@theplato/tiro-cli 0.1.0

package/dist/bin/tiro.js

@@ -0,0 +1,1468 @@
+#!/usr/bin/env node
+
+// src/bin/tiro.ts
+import { Command as Command10 } from "commander";
+
+// src/lib/version.ts
+var VERSION = "0.1.0";
+
+// src/lib/error.ts
+var ExitCode = {
+  Ok: 0,
+  Generic: 1,
+  Usage: 2,
+  AuthRequired: 4,
+  ExUsage: 64,
+  ExDataErr: 65,
+  ExConfig: 78
+};
+var TiroError = class extends Error {
+  code;
+  suggestion;
+  errorType;
+  httpStatus;
+  requestId;
+  exitCode;
+  constructor(payload, exitCode = ExitCode.Generic) {
+    super(payload.message);
+    this.name = "TiroError";
+    this.code = payload.code;
+    this.suggestion = payload.suggestion;
+    this.errorType = payload.errorType;
+    this.httpStatus = payload.httpStatus;
+    this.requestId = payload.requestId;
+    this.exitCode = exitCode;
+  }
+  toJSON() {
+    return {
+      ok: false,
+      error: {
+        code: this.code,
+        message: this.message,
+        ...this.suggestion !== void 0 && { suggestion: this.suggestion },
+        ...this.errorType !== void 0 && { errorType: this.errorType },
+        ...this.httpStatus !== void 0 && { httpStatus: this.httpStatus },
+        ...this.requestId !== void 0 && { requestId: this.requestId }
+      }
+    };
+  }
+};
+function authRequired() {
+  return new TiroError(
+    {
+      code: "auth_required",
+      message: "Not authenticated. Run `tiro auth login` to sign in, or set TIRO_TOKEN env var.",
+      suggestion: "tiro auth login",
+      errorType: "auth_required"
+    },
+    ExitCode.AuthRequired
+  );
+}
+
+// src/lib/output/tty.ts
+function resolveOutputMode(opts) {
+  if (opts.json) return "json";
+  if (opts.pretty) return "pretty";
+  return process.stdout.isTTY ? "pretty" : "json";
+}
+function colorEnabled(opts) {
+  if (opts.noColor) return false;
+  if (process.env["NO_COLOR"]) return false;
+  if (process.env["FORCE_COLOR"]) return true;
+  return process.stdout.isTTY === true;
+}
+var ANSI = {
+  reset: "\x1B[0m",
+  bold: "\x1B[1m",
+  dim: "\x1B[2m",
+  red: "\x1B[31m",
+  green: "\x1B[32m",
+  yellow: "\x1B[33m",
+  blue: "\x1B[34m",
+  magenta: "\x1B[35m",
+  cyan: "\x1B[36m",
+  gray: "\x1B[90m"
+};
+function color(text, style, opts = {}) {
+  if (!colorEnabled(opts)) return text;
+  return `${ANSI[style]}${text}${ANSI.reset}`;
+}
+
+// src/lib/output/print.ts
+function printOutput(value, opts = {}) {
+  if (opts.quiet) return;
+  const mode = resolveOutputMode(opts);
+  if (mode === "json") {
+    process.stdout.write(`${JSON.stringify(value)}
+`);
+  } else {
+    process.stdout.write(`${JSON.stringify(value, null, 2)}
+`);
+  }
+}
+function printError(value) {
+  process.stderr.write(`${JSON.stringify(value)}
+`);
+}
+function printNdjson(item) {
+  process.stdout.write(`${JSON.stringify(item)}
+`);
+}
+
+// src/commands/auth/index.ts
+import "commander";
+
+// src/commands/auth/login.ts
+import "commander";
+
+// src/lib/auth/flow.ts
+import { z } from "zod";
+
+// src/lib/auth/pkce.ts
+import { createHash, randomBytes } from "crypto";
+function generatePkce() {
+  const codeVerifier = base64url(randomBytes(32));
+  const codeChallenge = base64url(createHash("sha256").update(codeVerifier).digest());
+  return { codeVerifier, codeChallenge, method: "S256" };
+}
+function generateState() {
+  return base64url(randomBytes(24));
+}
+function base64url(buf) {
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+
+// src/lib/auth/loopback.ts
+import http from "http";
+async function startLoopbackServer() {
+  let pendingResolve = null;
+  let pendingReject = null;
+  const settle = (fn, arg) => {
+    pendingResolve = null;
+    pendingReject = null;
+    fn(arg);
+  };
+  const server = http.createServer((req, res) => {
+    if (!req.url) {
+      res.writeHead(400).end();
+      return;
+    }
+    const url = new URL(req.url, `http://127.0.0.1`);
+    if (url.pathname !== "/callback") {
+      res.writeHead(404, { "Content-Type": "text/plain" }).end("Not found");
+      return;
+    }
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    const error = url.searchParams.get("error");
+    const errorDesc = url.searchParams.get("error_description") ?? "";
+    if (error) {
+      const msg = `OAuth error: ${error}${errorDesc ? ` \u2014 ${errorDesc}` : ""}`;
+      respondPage(res, 500, "Login failed", msg);
+      if (pendingReject) settle(pendingReject, new Error(msg));
+      return;
+    }
+    if (!code || !state) {
+      respondPage(res, 400, "Missing parameters", "Missing `code` or `state`.");
+      if (pendingReject) settle(pendingReject, new Error("Missing code or state"));
+      return;
+    }
+    respondPage(
+      res,
+      200,
+      "Login successful",
+      "You're signed in. You can close this tab and return to the terminal."
