@praxis.guard/auditor-cli 0.0.1

package/dist/cli/firebase-targets.js

@@ -0,0 +1,49 @@
+import fs from "node:fs";
+import path from "node:path";
+function findFirebaserc(startDir) {
+    let dir = startDir;
+    for (let i = 0; i < 10; i++) {
+        const p = path.join(dir, ".firebaserc");
+        if (fs.existsSync(p))
+            return p;
+        const parent = path.dirname(dir);
+        if (parent === dir)
+            break;
+        dir = parent;
+    }
+    return null;
+}
+export function detectFirebaseProjectId(cwd) {
+    const rcPath = findFirebaserc(cwd);
+    if (!rcPath)
+        return null;
+    try {
+        const raw = fs.readFileSync(rcPath, "utf8");
+        const data = JSON.parse(raw);
+        const project = data?.projects?.default;
+        return typeof project === "string" && project.length > 0 ? project : null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Resolve a Firebase Hosting site id for a given target (e.g. target "app" -> site "praxis-app-33b40").
+ * This reads `.firebaserc` and finds the first site configured for that hosting target.
+ */
+export function detectHostingSiteId(cwd, projectId, hostingTarget) {
+    const rcPath = findFirebaserc(cwd);
+    if (!rcPath)
+        return null;
+    try {
+        const raw = fs.readFileSync(rcPath, "utf8");
+        const data = JSON.parse(raw);
+        const sites = data?.targets?.[projectId]?.hosting?.[hostingTarget];
+        const site = Array.isArray(sites) ? sites[0] : null;
+        return typeof site === "string" && site.length > 0 ? site : null;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=firebase-targets.js.map

package/dist/cli/firebase-targets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"firebase-targets.js","sourceRoot":"","sources":["../../src/cli/firebase-targets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAO7B,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,GAAG,GAAG,QAAQ,CAAC;IACnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;QACxC,IAAI,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,MAAM,KAAK,GAAG;YAAE,MAAM;QAC1B,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,GAAW;IACjD,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAe,CAAC;QAC3C,MAAM,OAAO,GAAG,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC;QACxC,OAAO,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IAC5E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAW,EAAE,SAAiB,EAAE,aAAqB;IACvF,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAe,CAAC;QAC3C,MAAM,KAAK,GAAG,IAAI,EAAE,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,CAAC,aAAa,CAAC,CAAC;QACnE,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACpD,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/cli/function-url.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Build the production Cloud Functions URL for a given function name.
+ *
+ * Respects `PRAXIS_FIREBASE_FUNCTIONS_EMULATOR_HOST` for local dev;
+ * otherwise defaults to production `cloudfunctions.net`.
+ */
+export declare function prodFunctionUrl(functionName: string): string;
+//# sourceMappingURL=function-url.d.ts.map

package/dist/cli/function-url.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"function-url.d.ts","sourceRoot":"","sources":["../../src/cli/function-url.ts"],"names":[],"mappings":"AAKA;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAW5D"}

package/dist/cli/function-url.js

@@ -0,0 +1,20 @@
+import process from "node:process";
+const DEFAULT_PROJECT_ID = "praxis-4cc80";
+const DEFAULT_REGION = "us-central1";
+/**
+ * Build the production Cloud Functions URL for a given function name.
+ *
+ * Respects `PRAXIS_FIREBASE_FUNCTIONS_EMULATOR_HOST` for local dev;
+ * otherwise defaults to production `cloudfunctions.net`.
+ */
+export function prodFunctionUrl(functionName) {
+    const emuHost = process.env.PRAXIS_FIREBASE_FUNCTIONS_EMULATOR_HOST?.trim();
+    const projectId = process.env.PRAXIS_FIREBASE_PROJECT_ID?.trim() || DEFAULT_PROJECT_ID;
+    const region = process.env.PRAXIS_FIREBASE_FUNCTIONS_REGION?.trim() || DEFAULT_REGION;
+    if (emuHost) {
+        const host = emuHost.replace(/^https?:\/\//, "");
+        return `http://${host}/${projectId}/${region}/${functionName}`;
+    }
+    return `https://${region}-${projectId}.cloudfunctions.net/${functionName}`;
+}
+//# sourceMappingURL=function-url.js.map

package/dist/cli/function-url.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"function-url.js","sourceRoot":"","sources":["../../src/cli/function-url.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,cAAc,CAAC;AAEnC,MAAM,kBAAkB,GAAG,cAAc,CAAC;AAC1C,MAAM,cAAc,GAAG,aAAa,CAAC;AAErC;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,YAAoB;IAClD,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,uCAAuC,EAAE,IAAI,EAAE,CAAC;IAC5E,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,IAAI,EAAE,IAAI,kBAAkB,CAAC;IACvF,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,gCAAgC,EAAE,IAAI,EAAE,IAAI,cAAc,CAAC;IAEtF,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;QACjD,OAAO,UAAU,IAAI,IAAI,SAAS,IAAI,MAAM,IAAI,YAAY,EAAE,CAAC;IACjE,CAAC;IAED,OAAO,WAAW,MAAM,IAAI,SAAS,uBAAuB,YAAY,EAAE,CAAC;AAC7E,CAAC"}

