@selleragent/sa-admin 0.1.0

package/dist/cli.js

@@ -0,0 +1,1199 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const promises_1 = require("node:fs/promises");
+const node_path_1 = require("node:path");
+const client_sdk_1 = require("@selleragent/client-sdk");
+const auth_1 = require("./auth");
+const context_1 = require("./context");
+const help_1 = require("./help");
+const provisioning_1 = require("./provisioning");
+const rollout_1 = require("./rollout");
+const project_1 = require("./project");
+const render_1 = require("./render");
+function flagValue(args, name) {
+    const index = args.indexOf(name);
+    return index >= 0 ? args[index + 1] ?? null : null;
+}
+function flagValues(args, name) {
+    const values = [];
+    for (let index = 0; index < args.length; index += 1) {
+        if (args[index] === name && args[index + 1]) {
+            values.push(args[index + 1]);
+            index += 1;
+        }
+    }
+    return values;
+}
+function hasFlag(args, name) {
+    return args.includes(name);
+}
+function normalizeTelegramUsername(value) {
+    if (!value) {
+        return null;
+    }
+    const normalized = value.trim().replace(/^@/, '');
+    return normalized.length > 0 ? normalized : null;
+}
+function extractCommandTokens(args) {
+    const tokens = [];
+    for (const arg of args) {
+        if (arg.startsWith('-')) {
+            break;
+        }
+        tokens.push(arg);
+    }
+    return tokens;
+}
+function normalizeCommandTokens(tokens) {
+    if (tokens[0] === 'telegram-bots') {
+        return ['telegram', 'integrations', ...tokens.slice(1)];
+    }
+    if (tokens[0] === 'telegram-business-accounts') {
+        return ['telegram', 'business-accounts', ...tokens.slice(1)];
+    }
+    if (tokens[0] === 'emp' && tokens[1] === 'telegram') {
+        return ['telegram', 'employees', ...tokens.slice(2)];
+    }
+    return tokens;
+}
+function resolveProfileSlug(args, manifestBusinessSlug) {
+    return flagValue(args, '--business-profile-slug') ?? manifestBusinessSlug;
+}
+function resolveScopedBusinessSlug(args, manifestBusinessSlug, options = {}) {
+    const explicit = flagValue(args, '--business-profile-slug');
+    if (explicit) {
+        return explicit;
+    }
+    if (options.allowGlobal && hasFlag(args, '--global')) {
+        return null;
+    }
+    return options.defaultToManifest === false ? null : manifestBusinessSlug;
+}
+function resolveRuntimeProviderScope(args) {
+    const explicit = flagValue(args, '--scope');
+    if (explicit === 'global' || explicit === 'business') {
+        return explicit;
+    }
+    return hasFlag(args, '--global') ? 'global' : null;
+}
+async function resolveIntegrationKey(context, args) {
+    const explicit = flagValue(args, '--integration-key');
+    if (explicit) {
+        return explicit;
+    }
+    const declarations = await (0, project_1.loadTelegramBotDeclarations)(context);
+    const compatibleDeclarations = declarations.filter((entry) => entry.environmentMatches);
+    if (compatibleDeclarations.length === 1) {
+        return compatibleDeclarations[0].integrationKey;
+    }
+    throw new Error('This command requires --integration-key when the current repo declares zero or multiple compatible Telegram integrations for the active environment.');
+}
+async function writeYamlSnapshot(path, content) {
+    await (0, promises_1.mkdir)((0, node_path_1.dirname)(path), { recursive: true });
+    await (0, promises_1.writeFile)(path, content, 'utf8');
+}
+async function resolveVersionId(input) {
+    const versions = await input.client.businessProfiles.listVersions({
+        businessProfileSlug: input.businessProfileSlug
+    });
+    if (input.specifier === 'latest') {
+        const latest = versions.versions.at(-1);
+        if (!latest) {
+            throw new Error(`No versions found for ${input.businessProfileSlug}.`);
+        }
+        return {
+            versionId: latest.versionId,
+            versions
+        };
+    }
+    if (input.specifier === 'active') {
+        const profile = await input.client.businessProfiles.get({
+            businessProfileSlug: input.businessProfileSlug
+        });
+        if (!profile.activeVersion) {
+            throw new Error(`No active version found for ${input.businessProfileSlug}.`);
+        }
+        return {
+            versionId: profile.activeVersion.versionId,
+            versions
+        };
+    }
+    return {
+        versionId: input.specifier,
+        versions
+    };
+}
+async function resolveVerifiedBy(context) {
+    const whoami = await (0, auth_1.resolveWhoAmI)(context);
+    return whoami.accessContext?.operator?.email ?? null;
+}
+async function handleProfileCommand(input) {
+    const { args, subcommand, context, outputMode } = input;
+    if (subcommand === 'validate') {
+        (0, render_1.renderOutput)(await (0, project_1.validateProfileProject)(context), outputMode);
+        return;
+    }
+    if (subcommand === 'upload') {
+        const prepared = await (0, project_1.buildProfileBundleForUpload)(context);
+        const auth = await (0, auth_1.resolveAuthenticatedClient)({
+            context
+        });
+        const result = await auth.client.businessProfiles.uploadBundle({
+            bundle: prepared.bundle,
+            activateOnUpload: hasFlag(args, '--activate'),
+            targetEnvironment: context.environment,
+            sourceRepositoryUrl: prepared.sourceRepositoryUrl,
+            sourceCommitSha: prepared.sourceCommitSha,
+            resolvedSecrets: prepared.resolvedSecrets
+        });
+        (0, render_1.renderOutput)({
+            ...result,
+            authMode: auth.authMode,
+            projectRoot: context.root.rootDir,
+            manifestPath: context.root.manifestPath,
+            sourceRepositoryUrl: prepared.sourceRepositoryUrl,
+            sourceCommitSha: prepared.sourceCommitSha,
+            resolvedBaseUrl: context.baseUrl,
