clean-room-skill 0.1.12 → 0.1.13

package/lib/install-artifacts.cjs

@@ -7,6 +7,7 @@ const {
   listFiles,
   readJsonFile,
 } = require('./fs-utils.cjs');
+const { OPENCODE_PLUGIN_MARKER } = require('./hooks.cjs');
 const { resolveRuntimeLayout } = require('./runtime-layout.cjs');
 
 const PACKAGE_ROOT = path.resolve(__dirname, '..');
@@ -104,6 +105,168 @@ function generatePluginManifest() {
   return `${JSON.stringify(manifest, null, 2)}\n`;
 }
 
+function generateOpenCodePlugin(layout, hookMode) {
+  const wrapperPath = path.join(layout.targetRoot, 'hooks', 'clean-room', 'clean-room-hook.py');
+  const mode = hookMode === 'strict' ? 'strict' : 'safe';
+  return `import { spawn } from "node:child_process"
+
+const CLEAN_ROOM_OPENCODE_PLUGIN_MARKER = ${JSON.stringify(OPENCODE_PLUGIN_MARKER)}
+const CLEAN_ROOM_HOOK_MODE = ${JSON.stringify(mode)}
+const CLEAN_ROOM_HOOK_WRAPPER = ${JSON.stringify(wrapperPath)}
+const CLEAN_ROOM_HOOK_PYTHON = process.env.CLEAN_ROOM_HOOK_PYTHON || "python3"
+const CLEAN_ROOM_HOOK_TIMEOUT_MS = 30_000
+const MAX_HOOK_OUTPUT_CHARS = 256 * 1024
+
+const CHECKS = {
+  shell: ["require-clean-room-env.py", "deny-clean-room-shell.py"],
+  read: ["require-clean-room-env.py", "deny-clean-source-read.py"],
+  write: ["require-clean-room-env.py", "deny-contaminated-clean-write.py"],
+  postWrite: [
+    "require-clean-room-env.py",
+    "check-artifact-leakage.py",
+    "validate-json-schema.py",
+    "validate-handoff-package.py",
+  ],
+}
+
+const SHELL_TOOLS = new Set([
+  "bash",
+  "shell",
+  "powershell",
+  "terminal",
+  "exec_command",
+  "shell_command",
+  "writestdin",
+  "write_stdin",
+])
+
+const READ_TOOLS = new Set([
+  "read",
+  "glob",
+  "grep",
+  "list",
+  "ls",
+  "lsp",
+  "notebookread",
+  "viewimage",
+  "view_image",
+])
+
+const DIRECTORY_READ_TOOLS = new Set(["glob", "grep", "list", "ls", "lsp"])
+const WRITE_TOOLS = new Set(["write", "edit", "multiedit", "notebookedit", "applypatch", "apply_patch"])
+const PATH_KEYS = ["file_path", "filePath", "path", "notebook_path", "notebookPath"]
+
+function normalizeTool(tool) {
+  return String(tool || "").toLowerCase().replace(/[^a-z0-9_]/g, "")
+}
+
+function objectArgs(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return {}
+  return { ...value }
+}
+
+function cwdFor(args, directory, worktree) {
+  if (typeof args.cwd === "string" && args.cwd) return args.cwd
+  if (typeof directory === "string" && directory) return directory
+  if (typeof worktree === "string" && worktree) return worktree
+  return process.cwd()
+}
+
+function withDirectoryFallbackPath(tool, args, cwd) {
+  if (!DIRECTORY_READ_TOOLS.has(tool)) return args
+  if (PATH_KEYS.some((key) => typeof args[key] === "string" && args[key])) return args
+  return { ...args, path: cwd }
+}
+
+function hookPayload(input, args, directory, worktree) {
+  const tool = input?.tool
+  const normalized = normalizeTool(tool)
+  const cwd = cwdFor(args, directory, worktree)
+  return {
+    tool_name: tool,
+    tool,
+    tool_input: withDirectoryFallbackPath(normalized, args, cwd),
+    cwd,
+    opencode: {
+      sessionID: input?.sessionID,
+      callID: input?.callID,
+    },
+  }
+}
+
+function hookArgs(checks) {
+  const args = [CLEAN_ROOM_HOOK_WRAPPER, "--mode", CLEAN_ROOM_HOOK_MODE]
+  for (const check of checks) args.push("--check", check)
+  return args
+}
+
+function appendBounded(current, chunk) {
+  if (current.length >= MAX_HOOK_OUTPUT_CHARS) return current
+  return (current + String(chunk)).slice(0, MAX_HOOK_OUTPUT_CHARS)
+}
+
