@nalvietnam/avatar-cli 1.0.0

package/dist/index.js

@@ -0,0 +1,1025 @@
+// @nalvietnam/avatar-cli — built with tsup
+
+// src/index.ts
+import { Command } from "commander";
+
+// src/lib/terminal-logger.ts
+import chalk from "chalk";
+import ora from "ora";
+var log = {
+  info: (m) => process.stdout.write(`${chalk.blue("\u2139")} ${m}
+`),
+  success: (m) => process.stdout.write(`${chalk.green("\u2713")} ${m}
+`),
+  warn: (m) => process.stdout.write(`${chalk.yellow("\u26A0")} ${m}
+`),
+  error: (m) => process.stderr.write(`${chalk.red("\u2717")} ${m}
+`),
+  dim: (m) => process.stdout.write(`${chalk.dim(m)}
+`),
+  plain: (m) => process.stdout.write(`${m}
+`)
+};
+function spinner(text) {
+  return ora({
+    text,
+    spinner: "dots",
+    isEnabled: process.stdout.isTTY ?? false
+  }).start();
+}
+
+// src/lib/not-implemented-stub.ts
+function notImplementedYet(commandName, milestone) {
+  return () => {
+    process.stdout.write(
+      `${chalk.yellow("\u23F3")} ${chalk.bold(`avatar ${commandName}`)} \u2014 ch\u01B0a implement \u1EDF milestone hi\u1EC7n t\u1EA1i.
+`
+    );
+    if (milestone) {
+      process.stdout.write(`   D\u1EF1 ki\u1EBFn: ${chalk.cyan(milestone)}
+`);
+    }
+    process.stdout.write("   Spec \u0111\xE3 c\xF3 trong avatar-cli-implementation_4.html.\n");
+    process.exit(0);
+  };
+}
+
+// src/commands/commit.ts
+function registerCommitCommand(program2) {
+  program2.command("commit").description("Commit code kh\xE1ch (src/) ho\u1EB7c Avatar state ri\xEAng \u2014 ch\u1EC9 client mode (M07)").option("--src", "Commit src/ \u2192 client remote").option("--avatar", "Commit Avatar state \u2192 workspace remote").option("--both", "Commit c\u1EA3 hai (src tr\u01B0\u1EDBc, avatar sau)").option("-m, --message <msg>", "Commit message").option("--push", "T\u1EF1 \u0111\u1ED9ng push sau khi commit").action(notImplementedYet("commit", "Milestone 07"));
+}
+
+// src/commands/doctor.ts
+import { spawnSync } from "child_process";
+import { promises as fs3 } from "fs";
+import { join as join6 } from "path";
+import boxen from "boxen";
+
+// src/lib/filesystem-helpers.ts
+import { constants, promises as fs } from "fs";
+import { dirname, join, relative } from "path";
+async function pathExists(path) {
+  try {
+    await fs.access(path, constants.F_OK);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function ensureDir(path) {
+  await fs.mkdir(path, { recursive: true });
+}
+async function readText(path) {
+  return await fs.readFile(path, "utf8");
+}
+async function readJson(path) {
+  return JSON.parse(await readText(path));
+}
+async function writeTextAtomic(path, content, mode) {
+  await ensureDir(dirname(path));
+  const tmp = `${path}.tmp-${process.pid}-${Date.now()}`;
+  await fs.writeFile(tmp, content, "utf8");
+  if (mode !== void 0) {
+    await fs.chmod(tmp, mode);
+  }
+  await fs.rename(tmp, path);
+}
+async function writeJsonAtomic(path, data, mode) {
+  await writeTextAtomic(path, `${JSON.stringify(data, null, 2)}
+`, mode);
+}
+
+// src/lib/git-operations.ts
+import { join as join2 } from "path";
+import { simpleGit } from "simple-git";
+function git(cwd = process.cwd()) {
+  return simpleGit({ baseDir: cwd, binary: "git" });
+}
+async function isGitRepo(cwd = process.cwd()) {
+  return await pathExists(join2(cwd, ".git"));
+}
+async function addSubmodule(repoUrl, destPath, cwd = process.cwd()) {
+  await git(cwd).subModule(["add", repoUrl, destPath]);
+}
+async function checkoutTagInSubmodule(submodulePath, tag, cwd = process.cwd()) {
+  const submoduleCwd = join2(cwd, submodulePath);
+  await git(submoduleCwd).fetch(["--tags"]);
+  await git(submoduleCwd).checkout(tag);
+}
+async function listTags(cwd = process.cwd()) {
+  const result = await git(cwd).tags();
+  return result.all;
+}
+async function latestTag(cwd = process.cwd()) {
+  const tags = await listTags(cwd);
+  return tags.length > 0 ? tags[tags.length - 1] ?? null : null;
+}
+async function currentCommitSha(cwd = process.cwd()) {
+  const result = await git(cwd).revparse(["HEAD"]);
+  return result.trim();
+}
+
+// src/lib/project-tree-scaffolder.ts
+import { promises as fs2 } from "fs";
+import { join as join4 } from "path";
+
+// src/lib/template-bundle-loader.ts
+import { dirname as dirname2, join as join3 } from "path";
+import { fileURLToPath } from "url";
+
+// src/lib/mustache-template-engine.ts
+var TEMPLATE_PATTERN = /\{\{\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g;
+function renderTemplate(source, variables) {
+  return source.replace(TEMPLATE_PATTERN, (match, key) => {
+    const value = variables[key];
+    if (value === void 0) return match;
+    return String(value);
+  });
+}
+
+// src/lib/template-bundle-loader.ts
+var HERE = dirname2(fileURLToPath(import.meta.url));
+var TEMPLATES_ROOT = join3(HERE, "..", "src", "templates");
