@moneysiren/cli 0.1.0-alpha.0 → 0.1.0-alpha.1

package/README.md

@@ -20,6 +20,7 @@ moneysiren
 moneysiren --version
 moneysiren /version
 moneysiren install --status
+moneysiren install --all
 moneysiren modes
 moneysiren /modes
 moneysiren doctor
@@ -33,7 +34,7 @@ During a PowerShell, cmd, or shell install with an interactive TTY, `postinstall
 - Web dashboard
 - HUD
 
-Press Enter to accept the recommended default, which selects all three. In CI or non-interactive npm installs, MoneySiren writes that all-selected profile automatically. Re-run `moneysiren install` later to change the profile, or use `moneysiren install --status` to inspect it.
+Press Enter to accept the recommended default, which selects all three. In CI or non-interactive npm installs, MoneySiren writes that all-selected profile automatically. Run `moneysiren install --all` to download GitHub Release assets for the web runtime and HUD desktop shell. Use `moneysiren install --profile-only` to change only the local profile, or `moneysiren install --status` to inspect it.
 
 One-off execution:
 
@@ -66,7 +67,7 @@ Install the generated tarball into a temporary project:
 mkdir -p /tmp/moneysiren-alpha-review
 cd /tmp/moneysiren-alpha-review
 npm init -y
-npm install /path/to/moneysiren-cli-0.1.0-alpha.0.tgz
+npm install /path/to/moneysiren-cli-0.1.0-alpha.1.tgz
 npm exec moneysiren
 npm exec moneysiren -- --version
 npm exec moneysiren -- /version
@@ -82,7 +83,7 @@ PowerShell equivalent for the temporary project:
 New-Item -ItemType Directory -Force -Path $env:TEMP\moneysiren-alpha-review
 Set-Location $env:TEMP\moneysiren-alpha-review
 npm init -y
-npm install C:\path\to\moneysiren-cli-0.1.0-alpha.0.tgz
+npm install C:\path\to\moneysiren-cli-0.1.0-alpha.1.tgz
 npm exec moneysiren
 npm exec moneysiren -- --version
 npm exec moneysiren -- modes
@@ -104,6 +105,8 @@ npm run publish:cli:alpha
 
 The dry run checks the full secret scan, package metadata, npm registry version availability, and tarball contents. The publish command requires `npm login` in the local terminal and publishes this package with the `alpha` tag and public access.
 
+If npm requires passkey or browser approval, complete the URL printed by npm and rerun the publish command. For CI publishing, add a granular npm token with publish access and bypass 2FA enabled as the `NPM_TOKEN` GitHub repository secret, then run the `npm-publish-cli` workflow manually.
+
 ## Slash Home
 
 Running `moneysiren` without subcommands prints a readable slash-command home guide. In a TTY it may enter a minimal line-based slash prompt; in CI or non-TTY package review it prints the guide and exits `0`.

package/dist/apps/cli/src/cli.d.ts

@@ -5,7 +5,7 @@ import type { AwsCostExplorerClientAdapter } from "../../../packages/connectors/
 import type { CloudflareBillingUsageClient } from "../../../packages/connectors/cloudflare/src/index.js";
 import type { OpenAiUsageCostsClient } from "../../../packages/connectors/openai/src/index.js";
 import type { SupabaseManagementClient } from "../../../packages/connectors/supabase/src/index.js";
-export declare const CLI_VERSION = "0.1.0-alpha.0";
+export { CLI_VERSION } from "./version.js";
 export interface CliRuntime {
     cwd?: string;
     env?: Record<string, string | undefined>;

package/dist/apps/cli/src/cli.js

@@ -14,7 +14,8 @@ import { runSlashPrompt } from "./interactive.js";
 import { openUrlInBrowser } from "./runtime-adapter.js";
 import { resolveSlashCommand } from "./slash.js";
 import { createTheme } from "./theme.js";
-export const CLI_VERSION = "0.1.0-alpha.0";
+import { CLI_VERSION } from "./version.js";
+export { CLI_VERSION } from "./version.js";
 const HELP = renderHelpScreen(CLI_VERSION);
 export async function runCli(args, runtime = {}) {
     const stdout = runtime.stdoutBuffer ?? [];

