npm - @sentry/warden - Versions diffs - 0.0.0 - Mend

@sentry/warden 0.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (199) hide show

package/.agents/skills/find-bugs/SKILL.md +75 -0
package/.agents/skills/vercel-react-best-practices/AGENTS.md +2934 -0
package/.agents/skills/vercel-react-best-practices/SKILL.md +136 -0
package/.agents/skills/vercel-react-best-practices/rules/advanced-event-handler-refs.md +55 -0
package/.agents/skills/vercel-react-best-practices/rules/advanced-init-once.md +42 -0
package/.agents/skills/vercel-react-best-practices/rules/advanced-use-latest.md +39 -0
package/.agents/skills/vercel-react-best-practices/rules/async-api-routes.md +38 -0
package/.agents/skills/vercel-react-best-practices/rules/async-defer-await.md +80 -0
package/.agents/skills/vercel-react-best-practices/rules/async-dependencies.md +51 -0
package/.agents/skills/vercel-react-best-practices/rules/async-parallel.md +28 -0
package/.agents/skills/vercel-react-best-practices/rules/async-suspense-boundaries.md +99 -0
package/.agents/skills/vercel-react-best-practices/rules/bundle-barrel-imports.md +59 -0
package/.agents/skills/vercel-react-best-practices/rules/bundle-conditional.md +31 -0
package/.agents/skills/vercel-react-best-practices/rules/bundle-defer-third-party.md +49 -0
package/.agents/skills/vercel-react-best-practices/rules/bundle-dynamic-imports.md +35 -0
package/.agents/skills/vercel-react-best-practices/rules/bundle-preload.md +50 -0
package/.agents/skills/vercel-react-best-practices/rules/client-event-listeners.md +74 -0
package/.agents/skills/vercel-react-best-practices/rules/client-localstorage-schema.md +71 -0
package/.agents/skills/vercel-react-best-practices/rules/client-passive-event-listeners.md +48 -0
package/.agents/skills/vercel-react-best-practices/rules/client-swr-dedup.md +56 -0
package/.agents/skills/vercel-react-best-practices/rules/js-batch-dom-css.md +107 -0
package/.agents/skills/vercel-react-best-practices/rules/js-cache-function-results.md +80 -0
package/.agents/skills/vercel-react-best-practices/rules/js-cache-property-access.md +28 -0
package/.agents/skills/vercel-react-best-practices/rules/js-cache-storage.md +70 -0
package/.agents/skills/vercel-react-best-practices/rules/js-combine-iterations.md +32 -0
package/.agents/skills/vercel-react-best-practices/rules/js-early-exit.md +50 -0
package/.agents/skills/vercel-react-best-practices/rules/js-hoist-regexp.md +45 -0
package/.agents/skills/vercel-react-best-practices/rules/js-index-maps.md +37 -0
package/.agents/skills/vercel-react-best-practices/rules/js-length-check-first.md +49 -0
package/.agents/skills/vercel-react-best-practices/rules/js-min-max-loop.md +82 -0
package/.agents/skills/vercel-react-best-practices/rules/js-set-map-lookups.md +24 -0
package/.agents/skills/vercel-react-best-practices/rules/js-tosorted-immutable.md +57 -0
package/.agents/skills/vercel-react-best-practices/rules/rendering-activity.md +26 -0
package/.agents/skills/vercel-react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
package/.agents/skills/vercel-react-best-practices/rules/rendering-conditional-render.md +40 -0
package/.agents/skills/vercel-react-best-practices/rules/rendering-content-visibility.md +38 -0
package/.agents/skills/vercel-react-best-practices/rules/rendering-hoist-jsx.md +46 -0
package/.agents/skills/vercel-react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
package/.agents/skills/vercel-react-best-practices/rules/rendering-hydration-suppress-warning.md +30 -0
package/.agents/skills/vercel-react-best-practices/rules/rendering-svg-precision.md +28 -0
package/.agents/skills/vercel-react-best-practices/rules/rendering-usetransition-loading.md +75 -0
package/.agents/skills/vercel-react-best-practices/rules/rerender-defer-reads.md +39 -0
