@runa-ai/runa-cli 0.5.26

package/dist/utils/license/allowlist-checker.d.ts

@@ -0,0 +1,56 @@
+/**
+ * AI HINT: Allowlist API Checker
+ *
+ * Purpose: Check CI access allowlist via API
+ * Pattern: HTTP fetch with caching + last-known-good fallback
+ *
+ * Design decisions:
+ * - 4-hour cache TTL (fast revocation response)
+ * - Last-known-good fallback on API errors (persisted 24h)
+ * - Timeout to prevent hanging CI
+ *
+ * Fail-open strategy:
+ * - API available: Use live response, cache result
+ * - API error + cached result exists: Use cached result (last-known-good)
+ * - API error + no cached result: Throw error (fail closed for new orgs)
+ *
+ * This prevents both:
+ * 1. Blocking legitimate users due to API outages (last-known-good)
+ * 2. Allowing unauthorized access during outages (no cache = fail closed)
+ *
+ * SECURITY (Issue #376):
+ * - URL validation prevents SSRF attacks
+ * - Only HTTPS allowed (except localhost for testing)
+ * - Internal network addresses blocked (127.0.0.0/8, 10.0.0.0/8, etc.)
+ * - Cloud metadata endpoints blocked (169.254.169.254)
+ */
+/**
+ * Check if an owner is in the allowlist
+ *
+ * Strategy:
+ * 1. Check cache (within 4h TTL) → return cached result
+ * 2. Try API → cache result, return
+ * 3. API failed + last-known-good (within 24h) → return cached result
+ * 4. API failed + no cache → throw error (fail closed)
+ *
+ * @param owner - GitHub organization or user name
+ * @returns true if allowed, false otherwise
+ * @throws Error on API failure WITH no last-known-good fallback
+ */
+export declare function checkAllowlist(owner: string): Promise<boolean>;
+/**
+ * Clear the allowlist cache
+ *
+ * @internal For testing purposes
+ */
+export declare function clearAllowlistCache(): void;
+/**
+ * Get cache stats
+ *
+ * @internal For debugging purposes
+ */
+export declare function getAllowlistCacheStats(): {
+    size: number;
+    entries: string[];
+};
+//# sourceMappingURL=allowlist-checker.d.ts.map

package/dist/utils/license/allowlist-checker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"allowlist-checker.d.ts","sourceRoot":"","sources":["../../../src/utils/license/allowlist-checker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AA6KH;;;;;;;;;;;;GAYG;AACH,wBAAsB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAmEpE;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,IAAI;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,EAAE,CAAA;CAAE,CAK5E"}

package/dist/utils/license/ci-detector.d.ts

@@ -0,0 +1,43 @@
+/**
+ * AI HINT: CI Environment Detection
+ *
+ * Purpose: Detect if running in CI environment and identify provider
+ * Pattern: Check common CI environment variables
+ *
+ * Supported providers:
+ * - GitHub Actions
+ * - GitLab CI
+ * - CircleCI
+ * - Jenkins
+ * - Travis CI
+ * - Bitbucket Pipelines
+ * - Azure Pipelines
+ * - AWS CodeBuild
+ * - Google Cloud Build
+ * - Vercel
+ * - Netlify
+ */
+import type { CIDetectionResult } from './types.js';
+/**
+ * Detect if running in CI environment
+ *
+ * Checks:
+ * 1. Generic CI=true environment variable
+ * 2. Provider-specific environment variables
+ *
+ * @returns true if running in CI
+ */
+export declare function isCI(): boolean;
+/**
+ * Detect the specific CI provider
+ *
+ * @returns Provider name or undefined if not detected
+ */
+export declare function detectCIProvider(): string | undefined;
+/**
+ * Full CI detection with provider info
+ *
+ * @returns Detection result with isCI flag and optional provider
+ */
+export declare function detectCI(): CIDetectionResult;
+//# sourceMappingURL=ci-detector.d.ts.map

package/dist/utils/license/ci-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ci-detector.d.ts","sourceRoot":"","sources":["../../../src/utils/license/ci-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAyCpD;;;;;;;;GAQG;AACH,wBAAgB,IAAI,IAAI,OAAO,CAc9B;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,GAAG,SAAS,CAarD;AAED;;;;GAIG;AACH,wBAAgB,QAAQ,IAAI,iBAAiB,CAM5C"}

