@ttctl/cli 0.0.0 → 0.1.0-rc.2

package/dist/commands/auth/signout.d.ts

@@ -0,0 +1,133 @@
+import type { SignOutResult as CoreSignOutResult } from "@ttctl/core";
+import type { OutputFormat } from "../../lib/output.js";
+/**
+ * Output format for `ttctl auth signout`. Aligned with the cross-CLI
+ * `OutputFormat` post-#126: `pretty` (default) is the human-readable
+ * confirmation, `json` and `yaml` emit the machine-readable shape for
+ * scripting.
+ */
+export interface AuthSignOutOptions {
+    output: OutputFormat;
+}
+/**
+ * Server-side LogOut outcome surfaced alongside the local-clear result.
+ * Stable strings so scripts can branch on the JSON / YAML output without
+ * pattern-matching prose. Maps from `core.signOut()`'s
+ * {@link CoreSignOutResult} discriminated union plus the "no token to
+ * call with" short-circuit.
+ *
+ * **Naming is deliberately scoped to "log-out", not "revoke"**. Live
+ * evidence (issue #180, 2026-05-12) shows the `LogOut` mutation on
+ * `talent_profile/graphql` succeeds but does NOT propagate to bearer
+ * invalidation for subsequent `mobile-gateway` calls — the bearer remains
+ * valid against `getAuthStatus` across t=0/30/60/180/300s. The 24-72h
+ * natural aging-out (CLAUDE.md § Auth Model) is the load-bearing
+ * revocation defense. `serverLogOut: "logged-out"` therefore claims only
+ * "the LogOut mutation was acknowledged by talent_profile" — NOT "the
+ * bearer is now invalid for downstream calls".
+ *
+ * `logged-out`      — talent_profile responded `data.logOut.success === true`;
+ *                     the LogOut flow itself was acknowledged (audit log,
+ *                     web-session/cookie cleanup, defense-in-depth signal).
+ *                     Does NOT imply bearer revocation — see note above.
+ * `already-invalid` — bearer was already invalid server-side (HTTP 401/403 or
+ *                     GraphQL auth-revoke code); user intent (kill the bearer)
+ *                     is satisfied transitively.
+ * `skipped`         — no token to call with (idempotent local-only signout).
+ * `unreachable`     — could not deliver the LogOut signal (network /
+ *                     HTTP / wire-shape divergence). The local clear still
+ *                     ran; the 24-72h aging-out is the load-bearing defense.
+ */
+export type ServerLogOutOutcome = "logged-out" | "already-invalid" | "skipped" | "unreachable";
+/**
+ * Map a {@link CoreSignOutResult} to the CLI's {@link ServerLogOutOutcome}.
+ * Collapses the per-reason discriminator of `unreachable` / `invalid` into
+ * the four CLI-level outcomes. The full reason is surfaced separately via
+ * {@link serverLogOutStderrWarning} for the unreachable path.
+ */
+export declare function mapCoreSignOutResult(result: CoreSignOutResult): ServerLogOutOutcome;
+/**
+ * Build a human-readable stderr warning for the `unreachable` server-side
+ * outcome. Returns `null` for every other outcome — the success path stays
+ * quiet on stderr. The warning text names the reason and tells the user
+ * the bearer will age out as the load-bearing defense (24-72h empirical
+ * per `research/notes/02-auth-and-clients.md`).
+ */
+export declare function serverLogOutStderrWarning(result: CoreSignOutResult): string | null;
+/**
+ * Terminal outcome of `ttctl auth signout`. The `removed` flag distinguishes
+ * the case where an auth token existed and was removed from the YAML config
+ * from the idempotent no-op (no token field present). Both are success
+ * cases — signout MUST be idempotent — but scripts may want to differentiate
+ * (e.g. to count active sessions across machines).
+ *
+ * `path` is the YAML config file path that the `auth.token` field was
+ * removed from.
+ *
+ * `serverLogOut` is the server-side LogOut outcome (post-#180) — see
+ * {@link ServerLogOutOutcome}. Always populated on the success branch.
+ * `serverLogOut: "unreachable"` is a soft warning — local state is still
+ * cleared; the bearer ages out server-side as the load-bearing defense.
+ * **Note**: `serverLogOut: "logged-out"` claims only "talent_profile
+ * acknowledged the LogOut mutation"; it does NOT claim "the bearer is now
+ * invalid for downstream calls". See {@link ServerLogOutOutcome} for the
+ * full empirical scope.
+ *
+ * `error` carries a generic message; the only realistic non-permission
+ * failure is a YAML parse error or a write-back contention (mtime drift),
+ * which the user must resolve out of band.
+ */
+export type SignOutResult = {
+    status: "signed-out";
+    removed: boolean;
+    path: string;
+    serverLogOut: ServerLogOutOutcome;
+} | {
+    status: "error";
+    message: string;
+};
+/**
+ * Render a `SignOutResult` for the human-readable `pretty` format. The
+ * success line is "Signed out." regardless of whether a token was
+ * removed — the user-facing semantics ("you are no longer signed in")
+ * are identical, and the AC explicitly calls out idempotency. Errors
+ * surface verbatim.
+ */
+export declare function formatSignOutPretty(result: SignOutResult): string;
+/**
+ * Format a `SignOutResult` for the requested output mode. JSON and YAML
+ * shapes mirror the discriminated union exactly — `removed` and `path`
+ * on success, `message` on error — so scripts can branch on `removed`
+ * to detect the no-op case.
+ */
+export declare function formatSignOutOutput(result: SignOutResult, output: OutputFormat): string;
+/**
+ * Map a `SignOutResult` to a process exit code. Both success branches
+ * (`removed: true` and `removed: false`) return 0 — signout is idempotent
+ * by AC. Only filesystem failures other than ENOENT exit non-zero.
+ */
+export declare function exitCodeForSignOutResult(result: SignOutResult): number;
+/**
+ * Run the `auth signout` command end-to-end:
+ *   1. Resolve `.ttctl.yaml` and read it (in-memory parsed via core).
+ *   2. If `auth.token` is present:
+ *      a. Call `core.signOut(token)` to attempt server-side LogOut via
+ *         the `LogOut` mutation against talent_profile/graphql.
+ *      b. Remove the field via `clearAuthToken` (yaml.parseDocument +
+ *         deleteIn — preserves comments and credentials).
+ *      c. If the server-side call returned `unreachable`, emit a stderr
+ *         warning. The local clear still ran — the bearer ages out
+ *         server-side in 24-72h as the load-bearing defense.
+ *   3. If `auth.token` was already absent, exit 0 with `removed: false`
+ *      and `serverLogOut: "skipped"` (idempotent no-op).
+ *   4. Emit the result and exit. Always 0 in the success path — server-
+ *      side LogOut failure is a soft warning, not an exit-code signal.
+ *
+ * `clearAuthToken` enforces the same security gates as `persistAuthToken`
+ * (symlink refusal, sync-root refusal, atomic write, mode 0600).
+ *
+ * `core.signOut()` never throws — every failure is classified into
+ * `CoreSignOutResult` and surfaced via `mapCoreSignOutResult`.
+ */
+export declare function runAuthSignOut(options: AuthSignOutOptions): Promise<void>;
+//# sourceMappingURL=signout.d.ts.map

