@ritualai/cli 0.3.0

package/README.md

@@ -0,0 +1,120 @@
+# `@ritualai/cli`
+
+The Ritual CLI. Connects your AI coding agent (Claude Code, Cursor,
+Codex, Kiro, Gemini CLI, Windsurf, etc.) to Ritual Cloud via the
+[Model Context Protocol][mcp].
+
+## Install
+
+```bash
+npm install -g @ritualai/cli
+```
+
+## Quick start
+
+```bash
+ritual login          # browser-based sign-in (OAuth 2.1 + PKCE)
+ritual init           # scaffold skills + register MCP with every detected agent
+ritual doctor         # sanity-check the environment
+```
+
+That's it. `init` does three things:
+
+1. Detects which AI coding agents you have installed (Claude Code,
+   Cursor, Windsurf, Kiro, Gemini CLI, VS Code / Copilot, Codex).
+2. Mints a long-lived **Personal Access Token** via the Ritual API
+   named `Ritual CLI — <hostname>`, so the agent has a credential
+   that doesn't expire every 5 minutes the way OAuth tokens do.
+3. For each detected agent: copies the Ritual skill files into your
+   project (`.claude/skills/`, `.cursor/rules/`, etc.) AND writes
+   the MCP server config (`claude mcp add-json` for Claude Code, or
+   `mcp.json` merge for the others) with the PAT as the Bearer.
+
+Restart your agent after `init` so it picks up the new MCP server,
+then try `/ritual build <feature>` from inside the agent.
+
+## Commands
+
+```bash
+ritual init [--agent <id>] [--list]   # scaffold + register
+ritual login                          # browser sign-in
+ritual logout                         # clear creds
+ritual whoami                         # session info, auto-refresh
+ritual refresh                        # force token refresh
+ritual doctor                         # env + detection report
+```
+
+The agent ids are: `claude-code`, `cursor`, `windsurf`, `kiro`,
+`gemini`, `vscode`, `codex`. Use `--agent <id>` if you want to scaffold
+for a specific one without auto-detecting (handy when you've got the
+agent installed somewhere non-standard).
+
+## How refresh works (v0.2)
+
+Keycloak issues a short-lived access token (~5 min by default) and a
+longer-lived refresh token (~30 min). The CLI handles this transparently:
+
+- `ritual whoami` and any future Bearer-using command call
+  `getValidAccessToken()` internally. If the cached access token is
+  still fresh (>30s of life left), they use it as-is. If it's expired
+  but the refresh token is still good, they exchange it for a new
+  access token and persist the result before continuing.
+- If the refresh token is also expired/revoked (Keycloak returns
+  `400 invalid_grant`), you'll see a clear "session expired, run
+  `ritual login`" message — not a confusing 401 from the API.
+- `ritual refresh` exposes the refresh path explicitly for scripts
+  and debugging. Most users never need to run it directly.
+
+Refresh-token rotation (Keycloak's default) means the stored refresh
+token changes on every successful refresh — the CLI persists the new
+one automatically.
+
+## How sign-in works
+
+1. CLI binds a one-shot HTTP server on a random localhost port.
+2. CLI opens your browser to the Ritual identity provider (Keycloak).
+3. You authenticate (or use SSO if your org has it configured).
+4. Keycloak redirects back to `http://127.0.0.1:<port>/callback` with
+   an authorization code.
+5. CLI exchanges the code at the token endpoint using PKCE proof.
+6. Tokens are stored at `~/.config/ritual/credentials.json` (chmod 0600).
+
+This is the standard [RFC 8252][rfc8252] loopback pattern — no shared
+secret, no manual API key copy-paste.
+
+## Override defaults
+
+Defaults point at production. For dev, either:
+
+```bash
+ritual login --issuer https://auth.dev.ritualapp.cloud/realms/ritual
+```
+
+or set env vars:
+
+```bash
+export RITUAL_KEYCLOAK_URL=https://auth.dev.ritualapp.cloud/realms/ritual
+ritual login
+```
+
+## What's next
+
+- Per-agent skill *format transforms* (currently every agent gets the
+  same SKILL.md; future versions emit Cursor `.mdc`, Kiro YAML,
+  Gemini's specific frontmatter).
+- Workflow commands (`ritual explore`, `ritual run`, `ritual brief`)
+  that wrap the MCP tools so you can drive Ritual from the terminal
+  outside an agent session.
+
+## Security notes
+
+- The credentials file is chmod 0600 (owner-only). On shared machines
+  this is your only protection — don't `chmod 644 ~/.config/ritual`.
+- The CLI never sends your credentials anywhere except to Keycloak's
+  token endpoint over TLS.
+- The `ritual-cli` Keycloak client is a public OAuth client (no
+  client secret). PKCE is what makes this safe — only the CLI process
+  that generated the verifier can exchange the code.
+
+[mcp]: https://modelcontextprotocol.io
+[rfc8252]: https://datatracker.ietf.org/doc/html/rfc8252

