atris 3.12.1 → 3.14.0

package/commands/computer.js

@@ -5,6 +5,7 @@
  *   atris computer --cloud          — Open CLOUD workspace mode
  *   atris computer wake             — Start the computer
  *   atris computer sleep            — Stop (files persist)
+ *   atris computer card             — Show the local computer card
  *   atris computer run <command>    — Run bash on EC2 (no LLM)
  *   atris computer grep <pattern>   — Search files on EC2
  *   atris computer ls [path]        — List files
@@ -52,8 +53,40 @@ const KNOWN_CHAT_COMMANDS = new Set([
   '/start',
   '/status',
   '/worker',
+  '/workflow',
 ]);
 
+const CODEOPS_WORKFLOW_PROMPT = `
+## Atris CodeOps Workflow
+
+You are running inside Atris CodeOps with full computer permissions (permission_mode=bypassPermissions).
+Use those permissions to inspect, edit, test, commit, push, and open PRs when the task calls for it.
+
+Do not behave like an open-ended chat.
+Every coding or repo operation must follow the scientific workflow:
+OBSERVE -> HYPOTHESIS -> PLAN -> ACTION -> VALIDATION -> EVIDENCE -> NEXT STATE.
+
+For a new coding request, first show a concise PLAN with Files, Checks, Risk, and Merge policy.
+If the user has not clearly approved execution, ask for approval before editing.
+If the user explicitly says to execute, proceed after the concise plan.
+
+After work, always report:
+- edited_files
+- commands_run
+- validation_result
+- evidence
+- pr_url if any
+- pr_state
+- merge_state
+- next_task
+
+Use one of these next states:
+planned, executing, validated, pr_opened, merge_ready, merge_blocked_checks, merge_blocked_policy, merged, failed, needs_human.
+
+Never hide failures.
+A blocked check or missing permission is evidence, not success.
+`.trim();
+
 function color(code, value) {
   if (process.env.NO_COLOR || !process.stdout.isTTY) return String(value);
   return `\x1b[${code}m${value}\x1b[0m`;
@@ -165,6 +198,7 @@ function printCloudHelp() {
   console.log('  /start               Show the beginner flow again');
   console.log('  /help                Show this menu');
   console.log('  /status              Show cloud computer status');
+  console.log('  /workflow            Show the CodeOps workflow contract');
   console.log('  /files [path]        List files in the workspace');
   console.log('  /run <cmd>           Run shell without the model');
   console.log('  /audit [n]           Show recent runs, output, and charges');
@@ -201,6 +235,48 @@ function printCloudStartPanel(ctx, worker, model, billingLabel, authSummary = nu
   console.log(ui.dim('Plain English goes to Atris. Slash commands control the computer.'));
 }
 
+function appendSystemPrompt(basePrompt, extraPrompt) {
+  if (!extraPrompt) return basePrompt || null;
+  if (basePrompt && basePrompt.includes('## Atris CodeOps Workflow')) return basePrompt;
+  if (!basePrompt) return extraPrompt;
+  return `${String(basePrompt).trim()}\n\n${extraPrompt}`;
+}
+
+function codeOpsCloudOptions(options = {}) {
+  return {
+    ...options,
+    worker: options.worker || 'claude',
+    mode: 'codeops',
+    systemPrompt: appendSystemPrompt(options.systemPrompt, CODEOPS_WORKFLOW_PROMPT),
+  };
+}
+
+function printCodeOpsStartPanel(ctx, worker, model, billingLabel, authSummary = null) {
+  console.log('');
+  console.log(ui.bold('Atris CodeOps Computer'));
+  console.log(`${ctx.businessName}  ${ui.dim('/workspace persists, full permissions enabled')}`);
+  console.log(`Lane: ${ui.bold(formatWorkerName(worker))}  ${ui.dim(formatCloudSelection({ worker, model }))}`);
+  console.log(`Billing: ${billingLabel}`);
+  if (authSummary) console.log(`${authSummary.label}  ${ui.dim(authSummary.detail)}`);
+  console.log(`${ui.green('Workflow locked')}  ${ui.dim('observe -> plan -> act -> validate -> evidence -> next')}`);
+  console.log('');
+  console.log(ui.bold('Start here'));
+  console.log('  Type a coding goal in plain English.');
+  console.log('  CodeOps will plan first, then execute after approval or explicit proceed language.');
+  console.log('  Use /workflow to see the contract, /run for shell, /audit for run history, /exit to leave.');
+  console.log('');
+}
+
+function printCodeOpsWorkflowContract() {
+  console.log('');
+  console.log(ui.bold('CodeOps workflow'));
+  console.log('  observe -> hypothesis -> plan -> action -> validation -> evidence -> next state');
+  console.log('');
+  console.log('  Required final evidence: edited_files, commands_run, validation_result, pr_url, pr_state, merge_state, next_task.');
+  console.log('  Allowed states: planned, executing, validated, pr_opened, merge_ready, merge_blocked_checks, merge_blocked_policy, merged, failed, needs_human.');
+  console.log('  Full permissions stay on; the workflow contract controls how the computer uses them.');
+}
+
 function buildLocalBridgeSystemPrompt(sessionId, localRoot, allowBash) {
   const endpoint = `/api/cli/sessions/${sessionId}/file-op`;
   const bashLine = allowBash
@@ -630,8 +706,8 @@ async function runLocalBridgeOp(token, sessionId, op, timeoutSeconds = 30) {
   return data;
 }
 
