copillm 0.1.0

package/dist/cli.js

@@ -0,0 +1,1178 @@
+#!/usr/bin/env node
+import { spawn } from "node:child_process";
+import { randomUUID } from "node:crypto";
+import { setTimeout as sleep } from "node:timers/promises";
+import { Command } from "commander";
+import { clearStoredCredential, inspectStoredCredential, loadStoredCredential, saveStoredCredential } from "./auth/credentials.js";
+import { inspectGithubIdentity } from "./auth/githubIdentity.js";
+import { ensureAuthenticatedInteractive as ensureAuthenticatedInteractiveImpl } from "./auth/ensureAuthenticated.js";
+import { loginViaDeviceFlow } from "./auth/deviceFlow.js";
+import { CopilotTokenManager } from "./auth/copilotToken.js";
+import { confirm, choose } from "./auth/interactivePrompt.js";
+import { loadConfig, saveConfig } from "./config/config.js";
+import { createLogger } from "./config/logging.js";
+import { listModels, resolveModelSelections } from "./models/discovery.js";
+import { acquireLock, inspectLock, LockAlreadyRunningError, releaseLock } from "./server/lock.js";
+import { startProxyServer } from "./server/proxy.js";
+import { defaultOutputDir, generateCodexHome } from "./codex/init.js";
+import { defaultOutputDir as defaultPiOutputDir, generatePiHome } from "./pi/init.js";
+import { getCopillmHome } from "./config/home.js";
+import { clearClaudeGatewayCache } from "./claude/cache.js";
+import { detectClaudeSettingsConflicts, formatSettingsConflictWarning } from "./claude/settingsConflict.js";
+import { buildClaudeExportCommand as buildClaudeExport, computeAnthropicDefaults, readModelIdsFromCache } from "./models/anthropicDefaults.js";
+import { isShellSyntax, renderEnvBlock } from "./cli/envBlock.js";
+import { buildClaudeEnvBundle, buildCodexEnvBundle, buildPiEnvBundle } from "./cli/agentEnv.js";
+import { launchAgent } from "./cli/launchAgent.js";
+import { applyAgentConfig, formatApplyNotes } from "./agentconfig/apply.js";
+import { registerConfigCommands } from "./cli/configCommands.js";
+const logger = createLogger();
+const program = new Command();
+program.name("copillm").description("Local Copilot proxy").version("0.1.0");
+program.enablePositionalOptions();
+program
+    .command("login")
+    .description("[deprecated] Use `copillm auth login`")
+    .option("--json", "JSON output")
+    .action(async (opts) => {
+    emitDeprecation(opts, "login", "auth login");
+    await runAuthLogin(opts, { forceSession: false });
+});
+program
+    .command("logout")
+    .description("[deprecated] Use `copillm auth logout`")
+    .option("--json", "JSON output")
+    .action(async (opts) => {
+    emitDeprecation(opts, "logout", "auth logout");
+    await runAuthLogout(opts);
+});
+const auth = program.command("auth").description("Authentication commands");
+auth
+    .command("login")
+    .description("Authenticate with GitHub")
+    .option("--json", "JSON output")
+    // Undocumented test seam: force the session-only backend regardless of
+    // whether the OS keychain is available. Equivalent to setting
+    // COPILLM_FORCE_SESSION_BACKEND=1 for the duration of this command.
+    .option("--force-session", "(test-only) force the session-only backend", false)
+    .action(async (opts) => {
+    await runAuthLogin(opts, { forceSession: Boolean(opts.forceSession) });
+});
+auth
+    .command("logout")
+    .description("Clear credentials and stop running daemon")
+    .option("--json", "JSON output")
+    .action(async (opts) => {
+    await runAuthLogout(opts);
+});
+auth
+    .command("status")
+    .description("Report whether a credential is stored (token is never printed)")
+    .option("--json", "JSON output")
+    .option("--no-user", "Skip the GitHub /user lookup that fetches the login name")
+    .action(async (opts) => {
+    let info;
+    try {
+        info = await inspectStoredCredential();
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : "unknown_error";
+        if (opts.json) {
+            process.stdout.write(JSON.stringify({ status: "error", error: message }, null, 2) + "\n");
+        }
+        else {
+            process.stderr.write(`auth status error: ${message}\n`);
+        }
+        process.exit(1);
+    }
+    // commander's --no-user toggles opts.user to false; when the flag is
+    // omitted opts.user is undefined and we treat that as "fetch by default".
+    const userLookupEnabled = info.stored && opts.user !== false;
+    let identity = null;
+    if (userLookupEnabled) {
+        // inspectGithubIdentity is designed to return null on any failure, but
+        // we wrap defensively at the CLI level too: a regression in the wrapper,
+        // or a platform-specific fetch error path (e.g. Node 22 on macOS has
+        // surfaced uncaught socket rejections from privileged-port ECONNREFUSED),
+        // must never break the auth-status command. Status output should always
+        // succeed even when the network is broken.
+        try {
+            identity = await inspectGithubIdentity();
+        }
+        catch {
+            identity = null;
+        }
+    }
+    if (opts.json) {
+        process.stdout.write(JSON.stringify({
+            status: info.stored ? "logged_in" : "logged_out",
+            stored: info.stored,
+            backend: info.backend,
+            user: identity
+        }, null, 2) + "\n");
+    }
+    else if (info.stored) {
+        process.stdout.write(`${formatHumanAuthStatusLine(info.backend, identity)}\n`);
+    }
+    else {
+        process.stdout.write("not logged in\n");
+    }
+    process.exit(info.stored ? 0 : 2);
+});
+program
+    .command("start")
+    .description("Start proxy")
+    .option("--detach", "Run in detached mode")
+    .option("--debug", "Enable debug endpoints (e.g. /_debug)")
+    .option("--no-codex", "Skip generating ~/.copillm/codex/ for Codex CLI")
+    .option("--codex-model <id>", "Default Codex model slug")
+    .option("--no-pi", "Skip generating ~/.pi/agent/models.json for pi coding agent")
+    .option("--json", "JSON output")
+    .action(async (opts) => {
+    if (opts.detach) {
+        // Fail fast on missing credentials rather than letting the detached
+        // child die silently and surface as a generic "start timed out" error.