+    );
+    if (pendingResolve) settle(pendingResolve, { code, state });
+  });
+  await new Promise((resolve2) => {
+    server.listen(0, "127.0.0.1", () => resolve2());
+  });
+  const address = server.address();
+  const port = address.port;
+  const redirectUri = `http://127.0.0.1:${port}/callback`;
+  return {
+    redirectUri,
+    port,
+    waitForCallback(timeoutMs) {
+      return new Promise((resolve2, reject) => {
+        const timer = setTimeout(() => {
+          pendingResolve = null;
+          pendingReject = null;
+          reject(new Error(`Timed out waiting for OAuth callback (${timeoutMs}ms)`));
+        }, timeoutMs);
+        pendingResolve = (r) => {
+          clearTimeout(timer);
+          resolve2(r);
+        };
+        pendingReject = (e) => {
+          clearTimeout(timer);
+          reject(e);
+        };
+      });
+    },
+    close() {
+      server.close();
+    }
+  };
+}
+function respondPage(res, status, title, body) {
+  const html = `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <title>${title}</title>
+  <style>
+    body { font-family: -apple-system, system-ui, sans-serif; padding: 4rem; max-width: 32rem; margin: 0 auto; color: #1a1a1a; }
+    h1 { font-size: 1.5rem; margin-bottom: 1rem; }
+    p { color: #555; line-height: 1.5; }
+  </style>
+</head>
+<body>
+  <h1>${title}</h1>
+  <p>${body}</p>
+</body>
+</html>`;
+  res.writeHead(status, { "Content-Type": "text/html; charset=utf-8" });
+  res.end(html);
+}
+
+// src/lib/auth/browser.ts
+import open from "open";
+async function openBrowser(url) {
+  try {
+    await open(url, { wait: false });
+  } catch {
+  }
+}
+
+// src/lib/auth/keychain.ts
+import { Entry } from "@napi-rs/keyring";
+var SERVICE = "io.tiro.cli";
+var ACCOUNT = "default";
+function saveToken(token) {
+  const entry = new Entry(SERVICE, ACCOUNT);
+  try {
+    entry.setPassword(JSON.stringify(token));
+  } catch (err) {
+    throw new TiroError(
+      {
+        code: "keychain_write_failed",
+        message: `Failed to write to OS keychain: ${err.message}`,
+        errorType: "internal_error",
+        suggestion: process.platform === "linux" ? "Linux requires a Secret Service daemon (gnome-keyring or kwallet). Or set TIRO_TOKEN env var." : "Check OS keychain permissions, or set TIRO_TOKEN env var."
+      },
+      ExitCode.Generic
+    );
+  }
+}
+function loadToken() {
+  const entry = new Entry(SERVICE, ACCOUNT);
+  let raw;
+  try {
+    raw = entry.getPassword();
+  } catch {
+    return null;
+  }
+  if (!raw) return null;
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function deleteToken() {
+  const entry = new Entry(SERVICE, ACCOUNT);
+  try {
+    return entry.deletePassword();
+  } catch {
+    return false;
+  }
+}
+
+// src/lib/auth/token.ts
+function resolveToken() {
+  const envToken = process.env["TIRO_TOKEN"];
+  if (envToken) {
+    return { accessToken: envToken, source: "env" };
+  }
+  const stored = loadToken();
+  if (stored) {
+    return {
+      accessToken: stored.accessToken,
+      source: "keychain",
+      hostname: stored.hostname,
+      expiresAt: stored.expiresAt,
+      ...stored.userId !== void 0 && { userId: stored.userId }
+    };
+  }
+  return null;
+}
+function decodeJwtPayload(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) return null;
+  try {
+    const payload = parts[1];
+    if (!payload) return null;
+    const json = Buffer.from(payload, "base64url").toString("utf8");
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
+
+// src/lib/config.ts
+import Conf from "conf";
+var DEFAULT_HOSTNAME = "https://api.tiro.ooo";
+var config = new Conf({
+  projectName: "tiro",
+  defaults: {
+    hostname: DEFAULT_HOSTNAME,
+    oauthClientId: null,
+    oauthClientIdRegisteredAt: null,
+    defaultOutputDir: null
+  }
+});
+function getHostname(override) {
+  if (override) return stripTrailingSlash(override);
+  const env = process.env["TIRO_HOSTNAME"];
+  if (env) return stripTrailingSlash(env);
+  return stripTrailingSlash(config.get("hostname"));
+}
+function getOauthClientId() {
+  const id = config.get("oauthClientId");
+  const registeredAt = config.get("oauthClientIdRegisteredAt");
+  if (!id || !registeredAt) return null;
+  const ttlMs = 29 * 24 * 60 * 60 * 1e3;
+  if (Date.now() - registeredAt > ttlMs) return null;
+  return id;
+}
+function setOauthClientId(clientId) {
+  config.set("oauthClientId", clientId);
+  config.set("oauthClientIdRegisteredAt", Date.now());
+}
+function clearOauthClientId() {
+  config.set("oauthClientId", null);
+  config.set("oauthClientIdRegisteredAt", null);
+}
+function stripTrailingSlash(s) {
+  return s.endsWith("/") ? s.slice(0, -1) : s;
+}
+
+// src/lib/auth/flow.ts
+var RegisterResponseSchema = z.object({
+  client_id: z.string(),
+  client_secret: z.string().optional()
+});
+var TokenResponseSchema = z.object({
+  access_token: z.string(),
+  token_type: z.string(),
+  expires_in: z.number().optional(),
+  scope: z.string().optional()
+});
+var CALLBACK_TIMEOUT_MS = 5 * 60 * 1e3;
+var DEFAULT_SCOPE = "mcp:notes:read";
+async function performLogin(options = {}) {
+  const hostname = getHostname(options.hostname);
+  const onPrompt = options.onPrompt ?? ((msg) => process.stderr.write(`${msg}
+`));
+  const loopback = await startLoopbackServer();
+  try {
+    const clientId = await ensureOauthClient(hostname, loopback.redirectUri);
+    const { codeVerifier, codeChallenge } = generatePkce();
+    const state = generateState();
+    const authorizeUrl = buildAuthorizeUrl({
+      hostname,
+      clientId,
+      redirectUri: loopback.redirectUri,
+      state,
+      codeChallenge,
+      scope: options.scope ?? DEFAULT_SCOPE
+    });
+    if (options.noBrowser) {
+      onPrompt(`Open this URL in your browser:
+${authorizeUrl}`);
+    } else {
+      onPrompt(`Opening browser for sign-in...`);
+      onPrompt(`If the browser does not open, visit:
+${authorizeUrl}`);
+      await openBrowser(authorizeUrl);
+    }
+    const callback = await loopback.waitForCallback(CALLBACK_TIMEOUT_MS);
+    if (callback.state !== state) {
+      throw new TiroError(
+        {
+          code: "auth_state_mismatch",
+          message: "OAuth state mismatch \u2014 possible CSRF. Aborting.",
+          errorType: "unauthorized"
+        },
+        ExitCode.Generic
+      );
+    }
+    const tokenRes = await exchangeToken({
+      hostname,
+      clientId,
+      code: callback.code,
+      redirectUri: loopback.redirectUri,
+      codeVerifier
+    });
+    const expiresAt = computeExpiry(tokenRes.expires_in);
+    const payload = decodeJwtPayload(tokenRes.access_token);
+    const userId = typeof payload?.["sub"] === "string" ? payload["sub"] : void 0;
+    const stored = {
+      accessToken: tokenRes.access_token,
+      tokenType: tokenRes.token_type,
+      expiresAt,
+      hostname,
+      ...tokenRes.scope !== void 0 && { scope: tokenRes.scope },
+      ...userId !== void 0 && { userId }
+    };
+    saveToken(stored);
+    return { hostname, userId, expiresAt };
+  } finally {
+    loopback.close();
+  }
+}
+async function ensureOauthClient(hostname, redirectUri) {
+  const cached = getOauthClientId();
+  if (cached) return cached;
+  const url = `${hostname}/v1/mcp/oauth/register`;
+  let res;
+  try {
+    res = await fetch(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        client_name: "tiro-cli",
+        redirect_uris: [redirectUri],
+        grant_types: ["authorization_code"],
+        response_types: ["code"],
+        token_endpoint_auth_method: "none",
+        scope: DEFAULT_SCOPE
+      })
+    });
+  } catch (err) {
+    throw new TiroError(
+      {
+        code: "network_error",
+        message: `Failed to reach ${hostname}: ${err.message}`,
+        errorType: "network_error",
+        suggestion: "Check your network connection or --hostname."