package/dist/commands/doctor.js

@@ -0,0 +1,87 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.doctorCommand = doctorCommand;
+const node_fs_1 = require("node:fs");
+const node_os_1 = require("node:os");
+const config_1 = require("../lib/config");
+const detector_1 = require("../lib/agents/detector");
+const api_client_1 = require("../lib/api-client");
+/**
+ * `ritual doctor` — sanity check the CLI's environment.
+ *
+ * Print, in order:
+ *   1. Runtime: node version, OS, hostname
+ *   2. Credentials: path + signed-in status + scopes + expiry
+ *   3. Resolved endpoints: API base, MCP URL (derived from issuer)
+ *   4. Agent detection: which agents we see installed
+ *
+ * Never modifies state. Always exits 0 unless the user asked for
+ * action items we can't complete (e.g. signed out — exit 1 so CI can
+ * gate on it).
+ */
+async function doctorCommand() {
+    let problems = 0;
+    console.log('');
+    console.log('  Ritual CLI — environment report');
+    console.log('');
+    // --- Runtime --------------------------------------------------
+    console.log('  Runtime:');
+    console.log(`    node       ${process.version}`);
+    console.log(`    platform   ${(0, node_os_1.platform)()}`);
+    console.log(`    hostname   ${(0, node_os_1.hostname)()}`);
+    console.log('');
+    // --- Credentials ----------------------------------------------
+    console.log('  Credentials:');
+    console.log(`    path       ${(0, config_1.getCredentialsPath)()}`);
+    const tokenStatus = await (0, config_1.getValidAccessToken)();
+    if (tokenStatus.kind === 'not-signed-in') {
+        console.log('    state      not signed in');
+        console.log('    fix        run `ritual login`');
+        problems++;
+        console.log('');
+    }
+    else if (tokenStatus.kind === 're-auth-required') {
+        console.log(`    state      re-auth required (${tokenStatus.reason})`);
+        console.log('    fix        run `ritual login`');
+        problems++;
+        console.log('');
+    }
+    else {
+        const { creds } = tokenStatus;
+        const nowSec = Math.floor(Date.now() / 1000);
+        const expiresInSec = creds.tokenSet.expires_at - nowSec;
+        console.log(`    state      signed in as ${creds.user?.email ?? creds.user?.sub ?? 'unknown'}`);
+        console.log(`    issuer     ${creds.issuer}`);
+        console.log(`    expires    in ${expiresInSec}s${tokenStatus.refreshed ? ' (auto-refreshed)' : ''}`);
+        console.log('');
+        // --- Resolved endpoints (only meaningful if signed in) ----
+        console.log('  Resolved endpoints:');
+        console.log(`    api        ${(0, api_client_1.apiBaseFromIssuer)(creds.issuer)}`);
+        console.log(`    mcp        ${(0, api_client_1.mcpUrlFromIssuer)(creds.issuer)}`);
+        console.log('');
+    }
+    // --- Agent detection ------------------------------------------
+    console.log('  AI coding agents:');
+    for (const a of (0, detector_1.detectAgents)()) {
+        const status = a.detected ? '✓' : '·';
+        // Pad id column so output aligns regardless of which agents
+        // the user has installed.
+        console.log(`    ${status} ${a.id.padEnd(14)} ${a.name}`);
+    }
+    console.log('');
+    // --- Project state --------------------------------------------
+    // If we're inside a project that has any of the agent skill
+    // directories, mention it — useful for the "did init work" check.
+    const projectAgents = (0, detector_1.detectAgents)().filter((a) => (0, node_fs_1.existsSync)(`${process.cwd()}/${a.provider.projectSkillDir}`));
+    if (projectAgents.length > 0) {
+        console.log('  This project has skills for:');
+        for (const a of projectAgents) {
+            console.log(`    ${a.provider.projectSkillDir}/`);
+        }
+        console.log('');
+    }
+    if (problems > 0) {
+        process.exitCode = 1;
+    }
+}
+//# sourceMappingURL=doctor.js.map

