auramaxx 0.0.1

package/server/cli/commands/actions.ts

@@ -0,0 +1,474 @@
+/**
+ * auramaxx actions — Human-action request and token management
+ */
+
+import {
+  bootstrapViaAuthRequest,
+  bootstrapViaSocket,
+  decryptWithPrivateKey,
+  generateEphemeralKeypair,
+  type ProfileIssuanceSelection,
+} from '../../lib/credential-transport';
+import { getErrorMessage } from '../../lib/error';
+import { waitForAuthDecision } from '../lib/approval-poll';
+import { printHelp } from '../lib/theme';
+import { serverUrl } from '../lib/http';
+
+type JsonObject = Record<string, unknown>;
+
+interface ParsedPollCommon {
+  json: boolean;
+  rawToken: boolean;
+  noWait: boolean;
+  timeoutMs: number;
+  intervalMs: number;
+}
+
+function showHelp(): void {
+  printHelp('ACTIONS', 'npx auramaxx actions <subcommand> [options]', [
+    { name: 'create', desc: 'Create action request and optionally poll for approval token' },
+    { name: 'pending', desc: 'List pending human actions' },
+    { name: 'resolve <id>', desc: 'Approve or reject a pending action' },
+    { name: 'tokens', desc: 'List agent tokens (admin)' },
+    { name: 'revoke <tokenHash>', desc: 'Revoke token by hash (or --self)' },
+  ], [
+    'Create options:',
+    '  --summary <text>             Required summary',
+    '  --permissions <a,b,c>        Required permission CSV',
+    '  --ttl <seconds>              Optional token TTL for approved action token',
+    '  --limit-fund <eth>           Optional fund limit override',
+    '  --limit-send <eth>           Optional send limit override',
+    '  --limit-swap <eth>           Optional swap limit override',
+    '  --wallet-access <a,b,c>      Optional wallet access CSV',
+    '  --credential-read <a,b,c>    Optional credential read scope CSV',
+    '  --credential-write <a,b,c>   Optional credential write scope CSV',
+    '  --exclude-fields <a,b,c>     Optional excluded field CSV',
+    '  --metadata <json>            Optional metadata object',
+    '  --no-wait                    Do not poll for approval result',
+    '  --timeout-ms <ms>            Poll timeout (default: 120000)',
+    '  --interval-ms <ms>           Poll interval (default: 3000)',
+    '  --raw-token                  Print full approved token',
+    '  --json                       JSON output',
+    '',
+    'Auth bootstrap options (when AURA_TOKEN is not set):',
+    '  --profile <id>               /auth fallback profile (default: strict)',
+    '  --profile-version <v>        /auth fallback profile version (default: v1)',
+    '  --profile-overrides <json>   Tighten-only profile override JSON',
+    '',
+    'Resolve options:',
+    '  --approve                    Approve action',
+    '  --reject                     Reject action',
+    '  --wallet-access <a,b,c>      Optional wallet access override',
+    '  --limits <json>              Optional limits override object',
+    '',
+    'Token options:',
+    '  --token <token>              Use this bearer token (default: AURA_TOKEN or socket fallback)',
+    '  --self                       Revoke current token (for revoke subcommand)',
+    '',
+    'Examples:',
+    '  npx auramaxx actions create --summary "Grant read" --permissions secret:read',
+    '  npx auramaxx actions pending',
+    '  npx auramaxx actions resolve act_123 --approve',
+    '  npx auramaxx actions tokens',
+    '  npx auramaxx actions revoke tok_abc',
+  ]);
+}
+
+function getFlagValue(args: string[], flag: string): string | undefined {
+  const idx = args.indexOf(flag);
+  return idx >= 0 ? args[idx + 1] : undefined;
+}
+
+function parseInteger(args: string[], flag: string, fallback: number): number {
+  const raw = getFlagValue(args, flag);
+  if (!raw) return fallback;
+  const n = Number(raw);
+  if (!Number.isFinite(n) || n <= 0) throw new Error(`${flag} must be a positive number`);
+  return Math.floor(n);
+}
+
+function parseNumber(args: string[], flag: string): number | undefined {
+  const raw = getFlagValue(args, flag);
+  if (!raw) return undefined;
+  const n = Number(raw);
+  if (!Number.isFinite(n) || n < 0) throw new Error(`${flag} must be a non-negative number`);
+  return n;
+}
+
