@manan_joshi/atelier 0.1.1 → 0.1.2

package/dist/index.js

@@ -1,2342 +1,15 @@
 #!/usr/bin/env bun
 // @bun
-
-// src/index.tsx
-import { execFileSync as execFileSync4 } from "child_process";
-import { stdin as input, stdout as output } from "process";
-import { existsSync as existsSync4, mkdirSync as mkdirSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "fs";
-import { homedir as homedir4, platform as platform3 } from "os";
-import { dirname as dirname4, join as join4, resolve as resolve2 } from "path";
-import { Command } from "commander";
-
-// ../../packages/auth-client/src/index.ts
-import { execFileSync } from "child_process";
-import { chmodSync, existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "fs";
-import { homedir, platform } from "os";
-import { dirname, join } from "path";
-var CONFIG_DIR = join(homedir(), ".config", "atelier");
-var SESSION_PATH = join(CONFIG_DIR, "session.json");
-var CONFIG_PATH = join(CONFIG_DIR, "config.json");
-var KEYCHAIN_SERVICE = "dev.atelier.session";
-var DEFAULT_API_URL = "https://atelier.mananjoshi.me/api";
-var DEFAULT_GITHUB_CLIENT_ID = "Ov23liiscZlMXcJ2RLnd";
-function getConfiguredApiUrl() {
-  return process.env.ATELIER_API_URL ?? DEFAULT_API_URL;
-}
-function getConfiguredGithubClientId() {
-  return process.env.ATELIER_GITHUB_CLIENT_ID ?? DEFAULT_GITHUB_CLIENT_ID;
-}
-async function loginWithGitHub(options) {
-  const apiUrl = options.apiUrl ?? getConfiguredApiUrl();
-  const clientId = options.clientId ?? getConfiguredGithubClientId();
-  const device = await requestDeviceCode(clientId);
-  await options.onPrompt({
-    verificationUri: device.verification_uri,
-    userCode: device.user_code,
-    expiresIn: device.expires_in
-  });
-  const githubAccessToken = await pollForGitHubAccessToken(clientId, device, options.onPoll);
-  const exchange = await fetch(`${apiUrl}/auth/github/exchange`, {
-    method: "POST",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify({ githubAccessToken })
-  });
-  if (!exchange.ok) {
-    throw new Error(`Atelier API rejected GitHub login (${exchange.status})`);
-  }
-  const body = await exchange.json();
-  saveSession({ apiUrl, user: body.user, token: body.token });
-  return { apiUrl, user: body.user };
-}
-async function getCurrentUser() {
-  const authenticated = getAuthenticatedSession();
-  if (!authenticated)
-    return;
-  const response = await fetch(`${authenticated.apiUrl}/me`, {
-    headers: { authorization: `Bearer ${authenticated.token}` }
-  });
-  if (!response.ok)
-    return;
-  const body = await response.json();
-  return { user: body.user, apiUrl: authenticated.apiUrl };
-}
-function getAuthenticatedSession() {
-  const session = readSession();
-  if (!session)
-    return;
-  const token = readSessionToken(session);
-  if (!token)
-    return;
-  return { apiUrl: session.apiUrl, user: session.user, token };
-}
-function getActiveProfile() {
-  return readConfig().activeProfile ?? "personal";
-}
-function setActiveProfile(profile) {
-  writeConfig({ ...readConfig(), activeProfile: profile });
-}
-function logout() {
-  const session = readSession();
-  if (session?.tokenStorage === "keychain")
-    deleteKeychainToken(session.user.id);
-  if (existsSync(SESSION_PATH))
-    rmSync(SESSION_PATH);
-}
-function readSession() {
-  if (!existsSync(SESSION_PATH))
-    return;
-  return JSON.parse(readFileSync(SESSION_PATH, "utf-8"));
-}
-function readConfig() {
-  if (!existsSync(CONFIG_PATH))
-    return {};
-  return JSON.parse(readFileSync(CONFIG_PATH, "utf-8"));
-}
-function writeConfig(config) {
-  mkdirSync(dirname(CONFIG_PATH), { recursive: true });
-  writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2) + `
-`, "utf-8");
-  chmodSync(CONFIG_PATH, 384);
-}
-function saveSession(input) {
-  mkdirSync(dirname(SESSION_PATH), { recursive: true });
-  const canUseKeychain = platform() === "darwin";
-  const session = {
-    apiUrl: input.apiUrl,
-    user: input.user,
-    tokenStorage: canUseKeychain ? "keychain" : "file",
-    createdAt: new Date().toISOString()
-  };
-  if (canUseKeychain) {
-    saveKeychainToken(input.user.id, input.token);
-  } else {
-    session.token = input.token;
-  }
-  writeFileSync(SESSION_PATH, JSON.stringify(session, null, 2) + `
-`, "utf-8");
-  chmodSync(SESSION_PATH, 384);
-}
-function readSessionToken(session) {
-  if (session.tokenStorage === "file")
-    return session.token;
-  return readKeychainToken(session.user.id);
-}
-async function requestDeviceCode(clientId) {
-  const response = await fetch("https://github.com/login/device/code", {
-    method: "POST",
-    headers: { accept: "application/json", "content-type": "application/json" },
-    body: JSON.stringify({ client_id: clientId, scope: "read:user user:email" })
-  });
-  if (!response.ok)
-    throw new Error(`GitHub device-code request failed (${response.status})`);
-  return response.json();
-}
-async function pollForGitHubAccessToken(clientId, device, onPoll) {
-  let interval = device.interval;
-  const expiresAt = Date.now() + device.expires_in * 1000;
-  while (Date.now() < expiresAt) {
-    await sleep(interval * 1000);
-    await onPoll?.("Waiting for GitHub authorization\u2026");
-    const response = await fetch("https://github.com/login/oauth/access_token", {
-      method: "POST",
-      headers: { accept: "application/json", "content-type": "application/json" },
-      body: JSON.stringify({ client_id: clientId, device_code: device.device_code, grant_type: "urn:ietf:params:oauth:grant-type:device_code" })
-    });
-    if (!response.ok)
-      throw new Error(`GitHub token polling failed (${response.status})`);
-    const body = await response.json();
-    if (body.access_token)
-      return body.access_token;
-    if (body.error === "authorization_pending")
-      continue;
-    if (body.error === "slow_down") {
-      interval += 5;
-      continue;
-    }
-    if (body.error === "access_denied")
-      throw new Error("GitHub login was denied");
-    if (body.error === "expired_token")
-      throw new Error("GitHub login code expired");
-    throw new Error(body.error_description ?? "GitHub login failed");
-  }
-  throw new Error("GitHub login timed out");
-}
-function saveKeychainToken(account, token) {
-  execFileSync("security", ["add-generic-password", "-a", account, "-s", KEYCHAIN_SERVICE, "-w", token, "-U"], { stdio: "ignore" });
-}
-function readKeychainToken(account) {
-  try {
-    return execFileSync("security", ["find-generic-password", "-a", account, "-s", KEYCHAIN_SERVICE, "-w"], { encoding: "utf-8", stdio: ["ignore", "pipe", "ignore"] }).trim();
-  } catch {
-    return;
-  }
-}
-function deleteKeychainToken(account) {
-  try {
-    execFileSync("security", ["delete-generic-password", "-a", account, "-s", KEYCHAIN_SERVICE], { stdio: "ignore" });
-  } catch {}
-}
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-
-// ../../packages/api-client/src/index.ts
-async function listProfiles() {
-  const response = await authedFetch("/profiles");
-  const body = await response.json();
-  return body.profiles;
-}
-async function createProfile(name) {
-  const response = await authedFetch("/profiles", {
-    method: "POST",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify({ name })
-  });
-  const body = await response.json();
-  return body.profile;
-}
-async function getProfile(name) {
-  const response = await authedFetch(`/profiles/${encodeURIComponent(name)}`);
-  if (response.status === 404)
-    return;
-  const body = await response.json();
-  return body.profile;
-}
-async function getVault() {
-  return await (await authedFetch("/vault")).json();
-}
-async function saveVault(input) {
-  await authedFetch("/vault", {
-    method: "PUT",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify(input)
-  });
-}
-async function getProfileKey(profileName) {
-  const response = await authedFetch(`/profiles/${encodeURIComponent(profileName)}/key`);
-  if (response.status === 404)
-    return;
-  const body = await response.json();
-  return body.profileKey;
-}
-async function saveProfileKey(profileName, input) {
-  const response = await authedFetch(`/profiles/${encodeURIComponent(profileName)}/key`, {
-    method: "PUT",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify(input)
-  });
-  const body = await response.json();
-  return body.profileKey;
-}
-async function listSavedConfigs(profileName) {
-  const response = await authedFetch(`/profiles/${encodeURIComponent(profileName)}/configs`);
-  const body = await response.json();
-  return body.configs;
-}
-async function getSavedConfig(profileName, stableId) {
-  const response = await authedFetch(`/profiles/${encodeURIComponent(profileName)}/configs/${encodeURIComponent(stableId)}`);
-  if (response.status === 404)
-    return;
-  const body = await response.json();
-  return body.config;
-}
-async function createConfigVersion(profileName, stableId, input) {
-  const response = await authedFetch(`/profiles/${encodeURIComponent(profileName)}/configs/${encodeURIComponent(stableId)}/versions`, {
-    method: "POST",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify(input)
-  });
-  return await response.json();
-}
-async function authedFetch(path, init = {}) {
-  const session = getAuthenticatedSession();
-  if (!session)
-    throw new Error("Not logged in. Run `atl login`.");
-  const response = await fetch(`${session.apiUrl}${path}`, {
-    ...init,
-    headers: {
-      ...init.headers,
-      authorization: `Bearer ${session.token}`
-    }
-  });
-  if (!response.ok && response.status !== 404) {
-    const body = await response.json().catch(() => {
-      return;
-    });
-    throw new Error(body?.error ?? `Atelier API request failed (${response.status})`);
-  }
-  return response;
-}
-
-// ../../packages/save-client/src/index.ts
-import { createCipheriv as createCipheriv2, createHash, randomBytes as randomBytes2 } from "crypto";
-import { readFile } from "fs/promises";
-
-// ../../packages/vault-client/src/index.ts
-import { execFileSync as execFileSync2 } from "child_process";
-import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
-import { chmodSync as chmodSync2, existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, rmSync as rmSync2, writeFileSync as writeFileSync2 } from "fs";
-import { homedir as homedir2, platform as platform2 } from "os";
-import { dirname as dirname2, join as join2 } from "path";
-var VAULT_KEYCHAIN_SERVICE = "dev.atelier.vault";
-var LOCAL_VAULT_DIR = join2(homedir2(), ".config", "atelier");
-var LOCAL_VAULT_KEY_PATH = join2(LOCAL_VAULT_DIR, "vault-key.json");
-var KDF_PARAMS = { N: 32768, r: 8, p: 1 };
-var KDF_MAXMEM = 64 * 1024 * 1024;
-var KEY_ALGORITHM = "aes-256-gcm";
-async function getVaultState() {
-  const session = requireSession();
-  const vault = await getVault();
-  return {
-    initialized: vault.initialized,
-    unlocked: Boolean(readLocalVaultKey(session.user.id)),
-    activeProfile: getActiveProfile()
-  };
-}
-async function initializeVault(passphrase, profileName = getActiveProfile()) {
-  assertStrongPassphrase(passphrase);
-  const session = requireSession();
-  const existing = await getVault();
-  if (existing.initialized)
-    throw new Error("Atelier vault already exists. Run `atl vault unlock` if this machine is locked.");
-  const profile = await getProfile(profileName);
-  if (!profile)
-    throw new Error(`Profile not found: ${profileName}`);
-  const vaultKey = randomBytes(32);
-  const profileKey = randomBytes(32);
-  const salt = randomBytes(16);
-  const wrappingKey = deriveWrappingKey(passphrase, salt, KDF_PARAMS);
-  const encryptedVaultKey = encryptBytes(vaultKey, wrappingKey);
-  const encryptedProfileKey = encryptBytes(profileKey, vaultKey);
-  await saveVault({
-    kdf: {
-      algorithm: "scrypt",
-      salt: base64urlEncode(salt),
-      params: KDF_PARAMS
-    },
-    encryptedVaultKey
-  });
-  await saveProfileKey(profileName, {
-    version: 1,
-    algorithm: encryptedProfileKey.algorithm,
-    nonce: encryptedProfileKey.nonce,
-    encryptedKey: encryptedProfileKey.ciphertext
-  });
-  saveLocalVaultKey(session.user.id, vaultKey);
-  return { profileName: profile.name };
-}
-async function unlockVault(passphrase) {
-  const session = requireSession();
-  const vault = await getVault();
-  if (!vault.initialized)
-    throw new Error("Atelier vault is not initialized. Run `atl save <id>` or `atl vault init`.");
-  const vaultKey = decryptVaultKey(vault, passphrase);
-  saveLocalVaultKey(session.user.id, vaultKey);
-  return { activeProfile: getActiveProfile() };
-}
-function lockVault() {
-  const session = requireSession();
-  deleteLocalVaultKey(session.user.id);
-}
-async function ensureLocalVaultKey(passphrase, profileName = getActiveProfile()) {
-  const session = requireSession();
-  const localVaultKey = readLocalVaultKey(session.user.id);
-  if (localVaultKey)
-    return localVaultKey;
-  if (!passphrase)
-    throw new Error("Vault passphrase is required");
-  const vault = await getVault();
-  if (!vault.initialized) {
-    await initializeVault(passphrase, profileName);
-    const initializedKey = readLocalVaultKey(session.user.id);
-    if (!initializedKey)
-      throw new Error("Vault initialized but local key was not stored");
-    return initializedKey;
-  }
-  return decryptVaultKey(vault, passphrase);
-}
-async function ensureProfileKey(passphrase, profileName = getActiveProfile()) {
-  const vaultKey = await ensureLocalVaultKey(passphrase, profileName);
-  const existing = await getProfileKey(profileName);
-  if (existing)
-    return decryptEnvelope(existing.encryptedKey, existing.nonce, vaultKey);
-  const profileKey = randomBytes(32);
-  const encryptedProfileKey = encryptBytes(profileKey, vaultKey);
-  await saveProfileKey(profileName, {
-    version: 1,
-    algorithm: encryptedProfileKey.algorithm,
-    nonce: encryptedProfileKey.nonce,
-    encryptedKey: encryptedProfileKey.ciphertext
-  });
-  return profileKey;
-}
-function decryptVaultKey(vault, passphrase) {
-  if (!vault.kdf || !vault.encryptedVaultKey)
-    throw new Error("Vault payload is incomplete");
-  if (vault.kdf.algorithm !== "scrypt")
-    throw new Error(`Unsupported vault KDF: ${vault.kdf.algorithm}`);
-  const salt = base64urlDecode(vault.kdf.salt);
-  const wrappingKey = deriveWrappingKey(passphrase, salt, vault.kdf.params);
-  const vaultKey = decryptEnvelope(vault.encryptedVaultKey.ciphertext, vault.encryptedVaultKey.nonce, wrappingKey);
-  saveLocalVaultKey(requireSession().user.id, vaultKey);
-  return vaultKey;
-}
-function deriveWrappingKey(passphrase, salt, params) {
-  return scryptSync(passphrase, salt, 32, {
-    N: params.N,
-    r: params.r,
-    p: params.p,
-    maxmem: KDF_MAXMEM
-  });
-}
-function encryptBytes(plaintext, key) {
-  const nonce = randomBytes(12);
-  const cipher = createCipheriv(KEY_ALGORITHM, key, nonce);
-  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
-  const tag = cipher.getAuthTag();
-  return {
-    algorithm: KEY_ALGORITHM,
-    nonce: base64urlEncode(nonce),
-    ciphertext: base64urlEncode(Buffer.concat([ciphertext, tag]))
-  };
-}
-function decryptEnvelope(ciphertextWithTag, nonceValue, key) {
-  const payload = Buffer.from(base64urlDecode(ciphertextWithTag));
-  const nonce = Buffer.from(base64urlDecode(nonceValue));
-  const ciphertext = payload.subarray(0, -16);
-  const tag = payload.subarray(-16);
-  const decipher = createDecipheriv(KEY_ALGORITHM, key, nonce);
-  decipher.setAuthTag(tag);
-  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-}
-function assertStrongPassphrase(passphrase) {
-  if (passphrase.length < 12)
-    throw new Error("Vault passphrase must be at least 12 characters.");
-}
-function requireSession() {
-  const session = getAuthenticatedSession();
-  if (!session)
-    throw new Error("Not logged in. Run `atl login`.");
-  return session;
-}
-function saveLocalVaultKey(userId, key) {
-  const encoded = base64urlEncode(key);
-  if (platform2() === "darwin") {
-    execFileSync2("security", ["add-generic-password", "-a", userId, "-s", VAULT_KEYCHAIN_SERVICE, "-w", encoded, "-U"], { stdio: "ignore" });
-    return;
-  }
-  mkdirSync2(dirname2(LOCAL_VAULT_KEY_PATH), { recursive: true });
-  writeFileSync2(LOCAL_VAULT_KEY_PATH, JSON.stringify({ userId, key: encoded }, null, 2) + `
-`, "utf-8");
-  chmodSync2(LOCAL_VAULT_KEY_PATH, 384);
-}
-function readLocalVaultKey(userId) {
-  const encoded = platform2() === "darwin" ? readKeychainVaultKey(userId) : readFileVaultKey(userId);
-  return encoded ? Buffer.from(base64urlDecode(encoded)) : undefined;
-}
-function deleteLocalVaultKey(userId) {
-  if (platform2() === "darwin") {
-    try {
-      execFileSync2("security", ["delete-generic-password", "-a", userId, "-s", VAULT_KEYCHAIN_SERVICE], { stdio: "ignore" });
-    } catch {}
-    return;
-  }
-  if (existsSync2(LOCAL_VAULT_KEY_PATH))
-    rmSync2(LOCAL_VAULT_KEY_PATH);
-}
-function readKeychainVaultKey(userId) {
-  try {
-    return execFileSync2("security", ["find-generic-password", "-a", userId, "-s", VAULT_KEYCHAIN_SERVICE, "-w"], { encoding: "utf-8", stdio: ["ignore", "pipe", "ignore"] }).trim();
-  } catch {
-    return;
-  }
-}
-function readFileVaultKey(userId) {
-  if (!existsSync2(LOCAL_VAULT_KEY_PATH))
-    return;
-  const body = JSON.parse(readFileSync2(LOCAL_VAULT_KEY_PATH, "utf-8"));
-  return body.userId === userId ? body.key : undefined;
-}
-function base64urlEncode(bytes) {
-  return Buffer.from(bytes).toString("base64url");
-}
-function base64urlDecode(value) {
-  return new Uint8Array(Buffer.from(value, "base64url"));
-}
-
-// ../../packages/save-client/src/validation.ts
-var MAX_SAVE_SIZE_BYTES = 1024 * 1024;
-function validateSaveCandidate(item) {
-  const reasons = [];
-  if (!item.exists)
-    reasons.push("file does not exist");
-  if (item.isDirectory || item.kind === "directory" || item.format === "directory")
-    reasons.push("directory saving is not supported yet");
-  if (item.kind === "generated")
-    reasons.push("generated/cache files are not saved");
-  if (item.kind === "private" || item.shareability === "private")
