@soku-ai/cli 0.1.0-alpha.0

package/README.md

@@ -0,0 +1,91 @@
+# @soku-ai/cli
+
+Call Soku ads/GA4 data capabilities from any shell or AI agent. It's the
+preferred surface for external agents — equivalent to the hosted MCP server, but
+works without an MCP host.
+
+## Install
+
+```bash
+npm i -g @soku-ai/cli
+```
+
+Development builds can be linked from this repo:
+
+```bash
+pnpm --filter @soku-ai/cli run build
+npm link apps/cli
+```
+
+## Quick start
+
+```bash
+soku auth login              # device-login in the browser
+soku org use <slug|id>       # pick a workspace (id, slug, or name)
+soku brand use <slug|id>
+soku --help                  # discover namespaces (ads, ga4, …)
+soku update-check            # check npm for a newer CLI release
+soku ads --help              # actions in a namespace
+soku ads list-ad-accounts --platform google
+```
+
+Each data capability is a typed sub-command under its namespace; `<command>
+--help` shows its flags. `soku call <ns> <action>` is a raw escape hatch for
+actions not yet exposed as a typed sub-command.
+
+## Authentication
+
+`soku` uses an org-agnostic, device-login session token (RFC 8628). You log in
+once; the org and brand are chosen at runtime and sent per request.
+
+- **Human:** `soku auth login` opens the browser and waits for approval.
+- **Agent (non-blocking):** `soku auth login --no-wait` returns the verification
+  URL immediately; resume with `soku auth login --device-code <code>` after the
+  user approves.
+- **CI / headless:** set `SOKU_TOKEN` to a pre-issued token to skip interactive
+  auth (and the OS keychain).
+
+Token storage: OS keychain when available, else `~/.soku/credentials.json`
+(0600). Set `SOKU_NO_KEYCHAIN=1` to always use the file. Behind a proxy, set
+`ALL_PROXY`.
+
+## Output
+
+stdout is JSON (`{"ok":true,"data":...}` when piped; pretty when a TTY).
+Errors go to stderr as `{"ok":false,"error":{type,message,hint}}` with a
+semantic exit code (0 ok / 1 usage / 2 auth / 4 not-found / 5 runtime).
+
+## Use from an AI agent
+
+For a fresh agent, point it at the hosted installer guide:
+
+```text
+Read https://soku.ai/cli/skill.md and install the Soku CLI.
+```
+
+Install the bundled skill so Claude Code / Codex / Cursor know how to drive the
+CLI:
+
+```bash
+soku skill install --global        # all detected agents
+soku skill install --agent claude  # one agent, into the project
+```
+
+## Updates
+
+`soku update-check` queries the npm registry for `@soku-ai/cli@latest` and tells
+the user whether `npm i -g @soku-ai/cli` should be re-run. The CLI also performs a
+TTY-only advisory check at most once every 24 hours, cached in
+`~/.soku/update-check.json`. Set `SOKU_NO_UPDATE_CHECK=1` to disable the
+background notice.
+
+## Environment variables
+
+| Variable | Purpose |
+|----------|---------|
+| `SOKU_TOKEN` | Pre-issued session token (overrides stored credentials) |
+| `SOKU_API_BASE` | API base URL override |
+| `SOKU_ORG_ID` / `SOKU_BRAND_ID` | One-off workspace override |
+| `SOKU_NO_KEYCHAIN` | Skip the OS keychain; use the 0600 file |
+| `SOKU_NO_UPDATE_CHECK` | Disable the TTY-only update notice |
+| `ALL_PROXY` | Proxy for outbound HTTPS |

package/dist/auth/device.d.ts

@@ -0,0 +1,36 @@
+/** RFC 8628 device authorization client. */
+export interface DeviceAuthorization {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete: string;
+    expires_in: number;
+    interval: number;
+}
+export interface TokenResult {
+    access_token: string;
+    token_type: string;
+    expires_in: number;
+    scope: string;
+}
+export declare function requestDeviceCode(opts: {
+    apiBase?: string;
+    scope?: string;
+}): Promise<DeviceAuthorization>;
+export type PollOutcome = {
+    status: 'token';
+    token: TokenResult;
+} | {
+    status: 'denied';
+} | {
+    status: 'expired';
+};
+/** Poll until the grant is approved/denied/expired, honoring slow_down (+5s). */
+export declare function pollForToken(opts: {
+    deviceCode: string;
+    interval: number;
+    expiresIn: number;
+    apiBase?: string;
+    onTick?: () => void;
+}): Promise<PollOutcome>;
+//# sourceMappingURL=device.d.ts.map

