@movp/cli 1.0.0

package/bin/cli.js

@@ -0,0 +1,921 @@
+#!/usr/bin/env node
+// @movp/cli
+// Usage:
+//   npx @movp/cli install           — install MoVP plugins to ~/.movp/plugins/
+//   npx @movp/cli install --tool claude|cursor|codex  — install one plugin only
+//   npx @movp/cli install --dir <path>                — custom install location
+//   npx @movp/cli install --version <tag>             — specific release
+//   npx @movp/cli install --init                      — also run init (opt-in)
+//   npx @movp/cli init              — auto-detect tool, write all config
+//   npx @movp/cli init --cursor     — Cursor-specific setup (MCP + rules only)
+//   npx @movp/cli init --codex      — Codex-specific setup (MCP config only)
+//   npx @movp/cli init --no-rules   — skip writing movp-review rule (use when loading the plugin)
+//   npx @movp/cli login             — device auth login
+//   npx @movp/cli hook              — run as PostToolUse hook (reads stdin)
+//   npx @movp/cli                   — alias for `hook`
+
+"use strict";
+
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+const readline = require("readline");
+const https = require("https");
+const http = require("http");
+
+const [, , command, ...args] = process.argv;
+
+if (!command || command === "hook") {
+  require("../hook.js");
+  return;
+}
+
+if (command === "--help" || command === "-h") {
+  console.log(`
+  npx @movp/cli <command>
+
+  Commands:
+    install    Install MoVP plugins to ~/.movp/plugins/
+    init       Write MCP + hook config into the current project
+    login      Device auth login
+    hook       PostToolUse hook (default when no command given)
+
+  Run 'npx @movp/cli install --help' for install-specific options.
+`);
+  process.exit(0);
+}
+
+if (command === "install") {
+  if (args.includes("--help") || args.includes("-h")) {
+    printInstallHelp();
+    process.exit(0);
+  }
+  const dirIdx = args.indexOf("--dir");
+  const toolIdx = args.indexOf("--tool");
+  const versionIdx = args.indexOf("--version");
+  // Require that value-taking flags are followed by a non-flag token
+  function requireFlagValue(idx, flag) {
+    if (idx < 0) return null;
+    const val = args[idx + 1];
+    if (!val || val.startsWith("-")) {
+      console.error(`  ${flag} requires a value`);
+      process.exit(1);
+    }
+    return val;
+  }
+  const installDir = requireFlagValue(dirIdx, "--dir");
+  const tool = requireFlagValue(toolIdx, "--tool");
+  const version = requireFlagValue(versionIdx, "--version");
+  const runInitAfter = args.includes("--init");
+  runInstall({ installDir, tool, version, runInitAfter }).catch((e) => { console.error(e.message); process.exit(1); });
+} else if (command === "init") {
+  const forcedTool = args.includes("--cursor") ? "cursor"
+    : args.includes("--codex") ? "codex"
+    : null;
+  const noRules = args.includes("--no-rules");
+  runInit(forcedTool, { noRules }).catch((e) => { console.error(e.message); process.exit(1); });
+} else if (command === "login") {
+  runLogin().catch((e) => { console.error(e.message); process.exit(1); });
+} else {
+  console.error(`Unknown command: ${command}`);
+  console.error("Run 'npx @movp/cli --help' for available commands.");
+  process.exit(1);
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Shared helpers
+// ─────────────────────────────────────────────────────────────────────────────
+
+function prompt(rl, question) {
+  return new Promise((resolve) => rl.question(question, resolve));
+}
+
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+function postJSON(baseUrl, urlPath, body, extraHeaders = {}) {
+  return new Promise((resolve, reject) => {
+    const data = JSON.stringify(body);
+    const parsed = new URL(urlPath, baseUrl);
+    const mod = parsed.protocol === "https:" ? https : http;
+    const req = mod.request(
+      {
+        hostname: parsed.hostname,
+        port: parsed.port || (parsed.protocol === "https:" ? 443 : 80),
+        path: parsed.pathname + parsed.search,
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Content-Length": Buffer.byteLength(data),
+          ...extraHeaders,
+        },
+      },
+      (res) => {
+        let buf = "";
+        res.on("data", (chunk) => (buf += chunk));
+        res.on("end", () => {
+          try { resolve({ status: res.statusCode, body: JSON.parse(buf) }); }
+          catch { resolve({ status: res.statusCode, body: buf }); }
+        });
+      }
+    );
+    req.on("error", reject);
+    req.write(data);
+    req.end();
+  });
+}
+
+function loadCredentials() {
+  try {
+    const credPath = path.join(os.homedir(), ".config", "movp", "credentials");
+    const lines = fs.readFileSync(credPath, "utf8").split("\n");
+    const creds = {};
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith("#")) continue;
+      const eq = trimmed.indexOf("=");
+      if (eq < 0) continue;
+      creds[trimmed.slice(0, eq).trim()] = trimmed.slice(eq + 1).trim();
+    }
+    return creds;
+  } catch {
+    return {};
+  }
+}
+
+function writeCredentials(bffUrl, userId, tenantId) {
+  const configDir = path.join(os.homedir(), ".config", "movp");
+  fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
+  const credPath = path.join(configDir, "credentials");
+  const content =
+    `# MoVP device credentials — written by 'npx @movp/cli login'\n` +
+    `# Do not commit this file.\n` +
+    `WORKDESK_URL=${bffUrl}\n` +
+    `WORKDESK_USER=${userId}\n` +
+    `WORKDESK_TENANT=${tenantId}\n`;
+  fs.writeFileSync(credPath, content, { mode: 0o600 });
+  return credPath;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Auto-detect the AI coding tool in the current directory
+// ─────────────────────────────────────────────────────────────────────────────
+
+function detectTool() {
+  const cwd = process.cwd();
+  if (fs.existsSync(path.join(cwd, ".claude"))) return "claude-code";
+  if (fs.existsSync(path.join(cwd, ".cursor")) || fs.existsSync(path.join(cwd, ".cursorrules"))) return "cursor";
+  return null; // unknown — will ask
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// movp-review.md rule content
+// ─────────────────────────────────────────────────────────────────────────────
+
+const MOVP_REVIEW_RULE = `rule_id: movp-review
+
+# MoVP Adversarial Review
+
+> Scope: plan files and significant code output
+> MCP tools: \`get_review_status\`, \`trigger_review\`, \`resolve_review\`
+
+After writing a plan file or producing a significant code change (new feature, refactor, migration, or multi-file edit), trigger an adversarial review using the MoVP tools. Do not trigger for trivial operations: file reads, git status/log, search queries, single-line fixes, or tool calls with no code output.