package/dist/utils/license/index.d.ts

@@ -0,0 +1,49 @@
+/**
+ * AI HINT: License Enforcement Module
+ *
+ * Purpose: CI access control for runa CLI
+ * Pattern: Allowlist model with trusted org (r06-dev) always allowed
+ *
+ * Design decisions:
+ * - r06-dev: Instant allow, NO API call, NO log (zero-impact)
+ * - External org: API check via allowlist with last-known-good fallback
+ * - Fail-open strategy:
+ *   - API available: Use live response
+ *   - API error + cached: Use last-known-good (24h window)
+ *   - API error + no cache: Fail closed (new orgs blocked during outage)
+ * - Escape hatch: RUNA_SKIP_LICENSE_CHECK=1 bypasses all checks
+ *
+ * Security model:
+ * - Known orgs protected during outages (last-known-good)
+ * - Unknown orgs cannot bypass by causing outages (fail closed)
+ */
+import type { LicenseCheckResult } from './types.js';
+/**
+ * Perform license check and return result
+ *
+ * @internal Used by enforceLicenseInCI()
+ */
+export declare function checkLicense(): Promise<LicenseCheckResult>;
+/**
+ * Enforce license check in CI environments
+ *
+ * Call this at CLI startup to enforce access control.
+ *
+ * Behavior:
+ * - Local dev: Skip silently
+ * - r06-dev: Skip silently (no API, no log)
+ * - External org in allowlist: Allow (with 4h cache)
+ * - External org NOT in allowlist: Throw CLIError
+ * - API error + last-known-good: Use cached result (24h window)
+ * - API error + no cache: Block (fail closed for unknown orgs)
+ *
+ * @throws CLIError when access is denied
+ */
+export declare function enforceLicenseInCI(): Promise<void>;
+export type { LicenseCheckResult, OwnerResolutionResult, CIDetectionResult } from './types.js';
+export { isCI, detectCI, detectCIProvider } from './ci-detector.js';
+export { resolveGitHubOwner } from './owner-resolver.js';
+export { checkAllowlist, clearAllowlistCache, getAllowlistCacheStats, } from './allowlist-checker.js';
+export { validateOwner, isValidOwner } from './validate-owner.js';
+export { verifyAdminAuth, getGitHubUserEmail, clearAdminAuthCache } from './admin-auth.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/utils/license/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/utils/license/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAOH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAerD;;;;GAIG;AACH,wBAAsB,YAAY,IAAI,OAAO,CAAC,kBAAkB,CAAC,CAoDhE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,IAAI,CAAC,CAMxD;AAGD,YAAY,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC/F,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAClE,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/utils/license/owner-resolver.d.ts

@@ -0,0 +1,35 @@
+/**
+ * AI HINT: GitHub Owner Resolution
+ *
+ * Purpose: Resolve GitHub organization/user from CI environment
+ * Pattern: Try multiple sources in priority order
+ *
+ * SECURITY (Issue #375):
+ * - Git remote URL is PRIORITIZED over environment variables
+ * - Environment variables can be spoofed; git remote requires repo access
+ * - When using CI env vars, we verify the corresponding CI provider flag is set
+ * - This prevents GITHUB_REPOSITORY spoofing without GITHUB_ACTIONS=true
+ *
+ * Resolution methods (in order):
+ * 1. Git remote: Parse origin URL (MOST TRUSTWORTHY)
+ * 2. GitHub Actions: GITHUB_REPOSITORY env var (requires GITHUB_ACTIONS=true)
+ * 3. GitLab CI: CI_PROJECT_PATH env var (requires GITLAB_CI=true)
+ * 4. CircleCI: CIRCLE_PROJECT_USERNAME env var (requires CIRCLECI=true)
+ */
+import type { OwnerResolutionResult } from './types.js';
+/**
+ * Resolve GitHub owner from CI environment or git remote
+ *
+ * SECURITY (Issue #375): Git remote is prioritized over environment variables
+ * because it cannot be spoofed without actual repository access.
+ *
+ * Tries multiple sources in priority order:
+ * 1. Git remote origin URL (MOST TRUSTWORTHY - requires repo access)
+ * 2. GitHub Actions GITHUB_REPOSITORY (requires GITHUB_ACTIONS=true)
+ * 3. GitLab CI CI_PROJECT_PATH (requires GITLAB_CI=true)
+ * 4. CircleCI CIRCLE_PROJECT_USERNAME (requires CIRCLECI=true)
+ *
+ * @returns Owner resolution result or null if not found
+ */
+export declare function resolveGitHubOwner(): Promise<OwnerResolutionResult | null>;
+//# sourceMappingURL=owner-resolver.d.ts.map