package/.agents/skills/vercel-react-best-practices/rules/rerender-dependencies.md +45 -0
package/.agents/skills/vercel-react-best-practices/rules/rerender-derived-state-no-effect.md +40 -0
package/.agents/skills/vercel-react-best-practices/rules/rerender-derived-state.md +29 -0
package/.agents/skills/vercel-react-best-practices/rules/rerender-functional-setstate.md +74 -0
package/.agents/skills/vercel-react-best-practices/rules/rerender-lazy-state-init.md +58 -0
package/.agents/skills/vercel-react-best-practices/rules/rerender-memo-with-default-value.md +38 -0
package/.agents/skills/vercel-react-best-practices/rules/rerender-memo.md +44 -0
package/.agents/skills/vercel-react-best-practices/rules/rerender-move-effect-to-event.md +45 -0
package/.agents/skills/vercel-react-best-practices/rules/rerender-simple-expression-in-memo.md +35 -0
package/.agents/skills/vercel-react-best-practices/rules/rerender-transitions.md +40 -0
package/.agents/skills/vercel-react-best-practices/rules/rerender-use-ref-transient-values.md +73 -0
package/.agents/skills/vercel-react-best-practices/rules/server-after-nonblocking.md +73 -0
package/.agents/skills/vercel-react-best-practices/rules/server-auth-actions.md +96 -0
package/.agents/skills/vercel-react-best-practices/rules/server-cache-lru.md +41 -0
package/.agents/skills/vercel-react-best-practices/rules/server-cache-react.md +76 -0
package/.agents/skills/vercel-react-best-practices/rules/server-dedup-props.md +65 -0
package/.agents/skills/vercel-react-best-practices/rules/server-parallel-fetching.md +83 -0
package/.agents/skills/vercel-react-best-practices/rules/server-serialization.md +38 -0
package/.claude/settings.json +57 -0
package/.claude/settings.local.json +88 -0
package/.claude/skills/agent-prompt/SKILL.md +54 -0
package/.claude/skills/agent-prompt/references/agentic-patterns.md +94 -0
package/.claude/skills/agent-prompt/references/anti-patterns.md +140 -0
package/.claude/skills/agent-prompt/references/context-design.md +124 -0
package/.claude/skills/agent-prompt/references/core-principles.md +75 -0
package/.claude/skills/agent-prompt/references/model-guidance.md +118 -0
package/.claude/skills/agent-prompt/references/output-formats.md +98 -0
package/.claude/skills/agent-prompt/references/skill-structure.md +115 -0
package/.claude/skills/agent-prompt/references/system-prompts.md +115 -0
package/.claude/skills/notseer/SKILL.md +131 -0
package/.claude/skills/skill-writer/SKILL.md +140 -0
package/.claude/skills/testing-guidelines/SKILL.md +132 -0
package/.claude/skills/warden-skill/SKILL.md +250 -0
package/.claude/skills/warden-skill/references/config-schema.md +133 -0
package/.dex/config.toml +2 -0
package/.github/workflows/ci.yml +33 -0
package/.github/workflows/release.yml +54 -0
package/.github/workflows/warden.yml +40 -0
package/AGENTS.md +89 -0
package/CONTRIBUTING.md +60 -0
package/LICENSE +105 -0
package/README.md +43 -0
package/SPEC.md +263 -0
package/action.yml +87 -0
package/assets/favicon.png +0 -0
package/assets/warden-icon-bw.svg +5 -0
package/assets/warden-icon-purple.png +0 -0
package/assets/warden-icon-purple.svg +5 -0
package/docs/.claude/settings.local.json +11 -0
package/docs/astro.config.mjs +43 -0
package/docs/package.json +19 -0
package/docs/pnpm-lock.yaml +4000 -0
package/docs/public/favicon.svg +5 -0
package/docs/src/components/Code.astro +141 -0
package/docs/src/components/PackageManagerTabs.astro +183 -0
package/docs/src/components/Terminal.astro +212 -0
package/docs/src/layouts/Base.astro +380 -0
package/docs/src/pages/cli.astro +167 -0
package/docs/src/pages/config.astro +394 -0
package/docs/src/pages/guide.astro +449 -0
package/docs/src/pages/index.astro +490 -0
package/docs/src/styles/global.css +551 -0
package/docs/tsconfig.json +3 -0