package/dist/apps/cli/src/commands/install.js

@@ -1,12 +1,14 @@
 import { DEFAULT_INSTALL_SURFACES, INSTALL_SURFACES, isInstallSurface, readInstallProfileFile, resolveInstallProfilePath, writeInstallProfileFile, } from "../install-profile.js";
 import { formatInstallSelectionLine, installSelectionHelp, parseInstallSurfaceSelection, promptForInstallSurfaces, } from "../install-selector.js";
+import { DEFAULT_RELEASE_REPOSITORY, DEFAULT_RELEASE_TAG, installReleaseAssets, } from "../release-installer.js";
 const INSTALL_USAGE = [
-    "Usage: moneysiren install [--status|--all|--cli|--web|--hud|--no-cli|--no-web|--no-hud]",
+    "Usage: moneysiren install [--status|--all|--cli|--web|--hud|--no-cli|--no-web|--no-hud] [--profile-only] [--tag <tag>] [--repo <owner/name>] [--dir <path>]",
     "",
     "Components:",
     installSelectionHelp(),
     "",
     "Default: all components selected (recommended).",
+    `Release default: ${DEFAULT_RELEASE_REPOSITORY}@${DEFAULT_RELEASE_TAG}.`,
 ].join("\n");
 export async function runInstallCommand(args, context) {
     if (args.includes("--help") || args.includes("-h")) {
@@ -21,7 +23,15 @@ export async function runInstallCommand(args, context) {
         context.stderr(INSTALL_USAGE);
         return 1;
     }
-    const selectedSurfaces = parsed ?? await selectedSurfacesFromPromptOrDefault(context);
+    const selectedSurfaces = parsed.selectedSurfaces ?? await selectedSurfacesFromPromptOrDefault(context);
+    const releaseResult = await installReleaseAssetsForSelectionSafely({
+        context,
+        parsed,
+        selectedSurfaces,
+    });
+    if (releaseResult === "failed") {
+        return 1;
+    }
     const profile = await writeInstallProfileFile({
         selectedSurfaces,
         source: "cli",
@@ -32,6 +42,7 @@ export async function runInstallCommand(args, context) {
     });
     context.stdout("MoneySiren install profile updated.");
     context.stdout(formatInstallSelectionLine(profile.selectedSurfaces));
+    writeReleaseInstallResult(context, releaseResult);
     context.stdout("Secrets returned: false");
     return 0;
 }
@@ -59,17 +70,63 @@ async function selectedSurfacesFromPromptOrDefault(context) {
 }
 function parseInstallArgs(args) {
     if (args.length === 0) {
-        return undefined;
+        return {
+            profileOnly: false,
+        };
     }
     if (args.length === 1) {
         const selected = parseInstallSurfaceSelection(args[0] ?? "");
         if (selected !== null) {
-            return selected;
+            return {
+                profileOnly: false,
+                selectedSurfaces: selected,
+            };
         }
     }
     let explicitIncludes = false;
+    let installDir;
+    let profileOnly = false;
+    let releaseRepository;
+    let releaseTag;
     const selected = new Set();
-    for (const arg of args) {
+    for (let index = 0; index < args.length; index += 1) {
+        const arg = args[index];
+        if (arg === undefined) {
+            return null;
+        }
+        if (arg === "--profile-only") {
+            profileOnly = true;
+            continue;
+        }
+        if (arg === "--tag" || arg === "--repo" || arg === "--dir") {
+            const value = args[index + 1];
+            if (value === undefined || value.startsWith("--")) {
+                return null;
+            }
+            if (arg === "--tag") {
+                releaseTag = value;
+            }
+            else if (arg === "--repo") {
+                releaseRepository = value;
+            }
+            else {
+                installDir = value;
+            }
+            index += 1;
+            continue;
+        }
+        if (arg.startsWith("--tag=")) {
+            releaseTag = arg.slice("--tag=".length);
+            continue;
+        }
+        if (arg.startsWith("--repo=")) {
+            releaseRepository = arg.slice("--repo=".length);
+            continue;
+        }
+        if (arg.startsWith("--dir=")) {
+            installDir = arg.slice("--dir=".length);
+            continue;
+        }
         if (arg === "--all") {
             for (const surface of DEFAULT_INSTALL_SURFACES) {
                 selected.add(surface);
@@ -107,10 +164,72 @@ function parseInstallArgs(args) {
         explicitIncludes = true;
     }
     const normalized = INSTALL_SURFACES.filter((surface) => selected.has(surface));
-    return normalized.length === 0 ? null : normalized;
+    if (normalized.length === 0 && explicitIncludes) {
+        return null;
+    }
+    return {
+        ...(installDir === undefined ? {} : { installDir }),
+        profileOnly,
+        ...(releaseRepository === undefined ? {} : { releaseRepository }),
+        ...(releaseTag === undefined ? {} : { releaseTag }),
+        ...(normalized.length === 0 ? {} : { selectedSurfaces: normalized }),
+    };
 }
 function isDefaultSelection(selectedSurfaces) {
     return selectedSurfaces.length === INSTALL_SURFACES.length &&
         INSTALL_SURFACES.every((surface, index) => selectedSurfaces[index] === surface);
 }
+async function installReleaseAssetsForSelection(input) {
+    if (input.parsed.profileOnly) {
+        return "profile-only";
+    }
+    if (!input.selectedSurfaces.some((surface) => surface === "web" || surface === "hud")) {
+        return "cli-only";
+    }
+    return installReleaseAssets({
+        env: input.context.env,
+        fetchImpl: input.context.fetch,
+        ...(input.parsed.installDir === undefined ? {} : { installDir: input.parsed.installDir }),
+        now: input.context.now,
+        ...(input.parsed.releaseRepository === undefined ? {} : { repository: input.parsed.releaseRepository }),
+        selectedSurfaces: input.selectedSurfaces,
+        ...(input.parsed.releaseTag === undefined ? {} : { tag: input.parsed.releaseTag }),
+    });
+}
+async function installReleaseAssetsForSelectionSafely(input) {
+    try {
+        return await installReleaseAssetsForSelection(input);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        input.context.stderr(`Release asset installation failed: ${message}`);
+        if (input.selectedSurfaces.includes("hud")) {
+            input.context.stderr("The selected HUD desktop artifact must be present, checksummed, and signed before MoneySiren will install it.");
+            input.context.stderr("For now, use `moneysiren install --web` to install only the web runtime, or retry after a signed desktop release is published.");
+        }
+        input.context.stderr("Install profile was not changed.");
+        return "failed";
+    }
+}
+function writeReleaseInstallResult(context, result) {
+    if (result === "profile-only") {
+        context.stdout("Release assets: skipped (--profile-only).");
+        return;
+    }
+    if (result === "cli-only") {
+        context.stdout("Release assets: skipped (CLI-only selection).");
+        return;
+    }
+    writeReleaseInstallSummary(context, result);
+}
+function writeReleaseInstallSummary(context, result) {
+    context.stdout(`Release: ${result.repository}@${result.tag}`);
+    context.stdout(`Release URL: ${result.releaseUrl}`);
+    context.stdout(`Install directory: ${result.installDir}`);
+    for (const asset of result.assets) {
+        context.stdout(`Downloaded ${asset.surface}: ${asset.name}`);
+        context.stdout(`  SHA256 verified: ${asset.checksumVerified ? "yes" : "checksum unavailable"}`);
+        context.stdout(`  Signature verified: ${asset.signatureVerified ? "yes" : "not required"}`);
+    }
+}
 //# sourceMappingURL=install.js.map

