@solarains/va-cli 0.1.1

package/dist/commands/doctor/doctor-command.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.doctorCommand = void 0;
+const output_1 = require("../../shared/output");
+exports.doctorCommand = {
+    name: 'doctor',
+    summary: 'Inspect config, paths, and local bootstrap state.',
+    usage: 'vaone doctor',
+    async run(context) {
+        const tokens = await context.tokenStore.read();
+        const installation = await context.installationStore.read();
+        (0, output_1.printSection)(context.logger, 'Runtime configuration');
+        (0, output_1.printKeyValue)(context.logger, 'Environment', context.runtimeConfig.appEnv);
+        (0, output_1.printKeyValue)(context.logger, 'API base URL', context.runtimeConfig.apiBaseUrl);
+        (0, output_1.printKeyValue)(context.logger, 'Debug', String(context.runtimeConfig.debug));
+        (0, output_1.printSection)(context.logger, 'Local paths');
+        (0, output_1.printKeyValue)(context.logger, 'Root', context.paths.rootDir);
+        (0, output_1.printKeyValue)(context.logger, 'Config', context.paths.configFile);
+        (0, output_1.printKeyValue)(context.logger, 'State directory', context.paths.stateDir);
+        (0, output_1.printKeyValue)(context.logger, 'Auth state', context.paths.authStateFile);
+        (0, output_1.printKeyValue)(context.logger, 'Installation state', context.paths.installationStateFile);
+        (0, output_1.printSection)(context.logger, 'Stored bootstrap state');
+        (0, output_1.printList)(context.logger, [
+            tokens
+                ? 'Auth token state file exists.'
+                : 'Auth token state file is empty.',
+            installation
+                ? 'Installation state file exists.'
+                : 'Installation state file is empty.',
+        ]);
+        return 0;
+    },
+};

package/dist/commands/init/init-command.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.initCommand = void 0;
+const doctor_command_1 = require("../doctor/doctor-command");
+const usage_command_1 = require("../usage/usage-command");
+const login_command_1 = require("../auth/login-command");
+const init_flow_1 = require("../../features/init/init-flow");
+exports.initCommand = {
+    name: 'init',
+    summary: 'Install VisionAlpha operator skills and optionally chain browser login.',
+    usage: 'vaone init [.] [--agents codex,claude,openclaw] [--scope project|user] [--lang en|zh-CN] [--skip-login] [--force] [--yes]',
+    async run(context, args) {
+        return (0, init_flow_1.runInitFlow)(context, args, {
+            login: async (logger) => login_command_1.loginCommand.run?.({ ...context, logger }, []) ?? 0,
+            verifyDoctor: async (logger) => doctor_command_1.doctorCommand.run?.({ ...context, logger }, []) ?? 0,
+            verifyUsage: async (logger) => usage_command_1.usageCommand.run?.({ ...context, logger }, []) ?? 0,
+        });
+    },
+};

package/dist/commands/intelligence/intelligence-command.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.intelligenceCommand = void 0;
+const query_command_1 = require("./query-command");
+exports.intelligenceCommand = {
+    name: 'intelligence',
+    summary: 'Query paid asset intelligence data.',
+    usage: 'vaone intelligence <query> [options]',
+    children: [query_command_1.intelligenceQueryCommand],
+};

