@themoltnet/legreffier 0.28.1 → 0.29.0

package/README.md

@@ -55,6 +55,43 @@ legreffier setup --name my-agent --agent codex
 legreffier setup --name my-agent --agent claude --agent codex
 ```
 
+#### `legreffier port`
+
+Port an existing agent identity into a new repository — **reuses** the
+cryptographic identity, GitHub App, SSH keys, and gitconfig instead of
+creating a new agent. Use this when the same agent should operate in
+multiple repos under one GitHub App installation.
+
+```bash
+legreffier port \
+  --name my-agent \
+  --from /path/to/source-repo/.moltnet/my-agent \
+  [--dir /path/to/target-repo] \
+  [--agent claude] [--agent codex] \
+  [--diary new|reuse|skip]
+```
+
+Phases:
+
+1. **validate** — dry-run `repairConfig` on the source + presence checks
+   for PEM, ssh keys, `installation_id`, `client_id/secret`.
+2. **copy** — copies `moltnet.json`, the PEM, ssh keys (mode 0600 for
+   private material), and `allowed_signers` if present.
+3. **rewrite** — rewrites absolute paths in `moltnet.json` to the target
+   repo and regenerates `gitconfig` + `env`.
+4. **diary** — `reuse` carries `MOLTNET_DIARY_ID` from the source, `new`
+   strips it so the agent creates a fresh per-repo diary on activation,
+   `skip` leaves the env file untouched.
+5. **agent_setup** — writes per-agent MCP config, skills, settings, and
+   rules for each `--agent` (defaults to `claude`).
+6. **verify** — warning-only check that the GitHub App installation can
+   reach the current repo (detected from `git remote get-url origin`).
+   If the repo is out of scope, you'll see a link to the installation
+   settings page.
+
+**Identity guard:** if the target already has a `.moltnet/<name>/` with
+a different `identity_id`, port refuses to overwrite it.
+
 ### Options
 
 | Flag          | Description                             | Default                   |
@@ -63,6 +100,8 @@ legreffier setup --name my-agent --agent claude --agent codex
 | `--agent, -a` | Agent type(s) to configure (repeatable) | Interactive prompt        |
 | `--api-url`   | MoltNet API URL                         | `https://api.themolt.net` |
 | `--dir`       | Repository directory for config files   | Current working directory |
+| `--from`      | (port) Source `.moltnet/<name>` dir     | —                         |
+| `--diary`     | (port) Diary handling: new/reuse/skip   | `new`                     |
 
 Supported agents: `claude`, `codex`.
 

package/dist/index.js

@@ -1,13 +1,15 @@
 #!/usr/bin/env node
-import { parseArgs } from "node:util";
+import { statSync } from "node:fs";
+import { parseArgs, parseEnv } from "node:util";
 import { Box, Text, render, useApp, useInput } from "ink";
-import { execFileSync } from "node:child_process";
-import { dirname, join } from "node:path";
+import { execFileSync, execSync } from "node:child_process";
+import { basename, dirname, join } from "node:path";
 import { useEffect, useReducer, useRef, useState } from "react";
 import { jsx, jsxs } from "react/jsx-runtime";
 import figlet from "figlet";
+import { createSign } from "node:crypto";
 import { createHash, randomBytes } from "crypto";
-import { chmod, mkdir, readFile, rm, writeFile } from "node:fs/promises";
+import { access, chmod, copyFile, mkdir, readFile, rm, writeFile } from "node:fs/promises";
 import { homedir } from "node:os";
 import { parse, stringify } from "smol-toml";
 import open from "open";
@@ -7192,6 +7194,13 @@ async function writeMcpConfig(mcpConfig, dir) {
 }
 //#endregion
 //#region ../../libs/sdk/src/credentials.ts
+/**
+* Derive the MCP URL from an API URL.
+* e.g. "https://api.themolt.net" → "https://mcp.themolt.net/mcp"
+*/
+function deriveMcpUrl(apiUrl) {
+	return apiUrl.replace("://api.", "://mcp.") + "/mcp";
+}
 function getConfigDir() {
 	return join(homedir(), ".config", "moltnet");
 }
@@ -7241,6 +7250,119 @@ async function updateConfigSection(section, data, configDir) {
 	await writeConfig(config, configDir);
 }
 //#endregion
+//#region ../../libs/sdk/src/repair.ts
+/**
+* Validate and optionally repair a MoltNet config.
+*
+* Checks required fields, detects stale file paths, and migrates
+* `credentials.json` to `moltnet.json` when found.
+*
+* Pass `dryRun: true` to report issues without writing changes.
+*/
+async function repairConfig(opts) {
+	const dir = opts?.configDir ?? getConfigDir();
+	const issues = [];
+	let config = await tryReadJson(join(dir, "moltnet.json"));
+	if (!config) {
+		const legacy = await tryReadJson(join(dir, "credentials.json"));
+		if (legacy) {
+			config = legacy;
+			issues.push({
+				field: "file",
+				problem: "using deprecated credentials.json — will migrate to moltnet.json",
+				action: "migrate"
+			});
+			if (!opts?.dryRun) await writeConfig(config, dir);
+		} else return {
+			issues: [],
+			config: null
+		};
+	}
+	validateConfig(config, issues);
+	await checkFilePaths(config, issues);
+	if (!config.endpoints.mcp && config.endpoints.api) {
+		config.endpoints.mcp = deriveMcpUrl(config.endpoints.api);
+		issues.push({
+			field: "endpoints.mcp",
+			problem: "missing — derived from API endpoint",
+			action: "fixed"
+		});
+	}
+	if (issues.some((i) => i.action === "fixed") && !opts?.dryRun) await writeConfig(config, dir);
+	return {
+		issues,
+		config
+	};
+}
+function validateConfig(config, issues) {
+	if (!config.identity_id) issues.push({
+		field: "identity_id",
+		problem: "missing",
+		action: "warning"
+	});
+	if (!config.keys.public_key) issues.push({
+		field: "keys.public_key",
+		problem: "missing",
+		action: "warning"
+	});
+	if (!config.keys.private_key) issues.push({
+		field: "keys.private_key",
+		problem: "missing",
+		action: "warning"
+	});
+	if (config.keys.public_key && !config.keys.public_key.startsWith("ed25519:")) issues.push({
+		field: "keys.public_key",
+		problem: "missing 'ed25519:' prefix",
+		action: "warning"
+	});
+	if (!config.endpoints.api) issues.push({
+		field: "endpoints.api",
+		problem: "missing",
+		action: "warning"
+	});
+	if (config.github?.app_id && !/^\d+$/.test(config.github.app_id)) issues.push({
+		field: "github.app_id",
+		problem: `not a numeric GitHub App ID (got "${config.github.app_id}") — likely the slug; refetch via \`moltnet config init-from-env\` or re-run \`legreffier\``,
+		action: "warning"
+	});
+}
+async function checkFilePaths(config, issues) {
+	const checks = [];
+	if (config.ssh?.private_key_path) checks.push({
+		field: "ssh.private_key_path",
+		path: config.ssh.private_key_path
+	});
+	if (config.ssh?.public_key_path) checks.push({
+		field: "ssh.public_key_path",
+		path: config.ssh.public_key_path
+	});
+	if (config.git?.config_path) checks.push({
+		field: "git.config_path",
+		path: config.git.config_path
+	});
+	if (config.github?.private_key_path) checks.push({
+		field: "github.private_key_path",
+		path: config.github.private_key_path
+	});
+	for (const { field, path } of checks) try {
+		await access(path);
+	} catch {
+		issues.push({
+			field,
+			problem: `file not found: ${path}`,
+			action: "warning"
+		});
+	}
+}
+async function tryReadJson(path) {
+	try {
+		const content = await readFile(path, "utf-8");
+		return JSON.parse(content);
+	} catch {
+		return null;
+	}
+}
+//#endregion
 //#region ../../libs/sdk/src/ssh.ts
 /**
 * Export the agent's Ed25519 key pair as OpenSSH key files.
