@xera-ai/core 0.3.0 → 0.4.1

package/dist/src/index.js

@@ -1,120 +1,25 @@
 // @bun
-// src/config/schema.ts
-import { z } from "zod";
-var AuthRoleSchema = z.object({
-  envEmail: z.string().min(1),
-  envPassword: z.string().min(1)
-});
-var AuthSchema = z.object({
-  strategy: z.enum(["storageState", "apiToken", "none"]).default("none"),
-  ttl: z.string().default("8h"),
-  refreshBuffer: z.string().default("30m"),
-  setupScript: z.string().optional(),
-  roles: z.record(z.string(), AuthRoleSchema).default({})
-});
-var WebSchema = z.object({
-  baseUrl: z.record(z.string(), z.string().url()).refine((m) => Object.keys(m).length > 0, {
-    message: "baseUrl must have at least one environment"
-  }),
-  defaultEnv: z.string(),
-  auth: AuthSchema.default({}),
-  testData: z.object({
-    users: z.record(z.string(), z.object({ fromAuth: z.string() })).default({})
-  }).default({ users: {} })
-}).refine((w) => w.baseUrl[w.defaultEnv] !== undefined, {
-  message: "defaultEnv must exist in baseUrl map",
-  path: ["defaultEnv"]
-});
-var JiraSchema = z.object({
-  baseUrl: z.string().url(),
-  projectKeys: z.array(z.string().min(1)).min(1),
-  fields: z.object({
-    story: z.string().min(1),
-    acceptanceCriteria: z.string().optional(),
-    attachments: z.string().default("attachment")
-  })
-});
-var AISchema = z.object({
-  livePageSnapshot: z.boolean().default(true),
-  confidenceThreshold: z.enum(["low", "medium", "high"]).default("medium"),
-  maxRetries: z.object({
-    typecheck: z.number().int().min(0).max(5).default(2),
-    lint: z.number().int().min(0).max(5).default(2),
-    validateFeature: z.number().int().min(0).max(5).default(2)
-  }).default({})
-}).default({});
-var ReportingSchema = z.object({
-  language: z.enum(["en", "vi"]).default("en"),
-  postToJira: z.boolean().default(true),
-  transition: z.object({
-    onPass: z.string().nullable().default(null),
-    onFail: z.string().nullable().default(null)
-  }).default({}),
-  artifactLinks: z.enum(["git", "local"]).default("git")
-}).default({});
-var XeraConfigSchema = z.object({
-  jira: JiraSchema,
-  web: WebSchema,
-  ai: AISchema,
-  reporting: ReportingSchema,
-  adapters: z.array(z.string().min(1)).min(1).default(["web"])
-});
-// src/config/define.ts
-function defineConfig(config) {
-  return config;
-}
-// src/config/load.ts
-import { existsSync } from "fs";
-import { join } from "path";
-import { pathToFileURL } from "url";
-async function loadConfig(cwd) {
-  const path = join(cwd, "xera.config.ts");
-  if (!existsSync(path)) {
-    throw new Error(`xera.config.ts not found in ${cwd}`);
-  }
-  const mod = await import(pathToFileURL(path).href);
-  const raw = mod.default ?? mod;
-  return XeraConfigSchema.parse(raw);
-}
-// src/artifact/paths.ts
-import { join as join2 } from "path";
-var TICKET_RE = /^[A-Z][A-Z0-9_]*-\d+$|^SAMPLE-\d+$/;
-function resolveArtifactPaths(repoRoot, ticket) {
-  if (!TICKET_RE.test(ticket)) {
-    throw new Error(`Invalid ticket key: "${ticket}" (expected e.g. JIRA-123 or SAMPLE-001)`);
-  }
-  const ticketDir = join2(repoRoot, ".xera", ticket);
-  return {
-    ticketDir,
-    storyPath: join2(ticketDir, "story.md"),
-    featurePath: join2(ticketDir, "test.feature"),
-    specPath: join2(ticketDir, "spec.ts"),
-    pageObjectsDir: join2(ticketDir, "page-objects"),
-    runsDir: join2(ticketDir, "runs"),
-    metaPath: join2(ticketDir, "meta.json"),
-    statusPath: join2(ticketDir, "status.json"),
-    logPath: join2(ticketDir, "xera.log"),
-    lockPath: join2(ticketDir, ".lock"),
-    authDir: join2(repoRoot, ".xera", ".auth"),
-    runPath: (runId) => {
-      const runDir = join2(ticketDir, "runs", runId);