package/dist/commands/intelligence/query-command.js

@@ -0,0 +1,109 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.intelligenceQueryCommand = void 0;
+const authenticated_api_client_1 = require("../../features/auth/authenticated-api-client");
+const intelligence_query_state_1 = require("../../features/intelligence/intelligence-query-state");
+const intelligence_api_client_1 = require("../../features/intelligence/intelligence-api-client");
+const intelligence_output_1 = require("../../features/intelligence/intelligence-output");
+const argv_1 = require("../../shared/argv");
+function ensureManualCursorCompatible(useNext, cursor) {
+    if (useNext && cursor) {
+        throw new Error('Use either `--next` or `--cursor`, not both.');
+    }
+}
+function buildFreshQuery(args) {
+    return {
+        assetId: (0, argv_1.getStringOption)(args, 'asset-id'),
+        category: (0, argv_1.getStringOption)(args, 'category'),
+        issuer: (0, argv_1.getStringOption)(args, 'issuer'),
+        publishDateFrom: (0, argv_1.getStringOption)(args, 'publish-date-from'),
+        publishDateTo: (0, argv_1.getStringOption)(args, 'publish-date-to'),
+        minRelevanceScore: (0, argv_1.getNumberOption)(args, 'min-relevance-score'),
+        cursor: (0, argv_1.getStringOption)(args, 'cursor'),
+        limit: (0, argv_1.getNumberOption)(args, 'limit'),
+    };
+}
+function hasFreshQueryFilters(query) {
+    return Boolean(query.assetId ||
+        query.category ||
+        query.issuer ||
+        query.publishDateFrom ||
+        query.publishDateTo ||
+        query.minRelevanceScore !== undefined ||
+        query.limit !== undefined);
+}
+function hydrateNextQuery(saved) {
+    return {
+        ...saved.query,
+        cursor: saved.nextCursor,
+        limit: saved.limit,
+    };
+}
+exports.intelligenceQueryCommand = {
+    name: 'query',
+    summary: 'Query paid asset intelligence data with stable filters.',
+    usage: 'vaone intelligence query [--asset-id <id>] [--category <category>] [--issuer <issuer>] [--publish-date-from <yyyy-mm-dd>] [--publish-date-to <yyyy-mm-dd>] [--min-relevance-score <n>] [--limit <n>] [--next]',
+    async run(context, args) {
+        const parsed = (0, argv_1.parseCommandArgs)(args);
+        if (parsed.positionals.length) {
+            throw new Error('`vaone intelligence query` does not accept positional arguments.');
+        }
+        const useNext = (0, argv_1.getBooleanOption)(parsed, 'next');
+        const manualCursor = (0, argv_1.getStringOption)(parsed, 'cursor');
+        ensureManualCursorCompatible(useNext, manualCursor);
+        const stateStore = new intelligence_query_state_1.IntelligenceQueryStateStore(context.paths.intelligenceQueryStateFile);
+        const freshQuery = buildFreshQuery(parsed);
+        let query;
+        if (useNext) {
+            if (hasFreshQueryFilters(freshQuery)) {
+                throw new Error('`--next` reuses the previous query. Do not combine it with new filters or limits.');
+            }
+            const saved = await stateStore.read();
+            if (!saved) {
+                throw new Error('No saved intelligence query continuation exists. Run `vaone intelligence query` without `--next` first.');
+            }
+            query = hydrateNextQuery(saved);
+        }
+        else {
+            query = freshQuery;
+        }
+        try {
+            const page = await (0, intelligence_api_client_1.queryAssetIntelligence)(context, query);
+            if (page.nextCursor) {
+                await stateStore.save({
+                    query: {
+                        assetId: query.assetId,
+                        category: query.category,
+                        issuer: query.issuer,
+                        publishDateFrom: query.publishDateFrom,
+                        publishDateTo: query.publishDateTo,
+                        minRelevanceScore: query.minRelevanceScore,
+                    },
+                    limit: page.limit,
+                    nextCursor: page.nextCursor,
+                    savedAt: new Date().toISOString(),
+                });
+            }
+            else {
+                await stateStore.clear();
+            }
+            (0, intelligence_output_1.renderIntelligencePage)(context.logger, page);
+            return 0;
+        }
+        catch (error) {
+            if (error instanceof authenticated_api_client_1.CliApiError &&
+                error.code === 'ASSET_INTELLIGENCE_ACCESS_DENIED') {
+                throw new Error('This account does not currently have paid asset-intelligence access.');
+            }
+            if (error instanceof authenticated_api_client_1.CliApiError &&
+                error.code === 'ASSET_INTELLIGENCE_QUOTA_EXCEEDED') {
+                throw new Error('The current intelligence query would exceed the daily paid usage quota.');
+            }
+            if (error instanceof authenticated_api_client_1.CliApiError && error.code === 'INVALID_CURSOR') {
+                await stateStore.clear();
+                throw new Error('The saved or provided query cursor is no longer valid. Restart the query without `--next`.');
+            }
+            throw error;
+        }
+    },
+};