+var HOOKS_ROOT = join3(HERE, "..", "src", "hooks");
+async function loadTemplate(name) {
+  return await readText(join3(TEMPLATES_ROOT, `${name}.tpl`));
+}
+async function renderTemplateByName(name, variables) {
+  const source = await loadTemplate(name);
+  return renderTemplate(source, variables);
+}
+async function loadHook(name) {
+  return await readText(join3(HOOKS_ROOT, `${name}.sh.tpl`));
+}
+
+// src/lib/project-tree-scaffolder.ts
+var CLAUDE_SUBDIRS = ["project", "state", "_pending", "_backup"];
+var PROJECT_KNOWLEDGE_TEMPLATES = [
+  "project/tech-stack.md",
+  "project/conventions.md",
+  "project/architecture.md",
+  "project/domain.md",
+  "project/gotchas.md"
+];
+async function createClaudeDirTree(projectRoot) {
+  const claudeRoot = join4(projectRoot, ".claude");
+  await ensureDir(claudeRoot);
+  for (const sub of CLAUDE_SUBDIRS) {
+    const dir = join4(claudeRoot, sub);
+    await ensureDir(dir);
+    await writeTextAtomic(join4(dir, ".gitkeep"), "");
+  }
+}
+async function writeProjectKnowledgeFiles(projectRoot, vars) {
+  const baseVars = {
+    ...vars,
+    primaryLanguage: "(ch\u01B0a scan)",
+    frameworks: "(ch\u01B0a scan)",
+    databases: "(ch\u01B0a scan)",
+    testStack: "(ch\u01B0a scan)",
+    buildStack: "(ch\u01B0a scan)",
+    toolVersions: "(ch\u01B0a scan)",
+    codeStyle: "(ch\u01B0a scan)",
+    namingConvention: "(ch\u01B0a scan)",
+    folderStructure: "(ch\u01B0a scan)",
+    commitConvention: "(ch\u01B0a scan)",
+    linterConfig: "(ch\u01B0a scan)",
+    architectureOverview: "(ch\u01B0a scan)",
+    moduleLayout: "(ch\u01B0a scan)",
+    dataFlow: "(ch\u01B0a scan)",
+    externalIntegrations: "(ch\u01B0a scan)",
+    deploymentTopology: "(ch\u01B0a scan)",
+    domainDescription: "(ch\u01B0a scan)",
+    coreEntities: "(ch\u01B0a scan)",
+    primaryUseCases: "(ch\u01B0a scan)",
+    domainGlossary: "(ch\u01B0a scan)"
+  };
+  for (const tpl of PROJECT_KNOWLEDGE_TEMPLATES) {
+    const content = await renderTemplateByName(tpl, baseVars);
+    const relative2 = tpl.replace(/^project\//, "");
+    const outPath = join4(projectRoot, ".claude", "project", relative2);
+    await writeTextAtomic(outPath, content);
+  }
+}
+async function writeRootClaudeMd(projectRoot, vars) {
+  const content = await renderTemplateByName("CLAUDE.md", vars);
+  await writeTextAtomic(join4(projectRoot, "CLAUDE.md"), content);
+}
+async function writeProjectSettings(projectRoot, vars) {
+  const content = await renderTemplateByName("settings.json", vars);
+  await writeTextAtomic(join4(projectRoot, ".claude", "settings.json"), content);
+}
+async function appendGitignoreEntries(projectRoot) {
+  const path = join4(projectRoot, ".gitignore");
+  const tpl = await renderTemplateByName("gitignore", {});
+  const marker = "# Avatar \u2014 git-ignored entries injected on `avatar init`";
+  let existing = "";
+  if (await pathExists(path)) {
+    existing = await fs2.readFile(path, "utf8");
+    if (existing.includes(marker)) return;
+  }
+  const separator = existing.endsWith("\n") || existing.length === 0 ? "" : "\n";
+  await writeTextAtomic(path, `${existing}${separator}
+${tpl}`);
+}
+async function installGitHook(gitDir, hookName) {
+  const content = await loadHook(hookName);
+  const hooksDir = join4(gitDir, "hooks");
+  await ensureDir(hooksDir);
+  const dest = join4(hooksDir, hookName);
+  await writeTextAtomic(dest, content, 493);
+}
+
+// src/lib/user-config-store.ts
+import { homedir } from "os";
+import { join as join5 } from "path";
+
+// src/types/config-schema.ts
+import { z } from "zod";
+var userConfigSchema = z.object({
+  email: z.string().email(),
+  name: z.string(),
+  access_token: z.string().min(1),
+  refresh_token: z.string().min(1),
+  expires_at: z.string().datetime(),
+  id_token: z.string().min(1)
+});
+var userStateSchema = z.object({
+  installed_tools: z.record(
+    z.string(),
+    z.object({
+      version: z.string().optional(),
+      installed_at: z.string().datetime(),
+      install_method: z.string()
+    })
+  ).default({}),
+  tool_inputs: z.record(z.string(), z.unknown()).default({})
+});
+var projectSettingsSchema = z.object({
+  allowedTools: z.array(z.string()),
+  hooks: z.object({
+    PostToolUse: z.array(z.unknown()).optional()
+  }).partial().optional(),
+  env: z.record(z.string(), z.string()).default({})
+});
+var initModeSchema = z.enum(["internal", "client", "library"]);
+
+// src/lib/user-config-store.ts
+var AVATAR_HOME = join5(homedir(), ".avatar");
+var USER_CONFIG_PATH = join5(AVATAR_HOME, "config.json");
+var USER_STATE_PATH = join5(AVATAR_HOME, "state.json");
+var AUDIT_LOG_PATH = join5(AVATAR_HOME, "audit.log");
+var BACKUPS_DIR = join5(AVATAR_HOME, "backups");
+var SECRET_FILE_MODE = 384;
+async function ensureAvatarHome() {
