codexport 0.1.0

package/dist/index.js

@@ -0,0 +1,746 @@
+#!/usr/bin/env node
+import { Command, Option } from "commander";
+import chokidar from "chokidar";
+import { createHash, randomBytes } from "node:crypto";
+import { createServer, request } from "node:http";
+import { mkdir, readFile, readdir, readlink, rename, rm, stat, symlink, writeFile } from "node:fs/promises";
+import { existsSync } from "node:fs";
+import { homedir, platform } from "node:os";
+import path from "node:path";
+import { spawn } from "node:child_process";
+import { parse as parseToml, stringify as stringifyToml } from "smol-toml";
+const VERSION = "0.1.0";
+const DEFAULT_PORT = 17342;
+const DEFAULT_TIMEOUT_MS = 5_000;
+const CODEXPORT_DIR = ".codexport";
+const MASTER_ID_FILE = "master-id.json";
+const LOCAL_FILE = "local.toml";
+const MCPS_LOCAL_FILE = "mcps.local.toml";
+const LAST_BUNDLE_FILE = "last-bundle.json";
+const CACHE_BUNDLE_FILE = "bundle.json";
+const APPLIED_FILES_FILE = "applied-files.json";
+const INCLUDE_ROOTS = [
+    "AGENTS.md",
+    "RTK.md",
+    "config.toml",
+    "auth.json",
+    ".credentials.json",
+    "multi-auth",
+    "hooks.json",
+    "hooks",
+    "prompts",
+    "rules",
+    "skills",
+    "skill-libraries",
+    "mise.toml"
+];
+const EXCLUDE_PARTS = new Set([
+    "logs",
+    "log",
+    "cache",
+    "caches",
+    "tmp",
+    "temp",
+    "sessions",
+    "history",
+    "compact-handoffs",
+    "shell-snapshots",
+    ".sqlite",
+    ".sqlite3"
+]);
+class CliError extends Error {
+    exitCode;
+    details;
+    constructor(message, exitCode = 1, details) {
+        super(message);
+        this.exitCode = exitCode;
+        this.details = details;
+    }
+}
+function asError(error) {
+    return error instanceof Error ? error : new Error(String(error));
+}
+function sha256(input) {
+    return createHash("sha256").update(input).digest("hex");
+}
+function normalizeRelative(input) {
+    return input.split(path.sep).join("/");
+}
+function userPath(homeDir, ...parts) {
+    return path.join(homeDir, ...parts);
+}
+function defaultContext(options) {
+    const homeDir = options.home ? path.resolve(options.home) : homedir();
+    return {
+        homeDir,
+        stateDir: userPath(homeDir, CODEXPORT_DIR),
+        codexDir: path.resolve(options.codexDir ?? userPath(homeDir, ".codex")),
+        quiet: Boolean(options.quiet),
+        json: Boolean(options.json),
+        noInput: Boolean(options.noInput)
+    };
+}
+async function pathExists(filePath) {
+    try {
+        await stat(filePath);
+        return true;
+    }
+    catch (error) {
+        const code = error.code;
+        if (code === "ENOENT")
+            return false;
+        throw error;
+    }
+}
+async function ensureDir(dir) {
+    await mkdir(dir, { recursive: true });
+}
+async function readTextIfExists(filePath) {
+    if (!(await pathExists(filePath)))
+        return undefined;
+    return readFile(filePath, "utf8");
+}
+async function readJsonIfExists(filePath) {
+    const text = await readTextIfExists(filePath);
+    if (!text)
+        return undefined;
+    return JSON.parse(text);
+}
+async function writeJsonAtomic(filePath, value) {
+    await ensureDir(path.dirname(filePath));
+    const tmpPath = path.join(path.dirname(filePath), `.${path.basename(filePath)}.${process.pid}.tmp`);
+    await writeFile(tmpPath, `${JSON.stringify(value, null, 2)}\n`, "utf8");
+    await rename(tmpPath, filePath);
+}
+function parseTomlObject(text, filePath) {
+    try {
+        const parsed = parseToml(text);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+            throw new CliError(`${filePath} must contain a TOML table`, 2);
+        }
+        return parsed;
+    }
+    catch (error) {
