@meetless/mla 0.1.4

package/dist/lib/update-check.js

@@ -0,0 +1,469 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RELEASE_TRIPLES = exports.DEFAULT_MANIFEST_URL = exports.DEFAULT_UPDATE_URL = exports.UPDATE_STATE_FILE = exports.UPDATE_CHECK_INTERVAL_MS = void 0;
+exports.parseManifest = parseManifest;
+exports.verifyManifestSignature = verifyManifestSignature;
+exports.currentTriple = currentTriple;
+exports.selectArtifact = selectArtifact;
+exports.isBelowMinVersion = isBelowMinVersion;
+exports.parseVersion = parseVersion;
+exports.isNewerVersion = isNewerVersion;
+exports.isCI = isCI;
+exports.notifierDisabled = notifierDisabled;
+exports.upgradeKillSwitch = upgradeKillSwitch;
+exports.autoUpgradeDisabled = autoUpgradeDisabled;
+exports.resolveAutoApply = resolveAutoApply;
+exports.shouldRunCheck = shouldRunCheck;
+exports.shouldShowNag = shouldShowNag;
+exports.detectInstallMethod = detectInstallMethod;
+exports.upgradeCommandFor = upgradeCommandFor;
+exports.formatUpdateNag = formatUpdateNag;
+exports.planUpgrade = planUpgrade;
+exports.parseState = parseState;
+exports.serializeState = serializeState;
+// Update notifier, copied from gh's model: a background version check on a 24h
+// throttle plus an install-method-aware upgrade nag. Two rules, both deliberate:
+//
+//   1. NEVER auto-apply. We detect how `mla` was installed and print the right
+//      upgrade command; we never rename a binary over a brew/npm-managed path
+//      (that corrupts their metadata). Detect-and-redirect, not self-replace.
+//   2. NEVER block or spam. The fetch runs in a detached child so the parent
+//      exits instantly; the nag shows only on a real TTY, off CI, and honors
+//      MLA_NO_UPDATE_NOTIFIER.
+//
+// This file is the PURE core (throttle, version compare, install-method
+// detection, nag text). The IO wrappers (spawn the child, fetch GitHub, read/
+// write the cache) live in update-notifier.ts so this stays unit-testable.
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const crypto = __importStar(require("crypto"));
+exports.UPDATE_CHECK_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24h, gh's cadence
+exports.UPDATE_STATE_FILE = "update-check.json";
+// Where the update check learns the latest published version: a plaintext file
+// on the public meetless-public bucket holding the bare version (e.g. "0.4.2"),
+// written by release.yml next to the binaries. We are not open-sourced yet, so
+// there is no public GitHub Releases feed; this keeps the nag and the installer
+// agreeing on the same release host. Override with MLA_UPDATE_URL.
+exports.DEFAULT_UPDATE_URL = "https://storage.googleapis.com/meetless-public/cli/releases/latest/VERSION";
+// --- signed release manifest -------------------------------------------------
+// The signed manifest is the source of truth the upgrade path reads: the latest
+// version, the floor below which a client is forced to upgrade, and a per-triple
+// {url, sha256} so a client can download and verify the exact bytes for its own
+// platform. It is fetched alongside a detached Ed25519 signature (manifest.json
+// .sig) so a tampered manifest is rejected before any byte is trusted.
+//
+// Hosted on the same public bucket as the binaries so the installer, the cask,
+// and the upgrade path all agree on one release host. The bucket can later sit
+// behind the meetless.ai load balancer with zero code change (override the URL).
+exports.DEFAULT_MANIFEST_URL = "https://storage.googleapis.com/meetless-public/cli/releases/latest/manifest.json";
+// The three triples we publish. Hard invariants: install.sh, the Homebrew cask,
+// and this list MUST stay byte-identical or a platform silently loses upgrades.