package/dist/commands/auth/signout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signout.d.ts","sourceRoot":"","sources":["../../../src/commands/auth/signout.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,aAAa,IAAI,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAItE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAExD;;;;;GAKG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,YAAY,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,iBAAiB,GAAG,SAAS,GAAG,aAAa,CAAC;AAE/F;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,iBAAiB,GAAG,mBAAmB,CAUnF;AAED;;;;;;GAMG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM,GAAG,IAAI,CAsBlF;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,MAAM,aAAa,GACrB;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,mBAAmB,CAAA;CAAE,GAC3F;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEzC;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CAKjE;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,YAAY,GAAG,MAAM,CAQvF;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CAEtE;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAS/E"}

package/dist/commands/auth/signout.js

@@ -0,0 +1,172 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+// Copyright (C) 2026 Oleksii PELYKH
+import { AuthTokenPersistError, ConfigError, clearAuthToken, signOut } from "@ttctl/core";
+import { resolveConfigForCli } from "../../lib/config-context.js";
+import { formatYaml } from "../../lib/output.js";
+/**
+ * Map a {@link CoreSignOutResult} to the CLI's {@link ServerLogOutOutcome}.
+ * Collapses the per-reason discriminator of `unreachable` / `invalid` into
+ * the four CLI-level outcomes. The full reason is surfaced separately via
+ * {@link serverLogOutStderrWarning} for the unreachable path.
+ */
+export function mapCoreSignOutResult(result) {
+    if (result.status === "logged-out")
+        return "logged-out";
+    if (result.status === "invalid") {
+        // no-session is the empty-token short-circuit; the CLI handles that
+        // before calling core.signOut(), so it shouldn't surface here. If it
+        // does (defensive), treat the same as the local "skipped" branch.
+        if (result.reason === "no-session")
+            return "skipped";
+        return "already-invalid";
+    }
+    return "unreachable";
+}
+/**
+ * Build a human-readable stderr warning for the `unreachable` server-side
+ * outcome. Returns `null` for every other outcome — the success path stays
+ * quiet on stderr. The warning text names the reason and tells the user
+ * the bearer will age out as the load-bearing defense (24-72h empirical
+ * per `research/notes/02-auth-and-clients.md`).
+ */
+export function serverLogOutStderrWarning(result) {
+    if (result.status !== "unreachable")
+        return null;
+    const reason = result.reason;
+    let detail;
+    switch (reason.kind) {
+        case "transport":
+            detail = `transport error (${reason.reason})`;
+            break;
+        case "http-status":
+            detail = `HTTP ${reason.status.toString()} from talent_profile/graphql`;
+            break;
+        case "graphql-error":
+            detail = `GraphQL error: ${reason.message}`;
+            break;
+        case "payload-missing":
+            detail = "talent_profile/graphql returned an unrecognized payload shape (missing data.logOut)";
+            break;
+        case "success-false":
+            detail = "talent_profile/graphql returned data.logOut.success: false";
+            break;
+    }
+    return `warning: server-side LogOut could not be delivered (${detail}); local token cleared, the bearer will age out server-side in 24-72h`;
+}
+/**
+ * Render a `SignOutResult` for the human-readable `pretty` format. The
+ * success line is "Signed out." regardless of whether a token was
+ * removed — the user-facing semantics ("you are no longer signed in")
+ * are identical, and the AC explicitly calls out idempotency. Errors
+ * surface verbatim.
+ */
+export function formatSignOutPretty(result) {
+    if (result.status === "signed-out") {
+        return "Signed out.";
+    }
+    return `Sign-out failed: ${result.message}`;
+}
+/**
+ * Format a `SignOutResult` for the requested output mode. JSON and YAML
+ * shapes mirror the discriminated union exactly — `removed` and `path`
+ * on success, `message` on error — so scripts can branch on `removed`
