@pugi/cli 0.1.0-alpha.6 → 0.1.0-alpha.8

package/dist/runtime/cli.js

@@ -14,6 +14,7 @@ import { FileReadCache } from '../core/file-cache.js';
 import { resolveWorkspacePath } from '../core/path-security.js';
 import { globTool, grepTool, readTool } from '../tools/file-tools.js';
 import { toolRegistry, toolSchemaBundleHashInput } from '../tools/registry.js';
+import { webFetchTool } from '../tools/web-fetch.js';
 import { emptyIndex, rebuildIndex, readIndex, upsertArtifact, writeIndex, } from '../core/index-store.js';
 import { buildRuntimeConfig, loadRuntimeConfig, pollDeviceFlow, pugiHandoffBundleSchema, pugiSyncDryRunPlanSchema, pugiSyncPrivacyModeSchema, pugiSyncRequestSchema, pugiSyncUploadPlanSchema, pugiTripleReviewRequestSchema, startDeviceFlow, submitSync, submitTripleReview, } from '@pugi/sdk';
 import { PUGI_TAGLINE } from '@pugi/personas';
@@ -34,7 +35,7 @@ import { runBudgetCommand } from './commands/budget.js';
  * packages/pugi-sdk/package.json); the publish workflow validates the
  * three are in lockstep.
  */
-const PUGI_CLI_VERSION = '0.1.0-alpha.6';
+const PUGI_CLI_VERSION = '0.1.0-alpha.8';
 const handlers = {
     accounts,
     build: runEngineTask('build_task'),
@@ -59,6 +60,7 @@ const handlers = {
     sync,
     undo: dispatchUndo,
     version,
+    web: dispatchWeb,
     whoami,
 };
 async function dispatchConfig(args, flags, _session) {
@@ -87,6 +89,47 @@ async function dispatchBudget(args, flags, _session) {
         writeOutput: (payload, text) => writeOutput(flags, payload, text),
     });
 }
+/**
+ * `pugi web <url>` — Sprint α6.15 Phase 1 quick-win subcommand.
+ *
+ * One-shot fetch + Markdown convert + print to stdout. The REPL slash
+ * `/web <url>` goes through ReplSession; this surface is for non-REPL
+ * pipelines (CI, scripts, `pugi web ... | pbcopy`). Gated by either
+ * `--allow-fetch` on this invocation or `web.fetch.enabled` in
+ * `.pugi/settings.json`.
+ */
+async function dispatchWeb(args, flags, _session) {
+    const url = args[0];
+    if (!url) {
+        writeOutput(flags, { ok: false, error: 'Usage: pugi web <url> [--allow-fetch]' }, 'Usage: pugi web <url> [--allow-fetch]');
+        process.exitCode = 2;
+        return;
+    }
+    // Malformed `.pugi/settings.json` must not crash the dispatch — the
+    // fetch is gated default-off so we fail safe: refuse with a clear
+    // error and let the operator repair the file.
+    let settings;
+    try {
+        settings = loadSettings(process.cwd());
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        const result = {
+            ok: false,
+            error: `Failed to load .pugi/settings.json (${message}). web_fetch refused.`,
+        };
+        writeOutput(flags, result, `web_fetch refused: ${result.error}`);
+        process.exitCode = 1;
+        return;
+    }
+    const result = await webFetchTool({ url }, { settings, allowFetch: flags.allowFetch });
+    if (!result.ok) {
+        writeOutput(flags, result, `web_fetch refused: ${result.error}`);
+        process.exitCode = 1;
+        return;
+    }
+    writeOutput(flags, result, `# ${result.title}\n# ${result.url}\n# fetched ${result.fetched_at}\n\n${result.content_md}`);
+}
 export async function runCli(argv) {
     const { command, args, flags, isBareInvocation } = parseArgs(argv);
     // Bare `pugi` on a TTY enters the REPL-by-default agentic session
@@ -99,12 +142,33 @@ export async function runCli(argv) {
     if (isBareInvocation && isInteractive(flags)) {
         const runtimeConfig = resolveRuntimeConfig();
         if (runtimeConfig) {
+            // The REPL session reads PUGI_ALLOW_FETCH from env to decide
+            // whether to honor `/web <url>` without the settings flag.
+            // Propagating via env keeps the session module transport-free.