+      },
+      ExitCode.Generic
+    );
+  }
+  if (!res.ok) {
+    const detail = await safeText(res);
+    throw new TiroError(
+      {
+        code: "oauth_register_failed",
+        message: `Dynamic Client Registration failed: HTTP ${res.status}`,
+        errorType: "internal_error",
+        httpStatus: res.status,
+        ...detail !== "" && { suggestion: detail.slice(0, 200) }
+      },
+      ExitCode.Generic
+    );
+  }
+  const json = await res.json();
+  const parsed = RegisterResponseSchema.safeParse(json);
+  if (!parsed.success) {
+    throw new TiroError(
+      {
+        code: "oauth_register_invalid",
+        message: "Registration response did not match expected shape.",
+        errorType: "internal_error"
+      },
+      ExitCode.Generic
+    );
+  }
+  setOauthClientId(parsed.data.client_id);
+  return parsed.data.client_id;
+}
+function buildAuthorizeUrl(input) {
+  const u = new URL(`${input.hostname}/v1/mcp/oauth/authorize`);
+  u.searchParams.set("response_type", "code");
+  u.searchParams.set("client_id", input.clientId);
+  u.searchParams.set("redirect_uri", input.redirectUri);
+  u.searchParams.set("state", input.state);
+  u.searchParams.set("code_challenge", input.codeChallenge);
+  u.searchParams.set("code_challenge_method", "S256");
+  u.searchParams.set("scope", input.scope);
+  return u.toString();
+}
+async function exchangeToken(input) {
+  const url = `${input.hostname}/v1/mcp/oauth/token`;
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code: input.code,
+    redirect_uri: input.redirectUri,
+    client_id: input.clientId,
+    code_verifier: input.codeVerifier
+  });
+  let res;
+  try {
+    res = await fetch(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+  } catch (err) {
+    throw new TiroError(
+      {
+        code: "network_error",
+        message: `Failed to reach ${input.hostname}: ${err.message}`,
+        errorType: "network_error"
+      },
+      ExitCode.Generic
+    );
+  }
+  if (!res.ok) {
+    if (res.status === 400 || res.status === 401) {
+      clearOauthClientId();
+    }
+    const detail = await safeText(res);
+    throw new TiroError(
+      {
+        code: "oauth_token_failed",
+        message: `Token exchange failed: HTTP ${res.status}`,
+        errorType: "unauthorized",
+        httpStatus: res.status,
+        ...detail !== "" && { suggestion: detail.slice(0, 200) }
+      },
+      ExitCode.AuthRequired
+    );
+  }
+  const json = await res.json();
+  const parsed = TokenResponseSchema.safeParse(json);
+  if (!parsed.success) {
+    throw new TiroError(
+      {
+        code: "oauth_token_invalid",
+        message: "Token response did not match expected shape.",
+        errorType: "internal_error"
+      },
+      ExitCode.Generic
+    );
+  }
+  return parsed.data;
+}
+function computeExpiry(expiresIn) {
+  const fallbackSeconds = 180 * 24 * 60 * 60;
+  const seconds = expiresIn ?? fallbackSeconds;
+  return Date.now() + seconds * 1e3;
+}
+async function safeText(res) {
+  try {
+    return await res.text();
+  } catch {
+    return "";
+  }
+}
+
+// src/commands/auth/login.ts
+function registerAuthLogin(parent) {
+  parent.command("login").description("Sign in to Tiro via OAuth (browser-based, PKCE)").option("--hostname <url>", "API base URL (overrides config / TIRO_HOSTNAME)").option("--no-browser", "Print the URL instead of opening a browser").action(async (opts, cmd) => {
+    const globalOpts = cmd.optsWithGlobals();
+    const result = await performLogin({
+      ...opts.hostname !== void 0 && { hostname: opts.hostname },
+      noBrowser: opts.noBrowser === true,
+      onPrompt: (msg) => {
+        if (globalOpts.quiet) return;
+        process.stderr.write(`${color(msg, "cyan", globalOpts)}
+`);
+      }
+    });
+    const hostname = getHostname(opts.hostname);
+    const expiresIso = new Date(result.expiresAt).toISOString();
+    if (globalOpts.json) {
+      printOutput(
+        {
+          ok: true,
+          data: {
+            signedIn: true,
+            hostname,
+            userId: result.userId ?? null,
+            expiresAt: expiresIso
+          }
+        },
+        globalOpts
+      );
+    } else if (!globalOpts.quiet) {
+      process.stderr.write(`${color("\u2713", "green", globalOpts)} Signed in to ${hostname}
+`);
+      if (result.userId) {
+        process.stderr.write(`  user: ${result.userId}
+`);
+      }
+      process.stderr.write(`  token expires: ${expiresIso}
+`);
+    }
+  });
+}
+
+// src/commands/auth/status.ts
+import "commander";
+function registerAuthStatus(parent) {
+  parent.command("status").description("Show current authenticated account and scopes").action(async (_opts, cmd) => {
+    const globalOpts = cmd.optsWithGlobals();
+    const t = resolveToken();
+    if (!t) {
+      throw authRequired();
+    }
+    const payload = decodeJwtPayload(t.accessToken);
+    const sub = typeof payload?.["sub"] === "string" ? payload["sub"] : null;
+    const exp = typeof payload?.["exp"] === "number" ? payload["exp"] * 1e3 : null;
+    const scope = typeof payload?.["scope"] === "string" ? payload["scope"] : null;
+    const expMs = exp ?? t.expiresAt ?? null;
+    const expired = expMs !== null && Date.now() >= expMs;
+    const report = {
+      signedIn: true,
+      source: t.source,
+      hostname: t.hostname ?? null,
+      userId: t.userId ?? sub,
+      scope,
+      expiresAt: expMs ? new Date(expMs).toISOString() : null,
+      expired,
+      tokenPrefix: `${t.accessToken.slice(0, 4)}...***`
+    };
+    if (globalOpts.json || !process.stdout.isTTY) {
