@nuucognition/cli-core 0.0.1-beta.0

package/dist/index.js

@@ -0,0 +1,1008 @@
+// src/types.ts
+var NUU_ACCOUNT_URL_PROD = "https://account.nuucognition.com";
+var NUU_ACCOUNT_URL_DEV = "http://localhost:3000";
+var TIER_ALIASES = {
+  production: "prod",
+  prod: "prod",
+  experimental: "exp",
+  exp: "exp",
+  development: "dev",
+  dev: "dev"
+};
+function normalizeTier(input) {
+  return TIER_ALIASES[input.toLowerCase()];
+}
+function isValidTier(input) {
+  return normalizeTier(input) !== void 0;
+}
+function normalizeRuntimeMode(input) {
+  const normalized = input.toLowerCase();
+  if (normalized === "prod" || normalized === "production") {
+    return "prod";
+  }
+  if (normalized === "dev" || normalized === "development") {
+    return "dev";
+  }
+  return void 0;
+}
+
+// src/env.ts
+function normalizeSegment(value) {
+  const normalized = value.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  return normalized || value.toUpperCase();
+}
+function scopedEnvPrefix(cliname) {
+  return `NUU_${normalizeSegment(cliname)}`;
+}
+function scopedEnvVarName(cliname, field) {
+  return `${scopedEnvPrefix(cliname)}_${normalizeSegment(field)}`;
+}
+function scopedEnvVar(cliname, field) {
+  return process.env[scopedEnvVarName(cliname, field)];
+}
+function scopedEnvVarTrue(cliname, field) {
+  return parseBoolean(scopedEnvVar(cliname, field)) === true;
+}
+function parseBoolean(value) {
+  if (value === void 0) return void 0;
+  const normalized = value.trim().toLowerCase();
+  if (["1", "true", "yes", "on"].includes(normalized)) return true;
+  if (["0", "false", "no", "off"].includes(normalized)) return false;
+  return void 0;
+}
+function authEnvForMode(mode) {
+  return mode === "dev" ? "dev" : "prod";
+}
+
+// src/config/index.ts
+import { mkdir as mkdir2 } from "fs/promises";
+import { mkdirSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+
+// src/config/io.ts
+import { mkdir, readFile as fsReadFile, writeFile as fsWriteFile } from "fs/promises";
+import { readFileSync as fsReadFileSync } from "fs";
+import { dirname } from "path";
+import { parse as parseToml, stringify as stringifyToml } from "smol-toml";
+async function readConfigFile(path) {
+  try {
+    const content = await fsReadFile(path, "utf-8");
+    return parseToml(content);
+  } catch (error2) {
+    if (error2.code === "ENOENT") {
+      return null;
+    }
+    throw error2;
+  }
+}
+function readConfigFileSync(path) {
+  try {
+    const content = fsReadFileSync(path, "utf-8");
+    return parseToml(content);
+  } catch (error2) {
+    if (error2.code === "ENOENT") {
+      return null;
+    }
+    throw error2;
+  }
+}
+async function writeConfigFile(path, data) {
+  await mkdir(dirname(path), { recursive: true });
+  await fsWriteFile(path, `${stringifyToml(data)}
+`, "utf-8");
+}
+async function setConfigField(path, key, value) {
+  const existing = await readConfigFile(path) ?? {};
+  existing[key] = value;
+  await writeConfigFile(path, existing);
+}
+async function removeConfigField(path, key) {
+  const existing = await readConfigFile(path);
+  if (!existing) return;
+  delete existing[key];
+  await writeConfigFile(path, existing);
+}
+async function setFeatureOverride(path, featureId, enabled) {
+  const existing = await readConfigFile(path) ?? {};
+  const features = existing.features && typeof existing.features === "object" && !Array.isArray(existing.features) ? { ...existing.features } : {};
+  features[featureId] = enabled;
+  existing.features = features;
+  await writeConfigFile(path, existing);
+}
+async function removeFeatureOverride(path, featureId) {
+  const existing = await readConfigFile(path);
+  if (!existing) return;
+  const features = existing.features;
+  if (!features || typeof features !== "object" || Array.isArray(features)) {
+    return;
+  }
+  const next = { ...features };
+  delete next[featureId];
+  if (Object.keys(next).length === 0) {
+    delete existing.features;
+  } else {
+    existing.features = next;
+  }
+  await writeConfigFile(path, existing);
+}
+
+// src/config/index.ts
+var CONFIG_FILENAME = "config.toml";
+function getConfigDir(cliname) {
+  return join(homedir(), ".nuucognition", `.${cliname}`);
+}
+function getConfigPath(cliname) {
+  return join(getConfigDir(cliname), CONFIG_FILENAME);
+}
+async function ensureConfigDir(cliname) {
+  const dir = getConfigDir(cliname);
+  await mkdir2(dir, { recursive: true });
+  return dir;
+}
+function ensureConfigDirSync(cliname) {
+  const dir = getConfigDir(cliname);
+  mkdirSync(dir, { recursive: true });
+  return dir;
+}
+function mergeDefaults(config, defaults) {
+  if (!defaults) return config;
+  return {
+    ...defaults,
+    ...config
+  };
+}
+async function resolveConfig(options) {