+            if (flags.allowFetch)
+                process.env.PUGI_ALLOW_FETCH = '1';
+            // α6.2: peek the npm registry for a newer @pugi/cli before
+            // mounting Ink. Wrapped in a try/catch belt-and-braces even
+            // though `checkForUpdate` already swallows every failure mode —
+            // a thrown bug here must never block REPL startup.
+            const { checkForUpdate } = await import('./update-check.js');
+            let updateBanner = null;
+            try {
+                updateBanner = await checkForUpdate({
+                    installed: PUGI_CLI_VERSION,
+                    cliSkip: flags.noUpdateCheck,
+                });
+            }
+            catch {
+                updateBanner = null;
+            }
             const { renderRepl } = await import('../tui/repl-render.js');
             await renderRepl({
                 apiUrl: runtimeConfig.apiUrl,
                 apiKey: runtimeConfig.apiKey,
                 workspaceLabel: workspaceLabel(process.cwd()),
                 cliVersion: PUGI_CLI_VERSION,
+                updateBanner,
             });
             return;
         }
@@ -138,6 +202,8 @@ function parseArgs(argv) {
         triple: false,
         offline: false,
         noTty: false,
+        allowFetch: false,
+        noUpdateCheck: false,
     };
     const args = [];
     // Sprint 2E: `pugi --version` / `-v` are universal install-test conventions
@@ -173,6 +239,12 @@ function parseArgs(argv) {
         else if (arg === '--no-tty') {
             flags.noTty = true;
         }
+        else if (arg === '--allow-fetch') {
+            flags.allowFetch = true;
+        }
+        else if (arg === '--no-update-check') {
+            flags.noUpdateCheck = true;
+        }
         else if (arg.startsWith('--privacy=')) {
             flags.privacy = parsePrivacyMode(arg.slice('--privacy='.length));
         }
@@ -229,6 +301,8 @@ async function help(_args, flags, _session) {
         'Interactivity:',
         '  --no-tty                Force the line-buffered output path (CI, pipes,',
         '                          recording flows, dumb terminals).',
+        '  --no-update-check       Silence the REPL startup update banner. Pairs',
+        '                          with PUGI_SKIP_UPDATE_BANNER=1.',
         '',
         PUGI_TAGLINE,
         'Execution defaults to local. Use --remote or --web to create a handoff bundle.',
@@ -2203,6 +2277,27 @@ async function performDeviceFlowLogin(apiUrl, flags, label) {
         return;
     }
     const start = startResult.response;
+    // Two render strategies share the same poll loop:
+    //   - TTY (Ink): auto-opens the browser, renders the Claude Code
+    //     parity device-flow screen, drives the spinner, transitions to
+    //     a clean success/failure frame, returns on Enter / Esc.
+    //   - non-TTY (stdout): the legacy line-buffered output kept
+    //     verbatim for `--json`, `--no-tty`, CI and piped contexts so
+    //     scripts that parse stdout are not broken.
+    if (isInteractive(flags) && !flags.json) {
+        await runDeviceFlowLoginInk(apiUrl, flags, label, start);
+        return;
+    }
+    await runDeviceFlowLoginStdout(apiUrl, flags, label, start);
+}
+/**
+ * Legacy stdout polling path. Kept verbatim from the pre-parity
+ * implementation so `--json`, `--no-tty`, CI scripts, and piped
+ * invocations see exactly the same output they did before. Anything
+ * a downstream tool parsed (the `Polling every Ns` line, the
+ * `Pugi logged in for ...` block, the JSON shape) is unchanged.
+ */
+async function runDeviceFlowLoginStdout(apiUrl, flags, label, start) {
     // Surface the user-visible parts to stderr so JSON consumers on
     // stdout are unaffected. The deviceCode itself is NEVER printed —
     // it is the secret poll handle.
@@ -2216,89 +2311,309 @@ async function performDeviceFlowLogin(apiUrl, flags, label) {
         `Polling every ${start.interval}s, expires in ${start.expires_in}s...`,
         '',
     ].join('\n'));
+    const outcome = await pollDeviceFlowUntilTerminal(apiUrl, start);
+    emitDeviceFlowTerminalToStdout(outcome, { apiUrl, flags, label });
+}
+/**
+ * TTY device-flow path — Claude Code parity. Auto-opens the browser,
+ * mounts the Ink device-flow component, drives status transitions as
+ * the poll loop advances, and resolves on Enter (success) or Esc
+ * (cancel). On non-TTY this entry point is never called.