-function readBusinessBinding() {
-  const bindingPath = path.join(process.cwd(), '.atris', 'business.json');
+function readBusinessBinding(cwd = process.cwd()) {
+  const bindingPath = path.join(cwd, '.atris', 'business.json');
   if (!fs.existsSync(bindingPath)) return null;
   try {
     return JSON.parse(fs.readFileSync(bindingPath, 'utf8'));
@@ -640,6 +716,160 @@ function readBusinessBinding() {
   }
 }
 
+function readPackageMeta(cwd = process.cwd()) {
+  const packagePath = path.join(cwd, 'package.json');
+  if (!fs.existsSync(packagePath)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(packagePath, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function relIfExists(cwd, target) {
+  return fs.existsSync(path.join(cwd, target)) ? target : null;
+}
+
+function detectValidationCommand(cwd = process.cwd(), pkg = null) {
+  const meta = pkg || readPackageMeta(cwd);
+  const testScript = meta?.scripts?.test;
+  if (testScript && !/no test specified/i.test(testScript)) return 'npm test';
+  if (fs.existsSync(path.join(cwd, 'pytest.ini')) || fs.existsSync(path.join(cwd, 'pyproject.toml'))) return 'pytest';
+  if (fs.existsSync(path.join(cwd, 'Cargo.toml'))) return 'cargo test';
+  if (fs.existsSync(path.join(cwd, 'go.mod'))) return 'go test ./...';
+  return 'none detected';
+}
+
+function detectComputerType(cwd = process.cwd(), pkg = null, binding = null) {
+  if (binding?.computer_type) return binding.computer_type;
+  if (binding?.workspace_type) return binding.workspace_type;
+  const meta = pkg || readPackageMeta(cwd);
+  if (meta?.bin || fs.existsSync(path.join(cwd, 'bin')) || fs.existsSync(path.join(cwd, 'commands'))) return 'codeops';
+  if (fs.existsSync(path.join(cwd, 'docs')) || fs.existsSync(path.join(cwd, 'atris', 'wiki'))) return 'research';
+  return 'workspace';
+}
+
+function buildComputerCard(cwd = process.cwd()) {
+  const binding = readBusinessBinding(cwd);
+  const pkg = readPackageMeta(cwd);
+  const folderName = path.basename(cwd);
+  const ownerName = binding?.name || pkg?.name || folderName;
+  const ownerType = binding ? 'business' : 'project';
+  const computerName = binding?.computer_name || binding?.workspace_name || `${ownerName} computer`;
+  const computerType = detectComputerType(cwd, pkg, binding);
+  const memory = [
+    relIfExists(cwd, 'atris/MAP.md'),
+    relIfExists(cwd, 'atris/TODO.md'),
+    relIfExists(cwd, 'atris/wiki'),
+    relIfExists(cwd, 'atris/logs'),
+  ].filter(Boolean);
+  const artifacts = [
+    fs.existsSync(path.join(cwd, 'atris')) ? 'atris/reports/' : null,
+    relIfExists(cwd, '.atris/receipts'),
+  ].filter(Boolean);
+
+  return {
+    ownerName,
+    ownerType,
+    computerName,
+    computerType,
+    workspace: cwd,
+    loop: 'plan -> do -> review',
+    memory,
+    validation: detectValidationCommand(cwd, pkg),
+    proof: binding ? 'atris computer proof' : 'atris proof run',
+    visual: 'atris visualize "<prompt>"',
+    artifacts,
+    generatedAt: new Date().toISOString(),
+  };
+}
+
+function renderList(items) {
+  return items.length ? items.join(', ') : 'none detected';
+}
+
+function renderComputerCard(card) {
+  return [
+    'Atris Computer Card',
+    '',
+    `  Owner:      ${card.ownerName} (${card.ownerType})`,
+    `  Computer:   ${card.computerName}`,
+    `  Type:       ${card.computerType}`,
+    `  Workspace:  ${card.workspace}`,
+    `  Loop:       ${card.loop}`,
+    `  Memory:     ${renderList(card.memory)}`,
+    `  Validate:   ${card.validation}`,
