npm - @themoltnet/legreffier - Versions diffs - 0.28.1 → 0.29.1 - Mend

@themoltnet/legreffier 0.28.1 → 0.29.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -1,13 +1,15 @@
 #!/usr/bin/env node
-import { parseArgs } from "node:util";
+import { statSync } from "node:fs";
+import { parseArgs, parseEnv } from "node:util";
 import { Box, Text, render, useApp, useInput } from "ink";
-import { execFileSync } from "node:child_process";
-import { dirname, join } from "node:path";
+import { execFileSync, execSync } from "node:child_process";
+import { basename, dirname, join } from "node:path";
 import { useEffect, useReducer, useRef, useState } from "react";
 import { jsx, jsxs } from "react/jsx-runtime";
 import figlet from "figlet";
+import { createSign } from "node:crypto";
 import { createHash, randomBytes } from "crypto";
-import { chmod, mkdir, readFile, rm, writeFile } from "node:fs/promises";
+import { access, chmod, copyFile, mkdir, readFile, rm, writeFile } from "node:fs/promises";
 import { homedir } from "node:os";
 import { parse, stringify } from "smol-toml";
 import open from "open";
@@ -408,14 +410,14 @@ function CliHero({ animated = false }) {
 				/* @__PURE__ */ jsx(Text, { children: " " }),
 				/* @__PURE__ */ jsxs(Text, { children: [
 					"  ",
-					/* @__PURE__ */ jsx(Text, {
+					/* @__PURE__ */ jsxs(Text, {
 						color: cliTheme.color.text,
-						children: "Accountable AI commits. "
+						children: ["Attribution for AI coding agents.", " "]
 					}),
 					/* @__PURE__ */ jsx(Text, {
 						color: cliTheme.color.accent,
 						bold: true,
-						children: "Cryptographic identity."
+						children: "Identity, memory, signed rationale."
 					})
 				] }),
 				/* @__PURE__ */ jsxs(Text, { children: [
@@ -7192,6 +7194,13 @@ async function writeMcpConfig(mcpConfig, dir) {
 }
 //#endregion
 //#region ../../libs/sdk/src/credentials.ts
+/**
+* Derive the MCP URL from an API URL.
+* e.g. "https://api.themolt.net" → "https://mcp.themolt.net/mcp"
+*/
+function deriveMcpUrl(apiUrl) {
+	return apiUrl.replace("://api.", "://mcp.") + "/mcp";
+}
 function getConfigDir() {
 	return join(homedir(), ".config", "moltnet");
 }
@@ -7241,6 +7250,119 @@ async function updateConfigSection(section, data, configDir) {
 	await writeConfig(config, configDir);
 }
 //#endregion
+//#region ../../libs/sdk/src/repair.ts
+/**
+* Validate and optionally repair a MoltNet config.
+*
+* Checks required fields, detects stale file paths, and migrates
+* `credentials.json` to `moltnet.json` when found.
+*
+* Pass `dryRun: true` to report issues without writing changes.
+*/
+async function repairConfig(opts) {
+	const dir = opts?.configDir ?? getConfigDir();
+	const issues = [];
+	let config = await tryReadJson(join(dir, "moltnet.json"));
+	if (!config) {
+		const legacy = await tryReadJson(join(dir, "credentials.json"));
+		if (legacy) {
+			config = legacy;
+			issues.push({
+				field: "file",
+				problem: "using deprecated credentials.json — will migrate to moltnet.json",
+				action: "migrate"
+			});
+			if (!opts?.dryRun) await writeConfig(config, dir);
+		} else return {
+			issues: [],
+			config: null
+		};
+	}
+	validateConfig(config, issues);
+	await checkFilePaths(config, issues);
+	if (!config.endpoints.mcp && config.endpoints.api) {
+		config.endpoints.mcp = deriveMcpUrl(config.endpoints.api);
+		issues.push({
+			field: "endpoints.mcp",
+			problem: "missing — derived from API endpoint",
+			action: "fixed"
+		});
+	}
+	if (issues.some((i) => i.action === "fixed") && !opts?.dryRun) await writeConfig(config, dir);
+	return {
+		issues,
+		config
+	};
+}
+function validateConfig(config, issues) {
+	if (!config.identity_id) issues.push({
+		field: "identity_id",
+		problem: "missing",
+		action: "warning"
+	});
+	if (!config.keys.public_key) issues.push({
+		field: "keys.public_key",
+		problem: "missing",
+		action: "warning"
+	});
+	if (!config.keys.private_key) issues.push({
+		field: "keys.private_key",
+		problem: "missing",
+		action: "warning"
+	});
+	if (config.keys.public_key && !config.keys.public_key.startsWith("ed25519:")) issues.push({
+		field: "keys.public_key",
+		problem: "missing 'ed25519:' prefix",
+		action: "warning"
+	});
+	if (!config.endpoints.api) issues.push({
+		field: "endpoints.api",
+		problem: "missing",
+		action: "warning"
+	});
+	if (config.github?.app_id && !/^\d+$/.test(config.github.app_id)) issues.push({
+		field: "github.app_id",
+		problem: `not a numeric GitHub App ID (got "${config.github.app_id}") — likely the slug; refetch via \`moltnet config init-from-env\` or re-run \`legreffier\``,
+		action: "warning"
+	});
+}
+async function checkFilePaths(config, issues) {
+	const checks = [];
+	if (config.ssh?.private_key_path) checks.push({
+		field: "ssh.private_key_path",
+		path: config.ssh.private_key_path
+	});
+	if (config.ssh?.public_key_path) checks.push({
+		field: "ssh.public_key_path",
+		path: config.ssh.public_key_path
+	});
+	if (config.git?.config_path) checks.push({
+		field: "git.config_path",
+		path: config.git.config_path
+	});
+	if (config.github?.private_key_path) checks.push({
+		field: "github.private_key_path",
+		path: config.github.private_key_path
+	});
+	for (const { field, path } of checks) try {
+		await access(path);
+	} catch {
+		issues.push({
+			field,
+			problem: `file not found: ${path}`,
+			action: "warning"
+		});
+	}
+}
+async function tryReadJson(path) {
+	try {
+		const content = await readFile(path, "utf-8");
+		return JSON.parse(content);
+	} catch {
+		return null;
+	}
+}
+//#endregion
 //#region ../../libs/sdk/src/ssh.ts
 /**
 * Export the agent's Ed25519 key pair as OpenSSH key files.