-    reasons.push("private/auth files are blocked");
-  if (item.secretFindings.length > 0)
-    reasons.push("detected secret material");
-  if (item.size !== undefined && item.size > MAX_SAVE_SIZE_BYTES)
-    reasons.push(`file is larger than ${formatBytes(MAX_SAVE_SIZE_BYTES)}`);
-  if (isUnsupportedBinary(item))
-    reasons.push("binary files are not supported yet");
-  return { ok: reasons.length === 0, reasons };
-}
-function assertSaveCandidate(item) {
-  const result = validateSaveCandidate(item);
-  if (!result.ok)
-    throw new Error(`Cannot save ${item.id}: ${result.reasons.join("; ")}`);
-}
-function isUnsupportedBinary(item) {
-  if (item.previewSuppressedReason?.toLowerCase().includes("binary"))
-    return true;
-  return ["binary", "sqlite", "db"].includes(item.format.toLowerCase());
-}
-function formatBytes(bytes) {
-  if (bytes < 1024)
-    return `${bytes} B`;
-  const kib = bytes / 1024;
-  if (kib < 1024)
-    return `${Math.round(kib)} KiB`;
-  return `${Math.round(kib / 1024)} MiB`;
-}
-// ../../packages/save-client/src/index.ts
-var CONTENT_ALGORITHM = "aes-256-gcm";
-async function saveConfigItem(item, options = {}) {
-  assertSaveCandidate(item);
-  const profileName = getActiveProfile();
-  const profileKey = await ensureProfileKey(options.passphrase, profileName);
-  const plaintext = await readFile(item.path);
-  const encrypted = encryptContent(plaintext, profileKey);
-  const response = await createConfigVersion(profileName, item.id, {
-    kind: "file",
-    pathHint: item.displayPath,
-    contentSha256: sha256Hex(plaintext),
-    ciphertextSha256: sha256Hex(encrypted.ciphertextBytes),
-    sizeBytes: plaintext.byteLength,
-    algorithm: encrypted.algorithm,
-    profileKeyVersion: 1,
-    nonce: encrypted.nonce,
-    ciphertext: encrypted.ciphertext
-  });
-  return {
-    profileName,
-    stableId: item.id,
-    version: response.version,
-    reused: response.reused
-  };
-}
-function encryptContent(plaintext, key) {
-  const nonce = randomBytes2(12);
-  const cipher = createCipheriv2(CONTENT_ALGORITHM, key, nonce);
-  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
-  const tag = cipher.getAuthTag();
-  const ciphertextBytes = Buffer.concat([ciphertext, tag]);
-  return {
-    algorithm: CONTENT_ALGORITHM,
-    nonce: base64urlEncode2(nonce),
-    ciphertext: base64urlEncode2(ciphertextBytes),
-    ciphertextBytes
-  };
-}
-function sha256Hex(bytes) {
-  return createHash("sha256").update(bytes).digest("hex");
-}
-function base64urlEncode2(bytes) {
-  return Buffer.from(bytes).toString("base64url");
-}
-
-// ../../packages/scanner/src/index.ts
-import { execFileSync as execFileSync3 } from "child_process";
-import { existsSync as existsSync3, lstatSync, mkdirSync as mkdirSync3, readdirSync, readFileSync as readFileSync3, statSync, writeFileSync as writeFileSync3 } from "fs";
-import { homedir as homedir3, userInfo } from "os";
-import { dirname as dirname3, join as join3, relative, resolve } from "path";
-
-// ../../packages/registry/src/definitions.ts
-var registryDefinitions = [
-  {
-    domain: "AI Tools",
-    app: "Pi / Pi Next",
-    items: [
-      {
-        id: "pi.dir",
-        path: "~/.pi",
-        kind: "directory",
-        format: "directory",
-        shareability: "machine-specific"
-      },
-      {
-        id: "pi-next.dir",
-        path: "~/.pi-next",
-        kind: "directory",
-        format: "directory",
-        shareability: "shareable"
-      },
-      {
-        id: "pi-next.design",
-        path: "~/.pi-next/DESIGN.md",
-        kind: "config",
-        format: "markdown",
-        shareability: "shareable"
-      },
-      {
-        id: "pi-next.cmux-config",
-        path: "~/.pi-next/cmux-config",
-        kind: "config",
-        format: "directory",
-        shareability: "shareable"
-      },
-      {
-        id: "pi-next.zed-config",
-        path: "~/.pi-next/zed-config",
-        kind: "config",
-        format: "directory",
-        shareability: "shareable"
-      },
-      {
-        id: "pi-next.bin",
-        path: "~/.pi-next/bin",
-        kind: "config",
-        format: "directory",
-        shareability: "shareable"
-      }
-    ]
-  },
-  {
-    domain: "Shell",
-    app: "Starship",
-    items: [
-      {
-        id: "starship.config",
-        path: "~/.config/starship.toml",
-        kind: "config",
-        format: "toml",
-        shareability: "shareable"
-      }
-    ]
-  },
-  {
-    domain: "Editors",
-    app: "Zed",
-    items: [
-      {
-        id: "zed.dir",
-        path: "~/.config/zed",
-        kind: "directory",
-        format: "directory",
-        shareability: "shareable"
-      },
-      {
-        id: "zed.settings",
-        path: "~/.config/zed/settings.json",
-        kind: "config",
-        format: "jsonc",
-        shareability: "shareable",
-        mirrors: [
-          "~/.pi-next/zed-config/settings.json"
-        ]
-      },
-      {
-        id: "zed.themes",
-        path: "~/.config/zed/themes",
-        kind: "config",
-        format: "directory",
-        shareability: "shareable"
-      },
-      {
-        id: "zed.prompts",
-        path: "~/.config/zed/prompts",
-        kind: "generated",
-        format: "directory",
-        shareability: "machine-specific"
-      }
-    ]
-  },
-  {
-    domain: "Git",
-    app: "Git",
-    items: [
-      {
-        id: "git.config",
-        path: "~/.gitconfig",
-        kind: "config",
-        format: "gitconfig",
-        shareability: "machine-specific"
-      },
-      {
-        id: "git.config-dir",
-        path: "~/.config/git",
-        kind: "directory",
-        format: "directory",
-        shareability: "machine-specific"
-      },
-      {
-        id: "git.ignore",
-        path: "~/.gitignore",
-        kind: "config",
-        format: "gitignore",
-        shareability: "machine-specific"
-      }
-    ]
-  },
-  {
-    domain: "Private/Auth",
-    app: "Credentials",
-    privateByDefault: true,
-    items: [
-      {
-        id: "auth.ssh",
-        path: "~/.ssh",
-        kind: "private",
-        format: "directory",
-        shareability: "private"
-      },
-      {
-        id: "auth.aws",
-        path: "~/.aws",
-        kind: "private",
-        format: "directory",
-        shareability: "private"
-      },
-      {
-        id: "auth.gh",
-        path: "~/.config/gh",
-        kind: "private",
-        format: "directory",
-        shareability: "private"
-      },
-      {
-        id: "auth.gcloud-adc",
-        path: "~/.config/gcloud/application_default_credentials.json",
-        kind: "private",
-        format: "json",
-        shareability: "private"
-      },
-      {
-        id: "auth.docker",
-        path: "~/.docker/config.json",
-        kind: "private",
-        format: "json",
-        shareability: "private"
-      },
-      {
-        id: "auth.pi",
-        path: "~/.config/pi/auth.json",
-        kind: "private",
-        format: "json",
-        shareability: "private"
-      }
-    ]
-  },
-  {
-    domain: "Shell",
-    app: "Zsh",
-    items: [
-      {
-        id: "zsh.home-rc",
-        path: "~/.zshrc",
-        kind: "config",
-        format: "shell",
-        shareability: "shareable"
-      },
-      {
-        id: "zsh.home-env",
-        path: "~/.zshenv",
-        kind: "config",
-        format: "shell",
-        shareability: "private"
-      },
-      {
-        id: "zsh.dir",
-        path: "~/.config/zsh",
-        kind: "directory",
-        format: "directory",
-        shareability: "machine-specific"
-      },
-      {
-        id: "zsh.env",
-        path: "~/.config/zsh/.zshenv",
-        kind: "config",
-        format: "shell",
-        shareability: "private"
-      },
-      {
-        id: "zsh.rc",
-        path: "~/.config/zsh/.zshrc",
-        kind: "config",
-        format: "shell",
-        shareability: "shareable"
-      },
-      {
-        id: "zsh.conf",
-        path: "~/.config/zsh/conf.d",
-        kind: "directory",
-        format: "directory",
-        shareability: "shareable"
-      },
-      {
-        id: "zsh.zcompdump",
-        path: "~/.config/zsh/.zcompdump",
-        kind: "generated",
-        format: "text",
-        shareability: "machine-specific"
-      },
-      {
-        id: "zsh.sessions",
-        path: "~/.config/zsh/.zsh_sessions",
-        kind: "generated",
-        format: "directory",
-        shareability: "machine-specific"
-      }
-    ]
-  },
-  {
-    domain: "Terminals",
-    app: "cmux",
-    items: [
-      {
-        id: "cmux.dir",
-        path: "~/.config/cmux",
-        kind: "directory",
-        format: "directory",
-        shareability: "shareable"
-      },
-      {
-        id: "cmux.config",
-        path: "~/.config/cmux/cmux.json",
-        kind: "config",
-        format: "jsonc",
-        shareability: "shareable",
-        mirrors: [
-          "~/.pi-next/cmux-config/cmux.json"
-        ]
-      },
-      {
-        id: "cmux.ghostty",
-        path: "~/Library/Application Support/com.cmuxterm.app/config.ghostty",
-        kind: "config",
-        format: "ghostty",
-        shareability: "shareable",
-        mirrors: [
-          "~/.pi-next/cmux-config/config.ghostty"
-        ]
-      },
-      {
-        id: "cmux.browser-history",
-        path: "~/Library/Application Support/com.cmuxterm.app/browser_history.json",
-        kind: "generated",
-        format: "json",
-        shareability: "machine-specific"
-      }
-    ]
-  }
-];
-
-// ../../packages/secrets/src/index.ts
-var SECRET_PATTERNS = [
-  ["GitHub token", /gh[pousr]_[A-Za-z0-9_]{20,}/g],
-  ["Slack token", /xox[baprs]-[A-Za-z0-9-]{20,}/g],
-  ["AWS access key", /AKIA[0-9A-Z]{16}/g],
-  ["Private key", /-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----/g],
-  ["Generic token assignment", /(?:token|api[_-]?key|secret|webhook|password)\s*[=:]\s*["']?[^"'\s]{12,}/gi]
-];
-function detectSecrets(text) {
-  const findings = [];
-  const lines = text.split(/\r?\n/);
-  for (const [type, pattern] of SECRET_PATTERNS) {
-    for (const match of text.matchAll(pattern)) {
-      const index = match.index ?? 0;
-      const line = text.slice(0, index).split(/\r?\n/).length;
-      findings.push({ type, line, preview: redact(match[0]) });
-    }
-  }
-  lines.forEach((lineText, index) => {
-    for (const candidate of lineText.matchAll(/[A-Za-z0-9_+\/=.-]{32,}/g)) {
-      const value = candidate[0];
-      if (!isCoveredByExplicitPattern(value, lineText) && isHighEntropySecretCandidate(value, lineText)) {
-        findings.push({ type: "High-entropy string", line: index + 1, preview: redact(value) });
-      }
-    }
-  });
-  return dedupe(findings);
-}
-function redact(text) {
-  if (text.length <= 8)
-    return "[redacted]";
-  return `${text.slice(0, 4)}\u2026${text.slice(-4)}`;
-}
-function redactText(text) {
-  let redacted = text;
-  for (const [, pattern] of SECRET_PATTERNS) {
-    redacted = redacted.replace(pattern, (match) => redact(match));
-  }
-  redacted = redacted.replace(/[A-Za-z0-9_+\/=.-]{32,}/g, (match) => {
-    if (isHighEntropySecretCandidate(match, text))
-      return redact(match);
-    return match;
-  });
-  return redacted;
-}
-function isCoveredByExplicitPattern(value, context) {
-  return SECRET_PATTERNS.some(([, pattern]) => {
-    pattern.lastIndex = 0;
-    return Array.from(context.matchAll(pattern)).some((match) => match[0].includes(value) || value.includes(match[0]));
-  });
-}
-function isHighEntropySecretCandidate(value, context) {
-  if (value.startsWith("amazon."))
-    return false;
-  if (value.includes("anthropic.claude"))
-    return false;
-  if (/^[A-Za-z0-9.-]+@[A-Za-z0-9.-]+$/.test(value))
-    return false;
-  if (/model/i.test(context) && /^[A-Za-z0-9_.-]+$/.test(value))
-    return false;
-  return entropy(value) > 4.2 && /[A-Za-z]/.test(value) && /[0-9]/.test(value);
-}
-function entropy(value) {
-  const counts = new Map;
-  for (const char of value)
-    counts.set(char, (counts.get(char) ?? 0) + 1);
-  let result = 0;
-  for (const count of counts.values()) {
-    const p = count / value.length;
-    result -= p * Math.log2(p);
-  }
-  return result;
-}
-function dedupe(findings) {
-  const seen = new Set;
-  return findings.filter((finding) => {
-    const key = `${finding.type}:${finding.line}:${finding.preview}`;
-    if (seen.has(key))
-      return false;
-    seen.add(key);
-    return true;
-  });
-}
-
-// ../../packages/scanner/src/jsonc.ts
-function parseJsonc(input) {
-  const withoutBlockComments = input.replace(/\/\*[\s\S]*?\*\//g, "");
-  const withoutLineComments = withoutBlockComments.replace(/(^|[^:])\/\/.*$/gm, "$1");
-  const withoutTrailingCommas = withoutLineComments.replace(/,\s*([}\]])/g, "$1");
-  return JSON.parse(withoutTrailingCommas);
-}
-
-// ../../packages/scanner/src/index.ts
-var HOME = homedir3();
-var TEXT_EXTENSIONS = new Set([".zsh", ".zshrc", ".zshenv", ".sh", ".json", ".jsonc", ".toml", ".md", ".yml", ".yaml", ".gitconfig", ".gitignore", ".ghostty", ""]);
-var GENERATED_NAMES = [/cache/i, /history/i, /session/i, /state/i, /\.mdb$/i, /\.sqlite/i, /\.db$/i, /zcompdump/i, /logs?/i];
-var PRIVATE_NAMES = [/credential/i, /secret/i, /token/i, /auth\.json$/i, /hosts\.yml$/i, /config\.json$/i];
-var yadmCache;
-async function scan(options) {
-  yadmCache = options.includeLegacyManagers ? loadYadmCache() : undefined;
-  const definitions = loadRegistry(options.repoRoot);
-  const registryItems = definitions.flatMap((definition) => definition.items.map((item) => ({ definition, item })));
-  const seen = new Set;
-  const items = [];
-  for (const { definition, item } of registryItems) {
-    const path = expandHome(item.path);
-    seen.add(path);
-    items.push(inspectRegistryItem(definition, item, path));
-  }
-  for (const candidate of discoverConfigCandidates()) {
-    if (seen.has(candidate.path))
-      continue;
-    seen.add(candidate.path);
-    items.push(inspectHeuristicItem(candidate));
-  }
-  for (const manual of options.manualPaths ?? []) {
-    const path = expandHome(manual);
-    if (seen.has(path))
-      continue;
-    seen.add(path);
-    items.push(inspectHeuristicItem({ path, reason: "manual path" }));
-  }
-  items.sort((a, b) => `${a.domain}:${a.app}:${a.path}`.localeCompare(`${b.domain}:${b.app}:${b.path}`));
-  return {
-    version: 1,
-    generatedAt: new Date().toISOString(),
-    repoRoot: options.repoRoot,
-    home: HOME,
-    items,
-    summary: {
-      total: items.length,
-      existing: items.filter((item) => item.exists).length,
-      secrets: items.filter((item) => item.secretFindings.length > 0).length,
-      drift: items.filter((item) => item.mirrors.some((mirror) => mirror.exists && mirror.identical === false)).length,
-      generated: items.filter((item) => item.kind === "generated").length,
-      private: items.filter((item) => item.shareability === "private").length
-    }
-  };
-}
-function writeInventory(inventory, options = {}) {
-  const path = options.path ?? join3(inventory.repoRoot, ".atelier", "state", "inventory.json");
-  mkdirSync3(dirname3(path), { recursive: true });
-  writeFileSync3(path, JSON.stringify(inventory, null, 2) + `
-`, "utf-8");
-  return path;
-}
-function loadRegistry(repoRoot) {
-  const dir = join3(repoRoot, "packages", "registry", "definitions");
-  if (!existsSync3(dir))
-    return registryDefinitions;
-  return readdirSync(dir).filter((file) => file.endsWith(".jsonc")).map((file) => parseJsonc(readFileSync3(join3(dir, file), "utf-8")));
-}
-function inspectRegistryItem(definition, item, path) {
-  return inspectPath({
-    path,
-    domain: definition.domain,
-    app: definition.app,
-    kind: item.kind,
-    format: item.format,
-    shareability: item.shareability,
-    reason: "registry match",
-    mirrors: item.mirrors ?? [],
-    privateByDefault: definition.privateByDefault,
-    id: item.id
-  });
-}
-function inspectHeuristicItem(candidate) {
-  const app = appNameFromPath(candidate.path);
-  const kind = heuristicKind(candidate.path);
-  const shareability = heuristicShareability(candidate.path, kind);
-  return inspectPath({
-    path: candidate.path,
-    domain: heuristicDomain(candidate.path),
-    app,
-    kind,
-    format: detectFormat(candidate.path),
-    shareability,
-    reason: candidate.reason,
-    mirrors: [],
-    privateByDefault: shareability === "private"
-  });
-}
-function inspectPath(input) {
-  const exists = existsSync3(input.path);
-  const lst = exists ? lstatSync(input.path) : undefined;
-  const stat = exists ? statSync(input.path) : undefined;
-  const isDirectory = !!stat?.isDirectory();
-  const isSymlink = !!lst?.isSymbolicLink();
-  const secretFindings = exists && !isDirectory && isSafeTextPath(input.path) ? detectSecrets(readFileSync3(input.path, "utf-8")) : [];
-  const mirrors = input.mirrors.map((mirror) => inspectMirror(input.path, expandHome(mirror)));
-  const recommendation = recommend(input.kind, input.shareability, secretFindings.length, mirrors);
-  const previewInfo = preview(input.path, exists, isDirectory, input.shareability, input.privateByDefault, input.kind);
-  return {
-    id: input.id ?? stableId(input.path),
-    domain: input.domain,
-    app: input.app,
-    path: input.path,
-    displayPath: displayPath(input.path),
-    kind: input.kind,
-    format: input.format,
-    shareability: input.shareability,
-    exists,
-    isDirectory,
-    isSymlink,
-    mode: stat ? `0${(stat.mode & 511).toString(8)}` : undefined,
-    owner: exists ? userInfo().username : undefined,
-    size: stat?.size,
-    git: exists ? gitInfo(input.path) : undefined,
-    legacyManagers: exists ? legacyManagerInfo(input.path) : {},
-    mirrors,
-    secretFindings,
-    ...previewInfo,
-    recommendation,
-    reason: input.reason
-  };
-}
-function discoverConfigCandidates() {
-  const candidates = [];
-  const configRoot = join3(HOME, ".config");
-  if (!existsSync3(configRoot))
-    return candidates;
-  for (const entry of readdirSync(configRoot, { withFileTypes: true })) {
-    if (entry.name.startsWith("."))
