@quantiya/codevibe-claude-plugin 1.0.37 → 1.0.38

package/node_modules/@quantiya/codevibe-core/dist/index.js

@@ -1,9 +1,9 @@
-"use strict";var Nn=Object.create;var Ve=Object.defineProperty;var Wn=Object.getOwnPropertyDescriptor;var Ln=Object.getOwnPropertyNames;var zn=Object.getPrototypeOf,Bn=Object.prototype.hasOwnProperty;var h=(t,e)=>()=>(t&&(e=t(t=0)),e);var $e=(t,e)=>{for(var r in e)Ve(t,r,{get:e[r],enumerable:!0})},sr=(t,e,r,n)=>{if(e&&typeof e=="object"||typeof e=="function")for(let i of Ln(e))!Bn.call(t,i)&&i!==r&&Ve(t,i,{get:()=>e[i],enumerable:!(n=Wn(e,i))||n.enumerable});return t};var k=(t,e,r)=>(r=t!=null?Nn(zn(t)):{},sr(e||!t||!t.__esModule?Ve(r,"default",{value:t,enumerable:!0}):r,t)),or=t=>sr(Ve({},"__esModule",{value:!0}),t);function Mn(t,e){if(e instanceof Error){let r={name:e.name,message:e.message};e.stack&&(r.stack=e.stack);for(let n of Object.keys(e))n in r||(r[n]=e[n]);return r}return e}function St(t){return new ie(t)}var ge,He,cr,ar,ie,c,dr=h(()=>{"use strict";ge=k(require("fs")),He=k(require("path")),cr=k(require("os")),ar={debug:0,info:1,warn:2,error:3};ie=class{constructor(e){this.name=e.name,this.logFile=e.logFile,this.level=e.level||"info",this.enableConsole=e.console??!1,this.logFile&&this.ensureLogDir()}ensureLogDir(){if(this.logFile){let e=He.dirname(this.logFile);ge.existsSync(e)||ge.mkdirSync(e,{recursive:!0})}}shouldLog(e){return ar[e]>=ar[this.level]}formatMessage(e,r,n){let i=new Date().toISOString(),s=e.toUpperCase().padEnd(5),o=`[${i}] [${s}] [${this.name}] ${r}`;return n!==void 0&&(n instanceof Error?(o+=` ${n.name}: ${n.message}`,n.stack&&(o+=`
-${n.stack}`)):typeof n=="object"?o+=` ${JSON.stringify(n,Mn)}`:o+=` ${n}`),o}log(e,r,n){if(!this.shouldLog(e))return;let i=this.formatMessage(e,r,n);if(this.logFile)try{ge.appendFileSync(this.logFile,i+`
-`)}catch{}if(this.enableConsole)switch(e){case"error":console.error(i);break;case"warn":console.warn(i);break;default:console.log(i)}}debug(e,r){this.log("debug",e,r)}info(e,r){this.log("info",e,r)}warn(e,r){this.log("warn",e,r)}error(e,r){this.log("error",e,r)}setLevel(e){this.level=e}};c=new ie({name:"codevibe-core",logFile:He.join(cr.tmpdir(),"codevibe-core.log"),level:"info"})});var J=h(()=>{"use strict";dr()});function Fn(t){for(let e of t)try{process.stderr.write(e+`
-`)}catch{}}function Vn(){kt=Et.join(lr.homedir(),".codevibe");try{Y.mkdirSync(kt,{recursive:!0,mode:448})}catch{}se="file"}function Hn(){if(se!==null||bt!==null)return;let optedIn=process.env.CODEVIBE_ALLOW_FILE_KEYCHAIN==="1";if(optedIn){Fn(["","\u26A0 CodeVibe: file-based credential storage selected (CODEVIBE_ALLOW_FILE_KEYCHAIN=1).","\u26A0   Location: ~/.codevibe/ (directory 0700, files 0600)","\u26A0   Trust level: equivalent to ~/.ssh/id_rsa \u2014 weaker than OS keyring.","\u26A0 To use the OS keyring instead, unset CODEVIBE_ALLOW_FILE_KEYCHAIN and","\u26A0 install libsecret-1-0 + a running keyring daemon (Linux) or use the","\u26A0 native Keychain (macOS) / Credential Manager (Windows).",""]),c.warn("[keychain-backend] Using file-based storage at ~/.codevibe (CODEVIBE_ALLOW_FILE_KEYCHAIN=1 explicit opt-in)"),Vn();return}let keytarLoadError=null;try{let nodeRequire=eval("require");B=nodeRequire("keytar")}catch(t){keytarLoadError=t instanceof Error?t.message:String(t),B=null}if(B){se="keytar",c.info("[keychain-backend] Using keytar (OS-native keyring)");return}bt=new je(["CodeVibe could not load the OS-native keyring (keytar).",`Reason: ${keytarLoadError??"unknown"}`,"","Options to fix this:","  1. (Linux) Install libsecret and a keyring daemon:","       sudo apt install libsecret-1-0 gnome-keyring","     Then unlock the keyring for your user session.","","  2. (Headless / CI / Docker) Opt in to file-based credential","     storage at ~/.codevibe/ (0600 files). This is equivalent","     in trust to ~/.ssh/id_rsa \u2014 not the OS keyring:","       export CODEVIBE_ALLOW_FILE_KEYCHAIN=1"].join(`
-`))}function jn(t){return t.replace(/[^a-zA-Z0-9._-]/g,"_")}function ur(t){return Et.join(kt,`${jn(t)}.json`)}function At(t){try{let e=Y.readFileSync(ur(t),"utf-8"),r=JSON.parse(e);return r&&typeof r=="object"?r:{}}catch{return{}}}function pr(t,e){let r=ur(t);Y.writeFileSync(r,JSON.stringify(e,null,2),{mode:384});try{Y.chmodSync(r,384)}catch{}}function Rt(){if(Hn(),se===null)throw bt??new je("Keychain backend not initialized")}async function _t(t,e){return Rt(),se==="keytar"&&B?B.getPassword(t,e):At(t)[e]??null}async function It(t,e,r){if(Rt(),se==="keytar"&&B){await B.setPassword(t,e,r);return}let n=At(t);n[e]=r,pr(t,n)}async function xt(t,e){if(Rt(),se==="keytar"&&B)return B.deletePassword(t,e);let r=At(t);return e in r?(delete r[e],pr(t,r),!0):!1}var lr,Et,Y,je,se,B,kt,bt,gr=h(()=>{"use strict";lr=k(require("os")),Et=k(require("path")),Y=k(require("fs"));J();je=class extends Error{constructor(e){super(e),this.name="KeychainBackendUnavailableError"}},se=null,B=null,kt="",bt=null});var W,oe,Tt,Gn,me,K,mr=h(()=>{"use strict";W=k(require("crypto")),oe=class extends Error{constructor(e){super(e),this.name="CryptoError"}},Tt=1,Gn="CodeVibe E2E v1",me=class t{constructor(){}static getInstance(){return t.instance||(t.instance=new t),t.instance}generateKeyPair(){let e=W.createECDH("prime256v1");e.generateKeys();let n=e.getPublicKey().subarray(1).toString("base64");return{privateKey:e.getPrivateKey().toString("base64"),publicKey:n}}generateSessionKey(){return W.randomBytes(32).toString("base64")}deriveSharedKey(e,r){try{let n=W.createECDH("prime256v1"),i=Buffer.from(e,"base64");n.setPrivateKey(i);let s=Buffer.concat([Buffer.from([4]),Buffer.from(r,"base64")]),o=n.computeSecret(s),a=W.hkdfSync("sha256",o,Buffer.alloc(0),Buffer.from(Gn,"utf8"),32);return Buffer.from(a)}catch(n){throw new oe(`Failed to derive shared key: ${n}`)}}encryptSessionKey(e,r){let n=this.generateKeyPair(),i=this.deriveSharedKey(n.privateKey,r),s=Buffer.from(e,"base64");return{encryptedKey:this.encrypt(s,i).toString("base64"),ephemeralPublicKey:n.publicKey}}decryptSessionKey(e,r){let n=this.deriveSharedKey(r,e.ephemeralPublicKey),i=Buffer.from(e.encryptedKey,"base64");return this.decrypt(i,n).toString("base64")}encryptContent(e,r){let n=Buffer.from(r,"base64"),i=Buffer.from(e,"utf8");return this.encrypt(i,n).toString("base64")}decryptContent(e,r){let n=Buffer.from(r,"base64"),i=Buffer.from(e,"base64");return this.decrypt(i,n).toString("utf8")}encryptMetadata(e,r){let n=JSON.stringify(e);return this.encryptContent(n,r)}decryptMetadata(e,r){let n=this.decryptContent(e,r);return JSON.parse(n)}encryptData(e,r){let n=Buffer.from(r,"base64");return this.encrypt(e,n)}decryptData(e,r){let n=Buffer.from(r,"base64");return this.decrypt(e,n)}encrypt(e,r){let n=W.randomBytes(12),i=W.createCipheriv("aes-256-gcm",r,n),s=Buffer.concat([i.update(e),i.final()]),o=i.getAuthTag();return Buffer.concat([n,s,o])}decrypt(e,r){let n=e.subarray(0,12),i=e.subarray(e.length-16),s=e.subarray(12,e.length-16),o=W.createDecipheriv("aes-256-gcm",r,n);o.setAuthTag(i);try{return Buffer.concat([o.update(s),o.final()])}catch{throw new oe("Decryption failed: Invalid ciphertext or authentication tag")}}serializePrivateKey(e){return e}deserializePrivateKey(e){return e}},K=me.getInstance()});var Pe=h(()=>{"use strict";mr()});function U(){let t=process.env.ENVIRONMENT;return t==="development"||t==="production"?t:"production"}function Ge(t){let e=t||U();return qe={...ae[e],aws:{...ae[e].aws,region:process.env.AWS_REGION||ae[e].aws.region,appsyncUrl:process.env.APPSYNC_URL||ae[e].aws.appsyncUrl,cognitoUserPoolId:process.env.COGNITO_USER_POOL_ID||ae[e].aws.cognitoUserPoolId,cognitoClientId:process.env.COGNITO_CLIENT_ID||ae[e].aws.cognitoClientId,cognitoDomain:process.env.COGNITO_DOMAIN||ae[e].aws.cognitoDomain}},fr=!0,qe}function I(){return(!fr||!qe)&&Ge(),qe}var Oe,Ke,ae,qe,fr,yr=h(()=>{"use strict";Oe=k(require("os")),Ke=k(require("path")),ae={development:{environment:"development",aws:{region:"us-east-1",appsyncUrl:"https://api-dev.codevibe.quantiya.ai/graphql",cognitoUserPoolId:"us-east-1_yVwWDPvvJ",cognitoClientId:"e9r5apv6v5uui3l928r2ris0r",cognitoDomain:"codevibe-development.auth.us-east-1.amazoncognito.com"},keychain:{serviceName:"ai.quantiya.app.codevibe"},server:{port:3456,host:"127.0.0.1",dynamicPort:!0},claude:{command:"claude",defaultTimeout:6e4},codex:{command:"codex",defaultTimeout:6e4,sessionsDir:Ke.default.join(Oe.default.homedir(),".codex","sessions"),approvalTimeoutMs:5e3},gemini:{command:"gemini",defaultTimeout:6e4,transcriptDir:Ke.default.join(Oe.default.homedir(),".gemini","tmp")}},production:{environment:"production",aws:{region:"us-east-1",appsyncUrl:"https://api.codevibe.quantiya.ai/graphql",cognitoUserPoolId:"us-east-1_mNRO0j5og",cognitoClientId:"5p04dbc9ojptc5r8n7605fg78f",cognitoDomain:"codevibe-production.auth.us-east-1.amazoncognito.com"},keychain:{serviceName:"ai.quantiya.app.codevibe"},server:{port:3456,host:"127.0.0.1",dynamicPort:!0},claude:{command:"claude",defaultTimeout:6e4},codex:{command:"codex",defaultTimeout:6e4,sessionsDir:Ke.default.join(Oe.default.homedir(),".codex","sessions"),approvalTimeoutMs:5e3},gemini:{command:"gemini",defaultTimeout:6e4,transcriptDir:Ke.default.join(Oe.default.homedir(),".gemini","tmp")}}},qe=null,fr=!1});var fe=h(()=>{"use strict";yr()});var Je,hr,M,Ct,Jn,ce,v,vr=h(()=>{"use strict";Je=k(require("os")),hr=require("uuid");gr();Pe();fe();J();M=class extends Error{constructor(e){super(e),this.name="KeychainError"}},Ct="device-identity",Jn="tokens-",ce=class t{constructor(){this.deviceIdentity=null;this.sessionKeyCache=new Map;this.isRegistered=!1;this._serviceName=null}get serviceName(){return this._serviceName||(this._serviceName=I().keychain.serviceName),this._serviceName}static getInstance(){return t.instance||(t.instance=new t),t.instance}async getDeviceIdentity(){if(this.deviceIdentity)return this.deviceIdentity;let e=await _t(this.serviceName,Ct);return e?(this.deviceIdentity=JSON.parse(e),c.info(`[KeychainManager] Loaded device identity: ${this.deviceIdentity.deviceId}`),this.deviceIdentity):null}async setDeviceIdentity(e){try{await It(this.serviceName,Ct,JSON.stringify(e)),this.deviceIdentity=e,c.info(`[KeychainManager] Saved device identity: ${e.deviceId}`)}catch(r){throw c.error(`[KeychainManager] Failed to save device identity: ${r}`),new M(`Failed to save device identity: ${r}`)}}async getOrCreateDeviceIdentity(){let e=await this.getDeviceIdentity();if(e)return e;let r=K.generateKeyPair();return e={deviceId:(0,hr.v4)().toUpperCase(),privateKey:r.privateKey,publicKey:r.publicKey,createdAt:new Date().toISOString()},await this.setDeviceIdentity(e),c.info(`[KeychainManager] Generated new device identity: ${e.deviceId}`),e}async getDeviceId(){return(await this.getOrCreateDeviceIdentity()).deviceId}async getDevicePublicKey(){return(await this.getOrCreateDeviceIdentity()).publicKey}async getDevicePrivateKey(){return(await this.getOrCreateDeviceIdentity()).privateKey}async hasDeviceIdentity(){return await this.getDeviceIdentity()!==null}async deleteDeviceIdentity(){try{await xt(this.serviceName,Ct),this.deviceIdentity=null,this.sessionKeyCache.clear(),this.isRegistered=!1,c.info("[KeychainManager] Deleted device identity")}catch(e){throw c.error(`[KeychainManager] Failed to delete device identity: ${e}`),new M(`Failed to delete device identity: ${e}`)}}getTokenAccount(e){return`${Jn}${e}`}async getTokens(e="production"){let r=await _t(this.serviceName,this.getTokenAccount(e));if(!r)return null;let n=JSON.parse(r);return c.debug(`[KeychainManager] Loaded tokens for ${e}`),n}async setTokens(e,r="production"){try{await It(this.serviceName,this.getTokenAccount(r),JSON.stringify(e)),c.info(`[KeychainManager] Saved tokens for ${r}`,{userId:e.userId,email:e.email})}catch(n){throw c.error(`[KeychainManager] Failed to save tokens: ${n}`),new M(`Failed to save tokens: ${n}`)}}async deleteTokens(e="production"){try{let r=await xt(this.serviceName,this.getTokenAccount(e));return r&&c.info(`[KeychainManager] Deleted tokens for ${e}`),r}catch(r){return c.error(`[KeychainManager] Failed to delete tokens: ${r}`),!1}}isTokenExpired(e){return Date.now()>=e.expiresAt-3e5}async getSessionKey(e,r){let n=this.sessionKeyCache.get(e);if(n)return n;if(!r||r.length===0)return null;let i=await this.getDeviceId(),s=r.find(d=>d.deviceId===i);if(!s)return c.warn(`[KeychainManager] Device ${i} not found in encryptedKeys`),null;let o=await this.getDevicePrivateKey(),a=K.decryptSessionKey(s,o);return this.sessionKeyCache.set(e,a),c.info(`[KeychainManager] Decrypted and cached session key for ${e}`),a}createSessionKey(e){let r=K.generateSessionKey(),n=e.map(i=>{let s=K.encryptSessionKey(r,i.publicKey);return{deviceId:i.deviceId,encryptedKey:s.encryptedKey,ephemeralPublicKey:s.ephemeralPublicKey}});return c.info(`[KeychainManager] Created session key for ${e.length} devices`),{sessionKey:r,encryptedKeys:n}}cacheSessionKey(e,r){this.sessionKeyCache.set(e,r)}getCachedSessionKey(e){return this.sessionKeyCache.get(e)??null}getCachedSessionIds(){return Array.from(this.sessionKeyCache.keys())}clearSessionKey(e){this.sessionKeyCache.delete(e)}clearAllSessionKeys(){this.sessionKeyCache.clear()}getIsRegistered(){return this.isRegistered}setIsRegistered(e){this.isRegistered=e}getDeviceName(){return Je.hostname()||"CLI Client"}getDevicePlatform(){let e=Je.platform();return e==="darwin"?"MACOS":e==="linux"?"LINUX":e==="win32"?"WINDOWS":"CLI"}async clearAllData(){await this.deleteDeviceIdentity(),await this.deleteTokens("development"),await this.deleteTokens("production"),this.sessionKeyCache.clear(),this.isRegistered=!1,c.info("[KeychainManager] Cleared all data")}},v=ce.getInstance()});var wr={};$e(wr,{KeychainError:()=>M,KeychainManager:()=>ce,keychainManager:()=>v});var X=h(()=>{"use strict";vr()});function Yn(){if(process.platform!=="linux")return!1;try{let t=kr.readFileSync("/proc/sys/kernel/osrelease","utf8");return/microsoft|wsl/i.test(t)}catch{return!1}}async function ye(t,e,r){try{return await fetch(t,e)}catch(n){let i=n?.cause?.code,s=n?.cause?.message,o=i||s||n?.message||"unknown",a=Xn(i),d=r?`${r}: `:"",l=`Node ${process.version} on ${process.platform}`,p=[`${d}Cannot reach ${t}`,`  Underlying error: ${o}`];a&&p.push(`  Suggested fix: ${a}`),p.push(`  Platform: ${l}`);let u=new Error(p.join(`
-`));throw u.cause=n,u}}function Xn(t){if(!t)return null;switch(t){case"ENOTFOUND":case"EAI_AGAIN":return'DNS resolution failed. On WSL Ubuntu, check /etc/resolv.conf, or try running with NODE_OPTIONS="--dns-result-order=ipv4first".';case"ETIMEDOUT":case"ECONNREFUSED":case"ECONNRESET":case"EHOSTUNREACH":case"ENETUNREACH":return`Network unreachable. On WSL Ubuntu, try NODE_OPTIONS="--dns-result-order=ipv4first" (WSL's IPv6 is often broken). If behind a corporate proxy, set HTTPS_PROXY.`;case"CERT_HAS_EXPIRED":case"CERT_NOT_YET_VALID":return"TLS certificate time error \u2014 likely system clock drift. On WSL, run `sudo hwclock -s`, or shut down WSL from PowerShell with `wsl --shutdown` and restart.";case"UNABLE_TO_GET_ISSUER_CERT_LOCALLY":case"SELF_SIGNED_CERT_IN_CHAIN":case"UNABLE_TO_VERIFY_LEAF_SIGNATURE":case"DEPTH_ZERO_SELF_SIGNED_CERT":return"Corporate HTTPS proxy detected \u2014 the TLS cert is not trusted by Node. Set NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.pem, or configure HTTPS_PROXY if a proxy is required.";default:return null}}var Sr,kr,Dt=h(()=>{"use strict";Sr=k(require("dns")),kr=k(require("fs"));if(Yn())try{Sr.setDefaultResultOrder("ipv4first")}catch{}});var F,P,Q,$t=h(()=>{"use strict";F={getSession:`
+"use strict";var It=Object.create;var ce=Object.defineProperty;var At=Object.getOwnPropertyDescriptor;var Tt=Object.getOwnPropertyNames;var Ct=Object.getPrototypeOf,Dt=Object.prototype.hasOwnProperty;var D=(n,e)=>()=>(n&&(e=n(n=0)),e);var Me=(n,e)=>{for(var t in e)ce(n,t,{get:e[t],enumerable:!0})},Be=(n,e,t,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let i of Tt(e))!Dt.call(n,i)&&i!==t&&ce(n,i,{get:()=>e[i],enumerable:!(r=At(e,i))||r.enumerable});return n};var v=(n,e,t)=>(t=n!=null?It(Ct(n)):{},Be(e||!n||!n.__esModule?ce(t,"default",{value:n,enumerable:!0}):t,n)),xt=n=>Be(ce({},"__esModule",{value:!0}),n);function _t(n,e){if(e instanceof Error){let t={name:e.name,message:e.message};e.stack&&(t.stack=e.stack);for(let r of Object.keys(e))r in t||(t[r]=e[r]);return t}return e}function ve(n){return new W(n)}var G,de,qe,Fe,W,c,He=D(()=>{"use strict";G=v(require("fs")),de=v(require("path")),qe=v(require("os")),Fe={debug:0,info:1,warn:2,error:3};W=class{constructor(e){this.name=e.name,this.logFile=e.logFile,this.level=e.level||"info",this.enableConsole=e.console??!1,this.logFile&&this.ensureLogDir()}ensureLogDir(){if(this.logFile){let e=de.dirname(this.logFile);G.existsSync(e)||G.mkdirSync(e,{recursive:!0})}}shouldLog(e){return Fe[e]>=Fe[this.level]}formatMessage(e,t,r){let i=new Date().toISOString(),s=e.toUpperCase().padEnd(5),o=`[${i}] [${s}] [${this.name}] ${t}`;return r!==void 0&&(r instanceof Error?(o+=` ${r.name}: ${r.message}`,r.stack&&(o+=`
+${r.stack}`)):typeof r=="object"?o+=` ${JSON.stringify(r,_t)}`:o+=` ${r}`),o}log(e,t,r){if(!this.shouldLog(e))return;let i=this.formatMessage(e,t,r);if(this.logFile)try{G.appendFileSync(this.logFile,i+`
+`)}catch{}if(this.enableConsole)switch(e){case"error":console.error(i);break;case"warn":console.warn(i);break;default:console.log(i)}}debug(e,t){this.log("debug",e,t)}info(e,t){this.log("info",e,t)}warn(e,t){this.log("warn",e,t)}error(e,t){this.log("error",e,t)}setLevel(e){this.level=e}};c=new W({name:"codevibe-core",logFile:de.join(qe.tmpdir(),"codevibe-core.log"),level:"info"})});var M=D(()=>{"use strict";He()});function Kt(n){for(let e of n)try{process.stderr.write(e+`
+`)}catch{}}function Rt(){Se=ke.join(Ve.homedir(),".codevibe");try{N.mkdirSync(Se,{recursive:!0,mode:448})}catch{}B="file"}function Pt(){if(B!==null||we!==null)return;let optedIn=process.env.CODEVIBE_ALLOW_FILE_KEYCHAIN==="1";if(optedIn){Kt(["","\u26A0 CodeVibe: file-based credential storage selected (CODEVIBE_ALLOW_FILE_KEYCHAIN=1).","\u26A0   Location: ~/.codevibe/ (directory 0700, files 0600)","\u26A0   Trust level: equivalent to ~/.ssh/id_rsa \u2014 weaker than OS keyring.","\u26A0 To use the OS keyring instead, unset CODEVIBE_ALLOW_FILE_KEYCHAIN and","\u26A0 install libsecret-1-0 + a running keyring daemon (Linux) or use the","\u26A0 native Keychain (macOS) / Credential Manager (Windows).",""]),c.warn("[keychain-backend] Using file-based storage at ~/.codevibe (CODEVIBE_ALLOW_FILE_KEYCHAIN=1 explicit opt-in)"),Rt();return}let keytarLoadError=null;try{let nodeRequire=eval("require");x=nodeRequire("keytar")}catch(n){keytarLoadError=n instanceof Error?n.message:String(n),x=null}if(x){B="keytar",c.info("[keychain-backend] Using keytar (OS-native keyring)");return}we=new le(["CodeVibe could not load the OS-native keyring (keytar).",`Reason: ${keytarLoadError??"unknown"}`,"","Options to fix this:","  1. (Linux) Install libsecret and a keyring daemon:","       sudo apt install libsecret-1-0 gnome-keyring","     Then unlock the keyring for your user session.","","  2. (Headless / CI / Docker) Opt in to file-based credential","     storage at ~/.codevibe/ (0600 files). This is equivalent","     in trust to ~/.ssh/id_rsa \u2014 not the OS keyring:","       export CODEVIBE_ALLOW_FILE_KEYCHAIN=1"].join(`
+`))}function Ot(n){return n.replace(/[^a-zA-Z0-9._-]/g,"_")}function Je(n){return ke.join(Se,`${Ot(n)}.json`)}function be(n){try{let e=N.readFileSync(Je(n),"utf-8"),t=JSON.parse(e);return t&&typeof t=="object"?t:{}}catch{return{}}}function je(n,e){let t=Je(n);N.writeFileSync(t,JSON.stringify(e,null,2),{mode:384});try{N.chmodSync(t,384)}catch{}}function Ee(){if(Pt(),B===null)throw we??new le("Keychain backend not initialized")}async function Ie(n,e){return Ee(),B==="keytar"&&x?x.getPassword(n,e):be(n)[e]??null}async function Ae(n,e,t){if(Ee(),B==="keytar"&&x){await x.setPassword(n,e,t);return}let r=be(n);r[e]=t,je(n,r)}async function Te(n,e){if(Ee(),B==="keytar"&&x)return x.deletePassword(n,e);let t=be(n);return e in t?(delete t[e],je(n,t),!0):!1}var Ve,ke,N,le,B,x,Se,we,Ge=D(()=>{"use strict";Ve=v(require("os")),ke=v(require("path")),N=v(require("fs"));M();le=class extends Error{constructor(e){super(e),this.name="KeychainBackendUnavailableError"}},B=null,x=null,Se="",we=null});var T,_,Ce,Ut,z,E,ze=D(()=>{"use strict";T=v(require("crypto")),_=class extends Error{constructor(e){super(e),this.name="CryptoError"}},Ce=1,Ut="CodeVibe E2E v1",z=class n{constructor(){}static getInstance(){return n.instance||(n.instance=new n),n.instance}generateKeyPair(){let e=T.createECDH("prime256v1");e.generateKeys();let r=e.getPublicKey().subarray(1).toString("base64");return{privateKey:e.getPrivateKey().toString("base64"),publicKey:r}}generateSessionKey(){return T.randomBytes(32).toString("base64")}deriveSharedKey(e,t){try{let r=T.createECDH("prime256v1"),i=Buffer.from(e,"base64");r.setPrivateKey(i);let s=Buffer.concat([Buffer.from([4]),Buffer.from(t,"base64")]),o=r.computeSecret(s),a=T.hkdfSync("sha256",o,Buffer.alloc(0),Buffer.from(Ut,"utf8"),32);return Buffer.from(a)}catch(r){throw new _(`Failed to derive shared key: ${r}`)}}encryptSessionKey(e,t){let r=this.generateKeyPair(),i=this.deriveSharedKey(r.privateKey,t),s=Buffer.from(e,"base64");return{encryptedKey:this.encrypt(s,i).toString("base64"),ephemeralPublicKey:r.publicKey}}decryptSessionKey(e,t){let r=this.deriveSharedKey(t,e.ephemeralPublicKey),i=Buffer.from(e.encryptedKey,"base64");return this.decrypt(i,r).toString("base64")}encryptContent(e,t){let r=Buffer.from(t,"base64"),i=Buffer.from(e,"utf8");return this.encrypt(i,r).toString("base64")}decryptContent(e,t){let r=Buffer.from(t,"base64"),i=Buffer.from(e,"base64");return this.decrypt(i,r).toString("utf8")}encryptMetadata(e,t){let r=JSON.stringify(e);return this.encryptContent(r,t)}decryptMetadata(e,t){let r=this.decryptContent(e,t);return JSON.parse(r)}encryptData(e,t){let r=Buffer.from(t,"base64");return this.encrypt(e,r)}decryptData(e,t){let r=Buffer.from(t,"base64");return this.decrypt(e,r)}encrypt(e,t){let r=T.randomBytes(12),i=T.createCipheriv("aes-256-gcm",t,r),s=Buffer.concat([i.update(e),i.final()]),o=i.getAuthTag();return Buffer.concat([r,s,o])}decrypt(e,t){let r=e.subarray(0,12),i=e.subarray(e.length-16),s=e.subarray(12,e.length-16),o=T.createDecipheriv("aes-256-gcm",t,r);o.setAuthTag(i);try{return Buffer.concat([o.update(s),o.final()])}catch{throw new _("Decryption failed: Invalid ciphertext or authentication tag")}}serializePrivateKey(e){return e}deserializePrivateKey(e){return e}},E=z.getInstance()});var ee=D(()=>{"use strict";ze()});function I(){let n=process.env.ENVIRONMENT;return n==="development"||n==="production"?n:"production"}function ue(n){let e=n||I();return pe={...F[e],aws:{...F[e].aws,region:process.env.AWS_REGION||F[e].aws.region,appsyncUrl:process.env.APPSYNC_URL||F[e].aws.appsyncUrl,cognitoUserPoolId:process.env.COGNITO_USER_POOL_ID||F[e].aws.cognitoUserPoolId,cognitoClientId:process.env.COGNITO_CLIENT_ID||F[e].aws.cognitoClientId,cognitoDomain:process.env.COGNITO_DOMAIN||F[e].aws.cognitoDomain}},Ye=!0,pe}function w(){return(!Ye||!pe)&&ue(),pe}var te,re,F,pe,Ye,Xe=D(()=>{"use strict";te=v(require("os")),re=v(require("path")),F={development:{environment:"development",aws:{region:"us-east-1",appsyncUrl:"https://api-dev.codevibe.quantiya.ai/graphql",cognitoUserPoolId:"us-east-1_yVwWDPvvJ",cognitoClientId:"e9r5apv6v5uui3l928r2ris0r",cognitoDomain:"codevibe-development.auth.us-east-1.amazoncognito.com"},keychain:{serviceName:"ai.quantiya.app.codevibe"},server:{port:3456,host:"127.0.0.1",dynamicPort:!0},claude:{command:"claude",defaultTimeout:6e4},codex:{command:"codex",defaultTimeout:6e4,sessionsDir:re.default.join(te.default.homedir(),".codex","sessions"),approvalTimeoutMs:5e3},gemini:{command:"gemini",defaultTimeout:6e4,transcriptDir:re.default.join(te.default.homedir(),".gemini","tmp")}},production:{environment:"production",aws:{region:"us-east-1",appsyncUrl:"https://api.codevibe.quantiya.ai/graphql",cognitoUserPoolId:"us-east-1_mNRO0j5og",cognitoClientId:"5p04dbc9ojptc5r8n7605fg78f",cognitoDomain:"codevibe-production.auth.us-east-1.amazoncognito.com"},keychain:{serviceName:"ai.quantiya.app.codevibe"},server:{port:3456,host:"127.0.0.1",dynamicPort:!0},claude:{command:"claude",defaultTimeout:6e4},codex:{command:"codex",defaultTimeout:6e4,sessionsDir:re.default.join(te.default.homedir(),".codex","sessions"),approvalTimeoutMs:5e3},gemini:{command:"gemini",defaultTimeout:6e4,transcriptDir:re.default.join(te.default.homedir(),".gemini","tmp")}}},pe=null,Ye=!1});var Y=D(()=>{"use strict";Xe()});var ye,Ze,K,De,$t,q,y,Qe=D(()=>{"use strict";ye=v(require("os")),Ze=require("uuid");Ge();ee();Y();M();K=class extends Error{constructor(e){super(e),this.name="KeychainError"}},De="device-identity",$t="tokens-",q=class n{constructor(){this.deviceIdentity=null;this.sessionKeyCache=new Map;this.isRegistered=!1;this._serviceName=null}get serviceName(){return this._serviceName||(this._serviceName=w().keychain.serviceName),this._serviceName}static getInstance(){return n.instance||(n.instance=new n),n.instance}async getDeviceIdentity(){if(this.deviceIdentity)return this.deviceIdentity;let e=await Ie(this.serviceName,De);return e?