@ritualai/cli 0.3.0

package/dist/lib/agents/configure-mcp.js

@@ -0,0 +1,127 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.configureMcpForAgent = configureMcpForAgent;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const node_child_process_1 = require("node:child_process");
+/**
+ * MCP server registration for one agent.
+ *
+ * Today we register one server, named `ritual`, against
+ * `https://mcp.ritualapp.cloud/mcp` (prod) or
+ * `https://mcp.dev.ritualapp.cloud/mcp` (dev) — using a long-lived
+ * Personal Access Token as the bearer.
+ *
+ * Why a PAT and not the user's OAuth access token:
+ *   The OAuth access token from `ritual login` expires every 5-15
+ *   minutes. If we wrote that into the agent's config, the agent
+ *   would 401 within minutes and the user would have to re-init.
+ *   PATs are designed for exactly this — long-lived, scoped,
+ *   revocable per-device tokens. Mint once, agent uses for months.
+ *
+ * The PAT is created with a name like "Ritual CLI — {hostname}" so
+ * the user can see in the management UI which device it's bound to
+ * and revoke per-device if they suspect compromise.
+ */
+const SERVER_NAME = 'ritual';
+/**
+ * Register an MCP server with one agent.
+ *
+ * Returns a result object rather than throwing because the CLI calls
+ * this in a loop across all detected agents — one failure shouldn't
+ * abort the rest. The user can re-run for the failed agent.
+ */
+function configureMcpForAgent(provider, registration) {
+    try {
+        if (provider.mcpConfigMethod === 'cli-command') {
+            configureViaCliCommand(provider, registration);
+        }
+        else {
+            configureViaJsonFile(provider, registration);
+        }
+        return { provider, success: true };
+    }
+    catch (err) {
+        return {
+            provider,
+            success: false,
+            reason: err.message,
+        };
+    }
+}
+/**
+ * Claude Code path: shell out to `claude mcp add-json --scope user`.
+ *
+ * We re-register idempotently by removing-then-adding (the CLI errors
+ * on a duplicate name). The `try/catch` around remove is intentional —
+ * "not found" is fine; we just want a clean slate.
+ */
+function configureViaCliCommand(_provider, registration) {
+    const config = {
+        type: 'http',
+        url: registration.url,
+        headers: { Authorization: `Bearer ${registration.token}` },
+    };
+    // 1. Remove any existing entry, swallowing errors.
+    try {
+        (0, node_child_process_1.execSync)(`claude mcp remove ${SERVER_NAME} --scope user`, { stdio: 'pipe' });
+    }
+    catch {
+        /* not found — fine */
+    }
+    // 2. Add the fresh entry. Escape the JSON for the shell.
+    // Using single-quote wrap is safe because the JSON contains no
+    // single quotes (object keys + string values are all double-quoted
+    // in JSON-stringify output).
+    const json = JSON.stringify(config);
+    (0, node_child_process_1.execSync)(`claude mcp add-json --scope user ${SERVER_NAME} '${json}'`, {
+        stdio: 'pipe',
+    });
+}
+/**
+ * JSON-file path: read existing config (if any), merge in our server
+ * entry, write back.
+ *
+ * We tolerate corrupted JSON by treating it as an empty file. The
+ * user's other (broken) config is preserved on disk under a `.bak`
+ * sibling so we never silently destroy state we don't understand.
+ */
+function configureViaJsonFile(provider, registration) {
+    if (!provider.mcpConfigPath) {
+        throw new Error(`${provider.name} is json-file but has no mcpConfigPath`);
+    }
+    const filePath = provider.mcpConfigPath;
+    const serversKey = provider.mcpConfigKey ?? 'mcpServers';
+    let config = {};
+    if ((0, node_fs_1.existsSync)(filePath)) {
+        const raw = (0, node_fs_1.readFileSync)(filePath, 'utf-8');
+        try {
+            config = JSON.parse(raw);
+        }
+        catch {
+            // Preserve the broken file before we overwrite it.
+            (0, node_fs_1.writeFileSync)(`${filePath}.bak`, raw);
+            config = {};
+        }
+    }
+    if (typeof config[serversKey] !== 'object' || config[serversKey] === null) {
+        config[serversKey] = {};
+    }
+    const servers = config[serversKey];
+    servers[SERVER_NAME] = {
+        type: 'http',
+        url: registration.url,
+        headers: { Authorization: `Bearer ${registration.token}` },
+    };
+    (0, node_fs_1.mkdirSync)((0, node_path_1.dirname)(filePath), { recursive: true });
+    (0, node_fs_1.writeFileSync)(filePath, JSON.stringify(config, null, 2) + '\n', 'utf-8');
+    // chmod 0600 — config contains a Bearer token; only the user
+    // should be able to read it. No-op on Windows.
+    try {
+        (0, node_fs_1.chmodSync)(filePath, 0o600);
+    }
+    catch {
+        /* ignore */
+    }
+}
+//# sourceMappingURL=configure-mcp.js.map

