@onklave/agent-cli 0.1.1

package/main.js

@@ -0,0 +1,2644 @@
+#!/usr/bin/env node
+/******/ (() => { // webpackBootstrap
+/******/ 	"use strict";
+/******/ 	var __webpack_modules__ = ([
+/* 0 */,
+/* 1 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.COMMANDS = void 0;
+const login_command_1 = __webpack_require__(2);
+const logout_command_1 = __webpack_require__(9);
+const whoami_command_1 = __webpack_require__(10);
+const run_command_1 = __webpack_require__(11);
+const status_command_1 = __webpack_require__(22);
+const stop_command_1 = __webpack_require__(23);
+const approve_command_1 = __webpack_require__(24);
+const deny_command_1 = __webpack_require__(25);
+const doctor_command_1 = __webpack_require__(26);
+const init_command_1 = __webpack_require__(27);
+const config_command_1 = __webpack_require__(28);
+const register_command_1 = __webpack_require__(29);
+const logs_command_1 = __webpack_require__(30);
+exports.COMMANDS = {
+    login: login_command_1.loginCommand,
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    logout: (_args) => (0, logout_command_1.logoutCommand)(),
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    whoami: (_args) => (0, whoami_command_1.whoamiCommand)(),
+    run: run_command_1.runCommand,
+    status: status_command_1.statusCommand,
+    stop: stop_command_1.stopCommand,
+    approve: approve_command_1.approveCommand,
+    deny: deny_command_1.denyCommand,
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    doctor: (_args) => (0, doctor_command_1.doctorCommand)(),
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    init: (_args) => (0, init_command_1.initCommand)(),
+    config: config_command_1.configCommand,
+    register: register_command_1.registerCommand,
+    logs: logs_command_1.logsCommand,
+};
+
+
+/***/ }),
+/* 2 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.loginCommand = loginCommand;
+const auth_service_1 = __webpack_require__(3);
+const utils_1 = __webpack_require__(8);
+async function loginCommand(args) {
+    const { flags } = (0, utils_1.parseArgs)(args);
+    const authService = new auth_service_1.AuthService();
+    const token = flags['token'];
+    const platformUrl = flags['platform-url'];
+    if (typeof token !== 'string' || !token) {
+        console.log('Onklave Agent CLI — Login\n');
+        console.log('Usage: onklave login --token <token> [--platform-url <url>]\n');
+        console.log('To obtain a token:');
+        console.log('  1. Log in to the Onklave Portal at https://portal.onklave.app');
+        console.log('  2. Navigate to Settings > API Tokens');
+        console.log('  3. Generate a new CLI token');
+        console.log('  4. Run: onklave login --token <your-token>\n');
+        console.log('Note: Browser-based OAuth login will be available in v2.');
+        process.exitCode = 1;
+        return;
+    }
+    const metadata = {};
+    if (typeof platformUrl === 'string') {
+        metadata.platformUrl = platformUrl;
+    }
+    try {
+        await authService.saveToken(token, metadata);
+        console.log('Successfully authenticated with Onklave platform.');
+        console.log(`Credentials saved to ~/.config/onklave/credentials.json`);
+        if (typeof platformUrl === 'string') {
+            console.log(`Platform URL: ${platformUrl}`);
+        }
+    }
+    catch (err) {
+        console.error(`Login failed: ${err.message}`);
+        process.exitCode = 1;
+    }
+}
+
+
+/***/ }),
+/* 3 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.AuthService = void 0;
+const tslib_1 = __webpack_require__(4);
+const fs = tslib_1.__importStar(__webpack_require__(5));
+const path = tslib_1.__importStar(__webpack_require__(6));
+const os = tslib_1.__importStar(__webpack_require__(7));
+const DEFAULT_PLATFORM_URL = 'https://api.onklave.app';
+class AuthService {
+    constructor() {
+        this.configDir = path.join(os.homedir(), '.config', 'onklave');
+        this.credentialsPath = path.join(this.configDir, 'credentials.json');
+    }
+    /**
+     * Ensure the config directory exists with restricted permissions.
+     */
+    ensureConfigDir() {
+        if (!fs.existsSync(this.configDir)) {
+            fs.mkdirSync(this.configDir, { recursive: true, mode: 0o700 });
+        }
+    }
+    /**
+     * Read the stored auth token.
+     */
+    async getToken() {
+        const creds = await this.getCredentials();
+        return creds?.token ?? null;
+    }
+    /**
+     * Save an auth token with optional metadata.
+     */
+    async saveToken(token, metadata) {
+        this.ensureConfigDir();
+        const existing = await this.getCredentials();
+        const credentials = {
+            ...existing,
+            token,
+            platformUrl: metadata?.platformUrl ?? existing?.platformUrl ?? DEFAULT_PLATFORM_URL,
+            userId: metadata?.userId ?? existing?.userId,
+            orgId: metadata?.orgId ?? existing?.orgId,
+            expiresAt: metadata?.expiresAt ?? existing?.expiresAt,
+        };
+        fs.writeFileSync(this.credentialsPath, JSON.stringify(credentials, null, 2), {
+            encoding: 'utf-8',
+            mode: 0o600,
+        });
+        // Ensure permissions are set even if file already existed
+        fs.chmodSync(this.credentialsPath, 0o600);
+    }
+    /**
+     * Remove the stored credentials file.
+     */
+    async clearToken() {
+        if (fs.existsSync(this.credentialsPath)) {
+            fs.unlinkSync(this.credentialsPath);
+        }
+    }
+    /**
+     * Check if a valid (non-expired) token exists.
+     */
+    async isAuthenticated() {
+        const creds = await this.getCredentials();
+        if (!creds?.token) {
+            return false;
+        }
+        if (creds.expiresAt) {
+            const expiry = new Date(creds.expiresAt);
+            if (expiry.getTime() <= Date.now()) {
+                return false;
+            }
+        }
+        return true;
+    }
+    /**
+     * Read the full credentials object from disk.
+     */
+    async getCredentials() {
+        if (!fs.existsSync(this.credentialsPath)) {
+            return null;
+        }
+        try {
+            const raw = fs.readFileSync(this.credentialsPath, 'utf-8');
+            return JSON.parse(raw);
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Save the device token received during machine registration.
+     */
+    async saveDeviceToken(deviceToken, machineId) {
+        this.ensureConfigDir();
+        const existing = await this.getCredentials();
+        if (!existing) {
+            throw new Error('No credentials found. Please log in first with: onklave login --token <token>');
+        }
+        const credentials = {
+            ...existing,
+            deviceToken,
+            machineId,
+        };
+        fs.writeFileSync(this.credentialsPath, JSON.stringify(credentials, null, 2), {
+            encoding: 'utf-8',
+            mode: 0o600,
+        });
+        fs.chmodSync(this.credentialsPath, 0o600);
+    }
+    /**
+     * Get the platform URL from credentials or fallback to default.
+     */
+    async getPlatformUrl() {
+        const creds = await this.getCredentials();
+        return creds?.platformUrl ?? DEFAULT_PLATFORM_URL;
+    }
+}
+exports.AuthService = AuthService;
+
+
+/***/ }),
+/* 4 */
+/***/ ((module) => {
+
+module.exports = require("tslib");
+
+/***/ }),
+/* 5 */
+/***/ ((module) => {
+
+module.exports = require("fs");
+
+/***/ }),
+/* 6 */
+/***/ ((module) => {
+
+module.exports = require("path");
+
+/***/ }),
+/* 7 */
+/***/ ((module) => {
+
+module.exports = require("os");
+
+/***/ }),
+/* 8 */
+/***/ ((__unused_webpack_module, exports) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.parseArgs = parseArgs;
+/**
+ * Parse command-line arguments into flags and positional args.