package/dist/auth/device.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device.d.ts","sourceRoot":"","sources":["../../src/auth/device.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAI5C,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAA;IACnB,SAAS,EAAE,MAAM,CAAA;IACjB,gBAAgB,EAAE,MAAM,CAAA;IACxB,yBAAyB,EAAE,MAAM,CAAA;IACjC,UAAU,EAAE,MAAM,CAAA;IAClB,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,WAAW;IAC1B,YAAY,EAAE,MAAM,CAAA;IACpB,UAAU,EAAE,MAAM,CAAA;IAClB,UAAU,EAAE,MAAM,CAAA;IAClB,KAAK,EAAE,MAAM,CAAA;CACd;AAID,wBAAsB,iBAAiB,CAAC,IAAI,EAAE;IAC5C,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAW/B;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,WAAW,CAAA;CAAE,GACvC;IAAE,MAAM,EAAE,QAAQ,CAAA;CAAE,GACpB;IAAE,MAAM,EAAE,SAAS,CAAA;CAAE,CAAA;AAEzB,iFAAiF;AACjF,wBAAsB,YAAY,CAAC,IAAI,EAAE;IACvC,UAAU,EAAE,MAAM,CAAA;IAClB,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,MAAM,CAAC,EAAE,MAAM,IAAI,CAAA;CACpB,GAAG,OAAO,CAAC,WAAW,CAAC,CA6CvB"}

package/dist/auth/device.js

@@ -0,0 +1,66 @@
+/** RFC 8628 device authorization client. */
+import { resolveApiBaseUrl } from '../config.js';
+const CLIENT_ID = 'soku-cli';
+export async function requestDeviceCode(opts) {
+    const base = resolveApiBaseUrl(opts.apiBase);
+    const res = await fetch(`${base}/api/device/code`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ client_id: CLIENT_ID, scope: opts.scope ?? 'data-infra' }),
+    });
+    if (!res.ok) {
+        throw new Error(`Failed to start device authorization (HTTP ${res.status})`);
+    }
+    return (await res.json());
+}
+/** Poll until the grant is approved/denied/expired, honoring slow_down (+5s). */
+export async function pollForToken(opts) {
+    const base = resolveApiBaseUrl(opts.apiBase);
+    let interval = Math.max(opts.interval, 1);
+    const deadline = Date.now() + opts.expiresIn * 1000;
+    while (Date.now() < deadline) {
+        await sleep(interval * 1000);
+        opts.onTick?.();
+        let res;
+        try {
+            res = await fetch(`${base}/api/device/token`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+                    device_code: opts.deviceCode,
+                    client_id: CLIENT_ID,
+                }),
+            });
+        }
+        catch {
+            // Transient network blip — keep polling until the deadline rather than
+            // giving up. RFC 8628 only terminates on a definitive error code.
+            continue;
+        }
+        if (res.ok) {
+            return { status: 'token', token: (await res.json()) };
+        }
+        const body = (await res.json().catch(() => ({})));
+        switch (body.error) {
+            case 'authorization_pending':
+                break;
+            case 'slow_down':
+                interval += 5;
+                break;
+            case 'access_denied':
+                return { status: 'denied' };
+            case 'expired_token':
+                return { status: 'expired' };
+            default:
+                // Unknown/transient server error (e.g. 5xx, 429): don't treat as a
+                // terminal expiry — keep polling until the deadline.
+                break;
+        }
+    }
+    return { status: 'expired' };
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+//# sourceMappingURL=device.js.map

package/dist/auth/device.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device.js","sourceRoot":"","sources":["../../src/auth/device.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAE5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA;AAkBhD,MAAM,SAAS,GAAG,UAAU,CAAA;AAE5B,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,IAGvC;IACC,MAAM,IAAI,GAAG,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAC5C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,kBAAkB,EAAE;QACjD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,YAAY,EAAE,CAAC;KAClF,CAAC,CAAA;IACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,8CAA8C,GAAG,CAAC,MAAM,GAAG,CAAC,CAAA;IAC9E,CAAC;IACD,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAwB,CAAA;AAClD,CAAC;AAOD,iFAAiF;AACjF,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAMlC;IACC,MAAM,IAAI,GAAG,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAC5C,IAAI,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAA;IACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,GAAG,IAAI,CAAA;IAEnD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC7B,MAAM,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;QAC5B,IAAI,CAAC,MAAM,EAAE,EAAE,CAAA;QACf,IAAI,GAAa,CAAA;QACjB,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,mBAAmB,EAAE;gBAC5C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,UAAU,EAAE,8CAA8C;oBAC1D,WAAW,EAAE,IAAI,CAAC,UAAU;oBAC5B,SAAS,EAAE,SAAS;iBACrB,CAAC;aACH,CAAC,CAAA;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,uEAAuE;YACvE,kEAAkE;YAClE,SAAQ;QACV,CAAC;QACD,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;YACX,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAgB,EAAE,CAAA;QACtE,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAuB,CAAA;QACvE,QAAQ,IAAI,CAAC,KAAK,EAAE,CAAC;YACnB,KAAK,uBAAuB;gBAC1B,MAAK;YACP,KAAK,WAAW;gBACd,QAAQ,IAAI,CAAC,CAAA;gBACb,MAAK;YACP,KAAK,eAAe;gBAClB,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAA;YAC7B,KAAK,eAAe;gBAClB,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,CAAA;YAC9B;gBACE,mEAAmE;gBACnE,qDAAqD;gBACrD,MAAK;QACT,CAAC;IACH,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,CAAA;AAC9B,CAAC;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAA;AAC1D,CAAC"}