package/dist/lib/agents/configure-mcp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"configure-mcp.js","sourceRoot":"","sources":["../../../src/lib/agents/configure-mcp.ts"],"names":[],"mappings":";;AA0DA,oDAkBC;AA5ED,qCAMiB;AACjB,yCAAoC;AACpC,2DAA8C;AAG9C;;;;;;;;;;;;;;;;;;GAkBG;AAEH,MAAM,WAAW,GAAG,QAAQ,CAAC;AAoB7B;;;;;;GAMG;AACH,SAAgB,oBAAoB,CACnC,QAAuB,EACvB,YAA6B;IAE7B,IAAI,CAAC;QACJ,IAAI,QAAQ,CAAC,eAAe,KAAK,aAAa,EAAE,CAAC;YAChD,sBAAsB,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAChD,CAAC;aAAM,CAAC;YACP,oBAAoB,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACpC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,OAAO;YACN,QAAQ;YACR,OAAO,EAAE,KAAK;YACd,MAAM,EAAG,GAAa,CAAC,OAAO;SAC9B,CAAC;IACH,CAAC;AACF,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAC9B,SAAwB,EACxB,YAA6B;IAE7B,MAAM,MAAM,GAAG;QACd,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,YAAY,CAAC,GAAG;QACrB,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,YAAY,CAAC,KAAK,EAAE,EAAE;KAC1D,CAAC;IAEF,mDAAmD;IACnD,IAAI,CAAC;QACJ,IAAA,6BAAQ,EAAC,qBAAqB,WAAW,eAAe,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IAC9E,CAAC;IAAC,MAAM,CAAC;QACR,sBAAsB;IACvB,CAAC;IAED,yDAAyD;IACzD,+DAA+D;IAC/D,mEAAmE;IACnE,6BAA6B;IAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACpC,IAAA,6BAAQ,EAAC,oCAAoC,WAAW,KAAK,IAAI,GAAG,EAAE;QACrE,KAAK,EAAE,MAAM;KACb,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,oBAAoB,CAC5B,QAAuB,EACvB,YAA6B;IAE7B,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,CAAC,IAAI,wCAAwC,CAAC,CAAC;IAC3E,CAAC;IACD,MAAM,QAAQ,GAAG,QAAQ,CAAC,aAAa,CAAC;IACxC,MAAM,UAAU,GAAG,QAAQ,CAAC,YAAY,IAAI,YAAY,CAAC;IAEzD,IAAI,MAAM,GAA4B,EAAE,CAAC;IACzC,IAAI,IAAA,oBAAU,EAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC;YACJ,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACR,mDAAmD;YACnD,IAAA,uBAAa,EAAC,GAAG,QAAQ,MAAM,EAAE,GAAG,CAAC,CAAC;YACtC,MAAM,GAAG,EAAE,CAAC;QACb,CAAC;IACF,CAAC;IAED,IAAI,OAAO,MAAM,CAAC,UAAU,CAAC,KAAK,QAAQ,IAAI,MAAM,CAAC,UAAU,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3E,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;IACzB,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,CAA4B,CAAC;IAC9D,OAAO,CAAC,WAAW,CAAC,GAAG;QACtB,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,YAAY,CAAC,GAAG;QACrB,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,YAAY,CAAC,KAAK,EAAE,EAAE;KAC1D,CAAC;IAEF,IAAA,mBAAS,EAAC,IAAA,mBAAO,EAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,IAAA,uBAAa,EAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IACzE,6DAA6D;IAC7D,+CAA+C;IAC/C,IAAI,CAAC;QACJ,IAAA,mBAAS,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACR,YAAY;IACb,CAAC;AACF,CAAC"}

package/dist/lib/agents/detector.js

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectAgents = detectAgents;
+exports.detectedAgents = detectedAgents;
+const providers_1 = require("./providers");
+/**
+ * Probe every known agent. Returns the full list in the order they
+ * appear in `PROVIDERS` (deterministic — useful for snapshot tests).
+ *
+ * Caller usually filters to `.detected === true`; we return the full
+ * list so `ritual doctor` can also report "Cursor: not detected".
+ */
+function detectAgents() {
+    return providers_1.PROVIDERS.map((p) => {
+        let detected;
+        try {
+            detected = p.detect();
+        }
+        catch {
+            // Any thrown error during detection → treat as not detected.
+            // Detection probes touch the filesystem and shell out; we
+            // never want a transient EBUSY / EACCES to break `ritual init`.
+            detected = false;
+        }
+        return { id: p.id, name: p.name, detected, provider: p };
+    });
+}
+/** Just the agents we detected — convenience for `init`. */
+function detectedAgents() {
+    return detectAgents().filter((r) => r.detected);
+}
+//# sourceMappingURL=detector.js.map