+function parseCsv(args: string[], flag: string): string[] | undefined {
+  const raw = getFlagValue(args, flag);
+  if (!raw) return undefined;
+  const out = raw.split(',').map((v) => v.trim()).filter(Boolean);
+  return out.length > 0 ? out : undefined;
+}
+
+function parseJsonObject(args: string[], flag: string): JsonObject | undefined {
+  const raw = getFlagValue(args, flag);
+  if (!raw) return undefined;
+  const parsed = JSON.parse(raw) as unknown;
+  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+    throw new Error(`${flag} must be a JSON object`);
+  }
+  return parsed as JsonObject;
+}
+
+function parsePollCommon(args: string[]): ParsedPollCommon {
+  return {
+    json: args.includes('--json'),
+    rawToken: args.includes('--raw-token'),
+    noWait: args.includes('--no-wait'),
+    timeoutMs: parseInteger(args, '--timeout-ms', 120_000),
+    intervalMs: parseInteger(args, '--interval-ms', 3_000),
+  };
+}
+
+function parseProfileSelection(args: string[]): ProfileIssuanceSelection {
+  const profile = getFlagValue(args, '--profile');
+  const profileVersion = getFlagValue(args, '--profile-version');
+  const profileOverrides = parseJsonObject(args, '--profile-overrides');
+  return {
+    ...(profile ? { profile } : {}),
+    ...(profileVersion ? { profileVersion } : {}),
+    ...(profileOverrides ? { profileOverrides } : {}),
+  };
+}
+
+async function resolveBearerToken(args: string[]): Promise<string> {
+  const explicit = getFlagValue(args, '--token') || process.env.AURA_TOKEN;
+  if (explicit) return explicit;
+
+  const selection = parseProfileSelection(args);
+  const keypair = generateEphemeralKeypair();
+
+  if (selection.profile) {
+    const result = await bootstrapViaAuthRequest(serverUrl(), 'cli-actions', keypair, {
+      ...selection,
+      noWait: true,
+      onStatus: (message) => console.error(message),
+    });
+    if (result.approveUrl) {
+      console.error(`Approve at: ${result.approveUrl}`);
+    }
+    console.error(`After approval, re-run with: AURA_TOKEN=<token> npx auramaxx actions ...`);
+    console.error(`Or use: npx auramaxx auth request --profile ${selection.profile} --raw-token`);
+    process.exit(1);
+  }
+
+  try {
+    return await bootstrapViaSocket('cli-actions', keypair);
+  } catch (socketErr) {
+    return bootstrapViaAuthRequest(serverUrl(), 'cli-actions', keypair, {
+      ...selection,
+      onStatus: (message) => console.error(message),
+    }).catch((authErr) => {
+      throw new Error(`${getErrorMessage(socketErr)}\n${getErrorMessage(authErr)}`);
+    });
+  }
+}
+
+function maskToken(token: string): string {
+  if (token.length <= 24) return token;
+  return `${token.slice(0, 20)}...${token.slice(-4)}`;
+}
+
+async function postJson(path: string, token: string, body?: unknown): Promise<Record<string, unknown>> {
+  const res = await fetch(`${serverUrl()}${path}`, {
+    method: body !== undefined ? 'POST' : 'GET',
+    headers: {
+      'Authorization': `Bearer ${token}`,
+      'Content-Type': 'application/json',
+    },
+    body: body !== undefined ? JSON.stringify(body) : undefined,
+    signal: AbortSignal.timeout(12_000),
+  });
+
+  const data = await res.json().catch(() => ({})) as Record<string, unknown>;
+  if (!res.ok) {
+    throw new Error(String(data.error || `HTTP ${res.status}`));
+  }
+  return data;
+}
+
+async function cmdCreate(args: string[]): Promise<number> {
+  console.error('DEPRECATED: `actions create` is deprecated. Use `npx auramaxx auth request --profile <profile>` instead.');
+  console.error('  To include a pre-computed action: --action \'{"endpoint":"/send","method":"POST","body":{...}}\'');
+  console.error('');
+  const common = parsePollCommon(args);
+  const summary = getFlagValue(args, '--summary');
+  const permissions = parseCsv(args, '--permissions');
+  if (!summary) throw new Error('--summary is required');
+  if (!permissions || permissions.length === 0) throw new Error('--permissions is required');
+
+  const token = await resolveBearerToken(args);
+  const keypair = generateEphemeralKeypair();
+
+  const ttl = parseNumber(args, '--ttl');
+  const limitFund = parseNumber(args, '--limit-fund');
