@xapps-platform/cli 0.1.1

package/dist/cli.cjs

@@ -0,0 +1,4806 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/cli.ts
+var cli_exports = {};
+__export(cli_exports, {
+  CliError: () => CliError,
+  runCli: () => runCli
+});
+module.exports = __toCommonJS(cli_exports);
+var import_node_fs7 = __toESM(require("node:fs"), 1);
+var import_node_crypto2 = require("node:crypto");
+var import_node_http2 = __toESM(require("node:http"), 1);
+var import_node_os = __toESM(require("node:os"), 1);
+var import_node_path7 = __toESM(require("node:path"), 1);
+var import_promises2 = __toESM(require("node:readline/promises"), 1);
+var import_server_sdk3 = require("@xapps-platform/server-sdk");
+
+// src/devStatus.ts
+var import_node_fs = __toESM(require("node:fs"), 1);
+var import_node_path = __toESM(require("node:path"), 1);
+function buildDevRefs(repoRoot) {
+  const refs = [
+    ["pm_readme", "dev/engineering/pm/README.md"],
+    ["open_points", "dev/engineering/pm/OPEN_POINTS.md"],
+    ["open_list", "dev/engineering/pm/OPEN_LIST.md"],
+    ["open_list_v2", "dev/engineering/pm/OPEN_LIST_V2.md"],
+    ["sprint_plan", "dev/engineering/pm/SPRINT_PLAN.md"],
+    ["next_steps", "dev/engineering/pm/NEXT_STEPS.md"],
+    ["done_points", "dev/engineering/pm/DONE_POINTS.md"],
+    ["v1_review_audit", "dev/engineering/audits/V1_PRODUCTION_CODEBASE_REVIEW.md"],
+    ["open067_phase1_plan", "dev/engineering/audits/OPEN_067_PHASE1_INTERNAL_REPO_PLAN.md"],
+    ["sdk_cli_ai_checklist", "dev/engineering/checklists/SDK_CLI_AI_CHECKLIST.md"]
+  ];
+  return refs.map(([key, rel]) => ({
+    key,
+    path: rel,
+    exists: import_node_fs.default.existsSync(import_node_path.default.join(repoRoot, rel))
+  }));
+}
+function runDevStatusRefsCommand(args, deps) {
+  const repoRoot = deps.findRepoRoot();
+  if (!repoRoot) {
+    throw deps.makeCliError(
+      "CLI_REPO_NOT_FOUND",
+      "xapps dev status refs is repo-only and requires the xapps monorepo checkout"
+    );
+  }
+  const refs = buildDevRefs(repoRoot);
+  const sampleXplace = {
+    publisher: {
+      server: "apps/publishers/xplace/backend/server.js",
+      readme: "apps/publishers/xplace/backend/README.md"
+    },
+    xapp: {
+      manifest: "apps/publishers/xplace/xapps/xplace-certs/manifest.json",
+      ai_policy: "apps/publishers/xplace/xapps/xplace-certs/ai/policy.readonly.internal-v1.json"
+    }
+  };
+  const sampleStatus = {
+    xplace_certs: {
+      publisher: Object.fromEntries(
+        Object.entries(sampleXplace.publisher).map(([key, rel]) => [
+          key,
+          { path: rel, exists: import_node_fs.default.existsSync(import_node_path.default.join(repoRoot, rel)) }
+        ])
+      ),
+      xapp: Object.fromEntries(
+        Object.entries(sampleXplace.xapp).map(([key, rel]) => [
+          key,
+          { path: rel, exists: import_node_fs.default.existsSync(import_node_path.default.join(repoRoot, rel)) }
+        ])
+      ),
+      defaults: {
+        publisher_base_url: "http://localhost:3012",
+        gateway_base_url: "http://localhost:3000"
+      }
+    }
+  };
+  const payload = {
+    schema_version: "xapps.dev.status.refs.v1",
+    ok: refs.every((ref) => ref.exists),
+    repo_root: repoRoot,
+    refs,
+    samples: sampleStatus
+  };
+  if (deps.argFlag(args, "json")) {
+    console.log(JSON.stringify(payload, null, 2));
+    return;
+  }
+  console.log(
+    [
+      `Repo root: ${repoRoot}`,
+      ...refs.map((ref) => `${ref.exists ? "OK" : "MISS"}  ${ref.key} -> ${ref.path}`),
+      "Sample refs:",
+      ...Object.entries(sampleStatus.xplace_certs.publisher).map(
+        ([key, item]) => `${item.exists ? "OK" : "MISS"}  xplace.publisher.${key} -> ${item.path}`
+      ),
+      ...Object.entries(sampleStatus.xplace_certs.xapp).map(
+        ([key, item]) => `${item.exists ? "OK" : "MISS"}  xplace.xapp.${key} -> ${item.path}`
+      )
+    ].join("\n")
+  );
+}
+function runDevCheckV1Command(args, deps) {
+  const repoRoot = deps.findRepoRoot();
+  if (!repoRoot) {
+    throw deps.makeCliError(
+      "CLI_REPO_NOT_FOUND",
+      "xapps dev check v1 is repo-only and requires the xapps monorepo checkout"
+    );
+  }
+  const refs = buildDevRefs(repoRoot);
+  const mustRead = (relPath) => import_node_fs.default.readFileSync(import_node_path.default.join(repoRoot, relPath), "utf8");
+  const openList = mustRead("dev/engineering/pm/OPEN_LIST.md");
+  const sprintPlan = mustRead("dev/engineering/pm/SPRINT_PLAN.md");
+  const checks = [
+    {
+      key: "refs_exist",
+      ok: refs.every((ref) => ref.exists),
+      details: { missing: refs.filter((ref) => !ref.exists).map((ref) => ref.path) }
+    },
+    {
+      key: "v1_list_has_must_have_section",
+      ok: /Must Have for First Publisher \/ xplace/i.test(openList),
+      details: {}
+    },
+    {
+      key: "sprint_plan_has_scope_rules",
+      ok: /Scope Proposal Discipline Rule/i.test(sprintPlan) && /Documentation Scope Rule/i.test(sprintPlan),
+      details: {}
+    },
+    {
+      key: "pm_readme_exists",
+      ok: import_node_fs.default.existsSync(import_node_path.default.join(repoRoot, "dev/engineering/pm/README.md")),
+      details: {}
+    }
+  ];
+  const payload = {
+    schema_version: "xapps.dev.check.v1",
+    ok: checks.every((check) => check.ok),
+    repo_root: repoRoot,
+    checks,
+    suggested_flows: ["pay-per-request", "guard-orchestration", "xplace-certs"]
+  };
+  if (deps.argFlag(args, "json")) {
+    console.log(JSON.stringify(payload, null, 2));
+    return;
+  }
+  console.log(
+    [
+      `V1 check: ${payload.ok ? "PASS" : "FAIL"}`,
+      ...checks.map((check) => `${check.ok ? "OK" : "FAIL"}  ${check.key}`)
+    ].join("\n")
+  );
+  if (!payload.ok) {
+    throw deps.makeCliError("CLI_DEV_CHECK_FAILED", "xapps dev check v1 failed", { checks });
+  }
+}
+
+// src/contextCommands.ts
+var import_node_fs2 = __toESM(require("node:fs"), 1);
+var import_node_path2 = __toESM(require("node:path"), 1);
+var import_node_crypto = require("node:crypto");
+function isPlainObject(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function collectContextTools(manifest) {
+  return manifest.tools.map((tool) => {
+    const inputSchema = tool.input_schema && typeof tool.input_schema === "object" ? tool.input_schema : {};
+    const outputSchema = tool.output_schema && typeof tool.output_schema === "object" ? tool.output_schema : {};
+    const requiredRaw = Array.isArray(inputSchema.required) ? inputSchema.required : [];
+    const outputProps = isPlainObject(outputSchema.properties) ? Object.keys(outputSchema.properties) : [];
+    return {
+      tool_name: tool.tool_name,
+      title: tool.title || "",
+      input_required: requiredRaw.filter((item) => typeof item === "string").sort(),
+      output_properties: outputProps.sort()
+    };
+  }).sort((a, b) => a.tool_name.localeCompare(b.tool_name));
+}
+function collectContextWidgets(manifest) {
+  return manifest.widgets.map((widget) => ({
+    widget_name: widget.widget_name,
+    type: widget.type || "",
+    renderer: widget.renderer || "",
+    ...widget.bind_tool_name ? { bind_tool_name: widget.bind_tool_name } : {}
+  })).sort((a, b) => a.widget_name.localeCompare(b.widget_name));
+}
+function buildContextExportPayload(manifest, filePath, deps) {
+  const manifestJson = JSON.stringify(manifest);
+  const manifestSha256 = (0, import_node_crypto.createHash)("sha256").update(manifestJson).digest("hex");
+  const tools = collectContextTools(manifest);
+  const widgets = collectContextWidgets(manifest);
+  return {
+    schema_version: "xapps.context.v1",
+    source: {
+      manifest_path: filePath,
+      manifest_sha256: manifestSha256
+    },
+    summary: {
+      name: manifest.name,
+      slug: manifest.slug,
+      version: manifest.version,
+      tools: manifest.tools.length,
+      widgets: manifest.widgets.length
+    },
+    indexes: {
+      tools,
+      widgets
+    },
+    manifest: deps.canonicalizeJson(manifest)
+  };
+}
+function buildInternalV1ContextPreset(repoRoot, deps) {
+  return {
+    name: "internal-v1",
+    refs: deps.buildDevRefs(repoRoot),
+    anchors: {
+      specs: [
+        "docs/specifications/01-publisher-rendered-integration.md",
+        "docs/specifications/02-platform-rendered-integration.md",
+        "docs/specifications/04-guard-xapps.md",
+        "docs/specifications/10-data-sharing-graph-policy-v2.md",
+        "docs/specifications/13-ai-agent-xapp-authoring.md"
+      ],
+      audits: [
+        "dev/engineering/audits/V1_PRODUCTION_CODEBASE_REVIEW.md",
+        "dev/engineering/audits/OPEN_067_PHASE1_INTERNAL_REPO_PLAN.md"
+      ],
+      tests: [
+        "src/__tests__/xappsCli.test.ts",
+        "src/__tests__/guardBeforeToolRun.test.ts",
+        "src/__tests__/openapiErrorContract.test.ts"
+      ]
+    }
+  };
+}
+function runContextExportCommand(args, deps) {
+  const from = deps.argString(args, "from");
+  if (!from) {
+    throw new Error("Missing required argument: --from <manifest.json>");
+  }
+  const { manifest, filePath } = deps.parseManifestFromFile(from);
+  const payload = buildContextExportPayload(manifest, filePath, deps);
+  const preset = deps.argString(args, "preset");
+  if (preset) {
+    const normalized = preset.trim().toLowerCase();
+    if (normalized !== "internal-v1") {
+      throw deps.makeCliError(
+        "CLI_INVALID_OPTION",
+        `Invalid --preset: ${preset} (expected internal-v1)`,
+        {
+          label: "--preset",
+          value: preset
+        }
+      );
+    }
+    const repoRoot = deps.findRepoRoot();
+    if (!repoRoot) {
+      throw deps.makeCliError(
+        "CLI_REPO_NOT_FOUND",
+        "xapps context export --preset internal-v1 is repo-only and requires the xapps monorepo checkout"
+      );
+    }
+    payload.preset = buildInternalV1ContextPreset(repoRoot, deps);
+  }
+  const outPath = deps.argString(args, "out");
+  const rendered = `${JSON.stringify(payload, null, 2)}
+`;
+  if (outPath) {
+    const target = import_node_path2.default.resolve(process.cwd(), outPath);
+    import_node_fs2.default.mkdirSync(import_node_path2.default.dirname(target), { recursive: true });
+    import_node_fs2.default.writeFileSync(target, rendered);
+    console.log(`Context exported: ${target}`);
+    return;
+  }
+  process.stdout.write(rendered);
+}
+
+// src/commands/manifestCommands.ts
+var import_node_fs3 = __toESM(require("node:fs"), 1);
+var import_node_path3 = __toESM(require("node:path"), 1);
+var import_openapi_import = require("@xapps-platform/openapi-import");
+function buildInitManifestTemplate(input2) {
+  return {
+    name: input2.name,
+    slug: input2.slug,
+    version: input2.version,
+    target_client_id: "REPLACE_CLIENT_ID",
+    description: "Generated by xapps init",
+    tools: [
+      {
+        tool_name: "example_tool",
+        title: "Example Tool",
+        input_schema: {
+          type: "object",
+          properties: {
+            message: { type: "string" }
+          },
+          required: ["message"]
+        },
+        output_schema: {
+          type: "object",
+          properties: {
+            echoed: { type: "string" }
+          }
+        }
+      }
+    ],
+    widgets: [
+      {
+        widget_name: "example_widget",
+        type: "write",
+        renderer: "json-forms",
+        bind_tool_name: "example_tool",
+        entry: {
+          kind: "platform_template",
+          template: "write_form"
+        }
+      }
+    ]
+  };
+}
+function isPlainObject2(value) {
+  return !!value && typeof value === "object" && !Array.isArray(value);
+}
+function jsonTypeMatches(type, value) {
+  if (type === "string") return typeof value === "string";
+  if (type === "number") return typeof value === "number";
+  if (type === "integer") return typeof value === "number" && Number.isInteger(value);
+  if (type === "boolean") return typeof value === "boolean";
+  if (type === "array") return Array.isArray(value);
+  if (type === "object") return isPlainObject2(value);
+  if (type === "null") return value === null;
+  return true;
+}
+function validatePayloadAgainstSchema(schema, payload, label) {
+  if (!isPlainObject2(schema)) return [];
+  if (!isPlainObject2(payload)) {
+    return [`${label} must be a JSON object`];
+  }
+  const errors = [];
+  const required = Array.isArray(schema.required) ? schema.required : [];
+  for (const key of required) {
+    if (typeof key === "string" && !(key in payload)) {
+      errors.push(`${label} missing required field: ${key}`);
+    }
+  }
+  const properties = isPlainObject2(schema.properties) ? schema.properties : {};
+  for (const [key, propSchema] of Object.entries(properties)) {
+    if (!(key in payload)) continue;
+    if (!isPlainObject2(propSchema)) continue;
+    const expectedType = typeof propSchema.type === "string" ? propSchema.type : "";
+    if (expectedType && !jsonTypeMatches(expectedType, payload[key])) {
+      errors.push(
+        `${label}.${key} type mismatch (expected ${expectedType}, got ${Array.isArray(payload[key]) ? "array" : typeof payload[key]})`
+      );
+    }
+  }
+  return errors;
+}
+async function runImportCommand(args, deps) {
+  const from = deps.argString(args, "from");
+  const out = deps.argString(args, "out");
+  const fetchTimeoutMs = deps.parsePositiveIntOrThrow(
+    deps.argString(args, "fetch-timeout-ms"),
+    1e4,
+    "--fetch-timeout-ms"
+  );
+  if (!from || !out) {
+    throw new Error("Missing required arguments: --from and --out");
+  }
+  const openApiText = await deps.readInput(from, fetchTimeoutMs);
+  const fallbackInfo = (0, import_openapi_import.extractOpenApiInfoFromText)(openApiText);
+  const name = deps.argString(args, "name") || fallbackInfo.title || "OpenAPI Imported App";
+  const slug = deps.argString(args, "slug") || (0, import_openapi_import.slugifyManifestName)(name) || "openapi-imported-app";
+  const manifest = (0, import_openapi_import.buildManifestFromOpenApiText)(openApiText, {
+    name,
+    slug,
+    version: deps.argString(args, "version") || "1.0.0",
+    description: deps.argString(args, "description") || fallbackInfo.description,
+    endpointBaseUrl: deps.argString(args, "endpoint") || "https://api.example.com",
+    endpointEnv: deps.argString(args, "endpoint-env") || "prod"
+  });
+  const outPath = import_node_path3.default.resolve(process.cwd(), out);
+  import_node_fs3.default.mkdirSync(import_node_path3.default.dirname(outPath), { recursive: true });
+  import_node_fs3.default.writeFileSync(outPath, JSON.stringify(manifest, null, 2));
+  console.log(
+    `Manifest generated: ${outPath}
+Tools: ${manifest.tools.length}
+Widgets: ${manifest.widgets.length}`
+  );
+}
+function runValidateCommand(args, deps) {
+  const from = deps.argString(args, "from");
+  if (!from) {
+    throw new Error("Missing required argument: --from <manifest.json>");
+  }
+  const { manifest, filePath } = deps.parseManifestFromFile(from);
+  console.log(
+    `Manifest valid: ${filePath}
+Slug: ${manifest.slug}
+Tools: ${manifest.tools.length}
+Widgets: ${manifest.widgets.length}`
+  );
+}
+function runInitCommand(args, deps) {
+  const out = deps.argString(args, "out");
+  if (!out) {
+    throw new Error("Missing required argument: --out <directory>");
+  }
+  const outDir = import_node_path3.default.resolve(process.cwd(), out);
+  import_node_fs3.default.mkdirSync(outDir, { recursive: true });
+  const name = deps.argString(args, "name") || "My Xapp";
+  const slug = deps.argString(args, "slug") || (0, import_openapi_import.slugifyManifestName)(name) || "my-xapp";
+  const version = deps.argString(args, "version") || "1.0.0";
+  const force = deps.argFlag(args, "force");
+  const manifestPath = import_node_path3.default.join(outDir, "manifest.json");
+  const readmePath = import_node_path3.default.join(outDir, "README.md");
+  if (!force) {
+    for (const filePath of [manifestPath, readmePath]) {
+      if (import_node_fs3.default.existsSync(filePath)) {
+        throw new Error(`File already exists: ${filePath} (use --force to overwrite)`);
+      }
+    }
+  }
+  const manifest = buildInitManifestTemplate({ name, slug, version });
+  import_node_fs3.default.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2));
+  import_node_fs3.default.writeFileSync(
+    readmePath,
+    `# ${name}
+
+Generated by xapps init.
+
+Next steps:
+
+1. Edit manifest.json (set target_client_id to the tenant client ID)
+2. Validate: xapps validate --from manifest.json
+3. Import/OpenAPI: xapps import ...