+  const fromFile = await readConfigFile(getConfigPath(options.cliname)) ?? {};
+  return mergeDefaults(fromFile, options.defaults);
+}
+function resolveConfigSync(options) {
+  const fromFile = readConfigFileSync(getConfigPath(options.cliname)) ?? {};
+  return mergeDefaults(fromFile, options.defaults);
+}
+
+// src/features/registry.ts
+function createFeatureRegistry(features) {
+  const seen = /* @__PURE__ */ new Set();
+  const duplicates = /* @__PURE__ */ new Set();
+  const immutable = features.map((feature) => {
+    if (seen.has(feature.id)) {
+      duplicates.add(feature.id);
+    }
+    seen.add(feature.id);
+    return Object.freeze({ ...feature });
+  });
+  if (duplicates.size > 0) {
+    throw new Error(`Duplicate feature IDs in registry: ${Array.from(duplicates).join(", ")}`);
+  }
+  return Object.freeze({
+    features: Object.freeze(immutable)
+  });
+}
+function getFeature(registry, id) {
+  return registry.features.find((feature) => feature.id === id);
+}
+function getFeaturesByTier(registry, tier) {
+  return registry.features.filter((feature) => feature.tier === tier);
+}
+function getFeaturesByType(registry, type) {
+  return registry.features.filter((feature) => feature.type === type);
+}
+function getCommandFeatures(registry) {
+  return getFeaturesByType(registry, "command");
+}
+function hasFeature(registry, id) {
+  return registry.features.some((feature) => feature.id === id);
+}
+
+// src/auth/index.ts
+import { createHash, randomBytes } from "crypto";
+import { createServer } from "http";
+import { existsSync, mkdirSync as mkdirSync2, readFileSync } from "fs";
+import { mkdir as mkdir3, readFile, unlink, writeFile } from "fs/promises";
+import { homedir as homedir2 } from "os";
+import { join as join2 } from "path";
+import pc from "picocolors";
+import open from "open";
+var DEFAULT_CALLBACK_PORT = 3847;
+var REFRESH_WINDOW_MS = 2 * 60 * 1e3;
+var CLI_STATE_PARAM = "cli_state";
+var CLI_CODE_CHALLENGE_PARAM = "cli_code_challenge";
+var CLI_CODE_CHALLENGE_METHOD_PARAM = "cli_code_challenge_method";
+var LOGIN_TIMEOUT_MS = 5 * 60 * 1e3;
+var _verbose = false;
+function setAuthVerbose(enabled) {
+  _verbose = enabled;
+}
+function step(message) {
+  console.log(`${pc.blue("\u203A")} ${message}`);
+}
+function detail(message) {
+  if (_verbose) console.log(`  ${pc.dim(message)}`);
+}
+function stepFail(message) {
+  console.error(`${pc.red("\u2717")} ${message}`);
+}
+function hint(message) {
+  console.error(`  ${pc.dim(message)}`);
+}
+function getAuthFilename(env) {
+  return env === "dev" ? "auth.dev.json" : "auth.json";
+}
+function authPath(env) {
+  return join2(getNuuDir(), getAuthFilename(env));
+}
+function getNuuDir() {
+  return join2(homedir2(), ".nuucognition");
+}
+async function ensureNuuDir() {
+  const dir = getNuuDir();
+  await mkdir3(dir, { recursive: true });
+  return dir;
+}
+function ensureNuuDirSync() {
+  const dir = getNuuDir();
+  mkdirSync2(dir, { recursive: true });
+  return dir;
+}
+function expiresAtMs(expiresAt) {
+  if (!expiresAt) return 0;
+  const parsed = Date.parse(expiresAt);
+  return Number.isFinite(parsed) ? parsed : 0;
+}
+function isExpiredAt(expiresAt) {
+  return expiresAtMs(expiresAt) <= Date.now();
+}
+function decodeJwtExpiry(token) {
+  const parts = token.split(".");
+  if (parts.length < 2 || !parts[1]) return void 0;
+  try {
+    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf-8"));
+    if (typeof payload.exp !== "number") return void 0;
+    return new Date(payload.exp * 1e3).toISOString();
+  } catch {
+    return void 0;
+  }
+}
+function normalizeCredentials(credentials) {
+  const jwtExpiry = decodeJwtExpiry(credentials.sessionToken);
+  if (!jwtExpiry || jwtExpiry === credentials.expiresAt) {
+    return credentials;
+  }
+  return {
+    ...credentials,
+    expiresAt: jwtExpiry
+  };
+}
+function hasUsableCredentials(credentials) {
+  if (!credentials) return false;
+  if (!isExpiredAt(credentials.expiresAt)) return true;
+  return !!credentials.refreshToken && !isExpiredAt(credentials.refreshExpiresAt);
+}
+async function exchangeCode(accountUrl, code, codeVerifier) {
+  const exchangeUrl = `${accountUrl.replace(/\/$/, "")}/api/cli/exchange`;
+  detail(`POST ${exchangeUrl}`);
+  let response;
+  try {
+    response = await fetch(exchangeUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ code, codeVerifier })
+    });
+  } catch (cause) {
+    const msg = cause instanceof Error ? cause.message : String(cause);
+    throw new Error(
+      `Could not reach the account service at ${exchangeUrl}
+  ${pc.dim(msg)}
+  ${pc.dim("Is the account app running?")}`
+    );
+  }
+  let payload;
+  try {
+    payload = await response.json();
+  } catch {
+    throw new Error(
+      `Account service returned ${response.status} with a non-JSON body.