-      continue;
-    const appDir = join3(configRoot, entry.name);
-    candidates.push({ path: appDir, reason: "~/.config app directory" });
-    if (!entry.isDirectory())
-      continue;
-    for (const child of safeReadDir(appDir).slice(0, 80)) {
-      const childPath = join3(appDir, child.name);
-      if (isGeneratedPath(childPath)) {
-        candidates.push({ path: childPath, reason: "generated/app-state candidate" });
-        continue;
-      }
-      if (child.isFile() && looksLikeConfigFile(child.name)) {
-        candidates.push({ path: childPath, reason: "shallow ~/.config config candidate" });
-      }
-      if (child.isDirectory() && ["conf.d", "themes", "snippets", "plugins"].includes(child.name)) {
-        candidates.push({ path: childPath, reason: "shallow ~/.config config directory" });
-      }
-    }
-  }
-  return candidates;
-}
-function safeReadDir(path) {
-  try {
-    return readdirSync(path, { withFileTypes: true });
-  } catch {
-    return [];
-  }
-}
-function inspectMirror(livePath, mirrorPath) {
-  const exists = existsSync3(mirrorPath);
-  if (!exists || !existsSync3(livePath) || statSync(livePath).isDirectory() || statSync(mirrorPath).isDirectory()) {
-    return { path: mirrorPath, displayPath: displayPath(mirrorPath), exists };
-  }
-  const live = readFileSync3(livePath, "utf-8");
-  const mirror = readFileSync3(mirrorPath, "utf-8");
-  return {
-    path: mirrorPath,
-    displayPath: displayPath(mirrorPath),
-    exists,
-    identical: live === mirror,
-    diff: live === mirror ? undefined : simpleDiff(mirror, live)
-  };
-}
-function simpleDiff(before, after) {
-  const beforeLines = before.split(/\r?\n/);
-  const afterLines = after.split(/\r?\n/);
-  const max = Math.max(beforeLines.length, afterLines.length);
-  const output = [];
-  for (let index = 0;index < max; index++) {
-    if (beforeLines[index] === afterLines[index])
-      continue;
-    if (beforeLines[index] !== undefined)
-      output.push(`-${beforeLines[index]}`);
-    if (afterLines[index] !== undefined)
-      output.push(`+${afterLines[index]}`);
-  }
-  return output.slice(0, 200).join(`
-`);
-}
-function preview(path, exists, isDirectory, shareability, privateByDefault, kind) {
-  if (!exists)
-    return { previewSuppressedReason: "missing" };
-  if (isDirectory)
-    return { previewSuppressedReason: "directory" };
-  if (shareability === "private" || privateByDefault || kind === "private")
-    return { previewSuppressedReason: "private/auth metadata-only" };
-  if (!isSafeTextPath(path))
-    return { previewSuppressedReason: "binary or unsupported file type" };
-  const text = readFileSync3(path, "utf-8");
-  return { preview: redactText(text).slice(0, 20000) };
-}
-function recommend(kind, shareability, secretCount, mirrors) {
-  if (secretCount > 0)
-    return "rotate-secret";
-  if (kind === "generated")
-    return "ignore-generated";
-  if (shareability === "private")
-    return "mark-private";
-  if (mirrors.some((mirror) => mirror.exists && mirror.identical === false))
-    return "resolve-drift";
-  if (shareability === "machine-specific")
-    return "review-machine-specific";
-  if (kind === "config" || kind === "directory")
-    return "adopt-candidate";
-  return "none";
-}
-function gitInfo(path) {
-  const cwd = statSync(path).isDirectory() ? path : dirname3(path);
-  const root = git(["rev-parse", "--show-toplevel"], cwd);
-  if (!root)
-    return;
-  const rel = relative(root, path);
-  const ignored = !!git(["check-ignore", "-q", rel], root, true);
-  const tracked = !!git(["ls-files", "--error-unmatch", rel], root, true);
-  const modified = tracked && !!git(["status", "--porcelain", "--", rel], root);
-  return { root, tracked, modified, ignored };
-}
-function legacyManagerInfo(path) {
-  if (!yadmCache)
-    return {};
-  return { yadm: yadmInfo(path) };
-}
-function yadmInfo(path) {
-  const rel = displayPath(path).replace(/^~\//, "");
-  if (yadmCache?.modified.has(rel))
-    return "modified";
-  if (yadmCache?.tracked.has(rel))
-    return "tracked";
-  return "unknown";
-}
-function loadYadmCache() {
-  const tracked = new Set((gitLike("yadm", ["ls-files"]) ?? "").split(`
-`).filter(Boolean));
-  const modified = new Set((gitLike("yadm", ["status", "--porcelain"]) ?? "").split(`
-`).map((line) => line.slice(3).trim()).filter(Boolean));
-  return { tracked, modified };
-}
-function git(args, cwd, allowEmpty = false) {
-  try {
-    const out = execFileSync3("git", args, { cwd, encoding: "utf-8", stdio: ["ignore", "pipe", "ignore"] }).trim();
-    return out || (allowEmpty ? "ok" : undefined);
-  } catch {
-    return;
-  }
-}
-function gitLike(command, args) {
-  try {
-    return execFileSync3(command, args, { cwd: HOME, encoding: "utf-8", stdio: ["ignore", "pipe", "ignore"] });
-  } catch {
-    return;
-  }
-}
-function expandHome(path) {
-  return resolve(path.replace(/^~(?=\/|$)/, HOME));
-}
-function displayPath(path) {
-  return path.startsWith(HOME) ? `~${path.slice(HOME.length)}` : path;
-}
-function stableId(path) {
-  return displayPath(path).replace(/[^A-Za-z0-9_.-]+/g, ":");
-}
-function appNameFromPath(path) {
-  const rel = relative(join3(HOME, ".config"), path);
-  if (!rel.startsWith(".."))
-    return rel.split(/[\\/]/)[0] || "Unknown";
-  return "Unknown";
-}
-function heuristicDomain(path) {
-  if (path.includes("/.config/"))
-    return "~/.config";
-  if (path.includes("/.ssh") || path.includes("/.aws"))
-    return "Private/Auth";
-  return "Unknown";
-}
-function heuristicKind(path) {
-  if (isGeneratedPath(path))
-    return "generated";
-  if (PRIVATE_NAMES.some((pattern) => pattern.test(path)))
-    return "private";
-  if (existsSync3(path) && statSync(path).isDirectory())
-    return "directory";
-  if (looksLikeConfigFile(path))
-    return "config";
-  return "unknown";
-}
-function heuristicShareability(path, kind) {
-  if (kind === "private")
-    return "private";
-  if (kind === "generated")
-    return "machine-specific";
-  if (path.includes("/credentials") || path.includes("/.ssh") || path.includes("/.aws"))
-    return "private";
-  return "machine-specific";
-}
-function detectFormat(path) {
-  if (existsSync3(path) && statSync(path).isDirectory())
-    return "directory";
-  if (path.endsWith(".jsonc"))
-    return "jsonc";
-  if (path.endsWith(".json"))
-    return "json";
-  if (path.endsWith(".toml"))
-    return "toml";
-  if (path.endsWith(".zsh"))
-    return "shell";
-  if (path.endsWith(".md"))
-    return "markdown";
-  return "text";
-}
-function isGeneratedPath(path) {
-  return GENERATED_NAMES.some((pattern) => pattern.test(path));
-}
-function looksLikeConfigFile(name) {
-  return /(^config\.|settings\.|rc$|\.rc$|\.zshrc$|\.zshenv$|\.jsonc?$|\.toml$|\.ya?ml$|\.zsh$|\.conf$|\.ini$)/i.test(name);
-}
-function isSafeTextPath(path) {
-  const name = path.split("/").pop() ?? "";
-  if (isGeneratedPath(path))
-    return false;
-  if (name.includes("lock") || name.endsWith(".mdb") || name.endsWith(".sqlite") || name.endsWith(".db"))
-    return false;
-  const ext = name.includes(".") ? name.slice(name.lastIndexOf(".")) : "";
-  return TEXT_EXTENSIONS.has(ext) || looksLikeConfigFile(name);
-}
-
-// src/ui.tsx
-import { Box, Text, render } from "ink";
-import { jsxDEV, Fragment } from "react/jsx-dev-runtime";
-function renderInk(element) {
-  const app = render(/* @__PURE__ */ jsxDEV(Fragment, {
-    children: element
-  }, undefined, false, undefined, this));
-  return app.waitUntilExit();
-}
-function ScanSummary({ inventory, path }) {
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    gap: 1,
-    children: [
-      /* @__PURE__ */ jsxDEV(Header, {
-        title: "Scan complete",
-        subtitle: path
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Box, {
-        gap: 2,
-        children: [
-          /* @__PURE__ */ jsxDEV(Stat, {
-            label: "total",
-            value: inventory.summary.total,
-            color: "cyan"
-          }, undefined, false, undefined, this),
-          /* @__PURE__ */ jsxDEV(Stat, {
-            label: "existing",
-            value: inventory.summary.existing,
-            color: "green"
-          }, undefined, false, undefined, this),
-          /* @__PURE__ */ jsxDEV(Stat, {
-            label: "private",
-            value: inventory.summary.private,
-            color: "red"
-          }, undefined, false, undefined, this),
-          /* @__PURE__ */ jsxDEV(Stat, {
-            label: "generated",
-            value: inventory.summary.generated,
-            color: "magenta"
-          }, undefined, false, undefined, this),
-          /* @__PURE__ */ jsxDEV(Stat, {
-            label: "secrets",
-            value: inventory.summary.secrets,
-            color: "red"
-          }, undefined, false, undefined, this),
-          /* @__PURE__ */ jsxDEV(Stat, {
-            label: "drift",
-            value: inventory.summary.drift,
-            color: "blue"
-          }, undefined, false, undefined, this)
-        ]
-      }, undefined, true, undefined, this)
-    ]
-  }, undefined, true, undefined, this);
-}
-function ItemList({ items, title }) {
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    children: [
-      /* @__PURE__ */ jsxDEV(Header, {
-        title,
-        subtitle: `${items.length} item${items.length === 1 ? "" : "s"}`
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Box, {
-        flexDirection: "column",
-        marginTop: 1,
-        children: items.map((item) => /* @__PURE__ */ jsxDEV(Box, {
-          gap: 1,
-          children: [
-            /* @__PURE__ */ jsxDEV(Text, {
-              color: item.exists ? "white" : "gray",
-              children: item.exists ? "\u25CF" : "\u25CB"
-            }, undefined, false, undefined, this),
-            /* @__PURE__ */ jsxDEV(Text, {
-              color: kindColor(item),
-              children: item.domain
-            }, undefined, false, undefined, this),
-            /* @__PURE__ */ jsxDEV(Text, {
-              color: "gray",
-              children: "/"
-            }, undefined, false, undefined, this),
-            /* @__PURE__ */ jsxDEV(Text, {
-              color: "cyan",
-              children: item.app
-            }, undefined, false, undefined, this),
-            /* @__PURE__ */ jsxDEV(Text, {
-              children: item.displayPath
-            }, undefined, false, undefined, this),
-            /* @__PURE__ */ jsxDEV(Badge, {
-              label: item.shareability,
-              color: shareabilityColor(item.shareability)
-            }, undefined, false, undefined, this),
-            item.secretFindings.length > 0 ? /* @__PURE__ */ jsxDEV(Badge, {
-              label: "secret",
-              color: "red"
-            }, undefined, false, undefined, this) : null,
-            item.mirrors.some((mirror) => mirror.exists && mirror.identical === false) ? /* @__PURE__ */ jsxDEV(Badge, {
-              label: "drift",
-              color: "blue"
-            }, undefined, false, undefined, this) : null
-          ]
-        }, item.id, true, undefined, this))
-      }, undefined, false, undefined, this)
-    ]
-  }, undefined, true, undefined, this);
-}
-function ItemDetail({ item }) {
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    gap: 1,
-    children: [
-      /* @__PURE__ */ jsxDEV(Header, {
-        title: item.app,
-        subtitle: item.displayPath
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Box, {
-        gap: 1,
-        children: [
-          /* @__PURE__ */ jsxDEV(Badge, {
-            label: item.domain,
-            color: "cyan"
-          }, undefined, false, undefined, this),
-          /* @__PURE__ */ jsxDEV(Badge, {
-            label: item.kind,
-            color: kindColor(item)
-          }, undefined, false, undefined, this),
-          /* @__PURE__ */ jsxDEV(Badge, {
-            label: item.shareability,
-            color: shareabilityColor(item.shareability)
-          }, undefined, false, undefined, this),
-          /* @__PURE__ */ jsxDEV(Badge, {
-            label: item.recommendation,
-            color: "yellow"
-          }, undefined, false, undefined, this)
-        ]
-      }, undefined, true, undefined, this),
-      /* @__PURE__ */ jsxDEV(KeyValues, {
-        rows: [
-          ["reason", item.reason],
-          ["exists", String(item.exists)],
-          ["mode", item.mode ?? "\u2014"],
-          ["symlink", String(item.isSymlink)],
-          ["git", gitText(item)],
-          ["legacy", legacyText(item)]
-        ]
-      }, undefined, false, undefined, this),
-      item.secretFindings.length > 0 ? /* @__PURE__ */ jsxDEV(Box, {
-        flexDirection: "column",
-        children: [
-          /* @__PURE__ */ jsxDEV(Text, {
-            color: "red",
-            bold: true,
-            children: "Secret warnings"
-          }, undefined, false, undefined, this),
-          item.secretFindings.map((finding, index) => /* @__PURE__ */ jsxDEV(Text, {
-            color: "red",
-            children: [
-              "  ",
-              finding.type,
-              finding.line ? ` line ${finding.line}` : "",
-              ": ",
-              finding.preview
-            ]
-          }, `${finding.type}-${index}`, true, undefined, this))
-        ]
-      }, undefined, true, undefined, this) : null,
-      item.mirrors.length > 0 ? /* @__PURE__ */ jsxDEV(Box, {
-        flexDirection: "column",
-        children: [
-          /* @__PURE__ */ jsxDEV(Text, {
-            color: "blue",
-            bold: true,
-            children: "Mirrors"
-          }, undefined, false, undefined, this),
-          item.mirrors.map((mirror) => /* @__PURE__ */ jsxDEV(Text, {
-            children: [
-              "  ",
-              mirror.displayPath,
-              " \u2014 ",
-              mirror.exists ? mirror.identical === false ? "differs" : "identical" : "missing"
-            ]
-          }, mirror.path, true, undefined, this))
-        ]
-      }, undefined, true, undefined, this) : null,
-      /* @__PURE__ */ jsxDEV(Box, {
-        flexDirection: "column",
-        children: [
-          /* @__PURE__ */ jsxDEV(Text, {
-            bold: true,
-            children: item.preview ? "Safe preview" : "Preview"
-          }, undefined, false, undefined, this),
-          /* @__PURE__ */ jsxDEV(Text, {
-            color: item.preview ? "white" : "gray",
-            children: item.preview ? item.preview.slice(0, 3000) : `Suppressed: ${item.previewSuppressedReason ?? "not available"}`
-          }, undefined, false, undefined, this)
-        ]
-      }, undefined, true, undefined, this)
-    ]
-  }, undefined, true, undefined, this);
-}
-function DecisionsView({ decisions }) {
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    children: [
-      /* @__PURE__ */ jsxDEV(Header, {
-        title: "Decisions",
-        subtitle: `${decisions.length} saved`
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Box, {
-        flexDirection: "column",
-        marginTop: 1,
-        children: decisions.length === 0 ? /* @__PURE__ */ jsxDEV(Text, {
-          color: "gray",
-          children: "No decisions recorded yet."
