@undefineds.co/linx 0.2.16 → 0.2.17

package/README.md

@@ -44,7 +44,9 @@ yarn workspace @undefineds.co/linx dev watch run claude "先总结这个目录
 yarn workspace @undefineds.co/linx dev watch run codebuddy -- --tools Read,Edit
 yarn workspace @undefineds.co/linx dev watch backends
 yarn workspace @undefineds.co/linx dev watch sessions
-yarn workspace @undefineds.co/linx dev watch show <sessionId>
+yarn workspace @undefineds.co/linx dev watch approvals
+yarn workspace @undefineds.co/linx dev watch approve <approvalId> --session
+yarn workspace @undefineds.co/linx dev watch reject <approvalId> --reason "unsafe command"
 ```
 
 ## Slash Commands
@@ -70,8 +72,9 @@ yarn workspace @undefineds.co/linx dev watch show <sessionId>
 - `--credential-source local|cloud|auto` 只决定凭据来源；`watch` 当前运行时始终是本地，不会因为选 cloud credential source 就切成 cloud runtime
 - `--credential-source cloud` 当前可显式用于 `codex` / `claude` / `codebuddy`，前提是对应 API key 已写进 Pod
 - 单本地会话时，approval 主路径是在当前 watch TUI 内直接处理；不会依赖额外的 approval inbox
-- 默认人工审批同时支持当前本地 watch 和 Pod 远端控制面，谁先决策谁生效；低上下文的 CLI approval inbox 命令已移除，远端审批队列由 App/Inbox 承载
-- 如果本地已 `linx login`，LinX 会把 pending approval 写进 Pod 的 `approval / audit / inbox_notification`，供 App/Inbox 读取和处理
+- 默认人工审批同时支持当前本地 watch 和 Pod 远端控制面，谁先决策谁生效
+- 如果本地已 `linx login`，LinX 会把 pending approval 写进 Pod 的 `approval / audit / inbox_notification`
+- `linx watch approvals` / `approve` / `reject` 主要用于远端、后台或多会话场景的 approval inbox；不是本地单会话 watch 的主交互路径
 - 当前是最小多轮版：本地 REPL、统一 ACP 会话、归档结构化事件
 - 在交互式 TTY 里，`watch run` 会默认进入全屏 TUI；非 TTY / 管道输出会自动降级到 plain mode
 - `linx watch show <sessionId>` 现在会回放归档 timeline，而不是直接输出 `session.json`

package/dist/generated/version.js

@@ -0,0 +1,3 @@
+// Generated by apps/cli/scripts/build.mjs. Keep a committed fallback for direct test compiles.
+export const LINX_CLI_VERSION = "0.2.17";
+//# sourceMappingURL=version.js.map

package/dist/generated/version.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"version.js","sourceRoot":"","sources":["../../../../../src/generated/version.ts"],"names":[],"mappings":"AAAA,+FAA+F;AAC/F,MAAM,CAAC,MAAM,gBAAgB,GAAG,QAAQ,CAAA"}

package/dist/index.js

@@ -1,46 +1,21 @@
 #!/usr/bin/env node
-import './lib/node-warning-filter.js';
-import { readFileSync } from 'node:fs';
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
 import { aiCommand } from './lib/ai-command.js';
 import { resolveAccountBaseUrl } from './lib/account-api.js';
-import { loadCredentials } from './lib/credentials-store.js';
+import { getClientCredentials, loadCredentials } from './lib/credentials-store.js';
+import { loadAccountSession } from './lib/account-session.js';
 import { loginCommand, logoutCommand, whoamiCommand } from './lib/login-command.js';
-import { DefaultPackageManager, SettingsManager, runPrintMode } from '@mariozechner/pi-coding-agent';
+import { runPrintMode } from '@mariozechner/pi-coding-agent';
 import { promptText } from './lib/prompt.js';
 import { resolveRuntimeTarget } from './lib/runtime-target.js';
 import { createCodexNativeProxy } from './lib/codex-plugin/index.js';
 import { bootstrapPiInteractiveMode, createPiRuntimeAdapter } from './lib/pi-adapter/index.js';
-import { isOidcLoginExpiredError } from './lib/oidc-auth.js';
-import { createPodDataSession } from './lib/pod-data-session.js';
-import { DEFAULT_LINX_CLOUD_MODEL_ID, FALLBACK_LINX_CLOUD_MODEL_IDS } from './lib/default-model.js';
-import { createLinxPiSessionManager, formatLinxPiSessionSummary, listLinxPiSessions, } from './lib/pi-adapter/session.js';
-import { LinxPiPodMirror } from './lib/pi-adapter/pod-mirror.js';
+import { getOidcAccessToken } from './lib/oidc-auth.js';
+import { DEFAULT_LINX_CLOUD_MODEL_ID } from './lib/default-model.js';
 import { LINX_AGENT_DIR } from './lib/pi-adapter/branding.js';
-import { formatArchivedWatchSession, formatWatchSessionSummary, loadArchivedWatchEvents, listArchivedWatchSessions, listSupportedWatchBackends, loadArchivedWatchSession, runWatch, } from './lib/watch/index.js';
-function readPackageVersion() {
-    try {