+        if (error instanceof CliError)
+            throw error;
+        throw new CliError(`Failed to parse ${filePath}: ${asError(error).message}`, 2);
+    }
+}
+async function readLocalConfig(ctx) {
+    const filePath = path.join(ctx.stateDir, LOCAL_FILE);
+    const text = await readTextIfExists(filePath);
+    if (!text)
+        return {};
+    const parsed = parseTomlObject(text, filePath);
+    return {
+        role: parsed.role,
+        masterUrl: parsed.masterUrl,
+        masterFingerprint: parsed.masterFingerprint,
+        lastRevision: parsed.lastRevision,
+        codexDir: parsed.codexDir,
+        port: typeof parsed.port === "number" ? parsed.port : undefined,
+        allowMcpOverrides: Array.isArray(parsed.allowMcpOverrides) ? parsed.allowMcpOverrides.map(String) : undefined,
+        allowSkillOverrides: Array.isArray(parsed.allowSkillOverrides) ? parsed.allowSkillOverrides.map(String) : undefined,
+        pathVariables: parsed.pathVariables && typeof parsed.pathVariables === "object" ? parsed.pathVariables : undefined
+    };
+}
+async function writeLocalConfig(ctx, config) {
+    await ensureDir(ctx.stateDir);
+    await writeFile(path.join(ctx.stateDir, LOCAL_FILE), stringifyToml(removeUndefined({ ...config })), "utf8");
+}
+function removeUndefined(input) {
+    const out = {};
+    for (const [key, value] of Object.entries(input)) {
+        if (value !== undefined)
+            out[key] = value;
+    }
+    return out;
+}
+async function loadMasterIdentity(ctx) {
+    const filePath = path.join(ctx.stateDir, MASTER_ID_FILE);
+    const existing = await readJsonIfExists(filePath);
+    if (existing?.secret && existing.fingerprint === sha256(existing.secret))
+        return existing;
+    const secret = randomBytes(32).toString("hex");
+    const identity = { secret, fingerprint: sha256(secret) };
+    await writeJsonAtomic(filePath, identity);
+    return identity;
+}
+function shouldExclude(relativePath) {
+    const parts = relativePath.split("/");
+    return parts.some((part) => EXCLUDE_PARTS.has(part) || part.endsWith(".sqlite") || part.endsWith(".sqlite3"));
+}
+async function collectFiles(root) {
+    const files = [];
+    for (const includeRoot of INCLUDE_ROOTS) {
+        const absolute = path.join(root, includeRoot);
+        if (!(await pathExists(absolute)))
+            continue;
+        await walkIncluded(root, absolute, files);
+    }
+    files.sort((a, b) => a.path.localeCompare(b.path));
+    return files;
+}
+async function walkIncluded(root, absolute, files) {
+    const relative = normalizeRelative(path.relative(root, absolute));
+    if (!relative || shouldExclude(relative))
+        return;
+    const entryStat = await stat(absolute);
+    if (entryStat.isDirectory()) {
+        const children = await readdir(absolute);
+        for (const child of children) {
+            await walkIncluded(root, path.join(absolute, child), files);
+        }
+        return;
+    }
+    if (entryStat.isFile()) {
+        files.push({
+            path: relative,
+            mode: entryStat.mode & 0o777,
+            kind: "file",
+            content: (await readFile(absolute)).toString("base64")
+        });
+    }
+}
+function computeRevision(files) {
+    const normalized = files.map((file) => ({
+        path: file.path,
+        mode: file.mode,
+        kind: file.kind,
+        contentHash: sha256(Buffer.from(file.content, "base64"))
+    }));
+    return sha256(JSON.stringify(normalized));
+}
+async function buildBundle(codexDir) {
+    const files = await collectFiles(codexDir);
+    const revision = computeRevision(files);
+    return {
+        version: 1,
+        builtAt: new Date().toISOString(),
+        sourceRoot: codexDir,
+        revision,
+        files
+    };
