",
+    app: "Starship",
+    items: [
+      {
+        id: "starship.config",
+        path: "~/.config/starship.toml",
+        kind: "config",
+        format: "toml",
+        shareability: "shareable"
+      }
+    ]
+  },
+  {
+    domain: "Editors",
+    app: "Zed",
+    items: [
+      {
+        id: "zed.dir",
+        path: "~/.config/zed",
+        kind: "directory",
+        format: "directory",
+        shareability: "shareable"
+      },
+      {
+        id: "zed.settings",
+        path: "~/.config/zed/settings.json",
+        kind: "config",
+        format: "jsonc",
+        shareability: "shareable",
+        mirrors: [
+          "~/.pi-next/zed-config/settings.json"
+        ]
+      },
+      {
+        id: "zed.themes",
+        path: "~/.config/zed/themes",
+        kind: "config",
+        format: "directory",
+        shareability: "shareable"
+      },
+      {
+        id: "zed.prompts",
+        path: "~/.config/zed/prompts",
+        kind: "generated",
+        format: "directory",
+        shareability: "machine-specific"
+      }
+    ]
+  },
+  {
+    domain: "Git",
+    app: "Git",
+    items: [
+      {
+        id: "git.config",
+        path: "~/.gitconfig",
+        kind: "config",
+        format: "gitconfig",
+        shareability: "machine-specific"
+      },
+      {
+        id: "git.config-dir",
+        path: "~/.config/git",
+        kind: "directory",
+        format: "directory",
+        shareability: "machine-specific"
+      },
+      {
+        id: "git.ignore",
+        path: "~/.gitignore",
+        kind: "config",
+        format: "gitignore",
+        shareability: "machine-specific"
+      }
+    ]
+  },
+  {
+    domain: "Private/Auth",
+    app: "Credentials",
+    privateByDefault: true,
+    items: [
+      {
+        id: "auth.ssh",
+        path: "~/.ssh",
+        kind: "private",
+        format: "directory",
+        shareability: "private"
+      },
+      {
+        id: "auth.aws",
+        path: "~/.aws",
+        kind: "private",
+        format: "directory",
+        shareability: "private"
+      },
+      {
+        id: "auth.gh",
+        path: "~/.config/gh",
+        kind: "private",
+        format: "directory",
+        shareability: "private"
+      },
+      {
+        id: "auth.gcloud-adc",
+        path: "~/.config/gcloud/application_default_credentials.json",
+        kind: "private",
+        format: "json",
+        shareability: "private"
+      },
+      {
+        id: "auth.docker",
+        path: "~/.docker/config.json",
+        kind: "private",
+        format: "json",
+        shareability: "private"
+      },
+      {
+        id: "auth.pi",
+        path: "~/.config/pi/auth.json",
+        kind: "private",
+        format: "json",
+        shareability: "private"
+      }
+    ]
+  },
+  {
+    domain: "Shell",
+    app: "Zsh",
+    items: [
+      {
+        id: "zsh.home-rc",
+        path: "~/.zshrc",
+        kind: "config",
+        format: "shell",
+        shareability: "shareable"
+      },
+      {
+        id: "zsh.home-env",
+        path: "~/.zshenv",
+        kind: "config",
+        format: "shell",
+        shareability: "private"
+      },
+      {
+        id: "zsh.dir",
+        path: "~/.config/zsh",
+        kind: "directory",
+        format: "directory",
+        shareability: "machine-specific"
+      },
+      {
+        id: "zsh.env",
+        path: "~/.config/zsh/.zshenv",
+        kind: "config",
+        format: "shell",
+        shareability: "private"
+      },
+      {
+        id: "zsh.rc",
+        path: "~/.config/zsh/.zshrc",
+        kind: "config",
+        format: "shell",
+        shareability: "shareable"
+      },
+      {
+        id: "zsh.conf",
+        path: "~/.config/zsh/conf.d",
+        kind: "directory",
+        format: "directory",
+        shareability: "shareable"
+      },
+      {
+        id: "zsh.zcompdump",
+        path: "~/.config/zsh/.zcompdump",
+        kind: "generated",
+        format: "text",
+        shareability: "machine-specific"
+      },
+      {
+        id: "zsh.sessions",
+        path: "~/.config/zsh/.zsh_sessions",
+        kind: "generated",
+        format: "directory",
+        shareability: "machine-specific"
+      }
+    ]
+  },
+  {
+    domain: "Terminals",
+    app: "cmux",
+    items: [
+      {
+        id: "cmux.dir",
+        path: "~/.config/cmux",
+        kind: "directory",
+        format: "directory",
+        shareability: "shareable"
+      },
+      {
+        id: "cmux.config",
+        path: "~/.config/cmux/cmux.json",
+        kind: "config",
+        format: "jsonc",
+        shareability: "shareable",
+        mirrors: [
+          "~/.pi-next/cmux-config/cmux.json"
+        ]
+      },
+      {
+        id: "cmux.ghostty",
+        path: "~/Library/Application Support/com.cmuxterm.app/config.ghostty",
+        kind: "config",
+        format: "ghostty",
+        shareability: "shareable",
+        mirrors: [
+          "~/.pi-next/cmux-config/config.ghostty"
+        ]
+      },
+      {
+        id: "cmux.browser-history",
+        path: "~/Library/Application Support/com.cmuxterm.app/browser_history.json",
+        kind: "generated",
+        format: "json",
+        shareability: "machine-specific"
+      }
+    ]
+  }
+];
+
+// ../../packages/secrets/src/index.ts
+var SECRET_PATTERNS = [
+  ["GitHub token", /gh[pousr]_[A-Za-z0-9_]{20,}/g],
+  ["Slack token", /xox[baprs]-[A-Za-z0-9-]{20,}/g],
+  ["AWS access key", /AKIA[0-9A-Z]{16}/g],
+  ["Private key", /-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----/g],
+  ["Generic token assignment", /(?:token|api[_-]?key|secret|webhook|password)\s*[=:]\s*["']?[^"'\s]{12,}/gi]
+];
+function detectSecrets(text) {
+  const findings = [];
+  const lines = text.split(/\r?\n/);
+  for (const [type, pattern] of SECRET_PATTERNS) {
+    for (const match of text.matchAll(pattern)) {
+      const index = match.index ?? 0;
+      const line = text.slice(0, index).split(/\r?\n/).length;
+      findings.push({ type, line, preview: redact(match[0]) });
+    }
+  }
+  lines.forEach((lineText, index) => {
+    for (const candidate of lineText.matchAll(/[A-Za-z0-9_+\/=.-]{32,}/g)) {
+      const value = candidate[0];
+      if (!isCoveredByExplicitPattern(value, lineText) && isHighEntropySecretCandidate(value, lineText)) {
+        findings.push({ type: "High-entropy string", line: index + 1, preview: redact(value) });
+      }
+    }
+  });
+  return dedupe(findings);
+}
+function redact(text) {
+  if (text.length <= 8)
+    return "[redacted]";
+  return `${text.slice(0, 4)}\u2026${text.slice(-4)}`;
+}
+function redactText(text) {
+  let redacted = text;
+  for (const [, pattern] of SECRET_PATTERNS) {
+    redacted = redacted.replace(pattern, (match) => redact(match));
+  }
+  redacted = redacted.replace(/[A-Za-z0-9_+\/=.-]{32,}/g, (match) => {
+    if (isHighEntropySecretCandidate(match, text))
+      return redact(match);
+    return match;
+  });
+  return redacted;
+}
+function isCoveredByExplicitPattern(value, context) {
+  return SECRET_PATTERNS.some(([, pattern]) => {
+    pattern.lastIndex = 0;
+    return Array.from(context.matchAll(pattern)).some((match) => match[0].includes(value) || value.includes(match[0]));
+  });
+}
+function isHighEntropySecretCandidate(value, context) {
+  if (value.startsWith("amazon."))