+  ${pc.dim(`URL: ${exchangeUrl}`)}`
+    );
+  }
+  detail(`Exchange response: ${response.status} ok=${String(payload.ok)}`);
+  if (!response.ok || !payload.ok) {
+    const serverError = typeof payload.error === "string" ? payload.error : `HTTP ${response.status}`;
+    throw new Error(
+      `Code exchange rejected: ${serverError}
+  ${pc.dim(`URL: ${exchangeUrl}`)}
+  ${pc.dim(`Status: ${response.status}`)}`
+    );
+  }
+  if (!payload.sessionToken || !payload.userId || !payload.email || !payload.expiresAt) {
+    throw new Error(
+      `Code exchange response is missing required fields.
+  ${pc.dim(`Got: ${Object.keys(payload).join(", ")}`)}`
+    );
+  }
+  return {
+    sessionToken: payload.sessionToken,
+    userId: payload.userId,
+    email: payload.email,
+    expiresAt: payload.expiresAt,
+    refreshToken: payload.refreshToken,
+    refreshExpiresAt: payload.refreshExpiresAt
+  };
+}
+function resultHtml(ok, title, message) {
+  const accent = ok ? "#22c55e" : "#ef4444";
+  return `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <title>${title}</title>
+  <style>
+    body { font-family: system-ui, -apple-system, sans-serif; display: grid; place-items: center; min-height: 100vh; margin: 0; background: #fafafa; color: #111; }
+    main { max-width: 28rem; text-align: center; padding: 2.5rem; }
+    .logo { margin-bottom: 1.5rem; }
+    .status { font-size: 0.875rem; font-weight: 500; color: ${accent}; margin-bottom: 0.5rem; }
+    h1 { font-size: 1.25rem; font-weight: 600; margin: 0 0 0.5rem; }
+    p { color: #666; margin: 0; line-height: 1.5; }
+  </style>
+</head>
+<body>
+  <main>
+    <div class="logo">
+      <svg width="40" height="41" viewBox="0 0 281 291" fill="none" xmlns="http://www.w3.org/2000/svg">
+        <path d="M137.498 291L71.1506 94.4027C66.7475 81.416 60.9434 68.6293 53.7382 56.0422C46.5331 43.4552 36.626 37.1617 24.0171 37.1617C18.0128 37.1617 11.4081 38.4603 4.203 41.0576L0 30.5685L74.7532 0L87.9626 0L166.919 230.462L215.854 130.665C224.86 112.684 229.363 98.5984 229.363 88.4088C229.363 80.2173 227.662 68.7291 224.26 53.9443C221.658 43.1555 220.357 35.0638 220.357 29.6694C220.357 9.88977 231.064 0 252.48 0C271.493 0 281 8.99072 281 26.9722C281 44.7539 267.791 78.7189 241.372 128.867L155.511 291L137.498 291Z" fill="#111" fill-rule="evenodd"/>
+      </svg>
+    </div>
+    <h1>${title}</h1>
+    <p>${message}</p>
+  </main>
+</body>
+</html>`;
+}
+async function loadAuth(env = "prod") {
+  try {
+    const content = await readFile(authPath(env), "utf-8");
+    return normalizeCredentials(JSON.parse(content));
+  } catch {
+    return null;
+  }
+}
+function loadAuthSync(env = "prod") {
+  try {
+    ensureNuuDirSync();
+    const path = authPath(env);
+    if (!existsSync(path)) return null;
+    return normalizeCredentials(JSON.parse(readFileSync(path, "utf-8")));
+  } catch {
+    return null;
+  }
+}
+async function saveAuth(creds, env = "prod") {
+  await ensureNuuDir();
+  await writeFile(authPath(env), `${JSON.stringify(normalizeCredentials(creds), null, 2)}
+`, "utf-8");
+}
+async function clearAuth(env = "prod") {
+  try {
+    await unlink(authPath(env));
+  } catch {
+  }
+}
+function hasAuth(env = "prod") {
+  return hasUsableCredentials(loadAuthSync(env));
+}
+async function startLoginFlow(config) {
+  const callbackPort = config.callbackPort ?? DEFAULT_CALLBACK_PORT;
+  const authEnv = config.authEnv ?? "prod";
+  const state = randomBytes(24).toString("base64url");
+  const codeVerifier = randomBytes(32).toString("base64url");
+  const codeChallenge = createHash("sha256").update(codeVerifier).digest("base64url");
+  const cliLabel = config.cliname ?? "nuu";
+  step(`Logging in to ${pc.bold(config.accountUrl)}`);
+  return new Promise((resolve, reject) => {
+    let settled = false;
+    const finish = (fn) => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timeout);
+      server.close();