-        const raw = readFileSync(new URL('../package.json', import.meta.url), 'utf-8');
-        const pkg = JSON.parse(raw);
-        return typeof pkg.version === 'string' && pkg.version.trim() ? pkg.version.trim() : 'unknown';
-    }
-    catch {
-        return 'unknown';
-    }
-}
-function formatRemoteModelMetadata(model) {
-    const provider = resolveRemoteModelProviderLabel(model);
-    return [provider, model.contextWindow ? `${model.contextWindow}` : '']
-        .filter(Boolean)
-        .join(' · ');
-}
-function resolveRemoteModelProviderLabel(model) {
-    if (FALLBACK_LINX_CLOUD_MODEL_IDS.includes(model.id)) {
-        return 'undefineds';
-    }
-    return model.provider || model.ownedBy;
-}
+import { LINX_CLI_VERSION } from './generated/version.js';
+import { formatRemoteWatchApprovalSummary, formatArchivedWatchSession, formatWatchSessionSummary, loadArchivedWatchEvents, listArchivedWatchSessions, listRemoteWatchApprovals, listSupportedWatchBackends, loadArchivedWatchSession, resolveRemoteWatchApproval, runWatch, } from './lib/watch/index.js';
 let chatRuntimePromise = null;
 async function loadChatRuntime() {
     if (!chatRuntimePromise) {
@@ -70,53 +45,71 @@ async function loadChatRuntime() {
 }
 async function resolveContext(urlOverride) {
     const runtime = await loadChatRuntime();
-    const podSession = await createLinxPodDataSession();
+    const creds = loadCredentials();
+    if (!creds) {
+        throw new Error('No credentials found. Run `linx login` first.');
+    }
     const target = resolveRuntimeTarget({
-        issuerUrl: podSession.credentials.url,
+        issuerUrl: creds.url,
         runtimeUrlOverride: urlOverride,
     });
-    const apiKey = await resolvePodRuntimeAuthToken(podSession);
-    const session = podSession.solidSession;
-    await runtime.initPodData(session);
-    const chatId = await runtime.getOrCreateDefaultChat(session);
-    return { runtimeUrl: target.runtimeUrl, apiKey, session, podSession, chatId, runtime };
+    const clientCreds = getClientCredentials(creds);
+    if (clientCreds) {
+        const { session, apiKey } = await runtime.authenticate(clientCreds.clientId, clientCreds.clientSecret, target.oidcIssuer);
+        await runtime.initPodData(session);
+        const chatId = await runtime.getOrCreateDefaultChat(session);
+        return { runtimeUrl: target.runtimeUrl, apiKey, session, chatId, runtime };
+    }
+    if (creds.authType === 'oidc_oauth') {
+        const accessToken = await getOidcAccessToken(creds);
+        if (!accessToken) {
+            throw new Error('Failed to restore OIDC access token. Run `linx login` again.');
+        }
+        const pseudoSession = {
+            async logout() { },
+        };
+        const podUrl = loadAccountSession()?.podUrl || creds.webId.replace('/card#me', '').replace(/\/?$/, '/');
+        const session = {
+            ...pseudoSession,
+            info: {
+                isLoggedIn: true,
+                webId: creds.webId,
+                podUrl,
+            },
+            fetch: (url, init) => runtime.authenticatedFetch(url, accessToken, init),
+        };
+        await runtime.initPodData(session);
+        const chatId = await runtime.getOrCreateDefaultChat(session);
+        return { runtimeUrl: target.runtimeUrl, apiKey: accessToken, session, chatId, runtime };
+    }
+    throw new Error('Unsupported LinX auth type. Run `linx login` again.');
 }
 async function resolveRuntimeAuthContext(urlOverride) {
     const runtime = await loadChatRuntime();
-    const podSession = await createLinxPodDataSession();
+    const creds = loadCredentials();
+    if (!creds) {
+        throw new Error('No credentials found. Run `linx login` first.');
+    }
     const target = resolveRuntimeTarget({
-        issuerUrl: podSession.credentials.url,
+        issuerUrl: creds.url,
         runtimeUrlOverride: urlOverride,
     });
-    const apiKey = await resolvePodRuntimeAuthToken(podSession);
-    return {
-        runtimeUrl: target.runtimeUrl,
-        apiKey,