package/dist/commands/doctor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"doctor.js","sourceRoot":"","sources":["../../src/commands/doctor.ts"],"names":[],"mappings":";;AAmBA,sCAqEC;AAxFD,qCAAqC;AACrC,qCAA6C;AAC7C,0CAAwE;AACxE,qDAAsD;AACtD,kDAAwE;AAExE;;;;;;;;;;;;GAYG;AACI,KAAK,UAAU,aAAa;IAClC,IAAI,QAAQ,GAAG,CAAC,CAAC;IAEjB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IACjD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,iEAAiE;IACjE,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAC1B,OAAO,CAAC,GAAG,CAAC,kBAAkB,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IACjD,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAA,kBAAQ,GAAE,EAAE,CAAC,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAA,kBAAQ,GAAE,EAAE,CAAC,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,iEAAiE;IACjE,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAC9B,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAA,2BAAkB,GAAE,EAAE,CAAC,CAAC;IACtD,MAAM,WAAW,GAAG,MAAM,IAAA,4BAAmB,GAAE,CAAC;IAChD,IAAI,WAAW,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;QACjD,QAAQ,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;SAAM,IAAI,WAAW,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,oCAAoC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC;QACvE,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;QACjD,QAAQ,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;SAAM,CAAC;QACP,MAAM,EAAE,KAAK,EAAE,GAAG,WAAW,CAAC;QAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7C,MAAM,YAAY,GAAG,KAAK,CAAC,QAAQ,CAAC,UAAU,GAAG,MAAM,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,+BAA+B,KAAK,CAAC,IAAI,EAAE,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,GAAG,IAAI,SAAS,EAAE,CAAC,CAAC;QAChG,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,qBAAqB,YAAY,IAAI,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,6DAA6D;QAC7D,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAA,8BAAiB,EAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACjE,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAA,6BAAgB,EAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAChE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,iEAAiE;IACjE,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IACnC,KAAK,MAAM,CAAC,IAAI,IAAA,uBAAY,GAAE,EAAE,CAAC;QAChC,MAAM,MAAM,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QACtC,4DAA4D;QAC5D,0BAA0B;QAC1B,OAAO,CAAC,GAAG,CAAC,OAAO,MAAM,IAAI,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,iEAAiE;IACjE,4DAA4D;IAC5D,kEAAkE;IAClE,MAAM,aAAa,GAAG,IAAA,uBAAY,GAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAA,oBAAU,EAAC,GAAG,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC;IACjH,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAC9C,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;YAC/B,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,eAAe,GAAG,CAAC,CAAC;QACnD,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;QAClB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;IACtB,CAAC;AACF,CAAC"}

package/dist/commands/init.js

@@ -0,0 +1,158 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.initCommand = initCommand;
+const config_1 = require("../lib/config");
+const api_client_1 = require("../lib/api-client");
+const pat_store_1 = require("../lib/pat-store");
+const detector_1 = require("../lib/agents/detector");
+const providers_1 = require("../lib/agents/providers");
+const configure_mcp_1 = require("../lib/agents/configure-mcp");
+const skill_copy_1 = require("../lib/skill-copy");
+async function initCommand(opts = {}) {
+    console.log('');
+    console.log('  Ritual — scaffolding skills + connecting AI coding agents');
+    console.log('');
+    // --- 0. Handle --list (early exit, no auth required) ------------
+    if (opts.list) {
+        console.log('  Known agents:');
+        for (const p of providers_1.PROVIDERS) {
+            console.log(`    ${p.id.padEnd(14)} ${p.name}`);
+        }
+        console.log('');
+        return;
+    }
+    // --- 1. Auth check -----------------------------------------------
+    const tokenStatus = await (0, config_1.getValidAccessToken)();
+    if (tokenStatus.kind === 'not-signed-in') {
+        console.error('  ✗ Not signed in. Run `ritual login` first, then `ritual init`.');
+        console.error('');
+        process.exitCode = 1;
+        return;
+    }
+    if (tokenStatus.kind === 're-auth-required') {
+        console.error('  ✗ Your session expired. Run `ritual login` to re-authenticate.');
+        console.error(`    Reason: ${tokenStatus.reason}`);
+        console.error('');
+        process.exitCode = 1;
+        return;
+    }
+    // --- 2. Detect agents (or pick a specific one) -------------------
+    let targets;
+    if (opts.agent) {
+        const provider = (0, providers_1.findProviderById)(opts.agent);
+        if (!provider) {
+            console.error(`  ✗ Unknown agent: ${opts.agent}`);
+            console.error('    Run `ritual init --list` to see known agents.');
+            console.error('');
+            process.exitCode = 1;
+            return;
+        }
+        // Explicit `--agent` overrides detection — the user knows what
+        // they want, don't make them install/symlink the binary just
+        // to pass detection.
+        targets = [
+            {
+                id: provider.id,
+                name: provider.name,
+                detected: true,
+                provider,
+            },
+        ];
+    }
+    else {
+        const all = (0, detector_1.detectAgents)();
+        const detected = all.filter((a) => a.detected);
+        if (detected.length === 0) {
+            // Nothing detected → default to Claude Code. This matches
+            // legacy behavior and matches the documented MCP launch
+            // partner. User can override with `--agent <id>`.
+            const claudeProvider = (0, providers_1.findProviderById)('claude-code');
+            targets = [
+                {
+                    id: claudeProvider.id,
+                    name: claudeProvider.name,
+                    detected: false,
+                    provider: claudeProvider,
+                },
+            ];
+            console.log('  No coding agents detected on this machine.');
+            console.log(`  Defaulting to ${claudeProvider.name}. Use --agent <id> to choose explicitly.`);
+            console.log('');
+        }
+        else {
+            targets = detected;
+            console.log(`  Detected ${detected.length} agent(s): ${detected.map((d) => d.name).join(', ')}`);
+            console.log('');
+        }
+    }
+    // --- 3. Mint a long-lived PAT for agents to use ------------------
+    const issuer = tokenStatus.creds.issuer;
+    const api = new api_client_1.ApiClient({
+        issuer,
+        accessToken: tokenStatus.accessToken,
+    });
+    const mcpUrl = (0, api_client_1.mcpUrlFromIssuer)(issuer);
+    let pat;
+    try {
+        pat = await (0, pat_store_1.mintAgentPat)({ api });
+    }
+    catch (err) {
+        console.error(`  ✗ Could not mint access token: ${err.message}`);
+        console.error('');
+        process.exitCode = 1;
+        return;
+    }
+    console.log(`  ✓ Minted ${pat.name}`);
+    console.log(`    Manage tokens at: ${webAppUrlFromIssuer(issuer)}/settings/tokens`);
+    console.log('');
+    // --- 4. Copy skills + register MCP for each target agent ---------
+    const projectDir = opts.cwd ?? process.cwd();
+    const copyResults = [];
+    const registrationResults = [];
+    for (const t of targets) {
+        copyResults.push((0, skill_copy_1.copySkillsForProvider)(t.provider, projectDir));
+        registrationResults.push((0, configure_mcp_1.configureMcpForAgent)(t.provider, { url: mcpUrl, token: pat.plaintextToken }));
+    }
+    // --- 5. Summary --------------------------------------------------
+    console.log('  Per-agent results:');
+    for (const t of targets) {
+        const copy = copyResults.find((r) => r.provider.id === t.provider.id);
+        const reg = registrationResults.find((r) => r.provider.id === t.provider.id);
+        const skillSummary = copy.copied > 0
+            ? `${copy.copied} skill(s) → ${t.provider.projectSkillDir}/`
+            : `skills skipped (${copy.reason ?? 'unknown'})`;
+        const mcpSummary = reg.success
+            ? `MCP server registered`
+            : `MCP register failed: ${reg.reason ?? 'unknown'}`;
+        console.log(`    ${t.provider.name}`);
+        console.log(`      ${skillSummary}`);
+        console.log(`      ${mcpSummary}`);
+    }
+    console.log('');
+    console.log('  Next: restart your AI coding agent so it picks up the new MCP server.');
+    console.log('        In your agent, try:  /ritual build <feature>');
+    console.log('');
+}
+/**
+ * Mirror of `apiBaseFromIssuer` but for the web app. Used in the
+ * "manage tokens at <url>" hint above.
+ *
+ *   dev:  https://dev.ritualapp.cloud
+ *   prod: https://app.ritualapp.cloud  (matches the legacy domain)
+ */
+function webAppUrlFromIssuer(issuer) {
+    try {
+        const u = new URL(issuer);
+        const host = u.host;
+        if (host.startsWith('auth.dev.'))
+            return 'https://dev.ritualapp.cloud';
+        if (host === 'auth.ritualapp.cloud')
+            return 'https://app.ritualapp.cloud';
+        // Self-hosted / enterprise — replace auth. with app.
+        return `https://${host.replace(/^auth\./, 'app.')}`;
+    }
+    catch {
+        return 'https://app.ritualapp.cloud';
+    }
+}
+//# sourceMappingURL=init.js.map

