@sickr/cli 0.9.2

package/dist/cli.js

@@ -0,0 +1,1109 @@
+#!/usr/bin/env node
+import { pathToFileURL } from 'node:url';
+import { readFileSync, writeFileSync, mkdirSync, existsSync, readdirSync, statSync, unlinkSync } from 'node:fs';
+import { homedir, userInfo } from 'node:os';
+import { join, dirname } from 'node:path';
+import { spawn, spawnSync, execFileSync } from 'node:child_process';
+import { appendEvent, loadRun, runsDir, latestRunId } from './recorder.js';
+import { mergeHooks, removeHooks } from './hookConfig.js';
+import { renderRunHtml, renderCombinedHtml } from './render.js';
+import { buildSharePayload, buildCombinedPayload, publish, PublishError } from './share.js';
+import { AUTH_ENDPOINT, readCredentials, writeCredentials, clearCredentials, startDevice, pollDevice, sleep } from './auth.js';
+import { ui, card, kv } from './ui.js';
+import { AGENT_API_URL, clearAgentCredentials, disconnectAgent, fetchAgentStatus, pollAgentConnect, readAgentCredentials, rotateAgentKey, startAgentConnect, writeAgentCredentials, } from './agentAuth.js';
+const REPLAY_ENDPOINT = process.env.SICKR_REPLAY_ENDPOINT ?? 'https://sickr.ai/api/replay';
+const COMMANDS = ['init', 'record', 'open', 'list', 'share', 'stop', 'clear', 'login', 'logout', 'whoami', 'agent', 'live', 'replay', 'workflow', 'help'];
+export function parseCommand(argv) {
+    const c = argv[0];
+    return c && COMMANDS.includes(c) ? c : null;
+}
+export function replaySubcommand(rest) {
+    const sub = rest.find((a) => !a.startsWith('-'));
+    if (!sub)
+        return 'auto';
+    if (sub === 'init' || sub === 'share' || sub === 'status' || sub === 'live' || sub === 'open' || sub === 'list' || sub === 'clear' || sub === 'stop') {
+        return sub;
+    }
+    return null;
+}
+export function workflowAgentAlias(rest) {
+    const sub = rest[0];
+    if (sub === 'connect' || sub === 'rotate' || sub === 'disconnect')
+        return [...rest];
+    return null;
+}
+function withoutFirst(rest) {
+    return rest.slice(1);
+}
+export function buildWorkflowInvocation(rest, command = 'uvx') {
+    const sub = rest[0] ?? 'status';
+    const tail = withoutFirst(rest);
+    if (sub === 'start') {
+        return { command, args: ['kindle', ...tail] };
+    }
+    if (sub === 'status') {
+        const hasRoot = tail.includes('--root-dir');
+        return { command, args: ['status', ...(hasRoot ? tail : [...tail, '--root-dir', '.'])] };
+    }
+    if (sub === 'stop') {
+        const hasRoot = tail.includes('--root-dir');
+        return { command, args: ['workflow', 'stop', ...(hasRoot ? tail : [...tail, '--root-dir', '.'])] };
+    }
+    return { command, args: rest };
+}
+export const HELP = `SICKR Replay — audit & replay what your AI coding agent did.
+
+Records your Claude Code or Codex session (prompts, edits, commands) to a local,
+redacted timeline you can replay — and optionally share as a public link.
+
+Why: a durable record of every agent action — a dashcam for your coding agent.
+If your agent (Claude or Codex) loses context or can't reload a past chat, the
+replay log helps you — and it — recall exactly what was just done.
+
+Usage: npx @sickr/cli <command> [options]
+
+Commands:
+  replay        Auto mode: installs Claude + Codex recording hooks. If the
+                signed-in user has Replay Pro, starts Live Look as well.
+  replay init all|claude|codex
+                Install recording hooks under the unified command name.
+  replay share  Publish a redacted replay to sickr.ai/r/<id>.
+  replay status Show Live Look sidecar status.
+  workflow connect --agent-id <id>
+                Connect this machine to a configured SICKR workflow agent.
+  workflow start --agent-id <id>
+                Start the workflow orchestrator for that configured agent.
+  workflow status
+                Show running workflow daemon status.
+  workflow rotate | workflow disconnect
+                Rotate or revoke this machine's workflow agent key.
+
+Legacy replay commands remain supported:
+  init <agent>   Install recording hooks for an agent (REQUIRED — no default)
+                 and start capturing to ~/.sickr/runs (secrets redacted):
+                   claude    Claude Code  (.claude/settings.json)
+                   codex     Codex        (.codex/hooks.json — needs Codex 0.133+)
+                   all       both of the above (feeds the combined view)
+                 Flag: --no-name  (label prompts "Human", not your login name)
+  open [run]     Render a run to a local HTML timeline and open it. 100% local.
+                 Defaults to the newest run; pass a run id, or --codex/--claude
+                 for the newest run of that agent. Combine across agents with a
+                 window: --today, --since <2h|30m|1d>, or --all (interleaved,
+                 filterable by agent, sortable by prompt/response time).
+  share [run]    Redact and publish ONE run to a public sickr.ai/r/<id> link
+                 (shows a preview and asks first). Links expire after 24h.
+                   --open    also open the published link in your browser
+                   --yes     skip the confirmation prompt
+                 Or publish a COMBINED multi-agent view with a window:
+                 --today / --since <2h|30m|1d> / --all (+ --claude/--codex).
+  list           List recorded runs, newest first.
+  stop           Stop recording — removes SICKR's hooks from this project.
+                 Your recorded runs are kept; run \`init\` to start again.
+  clear          Delete all local runs in ~/.sickr/runs (asks first).
+  login          Sign in with GitHub (optional — unlocks persistent shares and
+                 Replay Pro cohort eligibility). Zero-account use still works.
+  logout         Forget the local login. Server-side session stays valid until
+                 it expires; revoke from your account page if needed.
+  whoami         Show who you're logged in as.