@@ -7410,20 +7532,61 @@ async function downloadSkills(repoDir, skillDir) {
 		}
 	}
 }
-function buildGhTokenRule(agentName) {
+function buildGhTokenRule() {
 	return [
-		"# GitHub CLI Authentication (LeGreffier)",
+		"# GitHub CLI Authentication (MoltNet agents)",
 		"",
-		`When \`GIT_CONFIG_GLOBAL\` is set to \`.moltnet/${agentName}/gitconfig\`,`,
-		"authenticate `gh` CLI commands as the GitHub App by prefixing them with:",
+		"> **STRICT RULE — read this before every `gh` call.**",
+		">",
+		"> When `GIT_CONFIG_GLOBAL` is set (matches `.moltnet/<agent>/gitconfig`), you",
+		"> **MUST NOT** run bare `gh <command>`. You **MUST** prefix every `gh` call",
+		"> with a `GH_TOKEN` resolved from an **absolute path** to `moltnet.json`.",
+		"> Running bare `gh` silently falls back to the human personal token and",
+		"> attributes the action to the wrong identity — this is a correctness bug,",
+		"> not a warning.",
+		"",
+		"## The only correct form",
 		"",
 		"```bash",
-		"GH_TOKEN=$(npx @themoltnet/cli github token --credentials \"$(dirname \"$GIT_CONFIG_GLOBAL\")/moltnet.json\") gh <command>",
+		"# 1. Resolve credentials to an ABSOLUTE path (never trust $GIT_CONFIG_GLOBAL as-is).",
+		"CREDS=\"$(cd \"$(dirname \"$GIT_CONFIG_GLOBAL\")\" 2>/dev/null && pwd)/moltnet.json\"",
+		"",
+		"# 2. Refuse to proceed if the file does not exist at that absolute path.",
+		"[ -f \"$CREDS\" ] || { echo \"FATAL: moltnet.json not found at $CREDS\" >&2; exit 1; }",
+		"",
+		"# 3. Call gh with GH_TOKEN inlined.",
+		"GH_TOKEN=$(npx @themoltnet/cli github token --credentials \"$CREDS\") gh <command>",
 		"```",
 		"",
-		"The token is cached locally (~1 hour lifetime, 5-min expiry buffer),",
+		"The credentials file (`moltnet.json`) always lives next to the `gitconfig`",
+		"inside the same `.moltnet/<agent>/` directory, regardless of which agent is",
+		"active. The token is cached locally (~1 hour lifetime, 5-min expiry buffer),",
 		"so repeated calls are fast after the first API hit.",
 		"",
+		"## Why absolute paths are mandatory",
+		"",
+		"`GIT_CONFIG_GLOBAL` is almost always a **relative path** (e.g. `.moltnet/<agent>/gitconfig`).",
+		"Every git worktree has a different CWD from the main worktree root, so",
+		"`$(dirname \"$GIT_CONFIG_GLOBAL\")` resolves differently depending on where you are.",
+		"When it resolves to a non-existent directory:",
+		"",
+		"- `npx @themoltnet/cli github token` prints `no credentials found` to stderr,",
+		"- the command substitution yields an empty `GH_TOKEN`,",
+		"- `gh` silently falls back to your personal token,",
+		"- the resulting API call is attributed to the **human**, not the agent.",
+		"",
+		"This failure is invisible in normal output. The `cd ... && pwd` dance in step 1",
+		"is the only reliable way to get an absolute path that works across worktrees.",
+		"",
+		"## Forbidden patterns",
+		"",
+		"- `gh <command>` — bare, no `GH_TOKEN`. **Never.**",
+		"- `GH_TOKEN=$(... --credentials \"$(dirname \"$GIT_CONFIG_GLOBAL\")/moltnet.json\") gh ...`",
+		"  — uses the raw relative path. Breaks in worktrees.",
+		"- `GH_TOKEN=$(... --credentials \"./moltnet.json\") gh ...` — relative. Breaks.",
+		"- `GH_TOKEN=$(... --credentials \"~/.moltnet/...\") gh ...` — `~` is not expanded",
+		"  inside double quotes; use `$HOME` or the literal absolute path.",
+		"",
 		"## Allowed `gh` subcommands",
 		"",
 		"The GitHub App only has these permissions:",
@@ -7517,6 +7680,28 @@ function buildCodexRules(_agentName) {
 		"    decision = \"allow\",",
 		")",
 		"",
+		"# GitHub CLI — read-only subcommands (write ops prompt the user)",
+		"prefix_rule(",
+		"    pattern = [\"gh\", \"pr\", \"view\"],",
+		"    decision = \"allow\",",
+		")",
+		"prefix_rule(",
+		"    pattern = [\"gh\", \"pr\", \"list\"],",
+		"    decision = \"allow\",",
+		")",
+		"prefix_rule(",
+		"    pattern = [\"gh\", \"issue\", \"view\"],",
+		"    decision = \"allow\",",
+		")",
+		"prefix_rule(",
+		"    pattern = [\"gh\", \"issue\", \"list\"],",
+		"    decision = \"allow\",",
+		")",
+		"prefix_rule(",
+		"    pattern = [\"gh\", \"repo\", \"view\"],",
+		"    decision = \"allow\",",
+		")",
+		"",
 		"# Worktree symlink creation",
 		"prefix_rule(",
 		"    pattern = [\"ln\", \"-s\"],",
@@ -7559,7 +7744,7 @@ function toEnvPrefix(agentName) {
 	return agentName.toUpperCase().replace(/[^A-Z0-9]/g, "_");
 }
 /** Merge agent env vars into .claude/settings.local.json, preserving existing entries. */
-async function writeSettingsLocal({ repoDir, agentName, appSlug, pemPath, installationId, clientId, clientSecret }) {
+async function writeSettingsLocal({ repoDir, agentName, appId, pemPath, installationId, clientId, clientSecret }) {
 	const dir = join(repoDir, ".claude");
 	await mkdir(dir, { recursive: true });
 	const filePath = join(dir, "settings.local.json");
@@ -7582,7 +7767,7 @@ async function writeSettingsLocal({ repoDir, agentName, appSlug, pemPath, instal
 		},
 		env: {
 			...existing.env,
-			[`${prefix}_GITHUB_APP_ID`]: appSlug,
+			[`${prefix}_GITHUB_APP_ID`]: appId,
 			[`${prefix}_GITHUB_APP_PRIVATE_KEY_PATH`]: pemPath,
 			[`${prefix}_GITHUB_APP_INSTALLATION_ID`]: installationId,
 			[`${prefix}_CLIENT_ID`]: clientId,
@@ -7612,7 +7797,7 @@ var ClaudeAdapter = class {
 		await writeSettingsLocal({
 			repoDir: opts.repoDir,
 			agentName: opts.agentName,
-			appSlug: opts.appSlug,
+			appId: opts.appId,
 			pemPath: opts.pemPath,
 			installationId: opts.installationId,
 			clientId: opts.clientId,
@@ -7622,7 +7807,7 @@ var ClaudeAdapter = class {
 	async writeRules(opts) {
 		const dir = join(opts.repoDir, ".claude", "rules");
 		await mkdir(dir, { recursive: true });
-		await writeFile(join(dir, "legreffier-gh.md"), buildGhTokenRule(opts.agentName), "utf-8");
+		await writeFile(join(dir, "legreffier-gh.md"), buildGhTokenRule(), "utf-8");
 	}
 };
 //#endregion
@@ -7672,6 +7857,13 @@ var adapters = {
 };
 //#endregion
 //#region src/env-file.ts
+/**
+* Parse a dotenv-format string using Node.js built-in `util.parseEnv`.