+
+## When to trigger
+
+Trigger \`trigger_review\` automatically when you:
+
+- Write or significantly modify a plan file (\`.md\` planning documents, architecture docs, PRDs)
+- Complete a multi-file code change (3+ files, or any new service/module)
+- Produce a significant new code output in a single response (functions, handlers, migrations)
+
+Do **not** trigger for: reading files, running tests, git commands, grep/search, single-line edits, config-only changes.
+
+## How to run a review
+
+\`\`\`
+1. Call trigger_review(artifact_type="plan_file"|"code_output", content=<artifact>, session_id=<current session>)
+   → returns review_id
+
+2. Poll get_review_status(review_id=<id>) until review_status is "completed" or "error"
+   Always use the review_id from step 1 — do NOT call get_review_status without review_id
+   when multiple reviews may be in flight (returns most recent tenant review otherwise).
+
+3. Ask the developer: implement fixes, dismiss findings, or accept as-is
+
+4. Call resolve_review(review_id=<id>, action="accept"|"dismiss"|"escalate"|"retry") based on their choice
+\`\`\`
+
+## Presenting findings
+
+Format findings as structured output with severity badges. After showing findings, always ask:
+
+> **Reply with:** implement fixes, dismiss (false positive / not applicable / deferred), or accept as-is
+
+## Resolve actions
+
+| Developer says | Action to call | Notes |
+|---|---|---|
+| "accept", "looks good", "ship it" | \`resolve_review(action="accept")\` | Idempotent — safe to call twice |
+| "dismiss", "false positive", "not applicable" | \`resolve_review(action="dismiss", reason="false_positive"\\|"not_applicable"\\|"deferred")\` | |
+| "escalate", "create a ticket" | \`resolve_review(action="escalate", target="todo")\` | |
+| "retry", "run it again" | \`resolve_review(action="retry")\` | **Only valid when review_status is "error"** — do not call on completed reviews |
+
+## Rate and cost awareness
+
+Reviews consume LLM budget. Do not trigger multiple reviews in a single session for the same artifact. If \`trigger_review\` returns a rate limit error (429), inform the developer and do not retry automatically.
+`;
+
+// ─────────────────────────────────────────────────────────────────────────────
+// .movp/config.yaml default content
+// ─────────────────────────────────────────────────────────────────────────────
+
+const DEFAULT_PROJECT_CONFIG = `version: 1
+review:
+  enabled: true
+  categories:
+    # Default 8 categories — all scored 1-10 by the adversarial model.
+    # All weights are equal by default. Increase a weight to emphasize a category.
+    # Weights must be positive integers >= 1.
+    - name: security
+      weight: 1
+    - name: correctness
+      weight: 1
+    - name: performance
+      weight: 1
+    - name: stability
+      weight: 1
+    - name: ux_drift
+      weight: 1
+    - name: outcome_drift
+      weight: 1
+    - name: missing_tests
+      weight: 1
+    - name: scope_creep
+      weight: 1
+    # Add custom categories:
+    # - name: accessibility
+    #   description: WCAG 2.1 AA compliance
+    #   weight: 1
+  auto_review:
+    plan_files: true    # auto-trigger review after writing plan files
+    code_output: false  # auto-trigger review after significant code output
+  cost_cap_daily_usd: 5.0
+  max_rounds: 3
+  # rule_apply_mode: "direct"  # "direct" = write rules on confirm; "pr" = create branch + PR
+control_plane:
+  health_check_interval: 20  # seconds between health checks
+  show_cost: true
+  show_recommendations: true
+`;
+
+const DEFAULT_LOCAL_CONFIG = `# .movp/config.local.yaml — personal overrides (gitignored)
+# Overrides .movp/config.yaml for your local environment only.
+# Example:
+# review:
+#   enabled: false
+`;
+
+// ─────────────────────────────────────────────────────────────────────────────
+// install
+// ─────────────────────────────────────────────────────────────────────────────
+
+function printInstallHelp() {
+  console.log(`
+  npx @movp/cli install [options]
+
+  Install MoVP plugins to ~/.movp/plugins/ (or a custom directory).