package/dist/auth/store.d.ts

@@ -0,0 +1,11 @@
+/** Token storage: env override → OS keychain (keytar) → 0600 file fallback.
+ *
+ * keytar is a native, optional dependency. In headless/CI/container environments
+ * (where agents typically run) it can fail to load entirely, so every keytar
+ * call is guarded and we fall back to a 0600 file. Agents/CI should prefer the
+ * SOKU_TOKEN env var, which bypasses storage completely.
+ */
+export declare function saveToken(token: string): Promise<void>;
+export declare function loadToken(): Promise<string | null>;
+export declare function clearToken(): Promise<void>;
+//# sourceMappingURL=store.d.ts.map

package/dist/auth/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/auth/store.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAwCH,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAa5D;AAED,wBAAsB,SAAS,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmBxD;AAED,wBAAsB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAchD"}

package/dist/auth/store.js

@@ -0,0 +1,89 @@
+/** Token storage: env override → OS keychain (keytar) → 0600 file fallback.
+ *
+ * keytar is a native, optional dependency. In headless/CI/container environments
+ * (where agents typically run) it can fail to load entirely, so every keytar
+ * call is guarded and we fall back to a 0600 file. Agents/CI should prefer the
+ * SOKU_TOKEN env var, which bypasses storage completely.
+ */
+import { mkdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { configDir } from '../config.js';
+const SERVICE = 'soku-cli';
+const ACCOUNT = 'session';
+let keytarWarned = false;
+async function loadKeytar() {
+    // Explicit opt-out (CI/tests/containers): skip the OS keychain entirely.
+    if (process.env.SOKU_NO_KEYCHAIN)
+        return null;
+    try {
+        const mod = (await import('keytar'));
+        return mod.default ?? mod;
+    }
+    catch {
+        if (!keytarWarned) {
+            process.stderr.write('soku: OS keychain unavailable; storing token in ~/.soku/credentials.json (0600). ' +
+                'Set SOKU_TOKEN to avoid on-disk storage.\n');
+            keytarWarned = true;
+        }
+        return null;
+    }
+}
+function credentialsPath() {
+    return join(configDir(), 'credentials.json');
+}
+export async function saveToken(token) {
+    const keytar = await loadKeytar();
+    if (keytar) {
+        try {
+            await keytar.setPassword(SERVICE, ACCOUNT, token);
+            return;
+        }
+        catch {
+            // fall through to file
+        }
+    }
+    const path = credentialsPath();
+    mkdirSync(configDir(), { recursive: true });
+    writeFileSync(path, JSON.stringify({ token }), { mode: 0o600 });
+}
+export async function loadToken() {
+    const fromEnv = process.env.SOKU_TOKEN?.trim();
+    if (fromEnv)
+        return fromEnv;
+    const keytar = await loadKeytar();
+    if (keytar) {
+        try {
+            const token = await keytar.getPassword(SERVICE, ACCOUNT);
+            if (token)
+                return token;
+        }
+        catch {
+            // fall through to file
+        }
+    }
+    try {
+        const parsed = JSON.parse(readFileSync(credentialsPath(), 'utf8'));
+        return parsed.token ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+export async function clearToken() {
+    const keytar = await loadKeytar();
+    if (keytar) {
+        try {
+            await keytar.deletePassword(SERVICE, ACCOUNT);
+        }
+        catch {
+            // ignore
+        }
+    }
+    try {
+        rmSync(credentialsPath(), { force: true });
+    }
+    catch {
+        // ignore
+    }
+}
+//# sourceMappingURL=store.js.map