+`
+  );
+  console.log(`Initialized xapp scaffold in: ${outDir}`);
+}
+function runTestCommand(args, deps) {
+  const from = deps.argString(args, "from");
+  const vectorsPath = deps.argString(args, "vectors");
+  if (!from || !vectorsPath) {
+    throw new Error(
+      "Missing required arguments: --from <manifest.json> and --vectors <vectors.json>"
+    );
+  }
+  const { manifest, filePath: manifestPath } = deps.parseManifestFromFile(from);
+  const vectorsRaw = deps.readJsonFile(vectorsPath);
+  if (!isPlainObject2(vectorsRaw)) {
+    throw new Error("Vector file must be a JSON object with a vectors[] field");
+  }
+  const vectorsContainer = vectorsRaw;
+  if (!Array.isArray(vectorsContainer.vectors)) {
+    throw new Error("Vector file must contain vectors[]");
+  }
+  const failures = [];
+  for (let index = 0; index < vectorsContainer.vectors.length; index += 1) {
+    const vector = vectorsContainer.vectors[index];
+    const name = typeof vector?.name === "string" ? vector.name : `vector_${index + 1}`;
+    const toolName = typeof vector?.tool_name === "string" ? vector.tool_name : "";
+    if (!toolName) {
+      failures.push(`${name}: missing tool_name`);
+      continue;
+    }
+    const tool = manifest.tools.find((item) => item.tool_name === toolName);
+    if (!tool) {
+      failures.push(`${name}: unknown tool_name '${toolName}'`);
+      continue;
+    }
+    const inputErrors = validatePayloadAgainstSchema(
+      tool.input_schema,
+      vector.input || {},
+      "input"
+    );
+    const outputErrors = validatePayloadAgainstSchema(
+      tool.output_schema,
+      vector.expected_output || {},
+      "expected_output"
+    );
+    for (const error of [...inputErrors, ...outputErrors]) {
+      failures.push(`${name}: ${error}`);
+    }
+  }
+  if (failures.length) {
+    throw new Error(
+      `Contract test failed (${failures.length} issues)
+${failures.map((f) => `- ${f}`).join("\n")}`
+    );
+  }
+  console.log(
+    `Contract test passed: ${vectorsContainer.vectors.length} vector(s)
+Manifest: ${manifestPath}
+Vectors: ${import_node_path3.default.resolve(process.cwd(), vectorsPath)}`
+  );
+}
+
+// src/commands/devCommands.ts
+var import_node_fs6 = __toESM(require("node:fs"), 1);
+var import_node_http = __toESM(require("node:http"), 1);
+var import_node_path6 = __toESM(require("node:path"), 1);
+
+// src/devFlow.ts
+function buildDevFlowInitTemplate(type) {
+  const normalized = String(type || "").trim().toLowerCase();
+  if (normalized === "ai-artifacts") {
+    return {
+      flow: "sample-ai-artifacts",
+      title: "Sample AI plan/check artifacts workflow",
+      description: "Edit paths for your app and policy. Uses {{ARTIFACTS_DIR}} for generated plan/check reports.",
+      commands: [
+        "npm run xapps -- validate --from ./manifest.json",
+        "npm run xapps -- ai plan --mode internal --from ./manifest.json --preset internal-v1 --json --out {{ARTIFACTS_DIR}}/xapps.plan.json",
+        "npm run xapps -- ai check --mode internal --plan {{ARTIFACTS_DIR}}/xapps.plan.json --policy-preset internal-readonly --json --out {{ARTIFACTS_DIR}}/xapps.check.json"
+      ],
+      refs: [
+        "./manifest.json",
+        "./ai/policy.readonly.internal-v1.json",
+        "dev/engineering/checklists/SDK_CLI_AI_CHECKLIST.md"
+      ]
+    };
+  }
+  if (normalized === "manual-loop") {
+    return {
+      flow: "sample-manual-loop",
+      title: "Sample publisher manual response loop smoke",
+      description: "Edit the smoke script path for your publisher sample/workspace. Intended for async manual-response callback loops.",
+      commands: ["node ./scripts/manual-loop-smoke.mjs"],
+      refs: ["./scripts/manual-loop-smoke.mjs", "./README.md"]
+    };
+  }
+  return null;
+}
+function parseDevFlowObject(raw, fallbackFlowId = "") {
+  const errors = [];
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    return {
+      flow: { key: "", title: "", description: "", commands: [], refs: [] },
+      errors: ["expected_object"]
+    };
+  }
+  const source = raw;
+  const key = String(source.flow || source.key || fallbackFlowId || "").trim().toLowerCase();
+  const title = String(source.title || "").trim();
+  const description = String(source.description || "").trim();
+  const commands = Array.isArray(source.commands) ? source.commands.filter((v) => typeof v === "string").map((v) => v.trim()).filter(Boolean) : [];
+  const refs = Array.isArray(source.refs) ? source.refs.filter((v) => typeof v === "string").map((v) => v.trim()).filter(Boolean) : [];
+  if (!key) errors.push("flow_id_missing");
+  if (!title) errors.push("title_missing");
+  if (!description) errors.push("description_missing");
+  if (!commands.length) errors.push("commands_missing");
+  return {
+    flow: { key, title, description, commands, refs },
+    errors
+  };
+}
+function lintDevFlowDefinition(flow) {
+  const commands = Array.isArray(flow.commands) ? flow.commands : [];
+  return [
+    {
+      key: "flow_id_present",
+      ok: typeof flow.key === "string" && flow.key.trim().length > 0,
+      details: { value: flow.key || null }
+    },
+    {
+      key: "title_present",
+      ok: typeof flow.title === "string" && flow.title.trim().length > 0,
+      details: { value: flow.title || null }
+    },
+    {
+      key: "description_present",
+      ok: typeof flow.description === "string" && flow.description.trim().length > 0,
+      details: { value: flow.description || null }
+    },
+    {
+      key: "commands_nonempty",
+      ok: commands.length > 0,
+      details: { command_count: commands.length }
+    },
+    {
+      key: "commands_prefixed",
+      ok: commands.every((cmd) => /^(npm|npx|node|pnpm|yarn|bun)\b/.test(String(cmd).trim())),
+      details: {
+        invalid_commands: commands.filter(
+          (cmd) => !/^(npm|npx|node|pnpm|yarn|bun)\b/.test(String(cmd).trim())
+        )
+      }
+    }
+  ];
+}
+
+// src/devCheckFlow.ts
+var import_node_child_process = require("node:child_process");
+var import_node_path4 = __toESM(require("node:path"), 1);
+function shellEscapeArg(value) {
+  if (/^[A-Za-z0-9_./:-]+$/.test(value)) return value;
+  return `'${String(value).replace(/'/g, `'"'"'`)}'`;
+}
+function buildBuiltInDevCheckFlows(artifactsDir) {
+  const xplacePlanPath = import_node_path4.default.join(artifactsDir, "xapps-xplace-certs.plan.json");
+  const xplaceCheckPath = import_node_path4.default.join(artifactsDir, "xapps-xplace-certs.check.json");
+  return {
+    "pay-per-request": {
+      title: "Pay-per-request baseline flow",
+      description: "Verifies guarded payment orchestration baseline across widget/guards/contracts for V1.",
+      commands: [
+        "npm test -- src/__tests__/guardBeforeToolRun.test.ts",
+        "npm test -- src/__tests__/widgetSdk.test.ts src/__tests__/extensionsLabJsonformsPayment.e2e.test.ts",
+        "npm test -- src/__tests__/openapiErrorContract.test.ts"
+      ],
+      refs: [
+        "dev/engineering/audits/V1_PRODUCTION_CODEBASE_REVIEW.md",
+        "dev/engineering/pm/OPEN_LIST.md"
+      ]
+    },
+    "guard-orchestration": {
+      title: "Guard orchestration bridge flow",
+      description: "Verifies blocked/confirm/payment orchestration bridge behavior across host/embed guard paths.",
+      commands: [
+        "npm test -- src/__tests__/guardContractParity.test.ts src/__tests__/integrationHostGuardContracts.test.ts",
+        "npm test -- src/__tests__/widgetRuntime.guardBridge.test.ts",
+        "npx playwright test e2e/extensions-guards.spec.ts --grep orchestration|guard"
+      ],
+      refs: [
+        "dev/engineering/audits/V1_PRODUCTION_CODEBASE_REVIEW.md",
+        "dev/engineering/pm/OPEN_POINTS.md"
+      ]
+    },
+    "xplace-certs": {
+      title: "xplace certs first-xapp internal workflow",
+      description: "Validates and inspects the xplace-certs JSON Forms manifest using internal-repo CLI helpers.",
+      commands: [
+        "npm run xapps -- validate --from apps/publishers/xplace/xapps/xplace-certs/manifest.json",
+        `npm run xapps -- ai plan --mode internal --from apps/publishers/xplace/xapps/xplace-certs/manifest.json --preset internal-v1 --flow xplace-certs --json --out ${shellEscapeArg(xplacePlanPath)}`,
+        `npm run xapps -- ai check --mode internal --plan ${shellEscapeArg(xplacePlanPath)} --policy apps/publishers/xplace/xapps/xplace-certs/ai/policy.readonly.internal-v1.json --json --out ${shellEscapeArg(xplaceCheckPath)}`
+      ],
+      refs: [
+        "apps/publishers/xplace/xapps/xplace-certs/manifest.json",
+        "apps/publishers/xplace/xapps/xplace-certs/ai/policy.readonly.internal-v1.json",
+        "apps/publishers/xplace/backend/server.js",
+        "dev/engineering/audits/OPEN_067_PHASE1_INTERNAL_REPO_PLAN.md"
+      ]
+    }
+  };
+}
+function executeDevCheckFlowCommands(commands, repoRoot) {
+  return commands.map((command) => {
+    const parts = String(command).trim().split(/\s+/).filter(Boolean);
+    if (!parts.length) {
+      return {
+        command,
+        ok: false,
+        exit_code: null,
+        signal: null,
+        stdout: "",
+        stderr: "",
+        error: "empty_command"
+      };
+    }
+    const result = (0, import_node_child_process.spawnSync)(parts[0], parts.slice(1), {
+      cwd: repoRoot,
+      encoding: "utf8",
+      stdio: "pipe"
+    });
+    return {
+      command,
+      ok: (result.status ?? 1) === 0 && !result.error,
+      exit_code: result.status ?? null,
+      signal: result.signal ?? null,
+      stdout: String(result.stdout || ""),
+      stderr: String(result.stderr || ""),
+      error: result.error ? String(result.error.message || result.error) : null
+    };
+  });
+}
+
+// src/aiCommands.ts
+var import_node_fs4 = __toESM(require("node:fs"), 1);
+var import_node_path5 = __toESM(require("node:path"), 1);
+var import_promises = __toESM(require("node:readline/promises"), 1);
+var import_node_process = require("node:process");
+var import_server_sdk = require("@xapps-platform/server-sdk");
+function isPlainObject3(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function parseAiMode(args, deps) {
+  const mode = String(deps.argString(args, "mode") || "internal").trim().toLowerCase();
+  if (mode !== "internal") {
+    throw deps.makeCliError(
+      "CLI_AI_MODE_UNSUPPORTED",
+      `Unsupported --mode: ${mode} (only internal is implemented in this phase)`,
+      { label: "--mode", value: mode, supported: ["internal"] }
+    );
+  }
+  return "internal";
+}
+function parsePositiveIntOptionOrThrow(value, fallback, label, deps) {
+  if (!value) return fallback;
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed) || !Number.isInteger(parsed) || parsed <= 0) {
+    throw deps.makeCliError(
+      "CLI_INVALID_OPTION",
+      `Invalid ${label}: ${value} (expected positive integer)`,
+      { label, value }
+    );
+  }
+  return parsed;
+}
+function detectPlanRendererFamilies(manifest) {
+  const found = /* @__PURE__ */ new Set();
+  for (const widget of manifest.widgets || []) {
+    const renderer = String(widget.renderer || "").trim().toLowerCase();
+    if (renderer === "publisher") {
+      found.add("publisher-rendered");
+      continue;
+    }
+    if (renderer === "json-forms") {
+      found.add("jsonforms");
+      continue;
+    }
+    if (renderer === "platform") found.add("platform");
+  }
+  return Array.from(found.values()).sort();
+}
+function normalizeLowerSet(values) {
+  return new Set(values.map((v) => v.trim().toLowerCase()).filter(Boolean));
+}
+function inferMockAssetKind(fileName) {
+  const lower = fileName.toLowerCase();
+  if (/\.(png|jpe?g|gif|webp|bmp|svg)$/.test(lower)) return "image";
+  if (/\.json$/.test(lower)) return "json";
+  if (/\.(txt|md|yaml|yml)$/.test(lower)) return "text";
+  return "other";
+}
+function listMockAssets(manifestFilePath, args, deps) {
+  const rawMockDirs = [
+    deps.argString(args, "mocks"),
+    deps.argString(args, "mocks-dir"),
+    import_node_path5.default.join(import_node_path5.default.dirname(manifestFilePath), "mocks")
+  ].filter((value) => typeof value === "string" && value.trim().length > 0);
+  const seenDirs = normalizeLowerSet([]);
+  const out = [];
+  for (const rawDir of rawMockDirs) {
+    const dirPath = import_node_path5.default.resolve(process.cwd(), rawDir);
+    const dedupeKey = dirPath.toLowerCase();
+    if (seenDirs.has(dedupeKey)) continue;
+    seenDirs.add(dedupeKey);
+    if (!import_node_fs4.default.existsSync(dirPath)) continue;
+    let entries = [];
+    try {
+      entries = import_node_fs4.default.readdirSync(dirPath, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      if (!entry.isFile()) continue;
+      const absPath = import_node_path5.default.join(dirPath, entry.name);
+      let size;
+      try {
+        size = import_node_fs4.default.statSync(absPath).size;
+      } catch {
+        size = void 0;
+      }
+      out.push({
+        path: import_node_path5.default.relative(process.cwd(), absPath),
+        name: entry.name,
+        kind: inferMockAssetKind(entry.name),
+        ...typeof size === "number" ? { bytes: size } : {}
+      });
+    }
+  }
+  return out.sort((a, b) => a.path.localeCompare(b.path));
+}
+function readAiGuidance(args, deps) {
+  const inline = deps.argString(args, "guidance");
+  const file = deps.argString(args, "guidance-file");
+  if (inline && file) {
+    throw deps.makeCliError(
+      "CLI_INVALID_ARGS",
+      "Use either --guidance <text> or --guidance-file <path>, not both"
+    );
+  }
+  const raw = file ? import_node_fs4.default.readFileSync(import_node_path5.default.resolve(process.cwd(), file), "utf8") : typeof inline === "string" ? inline : "";
+  const guidance = String(raw || "").trim();
+  return guidance || void 0;
+}
+function getToolByName(manifest, toolName) {
+  for (const tool of manifest.tools || []) {
+    if (String(tool.tool_name || "") === toolName) return tool;
+  }
+  return null;
+}
+function collectUiElements(uiSchema) {
+  if (!uiSchema || typeof uiSchema !== "object") return [];
+  const stack = [uiSchema];
+  const out = [];
+  while (stack.length) {
+    const node = stack.pop();
+    if (!node || typeof node !== "object") continue;
+    out.push(node);
+    const elements = Array.isArray(node.elements) ? node.elements : [];
+    for (const child of elements) stack.push(child);
+  }
+  return out;
+}
+function hasStepperUiSchema(uiSchema) {
+  if (!uiSchema || typeof uiSchema !== "object") return false;
+  if (String(uiSchema.type || "") !== "Categorization") return false;
+  const options = uiSchema.options;
+  return options && typeof options === "object" && String(options.variant || "").toLowerCase() === "stepper";
+}
+function hasPreviewSections(uiSchema) {
+  return collectUiElements(uiSchema).some(
+    (node) => String(node.type || "") === "XAppsDisplayPanel" || String(node.component || "").toLowerCase().includes("preview")
+  );
+}
+function buildControlScope(propertyName) {
+  return `#/properties/${propertyName}`;
+}
+function buildStepperUiSchemaSuggestion(inputSchema, options) {
+  const props = inputSchema && typeof inputSchema === "object" && inputSchema.properties && typeof inputSchema.properties === "object" ? inputSchema.properties : {};
+  const propertyNames = Object.keys(props);
+  const nonAttachments = [];
+  const attachments = [];
+  for (const key of propertyNames) {
+    const prop = props[key] || {};
+    const isBinaryArray = String(prop.type || "") === "array" && prop.items && typeof prop.items === "object" && String(prop.items.format || "").toLowerCase() === "binary";
+    const isBinary = String(prop.format || "").toLowerCase() === "binary";
+    if (isBinary || isBinaryArray) attachments.push(key);
+    else nonAttachments.push(key);
+  }
+  const splitIndex = nonAttachments.length > 3 ? Math.ceil(nonAttachments.length / 2) : nonAttachments.length;
+  const primary = nonAttachments.slice(0, splitIndex);
+  const secondary = nonAttachments.slice(splitIndex);
+  const categories = [];
+  if (primary.length) {
+    const elements = primary.map((key) => ({ type: "Control", scope: buildControlScope(key) }));
+    if (options?.includePreviewPanel) {
+      const previewScope = buildControlScope(attachments[0] || primary[0]);
+      elements.push({
+        type: "XAppsDisplayPanel",
+        component: "json-preview",
+        label: attachments[0] ? "Attachments Preview" : "Form Preview",
+        scope: previewScope
+      });
+    }
+    categories.push({
+      type: "Category",
+      label: "Basic Info",
+      elements
+    });
+  }
+  if (secondary.length) {
+    categories.push({
+      type: "Category",
+      label: "Details",
+      elements: secondary.map((key) => ({ type: "Control", scope: buildControlScope(key) }))
+    });
+  }
+  if (attachments.length) {
+    categories.push({
+      type: "Category",
+      label: "Attachments",
+      elements: attachments.map((key) => ({ type: "Control", scope: buildControlScope(key) }))
+    });
+  }
+  if (!categories.length) {
+    categories.push({
+      type: "Category",
+      label: "Form",
+      elements: options?.includePreviewPanel ? [
+        {
+          type: "XAppsDisplayPanel",
+          component: "json-preview",
+          label: "Form Preview",
+          scope: "#"
+        }
+      ] : []
+    });
+  }
+  return {
+    type: "Categorization",
+    options: { variant: "stepper" },
+    elements: categories
+  };
+}
+function buildPreviewSectionSuggestion(inputSchema) {
+  const props = inputSchema && typeof inputSchema === "object" && inputSchema.properties && typeof inputSchema.properties === "object" ? inputSchema.properties : {};
+  const names = Object.keys(props);
+  const attachmentKey = names.find((key) => {
+    const prop = props[key] || {};
+    return String(prop.type || "") === "array" && prop.items && typeof prop.items === "object" && String(prop.items.format || "").toLowerCase() === "binary" || String(prop.format || "").toLowerCase() === "binary";
+  });
+  const fallbackKey = attachmentKey || names[0];
+  return [
+    {
+      type: "XAppsDisplayPanel",
+      component: "json-preview",
+      label: attachmentKey ? "Attachments Preview" : "Form Preview",
+      ...fallbackKey ? { scope: buildControlScope(fallbackKey) } : { scope: "#" }
+    }
+  ];
+}
+function buildManifestPatchHints(manifest, mockAssets, guidance) {
+  const hints = [];
+  const guidanceLower = String(guidance || "").toLowerCase();
+  const wantsStepper = /step(?:s|per)?|wizard/.test(guidanceLower);
+  const wantsPreview = /preview|widget[- ]?preview|display panel/.test(guidanceLower);
+  const hasImageMocks = mockAssets.some((asset) => asset.kind === "image");
+  for (const widget of manifest.widgets || []) {
+    const w = widget;
+    if (String(w.renderer || "").toLowerCase() !== "json-forms") continue;
+    const toolName = String(w.bind_tool_name || "").trim();
+    if (!toolName) continue;
+    const tool = getToolByName(manifest, toolName);
+    if (!tool) continue;
+    const uiSchema = tool.input_ui_schema;
+    const inputSchema = tool.input_schema;
+    const hasStepper = hasStepperUiSchema(uiSchema);
+    const hasPreview = hasPreviewSections(uiSchema);
+    const shouldSuggestStepper = !hasStepper && (wantsStepper || hasImageMocks);
+    const shouldSuggestPreview = !hasPreview && (wantsPreview || hasImageMocks);
+    if (!shouldSuggestStepper && !shouldSuggestPreview) continue;
+    const proposedInputUiSchema = shouldSuggestStepper ? buildStepperUiSchemaSuggestion(inputSchema, { includePreviewPanel: shouldSuggestPreview }) : void 0;
+    const appendPreviewSections = !shouldSuggestStepper && shouldSuggestPreview ? buildPreviewSectionSuggestion(inputSchema) : void 0;
+    hints.push({
+      widget_name: String(w.widget_name || ""),
+      bind_tool_name: toolName,
+      reasons: [
+        ...hasImageMocks ? ["mock_assets_detected"] : [],
+        ...shouldSuggestStepper ? ["missing_stepper_wizard_ui"] : [],
+        ...shouldSuggestPreview ? ["missing_preview_sections"] : []
+      ],
+      patch: {
+        tool_name: toolName,
+        field: "input_ui_schema",
+        mode: shouldSuggestStepper ? "replace" : "append_preview_sections",
+        ...proposedInputUiSchema ? { value: proposedInputUiSchema } : {},
+        ...appendPreviewSections ? { preview_sections: appendPreviewSections } : {}
+      },
+      review_notes: [
+        "Review inferred step grouping and labels before applying.",
+        "Preview panel suggestion is generic; customize component/scope for your UX."
+      ]
+    });
+  }
+  return hints;
+}
+function mimeTypeForMockAsset(fileName) {
+  const lower = fileName.toLowerCase();
+  if (lower.endsWith(".png")) return "image/png";
+  if (lower.endsWith(".jpg") || lower.endsWith(".jpeg")) return "image/jpeg";
+  if (lower.endsWith(".webp")) return "image/webp";
+  if (lower.endsWith(".gif")) return "image/gif";
+  if (lower.endsWith(".svg")) return "image/svg+xml";
+  return "application/octet-stream";
+}
+function toDataUrlFromFile(filePath) {
+  const abs = import_node_path5.default.resolve(process.cwd(), filePath);
+  const data = import_node_fs4.default.readFileSync(abs);
+  const mime = mimeTypeForMockAsset(filePath);
+  return `data:${mime};base64,${data.toString("base64")}`;
+}
+function extractJsonObjectFromText(text) {
+  const trimmed = String(text || "").trim();
+  if (!trimmed) return null;
+  try {
+    const parsed = JSON.parse(trimmed);
+    return isPlainObject3(parsed) ? parsed : null;
+  } catch {
+  }
+  const fenceMatch = trimmed.match(/```(?:json)?\s*([\s\S]*?)```/i);
+  if (fenceMatch?.[1]) {
+    try {
+      const parsed = JSON.parse(fenceMatch[1].trim());
+      return isPlainObject3(parsed) ? parsed : null;
+    } catch {
+      return null;
+    }
+  }
+  return null;
+}
+async function buildLlmManifestPatchHints(manifest, mockAssets, guidance, args, deps) {
+  const apiKey = deps.argString(args, "llm-api-key") || process.env.OPENAI_API_KEY || process.env.XAPPS_AI_API_KEY || "";
+  if (!apiKey) {
+    throw deps.makeCliError(
+      "CLI_INVALID_ARGS",
+      "Missing LLM API key. Provide --llm-api-key or set OPENAI_API_KEY/XAPPS_AI_API_KEY"
+    );
+  }
+  const baseUrl = String(
+    deps.argString(args, "llm-base-url") || process.env.OPENAI_BASE_URL || "https://api.openai.com/v1"
+  ).replace(/\/+$/, "");
+  const model = String(
+    deps.argString(args, "llm-model") || process.env.XAPPS_AI_MODEL || "gpt-5.2"
+  ).trim();
+  const timeoutMs = parsePositiveIntOptionOrThrow(
+    deps.argString(args, "llm-timeout-ms") || process.env.XAPPS_AI_TIMEOUT_MS,
+    3e4,
+    "--llm-timeout-ms",
+    deps
+  );
+  const imageAssets = mockAssets.filter((m) => m.kind === "image").slice(0, 4);
+  const userContent = [
+    {
+      type: "text",
+      text: [
+        "Analyze this xapp manifest and mock assets and propose JSON Forms manifest patch hints.",
+        "Focus on json-forms widgets and infer complete form fields from mockups/guidance.",
+        "When image mockups are provided, BOTH are needed: propose input_schema AND input_ui_schema (wizard + previews).",
+        'Return STRICT JSON object only with shape: {"hints": [ ... ]}.',
+        "Each hint item must include: widget_name, bind_tool_name, reasons (array), patch (object), review_notes (array).",
+        "Patch object must include tool_name, field, mode and target only input_schema or input_ui_schema.",
+        "Supported patch modes: replace (for input_schema or input_ui_schema), append_preview_sections (input_ui_schema only).",
+        "For image mockups, you MUST attempt complete input_schema inference first (best effort), then align input_ui_schema controls/previews to those fields.",
+        "If confidence is low, still provide a best-effort input_schema and explain uncertainty in review_notes.",
+        "For image mocks, prefer image-aware preview suggestions (e.g. attachment-scoped preview panels, data-view cards/list/table of image metadata, or publisher_preview-backed preview sections if endpoints already exist) instead of a generic form-level json-preview when possible.",
+        "If you suggest preview sections, include component and any options needed (label, scope, options.view/options.dataSource, etc.).",
+        "Use only supported preview/display components and views: components=[json-preview, location-map-preview, data-view]; data-view types=[key-value, list, table, badges, cards, json].",
+        "Do not modify security/guards/connectivity.",
+        guidance ? `User guidance: ${guidance}` : "User guidance: none",
+        `Manifest JSON:
+${JSON.stringify(manifest, null, 2)}`,
+        `Mock assets summary:
+${JSON.stringify(mockAssets, null, 2)}`
+      ].join("\n\n")
+    }
+  ];
+  for (const asset of imageAssets) {
+    try {
+      userContent.push({
+        type: "image_url",
+        image_url: { url: toDataUrlFromFile(asset.path) }
+      });
+    } catch {
+    }
+  }
+  const payload = {
+    model,
+    response_format: { type: "json_object" },
+    messages: [
+      {
+        role: "system",
+        content: "You are an xapps manifest assistant. Propose minimal, safe JSON Forms manifest patch hints (input_schema and input_ui_schema only)."