+
+  Options:
+    --tool <name>      Install only one plugin: claude, cursor, or codex
+    --dir  <path>      Install to a custom directory instead of ~/.movp/plugins/
+    --version <tag>    Install a specific git tag/branch (default: main)
+    --init             Also run \`init\` for the installed tool after install
+    -h, --help         Show this help text
+
+  Environment:
+    MOVP_RELEASE_URL   If set, download a release .tar.gz instead of cloning.
+                       Must be https://. Overrides --version.
+                       The archive must have the mona-lisa repo layout at depth 1
+                       (--strip-components=1 is applied during extraction).
+
+  Examples:
+    npx @movp/cli install
+    npx @movp/cli install --tool claude
+    npx @movp/cli install --dir /opt/movp/plugins
+    npx @movp/cli install --version v1.2.0
+    npx @movp/cli install --tool cursor --init
+`);
+}
+
+async function runInstall({ installDir, tool, version, runInitAfter }) {
+  const { spawnSync } = require("child_process");
+
+  const targetDir = installDir
+    ? path.resolve(installDir)
+    : path.join(os.homedir(), ".movp", "plugins");
+
+  console.log("\n  MoVP Plugin Installer\n");
+
+  // Check prerequisites — use process.version (we're already in Node) to avoid
+  // edge cases with multiple Node installs on PATH.
+  const nodeMatch = process.version.match(/^v(\d+)/);
+  const nodeMajor = nodeMatch ? parseInt(nodeMatch[1], 10) : 0;
+  if (nodeMajor < 18) {
+    console.error(`  Node.js 18+ is required (found ${process.version}). Install from https://nodejs.org`);
+    process.exit(1);
+  }
+
+  const releaseUrl = process.env.MOVP_RELEASE_URL || "";
+
+  // git is only needed for the clone path — skip check when using MOVP_RELEASE_URL.
+  if (!releaseUrl && spawnSync("git", ["--version"]).status !== 0) {
+    console.error("  git is required. Install from https://git-scm.com");
+    process.exit(1);
+  }
+
+  // tar is only needed for the tarball path.
+  // Use a feature probe (not --version) because some BSD tar builds exit non-zero for --version.
+  if (releaseUrl) {
+    const tarProbe = spawnSync("tar", ["--help"]);
+    if (tarProbe.error && tarProbe.error.code === "ENOENT") {
+      console.error("  tar is required when MOVP_RELEASE_URL is set. Install BSD/GNU tar (comes with macOS and most Linux distros; on Windows, use Windows 10+ built-in tar or WSL).");
+      process.exit(1);
+    }
+  }
+
+  // Validate --tool
+  const validTools = ["claude", "cursor", "codex"];
+  if (tool && !validTools.includes(tool)) {
+    console.error(`  Unknown tool: ${tool}. Must be one of: claude, cursor, codex`);
+    process.exit(1);
+  }
+
+  // Determine which plugin dirs to copy
+  const pluginDirs = tool
+    ? [`${tool}-plugin`]
+    : ["claude-plugin", "cursor-plugin", "codex-plugin"];
+
+  fs.mkdirSync(targetDir, { recursive: true });
+
+  // Download from release tarball or git clone — no shell interpolation
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "movp-install-"));
+  try {
+    if (releaseUrl) {
+      // MOVP_RELEASE_URL must be an https:// URL pointing to a .tar.gz with the
+      // mona-lisa repo layout at depth 1 (--strip-components=1 removes the top dir).
+      if (!releaseUrl.startsWith("https://")) {
+        throw new Error("MOVP_RELEASE_URL must start with https://");
+      }
+      if (version) {
+        console.warn(`  Warning: --version is ignored when MOVP_RELEASE_URL is set.\n  To install a specific tag, use a URL for that release or unset MOVP_RELEASE_URL.`);
+      }
+      // Log only origin + path — strip query and hash to avoid leaking pre-signed tokens.
+      const logUrl = (() => { try { const u = new URL(releaseUrl); return u.origin + u.pathname; } catch { return releaseUrl; } })();
+      console.log(`  Downloading ${logUrl} ...`);
+      const tarPath = path.join(os.tmpdir(), `movp-release-${Date.now()}.tar.gz`);
+      try {
+        await downloadFile(releaseUrl, tarPath);
+        const tarResult = spawnSync("tar", ["-xz", "-C", tmpDir, "--strip-components=1", "-f", tarPath], { stdio: "inherit" });
+        if (tarResult.status !== 0) {
+          throw new Error(
+            "tar extraction failed. Verify MOVP_RELEASE_URL points to a .tar.gz with the mona-lisa repo layout at the top level."