+      printOutput({ ok: true, data: report }, globalOpts);
+    } else {
+      const headIcon = expired ? color("!", "yellow", globalOpts) : color("\u2713", "green", globalOpts);
+      const headText = expired ? "Token expired" : "Signed in";
+      process.stdout.write(`${headIcon} ${headText}
+`);
+      process.stdout.write(`  source:     ${report.source}
+`);
+      if (report.hostname) process.stdout.write(`  hostname:   ${report.hostname}
+`);
+      if (report.userId) process.stdout.write(`  user:       ${report.userId}
+`);
+      if (report.scope) process.stdout.write(`  scope:      ${report.scope}
+`);
+      if (report.expiresAt) {
+        const tag = expired ? color(" (expired)", "red", globalOpts) : "";
+        process.stdout.write(`  expires at: ${report.expiresAt}${tag}
+`);
+      }
+      process.stdout.write(`  token:      ${report.tokenPrefix}
+`);
+      if (expired) {
+        process.stdout.write(
+          `
+${color("\u2192", "gray", globalOpts)} Run \`tiro auth login\` to refresh.
+`
+        );
+      }
+    }
+  });
+}
+
+// src/commands/auth/logout.ts
+import "commander";
+function registerAuthLogout(parent) {
+  parent.command("logout").description("Sign out and clear the stored token").action(async (_opts, cmd) => {
+    const globalOpts = cmd.optsWithGlobals();
+    const removed = deleteToken();
+    clearOauthClientId();
+    if (globalOpts.json) {
+      printOutput({ ok: true, data: { signedOut: true, hadToken: removed } }, globalOpts);
+    } else if (!globalOpts.quiet) {
+      if (removed) {
+        process.stderr.write(`${color("\u2713", "green", globalOpts)} Signed out
+`);
+      } else {
+        process.stderr.write(`${color("\u2022", "gray", globalOpts)} No token was stored
+`);
+      }
+    }
+  });
+}
+
+// src/commands/auth/index.ts
+function registerAuth(program) {
+  const auth = program.command("auth").description("Manage authentication");
+  registerAuthLogin(auth);
+  registerAuthStatus(auth);
+  registerAuthLogout(auth);
+}
+
+// src/commands/notes/index.ts
+import "commander";
+
+// src/commands/notes/list.ts
+import "commander";
+
+// src/lib/api/client.ts
+import "zod";
+
+// src/lib/api/types.ts
+import { z as z2 } from "zod";
+var CollaboratorSchema = z2.object({
+  guid: z2.string(),
+  name: z2.string(),
+  email: z2.string(),
+  role: z2.enum(["OWNER", "EDITOR", "VIEWER"])
+});
+var ParticipantSchema = z2.object({
+  name: z2.string().nullable().optional(),
+  email: z2.string().nullable().optional()
+});
+var NoteSchema = z2.object({
+  guid: z2.string(),
+  title: z2.string(),
+  createdAt: z2.string(),
+  updatedAt: z2.string(),
+  sourceType: z2.string(),
+  recordingDurationSeconds: z2.number(),
+  collaborators: z2.array(CollaboratorSchema).optional().default([]),
+  participants: z2.array(ParticipantSchema).optional().default([]),
+  webUrl: z2.string(),
+  recordingStartAt: z2.string().nullable().optional(),
+  recordingEndAt: z2.string().nullable().optional()
+}).passthrough();
+var ParagraphSchema = z2.object({
+  text: z2.string(),
+  startMs: z2.number().nullable().optional(),
+  endMs: z2.number().nullable().optional(),
+  speaker: z2.object({
+    name: z2.string().nullable().optional(),
+    email: z2.string().nullable().optional()
+  }).nullable().optional()
+}).passthrough();
+var PageCursorResponseSchema = (item) => z2.object({
+  content: z2.array(item),
+  nextCursor: z2.string().nullable()
+});
+var SimpleListResponseSchema = (item) => z2.object({
+  content: z2.array(item)
+});
+var ApiErrorSchema = z2.object({
+  error: z2.object({
+    code: z2.number(),
+    errorType: z2.string(),
+    message: z2.string(),
+    detail: z2.string().nullable().optional()
+  })
+});
+
+// src/lib/api/client.ts
+var TiroApiClient = class {
+  constructor(hostname, token) {
+    this.hostname = hostname;
+    this.token = token;
+  }
+  hostname;
+  token;
+  async getJson(path, schema, params) {
+    const url = this.buildUrl(path, params);
+    const res = await this.fetch(url, { method: "GET" });
+    return this.parseJson(res, schema, "GET", path);
+  }
+  async postJson(path, schema, body) {
+    const url = this.buildUrl(path);
+    const res = await this.fetch(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body)
+    });
+    return this.parseJson(res, schema, "POST", path);
+  }
+  async putJson(path, schema, body) {
+    const url = this.buildUrl(path);
+    const res = await this.fetch(url, {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body)
+    });
+    return this.parseJson(res, schema, "PUT", path);
+  }
+  async deleteVoid(path) {
+    const url = this.buildUrl(path);
+    const res = await this.fetch(url, { method: "DELETE" });
+    if (!res.ok) throw await mapHttpError(res, "DELETE", path);
+  }
+  buildUrl(path, params) {
+    const base = path.startsWith("http") ? path : `${this.hostname}${path}`;
+    const u = new URL(base);
+    if (params) {
+      for (const [k, v] of Object.entries(params)) {
+        if (v !== void 0 && v !== null && v !== "") {
+          u.searchParams.set(k, String(v));
+        }
+      }
+    }
+    return u.toString();
+  }
+  async fetch(url, init) {
+    const headers = new Headers(init.headers);
+    headers.set("Authorization", `Bearer ${this.token}`);
+    headers.set("Accept", "application/json");
+    try {
+      return await fetch(url, { ...init, headers });
+    } catch (err) {
+      throw new TiroError(
+        {
+          code: "network_error",
+          message: `Network error reaching ${this.hostname}: ${err.message}`,
+          errorType: "network_error",
+          suggestion: "Check your network or --hostname."