+      fn();
+    };
+    const server = createServer((req, res) => {
+      const url = new URL(req.url ?? "/", `http://localhost:${callbackPort}`);
+      if (url.pathname !== "/callback") {
+        res.writeHead(404, { "Content-Type": "text/plain" });
+        res.end("Not found");
+        return;
+      }
+      const params = Object.fromEntries(url.searchParams.entries());
+      detail(`Callback received with params: ${JSON.stringify(params)}`);
+      const errorParam = url.searchParams.get("error");
+      if (errorParam) {
+        const errorDesc = url.searchParams.get("error_description") ?? errorParam;
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(resultHtml(false, "Login failed", errorDesc));
+        finish(() => {
+          stepFail(`Account service returned an error: ${errorDesc}`);
+          reject(new Error(errorDesc));
+        });
+        return;
+      }
+      const code = url.searchParams.get("code");
+      const returnedState = url.searchParams.get(CLI_STATE_PARAM);
+      const legacyToken = url.searchParams.get("token");
+      const legacyUserId = url.searchParams.get("userId");
+      const legacyEmail = url.searchParams.get("email");
+      const legacyExpiresAt = url.searchParams.get("expiresAt");
+      if (!code && legacyToken && legacyUserId && legacyEmail && legacyExpiresAt) {
+        detail("Using legacy token flow (PKCE params were lost in redirect chain)");
+        const credentials = {
+          sessionToken: legacyToken,
+          userId: legacyUserId,
+          email: legacyEmail,
+          expiresAt: legacyExpiresAt,
+          refreshToken: url.searchParams.get("refreshToken") ?? void 0,
+          refreshExpiresAt: url.searchParams.get("refreshExpiresAt") ?? void 0
+        };
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(resultHtml(true, "Login successful", "You can close this tab and return to the terminal."));
+        void saveAuth(credentials, authEnv).then(() => finish(() => resolve(credentials))).catch((cause) => {
+          const message = cause instanceof Error ? cause.message : String(cause);
+          finish(() => {
+            stepFail(`Failed to save credentials: ${message}`);
+            reject(new Error(`Failed to save credentials: ${message}`));
+          });
+        });
+        return;
+      }
+      if (!code) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(resultHtml(false, "Login failed", "No authorization code received. Return to the terminal and try again."));
+        finish(() => {
+          stepFail("No authorization code in callback");
+          hint(`Received params: ${Object.keys(params).join(", ") || "(none)"}`);
+          hint("The account service did not return a code or token.");
+          hint(`Try running \`${cliLabel} login\` again.`);
+          reject(new Error("Login failed: no authorization code received"));
+        });
+        return;
+      }
+      if (returnedState !== state) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(resultHtml(false, "Login failed", "State mismatch \u2014 possible CSRF or stale session. Return to the terminal and try again."));
+        finish(() => {
+          stepFail("State mismatch in callback");
+          hint(`Expected cli_state but got: ${returnedState ? "(different value)" : "(missing)"}`);
+          hint("This can happen if the browser sent a stale or cached callback URL.");
+          hint(`Try running \`${cliLabel} login\` again.`);
+          reject(new Error("Login failed: state mismatch"));
+        });
+        return;
+      }
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end(resultHtml(true, "Login successful", "You can close this tab and return to the terminal."));
+      step("Exchanging authorization code for session token...");
+      void exchangeCode(config.accountUrl, code, codeVerifier).then(async (credentials) => {
+        await saveAuth(credentials, authEnv);
