@zonko-ai/harbor 0.1.0

package/dist/index.js

@@ -0,0 +1,941 @@
+#!/usr/bin/env node
+import { spawn } from 'node:child_process';
+import { createInterface } from 'node:readline/promises';
+import { Writable } from 'node:stream';
+import { goke } from 'goke';
+import { runHarborMcpCli } from './mcp/index.js';
+import { ApiError, approveRequest, claimAgent, createComposioLinkSession, deleteComposioServiceRoute, deleteSecretReference, ensureLocalOwnerSession, fetchCapability, fetchCatalog, fetchComposioLinkSession, fetchComposioService, fetchHealth, fetchWhoAmI, getSecretReference, listSecretReferences, setComposioServiceRoute, setSecretReference, startExecution, } from './api.js';
+import { findCapability, registerCapabilityCommands } from './capabilities.js';
+import { streamExecutionForeground } from './foreground.js';
+import { CliInputError, getOutputMode, renderApprove, renderClaim, renderComposioLinkSession, renderComposioRoute, renderComposioService, renderDevDown, renderDevUp, renderError, renderExecutionStart, renderInspect, renderLocalDaemonLog, renderLocalDaemonStatus, renderLs, renderProfileCleanup, renderProfileCurrent, renderProfileList, renderSecretReference, renderSecretReferenceDeleted, renderSecretReferenceList, renderSetup, renderStatus, renderWhoAmI, withOwner, } from './output.js';
+import { buildCapabilityPassthroughInput, buildCapabilityPassthroughUsage, isCapabilitySlugCandidate, passthroughAllowsJson, shouldBootstrapCapabilitiesForCommand, supportsArgvPassthrough, } from './passthrough.js';
+import { classifyCommandForLocalRuntime, ensureLocalDevCommandProfile, ensureLocalRuntimeForCommand, fetchLocalDaemonStatus, persistLocalProfileSessionState, readLocalDaemonLog, stopLocalRuntime, } from './local-daemon.js';
+import { clearProfileSession, deleteProfile, getActiveProfileSlug, getCatalog, getProfile, listProfiles, normalizeProfileSlug, profileExists, saveCatalog, saveProfile, setActiveProfile, } from './state.js';
+import { CLI_PACKAGE_VERSION } from './constants.js';
+const VERSION = CLI_PACKAGE_VERSION;
+const rawUserArgv = () => process.argv.slice(2);
+const commandArgIndex = (command, argv = rawUserArgv()) => argv.indexOf(command);
+const bootstrapModeFromArgvForCommand = (command) => {
+    const argv = rawUserArgv();
+    const commandIndex = command ? commandArgIndex(command, argv) : -1;
+    const modeArgs = commandIndex >= 0 ? argv.slice(0, commandIndex) : argv;
+    if (modeArgs.includes('--json')) {
+        return 'json';
+    }
+    if (modeArgs.includes('--plain')) {
+        return 'plain';
+    }
+    return 'human';
+};
+const commandTokensFromArgv = (argv = rawUserArgv()) => {
+    const tokens = [];
+    for (let index = 0; index < argv.length; index += 1) {
+        const arg = argv[index];
+        if (arg === '--profile') {
+            index += 1;
+            continue;
+        }
+        if (arg.startsWith('--profile=')) {
+            continue;
+        }
+        if (arg.startsWith('-')) {
+            continue;
+        }
+        tokens.push(arg);
+    }
+    return tokens;
+};
+const bootstrapModeFromArgv = () => bootstrapModeFromArgvForCommand(firstCommandArg());
+const firstCommandArg = () => commandTokensFromArgv()[0] ?? null;
+const loadBootstrapCatalog = async () => {
+    try {
+        return await fetchCatalog();
+    }
+    catch {
+        return getCatalog()?.capabilities ?? [];
+    }
+};
+const bootstrapCapabilitiesForCommand = async (command) => {
+    const cachedCapabilities = getCatalog()?.capabilities ?? [];
+    if (!shouldBootstrapCapabilitiesForCommand(command)) {
+        return cachedCapabilities;
+    }
+    if (command && findCapability(cachedCapabilities, command)) {
+        return cachedCapabilities;
+    }
+    return await loadBootstrapCatalog();
+};
+const withCommandErrorHandling = (handler) => async (...args) => {
+    const options = (args.length > 0 ? args[args.length - 1] : {});
+    const mode = getOutputMode(options);
+    try {
+        await handler(...args);
+    }
+    catch (error) {
+        renderError(mode, error);
+        process.exitCode = 1;
+    }
+};
+const resolveOptionValue = (positionalValue, optionValue, flagName, message, invocation, note) => {
+    if (optionValue === true) {
+        throw new CliInputError(`Flag ${flagName} requires a value.`, invocation, note);
+    }
+    const value = positionalValue ?? optionValue;
+    if (typeof value !== 'string' || value.length === 0) {
+        throw new CliInputError(message, invocation, note);
+    }
+    return value;
+};
+const stripTrailingLineEnding = (value) => value.replace(/\r?\n$/, '');
+const readStdin = async () => {
+    let value = '';
+    process.stdin.setEncoding('utf8');
+    for await (const chunk of process.stdin) {
+        value += chunk;
+    }
+    return stripTrailingLineEnding(value);
+};
+const promptHidden = async (prompt) => {
+    let muted = false;
+    const output = new Writable({
+        write(chunk, encoding, callback) {
+            if (!muted) {
+                process.stderr.write(chunk, encoding);
+            }
+            callback();
+        },
+    });
+    const readline = createInterface({
+        input: process.stdin,
+        output,
+        terminal: true,
+    });
+    try {
+        process.stderr.write(prompt);
+        muted = true;
+        const value = await readline.question('');
+        process.stderr.write('\n');
+        return value;
+    }
+    finally {
+        muted = false;
+        readline.close();
+    }
+};
+const readSecretValue = async (options, invocation) => {
+    if (options.value === true) {
+        throw new CliInputError('Flag --value requires a value.', invocation);
+    }
+    if (typeof options.value === 'string') {
+        process.stderr.write('Warning: --value exposes the secret in your shell history. Prefer stdin when possible.\n');
