@propper-ai/cli 0.2.1

package/dist/bin/propper.js

@@ -0,0 +1,1354 @@
+#!/usr/bin/env node
+import {
+  ApiError,
+  AuthError,
+  UsageError,
+  callOperation,
+  manifest
+} from "../chunk-CBIH6V3I.js";
+
+// src/bin/propper.ts
+import { CommanderError } from "commander";
+
+// src/output/printer.ts
+import ora from "ora";
+import pc from "picocolors";
+
+// src/output/format.ts
+import Table from "cli-table3";
+import { stringify as yamlStringify } from "yaml";
+var OUTPUT_FORMATS = ["json", "yaml", "table", "text"];
+function isOutputFormat(value) {
+  return OUTPUT_FORMATS.includes(value);
+}
+function isRecordArray(data) {
+  return Array.isArray(data) && data.length > 0 && data.every((d) => d !== null && typeof d === "object" && !Array.isArray(d));
+}
+function scalar(value) {
+  if (value === null || value === void 0) return "";
+  if (typeof value === "object") return JSON.stringify(value);
+  return String(value);
+}
+function toTable(data) {
+  const columns = [...new Set(data.flatMap((row) => Object.keys(row)))];
+  const table = new Table({ head: columns });
+  for (const row of data) table.push(columns.map((c) => scalar(row[c])));
+  return table.toString();
+}
+function toText(data) {
+  if (isRecordArray(data)) {
+    const columns = [...new Set(data.flatMap((row) => Object.keys(row)))];
+    return data.map((row) => columns.map((c) => scalar(row[c])).join("	")).join("\n");
+  }
+  if (Array.isArray(data)) {
+    return data.map((item) => scalar(item)).join("\n");
+  }
+  if (data !== null && typeof data === "object") {
+    return Object.entries(data).map(([k, v]) => `${k}	${scalar(v)}`).join("\n");
+  }
+  return scalar(data);
+}
+function formatOutput(data, format) {
+  switch (format) {
+    case "yaml":
+      return yamlStringify(data).trimEnd();
+    case "table":
+      return isRecordArray(data) ? toTable(data) : JSON.stringify(data, null, 2);
+    case "text":
+      return toText(data);
+    default:
+      return JSON.stringify(data, null, 2);
+  }
+}
+
+// src/output/query.ts
+import * as jmespath from "jmespath";
+function applyQuery(data, expression) {
+  if (!expression) return data;
+  return jmespath.search(data, expression);
+}
+
+// src/output/printer.ts
+var identity = (s) => s;
+function palette(enabled) {
+  if (!enabled)
+    return { red: identity, green: identity, yellow: identity, dim: identity, bold: identity };
+  return { red: pc.red, green: pc.green, yellow: pc.yellow, dim: pc.dim, bold: pc.bold };
+}
+function renderResult(data, opts) {
+  const filtered = applyQuery(data, opts.query);
+  const format = isOutputFormat(opts.output) ? opts.output : "json";
+  return formatOutput(filtered, format);
+}
+function printResult(data, opts, out = process.stdout) {
+  out.write(`${renderResult(data, opts)}
+`);
+}
+var STATUS_TEXT = {
+  400: "Bad Request",
+  401: "Unauthorized",
+  403: "Forbidden",
+  404: "Not Found",
+  405: "Method Not Allowed",
+  409: "Conflict",
+  410: "Gone",
+  422: "Unprocessable Entity",
+  429: "Too Many Requests",
+  500: "Internal Server Error",
+  502: "Bad Gateway",
+  503: "Service Unavailable",
+  504: "Gateway Timeout"
+};
+function indent(text, pad = "  ") {
+  return text.split("\n").map((line) => `${pad}${line}`).join("\n");
+}
+function extraBody(body, message) {
+  if (body == null) return void 0;
+  if (typeof body === "string") {
+    const t = body.trim();
+    return t && t !== message ? body : void 0;
+  }
+  if (Array.isArray(body)) return body.length ? body : void 0;
+  if (typeof body === "object") {
+    const rest = { ...body };
+    for (const k of ["message", "error", "code"]) {
+      if (typeof rest[k] === "string") delete rest[k];
+    }
+    return Object.keys(rest).length ? body : void 0;
+  }
+  return void 0;
+}
+function formatApiError(err, colors) {
+  const statusText = STATUS_TEXT[err.status];
+  const head = err.status ? `HTTP ${err.status}${statusText ? ` ${statusText}` : ""}` : "Request failed";
+  const where = err.method && err.path ? ` on ${colors.bold(`${err.method} ${err.path}`)}` : "";
+  const lines = [`${colors.red("error")}: ${head}${where}`];
+  const msg = err.message?.trim() ?? "";
+  const generic = `${err.status} ${statusText ?? ""}`.trim();
+  if (msg && msg !== generic && msg !== head) lines.push(`  ${msg}`);
+  const details = extraBody(err.body, msg);
+  if (details !== void 0) {
+    const rendered = typeof details === "string" ? details : JSON.stringify(details, null, 2);
+    lines.push(colors.dim(indent(rendered)));
+  }
+  if (err.code) lines.push(colors.dim(`  code: ${err.code}`));
+  if (err.requestId) lines.push(colors.dim(`  request id: ${err.requestId}`));
+  if (err.operation) {
+    lines.push(
+      colors.dim(
+        `  hint: run \`propper ${err.operation} --help\` for required parameters, or re-run with --debug`
+      )
+    );
+  }
+  return lines.join("\n");
+}
+function printError(err, opts = {}, out = process.stderr) {
+  const colors = palette(opts.color ?? true);
+  if (err instanceof ApiError) {
+    out.write(`${formatApiError(err, colors)}
+`);
+    if (opts.debug && err.stack) out.write(`${colors.dim(err.stack)}
+`);
+    return;
+  }
+  const message = err instanceof Error ? err.message : String(err);
+  out.write(`${colors.red("error")}: ${message}
+`);
+  if (opts.debug && err instanceof Error && err.stack) out.write(`${colors.dim(err.stack)}
+`);
+}
+
+// src/runtime/program.ts
+import { Command } from "commander";
+
+// src/commands/auth/login.ts
+import { randomBytes as randomBytes2 } from "crypto";
+import { createServer } from "http";
+
+// src/auth/oidc.ts
+import { createHash, randomBytes } from "crypto";
+function base64url(buf) {
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function generatePkce() {
+  const verifier = base64url(randomBytes(32));