+        },
+        ExitCode.Generic
+      );
+    }
+  }
+  async parseJson(res, schema, method, path) {
+    if (!res.ok) throw await mapHttpError(res, method, path);
+    let json;
+    try {
+      json = await res.json();
+    } catch (err) {
+      throw new TiroError(
+        {
+          code: "invalid_response",
+          message: `Failed to parse JSON from ${method} ${path}: ${err.message}`,
+          errorType: "internal_error"
+        },
+        ExitCode.Generic
+      );
+    }
+    const parsed = schema.safeParse(json);
+    if (!parsed.success) {
+      throw new TiroError(
+        {
+          code: "schema_mismatch",
+          message: `Response shape did not match expected schema (${method} ${path}).`,
+          errorType: "internal_error",
+          suggestion: parsed.error.issues.slice(0, 3).map((i) => `${i.path.join(".") || "(root)"}: ${i.message}`).join("; ")
+        },
+        ExitCode.Generic
+      );
+    }
+    return parsed.data;
+  }
+};
+async function mapHttpError(res, method, path) {
+  const requestId = res.headers.get("x-request-id") ?? void 0;
+  const exitCode = res.status === 401 ? ExitCode.AuthRequired : ExitCode.Generic;
+  const apiError = await tryParseApiError(res);
+  if (apiError) {
+    return new TiroError(
+      {
+        code: `${apiError.error.errorType}`,
+        message: apiError.error.message,
+        errorType: apiError.error.errorType,
+        httpStatus: res.status,
+        ...requestId !== void 0 && { requestId },
+        ...res.status === 401 && {
+          suggestion: "Run `tiro auth login` to refresh."
+        }
+      },
+      exitCode
+    );
+  }
+  return new TiroError(
+    {
+      code: "http_error",
+      message: `${method} ${path} failed: HTTP ${res.status} ${res.statusText}`,
+      errorType: httpStatusToErrorType(res.status),
+      httpStatus: res.status,
+      ...requestId !== void 0 && { requestId }
+    },
+    exitCode
+  );
+}
+function httpStatusToErrorType(status) {
+  if (status === 400) return "bad_request";
+  if (status === 401) return "unauthorized";
+  if (status === 403) return "forbidden";
+  if (status === 404) return "not_found";
+  if (status === 409) return "conflict";
+  if (status === 413) return "payload_too_large";
+  if (status === 422) return "unprocessable_entity";
+  if (status === 429) return "too_many_requests";
+  return "internal_error";
+}
+async function tryParseApiError(res) {
+  try {
+    const json = await res.clone().json();
+    const parsed = ApiErrorSchema.safeParse(json);
+    return parsed.success ? parsed.data : null;
+  } catch {
+    return null;
+  }
+}
+function createApiClient(opts = {}) {
+  if (opts.tokenOverride) {
+    return new TiroApiClient(getHostname(opts.hostnameOverride), opts.tokenOverride);
+  }
+  const t = resolveToken();
+  if (!t) throw authRequired();
+  const hostname = getHostname(opts.hostnameOverride ?? t.hostname);
+  return new TiroApiClient(hostname, t.accessToken);
+}
+
+// src/commands/notes/list.ts
+var ListResponseSchema = PageCursorResponseSchema(NoteSchema);
+function registerNotesList(parent) {
+  parent.command("list").description("List recent notes").option("--folder <id>", "Filter by folder ID").option("--limit <n>", "Max results per page (default 50, max 500)").option("--cursor <token>", "Cursor for the next page").action(async (opts, cmd) => {
+    const globalOpts = cmd.optsWithGlobals();
+    const limit = clampLimit(opts.limit);
+    const client = createApiClient({
+      ...globalOpts.hostname !== void 0 && { hostnameOverride: globalOpts.hostname }
+    });
+    const params = {};
+    if (opts.folder) params["folderId"] = opts.folder;
+    if (limit !== void 0) params["size"] = limit;
+    if (opts.cursor) params["cursor"] = opts.cursor;
+    const res = await client.getJson("/v1/external/notes", ListResponseSchema, params);
+    const mode = resolveOutputMode(globalOpts);
+    if (mode === "json") {
+      for (const note of res.content) printNdjson(note);
+      if (res.nextCursor) printNdjson({ _cursor: res.nextCursor });
+    } else {
+      printPretty(res.content, res.nextCursor, globalOpts);
+    }
+  });
+}
+function clampLimit(raw) {
+  if (!raw) return void 0;
+  const n = parseInt(raw, 10);
+  if (!Number.isFinite(n) || n <= 0) return 50;
+  return Math.min(n, 500);
+}
+function printPretty(notes, nextCursor, opts) {
+  if (notes.length === 0) {
+    process.stdout.write(`${color("(no notes)", "gray", opts)}
+`);
+    return;
+  }
+  for (const n of notes) {
+    const date = n.createdAt.slice(0, 10);
