chapterhouse 0.5.2 → 0.6.0

package/dist/copilot/threat-model.js

@@ -0,0 +1,50 @@
+const THREAT_MODEL_PATTERNS = [
+    /(^|[\/._-])auth([\/._-]|$)/i,
+    /credential/i,
+    /(auth|access|bearer|refresh|session|payment|api)[-_.]?token|token[-_.]?(auth|key|secret|refresh|access|session|payment)/i,
+    /billing/i,
+    /subscription/i,
+    /api[-_]?key/i,
+    /(^|[\/._-])tiers?([\/._-]|$)/i,
+];
+function normalizeChangedFiles(changedFiles) {
+    return changedFiles.map((file) => file.trim()).filter(Boolean);
+}
+export function findThreatModelMatches(changedFiles) {
+    return normalizeChangedFiles(changedFiles).filter((file) => THREAT_MODEL_PATTERNS.some((pattern) => pattern.test(file)));
+}
+export function hasThreatModelSection(prBody) {
+    const stripped = (prBody ?? "").replace(/<!--[\s\S]*?-->/g, "");
+    return /^##+\s+Threat Model\b/im.test(stripped);
+}
+export function evaluateThreatModelCheck(input) {
+    const matchedFiles = findThreatModelMatches(input.changedFiles);
+    if (matchedFiles.length === 0) {
+        return {
+            required: false,
+            valid: true,
+            matchedFiles: [],
+            message: "✅ No auth/credentials/billing file changes detected — a threat model section is not required.",
+        };
+    }
+    if (hasThreatModelSection(input.prBody)) {
+        return {
+            required: true,
+            valid: true,
+            matchedFiles,
+            message: "✅ Threat model section present for auth/credentials/billing changes.",
+        };
+    }
+    return {
+        required: true,
+        valid: false,
+        matchedFiles,
+        message: [
+            "⚠️ This PR modifies auth/credentials/billing files. Add a '## Threat Model' section to the PR description explaining the security implications.",
+            "",
+            "Matched files:",
+            ...matchedFiles.map((file) => `- ${file}`),
+        ].join("\n"),
+    };
+}
+//# sourceMappingURL=threat-model.js.map