+ *
+ * Handles:
+ *   --flag value
+ *   --flag=value
+ *   --boolean-flag (no value, treated as true)
+ *   positional arguments
+ */
+function parseArgs(args) {
+    const flags = {};
+    const positional = [];
+    let i = 0;
+    while (i < args.length) {
+        const arg = args[i];
+        if (arg.startsWith('--')) {
+            // Check for --flag=value format
+            const eqIndex = arg.indexOf('=');
+            if (eqIndex !== -1) {
+                const key = arg.slice(2, eqIndex);
+                const value = arg.slice(eqIndex + 1);
+                flags[key] = value;
+                i++;
+                continue;
+            }
+            const key = arg.slice(2);
+            const nextArg = args[i + 1];
+            // If next arg doesn't exist or is another flag, treat as boolean
+            if (!nextArg || nextArg.startsWith('--')) {
+                flags[key] = true;
+                i++;
+            }
+            else {
+                flags[key] = nextArg;
+                i += 2;
+            }
+        }
+        else if (arg.startsWith('-') && arg.length === 2) {
+            // Short flags like -h, -v
+            const key = arg.slice(1);
+            const nextArg = args[i + 1];
+            if (!nextArg || nextArg.startsWith('-')) {
+                flags[key] = true;
+                i++;
+            }
+            else {
+                flags[key] = nextArg;
+                i += 2;
+            }
+        }
+        else {
+            positional.push(arg);
+            i++;
+        }
+    }
+    return { flags, positional };
+}
+
+
+/***/ }),
+/* 9 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.logoutCommand = logoutCommand;
+const auth_service_1 = __webpack_require__(3);
+async function logoutCommand() {
+    const authService = new auth_service_1.AuthService();
+    const isAuth = await authService.isAuthenticated();
+    if (!isAuth) {
+        console.log('Not currently logged in.');
+        return;
+    }
+    try {
+        await authService.clearToken();
+        console.log('Successfully logged out. Credentials removed.');
+    }
+    catch (err) {
+        console.error(`Logout failed: ${err.message}`);
+        process.exitCode = 1;
+    }
+}
+
+
+/***/ }),
+/* 10 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.whoamiCommand = whoamiCommand;
+const auth_service_1 = __webpack_require__(3);
+async function whoamiCommand() {
+    const authService = new auth_service_1.AuthService();
+    const creds = await authService.getCredentials();
+    if (!creds?.token) {
+        console.log('Not logged in. Run: onklave login --token <token>');
+        process.exitCode = 1;
+        return;
+    }
+    const isValid = await authService.isAuthenticated();
+    console.log('Onklave Agent CLI — Identity\n');
+    console.log(`  Platform URL:  ${creds.platformUrl}`);
+    console.log(`  User ID:       ${creds.userId ?? '(not set)'}`);
+    console.log(`  Org ID:        ${creds.orgId ?? '(not set)'}`);
+    console.log(`  Machine ID:    ${creds.machineId ?? '(not registered)'}`);
+    console.log(`  Token status:  ${isValid ? 'valid' : 'expired'}`);
+    if (creds.expiresAt) {
+        console.log(`  Expires at:    ${creds.expiresAt}`);
+    }
+    console.log(`  Device token:  ${creds.deviceToken ? 'present' : 'not set'}`);
+}
+
+
+/***/ }),
+/* 11 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.runCommand = runCommand;
+const auth_service_1 = __webpack_require__(3);
+const config_resolver_1 = __webpack_require__(12);
+const platform_client_1 = __webpack_require__(13);
+const comms_client_1 = __webpack_require__(14);
+const session_manager_1 = __webpack_require__(16);
+const state_publisher_1 = __webpack_require__(18);
+const audit_streamer_1 = __webpack_require__(20);
+const guardrail_enforcer_1 = __webpack_require__(21);
+const events_types_1 = __webpack_require__(19);
+const utils_1 = __webpack_require__(8);
+async function runCommand(args) {
+    const { flags } = (0, utils_1.parseArgs)(args);
+    // Validate required flags
+    const task = flags['task'];
+    if (typeof task !== 'string' || !task) {
+        console.error('Error: --task is required.\n');
+        console.log('Usage: onklave run --task "..." [options]\n');
+        console.log('Options:');
+        console.log('  --task <task>          Task description (required)');
+        console.log('  --context <path>       Working directory (default: .)');
+        console.log('  --persona <name>       Persona to use');
+        console.log('  --workflow <name>      Workflow to execute');
+        console.log('  --model <model>        Model to use');
+        console.log('  --timeout <seconds>    Timeout in seconds (default: 120)');
+        console.log('  --headless             Run without terminal output');
+        console.log('  --api-endpoint <url>   Override platform API endpoint');
+        console.log('  --dry-run              Print resolved config and exit');
+        process.exitCode = 1;
+        return;
+    }
+    // Authenticate
+    const authService = new auth_service_1.AuthService();
+    const isAuth = await authService.isAuthenticated();
+    if (!isAuth) {
+        console.error('Error: Not authenticated. Run: onklave login --token <token>');
+        process.exitCode = 1;
+        return;
+    }
+    const creds = await authService.getCredentials();
+    if (!creds) {
+        console.error('Error: Failed to read credentials.');
+        process.exitCode = 1;
+        return;
+    }
+    // Resolve configuration
+    const configResolver = new config_resolver_1.ConfigResolver();
+    const resolvedConfig = await configResolver.resolve(flags, process.cwd());
+    resolvedConfig.task = task;
+    // Dry run — print config and exit
+    if (resolvedConfig.dryRun) {
+        console.log('Onklave Agent CLI — Dry Run\n');
+        console.log('Resolved configuration:');
+        console.log(JSON.stringify(resolvedConfig, null, 2));
+        return;
+    }
+    // Create platform client
+    const platformClient = new platform_client_1.PlatformClient(resolvedConfig.platformUrl, creds.token);
+    // Create session on platform
+    let sessionId;
+    try {
+        console.log('Creating agent session on Onklave platform...');
+        const result = await platformClient.spawnSession({
+            task: resolvedConfig.task,
+            context: resolvedConfig.context,
+            persona: resolvedConfig.persona,
+            workflow: resolvedConfig.workflow,
+            model: resolvedConfig.model,
+            timeout: resolvedConfig.timeout,
+            machineId: creds.machineId,
+        });
+        sessionId = result.sessionId;
+        console.log(`Session created: ${sessionId}`);
+    }
+    catch (err) {
+        console.error(`Failed to create session: ${err.message}`);
+        process.exitCode = 1;
+        return;
+    }
+    // Connect to comms service
+    const commsClient = new comms_client_1.CommsClient();
+    const statePublisher = new state_publisher_1.StatePublisher(commsClient);
+    const auditStreamer = new audit_streamer_1.AuditStreamer(commsClient);
+    try {
+        console.log('Connecting to Onklave comms service...');
+        await commsClient.connect(resolvedConfig.platformUrl, creds.token);
+        console.log('Connected.');
+    }
+    catch (err) {
+        console.warn(`Warning: Could not connect to comms service: ${err.message}`);
+        console.warn('Session will continue without real-time streaming.');
+    }
+    // Load persona config if specified
+    let personaSystemPrompt = null;
+    if (resolvedConfig.persona) {
+        try {
+            const persona = await platformClient.getPersona(resolvedConfig.persona);
+            personaSystemPrompt = persona.systemPrompt;
+            // Merge persona guardrails
+            if (persona.allowedTools?.length) {
+                resolvedConfig.allowedTools = [
+                    ...new Set([...resolvedConfig.allowedTools, ...persona.allowedTools]),
+                ];
+            }
+            if (persona.deniedTools?.length) {
+                resolvedConfig.deniedTools = [
+                    ...new Set([...resolvedConfig.deniedTools, ...persona.deniedTools]),
+                ];
+            }
+        }
+        catch (err) {
+            console.warn(`Warning: Could not load persona "${resolvedConfig.persona}": ${err.message}`);
+        }
+    }
+    // Set up guardrail enforcer (available for future tool-call interception)
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    const _guardrailEnforcer = new guardrail_enforcer_1.GuardrailEnforcer({
+        rules: resolvedConfig.guardrails,
+        allowedTools: resolvedConfig.allowedTools,
+        deniedTools: resolvedConfig.deniedTools,
+        readablePaths: resolvedConfig.readablePaths,
+        writablePaths: resolvedConfig.writablePaths,
+    });
+    // Build session config
+    const sessionConfig = {
+        task: resolvedConfig.task,
+        context: resolvedConfig.context,
+        persona: resolvedConfig.persona,
+        workflow: resolvedConfig.workflow,
+        model: resolvedConfig.model,
+        timeout: resolvedConfig.timeout,
+        guardrails: resolvedConfig.guardrails,
+        allowedTools: resolvedConfig.allowedTools,
+        deniedTools: resolvedConfig.deniedTools,
+        apiKey: resolvedConfig.apiKey,
+        headless: resolvedConfig.headless,
+        platformUrl: resolvedConfig.platformUrl,
+        orgId: resolvedConfig.orgId,
+        systemPromptAppend: personaSystemPrompt ?? resolvedConfig.systemPromptAppend,
+    };
+    // Publish session started
+    statePublisher.publishSessionStarted(sessionId, sessionConfig);
+    auditStreamer.record({
+        sessionId,
+        type: events_types_1.AuditEventType.STATE_CHANGE,
+        action: 'session_started',
+        details: { task: resolvedConfig.task, model: resolvedConfig.model },
+        outcome: 'success',
+    });
+    // Listen for cancel commands
+    commsClient.onCancel((cancelledId) => {
+        if (cancelledId === sessionId) {
+            console.log('\nSession cancelled by platform.');
+            sessionManager.stopSession(sessionId).catch(() => {
+                /* already exiting */
+            });
+        }
+    });
+    // Listen for approval responses
+    commsClient.onApprovalResponse((response) => {
+        if (response.sessionId === sessionId) {
+            console.log(`\nApproval response: ${response.decision}${response.message ? ` — ${response.message}` : ''}`);
+        }
+    });
+    // Spawn Claude Code subprocess
+    const sessionManager = new session_manager_1.SessionManager();
+    let output = '';
+    console.log(`\nRunning task: ${resolvedConfig.task}`);
+    console.log(`Model: ${resolvedConfig.model}`);
+    console.log(`Context: ${resolvedConfig.context}`);
+    console.log('---\n');
+    // Set up timeout
+    const timeoutMs = resolvedConfig.timeout * 1000;
+    const timeoutHandle = setTimeout(async () => {
+        console.error(`\nSession timed out after ${resolvedConfig.timeout} seconds.`);
+        statePublisher.publishSessionFailed(sessionId, 'Session timed out');
+        await sessionManager.stopSession(sessionId).catch(() => {
+            /* already exiting */
+        });
+        try {
+            await platformClient.cancelSession(sessionId);
+        }
+        catch {
+            // Best effort
+        }
+        process.exitCode = 1;
+    }, timeoutMs);
+    try {
+        await sessionManager.spawnSession(sessionId, sessionConfig, {
+            onStdout: (data) => {
+                output += data;
+                if (!resolvedConfig.headless) {
+                    process.stdout.write(data);
+                }
+                statePublisher.publishActivityUpdate(sessionId, data.trim().slice(0, 200));
+            },
+            onStderr: (data) => {
+                if (!resolvedConfig.headless) {
+                    process.stderr.write(data);
+                }
+                auditStreamer.record({
+                    sessionId,
+                    type: events_types_1.AuditEventType.COMMAND_EXECUTION,
+                    action: 'stderr_output',
+                    details: { data: data.trim().slice(0, 500) },
+                    outcome: 'failure',
+                });
+            },
+            onExit: async (code) => {
+                clearTimeout(timeoutHandle);
+                if (code === 0) {
+                    console.log('\n---');
+                    console.log(`Session ${sessionId} completed successfully.`);
+                    statePublisher.publishSessionCompleted(sessionId, output.trim().slice(-500));
+                    auditStreamer.record({
+                        sessionId,
+                        type: events_types_1.AuditEventType.STATE_CHANGE,
+                        action: 'session_completed',
+                        details: { exitCode: code },
+                        outcome: 'success',
+                    });
+                }
+                else {
+                    console.error(`\n---`);
+                    console.error(`Session ${sessionId} exited with code ${code}.`);
+                    statePublisher.publishSessionFailed(sessionId, `Exit code: ${code}`);
+                    auditStreamer.record({
+                        sessionId,
+                        type: events_types_1.AuditEventType.STATE_CHANGE,
+                        action: 'session_failed',
+                        details: { exitCode: code },
+                        outcome: 'failure',
+                    });
+                    process.exitCode = 1;
+                }
+                // Disconnect comms
+                commsClient.disconnect();
+            },
+        });
+        // Wait for the process to finish
+        await new Promise((resolve) => {
+            const checkInterval = setInterval(() => {
+                if (!sessionManager.isSessionActive(sessionId)) {
+                    clearInterval(checkInterval);
+                    resolve();
+                }
+            }, 500);
+        });
+    }
+    catch (err) {
+        clearTimeout(timeoutHandle);
+        console.error(`Session failed: ${err.message}`);
+        statePublisher.publishSessionFailed(sessionId, err.message);
+        commsClient.disconnect();
+        process.exitCode = 1;
+    }
+}
+
+
+/***/ }),
+/* 12 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.ConfigResolver = void 0;
+const tslib_1 = __webpack_require__(4);
+const fs = tslib_1.__importStar(__webpack_require__(5));
+const path = tslib_1.__importStar(__webpack_require__(6));
+const os = tslib_1.__importStar(__webpack_require__(7));
+const DEFAULT_MODEL = 'claude-sonnet-4-20250514';
+const DEFAULT_TIMEOUT = 120;
+const DEFAULT_PLATFORM_URL = 'https://api.onklave.app';
+class ConfigResolver {
+    /**
+     * Resolve configuration by merging all sources.