package/dist/lib/agents/detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"detector.js","sourceRoot":"","sources":["../../../src/lib/agents/detector.ts"],"names":[],"mappings":";;AA0BA,oCAaC;AAGD,wCAEC;AA5CD,2CAA4D;AAmB5D;;;;;;GAMG;AACH,SAAgB,YAAY;IAC3B,OAAO,qBAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAC1B,IAAI,QAAiB,CAAC;QACtB,IAAI,CAAC;YACJ,QAAQ,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACR,6DAA6D;YAC7D,0DAA0D;YAC1D,gEAAgE;YAChE,QAAQ,GAAG,KAAK,CAAC;QAClB,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;IAC1D,CAAC,CAAC,CAAC;AACJ,CAAC;AAED,4DAA4D;AAC5D,SAAgB,cAAc;IAC7B,OAAO,YAAY,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;AACjD,CAAC"}

package/dist/lib/agents/providers.js

@@ -0,0 +1,118 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PROVIDERS = void 0;
+exports.findProviderById = findProviderById;
+const node_fs_1 = require("node:fs");
+const node_os_1 = require("node:os");
+const node_path_1 = require("node:path");
+const node_child_process_1 = require("node:child_process");
+/**
+ * Tiny helper: is `cmd` on the PATH? Used by the detectors below.
+ *
+ * We use `which`/`where` rather than spawning the agent because some
+ * agents print interactive output on `--version`, and we don't want to
+ * pollute the user's terminal during detection.
+ */
+function commandExists(cmd) {
+    try {
+        const which = process.platform === 'win32' ? 'where' : 'which';
+        (0, node_child_process_1.execSync)(`${which} ${cmd}`, { stdio: 'pipe' });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * The canonical agent registry. Order is significant: `ritual init`
+ * iterates this list to write skills, so agents that share parent
+ * directories (e.g. Cursor + Windsurf both use `.cursor/rules` source
+ * format) appear in their preferred order.
+ *
+ * To add a new agent: append to this array. Detection + paths are
+ * self-contained; nothing else in the CLI needs to know about it.
+ */
+exports.PROVIDERS = [
+    {
+        name: 'Claude Code',
+        id: 'claude-code',
+        // `claude` on PATH OR ~/.claude dir present. The directory check
+        // covers fresh installs where the user hasn't symlinked the
+        // binary into PATH yet (homebrew + manual installs both).
+        detect: () => commandExists('claude') || (0, node_fs_1.existsSync)((0, node_path_1.join)((0, node_os_1.homedir)(), '.claude')),
+        projectSkillDir: '.claude/skills',
+        packageSkillDir: 'skills/claude-code',
+        // `claude mcp add-json` writes to ~/.claude.json itself; we
+        // shell out so we don't fight its config-file format.
+        mcpConfigMethod: 'cli-command',
+    },
+    {
+        name: 'Cursor',
+        id: 'cursor',
+        detect: () => (0, node_fs_1.existsSync)((0, node_path_1.join)((0, node_os_1.homedir)(), '.cursor')),
+        projectSkillDir: '.cursor/rules',
+        packageSkillDir: 'skills/cursor',
+        mcpConfigMethod: 'json-file',
+        mcpConfigPath: (0, node_path_1.join)((0, node_os_1.homedir)(), '.cursor', 'mcp.json'),
+    },
+    {
+        name: 'Windsurf',
+        id: 'windsurf',
+        // Windsurf is Codeium's IDE; the dotdir is `.codeium`.
+        detect: () => (0, node_fs_1.existsSync)((0, node_path_1.join)((0, node_os_1.homedir)(), '.codeium')),
+        projectSkillDir: '.windsurf/rules',
+        // Windsurf accepts the same rules format Cursor does, so we ship
+        // the same bundle.
+        packageSkillDir: 'skills/cursor',
+        mcpConfigMethod: 'json-file',
+        mcpConfigPath: (0, node_path_1.join)((0, node_os_1.homedir)(), '.codeium', 'windsurf', 'mcp_config.json'),
+    },
+    {
+        name: 'Kiro',
+        id: 'kiro',
+        detect: () => (0, node_fs_1.existsSync)((0, node_path_1.join)((0, node_os_1.homedir)(), '.kiro')) || commandExists('kiro'),
+        projectSkillDir: '.kiro/skills',
+        packageSkillDir: 'skills/kiro',
+        mcpConfigMethod: 'json-file',
+        mcpConfigPath: (0, node_path_1.join)((0, node_os_1.homedir)(), '.kiro', 'mcp.json'),
+    },
+    {
+        name: 'Gemini CLI',
+        id: 'gemini',
+        detect: () => (0, node_fs_1.existsSync)((0, node_path_1.join)((0, node_os_1.homedir)(), '.gemini')) || commandExists('gemini'),
+        projectSkillDir: '.gemini/skills',
+        packageSkillDir: 'skills/gemini',
+        mcpConfigMethod: 'json-file',
+        mcpConfigPath: (0, node_path_1.join)((0, node_os_1.homedir)(), '.gemini', 'mcp.json'),
+    },
+    {
+        name: 'VS Code (Copilot)',
+        id: 'vscode',
+        // `code` CLI or ~/.vscode dir. VS Code's MCP support comes via
+        // the GitHub Copilot Chat extension; the config path is the
+        // same regardless.
+        detect: () => commandExists('code') || (0, node_fs_1.existsSync)((0, node_path_1.join)((0, node_os_1.homedir)(), '.vscode')),
+        projectSkillDir: '.github/copilot/skills',
+        packageSkillDir: 'skills/vscode',
+        mcpConfigMethod: 'json-file',
+        mcpConfigPath: (0, node_path_1.join)((0, node_os_1.homedir)(), '.vscode', 'mcp.json'),
+        // VS Code's quirk: top-level key is `servers`, not `mcpServers`.
+        mcpConfigKey: 'servers',
+    },
+    {
+        name: 'Codex',
+        id: 'codex',
+        // Codex (the OpenAI coding agent — not the deprecated model)
+        // reads `.agents/` config from the user's home or project.
+        detect: () => (0, node_fs_1.existsSync)((0, node_path_1.join)((0, node_os_1.homedir)(), '.codex')) || commandExists('codex'),
+        projectSkillDir: '.agents/skills',
+        packageSkillDir: 'skills/codex',
+        mcpConfigMethod: 'json-file',
+        mcpConfigPath: (0, node_path_1.join)((0, node_os_1.homedir)(), '.codex', 'mcp.json'),
+    },
+];
+/** Look up a provider by its kebab-case id, or undefined if unknown. */
+function findProviderById(id) {
+    return exports.PROVIDERS.find((p) => p.id === id);
+}
+//# sourceMappingURL=providers.js.map