package/dist/commands/reports/get-command.js

@@ -0,0 +1,69 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.reportsGetCommand = void 0;
+const authenticated_api_client_1 = require("../../features/auth/authenticated-api-client");
+const daily_reports_api_client_1 = require("../../features/daily-reports/daily-reports-api-client");
+const daily_reports_output_1 = require("../../features/daily-reports/daily-reports-output");
+const usage_api_client_1 = require("../../features/usage/usage-api-client");
+const argv_1 = require("../../shared/argv");
+function resolveAssetId(positionals, optionAssetId) {
+    if (positionals.length > 1) {
+        throw new Error('Only one asset id may be provided to `vaone reports get`.');
+    }
+    return optionAssetId ?? positionals[0] ?? '';
+}
+function getSelectionMessage(input) {
+    if (input.previousSelectedReportKey === input.requestedReportKey) {
+        return 'This report is already the locked daily selection for the current product day.';
+    }
+    if (!input.previousSelectedReportKey && input.detailSelectedToday) {
+        return 'This read locked the account daily-report selection for the current product day.';
+    }
+    if (input.detailSelectedToday) {
+        return 'This report is currently the selected daily report for the current product day.';
+    }
+    return 'Selection state is available but no new lock was created.';
+}
+exports.reportsGetCommand = {
+    name: 'get',
+    summary: 'Get a normalized daily report by asset id and optional date.',
+    usage: 'vaone reports get <asset-id> [--date <yyyy-mm-dd>] [--asset-id <id>]',
+    async run(context, args) {
+        const parsed = (0, argv_1.parseCommandArgs)(args);
+        const assetId = resolveAssetId(parsed.positionals, (0, argv_1.getStringOption)(parsed, 'asset-id'));
+        const date = (0, argv_1.getStringOption)(parsed, 'date');
+        if (!assetId) {
+            throw new Error('`vaone reports get` requires an asset id either as a positional argument or `--asset-id`.');
+        }
+        const usageSummary = await (0, usage_api_client_1.getUsageSummary)(context);
+        try {
+            const report = await (0, daily_reports_api_client_1.getDailyReportDetail)(context, assetId, { date });
+            const requestedReportKey = `${report.assetId}:${report.date}`;
+            (0, daily_reports_output_1.renderDailyReportDetail)(context.logger, report, getSelectionMessage({
+                previousSelectedReportKey: usageSummary.dailyReport.selectedReportKey,
+                requestedReportKey,
+                detailSelectedToday: report.selectedToday,
+            }));
+            return 0;
+        }
+        catch (error) {
+            if (error instanceof authenticated_api_client_1.CliApiError &&
+                error.code === 'DAILY_REPORT_SELECTION_LIMIT_REACHED') {
+                const selectedReportKey = usageSummary.dailyReport.selectedReportKey;
+                throw new Error(selectedReportKey
+                    ? `Daily report selection is already locked for ${selectedReportKey}. Free accounts can only keep one report selection per product day.`
+                    : 'Daily report selection is already locked for the current product day.');
+            }
+            if (error instanceof authenticated_api_client_1.CliApiError &&
+                error.code === 'DAILY_REPORT_NOT_FOUND') {
+                throw new Error(date
+                    ? `No daily report was found for asset ${assetId} on ${date}.`
+                    : `No daily report was found for asset ${assetId}.`);
+            }
+            if (error instanceof authenticated_api_client_1.CliApiError && error.code === 'ASSET_NOT_FOUND') {
+                throw new Error(`Asset ${assetId} was not found.`);
+            }
+            throw error;
+        }
+    },
+};