+      },
+      {
+        role: "user",
+        content: userContent
+      }
+    ],
+    temperature: 0.2
+  };
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  let response;
+  try {
+    response = await fetch(`${baseUrl}/chat/completions`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${apiKey}`
+      },
+      body: JSON.stringify(payload),
+      signal: controller.signal
+    });
+  } catch (err) {
+    if (err?.name === "AbortError") {
+      throw deps.makeCliError("CLI_RUNTIME_ERROR", `LLM request timed out after ${timeoutMs}ms`, {
+        provider: "openai-compatible",
+        model,
+        timeout_ms: timeoutMs
+      });
+    }
+    throw err;
+  } finally {
+    clearTimeout(timer);
+  }
+  const rawText = await response.text();
+  if (!response.ok) {
+    throw deps.makeCliError("CLI_RUNTIME_ERROR", `LLM request failed: status=${response.status}`, {
+      status: response.status,
+      body: rawText.slice(0, 2e3),
+      provider: "openai-compatible",
+      model
+    });
+  }
+  let parsedResp = null;
+  try {
+    parsedResp = JSON.parse(rawText);
+  } catch {
+    throw deps.makeCliError("CLI_RUNTIME_ERROR", "LLM returned non-JSON response envelope", {
+      provider: "openai-compatible",
+      model
+    });
+  }
+  const content = String(parsedResp?.choices?.[0]?.message?.content || "");
+  const llmJson = extractJsonObjectFromText(content);
+  if (!llmJson || !Array.isArray(llmJson.hints)) {
+    throw deps.makeCliError("CLI_RUNTIME_ERROR", "LLM response missing hints[] JSON payload", {
+      provider: "openai-compatible",
+      model
+    });
+  }
+  const hints = llmJson.hints.filter(
+    (item) => isPlainObject3(item)
+  );
+  return { hints, provider: "openai-compatible", model };
+}
+function evaluateLlmHintCompleteness(hints, options) {
+  const fields = /* @__PURE__ */ new Set();
+  for (const hint of hints) {
+    const patch = isPlainObject3(hint.patch) ? hint.patch : null;
+    const field = String(patch?.field || "").trim();
+    if (field) fields.add(field);
+  }
+  const missing = [];
+  if (options.requireInputSchema && !fields.has("input_schema")) missing.push("input_schema");
+  if (options.requireInputUiSchema && !fields.has("input_ui_schema"))
+    missing.push("input_ui_schema");
+  return { ok: missing.length === 0, missing };
+}
+async function readAiGuidanceInteractiveIfRequested(args, deps) {
+  const guidance = readAiGuidance(args, deps);
+  if (guidance) return guidance;
+  if (!deps.argFlag(args, "ask-guidance")) return void 0;
+  if (!import_node_process.stdin.isTTY || !import_node_process.stdout.isTTY) {
+    throw deps.makeCliError(
+      "CLI_INVALID_ARGS",
+      "--ask-guidance requires an interactive terminal (TTY) or use --guidance/--guidance-file"
+    );
+  }
+  const rl = import_promises.default.createInterface({ input: import_node_process.stdin, output: import_node_process.stdout });
+  try {
+    const answer = await rl.question(
+      "AI guidance (optional). Example: infer complete form fields from mockups, build a step wizard, add supported preview sections, and exclude payment screens because payment is handled by guards.\n> "
+    );
+    const trimmed = String(answer || "").trim();
+    return trimmed || void 0;
+  } finally {
+    rl.close();
+  }
+}
+function applySingleManifestPatchHint(manifest, hint) {
+  const patch = isPlainObject3(hint.patch) ? hint.patch : null;
+  if (!patch) return { changed: false, summary: "skip: missing patch object" };
+  const toolName = String(patch.tool_name || "").trim();
+  const field = String(patch.field || "").trim();
+  const mode = String(patch.mode || "").trim();
+  if (!toolName || field !== "input_ui_schema" && field !== "input_schema" || !mode) {
+    return {
+      changed: false,
+      summary: `skip: unsupported patch target (${toolName || "?"}:${field}:${mode})`
+    };
+  }
+  const tools = Array.isArray(manifest.tools) ? manifest.tools : [];
+  const tool = tools.find((t) => String(t?.tool_name || "") === toolName);
+  if (!tool || typeof tool !== "object") {
+    return { changed: false, summary: `skip: tool not found (${toolName})` };
+  }
+  if (mode === "replace") {
+    if (!isPlainObject3(patch.value)) {
+      return { changed: false, summary: `skip: replace patch missing object value (${toolName})` };
+    }
+    const before = JSON.stringify(tool[field] ?? null);
+    tool[field] = patch.value;
+    const after = JSON.stringify(tool[field] ?? null);
+    return { changed: before !== after, summary: `replace ${toolName}.${field}` };
+  }
+  if (mode === "append_preview_sections") {
+    if (field !== "input_ui_schema") {
+      return {
+        changed: false,
+        summary: `skip: append_preview_sections only supports input_ui_schema (${toolName})`
+      };
+    }
+    const previewSections = Array.isArray(patch.preview_sections) ? patch.preview_sections.filter((s) => isPlainObject3(s)) : [];
+    if (!previewSections.length) {
+      return { changed: false, summary: `skip: no preview_sections (${toolName})` };
+    }
+    const ui = isPlainObject3(tool[field]) ? tool[field] : null;
+    if (!ui) {
+      tool[field] = { type: "VerticalLayout", elements: [...previewSections] };
+      return { changed: true, summary: `create ${toolName}.${field} with preview sections` };
+    }
+    const uiType = String(ui.type || "");
+    if (uiType === "Categorization" && Array.isArray(ui.elements)) {
+      const categories = ui.elements;
+      const attachmentCategory = categories.find((cat) => {
+        if (!cat || typeof cat !== "object") return false;
+        const label = String(cat.label || "").toLowerCase();
+        if (label.includes("attachment")) return true;
+        const els = Array.isArray(cat.elements) ? cat.elements : [];
+        return els.some(
+          (el) => String(el?.type || "") === "Control" && String(el?.scope || "").toLowerCase().includes("/attachments")
+        );
+      });
+      if (attachmentCategory) {
+        if (!Array.isArray(attachmentCategory.elements))
+          attachmentCategory.elements = [];
+        const targetEls2 = attachmentCategory.elements;
+        const before2 = JSON.stringify(targetEls2);
+        for (const section of previewSections) targetEls2.push(section);
+        return {
+          changed: before2 !== JSON.stringify(targetEls2),
+          summary: `append preview sections to attachment category in ${toolName}.${field}`
+        };
+      }
+      categories.push({
+        type: "Category",
+        label: "Preview",
+        elements: [...previewSections]
+      });
+      return { changed: true, summary: `append Preview category to ${toolName}.${field}` };
+    }
+    if (!Array.isArray(ui.elements)) ui.elements = [];
+    const targetEls = ui.elements;
+    const before = JSON.stringify(targetEls);
+    for (const section of previewSections) targetEls.push(section);
+    return {
+      changed: before !== JSON.stringify(targetEls),
+      summary: `append preview sections to ${toolName}.${field}`
+    };
+  }
+  return { changed: false, summary: `skip: unsupported patch mode (${mode})` };
+}
+function renderSimpleJsonDiff(beforeText, afterText) {
+  if (beforeText === afterText) return "(no changes)";
+  const before = beforeText.split("\n");
+  const after = afterText.split("\n");
+  let prefix = 0;
+  while (prefix < before.length && prefix < after.length && before[prefix] === after[prefix])
+    prefix += 1;
+  let suffix = 0;
+  while (suffix < before.length - prefix && suffix < after.length - prefix && before[before.length - 1 - suffix] === after[after.length - 1 - suffix]) {
+    suffix += 1;
+  }
+  const beforeMid = before.slice(prefix, before.length - suffix);
+  const afterMid = after.slice(prefix, after.length - suffix);
+  const outLines = [];
+  const startLine = prefix + 1;
+  outLines.push(`@@ manifest.json:${startLine} @@`);
+  for (const line of beforeMid) outLines.push(`- ${line}`);
+  for (const line of afterMid) outLines.push(`+ ${line}`);
+  return outLines.join("\n");
+}
+function applyManifestPatchHintsToFile(filePath, manifest, hints) {
+  const beforeObj = JSON.parse(JSON.stringify(manifest));
+  const beforeText = `${JSON.stringify(beforeObj, null, 2)}
+`;
+  const workObj = JSON.parse(beforeText);
+  const summaries = [];
+  let appliedCount = 0;
+  let changed = false;
+  for (const hint of hints) {
+    const result = applySingleManifestPatchHint(workObj, hint);
+    summaries.push(result.summary);
+    if (result.summary.startsWith("skip:")) continue;
+    appliedCount += 1;
+    changed = changed || result.changed;
+  }
+  const afterText = `${JSON.stringify(workObj, null, 2)}
+`;
+  if (changed) {
+    (0, import_server_sdk.parseXappManifest)(workObj);
+    import_node_fs4.default.writeFileSync(filePath, afterText, "utf8");
+  }
+  return {
+    applied: true,
+    changed,
+    file: filePath,
+    applied_count: appliedCount,
+    summaries,
+    diff: renderSimpleJsonDiff(beforeText, afterText)
+  };
+}
+function parseAiCheckPolicy(rawPolicy, policyFile, deps) {
+  if (!isPlainObject3(rawPolicy)) {
+    throw deps.makeCliError("CLI_AI_POLICY_INVALID", "Invalid AI policy JSON: expected object", {
+      file: policyFile
+    });
+  }
+  const policy = rawPolicy;
+  const schemaVersion = typeof policy.schema_version === "string" ? String(policy.schema_version).trim() : "";
+  if (schemaVersion && schemaVersion !== "xapps.ai.policy.v1") {
+    throw deps.makeCliError(
+      "CLI_AI_POLICY_INVALID",
+      `Invalid AI policy schema_version: ${schemaVersion} (expected xapps.ai.policy.v1)`,
+      { file: policyFile, schema_version: schemaVersion }
+    );
+  }
+  if (Object.prototype.hasOwnProperty.call(policy, "require_read_only") && typeof policy.require_read_only !== "boolean") {
+    throw deps.makeCliError(
+      "CLI_AI_POLICY_INVALID",
+      "AI policy require_read_only must be boolean",
+      {
+        file: policyFile
+      }
+    );
+  }
+  if (Object.prototype.hasOwnProperty.call(policy, "max_actions")) {
+    const value = policy.max_actions;
+    if (!Number.isInteger(value) || Number(value) < 0) {
+      throw deps.makeCliError(
+        "CLI_AI_POLICY_INVALID",
+        "AI policy max_actions must be a non-negative integer",
+        { file: policyFile }
+      );
+    }
+  }
+  if (Object.prototype.hasOwnProperty.call(policy, "allow_action_kinds")) {
+    const value = policy.allow_action_kinds;
+    if (!Array.isArray(value) || value.some((item) => typeof item !== "string" || !String(item).trim())) {
+      throw deps.makeCliError(
+        "CLI_AI_POLICY_INVALID",
+        "AI policy allow_action_kinds must be an array of non-empty strings",
+        { file: policyFile }
+      );
+    }
+  }
+  return rawPolicy;
+}
+function buildAiCheckPolicyPreset(name, deps) {
+  const normalized = String(name || "").trim().toLowerCase();
+  if (normalized !== "internal-readonly") {
+    throw deps.makeCliError(
+      "CLI_INVALID_OPTION",
+      `Unknown --policy-preset: ${name} (expected internal-readonly)`,
+      { label: "--policy-preset", value: name, allowed: ["internal-readonly"] }
+    );
+  }
+  return {
+    schema_version: "xapps.ai.policy.v1",
+    require_read_only: true,
+    max_actions: 16,
+    allow_action_kinds: [
+      "analyze.manifest",
+      "suggest.flow_checks",
+      "analyze.renderers",
+      "suggest.renderer_checks",
+      "suggest.manifest_patch",
+      "suggest.context_refresh",
+      "suggest.ai_policy_check",
+      "suggest.flow_run"
+    ]
+  };
+}
+async function runAiPlanCommand(args, deps) {
+  const subcommand = deps.argString(args, "_subcommand");
+  if (subcommand !== "plan") {
+    throw deps.makeCliError("CLI_INVALID_ARGS", "Missing required subcommand: ai plan|check");
+  }
+  const mode = parseAiMode(args, deps);
+  const from = deps.argString(args, "from");
+  if (!from) {
+    throw deps.makeCliError(
+      "CLI_INVALID_ARGS",
+      "Missing required argument: --from <manifest.json>"
+    );
+  }
+  const repoRoot = deps.findRepoRoot();
+  if (!repoRoot) {
+    throw deps.makeCliError(
+      "CLI_REPO_NOT_FOUND",
+      "xapps ai plan --mode internal is repo-only and requires the xapps monorepo checkout"
+    );
+  }
+  const { manifest, filePath } = deps.parseManifestFromFile(from);
+  const mockAssets = listMockAssets(filePath, args, deps);
+  const guidance = await readAiGuidanceInteractiveIfRequested(args, deps);
+  const context = deps.buildContextExportPayload(manifest, filePath);
+  const refs = deps.buildDevRefs(repoRoot);
+  const rendererFamilies = detectPlanRendererFamilies(manifest);
+  const preset = deps.argString(args, "preset");
+  let presetPayload;
+  if (preset) {
+    const normalizedPreset = preset.trim().toLowerCase();
+    if (normalizedPreset !== "internal-v1") {
+      throw deps.makeCliError(
+        "CLI_INVALID_OPTION",
+        `Invalid --preset: ${preset} (expected internal-v1)`,
+        {
+          label: "--preset",
+          value: preset
+        }
+      );
+    }
+    presetPayload = deps.buildInternalV1ContextPreset(repoRoot);
+  }
+  const flow = deps.argString(args, "flow");
+  const normalizedFlow = flow ? flow.trim().toLowerCase() : void 0;
+  const supportedFlows = /* @__PURE__ */ new Set(["pay-per-request", "guard-orchestration", "xplace-certs"]);
+  if (normalizedFlow && !supportedFlows.has(normalizedFlow)) {
+    throw deps.makeCliError("CLI_INVALID_OPTION", `Unknown --flow: ${flow}`, {
+      label: "--flow",
+      value: flow,
+      allowed: Array.from(supportedFlows)
+    });
+  }
+  const actions = [
+    {
+      kind: "analyze.manifest",
+      status: "proposed",
+      description: "Review manifest/tools/widgets against V1 baseline contracts"
+    },
+    {
+      kind: "suggest.flow_checks",
+      status: "proposed",
+      flows: ["pay-per-request", "guard-orchestration", "xplace-certs"]
+    },
+    {
+      kind: "analyze.renderers",
+      status: "proposed",
+      renderers: rendererFamilies,
+      description: "Classify widget renderer families and map to V1 checks (publisher-rendered, jsonforms, platform)"
+    }
+  ];
+  if (rendererFamilies.includes("jsonforms")) {
+    actions.push({
+      kind: "suggest.renderer_checks",
+      status: "proposed",
+      renderer: "jsonforms",
+      command: "npm test -- src/__tests__/jsonformsEmbed.test.ts src/__tests__/jsonformsStepDispatch.test.ts src/__tests__/jsonformsFiles.test.ts"
+    });
+  }
+  if (rendererFamilies.includes("publisher-rendered")) {
+    actions.push({
+      kind: "suggest.renderer_checks",
+      status: "proposed",
+      renderer: "publisher-rendered",
+      command: "npm test -- src/__tests__/embedWidgets.test.ts src/__tests__/guardContractParity.test.ts src/__tests__/integrationHostGuardContracts.test.ts"
+    });
+  }
+  if (presetPayload) {
+    actions.push({
+      kind: "suggest.context_refresh",
+      status: "proposed",
+      command: `xapps context export --from ${filePath} --preset internal-v1`
+    });
+    actions.push({
+      kind: "suggest.ai_policy_check",
+      status: "proposed",
+      command: "xapps ai check --mode internal --plan <plan.json> --policy <policy.json> --json"
+    });
+  }
+  if (normalizedFlow) {
+    actions.push({
+      kind: "suggest.flow_run",
+      status: "proposed",
+      flow: normalizedFlow,
+      command: `xapps dev check flow --name ${normalizedFlow} --run --json`
+    });
+  }
+  const heuristicManifestPatchHints = buildManifestPatchHints(manifest, mockAssets, guidance);
+  let manifestPatchHints = heuristicManifestPatchHints;
+  let llmInfo;
+  if (deps.argFlag(args, "llm")) {
+    llmInfo = { provider: "openai-compatible", model: "unknown", enabled: true, used: false };
+    try {
+      const llmHints = await buildLlmManifestPatchHints(manifest, mockAssets, guidance, args, deps);
+      llmInfo = {
+        provider: llmHints.provider,
+        model: llmHints.model,
+        enabled: true,
+        used: true
+      };
+      if (llmHints.hints.length > 0) {
+        const hasImageMocks = mockAssets.some((m) => m.kind === "image");
+        const completeness = evaluateLlmHintCompleteness(llmHints.hints, {
+          requireInputSchema: hasImageMocks,
+          requireInputUiSchema: hasImageMocks
+        });
+        if (!completeness.ok && hasImageMocks) {
+          heuristicManifestPatchHints.__llm_error = `LLM hints incomplete for image mocks (missing: ${completeness.missing.join(", ")})`;
+        } else {
+          manifestPatchHints = llmHints.hints;
+        }
+      }
+    } catch (err) {
+      const msg = String(err?.message || err || "LLM manifest hint generation failed");
+      llmInfo = {
+        ...llmInfo || { provider: "openai-compatible", model: "unknown", enabled: true },
+        used: false
+      };
+      manifestPatchHints.__llm_error = msg;
+    }
+  }
+  if (manifestPatchHints.length > 0) {
+    actions.push({
+      kind: "suggest.manifest_patch",
+      status: "proposed",
+      target: "manifest.json",
+      description: "Mock-aware JSON Forms manifest upgrade hints (stepper wizard + preview sections) generated for review",
+      hints: manifestPatchHints,
+      ...llmInfo ? {
+        source: llmInfo.used ? "llm" : "heuristic_fallback",
+        llm: llmInfo
+      } : { source: "heuristic" },
+      ...manifestPatchHints.__llm_error ? { llm_error: manifestPatchHints.__llm_error } : {}
+    });
+  }
+  const payload = {
+    schema_version: "xapps.ai.plan.v1",
+    ok: true,
+    mode,
+    read_only: true,
+    source: {
+      manifest_path: filePath,
+      manifest_sha256: context && isPlainObject3(context.source) && typeof context.source.manifest_sha256 === "string" ? context.source.manifest_sha256 : void 0
+    },
+    context: {
+      summary: isPlainObject3(context.summary) ? context.summary : {},
+      refs,
+      ...guidance ? {
+        ai_inputs: {
+          guidance
+        }
+      } : {},
+      ...mockAssets.length > 0 ? {
+        mock_assets: {
+          count: mockAssets.length,
+          kinds: Array.from(new Set(mockAssets.map((item) => item.kind))).sort(),
+          items: mockAssets
+        }
+      } : {},
+      ...llmInfo ? { llm: llmInfo } : {},
+      ...presetPayload ? { preset: presetPayload } : {}
+    },
+    actions,
+    warnings: [
+      ...refs.every((ref) => ref.exists) ? [] : ["Some internal engineering refs are missing"],
+      ...manifestPatchHints.__llm_error ? [
+        `LLM manifest hint generation failed, heuristic fallback used: ${manifestPatchHints.__llm_error}`
+      ] : []
+    ],
+    errors: []
+  };
+  if (normalizedFlow) payload.flow = normalizedFlow;
+  payload.coverage = {
+    renderers: rendererFamilies,
+    flows_supported: Array.from(supportedFlows.values()),
+    flow_selected: normalizedFlow || null,
+    preset_selected: presetPayload ? "internal-v1" : null
+  };
+  if (deps.argFlag(args, "apply-manifest-hints")) {
+    const patchAction = actions.find((a) => a.kind === "suggest.manifest_patch");
+    const hints = Array.isArray(patchAction?.hints) ? patchAction.hints.filter((h) => isPlainObject3(h)) : [];
+    if (!hints.length) {
+      payload.manifest_apply = {
+        applied: true,
+        changed: false,
+        file: filePath,
+        applied_count: 0,
+        summaries: ["skip: no manifest patch hints available"],
+        diff: "(no changes)"
+      };
+    } else {
+      payload.manifest_apply = applyManifestPatchHintsToFile(filePath, manifest, hints);
+    }
+  }
+  const outPath = deps.argString(args, "out");
+  const rendered = `${JSON.stringify(payload, null, 2)}
+`;
+  if (outPath) {
+    const target = import_node_path5.default.resolve(process.cwd(), outPath);
+    import_node_fs4.default.mkdirSync(import_node_path5.default.dirname(target), { recursive: true });
+    import_node_fs4.default.writeFileSync(target, rendered);
+    console.log(`AI plan exported: ${target}`);
+    return;
+  }
+  if (deps.argFlag(args, "json")) {
+    console.log(rendered.trimEnd());
+    return;
+  }
+  if (payload.manifest_apply) {
+    const apply = payload.manifest_apply;
+    console.log(
+      [
+        "Manifest hints apply:",
+        `File: ${String(apply.file || filePath)}`,
+        `Changed: ${String(Boolean(apply.changed))}`,
+        `Applied hints: ${String(apply.applied_count || 0)}`,
+        ...Array.isArray(apply.summaries) ? apply.summaries.map((s) => `- ${String(s)}`) : [],
+        "Diff:",
+        String(apply.diff || "(no diff)"),
+        ""
+      ].join("\n")
+    );
+  }
+  console.log(
+    [
+      `AI plan (${mode}, read-only)`,
+      `Manifest: ${payload.source.manifest_path}`,
+      `Slug: ${String(payload.context.summary.slug || "n/a")}`,
+      `Proposed actions: ${payload.actions.length}`
+    ].join("\n")
+  );
+}
+function runAiCheckCommand(args, deps) {
+  const subcommand = deps.argString(args, "_subcommand");
+  if (subcommand !== "check") {
+    throw deps.makeCliError("CLI_INVALID_ARGS", "Missing required subcommand: ai plan|check");
+  }
+  const mode = parseAiMode(args, deps);
+  const planFile = deps.argString(args, "plan");
+  if (!planFile) {
+    throw deps.makeCliError("CLI_INVALID_ARGS", "Missing required argument: --plan <plan.json>");
+  }
+  const payload = deps.readJsonFile(planFile);
+  const policyFile = deps.argString(args, "policy");
+  const policyPreset = deps.argString(args, "policy-preset");
+  if (policyFile && policyPreset) {
+    throw deps.makeCliError(
+      "CLI_INVALID_ARGS",
+      "Use either --policy <policy.json> or --policy-preset <name>, not both"
+    );
+  }
+  let policy = null;
+  if (policyFile) {
+    policy = parseAiCheckPolicy(deps.readJsonFile(policyFile), policyFile, deps);
+  } else if (policyPreset) {
+    policy = buildAiCheckPolicyPreset(policyPreset, deps);
+  }
+  const checks = [];
+  const plan = isPlainObject3(payload) ? payload : {};
+  checks.push({
+    key: "schema_version",
+    ok: plan.schema_version === "xapps.ai.plan.v1",
+    details: { actual: plan.schema_version || null }
+  });
+  checks.push({
+    key: "mode",
+    ok: plan.mode === mode,
+    details: { actual: plan.mode || null, expected: mode }
+  });
+  checks.push({