+            targetEnvironment: context.environment
+        }, outputMode);
+        return;
+    }
+    if (subcommand === 'download') {
+        const auth = await (0, auth_1.resolveAuthenticatedClient)({
+            context
+        });
+        const businessProfileSlug = resolveProfileSlug(args, context.manifest.business_slug);
+        const result = await auth.client.businessProfiles.downloadBundle({
+            businessProfileSlug,
+            versionId: flagValue(args, '--version-id')
+        });
+        const outputDir = (0, node_path_1.resolve)(context.root.rootDir, flagValue(args, '--output-dir') ?? '.');
+        await (0, project_1.writeDownloadedProfileBundle)({
+            rootDir: outputDir,
+            bundle: result.bundle
+        });
+        (0, render_1.renderOutput)({
+            ...result,
+            authMode: auth.authMode,
+            outputDir,
+            resolvedBaseUrl: context.baseUrl
+        }, outputMode);
+        return;
+    }
+    if (subcommand === 'activate') {
+        const specifier = flagValue(args, '--version') ?? flagValue(args, '--version-id');
+        if (!specifier) {
+            throw new Error('profile activate requires --version <latest|active|version-id>.');
+        }
+        const auth = await (0, auth_1.resolveAuthenticatedClient)({
+            context
+        });
+        const businessProfileSlug = resolveProfileSlug(args, context.manifest.business_slug);
+        const resolvedVersion = await resolveVersionId({
+            client: auth.client,
+            businessProfileSlug,
+            specifier
+        });
+        const result = await auth.client.businessProfiles.activateVersion({
+            businessProfileSlug,
+            versionId: resolvedVersion.versionId
+        });
+        (0, render_1.renderOutput)({
+            ...result,
+            authMode: auth.authMode,
+            requestedVersion: specifier
+        }, outputMode);
+        return;
+    }
+    if (subcommand === 'status') {
+        const auth = await (0, auth_1.resolveAuthenticatedClient)({
+            context
+        });
+        const businessProfileSlug = resolveProfileSlug(args, context.manifest.business_slug);
+        const [profile, versions, members] = await Promise.all([
+            auth.client.businessProfiles.get({
+                businessProfileSlug
+            }),
+            auth.client.businessProfiles.listVersions({
+                businessProfileSlug
+            }),
+            auth.client.businessProfiles.listMembers({
+                businessProfileSlug
+            })
+        ]);
+        (0, render_1.renderOutput)({
+            profile: profile.profile,
+            activeVersion: profile.activeVersion,
+            versionsCount: versions.versions.length,
+            membersCount: members.members.length,
+            authMode: auth.authMode
+        }, outputMode);
+        return;
+    }
+    if (subcommand === 'versions') {
+        const auth = await (0, auth_1.resolveAuthenticatedClient)({
+            context
+        });
+        const businessProfileSlug = resolveProfileSlug(args, context.manifest.business_slug);
+        const versions = await auth.client.businessProfiles.listVersions({
+            businessProfileSlug
+        });
+        (0, render_1.renderOutput)({
+            ...versions,
+            authMode: auth.authMode
+        }, outputMode);
+        return;
+    }
+    throw new Error(`Unknown profile command: ${subcommand ?? '(missing)'}.`);
+}
+async function handleTelegramIntegrationsCommand(input) {
+    const { args, action, context, outputMode } = input;
+    if (action === 'upload') {
+        const prepared = await (0, project_1.buildProfileBundleForUpload)(context);
+        const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+        const secretByIntegration = new Map(prepared.resolvedSecrets.map((entry) => [entry.integrationKey, entry]));
+        const results = [];
+        const skipped = [];
+        for (const declaration of prepared.declarations) {
+            if (!declaration.environmentMatches) {
+                skipped.push({
+                    integrationKey: declaration.integrationKey,
+                    environments: declaration.environments,
+                    reason: 'skipped_by_environment'
+                });
+                continue;
+            }
+            const resolvedSecrets = secretByIntegration.get(declaration.integrationKey);
+            results.push(await auth.client.integrations.upsertTelegramBot({
+                businessProfileSlug: context.manifest.business_slug,
+                integrationKey: declaration.integrationKey,
+                label: declaration.label,
+                mode: declaration.mode,
+                enabled: declaration.enabled,
+                webhookPath: declaration.webhookPath,
+                ...(declaration.allowDirectCommands !== undefined
+                    ? { allowDirectCommands: declaration.allowDirectCommands }
+                    : {}),
+                ...(declaration.allowDebugCommands !== undefined
+                    ? { allowDebugCommands: declaration.allowDebugCommands }
+                    : {}),
+                channelAccountId: declaration.channelAccountId ?? null,
+                botUsername: declaration.botUsername ?? null,
+                telegramBotId: declaration.telegramBotId ?? null,
+                ...(resolvedSecrets?.botToken !== undefined ? { botToken: resolvedSecrets.botToken } : {}),
+                ...(resolvedSecrets?.webhookSecret !== undefined
+                    ? { webhookSecret: resolvedSecrets.webhookSecret }
+                    : {})
+            }));
+        }
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            count: results.length,
+            skippedCount: skipped.length,
+            items: results,
+            skipped
+        }, outputMode);
+        return;
+    }
+    if (action === 'status' || action === 'download') {
