@wlfi-agent/cli 1.4.13 → 1.4.14

package/src/lib/agent-auth-clear.js

@@ -0,0 +1 @@
+export * from './agent-auth-clear.ts';

package/src/lib/agent-auth-clear.ts

@@ -0,0 +1,58 @@
+import {
+  deleteConfigKey,
+  redactConfig,
+  readConfig,
+  type WlfiConfig
+} from '../../packages/config/src/index.js';
+import {
+  AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE,
+  assertValidAgentKeyId,
+  deleteAgentAuthTokenFromKeychain
+} from './keychain.js';
+
+export interface ClearAgentAuthTokenResult {
+  agentKeyId: string;
+  keychain: {
+    removed: boolean;
+    service: string | null;
+  };
+  config: Record<string, unknown>;
+}
+
+interface ClearAgentAuthTokenDeps {
+  platform?: NodeJS.Platform;
+  deleteAgentAuthToken?: (agentKeyId: string) => boolean;
+  readConfig?: () => WlfiConfig;
+  deleteConfigKey?: (key: keyof WlfiConfig) => WlfiConfig;
+}
+
+export function clearAgentAuthToken(
+  agentKeyId: string,
+  deps: ClearAgentAuthTokenDeps = {}
+): ClearAgentAuthTokenResult {
+  const platform = deps.platform ?? process.platform;
+  const normalizedAgentKeyId = assertValidAgentKeyId(agentKeyId);
+  const removeAgentAuthToken = deps.deleteAgentAuthToken ?? deleteAgentAuthTokenFromKeychain;
+  const loadConfig = deps.readConfig ?? readConfig;
+  const clearConfigKey = deps.deleteConfigKey ?? deleteConfigKey;
+
+  const existing = loadConfig();
+  const removed = removeAgentAuthToken(normalizedAgentKeyId);
+
+  let updated = existing;
+  if (existing.agentKeyId === normalizedAgentKeyId) {
+    updated = clearConfigKey('agentKeyId');
+  }
+  if (updated.agentAuthToken !== undefined) {
+    updated = clearConfigKey('agentAuthToken');
+  }
+
+  return {
+    agentKeyId: normalizedAgentKeyId,
+    keychain: {
+      removed,
+      service: platform === 'darwin' ? AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE : null
+    },
+    config: redactConfig(updated)
+  };
+}

package/src/lib/agent-auth-forwarding.js

@@ -0,0 +1 @@
+export * from './agent-auth-forwarding.ts';