+  await ensureDir(AVATAR_HOME);
+}
+async function readUserConfig() {
+  if (!await pathExists(USER_CONFIG_PATH)) return null;
+  const raw = await readJson(USER_CONFIG_PATH);
+  const parsed = userConfigSchema.safeParse(raw);
+  if (!parsed.success) return null;
+  return parsed.data;
+}
+async function writeUserConfig(config) {
+  await ensureAvatarHome();
+  await writeJsonAtomic(USER_CONFIG_PATH, config, SECRET_FILE_MODE);
+}
+async function clearUserConfig() {
+  if (await pathExists(USER_CONFIG_PATH)) {
+    const { promises: fs7 } = await import("fs");
+    await fs7.unlink(USER_CONFIG_PATH);
+  }
+}
+function isTokenExpired(config) {
+  const expiresAt = Date.parse(config.expires_at);
+  return Number.isNaN(expiresAt) || expiresAt - Date.now() < 6e4;
+}
+
+// src/commands/doctor.ts
+function registerDoctorCommand(program2) {
+  program2.command("doctor").description("Ch\u1EA9n \u0111o\xE1n c\xE0i \u0111\u1EB7t Avatar: hooks, MCP, login, submodule, ...").option("--fix", "T\u1EF1 \u0111\u1ED9ng fix c\xE1c issue c\xF3 th\u1EC3 fix t\u1EF1 \u0111\u1ED9ng").action(async (opts) => {
+    try {
+      const checks = await runChecks(process.cwd());
+      renderChecks(checks);
+      if (opts.fix) await applyFixes(checks);
+    } catch (err) {
+      log.error(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
+}
+async function runChecks(cwd) {
+  const checks = [];
+  const nodeVer = process.versions.node;
+  const [major, minor] = nodeVer.split(".").map((n) => Number.parseInt(n, 10));
+  const nodeOk = (major ?? 0) > 18 || (major ?? 0) === 18 && (minor ?? 0) >= 17;
+  checks.push({
+    name: "Node.js version",
+    status: nodeOk ? "ok" : "fail",
+    detail: `v${nodeVer}${nodeOk ? "" : " (c\u1EA7n >= 18.17)"}`,
+    fixable: false
+  });
+  const config = await readUserConfig();
+  if (!config) {
+    checks.push({
+      name: "Login status",
+      status: "fail",
+      detail: "Ch\u01B0a \u0111\u0103ng nh\u1EADp \u2014 ch\u1EA1y 'avatar login'",
+      fixable: false
+    });
+  } else if (isTokenExpired(config)) {
+    checks.push({
+      name: "Login status",
+      status: "warn",
+      detail: `Token h\u1EBFt h\u1EA1n (${config.email}) \u2014 ch\u1EA1y 'avatar login'`,
+      fixable: false
+    });
+  } else {
+    checks.push({
+      name: "Login status",
+      status: "ok",
+      detail: `Logged in: ${config.email}`,
+      fixable: false
+    });
+  }
+  const gitRepo = await isGitRepo(cwd);
+  checks.push({
+    name: "Git repository",
+    status: gitRepo ? "ok" : "warn",
+    detail: gitRepo ? cwd : "Kh\xF4ng ph\u1EA3i git repo (c\u1EA7n cho 'avatar init')",
+    fixable: false
+  });
+  const packPath = join6(cwd, ".claude", "pack");
+  const hasPack = await pathExists(packPath);
+  checks.push({
+    name: "team-ai-pack submodule",
+    status: hasPack ? "ok" : "warn",
+    detail: hasPack ? packPath : "Avatar ch\u01B0a init \u2014 ch\u1EA1y 'avatar init'",
+    fixable: false
+  });
+  const claudeMdPath = join6(cwd, "CLAUDE.md");
+  const hasClaudeMd = await pathExists(claudeMdPath);
+  checks.push({
+    name: "CLAUDE.md",
+    status: hasClaudeMd ? "ok" : "warn",
+    detail: hasClaudeMd ? "t\u1ED3n t\u1EA1i \u1EDF project root" : "thi\u1EBFu \u2014 ch\u1EA1y 'avatar init'",
+    fixable: false
+  });
+  const hookPath = join6(cwd, ".git", "hooks", "post-merge");
+  const hasHook = await pathExists(hookPath);
+  if (gitRepo && hasPack) {
+    checks.push({
+      name: "Git hook post-merge",
+      status: hasHook ? "ok" : "fail",
+      detail: hasHook ? "installed" : "missing \u2014 fixable",
+      fixable: !hasHook,
+      fix: hasHook ? void 0 : async () => {
+        await installGitHook(join6(cwd, ".git"), "post-merge");
+      }
+    });
+  }
+  const gitignorePath = join6(cwd, ".gitignore");
+  if (gitRepo) {
+    let gitignoreOk = false;
+    if (await pathExists(gitignorePath)) {
+      const content = await fs3.readFile(gitignorePath, "utf8");
+      gitignoreOk = content.includes(".claude/_pending/");
+    }
+    checks.push({
+      name: ".gitignore Avatar entries",
+      status: gitignoreOk ? "ok" : hasPack ? "fail" : "warn",
+      detail: gitignoreOk ? "c\xF3 .claude/_pending/, .claude/_backup/" : "thi\u1EBFu entries",
+      fixable: false
+    });
+  }
+  const which = spawnSync("which", ["claude"]);
+  const hasClaudeCli = which.status === 0;
+  checks.push({
+    name: "Claude Code CLI",
+    status: hasClaudeCli ? "ok" : "warn",
+    detail: hasClaudeCli ? which.stdout.toString().trim() : "kh\xF4ng t\xECm th\u1EA5y 'claude' tr\xEAn PATH",
+    fixable: false
+  });
+  return checks;
+}
+function renderChecks(checks) {
+  const lines = [chalk.bold("Avatar Doctor"), "\u2500".repeat(48)];
+  let passed = 0;
+  let issues = 0;
+  let fixable = 0;