package/dist/cli/http-fetch.d.ts

@@ -0,0 +1,7 @@
+export declare function fetchJson<TRes>(options: {
+    url: string;
+    bearerToken: string;
+    method?: "GET" | "POST";
+    body?: unknown;
+}): Promise<TRes>;
+//# sourceMappingURL=http-fetch.d.ts.map

package/dist/cli/http-fetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-fetch.d.ts","sourceRoot":"","sources":["../../src/cli/http-fetch.ts"],"names":[],"mappings":"AAAA,wBAAsB,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE;IAC7C,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;IACxB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB,GAAG,OAAO,CAAC,IAAI,CAAC,CAoBhB"}

package/dist/cli/http-fetch.js

@@ -0,0 +1,21 @@
+export async function fetchJson(options) {
+    const res = await fetch(options.url, {
+        method: options.method ?? (options.body === undefined ? "GET" : "POST"),
+        headers: {
+            ...(options.body === undefined ? {} : { "Content-Type": "application/json" }),
+            Authorization: `Bearer ${options.bearerToken}`,
+        },
+        body: options.body === undefined ? undefined : JSON.stringify(options.body),
+    });
+    const text = await res.text();
+    if (!res.ok) {
+        throw new Error(`${res.status} ${res.statusText}`.trim() || "http_error");
+    }
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        throw new Error(`Invalid JSON response (${res.status}): ${text.slice(0, 200)}`);
+    }
+}
+//# sourceMappingURL=http-fetch.js.map

package/dist/cli/http-fetch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-fetch.js","sourceRoot":"","sources":["../../src/cli/http-fetch.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,KAAK,UAAU,SAAS,CAAO,OAKrC;IACC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE;QACnC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC;QACvE,OAAO,EAAE;YACP,GAAG,CAAC,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;YAC7E,aAAa,EAAE,UAAU,OAAO,CAAC,WAAW,EAAE;SAC/C;QACD,IAAI,EAAE,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC;KAC5E,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC9B,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC,IAAI,EAAE,IAAI,YAAY,CAAC,CAAC;IAC5E,CAAC;IAED,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAS,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,CAAC,MAAM,MAAM,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IAClF,CAAC;AACH,CAAC"}

package/dist/cli/install-id.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Returns the persisted install GUID, creating one if it doesn't exist.
+ * The ID is stored at ~/.config/praxis/install-id as a plain UUID string.
+ */
+export declare function getInstallId(): string;
+//# sourceMappingURL=install-id.d.ts.map

package/dist/cli/install-id.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"install-id.d.ts","sourceRoot":"","sources":["../../src/cli/install-id.ts"],"names":[],"mappings":"AAYA;;;GAGG;AACH,wBAAgB,YAAY,IAAI,MAAM,CAarC"}

package/dist/cli/install-id.js

@@ -0,0 +1,30 @@
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import process from "node:process";
+import { v4 as uuidv4 } from "uuid";
+function installIdPath() {
+    const xdg = process.env.XDG_CONFIG_HOME?.trim();
+    const base = xdg || path.join(os.homedir(), ".config");
+    return path.join(base, "praxis", "install-id");
+}
+/**
+ * Returns the persisted install GUID, creating one if it doesn't exist.
+ * The ID is stored at ~/.config/praxis/install-id as a plain UUID string.
+ */
+export function getInstallId() {
+    const p = installIdPath();
+    try {
+        const existing = fs.readFileSync(p, "utf8").trim();
+        if (existing.length >= 36)
+            return existing;
+    }
+    catch {
+        // File doesn't exist or is unreadable — generate below
+    }
+    const id = uuidv4();
+    fs.mkdirSync(path.dirname(p), { recursive: true, mode: 0o700 });
+    fs.writeFileSync(p, id + "\n", { mode: 0o600 });
+    return id;
+}
+//# sourceMappingURL=install-id.js.map

package/dist/cli/install-id.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"install-id.js","sourceRoot":"","sources":["../../src/cli/install-id.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,OAAO,MAAM,cAAc,CAAC;AACnC,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AAEpC,SAAS,aAAa;IACpB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,EAAE,CAAC;IAChD,MAAM,IAAI,GAAG,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;IACvD,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;AACjD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY;IAC1B,MAAM,CAAC,GAAG,aAAa,EAAE,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,EAAE,CAAC,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QACnD,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE;YAAE,OAAO,QAAQ,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,uDAAuD;IACzD,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;IACpB,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAChE,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAChD,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/cli/login.d.ts