package/src/lib/agent-auth-forwarding.ts

@@ -0,0 +1,149 @@
+import {
+  MAX_AGENT_AUTH_TOKEN_BYTES,
+  assertValidAgentAuthToken
+} from './agent-auth-token.js';
+
+export interface AgentAuthRelayOptions {
+  env?: NodeJS.ProcessEnv;
+  readFromStdin?: (label: string) => Promise<string>;
+}
+
+export interface PreparedAgentAuthRelay {
+  args: string[];
+  stdin?: string;
+  scrubSensitiveEnv: boolean;
+}
+
+const HELP_FLAGS = new Set(['-h', '--help', '-V', '--version']);
+
+function forwardedArgsPrefix(args: string[]): string[] {
+  const terminatorIndex = args.indexOf('--');
+  return terminatorIndex >= 0 ? args.slice(0, terminatorIndex) : args;
+}
+
+function skipEnvRelayForArgs(args: string[]): boolean {
+  const forwarded = forwardedArgsPrefix(args);
+  return forwarded[0] === 'help' || forwarded.some((arg) => HELP_FLAGS.has(arg));
+}
+
+function resolveInlineAgentAuthTokenArg(args: string[]): {
+  index: number;
+  value: string;
+} | null {
+  let match: { index: number; value: string } | null = null;
+
+  for (let index = 0; index < forwardedArgsPrefix(args).length; index += 1) {
+    const current = args[index];
+    let nextMatch: { index: number; value: string } | null = null;
+
+    if (current === '--agent-auth-token') {
+      const value = args[index + 1];
+      if (value === undefined) {
+        throw new Error('--agent-auth-token requires a value');
+      }
+      nextMatch = { index, value };
+      index += 1;
+    } else if (current.startsWith('--agent-auth-token=')) {
+      nextMatch = {
+        index,
+        value: current.slice('--agent-auth-token='.length)
+      };
+    }
+
+    if (nextMatch) {
+      if (match) {
+        throw new Error('--agent-auth-token may only be provided once');
+      }
+      match = nextMatch;
+    }
+  }
+
+  return match;
+}
+
+function countAgentAuthTokenStdinFlags(args: string[]): number {
+  let matches = 0;
+
+  for (const current of forwardedArgsPrefix(args)) {
+    if (current === '--agent-auth-token-stdin') {
+      matches += 1;
+    }
+  }
+
+  return matches;
+}
+
+function validateSecret(secret: string, label: string): string {
+  return assertValidAgentAuthToken(secret, label);
+}
+
+function withTrailingNewline(secret: string): string {
+  return `${secret}\n`;
+}
+
+async function readTrimmedSecretFromProcessStdin(label: string): Promise<string> {
+  process.stdin.setEncoding('utf8');
+  let raw = '';
+  for await (const chunk of process.stdin) {
+    raw += chunk;
+    if (Buffer.byteLength(raw, 'utf8') > MAX_AGENT_AUTH_TOKEN_BYTES) {
+      throw new Error(`${label} must not exceed ${MAX_AGENT_AUTH_TOKEN_BYTES} bytes`);
+    }
+  }
+
+  return validateSecret(raw, label);
+}
+
+export async function prepareAgentAuthRelay(
+  args: string[],
+  options: AgentAuthRelayOptions = {}
+): Promise<PreparedAgentAuthRelay> {
+  const env = options.env ?? process.env;
+  const readFromStdin = options.readFromStdin ?? readTrimmedSecretFromProcessStdin;
+  const inlineArg = resolveInlineAgentAuthTokenArg(args);
+  const stdinFlagCount = countAgentAuthTokenStdinFlags(args);
+  const usesStdinFlag = stdinFlagCount > 0;
+
+  if (stdinFlagCount > 1) {
+    throw new Error('--agent-auth-token-stdin may only be provided once');
+  }
+
+  if (inlineArg && usesStdinFlag) {
+    throw new Error('--agent-auth-token conflicts with --agent-auth-token-stdin');
+  }
+
+  if (inlineArg) {
+    validateSecret(inlineArg.value, 'agentAuthToken');
+    throw new Error(
+      '--agent-auth-token is disabled for security; use --agent-auth-token-stdin or macOS Keychain-backed `wlfi-agent` commands'
+    );
+  }
+
+  if (usesStdinFlag) {
+    return {
+      args: [...args],
+      stdin: withTrailingNewline(validateSecret(await readFromStdin('agentAuthToken'), 'agentAuthToken')),
+      scrubSensitiveEnv: true
+    };
+  }
+
+  if (Object.prototype.hasOwnProperty.call(env, 'WLFI_AGENT_AUTH_TOKEN')) {
+    if (skipEnvRelayForArgs(args)) {
+      return {
+        args: [...args],
+        scrubSensitiveEnv: true
+      };
+    }
+
+    return {
+      args: ['--agent-auth-token-stdin', ...args],
+      stdin: withTrailingNewline(validateSecret(env.WLFI_AGENT_AUTH_TOKEN ?? '', 'agentAuthToken')),
+      scrubSensitiveEnv: true
+    };
+  }
+
+  return {
+    args: [...args],
+    scrubSensitiveEnv: true
+  };
+}

package/src/lib/agent-auth-migrate.js

@@ -0,0 +1 @@
+export * from './agent-auth-migrate.ts';