package/dist/commands/reports/list-command.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.reportsListCommand = void 0;
+const argv_1 = require("../../shared/argv");
+const daily_reports_api_client_1 = require("../../features/daily-reports/daily-reports-api-client");
+const daily_reports_output_1 = require("../../features/daily-reports/daily-reports-output");
+const usage_api_client_1 = require("../../features/usage/usage-api-client");
+exports.reportsListCommand = {
+    name: 'list',
+    summary: 'List normalized daily reports with current selection state.',
+    usage: 'vaone reports list [--asset-id <id>] [--category <category>] [--date-from <yyyy-mm-dd>] [--date-to <yyyy-mm-dd>] [--limit <n>]',
+    async run(context, args) {
+        const parsed = (0, argv_1.parseCommandArgs)(args);
+        if (parsed.positionals.length) {
+            throw new Error('`vaone reports list` does not accept positional arguments.');
+        }
+        const [usageSummary, reports] = await Promise.all([
+            (0, usage_api_client_1.getUsageSummary)(context),
+            (0, daily_reports_api_client_1.listDailyReports)(context, {
+                assetId: (0, argv_1.getStringOption)(parsed, 'asset-id'),
+                category: (0, argv_1.getStringOption)(parsed, 'category'),
+                dateFrom: (0, argv_1.getStringOption)(parsed, 'date-from'),
+                dateTo: (0, argv_1.getStringOption)(parsed, 'date-to'),
+                limit: (0, argv_1.getNumberOption)(parsed, 'limit'),
+            }),
+        ]);
+        (0, daily_reports_output_1.renderDailyReportList)(context.logger, reports, {
+            statusLabel: usageSummary.dailyReport.statusLabel,
+            selectedReportKey: usageSummary.dailyReport.selectedReportKey,
+        });
+        return 0;
+    },
+};

package/dist/commands/reports/reports-command.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.reportsCommand = void 0;
+const get_command_1 = require("./get-command");
+const list_command_1 = require("./list-command");
+exports.reportsCommand = {
+    name: 'reports',
+    summary: 'Browse and retrieve daily reports.',
+    usage: 'vaone reports <list|get> [options]',
+    children: [list_command_1.reportsListCommand, get_command_1.reportsGetCommand],
+};

package/dist/commands/usage/usage-command.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.usageCommand = void 0;
+const authenticated_api_client_1 = require("../../features/auth/authenticated-api-client");
+const usage_api_client_1 = require("../../features/usage/usage-api-client");
+const usage_output_1 = require("../../features/usage/usage-output");
+exports.usageCommand = {
+    name: 'usage',
+    summary: 'Show plan, quota, and commercial summary.',
+    usage: 'vaone usage',
+    async run(context) {
+        try {
+            const summary = await (0, usage_api_client_1.getUsageSummary)(context);
+            (0, usage_output_1.renderUsageSummary)(context.logger, summary);
+            return 0;
+        }
+        catch (error) {
+            if (error instanceof authenticated_api_client_1.AuthRequiredError) {
+                throw new Error('Usage summary requires login. Run `vaone auth login` first.');
+            }
+            if (error instanceof authenticated_api_client_1.CliApiError && error.status === 401) {
+                throw new Error('Usage summary requires a valid CLI login session.');
+            }
+            throw error;
+        }
+    },
+};

package/dist/config/locale.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_LOCALE = exports.SUPPORTED_LOCALES = void 0;
+exports.isSupportedLocale = isSupportedLocale;
+exports.parseSupportedLocale = parseSupportedLocale;
+exports.getLocaleDisplayName = getLocaleDisplayName;
+exports.SUPPORTED_LOCALES = ['en', 'zh-CN'];
+exports.DEFAULT_LOCALE = 'en';
+function isSupportedLocale(value) {
+    return exports.SUPPORTED_LOCALES.includes(value);
+}
+function parseSupportedLocale(value, sourceLabel = 'locale') {
+    if (value === undefined || value === null) {
+        return undefined;
+    }
+    if (typeof value !== 'string') {
+        throw new Error(`Invalid ${sourceLabel} value. Expected a string.`);
+    }
+    const trimmed = value.trim();
+    if (!trimmed) {
+        return undefined;
+    }
+    if (isSupportedLocale(trimmed)) {
+        return trimmed;
+    }
+    throw new Error(`Unsupported ${sourceLabel} "${trimmed}". Supported values: ${exports.SUPPORTED_LOCALES.join(', ')}.`);
+}
+function getLocaleDisplayName(locale) {
+    return locale === 'zh-CN' ? '简体中文' : 'English';
+}