package/dist/copilot/threat-model.test.js

@@ -0,0 +1,129 @@
+import assert from "node:assert/strict";
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+import test from "node:test";
+async function loadThreatModelModule() {
+    const nonce = `${Date.now()}-${Math.random()}`;
+    const moduleUrl = new URL(`./threat-model.js?case=${nonce}`, import.meta.url);
+    const module = await import(moduleUrl.href).catch(() => null);
+    assert.ok(module, "expected threat-model module to exist");
+    return module;
+}
+test("requires a threat model section when auth, credential, token, or billing files change", async () => {
+    const { evaluateThreatModelCheck } = await loadThreatModelModule();
+    const result = evaluateThreatModelCheck({
+        changedFiles: [
+            "src/api/auth.ts",
+            "src/auth/session-token.ts",
+            "docs/architecture.md",
+            "src/billing/subscription-plan.ts",
+        ],
+        prBody: "## Summary\nAdds validation for token refresh.\n",
+    });
+    assert.equal(result.required, true);
+    assert.equal(result.valid, false);
+    assert.deepEqual(result.matchedFiles, [
+        "src/api/auth.ts",
+        "src/auth/session-token.ts",
+        "src/billing/subscription-plan.ts",
+    ]);
+    assert.match(result.message, /This PR modifies auth\/credentials\/billing files/i);
+    assert.match(result.message, /## Threat Model/);
+});
+test("accepts PRs with matching files once the threat model section is present", async () => {
+    const { evaluateThreatModelCheck } = await loadThreatModelModule();
+    const result = evaluateThreatModelCheck({
+        changedFiles: ["src/copilot/auth.ts", "src/config.ts"],
+        prBody: [
+            "## Summary",
+            "Hardens auth bootstrap behavior.",
+            "",
+            "## Threat Model",
+            "Tokens stay in-memory only; no new credentials are persisted.",
+        ].join("\n"),
+    });
+    assert.equal(result.required, true);
+    assert.equal(result.valid, true);
+    assert.deepEqual(result.matchedFiles, ["src/copilot/auth.ts"]);
+});
+test("skips the requirement when changed files are outside auth, credentials, and billing", async () => {
+    const { evaluateThreatModelCheck } = await loadThreatModelModule();
+    const result = evaluateThreatModelCheck({
+        changedFiles: ["src/wiki/index.ts", "web/src/routes/Chat.tsx"],
+        prBody: "## Summary\nUI cleanup only.\n",
+    });
+    assert.equal(result.required, false);
+    assert.equal(result.valid, true);
+    assert.deepEqual(result.matchedFiles, []);
+    assert.match(result.message, /not required/i);
+});
+test("does NOT flag lexer or NLP files with 'token' in the name (false-positive guard)", async () => {
+    const { evaluateThreatModelCheck } = await loadThreatModelModule();
+    const result = evaluateThreatModelCheck({
+        changedFiles: [
+            "src/parser/tokenizer.ts",
+            "src/nlp/token-embeddings.ts",
+            "src/utils/tokenize.ts",
+            "src/copilot/token-cache.ts",
+            "web/src/components/TokenDisplay.tsx",
+        ],
+        prBody: "## Summary\nRefactors NLP pipeline.\n",
+    });
+    assert.equal(result.required, false);
+    assert.equal(result.valid, true);
+    assert.deepEqual(result.matchedFiles, []);
+    assert.match(result.message, /not required/i);
+});
+test("correctly flags security-relevant token files (auth-token, session-token, payment-token)", async () => {
+    const { evaluateThreatModelCheck } = await loadThreatModelModule();
+    const securityFiles = [
+        "src/auth/session-token.ts",
+        "src/billing/payment-token.ts",
+        "src/credentials/access-token-store.ts",
+        "src/api/bearer-token-middleware.ts",
+        "src/copilot/refresh-token.ts",
+        "src/auth/token-secret.ts",
+    ];
+    for (const file of securityFiles) {
+        const result = evaluateThreatModelCheck({
+            changedFiles: [file],
+            prBody: "## Summary\nNo threat model section.\n",
+        });
+        assert.equal(result.required, true, `Expected ${file} to trigger threat-model gate`);
+        assert.deepEqual(result.matchedFiles, [file]);
+    }
+});
+test("hasThreatModelSection returns false when the section exists only inside an HTML comment (template placeholder)", async () => {
+    const { evaluateThreatModelCheck } = await loadThreatModelModule();
+    // Simulates a PR body where the author left the default template untouched —
+    // the Threat Model heading is present only inside an HTML comment block.
+    const templatePlaceholderBody = [
+        "## Summary",
+        "Adds a new auth flow.",
+        "",
+        "<!--",
+        "## Threat Model",
+        "",
+        "If this PR touches auth, credentials, API keys, billing tiers, or subscription logic — fill in the Threat Model section.",
+        "Otherwise delete it.",
+        "",
+        "- Risk:",
+        "- Mitigations:",
+        "- Reviewer focus:",
+        "-->",
+    ].join("\n");
+    const result = evaluateThreatModelCheck({
+        changedFiles: ["src/auth/session-token.ts"],
+        prBody: templatePlaceholderBody,
+    });
+    assert.equal(result.required, true);
+    assert.equal(result.valid, false, "A Threat Model section inside an HTML comment must NOT satisfy the gate");
+    assert.match(result.message, /## Threat Model/);
+});
+test("PR template reminds authors about the threat model section", () => {
+    const template = readFileSync(join(process.cwd(), ".github", "PULL_REQUEST_TEMPLATE.md"), "utf8");
+    assert.match(template, /Threat Model/);
+    assert.match(template, /If this PR touches auth, credentials, API keys, billing tiers, or subscription logic/i);
+    assert.match(template, /Otherwise delete it/i);
+});
+//# sourceMappingURL=threat-model.test.js.map