+        const authState = await inspectStoredCredential();
+        if (!authState.stored) {
+            throw new Error("Not authenticated. Run `copillm auth login` first, or start without --detach to log in interactively.");
+        }
+        const existingLock = await readLiveLock();
+        if (existingLock) {
+            const codex = opts.codex === false ? null : await refreshCodexHome(existingLock.port, opts.codexModel ?? null);
+            const pi = opts.pi === false ? null : await refreshPiHome(existingLock.port);
+            const claude = buildClaudeExportCommand(existingLock.port, null);
+            const banner = formatStartBanner({
+                port: existingLock.port,
+                pid: existingLock.pid,
+                mode: "already_running",
+                debug: false,
+                codex,
+                pi
+            });
+            writeCommandOutput(opts, banner, {
+                status: "already_running",
+                pid: existingLock.pid,
+                port: existingLock.port,
+                url: `http://127.0.0.1:${existingLock.port}`,
+                codex_home: codex?.outDir ?? null,
+                codex_export_command: codex?.exportCommand ?? null,
+                codex_env: codex ? buildCodexEnvBundle(codex.outDir).env : null,
+                pi_home: pi?.outDir ?? null,
+                pi_config_path: pi?.configPath ?? null,
+                pi_mirror_path: pi?.mirrorPath ?? null,
+                pi_backup_path: pi?.backupPath ?? null,
+                pi_model_count: pi?.modelCount ?? null,
+                claude_export_command: claude.command,
+                claude_env: claude.bundle.env,
+                claude_defaults: claude.defaults
+            });
+            return;
+        }
+        const daemonArgs = [process.argv[1], "daemon"];
+        if (opts.debug) {
+            daemonArgs.push("--debug");
+        }
+        const child = spawn(process.execPath, daemonArgs, {
+            detached: true,
+            stdio: "ignore"
+        });
+        child.unref();
+        const started = await waitForDaemonReady(child.pid ?? null, 8_000);
+        if (!started) {
+            throw new Error("Detached daemon start timed out.");
+        }
+        const codex = opts.codex === false ? null : await refreshCodexHome(started.port, opts.codexModel ?? null);
+        const pi = opts.pi === false ? null : await refreshPiHome(started.port);
+        const claude = buildClaudeExportCommand(started.port, null);
+        const banner = formatStartBanner({
+            port: started.port,
+            pid: started.pid,
+            mode: "detached",
+            debug: Boolean(opts.debug),
+            codex,
+            pi
+        });
+        writeCommandOutput(opts, banner, {
+            status: "ok",
+            mode: "detached",
+            pid: started.pid,
+            port: started.port,
+            debug: Boolean(opts.debug),
+            url: `http://127.0.0.1:${started.port}`,
+            codex_home: codex?.outDir ?? null,
+            codex_export_command: codex?.exportCommand ?? null,
+            codex_env: codex ? buildCodexEnvBundle(codex.outDir).env : null,
+            codex_default_model: codex?.defaultModel ?? null,
+            codex_model_count: codex?.modelCount ?? null,
+            pi_home: pi?.outDir ?? null,
+            pi_config_path: pi?.configPath ?? null,
+            pi_mirror_path: pi?.mirrorPath ?? null,
+            pi_backup_path: pi?.backupPath ?? null,
+            pi_model_count: pi?.modelCount ?? null,
+            claude_export_command: claude.command,
+            claude_env: claude.bundle.env,
+            claude_defaults: claude.defaults
+        });
+        return;
+    }
+    // Foreground path: interactively prompt for login if needed.
+    await ensureAuthenticatedInteractive();
+    const started = await runDaemon({ debug: Boolean(opts.debug) });
+    if (started.kind === "already_running") {
+        const codex = opts.codex === false ? null : await refreshCodexHome(started.lock.port, opts.codexModel ?? null);
+        const pi = opts.pi === false ? null : await refreshPiHome(started.lock.port);
+        const claude = buildClaudeExportCommand(started.lock.port, null);
+        const banner = formatStartBanner({
+            port: started.lock.port,
+            pid: started.lock.pid,
+            mode: "already_running",
+            debug: false,
+            codex,
+            pi
+        });
+        writeCommandOutput(opts, banner, {
+            status: "already_running",
+            pid: started.lock.pid,
+            port: started.lock.port,
+            url: `http://127.0.0.1:${started.lock.port}`,
+            codex_home: codex?.outDir ?? null,
+            codex_export_command: codex?.exportCommand ?? null,
+            codex_env: codex ? buildCodexEnvBundle(codex.outDir).env : null,
+            pi_home: pi?.outDir ?? null,
+            pi_config_path: pi?.configPath ?? null,
+            pi_mirror_path: pi?.mirrorPath ?? null,
+            pi_backup_path: pi?.backupPath ?? null,
+            pi_model_count: pi?.modelCount ?? null,
+            claude_export_command: claude.command,
+            claude_env: claude.bundle.env,
+            claude_defaults: claude.defaults
+        });
+        return;
+    }
+    const codex = opts.codex === false ? null : await refreshCodexHome(started.port, opts.codexModel ?? null);
+    const pi = opts.pi === false ? null : await refreshPiHome(started.port);
+    const claude = buildClaudeExportCommand(started.port, started.callerSecret);
+    const banner = formatStartBanner({
+        port: started.port,
+        pid: process.pid,
+        mode: "foreground",
+        debug: Boolean(opts.debug),
+        codex,
+        pi
+    });
+    writeCommandOutput(opts, banner, {
+        status: "ok",
+        mode: "foreground",
+        pid: process.pid,
+        port: started.port,
+        debug: Boolean(opts.debug),
+        url: `http://127.0.0.1:${started.port}`,
+        caller_secret: started.callerSecret,
+        codex_home: codex?.outDir ?? null,
+        codex_export_command: codex?.exportCommand ?? null,
+        codex_env: codex ? buildCodexEnvBundle(codex.outDir).env : null,
+        codex_default_model: codex?.defaultModel ?? null,