package/docs/vercel.json +5 -0
package/eslint.config.js +33 -0
package/package.json +73 -0
package/src/action/index.ts +1 -0
package/src/action/main.ts +868 -0
package/src/cli/args.test.ts +477 -0
package/src/cli/args.ts +415 -0
package/src/cli/commands/add.ts +447 -0
package/src/cli/commands/init.test.ts +136 -0
package/src/cli/commands/init.ts +132 -0
package/src/cli/commands/setup-app/browser.ts +38 -0
package/src/cli/commands/setup-app/credentials.ts +45 -0
package/src/cli/commands/setup-app/manifest.ts +48 -0
package/src/cli/commands/setup-app/server.ts +172 -0
package/src/cli/commands/setup-app.ts +156 -0
package/src/cli/commands/sync.ts +114 -0
package/src/cli/context.ts +131 -0
package/src/cli/files.test.ts +155 -0
package/src/cli/files.ts +89 -0
package/src/cli/fix.test.ts +310 -0
package/src/cli/fix.ts +387 -0
package/src/cli/git.test.ts +119 -0
package/src/cli/git.ts +318 -0
package/src/cli/index.ts +14 -0
package/src/cli/main.ts +672 -0
package/src/cli/output/box.ts +235 -0
package/src/cli/output/formatters.test.ts +187 -0
package/src/cli/output/formatters.ts +269 -0
package/src/cli/output/icons.ts +13 -0
package/src/cli/output/index.ts +44 -0
package/src/cli/output/ink-runner.tsx +337 -0
package/src/cli/output/jsonl.test.ts +347 -0
package/src/cli/output/jsonl.ts +126 -0
package/src/cli/output/reporter.ts +435 -0
package/src/cli/output/tasks.ts +374 -0
package/src/cli/output/tty.test.ts +117 -0
package/src/cli/output/tty.ts +60 -0
package/src/cli/output/verbosity.test.ts +40 -0
package/src/cli/output/verbosity.ts +31 -0
package/src/cli/terminal.test.ts +148 -0
package/src/cli/terminal.ts +301 -0
package/src/config/index.ts +3 -0
package/src/config/loader.test.ts +313 -0
package/src/config/loader.ts +103 -0
package/src/config/schema.ts +168 -0
package/src/config/writer.test.ts +119 -0
package/src/config/writer.ts +84 -0
package/src/diff/classify.test.ts +162 -0
package/src/diff/classify.ts +92 -0
package/src/diff/coalesce.test.ts +208 -0
package/src/diff/coalesce.ts +133 -0
package/src/diff/context.test.ts +226 -0
package/src/diff/context.ts +201 -0
package/src/diff/index.ts +4 -0
package/src/diff/parser.test.ts +212 -0
package/src/diff/parser.ts +149 -0
package/src/event/context.ts +132 -0
package/src/event/index.ts +2 -0
package/src/event/schedule-context.ts +101 -0
package/src/examples/examples.integration.test.ts +66 -0
package/src/examples/index.test.ts +101 -0
package/src/examples/index.ts +122 -0
package/src/examples/setup.ts +25 -0
package/src/index.ts +115 -0
package/src/output/dedup.test.ts +419 -0
package/src/output/dedup.ts +607 -0
package/src/output/github-checks.test.ts +300 -0
package/src/output/github-checks.ts +476 -0
package/src/output/github-issues.ts +329 -0
package/src/output/index.ts +5 -0
package/src/output/issue-renderer.ts +197 -0
package/src/output/renderer.test.ts +727 -0
package/src/output/renderer.ts +217 -0
package/src/output/stale.test.ts +375 -0
package/src/output/stale.ts +155 -0
package/src/output/types.ts +34 -0
package/src/sdk/index.ts +1 -0
package/src/sdk/runner.test.ts +806 -0
package/src/sdk/runner.ts +1232 -0
package/src/skills/index.ts +36 -0
package/src/skills/loader.test.ts +300 -0
package/src/skills/loader.ts +423 -0
package/src/skills/remote.test.ts +704 -0
package/src/skills/remote.ts +604 -0
package/src/triggers/matcher.test.ts +277 -0
package/src/triggers/matcher.ts +152 -0
package/src/types/index.ts +194 -0
package/src/utils/async.ts +18 -0
package/src/utils/index.test.ts +84 -0
package/src/utils/index.ts +50 -0
package/tsconfig.json +25 -0
package/vitest.config.ts +8 -0
package/vitest.integration.config.ts +11 -0
package/warden.toml +19 -0

package/src/cli/commands/setup-app/browser.ts ADDED Viewed

@@ -0,0 +1,38 @@
+/**
+ * Cross-platform browser opener.
