@vectorplane/ctrl-cli 0.1.12 → 0.1.14

package/README.md

@@ -2,7 +2,7 @@
 
 CLI oficial do VectorPlane.
 
-Use o comando `vp` para autenticar, verificar a sessão local e sincronizar o workspace com o produto.
+Use o comando `vp` para autenticar, verificar a sessão local, sincronizar o workspace e operar o control plane com uma sessão local endurecida.
 
 ## Instalação
 
@@ -15,116 +15,73 @@ npm install -g @vectorplane/ctrl-cli
 ```bash
 vp init
 vp login
+vp login --manual
+vp login --device
 vp logout
 vp status
+vp doctor --policy
 vp sync
 vp task templates
 vp task run --title "Entrega X" --intention "Implementar fluxo Y"
-vp task run --template code-review --title "Review auth" --intention "Revisar risco e cobertura do fluxo de auth"
-vp task claim --capability qa.test
-vp task execute <task-id> --step <step-id>
-vp task daemon --capability qa.test
+vp task watch <task-id>
 vp context --search "decisões sobre autenticação"
-vp context --delivery --search "fluxo de login" --type decisions
-vp context --workspace <workspace> --delivery
-vp session check-in --workspace <workspace> --agent codex --type codex --client openai-codex --feature feature-key --task task-key --owning-path "src/core,src/ui" --need "api-contract" --provide "implementation" --status "starting implementation"
-vp draft create --type progress --title "Entrega concluída" --content "Resumo da mudança"
+vp workspace webhook list
+vp session check-in --workspace <workspace> --agent codex --type codex --client openai-codex
 ```
 
-## Comandos
-
-### `vp init`
-
-- autentica localmente se ainda não houver sessão
-- resolve e associa o workspace atual a partir do `git remote`, somente quando houver correspondência com um workspace que o usuário pode acessar
-- detecta o agente local automaticamente, pede confirmação se houver ambiguidade e aceita `--agent`
-- baixa o template oficial do backend
-- grava o arquivo local e adiciona a entrada no `.gitignore`
-- aceita `--force` para sobrescrever template existente
-- durante execução, se outro agente passar a operar no workspace e a detecção for confiável, o setup local é reconciliado automaticamente
+## Comandos principais
 
 ### `vp login`
 
-- abre o navegador para autenticação
-- conclui o login com callback local seguro
-- salva a sessão localmente
-- suporta `--no-browser` e `--manual`
-- em ambientes remotos ou isolados, o loopback local pode exigir um fluxo alternativo
-- a URL web do login é emitida pelo control plane; o domínio do app não deve ser hardcoded em automações externas
+- suporta `browser`, `manual` e `device`
+- `--manual` evita abrir o navegador automaticamente
+- `--device` evita dependência de callback loopback e fecha melhor com SSH, container, CI e WSL
+- a URL web do login é emitida pelo control plane
 
 ### `vp logout`
 
-- revoga a sessão do CLI quando possível
-- remove a sessão local do dispositivo
+- tenta revogar a sessão remotamente
+- limpa a sessão local do dispositivo
+- registra auditoria local mínima da operação
+
+### `vp doctor`
 
-### `vp sync`
+- valida storage de sessão, política ativa, conectividade e ambiente local
+- suporta `--policy` para checar só conformidade local
+- recomenda o modo de login mais seguro para o ambiente atual
 
-- coleta contexto local do workspace
-- envia a sincronização para o VectorPlane
-- usa fila local quando a API estiver indisponível
+### `vp config`
+
+- gerencia perfis, política local e envelope de privacidade
+- `vp config privacy set <standard|minimal|enterprise>`
+- `vp config policy set <chave> <true|false>`
 