(this.deviceIdentity=JSON.parse(e),c.info(`[KeychainManager] Loaded device identity: ${this.deviceIdentity.deviceId}`),this.deviceIdentity):null}async setDeviceIdentity(e){try{await Ae(this.serviceName,De,JSON.stringify(e)),this.deviceIdentity=e,c.info(`[KeychainManager] Saved device identity: ${e.deviceId}`)}catch(t){throw c.error(`[KeychainManager] Failed to save device identity: ${t}`),new K(`Failed to save device identity: ${t}`)}}async getOrCreateDeviceIdentity(){let e=await this.getDeviceIdentity();if(e)return e;let t=E.generateKeyPair();return e={deviceId:(0,Ze.v4)().toUpperCase(),privateKey:t.privateKey,publicKey:t.publicKey,createdAt:new Date().toISOString()},await this.setDeviceIdentity(e),c.info(`[KeychainManager] Generated new device identity: ${e.deviceId}`),e}async getDeviceId(){return(await this.getOrCreateDeviceIdentity()).deviceId}async getDevicePublicKey(){return(await this.getOrCreateDeviceIdentity()).publicKey}async getDevicePrivateKey(){return(await this.getOrCreateDeviceIdentity()).privateKey}async hasDeviceIdentity(){return await this.getDeviceIdentity()!==null}async deleteDeviceIdentity(){try{await Te(this.serviceName,De),this.deviceIdentity=null,this.sessionKeyCache.clear(),this.isRegistered=!1,c.info("[KeychainManager] Deleted device identity")}catch(e){throw c.error(`[KeychainManager] Failed to delete device identity: ${e}`),new K(`Failed to delete device identity: ${e}`)}}getTokenAccount(e){return`${$t}${e}`}async getTokens(e="production"){let t=await Ie(this.serviceName,this.getTokenAccount(e));if(!t)return null;let r=JSON.parse(t);return c.debug(`[KeychainManager] Loaded tokens for ${e}`),r}async setTokens(e,t="production"){try{await Ae(this.serviceName,this.getTokenAccount(t),JSON.stringify(e)),c.info(`[KeychainManager] Saved tokens for ${t}`,{userId:e.userId,email:e.email})}catch(r){throw c.error(`[KeychainManager] Failed to save tokens: ${r}`),new K(`Failed to save tokens: ${r}`)}}async deleteTokens(e="production"){try{let t=await Te(this.serviceName,this.getTokenAccount(e));return t&&c.info(`[KeychainManager] Deleted tokens for ${e}`),t}catch(t){return c.error(`[KeychainManager] Failed to delete tokens: ${t}`),!1}}isTokenExpired(e){return Date.now()>=e.expiresAt-3e5}async getSessionKey(e,t){let r=this.sessionKeyCache.get(e);if(r)return r;if(!t||t.length===0)return null;let i=await this.getDeviceId(),s=t.find(d=>d.deviceId===i);if(!s)return c.warn(`[KeychainManager] Device ${i} not found in encryptedKeys`),null;let o=await this.getDevicePrivateKey(),a=E.decryptSessionKey(s,o);return this.sessionKeyCache.set(e,a),c.info(`[KeychainManager] Decrypted and cached session key for ${e}`),a}createSessionKey(e,t){let r=E.generateSessionKey(),i=[],s=[];for(let o of e)try{let a=E.encryptSessionKey(r,o.publicKey);i.push({deviceId:o.deviceId,encryptedKey:a.encryptedKey,ephemeralPublicKey:a.ephemeralPublicKey})}catch(a){c.warn("[KeychainManager] Skipping device with invalid public key",{deviceId:o.deviceId,error:a instanceof Error?a.message:String(a)}),s.push(o.deviceId);try{t?.onDeviceSkipped?.(s.length)}catch{}}if(i.length===0)throw new _(`Failed to encrypt session key for any of ${e.length} devices`);return c.info("[KeychainManager] Created session key",{encryptedCount:i.length,skippedCount:s.length,totalCount:e.length}),{sessionKey:r,encryptedKeys:i,skippedDeviceIds:s}}cacheSessionKey(e,t){this.sessionKeyCache.set(e,t)}getCachedSessionKey(e){return this.sessionKeyCache.get(e)??null}getCachedSessionIds(){return Array.from(this.sessionKeyCache.keys())}clearSessionKey(e){this.sessionKeyCache.delete(e)}clearAllSessionKeys(){this.sessionKeyCache.clear()}getIsRegistered(){return this.isRegistered}setIsRegistered(e){this.isRegistered=e}getDeviceName(){return ye.hostname()||"CLI Client"}getDevicePlatform(){let e=ye.platform();return e==="darwin"?"MACOS":e==="linux"?"LINUX":e==="win32"?"WINDOWS":"CLI"}async clearAllData(){await this.deleteDeviceIdentity(),await this.deleteTokens("development"),await this.deleteTokens("production"),this.sessionKeyCache.clear(),this.isRegistered=!1,c.info("[KeychainManager] Cleared all data")}},y=q.getInstance()});var et={};Me(et,{KeychainError:()=>K,KeychainManager:()=>q,keychainManager:()=>y});var R=D(()=>{"use strict";Qe()});var sr={};Me(sr,{AgentType:()=>st,AppSyncClient:()=>ne,AuthService:()=>Q,CryptoError:()=>_,CryptoService:()=>z,DeliveryStatus:()=>it,ENCRYPTION_VERSION:()=>Ce,EventSource:()=>xe,EventType:()=>nt,KeychainError:()=>K,KeychainManager:()=>q,Logger:()=>W,SessionStatus:()=>he,authService:()=>P,createLogger:()=>ve,cryptoService:()=>E,errorWasBeaconed:()=>se,fireAuthCompletedBeacon:()=>ie,fireAuthFailedBeacon:()=>b,getConfig:()=>w,getEnvironment:()=>I,getErrorReason:()=>Re,keychainManager:()=>y,loadConfig:()=>ue,logger:()=>c,markErrorBeaconed:()=>A,mutations:()=>C,normalizeSnapshot:()=>$e,parseInteractivePrompt:()=>St,prepareSessionEncryption:()=>fe,queries:()=>U,registerDeviceEncryptionKey:()=>ae,rekeySessionForNewDevices:()=>j,resumeOrCreateSession:()=>Le,runAuthCli:()=>me,startDeviceKeyWatcher:()=>We,subscriptions:()=>H});module.exports=xt(sr);R();ee();var V=v(require("ws")),J=require("uuid");Y();M();R();var tt=v(require("dns")),rt=v(require("fs"));if(Lt())try{tt.setDefaultResultOrder("ipv4first")}catch{}function Lt(){if(process.platform!=="linux")return!1;try{let n=rt.readFileSync("/proc/sys/kernel/osrelease","utf8");return/microsoft|wsl/i.test(n)}catch{return!1}}async function X(n,e,t){try{return await fetch(n,e)}catch(r){let i=r?.cause?.code,s=r?.cause?.message,o=i||s||r?.message||"unknown",a=Wt(i),d=t?`${t}: `:"",l=`Node ${process.version} on ${process.platform}`,h=[`${d}Cannot reach ${n}`,`  Underlying error: ${o}`];a&&h.push(`  Suggested fix: ${a}`),h.push(`  Platform: ${l}`);let p=new Error(h.join(`
+`));throw p.cause=r,p}}function Wt(n){if(!n)return null;switch(n){case"ENOTFOUND":case"EAI_AGAIN":return'DNS resolution failed. On WSL Ubuntu, check /etc/resolv.conf, or try running with NODE_OPTIONS="--dns-result-order=ipv4first".';case"ETIMEDOUT":case"ECONNREFUSED":case"ECONNRESET":case"EHOSTUNREACH":case"ENETUNREACH":return`Network unreachable. On WSL Ubuntu, try NODE_OPTIONS="--dns-result-order=ipv4first" (WSL's IPv6 is often broken). If behind a corporate proxy, set HTTPS_PROXY.`;case"CERT_HAS_EXPIRED":case"CERT_NOT_YET_VALID":return"TLS certificate time error \u2014 likely system clock drift. On WSL, run `sudo hwclock -s`, or shut down WSL from PowerShell with `wsl --shutdown` and restart.";case"UNABLE_TO_GET_ISSUER_CERT_LOCALLY":case"SELF_SIGNED_CERT_IN_CHAIN":case"UNABLE_TO_VERIFY_LEAF_SIGNATURE":case"DEPTH_ZERO_SELF_SIGNED_CERT":return"Corporate HTTPS proxy detected \u2014 the TLS cert is not trusted by Node. Set NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.pem, or configure HTTPS_PROXY if a proxy is required.";default:return null}}var U={getSession:`
     query GetSession($sessionId: ID!) {
       getSession(sessionId: $sessionId) {
         sessionId
@@ -78,15 +78,7 @@ ${n.stack}`)):typeof n=="object"?o+=` ${JSON.stringify(n,Mn)}`:o+=` ${n}`),o}log
         nextToken
       }
     }
-  `,getSubscriptionStatus:`
-    query GetSubscriptionStatus {
-      getSubscriptionStatus {
-        tier
-        status
-        expiresAt
-      }
-    }
-  `},P={createSession:`
+  `},C={createSession:`
     mutation CreateSession($input: CreateSessionInput!) {
       createSession(input: $input) {
         sessionId
@@ -163,47 +155,7 @@ ${n.stack}`)):typeof n=="object"?o+=` ${JSON.stringify(n,Mn)}`:o+=` ${n}`),o}log
         expiresAt
       }
     }
-  `,updateAvailableAgents:`
-    mutation UpdateAvailableAgents($agents: [AgentType!]!) {
-      updateAvailableAgents(agents: $agents) {
-        userId
-        availableAgents
-        orchestrationEnabledDefault
-        reviewerSeats {
-          seatId
-          role
-          agent
-          modelHint
-        }
-        updatedAt
-      }
-    }
-  `,updateReviewerPolicy:`
-    mutation UpdateReviewerPolicy($input: UpdateReviewerPolicyInput!) {
-      updateReviewerPolicy(input: $input) {
-        userId
-        availableAgents
-        orchestrationEnabledDefault
-        reviewerSeats {
-          seatId
-          role
-          agent
-          modelHint
-        }
-        updatedAt
-      }
-    }
-  `,applyUserDecision:`
-    mutation ApplyUserDecision($input: ApplyUserDecisionInput!) {
-      applyUserDecision(input: $input) {
-        sessionId
-        taskId
-        gateId
-        decision
-        payload
-      }
-    }
-  `},Q={onEventCreated:`
+  `},H={onEventCreated:`
     subscription OnEventCreated($sessionId: ID!) {
       onEventCreated(sessionId: $sessionId) {
         eventId
@@ -242,16 +194,6 @@ ${n.stack}`)):typeof n=="object"?o+=` ${JSON.stringify(n,Mn)}`:o+=` ${n}`),o}log
         lastUsedAt
       }
     }
-  `,onApplyUserDecision:`
-    subscription OnApplyUserDecision($sessionId: ID!) {
-      onApplyUserDecision(sessionId: $sessionId) {
-        sessionId
-        taskId
-        gateId
-        decision
-        payload
-      }
-    }
   `,onSessionUpdated:`
     subscription OnSessionUpdated($sessionId: ID!) {
       onSessionUpdated(sessionId: $sessionId) {
@@ -260,110 +202,7 @@ ${n.stack}`)):typeof n=="object"?o+=` ${JSON.stringify(n,Mn)}`:o+=` ${n}`),o}log
         updatedAt
       }
     }
-  `}});var br,Pt,Er,Ar=h(()=>{"use strict";br=(a=>(a.USER_PROMPT="USER_PROMPT",a.ASSISTANT_RESPONSE="ASSISTANT_RESPONSE",a.TOOL_USE="TOOL_USE",a.NOTIFICATION="NOTIFICATION",a.INTERACTIVE_PROMPT="INTERACTIVE_PROMPT",a.PROMPT_RESPONSE="PROMPT_RESPONSE",a.REASONING="REASONING",a))(br||{}),Pt=(r=>(r.DESKTOP="DESKTOP",r.MOBILE="MOBILE",r))(Pt||{}),Er=(n=>(n.SENT="SENT",n.DELIVERED="DELIVERED",n.EXECUTED="EXECUTED",n))(Er||{})});var Ye,Rr,_r=h(()=>{"use strict";Ye=(n=>(n.ACTIVE="ACTIVE",n.INACTIVE="INACTIVE",n.PAUSED="PAUSED",n))(Ye||{}),Rr=(n=>(n.CLAUDE="CLAUDE",n.GEMINI="GEMINI",n.CODEX="CODEX",n))(Rr||{})});var Ir=h(()=>{"use strict"});var xr=h(()=>{"use strict"});var Xe,Ot=h(()=>{"use strict";Xe=(l=>(l.ARCHITECTURE="ARCHITECTURE",l.CORRECTNESS="CORRECTNESS",l.SECURITY="SECURITY",l.ACCURACY="ACCURACY",l.CLARITY="CLARITY",l.COMPLETENESS="COMPLETENESS",l.ARCHITECTURE_AND_ACCURACY="ARCHITECTURE_AND_ACCURACY",l.CORRECTNESS_AND_CLARITY="CORRECTNESS_AND_CLARITY",l.SECURITY_AND_COMPLETENESS="SECURITY_AND_COMPLETENESS",l))(Xe||{})});var Tr,Cr=h(()=>{"use strict";Tr=(s=>(s.ACCEPT="ACCEPT",s.ACCEPT_WITH_NOTES="ACCEPT_WITH_NOTES",s.REJECT_WITH_NOTES="REJECT_WITH_NOTES",s.REJECT_RESTART="REJECT_RESTART",s.ABORT_TASK="ABORT_TASK",s))(Tr||{})});var Ue=h(()=>{"use strict";Ar();_r();Ir();xr();Ot();Cr()});var V,H,_,j,Kt=h(()=>{"use strict";V=k(require("ws")),H=require("uuid");fe();J();X();Dt();$t();Ue();_={urgentMaxAttempts:10,baseDelayMs:1e3,maxDelayMs:6e4,backoffMultiplier:2,persistentDelayMs:300*1e3},j=class t{constructor(){this.authenticated=!1;this.currentUserId=null;this.currentEmail=null;this.tokens=null;this.activeSubscriptions=new Map;this.lastAuthFailureKind=null;this.lastRefreshNetworkError=!1;this.pendingRefresh=null;this.lastRefreshFailureAt=null;this.deviceKeyWatcher=null;this.sessionUpdateWatchers=new Map;this.userDecisionAppliedWatchers=new Map;this.heartbeatTimers=new Map;this.environment=U(),c.info("[AppSyncClient] Initialized",{environment:this.environment})}static{this.REFRESH_BACKOFF_MS=3e4}getCurrentUserId(){if(!this.currentUserId)throw new Error("Not authenticated. Call authenticateWithStoredTokens() first.");return this.currentUserId}getCurrentUserEmail(){return this.currentEmail}getLastAuthFailureKind(){return this.lastAuthFailureKind}static isNetworkLikeMessage(e){return/ECONN|ENETUNREACH|ETIMEDOUT|EAI_AGAIN|ENOTFOUND|fetch failed|getaddrinfo|\b5\d\d\b|service unavailable|gateway timeout/i.test(e)}async authenticateWithStoredTokens(){this.lastAuthFailureKind=null;try{let e=await v.getTokens(this.environment);if(!e)return c.debug("[AppSyncClient] No stored tokens found"),this.lastAuthFailureKind="no_tokens",!1;if(c.info("[AppSyncClient] Found stored OAuth tokens",{userId:e.userId,email:e.email,expired:v.isTokenExpired(e)}),v.isTokenExpired(e)){if(c.info("[AppSyncClient] Tokens expired, attempting refresh..."),!await this.refreshTokens(e))return c.warn("[AppSyncClient] Token refresh failed"),this.lastAuthFailureKind=this.lastRefreshNetworkError?"refresh_network":"refresh_auth_rejected",!1}else this.tokens=e;return this.currentUserId=this.tokens.userId,this.currentEmail=this.tokens.email,this.authenticated=!0,c.info("[AppSyncClient] Authenticated successfully",{userId:this.currentUserId,email:this.currentEmail}),!0}catch(e){c.error("[AppSyncClient] Authentication failed:",e);let r=e instanceof Error?e.message:String(e);return this.lastAuthFailureKind=t.isNetworkLikeMessage(r)?"refresh_network":"refresh_auth_rejected",!1}}async refreshTokens(e){if(this.pendingRefresh)return this.pendingRefresh;if(this.lastRefreshFailureAt!==null&&Date.now()-this.lastRefreshFailureAt<t.REFRESH_BACKOFF_MS)return!1;this.pendingRefresh=this.performRefresh(e);try{return await this.pendingRefresh}finally{this.pendingRefresh=null}}async performRefresh(e){this.lastRefreshNetworkError=!1;let r=await this.callCognitoRefresh(e.refreshToken);if(r!==null)return this.applyRefreshedTokens(e,r);let n=null;try{n=await v.getTokens(this.environment)}catch(i){c.warn("[AppSyncClient] Failed to re-read tokens from storage during refresh recovery",{error:i instanceof Error?i.message:String(i)})}if(n&&n.refreshToken&&n.refreshToken!==e.refreshToken){c.info("[AppSyncClient] In-memory refresh token rejected; retrying with storage-backed token (likely out-of-band re-auth)"),this.lastRefreshNetworkError=!1;let i=await this.callCognitoRefresh(n.refreshToken);if(i!==null)return this.applyRefreshedTokens(n,i)}return this.lastRefreshFailureAt=Date.now(),!1}async callCognitoRefresh(e){try{let r=I(),n=`https://${r.aws.cognitoDomain}/oauth2/token`,i=new URLSearchParams({grant_type:"refresh_token",client_id:r.aws.cognitoClientId,refresh_token:e}),s=await ye(n,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:i.toString()},"Token refresh");return s.ok?await s.json():(c.error("[AppSyncClient] Token refresh failed",{status:s.status}),(s.status>=500&&s.status<600||s.status===429)&&(this.lastRefreshNetworkError=!0),null)}catch(r){return c.error("[AppSyncClient] Token refresh error:",r),this.lastRefreshNetworkError=!0,null}}async applyRefreshedTokens(e,r){let n={...e,accessToken:r.access_token,idToken:r.id_token,expiresAt:Date.now()+r.expires_in*1e3};this.tokens=n,this.lastRefreshFailureAt=null;try{await v.setTokens(n,this.environment),c.info("[AppSyncClient] Tokens refreshed",{expiresAt:new Date(n.expiresAt).toISOString()})}catch(i){c.warn("[AppSyncClient] Tokens refreshed but persistence failed; daemon keeps using fresh tokens in memory. A restart while persistence is still broken would lose them.",{error:i instanceof Error?i.message:String(i),expiresAt:new Date(n.expiresAt).toISOString()})}return!0}isAuthenticated(){return this.authenticated}signOut(){this.authenticated=!1,this.tokens=null,this.currentUserId=null,this.currentEmail=null,this.cleanupSubscriptions(),c.info("[AppSyncClient] Signed out")}async graphqlRequest(e,r,n=!1){let i=I();if(!this.tokens?.idToken)throw new Error('Not authenticated. Run "codevibe login" first.');let s={"Content-Type":"application/json",Authorization:this.tokens.idToken},o=await ye(i.aws.appsyncUrl,{method:"POST",headers:s,body:JSON.stringify({query:e,variables:r})},"AppSync GraphQL request"),a=await o.json();if(o.status===401&&!n&&this.tokens){if(c.info("[AppSyncClient] 401 Unauthorized, refreshing token..."),await this.refreshTokens(this.tokens))return this.graphqlRequest(e,r,!0);throw new Error("Token expired and refresh failed")}if(!o.ok)throw new Error(`GraphQL request failed: ${o.status}`);if(a.errors?.length)throw new Error(`GraphQL error: ${a.errors[0].message}`);return a}async createSession(e){let r={...e,metadata:e.metadata?JSON.stringify(e.metadata):void 0},n=await this.graphqlRequest(P.createSession,{input:r});return c.info("[AppSyncClient] Session created",{sessionId:n.data.createSession.sessionId}),n.data.createSession}async updateSession(e){let r={...e,metadata:e.metadata?JSON.stringify(e.metadata):void 0},n=await this.graphqlRequest(P.updateSession,{input:r});return c.debug("[AppSyncClient] Session updated",{sessionId:n.data.updateSession.sessionId}),n.data.updateSession}async getSession(e){return(await this.graphqlRequest(F.getSession,{sessionId:e})).data.getSession}async createEvent(e){let r={...e,metadata:e.metadata?JSON.stringify(e.metadata):void 0},n=await this.graphqlRequest(P.createEvent,{input:r});return c.debug("[AppSyncClient] Event created",{eventId:n.data.createEvent.eventId,type:n.data.createEvent.type}),n.data.createEvent}async updateEventStatus(e){return(await this.graphqlRequest(P.updateEventStatus,{input:e})).data.updateEventStatus}async applyUserDecision(e){let r=await this.graphqlRequest(P.applyUserDecision,{input:e});return c.debug("[AppSyncClient] applyUserDecision returned",{sessionId:r.data?.applyUserDecision?.sessionId,gateId:r.data?.applyUserDecision?.gateId,decision:r.data?.applyUserDecision?.decision}),r.data.applyUserDecision}async listEvents(e,r,n){return(await this.graphqlRequest(F.listEvents,{sessionId:e,source:r,limit:n})).data.listEvents.items}async listSessions(e=100){if(!this.currentUserId)throw new Error("Not authenticated");let r=[],n=null;do{let s=(await this.graphqlRequest(F.listSessions,{userId:this.currentUserId,limit:e,nextToken:n})).data?.listSessions;s?.items&&r.push(...s.items),n=s?.nextToken??null}while(n);return r}async sweepOrphanSessions(e){let r=e.staleThresholdMs??9e5,n=new Set(e.excludeSessionIds??[]),i=Date.now(),s;try{s=await this.listSessions()}catch(a){return c.warn("[AppSyncClient] OrphanSweep: listSessions failed, skipping sweep",{agentType:e.agentType,error:a instanceof Error?a.message:String(a)}),0}let o=0;for(let a of s){if(a.agentType!==e.agentType||a.status!=="ACTIVE"||n.has(a.sessionId)||!a.lastHeartbeatAt)continue;let d=i-new Date(a.lastHeartbeatAt).getTime();if(!(d<r)){c.warn("[AppSyncClient] OrphanSweep: marking stale session INACTIVE",{sessionId:a.sessionId,agentType:a.agentType,lastHeartbeatAt:a.lastHeartbeatAt,heartbeatAgeMinutes:Math.round(d/6e4)});try{await this.updateSession({sessionId:a.sessionId,status:"INACTIVE"}),o++}catch(l){c.warn("[AppSyncClient] OrphanSweep: updateSession failed, leaving row as-is",{sessionId:a.sessionId,error:l instanceof Error?l.message:String(l)})}}}return o>0&&c.info("[AppSyncClient] OrphanSweep complete",{agentType:e.agentType,swept:o}),o}async listUserDeviceKeys(){return(await this.graphqlRequest(F.listUserDeviceKeys,{})).data.listUserDeviceKeys||[]}async registerDeviceKey(e,r,n,i){let s={deviceId:e,publicKey:r,platform:n,deviceName:i};await this.graphqlRequest(P.registerDeviceKey,{input:s}),c.info("[AppSyncClient] Device key registered",{deviceId:e,platform:n})}async grantSessionKey(e){await this.graphqlRequest(P.grantSessionKey,{input:e}),c.info("[AppSyncClient] Session key granted",{sessionId:e.sessionId,deviceId:e.deviceId})}async getAttachmentDownloadUrl(e){return(await this.graphqlRequest(P.getAttachmentDownloadUrl,{s3Key:e})).data.getAttachmentDownloadUrl}async updateAvailableAgents(e){let r=await this.graphqlRequest(P.updateAvailableAgents,{agents:e});return c.info("[AppSyncClient] Updated available agents",{agents:e}),r.data.updateAvailableAgents}async updateReviewerPolicy(e){let r=await this.graphqlRequest(P.updateReviewerPolicy,{input:e});return c.info("[AppSyncClient] Updated reviewer policy",{orchestrationEnabledDefault:e.orchestrationEnabledDefault,reviewerSeatCount:e.reviewerSeats?.length}),r.data.updateReviewerPolicy}async getSubscriptionStatus(){return(await this.graphqlRequest(F.getSubscriptionStatus,{})).data.getSubscriptionStatus}subscribeToEvents(e,r,n){c.info("[AppSyncClient] Subscribing to events",{sessionId:e});let i=this.activeSubscriptions.get(e);i&&(this.cleanupSubscriptionState(i),this.activeSubscriptions.delete(e));let s={ws:null,subscriptionId:(0,H.v4)(),sessionId:e,onEvent:r,onError:n,reconnectAttempts:0,isReconnecting:!1,destroyed:!1};return this.activeSubscriptions.set(e,s),this.createSubscription(s),()=>{this.cleanupSubscriptionState(s),this.activeSubscriptions.delete(e)}}buildRealtimeUrl(){let e=I(),r=new URL(e.aws.appsyncUrl),i=/\.appsync-api\.[^.]+\.amazonaws\.com$/.test(r.host)?e.aws.appsyncUrl.replace("https://","wss://").replace("appsync-api","appsync-realtime-api"):`wss://${r.host}/graphql/realtime`,s={host:r.host};this.tokens?.idToken&&(s.Authorization=this.tokens.idToken);let o=Buffer.from(JSON.stringify(s)).toString("base64"),a=Buffer.from(JSON.stringify({})).toString("base64");return`${i}?header=${o}&payload=${a}`}createSubscription(e){let{sessionId:r,subscriptionId:n,onEvent:i,onError:s}=e;try{let o=this.buildRealtimeUrl(),a=new V.default(o,["graphql-ws"]);a.on("open",()=>{c.info("[AppSyncClient] WebSocket connected",{sessionId:r}),a.send(JSON.stringify({type:"connection_init"}))}),a.on("message",d=>{try{let l=JSON.parse(d.toString());switch(l.type){case"connection_ack":this.sendSubscriptionStart(a,e);break;case"start_ack":c.info("[AppSyncClient] Subscription started",{sessionId:r}),e.isReconnecting=!1,e.reconnectAttempts=0,this.startHeartbeat(r);break;case"data":this.resetKeepAliveTimer(e);let p=l.payload?.data?.onEventCreated;p&&p.source==="MOBILE"&&i(p);break;case"ka":this.resetKeepAliveTimer(e);break;case"error":let u=l.payload?.errors?.