+        codex_model_count: codex?.modelCount ?? null,
+        pi_home: pi?.outDir ?? null,
+        pi_config_path: pi?.configPath ?? null,
+        pi_mirror_path: pi?.mirrorPath ?? null,
+        pi_backup_path: pi?.backupPath ?? null,
+        pi_model_count: pi?.modelCount ?? null,
+        claude_export_command: claude.command,
+        claude_env: claude.bundle.env,
+        claude_defaults: claude.defaults
+    });
+});
+program
+    .command("daemon")
+    .description("Internal background command")
+    .option("--debug", "Enable debug endpoints")
+    .action(async (opts) => {
+    const started = await runDaemon({ debug: Boolean(opts.debug) });
+    if (started.kind === "already_running") {
+        process.exit(0);
+    }
+    process.stdout.write(`copillm listening on http://127.0.0.1:${started.port}${opts.debug ? " [debug]" : ""}\n`);
+});
+program
+    .command("stop")
+    .description("Stop detached daemon")
+    .option("--json", "JSON output")
+    .action(async (opts) => {
+    const lockState = inspectLock();
+    if (lockState.state === "missing") {
+        const cache = clearClaudeGatewayCache();
+        writeCommandOutput(opts, formatStopHumanLine("Not running.", cache), {
+            status: "not_running",
+            claude_cache: cache
+        });
+        return;
+    }
+    if (lockState.state === "stale") {
+        releaseLock();
+        const cache = clearClaudeGatewayCache();
+        writeCommandOutput(opts, formatStopHumanLine("Removed stale lock.", cache), {
+            status: "stale_lock_removed",
+            reason: lockState.reason,
+            claude_cache: cache
+        });
+        return;
+    }
+    await stopByPid(lockState.lock.pid);
+    const cache = clearClaudeGatewayCache();
+    writeCommandOutput(opts, formatStopHumanLine("Stopped.", cache), {
+        status: "ok",
+        pid: lockState.lock.pid,
+        claude_cache: cache
+    });
+});
+program
+    .command("status")
+    .description("Show daemon status")
+    .option("--json", "JSON output")
+    .action(async (opts) => {
+    const config = loadConfig();
+    const lockState = inspectLock();
+    const checkedAtIso = new Date().toISOString();
+    const uptimeSeconds = lockState.state === "running" ? computeUptimeSeconds(lockState.lock.started_at_iso) : null;
+    // inspectStoredCredential never returns the token itself, so it's safe to
+    // include the result in the status payload.
+    let authInfo;
+    try {
+        const info = await inspectStoredCredential();
+        authInfo = { stored: info.stored, backend: info.backend, error: null };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : "unknown_error";
+        authInfo = { stored: false, backend: null, error: message };
+    }
+    const status = {
+        running: lockState.state === "running",
+        stale: lockState.state === "stale",
+        pid: lockState.state === "running" ? lockState.lock.pid : null,
+        port: lockState.state === "running" ? lockState.lock.port : null,
+        started_at_iso: lockState.state === "running" ? lockState.lock.started_at_iso : null,
+        uptime_seconds: uptimeSeconds,
+        url: lockState.state === "running" ? `http://127.0.0.1:${lockState.lock.port}` : null,
+        require_caller_secret: config.requireCallerSecret,
+        account_type: config.accountType,
+        selected_models: config.selectedModels,
+        auth: authInfo,
+        bearer_ttl_seconds: null,
+        health_check_status_code: null,
+        health_state: null,
+        health_error: null,
+        health_status: "unknown",
+        checked_at_iso: checkedAtIso,
+        stale_reason: lockState.state === "stale" ? lockState.reason : null
+    };
+    if (lockState.state === "running") {
+        const health = await probeHealth(lockState.lock.port);
+        status.health_status = health.ok ? "ok" : "degraded";
+        status.bearer_ttl_seconds = health.bearerTtlSeconds;
+        status.health_check_status_code = health.statusCode;
+        status.health_state = health.status;
+        status.health_error = health.error;
+    }
+    if (opts.json) {
+        process.stdout.write(JSON.stringify(status, null, 2) + "\n");
+        return;
+    }
+    if (lockState.state === "running") {
+        process.stdout.write(`running (pid ${lockState.lock.pid}, port ${lockState.lock.port})\n`);
+        process.stdout.write(`health: ${status.health_status}`);
+        if (status.health_state) {
+            process.stdout.write(` (${status.health_state})`);
+        }
+        if (status.health_check_status_code !== null) {
+            process.stdout.write(` [http ${status.health_check_status_code}]`);
+        }
+        if (status.health_error) {
+            process.stdout.write(` error=${status.health_error}`);
+        }
+        process.stdout.write("\n");
+        if (status.bearer_ttl_seconds !== null) {
+            process.stdout.write(`bearer_ttl_seconds: ${status.bearer_ttl_seconds}\n`);
+        }
+        if (status.uptime_seconds !== null) {
+            process.stdout.write(`uptime_seconds: ${status.uptime_seconds}\n`);
+        }
+        writeAuthStatusLine(authInfo);
+        process.stdout.write(`checked_at: ${status.checked_at_iso}\n`);
+        return;
+    }
+    if (lockState.state === "stale") {
+        process.stdout.write(`stale lock (${lockState.reason})\n`);
+        writeAuthStatusLine(authInfo);
+        return;
+    }
+    process.stdout.write("not running\n");
+    writeAuthStatusLine(authInfo);
+});
+function writeAuthStatusLine(authInfo) {
+    if (authInfo.error) {
+        process.stdout.write(`auth: error (${authInfo.error})\n`);
+        return;
+    }
+    if (authInfo.stored) {
+        process.stdout.write(`auth: logged in (${describeBackend(authInfo.backend)})\n`);
+    }
+    else {
+        process.stdout.write("auth: not logged in\n");
+    }
+}
+program
+    .command("health")
+    .description("Check health endpoint")
+    .option("--json", "JSON output")
+    .action(async (opts) => {
+    const lockState = inspectLock();
+    if (lockState.state !== "running") {
+        const payload = {
+            ok: false,
+            status: lockState.state === "stale" ? "stale_lock" : "not_running",
+            detail: lockState.state === "stale" ? lockState.reason : "Daemon is not running."
