@y80163442/naver-thin-runner 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,9 @@
+# Changelog
+
+## 0.1.0
+
+- initial public packaging metadata (`publishConfig.access=public`)
+- added `setup --setup-url` self-onboarding command
+- added `service install --mode runner|daemon|both`
+- added `doctor --json` machine-readable health output
+- added setup session status reporting (`READY_FOR_LOGIN` / `READY`)

package/README.md

@@ -0,0 +1,43 @@
+# @y80163442/naver-thin-runner
+
+Naver Blog Writer의 로컬 실행 클라이언트(thin runner)입니다.
+
+## 설치
+
+```bash
+npx @y80163442/naver-thin-runner --help
+```
+
+또는 전역 설치:
+
+```bash
+npm i -g @y80163442/naver-thin-runner
+```
+
+## 핵심 명령
+
+```bash
+naver-thin-runner setup --setup-url "https://<control-plane>/v2/onboarding/setup-sessions/start?setup_token=..." --auto-service both
+naver-thin-runner login
+naver-thin-runner start
+naver-thin-runner daemon start --port 19090
+naver-thin-runner doctor --json
+```
+
+## Self-Onboarding 흐름
+
+1. 판매자/운영자가 setup invite를 발급합니다.
+2. buyer는 `setup_url` 하나로 아래를 자동 실행합니다.
+- setup session 시작
+- runner 등록(onboarding token 소비)
+- optional service 설치(`--auto-service`)
+- health check(`doctor --json`)
+3. buyer가 네이버 로그인만 1회 수동으로 수행합니다.
+
+## 주의사항
+
+- 1차 지원 OS: macOS
+- launchd service 설치는 macOS만 지원합니다.
+- `login/start`는 repo 루트의 `dist/cli/index.js`(bridge)가 필요합니다.
+
+자세한 릴리즈/호환성 정책은 `/docs/THIN_RUNNER_RELEASE.md`를 참고하세요.

package/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "@y80163442/naver-thin-runner",
+  "version": "0.1.0",
+  "description": "Thin runner client for Naver Blog Writer control-plane",
+  "private": false,
+  "type": "commonjs",
+  "bin": {
+    "naver-thin-runner": "src/cli.js"
+  },
+  "scripts": {
+    "start": "node src/cli.js",
+    "test": "node -e \"console.log('no tests')\""
+  },
+  "files": [
+    "src/cli.js",
+    "README.md",
+    "CHANGELOG.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "license": "MIT"
+}

package/src/cli.js

@@ -0,0 +1,767 @@
+#!/usr/bin/env node
+const fs = require('node:fs');
+const os = require('node:os');
+const path = require('node:path');
+const crypto = require('node:crypto');
+const http = require('node:http');
+const { spawn } = require('node:child_process');
+
+const CONFIG_DIR = path.join(os.homedir(), '.config', 'naver-thin-runner');
+const CONFIG_PATH = path.join(CONFIG_DIR, 'config.json');
+const DEFAULT_DAEMON_PORT = 19090;
+const DEFAULT_RUNNER_SERVICE_LABEL = 'com.naver-blog-writer.thin-runner';
+const DEFAULT_DAEMON_SERVICE_LABEL = 'com.naver-blog-writer.thin-runner.daemon';
+
+const readRunnerVersion = () => {
+  try {
+    const packagePath = path.join(__dirname, '..', 'package.json');
+    const parsed = JSON.parse(fs.readFileSync(packagePath, 'utf8'));
+    if (parsed && typeof parsed.version === 'string' && parsed.version.trim()) {
+      return parsed.version.trim();
+    }
+  } catch {
+    // ignore
+  }
+  return '0.0.0';
+};
+
+const RUNNER_VERSION = readRunnerVersion();
+
+const parseArgs = (argv) => {
+  const out = { _: [] };
+  for (let i = 0; i < argv.length; i += 1) {
+    const token = argv[i];
+    if (!token.startsWith('--')) {
+      out._.push(token);
+      continue;
+    }
+
+    const key = token.slice(2);
+    const next = argv[i + 1];
+    if (!next || next.startsWith('--')) {
+      out[key] = true;
+      continue;
+    }
+
+    out[key] = next;
+    i += 1;
+  }
+  return out;
+};
+
+const ensureConfigDir = () => {
+  fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+};
+
+const saveConfig = (value) => {
+  ensureConfigDir();
+  fs.writeFileSync(CONFIG_PATH, `${JSON.stringify(value, null, 2)}\n`, { mode: 0o600 });
+};
+
+const loadConfig = () => {
+  if (!fs.existsSync(CONFIG_PATH)) {