+        finish(() => resolve(credentials));
+      }).catch((cause) => {
+        const message = cause instanceof Error ? cause.message : String(cause);
+        finish(() => {
+          stepFail("Code exchange failed");
+          console.error(`  ${message}`);
+          reject(new Error(`Code exchange failed: ${message}`));
+        });
+      });
+    });
+    server.on("error", (err) => {
+      if (err.code === "EADDRINUSE") {
+        stepFail(`Port ${callbackPort} is already in use`);
+        hint("Another process (or a previous login attempt) is using this port.");
+        hint(`Kill it with: lsof -ti :${callbackPort} | xargs kill`);
+        finish(() => reject(new Error(`Port ${callbackPort} is already in use`)));
+      } else {
+        stepFail(`Callback server error: ${err.message}`);
+        finish(() => reject(new Error(`Callback server error: ${err.message}`)));
+      }
+    });
+    server.listen(callbackPort, "127.0.0.1", () => {
+      detail(`Callback server listening on http://127.0.0.1:${callbackPort}`);
+      const cliCallback = `http://localhost:${callbackPort}/callback`;
+      const authUrl = `${config.accountUrl.replace(/\/$/, "")}/cli/callback?cli_callback=${encodeURIComponent(cliCallback)}&${CLI_STATE_PARAM}=${encodeURIComponent(state)}&${CLI_CODE_CHALLENGE_PARAM}=${encodeURIComponent(codeChallenge)}&${CLI_CODE_CHALLENGE_METHOD_PARAM}=S256`;
+      step("Opening browser for authentication...");
+      detail(authUrl);
+      open(authUrl).catch((cause) => {
+        const message = cause instanceof Error ? cause.message : String(cause);
+        finish(() => {
+          stepFail("Could not open browser");
+          hint(message);
+          hint(`Open this URL manually:
+  ${authUrl}`);
+          reject(new Error(`Could not open browser: ${message}`));
+        });
+      });
+    });
+    const timeout = setTimeout(() => {
+      finish(() => {
+        stepFail("Login timed out after 5 minutes");
+        hint("No callback was received from the browser.");
+        hint(`Try running \`${cliLabel} login\` again.`);
+        reject(new Error("Login timed out"));
+      });
+    }, LOGIN_TIMEOUT_MS);
+    timeout.unref();
+  });
+}
+async function refreshAuth(creds, config) {
+  const cliname = config.cliname ?? "nuu";
+  if (!creds.refreshToken) {
+    throw new Error(
+      `No refresh token available.
+  ${pc.dim(`Run \`${cliname} login\` to start a new session.`)}`
+    );
+  }
+  const refreshUrl = `${config.accountUrl.replace(/\/$/, "")}/api/cli/refresh`;
+  detail(`POST ${refreshUrl}`);
+  let response;
+  try {
+    response = await fetch(refreshUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ refreshToken: creds.refreshToken })
+    });
+  } catch (cause) {
+    const msg = cause instanceof Error ? cause.message : String(cause);
+    throw new Error(
+      `Could not reach the account service for token refresh.
+  ${pc.dim(msg)}
+  ${pc.dim(`URL: ${refreshUrl}`)}
+  ${pc.dim(`Run \`${cliname} login\` to re-authenticate.`)}`
+    );
+  }
+  let payload;
+  try {
+    payload = await response.json();
+  } catch {
+    throw new Error(
+      `Account service returned ${response.status} with a non-JSON body during refresh.
+  ${pc.dim(`URL: ${refreshUrl}`)}
+  ${pc.dim(`Run \`${cliname} login\` to re-authenticate.`)}`
+    );
+  }
+  detail(`Refresh response: ${response.status} ok=${String(payload.ok)}`);
+  if (!response.ok || !payload.ok) {
+    const serverError = typeof payload.error === "string" ? payload.error : `HTTP ${response.status}`;
+    throw new Error(
+      `Token refresh rejected: ${serverError}
+  ${pc.dim(`Status: ${response.status}`)}
+  ${pc.dim(`Run \`${cliname} login\` to re-authenticate.`)}`
+    );
+  }
+  if (!payload.sessionToken || !payload.userId || !payload.email || !payload.expiresAt) {
+    throw new Error(
+      `Token refresh response is missing required fields.