package/dist/commands/init.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":";;AAuDA,kCAsIC;AA7LD,0CAAoD;AACpD,kDAAgE;AAChE,gDAAgD;AAChD,qDAGgC;AAChC,uDAAsE;AACtE,+DAGqC;AACrC,kDAA2E;AA2CpE,KAAK,UAAU,WAAW,CAAC,OAAoB,EAAE;IACvD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;IAC3E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,mEAAmE;IACnE,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,qBAAS,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO;IACR,CAAC;IAED,oEAAoE;IACpE,MAAM,WAAW,GAAG,MAAM,IAAA,4BAAmB,GAAE,CAAC;IAEhD,IAAI,WAAW,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,kEAAkE,CAAC,CAAC;QAClF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACR,CAAC;IACD,IAAI,WAAW,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QAC7C,OAAO,CAAC,KAAK,CAAC,kEAAkE,CAAC,CAAC;QAClF,OAAO,CAAC,KAAK,CAAC,eAAe,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC;QACnD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACR,CAAC;IAED,oEAAoE;IACpE,IAAI,OAA0B,CAAC;IAE/B,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,QAAQ,GAAG,IAAA,4BAAgB,EAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,sBAAsB,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;YAClD,OAAO,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;YACnE,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAClB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACR,CAAC;QACD,+DAA+D;QAC/D,6DAA6D;QAC7D,qBAAqB;QACrB,OAAO,GAAG;YACT;gBACC,EAAE,EAAE,QAAQ,CAAC,EAAE;gBACf,IAAI,EAAE,QAAQ,CAAC,IAAI;gBACnB,QAAQ,EAAE,IAAI;gBACd,QAAQ;aACR;SACD,CAAC;IACH,CAAC;SAAM,CAAC;QACP,MAAM,GAAG,GAAG,IAAA,uBAAY,GAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,0DAA0D;YAC1D,wDAAwD;YACxD,kDAAkD;YAClD,MAAM,cAAc,GAAG,IAAA,4BAAgB,EAAC,aAAa,CAAE,CAAC;YACxD,OAAO,GAAG;gBACT;oBACC,EAAE,EAAE,cAAc,CAAC,EAAE;oBACrB,IAAI,EAAE,cAAc,CAAC,IAAI;oBACzB,QAAQ,EAAE,KAAK;oBACf,QAAQ,EAAE,cAAc;iBACxB;aACD,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;YAC5D,OAAO,CAAC,GAAG,CAAC,mBAAmB,cAAc,CAAC,IAAI,0CAA0C,CAAC,CAAC;YAC9F,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;aAAM,CAAC;YACP,OAAO,GAAG,QAAQ,CAAC;YACnB,OAAO,CAAC,GAAG,CAAC,cAAc,QAAQ,CAAC,MAAM,cAAc,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACjG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;IACF,CAAC;IAED,oEAAoE;IACpE,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC;IACxC,MAAM,GAAG,GAAG,IAAI,sBAAS,CAAC;QACzB,MAAM;QACN,WAAW,EAAE,WAAW,CAAC,WAAW;KACpC,CAAC,CAAC;IACH,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,MAAM,CAAC,CAAC;IAExC,IAAI,GAA6C,CAAC;IAClD,IAAI,CAAC;QACJ,GAAG,GAAG,MAAM,IAAA,wBAAY,EAAC,EAAE,GAAG,EAAE,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,oCAAqC,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5E,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACR,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACtC,OAAO,CAAC,GAAG,CAAC,yBAAyB,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;IACpF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,oEAAoE;IACpE,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAC7C,MAAM,WAAW,GAAiB,EAAE,CAAC;IACrC,MAAM,mBAAmB,GAAyB,EAAE,CAAC;IAErD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACzB,WAAW,CAAC,IAAI,CAAC,IAAA,kCAAqB,EAAC,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC;QAChE,mBAAmB,CAAC,IAAI,CACvB,IAAA,oCAAoB,EAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,CAAC,cAAc,EAAE,CAAC,CAC5E,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACpC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAE,CAAC;QACvE,MAAM,GAAG,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAE,CAAC;QAC9E,MAAM,YAAY,GACjB,IAAI,CAAC,MAAM,GAAG,CAAC;YACd,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,QAAQ,CAAC,eAAe,GAAG;YAC5D,CAAC,CAAC,mBAAmB,IAAI,CAAC,MAAM,IAAI,SAAS,GAAG,CAAC;QACnD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO;YAC7B,CAAC,CAAC,uBAAuB;YACzB,CAAC,CAAC,wBAAwB,GAAG,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QACtC,OAAO,CAAC,GAAG,CAAC,SAAS,YAAY,EAAE,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,SAAS,UAAU,EAAE,CAAC,CAAC;IACpC,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,yEAAyE,CAAC,CAAC;IACvF,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;IACpE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AACjB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,MAAc;IAC1C,IAAI,CAAC;QACJ,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1B,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;QACpB,IAAI,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC;YAAE,OAAO,6BAA6B,CAAC;QACvE,IAAI,IAAI,KAAK,sBAAsB;YAAE,OAAO,6BAA6B,CAAC;QAC1E,qDAAqD;QACrD,OAAO,WAAW,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,CAAC;IACrD,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,6BAA6B,CAAC;IACtC,CAAC;AACF,CAAC"}