[0]?.message||"Unknown error";this.handleSubscriptionError(e,new Error(u));break}}catch(l){c.error("[AppSyncClient] Failed to parse message",{error:l})}}),a.on("error",d=>{c.error("[AppSyncClient] WebSocket error",{sessionId:r,error:d.message}),this.handleSubscriptionError(e,d)}),a.on("close",(d,l)=>{c.info("[AppSyncClient] WebSocket closed",{sessionId:r,code:d}),e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),!e.destroyed&&this.activeSubscriptions.get(r)===e&&this.handleSubscriptionError(e,new Error(`WebSocket closed: ${d}`))}),e.ws=a,this.resetKeepAliveTimer(e)}catch(o){this.handleSubscriptionError(e,o)}}sendSubscriptionStart(e,r){let n=I(),{sessionId:i,subscriptionId:s}=r,o={host:new URL(n.aws.appsyncUrl).host};this.tokens?.idToken&&(o.Authorization=this.tokens.idToken),e.send(JSON.stringify({id:s,type:"start",payload:{data:JSON.stringify({query:Q.onEventCreated,variables:{sessionId:i}}),extensions:{authorization:o}}}))}resetKeepAliveTimer(e){e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),e.keepAliveTimer=setTimeout(()=>{this.handleSubscriptionError(e,new Error("Keep-alive timeout"))},300*1e3)}handleSubscriptionError(e,r){let{sessionId:n,onError:i}=e;if(e.isReconnecting||!this.activeSubscriptions.has(n))return;e.isReconnecting=!0,e.reconnectAttempts++,this.stopHeartbeat(n);let s=e.reconnectAttempts<=_.urgentMaxAttempts,o;if(s?o=Math.min(_.baseDelayMs*Math.pow(_.backoffMultiplier,e.reconnectAttempts-1),_.maxDelayMs):(o=_.persistentDelayMs,e.reconnectAttempts===_.urgentMaxAttempts+1&&c.info("[AppSyncClient] Switching to persistent reconnect (every 5min)",{sessionId:n})),c.info("[AppSyncClient] Scheduling reconnect",{sessionId:n,attempt:e.reconnectAttempts,phase:s?"urgent":"persistent",delayMs:o}),e.ws){try{e.ws.close(1e3)}catch{}e.ws=null}e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),e.reconnectTimer=setTimeout(async()=>{if(e.isReconnecting=!1,e.destroyed||this.activeSubscriptions.get(n)!==e){c.info("[AppSyncClient] Reconnect skipped \u2014 state is no longer canonical",{sessionId:n});return}try{let a=await v.getTokens(this.environment);a&&(v.isTokenExpired(a)?await this.refreshTokens(a)&&c.info("[AppSyncClient] Tokens refreshed before reconnect",{sessionId:n}):this.tokens=a)}catch{c.warn("[AppSyncClient] Token refresh failed before reconnect, using existing tokens",{sessionId:n})}if(e.destroyed||this.activeSubscriptions.get(n)!==e){c.info("[AppSyncClient] Reconnect skipped after token refresh \u2014 state no longer canonical",{sessionId:n});return}e.subscriptionId=(0,H.v4)(),this.createSubscription(e)},o)}cleanupSubscriptionState(e){if(e.destroyed=!0,e.reconnectTimer&&(clearTimeout(e.reconnectTimer),e.reconnectTimer=void 0),e.keepAliveTimer&&(clearTimeout(e.keepAliveTimer),e.keepAliveTimer=void 0),e.ws){try{e.ws.readyState===V.default.OPEN&&e.ws.send(JSON.stringify({id:e.subscriptionId,type:"stop"}))}catch{}try{e.ws.close(1e3)}catch{}try{e.ws.removeAllListeners()}catch{}e.ws=null}}subscribeToDeviceKeyRegistered(e,r,n,i){c.info("[AppSyncClient] Subscribing to device key registrations",{userId:e}),this.deviceKeyWatcher&&this.stopDeviceKeyWatcherInternal();let s={userId:e,subscriptionId:(0,H.v4)(),ws:null,onNewDevice:r,onReconnect:n,onError:i,reconnectAttempts:0,isReconnecting:!1,destroyed:!1};return this.deviceKeyWatcher=s,this.createDeviceKeyWatcherConnection(s),()=>{this.stopDeviceKeyWatcherInternal()}}stopDeviceKeyWatcher(){this.stopDeviceKeyWatcherInternal()}stopDeviceKeyWatcherInternal(){let e=this.deviceKeyWatcher;if(e){if(e.destroyed=!0,e.reconnectTimer&&(clearTimeout(e.reconnectTimer),e.reconnectTimer=void 0),e.keepAliveTimer&&(clearTimeout(e.keepAliveTimer),e.keepAliveTimer=void 0),e.ws){try{e.ws.readyState===V.default.OPEN&&e.ws.send(JSON.stringify({id:e.subscriptionId,type:"stop"}))}catch{}try{e.ws.close(1e3)}catch{}try{e.ws.removeAllListeners()}catch{}e.ws=null}this.deviceKeyWatcher=null,c.info("[AppSyncClient] Device key watcher stopped")}}createDeviceKeyWatcherConnection(e){try{let r=this.buildRealtimeUrl(),n=new V.default(r,["graphql-ws"]);n.on("open",()=>{c.info("[AppSyncClient] Device key watcher WebSocket connected",{userId:e.userId}),n.send(JSON.stringify({type:"connection_init"}))}),n.on("message",i=>{try{let s=JSON.parse(i.toString());switch(s.type){case"connection_ack":this.sendDeviceKeyWatcherStart(n,e);break;case"start_ack":c.info("[AppSyncClient] Device key watcher subscription started",{userId:e.userId});let o=e.isReconnecting;if(e.isReconnecting=!1,e.reconnectAttempts=0,o&&e.onReconnect)try{e.onReconnect()}catch(l){c.warn("[AppSyncClient] Device key watcher onReconnect handler threw",{error:l})}break;case"data":this.resetDeviceKeyWatcherKeepAlive(e);let a=s.payload?.data?.onDeviceKeyRegistered;if(a){c.info("[AppSyncClient] Device key registration observed",{userId:e.userId,newDeviceId:a.deviceId,platform:a.platform});try{e.onNewDevice(a)}catch(l){c.warn("[AppSyncClient] Device key watcher onNewDevice handler threw",{error:l})}}break;case"ka":this.resetDeviceKeyWatcherKeepAlive(e);break;case"error":let d=s.payload?.errors?.[0]?.message||"Unknown error";this.handleDeviceKeyWatcherError(e,new Error(d));break}}catch(s){c.error("[AppSyncClient] Failed to parse device key watcher message",{error:s})}}),n.on("error",i=>{c.error("[AppSyncClient] Device key watcher WebSocket error",{userId:e.userId,error:i.message}),this.handleDeviceKeyWatcherError(e,i)}),n.on("close",i=>{c.info("[AppSyncClient] Device key watcher WebSocket closed",{userId:e.userId,code:i}),e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),!e.destroyed&&this.deviceKeyWatcher===e&&this.handleDeviceKeyWatcherError(e,new Error(`WebSocket closed: ${i}`))}),e.ws=n,this.resetDeviceKeyWatcherKeepAlive(e)}catch(r){this.handleDeviceKeyWatcherError(e,r)}}sendDeviceKeyWatcherStart(e,r){let n=I(),{userId:i,subscriptionId:s}=r,o={host:new URL(n.aws.appsyncUrl).host};this.tokens?.idToken&&(o.Authorization=this.tokens.idToken),e.send(JSON.stringify({id:s,type:"start",payload:{data:JSON.stringify({query:Q.onDeviceKeyRegistered,variables:{userId:i}}),extensions:{authorization:o}}}))}resetDeviceKeyWatcherKeepAlive(e){e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),e.keepAliveTimer=setTimeout(()=>{this.handleDeviceKeyWatcherError(e,new Error("Device key watcher keep-alive timeout"))},300*1e3)}handleDeviceKeyWatcherError(e,r){if(e.isReconnecting||e.destroyed||this.deviceKeyWatcher!==e)return;if(e.isReconnecting=!0,e.reconnectAttempts++,e.onError)try{e.onError(r)}catch{}if(e.ws){try{e.ws.removeAllListeners()}catch{}try{e.ws.close(1e3)}catch{}e.ws=null}e.keepAliveTimer&&(clearTimeout(e.keepAliveTimer),e.keepAliveTimer=void 0);let i=e.reconnectAttempts<=_.urgentMaxAttempts?Math.min(_.baseDelayMs*Math.pow(_.backoffMultiplier,e.reconnectAttempts-1),_.maxDelayMs):_.persistentDelayMs;c.warn("[AppSyncClient] Device key watcher reconnect scheduled",{userId:e.userId,attempts:e.reconnectAttempts,delayMs:i,error:r.message}),e.reconnectTimer=setTimeout(async()=>{if(e.isReconnecting=!1,e.destroyed||this.deviceKeyWatcher!==e){c.info("[AppSyncClient] Device key watcher reconnect skipped \u2014 state no longer canonical",{userId:e.userId});return}try{let s=await v.getTokens(this.environment);s&&(v.isTokenExpired(s)?await this.refreshTokens(s)&&c.info("[AppSyncClient] Tokens refreshed before device key watcher reconnect",{userId:e.userId}):this.tokens=s)}catch{c.warn("[AppSyncClient] Token refresh failed before device key watcher reconnect, using existing tokens",{userId:e.userId})}e.destroyed||this.deviceKeyWatcher!==e||(e.subscriptionId=(0,H.v4)(),this.createDeviceKeyWatcherConnection(e))},i)}watchForMobileEnd(e,r){c.info("[AppSyncClient] Starting mobile-end watcher",{sessionId:e});let n=this.sessionUpdateWatchers.get(e);n&&(c.info("[AppSyncClient] Replacing existing mobile-end watcher",{sessionId:e}),this.cleanupSessionUpdateWatcherState(n),this.sessionUpdateWatchers.delete(e));let i={sessionId:e,subscriptionId:(0,H.v4)(),ws:null,onMobileEndRequested:r,priorStatus:"ACTIVE",firedOnce:!1,reconnectAttempts:0,isReconnecting:!1,destroyed:!1};return this.sessionUpdateWatchers.set(e,i),this.createSessionUpdateWatcherConnection(i),{stop:()=>{this.sessionUpdateWatchers.get(e)===i&&(this.cleanupSessionUpdateWatcherState(i),this.sessionUpdateWatchers.delete(e),c.info("[AppSyncClient] Mobile-end watcher stopped",{sessionId:e}))}}}createSessionUpdateWatcherConnection(e){try{let r=this.buildRealtimeUrl(),n=new V.default(r,["graphql-ws"]);n.on("open",()=>{c.info("[AppSyncClient] Mobile-end watcher WebSocket connected",{sessionId:e.sessionId}),n.send(JSON.stringify({type:"connection_init"}))}),n.on("message",i=>{try{let s=JSON.parse(i.toString());switch(s.type){case"connection_ack":this.sendSessionUpdateWatcherStart(n,e);break;case"start_ack":c.info("[AppSyncClient] Mobile-end watcher subscription started",{sessionId:e.sessionId}),e.isReconnecting=!1,e.reconnectAttempts=0;break;case"data":this.resetSessionUpdateWatcherKeepAlive(e),this.handleSessionUpdatePayload(e,s.payload);break;case"ka":this.resetSessionUpdateWatcherKeepAlive(e);break;case"error":let o=s.payload?.errors?.[0]?.message||"Unknown error";this.handleSessionUpdateWatcherError(e,new Error(o));break}}catch(s){c.error("[AppSyncClient] Failed to parse mobile-end watcher message",{error:s})}}),n.on("error",i=>{c.error("[AppSyncClient] Mobile-end watcher WebSocket error",{sessionId:e.sessionId,error:i.message}),this.handleSessionUpdateWatcherError(e,i)}),n.on("close",i=>{c.info("[AppSyncClient] Mobile-end watcher WebSocket closed",{sessionId:e.sessionId,code:i}),e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),!e.destroyed&&this.sessionUpdateWatchers.get(e.sessionId)===e&&this.handleSessionUpdateWatcherError(e,new Error(`WebSocket closed: ${i}`))}),e.ws=n,this.resetSessionUpdateWatcherKeepAlive(e)}catch(r){this.handleSessionUpdateWatcherError(e,r)}}handleSessionUpdatePayload(e,r){let n=r?.data?.onSessionUpdated;if(!n){c.warn("[AppSyncClient] Mobile-end watcher received malformed payload",{sessionId:e.sessionId});return}if(e.firedOnce)return;let i=n.status;if(i==null){c.debug("[AppSyncClient] Mobile-end watcher skipped non-status payload",{sessionId:e.sessionId});return}if(e.priorStatus==="ACTIVE"&&i==="INACTIVE"){e.firedOnce=!0,e.priorStatus="INACTIVE",c.info("[AppSyncClient] Mobile end requested for session",{sessionId:e.sessionId}),Promise.resolve().then(()=>e.onMobileEndRequested()).catch(s=>{c.warn("[AppSyncClient] Mobile-end callback threw",{sessionId:e.sessionId,error:s})});return}e.priorStatus=i}sendSessionUpdateWatcherStart(e,r){let n=I(),{sessionId:i,subscriptionId:s}=r,o={host:new URL(n.aws.appsyncUrl).host};this.tokens?.idToken&&(o.Authorization=this.tokens.idToken),e.send(JSON.stringify({id:s,type:"start",payload:{data:JSON.stringify({query:Q.onSessionUpdated,variables:{sessionId:i}}),extensions:{authorization:o}}}))}resetSessionUpdateWatcherKeepAlive(e){e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),e.keepAliveTimer=setTimeout(()=>{this.handleSessionUpdateWatcherError(e,new Error("Mobile-end watcher keep-alive timeout"))},300*1e3)}handleSessionUpdateWatcherError(e,r){if(e.isReconnecting||e.destroyed||this.sessionUpdateWatchers.get(e.sessionId)!==e)return;if(e.isReconnecting=!0,e.reconnectAttempts++,e.ws){try{e.ws.removeAllListeners()}catch{}try{e.ws.close(1e3)}catch{}e.ws=null}e.keepAliveTimer&&(clearTimeout(e.keepAliveTimer),e.keepAliveTimer=void 0);let i=e.reconnectAttempts<=_.urgentMaxAttempts?Math.min(_.baseDelayMs*Math.pow(_.backoffMultiplier,e.reconnectAttempts-1),_.maxDelayMs):_.persistentDelayMs;c.warn("[AppSyncClient] Mobile-end watcher reconnect scheduled",{sessionId:e.sessionId,attempts:e.reconnectAttempts,delayMs:i,error:r.message}),e.reconnectTimer=setTimeout(async()=>{if(e.isReconnecting=!1,!(e.destroyed||this.sessionUpdateWatchers.get(e.sessionId)!==e)){try{let s=await v.getTokens(this.environment);s&&(v.isTokenExpired(s)?await this.refreshTokens(s):this.tokens=s)}catch{c.warn("[AppSyncClient] Token refresh failed before mobile-end watcher reconnect",{sessionId:e.sessionId})}e.destroyed||this.sessionUpdateWatchers.get(e.sessionId)!==e||(e.subscriptionId=(0,H.v4)(),this.createSessionUpdateWatcherConnection(e))}},i)}cleanupSessionUpdateWatcherState(e){if(e.destroyed=!0,e.reconnectTimer&&(clearTimeout(e.reconnectTimer),e.reconnectTimer=void 0),e.keepAliveTimer&&(clearTimeout(e.keepAliveTimer),e.keepAliveTimer=void 0),e.ws){try{e.ws.readyState===V.default.OPEN&&e.ws.send(JSON.stringify({id:e.subscriptionId,type:"stop"}))}catch{}try{e.ws.close(1e3)}catch{}try{e.ws.removeAllListeners()}catch{}e.ws=null}}subscribeToOnApplyUserDecision(e,r,n){c.info("[AppSyncClient] Starting onApplyUserDecision watcher",{sessionId:e});let i=this.userDecisionAppliedWatchers.get(e);i&&(c.info("[AppSyncClient] Replacing existing onApplyUserDecision watcher",{sessionId:e}),this.cleanupUserDecisionAppliedWatcherState(i),this.userDecisionAppliedWatchers.delete(e));let s={sessionId:e,subscriptionId:(0,H.v4)(),ws:null,onEvent:r,onError:n,reconnectAttempts:0,isReconnecting:!1,destroyed:!1};return this.userDecisionAppliedWatchers.set(e,s),this.createUserDecisionAppliedWatcherConnection(s),{stop:()=>{this.userDecisionAppliedWatchers.get(e)===s&&(this.cleanupUserDecisionAppliedWatcherState(s),this.userDecisionAppliedWatchers.delete(e),c.info("[AppSyncClient] onApplyUserDecision watcher stopped",{sessionId:e}))}}}createUserDecisionAppliedWatcherConnection(e){try{let r=this.buildRealtimeUrl(),n=new V.default(r,["graphql-ws"]);n.on("open",()=>{c.info("[AppSyncClient] onApplyUserDecision WebSocket connected",{sessionId:e.sessionId}),n.send(JSON.stringify({type:"connection_init"}))}),n.on("message",i=>{try{let s=JSON.parse(i.toString());switch(s.type){case"connection_ack":this.sendOnApplyUserDecisionStart(n,e);break;case"start_ack":c.info("[AppSyncClient] onApplyUserDecision subscription started",{sessionId:e.sessionId}),e.isReconnecting=!1,e.reconnectAttempts=0;break;case"data":this.resetOnApplyUserDecisionKeepAlive(e);let o=s.payload?.data?.onApplyUserDecision;o&&Promise.resolve().then(()=>e.onEvent(o)).catch(d=>{c.warn("[AppSyncClient] onApplyUserDecision callback threw",{sessionId:e.sessionId,error:d})});break;case"ka":this.resetOnApplyUserDecisionKeepAlive(e);break;case"error":let a=s.payload?.errors?.[0]?.message||"Unknown error";this.handleOnApplyUserDecisionError(e,new Error(a));break}}catch(s){c.error("[AppSyncClient] Failed to parse onApplyUserDecision message",{error:s})}}),n.on("error",i=>{c.error("[AppSyncClient] onApplyUserDecision WebSocket error",{sessionId:e.sessionId,error:i.message}),this.handleOnApplyUserDecisionError(e,i)}),n.on("close",i=>{c.info("[AppSyncClient] onApplyUserDecision WebSocket closed",{sessionId:e.sessionId,code:i}),e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),!e.destroyed&&this.userDecisionAppliedWatchers.get(e.sessionId)===e&&this.handleOnApplyUserDecisionError(e,new Error(`WebSocket closed: ${i}`))}),e.ws=n,this.resetOnApplyUserDecisionKeepAlive(e)}catch(r){this.handleOnApplyUserDecisionError(e,r)}}sendOnApplyUserDecisionStart(e,r){let n=I(),{sessionId:i,subscriptionId:s}=r,o={host:new URL(n.aws.appsyncUrl).host};this.tokens?.idToken&&(o.Authorization=this.tokens.idToken),e.send(JSON.stringify({id:s,type:"start",payload:{data:JSON.stringify({query:Q.onApplyUserDecision,variables:{sessionId:i}}),extensions:{authorization:o}}}))}resetOnApplyUserDecisionKeepAlive(e){e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),e.keepAliveTimer=setTimeout(()=>{this.handleOnApplyUserDecisionError(e,new Error("onApplyUserDecision keep-alive timeout"))},300*1e3)}handleOnApplyUserDecisionError(e,r){if(e.isReconnecting||e.destroyed||this.userDecisionAppliedWatchers.get(e.sessionId)!==e)return;if(e.isReconnecting=!0,e.reconnectAttempts++,e.onError)try{e.onError(r)}catch{}if(e.ws){try{e.ws.removeAllListeners()}catch{}try{e.ws.close(1e3)}catch{}e.ws=null}e.keepAliveTimer&&(clearTimeout(e.keepAliveTimer),e.keepAliveTimer=void 0);let i=e.reconnectAttempts<=_.urgentMaxAttempts?Math.min(_.baseDelayMs*Math.pow(_.backoffMultiplier,e.reconnectAttempts-1),_.maxDelayMs):_.persistentDelayMs;c.warn("[AppSyncClient] onApplyUserDecision reconnect scheduled",{sessionId:e.sessionId,attempts:e.reconnectAttempts,delayMs:i,error:r.message}),e.reconnectTimer=setTimeout(async()=>{if(e.isReconnecting=!1,!(e.destroyed||this.userDecisionAppliedWatchers.get(e.sessionId)!==e)){try{let s=await v.getTokens(this.environment);s&&(v.isTokenExpired(s)?await this.refreshTokens(s):this.tokens=s)}catch{c.warn("[AppSyncClient] Token refresh failed before onApplyUserDecision reconnect",{sessionId:e.sessionId})}e.destroyed||this.userDecisionAppliedWatchers.get(e.sessionId)!==e||(e.subscriptionId=(0,H.v4)(),this.createUserDecisionAppliedWatcherConnection(e))}},i)}cleanupUserDecisionAppliedWatcherState(e){if(e.destroyed=!0,e.reconnectTimer&&(clearTimeout(e.reconnectTimer),e.reconnectTimer=void 0),e.keepAliveTimer&&(clearTimeout(e.keepAliveTimer),e.keepAliveTimer=void 0),e.ws){try{e.ws.readyState===V.default.OPEN&&e.ws.send(JSON.stringify({id:e.subscriptionId,type:"stop"}))}catch{}try{e.ws.close(1e3)}catch{}try{e.ws.removeAllListeners()}catch{}e.ws=null}}startHeartbeat(e,r=120*1e3){this.stopHeartbeat(e),this.sendHeartbeat(e);let n=setInterval(()=>{this.sendHeartbeat(e)},r);this.heartbeatTimers.set(e,n),c.info("[AppSyncClient] Heartbeat started",{sessionId:e,intervalMs:r})}stopHeartbeat(e){let r=this.heartbeatTimers.get(e);r&&(clearInterval(r),this.heartbeatTimers.delete(e),c.info("[AppSyncClient] Heartbeat stopped",{sessionId:e}))}async sendHeartbeat(e){try{await this.updateSession({sessionId:e,lastHeartbeatAt:new Date().toISOString()}),c.debug("[AppSyncClient] Heartbeat sent",{sessionId:e})}catch(r){c.warn("[AppSyncClient] Heartbeat failed",{sessionId:e,error:r})}}cleanupSubscriptions(){this.activeSubscriptions.forEach(e=>{this.cleanupSubscriptionState(e)}),this.activeSubscriptions.clear(),this.stopDeviceKeyWatcherInternal(),this.sessionUpdateWatchers.forEach(e=>{this.cleanupSessionUpdateWatcherState(e)}),this.sessionUpdateWatchers.clear(),this.userDecisionAppliedWatchers.forEach(e=>{this.cleanupUserDecisionAppliedWatcherState(e)}),this.userDecisionAppliedWatchers.clear(),this.heartbeatTimers.forEach(e=>clearInterval(e)),this.heartbeatTimers.clear()}}});var Qe=h(()=>{"use strict";Kt();$t()});function z(){let t=[];for(let e of["CLAUDE","GEMINI","CODEX"])ai(e)&&t.push(e);return c.debug("[detectInstalledAgents] Detected",{detected:t}),t}function ai(t){try{return(0,Br.execSync)(`command -v ${oi[t]}`,{stdio:"ignore",shell:"/bin/sh"}),!0}catch{return!1}}async function et(t,e){let r=z();if(r.length===0){e.warn("No AI coding agents detected on PATH \u2014 skipping updateAvailableAgents");return}await t.updateAvailableAgents(r),e.info("Pushed available agents to backend",{agents:r})}async function tt(t,e,r){let n=process.env.CODEVIBE_ORCHESTRATION_OVERRIDE;if(n!=="true"&&n!=="false")return;let i=n==="true";try{await t.updateSession({sessionId:e,orchestrationEnabled:i}),r.info("Applied per-session orchestration override",{sessionId:e,enabled:i})}catch(s){r.warn("Failed to apply per-session orchestration override",{sessionId:e,enabled:i,error:s?.message})}}var Br,oi,rt=h(()=>{"use strict";Br=require("child_process");J();oi={CLAUDE:"claude",GEMINI:"gemini",CODEX:"codex"}});function L(t){return t<2?"<2":t<5?"2-5":t<10?"5-10":t<30?"10-30":"30+"}function ve(t){return t<=1?"1":t===2?"2":"3"}function Fr(t){switch(t){case"architecture":return"ARCHITECTURE";case"correctness":return"CORRECTNESS";case"security":return"SECURITY"}}function Vr(t){return t.toUpperCase()}var zt,Z,Mr,nt,we=h(()=>{"use strict";Ot();zt={FREE:null,PRO:2,MAX:3},Z=["architecture","correctness","security"],Mr=["architecture","correctness","security"],nt=["claude","gemini","codex"]});function pi(){let t=typeof process.getuid=="function"?process.getuid():0;return de.createHash("sha256").update(`${qr.hostname()}-${t}`).digest("hex").substring(0,36)}function Se(){return{platform:process.platform,source:process.env.CODEVIBE_TELEMETRY_SOURCE||"production"}}async function gi(t,e){try{let r=JSON.stringify({client_id:pi(),events:[{name:t,params:e}]});await new Promise(n=>{let i=jr.request({hostname:li,path:ui,method:"POST",headers:{"Content-Type":"application/json"}},()=>n());i.on("error",()=>n()),i.write(r),i.end(),setTimeout(n,2e3)})}catch{}}function Gr(){if(typeof de.randomUUID=="function")return de.randomUUID();let t=de.randomBytes(16);t[6]=t[6]&15|64,t[8]=t[8]&63|128;let e=t.toString("hex");return e.substring(0,8)+"-"+e.substring(8,12)+"-"+e.substring(12,16)+"-"+e.substring(16,20)+"-"+e.substring(20,32)}async function Jr(t){await Ee("wizard_started",{...Se(),wizard_run_id:t.wizardRunId,tier:t.tier.toLowerCase(),entry:t.entry,installed_agents_bucket:t.installedAgentsBucket})}async function ee(t){await Ee("wizard_step_started",{...Se(),wizard_run_id:t.wizardRunId,step:t.step})}async function te(t){await Ee("wizard_step_completed",{...Se(),wizard_run_id:t.wizardRunId,step:t.step,latency_bucket_s:t.latencyBucket})}async function ke(t){await Ee("wizard_step_failed",{...Se(),wizard_run_id:t.wizardRunId,step:t.step,reason:t.reason,latency_bucket_s:t.latencyBucket})}async function Yr(t){await Ee("wizard_completed",{...Se(),wizard_run_id:t.wizardRunId,outcome:t.outcome,tier:t.tier.toLowerCase(),seats_bucket:t.seatsBucket,agents_distinct_bucket:t.agentsDistinctBucket,roles_distinct_bucket:t.rolesDistinctBucket,total_latency_bucket_s:t.totalLatencyBucket})}async function be(t){await Ee("wizard_aborted",{...Se(),wizard_run_id:t.wizardRunId,reason:t.reason,last_step:t.lastStep})}async function Ee(t,e){if(Hr!==null){Hr({name:t,params:e});return}await gi(t,e)}var de,jr,qr,ci,di,li,ui,Hr,Ae=h(()=>{"use strict";de=k(require("crypto")),jr=k(require("https")),qr=k(require("os")),ci="G-GS74YEQTB8",di="lAfOF6OxRzSQ-NsLBRjhAg",li="www.google-analytics.com",ui=`/mp/collect?measurement_id=${ci}&api_secret=${di}`;Hr=null});async function Xr(){let t=new j;if(await t.authenticateWithStoredTokens())return t;if(t.getLastAuthFailureKind()==="refresh_network")throw new it("refresh-token POST failed");return null}async function Qr(t){let e=Date.now();await ee({wizardRunId:t.wizardRunId,step:"bootstrap"});let r;try{let p=await t.clientFactory();if(!p)return await le(t,e,{kind:"not_signed_in"});r=p}catch(p){if(p instanceof it)return await le(t,e,{kind:"subscription_status_network",cause:p.message});let u=p instanceof Error?p.message:String(p);return mi(u)?await le(t,e,{kind:"subscription_status_network",cause:u}):await le(t,e,{kind:"not_signed_in"})}let n;try{n=(await r.getSubscriptionStatus()).tier}catch(p){return await le(t,e,{kind:"subscription_status_network",cause:p instanceof Error?p.message:"unknown"})}let i=t.agentDetector(),s=i.map(p=>p.toLowerCase()),o=ve(s.length);if(await Jr({wizardRunId:t.wizardRunId,tier:n,entry:t.entry,installedAgentsBucket:o}),zt[n]===null)return await le(t,e,{kind:"tier_gate_free",tier:"FREE"});if(i.length===0)return await le(t,e,{kind:"no_clis_installed"});let a=zt[n],d=r.getCurrentUserEmail(),l=null;try{l=await r.updateAvailableAgents(s.map(p=>p.toUpperCase()))}catch(p){console.warn("[setup-bootstrap] updateAvailableAgents failed; proceeding without saved-policy defaults",p instanceof Error?p.message:String(p)),l=null}return await te({wizardRunId:t.wizardRunId,step:"bootstrap",latencyBucket:L((Date.now()-e)/1e3)}),{ok:!0,result:{tier:n,seatBudget:a,installedAgents:s,installedAgentsBucket:o,client:r,userEmail:d,savedPolicy:l}}}function mi(t){return/ECONN|ENETUNREACH|ETIMEDOUT|EAI_AGAIN|ENOTFOUND|fetch failed|getaddrinfo|\b5\d\d\b|service unavailable|gateway timeout/i.test(t)}async function le(t,e,r){let n=L((Date.now()-e)/1e3),i=r.kind;await ke({wizardRunId:t.wizardRunId,step:"bootstrap",reason:i,latencyBucket:n});let s=r.kind==="tier_gate_free"?"tier_gate_free":r.kind==="no_clis_installed"?"no_clis":r.kind==="not_signed_in"?"auth_expired":"bootstrap_failure";return await be({wizardRunId:t.wizardRunId,reason:s,lastStep:"bootstrap"}),{ok:!1,failure:r}}var it,Zr=h(()=>{"use strict";Kt();we();Ae();it=class extends Error{constructor(e){super(`auth refresh network failure: ${e}`),this.name="AuthRefreshNetworkError"}}});async function en(t){let e=Date.now();await ee({wizardRunId:t.wizardRunId,step:"seat_assignment"});let r=[],n=new Set;t.io.write(""),t.io.write(`${R.bold}Step 1 of 3 \u2014 Reviewer seat assignment${R.reset}
-`),t.io.write(`\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
-You have ${t.seatBudget} reviewer seats.