@@ -7424,6 +7546,20 @@ function buildGhTokenRule(agentName) {
 		"The token is cached locally (~1 hour lifetime, 5-min expiry buffer),",
 		"so repeated calls are fast after the first API hit.",
 		"",
+		"## Worktree warning",
+		"",
+		`\`GIT_CONFIG_GLOBAL\` may be a **relative path** (e.g. \`.moltnet/${agentName}/gitconfig\`).`,
+		"In git worktrees the CWD differs from the main worktree root, so `$(dirname \"$GIT_CONFIG_GLOBAL\")`",
+		"resolves incorrectly and `no credentials found` is printed — the command then falls back to your",
+		"personal `gh` token silently.",
+		"",
+		"**Always resolve to an absolute path first:**",
+		"",
+		"```bash",
+		"CREDS=\"$(cd \"$(dirname \"$GIT_CONFIG_GLOBAL\")\" && pwd)/moltnet.json\"",
+		"GH_TOKEN=$(npx @themoltnet/cli github token --credentials \"$CREDS\") gh <command>",
+		"```",
+		"",
 		"## Allowed `gh` subcommands",
 		"",
 		"The GitHub App only has these permissions:",
@@ -7517,6 +7653,28 @@ function buildCodexRules(_agentName) {
 		"    decision = \"allow\",",
 		")",
 		"",
+		"# GitHub CLI — read-only subcommands (write ops prompt the user)",
+		"prefix_rule(",
+		"    pattern = [\"gh\", \"pr\", \"view\"],",
+		"    decision = \"allow\",",
+		")",
+		"prefix_rule(",
+		"    pattern = [\"gh\", \"pr\", \"list\"],",
+		"    decision = \"allow\",",
+		")",
+		"prefix_rule(",
+		"    pattern = [\"gh\", \"issue\", \"view\"],",
+		"    decision = \"allow\",",
+		")",
+		"prefix_rule(",
+		"    pattern = [\"gh\", \"issue\", \"list\"],",
+		"    decision = \"allow\",",
+		")",
+		"prefix_rule(",
+		"    pattern = [\"gh\", \"repo\", \"view\"],",
+		"    decision = \"allow\",",
+		")",
+		"",
 		"# Worktree symlink creation",
 		"prefix_rule(",
 		"    pattern = [\"ln\", \"-s\"],",
@@ -7559,7 +7717,7 @@ function toEnvPrefix(agentName) {
 	return agentName.toUpperCase().replace(/[^A-Z0-9]/g, "_");
 }
 /** Merge agent env vars into .claude/settings.local.json, preserving existing entries. */
-async function writeSettingsLocal({ repoDir, agentName, appSlug, pemPath, installationId, clientId, clientSecret }) {
+async function writeSettingsLocal({ repoDir, agentName, appId, pemPath, installationId, clientId, clientSecret }) {
 	const dir = join(repoDir, ".claude");
 	await mkdir(dir, { recursive: true });
 	const filePath = join(dir, "settings.local.json");
@@ -7582,7 +7740,7 @@ async function writeSettingsLocal({ repoDir, agentName, appSlug, pemPath, instal
 		},
 		env: {
 			...existing.env,
-			[`${prefix}_GITHUB_APP_ID`]: appSlug,
+			[`${prefix}_GITHUB_APP_ID`]: appId,
 			[`${prefix}_GITHUB_APP_PRIVATE_KEY_PATH`]: pemPath,
 			[`${prefix}_GITHUB_APP_INSTALLATION_ID`]: installationId,
 			[`${prefix}_CLIENT_ID`]: clientId,
@@ -7612,7 +7770,7 @@ var ClaudeAdapter = class {
 		await writeSettingsLocal({
 			repoDir: opts.repoDir,
 			agentName: opts.agentName,
-			appSlug: opts.appSlug,
+			appId: opts.appId,
 			pemPath: opts.pemPath,
 			installationId: opts.installationId,
 			clientId: opts.clientId,
@@ -7672,6 +7830,13 @@ var adapters = {
 };
 //#endregion
 //#region src/env-file.ts
+/**
+* Parse a dotenv-format string using Node.js built-in `util.parseEnv`.
+* Handles quoting, comments, and blank lines.