package/dist/apps/cli/src/commands/modes.js

@@ -25,17 +25,20 @@ export async function runModesCommand(args, context) {
     context.stdout("   Try: moneysiren sync --provider mock");
     context.stdout("");
     context.stdout("2. Local web dashboard/runtime");
-    context.stdout(`   Status: ${surfaceStatus("web", selectedSurfaces)} local API runtime is available from the npm CLI package`);
+    context.stdout(`   Status: ${surfaceStatus("web", selectedSurfaces)} GitHub Release web runtime archive is installed by the CLI`);
+    context.stdout("   Install: moneysiren install --web");
     context.stdout("   Try: moneysiren serve [--port <port>]");
     context.stdout("   Try: moneysiren dashboard check");
-    context.stdout("   Note: the full Next.js dashboard is run from the repo or a future bundled desktop app.");
+    context.stdout("   Note: the npm CLI starts the local API; full dashboard runtime ships as a release asset.");
     context.stdout("");
     context.stdout("3. Desktop tray/notifier");
-    context.stdout(`   Status: ${surfaceStatus("hud", selectedSurfaces)} Windows/macOS target is the thin Tauri tray shell; the native tray binary is not bundled in moneysiren`);
+    context.stdout(`   Status: ${surfaceStatus("hud", selectedSurfaces)} Windows/macOS target is the thin Tauri tray shell from GitHub Releases`);
+    context.stdout("   Install: moneysiren install --hud");
     context.stdout("   Try: moneysiren desktop status");
     context.stdout("   Try: moneysiren notify once --dry-run");
     context.stdout("");
-    context.stdout("Change selection: moneysiren install");
+    context.stdout("Install recommended set: moneysiren install --all");
+    context.stdout("Change selection only: moneysiren install --profile-only");
     return 0;
 }
 function surfaceStatus(surface, selectedSurfaces) {