+  live           Replay Pro: stream the current session to sickr.ai/r/<your-link>
+                 in real time. Requires \`login\` and Replay Pro entitlement.
+                   replay live            start the sidecar (foreground; ^C exits)
+                   replay live status     show pid + connection state
+                   replay live stop       stop the sidecar
+                 While running, steer messages from the watching browser are
+                 saved to ~/.sickr/inbox/<urlid>.md and printed in your terminal.
+  agent connect --agent-id <id>
+                 Connect this machine to a configured SICKR agent using GitHub
+                 browser approval. Stores the agent key in ~/.sickr/agent.json.
+  agent status  Show the connected agent, org and team.
+  agent rotate  Rotate this machine's agent key.
+  agent disconnect
+                 Revoke this machine's agent key and remove it locally.
+  help           Show this help.
+
+Requires Node 18+. Codex capture needs Codex CLI 0.133+ (run /hooks to trust);
+Claude Code: any hooks-capable build.
+
+────────────────────────────────────────────────────────────────────
+This replays your AI coding agents on ONE machine. SICKR governs your whole team.
+Issue tracking + your team + automation + agents — one governed workflow for
+audit, accountability, productivity and confidence.
+
+  · Gates & approvals — work holds at plan sign-off, review, merge and
+    validation checks until each one passes.
+  · Humans + agents on one board — agents are first-class teammates with
+    roles, capacity and accountability, not a side channel.
+  · A full, signed-off audit trail across every actor and every change.
+  · Runs 24/7 — produce as much work as you like; the team handles it.
+
+  Free tier available · bring your own Claude or Codex subscription.
+  → https://sickr.ai
+`;
+export function currentRunId(cc) {
+    return String(cc.session_id ?? 'session');
+}
+const PROVIDERS = {
+    claude: { name: 'Claude Code', label: 'Claude', settingsPath: () => join(process.cwd(), '.claude', 'settings.json') },
+    codex: { name: 'Codex', label: 'Codex', settingsPath: () => join(process.cwd(), '.codex', 'hooks.json') },
+};
+function configPath() {
+    return join(homedir(), '.sickr', 'config.json');
+}
+/** The machine's own identity — git user.name, else OS username, else "Human". */
+function loginName() {
+    try {
+        const n = execFileSync('git', ['config', 'user.name'], { stdio: ['ignore', 'pipe', 'ignore'] }).toString().trim();
+        if (n)
+            return n;
+    }
+    catch { /* git not configured */ }
+    try {
+        const u = userInfo().username;
+        if (u)
+            return u;
+    }
+    catch { /* no os user */ }
+    return 'Human';
+}
+/** Human label for prompts: the name stored at init (login name, or "Human" if anonymized). */
+function resolveName() {
+    try {
+        const c = JSON.parse(readFileSync(configPath(), 'utf8'));
+        if (c.name)
+            return c.name;
+    }
+    catch { /* no config */ }
+    return 'Human';
+}
+/** Ingest one hook payload (Claude Code or Codex). Must never throw. */
+export function handleRecord(input, provider = 'claude') {
+    try {
+        const cc = JSON.parse(input);
+        appendEvent(currentRunId(cc), cc, { human: resolveName(), agent: PROVIDERS[provider].label });
+    }
+    catch {
+        /* swallow: recording is best-effort and must not disrupt the session */
+    }
+}
+export function handleInit(provider, noName = false) {
+    const p = PROVIDERS[provider];
+    const settingsPath = p.settingsPath();
+    const settings = existsSync(settingsPath) ? JSON.parse(readFileSync(settingsPath, 'utf8')) : {};
+    const command = `npx @sickr/cli record${provider === 'codex' ? ' --codex' : ''}`;
+    // Remove any prior SICKR hook first, then install the current command — so
+    // re-running init (or a CLI upgrade that changes the command) self-heals
+    // instead of leaving a stale hook. Scoped to this provider's file.
+    const merged = mergeHooks(removeHooks(settings), command);
+    mkdirSync(dirname(settingsPath), { recursive: true });
+    writeFileSync(settingsPath, JSON.stringify(merged, null, 2) + '\n');
+    mkdirSync(runsDir(), { recursive: true });
+    // Always (re)write the name so re-running init resets it — no arbitrary names
+    // (avoids impersonation on public shares); just the login name, or "Human".