+    throw new Error(`config missing: ${CONFIG_PATH}`);
+  }
+
+  const parsed = JSON.parse(fs.readFileSync(CONFIG_PATH, 'utf8'));
+  if (!parsed.serverUrl || !parsed.runnerApiKey || !parsed.runnerId || !parsed.localToken) {
+    throw new Error(`invalid config: ${CONFIG_PATH}`);
+  }
+  return parsed;
+};
+
+const printHelp = () => {
+  console.log(`naver-thin-runner (v${RUNNER_VERSION})
+
+Commands:
+  setup --setup-url <url> [--repo-root <path>] [--auto-service runner|daemon|both]
+  install --server-url <url> --onboarding-token <token> [--tenant-id <id>] [--repo-root <path>]
+  daemon start [--port 19090]
+  service install [--repo-root <path>] [--mode runner|daemon|both] [--label <runner-label>] [--daemon-label <daemon-label>] [--daemon-port <port>]
+  login [--repo-root <path>]
+  start [--repo-root <path>]
+  doctor [--json]
+  logs [--repo-root <path>] [--kind stdout|stderr|both] [--lines 120]
+`);
+};
+
+const requestJson = async (url, init = {}) => {
+  const response = await fetch(url, init);
+  const payload = await response.json().catch(() => ({}));
+  return {
+    ok: response.ok,
+    status: response.status,
+    payload,
+  };
+};
+
+const postJson = async (url, body, headers = {}) => {
+  const response = await requestJson(url, {
+    method: 'POST',
+    headers: {
+      'content-type': 'application/json',
+      ...headers,
+    },
+    body: JSON.stringify(body),
+  });
+
+  if (!response.ok) {
+    const reason = response.payload && typeof response.payload === 'object' && typeof response.payload.error === 'string'
+      ? response.payload.error
+      : 'request_failed';
+    throw new Error(`${response.status}:${reason}`);
+  }
+
+  return response.payload;
+};
+
+const detectRepoRoot = (override, configured) => {
+  if (override) {
+    return path.resolve(override);
+  }
+  if (configured) {
+    return path.resolve(configured);
+  }
+  return process.cwd();
+};
+
+const runNodeCli = (repoRoot, args, extraEnv = {}) => {
+  const cliPath = path.join(repoRoot, 'dist', 'cli', 'index.js');
+  if (!fs.existsSync(cliPath)) {
+    throw new Error(`runner bridge not found: ${cliPath}`);
+  }
+
+  return new Promise((resolve, reject) => {
+    const child = spawn(process.execPath, [cliPath, ...args], {
+      cwd: repoRoot,
+      stdio: 'inherit',
+      env: {
+        ...process.env,
+        ...extraEnv,
+      },
+    });
+
+    child.on('error', reject);
+    child.on('exit', (code) => {
+      if (code === 0) {
+        resolve();
+      } else {
+        reject(new Error(`child exited with code ${code ?? -1}`));
+      }
+    });
+  });
+};
+
+const parseMajorVersion = (version) => {
+  const value = String(version || '').trim();
+  if (!value) {
+    return null;
+  }
+  const major = Number.parseInt(value.split('.')[0], 10);
+  return Number.isFinite(major) ? major : null;
+};
+
+const postSetupSessionStatus = async (controlPlaneUrl, setupSessionId, setupSessionToken, status, lastError = null) => {
+  if (!controlPlaneUrl || !setupSessionId || !setupSessionToken) {
+    return;
+  }
+
+  try {
+    await postJson(
+      `${String(controlPlaneUrl).replace(/\/$/, '')}/v2/onboarding/setup-sessions/${encodeURIComponent(setupSessionId)}/status`,
+      {
+        status,
+        last_error: lastError,
+      },
+      {
+        'x-setup-session-token': setupSessionToken,
+      },
+    );
+  } catch {
+    // setup session status updates are best-effort
+  }
+};
+
+const cmdInstall = async (args, options = {}) => {
+  const serverUrl = String(args['server-url'] || '').trim();
+  const onboardingToken = String(args['onboarding-token'] || '').trim();
+  const tenantId = String(args['tenant-id'] || 'tenant-default').trim();