+function runHook(label, checks, payload) {
+  return new Promise((resolve, reject) => {
+    const child = spawn(CLEAN_ROOM_HOOK_PYTHON, hookArgs(checks), {
+      env: process.env,
+      shell: false,
+      stdio: ["pipe", "pipe", "pipe"],
+    })
+    let stdout = ""
+    let stderr = ""
+    let settled = false
+    const timer = setTimeout(() => {
+      settled = true
+      child.kill("SIGTERM")
+      reject(new Error(\`clean-room \${label} hook timed out after \${CLEAN_ROOM_HOOK_TIMEOUT_MS}ms\`))
+    }, CLEAN_ROOM_HOOK_TIMEOUT_MS)
+    child.stdout.on("data", (chunk) => {
+      stdout = appendBounded(stdout, chunk)
+    })
+    child.stderr.on("data", (chunk) => {
+      stderr = appendBounded(stderr, chunk)
+    })
+    child.on("error", (error) => {
+      if (settled) return
+      settled = true
+      clearTimeout(timer)
+      reject(error)
+    })
+    child.on("close", (status, signal) => {
+      if (settled) return
+      settled = true
+      clearTimeout(timer)
+      if (status === 0) {
+        resolve()
+        return
+      }
+      const detail = (stderr || stdout || \`status \${status}\${signal ? \`, signal \${signal}\` : ""}\`).trim()
+      reject(new Error(\`clean-room \${label} hook denied tool use: \${detail}\`))
+    })
+    child.stdin.end(JSON.stringify(payload))
+  })
+}
+
+export const CleanRoomPlugin = async ({ directory, worktree }) => {
+  return {
+    "tool.execute.before": async (input, output) => {
+      const tool = normalizeTool(input?.tool)
+      const payload = hookPayload(input, objectArgs(output?.args), directory, worktree)
+      if (SHELL_TOOLS.has(tool)) await runHook("shell", CHECKS.shell, payload)
+      if (READ_TOOLS.has(tool)) await runHook("read", CHECKS.read, payload)
+      if (WRITE_TOOLS.has(tool)) await runHook("write", CHECKS.write, payload)
+    },
+    "tool.execute.after": async (input) => {
+      const tool = normalizeTool(input?.tool)
+      if (!WRITE_TOOLS.has(tool)) return
+      const payload = hookPayload(input, objectArgs(input?.args), directory, worktree)
+      await runHook("post-write", CHECKS.postWrite, payload)
+    },
+  }
+}
+`;
+}
+
 function addCommandWrappers(desired, artifact) {
   const skillsRoot = path.join(PACKAGE_ROOT, artifact.source);
   const entries = fs.readdirSync(skillsRoot, { withFileTypes: true });
@@ -117,7 +280,15 @@ function addCommandWrappers(desired, artifact) {
   }
 }
 
-function addArtifact(desired, artifact) {
+function shouldInstallArtifact(artifact, hookMode) {
+  if (!Array.isArray(artifact.hookModes)) return true;
+  return artifact.hookModes.includes(hookMode);
+}
+
+function addArtifact(desired, artifact, layout, hookMode) {
+  if (!shouldInstallArtifact(artifact, hookMode)) {
+    return;
+  }
   if (artifact.kind === 'skills' || artifact.kind === 'agents') {
     addTree(desired, artifact.source, artifact.destSubpath);
     return;
@@ -136,6 +307,10 @@ function addArtifact(desired, artifact) {
     desired.set(artifact.destSubpath, Buffer.from(generatePluginManifest(), 'utf8'));
     return;
   }
+  if (artifact.kind === 'opencode-plugin') {
+    desired.set(artifact.destSubpath, Buffer.from(generateOpenCodePlugin(layout, hookMode), 'utf8'));
+    return;
+  }
   throw new Error(`unsupported artifact kind: ${artifact.kind}`);
 }
 
@@ -147,12 +322,11 @@ function layoutFromInput(runtimeOrLayout, scope, configDir) {
 }
 
 function buildDesiredFiles(runtimeOrLayout, hookMode, scope = 'global', configDir = null) {
-  // Retained for callers that still pass the install hook mode.