+    const name = noName ? 'Human' : loginName();
+    writeFileSync(configPath(), JSON.stringify({ name }, null, 2) + '\n');
+    const labelLine = `Your prompts will be labelled "${name}"${noName ? '' : ' — run `init --no-name` to anonymize'}.\n`;
+    const nextSteps = provider === 'codex'
+        ? 'Next: in Codex, run `/hooks` to review & trust these hooks (Codex gates new hooks),\nthen use Codex as normal and: npx @sickr/cli replay open --codex\n'
+        : 'Use Claude Code as normal, then: npx @sickr/cli replay open\n';
+    process.stdout.write(`sickr: installed ${p.name} recording hooks in ${settingsPath}\n` +
+        `Runs are recorded locally to ${runsDir()} (secrets redacted).\n` +
+        labelLine + nextSteps);
+}
+/** Stop recording: remove SICKR's hooks from this project (both providers), keep runs. */
+export function handleStop() {
+    const targets = [PROVIDERS.claude.settingsPath(), PROVIDERS.codex.settingsPath()];
+    const cleaned = [];
+    for (const settingsPath of targets) {
+        if (!existsSync(settingsPath))
+            continue;
+        let settings;
+        try {
+            settings = JSON.parse(readFileSync(settingsPath, 'utf8'));
+        }
+        catch {
+            process.stderr.write(`sickr: could not parse ${settingsPath}; left it unchanged.\n`);
+            continue;
+        }
+        writeFileSync(settingsPath, JSON.stringify(removeHooks(settings), null, 2) + '\n');
+        cleaned.push(settingsPath);
+    }
+    if (cleaned.length === 0) {
+        process.stdout.write('sickr: no SICKR hooks found here — not recording in this project.\n');
+        return;
+    }
+    process.stdout.write(`sickr: recording stopped — removed SICKR hooks from ${cleaned.join(', ')}.\n` +
+        'Your recorded runs are kept. Run `npx @sickr/cli replay init all` to start again.\n');
+}
+/** Delete all local runs. Destructive — confirms unless `yes` is set. */
+export async function handleClear(yes) {
+    const dir = runsDir();
+    const files = existsSync(dir) ? readdirSync(dir).filter((f) => f.endsWith('.ndjson')) : [];
+    if (files.length === 0) {
+        process.stdout.write('sickr: no local runs to clear.\n');
+        return;
+    }
+    if (!yes) {
+        if (!process.stdin.isTTY) {
+            process.stderr.write(`sickr: ${files.length} run(s) in ${dir}. Re-run with --yes to delete them.\n`);
+            process.exit(1);
+            return;
+        }
+        process.stdout.write(`Delete ${files.length} recorded run(s) from ${dir}? This cannot be undone. [y/N] `);
+        const answer = await promptLine();
+        if (answer !== 'y' && answer !== 'yes') {
+            process.stdout.write('sickr: cancelled.\n');
+            return;
+        }
+    }
+    for (const f of files)
+        unlinkSync(join(dir, f));
+    process.stdout.write(`sickr: cleared ${files.length} run(s).\n`);
+}
+function openInBrowser(file) {
+    const cmd = process.platform === 'win32' ? 'cmd' : process.platform === 'darwin' ? 'open' : 'xdg-open';
+    const args = process.platform === 'win32' ? ['/c', 'start', '', file] : [file];
+    try {
+        spawn(cmd, args, { detached: true, stdio: 'ignore' }).unref();
+    }
+    catch { /* ignore */ }
+}
+/** A short, human-readable summary of a run: agent + first prompt + event count. */
+function runSummary(id) {
+    const run = loadRun(id);
+    // Use the LATEST response label — long-lived runs may carry pre-provider
+    // ('Response') labels from older CLI versions in their early events.
+    const responses = run.events.filter((e) => e.kind === 'response');
+    const last = responses.length ? responses[responses.length - 1].label : '';
+    const agent = last && last !== 'Response' ? last : '—';
+    const prompt = (run.events.find((e) => e.kind === 'prompt')?.detail || '').replace(/\s+/g, ' ').trim();
+    return { agent, prompt, events: run.events.length };
+}
+/** Newest run whose agent (response label) matches `agent`, or null. */
+export function latestRunIdFor(agent) {
+    const dir = runsDir();
+    if (!existsSync(dir))
+        return null;
+    const files = readdirSync(dir)
+        .filter((f) => f.endsWith('.ndjson'))
+        .sort((a, b) => statSync(join(dir, b)).mtimeMs - statSync(join(dir, a)).mtimeMs);
+    for (const f of files) {
+        const id = f.replace(/\.ndjson$/, '');
+        if (loadRun(id).events.some((e) => e.kind === 'response' && e.label === agent))
+            return id;
+    }
+    return null;
+}
+function handleOpen(runId, provider) {
+    let id = runId;
+    if (!id && provider) {
+        id = latestRunIdFor(PROVIDERS[provider].label) ?? undefined;
+        if (!id) {
+            process.stdout.write(`sickr: no ${PROVIDERS[provider].label} runs yet — use ${PROVIDERS[provider].name} with the hooks installed, then try again.\n`);
+            return;
+        }
+    }
+    id = id ?? latestRunId() ?? undefined;
+    if (!id) {
+        process.stdout.write('sickr: no runs recorded yet. Run `npx @sickr/cli replay init all`, then use Claude Code or Codex.\n');
+        return;
+    }
+    const html = renderRunHtml(loadRun(id));
+    const out = join(homedir(), '.sickr', 'last.html');
+    mkdirSync(join(homedir(), '.sickr'), { recursive: true });
+    writeFileSync(out, html);
+    const s = runSummary(id);
+    process.stdout.write(`sickr: opened ${s.agent} run ${id} · ${s.events} events${s.prompt ? ` · "${s.prompt.slice(0, 60)}"` : ''}\n` +
+        `→ ${out}  (newest run; use \`list\` to see others, \`open <id>\` to pick one)\n`);
+    openInBrowser(out);
+}
+function parseDur(s) {
+    const m = /^(\d+)(m|h|d)$/.exec(String(s ?? ''));
+    if (!m)
+        return null;
+    return Number(m[1]) * (m[2] === 'm' ? 60_000 : m[2] === 'h' ? 3_600_000 : 86_400_000);
+}
+/** Select runs by window flag (--today/--since <dur>/--all) + optional agent. Null if no window flag. */
+export function selectWindow(rest) {
+    let pred = null;
+    let label = '';
+    const now = Date.now();
+    if (rest.includes('--all')) {
+        pred = () => true;
+        label = 'all runs';
+    }
+    else if (rest.includes('--today')) {