+  const challenge = base64url(createHash("sha256").update(verifier).digest());
+  return { verifier, challenge, method: "S256" };
+}
+function fallbackEndpoints(authBaseUrl) {
+  const base = authBaseUrl.replace(/\/$/, "");
+  return {
+    authorization_endpoint: `${base}/oauth2/authorize`,
+    token_endpoint: `${base}/oauth2/token`,
+    userinfo_endpoint: `${base}/oauth2/userinfo`,
+    introspection_endpoint: `${base}/oauth2/introspect`,
+    revocation_endpoint: `${base}/oauth2/revoke`
+  };
+}
+async function discover(authBaseUrl, fetchFn = fetch) {
+  const base = authBaseUrl.replace(/\/$/, "");
+  const fallback = fallbackEndpoints(base);
+  try {
+    const res = await fetchFn(`${base}/.well-known/openid-configuration`);
+    if (!res.ok) return fallback;
+    const doc = await res.json();
+    return {
+      authorization_endpoint: doc.authorization_endpoint ?? fallback.authorization_endpoint,
+      token_endpoint: doc.token_endpoint ?? fallback.token_endpoint,
+      userinfo_endpoint: doc.userinfo_endpoint ?? fallback.userinfo_endpoint,
+      introspection_endpoint: doc.introspection_endpoint ?? fallback.introspection_endpoint,
+      revocation_endpoint: doc.revocation_endpoint ?? fallback.revocation_endpoint
+    };
+  } catch {
+    return fallback;
+  }
+}
+async function postForm(url, form, fetchFn) {
+  const body = new URLSearchParams();
+  for (const [k, v] of Object.entries(form)) if (v !== void 0) body.set(k, v);
+  return fetchFn(url, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded", accept: "application/json" },
+    body
+  });
+}
+async function tokenCall(res) {
+  const text = await res.text();
+  if (!res.ok) {
+    throw new Error(`Token request failed (${res.status}): ${text.slice(0, 300)}`);
+  }
+  return JSON.parse(text);
+}
+function buildAuthorizeUrl(opts) {
+  const url = new URL(opts.authorizationEndpoint);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", opts.clientId);
+  url.searchParams.set("redirect_uri", opts.redirectUri);
+  url.searchParams.set("scope", opts.scope);
+  url.searchParams.set("state", opts.state);
+  url.searchParams.set("code_challenge", opts.codeChallenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  return url.toString();
+}
+function exchangeCode(opts, fetchFn = fetch) {
+  return postForm(
+    opts.tokenEndpoint,
+    {
+      grant_type: "authorization_code",
+      code: opts.code,
+      redirect_uri: opts.redirectUri,
+      client_id: opts.clientId,
+      code_verifier: opts.codeVerifier,
+      client_secret: opts.clientSecret
+    },
+    fetchFn
+  ).then(tokenCall);
+}
+function refresh(opts, fetchFn = fetch) {
+  return postForm(
+    opts.tokenEndpoint,
+    {
+      grant_type: "refresh_token",
+      refresh_token: opts.refreshToken,
+      client_id: opts.clientId,
+      client_secret: opts.clientSecret
+    },
+    fetchFn
+  ).then(tokenCall);
+}
+function clientCredentials(opts, fetchFn = fetch) {
+  return postForm(
+    opts.tokenEndpoint,
+    {
+      grant_type: "client_credentials",
+      client_id: opts.clientId,
+      client_secret: opts.clientSecret,
+      scope: opts.scope
+    },
+    fetchFn
+  ).then(tokenCall);
+}
+async function revoke(opts, fetchFn = fetch) {
+  await postForm(
+    opts.revocationEndpoint,
+    { token: opts.token, client_id: opts.clientId, client_secret: opts.clientSecret },
+    fetchFn
+  );
+}
+async function userinfo(opts, fetchFn = fetch) {
+  const res = await fetchFn(opts.userinfoEndpoint, {
+    headers: { authorization: `Bearer ${opts.accessToken}`, accept: "application/json" }
+  });
+  if (!res.ok) throw new Error(`userinfo failed (${res.status})`);
+  return await res.json();
+}
+async function introspect(opts, fetchFn = fetch) {
+  const res = await postForm(
+    opts.introspectionEndpoint,
+    { token: opts.token, client_id: opts.clientId, client_secret: opts.clientSecret },
+    fetchFn
+  );
+  if (!res.ok) return { active: false };
+  return await res.json();
+}
+
+// src/auth/token-store.ts
+import { chmodSync, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
+
+// src/config/paths.ts
+import { homedir } from "os";
+import { join } from "path";
+
+// package.json
+var package_default = {
+  name: "@propper-ai/cli",
+  version: "0.2.1",
+  description: "Propper CLI \u2014 an AWS-style, OpenAPI-generated command-line interface for the Propper Sign + Auth APIs",
+  type: "module",
+  license: "MIT",
+  repository: {
+    type: "git",
+    url: "git+https://github.com/mypropper/propper-cli.git"
+  },
+  homepage: "https://github.com/mypropper/propper-cli#readme",
+  bugs: {
+    url: "https://github.com/mypropper/propper-cli/issues"
+  },
+  keywords: [
+    "propper",
+    "cli",
+    "e-signature",
+    "esignature",
+    "esign",
+    "sign",
+    "signing",
+    "docgen",
+    "document-generation",
+    "openapi",
+    "sdk",
+    "api"
+  ],
+  bin: {
+    propper: "./dist/bin/propper.js"
+  },
+  exports: {
+    "./generated/client": "./dist/generated/client.js",
+    "./package.json": "./package.json"
+  },
+  files: [
+    "dist",
+    "README.md"
+  ],
+  engines: {
+    node: ">=20"
+  },
+  scripts: {
+    build: "tsup",
+    dev: "tsx src/bin/propper.ts",
+    "dev:setup-local": "npm install && npm run build && npm install -g .",
+    "dev:link-local": "npm install && npm run build && npm link",
+    "dev:uninstall-local": "npm uninstall -g @propper-ai/cli",
+    "dev:reinstall-local": "npm run dev:uninstall-local; npm run dev:link-local && node scripts/install-completion.mjs",
+    test: "vitest run",
+    "test:watch": "vitest",
+    lint: "biome check .",
+    "lint:fix": "biome check --write .",
+    typecheck: "tsc --noEmit",
+    generate: "tsx scripts/generate.ts",
+    "sync-spec": "tsx scripts/sync-spec.ts",