 ### `vp status`
 
-- mostra o estado da sessão local
-- exibe workspace ativo, diretório atual e última sincronização
-
-### `vp task`
-
-- cria tasks no orchestrator do workspace
-- lista templates disponíveis com `vp task templates`
-- aceita `--template <slug>` para herdar capabilities e paths padrão do backend
-- lista e inspeciona tasks existentes
-- faz claim explícito de steps `pending_claim` atribuídos a agentes CLI
-- executa steps locais via `metadata.execution.command`
-- suporta loop controlado com `vp task daemon --capability ...`
-- registra delegação de step
-- envia callback de execução por step para concluir a pipeline
-- lê handoff operacional por task
-- consulta observabilidade por task ou workspace
-- consulta health do workspace ligado às tasks
-- para automação local real, o agente de registry deve ter `metadata.execution` com:
-  - `type: "command"`
-  - `command: "npm"` ou equivalente
-  - `args`, `cwd` e `env` opcionais
-
-### `vp draft`
-
-- cria drafts editoriais ligados ao workspace atual
-- lista drafts existentes para conferência rápida
-- suporta `ui`, `ux`, `project_skeleton`, `template_engineering`, `patterns`, `progress`, `decisions` e `architecture`
-- aceita `--no-impact` para registrar explicitamente quando uma lane não foi afetada
-
-### `vp session`
-
-- suporta `check-in`, `heartbeat` e `check-out`
-- permite declarar `feature`, `task`, `component`, `role`, `owning-path`, `need`, `provide` e `status`
-- deve ser usado em conjunto com `vp context --delivery` para reduzir conflito entre agentes ativos
-
-### Comandos adicionais já implementados
-
-- `vp whoami`
-  - mostra a identidade autenticada
-- `vp doctor`
-  - executa verificações locais e de conectividade
-- `vp config`
-  - gerencia perfis e configuração local
-  - inclui `vp config privacy` e `vp config policy`
-- `vp workspace`
-  - gerencia o workspace atual
-- `vp session`
-  - gerencia sessões de agente
-- `vp context`
-  - carrega contexto remoto do workspace
-  - suporta `--search "QUERY"` para busca semântica na memória
-  - com `--delivery --search`, retorna delivery context com fragmentos semânticos relevantes
-- `vp bootstrap`
-  - obtém instruções de setup do workspace
-- `vp event send`
-  - envia eventos operacionais
-- `vp draft`
-  - envia e consulta drafts editoriais do workspace
-- `vp task`
-  - opera tasks do autonomous control plane
+- mostra estado da sessão local
+- exibe storage usado, último login, último refresh, último logout e falhas recentes de auth
+
+## Privacidade de máquina
+
+Perfis:
+
+- `standard`: envia o contexto operacional mínimo usual
+- `minimal`: reduz ao máximo dados locais e desabilita lookup de IP/interface por padrão
+- `enterprise`: permite envelope mais rico, mas continua respeitando policies locais
+
+Policies disponíveis:
+
+- `requireSecureStorage`
+- `disableFileSessionFallback`
+- `requireManualLogin`
+- `requireDeviceLogin`
+- `blockPublicIpLookup`
+- `blockMacAddressCollection`
+- `blockUsernameCollection`
+- `blockNetworkInterfaceCollection`
+- `blockCurrentDirectoryCollection`
+- `blockHomeDirectoryCollection`
+- `blockShellCollection`
 
 ## Persistência local
 
@@ -139,8 +96,14 @@ vp draft create --type progress --title "Entrega concluída" --content "Resumo d
 ## Segurança
 
 - tokens nunca são impressos no terminal
-- tokens nunca são enviados por query string
-- o callback valida o `state`
+- logs mascaram chaves sensíveis e ids de sessão
 - a sessão usa secure storage do sistema quando disponível
-- existe fallback para arquivo local apenas quando permitido
+- existe fallback para arquivo local apenas quando permitido pela policy
 - `vp logout` encerra a sessão local e tenta revogação remota
+- o CLI continua sendo thin client: autorização e regra crítica permanecem no backend
+
+## Tutoriais relacionados
+
+- setup completo do ecossistema: [/home/developer/Documentos/Projetos/conductor-edge-ia/docs/tutorials/setup-ecossistema.md](/home/developer/Documentos/Projetos/conductor-edge-ia/docs/tutorials/setup-ecossistema.md)
+- operação de workspace: [/home/developer/Documentos/Projetos/conductor-edge-ia/docs/tutorials/operacao-workspace.md](/home/developer/Documentos/Projetos/conductor-edge-ia/docs/tutorials/operacao-workspace.md)
+- memória e agentes: [/home/developer/Documentos/Projetos/conductor-edge-ia/docs/tutorials/memoria-e-agentes.md](/home/developer/Documentos/Projetos/conductor-edge-ia/docs/tutorials/memoria-e-agentes.md)