+        const d = new Date();
+        d.setHours(0, 0, 0, 0);
+        const t = d.getTime();
+        pred = (m) => m >= t;
+        label = 'today';
+    }
+    else {
+        const i = rest.indexOf('--since');
+        if (i >= 0) {
+            const ms = parseDur(rest[i + 1]);
+            if (ms == null) {
+                process.stderr.write('sickr: --since takes a duration like 2h, 30m, or 1d.\n');
+                process.exit(1);
+                return null;
+            }
+            pred = (m) => m >= now - ms;
+            label = `last ${rest[i + 1]}`;
+        }
+    }
+    if (!pred)
+        return null;
+    const dir = runsDir();
+    const wantAgent = rest.includes('--codex') ? 'Codex' : rest.includes('--claude') ? 'Claude' : null;
+    let ids = existsSync(dir)
+        ? readdirSync(dir).filter((f) => f.endsWith('.ndjson')).filter((f) => pred(statSync(join(dir, f)).mtimeMs)).map((f) => f.replace(/\.ndjson$/, ''))
+        : [];
+    if (wantAgent) {
+        ids = ids.filter((id) => runSummary(id).agent === wantAgent);
+        label += ` · ${wantAgent}`;
+    }
+    return { ids, label };
+}
+function handleOpenCombined(sel) {
+    const runs = sel.ids
+        .map((id) => ({ id, events: loadRun(id).events }))
+        .filter((r) => r.events.length)
+        .map((r) => ({ agent: runSummary(r.id).agent, events: r.events }));
+    if (runs.length === 0) {
+        process.stdout.write(`sickr: no runs in ${sel.label}.\n`);
+        return;
+    }
+    const out = join(homedir(), '.sickr', 'last.html');
+    mkdirSync(join(homedir(), '.sickr'), { recursive: true });
+    writeFileSync(out, renderCombinedHtml(runs, sel.label));
+    process.stdout.write(`sickr: opened combined replay (${sel.label}) · ${runs.length} runs → ${out}\n`);
+    openInBrowser(out);
+}
+function handleList(provider) {
+    const dir = runsDir();
+    let files = existsSync(dir) ? readdirSync(dir).filter((f) => f.endsWith('.ndjson')) : [];
+    if (provider) {
+        const want = PROVIDERS[provider].label;
+        files = files.filter((f) => loadRun(f.replace(/\.ndjson$/, '')).events.some((e) => e.kind === 'response' && e.label === want));
+    }
+    if (files.length === 0) {
+        process.stdout.write(provider ? `sickr: no ${PROVIDERS[provider].label} runs yet.\n` : 'sickr: no runs yet.\n');
+        return;
+    }
+    files
+        .sort((a, b) => statSync(join(dir, b)).mtimeMs - statSync(join(dir, a)).mtimeMs)
+        .forEach((f) => {
+        const id = f.replace(/\.ndjson$/, '');
+        const s = runSummary(id);
+        const when = statSync(join(dir, f)).mtime.toISOString().replace('T', ' ').slice(0, 16);
+        const snippet = s.prompt ? ` "${s.prompt.slice(0, 48)}"` : '';
+        process.stdout.write(`${id}  ${s.agent.padEnd(7)} ${String(s.events).padStart(4)} ev  ${when}${snippet}\n`);
+    });
+}
+async function confirmPublish(yes, what) {
+    if (yes)
+        return true;
+    if (!process.stdin.isTTY) {
+        process.stderr.write('sickr: re-run with --yes to publish non-interactively.\n');
+        process.exit(1);
+        return false;
+    }
+    process.stdout.write(`Publish ${what} publicly? [y/N] `);
+    const a = await promptLine();
+    if (a !== 'y' && a !== 'yes') {
+        process.stdout.write('sickr: cancelled.\n');
+        return false;
+    }
+    return true;
+}
+/** Publish with a single friendly retry on 429 (the WAF allows ~1/10s).
+ *  If the user is logged in, attach their token so the share lands in the
+ *  7-day daily slot (free_authed) instead of the 24h anon dedup pool. */
+async function publishWithRetry(payload) {
+    const token = readCredentials()?.token ?? null;
+    const post = async () => {
+        const r = await publish(payload, REPLAY_ENDPOINT, { token });
+        return { url: r.url, ttl_days: r.ttl_days ?? 1 };
+    };
+    try {
+        return await post();
+    }
+    catch (err) {
+        if (err instanceof PublishError && err.status === 429) {
+            process.stdout.write('sickr: rate-limited — you can publish about once every 10s. Waiting to retry once...\n');
+            await new Promise((r) => setTimeout(r, 11_000));
+            try {
+                return await post();
+            }
+            catch (retryErr) {
+                if (retryErr instanceof PublishError && retryErr.status === 429) {
+                    process.stderr.write('sickr: still rate-limited. Give it a minute and run `share` again.\n');
+                    process.exit(1);
+                }
+                throw retryErr;
+            }
+        }
+        throw err;
+    }
+}
+function expiryCopy(ttl_days) {
+    if (ttl_days >= 30)
+        return {
+            kind: 'pro',
+            value: `${ttl_days} days`,
+            tag: 'Replay Pro',
+            footer: [],
+        };
+    if (ttl_days >= 2)
+        return {
+            kind: 'authed',
+            value: `in ${ttl_days} days`,
+            tag: 'signed-in link',
+            footer: ['re-share before it expires to roll the window forward.'],
+        };
+    return {
+        kind: 'anon',
+        value: 'in 24h',
+        tag: 'anon link',
+        footer: [
+            'run `npx @sickr/cli login` to extend new links to 7 days.',
+            'Replay Pro (live + remote) — early access, rolling cohorts:',
+            '  https://sickr.ai/#waitlist',
+        ],
+    };
+}
+function expiryValueStyled(e) {
+    if (e.kind === 'anon')
+        return ui.warn(e.value) + '   ' + ui.dim(ui.glyph.tag + ' ' + e.tag);
+    if (e.kind === 'pro')
+        return ui.brand(e.value) + '   ' + ui.accent(ui.bold(ui.glyph.tag + ' ' + e.tag));
+    return ui.brand(e.value) + '   ' + ui.dim(ui.glyph.tag + ' ' + e.tag);
+}
+function tipLine(text) {
+    return '  ' + ui.accent(ui.glyph.tip) + ' ' + ui.dim(text) + '\n';
+}
+function legacyExpiryLine(ttl_days) {
+    if (ttl_days >= 30)
+        return `sickr: this link is live for ${ttl_days} days (Replay Pro retention).\n`;
+    if (ttl_days >= 2)
+        return `sickr: this link is live for ${ttl_days} days — re-share before it expires to extend.\n`;