+* Handles quoting, comments, and blank lines.
+*/
+function parseEnvFile(content) {
+	return parseEnv(content);
+}
 function q(v) {
 	return `'${v.replace(/'/g, "'\\''")}'`;
 }
@@ -7686,10 +7878,11 @@ async function writeEnvFile(opts) {
 	const managedEntries = [
 		[`${opts.prefix}_CLIENT_ID`, q(opts.clientId)],
 		[`${opts.prefix}_CLIENT_SECRET`, q(opts.clientSecret)],
-		[`${opts.prefix}_GITHUB_APP_ID`, q(opts.appSlug)],
+		[`${opts.prefix}_GITHUB_APP_ID`, q(opts.appId)],
 		[`${opts.prefix}_GITHUB_APP_PRIVATE_KEY_PATH`, q(opts.pemPath)],
 		[`${opts.prefix}_GITHUB_APP_INSTALLATION_ID`, q(opts.installationId)],
-		["GIT_CONFIG_GLOBAL", q(`.moltnet/${opts.agentName}/gitconfig`)]
+		["GIT_CONFIG_GLOBAL", q(`.moltnet/${opts.agentName}/gitconfig`)],
+		["MOLTNET_AGENT_NAME", q(opts.agentName)]
 	];
 	const managedKeys = new Set(managedEntries.map(([k]) => k));
 	let existingLines = [];
@@ -7746,7 +7939,7 @@ async function clearState(configDir) {
 //#endregion
 //#region src/phases/agentSetup.ts
 async function runAgentSetupPhase(opts) {
-	const { apiUrl, repoDir, configDir, agentName, agentTypes, publicKey, fingerprint, appSlug, pemPath, installationId, identityId, clientId, clientSecret, dispatch } = opts;
+	const { apiUrl, repoDir, configDir, agentName, agentTypes, publicKey, fingerprint, appId, appSlug, pemPath, installationId, identityId, clientId, clientSecret, org, dispatch } = opts;
 	dispatch({
 		type: "phase",
 		phase: "agent_setup"
@@ -7769,10 +7962,11 @@ async function runAgentSetupPhase(opts) {
 			mcp: apiUrl.replace("://api.", "://mcp.") + "/mcp"
 		},
 		github: {
-			app_id: appSlug,
+			app_id: appId,
 			app_slug: appSlug,
 			installation_id: installationId,
-			private_key_path: pemPath
+			private_key_path: pemPath,
+			...org ? { org } : {}
 		}
 	}, configDir);
 	const prefix = toEnvPrefix(agentName);
@@ -7784,6 +7978,7 @@ async function runAgentSetupPhase(opts) {
 		clientId,
 		clientSecret,
 		appSlug,
+		appId,
 		pemPath,
 		installationId
 	};
@@ -7819,7 +8014,7 @@ async function runAgentSetupPhase(opts) {
 		prefix,
 		clientId,
 		clientSecret,
-		appSlug,
+		appId,
 		pemPath,
 		installationId
 	});
@@ -7878,35 +8073,6 @@ async function suggestAppNames(appName) {
 		available: await checkAppNameAvailable(name)
 	})))).filter((r) => r.available).map((r) => r.name);
 }
-/**
-* Look up GitHub bot user and derive noreply email.
-* Tries <appSlug>[bot] first (exists post-installation), then falls back to
-* plain <appSlug> (exists right after app creation, pre-installation).
-*
-* Retries with exponential backoff because GitHub's public /users API
-* may not index a newly created app account immediately.
-*/
-async function lookupBotUser(appSlug, { maxRetries = 5, baseDelayMs = 2e3 } = {}) {
-	for (let attempt = 0; attempt <= maxRetries; attempt++) {
-		for (const username of [`${appSlug}[bot]`, appSlug]) {
-			const res = await fetch(`https://api.github.com/users/${encodeURIComponent(username)}`, { headers: GITHUB_HEADERS });
-			if (res.ok) {
-				const data = await res.json();
-				return {
-					id: data.id,
-					email: `${data.id}+${data.login}@users.noreply.github.com`
-				};
-			}
-		}
-		if (attempt < maxRetries) {
-			const delayMs = baseDelayMs * 2 ** attempt;
-			await new Promise((resolve) => {
-				setTimeout(resolve, delayMs);
-			});
-		}
-	}
-	throw new Error(`GitHub user lookup failed for app "${appSlug}"`);
-}
 /** Write GitHub App PEM to <configDir>/<appSlug>.pem (mode 0o600). */
 async function writePem(pem, appSlug, configDir) {
 	await mkdir(configDir, { recursive: true });
@@ -7918,17 +8084,21 @@ async function writePem(pem, appSlug, configDir) {
 /**
 * Write a standalone gitconfig file to <configDir>/gitconfig and return
 * its path. The config sets user.name/email and enables SSH commit signing
-* using the agent's SSH key.
+* using the agent's SSH public key.
+*
+* **Important:** `signingkey` must live under `[user]`, not `[gpg "ssh"]`.
+* Git only reads `user.signingkey`; a key declared as `gpg.ssh.signingkey`
+* is silently ignored and `git commit -S` fails with
+* `fatal: either user.signingkey or gpg.ssh.defaultKeyCommand needs to be configured`.
 */
-async function writeGitConfig({ configDir, name, email, sshKeyPath }) {
+async function writeGitConfig({ configDir, name, email, sshPublicKeyPath }) {
 	const content = [
 		"[user]",
 		`\tname = ${name}`,
 		`\temail = ${email}`,
+		`\tsigningkey = ${sshPublicKeyPath}`,
 		"[gpg]",
 		"	format = ssh",
-		"[gpg \"ssh\"]",
-		`\tsigningKey = ${sshKeyPath}`,
 		"[commit]",
 		"	gpgsign = true",
 		""
@@ -7954,6 +8124,7 @@ async function runGithubAppPhase(opts) {
 			appSlug: existingConfig.github.app_slug ?? ""
 		});
 		return {
+			appId: existingConfig.github.app_id,
 			appSlug: existingConfig.github.app_slug ?? "",
 			pemPath: existingConfig.github.private_key_path,
 			installationId: existingConfig.github.installation_id,
@@ -7972,6 +8143,7 @@ async function runGithubAppPhase(opts) {
 			appSlug: existingState.appSlug
 		});
 		return {
+			appId: existingState.appId,
 			appSlug: existingState.appSlug,
 			pemPath,
 			installationId: "",
@@ -8023,6 +8195,7 @@ async function runGithubAppPhase(opts) {
 		status: "done"
 	});
 	return {
+		appId: ghCreds.appId,
 		appSlug: ghCreds.appSlug,
 		pemPath,
 		installationId: "",
@@ -8030,6 +8203,136 @@ async function runGithubAppPhase(opts) {
 	};
 }
 //#endregion
+//#region ../github-agent/src/bot-user.ts
+var GITHUB_API_BASE_URL = "https://api.github.com";
+/**
+* Look up the shadow bot user associated with a GitHub App.
+* Every GitHub App gets a bot user account (`<slug>[bot]`).