-        session: podSession.solidSession,
-        podSession,
-        runtime,
-    };
-}
-async function createLinxPodDataSession() {
-    if (!loadCredentials()) {
-        throw new Error('No credentials found. Run `linx login` first.');
-    }
-    const podSession = await createPodDataSession();
-    if (!podSession) {
-        throw new Error('Unsupported LinX auth type. Run `linx login` again.');
-    }
-    return podSession;
-}
-async function resolvePodRuntimeAuthToken(podSession) {
-    try {
-        return await podSession.getRuntimeAuthToken();
-    }
-    catch (error) {
-        if (isOidcLoginExpiredError(error)) {
-            throw new Error('LinX Cloud login expired. Run `linx login` to re-authorize.');
+    const clientCreds = getClientCredentials(creds);
+    if (clientCreds) {
+        const { session, apiKey } = await runtime.authenticate(clientCreds.clientId, clientCreds.clientSecret, target.oidcIssuer);
+        return { runtimeUrl: target.runtimeUrl, apiKey, session, runtime };
+    }
+    if (creds.authType === 'oidc_oauth') {
+        const accessToken = await getOidcAccessToken(creds);
+        if (!accessToken) {
+            throw new Error('Failed to restore OIDC access token. Run `linx login` again.');
         }
-        throw error;
+        const pseudoSession = {
+            async logout() { },
+        };
+        return { runtimeUrl: target.runtimeUrl, apiKey: accessToken, session: pseudoSession, runtime };
     }
+    throw new Error('Unsupported LinX auth type. Run `linx login` again.');
 }
 async function runSingleTurn(options) {
     const { ctx, threadId, model, prompt } = options;
@@ -149,7 +142,7 @@ async function runInteractive(options) {
     const { ctx, initialThreadId, initialModel, initialPrompt } = options;
     let threadId = initialThreadId;
     let model = initialModel;
-    process.stdout.write(`LinX CLI ready\nthread: ${threadId}\nmodel: ${model || DEFAULT_LINX_CLOUD_MODEL_ID}\n输入 /hotkeys 查看快捷键。\n\n`);
+    process.stdout.write(`LinX CLI ready\nthread: ${threadId}\nmodel: ${model || DEFAULT_LINX_CLOUD_MODEL_ID}\n输入 /help 查看命令。\n\n`);
     if (initialPrompt) {
         await runSingleTurn({ ctx, threadId, model, prompt: initialPrompt });
     }
@@ -161,7 +154,7 @@ async function runInteractive(options) {
             break;
         }
         if (input === '/help') {
-            process.stdout.write('/hotkeys 查看快捷键\n/threads 列出 threads\n/new 新建 thread\n/use <threadId> 切换 thread\n/model <modelId> 切换模型\n/exit 退出\n\n');
+            process.stdout.write('/help 查看帮助\n/threads 列出 threads\n/new 新建 thread\n/use <threadId> 切换 thread\n/model <modelId> 切换模型\n/exit 退出\n\n');
             continue;
         }
         if (input === '/threads') {
@@ -197,77 +190,32 @@ async function runInteractive(options) {
         await runSingleTurn({ ctx, threadId, model, prompt: input });
     }
 }
-async function runLinxPackageCommand(command, options = {}) {
-    if ((command === 'install' || command === 'remove') && !options.source) {
-        throw new Error(`Missing ${command} source. Usage: linx ${command} <source> [-l]`);
-    }
-    const cwd = process.cwd();
-    const settingsManager = SettingsManager.create(cwd, LINX_AGENT_DIR);
-    const packageManager = new DefaultPackageManager({
-        cwd,
-        agentDir: LINX_AGENT_DIR,
-        settingsManager,
-    });
-    packageManager.setProgressCallback((event) => {
-        if (event.type === 'start' && event.message) {
-            process.stdout.write(`${event.message}\n`);
-        }
-    });
-    switch (command) {
-        case 'install':
-            await packageManager.installAndPersist(options.source, { local: Boolean(options.local) });
-            process.stdout.write(`Installed ${options.source}\n`);
-            return;
-        case 'remove': {
-            const removed = await packageManager.removeAndPersist(options.source, { local: Boolean(options.local) });
-            if (!removed) {
-                throw new Error(`No matching package found for ${options.source}`);