+          );
+        }
+      } finally {
+        try { fs.unlinkSync(tarPath); } catch { /* best-effort */ }
+      }
+    } else {
+      const ref = version || "main";
+      console.log(`  Cloning mona-lisa @ ${ref} ...`);
+      const cloneResult = spawnSync(
+        "git",
+        ["clone", "--depth", "1", "--filter=blob:none", "--single-branch", "--branch", ref,
+          "https://github.com/MostViableProduct/mona-lisa.git", tmpDir],
+        { stdio: "inherit" }
+      );
+      if (cloneResult.status !== 0) {
+        throw new Error(
+          `git clone failed (ref: ${ref}). Check the tag exists at https://github.com/MostViableProduct/mona-lisa/releases and that you have network access.`
+        );
+      }
+    }
+
+    // Copy each plugin directory into targetDir
+    for (const dir of pluginDirs) {
+      const src = path.join(tmpDir, dir);
+      const dest = path.join(targetDir, dir);
+      if (!fs.existsSync(src)) {
+        throw new Error(`Plugin directory not found in downloaded repo: ${dir}. The archive layout may have changed — check https://github.com/MostViableProduct/mona-lisa`);
+      }
+      if (fs.existsSync(dest)) {
+        fs.rmSync(dest, { recursive: true, force: true });
+      }
+      fs.cpSync(src, dest, { recursive: true });
+      console.log(`  Installed ${dir}  →  ${dest}`);
+    }
+  } finally {
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  }
+
+  // Auto-detect installed tools (skip when --tool is specified)
+  if (!tool) {
+    const detected = [];
+    for (const [name, cmd] of [["Claude Code", "claude"], ["Cursor", "cursor"], ["Codex", "codex"]]) {
+      if (spawnSync(cmd, ["--version"]).status === 0) detected.push(name);
+    }
+    if (detected.length) {
+      console.log(`\n  Detected: ${detected.join(", ")}`);
+    }
+  }
+
+  printInstallNextSteps(targetDir, tool);
+
+  // Opt-in: run init after install (requires a project cwd)
+  if (runInitAfter) {
+    // Map install --tool names to runInit's expected tool identifiers
+    const forcedTool = tool === "claude" ? "claude-code" : tool === "cursor" ? "cursor" : tool === "codex" ? "codex" : null;
+    try {
+      await runInit(forcedTool);
+    } catch (e) {
+      // Plugins are already on disk — distinguish install success from init failure.
+      const msg = e instanceof Error ? e.message : String(e);
+      console.error(`\n  Plugins were installed to ${targetDir}/`);
+      console.error(`  Init failed: ${msg}`);
+      process.exit(1);
+    }
+  }
+}
+
+// Downloads a URL (following up to maxRedirects redirects) to a local file path.
+// Resolves relative Location headers against the current URL.
+function downloadFile(url, dest, maxRedirects = 5) {
+  return new Promise((resolve, reject) => {
+    if (maxRedirects < 0) {
+      reject(new Error(`Too many redirects downloading ${url}`));
+      return;
+    }
+    const file = fs.createWriteStream(dest);
+    const mod = url.startsWith("https:") ? https : http;
+    const req = mod.get(url, (res) => {
+      if ([301, 302, 303, 307, 308].includes(res.statusCode)) {
+        res.resume(); // drain body so the socket is released
+        file.close();
+        // Synchronously remove the empty file before starting the next request
+        // to the same path, avoiding a write overlap on slow filesystems.
+        try { fs.unlinkSync(dest); } catch { /* best-effort */ }
+        const location = res.headers.location;
+        if (!location) {
+          reject(new Error(`Redirect (${res.statusCode}) without Location header from ${url}`));
+          return;
+        }
+        let next;
+        try {
+          next = new URL(location, url).href;
+        } catch {
+          reject(new Error(`Invalid redirect Location header: ${JSON.stringify(location)}`));
+          return;
+        }
+        // Enforce HTTPS on every hop — reject downgrades via redirect.
+        if (!next.startsWith("https:")) {
+          reject(new Error(`Redirect to non-HTTPS URL rejected (${new URL(next).origin}). Set MOVP_RELEASE_URL to an https:// URL.`));
+          return;
+        }
+        downloadFile(next, dest, maxRedirects - 1).then(resolve).catch(reject);
+        return;
+      }
+      if (res.statusCode !== 200) {
+        file.close();
+        try { fs.unlinkSync(dest); } catch { /* best-effort */ }
+        const hint =
+          res.statusCode === 408 ? " (request timeout — retry or check network)" :
+          res.statusCode === 429 ? " (rate limited — wait a moment and retry)" :
+          res.statusCode === 401 || res.statusCode === 403 ? " (check authentication or access permissions)" :
+          res.statusCode === 404 ? " (URL not found — verify MOVP_RELEASE_URL)" :
+          res.statusCode >= 500 ? " (server error — try again later)" : "";
+        reject(new Error(`HTTP ${res.statusCode}${hint} downloading ${url}`));
+        return;
+      }
+      req.setTimeout(0); // clear the connection timeout once we're actively streaming
+      res.pipe(file);
+      file.on("finish", () => file.close(resolve));
+      file.on("error", (err) => {
+        try { fs.unlinkSync(dest); } catch { /* best-effort */ }
+        reject(err);
+      });
+    });
+    // Abort the request if no data arrives within 30 seconds.