+}
+async function saveMasterBundle(ctx, bundle) {
+    await writeJsonAtomic(path.join(ctx.stateDir, LAST_BUNDLE_FILE), bundle);
+}
+async function readMasterBundle(ctx) {
+    const bundle = await readJsonIfExists(path.join(ctx.stateDir, LAST_BUNDLE_FILE));
+    if (bundle)
+        return bundle;
+    const built = await buildBundle(ctx.codexDir);
+    await saveMasterBundle(ctx, built);
+    return built;
+}
+function formatJoinCommand(masterUrl, fingerprint) {
+    return `npx codexport follower join --master ${masterUrl} --fingerprint ${fingerprint}`;
+}
+function buildJoinLink(masterUrl, fingerprint) {
+    const url = new URL(masterUrl);
+    const join = new URL("codexport://join");
+    join.searchParams.set("host", url.hostname);
+    join.searchParams.set("port", url.port || String(DEFAULT_PORT));
+    join.searchParams.set("fingerprint", fingerprint);
+    join.searchParams.set("protocol", url.protocol.replace(":", ""));
+    join.searchParams.set("version", "1");
+    return join.toString();
+}
+function parseJoinLink(input) {
+    if (!input.startsWith("codexport://")) {
+        throw new CliError("Join input must be a codexport://join link or use --master and --fingerprint.", 2);
+    }
+    const url = new URL(input);
+    if (url.hostname !== "join")
+        throw new CliError("Unsupported codexport link. Expected codexport://join.", 2);
+    const host = url.searchParams.get("host");
+    const port = url.searchParams.get("port") ?? String(DEFAULT_PORT);
+    const fingerprint = url.searchParams.get("fingerprint");
+    const protocol = url.searchParams.get("protocol") ?? "http";
+    if (!host || !fingerprint)
+        throw new CliError("Join link is missing host or fingerprint.", 2);
+    return { masterUrl: `${protocol}://${host}:${port}`, fingerprint };
+}
+function requestJson(url, timeoutMs) {
+    return new Promise((resolve, reject) => {
+        const req = request(url, { method: "GET", timeout: timeoutMs }, (res) => {
+            const chunks = [];
+            res.on("data", (chunk) => chunks.push(chunk));
+            res.on("end", () => {
+                const body = Buffer.concat(chunks).toString("utf8");
+                if (!res.statusCode || res.statusCode < 200 || res.statusCode >= 300) {
+                    reject(new CliError(`GET ${url} failed with HTTP ${res.statusCode}: ${body.slice(0, 300)}`, 1));
+                    return;
+                }
+                try {
+                    resolve(JSON.parse(body));
+                }
+                catch (error) {
+                    reject(new CliError(`GET ${url} returned invalid JSON: ${asError(error).message}`, 1));
+                }
+            });
+        });
+        req.on("timeout", () => {
+            req.destroy(new CliError(`GET ${url} timed out after ${timeoutMs}ms`, 1));
+        });
+        req.on("error", reject);
+        req.end();
+    });
+}
+async function fetchMeta(masterUrl, timeoutMs) {
+    return requestJson(new URL("/meta", masterUrl).toString(), timeoutMs);
+}
+async function fetchBundle(masterUrl, timeoutMs) {
+    return requestJson(new URL("/bundle", masterUrl).toString(), timeoutMs);
+}
+function verifyBundle(bundle) {
+    if (bundle.version !== 1 || !Array.isArray(bundle.files)) {
+        throw new CliError("Bundle has an unsupported format.", 1);
+    }
+    const actualRevision = computeRevision(bundle.files);
+    if (bundle.revision !== actualRevision) {
+        throw new CliError(`Bundle revision mismatch. Expected ${bundle.revision}, computed ${actualRevision}.`, 1);
+    }
+    for (const file of bundle.files) {
+        if (path.isAbsolute(file.path) || file.path.includes("..") || file.path.includes("\\")) {
+            throw new CliError(`Bundle contains unsafe path: ${file.path}`, 1);