-      return {
-        runDir,
-        reportJsonPath: join2(runDir, "report.json"),
-        tracePath: join2(runDir, "trace.zip"),
-        normalizedPath: join2(runDir, "normalized.json"),
-        screenshotsDir: join2(runDir, "screenshots"),
-        videoDir: join2(runDir, "videos")
-      };
-    }
-  };
-}
-function generateRunId(now = new Date) {
-  return now.toISOString().replace(/[:.]/g, "-").replace("Z", "");
-}
+var __defProp = Object.defineProperty;
+var __commonJS = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+var __require = import.meta.require;
+
 // src/artifact/hash.ts
 import { createHash } from "crypto";
-import { existsSync as existsSync2, readFileSync } from "fs";
+import { existsSync, readFileSync } from "fs";
 function hashString(s) {
   return `sha256:${createHash("sha256").update(s).digest("hex")}`;
 }
@@ -122,30 +27,30 @@ function hashFile(path) {
   return hashString(readFileSync(path, "utf8"));
 }
 function hashFileIfExists(path) {
-  if (!existsSync2(path))
+  if (!existsSync(path))
     return null;
   return hashFile(path);
 }
 // src/artifact/meta.ts
-import { existsSync as existsSync3, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
+import { existsSync as existsSync2, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
 import { dirname } from "path";
-import { z as z2 } from "zod";
-var MetaJsonSchema = z2.object({
-  ticket: z2.string(),
-  adapter: z2.string(),
-  xera_version: z2.string(),
-  prompts_version: z2.string(),
-  fetched_at: z2.string().optional(),
-  story_hash: z2.string().optional(),
-  feature_generated_at: z2.string().optional(),
-  feature_generated_from_story_hash: z2.string().optional(),
-  feature_hash: z2.string().optional(),
-  script_generated_at: z2.string().optional(),
-  script_generated_from_feature_hash: z2.string().optional(),
-  script_warnings: z2.array(z2.string()).optional()
+import { z } from "zod";
+var MetaJsonSchema = z.object({
+  ticket: z.string(),
+  adapter: z.string(),
+  xera_version: z.string(),
+  prompts_version: z.string(),
+  fetched_at: z.string().optional(),
+  story_hash: z.string().optional(),
+  feature_generated_at: z.string().optional(),
+  feature_generated_from_story_hash: z.string().optional(),
+  feature_hash: z.string().optional(),
+  script_generated_at: z.string().optional(),
+  script_generated_from_feature_hash: z.string().optional(),
+  script_warnings: z.array(z.string()).optional()
 });
 function readMeta(path) {
-  if (!existsSync3(path))
+  if (!existsSync2(path))
     return null;
   return MetaJsonSchema.parse(JSON.parse(readFileSync2(path, "utf8")));
 }
@@ -162,36 +67,79 @@ function updateMeta(path, patch) {
   writeMeta(path, next);
   return next;
 }
+// src/artifact/paths.ts
+import { join } from "path";
+var TICKET_RE = /^[A-Z][A-Z0-9_]*-\d+$|^SAMPLE-\d+$/;
+function resolveArtifactPaths(repoRoot, ticket) {
+  if (!TICKET_RE.test(ticket)) {
+    throw new Error(`Invalid ticket key: "${ticket}" (expected e.g. JIRA-123 or SAMPLE-001)`);
+  }
+  const ticketDir = join(repoRoot, ".xera", ticket);
+  return {
+    ticketDir,
+    storyPath: join(ticketDir, "story.md"),
+    featurePath: join(ticketDir, "test.feature"),
+    specPath: join(ticketDir, "spec.ts"),
+    pageObjectsDir: join(ticketDir, "page-objects"),
+    runsDir: join(ticketDir, "runs"),
+    metaPath: join(ticketDir, "meta.json"),
+    statusPath: join(ticketDir, "status.json"),
+    logPath: join(ticketDir, "xera.log"),
+    lockPath: join(ticketDir, ".lock"),
+    authDir: join(repoRoot, ".xera", ".auth"),
+    runPath: (runId) => {
+      const runDir = join(ticketDir, "runs", runId);
+      return {
+        runDir,