-            }
-            process.stdout.write(`Removed ${options.source}\n`);
-            return;
-        }
-        case 'update':
-            await packageManager.update(options.source);
-            process.stdout.write(options.source ? `Updated ${options.source}\n` : 'Updated packages\n');
-            return;
-        case 'list':
-            printConfiguredLinxPackages(packageManager);
-            return;
-    }
-}
-function printConfiguredLinxPackages(packageManager) {
-    const configuredPackages = packageManager.listConfiguredPackages();
-    if (configuredPackages.length === 0) {
-        process.stdout.write('No packages installed.\n');
-        return;
-    }
-    const printGroup = (title, packages) => {
-        if (packages.length === 0) {
-            return;
-        }
-        process.stdout.write(`${title}:\n`);
-        for (const pkg of packages) {
-            const display = pkg.filtered ? `${pkg.source} (filtered)` : pkg.source;
-            process.stdout.write(`  ${display}\n`);
-            if (pkg.installedPath) {
-                process.stdout.write(`    ${pkg.installedPath}\n`);
-            }
-        }
-    };
-    printGroup('User packages', configuredPackages.filter((pkg) => pkg.scope === 'user'));
-    printGroup('Project packages', configuredPackages.filter((pkg) => pkg.scope === 'project'));
-}
 async function runPiCommand(argv) {
     const backend = argv.backend ?? 'cloud';
-    let shouldPromptLinxCloudLoginOnStart = false;
     if (!argv.print && backend === 'cloud') {
         const { resolveLinxPiCloudOAuthCredential } = await import('./lib/pi-adapter/auth.js');
-        const existingCredential = await resolveLinxPiCloudOAuthCredential(undefined).catch((error) => {
-            shouldPromptLinxCloudLoginOnStart = true;
-            return null;
-        });
+        const existingCredential = await resolveLinxPiCloudOAuthCredential(undefined);
         if (!existingCredential) {
-            shouldPromptLinxCloudLoginOnStart = true;
+            const answer = (await promptText('LinX Cloud not connected. Open browser login now? [Y/n] ')).trim().toLowerCase();
+            const shouldLoginNow = answer === '' || answer === 'y' || answer === 'yes';
+            if (shouldLoginNow) {
+                const { ensureBrowserConsentLogin } = await import('./lib/oidc-auth.js');
+                process.stdout.write('Opening LinX Cloud login in your browser...\n');
+                try {
+                    const result = await ensureBrowserConsentLogin({
+                        issuerUrl: resolveAccountBaseUrl(),
+                    });
+                    if (result.reusedExistingSession) {
+                        process.stdout.write('Reused existing LinX Cloud session.\n');
+                    }
+                }
+                catch (error) {
+                    process.stdout.write('LinX Cloud login was not completed. Continuing into TUI without auth.\n');
+                    if (error instanceof Error && error.message.trim()) {
+                        process.stdout.write(`${error.message}\n`);
+                    }
+                }
+            }
         }
     }
     const adapter = createPiRuntimeAdapter({
@@ -284,11 +232,11 @@ async function runPiCommand(argv) {
         },
         async listRemoteModels(session, runtimeUrl, apiKey) {
             const chatApi = await import('./lib/chat-api.js');
-            return chatApi.listRemoteModels(session, runtimeUrl, apiKey, { fallback: false, timeoutMs: 5000 });
+            return chatApi.listRemoteModels(session, runtimeUrl, apiKey);
         },
     }, {
         cwd: argv.cwd || process.cwd(),
-        model: argv.model,
+        model: argv.model || DEFAULT_LINX_CLOUD_MODEL_ID,
         backend,
         port: argv.port,
         providerConfig: {
@@ -297,40 +245,13 @@ async function runPiCommand(argv) {
         },
     });
     await adapter.start();
-    const sessionManager = await createLinxPiSessionManager({
-        cwd: adapter.cwd,