+        }
+    }
+}
+async function readCachedBundle(ctx) {
+    const bundle = await readJsonIfExists(path.join(ctx.stateDir, CACHE_BUNDLE_FILE));
+    if (!bundle)
+        throw new CliError("No staged bundle exists. Run codexport sync first.", 1);
+    verifyBundle(bundle);
+    return bundle;
+}
+async function writeCachedBundle(ctx, bundle) {
+    verifyBundle(bundle);
+    await writeJsonAtomic(path.join(ctx.stateDir, CACHE_BUNDLE_FILE), bundle);
+}
+function decodeFile(file) {
+    return Buffer.from(file.content, "base64");
+}
+function extractTomlTableNames(text, prefix) {
+    const names = new Set();
+    const pattern = new RegExp(`^\\s*\\[${prefix.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\.\"?([^"\\]]+)\"?\\]\\s*$`);
+    for (const line of text.split(/\r?\n/)) {
+        const match = line.match(pattern);
+        if (match)
+            names.add(match[1]);
+    }
+    return names;
+}
+function mergeTomlText(canonical, localMcpText, localConfig) {
+    const expandedCanonical = expandPathVariables(canonical, localConfig);
+    if (!localMcpText?.trim())
+        return expandedCanonical;
+    const canonicalMcps = extractTomlTableNames(canonical, "mcp_servers");
+    const localMcps = extractTomlTableNames(localMcpText, "mcp_servers");
+    const allowed = new Set(localConfig.allowMcpOverrides ?? []);
+    const conflicts = [...localMcps].filter((name) => canonicalMcps.has(name) && !allowed.has(name));
+    if (conflicts.length) {
+        throw new CliError(`Local MCP conflicts with canonical names: ${conflicts.join(", ")}. Add allowMcpOverrides in ~/.codexport/local.toml to override intentionally.`, 1, { conflicts });
+    }
+    return `${expandedCanonical.trimEnd()}\n\n# Follower-local MCP overlay from ~/.codexport/mcps.local.toml\n${localMcpText.trim()}\n`;
+}
+function expandPathVariables(text, localConfig) {
+    const variables = {
+        home: homedir(),
+        codexDir: localConfig.codexDir ?? path.join(homedir(), ".codex"),
+        ...(localConfig.pathVariables ?? {})
+    };
+    return text.replace(/\$\{([A-Za-z0-9_]+)\}/g, (match, name) => {
+        const replacement = variables[name];
+        return replacement === undefined ? match : replacement.replace(/\\/g, "\\\\");
+    });
+}
+async function assertSkillConflicts(ctx, bundle, localConfig) {
+    const canonicalSkills = new Set(bundle.files
+        .filter((file) => file.path.startsWith("skills/"))
+        .map((file) => file.path.split("/")[1])
+        .filter(Boolean));
+    const localSkillsDir = path.join(ctx.stateDir, "skills");
+    if (!(await pathExists(localSkillsDir)))
+        return;
+    const localNames = await readdir(localSkillsDir);
+    const allowed = new Set(localConfig.allowSkillOverrides ?? []);
+    const conflicts = localNames.filter((name) => canonicalSkills.has(name) && !allowed.has(name));
+    if (conflicts.length) {
+        throw new CliError(`Local skills conflict with canonical names: ${conflicts.join(", ")}. Add allowSkillOverrides in ~/.codexport/local.toml to override intentionally.`, 1, { conflicts });
+    }
+}
+async function applyBundle(ctx, bundle) {
+    verifyBundle(bundle);
+    const localConfig = await readLocalConfig(ctx);
+    await assertSkillConflicts(ctx, bundle, localConfig);
+    await ensureDir(ctx.codexDir);
+    const nextFiles = new Set(bundle.files.map((file) => file.path));
+    const previousFiles = await readJsonIfExists(path.join(ctx.stateDir, APPLIED_FILES_FILE)) ?? [];
+    for (const previousFile of previousFiles) {
+        if (nextFiles.has(previousFile))
+            continue;
+        const target = path.join(ctx.codexDir, previousFile);
+        if (path.relative(ctx.codexDir, target).startsWith(".."))