+ */
+async function runDeviceFlowLoginInk(apiUrl, flags, label, start) {
+    const [{ autoOpenBrowser }, { writeClipboard }, { renderDeviceFlow, LoginCancelledError }] = await Promise.all([
+        import('../core/auto-open-browser.js'),
+        import('../core/clipboard.js'),
+        import('../tui/render.js'),
+    ]);
+    // Best-effort: spawn the user's default browser. We do not block on
+    // the browser process — auto-open resolves as soon as spawn returns
+    // (the child is detached and ref-released, so its long-lived browser
+    // handle does not keep this CLI alive). The device-flow loop is the
+    // source of truth for success; if auto-open fails, the Ink screen
+    // renders the copy-the-URL fallback and we keep polling.
+    const open = await autoOpenBrowser(start.verification_uri_complete ?? start.verification_uri);
+    const handle = renderDeviceFlow({
+        verificationUrl: start.verification_uri_complete ?? start.verification_uri,
+        userCode: start.user_code,
+        browserOpened: open.opened,
+        onCopy: () => {
+            // Fire-and-forget; the visual flash is owned by the component.
+            // Clipboard write failures are silent — the user already sees
+            // the URL on screen.
+            void writeClipboard(start.verification_uri_complete ?? start.verification_uri);
+        },
+    });
+    // Race the poll loop against the user's Esc keystroke. We DO NOT
+    // await `handle.done()` in parallel here: the loop pushes status
+    // updates via handle.setStatus, and on terminal status we await
+    // handle.done() (which resolves on Enter / rejects on Esc). On Esc
+    // BEFORE a terminal status, handle.done() rejects and we surface a
+    // cancel exit code without writing any credential.
+    // P3 polish (triple-review 2026-05-24): the old code mirrored the
+    // cancel state into a `cancelled` flag and then checked
+    // `winner.kind === 'cancel' || cancelled` — the second clause was
+    // already implied by the first, since the Promise.race winner is
+    // the only way the cancel branch is taken. Drop the flag.
+    const cancelWatch = handle.done().catch((error) => {
+        if (error instanceof LoginCancelledError)
+            return;
+        throw error;
+    });
+    // P1-1 (triple-review 2026-05-24): the poll loop must be abortable
+    // so an Esc cancel does not leave a background poll running until
+    // the device-flow deadline (up to 1 hour). The controller is wired
+    // into the loop's abortable `sleep()` so the loop returns within
+    // one event-loop tick of `abort()`.
+    const pollAbort = new AbortController();
+    const pollPromise = pollDeviceFlowUntilTerminal(apiUrl, start, pollAbort.signal);
+    // Whichever settles first wins. If the user pressed Esc before the
+    // server returned a terminal status, the cancel branch aborts the
+    // poll and short-circuits. Otherwise the poll outcome drives the
+    // final render frame.
+    const winner = await Promise.race([
+        pollPromise.then((outcome) => ({ kind: 'poll', outcome })),
+        cancelWatch.then(() => ({ kind: 'cancel' })),
+    ]);
+    if (winner.kind === 'cancel') {
+        // Tell the poll loop to stop. The signal short-circuits the inter-
+        // poll sleep and the in-flight HTTP call settles on its own; we
+        // swallow the resulting rejection so an aborted poll does not
+        // surface as an unhandled promise rejection.
+        pollAbort.abort();
+        await pollPromise.catch(() => undefined);
+        // The handle is already unmounted by the Esc path inside
+        // renderDeviceFlow's finish() helper. Surface the cancel state to
+        // the surrounding dispatcher exactly as the legacy stdout path
+        // would have done on a forced Ctrl+C.
+        writeOutput(flags, { status: 'cancelled' }, 'Login cancelled.');
+        process.exitCode = 130;
+        return;
+    }
+    const outcome = winner.outcome;
+    // Translate the terminal outcome into both a final Ink frame AND
+    // the same writeOutput payload the stdout path would have emitted —
+    // tests that pin JSON shape stay green regardless of TTY.
+    applyDeviceFlowOutcomeToInk(outcome, handle);
+    emitDeviceFlowTerminalToStdout(outcome, { apiUrl, flags, label });
+    // On success, the host now waits for the user's Enter keystroke
+    // before returning control to the caller (REPL / shell). Failure
+    // frames also wait — Esc dismisses them. Either way we await done()
+    // so the Ink screen stays on the user's terminal until they react.