package/dist/apps/cli/src/release-installer.d.ts

@@ -0,0 +1,54 @@
+import type { InstallSurface } from "./install-profile.js";
+export declare const DEFAULT_RELEASE_REPOSITORY = "ztwz11/moneysiren";
+export declare const DEFAULT_RELEASE_TAG = "v0.1.0-alpha.0";
+export interface ReleaseInstallOptions {
+    env?: Record<string, string | undefined>;
+    fetchImpl: typeof fetch;
+    installDir?: string;
+    now?: () => Date;
+    platform?: NodeJS.Platform;
+    repository?: string;
+    selectedSurfaces: readonly InstallSurface[];
+    signatureVerifier?: ReleaseAssetSignatureVerifier;
+    tag?: string;
+    trustedWindowsSignerThumbprints?: readonly string[];
+}
+export interface ReleaseInstallResult {
+    repository: string;
+    tag: string;
+    installDir: string;
+    releaseUrl: string;
+    assets: readonly InstalledReleaseAsset[];
+}
+export interface InstalledReleaseAsset {
+    surface: Exclude<InstallSurface, "cli">;
+    name: string;
+    path: string;
+    size: number;
+    sha256: string;
+    checksumVerified: boolean;
+    signatureVerified: boolean;
+}
+export interface ReleaseAssetSignatureVerifier {
+    verify(input: ReleaseAssetSignatureVerificationInput): Promise<ReleaseAssetSignatureVerificationResult>;
+}
+export interface ReleaseAssetSignatureVerificationInput {
+    assetName: string;
+    expectedSignerThumbprints?: readonly string[];
+    path: string;
+    platform: NodeJS.Platform;
+    surface: Exclude<InstallSurface, "cli">;
+}
+export interface ReleaseAssetSignatureVerificationResult {
+    verified: boolean;
+    status: string;
+    message: string;
+}
+export declare function installReleaseAssets(options: ReleaseInstallOptions): Promise<ReleaseInstallResult>;
+export declare function resolveReleaseInstallDir(input?: {
+    env?: Record<string, string | undefined>;
+    installDir?: string;
+    platform?: NodeJS.Platform;
+    tag?: string;
+}): string;
+//# sourceMappingURL=release-installer.d.ts.map