-        agentDir: LINX_AGENT_DIR,
-        session: argv.session,
-        last: argv.last,
-    });
+    const { SessionManager } = await import('@mariozechner/pi-coding-agent');
     const runtime = await adapter.createRuntime({
         cwd: adapter.cwd,
         agentDir: LINX_AGENT_DIR,
-        sessionManager,
-    });
-    const podMirror = new LinxPiPodMirror({
-        cwd: adapter.cwd,
-        sessionManager,
-        onError(error) {
-            if (process.env.LINX_DEBUG === '1') {
-                const message = error instanceof Error ? error.stack || error.message : String(error);
-                process.stderr.write(`[linx pod mirror] ${message}\n`);
-            }
-        },
-    });
-    const unsubscribePodMirror = runtime.session.subscribe((event) => {
-        podMirror.handleEvent(event);
+        sessionManager: SessionManager.inMemory(adapter.cwd),
     });
     const interactive = bootstrapPiInteractiveMode(runtime);
-    const bridge = runtime;
-    const loginPromptReason = bridge.linxAuthBridge?.shouldPromptLoginOnStart
-        ? 'expired'
-        : shouldPromptLinxCloudLoginOnStart
-            ? 'startup'
-            : null;
-    if (loginPromptReason) {
-        interactive.requestLogin?.(loginPromptReason);
-    }
     try {
         if (argv.print) {
             const prompt = (argv.prompt ?? []).join(' ').trim();
@@ -346,8 +267,6 @@ async function runPiCommand(argv) {
         await interactive.run();
     }
     finally {
-        unsubscribePodMirror();
-        await podMirror.close().catch(() => undefined);
         interactive.stop();
         await adapter.close();
     }
@@ -360,7 +279,7 @@ function buildPiCommand(command) {
     })
         .option('model', {
         type: 'string',
-        describe: 'Model id to expose through the Pi runtime adapter; defaults to the last LinX selection',
+        describe: 'Model id to expose through the Pi runtime adapter',
     })
         .option('backend', {
         type: 'string',
@@ -382,15 +301,6 @@ function buildPiCommand(command) {
         type: 'boolean',
         default: false,
         describe: 'Run a single prompt without entering interactive mode',
-    })
-        .option('session', {
-        type: 'string',
-        describe: 'Resume a specific LinX/Pi session id or JSONL file',
-    })
-        .option('last', {
-        type: 'boolean',
-        default: false,
-        describe: 'Continue the most recent local LinX/Pi session for this workspace',
     })
         .positional('prompt', {
         array: true,
@@ -428,7 +338,7 @@ const execCommand = {
 };
 const cli = yargs(hideBin(process.argv))
     .scriptName('linx')
-    .version(readPackageVersion())
+    .version(LINX_CLI_VERSION)
     .parserConfiguration({
     'populate--': true,
 })
@@ -436,30 +346,6 @@ const cli = yargs(hideBin(process.argv))
     .command(logoutCommand)
     .command(whoamiCommand)
     .command(aiCommand)
-    .command('install [source]', 'Install a LinX package or extension', (command) => command
-    .positional('source', { type: 'string', describe: 'Package source to install' })
-    .option('local', { alias: 'l', type: 'boolean', default: false, describe: 'Install project-locally (.pi/settings.json)' }), async (argv) => {
-    await runLinxPackageCommand('install', {
-        source: typeof argv.source === 'string' ? argv.source : undefined,
-        local: Boolean(argv.local),
-    });
-})
-    .command('remove [source]', 'Remove a LinX package or extension', (command) => command
-    .positional('source', { type: 'string', describe: 'Package source to remove' })
-    .option('local', { alias: 'l', type: 'boolean', default: false, describe: 'Remove from project settings (.pi/settings.json)' }), async (argv) => {
-    await runLinxPackageCommand('remove', {
-        source: typeof argv.source === 'string' ? argv.source : undefined,
-        local: Boolean(argv.local),
-    });
-})
-    .command('update [source]', 'Update installed LinX packages', (command) => command.positional('source', { type: 'string', describe: 'Package source to update' }), async (argv) => {