@@ -0,0 +1,2 @@
+export declare function runLogin(): Promise<void>;
+//# sourceMappingURL=login.d.ts.map

package/dist/cli/login.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/cli/login.ts"],"names":[],"mappings":"AASA,wBAAsB,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,CAoC9C"}

package/dist/cli/login.js

@@ -0,0 +1,76 @@
+import os from "node:os";
+import process from "node:process";
+import { saveCredentials } from "./credentials.js";
+import { detectFirebaseProjectId } from "./firebase-targets.js";
+import { getInstallId } from "./install-id.js";
+export async function runLogin() {
+    const baseUrl = getBaseUrl();
+    process.stdout.write("Requesting login code...\n");
+    const createRes = await fetch(`${baseUrl}/cliAuthCreate`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+            hostname: os.hostname(),
+            installId: getInstallId(),
+        }),
+        signal: AbortSignal.timeout(10_000),
+    });
+    if (!createRes.ok) {
+        const text = await createRes.text().catch(() => "");
+        throw new Error(`Failed to create auth request (${createRes.status}): ${text.slice(0, 200)}`);
+    }
+    const { code, expiresAt } = (await createRes.json());
+    const appUrl = process.env.PRAXIS_APP_URL || "https://praxis-app-33b40.web.app";
+    const authUrl = `${appUrl}/app/cli-auth?code=${code}`;
+    process.stdout.write(`\n`);
+    process.stdout.write(`  Your one-time code:  ${code}\n\n`);
+    process.stdout.write(`  Open this URL to authorize:\n`);
+    process.stdout.write(`  ${authUrl}\n\n`);
+    process.stdout.write(`  Waiting for authorization... (expires in 10 minutes)\n`);
+    const token = await poll(baseUrl, code, expiresAt);
+    saveCredentials(token);
+    process.stdout.write(`\n  Authenticated! Token saved.\n`);
+    process.stdout.write(`  Run \`auditor doctor\` to verify.\n`);
+}
+async function poll(baseUrl, code, expiresAt) {
+    const deadline = new Date(expiresAt).getTime();
+    while (Date.now() < deadline) {
+        await new Promise((r) => setTimeout(r, 2000));
+        const res = await fetch(`${baseUrl}/cliAuthPoll`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ code }),
+            signal: AbortSignal.timeout(5000),
+        });
+        if (!res.ok)
+            continue;
+        const data = (await res.json());
+        if (data.status === "authorized" && data.token)
+            return data.token;
+        if (data.status === "expired")
+            throw new Error("Code expired. Run `auditor login` again.");
+    }
+    throw new Error("Timed out waiting for authorization. Run `auditor login` again.");
+}
+function detectProjectId() {
+    const envId = process.env.PRAXIS_FIREBASE_PROJECT_ID?.trim();
+    if (envId)
+        return envId;
+    return detectFirebaseProjectId(process.cwd());
+}
+const DEFAULT_PROJECT_ID = "praxis-4cc80";
+const DEFAULT_REGION = "us-central1";
+function getBaseUrl() {
+    const full = process.env.PRAXIS_FIREBASE_CALLABLE_BASE_URL?.trim();
+    if (full)
+        return full.replace(/\/$/, "");
+    const projectId = detectProjectId() || DEFAULT_PROJECT_ID;
+    const region = process.env.PRAXIS_FIREBASE_FUNCTIONS_REGION?.trim() || DEFAULT_REGION;
+    const emuHost = process.env.PRAXIS_FIREBASE_FUNCTIONS_EMULATOR_HOST?.trim();
+    if (emuHost) {
+        const host = emuHost.replace(/^https?:\/\//, "");
+        return `http://${host}/${projectId}/${region}`;
+    }
+    return `https://${region}-${projectId}.cloudfunctions.net`;
+}
+//# sourceMappingURL=login.js.map