+    await handle.done().catch((error) => {
+        if (error instanceof LoginCancelledError)
+            return;
+        throw error;
+    });
+}
+/**
+ * Sentinel thrown (P1-1, triple-review 2026-05-24) when the caller
+ * aborts the poll loop via the optional `AbortSignal`. The Ink host
+ * treats this as a silent cancel — the surrounding
+ * `runDeviceFlowLoginInk` already owns the cancel exit code via the
+ * keystroke race.
+ */
+class DeviceFlowPollAbortedError extends Error {
+    constructor() {
+        super('Device-flow poll aborted by caller');
+        this.name = 'DeviceFlowPollAbortedError';
+    }
+}
+async function pollDeviceFlowUntilTerminal(apiUrl, start, signal, deps = {}) {
+    const poll = deps.poll ?? pollDeviceFlow;
+    const sleepImpl = deps.sleepFn ?? sleep;
+    const now = deps.now ?? Date.now;
     // Hard local cap on the polling deadline so a hostile or buggy
     // runtime returning an absurdly large `expires_in` cannot trap
     // the CLI in a long-running poll. The SDK schema already caps
     // `expires_in` at 3600s, but enforce the floor here too — the
     // SDK contract is what we own, and a future broadening must
     // still respect this local maximum.
-    const PUGI_DEVICE_FLOW_DEADLINE_MAX_SEC = 60 * 60; // 1 hour
+    const PUGI_DEVICE_FLOW_DEADLINE_MAX_SEC = (deps.deadlineMaxMs ?? 60 * 60 * 1000) / 1000;
     const expiresInSec = Math.min(start.expires_in, PUGI_DEVICE_FLOW_DEADLINE_MAX_SEC);
-    const deadline = Date.now() + expiresInSec * 1000;
+    const deadline = now() + expiresInSec * 1000;
     const pollInterval = start.interval;
-    while (Date.now() < deadline) {
-        await sleep(pollInterval * 1000);
-        const pollResult = await pollDeviceFlow(apiUrl, start.device_code);
+    // P1-1 (triple-review 2026-05-24): cancellable interval. If the
+    // Ink host aborts (user pressed Esc), `sleep` resolves immediately
+    // and the loop throws DeviceFlowPollAbortedError so the caller can
+    // drain the rejection silently without waiting up to an hour.
+    while (now() < deadline) {
+        if (signal?.aborted)
+            throw new DeviceFlowPollAbortedError();
+        await sleepImpl(pollInterval * 1000, signal);
+        if (signal?.aborted)
+            throw new DeviceFlowPollAbortedError();
+        const pollResult = await poll(apiUrl, start.device_code);
+        if (signal?.aborted)
+            throw new DeviceFlowPollAbortedError();
         if (pollResult.status !== 'ok') {
             const failure = describeDeviceFlowFailure(pollResult, 'poll');
-            writeOutput(flags, {
-                status: failure.status,
+            return {
+                kind: 'failed',
+                failure,
                 code: 'code' in pollResult ? pollResult.code : undefined,
-                message: failure.message,
-            }, [failure.headline, failure.next ? `Next: ${failure.next}` : '']
-                .filter(Boolean)
-                .join('\n'));
-            process.exitCode = failure.exitCode;
-            return;
+            };
         }
         const outcome = pollResult.response;
         if (outcome.status === 'authorized') {
-            const record = storeApiKey({
-                apiUrl,
-                apiKey: outcome.access_token,
-                label: label ?? undefined,
-                source: 'device-flow',
-            });
-            // Defense-in-depth against the device-flow phishing class
-            // (P0, 2026-05-22 review): decode the JWT we just received
-            // and surface the principal identity to the user so they
-            // can confirm we landed in the expected tenant. Cabinet UI
-            // alone showing "you are about to grant access" is not
-            // enough — a phisher who tricked the victim into reading
-            // out a userCode would have approved on their own account
-            // and the JWT would silently authenticate the victim's CLI
-            // as the attacker. By showing the user/tenant on the CLI,
-            // the victim sees the mismatch before any sensitive
-            // operation runs.