+    return false;
+  if (value.includes("anthropic.claude"))
+    return false;
+  if (/^[A-Za-z0-9.-]+@[A-Za-z0-9.-]+$/.test(value))
+    return false;
+  if (/model/i.test(context) && /^[A-Za-z0-9_.-]+$/.test(value))
+    return false;
+  return entropy(value) > 4.2 && /[A-Za-z]/.test(value) && /[0-9]/.test(value);
+}
+function entropy(value) {
+  const counts = new Map;
+  for (const char of value)
+    counts.set(char, (counts.get(char) ?? 0) + 1);
+  let result = 0;
+  for (const count of counts.values()) {
+    const p = count / value.length;
+    result -= p * Math.log2(p);
+  }
+  return result;
+}
+function dedupe(findings) {
+  const seen = new Set;
+  return findings.filter((finding) => {
+    const key = `${finding.type}:${finding.line}:${finding.preview}`;
+    if (seen.has(key))
+      return false;
+    seen.add(key);
+    return true;
+  });
+}
+
+// ../../packages/scanner/src/jsonc.ts
+function parseJsonc(input) {
+  const withoutBlockComments = input.replace(/\/\*[\s\S]*?\*\//g, "");
+  const withoutLineComments = withoutBlockComments.replace(/(^|[^:])\/\/.*$/gm, "$1");
+  const withoutTrailingCommas = withoutLineComments.replace(/,\s*([}\]])/g, "$1");
+  return JSON.parse(withoutTrailingCommas);
+}
+
+// ../../packages/scanner/src/index.ts
+var HOME = homedir3();
+var TEXT_EXTENSIONS = new Set([".zsh", ".zshrc", ".zshenv", ".sh", ".json", ".jsonc", ".toml", ".md", ".yml", ".yaml", ".gitconfig", ".gitignore", ".ghostty", ""]);
+var GENERATED_NAMES = [/cache/i, /history/i, /session/i, /state/i, /\.mdb$/i, /\.sqlite/i, /\.db$/i, /zcompdump/i, /logs?/i];
+var PRIVATE_NAMES = [/credential/i, /secret/i, /token/i, /auth\.json$/i, /hosts\.yml$/i, /config\.json$/i];
+var yadmCache;
+async function scan(options) {
+  yadmCache = options.includeLegacyManagers ? loadYadmCache() : undefined;
+  const definitions = loadRegistry(options.repoRoot);
+  const registryItems = definitions.flatMap((definition) => definition.items.map((item) => ({ definition, item })));
+  const seen = new Set;
+  const items = [];
+  for (const { definition, item } of registryItems) {
+    const path = expandHome(item.path);
+    seen.add(path);
+    items.push(inspectRegistryItem(definition, item, path));
+  }
+  for (const candidate of discoverConfigCandidates()) {
+    if (seen.has(candidate.path))
+      continue;
+    seen.add(candidate.path);
+    items.push(inspectHeuristicItem(candidate));
+  }
+  for (const manual of options.manualPaths ?? []) {
+    const path = expandHome(manual);
+    if (seen.has(path))
+      continue;
+    seen.add(path);
+    items.push(inspectHeuristicItem({ path, reason: "manual path" }));
+  }
+  items.sort((a, b) => `${a.domain}:${a.app}:${a.path}`.localeCompare(`${b.domain}:${b.app}:${b.path}`));
+  return {
+    version: 1,
+    generatedAt: new Date().toISOString(),
+    repoRoot: options.repoRoot,
+    home: HOME,
+    items,
+    summary: {
+      total: items.length,
+      existing: items.filter((item) => item.exists).length,
+      secrets: items.filter((item) => item.secretFindings.length > 0).length,
+      drift: items.filter((item) => item.mirrors.some((mirror) => mirror.exists && mirror.identical === false)).length,
+      generated: items.filter((item) => item.kind === "generated").length,
+      private: items.filter((item) => item.shareability === "private").length
+    }
+  };
+}
+function writeInventory(inventory, options = {}) {
+  const path = options.path ?? join3(inventory.repoRoot, ".atelier", "state", "inventory.json");
+  mkdirSync3(dirname3(path), { recursive: true });
+  writeFileSync3(path, JSON.stringify(inventory, null, 2) + `
+`, "utf-8");
+  return path;
+}
+function loadRegistry(repoRoot) {
+  const dir = join3(repoRoot, "packages", "registry", "definitions");
+  if (!existsSync3(dir))
+    return registryDefinitions;
+  return readdirSync(dir).filter((file) => file.endsWith(".jsonc")).map((file) => parseJsonc(readFileSync3(join3(dir, file), "utf-8")));
+}
+function inspectRegistryItem(definition, item, path) {
+  return inspectPath({
+    path,
+    domain: definition.domain,
+    app: definition.app,
+    kind: item.kind,
+    format: item.format,
+    shareability: item.shareability,
+    reason: "registry match",
+    mirrors: item.mirrors ?? [],
+    privateByDefault: definition.privateByDefault,
+    id: item.id
+  });
+}
+function inspectHeuristicItem(candidate) {
+  const app = appNameFromPath(candidate.path);
+  const kind = heuristicKind(candidate.path);
+  const shareability = heuristicShareability(candidate.path, kind);
+  return inspectPath({
+    path: candidate.path,
+    domain: heuristicDomain(candidate.path),
+    app,
+    kind,
+    format: detectFormat(candidate.path),
+    shareability,
+    reason: candidate.reason,
+    mirrors: [],
+    privateByDefault: shareability === "private"
+  });
+}
+function inspectPath(input) {
+  const exists = existsSync3(input.path);
+  const lst = exists ? lstatSync(input.path) : undefined;
+  const stat = exists ? statSync(input.path) : undefined;
+  const isDirectory = !!stat?.isDirectory();
+  const isSymlink = !!lst?.isSymbolicLink();
+  const secretFindings = exists && !isDirectory && isSafeTextPath(input.path) ? detectSecrets(readFileSync3(input.path, "utf-8")) : [];
+  const mirrors = input.mirrors.map((mirror) => inspectMirror(input.path, expandHome(mirror)));
+  const recommendation = recommend(input.kind, input.shareability, secretFindings.length, mirrors);
+  const previewInfo = preview(input.path, exists, isDirectory, input.shareability, input.privateByDefault, input.kind);
+  return {
+    id: input.id ?? stableId(input.path),
+    domain: input.domain,
+    app: input.app,
+    path: input.path,
+    displayPath: displayPath(input.path),
+    kind: input.kind,
+    format: input.format,
+    shareability: input.shareability,
+    exists,
+    isDirectory,
+    isSymlink,
+    mode: stat ? `0${(stat.mode & 511).toString(8)}` : undefined,
+    owner: exists ? userInfo().username : undefined,
+    size: stat?.size,
+    git: exists ? gitInfo(input.path) : undefined,
+    legacyManagers: exists ? legacyManagerInfo(input.path) : {},
+    mirrors,
+    secretFindings,
+    ...previewInfo,
+    recommendation,
+    reason: input.reason
+  };
+}
+function discoverConfigCandidates() {
+  const candidates = [];
+  const configRoot = join3(HOME, ".config");
+  if (!existsSync3(configRoot))
+    return candidates;
+  for (const entry of readdirSync(configRoot, { withFileTypes: true })) {
+    if (entry.name.startsWith("."))