package/dist/cli/login.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/cli/login.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,SAAS,CAAC;AAEzB,OAAO,OAAO,MAAM,cAAc,CAAC;AAEnC,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAE/C,MAAM,CAAC,KAAK,UAAU,QAAQ;IAC5B,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;IAE7B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAEnD,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,gBAAgB,EAAE;QACxD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,QAAQ,EAAE,EAAE,CAAC,QAAQ,EAAE;YACvB,SAAS,EAAE,YAAY,EAAE;SAC1B,CAAC;QACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;KACpC,CAAC,CAAC;IAEH,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC;QAClB,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,kCAAkC,SAAS,CAAC,MAAM,MAAM,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IAChG,CAAC;IAED,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,CAAC,MAAM,SAAS,CAAC,IAAI,EAAE,CAAwC,CAAC;IAE5F,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,kCAAkC,CAAC;IAChF,MAAM,OAAO,GAAG,GAAG,MAAM,sBAAsB,IAAI,EAAE,CAAC;IAEtD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC3B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,IAAI,MAAM,CAAC,CAAC;IAC3D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACxD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,OAAO,MAAM,CAAC,CAAC;IACzC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAEjF,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC;IAEnD,eAAe,CAAC,KAAK,CAAC,CAAC;IACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;IAC1D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;AAChE,CAAC;AAED,KAAK,UAAU,IAAI,CAAC,OAAe,EAAE,IAAY,EAAE,SAAiB;IAClE,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;IAC/C,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC7B,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;QAC9C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,cAAc,EAAE;YAChD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC;YAC9B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,SAAS;QACtB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuC,CAAC;QACtE,IAAI,IAAI,CAAC,MAAM,KAAK,YAAY,IAAI,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC;QAClE,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS;YAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC7F,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;AACrF,CAAC;AAED,SAAS,eAAe;IACtB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,IAAI,EAAE,CAAC;IAC7D,IAAI,KAAK;QAAE,OAAO,KAAK,CAAC;IAExB,OAAO,uBAAuB,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,kBAAkB,GAAG,cAAc,CAAC;AAC1C,MAAM,cAAc,GAAG,aAAa,CAAC;AAErC,SAAS,UAAU;IACjB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,iCAAiC,EAAE,IAAI,EAAE,CAAC;IACnE,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAEzC,MAAM,SAAS,GAAG,eAAe,EAAE,IAAI,kBAAkB,CAAC;IAC1D,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,gCAAgC,EAAE,IAAI,EAAE,IAAI,cAAc,CAAC;IAEtF,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,uCAAuC,EAAE,IAAI,EAAE,CAAC;IAC5E,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;QACjD,OAAO,UAAU,IAAI,IAAI,SAAS,IAAI,MAAM,EAAE,CAAC;IACjD,CAAC;IAED,OAAO,WAAW,MAAM,IAAI,SAAS,qBAAqB,CAAC;AAC7D,CAAC"}

package/dist/cli/logout.d.ts

@@ -0,0 +1,2 @@
+export declare function runLogout(args?: string[]): Promise<void>;
+//# sourceMappingURL=logout.d.ts.map

package/dist/cli/logout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.d.ts","sourceRoot":"","sources":["../../src/cli/logout.ts"],"names":[],"mappings":"AAmCA,wBAAsB,SAAS,CAAC,IAAI,GAAE,MAAM,EAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAwBlE"}

package/dist/cli/logout.js

@@ -0,0 +1,51 @@
+import process from "node:process";
+import { fetchJson } from "./http-fetch.js";
+import { credentialsPath, deleteCredentials, resolveGuardToken } from "./credentials.js";
+import { functionsHttpUrl } from "./policies-callable-url.js";
+function parseLogoutOptions(args) {
+    let revoke = false;
+    for (const arg of args) {
+        if (arg === "--revoke") {
+            revoke = true;
+            continue;
+        }
+        throw new Error(`Unknown logout option: ${arg}`);
+    }
+    return { revoke };
+}
+async function revokeCurrentTokenOrThrow() {
+    const token = resolveGuardToken();
+    if (!token) {
+        throw new Error("No local token available to revoke.");
+    }
+    await fetchJson({
+        url: functionsHttpUrl("cliTokenRevokeHttp"),
+        bearerToken: token,
+        method: "POST",
+    });
+}
+export async function runLogout(args = []) {
+    const opts = parseLogoutOptions(args);
+    let revokeError = null;
+    if (opts.revoke) {
+        try {
+            await revokeCurrentTokenOrThrow();
+            process.stdout.write("  Remote token revoked.\n");
+        }
+        catch (e) {
+            revokeError = e instanceof Error ? e.message : String(e);
+        }
+    }
+    const deleted = deleteCredentials();
+    if (deleted) {
+        process.stdout.write(`  Credentials removed (${credentialsPath()}).\n`);
+    }
+    else {
+        process.stdout.write(`  No credentials found.\n`);
+    }
+    if (revokeError) {
+        process.stderr.write(`  Remote revoke failed: ${revokeError}\n`);
+        process.exitCode = 1;
+    }
+}
+//# sourceMappingURL=logout.js.map