+exports.RELEASE_TRIPLES = [
+    "aarch64-apple-darwin",
+    "x86_64-apple-darwin",
+    "x86_64-unknown-linux-gnu",
+];
+const SHA256_RE = /^[0-9a-f]{64}$/;
+const BARE_SEMVER_RE = /^\d+\.\d+\.\d+([.-][0-9A-Za-z.-]+)?$/;
+// Allow https anywhere; allow http ONLY for loopback hosts. Loopback can't be
+// MITM'd, which is exactly what the local eval server needs, and a real release
+// URL is always https so production never downgrades the transport.
+function isAllowedArtifactUrl(u) {
+    try {
+        const url = new URL(u);
+        if (url.protocol === "https:")
+            return true;
+        if (url.protocol === "http:" &&
+            (url.hostname === "127.0.0.1" || url.hostname === "::1" || url.hostname === "localhost")) {
+            return true;
+        }
+        return false;
+    }
+    catch {
+        return false;
+    }
+}
+// Parse + validate a manifest's JSON text. Returns null on ANY shape violation
+// (wrong schemaVersion, bad semver, non-hex sha, disallowed url, empty artifact
+// set) so a malformed or truncated manifest is treated as "no update", never
+// acted on. Pure: callers verify the signature over the raw bytes first.
+function parseManifest(raw) {
+    if (!raw)
+        return null;
+    let o;
+    try {
+        o = JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+    if (!o || typeof o !== "object")
+        return null;
+    if (o.schemaVersion !== 1)
+        return null;
+    if (typeof o.channel !== "string" || !o.channel)
+        return null;
+    if (typeof o.version !== "string" || !BARE_SEMVER_RE.test(o.version))
+        return null;
+    if (typeof o.minVersion !== "string" || !BARE_SEMVER_RE.test(o.minVersion))
+        return null;
+    if (typeof o.releasedAt !== "string" || !o.releasedAt)
+        return null;
+    if (!o.artifacts || typeof o.artifacts !== "object")
+        return null;
+    const artifacts = {};
+    for (const [triple, a] of Object.entries(o.artifacts)) {
+        if (!a || typeof a !== "object")
+            return null;
+        const url = a.url;
+        const sha256 = a.sha256;
+        if (typeof url !== "string" || !isAllowedArtifactUrl(url))
+            return null;
+        if (typeof sha256 !== "string" || !SHA256_RE.test(sha256))
+            return null;
+        artifacts[triple] = { url, sha256 };
+    }
+    if (Object.keys(artifacts).length === 0)
+        return null;
+    const m = {
+        schemaVersion: 1,
+        channel: o.channel,
+        version: o.version,
+        minVersion: o.minVersion,
+        releasedAt: o.releasedAt,
+        artifacts,
+    };
+    if (typeof o.notes === "string")
+        m.notes = o.notes;
+    return m;
+}
+// Verify a detached Ed25519 signature over the EXACT manifest bytes against a
+// trust list of SPKI PEM public keys. True iff any key verifies (so the prod key
+// and a rotation key can be trusted at once). Ed25519 takes a null algorithm in
+// Node's crypto (the hash is intrinsic). A malformed key or signature returns
+// false, never throws: an unverifiable manifest is simply not trusted.
+function verifyManifestSignature(manifestBytes, signatureB64, publicKeysPem) {
+    if (!signatureB64 || publicKeysPem.length === 0)
+        return false;
+    let sig;
+    try {
+        sig = Buffer.from(signatureB64.trim(), "base64");
+    }
+    catch {
+        return false;
+    }
+    if (sig.length === 0)
+        return false;
+    for (const pem of publicKeysPem) {
+        if (!pem || !pem.trim())
+            continue;
+        try {
+            const key = crypto.createPublicKey(pem);
+            if (crypto.verify(null, manifestBytes, key, sig))
+                return true;
+        }
+        catch {
+            // a bad key in the trust list is skipped, not fatal
+        }
+    }
+    return false;
+}
+// Map this process's platform/arch to a release triple, or null if unsupported
+// (e.g. win32, or linux-arm64 which we do not publish). Mirrors install.sh's
+// detect_target so the upgrade path picks the same artifact the installer would.