+    key: "read_only",
+    ok: plan.read_only === true,
+    details: { actual: plan.read_only ?? null }
+  });
+  checks.push({
+    key: "actions_array",
+    ok: Array.isArray(plan.actions),
+    details: { actualType: Array.isArray(plan.actions) ? "array" : typeof plan.actions }
+  });
+  if (policy) {
+    const requireReadOnly = policy.require_read_only !== false;
+    checks.push({
+      key: "policy_require_read_only",
+      ok: !requireReadOnly || plan.read_only === true,
+      details: { required: requireReadOnly, actual: plan.read_only ?? null }
+    });
+    if (typeof policy.max_actions === "number" && Number.isFinite(policy.max_actions)) {
+      const actionCount = Array.isArray(plan.actions) ? plan.actions.length : 0;
+      checks.push({
+        key: "policy_max_actions",
+        ok: actionCount <= policy.max_actions,
+        details: { max_actions: policy.max_actions, actual: actionCount }
+      });
+    }
+    if (Array.isArray(policy.allow_action_kinds)) {
+      const allowed = new Set(
+        policy.allow_action_kinds.filter((item) => typeof item === "string").map((item) => item.trim()).filter(Boolean)
+      );
+      const disallowedKinds = Array.isArray(plan.actions) ? plan.actions.filter((item) => isPlainObject3(item)).map((item) => String(item.kind || "").trim()).filter((kind) => kind && !allowed.has(kind)) : [];
+      checks.push({
+        key: "policy_allow_action_kinds",
+        ok: disallowedKinds.length === 0,
+        details: { disallowed_kinds: disallowedKinds }
+      });
+    }
+  }
+  const result = {
+    schema_version: "xapps.ai.check.v1",
+    ok: checks.every((check) => check.ok),
+    mode,
+    read_only: true,
+    checks,
+    errors: checks.filter((check) => !check.ok).map((check) => ({ code: "CLI_AI_PLAN_INVALID", check: check.key })),
+    ...policy ? {
+      policy: {
+        applied: true,
+        ...policyFile ? { source: import_node_path5.default.resolve(process.cwd(), policyFile) } : {},
+        ...policyPreset ? { preset: String(policyPreset).trim().toLowerCase() } : {}
+      }
+    } : {}
+  };
+  const outPath = deps.argString(args, "out");
+  const rendered = `${JSON.stringify(result, null, 2)}
+`;
+  if (outPath) {
+    const target = import_node_path5.default.resolve(process.cwd(), outPath);
+    import_node_fs4.default.mkdirSync(import_node_path5.default.dirname(target), { recursive: true });
+    import_node_fs4.default.writeFileSync(target, rendered);
+    console.log(`AI check exported: ${target}`);
+  } else if (deps.argFlag(args, "json")) {
+    console.log(rendered.trimEnd());
+  } else {
+    console.log(
+      [
+        `AI check (${mode}) ${result.ok ? "PASS" : "FAIL"}`,
+        ...checks.map((check) => `${check.ok ? "OK" : "FAIL"}  ${check.key}`)
+      ].join("\n")
+    );
+  }
+  if (!result.ok) {
+    throw deps.makeCliError("CLI_AI_PLAN_INVALID", "xapps ai check failed: invalid plan contract", {
+      checks
+    });
+  }
+}
+
+// src/publisherCommands.ts
+var import_server_sdk2 = require("@xapps-platform/server-sdk");
+var import_node_fs5 = __toESM(require("node:fs"), 1);
+function normalizePublisherGatewayApiBaseUrl(input2) {
+  const raw = String(input2 || "").trim();
+  if (!raw) return "";
+  const parsed = new URL(raw);
+  const pathname = parsed.pathname || "/";
+  if (pathname === "/" || pathname === "") {
+    parsed.pathname = "/v1";
+  }
+  return parsed.toString().replace(/\/+$/g, "");
+}
+function parseHttpUrlOrThrow(value, flagName) {
+  const trimmed = String(value || "").trim();
+  if (!trimmed) throw new Error(`Invalid ${flagName}: empty`);
+  try {
+    const url = new URL(trimmed);
+    if (!/^https?:$/.test(url.protocol)) {
+      throw new Error(`unsupported protocol ${url.protocol}`);
+    }
+    return url.toString();
+  } catch (err) {
+    throw new Error(`Invalid ${flagName}: ${err?.message || String(err)}`);
+  }
+}
+function resolveSecretInput(args, deps) {
+  const secretRef = deps.argString(args, "secret-ref");
+  const secretEnvName = deps.argString(args, "secret-env");
+  const secretStdin = deps.argFlag(args, "secret-stdin");
+  const selected = [Boolean(secretRef), Boolean(secretEnvName), Boolean(secretStdin)].filter(
+    Boolean
+  ).length;
+  if (selected !== 1) {
+    throw deps.makeCliError(
+      "CLI_INVALID_ARGS",
+      "Provide exactly one of --secret-ref, --secret-env, or --secret-stdin"
+    );
+  }
+  if (secretRef) {
+    return { secretRef, source: "secret_ref" };
+  }
+  if (secretEnvName) {
+    const envValue = String(process.env[secretEnvName] || "");
+    if (!envValue.trim()) {
+      throw deps.makeCliError(
+        "CLI_INVALID_ARGS",
+        `Environment variable is empty or missing for --secret-env ${secretEnvName}`
+      );
+    }
+    return { secret: envValue, source: "env", sourceName: secretEnvName };
+  }
+  const secret = import_node_fs5.default.readFileSync(0, "utf8");
+  if (!String(secret || "").trim()) {
+    throw deps.makeCliError("CLI_INVALID_ARGS", "--secret-stdin provided but stdin is empty");
+  }
+  return { secret, source: "stdin" };
+}
+function pickLatestVersion(items) {
+  if (!Array.isArray(items) || items.length === 0) return null;
+  const published = items.filter((v) => String(v.status || "") === "published");
+  const target = published.length > 0 ? published : items;
+  return [...target].sort(
+    (a, b) => String(b.published_at || b.created_at || "").localeCompare(
+      String(a.published_at || a.created_at || "")
+    )
+  )[0];
+}
+async function resolveEndpointIdOrThrow(args, deps, client) {
+  const endpointIdArg = deps.argString(args, "endpoint-id");
+  const xappSlug = deps.argString(args, "xapp-slug");
+  const targetClientSlug = deps.argString(args, "target-client-slug", "target_client_slug");
+  const endpointEnv = deps.argString(args, "env") || "prod";
+  if (endpointIdArg) {
+    return { endpointId: endpointIdArg, endpointEnv, ...xappSlug ? { xappSlug } : {} };
+  }
+  if (!xappSlug) {
+    throw deps.makeCliError(
+      "CLI_INVALID_ARGS",
+      "Provide --endpoint-id or (--xapp-slug and optional --env)"
+    );
+  }
+  let targetClientId = "";
+  if (targetClientSlug) {
+    const clients = await client.listClients();
+    const matches = (clients.items || []).filter(
+      (item) => String(item.slug || "") === targetClientSlug
+    );
+    if (matches.length === 0) {
+      throw deps.makeCliError(
+        "CLI_NOT_FOUND",
+        `Publisher client not found for slug=${targetClientSlug}`
+      );
+    }
+    if (matches.length > 1) {
+      throw deps.makeCliError(
+        "CLI_CONFLICT",
+        `Publisher client slug matched multiple rows: ${targetClientSlug}`
+      );
+    }
+    targetClientId = String(matches[0].id || "").trim();
+    if (!targetClientId) {
+      throw deps.makeCliError(
+        "CLI_INVALID_RESPONSE",
+        `Resolved client id is missing for slug=${targetClientSlug}`
+      );
+    }
+  }
+  const xapps = await client.listXapps();
+  const candidates = (xapps.items || []).filter((item) => {
+    if (String(item.slug || "") !== xappSlug) return false;
+    if (!targetClientId) return true;
+    return String(item.target_client_id || "") === targetClientId;
+  });
+  if (candidates.length === 0) {
+    throw deps.makeCliError(
+      "CLI_NOT_FOUND",
+      targetClientId ? `Publisher xapp not found for slug=${xappSlug} target_client_slug=${targetClientSlug}` : `Publisher xapp not found for slug=${xappSlug}`
+    );
+  }
+  if (candidates.length > 1) {
+    throw deps.makeCliError(
+      "CLI_CONFLICT",
+      targetClientId ? `Multiple publisher xapps matched slug=${xappSlug} target_client_slug=${targetClientSlug}` : `Multiple publisher xapps matched slug=${xappSlug}; pass --target-client-slug`
+    );
+  }
+  const xapp = candidates[0];
+  if (!String(xapp.id || "")) {
+    throw deps.makeCliError("CLI_NOT_FOUND", `Publisher xapp not found for slug=${xappSlug}`);
+  }
+  const versions = await client.listXappVersions(String(xapp.id));
+  const version = pickLatestVersion(versions.items);
+  if (!version || !String(version.id || "")) {
+    throw deps.makeCliError(
+      "CLI_NOT_FOUND",
+      `No publisher xapp versions found for slug=${xappSlug}`
+    );
+  }
+  const endpoints = await client.listEndpoints(String(version.id));
+  const endpoint = endpoints.items.find(
+    (item) => String(item.env || "").trim() === endpointEnv
+  );
+  if (!endpoint || !String(endpoint.id || "")) {
+    throw deps.makeCliError(
+      "CLI_NOT_FOUND",
+      `Endpoint not found for xapp=${xappSlug} env=${endpointEnv}`
+    );
+  }
+  return { endpointId: String(endpoint.id), endpointEnv, xappSlug };
+}
+function normalizeAuthTypeForMatch(input2) {
+  const raw = String(input2 || "").trim().toLowerCase().replace(/[^a-z0-9]/g, "");
+  if (!raw) return "";
+  if (raw === "none") return "none";
+  if (raw.includes("api") && raw.includes("key")) return "api_key_header";
+  if (raw === "header") return "header";
+  if (raw === "hmac" || raw === "hmacsha256") return "hmac";
+  return raw;
+}
+function readCredentialHeaderName(item) {
+  const direct = item.auth_header_name;
+  if (typeof direct === "string" && direct.trim()) return direct.trim();
+  const configRaw = item.config ?? item.config_jsonb;
+  const cfg = configRaw && typeof configRaw === "string" ? (() => {
+    try {
+      return JSON.parse(configRaw);
+    } catch {
+      return null;
+    }
+  })() : configRaw;
+  if (cfg && typeof cfg === "object") {
+    const header = cfg.headerName ?? cfg.header_name;
+    if (typeof header === "string" && header.trim()) return header.trim();
+  }
+  return "";
+}
+function findMatchingEndpointCredential(items, input2) {
+  const wantAuth = normalizeAuthTypeForMatch(input2.authType);
+  const wantHeader = String(input2.headerName || "").trim().toLowerCase();
+  for (const item of items) {
+    const authMatch = normalizeAuthTypeForMatch(item.auth_type) === wantAuth;
+    if (!authMatch) continue;
+    if (wantAuth === "api_key_header" || wantAuth === "header") {
+      const existingHeader = readCredentialHeaderName(item).toLowerCase();
+      if (wantHeader && existingHeader !== wantHeader) continue;
+    }
+    return item;
+  }
+  return null;
+}
+async function runPublisherEndpointCredentialSetCommand(args, deps) {
+  const gatewayUrlRaw = deps.argString(args, "gateway-url", "publisher-gateway-url") || process.env.XAPPS_CLI_PUBLISHER_GATEWAY_URL;
+  if (!gatewayUrlRaw) {
+    throw deps.makeCliError(
+      "CLI_INVALID_ARGS",
+      "Missing required argument: --gateway-url <url> (or --publisher-gateway-url)"
+    );
+  }
+  const gatewayUrl = normalizePublisherGatewayApiBaseUrl(
+    parseHttpUrlOrThrow(gatewayUrlRaw, "--gateway-url")
+  );
+  const apiKey = deps.argString(args, "api-key", "apiKey") || process.env.XAPPS_CLI_API_KEY || "";
+  const token = deps.argString(args, "token") || process.env.XAPPS_CLI_TOKEN || "";
+  if (!apiKey && !token) {
+    throw deps.makeCliError(
+      "CLI_INVALID_ARGS",
+      "Missing auth: provide --api-key or --token (or XAPPS_CLI_API_KEY/XAPPS_CLI_TOKEN)"
+    );
+  }
+  let endpointId = "";
+  const authType = deps.argString(args, "auth-type") || "api-key";
+  const headerName = deps.argString(args, "header-name") || "x-xplace-api-key";
+  const keyStatus = deps.argString(args, "key-status") || "active";
+  const keyAlgorithm = deps.argString(args, "key-algorithm") || "hmac-sha256";
+  const secretInput = resolveSecretInput(args, deps);
+  const client = (0, import_server_sdk2.createPublisherApiClient)({ baseUrl: gatewayUrl, apiKey, token });
+  try {
+    endpointId = (await resolveEndpointIdOrThrow(args, deps, client)).endpointId;
+    const result = await client.createEndpointCredential(endpointId, {
+      authType,
+      config: {
+        headerName
+      },
+      initialKey: {
+        ...secretInput.secret ? { secret: secretInput.secret } : {},
+        ...secretInput.secretRef ? { secretRef: secretInput.secretRef } : {},
+        status: keyStatus,
+        algorithm: keyAlgorithm
+      }
+    });
+    const credential = result.credential || {};
+    const output2 = {
+      ok: true,
+      gateway_url: gatewayUrl,
+      endpoint_id: endpointId,
+      auth_type: String(credential.auth_type || authType),
+      credential_id: String(credential.id || ""),
+      active_kid: String(credential.active_kid || ""),
+      secret_source: secretInput.source,
+      ...secretInput.sourceName ? { secret_env: secretInput.sourceName } : {},
+      header_name: headerName
+    };
+    if (deps.argFlag(args, "json")) {
+      console.log(JSON.stringify(output2, null, 2));
+      return;
+    }
+    console.log(
+      `Publisher endpoint credential set: endpoint=${output2.endpoint_id} credential=${output2.credential_id || "-"} auth=${output2.auth_type} header=${output2.header_name} secret_source=${output2.secret_source}`
+    );
+  } catch (err) {
+    if (err instanceof import_server_sdk2.PublisherApiClientError) {
+      throw deps.makeCliError(
+        `CLI_${err.code}`,
+        `Publisher endpoint credential set failed: ${err.message}`,
+        { status: err.status, details: err.details, gateway_url: gatewayUrl }
+      );
+    }
+    throw err;
+  }
+}
+async function runPublisherEndpointCredentialEnsureCommand(args, deps) {
+  const gatewayUrlRaw = deps.argString(args, "gateway-url", "publisher-gateway-url") || process.env.XAPPS_CLI_PUBLISHER_GATEWAY_URL;
+  if (!gatewayUrlRaw) {
+    throw deps.makeCliError(
+      "CLI_INVALID_ARGS",
+      "Missing required argument: --gateway-url <url> (or --publisher-gateway-url)"
+    );
+  }
+  const gatewayUrl = normalizePublisherGatewayApiBaseUrl(
+    parseHttpUrlOrThrow(gatewayUrlRaw, "--gateway-url")
+  );
+  const apiKey = deps.argString(args, "api-key", "apiKey") || process.env.XAPPS_CLI_API_KEY || "";
+  const token = deps.argString(args, "token") || process.env.XAPPS_CLI_TOKEN || "";
+  if (!apiKey && !token) {
+    throw deps.makeCliError(
+      "CLI_INVALID_ARGS",
+      "Missing auth: provide --api-key or --token (or XAPPS_CLI_API_KEY/XAPPS_CLI_TOKEN)"
+    );
+  }
+  const authType = deps.argString(args, "auth-type") || "api-key";
+  const headerName = deps.argString(args, "header-name") || "x-xplace-api-key";
+  const keyStatus = deps.argString(args, "key-status") || "active";
+  const keyAlgorithm = deps.argString(args, "key-algorithm") || "hmac-sha256";
+  const client = (0, import_server_sdk2.createPublisherApiClient)({ baseUrl: gatewayUrl, apiKey, token });
+  try {
+    const resolved = await resolveEndpointIdOrThrow(args, deps, client);
+    const endpointId = resolved.endpointId;
+    const existing = await client.listEndpointCredentials(endpointId);
+    const match = findMatchingEndpointCredential(existing.items, {
+      authType,
+      headerName
+    });
+    if (match) {
+      const output3 = {
+        ok: true,
+        ensured: true,
+        created: false,
+        gateway_url: gatewayUrl,
+        endpoint_id: endpointId,
+        credential_id: String(match.id || ""),
+        auth_type: String(match.auth_type || authType),
+        header_name: readCredentialHeaderName(match) || headerName,
+        active_kid: String(match.active_kid || "")
+      };
+      if (deps.argFlag(args, "json")) {
+        console.log(JSON.stringify(output3, null, 2));
+        return;
+      }
+      console.log(
+        `Publisher endpoint credential ensure: endpoint=${output3.endpoint_id} credential=${output3.credential_id || "-"} auth=${output3.auth_type} header=${output3.header_name} outcome=existing`
+      );
+      return;
+    }
+    const secretInput = resolveSecretInput(args, deps);
+    const result = await client.createEndpointCredential(endpointId, {
+      authType,
+      config: {
+        headerName
+      },
+      initialKey: {
+        ...secretInput.secret ? { secret: secretInput.secret } : {},
+        ...secretInput.secretRef ? { secretRef: secretInput.secretRef } : {},
+        status: keyStatus,
+        algorithm: keyAlgorithm
+      }
+    });
+    const credential = result.credential || {};
+    const output2 = {
+      ok: true,
+      ensured: true,
+      created: true,
+      gateway_url: gatewayUrl,
+      endpoint_id: endpointId,
+      auth_type: String(credential.auth_type || authType),
+      credential_id: String(credential.id || ""),
+      active_kid: String(credential.active_kid || ""),
+      secret_source: secretInput.source,
+      ...secretInput.sourceName ? { secret_env: secretInput.sourceName } : {},
+      header_name: headerName
+    };
+    if (deps.argFlag(args, "json")) {
+      console.log(JSON.stringify(output2, null, 2));
+      return;
+    }
+    console.log(
+      `Publisher endpoint credential ensure: endpoint=${output2.endpoint_id} credential=${output2.credential_id || "-"} auth=${output2.auth_type} header=${output2.header_name} outcome=created secret_source=${output2.secret_source}`
+    );
+  } catch (err) {
+    if (err instanceof import_server_sdk2.PublisherApiClientError) {
+      throw deps.makeCliError(
+        `CLI_${err.code}`,
+        `Publisher endpoint credential ensure failed: ${err.message}`,
+        { status: err.status, details: err.details, gateway_url: gatewayUrl }
+      );
+    }
+    throw err;
+  }
+}
+
+// src/commands/devCommands.ts
+function runDevStatusRefsCliCommand(args, deps) {
+  runDevStatusRefsCommand(args, {
+    argFlag: deps.argFlag,
+    findRepoRoot: deps.findRepoRoot,
+    makeCliError: deps.makeCliError
+  });
+}
+function runDevCheckV1CliCommand(args, deps) {
+  runDevCheckV1Command(args, {
+    argFlag: deps.argFlag,
+    findRepoRoot: deps.findRepoRoot,
+    makeCliError: deps.makeCliError
+  });
+}
+function runDevCheckFlowCliCommand(args, deps) {
+  const repoRoot = deps.findRepoRoot();
+  if (!repoRoot) {
+    throw deps.makeCliError(
+      "CLI_REPO_NOT_FOUND",
+      "xapps dev check flow is repo-only and requires the xapps monorepo checkout"
+    );
+  }
+  const flowFile = deps.argString(args, "from");
+  const flowName = deps.argString(args, "name");
+  if (!flowFile && !flowName) {
+    throw deps.makeCliError(
+      "CLI_INVALID_ARGS",
+      "Missing required argument: --name <flow> or --from <flow.json>"
+    );
+  }
+  if (flowFile && flowName) {
+    throw deps.makeCliError(
+      "CLI_INVALID_ARGS",
+      "Use either --name <flow> or --from <flow.json>, not both"
+    );
+  }
+  const normalized = flowName ? flowName.trim().toLowerCase() : null;
+  const artifactsDirRaw = deps.argString(args, "artifacts-dir");
+  const artifactsDir = artifactsDirRaw ? import_node_path6.default.resolve(repoRoot, String(artifactsDirRaw).trim()) : "/tmp";
+  const plans = buildBuiltInDevCheckFlows(artifactsDir);
+  let selectedFlow;
+  const readFlowFromFile = (inputFlowFile) => {
+    const filePath = import_node_path6.default.resolve(repoRoot, inputFlowFile);
+    const parsed = deps.readJsonFile(filePath);
+    const parsedFlow = parseDevFlowObject(parsed, import_node_path6.default.basename(filePath));
+    if (parsedFlow.errors.length) {
+      throw deps.makeCliError(
+        "CLI_INVALID_OPTION",
+        `Invalid flow file: ${inputFlowFile} (${parsedFlow.errors.join(",")})`,
+        {
+          label: "--from",
+          value: inputFlowFile,
+          errors: parsedFlow.errors
+        }
+      );
+    }
+    return {
+      filePath,
+      flow: parsedFlow.flow
+    };
+  };
+  if (flowFile) {
+    selectedFlow = readFlowFromFile(flowFile).flow;
+  } else {
+    const plan = normalized ? plans[normalized] : void 0;
+    if (!plan) {
+      throw deps.makeCliError("CLI_INVALID_OPTION", `Unknown flow: ${flowName}`, {
+        label: "--name",
+        value: flowName,
+        allowed: Object.keys(plans)
+      });
+    }
+    selectedFlow = { key: normalized, ...plan };
+  }
+  const resolvedCommands = selectedFlow.commands.map(
+    (cmd) => deps.applyFlowCommandTemplates(cmd, { artifactsDir })
+  );
+  const payload = {
+    schema_version: "xapps.dev.check.flow.v1",
+    ok: true,
+    repo_root: repoRoot,
+    flow: selectedFlow.key,
+    artifacts_dir: artifactsDir,
+    title: selectedFlow.title,
+    description: selectedFlow.description,
+    commands: resolvedCommands,
+    refs: selectedFlow.refs,
+    ...flowFile ? { flow_file: import_node_path6.default.relative(repoRoot, import_node_path6.default.resolve(repoRoot, flowFile)) } : {}
+  };
+  if (deps.argFlag(args, "run")) {
+    try {
+      import_node_fs6.default.mkdirSync(artifactsDir, { recursive: true });
+    } catch (error) {
+      throw deps.makeCliError(
+        "CLI_DEV_CHECK_FAILED",
+        `Unable to prepare artifacts directory: ${artifactsDir}`,
+        {
+          flow: normalized || "",
+          artifacts_dir: artifactsDir,
+          error: String(error?.message || error)
+        }
+      );
+    }
+  }
+  if (deps.argFlag(args, "run")) {
+    const runs = executeDevCheckFlowCommands(resolvedCommands, repoRoot);
+    const runSummary = {
+      executed: true,
+      ok: runs.every((run) => run.ok),
+      runs
+    };
+    payload.run = runSummary;
+    payload.ok = runSummary.ok;
+  }
+  if (deps.argFlag(args, "json")) {
+    console.log(JSON.stringify(payload, null, 2));
+    if (!payload.ok) {
+      throw deps.makeCliError(
+        "CLI_DEV_CHECK_FAILED",
+        `xapps dev check flow failed: ${String(selectedFlow.key || normalized || "unknown")}`,
+        {
+          flow: String(selectedFlow.key || normalized || "")
+        }
+      );
+    }
+    return;
+  }
+  console.log(
+    [
+      `Flow check plan: ${payload.flow}`,
+      `Title: ${payload.title}`,
+      `Description: ${payload.description}`,
+      "Commands:",
+      ...payload.commands.map((cmd) => `- ${cmd}`),
+      ...payload.run && typeof payload.run === "object" && Array.isArray(payload.run.runs) ? [
+        "Run results:",
+        ...payload.run.runs.map(
+          (run) => `- ${run.ok ? "OK" : "FAIL"} (${run.exit_code ?? "?"}) ${run.command}`
+        )
+      ] : [],
+      "Refs:",
+      ...payload.refs.map((ref) => `- ${ref}`)
+    ].join("\n")
+  );
+  if (!payload.ok) {
+    throw deps.makeCliError(
+      "CLI_DEV_CHECK_FAILED",