package/dist/config/runtime-config.js

@@ -0,0 +1,64 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadRuntimeConfig = loadRuntimeConfig;
+exports.saveRuntimeConfig = saveRuntimeConfig;
+const node_os_1 = require("node:os");
+const promises_1 = require("node:fs/promises");
+const node_path_1 = require("node:path");
+const locale_1 = require("./locale");
+function parseBoolean(value) {
+    if (value === undefined) {
+        return undefined;
+    }
+    return value === '1' || value.toLowerCase() === 'true';
+}
+function normalizeHomePath(value) {
+    if (value === '~') {
+        return (0, node_os_1.homedir)();
+    }
+    if (value.startsWith('~/')) {
+        return value.replace('~', (0, node_os_1.homedir)());
+    }
+    return value;
+}
+async function readConfigFile(paths) {
+    try {
+        const raw = await (0, promises_1.readFile)(paths.configFile, 'utf8');
+        return JSON.parse(raw);
+    }
+    catch (error) {
+        if (error.code === 'ENOENT') {
+            return {};
+        }
+        throw error;
+    }
+}
+async function loadRuntimeConfig(env, paths) {
+    const fileConfig = await readConfigFile(paths);
+    const authCallbackMode = env.VAONE_AUTH_CALLBACK_MODE ?? fileConfig.authCallbackMode ?? 'auto';
+    if (authCallbackMode !== 'auto' && authCallbackMode !== 'manual') {
+        throw new Error(`Invalid VAONE_AUTH_CALLBACK_MODE value: ${authCallbackMode}`);
+    }
+    const envLocale = (0, locale_1.parseSupportedLocale)(env.VAONE_LANG, 'VAONE_LANG');
+    const fileLocale = (0, locale_1.parseSupportedLocale)(fileConfig.locale, 'config locale');
+    const locale = envLocale ?? fileLocale ?? locale_1.DEFAULT_LOCALE;
+    return {
+        appEnv: env.VAONE_ENV ?? fileConfig.appEnv ?? 'local',
+        apiBaseUrl: normalizeHomePath(env.VAONE_API_BASE_URL ??
+            fileConfig.apiBaseUrl ??
+            'http://localhost:3000').replace(/\/$/, ''),
+        debug: parseBoolean(env.VAONE_DEBUG) ?? fileConfig.debug ?? false,
+        authCallbackMode,
+        locale,
+        localeConfigured: envLocale !== undefined || fileLocale !== undefined,
+    };
+}
+async function saveRuntimeConfig(paths, patch) {
+    const current = await readConfigFile(paths);
+    const next = {
+        ...current,
+        ...patch,
+    };
+    await (0, promises_1.mkdir)((0, node_path_1.dirname)(paths.configFile), { recursive: true });
+    await (0, promises_1.writeFile)(paths.configFile, `${JSON.stringify(next, null, 2)}\n`, 'utf8');
+}

package/dist/features/assets/assets-api-client.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.listAssets = listAssets;
+const authenticated_api_client_1 = require("../auth/authenticated-api-client");
+function createQueryString(query) {
+    const searchParams = new URLSearchParams();
+    for (const [key, value] of Object.entries(query)) {
+        if (value === undefined) {
+            continue;
+        }
+        searchParams.set(key, String(value));
+    }
+    const encoded = searchParams.toString();
+    return encoded ? `?${encoded}` : '';
+}
+async function listAssets(context, query) {
+    return (0, authenticated_api_client_1.requestAuthenticatedJson)(context, `/v1/asset-intelligence/assets${createQueryString(query)}`);
+}