+  const repoRoot = detectRepoRoot(args['repo-root'], null);
+  const setupSession = options.setupSession && typeof options.setupSession === 'object'
+    ? options.setupSession
+    : null;
+
+  if (!serverUrl || !onboardingToken) {
+    throw new Error('install requires --server-url and --onboarding-token');
+  }
+
+  const registered = await postJson(
+    `${serverUrl.replace(/\/$/, '')}/v2/runners/register-with-token`,
+    {
+      onboarding_token: onboardingToken,
+      label: `thin-runner-${os.hostname()}`,
+    },
+  );
+
+  const localToken = crypto.randomBytes(24).toString('hex');
+  saveConfig({
+    serverUrl: serverUrl.replace(/\/$/, ''),
+    tenantId,
+    runnerId: registered.runner_id,
+    runnerApiKey: registered.api_key,
+    localToken,
+    repoRoot,
+    runnerVersion: RUNNER_VERSION,
+    installedAt: new Date().toISOString(),
+    setupSession: setupSession
+      ? {
+        id: setupSession.id,
+        token: setupSession.token,
+      }
+      : null,
+  });
+
+  const result = {
+    installed: true,
+    config_path: CONFIG_PATH,
+    runner_id: registered.runner_id,
+    tenant_id: registered.tenant_id,
+    local_daemon_token: localToken,
+    runner_version: RUNNER_VERSION,
+  };
+
+  if (!options.quiet) {
+    console.log(JSON.stringify(result, null, 2));
+  }
+
+  return result;
+};
+
+const cmdDaemonStart = async (args) => {
+  const cfg = loadConfig();
+  const port = Number.parseInt(String(args.port || DEFAULT_DAEMON_PORT), 10);
+  const sealKey = crypto.createHash('sha256').update(cfg.localToken).digest();
+
+  const writeJson = (res, statusCode, payload) => {
+    const body = Buffer.from(JSON.stringify(payload, null, 2));
+    res.statusCode = statusCode;
+    res.setHeader('Content-Type', 'application/json; charset=utf-8');
+    res.setHeader('Content-Length', String(body.length));
+    res.end(body);
+  };
+
+  const parseBody = (req) => new Promise((resolve, reject) => {
+    const chunks = [];
+    req.on('data', (chunk) => chunks.push(Buffer.from(chunk)));
+    req.on('end', () => {
+      try {
+        const text = chunks.length ? Buffer.concat(chunks).toString('utf8') : '{}';
+        resolve(JSON.parse(text || '{}'));
+      } catch (error) {
+        reject(error);
+      }
+    });
+    req.on('error', reject);
+  });
+
+  const isAuthorized = (req) => {
+    const token = req.headers['x-local-token'];
+    const value = Array.isArray(token) ? token[0] : token;
+    return typeof value === 'string' && value === cfg.localToken;
+  };
+
+  const server = http.createServer(async (req, res) => {
+    if (!req.url || !req.method) {
+      return writeJson(res, 400, { error: 'INVALID_REQUEST' });
+    }
+
+    if (!isAuthorized(req)) {
+      return writeJson(res, 401, { error: 'UNAUTHORIZED' });
+    }
+
+    if (req.method === 'GET' && req.url === '/v1/local/identity') {
+      const attest = await postJson(
+        `${cfg.serverUrl}/v2/runners/attest`,
+        { ttl_seconds: 120 },
+        { 'x-runner-api-key': cfg.runnerApiKey },
+      );
+
+      return writeJson(res, 200, {
+        runner_id: cfg.runnerId,
+        tenant_id: cfg.tenantId,
+        runner_public_key: null,
+        runner_attestation: attest.runner_attestation,
+        attestation_expires_at: attest.expires_at,
+      });
+    }
+
+    if (req.method === 'POST' && req.url === '/v1/local/seal-job') {
+      let body;
+      try {
+        body = await parseBody(req);
+      } catch {
+        return writeJson(res, 400, { error: 'INVALID_JSON' });
+      }
+
+      const title = typeof body.title === 'string' ? body.title.trim() : '';
+      const bodyMarkdown = typeof body.body_markdown === 'string' ? body.body_markdown : '';