+    return `sickr: this link expires in 24h. Run \`npx @sickr/cli login\` to extend to 7 days.\n`;
+}
+async function handleShare(runId, yes, open) {
+    const id = runId ?? latestRunId();
+    if (!id) {
+        process.stderr.write('sickr: no runs to share. Use Claude Code or Codex first.\n');
+        process.exit(1);
+        return;
+    }
+    const run = loadRun(id);
+    const payload = buildSharePayload(run);
+    const agentSet = Array.from(new Set(run.events.map((e) => e.label).filter((a) => a && a !== '—' && a !== 'Response')));
+    const agent = agentSet.length ? agentSet.join(', ') : 'Agent';
+    const target = REPLAY_ENDPOINT.replace(/^https?:\/\//, '');
+    if (ui.enabled()) {
+        process.stdout.write(card('publish preview', [
+            kv('run', ui.white(id)),
+            kv('agent', ui.white(agent)),
+            kv('events', ui.white(String(payload.run.events.length))),
+            kv('secrets', `redacted ${ui.ok(ui.glyph.check)}`),
+            kv('target', ui.white(target)),
+        ]));
+        process.stdout.write(tipLine(`run \`npx @sickr/cli replay open ${id}\` to review locally first.`));
+        process.stdout.write('\n');
+    }
+    else {
+        process.stdout.write(`sickr: about to publish run "${id}" (${payload.run.events.length} events, secrets already redacted) to ${REPLAY_ENDPOINT}\n` +
+            `sickr: tip — run \`npx @sickr/cli replay open ${id}\` to review the full timeline locally before sharing.\n`);
+    }
+    if (!(await confirmPublish(yes, 'this run')))
+        return;
+    const { url, ttl_days } = await publishWithRetry(payload);
+    const exp = expiryCopy(ttl_days);
+    if (ui.enabled()) {
+        process.stdout.write(card('published', [
+            kv('url', ui.underline(ui.white(url))),
+            kv('run', ui.white(`${id} · ${payload.run.events.length} events`)),
+            kv(exp.kind === 'pro' ? 'retention' : 'expires', expiryValueStyled(exp)),
+        ]));
+        for (const line of exp.footer)
+            process.stdout.write(tipLine(line));
+    }
+    else {
+        process.stdout.write(`sickr: published → ${url}\n` +
+            legacyExpiryLine(ttl_days) +
+            (exp.kind === 'anon' ? `sickr: Replay Pro (live + remote) — early access, rolling out in cohorts → https://sickr.ai/#waitlist\n` : ''));
+    }
+    if (open)
+        openInBrowser(url);
+}
+async function handleShareCombined(sel, yes, open) {
+    const runs = sel.ids
+        .map((id) => ({ id, events: loadRun(id).events }))
+        .filter((r) => r.events.length)
+        .map((r) => ({ agent: runSummary(r.id).agent, events: r.events }));
+    if (runs.length === 0) {
+        process.stdout.write(`sickr: no runs in ${sel.label} to share.\n`);
+        return;
+    }
+    const turns = runs.reduce((n, r) => n + r.events.filter((e) => e.kind === 'prompt').length, 0);
+    // Drop the placeholder dash that runSummary returns when an agent label is
+    // missing — otherwise the join produces "across —, Codex, Claude".
+    const agentSet = Array.from(new Set(runs.map((r) => r.agent).filter((a) => a && a !== '—')));
+    const agents = agentSet.length ? agentSet.join(', ') : 'Agent';
+    const payload = buildCombinedPayload(runs, sel.label);
+    const target = REPLAY_ENDPOINT.replace(/^https?:\/\//, '');
+    if (ui.enabled()) {
+        process.stdout.write(card('publish preview', [
+            kv('scope', ui.white(sel.label)),
+            kv('runs', ui.white(String(runs.length))),
+            kv('turns', ui.white(`~${turns}`)),
+            kv('agents', ui.white(agents)),
+            kv('secrets', `redacted ${ui.ok(ui.glyph.check)}`),
+            kv('target', ui.white(target)),
+        ]));
+        process.stdout.write(tipLine('run the matching `open` window to review locally first.'));
+        process.stdout.write('\n');
+    }
+    else {
+        process.stdout.write(`sickr: about to publish a combined replay (${sel.label}) — ${runs.length} runs, ~${turns} turns across ${agents}, secrets already redacted, to ${REPLAY_ENDPOINT}\n` +
+            `sickr: tip — run the matching \`open\` window to review locally before sharing.\n`);
+    }
+    if (!(await confirmPublish(yes, 'this combined replay')))
+        return;
+    const { url, ttl_days } = await publishWithRetry(payload);
+    const exp = expiryCopy(ttl_days);
+    if (ui.enabled()) {
+        process.stdout.write(card('published', [
+            kv('url', ui.underline(ui.white(url))),
+            kv('scope', ui.white(`${sel.label} · ${runs.length} runs · ~${turns} turns`)),
+            kv(exp.kind === 'pro' ? 'retention' : 'expires', expiryValueStyled(exp)),
+        ]));
+        for (const line of exp.footer)
+            process.stdout.write(tipLine(line));
+    }
+    else {
+        process.stdout.write(`sickr: published → ${url}\n` +
+            legacyExpiryLine(ttl_days) +
+            (exp.kind === 'anon' ? `sickr: Replay Pro (live + remote) — early access, rolling out in cohorts → https://sickr.ai/#waitlist\n` : ''));
+    }
+    if (open)
+        openInBrowser(url);
+}
+/** Read a single line of input, then release stdin so the process can exit. */
+async function promptLine() {
+    return new Promise((resolve) => {
+        process.stdin.once('data', (d) => {
+            process.stdin.pause(); // unref stdin — otherwise the event loop never drains and the CLI hangs
+            resolve(d.toString().trim().toLowerCase());
+        });
+    });
+}
+/** GitHub Device Flow login — optional, but unlocks persistent shares + Pro eligibility. */
+export async function handleLogin() {
+    const existing = readCredentials();
+    if (existing) {
+        process.stdout.write(`sickr: already logged in as ${existing.login}. Run \`logout\` to switch accounts.\n`);
+        return;
+    }
+    let device;
+    try {
+        device = await startDevice();
+    }
+    catch (e) {
+        process.stderr.write(`sickr: could not start GitHub login (${e.message}).\n`);
+        process.exit(1);
+        return;
+    }
+    const verifyUrl = device.verification_uri_complete ?? device.verification_uri;