package/dist/cli/logout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../src/cli/logout.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,cAAc,CAAC;AAEnC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACzF,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAM9D,SAAS,kBAAkB,CAAC,IAAc;IACxC,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,KAAK,UAAU,EAAE,CAAC;YACvB,MAAM,GAAG,IAAI,CAAC;YACd,SAAS;QACX,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,EAAE,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,CAAC;AACpB,CAAC;AAED,KAAK,UAAU,yBAAyB;IACtC,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAClC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,SAAS,CAAmC;QAChD,GAAG,EAAE,gBAAgB,CAAC,oBAAoB,CAAC;QAC3C,WAAW,EAAE,KAAK;QAClB,MAAM,EAAE,MAAM;KACf,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,OAAiB,EAAE;IACjD,MAAM,IAAI,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;IAEtC,IAAI,WAAW,GAAkB,IAAI,CAAC;IACtC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,yBAAyB,EAAE,CAAC;YAClC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;QACpD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,WAAW,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;IACpC,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,eAAe,EAAE,MAAM,CAAC,CAAC;IAC1E,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;IACpD,CAAC;IAED,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,WAAW,IAAI,CAAC,CAAC;QACjE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;IACvB,CAAC;AACH,CAAC"}

package/dist/cli/main.d.ts

@@ -0,0 +1,2 @@
+export declare function runCli(argv: string[]): Promise<void>;
+//# sourceMappingURL=main.d.ts.map

package/dist/cli/main.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../../src/cli/main.ts"],"names":[],"mappings":"AAmDA,wBAAsB,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAkH1D"}

package/dist/cli/main.js

@@ -0,0 +1,158 @@
+import process from "node:process";
+import { runDoctor } from "./doctor.js";
+import { runBeforeShellHookFromStdin } from "../hooks/run-before-shell.js";
+import { runVersion } from "./version.js";
+function printHelp() {
+    process.stdout.write(`auditor — Praxis guard CLI
+
+Usage:
+  auditor setup all          Configure both Cursor hook and MCP server entry
+  auditor setup hook         Configure .cursor/hooks.json beforeShellExecution
+  auditor setup mcp          Configure ~/.cursor/mcp.json praxis-guard server
+  auditor setup doctor       Validate hook + MCP setup status and paths
+  auditor login              Authenticate this CLI with your Praxis account (device code flow)
+  auditor logout [--revoke] Remove saved credentials (and optionally revoke token server-side)
+  auditor whoami             Show signed-in uid, email, and token source (calls Cloud Function)
+  auditor mcp                MCP stdio server (tool: guard) — use in Cursor mcp.json
+  auditor hook before-shell   Cursor beforeShellExecution (stdin JSON → stdout JSON)
+  auditor doctor             Show policy path, sync revision, auth status
+  auditor policies sync      Fetch policies from Cloud Functions → local policies.v1.json + meta
+  auditor version            Package version and git short SHA when available
+  auditor help | --help      This message
+
+Auth:
+  Token is resolved in order: PRAXIS_GUARD_TOKEN env var → ~/.config/praxis/credentials.json.
+  Run \`auditor login\` to authenticate interactively.
+
+Defaults (production):
+  Project ID:    praxis-4cc80
+  Region:        us-central1
+  Functions:     https://us-central1-praxis-4cc80.cloudfunctions.net/…
+
+Local development:
+  Set PRAXIS_FIREBASE_FUNCTIONS_EMULATOR_HOST=127.0.0.1:5001 to target the local
+  Firebase emulator instead of production.
+
+Env (all optional):
+  PRAXIS_GUARD_TOKEN                       Override token (CI/CD). Skips credential file.
+  PRAXIS_FIREBASE_ID_TOKEN                 Alternative: Firebase Auth ID JWT for the functions project.
+  PRAXIS_FIREBASE_FUNCTIONS_EMULATOR_HOST  Set to target local emulator (e.g. 127.0.0.1:5001).
+  PRAXIS_FIREBASE_PROJECT_ID               Override project (default: praxis-4cc80).
+  PRAXIS_FIREBASE_FUNCTIONS_REGION         Override region (default: us-central1).
+  PRAXIS_FIREBASE_CALLABLE_BASE_URL        Full override base URL (no trailing slash).
+  PRAXIS_GUARD_EVENT_URL                   Full override for guard event endpoint.
+  PRAXIS_APP_URL                           Web app URL for login (default: https://praxis-app-33b40.web.app).
+  PRAXIS_POLICIES_V1_PATH                  Override path for policies.v1.json.
+  PRAXIS_POLICIES_META_PATH                Override path for policies.v1.meta.json.
+`);
+}
+export async function runCli(argv) {
+    const a0 = argv[0];
+    const a1 = argv[1];
+    if (!a0 || a0 === "help" || a0 === "-h" || a0 === "--help") {
+        printHelp();
+        return;
+    }
+    if (a0 === "login") {
+        const { runLogin } = await import("./login.js");
+        try {
+            await runLogin();
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            process.stderr.write(`${msg}\n`);
+            process.exitCode = 1;
+        }
+        return;
+    }
+    if (a0 === "setup") {
+        const sub = a1;
+        const rest = argv.slice(2);
+        try {
+            if (sub === "all") {
+                const { runSetupAll } = await import("./setup-all.js");
+                await runSetupAll(rest);
+                return;
+            }
+            if (sub === "hook") {
+                const { runSetupHook } = await import("./setup-hook.js");
+                await runSetupHook(rest);
+                return;
+            }
+            if (sub === "mcp") {
+                const { runSetupMcp } = await import("./setup-mcp.js");
+                await runSetupMcp(rest);
+                return;
+            }
+            if (sub === "doctor") {
+                const { runSetupDoctor } = await import("./setup-doctor.js");
+                await runSetupDoctor(rest);
+                return;
+            }
+            throw new Error(`Unknown setup command: ${sub ?? "(missing)"}`);
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            process.stderr.write(`${msg}\n`);
+            process.exitCode = 1;
+            return;
+        }
+    }
+    if (a0 === "logout") {
+        const { runLogout } = await import("./logout.js");
+        try {
+            await runLogout(argv.slice(1));
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            process.stderr.write(`${msg}\n`);
+            process.exitCode = 1;
+        }
+        return;
+    }
+    if (a0 === "whoami") {
+        const { runWhoami } = await import("./whoami.js");
+        try {
+            await runWhoami();
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            process.stderr.write(`${msg}\n`);
+            process.exitCode = 1;
+        }
+        return;
+    }
+    if (a0 === "version" || a0 === "--version" || a0 === "-v") {
+        runVersion();
+        return;
+    }
+    if (a0 === "doctor") {
+        await runDoctor();
+        return;
+    }
+    if (a0 === "policies" && a1 === "sync") {
+        const { runPoliciesSync } = await import("./policies-sync.js");
+        try {
+            await runPoliciesSync();
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            process.stderr.write(`${msg}\n`);
+            process.exitCode = 1;
+        }
+        return;
+    }
+    if (a0 === "mcp") {
+        const { runMcpStdioServer } = await import("../mcp/server.js");
+        await runMcpStdioServer();
+        return;
+    }
+    if (a0 === "hook" && a1 === "before-shell") {
+        await runBeforeShellHookFromStdin();
+        return;
+    }
+    process.stderr.write(`Unknown command: ${argv.join(" ")}\n\n`);
+    printHelp();
+    process.exitCode = 1;
+}
+//# sourceMappingURL=main.js.map