-For each seat, pick an agent + a role.
-
-`);for(let i=0;i<t.seatBudget;i++){t.io.write(`${R.bold}Seat ${i+1}${R.reset}
-`);let s=t.savedSeats?.find(p=>p.seatId===i),o=await fi(t.io,t.installedAgents,s?.agent),a=Z.filter(p=>!n.has(p)),d=hi(i,a,s?.role),l=await yi(t.io,a,d);r.push({seatId:i,agent:o,role:l}),n.add(l),t.io.write(`
-`)}return await te({wizardRunId:t.wizardRunId,step:"seat_assignment",latencyBucket:L((Date.now()-e)/1e3)}),r}async function fi(t,e,r){if(e.length===1)return t.write(`  Agent: ${R.bold}${e[0]}${R.reset} ${R.dim}(only installed agent)${R.reset}
-`),e[0];let n=nt.find(s=>e.includes(s))??e[0],i=r&&e.includes(r)?r:n;for(t.write(`  Agent ${R.dim}(default: ${i})${R.reset}:
-`),e.forEach((s,o)=>{let a=s===i?`${R.cyan}*${R.reset}`:" ";t.write(`    ${a} ${o+1}. ${s}
-`)});;){let s=await t.ask("  > ");if(s==="")return i;let o=parseInt(s,10)-1;if(o>=0&&o<e.length)return e[o];t.write(`    ${R.yellow}Enter a number 1-${e.length} or press Enter for the default.${R.reset}
-`)}}async function yi(t,e,r){if(e.length===1)return t.write(`  Role: ${R.bold}${e[0]}${R.reset} ${R.dim}(only remaining role; press Enter to accept)${R.reset}
-`),await t.ask("  > "),e[0];for(t.write(`  Role ${R.dim}(default: ${r})${R.reset}:
-`),e.forEach((n,i)=>{let s=n===r?`${R.cyan}*${R.reset}`:" ";t.write(`    ${s} ${i+1}. ${n}
-`)});;){let n=await t.ask("  > ");if(n==="")return r;let i=parseInt(n,10)-1;if(i>=0&&i<e.length)return e[i];t.write(`    ${R.yellow}Enter a number 1-${e.length} or press Enter for the default.${R.reset}
-`)}}function hi(t,e,r){if(r&&Z.includes(r)&&e.includes(r))return r;let n=Mr[t]??Z[0];if(e.includes(n))return n;for(let i of Z)if(e.includes(i))return i;return e[0]}function tn(t){return{write:e=>process.stdout.write(e),ask:e=>new Promise(r=>t.question(e,n=>r(n.trim())))}}var R,rn=h(()=>{"use strict";we();Ae();R={reset:"\x1B[0m",bold:"\x1B[1m",dim:"\x1B[2m",green:"\x1B[32m",yellow:"\x1B[33m",cyan:"\x1B[36m"}});function vi(t){switch(t.kind){case"timeout":return`${t.agent} reviewer timed out after ${t.elapsed_ms}ms`;case"spawn_failed":return`${t.agent} reviewer spawn failed: ${t.reason}`;case"parse_failure":return`${t.agent} reviewer output was unparseable`;case"cancelled":return"reviewer cancelled before completion";case"internal_join_failure":return`reviewer task internal join failure: ${t.reason}`}}var b,ue=h(()=>{"use strict";b=class t extends Error{constructor(e){super(vi(e)),this.name="ReviewerError",this.detail=e,typeof Error.captureStackTrace=="function"&&Error.captureStackTrace(this,t)}}});function wi(t){switch(t.kind){case"empty_output":return"reviewer returned an empty reply";case"invalid_verdict":return`first non-blank line ${JSON.stringify(t.found)} is not a valid verdict (expected APPROVE | REJECT | REVISE | ESCALATE)`;case"reasoning_missing":return"reviewer returned a bare verdict with no reasoning";case"revise_missing_changes":return"REVISE verdict requires at least one suggested change in a bulleted list";case"suggested_changes_require_revise":return`suggested changes are reserved for REVISE verdicts; ${JSON.stringify(t.found)} verdict must not carry a bulleted list`}}function re(t){let r=t.replace(/\r\n/g,`
-`).split(`
-`),n=0;for(;n<r.length&&r[n].trim()==="";)n+=1;if(n>=r.length)return{ok:!1,error:{kind:"empty_output"}};let i=r[n];n+=1;let s=Si(i.trim());if(!s.ok)return s;let o=s.kind,a=[],d=[],l=!1;for(;n<r.length;n+=1){let u=r[n];if(ki(u)){l=!0;let S=bi(u).trimEnd();S.length>0&&d.push(S);continue}let w=Ei(u);if(l){if(w==="")continue;let S=d[d.length-1];if(S!==void 0&&(u.startsWith(" ")||u.startsWith("	"))){d[d.length-1]=S+" "+w.trimStart();continue}return{ok:!1,error:{kind:"invalid_verdict",found:w}}}a.push(w)}for(;a.length>0&&a[0]==="";)a.shift();for(;a.length>0&&a[a.length-1]==="";)a.pop();let p=a.join(`
-`);if(p.trim()==="")return{ok:!1,error:{kind:"reasoning_missing"}};if(o==="REVISE"){if(d.length===0)return{ok:!1,error:{kind:"revise_missing_changes"}}}else if(d.length>0)return{ok:!1,error:{kind:"suggested_changes_require_revise",found:o}};return{ok:!0,verdict:{kind:o,reasoning:p,suggested_changes:d}}}function Si(t){let e=t;switch((e.endsWith(":")||e.endsWith("."))&&(e=e.slice(0,-1)),e.toUpperCase()){case"APPROVE":return{ok:!0,kind:"APPROVE"};case"REJECT":return{ok:!0,kind:"REJECT"};case"REVISE":return{ok:!0,kind:"REVISE"};case"ESCALATE":return{ok:!0,kind:"ESCALATE"};default:return{ok:!1,error:{kind:"invalid_verdict",found:t}}}}function ki(t){return t.startsWith("- ")||t.startsWith("* ")}function bi(t){return t.slice(2).trimStart()}function Ei(t){return t.trimEnd()}var st,ze=h(()=>{"use strict";st=class t extends Error{constructor(e){super(wi(e)),this.name="VerdictParseError",this.detail=e,typeof Error.captureStackTrace=="function"&&Error.captureStackTrace(this,t)}}});function Ai(t){switch(t.kind){case"spawn_failed":return`failed to spawn subprocess: ${t.reason}`;case"timeout":return`subprocess timed out after ${t.elapsed_ms}ms`;case"io":return`subprocess IO error: ${t.reason}`;case"cancelled":return"subprocess cancelled before completion"}}function ne(t){return new Promise((e,r)=>{let n=Date.now(),i;try{i=(0,nn.spawn)(t.command,[...t.args],{env:t.env,cwd:t.cwd,stdio:["pipe","pipe","pipe"],windowsHide:!0})}catch(y){r(new x({kind:"spawn_failed",reason:y instanceof Error?y.message:String(y)}));return}let s=!1,o=[],a=[],d=()=>{try{i.stdin&&!i.stdin.destroyed&&i.stdin.destroy()}catch{}try{i.stdout&&!i.stdout.destroyed&&i.stdout.destroy()}catch{}try{i.stderr&&!i.stderr.destroyed&&i.stderr.destroy()}catch{}},l=()=>{try{i.kill("SIGKILL")}catch{}},p=()=>{},u=()=>{},w=y=>{s||(s=!0,p(),u(),e(y))},S=y=>{s||(s=!0,p(),u(),d(),l(),r(y))};i.stdout.on("data",y=>{o.push(y)}),i.stderr.on("data",y=>{a.push(y)}),i.on("error",y=>{y.code==="ENOENT"||y.code==="EACCES"||y.code==="EPERM"?S(new x({kind:"spawn_failed",reason:y.message})):S(new x({kind:"io",reason:y.message}))}),i.on("close",(y,wt)=>{if(s)return;let C=Date.now()-n,O=Buffer.concat(o).toString("utf8"),G=Buffer.concat(a).toString("utf8");w({stdout:O,stderr:G,elapsed_ms:C,exit_success:y===0&&wt===null})}),i.stdin.on("error",y=>{});try{i.stdin.write(t.prompt,"utf8",()=>{try{i.stdin.end()}catch{}})}catch(y){S(new x({kind:"io",reason:y instanceof Error?y.message:String(y)}));return}let $=setTimeout(()=>{S(new x({kind:"timeout",elapsed_ms:t.timeout_ms}))},t.timeout_ms);u=()=>{clearTimeout($)};let A=()=>{S(new x({kind:"cancelled"}))};if(t.signal){if(p=()=>{t.signal.removeEventListener("abort",A)},t.signal.aborted){A();return}t.signal.addEventListener("abort",A,{once:!0})}})}var nn,x,Be=h(()=>{"use strict";nn=require("child_process"),x=class t extends Error{constructor(e){super(Ai(e)),this.name="SubprocessError",this.detail=e,typeof Error.captureStackTrace=="function"&&Error.captureStackTrace(this,t)}}});function Re(t,e){switch(e.kind){case"spawn_failed":return{kind:"spawn_failed",agent:t,reason:e.reason};case"timeout":return{kind:"timeout",agent:t,elapsed_ms:e.elapsed_ms};case"io":return{kind:"spawn_failed",agent:t,reason:`io error: ${e.reason}`};case"cancelled":return{kind:"cancelled"}}}var ot=h(()=>{"use strict"});function Ri(t,e){let r=[];r.push("--print"),r.push("--allowed-tools",e.tool_allowlist.join(",")),e.model_hint!==null&&r.push("--model",e.model_hint);let n={...process.env,QUORUM_REVIEWER_SUBPROCESS:"1"};return{command:t,args:r,env:n}}function _i(t,e,r){if(!r.exit_success)throw new b({kind:"spawn_failed",agent:t.agent,reason:`claude exited with non-zero status; stderr: ${r.stderr.trim()}`});let n=re(r.stdout);if(!n.ok)throw new b({kind:"parse_failure",agent:t.agent,raw_output:r.stdout});return{verdict_id:(0,sn.v4)(),gate_id:e,seat_id:t.seat_id,role:t.role,reviewer_agent:t.agent,verdict:n.verdict.kind,reasoning:n.verdict.reasoning,suggested_changes:n.verdict.suggested_changes,model_used:t.model_hint,tokens_used:null,latency_ms:r.elapsed_ms,submitted_at:new Date().toISOString()}}var sn,_e,Bt=h(()=>{"use strict";sn=require("uuid");ze();ue();Be();ot();_e=class{constructor(e={}){this.executable=e.executable??"claude"}async evaluate(e,r){if(e.agent!=="claude")throw new Error(`ClaudeReviewerProvider called with non-Claude spec (got ${e.agent}); the engine's registry wiring is responsible for dispatch`);let n=Ri(this.executable,e),i;try{i=await ne({command:n.command,args:n.args,env:n.env,prompt:e.prompt_template,timeout_ms:e.timeout_ms})}catch(s){throw s instanceof x?new b(Re(e.agent,s.detail)):s}return _i(e,r,i)}}});function Ii(t,e){let r=[];r.push("-p",""),r.push("--approval-mode","plan"),r.push("--output-format","json"),e.model_hint!==null&&r.push("--model",e.model_hint);let n={...process.env,QUORUM_REVIEWER_SUBPROCESS:"1"};return{command:t,args:r,env:n}}function xi(t,e,r){if(!r.exit_success)throw new b({kind:"spawn_failed",agent:t.agent,reason:`gemini exited with non-zero status; stderr: ${r.stderr.trim()}`});let n=Ci(r.stdout);if(n===null)throw new b({kind:"parse_failure",agent:t.agent,raw_output:r.stdout});let i=re(n.response);if(!i.ok)throw new b({kind:"parse_failure",agent:t.agent,raw_output:n.response});let s=Ti(n);return{verdict_id:(0,on.v4)(),gate_id:e,seat_id:t.seat_id,role:t.role,reviewer_agent:t.agent,verdict:i.verdict.kind,reasoning:i.verdict.reasoning,suggested_changes:i.verdict.suggested_changes,model_used:t.model_hint,tokens_used:s,latency_ms:r.elapsed_ms,submitted_at:new Date().toISOString()}}function Ti(t){let e=t.stats?.models;if(!e)return null;let r=[];for(let n of Object.values(e)){let i=n.tokens?.total;typeof i=="number"&&r.push(i)}return r.length===0?null:r.reduce((n,i)=>n+i,0)}function Ci(t){let e=t.indexOf("{");if(e<0)return null;let r=0,n=!1,i=!1;for(let s=e;s<t.length;s+=1){let o=t[s];if(i){i=!1;continue}if(n){o==="\\"?i=!0:o==='"'&&(n=!1);continue}if(o==='"'){n=!0;continue}if(o==="{")r+=1;else if(o==="}"&&(r-=1,r===0)){let a=t.slice(e,s+1),d;try{d=JSON.parse(a)}catch{return null}return Di(d)}}return null}function Di(t){if(typeof t!="object"||t===null||Array.isArray(t))return null;let e=t;return typeof e.response!="string"?null:e}var on,Ie,Mt=h(()=>{"use strict";on=require("uuid");ze();ue();Be();ot();Ie=class{constructor(e={}){this.executable=e.executable??"gemini"}async evaluate(e,r){if(e.agent!=="gemini")throw new Error(`GeminiReviewerProvider called with non-Gemini spec (got ${e.agent}); the engine's registry wiring is responsible for dispatch`);let n=Ii(this.executable,e),i;try{i=await ne({command:n.command,args:n.args,env:n.env,prompt:e.prompt_template,timeout_ms:e.timeout_ms})}catch(s){throw s instanceof x?new b(Re(e.agent,s.detail)):s}return xi(e,r,i)}}});function $i(t,e,r){let n=[];n.push("exec"),n.push("--sandbox","read-only"),n.push("--skip-git-repo-check"),n.push("--color","never"),n.push("--json"),n.push("--ephemeral"),n.push("--output-last-message",r),e.model_hint!==null&&n.push("--model",e.model_hint),n.push("-");let i={...process.env,QUORUM_REVIEWER_SUBPROCESS:"1"};return{command:t,args:n,env:i}}function Pi(t,e,r,n){if(!r.exit_success)throw new b({kind:"spawn_failed",agent:t.agent,reason:`codex exited with non-zero status; stderr: ${r.stderr.trim()}`});let i=re(n);if(!i.ok)throw new b({kind:"parse_failure",agent:t.agent,raw_output:n});let s=Oi(r.stdout);return{verdict_id:(0,Ft.v4)(),gate_id:e,seat_id:t.seat_id,role:t.role,reviewer_agent:t.agent,verdict:i.verdict.kind,reasoning:i.verdict.reasoning,suggested_changes:i.verdict.suggested_changes,model_used:t.model_hint,tokens_used:s,latency_ms:r.elapsed_ms,submitted_at:new Date().toISOString()}}function Oi(t){let e=[];for(let r of t.split(`
-`)){let n=r.trim();if(n==="")continue;let i;try{i=JSON.parse(n)}catch{continue}if(i.type==="turn.completed"&&i.usage){let s=i.usage.input_tokens??0,o=i.usage.output_tokens??0;e.push(s+o)}}return e.length===0?null:e.reduce((r,n)=>r+n,0)}function Ki(){return cn.join(an.tmpdir(),`quorum-codex-last-${process.pid}-${(0,Ft.v4)()}.txt`)}function at(t){try{ct.unlinkSync(t)}catch{}}var ct,an,cn,Ft,xe,Vt=h(()=>{"use strict";ct=k(require("fs")),an=k(require("os")),cn=k(require("path")),Ft=require("uuid");ze();ue();Be();ot();xe=class{constructor(e={}){this.executable=e.executable??"codex"}async evaluate(e,r){if(e.agent!=="codex")throw new Error(`CodexReviewerProvider called with non-Codex spec (got ${e.agent}); the engine's registry wiring is responsible for dispatch`);let n=Ki(),i=$i(this.executable,e,n),s;try{s=await ne({command:i.command,args:i.args,env:i.env,prompt:e.prompt_template,timeout_ms:e.timeout_ms})}catch(a){throw at(n),a instanceof x?new b(Re(e.agent,a.detail)):a}if(!s.exit_success)throw at(n),new b({kind:"spawn_failed",agent:e.agent,reason:`codex exited with non-zero status; stderr: ${s.stderr.trim()}`});let o;try{o=ct.readFileSync(n,"utf8")}catch(a){at(n);let d=a instanceof Error?a.message:String(a);throw new b({kind:"parse_failure",agent:e.agent,raw_output:`codex exited 0 but --output-last-message file unreadable (${d}): stdout follows
-${s.stdout}`})}return at(n),Pi(e,r,s,o)}}});function dt(){return new Me().with("claude",new _e).with("gemini",new Ie).with("codex",new xe)}var Me,dn=h(()=>{"use strict";ue();Bt();Vt();Mt();Me=class{constructor(){this.providers=new Map}with(e,r){return this.providers.set(e,r),this}register(e,r){this.providers.set(e,r)}providerFor(e){return this.providers.get(e)}registeredAgents(){return Array.from(this.providers.keys())}async evaluate(e,r){let n=this.providers.get(e.agent);if(n===void 0)throw new b({kind:"spawn_failed",agent:e.agent,reason:`no provider registered for ${e.agent} \u2014 registry was built without a ${e.agent} entry but the policy snapshot includes a ${e.agent} reviewer`});return n.evaluate(e,r)}}});function ln(){return{type:"verdict",kind:"APPROVE",reasoning:"static mock: approve",suggested_changes:[]}}function un(){return{type:"verdict",kind:"REJECT",reasoning:"static mock: reject",suggested_changes:[]}}function pn(t){return{type:"verdict",kind:"REVISE",reasoning:"static mock: revise",suggested_changes:t.length===0?["static mock: placeholder revision"]:t}}function gn(){return{type:"verdict",kind:"ESCALATE",reasoning:"static mock: escalate",suggested_changes:[]}}var Ht,lt,ut,mn=h(()=>{"use strict";Ht=require("uuid");ue();lt=class t{constructor(){this.scripts=new Map}static key(e,r){return`${e}|${r}`}scriptVerdict(e,r,n,i){this.scriptVerdictWithChanges(e,r,n,i,[])}scriptVerdictWithChanges(e,r,n,i,s){let o=t.key(e,r),a=this.scripts.get(o)??[];a.push({type:"verdict",kind:n,reasoning:i,suggested_changes:s}),this.scripts.set(o,a)}scriptError(e,r,n){let i=t.key(e,r),s=this.scripts.get(i)??[];s.push({type:"error",error:n}),this.scripts.set(i,s)}remaining(e,r){let n=t.key(e,r);return this.scripts.get(n)?.length??0}async evaluate(e,r){let n=t.key(e.agent,r),i=this.scripts.get(n),s=i&&i.length>0?i.shift():null;if(s===null)throw new b({kind:"spawn_failed",agent:e.agent,reason:`no scripted response for (${e.agent}, gate=${r}); test forgot to wire a reviewer`});if(s.type==="error")throw new b(s.error);return{verdict_id:(0,Ht.v4)(),gate_id:r,seat_id:e.seat_id,role:e.role,reviewer_agent:e.agent,verdict:s.kind,reasoning:s.reasoning,suggested_changes:s.suggested_changes,model_used:`mock-${e.agent}`,tokens_used:0,latency_ms:0,submitted_at:new Date().toISOString()}}};ut=class t{constructor(){this.defaultResponse=null;this.perAgent=new Map}static new(){return new t}static allApprove(){let e=new t;return e.defaultResponse=ln(),e}static allReject(){let e=new t;return e.defaultResponse=un(),e}static allRevise(e){let r=new t;return r.defaultResponse=pn(e),r}static allEscalate(){let e=new t;return e.defaultResponse=gn(),e}static allError(e){let r=new t;return r.defaultResponse={type:"error",error:e},r}withAgentVerdict(e,r){let n;switch(r){case"APPROVE":n=ln();break;case"REJECT":n=un();break;case"REVISE":n=pn([]);break;case"ESCALATE":n=gn();break}return this.perAgent.set(e,n),this}withAgentError(e,r){return this.perAgent.set(e,{type:"error",error:r}),this}async evaluate(e,r){let n=this.perAgent.get(e.agent)??this.defaultResponse;if(n===null)throw new b({kind:"spawn_failed",agent:e.agent,reason:`StaticReviewerMock has no response configured for ${e.agent} (set a default via allApprove() / allReject() / etc., or an override via withAgentVerdict() / withAgentError())`});if(n.type==="error")throw new b(n.error);return{verdict_id:(0,Ht.v4)(),gate_id:r,seat_id:e.seat_id,role:e.role,reviewer_agent:e.agent,verdict:n.kind,reasoning:n.reasoning,suggested_changes:n.suggested_changes,model_used:`static-mock-${e.agent}`,tokens_used:0,latency_ms:0,submitted_at:new Date().toISOString()}}}});var jt={};$e(jt,{ClaudeReviewerProvider:()=>_e,CodexReviewerProvider:()=>xe,GeminiReviewerProvider:()=>Ie,MockReviewerSpawner:()=>lt,ReviewerErrorClass:()=>b,ReviewerRegistry:()=>Me,StaticReviewerMock:()=>ut,SubprocessErrorClass:()=>x,VerdictParseErrorClass:()=>st,createSubprocessReviewerRegistry:()=>dt,parseVerdictOutput:()=>re,runReviewer:()=>ne});var qt=h(()=>{"use strict";ue();ze();Be();Bt();Mt();Vt();dn();mn()});async function fn(t){let e=Date.now();await ee({wizardRunId:t.wizardRunId,step:"test_my_agents"});let r=t.write??(u=>process.stdout.write(u)),n=t.registryFactory?t.registryFactory():dt(),i=t.gateId??(await import("crypto")).randomUUID();for(let u of t.seats)r(`Spawning seat ${u.seatId} (${u.agent} / ${u.role})\u2026
-`);let s=t.seats.map(u=>Wi(u)),o=new Map;for(let u of t.seats)o.set(u.seatId,Date.now());let a=await Promise.allSettled(s.map(u=>n.evaluate(u,i))),d=[];for(let u=0;u<t.seats.length;u++){let w=t.seats[u],S=a[u],$=Date.now()-(o.get(w.seatId)??e),A=$/1e3,y={seatId:w.seatId,agent:w.agent,role:w.role,elapsedSeconds:A,result:Li(S,$)};d.push(y),r(zi(y))}let l=Bi(d),p=L((Date.now()-e)/1e3);return l===null?(r(`${E.green}\u2713${E.reset} All reviewers responded with parseable verdicts (parallel run, total wall: ${((Date.now()-e)/1e3).toFixed(1)}s)
-`),await te({wizardRunId:t.wizardRunId,step:"test_my_agents",latencyBucket:p}),{ok:!0,seatOutcomes:d}):(await ke({wizardRunId:t.wizardRunId,step:"test_my_agents",reason:l,latencyBucket:p}),{ok:!1,reason:l,canSaveAnyway:Mi(l),seatOutcomes:d})}function Wi(t){return{seat_id:t.seatId,role:t.role,agent:t.agent,tool_allowlist:["Read","Grep","Glob"],prompt_template:Ui,timeout_ms:Ni,model_hint:null}}function Li(t,e){if(t.status==="fulfilled"){let n=t.value.verdict;return n==="APPROVE"?{kind:"approve"}:n==="REVISE"?{kind:"revise"}:n==="REJECT"?{kind:"reject"}:n==="ESCALATE"?{kind:"escalate"}:{kind:"parse_failure"}}let r=t.reason;if(r instanceof b){let n=r.detail;return n.kind==="timeout"?{kind:"timeout",elapsedMs:n.elapsed_ms}:n.kind==="spawn_failed"?{kind:"spawn_failure",reason:n.reason}:n.kind==="parse_failure"?{kind:"parse_failure"}:{kind:"unknown_error",message:`unexpected reviewer error: ${n.kind}`}}return{kind:"unknown_error",message:r instanceof Error?r.message:String(r)}}function zi(t){let e=`  [${t.elapsedSeconds.toFixed(1)}s] seat ${t.seatId}:`,r=` ${E.dim}(${t.agent} / ${t.role})${E.reset}
-`;switch(t.result.kind){case"approve":return`${e} ${E.green}APPROVE${E.reset}${r}`;case"revise":return`${e} ${E.yellow}REVISE${E.reset}${r}`;case"reject":return`${e} ${E.red}REJECT${E.reset}${r}`;case"escalate":return`${e} ${E.yellow}ESCALATE${E.reset}${r}`;case"parse_failure":return`${e} ${E.red}parse failure${E.reset}${r}`;case"spawn_failure":return`${e} ${E.red}spawn failure${E.reset} ${E.dim}\u2014 ${t.result.reason}${E.reset}${r}`;case"timeout":return`${e} ${E.red}timeout${E.reset} ${E.dim}(${(t.result.elapsedMs/1e3).toFixed(0)}s)${E.reset}${r}`;case"unknown_error":return`${e} ${E.red}error${E.reset} ${E.dim}\u2014 ${t.result.message}${E.reset}${r}`}}function Bi(t){for(let e of t)if(e.result.kind==="spawn_failure")return"test_spawn_failure";for(let e of t)if(e.result.kind==="timeout")return"test_timeout";for(let e of t)if(e.result.kind==="parse_failure")return"test_parse_failure";for(let e of t)if(e.result.kind==="reject")return"test_reject";for(let e of t)if(e.result.kind==="escalate")return"test_escalate";for(let e of t)if(e.result.kind==="revise")return"test_revise";for(let e of t)if(e.result.kind==="unknown_error")return"test_parse_failure";return null}function Mi(t){return!(t==="test_spawn_failure"||t==="test_timeout")}function yn(t){let e=[];for(let r of t)switch(r.result.kind){case"approve":continue;case"spawn_failure":e.push(`Couldn't spawn the ${r.agent} CLI for seat ${r.seatId} \u2014 install or fix it before retrying (cause: ${r.result.reason}).`);break;case"timeout":e.push(`Seat ${r.seatId}'s ${r.agent} reviewer didn't respond within ${(r.result.elapsedMs/1e3).toFixed(0)}s \u2014 your CLI may be hanging.`);break;case"parse_failure":e.push(`Seat ${r.seatId}'s ${r.agent} reviewer returned output the parser couldn't understand. Try a different agent or re-run.`);break;case"reject":e.push(`Seat ${r.seatId} (${r.agent} / ${r.role}) REJECTED the test proposal. Either save anyway, or try a different role/agent.`);break;case"escalate":e.push(`Seat ${r.seatId} (${r.agent} / ${r.role}) ESCALATED \u2014 the reviewer wants human input. Save anyway or retry.`);break;case"revise":e.push(`Seat ${r.seatId} (${r.agent} / ${r.role}) requested REVISIONS. Safe to save anyway; the canned proposal is intentionally trivial.`);break;case"unknown_error":e.push(`Seat ${r.seatId} (${r.agent} / ${r.role}) hit an unexpected error: ${r.result.message}.`);break}return e}var E,Ui,Ni,hn=h(()=>{"use strict";we();Ae();qt();E={reset:"\x1B[0m",bold:"\x1B[1m",dim:"\x1B[2m",green:"\x1B[32m",yellow:"\x1B[33m",red:"\x1B[31m"},Ui=`## Problem
-Add a one-line Python "Hello, World" script to a new file.