package/src/lib/agent-auth-migrate.ts

@@ -0,0 +1,150 @@
+import {
+  deleteConfigKey,
+  readConfig,
+  redactConfig,
+  writeConfig,
+  type WlfiConfig
+} from '../../packages/config/src/index.js';
+import {
+  AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE,
+  assertValidAgentKeyId,
+  readAgentAuthTokenFromKeychain,
+  storeAgentAuthTokenInKeychain
+} from './keychain.js';
+
+export interface MigrateLegacyAgentAuthInput {
+  agentKeyId?: string;
+  overwriteKeychain?: boolean;
+}
+
+export interface MigrateLegacyAgentAuthResult {
+  agentKeyId: string;
+  source: 'config';
+  keychain: {
+    service: string;
+    stored: boolean;
+    overwritten: boolean;
+    alreadyPresent: boolean;
+    matchedExisting: boolean;
+  };
+  config: Record<string, unknown>;
+}
+
+interface MigrateLegacyAgentAuthDeps {
+  platform?: NodeJS.Platform;
+  readConfig?: () => WlfiConfig;
+  writeConfig?: (nextConfig: WlfiConfig) => WlfiConfig;
+  deleteConfigKey?: (key: keyof WlfiConfig) => WlfiConfig;
+  readAgentAuthToken?: (agentKeyId: string) => string | null;
+  storeAgentAuthToken?: (agentKeyId: string, token: string) => void;
+}
+
+function presentSecret(value: string | undefined): string | null {
+  if (typeof value !== 'string') {
+    return null;
+  }
+
+  return value.trim().length > 0 ? value : null;
+}
+
+function resolveConfiguredAgentKeyId(
+  config: WlfiConfig,
+  explicitAgentKeyId: string | undefined
+): string | undefined {
+  const configuredAgentKeyId = config.agentKeyId?.trim();
+  if (!configuredAgentKeyId) {
+    return undefined;
+  }
+
+  try {
+    return assertValidAgentKeyId(configuredAgentKeyId);
+  } catch (error) {
+    if (explicitAgentKeyId) {
+      return undefined;
+    }
+    throw new Error(
+      (error instanceof Error ? error.message : String(error)) +
+        '; pass --agent-key-id to migrate the legacy config secret explicitly'
+    );
+  }
+}
+
+export function migrateLegacyAgentAuthToken(
+  input: MigrateLegacyAgentAuthInput = {},
+  deps: MigrateLegacyAgentAuthDeps = {}
+): MigrateLegacyAgentAuthResult {
+  const platform = deps.platform ?? process.platform;
+  if (platform !== 'darwin') {
+    throw new Error('legacy agent auth migration requires macOS Keychain');
+  }
+
+  const loadConfig = deps.readConfig ?? readConfig;
+  const persistConfig = deps.writeConfig ?? writeConfig;
+  const clearConfigKey = deps.deleteConfigKey ?? deleteConfigKey;
+  const readAgentAuthToken = deps.readAgentAuthToken ?? readAgentAuthTokenFromKeychain;
+  const storeAgentAuthToken = deps.storeAgentAuthToken ?? storeAgentAuthTokenInKeychain;
+
+  const explicitAgentKeyId = input.agentKeyId ? assertValidAgentKeyId(input.agentKeyId) : undefined;
+  const config = loadConfig();
+  const configuredAgentKeyId = resolveConfiguredAgentKeyId(config, explicitAgentKeyId);
+
+  if (explicitAgentKeyId && configuredAgentKeyId && explicitAgentKeyId !== configuredAgentKeyId) {
+    throw new Error(
+      'explicit --agent-key-id does not match the configured agentKeyId; refuse to bind a legacy config secret to a different agent'
+    );
+  }
+
+  const agentKeyId = explicitAgentKeyId ?? configuredAgentKeyId;
+  if (!agentKeyId) {
+    throw new Error('agentKeyId is required; pass --agent-key-id or configure agentKeyId first');
+  }
+
+  const legacyToken = presentSecret(config.agentAuthToken);
+  if (!legacyToken) {
+    throw new Error('config.json does not contain a legacy agentAuthToken to migrate');
+  }
+
+  const existingKeychainToken = readAgentAuthToken(agentKeyId);
+  const alreadyPresent = existingKeychainToken !== null;
+  let matchedExisting = false;
+  let stored = false;
+  let overwritten = false;
+
+  if (existingKeychainToken === null) {
+    storeAgentAuthToken(agentKeyId, legacyToken);
+    stored = true;
+  } else if (existingKeychainToken === legacyToken) {
+    matchedExisting = true;
+  } else {
+    if (!input.overwriteKeychain) {
+      throw new Error(
+        'macOS Keychain already contains a different agent auth token for this agentKeyId; rerun with --overwrite-keychain after verifying the correct credential'
+      );
+    }
+
+    storeAgentAuthToken(agentKeyId, legacyToken);
+    stored = true;
+    overwritten = true;
+  }
+
+  let updatedConfig = config;
+  if (configuredAgentKeyId !== agentKeyId) {
+    updatedConfig = persistConfig({ agentKeyId });
+  }
+  if (updatedConfig.agentAuthToken !== undefined) {
+    updatedConfig = clearConfigKey('agentAuthToken');
+  }
+
+  return {
+    agentKeyId,
+    source: 'config',
+    keychain: {
+      service: AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE,
+      stored,
+      overwritten,
+      alreadyPresent,
+      matchedExisting
+    },
+    config: redactConfig(updatedConfig)
+  };
+}