+*/
+function parseEnvFile(content) {
+	return parseEnv(content);
+}
 function q(v) {
 	return `'${v.replace(/'/g, "'\\''")}'`;
 }
@@ -7686,10 +7851,11 @@ async function writeEnvFile(opts) {
 	const managedEntries = [
 		[`${opts.prefix}_CLIENT_ID`, q(opts.clientId)],
 		[`${opts.prefix}_CLIENT_SECRET`, q(opts.clientSecret)],
-		[`${opts.prefix}_GITHUB_APP_ID`, q(opts.appSlug)],
+		[`${opts.prefix}_GITHUB_APP_ID`, q(opts.appId)],
 		[`${opts.prefix}_GITHUB_APP_PRIVATE_KEY_PATH`, q(opts.pemPath)],
 		[`${opts.prefix}_GITHUB_APP_INSTALLATION_ID`, q(opts.installationId)],
-		["GIT_CONFIG_GLOBAL", q(`.moltnet/${opts.agentName}/gitconfig`)]
+		["GIT_CONFIG_GLOBAL", q(`.moltnet/${opts.agentName}/gitconfig`)],
+		["MOLTNET_AGENT_NAME", q(opts.agentName)]
 	];
 	const managedKeys = new Set(managedEntries.map(([k]) => k));
 	let existingLines = [];
@@ -7746,7 +7912,7 @@ async function clearState(configDir) {
 //#endregion
 //#region src/phases/agentSetup.ts
 async function runAgentSetupPhase(opts) {
-	const { apiUrl, repoDir, configDir, agentName, agentTypes, publicKey, fingerprint, appSlug, pemPath, installationId, identityId, clientId, clientSecret, dispatch } = opts;
+	const { apiUrl, repoDir, configDir, agentName, agentTypes, publicKey, fingerprint, appId, appSlug, pemPath, installationId, identityId, clientId, clientSecret, org, dispatch } = opts;
 	dispatch({
 		type: "phase",
 		phase: "agent_setup"
@@ -7769,10 +7935,11 @@ async function runAgentSetupPhase(opts) {
 			mcp: apiUrl.replace("://api.", "://mcp.") + "/mcp"
 		},
 		github: {
-			app_id: appSlug,
+			app_id: appId,
 			app_slug: appSlug,
 			installation_id: installationId,
-			private_key_path: pemPath
+			private_key_path: pemPath,
+			...org ? { org } : {}
 		}
 	}, configDir);
 	const prefix = toEnvPrefix(agentName);
@@ -7784,6 +7951,7 @@ async function runAgentSetupPhase(opts) {
 		clientId,
 		clientSecret,
 		appSlug,
+		appId,
 		pemPath,
 		installationId
 	};
@@ -7819,7 +7987,7 @@ async function runAgentSetupPhase(opts) {
 		prefix,
 		clientId,
 		clientSecret,
-		appSlug,
+		appId,
 		pemPath,
 		installationId
 	});
@@ -7878,35 +8046,6 @@ async function suggestAppNames(appName) {
 		available: await checkAppNameAvailable(name)
 	})))).filter((r) => r.available).map((r) => r.name);
 }
-/**
-* Look up GitHub bot user and derive noreply email.
-* Tries <appSlug>[bot] first (exists post-installation), then falls back to
-* plain <appSlug> (exists right after app creation, pre-installation).
-*
-* Retries with exponential backoff because GitHub's public /users API
-* may not index a newly created app account immediately.
-*/
-async function lookupBotUser(appSlug, { maxRetries = 5, baseDelayMs = 2e3 } = {}) {
-	for (let attempt = 0; attempt <= maxRetries; attempt++) {
-		for (const username of [`${appSlug}[bot]`, appSlug]) {
-			const res = await fetch(`https://api.github.com/users/${encodeURIComponent(username)}`, { headers: GITHUB_HEADERS });
-			if (res.ok) {
-				const data = await res.json();
-				return {
-					id: data.id,
-					email: `${data.id}+${data.login}@users.noreply.github.com`
-				};
-			}
-		}
-		if (attempt < maxRetries) {
-			const delayMs = baseDelayMs * 2 ** attempt;
-			await new Promise((resolve) => {
-				setTimeout(resolve, delayMs);
-			});
-		}
-	}
-	throw new Error(`GitHub user lookup failed for app "${appSlug}"`);
-}
 /** Write GitHub App PEM to <configDir>/<appSlug>.pem (mode 0o600). */
 async function writePem(pem, appSlug, configDir) {
 	await mkdir(configDir, { recursive: true });
@@ -7954,6 +8093,7 @@ async function runGithubAppPhase(opts) {
 			appSlug: existingConfig.github.app_slug ?? ""
 		});
 		return {
+			appId: existingConfig.github.app_id,
 			appSlug: existingConfig.github.app_slug ?? "",
 			pemPath: existingConfig.github.private_key_path,
 			installationId: existingConfig.github.installation_id,
@@ -7972,6 +8112,7 @@ async function runGithubAppPhase(opts) {
 			appSlug: existingState.appSlug
 		});
 		return {
+			appId: existingState.appId,
 			appSlug: existingState.appSlug,
 			pemPath,
 			installationId: "",
@@ -8023,6 +8164,7 @@ async function runGithubAppPhase(opts) {
 		status: "done"
 	});
 	return {
+		appId: ghCreds.appId,
 		appSlug: ghCreds.appSlug,
 		pemPath,
 		installationId: "",
@@ -8030,6 +8172,136 @@ async function runGithubAppPhase(opts) {
 	};
 }
 //#endregion
+//#region ../github-agent/src/bot-user.ts
+var GITHUB_API_BASE_URL = "https://api.github.com";
+/**
+* Look up the shadow bot user associated with a GitHub App.
+* Every GitHub App gets a bot user account (`<slug>[bot]`).
+* This endpoint is public — no authentication required.
+*
+* Tries `<appSlug>[bot]` first (exists post-installation), then falls
+* back to plain `<appSlug>` (exists right after app creation, pre-install).
+*
+* @returns The bot user ID and login
+*/
+async function lookupBotUser(appSlug, opts = {}) {
+	const { apiBaseUrl = GITHUB_API_BASE_URL, maxRetries = 0, baseDelayMs = 2e3 } = opts;
+	const headers = {
+		Accept: "application/vnd.github+json",
+		"X-GitHub-Api-Version": "2022-11-28"
+	};
+	for (let attempt = 0; attempt <= maxRetries; attempt++) {
+		for (const username of [`${appSlug}[bot]`, appSlug]) {
+			const url = `${apiBaseUrl}/users/${encodeURIComponent(username)}`;
+			const response = await fetch(url, { headers });
+			if (response.ok) {
+				const data = await response.json();
+				return {
+					id: data.id,
+					login: data.login
+				};
+			}
+		}
+		if (attempt < maxRetries) {
+			const delayMs = baseDelayMs * 2 ** attempt;
+			await new Promise((resolve) => {
+				setTimeout(resolve, delayMs);
+			});
+		}
+	}
+	throw new Error(`GitHub user lookup failed for app "${appSlug}"`);
+}
+/**
+* Build the GitHub noreply email for a bot user.
+* Format: `<bot-user-id>+<slug>[bot]@users.noreply.github.com`
+*/
+function buildBotEmail(botUserId, appSlug) {
+	return `${botUserId}+${appSlug}[bot]@users.noreply.github.com`;
+}
+//#endregion
+//#region ../github-agent/src/token.ts
+/**
+* Create a JWT signed with the GitHub App's RSA private key.
+*/
+function createAppJWT(appId, privateKeyPem) {
+	const now = Math.floor(Date.now() / 1e3);
+	const header = Buffer.from(JSON.stringify({
+		alg: "RS256",
+		typ: "JWT"
+	})).toString("base64url");
+	const payload = Buffer.from(JSON.stringify({
+		iss: appId,
+		iat: now - 60,
+		exp: now + 600
+	})).toString("base64url");
+	const sign = createSign("RSA-SHA256");
+	sign.update(`${header}.${payload}`);
+	return `${header}.${payload}.${sign.sign(privateKeyPem, "base64url")}`;
+}
+/** Minimum remaining validity before we consider a cached token expired. */
+var EXPIRY_BUFFER_MS = 300 * 1e3;
+/**
+* Read a cached token from disk. Returns null if missing, corrupt, or expired.
