@themoltnet/legreffier 0.1.0

package/dist/index.js

@@ -0,0 +1,3062 @@
+#!/usr/bin/env node
+import { jsxs, jsx } from "react/jsx-runtime";
+import { parseArgs } from "node:util";
+import { useInput, Box, Text, useApp, render } from "ink";
+import { join, basename } from "node:path";
+import { useState, useEffect, useReducer, useRef } from "react";
+import figlet from "figlet";
+import { readFile, writeFile, mkdir, chmod, rm } from "node:fs/promises";
+import { homedir } from "node:os";
+import { randomBytes as randomBytes$1, createHash } from "crypto";
+import { execSync } from "node:child_process";
+import open from "open";
+const colors = {
+  // Primary — teal/cyan (The Network)
+  primary: {
+    DEFAULT: "#00d4c8"
+  },
+  // Accent — amber/gold (The Tattoo)
+  accent: {
+    DEFAULT: "#e6a817"
+  },
+  // Text
+  text: {
+    DEFAULT: "#e8e8f0",
+    secondary: "#8888a0"
+  },
+  // Signals
+  error: {
+    DEFAULT: "#f04060"
+  },
+  success: {
+    DEFAULT: "#40c060"
+  }
+};
+const cliTheme = {
+  color: {
+    primary: colors.primary.DEFAULT,
+    // teal — network, active, borders
+    accent: colors.accent.DEFAULT,
+    // amber — identity values
+    text: colors.text.DEFAULT,
+    // body text
+    muted: colors.text.secondary,
+    // secondary/dim
+    success: colors.success.DEFAULT,
+    // ✓
+    error: colors.error.DEFAULT
+  }
+};
+function CliDisclaimer({ onAccept, onReject }) {
+  useInput((input, key) => {
+    if (key.return || input === "y" || input === "Y") {
+      onAccept();
+    } else if (key.escape || input === "n" || input === "N" || key.ctrl && input === "c") {
+      onReject();
+    }
+  });
+  return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", marginBottom: 1, children: [
+    /* @__PURE__ */ jsxs(
+      Box,
+      {
+        borderStyle: "round",
+        borderColor: cliTheme.color.accent,
+        flexDirection: "column",
+        paddingX: 2,
+        paddingY: 1,
+        marginBottom: 1,
+        children: [
+          /* @__PURE__ */ jsx(Text, { color: cliTheme.color.accent, bold: true, children: "⚡ What LeGreffier will do" }),
+          /* @__PURE__ */ jsx(Text, { children: " " }),
+          /* @__PURE__ */ jsx(Text, { color: cliTheme.color.text, bold: true, children: "A GitHub App will be registered in your account with:" }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "  ",
+            "· Read access to repository metadata (to sign commits as a bot)"
+          ] }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "  ",
+            "· No write access to your code by default"
+          ] }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "  ",
+            "· You choose which repositories to install it on"
+          ] }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "  ",
+            "· You can revoke it at any time from GitHub Settings"
+          ] }),
+          /* @__PURE__ */ jsx(Text, { children: " " }),
+          /* @__PURE__ */ jsx(Text, { color: cliTheme.color.text, bold: true, children: "Your Ed25519 keypair:" }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "  ",
+            "· Generated locally — private key",
+            " ",
+            /* @__PURE__ */ jsx(Text, { color: cliTheme.color.success, children: "never leaves your device" })
+          ] }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "  ",
+            "· Public key + fingerprint registered on MoltNet"
+          ] }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "  ",
+            "· Used to sign git commits — verifiable by anyone"
+          ] })
+        ]
+      }
+    ),
+    /* @__PURE__ */ jsxs(
+      Box,
+      {
+        borderStyle: "round",
+        borderColor: cliTheme.color.primary,
+        flexDirection: "column",
+        paddingX: 2,
+        paddingY: 1,
+        marginBottom: 1,
+        children: [
+          /* @__PURE__ */ jsx(Text, { color: cliTheme.color.primary, bold: true, children: "◈ What MoltNet stores" }),
+          /* @__PURE__ */ jsx(Text, { children: " " }),
+          /* @__PURE__ */ jsx(Text, { color: cliTheme.color.text, bold: true, children: "Agent identity (always):" }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "  ",
+            "· Public key, fingerprint, agent name"
+          ] }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "  ",
+            "· GitHub App ID and installation ID"
+          ] }),
+          /* @__PURE__ */ jsx(Text, { children: " " }),
+          /* @__PURE__ */ jsx(Text, { color: cliTheme.color.text, bold: true, children: "Diary entries (when you write them):" }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "  ",
+            "· Three visibility levels — choose per entry:"
+          ] }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "    ",
+            /* @__PURE__ */ jsx(Text, { color: cliTheme.color.error, children: "private" }),
+            "   — owner only, not indexed"
+          ] }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "    ",
+            /* @__PURE__ */ jsx(Text, { color: cliTheme.color.accent, children: "moltnet" }),
+            "  — network agents + indexed"
+          ] }),
+          /* @__PURE__ */ jsx(Text, { color: cliTheme.color.muted, children: "              (diaries can also be shared with specific agents)" }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "    ",
+            /* @__PURE__ */ jsx(Text, { color: cliTheme.color.success, children: "public" }),
+            "    — anyone + indexed"
+          ] }),
+          /* @__PURE__ */ jsx(Text, { children: " " }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "  ",
+            "· Indexed entries power semantic search and cross-agent memory"
+          ] }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "  ",
+            "· Private entries can be encrypted — but lose indexing"
+          ] }),
+          /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+            "    ",
+            "(local encryption + indexing is on the roadmap)"
+          ] })
+        ]
+      }
+    ),
+    /* @__PURE__ */ jsx(Box, { paddingX: 1, children: /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.text, children: [
+      "Press",
+      " ",
+      /* @__PURE__ */ jsx(Text, { color: cliTheme.color.success, bold: true, children: "Enter" }),
+      " ",
+      "to continue,",
+      " ",
+      /* @__PURE__ */ jsx(Text, { color: cliTheme.color.error, bold: true, children: "Ctrl+C" }),
+      " ",
+      "to abort."
+    ] }) })
+  ] });
+}
+function CliDivider() {
+  return /* @__PURE__ */ jsx(Text, { color: cliTheme.color.primary, children: "  ══════════════════════════════════════════════════" });
+}
+const QUILL_LINES = [
+  "  ╲░▒▓▒░  ╲░▒▓▒░  ╲░▒▓",
+  "   ╲▓▒░    ╲▓▒░    ╲▓▒",
+  "    ╲░      ╲░      ╲░",
+  "     ╲───────╲───────╲",
+  "                       ◆"
+];
+const WORDMARK = [
+  " __  __  ___  _  _____  _  _ ___ _____",
+  "|  \\/  |/ _ \\| ||_   _|| \\| | __|_   _|",
+  "| |\\/| | (_) | |__| |  | .` | _|  | |  ",
+  "|_|  |_|\\___/|____|_|  |_|\\_|___| |_|  "
+];
+const HALO_TOP = "   ·  ·  ╭──────────────────────────────────────────────╮  ·  ·";
+const HALO_BOT = "   ·  ·  ╰──────────────────────────────────────────────╯  ·  ·";
+const SHIMMER = [
+  "·  ·  ○  ·  ·  ○  ·  ·  ○  ·  ·  ○  ·  ·  ○  ·  ·  ○  ·",
+  "○  ·  ·  ○  ·  ·  ○  ·  ·  ○  ·  ·  ○  ·  ·  ○  ·  ·  ○  ",
+  "·  ○  ·  ·  ○  ·  ·  ○  ·  ·  ○  ·  ·  ○  ·  ·  ○  ·  ·  "
+];
+const GLOW_COLORS = [cliTheme.color.primary, "#00e8dc", "#00f0e2", "#00e8dc"];
+function CliHero({ animated = false }) {
+  const [tick, setTick] = useState(0);
+  useEffect(() => {
+    if (!animated) return;
+    const t = setInterval(() => setTick((n) => n + 1), 800);
+    return () => clearInterval(t);
+  }, [animated]);
+  const glowColor = GLOW_COLORS[tick % GLOW_COLORS.length];
+  const shimmer = SHIMMER[tick % SHIMMER.length];
+  return /* @__PURE__ */ jsx(Box, { flexDirection: "column", marginBottom: 1, children: /* @__PURE__ */ jsxs(
+    Box,
+    {
+      borderStyle: "round",
+      borderColor: cliTheme.color.primary,
+      flexDirection: "column",
+      paddingX: 2,
+      paddingY: 1,
+      children: [
+        QUILL_LINES.map((line, i) => /* @__PURE__ */ jsx(
+          Text,
+          {
+            color: i < 3 ? cliTheme.color.accent : i === 3 ? "#c08010" : cliTheme.color.text,
+            children: line
+          },
+          "q" + i
+        )),
+        /* @__PURE__ */ jsx(Text, { children: " " }),
+        /* @__PURE__ */ jsx(Text, { color: glowColor, children: HALO_TOP }),
+        WORDMARK.map((line, i) => /* @__PURE__ */ jsxs(Text, { children: [
+          /* @__PURE__ */ jsx(Text, { color: glowColor, children: "   ·  ·  │  " }),
+          /* @__PURE__ */ jsx(Text, { color: cliTheme.color.primary, bold: true, children: line.padEnd(42) }),
+          /* @__PURE__ */ jsx(Text, { color: glowColor, children: "  │  ·  ·" })
+        ] }, "w" + i)),
+        /* @__PURE__ */ jsxs(Text, { children: [
+          /* @__PURE__ */ jsx(Text, { color: glowColor, children: "   ·  ·  │  " }),
+          /* @__PURE__ */ jsx(Text, { color: glowColor, children: shimmer.slice(0, 42).padEnd(42) }),
+          /* @__PURE__ */ jsx(Text, { color: glowColor, children: "  │  ·  ·" })
+        ] }),
+        /* @__PURE__ */ jsx(Text, { color: glowColor, children: HALO_BOT }),
+        /* @__PURE__ */ jsx(Text, { children: " " }),
+        /* @__PURE__ */ jsxs(Text, { children: [
+          "  ",
+          /* @__PURE__ */ jsx(Text, { color: cliTheme.color.text, children: "Accountable AI commits. " }),
+          /* @__PURE__ */ jsx(Text, { color: cliTheme.color.accent, bold: true, children: "Cryptographic identity." })
+        ] }),
+        /* @__PURE__ */ jsxs(Text, { children: [
+          "  ",
+          /* @__PURE__ */ jsx(Text, { color: cliTheme.color.muted, children: "themolt.net " }),
+          /* @__PURE__ */ jsx(Text, { color: cliTheme.color.primary, children: "· LeGreffier ·" })
+        ] })
+      ]
+    }
+  ) });
+}
+figlet.textSync("MOLTNET", { font: "slant" });
+const FRAMES = ["⠋", "⠙", "⠹", "⠸", "⠼", "⠴", "⠦", "⠧", "⠇", "⠏"];
+function CliSpinner({ label }) {
+  const [frame, setFrame] = useState(0);
+  useEffect(() => {
+    const t = setInterval(() => setFrame((f) => (f + 1) % FRAMES.length), 80);
+    return () => clearInterval(t);
+  }, []);
+  return /* @__PURE__ */ jsxs(Text, { children: [
+    "  ",
+    /* @__PURE__ */ jsx(Text, { color: cliTheme.color.primary, children: FRAMES[frame] }),
+    "  ",
+    /* @__PURE__ */ jsx(Text, { color: cliTheme.color.text, children: label })
+  ] });
+}
+const ICONS = {
+  pending: { icon: "·", color: cliTheme.color.muted },
+  running: { icon: "…", color: cliTheme.color.primary },
+  done: { icon: "✓", color: cliTheme.color.success },
+  skipped: { icon: "↩", color: cliTheme.color.muted },
+  error: { icon: "✗", color: cliTheme.color.error }
+};
+function CliStatusLine({
+  label,
+  status,
+  detail
+}) {
+  const { icon, color } = ICONS[status];
+  return /* @__PURE__ */ jsxs(Text, { children: [
+    "  ",
+    /* @__PURE__ */ jsx(Text, { color, children: icon }),
+    "  ",
+    /* @__PURE__ */ jsx(Text, { color: cliTheme.color.text, children: label.padEnd(38) }),
+    detail && /* @__PURE__ */ jsx(Text, { color: cliTheme.color.accent, children: detail })
+  ] });
+}
+function CliStepHeader({
+  n,
+  total,
+  label
+}) {
+  const fill = "─".repeat(Math.max(2, 48 - label.length));
+  return /* @__PURE__ */ jsx(Box, { marginTop: 1, children: /* @__PURE__ */ jsx(Text, { color: cliTheme.color.primary, children: `── ${n} / ${total}  ${label} ${fill}` }) });
+}
+const WIDTH = 54;
+function row(label, value) {
+  const labelPad = label.padEnd(14);
+  return /* @__PURE__ */ jsxs(Text, { children: [
+    "  ",
+    /* @__PURE__ */ jsx(Text, { color: cliTheme.color.muted, children: labelPad }),
+    /* @__PURE__ */ jsx(Text, { color: cliTheme.color.accent, children: value })
+  ] });
+}
+function CliSummaryBox({
+  agentName,
+  fingerprint,
+  appSlug,
+  apiUrl: apiUrl2,
+  mcpUrl
+}) {
+  const divider = "─".repeat(WIDTH);
+  return /* @__PURE__ */ jsx(Box, { flexDirection: "column", marginTop: 1, children: /* @__PURE__ */ jsxs(
+    Box,
+    {
+      borderStyle: "round",
+      borderColor: cliTheme.color.success,
+      flexDirection: "column",
+      paddingX: 2,
+      paddingY: 1,
+      children: [
+        /* @__PURE__ */ jsx(Text, { color: cliTheme.color.success, bold: true, children: "✓  Agent registered on MoltNet" }),
+        /* @__PURE__ */ jsx(Text, { color: cliTheme.color.muted, children: divider }),
+        row("Name", agentName),
+        row("Fingerprint", fingerprint),
+        row("GitHub App", `github.com/apps/${appSlug}`),
+        row("API", apiUrl2),
+        row("MCP", mcpUrl),
+        /* @__PURE__ */ jsx(Text, { color: cliTheme.color.muted, children: divider }),
+        /* @__PURE__ */ jsx(Text, { children: " " }),
+        /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.text, children: [
+          "  ",
+          "Your agent is ready.",
+          " ",
+          /* @__PURE__ */ jsx(Text, { color: cliTheme.color.primary, children: "Commits will be signed" }),
+          " with your fingerprint."