+* This endpoint is public — no authentication required.
+*
+* Tries `<appSlug>[bot]` first (exists post-installation), then falls
+* back to plain `<appSlug>` (exists right after app creation, pre-install).
+*
+* @returns The bot user ID and login
+*/
+async function lookupBotUser(appSlug, opts = {}) {
+	const { apiBaseUrl = GITHUB_API_BASE_URL, maxRetries = 0, baseDelayMs = 2e3 } = opts;
+	const headers = {
+		Accept: "application/vnd.github+json",
+		"X-GitHub-Api-Version": "2022-11-28"
+	};
+	for (let attempt = 0; attempt <= maxRetries; attempt++) {
+		for (const username of [`${appSlug}[bot]`, appSlug]) {
+			const url = `${apiBaseUrl}/users/${encodeURIComponent(username)}`;
+			const response = await fetch(url, { headers });
+			if (response.ok) {
+				const data = await response.json();
+				return {
+					id: data.id,
+					login: data.login
+				};
+			}
+		}
+		if (attempt < maxRetries) {
+			const delayMs = baseDelayMs * 2 ** attempt;
+			await new Promise((resolve) => {
+				setTimeout(resolve, delayMs);
+			});
+		}
+	}
+	throw new Error(`GitHub user lookup failed for app "${appSlug}"`);
+}
+/**
+* Build the GitHub noreply email for a bot user.
+* Format: `<bot-user-id>+<slug>[bot]@users.noreply.github.com`
+*/
+function buildBotEmail(botUserId, appSlug) {
+	return `${botUserId}+${appSlug}[bot]@users.noreply.github.com`;
+}
+//#endregion
+//#region ../github-agent/src/token.ts
+/**
+* Create a JWT signed with the GitHub App's RSA private key.
+*/
+function createAppJWT(appId, privateKeyPem) {
+	const now = Math.floor(Date.now() / 1e3);
+	const header = Buffer.from(JSON.stringify({
+		alg: "RS256",
+		typ: "JWT"
+	})).toString("base64url");
+	const payload = Buffer.from(JSON.stringify({
+		iss: appId,
+		iat: now - 60,
+		exp: now + 600
+	})).toString("base64url");
+	const sign = createSign("RSA-SHA256");
+	sign.update(`${header}.${payload}`);
+	return `${header}.${payload}.${sign.sign(privateKeyPem, "base64url")}`;
+}
+/** Minimum remaining validity before we consider a cached token expired. */
+var EXPIRY_BUFFER_MS = 300 * 1e3;
+/**
+* Read a cached token from disk. Returns null if missing, corrupt, or expired.
+*/
+async function readTokenCache(cachePath) {
+	try {
+		const raw = await readFile(cachePath, "utf-8");
+		const cached = JSON.parse(raw);
+		if (!cached.token || !cached.expires_at) return null;
+		const expiresAt = new Date(cached.expires_at).getTime();
+		if (Date.now() + EXPIRY_BUFFER_MS >= expiresAt) return null;
+		return {
+			token: cached.token,
+			expiresAt: cached.expires_at
+		};
+	} catch {
+		return null;
+	}
+}
+/**
+* Write a token to the cache file (best-effort).
+*/
+async function writeTokenCache(cachePath, token, expiresAt) {
+	const cache = {
+		token,
+		expires_at: expiresAt
+	};
+	try {
+		await writeFile(cachePath, JSON.stringify(cache), { mode: 384 });
+	} catch {}
+}
+/**
+* Exchange a GitHub App JWT for an installation access token.
+* Uses a file-based cache next to the private key to avoid
+* hitting the GitHub API on every call.
+*/
+async function getInstallationToken(opts) {
+	const cachePath = join(dirname(opts.privateKeyPath), "gh-token-cache.json");
+	const cached = await readTokenCache(cachePath);
+	if (cached) return cached;
+	const privateKeyPem = await readFile(opts.privateKeyPath, "utf-8");
+	const jwt = createAppJWT(opts.appId, privateKeyPem);
+	const response = await fetch(`https://api.github.com/app/installations/${opts.installationId}/access_tokens`, {
+		method: "POST",
+		headers: {
+			Authorization: `Bearer ${jwt}`,
+			Accept: "application/vnd.github+json",
+			"X-GitHub-Api-Version": "2022-11-28"
+		}
+	});
+	if (!response.ok) {
+		const body = await response.text();
+		throw new Error(`GitHub API error (${response.status}): ${body}`);
+	}
+	const data = await response.json();
+	const result = {
+		token: data.token,
+		expiresAt: data.expires_at
+	};
+	await writeTokenCache(cachePath, result.token, result.expiresAt);
+	return result;
+}
+//#endregion
 //#region src/phases/gitSetup.ts
 async function runGitSetupPhase(opts) {
 	const { configDir, agentName, appSlug, dispatch } = opts;
@@ -8050,19 +8353,18 @@ async function runGitSetupPhase(opts) {
 		key: "gitSetup",
 		status: "running"
 	});
-	const { privatePath } = await exportSSHKey({ configDir });
-	const botUser = await lookupBotUser(appSlug);
-	const gitConfigPath = await writeGitConfig({
-		configDir,
-		name: agentName,
-		email: botUser.email,
-		sshKeyPath: privatePath
-	});
+	const { publicPath } = await exportSSHKey({ configDir });
+	const email = buildBotEmail((await lookupBotUser(appSlug, { maxRetries: 5 })).id, appSlug);
 	await updateConfigSection("git", {
 		name: agentName,
-		email: botUser.email,
+		email,
 		signing: true,
-		config_path: gitConfigPath
+		config_path: await writeGitConfig({
+			configDir,
+			name: agentName,
+			email,
+			sshPublicKeyPath: publicPath
+		})
 	}, configDir);
 	dispatch({
 		type: "step",
@@ -8073,7 +8375,7 @@ async function runGitSetupPhase(opts) {
 //#endregion
 //#region src/phases/identity.ts
 async function runIdentityPhase(opts) {
-	const { apiUrl, agentName, configDir, dispatch } = opts;
+	const { apiUrl, agentName, configDir, org, dispatch } = opts;
 	const existingConfig = await readConfig(configDir);
 	const existingState = await readState(configDir);
 	if (existingConfig?.keys?.public_key && existingConfig?.oauth2?.client_id) {
@@ -8180,7 +8482,8 @@ async function runIdentityPhase(opts) {
 	const started = await startOnboarding(apiUrl, {
 		publicKey: kp.publicKey,
 		fingerprint: kp.fingerprint,
-		agentName
+		agentName,
+		...org ? { org } : {}
 	});
 	await writeState({
 		workflowId: started.workflowId,
@@ -8572,7 +8875,7 @@ function ProgressPhase({ state, name, showManifestFallback, showInstallFallback
 		]
 	});
 }
-function InitApp({ name, agents: agentsProp, apiUrl, dir = process.cwd() }) {
+function InitApp({ name, agents: agentsProp, apiUrl, dir = process.cwd(), org }) {
 	const { exit } = useApp();
 	const [state, dispatch] = useReducer(uiReducer, {
 		phase: "disclaimer",
@@ -8614,6 +8917,7 @@ function InitApp({ name, agents: agentsProp, apiUrl, dir = process.cwd() }) {
 					apiUrl,
 					agentName: name,
 					configDir,
+					org,
 					dispatch
 				});
 				const githubApp = await runGithubAppPhase({
@@ -8648,12 +8952,14 @@ function InitApp({ name, agents: agentsProp, apiUrl, dir = process.cwd() }) {
 					agentTypes: selectedAgents,
 					publicKey: identity.publicKey,
 					fingerprint: identity.fingerprint,
+					appId: githubApp.appId,
 					appSlug: githubApp.appSlug,
 					pemPath: githubApp.pemPath,
 					installationId: installation.installationId || githubApp.installationId,
 					identityId: installation.identityId,
 					clientId: installation.clientId || identity.clientId,
 					clientSecret: installation.clientSecret || identity.clientSecret,
+					org,
 					dispatch
 				});
 				const mcpUrl = apiUrl.replace("://api.", "://mcp.") + "/mcp";
@@ -8707,6 +9013,580 @@ function InitApp({ name, agents: agentsProp, apiUrl, dir = process.cwd() }) {
 	});
 }
 //#endregion
+//#region src/phases/portValidate.ts
+/**
+* Validate a source `.moltnet/<agent>/` directory for porting.