+            continue;
+        await rm(target, { recursive: true, force: true });
+    }
+    for (const file of bundle.files) {
+        const target = path.join(ctx.codexDir, file.path);
+        await ensureDir(path.dirname(target));
+        if (file.path === "config.toml")
+            continue;
+        await writeFile(target, decodeFile(file), { mode: file.mode });
+    }
+    const configEntry = bundle.files.find((file) => file.path === "config.toml");
+    if (configEntry) {
+        const canonicalConfig = decodeFile(configEntry).toString("utf8");
+        const localMcpText = await readTextIfExists(path.join(ctx.stateDir, MCPS_LOCAL_FILE));
+        const generated = mergeTomlText(canonicalConfig, localMcpText, localConfig);
+        const configPath = path.join(ctx.codexDir, "config.toml");
+        if (await pathExists(configPath)) {
+            const backupPath = `${configPath}.codexport-backup-${new Date().toISOString().replace(/[:.]/g, "-")}`;
+            await writeFile(backupPath, await readFile(configPath));
+        }
+        await writeFile(configPath, generated, "utf8");
+    }
+    const localSkillsDir = path.join(ctx.stateDir, "skills");
+    if (await pathExists(localSkillsDir)) {
+        const targetLocalSkills = path.join(ctx.codexDir, "skills-local");
+        await rm(targetLocalSkills, { recursive: true, force: true });
+        await copyDirectory(localSkillsDir, targetLocalSkills);
+    }
+    await writeLocalConfig(ctx, { ...localConfig, lastRevision: bundle.revision, codexDir: ctx.codexDir });
+    await writeJsonAtomic(path.join(ctx.stateDir, APPLIED_FILES_FILE), bundle.files.map((file) => file.path));
+}
+async function copyDirectory(source, target) {
+    await ensureDir(target);
+    for (const entry of await readdir(source, { withFileTypes: true })) {
+        const sourcePath = path.join(source, entry.name);
+        const targetPath = path.join(target, entry.name);
+        if (entry.isDirectory()) {
+            await copyDirectory(sourcePath, targetPath);
+        }
+        else if (entry.isFile()) {
+            await ensureDir(path.dirname(targetPath));
+            await writeFile(targetPath, await readFile(sourcePath));
+        }
+        else if (entry.isSymbolicLink()) {
+            const linkTarget = await readlink(sourcePath);
+            await symlink(linkTarget, targetPath);
+        }
+    }
+}
+async function installHook(ctx, timeoutMs) {
+    await ensureDir(ctx.codexDir);
+    const hooksPath = path.join(ctx.codexDir, "hooks.json");
+    const existingText = await readTextIfExists(hooksPath);
+    const existing = existingText ? JSON.parse(existingText) : {};
+    const hooks = existing.SessionStart && Array.isArray(existing.SessionStart) ? existing.SessionStart : [];
+    const command = `codexport sync --apply --timeout-ms ${timeoutMs} --no-input`;
+    const filtered = hooks.filter((hook) => !(hook && typeof hook === "object" && hook.name === "codexport-sync"));
+    filtered.push({ name: "codexport-sync", command, timeoutMs });
+    await writeJsonAtomic(hooksPath, { ...existing, SessionStart: filtered });
+}
+function runCommand(command, args) {
+    return new Promise((resolve, reject) => {
+        const child = spawn(command, args, { stdio: "inherit" });
+        child.on("error", reject);
+        child.on("exit", (code) => {
+            if (code === 0)
+                resolve();
+            else
+                reject(new CliError(`${command} ${args.join(" ")} exited with ${code}`, code ?? 1));
+        });
+    });
+}
+async function installMasterService(ctx, port, dryRun) {
+    const command = `codexport master serve --port ${port}`;
+    if (platform() === "linux") {
+        const unitDir = path.join(ctx.homeDir, ".config", "systemd", "user");
+        const unitPath = path.join(unitDir, "codexport-master.service");
+        const unit = `[Unit]
+Description=Codexport master server
+
+[Service]
+ExecStart=${command}
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=default.target
+`;
+        if (!dryRun) {
+            await ensureDir(unitDir);
+            await writeFile(unitPath, unit, "utf8");
+            await runCommand("systemctl", ["--user", "daemon-reload"]);
+            await runCommand("systemctl", ["--user", "enable", "--now", "codexport-master.service"]);
+        }
+        return unitPath;
+    }
+    if (platform() === "win32") {