-
-## Proposal
-Create a single Python file at /tmp/quorum_test_hello.py containing the
-single line: print("hello world")
-
-## Implementation Plan
-1. Create the file at /tmp/quorum_test_hello.py
-2. Write print("hello world") on line 1 followed by a trailing newline
-3. Make no other changes
-
-## Expected Outputs
-- /tmp/quorum_test_hello.py \u2014 exists, contains the single-line script
-`,Ni=6e4});async function vn(t){let e=Date.now();await ee({wizardRunId:t.wizardRunId,step:"save"});let r=t.seats.map(n=>({seatId:n.seatId,role:Fr(n.role),agent:Vr(n.agent)}));try{return await t.client.updateReviewerPolicy({orchestrationEnabledDefault:!0,reviewerSeats:r}),await te({wizardRunId:t.wizardRunId,step:"save",latencyBucket:L((Date.now()-e)/1e3)}),{ok:!0}}catch(n){let i=Fi(n),s=i!=="auth_token_expired";return await ke({wizardRunId:t.wizardRunId,step:"save",reason:i,latencyBucket:L((Date.now()-e)/1e3)}),{ok:!1,reason:i,recoverable:s}}}function Fi(t){let e=t instanceof Error?t.message:String(t);return/401|Unauthorized|NotAuthorizedException|(?:token|session|access[_-]?token|refresh[_-]?token|sign[ -]?in)\b[^.]{0,40}\bexpired/i.test(e)?"auth_token_expired":/429|throttl|RateExceeded|TooManyRequests/i.test(e)?"update_policy_throttle":/\b5\d\d\b|InternalServerError|InternalFailure|ServiceUnavailable/i.test(e)?"update_policy_5xx":"update_policy_network"}var wn=h(()=>{"use strict";we();Ae()});async function Sn(t,e){for(t.write(`
-`),t.write(`${T.bold}What now?${T.reset}
-`),t.write(`  [r] retry the test
-`),e&&t.write(`  [s] save the policy anyway (use with caution \u2014 your reviewers may not work as expected)
-`),t.write(`  [x] exit without saving
-`);;){let r=(await t.ask("> ")).toLowerCase();if(r==="r"||r==="retry")return"retry";if(e&&(r==="s"||r==="save"))return"save_anyway";if(r==="x"||r==="exit"||r==="q"||r==="quit")return"exit";let n=e?"[r]/[s]/[x]":"[r]/[x]";t.write(`${T.yellow}Enter ${n}.${T.reset}
-`)}}async function kn(t,e=!0){if(t.write(`
-`),!e)for(t.write(`${T.bold}Your sign-in expired between bootstrap and save.${T.reset}
-`),t.write(`Re-run ${T.bold}codevibe login${T.reset} and then ${T.bold}codevibe orchestration setup${T.reset} to try again.
-`),t.write(`  [x] exit (your picks are lost)
-`);;){let r=(await t.ask("> ")).toLowerCase();if(r==="x"||r==="exit"||r==="q"||r==="quit")return"exit";t.write(`${T.yellow}Enter [x].${T.reset}
-`)}for(t.write(`${T.bold}What now?${T.reset}
-`),t.write(`  [r] retry the save
-`),t.write(`  [x] exit (your picks are lost)
-`);;){let r=(await t.ask("> ")).toLowerCase();if(r==="r"||r==="retry")return"retry";if(r==="x"||r==="exit"||r==="q"||r==="quit")return"exit";t.write(`${T.yellow}Enter [r]/[x].${T.reset}
-`)}}var T,bn=h(()=>{"use strict";T={reset:"\x1B[0m",bold:"\x1B[1m",yellow:"\x1B[33m"}});function Vi(t){for(let e of t)if(e.startsWith("--entry=")){let r=e.slice(8);if(r==="meta_cli"||r==="claude_alias"||r==="gemini_alias"||r==="codex_alias")return r}return"meta_cli"}async function An(t){let e=await Hi(t,{clientFactory:Xr,agentDetector:z,write:r=>process.stdout.write(r),createPickerIO:()=>{let r=En.createInterface({input:process.stdin,output:process.stdout});return{io:tn(r),close:()=>r.close()}}});process.exit(e.exitCode)}async function Hi(t,e){let r=Gr(),n=Vi(t),i=Date.now(),s="bootstrap",o=!1,a=async()=>{o&&process.exit(130),o=!0;try{await be({wizardRunId:r,reason:"ctrl_c",lastStep:s})}catch{}e.write(`
-^C \u2014 wizard aborted, nothing saved.
-`),process.exit(130)};process.on("SIGINT",a);try{ji(e.write),s="bootstrap";let d=await Qr({wizardRunId:r,clientFactory:e.clientFactory,agentDetector:e.agentDetector,entry:n});if(!d.ok)return Ji(e.write,d.failure),{exitCode:1};let l=d.result;qi(e.write,l);let p=l.client;s="seat_assignment";let u=e.createPickerIO(),w;try{let C=l.savedPolicy?.reviewerSeats?.filter(O=>Z.includes(O.role.toLowerCase())).map(O=>({seatId:O.seatId,agent:O.agent.toLowerCase(),role:O.role.toLowerCase()}));w=await en({wizardRunId:r,installedAgents:l.installedAgents,seatBudget:l.seatBudget,io:u.io,savedSeats:C??void 0})}finally{u.close()}s="test_my_agents";let S=!1,$=!1;for(;;){e.write(`
-${m.bold}Step 2 of 3 \u2014 Test My Agents${m.reset}
-`),e.write(`\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
-`);let C=await fn({wizardRunId:r,seats:w,registryFactory:e.registryFactory,write:e.write});if(C.ok){$=!0,S=!1;break}for(let ir of yn(C.seatOutcomes))e.write(`${m.yellow}${ir}${m.reset}
-`);let O=e.createPickerIO(),G;try{G=await Sn(O.io,C.canSaveAnyway)}finally{O.close()}if(G!=="retry"){if(G==="save_anyway"){$=!0,S=!0;break}return await be({wizardRunId:r,reason:"step_user_exit",lastStep:"test_my_agents"}),e.write(`
-Exited without saving.
-`),{exitCode:0}}}if(!$)return{exitCode:1};for(s="save";;){e.write(`
-${m.bold}Step 3 of 3 \u2014 Save${m.reset}
-`),e.write(`\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
-`),e.write(`Saving reviewer policy to your account\u2026
-`);let C=await vn({wizardRunId:r,client:p,seats:w,savedAfterTestWarning:S});if(C.ok)break;e.write(`
-${m.red}Save failed:${m.reset} ${Xi(C.reason)}
-`);let O=e.createPickerIO(),G;try{G=await kn(O.io,C.recoverable)}finally{O.close()}if(G!=="retry")return await be({wizardRunId:r,reason:"step_save_failed_exit",lastStep:"save"}),e.write(`
-Exited; your picks are lost.
-`),{exitCode:1}}e.write(`
-${m.green}\u2713${m.reset} Policy saved
-
-`),Yi(e.write,w,l.installedAgents);let A=L((Date.now()-i)/1e3),y=new Set(w.map(C=>C.agent)).size,wt=new Set(w.map(C=>C.role)).size;return await Yr({wizardRunId:r,outcome:S?"saved_after_test_warning":"ok",tier:l.tier,seatsBucket:ve(w.length),agentsDistinctBucket:ve(y),rolesDistinctBucket:ve(wt),totalLatencyBucket:A}),{exitCode:0}}finally{process.removeListener("SIGINT",a)}}function ji(t){t(`
-`),t(`${m.bold}Quorum 2.0 setup wizard${m.reset}
-`),t(`\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
-
-`),t(`Checking your account\u2026
-`)}function qi(t,e){e.userEmail&&t(`  ${m.green}\u2713${m.reset} Signed in as ${m.bold}${e.userEmail}${m.reset}
-`),t(`  ${m.green}\u2713${m.reset} Tier: ${m.bold}${Gi(e.tier)}${m.reset}
-`),t(`  ${m.green}\u2713${m.reset} Reviewer-seat budget: ${e.seatBudget} seat${e.seatBudget===1?"":"s"}
-`),t(`
-Detecting installed agents\u2026
-`);for(let r of e.installedAgents)t(`  ${m.green}\u2713${m.reset} ${r}
-`)}function Gi(t){return t.charAt(0)+t.slice(1).toLowerCase()}function Ji(t,e){switch(t(`
-`),e.kind){case"tier_gate_free":t(`${m.yellow}Quorum review is a Pro/Max feature.${m.reset}
-`),t(`Upgrade in the CodeVibe app or visit ${m.bold}https://quantiya.ai/codevibe${m.reset}.
-`);break;case"not_signed_in":t(`${m.yellow}Not signed in.${m.reset} Run ${m.bold}codevibe login${m.reset} first.
-`);break;case"subscription_status_network":t(`${m.red}Couldn't fetch your account info.${m.reset} Check your connection and try again.
-`);break;case"no_clis_installed":t(`${m.red}No supported agent CLI detected.${m.reset} Install at least one of: ${m.bold}claude${m.reset}, ${m.bold}gemini${m.reset}, or ${m.bold}codex${m.reset}.
-`);break}}function Yi(t,e,r){t(`${m.bold}Your reviewer panel:${m.reset}
-`);for(let n of e)t(`  Seat ${n.seatId}: ${m.bold}${n.role}${m.reset} \u2192 ${m.bold}${n.agent}${m.reset}
-`);t(`
-Notifications: mobile push + desktop status pane (both on by default).
-`),t(`
-You're set. Next steps:
-`),t(`  Start an orchestrated session with any installed agent:
-`);for(let n of nt)r.includes(n)&&t(`    - ${m.bold}codevibe-${n} --orchestration${m.reset}
-`);t(`
-  Re-run this wizard: ${m.bold}codevibe orchestration setup${m.reset}
-`),t(`
-`)}function Xi(t){switch(t){case"update_policy_network":return"network failure \u2014 check your connection";case"update_policy_5xx":return"the orchestration service couldn't be reached \u2014 try again in a moment";case"update_policy_throttle":return"rate-limited \u2014 wait a moment and retry";case"auth_token_expired":return"your session expired \u2014 re-run `codevibe login` and try again";default:return`unexpected error (${t})`}}var En,m,Rn=h(()=>{"use strict";En=k(require("readline"));rt();we();Ae();Zr();rn();hn();wn();bn();m={reset:"\x1B[0m",bold:"\x1B[1m",dim:"\x1B[2m",green:"\x1B[32m",yellow:"\x1B[33m",red:"\x1B[31m"}});async function pt(t){let r=t.slice(3).filter(n=>!n.startsWith("--"))[0];switch(r){case"enable":await es();break;case"disable":await ts();break;case"status":await rs();break;case"configure":await ns();break;case"setup":await An(t);break;default:Zi(),process.exit(r?1:0)}}function Zi(){console.log(""),console.log(`${g.bold}codevibe orchestration${g.reset} \u2014 Quorum 2.0 reviewer policy`),console.log(""),console.log("Usage: codevibe orchestration <command>"),console.log(""),console.log("Commands:"),console.log("  setup      Run the locked 3-step setup wizard (recommended for first-time)"),console.log("  enable     Auto-enable orchestration for new sessions"),console.log("  disable    Disable orchestration (sessions route to 1.0 flow)"),console.log("  status     Show current reviewer policy + installed agents"),console.log("  configure  Advanced wizard (all 9 roles, manual seat-count)"),console.log("")}async function es(){let e=await(await gt()).updateReviewerPolicy({orchestrationEnabledDefault:!0});Jt(e),console.log(`
-${g.green}\u2713${g.reset} Orchestration enabled. New sessions will use your reviewer panel.`)}async function ts(){let e=await(await gt()).updateReviewerPolicy({orchestrationEnabledDefault:!1});Jt(e),console.log(`
-${g.yellow}\u2713${g.reset} Orchestration disabled. New sessions route to the 1.0 companion flow.`)}async function rs(){let t=z();if(console.log(""),console.log(`${g.bold}Installed agents${g.reset}`),t.length===0)console.log(`  ${g.dim}(none detected on PATH)${g.reset}`);else for(let n of t)console.log(`  ${g.green}\u2713${g.reset} ${n.toLowerCase()}`);console.log("");let r=await(await gt()).updateAvailableAgents(t);Jt(r)}async function ns(){let t=z();t.length===0&&(console.log(""),console.log(`${g.yellow}No agents detected on PATH.${g.reset}`),console.log(`Install at least one of ${g.bold}claude${g.reset}, ${g.bold}gemini${g.reset}, or ${g.bold}codex${g.reset} before configuring orchestration.`),process.exit(1)),console.log(""),console.log(`${g.bold}Quorum 2.0 orchestration configuration${g.reset}`),console.log(`${g.dim}Detected agents: ${t.map(n=>n.toLowerCase()).join(", ")}${g.reset}`),console.log("");let e=await gt();await e.updateAvailableAgents(t);let r=xn.createInterface({input:process.stdin,output:process.stdout});try{if(!await _n(r,"Enable orchestration for new sessions?",!1)){await e.updateReviewerPolicy({orchestrationEnabledDefault:!1}),console.log(`
-${g.yellow}\u2713${g.reset} Orchestration disabled.`);return}if(!await _n(r,"Customize reviewer panel (otherwise use tier defaults)?",!1)){await e.updateReviewerPolicy({orchestrationEnabledDefault:!0,reviewerSeats:[]}),console.log(`
-${g.green}\u2713${g.reset} Orchestration enabled with tier-default reviewer panel.`);return}let s=await is(r),o=[],a=new Set;for(let d=0;d<s;d++){console.log(""),console.log(`${g.bold}Seat ${d}${g.reset}`);let l=Qi.filter(w=>!a.has(w)),p=await In(r,"Role:",l),u=await In(r,"Agent:",t);o.push({seatId:d,role:p,agent:u}),a.add(p)}await e.updateReviewerPolicy({orchestrationEnabledDefault:!0,reviewerSeats:o}),console.log(""),console.log(`${g.green}\u2713${g.reset} Orchestration enabled with custom panel:`);for(let d of o)console.log(`  Seat ${d.seatId}: ${d.role.toLowerCase()} \u2192 ${d.agent.toLowerCase()}`)}finally{r.close()}}function Gt(t,e){return new Promise(r=>t.question(e,n=>r(n.trim())))}async function _n(t,e,r){let i=(await Gt(t,e+(r?" [Y/n] ":" [y/N] "))).toLowerCase();return i?i.startsWith("y"):r}async function is(t){for(;;){let e=await Gt(t,"How many seats (2 for Pro, 3 for Max)? "),r=parseInt(e,10);if(r===2||r===3)return r;console.log(`${g.yellow}Enter 2 or 3.${g.reset}`)}}async function In(t,e,r){for(;;){console.log(e),r.forEach((s,o)=>{console.log(`  ${g.cyan}${o+1}${g.reset}. ${s.toLowerCase()}`)});let n=await Gt(t,"> "),i=parseInt(n,10)-1;if(i>=0&&i<r.length)return r[i];console.log(`${g.yellow}Enter a number between 1 and ${r.length}.${g.reset}`)}}async function gt(){let t=new j;return await t.authenticateWithStoredTokens()||(console.log(""),console.log(`${g.yellow}Not authenticated.${g.reset} Run ${g.bold}codevibe login${g.reset} first.`),process.exit(1)),t}function Jt(t){console.log(""),console.log(`${g.bold}Current reviewer policy${g.reset}`),console.log(`  Orchestration default: ${ss(t.orchestrationEnabledDefault)}`),console.log(`  Available agents: ${t.availableAgents?.length?t.availableAgents.map(e=>e.toLowerCase()).join(", "):`${g.dim}(not yet detected)${g.reset}`}`),console.log(`  Reviewer panel: ${os(t.reviewerSeats)}`)}function ss(t){return t===!0?`${g.green}enabled${g.reset}`:t===!1?`${g.yellow}disabled${g.reset}`:`${g.dim}(unset \u2014 defaults to disabled)${g.reset}`}function os(t){return!t||t.length===0?`${g.dim}tier defaults${g.reset}`:t.map(e=>`Seat ${e.seatId} ${e.role.toLowerCase()}\u2192${e.agent.toLowerCase()}`).join(", ")}var xn,g,Qi,Tn=h(()=>{"use strict";xn=k(require("readline"));Qe();Ue();rt();Rn();g={reset:"\x1B[0m",bold:"\x1B[1m",dim:"\x1B[2m",green:"\x1B[32m",yellow:"\x1B[33m",purple:"\x1B[35m",cyan:"\x1B[36m"},Qi=["ARCHITECTURE","CORRECTNESS","SECURITY","ACCURACY","CLARITY","COMPLETENESS","ARCHITECTURE_AND_ACCURACY","CORRECTNESS_AND_CLARITY","SECURITY_AND_COMPLETENESS"]});function Fe(t){return!Number.isInteger(t)||t<1||t>Te.length?null:Te[t-1].kind}function yt(t){switch(t){case"accept":return"ACCEPT";case"reject_restart":return"REJECT_RESTART";case"abort_task":return"ABORT_TASK"}}var mt,Te,ft,Cn=h(()=>{"use strict";mt="orchestration_escalated_gate",Te=[{number:"1",label:"Accept",kind:"accept"},{number:"2",label:"Reject (restart proposal)",kind:"reject_restart"},{number:"3",label:"Abort task",kind:"abort_task"}];ft=Fe});var Dn={};$e(Dn,{V1_ORCHESTRATION_OPTIONS:()=>Te,V1_ORCHESTRATION_PROMPT_KIND:()=>mt,applyPerSessionOrchestrationOverride:()=>tt,detectInstalledAgents:()=>z,mapOptionNumberToUserDecisionKind:()=>Fe,mapOptionToUserDecisionKind:()=>ft,mapV1KindToWire:()=>yt,pushDetectedAgents:()=>et,runOrchestrationCli:()=>pt});var Yt=h(()=>{"use strict";rt();Tn();Cn()});var $s={};$e($s,{AgentType:()=>Rr,AppSyncClient:()=>j,AuditKeys:()=>nr,AuthService:()=>he,CryptoError:()=>oe,CryptoService:()=>me,DeliveryStatus:()=>Er,ENCRYPTION_VERSION:()=>Tt,EventSource:()=>Pt,EventType:()=>br,KeychainError:()=>M,KeychainManager:()=>ce,Logger:()=>ie,Reviewer:()=>jt,ReviewerRole:()=>Xe,SessionStatus:()=>Ye,UserDecisionKind:()=>Tr,V1_ORCHESTRATION_OPTIONS:()=>Te,V1_ORCHESTRATION_PROMPT_KIND:()=>mt,applyPerSessionOrchestrationOverride:()=>tt,authService:()=>q,createLogger:()=>St,cryptoService:()=>K,detectInstalledAgents:()=>z,errorWasBeaconed:()=>We,fireAuthCompletedBeacon:()=>Ne,fireAuthFailedBeacon:()=>D,getConfig:()=>I,getEnvironment:()=>U,getErrorReason:()=>Nt,keychainManager:()=>v,loadConfig:()=>Ge,logger:()=>c,mapOptionNumberToUserDecisionKind:()=>Fe,mapOptionToUserDecisionKind:()=>ft,mapV1KindToWire:()=>yt,markErrorBeaconed:()=>N,mutations:()=>P,normalizeSnapshot:()=>Zt,parseInteractivePrompt:()=>$n,prepareSessionEncryption:()=>vt,pushDetectedAgents:()=>et,queries:()=>F,registerDeviceEncryptionKey:()=>rr,rekeySessionForNewDevices:()=>pe,resumeOrCreateSession:()=>er,runAuthCli:()=>ht,runOrchestrationCli:()=>pt,startDeviceKeyWatcher:()=>tr,subscriptions:()=>Q});module.exports=or($s);X();Pe();Qe();Qe();var Nr=k(require("crypto")),Wr=k(require("fs")),Lt=k(require("http")),Lr=require("child_process");fe();X();J();Dt();var Dr=k(require("crypto")),$r=k(require("https")),Ze=k(require("os")),Qn="G-GS74YEQTB8",Zn="lAfOF6OxRzSQ-NsLBRjhAg",ei="www.google-analytics.com",ti=`/mp/collect?measurement_id=${Qn}&api_secret=${Zn}`,ri={port_in_use:"server_start",server_listen_failed:"server_start",browser_open_failed:"browser_open",login_timeout:"awaiting_callback",cognito_rejected:"awaiting_callback",state_mismatch:"awaiting_callback",no_authorization_code:"awaiting_callback",token_exchange_failed:"exchanging_code",token_exchange_network_error:"exchanging_code",keychain_write_failed:"storing_tokens",user_aborted:"unknown",unknown:"unknown"};function ni(){let t=typeof process.getuid=="function"?process.getuid():0;return Dr.createHash("sha256").update(`${Ze.hostname()}-${t}`).digest("hex").substring(0,36)}function Pr(){return{platform:process.platform,source:process.env.CODEVIBE_TELEMETRY_SOURCE||"production"}}async function Or(t,e){try{let r=JSON.stringify({client_id:ni(),events:[{name:t,params:e}]});await new Promise(n=>{let i=$r.request({hostname:ei,path:ti,method:"POST",headers:{"Content-Type":"application/json"}},()=>n());i.on("error",()=>n()),i.write(r),i.end(),setTimeout(n,2e3)})}catch{}}async function Ne(t){await Or("auth_completed",{...Pr(),user_id:t})}function Kr(t){if(!t)return"";let e=t.replace(/\x1b\[[0-9;]*[a-zA-Z]/g,"").replace(/\\/g,"/").replace(/[\n\r\t"]/g," ").replace(/[^\x20-\x7E]/g,"").trim(),r=[process.env.HOME,process.env.USERPROFILE,(()=>{try{return Ze.homedir()}catch{return}})()].filter(n=>typeof n=="string"&&n.length>0).map(n=>n.replace(/\\/g,"/"));for(let n of r){let i=n.replace(/[.*+?^${}()|[\]\\]/g,"\\$&");e=e.replace(new RegExp(i,"g"),"~")}return e.replace(/\/Users\/[^/ ]+/g,"/Users/<user>").replace(/\/home\/[^/ ]+/g,"/home/<user>").replace(/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,"<email>")}function ii(t){return Kr(t).substring(0,100)}function si(t){return Kr(t).substring(100,200)}async function D(t,e){let r={...Pr(),reason:t,stage:e?.stage??ri[t]};if(typeof e?.httpStatus=="number"&&(r.http_status=e.httpStatus),e?.errorFragment){let n=ii(e.errorFragment),i=si(e.errorFragment);n&&(r.error_fragment=n),i&&(r.error_fragment_2=i)}await Or("auth_failed",r)}var Ut=Symbol.for("codevibe.auth.beaconed"),Ur=Symbol.for("codevibe.auth.failureReason");function N(t,e){try{Object.defineProperty(t,Ut,{value:!0,enumerable:!1,configurable:!0,writable:!1}),Object.defineProperty(t,Ur,{value:e,enumerable:!1,configurable:!0,writable:!1})}catch{}return t}function We(t){return!!(t&&typeof t=="object"&&t[Ut])}function Nt(t){if(t&&typeof t=="object"&&t[Ut]){let e=t[Ur];if(typeof e=="string")return e}}var Le=8080,zr="/callback",Wt=`http://localhost:${Le}${zr}`,he=class t{constructor(){}static getInstance(){return t.instance||(t.instance=new t),t.instance}openBrowser(e){console.error(""),console.error("Opening your browser for sign-in..."),this.isRunningInWSL()?console.error("If your browser does not open, paste this URL in your Windows browser:"):console.error("If your browser does not open automatically, visit this URL:"),console.error(`  ${e}`),console.error("");let r=this.getBrowserCommands();this.tryBrowserCommand(r,e,0)}getBrowserCommands(){let e=process.platform;if(e==="darwin")return[{cmd:"open",fixedArgs:[]}];if(e==="win32")return[{cmd:"cmd",fixedArgs:["/c","start",""]}];let r=[];return this.isRunningInWSL()&&(r.push({cmd:"wslview",fixedArgs:[]}),r.push({cmd:"cmd.exe",fixedArgs:["/c","start",""]}),r.push({cmd:"powershell.exe",fixedArgs:["-NoProfile","-Command","Start-Process"]})),r.push({cmd:"xdg-open",fixedArgs:[]}),r}isRunningInWSL(){if(process.platform!=="linux")return!1;try{let e=Wr.readFileSync("/proc/sys/kernel/osrelease","utf8");return/microsoft|wsl/i.test(e)}catch{return!1}}tryBrowserCommand(e,r,n){if(n>=e.length){c.debug("[AuthService] No browser-opening command succeeded. User must open the sign-in URL manually (printed to stderr above)."),console.error(""),console.error("\u26A0\uFE0F  Could not open browser automatically."),this.isRunningInWSL()?console.error("   WSL detected \u2014 paste this URL in your Windows browser:"):console.error("   Please copy and paste this URL into your browser:"),console.error(`   ${r}`),console.error("");return}let i=e[n],s=[...i.fixedArgs,r],o=!1,a=u=>{o||(o=!0,c.debug(`[AuthService] Browser command '${i.cmd}' ${u}; trying next fallback`),this.tryBrowserCommand(e,r,n+1))},d=u=>{o||(o=!0,c.debug(`[AuthService] Browser command '${i.cmd}' ${u}`))},l;try{l=(0,Lr.spawn)(i.cmd,s,{detached:!0,stdio:"ignore"})}catch(u){a(`threw synchronously: ${u?.message||u}`);return}l.on("error",u=>{a(`failed to spawn: ${u?.message||u}`)}),l.on("exit",(u,w)=>{u===0?d("exited successfully"):a(w?`terminated by signal ${w}`:`exited with code ${u}`)}),setTimeout(()=>{d("still running after 3s, assuming success")},3e3).unref(),l.unref()}generateState(){return Nr.randomBytes(32).toString("hex")}buildAuthUrl(e){let r=I(),n=new URLSearchParams({client_id:r.aws.cognitoClientId,response_type:"code",scope:"email openid profile",redirect_uri:Wt,state:e});return`https://${r.aws.cognitoDomain}/oauth2/authorize?${n.toString()}`}async exchangeCodeForTokens(e){let r=I(),n=`https://${r.aws.cognitoDomain}/oauth2/token`,i=new URLSearchParams({grant_type:"authorization_code",client_id:r.aws.cognitoClientId,code:e,redirect_uri:Wt}),s;try{s=await ye(n,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:i.toString()},"Token exchange")}catch(a){throw await D("token_exchange_network_error"),N(a,"token_exchange_network_error"),a}if(!s.ok){let a=await s.text(),d=new Error(`Token exchange failed: ${s.status} ${a}`);throw await D("token_exchange_failed",{httpStatus:s.status}),N(d,"token_exchange_failed"),d}let o=await s.json();return{accessToken:o.access_token,idToken:o.id_token,refreshToken:o.refresh_token,expiresIn:o.expires_in}}decodeJwt(e){let r=e.split(".");if(r.length!==3)throw new Error("Invalid JWT");return JSON.parse(Buffer.from(r[1],"base64").toString("utf-8"))}async refreshTokens(e){let r=I(),n=`https://${r.aws.cognitoDomain}/oauth2/token`,i=new URLSearchParams({grant_type:"refresh_token",client_id:r.aws.cognitoClientId,refresh_token:e}),s=await ye(n,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:i.toString()},"Token refresh");if(!s.ok)throw new Error(`Token refresh failed: ${s.status}`);let o=await s.json();return{accessToken:o.access_token,idToken:o.id_token,expiresIn:o.expires_in}}async login(){let e=await v.getTokens(U());if(e&&!v.isTokenExpired(e))return e;let r=this.generateState(),n=this.buildAuthUrl(r);return new Promise((i,s)=>{let o=Lt.createServer(async(a,d)=>{if(!a.url?.startsWith(zr)){d.writeHead(404),d.end("Not found");return}try{let l=new URL(a.url,`http://localhost:${Le}`),p=l.searchParams.get("code"),u=l.searchParams.get("state"),w=l.searchParams.get("error");if(w){let y=new Error(`OAuth error: ${w}`);throw await D("cognito_rejected"),N(y,"cognito_rejected"),y}if(u!==r){let y=new Error("State mismatch");throw await D("state_mismatch"),N(y,"state_mismatch"),y}if(!p){let y=new Error("No authorization code");throw await D("no_authorization_code"),N(y,"no_authorization_code"),y}let S=await this.exchangeCodeForTokens(p),$=this.decodeJwt(S.idToken),A={accessToken:S.accessToken,idToken:S.idToken,refreshToken:S.refreshToken,expiresAt:Date.now()+S.expiresIn*1e3,userId:$.sub,email:$.email||"unknown"};try{await v.setTokens(A,U())}catch(y){throw await D("keychain_write_failed"),N(y,"keychain_write_failed"),y}d.writeHead(200,{"Content-Type":"text/html; charset=utf-8"}),d.end(`