package/dist/copilot/tools.js

@@ -53,6 +53,21 @@ function yamlListItem(value) {
 function indexSafe(text) {
     return text.replace(/[\r\n|]/g, " ").trim();
 }
+function sanitizeWikiUpdateError(err) {
+    if (err instanceof z.ZodError) {
+        return err.issues.map((issue) => issue.message).join("; ") || "Invalid wiki_update arguments.";
+    }
+    const message = err instanceof Error ? err.message : String(err);
+    if (message.startsWith("Wiki page frontmatter violates the required shape:")
+        || message.startsWith("Wiki path")
+        || message.startsWith("Wiki page paths must end in .md:")
+        || message.startsWith("Refused unsafe wiki path:")
+        || message.startsWith("Refused: only pages under pages/")
+        || message === "Wiki path is required") {
+        return message;
+    }
+    return "Wiki update failed. Check the page path and frontmatter, then try again.";
+}
 function isTimeoutError(err) {
     const msg = err instanceof Error ? err.message : String(err);
     return /timeout|timed?\s*out/i.test(msg);
@@ -189,6 +204,13 @@ const memoryProposeArgsSchema = z.object({
     }
 });
 const memoryTierTableSchema = z.enum(["observation", "decision", "entity", "action_item"]);
+const wikiUpdateArgsSchema = z.object({
+    path: z.string().describe("Page path relative to wiki root (e.g. 'pages/projects/chapterhouse/index.md', 'pages/projects/chapterhouse/decisions.md', 'pages/people/brian/index.md')"),
+    title: z.string().describe("Page title for the index"),
+    summary: z.string().describe("One-line summary for the index"),
+    section: z.string().optional().describe("Index section (default: 'Knowledge')"),
+    content: z.string().describe("Full page content (markdown)"),
+});
 function getCurrentQuarter(now = new Date()) {
     return `${now.getUTCFullYear()}-Q${Math.floor(now.getUTCMonth() / 3) + 1}`;
 }
@@ -1661,46 +1683,48 @@ export function createTools(deps) {
                 "topic overview or a facet name (e.g. 'decisions', 'feature-ideas') — exactly one topic level, " +
                 "lowercase slugs only. Flat-category pages MUST be 'pages/<category>.md' (preferences, facts, " +
                 "routines, decisions). Bad paths are rejected with a suggested correction.",
-            parameters: z.object({
-                path: z.string().describe("Page path relative to wiki root (e.g. 'pages/projects/chapterhouse/index.md', 'pages/projects/chapterhouse/decisions.md', 'pages/people/brian/index.md')"),
-                title: z.string().describe("Page title for the index"),
-                summary: z.string().describe("One-line summary for the index"),
-                section: z.string().optional().describe("Index section (default: 'Knowledge')"),
-                content: z.string().describe("Full page content (markdown)"),
-            }),
+            parameters: wikiUpdateArgsSchema,
             handler: async (args) => {
-                return withWikiWrite(async () => {
-                    ensureWikiStructure();
-                    assertPagePath(args.path);
-                    const validation = validateWikiFrontmatter(args.content, {
-                        allowedTags: loadTaxonomy(),
-                    });
-                    if (!validation.valid) {
-                        throw new Error(validation.errors.map((error) => error.message).join("\n\n"));
-                    }
-                    writePage(args.path, args.content);
-                    // Rebuild from disk so the index summary/tags/updated reflect the actual page.
-                    const today = new Date().toISOString().slice(0, 10);
-                    const rebuilt = buildIndexEntryForPage(args.path, {
-                        section: args.section || "Knowledge",
-                        updated: today,
-                    });
-                    if (rebuilt) {
-                        rebuilt.section = args.section || "Knowledge";
-                        addToIndex(rebuilt);
-                    }
-                    else {
-                        addToIndex({
-                            path: args.path,
-                            title: args.title,
-                            summary: indexSafe(args.summary).slice(0, 160),
-                            section: args.section || "Knowledge",
+                try {
+                    const parsedArgs = wikiUpdateArgsSchema.parse(args);
+                    return await withWikiWrite(async () => {
+                        ensureWikiStructure();
+                        assertPagePath(parsedArgs.path);
+                        const validation = validateWikiFrontmatter(parsedArgs.content, {
+                            allowedTags: loadTaxonomy(),
+                        });
+                        if (!validation.valid) {
+                            throw new Error(validation.errors.map((error) => error.message).join("\n\n"));
+                        }
+                        writePage(parsedArgs.path, parsedArgs.content);
+                        // Rebuild from disk so the index summary/tags/updated reflect the actual page.
+                        const today = new Date().toISOString().slice(0, 10);
+                        const rebuilt = buildIndexEntryForPage(parsedArgs.path, {
+                            section: parsedArgs.section || "Knowledge",
                             updated: today,
                         });
-                    }
-                    appendLog("update", `wiki_update: ${indexSafe(args.title)} (${args.path})`);
-                    return `Wiki page updated: ${args.title} (${args.path})`;
-                });
+                        if (rebuilt) {
+                            rebuilt.section = parsedArgs.section || "Knowledge";
+                            addToIndex(rebuilt);
+                        }
+                        else {
+                            addToIndex({
+                                path: parsedArgs.path,
+                                title: parsedArgs.title,
+                                summary: indexSafe(parsedArgs.summary).slice(0, 160),
+                                section: parsedArgs.section || "Knowledge",
+                                updated: today,
+                            });
+                        }
+                        appendLog("update", `wiki_update: ${indexSafe(parsedArgs.title)} (${parsedArgs.path})`);
+                        return `Wiki page updated: ${parsedArgs.title} (${parsedArgs.path})`;
+                    });
+                }
+                catch (err) {
+                    const error = sanitizeWikiUpdateError(err);
+                    log.error({ err: err instanceof Error ? err.message : err, path: typeof args?.path === "string" ? args.path : undefined }, "wiki_update failed");
+                    return { error };
+                }
             },
         }),
         defineTool("wiki_ingest", {