+function currentTriple(platform, arch) {
+    if (platform === "darwin") {
+        if (arch === "arm64")
+            return "aarch64-apple-darwin";
+        if (arch === "x64")
+            return "x86_64-apple-darwin";
+        return null;
+    }
+    if (platform === "linux") {
+        if (arch === "x64")
+            return "x86_64-unknown-linux-gnu";
+        return null;
+    }
+    return null;
+}
+function selectArtifact(manifest, triple) {
+    if (!triple)
+        return null;
+    return manifest.artifacts[triple] ?? null;
+}
+// True iff `current` is strictly below `minVersion` (the forced-upgrade floor).
+// Reuses the dev-build-safe comparison: an unparseable current is never "below".
+function isBelowMinVersion(current, minVersion) {
+    return isNewerVersion(minVersion, current);
+}
+// --- version comparison ------------------------------------------------------
+// Parse "1.2.3" / "v1.2.3" / "1.2.3-dirty" / "abc123-dirty" into [major,minor,
+// patch], or null if it has no clean numeric core. Build suffixes (a git sha,
+// "-dirty", "+meta") are ignored: a dev build like "b6a81f7a-dirty" has no
+// semver and must never be compared as if it were behind or ahead.
+function parseVersion(v) {
+    if (!v)
+        return null;
+    const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
+    if (!m)
+        return null;
+    return [Number(m[1]), Number(m[2]), Number(m[3])];
+}
+// True iff `latest` is strictly newer than `current`. If either side has no
+// parseable semver (e.g. a dev `<sha>-dirty` build), return false: we never nag
+// someone whose version we can't reason about.
+function isNewerVersion(latest, current) {
+    const a = parseVersion(latest);
+    const b = parseVersion(current);
+    if (!a || !b)
+        return false;
+    for (let i = 0; i < 3; i++) {
+        if (a[i] > b[i])
+            return true;
+        if (a[i] < b[i])
+            return false;
+    }
+    return false;
+}
+// --- environment gating ------------------------------------------------------
+// Standard CI markers. The notifier is pointless (and noisy in logs) on CI.
+function isCI(env) {
+    return Boolean(env.CI ||
+        env.CONTINUOUS_INTEGRATION ||
+        env.GITHUB_ACTIONS ||
+        env.GITLAB_CI ||
+        env.BUILDKITE ||
+        env.CIRCLECI ||
+        env.TEAMCITY_VERSION);
+}
+// Shared env-flag truthiness: unset / "" / "0" / "false" is off, anything else
+// (1, yes, true, ...) is on. One definition so every opt-out reads the same way.
+function envTruthy(v) {
+    const s = (v || "").trim().toLowerCase();
+    return s !== "" && s !== "0" && s !== "false";
+}
+// The user-facing opt-out (gh uses GH_NO_UPDATE_NOTIFIER; we mirror it).
+function notifierDisabled(env) {
+    return envTruthy(env.MLA_NO_UPDATE_NOTIFIER);
+}
+// --- upgrade opt-out precedence ----------------------------------------------
+// The total kill switch. When set, the binary does NO self-management at all:
+// no background check, no nag, no staging, no apply-on-launch, and even an
+// explicit `mla upgrade` refuses. For locked-down / managed environments that
+// want the binary to never modify itself or phone home about versions.
+function upgradeKillSwitch(env) {
+    return envTruthy(env.MLA_DISABLE_UPGRADE);
+}
+// Disable only the automatic self-replace (background staging + apply-on-launch).
+// The check and the nag still run, and explicit `mla upgrade` still works; the
+// binary just never swaps itself without the user typing the command.
+function autoUpgradeDisabled(env) {
+    return envTruthy(env.MLA_DISABLE_AUTO_UPGRADE);
+}
+// Whether the binary may replace itself unattended (stage in the background and
+// promote on launch). Precedence, highest first:
+//   MLA_DISABLE_UPGRADE > MLA_DISABLE_AUTO_UPGRADE > MLA_NO_UPDATE_NOTIFIER
+//   > config.update.autoApply (default false: nag-only).