+  ${pc.dim(`Got: ${Object.keys(payload).join(", ")}`)}`
+    );
+  }
+  const nextCreds = {
+    sessionToken: payload.sessionToken,
+    userId: payload.userId,
+    email: payload.email,
+    expiresAt: payload.expiresAt,
+    refreshToken: payload.refreshToken ?? creds.refreshToken,
+    refreshExpiresAt: payload.refreshExpiresAt ?? creds.refreshExpiresAt,
+    activeOrg: creds.activeOrg
+  };
+  await saveAuth(nextCreds, config.authEnv ?? "prod");
+  return nextCreds;
+}
+async function getValidAuth(config, env = config.authEnv ?? "prod") {
+  const creds = await loadAuth(env);
+  if (!creds) return null;
+  if (!isExpiredAt(creds.expiresAt)) {
+    return creds;
+  }
+  if (!creds.refreshToken || isExpiredAt(creds.refreshExpiresAt)) {
+    return null;
+  }
+  try {
+    return await refreshAuth(creds, { ...config, authEnv: env });
+  } catch {
+    return null;
+  }
+}
+async function requireValidAuth(config, env = config.authEnv ?? "prod") {
+  const cliname = config.cliname ?? "nuu";
+  const creds = await getValidAuth(config, env);
+  if (!creds) {
+    throw new Error(
+      `Not logged in.
+  ${pc.dim(`Run \`${cliname} login\` to authenticate.`)}`
+    );
+  }
+  return creds;
+}
+function isAuthExpired(credentials) {
+  return isExpiredAt(credentials.expiresAt);
+}
+function shouldRefreshAuth(credentials) {
+  if (!credentials.refreshToken) return false;
+  if (isExpiredAt(credentials.refreshExpiresAt)) return false;
+  return expiresAtMs(credentials.expiresAt) - Date.now() <= REFRESH_WINDOW_MS;
+}
+
+// src/features/runtime.ts
+function isTierEnabled(featureTier, mode) {
+  if (mode === "dev") return true;
+  if (featureTier === "prod") return true;
+  if (featureTier === "exp") return false;
+  return false;
+}
+function resolveModeFromRecord(record) {
+  const raw = record.mode;
+  return typeof raw === "string" ? normalizeRuntimeMode(raw) : void 0;
+}
+function resolveExperimentalFromRecord(record) {
+  const raw = record.experimental;
+  return typeof raw === "boolean" ? raw : void 0;
+}
+function resolveEnabledFeaturesFromRecord(record) {
+  if (!record.features || typeof record.features !== "object" || Array.isArray(record.features)) {
+    return [];
+  }
+  return Object.entries(record.features).filter(([, enabled]) => enabled === true).map(([featureId]) => featureId);
+}
+function buildDefaultMode() {
+  return normalizeRuntimeMode(process.env.BUILD_MODE ?? "") ?? "dev";
+}
+function readRuntimeSync(config, resolvedConfig) {
+  const mode = resolveModeFromRecord(resolvedConfig) ?? buildDefaultMode();
+  const configExperimental = resolveExperimentalFromRecord(resolvedConfig);
+  const experimental = mode === "dev" ? true : configExperimental ?? false;
+  const enabledFeatures = resolveEnabledFeaturesFromRecord(resolvedConfig);
+  const authenticated = hasAuth(authEnvForMode(mode));
+  return {
+    mode,
+    experimental,
+    enabledFeatures,
+    authenticated
+  };
+}
+async function resolveRuntime(config) {
+  const resolvedConfig = await resolveConfig({ cliname: config.cliname });
+  return readRuntimeSync(config, resolvedConfig);
+}
+function resolveRuntimeSync(config) {
+  const resolvedConfig = resolveConfigSync({ cliname: config.cliname });
+  return readRuntimeSync(config, resolvedConfig);
+}
+async function setMode(config, mode) {
+  await setConfigField(getConfigPath(config.cliname), "mode", mode);
+}
+async function resetMode(config) {
+  await removeConfigField(getConfigPath(config.cliname), "mode");
+}
+async function setExperimental(config, enabled) {
+  await setConfigField(getConfigPath(config.cliname), "experimental", enabled);
+}
+async function resetExperimental(config) {
+  await removeConfigField(getConfigPath(config.cliname), "experimental");
+}
+async function setFeatureEnabled(config, featureId, enabled) {
+  await setFeatureOverride(getConfigPath(config.cliname), featureId, enabled);
+}
+async function resetFeatureEnabled(config, featureId) {
+  await removeFeatureOverride(getConfigPath(config.cliname), featureId);
+}
+
+// src/errors.ts
+var CliError = class extends Error {
+  exitCode;
+  code;
+  ref;
+  suggestions;
+  constructor(message, exitCode = 1, code, ref, suggestions) {
+    super(message);
+    this.name = "CliError";
+    this.exitCode = exitCode;
+    this.code = code;
+    this.ref = ref;
+    this.suggestions = suggestions;