+    const dur = formatDuration(n.recordingDurationSeconds);
+    process.stdout.write(
+      `${color(date, "gray", opts)}  ${color(n.guid, "dim", opts)}  ${color(dur, "cyan", opts)}  ${n.title}
+`
+    );
+  }
+  if (nextCursor) {
+    process.stdout.write(
+      `${color(`
+  next: --cursor ${nextCursor}`, "gray", opts)}
+`
+    );
+  }
+}
+function formatDuration(sec) {
+  if (!sec || sec <= 0) return "\u2014";
+  const m = Math.floor(sec / 60);
+  const s = Math.floor(sec % 60);
+  if (m > 0) return `${m}m${s.toString().padStart(2, "0")}s`;
+  return `${s}s`;
+}
+
+// src/commands/notes/search.ts
+import "commander";
+
+// src/lib/util/parseDate.ts
+var RELATIVE_RE = /^(\d+)([smhdw])$/i;
+var UNIT_MS = {
+  s: 1e3,
+  m: 6e4,
+  h: 36e5,
+  d: 864e5,
+  w: 6048e5
+};
+function parseDate(input) {
+  const trimmed = input.trim();
+  const rel = trimmed.match(RELATIVE_RE);
+  if (rel) {
+    const num = parseInt(rel[1] ?? "", 10);
+    const unit = (rel[2] ?? "").toLowerCase();
+    const factor = UNIT_MS[unit];
+    if (!factor || !Number.isFinite(num)) {
+      throw invalidDate(input);
+    }
+    return new Date(Date.now() - num * factor).toISOString();
+  }
+  const d = new Date(trimmed);
+  if (Number.isNaN(d.getTime())) throw invalidDate(input);
+  return d.toISOString();
+}
+function invalidDate(input) {
+  return new TiroError(
+    {
+      code: "invalid_date",
+      message: `Invalid date: "${input}". Use ISO-8601 (e.g. 2026-04-01T10:00:00Z) or relative (e.g. 7d, 24h, 30m).`,
+      errorType: "bad_request"
+    },
+    ExitCode.Usage
+  );
+}
+
+// src/commands/notes/search.ts
+var SearchResponseSchema = PageCursorResponseSchema(NoteSchema);
+function registerNotesSearch(parent) {
+  parent.command("search [query]").description("Search notes by speaker / date / folder / keyword").option("--speaker <name>", "Filter by speaker name").option("--since <date>", "Notes created after this date (ISO-8601 or 7d, 24h, 30m)").option("--until <date>", "Notes created before this date").option("--folder <id>", "Filter by folder ID").option("--limit <n>", "Max results per page (default 50, max 500)").option("--cursor <token>", "Cursor for the next page").action(async (query, opts, cmd) => {
+    const globalOpts = cmd.optsWithGlobals();
+    const client = createApiClient({
+      ...globalOpts.hostname !== void 0 && { hostnameOverride: globalOpts.hostname }
+    });
+    const body = {};
+    if (query) body["query"] = query;
+    if (opts.speaker) body["speaker"] = opts.speaker;
+    if (opts.since) body["since"] = parseDate(opts.since);
+    if (opts.until) body["until"] = parseDate(opts.until);
+    if (opts.folder) body["folderId"] = opts.folder;
+    const limit = clampLimit2(opts.limit);
+    if (limit !== void 0) body["size"] = limit;
+    if (opts.cursor) body["cursor"] = opts.cursor;
+    const res = await client.postJson(
+      "/v1/external/notes/search",
+      SearchResponseSchema,
+      body
+    );
+    const mode = resolveOutputMode(globalOpts);
+    if (mode === "json") {
+      for (const note of res.content) printNdjson(note);
+      if (res.nextCursor) printNdjson({ _cursor: res.nextCursor });
+    } else {
+      printPretty2(res.content, res.nextCursor, globalOpts);
+    }
+  });
+}
+function clampLimit2(raw) {
+  if (!raw) return void 0;
+  const n = parseInt(raw, 10);
+  if (!Number.isFinite(n) || n <= 0) return 50;
+  return Math.min(n, 500);
+}
+function printPretty2(notes, nextCursor, opts) {
+  if (notes.length === 0) {
+    process.stdout.write(`${color("(no matches)", "gray", opts)}
+`);
+    return;
+  }
+  for (const n of notes) {
+    const date = n.createdAt.slice(0, 10);
+    process.stdout.write(
+      `${color(date, "gray", opts)}  ${color(n.guid, "dim", opts)}  ${n.title}
+`
+    );
+  }
+  if (nextCursor) {
+    process.stdout.write(
+      `${color(`
+  next: --cursor ${nextCursor}`, "gray", opts)}
+`
+    );
+  }
+}
+
+// src/commands/notes/get.ts
+import "commander";
+
+// src/lib/output/file.ts
+import { mkdir, rename, stat, writeFile, access } from "fs/promises";
+import { dirname, resolve } from "path";
+async function writeFileAtomic(filepath, content, opts = {}) {
+  const absPath = resolve(filepath);
+  await mkdir(dirname(absPath), { recursive: true });
+  if (!opts.force) {
+    const exists = await fileExists(absPath);
+    if (exists) {
+      throw new TiroError(
+        {
+          code: "file_exists",
+          message: `File already exists: ${absPath}`,
+          errorType: "conflict",
+          suggestion: "Use --force to overwrite, or pick a different --output."