package/src/lib/agent-auth-revoke.ts

@@ -0,0 +1,103 @@
+import {
+  deleteConfigKey,
+  redactConfig,
+  readConfig,
+  type WlfiConfig,
+  writeConfig
+} from '../../packages/config/src/index.js';
+import {
+  AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE,
+  assertValidAgentKeyId,
+  deleteAgentAuthTokenFromKeychain
+} from './keychain.js';
+
+export interface RevokeAgentKeyAdminArgsInput {
+  agentKeyId: string;
+  vaultPassword?: string;
+  vaultPasswordStdin?: boolean;
+  nonInteractive?: boolean;
+  daemonSocket?: string;
+}
+
+export interface RevokeAgentKeyAdminOutput {
+  agent_key_id: string;
+  revoked: boolean;
+}
+
+export interface CompleteAgentKeyRevocationResult {
+  agentKeyId: string;
+  revoked: true;
+  keychain: {
+    removed: boolean;
+    service: string | null;
+  };
+  config: Record<string, unknown>;
+}
+
+interface CompleteAgentKeyRevocationDeps {
+  platform?: NodeJS.Platform;
+  deleteAgentAuthToken?: (agentKeyId: string) => boolean;
+  readConfig?: () => WlfiConfig;
+  writeConfig?: (nextConfig: WlfiConfig) => WlfiConfig;
+  deleteConfigKey?: (key: keyof WlfiConfig) => WlfiConfig;
+}
+
+export function buildRevokeAgentKeyAdminArgs(input: RevokeAgentKeyAdminArgsInput): string[] {
+  const args = ['--json', '--quiet'];
+
+  if (input.vaultPassword) {
+    throw new Error(
+      'insecure vaultPassword is disabled; use vaultPasswordStdin or an interactive prompt'
+    );
+  }
+  if (input.vaultPasswordStdin) {
+    args.push('--vault-password-stdin');
+  }
+  if (input.nonInteractive) {
+    args.push('--non-interactive');
+  }
+  if (input.daemonSocket) {
+    args.push('--daemon-socket', input.daemonSocket);
+  }
+
+  args.push('revoke-agent-key', '--agent-key-id', assertValidAgentKeyId(input.agentKeyId));
+
+  return args;
+}
+
+export function completeAgentKeyRevocation(
+  output: RevokeAgentKeyAdminOutput,
+  deps: CompleteAgentKeyRevocationDeps = {}
+): CompleteAgentKeyRevocationResult {
+  const platform = deps.platform ?? process.platform;
+  const agentKeyId = assertValidAgentKeyId(output.agent_key_id);
+  if (!output.revoked) {
+    throw new Error('revoke-agent-key did not confirm revocation');
+  }
+
+  const removeAgentAuthToken = deps.deleteAgentAuthToken ?? deleteAgentAuthTokenFromKeychain;
+  const loadConfig = deps.readConfig ?? readConfig;
+  const persistConfig = deps.writeConfig ?? writeConfig;
+  const clearLegacyConfigKey = deps.deleteConfigKey ?? deleteConfigKey;
+
+  const existing = loadConfig();
+  const removed = removeAgentAuthToken(agentKeyId);
+
+  let updated = existing;
+  if (existing.agentKeyId === agentKeyId) {
+    updated = persistConfig({ agentKeyId: undefined });
+    if (updated.agentAuthToken !== undefined) {
+      updated = clearLegacyConfigKey('agentAuthToken');
+    }
+  }
+
+  return {
+    agentKeyId,
+    revoked: true,
+    keychain: {
+      removed,
+      service: platform === 'darwin' ? AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE : null
+    },
+    config: redactConfig(updated)
+  };
+}