package/dist/cli/main.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"main.js","sourceRoot":"","sources":["../../src/cli/main.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,cAAc,CAAC;AAEnC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,2BAA2B,EAAE,MAAM,8BAA8B,CAAC;AAC3E,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,SAAS,SAAS;IAChB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyCtB,CAAC,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,IAAc;IACzC,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACnB,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IAEnB,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,MAAM,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,QAAQ,EAAE,CAAC;QAC3D,SAAS,EAAE,CAAC;QACZ,OAAO;IACT,CAAC;IAED,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;QACnB,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;QAChD,IAAI,CAAC;YACH,MAAM,QAAQ,EAAE,CAAC;QACnB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;YACjC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACvB,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;QACnB,MAAM,GAAG,GAAG,EAAE,CAAC;QACf,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC3B,IAAI,CAAC;YACH,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;gBAClB,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;gBACvD,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;gBACxB,OAAO;YACT,CAAC;YACD,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;gBACnB,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;gBACzD,MAAM,YAAY,CAAC,IAAI,CAAC,CAAC;gBACzB,OAAO;YACT,CAAC;YACD,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;gBAClB,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;gBACvD,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;gBACxB,OAAO;YACT,CAAC;YACD,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;gBACrB,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;gBAC7D,MAAM,cAAc,CAAC,IAAI,CAAC,CAAC;gBAC3B,OAAO;YACT,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,IAAI,WAAW,EAAE,CAAC,CAAC;QAClE,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;YACjC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACT,CAAC;IACH,CAAC;IAED,IAAI,EAAE,KAAK,QAAQ,EAAE,CAAC;QACpB,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QAClD,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;YACjC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACvB,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,EAAE,KAAK,QAAQ,EAAE,CAAC;QACpB,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QAClD,IAAI,CAAC;YACH,MAAM,SAAS,EAAE,CAAC;QACpB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;YACjC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACvB,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,EAAE,KAAK,SAAS,IAAI,EAAE,KAAK,WAAW,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;QAC1D,UAAU,EAAE,CAAC;QACb,OAAO;IACT,CAAC;IAED,IAAI,EAAE,KAAK,QAAQ,EAAE,CAAC;QACpB,MAAM,SAAS,EAAE,CAAC;QAClB,OAAO;IACT,CAAC;IAED,IAAI,EAAE,KAAK,UAAU,IAAI,EAAE,KAAK,MAAM,EAAE,CAAC;QACvC,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;QAC/D,IAAI,CAAC;YACH,MAAM,eAAe,EAAE,CAAC;QAC1B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;YACjC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACvB,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,EAAE,KAAK,KAAK,EAAE,CAAC;QACjB,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAC/D,MAAM,iBAAiB,EAAE,CAAC;QAC1B,OAAO;IACT,CAAC;IAED,IAAI,EAAE,KAAK,MAAM,IAAI,EAAE,KAAK,cAAc,EAAE,CAAC;QAC3C,MAAM,2BAA2B,EAAE,CAAC;QACpC,OAAO;IACT,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC/D,SAAS,EAAE,CAAC;IACZ,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AACvB,CAAC"}