+     * Priority: flags > env > .onklave.json > global config > platform defaults
+     */
+    async resolve(flags, cwd) {
+        const projectConfig = this.loadOnklaveJson(cwd);
+        const globalConfig = this.loadGlobalConfig();
+        // Build config layers from lowest to highest priority
+        const defaults = {
+            task: '',
+            context: cwd,
+            persona: null,
+            workflow: null,
+            model: DEFAULT_MODEL,
+            timeout: DEFAULT_TIMEOUT,
+            headless: false,
+            dryRun: false,
+            apiKey: null,
+            apiEndpoint: DEFAULT_PLATFORM_URL,
+            platformUrl: DEFAULT_PLATFORM_URL,
+            orgId: null,
+            allowedTools: [],
+            deniedTools: [],
+            readablePaths: [],
+            writablePaths: [],
+            guardrails: [],
+            systemPromptAppend: null,
+            contextIncludes: [],
+        };
+        const fromGlobal = {};
+        if (globalConfig) {
+            if (globalConfig.platformUrl)
+                fromGlobal.platformUrl = globalConfig.platformUrl;
+            if (globalConfig.platformUrl)
+                fromGlobal.apiEndpoint = globalConfig.platformUrl;
+            if (globalConfig.defaultModel)
+                fromGlobal.model = globalConfig.defaultModel;
+            if (globalConfig.defaultPersona)
+                fromGlobal.persona = globalConfig.defaultPersona;
+            if (globalConfig.defaultTimeout)
+                fromGlobal.timeout = globalConfig.defaultTimeout;
+        }
+        const fromProject = {};
+        if (projectConfig) {
+            if (projectConfig.org)
+                fromProject.orgId = projectConfig.org;
+            if (projectConfig.defaults?.persona)
+                fromProject.persona = projectConfig.defaults.persona;
+            if (projectConfig.defaults?.workflow)
+                fromProject.workflow = projectConfig.defaults.workflow;
+            if (projectConfig.defaults?.model)
+                fromProject.model = projectConfig.defaults.model;
+            if (projectConfig.defaults?.timeout)
+                fromProject.timeout = projectConfig.defaults.timeout;
+            if (projectConfig.permissions?.tools_allowed)
+                fromProject.allowedTools = projectConfig.permissions.tools_allowed;
+            if (projectConfig.permissions?.tools_denied)
+                fromProject.deniedTools = projectConfig.permissions.tools_denied;
+            if (projectConfig.permissions?.paths_readable)
+                fromProject.readablePaths = projectConfig.permissions.paths_readable;
+            if (projectConfig.permissions?.paths_writable)
+                fromProject.writablePaths = projectConfig.permissions.paths_writable;
+            if (projectConfig.guardrails)
+                fromProject.guardrails = projectConfig.guardrails;
+            if (projectConfig.context?.system_prompt_append)
+                fromProject.systemPromptAppend =
+                    projectConfig.context.system_prompt_append;
+            if (projectConfig.context?.includes)
+                fromProject.contextIncludes = projectConfig.context.includes;
+        }
+        const fromEnv = {};
+        if (process.env['ONKLAVE_API_KEY'])
+            fromEnv.apiKey = process.env['ONKLAVE_API_KEY'];
+        if (process.env['ONKLAVE_PLATFORM_URL']) {
+            fromEnv.platformUrl = process.env['ONKLAVE_PLATFORM_URL'];
+            fromEnv.apiEndpoint = process.env['ONKLAVE_PLATFORM_URL'];
+        }
+        if (process.env['ONKLAVE_MODEL'])
+            fromEnv.model = process.env['ONKLAVE_MODEL'];
+        if (process.env['ONKLAVE_ORG_ID'])
+            fromEnv.orgId = process.env['ONKLAVE_ORG_ID'];
+        if (process.env['ANTHROPIC_API_KEY'])
+            fromEnv.apiKey = process.env['ANTHROPIC_API_KEY'];
+        const fromFlags = {};
+        if (typeof flags['task'] === 'string')
+            fromFlags.task = flags['task'];
+        if (typeof flags['context'] === 'string')
+            fromFlags.context = path.resolve(flags['context']);
+        if (typeof flags['persona'] === 'string')
+            fromFlags.persona = flags['persona'];
+        if (typeof flags['workflow'] === 'string')
+            fromFlags.workflow = flags['workflow'];
+        if (typeof flags['model'] === 'string')
+            fromFlags.model = flags['model'];
+        if (typeof flags['timeout'] === 'string')
+            fromFlags.timeout = parseInt(flags['timeout'], 10);
+        if (flags['headless'] === true)
+            fromFlags.headless = true;
+        if (flags['dry-run'] === true)
+            fromFlags.dryRun = true;
+        if (typeof flags['api-endpoint'] === 'string') {
+            fromFlags.apiEndpoint = flags['api-endpoint'];
+            fromFlags.platformUrl = flags['api-endpoint'];
+        }
+        return this.mergeConfigs(defaults, fromGlobal, fromProject, fromEnv, fromFlags);
+    }
+    /**
+     * Load .onklave.json from the given directory.
+     */
+    loadOnklaveJson(cwd) {
+        const filePath = path.join(cwd, '.onklave.json');
+        if (!fs.existsSync(filePath)) {
+            return null;
+        }
+        try {
+            const raw = fs.readFileSync(filePath, 'utf-8');
+            return JSON.parse(raw);
+        }
+        catch (err) {
+            console.error(`Warning: Failed to parse .onklave.json: ${err.message}`);
+            return null;
+        }
+    }
+    /**
+     * Load global config from ~/.config/onklave/config.json.
+     */
+    loadGlobalConfig() {
+        const filePath = path.join(os.homedir(), '.config', 'onklave', 'config.json');
+        if (!fs.existsSync(filePath)) {
+            return null;
+        }
+        try {
+            const raw = fs.readFileSync(filePath, 'utf-8');
+            return JSON.parse(raw);
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Save a value to the global config file.
+     */
+    saveGlobalConfig(key, value) {
+        const configDir = path.join(os.homedir(), '.config', 'onklave');
+        const filePath = path.join(configDir, 'config.json');
+        if (!fs.existsSync(configDir)) {
+            fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
+        }
+        let config = {};
+        if (fs.existsSync(filePath)) {
+            try {
+                config = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+            }
+            catch {
+                // Start fresh
+            }
+        }
+        // Support dot-notation keys
+        const keys = key.split('.');
+        let target = config;
+        for (let i = 0; i < keys.length - 1; i++) {
+            const k = keys[i];
+            if (!target[k] || typeof target[k] !== 'object') {
+                target[k] = {};
+            }
+            target = target[k];
+        }
+        target[keys[keys.length - 1]] = value;
+        fs.writeFileSync(filePath, JSON.stringify(config, null, 2), {
+            encoding: 'utf-8',
+            mode: 0o600,
+        });
+    }
+    /**
+     * Get a value from the global config by dot-notation key.
+     */
+    getGlobalConfigValue(key) {
+        const config = this.loadGlobalConfig();
+        if (!config)
+            return undefined;
+        const keys = key.split('.');
+        let target = config;
+        for (const k of keys) {
+            if (target && typeof target === 'object' && k in target) {
+                target = target[k];
+            }
+            else {
+                return undefined;
+            }
+        }
+        return target;
+    }
+    /**
+     * Merge multiple partial configs, later entries override earlier.
+     */
+    mergeConfigs(...configs) {
+        const result = {};
+        for (const config of configs) {
+            for (const [key, value] of Object.entries(config)) {
+                if (value !== undefined && value !== null && value !== '') {
+                    result[key] = value;
+                }
+            }
+        }
+        return result;
+    }
+}
+exports.ConfigResolver = ConfigResolver;
+
+
+/***/ }),
+/* 13 */
+/***/ ((__unused_webpack_module, exports) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.PlatformClient = void 0;
+class PlatformClient {
+    constructor(baseUrl, token) {
+        this.baseUrl = baseUrl;
+        this.token = token;
+    }
+    /**
+     * Create a new agent session on the platform.
+     */
+    async spawnSession(config) {
+        return this.request('POST', '/api/v1/agent/spawn', config);
+    }
+    /**
+     * Get details for a specific session.
+     */
+    async getSession(sessionId) {
+        return this.request('GET', `/api/v1/agent/sessions/${sessionId}`);
+    }
+    /**
+     * List all active sessions for the authenticated user/machine.
+     */
+    async listSessions() {
+        return this.request('GET', '/api/v1/agent/sessions');
+    }
+    /**
+     * Cancel a running session.