package/dist/apps/cli/src/release-installer.js

@@ -0,0 +1,393 @@
+import { createHash } from "node:crypto";
+import { execFile } from "node:child_process";
+import { mkdir, unlink, writeFile } from "node:fs/promises";
+import { homedir } from "node:os";
+import { basename, isAbsolute, join, posix, resolve, win32 } from "node:path";
+import { promisify } from "node:util";
+const execFileAsync = promisify(execFile);
+export const DEFAULT_RELEASE_REPOSITORY = "ztwz11/moneysiren";
+// The npm CLI can patch faster than desktop assets; keep this pinned until a signed release supersedes it.
+export const DEFAULT_RELEASE_TAG = "v0.1.0-alpha.0";
+const RELEASE_REPOSITORY_ENV_KEY = "MONEYSIREN_RELEASE_REPOSITORY";
+const RELEASE_TAG_ENV_KEY = "MONEYSIREN_RELEASE_TAG";
+const RELEASE_INSTALL_DIR_ENV_KEY = "MONEYSIREN_RELEASE_INSTALL_DIR";
+const RELEASE_PLATFORM_ENV_KEY = "MONEYSIREN_RELEASE_PLATFORM";
+const WINDOWS_SIGNER_THUMBPRINTS_ENV_KEY = "MONEYSIREN_WINDOWS_SIGNER_THUMBPRINTS";
+export async function installReleaseAssets(options) {
+    const env = options.env ?? process.env;
+    const repository = normalizeRepository(options.repository ?? env[RELEASE_REPOSITORY_ENV_KEY] ?? DEFAULT_RELEASE_REPOSITORY);
+    const tag = normalizeTag(options.tag ?? env[RELEASE_TAG_ENV_KEY] ?? DEFAULT_RELEASE_TAG);
+    const platform = normalizePlatform(options.platform ?? env[RELEASE_PLATFORM_ENV_KEY] ?? process.platform);
+    const configuredInstallDir = options.installDir ?? env[RELEASE_INSTALL_DIR_ENV_KEY];
+    const installDir = resolveReleaseInstallDir({
+        env,
+        ...(configuredInstallDir === undefined ? {} : { installDir: configuredInstallDir }),
+        platform,
+        tag,
+    });
+    const release = await fetchRelease({
+        fetchImpl: options.fetchImpl,
+        repository,
+        tag,
+    });
+    const releaseAssets = parseReleaseAssets(release.assets);
+    const checksumAssets = releaseAssets.filter((asset) => asset.name.toLowerCase().includes("sha256sums"));
+    const requestedSurfaces = options.selectedSurfaces.filter((surface) => surface === "web" || surface === "hud");
+    const installedAssets = [];
+    await mkdir(installDir, { recursive: true });
+    for (const surface of requestedSurfaces) {
+        const asset = selectSurfaceAsset(surface, platform, releaseAssets);
+        if (asset === null) {
+            throw new Error(`No ${surface} release asset found for ${platform} in ${repository}@${tag}.`);
+        }
+        const downloaded = await downloadAsset(options.fetchImpl, asset.browser_download_url);
+        const sha256 = sha256Hex(downloaded);
+        const checksum = await findChecksum({
+            assetName: asset.name,
+            checksumAssets,
+            fetchImpl: options.fetchImpl,
+        });
+        if (checksumAssets.length > 0 && checksum === null) {
+            throw new Error(`SHA256 checksum entry missing for ${asset.name}.`);
+        }
+        if (checksum !== null && checksum.toLowerCase() !== sha256) {
+            throw new Error(`SHA256 mismatch for ${asset.name}.`);
+        }
+        const outputPath = join(installDir, sanitizeAssetFileName(asset.name));
+        await writeFile(outputPath, downloaded);
+        let signature;
+        try {
+            signature = await verifyReleaseAssetSignature({
+                assetName: asset.name,
+                env,
+                fetchImpl: options.fetchImpl,
+                path: outputPath,
+                platform,
+                releaseAssets,
+                surface,
+                ...(options.signatureVerifier === undefined ? {} : { signatureVerifier: options.signatureVerifier }),
+                ...(options.trustedWindowsSignerThumbprints === undefined
+                    ? {}
+                    : { trustedWindowsSignerThumbprints: options.trustedWindowsSignerThumbprints }),
+            });
+        }
+        catch (error) {
+            await unlink(outputPath).catch(() => undefined);
+            throw error;
+        }
+        if (!signature.verified) {
+            await unlink(outputPath).catch(() => undefined);
+            throw new Error(`Release asset signature verification failed for ${asset.name}: ${signature.status} ${signature.message}`.trim());
+        }
+        installedAssets.push({
+            surface,
+            name: asset.name,
+            path: outputPath,
+            size: downloaded.byteLength,