+    "spec-diff": "tsx scripts/spec-diff.ts"
+  },
+  dependencies: {
+    "cli-table3": "^0.6.5",
+    commander: "^12.1.0",
+    jmespath: "^0.16.0",
+    open: "^10.1.0",
+    ora: "^8.1.1",
+    picocolors: "^1.1.1",
+    yaml: "^2.6.1"
+  },
+  devDependencies: {
+    "@biomejs/biome": "^1.9.4",
+    "@types/jmespath": "^0.15.2",
+    "@types/node": "^20.17.6",
+    "openapi-types": "^12.1.3",
+    tsup: "^8.3.5",
+    tsx: "^4.19.2",
+    typescript: "^5.7.2",
+    vitest: "^3.2.6"
+  }
+};
+
+// src/constants.ts
+var CLI_VERSION = package_default.version;
+var USER_AGENT = `propper-cli/${CLI_VERSION}`;
+var DEFAULT_API_BASE_URL = "https://api.propper.ai";
+var DEFAULT_AUTH_BASE_URL = "https://auth.propper.ai";
+var OAUTH_CLIENT_ID = "propper-cli";
+var DEFAULT_PROFILE = "default";
+var DEFAULT_OUTPUT = "json";
+var ENV = {
+  token: "PROPPER_API_TOKEN",
+  profile: "PROPPER_PROFILE",
+  apiBaseUrl: "PROPPER_BASE_URL",
+  authBaseUrl: "PROPPER_AUTH_BASE_URL",
+  /** Client-credentials (M2M) client id. */
+  clientId: "PROPPER_CLIENT_ID",
+  clientSecret: "PROPPER_CLIENT_SECRET",
+  configDir: "PROPPER_CONFIG_DIR"
+};
+
+// src/config/paths.ts
+function configDir() {
+  return process.env[ENV.configDir] || join(homedir(), ".propper");
+}
+function configFile() {
+  return join(configDir(), "config.json");
+}
+function credentialsFile() {
+  return join(configDir(), "credentials.json");
+}
+
+// src/config/store.ts
+import { mkdirSync, readFileSync, writeFileSync } from "fs";
+import { dirname } from "path";
+var PROFILE_KEYS = ["api_base_url", "auth_base_url", "client_id", "output"];
+function loadConfig() {
+  try {
+    const raw = readFileSync(configFile(), "utf8");
+    const parsed = JSON.parse(raw);
+    return { default_profile: parsed.default_profile, profiles: parsed.profiles ?? {} };
+  } catch {
+    return { profiles: {} };
+  }
+}
+function saveConfig(config) {
+  mkdirSync(configDir(), { recursive: true, mode: 448 });
+  writeFileSync(configFile(), `${JSON.stringify(config, null, 2)}
+`, { mode: 420 });
+}
+function getProfile(name) {
+  return loadConfig().profiles[name] ?? {};
+}
+function listProfiles() {
+  return Object.keys(loadConfig().profiles).sort();
+}
+function setProfileValue(name, key, value) {
+  const config = loadConfig();
+  const profile = config.profiles[name] ?? {};
+  profile[key] = value;
+  config.profiles[name] = profile;
+  if (!config.default_profile) config.default_profile = name;
+  saveConfig(config);
+}
+function ensureDirFor(filePath) {
+  mkdirSync(dirname(filePath), { recursive: true, mode: 448 });
+}
+
+// src/auth/token-store.ts
+function readAll() {
+  try {
+    return JSON.parse(readFileSync2(credentialsFile(), "utf8"));
+  } catch {
+    return {};
+  }
+}
+function writeAll(all) {
+  const file = credentialsFile();
+  ensureDirFor(file);
+  writeFileSync2(file, `${JSON.stringify(all, null, 2)}
+`, { mode: 384 });
+  chmodSync(file, 384);
+}
+function readCredentials(profile) {
+  return readAll()[profile];
+}
+function writeCredentials(profile, creds) {
+  const all = readAll();
+  all[profile] = creds;
+  writeAll(all);
+}
+function clearCredentials(profile) {
+  const all = readAll();
+  delete all[profile];
+  writeAll(all);
+}
+function isExpired(creds, skewSec = 60, now = Date.now()) {
+  if (!creds.expires_at) return false;
+  return now >= creds.expires_at - skewSec * 1e3;
+}
+function expiresAtFrom(expiresIn, now = Date.now()) {
+  return typeof expiresIn === "number" ? now + expiresIn * 1e3 : void 0;
+}
+
+// src/auth/chain.ts
+var defaultDeps = {
+  readCredentials,
+  writeCredentials,
+  discover,
+  refresh,
+  clientCredentials
+};
+var explicitProvider = async (ctx) => ctx.explicitToken ?? null;
+var envProvider = async (ctx) => (ctx.env ?? process.env)[ENV.token] ?? null;
+var storedProvider = async (ctx, deps) => {
+  const creds = deps.readCredentials(ctx.profile);
+  if (!creds?.access_token) return null;
+  if (!isExpired(creds)) return creds.access_token;
+  if (!creds.refresh_token) return null;
+  try {
+    const endpoints = await deps.discover(ctx.authBaseUrl, ctx.fetchFn);
+    const tok = await deps.refresh(
+      {
+        tokenEndpoint: endpoints.token_endpoint,
+        refreshToken: creds.refresh_token,
+        clientId: OAUTH_CLIENT_ID
+      },
+      ctx.fetchFn
+    );
+    const updated = {
+      access_token: tok.access_token,
+      refresh_token: tok.refresh_token ?? creds.refresh_token,
+      expires_at: expiresAtFrom(tok.expires_in),
+      scope: tok.scope ?? creds.scope,
+      client_secret: creds.client_secret
+    };
+    deps.writeCredentials(ctx.profile, updated);
+    return tok.access_token;
+  } catch {
+    return null;
+  }
+};
+var clientCredentialsProvider = async (ctx, deps) => {
+  if (!ctx.clientSecret || !ctx.clientId) return null;
+  const endpoints = await deps.discover(ctx.authBaseUrl, ctx.fetchFn);
+  const tok = await deps.clientCredentials(
+    {
+      tokenEndpoint: endpoints.token_endpoint,
+      clientId: ctx.clientId,
+      clientSecret: ctx.clientSecret,
+      scope: ctx.scope
+    },
+    ctx.fetchFn
+  );
+  deps.writeCredentials(ctx.profile, {
+    access_token: tok.access_token,
+    expires_at: expiresAtFrom(tok.expires_in),
+    scope: tok.scope,
+    client_secret: ctx.clientSecret
+  });
+  return tok.access_token;
+};
+var PROVIDERS = [
+  explicitProvider,
+  envProvider,
+  storedProvider,
+  clientCredentialsProvider
+];
+async function resolveToken(ctx) {
+  const deps = { ...defaultDeps, ...ctx.deps };
+  for (const provider of PROVIDERS) {
+    const token = await provider(ctx, deps);
+    if (token) return token;
+  }
+  throw new AuthError(
+    "Not authenticated. Run `propper auth login`, or set PROPPER_API_TOKEN / client credentials."