+*/
+async function readTokenCache(cachePath) {
+	try {
+		const raw = await readFile(cachePath, "utf-8");
+		const cached = JSON.parse(raw);
+		if (!cached.token || !cached.expires_at) return null;
+		const expiresAt = new Date(cached.expires_at).getTime();
+		if (Date.now() + EXPIRY_BUFFER_MS >= expiresAt) return null;
+		return {
+			token: cached.token,
+			expiresAt: cached.expires_at
+		};
+	} catch {
+		return null;
+	}
+}
+/**
+* Write a token to the cache file (best-effort).
+*/
+async function writeTokenCache(cachePath, token, expiresAt) {
+	const cache = {
+		token,
+		expires_at: expiresAt
+	};
+	try {
+		await writeFile(cachePath, JSON.stringify(cache), { mode: 384 });
+	} catch {}
+}
+/**
+* Exchange a GitHub App JWT for an installation access token.
+* Uses a file-based cache next to the private key to avoid
+* hitting the GitHub API on every call.
+*/
+async function getInstallationToken(opts) {
+	const cachePath = join(dirname(opts.privateKeyPath), "gh-token-cache.json");
+	const cached = await readTokenCache(cachePath);
+	if (cached) return cached;
+	const privateKeyPem = await readFile(opts.privateKeyPath, "utf-8");
+	const jwt = createAppJWT(opts.appId, privateKeyPem);
+	const response = await fetch(`https://api.github.com/app/installations/${opts.installationId}/access_tokens`, {
+		method: "POST",
+		headers: {
+			Authorization: `Bearer ${jwt}`,
+			Accept: "application/vnd.github+json",
+			"X-GitHub-Api-Version": "2022-11-28"
+		}
+	});
+	if (!response.ok) {
+		const body = await response.text();
+		throw new Error(`GitHub API error (${response.status}): ${body}`);
+	}
+	const data = await response.json();
+	const result = {
+		token: data.token,
+		expiresAt: data.expires_at
+	};
+	await writeTokenCache(cachePath, result.token, result.expiresAt);
+	return result;
+}
+//#endregion
 //#region src/phases/gitSetup.ts
 async function runGitSetupPhase(opts) {
 	const { configDir, agentName, appSlug, dispatch } = opts;
@@ -8051,18 +8323,17 @@ async function runGitSetupPhase(opts) {
 		status: "running"
 	});
 	const { privatePath } = await exportSSHKey({ configDir });
-	const botUser = await lookupBotUser(appSlug);
-	const gitConfigPath = await writeGitConfig({
-		configDir,
-		name: agentName,
-		email: botUser.email,
-		sshKeyPath: privatePath
-	});
+	const email = buildBotEmail((await lookupBotUser(appSlug, { maxRetries: 5 })).id, appSlug);
 	await updateConfigSection("git", {
 		name: agentName,
-		email: botUser.email,
+		email,
 		signing: true,
-		config_path: gitConfigPath
+		config_path: await writeGitConfig({
+			configDir,
+			name: agentName,
+			email,
+			sshKeyPath: privatePath
+		})
 	}, configDir);
 	dispatch({
 		type: "step",
@@ -8073,7 +8344,7 @@ async function runGitSetupPhase(opts) {
 //#endregion
 //#region src/phases/identity.ts
 async function runIdentityPhase(opts) {
-	const { apiUrl, agentName, configDir, dispatch } = opts;
+	const { apiUrl, agentName, configDir, org, dispatch } = opts;
 	const existingConfig = await readConfig(configDir);
 	const existingState = await readState(configDir);
 	if (existingConfig?.keys?.public_key && existingConfig?.oauth2?.client_id) {
@@ -8180,7 +8451,8 @@ async function runIdentityPhase(opts) {
 	const started = await startOnboarding(apiUrl, {
 		publicKey: kp.publicKey,
 		fingerprint: kp.fingerprint,
-		agentName
+		agentName,
+		...org ? { org } : {}
 	});
 	await writeState({
 		workflowId: started.workflowId,
@@ -8572,7 +8844,7 @@ function ProgressPhase({ state, name, showManifestFallback, showInstallFallback
 		]
 	});
 }
-function InitApp({ name, agents: agentsProp, apiUrl, dir = process.cwd() }) {
+function InitApp({ name, agents: agentsProp, apiUrl, dir = process.cwd(), org }) {
 	const { exit } = useApp();
 	const [state, dispatch] = useReducer(uiReducer, {
 		phase: "disclaimer",
@@ -8614,6 +8886,7 @@ function InitApp({ name, agents: agentsProp, apiUrl, dir = process.cwd() }) {
 					apiUrl,
 					agentName: name,
 					configDir,
+					org,
 					dispatch
 				});
 				const githubApp = await runGithubAppPhase({
@@ -8648,12 +8921,14 @@ function InitApp({ name, agents: agentsProp, apiUrl, dir = process.cwd() }) {
 					agentTypes: selectedAgents,
 					publicKey: identity.publicKey,
 					fingerprint: identity.fingerprint,
+					appId: githubApp.appId,
 					appSlug: githubApp.appSlug,
 					pemPath: githubApp.pemPath,
 					installationId: installation.installationId || githubApp.installationId,
 					identityId: installation.identityId,
 					clientId: installation.clientId || identity.clientId,
 					clientSecret: installation.clientSecret || identity.clientSecret,
+					org,
 					dispatch
 				});
 				const mcpUrl = apiUrl.replace("://api.", "://mcp.") + "/mcp";
@@ -8707,6 +8982,580 @@ function InitApp({ name, agents: agentsProp, apiUrl, dir = process.cwd() }) {
 	});
 }
 //#endregion
+//#region src/phases/portValidate.ts
+/**
+* Validate a source `.moltnet/<agent>/` directory for porting.
+*
+* Runs the generic `repairConfig({ dryRun: true })` checks, then adds
+* port-specific blocking checks:
+*  - `identity_id`, `keys.fingerprint`, `oauth2.client_id/secret`
+*  - `github.app_id` present and numeric, `github.app_slug`, `github.installation_id`
+*  - `ssh.private_key_path`, `ssh.public_key_path`, `git.config_path` set
+*  - `github.private_key_path` set
+*  - All four absolute paths (ssh priv/pub, git config, github pem) exist on disk
+*
+* Throws if `moltnet.json` is missing or unreadable — nothing to port.