+        const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+        const items = await auth.client.integrations.listTelegramBots({
+            businessProfileSlug: resolveProfileSlug(args, context.manifest.business_slug)
+        });
+        if (action === 'download') {
+            const outputFile = (0, node_path_1.resolve)(context.root.rootDir, flagValue(args, '--output-file') ?? '.sa-admin/downloads/telegram-bots.yaml');
+            await writeYamlSnapshot(outputFile, (0, project_1.buildTelegramBotSnapshotYaml)({
+                integrations: items.items.map((entry) => ({
+                    integration_key: entry.integrationKey,
+                    label: entry.label,
+                    business_profile_slug: entry.businessProfileSlug,
+                    mode: entry.mode,
+                    enabled: entry.enabled,
+                    webhook_path: entry.webhookPath,
+                    allow_direct_commands: entry.allowDirectCommands,
+                    allow_debug_commands: entry.allowDebugCommands,
+                    channel_account_id: entry.channelAccountId,
+                    bot_username: entry.botUsername,
+                    telegram_bot_id: entry.telegramBotId,
+                    has_bot_token: entry.hasBotToken,
+                    has_webhook_secret: entry.hasWebhookSecret,
+                    bot_token_key_id: entry.botTokenKeyId,
+                    webhook_secret_key_id: entry.webhookSecretKeyId
+                }))
+            }));
+            (0, render_1.renderOutput)({
+                authMode: auth.authMode,
+                count: items.items.length,
+                outputFile,
+                items: items.items
+            }, outputMode);
+            return;
+        }
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            count: items.items.length,
+            items: items.items
+        }, outputMode);
+        return;
+    }
+    if (action === 'verify') {
+        const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+        const integrationKey = await resolveIntegrationKey(context, args);
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.integrations.verifyTelegramIntegration({ integrationKey }))
+        }, outputMode);
+        return;
+    }
+    if (action === 'sync-webhook') {
+        const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+        const integrationKey = await resolveIntegrationKey(context, args);
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.integrations.syncTelegramWebhook({ integrationKey }))
+        }, outputMode);
+        return;
+    }
+    if (action === 'sync-commands') {
+        const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+        const integrationKey = await resolveIntegrationKey(context, args);
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.integrations.syncTelegramCommands({ integrationKey }))
+        }, outputMode);
+        return;
+    }
+    if (action === 'reconcile') {
+        const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+        const integrationKey = await resolveIntegrationKey(context, args);
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.integrations.reconcileTelegramIntegration({ integrationKey }))
+        }, outputMode);
+        return;
+    }
+    if (action === 'migrate-legacy-default') {
+        const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+        const newIntegrationKey = flagValue(args, '--new-integration-key');
+        if (!newIntegrationKey) {
+            throw new Error('telegram integrations migrate-legacy-default requires --new-integration-key.');
+        }
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.integrations.migrateLegacyTelegramDefault({
+                oldIntegrationKey: flagValue(args, '--old-integration-key') ?? 'telegram-default',
+                newIntegrationKey,
+                webhookPath: flagValue(args, '--webhook-path') ?? null
+            }))
+        }, outputMode);
+        return;
+    }
+    throw new Error(`Unknown telegram integrations command: ${action ?? '(missing)'}.`);
+}
+async function handleTelegramBusinessAccountsCommand(input) {
+    const { args, action, context, outputMode } = input;
+    if (action === 'status' || action === 'download') {
+        const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+        const items = await auth.client.integrations.listTelegramBusinessAccounts({
+            businessProfileSlug: resolveProfileSlug(args, context.manifest.business_slug),
+            integrationKey: flagValue(args, '--integration-key')
+        });
+        if (action === 'download') {
+            const outputFile = (0, node_path_1.resolve)(context.root.rootDir, flagValue(args, '--output-file') ?? '.sa-admin/downloads/telegram-business-accounts.yaml');
+            await writeYamlSnapshot(outputFile, (0, project_1.buildTelegramBusinessAccountSnapshotYaml)({
+                items: items.items.map((entry) => ({
+                    business_connection_id: entry.businessConnectionId,
+                    integration_key: entry.integrationKey,
+                    business_profile_slug: entry.businessProfileSlug,
+                    telegram_user_id: entry.telegramUserId,
+                    user_chat_id: entry.userChatId,
+                    can_reply: entry.canReply,
+                    is_enabled: entry.isEnabled,
+                    binding_status: entry.bindingStatus,
+                    metadata: entry.metadata,
+                    first_seen_at: entry.firstSeenAt,
+                    last_seen_at: entry.lastSeenAt
+                }))
+            }));
+            (0, render_1.renderOutput)({
+                authMode: auth.authMode,
+                count: items.items.length,
+                outputFile,
+                items: items.items
+            }, outputMode);
+            return;
+        }
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            count: items.items.length,