+            sha256,
+            checksumVerified: checksum !== null,
+            signatureVerified: signature.status !== "not-required",
+        });
+    }
+    await writeFile(join(installDir, "install-manifest.json"), `${JSON.stringify({
+        version: 1,
+        repository,
+        tag,
+        releaseUrl: typeof release.html_url === "string" ? release.html_url : releaseUrl(repository, tag),
+        installedAt: (options.now ?? (() => new Date()))().toISOString(),
+        selectedSurfaces: options.selectedSurfaces,
+        assets: installedAssets.map((asset) => ({
+            surface: asset.surface,
+            name: asset.name,
+            path: asset.path,
+            size: asset.size,
+            sha256: asset.sha256,
+            checksumVerified: asset.checksumVerified,
+            signatureVerified: asset.signatureVerified,
+        })),
+    }, null, 2)}\n`, "utf8");
+    return {
+        repository,
+        tag,
+        installDir,
+        releaseUrl: typeof release.html_url === "string" ? release.html_url : releaseUrl(repository, tag),
+        assets: installedAssets,
+    };
+}
+export function resolveReleaseInstallDir(input = {}) {
+    const env = input.env ?? process.env;
+    const platform = input.platform ?? process.platform;
+    const tag = input.tag ?? DEFAULT_RELEASE_TAG;
+    const configured = trimToNull(input.installDir);
+    if (configured !== null) {
+        return isAbsolute(configured) ? configured : resolve(process.cwd(), configured);
+    }
+    const root = platform === "win32"
+        ? joinForPlatform(platform, trimToNull(env.APPDATA) ?? win32.join(resolveHomeDirectory(env), "AppData", "Roaming"), "MoneySiren")
+        : platform === "darwin"
+            ? joinForPlatform(platform, resolveHomeDirectory(env), "Library", "Application Support", "MoneySiren")
+            : joinForPlatform(platform, trimToNull(env.XDG_DATA_HOME) ?? joinForPlatform(platform, resolveHomeDirectory(env), ".local", "share"), "moneysiren");
+    return joinForPlatform(platform, root, "releases", sanitizePathSegment(tag));
+}
+function normalizeRepository(repository) {
+    const normalized = repository.trim();
+    if (!/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/.test(normalized)) {
+        throw new Error("Release repository must be in owner/name form.");
+    }
+    return normalized;
+}
+function normalizeTag(tag) {
+    const normalized = tag.trim();
+    if (normalized.length === 0 || normalized.length > 128) {
+        throw new Error("Release tag is empty or too long.");
+    }
+    return normalized;
+}
+function normalizePlatform(platform) {
+    if (platform === "win32" || platform === "darwin" || platform === "linux") {
+        return platform;
+    }
+    return process.platform;
+}
+async function fetchRelease(input) {
+    const response = await input.fetchImpl(`https://api.github.com/repos/${input.repository}/releases/tags/${encodeURIComponent(input.tag)}`, {
+        headers: {
+            Accept: "application/vnd.github+json",
+            "User-Agent": "moneysiren-cli-release-installer",
+        },
+    });
+    if (!response.ok) {
+        throw new Error(`Could not read GitHub Release ${input.repository}@${input.tag}: ${response.status} ${response.statusText}`);
+    }
+    const body = await response.json();
+    if (!isRecord(body)) {
+        throw new Error("GitHub Release response was not an object.");
+    }
+    return body;
+}
+function parseReleaseAssets(value) {
+    if (!Array.isArray(value)) {
+        return [];
+    }
+    return value
+        .filter(isRecord)
+        .flatMap((asset) => {
+        const name = asset.name;
+        const browserDownloadUrl = asset.browser_download_url;
+        if (typeof name !== "string" || typeof browserDownloadUrl !== "string") {
+            return [];
+        }
+        return [{
+                name,
+                browser_download_url: browserDownloadUrl,
+                ...(typeof asset.size === "number" ? { size: asset.size } : {}),
+            }];
+    });
+}
+function selectSurfaceAsset(surface, platform, assets) {
+    const candidates = assets.filter((asset) => !asset.name.toLowerCase().includes("sha256sums"));
+    if (surface === "web") {
+        return candidates.find((asset) => /^moneysiren-web-runtime-.+\.tar\.gz$/i.test(asset.name)) ?? null;
+    }
+    if (platform === "win32") {