+  `};var nt=(a=>(a.USER_PROMPT="USER_PROMPT",a.ASSISTANT_RESPONSE="ASSISTANT_RESPONSE",a.TOOL_USE="TOOL_USE",a.NOTIFICATION="NOTIFICATION",a.INTERACTIVE_PROMPT="INTERACTIVE_PROMPT",a.PROMPT_RESPONSE="PROMPT_RESPONSE",a.REASONING="REASONING",a))(nt||{}),xe=(t=>(t.DESKTOP="DESKTOP",t.MOBILE="MOBILE",t))(xe||{}),it=(r=>(r.SENT="SENT",r.DELIVERED="DELIVERED",r.EXECUTED="EXECUTED",r))(it||{});var he=(r=>(r.ACTIVE="ACTIVE",r.INACTIVE="INACTIVE",r.PAUSED="PAUSED",r))(he||{}),st=(r=>(r.CLAUDE="CLAUDE",r.GEMINI="GEMINI",r.CODEX="CODEX",r))(st||{});var k={urgentMaxAttempts:10,baseDelayMs:1e3,maxDelayMs:6e4,backoffMultiplier:2,persistentDelayMs:300*1e3},ne=class n{constructor(){this.authenticated=!1;this.currentUserId=null;this.currentEmail=null;this.tokens=null;this.activeSubscriptions=new Map;this.pendingRefresh=null;this.lastRefreshFailureAt=null;this.deviceKeyWatcher=null;this.sessionUpdateWatchers=new Map;this.heartbeatTimers=new Map;this.environment=I(),c.info("[AppSyncClient] Initialized",{environment:this.environment})}static{this.REFRESH_BACKOFF_MS=3e4}getCurrentUserId(){if(!this.currentUserId)throw new Error("Not authenticated. Call authenticateWithStoredTokens() first.");return this.currentUserId}getCurrentUserEmail(){return this.currentEmail}async authenticateWithStoredTokens(){try{let e=await y.getTokens(this.environment);if(!e)return c.debug("[AppSyncClient] No stored tokens found"),!1;if(c.info("[AppSyncClient] Found stored OAuth tokens",{userId:e.userId,email:e.email,expired:y.isTokenExpired(e)}),y.isTokenExpired(e)){if(c.info("[AppSyncClient] Tokens expired, attempting refresh..."),!await this.refreshTokens(e))return c.warn("[AppSyncClient] Token refresh failed"),!1}else this.tokens=e;return this.currentUserId=this.tokens.userId,this.currentEmail=this.tokens.email,this.authenticated=!0,c.info("[AppSyncClient] Authenticated successfully",{userId:this.currentUserId,email:this.currentEmail}),!0}catch(e){return c.error("[AppSyncClient] Authentication failed:",e),!1}}async refreshTokens(e){if(this.pendingRefresh)return this.pendingRefresh;if(this.lastRefreshFailureAt!==null&&Date.now()-this.lastRefreshFailureAt<n.REFRESH_BACKOFF_MS)return!1;this.pendingRefresh=this.performRefresh(e);try{return await this.pendingRefresh}finally{this.pendingRefresh=null}}async performRefresh(e){let t=await this.callCognitoRefresh(e.refreshToken);if(t!==null)return this.applyRefreshedTokens(e,t);let r=null;try{r=await y.getTokens(this.environment)}catch(i){c.warn("[AppSyncClient] Failed to re-read tokens from storage during refresh recovery",{error:i instanceof Error?i.message:String(i)})}if(r&&r.refreshToken&&r.refreshToken!==e.refreshToken){c.info("[AppSyncClient] In-memory refresh token rejected; retrying with storage-backed token (likely out-of-band re-auth)");let i=await this.callCognitoRefresh(r.refreshToken);if(i!==null)return this.applyRefreshedTokens(r,i)}return this.lastRefreshFailureAt=Date.now(),!1}async callCognitoRefresh(e){try{let t=w(),r=`https://${t.aws.cognitoDomain}/oauth2/token`,i=new URLSearchParams({grant_type:"refresh_token",client_id:t.aws.cognitoClientId,refresh_token:e}),s=await X(r,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:i.toString()},"Token refresh");return s.ok?await s.json():(c.error("[AppSyncClient] Token refresh failed",{status:s.status}),null)}catch(t){return c.error("[AppSyncClient] Token refresh error:",t),null}}async applyRefreshedTokens(e,t){let r={...e,accessToken:t.access_token,idToken:t.id_token,expiresAt:Date.now()+t.expires_in*1e3};this.tokens=r,this.lastRefreshFailureAt=null;try{await y.setTokens(r,this.environment),c.info("[AppSyncClient] Tokens refreshed",{expiresAt:new Date(r.expiresAt).toISOString()})}catch(i){c.warn("[AppSyncClient] Tokens refreshed but persistence failed; daemon keeps using fresh tokens in memory. A restart while persistence is still broken would lose them.",{error:i instanceof Error?i.message:String(i),expiresAt:new Date(r.expiresAt).toISOString()})}return!0}isAuthenticated(){return this.authenticated}signOut(){this.authenticated=!1,this.tokens=null,this.currentUserId=null,this.currentEmail=null,this.cleanupSubscriptions(),c.info("[AppSyncClient] Signed out")}async graphqlRequest(e,t,r=!1){let i=w();if(!this.tokens?.idToken)throw new Error('Not authenticated. Run "codevibe login" first.');let s={"Content-Type":"application/json",Authorization:this.tokens.idToken},o=await X(i.aws.appsyncUrl,{method:"POST",headers:s,body:JSON.stringify({query:e,variables:t})},"AppSync GraphQL request"),a=await o.json();if(o.status===401&&!r&&this.tokens){if(c.info("[AppSyncClient] 401 Unauthorized, refreshing token..."),await this.refreshTokens(this.tokens))return this.graphqlRequest(e,t,!0);throw new Error("Token expired and refresh failed")}if(!o.ok)throw new Error(`GraphQL request failed: ${o.status}`);if(a.errors?.length)throw new Error(`GraphQL error: ${a.errors[0].message}`);return a}async createSession(e){let t={...e,metadata:e.metadata?JSON.stringify(e.metadata):void 0},r=await this.graphqlRequest(C.createSession,{input:t});return c.info("[AppSyncClient] Session created",{sessionId:r.data.createSession.sessionId}),r.data.createSession}async updateSession(e){let t={...e,metadata:e.metadata?JSON.stringify(e.metadata):void 0},r=await this.graphqlRequest(C.updateSession,{input:t});return c.debug("[AppSyncClient] Session updated",{sessionId:r.data.updateSession.sessionId}),r.data.updateSession}async getSession(e){return(await this.graphqlRequest(U.getSession,{sessionId:e})).data.getSession}async createEvent(e){let t={...e,metadata:e.metadata?JSON.stringify(e.metadata):void 0},r=await this.graphqlRequest(C.createEvent,{input:t});return c.debug("[AppSyncClient] Event created",{eventId:r.data.createEvent.eventId,type:r.data.createEvent.type}),r.data.createEvent}async updateEventStatus(e){return(await this.graphqlRequest(C.updateEventStatus,{input:e})).data.updateEventStatus}async listEvents(e,t,r){return(await this.graphqlRequest(U.listEvents,{sessionId:e,source:t,limit:r})).data.listEvents.items}async listSessions(e=100){if(!this.currentUserId)throw new Error("Not authenticated");let t=[],r=null;do{let s=(await this.graphqlRequest(U.listSessions,{userId:this.currentUserId,limit:e,nextToken:r})).data?.listSessions;s?.items&&t.push(...s.items),r=s?.nextToken??null}while(r);return t}async sweepOrphanSessions(e){let t=e.staleThresholdMs??9e5,r=new Set(e.excludeSessionIds??[]),i=Date.now(),s;try{s=await this.listSessions()}catch(a){return c.warn("[AppSyncClient] OrphanSweep: listSessions failed, skipping sweep",{agentType:e.agentType,error:a instanceof Error?a.message:String(a)}),0}let o=0;for(let a of s){if(a.agentType!==e.agentType||a.status!=="ACTIVE"||r.has(a.sessionId)||!a.lastHeartbeatAt)continue;let d=i-new Date(a.lastHeartbeatAt).getTime();if(!(d<t)){c.warn("[AppSyncClient] OrphanSweep: marking stale session INACTIVE",{sessionId:a.sessionId,agentType:a.agentType,lastHeartbeatAt:a.lastHeartbeatAt,heartbeatAgeMinutes:Math.round(d/6e4)});try{await this.updateSession({sessionId:a.sessionId,status:"INACTIVE"}),o++}catch(l){c.warn("[AppSyncClient] OrphanSweep: updateSession failed, leaving row as-is",{sessionId:a.sessionId,error:l instanceof Error?l.message:String(l)})}}}return o>0&&c.info("[AppSyncClient] OrphanSweep complete",{agentType:e.agentType,swept:o}),o}async listUserDeviceKeys(){return(await this.graphqlRequest(U.listUserDeviceKeys,{})).data.listUserDeviceKeys||[]}async registerDeviceKey(e,t,r,i){let s={deviceId:e,publicKey:t,platform:r,deviceName:i};await this.graphqlRequest(C.registerDeviceKey,{input:s}),c.info("[AppSyncClient] Device key registered",{deviceId:e,platform:r})}async grantSessionKey(e){await this.graphqlRequest(C.grantSessionKey,{input:e}),c.info("[AppSyncClient] Session key granted",{sessionId:e.sessionId,deviceId:e.deviceId})}async getAttachmentDownloadUrl(e){return(await this.graphqlRequest(C.getAttachmentDownloadUrl,{s3Key:e})).data.getAttachmentDownloadUrl}subscribeToEvents(e,t,r){c.info("[AppSyncClient] Subscribing to events",{sessionId:e});let i=this.activeSubscriptions.get(e);i&&(this.cleanupSubscriptionState(i),this.activeSubscriptions.delete(e));let s={ws:null,subscriptionId:(0,J.v4)(),sessionId:e,onEvent:t,onError:r,reconnectAttempts:0,isReconnecting:!1,destroyed:!1};return this.activeSubscriptions.set(e,s),this.createSubscription(s),()=>{this.cleanupSubscriptionState(s),this.activeSubscriptions.delete(e)}}buildRealtimeUrl(){let e=w(),t=new URL(e.aws.appsyncUrl),i=/\.appsync-api\.[^.]+\.amazonaws\.com$/.test(t.host)?e.aws.appsyncUrl.replace("https://","wss://").replace("appsync-api","appsync-realtime-api"):`wss://${t.host}/graphql/realtime`,s={host:t.host};this.tokens?.idToken&&(s.Authorization=this.tokens.idToken);let o=Buffer.from(JSON.stringify(s)).toString("base64"),a=Buffer.from(JSON.stringify({})).toString("base64");return`${i}?header=${o}&payload=${a}`}createSubscription(e){let{sessionId:t,subscriptionId:r,onEvent:i,onError:s}=e;try{let o=this.buildRealtimeUrl(),a=new V.default(o,["graphql-ws"]);a.on("open",()=>{c.info("[AppSyncClient] WebSocket connected",{sessionId:t}),a.send(JSON.stringify({type:"connection_init"}))}),a.on("message",d=>{try{let l=JSON.parse(d.toString());switch(l.type){case"connection_ack":this.sendSubscriptionStart(a,e);break;case"start_ack":c.info("[AppSyncClient] Subscription started",{sessionId:t}),e.isReconnecting=!1,e.reconnectAttempts=0,this.startHeartbeat(t);break;case"data":this.resetKeepAliveTimer(e);let h=l.payload?.data?.onEventCreated;h&&h.source==="MOBILE"&&i(h);break;case"ka":this.resetKeepAliveTimer(e);break;case"error":let p=l.payload?.errors?.[0]?.message||"Unknown error";this.handleSubscriptionError(e,new Error(p));break}}catch(l){c.error("[AppSyncClient] Failed to parse message",{error:l})}}),a.on("error",d=>{c.error("[AppSyncClient] WebSocket error",{sessionId:t,error:d.message}),this.handleSubscriptionError(e,d)}),a.on("close",(d,l)=>{c.info("[AppSyncClient] WebSocket closed",{sessionId:t,code:d}),e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),!e.destroyed&&this.activeSubscriptions.get(t)===e&&this.handleSubscriptionError(e,new Error(`WebSocket closed: ${d}`))}),e.ws=a,this.resetKeepAliveTimer(e)}catch(o){this.handleSubscriptionError(e,o)}}sendSubscriptionStart(e,t){let r=w(),{sessionId:i,subscriptionId:s}=t,o={host:new URL(r.aws.appsyncUrl).host};this.tokens?.idToken&&(o.Authorization=this.tokens.idToken),e.send(JSON.stringify({id:s,type:"start",payload:{data:JSON.stringify({query:H.onEventCreated,variables:{sessionId:i}}),extensions:{authorization:o}}}))}resetKeepAliveTimer(e){e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),e.keepAliveTimer=setTimeout(()=>{this.handleSubscriptionError(e,new Error("Keep-alive timeout"))},300*1e3)}handleSubscriptionError(e,t){let{sessionId:r,onError:i}=e;if(e.isReconnecting||!this.activeSubscriptions.has(r))return;e.isReconnecting=!0,e.reconnectAttempts++,this.stopHeartbeat(r);let s=e.reconnectAttempts<=k.urgentMaxAttempts,o;if(s?o=Math.min(k.baseDelayMs*Math.pow(k.backoffMultiplier,e.reconnectAttempts-1),k.maxDelayMs):(o=k.persistentDelayMs,e.reconnectAttempts===k.urgentMaxAttempts+1&&c.info("[AppSyncClient] Switching to persistent reconnect (every 5min)",{sessionId:r})),c.info("[AppSyncClient] Scheduling reconnect",{sessionId:r,attempt:e.reconnectAttempts,phase:s?"urgent":"persistent",delayMs:o}),e.ws){try{e.ws.close(1e3)}catch{}e.ws=null}e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),e.reconnectTimer=setTimeout(async()=>{if(e.isReconnecting=!1,e.destroyed||this.activeSubscriptions.get(r)!==e){c.info("[AppSyncClient] Reconnect skipped \u2014 state is no longer canonical",{sessionId:r});return}try{let a=await y.getTokens(this.environment);a&&(y.isTokenExpired(a)?await this.refreshTokens(a)&&c.info("[AppSyncClient] Tokens refreshed before reconnect",{sessionId:r}):this.tokens=a)}catch{c.warn("[AppSyncClient] Token refresh failed before reconnect, using existing tokens",{sessionId:r})}if(e.destroyed||this.activeSubscriptions.get(r)!==e){c.info("[AppSyncClient] Reconnect skipped after token refresh \u2014 state no longer canonical",{sessionId:r});return}e.subscriptionId=(0,J.v4)(),this.createSubscription(e)},o)}cleanupSubscriptionState(e){if(e.destroyed=!0,e.reconnectTimer&&(clearTimeout(e.reconnectTimer),e.reconnectTimer=void 0),e.keepAliveTimer&&(clearTimeout(e.keepAliveTimer),e.keepAliveTimer=void 0),e.ws){try{e.ws.readyState===V.default.OPEN&&e.ws.send(JSON.stringify({id:e.subscriptionId,type:"stop"}))}catch{}try{e.ws.close(1e3)}catch{}try{e.ws.removeAllListeners()}catch{}e.ws=null}}subscribeToDeviceKeyRegistered(e,t,r,i){c.info("[AppSyncClient] Subscribing to device key registrations",{userId:e}),this.deviceKeyWatcher&&this.stopDeviceKeyWatcherInternal();let s={userId:e,subscriptionId:(0,J.v4)(),ws:null,onNewDevice:t,onReconnect:r,onError:i,reconnectAttempts:0,isReconnecting:!1,destroyed:!1};return this.deviceKeyWatcher=s,this.createDeviceKeyWatcherConnection(s),()=>{this.stopDeviceKeyWatcherInternal()}}stopDeviceKeyWatcher(){this.stopDeviceKeyWatcherInternal()}stopDeviceKeyWatcherInternal(){let e=this.deviceKeyWatcher;if(e){if(e.destroyed=!0,e.reconnectTimer&&(clearTimeout(e.reconnectTimer),e.reconnectTimer=void 0),e.keepAliveTimer&&(clearTimeout(e.keepAliveTimer),e.keepAliveTimer=void 0),e.ws){try{e.ws.readyState===V.default.OPEN&&e.ws.send(JSON.stringify({id:e.subscriptionId,type:"stop"}))}catch{}try{e.ws.close(1e3)}catch{}try{e.ws.removeAllListeners()}catch{}e.ws=null}this.deviceKeyWatcher=null,c.info("[AppSyncClient] Device key watcher stopped")}}createDeviceKeyWatcherConnection(e){try{let t=this.buildRealtimeUrl(),r=new V.default(t,["graphql-ws"]);r.on("open",()=>{c.info("[AppSyncClient] Device key watcher WebSocket connected",{userId:e.userId}),r.send(JSON.stringify({type:"connection_init"}))}),r.on("message",i=>{try{let s=JSON.parse(i.toString());switch(s.type){case"connection_ack":this.sendDeviceKeyWatcherStart(r,e);break;case"start_ack":c.info("[AppSyncClient] Device key watcher subscription started",{userId:e.userId});let o=e.isReconnecting;if(e.isReconnecting=!1,e.reconnectAttempts=0,o&&e.onReconnect)try{e.onReconnect()}catch(l){c.warn("[AppSyncClient] Device key watcher onReconnect handler threw",{error:l})}break;case"data":this.resetDeviceKeyWatcherKeepAlive(e);let a=s.payload?.data?.onDeviceKeyRegistered;if(a){c.info("[AppSyncClient] Device key registration observed",{userId:e.userId,newDeviceId:a.deviceId,platform:a.platform});try{e.onNewDevice(a)}catch(l){c.warn("[AppSyncClient] Device key watcher onNewDevice handler threw",{error:l})}}break;case"ka":this.resetDeviceKeyWatcherKeepAlive(e);break;case"error":let d=s.payload?.errors?.[0]?.message||"Unknown error";this.handleDeviceKeyWatcherError(e,new Error(d));break}}catch(s){c.error("[AppSyncClient] Failed to parse device key watcher message",{error:s})}}),r.on("error",i=>{c.error("[AppSyncClient] Device key watcher WebSocket error",{userId:e.userId,error:i.message}),this.handleDeviceKeyWatcherError(e,i)}),r.on("close",i=>{c.info("[AppSyncClient] Device key watcher WebSocket closed",{userId:e.userId,code:i}),e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),!e.destroyed&&this.deviceKeyWatcher===e&&this.handleDeviceKeyWatcherError(e,new Error(`WebSocket closed: ${i}`))}),e.ws=r,this.resetDeviceKeyWatcherKeepAlive(e)}catch(t){this.handleDeviceKeyWatcherError(e,t)}}sendDeviceKeyWatcherStart(e,t){let r=w(),{userId:i,subscriptionId:s}=t,o={host:new URL(r.aws.appsyncUrl).host};this.tokens?.idToken&&(o.Authorization=this.tokens.idToken),e.send(JSON.stringify({id:s,type:"start",payload:{data:JSON.stringify({query:H.onDeviceKeyRegistered,variables:{userId:i}}),extensions:{authorization:o}}}))}resetDeviceKeyWatcherKeepAlive(e){e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),e.keepAliveTimer=setTimeout(()=>{this.handleDeviceKeyWatcherError(e,new Error("Device key watcher keep-alive timeout"))},300*1e3)}handleDeviceKeyWatcherError(e,t){if(e.isReconnecting||e.destroyed||this.deviceKeyWatcher!==e)return;if(e.isReconnecting=!0,e.reconnectAttempts++,e.onError)try{e.onError(t)}catch{}if(e.ws){try{e.ws.removeAllListeners()}catch{}try{e.ws.close(1e3)}catch{}e.ws=null}e.keepAliveTimer&&(clearTimeout(e.keepAliveTimer),e.keepAliveTimer=void 0);let i=e.reconnectAttempts<=k.urgentMaxAttempts?Math.min(k.baseDelayMs*Math.pow(k.backoffMultiplier,e.reconnectAttempts-1),k.maxDelayMs):k.persistentDelayMs;c.warn("[AppSyncClient] Device key watcher reconnect scheduled",{userId:e.userId,attempts:e.reconnectAttempts,delayMs:i,error:t.message}),e.reconnectTimer=setTimeout(async()=>{if(e.isReconnecting=!1,e.destroyed||this.deviceKeyWatcher!==e){c.info("[AppSyncClient] Device key watcher reconnect skipped \u2014 state no longer canonical",{userId:e.userId});return}try{let s=await y.getTokens(this.environment);s&&(y.isTokenExpired(s)?await this.refreshTokens(s)&&c.info("[AppSyncClient] Tokens refreshed before device key watcher reconnect",{userId:e.userId}):this.tokens=s)}catch{c.warn("[AppSyncClient] Token refresh failed before device key watcher reconnect, using existing tokens",{userId:e.userId})}e.destroyed||this.deviceKeyWatcher!==e||(e.subscriptionId=(0,J.v4)(),this.createDeviceKeyWatcherConnection(e))},i)}watchForMobileEnd(e,t){c.info("[AppSyncClient] Starting mobile-end watcher",{sessionId:e});let r=this.sessionUpdateWatchers.get(e);r&&(c.info("[AppSyncClient] Replacing existing mobile-end watcher",{sessionId:e}),this.cleanupSessionUpdateWatcherState(r),this.sessionUpdateWatchers.delete(e));let i={sessionId:e,subscriptionId:(0,J.v4)(),ws:null,onMobileEndRequested:t,priorStatus:"ACTIVE",firedOnce:!1,reconnectAttempts:0,isReconnecting:!1,destroyed:!1};return this.sessionUpdateWatchers.set(e,i),this.createSessionUpdateWatcherConnection(i),{stop:()=>{this.sessionUpdateWatchers.get(e)===i&&(this.cleanupSessionUpdateWatcherState(i),this.sessionUpdateWatchers.delete(e),c.info("[AppSyncClient] Mobile-end watcher stopped",{sessionId:e}))}}}createSessionUpdateWatcherConnection(e){try{let t=this.buildRealtimeUrl(),r=new V.default(t,["graphql-ws"]);r.on("open",()=>{c.info("[AppSyncClient] Mobile-end watcher WebSocket connected",{sessionId:e.sessionId}),r.send(JSON.stringify({type:"connection_init"}))}),r.on("message",i=>{try{let s=JSON.parse(i.toString());switch(s.type){case"connection_ack":this.sendSessionUpdateWatcherStart(r,e);break;case"start_ack":c.info("[AppSyncClient] Mobile-end watcher subscription started",{sessionId:e.sessionId}),e.isReconnecting=!1,e.reconnectAttempts=0;break;case"data":this.resetSessionUpdateWatcherKeepAlive(e),this.handleSessionUpdatePayload(e,s.payload);break;case"ka":this.resetSessionUpdateWatcherKeepAlive(e);break;case"error":let o=s.payload?.errors?.[0]?.message||"Unknown error";this.handleSessionUpdateWatcherError(e,new Error(o));break}}catch(s){c.error("[AppSyncClient] Failed to parse mobile-end watcher message",{error:s})}}),r.on("error",i=>{c.error("[AppSyncClient] Mobile-end watcher WebSocket error",{sessionId:e.sessionId,error:i.message}),this.handleSessionUpdateWatcherError(e,i)}),r.on("close",i=>{c.info("[AppSyncClient] Mobile-end watcher WebSocket closed",{sessionId:e.sessionId,code:i}),e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),!e.destroyed&&this.sessionUpdateWatchers.get(e.sessionId)===e&&this.handleSessionUpdateWatcherError(e,new Error(`WebSocket closed: ${i}`))}),e.ws=r,this.resetSessionUpdateWatcherKeepAlive(e)}catch(t){this.handleSessionUpdateWatcherError(e,t)}}handleSessionUpdatePayload(e,t){let r=t?.data?.onSessionUpdated;if(!r){c.warn("[AppSyncClient] Mobile-end watcher received malformed payload",{sessionId:e.sessionId});return}if(e.firedOnce)return;let i=r.status;if(i==null){c.debug("[AppSyncClient] Mobile-end watcher skipped non-status payload",{sessionId:e.sessionId});return}if(e.priorStatus==="ACTIVE"&&i==="INACTIVE"){e.firedOnce=!0,e.priorStatus="INACTIVE",c.info("[AppSyncClient] Mobile end requested for session",{sessionId:e.sessionId}),Promise.resolve().then(()=>e.onMobileEndRequested()).catch(s=>{c.warn("[AppSyncClient] Mobile-end callback threw",{sessionId:e.sessionId,error:s})});return}e.priorStatus=i}sendSessionUpdateWatcherStart(e,t){let r=w(),{sessionId:i,subscriptionId:s}=t,o={host:new URL(r.aws.appsyncUrl).host};this.tokens?.idToken&&(o.Authorization=this.tokens.idToken),e.send(JSON.stringify({id:s,type:"start",payload:{data:JSON.stringify({query:H.onSessionUpdated,variables:{sessionId:i}}),extensions:{authorization:o}}}))}resetSessionUpdateWatcherKeepAlive(e){e.keepAliveTimer&&clearTimeout(e.keepAliveTimer),e.keepAliveTimer=setTimeout(()=>{this.handleSessionUpdateWatcherError(e,new Error("Mobile-end watcher keep-alive timeout"))},300*1e3)}handleSessionUpdateWatcherError(e,t){if(e.isReconnecting||e.destroyed||this.sessionUpdateWatchers.get(e.sessionId)!