+        const taskName = "CodexportMaster";
+        if (!dryRun) {
+            await runCommand("schtasks.exe", ["/Create", "/TN", taskName, "/SC", "ONLOGON", "/TR", command, "/F"]);
+            await runCommand("schtasks.exe", ["/Run", "/TN", taskName]);
+        }
+        return taskName;
+    }
+    throw new CliError(`Unsupported service platform: ${platform()}`, 1);
+}
+function print(ctx, value) {
+    if (ctx.quiet)
+        return;
+    if (ctx.json) {
+        process.stdout.write(`${JSON.stringify(typeof value === "string" ? { message: value } : value, null, 2)}\n`);
+    }
+    else {
+        process.stdout.write(`${typeof value === "string" ? value : humanSummary(value)}\n`);
+    }
+}
+function humanSummary(value) {
+    if (!value || typeof value !== "object" || Array.isArray(value))
+        return String(value);
+    return Object.entries(value).map(([key, item]) => `${key}: ${String(item)}`).join("\n");
+}
+function masterUrl(host, port) {
+    if (host.startsWith("http://") || host.startsWith("https://"))
+        return host;
+    return `http://${host}:${port}`;
+}
+function parsePositiveInt(value) {
+    const parsed = Number.parseInt(value, 10);
+    if (!Number.isFinite(parsed) || parsed <= 0) {
+        throw new Error(`Expected a positive integer, got ${value}`);
+    }
+    return parsed;
+}
+async function commandMasterInit(ctx, options) {
+    const identity = await loadMasterIdentity(ctx);
+    const bundle = await buildBundle(ctx.codexDir);
+    await saveMasterBundle(ctx, bundle);
+    await writeLocalConfig(ctx, { ...(await readLocalConfig(ctx)), role: "master", codexDir: ctx.codexDir, port: options.port ?? DEFAULT_PORT });
+    print(ctx, { role: "master", fingerprint: identity.fingerprint, revision: bundle.revision, files: bundle.files.length });
+}
+async function commandMasterRebuild(ctx) {
+    const bundle = await buildBundle(ctx.codexDir);
+    await saveMasterBundle(ctx, bundle);
+    print(ctx, { revision: bundle.revision, files: bundle.files.length });
+}
+async function commandMasterLink(ctx, options) {
+    const identity = await loadMasterIdentity(ctx);
+    const local = await readLocalConfig(ctx);
+    const port = options.port ?? local.port ?? DEFAULT_PORT;
+    const host = options.host ?? "machine1.tailnet.ts.net";
+    const url = masterUrl(host, port);
+    print(ctx, {
+        joinLink: buildJoinLink(url, identity.fingerprint),
+        command: formatJoinCommand(url, identity.fingerprint)
+    });
+}
+async function commandMasterServe(ctx, options) {
+    const identity = await loadMasterIdentity(ctx);
+    let bundle = await readMasterBundle(ctx);
+    let rebuilding = false;
+    async function rebuild(reason) {
+        if (rebuilding)
+            return;
+        rebuilding = true;
+        try {
+            bundle = await buildBundle(ctx.codexDir);
+            await saveMasterBundle(ctx, bundle);
+            if (!ctx.quiet)
+                process.stderr.write(`rebuilt ${bundle.revision} after ${reason}\n`);
+        }
+        finally {
+            rebuilding = false;
+        }
+    }
+    if (options.watch) {
+        const watchPaths = INCLUDE_ROOTS.map((item) => path.join(ctx.codexDir, item)).filter(existsSync);
+        const watcher = chokidar.watch(watchPaths, { ignoreInitial: true, awaitWriteFinish: { stabilityThreshold: 250, pollInterval: 100 } });
+        watcher.on("all", (_event, changedPath) => {
+            void rebuild(path.relative(ctx.codexDir, changedPath));
+        });
+    }
+    const server = createServer((req, res) => {
+        if (!req.url || req.method !== "GET") {
+            res.writeHead(405).end("method not allowed");
+            return;
+        }
+        if (req.url === "/meta") {
+            res.setHeader("content-type", "application/json");
+            res.end(JSON.stringify({ version: 1, fingerprint: identity.fingerprint, revision: bundle.revision, fileCount: bundle.files.length }));
+            return;
+        }
+        if (req.url === "/bundle") {
+            res.setHeader("content-type", "application/json");
+            res.end(JSON.stringify(bundle));
+            return;
+        }
+        res.writeHead(404).end("not found");
+    });
+    server.listen(options.port, options.host, () => {
+        if (!ctx.quiet)
+            process.stderr.write(`codexport master serving ${bundle.revision} on http://${options.host}:${options.port}\n`);