+      const tags = Array.isArray(body.tags) ? body.tags.filter((tag) => typeof tag === 'string') : [];
+      const publishAt = typeof body.publish_at === 'string' ? body.publish_at : null;
+      const idempotencyKey = typeof body.idempotency_key === 'string' && body.idempotency_key.trim().length > 0
+        ? body.idempotency_key.trim()
+        : crypto.randomUUID();
+
+      if (!title || !bodyMarkdown) {
+        return writeJson(res, 400, { error: 'title and body_markdown are required' });
+      }
+
+      const clearPayload = {
+        title,
+        body_markdown: bodyMarkdown,
+        tags,
+        publish_at: publishAt,
+      };
+
+      const iv = crypto.randomBytes(12);
+      const cipher = crypto.createCipheriv('aes-256-gcm', sealKey, iv);
+      const encrypted = Buffer.concat([
+        cipher.update(Buffer.from(JSON.stringify(clearPayload), 'utf8')),
+        cipher.final(),
+      ]);
+      const authTag = cipher.getAuthTag();
+      const ciphertext = Buffer.concat([encrypted, authTag]).toString('base64url');
+
+      const sealedPayload = {
+        ciphertext,
+        nonce: iv.toString('base64url'),
+        ephemeral_pubkey: 'aes-gcm-local',
+        schema_version: 'sealed-aes-gcm-v1',
+      };
+
+      const payloadDigest = crypto.createHash('sha256').update(JSON.stringify(sealedPayload)).digest('hex');
+      return writeJson(res, 200, {
+        idempotency_key: idempotencyKey,
+        sealed_payload: sealedPayload,
+        payload_digest: payloadDigest,
+      });
+    }
+
+    return writeJson(res, 404, { error: 'NOT_FOUND' });
+  });
+
+  await new Promise((resolve, reject) => {
+    server.listen(port, '127.0.0.1', () => resolve());
+    server.on('error', reject);
+  });
+
+  console.log(`thin-runner daemon started on 127.0.0.1:${port}`);
+  await new Promise(() => {});
+};
+
+const createLaunchdPlist = (params) => {
+  const argsXml = params.programArgs.map((value) => `    <string>${value}</string>`).join('\n');
+  return `<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0">\n<dict>\n  <key>Label</key>\n  <string>${params.label}</string>\n  <key>ProgramArguments</key>\n  <array>\n${argsXml}\n  </array>\n  <key>RunAtLoad</key>\n  <true/>\n  <key>KeepAlive</key>\n  <true/>\n  <key>StandardOutPath</key>\n  <string>${params.stdoutPath}</string>\n  <key>StandardErrorPath</key>\n  <string>${params.stderrPath}</string>\n</dict>\n</plist>\n`;
+};
+
+const installLaunchdService = (params) => {
+  const plistPath = path.join(os.homedir(), 'Library', 'LaunchAgents', `${params.label}.plist`);
+  fs.mkdirSync(path.dirname(plistPath), { recursive: true });
+  fs.writeFileSync(plistPath, createLaunchdPlist(params), 'utf8');
+  return {
+    label: params.label,
+    plist: plistPath,
+  };
+};
+
+const cmdServiceInstall = async (args, options = {}) => {
+  if (process.platform !== 'darwin') {
+    throw new Error('service install currently supports macOS launchd only');
+  }
+
+  const cfg = loadConfig();
+  const repoRoot = detectRepoRoot(args['repo-root'], cfg.repoRoot);
+  const modeRaw = String(args.mode || 'runner').trim().toLowerCase();
+  const mode = modeRaw || 'runner';
+  if (!['runner', 'daemon', 'both'].includes(mode)) {
+    throw new Error('service install --mode must be runner|daemon|both');
+  }
+
+  const daemonPort = Number.parseInt(String(args['daemon-port'] || DEFAULT_DAEMON_PORT), 10);
+  const runnerLabel = String(args.label || DEFAULT_RUNNER_SERVICE_LABEL).trim();
+  const daemonLabel = String(args['daemon-label'] || `${runnerLabel}.daemon` || DEFAULT_DAEMON_SERVICE_LABEL).trim();
+
+  const logDir = path.join(repoRoot, 'data');
+  fs.mkdirSync(logDir, { recursive: true });
+
+  const installed = [];
+
+  if (mode === 'runner' || mode === 'both') {