==e)return;if(e.isReconnecting=!0,e.reconnectAttempts++,e.ws){try{e.ws.removeAllListeners()}catch{}try{e.ws.close(1e3)}catch{}e.ws=null}e.keepAliveTimer&&(clearTimeout(e.keepAliveTimer),e.keepAliveTimer=void 0);let i=e.reconnectAttempts<=k.urgentMaxAttempts?Math.min(k.baseDelayMs*Math.pow(k.backoffMultiplier,e.reconnectAttempts-1),k.maxDelayMs):k.persistentDelayMs;c.warn("[AppSyncClient] Mobile-end watcher reconnect scheduled",{sessionId:e.sessionId,attempts:e.reconnectAttempts,delayMs:i,error:t.message}),e.reconnectTimer=setTimeout(async()=>{if(e.isReconnecting=!1,!(e.destroyed||this.sessionUpdateWatchers.get(e.sessionId)!==e)){try{let s=await y.getTokens(this.environment);s&&(y.isTokenExpired(s)?await this.refreshTokens(s):this.tokens=s)}catch{c.warn("[AppSyncClient] Token refresh failed before mobile-end watcher reconnect",{sessionId:e.sessionId})}e.destroyed||this.sessionUpdateWatchers.get(e.sessionId)!==e||(e.subscriptionId=(0,J.v4)(),this.createSessionUpdateWatcherConnection(e))}},i)}cleanupSessionUpdateWatcherState(e){if(e.destroyed=!0,e.reconnectTimer&&(clearTimeout(e.reconnectTimer),e.reconnectTimer=void 0),e.keepAliveTimer&&(clearTimeout(e.keepAliveTimer),e.keepAliveTimer=void 0),e.ws){try{e.ws.readyState===V.default.OPEN&&e.ws.send(JSON.stringify({id:e.subscriptionId,type:"stop"}))}catch{}try{e.ws.close(1e3)}catch{}try{e.ws.removeAllListeners()}catch{}e.ws=null}}startHeartbeat(e,t=120*1e3){this.stopHeartbeat(e),this.sendHeartbeat(e);let r=setInterval(()=>{this.sendHeartbeat(e)},t);this.heartbeatTimers.set(e,r),c.info("[AppSyncClient] Heartbeat started",{sessionId:e,intervalMs:t})}stopHeartbeat(e){let t=this.heartbeatTimers.get(e);t&&(clearInterval(t),this.heartbeatTimers.delete(e),c.info("[AppSyncClient] Heartbeat stopped",{sessionId:e}))}async sendHeartbeat(e){try{await this.updateSession({sessionId:e,lastHeartbeatAt:new Date().toISOString()}),c.debug("[AppSyncClient] Heartbeat sent",{sessionId:e})}catch(t){c.warn("[AppSyncClient] Heartbeat failed",{sessionId:e,error:t})}}cleanupSubscriptions(){this.activeSubscriptions.forEach(e=>{this.cleanupSubscriptionState(e)}),this.activeSubscriptions.clear(),this.stopDeviceKeyWatcherInternal(),this.sessionUpdateWatchers.forEach(e=>{this.cleanupSessionUpdateWatcherState(e)}),this.sessionUpdateWatchers.clear(),this.heartbeatTimers.forEach(e=>clearInterval(e)),this.heartbeatTimers.clear()}};var gt=v(require("crypto")),mt=v(require("fs")),Oe=v(require("http")),ft=require("child_process");Y();R();M();var _e=v(require("crypto")),ot=v(require("https")),at=v(require("os")),Mt="G-GS74YEQTB8",Bt="lAfOF6OxRzSQ-NsLBRjhAg",Ft="www.google-analytics.com",qt=`/mp/collect?measurement_id=${Mt}&api_secret=${Bt}`,Ht={port_in_use:"server_start",server_listen_failed:"server_start",browser_open_failed:"browser_open",login_timeout:"awaiting_callback",cognito_rejected:"awaiting_callback",state_mismatch:"awaiting_callback",no_authorization_code:"awaiting_callback",token_exchange_failed:"exchanging_code",token_exchange_network_error:"exchanging_code",keychain_write_failed:"storing_tokens",user_aborted:"unknown",unknown:"unknown"};function Vt(){let n=typeof process.getuid=="function"?process.getuid():0;return _e.createHash("sha256").update(`${at.hostname()}-${n}`).digest("hex").substring(0,36)}function $(){return{platform:process.platform,source:process.env.CODEVIBE_TELEMETRY_SOURCE||"production"}}async function L(n,e){try{let t=JSON.stringify({client_id:Vt(),events:[{name:n,params:e}]});await new Promise(r=>{let i=ot.request({hostname:Ft,path:qt,method:"POST",headers:{"Content-Type":"application/json"}},()=>r());i.on("error",()=>r()),i.write(t),i.end(),setTimeout(r,2e3)})}catch{}}async function ie(n){await L("auth_completed",{...$(),user_id:n})}async function b(n,e){let t={...$(),reason:n,stage:e?.stage??Ht[n]};if(typeof e?.httpStatus=="number"&&(t.http_status=e.httpStatus),e?.errorFragment){let{homedir:r}=await import("os"),i=e.errorFragment.replace(/\x1b\[[0-9;]*[a-zA-Z]/g,"").replace(/\\/g,"/").replace(/[\n\r\t"]/g," ").replace(/[^\x20-\x7E]/g,"").trim(),s=[process.env.HOME,process.env.USERPROFILE,(()=>{try{return r()}catch{return}})()].filter(d=>typeof d=="string"&&d.length>0).map(d=>d.replace(/\\/g,"/"));for(let d of s){let l=d.replace(/[.*+?^${}()|[\]\\]/g,"\\$&");i=i.replace(new RegExp(l,"g"),"~")}i=i.replace(/\/Users\/[^/ ]+/g,"/Users/<user>").replace(/\/home\/[^/ ]+/g,"/home/<user>").replace(/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,"<email>");let o=i.substring(0,100),a=i.substring(100,200);o&&(t.error_fragment=o),a&&(t.error_fragment_2=a)}await L("auth_failed",t)}var Ke=Symbol.for("codevibe.auth.beaconed"),ct=Symbol.for("codevibe.auth.failureReason");function A(n,e){try{Object.defineProperty(n,Ke,{value:!0,enumerable:!1,configurable:!0,writable:!1}),Object.defineProperty(n,ct,{value:e,enumerable:!1,configurable:!0,writable:!1})}catch{}return n}function se(n){return!!(n&&typeof n=="object"&&n[Ke])}function Re(n){if(n&&typeof n=="object"&&n[Ke]){let e=n[ct];if(typeof e=="string")return e}}function Z(n){return n<=0?"0":n===1?"1":n<=5?"2-5":"6+"}function ge(n){return _e.createHash("sha256").update(n).digest("hex").slice(0,8)}async function dt(n){return L("session_encryption_device_skipped",{...$(),...n})}async function lt(n){return L("session_encryption_partial_success",{...$(),...n})}async function pt(n){return L("session_encryption_catch_up_grant",{...$(),...n})}async function ut(n){return L("session_encryption_self_rekey_request",{...$(),...n})}async function yt(n){return L("session_encryption_self_rekey_success",{...$(),...n})}async function ht(n){return L("session_encryption_self_rekey_timeout",{...$(),...n})}var oe=8080,vt="/callback",Pe=`http://localhost:${oe}${vt}`,Q=class n{constructor(){}static getInstance(){return n.instance||(n.instance=new n),n.instance}openBrowser(e){console.error(""),console.error("Opening your browser for sign-in..."),this.isRunningInWSL()?console.error("If your browser does not open, paste this URL in your Windows browser:"):console.error("If your browser does not open automatically, visit this URL:"),console.error(`  ${e}`),console.error("");let t=this.getBrowserCommands();this.tryBrowserCommand(t,e,0)}getBrowserCommands(){let e=process.platform;if(e==="darwin")return[{cmd:"open",fixedArgs:[]}];if(e==="win32")return[{cmd:"cmd",fixedArgs:["/c","start",""]}];let t=[];return this.isRunningInWSL()&&(t.push({cmd:"wslview",fixedArgs:[]}),t.push({cmd:"cmd.exe",fixedArgs:["/c","start",""]}),t.push({cmd:"powershell.exe",fixedArgs:["-NoProfile","-Command","Start-Process"]})),t.push({cmd:"xdg-open",fixedArgs:[]}),t}isRunningInWSL(){if(process.platform!=="linux")return!1;try{let e=mt.readFileSync("/proc/sys/kernel/osrelease","utf8");return/microsoft|wsl/i.test(e)}catch{return!1}}tryBrowserCommand(e,t,r){if(r>=e.length){c.debug("[AuthService] No browser-opening command succeeded. User must open the sign-in URL manually (printed to stderr above)."),console.error(""),console.error("\u26A0\uFE0F  Could not open browser automatically."),this.isRunningInWSL()?console.error("   WSL detected \u2014 paste this URL in your Windows browser:"):console.error("   Please copy and paste this URL into your browser:"),console.error(`   ${t}`),console.error("");return}let i=e[r],s=[...i.fixedArgs,t],o=!1,a=p=>{o||(o=!0,c.debug(`[AuthService] Browser command '${i.cmd}' ${p}; trying next fallback`),this.tryBrowserCommand(e,t,r+1))},d=p=>{o||(o=!0,c.debug(`[AuthService] Browser command '${i.cmd}' ${p}`))},l;try{l=(0,ft.spawn)(i.cmd,s,{detached:!0,stdio:"ignore"})}catch(p){a(`threw synchronously: ${p?.message||p}`);return}l.on("error",p=>{a(`failed to spawn: ${p?.message||p}`)}),l.on("exit",(p,g)=>{p===0?d("exited successfully"):a(g?`terminated by signal ${g}`:`exited with code ${p}`)}),setTimeout(()=>{d("still running after 3s, assuming success")},3e3).unref(),l.unref()}generateState(){return gt.randomBytes(32).toString("hex")}buildAuthUrl(e){let t=w(),r=new URLSearchParams({client_id:t.aws.cognitoClientId,response_type:"code",scope:"email openid profile",redirect_uri:Pe,state:e});return`https://${t.aws.cognitoDomain}/oauth2/authorize?${r.toString()}`}async exchangeCodeForTokens(e){let t=w(),r=`https://${t.aws.cognitoDomain}/oauth2/token`,i=new URLSearchParams({grant_type:"authorization_code",client_id:t.aws.cognitoClientId,code:e,redirect_uri:Pe}),s;try{s=await X(r,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:i.toString()},"Token exchange")}catch(a){throw await b("token_exchange_network_error"),A(a,"token_exchange_network_error"),a}if(!s.ok){let a=await s.text(),d=new Error(`Token exchange failed: ${s.status} ${a}`);throw await b("token_exchange_failed",{httpStatus:s.status}),A(d,"token_exchange_failed"),d}let o=await s.json();return{accessToken:o.access_token,idToken:o.id_token,refreshToken:o.refresh_token,expiresIn:o.expires_in}}decodeJwt(e){let t=e.split(".");if(t.length!==3)throw new Error("Invalid JWT");return JSON.parse(Buffer.from(t[1],"base64").toString("utf-8"))}async refreshTokens(e){let t=w(),r=`https://${t.aws.cognitoDomain}/oauth2/token`,i=new URLSearchParams({grant_type:"refresh_token",client_id:t.aws.cognitoClientId,refresh_token:e}),s=await X(r,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:i.toString()},"Token refresh");if(!s.ok)throw new Error(`Token refresh failed: ${s.status}`);let o=await s.json();return{accessToken:o.access_token,idToken:o.id_token,expiresIn:o.expires_in}}async login(){let e=await y.getTokens(I());if(e&&!y.isTokenExpired(e))return e;let t=this.generateState(),r=this.buildAuthUrl(t);return new Promise((i,s)=>{let o=Oe.createServer(async(a,d)=>{if(!a.url?.startsWith(vt)){d.writeHead(404),d.end("Not found");return}try{let l=new URL(a.url,`http://localhost:${oe}`),h=l.searchParams.get("code"),p=l.searchParams.get("state"),g=l.searchParams.get("error");if(g){let S=new Error(`OAuth error: ${g}`);throw await b("cognito_rejected"),A(S,"cognito_rejected"),S}if(p!==t){let S=new Error("State mismatch");throw await b("state_mismatch"),A(S,"state_mismatch"),S}if(!h){let S=new Error("No authorization code");throw await b("no_authorization_code"),A(S,"no_authorization_code"),S}let f=await this.exchangeCodeForTokens(h),O=this.decodeJwt(f.idToken),m={accessToken:f.accessToken,idToken:f.idToken,refreshToken:f.refreshToken,expiresAt:Date.now()+f.expiresIn*1e3,userId:O.sub,email:O.email||"unknown"};try{await y.setTokens(m,I())}catch(S){throw await b("keychain_write_failed"),A(S,"keychain_write_failed"),S}d.writeHead(200,{"Content-Type":"text/html; charset=utf-8"}),d.end(`
             <!DOCTYPE html>
             <html>
             <head><title>Success</title></head>
@@ -372,17 +211,17 @@ ${g.green}\u2713${g.reset} Orchestration enabled with tier-default reviewer pane
               <p>You can close this window.</p>
             </body>
             </html>
-          `),setTimeout(()=>{o.close(()=>i(A))},500)}catch(l){let p=String(l?.message||l).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;");d.writeHead(400,{"Content-Type":"text/html; charset=utf-8"}),d.end(`
+          `),setTimeout(()=>{o.close(()=>i(m))},500)}catch(l){let h=String(l?.message||l).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;");d.writeHead(400,{"Content-Type":"text/html; charset=utf-8"}),d.end(`
             <!DOCTYPE html>
             <html>
             <head><title>Error</title></head>
             <body style="font-family: system-ui; max-width: 720px; margin: 50px auto; padding: 0 16px;">
               <h1 style="color: #ef4444; text-align: center;">&#10007; Authentication Failed</h1>
-              <pre style="background: #f4f4f5; padding: 16px; border-radius: 8px; white-space: pre-wrap; word-wrap: break-word; font-size: 13px; line-height: 1.5;">${p}</pre>
+              <pre style="background: #f4f4f5; padding: 16px; border-radius: 8px; white-space: pre-wrap; word-wrap: break-word; font-size: 13px; line-height: 1.5;">${h}</pre>
               <p style="text-align: center; color: #71717a; margin-top: 24px;">You can close this window and try again in your terminal.</p>
             </body>
             </html>
-          `),setTimeout(()=>{o.close(()=>s(l))},500)}});o.on("error",async a=>{if(a.code==="EADDRINUSE"){let d=new Error(`Port ${Le} is in use`);await D("port_in_use"),N(d,"port_in_use"),s(d)}else await D("server_listen_failed"),N(a,"server_listen_failed"),s(a)}),o.listen(Le,"localhost",()=>{c.info("[AuthService] Callback server started"),this.openBrowser(n)}),setTimeout(async()=>{let a=new Error("Login timeout");await D("login_timeout"),N(a,"login_timeout"),o.close(()=>s(a))},120*1e3)})}async logout(){let e=I(),r=await v.deleteTokens(U());return r&&new Promise(n=>{let i=Lt.createServer((s,o)=>{s.url?.startsWith("/signout")?(o.writeHead(200,{"Content-Type":"text/html; charset=utf-8"}),o.end(`
+          `),setTimeout(()=>{o.close(()=>s(l))},500)}});o.on("error",async a=>{if(a.code==="EADDRINUSE"){let d=new Error(`Port ${oe} is in use`);await b("port_in_use"),A(d,"port_in_use"),s(d)}else await b("server_listen_failed"),A(a,"server_listen_failed"),s(a)}),o.listen(oe,"localhost",()=>{c.info("[AuthService] Callback server started"),this.openBrowser(r)}),setTimeout(async()=>{let a=new Error("Login timeout");await b("login_timeout"),A(a,"login_timeout"),o.close(()=>s(a))},120*1e3)})}async logout(){let e=w(),t=await y.deleteTokens(I());return t&&new Promise(r=>{let i=Oe.createServer((s,o)=>{s.url?.startsWith("/signout")?(o.writeHead(200,{"Content-Type":"text/html; charset=utf-8"}),o.end(`
               <!DOCTYPE html>
               <html>
               <head><title>Signed Out</title></head>
@@ -391,27 +230,27 @@ ${g.green}\u2713${g.reset} Orchestration enabled with tier-default reviewer pane
                 <p>You can close this window.</p>
               </body>
               </html>
-            `),setTimeout(()=>{i.close(()=>n(!0))},500)):(o.writeHead(404),o.end("Not found"))});i.on("error",()=>{n(!0)}),i.listen(Le,"localhost",()=>{let s=`https://${e.aws.cognitoDomain}/logout?client_id=${e.aws.cognitoClientId}&logout_uri=${encodeURIComponent(Wt.replace("/callback","/signout"))}`;this.openBrowser(s)}),setTimeout(()=>{i.close(()=>n(!0))},30*1e3)})}async getStatus(){let e=await v.getTokens(U());return e?{authenticated:!v.isTokenExpired(e),tokens:e}:{authenticated:!1}}},q=he.getInstance();fe();var f={reset:"\x1B[0m",green:"\x1B[32m",red:"\x1B[31m",yellow:"\x1B[33m",cyan:"\x1B[36m",dim:"\x1B[2m"};async function as(){console.log(`${f.cyan}CodeVibe Login${f.reset}
-`);try{let t=await q.getStatus();if(t.authenticated&&t.tokens){console.log(`${f.yellow}Already logged in as: ${t.tokens.email}${f.reset}`),console.log(`Token expires: ${new Date(t.tokens.expiresAt).toLocaleString()}`),console.log(`
-Run '${f.dim}codevibe logout${f.reset}' to sign out first.`),process.exit(0);return}console.log("Opening browser for authentication..."),console.log(`${f.dim}Waiting for callback...${f.reset}
-`);let e=await q.login();e&&(console.log(`
-${f.green}\u2713 Authentication successful!${f.reset}`),console.log(`  User: ${e.email}`),console.log(`  User ID: ${e.userId}`),console.log(`  Expires: ${new Date(e.expiresAt).toLocaleString()}`),await Ne(e.userId)),process.exit(0)}catch(t){let e=(()=>{let r=t?.message;return typeof r=="string"&&r.length>0?r:t==null?"(null/undefined error)":`[no_message ctor=${t?.constructor?.name??typeof t}] ${String(t).substring(0,80)}`})();console.error(`
-${f.red}\u2717 Authentication failed${f.reset}`),console.error(`  Error: ${e}`),We(t)||await D("unknown",{errorFragment:e}),process.exit(1)}}async function cs(){console.log(`${f.cyan}CodeVibe Logout${f.reset}
-`);try{let t=await q.getStatus();if(!t.authenticated){console.log(`${f.yellow}Not logged in.${f.reset}`),process.exit(0);return}let e=t.tokens?.email;await q.logout()?(console.log(`${f.green}\u2713 Logged out successfully.${f.reset}`),console.log(`  Previous user: ${e}`),console.log(`
-${f.dim}Clearing browser session...${f.reset}`)):console.log(`${f.red}\u2717 Failed to log out.${f.reset}`),process.exit(0)}catch(t){console.error(`${f.red}\u2717 Logout failed: ${t.message}${f.reset}`),process.exit(1)}}async function ds(){console.log(`${f.cyan}CodeVibe Auth Status${f.reset}
-`);try{let t=await q.getStatus();if(!t.tokens){console.log(`${f.yellow}Not authenticated.${f.reset}`),console.log(`
-Run '${f.dim}codevibe login${f.reset}' to sign in.`),process.exit(0);return}let e=!t.authenticated;console.log(e?`${f.yellow}\u26A0 Token expired${f.reset}`:`${f.green}\u2713 Authenticated${f.reset}`),console.log(`  User: ${t.tokens.email}`),console.log(`  User ID: ${t.tokens.userId}`),console.log(`  Expires: ${new Date(t.tokens.expiresAt).toLocaleString()}`),e&&console.log(`
-${f.dim}Token will be refreshed automatically.${f.reset}`),process.exit(0)}catch(t){console.error(`${f.red}\u2717 Status check failed: ${t.message}${f.reset}`),process.exit(1)}}async function ls(){console.log(`${f.cyan}CodeVibe Reset Device${f.reset}
-`),console.log(`${f.red}\u26A0 WARNING: This will delete your device identity.${f.reset}`),console.log(`${f.red}  Old encrypted sessions will become inaccessible.${f.reset}
-`);let{keychainManager:t}=await Promise.resolve().then(()=>(X(),wr));try{await t.clearAllData(),console.log(`${f.green}\u2713 Device reset complete.${f.reset}`),console.log(`  Run '${f.dim}codevibe login${f.reset}' to set up again.`),process.exit(0)}catch(e){console.error(`${f.red}\u2717 Reset failed: ${e.message}${f.reset}`),process.exit(1)}}function us(){console.log(`CodeVibe Authentication
+            `),setTimeout(()=>{i.close(()=>r(!0))},500)):(o.writeHead(404),o.end("Not found"))});i.on("error",()=>{r(!0)}),i.listen(oe,"localhost",()=>{let s=`https://${e.aws.cognitoDomain}/logout?client_id=${e.aws.cognitoClientId}&logout_uri=${encodeURIComponent(Pe.replace("/callback","/signout"))}`;this.openBrowser(s)}),setTimeout(()=>{i.close(()=>r(!0))},30*1e3)})}async getStatus(){let e=await y.getTokens(I());return e?{authenticated:!y.isTokenExpired(e),tokens:e}:{authenticated:!1}}},P=Q.getInstance();Y();var u={reset:"\x1B[0m",green:"\x1B[32m",red:"\x1B[31m",yellow:"\x1B[33m",cyan:"\x1B[36m",dim:"\x1B[2m"};async function Jt(){console.log(`${u.cyan}CodeVibe Login${u.reset}
+`);try{let n=await P.getStatus();if(n.authenticated&&n.tokens){console.log(`${u.yellow}Already logged in as: ${n.tokens.email}${u.reset}`),console.log(`Token expires: ${new Date(n.tokens.expiresAt).toLocaleString()}`),console.log(`
+Run '${u.dim}codevibe logout${u.reset}' to sign out first.`),process.exit(0);return}console.log("Opening browser for authentication..."),console.log(`${u.dim}Waiting for callback...${u.reset}
+`);let e=await P.login();e&&(console.log(`
+${u.green}\u2713 Authentication successful!${u.reset}`),console.log(`  User: ${e.email}`),console.log(`  User ID: ${e.userId}`),console.log(`  Expires: ${new Date(e.expiresAt).toLocaleString()}`),await ie(e.userId)),process.exit(0)}catch(n){let e=(()=>{let t=n?.message;return typeof t=="string"&&t.length>0?t:n==null?"(null/undefined error)":`[no_message ctor=${n?.constructor?.name??typeof n}] ${String(n).substring(0,80)}`})();console.error(`
+${u.red}\u2717 Authentication failed${u.reset}`),console.error(`  Error: ${e}`),se(n)||await b("unknown",{errorFragment:e}),process.exit(1)}}async function jt(){console.log(`${u.cyan}CodeVibe Logout${u.reset}
+`);try{let n=await P.getStatus();if(!n.authenticated){console.log(`${u.yellow}Not logged in.${u.reset}`),process.exit(0);return}let e=n.tokens?.email;await P.logout()?(console.log(`${u.green}\u2713 Logged out successfully.${u.reset}`),console.log(`  Previous user: ${e}`),console.log(`
+${u.dim}Clearing browser session...${u.reset}`)):console.log(`${u.red}\u2717 Failed to log out.${u.reset}`),process.exit(0)}catch(n){console.error(`${u.red}\u2717 Logout failed: ${n.message}${u.reset}`),process.exit(1)}}async function Gt(){console.log(`${u.cyan}CodeVibe Auth Status${u.reset}
+`);try{let n=await P.getStatus();if(!n.tokens){console.log(`${u.yellow}Not authenticated.${u.reset}`),console.log(`
+Run '${u.dim}codevibe login${u.reset}' to sign in.`),process.exit(0);return}let e=!n.authenticated;console.log(e?`${u.yellow}\u26A0 Token expired${u.reset}`:`${u.green}\u2713 Authenticated${u.reset}`),console.log(`  User: ${n.tokens.email}`),console.log(`  User ID: ${n.tokens.userId}`),console.log(`  Expires: ${new Date(n.tokens.expiresAt).toLocaleString()}`),e&&console.log(`
+${u.dim}Token will be refreshed automatically.${u.reset}`),process.exit(0)}catch(n){console.error(`${u.red}\u2717 Status check failed: ${n.message}${u.reset}`),process.exit(1)}}async function zt(){console.log(`${u.cyan}CodeVibe Reset Device${u.reset}
+`),console.log(`${u.red}\u26A0 WARNING: This will delete your device identity.${u.reset}`),console.log(`${u.red}  Old encrypted sessions will become inaccessible.${u.reset}
+`);let{keychainManager:n}=await Promise.resolve().then(()=>(R(),et));try{await n.clearAllData(),console.log(`${u.green}\u2713 Device reset complete.${u.reset}`),console.log(`  Run '${u.dim}codevibe login${u.reset}' to set up again.`),process.exit(0)}catch(e){console.error(`${u.red}\u2717 Reset failed: ${e.message}${u.reset}`),process.exit(1)}}function Yt(){console.log(`CodeVibe Authentication
 `),console.log("Usage:"),console.log("  codevibe login        - Sign in via browser"),console.log("  codevibe logout       - Sign out"),console.log("  codevibe status       - Show auth status"),console.log("  codevibe reset-device - Reset device identity (destructive)"),console.log(`
-Environment:`),console.log('  Set ENVIRONMENT env var to "development" or "production" (default)'),console.log("  Example: ENVIRONMENT=development codevibe login")}async function ht(t){let e=U();console.log(`${f.dim}Environment: ${e}${f.reset}