-            const principal = decodeJwtPrincipal(outcome.access_token);
-            writeOutput(flags, {
-                status: 'logged_in',
-                apiUrl: record.apiUrl,
-                apiKeyMasked: maskApiKey(record.apiKey),
-                label: record.label ?? null,
-                createdAt: record.createdAt,
-                via: 'device-flow',
-                principal,
-            }, [
-                `Pugi logged in for ${record.apiUrl} via device flow`,
-                `Token: ${maskApiKey(record.apiKey)}${record.label ? ` (${record.label})` : ''}`,
-                principal
-                    ? `Authenticated as user=${principal.email ?? principal.sub} tenant=${principal.customerId ?? '(unknown)'}.`
-                    : 'Authenticated (JWT payload could not be decoded for principal display).',
-                'If this is NOT the user/tenant you expected, run `pugi logout` immediately and re-check the verification URL.',
-                'Stored at ~/.pugi/credentials.json (mode 0600). Run `pugi whoami` to verify.',
-            ].join('\n'));
-            return;
-        }
-        if (outcome.status === 'denied') {
-            writeOutput(flags, { status: 'denied' }, 'Pugi device flow denied. The cabinet user clicked Deny.');
-            process.exitCode = 5;
-            return;
-        }
-        if (outcome.status === 'expired' || outcome.status === 'redeemed') {
-            writeOutput(flags, { status: outcome.status }, outcome.status === 'expired'
-                ? 'Pugi device flow expired before approval. Run `pugi login` again.'
-                : 'Pugi device flow already redeemed by another CLI. Run `pugi login` to start a fresh flow.');
-            process.exitCode = 5;
-            return;
+            return { kind: 'authorized', accessToken: outcome.access_token };
         }
+        if (outcome.status === 'denied')
+            return { kind: 'denied' };
+        if (outcome.status === 'expired')
+            return { kind: 'expired' };
+        if (outcome.status === 'redeemed')
+            return { kind: 'redeemed' };
         // status === 'pending' — keep polling
     }
-    writeOutput(flags, { status: 'expired' }, 'Pugi device flow timed out locally. Run `pugi login` again.');
-    process.exitCode = 5;
+    // P1-2 (triple-review 2026-05-24): the loop hit the LOCAL deadline
+    // without the server returning a terminal status. The legacy stdout
+    // path distinguished this from server-side `expired` so operators
+    // could tell a local-cap timeout from an actual server expiry; we
+    // preserve that signal via this dedicated outcome kind.
+    return { kind: 'timed_out_local' };
+}
+/**
+ * Final writeOutput emission, identical shape to the pre-parity
+ * stdout path so JSON consumers, scripts, and CI snapshots are not
+ * affected by the TTY-vs-stdout branch.
+ */
+function emitDeviceFlowTerminalToStdout(outcome, ctx) {
+    if (outcome.kind === 'authorized') {
+        const record = storeApiKey({
+            apiUrl: ctx.apiUrl,
+            apiKey: outcome.accessToken,
+            label: ctx.label ?? undefined,
+            source: 'device-flow',
+        });
+        // Defense-in-depth against the device-flow phishing class
+        // (P0, 2026-05-22 review): decode the JWT we just received and
+        // surface the principal identity to the user so they can confirm
+        // we landed in the expected tenant.
+        const principal = decodeJwtPrincipal(outcome.accessToken);
+        writeOutput(ctx.flags, {
+            status: 'logged_in',
+            apiUrl: record.apiUrl,
+            apiKeyMasked: maskApiKey(record.apiKey),
+            label: record.label ?? null,
+            createdAt: record.createdAt,
+            via: 'device-flow',
+            principal,
+        }, [
+            `Pugi logged in for ${record.apiUrl} via device flow`,
+            `Token: ${maskApiKey(record.apiKey)}${record.label ? ` (${record.label})` : ''}`,
+            principal
+                ? `Authenticated as user=${principal.email ?? principal.sub} tenant=${principal.customerId ?? '(unknown)'}.`
+                : 'Authenticated (JWT payload could not be decoded for principal display).',
+            'If this is NOT the user/tenant you expected, run `pugi logout` immediately and re-check the verification URL.',
+            'Stored at ~/.pugi/credentials.json (mode 0600). Run `pugi whoami` to verify.',
+        ].join('\n'));
+        return;
+    }
+    if (outcome.kind === 'denied') {
+        writeOutput(ctx.flags, { status: 'denied' }, 'Pugi device flow denied. The cabinet user clicked Deny.');
+        process.exitCode = 5;
+        return;
+    }
+    if (outcome.kind === 'expired' || outcome.kind === 'redeemed') {
+        writeOutput(ctx.flags, { status: outcome.kind }, outcome.kind === 'expired'
+            ? 'Pugi device flow expired before approval. Run `pugi login` again.'