+        return candidates.find((asset) => /\.(exe|msi)$/i.test(asset.name)) ?? null;
+    }
+    if (platform === "darwin") {
+        return candidates.find((asset) => /macos/i.test(asset.name) && /\.(tar\.gz|dmg)$/i.test(asset.name)) ?? null;
+    }
+    return null;
+}
+async function findChecksum(input) {
+    for (const checksumAsset of input.checksumAssets) {
+        const content = await downloadAsset(input.fetchImpl, checksumAsset.browser_download_url);
+        const checksum = parseChecksumFile(content.toString("utf8"), input.assetName);
+        if (checksum !== null) {
+            return checksum;
+        }
+    }
+    return null;
+}
+async function downloadAsset(fetchImpl, url) {
+    const parsed = new URL(url);
+    if (parsed.protocol !== "https:") {
+        throw new Error("Refusing to download a non-HTTPS release asset.");
+    }
+    const response = await fetchImpl(url, {
+        headers: {
+            "User-Agent": "moneysiren-cli-release-installer",
+        },
+    });
+    if (!response.ok) {
+        throw new Error(`Could not download release asset: ${response.status} ${response.statusText}`);
+    }
+    return Buffer.from(await response.arrayBuffer());
+}
+function parseChecksumFile(content, assetName) {
+    for (const line of content.split(/\r?\n/)) {
+        const match = /^([a-f0-9]{64})\s+\*?(.+)$/i.exec(line.trim());
+        if (match !== null && basename(match[2] ?? "") === assetName) {
+            return match[1] ?? null;
+        }
+    }
+    return null;
+}
+function sha256Hex(content) {
+    return createHash("sha256").update(content).digest("hex");
+}
+async function verifyReleaseAssetSignature(input) {
+    const verifier = input.signatureVerifier ?? defaultReleaseAssetSignatureVerifier;
+    const expectedSignerThumbprints = await findExpectedSignerThumbprints({
+        assetName: input.assetName,
+        env: input.env,
+        fetchImpl: input.fetchImpl,
+        platform: input.platform,
+        releaseAssets: input.releaseAssets,
+        surface: input.surface,
+        ...(input.trustedWindowsSignerThumbprints === undefined
+            ? {}
+            : { trustedWindowsSignerThumbprints: input.trustedWindowsSignerThumbprints }),
+    });
+    return verifier.verify({
+        assetName: input.assetName,
+        ...(expectedSignerThumbprints === null ? {} : { expectedSignerThumbprints }),
+        path: input.path,
+        platform: input.platform,
+        surface: input.surface,
+    });
+}
+const defaultReleaseAssetSignatureVerifier = {
+    async verify(input) {
+        if (input.surface !== "hud" || input.platform !== "win32") {
+            return {
+                verified: true,
+                status: "not-required",
+                message: "No platform signature check is required for this release asset.",
+            };
+        }
+        if (!/\.(exe|msi)$/i.test(input.assetName)) {
+            return {
+                verified: false,
+                status: "unsupported",
+                message: "Windows HUD release assets must be .exe or .msi installers.",
+            };
+        }
+        if (input.expectedSignerThumbprints === undefined || input.expectedSignerThumbprints.length === 0) {
+            return {
+                verified: false,
+                status: "missing-signature-metadata",
+                message: `Windows HUD release assets require ${WINDOWS_SIGNER_THUMBPRINTS_ENV_KEY} or moneysiren-tray-windows-SIGNATURE.json metadata.`,
+            };
+        }
+        return verifyWindowsAuthenticodeSignature(input.path, input.expectedSignerThumbprints);
+    },
+};
+async function findExpectedSignerThumbprints(input) {
+    if (input.surface !== "hud" || input.platform !== "win32") {
+        return null;
+    }
+    const trustedThumbprints = normalizeThumbprintList([
+        ...(input.trustedWindowsSignerThumbprints ?? []),
+        ...parseThumbprintEnv(input.env[WINDOWS_SIGNER_THUMBPRINTS_ENV_KEY]),
+    ]);
+    if (trustedThumbprints.length > 0) {
+        return trustedThumbprints;
+    }
+    const metadataAsset = input.releaseAssets.find((asset) => /^moneysiren-tray-windows-SIGNATURE\.json$/i.test(asset.name));
+    if (metadataAsset === undefined) {
+        return null;
+    }
+    const metadata = JSON.parse((await downloadAsset(input.fetchImpl, metadataAsset.browser_download_url)).toString("utf8"));
+    const entries = Array.isArray(metadata) ? metadata : [metadata];