+    req.setTimeout(30000, () => {
+      req.destroy(new Error(`Download timed out after 30s. Check your network or the URL: ${url}`));
+    });
+    req.on("error", (err) => {
+      file.close();
+      try { fs.unlinkSync(dest); } catch { /* best-effort */ }
+      reject(err);
+    });
+  });
+}
+
+function printInstallNextSteps(pluginsDir, tool) {
+  console.log(`\n  Plugins installed to ${pluginsDir}/\n`);
+  console.log("  Next steps:\n");
+
+  if (!tool || tool === "claude") {
+    console.log("    Claude Code:");
+    console.log("      cd your-project");
+    console.log("      npx @movp/cli init");
+    console.log(`      claude --plugin-dir ${pluginsDir}/claude-plugin\n`);
+  }
+  if (!tool || tool === "cursor") {
+    console.log("    Cursor:");
+    console.log("      cd your-project");
+    console.log("      npx @movp/cli init --cursor");
+    console.log(`      cursor --plugin-dir ${pluginsDir}/cursor-plugin\n`);
+  }
+  if (!tool || tool === "codex") {
+    console.log("    Codex:");
+    console.log("      cd your-project");
+    console.log("      npx @movp/cli init --codex");
+    console.log(`      codex --plugin-dir ${pluginsDir}/codex-plugin\n`);
+  }
+
+  console.log("  Need help? https://github.com/MostViableProduct/mona-lisa#troubleshooting\n");
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// init
+// ─────────────────────────────────────────────────────────────────────────────
+
+async function runInit(forcedTool, { noRules = false } = {}) {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  const cwd = process.cwd();
+
+  console.log("\n  MoVP CLI v1.0.0\n");
+
+  // ── Step 0: Determine tool ─────────────────────────────────────────────────
+  let tool = forcedTool || detectTool();
+  if (!tool) {
+    console.log("  Could not auto-detect AI coding tool.");
+    const answer = (await prompt(rl, "  Tool [claude-code|cursor|codex]: ")).trim().toLowerCase();
+    tool = answer || "claude-code";
+  } else {
+    console.log(`  Detected: ${tool}`);
+  }
+
+  if (!["claude-code", "cursor", "codex"].includes(tool)) {
+    console.error(`  Unknown tool: ${tool}`);
+    rl.close();
+    process.exit(1);
+  }
+
+  // ── Step 1: Authentication ────────────────────────────────────────────────
+  console.log("\n  Step 1/3: Authentication");
+  let creds = loadCredentials();
+  let bffUrl = creds.WORKDESK_URL || process.env.WORKDESK_URL || "";
+  let tenantId = creds.WORKDESK_TENANT || process.env.WORKDESK_TENANT || "";
+  let userId = creds.WORKDESK_USER || "";
+
+  if (bffUrl && tenantId) {
+    console.log(`    Already authenticated (tenant: ${tenantId})`);
+  } else {
+    console.log("    Opening browser for device login...");
+    // runLogin() only writes to stdout and polls HTTP — rl stays open for prompts after
+    await runLogin();
+    creds = loadCredentials();
+    bffUrl = creds.WORKDESK_URL || "";
+    tenantId = creds.WORKDESK_TENANT || "";
+    userId = creds.WORKDESK_USER || "";
+  }
+
+  if (!bffUrl || !tenantId) {
+    console.error("  Authentication incomplete. Run `npx @movp/cli login` first.");
+    rl.close();
+    process.exit(1);
+  }
+
+  // ── Step 2: Agent Source ──────────────────────────────────────────────────
+  console.log("\n  Step 2/3: Agent Source");
+  let apiKey = "";
+  try {
+    const res = await postJSON(bffUrl, "/api/workdesk/agents/setup", {
+      agent_type: tool,
+      user_id: userId,
+      tenant_id: tenantId,
+    }, {
+      "X-Tenant-ID": tenantId,
+    });
+    if (res.status === 200 || res.status === 201) {
+      apiKey = res.body.api_key || res.body.apiKey || "";
+      if (apiKey) {
+        console.log("    Agent source created.");
+        // Persist api_key to credentials file
+        const configDir = path.join(os.homedir(), ".config", "movp");
+        const credPath = path.join(configDir, "credentials");
+        let existing = "";
+        try { existing = fs.readFileSync(credPath, "utf8"); } catch {}
+        if (!existing.includes("WORKDESK_API_KEY=")) {
+          fs.appendFileSync(credPath, `WORKDESK_API_KEY=${apiKey}\n`);
+        }
+      } else {
+        console.log("    Agent source configured (no new key returned — using existing).");
+        apiKey = process.env.WORKDESK_API_KEY || "";
+      }
+    } else {
+      console.log(`    Agent source setup returned HTTP ${res.status} — continuing with existing config.`);
+      apiKey = process.env.WORKDESK_API_KEY || "";
+    }
+  } catch (e) {
+    console.log(`    Could not reach ${bffUrl}: ${e.message}`);