package/dist/features/assets/assets-output.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.renderAssetList = renderAssetList;
+const output_1 = require("../../shared/output");
+function formatAssetName(asset) {
+    return asset.nameZh || asset.nameEn || asset.assetId;
+}
+function formatEnabledState(enabled) {
+    return enabled ? 'enabled' : 'disabled';
+}
+function renderAssetList(logger, assets) {
+    (0, output_1.printSection)(logger, 'Asset catalog');
+    if (!assets.length) {
+        logger.info('No assets matched the current filters.');
+        return;
+    }
+    assets.forEach((asset, index) => {
+        if (index > 0) {
+            logger.plain('');
+        }
+        (0, output_1.printKeyValue)(logger, 'Asset', `${formatAssetName(asset)} (${asset.assetId})`);
+        (0, output_1.printKeyValue)(logger, 'Category', asset.category || 'unknown');
+        (0, output_1.printKeyValue)(logger, 'Status', formatEnabledState(asset.enabled));
+        if (asset.lastUpdated) {
+            (0, output_1.printKeyValue)(logger, 'Last updated', asset.lastUpdated);
+        }
+    });
+}

package/dist/features/auth/auth-api-client.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startCliAuthSession = startCliAuthSession;
+exports.getAuthSession = getAuthSession;
+exports.redeemCliAuthSession = redeemCliAuthSession;
+exports.refreshCliToken = refreshCliToken;
+exports.logoutCliSession = logoutCliSession;
+async function requestJson(apiBaseUrl, path, init) {
+    const response = await fetch(`${apiBaseUrl}${path}`, {
+        ...init,
+        headers: {
+            'content-type': 'application/json',
+            ...(init?.headers ?? {}),
+        },
+    });
+    if (!response.ok) {
+        let message = `${response.status} ${response.statusText}`;
+        try {
+            const payload = (await response.json());
+            if (payload.message) {
+                message = payload.message;
+            }
+        }
+        catch {
+            // Ignore invalid JSON and keep the HTTP status line.
+        }
+        throw new Error(message);
+    }
+    return (await response.json());
+}
+async function startCliAuthSession(apiBaseUrl, payload) {
+    return requestJson(apiBaseUrl, '/v1/auth/sessions/start', {
+        method: 'POST',
+        body: JSON.stringify({
+            flowSource: 'cli',
+            ...payload,
+        }),
+    });
+}
+async function getAuthSession(apiBaseUrl, sessionId) {
+    return requestJson(apiBaseUrl, `/v1/auth/sessions/${encodeURIComponent(sessionId)}`);
+}
+async function redeemCliAuthSession(apiBaseUrl, sessionId, payload) {
+    return requestJson(apiBaseUrl, `/v1/auth/sessions/${encodeURIComponent(sessionId)}/redeem`, {
+        method: 'POST',
+        body: JSON.stringify(payload),
+    });
+}
+async function refreshCliToken(apiBaseUrl, payload) {
+    return requestJson(apiBaseUrl, '/v1/auth/tokens/refresh', {
+        method: 'POST',
+        body: JSON.stringify(payload),
+    });
+}
+async function logoutCliSession(apiBaseUrl, payload) {
+    return requestJson(apiBaseUrl, '/v1/auth/logout', {
+        method: 'POST',
+        body: JSON.stringify(payload),
+    });
+}