+  );
+}
+
+// src/commands/auth/deps.ts
+var defaultAuthDeps = {
+  resolveToken,
+  discover,
+  exchangeCode,
+  clientCredentials,
+  revoke,
+  userinfo,
+  introspect,
+  readCredentials,
+  writeCredentials,
+  clearCredentials,
+  openBrowser: async (url) => {
+    const { default: open } = await import("open");
+    return open(url);
+  }
+};
+
+// src/commands/auth/login.ts
+var DEFAULT_SCOPE = [
+  "openid",
+  "email",
+  "profile",
+  "offline_access",
+  "sign:read",
+  "sign:write",
+  "click:read",
+  "click:write",
+  "docgen:read",
+  "docgen:write",
+  "locker:read",
+  "locker:write",
+  "org:read"
+].join(" ");
+var PKCE_TIMEOUT_MS = 12e4;
+function rememberProfile(ctx) {
+  if (ctx.clientId) setProfileValue(ctx.profile, "client_id", ctx.clientId);
+  setProfileValue(ctx.profile, "auth_base_url", ctx.authBaseUrl);
+  setProfileValue(ctx.profile, "api_base_url", ctx.apiBaseUrl);
+}
+function loginWithToken(ctx, token, deps = defaultAuthDeps) {
+  const creds = { access_token: token };
+  deps.writeCredentials(ctx.profile, creds);
+  rememberProfile(ctx);
+  return creds;
+}
+async function loginClientCredentials(ctx, clientSecret, scope = DEFAULT_SCOPE, deps = defaultAuthDeps) {
+  if (!ctx.clientId) {
+    throw new UsageError(
+      "No client id configured. Set one via --client-id, PROPPER_CLIENT_ID, or `propper configure`."
+    );
+  }
+  const endpoints = await deps.discover(ctx.authBaseUrl);
+  const tok = await deps.clientCredentials({
+    tokenEndpoint: endpoints.token_endpoint,
+    clientId: ctx.clientId,
+    clientSecret,
+    scope
+  });
+  const creds = {
+    access_token: tok.access_token,
+    expires_at: expiresAtFrom(tok.expires_in),
+    scope: tok.scope,
+    client_secret: clientSecret
+  };
+  deps.writeCredentials(ctx.profile, creds);
+  rememberProfile(ctx);
+  return creds;
+}
+function awaitCallback(server, expectedState) {
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(() => {
+      server.close();
+      reject(new Error("Timed out waiting for the browser callback."));
+    }, PKCE_TIMEOUT_MS);
+    server.on("request", (req, res) => {
+      const url = new URL(req.url ?? "/", "http://127.0.0.1");
+      if (url.pathname !== "/callback") {
+        res.writeHead(404).end();
+        return;
+      }
+      const code = url.searchParams.get("code");
+      const state = url.searchParams.get("state");
+      const error = url.searchParams.get("error");
+      res.writeHead(200, { "content-type": "text/html" });
+      res.end(
+        error ? `<h1>Login failed</h1><p>${error}</p>` : "<h1>Login complete</h1><p>You can close this tab and return to the terminal.</p>"
+      );
+      clearTimeout(timer);
+      server.close();
+      if (error || !code || !state) {
+        reject(new Error(`Authorization failed: ${error ?? "missing code/state"}`));
+      } else if (state !== expectedState) {
+        reject(new Error("State mismatch (possible CSRF); aborting."));
+      } else {
+        resolve({ code, state });
+      }
+    });
+  });
+}
+async function loginPkce(ctx, scope = DEFAULT_SCOPE, deps = defaultAuthDeps) {
+  const endpoints = await deps.discover(ctx.authBaseUrl);
+  const pkce = generatePkce();
+  const state = randomBytes2(16).toString("hex");
+  const server = createServer();
+  await new Promise((resolve) => server.listen(0, "127.0.0.1", resolve));
+  const address = server.address();
+  if (!address || typeof address === "string") {
+    server.close();
+    throw new Error("Could not bind a loopback port for the OAuth callback.");
+  }
+  const redirectUri = `http://127.0.0.1:${address.port}/callback`;
+  const authorizeUrl = buildAuthorizeUrl({
+    authorizationEndpoint: endpoints.authorization_endpoint,
+    clientId: OAUTH_CLIENT_ID,
+    redirectUri,
+    scope,
+    state,
+    codeChallenge: pkce.challenge
+  });
+  const callbackPromise = awaitCallback(server, state);
+  await deps.openBrowser(authorizeUrl);
+  const { code } = await callbackPromise;
+  const tok = await deps.exchangeCode({
+    tokenEndpoint: endpoints.token_endpoint,
+    code,
+    redirectUri,
+    clientId: OAUTH_CLIENT_ID,
+    codeVerifier: pkce.verifier
+  });
+  const creds = {
+    access_token: tok.access_token,
+    refresh_token: tok.refresh_token,
+    expires_at: expiresAtFrom(tok.expires_in),
+    scope: tok.scope
+  };
+  deps.writeCredentials(ctx.profile, creds);
+  rememberProfile(ctx);
+  return { creds, authorizeUrl };
+}
+
+// src/commands/auth/logout.ts
+async function logout(ctx, deps = defaultAuthDeps) {
+  const creds = deps.readCredentials(ctx.profile);
+  if (!creds) return false;
+  if (creds.access_token) {
+    try {
+      const endpoints = await deps.discover(ctx.authBaseUrl);
+      await deps.revoke({
+        revocationEndpoint: endpoints.revocation_endpoint,
+        token: creds.refresh_token ?? creds.access_token,
+        clientId: creds.client_secret && ctx.clientId ? ctx.clientId : OAUTH_CLIENT_ID,
+        clientSecret: creds.client_secret
+      });
+    } catch {
+    }
+  }
+  deps.clearCredentials(ctx.profile);
+  return true;
+}
+
+// src/commands/auth/status.ts
+function maskToken(token) {
+  return token.length > 12 ? `${token.slice(0, 4)}\u2026${token.slice(-4)}` : "****";
+}
+function detectSource(ctx, deps) {
+  if (ctx.explicitToken) return "flag";
+  if (ctx.env[ENV.token]) return "env";
+  if (deps.readCredentials(ctx.profile)?.access_token) return "profile";
+  if (ctx.clientSecret) return "client-credentials";
+  return "none";
+}
+function toScopes(scope) {
+  if (!scope) return void 0;
+  const parts = scope.split(/\s+/).filter(Boolean);
+  return parts.length ? parts : void 0;
+}
+async function authStatus(ctx, deps = defaultAuthDeps) {
+  let token;
+  try {
+    token = await deps.resolveToken({
+      explicitToken: ctx.explicitToken,
+      profile: ctx.profile,
+      authBaseUrl: ctx.authBaseUrl,
+      clientId: ctx.clientId,
+      clientSecret: ctx.clientSecret,
+      env: ctx.env
+    });
+  } catch {
+    throw new AuthError(
+      `Not authenticated for profile "${ctx.profile}". Run \`propper auth login\` to sign in.`
+    );
+  }
+  const result = {
+    profile: ctx.profile,
+    source: detectSource(ctx, deps),
+    apiBaseUrl: ctx.apiBaseUrl,
+    authBaseUrl: ctx.authBaseUrl,
+    tokenMasked: maskToken(token)
+  };
+  let expiresAtMs = deps.readCredentials(ctx.profile)?.expires_at;
+  const endpoints = await deps.discover(ctx.authBaseUrl);
+  try {
+    const info = await deps.userinfo({
+      userinfoEndpoint: endpoints.userinfo_endpoint,
+      accessToken: token
+    });
+    result.user = {
+      sub: info.sub,
+      email: info.email,
+      name: info.name,
+      roles: info.roles,
+      org: info.org
+    };
+    result.scopes = toScopes(info.scope);
+  } catch {
+  }
+  try {
+    const intro = await deps.introspect({
+      introspectionEndpoint: endpoints.introspection_endpoint,
+      token,
+      // Authenticate the introspection call with whichever client minted the
+      // token: the M2M client when there's a secret, else the public OAuth client.