+        ] }),
+        /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+          "  ",
+          "Run ",
+          /* @__PURE__ */ jsx(Text, { color: cliTheme.color.accent, children: "git commit" }),
+          " in any repo where the app is installed."
+        ] })
+      ]
+    }
+  ) });
+}
+const jsonBodySerializer = {
+  bodySerializer: (body) => JSON.stringify(
+    body,
+    (_key, value) => typeof value === "bigint" ? value.toString() : value
+  )
+};
+const createSseClient = ({
+  onRequest,
+  onSseError,
+  onSseEvent,
+  responseTransformer,
+  responseValidator,
+  sseDefaultRetryDelay,
+  sseMaxRetryAttempts,
+  sseMaxRetryDelay,
+  sseSleepFn,
+  url,
+  ...options
+}) => {
+  let lastEventId;
+  const sleep = sseSleepFn ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
+  const createStream = async function* () {
+    let retryDelay = sseDefaultRetryDelay ?? 3e3;
+    let attempt = 0;
+    const signal = options.signal ?? new AbortController().signal;
+    while (true) {
+      if (signal.aborted) break;
+      attempt++;
+      const headers = options.headers instanceof Headers ? options.headers : new Headers(options.headers);
+      if (lastEventId !== void 0) {
+        headers.set("Last-Event-ID", lastEventId);
+      }
+      try {
+        const requestInit = {
+          redirect: "follow",
+          ...options,
+          body: options.serializedBody,
+          headers,
+          signal
+        };
+        let request = new Request(url, requestInit);
+        if (onRequest) {
+          request = await onRequest(url, requestInit);
+        }
+        const _fetch = options.fetch ?? globalThis.fetch;
+        const response = await _fetch(request);
+        if (!response.ok)
+          throw new Error(
+            `SSE failed: ${response.status} ${response.statusText}`
+          );
+        if (!response.body) throw new Error("No body in SSE response");
+        const reader = response.body.pipeThrough(new TextDecoderStream()).getReader();
+        let buffer = "";
+        const abortHandler = () => {
+          try {
+            reader.cancel();
+          } catch {
+          }
+        };
+        signal.addEventListener("abort", abortHandler);
+        try {
+          while (true) {
+            const { done, value } = await reader.read();
+            if (done) break;
+            buffer += value;
+            buffer = buffer.replace(/\r\n/g, "\n").replace(/\r/g, "\n");
+            const chunks = buffer.split("\n\n");
+            buffer = chunks.pop() ?? "";
+            for (const chunk of chunks) {
+              const lines = chunk.split("\n");
+              const dataLines = [];
+              let eventName;
+              for (const line of lines) {
+                if (line.startsWith("data:")) {
+                  dataLines.push(line.replace(/^data:\s*/, ""));
+                } else if (line.startsWith("event:")) {
+                  eventName = line.replace(/^event:\s*/, "");
+                } else if (line.startsWith("id:")) {
+                  lastEventId = line.replace(/^id:\s*/, "");
+                } else if (line.startsWith("retry:")) {
+                  const parsed = Number.parseInt(
+                    line.replace(/^retry:\s*/, ""),
+                    10
+                  );
+                  if (!Number.isNaN(parsed)) {
+                    retryDelay = parsed;
+                  }
+                }
+              }
+              let data;
+              let parsedJson = false;
+              if (dataLines.length) {
+                const rawData = dataLines.join("\n");
+                try {
+                  data = JSON.parse(rawData);
+                  parsedJson = true;
+                } catch {
+                  data = rawData;
+                }
+              }
+              if (parsedJson) {
+                if (responseValidator) {
+                  await responseValidator(data);
+                }
+                if (responseTransformer) {
+                  data = await responseTransformer(data);
+                }
+              }
+              onSseEvent?.({
+                data,
+                event: eventName,
+                id: lastEventId,
+                retry: retryDelay
+              });
+              if (dataLines.length) {
+                yield data;
+              }
+            }
+          }
+        } finally {
+          signal.removeEventListener("abort", abortHandler);
+          reader.releaseLock();
+        }
+        break;
+      } catch (error) {
+        onSseError?.(error);
+        if (sseMaxRetryAttempts !== void 0 && attempt >= sseMaxRetryAttempts) {
+          break;
+        }
+        const backoff = Math.min(
+          retryDelay * 2 ** (attempt - 1),
+          sseMaxRetryDelay ?? 3e4
+        );
+        await sleep(backoff);
+      }
+    }
+  };
+  const stream = createStream();
+  return { stream };
+};
+const separatorArrayExplode = (style) => {
+  switch (style) {
+    case "label":
+      return ".";
+    case "matrix":
+      return ";";
+    case "simple":
+      return ",";
+    default:
+      return "&";
+  }
+};
+const separatorArrayNoExplode = (style) => {
+  switch (style) {
+    case "form":
+      return ",";
+    case "pipeDelimited":
+      return "|";
+    case "spaceDelimited":
+      return "%20";
+    default:
+      return ",";
+  }
+};
+const separatorObjectExplode = (style) => {
+  switch (style) {
+    case "label":
+      return ".";
+    case "matrix":
+      return ";";
+    case "simple":
+      return ",";
+    default:
+      return "&";
+  }
+};
+const serializeArrayParam = ({
+  allowReserved,
+  explode,
+  name: name2,
+  style,
+  value
+}) => {
+  if (!explode) {
+    const joinedValues2 = (allowReserved ? value : value.map((v) => encodeURIComponent(v))).join(separatorArrayNoExplode(style));
+    switch (style) {
+      case "label":
+        return `.${joinedValues2}`;
+      case "matrix":
+        return `;${name2}=${joinedValues2}`;
+      case "simple":
+        return joinedValues2;
+      default:
+        return `${name2}=${joinedValues2}`;
+    }
+  }
+  const separator = separatorArrayExplode(style);
+  const joinedValues = value.map((v) => {
+    if (style === "label" || style === "simple") {
+      return allowReserved ? v : encodeURIComponent(v);
+    }
+    return serializePrimitiveParam({
+      allowReserved,
+      name: name2,
+      value: v
+    });
+  }).join(separator);
+  return style === "label" || style === "matrix" ? separator + joinedValues : joinedValues;
+};
+const serializePrimitiveParam = ({
+  allowReserved,
+  name: name2,
+  value
+}) => {
+  if (value === void 0 || value === null) {
+    return "";
+  }
+  if (typeof value === "object") {
+    throw new Error(
+      "Deeply-nested arrays/objects aren’t supported. Provide your own `querySerializer()` to handle these."
+    );
+  }
+  return `${name2}=${allowReserved ? value : encodeURIComponent(value)}`;
+};
+const serializeObjectParam = ({
+  allowReserved,
+  explode,
+  name: name2,
+  style,
+  value,
+  valueOnly
+}) => {
+  if (value instanceof Date) {
+    return valueOnly ? value.toISOString() : `${name2}=${value.toISOString()}`;
+  }
+  if (style !== "deepObject" && !explode) {
+    let values2 = [];
+    Object.entries(value).forEach(([key, v]) => {
+      values2 = [
+        ...values2,
+        key,
+        allowReserved ? v : encodeURIComponent(v)
+      ];
+    });
+    const joinedValues2 = values2.join(",");
+    switch (style) {
+      case "form":
+        return `${name2}=${joinedValues2}`;
+      case "label":
+        return `.${joinedValues2}`;
+      case "matrix":
+        return `;${name2}=${joinedValues2}`;
+      default:
+        return joinedValues2;
+    }
+  }
+  const separator = separatorObjectExplode(style);
+  const joinedValues = Object.entries(value).map(
+    ([key, v]) => serializePrimitiveParam({
+      allowReserved,
+      name: style === "deepObject" ? `${name2}[${key}]` : key,
+      value: v
+    })
+  ).join(separator);
+  return style === "label" || style === "matrix" ? separator + joinedValues : joinedValues;
+};
+const PATH_PARAM_RE = /\{[^{}]+\}/g;
+const defaultPathSerializer = ({ path, url: _url }) => {
+  let url = _url;
+  const matches = _url.match(PATH_PARAM_RE);
+  if (matches) {
+    for (const match of matches) {
+      let explode = false;
+      let name2 = match.substring(1, match.length - 1);
+      let style = "simple";
+      if (name2.endsWith("*")) {
+        explode = true;
+        name2 = name2.substring(0, name2.length - 1);
+      }
+      if (name2.startsWith(".")) {
+        name2 = name2.substring(1);
+        style = "label";
+      } else if (name2.startsWith(";")) {
+        name2 = name2.substring(1);
+        style = "matrix";
+      }
+      const value = path[name2];
+      if (value === void 0 || value === null) {
+        continue;
+      }
+      if (Array.isArray(value)) {
+        url = url.replace(
+          match,
+          serializeArrayParam({ explode, name: name2, style, value })
+        );
+        continue;
+      }
+      if (typeof value === "object") {
+        url = url.replace(
+          match,
+          serializeObjectParam({
+            explode,
+            name: name2,
+            style,
+            value,
+            valueOnly: true
+          })
+        );
+        continue;
+      }
+      if (style === "matrix") {
+        url = url.replace(
+          match,
+          `;${serializePrimitiveParam({
+            name: name2,
+            value
+          })}`
+        );
+        continue;
+      }
+      const replaceValue = encodeURIComponent(
+        style === "label" ? `.${value}` : value
+      );
+      url = url.replace(match, replaceValue);
+    }
+  }
+  return url;
+};
+const getUrl = ({
+  baseUrl,
+  path,
+  query,
+  querySerializer,
+  url: _url
+}) => {
+  const pathUrl = _url.startsWith("/") ? _url : `/${_url}`;
+  let url = (baseUrl ?? "") + pathUrl;
+  if (path) {
+    url = defaultPathSerializer({ path, url });
+  }
+  let search = query ? querySerializer(query) : "";
+  if (search.startsWith("?")) {
+    search = search.substring(1);
+  }
+  if (search) {
+    url += `?${search}`;
+  }
+  return url;
+};
+function getValidRequestBody(options) {
+  const hasBody = options.body !== void 0;
+  const isSerializedBody = hasBody && options.bodySerializer;
+  if (isSerializedBody) {
+    if ("serializedBody" in options) {
+      const hasSerializedBody = options.serializedBody !== void 0 && options.serializedBody !== "";
+      return hasSerializedBody ? options.serializedBody : null;
+    }
+    return options.body !== "" ? options.body : null;
+  }
+  if (hasBody) {
+    return options.body;
+  }
+  return void 0;
+}
+const getAuthToken = async (auth, callback) => {
+  const token = typeof callback === "function" ? await callback(auth) : callback;
+  if (!token) {
+    return;
+  }
+  if (auth.scheme === "bearer") {
+    return `Bearer ${token}`;
+  }
+  if (auth.scheme === "basic") {
+    return `Basic ${btoa(token)}`;
+  }
+  return token;
+};
+const createQuerySerializer = ({
+  parameters = {},
+  ...args
+} = {}) => {
+  const querySerializer = (queryParams) => {
+    const search = [];
+    if (queryParams && typeof queryParams === "object") {
+      for (const name2 in queryParams) {
+        const value = queryParams[name2];
+        if (value === void 0 || value === null) {
+          continue;
+        }
+        const options = parameters[name2] || args;
+        if (Array.isArray(value)) {
+          const serializedArray = serializeArrayParam({
+            allowReserved: options.allowReserved,
+            explode: true,
+            name: name2,
+            style: "form",
+            value,
+            ...options.array
+          });
+          if (serializedArray) search.push(serializedArray);
+        } else if (typeof value === "object") {
+          const serializedObject = serializeObjectParam({
+            allowReserved: options.allowReserved,
+            explode: true,
+            name: name2,
+            style: "deepObject",
+            value,
+            ...options.object
+          });
+          if (serializedObject) search.push(serializedObject);