+    for (const entry of entries) {
+        if (!isRecord(entry) || entry.assetName !== input.assetName || typeof entry.signerThumbprint !== "string") {
+            continue;
+        }
+        return [normalizeThumbprint(entry.signerThumbprint)];
+    }
+    return null;
+}
+async function verifyWindowsAuthenticodeSignature(path, expectedSignerThumbprints) {
+    const literalPath = powerShellSingleQuotedString(path);
+    try {
+        const { stdout } = await execFileAsync("powershell.exe", [
+            "-NoProfile",
+            "-NonInteractive",
+            "-Command",
+            [
+                `$signature = Get-AuthenticodeSignature -LiteralPath ${literalPath}`,
+                "$status = [string]$signature.Status",
+                "$message = [string]$signature.StatusMessage",
+                "if ($signature.Status -ne 'Valid' -or $null -eq $signature.SignerCertificate) {",
+                "  Write-Output ($status + \"|\" + $message)",
+                "  exit 1",
+                "}",
+                "Write-Output ($status + \"|\" + $signature.SignerCertificate.Thumbprint + \"|\" + $signature.SignerCertificate.Subject)",
+            ].join("; "),
+        ], {
+            windowsHide: true,
+            timeout: 30_000,
+        });
+        const [status, signerThumbprint, ...messageParts] = stdout.trim().split("|");
+        const normalizedSignerThumbprint = normalizeThumbprint(signerThumbprint ?? "");
+        const normalizedExpectedSignerThumbprints = expectedSignerThumbprints.map(normalizeThumbprint);
+        if (!normalizedExpectedSignerThumbprints.includes(normalizedSignerThumbprint)) {
+            return {
+                verified: false,
+                status: "signer-mismatch",
+                message: `Expected signer ${normalizedExpectedSignerThumbprints.join(", ")}, got ${normalizedSignerThumbprint || "unknown"}.`,
+            };
+        }
+        return {
+            verified: true,
+            status: status ?? "Valid",
+            message: messageParts.join("|"),
+        };
+    }
+    catch (error) {
+        const output = isRecord(error) && typeof error.stdout === "string" ? error.stdout.trim() : "";
+        const [status, ...messageParts] = output.split("|");
+        return {
+            verified: false,
+            status: status && status.length > 0 ? status : "Unknown",
+            message: messageParts.join("|") || (error instanceof Error ? error.message : String(error)),
+        };
+    }
+}
+function normalizeThumbprint(value) {
+    return value.replaceAll(/\s/g, "").toUpperCase();
+}
+function normalizeThumbprintList(values) {
+    return Array.from(new Set(values.map(normalizeThumbprint).filter((value) => value.length > 0)));
+}
+function parseThumbprintEnv(value) {
+    if (value === undefined) {
+        return [];
+    }
+    return value.split(/[,\s;]+/).map((part) => part.trim()).filter((part) => part.length > 0);
+}
+function powerShellSingleQuotedString(value) {
+    return `'${value.replaceAll("'", "''")}'`;
+}
+function sanitizeAssetFileName(name) {
+    return basename(name).replace(/[^A-Za-z0-9._ -]/g, "_");
+}
+function sanitizePathSegment(value) {
+    return value.replace(/[^A-Za-z0-9._-]/g, "_");
+}
+function releaseUrl(repository, tag) {
+    return `https://github.com/${repository}/releases/tag/${encodeURIComponent(tag)}`;
+}
+function resolveHomeDirectory(env) {
+    return trimToNull(env.HOME) ?? trimToNull(env.USERPROFILE) ?? homedir();
+}
+function trimToNull(value) {
+    const trimmed = value?.trim();
+    return trimmed === undefined || trimmed.length === 0 ? null : trimmed;
+}
+function joinForPlatform(platform, ...segments) {
+    return platform === "win32" ? win32.join(...segments) : posix.join(...segments);
+}
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+//# sourceMappingURL=release-installer.js.map

package/dist/apps/cli/src/version.d.ts

@@ -0,0 +1,2 @@
+export declare const CLI_VERSION = "0.1.0-alpha.1";
+//# sourceMappingURL=version.d.ts.map

package/dist/apps/cli/src/version.js

@@ -0,0 +1,2 @@
+export const CLI_VERSION = "0.1.0-alpha.1";
+//# sourceMappingURL=version.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@moneysiren/cli",
-  "version": "0.1.0-alpha.0",
+  "version": "0.1.0-alpha.1",
   "description": "Local-first cloud/SaaS usage, status, and expected billing CLI for MoneySiren.",
   "private": false,
   "license": "MIT",