+      clientId: ctx.clientSecret && ctx.clientId ? ctx.clientId : OAUTH_CLIENT_ID,
+      clientSecret: ctx.clientSecret
+    });
+    if (intro.active) {
+      result.scopes = result.scopes ?? toScopes(intro.scope);
+      if (typeof intro.exp === "number") expiresAtMs = expiresAtMs ?? intro.exp * 1e3;
+    }
+  } catch {
+  }
+  if (typeof expiresAtMs === "number") result.tokenExpiresAt = new Date(expiresAtMs).toISOString();
+  return result;
+}
+
+// src/commands/completion.ts
+var SUPPORTED_SHELLS = ["bash", "zsh", "fish"];
+var GLOBAL_FLAGS = [
+  "--profile",
+  "--output",
+  "--query",
+  "--base-url",
+  "--auth-base-url",
+  "--client-id",
+  "--token",
+  "--no-color",
+  "--quiet",
+  "--debug",
+  "--help"
+];
+var STATIC_GROUPS = {
+  auth: ["login", "logout", "status", "whoami"],
+  configure: ["set", "get", "list-profiles"],
+  completion: [...SUPPORTED_SHELLS]
+};
+function operationFlags(entry) {
+  const flags = [
+    ...entry.pathParams.map((p) => p.flag),
+    ...entry.queryParams.map((p) => p.flag),
+    ...entry.bodyFields.map((f) => f.flag)
+  ];
+  if (entry.hasBody) flags.push("--input-json");
+  if (entry.fileField) flags.push("--file");
+  if (entry.produces === "binary") flags.push("--output-file");
+  if (entry.queryParams.some((p) => p.name === "page")) flags.push("--all");
+  return flags;
+}
+function uniq(values) {
+  return [...new Set(values)].sort();
+}
+function candidatesAt(path, manifest2) {
+  const apiNames = manifest2.apis.map((a) => a.name);
+  if (path.length === 0) return uniq([...apiNames, ...Object.keys(STATIC_GROUPS)]);
+  const head = path[0] ?? "";
+  if (head in STATIC_GROUPS) return path.length === 1 ? STATIC_GROUPS[head] ?? [] : [];
+  if (!apiNames.includes(head)) return [];
+  if (path.length === 1) {
+    return uniq(manifest2.operations.filter((o) => o.api === head).map((o) => o.topic));
+  }
+  if (path.length === 2) {
+    return uniq(
+      manifest2.operations.filter((o) => o.api === head && o.topic === path[1]).map((o) => o.command)
+    );
+  }
+  const entry = manifest2.operations.find(
+    (o) => o.api === head && o.topic === path[1] && o.command === path[2]
+  );
+  return uniq([...entry ? operationFlags(entry) : [], ...GLOBAL_FLAGS]);
+}
+function completeArgs(completedWords, manifest2) {
+  const path = completedWords.filter((w) => !w.startsWith("-"));
+  return candidatesAt(path, manifest2);
+}
+function completionScript(shell) {
+  if (shell === "bash") {
+    return `# propper bash completion
+_propper_complete() {
+  local cur completed candidates
+  cur="\${COMP_WORDS[COMP_CWORD]}"
+  completed=("\${COMP_WORDS[@]:1:COMP_CWORD-1}")
+  candidates="$(propper __complete "\${completed[@]}" 2>/dev/null)"
+  local IFS=$'\\n'
+  COMPREPLY=( $(compgen -W "\${candidates}" -- "\${cur}") )
+}
+complete -F _propper_complete propper
+`;
+  }
+  if (shell === "zsh") {
+    return `#compdef propper
+_propper() {
+  local -a candidates
+  candidates=("\${(@f)$(propper __complete \${words[2,CURRENT-1]} 2>/dev/null)}")
+  compadd -- $candidates
+}
+compdef _propper propper
+`;
+  }
+  return `# propper fish completion
+function __propper_complete
+  set -l tokens (commandline -opc)
+  propper __complete $tokens[2..-1]
+end
+complete -c propper -f -a '(__propper_complete)'
+`;
+}
+
+// src/commands/configure/index.ts
+import { createInterface } from "readline/promises";
+var SECRET_KEYS = ["client_secret"];
+var ALL_KEYS = [...PROFILE_KEYS, ...SECRET_KEYS];
+var CREDENTIAL_KEYS = /* @__PURE__ */ new Set(["client_id", "client_secret"]);
+function cleanCredential(value) {
+  return value.replace(/\s+/g, "");
+}
+function maskSecret(secret) {
+  const n = secret.length;
+  if (n >= 14) return `${secret.slice(0, 5)}\u2026${secret.slice(-5)}`;
+  if (n > 6) return `${secret.slice(0, 3)}\u2026${secret.slice(-3)}`;
+  return "****";
+}
+function isSecretKey(key) {
+  return SECRET_KEYS.includes(key);
+}
+function assertKey(key) {
+  if (!PROFILE_KEYS.includes(key)) {
+    throw new UsageError(`Unknown config key "${key}". Valid keys: ${ALL_KEYS.join(", ")}`);
+  }
+}
+function writeClientSecret(profile, secret) {
+  const existing = readCredentials(profile) ?? {};
+  writeCredentials(profile, { ...existing, client_secret: cleanCredential(secret) });
+}
+function configureSet(profile, key, value) {
+  const v = CREDENTIAL_KEYS.has(key) ? cleanCredential(value) : value;
+  if (isSecretKey(key)) {
+    writeClientSecret(profile, v);
+    return;
+  }
+  assertKey(key);
+  setProfileValue(profile, key, v);
+}
+function configureGet(profile, key) {
+  if (isSecretKey(key)) {
+    return readCredentials(profile)?.client_secret;
+  }
+  assertKey(key);
+  return getProfile(profile)[key];
+}
+function configureListProfiles() {
+  return listProfiles();
+}
+async function runConfigureWizard(ctx, input = process.stdin, output = process.stdout) {
+  const rl = createInterface({ input, output });
+  const written = [];
+  try {
+    const ask = async (label, current2) => {
+      const suffix = current2 ? ` [${current2}]` : "";
+      const answer = (await rl.question(`${label}${suffix}: `)).trim();
+      return answer || current2 || "";
+    };
+    const current = getProfile(ctx.profile);
+    const apiBaseUrl = await ask("API base URL", current.api_base_url ?? ctx.apiBaseUrl);
+    const authBaseUrl = await ask("Auth base URL", current.auth_base_url ?? ctx.authBaseUrl);
+    const clientId = cleanCredential(
+      await ask("Client id (client-credentials / M2M)", current.client_id ?? ctx.clientId)
+    );