package/dist/copilot/tools.wiki.test.js

@@ -23,7 +23,7 @@ test.afterEach(async () => {
         rmSync(home, { recursive: true, force: true });
     }
 });
-test("wiki_update rejects content without required frontmatter", async () => {
+test("wiki_update returns validation errors instead of throwing for invalid frontmatter", async () => {
     const toolsModule = await loadToolsModule();
     const tools = toolsModule.createTools({
         client: { async listModels() { return []; } },
@@ -31,14 +31,19 @@ test("wiki_update rejects content without required frontmatter", async () => {
     });
     const tool = tools.find((entry) => entry.name === "wiki_update");
     assert.ok(tool);
-    await assert.rejects(tool.handler({
+    const result = await tool.handler({
         path: "pages/shared/chapterhouse.md",
         title: "Chapterhouse",
         summary: "Runtime notes",
         content: "# Chapterhouse\n\nRuntime notes.\n",
-    }), /Wiki page frontmatter violates the required shape/i);
+    });
+    assert.deepEqual(result, {
+        error: "Wiki page frontmatter violates the required shape: missing YAML frontmatter. Use:\n---\ntitle: <title>\nsummary: <plain-text one-line summary, max 200 chars>\nupdated: YYYY-MM-DD\ntags: []\nrelated: []\n---",
+    });
+    const wikiFs = await readWikiArtifacts();
+    assert.equal(wikiFs.readPage("pages/shared/chapterhouse.md"), undefined);
 });
-test("wiki_update rejects malformed summaries and unknown tags", async () => {
+test("wiki_update returns descriptive validation errors for malformed summaries and unknown tags", async () => {
     const toolsModule = await loadToolsModule();
     const tools = toolsModule.createTools({
         client: { async listModels() { return []; } },
@@ -46,7 +51,7 @@ test("wiki_update rejects malformed summaries and unknown tags", async () => {
     });
     const tool = tools.find((entry) => entry.name === "wiki_update");
     assert.ok(tool);
-    await assert.rejects(tool.handler({
+    const result = await tool.handler({
         path: "pages/shared/chapterhouse.md",
         title: "Chapterhouse",
         summary: "Runtime notes",
@@ -60,7 +65,11 @@ tags: [engineering, made-up-tag]
 