+            : 'Pugi device flow already redeemed by another CLI. Run `pugi login` to start a fresh flow.');
+        process.exitCode = 5;
+        return;
+    }
+    if (outcome.kind === 'timed_out_local') {
+        // P1-2 (triple-review 2026-05-24): the legacy stdout path
+        // surfaced local-cap timeouts under a dedicated message so
+        // operators could tell a 1-hour client cap apart from a server
+        // expiry. The JSON shape uses `status: 'timed_out_local'` so
+        // downstream scripts can branch on it; the human message stays
+        // close to the pre-parity wording.
+        writeOutput(ctx.flags, { status: 'timed_out_local' }, 'Pugi device flow timed out locally before the server returned a terminal status. Run `pugi login` again.');
+        process.exitCode = 5;
+        return;
+    }
+    // failed
+    writeOutput(ctx.flags, {
+        status: outcome.failure.status,
+        code: outcome.code,
+        message: outcome.failure.message,
+    }, [outcome.failure.headline, outcome.failure.next ? `Next: ${outcome.failure.next}` : '']
+        .filter(Boolean)
+        .join('\n'));
+    process.exitCode = outcome.failure.exitCode;
+}
+/**
+ * Drives the Ink screen toward the success / failure frame based on
+ * the terminal outcome. The principal label mirrors the stdout
+ * "Authenticated as user=… tenant=…" line so the on-screen identity
+ * the user confirms matches the verbose message the stdout path
+ * still emits.
+ */
+function applyDeviceFlowOutcomeToInk(outcome, handle) {
+    if (outcome.kind === 'authorized') {
+        const principal = decodeJwtPrincipal(outcome.accessToken);
+        const label = principal
+            ? `${principal.email ?? principal.sub ?? 'authenticated'}${principal.customerId ? ` (tenant: ${principal.customerId})` : ''}`
+            : 'authenticated';
+        handle.setStatus({ kind: 'success', principalLabel: label });
+        return;
+    }
+    if (outcome.kind === 'denied') {
+        handle.setStatus({
+            kind: 'failure',
+            reason: 'Login was denied in the browser.',
+            hint: 'Run `pugi login` again to retry.',
+        });
+        return;
+    }
+    if (outcome.kind === 'expired') {
+        handle.setStatus({
+            kind: 'failure',
+            reason: 'Login code expired before approval.',
+            hint: 'Run `pugi login` again to retry.',
+        });
+        return;
+    }
+    if (outcome.kind === 'timed_out_local') {
+        handle.setStatus({
+            kind: 'failure',
+            reason: 'Login timed out locally before the server returned a terminal status.',
+            hint: 'Run `pugi login` again to retry.',
+        });
+        return;
+    }
+    if (outcome.kind === 'redeemed') {
+        handle.setStatus({
+            kind: 'failure',
+            reason: 'Login code already redeemed by another CLI.',
+            hint: 'Run `pugi login` again to start a fresh flow.',
+        });
+        return;
+    }
+    handle.setStatus({
+        kind: 'failure',
+        reason: outcome.failure.headline,
+        hint: outcome.failure.next ?? undefined,
+    });
 }
-function sleep(ms) {
-    return new Promise((resolve) => setTimeout(resolve, ms));
+function sleep(ms, signal) {
+    return new Promise((resolve) => {
+        if (signal?.aborted) {
+            resolve();
+            return;
+        }
+        const timer = setTimeout(() => {
+            if (signal)
+                signal.removeEventListener('abort', onAbort);
+            resolve();
+        }, ms);
+        const onAbort = () => {
+            clearTimeout(timer);
+            resolve();
+        };
+        signal?.addEventListener('abort', onAbort, { once: true });
+    });
 }
 /**
  * Best-effort JWT payload decode for principal display ONLY. Does
@@ -3044,4 +3359,15 @@ function writeOutput(flags, payload, text) {
 export function packageRoot() {
     return dirname(dirname(fileURLToPath(import.meta.url)));
 }
+/**
+ * Test-only surface for the triple-review 2026-05-24 device-flow
+ * fixes (P1-1 abort + P1-2 local-timeout distinction). Kept under an
+ * explicit `__test__` namespace so consumers do not accidentally
+ * import internals; the module's runtime contract is still the
+ * `runCli` entry point above.
+ */
+export const __test__ = {
+    sleep,
+    pollDeviceFlowUntilTerminal,
+};
 //# sourceMappingURL=cli.js.map