+    process.stdout.write(`\nsickr: open ${device.verification_uri} in your browser and enter this code:\n\n` +
+        `    ${device.user_code}\n\n` +
+        `(opening ${verifyUrl} for you …)\n`);
+    openInBrowser(verifyUrl);
+    const deadline = Date.now() + device.expires_in * 1000;
+    let intervalMs = Math.max(1, device.interval) * 1000;
+    while (Date.now() < deadline) {
+        await sleep(intervalMs);
+        let result;
+        try {
+            result = await pollDevice(device.device_code);
+        }
+        catch (e) {
+            process.stderr.write(`sickr: login poll failed (${e.message}).\n`);
+            process.exit(1);
+            return;
+        }
+        if (result.status === 'success') {
+            writeCredentials({
+                token: result.token, login: result.login, github_user_id: result.github_user_id,
+                name: result.name ?? null, login_at: new Date().toISOString(),
+            });
+            process.stdout.write(`\nsickr: logged in as ${result.login}. Your shares are now persistent and claimable.\n`);
+            return;
+        }
+        if (result.status === 'pending')
+            continue;
+        if (result.status === 'slow_down') {
+            intervalMs += 5000;
+            continue;
+        }
+        if (result.status === 'expired') {
+            process.stderr.write('sickr: login code expired. Run `login` again.\n');
+            process.exit(1);
+            return;
+        }
+        if (result.status === 'denied') {
+            process.stderr.write('sickr: authorization denied.\n');
+            process.exit(1);
+            return;
+        }
+        process.stderr.write(`sickr: login error: ${result.error ?? 'unknown'}.\n`);
+        process.exit(1);
+        return;
+    }
+    process.stderr.write('sickr: login timed out. Run `login` again.\n');
+    process.exit(1);
+}
+export function handleLogout() {
+    const c = readCredentials();
+    clearCredentials();
+    process.stdout.write(c ? `sickr: logged out (was ${c.login}).\n` : 'sickr: not logged in.\n');
+}
+export function handleWhoami() {
+    const c = readCredentials();
+    if (!c) {
+        process.stdout.write('sickr: not logged in. Run `npx @sickr/cli login`.\n');
+        return;
+    }
+    process.stdout.write(`sickr: ${c.login}${c.name ? ` (${c.name})` : ''} · since ${c.login_at}\n`);
+}
+function valueAt(rest, flag) {
+    const i = rest.indexOf(flag);
+    return i >= 0 && rest[i + 1] && !rest[i + 1].startsWith('-') ? rest[i + 1] : null;
+}
+function isRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+function agentContextLabel(context) {
+    const root = isRecord(context) ? context : {};
+    const agent = isRecord(root.agent) ? root.agent : {};
+    const org = isRecord(root.org) ? root.org : {};
+    const team = isRecord(root.team) ? root.team : {};
+    return {
+        agentId: typeof agent.agent_id === 'string' ? agent.agent_id : 'unknown',
+        provider: typeof agent.provider === 'string' ? agent.provider : 'unknown',
+        status: typeof agent.status === 'string' ? agent.status : 'unknown',
+        org: typeof org.name === 'string' ? org.name : 'unknown org',
+        team: typeof team.name === 'string' ? team.name : 'unknown team',
+    };
+}
+export async function handleAgentStatus() {
+    const c = readAgentCredentials();
+    if (!c) {
+        process.stdout.write('sickr: agent is not connected. Run `sickr agent connect --agent-id <id>`.\n');
+        return;
+    }
+    try {
+        const label = agentContextLabel(await fetchAgentStatus(c));
+        process.stdout.write(`sickr: connected as ${label.agentId} (${label.provider}, ${label.status})\n` +
+            `org: ${label.org}  team: ${label.team}\n` +
+            `api: ${c.api_url}\n`);
+    }
+    catch (e) {
+        process.stderr.write(`sickr: agent status failed (${e.message}).\n`);
+        process.exit(1);
+    }
+}
+export async function handleAgentRotate() {
+    const c = readAgentCredentials();
+    if (!c) {
+        process.stderr.write('sickr: agent is not connected. Run `sickr agent connect --agent-id <id>`.\n');
+        process.exit(1);
+        return;
+    }
+    try {
+        const rotated = await rotateAgentKey(c);
+        writeAgentCredentials({ ...c, api_key: rotated.api_key, key_id: rotated.key?.id ?? c.key_id });
+        process.stdout.write(`sickr: rotated key for ${c.agent_id}.\n`);
+    }
+    catch (e) {
+        process.stderr.write(`sickr: agent rotate failed (${e.message}).\n`);
+        process.exit(1);
+    }
+}
+export async function handleAgentDisconnect() {
+    const c = readAgentCredentials();
+    if (!c) {
+        process.stdout.write('sickr: agent is not connected.\n');
+        return;
+    }
+    try {
+        await disconnectAgent(c);
+        clearAgentCredentials();
+        process.stdout.write(`sickr: disconnected ${c.agent_id} and removed the local key.\n`);
+    }
+    catch (e) {
+        process.stderr.write(`sickr: agent disconnect failed (${e.message}).\n`);
+        process.exit(1);
+    }
+}
+function storeApprovedAgent(apiUrl, result) {
+    writeAgentCredentials({
+        api_url: apiUrl,
+        agent_id: result.agent_id,
+        api_key: result.api_key,
+        key_id: result.key_id ?? null,
+        org_id: result.org_id,
+        team_id: result.team_id,
+        connected_at: new Date().toISOString(),
+    });
+}
+export async function handleAgentConnect(rest) {
+    const agentId = valueAt(rest, '--agent-id') ?? rest.find((a) => !a.startsWith('-')) ?? null;
+    if (!agentId) {
+        process.stderr.write('sickr: `agent connect` requires --agent-id <id>.\n');
+        process.exit(1);
+        return;
+    }
+    const apiUrl = (valueAt(rest, '--api-url') ?? AGENT_API_URL).replace(/\/+$/, '');
+    let started;
+    try {
+        started = await startAgentConnect(apiUrl, agentId);
+    }
+    catch (e) {
+        process.stderr.write(`sickr: could not start agent connect (${e.message}).\n`);
+        process.exit(1);
+        return;
+    }
+    const verifyUrl = started.verification_uri_complete ?? started.verification_uri;