package/dist/commands/context.js

@@ -12,6 +12,7 @@ export async function runContextCommand(cliVersion, args) {
     const parsed = parseArgs(args);
     const delivery = getBooleanOption(parsed, "delivery");
     const snapshot = getBooleanOption(parsed, "snapshot");
+    const diff = getBooleanOption(parsed, "diff");
     const search = getStringOption(parsed, "search")?.trim();
     const runtime = await loadRuntimeStatus();
     const session = await ensureSessionAvailable(runtime.profile.name);
@@ -38,6 +39,9 @@ export async function runContextCommand(cliVersion, args) {
         throw new ValidationError("Nenhum workspace resolvido para carregar contexto.");
     }
     await ensureRuntimeAgentSetup({ rootPath, workspace, git, session: freshSession, apiClient, logger: runtime.logger });
+    if (diff && (delivery || snapshot || search)) {
+        throw new ValidationError("`--diff` não pode ser combinado com `--delivery`, `--snapshot` ou `--search`.");
+    }
     const payload = search
         ? (delivery
             ? await apiClient.getWorkspaceDeliveryContextSemantic(freshSession.accessToken, workspace, {
@@ -52,11 +56,16 @@ export async function runContextCommand(cliVersion, args) {
                 authority: getStringOption(parsed, "authority")?.trim(),
                 limit: Number(getStringOption(parsed, "limit") ?? "0") || undefined,
             }))
-        : delivery
-            ? await apiClient.getWorkspaceDeliveryContext(freshSession.accessToken, workspace)
-            : snapshot
-                ? await apiClient.getWorkspaceSnapshot(freshSession.accessToken, workspace)
-                : await apiClient.getWorkspaceContext(freshSession.accessToken, workspace);
+        : diff
+            ? await apiClient.getWorkspaceSnapshotDiff(freshSession.accessToken, workspace, {
+                from: getStringOption(parsed, "from")?.trim() || "latest-1",
+                to: getStringOption(parsed, "to")?.trim() || "latest",
+            })
+            : delivery
+                ? await apiClient.getWorkspaceDeliveryContext(freshSession.accessToken, workspace)
+                : snapshot
+                    ? await apiClient.getWorkspaceSnapshot(freshSession.accessToken, workspace)
+                    : await apiClient.getWorkspaceContext(freshSession.accessToken, workspace);
     process.stdout.write(`${JSON.stringify(payload, null, 2)}\n`);
     return 0;
 }

package/dist/commands/doctor.d.ts

@@ -1 +1 @@
-export declare function runDoctorCommand(cliVersion: string): Promise<number>;
+export declare function runDoctorCommand(cliVersion: string, args?: string[]): Promise<number>;