package/dist/auth/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/auth/store.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAA;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAEhC,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAA;AAExC,MAAM,OAAO,GAAG,UAAU,CAAA;AAC1B,MAAM,OAAO,GAAG,SAAS,CAAA;AAQzB,IAAI,YAAY,GAAG,KAAK,CAAA;AAExB,KAAK,UAAU,UAAU;IACvB,yEAAyE;IACzE,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAAE,OAAO,IAAI,CAAA;IAC7C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAqD,CAAA;QACxF,OAAO,GAAG,CAAC,OAAO,IAAI,GAAG,CAAA;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,mFAAmF;gBACjF,4CAA4C,CAC/C,CAAA;YACD,YAAY,GAAG,IAAI,CAAA;QACrB,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,SAAS,eAAe;IACtB,OAAO,IAAI,CAAC,SAAS,EAAE,EAAE,kBAAkB,CAAC,CAAA;AAC9C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,KAAa;IAC3C,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAA;IACjC,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,CAAA;YACjD,OAAM;QACR,CAAC;QAAC,MAAM,CAAC;YACP,uBAAuB;QACzB,CAAC;IACH,CAAC;IACD,MAAM,IAAI,GAAG,eAAe,EAAE,CAAA;IAC9B,SAAS,CAAC,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IAC3C,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;AACjE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS;IAC7B,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,EAAE,CAAA;IAC9C,IAAI,OAAO;QAAE,OAAO,OAAO,CAAA;IAE3B,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAA;IACjC,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;YACxD,IAAI,KAAK;gBAAE,OAAO,KAAK,CAAA;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,uBAAuB;QACzB,CAAC;IACH,CAAC;IACD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,eAAe,EAAE,EAAE,MAAM,CAAC,CAAuB,CAAA;QACxF,OAAO,MAAM,CAAC,KAAK,IAAI,IAAI,CAAA;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU;IAC9B,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAA;IACjC,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;IACD,IAAI,CAAC;QACH,MAAM,CAAC,eAAe,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;AACH,CAAC"}

package/dist/commands/auth.d.ts

@@ -0,0 +1,4 @@
+/** `soku auth login | status | logout` */
+import { Command } from 'commander';
+export declare function registerAuthCommands(program: Command): void;
+//# sourceMappingURL=auth.d.ts.map

package/dist/commands/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/commands/auth.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAE1C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AAUnC,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA4F3D"}

package/dist/commands/auth.js

@@ -0,0 +1,99 @@
+/** `soku auth login | status | logout` */
+import open from 'open';
+import qrcode from 'qrcode-terminal';
+import { pollForToken, requestDeviceCode } from '../auth/device.js';
+import { clearToken, loadToken, saveToken } from '../auth/store.js';
+import { updateConfig } from '../config.js';
+import { apiRequest } from '../http/client.js';
+import { cyan, dim, emitError, emitSuccess, ExitCode, green } from '../output/envelope.js';
+export function registerAuthCommands(program) {
+    const auth = program.command('auth').description('Authenticate the CLI with Soku');
+    auth
+        .command('login')
+        .description('Sign in via device authorization')
+        .option('--api-base <url>', 'Override the API base URL')
+        .option('--resource <bundles>', 'Resource bundles to request (comma-separated): data-infra, conversion-groups-write', 'data-infra')
+        .option('--no-wait', 'Print the verification URL and exit without polling (for agents)')
+        .option('--device-code <code>', 'Resume polling for a previously started login')
+        .option('--qr', 'Render the verification URL as a QR code')
+        .action(async (opts) => {
+        // Persist a non-default API base so subsequent commands reuse it.
+        if (opts.apiBase)
+            updateConfig({ apiBaseUrl: opts.apiBase });
+        // Split-flow resume: an agent started with --no-wait, the human approved,
+        // now poll for the token.
+        if (opts.deviceCode) {
+            await pollAndStore({
+                deviceCode: opts.deviceCode,
+                interval: 5,
+                expiresIn: 900,
+                apiBase: opts.apiBase,
+            });
+            return;
+        }
+        let auth;
+        try {
+            auth = await requestDeviceCode({ apiBase: opts.apiBase, scope: opts.resource });
+        }
+        catch (err) {
+            emitError('device_code_failed', err.message, ExitCode.RUNTIME);
+        }
+        if (!opts.wait) {
+            // Non-blocking: hand the URL back to the caller (agent surfaces it to the
+            // human), then exit. The agent resumes with `--device-code` next turn.
+            emitSuccess({
+                device_code: auth.device_code,
+                user_code: auth.user_code,
+                verification_uri: auth.verification_uri,
+                verification_uri_complete: auth.verification_uri_complete,
+                expires_in: auth.expires_in,
+                interval: auth.interval,
+                next: `soku auth login --device-code ${auth.device_code}`,
+            });
+        }
+        // Interactive (human) path.
+        process.stderr.write(`\n  To connect, visit:\n    ${auth.verification_uri}\n  and enter code:\n    ${auth.user_code}\n\n`);
+        if (opts.qr) {
+            qrcode.generate(auth.verification_uri_complete, { small: true });
+        }
+        await open(auth.verification_uri_complete).catch(() => undefined);
+        process.stderr.write('  Waiting for approval...\n');
+        await pollAndStore({
+            deviceCode: auth.device_code,
+            interval: auth.interval,
+            expiresIn: auth.expires_in,
+            apiBase: opts.apiBase,
+        });
+    });
+    auth
+        .command('status')
+        .description('Show the current session')
+        .action(async () => {
+        const token = await loadToken();
+        if (!token) {
+            emitError('not_authenticated', 'Not signed in.', ExitCode.AUTH, 'Run `soku auth login`.');
+        }
+        const me = await apiRequest('/api/cli/me');
+        emitSuccess({ signed_in: true, ...me }, (d) => `${green('✓')} Signed in ${dim(`(${d.scope_type})`)}\n  owner: ${cyan(d.owner_id)}`);
+    });
+    auth
+        .command('logout')
+        .description('Remove the stored session token')
+        .action(async () => {
+        await clearToken();
+        emitSuccess({ signed_out: true }, () => `${green('✓')} Signed out`);
+    });
+}
+async function pollAndStore(opts) {
+    const outcome = await pollForToken(opts);
+    if (outcome.status === 'denied') {
+        emitError('access_denied', 'Authorization was denied.', ExitCode.AUTH);
+    }
+    if (outcome.status === 'expired') {
+        emitError('expired', 'The login request expired before approval.', ExitCode.AUTH, 'Run `soku auth login` again.');
+    }
+    await saveToken(outcome.token.access_token);
+    const days = Math.round(outcome.token.expires_in / 86400);
+    emitSuccess({ signed_in: true, expires_in: outcome.token.expires_in, scope: outcome.token.scope }, () => `${green('✓')} Signed in ${dim(`(token valid ~${days} days)`)}\n  ${dim('Next: soku org list')}`);
+}
+//# sourceMappingURL=auth.js.map