 Runtime notes.
 `,
-    }), /Add it to `pages\/_meta\/taxonomy\.md` first\./);
+    });
+    assert.equal(typeof result, "object");
+    assert.match(result.error, /invalid 'summary'/i);
+    assert.match(result.error, /unknown tag 'made-up-tag'/i);
+    assert.match(result.error, /pages\/_meta\/taxonomy\.md/);
 });
 test("wiki_update accepts valid frontmatter and refreshes the index entry", async () => {
     const toolsModule = await loadToolsModule();

package/dist/setup.js

@@ -103,13 +103,16 @@ function upsertEnvLines(lines, updates) {
 function hasTokenEnv() {
     return Boolean(process.env.GITHUB_TOKEN?.trim() || process.env.COPILOT_TOKEN?.trim());
 }
-function hasGhAuth() {
+function getGhAuthStatus() {
     try {
-        execFileSync("gh", ["auth", "status"], { stdio: "ignore" });
-        return true;
+        const output = execFileSync("gh", ["auth", "status"], {
+            encoding: "utf-8",
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        return output.trim();
     }
     catch {
-        return false;
+        return null;
     }
 }
 async function showWikiLocation(rl) {
@@ -143,12 +146,19 @@ ${BOLD}╔═══════════════════════
         await ask(rl, `${DIM}Press Enter to continue...${RESET}`);
         console.log();
         if (mode === "personal") {
-            if (!hasTokenEnv() && !hasGhAuth()) {
+            const ghAuthStatus = hasTokenEnv() ? null : getGhAuthStatus();
+            if (!hasTokenEnv() && !ghAuthStatus) {
                 console.log(`${YELLOW}GitHub authentication is required before setup can continue.${RESET}`);
                 console.log("Run `gh auth login` to authenticate with GitHub, then re-run setup.");
                 console.log(`${DIM}If you already manage credentials via environment, set GITHUB_TOKEN or COPILOT_TOKEN before running setup.${RESET}`);
                 return;
             }
+            if (ghAuthStatus) {
+                console.log(`${BOLD}GitHub CLI auth status${RESET}`);
+                console.log(`${DIM}Verified with gh auth status:${RESET}`);
+                console.log(ghAuthStatus);
+                console.log();
+            }
             console.log();
             await showWikiLocation(rl);
         }

package/dist/setup.test.js

@@ -3,6 +3,7 @@ import test from "node:test";
 async function runSetupScript(t, options = {}) {
     const output = [];
     const prompts = [];
+    const ghAuthInvocations = [];
     let writtenConfig = "";
     const answers = [...(options.answers ?? [])];
     t.mock.module("node:readline", {
@@ -40,11 +41,12 @@ async function runSetupScript(t, options = {}) {
     });
     t.mock.module("node:child_process", {
         namedExports: {
-            execFileSync: () => {
+            execFileSync: (command, args) => {
+                ghAuthInvocations.push({ command, args });
                 if (options.ghAuthStatus === "unauthenticated") {
                     throw new Error("gh auth status failed");
                 }
-                return Buffer.from("github.com\n  ✓ Logged in");
+                return "github.com\n  ✓ Logged in";
             },
         },
     });
@@ -83,9 +85,10 @@ async function runSetupScript(t, options = {}) {
     finally {
         process.env = priorEnv;
     }
-    return { output, prompts, writtenConfig };
+    return { output, prompts, writtenConfig, ghAuthInvocations };
 }
 test("personal setup uses existing gh auth and never prompts for tokens", async (t) => {
+    // Security: the wizard must not ask users to paste long-lived credentials into an interactive prompt.
     const result = await runSetupScript(t, {
         env: { CHAPTERHOUSE_MODE: "personal" },
         answers: ["", "", "1"],
@@ -98,7 +101,20 @@ test("personal setup uses existing gh auth and never prompts for tokens", async
     assert.match(result.writtenConfig, /^COPILOT_MODEL=claude-sonnet-4\.6$/m);
     assert.doesNotMatch(result.writtenConfig, /^GITHUB_TOKEN=/m);
 });
+test("personal setup checks gh auth status and surfaces the authenticated result", async (t) => {
+    // Security: showing CLI auth state keeps credentials in GitHub CLI instead of training users to paste tokens into Chapterhouse.
+    const result = await runSetupScript(t, {
+        env: { CHAPTERHOUSE_MODE: "personal" },
+        answers: ["", "", "1"],
+        ghAuthStatus: "authenticated",
+    });
+    assert.deepEqual(result.ghAuthInvocations, [{ command: "gh", args: ["auth", "status"] }]);
+    assert.match(result.output.join("\n"), /gh auth status/i);
+    assert.match(result.output.join("\n"), /Logged in/i);
+    assert.doesNotMatch(result.prompts.join("\n"), /token/i);
+});
 test("personal setup accepts env var tokens silently without prompting", async (t) => {
+    // Security: pre-configured environment credentials should be honored without re-exposing them through setup prompts.
     const result = await runSetupScript(t, {
         env: { CHAPTERHOUSE_MODE: "personal", GITHUB_TOKEN: "ghp_env_token" },
         answers: ["", "", "1"],
@@ -110,6 +126,7 @@ test("personal setup accepts env var tokens silently without prompting", async (
     assert.doesNotMatch(result.writtenConfig, /^GITHUB_TOKEN=/m);
 });
 test("personal setup instructs users to run gh auth login when not authenticated", async (t) => {
+    // Security: failed auth should route users to GitHub CLI login flow, not to an unsafe token entry screen.
     const result = await runSetupScript(t, {
         env: { CHAPTERHOUSE_MODE: "personal" },
         answers: [""],