package/dist/utils/license/owner-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"owner-resolver.d.ts","sourceRoot":"","sources":["../../../src/utils/license/owner-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAuHxD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAsBhF"}

package/dist/utils/license/types.d.ts

@@ -0,0 +1,42 @@
+/**
+ * AI HINT: License Check Type Definitions
+ *
+ * Purpose: Type definitions for CI access control
+ * Pattern: Allowlist model - r06-dev always allowed, others checked via API
+ */
+/**
+ * Result of CI environment detection
+ */
+export interface CIDetectionResult {
+    /** Whether running in CI environment */
+    isCI: boolean;
+    /** Detected CI provider name (e.g., 'github-actions', 'gitlab-ci') */
+    provider?: string;
+}
+/**
+ * Result of GitHub owner resolution
+ */
+export interface OwnerResolutionResult {
+    /** GitHub organization or user name */
+    owner: string;
+    /** Repository name (optional) */
+    repo?: string;
+    /** Resolution method used */
+    source: 'github-env' | 'gitlab-env' | 'git-remote' | 'circleci-env';
+}
+/**
+ * Result of license check
+ */
+export interface LicenseCheckResult {
+    /** Whether access is allowed */
+    allowed: boolean;
+    /** Reason for the decision */
+    reason: LicenseCheckReason;
+    /** Resolved owner (if available) */
+    owner?: string;
+}
+/**
+ * Reasons for license check decisions
+ */
+export type LicenseCheckReason = 'not-ci' | 'trusted-org' | 'allowlist' | 'not-found' | 'error' | 'skip-flag';
+//# sourceMappingURL=types.d.ts.map

package/dist/utils/license/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/utils/license/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,wCAAwC;IACxC,IAAI,EAAE,OAAO,CAAC;IACd,sEAAsE;IACtE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,uCAAuC;IACvC,KAAK,EAAE,MAAM,CAAC;IACd,iCAAiC;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,6BAA6B;IAC7B,MAAM,EAAE,YAAY,GAAG,YAAY,GAAG,YAAY,GAAG,cAAc,CAAC;CACrE;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,gCAAgC;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,8BAA8B;IAC9B,MAAM,EAAE,kBAAkB,CAAC;IAC3B,oCAAoC;IACpC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,QAAQ,GACR,aAAa,GACb,WAAW,GACX,WAAW,GACX,OAAO,GACP,WAAW,CAAC"}

package/dist/utils/license/validate-owner.d.ts

@@ -0,0 +1,33 @@
+/**
+ * AI HINT: GitHub Owner Validation
+ *
+ * Purpose: Validate GitHub organization/user name format
+ * Pattern: Shared validation utility for allowlist operations
+ *
+ * GitHub username rules:
+ * - 1-39 characters (we use 100 for flexibility with enterprise)
+ * - Alphanumeric and hyphens only
+ * - Cannot start or end with hyphen
+ * - Case-insensitive
+ */
+/**
+ * Validate GitHub owner format
+ *
+ * @param owner - GitHub organization or user name
+ * @throws CLIError if owner format is invalid
+ *
+ * @example
+ * validateOwner('acme-corp');  // OK
+ * validateOwner('myorg');      // OK
+ * validateOwner('-invalid');   // Throws
+ * validateOwner('');           // Throws
+ */
+export declare function validateOwner(owner: string): void;
+/**
+ * Check if owner format is valid without throwing
+ *
+ * @param owner - GitHub organization or user name
+ * @returns true if valid, false otherwise
+ */
+export declare function isValidOwner(owner: string): boolean;
+//# sourceMappingURL=validate-owner.d.ts.map

package/dist/utils/license/validate-owner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-owner.d.ts","sourceRoot":"","sources":["../../../src/utils/license/validate-owner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAeH;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAkBjD;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAKnD"}