package/src/lib/agent-auth-rotate.ts

@@ -0,0 +1,107 @@
+import {
+  deleteConfigKey,
+  redactConfig,
+  readConfig,
+  type WlfiConfig,
+  writeConfig
+} from '../../packages/config/src/index.js';
+import {
+  AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE,
+  assertValidAgentKeyId,
+  storeAgentAuthTokenInKeychain
+} from './keychain.js';
+
+export interface RotateAgentAuthTokenAdminArgsInput {
+  agentKeyId: string;
+  vaultPassword?: string;
+  vaultPasswordStdin?: boolean;
+  nonInteractive?: boolean;
+  daemonSocket?: string;
+}
+
+export interface RotateAgentAuthTokenAdminOutput {
+  agent_key_id: string;
+  agent_auth_token: string;
+  agent_auth_token_redacted: boolean;
+}
+
+export interface CompleteAgentAuthRotationResult {
+  agentKeyId: string;
+  keychain: {
+    stored: true;
+    service: string;
+  };
+  config: Record<string, unknown>;
+}
+
+interface CompleteAgentAuthRotationDeps {
+  storeAgentAuthToken?: (agentKeyId: string, token: string) => void;
+  readConfig?: () => WlfiConfig;
+  writeConfig?: (nextConfig: WlfiConfig) => WlfiConfig;
+  deleteConfigKey?: (key: keyof WlfiConfig) => WlfiConfig;
+}
+
+export function buildRotateAgentAuthTokenAdminArgs(
+  input: RotateAgentAuthTokenAdminArgsInput
+): string[] {
+  const args = ['--json', '--quiet'];
+
+  if (input.vaultPassword) {
+    throw new Error(
+      'insecure vaultPassword is disabled; use vaultPasswordStdin or an interactive prompt'
+    );
+  }
+  if (input.vaultPasswordStdin) {
+    args.push('--vault-password-stdin');
+  }
+  if (input.nonInteractive) {
+    args.push('--non-interactive');
+  }
+  if (input.daemonSocket) {
+    args.push('--daemon-socket', input.daemonSocket);
+  }
+
+  args.push(
+    'rotate-agent-auth-token',
+    '--agent-key-id',
+    assertValidAgentKeyId(input.agentKeyId),
+    '--print-agent-auth-token'
+  );
+
+  return args;
+}
+
+export function completeAgentAuthRotation(
+  output: RotateAgentAuthTokenAdminOutput,
+  deps: CompleteAgentAuthRotationDeps = {}
+): CompleteAgentAuthRotationResult {
+  const agentKeyId = assertValidAgentKeyId(output.agent_key_id);
+  if (output.agent_auth_token_redacted) {
+    throw new Error('rotate-agent-auth-token returned a redacted agent auth token');
+  }
+  if (!output.agent_auth_token?.trim()) {
+    throw new Error('rotate-agent-auth-token returned an empty agent auth token');
+  }
+
+  const storeAgentAuthToken = deps.storeAgentAuthToken ?? storeAgentAuthTokenInKeychain;
+  const loadConfig = deps.readConfig ?? readConfig;
+  const persistConfig = deps.writeConfig ?? writeConfig;
+  const clearLegacyConfigKey = deps.deleteConfigKey ?? deleteConfigKey;
+
+  loadConfig();
+  storeAgentAuthToken(agentKeyId, output.agent_auth_token);
+
+  let updated = persistConfig({ agentKeyId });
+  if (updated.agentAuthToken !== undefined) {
+    updated = clearLegacyConfigKey('agentAuthToken');
+  }
+
+  return {
+    agentKeyId,
+    keychain: {
+      stored: true,
+      service: AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE
+    },
+    config: redactConfig(updated)
+  };
+}

package/src/lib/agent-auth-token.js

@@ -0,0 +1 @@
+export * from './agent-auth-token.ts';