package/dist/lib/agents/providers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"providers.js","sourceRoot":"","sources":["../../../src/lib/agents/providers.ts"],"names":[],"mappings":";;;AAmLA,4CAEC;AArLD,qCAAqC;AACrC,qCAAkC;AAClC,yCAAiC;AACjC,2DAA8C;AAqE9C;;;;;;GAMG;AACH,SAAS,aAAa,CAAC,GAAW;IACjC,IAAI,CAAC;QACJ,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;QAC/D,IAAA,6BAAQ,EAAC,GAAG,KAAK,IAAI,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,KAAK,CAAC;IACd,CAAC;AACF,CAAC;AAED;;;;;;;;GAQG;AACU,QAAA,SAAS,GAAoB;IACzC;QACC,IAAI,EAAE,aAAa;QACnB,EAAE,EAAE,aAAa;QACjB,iEAAiE;QACjE,4DAA4D;QAC5D,0DAA0D;QAC1D,MAAM,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,CAAC,CAAC;QAC/E,eAAe,EAAE,gBAAgB;QACjC,eAAe,EAAE,oBAAoB;QACrC,4DAA4D;QAC5D,sDAAsD;QACtD,eAAe,EAAE,aAAa;KAC9B;IACD;QACC,IAAI,EAAE,QAAQ;QACd,EAAE,EAAE,QAAQ;QACZ,MAAM,EAAE,GAAG,EAAE,CAAC,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,CAAC,CAAC;QACpD,eAAe,EAAE,eAAe;QAChC,eAAe,EAAE,eAAe;QAChC,eAAe,EAAE,WAAW;QAC5B,aAAa,EAAE,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,EAAE,UAAU,CAAC;KACrD;IACD;QACC,IAAI,EAAE,UAAU;QAChB,EAAE,EAAE,UAAU;QACd,uDAAuD;QACvD,MAAM,EAAE,GAAG,EAAE,CAAC,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,UAAU,CAAC,CAAC;QACrD,eAAe,EAAE,iBAAiB;QAClC,iEAAiE;QACjE,mBAAmB;QACnB,eAAe,EAAE,eAAe;QAChC,eAAe,EAAE,WAAW;QAC5B,aAAa,EAAE,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,UAAU,EAAE,UAAU,EAAE,iBAAiB,CAAC;KACzE;IACD;QACC,IAAI,EAAE,MAAM;QACZ,EAAE,EAAE,MAAM;QACV,MAAM,EAAE,GAAG,EAAE,CAAC,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,OAAO,CAAC,CAAC,IAAI,aAAa,CAAC,MAAM,CAAC;QAC3E,eAAe,EAAE,cAAc;QAC/B,eAAe,EAAE,aAAa;QAC9B,eAAe,EAAE,WAAW;QAC5B,aAAa,EAAE,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,OAAO,EAAE,UAAU,CAAC;KACnD;IACD;QACC,IAAI,EAAE,YAAY;QAClB,EAAE,EAAE,QAAQ;QACZ,MAAM,EAAE,GAAG,EAAE,CAAC,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,CAAC,CAAC,IAAI,aAAa,CAAC,QAAQ,CAAC;QAC/E,eAAe,EAAE,gBAAgB;QACjC,eAAe,EAAE,eAAe;QAChC,eAAe,EAAE,WAAW;QAC5B,aAAa,EAAE,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,EAAE,UAAU,CAAC;KACrD;IACD;QACC,IAAI,EAAE,mBAAmB;QACzB,EAAE,EAAE,QAAQ;QACZ,+DAA+D;QAC/D,4DAA4D;QAC5D,mBAAmB;QACnB,MAAM,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,CAAC,CAAC;QAC7E,eAAe,EAAE,wBAAwB;QACzC,eAAe,EAAE,eAAe;QAChC,eAAe,EAAE,WAAW;QAC5B,aAAa,EAAE,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,EAAE,UAAU,CAAC;QACrD,iEAAiE;QACjE,YAAY,EAAE,SAAS;KACvB;IACD;QACC,IAAI,EAAE,OAAO;QACb,EAAE,EAAE,OAAO;QACX,6DAA6D;QAC7D,2DAA2D;QAC3D,MAAM,EAAE,GAAG,EAAE,CAAC,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,QAAQ,CAAC,CAAC,IAAI,aAAa,CAAC,OAAO,CAAC;QAC7E,eAAe,EAAE,gBAAgB;QACjC,eAAe,EAAE,cAAc;QAC/B,eAAe,EAAE,WAAW;QAC5B,aAAa,EAAE,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,QAAQ,EAAE,UAAU,CAAC;KACpD;CACD,CAAC;AAEF,wEAAwE;AACxE,SAAgB,gBAAgB,CAAC,EAAU;IAC1C,OAAO,iBAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AAC3C,CAAC"}