package/dist/commands/login.js

@@ -0,0 +1,63 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loginCommand = loginCommand;
+const open_1 = __importDefault(require("open"));
+const oidc_1 = require("../lib/oidc");
+const config_1 = require("../lib/config");
+const DEFAULT_ISSUER = process.env.RITUAL_KEYCLOAK_URL ?? 'https://auth.ritualapp.cloud/realms/ritual';
+const DEFAULT_CLIENT_ID = process.env.RITUAL_KEYCLOAK_CLIENT_ID ?? 'ritual-cli';
+const DEFAULT_SCOPE = 'openid profile email ritual:read ritual:write';
+/**
+ * `ritual login` — browser-based Auth Code + PKCE flow against
+ * Keycloak. On success, stores the access + refresh tokens in
+ * `~/.config/ritual/credentials.json` for subsequent commands.
+ *
+ * Defaults point at production (`auth.ritualapp.cloud`); override via
+ * `--issuer https://auth.dev.ritualapp.cloud/realms/ritual` for dev,
+ * or set `RITUAL_KEYCLOAK_URL` env var.
+ */
+async function loginCommand(options) {
+    const issuer = options.issuer ?? DEFAULT_ISSUER;
+    const clientId = options.clientId ?? DEFAULT_CLIENT_ID;
+    console.log('');
+    console.log('  Ritual — sign in');
+    console.log('');
+    let tokenSet;
+    try {
+        tokenSet = await (0, oidc_1.performLoginFlow)({ issuer, clientId, scope: DEFAULT_SCOPE }, (url) => (0, open_1.default)(url), (msg) => console.log(`  ${msg}`));
+    }
+    catch (err) {
+        console.error('');
+        console.error(`  ✗ Login failed: ${err.message}`);
+        process.exitCode = 1;
+        return;
+    }
+    const claims = (0, oidc_1.decodeJwtPayloadUnsafe)(tokenSet.access_token);
+    const creds = {
+        version: 1,
+        issuer,
+        clientId,
+        tokenSet: {
+            access_token: tokenSet.access_token,
+            refresh_token: tokenSet.refresh_token,
+            expires_at: Math.floor(Date.now() / 1000) + tokenSet.expires_in,
+            id_token: tokenSet.id_token,
+            scope: tokenSet.scope,
+        },
+        user: claims
+            ? { sub: claims.sub, email: claims.email ?? claims.preferred_username }
+            : undefined,
+    };
+    (0, config_1.saveCredentials)(creds);
+    const display = creds.user?.email ?? creds.user?.sub ?? 'unknown';
+    console.log('');
+    console.log(`  ✓ Signed in as ${display}`);
+    console.log('');
+    console.log('  Your AI coding agent can now connect to Ritual via MCP.');
+    console.log('  Run `ritual whoami` to confirm session details.');
+    console.log('');
+}
+//# sourceMappingURL=login.js.map