package/dist/cli/policies-callable-url.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Callable URL for policies functions.
+ *
+ * Resolution order:
+ * 1. `PRAXIS_FIREBASE_CALLABLE_BASE_URL` — full override (no trailing slash)
+ * 1b. `PRAXIS_FIREBASE_FUNCTIONS_CUSTOM_DOMAIN` — use a single origin for functions (e.g. https://<site>.web.app)
+ * 2. `PRAXIS_FIREBASE_FUNCTIONS_EMULATOR_HOST` + project/region → local emulator
+ * 3. Detect hosting site from `.firebaserc` (target "app") → https://<site>.web.app/<functionName>
+ * 4. Default: production cloudfunctions.net URL
+ */
+export declare function policiesCallableUrl(functionName: string): string;
+/**
+ * Plain HTTP function URL (onRequest).
+ *
+ * Unlike callables, prefer `cloudfunctions.net` in production so the CLI doesn't
+ * depend on Hosting rewrites / SSR framework deploys.
+ *
+ * Resolution order:
+ * 1. `PRAXIS_FIREBASE_HTTP_BASE_URL` — full override (no trailing slash)
+ * 2. Emulator (`PRAXIS_FIREBASE_FUNCTIONS_EMULATOR_HOST`)
+ * 3. Production cloudfunctions.net URL
+ */
+export declare function functionsHttpUrl(functionName: string): string;
+//# sourceMappingURL=policies-callable-url.d.ts.map

package/dist/cli/policies-callable-url.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policies-callable-url.d.ts","sourceRoot":"","sources":["../../src/cli/policies-callable-url.ts"],"names":[],"mappings":"AAQA;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CA6BhE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAiB7D"}

package/dist/cli/policies-callable-url.js

@@ -0,0 +1,66 @@
+import process from "node:process";
+import { detectFirebaseProjectId, detectHostingSiteId } from "./firebase-targets.js";
+const DEFAULT_PROJECT_ID = "praxis-4cc80";
+const DEFAULT_REGION = "us-central1";
+const DEFAULT_HOSTING_TARGET = "app";
+/**
+ * Callable URL for policies functions.
+ *
+ * Resolution order:
+ * 1. `PRAXIS_FIREBASE_CALLABLE_BASE_URL` — full override (no trailing slash)
+ * 1b. `PRAXIS_FIREBASE_FUNCTIONS_CUSTOM_DOMAIN` — use a single origin for functions (e.g. https://<site>.web.app)
+ * 2. `PRAXIS_FIREBASE_FUNCTIONS_EMULATOR_HOST` + project/region → local emulator
+ * 3. Detect hosting site from `.firebaserc` (target "app") → https://<site>.web.app/<functionName>
+ * 4. Default: production cloudfunctions.net URL
+ */
+export function policiesCallableUrl(functionName) {
+    const full = process.env.PRAXIS_FIREBASE_CALLABLE_BASE_URL?.trim();
+    if (full) {
+        return `${full.replace(/\/$/, "")}/${functionName}`;
+    }
+    const customDomain = process.env.PRAXIS_FIREBASE_FUNCTIONS_CUSTOM_DOMAIN?.trim();
+    if (customDomain) {
+        return `${customDomain.replace(/\/$/, "")}/${functionName}`;
+    }
+    const emuHost = process.env.PRAXIS_FIREBASE_FUNCTIONS_EMULATOR_HOST?.trim();
+    const projectId = process.env.PRAXIS_FIREBASE_PROJECT_ID?.trim() ||
+        detectFirebaseProjectId(process.cwd()) ||
+        DEFAULT_PROJECT_ID;
+    const region = process.env.PRAXIS_FIREBASE_FUNCTIONS_REGION?.trim() || DEFAULT_REGION;
+    if (emuHost) {
+        const host = emuHost.replace(/^https?:\/\//, "");
+        return `http://${host}/${projectId}/${region}/${functionName}`;
+    }
+    const hostingSite = detectHostingSiteId(process.cwd(), projectId, DEFAULT_HOSTING_TARGET);
+    if (hostingSite) {
+        return `https://${hostingSite}.web.app/${functionName}`;
+    }
+    return `https://${region}-${projectId}.cloudfunctions.net/${functionName}`;
+}
+/**
+ * Plain HTTP function URL (onRequest).
+ *
+ * Unlike callables, prefer `cloudfunctions.net` in production so the CLI doesn't
+ * depend on Hosting rewrites / SSR framework deploys.
+ *
+ * Resolution order:
+ * 1. `PRAXIS_FIREBASE_HTTP_BASE_URL` — full override (no trailing slash)
+ * 2. Emulator (`PRAXIS_FIREBASE_FUNCTIONS_EMULATOR_HOST`)
+ * 3. Production cloudfunctions.net URL
+ */
+export function functionsHttpUrl(functionName) {
+    const full = process.env.PRAXIS_FIREBASE_HTTP_BASE_URL?.trim();
+    if (full)
+        return `${full.replace(/\/$/, "")}/${functionName}`;
+    const emuHost = process.env.PRAXIS_FIREBASE_FUNCTIONS_EMULATOR_HOST?.trim();
+    const projectId = process.env.PRAXIS_FIREBASE_PROJECT_ID?.trim() ||
+        detectFirebaseProjectId(process.cwd()) ||
+        DEFAULT_PROJECT_ID;
+    const region = process.env.PRAXIS_FIREBASE_FUNCTIONS_REGION?.trim() || DEFAULT_REGION;
+    if (emuHost) {
+        const host = emuHost.replace(/^https?:\/\//, "");
+        return `http://${host}/${projectId}/${region}/${functionName}`;
+    }
+    return `https://${region}-${projectId}.cloudfunctions.net/${functionName}`;
+}
+//# sourceMappingURL=policies-callable-url.js.map