+    const existingSecret = readCredentials(ctx.profile)?.client_secret;
+    const secretLabel = existingSecret ? `Client secret [${maskSecret(existingSecret)}]` : "Client secret (optional, blank to skip)";
+    const secretAnswer = cleanCredential(await rl.question(`${secretLabel}: `));
+    const token = (await rl.question("API token (optional, blank to skip): ")).trim();
+    const out = await ask("Default output (json/table/yaml/text)", current.output ?? ctx.output);
+    for (const [key, value] of [
+      ["api_base_url", apiBaseUrl],
+      ["auth_base_url", authBaseUrl],
+      ["client_id", clientId],
+      ["output", out]
+    ]) {
+      if (value) {
+        setProfileValue(ctx.profile, key, value);
+        written.push(key);
+      }
+    }
+    if (secretAnswer) {
+      writeClientSecret(ctx.profile, secretAnswer);
+      written.push("client_secret");
+    }
+    if (token) {
+      const existing = readCredentials(ctx.profile) ?? {};
+      writeCredentials(ctx.profile, { ...existing, access_token: token });
+      written.push("token");
+    }
+    return written;
+  } finally {
+    rl.close();
+  }
+}
+
+// src/runtime/dispatch.ts
+import { Buffer } from "buffer";
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
+
+// src/manifest/types.ts
+function kebabCase(input) {
+  return input.replace(/([a-z0-9])([A-Z])/g, "$1-$2").replace(/[\s_]+/g, "-").replace(/-+/g, "-").toLowerCase();
+}
+function camelCase(input) {
+  const parts = kebabCase(input).split("-").filter(Boolean);
+  return parts.map((p, i) => i === 0 ? p : p.charAt(0).toUpperCase() + p.slice(1)).join("");
+}
+
+// src/runtime/options.ts
+function buildContext(globals, env = process.env) {
+  const profile = globals.profile || env[ENV.profile] || loadConfig().default_profile || DEFAULT_PROFILE;
+  const cfg = getProfile(profile);
+  return {
+    profile,
+    apiBaseUrl: globals.baseUrl || env[ENV.apiBaseUrl] || cfg.api_base_url || manifest.apiBaseUrl || DEFAULT_API_BASE_URL,
+    authBaseUrl: globals.authBaseUrl || env[ENV.authBaseUrl] || cfg.auth_base_url || DEFAULT_AUTH_BASE_URL,
+    // Client-credentials (M2M) client id: flag > env > profile. Optional.
+    clientId: globals.clientId || env[ENV.clientId] || cfg.client_id || void 0,
+    clientSecret: env[ENV.clientSecret] || readCredentials(profile)?.client_secret || void 0,
+    output: globals.output || cfg.output || DEFAULT_OUTPUT,
+    query: globals.query,
+    color: globals.color !== false && !env.NO_COLOR,
+    quiet: Boolean(globals.quiet),
+    debug: Boolean(globals.debug),
+    explicitToken: globals.token,
+    env
+  };
+}
+function makeRequestContext(ctx, token) {
+  return {
+    apiBaseUrl: ctx.apiBaseUrl,
+    token,
+    userAgent: USER_AGENT,
+    debug: ctx.debug
+  };
+}
+
+// src/runtime/dispatch.ts
+function flagKey(flag) {
+  return camelCase(flag.replace(/^--/, ""));
+}
+var defaultDispatchDeps = {
+  resolveToken,
+  call: (entry, req, ctx) => callOperation(entry.api, entry.operationId, req, ctx),
+  readFile: (path) => readFileSync3(path),
+  writeFile: (path, data) => writeFileSync3(path, data),
+  stdout: process.stdout
+};
+function coerce(value, type) {
+  if (type === "boolean") return value === true || value === "true";
+  if (type === "number" || type === "integer") return Number(value);
+  return String(value);
+}
+function readInputJson(raw, deps) {
+  const text = raw === "-" ? readFileSync3(0, "utf8") : raw.startsWith("@") ? deps.readFile(raw.slice(1)).toString("utf8") : raw;
+  try {
+    return JSON.parse(text);
+  } catch (err) {
+    throw new UsageError(`--input-json is not valid JSON: ${err.message}`);
+  }
+}
+function buildRequest(entry, flags, deps) {
+  const pathParams = {};
+  for (const p of entry.pathParams) {
+    const value = flags[flagKey(p.flag)];
+    if (value === void 0 || value === "") {
+      throw new UsageError(`Missing required option ${p.flag}`);
+    }
+    pathParams[p.name] = String(value);
+  }
+  const query = {};
+  for (const p of entry.queryParams) {
+    const value = flags[flagKey(p.flag)];
+    if (value !== void 0) query[p.name] = value;
+  }
+  let body;
+  if (entry.hasBody) {
+    body = {};
+    const inputJson = flags.inputJson;
+    if (typeof inputJson === "string") Object.assign(body, readInputJson(inputJson, deps));
+    for (const field of entry.bodyFields) {
+      const value = flags[flagKey(field.flag)];
+      if (value !== void 0) body[field.name] = coerce(value, field.type);
+    }
+    if (entry.fileField && typeof flags.file === "string") {
+      body[entry.fileField] = deps.readFile(flags.file).toString("base64");
+    }
+    if (Object.keys(body).length === 0) body = void 0;
+  }
+  return { pathParams, query, body };
+}
+function pageItems(data) {
+  if (Array.isArray(data)) return data;
+  if (data && typeof data === "object") {
+    for (const key of ["data", "items", "results", "agreements", "templates", "recipients"]) {
+      const value = data[key];
+      if (Array.isArray(value)) return value;
+    }
+  }
+  return void 0;
+}
+var MAX_PAGES = 50;
+async function dispatch(entry, flags, ctx, deps = defaultDispatchDeps) {
+  const token = await deps.resolveToken({
+    explicitToken: ctx.explicitToken,
+    profile: ctx.profile,
+    authBaseUrl: ctx.authBaseUrl,
+    clientId: ctx.clientId,
+    clientSecret: ctx.clientSecret,
+    env: ctx.env
+  });
+  const reqCtx = makeRequestContext(ctx, token);
+  const req = buildRequest(entry, flags, deps);
+  const canPaginate = entry.queryParams.some((p) => p.name === "page");
+  if (flags.all && canPaginate && entry.produces === "json") {