package/dist/commands/login.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/commands/login.ts"],"names":[],"mappings":";;;;;AAuBA,oCAkDC;AAzED,gDAAwB;AACxB,sCAAuE;AACvE,0CAAqE;AAOrE,MAAM,cAAc,GACnB,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,4CAA4C,CAAC;AACjF,MAAM,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,IAAI,YAAY,CAAC;AAChF,MAAM,aAAa,GAAG,+CAA+C,CAAC;AAEtE;;;;;;;;GAQG;AACI,KAAK,UAAU,YAAY,CAAC,OAAqB;IACvD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,cAAc,CAAC;IAChD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,iBAAiB,CAAC;IAEvD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,IAAI,QAAQ,CAAC;IACb,IAAI,CAAC;QACJ,QAAQ,GAAG,MAAM,IAAA,uBAAgB,EAChC,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,aAAa,EAAE,EAC1C,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,cAAI,EAAC,GAAG,CAAC,EAClB,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,CAAC,CAChC,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,qBAAsB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACR,CAAC;IAED,MAAM,MAAM,GAAG,IAAA,6BAAsB,EACpC,QAAQ,CAAC,YAAY,CACrB,CAAC;IAEF,MAAM,KAAK,GAAmB;QAC7B,OAAO,EAAE,CAAC;QACV,MAAM;QACN,QAAQ;QACR,QAAQ,EAAE;YACT,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,aAAa,EAAE,QAAQ,CAAC,aAAa;YACrC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,QAAQ,CAAC,UAAU;YAC/D,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,KAAK,EAAE,QAAQ,CAAC,KAAK;SACrB;QACD,IAAI,EAAE,MAAM;YACX,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,kBAAkB,EAAE;YACvE,CAAC,CAAC,SAAS;KACZ,CAAC;IACF,IAAA,wBAAe,EAAC,KAAK,CAAC,CAAC;IAEvB,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,GAAG,IAAI,SAAS,CAAC;IAClE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;IAC3C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;IACzE,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;IACjE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AACjB,CAAC"}

package/dist/commands/logout.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.logoutCommand = logoutCommand;
+const config_1 = require("../lib/config");
+/**
+ * `ritual logout` — clears local credentials. Does NOT call Keycloak's
+ * end-session endpoint — that's a browser-side concept; clearing local
+ * tokens is what matters from a CLI perspective. The user can sign out
+ * of the realm session itself via the web app.
+ */
+async function logoutCommand() {
+    const had = (0, config_1.loadCredentials)();
+    (0, config_1.clearCredentials)();
+    console.log('');
+    if (had) {
+        const display = had.user?.email ?? had.user?.sub ?? 'unknown';
+        console.log(`  ✓ Signed out (${display}).`);
+    }
+    else {
+        console.log('  No active session — nothing to clear.');
+    }
+    console.log(`  Credentials path: ${(0, config_1.getCredentialsPath)()}`);
+    console.log('');
+}
+//# sourceMappingURL=logout.js.map

package/dist/commands/logout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../src/commands/logout.ts"],"names":[],"mappings":";;AAQA,sCAYC;AApBD,0CAAsF;AAEtF;;;;;GAKG;AACI,KAAK,UAAU,aAAa;IAClC,MAAM,GAAG,GAAG,IAAA,wBAAe,GAAE,CAAC;IAC9B,IAAA,yBAAgB,GAAE,CAAC;IACnB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,IAAI,GAAG,EAAE,CAAC;QACT,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,KAAK,IAAI,GAAG,CAAC,IAAI,EAAE,GAAG,IAAI,SAAS,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,mBAAmB,OAAO,IAAI,CAAC,CAAC;IAC7C,CAAC;SAAM,CAAC;QACP,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;IACxD,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAA,2BAAkB,GAAE,EAAE,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AACjB,CAAC"}