-        }, undefined, false, undefined, this) : decisions.map((decision) => /* @__PURE__ */ jsxDEV(Box, {
-          gap: 1,
-          children: [
-            /* @__PURE__ */ jsxDEV(Badge, {
-              label: decision.status,
-              color: "cyan"
-            }, undefined, false, undefined, this),
-            /* @__PURE__ */ jsxDEV(Text, {
-              children: decision.itemId
-            }, undefined, false, undefined, this),
-            /* @__PURE__ */ jsxDEV(Text, {
-              color: "gray",
-              children: decision.updatedAt
-            }, undefined, false, undefined, this)
-          ]
-        }, `${decision.itemId}-${decision.updatedAt}`, true, undefined, this))
-      }, undefined, false, undefined, this)
-    ]
-  }, undefined, true, undefined, this);
-}
-function LoginPrompt({ verificationUri, userCode, expiresIn }) {
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    gap: 1,
-    children: [
-      /* @__PURE__ */ jsxDEV(Header, {
-        title: "Login with GitHub",
-        subtitle: `code expires in ${Math.round(expiresIn / 60)} minutes`
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Box, {
-        flexDirection: "column",
-        children: [
-          /* @__PURE__ */ jsxDEV(Text, {
-            children: "Open:"
-          }, undefined, false, undefined, this),
-          /* @__PURE__ */ jsxDEV(Text, {
-            color: "blue",
-            underline: true,
-            children: verificationUri
-          }, undefined, false, undefined, this)
-        ]
-      }, undefined, true, undefined, this),
-      /* @__PURE__ */ jsxDEV(Box, {
-        gap: 1,
-        children: [
-          /* @__PURE__ */ jsxDEV(Text, {
-            children: "Enter code:"
-          }, undefined, false, undefined, this),
-          /* @__PURE__ */ jsxDEV(Text, {
-            color: "green",
-            bold: true,
-            children: userCode
-          }, undefined, false, undefined, this)
-        ]
-      }, undefined, true, undefined, this)
-    ]
-  }, undefined, true, undefined, this);
-}
-function LoginSuccess({ login, apiUrl }) {
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    children: [
-      /* @__PURE__ */ jsxDEV(Header, {
-        title: "Logged in",
-        subtitle: apiUrl
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Text, {
-        color: "green",
-        children: [
-          "\u2713 ",
-          login
-        ]
-      }, undefined, true, undefined, this)
-    ]
-  }, undefined, true, undefined, this);
-}
-function WhoamiView({ login, apiUrl }) {
-  if (!login)
-    return /* @__PURE__ */ jsxDEV(Text, {
-      color: "yellow",
-      children: "Not logged in. Run `atl login`."
-    }, undefined, false, undefined, this);
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    children: [
-      /* @__PURE__ */ jsxDEV(Header, {
-        title: "Current account",
-        subtitle: apiUrl
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Text, {
-        color: "green",
-        children: login
-      }, undefined, false, undefined, this)
-    ]
-  }, undefined, true, undefined, this);
-}
-function LogoutView() {
-  return /* @__PURE__ */ jsxDEV(Text, {
-    color: "green",
-    children: "\u2713 Logged out"
-  }, undefined, false, undefined, this);
-}
-function ProfileListView({ profiles, activeProfile }) {
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    children: [
-      /* @__PURE__ */ jsxDEV(Header, {
-        title: "Profiles",
-        subtitle: `active: ${activeProfile}`
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Box, {
-        flexDirection: "column",
-        marginTop: 1,
-        children: profiles.map((profile) => /* @__PURE__ */ jsxDEV(Box, {
-          gap: 1,
-          children: [
-            /* @__PURE__ */ jsxDEV(Text, {
-              color: profile.name === activeProfile ? "green" : "gray",
-              children: profile.name === activeProfile ? "\u25CF" : "\u25CB"
-            }, undefined, false, undefined, this),
-            /* @__PURE__ */ jsxDEV(Text, {
-              bold: profile.name === activeProfile,
-              children: profile.name
-            }, undefined, false, undefined, this),
-            /* @__PURE__ */ jsxDEV(Text, {
-              color: "gray",
-              children: profile.createdAt
-            }, undefined, false, undefined, this)
-          ]
-        }, profile.id, true, undefined, this))
-      }, undefined, false, undefined, this)
-    ]
-  }, undefined, true, undefined, this);
-}
-function ProfileSavedView({ title, name }) {
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    children: [
-      /* @__PURE__ */ jsxDEV(Header, {
-        title
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Text, {
-        color: "green",
-        children: [
-          "\u2713 ",
-          name
-        ]
-      }, undefined, true, undefined, this)
-    ]
-  }, undefined, true, undefined, this);
-}
-function SavedConfigListView({ configs, profileName }) {
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    children: [
-      /* @__PURE__ */ jsxDEV(Header, {
-        title: "Saved configs",
-        subtitle: profileName
-      }, undefined, false, undefined, this),
-      configs.length === 0 ? /* @__PURE__ */ jsxDEV(Text, {
-        color: "gray",
-        children: "No saved configs yet."
-      }, undefined, false, undefined, this) : configs.map((config) => /* @__PURE__ */ jsxDEV(Box, {
-        flexDirection: "column",
-        marginTop: 1,
-        children: [
-          /* @__PURE__ */ jsxDEV(Text, {
-            bold: true,
-            children: config.stableId
-          }, undefined, false, undefined, this),
-          /* @__PURE__ */ jsxDEV(Text, {
-            color: "gray",
-            children: config.pathHint ?? "no path hint"
-          }, undefined, false, undefined, this),
-          config.latestVersion ? /* @__PURE__ */ jsxDEV(Text, {
-            color: "green",
-            children: [
-              config.latestVersion.contentSha256.slice(0, 12),
-              " \xB7 ",
-              config.latestVersion.sizeBytes,
-              " bytes \xB7 ",
-              config.latestVersion.createdAt
-            ]
-          }, undefined, true, undefined, this) : null
-        ]
-      }, config.id, true, undefined, this))
-    ]
-  }, undefined, true, undefined, this);
-}
-function SavedConfigDetailView({ config, profileName }) {
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    children: [
-      /* @__PURE__ */ jsxDEV(Header, {
-        title: config.stableId,
-        subtitle: profileName
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Text, {
-        color: "gray",
-        children: config.pathHint ?? "no path hint"
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Box, {
-        flexDirection: "column",
-        marginTop: 1,
-        children: (config.versions ?? []).map((version) => /* @__PURE__ */ jsxDEV(Text, {
-          children: [
-            version.contentSha256.slice(0, 12),
-            " \xB7 ",
-            version.sizeBytes,
-            " bytes \xB7 ",
-            version.createdAt
-          ]
-        }, version.id, true, undefined, this))
-      }, undefined, false, undefined, this)
-    ]
-  }, undefined, true, undefined, this);
-}
-function ConfigSavedView({ stableId: stableId2, profileName, versionHash, sizeBytes, reused }) {
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    children: [
-      /* @__PURE__ */ jsxDEV(Header, {
-        title: reused ? "Config already saved" : "Config saved",
-        subtitle: profileName
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Text, {
-        color: "green",
-        children: [
-          "\u2713 ",
-          stableId2
-        ]
-      }, undefined, true, undefined, this),
-      /* @__PURE__ */ jsxDEV(Text, {
-        color: "gray",
-        children: [
-          "Version ",
-          versionHash.slice(0, 12),
-          " \xB7 ",
-          sizeBytes,
-          " bytes \xB7 encrypted"
-        ]
-      }, undefined, true, undefined, this)
-    ]
-  }, undefined, true, undefined, this);
-}
-function DecisionSaved({ item, status }) {
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    children: [
-      /* @__PURE__ */ jsxDEV(Header, {
-        title: "Decision saved",
-        subtitle: item.displayPath
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Box, {
-        gap: 1,
-        children: [
-          /* @__PURE__ */ jsxDEV(Text, {
-            children: "Status:"
-          }, undefined, false, undefined, this),
-          /* @__PURE__ */ jsxDEV(Badge, {
-            label: status,
-            color: "green"
-          }, undefined, false, undefined, this)
-        ]
-      }, undefined, true, undefined, this)
-    ]
-  }, undefined, true, undefined, this);
-}
-function DoctorView({ checks }) {
-  const failing = checks.filter((check) => check.status === "fail").length;
-  const warnings = checks.filter((check) => check.status === "warn").length;
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    gap: 1,
-    children: [
-      /* @__PURE__ */ jsxDEV(Header, {
-        title: "Doctor",
-        subtitle: failing ? `${failing} failing` : warnings ? `${warnings} warning${warnings === 1 ? "" : "s"}` : "all checks passed"
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Box, {
-        flexDirection: "column",
-        children: checks.map((check) => /* @__PURE__ */ jsxDEV(Box, {
-          gap: 1,
-          children: [
-            /* @__PURE__ */ jsxDEV(Text, {
-              color: doctorColor(check.status),
-              children: doctorIcon(check.status)
-            }, undefined, false, undefined, this),
-            /* @__PURE__ */ jsxDEV(Text, {
-              bold: true,
-              children: check.label
-            }, undefined, false, undefined, this),
-            /* @__PURE__ */ jsxDEV(Text, {
-              color: "gray",
-              children: check.detail
-            }, undefined, false, undefined, this)
-          ]
-        }, check.label, true, undefined, this))
-      }, undefined, false, undefined, this)
-    ]
-  }, undefined, true, undefined, this);
-}
-function NotFound({ query }) {
-  return /* @__PURE__ */ jsxDEV(Text, {
-    color: "red",
-    children: [
-      "No inventory item matched: ",
-      query
-    ]
-  }, undefined, true, undefined, this);
-}
-function Header({ title, subtitle }) {
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    children: [
-      /* @__PURE__ */ jsxDEV(Text, {
-        bold: true,
-        color: "cyan",
-        children: "\u25C6 Atelier"
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Box, {
-        gap: 1,
-        children: [
-          /* @__PURE__ */ jsxDEV(Text, {
-            bold: true,
-            children: title
-          }, undefined, false, undefined, this),
-          subtitle ? /* @__PURE__ */ jsxDEV(Text, {
-            color: "gray",
-            children: subtitle
-          }, undefined, false, undefined, this) : null
-        ]
-      }, undefined, true, undefined, this)
-    ]
-  }, undefined, true, undefined, this);
-}
-function Stat({ label, value, color }) {
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    borderStyle: "round",
-    borderColor: color,
-    paddingX: 1,
-    children: [
-      /* @__PURE__ */ jsxDEV(Text, {
-        color,
-        bold: true,
-        children: value
-      }, undefined, false, undefined, this),
-      /* @__PURE__ */ jsxDEV(Text, {
-        color: "gray",
-        children: label
-      }, undefined, false, undefined, this)
-    ]
-  }, undefined, true, undefined, this);
-}
-function Badge({ label, color }) {
-  return /* @__PURE__ */ jsxDEV(Text, {
-    color,
-    children: [
-      "[",
-      label,
-      "]"
-    ]
-  }, undefined, true, undefined, this);
-}
-function KeyValues({ rows }) {
-  return /* @__PURE__ */ jsxDEV(Box, {
-    flexDirection: "column",
-    children: rows.map(([key, value]) => /* @__PURE__ */ jsxDEV(Box, {
-      gap: 1,
-      children: [
-        /* @__PURE__ */ jsxDEV(Text, {
-          color: "gray",
-          children: key.padEnd(10)
-        }, undefined, false, undefined, this),
-        /* @__PURE__ */ jsxDEV(Text, {
-          children: value
-        }, undefined, false, undefined, this)
-      ]
-    }, key, true, undefined, this))
-  }, undefined, false, undefined, this);
-}
-function kindColor(item) {
-  const kind = typeof item === "string" ? item : item.kind;
-  if (kind === "private")
-    return "red";
-  if (kind === "generated")
-    return "magenta";
-  if (kind === "config")
-    return "green";
-  return "yellow";
-}
-function shareabilityColor(shareability) {
-  if (shareability === "private")
-    return "red";
-  if (shareability === "shareable")
-    return "green";
-  return "yellow";
-}
-function doctorIcon(status) {
-  if (status === "pass")
-    return "\u2713";
-  if (status === "warn")
-    return "!";
-  return "\u2717";
-}
-function doctorColor(status) {
-  if (status === "pass")
-    return "green";
-  if (status === "warn")
-    return "yellow";
-  return "red";
-}
-function legacyText(item) {
-  const entries = Object.entries(item.legacyManagers ?? {});
-  if (entries.length === 0)
-    return "not scanned";
-  return entries.map(([manager, status]) => `${manager}: ${status}`).join(", ");
-}
-function gitText(item) {
-  if (!item.git)
-    return "not in repo";
-  return `${item.git.tracked ? "tracked" : "untracked"}${item.git.modified ? ", modified" : ""} @ ${item.git.root}`;
-}
-
-// src/index.tsx
-import { jsxDEV as jsxDEV2 } from "react/jsx-dev-runtime";
-var repoRoot = resolve2(import.meta.dir, "../../..");
-var stateDir = getStateDir();
-var inventoryPath = join4(stateDir, "inventory.json");
-var decisionsPath = join4(stateDir, "decisions.json");
-var decisionStatuses = new Set(["undecided", "candidate", "shareable", "machine-specific", "private", "ignored"]);
-var pipedInputLines;
-var program = new Command;
-program.name("atl").description("Atelier config inventory cockpit").version("0.1.1");
-program.command("login").description("Login to Atelier with GitHub device auth").option("--api-url <url>", "Atelier API URL", getConfiguredApiUrl()).action(async (options) => {
-  const result = await loginWithGitHub({
-    apiUrl: options.apiUrl,
-    onPrompt: async (prompt) => {
-      await renderInk(/* @__PURE__ */ jsxDEV2(LoginPrompt, {
-        verificationUri: prompt.verificationUri,
-        userCode: prompt.userCode,
-        expiresIn: prompt.expiresIn
-      }, undefined, false, undefined, this));
-    }
-  });
-  await renderInk(/* @__PURE__ */ jsxDEV2(LoginSuccess, {
-    login: result.user.login,
-    apiUrl: result.apiUrl
-  }, undefined, false, undefined, this));
-});
-program.command("whoami").description("Show the current Atelier account").action(async () => {
-  const current = await getCurrentUser();
-  await renderInk(/* @__PURE__ */ jsxDEV2(WhoamiView, {
-    login: current?.user.login,
-    apiUrl: current?.apiUrl
-  }, undefined, false, undefined, this));
-  if (!current)
-    process.exitCode = 1;
-});
-program.command("logout").description("Remove the local Atelier session").action(async () => {
-  logout();
-  await renderInk(/* @__PURE__ */ jsxDEV2(LogoutView, {}, undefined, false, undefined, this));
-});
-program.command("api").description("Run the local Atelier API server for development").option("--port <port>", "port to bind", "8787").action(async (options) => {
-  await startApi(Number(options.port));
-});
-var profile = program.command("profile").description("Manage account-backed config profiles");