+    const collected = [];
+    for (let page = 1; page <= MAX_PAGES; page++) {
+      const res2 = await deps.call(entry, { ...req, query: { ...req.query, page } }, reqCtx);
+      const items = pageItems(res2.data);
+      if (!items || items.length === 0) break;
+      collected.push(...items);
+      const limit = Number(req.query?.limit ?? items.length);
+      if (items.length < limit) break;
+    }
+    printResult(collected, { output: ctx.output, query: ctx.query }, deps.stdout);
+    return;
+  }
+  const res = await deps.call(entry, req, reqCtx);
+  if (entry.produces === "binary") {
+    const bytes = res.bytes ?? Buffer.alloc(0);
+    if (typeof flags.outputFile === "string") {
+      deps.writeFile(flags.outputFile, bytes);
+      deps.stdout.write(`Saved ${bytes.length} bytes to ${flags.outputFile}
+`);
+    } else {
+      deps.stdout.write(bytes);
+    }
+    return;
+  }
+  printResult(res.data, { output: ctx.output, query: ctx.query }, deps.stdout);
+}
+
+// src/runtime/program.ts
+var defaultProgramDeps = {
+  buildContext: (globals) => buildContext(globals),
+  dispatch,
+  auth: {
+    loginWithToken,
+    loginClientCredentials,
+    loginPkce,
+    logout,
+    authStatus
+  },
+  configure: {
+    configureSet,
+    configureGet,
+    configureListProfiles,
+    runConfigureWizard
+  }
+};
+function addGlobalOptions(cmd) {
+  return cmd.option("--profile <name>", "Config profile to use").option("--output <format>", "Output format: json|table|yaml|text").option("--query <jmespath>", "JMESPath filter expression (like AWS --query)").option("--base-url <url>", "Override the API base URL").option("--auth-base-url <url>", "Override the auth base URL").option("--client-id <id>", "Client-credentials (M2M) client id").option("--token <token>", "Bearer token (overrides stored credentials)").option("--no-color", "Disable colored output").option("--quiet", "Suppress spinners and non-essential output").option("--debug", "Print request/response debug info");
+}
+function renderEnvHelp() {
+  const rows = [
+    { name: ENV.token, desc: "Bearer token (overrides stored credentials)" },
+    { name: ENV.profile, desc: "Active profile", flag: "--profile" },
+    { name: ENV.apiBaseUrl, desc: "API base URL", flag: "--base-url" },
+    { name: ENV.authBaseUrl, desc: "Auth base URL", flag: "--auth-base-url" },
+    { name: ENV.clientId, desc: "Client-credentials (M2M) client id", flag: "--client-id" },
+    { name: ENV.clientSecret, desc: "Client-credentials (M2M) client secret" },
+    { name: ENV.configDir, desc: "Config directory (default ~/.propper)" },
+    { name: "NO_COLOR", desc: "Disable colored output", flag: "--no-color" }
+  ];
+  const nameWidth = Math.max(...rows.map((r) => r.name.length));
+  const descWidth = Math.max(...rows.map((r) => r.desc.length));
+  const lines = rows.map((r) => {
+    const left = `  ${r.name.padEnd(nameWidth)}  ${r.desc.padEnd(descWidth)}`;
+    return r.flag ? `${left}  (${r.flag})` : left.trimEnd();
+  });
+  return [
+    "Environment variables:",
+    ...lines,
+    "",
+    "Precedence: command flags > environment variables > profile config > built-in defaults."
+  ].join("\n");
+}
+function showHelpWhenEmpty(cmd) {
+  return cmd.action(() => cmd.help());
+}
+function addApiCommand(topicCmd, entry, deps) {
+  const cmd = topicCmd.command(entry.command);
+  if (entry.summary) cmd.description(entry.summary);
+  const added = /* @__PURE__ */ new Set();
+  const add = (flag, desc, required = false) => {
+    const key = flag.split(" ")[0] ?? flag;
+    if (added.has(key)) return;
+    added.add(key);
+    if (required) cmd.requiredOption(flag, desc);
+    else cmd.option(flag, desc);
+  };
+  for (const p of entry.pathParams) {
+    add(`${p.flag} <value>`, p.description ?? `path parameter '${p.name}'`, true);
+  }
+  for (const p of entry.queryParams) {
+    add(`${p.flag} <value>`, p.description ?? `query parameter '${p.name}'`);
+  }
+  for (const f of entry.bodyFields) {
+    const desc = `${f.description ?? `body field '${f.name}'`}${f.required ? " (required)" : ""}`;
+    add(f.type === "boolean" ? f.flag : `${f.flag} <value>`, desc);
+  }
+  if (entry.hasBody) {
+    add("--input-json <json|@file>", "Raw JSON body: a string, @file.json, or '-' for stdin");
+  }
+  if (entry.fileField) {
+    add("--file <path>", `Local file for the '${entry.fileField}' field (base64-encoded)`);
+  }
+  if (entry.produces === "binary") {
+    add("--output-file <path>", "Write the binary response to a file (else stdout)");
+  }
+  if (entry.queryParams.some((p) => p.name === "page")) {
+    add("--all", "Auto-paginate and return all pages");
+  }
+  addGlobalOptions(cmd);
+  cmd.action(async (_opts, c) => {
+    const ctx = deps.buildContext(c.optsWithGlobals());
+    await deps.dispatch(entry, c.opts(), ctx);
+  });
+}
+function registerApiTopics(program, manifest2, deps) {
+  const apiCmds = /* @__PURE__ */ new Map();
+  const topicCmds = /* @__PURE__ */ new Map();
+  for (const api of manifest2.apis) {
+    const title = api.title.replace(/\s*API$/i, "");
+    const apiCmd = program.command(api.name).description(`${title} API`);
+    showHelpWhenEmpty(apiCmd);
+    apiCmds.set(api.name, apiCmd);
+  }
+  for (const entry of manifest2.operations) {
+    const apiCmd = apiCmds.get(entry.api);
+    if (!apiCmd) continue;
+    const topicKey = `${entry.api}:${entry.topic}`;
+    let topicCmd = topicCmds.get(topicKey);
+    if (!topicCmd) {
+      topicCmd = apiCmd.command(entry.topic).description(`Manage ${entry.topic}`);