+  }
+};
+function tierInstruction(requiredTier, cliname, featureId) {
+  if (requiredTier === "dev") {
+    return [
+      `Run \`${cliname} --dev ${featureId}\` for one invocation`,
+      `or persist dev mode with \`${cliname} mode dev\` when that command exists.`
+    ];
+  }
+  return [
+    `Run \`${cliname} --enable ${featureId}\` for one invocation`,
+    `or set \`[features].${featureId} = true\` in \`~/.nuucognition/.${cliname}/config.toml\`.`
+  ];
+}
+var FeatureNotAvailableError = class extends CliError {
+  constructor(featureId, requiredTier, context, cliname) {
+    const suggestions = tierInstruction(requiredTier, cliname, featureId);
+    super(
+      requiredTier === "dev" ? `Feature '${featureId}' requires dev mode.` : `Feature '${featureId}' requires experimental access.`,
+      1,
+      "FEATURE_NOT_AVAILABLE",
+      void 0,
+      suggestions
+    );
+    this.name = "FeatureNotAvailableError";
+  }
+};
+var AuthRequiredError = class extends CliError {
+  constructor(featureId, cliname) {
+    super(
+      `Feature '${featureId}' requires authentication.`,
+      1,
+      "AUTH_REQUIRED",
+      void 0,
+      [`Run \`${cliname} login\` or \`nuu login\`.`]
+    );
+    this.name = "AuthRequiredError";
+  }
+};
+
+// src/features/guard.ts
+function isTierAvailable(tier, context, featureId) {
+  if (tier === "prod") {
+    return { available: true };
+  }
+  if (tier === "dev") {
+    return context.mode === "dev" ? { available: true } : { available: false, reason: `Feature '${featureId}' requires dev mode.` };
+  }
+  if (context.mode === "dev") {
+    return { available: true };
+  }
+  if (context.experimental || context.enabledFeatures.includes(featureId)) {
+    return { available: true };
+  }
+  return {
+    available: false,
+    reason: `Feature '${featureId}' requires experimental access.`
+  };
+}
+function isFeatureEnabled(registry, id, context) {
+  const feature = getFeature(registry, id);
+  if (!feature) return false;
+  const tier = isTierAvailable(feature.tier, context, id);
+  if (!tier.available) return false;
+  if (feature.requiresAuth && !context.authenticated) return false;
+  return true;
+}
+function requireFeature(registry, id, context, cliname) {
+  const feature = getFeature(registry, id);
+  if (!feature) {
+    throw new CliError(`Unknown feature: ${id}`, 1, "UNKNOWN_FEATURE");
+  }
+  const tier = isTierAvailable(feature.tier, context, id);
+  if (!tier.available) {
+    throw new FeatureNotAvailableError(id, feature.tier, context, cliname);
+  }
+  if (feature.requiresAuth && !context.authenticated) {
+    throw new AuthRequiredError(id, cliname);
+  }
+}
+function checkFeature(registry, id, context) {
+  const feature = getFeature(registry, id);
+  if (!feature) {
+    return {
+      available: false,
+      requiredTier: "dev",
+      currentMode: context.mode,
+      experimental: context.experimental,
+      requiresAuth: false,
+      authenticated: context.authenticated,
+      reason: `Unknown feature: ${id}`
+    };
+  }
+  const tier = isTierAvailable(feature.tier, context, id);
+  if (!tier.available) {
+    return {
+      available: false,
+      requiredTier: feature.tier,
+      currentMode: context.mode,
+      experimental: context.experimental,
+      requiresAuth: feature.requiresAuth,
+      authenticated: context.authenticated,
+      reason: tier.reason
+    };
+  }
+  if (feature.requiresAuth && !context.authenticated) {
+    return {
+      available: false,
+      requiredTier: feature.tier,
+      currentMode: context.mode,
+      experimental: context.experimental,
+      requiresAuth: true,
+      authenticated: false,
+      reason: `Feature '${id}' requires authentication.`
+    };
+  }
+  return {
+    available: true,
+    requiredTier: feature.tier,
+    currentMode: context.mode,
+    experimental: context.experimental,
+    requiresAuth: feature.requiresAuth,
+    authenticated: context.authenticated
+  };
+}
+
+// src/commands/auth.ts
+import { Command } from "commander";
+import cfonts from "cfonts";
+import pc3 from "picocolors";
+
+// src/output/index.ts
+import pc2 from "picocolors";
+function success(message) {
+  console.log(`${pc2.green("\u2713")} ${message}`);
+}
+function error(message) {
+  console.error(`${pc2.red("\u2717")} ${message}`);
+}
+function warn(message) {