+    installed.push(installLaunchdService({
+      label: runnerLabel,
+      programArgs: [
+        process.execPath,
+        path.join(__dirname, 'cli.js'),
+        'start',
+        '--repo-root',
+        repoRoot,
+      ],
+      stdoutPath: path.join(logDir, 'thin-runner.stdout.log'),
+      stderrPath: path.join(logDir, 'thin-runner.stderr.log'),
+    }));
+  }
+
+  if (mode === 'daemon' || mode === 'both') {
+    installed.push(installLaunchdService({
+      label: daemonLabel,
+      programArgs: [
+        process.execPath,
+        path.join(__dirname, 'cli.js'),
+        'daemon',
+        'start',
+        '--port',
+        String(daemonPort),
+      ],
+      stdoutPath: path.join(logDir, 'thin-runner-daemon.stdout.log'),
+      stderrPath: path.join(logDir, 'thin-runner-daemon.stderr.log'),
+    }));
+  }
+
+  const result = {
+    installed: true,
+    mode,
+    services: installed,
+    note: 'LaunchAgent plist files created. Load with launchctl if not auto-loaded.',
+  };
+
+  if (!options.quiet) {
+    console.log(JSON.stringify(result, null, 2));
+  }
+
+  return result;
+};
+
+const cmdLogin = async (args) => {
+  const cfg = loadConfig();
+  const repoRoot = detectRepoRoot(args['repo-root'], cfg.repoRoot);
+
+  try {
+    await runNodeCli(repoRoot, ['runner', 'login'], {
+      ACP_RUNNER_SERVER_URL: cfg.serverUrl,
+      ACP_RUNNER_API_KEY: cfg.runnerApiKey,
+      ACP_RUNNER_ID: cfg.runnerId,
+      ACP_RUNNER_TENANT_ID: cfg.tenantId,
+      THIN_RUNNER_LOCAL_TOKEN: cfg.localToken,
+    });
+
+    const setupSession = cfg.setupSession && typeof cfg.setupSession === 'object'
+      ? cfg.setupSession
+      : null;
+
+    if (setupSession && setupSession.id && setupSession.token) {
+      await postSetupSessionStatus(cfg.serverUrl, setupSession.id, setupSession.token, 'READY', null);
+      const updated = {
+        ...cfg,
+        setupSession: null,
+        readyAt: new Date().toISOString(),
+      };
+      saveConfig(updated);
+    }
+  } catch (error) {
+    const setupSession = cfg.setupSession && typeof cfg.setupSession === 'object'
+      ? cfg.setupSession
+      : null;
+
+    if (setupSession && setupSession.id && setupSession.token) {
+      await postSetupSessionStatus(
+        cfg.serverUrl,
+        setupSession.id,
+        setupSession.token,
+        'READY_FOR_LOGIN',
+        error instanceof Error ? error.message : String(error),
+      );
+    }
+
+    throw error;
+  }
+};
+
+const cmdStart = async (args) => {
+  const cfg = loadConfig();
+  const repoRoot = detectRepoRoot(args['repo-root'], cfg.repoRoot);
+  await runNodeCli(repoRoot, ['runner', 'start'], {
+    ACP_RUNNER_SERVER_URL: cfg.serverUrl,
+    ACP_RUNNER_API_KEY: cfg.runnerApiKey,
+    ACP_RUNNER_ID: cfg.runnerId,
+    ACP_RUNNER_TENANT_ID: cfg.tenantId,
+    THIN_RUNNER_LOCAL_TOKEN: cfg.localToken,
+  });
+};
+
+const cmdDoctor = async (args = {}, options = {}) => {
+  const cfg = loadConfig();
+
+  let heartbeatOk = false;
+  let heartbeatStatus = 0;
+  let heartbeatError = null;
+
+  try {
+    const heartbeat = await fetch(`${cfg.serverUrl}/v1/runners/heartbeat`, {
+      method: 'POST',
+      headers: {
+        'content-type': 'application/json',
+        'x-runner-api-key': cfg.runnerApiKey,
+      },
+      body: JSON.stringify({ status: 'ready' }),
+    });
+    heartbeatOk = heartbeat.ok;
+    heartbeatStatus = heartbeat.status;
+  } catch (error) {
+    heartbeatError = error instanceof Error ? error.message : String(error);
+  }
+
+  let versionInfo = null;
+  try {
+    const versionRes = await requestJson(`${cfg.serverUrl}/v2/version`, {
+      method: 'GET',
+      headers: {
+        accept: 'application/json',
+      },
+    });
+