+      showHelpWhenEmpty(topicCmd);
+      topicCmds.set(topicKey, topicCmd);
+    }
+    addApiCommand(topicCmd, entry, deps);
+  }
+}
+function registerAuth(program, deps) {
+  const auth = program.command("auth").description("Authenticate with Propper");
+  showHelpWhenEmpty(auth);
+  const login = addGlobalOptions(auth.command("login")).description("Log in via browser (PKCE), --client-credentials, or --token").option("--client-credentials", "Use the OAuth client-credentials grant (CI)").option(
+    "--scope <scope>",
+    "Space-separated OAuth scopes to request (defaults to the full propper-cli set)"
+  ).action(async (_opts, c) => {
+    const ctx = deps.buildContext(c.optsWithGlobals());
+    const o = c.opts();
+    if (ctx.explicitToken) {
+      deps.auth.loginWithToken(ctx, ctx.explicitToken);
+    } else if (o.clientCredentials) {
+      if (!ctx.clientId || !ctx.clientSecret) {
+        throw new UsageError(
+          `Set a client id (--client-id / ${ENV.clientId} / \`propper configure\`) and ${ENV.clientSecret} to use --client-credentials.`
+        );
+      }
+      await deps.auth.loginClientCredentials(ctx, ctx.clientSecret, o.scope);
+    } else {
+      const { authorizeUrl } = await deps.auth.loginPkce(ctx, o.scope);
+      process.stderr.write(`Opening browser to authorize...
+  ${authorizeUrl}
+`);
+    }
+    process.stdout.write(`\u2713 Logged in to profile "${ctx.profile}".
+`);
+  });
+  void login;
+  addGlobalOptions(auth.command("logout")).description("Revoke and clear stored credentials").action(async (_opts, c) => {
+    const ctx = deps.buildContext(c.optsWithGlobals());
+    const ok = await deps.auth.logout(ctx);
+    process.stdout.write(ok ? `\u2713 Logged out of "${ctx.profile}".
+` : "Nothing to log out of.\n");
+  });
+  addGlobalOptions(auth.command("status")).alias("whoami").description("Show the current identity and token status").action(async (_opts, c) => {
+    const ctx = deps.buildContext(c.optsWithGlobals());
+    const status = await deps.auth.authStatus(ctx);
+    printResult(status, { output: ctx.output, query: ctx.query });
+  });
+}
+function registerConfigure(program, deps) {
+  const configure = addGlobalOptions(program.command("configure")).description(
+    "Configure profiles (base URLs, client id + secret, default output, token)"
+  );
+  addGlobalOptions(configure.command("set")).argument("<key>", "Config key").argument("<value>", "Value").description("Set a profile value").action((key, value, _o, c) => {
+    const ctx = deps.buildContext(c.optsWithGlobals());
+    deps.configure.configureSet(ctx.profile, key, value);
+    process.stdout.write(`\u2713 Set ${key} for profile "${ctx.profile}".
+`);
+  });
+  addGlobalOptions(configure.command("get")).argument("<key>", "Config key").description("Get a profile value").action((key, _o, c) => {
+    const ctx = deps.buildContext(c.optsWithGlobals());
+    const value = deps.configure.configureGet(ctx.profile, key);
+    process.stdout.write(`${value ?? ""}
+`);
+  });
+  addGlobalOptions(configure.command("list-profiles")).description("List configured profiles").action(() => {
+    printResult(deps.configure.configureListProfiles(), { output: "json" });
+  });
+  configure.action(async (_opts, c) => {
+    const ctx = deps.buildContext(c.optsWithGlobals());
+    await deps.configure.runConfigureWizard(ctx);
+  });
+}
+function registerCompletion(program, manifest2) {
+  program.command("completion").argument("<shell>", `shell to emit a completion script for (${SUPPORTED_SHELLS.join(" | ")})`).description("Output a shell completion script").action((shell) => {
+    if (!SUPPORTED_SHELLS.includes(shell)) {
+      throw new UsageError(
+        `Unsupported shell "${shell}". Use one of: ${SUPPORTED_SHELLS.join(", ")}`
+      );
+    }
+    process.stdout.write(completionScript(shell));
+  });
+  const complete = new Command("__complete").argument("[words...]", "tokens typed after `propper`").action((words = []) => {
+    for (const candidate of completeArgs(words, manifest2)) process.stdout.write(`${candidate}
+`);
+  });
+  program.addCommand(complete, { hidden: true });
+}
+function buildProgram(manifest2, deps = defaultProgramDeps) {
+  const program = new Command();
+  program.name("propper").description("Propper CLI \u2014 AWS-style, OpenAPI-generated interface for the Propper APIs").version(CLI_VERSION, "-V, --version").showHelpAfterError("(add --help for usage)");
+  addGlobalOptions(program);
+  program.addHelpText("after", `
+${renderEnvHelp()}`);
+  registerApiTopics(program, manifest2, deps);
+  registerAuth(program, deps);
+  registerConfigure(program, deps);
+  registerCompletion(program, manifest2);
+  return program;
+}
+
+// src/bin/propper.ts
+function exitCodeFor(err) {
+  if (err instanceof UsageError) return 2;
+  if (err instanceof AuthError) return 3;
+  if (err instanceof ApiError) return 4;
+  return 1;
+}
+async function main() {
+  const argv = process.argv;
+  const debug = argv.includes("--debug");
+  try {
+    const program = buildProgram(manifest);
+    program.exitOverride();
+    if (argv.slice(2).length === 0) {
+      program.outputHelp();
+      return;
+    }
+    await program.parseAsync(argv);
+  } catch (err) {
+    if (err instanceof CommanderError) {
+      process.exitCode = err.exitCode === 0 ? 0 : 2;
+      return;
+    }
+    const color = !argv.includes("--no-color") && !process.env.NO_COLOR;
+    printError(err, { debug, color });
+    process.exitCode = exitCodeFor(err);
+  }
+}
+void main();
+//# sourceMappingURL=propper.js.map