-  void hookMode;
+  hookMode = hookMode || 'safe';
   const layout = layoutFromInput(runtimeOrLayout, scope, configDir);
   const desired = new Map();
   for (const artifact of layout.artifacts) {
-    addArtifact(desired, artifact);
+    addArtifact(desired, artifact, layout, hookMode);
   }
   return desired;
 }

package/lib/install-claude-plugin.cjs

@@ -0,0 +1,374 @@
+'use strict';
+
+const fs = require('node:fs');
+const path = require('node:path');
+const { spawnSync } = require('node:child_process');
+
+const { packageVersion } = require('./install-artifacts.cjs');
+
+const CLAUDE_PLUGIN_TIMEOUT_MS = envPositiveInteger('CLEAN_ROOM_INSTALL_CLAUDE_PLUGIN_TIMEOUT_MS', 120_000);
+const CLAUDE_EXECUTABLE_ENV = 'CLEAN_ROOM_CLAUDE_EXECUTABLE';
+const CLAUDE_PLUGIN_MARKETPLACE_NAME = 'clean-room-skill';
+const CLAUDE_PLUGIN_NAME = 'clean-room';
+const CLAUDE_PLUGIN_ID = `${CLAUDE_PLUGIN_NAME}@${CLAUDE_PLUGIN_MARKETPLACE_NAME}`;
+const CLAUDE_PLUGIN_SOURCE_URL = 'https://github.com/whit3rabbit/clean-room-skill.git';
+const CLAUDE_PLUGIN_SCOPE = 'user';
+
+function envPositiveInteger(name, fallback) {
+  const value = process.env[name];
+  if (value === undefined || value === '') {
+    return fallback;
+  }
+  return /^[1-9][0-9]*$/.test(value) ? Number(value) : fallback;
+}
+
+function usesClaudeGlobalPlugin(layout) {
+  return layout.runtime === 'claude' && layout.scope === 'global';
+}
+
+function claudePluginSource() {
+  return `${CLAUDE_PLUGIN_SOURCE_URL}#v${packageVersion()}`;
+}
+
+function truncateCommandOutput(value) {
+  const text = String(value || '').trim();
+  if (text.length <= 2000) return text;
+  return `${text.slice(0, 2000)}...`;
+}
+
+function pathIsUnder(candidate, root) {
+  return candidate === root || candidate.startsWith(`${root}${path.sep}`);
+}
+
+function currentWorkingRoots() {
+  const cwd = path.resolve(process.cwd());
+  const roots = [cwd];
+  try {
+    const real = fs.realpathSync.native(cwd);
+    if (!roots.includes(real)) roots.push(real);
+  } catch {
+    // Keep the resolved cwd as the policy root if realpath is unavailable.