+     */
+    async cancelSession(sessionId) {
+        await this.request('POST', `/api/v1/agent/sessions/${sessionId}/cancel`);
+    }
+    /**
+     * Respond to an approval gate.
+     */
+    async respondToGate(sessionId, decision, value) {
+        await this.request('POST', `/api/v1/agent/sessions/${sessionId}/gate`, {
+            decision,
+            message: value,
+        });
+    }
+    /**
+     * Get session logs from the platform.
+     */
+    async getSessionLogs(sessionId) {
+        return this.request('GET', `/api/v1/agent/sessions/${sessionId}/logs`);
+    }
+    /**
+     * Get a persona configuration by name.
+     */
+    async getPersona(name) {
+        return this.request('GET', `/api/v1/agent/personas/${encodeURIComponent(name)}`);
+    }
+    /**
+     * List all available personas.
+     */
+    async listPersonas() {
+        return this.request('GET', '/api/v1/agent/personas');
+    }
+    /**
+     * Get a workflow configuration by name.
+     */
+    async getWorkflow(name) {
+        return this.request('GET', `/api/v1/agent/workflows/${encodeURIComponent(name)}`);
+    }
+    /**
+     * Register this machine as an agent runner.
+     */
+    async registerMachine(linkingToken, metadata) {
+        return this.request('POST', '/api/v1/runner/register', {
+            linkingToken,
+            metadata,
+        });
+    }
+    /**
+     * Unregister this machine.
+     */
+    async unregisterMachine() {
+        await this.request('POST', '/api/v1/runner/unregister');
+    }
+    /**
+     * List all registered machines.
+     */
+    async listMachines() {
+        return this.request('GET', '/api/v1/runner/machines');
+    }
+    /**
+     * Check platform health.
+     */
+    async healthCheck() {
+        try {
+            const response = await fetch(`${this.baseUrl}/health`, {
+                method: 'GET',
+                headers: { Accept: 'application/json' },
+                signal: AbortSignal.timeout(5000),
+            });
+            return response.ok;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Make an authenticated HTTP request to the platform.
+     */
+    async request(method, path, body) {
+        const url = `${this.baseUrl}${path}`;
+        const headers = {
+            Authorization: `Bearer ${this.token}`,
+            'Content-Type': 'application/json',
+            Accept: 'application/json',
+        };
+        const options = {
+            method,
+            headers,
+            signal: AbortSignal.timeout(30000),
+        };
+        if (body && (method === 'POST' || method === 'PUT' || method === 'PATCH')) {
+            options.body = JSON.stringify(body);
+        }
+        const response = await fetch(url, options);
+        if (!response.ok) {
+            let errorMessage = `Platform API error: ${response.status} ${response.statusText}`;
+            try {
+                const errorBody = await response.json();
+                if (errorBody &&
+                    typeof errorBody === 'object' &&
+                    'message' in errorBody) {
+                    errorMessage = `Platform API error: ${errorBody.message}`;
+                }
+            }
+            catch {
+                // Ignore JSON parse errors for error body
+            }
+            throw new Error(errorMessage);
+        }
+        // Handle empty responses (204, etc.)
+        const contentType = response.headers.get('content-type');
+        if (!contentType || !contentType.includes('application/json')) {
+            return undefined;
+        }
+        const text = await response.text();
+        if (!text) {
+            return undefined;
+        }
+        return JSON.parse(text);
+    }
+}
+exports.PlatformClient = PlatformClient;
+
+
+/***/ }),
+/* 14 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.CommsClient = void 0;
+const socket_io_client_1 = __webpack_require__(15);
+class CommsClient {
+    constructor() {
+        this.socket = null;
+        this.reconnectAttempts = 0;
+        this.maxReconnectAttempts = 10;
+    }
+    /**
+     * Connect to the Onklave comms service via Socket.IO.
+     */
+    async connect(platformUrl, token) {
+        return new Promise((resolve, reject) => {
+            const commsUrl = platformUrl.replace(/\/+$/, '');
+            this.socket = (0, socket_io_client_1.io)(`${commsUrl}/agent`, {
+                auth: { token },
+                transports: ['websocket', 'polling'],
+                reconnection: true,
+                reconnectionAttempts: this.maxReconnectAttempts,
+                reconnectionDelay: 1000,
+                reconnectionDelayMax: 30000,
+                timeout: 10000,
+            });
+            const connectTimeout = setTimeout(() => {
+                if (this.socket && !this.socket.connected) {
+                    this.socket.disconnect();
+                    reject(new Error('WebSocket connection timed out after 10 seconds'));
+                }
+            }, 10000);
+            this.socket.on('connect', () => {
+                clearTimeout(connectTimeout);
+                this.reconnectAttempts = 0;
+                resolve();
+            });
+            this.socket.on('connect_error', (error) => {
+                this.reconnectAttempts++;
+                if (this.reconnectAttempts >= this.maxReconnectAttempts) {
+                    clearTimeout(connectTimeout);
+                    reject(new Error(`WebSocket connection failed after ${this.maxReconnectAttempts} attempts: ${error.message}`));
+                }
+            });
+            this.socket.on('disconnect', (reason) => {
+                if (reason === 'io server disconnect') {
+                    // Server disconnected us, don't reconnect automatically
+                    console.error('[comms] Disconnected by server');
+                }
+            });
+        });
+    }
+    /**
+     * Disconnect from the comms service.
+     */
+    disconnect() {
+        if (this.socket) {
+            this.socket.removeAllListeners();
+            this.socket.disconnect();
+            this.socket = null;
+        }
+    }
+    /**
+     * Check if currently connected.
+     */
+    isConnected() {
+        return this.socket?.connected ?? false;
+    }
+    /**
+     * Emit a state event to the platform.
+     */
+    emitState(event) {
+        this.socket?.emit('agent:state', event);
+    }
+    /**
+     * Emit an audit event to the platform.
+     */
+    emitAudit(event) {
+        this.socket?.emit('agent:audit', event);
+    }
+    /**
+     * Emit a heartbeat to the platform.
+     */
+    emitHeartbeat(data) {
+        this.socket?.emit('agent:heartbeat', data);
+    }
+    /**
+     * Listen for approval responses from the platform.
+     */
+    onApprovalResponse(handler) {
+        this.socket?.on('agent:approval_response', handler);
+    }
+    /**
+     * Listen for session cancel commands from the platform.
+     */
+    onCancel(handler) {
+        this.socket?.on('agent:cancel', (data) => {
+            handler(data.sessionId);
+        });
+    }
+    /**
+     * Listen for remote spawn requests from the platform.
+     */
+    onSpawnRequest(handler) {
+        this.socket?.on('agent:spawn', handler);
+    }
+}
+exports.CommsClient = CommsClient;
+
+
+/***/ }),
+/* 15 */
+/***/ ((module) => {
+
+module.exports = require("socket.io-client");
+
+/***/ }),
+/* 16 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.SessionManager = void 0;
+const child_process_1 = __webpack_require__(17);
+class SessionManager {
+    constructor() {
+        this.activeSessions = new Map();
+    }
+    /**
+     * Spawn a new Claude Code subprocess for an agent session.
+     * Returns the session ID.
+     */
+    async spawnSession(sessionId, config, callbacks = {}) {
+        const args = [];
+        // Build Claude CLI arguments
+        if (config.task) {
+            args.push('--print');
+            args.push(config.task);
+        }
+        if (config.model) {
+            args.push('--model', config.model);
+        }
+        if (config.allowedTools && config.allowedTools.length > 0) {
+            args.push('--allowedTools', config.allowedTools.join(','));
+        }
+        if (config.systemPromptAppend) {
+            args.push('--append-system-prompt', config.systemPromptAppend);
+        }
+        // Build environment
+        const env = { ...process.env };
+        if (config.apiKey) {
+            env['ANTHROPIC_API_KEY'] = config.apiKey;
+        }
+        const child = (0, child_process_1.spawn)('claude', args, {
+            cwd: config.context,
+            env,
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        const managed = {
+            sessionId,
+            process: child,
+            config,
+            startedAt: new Date(),
+        };
+        this.activeSessions.set(sessionId, managed);
+        // Wire up stdout
+        child.stdout?.on('data', (data) => {
+            const text = data.toString();
+            if (callbacks.onStdout) {
+                callbacks.onStdout(text);
+            }
+        });
+        // Wire up stderr
+        child.stderr?.on('data', (data) => {
+            const text = data.toString();
+            if (callbacks.onStderr) {
+                callbacks.onStderr(text);
+            }
+        });
+        // Handle process exit
+        child.on('exit', (code, signal) => {
+            this.activeSessions.delete(sessionId);
+            if (callbacks.onExit) {
+                callbacks.onExit(code, signal);
+            }
+        });
+        // Handle spawn errors
+        child.on('error', (err) => {
+            this.activeSessions.delete(sessionId);
+            if (callbacks.onStderr) {
+                callbacks.onStderr(`Failed to spawn Claude Code: ${err.message}`);
+            }
+            if (callbacks.onExit) {
+                callbacks.onExit(1, null);
+            }
+        });
+        return sessionId;
+    }
+    /**
+     * Stop a specific session by killing its subprocess.
+     */
+    async stopSession(sessionId) {
+        const session = this.activeSessions.get(sessionId);
+        if (!session) {
+            throw new Error(`No active session found with ID: ${sessionId}`);
+        }
+        // Try graceful shutdown first (SIGTERM), then force after timeout
+        session.process.kill('SIGTERM');
+        await new Promise((resolve) => {
+            const forceTimeout = setTimeout(() => {
+                if (session.process.killed === false) {
+                    session.process.kill('SIGKILL');
+                }
+                resolve();
+            }, 5000);
+            session.process.on('exit', () => {
+                clearTimeout(forceTimeout);
+                resolve();
+            });
+        });
+        this.activeSessions.delete(sessionId);
+    }
+    /**
+     * Stop all active sessions.