+        };
+        writeHealthOutput(opts, payload);
+        process.exitCode = 1;
+        return;
+    }
+    const response = await fetch(`http://127.0.0.1:${lockState.lock.port}/healthz`, { signal: AbortSignal.timeout(2_000) });
+    const payload = (await response.json());
+    const output = { ok: response.ok, status_code: response.status, ...payload };
+    writeHealthOutput(opts, output);
+    if (!response.ok) {
+        process.exitCode = 1;
+    }
+});
+const models = program.command("models").description("Model commands");
+models
+    .command("list")
+    .description("List entitled models")
+    .option("--json", "JSON output")
+    .action(async (opts) => {
+    const config = loadConfig();
+    const creds = await loadStoredCredential();
+    if (!creds) {
+        throw new Error("Not authenticated. Run `copillm login`.");
+    }
+    const tokenManager = new CopilotTokenManager(creds.token);
+    await tokenManager.ensureToken(false);
+    const result = await listModels(config.accountType, creds.token);
+    if (opts.json) {
+        process.stdout.write(JSON.stringify({
+            models: result.models,
+            discovery: {
+                source: result.source,
+                stale: result.stale,
+                cache_age_seconds: result.cacheAgeSeconds,
+                warning: result.warning
+            }
+        }, null, 2) + "\n");
+        return;
+    }
+    process.stdout.write(result.models.map((model) => model.id).join("\n") + "\n");
+    if (result.stale) {
+        process.stdout.write("⚠ using stale model snapshot (upstream discovery unavailable)\n");
+    }
+});
+models
+    .command("select")
+    .requiredOption("--models <ids>", "Comma-separated model ids")
+    .description("Select exposed models")
+    .option("--json", "JSON output")
+    .action(async (opts) => {
+    const config = loadConfig();
+    const requested = Array.from(new Set(opts.models
+        .split(",")
+        .map((value) => value.trim())
+        .filter((value) => value.length > 0)));
+    if (requested.length === 0) {
+        throw new Error("At least one model must be selected.");
+    }
+    const creds = await loadStoredCredential();
+    if (!creds) {
+        throw new Error("Not authenticated. Run `copillm login`.");
+    }
+    const tokenManager = new CopilotTokenManager(creds.token);
+    await tokenManager.ensureToken(false);
+    const discovery = await listModels(config.accountType, creds.token);
+    const resolution = resolveModelSelections(requested, discovery.models);
+    if (resolution.unresolved.length > 0) {
+        const available = discovery.models.map((model) => model.id).join(", ");
+        throw new Error(`Unknown model selection(s): ${resolution.unresolved.join(", ")}. Available models: ${available}`);
+    }
+    const resolvedSelected = Array.from(new Set(resolution.resolved.map((entry) => entry.resolvedId)));
+    saveConfig({ ...config, selectedModels: resolvedSelected });
+    const usedAlias = resolution.resolved.some((entry) => entry.input !== entry.resolvedId);
+    writeCommandOutput(opts, `Selected ${resolvedSelected.length} model(s)${usedAlias ? " (resolved aliases)." : "."}${discovery.stale ? " Using stale snapshot." : ""}`, {
+        status: "ok",
+        selected_models: resolvedSelected,
+        requested_models: requested,
+        resolutions: resolution.resolved,
+        discovery: {
+            source: discovery.source,
+            stale: discovery.stale,
+            cache_age_seconds: discovery.cacheAgeSeconds,
+            warning: discovery.warning
+        }
+    });
+});
+program
+    .command("env <agent>")
+    .description("Print env vars to launch codex, claude, or pi against copillm")
+    .option("--shell <shell>", "Shell syntax: sh|fish|powershell", "sh")
+    .option("--json", "JSON output")
+    .option("--inline", "Single-line legacy export form (claude only)")
+    .action(async (agentRaw, opts) => {
+    const agent = parseAgentName(agentRaw);
+    if (!isShellSyntax(opts.shell)) {
+        throw new Error(`Unsupported --shell value: ${opts.shell}. Use sh, fish, or powershell.`);
+    }
+    const shell = opts.shell;
+    const lockState = inspectLock();
+    if (lockState.state !== "running") {
+        const message = lockState.state === "stale"
+            ? `copillm has a stale lock (${lockState.reason}). Run \`copillm stop\` then \`copillm start --detach\`.`
+            : "copillm is not running. Run `copillm start --detach` first.";
+        if (opts.json) {
+            process.stdout.write(JSON.stringify({ status: "not_running", agent, error: message }, null, 2) + "\n");
+        }
+        else {
+            process.stderr.write(`${message}\n`);
+        }
+        process.exit(2);
+        return;
+    }
+    if (agent === "codex") {
+        const codex = await refreshCodexHome(lockState.lock.port, null);
+        if (!codex) {
+            throw new Error("Failed to prepare Codex home (see warning above).");
+        }
+        const bundle = buildCodexEnvBundle(codex.outDir);
+        const block = renderEnvBlock({
+            agent: "codex",
+            env: bundle.env,
+            shell,
+            inlineComments: bundle.inlineComments,
+            trailingNotes: bundle.trailingNotes
+        });
+        if (opts.json) {
+            process.stdout.write(JSON.stringify({
+                agent: "codex",
+                package: "@openai/codex",
+                shell,
+                env: bundle.env,
+                shell_block: block
+            }, null, 2) + "\n");
+        }
+        else {
+            process.stdout.write(`${block}\n`);
+        }
+        process.exit(0);
+    }
+    if (agent === "pi") {
+        const pi = await refreshPiHome(lockState.lock.port);