+    if (versionRes.ok && versionRes.payload && typeof versionRes.payload === 'object') {
+      versionInfo = versionRes.payload;
+    }
+  } catch {
+    // ignore version check failures
+  }
+
+  const runnerMajor = parseMajorVersion(RUNNER_VERSION);
+  const supportedMajor = versionInfo && Number.isFinite(Number(versionInfo.supported_runner_major))
+    ? Number(versionInfo.supported_runner_major)
+    : null;
+
+  const versionCompatible = supportedMajor === null || runnerMajor === null
+    ? null
+    : runnerMajor === supportedMajor;
+
+  const report = {
+    ok: heartbeatOk && versionCompatible !== false,
+    config_path: CONFIG_PATH,
+    runner_id: cfg.runnerId,
+    tenant_id: cfg.tenantId,
+    server_url: cfg.serverUrl,
+    runner_version: RUNNER_VERSION,
+    heartbeat_ok: heartbeatOk,
+    heartbeat_status: heartbeatStatus,
+    heartbeat_error: heartbeatError,
+    protocol: versionInfo
+      ? {
+        service_version: versionInfo.service_version || null,
+        protocol_version: versionInfo.protocol_version || null,
+        min_runner_version: versionInfo.min_runner_version || null,
+        supported_runner_major: supportedMajor,
+      }
+      : null,
+    version_compatible: versionCompatible,
+  };
+
+  const wantsJson = Boolean(args.json);
+  if (wantsJson || options.quiet) {
+    if (!options.quiet) {
+      console.log(JSON.stringify(report, null, 2));
+    }
+    return report;
+  }
+
+  console.log(`runner_id=${report.runner_id}`);
+  console.log(`tenant_id=${report.tenant_id}`);
+  console.log(`server_url=${report.server_url}`);
+  console.log(`runner_version=${report.runner_version}`);
+  console.log(`heartbeat_ok=${report.heartbeat_ok} (status=${report.heartbeat_status})`);
+  if (report.heartbeat_error) {
+    console.log(`heartbeat_error=${report.heartbeat_error}`);
+  }
+  if (report.protocol) {
+    console.log(`protocol_version=${report.protocol.protocol_version}`);
+    console.log(`service_version=${report.protocol.service_version}`);
+    console.log(`min_runner_version=${report.protocol.min_runner_version}`);
+    console.log(`supported_runner_major=${report.protocol.supported_runner_major}`);
+    console.log(`version_compatible=${report.version_compatible}`);
+  }
+
+  return report;
+};
+
+const cmdSetup = async (args) => {
+  const setupUrl = String(args['setup-url'] || '').trim();
+  const autoService = String(args['auto-service'] || '').trim().toLowerCase();
+  const repoRoot = args['repo-root'] ? String(args['repo-root']).trim() : null;
+
+  if (!setupUrl) {
+    throw new Error('setup requires --setup-url');
+  }
+
+  let controlPlaneUrl = null;
+  let setupSessionId = null;
+  let setupSessionToken = null;
+
+  const reportFailure = async (message) => {
+    if (!controlPlaneUrl || !setupSessionId || !setupSessionToken) {
+      return;
+    }
+
+    await postSetupSessionStatus(
+      controlPlaneUrl,
+      setupSessionId,
+      setupSessionToken,
+      'WAITING_INSTALL',
+      message,
+    );
+  };
+
+  try {
+    const started = await postJson(setupUrl, {
+      client_meta: {
+        host: os.hostname(),
+        platform: process.platform,
+        arch: process.arch,
+        runner_version: RUNNER_VERSION,
+      },
+    });
+
+    const onboardingToken = typeof started.onboarding_token === 'string' ? started.onboarding_token.trim() : '';
+    controlPlaneUrl = typeof started.control_plane_url === 'string' ? started.control_plane_url.trim().replace(/\/$/, '') : null;
+    setupSessionId = typeof started.setup_session_id === 'string' ? started.setup_session_id.trim() : null;
+    setupSessionToken = typeof started.setup_session_token === 'string' ? started.setup_session_token.trim() : null;