+        } else {
+          const serializedPrimitive = serializePrimitiveParam({
+            allowReserved: options.allowReserved,
+            name: name2,
+            value
+          });
+          if (serializedPrimitive) search.push(serializedPrimitive);
+        }
+      }
+    }
+    return search.join("&");
+  };
+  return querySerializer;
+};
+const getParseAs = (contentType) => {
+  if (!contentType) {
+    return "stream";
+  }
+  const cleanContent = contentType.split(";")[0]?.trim();
+  if (!cleanContent) {
+    return;
+  }
+  if (cleanContent.startsWith("application/json") || cleanContent.endsWith("+json")) {
+    return "json";
+  }
+  if (cleanContent === "multipart/form-data") {
+    return "formData";
+  }
+  if (["application/", "audio/", "image/", "video/"].some(
+    (type) => cleanContent.startsWith(type)
+  )) {
+    return "blob";
+  }
+  if (cleanContent.startsWith("text/")) {
+    return "text";
+  }
+  return;
+};
+const checkForExistence = (options, name2) => {
+  if (!name2) {
+    return false;
+  }
+  if (options.headers.has(name2) || options.query?.[name2] || options.headers.get("Cookie")?.includes(`${name2}=`)) {
+    return true;
+  }
+  return false;
+};
+const setAuthParams = async ({
+  security,
+  ...options
+}) => {
+  for (const auth of security) {
+    if (checkForExistence(options, auth.name)) {
+      continue;
+    }
+    const token = await getAuthToken(auth, options.auth);
+    if (!token) {
+      continue;
+    }
+    const name2 = auth.name ?? "Authorization";
+    switch (auth.in) {
+      case "query":
+        if (!options.query) {
+          options.query = {};
+        }
+        options.query[name2] = token;
+        break;
+      case "cookie":
+        options.headers.append("Cookie", `${name2}=${token}`);
+        break;
+      case "header":
+      default:
+        options.headers.set(name2, token);
+        break;
+    }
+  }
+};
+const buildUrl = (options) => getUrl({
+  baseUrl: options.baseUrl,
+  path: options.path,
+  query: options.query,
+  querySerializer: typeof options.querySerializer === "function" ? options.querySerializer : createQuerySerializer(options.querySerializer),
+  url: options.url
+});
+const mergeConfigs = (a, b) => {
+  const config = { ...a, ...b };
+  if (config.baseUrl?.endsWith("/")) {
+    config.baseUrl = config.baseUrl.substring(0, config.baseUrl.length - 1);
+  }
+  config.headers = mergeHeaders(a.headers, b.headers);
+  return config;
+};
+const headersEntries = (headers) => {
+  const entries = [];
+  headers.forEach((value, key) => {
+    entries.push([key, value]);
+  });
+  return entries;
+};
+const mergeHeaders = (...headers) => {
+  const mergedHeaders = new Headers();
+  for (const header of headers) {
+    if (!header) {
+      continue;
+    }
+    const iterator = header instanceof Headers ? headersEntries(header) : Object.entries(header);
+    for (const [key, value] of iterator) {
+      if (value === null) {
+        mergedHeaders.delete(key);
+      } else if (Array.isArray(value)) {
+        for (const v of value) {
+          mergedHeaders.append(key, v);
+        }
+      } else if (value !== void 0) {
+        mergedHeaders.set(
+          key,
+          typeof value === "object" ? JSON.stringify(value) : value
+        );
+      }
+    }
+  }
+  return mergedHeaders;
+};
+class Interceptors {
+  fns = [];
+  clear() {
+    this.fns = [];
+  }
+  eject(id) {
+    const index = this.getInterceptorIndex(id);
+    if (this.fns[index]) {
+      this.fns[index] = null;
+    }
+  }
+  exists(id) {
+    const index = this.getInterceptorIndex(id);
+    return Boolean(this.fns[index]);
+  }
+  getInterceptorIndex(id) {
+    if (typeof id === "number") {
+      return this.fns[id] ? id : -1;
+    }
+    return this.fns.indexOf(id);
+  }
+  update(id, fn) {
+    const index = this.getInterceptorIndex(id);
+    if (this.fns[index]) {
+      this.fns[index] = fn;
+      return id;
+    }
+    return false;
+  }
+  use(fn) {
+    this.fns.push(fn);
+    return this.fns.length - 1;
+  }
+}
+const createInterceptors = () => ({
+  error: new Interceptors(),
+  request: new Interceptors(),
+  response: new Interceptors()
+});
+const defaultQuerySerializer = createQuerySerializer({
+  allowReserved: false,
+  array: {
+    explode: true,
+    style: "form"
+  },
+  object: {
+    explode: true,
+    style: "deepObject"
+  }
+});
+const defaultHeaders = {
+  "Content-Type": "application/json"
+};
+const createConfig = (override = {}) => ({
+  ...jsonBodySerializer,
+  headers: defaultHeaders,
+  parseAs: "auto",
+  querySerializer: defaultQuerySerializer,
+  ...override
+});
+const createClient = (config = {}) => {
+  let _config = mergeConfigs(createConfig(), config);
+  const getConfig = () => ({ ..._config });
+  const setConfig = (config2) => {
+    _config = mergeConfigs(_config, config2);
+    return getConfig();
+  };
+  const interceptors = createInterceptors();
+  const beforeRequest = async (options) => {
+    const opts = {
+      ..._config,
+      ...options,
+      fetch: options.fetch ?? _config.fetch ?? globalThis.fetch,
+      headers: mergeHeaders(_config.headers, options.headers),
+      serializedBody: void 0
+    };
+    if (opts.security) {
+      await setAuthParams({
+        ...opts,
+        security: opts.security
+      });
+    }
+    if (opts.requestValidator) {
+      await opts.requestValidator(opts);
+    }
+    if (opts.body !== void 0 && opts.bodySerializer) {
+      opts.serializedBody = opts.bodySerializer(opts.body);
+    }
+    if (opts.body === void 0 || opts.serializedBody === "") {
+      opts.headers.delete("Content-Type");
+    }
+    const url = buildUrl(opts);
+    return { opts, url };
+  };
+  const request = async (options) => {
+    const { opts, url } = await beforeRequest(options);
+    const requestInit = {
+      redirect: "follow",
+      ...opts,
+      body: getValidRequestBody(opts)
+    };
+    let request2 = new Request(url, requestInit);
+    for (const fn of interceptors.request.fns) {
+      if (fn) {
+        request2 = await fn(request2, opts);
+      }
+    }
+    const _fetch = opts.fetch;
+    let response;
+    try {
+      response = await _fetch(request2);
+    } catch (error2) {
+      let finalError2 = error2;
+      for (const fn of interceptors.error.fns) {
+        if (fn) {
+          finalError2 = await fn(
+            error2,
+            void 0,
+            request2,
+            opts
+          );
+        }
+      }
+      finalError2 = finalError2 || {};
+      if (opts.throwOnError) {
+        throw finalError2;
+      }
+      return opts.responseStyle === "data" ? void 0 : {
+        error: finalError2,
+        request: request2,
+        response: void 0
+      };
+    }
+    for (const fn of interceptors.response.fns) {
+      if (fn) {
+        response = await fn(response, request2, opts);
+      }
+    }
+    const result = {
+      request: request2,
+      response
+    };
+    if (response.ok) {
+      const parseAs = (opts.parseAs === "auto" ? getParseAs(response.headers.get("Content-Type")) : opts.parseAs) ?? "json";
+      if (response.status === 204 || response.headers.get("Content-Length") === "0") {
+        let emptyData;
+        switch (parseAs) {
+          case "arrayBuffer":
+          case "blob":
+          case "text":
+            emptyData = await response[parseAs]();
+            break;
+          case "formData":
+            emptyData = new FormData();
+            break;
+          case "stream":
+            emptyData = response.body;
+            break;
+          case "json":
+          default:
+            emptyData = {};
+            break;
+        }
+        return opts.responseStyle === "data" ? emptyData : {
+          data: emptyData,
+          ...result
+        };
+      }
+      let data;
+      switch (parseAs) {
+        case "arrayBuffer":
+        case "blob":
+        case "formData":
+        case "json":
+        case "text":
+          data = await response[parseAs]();
+          break;
+        case "stream":
+          return opts.responseStyle === "data" ? response.body : {
+            data: response.body,
+            ...result
+          };
+      }
+      if (parseAs === "json") {
+        if (opts.responseValidator) {
+          await opts.responseValidator(data);
+        }
+        if (opts.responseTransformer) {
+          data = await opts.responseTransformer(data);
+        }
+      }
+      return opts.responseStyle === "data" ? data : {
+        data,
+        ...result
+      };
+    }
+    const textError = await response.text();
+    let jsonError;
+    try {
+      jsonError = JSON.parse(textError);
+    } catch {
+    }
+    const error = jsonError ?? textError;
+    let finalError = error;
+    for (const fn of interceptors.error.fns) {
+      if (fn) {
+        finalError = await fn(error, response, request2, opts);
+      }
+    }
+    finalError = finalError || {};
+    if (opts.throwOnError) {
+      throw finalError;
+    }
+    return opts.responseStyle === "data" ? void 0 : {
+      error: finalError,
+      ...result
+    };
+  };
+  const makeMethodFn = (method) => (options) => request({ ...options, method });
+  const makeSseFn = (method) => async (options) => {
+    const { opts, url } = await beforeRequest(options);
+    return createSseClient({
+      ...opts,
+      body: opts.body,
+      headers: opts.headers,
+      method,
+      onRequest: async (url2, init) => {
+        let request2 = new Request(url2, init);
+        for (const fn of interceptors.request.fns) {
+          if (fn) {
+            request2 = await fn(request2, opts);
+          }
+        }
+        return request2;
+      },
+      url
+    });
+  };
+  return {
+    buildUrl,
+    connect: makeMethodFn("CONNECT"),
+    delete: makeMethodFn("DELETE"),
+    get: makeMethodFn("GET"),
+    getConfig,
+    head: makeMethodFn("HEAD"),
+    interceptors,
+    options: makeMethodFn("OPTIONS"),
+    patch: makeMethodFn("PATCH"),
+    post: makeMethodFn("POST"),
+    put: makeMethodFn("PUT"),
+    request,
+    setConfig,
+    sse: {
+      connect: makeSseFn("CONNECT"),
+      delete: makeSseFn("DELETE"),
+      get: makeSseFn("GET"),
+      head: makeSseFn("HEAD"),
+      options: makeSseFn("OPTIONS"),
+      patch: makeSseFn("PATCH"),
+      post: makeSseFn("POST"),
+      put: makeSseFn("PUT"),
+      trace: makeSseFn("TRACE")
+    },
+    trace: makeMethodFn("TRACE")
+  };
+};
+const client = createClient(
+  createConfig({ baseUrl: "https://api.themolt.net" })
+);
+const startLegreffierOnboarding = (options) => (options.client ?? client).post({
+  url: "/public/legreffier/start",
+  ...options,
+  headers: {
+    "Content-Type": "application/json",
+    ...options.headers
+  }
+});
+const getLegreffierOnboardingStatus = (options) => (options.client ?? client).get({ url: "/public/legreffier/status/{workflowId}", ...options });
+class MoltNetError extends Error {
+  code;
+  statusCode;
+  detail;
+  constructor(message, options) {
+    super(message);
+    this.name = "MoltNetError";
+    this.code = options.code;
+    this.statusCode = options.statusCode;
+    this.detail = options.detail;
+  }
+}
+function problemToError(problem, statusCode) {
+  return new MoltNetError(problem.title ?? "Request failed", {
+    code: problem.type ?? problem.code ?? "UNKNOWN",
+    statusCode,
+    detail: problem.detail
+  });
+}
+async function writeMcpConfig(mcpConfig, dir2) {
+  const targetDir = dir2 ?? process.cwd();
+  const filePath = join(targetDir, ".mcp.json");
+  let existing = {};
+  try {
+    const content = await readFile(filePath, "utf-8");
+    existing = JSON.parse(content);
+  } catch {
+  }
+  const merged = {
+    ...existing,
+    mcpServers: {
+      ...existing.mcpServers ?? {},
+      ...mcpConfig.mcpServers
+    }
+  };
+  await writeFile(filePath, JSON.stringify(merged, null, 2) + "\n");
+  return filePath;
+}
+function getConfigDir() {
+  return join(homedir(), ".config", "moltnet");
+}
+function getConfigPath(configDir) {
+  return join(configDir ?? getConfigDir(), "moltnet.json");
+}
+async function readConfig(configDir) {
+  const dir2 = configDir ?? getConfigDir();
+  try {
+    const content = await readFile(join(dir2, "moltnet.json"), "utf-8");