+        reportJsonPath: join(runDir, "report.json"),
+        tracePath: join(runDir, "trace.zip"),
+        normalizedPath: join(runDir, "normalized.json"),
+        screenshotsDir: join(runDir, "screenshots"),
+        videoDir: join(runDir, "videos")
+      };
+    }
+  };
+}
+function generateRunId(now = new Date) {
+  return now.toISOString().replace(/[:.]/g, "-").replace("Z", "");
+}
 // src/artifact/status.ts
-import { existsSync as existsSync4, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import { existsSync as existsSync3, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
 import { dirname as dirname2 } from "path";
-import { z as z3 } from "zod";
-var ClassificationEnum = z3.enum(["PASS", "REAL_BUG", "SELECTOR_DRIFT", "FLAKY", "TEST_BUG"]);
-var ResultEnum = z3.enum(["PASS", "FAIL"]);
-var ConfidenceEnum = z3.enum(["low", "medium", "high"]);
-var HistoryEntrySchema = z3.object({
-  ts: z3.string(),
+import { z as z2 } from "zod";
+var ClassificationEnum = z2.enum([
+  "PASS",
+  "REAL_BUG",
+  "SELECTOR_DRIFT",
+  "FLAKY",
+  "TEST_BUG",
+  "TEST_OUTDATED"
+]);
+var ResultEnum = z2.enum(["PASS", "FAIL"]);
+var ConfidenceEnum = z2.enum(["low", "medium", "high"]);
+var HistoryEntrySchema = z2.object({
+  ts: z2.string(),
   result: ResultEnum,
   class: ClassificationEnum
 });
-var StatusJsonSchema = z3.object({
-  ticket: z3.string(),
-  lastRun: z3.string(),
+var StatusJsonSchema = z2.object({
+  ticket: z2.string(),
+  lastRun: z2.string(),
   result: ResultEnum,
   classification: ClassificationEnum,
   confidence: ConfidenceEnum,
-  scenarios: z3.object({
-    total: z3.number().int().nonnegative(),
-    passed: z3.number().int().nonnegative(),
-    failed: z3.number().int().nonnegative(),
-    skipped: z3.number().int().nonnegative()
+  scenarios: z2.object({
+    total: z2.number().int().nonnegative(),
+    passed: z2.number().int().nonnegative(),
+    failed: z2.number().int().nonnegative(),
+    skipped: z2.number().int().nonnegative()
   }),
-  history: z3.array(HistoryEntrySchema).default([]),
-  last_jira_comment_id: z3.string().optional()
+  history: z2.array(HistoryEntrySchema).default([]),
+  last_jira_comment_id: z2.string().optional()
 });
 var HISTORY_CAP = 20;
 function readStatus(path) {
-  if (!existsSync4(path))
+  if (!existsSync3(path))
     return null;
   return StatusJsonSchema.parse(JSON.parse(readFileSync3(path, "utf8")));
 }
@@ -208,105 +156,219 @@ function appendHistory(path, entry) {
   writeStatus(path, s);
   return s;
 }
-// src/logging/ndjson-logger.ts
-import { appendFileSync, existsSync as existsSync5, mkdirSync as mkdirSync3, readFileSync as readFileSync4 } from "fs";
-import { dirname as dirname3 } from "path";
-
-class NdjsonLogger {
-  path;
-  constructor(path) {
-    this.path = path;
-    mkdirSync3(dirname3(path), { recursive: true });
-  }
-  log(payload) {
-    const entry = { ts: new Date().toISOString(), ...payload };
-    appendFileSync(this.path, `${JSON.stringify(entry)}
-`);
+// src/auth/encrypt.ts
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
+var ALGO = "aes-256-gcm";
+var KEY_LEN = 32;
+var IV_LEN = 12;
+var TAG_LEN = 16;
+var VERSION = "v1";
+function generateKey() {
+  return randomBytes(KEY_LEN).toString("hex");
+}
+function keyToBuf(key) {
+  const buf = Buffer.from(key, "hex");
+  if (buf.length !== KEY_LEN)
+    throw new Error(`Key must be ${KEY_LEN} bytes (got ${buf.length})`);
+  return buf;
+}
+function encrypt(plaintext, keyHex) {
+  const key = keyToBuf(keyHex);
+  const iv = randomBytes(IV_LEN);
+  const cipher = createCipheriv(ALGO, key, iv);
+  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return `${VERSION}:${iv.toString("base64")}:${tag.toString("base64")}:${ct.toString("base64")}`;