package/dist/commands/doctor.js

@@ -2,10 +2,11 @@ import { access } from "node:fs/promises";
 import { constants as fsConstants } from "node:fs";
 import { configDirectoryExists, ensureSessionAvailable, getConfigDirectoryPath, getSessionStorageInfo } from "../core/config.js";
 import { collectGitContext } from "../core/git.js";
-import { collectMachineContext, collectRuntimeContext } from "../core/machine.js";
+import { assessExecutionEnvironment, collectMachineContext, collectRuntimeContext, describePrivacyEnvelope } from "../core/machine.js";
 import { loadRuntimeStatus } from "../core/runtime.js";
 import { ensureFreshSession } from "../core/session.js";
 import { VectorPlaneApiClient } from "../core/api.js";
+import { getBooleanOption, parseArgs } from "../core/cli.js";
 async function writable(filePath) {
     try {
         await access(filePath, fsConstants.W_OK);
@@ -18,23 +19,9 @@ async function writable(filePath) {
 function printCheck(label, ok, details) {
     process.stdout.write(`${ok ? "OK" : "FAIL"} ${label}: ${details}\n`);
 }
-function detectExecutionRisks() {
-    const risks = [];
-    if (process.env.WSL_DISTRO_NAME) {
-        risks.push("wsl");
-    }
-    if (process.env.SSH_CONNECTION || process.env.SSH_CLIENT) {
-        risks.push("ssh");
-    }
-    if (process.env.CI === "true") {
-        risks.push("ci");
-    }
-    if (process.env.CONTAINER || process.env.DOCKER_CONTAINER) {
-        risks.push("container");
-    }
-    return risks;
-}
-export async function runDoctorCommand(cliVersion) {
+export async function runDoctorCommand(cliVersion, args = []) {
+    const parsed = parseArgs(args);
+    const policyOnly = getBooleanOption(parsed, "policy");
     const runtime = await loadRuntimeStatus();
     const configDirectory = await getConfigDirectoryPath();
     const [hasConfigDir, git, canWriteConfig] = await Promise.all([
@@ -43,15 +30,21 @@ export async function runDoctorCommand(cliVersion) {
         writable(configDirectory),
     ]);
     const storage = await getSessionStorageInfo(runtime.profile.name);
-    const risks = detectExecutionRisks();
+    const environment = assessExecutionEnvironment();
+    const privacyEnvelope = describePrivacyEnvelope(runtime.profile.machinePrivacyProfile, runtime.config.policy);
     printCheck("config_dir", hasConfigDir, configDirectory);
     printCheck("config_dir_writable", canWriteConfig, canWriteConfig ? "gravável" : "sem permissão de escrita");
     printCheck("git", git.isRepository, git.isRepository ? (git.rootPath ?? process.cwd()) : "repositório não detectado");
     printCheck("node", true, process.version);
     printCheck("privacy_profile", true, runtime.profile.machinePrivacyProfile);
+    printCheck("privacy_envelope", true, JSON.stringify(privacyEnvelope));
     printCheck("session_storage", (storage?.protected ?? false) || runtime.config.preferredSessionStorage === "system", storage ? `${storage.backend}:${storage.protected ? "protected" : "file"}` : runtime.config.preferredSessionStorage);
     printCheck("policy_secure_storage", !runtime.config.policy.requireSecureStorage || storage?.protected === true, JSON.stringify(runtime.config.policy));
-    printCheck("execution_environment", risks.length === 0, risks.length === 0 ? "local" : risks.join(","));
+    printCheck("execution_environment", environment.loopbackLikelySafe, environment.risks.length === 0 ? "local" : environment.risks.join(","));
+    printCheck("login_recommendation", true, environment.recommendedLoginMode);
+    if (policyOnly) {
+        return 0;
+    }
     const apiClient = new VectorPlaneApiClient(runtime.profile.apiBaseUrl, runtime.config.requestTimeoutMs, runtime.logger);
     try {
         const health = await apiClient.getHealth();

package/dist/commands/login.js

@@ -1,18 +1,37 @@
 import { getBooleanOption, getStringOption, parseArgs } from "../core/cli.js";
 import { runLoginFlow } from "../core/auth.js";
 import { getSessionStorageInfo, saveSession, setActiveProfile, updateProfileState, upsertProfile } from "../core/config.js";
-import { collectMachineContext, collectRuntimeContext } from "../core/machine.js";
+import { assessExecutionEnvironment, collectMachineContext, collectRuntimeContext } from "../core/machine.js";
 import { loadRuntimeStatus } from "../core/runtime.js";
 import { VectorPlaneApiClient } from "../core/api.js";
+function resolveLoginMode(args) {
+    if (args.device || args.requireDeviceLogin) {
+        return "device";
+    }
+    if (args.manual || args.noBrowser || args.requireManualLogin) {
+        return "manual";
+    }
+    return "browser";
+}
 export async function runLoginCommand(cliVersion, args) {
     const parsed = parseArgs(args);
     const requestedProfile = getStringOption(parsed, "profile");
-    const noBrowser = getBooleanOption(parsed, "no-browser") || getBooleanOption(parsed, "manual");
     if (requestedProfile) {
         await upsertProfile(requestedProfile, { name: requestedProfile });
         await setActiveProfile(requestedProfile);
     }
     const runtime = await loadRuntimeStatus();
+    const loginMode = resolveLoginMode({
+        noBrowser: getBooleanOption(parsed, "no-browser"),
+        manual: getBooleanOption(parsed, "manual"),
+        device: getBooleanOption(parsed, "device"),
+        requireManualLogin: runtime.config.policy.requireManualLogin,
+        requireDeviceLogin: runtime.config.policy.requireDeviceLogin,
+    });
+    const environment = assessExecutionEnvironment();
+    if (environment.recommendedLoginMode === "device" && loginMode === "browser") {
+        runtime.logger.warn("o ambiente atual parece pouco confiável para loopback. considere `vp login --device`.");
+    }
     const machine = await collectMachineContext(runtime.device, runtime.config);
     const runtimeContext = await collectRuntimeContext(cliVersion, "login", process.argv.slice(2));
     const apiClient = new VectorPlaneApiClient(runtime.profile.apiBaseUrl, runtime.config.requestTimeoutMs, runtime.logger);
@@ -24,7 +43,7 @@ export async function runLoginCommand(cliVersion, args) {
         device: runtime.device,
         apiClient,
         logger: runtime.logger,
-        noBrowser: noBrowser || runtime.config.policy.requireManualLogin,
+        loginMode,
     });
     await saveSession(session, runtime.profile.name);
     const storage = await getSessionStorageInfo(runtime.profile.name);
@@ -34,6 +53,7 @@ export async function runLoginCommand(cliVersion, args) {
         lastWorkspace: session.workspace,
         lastError: null,
         lastLoginAt: session.obtainedAt,
+        lastLoginMethod: loginMode,
         lastSessionId: session.sessionId,
         storageBackend: storage?.backend ?? null,
         storageProtected: storage?.protected ?? null,
@@ -42,6 +62,7 @@ export async function runLoginCommand(cliVersion, args) {
     });
     runtime.logger.success("login realizado com sucesso.");
     process.stdout.write(`Perfil: ${runtime.profile.name}\n`);
+    process.stdout.write(`Modo de login: ${loginMode}\n`);
     process.stdout.write(`Workspace ativo: ${session.workspace}\n`);
     return 0;
 }