+      continue;
+    const appDir = join3(configRoot, entry.name);
+    candidates.push({ path: appDir, reason: "~/.config app directory" });
+    if (!entry.isDirectory())
+      continue;
+    for (const child of safeReadDir(appDir).slice(0, 80)) {
+      const childPath = join3(appDir, child.name);
+      if (isGeneratedPath(childPath)) {
+        candidates.push({ path: childPath, reason: "generated/app-state candidate" });
+        continue;
+      }
+      if (child.isFile() && looksLikeConfigFile(child.name)) {
+        candidates.push({ path: childPath, reason: "shallow ~/.config config candidate" });
+      }
+      if (child.isDirectory() && ["conf.d", "themes", "snippets", "plugins"].includes(child.name)) {
+        candidates.push({ path: childPath, reason: "shallow ~/.config config directory" });
+      }
+    }
+  }
+  return candidates;
+}
+function safeReadDir(path) {
+  try {
+    return readdirSync(path, { withFileTypes: true });
+  } catch {
+    return [];
+  }
+}
+function inspectMirror(livePath, mirrorPath) {
+  const exists = existsSync3(mirrorPath);
+  if (!exists || !existsSync3(livePath) || statSync(livePath).isDirectory() || statSync(mirrorPath).isDirectory()) {
+    return { path: mirrorPath, displayPath: displayPath(mirrorPath), exists };
+  }
+  const live = readFileSync3(livePath, "utf-8");
+  const mirror = readFileSync3(mirrorPath, "utf-8");
+  return {
+    path: mirrorPath,
+    displayPath: displayPath(mirrorPath),
+    exists,
+    identical: live === mirror,
+    diff: live === mirror ? undefined : simpleDiff(mirror, live)
+  };
+}
+function simpleDiff(before, after) {
+  const beforeLines = before.split(/\r?\n/);
+  const afterLines = after.split(/\r?\n/);
+  const max = Math.max(beforeLines.length, afterLines.length);
+  const output = [];
+  for (let index = 0;index < max; index++) {
+    if (beforeLines[index] === afterLines[index])
+      continue;
+    if (beforeLines[index] !== undefined)
+      output.push(`-${beforeLines[index]}`);
+    if (afterLines[index] !== undefined)
+      output.push(`+${afterLines[index]}`);
+  }
+  return output.slice(0, 200).join(`
+`);
+}
+function preview(path, exists, isDirectory, shareability, privateByDefault, kind) {
+  if (!exists)
+    return { previewSuppressedReason: "missing" };
+  if (isDirectory)
+    return { previewSuppressedReason: "directory" };
+  if (shareability === "private" || privateByDefault || kind === "private")
+    return { previewSuppressedReason: "private/auth metadata-only" };
+  if (!isSafeTextPath(path))
+    return { previewSuppressedReason: "binary or unsupported file type" };
+  const text = readFileSync3(path, "utf-8");
+  return { preview: redactText(text).slice(0, 20000) };
+}
+function recommend(kind, shareability, secretCount, mirrors) {
+  if (secretCount > 0)
+    return "rotate-secret";
+  if (kind === "generated")
+    return "ignore-generated";
+  if (shareability === "private")
+    return "mark-private";
+  if (mirrors.some((mirror) => mirror.exists && mirror.identical === false))
+    return "resolve-drift";
+  if (shareability === "machine-specific")
+    return "review-machine-specific";
+  if (kind === "config" || kind === "directory")
+    return "adopt-candidate";
+  return "none";
+}
+function gitInfo(path) {
+  const cwd = statSync(path).isDirectory() ? path : dirname3(path);
+  const root = git(["rev-parse", "--show-toplevel"], cwd);
+  if (!root)
+    return;
+  const rel = relative(root, path);
+  const ignored = !!git(["check-ignore", "-q", rel], root, true);
+  const tracked = !!git(["ls-files", "--error-unmatch", rel], root, true);
+  const modified = tracked && !!git(["status", "--porcelain", "--", rel], root);
+  return { root, tracked, modified, ignored };
+}
+function legacyManagerInfo(path) {
+  if (!yadmCache)
+    return {};
+  return { yadm: yadmInfo(path) };
+}
+function yadmInfo(path) {
+  const rel = displayPath(path).replace(/^~\//, "");
+  if (yadmCache?.modified.has(rel))
+    return "modified";
+  if (yadmCache?.tracked.has(rel))
+    return "tracked";
+  return "unknown";
+}
+function loadYadmCache() {
+  const tracked = new Set((gitLike("yadm", ["ls-files"]) ?? "").split(`
+`).filter(Boolean));
+  const modified = new Set((gitLike("yadm", ["status", "--porcelain"]) ?? "").split(`
+`).map((line) => line.slice(3).trim()).filter(Boolean));
+  return { tracked, modified };
+}
+function git(args, cwd, allowEmpty = false) {
+  try {
+    const out = execFileSync3("git", args, { cwd, encoding: "utf-8", stdio: ["ignore", "pipe", "ignore"] }).trim();
+    return out || (allowEmpty ? "ok" : undefined);
+  } catch {
+    return;
+  }
+}
+function gitLike(command, args) {
+  try {
+    return execFileSync3(command, args, { cwd: HOME, encoding: "utf-8", stdio: ["ignore", "pipe", "ignore"] });
+  } catch {
+    return;
+  }
+}
+function expandHome(path) {
+  return resolve(path.replace(/^~(?=\/|$)/, HOME));
+}
+function displayPath(path) {
+  return path.startsWith(HOME) ? `~${path.slice(HOME.length)}` : path;
+}
+function stableId(path) {
+  return displayPath(path).replace(/[^A-Za-z0-9_.-]+/g, ":");
+}
+function appNameFromPath(path) {
+  const rel = relative(join3(HOME, ".config"), path);
+  if (!rel.startsWith(".."))