+ */
+import { exec } from 'node:child_process';
+import { platform } from 'node:os';
+/**
+ * Open a URL in the default browser.
+ * Returns a promise that resolves when the browser open command has been executed.
+ */
+export function openBrowser(url: string): Promise<void> {
+  return new Promise((resolve, reject) => {
+    const os = platform();
+    let command: string;
+    switch (os) {
+      case 'darwin':
+        command = `open "${url}"`;
+        break;
+      case 'win32':
+        command = `start "" "${url}"`;
+        break;
+      default:
+        // Linux and others
+        command = `xdg-open "${url}"`;
+        break;
+    }
+    exec(command, (error) => {
+      if (error) {
+        reject(error);
+      } else {
+        resolve();
+      }
+    });
+  });
+}

package/src/cli/commands/setup-app/credentials.ts ADDED Viewed

@@ -0,0 +1,45 @@
+/**
+ * Exchange temporary code for GitHub App credentials via GitHub API.
+ */
+export interface AppCredentials {
+  id: number;
+  name: string;
+  pem: string;
+  htmlUrl: string;
+}
+/**
+ * Exchange a temporary code for GitHub App credentials.
+ * This uses the GitHub API to convert the code into full app credentials.
+ */
+export async function exchangeCodeForCredentials(code: string): Promise<AppCredentials> {
+  const url = `https://api.github.com/app-manifests/${code}/conversions`;
+  const response = await fetch(url, {
+    method: 'POST',
+    headers: {
+      Accept: 'application/vnd.github+json',
+      'X-GitHub-Api-Version': '2022-11-28',
+    },
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to exchange code for credentials: ${response.status} ${response.statusText}\n${errorText}`);
+  }
+  const data = (await response.json()) as {
+    id: number;
+    name: string;
+    pem: string;
+    html_url: string;
+  };
+  return {
+    id: data.id,
+    name: data.name,
+    pem: data.pem,
+    htmlUrl: data.html_url,
+  };
+}

package/src/cli/commands/setup-app/manifest.ts ADDED Viewed

@@ -0,0 +1,48 @@
+/**
+ * GitHub App manifest builder for the setup-app flow.
+ */
+export interface ManifestOptions {
+  name?: string;
+  port: number;
+}
+export interface GitHubAppManifest {
+  name: string;
+  url: string;
+  hook_attributes: {
+    url: string;
+    active: boolean;
+  };
+  redirect_url: string;
+  public: boolean;
+  default_permissions: Record<string, string>;
+  default_events: string[];
+}
+/**
+ * Build a GitHub App manifest for Warden.
+ */
+export function buildManifest(options: ManifestOptions): GitHubAppManifest {
+  const name = options.name ?? 'Warden';
+  return {
+    name,
+    url: 'https://github.com/getsentry/warden',
+    hook_attributes: {
+      // URL is required by GitHub even when webhooks are disabled
+      url: 'https://example.com/webhook',
+      active: false,
+    },
+    redirect_url: `http://localhost:${options.port}/callback`,
+    public: false,
+    default_permissions: {
+      contents: 'read',
+      pull_requests: 'write',
+      issues: 'write',
+      checks: 'write',
+      metadata: 'read',
+    },
+    default_events: ['pull_request'],
+  };
+}

package/src/cli/commands/setup-app/server.ts ADDED Viewed

@@ -0,0 +1,172 @@
+/**
+ * Local HTTP server for GitHub App manifest flow.