package/dist/commands/logout.js

@@ -15,8 +15,10 @@ export async function runLogoutCommand() {
         return 0;
     }
     const apiClient = new VectorPlaneApiClient(runtime.profile.apiBaseUrl, runtime.config.requestTimeoutMs, runtime.logger);
+    let remoteRevokedAt = null;
     try {
         await revokeSession({ session, apiClient });
+        remoteRevokedAt = new Date().toISOString();
     }
     catch (error) {
         runtime.logger.warn("não foi possível revogar a sessão remotamente. removendo a sessão local mesmo assim.");
@@ -29,6 +31,7 @@ export async function runLogoutCommand() {
     await updateProfileState(runtime.profile.name, {
         lastCommand: "logout",
         lastLogoutAt: loggedOutAt,
+        lastRemoteRevokeAt: remoteRevokedAt,
         lastSessionId: null,
     });
     runtime.logger.success("sessão local encerrada.");

package/dist/commands/status.js

@@ -35,16 +35,22 @@ export async function runStatusCommand() {
     process.stdout.write(`Sessão CLI: ${session.sessionId}\n`);
     process.stdout.write(`Expira em: ${session.expiresAt}\n`);
     process.stdout.write(`Último refresh: ${profileState.lastRefreshAt ?? session.lastRefreshAt ?? "nunca"}\n`);
+    process.stdout.write(`Último login: ${profileState.lastLoginAt ?? "desconhecido"}\n`);
+    process.stdout.write(`Último método de login: ${profileState.lastLoginMethod ?? "desconhecido"}\n`);
+    process.stdout.write(`Último logout: ${profileState.lastLogoutAt ?? "nunca"}\n`);
+    process.stdout.write(`Última revogação remota: ${profileState.lastRemoteRevokeAt ?? "nunca"}\n`);
     if (git.branch) {
         process.stdout.write(`Branch: ${git.branch}\n`);
     }
     process.stdout.write(`Última sincronização: ${profileState.lastSyncAt ?? "nunca"}\n`);
     process.stdout.write(`Status do último sync: ${profileState.lastSyncStatus ?? "desconhecido"}\n`);
-    process.stdout.write(`Último login: ${profileState.lastLoginAt ?? "desconhecido"}\n`);
-    process.stdout.write(`Último logout: ${profileState.lastLogoutAt ?? "nunca"}\n`);
     if (profileState.lastSnapshotPath) {
         process.stdout.write(`Último snapshot local: ${profileState.lastSnapshotPath}\n`);
     }
+    if (profileState.lastAuthFailure) {
+        process.stdout.write(`Última falha de auth: ${profileState.lastAuthFailure}\n`);
+        process.stdout.write(`Falha registrada em: ${profileState.lastAuthFailureAt ?? "desconhecido"}\n`);
+    }
     if (profileState.lastError) {
         process.stdout.write(`Último erro: ${profileState.lastError}\n`);
     }