+  const limitSend = parseNumber(args, '--limit-send');
+  const limitSwap = parseNumber(args, '--limit-swap');
+  const metadata = parseJsonObject(args, '--metadata');
+  const walletAccess = parseCsv(args, '--wallet-access');
+  const credentialRead = parseCsv(args, '--credential-read');
+  const credentialWrite = parseCsv(args, '--credential-write');
+  const excludeFields = parseCsv(args, '--exclude-fields');
+
+  const limits: Record<string, number> = {};
+  if (limitFund !== undefined) limits.fund = limitFund;
+  if (limitSend !== undefined) limits.send = limitSend;
+  if (limitSwap !== undefined) limits.swap = limitSwap;
+
+  const credentialAccess: Record<string, unknown> = {};
+  if (credentialRead) credentialAccess.read = credentialRead;
+  if (credentialWrite) credentialAccess.write = credentialWrite;
+  if (excludeFields) credentialAccess.excludeFields = excludeFields;
+
+  const body: Record<string, unknown> = {
+    summary,
+    permissions,
+    pubkey: keypair.publicKeyPem,
+    ...(ttl !== undefined ? { ttl } : {}),
+    ...(Object.keys(limits).length > 0 ? { limits } : {}),
+    ...(walletAccess ? { walletAccess } : {}),
+    ...(Object.keys(credentialAccess).length > 0 ? { credentialAccess } : {}),
+    ...(metadata ? { metadata } : {}),
+  };
+
+  const created = await postJson('/actions', token, body) as {
+    success?: boolean;
+    requestId?: string;
+    secret?: string;
+    message?: string;
+  };
+
+  if (!created.success || !created.requestId || !created.secret) {
+    throw new Error('Action request did not return requestId/secret');
+  }
+
+  if (common.noWait) {
+    if (common.json) {
+      console.log(JSON.stringify({
+        success: true,
+        status: 'pending',
+        requestId: created.requestId,
+        secret: created.secret,
+      }, null, 2));
+    } else {
+      console.log(`Action request created.`);
+      console.log(`  requestId: ${created.requestId}`);
+      console.log(`  secret: ${created.secret}`);
+      console.log('Use `npx auramaxx auth poll <requestId> --secret <secret>` to continue.');
+    }
+    return 0;
+  }
+
+  console.log(`Action request created (${created.requestId}). Waiting for approval...`);
+
+  const { response, attempts, elapsedMs } = await waitForAuthDecision(
+    serverUrl(),
+    created.requestId,
+    created.secret,
+    {
+      timeoutMs: common.timeoutMs,
+      intervalMs: common.intervalMs,
+      onPending: ({ attempt }) => {
+        if (attempt === 1 || attempt % 5 === 0) {
+          console.log('  pending...');
+        }
+      },
+    },
+  );
+
+  if (response.status === 'rejected') {
+    if (common.json) {
+      console.log(JSON.stringify({
+        success: true,
+        status: 'rejected',
+        requestId: created.requestId,
+        attempts,
+        elapsedMs,
+      }, null, 2));
+    } else {
+      console.log('Action request was rejected.');
+    }
+    return 1;
+  }
+
+  if (!response.encryptedToken) {
+    throw new Error('Approved action response missing encryptedToken');
+  }
+
+  const approvedToken = decryptWithPrivateKey(response.encryptedToken, keypair.privateKeyPem);
+
+  if (common.json) {
+    console.log(JSON.stringify({
+      success: true,
+      status: 'approved',
+      requestId: created.requestId,
+      attempts,
+      elapsedMs,
+      token: common.rawToken ? approvedToken : undefined,
+      tokenPreview: maskToken(approvedToken),
+    }, null, 2));
+  } else {
+    console.log('Approved.');
+    if (common.rawToken) {
+      console.log(`  token: ${approvedToken}`);
+    } else {
+      console.log(`  token: ${maskToken(approvedToken)}`);
+      console.log('  (use --raw-token to print full token)');
+    }
+    console.log(`  export AURA_TOKEN='${approvedToken}'`);
+  }
+
+  return 0;
+}
+
+async function cmdPending(args: string[]): Promise<number> {
+  const token = await resolveBearerToken(args);
+  const json = args.includes('--json');
+  const data = await postJson('/actions/pending', token);
+
+  if (json) {
+    console.log(JSON.stringify(data, null, 2));
+    return 0;
+  }
+
+  const actions = Array.isArray((data as { actions?: unknown[] }).actions)