+        return options.value;
+    }
+    if (process.stdin.isTTY === false) {
+        return readStdin();
+    }
+    return promptHidden('Secret value: ');
+};
+const SETUP_INVOCATION = 'harbor setup [api-url]';
+const promptWithDefault = async (label, defaultValue) => {
+    if (process.stdin.isTTY === false) {
+        return defaultValue;
+    }
+    const readline = createInterface({
+        input: process.stdin,
+        output: process.stderr,
+        terminal: true,
+    });
+    try {
+        const answer = await readline.question(`${label} [${defaultValue}]: `);
+        const value = answer.trim();
+        return value.length > 0 ? value : defaultValue;
+    }
+    finally {
+        readline.close();
+    }
+};
+const resolveSetupValue = async (explicitValue, envValue, label, defaultValue, flagName) => {
+    if (explicitValue === true && flagName) {
+        throw new CliInputError(`Flag ${flagName} requires a value.`, SETUP_INVOCATION);
+    }
+    if (typeof explicitValue === 'string' && explicitValue.trim().length > 0) {
+        return explicitValue.trim();
+    }
+    if (typeof envValue === 'string' && envValue.trim().length > 0) {
+        return envValue.trim();
+    }
+    return promptWithDefault(label, defaultValue);
+};
+const resolveSetupMetadataUrl = (target) => {
+    const trimmed = target.trim().replace(/\/$/, '');
+    if (trimmed.length === 0) {
+        throw new CliInputError('Missing Harbor API URL.', SETUP_INVOCATION);
+    }
+    if (trimmed.endsWith('/.well-known/harbor.json')) {
+        return trimmed;
+    }
+    return `${trimmed}/.well-known/harbor.json`;
+};
+const readRequiredManifestString = (record, key) => {
+    const value = record[key];
+    if (typeof value !== 'string' || value.length === 0) {
+        throw new Error(`Harbor manifest is missing required field: ${key}`);
+    }
+    return value;
+};
+const readOptionalManifestString = (record, key) => {
+    const value = record[key];
+    return typeof value === 'string' && value.length > 0 ? value : null;
+};
+const fetchSetupManifest = async (target) => {
+    const metadataUrl = resolveSetupMetadataUrl(target);
+    let response;
+    try {
+        response = await fetch(metadataUrl);
+    }
+    catch (error) {
+        throw new Error(`Failed to fetch Harbor manifest from ${metadataUrl}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    if (!response.ok) {
+        throw new Error(`Failed to fetch Harbor manifest from ${metadataUrl}: HTTP ${response.status}`);
+    }
+    const payload = await response.json();
+    if (typeof payload !== 'object' || payload === null) {
+        throw new Error('Harbor manifest response is not a JSON object');
+    }
+    const record = payload;
+    const schemaVersion = readRequiredManifestString(record, 'schema_version');
+    if (schemaVersion !== 'harbor.compatibility.v2' && schemaVersion !== 'harbor.deployment.v1') {
+        throw new Error(`Unsupported Harbor manifest schema version: ${schemaVersion}`);
+    }
+    return {
+        schema_version: schemaVersion,
+        environment: readRequiredManifestString(record, 'environment'),
+        api_url: readRequiredManifestString(record, 'api_url'),
+        dashboard_url: readRequiredManifestString(record, 'dashboard_url'),
+        auth_url: readRequiredManifestString(record, 'auth_url'),
+        metadata_url: readRequiredManifestString(record, 'metadata_url'),
+        catalog_stage: readRequiredManifestString(record, 'catalog_stage'),
+        runner_mode: readRequiredManifestString(record, 'runner_mode'),
+        deployment_revision: readOptionalManifestString(record, 'deployment_revision'),
+        package_version: readOptionalManifestString(record, 'package_version'),
+        minimum_cli_version: readOptionalManifestString(record, 'minimum_cli_version'),
+        minimum_runner_version: readOptionalManifestString(record, 'minimum_runner_version'),
+        api_protocol: record.api_protocol,
+        supported_daemon_protocols: record.supported_daemon_protocols,
+        supported_runner_protocols: record.supported_runner_protocols,
+    };
+};
+const writeSetupProfile = (manifest, profileSlug) => {
+    const existing = getProfile(profileSlug);
+    const sameApi = existing.api_url === manifest.api_url;
+    saveProfile({
+        profile_slug: profileSlug,
+        api_url: manifest.api_url,
+        auth_url: manifest.auth_url,
+        dashboard_url: manifest.dashboard_url,
+        metadata_url: manifest.metadata_url,
+        environment: manifest.environment,
+        deployment_revision: manifest.deployment_revision,
+        catalog_stage: manifest.catalog_stage,
+        runner_mode: manifest.runner_mode,
+        api_protocol: manifest.api_protocol,
+        supported_daemon_protocols: manifest.supported_daemon_protocols,
+        supported_runner_protocols: manifest.supported_runner_protocols,
+        package_version: manifest.package_version,
+        minimum_cli_version: manifest.minimum_cli_version,
+        minimum_runner_version: manifest.minimum_runner_version,
+        agent_id: sameApi ? existing.agent_id : null,
+        owner_scope_id: sameApi ? existing.owner_scope_id : null,
+        owner: sameApi ? existing.owner : null,
+        owner_display_name: sameApi ? existing.owner_display_name : null,
+        owner_token: sameApi ? existing.owner_token : null,
+        owner_token_expires_at: sameApi ? existing.owner_token_expires_at : null,
+        agent_token: sameApi ? existing.agent_token : null,
+        token_expires_at: sameApi ? existing.token_expires_at : null,
+        pending_claim_display_name: sameApi ? existing.pending_claim_display_name : null,
+        pending_claim_approval_id: sameApi ? existing.pending_claim_approval_id : null,
+    }, profileSlug);
+    setActiveProfile(profileSlug);
+};