-profile.command("list").description("List remote profiles").action(async () => {
-  await renderInk(/* @__PURE__ */ jsxDEV2(ProfileListView, {
-    profiles: await listProfiles(),
-    activeProfile: getActiveProfile()
-  }, undefined, false, undefined, this));
-});
-profile.command("create").description("Create a remote profile").argument("<name>").action(async (name) => {
-  const profile2 = await createProfile(name);
-  await renderInk(/* @__PURE__ */ jsxDEV2(ProfileSavedView, {
-    title: "Profile created",
-    name: profile2.name
-  }, undefined, false, undefined, this));
-});
-profile.command("switch").description("Set the active local profile after verifying it exists remotely").argument("<name>").action(async (name) => {
-  const profile2 = await getProfile(name);
-  if (!profile2)
-    throw new Error(`Profile not found: ${name}`);
-  setActiveProfile(profile2.name);
-  await renderInk(/* @__PURE__ */ jsxDEV2(ProfileSavedView, {
-    title: "Active profile",
-    name: profile2.name
-  }, undefined, false, undefined, this));
-});
-profile.command("current").description("Show the active local profile").action(async () => {
-  await renderInk(/* @__PURE__ */ jsxDEV2(ProfileSavedView, {
-    title: "Active profile",
-    name: getActiveProfile()
-  }, undefined, false, undefined, this));
-});
-program.command("checkout").description("Alias for `atl profile switch`").argument("<name>").action(async (name) => {
-  const profile2 = await getProfile(name);
-  if (!profile2)
-    throw new Error(`Profile not found: ${name}`);
-  setActiveProfile(profile2.name);
-  await renderInk(/* @__PURE__ */ jsxDEV2(ProfileSavedView, {
-    title: "Active profile",
-    name: profile2.name
-  }, undefined, false, undefined, this));
-});
-var vault = program.command("vault").description("Advanced vault controls");
-vault.command("status").description("Show vault initialization and local unlock state").action(async () => {
-  const state = await getVaultState();
-  console.log(`Vault: ${state.initialized ? "initialized" : "not initialized"}`);
-  console.log(`Local state: ${state.unlocked ? "unlocked" : "locked"}`);
-  console.log(`Active profile: ${state.activeProfile}`);
-});
-vault.command("init").description("Initialize the encrypted vault now instead of waiting for first save").action(async () => {
-  const passphrase = await readConfirmedPassphrase("Create an Atelier vault passphrase: ");
-  const result = await initializeVault(passphrase);
-  console.log(`Vault initialized for profile ${result.profileName}`);
-});
-vault.command("unlock").description("Unlock this machine with the vault passphrase").action(async () => {
-  const passphrase = await readHiddenLine("Vault passphrase: ");
-  const result = await unlockVault(passphrase);
-  console.log(`Vault unlocked for profile ${result.activeProfile}`);
-});
-vault.command("lock").description("Remove local unlocked vault material from this machine").action(async () => {
-  lockVault();
-  console.log("Vault locked");
-});
-program.command("save").description("Save a config snapshot to the active encrypted profile").argument("<id-or-path>").action(async (query) => {
-  await saveInventoryItem(query);
-});
-program.command("adopt").description("Alias for `atl save`").argument("<id-or-path>").action(async (query) => {
-  await saveInventoryItem(query);
-});
-var saved = program.command("saved").description("Inspect encrypted configs saved remotely");
-saved.command("list").description("List saved configs for the active profile").action(async () => {
-  const profileName = getActiveProfile();
-  await renderInk(/* @__PURE__ */ jsxDEV2(SavedConfigListView, {
-    configs: await listSavedConfigs(profileName),
-    profileName
-  }, undefined, false, undefined, this));
-});
-saved.command("show").description("Show saved metadata and version history").argument("<stable-id>").action(async (stableId2) => {
-  const profileName = getActiveProfile();
-  const config = await getSavedConfig(profileName, stableId2);
-  if (!config)
-    throw new Error(`Saved config not found: ${stableId2}`);
-  await renderInk(/* @__PURE__ */ jsxDEV2(SavedConfigDetailView, {
-    config,
-    profileName
-  }, undefined, false, undefined, this));
-});
-program.command("scan").description("Scan this machine and write local inventory").option("--path <path...>", "additional manual path(s) to scan").option("--legacy", "include legacy manager signals like yadm").action(async (options) => {
-  const inventory = await scan({ repoRoot, manualPaths: options.path ?? [], includeLegacyManagers: options.legacy });
-  const path = writeInventory(inventory, { path: inventoryPath });
-  await renderInk(/* @__PURE__ */ jsxDEV2(ScanSummary, {
-    inventory,
-    path
-  }, undefined, false, undefined, this));
-});
-program.command("ui").description("Open the local TanStack Start inventory UI").option("--scan", "rescan before opening the UI").option("--path <path...>", "additional manual path(s) to scan").option("--legacy", "include legacy manager signals like yadm during scan").option("--port <port>", "port to bind", "4141").action(async (options) => {
-  if (!existsSync4(inventoryPath) || options.scan) {
-    console.log("Atelier: scanning configs\u2026");
-    const inventory = await scan({ repoRoot, manualPaths: options.path ?? [], includeLegacyManagers: options.legacy });
-    writeInventory(inventory, { path: inventoryPath });
-    console.log(`Atelier: scan complete (${inventory.summary.existing}/${inventory.summary.total} existing)`);
-  }
-  console.log("Atelier: starting UI\u2026");
-  await startUi(Number(options.port));
-});
-program.command("list").description("List inventory items with polished terminal output").option("--domain <domain>", "filter by domain").option("--app <app>", "filter by app").option("--secrets", "only items with secret warnings").option("--drift", "only items with mirror drift").option("--generated", "only generated/app-state items").option("--private", "only private items").option("--missing", "only missing registry items").option("--json", "print JSON instead of Ink output").action(async (options) => {
-  const inventory = readInventory();
-  const items = filterItems(inventory.items, options);
-  if (options.json)
-    return printJson(items);
-  await renderInk(/* @__PURE__ */ jsxDEV2(ItemList, {
-    items,
-    title: "Inventory"
-  }, undefined, false, undefined, this));
-});
-program.command("inspect").description("Inspect one inventory item by id or path").argument("<id-or-path>").option("--json", "print JSON instead of Ink output").action(async (query, options) => {
-  const inventory = readInventory();
-  const item = findItem(inventory, query);
-  if (options.json)
-    return printJson(item ?? null);
-  await renderInk(item ? /* @__PURE__ */ jsxDEV2(ItemDetail, {
-    item
-  }, undefined, false, undefined, this) : /* @__PURE__ */ jsxDEV2(NotFound, {
-    query
-  }, undefined, false, undefined, this));
-});
-program.command("decisions").description("Show saved item decisions").option("--json", "print JSON instead of Ink output").action(async (options) => {
-  const decisions = readDecisions().decisions;
-  if (options.json)
-    return printJson(decisions);
-  await renderInk(/* @__PURE__ */ jsxDEV2(DecisionsView, {
-    decisions
-  }, undefined, false, undefined, this));
-});
-program.command("decide").description("Save a decision for one inventory item").argument("<id-or-path>").argument("<status>", `one of: ${Array.from(decisionStatuses).join(", ")}`).action(async (query, status) => {
-  if (!decisionStatuses.has(status)) {
-    program.error(`invalid status '${status}'. Valid: ${Array.from(decisionStatuses).join(", ")}`);
-  }
-  const inventory = readInventory();
-  const item = findItem(inventory, query);
-  if (!item) {
-    await renderInk(/* @__PURE__ */ jsxDEV2(NotFound, {
-      query
-    }, undefined, false, undefined, this));
-    process.exitCode = 1;
-    return;
-  }
-  const decisions = readDecisions();
-  decisions.decisions = decisions.decisions.filter((decision) => decision.itemId !== item.id);
-  decisions.decisions.push({ itemId: item.id, status, updatedAt: new Date().toISOString() });
-  mkdirSync4(dirname4(decisionsPath), { recursive: true });
-  writeFileSync4(decisionsPath, JSON.stringify(decisions, null, 2) + `
-`, "utf-8");
-  await renderInk(/* @__PURE__ */ jsxDEV2(DecisionSaved, {
-    item,
-    status
-  }, undefined, false, undefined, this));
-});
-program.command("summary").description("Print the last scan summary").option("--json", "print JSON instead of Ink output").action(async (options) => {
-  const inventory = readInventory();
-  if (options.json)
-    return printJson(inventory.summary);
-  await renderInk(/* @__PURE__ */ jsxDEV2(ScanSummary, {
-    inventory,
-    path: inventoryPath
-  }, undefined, false, undefined, this));
-});
-program.command("doctor").description("Check Atelier CLI, UI, inventory, and local environment health").option("--json", "print JSON instead of Ink output").action(async (options) => {
-  const checks = runDoctorChecks();
-  if (options.json)
-    printJson(checks);
-  else
-    await renderInk(/* @__PURE__ */ jsxDEV2(DoctorView, {
-      checks
-    }, undefined, false, undefined, this));
-  if (checks.some((check) => check.status === "fail"))
-    process.exitCode = 1;
-});
-program.parseAsync(process.argv).catch((error) => {
-  console.error(error instanceof Error ? error.message : error);
-  process.exit(1);
-});
-function printJson(value) {
-  console.log(JSON.stringify(value, null, 2));
-}
-function readInventory() {
-  if (!existsSync4(inventoryPath)) {
-    throw new Error("No inventory found. Run `atl scan` first.");
-  }
-  return JSON.parse(readFileSync4(inventoryPath, "utf-8"));
-}
-function readDecisions() {
-  if (!existsSync4(decisionsPath))
-    return { version: 1, decisions: [] };
-  return JSON.parse(readFileSync4(decisionsPath, "utf-8"));
-}
-function getStateDir() {
-  if (process.env.ATELIER_STATE_DIR)
-    return process.env.ATELIER_STATE_DIR;
-  if (process.env.XDG_STATE_HOME)
-    return join4(process.env.XDG_STATE_HOME, "atelier");
-  if (platform3() === "win32" && process.env.LOCALAPPDATA)
-    return join4(process.env.LOCALAPPDATA, "Atelier");
-  return join4(homedir4(), ".local", "state", "atelier");
-}
-async function saveInventoryItem(query) {
-  const inventory = readInventory();
-  const item = findItem(inventory, query);
-  if (!item) {
-    await renderInk(/* @__PURE__ */ jsxDEV2(NotFound, {
-      query
-    }, undefined, false, undefined, this));
-    process.exitCode = 1;
-    return;
-  }
-  const vault2 = await getVaultState();
-  let passphrase;
-  if (!vault2.initialized) {
-    passphrase = await readConfirmedPassphrase("Create an Atelier vault passphrase: ");
-  } else if (!vault2.unlocked) {
-    passphrase = await readHiddenLine("Vault passphrase: ");
-  }
-  const result = await saveConfigItem(item, { passphrase });
-  await renderInk(/* @__PURE__ */ jsxDEV2(ConfigSavedView, {
-    stableId: result.stableId,
-    profileName: result.profileName,
-    versionHash: result.version.contentSha256,
-    sizeBytes: result.version.sizeBytes,
-    reused: result.reused
-  }, undefined, false, undefined, this));
-}
-async function readConfirmedPassphrase(prompt) {
-  const passphrase = await readHiddenLine(prompt);
-  const confirmation = await readHiddenLine("Confirm vault passphrase: ");
-  if (passphrase !== confirmation)
-    throw new Error("Vault passphrases do not match");
-  return passphrase;
-}
-async function readHiddenLine(prompt) {
-  if (!input.isTTY) {
-    output.write(prompt);
-    pipedInputLines ??= readFileSync4(0, "utf-8").split(/\r?\n/);
-    return pipedInputLines.shift() ?? "";
-  }
-  output.write(prompt);
-  input.setRawMode(true);
-  input.resume();
-  input.setEncoding("utf-8");
-  let value = "";
-  try {
-    for await (const chunk of input) {
-      const text = String(chunk);
-      for (const char of text) {
-        if (char === "\x03") {
-          output.write(`
-`);
-          process.exit(130);
-        }
-        if (char === "\r" || char === `
-`) {
-          output.write(`
-`);
-          return value;
-        }
-        if (char === "\x7F") {
-          value = value.slice(0, -1);
-          continue;
-        }
-        value += char;
-      }
-    }
-  } finally {
-    input.setRawMode(false);
-    input.pause();
-  }
-  return value;
-}
-function filterItems(items, options) {
-  return items.filter((item) => {
-    if (options.domain && item.domain.toLowerCase() !== options.domain.toLowerCase())
-      return false;
-    if (options.app && item.app.toLowerCase() !== options.app.toLowerCase())
-      return false;
-    if (options.secrets && item.secretFindings.length === 0)
-      return false;
-    if (options.drift && !item.mirrors.some((mirror) => mirror.exists && mirror.identical === false))
-      return false;
-    if (options.generated && item.kind !== "generated")
-      return false;
-    if (options.private && item.shareability !== "private")
-      return false;
-    if (options.missing && item.exists)
-      return false;
-    return true;
-  });
-}
-function findItem(inventory, query) {
-  const normalized = normalizeQuery(query);
-  return inventory.items.find((item) => item.id === query || normalizeQuery(item.path) === normalized || normalizeQuery(item.displayPath) === normalized) ?? inventory.items.find((item) => item.displayPath.includes(query) || item.path.includes(query));
-}
-function normalizeQuery(query) {
-  return query.replace(/^~(?=\/|$)/, process.env.HOME ?? "").toLowerCase();
-}
-function runDoctorChecks() {
-  const checks = [];
-  const inventory = existsSync4(inventoryPath) ? readInventory() : undefined;
-  const bunVersion = commandOutput("bun", ["--version"]);
-  const nodeVersion = commandOutput("node", ["--version"]);
-  const atlPath = commandOutput("which", ["atl"]);
-  const gitDirty = commandOutput("git", ["status", "--porcelain"], repoRoot);
-  checks.push({
-    label: "repo",
-    status: existsSync4(join4(repoRoot, "package.json")) ? "pass" : "fail",
-    detail: repoRoot
-  });
-  checks.push({
-    label: "bun",
-    status: bunVersion ? "pass" : "fail",
-    detail: bunVersion ? `v${bunVersion}` : "not found"
-  });
-  checks.push({
-    label: "node for Vite",
-    status: nodeVersion && isViteSupportedNode(nodeVersion) ? "pass" : "warn",
-    detail: nodeVersion ? `${nodeVersion}${isViteSupportedNode(nodeVersion) ? "" : " \u2014 Vite wants 20.19+ or 22.12+"}` : "not found"
-  });
-  checks.push({
-    label: "global atl",
-    status: atlPath ? atlPath.includes(".bun") || atlPath.includes(repoRoot) ? "pass" : "warn" : "fail",
-    detail: atlPath ?? "not linked; run `bun link` from the repo"
-  });
-  checks.push({
-    label: "inventory",
-    status: inventory ? "pass" : "warn",
-    detail: inventory ? `${inventory.summary.existing}/${inventory.summary.total} existing, generated ${inventory.generatedAt}` : "missing; run `atl scan`"
-  });
-  checks.push({
-    label: "secret warnings",
-    status: inventory && inventory.summary.secrets > 0 ? "warn" : "pass",
-    detail: inventory ? `${inventory.summary.secrets} item${inventory.summary.secrets === 1 ? "" : "s"} flagged` : "no inventory"
-  });
-  checks.push({
-    label: "ui dependencies",
-    status: existsSync4(join4(repoRoot, "node_modules", "@tanstack", "react-start")) ? "pass" : "fail",
-    detail: existsSync4(join4(repoRoot, "node_modules", "@tanstack", "react-start")) ? "installed" : "missing; run `bun install`"
-  });
-  checks.push({
-    label: "git state",
-    status: gitDirty === undefined ? "warn" : gitDirty.trim() ? "warn" : "pass",