+*/
+async function runPortValidatePhase(opts) {
+	const { sourceDir } = opts;
+	const config = await readConfig(sourceDir);
+	if (!config) throw new Error(`No moltnet.json found in ${sourceDir} — nothing to port. Run \`legreffier\` on a repo first to create a source identity.`);
+	const { issues: baseIssues } = await repairConfig({
+		configDir: sourceDir,
+		dryRun: true
+	});
+	const issues = [...baseIssues];
+	if (!config.oauth2?.client_id) issues.push({
+		field: "oauth2.client_id",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.oauth2?.client_secret) issues.push({
+		field: "oauth2.client_secret",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.keys?.fingerprint) issues.push({
+		field: "keys.fingerprint",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.github?.app_id) issues.push({
+		field: "github.app_id",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.github?.app_slug) issues.push({
+		field: "github.app_slug",
+		problem: "missing — required for port (used for PEM filename and bot lookup)",
+		action: "warning"
+	});
+	if (!config.github?.installation_id) issues.push({
+		field: "github.installation_id",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.github?.private_key_path) issues.push({
+		field: "github.private_key_path",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.ssh?.private_key_path) issues.push({
+		field: "ssh.private_key_path",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.ssh?.public_key_path) issues.push({
+		field: "ssh.public_key_path",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.git?.config_path) issues.push({
+		field: "git.config_path",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	return {
+		config,
+		issues,
+		canProceed: issues.filter((i) => i.action === "warning").length === 0
+	};
+}
+/** Check whether a file is readable. Used by portCopy for optional files. */
+async function fileExists(path) {
+	try {
+		await access(path);
+		return true;
+	} catch {
+		return false;
+	}
+}
+//#endregion
+//#region src/phases/portCopy.ts
+/**
+* Copy private material from a source `.moltnet/<agent>/` into the target.
+*
+* Copies:
+*  - `moltnet.json` (0600) — will later be rewritten in P3 with absolute paths
+*  - GitHub App PEM (0600) — at `<sourceDir>/<appSlug>.pem` by convention
+*  - SSH private key (0600) and public key (0644)
+*  - `allowed_signers` if present (0644) — optional, warning only
+*
+* Assumes `runPortValidatePhase` has been run and `canProceed` was true,
+* so required fields and files are known to exist.
+*/
+async function runPortCopyPhase(opts) {
+	const { sourceDir, targetDir, config } = opts;
+	const copied = [];
+	const warnings = [];
+	await mkdir(targetDir, { recursive: true });
+	const targetConfig = join(targetDir, "moltnet.json");
+	await copyFile(join(sourceDir, "moltnet.json"), targetConfig);
+	await chmod(targetConfig, 384);
+	copied.push(targetConfig);
+	if (!config.github?.private_key_path) throw new Error("github.private_key_path missing — run portValidate first");
+	const targetPem = join(targetDir, basename(config.github.private_key_path));
+	await copyFile(config.github.private_key_path, targetPem);
+	await chmod(targetPem, 384);
+	copied.push(targetPem);
+	if (!config.ssh?.private_key_path || !config.ssh?.public_key_path) throw new Error("ssh key paths missing — run portValidate first");
+	const sshDir = join(targetDir, "ssh");
+	await mkdir(sshDir, { recursive: true });
+	const targetSshPriv = join(sshDir, basename(config.ssh.private_key_path));
+	await copyFile(config.ssh.private_key_path, targetSshPriv);
+	await chmod(targetSshPriv, 384);
+	copied.push(targetSshPriv);
+	const targetSshPub = join(sshDir, basename(config.ssh.public_key_path));
+	await copyFile(config.ssh.public_key_path, targetSshPub);
+	await chmod(targetSshPub, 420);
+	copied.push(targetSshPub);
+	const sourceAllowed = join(dirname(config.ssh.private_key_path), "allowed_signers");
+	if (await fileExists(sourceAllowed)) {
+		const targetAllowed = join(sshDir, "allowed_signers");
+		await copyFile(sourceAllowed, targetAllowed);
+		await chmod(targetAllowed, 420);
+		copied.push(targetAllowed);
+	} else warnings.push(`allowed_signers not found at ${sourceAllowed} — skipping (optional)`);
+	return {
+		copied,
+		warnings
+	};
+}
+//#endregion
+//#region src/phases/portDiary.ts
+/**
+* Standard UUID v4-ish shape. Diary IDs are server-issued UUIDs; anything
+* else in this field is either stale data, a mis-parsed env line, or a
+* crafted injection attempt (e.g. embedded newlines) and must be rejected
+* before we echo it into the target env file.
+*/
+var DIARY_ID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+/**
+* Read `MOLTNET_DIARY_ID` from a source env file.
+* Returns null if the file or key is absent, or if the stored value is
+* not a valid UUID (defensive: never propagate malformed data).
+*/
+async function readSourceDiaryId(sourceDir) {
+	try {
+		const raw = parseEnvFile(await readFile(join(sourceDir, "env"), "utf-8")).MOLTNET_DIARY_ID;
+		if (!raw || !DIARY_ID_RE.test(raw)) return null;
+		return raw;
+	} catch {
+		return null;
+	}
+}
+/**
+* Apply the chosen diary mode to the target env file:
+*
+*  - `reuse`: persist the source MOLTNET_DIARY_ID in the target env
+*  - `new`: strip MOLTNET_DIARY_ID from the target env (legreffier skill
+*    will resolve it at session start via `diaries_list` / create)
+*  - `skip`: leave the target env untouched
+*
+* Assumes the target env file has already been written by `portRewrite`.
+*/
+async function runPortDiaryPhase(opts) {
+	const { targetDir, mode, sourceDiaryId } = opts;
+	const envPath = join(targetDir, "env");
+	if (mode === "skip") return {
+		mode,
+		diaryId: null,
+		modified: false
+	};
+	let content = "";
+	try {
+		content = await readFile(envPath, "utf-8");
+	} catch {
+		return {
+			mode,
+			diaryId: null,
+			modified: false
+		};
+	}
+	const lines = content.split("\n");
+	const diaryLineRe = /^\s*MOLTNET_DIARY_ID\s*=/;
+	const filtered = lines.filter((l) => !diaryLineRe.test(l));
+	const strippedExisting = filtered.length !== lines.length;
+	if (mode === "reuse") {
+		if (!sourceDiaryId) return {
+			mode,
+			diaryId: null,
+			modified: false
+		};
+		if (!DIARY_ID_RE.test(sourceDiaryId)) throw new Error(`invalid sourceDiaryId: ${JSON.stringify(sourceDiaryId)} — expected UUID`);
+		const diaryLine = `MOLTNET_DIARY_ID='${sourceDiaryId}'`;
+		const gitCfgIdx = filtered.findIndex((l) => /^\s*GIT_CONFIG_GLOBAL\s*=/.test(l));
+		if (gitCfgIdx >= 0) filtered.splice(gitCfgIdx + 1, 0, diaryLine);
+		else filtered.unshift(diaryLine);
+		await writeFile(envPath, filtered.join("\n"), { mode: 384 });
+		return {
+			mode,
+			diaryId: sourceDiaryId,
+			modified: true
+		};
+	}
+	if (strippedExisting) await writeFile(envPath, filtered.join("\n"), { mode: 384 });
+	return {
+		mode,
+		diaryId: null,
+		modified: strippedExisting
+	};
+}
+//#endregion
+//#region src/phases/portRewrite.ts
+/**
+* Rewrite absolute paths in the ported `moltnet.json` so they point to
+* target locations, then regenerate the gitconfig and env file.