package/dist/cli/policies-callable-url.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policies-callable-url.js","sourceRoot":"","sources":["../../src/cli/policies-callable-url.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,cAAc,CAAC;AAEnC,OAAO,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAErF,MAAM,kBAAkB,GAAG,cAAc,CAAC;AAC1C,MAAM,cAAc,GAAG,aAAa,CAAC;AACrC,MAAM,sBAAsB,GAAG,KAAK,CAAC;AAErC;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CAAC,YAAoB;IACtD,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,iCAAiC,EAAE,IAAI,EAAE,CAAC;IACnE,IAAI,IAAI,EAAE,CAAC;QACT,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,YAAY,EAAE,CAAC;IACtD,CAAC;IAED,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,uCAAuC,EAAE,IAAI,EAAE,CAAC;IACjF,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,YAAY,EAAE,CAAC;IAC9D,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,uCAAuC,EAAE,IAAI,EAAE,CAAC;IAC5E,MAAM,SAAS,GACb,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,IAAI,EAAE;QAC9C,uBAAuB,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QACtC,kBAAkB,CAAC;IACrB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,gCAAgC,EAAE,IAAI,EAAE,IAAI,cAAc,CAAC;IAEtF,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;QACjD,OAAO,UAAU,IAAI,IAAI,SAAS,IAAI,MAAM,IAAI,YAAY,EAAE,CAAC;IACjE,CAAC;IAED,MAAM,WAAW,GAAG,mBAAmB,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,sBAAsB,CAAC,CAAC;IAC1F,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO,WAAW,WAAW,YAAY,YAAY,EAAE,CAAC;IAC1D,CAAC;IAED,OAAO,WAAW,MAAM,IAAI,SAAS,uBAAuB,YAAY,EAAE,CAAC;AAC7E,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,gBAAgB,CAAC,YAAoB;IACnD,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,6BAA6B,EAAE,IAAI,EAAE,CAAC;IAC/D,IAAI,IAAI;QAAE,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,YAAY,EAAE,CAAC;IAE9D,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,uCAAuC,EAAE,IAAI,EAAE,CAAC;IAC5E,MAAM,SAAS,GACb,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,IAAI,EAAE;QAC9C,uBAAuB,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QACtC,kBAAkB,CAAC;IACrB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,gCAAgC,EAAE,IAAI,EAAE,IAAI,cAAc,CAAC;IAEtF,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;QACjD,OAAO,UAAU,IAAI,IAAI,SAAS,IAAI,MAAM,IAAI,YAAY,EAAE,CAAC;IACjE,CAAC;IAED,OAAO,WAAW,MAAM,IAAI,SAAS,uBAAuB,YAAY,EAAE,CAAC;AAC7E,CAAC"}

package/dist/cli/policies-meta.d.ts

@@ -0,0 +1,6 @@
+export type PoliciesMetaFile = {
+    revision: number;
+    syncedAt?: string;
+};
+export declare function readPoliciesMetaFile(metaPath: string): Promise<PoliciesMetaFile | null>;
+//# sourceMappingURL=policies-meta.d.ts.map

package/dist/cli/policies-meta.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policies-meta.d.ts","sourceRoot":"","sources":["../../src/cli/policies-meta.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,wBAAsB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAc7F"}