+            items: items.items
+        }, outputMode);
+        return;
+    }
+    const businessConnectionId = flagValue(args, '--business-connection-id');
+    if (!businessConnectionId) {
+        throw new Error(`telegram business-accounts ${action ?? '(missing)'} requires --business-connection-id.`);
+    }
+    const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+    const actorEmail = await resolveVerifiedBy(context);
+    if (action === 'approve') {
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.integrations.approveTelegramBusinessAccount({
+                businessConnectionId,
+                approvedBy: actorEmail,
+                note: flagValue(args, '--note')
+            }))
+        }, outputMode);
+        return;
+    }
+    if (action === 'block') {
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.integrations.blockTelegramBusinessAccount({
+                businessConnectionId,
+                blockedBy: actorEmail,
+                note: flagValue(args, '--note')
+            }))
+        }, outputMode);
+        return;
+    }
+    if (action === 'refresh') {
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.integrations.refreshTelegramBusinessAccount({
+                businessConnectionId
+            }))
+        }, outputMode);
+        return;
+    }
+    throw new Error(`Unknown telegram business-accounts command: ${action ?? '(missing)'}.`);
+}
+async function handleTelegramEmployeesCommand(input) {
+    const { args, action, context, outputMode } = input;
+    const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+    const verifiedBy = await resolveVerifiedBy(context);
+    if (action === 'observed') {
+        const items = await auth.client.integrations.listTelegramObservedUsers({
+            businessProfileSlug: resolveProfileSlug(args, context.manifest.business_slug),
+            integrationKey: flagValue(args, '--integration-key'),
+            username: normalizeTelegramUsername(flagValue(args, '--username')),
+            telegramUserId: flagValue(args, '--telegram-user-id')
+        });
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            count: items.items.length,
+            items: items.items
+        }, outputMode);
+        return;
+    }
+    if (action === 'bindings') {
+        const items = await auth.client.integrations.listTelegramEmployeeBindings({
+            operatorEmail: flagValue(args, '--email'),
+            telegramUserId: flagValue(args, '--telegram-user-id')
+        });
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            count: items.items.length,
+            items: items.items
+        }, outputMode);
+        return;
+    }
+    if (action === 'verify') {
+        const operatorEmail = flagValue(args, '--email');
+        const username = normalizeTelegramUsername(flagValue(args, '--username'));
+        if (!operatorEmail || !username) {
+            throw new Error('telegram employees verify requires --email and --username.');
+        }
+        const observed = await auth.client.integrations.listTelegramObservedUsers({
+            businessProfileSlug: resolveProfileSlug(args, context.manifest.business_slug),
+            integrationKey: flagValue(args, '--integration-key'),
+            username
+        });
+        if (observed.items.length === 0) {
+            throw new Error(`No observed Telegram user found for @${username}. Ask the user to write to the bot first or check the username.`);
+        }
+        if (observed.items.length > 1) {
+            throw new Error(`Username @${username} matched multiple observed users. Narrow the lookup with --integration-key or bind by --telegram-user-id.`);
+        }
+        const match = observed.items[0];
+        const result = await auth.client.integrations.bindTelegramEmployee({
+            operatorEmail,
+            telegramUserId: match.telegramUserId,
+            telegramChatId: match.telegramChatId,
+            telegramUsernameSnapshot: match.usernameSnapshot,
+            verifiedBy
+        });
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            matchedObservation: match,
+            ...result
+        }, outputMode);
+        return;
+    }
+    if (action === 'bind') {
+        const operatorEmail = flagValue(args, '--email');
+        const telegramUserId = flagValue(args, '--telegram-user-id');
+        if (!operatorEmail || !telegramUserId) {
+            throw new Error('telegram employees bind requires --email and --telegram-user-id.');
+        }
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.integrations.bindTelegramEmployee({
+                operatorEmail,
+                telegramUserId,
+                telegramChatId: flagValue(args, '--telegram-chat-id'),
+                telegramUsernameSnapshot: normalizeTelegramUsername(flagValue(args, '--username')),
+                verifiedBy
+            }))
+        }, outputMode);
+        return;
+    }
+    if (action === 'revoke') {
+        const telegramUserId = flagValue(args, '--telegram-user-id');
+        if (!telegramUserId) {
+            throw new Error('telegram employees revoke requires --telegram-user-id.');
+        }
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.integrations.revokeTelegramEmployeeBinding({
+                telegramUserId,
+                verifiedBy
+            }))
+        }, outputMode);
+        return;
+    }
+    if (action === 'status') {
+        const telegramUserId = flagValue(args, '--telegram-user-id');
+        if (!telegramUserId) {
+            throw new Error('telegram employees status requires --telegram-user-id.');
+        }
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.integrations.getTelegramEmployeeBindingStatus({
+                telegramUserId
+            }))
+        }, outputMode);
+        return;
+    }
+    if (action === 'resync') {
+        const telegramUserId = flagValue(args, '--telegram-user-id');
+        if (!telegramUserId) {