package/dist/lib/api-client.js

@@ -0,0 +1,120 @@
+"use strict";
+/**
+ * Tiny HTTP client for calling the Ritual REST API from the CLI.
+ *
+ * We don't pull in axios / undici / etc. — global `fetch` (Node 20+,
+ * already in `package.json` engines) is enough for the handful of
+ * endpoints the CLI calls.
+ *
+ * The base URL is derived from the user's signed-in issuer so the dev
+ * CLI talks to dev API and prod talks to prod, without a second
+ * `--api-url` flag for the user to keep in sync.
+ *
+ *   issuer: https://auth.dev.ritualapp.cloud/realms/ritual
+ *   apiBase: https://api.dev.ritualapp.cloud
+ *
+ *   issuer: https://auth.ritualapp.cloud/realms/ritual
+ *   apiBase: https://api.ritualapp.cloud
+ *
+ * Override path for self-hosted: `RITUAL_API_URL` env var wins over
+ * the derivation above.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ApiClient = exports.ApiError = void 0;
+exports.apiBaseFromIssuer = apiBaseFromIssuer;
+exports.mcpUrlFromIssuer = mcpUrlFromIssuer;
+class ApiError extends Error {
+    status;
+    body;
+    constructor(status, body) {
+        super(`api error ${status}: ${body.slice(0, 200)}`);
+        this.status = status;
+        this.body = body;
+        this.name = 'ApiError';
+    }
+}
+exports.ApiError = ApiError;
+/**
+ * Map a Keycloak issuer URL to the matching Ritual API base URL.
+ *
+ *   - dev:  api.dev.ritualapp.cloud
+ *   - prod: api.ritualapp.cloud
+ *   - else: pulled from the issuer host, replacing `auth.` with `api.`
+ *     (lets self-hosted enterprise installs work without env var).
+ */
+function apiBaseFromIssuer(issuer) {
+    if (process.env.RITUAL_API_URL) {
+        return process.env.RITUAL_API_URL.replace(/\/$/, '');
+    }
+    try {
+        const u = new URL(issuer);
+        // auth.* → api.* (covers auth.ritualapp.cloud and
+        // auth.dev.ritualapp.cloud, plus enterprise patterns like
+        // auth.acme.com → api.acme.com).
+        const host = u.host.replace(/^auth\./, 'api.');
+        return `https://${host}`;
+    }
+    catch {
+        // Bad issuer URL — fall back to prod and let the request fail
+        // loudly with a real error message instead of crashing on URL
+        // parsing.
+        return 'https://api.ritualapp.cloud';
+    }
+}
+class ApiClient {
+    baseUrl;
+    accessToken;
+    constructor(cfg) {
+        this.baseUrl = cfg.apiUrlOverride ?? apiBaseFromIssuer(cfg.issuer);
+        this.accessToken = cfg.accessToken;
+    }
+    /** Convenience: the base URL we're calling. Surfaced for `doctor`. */
+    getBaseUrl() {
+        return this.baseUrl;
+    }
+    async post(path, body) {
+        const res = await fetch(`${this.baseUrl}${path}`, {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${this.accessToken}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify(body),
+        });
+        if (!res.ok) {
+            throw new ApiError(res.status, await res.text());
+        }
+        return (await res.json());
+    }
+    async get(path) {
+        const res = await fetch(`${this.baseUrl}${path}`, {
+            headers: { Authorization: `Bearer ${this.accessToken}` },
+        });
+        if (!res.ok) {
+            throw new ApiError(res.status, await res.text());
+        }
+        return (await res.json());
+    }
+}
+exports.ApiClient = ApiClient;
+/**
+ * Map the same issuer derivation to the MCP server URL.
+ *
+ *   - dev:  https://mcp.dev.ritualapp.cloud/mcp
+ *   - prod: https://mcp.ritualapp.cloud/mcp
+ *
+ * Override with `RITUAL_MCP_URL` env var.
+ */
+function mcpUrlFromIssuer(issuer) {
+    if (process.env.RITUAL_MCP_URL)
+        return process.env.RITUAL_MCP_URL;
+    try {
+        const u = new URL(issuer);
+        const host = u.host.replace(/^auth\./, 'mcp.');
+        return `https://${host}/mcp`;
+    }
+    catch {
+        return 'https://mcp.ritualapp.cloud/mcp';
+    }
+}
+//# sourceMappingURL=api-client.js.map