+    ? (data as { actions: Array<{ id: string; type: string; status: string; metadata?: string }> }).actions
+    : [];
+
+  if (actions.length === 0) {
+    console.log('No pending actions.');
+    return 0;
+  }
+
+  for (const action of actions) {
+    console.log(`${action.id}  type=${action.type}  status=${action.status}`);
+  }
+  return 0;
+}
+
+async function cmdResolve(args: string[]): Promise<number> {
+  const actionId = args[0];
+  if (!actionId) throw new Error('Usage: npx auramaxx actions resolve <id> --approve|--reject');
+
+  const approve = args.includes('--approve');
+  const reject = args.includes('--reject');
+  if (approve === reject) {
+    throw new Error('Specify exactly one of --approve or --reject');
+  }
+
+  const token = await resolveBearerToken(args);
+  const walletAccess = parseCsv(args, '--wallet-access');
+  const limits = parseJsonObject(args, '--limits');
+  const json = args.includes('--json');
+
+  const data = await postJson(`/actions/${encodeURIComponent(actionId)}/resolve`, token, {
+    approved: approve,
+    ...(walletAccess ? { walletAccess } : {}),
+    ...(limits ? { limits } : {}),
+  });
+
+  if (json) {
+    console.log(JSON.stringify(data, null, 2));
+  } else {
+    console.log(`Resolved ${actionId}: ${approve ? 'approved' : 'rejected'}`);
+  }
+
+  return 0;
+}
+
+async function cmdTokens(args: string[]): Promise<number> {
+  const token = await resolveBearerToken(args);
+  const json = args.includes('--json');
+  const data = await postJson('/actions/tokens', token);
+
+  if (json) {
+    console.log(JSON.stringify(data, null, 2));
+    return 0;
+  }
+
+  const total = Number((data as { total?: unknown }).total || 0);
+  const tokens = (data as { tokens?: Record<string, unknown[]> }).tokens || {};
+  const active = Array.isArray(tokens.active) ? tokens.active.length : 0;
+  const inactive = Array.isArray(tokens.inactive) ? tokens.inactive.length : 0;
+  const expired = Array.isArray(tokens.expired) ? tokens.expired.length : 0;
+  const revoked = Array.isArray(tokens.revoked) ? tokens.revoked.length : 0;
+  const depleted = Array.isArray(tokens.depleted) ? tokens.depleted.length : 0;
+
+  console.log(`total=${total}`);
+  console.log(`active=${active}`);
+  console.log(`inactive=${inactive}`);
+  console.log(`expired=${expired}`);
+  console.log(`revoked=${revoked}`);
+  console.log(`depleted=${depleted}`);
+  return 0;
+}
+
+async function cmdRevoke(args: string[]): Promise<number> {
+  const token = await resolveBearerToken(args);
+  const json = args.includes('--json');
+  const self = args.includes('--self');
+  const tokenHash = self ? undefined : args[0];
+
+  if (!self && !tokenHash) {
+    throw new Error('Usage: npx auramaxx actions revoke <tokenHash> (or --self)');
+  }
+
+  const body = self ? {} : { tokenHash };
+  const data = await postJson('/actions/tokens/revoke', token, body);
+
+  if (json) {
+    console.log(JSON.stringify(data, null, 2));
+  } else {
+    console.log(String((data as { message?: unknown }).message || 'Token revoke attempted.'));
+  }
+
+  return (data as { success?: boolean }).success === false ? 1 : 0;
+}
+
+async function main(): Promise<void> {
+  const args = process.argv.slice(2);
+  const subcommand = args[0];
+
+  if (!subcommand || subcommand === '--help' || subcommand === '-h') {
+    showHelp();
+    process.exit(0);
+  }
+
+  try {
+    let exitCode = 0;
+    switch (subcommand) {
+      case 'create':
+        exitCode = await cmdCreate(args.slice(1));
+        break;
+      case 'pending':
+      case 'list':
+        exitCode = await cmdPending(args.slice(1));
+        break;
+      case 'resolve':
+        exitCode = await cmdResolve(args.slice(1));
+        break;
+      case 'tokens':
+        exitCode = await cmdTokens(args.slice(1));
+        break;
+      case 'revoke':
+        exitCode = await cmdRevoke(args.slice(1));
+        break;
+      default:
+        throw new Error(`Unknown actions subcommand: ${subcommand}`);
+    }
+
+    process.exit(exitCode);
+  } catch (error) {
+    console.error(`Actions command failed: ${getErrorMessage(error)}`);
+    process.exit(1);
+  }
+}
+
+if (import.meta.url === `file://${process.argv[1]}`) {