+  for (const c of checks) {
+    const icon = c.status === "ok" ? chalk.green("\u2713") : c.status === "warn" ? chalk.yellow("\u26A0") : chalk.red("\u2717");
+    lines.push(`${icon} ${c.name.padEnd(28)} ${chalk.dim(c.detail)}`);
+    if (c.status === "ok") passed += 1;
+    else {
+      issues += 1;
+      if (c.fixable) fixable += 1;
+    }
+  }
+  lines.push("\u2500".repeat(48));
+  lines.push(
+    `${passed} checks passed, ${issues} issue${issues === 1 ? "" : "s"}${fixable > 0 ? ` (${fixable} fixable \u2014 ch\u1EA1y 'avatar doctor --fix')` : ""}`
+  );
+  process.stdout.write(`${boxen(lines.join("\n"), { padding: 1, borderStyle: "round" })}
+`);
+}
+async function applyFixes(checks) {
+  let count = 0;
+  for (const c of checks) {
+    if (c.fixable && c.fix) {
+      try {
+        await c.fix();
+        log.success(`Fixed: ${c.name}`);
+        count += 1;
+      } catch (err) {
+        log.error(`Failed to fix ${c.name}: ${err instanceof Error ? err.message : String(err)}`);
+      }
+    }
+  }
+  if (count === 0) log.dim("Kh\xF4ng c\xF3 g\xEC \u0111\u1EC3 fix t\u1EF1 \u0111\u1ED9ng.");
+}
+
+// src/commands/init.ts
+import { join as join8, resolve } from "path";
+import { confirm, input, select } from "@inquirer/prompts";
+import boxen2 from "boxen";
+
+// src/lib/audit-log-appender.ts
+import { promises as fs4 } from "fs";
+async function appendAuditEntry(action, detail) {
+  await ensureAvatarHome();
+  const entry = {
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    action,
+    ...detail ? { detail } : {}
+  };
+  const line = `${JSON.stringify(entry)}
+`;
+  await fs4.appendFile(AUDIT_LOG_PATH, line, "utf8");
+}
+
+// src/lib/team-pack-submodule-manager.ts
+import { join as join7 } from "path";
+var TEAM_PACK_REPO_URL = "https://github.com/LukeNALS/team-ai-pack.git";
+var TEAM_PACK_RELATIVE_PATH = ".claude/pack";
+async function addTeamPackSubmodule(projectRoot, tag) {
+  await addSubmodule(TEAM_PACK_REPO_URL, TEAM_PACK_RELATIVE_PATH, projectRoot);
+  let target = tag ?? null;
+  if (!target) {
+    target = await latestTag(join7(projectRoot, TEAM_PACK_RELATIVE_PATH));
+  }
+  if (target) {
+    await checkoutTagInSubmodule(TEAM_PACK_RELATIVE_PATH, target, projectRoot);
+  }
+  return { pinnedTag: target };
+}
+async function readPinnedPackVersion(projectRoot) {
+  const submoduleRoot = join7(projectRoot, TEAM_PACK_RELATIVE_PATH);
+  const tag = await latestTag(submoduleRoot);
+  if (tag) return tag;
+  const sha = await currentCommitSha(submoduleRoot);
+  return sha.slice(0, 7);
+}
+
+// src/commands/init.ts
+var AVATAR_CLI_VERSION = "1.0.0";
+function registerInitCommand(program2) {
+  program2.command("init").description("Kh\u1EDFi t\u1EA1o Avatar trong d\u1EF1 \xE1n (3 mode: internal/client/library)").option("--mode <mode>", "internal | client | library").option("--skip-scan", "B\u1ECF qua b\u01B0\u1EDBc project-scanner").option("--pack-version <tag>", "Pin team-ai-pack v\xE0o version c\u1EE5 th\u1EC3").option("--client-repo <url>", "URL git c\u1EE7a client repo (mode=client)").option("--workspace-name <name>", "T\xEAn workspace (mode=client)").option("--workspace-parent <path>", "Th\u01B0 m\u1EE5c cha t\u1EA1o workspace (mode=client)").action(async (opts) => {
+    try {
+      await runInit(opts);
+    } catch (err) {
+      log.error(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
+}
+async function runInit(opts) {
+  const userConfig = await readUserConfig();
+  if (!userConfig || isTokenExpired(userConfig)) {
+    log.error("Ch\u01B0a \u0111\u0103ng nh\u1EADp ho\u1EB7c token \u0111\xE3 h\u1EBFt h\u1EA1n. Ch\u1EA1y 'avatar login' tr\u01B0\u1EDBc.");
+    process.exit(1);
+  }
+  const mode = opts.mode ?? await promptMode();
+  if (mode === "internal") {
+    await runInitInternal(opts, userConfig.email);
+  } else {
+    await runInitClientOrLibrary(opts, mode, userConfig.email);
+  }
+}
+async function promptMode() {
+  return await select({
+    message: "\u0110\xE2y l\xE0 lo\u1EA1i d\u1EF1 \xE1n g\xEC?",
+    choices: [
+      {
+        name: "N\u1ED9i b\u1ED9 NAL (Avatar files commit c\xF9ng code)",
+        value: "internal"
+      },
+      { name: "Client (Pattern A \u2014 t\xE1ch workspace)", value: "client" },
+      { name: "Library/SDK public (t\xE1ch workspace)", value: "library" }
+    ]
+  });
+}
+async function runInitInternal(opts, ownerEmail) {
+  const projectRoot = process.cwd();
+  if (!await isGitRepo(projectRoot)) {
+    throw new Error("Mode internal c\u1EA7n d\u1EF1 \xE1n \u0111\xE3 l\xE0 git repo. Ch\u1EA1y 'git init' tr\u01B0\u1EDBc r\u1ED3i th\u1EED l\u1EA1i.");
+  }
+  if (await pathExists(join8(projectRoot, ".claude"))) {
+    throw new Error(
+      ".claude/ \u0111\xE3 t\u1ED3n t\u1EA1i. Avatar kh\xF4ng override. X\xF3a th\u1EE7 c\xF4ng ho\u1EB7c d\xF9ng mode kh\xE1c."