+ * Serves a form that POSTs the manifest to GitHub, then receives the callback.
+ */
+import { createServer, type Server, type IncomingMessage, type ServerResponse } from 'node:http';
+import { URL } from 'node:url';
+import type { GitHubAppManifest } from './manifest.js';
+export interface CallbackResult {
+  code: string;
+}
+export interface ServerOptions {
+  port: number;
+  expectedState: string;
+  timeoutMs: number;
+  manifest: GitHubAppManifest;
+  org?: string;
+}
+/**
+ * Build the HTML page that auto-submits the manifest form to GitHub.
+ */
+function buildStartPage(manifest: GitHubAppManifest, state: string, org?: string): string {
+  const githubUrl = org
+    ? `https://github.com/organizations/${org}/settings/apps/new?state=${state}`
+    : `https://github.com/settings/apps/new?state=${state}`;
+  const manifestJson = JSON.stringify(manifest);
+  return `<!DOCTYPE html>
+<html>
+<head>
+  <title>Creating GitHub App...</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, sans-serif; text-align: center; padding: 50px; }
+    .spinner { border: 4px solid #f3f3f3; border-top: 4px solid #3498db; border-radius: 50%; width: 40px; height: 40px; animation: spin 1s linear infinite; margin: 20px auto; }
+    @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } }
+  </style>
+</head>
+<body>
+  <h1>Redirecting to GitHub...</h1>
+  <div class="spinner"></div>
+  <p>If you are not redirected automatically, click the button below.</p>
+  <form id="manifest-form" action="${githubUrl}" method="post">
+    <input type="hidden" name="manifest" value='${manifestJson.replace(/'/g, '&#39;')}'>
+    <button type="submit" style="padding: 10px 20px; font-size: 16px; cursor: pointer;">Continue to GitHub</button>
+  </form>
+  <script>
+    // Auto-submit the form after a brief delay
+    setTimeout(function() {
+      document.getElementById('manifest-form').submit();
+    }, 500);
+  </script>
+</body>
+</html>`;
+}
+/**
+ * Create and start a local HTTP server for the manifest flow.
+ * - GET / or /start: Serves the form that POSTs to GitHub
+ * - GET /callback: Receives the callback from GitHub with the code
+ */
+export function startCallbackServer(options: ServerOptions): {
+  server: Server;
+  waitForCallback: Promise<CallbackResult>;
+  close: () => void;
+  startUrl: string;
+} {
+  let resolveCallback: (result: CallbackResult) => void;
+  let rejectCallback: (error: Error) => void;
+  const waitForCallback = new Promise<CallbackResult>((resolve, reject) => {
+    resolveCallback = resolve;
+    rejectCallback = reject;
+  });
+  const server = createServer((req: IncomingMessage, res: ServerResponse) => {
+    const url = new URL(req.url || '/', `http://localhost:${options.port}`);
+    // Serve the start page that auto-submits to GitHub
+    if (req.method === 'GET' && (url.pathname === '/' || url.pathname === '/start')) {
+      res.writeHead(200, { 'Content-Type': 'text/html' });
+      res.end(buildStartPage(options.manifest, options.expectedState, options.org));
+      return;
+    }
+    // Handle callback from GitHub
+    if (req.method === 'GET' && url.pathname === '/callback') {
+      const code = url.searchParams.get('code');
+      const state = url.searchParams.get('state');
+      // Validate state parameter (CSRF protection)
+      if (state !== options.expectedState) {
+        res.writeHead(400, { 'Content-Type': 'text/html' });
+        res.end(`
+          <!DOCTYPE html>
+          <html>
+          <head><title>Error</title></head>
+          <body>
+            <h1>Error: Invalid state parameter</h1>
+            <p>This may be a CSRF attack. Please try again.</p>
+          </body>
+          </html>
+        `);
+        rejectCallback(new Error('Invalid state parameter - possible CSRF attack'));
+        return;
+      }
+      if (!code) {
+        res.writeHead(400, { 'Content-Type': 'text/html' });
+        res.end(`
+          <!DOCTYPE html>
+          <html>
+          <head><title>Error</title></head>
+          <body>
+            <h1>Error: Missing code parameter</h1>
+            <p>GitHub did not provide the expected authorization code.</p>
+          </body>
+          </html>
+        `);
+        rejectCallback(new Error('Missing code parameter in callback'));
+        return;
+      }
+      // Success - send response and resolve promise
+      res.writeHead(200, { 'Content-Type': 'text/html' });
+      res.end(`
+        <!DOCTYPE html>
+        <html>
+        <head>
+          <title>Success</title>
+          <style>