package/dist/commands/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/commands/auth.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAG1C,OAAO,IAAI,MAAM,MAAM,CAAA;AACvB,OAAO,MAAM,MAAM,iBAAiB,CAAA;AAEpC,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAA4B,MAAM,mBAAmB,CAAA;AAC7F,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAA;AACnE,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAA;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAA;AAE1F,MAAM,UAAU,oBAAoB,CAAC,OAAgB;IACnD,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,WAAW,CAAC,gCAAgC,CAAC,CAAA;IAElF,IAAI;SACD,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,kCAAkC,CAAC;SAC/C,MAAM,CAAC,kBAAkB,EAAE,2BAA2B,CAAC;SACvD,MAAM,CACL,sBAAsB,EACtB,oFAAoF,EACpF,YAAY,CACb;SACA,MAAM,CAAC,WAAW,EAAE,kEAAkE,CAAC;SACvF,MAAM,CAAC,sBAAsB,EAAE,+CAA+C,CAAC;SAC/E,MAAM,CAAC,MAAM,EAAE,0CAA0C,CAAC;SAC1D,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;QACrB,kEAAkE;QAClE,IAAI,IAAI,CAAC,OAAO;YAAE,YAAY,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAA;QAE5D,0EAA0E;QAC1E,0BAA0B;QAC1B,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,MAAM,YAAY,CAAC;gBACjB,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,QAAQ,EAAE,CAAC;gBACX,SAAS,EAAE,GAAG;gBACd,OAAO,EAAE,IAAI,CAAC,OAAO;aACtB,CAAC,CAAA;YACF,OAAM;QACR,CAAC;QAED,IAAI,IAAyB,CAAA;QAC7B,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,iBAAiB,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAA;QACjF,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,SAAS,CAAC,oBAAoB,EAAG,GAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAA;QAC3E,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,0EAA0E;YAC1E,uEAAuE;YACvE,WAAW,CAAC;gBACV,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;gBACvC,yBAAyB,EAAE,IAAI,CAAC,yBAAyB;gBACzD,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,IAAI,EAAE,iCAAiC,IAAI,CAAC,WAAW,EAAE;aAC1D,CAAC,CAAA;QACJ,CAAC;QAED,4BAA4B;QAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,+BAA+B,IAAI,CAAC,gBAAgB,4BAA4B,IAAI,CAAC,SAAS,MAAM,CACrG,CAAA;QACD,IAAI,IAAI,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;QAClE,CAAC;QACD,MAAM,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAA;QACjE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAA;QAEnD,MAAM,YAAY,CAAC;YACjB,UAAU,EAAE,IAAI,CAAC,WAAW;YAC5B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,SAAS,EAAE,IAAI,CAAC,UAAU;YAC1B,OAAO,EAAE,IAAI,CAAC,OAAO;SACtB,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEJ,IAAI;SACD,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,0BAA0B,CAAC;SACvC,MAAM,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,KAAK,GAAG,MAAM,SAAS,EAAE,CAAA;QAC/B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,SAAS,CAAC,mBAAmB,EAAE,gBAAgB,EAAE,QAAQ,CAAC,IAAI,EAAE,wBAAwB,CAAC,CAAA;QAC3F,CAAC;QACD,MAAM,EAAE,GAAG,MAAM,UAAU,CAA2C,aAAa,CAAC,CAAA;QACpF,WAAW,CACT,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAC1B,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,cAAc,GAAG,CAAC,IAAI,CAAC,CAAC,UAAU,GAAG,CAAC,cAAc,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAC3F,CAAA;IACH,CAAC,CAAC,CAAA;IAEJ,IAAI;SACD,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,iCAAiC,CAAC;SAC9C,MAAM,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,UAAU,EAAE,CAAA;QAClB,WAAW,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;IACrE,CAAC,CAAC,CAAA;AACN,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,IAK3B;IACC,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,CAAA;IACxC,IAAI,OAAO,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QAChC,SAAS,CAAC,eAAe,EAAE,2BAA2B,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAA;IACxE,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACjC,SAAS,CACP,SAAS,EACT,4CAA4C,EAC5C,QAAQ,CAAC,IAAI,EACb,8BAA8B,CAC/B,CAAA;IACH,CAAC;IACD,MAAM,SAAS,CAAC,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,CAAA;IAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC,CAAA;IACzD,WAAW,CACT,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,CAAC,KAAK,CAAC,UAAU,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,EACrF,GAAG,EAAE,CACH,GAAG,KAAK,CAAC,GAAG,CAAC,cAAc,GAAG,CAAC,iBAAiB,IAAI,QAAQ,CAAC,OAAO,GAAG,CAAC,qBAAqB,CAAC,EAAE,CACnG,CAAA;AACH,CAAC"}