-    detail: gitDirty === undefined ? "not a git repo" : gitDirty.trim() ? `${gitDirty.trim().split(`
-`).length} changed file(s)` : "clean"
-  });
-  return checks;
-}
-function commandOutput(command, args, cwd = repoRoot) {
-  try {
-    return execFileSync4(command, args, { cwd, encoding: "utf-8", stdio: ["ignore", "pipe", "ignore"] }).trim();
-  } catch {
-    return;
-  }
-}
-function isViteSupportedNode(version) {
-  const match = version.match(/^v?(\d+)\.(\d+)\.(\d+)/);
-  if (!match)
-    return false;
-  const [, majorRaw, minorRaw] = match;
-  const major = Number(majorRaw);
-  const minor = Number(minorRaw);
-  if (major === 20)
-    return minor >= 19;
-  if (major === 22)
-    return minor >= 12;
-  return major > 22;
-}
-async function startApi(port) {
-  const apiSecret = process.env.ATELIER_API_SECRET ?? crypto.randomUUID();
-  const proc = Bun.spawn(["bun", "src/index.ts"], {
-    cwd: join4(repoRoot, "apps", "api"),
-    env: { ...process.env, PORT: String(port), ATELIER_API_SECRET: apiSecret },
-    stdin: "inherit",
-    stdout: "inherit",
-    stderr: "inherit"
-  });
-  console.log(`Atelier API: http://localhost:${port}`);
-  const code = await proc.exited;
-  process.exit(code);
-}
-async function startUi(port) {
-  const proc = Bun.spawn(["bun", "--bun", "vite", "dev", "--host", "127.0.0.1", "--port", String(port)], {
-    cwd: join4(repoRoot, "apps", "ui"),
-    env: { ...process.env, ATELIER_REPO_ROOT: repoRoot },
-    stdin: "inherit",
-    stdout: "inherit",
-    stderr: "inherit"
-  });
-  console.log(`Atelier UI: http://localhost:${port}`);
-  const code = await proc.exited;
-  process.exit(code);
-}
+import{execFileSync as un}from"child_process";import{stdin as C,stdout as F}from"process";import{existsSync as x,mkdirSync as dn,readFileSync as ke,writeFileSync as yn}from"fs";import{homedir as bn,platform as wn}from"os";import{dirname as hn,join as p,resolve as pn}from"path";import{Command as Bn}from"commander";import{execFileSync as te}from"child_process";import{chmodSync as Me,existsSync as ne,mkdirSync as Re,readFileSync as Se,rmSync as Gr,writeFileSync as _e}from"fs";import{homedir as Or,platform as Ir}from"os";import{dirname as me,join as oe}from"path";var Xe=oe(Or(),".config","atelier"),z=oe(Xe,"session.json"),S=oe(Xe,"config.json"),ie="dev.atelier.session",Hr="https://atelier.mananjoshi.me/api",qr="Ov23liiscZlMXcJ2RLnd";function le(){return process.env.ATELIER_API_URL??Hr}function Fr(){return process.env.ATELIER_GITHUB_CLIENT_ID??qr}async function Ye(e){let r=e.apiUrl??le(),t=e.clientId??Fr(),n=await Dr(t);await e.onPrompt({verificationUri:n.verification_uri,userCode:n.user_code,expiresIn:n.expires_in});let i=await jr(t,n,e.onPoll),l=await fetch(`${r}/auth/github/exchange`,{method:"POST",headers:{"content-type":"application/json"},body:JSON.stringify({githubAccessToken:i})});if(!l.ok)throw new Error(`Atelier API rejected GitHub login (${l.status})`);let a=await l.json();return Vr({apiUrl:r,user:a.user,token:a.token}),{apiUrl:r,user:a.user}}async function Je(){let e=_();if(!e)return;let r=await fetch(`${e.apiUrl}/me`,{headers:{authorization:`Bearer ${e.token}`}});if(!r.ok)return;return{user:(await r.json()).user,apiUrl:e.apiUrl}}function _(){let e=Le();if(!e)return;let r=Er(e);if(!r)return;return{apiUrl:e.apiUrl,user:e.user,token:r}}function b(){return Qe().activeProfile??"personal"}function ae(e){Pr({...Qe(),activeProfile:e})}function We(){let e=Le();if(e?.tokenStorage==="keychain")tt(e.user.id);if(ne(z))Gr(z)}function Le(){if(!ne(z))return;return JSON.parse(Se(z,"utf-8"))}function Qe(){if(!ne(S))return{};return JSON.parse(Se(S,"utf-8"))}function Pr(e){Re(me(S),{recursive:!0}),_e(S,JSON.stringify(e,null,2)+`
+`,"utf-8"),Me(S,384)}function Vr(e){Re(me(z),{recursive:!0});let r=Ir()==="darwin",t={apiUrl:e.apiUrl,user:e.user,tokenStorage:r?"keychain":"file",createdAt:new Date().toISOString()};if(r)et(e.user.id,e.token);else t.token=e.token;_e(z,JSON.stringify(t,null,2)+`
+`,"utf-8"),Me(z,384)}function Er(e){if(e.tokenStorage==="file")return e.token;return rt(e.user.id)}async function Dr(e){let r=await fetch("https://github.com/login/device/code",{method:"POST",headers:{accept:"application/json","content-type":"application/json"},body:JSON.stringify({client_id:e,scope:"read:user user:email"})});if(!r.ok)throw new Error(`GitHub device-code request failed (${r.status})`);return r.json()}async function jr(e,r,t){let n=r.interval,i=Date.now()+r.expires_in*1000;while(Date.now()<i){await nt(n*1000),await t?.("Waiting for GitHub authorization\u2026");let l=await fetch("https://github.com/login/oauth/access_token",{method:"POST",headers:{accept:"application/json","content-type":"application/json"},body:JSON.stringify({client_id:e,device_code:r.device_code,grant_type:"urn:ietf:params:oauth:grant-type:device_code"})});if(!l.ok)throw new Error(`GitHub token polling failed (${l.status})`);let a=await l.json();if(a.access_token)return a.access_token;if(a.error==="authorization_pending")continue;if(a.error==="slow_down"){n+=5;continue}if(a.error==="access_denied")throw new Error("GitHub login was denied");if(a.error==="expired_token")throw new Error("GitHub login code expired");throw new Error(a.error_description??"GitHub login failed")}throw new Error("GitHub login timed out")}function et(e,r){te("security",["add-generic-password","-a",e,"-s",ie,"-w",r,"-U"],{stdio:"ignore"})}function rt(e){try{return te("security",["find-generic-password","-a",e,"-s",ie,"-w"],{encoding:"utf-8",stdio:["ignore","pipe","ignore"]}).trim()}catch{return}}function tt(e){try{te("security",["delete-generic-password","-a",e,"-s",ie],{stdio:"ignore"})}catch{}}function nt(e){return new Promise((r)=>setTimeout(r,e))}async function Ne(){return(await(await h("/profiles")).json()).profiles}async function Ge(e){return(await(await h("/profiles",{method:"POST",headers:{"content-type":"application/json"},body:JSON.stringify({name:e})})).json()).profile}async function m(e){let r=await h(`/profiles/${encodeURIComponent(e)}`);if(r.status===404)return;return(await r.json()).profile}async function X(){return await(await h("/vault")).json()}async function Oe(e){await h("/vault",{method:"PUT",headers:{"content-type":"application/json"},body:JSON.stringify(e)})}async function Ie(e){let r=await h(`/profiles/${encodeURIComponent(e)}/key`);if(r.status===404)return;return(await r.json()).profileKey}async function ce(e,r){return(await(await h(`/profiles/${encodeURIComponent(e)}/key`,{method:"PUT",headers:{"content-type":"application/json"},body:JSON.stringify(r)})).json()).profileKey}async function He(e){return(await(await h(`/profiles/${encodeURIComponent(e)}/configs`)).json()).configs}async function qe(e,r){let t=await h(`/profiles/${encodeURIComponent(e)}/configs/${encodeURIComponent(r)}`);if(t.status===404)return;return(await t.json()).config}async function Fe(e,r,t){return await(await h(`/profiles/${encodeURIComponent(e)}/configs/${encodeURIComponent(r)}/versions`,{method:"POST",headers:{"content-type":"application/json"},body:JSON.stringify(t)})).json()}async function h(e,r={}){let t=_();if(!t)throw new Error("Not logged in. Run `atl login`.");let n=await fetch(`${t.apiUrl}${e}`,{...r,headers:{...r.headers,authorization:`Bearer ${t.token}`}});if(!n.ok&&n.status!==404){let i=await n.json().catch(()=>{return});throw new Error(i?.error??`Atelier API request failed (${n.status})`)}return n}import{createCipheriv as $t,createHash as At,randomBytes as Ct}from"crypto";import{readFile as xt}from"fs/promises";import{execFileSync as ue}from"child_process";import{createCipheriv as ot,createDecipheriv as it,randomBytes as Y,scryptSync as lt}from"crypto";import{chmodSync as at,existsSync as Ve,mkdirSync as ct,readFileSync as ft,rmSync as gt,writeFileSync as st}from"fs";import{homedir as ut,platform as de}from"os";import{dirname as dt,join as Ee}from"path";var ye="dev.atelier.vault",yt=Ee(ut(),".config","atelier"),K=Ee(yt,"vault-key.json"),Pe={N:32768,r:8,p:1},bt=67108864,fe="aes-256-gcm";async function be(){let e=U();return{initialized:(await X()).initialized,unlocked:Boolean(se(e.user.id)),activeProfile:b()}}async function we(e,r=b()){ht(e);let t=U();if((await X()).initialized)throw new Error("Atelier vault already exists. Run `atl vault unlock` if this machine is locked.");let i=await m(r);if(!i)throw new Error(`Profile not found: ${r}`);let l=Y(32),a=Y(32),d=Y(16),ee=tr(e,d,Pe),re=ge(l,ee),R=ge(a,l);return await Oe({kdf:{algorithm:"scrypt",salt:N(d),params:Pe},encryptedVaultKey:re}),await ce(r,{version:1,algorithm:R.algorithm,nonce:R.nonce,encryptedKey:R.ciphertext}),he(t.user.id,l),{profileName:i.name}}async function De(e){let r=U(),t=await X();if(!t.initialized)throw new Error("Atelier vault is not initialized. Run `atl save <id>` or `atl vault init`.");let n=rr(t,e);return he(r.user.id,n),{activeProfile:b()}}function je(){let e=U();pt(e.user.id)}async function wt(e,r=b()){let t=U(),n=se(t.user.id);if(n)return n;if(!e)throw new Error("Vault passphrase is required");let i=await X();if(!i.initialized){await we(e,r);let l=se(t.user.id);if(!l)throw new Error("Vault initialized but local key was not stored");return l}return rr(i,e)}async function er(e,r=b()){let t=await wt(e,r),n=await Ie(r);if(n)return nr(n.encryptedKey,n.nonce,t);let i=Y(32),l=ge(i,t);return await ce(r,{version:1,algorithm:l.algorithm,nonce:l.nonce,encryptedKey:l.ciphertext}),i}function rr(e,r){if(!e.kdf||!e.encryptedVaultKey)throw new Error("Vault payload is incomplete");if(e.kdf.algorithm!=="scrypt")throw new Error(`Unsupported vault KDF: ${e.kdf.algorithm}`);let t=G(e.kdf.salt),n=tr(r,t,e.kdf.params),i=nr(e.encryptedVaultKey.ciphertext,e.encryptedVaultKey.nonce,n);return he(U().user.id,i),i}function tr(e,r,t){return lt(e,r,32,{N:t.N,r:t.r,p:t.p,maxmem:bt})}function ge(e,r){let t=Y(12),n=ot(fe,r,t),i=Buffer.concat([n.update(e),n.final()]),l=n.getAuthTag();return{algorithm:fe,nonce:N(t),ciphertext:N(Buffer.concat([i,l]))}}function nr(e,r,t){let n=Buffer.from(G(e)),i=Buffer.from(G(r)),l=n.subarray(0,-16),a=n.subarray(-16),d=it(fe,t,i);return d.setAuthTag(a),Buffer.concat([d.update(l),d.final()])}function ht(e){if(e.length<12)throw new Error("Vault passphrase must be at least 12 characters.")}function U(){let e=_();if(!e)throw new Error("Not logged in. Run `atl login`.");return e}function he(e,r){let t=N(r);if(de()==="darwin"){ue("security",["add-generic-password","-a",e,"-s",ye,"-w",t,"-U"],{stdio:"ignore"});return}ct(dt(K),{recursive:!0}),st(K,JSON.stringify({userId:e,key:t},null,2)+`
+`,"utf-8"),at(K,384)}function se(e){let r=de()==="darwin"?Bt(e):zt(e);return r?Buffer.from(G(r)):void 0}function pt(e){if(de()==="darwin"){try{ue("security",["delete-generic-password","-a",e,"-s",ye],{stdio:"ignore"})}catch{}return}if(Ve(K))gt(K)}function Bt(e){try{return ue("security",["find-generic-password","-a",e,"-s",ye,"-w"],{encoding:"utf-8",stdio:["ignore","pipe","ignore"]}).trim()}catch{return}}function zt(e){if(!Ve(K))return;let r=JSON.parse(ft(K,"utf-8"));return r.userId===e?r.key:void 0}function N(e){return Buffer.from(e).toString("base64url")}function G(e){return new Uint8Array(Buffer.from(e,"base64url"))}function or(e){let r=[];if(!e.exists)r.push("file does not exist");if(e.isDirectory||e.kind==="directory"||e.format==="directory")r.push("directory saving is not supported yet");if(e.kind==="generated")r.push("generated/cache files are not saved");if(e.kind==="private"||e.shareability==="private")r.push("private/auth files are blocked");if(e.secretFindings.length>0)r.push("detected secret material");if(e.size!==void 0&&e.size>1048576)r.push(`file is larger than ${Tt(1048576)}`);if(Kt(e))r.push("binary files are not supported yet");return{ok:r.length===0,reasons:r}}function pe(e){let r=or(e);if(!r.ok)throw new Error(`Cannot save ${e.id}: ${r.reasons.join("; ")}`)}function Kt(e){if(e.previewSuppressedReason?.toLowerCase().includes("binary"))return!0;return["binary","sqlite","db"].includes(e.format.toLowerCase())}function Tt(e){if(e<1024)return`${e} B`;let r=e/1024;if(r<1024)return`${Math.round(r)} KiB`;return`${Math.round(r/1024)} MiB`}var ir="aes-256-gcm";async function cr(e,r={}){pe(e);let t=b(),n=await er(r.passphrase,t),i=await xt(e.path),l=vt(i,n),a=await Fe(t,e.id,{kind:"file",pathHint:e.displayPath,contentSha256:lr(i),ciphertextSha256:lr(l.ciphertextBytes),sizeBytes:i.byteLength,algorithm:l.algorithm,profileKeyVersion:1,nonce:l.nonce,ciphertext:l.ciphertext});return{profileName:t,stableId:e.id,version:a.version,reused:a.reused}}function vt(e,r){let t=Ct(12),n=$t(ir,r,t),i=Buffer.concat([n.update(e),n.final()]),l=n.getAuthTag(),a=Buffer.concat([i,l]);return{algorithm:ir,nonce:ar(t),ciphertext:ar(a),ciphertextBytes:a}}function lr(e){return At("sha256").update(e).digest("hex")}function ar(e){return Buffer.from(e).toString("base64url")}import{execFileSync as wr}from"child_process";import{existsSync as $,lstatSync as Mt,mkdirSync as Rt,readdirSync as Ke,readFileSync as J,statSync as k,writeFileSync as St}from"fs";import{homedir as _t,userInfo as mt}from"os";import{dirname as hr,join as T,relative as pr,resolve as Xt}from"path";var fr=[{domain:"AI Tools",app:"Pi",items:[{id:"pi.dir",path:"~/.pi",kind:"directory",format:"directory",shareability:"machine-specific"}]},{domain:"Shell",app:"Starship",items:[{id:"starship.config",path:"~/.config/starship.toml",kind:"config",format:"toml",shareability:"shareable"}]},{domain:"Editors",app:"Zed",items:[{id:"zed.dir",path:"~/.config/zed",kind:"directory",format:"directory",shareability:"shareable"},{id:"zed.settings",path:"~/.config/zed/settings.json",kind:"config",format:"jsonc",shareability:"shareable"},{id:"zed.themes",path:"~/.config/zed/themes",kind:"config",format:"directory",shareability:"shareable"},{id:"zed.prompts",path:"~/.config/zed/prompts",kind:"generated",format:"directory",shareability:"machine-specific"}]},{domain:"Git",app:"Git",items:[{id:"git.config",path:"~/.gitconfig",kind:"config",format:"gitconfig",shareability:"machine-specific"},{id:"git.config-dir",path:"~/.config/git",kind:"directory",format:"directory",shareability:"machine-specific"},{id:"git.ignore",path:"~/.gitignore",kind:"config",format:"gitignore",shareability:"machine-specific"}]},{domain:"Private/Auth",app:"Credentials",privateByDefault:!0,items:[{id:"auth.ssh",path:"~/.ssh",kind:"private",format:"directory",shareability:"private"},{id:"auth.aws",path:"~/.aws",kind:"private",format:"directory",shareability:"private"},{id:"auth.gh",path:"~/.config/gh",kind:"private",format:"directory",shareability:"private"},{id:"auth.gcloud-adc",path:"~/.config/gcloud/application_default_credentials.json",kind:"private",format:"json",shareability:"private"},{id:"auth.docker",path:"~/.docker/config.json",kind:"private",format:"json",shareability:"private"},{id:"auth.pi",path:"~/.config/pi/auth.json",kind:"private",format:"json",shareability:"private"}]},{domain:"Shell",app:"Zsh",items:[{id:"zsh.home-rc",path:"~/.zshrc",kind:"config",format:"shell",shareability:"shareable"},{id:"zsh.home-env",path:"~/.zshenv",kind:"config",format:"shell",shareability:"private"},{id:"zsh.dir",path:"~/.config/zsh",kind:"directory",format:"directory",shareability:"machine-specific"},{id:"zsh.env",path:"~/.config/zsh/.zshenv",kind:"config",format:"shell",shareability:"private"},{id:"zsh.rc",path:"~/.config/zsh/.zshrc",kind:"config",format:"shell",shareability:"shareable"},{id:"zsh.conf",path:"~/.config/zsh/conf.d",kind:"directory",format:"directory",shareability:"shareable"},{id:"zsh.zcompdump",path:"~/.config/zsh/.zcompdump",kind:"generated",format:"text",shareability:"machine-specific"},{id:"zsh.sessions",path:"~/.config/zsh/.zsh_sessions",kind:"generated",format:"directory",shareability:"machine-specific"}]},{domain:"Terminals",app:"cmux",items:[{id:"cmux.dir",path:"~/.config/cmux",kind:"directory",format:"directory",shareability:"shareable"},{id:"cmux.config",path:"~/.config/cmux/cmux.json",kind:"config",format:"jsonc",shareability:"shareable"},{id:"cmux.ghostty",path:"~/Library/Application Support/com.cmuxterm.app/config.ghostty",kind:"config",format:"ghostty",shareability:"shareable"},{id:"cmux.browser-history",path:"~/Library/Application Support/com.cmuxterm.app/browser_history.json",kind:"generated",format:"json",shareability:"machine-specific"}]}];var Be=[["GitHub token",/gh[pousr]_[A-Za-z0-9_]{20,}/g],["Slack token",/xox[baprs]-[A-Za-z0-9-]{20,}/g],["AWS access key",/AKIA[0-9A-Z]{16}/g],["Private key",/-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----/g],["Generic token assignment",/(?:token|api[_-]?key|secret|webhook|password)\s*[=:]\s*["']?