+*
+* Runs the generic `repairConfig({ dryRun: true })` checks, then adds
+* port-specific blocking checks:
+*  - `identity_id`, `keys.fingerprint`, `oauth2.client_id/secret`
+*  - `github.app_id` present and numeric, `github.app_slug`, `github.installation_id`
+*  - `ssh.private_key_path`, `ssh.public_key_path`, `git.config_path` set
+*  - `github.private_key_path` set
+*  - All four absolute paths (ssh priv/pub, git config, github pem) exist on disk
+*
+* Throws if `moltnet.json` is missing or unreadable — nothing to port.
+*/
+async function runPortValidatePhase(opts) {
+	const { sourceDir } = opts;
+	const config = await readConfig(sourceDir);
+	if (!config) throw new Error(`No moltnet.json found in ${sourceDir} — nothing to port. Run \`legreffier\` on a repo first to create a source identity.`);
+	const { issues: baseIssues } = await repairConfig({
+		configDir: sourceDir,
+		dryRun: true
+	});
+	const issues = [...baseIssues];
+	if (!config.oauth2?.client_id) issues.push({
+		field: "oauth2.client_id",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.oauth2?.client_secret) issues.push({
+		field: "oauth2.client_secret",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.keys?.fingerprint) issues.push({
+		field: "keys.fingerprint",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.github?.app_id) issues.push({
+		field: "github.app_id",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.github?.app_slug) issues.push({
+		field: "github.app_slug",
+		problem: "missing — required for port (used for PEM filename and bot lookup)",
+		action: "warning"
+	});
+	if (!config.github?.installation_id) issues.push({
+		field: "github.installation_id",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.github?.private_key_path) issues.push({
+		field: "github.private_key_path",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.ssh?.private_key_path) issues.push({
+		field: "ssh.private_key_path",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.ssh?.public_key_path) issues.push({
+		field: "ssh.public_key_path",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	if (!config.git?.config_path) issues.push({
+		field: "git.config_path",
+		problem: "missing — required for port",
+		action: "warning"
+	});
+	return {
+		config,
+		issues,
+		canProceed: issues.filter((i) => i.action === "warning").length === 0
+	};
+}
+/** Check whether a file is readable. Used by portCopy for optional files. */
+async function fileExists(path) {
+	try {
+		await access(path);
+		return true;
+	} catch {
+		return false;
+	}
+}
+//#endregion
+//#region src/phases/portCopy.ts
+/**
+* Copy private material from a source `.moltnet/<agent>/` into the target.
+*
+* Copies:
+*  - `moltnet.json` (0600) — will later be rewritten in P3 with absolute paths
+*  - GitHub App PEM (0600) — at `<sourceDir>/<appSlug>.pem` by convention
+*  - SSH private key (0600) and public key (0644)
+*  - `allowed_signers` if present (0644) — optional, warning only
+*
+* Assumes `runPortValidatePhase` has been run and `canProceed` was true,
+* so required fields and files are known to exist.
+*/
+async function runPortCopyPhase(opts) {
+	const { sourceDir, targetDir, config } = opts;
+	const copied = [];
+	const warnings = [];
+	await mkdir(targetDir, { recursive: true });
+	const targetConfig = join(targetDir, "moltnet.json");
+	await copyFile(join(sourceDir, "moltnet.json"), targetConfig);
+	await chmod(targetConfig, 384);
+	copied.push(targetConfig);
+	if (!config.github?.private_key_path) throw new Error("github.private_key_path missing — run portValidate first");
+	const targetPem = join(targetDir, basename(config.github.private_key_path));
+	await copyFile(config.github.private_key_path, targetPem);
+	await chmod(targetPem, 384);
+	copied.push(targetPem);
+	if (!config.ssh?.private_key_path || !config.ssh?.public_key_path) throw new Error("ssh key paths missing — run portValidate first");
+	const sshDir = join(targetDir, "ssh");
+	await mkdir(sshDir, { recursive: true });
+	const targetSshPriv = join(sshDir, basename(config.ssh.private_key_path));
+	await copyFile(config.ssh.private_key_path, targetSshPriv);
+	await chmod(targetSshPriv, 384);
+	copied.push(targetSshPriv);
+	const targetSshPub = join(sshDir, basename(config.ssh.public_key_path));
+	await copyFile(config.ssh.public_key_path, targetSshPub);
+	await chmod(targetSshPub, 420);
+	copied.push(targetSshPub);
+	const sourceAllowed = join(dirname(config.ssh.private_key_path), "allowed_signers");
+	if (await fileExists(sourceAllowed)) {
+		const targetAllowed = join(sshDir, "allowed_signers");
+		await copyFile(sourceAllowed, targetAllowed);
+		await chmod(targetAllowed, 420);
+		copied.push(targetAllowed);
+	} else warnings.push(`allowed_signers not found at ${sourceAllowed} — skipping (optional)`);
+	return {
+		copied,
+		warnings
+	};
+}
+//#endregion
+//#region src/phases/portDiary.ts
+/**
+* Standard UUID v4-ish shape. Diary IDs are server-issued UUIDs; anything
+* else in this field is either stale data, a mis-parsed env line, or a
+* crafted injection attempt (e.g. embedded newlines) and must be rejected
+* before we echo it into the target env file.
+*/
+var DIARY_ID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+/**
+* Read `MOLTNET_DIARY_ID` from a source env file.
+* Returns null if the file or key is absent, or if the stored value is
+* not a valid UUID (defensive: never propagate malformed data).