+    return JSON.parse(content);
+  } catch {
+  }
+  try {
+    const content = await readFile(join(dir2, "credentials.json"), "utf-8");
+    console.warn("Warning: credentials.json is deprecated. New writes use moltnet.json. Support will be removed in 3 minor versions.");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+async function writeConfig(config, configDir) {
+  const dir2 = configDir ?? getConfigDir();
+  await mkdir(dir2, { recursive: true });
+  const filePath = join(dir2, "moltnet.json");
+  await writeFile(filePath, JSON.stringify(config, null, 2) + "\n", {
+    mode: 384
+  });
+  await chmod(filePath, 384);
+  return filePath;
+}
+async function updateConfigSection(section, data, configDir) {
+  const config = await readConfig(configDir);
+  if (!config) {
+    throw new Error("No config found — run `moltnet register` first");
+  }
+  const existing = config[section] ?? {};
+  const updated = { ...existing, ...data };
+  Object.assign(config, { [section]: updated });
+  await writeConfig(config, configDir);
+}
+/*! noble-ed25519 - MIT License (c) 2019 Paul Miller (paulmillr.com) */
+const ed25519_CURVE = {
+  p: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffedn,
+  n: 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3edn,
+  a: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffecn,
+  d: 0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3n,
+  Gx: 0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51an,
+  Gy: 0x6666666666666666666666666666666666666666666666666666666666666658n
+};
+const { p: P, n: N, Gx, Gy, a: _a, d: _d } = ed25519_CURVE;
+const h = 8n;
+const L = 32;
+const L2 = 64;
+const err = (m = "") => {
+  throw new Error(m);
+};
+const isBig = (n) => typeof n === "bigint";
+const isStr = (s) => typeof s === "string";
+const isBytes = (a) => a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
+const abytes = (a, l) => !isBytes(a) || typeof l === "number" && l > 0 && a.length !== l ? err("Uint8Array expected") : a;
+const u8n = (len) => new Uint8Array(len);
+const u8fr = (buf) => Uint8Array.from(buf);
+const padh = (n, pad) => n.toString(16).padStart(pad, "0");
+const bytesToHex = (b) => Array.from(abytes(b)).map((e) => padh(e, 2)).join("");
+const C = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
+const _ch = (ch) => {
+  if (ch >= C._0 && ch <= C._9)
+    return ch - C._0;
+  if (ch >= C.A && ch <= C.F)
+    return ch - (C.A - 10);
+  if (ch >= C.a && ch <= C.f)
+    return ch - (C.a - 10);
+  return;
+};
+const hexToBytes = (hex) => {
+  const e = "hex invalid";
+  if (!isStr(hex))
+    return err(e);
+  const hl = hex.length;
+  const al = hl / 2;
+  if (hl % 2)
+    return err(e);
+  const array = u8n(al);
+  for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
+    const n1 = _ch(hex.charCodeAt(hi));
+    const n2 = _ch(hex.charCodeAt(hi + 1));
+    if (n1 === void 0 || n2 === void 0)
+      return err(e);
+    array[ai] = n1 * 16 + n2;
+  }
+  return array;
+};
+const toU8 = (a, len) => abytes(isStr(a) ? hexToBytes(a) : u8fr(abytes(a)), len);
+const cr = () => globalThis?.crypto;
+const subtle = () => cr()?.subtle ?? err("crypto.subtle must be defined");
+const concatBytes = (...arrs) => {
+  const r = u8n(arrs.reduce((sum, a) => sum + abytes(a).length, 0));
+  let pad = 0;
+  arrs.forEach((a) => {
+    r.set(a, pad);
+    pad += a.length;
+  });
+  return r;
+};
+const randomBytes = (len = L) => {
+  const c = cr();
+  return c.getRandomValues(u8n(len));
+};
+const big = BigInt;
+const arange = (n, min, max, msg = "bad number: out of range") => isBig(n) && min <= n && n < max ? n : err(msg);
+const M = (a, b = P) => {
+  const r = a % b;
+  return r >= 0n ? r : b + r;
+};
+const modN = (a) => M(a, N);
+const invert = (num, md) => {
+  if (num === 0n || md <= 0n)
+    err("no inverse n=" + num + " mod=" + md);
+  let a = M(num, md), b = md, x = 0n, u = 1n;
+  while (a !== 0n) {
+    const q = b / a, r = b % a;
+    const m = x - u * q;
+    b = a, a = r, x = u, u = m;
+  }
+  return b === 1n ? M(x, md) : err("no inverse");
+};
+const callHash = (name2) => {
+  const fn = etc[name2];
+  if (typeof fn !== "function")
+    err("hashes." + name2 + " not set");
+  return fn;
+};
+const apoint = (p) => p instanceof Point ? p : err("Point expected");
+const B256 = 2n ** 256n;
+class Point {
+  static BASE;
+  static ZERO;
+  ex;
+  ey;
+  ez;
+  et;
+  constructor(ex, ey, ez, et) {
+    const max = B256;
+    this.ex = arange(ex, 0n, max);
+    this.ey = arange(ey, 0n, max);
+    this.ez = arange(ez, 1n, max);
+    this.et = arange(et, 0n, max);
+    Object.freeze(this);
+  }
+  static fromAffine(p) {
+    return new Point(p.x, p.y, 1n, M(p.x * p.y));
+  }
+  /** RFC8032 5.1.3: Uint8Array to Point. */
+  static fromBytes(hex, zip215 = false) {
+    const d = _d;
+    const normed = u8fr(abytes(hex, L));
+    const lastByte = hex[31];
+    normed[31] = lastByte & -129;
+    const y = bytesToNumLE(normed);
+    const max = zip215 ? B256 : P;
+    arange(y, 0n, max);
+    const y2 = M(y * y);
+    const u = M(y2 - 1n);
+    const v = M(d * y2 + 1n);
+    let { isValid, value: x } = uvRatio(u, v);
+    if (!isValid)
+      err("bad point: y not sqrt");
+    const isXOdd = (x & 1n) === 1n;
+    const isLastByteOdd = (lastByte & 128) !== 0;
+    if (!zip215 && x === 0n && isLastByteOdd)
+      err("bad point: x==0, isLastByteOdd");
+    if (isLastByteOdd !== isXOdd)
+      x = M(-x);
+    return new Point(x, y, 1n, M(x * y));
+  }
+  /** Checks if the point is valid and on-curve. */
+  assertValidity() {
+    const a = _a;
+    const d = _d;
+    const p = this;
+    if (p.is0())
+      throw new Error("bad point: ZERO");
+    const { ex: X, ey: Y, ez: Z, et: T } = p;
+    const X2 = M(X * X);
+    const Y2 = M(Y * Y);
+    const Z2 = M(Z * Z);
+    const Z4 = M(Z2 * Z2);
+    const aX2 = M(X2 * a);
+    const left = M(Z2 * M(aX2 + Y2));
+    const right = M(Z4 + M(d * M(X2 * Y2)));
+    if (left !== right)
+      throw new Error("bad point: equation left != right (1)");
+    const XY = M(X * Y);
+    const ZT = M(Z * T);
+    if (XY !== ZT)
+      throw new Error("bad point: equation left != right (2)");
+    return this;
+  }
+  /** Equality check: compare points P&Q. */
+  equals(other) {
+    const { ex: X1, ey: Y1, ez: Z1 } = this;
+    const { ex: X2, ey: Y2, ez: Z2 } = apoint(other);
+    const X1Z2 = M(X1 * Z2);
+    const X2Z1 = M(X2 * Z1);
+    const Y1Z2 = M(Y1 * Z2);
+    const Y2Z1 = M(Y2 * Z1);
+    return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
+  }
+  is0() {
+    return this.equals(I);
+  }
+  /** Flip point over y coordinate. */
+  negate() {
+    return new Point(M(-this.ex), this.ey, this.ez, M(-this.et));
+  }
+  /** Point doubling. Complete formula. Cost: `4M + 4S + 1*a + 6add + 1*2`. */
+  double() {
+    const { ex: X1, ey: Y1, ez: Z1 } = this;
+    const a = _a;
+    const A = M(X1 * X1);
+    const B = M(Y1 * Y1);
+    const C2 = M(2n * M(Z1 * Z1));
+    const D = M(a * A);
+    const x1y1 = X1 + Y1;
+    const E = M(M(x1y1 * x1y1) - A - B);
+    const G2 = D + B;
+    const F = G2 - C2;
+    const H = D - B;
+    const X3 = M(E * F);
+    const Y3 = M(G2 * H);
+    const T3 = M(E * H);
+    const Z3 = M(F * G2);
+    return new Point(X3, Y3, Z3, T3);
+  }
+  /** Point addition. Complete formula. Cost: `8M + 1*k + 8add + 1*2`. */
+  add(other) {
+    const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
+    const { ex: X2, ey: Y2, ez: Z2, et: T2 } = apoint(other);
+    const a = _a;
+    const d = _d;
+    const A = M(X1 * X2);
+    const B = M(Y1 * Y2);
+    const C2 = M(T1 * d * T2);
+    const D = M(Z1 * Z2);
+    const E = M((X1 + Y1) * (X2 + Y2) - A - B);
+    const F = M(D - C2);
+    const G2 = M(D + C2);
+    const H = M(B - a * A);
+    const X3 = M(E * F);
+    const Y3 = M(G2 * H);
+    const T3 = M(E * H);
+    const Z3 = M(F * G2);
+    return new Point(X3, Y3, Z3, T3);
+  }
+  /**
+   * Point-by-scalar multiplication. Scalar must be in range 1 <= n < CURVE.n.
+   * Uses {@link wNAF} for base point.
+   * Uses fake point to mitigate side-channel leakage.
+   * @param n scalar by which point is multiplied
+   * @param safe safe mode guards against timing attacks; unsafe mode is faster
+   */
+  multiply(n, safe = true) {
+    if (!safe && (n === 0n || this.is0()))
+      return I;
+    arange(n, 1n, N);
+    if (n === 1n)
+      return this;
+    if (this.equals(G))
+      return wNAF(n).p;
+    let p = I;
+    let f = G;
+    for (let d = this; n > 0n; d = d.double(), n >>= 1n) {
+      if (n & 1n)
+        p = p.add(d);
+      else if (safe)
+        f = f.add(d);
+    }
+    return p;
+  }
+  /** Convert point to 2d xy affine point. (X, Y, Z) ∋ (x=X/Z, y=Y/Z) */
+  toAffine() {
+    const { ex: x, ey: y, ez: z } = this;
+    if (this.equals(I))
+      return { x: 0n, y: 1n };
+    const iz = invert(z, P);
+    if (M(z * iz) !== 1n)
+      err("invalid inverse");
+    return { x: M(x * iz), y: M(y * iz) };
+  }
+  toBytes() {
+    const { x, y } = this.assertValidity().toAffine();
+    const b = numTo32bLE(y);
+    b[31] |= x & 1n ? 128 : 0;
+    return b;
+  }
+  toHex() {
+    return bytesToHex(this.toBytes());
+  }
+  // encode to hex string
+  clearCofactor() {
+    return this.multiply(big(h), false);
+  }
+  isSmallOrder() {
+    return this.clearCofactor().is0();
+  }
+  isTorsionFree() {
+    let p = this.multiply(N / 2n, false).double();
+    if (N % 2n)
+      p = p.add(this);
+    return p.is0();
+  }
+  static fromHex(hex, zip215) {
+    return Point.fromBytes(toU8(hex), zip215);
+  }
+  get x() {
+    return this.toAffine().x;
+  }
+  get y() {
+    return this.toAffine().y;
+  }
+  toRawBytes() {
+    return this.toBytes();
+  }
+}
+const G = new Point(Gx, Gy, 1n, M(Gx * Gy));
+const I = new Point(0n, 1n, 1n, 0n);
+Point.BASE = G;
+Point.ZERO = I;
+const numTo32bLE = (num) => hexToBytes(padh(arange(num, 0n, B256), L2)).reverse();
+const bytesToNumLE = (b) => big("0x" + bytesToHex(u8fr(abytes(b)).reverse()));
+const pow2 = (x, power) => {
+  let r = x;
+  while (power-- > 0n) {
+    r *= r;
+    r %= P;
+  }
+  return r;
+};
+const pow_2_252_3 = (x) => {
+  const x2 = x * x % P;
+  const b2 = x2 * x % P;
+  const b4 = pow2(b2, 2n) * b2 % P;
+  const b5 = pow2(b4, 1n) * x % P;
+  const b10 = pow2(b5, 5n) * b5 % P;
+  const b20 = pow2(b10, 10n) * b10 % P;
+  const b40 = pow2(b20, 20n) * b20 % P;
+  const b80 = pow2(b40, 40n) * b40 % P;
+  const b160 = pow2(b80, 80n) * b80 % P;
+  const b240 = pow2(b160, 80n) * b80 % P;
+  const b250 = pow2(b240, 10n) * b10 % P;
+  const pow_p_5_8 = pow2(b250, 2n) * x % P;
+  return { pow_p_5_8, b2 };
+};
+const RM1 = 0x2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0n;
+const uvRatio = (u, v) => {
+  const v3 = M(v * v * v);
+  const v7 = M(v3 * v3 * v);
+  const pow = pow_2_252_3(u * v7).pow_p_5_8;
+  let x = M(u * v3 * pow);
+  const vx2 = M(v * x * x);
+  const root1 = x;
+  const root2 = M(x * RM1);
+  const useRoot1 = vx2 === u;
+  const useRoot2 = vx2 === M(-u);
+  const noRoot = vx2 === M(-u * RM1);
+  if (useRoot1)
+    x = root1;
+  if (useRoot2 || noRoot)
+    x = root2;
+  if ((M(x) & 1n) === 1n)
+    x = M(-x);
+  return { isValid: useRoot1 || useRoot2, value: x };
+};
+const modL_LE = (hash) => modN(bytesToNumLE(hash));
+const sha512a = (...m) => etc.sha512Async(...m);
+const sha512s = (...m) => callHash("sha512Sync")(...m);
+const hash2extK = (hashed) => {
+  const head = hashed.slice(0, L);
+  head[0] &= 248;
+  head[31] &= 127;
+  head[31] |= 64;
+  const prefix = hashed.slice(L, L2);
+  const scalar = modL_LE(head);
+  const point = G.multiply(scalar);
+  const pointBytes = point.toBytes();
+  return { head, prefix, scalar, point, pointBytes };
+};
+const getExtendedPublicKeyAsync = (priv) => sha512a(toU8(priv, L)).then(hash2extK);
+const getExtendedPublicKey = (priv) => hash2extK(sha512s(toU8(priv, L)));
+const getPublicKeyAsync = (priv) => getExtendedPublicKeyAsync(priv).then((p) => p.pointBytes);
+const getPublicKey = (priv) => getExtendedPublicKey(priv).pointBytes;
+const hashFinishA = (res) => sha512a(res.hashable).then(res.finish);
+const _sign = (e, rBytes, msg) => {
+  const { pointBytes: P2, scalar: s } = e;
+  const r = modL_LE(rBytes);
+  const R = G.multiply(r).toBytes();