+const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+const openBrowser = (url) => {
+    if (!url) {
+        return;
+    }
+    if (process.platform === 'darwin') {
+        spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
+        return;
+    }
+    if (process.platform === 'win32') {
+        spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true, shell: false }).unref();
+        return;
+    }
+    spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();
+};
+const parseWaitSeconds = (value, invocation) => {
+    if (value === undefined) {
+        return 180;
+    }
+    if (value === true) {
+        throw new CliInputError('Flag --wait-seconds requires a value.', invocation);
+    }
+    const seconds = Number.parseInt(String(value), 10);
+    if (!Number.isFinite(seconds) || seconds <= 0) {
+        throw new CliInputError('Flag --wait-seconds must be a positive integer.', invocation);
+    }
+    return seconds;
+};
+const parseLogLines = (value, invocation) => {
+    if (value === undefined) {
+        return 40;
+    }
+    if (value === true) {
+        throw new CliInputError('Flag --lines requires a value.', invocation);
+    }
+    const lines = Number.parseInt(String(value), 10);
+    if (!Number.isFinite(lines) || lines <= 0) {
+        throw new CliInputError('Flag --lines must be a positive integer.', invocation);
+    }
+    return lines;
+};
+const waitForComposioLinkSession = async (linkSessionId, waitSeconds) => {
+    const deadline = Date.now() + waitSeconds * 1000;
+    let session = await fetchComposioLinkSession(linkSessionId);
+    while (session.status === 'pending' && Date.now() < deadline) {
+        await sleep(2_000);
+        session = await fetchComposioLinkSession(linkSessionId);
+    }
+    return session;
+};
+const parseApprovalConflictStatus = (error) => {
+    if (error.status !== 409) {
+        return null;
+    }
+    const match = error.message.match(/^Approval is already ([a-z_]+)\.$/i);
+    return match?.[1] ?? null;
+};
+const persistSessionState = async (updates) => {
+    if (await persistLocalProfileSessionState(updates)) {
+        return;
+    }
+    saveProfile(updates);
+};
+const encodePosixToken = (token) => {
+    if (token.length === 0) {
+        return "''";
+    }
+    if (/^[A-Za-z0-9_./:-]+$/.test(token)) {
+        return token;
+    }
+    return `'${token.replace(/'/g, `'"'"'`)}'`;
+};
+const encodePosixCommand = (tokens) => tokens.map(encodePosixToken).join(' ');
+const renderCapabilityPassthroughUsage = (capability) => {
+    process.stdout.write(buildCapabilityPassthroughUsage(capability, VERSION));
+};
+const runCapabilityPassthrough = async (capability) => {
+    const mode = bootstrapModeFromArgvForCommand(capability.slug);
+    if (mode === 'json' && !passthroughAllowsJson(capability)) {
+        throw new CliInputError(`JSON output is not supported for harbor ${capability.slug}.`, `harbor ${capability.slug}`, 'This passthrough capability streams foreground output. Use default output or `--plain`.');
+    }
+    const argv = rawUserArgv();
+    const capabilityIndex = commandArgIndex(capability.slug, argv);
+    const capabilityArgv = capabilityIndex >= 0 ? argv.slice(capabilityIndex + 1) : [];
+    if (capabilityArgv.length === 0 || (capabilityArgv.length === 1 && (capabilityArgv[0] === '--help' || capabilityArgv[0] === '-h'))) {
+        renderCapabilityPassthroughUsage(capability);
+        return;
+    }
+    const result = await startExecution(capability.slug, buildCapabilityPassthroughInput(capability, encodePosixCommand(capabilityArgv)));
+    if (result.status !== 'accepted' || !result.execution_id) {
+        renderExecutionStart(mode, result);
+        if (result.status !== 'accepted') {
+            process.exitCode = 1;
+        }
+        return;
+    }
+    const status = await streamExecutionForeground(mode, result.execution_id);
+    if (status.state === 'failed' || status.state === 'cancelled') {
+        if (status.error_message) {
+            process.stderr.write(`${status.error_message}\n`);
+        }
+        process.exitCode = typeof status.exit_code === 'number' && status.exit_code !== 0 ? status.exit_code : 1;
+    }
+};
+const buildCli = (capabilities) => {
+    const cli = goke('harbor');
+    cli.option('--plain', 'Stable key=value output');
+    cli.option('--json', 'JSON output');
+    cli.option('--profile [profile]', 'Use a named Harbor profile for this command');
+    cli.version(VERSION);
+    cli.help();
+    cli
+        .example('harbor auth --help')
+        .example('harbor ls --plain');
+    cli
+        .command('mcp', 'Expose Harbor capabilities as an MCP server (stdio only)')
+        .example('harbor mcp')
+        .action(withCommandErrorHandling(async () => {
+        await runHarborMcpCli();
+    }));
+    cli
+        .command('dev', 'Manage the local Harbor daemon.\n\nSubcommands:\n  up      Start or adopt the local Harbor runtime\n  down    Stop the local Harbor runtime\n  status  Show local daemon state\n  logs    Read daemon-managed local logs')
+        .example('harbor dev up --plain')
+        .example('harbor dev status --plain');
+    cli
+        .command('dev up', 'Start or adopt the local Harbor runtime')
+        .example('harbor dev up --plain')
+        .action(withCommandErrorHandling(async (options) => {
+        ensureLocalDevCommandProfile();
+        const mode = getOutputMode(options);
+        const status = await fetchLocalDaemonStatus(true);
+        if (!status) {
+            throw new Error('Local Harbor daemon did not return status.');
+        }
+        renderDevUp(mode, {
+            status: status.ready_state === 'ready' ? 'ok' : status.ready_state,
+            profile: status.profile_slug,
+            api_url: status.api_url,
+            auth_url: status.auth_url,
+        });
+    }));
+    cli