+  }
+  return roots;
+}
+
+function pathIsUnderAny(candidate, roots) {
+  return roots.some((root) => pathIsUnder(candidate, root));
+}
+
+function pathContainsNodeModulesBin(candidate) {
+  const parts = path.resolve(candidate).split(path.sep);
+  for (let i = 0; i < parts.length - 1; i += 1) {
+    if (parts[i] === 'node_modules' && parts[i + 1] === '.bin') return true;
+  }
+  return false;
+}
+
+function unsafeClaudeExecutableReason(filePath, label) {
+  if (!filePath || typeof filePath !== 'string' || !path.isAbsolute(filePath)) {
+    return `${label} must be an absolute path`;
+  }
+  const resolved = path.resolve(filePath);
+  const cwdRoots = currentWorkingRoots();
+  if (pathIsUnderAny(resolved, cwdRoots)) {
+    return `${label} must not be under the current working directory`;
+  }
+  if (pathContainsNodeModulesBin(resolved)) {
+    return `${label} must not be under node_modules/.bin`;
+  }
+  let real;
+  try {
+    real = fs.realpathSync.native(resolved);
+  } catch {
+    return `${label} must resolve to an executable file`;
+  }
+  if (pathIsUnderAny(real, cwdRoots)) {
+    return `${label} target must not be under the current working directory`;
+  }
+  if (pathContainsNodeModulesBin(real)) {
+    return `${label} target must not be under node_modules/.bin`;
+  }
+  try {
+    const stat = fs.statSync(real);
+    fs.accessSync(real, fs.constants.X_OK);
+    if (!stat.isFile()) {
+      return `${label} must be an executable regular file`;
+    }
+  } catch {
+    return `${label} must be an executable regular file`;
+  }
+  return null;
+}
+
+function assertClaudeExecutable(filePath, label) {
+  const reason = unsafeClaudeExecutableReason(filePath, label);
+  if (reason) throw new Error(reason);
+  return path.resolve(filePath);
+}
+
+function sanitizedPathEntriesForClaude(value) {
+  const entries = String(value || '').split(path.delimiter).filter(Boolean);
+  const cwdRoots = currentWorkingRoots();
+  const seen = new Set();
+  return entries.filter((entry) => {
+    if (!path.isAbsolute(entry)) return false;
+    const normalized = path.resolve(entry);
+    if (pathIsUnderAny(normalized, cwdRoots)) return false;
+    try {
+      if (pathIsUnderAny(fs.realpathSync.native(normalized), cwdRoots)) return false;
+    } catch {
+      // Nonexistent PATH entries cannot provide claude; leave candidate validation to fail later.
+    }
+    if (pathContainsNodeModulesBin(normalized)) return false;
+    if (seen.has(normalized)) return false;
+    seen.add(normalized);
+    return true;
+  });
+}
+
+function sanitizePathForClaude(value) {
+  return sanitizedPathEntriesForClaude(value).join(path.delimiter);
+}
+
+function resolveClaudeExecutable() {
+  const configuredExecutable = process.env[CLAUDE_EXECUTABLE_ENV];
+  const searchPath = sanitizePathForClaude(process.env.PATH);
+  if (configuredExecutable) {
+    return {
+      executable: assertClaudeExecutable(configuredExecutable, CLAUDE_EXECUTABLE_ENV),
+      searchPath,
+    };
+  }
+
+  const entries = sanitizedPathEntriesForClaude(process.env.PATH);
+  if (entries.length === 0) {
+    throw new Error(`Claude plugin command requires ${CLAUDE_EXECUTABLE_ENV} or a non-empty sanitized PATH`);
+  }
+
+  const candidates = [];
+  const seenCandidates = new Set();
+  for (const entry of entries) {
+    const candidate = path.join(entry, 'claude');
+    if (unsafeClaudeExecutableReason(candidate, 'Claude executable')) continue;
+    const resolved = path.resolve(candidate);
+    let realCandidate;
+    try {