+        if (!pi) {
+            throw new Error("Failed to prepare pi models.json (see warning above).");
+        }
+        const bundle = buildPiEnvBundle(pi.outDir);
+        const block = renderEnvBlock({
+            agent: "pi",
+            env: bundle.env,
+            shell,
+            inlineComments: bundle.inlineComments,
+            trailingNotes: bundle.trailingNotes
+        });
+        if (opts.json) {
+            process.stdout.write(JSON.stringify({
+                agent: "pi",
+                package: "@earendil-works/pi-coding-agent",
+                shell,
+                env: bundle.env,
+                shell_block: block,
+                pi_home: pi.outDir,
+                pi_config_path: pi.configPath,
+                pi_mirror_path: pi.mirrorPath,
+                pi_backup_path: pi.backupPath,
+                pi_model_count: pi.modelCount
+            }, null, 2) + "\n");
+        }
+        else {
+            process.stdout.write(`${block}\n`);
+        }
+        process.exit(0);
+    }
+    const claude = buildClaudeExportCommand(lockState.lock.port, null);
+    const settingsConflicts = detectClaudeSettingsConflicts(claude.bundle.env);
+    if (opts.inline) {
+        if (opts.json) {
+            process.stdout.write(JSON.stringify({ agent: "claude", inline: claude.command }, null, 2) + "\n");
+        }
+        else {
+            process.stdout.write(`${claude.command}\n`);
+        }
+        for (const line of formatSettingsConflictWarning(settingsConflicts)) {
+            process.stderr.write(`${line}\n`);
+        }
+        process.exit(0);
+    }
+    const block = renderEnvBlock({
+        agent: "claude",
+        env: claude.bundle.env,
+        shell,
+        inlineComments: claude.bundle.inlineComments,
+        trailingNotes: claude.bundle.trailingNotes
+    });
+    if (opts.json) {
+        process.stdout.write(JSON.stringify({
+            agent: "claude",
+            package: "@anthropic-ai/claude-code",
+            shell,
+            env: claude.bundle.env,
+            shell_block: block,
+            defaults: claude.defaults,
+            settings_conflicts: settingsConflicts.conflicts
+        }, null, 2) + "\n");
+    }
+    else {
+        process.stdout.write(`${block}\n`);
+    }
+    for (const line of formatSettingsConflictWarning(settingsConflicts)) {
+        process.stderr.write(`${line}\n`);
+    }
+    process.exit(0);
+});
+program
+    .command("codex")
+    .description("Launch Codex CLI against copillm (auto-starts daemon, downloads codex if missing)")
+    .option("--copillm-use <spec>", "Pin codex package version (e.g. 1.4.7 or @openai/codex@1.4.7)")
+    .option("--copillm-debug", "Enable debug endpoints when auto-starting daemon")
+    .option("--copillm-profile <name>", "Override active profile from ~/.copillm/agent.toml for this launch")
+    .option("--copillm-no-config", "Skip agent.toml fan-out for this launch", false)
+    .allowUnknownOption(true)
+    .passThroughOptions()
+    .helpOption(false)
+    .argument("[args...]", "Args forwarded to codex")
+    .action(async (forwardedArgs, opts) => {
+    const lock = await ensureDaemonRunningForLauncher({ debug: Boolean(opts.copillmDebug) });
+    const codex = await refreshCodexHome(lock.port, null);
+    if (!codex) {
+        throw new Error("Failed to prepare Codex home (see warning above).");
+    }
+    const bundle = buildCodexEnvBundle(codex.outDir);
+    const pinnedSpec = opts.copillmUse ?? process.env.COPILLM_CODEX_VERSION ?? undefined;
+    const applyResult = applyAgentConfig({
+        agent: "codex",
+        cwd: process.cwd(),
+        codexHomeDir: codex.outDir,
+        profileOverride: opts.copillmProfile ?? process.env.COPILLM_PROFILE ?? null,
+        skip: Boolean(opts.copillmNoConfig)
+    });
+    for (const line of formatApplyNotes(applyResult, "codex")) {
+        process.stderr.write(`${line}\n`);
+    }
+    const env = { ...bundle.env, ...applyResult.envOverlay };
+    const exitCode = await launchAgent({
+        agent: "codex",
+        args: [...(forwardedArgs ?? []), ...applyResult.cliArgs],
+        env,
+        pinnedSpec
+    });
+    process.exit(exitCode);
+});
+program
+    .command("claude")
+    .description("Launch Claude Code against copillm (auto-starts daemon, downloads claude if missing)")
+    .option("--copillm-use <spec>", "Pin claude package version (e.g. 1.0.0 or @anthropic-ai/claude-code@1.0.0)")
+    .option("--copillm-debug", "Enable debug endpoints when auto-starting daemon")
+    .option("--copillm-profile <name>", "Override active profile from ~/.copillm/agent.toml for this launch")
+    .option("--copillm-no-config", "Skip agent.toml fan-out for this launch", false)
+    .allowUnknownOption(true)
+    .passThroughOptions()
+    .helpOption(false)
+    .argument("[args...]", "Args forwarded to claude")
+    .action(async (forwardedArgs, opts) => {
+    const lock = await ensureDaemonRunningForLauncher({ debug: Boolean(opts.copillmDebug) });
+    const claude = buildClaudeExportCommand(lock.port, null);
+    const pinnedSpec = opts.copillmUse ?? process.env.COPILLM_CLAUDE_VERSION ?? undefined;
+    const conflicts = detectClaudeSettingsConflicts(claude.bundle.env);
+    for (const line of formatSettingsConflictWarning(conflicts)) {
+        process.stderr.write(`${line}\n`);
+    }
+    const applyResult = applyAgentConfig({
+        agent: "claude",
+        cwd: process.cwd(),
+        profileOverride: opts.copillmProfile ?? process.env.COPILLM_PROFILE ?? null,
+        skip: Boolean(opts.copillmNoConfig)
+    });
+    for (const line of formatApplyNotes(applyResult, "claude")) {
+        process.stderr.write(`${line}\n`);
+    }
+    const env = { ...claude.bundle.env, ...applyResult.envOverlay };