package/dist/commands/task.js

@@ -157,6 +157,12 @@ function printObservability(payload) {
     process.stdout.write(`Delegadas: ${String(payload.delegatedTasks ?? 0)}\n`);
     process.stdout.write(`Success rate: ${String(payload.successRate ?? 0)}\n`);
 }
+function printWatchEvent(event) {
+    const scope = event.taskId ? `task=${event.taskId}` : `workspace=${event.workspaceId}`;
+    const step = event.stepId ? ` step=${event.stepId}` : "";
+    const summary = event.summary ? ` ${JSON.stringify(event.summary)}` : "";
+    process.stdout.write(`[${event.timestamp}] ${event.type} ${scope}${step}${summary}\n`);
+}
 async function runTaskList(cliVersion, args) {
     const { parsed, apiClient, freshSession, workspace } = await resolveAuthenticatedWorkspace(cliVersion, args);
     const tasks = await apiClient.listTasks(freshSession.accessToken, workspace);
@@ -433,6 +439,40 @@ async function runTaskObservability(cliVersion, args) {
     }
     return 0;
 }
+async function runTaskWatch(cliVersion, args) {
+    const { apiClient, freshSession, workspace } = await resolveAuthenticatedWorkspace(cliVersion, args);
+    const parsed = parseArgs(args);
+    const taskId = requirePositional(parsed, 0, "Uso: vp task watch <taskId> [--json]");
+    const task = await apiClient.getTask(freshSession.accessToken, workspace, taskId);
+    if (printJsonIfRequested(parsed, task)) {
+        return 0;
+    }
+    printTask(task);
+    const controller = new AbortController();
+    let exitCode = 0;
+    await apiClient.streamWorkspaceEvents(freshSession.accessToken, workspace, {
+        taskId,
+        signal: controller.signal,
+        onEvent: (event) => {
+            if (event.type === "ready" || event.type === "heartbeat") {
+                return;
+            }
+            printWatchEvent(event);
+            if (event.type === "task.failed" || event.type === "task.blocked") {
+                exitCode = 1;
+            }
+            if (event.type === "task.completed" || event.type === "task.failed" || event.type === "task.blocked") {
+                controller.abort();
+            }
+        },
+    }).catch((error) => {
+        if (controller.signal.aborted) {
+            return;
+        }
+        throw error;
+    });
+    return exitCode;
+}
 async function runTaskHealth(cliVersion, args) {
     const { apiClient, freshSession, workspace } = await resolveAuthenticatedWorkspace(cliVersion, args);
     const parsed = parseArgs(args);
@@ -465,7 +505,7 @@ async function runTaskApproval(cliVersion, args, approved) {
 }
 export async function runTaskCommand(cliVersion, args) {
     const parsed = parseArgs(args);
-    const subcommand = requirePositional(parsed, 0, "Uso: vp task <run|templates|list|inspect|claim|execute|daemon|approve|reject|delegate|step-update|handoff|observability|health> [...]");
+    const subcommand = requirePositional(parsed, 0, "Uso: vp task <run|templates|list|inspect|watch|claim|execute|daemon|approve|reject|delegate|step-update|handoff|observability|health> [...]");
     switch (subcommand) {
         case "run":
             return runTaskRun(cliVersion, args.slice(1));
@@ -475,6 +515,8 @@ export async function runTaskCommand(cliVersion, args) {
             return runTaskList(cliVersion, args.slice(1));
         case "inspect":
             return runTaskInspect(cliVersion, args.slice(1));
+        case "watch":
+            return runTaskWatch(cliVersion, args.slice(1));
         case "claim":
             return runTaskClaim(cliVersion, args.slice(1));
         case "execute":
@@ -496,7 +538,7 @@ export async function runTaskCommand(cliVersion, args) {
         case "health":
             return runTaskHealth(cliVersion, args.slice(1));
         default:
-            throw new ValidationError("Uso: vp task <run|templates|list|inspect|claim|execute|daemon|approve|reject|delegate|step-update|handoff|observability|health> [...]");
+            throw new ValidationError("Uso: vp task <run|templates|list|inspect|watch|claim|execute|daemon|approve|reject|delegate|step-update|handoff|observability|health> [...]");
     }
 }
 //# sourceMappingURL=task.js.map