+     */
+    async stopAll() {
+        const sessionIds = [...this.activeSessions.keys()];
+        const results = await Promise.allSettled(sessionIds.map((id) => this.stopSession(id)));
+        for (let i = 0; i < results.length; i++) {
+            const result = results[i];
+            if (result.status === 'rejected') {
+                console.error(`Failed to stop session ${sessionIds[i]}: ${result.reason}`);
+            }
+        }
+    }
+    /**
+     * Get all active session IDs.
+     */
+    getActiveSessionIds() {
+        return [...this.activeSessions.keys()];
+    }
+    /**
+     * Check if a session is currently active.
+     */
+    isSessionActive(sessionId) {
+        return this.activeSessions.has(sessionId);
+    }
+    /**
+     * Get session details for an active session.
+     */
+    getSession(sessionId) {
+        const session = this.activeSessions.get(sessionId);
+        if (!session)
+            return null;
+        return { config: session.config, startedAt: session.startedAt };
+    }
+}
+exports.SessionManager = SessionManager;
+
+
+/***/ }),
+/* 17 */
+/***/ ((module) => {
+
+module.exports = require("child_process");
+
+/***/ }),
+/* 18 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.StatePublisher = void 0;
+const events_types_1 = __webpack_require__(19);
+class StatePublisher {
+    constructor(commsClient) {
+        this.commsClient = commsClient;
+    }
+    /**
+     * Publish that a session has started.
+     */
+    publishSessionStarted(sessionId, config) {
+        this.emit({
+            sessionId,
+            type: events_types_1.AgentStateEventType.SESSION_STARTED,
+            timestamp: new Date().toISOString(),
+            data: {
+                task: config.task,
+                persona: config.persona,
+                workflow: config.workflow,
+                model: config.model,
+                context: config.context,
+                timeout: config.timeout,
+            },
+        });
+    }
+    /**
+     * Publish an activity update (e.g., "Reading file src/main.ts").
+     */
+    publishActivityUpdate(sessionId, activity) {
+        this.emit({
+            sessionId,
+            type: events_types_1.AgentStateEventType.ACTIVITY_UPDATE,
+            timestamp: new Date().toISOString(),
+            data: { activity },
+        });
+    }
+    /**
+     * Publish a step transition in a workflow.
+     */
+    publishStepTransition(sessionId, step) {
+        this.emit({
+            sessionId,
+            type: events_types_1.AgentStateEventType.STEP_TRANSITION,
+            timestamp: new Date().toISOString(),
+            data: { step },
+        });
+    }
+    /**
+     * Publish that the session is waiting for an approval gate.
+     */
+    publishWaitingApproval(sessionId, gate) {
+        this.emit({
+            sessionId,
+            type: events_types_1.AgentStateEventType.WAITING_APPROVAL,
+            timestamp: new Date().toISOString(),
+            data: { gate },
+        });
+    }
+    /**
+     * Publish that a session completed successfully.
+     */
+    publishSessionCompleted(sessionId, summary) {
+        this.emit({
+            sessionId,
+            type: events_types_1.AgentStateEventType.SESSION_COMPLETED,
+            timestamp: new Date().toISOString(),
+            data: { summary },
+        });
+    }
+    /**
+     * Publish that a session failed.
+     */
+    publishSessionFailed(sessionId, error) {
+        this.emit({
+            sessionId,
+            type: events_types_1.AgentStateEventType.SESSION_FAILED,
+            timestamp: new Date().toISOString(),
+            data: { error },
+        });
+    }
+    emit(event) {
+        if (this.commsClient.isConnected()) {
+            this.commsClient.emitState(event);
+        }
+    }
+}
+exports.StatePublisher = StatePublisher;
+
+
+/***/ }),
+/* 19 */
+/***/ ((__unused_webpack_module, exports) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.AuditEventType = exports.AgentStateEventType = void 0;
+var AgentStateEventType;
+(function (AgentStateEventType) {
+    AgentStateEventType["SESSION_STARTED"] = "session_started";
+    AgentStateEventType["SESSION_COMPLETED"] = "session_completed";
+    AgentStateEventType["SESSION_FAILED"] = "session_failed";
+    AgentStateEventType["SESSION_CANCELLED"] = "session_cancelled";
+    AgentStateEventType["ACTIVITY_UPDATE"] = "activity_update";
+    AgentStateEventType["STEP_TRANSITION"] = "step_transition";
+    AgentStateEventType["WAITING_APPROVAL"] = "waiting_approval";
+    AgentStateEventType["APPROVAL_RECEIVED"] = "approval_received";
+    AgentStateEventType["HEARTBEAT"] = "heartbeat";
+})(AgentStateEventType || (exports.AgentStateEventType = AgentStateEventType = {}));
+var AuditEventType;
+(function (AuditEventType) {
+    AuditEventType["TOOL_CALL"] = "tool_call";
+    AuditEventType["FILE_ACCESS"] = "file_access";
+    AuditEventType["COMMAND_EXECUTION"] = "command_execution";
+    AuditEventType["GUARDRAIL_CHECK"] = "guardrail_check";
+    AuditEventType["APPROVAL_GATE"] = "approval_gate";
+    AuditEventType["STATE_CHANGE"] = "state_change";
+})(AuditEventType || (exports.AuditEventType = AuditEventType = {}));
+
+
+/***/ }),
+/* 20 */
+/***/ ((__unused_webpack_module, exports) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.AuditStreamer = void 0;
+class AuditStreamer {
+    constructor(commsClient) {
+        this.commsClient = commsClient;
+        this.buffer = [];
+        this.maxBufferSize = 1000;
+    }
+    /**
+     * Record and stream an audit event.
+     * If disconnected, events are buffered for later flushing.
+     */
+    record(event) {
+        const fullEvent = {
+            ...event,
+            timestamp: new Date().toISOString(),
+        };
+        if (this.commsClient.isConnected()) {
+            // Flush any buffered events first
+            if (this.buffer.length > 0) {
+                this.flush();
+            }
+            this.commsClient.emitAudit(fullEvent);
+        }
+        else {
+            // Buffer if disconnected
+            this.buffer.push(fullEvent);
+            if (this.buffer.length > this.maxBufferSize) {
+                // Drop oldest events if buffer is full
+                this.buffer = this.buffer.slice(-this.maxBufferSize);
+            }
+        }
+    }
+    /**
+     * Flush all buffered events to the platform.
+     * Called on reconnect or when connection becomes available.
+     */
+    flush() {
+        if (!this.commsClient.isConnected() || this.buffer.length === 0) {
+            return;
+        }
+        const events = [...this.buffer];
+        this.buffer = [];
+        for (const event of events) {
+            this.commsClient.emitAudit(event);
+        }
+    }
+    /**
+     * Get the number of buffered events.
+     */
+    getBufferSize() {
+        return this.buffer.length;
+    }
+}
+exports.AuditStreamer = AuditStreamer;
+
+
+/***/ }),
+/* 21 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.GuardrailEnforcer = void 0;
+const tslib_1 = __webpack_require__(4);
+const path = tslib_1.__importStar(__webpack_require__(6));
+class GuardrailEnforcer {
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Check if a tool call is permitted by the guardrail configuration.
+     */
+    checkToolCall(tool, params) {
+        // Check explicit deny list first
+        if (this.config.deniedTools.length > 0) {
+            for (const denied of this.config.deniedTools) {
+                if (this.matchPattern(tool, denied)) {
+                    return {
+                        allowed: false,
+                        reason: `Tool "${tool}" is explicitly denied`,
+                    };
+                }
+            }
+        }
+        // Check explicit allow list (if set, only listed tools are allowed)
+        if (this.config.allowedTools.length > 0) {
+            const isAllowed = this.config.allowedTools.some((allowed) => this.matchPattern(tool, allowed));
+            if (!isAllowed) {
+                return {
+                    allowed: false,
+                    reason: `Tool "${tool}" is not in the allowed tools list`,
+                };
+            }
+        }
+        // Check guardrail rules
+        for (const rule of this.config.rules) {
+            if (this.matchPattern(tool, rule.match)) {
+                if (rule.action === 'deny') {
+                    return {
+                        allowed: false,
+                        reason: rule.reason ?? `Denied by guardrail rule: ${rule.name}`,
+                    };
+                }
+                if (rule.action === 'require_approval') {
+                    return {
+                        allowed: true,
+                        requiresApproval: true,
+                        reason: rule.reason ?? `Requires approval per rule: ${rule.name}`,
+                    };
+                }
+            }
+        }
+        // Check file paths in params if applicable
+        if (params['path'] && typeof params['path'] === 'string') {
+            const pathResult = this.checkPathAccess(params['path'], 'read');
+            if (!pathResult.allowed) {
+                return pathResult;
+            }
+        }
+        return { allowed: true };
+    }
+    /**
+     * Check if a file path is accessible for the given operation.
+     */
+    checkPathAccess(filePath, operation) {
+        const normalizedPath = path.resolve(filePath);
+        if (operation === 'write' || operation === 'delete') {
+            // Check writable paths
+            if (this.config.writablePaths.length > 0) {
+                const isWritable = this.config.writablePaths.some((wp) => normalizedPath.startsWith(path.resolve(wp)));
+                if (!isWritable) {
+                    return {
+                        allowed: false,
+                        reason: `Path "${filePath}" is not in the writable paths list`,
+                    };
+                }
+            }
+        }
+        if (operation === 'read') {
+            // Check readable paths
+            if (this.config.readablePaths.length > 0) {
+                const isReadable = this.config.readablePaths.some((rp) => normalizedPath.startsWith(path.resolve(rp)));
+                if (!isReadable) {
+                    return {
+                        allowed: false,
+                        reason: `Path "${filePath}" is not in the readable paths list`,
+                    };
+                }
+            }
+        }
+        // Block sensitive paths always
+        const sensitivePatterns = [
+            '.env',
+            'credentials.json',
+            '.ssh',
+            '.gnupg',
+            '.aws/credentials',
+            'id_rsa',
+            'id_ed25519',
+        ];
+        const basename = path.basename(normalizedPath);
+        for (const sensitive of sensitivePatterns) {
+            if (basename === sensitive || normalizedPath.includes(`/${sensitive}`)) {
+                return {
+                    allowed: false,
+                    reason: `Access to sensitive path "${filePath}" is blocked by default`,
+                };
+            }
+        }
+        return { allowed: true };
+    }
+    /**
+     * Check if a shell command is permitted.