+ * to detect the no-op case.
+ */
+export function formatSignOutOutput(result, output) {
+    if (output === "json") {
+        return JSON.stringify(result);
+    }
+    if (output === "yaml") {
+        return formatYaml(result);
+    }
+    return formatSignOutPretty(result);
+}
+/**
+ * Map a `SignOutResult` to a process exit code. Both success branches
+ * (`removed: true` and `removed: false`) return 0 — signout is idempotent
+ * by AC. Only filesystem failures other than ENOENT exit non-zero.
+ */
+export function exitCodeForSignOutResult(result) {
+    return result.status === "signed-out" ? 0 : 1;
+}
+/**
+ * Run the `auth signout` command end-to-end:
+ *   1. Resolve `.ttctl.yaml` and read it (in-memory parsed via core).
+ *   2. If `auth.token` is present:
+ *      a. Call `core.signOut(token)` to attempt server-side LogOut via
+ *         the `LogOut` mutation against talent_profile/graphql.
+ *      b. Remove the field via `clearAuthToken` (yaml.parseDocument +
+ *         deleteIn — preserves comments and credentials).
+ *      c. If the server-side call returned `unreachable`, emit a stderr
+ *         warning. The local clear still ran — the bearer ages out
+ *         server-side in 24-72h as the load-bearing defense.
+ *   3. If `auth.token` was already absent, exit 0 with `removed: false`
+ *      and `serverLogOut: "skipped"` (idempotent no-op).
+ *   4. Emit the result and exit. Always 0 in the success path — server-
+ *      side LogOut failure is a soft warning, not an exit-code signal.
+ *
+ * `clearAuthToken` enforces the same security gates as `persistAuthToken`
+ * (symlink refusal, sync-root refusal, atomic write, mode 0600).
+ *
+ * `core.signOut()` never throws — every failure is classified into
+ * `CoreSignOutResult` and surfaced via `mapCoreSignOutResult`.
+ */
+export async function runAuthSignOut(options) {
+    const { result, stderrWarning } = await performSignOut();
+    const rendered = formatSignOutOutput(result, options.output);
+    const stream = result.status === "signed-out" ? process.stdout : process.stderr;
+    if (stderrWarning !== null) {
+        process.stderr.write(stderrWarning + "\n");
+    }
+    stream.write(rendered + "\n");
+    process.exit(exitCodeForSignOutResult(result));
+}
+async function performSignOut() {
+    let configPath;
+    let token;
+    try {
+        const { config, path } = resolveConfigForCli();
+        configPath = path;
+        token = config.auth.token;
+    }
+    catch (err) {
+        if (err instanceof ConfigError) {
+            return { result: { status: "error", message: err.message }, stderrWarning: null };
+        }
+        const message = err instanceof Error ? err.message : String(err);
+        return { result: { status: "error", message }, stderrWarning: null };
+    }
+    if (token === undefined) {
+        // Idempotent no-op — token field already absent. Don't open the file
+        // for write AND don't call talent_profile (nothing to call with). Report
+        // success with removed: false / serverLogOut: "skipped" so scripts can
+        // detect the no-op case.
+        return {
+            result: { status: "signed-out", removed: false, path: configPath, serverLogOut: "skipped" },
+            stderrWarning: null,
+        };
+    }
+    // Attempt server-side LogOut BEFORE clearing the local token. The
+    // ordering matters: we want the bearer in hand when calling LogOut so
+    // talent_profile can authenticate the request. core.signOut()
+    // never throws (every failure mode is classified into CoreSignOutResult),
+    // so this branch is safe to await without try/catch.
+    const coreResult = await signOut(token);
+    const serverLogOut = mapCoreSignOutResult(coreResult);
+    const stderrWarning = serverLogOutStderrWarning(coreResult);
+    try {
+        await clearAuthToken(configPath);
+    }
+    catch (err) {
+        if (err instanceof ConfigError || err instanceof AuthTokenPersistError) {
+            return { result: { status: "error", message: err.message }, stderrWarning };
+        }
+        const message = err instanceof Error ? err.message : String(err);
+        return { result: { status: "error", message }, stderrWarning };
+    }
+    return {
+        result: { status: "signed-out", removed: true, path: configPath, serverLogOut },
+        stderrWarning,
+    };
+}
+//# sourceMappingURL=signout.js.map