+    const exitCode = await launchAgent({
+        agent: "claude",
+        args: [...(forwardedArgs ?? []), ...applyResult.cliArgs],
+        env,
+        pinnedSpec
+    });
+    process.exit(exitCode);
+});
+program
+    .command("pi")
+    .description("Launch pi coding agent against copillm (auto-starts daemon, downloads pi if missing)")
+    .option("--copillm-use <spec>", "Pin pi package version (e.g. 0.75.4 or @earendil-works/pi-coding-agent@0.75.4)")
+    .option("--copillm-debug", "Enable debug endpoints when auto-starting daemon")
+    .option("--copillm-profile <name>", "Override active profile from ~/.copillm/agent.toml for this launch")
+    .option("--copillm-no-config", "Skip agent.toml fan-out for this launch", false)
+    .allowUnknownOption(true)
+    .passThroughOptions()
+    .helpOption(false)
+    .argument("[args...]", "Args forwarded to pi")
+    .action(async (forwardedArgs, opts) => {
+    const lock = await ensureDaemonRunningForLauncher({ debug: Boolean(opts.copillmDebug) });
+    const pi = await refreshPiHome(lock.port);
+    if (!pi) {
+        throw new Error("Failed to prepare pi models.json (see warning above).");
+    }
+    const bundle = buildPiEnvBundle(pi.outDir);
+    const pinnedSpec = opts.copillmUse ?? process.env.COPILLM_PI_VERSION ?? undefined;
+    const applyResult = applyAgentConfig({
+        agent: "pi",
+        cwd: process.cwd(),
+        profileOverride: opts.copillmProfile ?? process.env.COPILLM_PROFILE ?? null,
+        skip: Boolean(opts.copillmNoConfig)
+    });
+    for (const line of formatApplyNotes(applyResult, "pi")) {
+        process.stderr.write(`${line}\n`);
+    }
+    const env = { ...bundle.env, ...applyResult.envOverlay };
+    const exitCode = await launchAgent({
+        agent: "pi",
+        args: [...(forwardedArgs ?? []), ...applyResult.cliArgs],
+        env,
+        pinnedSpec
+    });
+    process.exit(exitCode);
+});
+registerConfigCommands(program);
+program.parseAsync(process.argv).catch((error) => {
+    if (error instanceof Error) {
+        logger.error({ err: error }, error.message);
+        process.stderr.write(`${error.message}\n`);
+        process.exit(1);
+    }
+    throw error;
+});
+async function runDaemon(options) {
+    const config = loadConfig();
+    const creds = await loadStoredCredential();
+    if (!creds) {
+        throw new Error("Not authenticated. Run `copillm login` first.");
+    }
+    const tokenManager = new CopilotTokenManager(creds.token);
+    await tokenManager.ensureToken(false);
+    const callerSecret = config.requireCallerSecret ? randomUUID() : null;
+    if (callerSecret) {
+        process.stdout.write(`Caller secret: ${callerSecret}\n`);
+    }
+    const ports = candidatePorts(config.preferredPort);
+    let server = null;
+    let selectedPort = null;
+    for (const port of ports) {
+        try {
+            await acquireLock(port, { isRunning: async (lock) => probeLivez(lock.port) });
+        }
+        catch (error) {
+            if (error instanceof LockAlreadyRunningError) {
+                tokenManager.clear();
+                return { kind: "already_running", lock: error.lock };
+            }
+            throw error;
+        }
+        try {
+            server = await startProxyServer({
+                port,
+                config,
+                tokenManager,
+                callerSecret,
+                logger,
+                debug: Boolean(options?.debug),
+                githubToken: creds.token
+            });
+            selectedPort = port;
+            break;
+        }
+        catch (error) {
+            releaseLock();
+            if (isAddrInUse(error)) {
+                continue;
+            }
+            throw error;
+        }
+    }
+    if (!server || selectedPort === null) {
+        tokenManager.clear();
+        throw new Error(`No available port in configured range (${ports[0]}-${ports[ports.length - 1]}).`);
+    }
+    let shuttingDown = false;
+    const shutdown = async () => {
+        if (shuttingDown) {
+            return;
+        }
+        shuttingDown = true;
+        try {
+            await withTimeout(server.close(), 5_000, "Timed out while draining requests.");
+        }
+        catch (error) {
+            logger.warn({ err: error }, "graceful shutdown timed out");
+        }
+        finally {
+            tokenManager.clear();
+            releaseLock();
+            process.exit(0);
+        }
+    };
+    process.once("SIGINT", () => {
+        void shutdown();
+    });
+    process.once("SIGTERM", () => {
+        void shutdown();
+    });
+    return { kind: "started", port: selectedPort, callerSecret };
+}
+function candidatePorts(preferredPort) {
+    const ports = [];
+    for (let offset = 0; offset < 10; offset += 1) {
+        const port = preferredPort + offset;
+        if (port <= 65535) {
+            ports.push(port);
+        }
+    }
+    return ports;
+}
+function describeBackend(backend) {
+    switch (backend) {
+        case "keytar":
+            return "OS keychain";
+        case "file":
+            return "credentials file";
+        case "session":
+            return "in-memory (session only)";
+        default:
+            return "no backend";
+    }
+}
+function formatHumanAuthStatusLine(backend, identity) {
+    if (!identity) {
+        return `logged in (${describeBackend(backend)})`;
+    }
+    const nameSuffix = identity.name && identity.name !== identity.login ? ` (${identity.name})` : "";
+    return `logged in as @${identity.login}${nameSuffix} (${describeBackend(backend)})`;
+}
+function emitDeprecation(opts, oldCmd, newCmd) {
+    if (opts.json) {
+        // Keep stdout pristine for JSON consumers; deprecation goes to stderr.