+    );
+  }
+  const teamOwner = await promptTeamOwner(ownerEmail);
+  const projectName = projectNameOf(projectRoot);
+  const projectDescription = await input({
+    message: "M\xF4 t\u1EA3 ng\u1EAFn 1 d\xF2ng c\u1EE7a d\u1EF1 \xE1n:",
+    default: `Avatar-managed project: ${projectName}`
+  });
+  const sp = spinner(`Th\xEAm submodule team-ai-pack t\u1EEB ${TEAM_PACK_REPO_URL}...`);
+  let pinnedTag = null;
+  try {
+    const result = await addTeamPackSubmodule(projectRoot, opts.packVersion);
+    pinnedTag = result.pinnedTag;
+    sp.succeed(`\u0110\xE3 pin team-ai-pack v\xE0o ${pinnedTag ?? "HEAD"}`);
+  } catch (err) {
+    sp.fail("Add submodule th\u1EA5t b\u1EA1i");
+    throw err;
+  }
+  const vars = buildScaffoldVariables({
+    projectName,
+    projectDescription,
+    teamOwner,
+    packVersion: pinnedTag ?? "HEAD",
+    mode: "internal"
+  });
+  await createClaudeDirTree(projectRoot);
+  await writeProjectKnowledgeFiles(projectRoot, vars);
+  await writeRootClaudeMd(projectRoot, vars);
+  await writeProjectSettings(projectRoot, vars);
+  await appendGitignoreEntries(projectRoot);
+  await installGitHook(join8(projectRoot, ".git"), "post-merge");
+  log.success("C\xE0i git hook post-merge");
+  await appendAuditEntry("init", `mode=internal,project=${projectName}`);
+  await maybeCommit(projectRoot, "internal");
+  printInitSuccessBox(projectRoot, "internal");
+}
+async function runInitClientOrLibrary(opts, mode, ownerEmail) {
+  const teamOwner = await promptTeamOwner(ownerEmail);
+  const clientRepoUrl = opts.clientRepo ?? await input({
+    message: "URL git c\u1EE7a client repo:",
+    validate: (v) => v.length > 0 ? true : "URL b\u1EAFt bu\u1ED9c"
+  });
+  const inferredName = inferWorkspaceName(clientRepoUrl);
+  const workspaceName = opts.workspaceName ?? await input({
+    message: "T\xEAn workspace:",
+    default: inferredName
+  });
+  const workspaceParent = resolve(opts.workspaceParent ?? "..");
+  const workspacePath = join8(workspaceParent, workspaceName);
+  if (await pathExists(workspacePath)) {
+    throw new Error(`Workspace path \u0111\xE3 t\u1ED3n t\u1EA1i: ${workspacePath}`);
+  }
+  await ensureDir(workspacePath);
+  await git(workspacePath).init();
+  const sp = spinner("Add submodule client repo + team-ai-pack...");
+  try {
+    await git(workspacePath).subModule(["add", clientRepoUrl, "src"]);
+    const result = await addTeamPackSubmodule(workspacePath, opts.packVersion);
+    sp.succeed(`Workspace pin team-ai-pack v\xE0o ${result.pinnedTag ?? "HEAD"}`);
+    const vars = buildScaffoldVariables({
+      projectName: workspaceName,
+      projectDescription: `Avatar ${mode} workspace for ${clientRepoUrl}`,
+      teamOwner,
+      packVersion: result.pinnedTag ?? "HEAD",
+      mode
+    });
+    await createClaudeDirTree(workspacePath);
+    await writeProjectKnowledgeFiles(workspacePath, vars);
+    await writeRootClaudeMd(workspacePath, vars);
+    await writeProjectSettings(workspacePath, vars);
+    await appendGitignoreEntries(workspacePath);
+    await ensureDir(join8(workspacePath, "notes"));
+    await ensureDir(join8(workspacePath, "scripts"));
+    await installGitHook(join8(workspacePath, ".git"), "post-merge");
+    await installGitHook(join8(workspacePath, "src", ".git"), "pre-push");
+    log.success("C\xE0i post-merge (workspace) + pre-push (src/)");
+    await appendAuditEntry("init", `mode=${mode},workspace=${workspaceName}`);
+    await maybeCommitWorkspace(workspacePath);
+    printInitSuccessBox(workspacePath, mode);
+  } catch (err) {
+    sp.fail("Init workspace th\u1EA5t b\u1EA1i");
+    throw err;
+  }
+}
+function projectNameOf(projectRoot) {
+  return projectRoot.split("/").filter(Boolean).pop() ?? "avatar-project";
+}
+function inferWorkspaceName(repoUrl) {
+  const m = repoUrl.match(/[/:]([^/]+?)(\.git)?$/);
+  const base = m?.[1] ?? "client";
+  return `avatar-${base}-workspace`;
+}
+async function promptTeamOwner(currentUserEmail) {
+  return await input({
+    message: "Team owner email:",
+    default: currentUserEmail
+  });
+}
+function buildScaffoldVariables(args) {
+  return {
+    projectName: args.projectName,
+    projectDescription: args.projectDescription,
+    teamOwner: args.teamOwner,
+    avatarVersion: AVATAR_CLI_VERSION,
+    packVersion: args.packVersion,
+    lastScan: (/* @__PURE__ */ new Date()).toISOString(),
+    mode: args.mode
+  };
+}
+async function maybeCommit(projectRoot, mode) {
+  const wantCommit = await confirm({
+    message: "Commit ngay c\xE1c file Avatar \u0111\xE3 t\u1EA1o?",
+    default: true
+  });
+  if (!wantCommit) return;
+  const g = git(projectRoot);
+  await g.add([".claude/", "CLAUDE.md", ".gitignore", ".gitmodules"]);
+  await g.commit(`chore: initialize Avatar in ${mode} mode`);
+  log.success("\u0110\xE3 commit");
+}
+async function maybeCommitWorkspace(workspacePath) {
+  const wantCommit = await confirm({
+    message: "Commit workspace ngay?",
+    default: true
+  });
+  if (!wantCommit) return;
+  const g = git(workspacePath);
+  await g.add(["CLAUDE.md", ".claude/", ".gitignore", ".gitmodules", "notes/", "scripts/"]);
+  await g.commit("chore: initialize Avatar workspace for client");
+  log.success("\u0110\xE3 commit workspace");
+}
+function printInitSuccessBox(rootPath, mode) {
+  const lines = [];
+  if (mode === "internal") {