package/dist/commands/auth/signout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signout.js","sourceRoot":"","sources":["../../../src/commands/auth/signout.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,oCAAoC;AAEpC,OAAO,EAAE,qBAAqB,EAAE,WAAW,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAG1F,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AA4CjD;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAyB;IAC5D,IAAI,MAAM,CAAC,MAAM,KAAK,YAAY;QAAE,OAAO,YAAY,CAAC;IACxD,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAChC,oEAAoE;QACpE,qEAAqE;QACrE,kEAAkE;QAClE,IAAI,MAAM,CAAC,MAAM,KAAK,YAAY;YAAE,OAAO,SAAS,CAAC;QACrD,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,yBAAyB,CAAC,MAAyB;IACjE,IAAI,MAAM,CAAC,MAAM,KAAK,aAAa;QAAE,OAAO,IAAI,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IAC7B,IAAI,MAAc,CAAC;IACnB,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;QACpB,KAAK,WAAW;YACd,MAAM,GAAG,oBAAoB,MAAM,CAAC,MAAM,GAAG,CAAC;YAC9C,MAAM;QACR,KAAK,aAAa;YAChB,MAAM,GAAG,QAAQ,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,8BAA8B,CAAC;YACxE,MAAM;QACR,KAAK,eAAe;YAClB,MAAM,GAAG,kBAAkB,MAAM,CAAC,OAAO,EAAE,CAAC;YAC5C,MAAM;QACR,KAAK,iBAAiB;YACpB,MAAM,GAAG,qFAAqF,CAAC;YAC/F,MAAM;QACR,KAAK,eAAe;YAClB,MAAM,GAAG,4DAA4D,CAAC;YACtE,MAAM;IACV,CAAC;IACD,OAAO,uDAAuD,MAAM,uEAAuE,CAAC;AAC9I,CAAC;AA6BD;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAqB;IACvD,IAAI,MAAM,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;QACnC,OAAO,aAAa,CAAC;IACvB,CAAC;IACD,OAAO,oBAAoB,MAAM,CAAC,OAAO,EAAE,CAAC;AAC9C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAqB,EAAE,MAAoB;IAC7E,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IACD,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC;IAC5B,CAAC;IACD,OAAO,mBAAmB,CAAC,MAAM,CAAC,CAAC;AACrC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CAAC,MAAqB;IAC5D,OAAO,MAAM,CAAC,MAAM,KAAK,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAChD,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAA2B;IAC9D,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,cAAc,EAAE,CAAC;IACzD,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7D,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,KAAK,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAChF,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;QAC3B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAC7C,CAAC;IACD,MAAM,CAAC,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IAC9B,OAAO,CAAC,IAAI,CAAC,wBAAwB,CAAC,MAAM,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,KAAK,UAAU,cAAc;IAC3B,IAAI,UAAkB,CAAC;IACvB,IAAI,KAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,mBAAmB,EAAE,CAAC;QAC/C,UAAU,GAAG,IAAI,CAAC;QAClB,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;IAC5B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,WAAW,EAAE,CAAC;YAC/B,OAAO,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QACpF,CAAC;QACD,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACvE,CAAC;IAED,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,qEAAqE;QACrE,yEAAyE;QACzE,uEAAuE;QACvE,yBAAyB;QACzB,OAAO;YACL,MAAM,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE;YAC3F,aAAa,EAAE,IAAI;SACpB,CAAC;IACJ,CAAC;IAED,kEAAkE;IAClE,sEAAsE;IACtE,8DAA8D;IAC9D,0EAA0E;IAC1E,qDAAqD;IACrD,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,YAAY,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;IACtD,MAAM,aAAa,GAAG,yBAAyB,CAAC,UAAU,CAAC,CAAC;IAE5D,IAAI,CAAC;QACH,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,WAAW,IAAI,GAAG,YAAY,qBAAqB,EAAE,CAAC;YACvE,OAAO,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,EAAE,aAAa,EAAE,CAAC;QAC9E,CAAC;QACD,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,CAAC;IACjE,CAAC;IAED,OAAO;QACL,MAAM,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,YAAY,EAAE;QAC/E,aAAa;KACd,CAAC;AACJ,CAAC"}