+        process.stderr.write(`note: \`copillm ${oldCmd}\` is deprecated; use \`copillm ${newCmd}\`\n`);
+    }
+    else {
+        process.stderr.write(`note: \`copillm ${oldCmd}\` is deprecated; use \`copillm ${newCmd}\`\n`);
+    }
+}
+async function runAuthLogin(opts, options) {
+    if (options.forceSession) {
+        process.env.COPILLM_FORCE_SESSION_BACKEND = "1";
+    }
+    const config = loadConfig();
+    const token = await loginViaDeviceFlow();
+    const saveMode = options.forceSession ? "session" : "auto";
+    const backend = await saveStoredCredential(token, config.accountType, { mode: saveMode });
+    writeCommandOutput(opts, `Login succeeded. Credentials stored via ${describeBackend(backend)}.`, {
+        status: "ok",
+        action: "login",
+        credential_backend: backend
+    });
+}
+async function runAuthLogout(opts) {
+    const result = await clearStoredCredential();
+    const lockState = inspectLock();
+    if (lockState.state === "running") {
+        await stopByPid(lockState.lock.pid);
+    }
+    else if (lockState.state === "stale") {
+        releaseLock();
+    }
+    const credentialStatus = result.removed ? "removed" : "not present";
+    writeCommandOutput(opts, `Logged out. Credentials ${credentialStatus} from ${describeBackend(result.backend)}.`, {
+        status: "ok",
+        action: "logout",
+        credential_backend: result.backend,
+        credential_removed: result.removed
+    });
+}
+/**
+ * Build the default dependency bundle for ensureAuthenticatedInteractive.
+ * Lives here (rather than inside the auth module) so the auth module stays
+ * UI-framework-agnostic and tests can supply alternative implementations.
+ */
+function defaultEnsureAuthDeps() {
+    return {
+        inspectStoredCredential,
+        isTty: () => process.stdin.isTTY === true,
+        confirm,
+        choose,
+        loginViaDeviceFlow,
+        loadAccountType: () => loadConfig().accountType,
+        saveStoredCredential,
+        describeBackend,
+        print: (line) => process.stdout.write(line),
+        setEnv: (key, value) => {
+            process.env[key] = value;
+        }
+    };
+}
+async function ensureAuthenticatedInteractive() {
+    return ensureAuthenticatedInteractiveImpl(defaultEnsureAuthDeps());
+}
+function writeCommandOutput(opts, humanLine, payload) {
+    if (opts.json) {
+        process.stdout.write(JSON.stringify(payload, null, 2) + "\n");
+        return;
+    }
+    process.stdout.write(`${humanLine}\n`);
+}
+function formatStopHumanLine(primary, cache) {
+    if (cache.cleared) {
+        return `${primary} Cleared Claude Code gateway cache.`;
+    }
+    if (cache.reason === "not_present") {
+        return primary;
+    }
+    return `${primary} Could not clear Claude Code gateway cache: ${cache.reason ?? "unknown error"}.`;
+}
+function writeHealthOutput(opts, payload) {
+    if (opts.json) {
+        process.stdout.write(JSON.stringify(payload, null, 2) + "\n");
+        return;
+    }
+    process.stdout.write(`${JSON.stringify(payload)}\n`);
+}
+function isAddrInUse(error) {
+    return error instanceof Error && "code" in error && error.code === "EADDRINUSE";
+}
+async function refreshCodexHome(port, model) {
+    try {
+        const home = getCopillmHome();
+        return await generateCodexHome({
+            outDir: defaultOutputDir(home),
+            model,
+            port,
+            providerId: "copillm",
+            reasoningEffort: null
+        });
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : "unknown_error";
+        process.stderr.write(`warning: failed to generate ~/.copillm/codex/ — ${message}\n`);
+        return null;
+    }
+}
+async function refreshPiHome(port) {
+    try {
+        const home = getCopillmHome();
+        return await generatePiHome({
+            outDir: defaultPiOutputDir(home),
+            port,
+            providerId: "copillm"
+        });
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : "unknown_error";
+        process.stderr.write(`warning: failed to generate pi models.json — ${message}\n`);
+        return null;
+    }
+}
+function buildClaudeExportCommand(port, callerSecret) {
+    const modelIds = readModelIdsFromCache();
+    const defaults = computeAnthropicDefaults(modelIds);
+    const command = buildClaudeExport({
+        port,
+        callerSecret,
+        defaults,
+        enableGatewayDiscovery: true
+    });
+    const bundle = buildClaudeEnvBundle({ port, callerSecret, defaults, enableGatewayDiscovery: true });
+    return { command, defaults, bundle };
+}
+function formatStartBanner(input) {
+    const verb = input.mode === "foreground" ? "listening on" : "running on";
+    const lines = [];
+    const debugSuffix = input.debug ? " [debug]" : "";
+    const modeSuffix = input.mode === "already_running" ? " (already running)" : "";
+    lines.push(`\u25CF copillm ${verb} http://127.0.0.1:${input.port} (pid ${input.pid})${debugSuffix}${modeSuffix}`);
+    if (input.codex) {
+        lines.push(`   ${input.codex.modelCount} Copilot models discovered \u00B7 default: ${input.codex.defaultModel}`);
+    }
+    if (input.pi) {
+        lines.push(`   pi: wrote ${input.pi.modelCount} models to ${displayHomePath(input.pi.configPath)}${input.pi.backupPath ? ` (backed up prior config to ${displayHomePath(input.pi.backupPath)})` : ""}`);