+        .command('dev down', 'Stop the local Harbor runtime')
+        .example('harbor dev down --plain')
+        .action(withCommandErrorHandling(async (options) => {
+        ensureLocalDevCommandProfile();
+        const mode = getOutputMode(options);
+        const result = await stopLocalRuntime();
+        renderDevDown(mode, {
+            status: typeof result.status === 'string' ? result.status : 'stopped',
+            profile: getProfile().profile_slug,
+        });
+    }));
+    cli
+        .command('dev status', 'Show local daemon state')
+        .example('harbor dev status --plain')
+        .action(withCommandErrorHandling(async (options) => {
+        ensureLocalDevCommandProfile();
+        const mode = getOutputMode(options);
+        const status = await fetchLocalDaemonStatus(false);
+        if (!status) {
+            renderDevDown(mode, { status: 'stopped', profile: getProfile().profile_slug });
+            return;
+        }
+        renderLocalDaemonStatus(mode, {
+            profile: status.profile_slug,
+            ready_state: status.ready_state,
+            api_url: status.api_url,
+            auth_url: status.auth_url,
+            daemon_package_version: status.daemon_package_version,
+            selected_daemon_protocol: status.selected_daemon_protocol,
+            state_schema_version: status.state_schema_version,
+            api_manifest_revision: status.api_manifest_revision,
+            last_ready_at: status.last_ready_at,
+            managed_children: status.managed_children,
+            paths: status.paths,
+        });
+    }));
+    cli
+        .command('dev logs [component]', 'Read local daemon logs')
+        .option('--lines [lines]', 'Number of trailing lines to print')
+        .example('harbor dev logs daemon --plain')
+        .example('harbor dev logs runner --lines 80')
+        .action(withCommandErrorHandling(async (component, options) => {
+        ensureLocalDevCommandProfile();
+        const mode = getOutputMode(options);
+        const selected = component ?? 'daemon';
+        if (selected !== 'daemon' && selected !== 'api' && selected !== 'runner') {
+            throw new CliInputError('Component must be one of: daemon, api, runner.', 'harbor dev logs [daemon|api|runner] [--lines <lines>]');
+        }
+        const log = readLocalDaemonLog(selected, parseLogLines(options.lines, 'harbor dev logs [daemon|api|runner] [--lines <lines>]'));
+        renderLocalDaemonLog(mode, {
+            component: selected,
+            path: log.path,
+            lines: log.lines,
+        });
+    }));
+    cli
+        .command('profile', 'Manage Harbor CLI profiles.\n\nSubcommands:\n  current  Show the selected Harbor profile\n  ls       List saved Harbor profiles\n  use      Select a Harbor profile for future commands\n  cleanup  Clear saved owner/agent session state for a profile\n  delete   Delete a saved Harbor profile and its cached state')
+        .example('harbor profile current --plain')
+        .example('harbor profile ls --plain')
+        .example('harbor profile use staging');
+    cli
+        .command('profile current', 'Show the selected Harbor profile')
+        .example('harbor profile current --plain')
+        .action(withCommandErrorHandling(async (options) => {
+        const mode = getOutputMode(options);
+        const profile = getProfile();
+        renderProfileCurrent(mode, {
+            profile: profile.profile_slug,
+            active_profile: getActiveProfileSlug(),
+            api_url: profile.api_url,
+            owner: profile.owner,
+            agent_id: profile.agent_id,
+        });
+    }));
+    cli
+        .command('profile ls', 'List saved Harbor profiles')
+        .example('harbor profile ls --plain')
+        .action(withCommandErrorHandling(async (options) => {
+        const mode = getOutputMode(options);
+        renderProfileList(mode, listProfiles());
+    }));
+    cli
+        .command('profile use [profile]', 'Select a Harbor profile for future commands')
+        .example('harbor profile use local-alice')
+        .action(withCommandErrorHandling(async (profileArg, options) => {
+        const mode = getOutputMode(options);
+        const requestedProfile = resolveOptionValue(profileArg, undefined, '<profile>', 'Missing required profile slug.', 'harbor profile use <profile>', 'Use letters, numbers, dots, underscores, or hyphens.');
+        const nextProfileSlug = normalizeProfileSlug(requestedProfile);
+        if (!nextProfileSlug) {
+            throw new CliInputError('Invalid profile slug. Use letters, numbers, dots, underscores, or hyphens.', 'harbor profile use <profile>');
+        }
+        if (!profileExists(nextProfileSlug)) {
+            const currentProfile = getProfile();
+            saveProfile({
+                ...currentProfile,
+                profile_slug: nextProfileSlug,
+                agent_id: null,
+                agent_token: null,
+                token_expires_at: null,
+            }, nextProfileSlug);
+            const currentCatalog = getCatalog();
+            if (currentCatalog) {
+                saveCatalog(currentCatalog.capabilities, currentCatalog.etag, nextProfileSlug);
+            }
+        }
+        setActiveProfile(nextProfileSlug);
+        const profile = getProfile(nextProfileSlug);
+        renderProfileCurrent(mode, {
+            profile: profile.profile_slug,
+            active_profile: getActiveProfileSlug(),
+            api_url: profile.api_url,
+            owner: profile.owner,
+            agent_id: profile.agent_id,
+        });
+    }));
+    cli
+        .command('profile cleanup [profile]', 'Clear saved owner and agent session state for a profile without deleting its API config')
+        .example('harbor profile cleanup local --plain')
+        .action(withCommandErrorHandling(async (profileArg, options) => {