+            throw new Error('telegram employees resync requires --telegram-user-id.');
+        }
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.integrations.resyncTelegramEmployeeCommands({
+                telegramUserId
+            }))
+        }, outputMode);
+        return;
+    }
+    throw new Error(`Unknown telegram employees command: ${action ?? '(missing)'}.`);
+}
+async function handleRuntimeProvidersCommand(input) {
+    const { args, action, context, outputMode } = input;
+    const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+    const scope = resolveRuntimeProviderScope(args);
+    const businessProfileSlug = scope === 'global'
+        ? null
+        : resolveScopedBusinessSlug(args, context.manifest.business_slug, {
+            allowGlobal: true,
+            defaultToManifest: true
+        });
+    if (action === 'status') {
+        const items = await auth.client.runtime.listProviders({
+            ...(scope ? { scope } : {}),
+            businessProfileSlug
+        });
+        const diagnostics = await auth.client.ops.getDiagnostics({
+            businessProfileSlug,
+            entityKind: 'runtime_provider',
+            entityId: null
+        });
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            providers: items.items,
+            snapshots: diagnostics.snapshots
+        }, outputMode);
+        return;
+    }
+    if (action === 'refresh') {
+        const providerKey = flagValue(args, '--provider-key');
+        if (!providerKey) {
+            throw new Error('runtime providers refresh requires --provider-key.');
+        }
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.ops.refreshRuntimeProvider({
+                providerKey,
+                businessProfileSlug
+            }))
+        }, outputMode);
+        return;
+    }
+    if (action === 'reconcile') {
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.runtime.reconcileProviders({
+                businessProfileSlug,
+                providerKey: flagValue(args, '--provider-key')
+            }))
+        }, outputMode);
+        return;
+    }
+    throw new Error(`Unknown runtime providers command: ${action ?? '(missing)'}.`);
+}
+async function handleRuntimeRoutingCommand(input) {
+    const { args, action, context, outputMode } = input;
+    const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+    const businessProfileSlug = resolveScopedBusinessSlug(args, context.manifest.business_slug, {
+        allowGlobal: true,
+        defaultToManifest: true
+    });
+    const stage = flagValue(args, '--stage');
+    if (action === 'status') {
+        const configured = await auth.client.runtime.listRoutingProfiles({
+            businessProfileSlug,
+            ...(stage ? { stage } : {})
+        });
+        const diagnostics = await auth.client.ops.getDiagnostics({
+            businessProfileSlug,
+            entityKind: 'runtime_routing',
+            entityId: null
+        });
+        const stages = stage
+            ? [stage]
+            : ['reply', 'analysis', 'review', 'summary'];
+        const effectiveProfiles = [];
+        for (const stageKey of stages) {
+            try {
+                const result = await auth.client.runtime.getEffectiveRoutingProfile({
+                    businessProfileSlug,
+                    stage: stageKey
+                });
+                effectiveProfiles.push(result.profile);
+            }
+            catch { }
+        }
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            configuredProfiles: configured.items,
+            effectiveProfiles,
+            snapshots: diagnostics.snapshots
+        }, outputMode);
+        return;
+    }
+    if (action === 'reconcile') {
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.runtime.reconcileRoutingVisibility({
+                businessProfileSlug,
+                stage
+            }))
+        }, outputMode);
+        return;
+    }
+    throw new Error(`Unknown runtime routing command: ${action ?? '(missing)'}.`);
+}
+async function handleRuntimeUsageCommand(input) {
+    const { args, action, context, outputMode } = input;
+    if (action !== 'summary') {
+        throw new Error(`Unknown runtime usage command: ${action ?? '(missing)'}.`);
+    }
+    const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+    const businessProfileSlug = resolveScopedBusinessSlug(args, context.manifest.business_slug, {
+        allowGlobal: true,
+        defaultToManifest: true
+    });
+    (0, render_1.renderOutput)({
+        authMode: auth.authMode,
+        ...(await auth.client.runtime.getUsageSummary({
+            businessProfileSlug,
+            from: flagValue(args, '--from'),
+            to: flagValue(args, '--to')
+        }))
+    }, outputMode);
+}
+async function handleRuntimeFallbacksCommand(input) {
+    const { args, action, context, outputMode } = input;
+    if (action !== 'list') {
+        throw new Error(`Unknown runtime fallbacks command: ${action ?? '(missing)'}.`);
+    }
+    const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+    const businessProfileSlug = resolveScopedBusinessSlug(args, context.manifest.business_slug, {
+        allowGlobal: true,
+        defaultToManifest: true
+    });
+    (0, render_1.renderOutput)({
+        authMode: auth.authMode,
+        ...(await auth.client.runtime.listFallbackEvents({
+            businessProfileSlug,
+            stage: flagValue(args, '--stage') ??
+                null,
+            limit: Number(flagValue(args, '--limit') ?? '50')
+        }))
+    }, outputMode);
+}
+async function executeBackupCommand(input) {
+    const { args, action, context, outputMode } = input;
+    const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+    if (action === 'create') {
+        const backupKind = flagValue(args, '--backup-kind') ??
+            'manual_emergency';
+        const sourceKind = flagValue(args, '--source-kind') ??