package/dist/commands/auth/status.d.ts

@@ -0,0 +1,62 @@
+import type { AuthStatusResult } from "@ttctl/core";
+import type { OutputFormat } from "../../lib/output.js";
+/**
+ * Output format for `ttctl auth status`. Aligned with the cross-CLI
+ * `OutputFormat` post-#126: `pretty` (default) emits a human-readable
+ * single-line summary; `json` emits the `AuthStatusResult` shape
+ * verbatim for scripting; `yaml` emits the same shape as block-style
+ * YAML.
+ */
+export interface AuthStatusOptions {
+    output: OutputFormat;
+}
+/**
+ * Map an `AuthStatusResult` to a process exit code:
+ *   - `valid`       → 0 (everything OK)
+ *   - `invalid`     → 1 (auth-related; user must run `ttctl auth signin`)
+ *   - `unreachable` → 2 (transport-level; transient, retryable)
+ *
+ * Three distinct codes are deliberate: shell consumers can branch on them
+ * without parsing stdout (`if ttctl auth status; then ... else case $? in 1)
+ * ... ;; 2) ... ;; esac`).
+ */
+export declare function exitCodeForAuthStatus(result: AuthStatusResult): number;
+/**
+ * Render an `AuthStatusResult` for the human-readable `pretty` format.
+ * Keeps the user-facing strings here so the CLI surface owns wording
+ * (the core library returns stable machine-readable codes; this layer
+ * translates them to prose).
+ *
+ * Both `session-expired` and the rarer 200-with-malformed-payload cases
+ * collapse to the same "Session expired" message — from the user's
+ * perspective the next action is identical (re-run signin).
+ */
+export declare function formatAuthStatusPretty(result: AuthStatusResult): string;
+/**
+ * Format an `AuthStatusResult` for the requested output mode. The JSON
+ * and YAML shapes mirror `AuthStatusResult` 1:1 — `email` only on
+ * `valid`, `reason` on the other two — which lets callers consume the
+ * same discriminated-union structure on the wire.
+ */
+export declare function formatAuthStatusOutput(result: AuthStatusResult, output: OutputFormat): string;
+/**
+ * Run the `auth status` command end-to-end:
+ *   1. Resolve `.ttctl.yaml` (in-memory parsed via core). A missing/malformed
+ *      config collapses to `invalid/no-session` — the user-facing
+ *      "Run `ttctl auth signin`" hint is still the right next step, and
+ *      surfacing the raw `ConfigError` would be more confusing than helpful
+ *      in the read-only status path.
+ *   2. Read `config.auth.token` directly (no separate file load — the token
+ *      lives inline in the YAML config post-#107).
+ *   3. Probe the gateway for session validity via `getAuthStatus(token)`.
+ *      No token → invalid/no-session, short-circuited (no network call).
+ *   4. Emit the result in the requested format.
+ *   5. Exit the process with the corresponding code.
+ *
+ * `process.exit` is the terminal step: action handlers in commander otherwise
+ * resolve to `undefined` and the process keeps the libuv event loop spinning
+ * until natural exit, which is fine for CLI usage but loses the explicit
+ * exit-code contract this command needs.
+ */
+export declare function runAuthStatus(options: AuthStatusOptions): Promise<void>;
+//# sourceMappingURL=status.d.ts.map

package/dist/commands/auth/status.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"status.d.ts","sourceRoot":"","sources":["../../../src/commands/auth/status.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAIpD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAExD;;;;;;GAMG;AACH,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,YAAY,CAAC;CACtB;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAItE;AAED;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAWvE;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,YAAY,GAAG,MAAM,CAQ7F;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAiB7E"}