+}
+function decrypt(ciphertext, keyHex) {
+  const [version, ivB64, tagB64, ctB64] = ciphertext.split(":");
+  if (version !== VERSION)
+    throw new Error(`Unsupported ciphertext version: ${version}`);
+  if (!ivB64 || !tagB64 || !ctB64)
+    throw new Error("Malformed ciphertext");
+  const key = keyToBuf(keyHex);
+  const iv = Buffer.from(ivB64, "base64");
+  const tag = Buffer.from(tagB64, "base64");
+  const ct = Buffer.from(ctB64, "base64");
+  if (tag.length !== TAG_LEN)
+    throw new Error("Bad auth tag length");
+  const decipher = createDecipheriv(ALGO, key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
+}
+// src/auth/key.ts
+var AUTH_KEY_ENV = "XERA_AUTH_KEY";
+function resolveAuthKey() {
+  const key = process.env[AUTH_KEY_ENV];
+  if (!key) {
+    throw new Error(`${AUTH_KEY_ENV} not set. It is auto-generated by \`xera init\` and saved to .env. If you deleted .env, regenerate it by running \`xera init --update\` \u2014 note that any cached auth state will be invalidated.`);
   }
-  static readAll(path) {
-    if (!existsSync5(path))
-      return [];
-    const txt = readFileSync4(path, "utf8").trim();
-    if (!txt)
-      return [];
-    return txt.split(`
-`).map((line) => JSON.parse(line));
+  if (!/^[0-9a-f]{64}$/i.test(key)) {
+    throw new Error(`${AUTH_KEY_ENV} must be a 64-character hex string (32 bytes).`);
   }
+  return key;
 }
-// src/lock/file-lock.ts
-import { existsSync as existsSync6, mkdirSync as mkdirSync4, readFileSync as readFileSync5, unlinkSync, writeFileSync as writeFileSync3 } from "fs";
-import { hostname } from "os";
-import { dirname as dirname4 } from "path";
-function acquireLock(path, runId) {
-  if (existsSync6(path))
-    return false;
-  mkdirSync4(dirname4(path), { recursive: true });
-  const data = {
-    pid: process.pid,
-    hostname: hostname(),
-    started_at: new Date().toISOString(),
-    run_id: runId
-  };
-  try {
-    writeFileSync3(path, JSON.stringify(data), { flag: "wx" });
+// src/auth/refresh.ts
+var RE = /^(\d+)([hms])$/;
+function parseDuration(d) {
+  const m = RE.exec(d);
+  if (!m)
+    throw new Error(`Bad duration "${d}" \u2014 expected e.g. "8h", "30m", "45s"`);
+  const n = Number(m[1]);
+  const unit = m[2];
+  if (unit === "h")
+    return n * 3600 * 1000;
+  if (unit === "m")
+    return n * 60 * 1000;
+  return n * 1000;
+}
+function needsRefresh(entry, policy, now = new Date) {
+  if (!entry)
     return true;
-  } catch {
-    return false;
-  }
+  const ttlMs = parseDuration(policy.ttl);
+  const bufMs = parseDuration(policy.refreshBuffer);
+  const createdAt = new Date(entry.created_at).getTime();
+  if (now.getTime() - createdAt > ttlMs)
+    return true;
+  const expiresAt = new Date(entry.expires_at).getTime();
+  if (expiresAt - now.getTime() < bufMs)
+    return true;
+  return false;
 }
-function releaseLock(path) {
-  if (existsSync6(path))
-    unlinkSync(path);
+// src/auth/state.ts
+import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
+import { join as join2 } from "path";
+import { z as z3 } from "zod";
+var AuthStateEntrySchema = z3.object({
+  role: z3.string(),
+  strategy: z3.enum(["storageState", "apiToken"]),
+  created_at: z3.string(),
+  expires_at: z3.string(),
+  payload: z3.record(z3.string(), z3.unknown())
+});
+function pathFor(authDir, role) {
+  return join2(authDir, `${role}.json`);
 }
-function readLock(path) {
-  if (!existsSync6(path))
+function writeAuthState(authDir, entry) {
+  mkdirSync3(authDir, { recursive: true });
+  const ct = encrypt(JSON.stringify(entry), resolveAuthKey());
+  writeFileSync3(pathFor(authDir, entry.role), ct);