+      realCandidate = fs.realpathSync.native(resolved);
+    } catch {
+      continue;
+    }
+    if (seenCandidates.has(realCandidate)) continue;
+    seenCandidates.add(realCandidate);
+    candidates.push(resolved);
+  }
+
+  if (candidates.length === 1) {
+    return { executable: candidates[0], searchPath };
+  }
+  if (candidates.length > 1) {
+    throw new Error(`Claude plugin command found multiple claude executables on sanitized PATH; set ${CLAUDE_EXECUTABLE_ENV} to the intended absolute executable`);
+  }
+  throw new Error(`Claude plugin command requires ${CLAUDE_EXECUTABLE_ENV} or a claude executable on sanitized PATH`);
+}
+
+function claudePluginEnv(layout, searchPath) {
+  return {
+    ...process.env,
+    PATH: searchPath,
+    CLAUDE_CONFIG_DIR: layout.targetRoot,
+  };
+}
+
+function claudeCommandLabel(command, args) {
+  return [command, ...args].join(' ');
+}
+
+function claudePluginCommandFailure(command, args, result) {
+  const parts = [`Claude plugin command failed: ${claudeCommandLabel(command, args)}`];
+  if (result.error) {
+    parts.push(result.error.message);
+  }
+  if (result.status !== null && result.status !== undefined) {
+    parts.push(`status ${result.status}`);
+  }
+  if (result.signal) {
+    parts.push(`signal ${result.signal}`);
+  }
+  const stdout = truncateCommandOutput(result.stdout);
+  const stderr = truncateCommandOutput(result.stderr);
+  if (stdout) parts.push(`stdout: ${stdout}`);
+  if (stderr) parts.push(`stderr: ${stderr}`);
+  return parts.join('; ');
+}
+
+function runClaudePluginCommand(layout, args, options = {}) {
+  const { executable: claudeExecutable, searchPath } = resolveClaudeExecutable();
+  const result = spawnSync(claudeExecutable, args, {
+    encoding: 'utf8',
+    env: claudePluginEnv(layout, searchPath),
+    stdio: ['ignore', 'pipe', 'pipe'],
+    timeout: CLAUDE_PLUGIN_TIMEOUT_MS,
+  });
+  result.command = claudeExecutable;
+  if (result.error || result.status !== 0) {
+    throw new Error(claudePluginCommandFailure(claudeExecutable, args, result));
+  }
+  if (!options.silent) {
+    if (result.stdout) process.stdout.write(result.stdout);
+    if (result.stderr) process.stderr.write(result.stderr);
+  }
+  return result;
+}
+
+function readClaudePluginJson(layout, args) {
+  const result = runClaudePluginCommand(layout, args, { silent: true });
+  try {
+    const parsed = JSON.parse(result.stdout || '[]');
+    return Array.isArray(parsed) ? parsed : [];
+  } catch (err) {
+    throw new Error(
+      `Claude plugin command returned invalid JSON: ${claudeCommandLabel(result.command || 'claude', args)}; ` +
+      `stdout: ${truncateCommandOutput(result.stdout)}; ${err.message}`
+    );
+  }
+}
+
+function claudeMarketplaceExists(layout) {
+  return readClaudePluginJson(layout, ['plugin', 'marketplace', 'list', '--json'])
+    .some((entry) => entry && entry.name === CLAUDE_PLUGIN_MARKETPLACE_NAME);
+}
+
+function claudePluginEntry(layout) {
+  return readClaudePluginJson(layout, ['plugin', 'list', '--json'])
+    .find((entry) => entry && entry.id === CLAUDE_PLUGIN_ID) || null;
+}
+
+function claudePluginExists(layout) {
+  return Boolean(claudePluginEntry(layout));
+}
+
+function claudePluginMetadata(manifest, state = {}) {
+  const previous = manifest?.claude_plugin || {};
+  const metadata = {
+    plugin_id: CLAUDE_PLUGIN_ID,
+    plugin_name: CLAUDE_PLUGIN_NAME,
+    marketplace_name: CLAUDE_PLUGIN_MARKETPLACE_NAME,
+    source_url: CLAUDE_PLUGIN_SOURCE_URL,
+    source: claudePluginSource(),
+    scope: CLAUDE_PLUGIN_SCOPE,