package/dist/commands/auth/status.js

@@ -0,0 +1,98 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+// Copyright (C) 2026 Oleksii PELYKH
+import { ConfigError, getAuthStatus } from "@ttctl/core";
+import { resolveConfigForCli } from "../../lib/config-context.js";
+import { formatYaml } from "../../lib/output.js";
+/**
+ * Map an `AuthStatusResult` to a process exit code:
+ *   - `valid`       → 0 (everything OK)
+ *   - `invalid`     → 1 (auth-related; user must run `ttctl auth signin`)
+ *   - `unreachable` → 2 (transport-level; transient, retryable)
+ *
+ * Three distinct codes are deliberate: shell consumers can branch on them
+ * without parsing stdout (`if ttctl auth status; then ... else case $? in 1)
+ * ... ;; 2) ... ;; esac`).
+ */
+export function exitCodeForAuthStatus(result) {
+    if (result.status === "valid")
+        return 0;
+    if (result.status === "invalid")
+        return 1;
+    return 2;
+}
+/**
+ * Render an `AuthStatusResult` for the human-readable `pretty` format.
+ * Keeps the user-facing strings here so the CLI surface owns wording
+ * (the core library returns stable machine-readable codes; this layer
+ * translates them to prose).
+ *
+ * Both `session-expired` and the rarer 200-with-malformed-payload cases
+ * collapse to the same "Session expired" message — from the user's
+ * perspective the next action is identical (re-run signin).
+ */
+export function formatAuthStatusPretty(result) {
+    if (result.status === "valid") {
+        return `Signed in as ${result.email}`;
+    }
+    if (result.status === "invalid") {
+        if (result.reason === "no-session") {
+            return "No session found. Run `ttctl auth signin`.";
+        }
+        return "Session expired. Run `ttctl auth signin`.";
+    }
+    return "Could not reach Toptal.";
+}
+/**
+ * Format an `AuthStatusResult` for the requested output mode. The JSON
+ * and YAML shapes mirror `AuthStatusResult` 1:1 — `email` only on
+ * `valid`, `reason` on the other two — which lets callers consume the
+ * same discriminated-union structure on the wire.
+ */
+export function formatAuthStatusOutput(result, output) {
+    if (output === "json") {
+        return JSON.stringify(result);
+    }
+    if (output === "yaml") {
+        return formatYaml(result);
+    }
+    return formatAuthStatusPretty(result);
+}
+/**
+ * Run the `auth status` command end-to-end:
+ *   1. Resolve `.ttctl.yaml` (in-memory parsed via core). A missing/malformed
+ *      config collapses to `invalid/no-session` — the user-facing
+ *      "Run `ttctl auth signin`" hint is still the right next step, and
+ *      surfacing the raw `ConfigError` would be more confusing than helpful
+ *      in the read-only status path.
+ *   2. Read `config.auth.token` directly (no separate file load — the token
+ *      lives inline in the YAML config post-#107).
+ *   3. Probe the gateway for session validity via `getAuthStatus(token)`.
+ *      No token → invalid/no-session, short-circuited (no network call).
+ *   4. Emit the result in the requested format.
+ *   5. Exit the process with the corresponding code.
+ *
+ * `process.exit` is the terminal step: action handlers in commander otherwise
+ * resolve to `undefined` and the process keeps the libuv event loop spinning
+ * until natural exit, which is fine for CLI usage but loses the explicit
+ * exit-code contract this command needs.
+ */
+export async function runAuthStatus(options) {
+    let token;
+    try {
+        const { config } = resolveConfigForCli();
+        token = config.auth.token ?? null;
+    }
+    catch (err) {
+        if (err instanceof ConfigError) {
+            const noSession = { status: "invalid", reason: "no-session" };
+            process.stdout.write(formatAuthStatusOutput(noSession, options.output) + "\n");
+            process.exit(exitCodeForAuthStatus(noSession));
+            return;
+        }
+        throw err;
+    }
+    const result = await getAuthStatus(token);
+    process.stdout.write(formatAuthStatusOutput(result, options.output) + "\n");
+    process.exit(exitCodeForAuthStatus(result));
+}
+//# sourceMappingURL=status.js.map