+            body { font-family: -apple-system, BlinkMacSystemFont, sans-serif; text-align: center; padding: 50px; }
+            h1 { color: #28a745; }
+          </style>
+        </head>
+        <body>
+          <h1>GitHub App Created!</h1>
+          <p>You can close this window and return to the terminal.</p>
+        </body>
+        </html>
+      `);
+      resolveCallback({ code });
+      return;
+    }
+    // 404 for anything else
+    res.writeHead(404);
+    res.end('Not found');
+  });
+  // Bind only to localhost for security
+  server.listen(options.port, '127.0.0.1');
+  // Set up timeout
+  const timeoutId = setTimeout(() => {
+    rejectCallback(new Error(`Timeout: No callback received within ${options.timeoutMs / 1000} seconds`));
+    server.close();
+  }, options.timeoutMs);
+  const close = () => {
+    clearTimeout(timeoutId);
+    server.close();
+  };
+  const startUrl = `http://localhost:${options.port}/start`;
+  return { server, waitForCallback, close, startUrl };
+}

package/src/cli/commands/setup-app.ts ADDED Viewed

@@ -0,0 +1,156 @@
+/**
+ * Setup GitHub App command.
+ * Creates a GitHub App via the manifest flow for Warden to post as a custom bot.
+ */
+import { randomBytes } from 'node:crypto';
+import chalk from 'chalk';
+import type { SetupAppOptions } from '../args.js';
+import type { Reporter } from '../output/reporter.js';
+import { getGitHubRepoUrl } from '../git.js';
+import { buildManifest } from './setup-app/manifest.js';
+import { startCallbackServer } from './setup-app/server.js';
+import { openBrowser } from './setup-app/browser.js';
+import { exchangeCodeForCredentials } from './setup-app/credentials.js';
+/**
+ * Run the setup-app command.
+ */
+export async function runSetupApp(options: SetupAppOptions, reporter: Reporter): Promise<number> {
+  const { port, timeout, org, name, open } = options;
+  reporter.bold('SETUP GITHUB APP');
+  reporter.blank();
+  // Generate state token for CSRF protection
+  const state = randomBytes(16).toString('hex');
+  // Build manifest
+  const manifest = buildManifest({ name, port });
+  // Show what permissions will be requested
+  reporter.text('This will create a GitHub App with the following permissions:');
+  reporter.text(`  ${chalk.dim('•')} contents: read        ${chalk.dim('- Read repository files')}`);
+  reporter.text(`  ${chalk.dim('•')} pull_requests: write  ${chalk.dim('- Post review comments')}`);
+  reporter.text(`  ${chalk.dim('•')} issues: write         ${chalk.dim('- Create/update issues')}`);
+  reporter.text(`  ${chalk.dim('•')} checks: write         ${chalk.dim('- Create check runs')}`);
+  reporter.text(`  ${chalk.dim('•')} metadata: read        ${chalk.dim('- Read repository metadata')}`);
+  reporter.blank();
+  // Start local server (serves the form and handles callback)
+  reporter.step(`Starting local server on http://localhost:${port}...`);
+  const serverHandle = startCallbackServer({
+    port,
+    expectedState: state,
+    timeoutMs: timeout * 1000,
+    manifest,
+    org,
+  });
+  // Handle server errors (e.g., port already in use)
+  serverHandle.server.on('error', (error: NodeJS.ErrnoException) => {
+    if (error.code === 'EADDRINUSE') {
+      reporter.error(`Port ${port} is already in use. Try a different port with --port <number>`);
+    } else {
+      reporter.error(`Server error: ${error.message}`);
+    }
+    process.exit(1);
+  });
+  try {
+    // Open browser to our local server (which will POST to GitHub)
+    if (open) {
+      reporter.step('Opening browser...');
+      try {
+        await openBrowser(serverHandle.startUrl);
+      } catch {
+        reporter.warning('Could not open browser automatically.');
+        reporter.blank();
+        reporter.text('Open this URL in your browser:');
+        reporter.text(chalk.cyan(serverHandle.startUrl));
+      }
+    } else {
+      reporter.blank();
+      reporter.text('Open this URL in your browser:');
+      reporter.text(chalk.cyan(serverHandle.startUrl));
+    }
+    reporter.blank();
+    reporter.text(`On the GitHub page, click ${chalk.cyan('"Create GitHub App"')} to continue.`);
+    reporter.blank();
+    reporter.text(chalk.dim('Waiting for GitHub callback... (Ctrl+C to cancel)'));
+    // Wait for callback
+    const { code } = await serverHandle.waitForCallback;
+    // Exchange code for credentials
+    reporter.blank();
+    reporter.step('Exchanging code for credentials...');
+    const credentials = await exchangeCodeForCredentials(code);
+    // Success!