+*/
+async function readSourceDiaryId(sourceDir) {
+	try {
+		const raw = parseEnvFile(await readFile(join(sourceDir, "env"), "utf-8")).MOLTNET_DIARY_ID;
+		if (!raw || !DIARY_ID_RE.test(raw)) return null;
+		return raw;
+	} catch {
+		return null;
+	}
+}
+/**
+* Apply the chosen diary mode to the target env file:
+*
+*  - `reuse`: persist the source MOLTNET_DIARY_ID in the target env
+*  - `new`: strip MOLTNET_DIARY_ID from the target env (legreffier skill
+*    will resolve it at session start via `diaries_list` / create)
+*  - `skip`: leave the target env untouched
+*
+* Assumes the target env file has already been written by `portRewrite`.
+*/
+async function runPortDiaryPhase(opts) {
+	const { targetDir, mode, sourceDiaryId } = opts;
+	const envPath = join(targetDir, "env");
+	if (mode === "skip") return {
+		mode,
+		diaryId: null,
+		modified: false
+	};
+	let content = "";
+	try {
+		content = await readFile(envPath, "utf-8");
+	} catch {
+		return {
+			mode,
+			diaryId: null,
+			modified: false
+		};
+	}
+	const lines = content.split("\n");
+	const diaryLineRe = /^\s*MOLTNET_DIARY_ID\s*=/;
+	const filtered = lines.filter((l) => !diaryLineRe.test(l));
+	const strippedExisting = filtered.length !== lines.length;
+	if (mode === "reuse") {
+		if (!sourceDiaryId) return {
+			mode,
+			diaryId: null,
+			modified: false
+		};
+		if (!DIARY_ID_RE.test(sourceDiaryId)) throw new Error(`invalid sourceDiaryId: ${JSON.stringify(sourceDiaryId)} — expected UUID`);
+		const diaryLine = `MOLTNET_DIARY_ID='${sourceDiaryId}'`;
+		const gitCfgIdx = filtered.findIndex((l) => /^\s*GIT_CONFIG_GLOBAL\s*=/.test(l));
+		if (gitCfgIdx >= 0) filtered.splice(gitCfgIdx + 1, 0, diaryLine);
+		else filtered.unshift(diaryLine);
+		await writeFile(envPath, filtered.join("\n"), { mode: 384 });
+		return {
+			mode,
+			diaryId: sourceDiaryId,
+			modified: true
+		};
+	}
+	if (strippedExisting) await writeFile(envPath, filtered.join("\n"), { mode: 384 });
+	return {
+		mode,
+		diaryId: null,
+		modified: strippedExisting
+	};
+}
+//#endregion
+//#region src/phases/portRewrite.ts
+/**
+* Rewrite absolute paths in the ported `moltnet.json` so they point to
+* target locations, then regenerate the gitconfig and env file.
+*
+* Assumes `portCopy` already placed files at:
+*  - `<targetDir>/moltnet.json`
+*  - `<targetDir>/<appSlug>.pem`
+*  - `<targetDir>/ssh/<basename(ssh.private_key_path)>`
+*  - `<targetDir>/ssh/<basename(ssh.public_key_path)>`
+*
+* The ported config still has the *source* absolute paths — this phase
+* rewrites them to the target absolute paths, then writes the gitconfig
+* (which needs the new ssh key path) and the env file (which needs the
+* new PEM path).
+*/
+async function runPortRewritePhase(opts) {
+	const { targetDir, agentName, config } = opts;
+	if (!config.ssh || !config.git || !config.github) throw new Error("config missing ssh/git/github sections — run portValidate first");
+	const newSshPriv = join(targetDir, "ssh", basename(config.ssh.private_key_path));
+	const newSshPub = join(targetDir, "ssh", basename(config.ssh.public_key_path));
+	const newPem = join(targetDir, basename(config.github.private_key_path));
+	const newGitConfig = join(targetDir, "gitconfig");
+	await updateConfigSection("ssh", {
+		private_key_path: newSshPriv,
+		public_key_path: newSshPub
+	}, targetDir);
+	await updateConfigSection("github", {
+		app_id: config.github.app_id,
+		app_slug: config.github.app_slug,
+		installation_id: config.github.installation_id,
+		private_key_path: newPem,
+		...config.github.org ? { org: config.github.org } : {}
+	}, targetDir);
+	await updateConfigSection("git", {
+		name: config.git.name,
+		email: config.git.email,
+		signing: config.git.signing,
+		config_path: newGitConfig
+	}, targetDir);
+	const rewrittenFields = [
+		"ssh.private_key_path",
+		"ssh.public_key_path",
+		"github.private_key_path",
+		"git.config_path"
+	];
+	await writeGitConfig({
+		configDir: targetDir,
+		name: config.git.name,
+		email: config.git.email,
+		sshPublicKeyPath: newSshPub
+	});
+	await writeEnvFile({
+		envDir: targetDir,
+		agentName,
+		prefix: toEnvPrefix(agentName),
+		clientId: config.oauth2.client_id,
+		clientSecret: config.oauth2.client_secret,
+		appId: config.github.app_id,
+		pemPath: newPem,
+		installationId: config.github.installation_id
+	});
+	return {
+		configPath: join(targetDir, "moltnet.json"),
+		rewrittenFields,
+		gitConfigPath: newGitConfig,
+		envDir: targetDir
+	};
+}
+//#endregion
+//#region src/phases/portVerifyInstallation.ts
+/**
+* Warning-only check: can the ported GitHub App installation reach the
+* repo the port command is running against?
+*
+* Mints an installation token via github-agent, then calls
+* GET /installation/repositories. Never blocks — returns a warning
+* object the TUI renders. Any failure (bad token, network, missing
+* currentRepo) is downgraded to a warning.
+*/
+async function runPortVerifyInstallationPhase(opts) {
+	const { config, currentRepo, apiBaseUrl = "https://api.github.com" } = opts;
+	if (!currentRepo) return {
+		status: "warning",
+		message: "unable to determine current repo (git remote missing) — skipping installation scope check"
+	};
+	if (!config.github?.app_id || !config.github?.installation_id || !config.github?.private_key_path) return {
+		status: "warning",
+		message: "github.app_id / installation_id / private_key_path missing",
+		currentRepo
+	};
+	let token;
+	try {
+		token = (await getInstallationToken({
+			appId: config.github.app_id,
+			privateKeyPath: config.github.private_key_path,
+			installationId: config.github.installation_id
+		})).token;
+	} catch (err) {
+		return {
+			status: "warning",
+			message: `could not mint installation token: ${err.message}`,
+			currentRepo
+		};
+	}
+	const accessible = [];
+	let nextUrl = `${apiBaseUrl}/installation/repositories?per_page=100`;
+	let pageCount = 0;
+	const MAX_PAGES = 20;
+	while (nextUrl && pageCount < MAX_PAGES) {
+		pageCount++;
+		let res;
+		try {
+			res = await fetch(nextUrl, { headers: {
+				Accept: "application/vnd.github+json",
+				"X-GitHub-Api-Version": "2022-11-28",
+				Authorization: `Bearer ${token}`
+			} });
+		} catch (err) {
+			return {
+				status: "warning",
+				message: `installation check network error: ${err.message}`,
+				currentRepo
+			};
+		}
+		if (!res.ok) return {
+			status: "warning",
+			message: `installation check failed (${res.status})`,
+			currentRepo
+		};
+		const data = await res.json();
+		if (data.repository_selection === "all") return {
+			status: "ok",
+			message: "installation has access to all repos on the account",
+			currentRepo,
+			repositorySelection: "all"
+		};
+		for (const r of data.repositories) accessible.push(r.full_name);
+		if (accessible.includes(currentRepo)) break;
+		nextUrl = parseNextLink(res.headers.get("link"));
+	}
+	if (accessible.includes(currentRepo)) return {
+		status: "ok",
+		message: `installation has access to ${currentRepo}`,
+		currentRepo,
+		repositorySelection: "selected",
+		accessibleRepos: accessible
+	};
+	const truncated = pageCount >= MAX_PAGES && nextUrl !== null;
+	const truncatedNote = truncated ? " (scan truncated after " + MAX_PAGES + " pages — result may be stale)" : "";
+	return {
+		status: "repo-not-in-scope",
+		message: `installation is scoped to ${accessible.length}${truncated ? "+" : ""} repo(s) but does not include ${currentRepo}. Add the repo at https://github.com/settings/installations/${config.github.installation_id}` + truncatedNote,
+		currentRepo,
+		repositorySelection: "selected",
+		accessibleRepos: accessible
+	};
+}
+/**
+* Parse the `Link` header for a `rel="next"` URL. Returns null if absent.