-    await runLinxPackageCommand('update', {
-        source: typeof argv.source === 'string' ? argv.source : undefined,
-    });
-})
-    .command('list', 'List installed LinX packages', () => undefined, async () => {
-    await runLinxPackageCommand('list');
-})
     .command(execCommand)
     .command(defaultPiCommand)
     .command('chat [prompt..]', false, (command) => command
@@ -478,11 +364,11 @@ const cli = yargs(hideBin(process.argv))
     const prompt = argv.prompt?.join(' ').trim() || undefined;
     if (prompt) {
         await runSingleTurn({ ctx, threadId, model: argv.model, prompt });
-        await ctx.podSession.close();
+        await ctx.session.logout();
         return;
     }
     await runInteractive({ ctx, initialThreadId: threadId, initialModel: argv.model });
-    await ctx.podSession.close();
+    await ctx.session.logout();
 })
     .command('models', 'List available remote models', (command) => command.option('url', { type: 'string', describe: 'Runtime API base URL override' }), async (argv) => {
     const ctx = await resolveRuntimeAuthContext(argv.url);
@@ -499,44 +385,24 @@ const cli = yargs(hideBin(process.argv))
     }
     else {
         for (const model of models) {
-            const meta = formatRemoteModelMetadata(model);
+            const meta = [model.provider || model.ownedBy, model.contextWindow ? `${model.contextWindow}` : '']
+                .filter(Boolean)
+                .join(' · ');
             process.stdout.write(`- ${model.id}${meta ? ` (${meta})` : ''}\n`);
         }
     }
-    await ctx.podSession.close();
-})
-    .command('resume [session]', 'Resume a previous interactive LinX session', (command) => command
-    .positional('session', { type: 'string', describe: 'Session id/prefix or JSONL file to resume' })
-    .option('last', { type: 'boolean', default: false, describe: 'Resume the most recent local session for this workspace' })
-    .option('cwd', { type: 'string', describe: 'Workspace path for the resumed session' })
-    .option('model', { type: 'string', describe: 'Model id to expose through the Pi runtime adapter' })
-    .option('backend', {
-    type: 'string',
-    default: 'cloud',
-    choices: ['cloud', 'native'],
-    describe: 'Backend mode. Default is cloud; native keeps the local Codex proxy for debugging only.',
+    await ctx.session.logout();
 })
-    .option('port', { type: 'number', default: 8787, describe: 'Local websocket port used only when --backend native' })
-    .option('runtime-url', { type: 'string', default: 'https://api.undefineds.co/v1', describe: 'Cloud runtime API base URL' }), async (argv) => {
-    const session = typeof argv.session === 'string' ? argv.session : undefined;
-    if (!session && !argv.last) {
-        const sessions = await listLinxPiSessions(argv.cwd || process.cwd(), LINX_AGENT_DIR);
-        if (sessions.length === 0) {
-            process.stdout.write('No LinX sessions found.\n');
-            return;
-        }
-        process.stdout.write(`${sessions.map(formatLinxPiSessionSummary).join('\n')}\n`);
-        return;
+    .command('resume', 'List resumable CLI threads', (command) => command.option('url', { type: 'string', describe: 'Runtime API base URL override' }), async (argv) => {
+    const ctx = await resolveContext(argv.url);
+    const threads = await ctx.runtime.listThreads(ctx.session, ctx.chatId);
+    if (threads.length === 0) {
+        process.stdout.write('No threads found.\n');
     }
-    await runPiCommand({
-        cwd: argv.cwd,
-        model: argv.model,
-        backend: argv.backend,
-        port: argv.port,
-        'runtime-url': argv['runtime-url'],
-        session,
-        last: argv.last || !session,
-    });
+    else {
+        process.stdout.write(`${threads.map((thread) => `- ${ctx.runtime.formatThreadLabel(thread)}`).join('\n')}\n`);
+    }
+    await ctx.session.logout();
 })
     .command('fork [thread]', 'Fork a previous interactive session', (command) => command