package/dist/utils/port-allocator.d.ts

@@ -0,0 +1,59 @@
+/**
+ * AI HINT: Dynamic port allocation for Supabase local development
+ *
+ * Purpose: Prevent port conflicts when running multiple pj-repos simultaneously.
+ * Since pj-repos cannot share state, we use a deterministic hash-based approach
+ * where the project path determines the port offset.
+ *
+ * Port ranges (10 ports per slot, 100 slots):
+ *   Slot 0:  54321-54330
+ *   Slot 1:  54331-54340
+ *   ...
+ *   Slot 99: 55311-55320
+ *
+ * Port assignments within a slot:
+ *   +0: API (Kong gateway)
+ *   +1: DB (PostgreSQL)
+ *   +2: Studio
+ *   +3: Inbucket (email testing)
+ *   +4: JWT verification
+ *   +5: Auth
+ *   +6: REST (PostgREST)
+ *   +7: Realtime
+ *   +8: Storage
+ *   +9: Reserved
+ */
+export interface SupabasePorts {
+    api: number;
+    db: number;
+    studio: number;
+    inbucket: number;
+    auth: number;
+    rest: number;
+    realtime: number;
+    storage: number;
+    shadow: number;
+}
+/**
+ * Calculate port offset from project path using MD5 hash.
+ * Same path always produces same offset (deterministic).
+ */
+export declare function calculatePortOffset(projectPath: string): number;
+/**
+ * Get Supabase ports for a project based on its path.
+ */
+export declare function getSupabasePorts(projectPath: string): SupabasePorts;
+/**
+ * Update supabase/config.toml with allocated ports.
+ * Preserves other settings and comments.
+ */
+export declare function updateSupabaseConfigPorts(projectPath: string): {
+    updated: boolean;
+    ports: SupabasePorts;
+    configPath: string;
+};
+/**
+ * Get a human-readable summary of port allocation.
+ */
+export declare function getPortAllocationSummary(projectPath: string): string;
+//# sourceMappingURL=port-allocator.d.ts.map

package/dist/utils/port-allocator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"port-allocator.d.ts","sourceRoot":"","sources":["../../src/utils/port-allocator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAUH,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAI/D;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,aAAa,CAenE;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG;IAC9D,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,aAAa,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;CACpB,CAwCA;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAYpE"}

package/dist/utils/secure-exec.d.ts

@@ -0,0 +1,95 @@
+/**
+ * AI HINT: Secure Binary Execution Utility
+ *
+ * Purpose: Prevent PATH manipulation attacks by resolving and validating binary paths
+ * Security: Resolves binary paths once, caches results, validates before execution
+ *
+ * Pattern:
+ * 1. Resolve binary path using `which` command (or platform equivalent)
+ * 2. Cache resolved paths for performance
+ * 3. Validate binary exists and is executable before use
+ * 4. Use absolute path in execa calls
+ *
+ * @see Issue #380 - User-controlled path binary execution vulnerability
+ */
+import { type Options as ExecaOptions, type ResultPromise } from 'execa';
+/**
+ * Known trusted binaries that the CLI may execute.
+ * Only binaries in this list can be resolved and executed.
+ */
+export declare const TRUSTED_BINARIES: readonly ["node", "pnpm", "npm", "npx", "git", "gh", "vercel", "supabase", "docker", "psql", "turbo", "biome", "lsof", "runa"];
+export type TrustedBinary = (typeof TRUSTED_BINARIES)[number];
+/**
+ * Clear the binary path cache.
+ * Useful for testing or when PATH changes.
+ */
+export declare function clearBinaryPathCache(): void;
+/**
+ * Resolve a binary name to its absolute path.
+ *
+ * SECURITY:
+ * - Only resolves binaries in the TRUSTED_BINARIES list
+ * - Uses PATH environment variable for resolution
+ * - Validates the resolved path is executable
+ * - Caches results with TTL to prevent repeated lookups
+ *
+ * @throws Error if binary is not trusted or not found
+ */
+export declare function resolveBinaryPath(binaryName: string): string;
+/**
+ * Check if a binary is available without throwing.
+ */
+export declare function isBinaryAvailable(binaryName: string): boolean;
+/**
+ * Execute a trusted binary with resolved absolute path.
+ *
+ * SECURITY: This function:
+ * 1. Validates the binary is in the trusted list
+ * 2. Resolves the absolute path (not relying on shell PATH)
+ * 3. Validates the path is executable
+ * 4. Passes the absolute path to execa
+ *
+ * @param binaryName - Name of the trusted binary to execute
+ * @param args - Arguments to pass to the binary
+ * @param options - execa options
+ * @returns execa result promise
+ */
+export declare function secureExeca(binaryName: TrustedBinary, args?: readonly string[], options?: ExecaOptions): ResultPromise;
+/**
+ * Execute a command relative to node_modules/.bin
+ * This is for locally installed packages.
+ *
+ * SECURITY: Only executes from the project's node_modules/.bin directory.
+ */
+export declare function secureExecaLocal(binaryName: string, args?: readonly string[], options?: ExecaOptions & {
+    cwd?: string;
+}): ResultPromise;
+/**
+ * Execute pnpm with secure path resolution.
+ */
+export declare function securePnpm(args?: readonly string[], options?: ExecaOptions): ResultPromise;
+/**
+ * Execute git with secure path resolution.
+ */
+export declare function secureGit(args?: readonly string[], options?: ExecaOptions): ResultPromise;
+/**
+ * Execute gh (GitHub CLI) with secure path resolution.
+ */
+export declare function secureGh(args?: readonly string[], options?: ExecaOptions): ResultPromise;
+/**
+ * Execute vercel with secure path resolution.
+ */
+export declare function secureVercel(args?: readonly string[], options?: ExecaOptions): ResultPromise;
+/**
+ * Execute supabase with secure path resolution.
+ */
+export declare function secureSupabase(args?: readonly string[], options?: ExecaOptions): ResultPromise;
+/**
+ * Execute docker with secure path resolution.
+ */
+export declare function secureDocker(args?: readonly string[], options?: ExecaOptions): ResultPromise;
+/**
+ * Execute psql with secure path resolution.
+ */
+export declare function securePsql(args?: readonly string[], options?: ExecaOptions): ResultPromise;
+//# sourceMappingURL=secure-exec.d.ts.map