package/dist/commands/brand.d.ts

@@ -0,0 +1,4 @@
+/** `soku brand list | use <id>` */
+import { Command } from 'commander';
+export declare function registerBrandCommands(program: Command): void;
+//# sourceMappingURL=brand.d.ts.map

package/dist/commands/brand.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"brand.d.ts","sourceRoot":"","sources":["../../src/commands/brand.ts"],"names":[],"mappings":"AAAA,mCAAmC;AAEnC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AAcnC,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAiF5D"}

package/dist/commands/brand.js

@@ -0,0 +1,53 @@
+/** `soku brand list | use <id>` */
+import { loadConfig, updateConfig } from '../config.js';
+import { apiRequest } from '../http/client.js';
+import { cyan, dim, emitError, emitSuccess, ExitCode, green, table } from '../output/envelope.js';
+import { matchRef } from '../resolve.js';
+export function registerBrandCommands(program) {
+    const brand = program.command('brand').description('Manage the active brand');
+    brand
+        .command('list')
+        .description('List brands in the active organization')
+        .option('--org <orgId>', 'Organization to list brands for (defaults to active org)')
+        .action(async (opts) => {
+        const orgId = opts.org || loadConfig().activeOrgId;
+        if (!orgId) {
+            emitError('no_org', 'No active organization.', ExitCode.USAGE, 'Run `soku org use <id>` or pass --org.');
+        }
+        const data = await apiRequest(`/api/cli/brands?org_id=${encodeURIComponent(orgId)}`);
+        const activeBrandId = loadConfig().activeBrandId;
+        emitSuccess(data, (d) => table(d.brands.map((b) => ({
+            active: b.id === activeBrandId ? green('●') : ' ',
+            name: b.name,
+            slug: b.slug,
+            id: b.id,
+        })), [
+            { key: 'active', header: ' ' },
+            { key: 'name', header: 'NAME' },
+            { key: 'slug', header: 'SLUG' },
+            { key: 'id', header: 'ID' },
+        ]));
+    });
+    brand
+        .command('use <brand>')
+        .description('Set the active brand (accepts id, slug, or name)')
+        .action(async (ref) => {
+        const cfg = loadConfig();
+        if (!cfg.activeOrgId) {
+            emitError('no_org', 'Select an organization first.', ExitCode.USAGE, 'Run `soku org use <slug|id>`.');
+        }
+        const { brands } = await apiRequest(`/api/cli/brands?org_id=${encodeURIComponent(cfg.activeOrgId)}`);
+        const res = matchRef(brands, ref);
+        if (res.kind === 'none') {
+            emitError('not_found', `No brand matching "${ref}" in the active org.`, ExitCode.NOT_FOUND, 'Run `soku brand list` to see available brands.');
+        }
+        if (res.kind === 'ambiguous') {
+            const candidates = res.matches.map((b) => `${b.slug} (${b.id})`).join(', ');
+            emitError('ambiguous', `"${ref}" matches ${res.matches.length} brands.`, ExitCode.USAGE, `Use a slug or id: ${candidates}`);
+        }
+        const match = res.item;
+        updateConfig({ activeBrandId: match.id });
+        emitSuccess({ active_org_id: cfg.activeOrgId, active_brand_id: match.id, name: match.name }, (d) => `${green('✓')} Active brand: ${cyan(d.name)} ${dim(`(${d.active_brand_id})`)}\n  ${dim('Next: soku --help (data commands under each namespace)')}`);
+    });
+}
+//# sourceMappingURL=brand.js.map