+function resolveAutoApply(opts) {
+    const { env, configAutoApply } = opts;
+    if (upgradeKillSwitch(env))
+        return false;
+    if (autoUpgradeDisabled(env))
+        return false;
+    if (notifierDisabled(env))
+        return false;
+    return configAutoApply === true;
+}
+// --- throttle ----------------------------------------------------------------
+// Should the background fetch run? Only when notifications could ever be shown
+// (not disabled, not CI) AND the throttle window has elapsed. Gating the fetch
+// here means a disabled notifier makes zero network calls.
+function shouldRunCheck(opts) {
+    const { state, now, env } = opts;
+    if (upgradeKillSwitch(env) || notifierDisabled(env) || isCI(env))
+        return false;
+    return now - state.lastCheckedAt >= exports.UPDATE_CHECK_INTERVAL_MS;
+}
+// --- nag display gating ------------------------------------------------------
+// Should we print the upgrade nag now? Requires a cached newer version, an
+// interactive session (both stdout and stderr are TTYs, so piping `mla ... |`
+// stays clean), off CI, and not opted out.
+function shouldShowNag(opts) {
+    const { state, currentVersion, env, stdoutTTY, stderrTTY } = opts;
+    if (notifierDisabled(env) || isCI(env))
+        return false;
+    if (!stdoutTTY || !stderrTTY)
+        return false;
+    return isNewerVersion(state.latestVersion, currentVersion);
+}
+// --- install-method detection ------------------------------------------------
+// Detect how this `mla` was installed so the nag prints the command that
+// actually works. We check both the running binary path (pkg build) and the
+// script path (node + cli.js for source/npm), because which one is meaningful
+// depends on the install:
+//   - curl|sh    -> binary lives under ~/.meetless/bin
+//   - homebrew   -> path under a brew prefix or a Caskroom dir
+//   - npm        -> path under a node_modules tree
+// MLA_INSTALL_METHOD overrides everything (an explicit escape hatch + the test seam).
+function detectInstallMethod(opts) {
+    const { execPath, scriptPath, env } = opts;
+    const override = (env.MLA_INSTALL_METHOD || "").trim().toLowerCase();
+    if (override === "homebrew" || override === "curl" || override === "npm" || override === "unknown") {
+        return override;
+    }
+    const home = opts.home ?? os.homedir();
+    const brewPrefixes = opts.brewPrefixes ?? ["/opt/homebrew", "/usr/local", "/home/linuxbrew/.linuxbrew"];
+    const candidates = [execPath, scriptPath].filter((p) => Boolean(p));
+    const within = (child, parent) => {
+        const rel = path.relative(parent, child);
+        return rel === "" || (!rel.startsWith("..") && !path.isAbsolute(rel));
+    };
+    // curl|sh install dir wins first: it is the most specific and unambiguous.
+    const curlDir = path.join(home, ".meetless", "bin");
+    if (candidates.some((c) => within(c, curlDir)))
+        return "curl";
+    // Homebrew: a Caskroom path, or anything under a brew prefix.
+    if (candidates.some((c) => c.includes(`${path.sep}Caskroom${path.sep}`)))
+        return "homebrew";
+    if (candidates.some((c) => brewPrefixes.some((p) => within(c, p))))
+        return "homebrew";
+    // npm global / npx: served out of a node_modules tree.
+    if (candidates.some((c) => c.includes(`${path.sep}node_modules${path.sep}`)))
+        return "npm";
+    return "unknown";
+}
+// The upgrade command to print for each install method.
+function upgradeCommandFor(method) {
+    switch (method) {
+        case "homebrew":
+            return "brew upgrade --cask mla";
+        case "curl":
+            return "curl -fsSL https://meetless.ai/install.sh | sh";
+        case "npm":
+            return "npm i -g @meetless/mla@latest";
+        case "unknown":
+        default:
+            // We genuinely don't know how it was installed; send them to the page
+            // rather than guess a command that might corrupt a managed install.