package/dist/utils/secure-exec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-exec.d.ts","sourceRoot":"","sources":["../../src/utils/secure-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,OAAO,EAAE,KAAK,OAAO,IAAI,YAAY,EAAE,KAAK,aAAa,EAAS,MAAM,OAAO,CAAC;AAMhF;;;GAGG;AACH,eAAO,MAAM,gBAAgB,gIAenB,CAAC;AAEX,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC;AAgB9D;;;GAGG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C;AA+CD;;;;;;;;;;GAUG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAuC5D;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAO7D;AAMD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,WAAW,CACzB,UAAU,EAAE,aAAa,EACzB,IAAI,GAAE,SAAS,MAAM,EAAO,EAC5B,OAAO,CAAC,EAAE,YAAY,GACrB,aAAa,CAGf;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,SAAS,MAAM,EAAO,EAC5B,OAAO,CAAC,EAAE,YAAY,GAAG;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GACxC,aAAa,CAaf;AAMD;;GAEG;AACH,wBAAgB,UAAU,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE9F;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE7F;AAED;;GAEG;AACH,wBAAgB,QAAQ,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE5F;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAEhG;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,IAAI,GAAE,SAAS,MAAM,EAAO,EAC5B,OAAO,CAAC,EAAE,YAAY,GACrB,aAAa,CAEf;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAEhG;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,IAAI,GAAE,SAAS,MAAM,EAAO,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,aAAa,CAE9F"}