+    version: packageVersion(),
+    marketplace_added_by_installer: previous.marketplace_added_by_installer === true ||
+      state.marketplaceAdded === true,
+    plugin_installed_by_installer: previous.plugin_installed_by_installer === true ||
+      state.pluginInstalled === true,
+    recorded_at: new Date().toISOString(),
+  };
+  if (state.installPath || previous.install_path) {
+    metadata.install_path = state.installPath || previous.install_path;
+  }
+  return metadata;
+}
+
+function ensureClaudeGlobalPlugin(layout, manifest, options, action) {
+  if (!usesClaudeGlobalPlugin(layout)) return null;
+
+  const source = claudePluginSource();
+  if (options.dryRun) {
+    const marketplaceVerb = action === 'update' ? 'refresh' : 'add';
+    const pluginVerb = action === 'update' ? 'update or install' : 'install';
+    console.log(`  Claude plugin marketplace: would ${marketplaceVerb} ${source}`);
+    console.log(`  Claude plugin: would ${pluginVerb} ${CLAUDE_PLUGIN_ID}`);
+    return claudePluginMetadata(manifest);
+  }
+
+  const marketplaceWasPresent = claudeMarketplaceExists(layout);
+  console.log(`  Claude plugin marketplace: ${source}`);
+  runClaudePluginCommand(layout, [
+    'plugin',
+    'marketplace',
+    'add',
+    source,
+    '--scope',
+    CLAUDE_PLUGIN_SCOPE,
+  ]);
+
+  const pluginBefore = claudePluginEntry(layout);
+  const pluginWasPresent = Boolean(pluginBefore);
+  if (action === 'update' && pluginWasPresent) {
+    console.log(`  Claude plugin: updating ${CLAUDE_PLUGIN_ID}`);
+    runClaudePluginCommand(layout, ['plugin', 'update', CLAUDE_PLUGIN_ID]);
+  } else if (!pluginWasPresent) {
+    console.log(`  Claude plugin: installing ${CLAUDE_PLUGIN_ID}`);
+    runClaudePluginCommand(layout, [
+      'plugin',
+      'install',
+      CLAUDE_PLUGIN_ID,
+      '--scope',
+      CLAUDE_PLUGIN_SCOPE,
+    ]);
+  } else {
+    console.log(`  Claude plugin: already installed ${CLAUDE_PLUGIN_ID}`);
+  }
+
+  const pluginAfter = claudePluginEntry(layout) || pluginBefore;
+  return claudePluginMetadata(manifest, {
+    marketplaceAdded: !marketplaceWasPresent,
+    pluginInstalled: !pluginWasPresent,
+    installPath: pluginAfter?.installPath,
+  });
+}
+
+function removeClaudeGlobalPlugin(layout, manifest, options) {
+  if (!usesClaudeGlobalPlugin(layout)) return;
+  const plugin = manifest?.claude_plugin;
+  if (!plugin) return;
+
+  if (options.dryRun) {
+    if (plugin.plugin_installed_by_installer) {
+      console.log(`  Claude plugin: would uninstall ${plugin.plugin_id || CLAUDE_PLUGIN_ID}`);
+    }
+    if (plugin.marketplace_added_by_installer) {
+      console.log(`  Claude plugin marketplace: would remove ${plugin.marketplace_name || CLAUDE_PLUGIN_MARKETPLACE_NAME}`);
+    }
+    return;
+  }
+
+  if (plugin.plugin_installed_by_installer) {
+    const pluginId = plugin.plugin_id || CLAUDE_PLUGIN_ID;
+    if (claudePluginExists(layout)) {
+      console.log(`  Claude plugin: uninstalling ${pluginId}`);
+      runClaudePluginCommand(layout, ['plugin', 'uninstall', pluginId]);
+    } else {
+      console.log(`  Claude plugin: already absent ${pluginId}`);
+    }
+  }
+
+  if (plugin.marketplace_added_by_installer) {
+    const marketplaceName = plugin.marketplace_name || CLAUDE_PLUGIN_MARKETPLACE_NAME;
+    if (claudeMarketplaceExists(layout)) {
+      console.log(`  Claude plugin marketplace: removing ${marketplaceName}`);
+      runClaudePluginCommand(layout, ['plugin', 'marketplace', 'remove', marketplaceName]);
+    } else {