+    console.log("    Continuing with manual config...");
+    apiKey = process.env.WORKDESK_API_KEY || "";
+  }
+
+  // Ask for MCP server path (required for settings.json)
+  let mcpServerPath = "";
+  if (tool === "claude-code" || tool === "cursor") {
+    const envPath = process.env.MOVP_MCP_SERVER_PATH || "";
+    const inputPath = await prompt(rl, `\n  MCP server path (dist/index.js) [${envPath || "skip"}]: `);
+    mcpServerPath = inputPath.trim() || envPath;
+  }
+
+  rl.close();
+
+  // ── Step 3: Write configuration ───────────────────────────────────────────
+  console.log("\n  Step 3/3: Configuration");
+
+  if (tool === "claude-code") {
+    writeClaudeCodeConfig(cwd, bffUrl, apiKey, tenantId, mcpServerPath, noRules);
+  } else if (tool === "cursor") {
+    writeCursorConfig(cwd, bffUrl, apiKey, tenantId, mcpServerPath, noRules);
+  } else if (tool === "codex") {
+    writeCodexConfig(cwd, bffUrl, tenantId, apiKey);
+  }
+
+  // .movp/config.yaml (all tools)
+  writeMovpConfig(cwd);
+
+  console.log("\n  Ready. Type /movp review to begin.\n");
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Per-tool config writers
+// ─────────────────────────────────────────────────────────────────────────────
+
+function writeClaudeCodeConfig(cwd, bffUrl, apiKey, tenantId, mcpServerPath, noRules = false) {
+  const claudeDir = path.join(cwd, ".claude");
+  const rulesDir = path.join(claudeDir, "rules");
+  const settingsPath = path.join(claudeDir, "settings.json");
+  fs.mkdirSync(claudeDir, { recursive: true });
+  if (!noRules) fs.mkdirSync(rulesDir, { recursive: true });
+
+  // settings.json: hook + MCP server
+  let settings = {};
+  if (fs.existsSync(settingsPath)) {
+    try { settings = JSON.parse(fs.readFileSync(settingsPath, "utf8")); } catch {}
+  }
+
+  // PostToolUse hook
+  settings.hooks = settings.hooks || {};
+  settings.hooks.PostToolUse = settings.hooks.PostToolUse || [];
+  const hookCmd = "npx @movp/cli hook";
+  const alreadyHooked = settings.hooks.PostToolUse.some(
+    (h) => h.hooks && h.hooks.some((hh) => hh.command === hookCmd || hh.command === "npx @movp/workdesk-hook")
+  );
+  if (!alreadyHooked) {
+    settings.hooks.PostToolUse.push({
+      matcher: "",
+      hooks: [{ type: "command", command: hookCmd }],
+    });
+  }
+
+  // MCP server
+  if (mcpServerPath) {
+    settings.mcpServers = settings.mcpServers || {};
+    settings.mcpServers.movp = {
+      type: "stdio",
+      command: "node",
+      args: [mcpServerPath],
+      env: {
+        WORKDESK_SERVICE_URL: "http://localhost:8115",
+        WORKDESK_TENANT: tenantId,
+        ...(apiKey ? { WORKDESK_API_KEY: apiKey } : {}),
+      },
+    };
+  }
+
+  fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + "\n");
+  console.log(`    ${settingsPath}  → PostToolUse hook${mcpServerPath ? " + MCP server" : ""}`);
+
+  // movp-review.md rule — skipped when --no-rules (plugin's skill replaces it)
+  if (!noRules) {
+    const rulePath = path.join(rulesDir, "movp-review.md");
+    fs.writeFileSync(rulePath, MOVP_REVIEW_RULE);
+    console.log(`    ${rulePath}`);
+  } else {
+    console.log("    movp-review.md skipped (--no-rules) — plugin skill is active");
+  }
+
+  // .env.movp
+  const envPath = path.join(cwd, ".env.movp");
+  if (!fs.existsSync(envPath)) {
+    const envContent =
+      `# MoVP — Claude Code hook environment\n` +
+      `WORKDESK_URL=${bffUrl}\n` +
+      (apiKey ? `WORKDESK_API_KEY=${apiKey}\n` : `# WORKDESK_API_KEY=wdg_...\n`) +
+      `WORKDESK_TENANT=${tenantId}\n` +
+      `# WORKDESK_OUTCOME=outcome-id\n`;
+    fs.writeFileSync(envPath, envContent);
+    console.log(`    ${envPath}`);
+  }
+}
+
+function writeCursorConfig(cwd, bffUrl, apiKey, tenantId, mcpServerPath, noRules = false) {
+  const cursorDir = path.join(cwd, ".cursor");
+  fs.mkdirSync(cursorDir, { recursive: true });
+
+  // MCP config
+  if (mcpServerPath) {
+    const mcpConfigPath = path.join(cursorDir, "mcp.json");
+    let mcpConfig = { mcpServers: {} };
+    if (fs.existsSync(mcpConfigPath)) {
+      try { mcpConfig = JSON.parse(fs.readFileSync(mcpConfigPath, "utf8")); } catch {}
+    }
+    mcpConfig.mcpServers = mcpConfig.mcpServers || {};
+    mcpConfig.mcpServers.movp = {
+      type: "stdio",
+      command: "node",
+      args: [mcpServerPath],
+      env: {
+        // WORKDESK_SERVICE_URL points directly to the Workdesk service (port 8115),
+        // same as Claude Code. The hook/login use the BFF URL (bffUrl) separately.