+    return rel.split(/[\\/]/)[0] || "Unknown";
+  return "Unknown";
+}
+function heuristicDomain(path) {
+  if (path.includes("/.config/"))
+    return "~/.config";
+  if (path.includes("/.ssh") || path.includes("/.aws"))
+    return "Private/Auth";
+  return "Unknown";
+}
+function heuristicKind(path) {
+  if (isGeneratedPath(path))
+    return "generated";
+  if (PRIVATE_NAMES.some((pattern) => pattern.test(path)))
+    return "private";
+  if (existsSync3(path) && statSync(path).isDirectory())
+    return "directory";
+  if (looksLikeConfigFile(path))
+    return "config";
+  return "unknown";
+}
+function heuristicShareability(path, kind) {
+  if (kind === "private")
+    return "private";
+  if (kind === "generated")
+    return "machine-specific";
+  if (path.includes("/credentials") || path.includes("/.ssh") || path.includes("/.aws"))
+    return "private";
+  return "machine-specific";
+}
+function detectFormat(path) {
+  if (existsSync3(path) && statSync(path).isDirectory())
+    return "directory";
+  if (path.endsWith(".jsonc"))
+    return "jsonc";
+  if (path.endsWith(".json"))
+    return "json";
+  if (path.endsWith(".toml"))
+    return "toml";
+  if (path.endsWith(".zsh"))
+    return "shell";
+  if (path.endsWith(".md"))
+    return "markdown";
+  return "text";
+}
+function isGeneratedPath(path) {
+  return GENERATED_NAMES.some((pattern) => pattern.test(path));
+}
+function looksLikeConfigFile(name) {
+  return /(^config\.|settings\.|rc$|\.rc$|\.zshrc$|\.zshenv$|\.jsonc?$|\.toml$|\.ya?ml$|\.zsh$|\.conf$|\.ini$)/i.test(name);
+}
+function isSafeTextPath(path) {
+  const name = path.split("/").pop() ?? "";
+  if (isGeneratedPath(path))
+    return false;
+  if (name.includes("lock") || name.endsWith(".mdb") || name.endsWith(".sqlite") || name.endsWith(".db"))
+    return false;
+  const ext = name.includes(".") ? name.slice(name.lastIndexOf(".")) : "";
+  return TEXT_EXTENSIONS.has(ext) || looksLikeConfigFile(name);
+}
+
+// src/ui.tsx
+import { Box, Text, render } from "ink";
+import { jsxDEV, Fragment } from "react/jsx-dev-runtime";
+function renderInk(element) {
+  const app = render(/* @__PURE__ */ jsxDEV(Fragment, {
+    children: element
+  }, undefined, false, undefined, this));
+  return app.waitUntilExit();
+}
+function ScanSummary({ inventory, path }) {
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    gap: 1,
+    children: [
+      /* @__PURE__ */ jsxDEV(Header, {
+        title: "Scan complete",
+        subtitle: path
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Box, {
+        gap: 2,
+        children: [
+          /* @__PURE__ */ jsxDEV(Stat, {
+            label: "total",
+            value: inventory.summary.total,
+            color: "cyan"
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV(Stat, {
+            label: "existing",
+            value: inventory.summary.existing,
+            color: "green"
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV(Stat, {
+            label: "private",
+            value: inventory.summary.private,
+            color: "red"
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV(Stat, {
+            label: "generated",
+            value: inventory.summary.generated,
+            color: "magenta"
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV(Stat, {
+            label: "secrets",
+            value: inventory.summary.secrets,
+            color: "red"
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV(Stat, {
+            label: "drift",
+            value: inventory.summary.drift,
+            color: "blue"
+          }, undefined, false, undefined, this)
+        ]
+      }, undefined, true, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function ItemList({ items, title }) {
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    children: [
+      /* @__PURE__ */ jsxDEV(Header, {
+        title,
+        subtitle: `${items.length} item${items.length === 1 ? "" : "s"}`
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Box, {
+        flexDirection: "column",
+        marginTop: 1,
+        children: items.map((item) => /* @__PURE__ */ jsxDEV(Box, {
+          gap: 1,
+          children: [
+            /* @__PURE__ */ jsxDEV(Text, {
+              color: item.exists ? "white" : "gray",
+              children: item.exists ? "\u25CF" : "\u25CB"
+            }, undefined, false, undefined, this),
+            /* @__PURE__ */ jsxDEV(Text, {
+              color: kindColor(item),
+              children: item.domain
+            }, undefined, false, undefined, this),
+            /* @__PURE__ */ jsxDEV(Text, {
+              color: "gray",
+              children: "/"
+            }, undefined, false, undefined, this),
+            /* @__PURE__ */ jsxDEV(Text, {
+              color: "cyan",
+              children: item.app
+            }, undefined, false, undefined, this),
+            /* @__PURE__ */ jsxDEV(Text, {
+              children: item.displayPath
+            }, undefined, false, undefined, this),
+            /* @__PURE__ */ jsxDEV(Badge, {
+              label: item.shareability,
+              color: shareabilityColor(item.shareability)
+            }, undefined, false, undefined, this),
+            item.secretFindings.length > 0 ? /* @__PURE__ */ jsxDEV(Badge, {
+              label: "secret",
+              color: "red"
+            }, undefined, false, undefined, this) : null,
+            item.mirrors.some((mirror) => mirror.exists && mirror.identical === false) ? /* @__PURE__ */ jsxDEV(Badge, {
+              label: "drift",
+              color: "blue"
+            }, undefined, false, undefined, this) : null
+          ]
+        }, item.id, true, undefined, this))
+      }, undefined, false, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function ItemDetail({ item }) {
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    gap: 1,
+    children: [
+      /* @__PURE__ */ jsxDEV(Header, {
+        title: item.app,
+        subtitle: item.displayPath
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Box, {
+        gap: 1,
+        children: [
+          /* @__PURE__ */ jsxDEV(Badge, {
+            label: item.domain,
+            color: "cyan"
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV(Badge, {
+            label: item.kind,
+            color: kindColor(item)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV(Badge, {
+            label: item.shareability,
+            color: shareabilityColor(item.shareability)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV(Badge, {
+            label: item.recommendation,
+            color: "yellow"
+          }, undefined, false, undefined, this)
+        ]
+      }, undefined, true, undefined, this),
+      /* @__PURE__ */ jsxDEV(KeyValues, {
+        rows: [
+          ["reason", item.reason],
+          ["exists", String(item.exists)],
+          ["mode", item.mode ?? "\u2014"],
+          ["symlink", String(item.isSymlink)],
+          ["git", gitText(item)],
+          ["legacy", legacyText(item)]
+        ]
+      }, undefined, false, undefined, this),
+      item.secretFindings.length > 0 ? /* @__PURE__ */ jsxDEV(Box, {
+        flexDirection: "column",
+        children: [
+          /* @__PURE__ */ jsxDEV(Text, {
+            color: "red",
+            bold: true,
+            children: "Secret warnings"
+          }, undefined, false, undefined, this),
+          item.secretFindings.map((finding, index) => /* @__PURE__ */ jsxDEV(Text, {
+            color: "red",
+            children: [
+              "  ",
+              finding.type,
+              finding.line ? ` line ${finding.line}` : "",
+              ": ",
+              finding.preview
+            ]
+          }, `${finding.type}-${index}`, true, undefined, this))
+        ]
+      }, undefined, true, undefined, this) : null,
+      item.mirrors.length > 0 ? /* @__PURE__ */ jsxDEV(Box, {
+        flexDirection: "column",
+        children: [
+          /* @__PURE__ */ jsxDEV(Text, {
+            color: "blue",
+            bold: true,
+            children: "Mirrors"
+          }, undefined, false, undefined, this),
+          item.mirrors.map((mirror) => /* @__PURE__ */ jsxDEV(Text, {
+            children: [
+              "  ",
+              mirror.displayPath,
+              " \u2014 ",
+              mirror.exists ? mirror.identical === false ? "differs" : "identical" : "missing"
+            ]
+          }, mirror.path, true, undefined, this))
+        ]
+      }, undefined, true, undefined, this) : null,
+      /* @__PURE__ */ jsxDEV(Box, {
+        flexDirection: "column",
+        children: [
+          /* @__PURE__ */ jsxDEV(Text, {
+            bold: true,
+            children: item.preview ? "Safe preview" : "Preview"
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV(Text, {
+            color: item.preview ? "white" : "gray",
+            children: item.preview ? item.preview.slice(0, 3000) : `Suppressed: ${item.previewSuppressedReason ?? "not available"}`
+          }, undefined, false, undefined, this)
+        ]
+      }, undefined, true, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function DecisionsView({ decisions }) {
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    children: [
+      /* @__PURE__ */ jsxDEV(Header, {
+        title: "Decisions",
+        subtitle: `${decisions.length} saved`
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Box, {
+        flexDirection: "column",
+        marginTop: 1,
+        children: decisions.length === 0 ? /* @__PURE__ */ jsxDEV(Text, {
+          color: "gray",
+          children: "No decisions recorded yet."