+     */
+    checkCommand(command) {
+        // Check guardrail rules that apply to commands
+        for (const rule of this.config.rules) {
+            if (rule.match.startsWith('cmd:')) {
+                const cmdPattern = rule.match.slice(4);
+                if (this.matchPattern(command, cmdPattern)) {
+                    if (rule.action === 'deny') {
+                        return {
+                            allowed: false,
+                            reason: rule.reason ?? `Command denied by guardrail rule: ${rule.name}`,
+                        };
+                    }
+                    if (rule.action === 'require_approval') {
+                        return {
+                            allowed: true,
+                            requiresApproval: true,
+                            reason: rule.reason ??
+                                `Command requires approval per rule: ${rule.name}`,
+                        };
+                    }
+                }
+            }
+        }
+        // Block destructive commands by default
+        const destructivePatterns = [
+            'rm -rf /',
+            'rm -rf ~',
+            'mkfs',
+            'dd if=',
+            ':(){:|:&};:',
+            'chmod -R 777 /',
+        ];
+        for (const pattern of destructivePatterns) {
+            if (command.includes(pattern)) {
+                return {
+                    allowed: false,
+                    reason: `Destructive command pattern detected: "${pattern}"`,
+                };
+            }
+        }
+        return { allowed: true };
+    }
+    /**
+     * Check if an approval gate should trigger for the given tool call.
+     */
+    shouldTriggerApproval(tool, params) {
+        const result = this.checkToolCall(tool, params);
+        return result.requiresApproval === true;
+    }
+    /**
+     * Match a value against a pattern (supports simple glob with *).
+     */
+    matchPattern(value, pattern) {
+        if (pattern === '*')
+            return true;
+        if (pattern === value)
+            return true;
+        // Simple glob matching: convert * to regex .*
+        if (pattern.includes('*')) {
+            const escaped = pattern
+                .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+                .replace(/\*/g, '.*');
+            const regex = new RegExp(`^${escaped}$`);
+            return regex.test(value);
+        }
+        return false;
+    }
+}
+exports.GuardrailEnforcer = GuardrailEnforcer;
+
+
+/***/ }),
+/* 22 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.statusCommand = statusCommand;
+const auth_service_1 = __webpack_require__(3);
+const platform_client_1 = __webpack_require__(13);
+const utils_1 = __webpack_require__(8);
+async function statusCommand(args) {
+    const { positional } = (0, utils_1.parseArgs)(args);
+    const sessionId = positional[0];
+    const authService = new auth_service_1.AuthService();
+    const creds = await authService.getCredentials();
+    if (!creds?.token) {
+        console.error('Not authenticated. Run: onklave login --token <token>');
+        process.exitCode = 1;
+        return;
+    }
+    const platformClient = new platform_client_1.PlatformClient(creds.platformUrl, creds.token);
+    try {
+        if (sessionId) {
+            // Show details for a specific session
+            const session = await platformClient.getSession(sessionId);
+            printSessionDetails(session);
+        }
+        else {
+            // List all active sessions
+            const sessions = await platformClient.listSessions();
+            if (sessions.length === 0) {
+                console.log('No active sessions.');
+                return;
+            }
+            printSessionTable(sessions);
+        }
+    }
+    catch (err) {
+        console.error(`Failed to get session status: ${err.message}`);
+        process.exitCode = 1;
+    }
+}
+function printSessionDetails(session) {
+    console.log('Onklave Agent Session\n');
+    console.log(`  Session ID:   ${session.sessionId}`);
+    console.log(`  Status:       ${formatStatus(session.status)}`);
+    console.log(`  Task:         ${session.task}`);
+    console.log(`  Model:        ${session.model}`);
+    console.log(`  Persona:      ${session.persona ?? '(none)'}`);
+    console.log(`  Workflow:     ${session.workflow ?? '(none)'}`);
+    console.log(`  Machine:      ${session.machineId ?? '(unknown)'}`);
+    console.log(`  Started:      ${session.startedAt}`);
+    if (session.completedAt) {
+        console.log(`  Completed:    ${session.completedAt}`);
+    }
+    if (session.duration !== null && session.duration !== undefined) {
+        console.log(`  Duration:     ${session.duration}s`);
+    }
+    if (session.error) {
+        console.log(`  Error:        ${session.error}`);
+    }
+    if (session.summary) {
+        console.log(`\n  Summary:\n    ${session.summary}`);
+    }
+}
+function printSessionTable(sessions) {
+    console.log('Active Agent Sessions\n');
+    // Header
+    const idWidth = 24;
+    const statusWidth = 18;
+    const taskWidth = 40;
+    const modelWidth = 16;
+    const header = [
+        'SESSION ID'.padEnd(idWidth),
+        'STATUS'.padEnd(statusWidth),
+        'TASK'.padEnd(taskWidth),
+        'MODEL'.padEnd(modelWidth),
+    ].join('  ');
+    console.log(header);
+    console.log('-'.repeat(header.length));
+    for (const session of sessions) {
+        const row = [
+            session.sessionId.slice(0, idWidth - 2).padEnd(idWidth),
+            formatStatus(session.status).padEnd(statusWidth),
+            truncate(session.task, taskWidth - 2).padEnd(taskWidth),
+            session.model.padEnd(modelWidth),
+        ].join('  ');
+        console.log(row);
+    }
+    console.log(`\nTotal: ${sessions.length} session(s)`);
+}
+function formatStatus(status) {
+    const statusMap = {
+        pending: 'PENDING',
+        initializing: 'INITIALIZING',
+        running: 'RUNNING',
+        waiting_approval: 'WAITING APPROVAL',
+        paused: 'PAUSED',
+        completed: 'COMPLETED',
+        failed: 'FAILED',
+        cancelled: 'CANCELLED',
+        timed_out: 'TIMED OUT',
+    };
+    return statusMap[status] ?? status.toUpperCase();
+}
+function truncate(str, maxLen) {
+    if (str.length <= maxLen)
+        return str;
+    return str.slice(0, maxLen - 3) + '...';
+}
+
+
+/***/ }),
+/* 23 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.stopCommand = stopCommand;
+const auth_service_1 = __webpack_require__(3);
+const platform_client_1 = __webpack_require__(13);
+const utils_1 = __webpack_require__(8);
+async function stopCommand(args) {
+    const { flags, positional } = (0, utils_1.parseArgs)(args);
+    const sessionId = positional[0];
+    const stopAll = flags['all'] === true;
+    if (!sessionId && !stopAll) {
+        console.error('Error: Provide a session ID or use --all.\n');
+        console.log('Usage: onklave stop <session-id>');
+        console.log('       onklave stop --all');
+        process.exitCode = 1;
+        return;
+    }
+    const authService = new auth_service_1.AuthService();
+    const creds = await authService.getCredentials();
+    if (!creds?.token) {
+        console.error('Not authenticated. Run: onklave login --token <token>');
+        process.exitCode = 1;
+        return;
+    }
+    const platformClient = new platform_client_1.PlatformClient(creds.platformUrl, creds.token);
+    try {
+        if (stopAll) {
+            const sessions = await platformClient.listSessions();
+            if (sessions.length === 0) {
+                console.log('No active sessions to stop.');
+                return;
+            }
+            console.log(`Stopping ${sessions.length} session(s)...`);
+            const results = await Promise.allSettled(sessions.map((s) => platformClient.cancelSession(s.sessionId)));
+            let succeeded = 0;
+            let failed = 0;
+            for (const result of results) {
+                if (result.status === 'fulfilled') {
+                    succeeded++;
+                }
+                else {
+                    failed++;
+                }
+            }
+            console.log(`Stopped ${succeeded} session(s).`);
+            if (failed > 0) {
+                console.warn(`Failed to stop ${failed} session(s).`);
+            }
+        }
+        else {
+            console.log(`Stopping session ${sessionId}...`);
+            await platformClient.cancelSession(sessionId);
+            console.log(`Session ${sessionId} cancelled.`);
+        }
+    }
+    catch (err) {
+        console.error(`Failed to stop session: ${err.message}`);
+        process.exitCode = 1;
+    }
+}
+
+
+/***/ }),
+/* 24 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.approveCommand = approveCommand;
+const auth_service_1 = __webpack_require__(3);
+const platform_client_1 = __webpack_require__(13);
+const utils_1 = __webpack_require__(8);
+async function approveCommand(args) {
+    const { flags, positional } = (0, utils_1.parseArgs)(args);
+    const sessionId = positional[0];
+    if (!sessionId) {
+        console.error('Error: Session ID is required.\n');
+        console.log('Usage: onklave approve <session-id> [--message "..."]');
+        process.exitCode = 1;
+        return;
+    }
+    const authService = new auth_service_1.AuthService();
+    const creds = await authService.getCredentials();
+    if (!creds?.token) {
+        console.error('Not authenticated. Run: onklave login --token <token>');
+        process.exitCode = 1;
+        return;
+    }
+    const platformClient = new platform_client_1.PlatformClient(creds.platformUrl, creds.token);
+    const message = typeof flags['message'] === 'string' ? flags['message'] : undefined;
+    try {
+        await platformClient.respondToGate(sessionId, 'approve', message);
+        console.log(`Session ${sessionId} approved.`);
+        if (message) {
+            console.log(`Message: ${message}`);
+        }
+    }
+    catch (err) {
+        console.error(`Failed to approve session: ${err.message}`);
+        process.exitCode = 1;
+    }
+}
+
+
+/***/ }),
+/* 25 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.denyCommand = denyCommand;
+const auth_service_1 = __webpack_require__(3);
+const platform_client_1 = __webpack_require__(13);
+const utils_1 = __webpack_require__(8);
+async function denyCommand(args) {
+    const { flags, positional } = (0, utils_1.parseArgs)(args);
+    const sessionId = positional[0];
+    if (!sessionId) {
+        console.error('Error: Session ID is required.\n');
+        console.log('Usage: onklave deny <session-id> [--reason "..."]');