package/dist/lib/api-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../../src/lib/api-client.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;GAmBG;;;AA6BH,8CAiBC;AAkDD,4CASC;AA9FD,MAAa,QAAS,SAAQ,KAAK;IAEjB;IACA;IAFjB,YACiB,MAAc,EACd,IAAY;QAE5B,KAAK,CAAC,aAAa,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;QAHpC,WAAM,GAAN,MAAM,CAAQ;QACd,SAAI,GAAJ,IAAI,CAAQ;QAG5B,IAAI,CAAC,IAAI,GAAG,UAAU,CAAC;IACxB,CAAC;CACD;AARD,4BAQC;AAED;;;;;;;GAOG;AACH,SAAgB,iBAAiB,CAAC,MAAc;IAC/C,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC;QAChC,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,CAAC;QACJ,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1B,kDAAkD;QAClD,0DAA0D;QAC1D,iCAAiC;QACjC,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC/C,OAAO,WAAW,IAAI,EAAE,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACR,8DAA8D;QAC9D,8DAA8D;QAC9D,WAAW;QACX,OAAO,6BAA6B,CAAC;IACtC,CAAC;AACF,CAAC;AAED,MAAa,SAAS;IACJ,OAAO,CAAS;IAChB,WAAW,CAAS;IAErC,YAAY,GAAoB;QAC/B,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,cAAc,IAAI,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACnE,IAAI,CAAC,WAAW,GAAG,GAAG,CAAC,WAAW,CAAC;IACpC,CAAC;IAED,sEAAsE;IACtE,UAAU;QACT,OAAO,IAAI,CAAC,OAAO,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,IAAI,CAAI,IAAY,EAAE,IAAa;QACxC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE;YACjD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACR,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC3C,cAAc,EAAE,kBAAkB;aAClC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC1B,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACb,MAAM,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAM,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,GAAG,CAAI,IAAY;QACxB,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE;YACjD,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE,EAAE;SACxD,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACb,MAAM,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAM,CAAC;IAChC,CAAC;CACD;AAtCD,8BAsCC;AAED;;;;;;;GAOG;AACH,SAAgB,gBAAgB,CAAC,MAAc;IAC9C,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAClE,IAAI,CAAC;QACJ,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1B,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC/C,OAAO,WAAW,IAAI,MAAM,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,iCAAiC,CAAC;IAC1C,CAAC;AACF,CAAC"}