+        }, undefined, false, undefined, this) : decisions.map((decision) => /* @__PURE__ */ jsxDEV(Box, {
+          gap: 1,
+          children: [
+            /* @__PURE__ */ jsxDEV(Badge, {
+              label: decision.status,
+              color: "cyan"
+            }, undefined, false, undefined, this),
+            /* @__PURE__ */ jsxDEV(Text, {
+              children: decision.itemId
+            }, undefined, false, undefined, this),
+            /* @__PURE__ */ jsxDEV(Text, {
+              color: "gray",
+              children: decision.updatedAt
+            }, undefined, false, undefined, this)
+          ]
+        }, `${decision.itemId}-${decision.updatedAt}`, true, undefined, this))
+      }, undefined, false, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function LoginPrompt({ verificationUri, userCode, expiresIn }) {
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    gap: 1,
+    children: [
+      /* @__PURE__ */ jsxDEV(Header, {
+        title: "Login with GitHub",
+        subtitle: `code expires in ${Math.round(expiresIn / 60)} minutes`
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Box, {
+        flexDirection: "column",
+        children: [
+          /* @__PURE__ */ jsxDEV(Text, {
+            children: "Open:"
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV(Text, {
+            color: "blue",
+            underline: true,
+            children: verificationUri
+          }, undefined, false, undefined, this)
+        ]
+      }, undefined, true, undefined, this),
+      /* @__PURE__ */ jsxDEV(Box, {
+        gap: 1,
+        children: [
+          /* @__PURE__ */ jsxDEV(Text, {
+            children: "Enter code:"
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV(Text, {
+            color: "green",
+            bold: true,
+            children: userCode
+          }, undefined, false, undefined, this)
+        ]
+      }, undefined, true, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function LoginSuccess({ login, apiUrl }) {
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    children: [
+      /* @__PURE__ */ jsxDEV(Header, {
+        title: "Logged in",
+        subtitle: apiUrl
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Text, {
+        color: "green",
+        children: [
+          "\u2713 ",
+          login
+        ]
+      }, undefined, true, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function WhoamiView({ login, apiUrl }) {
+  if (!login)
+    return /* @__PURE__ */ jsxDEV(Text, {
+      color: "yellow",
+      children: "Not logged in. Run `atl login`."
+    }, undefined, false, undefined, this);
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    children: [
+      /* @__PURE__ */ jsxDEV(Header, {
+        title: "Current account",
+        subtitle: apiUrl
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Text, {
+        color: "green",
+        children: login
+      }, undefined, false, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function LogoutView() {
+  return /* @__PURE__ */ jsxDEV(Text, {
+    color: "green",
+    children: "\u2713 Logged out"
+  }, undefined, false, undefined, this);
+}
+function ProfileListView({ profiles, activeProfile }) {
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    children: [
+      /* @__PURE__ */ jsxDEV(Header, {
+        title: "Profiles",
+        subtitle: `active: ${activeProfile}`
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Box, {
+        flexDirection: "column",
+        marginTop: 1,
+        children: profiles.map((profile) => /* @__PURE__ */ jsxDEV(Box, {
+          gap: 1,
+          children: [
+            /* @__PURE__ */ jsxDEV(Text, {
+              color: profile.name === activeProfile ? "green" : "gray",
+              children: profile.name === activeProfile ? "\u25CF" : "\u25CB"
+            }, undefined, false, undefined, this),
+            /* @__PURE__ */ jsxDEV(Text, {
+              bold: profile.name === activeProfile,
+              children: profile.name
+            }, undefined, false, undefined, this),
+            /* @__PURE__ */ jsxDEV(Text, {
+              color: "gray",
+              children: profile.createdAt
+            }, undefined, false, undefined, this)
+          ]
+        }, profile.id, true, undefined, this))
+      }, undefined, false, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function ProfileSavedView({ title, name }) {
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    children: [
+      /* @__PURE__ */ jsxDEV(Header, {
+        title
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Text, {
+        color: "green",
+        children: [
+          "\u2713 ",
+          name
+        ]
+      }, undefined, true, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function SavedConfigListView({ configs, profileName }) {
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    children: [
+      /* @__PURE__ */ jsxDEV(Header, {
+        title: "Saved configs",
+        subtitle: profileName
+      }, undefined, false, undefined, this),
+      configs.length === 0 ? /* @__PURE__ */ jsxDEV(Text, {
+        color: "gray",
+        children: "No saved configs yet."
+      }, undefined, false, undefined, this) : configs.map((config) => /* @__PURE__ */ jsxDEV(Box, {
+        flexDirection: "column",
+        marginTop: 1,
+        children: [
+          /* @__PURE__ */ jsxDEV(Text, {
+            bold: true,
+            children: config.stableId
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV(Text, {
+            color: "gray",
+            children: config.pathHint ?? "no path hint"
+          }, undefined, false, undefined, this),
+          config.latestVersion ? /* @__PURE__ */ jsxDEV(Text, {
+            color: "green",
+            children: [
+              config.latestVersion.contentSha256.slice(0, 12),
+              " \xB7 ",
+              config.latestVersion.sizeBytes,
+              " bytes \xB7 ",
+              config.latestVersion.createdAt
+            ]
+          }, undefined, true, undefined, this) : null
+        ]
+      }, config.id, true, undefined, this))
+    ]
+  }, undefined, true, undefined, this);
+}
+function SavedConfigDetailView({ config, profileName }) {
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    children: [
+      /* @__PURE__ */ jsxDEV(Header, {
+        title: config.stableId,
+        subtitle: profileName
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Text, {
+        color: "gray",
+        children: config.pathHint ?? "no path hint"
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Box, {
+        flexDirection: "column",
+        marginTop: 1,
+        children: (config.versions ?? []).map((version) => /* @__PURE__ */ jsxDEV(Text, {
+          children: [
+            version.contentSha256.slice(0, 12),
+            " \xB7 ",
+            version.sizeBytes,
+            " bytes \xB7 ",
+            version.createdAt
+          ]
+        }, version.id, true, undefined, this))
+      }, undefined, false, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function ConfigSavedView({ stableId: stableId2, profileName, versionHash, sizeBytes, reused }) {
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    children: [
+      /* @__PURE__ */ jsxDEV(Header, {
+        title: reused ? "Config already saved" : "Config saved",
+        subtitle: profileName
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Text, {
+        color: "green",
+        children: [
+          "\u2713 ",
+          stableId2
+        ]
+      }, undefined, true, undefined, this),
+      /* @__PURE__ */ jsxDEV(Text, {
+        color: "gray",
+        children: [
+          "Version ",
+          versionHash.slice(0, 12),
+          " \xB7 ",
+          sizeBytes,
+          " bytes \xB7 encrypted"
+        ]
+      }, undefined, true, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function DecisionSaved({ item, status }) {
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    children: [
+      /* @__PURE__ */ jsxDEV(Header, {
+        title: "Decision saved",
+        subtitle: item.displayPath
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Box, {