+  const hashable = concatBytes(R, P2, msg);
+  const finish = (hashed) => {
+    const S = modN(r + modL_LE(hashed) * s);
+    return abytes(concatBytes(R, numTo32bLE(S)), L2);
+  };
+  return { hashable, finish };
+};
+const signAsync = async (msg, privKey) => {
+  const m = toU8(msg);
+  const e = await getExtendedPublicKeyAsync(privKey);
+  const rBytes = await sha512a(e.prefix, m);
+  return hashFinishA(_sign(e, rBytes, m));
+};
+const veriOpts = { zip215: true };
+const _verify = (sig, msg, pub, opts = veriOpts) => {
+  sig = toU8(sig, L2);
+  msg = toU8(msg);
+  pub = toU8(pub, L);
+  const { zip215 } = opts;
+  let A;
+  let R;
+  let s;
+  let SB;
+  let hashable = Uint8Array.of();
+  try {
+    A = Point.fromHex(pub, zip215);
+    R = Point.fromHex(sig.slice(0, L), zip215);
+    s = bytesToNumLE(sig.slice(L, L2));
+    SB = G.multiply(s, false);
+    hashable = concatBytes(R.toBytes(), A.toBytes(), msg);
+  } catch (error) {
+  }
+  const finish = (hashed) => {
+    if (SB == null)
+      return false;
+    if (!zip215 && A.isSmallOrder())
+      return false;
+    const k = modL_LE(hashed);
+    const RkA = R.add(A.multiply(k, false));
+    return RkA.add(SB.negate()).clearCofactor().is0();
+  };
+  return { hashable, finish };
+};
+const verifyAsync = async (s, m, p, opts = veriOpts) => hashFinishA(_verify(s, m, p, opts));
+const etc = {
+  sha512Async: async (...messages) => {
+    const s = subtle();
+    const m = concatBytes(...messages);
+    return u8n(await s.digest("SHA-512", m.buffer));
+  },
+  sha512Sync: void 0,
+  bytesToHex,
+  hexToBytes,
+  concatBytes,
+  mod: M,
+  invert,
+  randomBytes
+};
+const utils = {
+  getExtendedPublicKeyAsync,
+  getExtendedPublicKey,
+  randomPrivateKey: () => randomBytes(L),
+  precompute: (w = 8, p = G) => {
+    p.multiply(3n);
+    return p;
+  }
+  // no-op
+};
+const W = 8;
+const scalarBits = 256;
+const pwindows = Math.ceil(scalarBits / W) + 1;
+const pwindowSize = 2 ** (W - 1);
+const precompute = () => {
+  const points = [];
+  let p = G;
+  let b = p;
+  for (let w = 0; w < pwindows; w++) {
+    b = p;
+    points.push(b);
+    for (let i = 1; i < pwindowSize; i++) {
+      b = b.add(p);
+      points.push(b);
+    }
+    p = b.double();
+  }
+  return points;
+};
+let Gpows = void 0;
+const ctneg = (cnd, p) => {
+  const n = p.negate();
+  return cnd ? n : p;
+};
+const wNAF = (n) => {
+  const comp = Gpows || (Gpows = precompute());
+  let p = I;
+  let f = G;
+  const pow_2_w = 2 ** W;
+  const maxNum = pow_2_w;
+  const mask = big(pow_2_w - 1);
+  const shiftBy = big(W);
+  for (let w = 0; w < pwindows; w++) {
+    let wbits = Number(n & mask);
+    n >>= shiftBy;
+    if (wbits > pwindowSize) {
+      wbits -= maxNum;
+      n += 1n;
+    }
+    const off = w * pwindowSize;
+    const offF = off;
+    const offP = off + Math.abs(wbits) - 1;
+    const isEven = w % 2 !== 0;
+    const isNeg = wbits < 0;
+    if (wbits === 0) {
+      f = f.add(ctneg(isEven, comp[offF]));
+    } else {
+      p = p.add(ctneg(isNeg, comp[offP]));
+    }
+  }
+  return { p, f };
+};
+etc.sha512Sync = (...m) => {
+  const hash = createHash("sha512");
+  m.forEach((msg) => hash.update(msg));
+  return hash.digest();
+};
+const DOMAIN_PREFIX = "moltnet:v1";
+function buildSigningBytes(message, nonce) {
+  const msgHash = createHash("sha256").update(Buffer.from(message, "utf-8")).digest();
+  const nonceBytes = Buffer.from(nonce, "utf-8");
+  const prefix = Buffer.from(DOMAIN_PREFIX, "utf-8");
+  const buf = Buffer.alloc(
+    prefix.length + 4 + msgHash.length + 4 + nonceBytes.length
+  );
+  let offset = 0;
+  prefix.copy(buf, offset);
+  offset += prefix.length;
+  buf.writeUInt32BE(msgHash.length, offset);
+  offset += 4;
+  msgHash.copy(buf, offset);
+  offset += msgHash.length;
+  buf.writeUInt32BE(nonceBytes.length, offset);
+  offset += 4;
+  nonceBytes.copy(buf, offset);
+  return new Uint8Array(buf);
+}
+const cryptoService = {
+  /**
+   * Generate a new Ed25519 keypair
+   */
+  async generateKeyPair() {
+    const privateKeyBytes = utils.randomPrivateKey();
+    const publicKeyBytes = await getPublicKeyAsync(privateKeyBytes);
+    const privateKey = Buffer.from(privateKeyBytes).toString("base64");
+    const publicKey = `ed25519:${Buffer.from(publicKeyBytes).toString("base64")}`;
+    const fingerprint = this.generateFingerprint(publicKeyBytes);
+    return { publicKey, privateKey, fingerprint };
+  },
+  /**
+   * Generate human-readable fingerprint from public key
+   * Format: A1B2-C3D4-E5F6-G7H8 (first 16 hex chars of SHA256)
+   */
+  generateFingerprint(publicKeyBytes) {
+    const hash = createHash("sha256").update(publicKeyBytes).digest("hex");
+    const segments = hash.slice(0, 16).toUpperCase().match(/.{4}/g) ?? [];
+    return segments.join("-");
+  },
+  /**
+   * Parse public key from string format
+   */
+  parsePublicKey(publicKey) {
+    const base64 = publicKey.replace(/^ed25519:/, "");
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  },
+  /**
+   * Sign a message with private key
+   */
+  async sign(message, privateKeyBase64) {
+    const privateKeyBytes = new Uint8Array(
+      Buffer.from(privateKeyBase64, "base64")
+    );
+    const messageBytes = new TextEncoder().encode(message);
+    const signature = await signAsync(messageBytes, privateKeyBytes);
+    return Buffer.from(signature).toString("base64");
+  },
+  /**
+   * Verify a signature against a message and public key
+   */
+  async verify(message, signature, publicKey) {
+    try {
+      const publicKeyBytes = this.parsePublicKey(publicKey);
+      const signatureBytes = new Uint8Array(Buffer.from(signature, "base64"));
+      const messageBytes = new TextEncoder().encode(message);
+      return await verifyAsync(signatureBytes, messageBytes, publicKeyBytes);
+    } catch {
+      return false;
+    }
+  },
+  /**
+   * Sign a (message, nonce) pair using deterministic pre-hash.
+   * Uses buildSigningBytes for domain separation and canonical serialization.
+   */
+  async signWithNonce(message, nonce, privateKeyBase64) {
+    const privateKeyBytes = new Uint8Array(
+      Buffer.from(privateKeyBase64, "base64")
+    );
+    const signingBytes = buildSigningBytes(message, nonce);
+    const signature = await signAsync(signingBytes, privateKeyBytes);
+    return Buffer.from(signature).toString("base64");
+  },
+  /**
+   * Verify a signature produced by signWithNonce.
+   */
+  async verifyWithNonce(message, nonce, signature, publicKey) {
+    try {
+      const publicKeyBytes = this.parsePublicKey(publicKey);
+      const signatureBytes = new Uint8Array(Buffer.from(signature, "base64"));
+      const signingBytes = buildSigningBytes(message, nonce);
+      return await verifyAsync(signatureBytes, signingBytes, publicKeyBytes);
+    } catch {
+      return false;
+    }
+  },
+  /**
+   * Create a signed message object
+   */
+  async createSignedMessage(message, privateKeyBase64, publicKey) {
+    const signature = await this.sign(message, privateKeyBase64);
+    return { message, signature, publicKey };
+  },
+  /**
+   * Verify a signed message object
+   */
+  async verifySignedMessage(signedMessage) {
+    return this.verify(
+      signedMessage.message,
+      signedMessage.signature,
+      signedMessage.publicKey
+    );
+  },
+  /**
+   * Generate a random challenge for authentication
+   */
+  generateChallenge() {
+    return `moltnet:challenge:${randomBytes$1(32).toString("hex")}:${Date.now()}`;
+  },
+  /**
+   * Derive public key from private key
+   */
+  async derivePublicKey(privateKeyBase64) {
+    const privateKeyBytes = new Uint8Array(
+      Buffer.from(privateKeyBase64, "base64")
+    );
+    const publicKeyBytes = await getPublicKeyAsync(privateKeyBytes);
+    return `ed25519:${Buffer.from(publicKeyBytes).toString("base64")}`;
+  },
+  /**
+   * Get fingerprint from public key string
+   */
+  getFingerprintFromPublicKey(publicKey) {
+    const publicKeyBytes = this.parsePublicKey(publicKey);
+    return this.generateFingerprint(publicKeyBytes);
+  },
+  /**
+   * Create a proof of identity ownership (for DCR metadata)
+   */
+  async createIdentityProof(identityId, privateKeyBase64) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const message = `moltnet:register:${identityId}:${timestamp}`;
+    const signature = await this.sign(message, privateKeyBase64);
+    return { message, signature, timestamp };
+  },
+  /**
+   * Verify an identity proof
+   */
+  async verifyIdentityProof(proof, publicKey, expectedIdentityId) {
+    const isValid = await this.verify(
+      proof.message,
+      proof.signature,
+      publicKey
+    );
+    if (!isValid) return false;
+    const expectedPrefix = `moltnet:register:${expectedIdentityId}:`;
+    if (!proof.message.startsWith(expectedPrefix)) return false;
+    const proofTime = new Date(proof.timestamp).getTime();
+    const now = Date.now();
+    const fiveMinutes = 5 * 60 * 1e3;
+    if (now - proofTime > fiveMinutes) return false;
+    return true;
+  }
+};
+if (!etc.sha512Sync) {
+  etc.sha512Sync = (...m) => {
+    const hash = createHash("sha512");
+    m.forEach((msg) => hash.update(msg));
+    return hash.digest();
+  };
+}
+const SSH_ED25519_KEY_TYPE = "ssh-ed25519";
+const AUTH_MAGIC = "openssh-key-v1\0";
+const CIPHER_NONE = "none";
+function encodeUInt32(n) {
+  const buf = Buffer.alloc(4);
+  buf.writeUInt32BE(n, 0);
+  return buf;
+}
+function encodeSSHString(data) {
+  const buf = typeof data === "string" ? Buffer.from(data) : data;
+  return Buffer.concat([encodeUInt32(buf.length), buf]);
+}
+function toSSHPublicKey(moltnetPublicKey) {
+  const match = moltnetPublicKey.match(/^ed25519:(.+)$/);
+  if (!match) {
+    throw new Error(
+      'Invalid MoltNet public key format: expected "ed25519:<base64>"'
+    );
+  }
+  const pubkeyBytes = Buffer.from(match[1], "base64");
+  if (pubkeyBytes.length !== 32) {
+    throw new Error(
+      `Invalid Ed25519 public key length: expected 32 bytes, got ${pubkeyBytes.length}`
+    );
+  }
+  const blob = Buffer.concat([
+    encodeSSHString(SSH_ED25519_KEY_TYPE),
+    encodeSSHString(pubkeyBytes)
+  ]);
+  return `${SSH_ED25519_KEY_TYPE} ${blob.toString("base64")}`;
+}
+function toSSHPrivateKey(seedBase64) {
+  const seed = Buffer.from(seedBase64, "base64");
+  if (seed.length !== 32) {
+    throw new Error(
+      `Invalid Ed25519 seed length: expected 32 bytes, got ${seed.length}`
+    );
+  }
+  const pubkeyBytes = Buffer.from(getPublicKey(seed));
+  const pubkeyBlob = Buffer.concat([
+    encodeSSHString(SSH_ED25519_KEY_TYPE),
+    encodeSSHString(pubkeyBytes)
+  ]);
+  const checkInt = encodeUInt32(0);
+  const privkeyData = Buffer.concat([seed, pubkeyBytes]);
+  const comment = Buffer.alloc(0);
+  const privateSection = Buffer.concat([
+    checkInt,
+    // checkint1
+    checkInt,
+    // checkint2
+    encodeSSHString(SSH_ED25519_KEY_TYPE),
+    // keytype
+    encodeSSHString(pubkeyBytes),
+    // pubkey
+    encodeSSHString(privkeyData),
+    // privkey (seed + pubkey)
+    encodeSSHString(comment)
+    // comment
+  ]);
+  const blockSize = 8;
+  const padLength = privateSection.length % blockSize === 0 ? 0 : blockSize - privateSection.length % blockSize;
+  const padding = Buffer.alloc(padLength);
+  for (let i = 0; i < padLength; i++) {
+    padding[i] = i + 1;
+  }
+  const paddedPrivateSection = Buffer.concat([privateSection, padding]);
+  const keyBinary = Buffer.concat([
+    Buffer.from(AUTH_MAGIC, "ascii"),
+    // "openssh-key-v1\0"
+    encodeSSHString(CIPHER_NONE),
+    // ciphername
+    encodeSSHString(CIPHER_NONE),
+    // kdfname
+    encodeSSHString(Buffer.alloc(0)),
+    // kdf options (empty)
+    encodeUInt32(1),
+    // number of keys
+    encodeSSHString(pubkeyBlob),
+    // public key blob
+    encodeSSHString(paddedPrivateSection)
+    // private section
+  ]);
+  const base64 = keyBinary.toString("base64");
+  const lines = [];
+  for (let i = 0; i < base64.length; i += 70) {
+    lines.push(base64.slice(i, i + 70));
+  }
+  return [
+    "-----BEGIN OPENSSH PRIVATE KEY-----",
+    ...lines,
+    "-----END OPENSSH PRIVATE KEY-----",
+    ""
+    // trailing newline
+  ].join("\n");
+}
+async function exportSSHKey(opts) {
+  const config = await readConfig(opts?.configDir);