+        },
+        ExitCode.Generic
+      );
+    }
+  }
+  const tmp = `${absPath}.tmp.${process.pid}.${Date.now()}`;
+  await writeFile(tmp, content, "utf8");
+  await rename(tmp, absPath);
+  const s = await stat(absPath);
+  return { path: absPath, size: s.size };
+}
+async function fileExists(p) {
+  try {
+    await access(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/lib/output/format.ts
+function formatNote(note, format, opts = {}) {
+  switch (format) {
+    case "md":
+      return formatMarkdown(note, opts);
+    case "json":
+      return formatJson(note, opts);
+    case "txt":
+      return formatText(note, opts);
+  }
+}
+function formatMarkdown(note, opts) {
+  const fm = [
+    "---",
+    `guid: ${escapeYaml(note.guid)}`,
+    `title: ${escapeYaml(note.title)}`,
+    `createdAt: ${note.createdAt}`,
+    `updatedAt: ${note.updatedAt}`,
+    `sourceType: ${note.sourceType}`,
+    `recordingDurationSeconds: ${note.recordingDurationSeconds}`,
+    `webUrl: ${note.webUrl}`
+  ];
+  if (note.recordingStartAt) fm.push(`recordingStartAt: ${note.recordingStartAt}`);
+  if (note.recordingEndAt) fm.push(`recordingEndAt: ${note.recordingEndAt}`);
+  fm.push("---", "");
+  const parts = [fm.join("\n"), `# ${note.title}`, ""];
+  if (note.participants && note.participants.length > 0) {
+    parts.push("## Participants", "");
+    for (const p of note.participants) {
+      const name = p.name ?? "(no name)";
+      const email = p.email ? ` <${p.email}>` : "";
+      parts.push(`- ${name}${email}`);
+    }
+    parts.push("");
+  }
+  if (opts.includeTranscript && opts.paragraphs && opts.paragraphs.length > 0) {
+    parts.push("## Transcript", "");
+    for (const p of opts.paragraphs) {
+      const speaker = p.speaker?.name ?? "Unknown";
+      const ts = formatTimestamp(p.startMs ?? null);
+      parts.push(`**[${speaker}${ts ? `, ${ts}` : ""}]** ${p.text}`);
+      parts.push("");
+    }
+  }
+  return parts.join("\n");
+}
+function formatJson(note, opts) {
+  const out = { ...note };
+  if (opts.includeTranscript && opts.paragraphs) {
+    out["transcript"] = { paragraphs: opts.paragraphs };
+  }
+  return `${JSON.stringify(out, null, 2)}
+`;
+}
+function formatText(note, opts) {
+  if (!opts.paragraphs || opts.paragraphs.length === 0) {
+    return `${note.title}
+${note.webUrl}
+`;
+  }
+  return opts.paragraphs.map((p) => `[${p.speaker?.name ?? "Unknown"}] ${p.text}`).join("\n");
+}
+function formatTimestamp(ms) {
+  if (ms === null || ms === void 0 || !Number.isFinite(ms)) return "";
+  const totalSec = Math.floor(ms / 1e3);
+  const h = Math.floor(totalSec / 3600);
+  const m = Math.floor(totalSec % 3600 / 60);
+  const s = totalSec % 60;
+  if (h > 0) {
+    return `${pad(h)}:${pad(m)}:${pad(s)}`;
+  }
+  return `${pad(m)}:${pad(s)}`;
+}
+function pad(n) {
+  return n.toString().padStart(2, "0");
+}
+function escapeYaml(s) {
+  if (/[:#\n"']/.test(s)) {
+    return JSON.stringify(s);
+  }
+  return s;
+}
+
+// src/commands/notes/get.ts
+var ParagraphsListSchema = SimpleListResponseSchema(ParagraphSchema);
+var ParagraphsCursorSchema = PageCursorResponseSchema(ParagraphSchema);
+function registerNotesGet(parent) {
+  parent.command("get <guid>").description("Get a single note (stdout or file)").option("--output <path>", "Write to file (stdout becomes metadata only)").option("--format <md|json|txt>", "Output format (default: md for TTY, json for pipe)").option(
+    "--include <items>",
+    "Comma-separated extras: transcript",
+    ""
+  ).option("--force", "Overwrite existing file").action(async (guid, opts, cmd) => {
+    const globalOpts = cmd.optsWithGlobals();
+    const client = createApiClient({
+      ...globalOpts.hostname !== void 0 && { hostnameOverride: globalOpts.hostname }
+    });
+    const includes = parseIncludes(opts.include);
+    const format = pickFormat(opts.format, opts.output);
+    const note = await client.getJson(`/v1/external/notes/${guid}`, NoteSchema);
+    let paragraphs;
+    if (includes.has("transcript") || format === "txt") {
+      paragraphs = await fetchAllParagraphs(client, guid);
+    }
+    const content = formatNote(note, format, {
+      includeTranscript: includes.has("transcript"),
+      ...paragraphs !== void 0 && { paragraphs }
+    });
+    if (opts.output) {
+      const result = await writeFileAtomic(opts.output, content, {
+        ...opts.force === true && { force: true }
+      });
+      printOutput(
+        {
+          ok: true,
+          data: {
+            saved: result.path,
+            size: result.size,
+            format,
+            guid: note.guid,
+            title: note.title
+          }
+        },
+        globalOpts
+      );
+      return;
+    }
+    const mode = resolveOutputMode(globalOpts);
+    if (mode === "json" && format !== "json") {
+      printOutput(
+        {
+          ok: true,
+          data: {
+            ...note,
+            ...paragraphs && { transcript: { paragraphs } }
+          }
+        },
+        globalOpts
+      );
+    } else if (format === "json") {
+      process.stdout.write(content);
+    } else {
+      if (process.stdout.isTTY) {
+        process.stdout.write(`${color(`# ${note.title}`, "bold", globalOpts)}
+`);
+      }
+      process.stdout.write(content);
+    }
+  });
+}
+async function fetchAllParagraphs(client, guid) {
+  const tryCursor = await client.getJson(
+    `/v1/external/notes/${guid}/paragraphs`,
+    ParagraphsCursorSchema.or(ParagraphsListSchema)
+  );
+  const all = [...tryCursor.content];
+  if ("nextCursor" in tryCursor) {
+    let cursor = tryCursor.nextCursor;
+    while (cursor) {
+      const next = await client.getJson(
+        `/v1/external/notes/${guid}/paragraphs`,
+        ParagraphsCursorSchema,
+        { cursor }
+      );
+      all.push(...next.content);
+      cursor = next.nextCursor;
+    }
+  }
+  return all;
+}
+function parseIncludes(raw) {
+  if (!raw) return /* @__PURE__ */ new Set();
+  return new Set(
+    raw.split(",").map((s) => s.trim().toLowerCase()).filter((s) => s.length > 0)
+  );
+}
+function pickFormat(format, output) {
+  const allowed = ["md", "json", "txt"];