+    });
+}
+async function commandFollowerJoin(ctx, input, options) {
+    const parsed = input ? parseJoinLink(input) : undefined;
+    const master = options.master ?? parsed?.masterUrl;
+    const fingerprint = options.fingerprint ?? parsed?.fingerprint;
+    if (!master || !fingerprint) {
+        throw new CliError("follower join requires a join link or both --master and --fingerprint.", 2);
+    }
+    const meta = await fetchMeta(master, options.timeoutMs);
+    if (meta.fingerprint !== fingerprint) {
+        throw new CliError(`Master fingerprint mismatch. Expected ${fingerprint}, got ${meta.fingerprint}.`, 1);
+    }
+    const current = await readLocalConfig(ctx);
+    await writeLocalConfig(ctx, { ...current, role: "follower", masterUrl: master, masterFingerprint: fingerprint, codexDir: ctx.codexDir });
+    if (options.apply) {
+        await commandSync(ctx, { apply: true, timeoutMs: options.timeoutMs });
+    }
+    print(ctx, { role: "follower", masterUrl: master, masterFingerprint: fingerprint, revision: meta.revision });
+}
+async function commandSync(ctx, options) {
+    const local = await readLocalConfig(ctx);
+    if (!local.masterUrl || !local.masterFingerprint) {
+        throw new CliError("This machine is not enrolled. Run codexport follower join first.", 1);
+    }
+    const meta = await fetchMeta(local.masterUrl, options.timeoutMs);
+    if (meta.fingerprint !== local.masterFingerprint) {
+        throw new CliError("Stored master fingerprint does not match the reachable master. Refusing to sync; re-enroll or reset trust explicitly.", 1);
+    }
+    if (local.lastRevision === meta.revision) {
+        print(ctx, { status: "current", revision: meta.revision });
+        return;
+    }
+    const bundle = await fetchBundle(local.masterUrl, options.timeoutMs);
+    if (bundle.revision !== meta.revision)
+        throw new CliError("Master changed revision during sync. Retry.", 1);
+    await writeCachedBundle(ctx, bundle);
+    if (options.apply) {
+        await applyBundle(ctx, bundle);
+        print(ctx, { status: "applied", revision: bundle.revision, files: bundle.files.length });
+    }
+    else {
+        print(ctx, { status: "staged", revision: bundle.revision, files: bundle.files.length });
+    }
+}
+async function commandApply(ctx) {
+    const bundle = await readCachedBundle(ctx);
+    await applyBundle(ctx, bundle);
+    print(ctx, { status: "applied", revision: bundle.revision, files: bundle.files.length });
+}
+async function commandStatus(ctx, options) {
+    const local = await readLocalConfig(ctx);
+    let remote = null;
+    if (local.masterUrl) {
+        try {
+            remote = await fetchMeta(local.masterUrl, options.timeoutMs);
+        }
+        catch (error) {
+            remote = { reachable: false, error: asError(error).message };
+        }
+    }
+    print(ctx, {
+        role: local.role ?? "unknown",
+        codexDir: ctx.codexDir,
+        stateDir: ctx.stateDir,
+        masterUrl: local.masterUrl ?? null,
+        masterFingerprint: local.masterFingerprint ?? null,
+        lastRevision: local.lastRevision ?? null,
+        remote
+    });
+}
+function addGlobalOptions(command) {
+    return command
+        .option("--home <path>", "home directory override for testing")
+        .option("--codex-dir <path>", "Codex directory to read or write")
+        .option("--json", "write structured JSON output")
+        .option("-q, --quiet", "suppress normal success output")
+        .option("--no-input", "never prompt for input")
+        .addOption(new Option("--no-color", "accepted for CLI convention compatibility"));
+}
+function contextFromCommand(command) {
+    const options = command.optsWithGlobals();
+    return defaultContext({ home: options.home, codexDir: options.codexDir, quiet: options.quiet, json: options.json, noInput: options.input === false });
+}
+async function main(argv) {
+    const program = addGlobalOptions(new Command())
+        .name("codexport")
+        .description("Replicate a canonical Codex setup from a master machine to follower machines.")
+        .version(VERSION);
+    const master = program.command("master").description("Manage the canonical Machine1 export.");
+    master.command("init")
+        .description("Create or refresh master identity and canonical bundle state.")