+            return "see https://meetless.ai/install";
+    }
+}
+// --- nag text ----------------------------------------------------------------
+// The two-line nag, gh-style. Kept here so it is asserted in tests verbatim.
+function formatUpdateNag(opts) {
+    const { current, latest, method, required } = opts;
+    const from = current ? `${current} ` : "";
+    const lead = required
+        ? `\nmla ${from}is below the minimum supported version. Please upgrade to ${latest}.\n`
+        : `\nA new release of mla is available: ${from}-> ${latest}\n`;
+    return lead + `To upgrade, run: ${upgradeCommandFor(method)}\n`;
+}
+// Decide what `mla upgrade` should do given the current version, the verified
+// manifest, this machine's triple, and whether --force was passed. Encapsulates
+// the downgrade guard: we never silently move a user to an OLDER build (a stale
+// "latest" pointer, a rolled-back release) unless they explicitly force it.
+function planUpgrade(opts) {
+    const { current, manifest, triple, force } = opts;
+    const to = manifest.version;
+    if (!triple || !selectArtifact(manifest, triple)) {
+        return { action: "no-artifact", from: current, to, triple };
+    }
+    if (isNewerVersion(to, current)) {
+        return { action: "upgrade", from: current, to, triple };
+    }
+    // Not newer: same version, older, or a current we can't parse.
+    if (force) {
+        return { action: "upgrade", from: current, to, triple };
+    }
+    const cur = parseVersion(current);
+    const tgt = parseVersion(to); // always parses; manifest.version is validated
+    if (!cur) {
+        return { action: "unparseable-current", from: current, to, triple };
+    }
+    if (tgt && cur[0] === tgt[0] && cur[1] === tgt[1] && cur[2] === tgt[2]) {
+        return { action: "up-to-date", from: current, to, triple };
+    }
+    return { action: "downgrade-blocked", from: current, to, triple };
+}
+// --- state (de)serialization -------------------------------------------------
+const EMPTY_STATE = { lastCheckedAt: 0, latestVersion: null };
+// Validate a staged-upgrade pointer read back from disk; null if any field is
+// missing or the wrong type, so a corrupt staged record is ignored, never acted
+// on (apply-on-launch re-verifies the file's sha before promoting regardless).
+function parseStaged(v) {
+    if (!v || typeof v !== "object")
+        return null;
+    const o = v;
+    if (typeof o.version !== "string" || typeof o.triple !== "string")
+        return null;
+    if (typeof o.sha256 !== "string" || typeof o.path !== "string")
+        return null;
+    if (typeof o.stagedAt !== "number")
+        return null;
+    return {
+        version: o.version,
+        triple: o.triple,
+        sha256: o.sha256,
+        path: o.path,
+        stagedAt: o.stagedAt,
+    };
+}
+function parseState(raw) {
+    if (!raw)
+        return { ...EMPTY_STATE };
+    try {
+        const o = JSON.parse(raw);
+        // Base shape only, so a pre-manifest cache deserializes to exactly the two
+        // original fields. Optional fields are attached ONLY when present and valid.
+        const state = {
+            lastCheckedAt: typeof o.lastCheckedAt === "number" ? o.lastCheckedAt : 0,
+            latestVersion: typeof o.latestVersion === "string" ? o.latestVersion : null,
+        };
+        if (typeof o.minVersion === "string")
+            state.minVersion = o.minVersion;
+        const staged = parseStaged(o.staged);
+        if (staged)
+            state.staged = staged;
+        return state;
+    }
+    catch {
+        // A corrupt cache is treated as "never checked", never fatal.