+        const mode = getOutputMode(options);
+        const targetProfile = profileArg ? resolveOptionValue(profileArg, undefined, '<profile>', 'Missing required profile slug.', 'harbor profile cleanup <profile>') : getProfile().profile_slug;
+        clearProfileSession(targetProfile);
+        renderProfileCleanup(mode, {
+            profile: normalizeProfileSlug(targetProfile) ?? getProfile().profile_slug,
+            deleted: false,
+            cleared_session: true,
+            active_profile: getActiveProfileSlug(),
+        });
+    }));
+    cli
+        .command('profile delete [profile]', 'Delete a saved Harbor profile and its cached state')
+        .example('harbor profile delete preview --plain')
+        .action(withCommandErrorHandling(async (profileArg, options) => {
+        const mode = getOutputMode(options);
+        const targetProfile = resolveOptionValue(profileArg, undefined, '<profile>', 'Missing required profile slug.', 'harbor profile delete <profile>');
+        const normalized = normalizeProfileSlug(targetProfile);
+        if (!normalized) {
+            throw new CliInputError('Invalid profile slug. Use letters, numbers, dots, underscores, or hyphens.', 'harbor profile delete <profile>');
+        }
+        deleteProfile(normalized);
+        renderProfileCleanup(mode, {
+            profile: normalized,
+            deleted: true,
+            cleared_session: true,
+            active_profile: getActiveProfileSlug(),
+        });
+    }));
+    cli
+        .command('setup [apiUrl]', 'Install a Harbor profile and claim or restore this agent identity')
+        .option('--display-name [displayName]', 'Override the agent display name for this claim request')
+        .example('harbor setup https://api.tryharbor.ai --profile production --display-name "Harbor CLI" --plain')
+        .action(withCommandErrorHandling(async (apiUrlArg, options) => {
+        const mode = getOutputMode(options);
+        const apiUrl = await resolveSetupValue(apiUrlArg, process.env.HARBOR_API_URL, 'Harbor API URL', 'https://api.tryharbor.ai');
+        const requestedProfile = await resolveSetupValue(options.profile, process.env.HARBOR_PROFILE, 'Harbor profile', 'production', '--profile');
+        const profileSlug = normalizeProfileSlug(requestedProfile);
+        if (!profileSlug) {
+            throw new CliInputError('Invalid profile slug. Use letters, numbers, dots, underscores, or hyphens.', SETUP_INVOCATION);
+        }
+        const displayName = await resolveSetupValue(options.displayName, process.env.HARBOR_AGENT_NAME, 'Agent display name', 'Harbor CLI', '--display-name');
+        const manifest = await fetchSetupManifest(apiUrl);
+        writeSetupProfile(manifest, profileSlug);
+        try {
+            await ensureLocalOwnerSession();
+        }
+        catch (error) {
+            if (!(error instanceof ApiError) || error.status !== 404) {
+                throw error;
+            }
+        }
+        const claim = await claimAgent(displayName);
+        let owner = claim.owner ?? null;
+        let agentId = claim.agent_id ?? null;
+        let agentName = claim.agent_display_name ?? displayName;
+        let health = null;
+        let capabilityCount = null;
+        if (claim.agent_token) {
+            const whoami = await fetchWhoAmI();
+            await persistSessionState({
+                owner_scope_id: whoami.owner_scope_id,
+                owner: whoami.owner,
+                owner_display_name: whoami.owner_display_name,
+                agent_id: whoami.agent_id,
+            });
+            health = await fetchHealth();
+            owner = whoami.owner ?? owner;
+            agentId = whoami.agent_id ?? agentId;
+            agentName = whoami.agent_display_name ?? agentName;
+            capabilityCount = health.published_capabilities ?? (getCatalog()?.capabilities.length ?? capabilities.length);
+        }
+        renderSetup(mode, {
+            profile: profileSlug,
+            api_url: manifest.api_url,
+            status: claim.result,
+            owner,
+            agent_id: agentId,
+            agent_name: agentName,
+            approval_url: claim.approval_url ?? null,
+            health: health?.status ?? null,
+            capabilities: capabilityCount,
+            pending_approvals: health?.pending_approvals ?? null,
+            recent_executions: health?.recent_executions ?? null,
+        });
+    }));
+    cli
+        .command('auth', 'Manage Harbor identity.\n\nSubcommands:\n  claim   Claim or restore the local Harbor agent identity\n  whoami  Show the current Harbor identity\n  logout  Clear saved owner/agent tokens for the selected profile')
+        .example('harbor auth claim --plain')
+        .example('harbor auth whoami --plain');
+    cli
+        .command('auth claim', 'Claim or restore the local Harbor agent identity')
+        .option('--display-name [displayName]', 'Override the agent display name for this claim request')
+        .example('harbor auth claim --plain')
+        .example('harbor auth claim --display-name "py agent" --plain')
+        .example('harbor auth claim --json')
+        .action(withCommandErrorHandling(async (options) => {
+        const mode = getOutputMode(options);
+        try {
+            await ensureLocalOwnerSession();
+        }
+        catch (error) {
+            if (!(error instanceof ApiError) || error.status !== 404) {
+                throw error;
+            }
+        }
+        if (options.displayName === true) {
+            throw new CliInputError('Flag --display-name requires a value.', 'harbor auth claim [--display-name <display-name>]');
+        }
+        const claim = await claimAgent(typeof options.displayName === 'string' && options.displayName.length > 0 ? options.displayName : 'Harbor CLI');