+        process.exitCode = 1;
+        return;
+    }
+    const authService = new auth_service_1.AuthService();
+    const creds = await authService.getCredentials();
+    if (!creds?.token) {
+        console.error('Not authenticated. Run: onklave login --token <token>');
+        process.exitCode = 1;
+        return;
+    }
+    const platformClient = new platform_client_1.PlatformClient(creds.platformUrl, creds.token);
+    const reason = typeof flags['reason'] === 'string' ? flags['reason'] : undefined;
+    try {
+        await platformClient.respondToGate(sessionId, 'deny', reason);
+        console.log(`Session ${sessionId} denied.`);
+        if (reason) {
+            console.log(`Reason: ${reason}`);
+        }
+    }
+    catch (err) {
+        console.error(`Failed to deny session: ${err.message}`);
+        process.exitCode = 1;
+    }
+}
+
+
+/***/ }),
+/* 26 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.doctorCommand = doctorCommand;
+const tslib_1 = __webpack_require__(4);
+const fs = tslib_1.__importStar(__webpack_require__(5));
+const path = tslib_1.__importStar(__webpack_require__(6));
+const child_process_1 = __webpack_require__(17);
+const auth_service_1 = __webpack_require__(3);
+const platform_client_1 = __webpack_require__(13);
+const comms_client_1 = __webpack_require__(14);
+async function doctorCommand() {
+    console.log('Onklave Agent CLI — Doctor\n');
+    console.log('Running diagnostics...\n');
+    const results = [];
+    // 1. Auth status
+    results.push(await checkAuth());
+    // 2. Platform URL reachability
+    results.push(await checkPlatform());
+    // 3. Claude Code CLI availability
+    results.push(checkClaudeCli());
+    // 4. Node.js version
+    results.push(checkNodeVersion());
+    // 5. .onklave.json in cwd
+    results.push(checkProjectConfig());
+    // 6. WebSocket connectivity
+    results.push(await checkWebSocket());
+    // Print results
+    let hasFailure = false;
+    for (const result of results) {
+        const icon = result.status === 'ok'
+            ? '[OK]  '
+            : result.status === 'warn'
+                ? '[WARN]'
+                : '[FAIL]';
+        console.log(`  ${icon}  ${result.name}: ${result.detail}`);
+        if (result.status === 'fail')
+            hasFailure = true;
+    }
+    console.log('');
+    if (hasFailure) {
+        console.log('Some checks failed. Please resolve the issues above.');
+        process.exitCode = 1;
+    }
+    else {
+        console.log('All checks passed. Onklave Agent CLI is ready.');
+    }
+}
+async function checkAuth() {
+    const authService = new auth_service_1.AuthService();
+    const isAuth = await authService.isAuthenticated();
+    if (isAuth) {
+        const creds = await authService.getCredentials();
+        return {
+            name: 'Authentication',
+            status: 'ok',
+            detail: `Authenticated (platform: ${creds?.platformUrl ?? 'default'})`,
+        };
+    }
+    const creds = await authService.getCredentials();
+    if (creds?.token) {
+        return {
+            name: 'Authentication',
+            status: 'warn',
+            detail: 'Token exists but may be expired',
+        };
+    }
+    return {
+        name: 'Authentication',
+        status: 'fail',
+        detail: 'Not authenticated. Run: onklave login --token <token>',
+    };
+}
+async function checkPlatform() {
+    const authService = new auth_service_1.AuthService();
+    const platformUrl = await authService.getPlatformUrl();
+    const platformClient = new platform_client_1.PlatformClient(platformUrl, '');
+    const healthy = await platformClient.healthCheck();
+    if (healthy) {
+        return {
+            name: 'Platform API',
+            status: 'ok',
+            detail: `Reachable at ${platformUrl}`,
+        };
+    }
+    return {
+        name: 'Platform API',
+        status: 'warn',
+        detail: `Not reachable at ${platformUrl}`,
+    };
+}
+function checkClaudeCli() {
+    try {
+        const claudePath = (0, child_process_1.execSync)('which claude', {
+            encoding: 'utf-8',
+            timeout: 5000,
+        }).trim();
+        return {
+            name: 'Claude Code CLI',
+            status: 'ok',
+            detail: `Found at ${claudePath}`,
+        };
+    }
+    catch {
+        return {
+            name: 'Claude Code CLI',
+            status: 'fail',
+            detail: 'Not found. Install Claude Code CLI: https://docs.anthropic.com/claude-code',
+        };
+    }
+}
+function checkNodeVersion() {
+    const version = process.version;
+    const major = parseInt(version.slice(1).split('.')[0], 10);
+    if (major >= 22) {
+        return { name: 'Node.js', status: 'ok', detail: version };
+    }
+    if (major >= 18) {
+        return {
+            name: 'Node.js',
+            status: 'warn',
+            detail: `${version} (22+ recommended)`,
+        };
+    }
+    return {
+        name: 'Node.js',
+        status: 'fail',
+        detail: `${version} (22+ required)`,
+    };
+}
+function checkProjectConfig() {
+    const configPath = path.join(process.cwd(), '.onklave.json');
+    if (fs.existsSync(configPath)) {
+        try {
+            const raw = fs.readFileSync(configPath, 'utf-8');
+            JSON.parse(raw);
+            return {
+                name: 'Project config',
+                status: 'ok',
+                detail: `.onklave.json found and valid`,
+            };
+        }
+        catch (err) {
+            return {
+                name: 'Project config',
+                status: 'warn',
+                detail: `.onklave.json found but invalid: ${err.message}`,
+            };
+        }
+    }
+    return {
+        name: 'Project config',
+        status: 'warn',
+        detail: 'No .onklave.json in current directory. Run: onklave init',
+    };
+}
+async function checkWebSocket() {
+    const authService = new auth_service_1.AuthService();
+    const creds = await authService.getCredentials();
+    if (!creds?.token) {
+        return {
+            name: 'WebSocket',
+            status: 'warn',
+            detail: 'Skipped (not authenticated)',
+        };
+    }
+    const commsClient = new comms_client_1.CommsClient();
+    try {
+        await commsClient.connect(creds.platformUrl, creds.token);
+        commsClient.disconnect();
+        return {
+            name: 'WebSocket',
+            status: 'ok',
+            detail: 'Connected to comms service',
+        };
+    }
+    catch {
+        return {
+            name: 'WebSocket',
+            status: 'warn',
+            detail: 'Could not connect to comms service',
+        };
+    }
+}
+
+
+/***/ }),
+/* 27 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.initCommand = initCommand;
+const tslib_1 = __webpack_require__(4);
+const fs = tslib_1.__importStar(__webpack_require__(5));
+const path = tslib_1.__importStar(__webpack_require__(6));
+async function initCommand() {
+    const configPath = path.join(process.cwd(), '.onklave.json');
+    if (fs.existsSync(configPath)) {
+        console.error('Error: .onklave.json already exists in this directory.');
+        console.log('To overwrite, delete the existing file first.');
+        process.exitCode = 1;
+        return;
+    }
+    const template = {
+        project: path.basename(process.cwd()),
+        org: '',
+        description: '',
+        defaults: {
+            persona: '',
+            workflow: '',
+            model: 'claude-sonnet-4-20250514',
+            timeout: 120,
+        },
+        guardrails: [
+            {
+                name: 'no-secrets-access',
+                match: 'file_*',
+                action: 'deny',
+                reason: 'Prevent access to secret files',
+                paths: ['.env*', '*.pem', '*.key'],
+            },
+            {
+                name: 'approve-destructive-commands',
+                match: 'cmd:rm*',
+                action: 'require_approval',
+                reason: 'Destructive commands require approval',
+            },
+        ],
+        permissions: {
+            tools_allowed: [],
+            tools_denied: [],
+            paths_readable: ['.'],
+            paths_writable: ['src/', 'tests/', 'docs/'],
+        },
+        context: {
+            includes: ['src/', 'package.json', 'tsconfig.json'],
+            system_prompt_append: '',
+        },
+    };
+    fs.writeFileSync(configPath, JSON.stringify(template, null, 2) + '\n', 'utf-8');
+    console.log('Created .onklave.json in the current directory.\n');
+    console.log('Edit the file to configure:');
+    console.log('  - project: Your project name');
+    console.log('  - org: Your Onklave organization ID');
+    console.log('  - defaults: Default persona, workflow, model, and timeout');
+    console.log('  - guardrails: Rules for tool/path restrictions');
+    console.log('  - permissions: Allowed/denied tools and path access');
+    console.log('  - context: Files to include and system prompt additions');
+}
+
+
+/***/ }),
+/* 28 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.configCommand = configCommand;
+const config_resolver_1 = __webpack_require__(12);
+const utils_1 = __webpack_require__(8);
+async function configCommand(args) {
+    const { positional } = (0, utils_1.parseArgs)(args);
+    const subcommand = positional[0];
+    const key = positional[1];
+    const value = positional[2];
+    const configResolver = new config_resolver_1.ConfigResolver();
+    if (!subcommand) {
+        // Show effective config
+        const resolved = await configResolver.resolve({}, process.cwd());
+        console.log('Onklave Agent CLI — Effective Configuration\n');
+        console.log('Sources (highest to lowest priority):');
+        console.log('  1. Command-line flags');
+        console.log('  2. Environment variables (ONKLAVE_*, ANTHROPIC_API_KEY)');
+        console.log('  3. Project config (.onklave.json)');
+        console.log('  4. Global config (~/.config/onklave/config.json)');
+        console.log('  5. Platform defaults\n');
+        console.log('Resolved values:');
+        console.log(JSON.stringify(resolved, null, 2));
+        return;
+    }
+    if (subcommand === 'get') {
+        if (!key) {
+            console.error('Error: Key is required.\n');
+            console.log('Usage: onklave config get <key>');
+            console.log('Example: onklave config get defaultModel');
+            process.exitCode = 1;
+            return;
+        }
+        const configValue = configResolver.getGlobalConfigValue(key);
+        if (configValue === undefined) {
+            console.log(`(not set)`);
+        }