+* GitHub's Link header format:
+*   <https://api.github.com/...?page=2>; rel="next", <...>; rel="last"
+*/
+function parseNextLink(header) {
+	if (!header) return null;
+	for (const part of header.split(",")) {
+		const match = part.match(/<([^>]+)>\s*;\s*rel="next"/);
+		if (match) return match[1];
+	}
+	return null;
+}
+//#endregion
+//#region src/PortApp.tsx
+/** Read `owner/repo` from `git remote get-url origin`. Returns null on any failure. */
+function detectCurrentRepo(repoDir) {
+	try {
+		const match = execSync("git remote get-url origin", {
+			cwd: repoDir,
+			encoding: "utf-8",
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			]
+		}).trim().match(/github\.com[:/]([^/]+\/[^/]+?)(\.git)?$/);
+		return match ? match[1] : null;
+	} catch {
+		return null;
+	}
+}
+function PortApp({ name, agents, sourceDir, targetRepoDir, diaryMode, apiUrl }) {
+	const { exit } = useApp();
+	const [phase, setPhase] = useState("validating");
+	const [error, setError] = useState();
+	const [summary, setSummary] = useState(null);
+	useEffect(() => {
+		(async () => {
+			try {
+				const targetDir = join(targetRepoDir, ".moltnet", name);
+				const filesWritten = [];
+				const warnings = [];
+				setPhase("validating");
+				const { config, issues, canProceed } = await runPortValidatePhase({ sourceDir });
+				if (!canProceed) throw new Error("source .moltnet is not portable: " + issues.map((i) => `${i.field} (${i.problem})`).join(", "));
+				const existing = await readConfig(targetDir);
+				if (existing?.identity_id && existing.identity_id !== config.identity_id) throw new Error(`target ${targetDir} already has a different identity_id (${existing.identity_id}); refusing to overwrite`);
+				setPhase("copying");
+				const copyResult = await runPortCopyPhase({
+					sourceDir,
+					targetDir,
+					config
+				});
+				filesWritten.push(...copyResult.copied);
+				warnings.push(...copyResult.warnings);
+				setPhase("rewriting");
+				const rewriteResult = await runPortRewritePhase({
+					targetDir,
+					agentName: name,
+					config
+				});
+				filesWritten.push(rewriteResult.gitConfigPath);
+				filesWritten.push(join(targetDir, "env"));
+				setPhase("diary");
+				const diaryResult = await runPortDiaryPhase({
+					targetDir,
+					mode: diaryMode,
+					sourceDiaryId: await readSourceDiaryId(sourceDir)
+				});
+				setPhase("agent_setup");
+				const adapterOpts = {
+					repoDir: targetRepoDir,
+					agentName: name,
+					prefix: toEnvPrefix(name),
+					mcpUrl: config.endpoints?.mcp ?? apiUrl.replace("://api.", "://mcp.") + "/mcp",
+					clientId: config.oauth2.client_id,
+					clientSecret: config.oauth2.client_secret,
+					appSlug: config.github?.app_slug ?? "",
+					appId: config.github?.app_id ?? "",
+					pemPath: join(targetDir, basename(config.github?.private_key_path ?? "")),
+					installationId: config.github?.installation_id ?? ""
+				};
+				for (const agentType of agents) {
+					const adapter = adapters[agentType];
+					await adapter.writeMcpConfig(adapterOpts);
+					filesWritten.push(`${agentType}: MCP config`);
+					await adapter.writeSkills(targetRepoDir);
+					filesWritten.push(`${agentType}: skills`);
+					await adapter.writeSettings(adapterOpts);
+					filesWritten.push(`${agentType}: settings`);
+					await adapter.writeRules(adapterOpts);
+					filesWritten.push(`${agentType}: gh token rule`);
+				}
+				setPhase("verifying");
+				const verifyResult = await runPortVerifyInstallationPhase({
+					config: await readConfig(targetDir) ?? config,
+					currentRepo: detectCurrentRepo(targetRepoDir) ?? void 0
+				});
+				if (verifyResult.status !== "ok") warnings.push(verifyResult.message);
+				setSummary({
+					agentName: name,
+					filesWritten,
+					warnings,
+					validationIssues: issues,
+					diaryMode,
+					diaryId: diaryResult.diaryId,
+					installMessage: verifyResult.message,
+					installStatus: verifyResult.status
+				});
+				setPhase("done");
+				setTimeout(() => exit(), 3e3);
+			} catch (err) {
+				setError(toErrorMessage(err));
+				setPhase("error");
+				setTimeout(() => exit(/* @__PURE__ */ new Error("Port failed")), 3e3);
+			}
+		})();
+	}, []);
+	if (phase === "error") return /* @__PURE__ */ jsxs(Box, {
+		flexDirection: "column",
+		paddingY: 1,
+		children: [/* @__PURE__ */ jsx(CliHero, {}), /* @__PURE__ */ jsx(Box, {
+			borderStyle: "round",
+			borderColor: cliTheme.color.error,
+			paddingX: 2,
+			paddingY: 1,
+			children: /* @__PURE__ */ jsx(Text, {
+				color: cliTheme.color.error,
+				bold: true,
+				children: "* Port failed: " + (error ?? "unknown error")
+			})
+		})]
+	});
+	if (phase !== "done") {
+		const labels = {
+			validating: `Validating source .moltnet/${name}...`,
+			copying: `Copying private material...`,
+			rewriting: `Rewriting paths in moltnet.json...`,
+			diary: `Configuring diary (${diaryMode})...`,
+			agent_setup: `Installing agent files for ${agents.join(", ")}...`,
+			verifying: `Verifying GitHub App installation scope...`
+		};
+		return /* @__PURE__ */ jsxs(Box, {
+			flexDirection: "column",
+			paddingY: 1,
+			children: [/* @__PURE__ */ jsx(CliHero, {}), /* @__PURE__ */ jsx(CliSpinner, { label: labels[phase] })]
+		});
+	}
+	return /* @__PURE__ */ jsxs(Box, {
+		flexDirection: "column",
+		paddingY: 1,