-`);let n=t.slice(2).filter(i=>!i.startsWith("--"))[0];switch(n){case"login":await as();break;case"logout":await cs();break;case"status":await ds();break;case"reset-device":await ls();break;case"orchestration":{let{runOrchestrationCli:i}=(Yt(),or(Dn));await i(t);break}default:us(),process.exit(n?1:0)}}require.main===module&&ht(process.argv).catch(t=>{console.error("Error:",t),process.exit(1)});fe();J();var ps=/\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])/g;function $n(t){let e=Zt(t);if(!e)return null;let r=gs(e);if(r)return r;let n=ms(e);return n||null}function Zt(t){return t.replace(/\r/g,`
-`).replace(ps,"").replace(/[│┌┐└┘─├┤┬┴┼╌╎╭╮╯╰║═╔╗╚╝╠╣╦╩╬]/g," ").replace(/[ \t]+\n/g,`
+Environment:`),console.log('  Set ENVIRONMENT env var to "development" or "production" (default)'),console.log("  Example: ENVIRONMENT=development codevibe login")}async function me(n){let e=I();console.log(`${u.dim}Environment: ${e}${u.reset}
+`);let r=n.slice(2).filter(i=>!i.startsWith("--"))[0];switch(r){case"login":await Jt();break;case"logout":await jt();break;case"status":await Gt();break;case"reset-device":await zt();break;default:Yt(),process.exit(r?1:0)}}require.main===module&&me(process.argv).catch(n=>{console.error("Error:",n),process.exit(1)});Y();M();var Xt=/\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])/g;function St(n){let e=$e(n);if(!e)return null;let t=Zt(e);if(t)return t;let r=Qt(e);return r||null}function $e(n){return n.replace(/\r/g,`
+`).replace(Xt,"").replace(/[│┌┐└┘─├┤┬┴┼╌╎╭╮╯╰║═╔╗╚╝╠╣╦╩╬]/g," ").replace(/[ \t]+\n/g,`
 `).replace(/\n{3,}/g,`
 
-`).trim()}function gs(t){let e=t.split(`
-`).map(p=>p.trim()),r=fs(e,p=>/\[(?:y\/n|Y\/n|y\/N)\]/.test(p)),n=r>=0?e[r]:null;if(!n)return null;let i=On(e,r),s=i.length>0?i.join(`
-`):n,o=s.toLowerCase(),a=o.includes("what to change")||o.includes("what should")||o.includes("provide")||o.includes("instructions");return{kind:"yes_no",promptText:s,options:a?[{number:"1",text:"Yes"},{number:"2",text:"No, provide instructions"}]:[{number:"1",text:"Yes"},{number:"2",text:"No"}],submitMap:{1:"y",2:"n"},requiresFollowUpText:a}}function ms(t){let e=t.split(`
-`).map(d=>d.trim()),r=ys(e);if(r.length<2)return null;let n=r.map(({line:d})=>Pn(d)).filter(d=>!!d),i={};for(let d of n)i[d.number]=d.number;let s=r[0]?.index??-1,o=On(e,s-1);return{kind:"numbered",promptText:o.length>0?o.join(`
-`):"Select an option",options:n,submitMap:i}}function fs(t,e){for(let r=t.length-1;r>=0;r-=1)if(e(t[r]))return r;return-1}function Pn(t){let e=t.match(/^(?:[>›❯▸▶➜➤*●]\s*)?(\d+)\.\s+(.*)$/);return e?{number:e[1],text:e[2]}:null}function ys(t){let e=t.map((n,i)=>({index:i,line:n,parsed:Pn(n)})).filter(n=>!!n.parsed);if(e.length===0)return[];let r=[e[e.length-1]];for(let n=e.length-2;n>=0;n-=1){let i=e[n],s=r[0];if(i.index!==s.index-1)break;r.unshift(i)}return r.map(({index:n,line:i})=>({index:n,line:i}))}function On(t,e){if(e<0)return[];let r=Xt(t,e);if(r<0)return[];let{start:n,end:i}=Qt(t,r),s=t.slice(n,i+1).filter(Boolean);if(vs(s)){let u=hs(t,n-1);return u.length>0?u:s}if(n<=1)return s;let o=n-1;if(o=Xt(t,o),o<0||o===n-1)return s;let{start:a,end:d}=Qt(t,o),l=t.slice(a,d+1).filter(Boolean);return l.some(Kn)?[...l,...s]:s}function Kn(t){return/^(?:would you like to|do you want to|the model would like to|action required|confirm)\b/i.test(t)}function Xt(t,e){let r=e;for(;r>=0&&!t[r];)r-=1;return r}function Qt(t,e){let r=e;for(;r>=0&&t[r];)r-=1;return{start:r+1,end:e}}function hs(t,e){let r=[],n=e;for(;n>=0&&r.length<2&&(n=Xt(t,n),!(n<0));){let{start:s,end:o}=Qt(t,n),a=t.slice(s,o+1).filter(Boolean);a.length>0&&r.unshift(a),n=s-1}if(r.length===0)return[];let i=r.findIndex(s=>s.some(Kn));return i>=0?r.slice(i).flat():r[r.length-1]}function vs(t){return t.length===0?!1:t.filter(ws).length>=Math.max(2,Math.ceil(t.length/2))}function ws(t){return/^\d+\s/.test(t)}Pe();X();Ue();Pe();J();async function pe(t,e,r,n={}){let i;try{i=await r.getSession(t)}catch(u){return c.warn("[SessionRekey] Failed to fetch session state for re-key",{sessionId:t,error:u instanceof Error?u.message:String(u)}),0}if(!i)return c.warn("[SessionRekey] Session not found, skipping re-key",{sessionId:t}),0;if(!i.isEncrypted)return 0;let s=i.encryptedKeys||[],o=new Set(s.map(u=>u.deviceId)),a=n.forceDeviceIds??new Set,d;try{d=await r.listUserDeviceKeys()}catch(u){return c.warn("[SessionRekey] Failed to fetch user device keys",{sessionId:t,error:u instanceof Error?u.message:String(u)}),0}let l=d.filter(u=>!o.has(u.deviceId)||a.has(u.deviceId));if(l.length===0)return 0;c.info("[SessionRekey] Granting session key to devices",{sessionId:t,existingDeviceCount:s.length,grantCount:l.length,grantDeviceIds:l.map(u=>u.deviceId),forceCount:a.size});let p=0;for(let u of l)try{let w=K.encryptSessionKey(e,u.publicKey);await r.grantSessionKey({sessionId:t,deviceId:u.deviceId,encryptedKey:w.encryptedKey,ephemeralPublicKey:w.ephemeralPublicKey}),p++,c.info("[SessionRekey] Granted session key to device",{sessionId:t,deviceId:u.deviceId,platform:u.platform})}catch(w){c.warn("[SessionRekey] Failed to grant session key to device",{sessionId:t,deviceId:u.deviceId,error:w instanceof Error?w.message:String(w)})}return p>0&&c.info("[SessionRekey] Re-key complete",{sessionId:t,grantedCount:p,requestedCount:l.length}),p}async function vt(t,e,r){try{let n=await e.listUserDeviceKeys();if(n.length===0)return r.info("No device keys found, session will not be encrypted"),null;r.info("Preparing session encryption",{sessionId:t,deviceCount:n.length});let{sessionKey:i,encryptedKeys:s}=v.createSessionKey(n);return r.info("Session encryption prepared",{sessionId:t,deviceCount:s.length}),{sessionKey:i,encryptedKeys:s}}catch(n){return r.warn("Failed to prepare session encryption:",n),null}}async function er(t,e,r){let{sessionId:n,userId:i,agentType:s,projectPath:o,metadata:a}=t,d=null;try{d=await e.getSession(n)}catch(S){r.warn("Failed to get session (will attempt to create new)",{sessionId:n,error:S})}if(d){r.info("Session exists in backend - reactivating",{sessionId:n,previousStatus:d.status});try{await e.updateSession({sessionId:n,status:"ACTIVE"})}catch(A){r.warn("Failed to reactivate existing session, will continue",{sessionId:n,error:A})}let S=null,$=d.encryptedKeys;if(d.isEncrypted&&$?.length)try{let A=await v.getSessionKey(n,$);A?(S=A,v.cacheSessionKey(n,A),r.info("Session key retrieved for resumed session",{sessionId:n})):r.warn("No encrypted key for this device; proceeding without decryption",{sessionId:n})}catch(A){r.warn("Failed to retrieve session key for resumed session",{sessionId:n,error:A})}if(S)try{let A=await pe(n,S,e);A>0&&r.info("Session re-keyed for newly registered devices on resume",{sessionId:n,newDeviceCount:A})}catch(A){r.warn("Session re-key on resume failed (non-fatal)",{sessionId:n,error:A instanceof Error?A.message:String(A)})}return{resumed:!0,sessionKey:S}}let l=await vt(n,e,r),p=o,u=a;l&&(p=K.encryptContent(o,l.sessionKey),u&&Object.keys(u).length>0&&(u={encrypted:K.encryptMetadata(u,l.sessionKey)}),r.info("Session data encrypted",{sessionId:n})),r.info("Creating new session in backend",{sessionId:n,userId:i,agentType:s,isEncrypted:!!l}),await e.createSession({sessionId:n,userId:i,agentType:s,projectPath:p,status:"ACTIVE",metadata:u,isEncrypted:l?!0:void 0,creatorDeviceId:l?await v.getDeviceId():void 0,encryptionVersion:l?1:void 0,encryptedKeys:l?.encryptedKeys});let w=l?.sessionKey||null;return l&&v.cacheSessionKey(n,l.sessionKey),r.info("Session created",{sessionId:n,userId:i,isEncrypted:!!l}),{resumed:!1,sessionKey:w}}X();function tr(t,e){let r=t.getCurrentUserId(),n=async(s,o)=>{let a=v.getCachedSessionIds();if(a.length===0){e.info("[DeviceKeyWatcher] No active sessions to re-key",{reason:s});return}e.info("[DeviceKeyWatcher] Running re-key pass",{reason:s,activeSessionCount:a.length,forceDeviceCount:o?.size??0});for(let d of a){let l=v.getCachedSessionKey(d);if(l)try{let p=await pe(d,l,t,o?{forceDeviceIds:o}:void 0);p>0&&e.info("[DeviceKeyWatcher] Session re-keyed",{sessionId:d,newDeviceCount:p,reason:s})}catch(p){e.warn("[DeviceKeyWatcher] Re-key failed for session (non-fatal)",{sessionId:d,reason:s,error:p instanceof Error?p.message:String(p)})}}},i=t.subscribeToDeviceKeyRegistered(r,s=>{e.info("[DeviceKeyWatcher] New device observed, triggering re-key",{userId:r,newDeviceId:s.deviceId,platform:s.platform,deviceName:s.deviceName}),n(`new-device:${s.deviceId}`,new Set([s.deviceId]))},()=>{n("watcher-reconnect")},s=>{e.warn("[DeviceKeyWatcher] Subscription error (will retry)",{error:s instanceof Error?s.message:String(s)})});return e.info("[DeviceKeyWatcher] Started",{userId:r}),i}X();async function rr(t,e){try{let r=await v.getDeviceId(),n=await v.getDevicePublicKey(),i=v.getDevicePlatform(),s=v.getDeviceName();e.info("Registering device encryption key",{deviceId:r,platform:i,deviceName:s}),await t.registerDeviceKey(r,n,i,s),v.setIsRegistered(!0),e.info("Device encryption key registered successfully",{deviceId:r})}catch(r){e.warn("Failed to register device encryption key (E2E encryption may not work):",r)}}Yt();qt();var nr={};$e(nr,{dedupKeyForDestructiveActionEscalated:()=>Cs,dedupKeyForFlagBadApproval:()=>Ds,dedupKeyForProgressEvent:()=>xs,dedupKeyForTaskCreated:()=>_s,dedupKeyForTaskTerminated:()=>Is,dedupKeyForToolUse:()=>Ts});var Un=require("node:crypto"),Ss="task_created",ks="task_terminated",bs="progress",Es="tool_use",As="destructive_escalated",Rs="flag_bad_approval";function Ce(t){if(t.length!==36)throw new Error(`UUID must be 36 chars (got ${t.length}): ${t}`);if(t[8]!=="-"||t[13]!=="-"||t[18]!=="-"||t[23]!=="-")throw new Error(`UUID dashes misplaced: ${t}`);let e=t.replace(/-/g,"");if(!/^[0-9a-fA-F]{32}$/.test(e))throw new Error(`UUID contains non-hex characters: ${t}`);return Buffer.from(e,"hex")}function De(t){let e=(0,Un.createHash)("sha256");for(let r of t)typeof r=="string"?e.update(r,"utf8"):e.update(r);return e.digest("hex")}function _s(t){return De([Ce(t),Ss])}function Is(t){return De([Ce(t),ks])}function xs(t,e){return De([Ce(t),bs,e])}function Ts(t,e){return De([Ce(t),Es,e])}function Cs(t,e){return De([Ce(t),As,e])}function Ds(t){return De([Ce(t),Rs])}Ue();0&&(module.exports={AgentType,AppSyncClient,AuditKeys,AuthService,CryptoError,CryptoService,DeliveryStatus,ENCRYPTION_VERSION,EventSource,EventType,KeychainError,KeychainManager,Logger,Reviewer,ReviewerRole,SessionStatus,UserDecisionKind,V1_ORCHESTRATION_OPTIONS,V1_ORCHESTRATION_PROMPT_KIND,applyPerSessionOrchestrationOverride,authService,createLogger,cryptoService,detectInstalledAgents,errorWasBeaconed,fireAuthCompletedBeacon,fireAuthFailedBeacon,getConfig,getEnvironment,getErrorReason,keychainManager,loadConfig,logger,mapOptionNumberToUserDecisionKind,mapOptionToUserDecisionKind,mapV1KindToWire,markErrorBeaconed,mutations,normalizeSnapshot,parseInteractivePrompt,prepareSessionEncryption,pushDetectedAgents,queries,registerDeviceEncryptionKey,rekeySessionForNewDevices,resumeOrCreateSession,runAuthCli,runOrchestrationCli,startDeviceKeyWatcher,subscriptions});
+`).trim()}function Zt(n){let e=n.split(`
+`).map(h=>h.trim()),t=er(e,h=>/\[(?:y\/n|Y\/n|y\/N)\]/.test(h)),r=t>=0?e[t]:null;if(!r)return null;let i=kt(e,t),s=i.length>0?i.join(`
+`):r,o=s.toLowerCase(),a=o.includes("what to change")||o.includes("what should")||o.includes("provide")||o.includes("instructions");return{kind:"yes_no",promptText:s,options:a?[{number:"1",text:"Yes"},{number:"2",text:"No, provide instructions"}]:[{number:"1",text:"Yes"},{number:"2",text:"No"}],submitMap:{1:"y",2:"n"},requiresFollowUpText:a}}function Qt(n){let e=n.split(`
+`).map(d=>d.trim()),t=tr(e);if(t.length<2)return null;let r=t.map(({line:d})=>wt(d)).filter(d=>!!d),i={};for(let d of r)i[d.number]=d.number;let s=t[0]?.index??-1,o=kt(e,s-1);return{kind:"numbered",promptText:o.length>0?o.join(`
+`):"Select an option",options:r,submitMap:i}}function er(n,e){for(let t=n.length-1;t>=0;t-=1)if(e(n[t]))return t;return-1}function wt(n){let e=n.match(/^(?:[>›❯▸▶➜➤*●]\s*)?(\d+)\.\s+(.*)$/);return e?{number:e[1],text:e[2]}:null}function tr(n){let e=n.map((r,i)=>({index:i,line:r,parsed:wt(r)})).filter(r=>!!r.parsed);if(e.length===0)return[];let t=[e[e.length-1]];for(let r=e.length-2;r>=0;r-=1){let i=e[r],s=t[0];if(i.index!==s.index-1)break;t.unshift(i)}return t.map(({index:r,line:i})=>({index:r,line:i}))}function kt(n,e){if(e<0)return[];let t=Ne(n,e);if(t<0)return[];let{start:r,end:i}=Ue(n,t),s=n.slice(r,i+1).filter(Boolean);if(nr(s)){let p=rr(n,r-1);return p.length>0?p:s}if(r<=1)return s;let o=r-1;if(o=Ne(n,o),o<0||o===r-1)return s;let{start:a,end:d}=Ue(n,o),l=n.slice(a,d+1).filter(Boolean);return l.some(bt)?[...l,...s]:s}function bt(n){return/^(?:would you like to|do you want to|the model would like to|action required|confirm)\b/i.test(n)}function Ne(n,e){let t=e;for(;t>=0&&!n[t];)t-=1;return t}function Ue(n,e){let t=e;for(;t>=0&&n[t];)t-=1;return{start:t+1,end:e}}function rr(n,e){let t=[],r=e;for(;r>=0&&t.length<2&&(r=Ne(n,r),!(r<0));){let{start:s,end:o}=Ue(n,r),a=n.slice(s,o+1).filter(Boolean);a.length>0&&t.unshift(a),r=s-1}if(t.length===0)return[];let i=t.findIndex(s=>s.some(bt));return i>=0?t.slice(i).flat():t[t.length-1]}function nr(n){return n.length===0?!1:n.filter(ir).length>=Math.max(2,Math.ceil(n.length/2))}function ir(n){return/^\d+\s/.test(n)}ee();R();ee();R();M();async function j(n,e,t,r={}){let i;try{i=await t.getSession(n)}catch(p){return c.warn("[SessionRekey] Failed to fetch session state for re-key",{sessionId:n,error:p instanceof Error?p.message:String(p)}),0}if(!i)return c.warn("[SessionRekey] Session not found, skipping re-key",{sessionId:n}),0;if(!i.isEncrypted)return 0;let s=i.encryptedKeys||[],o=new Set(s.map(p=>p.deviceId)),a=r.forceDeviceIds??new Set,d;try{d=await t.listUserDeviceKeys()}catch(p){return c.warn("[SessionRekey] Failed to fetch user device keys",{sessionId:n,error:p instanceof Error?p.message:String(p)}),0}let l=d.filter(p=>!o.has(p.deviceId)||a.has(p.deviceId));if(l.length===0)return 0;c.info("[SessionRekey] Granting session key to devices",{sessionId:n,existingDeviceCount:s.length,grantCount:l.length,grantDeviceIds:l.map(p=>p.deviceId),forceCount:a.size});let h=0;for(let p of l)try{let g=E.encryptSessionKey(e,p.publicKey);await t.grantSessionKey({sessionId:n,deviceId:p.deviceId,encryptedKey:g.encryptedKey,ephemeralPublicKey:g.ephemeralPublicKey}),h++,c.info("[SessionRekey] Granted session key to device",{sessionId:n,deviceId:p.deviceId,platform:p.platform})}catch(g){c.warn("[SessionRekey] Failed to grant session key to device",{sessionId:n,deviceId:p.deviceId,error:g instanceof Error?g.message:String(g)})}return h>0&&c.info("[SessionRekey] Re-key complete",{sessionId:n,grantedCount:h,requestedCount:l.length}),h}async function Et(n,e){let t=e.pollIntervalMs??5e3,r=e.maxAttempts??6,i,s;try{i=await y.getDeviceId(),s=await y.getDevicePrivateKey()}catch(o){c.warn("[SessionRekey] A1 pre-loop keychain read failed",{sessionId:n,error:o instanceof Error?o.message:String(o)});try{e.onTimeout?.(0)}catch{}return null}for(let o=1;o<=r;o++){o>1&&await new Promise(g=>setTimeout(g,t));let a;try{a=await e.appSyncClient.getSession(n)}catch(g){c.warn("[SessionRekey] A1 getSession failed during poll, will retry",{sessionId:n,attempt:o,error:g instanceof Error?g.message:String(g)});continue}let d=a?.encryptedKeys??[],l=d.filter(g=>g.deviceId===i);if(l.length===0){c.info("[SessionRekey] A1 our deviceId still not in encryptedKeys",{sessionId:n,attempt:o,freshDeviceCount:d.length});continue}let h=null,p=[];for(let g=l.length-1;g>=0;g--)try{h=E.decryptSessionKey(l[g],s);break}catch(f){p.push(f instanceof Error?f.message:String(f))}if(h){y.cacheSessionKey(n,h);try{e.onSuccess?.(o)}catch{}return c.info("[SessionRekey] A1 self-rekey successful",{sessionId:n,attempt:o,entriesTriedToDecrypt:l.length}),h}c.warn("[SessionRekey] A1 found entries but all decrypt-failed, will retry",{sessionId:n,attempt:o,entriesTried:l.length,errors:p})}try{e.onTimeout?.(r)}catch{}return c.warn("[SessionRekey] A1 self-rekey exhausted maxAttempts",{sessionId:n,maxAttempts:r}),null}R();async function ae(n,e){try{let t=await y.getDeviceId(),r=await y.getDevicePublicKey(),i=y.getDevicePlatform(),s=y.getDeviceName();e.info("Registering device encryption key",{deviceId:t,platform:i,deviceName:s}),await n.registerDeviceKey(t,r,i,s),y.setIsRegistered(!0),e.info("Device encryption key registered successfully",{deviceId:t})}catch(t){e.warn("Failed to register device encryption key (E2E encryption may not work):",t)}}async function fe(n,e,t){try{let r=await e.listUserDeviceKeys();if(r.length===0)return t.info("No device keys found, session will not be encrypted"),null;t.info("Preparing session encryption",{sessionId:n,deviceCount:r.length});let i=ge(n),{sessionKey:s,encryptedKeys:o,skippedDeviceIds:a}=y.createSessionKey(r,{onDeviceSkipped:d=>{dt({skipped_count_bucket:Z(d),session_hash:i}).catch(()=>{})}});return a.length>0&&lt({session_hash:i,encrypted_count_bucket:Z(o.length),skipped_count_bucket:Z(a.length)}).catch(()=>{}),t.info("Session encryption prepared",{sessionId:n,deviceCount:o.length,skippedCount:a.length}),{sessionKey:s,encryptedKeys:o,skippedDeviceIds:a}}catch(r){return t.warn("Failed to prepare session encryption:",r),null}}async function Le(n,e,t){let{sessionId:r,userId:i,agentType:s,projectPath:o,metadata:a}=n,d=null;try{d=await e.getSession(r)}catch(f){t.warn("Failed to get session (will attempt to create new)",{sessionId:r,error:f})}if(d){t.info("Session exists in backend - reactivating",{sessionId:r,previousStatus:d.status});try{await e.updateSession({sessionId:r,status:"ACTIVE"})}catch(m){t.warn("Failed to reactivate existing session, will continue",{sessionId:r,error:m})}let f=null,O=d.encryptedKeys??[];if(d.isEncrypted){if(O.length>0){try{let m=await y.getSessionKey(r,O);m&&(f=m,y.cacheSessionKey(r,m),t.info("Session key retrieved for resumed session",{sessionId:r}))}catch(m){t.warn("Failed to retrieve session key for resumed session",{sessionId:r,error:m})}if(!f){let m=ge(r);t.info("Self-rekey: re-registering device key + awaiting grant",{sessionId:r,otherDeviceCount:O.length}),ut({session_hash:m,other_device_count_bucket:Z(O.length)}).catch(()=>{});try{await ae(e,t),f=await Et(r,{appSyncClient:e,onSuccess:S=>{yt({session_hash:m,attempt_count:S}).catch(()=>{})},onTimeout:S=>{ht({session_hash:m,attempt_count:S}).catch(()=>{})}})}catch(S){t.warn("Self-rekey path failed",{sessionId:r,error:S instanceof Error?S.message:String(S)})}}}else t.warn("Encrypted session has empty encryptedKeys; cannot self-rekey",{sessionId:r});if(!f){let m=new Error(`Cannot resume encrypted session ${r}: `+(O.length===0?"session is marked encrypted but session.encryptedKeys is empty (corrupt state). Cannot self-rekey without a peer device. Start a new session.":"this device's key is not in session.encryptedKeys and self-rekey did not complete within 30s. This typically means the device key was rotated and mobile has not yet granted access to this device. Open the mobile app to refresh device keys, then retry."));throw m.code="ENCRYPTED_SESSION_NO_KEY",m}}if(f)try{let m=await j(r,f,e);m>0&&(t.info("Session re-keyed for newly registered devices on resume",{sessionId:r,newDeviceCount:m}),pt({session_hash:ge(r),granted_count_bucket:Z(m)}).catch(()=>{}))}catch(m){t.warn("Session re-key on resume failed (non-fatal)",{sessionId:r,error:m instanceof Error?m.message:String(m)})}return{resumed:!0,sessionKey:f}}let l=await fe(r,e,t),h=o,p=a;l&&(h=E.encryptContent(o,l.sessionKey),p&&Object.keys(p).length>0&&(p={encrypted:E.encryptMetadata(p,l.sessionKey)}),t.info("Session data encrypted",{sessionId:r})),t.info("Creating new session in backend",{sessionId:r,userId:i,agentType:s,isEncrypted:!!l}),await e.createSession({sessionId:r,userId:i,agentType:s,projectPath:h,status:"ACTIVE",metadata:p,isEncrypted:l?!0:void 0,creatorDeviceId:l?await y.getDeviceId():void 0,encryptionVersion:l?1:void 0,encryptedKeys:l?.encryptedKeys});let g=l?.sessionKey||null;return l&&y.cacheSessionKey(r,l.sessionKey),t.info("Session created",{sessionId:r,userId:i,isEncrypted:!!l}),{resumed:!1,sessionKey:g}}R();function We(n,e){let t=n.getCurrentUserId(),r=async(s,o)=>{let a=y.getCachedSessionIds();if(a.length===0){e.info("[DeviceKeyWatcher] No active sessions to re-key",{reason:s});return}e.info("[DeviceKeyWatcher] Running re-key pass",{reason:s,activeSessionCount:a.length,forceDeviceCount:o?.size??0});for(let d of a){let l=y.getCachedSessionKey(d);if(l)try{let h=await j(d,l,n,o?{forceDeviceIds:o}:void 0);h>0&&e.info("[DeviceKeyWatcher] Session re-keyed",{sessionId:d,newDeviceCount:h,reason:s})}catch(h){e.warn("[DeviceKeyWatcher] Re-key failed for session (non-fatal)",{sessionId:d,reason:s,error:h instanceof Error?h.message:String(h)})}}},i=n.subscribeToDeviceKeyRegistered(t,s=>{e.info("[DeviceKeyWatcher] New device observed, triggering re-key",{userId:t,newDeviceId:s.deviceId,platform:s.platform,deviceName:s.deviceName}),r(`new-device:${s.deviceId}`,new Set([s.deviceId]))},()=>{r("watcher-reconnect")},s=>{e.warn("[DeviceKeyWatcher] Subscription error (will retry)",{error:s instanceof Error?s.message:String(s)})});return e.info("[DeviceKeyWatcher] Started",{userId:t}),i}0&&(module.exports={AgentType,AppSyncClient,AuthService,CryptoError,CryptoService,DeliveryStatus,ENCRYPTION_VERSION,EventSource,EventType,KeychainError,KeychainManager,Logger,SessionStatus,authService,createLogger,cryptoService,errorWasBeaconed,fireAuthCompletedBeacon,fireAuthFailedBeacon,getConfig,getEnvironment,getErrorReason,keychainManager,loadConfig,logger,markErrorBeaconed,mutations,normalizeSnapshot,parseInteractivePrompt,prepareSessionEncryption,queries,registerDeviceEncryptionKey,rekeySessionForNewDevices,resumeOrCreateSession,runAuthCli,startDeviceKeyWatcher,subscriptions});