+      `xapps dev check flow failed: ${String(selectedFlow.key || normalized || "unknown")}`,
+      {
+        flow: String(selectedFlow.key || normalized || "")
+      }
+    );
+  }
+}
+function runDevCheckFlowLintCliCommand(args, deps) {
+  const repoRoot = deps.findRepoRoot();
+  if (!repoRoot) {
+    throw deps.makeCliError(
+      "CLI_REPO_NOT_FOUND",
+      "xapps dev check flow lint is repo-only and requires the xapps monorepo checkout"
+    );
+  }
+  const flowFile = deps.argString(args, "from");
+  if (!flowFile) {
+    throw deps.makeCliError("CLI_INVALID_ARGS", "Missing required argument: --from <flow.json>");
+  }
+  const filePath = import_node_path6.default.resolve(repoRoot, flowFile);
+  const parsed = deps.readJsonFile(filePath);
+  const parsedFlow = parseDevFlowObject(parsed, import_node_path6.default.basename(filePath));
+  if (parsedFlow.errors.length) {
+    throw deps.makeCliError(
+      "CLI_INVALID_OPTION",
+      `Invalid flow file: ${flowFile} (${parsedFlow.errors.join(",")})`,
+      {
+        label: "--from",
+        value: flowFile,
+        errors: parsedFlow.errors
+      }
+    );
+  }
+  const checks = lintDevFlowDefinition(parsedFlow.flow);
+  const payload = {
+    schema_version: "xapps.dev.check.flow.lint.v1",
+    ok: checks.every((c) => c.ok),
+    repo_root: repoRoot,
+    flow_file: import_node_path6.default.relative(repoRoot, filePath),
+    flow: parsedFlow.flow.key || null,
+    checks
+  };
+  if (deps.argFlag(args, "json")) {
+    console.log(JSON.stringify(payload, null, 2));
+    if (!payload.ok) {
+      throw deps.makeCliError("CLI_DEV_CHECK_FAILED", "xapps dev check flow lint failed", {
+        flow_file: payload.flow_file,
+        checks
+      });
+    }
+    return;
+  }
+  console.log(
+    [
+      `Flow lint: ${payload.ok ? "PASS" : "FAIL"}`,
+      `Flow file: ${payload.flow_file}`,
+      `Flow: ${payload.flow || "n/a"}`,
+      ...checks.map((c) => `${c.ok ? "OK" : "FAIL"}  ${c.key}`)
+    ].join("\n")
+  );
+  if (!payload.ok) {
+    throw deps.makeCliError("CLI_DEV_CHECK_FAILED", "xapps dev check flow lint failed", {
+      flow_file: payload.flow_file,
+      checks
+    });
+  }
+}
+function buildDevFlowInitTemplate2(type, makeCliError) {
+  const template = buildDevFlowInitTemplate(type);
+  if (template) return template;
+  throw makeCliError("CLI_INVALID_OPTION", `Unknown flow template type: ${type}`, {
+    label: "--type",
+    value: type,
+    allowed: ["ai-artifacts", "manual-loop"]
+  });
+}
+function runDevCheckFlowInitCliCommand(args, deps) {
+  const repoRoot = deps.findRepoRoot();
+  if (!repoRoot) {
+    throw deps.makeCliError(
+      "CLI_REPO_NOT_FOUND",
+      "Could not locate repo root for xapps dev check flow init"
+    );
+  }
+  const out = deps.argString(args, "out");
+  if (!out) {
+    throw deps.makeCliError("CLI_INVALID_ARGS", "Missing required argument: --out <flow.json>");
+  }
+  const type = deps.argString(args, "type");
+  if (!type) {
+    throw deps.makeCliError(
+      "CLI_INVALID_ARGS",
+      "Missing required argument: --type <ai-artifacts|manual-loop>"
+    );
+  }
+  const normalizedType = String(type).trim().toLowerCase();
+  const flowTemplate = buildDevFlowInitTemplate2(type, deps.makeCliError);
+  const flowId = deps.argString(args, "flow-id");
+  if (flowId && String(flowId).trim()) {
+    flowTemplate.flow = String(flowId).trim();
+  }
+  const manifestPathArg = deps.argString(args, "manifest");
+  const policyPathArg = deps.argString(args, "policy");
+  const smokeScriptArg = deps.argString(args, "smoke-script");
+  if (normalizedType === "ai-artifacts") {
+    const manifestPath = manifestPathArg ? String(manifestPathArg).trim() : "";
+    const policyPath = policyPathArg ? String(policyPathArg).trim() : "";
+    if (manifestPath) {
+      flowTemplate.commands = flowTemplate.commands.map(
+        (cmd) => cmd.replaceAll("./manifest.json", manifestPath)
+      );
+      flowTemplate.refs = flowTemplate.refs.map(
+        (ref) => ref === "./manifest.json" ? manifestPath : ref
+      );
+    }
+    if (policyPath) {
+      flowTemplate.commands = flowTemplate.commands.map(
+        (cmd) => cmd.replaceAll(
+          "--policy-preset internal-readonly",
+          `--policy ${deps.shellEscapeArg(policyPath)}`
+        )
+      );
+      flowTemplate.refs = flowTemplate.refs.map(
+        (ref) => ref === "./ai/policy.readonly.internal-v1.json" ? policyPath : ref
+      );
+    }
+  }
+  if (normalizedType === "manual-loop") {
+    const smokeScriptPath = smokeScriptArg ? String(smokeScriptArg).trim() : "";
+    if (smokeScriptPath) {
+      flowTemplate.commands = [`node ${deps.shellEscapeArg(smokeScriptPath)}`];
+      flowTemplate.refs = flowTemplate.refs.map(
+        (ref) => ref === "./scripts/manual-loop-smoke.mjs" ? smokeScriptPath : ref
+      );
+    }
+  }
+  const target = import_node_path6.default.resolve(process.cwd(), out);
+  import_node_fs6.default.mkdirSync(import_node_path6.default.dirname(target), { recursive: true });
+  const rendered = `${JSON.stringify(flowTemplate, null, 2)}
+`;
+  import_node_fs6.default.writeFileSync(target, rendered);
+  const payload = {
+    schema_version: "xapps.dev.check.flow.init.v1",
+    ok: true,
+    type: String(type).trim().toLowerCase(),
+    out: target,
+    flow: flowTemplate.flow,
+    ...manifestPathArg ? { manifest: String(manifestPathArg).trim() } : {},
+    ...policyPathArg ? { policy: String(policyPathArg).trim() } : {},
+    ...smokeScriptArg ? { smoke_script: String(smokeScriptArg).trim() } : {}
+  };
+  if (deps.argFlag(args, "json")) {
+    console.log(JSON.stringify(payload, null, 2));
+    return;
+  }
+  console.log(`Flow template created: ${target}
+Type: ${payload.type}
+Flow: ${payload.flow}`);
+}
+async function runAiPlanCliCommand(args, deps) {
+  await runAiPlanCommand(args, {
+    argString: deps.argString,
+    argFlag: deps.argFlag,
+    findRepoRoot: deps.findRepoRoot,
+    parseManifestFromFile: deps.parseManifestFromFile,
+    buildContextExportPayload: (manifest, filePath) => buildContextExportPayload(manifest, filePath, {
+      canonicalizeJson: deps.canonicalizeJson
+    }),
+    buildDevRefs: deps.buildDevRefs,
+    buildInternalV1ContextPreset: (repoRoot) => buildInternalV1ContextPreset(repoRoot, { buildDevRefs: deps.buildDevRefs }),
+    readJsonFile: deps.readJsonFile,
+    makeCliError: deps.makeCliError
+  });
+}
+async function runAiCheckCliCommand(args, deps) {
+  await runAiCheckCommand(args, {
+    argString: deps.argString,
+    argFlag: deps.argFlag,
+    findRepoRoot: deps.findRepoRoot,
+    parseManifestFromFile: deps.parseManifestFromFile,
+    buildContextExportPayload: (manifest, filePath) => buildContextExportPayload(manifest, filePath, {
+      canonicalizeJson: deps.canonicalizeJson
+    }),
+    buildDevRefs: deps.buildDevRefs,
+    buildInternalV1ContextPreset: (repoRoot) => buildInternalV1ContextPreset(repoRoot, { buildDevRefs: deps.buildDevRefs }),
+    readJsonFile: deps.readJsonFile,
+    makeCliError: deps.makeCliError
+  });
+}
+async function runPublisherCliCommand(args, deps) {
+  const subcommand = deps.argString(args, "_subcommand");
+  const subcommand2 = deps.argString(args, "_subcommand2");
+  const subcommand3 = deps.argString(args, "_subcommand3");
+  if (subcommand === "endpoint" && subcommand2 === "credential" && subcommand3 === "set") {
+    await runPublisherEndpointCredentialSetCommand(args, {
+      argString: deps.argString,
+      argFlag: deps.argFlag,
+      makeCliError: deps.makeCliError
+    });
+    return;
+  }
+  if (subcommand === "endpoint" && subcommand2 === "credential" && subcommand3 === "ensure") {
+    await runPublisherEndpointCredentialEnsureCommand(args, {
+      argString: deps.argString,
+      argFlag: deps.argFlag,
+      makeCliError: deps.makeCliError
+    });
+    return;
+  }
+  throw deps.makeCliError(
+    "CLI_INVALID_ARGS",
+    "Missing required subcommand: publisher endpoint credential set|ensure"
+  );
+}
+async function runDevCommand(args, deps) {
+  const subcommand = deps.argString(args, "_subcommand");
+  const subcommand2 = deps.argString(args, "_subcommand2");
+  if (subcommand === "status" && subcommand2 === "refs") {
+    runDevStatusRefsCliCommand(args, deps);
+    return;
+  }
+  if (subcommand === "check" && subcommand2 === "v1") {
+    runDevCheckV1CliCommand(args, deps);
+    return;
+  }
+  if (subcommand === "check" && subcommand2 === "flow") {
+    if (deps.argString(args, "_subcommand3") === "init") {
+      runDevCheckFlowInitCliCommand(args, deps);
+      return;
+    }
+    if (deps.argString(args, "_subcommand3") === "lint") {
+      runDevCheckFlowLintCliCommand(args, deps);
+      return;
+    }
+    runDevCheckFlowCliCommand(args, deps);
+    return;
+  }
+  const from = deps.argString(args, "from");
+  if (!from) {
+    throw new Error("Missing required argument: --from <manifest.json>");
+  }
+  const once = deps.argFlag(args, "once");
+  const watchEnabled = !deps.argFlag(args, "no-watch");
+  const host = deps.argString(args, "host") || "127.0.0.1";
+  const port = Number(deps.argString(args, "port") || "4011");
+  const first = deps.parseManifestFromFile(from);
+  console.log(
+    `Dev manifest loaded: ${first.filePath}
+Slug: ${first.manifest.slug}
+Tools: ${first.manifest.tools.length}
+Widgets: ${first.manifest.widgets.length}`
+  );
+  deps.runDryRun(args, first.manifest);
+  if (once) return;
+  const manifestPath = first.filePath;
+  let currentManifest = first.manifest;
+  let watchTimer = null;
+  const watcher = watchEnabled ? import_node_fs6.default.watch(manifestPath, () => {
+    if (watchTimer) clearTimeout(watchTimer);
+    watchTimer = setTimeout(() => {
+      try {
+        const parsed = deps.parseManifestFromFile(manifestPath);
+        currentManifest = parsed.manifest;
+        console.log(
+          `Manifest revalidated: ${parsed.filePath}
+Slug: ${parsed.manifest.slug}
+Tools: ${parsed.manifest.tools.length}
+Widgets: ${parsed.manifest.widgets.length}`
+        );
+      } catch (err) {
+        console.error(`Manifest validation failed: ${err?.message || String(err)}`);
+      }
+    }, 120);
+  }) : null;
+  const server = import_node_http.default.createServer(async (req, res) => {
+    const method = (req.method || "GET").toUpperCase();
+    const url = req.url || "/";
+    const eventMatch = /^\/v1\/requests\/([^/]+)\/events\/?$/.exec(url);
+    const completeMatch = /^\/v1\/requests\/([^/]+)\/complete\/?$/.exec(url);
+    if (method === "POST" && (eventMatch || completeMatch)) {
+      const requestId = decodeURIComponent((eventMatch || completeMatch)[1]);
+      const payload = await deps.readRequestBody(req);
+      const kind = eventMatch ? "event" : "complete";
+      const payloadText = JSON.stringify(payload);
+      console.log(
+        `[dev-callback] ${kind} request_id=${requestId} slug=${currentManifest.slug} payload=${payloadText}`
+      );
+      const response = {
+        ok: true,
+        simulated: true,
+        kind,
+        request_id: requestId
+      };
+      res.statusCode = 200;
+      res.setHeader("content-type", "application/json");
+      res.end(JSON.stringify(response));
+      return;
+    }
+    res.statusCode = 404;
+    res.setHeader("content-type", "application/json");
+    res.end(JSON.stringify({ ok: false, error: "not_found" }));
+  });
+  await new Promise((resolve, reject) => {
+    server.once("error", reject);
+    server.listen(port, host, () => {
+      server.off("error", reject);
+      resolve();
+    });
+  });
+  console.log(
+    `xapps dev running
+Manifest watch: ${watchEnabled ? "on" : "off"}
+Mock callbacks: http://${host}:${port}
+Endpoints: POST /v1/requests/:id/events and POST /v1/requests/:id/complete`
+  );
+  await new Promise((resolve) => {
+    const shutdown = () => {
+      if (watchTimer) {
+        clearTimeout(watchTimer);
+      }
+      watcher?.close();
+      server.close(() => resolve());
+    };
+    process.once("SIGINT", shutdown);
+    process.once("SIGTERM", shutdown);
+  });
+}
+
+// src/cli.ts
+var DEFAULT_PUBLISH_BUNDLES_DIR = import_node_path7.default.join("artifacts", "xapps-publish");
+var CliError = class extends Error {
+  code;
+  details;
+  exitCode;
+  constructor(code, message, details, options) {
+    super(message);
+    this.name = "CliError";
+    this.code = code;
+    this.details = details;
+    this.exitCode = options?.exitCode;
+  }
+};
+function printUsage() {
+  console.log(`xapps CLI
+
+Usage:
+  Public/stable publish surface:
+  xapps import --from <openapi-file-or-url> --out <manifest.json> [options]
+  xapps init --out <directory> [options]
+  xapps validate --from <manifest.json>
+  xapps test --from <manifest.json> --vectors <test-vectors.json>
+  xapps publish --from <manifest.json> [options]
+  xapps logs [options]
+  xapps publisher endpoint credential set [options]
+  xapps publisher endpoint credential ensure [options]
+
+  Local/repo-only helpers:
+  xapps dev --from <manifest.json> [options]
+  xapps context export --from <manifest.json> [options]
+  xapps tunnel --target <base-url> [options]
+  xapps ai plan --mode internal --from <manifest.json> [--preset <internal-v1>] [--flow <name>] [--mocks-dir <dir>] [--guidance <text> | --guidance-file <file> | --ask-guidance] [--llm] [--llm-model <model>] [--llm-timeout-ms <n>] [--apply-manifest-hints] [--json]
+    Example guidance: "Infer complete form fields from mockups, build a step wizard, add supported preview sections, and exclude payment screens because payment is handled by guards."
+    LLM flags: --llm-api-key <key> --llm-base-url <url> --llm-model <model> --llm-timeout-ms <n> (default model: gpt-5.2, default timeout: 30000ms)
+  xapps ai check --mode internal --plan <plan.json> [--policy <policy.json> | --policy-preset <internal-readonly>] [--json]
+  xapps dev status refs [--json]
+  xapps dev check v1 [--json]
+  xapps dev check flow --name <flow> [--json] [--run] [--artifacts-dir <dir>]
+  xapps dev check flow --from <flow.json> [--json] [--run] [--artifacts-dir <dir>]
+  xapps dev check flow init --out <flow.json> --type <ai-artifacts|manual-loop> [--flow-id <id>] [--manifest <path>] [--policy <path>] [--smoke-script <path>] [--json]
+  xapps dev check flow lint --from <flow.json> [--json]
+
+Global options:
+  --profile <name>           Profile name from ~/.xapps/config (or env XAPPS_CLI_PROFILE)
+
+Import options:
+  --name <name>               App name (default: OpenAPI info.title)
+  --slug <slug>               Manifest slug (default: slugified app name)
+  --version <semver>          Manifest version (default: 1.0.0)
+  --description <text>        Manifest description
+  --endpoint <base_url>       Endpoint base_url (default: https://api.example.com)
+  --endpoint-env <env>        Endpoint env key (default: prod)
+  --fetch-timeout-ms <n>      Remote OpenAPI fetch timeout in ms (default: 10000)
+
+Init options:
+  --name <name>               App name (default: My Xapp)
+  --slug <slug>               Manifest slug (default: slugified app name)
+  --version <semver>          Manifest version (default: 1.0.0)
+  --force                     Overwrite existing files
+
+Test options:
+  --from <manifest.json>      Manifest file to validate against
+  --vectors <vectors.json>    Request/response contract vectors
+
+Publish options:
+  --from <manifest.json>      Manifest file to package
+  --out <file-or-dir>         Output file or directory (default: artifacts/xapps-publish/<slug>/<version>)
+  --dry-run                   Validate + print summary only (no files written)
+  --yes                       Skip release confirmation prompt (required in non-interactive mode)
+  --force                     Overwrite target artifact if it exists
+  --publish-url <url>         Optional remote publish endpoint (POST bundle JSON)
+  --publisher-gateway-url <url>  Optional local gateway publisher API base URL (uses /publisher/* routes)
+  --target-client-slug <slug> Resolve tenant slug to target_client_id via --publisher-gateway-url for publish
+  --replace <A=B>             Replace placeholder/text A with literal B in manifest before publish (repeatable)
+  --replace-env <A=ENV>       Replace placeholder/text A with process.env[ENV] before publish (repeatable)
+  --bump-version <kind>       Bump manifest version before publish: patch|minor|major
+  --write-manifest-version    Write bumped version back to source manifest file (only version field is persisted)
+  --allow-unresolved-placeholders  Skip preflight failure when __PLACEHOLDER__ tokens remain after replacements
+  --token <token>             Bearer token for --publish-url (or env XAPPS_CLI_TOKEN)
+  --api-key <key>             API key header value (or env XAPPS_CLI_API_KEY)
+  --signing-key <key>         HMAC key for signed publish metadata headers (or env XAPPS_CLI_SIGNING_KEY)
+  --version-conflict <mode>   Version conflict policy: fail|allow (default: fail)
+  --release-channel <name>    Release channel label for remote publish handoff (default: stable)
+  --registry-target <name>    Registry target/namespace label for remote publish handoff
+  --idempotency-key <key>     Idempotency key header for --publish-url handoff
+  --timeout-ms <n>            Remote publish timeout in ms (default: 10000)
+  --retry-attempts <n>        Remote publish retry attempts for transient failures (default: 1)
+  --retry-backoff-ms <n>      Base backoff between publish retries (default: 250)
+
+Publisher endpoint credential set/ensure options:
+  --gateway-url <url>         Gateway base URL (auto-uses /v1 if path omitted)
+  --api-key <key>             Publisher API key (or env XAPPS_CLI_API_KEY)
+  --token <token>             Publisher bearer token (or env XAPPS_CLI_TOKEN)
+  --endpoint-id <id>          Endpoint id (optional if using --xapp-slug + --env)
+  --xapp-slug <slug>          Resolve endpoint by publisher xapp slug
+  --target-client-slug <slug> Resolve the tenant-scoped xapp variant before endpoint lookup
+  --env <name>                Endpoint env when resolving by xapp slug (default: prod)
+  --auth-type <type>          Endpoint auth type (default: api-key)
+  --header-name <name>        API key header name for api-key header auth (default: x-xplace-api-key)
+  --secret-env <ENV>          Read initial credential key secret from environment variable
+  --secret-stdin              Read initial credential key secret from stdin
+  --secret-ref <ref>          Store a gateway secret provider reference instead of literal secret
+  --key-status <status>       Initial key status (default: active)
+  --key-algorithm <alg>       Initial key algorithm (default: hmac-sha256)
+  --json                      Machine-readable output
+
+Logs options:
+  --from <bundle.json>        Read a single local publish bundle
+  --dir <path>                Scan publish bundles in directory (default: artifacts/xapps-publish)
+  --limit <n>                 Max entries (default: 10)
+  --json                      Print JSON output
+  --logs-url <url>            Optional remote logs endpoint (GET)
+  --token <token>             Bearer token for --logs-url (or env XAPPS_CLI_TOKEN)
+  --api-key <key>             API key header value (or env XAPPS_CLI_API_KEY)
+  --cursor <value>            Optional pagination cursor for remote logs
+  --lease-id <value>          Optional managed log stream lease identifier
+  --checkpoint <value>        Optional managed log stream checkpoint token
+  --severity <value>          Optional remote filter (ex: error or error,warn)
+  --since <iso>               Optional remote filter start timestamp
+  --until <iso>               Optional remote filter end timestamp
+  --follow                    Keep polling remote logs and resume from next cursor
+  --follow-interval-ms <n>    Poll interval for --follow mode (default: 2000)
+  --follow-max-cycles <n>     Optional max follow polling cycles (for automation/testing)
+  --follow-cursor-file <path> Persist/restore follow cursor state to local file
+  --timeout-ms <n>            Remote logs timeout in ms (default: 10000)
+  --retry-attempts <n>        Remote logs retry attempts for transient failures (default: 1)
+  --retry-backoff-ms <n>      Base backoff between logs retries (default: 250)
+
+Context export options:
+  export --from <manifest.json>   Manifest file to export deterministic context from
+  --out <file>                    Write context JSON to file (default: stdout)
+  --preset <name>                 Optional repo-only context preset (Phase 1: internal-v1)
+
+Tunnel options:
+  --target <base-url>         Relay target base URL (required)
+  --allow-target-hosts <csv>  Explicit target host allowlist (default: 127.0.0.1,localhost,::1)
+  --host <host>               Relay bind host (default: 127.0.0.1)
+  --listen-port <port>        Relay bind port (default: 4041)
+  --session-id <id>           Stable tunnel session id (optional)
+  --session-file <path>       Persist/reuse session id across restarts
+  --session-policy <mode>     Session lifecycle policy: reuse|require|rotate (default: reuse)
+  --require-auth-token <tok>  Require inbound relay token (header x-xapps-tunnel-token or Bearer)
+  --upstream-timeout-ms <n>   Upstream request timeout in ms (default: 15000)
+  --retry-attempts <n>        Upstream retry attempts for GET/HEAD/OPTIONS transient failures (default: 1)
+  --retry-backoff-ms <n>      Base backoff between upstream retries (default: 200)
+  --once                      Start, print config, and exit
+
+Dev options:
+  --from <manifest.json>      Manifest file to validate/watch
+  --dry-run <request.json>    Inspect a request payload against manifest tools
+  --port <port>               Mock callback server port (default: 4011)
+  --host <host>               Mock callback server host (default: 127.0.0.1)
+  --once                      Validate + dry-run only; skip watch/server
+  --no-watch                  Disable manifest watch loop
+
+Notes:
+  - Public/stable surface focuses on manifest authoring, validation, publish, logs, and publisher endpoint credentials.
+  - AI/internal preset/dev-check commands are repo-only helpers and require the xapps monorepo checkout.