+        gap: 1,
+        children: [
+          /* @__PURE__ */ jsxDEV(Text, {
+            children: "Status:"
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV(Badge, {
+            label: status,
+            color: "green"
+          }, undefined, false, undefined, this)
+        ]
+      }, undefined, true, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function DoctorView({ checks }) {
+  const failing = checks.filter((check) => check.status === "fail").length;
+  const warnings = checks.filter((check) => check.status === "warn").length;
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    gap: 1,
+    children: [
+      /* @__PURE__ */ jsxDEV(Header, {
+        title: "Doctor",
+        subtitle: failing ? `${failing} failing` : warnings ? `${warnings} warning${warnings === 1 ? "" : "s"}` : "all checks passed"
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Box, {
+        flexDirection: "column",
+        children: checks.map((check) => /* @__PURE__ */ jsxDEV(Box, {
+          gap: 1,
+          children: [
+            /* @__PURE__ */ jsxDEV(Text, {
+              color: doctorColor(check.status),
+              children: doctorIcon(check.status)
+            }, undefined, false, undefined, this),
+            /* @__PURE__ */ jsxDEV(Text, {
+              bold: true,
+              children: check.label
+            }, undefined, false, undefined, this),
+            /* @__PURE__ */ jsxDEV(Text, {
+              color: "gray",
+              children: check.detail
+            }, undefined, false, undefined, this)
+          ]
+        }, check.label, true, undefined, this))
+      }, undefined, false, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function NotFound({ query }) {
+  return /* @__PURE__ */ jsxDEV(Text, {
+    color: "red",
+    children: [
+      "No inventory item matched: ",
+      query
+    ]
+  }, undefined, true, undefined, this);
+}
+function Header({ title, subtitle }) {
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    children: [
+      /* @__PURE__ */ jsxDEV(Text, {
+        bold: true,
+        color: "cyan",
+        children: "\u25C6 Atelier"
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Box, {
+        gap: 1,
+        children: [
+          /* @__PURE__ */ jsxDEV(Text, {
+            bold: true,
+            children: title
+          }, undefined, false, undefined, this),
+          subtitle ? /* @__PURE__ */ jsxDEV(Text, {
+            color: "gray",
+            children: subtitle
+          }, undefined, false, undefined, this) : null
+        ]
+      }, undefined, true, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function Stat({ label, value, color }) {
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    borderStyle: "round",
+    borderColor: color,
+    paddingX: 1,
+    children: [
+      /* @__PURE__ */ jsxDEV(Text, {
+        color,
+        bold: true,
+        children: value
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Text, {
+        color: "gray",
+        children: label
+      }, undefined, false, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function Badge({ label, color }) {
+  return /* @__PURE__ */ jsxDEV(Text, {
+    color,
+    children: [
+      "[",
+      label,
+      "]"
+    ]
+  }, undefined, true, undefined, this);
+}
+function KeyValues({ rows }) {
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    children: rows.map(([key, value]) => /* @__PURE__ */ jsxDEV(Box, {
+      gap: 1,
+      children: [
+        /* @__PURE__ */ jsxDEV(Text, {
+          color: "gray",
+          children: key.padEnd(10)
+        }, undefined, false, undefined, this),
+        /* @__PURE__ */ jsxDEV(Text, {
+          children: value
+        }, undefined, false, undefined, this)
+      ]
+    }, key, true, undefined, this))
+  }, undefined, false, undefined, this);
+}
+function kindColor(item) {
+  const kind = typeof item === "string" ? item : item.kind;
+  if (kind === "private")
+    return "red";
+  if (kind === "generated")
+    return "magenta";
+  if (kind === "config")
+    return "green";
+  return "yellow";
+}
+function shareabilityColor(shareability) {
+  if (shareability === "private")
+    return "red";
+  if (shareability === "shareable")
+    return "green";
+  return "yellow";
+}
+function doctorIcon(status) {
+  if (status === "pass")
+    return "\u2713";
+  if (status === "warn")
+    return "!";
+  return "\u2717";
+}
+function doctorColor(status) {
+  if (status === "pass")
+    return "green";
+  if (status === "warn")
+    return "yellow";
+  return "red";
+}
+function legacyText(item) {
+  const entries = Object.entries(item.legacyManagers ?? {});
+  if (entries.length === 0)
+    return "not scanned";
+  return entries.map(([manager, status]) => `${manager}: ${status}`).join(", ");
+}
+function gitText(item) {
+  if (!item.git)
+    return "not in repo";
+  return `${item.git.tracked ? "tracked" : "untracked"}${item.git.modified ? ", modified" : ""} @ ${item.git.root}`;
+}
+
+// src/index.tsx
+import { jsxDEV as jsxDEV2 } from "react/jsx-dev-runtime";
+var repoRoot = resolve2(import.meta.dir, "../../..");
+var stateDir = getStateDir();
+var inventoryPath = join4(stateDir, "inventory.json");
+var decisionsPath = join4(stateDir, "decisions.json");
+var decisionStatuses = new Set(["undecided", "candidate", "shareable", "machine-specific", "private", "ignored"]);
+var pipedInputLines;
+var program = new Command;
+program.name("atl").description("Atelier config inventory cockpit").version("0.1.0");
+program.command("login").description("Login to Atelier with GitHub device auth").option("--api-url <url>", "Atelier API URL", getConfiguredApiUrl()).action(async (options) => {
+  const result = await loginWithGitHub({
+    apiUrl: options.apiUrl,
+    onPrompt: async (prompt) => {
+      await renderInk(/* @__PURE__ */ jsxDEV2(LoginPrompt, {
+        verificationUri: prompt.verificationUri,
+        userCode: prompt.userCode,
+        expiresIn: prompt.expiresIn
+      }, undefined, false, undefined, this));
+    }
+  });
+  await renderInk(/* @__PURE__ */ jsxDEV2(LoginSuccess, {
+    login: result.user.login,
+    apiUrl: result.apiUrl
+  }, undefined, false, undefined, this));
+});
+program.command("whoami").description("Show the current Atelier account").action(async () => {
+  const current = await getCurrentUser();
+  await renderInk(/* @__PURE__ */ jsxDEV2(WhoamiView, {
+    login: current?.user.login,
+    apiUrl: current?.apiUrl
+  }, undefined, false, undefined, this));
+  if (!current)
+    process.exitCode = 1;
+});
+program.command("logout").description("Remove the local Atelier session").action(async () => {
+  logout();
+  await renderInk(/* @__PURE__ */ jsxDEV2(LogoutView, {}, undefined, false, undefined, this));
+});
+program.command("api").description("Run the local Atelier API server for development").option("--port <port>", "port to bind", "8787").action(async (options) => {
+  await startApi(Number(options.port));
+});
+var profile = program.command("profile").description("Manage account-backed config profiles");
+profile.command("list").description("List remote profiles").action(async () => {
+  await renderInk(/* @__PURE__ */ jsxDEV2(ProfileListView, {
+    profiles: await listProfiles(),
+    activeProfile: getActiveProfile()
+  }, undefined, false, undefined, this));
+});
+profile.command("create").description("Create a remote profile").argument("<name>").action(async (name) => {
+  const profile2 = await createProfile(name);
+  await renderInk(/* @__PURE__ */ jsxDEV2(ProfileSavedView, {
+    title: "Profile created",
+    name: profile2.name
+  }, undefined, false, undefined, this));
+});
+profile.command("switch").description("Set the active local profile after verifying it exists remotely").argument("<name>").action(async (name) => {
+  const profile2 = await getProfile(name);
+  if (!profile2)
+    throw new Error(`Profile not found: ${name}`);
+  setActiveProfile(profile2.name);
+  await renderInk(/* @__PURE__ */ jsxDEV2(ProfileSavedView, {
+    title: "Active profile",
+    name: profile2.name
+  }, undefined, false, undefined, this));