package/dist/sprint-merge.js

@@ -0,0 +1,168 @@
+#!/usr/bin/env node
+import { execFileSync } from "node:child_process";
+import { fileURLToPath } from "node:url";
+import { resolve } from "node:path";
+export const USAGE = `Usage:\n  ./scripts/merge-sprint.sh [--dry-run|-n] <pr> [pr...]\n\nExamples:\n  ./scripts/merge-sprint.sh 264 265 266\n  ./scripts/merge-sprint.sh --dry-run 264 265 266\n  ./scripts/merge-sprint.sh -n 264 265 266`;
+function isHelpFlag(arg) {
+    return arg === "--help" || arg === "-h";
+}
+function isDryRunFlag(arg) {
+    return arg === "--dry-run" || arg === "-n";
+}
+function formatDryRunLine(description, command, args) {
+    return `[DRY RUN] ${description}: ${commandText(command, args)}`;
+}
+function defaultRunner(command, args) {
+    return execFileSync(command, args, {
+        encoding: "utf8",
+        stdio: ["ignore", "pipe", "pipe"],
+    }).trim();
+}
+function commandText(command, args) {
+    return [command, ...args].join(" ");
+}
+function parsePrNumber(value) {
+    const pr = Number.parseInt(value, 10);
+    if (!Number.isInteger(pr) || pr <= 0) {
+        throw new Error(`Invalid PR number: ${value}\n${USAGE}`);
+    }
+    return pr;
+}
+export function parseSprintMergeArgs(argv) {
+    let dryRun = false;
+    const prArgs = [];
+    for (const arg of argv) {
+        if (isHelpFlag(arg)) {
+            throw new Error(USAGE);
+        }
+        if (isDryRunFlag(arg)) {
+            dryRun = true;
+            continue;
+        }
+        prArgs.push(arg);
+    }
+    if (prArgs.length === 0) {
+        throw new Error(USAGE);
+    }
+    return {
+        dryRun,
+        prs: prArgs.map(parsePrNumber),
+    };
+}
+function parsePrStatus(raw) {
+    const parsed = JSON.parse(raw);
+    return {
+        state: parsed.state ?? "UNKNOWN",
+        mergeable: parsed.mergeable ?? "UNKNOWN",
+        reviewDecision: parsed.reviewDecision ?? null,
+    };
+}
+function formatError(error) {
+    if (error instanceof Error) {
+        return error.message;
+    }
+    return String(error);
+}
+export async function runSprintMerge(prs, options = {}) {
+    const runner = options.runner ?? defaultRunner;
+    const dryRun = options.dryRun ?? false;
+    const lines = [];
+    if (dryRun) {
+        lines.push(`[DRY RUN] Merge order: ${prs.map((pr) => `#${pr}`).join(" -> ")}`);
+        for (let index = 0; index < prs.length; index += 1) {
+            const pr = prs[index];
+            const remaining = prs.slice(index + 1);
+            let status;
+            try {
+                const raw = runner("gh", ["pr", "view", String(pr), "--json", "state,mergeable,reviewDecision"]);
+                status = parsePrStatus(raw);
+            }
+            catch (error) {
+                lines.push(`[DRY RUN] PR #${pr}: fetch failed ❌ — ${formatError(error)}`);
+                continue;
+            }
+            const ok = status.state === "OPEN" && status.mergeable === "MERGEABLE";
+            const statePart = status.state === "OPEN"
+                ? `OPEN, mergeable: ${status.mergeable}`
+                : status.state;
+            const reviewPart = status.reviewDecision ? `, reviewDecision: ${status.reviewDecision}` : "";