+        WORKDESK_SERVICE_URL: "http://localhost:8115",
+        WORKDESK_TENANT: tenantId,
+        ...(apiKey ? { WORKDESK_API_KEY: apiKey } : {}),
+      },
+    };
+    fs.writeFileSync(mcpConfigPath, JSON.stringify(mcpConfig, null, 2) + "\n");
+    console.log(`    ${mcpConfigPath}  → MCP server`);
+  }
+
+  // movp-review rule for Cursor — skipped when --no-rules (plugin's skill replaces it)
+  if (!noRules) {
+    const rulesDir = path.join(cursorDir, "rules");
+    fs.mkdirSync(rulesDir, { recursive: true });
+    const rulePath = path.join(rulesDir, "movp-review.mdc");
+    fs.writeFileSync(rulePath, MOVP_REVIEW_RULE.replace("rule_id:", "description:"));
+    console.log(`    ${rulePath}`);
+  } else {
+    console.log("    movp-review.mdc skipped (--no-rules) — plugin skill is active");
+  }
+}
+
+function writeCodexConfig(cwd, bffUrl, tenantId, apiKey) {
+  // Write codex.yaml with MCP server configuration
+  const codexConfigPath = path.join(cwd, "codex.yaml");
+  const mcpServerPath = process.env.MOVP_MCP_SERVER_PATH || "";
+
+  const apiKeyLine = apiKey ? `      WORKDESK_API_KEY: "${apiKey}"` : "";
+  const codexConfig = [
+    "# MoVP control plane — Codex configuration",
+    "# Generated by @movp/cli init --codex",
+    "#",
+    "# Add your model and approval settings above the mcp_servers block.",
+    "# Example: model: o4-mini",
+    "#          approval_policy: on-failure",
+    "",
+    "mcp_servers:",
+    "  movp:",
+    `    command: node`,
+    `    args:`,
+    `      - ${mcpServerPath || "/path/to/movp-mcp/dist/index.js"}`,
+    `    env:`,
+    `      WORKDESK_SERVICE_URL: "http://localhost:8115"`,
+    `      WORKDESK_TENANT: "${tenantId}"`,
+    ...(apiKeyLine ? [apiKeyLine] : []),
+    "",
+  ].join("\n");
+
+  if (!fs.existsSync(codexConfigPath)) {
+    fs.writeFileSync(codexConfigPath, codexConfig);
+    console.log(`    ${codexConfigPath}  → Codex MCP config`);
+  } else {
+    console.log(`    ${codexConfigPath}  → already exists, not overwritten`);
+  }
+  if (!mcpServerPath) {
+    console.log("    [!] Set MOVP_MCP_SERVER_PATH env var or edit args in codex.yaml before use.");
+  }
+}
+
+function writeMovpConfig(cwd) {
+  const movpDir = path.join(cwd, ".movp");
+  fs.mkdirSync(movpDir, { recursive: true });
+
+  const configPath = path.join(movpDir, "config.yaml");
+  if (!fs.existsSync(configPath)) {
+    fs.writeFileSync(configPath, DEFAULT_PROJECT_CONFIG);
+    console.log(`    ${configPath}  → project config (commit this)`);
+  } else {
+    console.log(`    ${configPath}  → already exists, not overwritten`);
+  }
+
+  const localConfigPath = path.join(movpDir, "config.local.yaml");
+  if (!fs.existsSync(localConfigPath)) {
+    fs.writeFileSync(localConfigPath, DEFAULT_LOCAL_CONFIG);
+    console.log(`    ${localConfigPath}  → local overrides (gitignore this)`);
+  }
+
+  // Ensure .movp/config.local.yaml is gitignored
+  const gitignorePath = path.join(cwd, ".gitignore");
+  const gitignoreEntry = ".movp/config.local.yaml";
+  try {
+    let gitignore = fs.existsSync(gitignorePath) ? fs.readFileSync(gitignorePath, "utf8") : "";
+    if (!gitignore.includes(gitignoreEntry)) {
+      fs.appendFileSync(gitignorePath, `\n# MoVP local config\n${gitignoreEntry}\n.env.movp\n`);
+    }
+  } catch { /* gitignore update is best-effort */ }
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// login (RFC 8628 device auth)
+// ─────────────────────────────────────────────────────────────────────────────
+
+async function runLogin() {
+  const bffUrl =
+    process.env.WORKDESK_URL ||
+    process.env.MOVP_BFF_URL ||
+    "https://host.mostviableproduct.com";
+
+  console.log(`\n  MoVP CLI — Device Login\n`);
+  console.log(`  BFF: ${bffUrl}\n`);
+
+  let authorizeRes;
+  try {
+    authorizeRes = await postJSON(bffUrl, "/api/auth/device/authorize", {});
+  } catch (err) {
+    console.error(`  Failed to connect to ${bffUrl}: ${err.message}`);
+    process.exit(1);
+  }
+
+  if (authorizeRes.status !== 200) {
+    console.error(`  Device authorize failed (HTTP ${authorizeRes.status})`);
+    process.exit(1);
+  }
+
+  const { device_code, user_code, verification_uri_complete, expires_in, interval } =
+    authorizeRes.body;
+
+  console.log(`  Your verification code: ${user_code}`);
+  console.log(`\n  Open this URL to approve:\n`);
+  console.log(`    ${verification_uri_complete}\n`);
+  console.log(`  (Code expires in ${Math.round(expires_in / 60)} minutes)\n`);
+
+  try {
+    const { execSync } = require("child_process");
+    const openCmd =
+      process.platform === "darwin" ? `open "${verification_uri_complete}"`
+      : process.platform === "win32" ? `start "" "${verification_uri_complete}"`
+      : `xdg-open "${verification_uri_complete}"`;
+    execSync(openCmd, { stdio: "ignore" });
+  } catch { /* non-fatal */ }
+
+  const pollInterval = Math.max((interval || 5) * 1000, 5000);
+  const deadline = Date.now() + expires_in * 1000;
+
+  process.stdout.write("  Waiting for approval");
+  while (Date.now() < deadline) {
+    await sleep(pollInterval);
+    process.stdout.write(".");
+
+    let tokenRes;
+    try {
+      tokenRes = await postJSON(bffUrl, "/api/auth/device/token", { device_code });
+    } catch {
+      continue;
+    }
+
+    if (tokenRes.status === 404) {
+      console.log("\n  Device code expired.");
+      process.exit(1);
+    }
+
+    if (tokenRes.status === 200) {
+      const { status, user_id, tenant_id } = tokenRes.body;
+      if (status === "authorized") {
+        console.log("\n\n  Login successful!\n");
+        const credPath = writeCredentials(bffUrl, user_id, tenant_id);
+        console.log(`  Credentials: ${credPath}`);
+        console.log(`  User ID:     ${user_id}`);
+        console.log(`  Tenant ID:   ${tenant_id}\n`);
+        return;
+      }
+      if (status === "denied") {
+        console.log("\n  Login denied by user.");
+        process.exit(1);
+      }
+    }
+  }
+
+  console.log("\n  Timed out waiting for approval.");
+  process.exit(1);
+}

package/hook.js

@@ -0,0 +1,111 @@
+#!/usr/bin/env node
+// @movp/cli — PostToolUse hook for Claude Code
+// Reads the tool event from stdin and sends telemetry through the BFF to the
+// Workdesk Gateway. Configured as a PostToolUse hook in .claude/settings.json:
+//
+//   "hooks": { "PostToolUse": [{ "matcher": "", "hooks": [{ "type": "command", "command": "npx @movp/cli hook" }] }] }
+//
+// Required env vars:
+//   WORKDESK_URL      - BFF origin (default: http://localhost:8080)
+//   WORKDESK_API_KEY  - wdg_* key from agent source creation (required)
+//   WORKDESK_TENANT   - Tenant UUID (required)
+// Optional:
+//   WORKDESK_USER     - User UUID (defaults to device-auth credentials, then process.env.USER)
+//   WORKDESK_OUTCOME  - Outcome ID to attribute work to
+//   WORKDESK_REASONING_CHAIN - Reasoning chain ID
+//
+// Credentials written by 'npx @movp/cli login' are read from
+// ~/.config/movp/credentials and used as fallback for WORKDESK_USER and WORKDESK_TENANT.