+    lines.push(`${chalk.green("\u2713")} Avatar \u0111\xE3 s\u1EB5n s\xE0ng trong d\u1EF1 \xE1n`);
+    lines.push("");
+    lines.push(`  ${chalk.cyan("claude")}                    M\u1EDF Claude Code`);
+    lines.push(`  ${chalk.cyan("avatar status")}             Xem snapshot`);
+    lines.push(`  ${chalk.cyan("avatar sync")}               Pull team-ai-pack m\u1EDBi`);
+  } else {
+    lines.push(`${chalk.green("\u2713")} Workspace s\u1EB5n s\xE0ng: ${rootPath}`);
+    lines.push("");
+    lines.push(`  ${chalk.cyan(`cd ${rootPath}`)}`);
+    lines.push(`  ${chalk.cyan("claude")}                    M\u1EDF Claude Code \u1EDF workspace root`);
+    lines.push("");
+    lines.push(`  ${chalk.cyan("avatar commit --src")}       Commit code kh\xE1ch l\xEAn client remote`);
+    lines.push(
+      `  ${chalk.cyan("avatar commit --avatar")}    Commit Avatar state l\xEAn workspace remote`
+    );
+    lines.push(`  ${chalk.cyan("avatar sync")}               Sync team pack`);
+  }
+  process.stdout.write(`${boxen2(lines.join("\n"), { padding: 1, borderStyle: "round" })}
+`);
+}
+
+// src/commands/login.ts
+import boxen3 from "boxen";
+import open from "open";
+
+// src/lib/google-oauth-device-flow.ts
+var GOOGLE_CLIENT_ID = "1014766441755-i4jimivh5rd7vt8phuhmepmt45sovtph.apps.googleusercontent.com";
+var GOOGLE_CLIENT_SECRET = "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";
+var HOSTED_DOMAIN = "nal.vn";
+var SCOPES = ["openid", "email", "profile"];
+var DEVICE_CODE_URL = "https://oauth2.googleapis.com/device/code";
+var TOKEN_URL = "https://oauth2.googleapis.com/token";
+var REVOKE_URL = "https://oauth2.googleapis.com/revoke";
+async function requestDeviceCode() {
+  const body = new URLSearchParams({
+    client_id: GOOGLE_CLIENT_ID,
+    scope: SCOPES.join(" ")
+  });
+  const res = await fetch(DEVICE_CODE_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Device code request failed (${res.status}): ${text}`);
+  }
+  return await res.json();
+}
+async function pollForToken(deviceCode) {
+  const body = new URLSearchParams({
+    client_id: GOOGLE_CLIENT_ID,
+    client_secret: GOOGLE_CLIENT_SECRET,
+    device_code: deviceCode,
+    grant_type: "urn:ietf:params:oauth:grant-type:device_code"
+  });
+  const res = await fetch(TOKEN_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  });
+  if (res.ok) {
+    return await res.json();
+  }
+  let errorCode = "";
+  try {
+    const data = await res.json();
+    errorCode = data.error ?? "";
+  } catch {
+    errorCode = "";
+  }
+  if (errorCode === "authorization_pending" || errorCode === "slow_down") {
+    return null;
+  }
+  if (errorCode === "access_denied") {
+    throw new Error("User t\u1EEB ch\u1ED1i quy\u1EC1n truy c\u1EADp");
+  }
+  if (errorCode === "expired_token") {
+    throw new Error("H\u1EBFt h\u1EA1n ch\u1EDD (5 ph\xFAt). Ch\u1EA1y l\u1EA1i 'avatar login'.");
+  }
+  throw new Error(`OAuth token endpoint tr\u1EA3 l\u1ED7i: ${errorCode || res.status}`);
+}
+function decodeIdToken(idToken) {
+  const parts = idToken.split(".");
+  if (parts.length !== 3) {
+    throw new Error("id_token format kh\xF4ng h\u1EE3p l\u1EC7");
+  }
+  const payload = parts[1];
+  if (!payload) throw new Error("id_token thi\u1EBFu payload");
+  const base64 = payload.replace(/-/g, "+").replace(/_/g, "/");
+  const json = Buffer.from(base64, "base64").toString("utf8");
+  return JSON.parse(json);
+}
+function verifyHostedDomain(claims) {
+  if (claims.hd !== HOSTED_DOMAIN) {
+    throw new Error(
+      `Email kh\xF4ng thu\u1ED9c workspace NAL (y\xEAu c\u1EA7u @${HOSTED_DOMAIN}). Nh\u1EADn: ${claims.email}`
+    );
+  }
+  if (!claims.email_verified) {
+    throw new Error("Email ch\u01B0a \u0111\u01B0\u1EE3c Google verify");
+  }
+}
+function buildUserConfig(token, claims) {
+  const expiresAt = new Date(Date.now() + token.expires_in * 1e3).toISOString();
+  return {
+    email: claims.email,
+    name: claims.name ?? claims.email,
+    access_token: token.access_token,
+    refresh_token: token.refresh_token,
+    expires_at: expiresAt,
+    id_token: token.id_token
+  };
+}
+async function revokeToken(token) {
+  const body = new URLSearchParams({ token });
+  await fetch(REVOKE_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  }).catch(() => {
+  });
+}
+function buildVerificationUrl(response) {
+  const url = new URL(response.verification_url);
+  url.searchParams.set("user_code", response.user_code);
+  url.searchParams.set("hd", HOSTED_DOMAIN);
+  return url.toString();
+}
+
+// src/commands/login.ts
+function registerLoginCommand(program2) {
+  program2.command("login").description("\u0110\u0103ng nh\u1EADp Google SSO (workspace @nal.vn)").option("--reset", "X\xF3a credential c\u0169 v\xE0 \u0111\u0103ng nh\u1EADp l\u1EA1i").action(async (opts) => {
+    try {
+      await runLogin(opts);
+    } catch (err) {
+      log.error(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
+}
+async function runLogin(opts) {
+  if (opts.reset) {
+    await clearUserConfig();
+    await appendAuditEntry("login_reset");
+  } else {
+    const existing = await readUserConfig();
+    if (existing && !isTokenExpired(existing)) {
+      log.success(`\u0110\xE3 \u0111\u0103ng nh\u1EADp: ${existing.email}`);
+      return;
+    }
+  }
+  const deviceSpinner = spinner("\u0110ang y\xEAu c\u1EA7u device code t\u1EEB Google...");