     .positional('thread', { type: 'string', describe: 'Thread ID to fork' })
@@ -582,11 +448,11 @@ const cli = yargs(hideBin(process.argv))
     .command('watch <action> [backend] [prompt..]', 'Run or inspect local watch backends', (command) => command
     .positional('action', {
     type: 'string',
-    choices: ['run', 'backends', 'sessions', 'show', 'codex', 'claude', 'codebuddy'],
+    choices: ['run', 'backends', 'sessions', 'show', 'approvals', 'approve', 'reject', 'codex', 'claude', 'codebuddy'],
 })
     .positional('backend', {
     type: 'string',
-    describe: 'Watch backend for `run` or session id for `show`',
+    describe: 'Watch backend for `run`, session id for `show`, or approval id for `approve|reject`',
 })
     .option('mode', {
     type: 'string',
@@ -613,11 +479,14 @@ const cli = yargs(hideBin(process.argv))
     choices: ['auto', 'local', 'cloud'],
     describe: 'Resolve credentials only: local CLI login, LinX cloud config, or auto fallback. Runtime still runs locally.',
 })
-    .option('approval-source', {
+    .option('session', {
+    type: 'boolean',
+    default: false,
+    describe: 'Approve for the current watch session instead of only once.',
+})
+    .option('reason', {
     type: 'string',
-    default: 'hybrid',
-    choices: ['local', 'remote', 'hybrid'],
-    describe: 'Resolve backend approval requests locally, through Pod remote approvals, or whichever answers first.',
+    describe: 'Optional note recorded with an approval decision.',
 }), async (argv) => {
     const rawAction = String(argv.action);
     const directBackend = ['codex', 'claude', 'codebuddy'].includes(rawAction);
@@ -654,6 +523,30 @@ const cli = yargs(hideBin(process.argv))
         process.stdout.write(formatArchivedWatchSession(session, loadArchivedWatchEvents(sessionId)));
         return;
     }
+    if (action === 'approvals') {
+        const approvals = await listRemoteWatchApprovals();
+        if (approvals.length === 0) {
+            process.stdout.write('No pending remote approvals in the approval inbox.\n');
+            return;
+        }
+        process.stdout.write(`${approvals.map(formatRemoteWatchApprovalSummary).join('\n')}\n`);
+        return;
+    }
+    if (action === 'approve' || action === 'reject') {
+        const approvalId = argv.backend ? String(argv.backend) : '';
+        if (!approvalId) {
+            throw new Error(`Usage: linx watch ${action} <approvalId>`);
+        }
+        const summary = await resolveRemoteWatchApproval({
+            approvalId,
+            decision: action === 'approve'
+                ? (argv.session ? 'accept_for_session' : 'accept')
+                : 'decline',
+            note: argv.reason ? String(argv.reason) : undefined,
+        });
+        process.stdout.write(`${formatRemoteWatchApprovalSummary(summary)}\n`);
+        return;
+    }
     const backend = (directBackend ? rawAction : argv.backend);
     if (!backend || !['codex', 'claude', 'codebuddy'].includes(backend)) {
         throw new Error('Usage: linx watch run <codex|claude|codebuddy> <prompt> [-- backend args]\n   or: linx watch <codex|claude|codebuddy> <prompt>');
@@ -672,26 +565,13 @@ const cli = yargs(hideBin(process.argv))
         prompt,
         passthroughArgs: (argv['--'] ?? []).map(String),
         credentialSource: argv['credential-source'],
-        approvalSource: argv['approval-source'],
     });
     if (exitCode !== 0) {
         process.exitCode = exitCode;
     }
 })
     .strict()
-    .help()
-    .fail((message, error, yargsInstance) => {
-    if (error) {
-        console.error(error instanceof Error ? error.message : String(error));
-        process.exit(1);
-    }
-    if (message) {
-        console.error(message);
-        process.exit(1);
-    }
-    yargsInstance.showHelp();
-    process.exit(1);
-});
+    .help();
 process.on('unhandledRejection', (error) => {
     console.error(error instanceof Error ? error.message : String(error));
     process.exit(1);