+            (context.environment === 'beta'
+                ? 'beta_rollout'
+                : context.environment === 'production' || context.environment === 'prod'
+                    ? 'prod_rollout'
+                    : 'local_drill');
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.ops.createBackupArtifact({
+                environment: context.environment,
+                backupKind,
+                sourceKind,
+                notes: flagValue(args, '--notes')
+            }))
+        }, outputMode);
+        return;
+    }
+    if (action === 'list') {
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.ops.listBackupArtifacts({
+                environment: context.environment,
+                backupKind: flagValue(args, '--backup-kind') ?? null
+            }))
+        }, outputMode);
+        return;
+    }
+    if (action === 'inspect') {
+        const backupId = flagValue(args, '--backup-id');
+        if (!backupId) {
+            throw new Error('backup inspect requires --backup-id.');
+        }
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.ops.getBackupArtifact({
+                backupId
+            }))
+        }, outputMode);
+        return;
+    }
+    throw new Error(`Unknown backup command: ${action ?? '(missing)'}.`);
+}
+async function executeRestoreCommand(input) {
+    const { args, action, context, outputMode } = input;
+    const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+    if (action === 'run') {
+        const backupId = flagValue(args, '--backup-id');
+        if (!backupId) {
+            throw new Error('restore run requires --backup-id.');
+        }
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.ops.runRestoreDrill({
+                backupId,
+                targetKind: 'isolated_in_memory',
+                targetEnvironment: context.environment,
+                startedBy: auth.accessContext?.operator?.email ?? null,
+                notes: flagValue(args, '--notes')
+            }))
+        }, outputMode);
+        return;
+    }
+    if (action === 'list') {
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.ops.listRestoreDrills({
+                backupId: flagValue(args, '--backup-id')
+            }))
+        }, outputMode);
+        return;
+    }
+    if (action === 'inspect') {
+        const restoreDrillId = flagValue(args, '--restore-drill-id');
+        if (!restoreDrillId) {
+            throw new Error('restore inspect requires --restore-drill-id.');
+        }
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.ops.getRestoreDrill({
+                restoreDrillId
+            }))
+        }, outputMode);
+        return;
+    }
+    throw new Error(`Unknown restore command: ${action ?? '(missing)'}.`);
+}
+async function handleBackupCommand(input) {
+    await executeBackupCommand({
+        args: input.args,
+        action: input.subcommand,
+        context: input.context,
+        outputMode: input.outputMode
+    });
+}
+async function handleRestoreCommand(input) {
+    await executeRestoreCommand({
+        args: input.args,
+        action: input.subcommand,
+        context: input.context,
+        outputMode: input.outputMode
+    });
+}
+async function handleRolloutCommand(input) {
+    const { args, subcommand, context, outputMode } = input;
+    if (subcommand === 'preflight') {
+        (0, render_1.renderOutput)(await (0, rollout_1.inspectRolloutPreflight)({ context }), outputMode);
+        return;
+    }
+    if (subcommand === 'migrate') {
+        (0, render_1.renderOutput)(await (0, rollout_1.runRolloutMigrate)({ context }), outputMode);
+        return;
+    }
+    if (subcommand === 'promote-profile') {
+        (0, render_1.renderOutput)(await (0, rollout_1.runRolloutPromoteProfile)({ context }), outputMode);
+        return;
+    }
+    if (subcommand === 'finalize-telegram') {
+        (0, render_1.renderOutput)(await (0, rollout_1.runRolloutFinalizeTelegram)({ context }), outputMode);
+        return;
+    }
+    if (subcommand === 'promote') {
+        (0, render_1.renderOutput)(await (0, rollout_1.runRolloutPromote)({
+            context,
+            notes: flagValue(args, '--notes')
+        }), outputMode);
+        return;
+    }
+    if (subcommand === 'verify') {
+        (0, render_1.renderOutput)(await (0, rollout_1.runRolloutVerify)({
+            context,
+            rolloutId: flagValue(args, '--rollout-id')
+        }), outputMode);
+        return;
+    }
+    if (subcommand === 'verdict') {
+        (0, render_1.renderOutput)(await (0, rollout_1.inspectReleaseVerdict)({
+            context,
+            verificationId: flagValue(args, '--verification-id'),
+            rolloutId: flagValue(args, '--rollout-id')
+        }), outputMode);
+        return;
+    }
+    if (subcommand === 'evidence') {
+        (0, render_1.renderOutput)(await (0, rollout_1.inspectReleaseEvidence)({
+            context,
+            verificationId: flagValue(args, '--verification-id'),
+            rolloutId: flagValue(args, '--rollout-id')
+        }), outputMode);
+        return;