package/dist/lib/config.js

@@ -0,0 +1,154 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getCredentialsPath = getCredentialsPath;
+exports.loadCredentials = loadCredentials;
+exports.saveCredentials = saveCredentials;
+exports.clearCredentials = clearCredentials;
+exports.hasValidCredentials = hasValidCredentials;
+exports.getValidAccessToken = getValidAccessToken;
+const node_fs_1 = require("node:fs");
+const node_os_1 = require("node:os");
+const node_path_1 = require("node:path");
+const oidc_1 = require("./oidc");
+/**
+ * Local credentials store for the Ritual CLI.
+ *
+ * Credentials live at `~/.config/ritual/credentials.json` (XDG-friendly
+ * on Linux/macOS; uses HOME on Windows too — fine in practice). File
+ * is created with 0600 permissions so other users on a shared machine
+ * can't read it.
+ *
+ * The shape is small and stable across CLI versions:
+ *
+ *   {
+ *     "version": 1,
+ *     "issuer": "https://auth.ritualapp.cloud/realms/ritual",
+ *     "clientId": "ritual-cli",
+ *     "tokenSet": {
+ *       "access_token":  "...",
+ *       "refresh_token": "...",
+ *       "expires_at":    1700000000,    // unix seconds
+ *       "id_token":      "...",
+ *       "scope":         "openid profile email ritual:read ritual:write"
+ *     },
+ *     "user": {
+ *       "sub":   "kc-uuid",
+ *       "email": "alice@example.com"
+ *     }
+ *   }
+ *
+ * Older CLI versions reading a newer file ignore unknown fields; newer
+ * CLIs reading an older file run a tiny migration. We're at v1 so this
+ * is theoretical until v2.
+ */
+const CONFIG_DIR = (0, node_path_1.join)((0, node_os_1.homedir)(), '.config', 'ritual');
+const CREDS_PATH = (0, node_path_1.join)(CONFIG_DIR, 'credentials.json');
+function getCredentialsPath() {
+    return CREDS_PATH;
+}
+function loadCredentials() {
+    if (!(0, node_fs_1.existsSync)(CREDS_PATH))
+        return null;
+    try {
+        const raw = (0, node_fs_1.readFileSync)(CREDS_PATH, 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (parsed.version !== 1)
+            return null;
+        return parsed;
+    }
+    catch {
+        // Corrupt file — treat as no credentials. User can re-login.
+        return null;
+    }
+}
+function saveCredentials(creds) {
+    (0, node_fs_1.mkdirSync)((0, node_path_1.dirname)(CREDS_PATH), { recursive: true });
+    (0, node_fs_1.writeFileSync)(CREDS_PATH, JSON.stringify(creds, null, 2), 'utf-8');
+    // chmod 0600 — owner read/write only. No-op on Windows but
+    // harmless. Best-effort; some FS (e.g. on CI) may not honor it.
+    try {
+        (0, node_fs_1.chmodSync)(CREDS_PATH, 0o600);
+    }
+    catch {
+        /* ignore */
+    }
+}
+function clearCredentials() {
+    if ((0, node_fs_1.existsSync)(CREDS_PATH)) {
+        try {
+            (0, node_fs_1.unlinkSync)(CREDS_PATH);
+        }
+        catch {
+            /* ignore */
+        }
+    }
+}
+/** True if credentials exist AND the access token isn't expired. */
+function hasValidCredentials() {
+    const c = loadCredentials();
+    if (!c)
+        return false;
+    const nowSec = Math.floor(Date.now() / 1000);
+    return c.tokenSet.expires_at > nowSec + 30; // small buffer for clock skew
+}
+/**
+ * Return a valid access token, refreshing transparently if the cached
+ * one is expired. This is the primary entry point any subcommand
+ * should use to "get my Bearer token" — it hides the refresh logic
+ * from the call site.
+ *
+ * Behavior:
+ *   1. No creds on disk → `not-signed-in`
+ *   2. Access token still fresh (>30s buffer) → return as-is
+ *   3. Access token expired but refresh token present → exchange,
+ *      persist new tokens, return new access token
+ *   4. Refresh fails with 4xx → `re-auth-required` (refresh token
+ *      itself is dead; nothing left but to re-login)
+ *   5. Refresh fails with 5xx/network → throw (caller can retry)
+ */
+async function getValidAccessToken() {
+    const creds = loadCredentials();
+    if (!creds)
+        return { kind: 'not-signed-in' };
+    const nowSec = Math.floor(Date.now() / 1000);
+    if (creds.tokenSet.expires_at > nowSec + 30) {
+        return { kind: 'signed-in', accessToken: creds.tokenSet.access_token, creds, refreshed: false };
+    }
+    if (!creds.tokenSet.refresh_token) {
+        return {
+            kind: 're-auth-required',
+            reason: 'access token expired and no refresh token stored',
+        };
+    }
+    try {
+        const fresh = await (0, oidc_1.refreshTokens)({ issuer: creds.issuer, clientId: creds.clientId }, creds.tokenSet.refresh_token);
+        const claims = (0, oidc_1.decodeJwtPayloadUnsafe)(fresh.access_token);
+        const updated = {
+            ...creds,
+            tokenSet: {
+                access_token: fresh.access_token,
+                refresh_token: fresh.refresh_token ?? creds.tokenSet.refresh_token,
+                expires_at: Math.floor(Date.now() / 1000) + fresh.expires_in,
+                id_token: fresh.id_token ?? creds.tokenSet.id_token,
+                scope: fresh.scope ?? creds.tokenSet.scope,
+            },
+            user: claims
+                ? { sub: claims.sub, email: claims.email ?? claims.preferred_username }
+                : creds.user,
+        };
+        saveCredentials(updated);
+        return {
+            kind: 'signed-in',
+            accessToken: fresh.access_token,
+            creds: updated,
+            refreshed: true,
+        };
+    }
+    catch (err) {
+        if (err instanceof oidc_1.RefreshTokenError && err.status >= 400 && err.status < 500) {
+            return { kind: 're-auth-required', reason: err.message };
+        }
+        throw err;
+    }
+}
+//# sourceMappingURL=config.js.map