+  if (!config) {
+    throw new Error(`No config found at ${getConfigPath(opts?.configDir)} — run \`moltnet register\` first`);
+  }
+  const privateKeySSH = toSSHPrivateKey(config.keys.private_key);
+  const publicKeySSH = toSSHPublicKey(config.keys.public_key);
+  const outputDir = opts?.outputDir ?? join(opts?.configDir ?? getConfigDir(), "ssh");
+  await mkdir(outputDir, { recursive: true });
+  const privatePath = join(outputDir, "id_ed25519");
+  const publicPath = join(outputDir, "id_ed25519.pub");
+  await writeFile(privatePath, privateKeySSH, { mode: 384 });
+  await writeFile(publicPath, publicKeySSH, { mode: 420 });
+  await updateConfigSection("ssh", { private_key_path: privatePath, public_key_path: publicPath }, opts?.configDir);
+  return { privatePath, publicPath };
+}
+const POLL_INTERVAL_MS = 5e3;
+function isProblemDetails(err2) {
+  return typeof err2 === "object" && err2 !== null && "title" in err2 && typeof err2.title === "string" && "status" in err2 && typeof err2.status === "number";
+}
+function toErrorMessage(err2) {
+  if (err2 instanceof Error) {
+    return err2.message;
+  }
+  if (isProblemDetails(err2)) {
+    return problemToError(err2, err2.status).message;
+  }
+  return JSON.stringify(err2);
+}
+const POLL_TIMEOUT_MS = 5 * 60 * 1e3;
+function makeClient(baseUrl) {
+  return createClient({ baseUrl });
+}
+async function startOnboarding(baseUrl, body) {
+  const client2 = makeClient(baseUrl);
+  const res = await startLegreffierOnboarding({
+    client: client2,
+    body,
+    throwOnError: true
+  });
+  return res.data;
+}
+async function checkWorkflowLive(baseUrl, workflowId) {
+  try {
+    const result = await pollStatus(baseUrl, workflowId);
+    return result.status !== "failed";
+  } catch {
+    return false;
+  }
+}
+async function pollStatus(baseUrl, workflowId) {
+  const client2 = makeClient(baseUrl);
+  const res = await getLegreffierOnboardingStatus({
+    client: client2,
+    path: { workflowId },
+    throwOnError: true
+  });
+  return res.data;
+}
+async function pollUntil(baseUrl, workflowId, targetStatuses, onTick) {
+  const deadline = Date.now() + POLL_TIMEOUT_MS;
+  while (Date.now() < deadline) {
+    const result = await pollStatus(baseUrl, workflowId);
+    onTick?.(result.status);
+    if (targetStatuses.includes(result.status)) {
+      return result;
+    }
+    if (result.status === "failed") {
+      throw new Error("Onboarding workflow failed");
+    }
+    await new Promise((resolve) => {
+      setTimeout(resolve, POLL_INTERVAL_MS);
+    });
+  }
+  throw new Error(
+    `Timed out waiting for status: ${targetStatuses.join(" or ")}`
+  );
+}
+const SKILLS = [
+  {
+    name: "legreffier",
+    url: "https://raw.githubusercontent.com/getlarge/themoltnet/main/.claude/skills/legreffier/SKILL.md"
+  }
+];
+async function downloadSkills(repoDir) {
+  for (const skill of SKILLS) {
+    const dir2 = join(repoDir, ".claude", "skills", skill.name);
+    await mkdir(dir2, { recursive: true });
+    const res = await fetch(skill.url);
+    if (!res.ok) {
+      throw new Error(`Failed to download skill ${skill.name} (${res.status})`);
+    }
+    const content = await res.text();
+    await writeFile(join(dir2, "SKILL.md"), content, "utf-8");
+  }
+}
+function toEnvPrefix(agentName) {
+  return agentName.toUpperCase().replace(/[^A-Z0-9]/g, "_");
+}
+async function writeSettingsLocal({
+  repoDir,
+  agentName,
+  appSlug,
+  pemPath,
+  installationId,
+  clientId,
+  clientSecret
+}) {
+  const dir2 = join(repoDir, ".claude");
+  await mkdir(dir2, { recursive: true });
+  const filePath = join(dir2, "settings.local.json");
+  let existing = {};
+  try {
+    existing = JSON.parse(await readFile(filePath, "utf-8"));
+  } catch {
+  }
+  const prefix = toEnvPrefix(agentName);
+  const settings = {
+    ...existing,
+    enableAllProjectMcpServers: true,
+    env: {
+      ...existing.env,
+      [`${prefix}_GITHUB_APP_ID`]: appSlug,
+      [`${prefix}_GITHUB_APP_PRIVATE_KEY_PATH`]: pemPath,
+      [`${prefix}_GITHUB_APP_INSTALLATION_ID`]: installationId,
+      [`${prefix}_CLIENT_ID`]: clientId,
+      [`${prefix}_CLIENT_SECRET`]: clientSecret
+    }
+  };
+  await writeFile(filePath, JSON.stringify(settings, null, 2) + "\n", "utf-8");
+}
+function deriveProjectSlug(cwd = process.cwd()) {
+  try {
+    const origin = execSync("git remote get-url origin", {
+      cwd,
+      stdio: ["pipe", "pipe", "pipe"]
+    }).toString().trim();
+    const match = origin.match(/[:/]([^/]+\/[^/]+?)(?:\.git)?$/);
+    if (match) {
+      return match[1].replace("/", "-");
+    }
+  } catch {
+  }
+  return basename(cwd);
+}
+function getStatePath(projectSlug, agentName) {
+  return join(
+    homedir(),
+    ".config",
+    "moltnet",
+    projectSlug,
+    `legreffier-init.${agentName}.state.json`
+  );
+}
+async function readState(projectSlug, agentName) {
+  try {
+    const raw = await readFile(getStatePath(projectSlug, agentName), "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+async function writeState(state, projectSlug, agentName) {
+  const path = getStatePath(projectSlug, agentName);
+  await mkdir(join(homedir(), ".config", "moltnet", projectSlug), {
+    recursive: true
+  });
+  await writeFile(path, JSON.stringify(state, null, 2) + "\n", {
+    mode: 384
+  });
+}
+async function clearState(projectSlug, agentName) {
+  try {
+    await rm(getStatePath(projectSlug, agentName));
+  } catch {
+  }
+}
+async function runAgentSetupPhase(opts) {
+  const {
+    apiUrl: apiUrl2,
+    repoDir,
+    configDir,
+    agentName,
+    publicKey,
+    fingerprint,
+    appSlug,
+    pemPath,
+    installationId,
+    identityId,
+    clientId,
+    clientSecret,
+    projectSlug,
+    dispatch
+  } = opts;
+  dispatch({ type: "phase", phase: "agent_setup" });
+  const existingConfig = await readConfig(configDir);
+  if (!existingConfig?.oauth2?.client_id && clientId) {
+    await writeConfig(
+      {
+        identity_id: identityId,
+        registered_at: (/* @__PURE__ */ new Date()).toISOString(),
+        oauth2: { client_id: clientId, client_secret: clientSecret },
+        keys: {
+          public_key: publicKey,
+          private_key: existingConfig?.keys?.private_key ?? "",
+          fingerprint
+        },
+        endpoints: {
+          api: apiUrl2,
+          mcp: apiUrl2.replace("://api.", "://mcp.") + "/mcp"
+        },
+        github: {
+          app_id: appSlug,
+          app_slug: appSlug,
+          installation_id: installationId,
+          private_key_path: pemPath
+        }
+      },
+      configDir
+    );
+  }
+  if (clientId) {
+    const prefix = toEnvPrefix(agentName);
+    const mcpUrl = apiUrl2.replace("://api.", "://mcp.") + "/mcp";
+    await writeMcpConfig(
+      {
+        mcpServers: {
+          [agentName]: {
+            type: "http",
+            url: mcpUrl,
+            headers: {
+              "X-Client-Id": `\${${prefix}_CLIENT_ID}`,
+              "X-Client-Secret": `\${${prefix}_CLIENT_SECRET}`
+            }
+          }
+        }
+      },
+      repoDir
+    );
+  }
+  dispatch({ type: "step", key: "skills", status: "running" });
+  await downloadSkills(repoDir);
+  dispatch({ type: "step", key: "skills", status: "done" });
+  dispatch({ type: "step", key: "settings", status: "running" });
+  await writeSettingsLocal({
+    repoDir,
+    agentName,
+    appSlug,
+    pemPath,
+    installationId,
+    clientId,
+    clientSecret
+  });
+  dispatch({ type: "step", key: "settings", status: "done" });
+  await clearState(projectSlug, agentName);
+}
+async function exchangeManifestCode(code) {
+  const res = await fetch(
+    `https://api.github.com/app-manifests/${code}/conversions`,
+    {
+      method: "POST",
+      headers: {
+        Accept: "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28"
+      }
+    }
+  );
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`GitHub code exchange failed (${res.status}): ${body}`);
+  }
+  const data = await res.json();
+  return {
+    appId: String(data.id),
+    appSlug: data.slug,
+    pem: data.pem,
+    clientId: data.client_id,
+    clientSecret: data.client_secret
+  };
+}
+const GITHUB_HEADERS = {
+  Accept: "application/vnd.github+json",
+  "X-GitHub-Api-Version": "2022-11-28"
+};
+async function githubUserExists(username) {
+  const res = await fetch(
+    `https://api.github.com/users/${encodeURIComponent(username)}`,
+    { headers: GITHUB_HEADERS }
+  );
+  return res.status === 200;
+}
+async function checkAppNameAvailable(appName) {
+  const [userTaken, botTaken] = await Promise.all([
+    githubUserExists(appName),
+    githubUserExists(appName + "[bot]")
+  ]);
+  return !userTaken && !botTaken;
+}
+async function suggestAppNames(appName) {
+  const candidates = [
+    `${appName}-bot`,
+    `${appName}-app`,
+    `${appName}-moltnet`,
+    `my-${appName}`
+  ];
+  const results = await Promise.all(
+    candidates.map(async (name2) => ({
+      name: name2,
+      available: await checkAppNameAvailable(name2)
+    }))
+  );
+  return results.filter((r) => r.available).map((r) => r.name);
+}
+async function lookupBotUser(appSlug, { maxRetries = 5, baseDelayMs = 2e3 } = {}) {
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    for (const username of [`${appSlug}[bot]`, appSlug]) {
+      const res = await fetch(
+        `https://api.github.com/users/${encodeURIComponent(username)}`,
+        { headers: GITHUB_HEADERS }
+      );
+      if (res.ok) {
+        const data = await res.json();
+        return {
+          id: data.id,
+          email: `${data.id}+${data.login}@users.noreply.github.com`
+        };
+      }
+    }
+    if (attempt < maxRetries) {
+      const delayMs = baseDelayMs * 2 ** attempt;
+      await new Promise((resolve) => {
+        setTimeout(resolve, delayMs);
+      });
+    }
+  }
+  throw new Error(`GitHub user lookup failed for app "${appSlug}"`);
+}
+async function writePem(pem, appSlug, projectSlug) {
+  const dir2 = join(homedir(), ".config", "moltnet", projectSlug);
+  await mkdir(dir2, { recursive: true });
+  const path = join(dir2, `${appSlug}.pem`);
+  await writeFile(path, pem, { mode: 384 });
+  await chmod(path, 384);
+  return path;
+}
+async function writeGitConfig({
+  configDir,
+  name: name2,
+  email,
+  sshKeyPath
+}) {
+  const content = [
+    "[user]",
+    `	name = ${name2}`,
+    `	email = ${email}`,
+    "[gpg]",
+    "	format = ssh",
+    '[gpg "ssh"]',
+    `	signingKey = ${sshKeyPath}`,
+    "[commit]",
+    "	gpgsign = true",
+    ""
+  ].join("\n");
+  const filePath = join(configDir, "gitconfig");
+  await writeFile(filePath, content, { mode: 384 });
+  return filePath;
+}
+async function runGithubAppPhase(opts) {
+  const {
+    apiUrl: apiUrl2,
+    agentName,
+    configDir,
+    projectSlug,
+    publicKey,
+    privateKey,
+    fingerprint,
+    workflowId,
+    manifestFormUrl,
+    dispatch
+  } = opts;
+  const existingConfig = await readConfig(configDir);
+  const existingState = await readState(projectSlug, agentName);
+  if (existingConfig?.github?.app_id) {
+    dispatch({ type: "step", key: "githubApp", status: "skipped" });
+    dispatch({
+      type: "appSlug",
+      appSlug: existingConfig.github.app_slug ?? ""
+    });
+    return {
+      appSlug: existingConfig.github.app_slug ?? "",
+      pemPath: existingConfig.github.private_key_path,
+      installationId: existingConfig.github.installation_id,
+      skipped: true
+    };
+  }
+  if (existingState?.appSlug && existingState?.appId) {
+    const pemPath2 = join(
+      homedir(),
+      ".config",
+      "moltnet",
+      projectSlug,
+      `${existingState.appSlug}.pem`
+    );
+    dispatch({ type: "step", key: "githubApp", status: "skipped" });
+    dispatch({ type: "appSlug", appSlug: existingState.appSlug });
+    return {
+      appSlug: existingState.appSlug,
+      pemPath: pemPath2,
+      installationId: "",
+      skipped: true
+    };
+  }
+  dispatch({ type: "phase", phase: "github_app" });
+  dispatch({ type: "step", key: "githubApp", status: "running" });
+  dispatch({ type: "manifestFormUrl", url: manifestFormUrl });
+  await open(manifestFormUrl);
+  const codeResult = await pollUntil(
+    apiUrl2,
+    workflowId,