+        else if (typeof configValue === 'object') {
+            console.log(JSON.stringify(configValue, null, 2));
+        }
+        else {
+            console.log(String(configValue));
+        }
+        return;
+    }
+    if (subcommand === 'set') {
+        if (!key) {
+            console.error('Error: Key is required.\n');
+            console.log('Usage: onklave config set <key> <value>');
+            console.log('Example: onklave config set defaultModel claude-sonnet-4-20250514');
+            process.exitCode = 1;
+            return;
+        }
+        if (value === undefined) {
+            console.error('Error: Value is required.\n');
+            console.log('Usage: onklave config set <key> <value>');
+            process.exitCode = 1;
+            return;
+        }
+        // Try to parse as number or boolean
+        let parsedValue = value;
+        if (value === 'true')
+            parsedValue = true;
+        else if (value === 'false')
+            parsedValue = false;
+        else if (/^\d+$/.test(value))
+            parsedValue = parseInt(value, 10);
+        configResolver.saveGlobalConfig(key, parsedValue);
+        console.log(`Set ${key} = ${JSON.stringify(parsedValue)}`);
+        return;
+    }
+    console.error(`Unknown config subcommand: ${subcommand}\n`);
+    console.log('Usage:');
+    console.log('  onklave config              Show effective configuration');
+    console.log('  onklave config get <key>    Get a specific config value');
+    console.log('  onklave config set <k> <v>  Set a global config value');
+    process.exitCode = 1;
+}
+
+
+/***/ }),
+/* 29 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.registerCommand = registerCommand;
+const tslib_1 = __webpack_require__(4);
+const os = tslib_1.__importStar(__webpack_require__(7));
+const auth_service_1 = __webpack_require__(3);
+const platform_client_1 = __webpack_require__(13);
+const utils_1 = __webpack_require__(8);
+async function registerCommand(args) {
+    const { flags } = (0, utils_1.parseArgs)(args);
+    const linkingToken = flags['token'];
+    if (typeof linkingToken !== 'string' || !linkingToken) {
+        console.error('Error: --token is required.\n');
+        console.log('Usage: onklave register --token <linking-token>\n');
+        console.log('To obtain a linking token:');
+        console.log('  1. Log in to the Onklave Portal');
+        console.log('  2. Navigate to Settings > Machines');
+        console.log('  3. Click "Register Machine" to generate a linking token');
+        process.exitCode = 1;
+        return;
+    }
+    const authService = new auth_service_1.AuthService();
+    const creds = await authService.getCredentials();
+    if (!creds?.token) {
+        console.error('Not authenticated. Run: onklave login --token <token>');
+        process.exitCode = 1;
+        return;
+    }
+    const metadata = {
+        hostname: os.hostname(),
+        os: `${os.platform()} ${os.release()}`,
+        arch: os.arch(),
+        nodeVersion: process.version,
+        capabilities: detectCapabilities(),
+    };
+    const platformClient = new platform_client_1.PlatformClient(creds.platformUrl, creds.token);
+    try {
+        console.log('Registering machine with Onklave platform...');
+        console.log(`  Hostname: ${metadata.hostname}`);
+        console.log(`  OS: ${metadata.os}`);
+        console.log(`  Arch: ${metadata.arch}`);
+        console.log(`  Node: ${metadata.nodeVersion}`);
+        const result = await platformClient.registerMachine(linkingToken, metadata);
+        await authService.saveDeviceToken(result.deviceToken, result.machineId);
+        console.log(`\nMachine registered successfully.`);
+        console.log(`  Machine ID: ${result.machineId}`);
+        console.log(`  Device token stored in ~/.config/onklave/credentials.json`);
+        console.log(`\nThis machine can now receive remote agent session requests.`);
+    }
+    catch (err) {
+        console.error(`Registration failed: ${err.message}`);
+        process.exitCode = 1;
+    }
+}
+function detectCapabilities() {
+    const capabilities = ['agent-runner'];
+    // Check if Claude Code is available
+    try {
+        const { execSync } = __webpack_require__(17);
+        execSync('which claude', { timeout: 3000, stdio: 'pipe' });
+        capabilities.push('claude-code');
+    }
+    catch {
+        // Claude Code not available
+    }
+    // Check if Docker is available
+    try {
+        const { execSync } = __webpack_require__(17);
+        execSync('which docker', { timeout: 3000, stdio: 'pipe' });
+        capabilities.push('docker');
+    }
+    catch {
+        // Docker not available
+    }
+    return capabilities;
+}
+
+
+/***/ }),
+/* 30 */
+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
+
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.logsCommand = logsCommand;
+const auth_service_1 = __webpack_require__(3);
+const platform_client_1 = __webpack_require__(13);
+const utils_1 = __webpack_require__(8);
+async function logsCommand(args) {
+    const { positional, flags } = (0, utils_1.parseArgs)(args);
+    const sessionId = positional[0];
+    if (!sessionId) {
+        console.error('Error: Session ID is required.\n');
+        console.log('Usage: onklave logs <session-id> [--tail <n>]');
+        process.exitCode = 1;
+        return;
+    }
+    const authService = new auth_service_1.AuthService();
+    const creds = await authService.getCredentials();
+    if (!creds?.token) {
+        console.error('Not authenticated. Run: onklave login --token <token>');
+        process.exitCode = 1;
+        return;
+    }
+    const platformClient = new platform_client_1.PlatformClient(creds.platformUrl, creds.token);
+    try {
+        const logs = await platformClient.getSessionLogs(sessionId);
+        if (!logs || logs.length === 0) {
+            console.log(`No logs available for session ${sessionId}.`);
+            return;
+        }
+        // Apply tail if specified
+        const tail = typeof flags['tail'] === 'string' ? parseInt(flags['tail'], 10) : 0;
+        const displayLogs = tail > 0 ? logs.slice(-tail) : logs;
+        console.log(`Logs for session ${sessionId}:\n`);
+        for (const line of displayLogs) {
+            console.log(line);
+        }
+    }
+    catch (err) {
+        console.error(`Failed to fetch logs: ${err.message}`);
+        process.exitCode = 1;
+    }
+}
+
+
+/***/ })
+/******/ 	]);
+/************************************************************************/
+/******/ 	// The module cache
+/******/ 	var __webpack_module_cache__ = {};
+/******/ 	
+/******/ 	// The require function
+/******/ 	function __webpack_require__(moduleId) {
+/******/ 		// Check if module is in cache
+/******/ 		var cachedModule = __webpack_module_cache__[moduleId];
+/******/ 		if (cachedModule !== undefined) {
+/******/ 			return cachedModule.exports;
+/******/ 		}
+/******/ 		// Create a new module (and put it into the cache)
+/******/ 		var module = __webpack_module_cache__[moduleId] = {
+/******/ 			// no module.id needed
+/******/ 			// no module.loaded needed
+/******/ 			exports: {}
+/******/ 		};
+/******/ 	
+/******/ 		// Execute the module function
+/******/ 		__webpack_modules__[moduleId](module, module.exports, __webpack_require__);
+/******/ 	
+/******/ 		// Return the exports of the module
+/******/ 		return module.exports;
+/******/ 	}
+/******/ 	
+/************************************************************************/
+var __webpack_exports__ = {};
+// This entry needs to be wrapped in an IIFE because it needs to be isolated against other modules in the chunk.
+(() => {
+var exports = __webpack_exports__;
+//#!/usr/bin/env node
+
+/**
+ * Copyright (c) 2025 Onklave (Pty) Ltd. All Rights Reserved.
+ *
+ * This software is proprietary and confidential.
+ * Unauthorized copying, modification, or distribution is strictly prohibited.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+const commands_1 = __webpack_require__(1);
+const VERSION = '0.1.0';
+function showHelp() {
+    console.log(`
+Onklave Agent CLI v${VERSION}
+
+Usage: onklave <command> [options]
+
+Commands:
+  login                Log in to Onklave platform
+  logout               Log out and remove stored credentials
+  whoami               Show current identity and auth status
+  run                  Run an agent task via Claude Code
+  status [session-id]  Show session status or list active sessions
+  stop <session-id>    Stop a running session
+  approve <session-id> Approve a pending approval gate
+  deny <session-id>    Deny a pending approval gate
+  doctor               Run diagnostic checks
+  init                 Create .onklave.json in the current directory
+  config               View or modify configuration
+  register             Register this machine as an agent runner
+  logs <session-id>    View logs for a session
+
+Options:
+  --help, -h           Show this help message
+  --version, -v        Show version number
+
+Examples:
+  onklave login --token <token>
+  onklave run --task "Fix the failing tests in src/"
+  onklave run --task "Refactor auth module" --persona security-reviewer
+  onklave status
+  onklave stop abc123
+  onklave doctor
+`.trim());
+}
+async function main() {
+    const args = process.argv.slice(2);
+    const command = args[0];
+    // Handle top-level flags
+    if (!command || command === '--help' || command === '-h') {
+        showHelp();
+        return;
+    }
+    if (command === '--version' || command === '-v') {
+        console.log(`onklave v${VERSION}`);
+        return;
+    }
+    // Look up command handler
+    const handler = commands_1.COMMANDS[command];
+    if (!handler) {
+        console.error(`Unknown command: ${command}\n`);
+        showHelp();
+        process.exitCode = 1;
+        return;
+    }
+    // Pass remaining args to command handler
+    const commandArgs = args.slice(1);
+    // Check for --help on subcommand
+    if (commandArgs.includes('--help') || commandArgs.includes('-h')) {
+        // Let the command handle its own help (it will show usage when missing required args)
+        // But for commands that don't check, show generic help
+    }
+    try {
+        await handler(commandArgs);
+    }
+    catch (err) {
+        console.error(`Error: ${err.message}`);
+        process.exitCode = 1;
+    }
+}
+main();
+
+})();
+
+var __webpack_export_target__ = exports;
+for(var __webpack_i__ in __webpack_exports__) __webpack_export_target__[__webpack_i__] = __webpack_exports__[__webpack_i__];
+if(__webpack_exports__.__esModule) Object.defineProperty(__webpack_export_target__, "__esModule", { value: true });
+/******/ })()
+;