+    `  Proof:      ${card.proof}`,
+    `  Visual:     ${card.visual}`,
+    `  Artifacts:  ${renderList(card.artifacts)}`,
+  ].join('\n');
+}
+
+function renderComputerCardMarkdown(card) {
+  return [
+    '# Atris Computer Card',
+    '',
+    `Generated: ${card.generatedAt}`,
+    '',
+    `- Owner: ${card.ownerName} (${card.ownerType})`,
+    `- Computer: ${card.computerName}`,
+    `- Type: ${card.computerType}`,
+    `- Workspace: ${card.workspace}`,
+    `- Loop: ${card.loop}`,
+    `- Memory: ${renderList(card.memory)}`,
+    `- Validate: ${card.validation}`,
+    `- Proof: ${card.proof}`,
+    `- Visual: ${card.visual}`,
+    `- Artifacts: ${renderList(card.artifacts)}`,
+    '',
+  ].join('\n');
+}
+
+function parseComputerCardArgs(args = []) {
+  const options = { write: false, out: null, help: false };
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === '--help' || arg === '-h') options.help = true;
+    else if (arg === '--write') options.write = true;
+    else if (arg === '--out' && args[i + 1]) options.out = args[++i];
+    else if (arg.startsWith('--out=')) options.out = arg.slice('--out='.length);
+  }
+  return options;
+}
+
+function defaultComputerCardPath(cwd = process.cwd()) {
+  if (fs.existsSync(path.join(cwd, 'atris'))) {
+    return path.join(cwd, 'atris', 'reports', 'computer-card.md');
+  }
+  return path.join(cwd, 'computer-card.md');
+}
+
+function computerCard(args = [], cwd = process.cwd()) {
+  const options = parseComputerCardArgs(args);
+  if (options.help) {
+    console.log('Usage: atris computer card [--write] [--out <path>]');
+    console.log('');
+    console.log('Show the local owner/computer card for this workspace.');
+    return null;
+  }
+
+  const card = buildComputerCard(cwd);
+  console.log(renderComputerCard(card));
+
+  if (options.write || options.out) {
+    const outputPath = options.out
+      ? (path.isAbsolute(options.out) ? options.out : path.join(cwd, options.out))
+      : defaultComputerCardPath(cwd);
+    fs.mkdirSync(path.dirname(outputPath), { recursive: true });
+    fs.writeFileSync(outputPath, renderComputerCardMarkdown(card), 'utf8');
+    console.log('');
+    console.log(`Wrote ${path.relative(cwd, outputPath) || outputPath}`);
+    return outputPath;
+  }
+
+  return card;
+}
+
 async function resolveBusinessContext(token) {
   const binding = readBusinessBinding();
   if (!binding) return null;
@@ -1386,6 +1616,8 @@ async function computerExec(token, prompt, ctx = null, options = {}) {
         workspace_id: ctx.workspaceId,
         ...(options.worker ? { worker: options.worker } : {}),
         ...(options.model ? { model: options.model } : {}),
+        ...(options.systemPrompt ? { system_prompt: options.systemPrompt } : {}),
+        ...(options.allowedTools ? { allowed_tools: options.allowedTools } : {}),
       },
       timeoutMs: 40000,
     });
@@ -1742,6 +1974,10 @@ async function computerChat(token, ctx, initialOptions = {}) {
     return;
   }
 
+  const isCodeOps = initialOptions.mode === 'codeops' || ctx.slug === 'atris-codeops';
+  const chatSystemPrompt = isCodeOps
+    ? appendSystemPrompt(initialOptions.systemPrompt, CODEOPS_WORKFLOW_PROMPT)
+    : initialOptions.systemPrompt;
   let sessionId = `biz-${ctx.businessId.slice(0, 8)}-${Date.now().toString(36)}`;
   printCloudWordmark();
   const selection = await chooseCloudLane(token, ctx, initialOptions);
@@ -1758,12 +1994,16 @@ async function computerChat(token, ctx, initialOptions = {}) {
     return;
   }
 