+    process.stdout.write(`\nsickr: approve agent ${agentId} in your browser:\n\n` +
+        `    ${verifyUrl}\n\n` +
+        `code: ${started.user_code}\n` +
+        `(opening browser...)\n`);
+    openInBrowser(verifyUrl);
+    const deadline = Date.now() + started.expires_in * 1000;
+    const intervalMs = Math.max(1, started.interval) * 1000;
+    while (Date.now() < deadline) {
+        await sleep(intervalMs);
+        let polled;
+        try {
+            polled = await pollAgentConnect(apiUrl, started.device_code);
+        }
+        catch (e) {
+            process.stderr.write(`sickr: agent connect poll failed (${e.message}).\n`);
+            process.exit(1);
+            return;
+        }
+        if (polled.status === 'pending')
+            continue;
+        if (polled.status === 'approved') {
+            storeApprovedAgent(apiUrl, polled);
+            process.stdout.write(`\nsickr: connected ${polled.agent_id}. Run \`sickr agent status\` to verify.\n`);
+            return;
+        }
+        if (polled.status === 'expired') {
+            process.stderr.write('sickr: agent connect code expired. Run `sickr agent connect` again.\n');
+            process.exit(1);
+            return;
+        }
+        if (polled.status === 'denied') {
+            process.stderr.write('sickr: agent connect was denied.\n');
+            process.exit(1);
+            return;
+        }
+        if (polled.status === 'consumed') {
+            process.stderr.write('sickr: agent connect code was already used. Run `sickr agent connect` again.\n');
+            process.exit(1);
+            return;
+        }
+        process.stderr.write(`sickr: agent connect error: ${polled.error ?? 'unknown'}.\n`);
+        process.exit(1);
+        return;
+    }
+    process.stderr.write('sickr: agent connect timed out. Run `sickr agent connect` again.\n');
+    process.exit(1);
+}
+async function fetchReplayProEntitlement() {
+    const creds = readCredentials();
+    if (!creds)
+        return false;
+    try {
+        const r = await fetch(`${AUTH_ENDPOINT}/me`, {
+            headers: { Authorization: `Bearer ${creds.token}` },
+        });
+        if (!r.ok)
+            return false;
+        const me = await r.json();
+        return !!me.entitlements?.replay_pro || me.tier === 'replay_pro';
+    }
+    catch {
+        return false;
+    }
+}
+async function handleReplay(rest) {
+    const sub = replaySubcommand(rest);
+    if (!sub) {
+        process.stderr.write('sickr: unknown replay command. Use `sickr replay`, `sickr replay init all`, `sickr replay share`, or `sickr replay status`.\n');
+        process.exit(1);
+        return;
+    }
+    const replayRest = sub === 'auto' ? [] : rest.slice(1);
+    if (sub === 'init') {
+        const noName = replayRest.includes('--no-name');
+        const agent = replayRest.find((a) => !a.startsWith('-')) ?? 'all';
+        if (agent === 'all') {
+            handleInit('claude', noName);
+            handleInit('codex', noName);
+            return;
+        }
+        if (agent === 'claude' || agent === 'codex') {
+            handleInit(agent, noName);
+            return;
+        }
+        process.stderr.write('sickr: choose an agent - `sickr replay init claude`, `codex`, or `all`.\n');
+        process.exit(1);
+        return;
+    }
+    if (sub === 'share') {
+        const yes = replayRest.includes('--yes') || replayRest.includes('-y');
+        const openAfter = replayRest.includes('--open');
+        const sel = selectWindow(replayRest);
+        if (sel) {
+            await handleShareCombined(sel, yes, openAfter);
+            return;
+        }
+        await handleShare(replayRest.find((a) => !a.startsWith('-')), yes, openAfter);
+        return;
+    }
+    if (sub === 'open') {
+        const sel = selectWindow(replayRest);
+        if (sel) {
+            handleOpenCombined(sel);
+            return;
+        }
+        const openProvider = replayRest.includes('--codex') ? 'codex' : replayRest.includes('--claude') ? 'claude' : undefined;
+        handleOpen(replayRest.find((a) => !a.startsWith('-')), openProvider);
+        return;
+    }
+    if (sub === 'list') {
+        const listProvider = replayRest.includes('--codex') ? 'codex' : replayRest.includes('--claude') ? 'claude' : undefined;
+        handleList(listProvider);
+        return;
+    }
+    if (sub === 'clear') {
+        await handleClear(replayRest.includes('--yes') || replayRest.includes('-y'));
+        return;
+    }
+    if (sub === 'stop') {
+        handleStop();
+        return;
+    }
+    const { startLive, stopLive, liveStatus } = await import('./live.js');
+    if (sub === 'status') {
+        liveStatus();
+        return;
+    }
+    if (sub === 'live') {
+        const liveSub = replayRest[0];
+        if (liveSub === 'stop') {
+            stopLive();
+            return;
+        }
+        if (liveSub === 'status') {
+            liveStatus();
+            return;
+        }
+        await startLive({ verbose: replayRest.includes('--verbose') || replayRest.includes('-v'), background: replayRest.includes('--background') });
+        return;
+    }
+    handleInit('claude');
+    handleInit('codex');
+    if (await fetchReplayProEntitlement()) {
+        await startLive({ verbose: rest.includes('--verbose') || rest.includes('-v'), background: rest.includes('--background') });
+        return;
+    }
+    process.stdout.write('sickr: replay recording is ready for Claude and Codex.\n' +
+        '       Replay Pro unlocks live viewing with `sickr replay live`.\n');
+}
+function commandCandidates(mappedArgs) {
+    const override = process.env.SICKR_ORCHESTRATOR_CMD?.trim();
+    if (override) {
+        const [command, ...prefix] = override.split(/\s+/);
+        return [{ command, args: [...prefix, ...mappedArgs] }];
+    }
+    return [
+        { command: 'uvx', args: ['sickr', ...mappedArgs] },
+        { command: process.platform === 'win32' ? 'python' : 'python3', args: ['-m', 'labudi_orchestrator.cli', ...mappedArgs] },
+        { command: 'python', args: ['-m', 'labudi_orchestrator.cli', ...mappedArgs] },