+  if (format) {
+    const f = format.toLowerCase();
+    if (!allowed.includes(f)) {
+      throw new TiroError(
+        {
+          code: "invalid_format",
+          message: `Invalid --format "${format}". Allowed: md, json, txt.`,
+          errorType: "bad_request"
+        },
+        ExitCode.Usage
+      );
+    }
+    return f;
+  }
+  if (output) {
+    if (output.endsWith(".json")) return "json";
+    if (output.endsWith(".txt")) return "txt";
+    return "md";
+  }
+  return process.stdout.isTTY ? "md" : "json";
+}
+
+// src/commands/notes/transcript.ts
+import "commander";
+var ParagraphsListSchema2 = SimpleListResponseSchema(ParagraphSchema);
+var ParagraphsCursorSchema2 = PageCursorResponseSchema(ParagraphSchema);
+function registerNotesTranscript(parent) {
+  parent.command("transcript <guid>").description("Get raw transcript paragraphs of a note").option("--output <path>", "Write to file (stdout = metadata only)").option("--format <md|json|txt>", "Output format (default: txt for transcript)").option("--force", "Overwrite existing file").action(async (guid, opts, cmd) => {
+    const globalOpts = cmd.optsWithGlobals();
+    const client = createApiClient({
+      ...globalOpts.hostname !== void 0 && { hostnameOverride: globalOpts.hostname }
+    });
+    const format = pickFormat2(opts.format, opts.output);
+    const note = await client.getJson(`/v1/external/notes/${guid}`, NoteSchema);
+    const paragraphs = await fetchAllParagraphs2(client, guid);
+    const content = formatNote(note, format, {
+      includeTranscript: true,
+      paragraphs
+    });
+    if (opts.output) {
+      const result = await writeFileAtomic(opts.output, content, {
+        ...opts.force === true && { force: true }
+      });
+      printOutput(
+        {
+          ok: true,
+          data: {
+            saved: result.path,
+            size: result.size,
+            format,
+            guid: note.guid,
+            paragraphCount: paragraphs.length
+          }
+        },
+        globalOpts
+      );
+      return;
+    }
+    const mode = resolveOutputMode(globalOpts);
+    if (mode === "json" && format !== "json") {
+      printOutput(
+        { ok: true, data: { guid: note.guid, paragraphs } },
+        globalOpts
+      );
+    } else {
+      process.stdout.write(content);
+    }
+  });
+}
+async function fetchAllParagraphs2(client, guid) {
+  const first = await client.getJson(
+    `/v1/external/notes/${guid}/paragraphs`,
+    ParagraphsCursorSchema2.or(ParagraphsListSchema2)
+  );
+  const all = [...first.content];
+  if ("nextCursor" in first) {
+    let cursor = first.nextCursor;
+    while (cursor) {
+      const next = await client.getJson(
+        `/v1/external/notes/${guid}/paragraphs`,
+        ParagraphsCursorSchema2,
+        { cursor }
+      );
+      all.push(...next.content);
+      cursor = next.nextCursor;
+    }
+  }
+  return all;
+}
+function pickFormat2(format, output) {
+  const allowed = ["md", "json", "txt"];
+  if (format) {
+    const f = format.toLowerCase();
+    if (!allowed.includes(f)) {
+      throw new TiroError(
+        {
+          code: "invalid_format",
+          message: `Invalid --format "${format}". Allowed: md, json, txt.`,
+          errorType: "bad_request"
+        },
+        ExitCode.Usage
+      );
+    }
+    return f;
+  }
+  if (output) {
+    if (output.endsWith(".json")) return "json";
+    if (output.endsWith(".md")) return "md";
+    return "txt";
+  }
+  return "txt";
+}
+
+// src/commands/notes/index.ts
+function registerNotes(program) {
+  const notes = program.command("notes").description("List, search, and download notes");
+  registerNotesList(notes);
+  registerNotesSearch(notes);
+  registerNotesGet(notes);
+  registerNotesTranscript(notes);
+}
+
+// src/bin/tiro.ts
+var EXAMPLES = `
+EXAMPLES
+  $ tiro auth login
+  $ tiro notes search --speaker "\uAE40\uCCA0\uC218" --since 7d --json
+  $ tiro notes get <guid> --output ./meeting.md --include transcript
+  $ tiro notes transcript <guid> --format txt
+
+ENVIRONMENT
+  TIRO_TOKEN       Bearer token (overrides keychain)
+  TIRO_HOSTNAME    API base URL (default: https://api.tiro.ooo)
+  NO_COLOR         Disable colors
+
+DOCS
+  https://api.tiro.ooo/cli
+`;
+function buildProgram() {
+  const program = new Command10();
+  program.name("tiro").description("Tiro AI notes & transcripts \u2014 agent-first command line").version(VERSION, "-v, --version", "Print version").option("--hostname <url>", "API base URL (default: https://api.tiro.ooo)").option("--json", "Force JSON output").option("--pretty", "Force pretty (human) output").option("--quiet", "Suppress non-error output").option("--verbose", "Verbose logging to stderr").option("--no-color", "Disable ANSI colors").addHelpText("after", EXAMPLES);
+  program.showHelpAfterError("(run `tiro --help` for available commands)");
+  registerAuth(program);
+  registerNotes(program);
+  return program;
+}
+async function main() {
+  const program = buildProgram();
+  try {
+    await program.parseAsync(process.argv);
+  } catch (err) {
+    handleError(err, program);
+  }
+}
+function handleError(err, program) {
+  const opts = program.opts();
+  if (err instanceof TiroError) {
+    if (opts.json) {
+      printError(err.toJSON());
+    } else if (!opts.quiet) {
+      process.stderr.write(`${color("\u2717", "red", opts)} ${err.message}
+`);
+      if (err.suggestion) {
+        process.stderr.write(`  ${color("\u2192", "gray", opts)} ${err.suggestion}
+`);
+      }
+    }
+    process.exit(err.exitCode);
+  }
+  if (err instanceof Error) {
+    if (opts.json) {
+      printError({
+        ok: false,
+        error: { code: "internal_error", message: err.message, errorType: "internal_error" }
+      });
+    } else if (!opts.quiet) {
+      process.stderr.write(`${color("\u2717", "red", opts)} ${err.message}
+`);
+    }
+    process.exit(ExitCode.Generic);
+  }
+  process.stderr.write(`Unknown error: ${String(err)}
+`);
+  process.exit(ExitCode.Generic);
+}
+main().catch((err) => {
+  process.stderr.write(`Fatal: ${String(err)}
+`);
+  process.exit(ExitCode.Generic);
+});
+//# sourceMappingURL=tiro.js.map