+
+"use strict";
+
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+
+// Read device-auth credentials from ~/.config/movp/credentials (written by `login` subcommand).
+// Environment variables take precedence over stored credentials.
+function loadCredentials() {
+  try {
+    const credPath = path.join(os.homedir(), ".config", "movp", "credentials");
+    const lines = fs.readFileSync(credPath, "utf8").split("\n");
+    const creds = {};
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith("#")) continue;
+      const eq = trimmed.indexOf("=");
+      if (eq < 0) continue;
+      creds[trimmed.slice(0, eq).trim()] = trimmed.slice(eq + 1).trim();
+    }
+    return creds;
+  } catch {
+    return {};
+  }
+}
+
+const storedCreds = loadCredentials();
+
+const url = process.env.WORKDESK_URL || storedCreds.WORKDESK_URL || "http://localhost:8080";
+const apiKey = process.env.WORKDESK_API_KEY || "";
+const tenant = process.env.WORKDESK_TENANT || storedCreds.WORKDESK_TENANT || "";
+
+// Exit silently if not configured — never block the agent
+if (!apiKey || !tenant) process.exit(0);
+
+let raw = "";
+process.stdin.setEncoding("utf8");
+process.stdin.on("data", (chunk) => { raw += chunk; });
+process.stdin.on("end", () => {
+  let event = {};
+  try { event = JSON.parse(raw); } catch { process.exit(0); }
+
+  const reasoningChainId =
+    event.reasoning_chain_id ||
+    process.env.WORKDESK_REASONING_CHAIN ||
+    "";
+
+  const payload = {
+    hook_type: "PostToolUse",
+    tool_name: event.tool_name || "",
+    tool_input: event.tool_input || {},
+    tool_result: event.tool_result || {},
+    session_id: event.session_id || `ses_${Date.now()}`,
+    tenant_id: tenant,
+    user_id: process.env.WORKDESK_USER || storedCreds.WORKDESK_USER || process.env.USER || "unknown",
+    outcome_id: process.env.WORKDESK_OUTCOME || "",
+    timestamp: new Date().toISOString(),
+    thinking_tokens: event.thinking_tokens || 0,
+    cache_read_tokens: event.cache_read_tokens || 0,
+    cache_creation_tokens: event.cache_creation_tokens || 0,
+    parent_activity_id: event.parent_activity_id || "",
+    reasoning_chain_id: reasoningChainId,
+    progress_pct: event.progress_pct || 0,
+  };
+
+  const body = JSON.stringify(payload);
+
+  // Fire and forget — use Node's built-in https/http, no dependencies
+  const { request } = url.startsWith("https") ? require("https") : require("http");
+  const parsed = new URL(`${url}/api/workdesk/ingest/claude-code`);
+
+  const req = request(
+    {
+      hostname: parsed.hostname,
+      port: parsed.port || (parsed.protocol === "https:" ? 443 : 80),
+      path: parsed.pathname,
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-API-Key": apiKey,
+        "Content-Length": Buffer.byteLength(body),
+      },
+      timeout: 5000,
+    },
+    () => { process.exit(0); }
+  );
+
+  req.on("error", () => { process.exit(0); });
+  req.on("timeout", () => { req.destroy(); process.exit(0); });
+  req.write(body);
+  req.end();
+});

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "@movp/cli",
+  "version": "1.0.0",
+  "description": "MoVP CLI — configure AI coding tools with the MoVP control plane (PostToolUse hook + MCP setup)",
+  "main": "hook.js",
+  "bin": {
+    "movp": "bin/cli.js"
+  },
+  "files": [
+    "bin/",
+    "hook.js"
+  ],
+  "scripts": {
+    "test": "node --test"
+  },
+  "keywords": [
+    "movp",
+    "claude-code",
+    "cursor",
+    "mcp",
+    "telemetry",
+    "adversarial-review"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/MostViableProduct/big-wave-backend.git",
+    "directory": "packages/cli"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}