+*
+* Assumes `portCopy` already placed files at:
+*  - `<targetDir>/moltnet.json`
+*  - `<targetDir>/<appSlug>.pem`
+*  - `<targetDir>/ssh/<basename(ssh.private_key_path)>`
+*  - `<targetDir>/ssh/<basename(ssh.public_key_path)>`
+*
+* The ported config still has the *source* absolute paths — this phase
+* rewrites them to the target absolute paths, then writes the gitconfig
+* (which needs the new ssh key path) and the env file (which needs the
+* new PEM path).
+*/
+async function runPortRewritePhase(opts) {
+	const { targetDir, agentName, config } = opts;
+	if (!config.ssh || !config.git || !config.github) throw new Error("config missing ssh/git/github sections — run portValidate first");
+	const newSshPriv = join(targetDir, "ssh", basename(config.ssh.private_key_path));
+	const newSshPub = join(targetDir, "ssh", basename(config.ssh.public_key_path));
+	const newPem = join(targetDir, basename(config.github.private_key_path));
+	const newGitConfig = join(targetDir, "gitconfig");
+	await updateConfigSection("ssh", {
+		private_key_path: newSshPriv,
+		public_key_path: newSshPub
+	}, targetDir);
+	await updateConfigSection("github", {
+		app_id: config.github.app_id,
+		app_slug: config.github.app_slug,
+		installation_id: config.github.installation_id,
+		private_key_path: newPem,
+		...config.github.org ? { org: config.github.org } : {}
+	}, targetDir);
+	await updateConfigSection("git", {
+		name: config.git.name,
+		email: config.git.email,
+		signing: config.git.signing,
+		config_path: newGitConfig
+	}, targetDir);
+	const rewrittenFields = [
+		"ssh.private_key_path",
+		"ssh.public_key_path",
+		"github.private_key_path",
+		"git.config_path"
+	];
+	await writeGitConfig({
+		configDir: targetDir,
+		name: config.git.name,
+		email: config.git.email,
+		sshKeyPath: newSshPriv
+	});
+	await writeEnvFile({
+		envDir: targetDir,
+		agentName,
+		prefix: toEnvPrefix(agentName),
+		clientId: config.oauth2.client_id,
+		clientSecret: config.oauth2.client_secret,
+		appId: config.github.app_id,
+		pemPath: newPem,
+		installationId: config.github.installation_id
+	});
+	return {
+		configPath: join(targetDir, "moltnet.json"),
+		rewrittenFields,
+		gitConfigPath: newGitConfig,
+		envDir: targetDir
+	};
+}
+//#endregion
+//#region src/phases/portVerifyInstallation.ts
+/**
+* Warning-only check: can the ported GitHub App installation reach the
+* repo the port command is running against?
+*
+* Mints an installation token via github-agent, then calls
+* GET /installation/repositories. Never blocks — returns a warning
+* object the TUI renders. Any failure (bad token, network, missing
+* currentRepo) is downgraded to a warning.
+*/
+async function runPortVerifyInstallationPhase(opts) {
+	const { config, currentRepo, apiBaseUrl = "https://api.github.com" } = opts;
+	if (!currentRepo) return {
+		status: "warning",
+		message: "unable to determine current repo (git remote missing) — skipping installation scope check"
+	};
+	if (!config.github?.app_id || !config.github?.installation_id || !config.github?.private_key_path) return {
+		status: "warning",
+		message: "github.app_id / installation_id / private_key_path missing",
+		currentRepo
+	};
+	let token;
+	try {
+		token = (await getInstallationToken({
+			appId: config.github.app_id,
+			privateKeyPath: config.github.private_key_path,
+			installationId: config.github.installation_id
+		})).token;
+	} catch (err) {
+		return {
+			status: "warning",
+			message: `could not mint installation token: ${err.message}`,
+			currentRepo
+		};
+	}
+	const accessible = [];
+	let nextUrl = `${apiBaseUrl}/installation/repositories?per_page=100`;
+	let pageCount = 0;
+	const MAX_PAGES = 20;
+	while (nextUrl && pageCount < MAX_PAGES) {
+		pageCount++;
+		let res;
+		try {
+			res = await fetch(nextUrl, { headers: {
+				Accept: "application/vnd.github+json",
+				"X-GitHub-Api-Version": "2022-11-28",
+				Authorization: `Bearer ${token}`
+			} });
+		} catch (err) {
+			return {
+				status: "warning",
+				message: `installation check network error: ${err.message}`,
+				currentRepo
+			};
+		}
+		if (!res.ok) return {
+			status: "warning",
+			message: `installation check failed (${res.status})`,
+			currentRepo
+		};
+		const data = await res.json();
+		if (data.repository_selection === "all") return {
+			status: "ok",
+			message: "installation has access to all repos on the account",
+			currentRepo,
+			repositorySelection: "all"
+		};
+		for (const r of data.repositories) accessible.push(r.full_name);
+		if (accessible.includes(currentRepo)) break;
+		nextUrl = parseNextLink(res.headers.get("link"));
+	}
+	if (accessible.includes(currentRepo)) return {
+		status: "ok",
+		message: `installation has access to ${currentRepo}`,
+		currentRepo,
+		repositorySelection: "selected",
+		accessibleRepos: accessible
+	};
+	const truncated = pageCount >= MAX_PAGES && nextUrl !== null;
+	const truncatedNote = truncated ? " (scan truncated after " + MAX_PAGES + " pages — result may be stale)" : "";
+	return {
+		status: "repo-not-in-scope",
+		message: `installation is scoped to ${accessible.length}${truncated ? "+" : ""} repo(s) but does not include ${currentRepo}. Add the repo at https://github.com/settings/installations/${config.github.installation_id}` + truncatedNote,
+		currentRepo,
+		repositorySelection: "selected",
+		accessibleRepos: accessible
+	};
+}
+/**
+* Parse the `Link` header for a `rel="next"` URL. Returns null if absent.