+		children: [
+			/* @__PURE__ */ jsx(CliHero, {}),
+			/* @__PURE__ */ jsxs(Box, {
+				flexDirection: "column",
+				marginBottom: 1,
+				children: [
+					/* @__PURE__ */ jsx(Text, {
+						color: cliTheme.color.success,
+						bold: true,
+						children: `Ported ${name} to ${targetRepoDir}`
+					}),
+					/* @__PURE__ */ jsx(Text, {
+						color: cliTheme.color.muted,
+						children: `  diary: ${summary?.diaryMode}${summary?.diaryId ? ` (${summary.diaryId})` : ""}`
+					}),
+					/* @__PURE__ */ jsx(Text, {
+						color: cliTheme.color.muted,
+						children: `  installation: ${summary?.installStatus}`
+					}),
+					summary?.filesWritten.map((f, i) => /* @__PURE__ */ jsx(Text, {
+						color: cliTheme.color.muted,
+						children: "  * " + f
+					}, i))
+				]
+			}),
+			summary && summary.warnings.length > 0 && /* @__PURE__ */ jsxs(Box, {
+				borderStyle: "round",
+				borderColor: cliTheme.color.warning,
+				paddingX: 2,
+				paddingY: 0,
+				flexDirection: "column",
+				children: [/* @__PURE__ */ jsx(Text, {
+					color: cliTheme.color.warning,
+					bold: true,
+					children: "Warnings:"
+				}), summary.warnings.map((w, i) => /* @__PURE__ */ jsx(Text, {
+					color: cliTheme.color.warning,
+					children: "  ! " + w
+				}, i))]
+			})
+		]
+	});
+}
+//#endregion
 //#region src/SetupApp.tsx
 function SetupApp({ name, agents: agentsProp, apiUrl, dir }) {
 	const { exit } = useApp();
@@ -8732,6 +9612,7 @@ function SetupApp({ name, agents: agentsProp, apiUrl, dir }) {
 					clientId: config.oauth2.client_id,
 					clientSecret: config.oauth2.client_secret,
 					appSlug: config.github?.app_slug ?? config.github?.app_id ?? "",
+					appId: config.github?.app_id ?? "",
 					pemPath: config.github?.private_key_path ?? "",
 					installationId: config.github?.installation_id ?? ""
 				};
@@ -8835,7 +9716,13 @@ var { values, positionals } = parseArgs({
 			multiple: true
 		},
 		"api-url": { type: "string" },
-		dir: { type: "string" }
+		dir: { type: "string" },
+		org: {
+			type: "string",
+			short: "o"
+		},
+		from: { type: "string" },
+		diary: { type: "string" }
 	}
 });
 var subcommand = positionals[0] ?? "init";
@@ -8843,6 +9730,13 @@ var name = values["name"];
 var agentFlags = values["agent"] ?? [];
 var apiUrl = values["api-url"] ?? process.env.MOLTNET_API_URL ?? "https://api.themolt.net";
 var dir = values["dir"] ?? process.cwd();
+var org = values["org"];
+var fromDir = values["from"];
+var diaryModeArg = values["diary"];
+if (diaryModeArg !== void 0 && subcommand !== "port") {
+	process.stderr.write(`Error: --diary is only valid for \`legreffier port\` (got subcommand "${subcommand}")\n`);
+	process.exit(1);
+}
 if (subcommand === "github" && positionals[1] === "token") try {
 	printGitHubToken(resolveAgentName(name, process.env.GIT_CONFIG_GLOBAL), dir);
 	process.exit(0);
@@ -8851,7 +9745,7 @@ if (subcommand === "github" && positionals[1] === "token") try {
 	process.exit(1);
 }
 if (!name) {
-	const usage = subcommand === "setup" ? "Usage: legreffier setup --name <agent-name> [--agent claude] [--agent codex] [--dir <path>]" : "Usage: legreffier [init] --name <agent-name> [--agent claude] [--agent codex] [--api-url <url>] [--dir <path>]";
+	const usage = subcommand === "setup" ? "Usage: legreffier setup --name <agent-name> [--agent claude] [--agent codex] [--dir <path>]" : subcommand === "port" ? "Usage: legreffier port --name <agent-name> --from <path/to/source/.moltnet/<agent>> [--agent claude] [--agent codex] [--dir <target-repo>] [--diary new|reuse|skip]" : "Usage: legreffier [init] --name <agent-name> [--agent claude] [--agent codex] [--api-url <url>] [--dir <path>] [--org <github-org>]";
 	process.stderr.write(usage + "\n");
 	process.exit(1);
 }
@@ -8874,10 +9768,51 @@ else if (subcommand === "init") render(/* @__PURE__ */ jsx(InitApp, {
 	name,
 	agents: agents.length > 0 ? agents : void 0,
 	apiUrl,
-	dir
+	dir,
+	org
 }));
-else {
-	process.stderr.write(`Unknown subcommand: ${subcommand}. Use "init" or "setup".\n`);
+else if (subcommand === "port") {
+	if (!fromDir) {
+		process.stderr.write("Error: legreffier port requires --from <path/to/source/.moltnet/<agent>>\n");
+		process.exit(1);
+	}
+	const resolvedDiaryMode = diaryModeArg ?? "new";
+	if (![
+		"new",
+		"reuse",
+		"skip"
+	].includes(resolvedDiaryMode)) {
+		process.stderr.write(`Error: --diary must be one of: new, reuse, skip (got "${resolvedDiaryMode}")\n`);
+		process.exit(1);
+	}
+	try {
+		if (!statSync(dir).isDirectory()) {
+			process.stderr.write(`Error: --dir "${dir}" is not a directory\n`);
+			process.exit(1);
+		}
+	} catch {
+		process.stderr.write(`Error: --dir "${dir}" does not exist\n`);
+		process.exit(1);
+	}
+	try {
+		if (!statSync(fromDir).isDirectory()) {
+			process.stderr.write(`Error: --from "${fromDir}" is not a directory\n`);
+			process.exit(1);
+		}
+	} catch {
+		process.stderr.write(`Error: --from "${fromDir}" does not exist\n`);
+		process.exit(1);
+	}
+	render(/* @__PURE__ */ jsx(PortApp, {
+		name,
+		agents: agents.length > 0 ? agents : ["claude"],
+		sourceDir: fromDir,
+		targetRepoDir: dir,
+		diaryMode: resolvedDiaryMode,
+		apiUrl
+	}));
+} else {
+	process.stderr.write(`Unknown subcommand: ${subcommand}. Use "init", "setup", or "port".\n`);
 	process.exit(1);
 }
 //#endregion