-  printCloudStartPanel(ctx, worker, model, billingLabel, authSummary);
+  if (isCodeOps) {
+    printCodeOpsStartPanel(ctx, worker, model, billingLabel, authSummary);
+  } else {
+    printCloudStartPanel(ctx, worker, model, billingLabel, authSummary);
+  }
 
   const rl = readline.createInterface({
     input: process.stdin,
     output: process.stdout,
-    prompt: 'cloud> ',
+    prompt: isCodeOps ? 'codeops> ' : 'cloud> ',
   });
 
   rl.prompt();
@@ -1782,7 +2022,11 @@ async function computerChat(token, ctx, initialOptions = {}) {
       if (line === '/start') {
         billingLabel = await describeBillingMode(token, ctx, worker);
         authSummary = activeWorker(worker) === 'claude' ? await describeClaudeAuth(token, ctx) : null;
-        printCloudStartPanel(ctx, worker, model, billingLabel, authSummary);
+        if (isCodeOps) {
+          printCodeOpsStartPanel(ctx, worker, model, billingLabel, authSummary);
+        } else {
+          printCloudStartPanel(ctx, worker, model, billingLabel, authSummary);
+        }
         rl.prompt();
         continue;
       }
@@ -1796,6 +2040,11 @@ async function computerChat(token, ctx, initialOptions = {}) {
         rl.prompt();
         continue;
       }
+      if (line === '/workflow') {
+        printCodeOpsWorkflowContract();
+        rl.prompt();
+        continue;
+      }
       if (line === '/pwd') {
         await computerRun(token, 'pwd', ctx);
         rl.prompt();
@@ -1889,7 +2138,12 @@ async function computerChat(token, ctx, initialOptions = {}) {
         }
       }
 
-      sessionId = await sendBusinessChat(token, ctx, line, sessionId, false, rl, { worker, model });
+      sessionId = await sendBusinessChat(token, ctx, line, sessionId, false, rl, {
+        worker,
+        model,
+        systemPrompt: chatSystemPrompt,
+        allowedTools: initialOptions.allowedTools,
+      });
       rl.prompt();
     }
   } catch (error) {
@@ -2298,6 +2552,11 @@ async function runComputer() {
     return;
   }
 