+  main().catch((error) => {
+    console.error(`Actions command failed: ${getErrorMessage(error)}`);
+    process.exit(1);
+  });
+}

package/server/cli/commands/api.ts

@@ -0,0 +1,220 @@
+/**
+ * auramaxx api — Generic wallet API caller from CLI
+ *
+ * Usage:
+ *   npx auramaxx api GET /health
+ *   npx auramaxx api POST /auth --body '{"agentId":"cli-api","profile":"dev","profileVersion":"v1","pubkey":"..."}' --no-auth
+ *   npx auramaxx api POST /credentials --body '{"name":"X","type":"note","fields":[{"key":"content","value":"hello"}]}'
+ */
+
+import {
+  bootstrapViaAuthRequest,
+  bootstrapViaSocket,
+  generateEphemeralKeypair,
+  type ProfileIssuanceSelection,
+} from '../../lib/credential-transport';
+import { getErrorMessage } from '../../lib/error';
+import { handlePermissionDenied } from '../lib/escalation';
+import { maybeHandleLockError } from '../lib/lock-unlock-helper';
+import { serverUrl } from '../lib/http';
+import { printHelp } from '../lib/theme';
+
+interface ApiCliArgs {
+  method: string;
+  endpoint: string;
+  bodyRaw?: string;
+  noAuth: boolean;
+  profile?: string;
+  profileVersion?: string;
+  profileOverridesRaw?: string;
+}
+
+function showHelp(): void {
+  printHelp('API', 'npx auramaxx api [METHOD] <endpoint> [options]', [], [
+    'Examples:',
+    '  npx auramaxx api GET /health --no-auth',
+    '  npx auramaxx api GET /setup --no-auth',
+    '  npx auramaxx api GET /wallets',
+    '  npx auramaxx api POST /credential-shares --body \'{"credentialId":"cred_x","expiresAfter":"24h"}\'',
+    '  npx auramaxx api GET /credential-shares/<token> --no-auth',
+    '  npx auramaxx api POST /auth --no-auth --body \'{"agentId":"cli-api","profile":"dev","profileVersion":"v1","pubkey":"..."}\'',
+    '',
+    'Options:',
+    '  --body <json>             JSON request body',
+    '  --no-auth                 Do not attach bearer auth token',
+    '  --profile <p>             Profile for /auth fallback when socket auto-approve is blocked',
+    '  --profile-version <v>     Profile version for /auth fallback',
+    '  --profile-overrides <j>   Tighten-only profile override JSON for /auth fallback',
+    '',
+    'Auth:',
+    '  Uses Unix socket by default.',
+    '  Falls back to /auth polling when strict local mode disables auto-approve.',
+    '  Uses AURA_TOKEN if present.',
+  ]);
+}
+
+function parseArgs(argv: string[]): ApiCliArgs | null {
+  const args = [...argv];
+  if (args.length === 0 || args.includes('--help') || args.includes('-h')) return null;
+
+  let method = 'GET';
+  let endpoint = '';
+
+  if (args[0].startsWith('/')) {
+    endpoint = args.shift()!;
+  } else {
+    method = (args.shift() || 'GET').toUpperCase();
+    endpoint = args.shift() || '';
+  }
+
+  if (!endpoint) return null;
+  if (!endpoint.startsWith('/')) endpoint = `/${endpoint}`;
+
+  const getValue = (flag: string): string | undefined => {
+    const idx = args.indexOf(flag);
+    return idx >= 0 ? args[idx + 1] : undefined;
+  };
+
+  return {
+    method,
+    endpoint,
+    bodyRaw: getValue('--body'),
+    noAuth: args.includes('--no-auth'),
+    profile: getValue('--profile'),
+    profileVersion: getValue('--profile-version'),
+    profileOverridesRaw: getValue('--profile-overrides'),
+  };
+}
+
+function parseProfileOverrides(raw?: string): ProfileIssuanceSelection['profileOverrides'] | undefined {
+  if (!raw) return undefined;
+  const parsed = JSON.parse(raw) as unknown;
+  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+    throw new Error('--profile-overrides must be a JSON object');
+  }
+  return parsed as ProfileIssuanceSelection['profileOverrides'];
+}
+
+function parseBody(raw?: string): unknown | undefined {
+  if (!raw) return undefined;
+  return JSON.parse(raw) as unknown;
+}
+
+async function resolveAuthToken(selection: ProfileIssuanceSelection): Promise<string> {
+  const envToken = process.env.AURA_TOKEN;
+  if (envToken) return envToken;
+
+  const keypair = generateEphemeralKeypair();
+
+  // If an explicit profile was requested, skip socket bootstrap (which ignores profiles)
+  // and create the /auth request non-blocking — print approval URL and exit.