+      console.log(`  Claude plugin marketplace: already absent ${marketplaceName}`);
+    }
+  }
+}
+
+module.exports = {
+  CLAUDE_EXECUTABLE_ENV,
+  CLAUDE_PLUGIN_ID,
+  CLAUDE_PLUGIN_MARKETPLACE_NAME,
+  CLAUDE_PLUGIN_NAME,
+  CLAUDE_PLUGIN_SCOPE,
+  CLAUDE_PLUGIN_SOURCE_URL,
+  assertClaudeExecutable,
+  claudePluginSource,
+  ensureClaudeGlobalPlugin,
+  pathContainsNodeModulesBin,
+  removeClaudeGlobalPlugin,
+  resolveClaudeExecutable,
+  sanitizedPathEntriesForClaude,
+  sanitizePathForClaude,
+  unsafeClaudeExecutableReason,
+  usesClaudeGlobalPlugin,
+};

package/lib/install-cli.cjs

@@ -0,0 +1,99 @@
+'use strict';
+
+const { runInit } = require('./bootstrap.cjs');
+const { runDoctor } = require('./doctor.cjs');
+const { runPreflight } = require('./preflight.cjs');
+const { parseRunArgs, runCleanRoom } = require('./run.cjs');
+const { resolveInteractiveOptions } = require('./install-tui.cjs');
+const {
+  operationForOptions,
+  parseArgs,
+  validateRuntimeOptions,
+} = require('./install-options.cjs');
+const {
+  installRuntime,
+  uninstallRuntime,
+  updateRuntime,
+} = require('./install-operations.cjs');
+const {
+  runStatus,
+  selectedUpdateRuntimes,
+} = require('./install-status.cjs');
+
+async function main() {
+  const argv = process.argv.slice(2);
+  if (argv[0] === 'init') {
+    runInit(argv.slice(1));
+    return;
+  }
+  if (argv[0] === 'doctor') {
+    runDoctor(argv.slice(1));
+    return;
+  }
+  if (argv[0] === 'preflight') {
+    runPreflight(argv.slice(1));
+    return;
+  }
+  if (argv[0] === 'run') {
+    await runCleanRoom(parseRunArgs(argv.slice(1)));
+    return;
+  }
+  if (argv[0] === 'status') {
+    const options = parseArgs(argv.slice(1));
+    options.operation = 'status';
+    if (options.configDir && options.runtimes.length === 0) {
+      throw new Error('--config-dir can only be used with one runtime');
+    }
+    if (!options.scope) options.scope = 'global';
+    validateRuntimeOptions(options);
+    runStatus(options);
+    return;
+  }
+  if (argv[0] === 'update') {
+    const options = parseArgs(argv.slice(1));
+    options.operation = 'update';
+    if (options.configDir && options.runtimes.length === 0) {
+      throw new Error('--config-dir can only be used with one runtime');
+    }
+    if (!options.scope) options.scope = 'global';
+    options.runtimes = selectedUpdateRuntimes(options);
+    validateRuntimeOptions(options);
+    if (options.runtimes.length === 0) {
+      console.log(`No installed ${options.scope} runtimes found to update.`);
+      return;
+    }
+    for (const runtime of options.runtimes) {
+      await updateRuntime(runtime, options);
+    }
+    return;
+  }
+  const options = await resolveInteractiveOptions(parseArgs(argv));
+  if (!options.scope) {
+    options.scope = 'global';
+  }
+  validateRuntimeOptions(options);
+  if (operationForOptions(options) === 'status') {
+    runStatus(options);
+    return;
+  }
+  if (operationForOptions(options) === 'update') {
+    options.runtimes = selectedUpdateRuntimes(options);
+    if (options.runtimes.length === 0) {
+      console.log(`No installed ${options.scope} runtimes found to update.`);
+      return;
+    }
+  }
+  for (const runtime of options.runtimes) {
+    if (operationForOptions(options) === 'uninstall') {
+      await uninstallRuntime(runtime, options);
+    } else if (operationForOptions(options) === 'update') {
+      await updateRuntime(runtime, options);
+    } else {
+      await installRuntime(runtime, options);
+    }
+  }
+}
+
+module.exports = {
+  main,
+};