package/dist/commands/refresh.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.refreshCommand = refreshCommand;
+const config_1 = require("../lib/config");
+/**
+ * `ritual refresh` — force-refresh the cached access token using the
+ * stored refresh token. Mostly useful for scripting + debugging
+ * (e.g. "I want to confirm my refresh token still works without
+ * waiting for the access token to expire").
+ *
+ * Most subcommands don't need this — they call `getValidAccessToken()`
+ * which refreshes lazily on demand.
+ */
+async function refreshCommand() {
+    console.log('');
+    const status = await (0, config_1.getValidAccessToken)();
+    if (status.kind === 'not-signed-in') {
+        console.log('  Not signed in. Run `ritual login` to authenticate.');
+        console.log('');
+        process.exitCode = 1;
+        return;
+    }
+    if (status.kind === 're-auth-required') {
+        console.log('  ✗ Refresh failed.');
+        console.log(`    Reason: ${status.reason}`);
+        console.log('    Run `ritual login` to sign in again.');
+        console.log(`    Credentials path: ${(0, config_1.getCredentialsPath)()}`);
+        console.log('');
+        process.exitCode = 1;
+        return;
+    }
+    const display = status.creds.user?.email ?? status.creds.user?.sub ?? 'unknown';
+    const expiresInSec = status.creds.tokenSet.expires_at - Math.floor(Date.now() / 1000);
+    if (status.refreshed) {
+        console.log(`  ✓ Refreshed token for ${display} (valid for ${expiresInSec}s)`);
+    }
+    else {
+        console.log(`  Token still fresh for ${display} (${expiresInSec}s remaining) — no refresh needed.`);
+    }
+    console.log('');
+}
+//# sourceMappingURL=refresh.js.map

package/dist/commands/refresh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../src/commands/refresh.ts"],"names":[],"mappings":";;AAWA,wCAgCC;AA3CD,0CAAwE;AAExE;;;;;;;;GAQG;AACI,KAAK,UAAU,cAAc;IACnC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,MAAM,IAAA,4BAAmB,GAAE,CAAC;IAE3C,IAAI,MAAM,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;QACpE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACR,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;QACnC,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,yBAAyB,IAAA,2BAAkB,GAAE,EAAE,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACR,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,GAAG,IAAI,SAAS,CAAC;IAChF,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEtF,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,2BAA2B,OAAO,eAAe,YAAY,IAAI,CAAC,CAAC;IAChF,CAAC;SAAM,CAAC;QACP,OAAO,CAAC,GAAG,CACV,2BAA2B,OAAO,KAAK,YAAY,mCAAmC,CACtF,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AACjB,CAAC"}

package/dist/commands/whoami.js

@@ -0,0 +1,52 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.whoamiCommand = whoamiCommand;
+const config_1 = require("../lib/config");
+/**
+ * `ritual whoami` — print the active session's identity + token
+ * status. Calls `getValidAccessToken()` so an expired access token
+ * is transparently refreshed first; the user sees current state, not
+ * stale state.
+ *
+ * Three terminal states:
+ *   - signed-in:        print identity + token expiry
+ *   - not-signed-in:    suggest `ritual login`
+ *   - re-auth-required: refresh failed; clear hint to re-login
+ */
+async function whoamiCommand() {
+    console.log('');
+    const status = await (0, config_1.getValidAccessToken)();
+    if (status.kind === 'not-signed-in') {
+        console.log('  Not signed in. Run `ritual login` to authenticate.');
+        console.log('');
+        process.exitCode = 1;
+        return;
+    }
+    if (status.kind === 're-auth-required') {
+        console.log('  ✗ Session expired and refresh failed.');
+        console.log(`    Reason: ${status.reason}`);
+        console.log('    Run `ritual login` to sign in again.');
+        console.log(`    Credentials path: ${(0, config_1.getCredentialsPath)()}`);
+        console.log('');
+        process.exitCode = 1;
+        return;
+    }
+    const { creds, refreshed } = status;
+    const display = creds.user?.email ?? creds.user?.sub ?? 'unknown';
+    const issuerHost = (() => {
+        try {
+            return new URL(creds.issuer).host;
+        }
+        catch {
+            return creds.issuer;
+        }
+    })();
+    const expiresInSec = creds.tokenSet.expires_at - Math.floor(Date.now() / 1000);
+    console.log(`  Signed in as: ${display}`);
+    console.log(`  Issuer:       ${issuerHost}`);
+    console.log(`  Client:       ${creds.clientId}`);
+    console.log(`  Scopes:       ${creds.tokenSet.scope ?? '(none)'}`);
+    console.log(`  Access token: ✓ valid (expires in ${expiresInSec > 0 ? `${expiresInSec}s` : 'expired'})${refreshed ? ' — auto-refreshed' : ''}`);
+    console.log('');
+}
+//# sourceMappingURL=whoami.js.map