+        let whoami = null;
+        if (claim.agent_token) {
+            try {
+                whoami = await fetchWhoAmI();
+                await persistSessionState({
+                    owner_scope_id: whoami.owner_scope_id,
+                    owner: whoami.owner,
+                    owner_display_name: whoami.owner_display_name,
+                    agent_id: whoami.agent_id,
+                });
+            }
+            catch {
+                whoami = null;
+            }
+        }
+        renderClaim(mode, withOwner(claim, whoami, getProfile()));
+    }));
+    cli
+        .command('auth whoami', 'Show the current Harbor identity')
+        .example('harbor auth whoami --plain')
+        .example('harbor auth whoami --json')
+        .action(withCommandErrorHandling(async (options) => {
+        const mode = getOutputMode(options);
+        const profile = getProfile();
+        const whoami = await fetchWhoAmI();
+        await persistSessionState({
+            owner_scope_id: whoami.owner_scope_id,
+            owner: whoami.owner,
+            owner_display_name: whoami.owner_display_name,
+            agent_id: whoami.agent_id,
+        });
+        renderWhoAmI(mode, { ...whoami, profile: whoami.profile_slug ?? profile.profile_slug });
+    }));
+    cli
+        .command('auth logout', 'Clear saved owner and agent tokens for the selected profile')
+        .example('harbor auth logout --plain')
+        .action(withCommandErrorHandling(async (options) => {
+        const mode = getOutputMode(options);
+        const profile = getProfile();
+        clearProfileSession(profile.profile_slug);
+        renderProfileCleanup(mode, {
+            profile: profile.profile_slug,
+            deleted: false,
+            cleared_session: true,
+            active_profile: getActiveProfileSlug(),
+        });
+    }));
+    cli
+        .command('status', 'Show Harbor health and summary')
+        .example('harbor status --plain')
+        .example('harbor status --json')
+        .action(withCommandErrorHandling(async (options) => {
+        const mode = getOutputMode(options);
+        const profile = getProfile();
+        const [health, whoami] = await Promise.all([
+            fetchHealth(),
+            fetchWhoAmI(),
+        ]);
+        renderStatus(mode, {
+            profile: profile.profile_slug,
+            whoami,
+            health,
+            capabilityCount: health.published_capabilities ?? (getCatalog()?.capabilities.length ?? capabilities.length),
+        });
+    }));
+    cli
+        .command('ls', 'List published capabilities')
+        .example('harbor ls --plain')
+        .example('harbor ls --json')
+        .action(withCommandErrorHandling(async (options) => {
+        const mode = getOutputMode(options);
+        const liveCatalog = await fetchCatalog().catch(() => getCatalog()?.capabilities ?? capabilities);
+        renderLs(mode, liveCatalog);
+    }));
+    cli
+        .command('inspect [capability]', 'Inspect one capability')
+        .option('--capability [capability]', 'Capability slug')
+        .example('harbor inspect compute.modal')
+        .example('harbor inspect --capability compute.modal --plain')
+        .action(withCommandErrorHandling(async (capability, options) => {
+        const mode = getOutputMode(options);
+        const requestedCapabilitySlug = resolveOptionValue(capability, options.capability, '--capability', 'Missing required capability slug.', 'harbor inspect --capability <capability>', 'Find available slugs with `harbor ls --plain`.');
+        const capabilitySlug = requestedCapabilitySlug;
+        const snapshot = await fetchCapability(capabilitySlug).catch(() => {
+            const cached = findCapability(getCatalog()?.capabilities ?? capabilities, capabilitySlug);
+            if (cached?.snapshot) {
+                return cached.snapshot;
+            }
+            throw new ApiError(404, 'capability_not_found', `Capability ${capabilitySlug} was not found`);
+        });
+        renderInspect(mode, snapshot);
+    }));
+    cli
+        .command('approve [approvalId]', 'Approve a pending request (owner action)')
+        .option('--approval-id [approvalId]', 'Approval ID')
+        .option('--yes', 'Skip confirmation prompts')
+        .example('harbor approve apr_01HQ --yes --plain')
+        .action(withCommandErrorHandling(async (approvalId, options) => {
+        const mode = getOutputMode(options);
+        const approvalIdValue = resolveOptionValue(approvalId, options.approvalId, '--approval-id', 'Missing required approval id.', 'harbor approve --approval-id <approval-id>', 'Find the approval_id in `harbor auth claim --plain` or command output.');
+        try {
+            const response = await approveRequest(approvalIdValue);
+            renderApprove(mode, {
+                approval_id: approvalIdValue,
+                status: typeof response.status === 'string' ? response.status : 'approved',
+            });
+        }
+        catch (error) {
+            if (error instanceof ApiError) {
+                const status = parseApprovalConflictStatus(error);
+                if (status) {
+                    renderApprove(mode, { approval_id: approvalIdValue, status });
+                    return;
+                }
+            }
+            throw error;
+        }
+    }));
+    cli
+        .command('secrets', 'Manage owner secret references')
+        .example('harbor secrets ls --plain')
+        .example('echo $OPENAI_API_KEY | harbor secrets set OPENAI_API_KEY --plain');
+    cli
+        .command('secrets ls', 'List owner secret references')
+        .example('harbor secrets ls --plain')
+        .example('harbor secrets ls --json')
+        .action(withCommandErrorHandling(async (options) => {
+        const mode = getOutputMode(options);