+        return { ...EMPTY_STATE };
+    }
+}
+function serializeState(state) {
+    return JSON.stringify(state);
+}

package/dist/lib/update-notifier.js

@@ -0,0 +1,217 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.stateFilePath = exports.writeUpdateState = exports.readUpdateState = void 0;
+exports.maybeSpawnBackgroundCheck = maybeSpawnBackgroundCheck;
+exports.maybeShowUpdateNag = maybeShowUpdateNag;
+exports.fetchLatestVersion = fetchLatestVersion;
+exports.runInternalUpdateCheck = runInternalUpdateCheck;
+// IO layer for the update notifier. The decision logic is the pure core in
+// update-check.ts; the heavier upgrade IO (cache read/write, manifest fetch +
+// verify, download, swap, stage) lives in upgrade-apply.ts. This file wires the
+// two together for the two background concerns: spawn the detached check child,
+// and print the nag. Every function here is best-effort and swallows its own
+// errors: the update notifier must never change an exit code or break a command.
+const child_process_1 = require("child_process");
+const update_check_1 = require("./update-check");
+const observability_1 = require("./observability");
+const config_1 = require("./config");
+const upgrade_apply_1 = require("./upgrade-apply");
+const fs = __importStar(require("fs"));
+// Re-export the cache IO from its new home so existing importers keep working.
+var upgrade_apply_2 = require("./upgrade-apply");
+Object.defineProperty(exports, "readUpdateState", { enumerable: true, get: function () { return upgrade_apply_2.readUpdateState; } });
+Object.defineProperty(exports, "writeUpdateState", { enumerable: true, get: function () { return upgrade_apply_2.writeUpdateState; } });
+Object.defineProperty(exports, "stateFilePath", { enumerable: true, get: function () { return upgrade_apply_2.stateFilePath; } });
+// Spawn a detached `mla _internal update-check` that fetches the signed manifest
+// (and stages a binary when auto-apply is on), writes the cache, then returns
+// immediately. The parent never waits on it. Skipped entirely for `_internal`
+// commands (so the check child can't recurse) and whenever the throttle/gating
+// says no (shouldRunCheck).
+function maybeSpawnBackgroundCheck(opts) {
+    try {
+        const { command, env, now } = opts;
+        if (command === "_internal")
+            return; // never recurse from the check child
+        const entry = process.argv[1];
+        if (!entry)
+            return; // no re-invokable entry; skip rather than guess
+        if (!(0, update_check_1.shouldRunCheck)({ state: (0, upgrade_apply_1.readUpdateState)(), now, env }))
+            return;
+        const child = (0, child_process_1.spawn)(process.execPath, [entry, "_internal", "update-check"], {
+            detached: true,
+            stdio: "ignore",
+        });
+        child.on("error", () => { }); // swallow ENOENT etc; never throw from here
+        child.unref();
+    }
+    catch {
+        // never let the notifier break the real command
+    }
+}
+// Print the upgrade nag to stderr if a newer version is cached and the session
+// is interactive (TTY) and not opted out / not CI. stderr keeps it off stdout
+// so `mla ... | jq` stays clean. When the current version is below the manifest
+// floor (minVersion), the stronger "required" wording is shown.
+function maybeShowUpdateNag(opts) {
+    try {
+        const { currentVersion, env } = opts;
+        const state = (0, upgrade_apply_1.readUpdateState)();
+        const show = (0, update_check_1.shouldShowNag)({
+            state,
+            currentVersion,
+            env,
+            stdoutTTY: Boolean(process.stdout.isTTY),
+            stderrTTY: Boolean(process.stderr.isTTY),
+        });
+        if (!show || !state.latestVersion)
+            return;
+        const method = (0, update_check_1.detectInstallMethod)({
+            execPath: process.execPath,
+            scriptPath: process.argv[1],
+            env,
+        });
+        const required = (0, update_check_1.isBelowMinVersion)(currentVersion, state.minVersion ?? null);
+        process.stderr.write((0, update_check_1.formatUpdateNag)({ current: currentVersion, latest: state.latestVersion, method, required }));
+    }
+    catch {
+        // never let the notifier break the real command
+    }
+}
+// Query the plaintext release feed for the latest version (bare, no leading v).
+// This is the FALLBACK path used only when the signed manifest is unreachable
+// (e.g. during the manifest rollout window): it keeps the nag working but cannot
+// drive a self-upgrade (no per-artifact sha to verify). Returns null on any
+// failure so the caller just leaves the cache untouched.