+    }
+    if (subcommand === 'list') {
+        (0, render_1.renderOutput)(await (0, rollout_1.listRecordedRollouts)({
+            context,
+            environment: flagValue(args, '--environment') ?? context.environment,
+            businessProfileSlug: resolveScopedBusinessSlug(args, context.manifest.business_slug, {
+                allowGlobal: true,
+                defaultToManifest: true
+            })
+        }), outputMode);
+        return;
+    }
+    if (subcommand === 'inspect') {
+        const rolloutId = flagValue(args, '--rollout-id');
+        if (!rolloutId) {
+            throw new Error('rollout inspect requires --rollout-id.');
+        }
+        (0, render_1.renderOutput)(await (0, rollout_1.inspectRecordedRollout)({
+            context,
+            rolloutId
+        }), outputMode);
+        return;
+    }
+    throw new Error(`Unknown rollout command: ${subcommand ?? '(missing)'}.`);
+}
+async function handleDbCommand(input) {
+    const { args, subcommand, action, context, outputMode } = input;
+    const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+    if (subcommand === 'migrations') {
+        if (action === 'status') {
+            (0, render_1.renderOutput)({
+                authMode: auth.authMode,
+                ...(await auth.client.ops.getSchemaStatus({}))
+            }, outputMode);
+            return;
+        }
+        if (action === 'apply') {
+            (0, render_1.renderOutput)({
+                authMode: auth.authMode,
+                ...(await auth.client.ops.applySchemaMigrations({
+                    appliedBy: auth.accessContext?.operator?.email ?? null,
+                    sourceKind: context.environment === 'beta'
+                        ? 'beta_rollout'
+                        : context.environment === 'production' || context.environment === 'prod'
+                            ? 'prod_rollout'
+                            : 'local_bootstrap'
+                }))
+            }, outputMode);
+            return;
+        }
+        throw new Error(`Unknown db migrations command: ${action ?? '(missing)'}.`);
+    }
+    if (subcommand === 'backups') {
+        await executeBackupCommand({ args, action, context, outputMode });
+        return;
+    }
+    if (subcommand === 'restore-drills') {
+        await executeRestoreCommand({ args, action, context, outputMode });
+        return;
+    }
+    throw new Error(`Unknown db command: ${subcommand ?? '(missing)'}.`);
+}
+async function handleDiagnosticsCommand(input) {
+    const { args, subcommand, context, outputMode } = input;
+    const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+    const businessProfileSlug = resolveScopedBusinessSlug(args, context.manifest.business_slug, {
+        allowGlobal: true,
+        defaultToManifest: true
+    });
+    if (subcommand === 'readiness') {
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.ops.getReadiness({
+                businessProfileSlug
+            }))
+        }, outputMode);
+        return;
+    }
+    if (subcommand === 'snapshots') {
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.ops.getDiagnostics({
+                businessProfileSlug,
+                entityKind: flagValue(args, '--entity-kind') ?? null,
+                entityId: flagValue(args, '--entity-id')
+            }))
+        }, outputMode);
+        return;
+    }
+    throw new Error(`Unknown diagnostics command: ${subcommand ?? '(missing)'}.`);
+}
+async function handleReconcileCommand(input) {
+    const { args, subcommand, context, outputMode } = input;
+    const auth = await (0, auth_1.resolveAuthenticatedClient)({ context });
+    if (subcommand === 'business') {
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.ops.reconcileBusiness({
+                businessProfileSlug: resolveProfileSlug(args, context.manifest.business_slug)
+            }))
+        }, outputMode);
+        return;
+    }
+    if (subcommand === 'integration') {
+        const integrationKey = await resolveIntegrationKey(context, args);
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.integrations.reconcileTelegramIntegration({ integrationKey }))
+        }, outputMode);
+        return;
+    }
+    if (subcommand === 'provider') {
+        const businessProfileSlug = resolveScopedBusinessSlug(args, context.manifest.business_slug, {
+            allowGlobal: true,
+            defaultToManifest: true
+        });
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.runtime.reconcileProviders({
+                businessProfileSlug,
+                providerKey: flagValue(args, '--provider-key')
+            }))
+        }, outputMode);
+        return;
+    }
+    if (subcommand === 'routing') {
+        const businessProfileSlug = resolveScopedBusinessSlug(args, context.manifest.business_slug, {
+            allowGlobal: true,
+            defaultToManifest: true
+        });
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.runtime.reconcileRoutingVisibility({
+                businessProfileSlug,
+                stage: flagValue(args, '--stage') ??