+            const suffix = ok ? " ✅" : " ❌ — would be skipped";
+            lines.push(`[DRY RUN] PR #${pr}: ${statePart}${reviewPart}${suffix}`);
+            if (!ok)
+                continue;
+            lines.push(formatDryRunLine(`Would merge #${pr} with`, "gh", ["pr", "merge", String(pr), "--squash"]));
+            lines.push(formatDryRunLine("Would fetch origin/main with", "git", ["fetch", "origin", "main"]));
+            for (const nextPr of remaining) {
+                lines.push(formatDryRunLine(`Would refresh #${nextPr} with`, "gh", ["pr", "update-branch", String(nextPr)]));
+            }
+        }
+        return lines;
+    }
+    for (let index = 0; index < prs.length; index += 1) {
+        const pr = prs[index];
+        const remaining = prs.slice(index + 1);
+        lines.push(`Processing #${pr}...`);
+        try {
+            const status = parsePrStatus(runner("gh", ["pr", "view", String(pr), "--json", "state,mergeable,reviewDecision"]));
+            lines.push(`  Status #${pr}: state=${status.state}, mergeable=${status.mergeable}, reviewDecision=${status.reviewDecision ?? "NONE"}`);
+            if (status.state !== "OPEN" || status.mergeable !== "MERGEABLE") {
+                lines.push(`Skipped #${pr}: mergeable=${status.mergeable}, state=${status.state}`);
+                continue;
+            }
+            runner("gh", ["pr", "merge", String(pr), "--squash"]);
+            lines.push(`Merged #${pr}.`);
+        }
+        catch (error) {
+            lines.push(`Failed #${pr}: ${formatError(error)}`);
+            continue;
+        }
+        try {
+            runner("git", ["fetch", "origin", "main"]);
+            lines.push("  Fetched origin/main (remote tracking ref updated, local branch untouched).");
+        }
+        catch (error) {
+            lines.push(`  Failed to sync local main after #${pr}: ${formatError(error)}`);
+        }
+        for (const nextPr of remaining) {
+            try {
+                runner("gh", ["pr", "update-branch", String(nextPr)]);
+                lines.push(`  Refreshed #${nextPr}.`);
+            }
+            catch (error) {
+                lines.push(`  Failed to refresh #${nextPr}: ${formatError(error)}`);
+            }
+        }
+        lines.push(`Done #${pr}.`);
+    }
+    return lines;
+}
+export async function main(argv = process.argv.slice(2)) {
+    if (argv.some(isHelpFlag)) {
+        console.log(USAGE);
+        return 0;
+    }
+    let args;
+    try {
+        args = parseSprintMergeArgs(argv);
+    }
+    catch (error) {
+        console.error(formatError(error));
+        return 1;
+    }
+    const lines = await runSprintMerge(args.prs, { dryRun: args.dryRun });
+    for (const line of lines) {
+        console.log(line);
+    }
+    return 0;
+}
+const invokedPath = process.argv[1] ? resolve(process.argv[1]) : "";
+const modulePath = fileURLToPath(import.meta.url);
+if (invokedPath === modulePath) {
+    main().then((code) => {
+        process.exitCode = code;
+    }).catch((error) => {
+        console.error(formatError(error));
+        process.exitCode = 1;
+    });
+}
+//# sourceMappingURL=sprint-merge.js.map