package/dist/utils/template-fetcher.d.ts

@@ -0,0 +1,63 @@
+/**
+ * AI HINT: Template Fetcher Utility
+ *
+ * Purpose: Fetch templates from @r06-dev/runa-templates (GitHub Packages)
+ * Used by: init.ts, upgrade.ts (Admin commands only)
+ *
+ * Authentication Flow:
+ * ┌─────────────────────────────────────────────────────────────────┐
+ * │ 1. Check workspace (runa-repo development)                      │
+ * │    └─ Found → Use local packages/runa-templates/ (no auth)      │
+ * │                                                                 │
+ * │ 2. Try auto-detect NODE_AUTH_TOKEN                              │
+ * │    ├─ Already set → Continue                                    │
+ * │    └─ Not set → Try `gh auth token` command                     │
+ * │        ├─ Success → Set NODE_AUTH_TOKEN and continue            │
+ * │        └─ Fail → CLIError with setup instructions               │
+ * │                                                                 │
+ * │ 3. Check cache (~/.cache/runa/templates/{version}/)             │
+ * │    └─ Hit → Return cached path (no network)                     │
+ * │                                                                 │
+ * │ 4. Fetch from GitHub Packages                                   │
+ * │    └─ Success → Cache and return path                           │
+ * └─────────────────────────────────────────────────────────────────┘
+ *
+ * Token Sources (precedence order):
+ * 1. NODE_AUTH_TOKEN env var (explicit)
+ * 2. `gh auth token` command (GitHub CLI auto-detection)
+ * 3. Manual PAT creation (fallback instructions in error)
+ *
+ * Cache Location: ~/.cache/runa/templates/{version}/templates/
+ * Cache Invalidation: --fresh flag or version change
+ */
+export interface FetchTemplatesOptions {
+    /** Templates version to fetch (default: COMPATIBLE_TEMPLATES_VERSION) */
+    version?: string;
+    /** Clear cache and re-fetch */
+    fresh?: boolean;
+    /** Show verbose output */
+    verbose?: boolean;
+}
+export interface FetchTemplatesResult {
+    /** Path to the fetched templates directory */
+    templatesDir: string;
+    /** Version that was fetched */
+    version: string;
+    /** Whether templates were served from cache */
+    cached: boolean;
+}
+/**
+ * Fetch templates from GitHub Packages.
+ *
+ * SECURITY: Token handling is scoped to this operation only.
+ * Auto-detected tokens are cleaned up after fetch completes.
+ *
+ * @param options - Fetch options
+ * @returns Path to templates directory and metadata
+ */
+export declare function fetchTemplates(options?: FetchTemplatesOptions): Promise<FetchTemplatesResult>;
+/**
+ * Clear templates cache.
+ */
+export declare function clearTemplatesCache(): Promise<void>;
+//# sourceMappingURL=template-fetcher.d.ts.map

package/dist/utils/template-fetcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"template-fetcher.d.ts","sourceRoot":"","sources":["../../src/utils/template-fetcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAcH,MAAM,WAAW,qBAAqB;IACpC,yEAAyE;IACzE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,0BAA0B;IAC1B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,oBAAoB;IACnC,8CAA8C;IAC9C,YAAY,EAAE,MAAM,CAAC;IACrB,+BAA+B;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,+CAA+C;IAC/C,MAAM,EAAE,OAAO,CAAC;CACjB;AA6MD;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAClC,OAAO,GAAE,qBAA0B,GAClC,OAAO,CAAC,oBAAoB,CAAC,CAgF/B;AAkCD;;GAEG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,IAAI,CAAC,CAKzD"}

package/dist/utils/type-guards.d.ts

@@ -0,0 +1,25 @@
+/**
+ * AI HINT: Common type guards for CLI
+ *
+ * Purpose: Reusable type guards shared across commands
+ * Design: Pure functions, no dependencies
+ */
+import type { Ora } from 'ora';
+/**
+ * Execa error structure
+ */
+export interface ExecaError extends Error {
+    stdout?: string;
+    stderr?: string;
+    exitCode?: number;
+    command?: string;
+}
+/**
+ * Type guard for ExecaError
+ */
+export declare function isExecaError(error: unknown): error is ExecaError;
+/**
+ * Type guard for spinner (Ora instance)
+ */
+export declare function isSpinner(spinner: unknown): spinner is Ora;
+//# sourceMappingURL=type-guards.d.ts.map

package/dist/utils/type-guards.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"type-guards.d.ts","sourceRoot":"","sources":["../../src/utils/type-guards.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,KAAK,CAAC;AAE/B;;GAEG;AACH,MAAM,WAAW,UAAW,SAAQ,KAAK;IACvC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,UAAU,CAEhE;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,IAAI,GAAG,CAQ1D"}

package/dist/utils/vercel-project.d.ts

@@ -0,0 +1,38 @@
+/**
+ * AI HINT: Vercel Project Information Helper
+ *
+ * Purpose: Fetch Vercel project settings (Root Directory, etc.) via CLI
+ * Design: Uses `vercel project inspect` output parsing
+ *
+ * Usage:
+ *   const info = await getVercelProjectInfo();
+ *   // info.rootDirectory = 'apps/dashboard'
+ *
+ * Requirements:
+ *   - Vercel CLI installed
+ *   - Vercel authentication (vercel login or VERCEL_TOKEN)
+ *   - Linked project (.vercel/project.json or VERCEL_PROJECT_ID)
+ */
+export interface VercelProjectInfo {
+    id: string;
+    name: string;
+    owner: string;
+    rootDirectory: string | null;
+    nodeVersion: string | null;
+    frameworkPreset: string | null;
+}
+/**
+ * Get Vercel project information via CLI
+ *
+ * @returns Project info or null if not available
+ */
+export declare function getVercelProjectInfo(): Promise<VercelProjectInfo | null>;
+/**
+ * Get Vercel project root directory
+ *
+ * Convenience function for common use case
+ *
+ * @returns Root directory path (e.g., 'apps/dashboard') or null
+ */
+export declare function getVercelRootDirectory(): Promise<string | null>;
+//# sourceMappingURL=vercel-project.d.ts.map