package/src/lib/agent-auth-token.ts

@@ -0,0 +1,25 @@
+export const MAX_AGENT_AUTH_TOKEN_BYTES = 16 * 1024;
+
+export function assertValidAgentAuthToken(token: string, label = 'agentAuthToken'): string {
+  if (Buffer.byteLength(token, 'utf8') > MAX_AGENT_AUTH_TOKEN_BYTES) {
+    throw new Error(`${label} must not exceed ${MAX_AGENT_AUTH_TOKEN_BYTES} bytes`);
+  }
+
+  const normalized = token.replace(/[\r\n]+$/u, '');
+  if (!normalized.trim()) {
+    throw new Error(`${label} is required`);
+  }
+
+  return normalized;
+}
+
+export function resolveOptionalAgentAuthToken(
+  token: string | null | undefined,
+  label = 'agentAuthToken'
+): string | null {
+  if (token === null || token === undefined) {
+    return null;
+  }
+
+  return assertValidAgentAuthToken(token, label);
+}

package/src/lib/agent-auth.ts

@@ -0,0 +1,89 @@
+import { resolveOptionalAgentAuthToken } from './agent-auth-token.js';
+
+export type AgentAuthTokenSource = 'stdin' | 'argv' | 'keychain' | 'config' | 'env';
+
+export interface ResolveAgentAuthTokenInput {
+  agentKeyId?: string;
+  cliToken?: string;
+  cliTokenStdin?: boolean;
+  keychainToken?: string | null;
+  configToken?: string;
+  envToken?: string;
+  allowLegacySource?: boolean;
+  readFromStdin: (label: string) => Promise<string>;
+}
+
+export interface ResolvedAgentAuthToken {
+  token: string;
+  source: AgentAuthTokenSource;
+}
+
+function migrationHint(agentKeyId?: string): string {
+  const keyPart = agentKeyId ? agentKeyId : '<uuid>';
+  return (
+    'migrate it with `wlfi-agent config agent-auth set --agent-key-id ' +
+    keyPart +
+    ' --agent-auth-token-stdin`'
+  );
+}
+
+export async function resolveAgentAuthToken(
+  input: ResolveAgentAuthTokenInput,
+): Promise<ResolvedAgentAuthToken> {
+  if (input.cliToken && input.cliTokenStdin) {
+    throw new Error('--agent-auth-token conflicts with --agent-auth-token-stdin');
+  }
+
+  if (input.cliTokenStdin) {
+    return {
+      token: resolveOptionalAgentAuthToken(
+        await input.readFromStdin('agentAuthToken'),
+        'agentAuthToken',
+      ) as string,
+      source: 'stdin',
+    };
+  }
+
+  const cliToken = resolveOptionalAgentAuthToken(input.cliToken, 'agentAuthToken');
+  if (cliToken) {
+    if (!input.allowLegacySource) {
+      throw new Error(
+        '--agent-auth-token is disabled by default for security; use macOS Keychain or --agent-auth-token-stdin, ' +
+          migrationHint(input.agentKeyId) +
+          ', or pass --allow-legacy-agent-auth-source',
+      );
+    }
+    return { token: cliToken, source: 'argv' };
+  }
+
+  const keychainToken = resolveOptionalAgentAuthToken(input.keychainToken, 'agentAuthToken');
+  if (keychainToken) {
+    return { token: keychainToken, source: 'keychain' };
+  }
+
+  const configToken = resolveOptionalAgentAuthToken(input.configToken, 'agentAuthToken');
+  if (configToken) {
+    if (!input.allowLegacySource) {
+      throw new Error(
+        'agentAuthToken from config.json is disabled by default for security; use macOS Keychain or --agent-auth-token-stdin, ' +
+          migrationHint(input.agentKeyId) +
+          ', or pass --allow-legacy-agent-auth-source',
+      );
+    }
+    return { token: configToken, source: 'config' };
+  }
+
+  const envToken = resolveOptionalAgentAuthToken(input.envToken, 'agentAuthToken');
+  if (envToken) {
+    if (!input.allowLegacySource) {
+      throw new Error(
+        'WLFI_AGENT_AUTH_TOKEN is disabled by default for security; use macOS Keychain or --agent-auth-token-stdin, ' +
+          migrationHint(input.agentKeyId) +
+          ', or pass --allow-legacy-agent-auth-source',
+      );
+    }
+    return { token: envToken, source: 'env' };
+  }
+
+  throw new Error('agentAuthToken is required; use macOS Keychain or --agent-auth-token-stdin');
+}

package/src/lib/asset-broadcast.js

@@ -0,0 +1 @@
+export * from './asset-broadcast.ts';