+    reporter.blank();
+    reporter.success('GitHub App created!');
+    reporter.blank();
+    reporter.text(`  App ID:    ${chalk.cyan(credentials.id)}`);
+    reporter.text(`  App Name:  ${chalk.cyan(credentials.name)}`);
+    reporter.text(`  App URL:   ${chalk.cyan(credentials.htmlUrl)}`);
+    reporter.blank();
+    // Next steps - in correct order!
+    const githubRepoUrl = getGitHubRepoUrl(process.cwd());
+    reporter.bold('Next steps:');
+    reporter.blank();
+    // Step 1: Install the app (must happen first!)
+    reporter.text(`  ${chalk.cyan('1.')} Install the app on your repository:`);
+    reporter.text(`     ${chalk.cyan(credentials.htmlUrl + '/installations/new')}`);
+    reporter.blank();
+    // Step 2: Add secrets
+    reporter.text(`  ${chalk.cyan('2.')} Add these secrets to your repository:`);
+    if (githubRepoUrl) {
+      reporter.text(`     ${chalk.cyan(githubRepoUrl + '/settings/secrets/actions')}`);
+    }
+    reporter.blank();
+    reporter.text(`     ${chalk.white('WARDEN_APP_ID')}          ${credentials.id}`);
+    reporter.text(`     ${chalk.white('WARDEN_PRIVATE_KEY')}     ${chalk.dim('(copy the key below)')}`);
+    reporter.blank();
+    // Private key with clear instructions
+    reporter.text(`  ${chalk.cyan('Private Key')} ${chalk.dim('(copy entire block including BEGIN/END lines):')}`);
+    reporter.blank();
+    // Indent the private key for readability
+    const pemLines = credentials.pem.trim().split('\n');
+    for (const line of pemLines) {
+      reporter.text(`     ${chalk.dim(line)}`);
+    }
+    reporter.blank();
+    return 0;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    reporter.error(message);
+    reporter.blank();
+    // Provide recovery guidance if the app might have been created
+    const githubRepoUrl = getGitHubRepoUrl(process.cwd());
+    reporter.text(chalk.dim('If the GitHub App was created before this error:'));
+    reporter.text(chalk.dim('  1. Go to https://github.com/settings/apps' + (org ? ` (or your org's settings)` : '')));
+    reporter.text(chalk.dim('  2. Find your app and click "Edit"'));
+    reporter.text(chalk.dim('  3. Note the App ID from the "About" section'));
+    reporter.text(chalk.dim('  4. Scroll to "Private keys" and click "Generate a private key"'));
+    reporter.text(chalk.dim('  5. Install the app: click "Install App" in the sidebar'));
+    reporter.text(chalk.dim('  6. Add secrets to your repository:'));
+    if (githubRepoUrl) {
+      reporter.text(chalk.dim(`     ${githubRepoUrl}/settings/secrets/actions`));
+    }
+    reporter.text(chalk.dim('     - WARDEN_APP_ID: your App ID'));
+    reporter.text(chalk.dim('     - WARDEN_PRIVATE_KEY: contents of the downloaded .pem file'));
+    return 1;
+  } finally {
+    serverHandle.close();
+  }
+}

package/src/cli/commands/sync.ts ADDED Viewed

@@ -0,0 +1,114 @@
+import chalk from 'chalk';
+import {
+  fetchRemote,
+  listCachedRemotes,
+  parseRemoteRef,
+} from '../../skills/remote.js';
+import type { Reporter } from '../output/reporter.js';
+import type { CLIOptions } from '../args.js';
+/**
+ * Run the sync command.