package/dist/commands/workspace.js

@@ -39,6 +39,20 @@ function printPolicyRule(rule) {
         process.stdout.write(`Required capabilities: ${rule.conditions.requiredCapabilities.join(", ")}\n`);
     }
 }
+function printWebhook(hook) {
+    process.stdout.write(`Webhook: ${hook.id}\n`);
+    process.stdout.write(`Nome: ${hook.name}\n`);
+    process.stdout.write(`URL: ${hook.targetUrl}\n`);
+    process.stdout.write(`Enabled: ${hook.enabled ? "true" : "false"}\n`);
+    process.stdout.write(`Secret: ${hook.secretPreview}\n`);
+    process.stdout.write(`Eventos: ${hook.events.join(", ")}\n`);
+    if (hook.lastDeliveryStatus) {
+        process.stdout.write(`Última entrega: ${hook.lastDeliveryStatus}${hook.lastDeliveryAt ? ` em ${hook.lastDeliveryAt}` : ""}\n`);
+    }
+    if (hook.lastError) {
+        process.stdout.write(`Erro: ${hook.lastError}\n`);
+    }
+}
 function resolvePolicyConditions(parsed) {
     const archetypes = getStringListOption(parsed, "archetypes");
     const requiredCapabilities = getStringListOption(parsed, "required-capabilities");
@@ -155,6 +169,54 @@ async function runWorkspacePolicyCommand(args) {
     }
     throw new ValidationError("Subcomando de workspace policy não suportado.");
 }
+async function runWorkspaceWebhookCommand(args) {
+    const parsed = parseArgs(args);
+    const [subcommand] = parsed.positionals.slice(1);
+    const { session, apiClient, workspace } = await resolveWorkspaceApiContext();
+    if (!subcommand || subcommand === "list") {
+        const hooks = await apiClient.listWorkspaceWebhooks(session.accessToken, workspace);
+        if (printJsonIfRequested(parsed, hooks)) {
+            return 0;
+        }
+        if (hooks.length === 0) {
+            process.stdout.write("VectorPlane: nenhum webhook encontrado.\n");
+            return 0;
+        }
+        for (const hook of hooks) {
+            process.stdout.write(`${hook.id} | ${hook.enabled ? "enabled" : "disabled"} | ${hook.name} | ${hook.targetUrl}\n`);
+        }
+        return 0;
+    }
+    if (subcommand === "create") {
+        const name = getStringOption(parsed, "name")?.trim();
+        const targetUrl = getStringOption(parsed, "url")?.trim();
+        const secret = getStringOption(parsed, "secret")?.trim();
+        const events = getStringListOption(parsed, "events");
+        if (!name || !targetUrl || !secret || events.length === 0) {
+            throw new ValidationError("Informe `--name`, `--url`, `--secret` e `--events`.");
+        }
+        const hook = await apiClient.createWorkspaceWebhook(session.accessToken, workspace, {
+            name,
+            targetUrl,
+            secret,
+            events,
+            enabled: parsed.options.enabled === undefined ? true : getBooleanOption(parsed, "enabled"),
+        });
+        if (!printJsonIfRequested(parsed, hook)) {
+            printWebhook(hook);
+        }
+        return 0;
+    }
+    if (subcommand === "delete") {
+        const webhookId = requirePositional(parsed, 2, "Informe o identificador do webhook.");
+        const result = await apiClient.deleteWorkspaceWebhook(session.accessToken, workspace, webhookId);
+        if (!printJsonIfRequested(parsed, result)) {
+            process.stdout.write(`Webhook removido: ${result.webhookId}\n`);
+        }
+        return 0;
+    }
+    throw new ValidationError("Subcomando de workspace webhook não suportado.");
+}
 export async function runWorkspaceCommand(args) {
     const parsed = parseArgs(args);
     const [subcommand] = parsed.positionals;
@@ -214,6 +276,9 @@ export async function runWorkspaceCommand(args) {
     if (subcommand === "policy") {
         return runWorkspacePolicyCommand(args);
     }
+    if (subcommand === "webhook") {
+        return runWorkspaceWebhookCommand(args);
+    }
     throw new ValidationError("Subcomando de workspace não suportado.");
 }
 //# sourceMappingURL=workspace.js.map