package/dist/commands/brand.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"brand.js","sourceRoot":"","sources":["../../src/commands/brand.ts"],"names":[],"mappings":"AAAA,mCAAmC;AAInC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,cAAc,CAAA;AACvD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAA;AACjG,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AASxC,MAAM,UAAU,qBAAqB,CAAC,OAAgB;IACpD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,yBAAyB,CAAC,CAAA;IAE7E,KAAK;SACF,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,wCAAwC,CAAC;SACrD,MAAM,CAAC,eAAe,EAAE,0DAA0D,CAAC;SACnF,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;QACrB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,IAAI,UAAU,EAAE,CAAC,WAAW,CAAA;QAClD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,SAAS,CACP,QAAQ,EACR,yBAAyB,EACzB,QAAQ,CAAC,KAAK,EACd,wCAAwC,CACzC,CAAA;QACH,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,0BAA0B,kBAAkB,CAAC,KAAK,CAAC,EAAE,CACtD,CAAA;QACD,MAAM,aAAa,GAAG,UAAU,EAAE,CAAC,aAAa,CAAA;QAChD,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CACtB,KAAK,CACH,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACnB,MAAM,EAAE,CAAC,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG;YACjD,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,EAAE,EAAE,CAAC,CAAC,EAAE;SACT,CAAC,CAAC,EACH;YACE,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE;YAC9B,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE;YAC/B,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE;YAC/B,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;SAC5B,CACF,CACF,CAAA;IACH,CAAC,CAAC,CAAA;IAEJ,KAAK;SACF,OAAO,CAAC,aAAa,CAAC;SACtB,WAAW,CAAC,kDAAkD,CAAC;SAC/D,MAAM,CAAC,KAAK,EAAE,GAAW,EAAE,EAAE;QAC5B,MAAM,GAAG,GAAG,UAAU,EAAE,CAAA;QACxB,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;YACrB,SAAS,CACP,QAAQ,EACR,+BAA+B,EAC/B,QAAQ,CAAC,KAAK,EACd,+BAA+B,CAChC,CAAA;QACH,CAAC;QACD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,UAAU,CACjC,0BAA0B,kBAAkB,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAChE,CAAA;QACD,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QACjC,IAAI,GAAG,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YACxB,SAAS,CACP,WAAW,EACX,sBAAsB,GAAG,sBAAsB,EAC/C,QAAQ,CAAC,SAAS,EAClB,gDAAgD,CACjD,CAAA;QACH,CAAC;QACD,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC7B,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAC3E,SAAS,CACP,WAAW,EACX,IAAI,GAAG,aAAa,GAAG,CAAC,OAAO,CAAC,MAAM,UAAU,EAChD,QAAQ,CAAC,KAAK,EACd,qBAAqB,UAAU,EAAE,CAClC,CAAA;QACH,CAAC;QACD,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAA;QACtB,YAAY,CAAC,EAAE,aAAa,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAA;QACzC,WAAW,CACT,EAAE,aAAa,EAAE,GAAG,CAAC,WAAW,EAAE,eAAe,EAAE,KAAK,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,EAC/E,CAAC,CAAC,EAAE,EAAE,CACJ,GAAG,KAAK,CAAC,GAAG,CAAC,kBAAkB,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,eAAe,GAAG,CAAC,OAAO,GAAG,CAAC,wDAAwD,CAAC,EAAE,CACrJ,CAAA;IACH,CAAC,CAAC,CAAA;AACN,CAAC"}

package/dist/commands/call.d.ts

@@ -0,0 +1,4 @@
+/** `soku call <namespace> <action> [--payload '<json>' | -p key=value ...]` */
+import { Command } from 'commander';
+export declare function registerCallCommand(program: Command): void;
+//# sourceMappingURL=call.d.ts.map

package/dist/commands/call.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"call.d.ts","sourceRoot":"","sources":["../../src/commands/call.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAE/E,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AAMnC,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAyC1D"}

package/dist/commands/call.js

@@ -0,0 +1,48 @@
+/** `soku call <namespace> <action> [--payload '<json>' | -p key=value ...]` */
+import { apiRequest } from '../http/client.js';
+import { emitError, emitSuccess, ExitCode } from '../output/envelope.js';
+import { unwrapDispatch } from '../output/unwrap.js';
+export function registerCallCommand(program) {
+    program
+        .command('call <namespace> <action>')
+        .description('Invoke a data capability')
+        .option('--payload <json>', 'Full JSON payload')
+        .option('-p, --param <key=value>', 'Set one payload field (repeatable); values are parsed as JSON when possible', collectParam, {})
+        .option('--summary <text>', 'Human-readable summary; required for review-gated write actions (becomes the HITL approval description)')
+        .action(async (namespace, action, opts) => {
+        let payload = {};
+        if (opts.payload) {
+            try {
+                payload = JSON.parse(opts.payload);
+            }
+            catch {
+                emitError('usage', '--payload must be valid JSON.', ExitCode.USAGE);
+            }
+        }
+        payload = { ...payload, ...opts.param };
+        // Review-gated write actions return a pending review; the server reads
+        // `_summary` as the human-facing approval description.
+        if (opts.summary)
+            payload._summary = opts.summary;
+        const result = await apiRequest(`/api/cli/call/${encodeURIComponent(namespace)}/${encodeURIComponent(action)}`, { method: 'POST', body: payload, workspace: true });
+        emitSuccess(unwrapDispatch(result));
+    });
+}
+function collectParam(entry, acc) {
+    const eq = entry.indexOf('=');
+    if (eq === -1) {
+        emitError('usage', `--param must be key=value, got: ${entry}`, ExitCode.USAGE);
+    }
+    const key = entry.slice(0, eq);
+    const raw = entry.slice(eq + 1);
+    let value = raw;
+    try {
+        value = JSON.parse(raw);
+    }
+    catch {
+        value = raw; // keep as string
+    }
+    acc[key] = value;
+    return acc;
+}
+//# sourceMappingURL=call.js.map