+    ["github_code_ready", "awaiting_installation", "completed"],
+    (status) => dispatch({ type: "serverStatus", status })
+  );
+  if (!codeResult.githubCode) {
+    throw new Error("GitHub code not available in onboarding status");
+  }
+  const ghCreds = await exchangeManifestCode(codeResult.githubCode);
+  dispatch({ type: "appSlug", appSlug: ghCreds.appSlug });
+  const pemPath = await writePem(ghCreds.pem, ghCreds.appSlug, projectSlug);
+  await writeState(
+    {
+      workflowId,
+      publicKey,
+      privateKey,
+      fingerprint,
+      agentName,
+      phase: "awaiting_installation",
+      appId: ghCreds.appId,
+      appSlug: ghCreds.appSlug
+    },
+    projectSlug,
+    agentName
+  );
+  dispatch({ type: "step", key: "githubApp", status: "done" });
+  return {
+    appSlug: ghCreds.appSlug,
+    pemPath,
+    installationId: "",
+    skipped: false
+  };
+}
+async function runGitSetupPhase(opts) {
+  const { configDir, agentName, appSlug, dispatch } = opts;
+  const existingConfig = await readConfig(configDir);
+  if (existingConfig?.git?.config_path) {
+    dispatch({ type: "step", key: "gitSetup", status: "skipped" });
+    return;
+  }
+  dispatch({ type: "phase", phase: "git_setup" });
+  dispatch({ type: "step", key: "gitSetup", status: "running" });
+  const { privatePath } = await exportSSHKey({ configDir });
+  const botUser = await lookupBotUser(appSlug);
+  const gitConfigPath = await writeGitConfig({
+    configDir,
+    name: agentName,
+    email: botUser.email,
+    sshKeyPath: privatePath
+  });
+  await updateConfigSection(
+    "git",
+    {
+      name: agentName,
+      email: botUser.email,
+      signing: true,
+      config_path: gitConfigPath
+    },
+    configDir
+  );
+  dispatch({ type: "step", key: "gitSetup", status: "done" });
+}
+async function runIdentityPhase(opts) {
+  const { apiUrl: apiUrl2, agentName, configDir, projectSlug, dispatch } = opts;
+  const existingConfig = await readConfig(configDir);
+  const existingState = await readState(projectSlug, agentName);
+  if (existingConfig?.keys?.public_key && existingConfig?.oauth2?.client_id) {
+    dispatch({ type: "step", key: "keypair", status: "skipped" });
+    dispatch({ type: "step", key: "register", status: "skipped" });
+    dispatch({
+      type: "fingerprint",
+      fingerprint: existingConfig.keys.fingerprint
+    });
+    const workflowId = existingState?.workflowId && !existingConfig.github?.app_id ? existingState.workflowId : "";
+    return {
+      publicKey: existingConfig.keys.public_key,
+      privateKey: existingConfig.keys.private_key,
+      fingerprint: existingConfig.keys.fingerprint,
+      workflowId,
+      manifestFormUrl: "",
+      clientId: existingConfig.oauth2.client_id,
+      clientSecret: existingConfig.oauth2.client_secret,
+      skipped: true
+    };
+  }
+  const resumePublicKey = existingConfig?.keys?.public_key ?? existingState?.publicKey;
+  const resumeFingerprint = existingConfig?.keys?.fingerprint ?? existingState?.fingerprint;
+  if (existingState?.workflowId && resumePublicKey && resumeFingerprint) {
+    const live = await checkWorkflowLive(apiUrl2, existingState.workflowId);
+    if (live) {
+      dispatch({ type: "step", key: "keypair", status: "skipped" });
+      dispatch({ type: "step", key: "register", status: "skipped" });
+      dispatch({ type: "fingerprint", fingerprint: resumeFingerprint });
+      const resumePrivateKey = existingConfig?.keys?.private_key ?? existingState.privateKey;
+      if (!existingConfig?.keys?.public_key) {
+        await writeConfig(
+          {
+            identity_id: "",
+            registered_at: (/* @__PURE__ */ new Date()).toISOString(),
+            oauth2: { client_id: "", client_secret: "" },
+            keys: {
+              public_key: resumePublicKey,
+              private_key: resumePrivateKey,
+              fingerprint: resumeFingerprint
+            },
+            endpoints: { api: apiUrl2, mcp: "" }
+          },
+          configDir
+        );
+      }
+      return {
+        publicKey: resumePublicKey,
+        privateKey: resumePrivateKey,
+        fingerprint: resumeFingerprint,
+        workflowId: existingState.workflowId,
+        manifestFormUrl: "",
+        clientId: existingConfig?.oauth2?.client_id ?? "",
+        clientSecret: existingConfig?.oauth2?.client_secret ?? "",
+        skipped: true
+      };
+    }
+    await clearState(projectSlug, agentName);
+  }
+  const available = await checkAppNameAvailable(agentName);
+  if (!available) {
+    const suggestions = await suggestAppNames(agentName);
+    const hint = suggestions.length > 0 ? ` Try one of: ${suggestions.map((s) => `--name ${s}`).join(", ")}` : ` Try adding a suffix like --name ${agentName}-bot`;
+    throw new Error(`GitHub App name "${agentName}" is already taken.${hint}`);
+  }
+  dispatch({ type: "step", key: "keypair", status: "running" });
+  const kp = await cryptoService.generateKeyPair();
+  dispatch({ type: "fingerprint", fingerprint: kp.fingerprint });
+  dispatch({ type: "step", key: "keypair", status: "done" });
+  dispatch({ type: "step", key: "register", status: "running" });
+  const started = await startOnboarding(apiUrl2, {
+    publicKey: kp.publicKey,
+    fingerprint: kp.fingerprint,
+    agentName
+  });
+  await writeState(
+    {
+      workflowId: started.workflowId,
+      publicKey: kp.publicKey,
+      privateKey: kp.privateKey,
+      fingerprint: kp.fingerprint,
+      agentName,
+      phase: "awaiting_github"
+    },
+    projectSlug,
+    agentName
+  );
+  await writeConfig(
+    {
+      identity_id: "",
+      registered_at: (/* @__PURE__ */ new Date()).toISOString(),
+      oauth2: { client_id: "", client_secret: "" },
+      keys: {
+        public_key: kp.publicKey,
+        private_key: kp.privateKey,
+        fingerprint: kp.fingerprint
+      },
+      endpoints: { api: apiUrl2, mcp: "" }
+    },
+    configDir
+  );
+  dispatch({ type: "step", key: "register", status: "done" });
+  return {
+    publicKey: kp.publicKey,
+    privateKey: kp.privateKey,
+    fingerprint: kp.fingerprint,
+    workflowId: started.workflowId,
+    manifestFormUrl: started.manifestFormUrl,
+    clientId: "",
+    clientSecret: "",
+    skipped: false
+  };
+}
+async function runInstallationPhase(opts) {
+  const { apiUrl: apiUrl2, configDir, workflowId, appSlug, dispatch } = opts;
+  const existingConfig = await readConfig(configDir);
+  if (existingConfig?.github?.installation_id && existingConfig?.oauth2?.client_id) {
+    dispatch({ type: "step", key: "installation", status: "skipped" });
+    return {
+      installationId: existingConfig.github.installation_id,
+      identityId: existingConfig.identity_id ?? "",
+      clientId: existingConfig.oauth2.client_id,
+      clientSecret: existingConfig.oauth2.client_secret
+    };
+  }
+  dispatch({ type: "phase", phase: "installation" });
+  dispatch({ type: "step", key: "installation", status: "running" });
+  const installUrl = `https://github.com/apps/${appSlug}/installations/new`;
+  dispatch({ type: "installationUrl", url: installUrl });
+  await open(installUrl);
+  const result = await pollUntil(
+    apiUrl2,
+    workflowId,
+    ["completed"],
+    (status) => dispatch({ type: "serverStatus", status })
+  );
+  dispatch({ type: "step", key: "installation", status: "done" });
+  return {
+    installationId: "",
+    identityId: result.identityId ?? "",
+    clientId: result.clientId ?? "",
+    clientSecret: result.clientSecret ?? ""
+  };
+}
+const AGENTS = [
+  {
+    id: "claude",
+    label: "Claude Code",
+    description: "settings.local.json + .mcp.json + /legreffier skill",
+    available: true
+  },
+  {
+    id: "cursor",
+    label: "Cursor",
+    description: "coming soon",
+    available: false
+  },
+  {
+    id: "codex",
+    label: "Codex",
+    description: "coming soon",
+    available: false
+  }
+];
+function AgentSelect({ onSelect }) {
+  const [selected, setSelected] = useState(0);
+  useInput((_input, key) => {
+    if (key.upArrow) {
+      setSelected((i) => i > 0 ? i - 1 : i);
+    } else if (key.downArrow) {
+      setSelected((i) => i < AGENTS.length - 1 ? i + 1 : i);
+    } else if (key.return) {
+      const agent2 = AGENTS[selected];
+      if (agent2 && agent2.available) {
+        onSelect(agent2.id);
+      }
+    }
+  });
+  return /* @__PURE__ */ jsx(Box, { flexDirection: "column", marginBottom: 1, children: /* @__PURE__ */ jsxs(
+    Box,
+    {
+      borderStyle: "round",
+      borderColor: cliTheme.color.primary,
+      flexDirection: "column",
+      paddingX: 2,
+      paddingY: 1,
+      children: [
+        /* @__PURE__ */ jsx(Text, { color: cliTheme.color.primary, bold: true, children: "Select your AI coding agent" }),
+        /* @__PURE__ */ jsx(Text, { children: " " }),
+        AGENTS.map((agent2, i) => {
+          const isCurrent = i === selected;
+          const prefix = isCurrent ? "▸ " : "  ";
+          return /* @__PURE__ */ jsxs(Box, { children: [
+            /* @__PURE__ */ jsx(
+              Text,
+              {
+                color: !agent2.available ? cliTheme.color.muted : isCurrent ? cliTheme.color.accent : cliTheme.color.text,
+                bold: isCurrent && agent2.available,
+                children: prefix + agent2.label
+              }
+            ),
+            /* @__PURE__ */ jsx(Text, { color: cliTheme.color.muted, children: "  " + agent2.description })
+          ] }, agent2.id);
+        }),
+        /* @__PURE__ */ jsx(Text, { children: " " }),
+        /* @__PURE__ */ jsx(Text, { color: cliTheme.color.muted, children: "  ↑↓ to navigate, Enter to select" })
+      ]
+    }
+  ) });
+}
+const initialSteps = {
+  keypair: "pending",
+  register: "pending",
+  githubApp: "pending",
+  gitSetup: "pending",
+  installation: "pending",
+  skills: "pending",
+  settings: "pending"
+};
+function uiReducer(state, action) {
+  switch (action.type) {
+    case "step":
+      return {
+        ...state,
+        steps: { ...state.steps, [action.key]: action.status }
+      };
+    case "phase":
+      return { ...state, phase: action.phase };
+    case "fingerprint":
+      return { ...state, fingerprint: action.fingerprint };
+    case "appSlug":
+      return { ...state, appSlug: action.appSlug };
+    case "serverStatus":
+      return { ...state, serverStatus: action.status };
+    case "manifestFormUrl":
+      return { ...state, manifestFormUrl: action.url };
+    case "installationUrl":
+      return { ...state, installationUrl: action.url };
+    case "summary":
+      return { ...state, summary: action.summary };
+    case "error":
+      return { ...state, phase: "error", errorMessage: action.message };
+    default:
+      return state;
+  }
+}
+const WORK_PHASES = [
+  "identity",
+  "github_app",
+  "git_setup",
+  "installation",
+  "agent_setup"
+];
+function isFuturePhase(current, target) {
+  return WORK_PHASES.indexOf(target) > WORK_PHASES.indexOf(current);
+}
+function DisclaimerPhase({
+  selectedAgent,
+  onAccept,
+  onSelectAgent,
+  onReject
+}) {
+  return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", paddingY: 1, children: [
+    /* @__PURE__ */ jsx(CliHero, { animated: true }),
+    /* @__PURE__ */ jsx(
+      CliDisclaimer,
+      {
+        onAccept: selectedAgent ? onAccept : onSelectAgent,
+        onReject
+      }
+    )
+  ] });
+}
+function AgentSelectPhase({
+  onSelect
+}) {
+  return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", paddingY: 1, children: [
+    /* @__PURE__ */ jsx(CliHero, {}),
+    /* @__PURE__ */ jsx(AgentSelect, { onSelect })
+  ] });
+}
+function ErrorPhase({ message }) {
+  return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", paddingY: 1, children: [
+    /* @__PURE__ */ jsx(CliHero, {}),
+    /* @__PURE__ */ jsx(
+      Box,
+      {
+        borderStyle: "round",
+        borderColor: cliTheme.color.error,
+        paddingX: 2,
+        paddingY: 1,
+        marginBottom: 1,
+        children: /* @__PURE__ */ jsx(Text, { color: cliTheme.color.error, bold: true, children: "✗  Setup failed: " + (message ?? "unknown error") })
+      }
+    ),
+    /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+      "  ",
+      "Run again to resume from where you left off."