package/dist/lib/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":";;AAyDA,gDAEC;AAED,0CAWC;AAED,0CAUC;AAED,4CAQC;AAGD,kDAKC;AAiCD,kDAoDC;AA3LD,qCAAoG;AACpG,qCAAkC;AAClC,yCAA0C;AAC1C,iCAAkF;AAElF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,MAAM,UAAU,GAAG,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;AACxD,MAAM,UAAU,GAAG,IAAA,gBAAI,EAAC,UAAU,EAAE,kBAAkB,CAAC,CAAC;AAmBxD,SAAgB,kBAAkB;IACjC,OAAO,UAAU,CAAC;AACnB,CAAC;AAED,SAAgB,eAAe;IAC9B,IAAI,CAAC,IAAA,oBAAU,EAAC,UAAU,CAAC;QAAE,OAAO,IAAI,CAAC;IACzC,IAAI,CAAC;QACJ,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAmB,CAAC;QACjD,IAAI,MAAM,CAAC,OAAO,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACtC,OAAO,MAAM,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACR,6DAA6D;QAC7D,OAAO,IAAI,CAAC;IACb,CAAC;AACF,CAAC;AAED,SAAgB,eAAe,CAAC,KAAqB;IACpD,IAAA,mBAAS,EAAC,IAAA,mBAAO,EAAC,UAAU,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,IAAA,uBAAa,EAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACnE,2DAA2D;IAC3D,gEAAgE;IAChE,IAAI,CAAC;QACJ,IAAA,mBAAS,EAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACR,YAAY;IACb,CAAC;AACF,CAAC;AAED,SAAgB,gBAAgB;IAC/B,IAAI,IAAA,oBAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,IAAI,CAAC;YACJ,IAAA,oBAAU,EAAC,UAAU,CAAC,CAAC;QACxB,CAAC;QAAC,MAAM,CAAC;YACR,YAAY;QACb,CAAC;IACF,CAAC;AACF,CAAC;AAED,oEAAoE;AACpE,SAAgB,mBAAmB;IAClC,MAAM,CAAC,GAAG,eAAe,EAAE,CAAC;IAC5B,IAAI,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACrB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC7C,OAAO,CAAC,CAAC,QAAQ,CAAC,UAAU,GAAG,MAAM,GAAG,EAAE,CAAC,CAAC,8BAA8B;AAC3E,CAAC;AAkBD;;;;;;;;;;;;;;GAcG;AACI,KAAK,UAAU,mBAAmB;IACxC,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC;IAE7C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC7C,IAAI,KAAK,CAAC,QAAQ,CAAC,UAAU,GAAG,MAAM,GAAG,EAAE,EAAE,CAAC;QAC7C,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,KAAK,CAAC,QAAQ,CAAC,YAAY,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACjG,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;QACnC,OAAO;YACN,IAAI,EAAE,kBAAkB;YACxB,MAAM,EAAE,kDAAkD;SAC1D,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACJ,MAAM,KAAK,GAAG,MAAM,IAAA,oBAAa,EAChC,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,EAClD,KAAK,CAAC,QAAQ,CAAC,aAAa,CAC5B,CAAC;QACF,MAAM,MAAM,GAAG,IAAA,6BAAsB,EAIlC,KAAK,CAAC,YAAY,CAAC,CAAC;QACvB,MAAM,OAAO,GAAmB;YAC/B,GAAG,KAAK;YACR,QAAQ,EAAE;gBACT,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,aAAa,EAAE,KAAK,CAAC,aAAa,IAAI,KAAK,CAAC,QAAQ,CAAC,aAAa;gBAClE,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,KAAK,CAAC,UAAU;gBAC5D,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ;gBACnD,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK;aAC1C;YACD,IAAI,EAAE,MAAM;gBACX,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,kBAAkB,EAAE;gBACvE,CAAC,CAAC,KAAK,CAAC,IAAI;SACb,CAAC;QACF,eAAe,CAAC,OAAO,CAAC,CAAC;QACzB,OAAO;YACN,IAAI,EAAE,WAAW;YACjB,WAAW,EAAE,KAAK,CAAC,YAAY;YAC/B,KAAK,EAAE,OAAO;YACd,SAAS,EAAE,IAAI;SACf,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,IAAI,GAAG,YAAY,wBAAiB,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YAC/E,OAAO,EAAE,IAAI,EAAE,kBAAkB,EAAE,MAAM,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC;QAC1D,CAAC;QACD,MAAM,GAAG,CAAC;IACX,CAAC;AACF,CAAC"}