+  if (selection.profile) {
+    const result = await bootstrapViaAuthRequest(serverUrl(), 'cli-api', keypair, {
+      ...selection,
+      noWait: true,
+      onStatus: (message) => console.error(message),
+    });
+    if (result.approveUrl) {
+      console.error(`Approve at: ${result.approveUrl}`);
+    }
+    console.error(`After approval, re-run with: AURA_TOKEN=<token> npx auramaxx api ...`);
+    console.error(`Or use: npx auramaxx auth request --profile ${selection.profile} --raw-token`);
+    process.exit(1);
+  }
+
+  try {
+    return await bootstrapViaSocket('cli-api', keypair);
+  } catch (socketErr) {
+    return bootstrapViaAuthRequest(serverUrl(), 'cli-api', keypair, {
+      ...selection,
+      onStatus: (message) => console.error(message),
+    }).catch((authErr) => {
+      throw new Error(`${getErrorMessage(socketErr)}\n${getErrorMessage(authErr)}`);
+    });
+  }
+}
+
+async function main(): Promise<void> {
+  const parsed = parseArgs(process.argv.slice(2));
+  if (!parsed) {
+    showHelp();
+    process.exit(0);
+  }
+
+  const base = serverUrl();
+  const url = `${base}${parsed.endpoint}`;
+
+  const profileOverrides = parseProfileOverrides(parsed.profileOverridesRaw);
+  const authSelection: ProfileIssuanceSelection = {
+    ...(parsed.profile ? { profile: parsed.profile } : {}),
+    ...(parsed.profileVersion ? { profileVersion: parsed.profileVersion } : {}),
+    ...(profileOverrides ? { profileOverrides } : {}),
+  };
+
+  const body = parseBody(parsed.bodyRaw);
+  const token = parsed.noAuth ? null : await resolveAuthToken(authSelection);
+
+  const headers: Record<string, string> = {};
+  if (body !== undefined) headers['Content-Type'] = 'application/json';
+  if (token) headers['Authorization'] = `Bearer ${token}`;
+
+  const res = await fetch(url, {
+    method: parsed.method,
+    headers,
+    body: body !== undefined ? JSON.stringify(body) : undefined,
+    signal: AbortSignal.timeout(15_000),
+  });
+
+  const text = await res.text();
+  let payload: unknown = text;
+  try {
+    payload = text ? JSON.parse(text) as unknown : {};
+  } catch {
+    payload = text;
+  }
+
+  if (!res.ok) {
+    const handledLock = await maybeHandleLockError({
+      context: 'api command',
+      statusCode: res.status,
+      payload,
+    });
+    if (!handledLock) {
+      if (handlePermissionDenied(res.status, payload)) {
+        process.exit(1);
+      }
+      if (typeof payload === 'string') {
+        console.error(`HTTP ${res.status}: ${payload}`);
+      } else {
+        console.error(`HTTP ${res.status}: ${JSON.stringify(payload, null, 2)}`);
+        const obj = payload as Record<string, unknown>;
+        const approvalUrl = typeof obj.approveUrl === 'string' ? obj.approveUrl : undefined;
+        const actionId = typeof obj.actionId === 'string' ? obj.actionId : undefined;
+
+        if (approvalUrl) {
+          console.error(`\nApproval required. Open: ${approvalUrl}`);
+          if (actionId) console.error(`Action ID: ${actionId}`);
+          console.error('After approval, retry the same command.');
+        }
+      }
+    }
+    process.exit(1);
+  }
+
+  if (typeof payload === 'string') {
+    console.log(payload);
+    return;
+  }
+
+  console.log(JSON.stringify(payload, null, 2));
+}
+
+if (import.meta.url === `file://${process.argv[1]}`) {
+  main().catch(async (error) => {
+    const handledLock = await maybeHandleLockError({ context: 'api command', error });
+    if (!handledLock) {
+      console.error(`API call failed: ${getErrorMessage(error)}`);
+    }
+    process.exit(1);
+  });
+}