+});
+profile.command("current").description("Show the active local profile").action(async () => {
+  await renderInk(/* @__PURE__ */ jsxDEV2(ProfileSavedView, {
+    title: "Active profile",
+    name: getActiveProfile()
+  }, undefined, false, undefined, this));
+});
+program.command("checkout").description("Alias for `atl profile switch`").argument("<name>").action(async (name) => {
+  const profile2 = await getProfile(name);
+  if (!profile2)
+    throw new Error(`Profile not found: ${name}`);
+  setActiveProfile(profile2.name);
+  await renderInk(/* @__PURE__ */ jsxDEV2(ProfileSavedView, {
+    title: "Active profile",
+    name: profile2.name
+  }, undefined, false, undefined, this));
+});
+var vault = program.command("vault").description("Advanced vault controls");
+vault.command("status").description("Show vault initialization and local unlock state").action(async () => {
+  const state = await getVaultState();
+  console.log(`Vault: ${state.initialized ? "initialized" : "not initialized"}`);
+  console.log(`Local state: ${state.unlocked ? "unlocked" : "locked"}`);
+  console.log(`Active profile: ${state.activeProfile}`);
+});
+vault.command("init").description("Initialize the encrypted vault now instead of waiting for first save").action(async () => {
+  const passphrase = await readConfirmedPassphrase("Create an Atelier vault passphrase: ");
+  const result = await initializeVault(passphrase);
+  console.log(`Vault initialized for profile ${result.profileName}`);
+});
+vault.command("unlock").description("Unlock this machine with the vault passphrase").action(async () => {
+  const passphrase = await readHiddenLine("Vault passphrase: ");
+  const result = await unlockVault(passphrase);
+  console.log(`Vault unlocked for profile ${result.activeProfile}`);
+});
+vault.command("lock").description("Remove local unlocked vault material from this machine").action(async () => {
+  lockVault();
+  console.log("Vault locked");
+});
+program.command("save").description("Save a config snapshot to the active encrypted profile").argument("<id-or-path>").action(async (query) => {
+  await saveInventoryItem(query);
+});
+program.command("adopt").description("Alias for `atl save`").argument("<id-or-path>").action(async (query) => {
+  await saveInventoryItem(query);
+});
+var saved = program.command("saved").description("Inspect encrypted configs saved remotely");
+saved.command("list").description("List saved configs for the active profile").action(async () => {
+  const profileName = getActiveProfile();
+  await renderInk(/* @__PURE__ */ jsxDEV2(SavedConfigListView, {
+    configs: await listSavedConfigs(profileName),
+    profileName
+  }, undefined, false, undefined, this));
+});
+saved.command("show").description("Show saved metadata and version history").argument("<stable-id>").action(async (stableId2) => {
+  const profileName = getActiveProfile();
+  const config = await getSavedConfig(profileName, stableId2);
+  if (!config)
+    throw new Error(`Saved config not found: ${stableId2}`);
+  await renderInk(/* @__PURE__ */ jsxDEV2(SavedConfigDetailView, {
+    config,
+    profileName
+  }, undefined, false, undefined, this));
+});
+program.command("scan").description("Scan this machine and write local inventory").option("--path <path...>", "additional manual path(s) to scan").option("--legacy", "include legacy manager signals like yadm").action(async (options) => {
+  const inventory = await scan({ repoRoot, manualPaths: options.path ?? [], includeLegacyManagers: options.legacy });
+  const path = writeInventory(inventory, { path: inventoryPath });
+  await renderInk(/* @__PURE__ */ jsxDEV2(ScanSummary, {
+    inventory,
+    path
+  }, undefined, false, undefined, this));
+});
+program.command("ui").description("Open the local TanStack Start inventory UI").option("--scan", "rescan before opening the UI").option("--path <path...>", "additional manual path(s) to scan").option("--legacy", "include legacy manager signals like yadm during scan").option("--port <port>", "port to bind", "4141").action(async (options) => {
+  if (!existsSync4(inventoryPath) || options.scan) {
+    console.log("Atelier: scanning configs\u2026");
+    const inventory = await scan({ repoRoot, manualPaths: options.path ?? [], includeLegacyManagers: options.legacy });
+    writeInventory(inventory, { path: inventoryPath });
+    console.log(`Atelier: scan complete (${inventory.summary.existing}/${inventory.summary.total} existing)`);
+  }
+  console.log("Atelier: starting UI\u2026");
+  await startUi(Number(options.port));
+});
+program.command("list").description("List inventory items with polished terminal output").option("--domain <domain>", "filter by domain").option("--app <app>", "filter by app").option("--secrets", "only items with secret warnings").option("--drift", "only items with mirror drift").option("--generated", "only generated/app-state items").option("--private", "only private items").option("--missing", "only missing registry items").option("--json", "print JSON instead of Ink output").action(async (options) => {
+  const inventory = readInventory();
+  const items = filterItems(inventory.items, options);
+  if (options.json)
+    return printJson(items);
+  await renderInk(/* @__PURE__ */ jsxDEV2(ItemList, {
+    items,
+    title: "Inventory"
+  }, undefined, false, undefined, this));
+});
+program.command("inspect").description("Inspect one inventory item by id or path").argument("<id-or-path>").option("--json", "print JSON instead of Ink output").action(async (query, options) => {
+  const inventory = readInventory();
+  const item = findItem(inventory, query);
+  if (options.json)
+    return printJson(item ?? null);
+  await renderInk(item ? /* @__PURE__ */ jsxDEV2(ItemDetail, {
+    item
+  }, undefined, false, undefined, this) : /* @__PURE__ */ jsxDEV2(NotFound, {
+    query
+  }, undefined, false, undefined, this));
+});
+program.command("decisions").description("Show saved item decisions").option("--json", "print JSON instead of Ink output").action(async (options) => {
+  const decisions = readDecisions().decisions;
+  if (options.json)
+    return printJson(decisions);
+  await renderInk(/* @__PURE__ */ jsxDEV2(DecisionsView, {
+    decisions
+  }, undefined, false, undefined, this));
+});
+program.command("decide").description("Save a decision for one inventory item").argument("<id-or-path>").argument("<status>", `one of: ${Array.from(decisionStatuses).join(", ")}`).action(async (query, status) => {
+  if (!decisionStatuses.has(status)) {
+    program.error(`invalid status '${status}'. Valid: ${Array.from(decisionStatuses).join(", ")}`);
+  }
+  const inventory = readInventory();
+  const item = findItem(inventory, query);
+  if (!item) {
+    await renderInk(/* @__PURE__ */ jsxDEV2(NotFound, {
+      query
+    }, undefined, false, undefined, this));
+    process.exitCode = 1;
+    return;
+  }
+  const decisions = readDecisions();
+  decisions.decisions = decisions.decisions.filter((decision) => decision.itemId !== item.id);
+  decisions.decisions.push({ itemId: item.id, status, updatedAt: new Date().toISOString() });
+  mkdirSync4(dirname4(decisionsPath), { recursive: true });
+  writeFileSync4(decisionsPath, JSON.stringify(decisions, null, 2) + `
+`, "utf-8");
+  await renderInk(/* @__PURE__ */ jsxDEV2(DecisionSaved, {
+    item,
+    status
+  }, undefined, false, undefined, this));
+});
+program.command("summary").description("Print the last scan summary").option("--json", "print JSON instead of Ink output").action(async (options) => {
+  const inventory = readInventory();
+  if (options.json)
+    return printJson(inventory.summary);
+  await renderInk(/* @__PURE__ */ jsxDEV2(ScanSummary, {
+    inventory,
+    path: inventoryPath
+  }, undefined, false, undefined, this));
+});
+program.command("doctor").description("Check Atelier CLI, UI, inventory, and local environment health").option("--json", "print JSON instead of Ink output").action(async (options) => {
+  const checks = runDoctorChecks();
+  if (options.json)
+    printJson(checks);
+  else
+    await renderInk(/* @__PURE__ */ jsxDEV2(DoctorView, {
+      checks