[^"'\s]{12,}/gi]];function gr(e){let r=[],t=e.split(/\r?\n/);for(let[n,i]of Be)for(let l of e.matchAll(i)){let a=l.index??0,d=e.slice(0,a).split(/\r?\n/).length;r.push({type:n,line:d,preview:O(l[0])})}return t.forEach((n,i)=>{for(let l of n.matchAll(/[A-Za-z0-9_+\/=.-]{32,}/g)){let a=l[0];if(!Ut(a,n)&&ur(a,n))r.push({type:"High-entropy string",line:i+1,preview:O(a)})}}),Zt(r)}function O(e){if(e.length<=8)return"[redacted]";return`${e.slice(0,4)}\u2026${e.slice(-4)}`}function sr(e){let r=e;for(let[,t]of Be)r=r.replace(t,(n)=>O(n));return r=r.replace(/[A-Za-z0-9_+\/=.-]{32,}/g,(t)=>{if(ur(t,e))return O(t);return t}),r}function Ut(e,r){return Be.some(([,t])=>{return t.lastIndex=0,Array.from(r.matchAll(t)).some((n)=>n[0].includes(e)||e.includes(n[0]))})}function ur(e,r){if(e.startsWith("amazon."))return!1;if(e.includes("anthropic.claude"))return!1;if(/^[A-Za-z0-9.-]+@[A-Za-z0-9.-]+$/.test(e))return!1;if(/model/i.test(r)&&/^[A-Za-z0-9_.-]+$/.test(e))return!1;return kt(e)>4.2&&/[A-Za-z]/.test(e)&&/[0-9]/.test(e)}function kt(e){let r=new Map;for(let n of e)r.set(n,(r.get(n)??0)+1);let t=0;for(let n of r.values()){let i=n/e.length;t-=i*Math.log2(i)}return t}function Zt(e){let r=new Set;return e.filter((t)=>{let n=`${t.type}:${t.line}:${t.preview}`;if(r.has(n))return!1;return r.add(n),!0})}function dr(e){let n=e.replace(/\/\*[\s\S]*?\*\//g,"").replace(/(^|[^:])\/\/.*$/gm,"$1").replace(/,\s*([}\]])/g,"$1");return JSON.parse(n)}var A=_t(),Yt=new Set([".zsh",".zshrc",".zshenv",".sh",".json",".jsonc",".toml",".md",".yml",".yaml",".gitconfig",".gitignore",".ghostty",""]),Jt=[/cache/i,/history/i,/session/i,/state/i,/\.mdb$/i,/\.sqlite/i,/\.db$/i,/zcompdump/i,/logs?/i],Wt=[/credential/i,/secret/i,/token/i,/auth\.json$/i,/hosts\.yml$/i,/config\.json$/i],H;async function Te(e){H=e.includeLegacyManagers?Et():void 0;let t=Lt(e.repoRoot).flatMap((l)=>l.items.map((a)=>({definition:l,item:a}))),n=new Set,i=[];for(let{definition:l,item:a}of t){let d=ze(a.path);n.add(d),i.push(Qt(l,a,d))}for(let l of Nt()){if(n.has(l.path))continue;n.add(l.path),i.push(yr(l))}for(let l of e.manualPaths??[]){let a=ze(l);if(n.has(a))continue;n.add(a),i.push(yr({path:a,reason:"manual path"}))}return i.sort((l,a)=>`${l.domain}:${l.app}:${l.path}`.localeCompare(`${a.domain}:${a.app}:${a.path}`)),{version:1,generatedAt:new Date().toISOString(),repoRoot:e.repoRoot,home:A,items:i,summary:{total:i.length,existing:i.filter((l)=>l.exists).length,secrets:i.filter((l)=>l.secretFindings.length>0).length,drift:i.filter((l)=>l.mirrors.some((a)=>a.exists&&a.identical===!1)).length,generated:i.filter((l)=>l.kind==="generated").length,private:i.filter((l)=>l.shareability==="private").length}}}function $e(e,r={}){let t=r.path??T(e.repoRoot,".atelier","state","inventory.json");return Rt(hr(t),{recursive:!0}),St(t,JSON.stringify(e,null,2)+`
+`,"utf-8"),t}function Lt(e){let r=T(e,"packages","registry","definitions");if(!$(r))return fr;return Ke(r).filter((t)=>t.endsWith(".jsonc")).map((t)=>dr(J(T(r,t),"utf-8")))}function Qt(e,r,t){return Br({path:t,domain:e.domain,app:e.app,kind:r.kind,format:r.format,shareability:r.shareability,reason:"registry match",mirrors:r.mirrors??[],privateByDefault:e.privateByDefault,id:r.id})}function yr(e){let r=jt(e.path),t=rn(e.path),n=tn(e.path,t);return Br({path:e.path,domain:en(e.path),app:r,kind:t,format:nn(e.path),shareability:n,reason:e.reason,mirrors:[],privateByDefault:n==="private"})}function Br(e){let r=$(e.path),t=r?Mt(e.path):void 0,n=r?k(e.path):void 0,i=!!n?.isDirectory(),l=!!t?.isSymbolicLink(),a=r&&!i&&zr(e.path)?gr(J(e.path,"utf-8")):[],d=e.mirrors.map((R)=>Ot(e.path,ze(R))),ee=qt(e.kind,e.shareability,a.length,d),re=Ht(e.path,r,i,e.shareability,e.privateByDefault,e.kind);return{id:e.id??Dt(e.path),domain:e.domain,app:e.app,path:e.path,displayPath:W(e.path),kind:e.kind,format:e.format,shareability:e.shareability,exists:r,isDirectory:i,isSymlink:l,mode:n?`0${(n.mode&511).toString(8)}`:void 0,owner:r?mt().username:void 0,size:n?.size,git:r?Ft(e.path):void 0,legacyManagers:r?Pt(e.path):{},mirrors:d,secretFindings:a,...re,recommendation:ee,reason:e.reason}}function Nt(){let e=[],r=T(A,".config");if(!$(r))return e;for(let t of Ke(r,{withFileTypes:!0})){if(t.name.startsWith("."))continue;let n=T(r,t.name);if(e.push({path:n,reason:"~/.config app directory"}),!t.isDirectory())continue;for(let i of Gt(n).slice(0,80)){let l=T(n,i.name);if(Ae(l)){e.push({path:l,reason:"generated/app-state candidate"});continue}if(i.isFile()&&Ce(i.name))e.push({path:l,reason:"shallow ~/.config config candidate"});if(i.isDirectory()&&["conf.d","themes","snippets","plugins"].includes(i.name))e.push({path:l,reason:"shallow ~/.config config directory"})}}return e}function Gt(e){try{return Ke(e,{withFileTypes:!0})}catch{return[]}}function Ot(e,r){let t=$(r);if(!t||!$(e)||k(e).isDirectory()||k(r).isDirectory())return{path:r,displayPath:W(r),exists:t};let n=J(e,"utf-8"),i=J(r,"utf-8");return{path:r,displayPath:W(r),exists:t,identical:n===i,diff:n===i?void 0:It(i,n)}}function It(e,r){let t=e.split(/\r?\n/),n=r.split(/\r?\n/),i=Math.max(t.length,n.length),l=[];for(let a=0;a<i;a++){if(t[a]===n[a])continue;if(t[a]!==void 0)l.push(`-${t[a]}`);if(n[a]!==void 0)l.push(`+${n[a]}`)}return l.slice(0,200).join(`
+`)}function Ht(e,r,t,n,i,l){if(!r)return{previewSuppressedReason:"missing"};if(t)return{previewSuppressedReason:"directory"};if(n==="private"||i||l==="private")return{previewSuppressedReason:"private/auth metadata-only"};if(!zr(e))return{previewSuppressedReason:"binary or unsupported file type"};let a=J(e,"utf-8");return{preview:sr(a).slice(0,20000)}}function qt(e,r,t,n){if(t>0)return"rotate-secret";if(e==="generated")return"ignore-generated";if(r==="private")return"mark-private";if(n.some((i)=>i.exists&&i.identical===!1))return"resolve-drift";if(r==="machine-specific")return"review-machine-specific";if(e==="config"||e==="directory")return"adopt-candidate";return"none"}function Ft(e){let r=k(e).isDirectory()?e:hr(e),t=I(["rev-parse","--show-toplevel"],r);if(!t)return;let n=pr(t,e),i=!!I(["check-ignore","-q",n],t,!0),l=!!I(["ls-files","--error-unmatch",n],t,!0),a=l&&!!I(["status","--porcelain","--",n],t);return{root:t,tracked:l,modified:a,ignored:i}}function Pt(e){if(!H)return{};return{yadm:Vt(e)}}function Vt(e){let r=W(e).replace(/^~\//,"");if(H?.modified.has(r))return"modified";if(H?.tracked.has(r))return"tracked";return"unknown"}function Et(){let e=new Set((br("yadm",["ls-files"])??"").split(`
+`).filter(Boolean)),r=new Set((br("yadm",["status","--porcelain"])??"").split(`
+`).map((t)=>t.slice(3).trim()).filter(Boolean));return{tracked:e,modified:r}}function I(e,r,t=!1){try{return wr("git",e,{cwd:r,encoding:"utf-8",stdio:["ignore","pipe","ignore"]}).trim()||(t?"ok":void 0)}catch{return}}function br(e,r){try{return wr(e,r,{cwd:A,encoding:"utf-8",stdio:["ignore","pipe","ignore"]})}catch{return}}function ze(e){return Xt(e.replace(/^~(?=\/|$)/,A))}function W(e){return e.startsWith(A)?`~${e.slice(A.length)}`:e}function Dt(e){return W(e).replace(/[^A-Za-z0-9_.-]+/g,":")}function jt(e){let r=pr(T(A,".config"),e);if(!r.startsWith(".."))return r.split(/[\\/]/)[0]||"Unknown";return"Unknown"}function en(e){if(e.includes("/.config/"))return"~/.config";if(e.includes("/.ssh")||e.includes("/.aws"))return"Private/Auth";return"Unknown"}function rn(e){if(Ae(e))return"generated";if(Wt.some((r)=>r.test(e)))return"private";if($(e)&&k(e).isDirectory())return"directory";if(Ce(e))return"config";return"unknown"}function tn(e,r){if(r==="private")return"private";if(r==="generated")return"machine-specific";if(e.includes("/credentials")||e.includes("/.ssh")||e.includes("/.aws"))return"private";return"machine-specific"}function nn(e){if($(e)&&k(e).isDirectory())return"directory";if(e.endsWith(".jsonc"))return"jsonc";if(e.endsWith(".json"))return"json";if(e.endsWith(".toml"))return"toml";if(e.endsWith(".zsh"))return"shell";if(e.endsWith(".md"))return"markdown";return"text"}function Ae(e){return Jt.some((r)=>r.test(e))}function Ce(e){return/(^config\.|settings\.|rc$|\.rc$|\.zshrc$|\.zshenv$|\.jsonc?$|\.toml$|\.ya?ml$|\.zsh$|\.conf$|\.ini$)/i.test(e)}function zr(e){let r=e.split("/").pop()??"";if(Ae(e))return!1;if(r.includes("lock")||r.endsWith(".mdb")||r.endsWith(".sqlite")||r.endsWith(".db"))return!1;let t=r.includes(".")?r.slice(r.lastIndexOf(".")):"";return Yt.has(t)||Ce(r)}import{Box as f,Text as c,render as on}from"ink";import{jsxDEV as o,Fragment as sn}from"react/jsx-dev-runtime";function g(e){return on(o(sn,{children:e},void 0,!1,void 0,this)).waitUntilExit()}function xe({inventory:e,path:r}){return o(f,{flexDirection:"column",gap:1,children:[o(y,{title:"Scan complete",subtitle:r},void 0,!1,void 0,this),o(f,{gap:2,children:[o(Z,{label:"total",value:e.summary.total,color:"cyan"},void 0,!1,void 0,this),o(Z,{label:"existing",value:e.summary.existing,color:"green"},void 0,!1,void 0,this),o(Z,{label:"private",value:e.summary.private,color:"red"},void 0,!1,void 0,this),o(Z,{label:"generated",value:e.summary.generated,color:"magenta"},void 0,!1,void 0,this),o(Z,{label:"secrets",value:e.summary.secrets,color:"red"},void 0,!1,void 0,this),o(Z,{label:"drift",value:e.summary.drift,color:"blue"},void 0,!1,void 0,this)]},void 0,!0,void 0,this)]},void 0,!0,void 0,this)}function Kr({items:e,title:r}){return o(f,{flexDirection:"column",children:[o(y,{title:r,subtitle:`${e.length} item${e.length===1?"":"s"}`},void 0,!1,void 0,this),o(f,{flexDirection:"column",marginTop:1,children:e.map((t)=>o(f,{gap:1,children:[o(c,{color:t.exists?"white":"gray",children:t.exists?"\u25CF":"\u25CB"},void 0,!1,void 0,this),o(c,{color:_r(t),children:t.domain},void 0,!1,void 0,this),o(c,{color:"gray",children:"/"},void 0,!1,void 0,this),o(c,{color:"cyan",children:t.app},void 0,!1,void 0,this),o(c,{children:t.displayPath},void 0,!1,void 0,this),o(B,{label:t.shareability,color:mr(t.shareability)},void 0,!1,void 0,this),t.secretFindings.length>0?o(B,{label:"secret",color:"red"},void 0,!1,void 0,this):null,t.mirrors.some((n)=>n.exists&&n.identical===!1)?o(B,{label:"drift",color:"blue"},void 0,!1,void 0,this):null]},t.id,!0,void 0,this))},void 0,!1,void 0,this)]},void 0,!0,void 0,this)}function Tr({item:e}){return o(f,{flexDirection:"column",gap:1,children:[o(y,{title:e.app,subtitle:e.displayPath},void 0,!1,void 0,this),o(f,{gap:1,children:[o(B,{label:e.domain,color:"cyan"},void 0,!1,void 0,this),o(B,{label:e.kind,color:_r(e)},void 0,!1,void 0,this),o(B,{label:e.shareability,color:mr(e.shareability)},void 0,!1,void 0,this),o(B,{label:e.recommendation,color:"yellow"},void 0,!1,void 0,this)]},void 0,!0,void 0,this),o(ln,{rows:[["reason",e.reason],["exists",String(e.exists)],["mode",e.mode??"\u2014"],["symlink",String(e.isSymlink)],["git",gn(e)],["legacy",fn(e)]]},void 0,!1,void 0,this),e.secretFindings.length>0?o(f,{flexDirection:"column",children:[o(c,{color:"red",bold:!0,children:"Secret warnings"},void 0,!1,void 0,this),e.secretFindings.map((r,t)=>o(c,{color:"red",children:["  ",r.type,r.line?` line ${r.line}`:"",": ",r.preview]},`${r.type}-${t}`,!0,void 0,this))]},void 0,!0,void 0,this):null,e.mirrors.length>0?o(f,{flexDirection:"column",children:[o(c,{color:"blue",bold:!0,children:"Mirrors"},void 0,!1,void 0,this),e.mirrors.map((r)=>o(c,{children:["  ",r.displayPath," \u2014 ",r.exists?r.identical===!1?"differs":"identical":"missing"]},r.path,!0,void 0,this))]},void 0,!0,void 0,this):null,o(f,{flexDirection:"column",children:[o(c,{bold:!0,children:e.preview?"Safe preview":"Preview"},void 0,!1,void 0,this),o(c,{color:e.preview?"white":"gray",children:e.preview?e.preview.slice(0,3000):`Suppressed: ${e.previewSuppressedReason??"not available"}`},void 0,!1,void 0,this)]},void 0,!0,void 0,this)]},void 0,!0,void 0,this)}function $r({decisions:e}){return o(f,{flexDirection:"column",children:[o(y,{title:"Decisions",subtitle:`${e.length} saved`},void 0,!1,void 0,this),o(f,{flexDirection:"column",marginTop:1,children:e.length===0?o(c,{color:"gray",children:"No decisions recorded yet."},void 0,!1,void 0,this):e.map((r)=>o(f,{gap:1,children:[o(B,{label:r.status,color:"cyan"},void 0,!1,void 0,this),o(c,{children:r.itemId},void 0,!1,void 0,this),o(c,{color:"gray",children:r.updatedAt},void 0,!1,void 0,this)]},`${r.itemId}-${r.updatedAt}`,!0,void 0,this))},void 0,!1,void 0,this)]},void 0,!0,void 0,this)}function Ar({verificationUri:e,userCode:r,expiresIn:t}){return o(f,{flexDirection:"column",gap:1,children:[o(y,{title:"Login with GitHub",subtitle:`code expires in ${Math.round(t/60)} minutes`},void 0,!1,void 0,this),o(f,{flexDirection:"column",children:[o(c,{children:"Open:"},void 0,!1,void 0,this),o(c,{color:"blue",underline:!0,children:e},void 0,!1,void 0,this)]},void 0,!0,void 0,this),o(f,{gap:1,children:[o(c,{children:"Enter code:"},void 0,!1,void 0,this),o(c,{color:"green",bold:!0,children:r},void 0,!1,void 0,this)]},void 0,!0,void 0,this)]},void 0,!0,void 0,this)}function Cr({login:e,apiUrl:r}){return o(f,{flexDirection:"column",children:[o(y,{title:"Logged in",subtitle:r},void 0,!1,void 0,this),o(c,{color:"green",children:["\u2713 ",e]},void 0,!0,void 0,this)]},void 0,!0,void 0,this)}function xr({login:e,apiUrl:r}){if(!e)return o(c,{color:"yellow",children:"Not logged in. Run `atl login`."},void 0,!1,void 0,this);return o(f,{flexDirection:"column",children:[o(y,{title:"Current account",subtitle:r},void 0,!1,void 0,this),o(c,{color:"green",children:e},void 0,!1,void 0,this)]},void 0,!0,void 0,this)}function vr(){return o(c,{color:"green",children:"\u2713 Logged out"},void 0,!1,void 0,this)}function Ur({profiles:e,activeProfile:r}){return o(f,{flexDirection:"column",children:[o(y,{title:"Profiles",subtitle:`active: ${r}`},void 0,!1,void 0,this),o(f,{flexDirection:"column",marginTop:1,children:e.map((t)=>o(f,{gap:1,children:[o(c,{color:t.name===r?"green":"gray",children:t.name===r?"\u25CF":"\u25CB"},void 0,!1,void 0,this),o(c,{bold:t.name===r,children:t.name},void 0,!1,void 0,this),o(c,{color:"gray",children:t.createdAt},void 0,!1,void 0,this)]},t.id,!0,void 0,this))},void 0,!1,void 0,this)]},void 0,!0,void 0,this)}function L({title:e,name:r}){return o(f,{flexDirection:"column",children:[o(y,{title:e},void 0,!1,void 0,this),o(c,{color:"green",children:["\u2713 ",r]},void 0,!0,void 0,this)]},void 0,!0,void 0,this)}function kr({configs:e,profileName:r}){return o(f,{flexDirection:"column",children:[o(y,{title:"Saved configs",subtitle:r},void 0,!1,void 0,this),e.length===0?o(c,{color:"gray",children:"No saved configs yet."