+async function fetchLatestVersion(opts) {
+    const url = opts?.url ?? process.env.MLA_UPDATE_URL ?? update_check_1.DEFAULT_UPDATE_URL;
+    const timeoutMs = opts?.timeoutMs ?? 4000;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        const res = await fetch(url, {
+            headers: { "User-Agent": "mla-update-check" },
+            signal: controller.signal,
+        });
+        if (!res.ok)
+            return null;
+        // The VERSION file holds a single bare version line (e.g. "0.4.2"). Trim
+        // whitespace, take the first line, and drop an optional leading "v". Guard
+        // against an unexpected large/HTML body so a misrouted URL can't poison the
+        // cache with junk.
+        const text = (await res.text()).trim();
+        const first = text.split(/\r?\n/, 1)[0]?.trim() ?? "";
+        const ver = first.replace(/^v/, "");
+        if (!/^\d+\.\d+\.\d+([.-][0-9A-Za-z.-]+)?$/.test(ver))
+            return null;
+        return ver;
+    }
+    catch {
+        return null;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+// `mla _internal update-check`: the detached child. Fetch + verify the signed
+// manifest, stamp latestVersion + minVersion, and (when auto-apply is enabled on
+// a curl install) download + verify + stage a newer binary so apply-on-launch is
+// a cheap local swap. Always exits 0 (best-effort); stamps lastCheckedAt even on
+// a failed fetch so a flaky network doesn't hammer the feed every command.
+async function runInternalUpdateCheck() {
+    const now = Date.now();
+    const env = process.env;
+    const buildInfo = (0, observability_1.loadBuildInfo)();
+    const prev = (0, upgrade_apply_1.readUpdateState)();
+    const verified = await (0, upgrade_apply_1.fetchManifest)({ env, buildInfo });
+    let latestVersion = prev.latestVersion;
+    let minVersion = prev.minVersion ?? null;
+    if (verified) {
+        latestVersion = verified.manifest.version;
+        minVersion = verified.manifest.minVersion;
+    }
+    else {
+        // Manifest unreachable: fall back to the plaintext VERSION feed so the nag
+        // keeps working. Cannot stage from this path (no verified artifact sha).
+        const plain = await fetchLatestVersion();
+        if (plain)
+            latestVersion = plain;
+    }
+    let staged = prev.staged ?? null;
+    if (verified &&
+        (0, update_check_1.resolveAutoApply)({ env, configAutoApply: (0, config_1.readUpdateConfig)().autoApply })) {
+        const method = (0, update_check_1.detectInstallMethod)({
+            execPath: process.execPath,
+            scriptPath: process.argv[1],
+            env,
+        });
+        if (method === "curl") {
+            const triple = (0, update_check_1.currentTriple)(process.platform, process.arch);
+            const plan = (0, update_check_1.planUpgrade)({
+                current: buildInfo.version,
+                manifest: verified.manifest,
+                triple,
+                force: false,
+            });
+            if (plan.action === "upgrade" && triple) {
+                const already = staged &&
+                    staged.version === plan.to &&
+                    staged.triple === triple &&
+                    fs.existsSync(staged.path);
+                if (!already) {
+                    const artifact = (0, update_check_1.selectArtifact)(verified.manifest, triple);
+                    if (artifact) {
+                        const extracted = await (0, upgrade_apply_1.downloadVerifyExtract)({ artifact });
+                        if (extracted) {
+                            try {
+                                staged = (0, upgrade_apply_1.stageBinary)({
+                                    binaryPath: extracted.binaryPath,
+                                    version: plan.to,
+                                    triple,
+                                    now,
+                                });
+                            }
+                            finally {
+                                (0, upgrade_apply_1.cleanupDir)(extracted.dir);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+    (0, upgrade_apply_1.writeUpdateState)({ lastCheckedAt: now, latestVersion, minVersion, staged });
+    return 0;
+}