+    }
+    lines.push(``);
+    lines.push(`Launch an agent against copillm:`);
+    if (input.codex) {
+        lines.push(`    copillm codex      # starts Codex CLI, preconfigured`);
+    }
+    lines.push(`    copillm claude     # starts Claude Code, preconfigured`);
+    if (input.pi) {
+        lines.push(`    copillm pi         # starts pi coding agent, preconfigured`);
+    }
+    lines.push(``);
+    lines.push(`Or print env vars to use yourself:`);
+    if (input.codex) {
+        lines.push(`    copillm env codex`);
+    }
+    lines.push(`    copillm env claude`);
+    if (input.pi) {
+        lines.push(`    copillm env pi`);
+    }
+    return lines.join("\n");
+}
+function displayHomePath(p) {
+    const home = process.env.HOME ?? process.env.USERPROFILE;
+    if (home && p.startsWith(home)) {
+        return p.replace(home, "~");
+    }
+    return p;
+}
+async function probeLivez(port) {
+    try {
+        const response = await fetch(`http://127.0.0.1:${port}/livez`, { signal: AbortSignal.timeout(800) });
+        return response.ok;
+    }
+    catch {
+        return false;
+    }
+}
+async function probeHealth(port) {
+    try {
+        const response = await fetch(`http://127.0.0.1:${port}/healthz`, { signal: AbortSignal.timeout(1_500) });
+        const payload = (await response.json());
+        return {
+            ok: response.ok,
+            statusCode: response.status,
+            status: typeof payload.status === "string" ? payload.status : null,
+            error: typeof payload.error === "string" ? payload.error : null,
+            bearerTtlSeconds: response.ok && typeof payload.bearer_ttl_seconds === "number" ? payload.bearer_ttl_seconds : null
+        };
+    }
+    catch {
+        return { ok: false, bearerTtlSeconds: null, statusCode: null, status: null, error: "health_probe_failed" };
+    }
+}
+async function waitForDaemonReady(pid, timeoutMs) {
+    const startedAt = Date.now();
+    while (Date.now() - startedAt <= timeoutMs) {
+        const lockState = inspectLock();
+        if (lockState.state === "running" && (await probeLivez(lockState.lock.port))) {
+            return { pid: lockState.lock.pid, port: lockState.lock.port };
+        }
+        if (pid !== null && !isPidAlive(pid)) {
+            return null;
+        }
+        await sleep(150);
+    }
+    return null;
+}
+function isPidAlive(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function stopByPid(pid) {
+    if (!sendSignalIfAlive(pid, "SIGTERM")) {
+        return;
+    }
+    const stopDeadline = Date.now() + 8_000;
+    while (Date.now() < stopDeadline) {
+        const lockState = inspectLock();
+        if (lockState.state !== "running" || lockState.lock.pid !== pid) {
+            return;
+        }
+        await sleep(150);
+    }
+    if (!sendSignalIfAlive(pid, "SIGKILL")) {
+        return;
+    }
+    const killDeadline = Date.now() + 2_000;
+    while (Date.now() < killDeadline) {
+        const lockState = inspectLock();
+        if (lockState.state !== "running" || lockState.lock.pid !== pid) {
+            return;
+        }
+        await sleep(100);
+    }
+    throw new Error(`Failed to stop daemon pid ${pid}.`);
+}
+async function withTimeout(promise, timeoutMs, message) {
+    const timeoutPromise = sleep(timeoutMs).then(() => {
+        throw new Error(message);
+    });
+    return Promise.race([promise, timeoutPromise]);
+}
+function sendSignalIfAlive(pid, signal) {
+    try {
+        process.kill(pid, signal);
+        return true;
+    }
+    catch (error) {
+        if (error instanceof Error && "code" in error && error.code === "ESRCH") {
+            return false;
+        }
+        throw error;
+    }
+}
+async function readLiveLock() {
+    const lockState = inspectLock();
+    if (lockState.state !== "running") {
+        return null;
+    }
+    return (await probeLivez(lockState.lock.port)) ? lockState.lock : null;
+}
+function computeUptimeSeconds(startedAtIso) {
+    const startedMs = Date.parse(startedAtIso);
+    if (!Number.isFinite(startedMs)) {
+        return null;
+    }
+    return Math.max(0, Math.floor((Date.now() - startedMs) / 1000));
+}
+function parseAgentName(raw) {
+    const v = raw.trim().toLowerCase();
+    if (v === "codex" || v === "claude" || v === "pi")
+        return v;
+    throw new Error(`Unknown agent: ${raw}. Expected "codex", "claude", or "pi".`);
+}
+async function ensureDaemonRunningForLauncher(opts) {
+    const live = await readLiveLock();
+    if (live)
+        return live;
+    process.stderr.write(`Starting copillm in background...\n`);
+    const daemonArgs = [process.argv[1], "daemon"];
+    if (opts.debug)
+        daemonArgs.push("--debug");
+    const child = spawn(process.execPath, daemonArgs, {
+        detached: true,
+        stdio: "ignore"
+    });
+    child.unref();
+    const started = await waitForDaemonReady(child.pid ?? null, 10_000);
+    if (!started) {
+        throw new Error("Auto-start of copillm daemon timed out.");
+    }
+    const inspection = inspectLock();
+    if (inspection.state !== "running") {
+        throw new Error("copillm daemon failed to register a lock after auto-start.");
+    }
+    return inspection.lock;
+}