+`);
+}
+function parseArgs(argv) {
+  const [command = "", ...rest] = argv;
+  const args = {};
+  let subcommandCount = 0;
+  for (let i = 0; i < rest.length; i += 1) {
+    const token = rest[i];
+    if (!token.startsWith("--")) {
+      subcommandCount += 1;
+      if (subcommandCount === 1) args._subcommand = token;
+      else if (subcommandCount === 2) args._subcommand2 = token;
+      else if (subcommandCount === 3) args._subcommand3 = token;
+      continue;
+    }
+    const key = token.slice(2);
+    const next = rest[i + 1];
+    if (!next || next.startsWith("--")) {
+      if (args[key] === void 0) {
+        args[key] = true;
+      } else if (Array.isArray(args[key])) {
+        args[key].push("true");
+      } else if (typeof args[key] === "string") {
+        args[key] = [args[key], "true"];
+      }
+      continue;
+    }
+    if (args[key] === void 0) {
+      args[key] = next;
+    } else if (Array.isArray(args[key])) {
+      args[key].push(next);
+    } else if (typeof args[key] === "string") {
+      args[key] = [args[key], next];
+    } else {
+      args[key] = [next];
+    }
+    i += 1;
+  }
+  return { command, args };
+}
+function argString(args, ...keys) {
+  for (const key of keys) {
+    const value = args[key];
+    if (Array.isArray(value)) {
+      for (let i = value.length - 1; i >= 0; i -= 1) {
+        const item = value[i];
+        if (typeof item === "string" && item.trim()) return item.trim();
+      }
+      continue;
+    }
+    if (typeof value === "string" && value.trim()) {
+      return value.trim();
+    }
+  }
+  return void 0;
+}
+function argStrings(args, ...keys) {
+  const out = [];
+  for (const key of keys) {
+    const value = args[key];
+    if (Array.isArray(value)) {
+      for (const item of value) {
+        if (typeof item === "string" && item.trim()) out.push(item.trim());
+      }
+      continue;
+    }
+    if (typeof value === "string" && value.trim()) {
+      out.push(value.trim());
+    }
+  }
+  return out;
+}
+function argFlag(args, key) {
+  const value = args[key];
+  if (value === true) return true;
+  if (Array.isArray(value)) return value.includes("true");
+  return false;
+}
+function shellEscapeArg2(value) {
+  const input2 = String(value ?? "");
+  if (/^[A-Za-z0-9_./:-]+$/.test(input2)) return input2;
+  return `'${input2.replace(/'/g, `'"'"'`)}'`;
+}
+function applyFlowCommandTemplates(command, params) {
+  return String(command || "").replaceAll("{{ARTIFACTS_DIR}}", params.artifactsDir);
+}
+function normalizePublisherGatewayApiBaseUrl2(input2) {
+  const raw = String(input2 || "").trim();
+  if (!raw) return "";
+  const parsed = new URL(raw);
+  const pathname = parsed.pathname || "/";
+  if (pathname === "/" || pathname === "") {
+    parsed.pathname = "/v1";
+    return parsed.toString().replace(/\/+$/g, "");
+  }
+  return parsed.toString().replace(/\/+$/g, "");
+}
+function defaultCliConfigPath() {
+  return import_node_path7.default.join(import_node_os.default.homedir(), ".xapps", "config");
+}
+function parseVersionConflictPolicy(value, fallback = "fail") {
+  if (!value) return fallback;
+  const normalized = String(value).trim().toLowerCase();
+  if (normalized === "fail" || normalized === "allow") return normalized;
+  throw new CliError(
+    "CLI_INVALID_OPTION",
+    `Invalid --version-conflict: ${value} (expected fail|allow)`,
+    { label: "--version-conflict", value }
+  );
+}
+function parseManifestReplaceLiteral(raw) {
+  const idx = raw.indexOf("=");
+  if (idx <= 0) {
+    throw new CliError("CLI_INVALID_OPTION", `Invalid --replace value: ${raw} (expected FROM=TO)`, {
+      label: "--replace",
+      value: raw
+    });
+  }
+  const from = raw.slice(0, idx).trim();
+  const to = raw.slice(idx + 1);
+  if (!from) {
+    throw new CliError("CLI_INVALID_OPTION", `Invalid --replace value: ${raw} (empty FROM)`, {
+      label: "--replace",
+      value: raw
+    });
+  }
+  return { from, to, source: "literal" };
+}
+function parseManifestReplaceEnv(raw) {
+  const idx = raw.indexOf("=");
+  if (idx <= 0) {
+    throw new CliError(
+      "CLI_INVALID_OPTION",
+      `Invalid --replace-env value: ${raw} (expected FROM=ENV_VAR)`,
+      { label: "--replace-env", value: raw }
+    );
+  }
+  const from = raw.slice(0, idx).trim();
+  const envName = raw.slice(idx + 1).trim();
+  if (!from || !envName) {
+    throw new CliError(
+      "CLI_INVALID_OPTION",
+      `Invalid --replace-env value: ${raw} (empty FROM or ENV_VAR)`,
+      { label: "--replace-env", value: raw }
+    );
+  }
+  const envValue = process.env[envName];
+  if (typeof envValue !== "string" || envValue.length === 0) {
+    throw new CliError(
+      "CLI_INVALID_OPTION",
+      `Environment variable missing/empty for --replace-env ${envName}`,
+      { label: "--replace-env", value: raw, env: envName }
+    );
+  }
+  return { from, to: envValue, source: "env", sourceName: envName };
+}
+function applyManifestReplaceRulesDeep(input2, rules) {
+  if (!rules.length) return input2;
+  const replaceToken = (raw) => {
+    let next = raw;
+    for (const rule of rules) {
+      next = next.split(rule.from).join(rule.to);
+    }
+    return next;
+  };
+  const walk = (value) => {
+    if (typeof value === "string") {
+      return replaceToken(value);
+    }
+    if (Array.isArray(value)) return value.map(walk);
+    if (value && typeof value === "object") {
+      const out = {};
+      for (const [k, v] of Object.entries(value)) {
+        out[replaceToken(k)] = walk(v);
+      }
+      return out;
+    }
+    return value;
+  };
+  return walk(input2);
+}
+function findUnresolvedPlaceholderTokens(input2) {
+  const seen = /* @__PURE__ */ new Set();
+  const re = /__[A-Z0-9_]+__/g;
+  const collect = (raw) => {
+    const matches = raw.match(re);
+    if (matches) for (const m of matches) seen.add(m);
+  };
+  const walk = (value) => {
+    if (typeof value === "string") {
+      collect(value);
+      return;
+    }
+    if (Array.isArray(value)) {
+      for (const item of value) walk(item);
+      return;
+    }
+    if (value && typeof value === "object") {
+      for (const [k, v] of Object.entries(value)) {
+        collect(k);
+        walk(v);
+      }
+      return;
+    }
+  };
+  walk(input2);
+  return Array.from(seen).sort();
+}
+function parseVersionBumpKind(value) {
+  if (!value) return null;
+  const normalized = String(value).trim().toLowerCase();
+  if (normalized === "patch" || normalized === "minor" || normalized === "major") {
+    return normalized;
+  }
+  throw new CliError(
+    "CLI_INVALID_OPTION",
+    `Invalid --bump-version: ${value} (expected patch|minor|major)`,
+    { label: "--bump-version", value }
+  );
+}
+function bumpSemverVersionOrThrow(version, kind) {
+  const match = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version || "").trim());
+  if (!match) {
+    throw new CliError("CLI_INVALID_OPTION", `Cannot ${kind}-bump non-semver version: ${version}`, {
+      label: "--bump-version",
+      version
+    });
+  }
+  let major = Number(match[1]);
+  let minor = Number(match[2]);
+  let patch = Number(match[3]);
+  if (kind === "major") {
+    major += 1;
+    minor = 0;
+    patch = 0;
+  } else if (kind === "minor") {
+    minor += 1;
+    patch = 0;
+  } else {
+    patch += 1;
+  }
+  return `${major}.${minor}.${patch}`;
+}
+function parseTunnelSessionPolicy(value, fallback = "reuse") {
+  if (!value) return fallback;
+  const normalized = String(value).trim().toLowerCase();
+  if (normalized === "reuse" || normalized === "require" || normalized === "rotate") {
+    return normalized;
+  }
+  throw new CliError(
+    "CLI_INVALID_OPTION",
+    `Invalid --session-policy: ${value} (expected reuse|require|rotate)`,
+    { label: "--session-policy", value }
+  );
+}
+function parseReleaseLabel(label, fallback, optionName) {
+  const raw = String(label || fallback || "").trim().toLowerCase();
+  if (!raw)
+    return String(fallback || "").trim().toLowerCase();
+  if (!/^[a-z0-9][a-z0-9._-]{0,63}$/.test(raw)) {
+    throw new CliError(
+      "CLI_INVALID_OPTION",
+      `Invalid ${optionName}: ${label} (expected 1-64 chars: a-z, 0-9, ., _, -)`,
+      { label: optionName, value: label }
+    );
+  }
+  return raw;
+}
+function parseCsvSet(value, fallbackCsv) {
+  const raw = String(value || fallbackCsv);
+  return new Set(
+    raw.split(",").map((item) => item.trim().toLowerCase()).filter(Boolean)
+  );
+}
+function randomSessionId(prefix = "tnl") {
+  return `${prefix}_${Date.now()}_${Math.random().toString(36).slice(2, 10)}`;
+}
+function resolveCursorStatePath(rawPath) {
+  return import_node_path7.default.resolve(process.cwd(), rawPath);
+}
+function loadLogsResumeState(filePathRaw) {
+  const filePath = resolveCursorStatePath(filePathRaw);
+  if (!import_node_fs7.default.existsSync(filePath)) return {};
+  try {
+    const raw = import_node_fs7.default.readFileSync(filePath, "utf8").trim();
+    if (!raw) return {};
+    if (!raw.startsWith("{")) {
+      return { cursor: raw };
+    }
+    const parsed = JSON.parse(raw);
+    if (!isPlainObject4(parsed)) {
+      throw new Error("resume state must be a JSON object");
+    }
+    const cursor = typeof parsed.cursor === "string" ? String(parsed.cursor) : typeof parsed.next_cursor === "string" ? String(parsed.next_cursor) : "";
+    const leaseId = typeof parsed.lease_id === "string" ? String(parsed.lease_id) : typeof parsed.leaseId === "string" ? String(parsed.leaseId) : "";
+    const checkpoint = typeof parsed.checkpoint === "string" ? String(parsed.checkpoint) : typeof parsed.checkpoint_token === "string" ? String(parsed.checkpoint_token) : typeof parsed.checkpointToken === "string" ? String(parsed.checkpointToken) : "";
+    return {
+      ...cursor ? { cursor } : {},
+      ...leaseId ? { leaseId } : {},
+      ...checkpoint ? { checkpoint } : {}
+    };
+  } catch (err) {
+    throw new CliError(
+      "CLI_CURSOR_STATE_IO",
+      `Failed reading cursor state file: ${filePath} (${err?.message || String(err)})`,
+      { filePath }
+    );
+  }
+}
+function saveLogsResumeState(filePathRaw, state) {
+  const filePath = resolveCursorStatePath(filePathRaw);
+  try {
+    import_node_fs7.default.mkdirSync(import_node_path7.default.dirname(filePath), { recursive: true });
+    const cursor = String(state.cursor || "").trim();
+    const leaseId = String(state.leaseId || "").trim();
+    const checkpoint = String(state.checkpoint || "").trim();
+    if (!leaseId && !checkpoint) {
+      import_node_fs7.default.writeFileSync(filePath, `${cursor}
+`);
+      return;
+    }
+    const payload = {
+      v: 1,
+      ...cursor ? { cursor } : {},
+      ...leaseId ? { lease_id: leaseId } : {},
+      ...checkpoint ? { checkpoint } : {},
+      updated_at: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    import_node_fs7.default.writeFileSync(filePath, JSON.stringify(payload, null, 2));
+  } catch (err) {
+    throw new CliError(
+      "CLI_CURSOR_STATE_IO",
+      `Failed writing cursor state file: ${filePath} (${err?.message || String(err)})`,
+      { filePath }
+    );
+  }
+}
+function loadTunnelSessionState(filePathRaw) {
+  const filePath = import_node_path7.default.resolve(process.cwd(), filePathRaw);
+  if (!import_node_fs7.default.existsSync(filePath)) return null;
+  try {
+    const raw = import_node_fs7.default.readFileSync(filePath, "utf8").trim();
+    if (!raw) return null;
+    if (!raw.startsWith("{")) {
+      return { sessionId: raw };
+    }
+    const parsed = JSON.parse(raw);
+    if (!isPlainObject4(parsed)) {
+      throw new Error("session state must be a JSON object");
+    }
+    const sessionId = typeof parsed.session_id === "string" ? String(parsed.session_id).trim() : typeof parsed.sessionId === "string" ? String(parsed.sessionId).trim() : "";
+    if (!sessionId) {
+      throw new Error("session_id is required");
+    }
+    const target = typeof parsed.target === "string" ? String(parsed.target).trim() : "";
+    const updatedAt = typeof parsed.updated_at === "string" ? String(parsed.updated_at).trim() : typeof parsed.updatedAt === "string" ? String(parsed.updatedAt).trim() : "";
+    const schemaVersion = typeof parsed.v === "number" ? Number(parsed.v) : typeof parsed.version === "number" ? Number(parsed.version) : void 0;
+    return {
+      sessionId,
+      ...target ? { target } : {},
+      ...updatedAt ? { updatedAt } : {},
+      ...schemaVersion !== void 0 ? { schemaVersion } : {}
+    };
+  } catch (err) {
+    throw new CliError(
+      "CLI_TUNNEL_SESSION_IO",
+      `Failed reading tunnel session file: ${filePath} (${err?.message || String(err)})`,
+      { filePath }
+    );
+  }
+}
+function saveTunnelSessionState(filePathRaw, state) {
+  const filePath = import_node_path7.default.resolve(process.cwd(), filePathRaw);
+  try {
+    import_node_fs7.default.mkdirSync(import_node_path7.default.dirname(filePath), { recursive: true });
+    const payload = {
+      v: 1,
+      session_id: state.sessionId,
+      ...state.target ? { target: state.target } : {},
+      updated_at: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    import_node_fs7.default.writeFileSync(filePath, `${JSON.stringify(payload, null, 2)}
+`);
+  } catch (err) {
+    throw new CliError(
+      "CLI_TUNNEL_SESSION_IO",
+      `Failed writing tunnel session file: ${filePath} (${err?.message || String(err)})`,
+      { filePath }
+    );
+  }
+}
+function base64url(input2) {
+  return input2.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function stableStringify(input2) {
+  const keys = Object.keys(input2).sort((a, b) => a.localeCompare(b));
+  const out = {};
+  for (const key of keys) out[key] = input2[key];
+  return JSON.stringify(out);
+}
+function canonicalizeJson(value) {
+  if (Array.isArray(value)) {
+    return value.map((item) => canonicalizeJson(item));
+  }
+  if (value && typeof value === "object") {
+    const out = {};
+    for (const key of Object.keys(value).sort(
+      (a, b) => a.localeCompare(b)
+    )) {
+      out[key] = canonicalizeJson(value[key]);
+    }
+    return out;
+  }
+  return value;
+}
+function parseCliConfig(raw, sourcePath) {
+  try {
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      throw new CliError("CLI_CONFIG_INVALID", "config root must be a JSON object", {
+        sourcePath
+      });
+    }
+    return parsed;
+  } catch (err) {
+    if (err instanceof CliError) throw err;
+    throw new CliError(
+      "CLI_CONFIG_INVALID",
+      `Invalid CLI config JSON (${sourcePath}): ${err?.message || String(err)}`,
+      { sourcePath }
+    );
+  }
+}
+function loadCliConfig(_args) {
+  const configPath = process.env.XAPPS_CLI_CONFIG || defaultCliConfigPath();
+  if (!import_node_fs7.default.existsSync(configPath)) {
+    return { config: {}, configPath: null };
+  }
+  const raw = import_node_fs7.default.readFileSync(configPath, "utf8");
+  return { config: parseCliConfig(raw, configPath), configPath };
+}
+function getProfile(args) {
+  const { config, configPath } = loadCliConfig(args);
+  const profileName = argString(args, "profile") || process.env.XAPPS_CLI_PROFILE || config.defaultProfile || "";
+  if (!profileName) {
+    return { profileName: "", profile: {}, configPath };
+  }
+  const profile = config.profiles?.[profileName];
+  if (!profile || typeof profile !== "object") {
+    const configLabel = configPath || defaultCliConfigPath();
+    throw new CliError(
+      "CLI_PROFILE_NOT_FOUND",
+      `Unknown CLI profile '${profileName}' in ${configLabel}`,
+      {
+        profileName,
+        configPath: configLabel
+      }
+    );
+  }
+  return { profileName, profile, configPath };
+}
+async function confirmPublishOrThrow(summary) {
+  if (!process.stdin.isTTY || !process.stdout.isTTY) {
+    throw new CliError(
+      "CLI_CONFIRM_REQUIRED",
+      "Publish confirmation required in non-interactive mode. Re-run with --yes."
+    );
+  }
+  const rl = import_promises2.default.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const answer = await rl.question(
+      `Release ${summary.slug}@${summary.version} (tools=${summary.tools}, widgets=${summary.widgets})? [y/N] `
+    );
+    const normalized = String(answer || "").trim().toLowerCase();
+    if (normalized !== "y" && normalized !== "yes") {
+      throw new CliError("CLI_CONFIRM_DECLINED", "Publish cancelled by user.");
+    }
+  } finally {
+    rl.close();
+  }
+}
+async function readInput(from, fetchTimeoutMs) {
+  if (/^https?:\/\//i.test(from)) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), fetchTimeoutMs);
+    try {
+      const res = await fetch(from, { signal: controller.signal });
+      if (!res.ok) {
+        throw new CliError(
+          "CLI_REMOTE_FETCH_ERROR",
+          `Failed to fetch OpenAPI URL (${res.status}): ${from}`,
+          {
+            from,
+            status: res.status,
+            timeout_ms: fetchTimeoutMs
+          }
+        );
+      }
+      return await res.text();
+    } catch (err) {
+      if (err instanceof CliError) throw err;
+      if (err?.name === "AbortError") {
+        throw new CliError(
+          "CLI_REMOTE_FETCH_ERROR",
+          `OpenAPI fetch timed out after ${fetchTimeoutMs}ms: ${from}`,
+          { from, timeout_ms: fetchTimeoutMs }
+        );
+      }
+      throw new CliError("CLI_REMOTE_FETCH_ERROR", `Failed to fetch OpenAPI URL: ${from}`, {
+        from,
+        timeout_ms: fetchTimeoutMs,
+        cause: String(err?.message || err || "fetch_failed")
+      });
+    } finally {
+      clearTimeout(timer);
+    }
+  }
+  const absolute = import_node_path7.default.resolve(process.cwd(), from);
+  return import_node_fs7.default.readFileSync(absolute, "utf8");
+}
+function readJsonFile(file) {
+  const filePath = import_node_path7.default.resolve(process.cwd(), file);
+  const raw = import_node_fs7.default.readFileSync(filePath, "utf8");
+  try {
+    return JSON.parse(raw);
+  } catch (err) {
+    throw new Error(`Invalid JSON in ${filePath}: ${err?.message || String(err)}`);
+  }
+}
+function parseManifestFromFile(from) {
+  const filePath = import_node_path7.default.resolve(process.cwd(), from);
+  const parsed = readJsonFile(from);
+  return { manifest: (0, import_server_sdk3.parseXappManifest)(parsed), filePath };
+}
+function runContextExport(args) {
+  runContextExportCommand(args, {
+    argString,
+    findRepoRoot,
+    parseManifestFromFile,
+    buildDevRefs,
+    canonicalizeJson,
+    makeCliError: (code, message, details) => new CliError(code, message, details)
+  });
+}
+async function readRequestBody(req) {
+  const chunks = [];
+  for await (const chunk of req) {
+    if (typeof chunk === "string") {
+      chunks.push(Buffer.from(chunk));
+    } else {
+      chunks.push(chunk);
+    }
+  }
+  if (!chunks.length) return {};
+  const raw = Buffer.concat(chunks).toString("utf8");
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return { _raw: raw };
+  }
+}
+async function readRawRequestBody(req) {
+  const chunks = [];
+  for await (const chunk of req) {
+    if (typeof chunk === "string") chunks.push(Buffer.from(chunk));
+    else chunks.push(chunk);
+  }
+  return Buffer.concat(chunks);
+}
+function runDryRun(args, manifest) {
+  const dryRunFile = argString(args, "dry-run");
+  if (!dryRunFile) return;
+  const requestPath = import_node_path7.default.resolve(process.cwd(), dryRunFile);
+  const raw = import_node_fs7.default.readFileSync(requestPath, "utf8");
+  let payload;
+  try {
+    payload = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(
+      `Invalid JSON in dry-run payload ${requestPath}: ${err?.message || String(err)}`
+    );
+  }
+  const toolName = typeof payload?.tool_name === "string" ? payload.tool_name : "";
+  const tool = manifest.tools.find((item) => item.tool_name === toolName);
+  const inputKeys = payload && typeof payload.input === "object" && payload.input ? Object.keys(payload.input) : [];
+  console.log(
+    [
+      `Dry-run payload: ${requestPath}`,
+      `Request id: ${typeof payload?.request_id === "string" ? payload.request_id : "n/a"}`,
+      `Tool: ${toolName || "n/a"}${tool ? " (manifest match)" : " (not found in manifest)"}`,
+      `Input keys: ${inputKeys.length ? inputKeys.join(", ") : "(none)"}`
+    ].join("\n")
+  );
+}
+function findRepoRoot(startDir = process.cwd()) {
+  let current = import_node_path7.default.resolve(startDir);
+  for (let i = 0; i < 8; i += 1) {
+    if (import_node_fs7.default.existsSync(import_node_path7.default.join(current, "package.json")) && import_node_fs7.default.existsSync(import_node_path7.default.join(current, "dev"))) {
+      return current;
+    }
+    const parent = import_node_path7.default.dirname(current);
+    if (parent === current) break;
+    current = parent;
+  }
+  return null;
+}
+function isPlainObject4(value) {
+  return !!value && typeof value === "object" && !Array.isArray(value);
+}
+function resolvePublishBundlePath(outArg, slug, version) {
+  if (!outArg) {
+    return import_node_path7.default.resolve(process.cwd(), DEFAULT_PUBLISH_BUNDLES_DIR, slug, version, "bundle.json");
+  }
+  const resolved = import_node_path7.default.resolve(process.cwd(), outArg);
+  if (resolved.toLowerCase().endsWith(".json")) {
+    return resolved;
+  }
+  return import_node_path7.default.join(resolved, "bundle.json");
+}
+function parsePositiveIntOrThrow(value, fallback, label) {
+  if (!value) return fallback;
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed) || !Number.isInteger(parsed) || parsed <= 0) {
+    throw new CliError(
+      "CLI_INVALID_OPTION",
+      `Invalid ${label}: ${value} (expected positive integer)`,
+      { label, value }
+    );
+  }
+  return parsed;
+}
+function parseHttpUrlOrThrow2(value, label) {
+  let parsed;
+  try {
+    parsed = new URL(String(value || "").trim());
+  } catch {
+    throw new CliError("CLI_INVALID_OPTION", `Invalid ${label}: ${value}`, { label, value });
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new CliError(
+      "CLI_INVALID_OPTION",
+      `Invalid ${label} protocol (http/https required): ${value}`,
+      { label, value }
+    );
+  }
+  return parsed.toString();
+}
+function parseListenPortOrThrow(value, fallback) {
+  if (!value) return fallback;
+  const parsed = Number(value);
+  if (!Number.isInteger(parsed) || parsed < 1 || parsed > 65535) {
+    throw new CliError(
+      "CLI_INVALID_OPTION",
+      `Invalid --listen-port: ${value} (expected integer 1-65535)`,
+      { label: "--listen-port", value }
+    );
+  }
+  return parsed;
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, Math.max(0, ms)));
+}
+function isRetryableStatus(status) {
+  return status === 408 || status === 425 || status === 429 || status >= 500;
+}
+function appendForwardedHeader(existing, next) {
+  const normalized = next.trim();
+  if (!normalized) return existing || "";
+  if (!existing) return normalized;
+  return `${existing}, ${normalized}`;
+}
+function makeRetryableError(message, retryable = false) {
+  const err = new Error(message);
+  err.retryable = retryable;
+  return err;
+}
+function normalizeRemoteErrorDetails(bodyText) {
+  const text = String(bodyText || "").trim();
+  if (!text) return "";
+  try {
+    const parsed = JSON.parse(text);
+    if (!isPlainObject4(parsed)) {
+      return `body=${text.slice(0, 400)}`;
+    }
+    const errorCode = typeof parsed.error === "string" ? parsed.error : typeof parsed.code === "string" ? parsed.code : "";
+    const message = typeof parsed.message === "string" ? parsed.message : typeof parsed.detail === "string" ? parsed.detail : "";
+    const parts = [];
+    if (errorCode) parts.push(`error=${errorCode}`);
+    if (message) parts.push(`message=${message.slice(0, 300)}`);
+    return parts.length ? parts.join(" ") : `body=${text.slice(0, 400)}`;
+  } catch {
+    return `body=${text.slice(0, 400)}`;
+  }
+}
+function buildRemoteHttpFailureMessage(input2) {
+  const detail = normalizeRemoteErrorDetails(input2.bodyText);
+  const retryable = isRetryableStatus(input2.status);
+  return [
+    `Remote ${input2.channel} failed (status=${input2.status})`,
+    `url=${input2.url}`,
+    `retryable=${retryable ? "yes" : "no"}`,
+    detail
+  ].filter(Boolean).join(" ");
+}
+function normalizePublishOutcome(raw) {
+  const normalized = String(raw ?? "").trim().toLowerCase();
+  if (!normalized) return "";
+  if (normalized === "created" || normalized === "new" || normalized === "published" || normalized === "success")
+    return "created";
+  if (normalized === "updated" || normalized === "modified" || normalized === "replaced")
+    return "updated";
+  if (normalized === "already_exists" || normalized === "already-exists" || normalized === "exists" || normalized === "version_exists" || normalized === "version-exists" || normalized === "conflict")
+    return "already_exists";
+  return "";
+}
+function pickPublishAckContainers(payload) {
+  const containers = [payload];
+  const nestedKeys = ["ack", "data", "publish", "release", "result"];
+  for (const key of nestedKeys) {
+    const value = payload[key];
+    if (isPlainObject4(value)) {
+      containers.push(value);
+    }
+  }
+  return containers;
+}
+function parsePublishAck(payload) {
+  if (!isPlainObject4(payload)) {
+    return { hasOutcomeSignal: false };
+  }
+  const candidates = pickPublishAckContainers(payload);
+  let outcome = "";
+  let hasOutcomeSignal = false;
+  let releaseId = "";
+  let registryEntry = "";
+  let provider = "";
+  for (const candidate of candidates) {
+    const outcomeRaw = candidate.outcome ?? candidate.result ?? candidate.status ?? candidate.state ?? candidate.disposition;
+    if (outcomeRaw !== void 0) {
+      hasOutcomeSignal = true;
+      const normalized = normalizePublishOutcome(outcomeRaw);
+      if (normalized) outcome = normalized;
+    }
+    if (!releaseId) {