package/dist/core/api.d.ts

@@ -1,6 +1,6 @@
 import type { Logger } from "./logger.js";
 import type { CurrentUserResponse, AuthCodeExchangeRequest, AuthTokenExchangeResponse, CreateLoginAttemptRequest, CreateLoginAttemptResponse, LoginAttemptStatusResponse, RefreshTokenRequest } from "../types/auth.js";
-import type { AgentCheckoutRequest, AgentHeartbeatRequest, AgentSessionRequest, AgentSessionResponse, EventRequest, MemoryDraftCreateRequest, MemoryDraftRecord, MemoryDraftStatus, MemorySearchRecord, ClaimableTaskStepRecord, ClaimedTaskStepResponse, TaskCreateRequest, TaskHandoffRecord, TaskObservabilityRecord, TaskRecord, ResolveWorkspaceRequest, ResolveWorkspaceResponse, SyncRequest, SyncResponse, WorkspaceAgentSetup, WorkspacePolicyRuleRecord, AgentRegistryRecord, TaskTemplateRecord } from "../types/api.js";
+import type { AgentCheckoutRequest, AgentHeartbeatRequest, AgentSessionRequest, AgentSessionResponse, EventRequest, MemoryDraftCreateRequest, MemoryDraftRecord, MemoryDraftStatus, MemorySearchRecord, ClaimableTaskStepRecord, ClaimedTaskStepResponse, TaskCreateRequest, TaskHandoffRecord, TaskObservabilityRecord, TaskRecord, ResolveWorkspaceRequest, ResolveWorkspaceResponse, SyncRequest, SyncResponse, WorkspaceAgentSetup, WorkspaceSnapshotDiffRecord, WorkspacePolicyRuleRecord, WorkspaceWebhookRecord, AgentRegistryRecord, TaskTemplateRecord, WorkspaceStreamEventRecord } from "../types/api.js";
 export declare class VectorPlaneApiClient {
     private readonly apiBaseUrl;
     private readonly timeoutMs;
@@ -20,6 +20,10 @@ export declare class VectorPlaneApiClient {
     resolveWorkspaceByRepo(accessToken: string, payload: ResolveWorkspaceRequest): Promise<ResolveWorkspaceResponse>;
     getWorkspaceContext(accessToken: string, workspaceId: string): Promise<Record<string, unknown>>;
     getWorkspaceSnapshot(accessToken: string, workspaceId: string): Promise<Record<string, unknown>>;
+    getWorkspaceSnapshotDiff(accessToken: string, workspaceId: string, params: {
+        from?: string;
+        to?: string;
+    }): Promise<WorkspaceSnapshotDiffRecord>;
     getWorkspaceDeliveryContext(accessToken: string, workspaceId: string): Promise<Record<string, unknown>>;
     getWorkspaceDeliveryContextSemantic(accessToken: string, workspaceId: string, params: {
         query: string;
@@ -49,6 +53,18 @@ export declare class VectorPlaneApiClient {
         approvalRole?: string | null;
         enabled?: boolean;
     }): Promise<WorkspacePolicyRuleRecord>;
+    listWorkspaceWebhooks(accessToken: string, workspaceRef: string): Promise<WorkspaceWebhookRecord[]>;
+    createWorkspaceWebhook(accessToken: string, workspaceRef: string, payload: {
+        name: string;
+        targetUrl: string;
+        secret: string;
+        events: WorkspaceWebhookRecord["events"];
+        enabled?: boolean;
+    }): Promise<WorkspaceWebhookRecord>;
+    deleteWorkspaceWebhook(accessToken: string, workspaceRef: string, webhookId: string): Promise<{
+        deleted: boolean;
+        webhookId: string;
+    }>;
     listMemoryDrafts(accessToken: string, workspaceRef: string, status?: MemoryDraftStatus): Promise<MemoryDraftRecord[]>;
     createMemoryDraft(accessToken: string, workspaceRef: string, payload: MemoryDraftCreateRequest): Promise<MemoryDraftRecord>;
     searchWorkspaceMemory(accessToken: string, workspaceRef: string, params: {
@@ -119,4 +135,10 @@ export declare class VectorPlaneApiClient {
     checkOutAgent(accessToken: string, payload: AgentCheckoutRequest): Promise<AgentSessionResponse>;
     getHealth(): Promise<Record<string, unknown>>;
     getReady(): Promise<Record<string, unknown>>;
+    streamWorkspaceEvents(accessToken: string, workspaceRef: string, params: {
+        taskId?: string;
+        types?: string[];
+        signal?: AbortSignal;
+        onEvent: (event: WorkspaceStreamEventRecord) => void;
+    }): Promise<void>;
 }