+  if (sub === 'card') {
+    computerCard(args.slice(1));
+    return;
+  }
+
   if (sub === 'claude' || sub === 'codex') {
     computerLocalLegacy(args);
     return;
@@ -2306,6 +2565,15 @@ async function runComputer() {
   if (sub === '--help') {
     console.log('Usage: atris computer [mode|command]');
     console.log('');
+    console.log('Atris computers are persistent AI workspaces for scoped jobs.');
+    console.log('');
+    console.log('  Owner = User | Business');
+    console.log('  Owner has many Computers');
+    console.log('  Computer = workspace + files + tools + secrets + memory + agents + validation');
+    console.log('');
+    console.log('Common types: codeops, research, CRM, reporting, recruiting, event ops, support, business ops.');
+    console.log('A business can be a company, lab, collective, community, artist, team, or project.');
+    console.log('');
     console.log('First use:');
     console.log('  cd ~/arena/atris-business/<business>');
     console.log('  atris computer');
@@ -2313,12 +2581,13 @@ async function runComputer() {
     console.log('');
     console.log('Modes:');
     console.log('  (default)       Choose CLOUD vs LOCAL when both are available');
+    console.log('  card            Show the local owner/computer card, no login required');
     console.log('  local           Open LOCAL Atris mode; cloud brain edits this folder');
     console.log('  proof           Run the local-edit + cloud-isolation + audit proof');
     console.log('  local-byo       Open LOCAL BYO Claude mode; Anthropic tokens, no cloud audit');
     console.log('  --cloud         Open CLOUD workspace mode in the bound business workspace');
     console.log('  cloud           Open CLOUD workspace mode in the bound business workspace');
-    console.log('  codeops         Open Atris CodeOps cloud workspace if your account has access');
+    console.log('  codeops         Open Atris CodeOps workflow computer if your account has access');
     console.log('  --worker        Cloud worker override: claude | openai');
     console.log('  --model         Cloud model override');
     console.log('  claude|codex    Legacy local console backends');
@@ -2344,6 +2613,8 @@ async function runComputer() {
     console.log('');
     console.log('Examples:');
     console.log('  atris computer');
+    console.log('  atris computer card --write');
+    console.log('  atris business init "My Lab"     # shared owner + first/default computer');
     console.log('  atris computer proof');
     console.log('  atris computer local');
     console.log('  atris computer codex');
@@ -2351,6 +2622,9 @@ async function runComputer() {
     console.log('  atris computer --cloud --worker openai --model gpt-5.4');
     console.log('  atris computer cloud');
     console.log('  atris computer codeops');
+    console.log('  atris computer codeops status');
+    console.log('  atris computer codeops run "pwd"');
+    console.log('  atris computer codeops exec "Plan a safe repo fix"');
     console.log('  atris computer status');
     console.log('  atris computer wake');
     console.log('  atris computer run "ls -la /workspace"');
@@ -2370,7 +2644,44 @@ async function runComputer() {
       console.error('Ask an Atris CodeOps admin to add you to the atris-codeops business.');
       return;
     }
-    await computerChat(token, codeopsCtx, { worker: 'claude', ...cloudOptions });
+    const codeopsOptions = codeOpsCloudOptions(cloudOptions);
+    const codeopsSub = args[1];
+    const codeopsRest = args.slice(2).join(' ');
+    if (!codeopsSub || codeopsSub === 'chat') {
+      await computerChat(token, codeopsCtx, codeopsOptions);
+      return;
+    }
+    switch (codeopsSub) {
+      case '--help':
+      case 'help':
+        console.log('Usage: atris computer codeops [chat|status|wake|sleep|run|grep|ls|cat|exec|audit|workflow]');
+        console.log('');
+        console.log('Examples:');
+        console.log('  atris computer codeops');
+        console.log('  atris computer codeops status');
+        console.log('  atris computer codeops run "pwd && git status --short"');
+        console.log('  atris computer codeops exec "Plan the smallest safe fix, then wait"');
+        return;
+      case 'status': return computerStatus(token, codeopsCtx);
+      case 'wake': return computerWake(token, codeopsCtx);
+      case 'sleep': return computerSleep(token, codeopsCtx);
+      case 'run': return computerRun(token, codeopsRest, codeopsCtx);
+      case 'grep': return computerGrep(token, codeopsRest, codeopsCtx);
+      case 'ls': return computerLs(token, codeopsRest || undefined, codeopsCtx);
+      case 'cat': return computerCat(token, codeopsRest, codeopsCtx);
+      case 'exec': return computerExec(token, codeopsRest, codeopsCtx, codeopsOptions);
+      case 'audit': {
+        const limit = codeopsRest ? Number.parseInt(codeopsRest, 10) : 10;
+        return computerAudit(token, codeopsCtx, Number.isFinite(limit) ? limit : 10);
+      }
+      case 'workflow':
+        printCodeOpsWorkflowContract();
+        return;
+      default:
+        console.error(`Unknown CodeOps subcommand: ${codeopsSub}`);
+        console.log('Run: atris computer codeops help');
+        return;
+    }
     return;
   }
 
@@ -2383,6 +2694,7 @@ async function runComputer() {
 
   switch (sub) {
     case 'chat': return computerChat(token, ctx, cloudOptions);
+    case 'card': return computerCard(args.slice(1));
     case 'proof': return computerProof(token, ctx, cloudOptions);
     case 'status': return computerStatus(token, ctx);
     case 'wake': return computerWake(token, ctx);
@@ -2405,4 +2717,9 @@ async function runComputer() {
   }
 }
 
-module.exports = { runComputer };
+module.exports = {
+  runComputer,
+  buildComputerCard,
+  renderComputerCard,
+  renderComputerCardMarkdown,
+};