package/dist/commands/call.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"call.js","sourceRoot":"","sources":["../../src/commands/call.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAI/E,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAA;AACxE,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAEpD,MAAM,UAAU,mBAAmB,CAAC,OAAgB;IAClD,OAAO;SACJ,OAAO,CAAC,2BAA2B,CAAC;SACpC,WAAW,CAAC,0BAA0B,CAAC;SACvC,MAAM,CAAC,kBAAkB,EAAE,mBAAmB,CAAC;SAC/C,MAAM,CACL,yBAAyB,EACzB,6EAA6E,EAC7E,YAAY,EACZ,EAA6B,CAC9B;SACA,MAAM,CACL,kBAAkB,EAClB,yGAAyG,CAC1G;SACA,MAAM,CACL,KAAK,EACH,SAAiB,EACjB,MAAc,EACd,IAA4E,EAC5E,EAAE;QACF,IAAI,OAAO,GAA4B,EAAE,CAAA;QACzC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAA4B,CAAA;YAC/D,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS,CAAC,OAAO,EAAE,+BAA+B,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAA;YACrE,CAAC;QACH,CAAC;QACD,OAAO,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAA;QACvC,uEAAuE;QACvE,uDAAuD;QACvD,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAA;QAEjD,MAAM,MAAM,GAAG,MAAM,UAAU,CAC7B,iBAAiB,kBAAkB,CAAC,SAAS,CAAC,IAAI,kBAAkB,CAAC,MAAM,CAAC,EAAE,EAC9E,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,CACnD,CAAA;QACD,WAAW,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAA;IACrC,CAAC,CACF,CAAA;AACL,CAAC;AAED,SAAS,YAAY,CAAC,KAAa,EAAE,GAA4B;IAC/D,MAAM,EAAE,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAC7B,IAAI,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC;QACd,SAAS,CAAC,OAAO,EAAE,mCAAmC,KAAK,EAAE,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAA;IAChF,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IAC9B,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAA;IAC/B,IAAI,KAAK,GAAY,GAAG,CAAA;IACxB,IAAI,CAAC;QACH,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,KAAK,GAAG,GAAG,CAAA,CAAC,iBAAiB;IAC/B,CAAC;IACD,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAA;IAChB,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/commands/egress.d.ts

@@ -0,0 +1,24 @@
+/** `soku egress -- <curl…>` — proxy a third-party API call through Soku so the
+ * credential is injected server-side (no API key on this machine), and
+ * `soku egress providers` — list the covered hosts.
+ *
+ * The agent prefixes its existing skill `curl` with `soku egress --`; we parse
+ * the curl, strip any placeholder auth header, and forward the request to
+ * `/api/cli/egress`. The upstream response is streamed back to stdout verbatim,
+ * so the skill sees exactly what a direct call would return. Only Soku-level
+ * failures (auth, allowlist, billing) become a CLI error envelope.
+ */
+import { Command } from 'commander';
+export interface ParsedCurl {
+    method?: string;
+    url?: string;
+    headers: Record<string, string>;
+    body?: Buffer;
+}
+/** Extract method / url / headers / body from a curl-style token list. Pure. */
+export declare function parseCurl(tokens: string[]): ParsedCurl;
+/** Drop empty / bare-scheme auth headers so the server injects the real key
+ * (an empty `Authorization: Bearer ` would otherwise be treated as BYO). */
+export declare function stripPlaceholderAuth(headers: Record<string, string>): Record<string, string>;
+export declare function registerEgressCommands(program: Command): void;
+//# sourceMappingURL=egress.d.ts.map

package/dist/commands/egress.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"egress.d.ts","sourceRoot":"","sources":["../../src/commands/egress.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAOH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AAOnC,MAAM,WAAW,UAAU;IACzB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAC/B,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AAWD,gFAAgF;AAChF,wBAAgB,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,UAAU,CA0DtD;AAED;4EAC4E;AAC5E,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAO5F;AA4FD,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAkC7D"}