package/dist/utils/vercel-project.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vercel-project.d.ts","sourceRoot":"","sources":["../../src/utils/vercel-project.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAIH,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAkB9E;AA4ED;;;;;;GAMG;AACH,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAGrE"}

package/dist/utils/workspace-detector.d.ts

@@ -0,0 +1,71 @@
+/**
+ * AI HINT: Workspace and package detection utility
+ *
+ * Purpose: Smart detection of workspace structure and package locations
+ * Design: Zero-config, works in both runa-repo (workspace) and pj-repo (npm installed)
+ *
+ * Key Features:
+ * - Finds workspace root by looking for workspace markers (uses @runa-ai/runa)
+ * - Locates packages by name without hardcoded paths
+ * - Detects environment (runa-repo vs pj-repo)
+ * - Falls back gracefully to conventions
+ *
+ * Security Features (Issue #383):
+ * - Package name validation (no path traversal sequences)
+ * - Path boundary validation (resolved paths must be within workspace)
+ * - Pattern validation for workspace yaml
+ */
+/**
+ * Environment type detection
+ */
+export type Environment = 'runa-repo' | 'pj-repo' | 'unknown';
+/**
+ * Find workspace root by looking up the directory tree
+ * Uses @runa-ai/runa implementation with stopAtGitRoot option
+ *
+ * @param from - Starting directory (defaults to cwd)
+ * @returns Workspace root path or null if not in workspace
+ */
+export declare function findWorkspaceRoot(from?: string): string | null;
+/**
+ * Find package directory by name
+ *
+ * Search strategy:
+ * 1. Workspace packages (if in workspace)
+ * 2. node_modules/@runa/{packageName}
+ * 3. Conventional locations (e.g., packages/{packageName})
+ *
+ * SECURITY: Validates package name before searching to prevent path traversal attacks
+ *
+ * @param packageName - Package name (e.g., "database", "sdk")
+ * @param from - Starting directory (defaults to cwd)
+ * @returns Package directory path or null if not found
+ */
+export declare function findPackage(packageName: string, from?: string): string | null;
+/**
+ * Detect current environment
+ *
+ * Detection logic:
+ * - runa-repo: In workspace with @runa-ai/runa-cli and @runa-ai/runa packages
+ * - pj-repo: Has @runa-ai/runa in node_modules but not in workspace
+ * - unknown: No runa packages found
+ */
+export declare function detectEnvironment(from?: string): Environment;
+/**
+ * Find runa.config.ts location
+ *
+ * Search strategy:
+ * 1. Current directory
+ * 2. Workspace root (if in workspace)
+ * 3. Walk up to git root
+ */
+export declare function findRunaConfig(from?: string): string | null;
+/**
+ * Get package info from package.json
+ */
+export declare function getPackageInfo(packagePath: string): {
+    name: string;
+    version: string;
+    main?: string;
+} | null;
+//# sourceMappingURL=workspace-detector.d.ts.map

package/dist/utils/workspace-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-detector.d.ts","sourceRoot":"","sources":["../../src/utils/workspace-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAyHH;;GAEG;AACH,MAAM,MAAM,WAAW,GAAG,WAAW,GAAG,SAAS,GAAG,SAAS,CAAC;AAE9D;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,GAAE,MAAsB,GAAG,MAAM,GAAG,IAAI,CAE7E;AAuLD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,WAAW,CAAC,WAAW,EAAE,MAAM,EAAE,IAAI,GAAE,MAAsB,GAAG,MAAM,GAAG,IAAI,CAgB5F;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,GAAE,MAAsB,GAAG,WAAW,CAoB3E;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,IAAI,GAAE,MAAsB,GAAG,MAAM,GAAG,IAAI,CAwB1E;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,WAAW,EAAE,MAAM,GAAG;IACnD,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,GAAG,IAAI,CAgBP"}