+      const value = candidate.release_id ?? candidate.releaseId ?? candidate.id;
+      if (typeof value === "string" && value.trim()) releaseId = value.trim();
+    }
+    if (!registryEntry) {
+      const value = candidate.registry_entry ?? candidate.registryEntry;
+      if (typeof value === "string" && value.trim()) registryEntry = value.trim();
+    }
+    if (!provider) {
+      const value = candidate.provider ?? candidate.publisher ?? candidate.vendor;
+      if (typeof value === "string" && value.trim()) provider = value.trim();
+    }
+  }
+  return {
+    ...outcome ? { outcome } : {},
+    ...releaseId ? { releaseId } : {},
+    ...registryEntry ? { registryEntry } : {},
+    ...provider ? { provider } : {},
+    hasOutcomeSignal
+  };
+}
+function detectPublishConflict(bodyText) {
+  const text = String(bodyText || "").trim();
+  if (!text) return false;
+  try {
+    const parsed = JSON.parse(text);
+    if (!isPlainObject4(parsed)) return false;
+    const parts = [];
+    const pushIfString = (value) => {
+      if (typeof value === "string" && value.trim()) parts.push(value.trim().toLowerCase());
+    };
+    const containers = pickPublishAckContainers(parsed);
+    for (const item of containers) {
+      pushIfString(item.error);
+      pushIfString(item.code);
+      pushIfString(item.reason);
+      pushIfString(item.message);
+      pushIfString(item.outcome);
+      pushIfString(item.result);
+      pushIfString(item.status);
+      pushIfString(item.state);
+    }
+    return parts.some(
+      (value) => /already[_-]?exists|version[_-]?exists|version[_-]?conflict|conflict/.test(value)
+    );
+  } catch {
+    return false;
+  }
+}
+async function withRetries(input2) {
+  const attempts = Math.max(1, input2.attempts);
+  let lastError = null;
+  for (let attempt = 1; attempt <= attempts; attempt += 1) {
+    try {
+      return await input2.action(attempt);
+    } catch (err) {
+      lastError = err;
+      const retryable = Boolean(err?.retryable);
+      const isLast = attempt >= attempts;
+      if (!retryable || isLast) {
+        break;
+      }
+      const backoff = Math.max(0, input2.backoffMs) * attempt;
+      await sleep(backoff);
+    }
+  }
+  throw lastError;
+}
+async function postPublishBundle(input2) {
+  return withRetries({
+    attempts: input2.retryAttempts,
+    backoffMs: input2.retryBackoffMs,
+    action: async (attempt) => {
+      const controller = new AbortController();
+      const timer = setTimeout(() => controller.abort(), input2.timeoutMs);
+      try {
+        const headers = new Headers({ "content-type": "application/json" });
+        if (input2.token) {
+          headers.set("authorization", `Bearer ${input2.token}`);
+        }
+        if (input2.apiKey) {
+          headers.set("x-api-key", input2.apiKey);
+        }
+        if (input2.metadataHeaders) {
+          headers.set("x-xapps-meta", input2.metadataHeaders.meta);
+          headers.set("x-xapps-meta-signature", input2.metadataHeaders.signature);
+        }
+        headers.set("x-xapps-version-conflict-policy", input2.versionConflictPolicy);
+        headers.set("x-xapps-release-channel", input2.releaseChannel);
+        if (input2.registryTarget) {
+          headers.set("x-xapps-registry-target", input2.registryTarget);
+        }
+        if (input2.idempotencyKey) {
+          headers.set("x-idempotency-key", input2.idempotencyKey);
+        }
+        const res = await fetch(input2.publishUrl, {
+          method: "POST",
+          headers,
+          body: JSON.stringify(input2.payload),
+          signal: controller.signal
+        });
+        if (!res.ok) {
+          const body = await res.text().catch(() => "");
+          if (res.status === 409) {
+            const details = normalizeRemoteErrorDetails(body);
+            const looksLikeConflict = detectPublishConflict(body) || details.includes("already_exists");
+            if (looksLikeConflict) {
+              return {
+                status: res.status,
+                attempt,
+                outcome: "already_exists",
+                detail: details
+              };
+            }
+          }
+          const message = buildRemoteHttpFailureMessage({
+            channel: "publish",
+            status: res.status,
+            url: input2.publishUrl,
+            bodyText: body
+          });
+          throw makeRetryableError(message, isRetryableStatus(res.status));
+        }
+        const contentType = String(res.headers.get("content-type") || "").toLowerCase();
+        if (contentType.includes("application/json")) {
+          const payloadText = await res.text().catch(() => "");
+          const trimmed = payloadText.trim();
+          if (trimmed.length > 0) {
+            let parsed;
+            try {
+              parsed = JSON.parse(trimmed);
+            } catch {
+              throw makeRetryableError(
+                `Remote publish returned malformed JSON ack url=${input2.publishUrl}`,
+                false
+              );
+            }
+            if (isPlainObject4(parsed) && parsed.ok === false) {
+              const detail = normalizeRemoteErrorDetails(trimmed);
+              throw makeRetryableError(
+                `Remote publish rejected by ack url=${input2.publishUrl} ${detail}`,
+                false
+              );
+            }
+            if (isPlainObject4(parsed)) {
+              const ack = parsePublishAck(parsed);
+              const outcome = ack.outcome || "";
+              if (outcome === "updated") {
+                return {
+                  status: res.status,
+                  attempt,
+                  outcome: "updated",
+                  ...ack.releaseId ? { releaseId: ack.releaseId } : {},
+                  ...ack.registryEntry ? { registryEntry: ack.registryEntry } : {},
+                  ...ack.provider ? { provider: ack.provider } : {}
+                };
+              }
+              if (outcome === "already_exists") {
+                return {
+                  status: res.status,
+                  attempt,
+                  outcome: "already_exists",
+                  ...ack.releaseId ? { releaseId: ack.releaseId } : {},
+                  ...ack.registryEntry ? { registryEntry: ack.registryEntry } : {},
+                  ...ack.provider ? { provider: ack.provider } : {}
+                };
+              }
+              if (ack.hasOutcomeSignal && !outcome) {
+                throw makeRetryableError(
+                  `Remote publish returned unsupported outcome url=${input2.publishUrl}`,
+                  false
+                );
+              }
+              if (ack.releaseId || ack.registryEntry || ack.provider) {
+                return {
+                  status: res.status,
+                  attempt,
+                  outcome: "created",
+                  ...ack.releaseId ? { releaseId: ack.releaseId } : {},
+                  ...ack.registryEntry ? { registryEntry: ack.registryEntry } : {},
+                  ...ack.provider ? { provider: ack.provider } : {}
+                };
+              }
+            }
+          }
+        }
+        return { status: res.status, attempt, outcome: "created" };
+      } catch (err) {
+        if (err?.name === "AbortError") {
+          throw makeRetryableError(
+            `Remote publish timed out after ${input2.timeoutMs}ms url=${input2.publishUrl}`,
+            true
+          );
+        }
+        if (err?.retryable) {
+          throw err;
+        }
+        throw makeRetryableError(
+          `Remote publish request failed url=${input2.publishUrl} cause=${err?.message || String(err)}`,
+          true
+        );
+      } finally {
+        clearTimeout(timer);
+      }
+    }
+  });
+}
+async function runPublish(args) {
+  const from = argString(args, "from");
+  if (!from) {
+    throw new Error("Missing required argument: --from <manifest.json>");
+  }
+  const dryRun = argFlag(args, "dry-run");
+  const force = argFlag(args, "force");
+  const filePath = import_node_path7.default.resolve(process.cwd(), from);
+  const sourceManifestObject = readJsonFile(from);
+  if (!sourceManifestObject || typeof sourceManifestObject !== "object" || Array.isArray(sourceManifestObject)) {
+    throw new CliError("CLI_INVALID_ARGS", `Manifest file must contain a JSON object: ${filePath}`);
+  }
+  const replaceRules = [
+    ...argStrings(args, "replace").map(parseManifestReplaceLiteral),
+    ...argStrings(args, "replace-env").map(parseManifestReplaceEnv)
+  ];
+  const bumpVersionKind = parseVersionBumpKind(argString(args, "bump-version"));
+  const writeManifestVersion = argFlag(args, "write-manifest-version");
+  const allowUnresolvedPlaceholders = argFlag(args, "allow-unresolved-placeholders");
+  if (writeManifestVersion && !bumpVersionKind) {
+    throw new CliError(
+      "CLI_INVALID_ARGS",
+      "--write-manifest-version requires --bump-version patch|minor|major"
+    );
+  }
+  let manifestSourceForPublish = JSON.parse(JSON.stringify(sourceManifestObject));
+  if (replaceRules.length > 0) {
+    manifestSourceForPublish = applyManifestReplaceRulesDeep(
+      manifestSourceForPublish,
+      replaceRules
+    );
+  }
+  const sourceVersionBeforeBump = String(manifestSourceForPublish.version ?? "").trim();
+  let sourceVersionAfterBump = sourceVersionBeforeBump;
+  if (bumpVersionKind) {
+    sourceVersionAfterBump = bumpSemverVersionOrThrow(sourceVersionBeforeBump, bumpVersionKind);
+    manifestSourceForPublish.version = sourceVersionAfterBump;
+  }
+  const unresolvedPlaceholders = findUnresolvedPlaceholderTokens(manifestSourceForPublish);
+  if (unresolvedPlaceholders.length > 0 && !allowUnresolvedPlaceholders) {
+    throw new CliError(
+      "CLI_INVALID_ARGS",
+      `Manifest contains unresolved placeholders after replacements: ${unresolvedPlaceholders.join(", ")}`,
+      { placeholders: unresolvedPlaceholders, manifest: filePath }
+    );
+  }
+  const manifest = (0, import_server_sdk3.parseXappManifest)(manifestSourceForPublish);
+  const { profile } = getProfile(args);
+  const publishUrlRaw = argString(args, "publish-url") || process.env.XAPPS_CLI_PUBLISH_URL || profile.publishUrl;
+  const publishUrl = publishUrlRaw ? parseHttpUrlOrThrow2(publishUrlRaw, "--publish-url") : "";
+  const publisherGatewayUrlRaw = argString(args, "publisher-gateway-url") || process.env.XAPPS_CLI_PUBLISHER_GATEWAY_URL;
+  const publisherGatewayUrl = publisherGatewayUrlRaw ? parseHttpUrlOrThrow2(publisherGatewayUrlRaw, "--publisher-gateway-url") : "";
+  const publisherGatewayApiBaseUrl = publisherGatewayUrl ? normalizePublisherGatewayApiBaseUrl2(publisherGatewayUrl) : "";
+  const targetClientSlug = argString(args, "target-client-slug", "target_client_slug");
+  const token = argString(args, "token") || process.env.XAPPS_CLI_TOKEN || profile.token;
+  const apiKey = argString(args, "api-key", "apiKey") || process.env.XAPPS_CLI_API_KEY || profile.apiKey;
+  const signingKey = argString(args, "signing-key") || process.env.XAPPS_CLI_SIGNING_KEY || profile.signingKey;
+  const versionConflictPolicy = parseVersionConflictPolicy(
+    argString(args, "version-conflict"),
+    profile.versionConflict || "fail"
+  );
+  const releaseChannel = parseReleaseLabel(
+    argString(args, "release-channel") || process.env.XAPPS_CLI_RELEASE_CHANNEL || profile.releaseChannel,
+    "stable",
+    "--release-channel"
+  );
+  const registryTarget = parseReleaseLabel(
+    argString(args, "registry-target") || process.env.XAPPS_CLI_REGISTRY_TARGET || profile.registryTarget,
+    "",
+    "--registry-target"
+  );
+  const retryAttempts = parsePositiveIntOrThrow(
+    argString(args, "retry-attempts"),
+    1,
+    "--retry-attempts"
+  );
+  const retryBackoffMs = parsePositiveIntOrThrow(
+    argString(args, "retry-backoff-ms"),
+    250,
+    "--retry-backoff-ms"
+  );
+  const timeoutMsStrict = parsePositiveIntOrThrow(
+    argString(args, "timeout-ms"),
+    1e4,
+    "--timeout-ms"
+  );
+  let manifestForPublish = manifest;
+  if (targetClientSlug) {
+    if (!publisherGatewayApiBaseUrl) {
+      throw new CliError(
+        "CLI_INVALID_ARGS",
+        "Resolving --target-client-slug requires --publisher-gateway-url (tenant slug lookup uses publisher API).",
+        { target_client_slug: targetClientSlug }
+      );
+    }
+    const client = (0, import_server_sdk3.createPublisherApiClient)({
+      baseUrl: publisherGatewayApiBaseUrl,
+      apiKey,
+      token
+    });
+    let clientsPayload;
+    try {
+      clientsPayload = await client.listClients();
+    } catch (err) {
+      if (err instanceof import_server_sdk3.PublisherApiClientError) {
+        throw new CliError(
+          `CLI_${err.code}`,
+          `Publisher tenant lookup failed: ${err.message}`,
+          {
+            url: publisherGatewayUrl,
+            api_base_url: publisherGatewayApiBaseUrl,
+            status: err.status,
+            details: err.details,
+            target_client_slug: targetClientSlug
+          },
+          { exitCode: 4 }
+        );
+      }
+      throw err;
+    }
+    const matches = clientsPayload.items.filter(
+      (item) => String(item.slug || "").trim() === targetClientSlug
+    );
+    if (matches.length === 0) {
+      throw new CliError(
+        "CLI_INVALID_ARGS",
+        `Tenant slug not found via publisher API: ${targetClientSlug}`,
+        { target_client_slug: targetClientSlug, api_base_url: publisherGatewayApiBaseUrl }
+      );
+    }
+    if (matches.length > 1) {
+      throw new CliError(
+        "CLI_INVALID_ARGS",
+        `Tenant slug resolved ambiguously via publisher API: ${targetClientSlug}`,
+        { target_client_slug: targetClientSlug, matches: matches.map((m) => m.id || m.slug) }
+      );
+    }
+    const resolvedClientId = String(matches[0]?.id || "").trim();
+    if (!resolvedClientId) {
+      throw new CliError(
+        "CLI_INVALID_ARGS",
+        `Publisher API returned tenant without id for slug: ${targetClientSlug}`,
+        { target_client_slug: targetClientSlug, match: matches[0] }
+      );
+    }
+    manifestForPublish = {
+      ...manifest,
+      target_client_id: resolvedClientId
+    };
+  }
+  if (!Object.prototype.hasOwnProperty.call(manifestForPublish, "target_client_id") || !String(manifestForPublish.target_client_id || "").trim()) {
+    throw new CliError(
+      "CLI_INVALID_ARGS",
+      "Manifest publish requires target_client_id (tenant-aware publish is required). Use manifest.target_client_id or --target-client-slug with --publisher-gateway-url.",
+      { manifest: filePath }
+    );
+  }
+  const manifestJson = JSON.stringify(manifestForPublish);
+  const manifestSha256 = (0, import_node_crypto2.createHash)("sha256").update(manifestJson).digest("hex");
+  const idempotencyKey = argString(args, "idempotency-key") || `xapps-cli:${manifest.slug}:${manifest.version}:${manifestSha256.slice(0, 16)}`;
+  const outPath = resolvePublishBundlePath(argString(args, "out"), manifest.slug, manifest.version);
+  const summary = {
+    slug: manifest.slug,
+    version: manifest.version,
+    tools: manifest.tools.length,
+    widgets: manifest.widgets.length,
+    manifest_sha256: manifestSha256,
+    release_channel: releaseChannel,
+    ...registryTarget ? { registry_target: registryTarget } : {}
+  };
+  if (dryRun) {
+    console.log(
+      `Publish dry-run (no deploy)
+Manifest: ${filePath}
+Bundle target: ${outPath}
+Remote target: ${publishUrl || "(none)"}
+Summary: ${JSON.stringify(summary)}`
+    );
+    return;
+  }
+  if (!argFlag(args, "yes")) {
+    await confirmPublishOrThrow(summary);
+  }
+  if (!force && import_node_fs7.default.existsSync(outPath)) {
+    throw new Error(`Publish bundle already exists: ${outPath} (use --force to overwrite)`);
+  }
+  if (writeManifestVersion) {
+    if (sourceVersionBeforeBump !== sourceVersionAfterBump) {
+      const sourceUpdated = {
+        ...sourceManifestObject,
+        version: sourceVersionAfterBump
+      };
+      import_node_fs7.default.writeFileSync(filePath, `${JSON.stringify(sourceUpdated, null, 2)}
+`);
+    }
+  }
+  const bundle = {
+    schema_version: "xapps.publish.v0",
+    generated_at: (/* @__PURE__ */ new Date()).toISOString(),
+    manifest_source: filePath,
+    summary,
+    ...replaceRules.length > 0 ? {
+      manifest_transforms: {
+        replacements: replaceRules.map((rule) => ({
+          from: rule.from,
+          source: rule.source,
+          ...rule.sourceName ? { source_name: rule.sourceName } : {}
+        })),
+        ...bumpVersionKind ? {
+          version_bump: {
+            kind: bumpVersionKind,
+            from: sourceVersionBeforeBump,
+            to: sourceVersionAfterBump,
+            ...writeManifestVersion ? { wrote_source_manifest_version: true } : {}
+          }
+        } : {}
+      }
+    } : bumpVersionKind ? {
+      manifest_transforms: {
+        version_bump: {
+          kind: bumpVersionKind,
+          from: sourceVersionBeforeBump,
+          to: sourceVersionAfterBump,
+          ...writeManifestVersion ? { wrote_source_manifest_version: true } : {}
+        }
+      }
+    } : {},
+    release: {
+      channel: releaseChannel,
+      ...registryTarget ? { registry_target: registryTarget } : {},
+      version_conflict_policy: versionConflictPolicy
+    },
+    manifest: manifestForPublish
+  };
+  import_node_fs7.default.mkdirSync(import_node_path7.default.dirname(outPath), { recursive: true });
+  import_node_fs7.default.writeFileSync(outPath, JSON.stringify(bundle, null, 2));
+  const lines = [
+    `Publish bundle created: ${outPath}`,
+    `Summary: ${JSON.stringify(summary)}`
+  ];
+  const metadataPayload = {
+    generated_at: bundle.generated_at,
+    idempotency_key: idempotencyKey,
+    manifest_sha256: manifestSha256,
+    slug: manifest.slug,
+    version: manifest.version,
+    release_channel: releaseChannel,
+    ...registryTarget ? { registry_target: registryTarget } : {}
+  };
+  const metadataJson = stableStringify(metadataPayload);
+  const metadataSignature = signingKey ? `hmac-sha256:${base64url((0, import_node_crypto2.createHmac)("sha256", signingKey).update(metadataJson).digest())}` : "";
+  if (publishUrl) {
+    const remote = await postPublishBundle({
+      publishUrl,
+      token,
+      apiKey,
+      metadataHeaders: signingKey ? { meta: metadataJson, signature: metadataSignature } : void 0,
+      versionConflictPolicy,
+      releaseChannel,
+      registryTarget,
+      idempotencyKey,
+      timeoutMs: timeoutMsStrict,
+      retryAttempts,
+      retryBackoffMs,
+      payload: bundle
+    });
+    if (remote.outcome === "already_exists") {
+      if (versionConflictPolicy === "allow") {
+        lines.push(
+          `Remote publish version conflict allowed: outcome=already_exists url=${publishUrl} attempts=${remote.attempt}`
+        );
+        if (remote.releaseId || remote.registryEntry || remote.provider) {
+          lines.push(
+            `Remote release metadata: release_id=${remote.releaseId || "-"} registry_entry=${remote.registryEntry || "-"} provider=${remote.provider || "-"}`
+          );
+        }
+        console.log(lines.join("\n"));
+        return;
+      }
+      throw new CliError(
+        "CLI_VERSION_CONFLICT",
+        `Remote publish version conflict: already_exists url=${publishUrl} (set --version-conflict allow to continue)`,
+        { url: publishUrl, outcome: remote.outcome },
+        { exitCode: 3 }
+      );
+    }
+    lines.push(
+      `Remote publish delivered: status=${remote.status} url=${publishUrl} attempts=${remote.attempt} outcome=${remote.outcome}`
+    );
+    if (remote.releaseId || remote.registryEntry || remote.provider) {
+      lines.push(
+        `Remote release metadata: release_id=${remote.releaseId || "-"} registry_entry=${remote.registryEntry || "-"} provider=${remote.provider || "-"}`
+      );
+    }
+  }
+  if (publisherGatewayApiBaseUrl) {
+    try {
+      const client = (0, import_server_sdk3.createPublisherApiClient)({
+        baseUrl: publisherGatewayApiBaseUrl,
+        apiKey,
+        token
+      });
+      const result = await client.importAndPublishManifest(manifestForPublish);
+      const versionStatus = result && result.version && typeof result.version === "object" ? String(result.version.status || "") : "";
+      lines.push(
+        `Publisher gateway import+publish delivered: base=${publisherGatewayApiBaseUrl} xapp_id=${result.xappId} version_id=${result.versionId}${versionStatus ? ` status=${versionStatus}` : ""}`
+      );
+    } catch (err) {
+      if (err instanceof import_server_sdk3.PublisherApiClientError) {
+        if (err.code === "PUBLISHER_API_CONFLICT") {
+          const conflictCode = String(err.details?.code || "").trim();
+          const isVersionConflict = conflictCode === "VERSION_CONFLICT" || /version.*exist/i.test(String(err.message || ""));
+          if (isVersionConflict) {
+            if (versionConflictPolicy === "allow") {
+              lines.push(
+                `Publisher gateway version conflict allowed: base=${publisherGatewayApiBaseUrl} outcome=already_exists`
+              );
+              console.log(lines.join("\n"));
+              return;
+            }
+            throw new CliError(
+              "CLI_VERSION_CONFLICT",
+              `Publisher gateway version conflict: already_exists base=${publisherGatewayApiBaseUrl} (set --version-conflict allow to continue)`,
+              {
+                url: publisherGatewayUrl,
+                api_base_url: publisherGatewayApiBaseUrl,
+                status: err.status,
+                details: err.details
+              },
+              { exitCode: 3 }
+            );
+          }
+        }
+        throw new CliError(
+          `CLI_${err.code}`,
+          `Publisher gateway publish failed: ${err.message}`,
+          {
+            url: publisherGatewayUrl,
+            api_base_url: publisherGatewayApiBaseUrl,
+            status: err.status,
+            details: err.details
+          },
+          { exitCode: 4 }
+        );
+      }
+      throw err;
+    }
+  }
+  console.log(lines.join("\n"));
+}
+function normalizeBundleSummary(value, fallbackPath, fallbackGeneratedAt = "") {
+  if (!isPlainObject4(value)) return null;
+  const bundlePath = typeof value.bundle_path === "string" ? value.bundle_path : typeof value.path === "string" ? value.path : fallbackPath;
+  const generatedAt = typeof value.generated_at === "string" ? value.generated_at : typeof value.created_at === "string" ? value.created_at : fallbackGeneratedAt;
+  const slug = typeof value.slug === "string" ? value.slug.trim() : "";
+  const version = typeof value.version === "string" ? value.version.trim() : "";
+  const tools = typeof value.tools === "number" ? value.tools : NaN;
+  const widgets = typeof value.widgets === "number" ? value.widgets : NaN;
+  const manifestSha256 = typeof value.manifest_sha256 === "string" ? value.manifest_sha256 : "";
+  if (!bundlePath || !generatedAt || !slug || !version) return null;
+  if (!Number.isFinite(tools) || tools < 0 || !Number.isFinite(widgets) || widgets < 0) return null;
+  return {
+    bundle_path: bundlePath,
+    generated_at: generatedAt,
+    slug,
+    version,
+    tools,
+    widgets,
+    manifest_sha256: manifestSha256
+  };
+}
+function toBundleSummary(bundlePath, payload) {
+  if (!isPlainObject4(payload)) {
+    throw new Error(`Invalid bundle payload in ${bundlePath}`);
+  }
+  if (payload.schema_version !== "xapps.publish.v0") {
+    throw new Error(`Unsupported bundle schema in ${bundlePath}`);
+  }
+  const summary = isPlainObject4(payload.summary) ? payload.summary : {};
+  return {
+    bundle_path: bundlePath,
+    generated_at: typeof payload.generated_at === "string" ? payload.generated_at : "",
+    slug: typeof summary.slug === "string" ? summary.slug : "",
+    version: typeof summary.version === "string" ? summary.version : "",
+    tools: typeof summary.tools === "number" ? summary.tools : 0,
+    widgets: typeof summary.widgets === "number" ? summary.widgets : 0,
+    manifest_sha256: typeof summary.manifest_sha256 === "string" ? summary.manifest_sha256 : ""
+  };
+}
+function collectBundleFiles(dirPath) {
+  const out = [];
+  if (!import_node_fs7.default.existsSync(dirPath)) {
+    return out;
+  }
+  const entries = import_node_fs7.default.readdirSync(dirPath, { withFileTypes: true });
+  for (const entry of entries) {
+    const full = import_node_path7.default.join(dirPath, entry.name);
+    if (entry.isDirectory()) {
+      out.push(...collectBundleFiles(full));
+      continue;
+    }
+    if (entry.isFile() && entry.name === "bundle.json") {
+      out.push(full);
+    }
+  }
+  return out;
+}
+async function fetchRemoteLogs(input2) {
+  return withRetries({
+    attempts: input2.retryAttempts,
+    backoffMs: input2.retryBackoffMs,
+    action: async () => {
+      const controller = new AbortController();
+      const timer = setTimeout(() => controller.abort(), input2.timeoutMs);
+      try {
+        const headers = new Headers();
+        if (input2.token) headers.set("authorization", `Bearer ${input2.token}`);
+        if (input2.apiKey) headers.set("x-api-key", input2.apiKey);
+        const url = new URL(input2.logsUrl);
+        if (!url.searchParams.has("limit")) {
+          url.searchParams.set("limit", String(input2.limit));
+        }
+        if (input2.cursor) url.searchParams.set("cursor", input2.cursor);
+        if (input2.leaseId) url.searchParams.set("lease_id", input2.leaseId);
+        if (input2.checkpoint) url.searchParams.set("checkpoint", input2.checkpoint);
+        if (input2.severity) url.searchParams.set("severity", input2.severity);
+        if (input2.since) url.searchParams.set("since", input2.since);
+        if (input2.until) url.searchParams.set("until", input2.until);