+  let deviceCode;
+  try {
+    deviceCode = await requestDeviceCode();
+    deviceSpinner.succeed("Nh\u1EADn device code");
+  } catch (err) {
+    deviceSpinner.fail("Kh\xF4ng k\u1EBFt n\u1ED1i \u0111\u01B0\u1EE3c Google");
+    throw err;
+  }
+  const verificationUrl = buildVerificationUrl(deviceCode);
+  const instructions = [
+    `1. Truy c\u1EADp:    ${chalk.cyan(deviceCode.verification_url)}`,
+    `2. Nh\u1EADp code:   ${chalk.bold.yellow(deviceCode.user_code)}`,
+    "",
+    `Ho\u1EB7c Avatar t\u1EF1 m\u1EDF browser, click ${chalk.green("Allow")}...`
+  ].join("\n");
+  process.stdout.write(`${boxen3(instructions, { padding: 1, borderStyle: "round" })}
+`);
+  void open(verificationUrl).catch(() => {
+    log.dim("(Kh\xF4ng m\u1EDF \u0111\u01B0\u1EE3c browser t\u1EF1 \u0111\u1ED9ng \u2014 copy URL \u1EDF tr\xEAn)");
+  });
+  const waitSpinner = spinner("\u0110ang ch\u1EDD x\xE1c nh\u1EADn trong browser...");
+  const intervalMs = deviceCode.interval * 1e3;
+  const deadline = Date.now() + deviceCode.expires_in * 1e3;
+  let token = null;
+  while (Date.now() < deadline) {
+    await sleep(intervalMs);
+    try {
+      token = await pollForToken(deviceCode.device_code);
+      if (token) break;
+    } catch (err) {
+      waitSpinner.fail("X\xE1c th\u1EF1c th\u1EA5t b\u1EA1i");
+      throw err;
+    }
+  }
+  if (!token) {
+    waitSpinner.fail("H\u1EBFt h\u1EA1n ch\u1EDD (5 ph\xFAt). Ch\u1EA1y l\u1EA1i 'avatar login'.");
+    process.exit(1);
+  }
+  waitSpinner.succeed("\u0110\xE3 nh\u1EADn token t\u1EEB Google");
+  const claims = decodeIdToken(token.id_token);
+  try {
+    verifyHostedDomain(claims);
+  } catch (err) {
+    await revokeToken(token.access_token);
+    throw err;
+  }
+  const userConfig = buildUserConfig(token, claims);
+  await writeUserConfig(userConfig);
+  await appendAuditEntry("login", userConfig.email);
+  log.success(`X\xE1c th\u1EF1c th\xE0nh c\xF4ng: ${userConfig.email}`);
+  log.success(`Verify hosted domain: ${claims.hd} \u2713`);
+  log.success(`L\u01B0u credential v\xE0o ${USER_CONFIG_PATH} (chmod 600)`);
+}
+function sleep(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
+}
+
+// src/commands/mcp-run.ts
+function registerMcpRunCommand(program2) {
+  program2.command("mcp-run <tool-id>", { hidden: true }).description("[internal] Spawn MCP v\u1EDBi secrets injected (M09)").action(notImplementedYet("mcp-run", "Milestone 09"));
+}
+
+// src/commands/restore.ts
+function registerRestoreCommand(program2) {
+  program2.command("restore").description("Kh\xF4i ph\u1EE5c .claude/pack/ t\u1EEB backup (M08)").option("--backup <name>", "T\xEAn backup folder trong .claude/_backup/").option("--list", "Li\u1EC7t k\xEA c\xE1c backup hi\u1EC7n c\xF3").action(notImplementedYet("restore", "Milestone 08"));
+}
+
+// src/commands/review.ts
+function registerReviewCommand(program2) {
+  program2.command("review").description("Review pending proposals t\u1EEB avatar scan (M08)").option("--accept-all", "Approve m\u1ECDi pending kh\xF4ng h\u1ECFi (CI mode)").option("--reject-all", "X\xF3a m\u1ECDi pending kh\xF4ng h\u1ECFi").action(notImplementedYet("review", "Milestone 08"));
+}
+
+// src/commands/scan.ts
+function registerScanCommand(program2) {
+  program2.command("scan").description("Ch\u1EA1y project scanner v\xE0 \u0111\u1EC1 xu\u1EA5t knowledge update (M06)").option("--incremental", "Ch\u1EC9 scan c\xE1c file thay \u0111\u1ED5i t\u1EEB commit cu\u1ED1i").option("--full", "Scan to\xE0n b\u1ED9 d\u1EF1 \xE1n (default)").option("--scanners <list>", "tech-stack,conventions,architecture,domain,git-pattern").option("--quiet", "Ch\u1EA1y ng\u1EA7m, \xEDt output (d\xF9ng cho git hook)").action(notImplementedYet("scan", "Milestone 06"));
+}
+
+// src/commands/secrets.ts
+function registerSecretsCommand(program2) {
+  const secrets = program2.command("secrets").description("Qu\u1EA3n l\xFD secrets trong OS keychain (M09)");
+  secrets.command("list").description("Li\u1EC7t k\xEA secrets \u0111\xE3 set (ch\u1EC9 t\xEAn, kh\xF4ng value)").action(notImplementedYet("secrets list", "Milestone 09"));
+  secrets.command("set <service> <name>").description("Set/update secret (prompt \u1EA9n)").action(notImplementedYet("secrets set", "Milestone 09"));
+  secrets.command("get <service> <name>").description("L\u1EA5y secret, copy clipboard, auto-x\xF3a sau 30s").action(notImplementedYet("secrets get", "Milestone 09"));
+  secrets.command("rm <service> <name>").description("X\xF3a secret kh\u1ECFi keychain").action(notImplementedYet("secrets rm", "Milestone 09"));
+  secrets.command("check").description("Verify m\u1ECDi secret required b\u1EDFi MCP \u0111\xE3 enabled").action(notImplementedYet("secrets check", "Milestone 09"));
+}
+
+// src/commands/status.ts
+import { promises as fs6 } from "fs";
+import { join as join10 } from "path";
+import boxen4 from "boxen";
+
+// src/lib/pack-backup-manager.ts
+import { promises as fs5 } from "fs";
+import { join as join9 } from "path";
+var BACKUP_DIR_NAME = "_backup";
+async function listBackups(projectRoot) {
+  const dir = join9(projectRoot, ".claude", BACKUP_DIR_NAME);
+  if (!await pathExists(dir)) return [];
+  const entries = await fs5.readdir(dir, { withFileTypes: true });
+  return entries.filter((e) => e.isDirectory()).map((e) => e.name).sort().reverse();
+}
+