+        const secretReferences = await listSecretReferences();
+        renderSecretReferenceList(mode, secretReferences);
+    }));
+    cli
+        .command('secrets inspect [name]', 'Inspect one owner secret reference')
+        .option('--name [name]', 'Secret reference name')
+        .example('harbor secrets inspect OPENAI_API_KEY')
+        .example('harbor secrets inspect --name OPENAI_API_KEY --plain')
+        .action(withCommandErrorHandling(async (name, options) => {
+        const mode = getOutputMode(options);
+        const secretName = resolveOptionValue(name, options.name, '--name', 'Missing required secret reference name.', 'harbor secrets inspect --name <name>');
+        const secretReference = await getSecretReference(secretName);
+        renderSecretReference(mode, secretReference);
+    }));
+    cli
+        .command('secrets set [name]', 'Create or update one owner secret reference')
+        .option('--name [name]', 'Secret reference name')
+        .option('--value [value]', 'Secret value (warning: appears in shell history)')
+        .option('--display-name [displayName]', 'Override the secret display name')
+        .option('--kind [kind]', 'Secret kind')
+        .example('echo sk-live | harbor secrets set OPENAI_API_KEY --plain')
+        .example('harbor secrets set --name OPENAI_API_KEY --value sk-live --display-name "OpenAI API key"')
+        .action(withCommandErrorHandling(async (name, options) => {
+        const mode = getOutputMode(options);
+        const invocation = 'harbor secrets set --name <name> [--value <value>] [--display-name <display-name>] [--kind <kind>]';
+        const secretName = resolveOptionValue(name, options.name, '--name', 'Missing required secret reference name.', invocation);
+        const value = await readSecretValue(options, invocation);
+        if (options.displayName === true) {
+            throw new CliInputError('Flag --display-name requires a value.', invocation);
+        }
+        if (options.kind === true) {
+            throw new CliInputError('Flag --kind requires a value.', invocation);
+        }
+        const secretReference = await setSecretReference(secretName, value, {
+            display_name: typeof options.displayName === 'string' && options.displayName.length > 0 ? options.displayName : undefined,
+            kind: typeof options.kind === 'string' && options.kind.length > 0 ? options.kind : undefined,
+        });
+        renderSecretReference(mode, secretReference);
+    }));
+    cli
+        .command('secrets delete [name]', 'Delete one owner secret reference')
+        .option('--name [name]', 'Secret reference name')
+        .example('harbor secrets delete OPENAI_API_KEY --plain')
+        .action(withCommandErrorHandling(async (name, options) => {
+        const mode = getOutputMode(options);
+        const secretName = resolveOptionValue(name, options.name, '--name', 'Missing required secret reference name.', 'harbor secrets delete --name <name>');
+        const result = await deleteSecretReference(secretName);
+        renderSecretReferenceDeleted(mode, { name: secretName, ok: result.ok });
+    }));
+    cli
+        .command('services', 'Manage owner control-plane service setup flows')
+        .example('harbor services inspect composio --plain');
+    cli
+        .command('services connect composio', 'Start a Harbor-owned Composio link flow for an owner-managed route target')
+        .option('--toolkit [toolkit]', 'Toolkit slug')
+        .option('--auth-config [authConfig]', 'Composio auth config id')
+        .option('--shared', 'Use the owner-shared route target')
+        .option('--agent [agent]', 'Use an agent-specific route target under the current owner')
+        .option('--open', 'Open the returned redirect URL in your browser')
+        .option('--wait', 'Poll the link session until it is no longer pending')
+        .option('--wait-seconds [waitSeconds]', 'Maximum wait time in seconds when --wait is used')
+        .example('harbor services connect composio --toolkit github --auth-config ac_123 --shared --open --wait')
+        .example('harbor services connect composio --toolkit slack --auth-config ac_456 --agent agt_123')
+        .action(withCommandErrorHandling(async (options) => {
+        const mode = getOutputMode(options);
+        const invocation = 'harbor services connect composio --toolkit <toolkit> --auth-config <auth-config> --shared [--open --wait]';
+        const toolkitSlug = resolveOptionValue(undefined, options.toolkit, '--toolkit', 'Missing required toolkit slug.', invocation);
+        const authConfigId = resolveOptionValue(undefined, options.authConfig, '--auth-config', 'Missing required auth config id.', invocation);
+        const ownerSession = await ensureLocalOwnerSession();
+        const agentId = typeof options.agent === 'string' && options.agent.length > 0 ? options.agent : null;
+        const shared = options.shared === true;
+        if ((shared && agentId) || (!shared && !agentId)) {
+            throw new CliInputError('Choose exactly one route target: --shared or --agent <agent-id>.', invocation);
+        }
+        const created = await createComposioLinkSession({
+            toolkit_slug: toolkitSlug,
+            auth_config_id: authConfigId,
+            subject_kind: shared ? 'owner' : 'agent',
+            subject_id: shared ? ownerSession?.owner_scope_id ?? '' : agentId,
+        });
+        if (options.open === true && created.redirect_url) {
+            openBrowser(created.redirect_url);
+        }
+        const linkSession = options.wait === true
+            ? await waitForComposioLinkSession(created.link_session_id, parseWaitSeconds(options.waitSeconds, invocation))
+            : created;
+        renderComposioLinkSession(mode, linkSession);
+    }));
+    cli