+}
+function readAuthState(authDir, role) {
+  const p = pathFor(authDir, role);
+  if (!existsSync4(p))
     return null;
-  return JSON.parse(readFileSync5(path, "utf8"));
+  const txt = readFileSync4(p, "utf8");
+  const plain = decrypt(txt, resolveAuthKey());
+  return AuthStateEntrySchema.parse(JSON.parse(plain));
 }
-function isLockStale(path) {
-  const lock = readLock(path);
-  if (!lock)
-    return true;
-  if (lock.hostname !== hostname()) {
-    return false;
-  }
-  try {
-    process.kill(lock.pid, 0);
-    return false;
-  } catch {
-    return true;
-  }
+// src/config/define.ts
+function defineConfig(config) {
+  return config;
 }
-function forceUnlock(path) {
-  releaseLock(path);
+// src/config/load.ts
+import { existsSync as existsSync5 } from "fs";
+import { join as join3 } from "path";
+import { pathToFileURL } from "url";
+
+// src/config/schema.ts
+import { z as z4 } from "zod";
+var AuthRoleSchema = z4.object({
+  envEmail: z4.string().min(1),
+  envPassword: z4.string().min(1)
+});
+var AuthSchema = z4.object({
+  strategy: z4.enum(["storageState", "apiToken", "none"]).default("none"),
+  ttl: z4.string().default("8h"),
+  refreshBuffer: z4.string().default("30m"),
+  setupScript: z4.string().optional(),
+  roles: z4.record(z4.string(), AuthRoleSchema).default({})
+});
+var WebSchema = z4.object({
+  baseUrl: z4.record(z4.string(), z4.string().url()).refine((m) => Object.keys(m).length > 0, {
+    message: "baseUrl must have at least one environment"
+  }),
+  defaultEnv: z4.string(),
+  auth: AuthSchema.prefault({}),
+  testData: z4.object({
+    users: z4.record(z4.string(), z4.object({ fromAuth: z4.string() })).default({})
+  }).prefault({})
+}).refine((w) => w.baseUrl[w.defaultEnv] !== undefined, {
+  message: "defaultEnv must exist in baseUrl map",
+  path: ["defaultEnv"]
+});
+var JiraSchema = z4.object({
+  baseUrl: z4.string().url(),
+  projectKeys: z4.array(z4.string().min(1)).min(1),
+  fields: z4.object({
+    story: z4.string().min(1),
+    acceptanceCriteria: z4.string().optional(),
+    attachments: z4.string().default("attachment")
+  })
+});
+var AISchema = z4.object({
+  livePageSnapshot: z4.boolean().default(true),
+  confidenceThreshold: z4.enum(["low", "medium", "high"]).default("medium"),
+  maxRetries: z4.object({
+    typecheck: z4.number().int().min(0).max(5).default(2),
+    lint: z4.number().int().min(0).max(5).default(2),
+    validateFeature: z4.number().int().min(0).max(5).default(2)
+  }).prefault({})
+}).prefault({});
+var ReportingSchema = z4.object({
+  language: z4.enum(["en", "vi"]).default("en"),
+  postToJira: z4.boolean().default(true),
+  transition: z4.object({
+    onPass: z4.string().nullable().default(null),
+    onFail: z4.string().nullable().default(null)
+  }).prefault({}),
+  artifactLinks: z4.enum(["git", "local"]).default("git")
+}).prefault({});
+var XeraConfigSchema = z4.object({
+  jira: JiraSchema,
+  web: WebSchema,
+  ai: AISchema,
+  reporting: ReportingSchema,
+  adapters: z4.array(z4.string().min(1)).min(1).default(["web"])
+});
+
+// src/config/load.ts
+async function loadConfig(cwd) {
+  const path = join3(cwd, "xera.config.ts");
+  if (!existsSync5(path)) {
+    throw new Error(`xera.config.ts not found in ${cwd}`);
+  }
+  const mod = await import(pathToFileURL(path).href);
+  const raw = mod.default ?? mod;
+  return XeraConfigSchema.parse(raw);
 }
 // src/jira/mcp-backend.ts
-import { existsSync as existsSync7, mkdirSync as mkdirSync5, readFileSync as readFileSync6, writeFileSync as writeFileSync4 } from "fs";
+import { existsSync as existsSync6, mkdirSync as mkdirSync4, readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "fs";