+* GitHub's Link header format:
+*   <https://api.github.com/...?page=2>; rel="next", <...>; rel="last"
+*/
+function parseNextLink(header) {
+	if (!header) return null;
+	for (const part of header.split(",")) {
+		const match = part.match(/<([^>]+)>\s*;\s*rel="next"/);
+		if (match) return match[1];
+	}
+	return null;
+}
+//#endregion
+//#region src/PortApp.tsx
+/** Read `owner/repo` from `git remote get-url origin`. Returns null on any failure. */
+function detectCurrentRepo(repoDir) {
+	try {
+		const match = execSync("git remote get-url origin", {
+			cwd: repoDir,
+			encoding: "utf-8",
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			]
+		}).trim().match(/github\.com[:/]([^/]+\/[^/]+?)(\.git)?$/);
+		return match ? match[1] : null;
+	} catch {
+		return null;
+	}
+}
+function PortApp({ name, agents, sourceDir, targetRepoDir, diaryMode, apiUrl }) {
+	const { exit } = useApp();
+	const [phase, setPhase] = useState("validating");
+	const [error, setError] = useState();
+	const [summary, setSummary] = useState(null);
+	useEffect(() => {
+		(async () => {
+			try {
+				const targetDir = join(targetRepoDir, ".moltnet", name);
+				const filesWritten = [];
+				const warnings = [];
+				setPhase("validating");
+				const { config, issues, canProceed } = await runPortValidatePhase({ sourceDir });
+				if (!canProceed) throw new Error("source .moltnet is not portable: " + issues.map((i) => `${i.field} (${i.problem})`).join(", "));
+				const existing = await readConfig(targetDir);
+				if (existing?.identity_id && existing.identity_id !== config.identity_id) throw new Error(`target ${targetDir} already has a different identity_id (${existing.identity_id}); refusing to overwrite`);
+				setPhase("copying");
+				const copyResult = await runPortCopyPhase({
+					sourceDir,
+					targetDir,
+					config
+				});
+				filesWritten.push(...copyResult.copied);
+				warnings.push(...copyResult.warnings);
+				setPhase("rewriting");
+				const rewriteResult = await runPortRewritePhase({
+					targetDir,
+					agentName: name,
+					config
+				});
+				filesWritten.push(rewriteResult.gitConfigPath);
+				filesWritten.push(join(targetDir, "env"));
+				setPhase("diary");
+				const diaryResult = await runPortDiaryPhase({
+					targetDir,
+					mode: diaryMode,
+					sourceDiaryId: await readSourceDiaryId(sourceDir)
+				});
+				setPhase("agent_setup");
+				const adapterOpts = {
+					repoDir: targetRepoDir,
+					agentName: name,
+					prefix: toEnvPrefix(name),
+					mcpUrl: config.endpoints?.mcp ?? apiUrl.replace("://api.", "://mcp.") + "/mcp",
+					clientId: config.oauth2.client_id,
+					clientSecret: config.oauth2.client_secret,
+					appSlug: config.github?.app_slug ?? "",
+					appId: config.github?.app_id ?? "",
+					pemPath: join(targetDir, basename(config.github?.private_key_path ?? "")),
+					installationId: config.github?.installation_id ?? ""
+				};
+				for (const agentType of agents) {
+					const adapter = adapters[agentType];
+					await adapter.writeMcpConfig(adapterOpts);
+					filesWritten.push(`${agentType}: MCP config`);
+					await adapter.writeSkills(targetRepoDir);
+					filesWritten.push(`${agentType}: skills`);
+					await adapter.writeSettings(adapterOpts);
+					filesWritten.push(`${agentType}: settings`);
+					await adapter.writeRules(adapterOpts);
+					filesWritten.push(`${agentType}: gh token rule`);
+				}
+				setPhase("verifying");
+				const verifyResult = await runPortVerifyInstallationPhase({
+					config: await readConfig(targetDir) ?? config,
+					currentRepo: detectCurrentRepo(targetRepoDir) ?? void 0
+				});
+				if (verifyResult.status !== "ok") warnings.push(verifyResult.message);
+				setSummary({
+					agentName: name,
+					filesWritten,
+					warnings,
+					validationIssues: issues,
+					diaryMode,
+					diaryId: diaryResult.diaryId,
+					installMessage: verifyResult.message,
+					installStatus: verifyResult.status
+				});
+				setPhase("done");
+				setTimeout(() => exit(), 3e3);
+			} catch (err) {
+				setError(toErrorMessage(err));
+				setPhase("error");
+				setTimeout(() => exit(/* @__PURE__ */ new Error("Port failed")), 3e3);
+			}
+		})();
+	}, []);
+	if (phase === "error") return /* @__PURE__ */ jsxs(Box, {
+		flexDirection: "column",
+		paddingY: 1,
+		children: [/* @__PURE__ */ jsx(CliHero, {}), /* @__PURE__ */ jsx(Box, {
+			borderStyle: "round",
+			borderColor: cliTheme.color.error,
+			paddingX: 2,
+			paddingY: 1,
+			children: /* @__PURE__ */ jsx(Text, {
+				color: cliTheme.color.error,
+				bold: true,
+				children: "* Port failed: " + (error ?? "unknown error")
+			})
+		})]
+	});
+	if (phase !== "done") {
+		const labels = {
+			validating: `Validating source .moltnet/${name}...`,
+			copying: `Copying private material...`,
+			rewriting: `Rewriting paths in moltnet.json...`,
+			diary: `Configuring diary (${diaryMode})...`,
+			agent_setup: `Installing agent files for ${agents.join(", ")}...`,
+			verifying: `Verifying GitHub App installation scope...`
+		};
+		return /* @__PURE__ */ jsxs(Box, {
+			flexDirection: "column",
+			paddingY: 1,
+			children: [/* @__PURE__ */ jsx(CliHero, {}), /* @__PURE__ */ jsx(CliSpinner, { label: labels[phase] })]
+		});
+	}
+	return /* @__PURE__ */ jsxs(Box, {
+		flexDirection: "column",
+		paddingY: 1,
+		children: [
+			/* @__PURE__ */ jsx(CliHero, {}),
+			/* @__PURE__ */ jsxs(Box, {
+				flexDirection: "column",
+				marginBottom: 1,
+				children: [
+					/* @__PURE__ */ jsx(Text, {
+						color: cliTheme.color.success,
+						bold: true,
+						children: `Ported ${name} to ${targetRepoDir}`
+					}),
+					/* @__PURE__ */ jsx(Text, {
+						color: cliTheme.color.muted,
+						children: `  diary: ${summary?.diaryMode}${summary?.diaryId ? ` (${summary.diaryId})` : ""}`