package/dist/commands/auth/status.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"status.js","sourceRoot":"","sources":["../../../src/commands/auth/status.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,oCAAoC;AAEpC,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAGzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAcjD;;;;;;;;;GASG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAwB;IAC5D,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO;QAAE,OAAO,CAAC,CAAC;IACxC,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS;QAAE,OAAO,CAAC,CAAC;IAC1C,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAAwB;IAC7D,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QAC9B,OAAO,gBAAgB,MAAM,CAAC,KAAK,EAAE,CAAC;IACxC,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAChC,IAAI,MAAM,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;YACnC,OAAO,4CAA4C,CAAC;QACtD,CAAC;QACD,OAAO,2CAA2C,CAAC;IACrD,CAAC;IACD,OAAO,yBAAyB,CAAC;AACnC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAAwB,EAAE,MAAoB;IACnF,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IACD,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC;IAC5B,CAAC;IACD,OAAO,sBAAsB,CAAC,MAAM,CAAC,CAAC;AACxC,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,OAA0B;IAC5D,IAAI,KAAoB,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,mBAAmB,EAAE,CAAC;QACzC,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC;IACpC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,WAAW,EAAE,CAAC;YAC/B,MAAM,SAAS,GAAqB,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;YAChF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC;YAC/E,OAAO,CAAC,IAAI,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC,CAAC;YAC/C,OAAO;QACT,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;IAC1C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC;IAC5E,OAAO,CAAC,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,CAAC,CAAC;AAC9C,CAAC"}

package/dist/commands/availability/allocated-hours.d.ts

@@ -0,0 +1,27 @@
+import type { OutputFormat } from "../../lib/output.js";
+/**
+ * Action handler for `ttctl availability allocated-hours show`. Reads
+ * just the viewer-scoped `allocatedHours` value.
+ *
+ * Throws `AvailabilityError("UNKNOWN")` (via the service) when the
+ * viewer-role payload is missing the field — defensive only.
+ */
+export declare function runAllocatedHoursShow(output: OutputFormat): Promise<void>;
+/**
+ * Action handler for `ttctl availability allocated-hours set --hours <n>`.
+ * Updates the viewer-scoped allocated-hours value via
+ * `UpdateAllocatedHours`.
+ *
+ * The CLI surface is required-arg (`--hours`); commander applies the
+ * `--hours` parser before this handler runs, so the value is already a
+ * validated non-negative integer.
+ *
+ * Returns the post-update `{ allocatedHours, hiredHours }` payload in
+ * the success-update envelope.
+ */
+export interface AllocatedHoursSetOptions {
+    hours: number;
+    output: OutputFormat;
+}
+export declare function runAllocatedHoursSet(opts: AllocatedHoursSetOptions): Promise<void>;
+//# sourceMappingURL=allocated-hours.d.ts.map

package/dist/commands/availability/allocated-hours.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"allocated-hours.d.ts","sourceRoot":"","sources":["../../../src/commands/availability/allocated-hours.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAIxD;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CAAC,MAAM,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAa/E;AAED;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,wBAAsB,oBAAoB,CAAC,IAAI,EAAE,wBAAwB,GAAG,OAAO,CAAC,IAAI,CAAC,CAiCxF"}

package/dist/commands/availability/allocated-hours.js

@@ -0,0 +1,61 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+// Copyright (C) 2026 Oleksii PELYKH
+import { availability } from "@ttctl/core";
+import { getCliDryRun } from "../../lib/dry-run.js";
+import { emitResult } from "../../lib/output.js";
+import { emitDryRunSuccess, emitUpdateSuccess } from "../../lib/envelopes.js";
+import { handleAvailabilityError, loadAuthTokenOrExit } from "./shared.js";
+/**
+ * Action handler for `ttctl availability allocated-hours show`. Reads
+ * just the viewer-scoped `allocatedHours` value.
+ *
+ * Throws `AvailabilityError("UNKNOWN")` (via the service) when the
+ * viewer-role payload is missing the field — defensive only.
+ */
+export async function runAllocatedHoursShow(output) {
+    const token = await loadAuthTokenOrExit("availability allocated-hours show", output);
+    let data;
+    try {
+        data = await availability.allocatedHours.show(token);
+    }
+    catch (err) {
+        handleAvailabilityError("availability allocated-hours show", err, output);
+    }
+    emitResult(data, output, {
+        pretty: (d) => `Allocated hours: ${d.allocatedHours.toString()} h/week`,
+    });
+}
+export async function runAllocatedHoursSet(opts) {
+    const token = await loadAuthTokenOrExit("availability allocated-hours set", opts.output);
+    const dryRun = getCliDryRun();
+    let outcome;
+    try {
+        outcome = await availability.allocatedHours.set(token, opts.hours, { dryRun });
+    }
+    catch (err) {
+        handleAvailabilityError("availability allocated-hours set", err, opts.output);
+    }
+    if (outcome.kind === "preview") {
+        emitDryRunSuccess({
+            operation: "availability.allocated-hours.set",
+            format: opts.output,
+            preview: outcome.preview,
+        });
+        return;
+    }
+    const updated = outcome.result;
+    emitUpdateSuccess({
+        operation: "availability.allocated-hours.set",
+        format: opts.output,
+        updated,
+        prettySummary: `allocated hours = ${updated.allocatedHours.toString()} h/week`,
+        prettyEntity: (data) => {
+            const lines = [`Allocated: ${data.allocatedHours.toString()} h/week`];
+            if (data.hiredHours !== null)
+                lines.push(`Hired:     ${data.hiredHours.toString()} h/week`);
+            return lines.join("\n");
+        },
+        notice: updated.notice ?? undefined,
+    });
+}
+//# sourceMappingURL=allocated-hours.js.map