 import { tmpdir } from "os";
-import { join as join3 } from "path";
+import { join as join4 } from "path";
 var MCP_ENV = "XERA_MCP_JIRA";
 async function createMcpBackend(_baseUrl) {
   if (process.env[MCP_ENV] !== "1")
     return null;
-  const tmpDir = join3(tmpdir(), "xera-mcp");
-  mkdirSync5(tmpDir, { recursive: true });
+  const tmpDir = join4(tmpdir(), "xera-mcp");
+  mkdirSync4(tmpDir, { recursive: true });
   return {
     backend: "mcp",
     async fetchTicket(key, _fields) {
-      const cachePath = join3(tmpDir, `${key}.json`);
-      if (!existsSync7(cachePath)) {
+      const cachePath = join4(tmpDir, `${key}.json`);
+      if (!existsSync6(cachePath)) {
         throw new Error(`MCP-mode fetch requires the skill to first call mcp__atlassian__getJiraIssue and write ${cachePath}. ` + `If you are running this directly, unset ${MCP_ENV} to use REST.`);
       }
-      const parsed = JSON.parse(readFileSync6(cachePath, "utf8"));
+      const parsed = JSON.parse(readFileSync5(cachePath, "utf8"));
       return parsed;
     },
     async postComment(key, body) {
-      const outPath = join3(tmpDir, `${key}.comment.json`);
+      const outPath = join4(tmpDir, `${key}.comment.json`);
       writeFileSync4(outPath, JSON.stringify({ key, body }));
       return { id: "mcp-pending" };
     },
     async transitionStatus(key, statusName) {
-      const outPath = join3(tmpDir, `${key}.transition.json`);
+      const outPath = join4(tmpDir, `${key}.transition.json`);
       writeFileSync4(outPath, JSON.stringify({ key, statusName }));
     },
     async listFields(_sampleKey) {
@@ -444,111 +506,77 @@ async function withRetry(fn, opts) {
   }
   throw lastErr;
 }
-// src/auth/encrypt.ts
-import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
-var ALGO = "aes-256-gcm";
-var KEY_LEN = 32;
-var IV_LEN = 12;
-var TAG_LEN = 16;
-var VERSION = "v1";
-function generateKey() {
-  return randomBytes(KEY_LEN).toString("hex");
-}
-function keyToBuf(key) {
-  const buf = Buffer.from(key, "hex");
-  if (buf.length !== KEY_LEN)
-    throw new Error(`Key must be ${KEY_LEN} bytes (got ${buf.length})`);
-  return buf;
-}
-function encrypt(plaintext, keyHex) {
-  const key = keyToBuf(keyHex);
-  const iv = randomBytes(IV_LEN);
-  const cipher = createCipheriv(ALGO, key, iv);
-  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
-  const tag = cipher.getAuthTag();
-  return `${VERSION}:${iv.toString("base64")}:${tag.toString("base64")}:${ct.toString("base64")}`;
-}
-function decrypt(ciphertext, keyHex) {
-  const [version, ivB64, tagB64, ctB64] = ciphertext.split(":");
-  if (version !== VERSION)
-    throw new Error(`Unsupported ciphertext version: ${version}`);
-  if (!ivB64 || !tagB64 || !ctB64)
-    throw new Error("Malformed ciphertext");
-  const key = keyToBuf(keyHex);
-  const iv = Buffer.from(ivB64, "base64");
-  const tag = Buffer.from(tagB64, "base64");
-  const ct = Buffer.from(ctB64, "base64");
-  if (tag.length !== TAG_LEN)
-    throw new Error("Bad auth tag length");
-  const decipher = createDecipheriv(ALGO, key, iv);
-  decipher.setAuthTag(tag);
-  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
-}
-// src/auth/key.ts
-var AUTH_KEY_ENV = "XERA_AUTH_KEY";
-function resolveAuthKey() {
-  const key = process.env[AUTH_KEY_ENV];
-  if (!key) {
-    throw new Error(`${AUTH_KEY_ENV} not set. It is auto-generated by \`xera init\` and saved to .env. If you deleted .env, regenerate it by running \`xera init --update\` \u2014 note that any cached auth state will be invalidated.`);
-  }
-  if (!/^[0-9a-f]{64}$/i.test(key)) {
-    throw new Error(`${AUTH_KEY_ENV} must be a 64-character hex string (32 bytes).`);