+  console.error(`${pc2.yellow("!")} ${message}`);
+}
+function info(message) {
+  console.log(`${pc2.blue("i")} ${message}`);
+}
+function dim(message) {
+  return pc2.dim(message);
+}
+function bold(message) {
+  return pc2.bold(message);
+}
+
+// src/commands/auth.ts
+function resolveEnv(options, fallback = "prod") {
+  return options.dev ? "dev" : fallback;
+}
+function resolveAccountUrl(config, env) {
+  return env === "dev" ? config.devAccountUrl ?? NUU_ACCOUNT_URL_DEV : config.prodAccountUrl ?? NUU_ACCOUNT_URL_PROD;
+}
+function createLoginCommand(config) {
+  const cmd = new Command("login").description("Authenticate with NUU").option("--verbose", "Show detailed debug output");
+  if (config.devAvailable) {
+    cmd.option("--dev", "Use the local development account service");
+  }
+  cmd.action(async (options) => {
+    const authEnv = resolveEnv(options, config.defaultEnv);
+    const cliname = config.cliname ?? "nuu";
+    if (options.verbose) setAuthVerbose(true);
+    try {
+      const credentials = await startLoginFlow({
+        accountUrl: resolveAccountUrl(config, authEnv),
+        authEnv,
+        callbackPort: config.callbackPort,
+        cliname
+      });
+      success(`Logged in as ${pc3.bold(credentials.email)}`);
+      cfonts.say("NUU Cognition", {
+        font: "simple",
+        colors: ["white"],
+        space: false,
+        align: "center"
+      });
+      console.log();
+    } catch (cause) {
+      const message = cause instanceof Error ? cause.message : String(cause);
+      if (!message.startsWith("Login failed") && !message.startsWith("Code exchange failed")) {
+        console.error(`
+${pc3.red("\u2717")} Login failed: ${message}`);
+      }
+      process.exit(1);
+    }
+  });
+  return cmd;
+}
+function createLogoutCommand(config) {
+  const cmd = new Command("logout").description("Clear stored credentials");
+  if (config.devAvailable) {
+    cmd.option("--dev", "Clear development credentials");
+  }
+  cmd.action(async (options) => {
+    const authEnv = resolveEnv(options, config.defaultEnv);
+    await clearAuth(authEnv);
+    success("Logged out");
+  });
+  return cmd;
+}
+function createWhoamiCommand(config) {
+  const cliname = config.cliname ?? "nuu";
+  const cmd = new Command("whoami").description("Show the current identity");
+  if (config.devAvailable) {
+    cmd.option("--dev", "Read development credentials");
+  }
+  cmd.action(async (options) => {
+    const authEnv = resolveEnv(options, config.defaultEnv);
+    const accountUrl = resolveAccountUrl(config, authEnv);
+    const credentials = await getValidAuth(
+      { accountUrl, authEnv, cliname },
+      authEnv
+    );
+    if (!credentials) {
+      const raw = await loadAuth(authEnv);
+      if (!raw) {
+        console.log(pc3.yellow("Not logged in"));
+        console.log(dim(`  Run \`${cliname} login\` to authenticate.`));
+        return;
+      }
+      console.log(`${pc3.bold(raw.email)} ${pc3.red("expired")}`);
+      console.log(pc3.yellow(`
+Session expired. Run \`${cliname} login\` to re-authenticate.`));
+      return;
+    }
+    console.log(`${dim("logged-in:")} ${credentials.email}`);
+    if (credentials.activeOrg) {
+      console.log(`${dim("selected-org:")} ${credentials.activeOrg.name}`);
+    }
+  });
+  return cmd;
+}
+export {
+  AuthRequiredError,
+  CliError,
+  FeatureNotAvailableError,
+  NUU_ACCOUNT_URL_DEV,
+  NUU_ACCOUNT_URL_PROD,
+  TIER_ALIASES,
+  bold,
+  checkFeature,
+  clearAuth,
+  createFeatureRegistry,
+  createLoginCommand,
+  createLogoutCommand,
+  createWhoamiCommand,
+  dim,
+  ensureConfigDir,
+  ensureConfigDirSync,
+  ensureNuuDir,
+  error,
+  getCommandFeatures,
+  getConfigDir,
+  getConfigPath,
+  getFeature,
+  getFeaturesByTier,
+  getFeaturesByType,
+  getNuuDir,
+  getValidAuth,
+  hasAuth,
+  hasFeature,
+  info,
+  isAuthExpired,
+  isFeatureEnabled,
+  isTierEnabled,
+  isValidTier,
+  loadAuth,
+  loadAuthSync,
+  normalizeRuntimeMode,
+  normalizeTier,
+  refreshAuth,
+  requireFeature,
+  requireValidAuth,
+  resetExperimental,
+  resetFeatureEnabled,
+  resetMode,
+  resolveConfig,
+  resolveConfigSync,
+  resolveRuntime,
+  resolveRuntimeSync,
+  saveAuth,
+  scopedEnvVar,
+  scopedEnvVarTrue,
+  setAuthVerbose,
+  setExperimental,
+  setFeatureEnabled,
+  setMode,
+  shouldRefreshAuth,
+  startLoginFlow,
+  success,
+  warn
+};