+					}),
+					/* @__PURE__ */ jsx(Text, {
+						color: cliTheme.color.muted,
+						children: `  installation: ${summary?.installStatus}`
+					}),
+					summary?.filesWritten.map((f, i) => /* @__PURE__ */ jsx(Text, {
+						color: cliTheme.color.muted,
+						children: "  * " + f
+					}, i))
+				]
+			}),
+			summary && summary.warnings.length > 0 && /* @__PURE__ */ jsxs(Box, {
+				borderStyle: "round",
+				borderColor: cliTheme.color.warning,
+				paddingX: 2,
+				paddingY: 0,
+				flexDirection: "column",
+				children: [/* @__PURE__ */ jsx(Text, {
+					color: cliTheme.color.warning,
+					bold: true,
+					children: "Warnings:"
+				}), summary.warnings.map((w, i) => /* @__PURE__ */ jsx(Text, {
+					color: cliTheme.color.warning,
+					children: "  ! " + w
+				}, i))]
+			})
+		]
+	});
+}
+//#endregion
 //#region src/SetupApp.tsx
 function SetupApp({ name, agents: agentsProp, apiUrl, dir }) {
 	const { exit } = useApp();
@@ -8732,6 +9581,7 @@ function SetupApp({ name, agents: agentsProp, apiUrl, dir }) {
 					clientId: config.oauth2.client_id,
 					clientSecret: config.oauth2.client_secret,
 					appSlug: config.github?.app_slug ?? config.github?.app_id ?? "",
+					appId: config.github?.app_id ?? "",
 					pemPath: config.github?.private_key_path ?? "",
 					installationId: config.github?.installation_id ?? ""
 				};
@@ -8835,7 +9685,13 @@ var { values, positionals } = parseArgs({
 			multiple: true
 		},
 		"api-url": { type: "string" },
-		dir: { type: "string" }
+		dir: { type: "string" },
+		org: {
+			type: "string",
+			short: "o"
+		},
+		from: { type: "string" },
+		diary: { type: "string" }
 	}
 });
 var subcommand = positionals[0] ?? "init";
@@ -8843,6 +9699,13 @@ var name = values["name"];
 var agentFlags = values["agent"] ?? [];
 var apiUrl = values["api-url"] ?? process.env.MOLTNET_API_URL ?? "https://api.themolt.net";
 var dir = values["dir"] ?? process.cwd();
+var org = values["org"];
+var fromDir = values["from"];
+var diaryModeArg = values["diary"];
+if (diaryModeArg !== void 0 && subcommand !== "port") {
+	process.stderr.write(`Error: --diary is only valid for \`legreffier port\` (got subcommand "${subcommand}")\n`);
+	process.exit(1);
+}
 if (subcommand === "github" && positionals[1] === "token") try {
 	printGitHubToken(resolveAgentName(name, process.env.GIT_CONFIG_GLOBAL), dir);
 	process.exit(0);
@@ -8851,7 +9714,7 @@ if (subcommand === "github" && positionals[1] === "token") try {
 	process.exit(1);
 }
 if (!name) {
-	const usage = subcommand === "setup" ? "Usage: legreffier setup --name <agent-name> [--agent claude] [--agent codex] [--dir <path>]" : "Usage: legreffier [init] --name <agent-name> [--agent claude] [--agent codex] [--api-url <url>] [--dir <path>]";
+	const usage = subcommand === "setup" ? "Usage: legreffier setup --name <agent-name> [--agent claude] [--agent codex] [--dir <path>]" : subcommand === "port" ? "Usage: legreffier port --name <agent-name> --from <path/to/source/.moltnet/<agent>> [--agent claude] [--agent codex] [--dir <target-repo>] [--diary new|reuse|skip]" : "Usage: legreffier [init] --name <agent-name> [--agent claude] [--agent codex] [--api-url <url>] [--dir <path>] [--org <github-org>]";
 	process.stderr.write(usage + "\n");
 	process.exit(1);
 }
@@ -8874,10 +9737,51 @@ else if (subcommand === "init") render(/* @__PURE__ */ jsx(InitApp, {
 	name,
 	agents: agents.length > 0 ? agents : void 0,
 	apiUrl,
-	dir
+	dir,
+	org
 }));
-else {
-	process.stderr.write(`Unknown subcommand: ${subcommand}. Use "init" or "setup".\n`);
+else if (subcommand === "port") {
+	if (!fromDir) {
+		process.stderr.write("Error: legreffier port requires --from <path/to/source/.moltnet/<agent>>\n");
+		process.exit(1);
+	}
+	const resolvedDiaryMode = diaryModeArg ?? "new";
+	if (![
+		"new",
+		"reuse",
+		"skip"
+	].includes(resolvedDiaryMode)) {
+		process.stderr.write(`Error: --diary must be one of: new, reuse, skip (got "${resolvedDiaryMode}")\n`);
+		process.exit(1);
+	}
+	try {
+		if (!statSync(dir).isDirectory()) {
+			process.stderr.write(`Error: --dir "${dir}" is not a directory\n`);
+			process.exit(1);
+		}
+	} catch {
+		process.stderr.write(`Error: --dir "${dir}" does not exist\n`);
+		process.exit(1);
+	}
+	try {
+		if (!statSync(fromDir).isDirectory()) {
+			process.stderr.write(`Error: --from "${fromDir}" is not a directory\n`);
+			process.exit(1);
+		}
+	} catch {
+		process.stderr.write(`Error: --from "${fromDir}" does not exist\n`);
+		process.exit(1);
+	}
+	render(/* @__PURE__ */ jsx(PortApp, {
+		name,
+		agents: agents.length > 0 ? agents : ["claude"],
+		sourceDir: fromDir,
+		targetRepoDir: dir,
+		diaryMode: resolvedDiaryMode,
+		apiUrl
+	}));
+} else {
+	process.stderr.write(`Unknown subcommand: ${subcommand}. Use "init", "setup", or "port".\n`);
 	process.exit(1);
 }
 //#endregion

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@themoltnet/legreffier",
-  "version": "0.28.1",
+  "version": "0.29.0",
   "description": "LeGreffier — one-command accountable AI agent setup",
   "license": "AGPL-3.0-only",
   "type": "module",
@@ -24,7 +24,7 @@
     "ink": "^6.8.0",
     "open": "^10.1.2",
     "react": "^19.0.0",
-    "smol-toml": "^1.6.0"
+    "smol-toml": "^1.6.1"
   },
   "devDependencies": {
     "@types/figlet": "^1.7.0",
@@ -33,10 +33,11 @@
     "typescript": "^5.3.3",
     "vite": "^8.0.0",
     "vitest": "^3.0.0",
-    "@moltnet/crypto-service": "0.1.0",
-    "@themoltnet/design-system": "0.3.2",
     "@moltnet/api-client": "0.1.0",
-    "@themoltnet/sdk": "0.86.1"
+    "@themoltnet/design-system": "0.3.2",
+    "@moltnet/crypto-service": "0.1.0",
+    "@themoltnet/github-agent": "0.23.0",
+    "@themoltnet/sdk": "0.88.0"
   },
   "scripts": {
     "dev": "vite build --watch",