+// src/lock/file-lock.ts
+import { existsSync as existsSync7, mkdirSync as mkdirSync5, readFileSync as readFileSync6, unlinkSync, writeFileSync as writeFileSync5 } from "fs";
+import { hostname } from "os";
+import { dirname as dirname3 } from "path";
+function acquireLock(path, runId) {
+  if (existsSync7(path))
+    return false;
+  mkdirSync5(dirname3(path), { recursive: true });
+  const data = {
+    pid: process.pid,
+    hostname: hostname(),
+    started_at: new Date().toISOString(),
+    run_id: runId
+  };
+  try {
+    writeFileSync5(path, JSON.stringify(data), { flag: "wx" });
+    return true;
+  } catch {
+    return false;
   }
-  return key;
 }
-// src/auth/state.ts
-import { existsSync as existsSync8, mkdirSync as mkdirSync6, readFileSync as readFileSync7, writeFileSync as writeFileSync5 } from "fs";
-import { join as join4 } from "path";
-import { z as z4 } from "zod";
-var AuthStateEntrySchema = z4.object({
-  role: z4.string(),
-  strategy: z4.enum(["storageState", "apiToken"]),
-  created_at: z4.string(),
-  expires_at: z4.string(),
-  payload: z4.record(z4.string(), z4.unknown())
-});
-function pathFor(authDir, role) {
-  return join4(authDir, `${role}.json`);
-}
-function writeAuthState(authDir, entry) {
-  mkdirSync6(authDir, { recursive: true });
-  const ct = encrypt(JSON.stringify(entry), resolveAuthKey());
-  writeFileSync5(pathFor(authDir, entry.role), ct);
+function releaseLock(path) {
+  if (existsSync7(path))
+    unlinkSync(path);
 }
-function readAuthState(authDir, role) {
-  const p = pathFor(authDir, role);
-  if (!existsSync8(p))
+function readLock(path) {
+  if (!existsSync7(path))
     return null;
-  const txt = readFileSync7(p, "utf8");
-  const plain = decrypt(txt, resolveAuthKey());
-  return AuthStateEntrySchema.parse(JSON.parse(plain));
-}
-// src/auth/refresh.ts
-var RE = /^(\d+)([hms])$/;
-function parseDuration(d) {
-  const m = RE.exec(d);
-  if (!m)
-    throw new Error(`Bad duration "${d}" \u2014 expected e.g. "8h", "30m", "45s"`);
-  const n = Number(m[1]);
-  const unit = m[2];
-  if (unit === "h")
-    return n * 3600 * 1000;
-  if (unit === "m")
-    return n * 60 * 1000;
-  return n * 1000;
+  return JSON.parse(readFileSync6(path, "utf8"));
 }
-function needsRefresh(entry, policy, now = new Date) {
-  if (!entry)
-    return true;
-  const ttlMs = parseDuration(policy.ttl);
-  const bufMs = parseDuration(policy.refreshBuffer);
-  const createdAt = new Date(entry.created_at).getTime();
-  if (now.getTime() - createdAt > ttlMs)
+function isLockStale(path) {
+  const lock = readLock(path);
+  if (!lock)
     return true;
-  const expiresAt = new Date(entry.expires_at).getTime();
-  if (expiresAt - now.getTime() < bufMs)
+  if (lock.hostname !== hostname()) {
+    return false;
+  }
+  try {
+    process.kill(lock.pid, 0);
+    return false;
+  } catch {
     return true;
-  return false;
+  }
+}
+function forceUnlock(path) {
+  releaseLock(path);
+}
+// src/logging/ndjson-logger.ts
+import { appendFileSync, existsSync as existsSync8, mkdirSync as mkdirSync6, readFileSync as readFileSync7 } from "fs";
+import { dirname as dirname4 } from "path";
+
+class NdjsonLogger {
+  path;
+  constructor(path) {
+    this.path = path;
+    mkdirSync6(dirname4(path), { recursive: true });
+  }
+  log(payload) {
+    const entry = { ts: new Date().toISOString(), ...payload };
+    appendFileSync(this.path, `${JSON.stringify(entry)}
+`);
+  }
+  static readAll(path) {
+    if (!existsSync8(path))
+      return [];
+    const txt = readFileSync7(path, "utf8").trim();
+    if (!txt)
+      return [];
+    return txt.split(`
+`).map((line) => JSON.parse(line));
+  }
 }
 
 // src/index.ts