package/dist/features/auth/authenticated-api-client.js

@@ -0,0 +1,142 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CliApiError = exports.AuthRequiredError = void 0;
+exports.requestAuthenticatedJson = requestAuthenticatedJson;
+const node_crypto_1 = require("node:crypto");
+const installation_state_1 = require("./installation-state");
+const auth_api_client_1 = require("./auth-api-client");
+class AuthRequiredError extends Error {
+}
+exports.AuthRequiredError = AuthRequiredError;
+class CliApiError extends Error {
+    status;
+    code;
+    details;
+    constructor(message, status, code, details) {
+        super(message);
+        this.status = status;
+        this.code = code;
+        this.details = details;
+    }
+}
+exports.CliApiError = CliApiError;
+const ACCESS_TOKEN_REFRESH_SKEW_MS = 30 * 1000;
+function toRefreshRecoveryError(error) {
+    if (!(error instanceof Error)) {
+        return new AuthRequiredError('The local session could not be refreshed. Run `vaone auth login` again.');
+    }
+    const message = error.message.toLowerCase();
+    if (message.includes('revoked')) {
+        return new AuthRequiredError('This installation has been revoked. Run `vaone auth login` on an allowed device.');
+    }
+    if (message.includes('not bound to this installation') ||
+        message.includes('proof verification failed') ||
+        message.includes('proof signature is malformed') ||
+        message.includes('proof timestamp is invalid') ||
+        message.includes('proof is stale')) {
+        return new AuthRequiredError('The local installation proof is no longer valid. Run `vaone auth login` again.');
+    }
+    return error;
+}
+function isAccessTokenExpired(tokens) {
+    if (!tokens.expiresAt) {
+        return false;
+    }
+    return (new Date(tokens.expiresAt).getTime() <=
+        Date.now() + ACCESS_TOKEN_REFRESH_SKEW_MS);
+}
+async function readTokensOrThrow(tokenStore) {
+    const tokens = await tokenStore.read();
+    if (!tokens?.accessToken || !tokens.installationId) {
+        throw new AuthRequiredError('Authentication is required. Run `vaone auth login` first.');
+    }
+    if (!tokens.refreshToken) {
+        return {
+            ...tokens,
+            refreshToken: '',
+            accessToken: tokens.accessToken,
+            installationId: tokens.installationId,
+        };
+    }
+    return {
+        ...tokens,
+        accessToken: tokens.accessToken,
+        refreshToken: tokens.refreshToken,
+        installationId: tokens.installationId,
+    };
+}
+async function refreshAccessToken(context, tokens) {
+    if (!tokens.refreshToken) {
+        throw new AuthRequiredError('The local access token has expired and no refresh token is available. Run `vaone auth login` again.');
+    }
+    const installation = await (0, installation_state_1.ensureInstallationState)(context.installationStore);
+    const signedAt = new Date().toISOString();
+    const payload = Buffer.from(`${tokens.refreshToken}.${tokens.installationId}.${signedAt}`, 'utf8');
+    const signature = (0, node_crypto_1.sign)(null, payload, (0, node_crypto_1.createPrivateKey)(installation.privateKey)).toString('base64url');
+    let refreshed;
+    try {
+        refreshed = await (0, auth_api_client_1.refreshCliToken)(context.runtimeConfig.apiBaseUrl, {
+            refreshToken: tokens.refreshToken,
+            installationId: tokens.installationId,
+            signedAt,
+            signature,
+        });
+    }
+    catch (error) {
+        throw toRefreshRecoveryError(error);
+    }
+    await context.tokenStore.save({
+        ...tokens,
+        accountId: refreshed.accountId,
+        installationId: refreshed.installationId,
+        accessToken: refreshed.accessToken,
+        refreshToken: refreshed.refreshToken,
+        expiresAt: refreshed.expiresAt,
+        tokenType: refreshed.tokenType,
+        refreshBoundAt: new Date().toISOString(),
+    });
+    context.logger.debug('Refreshed CLI access token.');
+    return {
+        accessToken: refreshed.accessToken,
+    };
+}
+async function resolveSession(context) {
+    const tokens = await readTokensOrThrow(context.tokenStore);
+    if (!isAccessTokenExpired(tokens)) {
+        return {
+            accessToken: tokens.accessToken,
+        };
+    }
+    return refreshAccessToken(context, tokens);
+}
+async function parseApiError(response) {
+    let payload;
+    try {
+        payload = (await response.json());
+    }
+    catch {
+        payload = undefined;
+    }
+    return new CliApiError(payload?.message ?? `${response.status} ${response.statusText}`, response.status, payload?.code, payload?.details);
+}
+async function requestAuthenticatedJson(context, path, init) {
+    const send = async (accessToken) => fetch(`${context.runtimeConfig.apiBaseUrl}${path}`, {
+        ...init,
+        headers: {
+            ...(init?.body ? { 'content-type': 'application/json' } : {}),
+            authorization: `Bearer ${accessToken}`,
+            ...(init?.headers ?? {}),
+        },
+    });
+    const session = await resolveSession(context);
+    let response = await send(session.accessToken);
+    if (response.status === 401) {
+        const tokens = await readTokensOrThrow(context.tokenStore);
+        const refreshed = await refreshAccessToken(context, tokens);
+        response = await send(refreshed.accessToken);
+    }
+    if (!response.ok) {
+        throw await parseApiError(response);
+    }
+    return (await response.json());
+}