+        .command('services inspect composio', 'Inspect the Harbor-owned Composio principal and owner-managed routes')
+        .example('harbor services inspect composio --json')
+        .action(withCommandErrorHandling(async (options) => {
+        const mode = getOutputMode(options);
+        const service = await fetchComposioService();
+        renderComposioService(mode, service);
+    }));
+    cli
+        .command('services route composio', 'Bind an owner-managed Harbor Composio route target to an existing connected account')
+        .option('--toolkit [toolkit]', 'Toolkit slug')
+        .option('--connected-account [connectedAccount]', 'Composio connected account id')
+        .option('--shared', 'Set the owner-shared route target')
+        .option('--agent [agent]', 'Set an agent-specific route target under the current owner')
+        .example('harbor services route composio --toolkit github --connected-account ca_123 --shared')
+        .example('harbor services route composio --toolkit github --connected-account ca_456 --agent agt_123')
+        .action(withCommandErrorHandling(async (options) => {
+        const mode = getOutputMode(options);
+        const toolkitSlug = resolveOptionValue(undefined, options.toolkit, '--toolkit', 'Missing required toolkit slug.', 'harbor services route composio --toolkit <toolkit> --connected-account <connected-account> --shared');
+        const connectedAccountId = resolveOptionValue(undefined, options.connectedAccount, '--connected-account', 'Missing required connected account id.', 'harbor services route composio --toolkit <toolkit> --connected-account <connected-account> --shared');
+        const ownerSession = await ensureLocalOwnerSession();
+        const agentId = typeof options.agent === 'string' && options.agent.length > 0 ? options.agent : null;
+        const shared = options.shared === true;
+        if ((shared && agentId) || (!shared && !agentId)) {
+            throw new CliInputError('Choose exactly one route target: --shared or --agent <agent-id>.', 'harbor services route composio --toolkit <toolkit> --connected-account <connected-account> --shared');
+        }
+        const route = await setComposioServiceRoute({
+            toolkit_slug: toolkitSlug,
+            connected_account_id: connectedAccountId,
+            subject_kind: shared ? 'owner' : 'agent',
+            subject_id: shared ? ownerSession?.owner_scope_id ?? '' : agentId,
+        });
+        renderComposioRoute(mode, route);
+    }));
+    cli
+        .command('services unmount composio', 'Remove an owner-managed Harbor Composio route binding')
+        .option('--route-id [routeId]', 'Delete one route by route id')
+        .option('--toolkit [toolkit]', 'Toolkit slug')
+        .option('--auth-config [authConfig]', 'Narrow deletion to one auth config id')
+        .option('--shared', 'Delete the owner-shared route target')
+        .option('--agent [agent]', 'Delete an agent-specific route target under the current owner')
+        .example('harbor services unmount composio --route-id cmprt_123 --plain')
+        .example('harbor services unmount composio --toolkit github --agent agt_123 --auth-config ac_456')
+        .action(withCommandErrorHandling(async (options) => {
+        const mode = getOutputMode(options);
+        const routeId = typeof options.routeId === 'string' && options.routeId.length > 0 ? options.routeId : null;
+        const ownerSession = await ensureLocalOwnerSession();
+        const agentId = typeof options.agent === 'string' && options.agent.length > 0 ? options.agent : null;
+        const shared = options.shared === true;
+        if (!routeId) {
+            const toolkitSlug = resolveOptionValue(undefined, options.toolkit, '--toolkit', 'Missing required toolkit slug.', 'harbor services unmount composio --toolkit <toolkit> --shared');
+            if ((shared && agentId) || (!shared && !agentId)) {
+                throw new CliInputError('Choose exactly one route target: --shared or --agent <agent-id>.', 'harbor services unmount composio --toolkit <toolkit> --shared');
+            }
+            const authConfigId = typeof options.authConfig === 'string' && options.authConfig.length > 0 ? options.authConfig : undefined;
+            const route = await deleteComposioServiceRoute({
+                toolkit_slug: toolkitSlug,
+                auth_config_id: authConfigId,
+                subject_kind: shared ? 'owner' : 'agent',
+                subject_id: shared ? ownerSession?.owner_scope_id ?? '' : agentId,
+            });
+            renderComposioRoute(mode, route);
+            return;
+        }
+        const route = await deleteComposioServiceRoute({ route_id: routeId });
+        renderComposioRoute(mode, route);
+    }));
+    registerCapabilityCommands(cli, capabilities);
+    return cli;
+};
+const main = async () => {
+    const mode = bootstrapModeFromArgv();
+    const firstArg = firstCommandArg();
+    if (classifyCommandForLocalRuntime(rawUserArgv()) === 'local_runtime') {
+        await ensureLocalRuntimeForCommand(rawUserArgv());
+    }
+    const capabilities = await bootstrapCapabilitiesForCommand(firstArg);
+    if (firstArg && isCapabilitySlugCandidate(firstArg) && !findCapability(capabilities, firstArg)) {
+        renderError(mode, new ApiError(404, 'capability_not_found', `Capability ${firstArg} was not found`));
+        process.exit(1);
+        return;
+    }
+    const passthroughCapability = firstArg ? findCapability(capabilities, firstArg) : null;
+    if (passthroughCapability && supportsArgvPassthrough(passthroughCapability)) {
+        await runCapabilityPassthrough(passthroughCapability);
+        return;
+    }
+    const cli = buildCli(capabilities);
+    cli.parse(process.argv);
+};
+main().catch((error) => {
+    renderError(bootstrapModeFromArgv(), error);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map