+    }, undefined, false, undefined, this));
+  if (checks.some((check) => check.status === "fail"))
+    process.exitCode = 1;
+});
+program.parseAsync(process.argv).catch((error) => {
+  console.error(error instanceof Error ? error.message : error);
+  process.exit(1);
+});
+function printJson(value) {
+  console.log(JSON.stringify(value, null, 2));
+}
+function readInventory() {
+  if (!existsSync4(inventoryPath)) {
+    throw new Error("No inventory found. Run `atl scan` first.");
+  }
+  return JSON.parse(readFileSync4(inventoryPath, "utf-8"));
+}
+function readDecisions() {
+  if (!existsSync4(decisionsPath))
+    return { version: 1, decisions: [] };
+  return JSON.parse(readFileSync4(decisionsPath, "utf-8"));
+}
+function getStateDir() {
+  if (process.env.ATELIER_STATE_DIR)
+    return process.env.ATELIER_STATE_DIR;
+  if (process.env.XDG_STATE_HOME)
+    return join4(process.env.XDG_STATE_HOME, "atelier");
+  if (platform3() === "win32" && process.env.LOCALAPPDATA)
+    return join4(process.env.LOCALAPPDATA, "Atelier");
+  return join4(homedir4(), ".local", "state", "atelier");
+}
+async function saveInventoryItem(query) {
+  const inventory = readInventory();
+  const item = findItem(inventory, query);
+  if (!item) {
+    await renderInk(/* @__PURE__ */ jsxDEV2(NotFound, {
+      query
+    }, undefined, false, undefined, this));
+    process.exitCode = 1;
+    return;
+  }
+  const vault2 = await getVaultState();
+  let passphrase;
+  if (!vault2.initialized) {
+    passphrase = await readConfirmedPassphrase("Create an Atelier vault passphrase: ");
+  } else if (!vault2.unlocked) {
+    passphrase = await readHiddenLine("Vault passphrase: ");
+  }
+  const result = await saveConfigItem(item, { passphrase });
+  await renderInk(/* @__PURE__ */ jsxDEV2(ConfigSavedView, {
+    stableId: result.stableId,
+    profileName: result.profileName,
+    versionHash: result.version.contentSha256,
+    sizeBytes: result.version.sizeBytes,
+    reused: result.reused
+  }, undefined, false, undefined, this));
+}
+async function readConfirmedPassphrase(prompt) {
+  const passphrase = await readHiddenLine(prompt);
+  const confirmation = await readHiddenLine("Confirm vault passphrase: ");
+  if (passphrase !== confirmation)
+    throw new Error("Vault passphrases do not match");
+  return passphrase;
+}
+async function readHiddenLine(prompt) {
+  if (!input.isTTY) {
+    output.write(prompt);
+    pipedInputLines ??= readFileSync4(0, "utf-8").split(/\r?\n/);
+    return pipedInputLines.shift() ?? "";
+  }
+  output.write(prompt);
+  input.setRawMode(true);
+  input.resume();
+  input.setEncoding("utf-8");
+  let value = "";
+  try {
+    for await (const chunk of input) {
+      const text = String(chunk);
+      for (const char of text) {
+        if (char === "\x03") {
+          output.write(`
+`);
+          process.exit(130);
+        }
+        if (char === "\r" || char === `
+`) {
+          output.write(`
+`);
+          return value;
+        }
+        if (char === "\x7F") {
+          value = value.slice(0, -1);
+          continue;
+        }
+        value += char;
+      }
+    }
+  } finally {
+    input.setRawMode(false);
+    input.pause();
+  }
+  return value;
+}
+function filterItems(items, options) {
+  return items.filter((item) => {
+    if (options.domain && item.domain.toLowerCase() !== options.domain.toLowerCase())
+      return false;
+    if (options.app && item.app.toLowerCase() !== options.app.toLowerCase())
+      return false;
+    if (options.secrets && item.secretFindings.length === 0)
+      return false;
+    if (options.drift && !item.mirrors.some((mirror) => mirror.exists && mirror.identical === false))
+      return false;
+    if (options.generated && item.kind !== "generated")
+      return false;
+    if (options.private && item.shareability !== "private")
+      return false;
+    if (options.missing && item.exists)
+      return false;
+    return true;
+  });
+}
+function findItem(inventory, query) {
+  const normalized = normalizeQuery(query);
+  return inventory.items.find((item) => item.id === query || normalizeQuery(item.path) === normalized || normalizeQuery(item.displayPath) === normalized) ?? inventory.items.find((item) => item.displayPath.includes(query) || item.path.includes(query));
+}
+function normalizeQuery(query) {
+  return query.replace(/^~(?=\/|$)/, process.env.HOME ?? "").toLowerCase();
+}
+function runDoctorChecks() {
+  const checks = [];
+  const inventory = existsSync4(inventoryPath) ? readInventory() : undefined;
+  const bunVersion = commandOutput("bun", ["--version"]);
+  const nodeVersion = commandOutput("node", ["--version"]);
+  const atlPath = commandOutput("which", ["atl"]);
+  const gitDirty = commandOutput("git", ["status", "--porcelain"], repoRoot);
+  checks.push({
+    label: "repo",
+    status: existsSync4(join4(repoRoot, "package.json")) ? "pass" : "fail",
+    detail: repoRoot
+  });
+  checks.push({
+    label: "bun",
+    status: bunVersion ? "pass" : "fail",
+    detail: bunVersion ? `v${bunVersion}` : "not found"
+  });
+  checks.push({
+    label: "node for Vite",
+    status: nodeVersion && isViteSupportedNode(nodeVersion) ? "pass" : "warn",
+    detail: nodeVersion ? `${nodeVersion}${isViteSupportedNode(nodeVersion) ? "" : " \u2014 Vite wants 20.19+ or 22.12+"}` : "not found"
+  });
+  checks.push({
+    label: "global atl",
+    status: atlPath ? atlPath.includes(".bun") || atlPath.includes(repoRoot) ? "pass" : "warn" : "fail",
+    detail: atlPath ?? "not linked; run `bun link` from the repo"
+  });
+  checks.push({
+    label: "inventory",
+    status: inventory ? "pass" : "warn",
+    detail: inventory ? `${inventory.summary.existing}/${inventory.summary.total} existing, generated ${inventory.generatedAt}` : "missing; run `atl scan`"
+  });
+  checks.push({
+    label: "secret warnings",
+    status: inventory && inventory.summary.secrets > 0 ? "warn" : "pass",
+    detail: inventory ? `${inventory.summary.secrets} item${inventory.summary.secrets === 1 ? "" : "s"} flagged` : "no inventory"
+  });
+  checks.push({
+    label: "ui dependencies",
+    status: existsSync4(join4(repoRoot, "node_modules", "@tanstack", "react-start")) ? "pass" : "fail",
+    detail: existsSync4(join4(repoRoot, "node_modules", "@tanstack", "react-start")) ? "installed" : "missing; run `bun install`"
+  });
+  checks.push({
+    label: "git state",
+    status: gitDirty === undefined ? "warn" : gitDirty.trim() ? "warn" : "pass",
+    detail: gitDirty === undefined ? "not a git repo" : gitDirty.trim() ? `${gitDirty.trim().split(`
+`).length} changed file(s)` : "clean"
+  });
+  return checks;
+}
+function commandOutput(command, args, cwd = repoRoot) {
+  try {
+    return execFileSync4(command, args, { cwd, encoding: "utf-8", stdio: ["ignore", "pipe", "ignore"] }).trim();
+  } catch {
+    return;
+  }
+}
+function isViteSupportedNode(version) {
+  const match = version.match(/^v?(\d+)\.(\d+)\.(\d+)/);
+  if (!match)
+    return false;
+  const [, majorRaw, minorRaw] = match;
+  const major = Number(majorRaw);
+  const minor = Number(minorRaw);
+  if (major === 20)
+    return minor >= 19;
+  if (major === 22)
+    return minor >= 12;
+  return major > 22;
+}
+async function startApi(port) {
+  const apiSecret = process.env.ATELIER_API_SECRET ?? crypto.randomUUID();
+  const proc = Bun.spawn(["bun", "src/index.ts"], {
+    cwd: join4(repoRoot, "apps", "api"),
+    env: { ...process.env, PORT: String(port), ATELIER_API_SECRET: apiSecret },
+    stdin: "inherit",
+    stdout: "inherit",
+    stderr: "inherit"
+  });
+  console.log(`Atelier API: http://localhost:${port}`);
+  const code = await proc.exited;
+  process.exit(code);
+}
+async function startUi(port) {
+  const proc = Bun.spawn(["bun", "--bun", "vite", "dev", "--host", "127.0.0.1", "--port", String(port)], {
+    cwd: join4(repoRoot, "apps", "ui"),
+    env: { ...process.env, ATELIER_REPO_ROOT: repoRoot },
+    stdin: "inherit",
+    stdout: "inherit",
+    stderr: "inherit"
+  });
+  console.log(`Atelier UI: http://localhost:${port}`);
+  const code = await proc.exited;
+  process.exit(code);
+}