+        .option("--port <port>", "default serve port", parsePositiveInt, DEFAULT_PORT)
+        .action(async (options, command) => commandMasterInit(contextFromCommand(command), options));
+    master.command("rebuild")
+        .description("Force rebuild the master bundle from the current Codex directory.")
+        .action(async (_options, command) => commandMasterRebuild(contextFromCommand(command)));
+    master.command("link")
+        .description("Print a durable follower join link and copy-paste command.")
+        .option("--host <host>", "Tailscale host, IP, or full URL", "machine1.tailnet.ts.net")
+        .option("--port <port>", "master port", parsePositiveInt, DEFAULT_PORT)
+        .action(async (options, command) => commandMasterLink(contextFromCommand(command), options));
+    master.command("serve")
+        .description("Serve the current canonical bundle over HTTP.")
+        .option("--host <host>", "bind host", "0.0.0.0")
+        .option("--port <port>", "bind port", parsePositiveInt, DEFAULT_PORT)
+        .option("--no-watch", "disable automatic bundle rebuilds")
+        .action(async (options, command) => commandMasterServe(contextFromCommand(command), options));
+    const service = master.command("service").description("Manage the user-level master background service.");
+    service.command("install")
+        .description("Install and start the user-level master background service.")
+        .option("--port <port>", "master port", parsePositiveInt, DEFAULT_PORT)
+        .option("-n, --dry-run", "print the install target without changing system service state")
+        .action(async (options, command) => {
+        const ctx = contextFromCommand(command);
+        const target = await installMasterService(ctx, options.port, Boolean(options.dryRun));
+        print(ctx, { installed: !options.dryRun, target });
+    });
+    const follower = program.command("follower").description("Enroll and manage a follower machine.");
+    follower.command("join [link]")
+        .description("Enroll this follower from a codexport://join link or explicit master URL.")
+        .option("--master <url>", "master URL, for example http://machine1.tailnet.ts.net:17342")
+        .option("--fingerprint <hex>", "expected master fingerprint")
+        .option("--apply", "download and apply immediately after enrollment")
+        .option("--timeout-ms <ms>", "network timeout", parsePositiveInt, DEFAULT_TIMEOUT_MS)
+        .action(async (link, options, command) => commandFollowerJoin(contextFromCommand(command), link, options));
+    program.command("sync")
+        .description("Fetch the latest master bundle and optionally apply it.")
+        .option("--apply", "apply the fetched bundle immediately")
+        .option("--timeout-ms <ms>", "network timeout", parsePositiveInt, DEFAULT_TIMEOUT_MS)
+        .action(async (options, command) => commandSync(contextFromCommand(command), options));
+    program.command("apply")
+        .description("Apply the last staged bundle.")
+        .action(async (_options, command) => commandApply(contextFromCommand(command)));
+    const hook = program.command("hook").description("Manage follower Codex hooks.");
+    hook.command("install")
+        .description("Install a follower-only Codex SessionStart sync hook.")
+        .option("--timeout-ms <ms>", "hook sync timeout", parsePositiveInt, 3_000)
+        .action(async (options, command) => {
+        const ctx = contextFromCommand(command);
+        await installHook(ctx, options.timeoutMs);
+        print(ctx, { installed: true, hook: "SessionStart", command: `codexport sync --apply --timeout-ms ${options.timeoutMs} --no-input` });
+    });
+    program.command("status")
+        .description("Show local enrollment state and remote revision reachability.")
+        .option("--timeout-ms <ms>", "network timeout", parsePositiveInt, 1_500)
+        .action(async (options, command) => commandStatus(contextFromCommand(command), options));
+    await program.parseAsync(argv);
+}
+if (import.meta.url === `file://${process.argv[1]}`) {
+    main(process.argv).catch((error) => {
+        const err = asError(error);
+        const exitCode = error instanceof CliError ? error.exitCode : 1;
+        process.stderr.write(`${err.message}\n`);
+        if (!(error instanceof CliError) && process.env.DEBUG) {
+            process.stderr.write(`${err.stack ?? ""}\n`);
+        }
+        process.exit(exitCode);
+    });
+}
+export { applyBundle, buildBundle, buildJoinLink, computeRevision, defaultContext, installHook, mergeTomlText, parseJoinLink, verifyBundle };