+    ] })
+  ] });
+}
+function DonePhase({ summary }) {
+  return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", paddingY: 1, children: [
+    /* @__PURE__ */ jsx(CliHero, {}),
+    summary && /* @__PURE__ */ jsx(
+      CliSummaryBox,
+      {
+        agentName: summary.agentName,
+        fingerprint: summary.fingerprint,
+        appSlug: summary.appSlug,
+        apiUrl: summary.apiUrl,
+        mcpUrl: summary.mcpUrl
+      }
+    )
+  ] });
+}
+function ProgressPhase({
+  state,
+  name: name2,
+  showManifestFallback,
+  showInstallFallback
+}) {
+  const {
+    phase,
+    fingerprint,
+    appSlug,
+    serverStatus,
+    manifestFormUrl,
+    installationUrl,
+    steps
+  } = state;
+  const future = (p) => isFuturePhase(phase, p);
+  const githubAppSpinnerLabel = serverStatus === "awaiting_installation" ? "GitHub App created, waiting for installation…" : `Waiting for GitHub App creation (app name: "${name2}")…`;
+  const installationSpinnerLabel = serverStatus === "completed" ? "Installation confirmed, finalising…" : "Waiting for GitHub App installation…";
+  return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", paddingY: 1, children: [
+    /* @__PURE__ */ jsx(CliHero, {}),
+    /* @__PURE__ */ jsx(Text, { color: cliTheme.color.muted, children: "  API: " + state.agentName }),
+    /* @__PURE__ */ jsx(CliStepHeader, { n: 1, total: 4, label: "Identity" }),
+    /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(
+        CliStatusLine,
+        {
+          label: "Generate Ed25519 keypair",
+          status: future("identity") ? "pending" : steps.keypair,
+          detail: steps.keypair === "done" || steps.keypair === "skipped" ? fingerprint : void 0
+        }
+      ),
+      /* @__PURE__ */ jsx(
+        CliStatusLine,
+        {
+          label: "Register on MoltNet",
+          status: future("identity") ? "pending" : steps.register
+        }
+      )
+    ] }),
+    /* @__PURE__ */ jsx(CliStepHeader, { n: 2, total: 4, label: "GitHub App" }),
+    /* @__PURE__ */ jsx(Box, { flexDirection: "column", children: steps.githubApp === "running" ? /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(CliSpinner, { label: githubAppSpinnerLabel }),
+      showManifestFallback && manifestFormUrl ? /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+        "  → ",
+        /* @__PURE__ */ jsx(Text, { color: cliTheme.color.accent, children: manifestFormUrl })
+      ] }) : null
+    ] }) : /* @__PURE__ */ jsx(
+      CliStatusLine,
+      {
+        label: "Create GitHub App",
+        status: future("github_app") ? "pending" : steps.githubApp,
+        detail: appSlug ?? void 0
+      }
+    ) }),
+    /* @__PURE__ */ jsx(CliStepHeader, { n: 3, total: 4, label: "Git identity" }),
+    /* @__PURE__ */ jsx(
+      CliStatusLine,
+      {
+        label: "Export SSH keys + configure git",
+        status: future("git_setup") ? "pending" : steps.gitSetup
+      }
+    ),
+    /* @__PURE__ */ jsx(CliStepHeader, { n: 4, total: 4, label: "Finalise" }),
+    /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      steps.installation === "running" ? /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+        /* @__PURE__ */ jsx(CliSpinner, { label: installationSpinnerLabel }),
+        showInstallFallback && installationUrl ? /* @__PURE__ */ jsxs(Text, { color: cliTheme.color.muted, children: [
+          "  → ",
+          /* @__PURE__ */ jsx(Text, { color: cliTheme.color.accent, children: installationUrl })
+        ] }) : null
+      ] }) : /* @__PURE__ */ jsx(
+        CliStatusLine,
+        {
+          label: "GitHub App installation",
+          status: future("installation") ? "pending" : steps.installation
+        }
+      ),
+      /* @__PURE__ */ jsx(
+        CliStatusLine,
+        {
+          label: "Download skills",
+          status: future("installation") ? "pending" : steps.skills
+        }
+      ),
+      /* @__PURE__ */ jsx(
+        CliStatusLine,
+        {
+          label: "Write settings.local.json",
+          status: future("installation") ? "pending" : steps.settings
+        }
+      )
+    ] }),
+    /* @__PURE__ */ jsx(CliDivider, {})
+  ] });
+}
+function InitApp({
+  name: name2,
+  agent: agentProp,
+  apiUrl: apiUrl2,
+  dir: dir2 = process.cwd()
+}) {
+  const { exit } = useApp();
+  const [state, dispatch] = useReducer(uiReducer, {
+    phase: "disclaimer",
+    agentName: name2,
+    steps: initialSteps
+  });
+  const [accepted, setAccepted] = useState(false);
+  const [selectedAgent, setSelectedAgent] = useState(
+    agentProp ?? null
+  );
+  const [showManifestFallback, setShowManifestFallback] = useState(false);
+  const [showInstallFallback, setShowInstallFallback] = useState(false);
+  const manifestTimerRef = useRef(null);
+  const installTimerRef = useRef(null);
+  useEffect(() => {
+    if (state.manifestFormUrl) {
+      manifestTimerRef.current = setTimeout(
+        () => setShowManifestFallback(true),
+        2e3
+      );
+      return () => {
+        if (manifestTimerRef.current) clearTimeout(manifestTimerRef.current);
+      };
+    }
+  }, [state.manifestFormUrl]);
+  useEffect(() => {
+    if (state.installationUrl) {
+      installTimerRef.current = setTimeout(
+        () => setShowInstallFallback(true),
+        2e3
+      );
+      return () => {
+        if (installTimerRef.current) clearTimeout(installTimerRef.current);
+      };
+    }
+  }, [state.installationUrl]);
+  useEffect(() => {
+    if (!accepted) return;
+    dispatch({ type: "phase", phase: "identity" });
+    void (async () => {
+      try {
+        const configDir = join(dir2, ".moltnet", name2);
+        const projectSlug = deriveProjectSlug(dir2);
+        const identity = await runIdentityPhase({
+          apiUrl: apiUrl2,
+          agentName: name2,
+          configDir,
+          projectSlug,
+          dispatch
+        });
+        const githubApp = await runGithubAppPhase({
+          apiUrl: apiUrl2,
+          agentName: name2,
+          configDir,
+          projectSlug,
+          publicKey: identity.publicKey,
+          privateKey: identity.privateKey,
+          fingerprint: identity.fingerprint,
+          workflowId: identity.workflowId,
+          manifestFormUrl: identity.manifestFormUrl,
+          dispatch
+        });
+        await runGitSetupPhase({
+          configDir,
+          agentName: name2,
+          appSlug: githubApp.appSlug,
+          dispatch
+        });
+        const installation = await runInstallationPhase({
+          apiUrl: apiUrl2,
+          configDir,
+          workflowId: identity.workflowId,
+          appSlug: githubApp.appSlug,
+          dispatch
+        });
+        await runAgentSetupPhase({
+          apiUrl: apiUrl2,
+          repoDir: dir2,
+          configDir,
+          agentName: name2,
+          publicKey: identity.publicKey,
+          fingerprint: identity.fingerprint,
+          appSlug: githubApp.appSlug,
+          pemPath: githubApp.pemPath,
+          installationId: installation.installationId || githubApp.installationId,
+          identityId: installation.identityId,
+          clientId: installation.clientId || identity.clientId,
+          clientSecret: installation.clientSecret || identity.clientSecret,
+          projectSlug,
+          dispatch
+        });
+        const mcpUrl = apiUrl2.replace("://api.", "://mcp.") + "/mcp";
+        dispatch({
+          type: "summary",
+          summary: {
+            agentName: name2,
+            fingerprint: identity.fingerprint,
+            appSlug: githubApp.appSlug,
+            apiUrl: apiUrl2,
+            mcpUrl
+          }
+        });
+        dispatch({ type: "phase", phase: "done" });
+        setTimeout(() => exit(), 3e3);
+      } catch (err2) {
+        dispatch({ type: "error", message: toErrorMessage(err2) });
+      }
+    })();
+  }, [accepted]);
+  const { phase } = state;
+  const renderPhase = {
+    disclaimer: () => /* @__PURE__ */ jsx(
+      DisclaimerPhase,
+      {
+        selectedAgent,
+        onAccept: () => setAccepted(true),
+        onSelectAgent: () => dispatch({ type: "phase", phase: "agent_select" }),
+        onReject: () => exit()
+      }
+    ),
+    agent_select: () => /* @__PURE__ */ jsx(
+      AgentSelectPhase,
+      {
+        onSelect: (agent2) => {
+          setSelectedAgent(agent2);
+          setAccepted(true);
+        }
+      }
+    ),
+    error: () => /* @__PURE__ */ jsx(ErrorPhase, { message: state.errorMessage }),
+    done: () => /* @__PURE__ */ jsx(DonePhase, { summary: state.summary })
+  };
+  const renderer = renderPhase[phase];
+  if (renderer) return renderer();
+  return /* @__PURE__ */ jsx(
+    ProgressPhase,
+    {
+      state,
+      name: name2,
+      showManifestFallback,
+      showInstallFallback
+    }
+  );
+}
+const SUPPORTED_AGENTS = ["claude"];
+const { values } = parseArgs({
+  args: process.argv.slice(2),
+  options: {
+    name: { type: "string", short: "n" },
+    agent: { type: "string", short: "a" },
+    "api-url": { type: "string" },
+    dir: { type: "string" }
+  }
+});
+const name = values["name"];
+const agentFlag = values["agent"];
+const apiUrl = values["api-url"] ?? process.env.MOLTNET_API_URL ?? "https://api.themolt.net";
+const dir = values["dir"] ?? process.cwd();
+if (!name) {
+  process.stderr.write(
+    "Usage: legreffier --name <agent-name> [--agent claude] [--api-url <url>] [--dir <path>]\n"
+  );
+  process.exit(1);
+}
+if (agentFlag && !SUPPORTED_AGENTS.includes(agentFlag)) {
+  process.stderr.write(
+    `Unsupported agent: ${agentFlag}. Supported: ${SUPPORTED_AGENTS.join(", ")}
+`
+  );
+  process.exit(1);
+}
+const agent = agentFlag;
+render(/* @__PURE__ */ jsx(InitApp, { name, agent, apiUrl, dir }));