},void 0,!1,void 0,this):e.map((t)=>o(f,{flexDirection:"column",marginTop:1,children:[o(c,{bold:!0,children:t.stableId},void 0,!1,void 0,this),o(c,{color:"gray",children:t.pathHint??"no path hint"},void 0,!1,void 0,this),t.latestVersion?o(c,{color:"green",children:[t.latestVersion.contentSha256.slice(0,12)," \xB7 ",t.latestVersion.sizeBytes," bytes \xB7 ",t.latestVersion.createdAt]},void 0,!0,void 0,this):null]},t.id,!0,void 0,this))]},void 0,!0,void 0,this)}function Zr({config:e,profileName:r}){return o(f,{flexDirection:"column",children:[o(y,{title:e.stableId,subtitle:r},void 0,!1,void 0,this),o(c,{color:"gray",children:e.pathHint??"no path hint"},void 0,!1,void 0,this),o(f,{flexDirection:"column",marginTop:1,children:(e.versions??[]).map((t)=>o(c,{children:[t.contentSha256.slice(0,12)," \xB7 ",t.sizeBytes," bytes \xB7 ",t.createdAt]},t.id,!0,void 0,this))},void 0,!1,void 0,this)]},void 0,!0,void 0,this)}function Mr({stableId:e,profileName:r,versionHash:t,sizeBytes:n,reused:i}){return o(f,{flexDirection:"column",children:[o(y,{title:i?"Config already saved":"Config saved",subtitle:r},void 0,!1,void 0,this),o(c,{color:"green",children:["\u2713 ",e]},void 0,!0,void 0,this),o(c,{color:"gray",children:["Version ",t.slice(0,12)," \xB7 ",n," bytes \xB7 encrypted"]},void 0,!0,void 0,this)]},void 0,!0,void 0,this)}function Rr({item:e,status:r}){return o(f,{flexDirection:"column",children:[o(y,{title:"Decision saved",subtitle:e.displayPath},void 0,!1,void 0,this),o(f,{gap:1,children:[o(c,{children:"Status:"},void 0,!1,void 0,this),o(B,{label:r,color:"green"},void 0,!1,void 0,this)]},void 0,!0,void 0,this)]},void 0,!0,void 0,this)}function Sr({checks:e}){let r=e.filter((n)=>n.status==="fail").length,t=e.filter((n)=>n.status==="warn").length;return o(f,{flexDirection:"column",gap:1,children:[o(y,{title:"Doctor",subtitle:r?`${r} failing`:t?`${t} warning${t===1?"":"s"}`:"all checks passed"},void 0,!1,void 0,this),o(f,{flexDirection:"column",children:e.map((n)=>o(f,{gap:1,children:[o(c,{color:cn(n.status),children:an(n.status)},void 0,!1,void 0,this),o(c,{bold:!0,children:n.label},void 0,!1,void 0,this),o(c,{color:"gray",children:n.detail},void 0,!1,void 0,this)]},n.label,!0,void 0,this))},void 0,!1,void 0,this)]},void 0,!0,void 0,this)}function q({query:e}){return o(c,{color:"red",children:["No inventory item matched: ",e]},void 0,!0,void 0,this)}function y({title:e,subtitle:r}){return o(f,{flexDirection:"column",children:[o(c,{bold:!0,color:"cyan",children:"\u25C6 Atelier"},void 0,!1,void 0,this),o(f,{gap:1,children:[o(c,{bold:!0,children:e},void 0,!1,void 0,this),r?o(c,{color:"gray",children:r},void 0,!1,void 0,this):null]},void 0,!0,void 0,this)]},void 0,!0,void 0,this)}function Z({label:e,value:r,color:t}){return o(f,{flexDirection:"column",borderStyle:"round",borderColor:t,paddingX:1,children:[o(c,{color:t,bold:!0,children:r},void 0,!1,void 0,this),o(c,{color:"gray",children:e},void 0,!1,void 0,this)]},void 0,!0,void 0,this)}function B({label:e,color:r}){return o(c,{color:r,children:["[",e,"]"]},void 0,!0,void 0,this)}function ln({rows:e}){return o(f,{flexDirection:"column",children:e.map(([r,t])=>o(f,{gap:1,children:[o(c,{color:"gray",children:r.padEnd(10)},void 0,!1,void 0,this),o(c,{children:t},void 0,!1,void 0,this)]},r,!0,void 0,this))},void 0,!1,void 0,this)}function _r(e){let r=typeof e==="string"?e:e.kind;if(r==="private")return"red";if(r==="generated")return"magenta";if(r==="config")return"green";return"yellow"}function mr(e){if(e==="private")return"red";if(e==="shareable")return"green";return"yellow"}function an(e){if(e==="pass")return"\u2713";if(e==="warn")return"!";return"\u2717"}function cn(e){if(e==="pass")return"green";if(e==="warn")return"yellow";return"red"}function fn(e){let r=Object.entries(e.legacyManagers??{});if(r.length===0)return"not scanned";return r.map(([t,n])=>`${t}: ${n}`).join(", ")}function gn(e){if(!e.git)return"not in repo";return`${e.git.tracked?"tracked":"untracked"}${e.git.modified?", modified":""} @ ${e.git.root}`}import{jsxDEV as s}from"react/jsx-dev-runtime";var w=pn(import.meta.dir,"../../.."),Jr=zn(),v=p(Jr,"inventory.json"),V=p(Jr,"decisions.json"),ve=new Set(["undecided","candidate","shareable","machine-specific","private","ignored"]),Xr,u=new Bn;u.name("atl").description("Atelier config inventory cockpit").version("0.1.2");u.command("login").description("Login to Atelier with GitHub device auth").option("--api-url <url>","Atelier API URL",le()).action(async(e)=>{let r=await Ye({apiUrl:e.apiUrl,onPrompt:async(t)=>{await g(s(Ar,{verificationUri:t.verificationUri,userCode:t.userCode,expiresIn:t.expiresIn},void 0,!1,void 0,this))}});await g(s(Cr,{login:r.user.login,apiUrl:r.apiUrl},void 0,!1,void 0,this))});u.command("whoami").description("Show the current Atelier account").action(async()=>{let e=await Je();if(await g(s(xr,{login:e?.user.login,apiUrl:e?.apiUrl},void 0,!1,void 0,this)),!e)process.exitCode=1});u.command("logout").description("Remove the local Atelier session").action(async()=>{We(),await g(s(vr,{},void 0,!1,void 0,this))});u.command("api").description("Run the local Atelier API server for development").option("--port <port>","port to bind","8787").action(async(e)=>{await $n(Number(e.port))});var D=u.command("profile").description("Manage account-backed config profiles");D.command("list").description("List remote profiles").action(async()=>{await g(s(Ur,{profiles:await Ne(),activeProfile:b()},void 0,!1,void 0,this))});D.command("create").description("Create a remote profile").argument("<name>").action(async(e)=>{let r=await Ge(e);await g(s(L,{title:"Profile created",name:r.name},void 0,!1,void 0,this))});D.command("switch").description("Set the active local profile after verifying it exists remotely").argument("<name>").action(async(e)=>{let r=await m(e);if(!r)throw new Error(`Profile not found: ${e}`);ae(r.name),await g(s(L,{title:"Active profile",name:r.name},void 0,!1,void 0,this))});D.command("current").description("Show the active local profile").action(async()=>{await g(s(L,{title:"Active profile",name:b()},void 0,!1,void 0,this))});u.command("checkout").description("Alias for `atl profile switch`").argument("<name>").action(async(e)=>{let r=await m(e);if(!r)throw new Error(`Profile not found: ${e}`);ae(r.name),await g(s(L,{title:"Active profile",name:r.name},void 0,!1,void 0,this))});var j=u.command("vault").description("Advanced vault controls");j.command("status").description("Show vault initialization and local unlock state").action(async()=>{let e=await be();console.log(`Vault: ${e.initialized?"initialized":"not initialized"}`),console.log(`Local state: ${e.unlocked?"unlocked":"locked"}`),console.log(`Active profile: ${e.activeProfile}`)});j.command("init").description("Initialize the encrypted vault now instead of waiting for first save").action(async()=>{let e=await Nr("Create an Atelier vault passphrase: "),r=await we(e);console.log(`Vault initialized for profile ${r.profileName}`)});j.command("unlock").description("Unlock this machine with the vault passphrase").action(async()=>{let e=await E("Vault passphrase: "),r=await De(e);console.log(`Vault unlocked for profile ${r.activeProfile}`)});j.command("lock").description("Remove local unlocked vault material from this machine").action(async()=>{je(),console.log("Vault locked")});u.command("save").description("Save a config snapshot to the active encrypted profile").argument("<id-or-path>").action(async(e)=>{await Qr(e)});u.command("adopt").description("Alias for `atl save`").argument("<id-or-path>").action(async(e)=>{await Qr(e)});var Wr=u.command("saved").description("Inspect encrypted configs saved remotely");Wr.command("list").description("List saved configs for the active profile").action(async()=>{let e=b();await g(s(kr,{configs:await He(e),profileName:e},void 0,!1,void 0,this))});Wr.command("show").description("Show saved metadata and version history").argument("<stable-id>").action(async(e)=>{let r=b(),t=await qe(r,e);if(!t)throw new Error(`Saved config not found: ${e}`);await g(s(Zr,{config:t,profileName:r},void 0,!1,void 0,this))});u.command("scan").description("Scan this machine and write local inventory").option("--path <path...>","additional manual path(s) to scan").option("--legacy","include legacy manager signals like yadm").action(async(e)=>{let r=await Te({repoRoot:w,manualPaths:e.path??[],includeLegacyManagers:e.legacy}),t=$e(r,{path:v});await g(s(xe,{inventory:r,path:t},void 0,!1,void 0,this))});u.command("ui").description("Open the local TanStack Start inventory UI").option("--scan","rescan before opening the UI").option("--path <path...>","additional manual path(s) to scan").option("--legacy","include legacy manager signals like yadm during scan").option("--port <port>","port to bind","4141").action(async(e)=>{if(!x(v)||e.scan){console.log("Atelier: scanning configs\u2026");let r=await Te({repoRoot:w,manualPaths:e.path??[],includeLegacyManagers:e.legacy});$e(r,{path:v}),console.log(`Atelier: scan complete (${r.summary.existing}/${r.summary.total} existing)`)}console.log("Atelier: starting UI\u2026"),await An(Number(e.port))});u.command("list").description("List inventory items with polished terminal output").option("--domain <domain>","filter by domain").option("--app <app>","filter by app").option("--secrets","only items with secret warnings").option("--drift","only items with mirror drift").option("--generated","only generated/app-state items").option("--private","only private items").option("--missing","only missing registry items").option("--json","print JSON instead of Ink output").action(async(e)=>{let r=M(),t=Kn(r.items,e);if(e.json)return Q(t);await g(s(Kr,{items:t,title:"Inventory"},void 0,!1,void 0,this))});u.command("inspect").description("Inspect one inventory item by id or path").argument("<id-or-path>").option("--json","print JSON instead of Ink output").action(async(e,r)=>{let t=M(),n=Ze(t,e);if(r.json)return Q(n??null);await g(n?s(Tr,{item:n},void 0,!1,void 0,this):s(q,{query:e},void 0,!1,void 0,this))});u.command("decisions").description("Show saved item decisions").option("--json","print JSON instead of Ink output").action(async(e)=>{let r=Lr().decisions;if(e.json)return Q(r);await g(s($r,{decisions:r},void 0,!1,void 0,this))});u.command("decide").description("Save a decision for one inventory item").argument("<id-or-path>").argument("<status>",`one of: ${Array.from(ve).join(", ")}`).action(async(e,r)=>{if(!ve.has(r))u.error(`invalid status '${r}'. Valid: ${Array.from(ve).join(", ")}`);let t=M(),n=Ze(t,e);if(!n){await g(s(q,{query:e},void 0,!1,void 0,this)),process.exitCode=1;return}let i=Lr();i.decisions=i.decisions.filter((l)=>l.itemId!==n.id),i.decisions.push({itemId:n.id,status:r,updatedAt:new Date().toISOString()}),dn(hn(V),{recursive:!0}),yn(V,JSON.stringify(i,null,2)+`
+`,"utf-8"),await g(s(Rr,{item:n,status:r},void 0,!1,void 0,this))});u.command("summary").description("Print the last scan summary").option("--json","print JSON instead of Ink output").action(async(e)=>{let r=M();if(e.json)return Q(r.summary);await g(s(xe,{inventory:r,path:v},void 0,!1,void 0,this))});u.command("doctor").description("Check Atelier CLI, UI, inventory, and local environment health").option("--json","print JSON instead of Ink output").action(async(e)=>{let r=Tn();if(e.json)Q(r);else await g(s(Sr,{checks:r},void 0,!1,void 0,this));if(r.some((t)=>t.status==="fail"))process.exitCode=1});u.parseAsync(process.argv).catch((e)=>{console.error(e instanceof Error?e.message:e),process.exit(1)});function Q(e){console.log(JSON.stringify(e,null,2))}function M(){if(!x(v))throw new Error("No inventory found. Run `atl scan` first.");return JSON.parse(ke(v,"utf-8"))}function Lr(){if(!x(V))return{version:1,decisions:[]};return JSON.parse(ke(V,"utf-8"))}function zn(){if(process.env.ATELIER_STATE_DIR)return process.env.ATELIER_STATE_DIR;if(process.env.XDG_STATE_HOME)return p(process.env.XDG_STATE_HOME,"atelier");if(wn()==="win32"&&process.env.LOCALAPPDATA)return p(process.env.LOCALAPPDATA,"Atelier");return p(bn(),".local","state","atelier")}async function Qr(e){let r=M(),t=Ze(r,e);if(!t){await g(s(q,{query:e},void 0,!1,void 0,this)),process.exitCode=1;return}let n=await be(),i;if(!n.initialized)i=await Nr("Create an Atelier vault passphrase: ");else if(!n.unlocked)i=await E("Vault passphrase: ");let l=await cr(t,{passphrase:i});await g(s(Mr,{stableId:l.stableId,profileName:l.profileName,versionHash:l.version.contentSha256,sizeBytes:l.version.sizeBytes,reused:l.reused},void 0,!1,void 0,this))}async function Nr(e){let r=await E(e),t=await E("Confirm vault passphrase: ");if(r!==t)throw new Error("Vault passphrases do not match");return r}async function E(e){if(!C.isTTY)return F.write(e),Xr??=ke(0,"utf-8").split(/\r?\n/),Xr.shift()??"";F.write(e),C.setRawMode(!0),C.resume(),C.setEncoding("utf-8");let r="";try{for await(let t of C){let n=String(t);for(let i of n){if(i==="\x03")F.write(`
+`),process.exit(130);if(i==="\r"||i===`
+`)return F.write(`
+`),r;if(i==="\x7F"){r=r.slice(0,-1);continue}r+=i}}}finally{C.setRawMode(!1),C.pause()}return r}function Kn(e,r){return e.filter((t)=>{if(r.domain&&t.domain.toLowerCase()!==r.domain.toLowerCase())return!1;if(r.app&&t.app.toLowerCase()!==r.app.toLowerCase())return!1;if(r.secrets&&t.secretFindings.length===0)return!1;if(r.drift&&!t.mirrors.some((n)=>n.exists&&n.identical===!1))return!1;if(r.generated&&t.kind!=="generated")return!1;if(r.private&&t.shareability!=="private")return!1;if(r.missing&&t.exists)return!1;return!0})}function Ze(e,r){let t=Ue(r);return e.items.find((n)=>n.id===r||Ue(n.path)===t||Ue(n.displayPath)===t)??e.items.find((n)=>n.displayPath.includes(r)||n.path.includes(r))}function Ue(e){return e.replace(/^~(?=\/|$)/,process.env.HOME??"").toLowerCase()}function Tn(){let e=[],r=x(v)?M():void 0,t=P("bun",["--version"]),n=P("node",["--version"]),i=P("which",["atl"]),l=P("git",["status","--porcelain"],w);return e.push({label:"repo",status:x(p(w,"package.json"))?"pass":"fail",detail:w}),e.push({label:"bun",status:t?"pass":"fail",detail:t?`v${t}`:"not found"}),e.push({label:"node for Vite",status:n&&Yr(n)?"pass":"warn",detail:n?`${n}${Yr(n)?"":" \u2014 Vite wants 20.19+ or 22.12+"}`:"not found"}),e.push({label:"global atl",status:i?i.includes(".bun")||i.includes(w)?"pass":"warn":"fail",detail:i??"not linked; run `bun link` from the repo"}),e.push({label:"inventory",status:r?"pass":"warn",detail:r?`${r.summary.existing}/${r.summary.total} existing, generated ${r.generatedAt}`:"missing; run `atl scan`"}),e.push({label:"secret warnings",status:r&&r.summary.secrets>0?"warn":"pass",detail:r?`${r.summary.secrets} item${r.summary.secrets===1?"":"s"} flagged`:"no inventory"}),e.push({label:"ui dependencies",status:x(p(w,"node_modules","@tanstack","react-start"))?"pass":"fail",detail:x(p(w,"node_modules","@tanstack","react-start"))?"installed":"missing; run `bun install`"}),e.push({label:"git state",status:l===void 0?"warn":l.trim()?"warn":"pass",detail:l===void 0?"not a git repo":l.trim()?`${l.trim().split(`
+`).length} changed file(s)`:"clean"}),e}function P(e,r,t=w){try{return un(e,r,{cwd:t,encoding:"utf-8",stdio:["ignore","pipe","ignore"]}).trim()}catch{return}}function Yr(e){let r=e.match(/^v?(\d+)\.(\d+)\.(\d+)/);if(!r)return!1;let[,t,n]=r,i=Number(t),l=Number(n);if(i===20)return l>=19;if(i===22)return l>=12;return i>22}async function $n(e){let r=process.env.ATELIER_API_SECRET??crypto.randomUUID(),t=Bun.spawn(["bun","src/index.ts"],{cwd:p(w,"apps","api"),env:{...process.env,PORT:String(e),ATELIER_API_SECRET:r},stdin:"inherit",stdout:"inherit",stderr:"inherit"});console.log(`Atelier API: http://localhost:${e}`);let n=await t.exited;process.exit(n)}async function An(e){let r=Bun.spawn(["bun","--bun","vite","dev","--host","127.0.0.1","--port",String(e)],{cwd:p(w,"apps","ui"),env:{...process.env,ATELIER_REPO_ROOT:w},stdin:"inherit",stdout:"inherit",stderr:"inherit"});console.log(`Atelier UI: http://localhost:${e}`);let t=await r.exited;process.exit(t)}