+    ];
+}
+function runWorkflow(rest) {
+    const mapped = buildWorkflowInvocation(rest).args;
+    const candidates = commandCandidates(mapped);
+    let lastStatus = 1;
+    for (const candidate of candidates) {
+        const result = spawnSync(candidate.command, candidate.args, { stdio: 'inherit', env: process.env });
+        if (result.error && result.error.code === 'ENOENT') {
+            lastStatus = 127;
+            continue;
+        }
+        if (result.error) {
+            process.stderr.write(`sickr: workflow command failed to start: ${result.error.message}\n`);
+            process.exit(1);
+            return;
+        }
+        process.exit(result.status ?? 0);
+        return;
+    }
+    process.stderr.write('sickr: workflow orchestrator is not available. Install Python package `sickr` with `uv tool install sickr`, or set SICKR_ORCHESTRATOR_CMD.\n');
+    process.exit(lastStatus);
+}
+async function handleWorkflow(rest) {
+    const alias = workflowAgentAlias(rest);
+    if (alias) {
+        const sub = alias[0];
+        const agentRest = alias.slice(1);
+        if (sub === 'connect') {
+            await handleAgentConnect(agentRest);
+            return;
+        }
+        if (sub === 'rotate') {
+            await handleAgentRotate();
+            return;
+        }
+        if (sub === 'disconnect') {
+            await handleAgentDisconnect();
+            return;
+        }
+    }
+    runWorkflow(rest.length ? rest : ['status']);
+}
+async function readStdin() {
+    const chunks = [];
+    for await (const chunk of process.stdin)
+        chunks.push(chunk);
+    return Buffer.concat(chunks).toString('utf8');
+}
+async function main() {
+    const argv = process.argv.slice(2);
+    if (argv.length === 0 || argv[0] === 'help' || argv.includes('--help') || argv.includes('-h')) {
+        process.stdout.write(HELP);
+        return;
+    }
+    const cmd = parseCommand(argv);
+    const rest = argv.slice(1);
+    const provider = rest.includes('--codex') ? 'codex' : 'claude';
+    switch (cmd) {
+        case 'record':
+            handleRecord(await readStdin(), provider);
+            return;
+        case 'init': {
+            const noName = rest.includes('--no-name');
+            const agent = rest.find((a) => !a.startsWith('-'));
+            if (agent === 'all') {
+                handleInit('claude', noName);
+                handleInit('codex', noName);
+                return;
+            }
+            if (agent === 'claude' || agent === 'codex') {
+                handleInit(agent, noName);
+                return;
+            }
+            process.stderr.write('sickr: choose an agent — `init claude`, `init codex`, or `init all`.\n');
+            process.exit(1);
+            return;
+        }
+        case 'open': {
+            const sel = selectWindow(rest);
+            if (sel) {
+                handleOpenCombined(sel);
+                return;
+            }
+            const openProvider = rest.includes('--codex') ? 'codex' : rest.includes('--claude') ? 'claude' : undefined;
+            handleOpen(rest.find((a) => !a.startsWith('-')), openProvider);
+            return;
+        }
+        case 'list': {
+            const listProvider = rest.includes('--codex') ? 'codex' : rest.includes('--claude') ? 'claude' : undefined;
+            handleList(listProvider);
+            return;
+        }
+        case 'stop':
+            handleStop();
+            return;
+        case 'clear':
+            await handleClear(rest.includes('--yes') || rest.includes('-y'));
+            return;
+        case 'login':
+            await handleLogin();
+            return;
+        case 'logout':
+            handleLogout();
+            return;
+        case 'whoami':
+            handleWhoami();
+            return;
+        case 'replay':
+            await handleReplay(rest);
+            return;
+        case 'workflow':
+            await handleWorkflow(rest);
+            return;
+        case 'agent': {
+            const sub = rest[0];
+            const agentRest = rest.slice(1);
+            if (sub === 'connect') {
+                await handleAgentConnect(agentRest);
+                return;
+            }
+            if (sub === 'status') {
+                await handleAgentStatus();
+                return;
+            }
+            if (sub === 'disconnect') {
+                await handleAgentDisconnect();
+                return;
+            }
+            if (sub === 'rotate') {
+                await handleAgentRotate();
+                return;
+            }
+            process.stderr.write('sickr: unknown agent command. Use `sickr agent connect|status|disconnect|rotate`.\n');
+            process.exit(1);
+            return;
+        }
+        case 'live': {
+            const sub = rest[0];
+            const { startLive, stopLive, liveStatus } = await import('./live.js');
+            if (sub === 'stop') {
+                stopLive();
+                return;
+            }
+            if (sub === 'status') {
+                liveStatus();
+                return;
+            }
+            // default: start (foreground)
+            const opts = { verbose: rest.includes('--verbose') || rest.includes('-v'), background: rest.includes('--background') };
+            await startLive(opts);
+            return;
+        }
+        case 'share': {
+            const yes = rest.includes('--yes') || rest.includes('-y');
+            const openAfter = rest.includes('--open');
+            const sel = selectWindow(rest);
+            if (sel) {
+                await handleShareCombined(sel, yes, openAfter);
+                return;
+            }
+            await handleShare(rest.find((a) => !a.startsWith('-')), yes, openAfter);
+            return;
+        }
+        default:
+            process.stderr.write('sickr: unknown command. Run `npx @sickr/cli help`.\n');
+            process.exit(1);
+    }
+}
+const invokedDirectly = process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href;
+if (invokedDirectly)
+    void main();