package/commands/errors.js

@@ -0,0 +1,155 @@
+/**
+ * Errors command for Atris CLI — admin dashboard over atris_error_events.
+ *
+ * Usage:
+ *   atris errors                      List errors from last 24h, grouped by signature
+ *   atris errors --hours 72           Widen the window (max 720h / 30d)
+ *   atris errors --limit 1000         Raise the raw-event cap for grouping
+ *   atris errors show <id>            Full detail (stack trace, message) for one event
+ *
+ * Requires admin role on the user row.
+ */
+
+const { loadCredentials } = require('../utils/auth');
+const { apiRequestJson } = require('../utils/api');
+
+function getToken() {
+  const creds = loadCredentials();
+  if (!creds || !creds.token) {
+    console.error('Not logged in. Run: atris login');
+    process.exit(1);
+  }
+  return creds.token;
+}
+
+function extractFlag(args, ...names) {
+  const remaining = [];
+  let value = null;
+  for (let i = 0; i < args.length; i++) {
+    const a = args[i];
+    const eq = a.indexOf('=');
+    const key = eq >= 0 ? a.slice(0, eq) : a;
+    if (names.includes(key)) {
+      value = eq >= 0 ? a.slice(eq + 1) : args[++i];
+    } else {
+      remaining.push(a);
+    }
+  }
+  return [value, remaining];
+}
+
+async function listErrors(args) {
+  const [hoursArg, r1] = extractFlag(args, '--hours', '-H');
+  const [limitArg, r2] = extractFlag(r1, '--limit', '-L');
+  const hours = hoursArg ? parseInt(hoursArg, 10) : 24;
+  const limit = limitArg ? parseInt(limitArg, 10) : 500;
+
+  const token = getToken();
+  const result = await apiRequestJson(`/errors?hours=${hours}&limit=${limit}`, {
+    method: 'GET',
+    token,
+  });
+
+  if (!result.ok) {
+    console.error(`Error: ${result.error || 'Failed to fetch errors'}`);
+    process.exit(1);
+  }
+
+  const data = result.data || {};
+  const groups = data.groups || [];
+
+  if (groups.length === 0) {
+    console.log(`No errors in the last ${hours}h. Clean.`);
+    return;
+  }
+
+  console.log(
+    `Errors — last ${data.window_hours}h — ` +
+      `${data.total_events} events across ${data.unique_signatures} signatures\n`,
+  );
+
+  groups.forEach((g, idx) => {
+    const s = g.sample || {};
+    const shortId = (s.id || '').substring(0, 8);
+    const last = s.created_at ? s.created_at.substring(0, 16).replace('T', ' ') : '';
+    const status = s.status_code ? ` [${s.status_code}]` : '';
+    const msg = (s.message || '').replace(/\s+/g, ' ').substring(0, 140);
+
+    console.log(`${idx + 1}. x${g.count}  ${g.signature}${status}`);
+    if (last) console.log(`   last: ${last} UTC  latest id: ${shortId}`);
+    if (msg) console.log(`   "${msg}"`);
+    console.log('');
+  });
+
+  console.log(
+    `Run \`atris errors show <id>\` for full stack trace of a specific event.`,
+  );
+}
+
+async function showError(errorId) {
+  if (!errorId) {
+    console.error('Usage: atris errors show <id>');
+    console.error('(id must be a full UUID — get one from `atris errors` output)');
+    process.exit(1);
+  }
+
+  const token = getToken();
+  const result = await apiRequestJson(`/errors/${encodeURIComponent(errorId)}`, {
+    method: 'GET',
+    token,
+  });
+
+  if (!result.ok) {
+    console.error(`Error: ${result.error || 'Failed to fetch error'}`);
+    process.exit(1);
+  }
+
+  const e = result.data || {};
+  console.log(`Error ${e.id || errorId}`);
+  console.log(`  type:    ${e.error_type || '?'}`);
+  console.log(`  method:  ${e.request_method || '?'}`);
+  console.log(`  path:    ${e.request_path || '?'}`);
+  console.log(`  status:  ${e.status_code || '?'}`);
+  console.log(`  when:    ${e.created_at || '?'}`);
+  console.log(`  source:  ${e.source || '?'}`);
+  if (e.user_id) console.log(`  user:    ${e.user_id}`);
+  console.log('');
+  console.log('Message:');
+  console.log('  ' + (e.message || '(none)').split('\n').join('\n  '));
+  console.log('');
+  if (e.stack_trace) {
+    console.log('Stack trace:');
+    console.log('  ' + e.stack_trace.split('\n').join('\n  '));
+  }
+}
+
+function printHelp() {
+  console.log('');
+  console.log('Usage:');
+  console.log('  atris errors                         List errors from last 24h, grouped');
+  console.log('  atris errors --hours 72              Widen the window (max 720h / 30d)');
+  console.log('  atris errors --limit 1000            Raise the raw-event cap');
+  console.log('  atris errors show <full-uuid>        Full detail for one event');
+  console.log('');
+  console.log('Admin role required.');
+  console.log('');
+}
+
+async function errorsCommand() {
+  const args = process.argv.slice(3);
+  const sub = args[0];
+
+  if (sub === '--help' || sub === '-h' || sub === 'help') {
+    printHelp();
+    return;
+  }
+
+  if (sub === 'show') {
+    await showError(args[1]);
+    return;
+  }
+
+  await listErrors(args);
+}
+
+module.exports = { errorsCommand };