+        const res = await fetch(url, {
+          method: "GET",
+          headers,
+          signal: controller.signal
+        });
+        if (!res.ok) {
+          const body = await res.text().catch(() => "");
+          const message = buildRemoteHttpFailureMessage({
+            channel: "logs",
+            status: res.status,
+            url: input2.logsUrl,
+            bodyText: body
+          });
+          throw makeRetryableError(message, isRetryableStatus(res.status));
+        }
+        const payload = await res.json();
+        const rowsRaw = Array.isArray(payload) ? payload : isPlainObject4(payload) && Array.isArray(payload.entries) ? payload.entries : null;
+        if (!rowsRaw) {
+          throw makeRetryableError(
+            `Remote logs returned malformed payload url=${input2.logsUrl}`,
+            false
+          );
+        }
+        const rows = rowsRaw.map((entry) => normalizeBundleSummary(entry, "remote://logs")).filter((entry) => !!entry);
+        if (rowsRaw.length > 0 && rows.length === 0) {
+          throw makeRetryableError(
+            `Remote logs returned malformed entries url=${input2.logsUrl}`,
+            false
+          );
+        }
+        const nextCursor = isPlainObject4(payload) && (typeof payload.next_cursor === "string" || typeof payload.nextCursor === "string") ? String(payload.next_cursor ?? payload.nextCursor ?? "") : "";
+        const payloadHasLease = isPlainObject4(payload) && (Object.prototype.hasOwnProperty.call(payload, "lease_id") || Object.prototype.hasOwnProperty.call(payload, "leaseId"));
+        const payloadHasCheckpoint = isPlainObject4(payload) && (Object.prototype.hasOwnProperty.call(payload, "checkpoint") || Object.prototype.hasOwnProperty.call(payload, "checkpoint_token") || Object.prototype.hasOwnProperty.call(payload, "checkpointToken"));
+        const leaseId = isPlainObject4(payload) && (typeof payload.lease_id === "string" || typeof payload.leaseId === "string") ? String(payload.lease_id ?? payload.leaseId ?? "") : "";
+        const checkpoint = isPlainObject4(payload) && (typeof payload.checkpoint === "string" || typeof payload.checkpoint_token === "string" || typeof payload.checkpointToken === "string") ? String(
+          payload.checkpoint ?? payload.checkpoint_token ?? payload.checkpointToken ?? ""
+        ) : "";
+        if (payloadHasLease && !leaseId) {
+          throw makeRetryableError(
+            `Remote logs returned malformed lease_id field url=${input2.logsUrl}`,
+            false
+          );
+        }
+        if (payloadHasCheckpoint && !checkpoint) {
+          throw makeRetryableError(
+            `Remote logs returned malformed checkpoint field url=${input2.logsUrl}`,
+            false
+          );
+        }
+        return {
+          entries: rows.sort((a, b) => String(b.generated_at).localeCompare(String(a.generated_at))).slice(0, input2.limit),
+          ...nextCursor ? { nextCursor } : {},
+          ...leaseId ? { leaseId } : {},
+          ...checkpoint ? { checkpoint } : {}
+        };
+      } catch (err) {
+        if (err?.name === "AbortError") {
+          throw makeRetryableError(
+            `Remote logs timed out after ${input2.timeoutMs}ms url=${input2.logsUrl}`,
+            true
+          );
+        }
+        if (err?.retryable) {
+          throw err;
+        }
+        throw makeRetryableError(
+          `Remote logs request failed url=${input2.logsUrl} cause=${err?.message || String(err)}`,
+          true
+        );
+      } finally {
+        clearTimeout(timer);
+      }
+    }
+  });
+}
+async function runLogs(args) {
+  const { profile } = getProfile(args);
+  const json = argFlag(args, "json");
+  const limit = parsePositiveIntOrThrow(argString(args, "limit"), 10, "--limit");
+  const from = argString(args, "from");
+  const dir = import_node_path7.default.resolve(process.cwd(), argString(args, "dir") || DEFAULT_PUBLISH_BUNDLES_DIR);
+  const logsUrlRaw = argString(args, "logs-url") || process.env.XAPPS_CLI_LOGS_URL || profile.logsUrl;
+  const logsUrl = logsUrlRaw ? parseHttpUrlOrThrow2(logsUrlRaw, "--logs-url") : "";
+  const token = argString(args, "token") || process.env.XAPPS_CLI_TOKEN || profile.token;
+  const apiKey = argString(args, "api-key", "apiKey") || process.env.XAPPS_CLI_API_KEY || profile.apiKey;
+  const cursor = argString(args, "cursor");
+  const leaseId = argString(args, "lease-id");
+  const checkpoint = argString(args, "checkpoint");
+  const severity = argString(args, "severity");
+  const since = argString(args, "since");
+  const until = argString(args, "until");
+  const follow = argFlag(args, "follow");
+  const followCursorFile = argString(args, "follow-cursor-file");
+  const followIntervalMs = parsePositiveIntOrThrow(
+    argString(args, "follow-interval-ms"),
+    2e3,
+    "--follow-interval-ms"
+  );
+  const followMaxCycles = parsePositiveIntOrThrow(
+    argString(args, "follow-max-cycles"),
+    1,
+    "--follow-max-cycles"
+  );
+  const timeoutMs = parsePositiveIntOrThrow(argString(args, "timeout-ms"), 1e4, "--timeout-ms");
+  const retryAttempts = parsePositiveIntOrThrow(
+    argString(args, "retry-attempts"),
+    1,
+    "--retry-attempts"
+  );
+  const retryBackoffMs = parsePositiveIntOrThrow(
+    argString(args, "retry-backoff-ms"),
+    250,
+    "--retry-backoff-ms"
+  );
+  const localSummaries = logsUrl ? null : (() => {
+    const bundleFiles = from ? [import_node_path7.default.resolve(process.cwd(), from)] : collectBundleFiles(dir);
+    if (!bundleFiles.length) {
+      throw new Error(
+        from ? `Bundle not found: ${import_node_path7.default.resolve(process.cwd(), from)}` : `No bundles found in ${dir}`
+      );
+    }
+    return bundleFiles.map((file) => toBundleSummary(file, readJsonFile(file))).sort((a, b) => String(b.generated_at).localeCompare(String(a.generated_at))).slice(0, limit);
+  })();
+  async function printRows(rows, nextCursor, leaseId2, checkpoint2) {
+    if (!rows.length) return;
+    if (json) {
+      console.log(
+        JSON.stringify(
+          {
+            count: rows.length,
+            entries: rows,
+            ...nextCursor ? { next_cursor: nextCursor } : {},
+            ...leaseId2 ? { lease_id: leaseId2 } : {},
+            ...checkpoint2 ? { checkpoint: checkpoint2 } : {}
+          },
+          null,
+          2
+        )
+      );
+      return;
+    }
+    const lines = [`Logs entries: ${rows.length}`];
+    for (const entry of rows) {
+      lines.push(
+        [
+          `- ${entry.slug}@${entry.version}`,
+          `generated_at=${entry.generated_at || "n/a"}`,
+          `tools=${entry.tools}`,
+          `widgets=${entry.widgets}`,
+          `bundle=${entry.bundle_path}`
+        ].join(" ")
+      );
+    }
+    if (nextCursor) lines.push(`next_cursor=${nextCursor}`);
+    if (leaseId2) lines.push(`lease_id=${leaseId2}`);
+    if (checkpoint2) lines.push(`checkpoint=${checkpoint2}`);
+    console.log(lines.join("\n"));
+  }
+  if (!logsUrl && localSummaries) {
+    if (!localSummaries.length) {
+      throw new Error(
+        from ? `Bundle not found: ${import_node_path7.default.resolve(process.cwd(), from)}` : `No bundles found in ${dir}`
+      );
+    }
+    await printRows(localSummaries);
+    return;
+  }
+  if (!logsUrl) return;
+  let currentCursor = cursor || "";
+  let currentLeaseId = leaseId || "";
+  let currentCheckpoint = checkpoint || "";
+  if (followCursorFile) {
+    const state = loadLogsResumeState(followCursorFile);
+    if (!currentCursor && state.cursor) currentCursor = state.cursor;
+    if (state.leaseId) currentLeaseId = state.leaseId;
+    if (state.checkpoint) currentCheckpoint = state.checkpoint;
+  }
+  let cycles = 0;
+  let seen = 0;
+  while (true) {
+    cycles += 1;
+    try {
+      const remote = await fetchRemoteLogs({
+        logsUrl,
+        token,
+        apiKey,
+        timeoutMs,
+        limit,
+        cursor: currentCursor || void 0,
+        leaseId: currentLeaseId || void 0,
+        checkpoint: currentCheckpoint || void 0,
+        severity,
+        since,
+        until,
+        retryAttempts,
+        retryBackoffMs
+      });
+      if (remote.entries.length) {
+        seen += remote.entries.length;
+        await printRows(remote.entries, remote.nextCursor, remote.leaseId, remote.checkpoint);
+      } else if (!follow && seen === 0) {
+        throw new Error(`No log entries returned by remote endpoint: ${logsUrl}`);
+      }
+      if (remote.leaseId) currentLeaseId = remote.leaseId;
+      if (remote.checkpoint) currentCheckpoint = remote.checkpoint;
+      if (remote.nextCursor) {
+        currentCursor = remote.nextCursor;
+      }
+      if (followCursorFile) {
+        saveLogsResumeState(followCursorFile, {
+          ...currentCursor ? { cursor: currentCursor } : {},
+          ...currentLeaseId ? { leaseId: currentLeaseId } : {},
+          ...currentCheckpoint ? { checkpoint: currentCheckpoint } : {}
+        });
+      }
+    } catch (err) {
+      if (!follow) throw err;
+      console.error(`[logs-follow] reconnecting after error: ${err?.message || String(err)}`);
+    }
+    if (!follow) return;
+    if (cycles >= followMaxCycles) return;
+    await sleep(followIntervalMs);
+  }
+}
+async function runTunnel(args) {
+  const { profile } = getProfile(args);
+  const target = argString(args, "target");
+  if (!target) {
+    throw new Error("Missing required argument: --target <base-url>");
+  }
+  const targetBase = parseHttpUrlOrThrow2(String(target).replace(/\/$/, ""), "--target").replace(
+    /\/$/,
+    ""
+  );
+  const targetHostname = new URL(targetBase).hostname.toLowerCase();
+  const allowTargetHosts = parseCsvSet(
+    argString(args, "allow-target-hosts") || process.env.XAPPS_CLI_TUNNEL_ALLOW_TARGET_HOSTS,
+    "127.0.0.1,localhost,::1"
+  );
+  if (!allowTargetHosts.has(targetHostname)) {
+    throw new CliError(
+      "CLI_TUNNEL_TARGET_NOT_ALLOWED",
+      `Tunnel target host is not allowed: ${targetHostname} (allowlist=${Array.from(allowTargetHosts).join(",")})`,
+      { targetHostname, allowlist: Array.from(allowTargetHosts) }
+    );
+  }
+  const host = argString(args, "host") || "127.0.0.1";
+  const port = parseListenPortOrThrow(argString(args, "listen-port"), 4041);
+  const sessionFile = argString(args, "session-file");
+  const sessionIdArg = argString(args, "session-id");
+  const sessionPolicy = parseTunnelSessionPolicy(argString(args, "session-policy"), "reuse");
+  const sessionStateFromFile = sessionFile ? loadTunnelSessionState(sessionFile) : null;
+  let sessionId = "";
+  let sessionSource = "generated";
+  if (sessionPolicy === "rotate") {
+    if (sessionIdArg) {
+      sessionId = sessionIdArg;
+      sessionSource = "arg";
+    } else {
+      sessionId = randomSessionId("tnl");
+      sessionSource = "rotated";
+    }
+  } else if (sessionIdArg) {
+    if (sessionStateFromFile?.sessionId && sessionStateFromFile.sessionId !== sessionIdArg && sessionPolicy !== "rotate") {
+      throw new CliError(
+        "CLI_TUNNEL_SESSION_CONFLICT",
+        `Provided --session-id does not match persisted session file (${sessionFile})`,
+        {
+          provided_session_id: sessionIdArg,
+          persisted_session_id: sessionStateFromFile.sessionId,
+          session_file: sessionFile,
+          session_policy: sessionPolicy
+        }
+      );
+    }
+    sessionId = sessionIdArg;
+    sessionSource = "arg";
+  } else if (sessionStateFromFile?.sessionId) {
+    const persistedTarget = String(sessionStateFromFile.target || "").trim();
+    if (persistedTarget && persistedTarget !== targetBase) {
+      if (sessionPolicy === "require") {
+        throw new CliError(
+          "CLI_TUNNEL_SESSION_TARGET_MISMATCH",
+          `Persisted tunnel session target does not match current --target (${persistedTarget} != ${targetBase})`,
+          {
+            persisted_target: persistedTarget,
+            current_target: targetBase,
+            session_file: sessionFile || ""
+          }
+        );
+      }
+      sessionId = randomSessionId("tnl");
+      sessionSource = "rotated";
+    } else {
+      sessionId = sessionStateFromFile.sessionId;
+      sessionSource = "file";
+    }
+  } else if (sessionPolicy === "require") {
+    throw new CliError(
+      "CLI_TUNNEL_SESSION_REQUIRED",
+      "Session policy 'require' needs existing --session-file state or explicit --session-id",
+      {
+        session_file: sessionFile || "",
+        session_policy: sessionPolicy
+      }
+    );
+  } else {
+    sessionId = randomSessionId("tnl");
+    sessionSource = "generated";
+  }
+  if (sessionFile) {
+    saveTunnelSessionState(sessionFile, {
+      sessionId,
+      target: targetBase
+    });
+  }
+  const once = argFlag(args, "once");
+  const requiredToken = argString(args, "require-auth-token") || process.env.XAPPS_CLI_TUNNEL_TOKEN || profile.tunnelToken || void 0;
+  const upstreamTimeoutMs = parsePositiveIntOrThrow(
+    argString(args, "upstream-timeout-ms"),
+    15e3,
+    "--upstream-timeout-ms"
+  );
+  const retryAttempts = parsePositiveIntOrThrow(
+    argString(args, "retry-attempts"),
+    1,
+    "--retry-attempts"
+  );
+  const retryBackoffMs = parsePositiveIntOrThrow(
+    argString(args, "retry-backoff-ms"),
+    200,
+    "--retry-backoff-ms"
+  );
+  const idempotentMethods = /* @__PURE__ */ new Set(["GET", "HEAD", "OPTIONS"]);
+  const startedAt = (/* @__PURE__ */ new Date()).toISOString();
+  let proxiedRequests = 0;
+  let proxyErrors = 0;
+  let lastUpstreamStatus = 0;
+  const announce = `xapps tunnel relay
+Session: ${sessionId}
+Session policy: ${sessionPolicy}
+Session source: ${sessionSource}
+Listen: http://${host}:${port}
+Target: ${targetBase}
+Allowlist: ${Array.from(allowTargetHosts).join(",")}
+Mode: local relay baseline (no external public URL)
+Upstream timeout: ${upstreamTimeoutMs}ms`;
+  if (once) {
+    console.log(announce);
+    return;
+  }
+  const server = import_node_http2.default.createServer(async (req, res) => {
+    const method = (req.method || "GET").toUpperCase();
+    const requestUrl = req.url || "/";
+    const headerToken = typeof req.headers["x-xapps-tunnel-token"] === "string" ? req.headers["x-xapps-tunnel-token"] : void 0;
+    const authHeader = typeof req.headers.authorization === "string" ? req.headers.authorization.trim() : "";
+    const bearerToken = authHeader.toLowerCase().startsWith("bearer ") ? authHeader.slice(7).trim() : void 0;
+    const suppliedToken = headerToken || bearerToken;
+    if (requiredToken && suppliedToken !== requiredToken) {
+      res.statusCode = 401;
+      res.setHeader("content-type", "application/json");
+      res.end(
+        JSON.stringify({
+          ok: false,
+          error: "tunnel_auth_required",
+          message: "Missing or invalid tunnel auth token"
+        })
+      );
+      return;
+    }
+    if (requestUrl === "/__ready") {
+      res.statusCode = 200;
+      res.setHeader("content-type", "application/json");
+      res.end(
+        JSON.stringify({
+          ok: true,
+          tunnel: "ready",
+          session_id: sessionId,
+          session_policy: sessionPolicy,
+          session_source: sessionSource,
+          target: targetBase
+        })
+      );
+      return;
+    }
+    if (requestUrl === "/__status") {
+      res.statusCode = 200;
+      res.setHeader("content-type", "application/json");
+      res.end(
+        JSON.stringify({
+          ok: true,
+          tunnel: "status",
+          session_id: sessionId,
+          session_policy: sessionPolicy,
+          session_source: sessionSource,
+          session_file: sessionFile || null,
+          target: targetBase,
+          listen: { host, port },
+          started_at: startedAt,
+          proxied_requests: proxiedRequests,
+          proxy_errors: proxyErrors,
+          last_upstream_status: lastUpstreamStatus || null
+        })
+      );
+      return;
+    }
+    const body = await readRawRequestBody(req);
+    const headers = new Headers();
+    for (const [key, value] of Object.entries(req.headers)) {
+      if (!value) continue;
+      const lower = key.toLowerCase();
+      if (lower === "host") continue;
+      if (lower === "connection" || lower === "keep-alive" || lower === "proxy-authorization" || lower === "proxy-authenticate" || lower === "te" || lower === "trailers" || lower === "transfer-encoding" || lower === "upgrade") {
+        continue;
+      }
+      if (Array.isArray(value)) headers.set(key, value.join(", "));
+      else headers.set(key, String(value));
+    }
+    headers.set(
+      "x-forwarded-host",
+      appendForwardedHeader(headers.get("x-forwarded-host"), `${host}:${port}`)
+    );
+    headers.set(
+      "x-forwarded-proto",
+      appendForwardedHeader(headers.get("x-forwarded-proto"), "http")
+    );
+    headers.set(
+      "x-forwarded-port",
+      appendForwardedHeader(headers.get("x-forwarded-port"), String(port))
+    );
+    if (req.socket?.remoteAddress) {
+      const existingForwardedFor = headers.get("x-forwarded-for");
+      headers.set(
+        "x-forwarded-for",
+        appendForwardedHeader(existingForwardedFor, req.socket.remoteAddress)
+      );
+    }
+    const targetUrl = `${targetBase}${requestUrl}`;
+    try {
+      const attempts = idempotentMethods.has(method) ? retryAttempts : 1;
+      const upstream = await withRetries({
+        attempts,
+        backoffMs: retryBackoffMs,
+        action: async () => {
+          const controller = new AbortController();
+          const timer = setTimeout(() => controller.abort(), upstreamTimeoutMs);
+          try {
+            const resUpstream = await fetch(targetUrl, {
+              method,
+              headers,
+              body: method === "GET" || method === "HEAD" ? void 0 : body,
+              signal: controller.signal
+            });
+            if (isRetryableStatus(resUpstream.status)) {
+              throw makeRetryableError(`upstream status ${resUpstream.status}`, true);
+            }
+            return resUpstream;
+          } catch (err) {
+            if (err?.name === "AbortError") {
+              throw makeRetryableError("upstream timeout", true);
+            }
+            if (err?.retryable) throw err;
+            throw makeRetryableError(err?.message || String(err), true);
+          } finally {
+            clearTimeout(timer);
+          }
+        }
+      });
+      const upstreamBody = Buffer.from(await upstream.arrayBuffer());
+      res.statusCode = upstream.status;
+      proxiedRequests += 1;
+      lastUpstreamStatus = upstream.status;
+      upstream.headers.forEach((value, key) => {
+        if (key.toLowerCase() === "transfer-encoding") return;
+        res.setHeader(key, value);
+      });
+      res.end(upstreamBody);
+      console.log(
+        `[tunnel] ${method} ${requestUrl} -> ${targetUrl} status=${upstream.status} bytes=${upstreamBody.length}`
+      );
+    } catch (err) {
+      proxyErrors += 1;
+      const timeout = String(err?.message || "").toLowerCase().includes("timeout");
+      res.statusCode = timeout ? 504 : 502;
+      res.setHeader("content-type", "application/json");
+      res.end(
+        JSON.stringify({
+          ok: false,
+          error: timeout ? "upstream_timeout" : "upstream_unreachable",
+          message: err?.message || String(err)
+        })
+      );
+      console.error(
+        `[tunnel] upstream error ${method} ${requestUrl}: ${err?.message || String(err)}`
+      );
+    }
+  });
+  await new Promise((resolve, reject) => {
+    server.once("error", reject);
+    server.listen(port, host, () => {
+      server.off("error", reject);
+      resolve();
+    });
+  });
+  console.log(announce);
+  await new Promise((resolve) => {
+    const shutdown = () => server.close(() => resolve());
+    process.once("SIGINT", shutdown);
+    process.once("SIGTERM", shutdown);
+  });
+}
+async function runCli(argv) {
+  try {
+    const { command, args } = parseArgs(argv);
+    if (!command || command === "--help" || command === "-h" || command === "help") {
+      printUsage();
+      return;
+    }
+    if (command === "import") {
+      await runImportCommand(args, {
+        argString,
+        argFlag,
+        readInput,
+        parsePositiveIntOrThrow,
+        parseManifestFromFile,
+        readJsonFile
+      });
+      return;
+    }
+    if (command === "validate") {
+      runValidateCommand(args, {
+        argString,
+        argFlag,
+        readInput,
+        parsePositiveIntOrThrow,
+        parseManifestFromFile,
+        readJsonFile
+      });
+      return;
+    }
+    if (command === "test") {
+      runTestCommand(args, {
+        argString,
+        argFlag,
+        readInput,
+        parsePositiveIntOrThrow,
+        parseManifestFromFile,
+        readJsonFile
+      });
+      return;
+    }
+    if (command === "publish") {
+      await runPublish(args);
+      return;
+    }
+    if (command === "logs") {
+      await runLogs(args);
+      return;
+    }
+    if (command === "context") {
+      const subcommand = argString(args, "_subcommand");
+      if (subcommand !== "export") {
+        throw new CliError("CLI_INVALID_ARGS", "Missing required subcommand: context export");
+      }
+      runContextExport(args);
+      return;
+    }
+    if (command === "tunnel") {
+      await runTunnel(args);
+      return;
+    }
+    if (command === "init") {
+      runInitCommand(args, {
+        argString,
+        argFlag,
+        readInput,
+        parsePositiveIntOrThrow,
+        parseManifestFromFile,
+        readJsonFile
+      });
+      return;
+    }
+    if (command === "dev") {
+      await runDevCommand(args, {
+        argString,
+        argFlag,
+        shellEscapeArg: shellEscapeArg2,
+        applyFlowCommandTemplates,
+        findRepoRoot,
+        readJsonFile,
+        parseManifestFromFile,
+        runDryRun,
+        buildDevRefs,
+        canonicalizeJson,
+        readRequestBody,
+        makeCliError: (code, message, details) => new CliError(code, message, details)
+      });
+      return;
+    }
+    if (command === "ai") {
+      const subcommand = argString(args, "_subcommand");
+      if (subcommand === "plan") {
+        await runAiPlanCliCommand(args, {
+          argString,
+          argFlag,
+          shellEscapeArg: shellEscapeArg2,
+          applyFlowCommandTemplates,
+          findRepoRoot,
+          readJsonFile,
+          parseManifestFromFile,
+          runDryRun,
+          buildDevRefs,
+          canonicalizeJson,
+          readRequestBody,
+          makeCliError: (code, message, details) => new CliError(code, message, details)
+        });
+        return;
+      }
+      if (subcommand === "check") {
+        await runAiCheckCliCommand(args, {
+          argString,
+          argFlag,
+          shellEscapeArg: shellEscapeArg2,
+          applyFlowCommandTemplates,
+          findRepoRoot,
+          readJsonFile,
+          parseManifestFromFile,
+          runDryRun,
+          buildDevRefs,
+          canonicalizeJson,
+          readRequestBody,
+          makeCliError: (code, message, details) => new CliError(code, message, details)
+        });
+        return;
+      }
+      throw new CliError("CLI_INVALID_ARGS", "Missing required subcommand: ai plan|check");
+    }
+    if (command === "publisher") {
+      await runPublisherCliCommand(args, {
+        argString,
+        argFlag,
+        shellEscapeArg: shellEscapeArg2,
+        applyFlowCommandTemplates,
+        findRepoRoot,
+        readJsonFile,
+        parseManifestFromFile,
+        runDryRun,
+        buildDevRefs,
+        canonicalizeJson,
+        readRequestBody,
+        makeCliError: (code, message, details) => new CliError(code, message, details)
+      });
+      return;
+    }
+    throw new CliError("CLI_UNKNOWN_COMMAND", `Unknown command: ${command}`);
+  } catch (err) {
+    if (err instanceof CliError) throw err;
+    const message = String(err?.message || err || "Unknown CLI error");
+    let code = "CLI_RUNTIME_ERROR";
+    if (message.includes("Missing required argument")) code = "CLI_INVALID_ARGS";
+    else if (message.includes("Missing required arguments")) code = "CLI_INVALID_ARGS";
+    else if (message.includes("Invalid --")) code = "CLI_INVALID_OPTION";
+    else if (message.includes("Invalid JSON")) code = "CLI_INVALID_JSON";
+    else if (message.includes("Unknown CLI profile")) code = "CLI_PROFILE_NOT_FOUND";
+    else if (message.includes("Invalid CLI config JSON")) code = "CLI_CONFIG_INVALID";
+    else if (message.includes("Unsupported --mode")) code = "CLI_AI_MODE_UNSUPPORTED";
+    else if (message.includes("Invalid AI policy JSON")) code = "CLI_AI_POLICY_INVALID";
+    else if (message.includes("ai check failed")) code = "CLI_AI_PLAN_INVALID";
+    else if (message.includes("unsupported outcome")) code = "CLI_REMOTE_PUBLISH_ACK_INVALID";
+    else if (message.includes("Remote publish")) code = "CLI_REMOTE_PUBLISH_ERROR";
+    else if (message.includes("Remote logs")) code = "CLI_REMOTE_LOGS_ERROR";
+    else if (message.includes("No bundles found")) code = "CLI_BUNDLE_NOT_FOUND";
+    else if (message.includes("Bundle not found")) code = "CLI_BUNDLE_NOT_FOUND";
+    throw new CliError(code, message);
+  }
+}
+if (/(?:^|[\\/])cli\.(?:cjs|mjs|js)$/.test(String(process.argv[1] || ""))) {
+  runCli(process.argv.slice(2)).catch((err) => {
+    const code = typeof err?.code === "string" ? err.code : "CLI_RUNTIME_ERROR";
+    const message = err?.message || String(err);
+    console.error(`[${code}] ${message}`);
+    const exitCode = Number.isInteger(err?.exitCode) ? err.exitCode : 1;
+    process.exit(exitCode);
+  });
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  CliError,
+  runCli
+});
+//# sourceMappingURL=cli.cjs.map