+    const tenantId = typeof started.tenant_id === 'string' ? started.tenant_id.trim() : 'tenant-default';
+
+    if (!onboardingToken || !controlPlaneUrl || !setupSessionId || !setupSessionToken) {
+      throw new Error('setup response missing required fields');
+    }
+
+    const installResult = await cmdInstall({
+      'server-url': controlPlaneUrl,
+      'onboarding-token': onboardingToken,
+      'tenant-id': tenantId,
+      'repo-root': repoRoot || undefined,
+    }, {
+      quiet: true,
+      setupSession: {
+        id: setupSessionId,
+        token: setupSessionToken,
+      },
+    });
+
+    if (autoService) {
+      if (!['runner', 'daemon', 'both'].includes(autoService)) {
+        throw new Error('setup --auto-service must be runner|daemon|both');
+      }
+
+      await cmdServiceInstall({
+        'repo-root': repoRoot || undefined,
+        mode: autoService,
+      }, { quiet: true });
+    }
+
+    const doctor = await cmdDoctor({ json: true }, { quiet: true });
+
+    await postSetupSessionStatus(controlPlaneUrl, setupSessionId, setupSessionToken, 'READY_FOR_LOGIN', null);
+
+    console.log(JSON.stringify({
+      setup_completed: true,
+      setup_session_id: setupSessionId,
+      runner_id: installResult.runner_id,
+      tenant_id: installResult.tenant_id,
+      doctor_ok: doctor.ok,
+      config_path: installResult.config_path,
+      next_actions: [
+        'Run: npx @y80163442/naver-thin-runner login',
+        'After login, run: npx @y80163442/naver-thin-runner start',
+        'Start local daemon if needed: npx @y80163442/naver-thin-runner daemon start',
+      ],
+    }, null, 2));
+  } catch (error) {
+    await reportFailure(error instanceof Error ? error.message : String(error));
+    throw error;
+  }
+};
+
+const cmdLogs = async (args) => {
+  const cfg = loadConfig();
+  const repoRoot = detectRepoRoot(args['repo-root'], cfg.repoRoot);
+  const kind = String(args.kind || 'both');
+  const lines = Number.parseInt(String(args.lines || 120), 10);
+  const takeTail = (input) => input.split(/\r?\n/).slice(-Math.max(1, lines)).join('\n');
+
+  const stdoutPath = path.join(repoRoot, 'data', 'runner.stdout.log');
+  const stderrPath = path.join(repoRoot, 'data', 'runner.stderr.log');
+
+  if (kind === 'stdout' || kind === 'both') {
+    const text = fs.existsSync(stdoutPath) ? fs.readFileSync(stdoutPath, 'utf8') : '';
+    console.log(`\n[stdout] ${stdoutPath}`);
+    console.log(text ? takeTail(text) : '(empty)');
+  }
+
+  if (kind === 'stderr' || kind === 'both') {
+    const text = fs.existsSync(stderrPath) ? fs.readFileSync(stderrPath, 'utf8') : '';
+    console.log(`\n[stderr] ${stderrPath}`);
+    console.log(text ? takeTail(text) : '(empty)');
+  }
+};
+
+const main = async () => {
+  const args = parseArgs(process.argv.slice(2));
+  const [command, subcommand] = args._;
+
+  if (!command) {
+    printHelp();
+    return;
+  }
+
+  if (command === 'setup') {
+    await cmdSetup(args);
+    return;
+  }
+
+  if (command === 'install') {
+    await cmdInstall(args);
+    return;
+  }
+
+  if (command === 'daemon' && subcommand === 'start') {
+    await cmdDaemonStart(args);
+    return;
+  }
+
+  if (command === 'service' && subcommand === 'install') {
+    await cmdServiceInstall(args);
+    return;
+  }
+
+  if (command === 'login') {
+    await cmdLogin(args);
+    return;
+  }
+
+  if (command === 'start') {
+    await cmdStart(args);
+    return;
+  }
+
+  if (command === 'doctor') {
+    await cmdDoctor(args);
+    return;
+  }
+
+  if (command === 'logs') {
+    await cmdLogs(args);
+    return;
+  }
+
+  printHelp();
+};
+
+main().catch((error) => {
+  console.error(error instanceof Error ? error.message : String(error));
+  process.exit(1);
+});