+ * Updates cached remote skills to their latest versions.
+ * Pinned skills (with @sha) are skipped as they're immutable.
+ */
+export async function runSync(options: CLIOptions, reporter: Reporter): Promise<number> {
+  const cachedRemotes = listCachedRemotes();
+  if (cachedRemotes.length === 0) {
+    reporter.warning('No remote skills cached.');
+    reporter.tip('Add remote skills with: warden add --remote owner/repo --skill name');
+    return 0;
+  }
+  // If a specific remote is provided, only sync that one
+  const targetRepo = options.remote;
+  const remotesToSync = targetRepo
+    ? cachedRemotes.filter(({ ref }) => ref === targetRepo || ref.startsWith(`${targetRepo}@`))
+    : cachedRemotes;
+  if (targetRepo && remotesToSync.length === 0) {
+    reporter.error(`Remote not found in cache: ${targetRepo}`);
+    reporter.blank();
+    reporter.text('Cached remotes:');
+    for (const { ref } of cachedRemotes) {
+      reporter.text(`  - ${ref}`);
+    }
+    return 1;
+  }
+  // Separate pinned and unpinned remotes
+  const unpinnedRemotes = remotesToSync.filter(({ ref }) => {
+    const parsed = parseRemoteRef(ref);
+    return !parsed.sha;
+  });
+  const pinnedRemotes = remotesToSync.filter(({ ref }) => {
+    const parsed = parseRemoteRef(ref);
+    return !!parsed.sha;
+  });
+  if (unpinnedRemotes.length === 0) {
+    if (pinnedRemotes.length > 0) {
+      reporter.warning('All cached remotes are pinned to specific versions.');
+      reporter.text('Pinned remotes do not need syncing as they are immutable.');
+      for (const { ref } of pinnedRemotes) {
+        reporter.text(`  - ${ref} ${chalk.dim('(pinned)')}`);
+      }
+    } else {
+      reporter.warning('No remotes to sync.');
+    }
+    return 0;
+  }
+  reporter.bold('SYNC REMOTE SKILLS');
+  reporter.blank();
+  let updated = 0;
+  let errors = 0;
+  for (const { ref, entry } of unpinnedRemotes) {
+    reporter.step(`Syncing ${ref}...`);
+    const previousSha = entry.sha;
+    try {
+      const newSha = await fetchRemote(ref, { force: true });
+      if (newSha !== previousSha) {
+        reporter.success(`${ref}: updated ${chalk.dim(previousSha.slice(0, 7))} -> ${chalk.dim(newSha.slice(0, 7))}`);
+        updated++;
+      } else {
+        reporter.text(`${ref}: ${chalk.dim('already up to date')}`);
+      }
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      reporter.error(`${ref}: ${message}`);
+      errors++;
+    }
+  }
+  // Show pinned remotes that were skipped
+  if (pinnedRemotes.length > 0 && !targetRepo) {
+    reporter.blank();
+    reporter.text(chalk.dim('Skipped pinned remotes:'));
+    for (const { ref } of pinnedRemotes) {
+      reporter.text(chalk.dim(`  - ${ref}`));
+    }
+  }
+  // Summary
+  reporter.blank();
+  if (errors > 0) {
+    reporter.warning(`Synced with ${errors} error${errors === 1 ? '' : 's'}.`);
+    return 1;
+  }
+  if (updated > 0) {
+    reporter.success(`Updated ${updated} remote${updated === 1 ? '' : 's'}.`);
+  } else {
+    reporter.success('All remotes up to date.');
+  }
+  return 0;
+}