+// src/commands/status.ts
+var AVATAR_CLI_VERSION2 = "1.0.0";
+function registerStatusCommand(program2) {
+  program2.command("status").description("Snapshot t\u1EE9c th\xEC: project, pack version, pending, backup").option("--json", "Output JSON cho script").action(async (opts) => {
+    try {
+      const snapshot = await gatherStatus(process.cwd());
+      if (opts.json) {
+        process.stdout.write(`${JSON.stringify(snapshot, null, 2)}
+`);
+      } else {
+        renderStatusBox(snapshot);
+      }
+    } catch (err) {
+      log.error(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
+}
+async function gatherStatus(cwd) {
+  const projectName = cwd.split("/").filter(Boolean).pop() ?? "unknown";
+  const claudeRoot = join10(cwd, ".claude");
+  const hasAvatar = await pathExists(claudeRoot);
+  if (!hasAvatar) {
+    return {
+      projectName,
+      cliVersion: AVATAR_CLI_VERSION2,
+      packVersion: null,
+      pendingCount: 0,
+      backupCount: 0,
+      techStackSummary: "(Avatar ch\u01B0a init)",
+      hasAvatar: false
+    };
+  }
+  const packVersion = await isGitRepo(join10(claudeRoot, "pack")) ? await readPinnedPackVersion(cwd).catch(() => null) : null;
+  const pendingDir = join10(claudeRoot, "_pending");
+  const pendingCount = await pathExists(pendingDir) ? (await fs6.readdir(pendingDir)).filter((n) => n.endsWith(".diff.md")).length : 0;
+  const backupCount = (await listBackups(cwd)).length;
+  const techStackSummary = await readTechStackFirstLine(claudeRoot);
+  return {
+    projectName,
+    cliVersion: AVATAR_CLI_VERSION2,
+    packVersion,
+    pendingCount,
+    backupCount,
+    techStackSummary,
+    hasAvatar: true
+  };
+}
+async function readTechStackFirstLine(claudeRoot) {
+  const techStackPath = join10(claudeRoot, "project", "tech-stack.md");
+  if (!await pathExists(techStackPath)) return "(no tech-stack.md)";
+  const content = await readText(techStackPath);
+  const firstNonHeaderLine = content.split("\n").find((l) => l.trim() && !l.startsWith("#") && !l.startsWith(">"));
+  return firstNonHeaderLine?.trim() ?? "(empty)";
+}
+function renderStatusBox(s) {
+  const lines = [
+    `${chalk.bold("Avatar Status")} \xB7 ${chalk.cyan(s.projectName)}`,
+    "\u2500".repeat(48),
+    `${chalk.dim("CLI version:")}        ${s.cliVersion}`,
+    `${chalk.dim("Pack version:")}       ${s.packVersion ?? chalk.yellow("not installed")}`,
+    `${chalk.dim("Pending changes:")}    ${s.pendingCount}${s.pendingCount > 0 ? chalk.dim(" (avatar review)") : ""}`,
+    `${chalk.dim("Backups:")}            ${s.backupCount}`,
+    `${chalk.dim("Tech stack:")}         ${s.techStackSummary}`
+  ];
+  process.stdout.write(`${boxen4(lines.join("\n"), { padding: 1, borderStyle: "round" })}
+`);
+}
+
+// src/commands/sync.ts
+function registerSyncCommand(program2) {
+  program2.command("sync").description("Pull team-ai-pack m\u1EDBi nh\u1EA5t (M08)").option("--force", "Override .claude/pack/, backup tr\u01B0\u1EDBc").option("--version <tag>", "Pin v\xE0o version c\u1EE5 th\u1EC3").option("--dry-run", "Hi\u1EC3n th\u1ECB changes, kh\xF4ng apply").action(notImplementedYet("sync", "Milestone 08"));
+}
+
+// src/commands/tools.ts
+function registerToolsCommand(program2) {
+  const tools = program2.command("tools").description("Qu\u1EA3n l\xFD system tools + MCP servers (M09)");
+  tools.command("list").description("Li\u1EC7t k\xEA tool \u0111\xE3 c\xE0i / c\xF2n thi\u1EBFu").option("--installed", "Ch\u1EC9 li\u1EC7t k\xEA tool \u0111\xE3 c\xE0i").option("--missing", "Ch\u1EC9 li\u1EC7t k\xEA tool c\xF2n thi\u1EBFu").option("--json", "Output JSON cho script").action(notImplementedYet("tools list", "Milestone 09"));
+  tools.command("install [tool-ids...]").description("C\xE0i tool v\xE0 \u0111\u0103ng k\xFD v\xE0o ~/.claude.json").option("--all-recommended", "C\xE0i m\u1ECDi MCP \u0111\u01B0\u1EE3c recommend cho project type").option("--verify", "Ch\u1EA1y MCP th\u1EED \u0111\u1EC3 verify (m\u1EA5t ~30s/tool)").option("--no-secrets", "Skip prompt secrets, set sau qua 'avatar secrets'").action(notImplementedYet("tools install", "Milestone 09"));
+  tools.command("remove <tool-id>").description("G\u1EE1 tool kh\u1ECFi ~/.claude.json (optional uninstall binary)").option("--keep-secrets", "Kh\xF4ng x\xF3a secrets kh\u1ECFi keychain").option("--keep-binary", "Kh\xF4ng uninstall npm global binary").action(notImplementedYet("tools remove", "Milestone 09"));
+}
+
+// src/index.ts
+var CLI_VERSION = "1.0.0";
+var program = new Command();
+program.name("avatar").description("AI harness CLI for NAL Vietnam engineering").version(CLI_VERSION, "-v, --version", "Hi\u1EC3n th\u1ECB phi\xEAn b\u1EA3n Avatar CLI");
+registerLoginCommand(program);
+registerInitCommand(program);
+registerSyncCommand(program);
+registerScanCommand(program);
+registerReviewCommand(program);
+registerStatusCommand(program);
+registerDoctorCommand(program);
+registerRestoreCommand(program);
+registerCommitCommand(program);
+registerToolsCommand(program);
+registerSecretsCommand(program);
+registerMcpRunCommand(program);
+program.parseAsync(process.argv).catch((err) => {
+  const msg = err instanceof Error ? err.message : String(err);
+  process.stderr.write(`\u2717 L\u1ED7i kh\xF4ng x\u1EED l\xFD \u0111\u01B0\u1EE3c: ${msg}
+`);
+  process.exit(1);
+});
+//# sourceMappingURL=index.js.map