+                    null
+            }))
+        }, outputMode);
+        return;
+    }
+    if (subcommand === 'employee') {
+        const telegramUserId = flagValue(args, '--telegram-user-id');
+        if (!telegramUserId) {
+            throw new Error('reconcile employee requires --telegram-user-id.');
+        }
+        (0, render_1.renderOutput)({
+            authMode: auth.authMode,
+            ...(await auth.client.integrations.resyncTelegramEmployeeCommands({
+                telegramUserId
+            }))
+        }, outputMode);
+        return;
+    }
+    throw new Error(`Unknown reconcile command: ${subcommand ?? '(missing)'}.`);
+}
+async function handleAuthCommand(input) {
+    const { args, subcommand, context, outputMode } = input;
+    if (subcommand === 'login') {
+        const email = flagValue(args, '--email');
+        if (!email) {
+            throw new Error('auth login requires --email.');
+        }
+        const result = await (0, auth_1.loginAdminSession)({
+            context,
+            email,
+            nextPath: flagValue(args, '--next-path'),
+            timeoutSeconds: Number(flagValue(args, '--timeout-seconds') ?? '180'),
+            openBrowser: !hasFlag(args, '--no-browser')
+        });
+        (0, render_1.renderOutput)({
+            authMode: 'employee_login',
+            state: result.state,
+            accessContext: result.accessContext,
+            intent: result.intent,
+            userCode: result.userCode,
+            verificationUri: result.verificationUri,
+            verificationUriComplete: result.verificationUriComplete,
+            browserOpened: result.browserOpened,
+            pollCount: result.pollCount
+        }, outputMode);
+        return;
+    }
+    if (subcommand === 'logout') {
+        (0, render_1.renderOutput)(await (0, auth_1.logoutAdminSession)(context), outputMode);
+        return;
+    }
+    if (subcommand === 'session') {
+        (0, render_1.renderOutput)(await (0, auth_1.inspectSessionState)(context), outputMode);
+        return;
+    }
+    if (subcommand === 'preflight') {
+        (0, render_1.renderOutput)(await (0, provisioning_1.inspectAuthPreflight)(context), outputMode);
+        return;
+    }
+    if (subcommand === 'seed-policy') {
+        const preflight = await (0, provisioning_1.inspectAuthPreflight)(context);
+        (0, render_1.renderOutput)({
+            environment: context.environment,
+            provisioningPolicy: preflight.provisioningPolicy
+        }, outputMode);
+        return;
+    }
+    if (subcommand === 'whoami') {
+        (0, render_1.renderOutput)(await (0, auth_1.resolveWhoAmI)(context), outputMode);
+        return;
+    }
+    throw new Error(`Unknown auth command: ${subcommand ?? '(missing)'}.`);
+}
+async function main() {
+    const args = process.argv.slice(2);
+    const rawCommandTokens = extractCommandTokens(args);
+    const normalizedCommandTokens = normalizeCommandTokens(rawCommandTokens[0] === 'help' ? rawCommandTokens.slice(1) : rawCommandTokens);
+    if (rawCommandTokens.length === 0 ||
+        rawCommandTokens[0] === 'help' ||
+        hasFlag(args, '--help')) {
+        process.stdout.write((0, help_1.renderHelpPage)(normalizedCommandTokens));
+        return;
+    }
+    const outputMode = hasFlag(args, '--json') ? 'json' : 'pretty';
+    const explicitCwd = flagValue(args, '--cwd');
+    const context = await (0, context_1.resolveSaAdminContext)({
+        ...(explicitCwd ? { cwd: explicitCwd } : {}),
+        baseUrl: flagValue(args, '--base-url'),
+        environment: flagValue(args, '--environment'),
+        envFiles: flagValues(args, '--env-file')
+    });
+    const command = normalizedCommandTokens[0] ?? null;
+    const subcommand = normalizedCommandTokens[1] ?? null;
+    const action = normalizedCommandTokens[2] ?? null;
+    if (command === 'profile') {
+        await handleProfileCommand({ args, subcommand, context, outputMode });
+        return;
+    }
+    if (command === 'db') {
+        await handleDbCommand({ args, subcommand, action, context, outputMode });
+        return;
+    }
+    if (command === 'backup') {
+        await handleBackupCommand({ args, subcommand, context, outputMode });
+        return;
+    }
+    if (command === 'restore') {
+        await handleRestoreCommand({ args, subcommand, context, outputMode });
+        return;
+    }
+    if (command === 'telegram') {
+        if (subcommand === 'integrations') {
+            await handleTelegramIntegrationsCommand({ args, action, context, outputMode });
+            return;
+        }
+        if (subcommand === 'business-accounts') {
+            await handleTelegramBusinessAccountsCommand({ args, action, context, outputMode });
+            return;
+        }
+        if (subcommand === 'employees') {
+            await handleTelegramEmployeesCommand({ args, action, context, outputMode });
+            return;
+        }
+    }
+    if (command === 'runtime') {
+        if (subcommand === 'providers') {
+            await handleRuntimeProvidersCommand({ args, action, context, outputMode });
+            return;
+        }
+        if (subcommand === 'routing') {
+            await handleRuntimeRoutingCommand({ args, action, context, outputMode });
+            return;
+        }
+        if (subcommand === 'usage') {
+            await handleRuntimeUsageCommand({ args, action, context, outputMode });
+            return;
+        }
+        if (subcommand === 'fallbacks') {
+            await handleRuntimeFallbacksCommand({ args, action, context, outputMode });
+            return;
+        }
+    }
+    if (command === 'diagnostics') {
+        await handleDiagnosticsCommand({ args, subcommand, context, outputMode });
+        return;
+    }
+    if (command === 'reconcile') {
+        await handleReconcileCommand({ args, subcommand, context, outputMode });
+        return;
+    }
+    if (command === 'rollout') {
+        await handleRolloutCommand({ args, subcommand, context, outputMode });
+        return;
+    }
+    if (command === 'auth') {
+        await handleAuthCommand({ args, subcommand, context, outputMode });
+        return;
+    }
+    process.stdout.write((0, help_1.renderHelpPage)([]));
+    process.exitCode = 1;
+}
+main().catch((error) => {
+    if (error instanceof client_sdk_1.PlatformClientError) {
+        process.stderr.write(`${error.code}${error.status ? ` [${error.status}]` : ''}: ${error.message}\n`);
+    }
+    else {
+        process.stderr.write(`${error instanceof Error ? error.message : String(error)}\n`);
+    }
+    process.exitCode = 1;
+});
+//# sourceMappingURL=cli.js.map