package/dist/commands/availability/allocated-hours.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"allocated-hours.js","sourceRoot":"","sources":["../../../src/commands/availability/allocated-hours.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,oCAAoC;AAEpC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEjD,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC9E,OAAO,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAE3E;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,MAAoB;IAC9D,MAAM,KAAK,GAAG,MAAM,mBAAmB,CAAC,mCAAmC,EAAE,MAAM,CAAC,CAAC;IAErF,IAAI,IAAkE,CAAC;IACvE,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,YAAY,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,uBAAuB,CAAC,mCAAmC,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;IAC5E,CAAC;IAED,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE;QACvB,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,oBAAoB,CAAC,CAAC,cAAc,CAAC,QAAQ,EAAE,SAAS;KACxE,CAAC,CAAC;AACL,CAAC;AAmBD,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,IAA8B;IACvE,MAAM,KAAK,GAAG,MAAM,mBAAmB,CAAC,kCAAkC,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IACzF,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAE9B,IAAI,OAA8C,CAAC;IACnD,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,YAAY,CAAC,cAAc,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IACjF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,uBAAuB,CAAC,kCAAkC,EAAE,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IAChF,CAAC;IAED,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC/B,iBAAiB,CAAC;YAChB,SAAS,EAAE,kCAAkC;YAC7C,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO,EAAE,OAAO,CAAC,OAAO;SACzB,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;IAC/B,iBAAiB,CAAC;QAChB,SAAS,EAAE,kCAAkC;QAC7C,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,OAAO;QACP,aAAa,EAAE,qBAAqB,OAAO,CAAC,cAAc,CAAC,QAAQ,EAAE,SAAS;QAC9E,YAAY,EAAE,CAAC,IAAI,EAAE,EAAE;YACrB,MAAM,KAAK,GAAa,CAAC,cAAc,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;YAChF,IAAI,IAAI,CAAC,UAAU,KAAK,IAAI;gBAAE,KAAK,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;YAC5F,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QACD,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,SAAS;KACpC,CAAC,CAAC;AACL,CAAC"}

package/dist/commands/availability/index.d.ts

@@ -0,0 +1,30 @@
+import { Command } from "commander";
+/**
+ * Build the `ttctl availability` command tree (#146 amended spec). Five
+ * leaves across the top-level group and two nested sub-groups
+ * (`working-hours`, `allocated-hours`):
+ *
+ * | Leaf                                | Description                              |
+ * |-------------------------------------|------------------------------------------|
+ * | `show`                              | Full availability snapshot               |
+ * | `working-hours show`                | Just the time-zone + daily window subset |
+ * | `working-hours set [--start/--end/--time-zone/--flex-start/--flex-end]` | Partial-update working hours |
+ * | `allocated-hours show`              | Just the allocated-hours value           |
+ * | `allocated-hours set --hours <n>`   | Set allocated-hours                      |
+ *
+ * **Vocabulary note**: per-engagement "time off" is owned by
+ * `ttctl engagements breaks {list, add, remove}` — there is no parallel
+ * `ttctl availability time-off` surface (the underlying API would be
+ * identical to the engagement-break one). Booking-page "lead time" /
+ * "minimum scheduling notice" is a different surface and is not
+ * surfaced in v1.
+ *
+ * **Out of scope for v1** (per #146 amended spec from 2026-05-11):
+ *   - Time-off list/add/remove (use `engagements breaks` instead)
+ *   - Lead-time / minimum-scheduling-notice setting (booking-page
+ *     follow-up)
+ *   - Setting `meetingTimeFrom` / `meetingTimeTo` (read-only)
+ *   - Per-engagement availability overrides (no API support)
+ */
+export declare function buildAvailabilityCommand(): Command;
+//# sourceMappingURL=index.d.ts.map

package/dist/commands/availability/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/commands/availability/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,OAAO,EAAgC,MAAM,WAAW,CAAC;AAUlE;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,wBAAwB,IAAI,OAAO,CAuGlD"}