package/dist/commands/whoami.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"whoami.js","sourceRoot":"","sources":["../../src/commands/whoami.ts"],"names":[],"mappings":";;AAaA,sCAwCC;AArDD,0CAAwE;AAExE;;;;;;;;;;GAUG;AACI,KAAK,UAAU,aAAa;IAClC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,MAAM,IAAA,4BAAmB,GAAE,CAAC;IAE3C,IAAI,MAAM,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;QACpE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACR,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,yBAAyB,IAAA,2BAAkB,GAAE,EAAE,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACR,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IACpC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,GAAG,IAAI,SAAS,CAAC;IAClE,MAAM,UAAU,GAAG,CAAC,GAAG,EAAE;QACxB,IAAI,CAAC;YACJ,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,KAAK,CAAC,MAAM,CAAC;QACrB,CAAC;IACF,CAAC,CAAC,EAAE,CAAC;IACL,MAAM,YAAY,GAAG,KAAK,CAAC,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAE/E,OAAO,CAAC,GAAG,CAAC,mBAAmB,OAAO,EAAE,CAAC,CAAC;IAC1C,OAAO,CAAC,GAAG,CAAC,mBAAmB,UAAU,EAAE,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,mBAAmB,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;IACjD,OAAO,CAAC,GAAG,CAAC,mBAAmB,KAAK,CAAC,QAAQ,CAAC,KAAK,IAAI,QAAQ,EAAE,CAAC,CAAC;IACnE,OAAO,CAAC,GAAG,CACV,uCAAuC,YAAY,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,YAAY,GAAG,CAAC,CAAC,CAAC,SAAS,IAAI,SAAS,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,EAAE,EAAE,CAClI,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AACjB,CAAC"}

package/dist/index.js

@@ -0,0 +1,51 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const commander_1 = require("commander");
+const login_1 = require("./commands/login");
+const logout_1 = require("./commands/logout");
+const whoami_1 = require("./commands/whoami");
+const refresh_1 = require("./commands/refresh");
+const init_1 = require("./commands/init");
+const doctor_1 = require("./commands/doctor");
+const program = new commander_1.Command();
+program
+    .name('ritual')
+    .description('Ritual CLI — connect AI coding agents to Ritual Cloud. ' +
+    'Scaffold skills, register MCP servers, manage sessions.')
+    .version('0.3.0');
+// `init` is the headline command: scaffold + register against every
+// detected agent. Listed first so `ritual --help` surfaces it.
+program
+    .command('init')
+    .description('Scaffold Ritual skills + register MCP server with every detected AI coding agent')
+    .option('--agent <id>', 'Restrict to one agent (e.g. claude-code, cursor, kiro)')
+    .option('--list', 'List known agents and exit')
+    .action(init_1.initCommand);
+program
+    .command('login')
+    .description('Authenticate with Ritual via your browser')
+    .option('--issuer <url>', 'OIDC issuer (defaults to https://auth.ritualapp.cloud/realms/ritual or RITUAL_KEYCLOAK_URL env)')
+    .option('--client-id <id>', 'OIDC client id (defaults to "ritual-cli" or RITUAL_KEYCLOAK_CLIENT_ID env)')
+    .action(login_1.loginCommand);
+program
+    .command('logout')
+    .description('Clear local credentials')
+    .action(logout_1.logoutCommand);
+program
+    .command('whoami')
+    .description('Show current session info (auto-refreshes token if expired)')
+    .action(whoami_1.whoamiCommand);
+program
+    .command('refresh')
+    .description('Force-refresh the cached access token using the stored refresh token')
+    .action(refresh_1.refreshCommand);
+program
+    .command('doctor')
+    .description('Sanity check the CLI environment: credentials, endpoints, detected agents')
+    .action(doctor_1.doctorCommand);
+program.parseAsync(process.argv).catch((err) => {
+    console.error(`\n  ✗ ${err.message}\n`);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAEA,yCAAoC;AACpC,4CAAgD;AAChD,8CAAkD;AAClD,8CAAkD;AAClD,gDAAoD;AACpD,0CAA8C;AAC9C,8CAAkD;AAElD,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACL,IAAI,CAAC,QAAQ,CAAC;KACd,WAAW,CACX,yDAAyD;IACxD,yDAAyD,CAC1D;KACA,OAAO,CAAC,OAAO,CAAC,CAAC;AAEnB,oEAAoE;AACpE,+DAA+D;AAC/D,OAAO;KACL,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,kFAAkF,CAAC;KAC/F,MAAM,CAAC,cAAc,EAAE,wDAAwD,CAAC;KAChF,MAAM,CAAC,QAAQ,EAAE,4BAA4B,CAAC;KAC9C,MAAM,CAAC,kBAAW,CAAC,CAAC;AAEtB,OAAO;KACL,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,2CAA2C,CAAC;KACxD,MAAM,CACN,gBAAgB,EAChB,iGAAiG,CACjG;KACA,MAAM,CACN,kBAAkB,EAClB,4EAA4E,CAC5E;KACA,MAAM,CAAC,oBAAY,CAAC,CAAC;AAEvB,OAAO;KACL,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,yBAAyB,CAAC;KACtC,MAAM,CAAC,sBAAa,CAAC,CAAC;AAExB,OAAO;KACL,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,6DAA6D,CAAC;KAC1E,MAAM,CAAC,sBAAa,CAAC,CAAC;AAExB,OAAO;KACL,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,sEAAsE,CAAC;KACnF,MAAM,CAAC,wBAAc,CAAC,CAAC;AAEzB,OAAO;KACL,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,2EAA2E,CAAC;KACxF,MAAM,CAAC,sBAAa,CAAC,CAAC;AAExB,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,GAAU,EAAE,EAAE;IACrD,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;IACxC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACjB,CAAC,CAAC,CAAC"}